  • Governance and Internal Control

    • Banks Remuneration Rules

      No: 44049096 | Date(g): 4/1/2023 | Date(h): 12/6/1444 | Status: In-Force

      In reference to the Saudi Central Bank Law issued by Royal Decree No. M/36 dated 11/04/1442H, the Banking Control Law issued by Royal Decree No. M/5 dated 22/02/1386H, and the Rules on Compensation Practices issued by the Saudi Central Bank under Circular No. 1258/BCS/26194 dated 19/05/1431H,

       Attached are the new Banks Remuneration Rules, which replace the aforementioned Rules on Compensation Practices. These new rules are designed to ensure that banks implement an appropriate governance framework for awarding Remuneration and effectively managing risks.

      For your information and action accordingly as of 01/06/2023G.

      • 1. General Requirements

        • 1.1 Background

          These Banks Remuneration Rules shall supersede the existing Rules on Compensation Practices issued vide circular no. 26194/BCS/12580 dated 3 May 2010. Saudi Central Bank (SAMA) has updated these rules for the purpose of addressing the risk of misconduct that may be associated with improper reward practices.

        • 1.2 Objective

          The objective of these rules is to set the minimum requirements and provide supervisory guidance to banks in formulation of their policies, procedures and practices on remuneration to ensure financial soundness and promote effective risk management.

          These rules are aimed at dealing with risks posed by the remuneration practices, and not at determining the absolute amount of remuneration, which will continue to be determined by banks in line with their remuneration policies. However, banks shall comply with the regulatory caps on remuneration, if any, as specified by SAMA or any other regulatory authority.

        • 1.3 Scope of Application

          These rules shall apply to banks as follows:

          1. All locally incorporated banks licensed and operating in Saudi Arabia.

          2. Where a locally incorporated bank has majority-owned subsidiary(ies) operating in the financial sector, it will either formulate a group-level Remuneration Policy and practices consistent with these rules for application across the group, or will ensure that the subsidiary's Remuneration Policy and practices are in line with these rules.

          3. Where a locally incorporated bank has majority-owned subsidiary(ies) or branches outside Saudi Arabia, it will ensure that the Remuneration Policy and practices of such subsidiary or branch are in accordance with these rules, provided that there is no inconsistency with the legal and regulatory requirements of the host country.

          4. Foreign Bank Branches (FBB) licensed and operating in Saudi Arabia shall also follow these rules in designing their Remuneration Policy and practices for Saudi operations, taking into consideration the following:

           a. The responsibilities of the Board of Directors, relevant committees and General Assembly stated in these rules should lie with the authority responsible for overseeing the business and operations of the FBB at the Head Office/Regional Office.

           b. The minimum percentages required in clause 40 of these Rules shall not be applicable.
           
        • 1.4 Effective Date

          These updated rules shall come into force starting from 1 June 2023, and all banks shall take necessary measures to ensure compliance thereof. Banks shall also ensure that all employment contracts including contracts already in force at time of issuance of these updated rules are consistent with the rules by 1 June 2023.

        • 1.5 Definitions

          SAMA: Saudi Central Bank.

          Rules: Banks Remuneration Rules.

          Senior Management: The functions, roles and responsibilities entrusted to those positions that take, propose and implement strategic decisions and manage the Financial Institution's business processes, including senior management positions that require SAMA's non-objection for appointment.

          Control Functions: Those functions that have a responsibility independent from management to provide objective assessment, reporting and/or assurance, including the risk management function, compliance function and internal audit function.

          Misconduct: Conduct that falls short of expected standards, including legal, professional, internal conduct and ethical standards.

          Remuneration System: The bank's internal remuneration policies and procedures, including the structure, roles and controls of remuneration, and the actual implementation and application thereof by the bank.

          In-year adjustment: Downward adjustment of an anticipated annual variable remuneration award to reflect the impact of a negative event or behavior.

          Malus: Permits the bank to reduce the value of all or part of deferred remuneration, based on ex post risk adjustment, before it has vested.

          Clawback: Under this process the individual has to return to the bank ownership of an amount of variable remuneration paid in the past, or which has already vested, under certain conditions.
           
      • 2. Governance of Remuneration

        1. Banks shall comply with all corporate governance requirements with regard to remuneration as specified by SAMA or any regulatory authority, as applicable.

        • 2.1 Board of Directors Responsibilities

          2. The Board of Directors (the Board) of a bank shall be responsible for the overall design and oversight of a remuneration system that promotes prudent risk-taking behaviors and business practices, and accordingly shall not delegate this responsibility to senior management.

          3. The Board shall be ultimately responsible for promoting effective governance, sound remuneration practices, ethical behavior and compliance with laws, regulations and internal conduct standards, and for ensuring accountability for misconduct; in addition to the following:

           a. Overseeing and holding senior management accountable for implementing, and participating in the design of, a remuneration system that effectively delineates how remuneration tools address misconduct risk or other imprudent risk-taking behavior.

           b. Engaging actively with senior management, including challenging senior management's remuneration assessments and recommendations if warranted when serious or recurring misconduct occurs, and ensuring that root cause analysis is performed, lessons learned are promulgated bank-wide and new policies are adopted, as necessary, to prevent it from happening again.

          4. The Board shall ensure that senior management puts in place policies and procedures that ensure effective control and adherence to these rules and any relevant Laws, Regulations, Principles and Standards.

          5. The Board shall review and, if satisfied, approve the remuneration of senior management based on the recommendations of the Nomination and Remuneration Committee.

          6. The Board shall ensure that an annual review of remuneration (internally through Internal Audit, or externally commissioned from a recognized firm) is carried out independently, without the intervention of senior management. The review must assess compliance with these rules and any relevant Laws, Regulations, Principles and Standards, as well as with the bank's internal policies prepared according to these rules. The Board shall take the results of such a review into account when making decisions related to remuneration, and may briefly disclose those results in the Board of Directors Annual Report.
           
        • 2.2 Formation and Responsibilities of the Nomination and Remuneration Committee

          7. Banks shall have a Nomination and Remuneration Committee comprising at least three members. The composition and responsibilities of the committee shall be consistent with SAMA's Key Principles of Governance in Financial Institutions and any other requirements set by any regulatory authority, as applicable.

