Risk Management for Islamic Banks Recent Developments

130 RISK MANAGEMENT IN ISLAMIC BANKING RATING AND FINANCING RISK PROVISIONS Before setting the amount of provision to be charged, the bank should clas- sify financing assets based on its collectability. Asset classification should reflect the ranking for financing risk, measured through the probability that the debtor’s obligation will be able to be fulfilled and liquidated according to the terms of contract. The bank will need to classify not only the items in the balance sheet (i.e., accounts receivable, financing assets, qardh, or advance) but also all off-balance sheet activities (contingent claims and com- mitment) containing financing risk. An asset is classified by the bank from the moment the asset enters the financing portfolio, and it will be periodi- cally reviewed, evaluated, and classified for any changes in its financing risk level. This is ideally done once every three months for assets that are doubt- ful and once every semester for assets that are current. The bank will need to review changes in the internal environment (the debtor’s performance and financial position) and external environment (business climate, competition in the industry, market as well as macroeconomic conditions) that can affect the debtor’s ability to fulfill the terms of the contract. In principle, the bank classifies financing assets based on the standards set by the regulator. But for internal control purposes, the management may prefer to construct its own standard to classify and review assets—as long as those standards are not lower than the ones set by the regulator. When a debtor proposes more than one financing proposal, the bank should rank collectability based on the individual financing contract instead of the individual debtor, and thus one debtor with two contracts will have two ratings, except in the cases where the source of repayment for both contracts comes from the same cash flow. For debtors that are trying to extend their financing period, without the bank having acquired more information on the debtor’s fundamental conditions and collectability, the bank should give the debtor the last rating in effect before entering a new contract. Based on international standards, asset quality is classified into five categories (Table 6.7). The bank may add additional subcategories to differentiate some assets residing in the same category, especially with regard to cash flow, profitability, collateral quality, and financing capability’s sensitivity to changes in the environment. In Islamic accounting, provision is the reserved capital that must be formed based on the category of financing quality. The main reason behind the formation of this provision is to prevent the bank from the possibil- ity of business failure if there are debtors that default. Before the debtor defaults, the bank has prepared an amount of capital reserved to avoid a large financial risk. If the capital reserved is not adequate, when a debtor with a large financing value in the bank’s asset portfolio defaults, the bank

Financing Risk in Islamic Banking 131 TABLE 6.7 Asset Classification Based on Collectability Quality Asset category Definition and criteria Standard (or pass) Asset considered to be far from concerns of default; included Specially in this are assets collateralized by cash or cash-equivalents; they are categorized as standard without considering other mentioned (or financing risk factors. watched) Substandard Asset has potentially doubtful conditions, such as inadequate financing agreements, weak control over collateral assets, or Doubtful inadequate documentation, that can reduce the debtor’s ability to fulfill future obligation. Included in this category Loss are debtors whose business operates under market or economic conditions that can have a negative impact on its future performance. Asset has weaknesses: its main repayment source is inadequate and the bank will need to locate secondary sources (i.e., collateral, liquidation of fixed assets, refinancing, or additional paid-in capital); the cash flow from the asset (or inventory to cash cycle) is inadequate to fulfill its contract; and intermediation to debtor is undercapitalized significantly. Asset has been delinquent for at least 90 days, or in the case of financing renegotiation and advance where the debtor pays bills with the debtor’s own funds before renegotiation until stable performance under a realistic repayment program is achieved. Asset has weaknesses as in the substandard, but the probability of full collection is questionable based on available facts. The probability of loss exists, but the factors determining the classification of the asset as loss are still uncertain. This asset has been delinquent for at least 180 days and is not adequately collateralized. Asset is considered uncollectable and its continued existence as bankable asset is not guaranteed. This classification means that the asset will be written off, even if partial recovery is still probable in the future. This asset has been delinquent for at least a year and is not adequately collateralized. will face liquidity and solvability problems. This worsens if the depositors also draw their funds from the bank in tandem. This condition will force the bank to choose among (1) borrowing funds from a third party, (2) requesting the short-term credit facility to the central bank or regulator, (3) optimizing activity in the inter-Islamic-bank money market, (4) requesting additional capital from investors, or (5) selling the securities owned by the bank. In a

132 RISK MANAGEMENT IN ISLAMIC BANKING tight condition like this, the bank will tend to face a steep cost for the addi- tion of any necessary capital. This can come in the form of a high rate of return requested or a large amount of price discount. If the bank’s investors are unable to provide additional capital, then looking for additional liquid- ity in the market will only increase the bank’s problems without fixing the bank’s solvability condition. The formation of provision will be negatively correlated with the liquid- ity risk faced by the bank. However, a bank with a large provision indicates two things. The first is that the bank is not competent in adequate risk man- agement of its financing portfolio. The bank failed to screen the potential debtors that would default early after the bank approved their proposal. The bank is also ineffectual in monitoring its debtors, and because of that reduced the quality of financing and increased the provision. The second is the deterioration of the bank’s profitability with the increase in the amount of capital reserved. The bank is then hampered further from channeling funds to the public in the form of financing. If this condition continues, the bank will find it even more difficult to provide a competitive rate of return for depositors and investors. This has the potential to cause customers to leave the bank and shift to other banks. In other words, the bank’s inability to provide an adequate risk management system, measured in the size of its provision, causes the bank to face reputation risk and rate-of-return risk. Financing assets are categorized as nonperforming assets when con- sidered as unable to generate income. There are three categories of assets considered to be nonperforming: substandard (delinquent for 90 days or more), doubtful (delinquent for 180 days or more) and loss (delinquent for 1 year or more). Though this classification refers to the delinquency of payment, the bank should be more focused in the debtor’s ability to pay. The aggregation of nonperforming asset in a financing portfolio shows the bank’s capacity in accommodating financing risk. The bank would need to immediately classify and detail assets based on the financial contract, matu- rity period, economic sector, geographical area, and purpose of financing (investment, working capital, or consumption). The bank will also need to activate an early warning system and internal control, especially one that regularly updates the market value of collateral, accessibility of guarantor, haircut (or cut-loss) policies, and other risk mitigation tools. With regard to the treatment of loss assets, there are two bookkeeping approaches adopted by Islamic banks. The first is to maintain the assets in the balance sheet until all methods of collecting them are exhausted. This approach is usually used in British-style banking, and the effect of this is the sizeable amount of loss reserve that must be kept. The second approach is to write off all the loss assets to reserve, and thus expense them from book (balance sheet). This approach is usually used in U.S.-style banking, is more conservative,

Financing Risk in Islamic Banking 133 and immediately considers loss asset as unbankable (even if some may still be recoverable). RISK-BASED FINANCING LIMIT One of the benefits of a debtor rating system is the availability of reliable risk mitigation tools, especially at the financing proposal selection phase and the setting of the terms of financing contracts (including financing limit). In order to balance the level of risk taken (risk appetite) between debtors as well as means to diversify the financing portfolio, a financing limit system can be used to form a financing portfolio with a large number of financing contracts, but with an expected loss that is more or less the same. Expected loss can be calculated as a multiplication of the probability of default, and the financing value after collateral and guarantee value is deducted from it (that is, the expected return). This means that the financing limit for indi- vidual debtors must be set at a rate that is inversely proportional to the debtor’s probability of default. Then, the Islamic bank could improvise by setting larger limits for debtors with higher ratings and financing maturity (tenor) that is lower. This limitation system also needs to be applied at a wider scale, for example, on the maximum size that could be given for a cer- tain contract type (murabahah, salam, istishna’, qardh, ijarah, musyarakah, mudharabah), economic sector, or geographic area. The purpose is simple: to reduce the bank’s exposure to concentrated risks leading to correlated default risk, which is also known as systematic risk or systemic risk. CONCENTRATION RISK IN FINANCING PORTFOLIO Diversification strategy can be used to reduce portfolio risk. But at the same time, diversification strategy will also reduce the maximum profit achievable. The concept of high risk, high return or “al ghunmu, bil ghurmi” is cor- rect here. Islamic banks could implement diversification strategy in financing limit policy, including: limit the individual debtor’s financing amount to con- trol the size of the exposure in financing portfolio, limit the time period (tenor) of the financing of the individual debtors, limit the financing value related to the debtor’s rating, and limit the industrial and geographical con- centration to reduce the risk of systemic default. If the asset portfolio of the bank is not diversified enough, then the distribution spread of potential loss will be wider, and the amount of capital that will need to be reserved will be higher. The opposite is also true; the more diversified a bank’s financing port- folio, then the smaller the amount of capital that the bank needs to reserve.

134 RISK MANAGEMENT IN ISLAMIC BANKING Because of this, the measurement of the distribution of potential loss can be used to manage an Islamic bank’s financing portfolio’s exposure. Starting from this argument, the risk contribution of an exposure in a financing portfolio can be defined as the effect of choosing the percentile and loss distribution when the exposure is taken away from the current port- folio. If the percentile chosen is the same used to calculate the minimum required reserved capital, the risk contribution is an addition over the min- imum required reserved capital for the portfolio. This risk contribution has several characters: 1. The total risk contribution of each individual debtor is the same as the total risk of the portfolio 2. Risk contribution affects changes to the portfolio being measured, like eliminating or adding a particular exposure 3. Generally, the financing portfolio can be effectively managed with a focus on several debtors with a significant risk proportion but whose value is relatively small in the financing portfolio exposure In ranking debtors based on their risk contribution, the debtors requir- ing the largest amount of reserved capital can be easily identified. Figure 6.8 provides an interesting illustration. After eliminating a number of debtors with a small loss exposure but with the highest risk contribution, the loss distribution of the portfolio is shifted left; the effect of this is the smaller Expected loss (new) Probability of occurrence Expected Minimum capital requirement loss (old) (old) Minimum capital requirement (new) Percentile 99 Percentile 99 (new) (old) Loss in financing as a result of debtor’s default FIGURE 6.8 Risk Contribution and Risk Distribution

Financing Risk in Islamic Banking 135 potential loss faced and thus the smaller the minimum capital that will need to be reserved. When financing is overconcentrated in a particular industry sector or geographic area, portfolio diversification is reduced, and as such, this increases portfolio risk. Setting policies to limit concentration will be correlated positively with risk limitation. This is also an effective technique to control risk over the fat tails of the loss distribution and potential loss due to catastrophic events like flood, tsunami, volcanic eruption, social disorder and riots, and the like. FINANCING PORTFOLIO MANAGEMENT Policies related to financing facility should cover the portfolio diversification strategy adopted, the coverage of financing facility, the contract structure, the debtor selection process, and the debtor’s business process (or ability to pay) monitoring, as well as how the financing portfolio is managed. A good policy should be disciplined and yet flexible; it should be able to take into account that an unconventional proposal that is inadequate according to the guidelines of written parameters can still be presented manually to the board of directors to be reviewed. Policies should also be regularly reviewed and evaluated, especially under rapidly changing economic and business condi- tions, in order to maintain the bank’s ability and speed to react and adapt. The framework of financing risk management should cover the identifica- tion process over the risks that are present as well as those that have the potential to be present, the policy definition to show the risk management philosophy that is adopted, the measurement criteria or parameter for the portfolio selection process and monitoring, the risk measurement method, and the reporting mechanism that is in line with good governance principles. Rebalancing the Financing Portfolio The financing portfolio of an Islamic bank consists of various financing contracts, each with their own characteristics and business process. These differences also cause the risk factors and the time periods of possible risk occurrences to differ as well. In managing a portfolio, the financing division should at first consider the perspective of the entire portfolio. The portfo- lio profile, consisting of the rate of return, the risk level, and the expected cash flow pattern will need to be defined beforehand. This expected profile will then serve as the guidance in forming the portfolio. Then, by consid- ering the profile and behavior of the expected return, risk, and cash flow pattern of each contract, financing allocation and distribution to gain the particular preferred portfolio profile can be done. The intelligence, wisdom,

