3.7. Supervisory Notifications
Member Organisations should immediately notify SAMA of new fraud typologies and significant fraud incidents to mitigate the risk of the fraud impacting additional customers, other organisations, or the financial sector in the KSA.
Control Requirements
a. Member Organisations should notify the SAMA General Department of Cyber Risk Control immediately of any of the following:
   1. Any new fraud typology, whether or not it resulted in financial loss (e.g., a type of fraud not previously observed, or a new kind of scam attempt detected).
   2. Where an external person has committed, or attempted to commit, a significant fraud against the Member Organisation.
   3. Where an employee of a Member Organisation has committed a significant internal fraud against one of its customers, or may be guilty of serious misconduct concerning honesty or integrity in relation to the organisation's regulatory obligations.
   4. Where Wholesale Payment Endpoint Security Fraud is suspected or identified.
   5. Where a significant irregularity that may be indicative of fraud is identified in the organisation's accounting records.
b. When assessing whether a fraud is significant enough to trigger the notification requirements above, Member Organisations should consider, at a minimum:
   1. The value of any actual or potential monetary loss to the organisation or its customers (assessed for the individual fraud incident or as the total loss across connected incidents).
   2. The number of customers affected.
   3. The reputational damage to the organisation and to the wider financial sector.
   4. Whether any regulation has been breached.
   5. Whether the incident reflects weaknesses in the organisation's Counter-Fraud controls.
   6. Whether the incident has the potential to affect other Member Organisations.
c. Member Organisations should use the standard reporting template in Appendix G to notify SAMA.
d. The notification to SAMA should, at a minimum, include the origin of the incident, the methods used, the related parties (internal and external), the corrective actions taken, and any losses incurred. Where not all of the required information is available at the time of notification, the gaps should be supplied to SAMA promptly as the investigation progresses.