          8. The General Assembly, upon the proposal of the Board, shall lay down the terms of reference of the Nomination and Remuneration Committee, which should include its work controls, responsibilities, procedures for appointing committee members, their membership duration and remuneration. A copy of the terms of reference of the Nomination and Remuneration Committee shall be submitted to SAMA along with the Compliance Report for every cycle.

          9. The Nomination and Remuneration Committee should work closely with the bank's Risk Management Committee and/or the Chief Risk Officer in evaluating the incentives created by the remuneration system.

          10. The Nomination and Remuneration Committee shall review the implementation of the Remuneration Policy at least on a half-yearly basis to ensure achievement of its stated objectives.

          11. The Nomination and Remuneration Committee shall closely review and monitor the remuneration of the highest-paid staff to verify compliance with the Remuneration Policy and to avoid misuse.
           
        • 2.3 Senior Management Responsibilities

          12. Senior management should implement a remuneration system that promotes effective governance, sound remuneration practices, ethical behavior and compliance with laws, regulations and internal conduct standards.

          13. Senior Management shall be responsible for the following:

           a. Promoting, developing and communicating conduct expectations, clearly linking remuneration and conduct standards (including as part of the performance assessment process), and ensuring that the potential consequences of misconduct on remuneration are clearly explained to all employees.

           b. Following up on the publication of each department's conduct expectations regarding ethical behavior and work practices that comply with laws, regulations and internal standards of conduct, and on the application and achievement of these expectations.

           c. Identifying, monitoring and reporting on relevant indicators of misconduct risk in every department of the bank, and monitoring each department's role in escalating and remediating identified deficiencies or other important matters in an appropriate and timely fashion, so as to allow relevant feedback and changes to be incorporated into the performance assessment process where needed.

          14. Senior management shall submit a report to the Nomination and Remuneration Committee at least semi-annually on measures taken, and steps to be taken, in applying the Banks Remuneration Rules issued by SAMA and any relevant Laws, Regulations, Principles and Standards.
           
        • 2.4 Misconduct

          15. Banks should have an internal definition of misconduct based on their characteristics, values and business, which promotes adherence to legal, professional, internal conduct and ethical standards.

          16. The bank's risk appetite statements should reflect clear and well-understood values and conduct standards that are tailored and cascaded to individual business units and taken into account when assessing performance and promotion potential. Individuals should be held accountable for ensuring that their own conduct is consistent with these standards.
           
        • 2.5 Remuneration Policy

          17. Banks shall have a written Remuneration Policy for Senior Management approved by the General Assembly, and a Remuneration Policy for all other employees approved by the Board of Directors. The Remuneration Policy shall ensure prudent management of the risks associated with remuneration.

          18. The Remuneration Policy should be designed to attract and retain quality staff with sufficient knowledge, skills and expertise to effectively conduct the business of the bank.

          19. The Remuneration Policy should, inter alia, cover the following areas:

           a. The objectives of the remuneration system (with a focus on promoting effective risk management and achieving the financial soundness and stability of the bank).

           b. The scope of the policy, which should cover all levels and categories of employees, whether regular or contractual, as well as outsourcing arrangements with third-party service providers.

           c. The broad structure of the remuneration system (including, but not limited to, linking remuneration with performance and aligning remuneration with risk-taking).

           d. The determinants of the mix of remuneration components (including, but not limited to, fixed and variable components; cash, equity and other non-cash benefits).

           e. A description and details of the major perquisites to be made part of remuneration.

           f. An authority matrix clarifying management's approval limits for remuneration and any cases that require approval from the Nomination and Remuneration Committee.

           g. A clear description of the responsibilities of the control functions, as well as human resources, in participating in the design of appropriate remuneration policies, developing performance indicators related to risk and conduct, and identifying, monitoring and reporting misconduct.

           h. The criteria to be used for determining the value of shares allocated as part of remuneration.

          20. The Remuneration Policy should not be based solely on industry practices but should also take into account the business model, financial condition, operating performance and business prospects of the bank.

          21. Review of the Remuneration Policy to assess its adequacy and effectiveness should be made an integral part of the bank's risk management framework.
           
      • 3. Performance Measurement

        22. Banks shall have a performance measurement system in place to evaluate and measure the performance of their employees at various levels in an objective manner.

        23. Procedures and processes for performance appraisal and measurement should be clearly stated and documented. Such procedures and processes should provide for the avoidance of undue influence and conflict-of-interest situations, and be transparent to the employees concerned.

        24. Performance measurement procedures and processes should provide for measuring individual contribution, to the extent practicable, to the overall performance of the bank. The individual contributions measured should, however, be supplemented with managerial judgment in determining the performance-based remuneration of an employee. Conduct goals and performance targets should work together as part of employees' remuneration to drive good behavior and address potential conflicts of interest.

        25. Performance assessments and remuneration outcomes should consider all risks, including those associated with the bank's main activities and those stemming from conduct that may not be consistent with laws and regulatory requirements, internal policies and procedures, or the bank's risk management framework. These factors should be given due weight in performance measurement.

        26. Gross revenue or profit earned should not be the sole factor when setting performance objectives and when measuring performance. Other factors, including at a minimum the risks associated with the underlying transactions, ethical behavior, quality of business transacted, customer satisfaction and risk-adjusted return on capital, should also be taken into account, wherever practicable, in performance management.

        27. The performance measurement of senior management should be based on the longer-term performance of the bank, and accordingly the performance-based component of their remuneration should not be based solely on the current year's performance. The performance assessments of senior management and other employees who have an oversight responsibility within the bank should also include considerations regarding their oversight responsibility in relation to the risk of misconduct within their business line.
         
      • 4. Determining Remuneration

        • 4.1 Alignment of Remuneration with Risk

          28. Banks shall ensure that the incentives provided by their remuneration system take into consideration risk, capital, liquidity and the likelihood and timeliness of earnings.

          29. An employee's remuneration should take into account all existing and potential risks, including difficult-to-measure risks such as liquidity, cost of capital, reputational, regulatory and misconduct risks. Furthermore, the size of the variable remuneration pool and its allocation within the bank should take into account the full range of risks.