136 RISK MANAGEMENT IN ISLAMIC BANKING and perception of the human resources of the financing division are abso- lutely necessary at this stage. Why? Because this stage will determine vari- ous financing policies, like the limit per financing contract, the amount and period of the installments paid to fulfil the expected cash flow pattern, the allowable risk level per contract, and of course the margin level or expected rate of return with various constraints present. Various rules or policies at this contract level are then transformed into setting the selection criteria and terms of financing contract per debtor. In this stage, the issue of concentration risk will need to be observed. It is nec- essary to remember that the debtor composition in a portfolio has different rate of return, risk, cash-flow pattern, and maturity profiles. When a debtor leaves the portfolio for various reasons (either due to the final settlement of a financing contract, early settlement or termination, or default), it will cause a particular portfolio’s profile to change. Naturally, the financing division will then need to devise a strategy to enter a new debtor to the portfolio to return the portfolio profile to the preferred form. In the same way, entering a new debtor to a portfolio cannot merely be based by the expected rate of return, but also the portfolio’s overall balance. This rebalancing process is one that will be continuously done as long as the Islamic bank’s business is ongoing, as shown in Figure 6.9. In managing a financing portfolio, the Islamic bank should avoid the possible occurrence of the pension effect. The pension effect occurs when the recovery of funds from debtors, both through the payment of installments or final settlement, is not accompanied with the ability to rechannel them to the public. As a result, the fund is then left to lay idle in the bank and does not generate any sort of return. It is then crucial to synchronize the strategy and synergy of the financing division and the marketing division. The expertise of the marketing division in finding potential debtors with the profile and capital needs similar to the debtors, whose contracts are about to mature in the portfolio, is needed vitally by the financing division to maintain portfolio balance. As a consequence, the portfolio-balancing success of the financing division cannot be claimed as a unilateral achievement, as it is also the result of the critical contribution of the marketing division. In forming a financing portfolio, the Islamic bank should construct it from top to bottom—from the total to the smallest subcluster. The various profiles defined should be able to be defined in very specific measurements. For example, the expected rate of return of the total financing portfolio should be stated as the rate-of-return percentage of the total financing value. The same can also be said of the acceptable risk level. After that, financing portfolio clusters are formed based on the type of the financing contract. The characteristic differences between clusters will present a challenge to adjust them to fit one homogenous profile. The consequence of this is that

Financing Risk in Islamic Banking 137 Financing portfolio of Islamic bank Subportfolio based on type of financing contract Expected profile of financing Portfolio formation Profile of portfolio, include: process subportfolio, include: 1. The composition of Process of portfolio 1.Rate of return financing contract, which is monitoring, evaluation, 2. Acceptable risk level qardhul hasan, bay’ al- and rebalancing 3. Cash flow pattern muajjal, bay’ as-salam, Monitoring, istishna’, and ijarah evaluating, 2. Rate of return and 3. Acceptable risk level rebalancing 4. Cash flow pattern portfolio Diversifying portfolio Determining the selection criteria for Profile of sub potential debtor and monitoring portfolio, include: 1.Rate of return mechanism for existing debtor base on 2. Acceptable risk level the profile of sub-subportfolio created 3. Cash flow pattern Selecting potential debtor, determining Sub-subportfolio based on contract terms, and monitoring the economic sectors and debtor’s performance geographic area FIGURE 6.9 Managing Cycle in a Financing Portfolio it is better for the bank to combine the profiles of various clusters in a way that the resulting combined total portfolio profile is the same as the financing portfolio profile. This process is continued in forming sub-subcluster profiles present in the subcluster of the financing portfolio formed, and so on and so forth up to the identification of the financing profile of individual debtors. Unlike the financing portfolio formation process, in maintaining its monitoring mechanism, the Islamic bank should start from the analysis unit of the individual debtor, before then observing the effects to the sub- subcluster where the debtor is classified. After that, the bank reviews how the actual changes in the profile of the financing subcluster will affect the profile of the actual cluster containing the subcluster. Finally, the bank ana- lyzes whether any changes to the cluster profile will affect the profile of the entire financing portfolio held by the Islamic bank. This mechanism of effect aggregation is done to evaluate the influence of the difference in the perfor- mance (quality) of actual financing of individual debtors with the expected profile at the time the financing contract is entered into the overall portfolio.

138 RISK MANAGEMENT IN ISLAMIC BANKING Limiting Concentration Risk To limit concentration risk, the bank can concentrate in limiting exposure in many areas: type of contract, tenor, individual debtors, related-party, eco- nomic sector, or geographic area. The authorized supervisor has prudential regulations limiting the bank from overinvesting in individual debtors or groups related to the bank in terms of percentage of capital and reserve fund of the bank (usually around 10 to 25 percent). When the financing expo- sure exceeds the threshold, the bank faces concentration risk and will have to enact precautionary measures to prevent risk increases. The bank should place exposure limit both for new financing proposals as well as extensions of older ones, and included in this are off-balance sheet activities (contin- gent liabilities) such as guarantee, banker’s acceptance, letter of credit, and financing commitment. When the debtor is a business entity, checking its ownership structure is important. If the business is mutually associated or directly controlled by an existing debtor through dominant stockholding ownership (at least 15 to 20 percent) either indirectly or directly, or has the capacity to direct or influence the firm’s policy, then the bank will need to include it as additional exposure to an existing debtor and apply limitation rules on it. Whichever way, financing exposure from interdependent debtors generates cumulative risk, especially if their repayment source is the same (interconnected). When the bank provides financing to related parties (i.e., the bank’s parent company, subsidiaries, affiliates, dominant shareholder, directors, and key employees), the bank incurs added risk along with the increase in exposure, especially if the financing is given to parties with the capacity to affect the bank’s policies. Controlling the Financing Risk with Financial Ratios The Islamic bank will need to develop several ratios to evaluate and control bank performance related to the financing activity. Most cases of debtor default stems from the debtor’s business failure. The bank can at the very least use the following ratios to measure the performance of financing risk. Equity to Financing Ratio This ratio measures the bank’s capital adequacy in covering potential losses when the entire financing portfolio defaults. This ratio is measured as a percentage of equity to total net financing. The larger the ratio indicates the higher the bank’s capacity in absorbing potential financing losses. Equity to net financing ratio = total equity∕net financing

Financing Risk in Islamic Banking 139 Impaired Financing Ratio This ratio is measured as the percentage of gross financing in a bank’s financing portfolio that can be categorized as doubt- ful. The lower the ratio, the better the bank’s financing risk management. This ratio is useful to banks as an evaluation criterion to measure financing quality or assets owned by the bank. Impaired financing ratio = total impaired financing∕gross financing Collection Ratio Collection ratio measures the speed with which the out- standing financing portfolios can be collected by the bank or converted to cash. To evaluate the performance of the financing division and for reporting purposes, the bank can focus on a different side, other than payment (debtor) that is delinquent, by focusing on the principal of the outstanding financing to identify nonperforming portfolios. Specifically, the bank can measure this ratio for every asset category. The lower the ratio, the faster the portfolio matures or is collected into cash. Collection ratio = [ average debtor∕gross financing in the period ] Number of days in the period MEASURING FINANCING RISK IN THE ISLAMIC BANK An Islamic bank needs to measure financing risk in order to limit or reduce financing risk, classify assets, and calculate loss provision or allowance to ensure that there is enough capital to absorb anticipated risks. In reducing risk, the bank needs to create policies against concentration and limit from financing exposure over regional or specific economic sectors, over diversi- fication strategies, and over financing to parties with special relations. Asset classification would need to be periodically evaluated in order to monitor changes in the collectability of the financing portfolio and to review the effectiveness of the bank’s monitoring system. Risk-Weighted Assets Based on a Standardized Approach According to the IFSB, assets that are risk-weighted according to rating are calculated with a standard method proposed in Basel II (see Table 6.8). The financing risk rating for debtors, counterparty (or other obligors), or secu- rity is based on eligible external credit assessment appointed by supervisory authorities. The Islamic Financial Services Board (IFSB) allows the bank to

140 TABLE 6.8 Risk-Weighted Individual Assets Based on External Rating Assessment Rating (risk score) AAA to AA− A+ to A− Risk weights Below B− Unrated ECA country risk score 1 2 7 BBB+ to BBB− BB+ to B− 3 4 to 6 Counterparty Risk weight Sovereigns and central banks 0% 20% 50% 100% 150% 100% Non-central government public Subject to supervisory authorities’ discretion to treat as either IIFS, banks and securities sector entities Multilateral development banks firms (option 1 or option 2a) as sovereign IIFS, bank and securities firms Option 1: treat as sovereigns 20% 50% 50% 100% 150% 50% Option 2a: treat as IIFS, bank and 20% 50% 100% 100% 150% 100% securities firms 20% 50% 50% 100% 150% 50% Option 2b: treat as IIFS, bank and 20% 20% 20% 50% 150% 20% securities firms and maturity ≤ 3 months AAA to AA− A+ to A− BBB+ to BB− Below BB− Unrated Rating (risk score) 150% 100% Corporates 20% 50% 100%

Financing Risk in Islamic Banking 141 use an internal ratings–based approach (IRB) as long as it fulfills the mini- mum requirements set by the relevant supervisory authorities. The IFSB suggests that the portion of exposure that is not guaranteed should be charged risk-weighted over counterparty. On the other hand, the bank can use collateral as a method to reduce risk exposure through several possible approaches. First is the simple approach: The bank can directly change the risk-weighted exposure for the portion guaranteed with the risk-weighted of the collateral, where the risk-weighted of the portion guaranteed is not lower than 20 percent. The bank can apply risk-weighted of 0 percent if and only if exposure and collateral are denominated in the same currency, and collateral consists of cash on deposit or sovereign securities of value for risk-weighted 0 percent and its market value is discounted 20 percent. The second is the standard supervisory haircuts. The amount of exposure and collateral is adjusted with the standard supervisory haircut in Table 6.9. The third is internal haircuts. The bank can use its own haircut estimate to measure market price and volatility of foreign exchange, as long as the regulator approves it. The bank will need to assure that the TABLE 6.9 Standard Supervisory Haircut for Islamic Banks Residual Haircuts (%) Type of collateral maturity (years) Sovereigns Others Cash All 00 Sukuk ≤1 0.5 1 Long-term: AAA to >1 to ≤ 5 24 AA− and >5 Short-term: A−1 ≤1 48 Sukuk >1 to ≤ 5 12 Long-term: A+ to BBB− 36 >5 and All 6 12 Short-term: A−2 to A−3 15 15 Sukuk All Long-term: BB+ to BB− All 25 25 Sukuk (unrated) 15 15 Equities (included in All 25 25 main index) All Equitas (not included in Depending on the Depending on the All underlying underlying assets main index but listed) assets as above as above Units in collective ≥30 ≥30 investment schemes Physical assets pledged

142 RISK MANAGEMENT IN ISLAMIC BANKING system of internal haircut is able to fulfill several prerequisites: integration of risk measurement to daily risk management, validation over significant changes in the risk management process, consistency verification, data timeliness and reliability, and accuracy of volatility assumptions. IFSB also provides leeway in the form of reduction in the financing risk exposure for banks using murabahah, istishna’, and ijarah contracts and fulfilling several related requirements. For retail financing over individual debtor (or debtors) or small business, receivables on murabahah, istishna,’ and ijarah that do not exceed US$250,000 (or the limit set by the supervisory agency) is charged a risk-weight of 75 percent. For residential and property financing, the risk-weight for murabahah and ijarah should be 35 percent, as long as the contracts fulfill the prudential criteria set by the regulator, the property is used as collateral to the bank, the total receivable is not more than 50 percent of the market value of the collateral property, and an appropriate legal infrastructure exists to allow the bank to reposses and liquidate the property used as collateral. For commercial real estate, muraba- hah and ijarah are charged a risk-weight of 50 percent if the market is well developed and long established; is reserved for office, multipurpose premises TABLE 6.10 Risk Weight for Past-Due Receivables Type Percentage of specific provisions Risk weight for past due receivables Unsecured exposure (other 150% Less than 20% of the outstanding than unsecured portion of 100% receivables receivable partly secured by 100% residential real estate) that is At least 20% of the outstanding past due more than 90 days, 100% receivables net of specific provisions 100% At least 50% of the outstanding Exposure fully secured by 50% receivables, but regulators have other than eligible collateral discretion to reduce risk weight to 50% Exposure secured by residential real estate At least 15% of the outstanding receivables (Regulators are set strict operational criteria to ensure quality of collateral) For receivables that are past due for more than 90 days, net of specific provisions The risk weight can be reduced to 50% risk weight if specific provisions are at least 20% of the outstanding receivables

Financing Risk in Islamic Banking 143 TABLE 6.11 Credit Conversion Factor for Off-Balance Sheet Items Off-Balance Sheet Item Credit Conversion Factor Commitments 20% Maturity ≤ 1 year 50% Maturity > 1 year Unconditionally cancellable without prior notice 0% Effectively provide automatically cancellation due to 0% deterioration 20% Import or export financing (murabahah) where underlying goods/shipment are collateralized and insured and/or multitenanted premises; and is guaranteed (for murabahah). When the payment schedule of receivables (trade financing) is delinquent, the IFSB recommends that exposure should be charged with a particular risk-weight and net of specific provision (Table 6.10). Risk-Weights on Off-Balance Sheet Activities In a standardized approach, off-balance sheet items are converted to the equivalent financing exposure using a credit conversion factor (Table 6.11).

