Additional Licensing Guidelines and Criteria for Digital-Only Banks in Saudi Arabia Feb 2020
Date(g): 24/2/2020 | Date(h): 1/7/1441 | Status: In-Force
Introduction
These Additional Licensing Guidelines and Criteria for Digital-Only Banks in Saudi Arabia are issued in accordance with the authority vested in SAMA under the Charter of Saudi Arabian Monetary Authority – issued via Royal Decree No. 23 dated 23/5/1377 H, and the Banking Control Law – issued via Royal Decree No. M/5 dated 22/2/1386 H.
Purpose and Scope
1. This document sets out the licensing criteria for Digital-only Banks. For purposes of implementing the provisions in this document, a Digital-only Bank is defined as a bank that conducts a banking business mainly through digital channels (e.g. the web and mobile applications).
2. These guidelines are applicable to Digital-only Bank license applications in Saudi Arabia. They must be considered as additional requirements to be met along with the Banking Licensing Guidelines and Minimum Criteria.
Licensing Conditions
To apply for a Digital-only Bank license in Saudi Arabia, the following conditions must be met:
1. The Digital-only Bank should be set up as a locally incorporated joint-stock company.
2. A promoter should have:
a. experience and knowledge in the financial industry;
b. appropriate technology-related experience and knowledge; and
c. financial capacity to support setting up the Digital-only Bank.
3. An applicant must possess a team with adequate expertise to discuss relevant aspects of the application.
Business Plan
An applicant is required to present a clearly articulated business plan, covering as a minimum:
1) the IT infrastructure plan and innovative technologies that will be rolled out;
2) the financial projections;
3) the targeted segment (with the underlying study and analysis); and
4) the proposed products and services in line with the targeted segments.
Capital and Liquidity Requirements
An applicant is required to submit an Internal Capital Adequacy Assessment Plan (ICAAP) and an Internal Liquidity Adequacy Assessment Plan (ILAAP) along with the application.
SAMA will assess the adequacy of capital of applicants on a case-by-case basis considering the scale, nature and complexity of the operations as proposed in the Business Plan, ICAAP and ILAAP of the applicants.
Physical Presence
An applicant must maintain a physical presence for its Digital-only Bank in Saudi Arabia to be its principal place of business (i.e. head office). A Digital-only Bank is not expected to establish physical branches; however, on an exceptional basis, SAMA may require a Digital-only Bank to establish customer service centers in order to facilitate customer interaction, enquiries or complaints.
Governance
Digital-only Banks are required to follow the same SAMA Principles of Corporate Governance for Banks Operating in Saudi Arabia as conventional banks.
Risk Management and Control
Digital-only Banks are required to satisfy SAMA that their proposed risk management and control policies are adequate and appropriate for monitoring and limiting risk exposures as per section D of the SAMA Banking Licensing Guidelines and Minimum Criteria.
Compliance & Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT)
In addition to demonstrating compliance with the requirements set out in Section E of the SAMA Banking Licensing Guidelines and Minimum Criteria, applicants should demonstrate compliance with the AML/CFT regulations in the fully digitalized environment.
Technology and Cybersecurity Risks
1. An applicant should consider information systems security, resilience and availability, these being key components of a Digital-only Bank. The selection of appropriate technologies and security arrangements should be aligned to the proposed banking products and services.
2. SAMA requires compliance with all relevant requirements, such as (but not limited to) SAMA’s Cybersecurity Framework and BCM Framework. In addition, SAMA requires applicants to consider other relevant regulations (e.g. from the National Cybersecurity Authority) when designing and implementing the Technology and Cybersecurity framework of the proposed Digital-only Bank.
Independent Assessment
SAMA may require the applicant to appoint a qualified and experienced third-party entity (“assessor”) to perform assessments on specific technical areas, such as the technology/cybersecurity and AML/CFT arrangements, at the expense of the applicant. Such assessment will be performed over the following phases:
a) The design phase – After submission of the application to SAMA, the assessor should perform an assessment of the adequacy of the governance, proposed processes and systems of the proposed design. SAMA requires the applicant to submit a report on the proposed design phase assessment along with a plan on the closure of observations/issues (if any). The applicant should remediate all key observations / issues to the satisfaction of SAMA.
b) The implementation phase – Prior to commencement of operations, the assessor should perform a detailed assessment of the implementation of paragraph (a) above. SAMA requires the applicant to submit a report on the implementation phase assessment in accordance with the approved design along with a plan on the closure of observations/issues (if any). The applicant must remediate all key observations / issues to the satisfaction of SAMA prior to obtaining SAMA's approval to go-live.
Outsourcing
Any planned outsourcing of material processes, people and systems must satisfy SAMA’s outsourcing requirements as set out in SAMA’s Rules of Outsourcing.
Exit Plan
An applicant is required to provide an exit plan in case of difficulties in achieving the targeted business objectives.
The exit plan should be clearly articulated to provide SAMA with the steps that will be taken to manage customer funds and ongoing businesses. This could include, for example, the migration of bank accounts and associated funds to another bank, ensuring continued services to the existing customers, and management of other assets and liabilities.
Prudential and Supervisory Requirements
1. Digital-only Banks will be subject to the same set of prudential requirements as with other banks.
2. In addition, due to the nature of business operations, all (or most) of the data are expected to be in an electronic format. The design of technology solutions in a Digital-only Bank should allow for easy and quick access to complete and accurate information needed for SAMA to perform its supervisory duties.
Consumer Protection
1. SAMA’s Banking Consumer Protection Principles are also applicable to Digital-only Banks.
2. An applicant should demonstrate that the necessary arrangements and channels are in place to adequately support customers during the banking life cycle.