          30. The processes for managing misconduct risk through the remuneration system should include, at a minimum, ex ante processes that embed non-financial assessment criteria, such as the quality of risk management, the degree of compliance with laws and regulations and the broader conduct objectives of the bank (including fair treatment of customers), into individual performance management and remuneration at all levels of the bank and as part of the broader governance and risk management framework. Such processes should be supported by ongoing programs, including formal training courses, that reinforce appropriate standards of behavior.

          31. Control functions and the Human Resources function should be adequately involved in remuneration design and decision-making to ensure that remuneration incentives are effective in addressing misconduct risk.

          32. Remuneration payments should be sensitive to the time horizon of risks and, if needed, the variable component of remuneration should be deferred where risks are realized over long periods.

          33. Banks shall employ appropriate techniques/criteria to adjust their accounting profits for the full range of identifiable risks, keeping in view the size and complexity of their operations.

          34. Adequate amounts of variable remuneration should be placed at risk of reduction, to help align remuneration outcomes with adverse outcomes and/or risks that may manifest only with time.
           
        • 4.2 Remuneration Structure

          35. The remuneration structures for various levels of employees should be designed to promote effective risk management and achieve remuneration objectives.

          36. The mix of forms of remuneration should vary depending on the employee's position and role; it should take into account the full range of financial and non-financial incentives in an employment relationship, and may include cash, equity and other forms of remuneration.

          37. The proportion of fixed and variable components of remuneration for different business lines should be determined taking into account the nature and level of responsibilities of an employee, the business area in which they work, and the Remuneration Policy of the bank. Banks should, however, ensure that total variable remuneration does not limit their ability to strengthen their capital base.

          38. The remuneration structure of employees working in control functions should be designed to ensure the objectivity and independence of these functions. In this regard, it should be ensured that performance measurement and determination of remuneration of such employees are not dealt with by any person working in, or associated with, the business areas monitored by the control functions.

          39. The determination of the bonus pool should take into account the overall performance of the bank, whereas its distribution to individual employees should be based on the performance of the employee as well as that of the business unit or division in which they work. There should, however, be no guaranteed minimum bonuses or similar payments, other than an employee's salary, that are not based on performance.

          40. Current and potential risks should be taken into account when determining the size and distribution of variable remuneration. The variable remuneration of senior management, as well as of other employees whose actions have a material impact on the risk exposure of the bank, should therefore be determined in line with the following:

           a. A substantial proportion of remuneration should be variable and paid on the basis of individual, business-unit and bank-wide measures that adequately measure performance.

           b. A substantial proportion of variable remuneration, at least 40 percent, should be awarded in shares or share-linked instruments (or, where appropriate, other non-cash instruments) and should be subject to an appropriate share retention policy.

           c. A substantial portion of variable remuneration, at least 40 percent, should be payable under deferral arrangements over a period of years.

           d. These proportions should increase significantly with the level of seniority and/or responsibility. For the most senior managers and the most highly paid employees, the percentage of variable remuneration that is deferred should be substantially higher, exceeding 60 percent.

          41. The deferral period for remuneration should not be less than three years, depending on the nature of the business, its risks and the activities of the employee concerned.

          42. The remaining portion of the deferred remuneration can be paid as cash remuneration vesting gradually. In the event of negative contributions by the bank and/or the relevant line of business in any year during the vesting period, any unvested portions are to be clawed back, subject to the realized performance of the bank and the business line.
           
        • 4.3 Remuneration Adjustment

          43. The remuneration system should provide mechanisms to adjust variable remuneration, for instance through in-year adjustment, malus or clawback arrangements, which can reduce variable remuneration after it is awarded or paid. Such mechanisms must be documented in the bank's policies and procedures.

          44. Poor financial performance by the bank during any period is expected to lead to a decrease in total variable remuneration, taking into account both current remuneration and reductions in payments previously earned during that period. Banks should submit clear justifications for such decreases to SAMA as supporting documents along with the Compliance Report.

          45. Remuneration adjustment should allow banks to adjust remuneration to account for risks that have subsequently materialized, including instances of employee misconduct or material error, a material downturn in performance, or a material failure of risk management.

          46. Effective policies and procedures must be in place to set indicative criteria and cases that could trigger the use of remuneration adjustment and may result in reductions to variable remuneration regardless of the individual's performance.

          47. At a minimum, adjustment should occur in the following cases:

           a. In cases of misconduct that have led to significant loss to the bank, its customers or any other party; or

           b. Where there is fraud, gross negligence or a material failure of risk management controls, including violation of internal policies or any related rules or regulations.

          48. When determining the accountability of those under review for adverse risk events, remuneration adjustment policies should take into account, as a minimum: the individual's liability for or proximity to the misconduct; rank and role; the individual's motivation (e.g. personal gain, malice, fraud, ignorance, lack of training); negligence in the exercise of the individual's duties; the level of participation in and responsibility for the events under review; history of misconduct; actions that were taken or could have been taken to prevent such events from occurring, including any failures within the bank to internally supervise and oversee staff; and the root cause of the events triggering the review.

          49. When deciding the amounts of remuneration to be adjusted, performance and remuneration adjustment policies should take into account all relevant indicators of the severity of impact, which may include the cost of fines and regulatory actions, direct and indirect financial losses and/or the impact on profitability attributable to the relevant failure, any reputational damage, the impact of such events on customers, and the costs of redressing the events under review.

          50. Where remuneration adjustments are made before the full impact of the risk management failures or misconduct is known, appropriate subsequent adjustments should be made to ensure that the final adjustment fully reflects the impact of the incident or misconduct.

          51. Remuneration adjustment policies should provide that the granting and vesting of all awards made to individuals undergoing internal or external investigation may be frozen until the investigation has concluded and a decision has been made and communicated to the relevant employee(s).