7CHAPTER Operational Risk in Islamic Banking Operational risk is tightly connected with the bank’s daily business. This is the oldest risk known to banking and any other business in the world, rec- ognized far earlier than financial risk and other nonfinancial risks. The age of this risk is probably as old as the age of the banking industry itself. This risk existed before all other risks existed, and will always be present along with a business’s operations. This risk usually occurs due to human factors, inter- nal processes, systems, technology, noncompliance with legal/internal rules, or other external factors like natural disasters, riots, war, and so forth. Compared to the conventional bank, the operational risks faced by the Islamic bank are much larger and more complex. In principle, the operational risk attached to a business organization is extremely reliant on the business processes used by the organization. Even if in general the business processes of an Islamic bank and a conventional bank are more or less the same—that is, to engage in a “production” process from its input in order to produce output—on a more detailed technical level the Islamic bank has many differences compared to the conventional bank. At a product level, both in depository products as well as financing ones, the Islamic bank has a higher variety of products, and as such the opportunity for operational risk to occur is also larger. For a conventional bank, the variety of products offered in both the depository and financing is much simpler and the operational risks faced are relatively smaller. Other than that, the Islamic Financial Service Board (IFSB) has stated in their rules that syari’ah compliance risk is also included in operational risk, thus increasing the scope of operational risk that must be managed by the Islamic bank. Because of this, for an Islamic bank in the form of an Islamic business unit (Islamic window), the calculation of its operational risk should be done separately from its parent company’s operational risks. URGENCY OF RISK AWARENESS Awareness of operational risk can begin by building awareness to potential risk factors. These factors can originate from something trivial-seeming to Risk Management for Islamic Banks: Recent Developments from Asia and the Middle East. Imam Wahyudi, Fenny Rosmanita, Muhammad Budi Prasetyo, Niken Iwani Surya Putri. © 2015 by John Wiley & Sons Singapore Pte. Ltd. Published 2015 by John Wiley & Sons Singapore Pte. Ltd. 144

Operational Risk in Islamic Banking 145 something that looks dangerous from the beginning. An example of opera- tional risk is negligence in placing electrical outlets or hubs near a wet area, which can cause a fire. Operational risks can also happen by mistyping the amount of deposit or financing approved, or they can happen in the noncom- pliance with agreed-upon credit approval procedures in channeling one. In addition to being caused by internal factors, which can be anticipated to a certain degree, operational risk can also be caused by external factors that are more difficult to predict. Examples of these include natural disasters such as floods, typhoons, hurricanes, and earthquakes; information system hacks by outside parties; and riots. The still-memorable Indonesian riot of 1998 destroyed public trust in the banking system at that time, and a large-scale rush happened. Hundreds of people were willing to stand in line in the main streets of Jakarta, from Sudirman to the HI rotunda, to save their savings from the banks. Another notorious case occurred in financial report manipulation by the Enron Corporation, a U.S. energy company. In 2001, Enron caused a furor after it was proven that the company was providing its financial statements only after they were systematically manipulated. The exposure caused the firm’s stock price to freefall. The act was so unprincipled and its manipula- tion so unrepentant that it drove Enron and its auditor, Arthur Andersen, into bankruptcy. This case triggered the construction of the Sarbanes-Oxley Act, which detailed standards that all public companies in America would need to fulfill in order to protect the interests of their stakeholders, especially their investors. The birth of this regulation has actually driven many public companies to go private, as the costs that must be borne to fulfill the requirements and disclosure requested by the Act are considered expensive. When even large and old companies can easily fall due to operational risks, then how can firms that have just been established, like many Islamic banks, withstand this risk? With their young age, Islamic banks are still vul- nerably exposed to operational risk. The limitations of the required human resources both quantitatively and qualitatively, of support from informa- tion system and technology, and of an inadequate core banking system can trigger operational risk. This is especially true when one considers that many systems already in place in modern banks cannot be transplanted wholesale for use by Islamic banks. These challenges also increase the operational risks faced by the Islamic bank. OPERATIONAL RISK COVERAGE IN ISLAMIC BANKS Basel II defines operational risk as “risk of loss resulting from inadequate or failed internal processes, people or system, or from external events.” This definition limits operational risks into two subsets: risks that occur

146 RISK MANAGEMENT IN ISLAMIC BANKING from internal system mistakes (both due to the system itself as well as per- sonal human errors) and risks that occur from external events. The IFSB has expanded on the prior definition of operational risks by adding two more subsets: risks that occur due to an Islamic bank’s noncompliance with syari’ah principles, and risks that occur due to the Islamic bank’s failure in fulfilling its fiduciary obligations. The IFSB considers syari’ah noncompli- ance a significant factor, so affecting the degree of operational risks faced by the Islamic bank that it cannot be ignored. Unlike other types of risks (market risk, credit risk, etc.), operational risk is a type of risk that is difficult to measure and calculate because of the difficulty in collecting valid data needed for the measurement and calculation process of operational risks. In operational risks, the source of risk is diffi- cult to pinpoint because the “event actor” that causes the operational risk is often difficult to identify, especially if the operational risk that occurred is related to fraud. Yet when seen from the effects caused by operational risk, the negative impact is usually significant. There are many cases of opera- tional risk that occur very rarely, but when they do, the loss caused is very significant. The fraud case in Barings Bank is an example of just how large the impact of the operational risk is. Scope of Operational Risk In this section, various operational risks are described, apart from syari’ah noncompliance risk, which will have its own chapter. People Risk Operational risks generated by employees can be caused by incompetence, negligence, or fraud. People risk can occur through events that are intentional as well as unintentional. Incompetence and negligence in general are unintentional events, while fraud is always intentional. Both unintentional and intentional people-risk events cause a significant amount of damage to Islamic banks. As an example, the inability of an Islamic bank’s officers to understand the standards of syari’ah principles can cause the exe- cution of transactions that are not syari’ah compliant. Noncompliance with syari’ah principles causes the Islamic bank to be unable to claim the income generated from the transaction. If the transaction is large enough in size, then the Islamic bank suffers a significant loss. An example of this is the loss suffered by the Dubai Islamic Bank in 1998 due to an unauthorized loan of US$242 million done by an officer. Not only did the bank have to bear US$50 million, the bank also had to fulfill the withdrawal of US$138 million in savings (equal to around 7 percent of total deposits in DIB) because of fraud done by the bank’s officer. Ironically, many cases of loss suffered from people risk are caused by fraud and unauthorized trading.

Operational Risk in Islamic Banking 147 Risks related to human resources are dangerous to the Islamic bank, and special attention from the Islamic bank’s management is needed in order to manage it properly. The management can use several methods to pre- vent personnel risks; among them is the employee recruitment process that is tailor-made to the particular Islamic bank’s culture. As an example, sev- eral Islamic banks in Indonesia not only test their potential employees with cognitive tests and those about banking knowledge, but also with psycho- logical profile tests, group discussions, case studies, interviews, and tests of understanding of Islamic principles. At the time of new employee training, the management also supplies the new employees with training to improve emotional and spiritual intelligence. All these stages are done in order to ensure the acquisition of human resources who are not only technically com- petent but also possess adequate restraint through their moral and religious understanding. As such, the two types of human mistakes above, of mistakes and intentional violations, can be prevented as early as possible. Technology Risk A bank is a business institution that requires technological support. The more complex and varied the service provided by the bank to the public, the higher the bank’s technological needs will be. Seen from a business perspective, an Islamic bank’s inability to effectively and efficiently use information technology will contribute to the Islamic bank’s obsolescence. The Islamic bank should thus commit to using information technology well in order to fulfill the requests of its varied clients effectively, to fulfill regulatory requirements, and to fulfill the Islamic bank’s internal needs. Risk-wise, weak utilization of technology and information systems can render the Islamic bank vulnerable to operational risk, especially technology-related operational risks. In the application of technology and information systems, the Islamic bank should ensure that the system used is appropriate to the bank’s business process and particular needs. Technology risk can occur not only from the obsolescence of the technology used, but also from the system’s incompatibility with what the bank needs. Syari’ah Compliance Risk In a document related to the standards of risk management practice for Islamic banks, the IFSB states that syari’ah compliance risk in an Islamic bank occurs when an Islamic bank fails or doesn’t comply with the various syari’ah principle provisions and standards set by the syari’ah board where the Islamic bank operates. For the Islamic bank, compliance with various syari’ah principles is strictly required for every Islamic bank. Noncompliance with syari’ah principles means that an Islamic bank will enter a transaction that is prohibited by the Islamic syari’ah. Each product and transaction done by the Islamic bank should be fully in compliance with syari’ah principles. Any violations over syari’ah

148 RISK MANAGEMENT IN ISLAMIC BANKING principles can cause the contract entered to be void. If the contract generates profit, then the profit cannot be recognized as income. Fiduciary Risk Fiduciary risk is tightly related with the Islamic bank’s function as intermediator between the owners of excess funds and debtors lacking in them. Fund owners entrust their funds to the Islamic bank to be managed as well as possible by channeling these funds to other parties lacking funds for their enterprises. An Islamic bank’s inability to choose profitable investment opportunities will contribute to a high volatility of the income received by the Islamic bank. Under those conditions, the Islamic bank will be unable to: (1) fulfill its responsibilities to the current account holder when the depositor wants to withdraw funds from it, and (2) protect the interests of the investment account holder who had entrusted the Islamic bank to invest his or her funds. If this happens, this risk could spread to reputation risk for the Islamic bank and could proceed to fund withdrawal risk from the customer or capital withdrawal risk from shareholders. If not immediately settled, it will create a liquidity risk for the Islamic bank. Fiduciary risk can be prevented through improvements in financing policy (i.e., better selection processes before channeling financing) and the appropriate application of asset-debt management policy. Legal Risk The IFSB states that legal risk falls under operational risk. Yet many people considered that legal risk should not be included in the oper- ational risk category. One of the main reasons for that opinion is the consideration that legal risk is unpredictable, and thus difficult to measure. In some cases, legal risk truly occurs from external rather than internal factors. Legal risk can still happen even when the Islamic bank has done its best to comply with the positive laws in force. Legal risk can happen when the Islamic bank or its employees commit acts that violate the law; this generates sanctions on the bank that it must fulfill. It can also happen when the Islamic bank is involved in a legal case due to some misinterpretation of the laws and regulations involved. This usually happens when the law and regulation are expressed in a language that is too general and thus allow for multiple interpretations. Additionally, legal risk can also happen due to changes in the law and other regulations. With these in mind, it is important for the Islamic bank to retain law experts of its own among its staff. Reputational Risk This risk is also known as “headline risk,” closely approached nowadays by the term “Twitter risk.” This risk does not only have the potential to cause loss for the bank in question, but also the banking industry in general. This risk can also increase the risk of customer fund withdrawal, shareholder capital withdrawal, and liquidity risk.

