Chapter III: Features, Duties and Responsibilities of the Unit
Principle 4: Key Features of the Unit
Autonomy 1. Autonomy is inclusive of the following:
a. The Unit shall have an official status in the company.
b. The Unit shall functionally report to the Audit Committee and administratively to the Executive Management.
c. The Compliance Officer and Unit Staff shall perform the tasks assigned to them with autonomy, and they may not perform any other administrative tasks.
d. The Compliance Officer and Unit staff shall have the authority to access all information and documents, and communicate with any of the Company staff to the extent necessary to discharge their responsibilities.
e. Other departments shall not interfere with the Unit’s work, without prejudice to the Unit’s cooperation with other departments in a manner that serves the compliance.
Compliance Officer 2. Compliance Officer selection and nomination is subject to the Requirements for Appointment to Senior Positions issued by SAMA and any relevant SAMA instructions issued at a later date.
3. The Compliance Officer shall have the necessary knowledge and skills to perform the Unit’s duties and maintain its effectiveness. To this end, the Compliance Officer shall:
a. Obtain Compliance for Financing Companies Sector Professional Certificate, excluding any incumbents assigned to the position.
b. Have broad expertise in the finance sector and understanding of all laws and instructions related to various finance operations and other relevant regulations.
4. Submit periodic compliance reporting to the Audit Committee. The report shall identify the main non-compliance risks facing the Company, and key observations reached as a result of reviewing the work of the departments during the reporting period; analyze existing processes and procedures related to compliance and assess their effectiveness; and suggest any amendments or changes relevant to these functions.
5. Have the authority to hold periodic meetings with the Executive Management and directors of other departments and units to discuss compliance implementation in accordance with the relevant regulations and instructions.
6. Meet with the Audit Committee during the submission period of periodic compliance reporting to assess the extent of the company’s ability and effectiveness in managing its non-compliance risks.
7. Verify any possibility of non-compliance, and may request support from specialists within the Company (such as the internal auditor), or involve an external specialist to carry out the task if necessary. Have the authority to directly contact concerned officials, whether in the Board, the Executive Management or the Audit Committee, in the event of any observation or violation.
Unit Staff 8. The number of employees in the Unit shall be sufficient and consistent with the Company’s business model and size. Unit employees shall report solely to the Compliance Officer.
9. Unit employees shall have the appropriate qualifications and expertise to perform their job duties and keep abreast of developments in their field of work.
10. Unit employees shall have full understanding of the instructions and their impact on the Company's business.
Principle 5: Duties and Responsibilities of the Unit
1. The Unit shall, without limitation:
a. Cooperate and communicate with control and supervisory authorities effectively, taking into account their reported observations to identify shortcomings periodically, and coordinate with other departments to address and resolve them.
b. List, communicate and explain the relevant laws and instructions to other departments and units immediately upon receiving them from the supervisory authorities, and ensure that they are incorporated into the work policies and procedures of each department and unit according to their competencies; and implemented within the specified period.
c. Cooperate with the Company staff and provide them with support and advice in their compliance-related daily work.
d. Identify and address all risks of non-compliance and ways to avoid them, provide advice on them, and monitor their developments.
e. Analyze new policies, procedures and processes and suggest necessary recommendations to address non-compliance risks therewith.
f. Adopt a risk-based compliance program and include its findings in the periodic compliance report.
g. Collect compliance-related complaints and formulate written guidance to staff, where necessary.
h. Draft internal policies and procedures to combat financial crimes, such as money laundering, terrorism and combating fraud, and test their effectiveness in line with developments and recent changes.
i. Monitor compliance with AML/CTF laws, regulations, and rules.
j. Promote awareness of compliance issues and provide training to staff on compliance-related matters through periodic programs, and clarify the risks of non-compliance with laws and instructions.
k. Report to SAMA and the Audit Committee upon the identification of any irregularities or violations resulting from non-compliance.
l. Review the work of the customer care department semiannually at least to ensure the soundness of its workflow, with the exception of real estate refinance companies.
m. Review the work of the department concerned with collection procedures and/or the third party to which the collection task was assigned on an annual basis – at least – to ensure the soundness of the procedures and their compliance with Debt Collection Regulations and Procedures for Individual Customers and the relevant instructions, taking into account that the review of such department and/or third party’s work does not include real estate refinance companies.
n. Develop methods to measure the risks of non-compliance quantitatively and qualitatively, and use these measures to support the assessment, management and addressing of non-compliance risks. Technology can be used as a means of developing risk indicators by aggregating or filtering data that may be indicative of potential non-compliance risks; for example, but not limited to, increased customer complaints, fraud cases, reports, penalties and sanctions imposed, with determination being made as to the extent to which additional measures are needed to address them.
o. Create a database for all instructions, classify them according to the work of each department or unit, update them continuously, and enable all Company employees to access and benefit from such database continuously.
p. Recommend approval of contracting with external service providers and verify their compliance with relevant instructions.
Principle 6: Responsibilities of Company Staff Towards Compliance
1. Company employees shall be responsible for compliance with and implementation of the policies, procedures and controls issued by the relevant control and supervisory authorities.
2. Company employees shall refer regulation- and supervision-related inquiries received from the competent authorities to the Unit. Moreover, no employee shall have the right to respond to any such inquiry or provide such authorities with the requested information except through the Unit or unless otherwise authorized to do so. Company employees shall cooperate in providing documents that support the Unit to respond to such inquiries.
3. Before applying for SAMA’s no-objection, the approval of the Unit, in addition to the approval of other relevant departments, for the offering of products and services to be provided by the Company to its individual clients or beneficiaries of microfinance shall be obtained, with documentation of the Unit’s verification that the product or service does not violate the relevant laws and instructions.
Principle 7: Responsibilities of Internal Audit Department Towards Compliance
1. Subject to its duties and responsibilities contained in relevant laws and regulations and SAMA-issued instructions, the Internal Audit Department shall:
a. Assess the internal control system to ensure that the Company and its employees comply with relevant laws and instructions as well as the Company's policies and procedures, whether the management of operations is carried out internally or outsourced.
b. Review the main activities and operations of the Unit at least annually in accordance with the plan approved by the Audit Committee, and update this plan annually.
c. Conduct regular assessment to verify the effectiveness of Company policies and procedures, provided that procedures undertaken are properly documented, and such information is included in the Internal Audit Department’s report prescribed in the Implementing Regulations of the Finance Companies Control Law.