          52. The use of remuneration adjustment should not be limited to those most directly involved in and responsible for the misconduct, but should extend beyond them. Specifically, adjustment should be considered for the heads of control functions and for employees in control or direct line-of-business functions who, by virtue of their role, could be considered responsible or accountable for the failure or weakness in the control framework relevant to the employee misconduct, if such failure or weakness was attributable to a lack of due diligence or to misuse. It should also be considered for senior management or members of the Board or relevant committees who, while not directly responsible, were either aware, or could reasonably have been expected to be aware given their seniority or role in the bank, of the failure or misconduct at the time, but failed to take adequate steps to promptly address it.

          53. Remuneration adjustment should be governed by clear procedures that:

           a. Indicate the authority to approve remuneration adjustment, the processes for escalating to human resources, control functions and senior management, and for deciding cases that may trigger the use of remuneration adjustment for misconduct.

           b. Ensure that control functions and human resources are appropriately involved in the remuneration adjustment process, except for those persons who may themselves fall within the scope of the investigation.

           c. Make clear the role of discretion in such processes, who is authorized to exercise such discretion, and how such discretion is appropriately bounded by supporting governance and risk management processes.

           d. Require adequate documentation and rationale for final decisions.

           e. Ensure transparency by clearly communicating in writing to all affected individuals the value of adjustments made to their variable remuneration and the reasons for such adjustments. This includes notifying the Board or the Nomination and Remuneration Committee.
           
      • 5. Remuneration Control

        • 5.1 Disclosure Requirements

          54. Banks shall disclose in their Annual Financial Statements aggregate quantitative information on remuneration paid to the various categories of employees and their number, with a breakdown of fixed and variable components and the forms of payment. The categorization of employees shall include, at a minimum, senior management, employees engaged in control functions and outsourced employees.

          55. Banks shall disclose in their Annual Financial Statements the salient features of their Remuneration Policy and its implications for the bank's risk profile, as well as the composition and mandate of the Nomination and Remuneration Committee. Such disclosure should also provide information on the overall design of the remuneration system and the manner of its implementation, a description of the manner of risk adjustment, the linkage of remuneration with actual performance, the deferral policy and vesting criteria, the parameters for allocating cash versus other forms of remuneration, and the achievement of the stated policy objectives.
           
        • 5.2 Compliance Report

          56. Banks are required to submit a semiannual Compliance Report to SAMA that includes an assessment of the bank's existing remuneration practices and their alignment with these rules, either confirming full compliance or highlighting gaps along with an action plan (how the gap will be closed, the responsible persons/department and the target date), in addition to updates on the progress of the action plan until all gaps are closed. The report should include the items listed in Appendix-I.

          57. Banks shall submit, along with the Compliance Report, the following about all types of remuneration:

           a. Details of total remuneration, including a breakdown of fixed and variable remuneration and remuneration adjustments, as per Appendix-II;

           b. Details of the remuneration of the top 12 most highly compensated employees of the bank, as per Appendix-III.

          58. Banks shall submit their semiannual Compliance Report for the second half of the year before March 31, and for the first half of the year before August 31.

          59. Banks shall submit the results of the annual review of remuneration, and any consequential actions, before March 31 of each year.
           
        • 5.3 Supervisory Review

          60. Banks are expected to use these rules in identifying and assessing risks arising from remuneration policies and practices as part of their Internal Capital Adequacy Assessment Plan (ICAAP) and Internal Liquidity Adequacy Assessment Plan (ILAAP).

          61. In case of material deviations from these rules or from the bank's own policies, SAMA may direct the bank concerned to rectify the deficiencies and may also prescribe increased capital or liquidity requirements for that bank. SAMA may also impose penalties or any other necessary measures in case of serious violations.

          62. If needed, SAMA may limit a bank's total variable remuneration as a percentage of total net revenues when it is inconsistent with the maintenance of a sound capital or liquidity base or with sound risk management practices. In addition, SAMA may impose limits and constraints on a bank's remuneration structure, forms and deferral.
           
      • Appendix-I: Coverage of the Compliance Report

        The report should cover all actions taken by the bank to comply with SAMA's rules and other related regulations. It should contain, at a minimum, the following information:
         
        1. Composition of the Nomination and Remuneration Committee, including the names, qualifications and status (shareholder, independent, non-executive) of its members, and the Committee's terms of reference;
         
        2. Confirmation that the bank has formulated a Remuneration Policy for Senior Management approved by the General Assembly, and a Remuneration Policy for all other employees approved by the Board of Directors. Both policies should be annexed to the report;
         
        3. Confirmation that all employment contracts negotiated or renegotiated after the issuance of SAMA's rules comply with these rules. The report should also state the number of contracts, if any, that were in force at the time of issuance of the rules and remain non-compliant, along with the reasons and the timeline for their regularization;
         
        4. Details of the measures taken to ensure compliance with these rules by the bank's subsidiaries, and the name and location of all subsidiaries and branches to which these rules have been applied;
         
        5. The categories of employees, and the number in each category, to which the measures taken to implement SAMA's rules apply. These categories should include, inter alia, senior management, employees engaged in risk-taking activities as defined in the Remuneration Policy, employees working in control functions, other employees of the bank, and outsourced employees/service providers engaged in material risk-taking activities on behalf of the bank, if allowed under SAMA's Rules on Outsourcing. A detailed definition of each category should also be provided;
         
        6. A list of the material changes made to date in the remuneration practices of the bank and its subsidiaries since implementation of these rules. Each change should be elaborated with supporting information;
         
        7. A description of, or reference to, the disclosures made in the bank's Board of Directors Annual Report regarding the risk management framework, internal controls, and Remuneration Policy and practices;
         
        8. Confirmation that the bank has established appropriate compliance arrangements by obtaining a commitment from its employees not to use personal hedging strategies or remuneration- and liability-related insurance to undermine the risk alignment effects embedded in their remuneration arrangements;
         
        9. An enumeration of any unexpected issues encountered to date in implementing these rules;
         
        10. Details of the steps planned for the next half-year to further refine the bank's remuneration practices.
         
    • Compliance Principles and Internal Control

      • Principles of Internal Auditing for Local Banks Operating in Saudi Arabia

        No: 43037826 Date(g): 1/12/2021 | Date(h): 26/4/1443 | Status: In-Force

        Translated Document

         

        In line with the supervisory and regulatory role of SAMA and its commitment to enhancing the systematic performance of internal audit units in independently and objectively evaluating the adequacy and effectiveness of governance processes, risk management, internal controls, and implemented policies and procedures, and based on the powers granted to it under its Law, issued by Royal Decree No. (M/36) dated 11/04/1442H, and other related regulations, SAMA has issued the attached first edition of the Principles of Internal Auditing for Local Banks Operating in the Kingdom.