Operational Risk in Islamic Banking 149 This risk can be mitigated by regular supervision, the standardization of syari’ah banking’s operational procedures, independent evaluation by each Islamic bank, and the like. This risk is very close to strategic risk and will be covered in more detail in the next chapter. IDENTIFICATION OF OPERATIONAL RISK FACTORS In identifying operational risk in an Islamic bank, it would be better to under- stand first how operational risk is classified. Generally, operational risk is divided into five groups, based on the nature of the risk, on the effects on the Islamic bank, on the amount of expected loss, on the frequency and severity, and on hazards, as shown in Figure 7.1. Based on the nature of operational risk, there are two sources that can cause operational risk: internal and external causes. Basel II states that oper- ational risk of internal sources is caused by fraud, misappropriation of prop- erty, or circumvention of regulations, law, or company policy. Included in it is intentional error in reporting, theft or corruption by employees, and insider trading on employee accounts. While in an Islamic bank, the bank’s failure to comply with syari’ah principles in various banking products and the bank management’s inability to fulfill its fiduciary responsibility are also Nature of Risks Internally People risks, tech risks, fiduciary inflicted risks, syari’ah compliance risks Impact of the Externally Risks inflicted Legal risks and other operational risks Degree of Direct Operational Expectancy Risks Indirect Frequency and Severity Expected Hazard, Event, & Unexpected Consequence Type High frequency low severity Low frequency high severity FIGURE 7.1 Identification of Operational Risk

150 RISK MANAGEMENT IN ISLAMIC BANKING included in operational risks of internal source. Other than that, sources of internal risks can also come from technology risks such as program- ming errors, disturbances in the operation of the bank’s information system due to the installation of new application and parts, or an incompatibility between the bank’s contract characteristics and the information technology installed in the bank’s information systems. In the banking industry, the information system plays a vital role. It is therefore pertinent for the Islamic bank to ensure that the information system used is operational and accurate. In reality, it is necessary for the bank to periodically perform updates and maintenance on the technology used, and during those times, the system’s functioning usually experiences some degree of disturbance. This condition can still be anticipated, and should thus be clarified to all customers well beforehand to avoid any major transactions using the banking information system around the time. For external sources of operational risks, examples would include fraud done by outside parties (debtors or depositors), hacker attacks on the bank’s information system, abrupt changes in the regulatory regime, and other factors outside the Islamic bank’s control. The Islamic bank can better prevent some external factors by constructing a tighter and more comprehensive system to handle it. Fraud done by external parties, for example, usually happens due to the presence of a loophole or weak- ness in the bank’s standard operating procedures in approving transactions. Improving the standard operating procedure will reduce the rate of external fraud occurrence. As for external causes that are not easily controllable, the Islamic bank should improve its ability to respond quickly to those various causes (perhaps by preparing possible scenarios beforehand), thus minimiz- ing any potential losses. Based on the effects of loss the Islamic bank can experience from an event, operational risk can be differentiated into two types: direct and indi- rect. Direct risks are all types of risks that will directly affect the Islamic bank when a risk event occurs. As an example, when an officer in an Islamic bank responsible for a foreign currency transaction misprices a transaction, the bank suffers the loss directly at the event. Basel II has set guidelines regarding the regulatory capital calculation estimate set by the Islamic bank based on calculations of direct loss, as can be seen in Table 7.1. The indirect effects of operational risk are usually tightly related with opportunity costs occurring from loss-causing operational risk events. For example, when a human error or system error occur in a transaction, the bank will need to expend some amount to replace the loss experienced or to repair the system. Those costs are the indirect effects of operational risks on an Islamic bank. As such, in many operational risk events, the occurrence of operational risk can cause a double negative effect to the Islamic bank.

Operational Risk in Islamic Banking 151 TABLE 7.1 Direct Loss Types in Operational Risk Loss Type Contents Write-downs Direct reduction in the value of assets due to theft, fraud, unauthorized activity, or market and credit losses arising Loss of recourse as a result of operational events. Restitution Payments or disbursements made to incorrect parties and not covered Legal liability Regulatory and Payments to clients of principal and/or interest by way of restitution, or the cost of any other form of compliance compensation paid to clients. Loss of or damage to Judgments, settlements, and other legal costs. assets Taxation penalties, fines, or the direct cost of any other penalties, such as license revocations. Direct reductions in the value of physical assets, including certificates, due to an accident, such as neglect, accident, fire, and earthquake Source: Basel Committee on Banking Supervision Operational Risk—Supervisory Guidelines for the Advanced Measurement Approaches (Basel, Switzerland: Bank for International Settle- ments, 2001). Based on degree of expentancy in calculating possible losses, the Islamic bank should be able to estimate expected loss as well as unexpected loss. Expected loss is the sort of loss that occurs regularly enough that both the frequency as well as the severity can be predicted by the Islamic bank. Examples of expected loss include loss that occurs due to a teller’s bookkeeping mistake, minor credit card fraud, and the like. Thus, expected loss is one that can be anticipated beforehand, even if it does not always occur. Unexpected loss is the type of loss that cannot be easily predicted by the Islamic bank. Usually, unexpected loss occurs from infrequent events, causing significant losses for the Islamic bank. An early document of Basel II published in 2001 states that the minimum capital charge for the opera- tional risks of every bank should be enough to cover expected loss as well as unexpected loss, with an emphasis on unexpected loss. As for expected loss, the bank usually sets a provision for every type of operation risk event that is predictable and occur regularly. But the calculation of minimum capital charge for operational risk covering both expected loss and unexpected loss is not easy, especially due to the presence of accounting bias, which can potentially distort the calculation results. As an example, the size of the pro- vision that needs to be set aside by a bank usually only exists after the first of a particular event has happened, in case the event will be repeated in the future. This is not in accordance with the philosophy of reserving capital for

152 RISK MANAGEMENT IN ISLAMIC BANKING Frequency of Loss Expected Unexpected Unexpected (Dangerous) (Catastrophic) Magnitude of Loss Loss Operational risk capital No capital provisions coverage absorbed FIGURE 7.2 Coverage of Operational Risk operational risk, where the existing provision should be used immediately to absorb the loss occurring from an operational risk event. Basel II was revised in 2004 due to this, to accommodate the bias. The minimum capital charge illustration for operational risk can be seen in Figure 7.2. Like other types of risk faced by the Islamic bank, operational risk can be divided according to the frequency of its occurrence and its severity. The combination of the two attributes generates four risk conditions that can be faced by the Islamic bank for all types of operational risk: low frequency/low severity, high frequency/low severity, high frequency/high severity, and low frequency/high severity. These can be seen in Figure 7.3. As explained before, expected loss usually falls under the high frequency/low severity category. Operational risks within that category are easy to identify and are usually already anticipated by the Islamic bank’s management. On a different note, unexpected loss falls under the category of low frequency and higher severity because the majority of loss that is unpredictable previously happened on a low frequency and yet with a high impact to the bank. Figure 7.3 shows that the most extreme risk suffered by the Islamic bank happens when an occurrence falling under the category of high fre- quency and high severity happens to the Islamic bank. But according to other practitioners and researchers, events that fall under the category of high frequency and high severity are almost impossible in a particular field of business, because most people would avoid entering an industry where the risk of experiencing large losses exist and can happen frequently too, as the

Operational Risk in Islamic Banking 153 High Frequency/ High Frequency/ Low Severity High Severity Loss Frequency Low Frequency/ Low Frequency/ Low Severity High Severity Loss Severity FIGURE 7.3 Frequency and Severity of Opera- tional Risk potential to create any sort of profit in the business is then low. Similar things can be said of events in the category of low frequency and low severity that are generally not relevant with operational risk management that the Islamic bank needs to face. Because of these stated reasons, in an operational con- text, events that fall within the category of high frequency/low severity and low frequency/high severity received special attention from various firms, including Islamic banks. Events that are high frequency/low severity can have a major impact for the Islamic bank. Even if the amount of loss per event is small, if those losses are ignored, the accumulated loss suffered by the bank can easily pile up. Events that are low frequency/high severity are events of unexpected loss that happen very rarely, but if they ever occur, the damages suffered from the event by the Islamic bank are very big and, in several cases, can even cause an Islamic bank’s bankruptcy. Because the effect is so large, the Islamic bank should also pay attention to all events in the category of low frequency/high severity. At last, one of the most challenging aspects of operational risk is its wide scope, beginning from the hazard or event to the consequences of operational risk. Because of this, any analysis related to operational risk cannot begin at the event level, but should start from the hazard level. The definition of hazard is a condition or character, both in terms of physical traits or those of behavior and character, that influences the probability of a dangerous event’s occurrence. Event is everything that can cause the occurrence of loss to an Islamic bank. The relationship between hazard, event, and consequences is a relationship of cause and effect. The event is the effect of the presence of a hazard and the cause of consequences or loss. It can be concluded that both

154 RISK MANAGEMENT IN ISLAMIC BANKING hazard and event are the cause of loss. Every loss (consequence) should be associable with an event that causes the loss, while every event should be relatable to one or more hazard that causes it to happen. As such, identifi- cation of comprehensive operational risk should be able to cover all three. Incompleteness in identification can cause operational risk management to have reduced effectivity. Other than that, identifying the three elements will also be useful for the Islamic bank in creating risk management policies. In general, the relationship between hazard, event, and consequences is illus- trated by Figure 7.4. According to Figure 7.4, poor internal management (employee, oper- ational standards, etc.) can cause all forms of internal fraud, generating consequences in the form of write downs (devaluation of asset value, losses in the market as well as from unauthorized credit transactions). Obsolete computer systems and inexperienced personnel can cause the bank to be more vulnerable to all forms of external fraud. Seen from the characteristics of the Islamic banks, some of which are very different from conventional banks, the number and types of hazard that can occur in an Islamic bank can possibly be higher and larger than conventional banks. This is because Causes HAZARDS EVENTS CONSEQUENCES • Inadequate employee • Internal fraud (e.g., • Write downs management unauthorized trading, • Loss of recourse theft) • Restitution • Obsolete computer • Legal liability systems • External fraud (e.g., • Regulatory and credit card fraud) • Inexperienced compliance (e.g., personnel • Diversity/ fines, penalties, and discrimination events taxation) • Large transaction • Loss of or damage to volumes • Improper business physical assets and market practices • Other • Diversity and cultural differences • Failed/inaccurate reporting • Unfavorable climate conditions or • System failure geographical • Natural disasters conditions FIGURE 7.4 The Taxonomy of Operational Risk Source: Hylmun Izhar, “Identifying Operational Risk Exposures in Islamic Banking,” Kyoto Bulletin of Islamic Area Studies (2010).

Operational Risk in Islamic Banking 155 the types and number of hazards are related to the business processes of the Islamic bank. The scope of a conventional bank’s business is mostly limited to the financial sector, while the Islamic bank’s business covers the finan- cial sector and the real sector. As such, the hazards and events faced by the Islamic bank will be far more varied than a conventional bank. We can see several unique hazards that are only experienced by the Islamic bank and not by the conventional one. For example, in a financing product based on the MPO contract (murabahah purchase order), there is a hazard in the form of nonfinancial uncertainty from an external source, the potential debtor. The MPO contract began with the order (promise from a debtor to the Islamic bank), and based on that promise, the Islamic bank buys the goods that will be the object of the contract from the supplier. According to the rules of syari’ah, the debtor is still given the rights to khiyar (option) whether to continue with the sale transaction or to cancel it. This condition becomes an uncontrollable hazard for the Islamic bank. The hazard opens the bank to the possibility that the potential debtor will cancel the intent to enter into a sale contract with the bank after the bank already purchases the object from the supplier. If that event happened, the Islamic bank will suffer several possible losses: the loss of potential debtor, the loss of market share from financing, exposure to market risk due to possible reduction in the price of goods bought, and the presence of expenses to cover for the inventory costs of goods that have already been bought. Another example is an event in which the Islamic bank failed to comply with various syari’ah principles in several of the products that it offered. This event can be triggered by various types of hazards, among them inadequate employee knowledge in fiqih mu’amalah, especially in the product division; vagueness on several important points in the contract; and incompatibility between the information system used by the bank and the bank’s syari’ah-compliant business processes. An employee’s limited understanding with regards to fiqih mu’amalah can potentially cause many of the Islamic bank’s products to be noncompliant with syari’ah principles. OPERATIONAL RISK IN ISLAMIC FINANCIAL CONTRACTS This part will specifically cover operational risk attached to various contracts that are often used by the Islamic bank in channeling financing to the public. Even though there are various financing contracts that can be used by the Islamic bank, this segment only covers contracts that are widely used by Islamic banks in many countries, that is the murabahah, salam, istishna’, mudharabah, musyarakah, qardh, and ijarah contracts.

