Guidance Note Re Shari’Ah Compliance Function At Islamic Financial Institutions

1 / 16 CBUAE Classification: Public GUIDANCE NOTE RE SHARI’AH COMPLIANCE FUNCTION AT ISLAMIC FINANCIAL INSTITUTIONS

2 / 16 CBUAE Classification: Public TABLE OF CONTENTS

Subject | Page Introduction (Article 1) | 3 Objective (Article 2) | 3 Scope of Application (Article 3) | 3 Development of Annual Plan (Article 4) | 4 Planning and Scoping of the Review (Article 5) | 5 Field Review (Article 6) | 5 Issues and Actions (Article 7) | 8 Reports (Article 8) | 9 Monitoring Status Progress (Article 9) | 12 Appendix (A) An Example in Prioritization Parameters for Selection of Subjects in the Annual Plan | 13 Appendix (B) Generic Guidance for Developing Sampling Methodology | 14 Appendix (C) Generic Guidance for Developing Product Checklist | 15

3 / 16 CBUAE Classification: Public Article (1) Introduction

This Guidance Note Re Shari’ah Compliance Function at Islamic Financial Institutions (“Guidance Note” or “Note”) complements the Standard Re Shari’ah Compliance Function at Islamic Financial Institutions (“the Standard”) with the aim to promote the development of the banking system and to ensure its effectiveness and efficiency.

Article (2) Objective

The Guidance Note contains guidance aimed at facilitating implementation of the requirements related to Shari’ah Compliance at licensed financial institutions that conduct all or part of their activities and businesses in accordance with the provisions of Islamic Shari’ah (“Islamic Financial Institutions” or “IFIs”).

Article (3) Scope of Application

3.1 The Guidance Note applies to all IFIs. IFIs may comply with the guidance stated in this Guidance Note or apply equivalent criteria in order to comply with the requirements stated in the Standard.

3.2 The Guidance Note should be read in conjunction with the Standard and the standards and resolutions issued by Higher Shari’ah Authority (“HSA”) and notified to IFIs.

4 / 16 CBUAE Classification: Public Article (4) Development of Annual Plan

4.1 The Board and the senior management approve the Annual Plan that relate to Shari’ah Compliance Function (“SCF”) review exercises and ascertain smooth realization and implementation of the approved Annual Plan, including but not limited to, full cooperation and support from the relevant department heads at the IFI.

4.2 The IFI should prioritize what needs to be included in the Annual Plan, and develop a prioritization matrix that takes into account the relevant parameters, including: a. frequency of reviews, b. historical incidents, and c. size and complexity of products.

Appendix (A) contains generic guidance on developing the prioritization matrix that aims to assist IFIs in identifying segments of operations and activities that should undergo review in a financial year.

Article (5) Planning and Scoping of the Review

In the planning stage, the SCF should understand the regulatory requirements, the resolutions of Internal Shari’ah Supervision Committee (“ISSC Resolutions”) that relates to SCF, Shari’ah Non-Compliance (“SNC”) risks, compliance obligations, processes, policies and procedures, and related internal controls, including identifying and documenting known and self-identified issues. Subsequently, the SCF should send a memo outlining the reason for the review, scope, planned timeline and other terms of the scheduled review exercise to the relevant parties, including those departments or sections directly impacted by the review, prior to the commencement of the field review.

5 / 16 CBUAE Classification: Public Article (6) Field Review

6.1 The field review may include the following: a. Opening Meeting, b. Sampling Methodology, c. Development of Internal Checklists, d. Walkthrough, e. Internal Controls Assessment, and f. Staff Awareness.

6.2 Opening Meeting The SCF should start the field review with an opening meeting that involves representatives from the relevant departments and sections.

6.3 Sampling Methodology a. The SCF should develop a sampling methodology that will be followed during the review exercise. The sample size and the sampling procedure should be objective and robust to ascertain with a high level of confidence that the selected sample fairly represents transactions executed during the period that is covered by the review exercise. b. The SCF should determine the sampling methodology which provides clarity related to the minimum quantity of samples that may be reviewed (such as 10% sample size) of the total number of transactions subject to the review exercise. Appendix (B) contains generic guidance for developing the sampling methodology. c. The SCF may need to select a larger or additional sample size than what was initially planned if the circumstances arise, such as in cases where there is reasonable uncertainty on whether an identified SNC incident/s is a random or systemic failure of the IFI to comply with the regulatory requirements and ISSC Resolutions. These instances should be specified in the IFI’s sampling methodology.

6.4 Development of Internal Checklists a. SCF should develop checklists needed to undertake an adequate and effective review of the subject that is being reviewed. b. In developing checklists, the SCF should ascertain that it has mapped all requirements and expectations of the regulatory requirements and the ISSC’s Resolutions applicable to the subject planned to be reviewed, and that all relevant requirements are adequately transferred into the checklists. Appendix (C) outlines generic guidance for developing the respective checklists.

6.5 Walkthrough a. SCF should conduct a walkthrough test of real-life deals to gauge the reliability of internal procedures, manuals and policies in relation to day-to-day activities of the IFI. b. The walkthrough should be accompanied by an assessment of the controls, their adequacy and effectiveness in real-life deals. Preparation for the walkthrough should include interviewing the relevant staff regarding the applicable processes and procedures, and questions or queries that would need to be asked during the walkthrough. The questions should cover exceptional and unusual situations that occur in day-to-day work.