        For your information and action accordingly, effective as of 01/01/2022G.

        • Chapter One: Introduction, Definitions, and General Provisions

          • 1. Introduction


             

            1-1 SAMA has issued these principles based on its supervisory and regulatory powers as set out in the following regulations:
             
              A. The Saudi Central Bank Law, issued by Royal Decree No. (M/36) dated 11/04/1442H.
             
              B. The Banking Control Law, issued by Royal Decree No. (M/5) dated 22/02/1386H.
             
            1-2 These principles are structured into three chapters:
             
              Chapter One: clarifies the terms used and the general provisions.
             
              Chapter Two: provides an overview of the roles, responsibilities and duties of the Board of Directors, the Audit Committee and Executive Management in relation to internal audit, as stipulated by the relevant regulations and guidelines, including the requirements for their effective implementation.
             
              Chapter Three: sets out detailed and comprehensive requirements concerning the activities, roles and responsibilities of the internal audit function. It highlights the function's position as the third line of defense, complementing the first and second lines, and underscores its role as a tool of oversight and supervision within the bank rather than a replacement for the bank's management, ensuring alignment with regulatory requirements, guidelines and best practices while taking into account the particular nature of banking institutions.
             
          • 2- Definitions

            The following terms, wherever they appear in these principles, have the meanings assigned to them below, unless the context requires otherwise:

            Central Bank: Saudi Central Bank (SAMA).
            Bank: A local commercial bank licensed to conduct banking operations in the Kingdom.
            Board: The Board of Directors of the bank.
            Audit Committee: One of the committees formed by the Board, established by a resolution of the ordinary general assembly.
            Executive Management: The bank's senior management, responsible for managing the bank's daily operations and for proposing and implementing strategic decisions.
            Unit: The internal audit unit of the bank, overseen by its head and comprising the staff responsible for internal audit tasks and responsibilities.
            Head of the Unit: The person responsible for managing the unit.
            Internal Auditors: The staff of the unit responsible for carrying out internal audit tasks and responsibilities.
            Principles: The Principles of Internal Auditing for Local Banks Operating in the Kingdom of Saudi Arabia.
            Internal Audit Function: An independent evaluation activity that provides objective assurance and consulting services on the quality, adequacy and effectiveness of the bank's internal control system, through a systematic and organized approach to auditing accounting, financial, operational and other processes, and to assessing and improving the effectiveness of governance, risk management and controls.
            Internal Audit Policy: The official document, approved by the Board, that defines the unit's purpose, scope of activity, organizational position, functional and administrative reporting lines, responsibilities, authority and relationships with other units, and the principles and methodology the bank follows regarding internal control. It also grants the unit access to the records, staff and physical assets necessary to perform its duties.
            Regulations and Rules: The regulations and rules that apply to the banking sector and its members.
            Instructions: Everything issued by SAMA in its supervisory and regulatory capacity over the banking sector, as well as the regulations, rules, principles, frameworks, guidelines and mandatory circulars issued by the relevant authorities.
            Independence: Freedom from circumstances and conditions that impair the unit's ability to perform internal audit tasks and responsibilities in a professional, objective and unbiased manner.
            Conflict of Interest: A situation in which the head of the unit or its staff have, or appear to have, a direct or indirect interest in, or relationship to, a matter under their consideration for an opinion or decision, such that the interest or relationship impairs, or could reasonably be believed to impair, their ability to express that opinion or make that decision independently, impartially and objectively.
            Objectivity: Neutral professional conduct, based on facts, that enables internal auditors to perform their tasks in a way that assures the quality of their work and its intended outcomes, without substantial interference or influence from outside the unit and without being swayed by personal beliefs or emotions.
            Consulting Services: Advisory work carried out at the specific request of one of the bank's units.
            First Line of Defense: The business units responsible for identifying, assessing and managing the risks of their activities early and continuously, and for accepting those risks within approved limits.
            Second Line of Defense: The oversight and support units, such as risk management, compliance, legal, Sharia (where applicable), finance and the technology functions serving the business units, responsible for verifying, from a comprehensive and systematic perspective, that the business units in the first line of defense have appropriately identified and are appropriately managing their business risks.
            Third Line of Defense: The internal audit unit, responsible for independently and objectively evaluating and confirming the adequacy and effectiveness of the governance, risk management, controls, policies and procedures implemented by the first and second lines of defense, enhancing confidence in them, and providing executive management with reasonable assurance that policies and procedures are aligned with the specified expectations.
            Stakeholders: All those with a direct interest in the unit, namely the Board, the Audit Committee, executive management, the bank's business units, external auditors, external consultants and others; and, indirectly, shareholders, investors and customers.
          • 3. General Provisions