156 RISK MANAGEMENT IN ISLAMIC BANKING Murabahah Contract The following are the types of operational risks attached to the murabahah contract. First is syari’ah compliance risk. This occurs whenever the Islamic bank provides money to the debtor, either through a standard murabahah contract or a murabahah contract with order; the exchange that thus hap- pens is between money and money, not money and goods. Any additional markup that occurs and can be enjoyed by the Islamic bank is thus consid- ered usury. Apart from that, the Accounting and Auditing Organization for Islamic Financial Institutions (AAOIFI) stated in their murabahah standard operating procedures that the Islamic bank must truly own the asset that will be sold through a murabahah contract before selling that asset to the debtor in the murabahah contract. As such, the Islamic bank should observe care- fully the technical order of the murabahah contract scheme. Any violation on the order of events can result in the annulment of the contract’s lawful (halal) status. Second is fiduciary risk. This occurs whenever the Islamic bank is unable to present a good or asset that is in accordance with the specifications that have been requested by the potential debtor. If this happens, the potential debtor can decide to cancel his or her previous promise to buy from the bank. Third is people risk. This can happen from two sides, on the side of both the buyer and seller. The potential debtor acts as a buyer, while the Islamic bank can act as a buyer (when the bank is buying from a supplier) as well as a seller (when the bank sells the asset it has bought to the buyer or potential debtor). People risk on the side of the Islamic bank occurs when- ever the employee responsible does not have the competence to purchase the good needed by the potential debtor (buyer), and causes the goods bought to be inadequate for the debtor’s purposes. On the side of the debtor (buyer), people risk occurs when the debtor cancels his or her promise to buy the asset from the Islamic bank. Fourth is legal risk. This occurs whenever there is incongruence between syari’ah principles and the legal regulations covering the Islamic banking industry in a country. It seems from the outside that a murabahah contract has many similarities with a loan contract in a conventional bank, because the basis of a murabahah contract is a sale contract that causes a loan to occur as the object is purchased in installments. Yet the margin/mark-up in a murabahah contract is still not the same as the loan interest in a conven- tional bank, as it is only there because of the presence of the asset sold and the amount is also closely related to it too. In a country where the Islamic banking industry still has a low market share, the regulations applied are still based on interest, and the banking authority in every country sets the limit on the level of interest chargeable by any bank. Because margin is different from interest, the rules limiting loan interest should not apply to Islamic banks.

Operational Risk in Islamic Banking 157 The implication of this is that the Islamic bank can set margin rates above the prevailing market rate. Yet the Islamic bank should also observe the legal effect of such behavior. If the prevailing regulations consider margin the same as interest rate, then the Islamic bank should adjust to it. Salam Contract The following are several operational risks inherent in a salam contract. First is syari’ah compliance risk. This occurs when the price of the subject commodity of the salam contract cannot be paid in advance, or if there is a delay in payment. Under those conditions, neither the seller nor the buyer have the capability to enter into a sale contract; if both insist on doing so, any sale contract they enter into will be based on mutual debt, such that this type of contract is called a kali bil kali contract (selling debt with debt). In a salam contract, the payment of the whole price in advance is a requirement that absolutely must be fulfilled to ensure the validity of the contract itself. Apart from that, syari’ah compliance risk can also occur in a parallel salam contract, when the first and second salam contract are contingent on each other in any way, thus allowing one of the contracts to void itself if the other fails. In a parallel salam contract, the first and second contracts must be independent of each other. Under these conditions, if the seller of the first salam contract (debtor) defults, the Islamic bank would still have to fulfill its responsibility as a seller in the second salam contract. The AAOIFI does not allow any penalty to be charged to the seller when the seller fails to deliver the commodity at the agreed-upon time. This is because the delay does not void the seller’s debt to the buyer (in this case, the commodity), and the responsibility to pay that still holds. Under conditions of debt, any penalty of additional payment on the debtor can be considered as usury, and thus is not allowed. Second is fiduciary risk. This can occur when the commodity that is sent is of a lesser quality or of a quality that is not the same as agreed in the contract. Fiduciary risk also happens when the price set is the original price and not the discount price. Third is people risk. This can occur when the seller defaults in deliver- ing the subject commodity of the contract at the agreed-upon time, or the commodity that is delivered does not fulfill the specifications requested in the contract. The Islamic bank can minimize this risk by asking the seller to set a certain quality management standard to be used in the process. Fourth is legal risk. This occurs if the legal framework of Islamic banking in the jurisdiction of the bank’s operational area does not allow the Islamic bank to involve itself directly in the real sector. The Islamic bank’s involve- ment in a salam contract requires the Islamic bank to be directly involved in a real sale, both as a buyer and seller. Because of this, the Islamic bank should

158 RISK MANAGEMENT IN ISLAMIC BANKING examine in detail the rules covering the bank’s operational activities and ana- lyze what “loopholes” can be used to legalize the bank’s salam transactions. Fifth is technology risk. In a banking system used to the business pro- cesses of conventional banks, salam-based financing will require the bank to massively modify its information system, especally if the bank uses the parallel salam contract. Often the Islamic bank still uses the recordkeeping methods of conventional banks, so that the implementation of the salam contract becomes complicated and fraught with troubles. Istishna ’ Contract The following are the operational risks inherent in an istishna’ and a parallel istishna’ contract. First is syari’ah compliance risk. This can occur when the istishna’ contract is used as hilah (ruse) to enter transactions that are effectively usury-based. This can happen when the party acting as the buyer placing the order is the contractor himself. The contractor acts as a buyer to the Islamic bank, and the Islamic bank subcontracts the contract to the contractor, so that the transaction winds up being very similar to an ‘inah sale. As with the parallel salam contract, two istishna’ contracts in a parallel istishna’ should be independent from each other and done separately. If the two istishna’ contracts are clearly contingent on each other and are done at the same time in a single contract, then the contracts clearly violate the stipulations of the Islamic syari’ah. Second is fiduciary risk. This can occur when the subcontractor fails to fulfill the quality standard specified by the customer in the istishna’ contract. Third is people risk. This can occur when a breach of contract occurs, where the Islamic bank is unable to finish the task within the allotted time frame. This usually happens when the subcontractor experiences a delay in finishing the manufacture or construction of the requested object. Fourth is legal risk. This can occur when the Islamic bank is directly involved in an istishna’ contract. In an istishna’ contract, the Islamic bank usually acts as the contractor responsible in finishing the construction of the asset ordered by the debtor. As in a salam contract, the Islamic bank should identify whether there are any rules or regulations that allow the Islamic bank to act as a contractor in an istishna’ contract. Fifth is technology risk, which can occur when the accounting informa- tion system used by the Islamic bank does not accommodate the particular characteristics of an istishna’ contract. Ijarah Contract In both the ijarah and the ijarah mumtahia bi tamlik (IMBT) contracts, the Islamic bank should own the asset (or benefit) beforehand before leasing

Operational Risk in Islamic Banking 159 it to the debtor, thus the operational risks related to asset ownership are similar to the operational risks attached to the murabahah contract. Other operational risks inherent in the ijarah and IMBT contracts are as follows. First is syari’ah compliance risk. This can occur in various conditions in an ijarah or IMBT contract. In an ijarah contract, the debtor acts as the lessee, and is responsible for periodically (usually monthly) paying the lease (ujrah). If the Islamic bank sets penalties for any delay of the debtor’s in paying the lease, then the act is not syari’ah compliant. Any delay of the debtor in paying lease would then cause the debtor to incur additional debt that the debtor owes to the Islamic bank. If the Islamic bank requires addi- tional payment of funds for the penalty, then that addition is usury. In an IMBT contract, violation of syari’ah principles can occur when the Islamic bank merges an ijarah and a sale contract into one when the contracts are settled between the Islamic bank and the debtor. This merging of contracts causes the IMBT contract to be equivalent with financial or capital lease transactions commonly used in conventional financial institutions. Second is fiduciary risk. This can occur when the Islamic bank (as the lessor) is unable to maintain the asset leased to the debtor (lessee). Accord- ing to the AAOIFI, maintenance of the leased asset is the responsibility of the Islamic bank as lessor. The purpose of leased asset maintenance is to preserve the value of the asset’s benefit, so that the debtor (lessor) can experience the appropriate benefit in return for the lease paid periodically. Failure in asset maintenance leads to deterioration of the asset’s benefit, thus causing the Islamic bank to fail in “sending” the benefit to the debtor. Third is people risk. For any delayed lease payment, the Islamic bank, as lessor is not allowed to set penalty in the form of additional cost charged to the lessee. Incomprehension on the part of the Islamic bank’s employees with regard to this issue is a form of people risk in ijarah contract that will lead to syari’ah compliance risk. Fourth is legal risk. This can occur when the existing legal framework does not allow Islamic banks to own assets for lease. In an ijarah con- tract, the Islamic bank acts as lessor, leasing the asset to debtors. Because of this, the Islamic bank Islam will have to own the asset, or at least lay claim to the rights to utilize the asset that will be leased. Fifth is technology risk. This can occur when the accounting information system used by the Islamic bank does not accommodate the characteristics of the ijarah contract. Syirkah Contract The operational risks inherent in a syirkah contract are as follows. First is syari’ah compliance risk, which can occur when the profit-sharing cal- culation used by the Islamic bank is based on expected profit instead of

160 RISK MANAGEMENT IN ISLAMIC BANKING actual profit. Expected profit is the Islamic bank’s prediction on the poten- tial profit that the business can generate, and is usually calculated at the beginning of the contract. The realized profit of the financed business can be larger or smaller than the profit previously calculated by the Islamic bank. According to syari’ah principles, the profit that can be divided and shared is only actual profit, not expected profit. Second is fiduciary risk. Every misconduct by a partner in a syirkah con- tract is a source of fiduciary risk. The Islamic bank’s position in the syirkah contract is usually as the passive partner, not actively involved in the man- agement of the financed business. Misconduct can thus happen when the Islamic bank is negligent in monitoring the management of the financed business activity. Third is people risk. Incompetence on the part of the bank’s employees and its debtors is a source of people risk in a syirkah contract. People risk occurs when an officer from the Islamic bank is unable to assess risk ade- quately, and the debtor managing the business is not competent enough in doing so. Fourth is legal risk. This can occur when there are regulations set by the banking authority responsible for the Islamic banking industry that prohibits the bank’s involvement (in the form of ownership or investment) in the real sector. While in a syirkah contract, the Islamic bank gains ownership in the financed business. This difference in principle is a source of legal risk in a syirkah contract. MEASUREMENT OF ISLAMIC OPERATIONAL RISK After the identification of operational risk is done, the Islamic bank can summarize all those risks in a matrix, as in Figure 7.5. The process of identi- fying operational risk is sometimes perceived as something that takes a long time and tends to be confusing. This is because operational risk is closely related to other risks. But if the identification of operational risk is not done appropriately, then risk measurement in general will be more difficult. The potential loss caused by each type of operational risk becomes difficult to calculate. If the loss potential over operational risk is incalculable at the cur- rent time, then the process of allocating capital to cover the potential loss cannot be done yet. Generally, losses occurring due to a bank’s operational risk can be divided into three groups. These are losses that take the form of payments to external parties, losses in the form of decreases in value of the bank’s assets, and lastly, losses suffered from the necessary expenses that the bank needed to spend to return condition to before the risk manifested into loss. This loss still does not include the costs expended by the bank for

Operational Risk in Islamic Banking 161 Mitigate Avoid Loss Frequency Accept or prevent Mitigate with internal control Loss Severity FIGURE 7.5 Operational Risk Based on the Frequency and Effects of Its Occurrence risk control and preventive measures. These losses are the ones that will be translated in various risk measurement methods, like value at risk (VaR). Operational risk measurement in an Islamic bank can utilize the guide- lines published by the IFSB or the Basel III. The guideline for operational risk measurement published by the IFSB mentioned that there are three approaches that can be used to measure operational risk: the basic indicator approach (BIA), the standardized approach (SA), and the alternative stan- dardized approach (ASA). Basel II mentions three approaches that can be used to measure operational risk: the BIA, SA, and advanced measurement approach (AMA). IFSB does not use AMA in its guide in measuring operational risk as Basel II does, but that does not mean an Islamic bank cannot use the approach. Basically, every approach used is designed with the intention of measuring operational risk, and does not have any bearing on the Islamic bank’s business processes. In the guidelines published by the IFSB, Islamic banks in all countries are advised to use the BIA in preference to the other two approaches. Use of the SA and the ASA is possible as long as the bank receives permission from the local regulator. Usually, the banking authority in each country will judge the readiness of each Islamic bank to use the two approaches. Accord- ing to the IFSB, the regulator can permit the Islamic bank interested in using the SA or AMA to do so if the Islamic bank is already able to maintain a good operational risk management framework, and included in the list of risks managed is syari’ah noncompliance risk. Apart from that, the regula- tor should also ensure beforehand that the Islamic bank interested in using