6.6 Internal Controls Assessment The SCF should assess internal controls related to SNC risk to ascertain their design and operational effectiveness. The assessment should, among others, cover the following aspects: a. scope and adequacy of the control design in relation to addressing the SNC risk, b. operational reliability of the control and its effectiveness in identifying exceptions across all possible scenarios that could arise, c. probability of avoiding or circumventing the control, and d. comprehensiveness of the existing controls to address all relevant SNC risk.

6.7 Staff Awareness a. The SCF should assess the staff awareness in relation to knowledge and skills that they need to possess to adequately fulfil their job duties, as per the responsibilities specified in the employee’s job description, without violating the provisions of Islamic Shari’ah. b. Determination of the type of knowledge and skills each employee needs to possess should depend on the nature of the employee’s responsibilities. For example, personnel with responsibility to execute the exchange of currency should be equipped with knowledge and skills specifically related to:

1. execution of all necessary steps or processes in currency exchange, which the employee is responsible for executing in line with parameters of Islamic Shari’ah.
2. reasonable understanding of SNC risks that may arise from this type of transaction, their potential consequences and steps or actions required to adequately manage the risks in order to prevent potential incidents from occurring. c. The IFI should develop proper training and staff awareness programme.

8 / 16 CBUAE Classification: Public Article (7) Issues and Actions

Article (9) of the Standard emphasizes that each identified finding/incident is included in the report. The SCF should analyze and identify the root cause and assess the following: a. existence of reliable and efficient controls that should have prevented the identified incident from occurring, b. comprehensiveness and clarity of the internal policy’s requirement in relation to the incident, c. Whether the relevant employees are notified of, and have access to, the relevant internal policy, d. adequacy of staff awareness and the existing training programmes in relation to the identified finding, and e. staff conduct and adherence to the established policies, and potential conflict of interest.

9 / 16 CBUAE Classification: Public Article (8) Reports

8.1 Preliminary Issues Report The SCF should send a report of preliminary issues (“Preliminary Issues Report”) to the relevant parties at least five (5) working days before the closing meeting.

8.2 Response from Respective Parties After receiving the report, the respective parties should respond on the Preliminary Issues Report within a specific number of days. All responses should undergo an assessment by the SCF in light of the existing evidence related to the issue raised.

8.3 Closing Meeting The SCF should conduct a closing meeting after completing the assessment of the responses. The relevant parties should be made aware of all the findings and supporting evidence. The meeting should be documented in the form of minutes of the meeting for audit purposes.

8.4 Final Report a. The SCF when preparing the final review report (“Final Report”) should consider that the report is to assist the IFI in establishing effective and adequate procedures at the institutional level, making corrections and improvements where needed, and rectifying and closing identified gaps, if any. The Final Report should include: − adequacy of control status and adequacy of management action, − an executive summary that will briefly explain the scope and methodology used in preparing the report (such as specifying the total number of customers or transactions, sample size, list of issues and their risk grading, etc.), and − details of issues and actions as per the Standard and the Note. b. The Final Report may include a statement of the level of cooperation and support extended by the relevant departments to the SCF during the review exercise.

8.5 Final Report Approval The SCF presents the Final Report, upon its completion, to the ISSC for assessment and approval. The ISSC should conduct a comprehensive assessment of the report regarding its compliance with the Standard, including but not limited to, assessment of the following aspects: − validity of the identified issues, − accuracy of root cause/s of the issues and suitability of action plan, − adequacy and effectiveness of the controls, and − clarity of the report. The ISSC should maintain records of the same for audit purposes.

8.6 Final Report Dissemination The SCF should conduct the following procedures regarding the Final Report Dissemination: a. Circulating the final report to the relevant parties within five (5) working days after being approved by the ISSC. b. All findings of the report should be incorporated in the tracker for progress status monitoring (“Status Tracker”). c. Each party responsible for an action plan may confirm to SCF within the agreed timeline, or periodically if needed, that all the actions specified in the Final Report have been addressed, and substantiate such confirmation with adequate evidence for each finding. d. If any action from the Final Report is not closed/addressed within the timeline, the party responsible for the action plan should provide reasoning and evidences for not closing/addressing the issue, and its target completion date. e. The progress update on addressing the findings and implementing recommendations should be monitored.

12 / 16 CBUAE Classification: Public Article (9) Progress Status Monitoring

The SCF may consider the following procedures in the progress status monitoring, including but not limited to: a. Monitoring progress updates provided by the relevant parties regarding how the findings are addressed and whether the action plan has been implemented. b. All responses should be supported with adequate evidence. The evidence should be kept for audit purposes. c. All responses received from the respective parties should be read in the context of existing evidence related to the highlighted issue. d. The Status Tracker should be updated based on the results of the monitoring. e. An update on the outsourced activities should be included in the monitoring process.

Appendix (A) An Example in Prioritization Parameters for Selection of Subjects in the Annual Plan

This appendix provides an example of how to develop a prioritization matrix for selecting subjects for the annual review plan. The matrix considers parameters such as:

1. Frequency of Reviews
2. Historical Incidents
3. Size and Complexity of Products

Appendix (B) Generic Guidance for Developing Sampling Methodology

This appendix provides generic guidance on developing a robust sampling methodology. Key considerations include:

1. Ensuring the sample size is objective and representative.
2. Defining minimum sample quantities (e.g., 10% of transactions).
3. Adjusting sample sizes for systemic failures or uncertainties.

Appendix (C) Generic Guidance for Developing Product Checklist

This appendix outlines generic guidance for developing internal checklists. Key steps include:

1. Mapping all regulatory requirements and ISSC Resolutions to the subject.
2. Ensuring all relevant requirements are transferred into the checklist.
3. Using the checklist to ensure adequate and effective review coverage.