            3-1 The general purpose of these principles is to establish the minimum requirements necessary for the internal audit function to perform efficiently and optimally within a unified, comprehensive and robust framework. This framework serves as a tool to enhance self-regulation and to lay the foundations for performing internal audits and improving the bank's operations and activities. The manner of implementing these principles depends on various factors, including the size of the bank, the complexity of its operations, its geographical scope, its regulatory framework, and the instructions under which it operates.
            3-2 The primary objectives of these principles are:
              1) To protect the bank's assets; to continuously ensure the soundness, adequacy and effectiveness of processes and the accuracy and reliability of reports, especially financial reports prepared for various purposes and stakeholders; to instil confidence in these reports and enhance the data they contain; and to protect the interests of stakeholders.
              2) To enhance compliance with the requirements of the regulatory and supervisory authorities, ensuring that the bank and its employees adhere to laws, regulations and instructions.
            3-3 The internal audit function is the third and final line of defense in the three-lines-of-defense model. It is directly accountable to the Board and the Audit Committee, on a continuous and ongoing basis, for evaluating and confirming the adequacy and effectiveness of governance, risk management and control processes, and of the policies and procedures implemented by the first and second lines of defense. It enhances confidence in those processes and contributes to their improvement through a structured, risk-based approach that optimizes the use of resources by directing audit activity towards the bank's most significant and highest-risk areas, and it performs these activities objectively in light of the bank's defined strategies and objectives. The importance of this line of defense is bolstered by its independence, which strengthens its objectivity and credibility, ensures proactive effectiveness, provides new insights, identifies future impacts and promotes appropriate ethics and values, thereby giving executive management reasonable assurance that policies and procedures are aligned with defined expectations.
            3-4 These principles do not alter the requirements imposed on banks by other relevant regulations, laws and instructions.
            3-5 SAMA has issued several instructions related to internal audit requirements, and these principles should be read alongside them, as applicable, including but not limited to:
              1) Key Principles of Governance in Financial Institutions under SAMA's supervision and control.
              2) Principles of Conduct and Work Ethics in Financial Institutions.
              3) Principles of Compliance for Commercial Banks Operating in the Kingdom of Saudi Arabia.
              4) Anti-Money Laundering and Counter-Terrorism Financing Guide.
              5) Rules for Bank Accounts.
              6) Regulatory rules for the operation of self-regulation units and committees.
              7) Principles of financial fraud prevention in banks operating in the Kingdom.
              8) Shariah Governance Framework for local banks operating in Saudi Arabia.
              9) Whistleblowing Policy for financial institutions.
              10) Risk Management Instructions.
              11) Rules on Outsourcing.
              12) Cyber Security Framework.
              13) Business Continuity Management Framework.
              14) Information Technology Governance Framework.
            3-6 The internal audit function is the subject of guidance issued by various international bodies and organizations. This guidance should be referenced and consulted, including but not limited to that of:
              1) The Basel Committee on Banking Supervision (BCBS).
              2) The Institute of Internal Auditors (IIA).
              3) The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
          • 4. Scope of Application

            These principles apply to all local banks operating in the Kingdom.

        • Chapter Two: Roles and Responsibilities of the Board and Executive Management Regarding Internal Audit

          • Principle (1): Board Responsibilities for Internal Audit

            5- To enable the ordinary general assembly to perform its functions regarding the Audit Committee and internal audit, as specified in the Companies Law and its Implementing Regulations, the Corporate Governance Regulations issued by the Capital Market Authority, and the Key Principles of Governance in Financial Institutions issued by SAMA, the Board is required to:
              5-1 Submit effective proposals and recommendations that enable the ordinary general assembly to carry out its functions.
              5-2 Monitor, from time to time, any developments in the regulations, rules and instructions related to internal audit issued by the relevant authorities.
            6- Although the Audit Committee operates independently of the Board and executive management, this does not exempt the Board, under the Key Principles of Governance in Financial Institutions, from its responsibility to effectively oversee the Audit Committee and to monitor its work and assigned duties.
            7- The Board bears the following responsibilities in relation to the roles and responsibilities of executive management regarding internal audit:
              7-1 Ultimate responsibility for ensuring that executive management establishes and maintains an appropriate, efficient and effective internal control framework that identifies, measures, monitors and manages all risks faced by the bank.
              7-2 Ensuring that the effectiveness and efficiency of the internal control system are reviewed on the basis of information provided by the internal audit function, without relying solely on it.
            8- Without prejudice to the powers, duties and responsibilities of the Board under the relevant instructions of SAMA and other regulatory authorities, the Board is responsible for continuously ensuring the following with respect to the internal audit function:
              8-1 Taking all necessary actions to ensure the existence and continued effectiveness of an independent and effective internal audit function within the bank, and periodically updating its organization and operating policies.
              8-2 Ensuring that the size of the internal audit function, and the qualifications and competence of its head and staff, are appropriate to the size of the bank, the nature of its operations, the automated systems in use, and the complexity of its organizational structure.
              8-3 Ensuring that the Audit Committee conducts an independent external evaluation of the quality of the internal audit function's performance at least once every five years.
          • Principle (2): Responsibilities of the Audit Committee towards the Unit

            9- Without prejudice to the specific responsibilities and duties of the Audit Committee as defined by the regulations and instructions issued by SAMA and other regulatory authorities, the Committee is responsible for the following requirements for effective oversight:
              9-1 Recommend to the Board the approval of the unit's organizational structure, and review it periodically as needed.
              9-2 Recommend to the Board the appointment, reappointment or dismissal of the head of the unit, or the acceptance of their resignation.
              9-3 Ensure that the unit has appropriate human resources in terms of number, qualifications and skills, especially in specialized areas, including, for example: treasury, finance, International Financial Reporting Standards, anti-money laundering and counter-terrorism financing, technology and cybersecurity risks, governance, Basel standards, liquidity, credit and provisioning, among others.
              9-4 Review and approve the audit plan prepared by the head of the unit on the basis of the results of the annual risk assessment, including the scope of the plan and the budget allocated to it.
              9-5 Approve the unit's strategy as prepared by its head, and monitor the unit's performance alongside the execution of the annual audit plan, in alignment with the bank's overall strategy and objectives and after coordinating with the relevant department in the bank.
              9-6 Review and discuss internal audit reports.
              9-7 Review the unit's performance to ensure its ability to carry out its responsibilities independently and objectively.
              9-8 Approve performance measurement indicators for the head of the unit and evaluate their performance.
              9-9 Ensure that the head of the unit possesses integrity and the ability to perform their duties with honesty, diligence and responsibility; verify their compliance with regulations and instructions; and confirm that they have not previously been involved in any violations.
              9-10 Ensure that executive management takes the necessary corrective actions, in a timely and appropriate manner, to address the control weaknesses, compliance issues relating to policies, regulations and instructions, other violations and observations, and shortcomings identified and reported by the unit together with its recommendations.
              9-11 Conduct the required independent external assessment, in accordance with the approved audit policy, to verify the quality of the unit's work at least once every five years.
          • Principle (3): Roles and Responsibilities of Executive Management Regarding Internal Audit

            10- Executive management has the following responsibilities:
              10-1 Develop, apply and maintain appropriate and effective internal control systems and procedures.
              10-2 Fully and unconditionally enable the internal audit unit to access all records, individuals, systems and premises, and provide it with the information and data necessary to perform its tasks in a timely and appropriate manner.
              10-3 Provide the internal audit unit with updates on new initiatives, projects, products and operational changes, and on any amendments to policies and procedures within the bank.
              10-4 Ensure that all relevant risks, both known and anticipated, are identified and reported to the internal audit unit at an early stage.
              10-5 Share its risk assessments with the internal audit unit to enable the unit to plan its audits on a risk-based approach.
              10-6 Implement appropriate measures and corrective actions, in a timely and suitable manner, in response to all findings and recommendations received from the internal audit unit.
              10-7 Invite representatives of the internal audit unit to attend the various management committee meetings as standing invitees, without granting them voting rights.
              10-8 Include a key performance indicator for executive management that reflects the effectiveness and timeliness of its handling of the observations raised by the unit.
             