162 RISK MANAGEMENT IN ISLAMIC BANKING one of the two approaches has a line of business that is clear and appro- priate according to what is written in the guide. IFSB (2005) states that the Islamic bank can calculate capital based on operational risk using the BIA or SA method, as set in Basel II, yet these two methods need to be adjusted before being used by an Islamic bank. The use of gross revenue as a base indicator of operational risk is possibly a mismodeling, because the major- ity of financing in an Islamic bank is based on varied contracts, like sale, rent or lease, and partnership (syirkah). Other than that, in syirkah contracts of profit–loss sharing, like mudharabah and musyarakah, the revenue that is the depositor’s by right should first be excluded from the calculation of the bank’s gross revenue. Basic Indicator Approach (BIA) The BIA is simplest operational risk measurement approach. Using this approach, the Islamic bank only needs to set aside 15 percent of its average positive revenue in the last three years. Thus, the capital charge for operational risk can be calculated using the following formula: Op. Capital = 15% × Gross Income Gross income in the above formula consists of the components: ■ Net income from financing activity, which has not been deducted by provision components, operating expense, and depreciation for ijarah asset ■ Net income from investment activity; included in this is the portion of profit gained by the Islamic bank from channeling financing using musyarakah and mudharabah contracts ■ Fee income (e.g., comission, agency fee) ■ The portion of revenue that has to be distributed to the investment account holder and other account holder; this component reduces the total from the previous three components Gross income includes all income that will be allocated for restricted and unrestricted profit sharing investment account (PSIA) fund. But every income from extraordinary activities like takaful or profit/loss realization from sale of sukuk in the banking book has to be excluded from gross revenue. With the BIA method, the bank is required to allocate 15 percent of the average of its gross revenue over the last three years to prepare for an operational risk manifesting into actual loss. If the bank’s gross revenue for the last three years is IDR300 billion, then the operational capital that it

Operational Risk in Islamic Banking 163 would need to prepare is IDR45 billion (15 percent of IDR300 billion). The BIA method has been criticized for oversimplification and its blunt top-down approach, and it ignores the variety in business activity entered into by the Islamic bank. This method does not accommodate other factors that are important for consideration, such as the variety of business activity, the size, and the asset growth of the bank. Standardized Approach (SA) BIA’s weakness can be minimized by using SA. Though it still uses a top-down method and gross income as a proxy for operational risk expo- sure, it already includes the variation of the bank’s business activity, where gross income calculated in the SA is the gross income from eight lines of business available in the Islamic bank, that is, corporate finance, trading and sales, retail banking, commercial banking, payment and settlement, agency service, asset management, and retail brokerage. The division of business lines into those eight categories is based on the Basel II guide, which in turn is based from the Quantitative Impact Study. In BIA, the risk factor set for gross income is 15 percent; the risk factor in SA is set at different levels for different business lines. The risk factors for each business line, based on Basel II, are shown in Table 7.2. The capital charge calculation formula for operational risk using SA is similar to the formula used in BIA in which the risk factor and gross income are adjusted based on the respective business lines of the Islamic bank. In mapping and grouping, the Islamic bank can use the guidelines published by the IFSB: ■ The Islamic bank should map all activities and transactions into eight business lines according to mutually exclusive principles. This means that no activity should fall into two different business lines. TABLE 7.2 Risk Factor of Business Lines Business Line Risk Factor (Beta) Corporate finance (������1) 18% Trading and sales (������2) 18% Retail banking (������3) 12% Commercial banking (������4) 15% Payment and settlement (������5) 18% Agency service (������6) 15% Asset management (������7) 12% Retail brokerage (������8) 12%

164 RISK MANAGEMENT IN ISLAMIC BANKING ■ All functions run by the Islamic bank, both representing banking and nonbanking activities, that cannot be adequately mapped or included into a unique business line should be included in the business line that supports or supervises the activity. ■ In mapping, grouping, and calculating gross income, if an activity that generates income for the Islamic bank cannot be grouped in a particular business line, then the business line whose contribution to the income is the largest becomes the business line that covers the activity. ■ The total gross income from the eight business lines should be the same with the gross income from the BIA. All internal pricing methods should observe this principle. ■ The mapping of all activities into the eight business lines for operational risk purposes should be consistent with the business line definition used for other risk, like financing risk and market risks. If there are differ- ences, the Islamic bank should state clearly the reason for the difference and how it is managed. ■ The mapping and grouping process should be well documented. The def- inition of each business line should be clearly written enough to enable a third party to replicate it. ■ Senior management (top and middle) is the party responsible for the mapping and grouping of all activities into eight business lines. ■ The process of mapping activities into eight business lines is subject to review by independent parties. Alternative Standardized Approach (ASA) Measuring operational risk using ASA is almost the same as with SA. The ASA method, though, pays special attention to two business lines: retail banking and commercial banking. For the two business lines, gross income cannot be used as proxy for operational risk exposure faced by the Islamic bank. The proxy used to use gross income is the total value of financing channeled by the two business lines that have been multiplied by a fixed factor of 0.035. The other six business lines are treated the same as they are in the SA approach, as has been explained before. Thus, the calculation formula for the retail and commercial banking lines of business with ASA is as follows: KRB = ������RB × m × FRB KCB = ������CB × m × FCB KRB and KCB is capital charge of operational risk for the retail and commercial banking lines of business, ������RB and ������CB each are risk factors for

Operational Risk in Islamic Banking 165 the retail and commercial banking lines of business (the same with the SA approach), m is the fixed factor 0.035, and FRB and FCB each are the average of total financing for three years that has been channeled by the retail and commercial banking lines of business. Advanced Measurement Approach (AMA) If Islamic bank is ready to do so, it is better for it to use the AMA method in designing its own measurement tools and methods for the risks it faces. The approach, based on the operational risk inherent in the contracts used by the Islamic bank, can be a useable alternative. This effort is expected to generate a more accurate calculation, hopefully reducing the amount of cap- ital that must be set aside by the Islamic bank to cover its operational risk. If this is achievable, the bank will be able to move more freely in channeling financing, as it is no longer held back by the minimum capital adequacy reg- ulation. Compared to previous approaches, the AMA method is considered most flexible and sensitive to risk, because the AMA method is considered most able to capture the complexity of a bank’s scope of operational risk. As such, before an Islamic bank can use AMA, it has to have had a database of internal and external loss that goes back for at least three years. In many Islamic banks of limited funds, the three-year requirement is difficult to ful- fill, as the construction of a database in the first place would need no little amount of funds, as building the database also requires the construction of an adequate information system. The AMA approach requires the operational loss data of the bank to be grouped according to eight business lines (as used in SA) and seven categories of loss events, that is, internal fraud; external fraud; employment practices and workplace safety; customer practices; products and business; damage to physical assets; business disruptions and system failure; and execution management, delivery, and process. The combination of the two, business lines and loss events, will form a complex matrix of data. With an adequate loss database, the next step of calculating the capital charge for operational risk is as follows: 1. Estimate the distribution of the frequency of loss; banks that have only begun to use AMA generally use the Poisson distribution. 2. Estimate the distribution of the loss severity. This step is more difficult than estimating the distribution of frequency of loss, because the size of the loss is often unpredictable and may generate some extreme values (see explanation on low frequency, high severity). This condition highly affects the estimation model used, considering that many distribution models do not accommodate the extreme value phenomenon.

166 RISK MANAGEMENT IN ISLAMIC BANKING Risk Mitigation – Expected Loss Offsets, Insurance Probability Operational Risk Capital Expected Unexpected Loss Loss Tail Events Aggregate Loss FIGURE 7.6 Loss Distribution for AMA According to Basel II 3. Estimate the loss distribution by combining the distribution of loss fre- quency and the distribution of loss severity. This stage is also a difficult stage due to the high degree of mathematical complexity involved in con- structing the new distribution. 4. Calculate the operational risk value at risk (OpVaR) for each combination of business line and type of loss event. The combination is repeated in such a way that a mean is gained, representing the VaR at a 99.9 percent confidence level, as stipulated by the Basel Committee as the addition of expected loss and unexpected loss. The amount of capital charge for operational risk can be calculated by adding the total VaR from the combination of all the business lines and all the loss events. The aggregate loss distribution for AMA according to Basel II can be seen in Figure 7.6. DEVELOPING AN OPERATIONAL RISK MANAGEMENT SYSTEM The previous section discussed how to identify, measure, and mitigate operational risk. All tools and methods of measurement, management, and mitigation of operational risk will need to be combined into an effective working operational risk management system. For that, the Islamic bank will need to have a special framework related to operational risk management.

Operational Risk in Islamic Banking 167 There are at least eight aspects that will need to be observed in constructing this framework: (1) operational risk management policy construction, (2) operational risk identification, (3) business process scheme construction, (4) setting the most appropriate operational risk calculation method, (5) setting operational risk mitigation policies, (6) setting operational risk management reporting standards and methods for those who will need the information, (7) operational risk analysis, including the construction of operational risk database and stress-testing, and (8) allocating the bank’s capital in preparation for the occurrence of loss due to operational risk.

8CHAPTER Syari’ah Compliance Risk In December 2009, an interesting article published in BBC News titled “How Sharia-Compliant Is Islamic Banking?” questioned Islamic banks’ syari’ah compliance. The article began with a statement from Syaikh Muhammad Taqi Utsmani from the Accounting and Auditing Organization for Islamic Financial Institutions (AAOIFI). He said that 85 percent of outstanding global sukuk is not actually in accordance with syari’ah principles. Even if the context of the statement is specific to sukuk, the issue of syari’ah compliance has also been raised to various Islamic financial institutions, including Islamic banking. This is especially relevant in the current Islamic banking industry, where many of the products offered have so many similarities with various established products from the conven- tional banking industry that many people consider the products offered by the Islamic banks equivalent to the products offered by the conventional banks. In the speed of Islamic banking’s development and the more challenging competition in the banking industry, the issue of syari’ah compliance becomes very important to raise and question. After all, philosophically and ideologically, Islamic banking is founded on syari’ah principles with the intention of abolishing all forms of injustice, especially usurious transac- tions, and pioneering the establishment of an economic system based on the principles of fairness and justice. This is the unique trait of Islamic banking. Because of this, it should be rightfully preserved and maintained as the core identity of Islamic banks. It is these values that are then packaged and become the most important selling point offered to the wider public. It is not enough to answer the above question with only philosophical and ideological arguments. It is very important for an Islamic bank to dis- play its identity and commit to fulfill it. Concrete proofs should be provided. To ensure the consistency of syari’ah compliance, a solid system would need to be prepared, starting from legal support and protection, to supervision mechanisms, to identification and mitigation methods to prevent any poten- tial noncompliance with syari’ah principles. This chapter will discuss the background, urgency, and arguments on the importance of syari’ah compli- ance in Islamic banking as well as the syari’ah compliance risk’s management and mitigation process. Risk Management for Islamic Banks: Recent Developments from Asia and the Middle East. Imam Wahyudi, Fenny Rosmanita, Muhammad Budi Prasetyo, Niken Iwani Surya Putri. © 2015 by John Wiley & Sons Singapore Pte. Ltd. Published 2015 by John Wiley & Sons Singapore Pte. Ltd. 168

