
Article 38

No: 000044093096 Date(g): 13/6/2023 | Date(h): 24/11/1444 Status: In-Force
(1) A Licensee must make and keep records of transactions, data and information relating to compliance with requirements of Part 4 of the Implementing Regulation, in a form where such records would enable SAMA to supervise such compliance effectively.

(2) The records which SAMA requires Licensees to keep include:
 

(a) Financial information (including financial statements, bank statements, and Client accounts) and Accounting Records, including (but not limited to): cheques, records of electronic Fund transfers (including as relevant, bank statements), invoices, contracts, general and subsidiary ledgers, journal entries and adjustments to the financial statements that are not reflected in journal entries; and Worksheets and spreadsheets supporting cost allocations, computations, reconciliations and disclosures.

(b) Reports relating to the activities performed by the Licensee, the volume of business and Relevant Payment Services (including the volume and value of Payment Transactions);

(c) Minutes of the board or the company directors and related business decisions;

(d) Information on any security or material operational incidents that are (when viewed in isolation or jointly with other incidents) not immaterial;

(e) Records of Consents given to Payment Transactions;

(f) Records of security logs, including authentication logs;

(g) Details of changes required to be submitted in accordance with Article 121 of the Implementing Regulations.

(h) Reports on risk management (including in relation to incidents of fraud that must be disclosed);

(i) Reports on data protection and privacy measures taken;

(j) Complaints from Payment Service users, including any remedial action taken;

(k) Reports of any errors, delays, refunds or other matters dealt with;

(l) Reports on compliance with the requirements of protecting safeguarded funds;

(m) Any information related to know-your-customer requirements, Client due diligence and sanctions screening in accordance with the laws, regulations and instructions of Anti-Money Laundering and Counter-Terrorism Crimes and Financing;

(n) Reports on compliance with the Implementing Regulation or other applicable laws, regulations, decisions, instructions and circulars.

(o) Material legal documentation, including employment contracts, auditor appointment contracts, agreements relating to business continuity and outsourcing agreements, as well as corporate governance documentation.
 
(3) A Licensee must maintain such records and keep them for at least ten years from the date on which the relevant record was created. SAMA, however, may (at its discretion) amend the Licensee’s retention period of records as deemed appropriate.

(4) A Licensee must put in place and maintain policies, procedures, systems and controls that regulate the electronic storage of documents and records, satisfying the following minimum requirements:
 

(a) Creating and storing records and documents on highly reliable, secure storage media;

(b) Clearly indexing and categorizing records and any related documents in a manner that enables further use or reference;

(c) Providing a reliable and secure system for granting and organizing access privileges for electronic and physical systems, ensuring that there is no unauthorized access to electronically or physically held data;

(d) Creating and maintaining a backup policy providing the utmost level of protection and the ability to retrieve backup copies in case of the loss of the original copy of any kind and testing the backup copies periodically;

(e) Using digital certification and electronic encryption;

(f) Storing the records and related documents in the same format in which they were created or received, without any additions, omissions or modifications;

(g) Logging all actions made in relation to a record; and

(h) Ensuring that personnel with authorization to access electronic and physical records, documents and data maintain their confidentiality during and after the period of their employment or work at the Payment Service Provider.
 
(5) The Licensee must conduct regular reviews, at least on an annual basis, to ensure compliance with the provisions of this Article.