        • Chapter Three: Functions, Tasks, and Responsibilities of the Unit.

          • Principle (4): Key Characteristics of the Unit

            • Independence and Objectivity

               11- The unit must be administratively independent of all other business units whose activities are subject to its review, and of the first and second lines of defense, which it complements. The unit should have sufficient organizational status and authority within the bank to perform its tasks objectively. The head of the unit and its staff should not undertake or be assigned any tasks or work in the bank, other than internal audit activities and the review and evaluation of the effectiveness and efficiency of the internal control system, that could compromise their roles.
               
               12- The unit must have the authority to perform its tasks across all areas of the bank's operations and business units, without any restriction from executive management or from any source other than its functional reporting line.
               13- The unit should be free to discuss its views, results, evaluations and conclusions directly with the Audit Committee and the Board, and to submit its reports directly to the Audit Committee through a clear organizational structure (functional reporting line).
               
               14- The unit should not be involved in the design, selection, implementation or management of specific internal control procedures. Its independence does not, however, preclude executive management from requesting internal audit input on matters related to risks and internal control, provided that such advisory roles are well documented in the audit procedures and guidelines and are not interpreted as conflicting with its independence.
               
               15- The rotation of unit staff to other business units should be governed by a written policy within the unit's operational framework in order to avoid conflicts of interest. This includes a mandatory cooling-off period of no less than twelve months between an employee's time in the unit and any subsequent review by that employee of the bank's operational areas to which they were rotated.
               
               16- Performance rewards for the head of the unit and its staff, if any, should be structured so as to avoid any conflict of interest or compromise of the unit's independence and ability to work objectively, and in accordance with the relevant instructions issued by the Central Bank and the bank's reward policies and practices. Their rewards should not be linked to the financial performance of the business activities subject to internal audit, and the head of the unit's rewards should be recommended by the Audit Committee in accordance with the bank's reward policies and practices.
               
               17- The head of the unit should confirm, at least annually, the organizational and functional independence of the unit's activities, either in a dedicated section of the annual report or through a separate official written statement.
               
               18- The unit should have the right to request a meeting with the Audit Committee at any time it needs to discuss any matter it wishes to raise.
               
               
            • Professional Competence and Due Diligence

               19- The head of the unit must possess leadership skills and the skills necessary to maintain the unit's effectiveness.
               20- The head of the unit must hold an academic degree in one of the following:
                 20-1 Accounting, auditing, business administration, or another field related to internal auditing, preferably together with a specialized professional certification in internal auditing or accounting such as (QIAI), (CIA), (SOCPA) or (CPA), or an advanced degree in accounting, auditing or business administration; or
                 20-2 A specialized technical field, such as Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM), in which case they must also hold one of the professional certifications or advanced degrees specified in 20-1 above. Under both options, they must have sufficient practical experience in internal auditing and the leadership skills needed to fulfil their responsibilities while maintaining the unit's independence and objectivity.
               21- Without conflicting with the bank's general employment policies, procedures and requirements, the head of the unit must establish standards for attracting competent individuals to the unit who possess professional competence, knowledge, experience, qualifications and skills, including the ability to gather and understand information, to examine and evaluate evidence during the audit process, and to communicate with stakeholders. This requirement also includes supporting, enabling and training national talent.
               22- The head of the unit must assess the skills of the unit's staff, monitor their development, and ensure that they receive continuous and relevant training in order to meet the technical requirements of banking activities, adapt to the growing diversity of tasks arising from new products, services and procedures, and keep pace with other developments in the financial sector.
            • Professional Ethics for the Head of the Unit and Its Staff

               23- In accordance with the Principles of Conduct and Work Ethics in Financial Institutions issued by SAMA, and to ensure that the unit maintains professional standards at all times, the bank's code of conduct and ethics should, at a minimum, include the principles of objectivity, conduct, competence, confidentiality and integrity, and should stipulate the following:
                 23-1 The need to demonstrate professionalism, integrity, honesty and trustworthiness.
                 23-2 An emphasis on maintaining the confidentiality of information obtained in the performance of duties, not using such information for personal gain or harmful activities, and taking care to protect the information acquired.
                 23-3 The avoidance of conflicts of interest. To this end, the head of the unit must take adequate measures to ensure that the unit's staff consistently act with integrity, comply with the internal audit principles, and follow the Principles of Conduct and Work Ethics in Financial Institutions issued by SAMA.
          • Principle (5): Internal Audit Policy