Syari’ah Compliance Risk 169 BASIC PRINCIPLES OF ISLAMIC ECONOMICS AND FINANCIAL SYSTEM The concentration of wealth is the natural progression of various robust eco- nomic systems. No matter how often or how much wealth is redistributed, the economic system is redesigned; there will always be parties with a surplus as well as a deficit of funds. A country’s economic system will not move without support from the parties with surplus funds. Without funds, the creativity of the deficit party’s efforts will be unrealized. Simply put, for reasons of profitability and the lack of guarantees of capital return, banks would reject the funding proposal of the potential debtor to open a general store. The potential debtor then loses the opportunity to receive income, while at the same time the bank loses the opportunity to profit from an investment in the general store. The debtor’s prospective employees experience the same thing. Suppliers, producers, and industry will also lose potential income from the general store that now does not open. The public living near the store’s poten- tial location will not gain access to the goods the store is able to provide, and so on and so forth. The effects of the rejected proposal of the potential debtor cascade through society. The effects are not only borne by the bank and the debtor, but also by the loss of potential improvement in overall public welfare. It is thus also a natural principle that economic actors complement each other in increasing the total amount of wealth available in an economy. In Islam, profit is the compensation received over the willingness to bear risk. Without bearing risk or any effort, no one is allowed to receive any profit. In fact, all profits arising without any risk of the business being operated are ruled as usurious and thus prohibited. This is the meaning of the fiqh prin- ciple “al kharaju bidh dhamani” and “al ghurmu bil ghunmi.” As such, the surplus party has no right over any profit if the surplus party only loans funds without any willingness to bear risk. Of course, the profit that is within the rights of the surplus party is not meant as compensation for the opportunity cost, but from the willingness to bear the risk of loss of the project/business funded. This is the basis of the prohibition of usury in Islam. Other than that, the interest system will create a real injustice. When economic condition is poor, the bank will still be guaranteed profit from the funds that it channeled. The debtor’s interest expense will erode his or her part of the profit, and even some part of his or her capital. If it is high enough, in the long run, it will even prevent the debtor from being able to reinvest an adequate amount of profit into the business and perhaps might even kill it. Whether the bank is conscious of this or not, it will certainly kill its own source of income this way. On the other hand, when economic conditions are very good, the debtor gains returns in excess, a portion of which are the bank’s right to receive as the business grows by leaps and bounds at a rate that is far faster than the bank.

170 RISK MANAGEMENT IN ISLAMIC BANKING SYARI’AH AS PRINCIPLE AND SPIRIT IN BUSINESS Linguistically, Islam means the submission, obedience, compliance, and sur- render of a servant to the Creator, Allah Ta’ala (see QS Al-Baqarah: 131). The logical consequence of the meaning of Islam above is an absolute accep- tance of all of the commands and prohibitions of Allah Ta’ala. There is no reluctance and a heavy heart in accepting all of Allah’s provisions, as said according to the words of Allah Ta’ala in surah An Nisaa verse 65. A concrete form of surrender to Allah Ta’ala is to promptly observe all that has been commanded and to avoid all that has been prohibited by Allah Ta’ala. It is true that Allah Ta’ala has gifted mankind with reason. With reason, humans can consider what is right and what is wrong, what is beneficial to them and what is harmful. With this reason, Allah calls upon humanity to think and learn, and promises that Allah praises and dignifies, as well as raises the stature of a faithful and knowledgeable person in the hereafter (QS Al-Mujaadilah: 11; QS Ali-Imran: 18; QS Al-‘Ankabut: 43). With reason, humans can understand and have faith in kauniyah verses (evidences in the universe). But for the syari’ah verses (contained in the Qur’an and the As-Sunna), there are limitations of understanding them solely using reason. Not all of the meanings in Al Qur’an are within human comprehension. Some verses are explicit and clear (muhkamat verses), and some are implicit (mutasyabihat verses). Regarding these mutasyabihat verses, no one knows his or her actual meanings other than Allah Ta’ala. Our responsibility as Muslims is to believe (the mutasyabihat verses) and acknowledge that all of it came from Allah Ta’ala (QS Ali-Imran: 7). Allah Ta’ala and His Messenger do not always explain the reasons, benefits, and consequences of every commandment and prohibition. Even then, all believers should submit and obey every command and prohibition from Allah Ta’ala and His Messenger, even if the reason and consequences for it are something we could not understand at the present. In fact, if a believer is even considering loopholes, especially just to satisfy personal greed or wants, Allah Ta’ala will place that person amongst the people who’ve gone astray. Finding loopholes to avoid Allah Ta’ala’s commands or prohibition is a form of hilah that is prohibited and is perfidious to Allah Ta’ala and His Messenger (see QS Al Ahzab: 36). Maqashid al Syari’ah Terminologically, syari’ah means rules, regulations and law, as well as the road that is clear and bright. Allah Ta’ala as the creator of mankind

Syari’ah Compliance Risk 171 certainly knew better what is beneficial (brings maslahat) and harmful (brings mudharat) to humanity. Allah Ta’ala sends the messengers and reveals holy books to provide guidance to mankind for mankind’s own benefit. Islamic syari’ah is there to uphold and bring what is beneficial as well as avoid and erase what is harmful from the life of mankind. Imam Asy-Syathibi rahimahullahu explains that the purpose of the revelation of syari’ah is to realize the well being and ultimate welfare of humanity in this world as well as the next by protecting mankind in five aspects: religion, soul, mind, descendants, and wealth. With regards to wealth, Islamic rules are very precise and fair. It is not allowed to take other people’s wealth, except in ways that are lawful and consented to by the owner (see surah An Nisa: 29). With regards to issues of worship, what is considered is only the consent of Allah, thus in worldly issues (e.g., sales, borrowing and loans, alliance, joint ventures), Islam requires two consents, the consent of Allah Ta’ala and the consent of mankind. Wealth in Islam It is true that wealth is a worldly issue. Wealth in general is ruled as mubah, not encouraged to be acquired but not prohibited either (see QS Al Baqarah: 29; QS Al An’am: 119; QS Yunus: 59). But to be drawn into complacency by wealth and forget the hereafter will cause a person to risk the threat of hell. This is even truer when, in the pursuit of wealth, man transgresses the prohibitions and observances of Allah Ta’ala (see QS Yunus: 7–8). Even if wealth is not the main purpose of every Muslim (as in QS Al Hadid: 20), wealth is one of the methods with which to support and enhance human life on this planet. The amount of conflicts, oppression, murders, civil wars, and injustice that have occurred in the name of wealth is uncountable. Included in this are the various flaws and loopholes of the con- ventional financial system, which can be (and often are) wrongfully utilized to gain more wealth, in ways that are unjust, in parts of the system where the allocation of funds is often ineffective and inefficient, and so on. Because of this, Islam ensures that the preservation of wealth as one of the main purpose of the revelation of the Islamic syari’ah to mankind. This is to ensure that wealth is beneficial rather than harmful to human life. Unlike the free-market capitalist and state-controlled communist economic systems that are extreme in their regulation of wealth ownership, in Islam, the actual owner of all wealth is Allah Ta’ala. Human ownership is relative. Wealth owned by mankind in principle is something entrusted (amanah) from Allah to be man- aged and utilized according to the principles of syari’ah (QS Al Hadid: 7).

172 RISK MANAGEMENT IN ISLAMIC BANKING Mu’amalah as a Means of Wealth Transfer Individual ownership of property is allowed in the Islamic syari’ah as long as it is gained through lawful means and thus in accordance with the syari’ah. People can gain wealth through various mu’amalah activities, that is, any activity involving human interaction (QS An Nisaa: 29). In fiqh principles, it is said that the basic legal ruling on any mu’amalah is allowed until there is a specific argument that prohibits it (see Imam As-Suyuthi, Al-Asybah wa an-Nadzhair, 1/33). Humans are given the largest leeway to enter into any kind of mu’amalah transaction, as long as there are no arguments that prohibit it. This is the beauty of Islam; mankind is provided with a corridor for mu’amalah transaction. The freedom provided is not absolute, as in free-market capitalism; the restrictions of Islam is made clearly with the purpose of erasing or avoiding harm. All elements with the potential to create harm and injustice will be prohibited in Islam, thus elements that certainly create such negative effects will definitely be prohibited. This can be seen in the prohibitions against usury, gharar (vagueness), maysir (gambling), tadlis (fraud), injustice, and coercion. VARIOUS PROHIBITIONS IN MU’AMALAH According to the principle, contracts in Islamic finance have to be free from prohibited activities in Islam. Beside the condition of permissiveness for the object (mubah), the specification of contract should not contain the following elements: riba (usury), maysir (gambling), gharar (vagueness, lack of clarity), tadlis (fraud), injustice or illegal force. Riba (Usury) Linguistically, usury in Arabic means az-ziyadatu/addition and fadhlu/excess (Fairuz Abadi, Al-Qamus al-Muhit, Dar al-Fikr, Beirut, 1995, p. 1158; see also QS Al Haqqah: 10; al Hajj: 5). Terminologically, usury is any special addition given to one of the parties involved in a transaction without there being an appropriate recompense given for it. There are three meanings in that definition: 1. The addition of quantity in selling certain types of assets where any differ- ence in quantity is not allowed. This occurs in the sale of usurious goods with usurious goods, that is, gold, silver, wheat, sya’ir (a type of grain), dates, and salt. This also applies to commodities that are equivalent to those six commodities.

Syari’ah Compliance Risk 173 2. The addition of time given until the delivery of goods for types of assets that require direct and immediate handover. This applies in the exchange of different usurious goods but is still within the same type/group, where the six good types are divided into two groups, with precious metals in one group (gold and silver) and the four other goods (wheat, sya’ir, dates, and salt) in the other group. 3. Any addition to the debt due to a delay in payment (i.e., the interest system in a conventional bank). Usury has been prohibited based on Kitabullah, the Sunna of Rasul- ullah and the ijma’ of the ulama, based on arguments that are clear and shahih. Because usury is commonly found and accepted in the era of ignorance (jahiliyah), Allah Ta’ala prohibits usury in stages in in four places: QS Ar Rum: 39, QS An Nisa: 160–161, QS Ali Imran: 130, and QS Al Baqarah: 275–279. In general, usury can be divided into two, qurudh and buyu’. Qurudh occurs through loans and debts. Any form of profit, both in the form of monetary form or not, gained by virtue of extending a loan is ruled as usury. Usury of the buyu’ type occurs due to trade; it is usually caused by the sale of usurious goods. Where if the sale (barter) is between the same usu- rious good, their measure or weight should be the same and the transaction should be in cash (both goods are immediately delivered before either party leaves the forum). For example, the exchange of gold with gold, silver with silver, dates with dates, and the like. Any delay in the delivery of goods by one of the parties involved will cause the transaction to be ruled to contain nasi’ah usury. The addition of quantity, either in measure or weight, is a cause to rule the transaction to contain fadhl usury. If the barter is between different usurious goods but is still within the same group, then the require- ment is only one, in cash or immediate delivery, for example, gold with silver, money (Rupiah) with gold, rice with dates, and so forth. This meant that only nasi’ah usury might happen. The excess in either weight or measure- ment of one good over another is allowed. If the usurious goods are different and also of different groups, then they can be exchanged according to any agreement, as long as it is clear in the contract. An example of this is the exchange of gold/money with rice, and so forth. The only thing that is not allowed is for both parties to delay the delivery of their goods. Even if this does not fall under usury laws, it is still a prohibited sale in Islam due to elements of gharar. This is known as the sale of debt with debt. The buyer and the seller both are indebted to each other. Maysir (Gambling) Linguistically, qimar or maysir is any activity that contains “bets,” where the winner will take the betting pool and the loser will lose all that has

174 RISK MANAGEMENT IN ISLAMIC BANKING been betted (Nazih Hammad, Mu‘jam al-Mustalahat, p. 226; see Q.S. Al Maidah: 90). There are at last three elements of a transaction that need to be fulfilled in order to categorize a transaction as maysir. The first is the presence of gamblers; there exist people who bet as well as the participants in the gambling system. The second is the presence of something gambled by all the participants (i.e., the pot itself that is the final prize or something bought with the money from the pot). The third, the winner (the recipient of part or all of the prize) and the loser (lost everything that has been bet) are determined through chance or games. In the context of modern finance, a form of maysir can be seen in the actual form of conventional insurance. The insured is required to pay the insurance premium (of the policy), and receives the rights to claim compensation if the conditions agreed on actually occur. Policies in general have a benefit period (the active period), where if the period passes and the insured did not experience any of the covered catastrophe according to the agreed-upon terms, then the premiums paid are lost and are the full right of the insurance company. The reverse is also true: If the condition covered actually happened during the policy’s active period, the insured will receive claim payment that is multiple times of the amount paid to the insurance company (in the form of premiums). This is the actual form of gambling. Another example of maysir is derivative transactions (i.e., forward, future, and option). Gharar (Vagueness, Lack of Clarity) Linguistically, gharar means khatar, which is containing danger (Al-Mu‘jam al-Wasit, Dar al-Dakwah, Istanbul, 1980, vol. 2, p. 648), or means khida’, which is to defraud (Fairuz Abadi, Al-Qamus al-Muhit, page 577). Gharar is any form of transaction that contains elements of jahalah (vagueness, lack of clarity) within it or gambling. Rasulullah firmly and clearly prohibits gharar in every transaction. The question is, are all forms of gharar then prohib- ited in Islam? In principle, Rasulullah prohibits every form of gharar. But, if the gharar is unavoidable, and if avoiding it can actually bring even larger harm, then the gharar is forgiven. For example, when buying a house, it is almost impossible for the potential buyer to see the physical condition of the house’s foundations. There is then an element of gharar in the house’s sale. Yet to remove that gharar, the floor must be uprooted, the foundation shown. These actions can bring harm to the seller, for they entail the destruc- tion of the property. Another example is in the case of the sale of peanuts. Because they are still underground, there is an element of gharar in the sale. The seller and the farmer do not have a precise idea of the quality and quan- tity of the peanuts. Ideally, the peanuts can be harvested beforehand, and then weighed and witnessed by the potential buyer. Yet if that is done, and

Syari’ah Compliance Risk 175 then the buyer cancels the purchase, the farmer is harmed. The peanuts will dry and begin to spoil if they are not immediately stored properly. Thus, what is the solution? Simply put, use a sampling or estimation method. Is this not gharar? Yes, but the probable injury that this may inflict is far less from one that can be inflicted by prematurely harvesting the peanuts when the farmer does not have a warehouse ready. This type of sale is only allowed if the buyer has the expertise in estimating it. When is someone considered an expert? When the deviation between the estimated value and actual value is not large, and is reasonable according to the local farmers, for example, around 5 percent or 10 percent. If in actuality it is larger than that, say, by 20 percent, khiyar exists for both parties. This means that both have the choice whether to continue with the sale or to cancel it. Tadlis (Fraud) Gharar occurs naturally. There is no artifice between the parties in the transaction to hide information, either about flaws in the goods, quality or quantity. Any imperfect information that causes vagueness and uncertainty (gharar) occurs naturally. When one of the parties fakes or hides some information about the goods being sold on purpose, this is called tadlis (fraud). Injustice and Illegal Force All forms of injustice are prohibited in Islam. The injustice can be done against Allah Ta’ala, as in the case of syirik, sinful acts (not observing the commandments nor avoiding the prohibitions of Allah), or the injustice can be done to other people. An example of this is taking objects that belong to other people without the consent of the owner, coercing other people to transact with us, and the like. Allah Ta’ala requires the consent of the peo- ple involve in mu’amalah, as Allah has stated in An Nisa verse 29. Other than avoiding elements of usury, gharar, maysir, tadlis, and coercion, Allah Ta’ala also prohibits us to trade in objects that are prohibited by Allah and His Messenger (e.g., khamr [intoxicants], swine flesh, carcasses, blood). WHY SHOULD ISLAMIC BANKING COMPLY WITH ISLAMIC PRINCIPLES? The Muslim countries (those that are mostly composed of Muslims, like Saudi Arabia, Indonesia, Pakistan, and Malaysia) have waited for the pres- ence of a banking institution that is truly based on the Islamic syari’ah.

176 RISK MANAGEMENT IN ISLAMIC BANKING The people are already tired of the structural flaws and weaknesses of the conventional banking system. They wish for an alternative banking system able to provide them with a genuine benefit and, at the same time, avoid the harm and weaknesses of the conventional banking system. Compliance with the Islamic syari’ah is what ensures that the Islamic bank is different from the conventional bank. When the Islamic bank does not submit itself to and obey the various principles of the Islamic syari’ah, it is at that time that the Islamic bank loses its identity. The Islamic bank is then no different from the conventional bank, and in the end, that will only erase any possible welfare/benefit for society. If this is allowed to happen and fester, the pub- lic will become even more skeptical and unsympathetic to the Islamic bank, considering the Islamic bank the same as a conventional bank. INTEGRATING SYARI’AH COMPLIANCE IN THE ISLAMIC BANK Islam is a holistic and integrated set of rules. Even if an affair is specifically a part of mu’amalah, but in general it also falls under aqidah (faith), worship, akhlak (character), and so forth. For example, in commerce, belief in the lawfulness of trade and the unlawfulness of usury is a matter of faith. Someone can be ruled as an unbeliever for believing otherwise. To buy or sell is also a matter of worship when it is done with the express purpose of seeking a living from Allah’s good and lawful bounty on the word and to avoid what is unlawful in the name of Allah. Commerce is also very much influenced by adab (manners) and akhlak (character), by not reducing measurement or weights when selling, by being honest, trustworthy, flexible, and at ease in offering, bargaining, and selling, and so on. The same can be said of the operational activity of an Islamic bank. A holistic and integrated Islamic syari’ah should be internalized in all the Islamic bank’s business process. Islamic syari’ah is not only applied to the bank’s banking products, but also in various managerial decision-making processes in the Islamic bank’s environment. The commissioners, directors, and all the other employees, in the back office as well as on the front line, should try to practice Islamic syari’ah in a kaffah manner and apply it in every activity that they do. The Islamic syari’ah should not just be applied in issues of financial contracts, but should also touch every other line of oper- ations in Islamic banking: finance, marketing, human resources, operations, and so on. Marketing should use the principles of honesty, trustworthiness, friendliness, and greetings and salutations in marketing the products of the Islamic bank. Other divisions should apply the same amount of dedication. If Islamic syari’ah can be practiced holistically, then Islam will manifest as

Syari’ah Compliance Risk 177 more than just a mere symbol, but as a presence that can enable many good changes. Once the Islamic syari’ah and value are internalized in every line of operation, Islamic banks could reduce the level of risk they face. Operational risks coming from fraud, from the likes of corruption/embezzlement, from the misuse and abuse of authority, from swindling, and the like can be min- imized because every employee considers them as unlawful and prohibited actions under the syari’ah. Other than that, the risk of noncompliance to Islamic syari’ah can be eliminated, because the Islamic bank has submitted itself and obeys the Islamic syari’ah fully. EVOLUTION OF SYARI’AH GOVERNANCE IN ISLAMIC FINANCIAL SYSTEM As a comprehensive religion, the Islamic syari’ah covers all the fields of human life, including religious observances, politics, culture, economy, and so on. Islamic syari’ah has several important purposes in mind, often called the maqashid syari’ah. The maquashid syari’ah consists of five main pur- poses: to protect religion, protect the soul, protect the mind, protect the progeny/family, and protect property. Other than that, the implementation of the Islamic syari’ah also tries to minimize various possible negative exter- nalities that can arise in society and maximizing the amount of possible positive externalities that can manifest, through the process of amar ma’ruf nahi munkar. Syari’ah governance in an Islamic finance and banking system is part of establishing this process for which the final purpose is to protect the property of humans from various transactions that are harmful and thus prohibited by the syari’ah. As can be seen in Figure 8.1, the process in the economic field has evolved far from the times of Rasulullah shalallahu’alaihi wassalam up to the present. Hisbah is an institution or organization in the government whose purpose is to prevent harm or injury and establish many benefits to wider society. The main purpose of hisbah is to preserve the society itself from various forms of transgressions, to protect the belief (aqidah) of the people, and to ensure that, grounded in the laws of syari’ah, prosperity becomes present and even rises. Based on that definition of hisbah, the main function of hisbah in a classic Islamic country is to establish amar ma’ruf nahi munkar = enjoining good and forbidding evil in society. Since hisbah is part of the government, it can be said that hisbah is a representative of the state in practicing amar ma’ruf nahi munkar in society. If the coverage is limited to only mu’amalah activities, then hisbah is the earliest form of syari’ah governance application in an Islamic banking and financial system.

178 RISK MANAGEMENT IN ISLAMIC BANKING Notion of Hisbah Implemented Syari'ah Committee since pre-modern Islamic societies AAOIFI Standards Initially rest with SC. Faisal Islamic Standard on IFSB Bank Egypt is the Syari'ah Board first to establish and Syari'ah IFSB-1 defines 5 SC, follow by Reviews CRM and IFSB-10 other IFI and defines syari'ah regulators governance system FIGURE 8.1 The Evolution of Syari’ah Governance The form of hisbah itself has changed from the times of Rasulullah to the eras after that, and was quite famous in the times of the caliphate of Umar bin Khattab radiyallahu’anhu. Umar as the caliph himself often fulfilled the role of the muhtasib. He walked with his stick in the markets during the daylight to supervise and check. If a merchant were swindling his customers, or if there were any forms of transaction that were not in accordance with the principles of syari’ah, then the caliph Umar bin Khattab would not hes- itate to punish the merchant. Umar would even prohibit merchants from entering the markets of the muslimin if the trader did not understand fiqh mu’amalah. As time progressed, Umar bin Khattab appointed a woman by the name of Asy-Syifa’ binti Abdullah Al-Adawiyah Al-Quraisyiyah to repre- sent the caliph in supervising the market. This is Umar bin Khattab’s version of hisbah, responsible for ensuring the practice of syari’ah governance in the market. As muhtasib, Asy-Syifa’ was responsible for monitoring every transaction and stopping any transaction that was not in accordance with the Islamic syari’ah. Apart from that, she was also responsible for punishing merchants and traders that cheat or swindle, as well as acting as the arbitrer (qadhi) when there were disagreements between the parties of a transaction. In an era of modern finance, hisbah has been presenced as a syari’ah board in the organization structure of an Islamic bank. When the Islamic bank declares itself as an institution that will fulfill syari’ah principles in its operating activities, there should be special components that are responsible for overseeing the commitment of the bank’s management to the imple- mentation of syari’ah principles. With the presence of syari’ah board, the implementation of syari’ah principles in the bank’s operational activities is guaranteed. The presence of syari’ah board in a bank also marks the

Syari’ah Compliance Risk 179 beginning of the involvement of the ulama, the Islamic jurisprudence experts, in modern financial activity. This also provides the opportunity for fiqh ulama to experience firsthand the development of fiqh issues in modern finance and banking. The next development in the application of syari’ah governance in the Islamic banking and finance industry was the formation of Accounting and Auditing Organization for Islamic Financial Institution (AAOIFI), with the role of establishing various standards of accounting, auditing, and syari’ah principles for all Islamic banks around the world. The presence of AAOIFI in the context of syari’ah compliance is very important in the global Islamic finance industry because all the standards published by the AAOIFI (fatwa as well as standard operating procedure) can be used as a reference for all Islamic banks in the world. With the presence of AAOIFI, a newly established Islamic bank, as well as any countries that are interested in applying their own Islamic banking systems, can use the standards published by the AAOIFI as their reference. Other than AAOIFI, the international regulatory institution that also contributes to the practice of syari’ah governance is the Islamic Financial Service Board (IFSB). Unlike the AAOIFI, the IFSB’s roles covers more of the technical aspects of Islamic banking (e.g., risk management, corporate governance). Since the syari’ah aspect is one that is inseparable from Islamic banking, IFSB also issues various rules that can serve as a guide for the Islamic bank in building a good syari’ah governance system. SYARI’AH ADVISORY BOARD AND SYARI’AH COMPLIANCE AUDIT AS A FRAMEWORK One indicator of syari’ah compliance in an Islamic bank is the existence of a syari’ah advisory board. This independent body has task to ensure that all operational activities and practices of Islamic banks run in accordance with syari’ah procedure. In general, the syari’ah board is divided into two: a syari’ah supervisory board in each syari’ah institution, and a national syari’ah board in the central. Both of them must have integrity and inde- pendency in making decisions related to syari’ah compliance as a form of quality control and moral responsibility for Islamic banks. Syari’ah Advisory Board The first Islamic bank with a syari’ah board or syari’ah advisory board in its organizational structure was the Faisal Islamic Egypt Bank in 1976. After that, almost all Islamic banks in the world had a syari’ah board or syari’ah