            24- The head of the unit must prepare and periodically update an internal audit policy, which must be approved by the Board on the recommendation of the Audit Committee.
            25- The key items of the policy must include, at a minimum:
              25-1 The purpose of establishing the unit, and the scope and methodology of its work.
              25-2 Its organizational position within the bank, its authorities and responsibilities, and its relationships with the other control units.
              25-3 The key characteristics of the unit as set out in these principles.
              25-4 The measures that strengthen its role and the performance of its duties and responsibilities.
              25-5 The right to communicate directly with any bank employee, and to examine the activities of any bank unit or affiliated entity (where the affiliated entity does not have its own independent review unit or committee), without breaching the related regulations and instructions.
              25-6 The right to access any records, files, data or physical assets of the bank, without conflicting with the relevant SAMA instructions.
              25-7 The right to obtain copies of records and supporting documents for audit activities, including access to management information systems and to the records and minutes of all advisory and decision-making bodies in the bank.
              25-8 The right to perform its role and discharge its responsibility of reviewing all activities of the bank's units and its affiliated entities, inside and outside the Kingdom, where the affiliated entities do not have their own independent review units or committees, without breaching the related regulations and instructions.
              25-9 The right to escalate matters to the Audit Committee, without any restriction, whenever needed.
              25-10 The obligation to communicate the results of internal audit work, the manner in which this is done, and the recipients (reporting lines) of these reports.
              25-11 The unit's accountability to the Audit Committee for all matters related to the performance of its duties and responsibilities.
              25-12 The responsibilities of the head of the unit.
              25-13 The conditions and terms for coordination and follow-up of work between the unit and the external auditors.
              25-14 The conditions and terms under which advisory or consulting services, or special assignments, may be requested from the unit, without violating the relevant instructions.
              25-15 The commitment to conduct, at least once every five years, an independent external assessment of the quality of the unit's work, its adherence to ethical conduct, and its compliance with the internal audit principles for local banks in the Kingdom.
              25-16 In accordance with SAMA's Rules on Outsourcing, the conditions and terms governing the manner, timing and circumstances of outsourcing any of the unit's specialized and limited tasks to external service providers. At a minimum:
                a) the primary basis for outsourcing is the absence of the required specialized expertise within the unit (e.g., information security);
                b) the Board remains primarily responsible, and the unit remains responsible for proper oversight of the outsourced work;
                c) the work is performed under a non-disclosure agreement;
                d) the arrangement achieves knowledge transfer and experience gain for the unit's staff;
                e) the arrangement does not affect the unit's ability to work independently and objectively;
                f) a provider previously contracted for the same task is not re-engaged unless at least three years have passed;
                g) the service provider is not a current external auditor of the bank;
                h) the arrangement does not impede the effectiveness of SAMA's oversight; and
                i) SAMA's prior approval for the outsourcing is obtained.
              25-17 The requirements and mechanisms for reviewing the bank's affiliated entities that do not have their own independent review units or committees.
              25-18 The commitment to the international standards for internal audit relevant to the field.
              25-19 The scope and contents of the unit's periodic report to the Board.
              25-20 The authority to refer to the Unified Internal Audit Charter of the Institute of Internal Auditors and to use the standards specified therein as a guide when preparing the internal audit policy. Banks may add whatever else they deem important, as necessary, without violating the relevant regulations, policies and procedures.
            26- The policy should focus on the guiding principles for internal audit and control areas, provide high-level guidance for each activity of the unit, and set out a formally documented mechanism for resolving any differences of view that may arise with the unit, for example regarding the classification of findings, the overall report rating, report contents, prominent risks, and so on.
            27- The policy should be made available for review to all of the bank's stakeholders through the appropriate mechanism followed by the bank.
          • Principle (6): Organization, Tasks, and Responsibilities of the Unit

            • Organizational Structure and Reporting

              28-The unit must have a clearly defined organizational structure approved by the board, reporting functionally to the audit committee and administratively to the CEO. This structure should reflect the specialized roles within the unit and be appropriate to the size, nature, and complexity of the bank's operations.
              29-It is preferable for the unit to form a specialized team of experienced and competent senior auditors to manage and ensure the execution of all audit requests required by SAMA, continuously providing high-quality outputs.
              30-The unit should report its audit findings to the audit committee and the CEO, without the results of these reports affecting the performance evaluation and compensation of the unit’s head and its staff.
              31-The unit must inform the executive management of all significant findings related to the implementation and maintenance of an appropriate and effective internal control system and procedures, enabling the executive management to take timely and appropriate corrective actions. The unit should also follow up on the results of these corrective actions with the executive management.
            • Requirements and Responsibilities of the Unit Head

              32-The unit head must possess the necessary independence, objectivity, competencies, and ethics to effectively perform their role and duties.
              33-Their responsibilities must be clearly defined and should include, at a minimum, the following:
                33-1Attracting human resources with suitable qualifications and skills, based on a formal analysis of the unit's actual needs for performing its activities efficiently, comparing those needs with the available human resources and their competency levels, developing a plan to meet these needs and competencies, and formally sharing that plan with the audit committee for monitoring and evaluation. The analysis should consider international standards, emerging risk areas, and audit experience.
                33-2Working towards Saudization of the unit’s positions as required by relevant regulations.
                33-3Developing teams and skills related to audit techniques with the aid of technical systems and performance analysis programs to expand the scope of their reviews and manage system-related risks more comprehensively.
                33-4Continuously monitoring, evaluating, and developing the unit’s staff.
                33-5Ensuring the unit's adherence to integrity and compliance with sound internal audit standards.
                33-6Developing the internal audit plan and obtaining approval from the audit committee, and periodically reviewing and updating it.
                33-7Developing and periodically reviewing the internal audit policy as needed and at each audit committee cycle, and submitting it along with any updates to the board for approval based on the audit committee’s recommendation.
                33-8Formulating an internal audit strategy aligned with the bank’s strategy, obtaining approval from the audit committee, and regularly reporting the results and compliance to the committee.
                33-9Participating in relevant committees, such as those for risk and compliance, while adhering to Key Principles of Governance in Financial Institutions.
                33-10Meeting with the audit committee individually whenever necessary.
                33-11Monitoring the work of external service providers when some or part of the internal audit tasks are outsourced, ensuring their adherence to the internal audit policy, and verifying that they do not affect the unit’s independence and objectivity, and that they transfer relevant knowledge and experience to the unit's staff.
                33-12Preparing a detailed matrix that lists and classifies the potential risks of suspending or postponing any audit activity, or part of one, beyond the plan year, including an assessment and risk classification of each case. The matrix should indicate whether the suspension or postponement was requested by the unit or by other units, and high- and medium-risk cases should be submitted to the audit committee for approval, with the reasons and considerations, ensuring that the associated risks continue to be addressed.
                33-13Identifying factors to consider when selecting branch samples for field audits in the targeted geographic area.
                33-14Encouraging audit unit staff to obtain Certified Internal Auditor (CIA) certification and other professional certifications (or one of them) to enhance the competence of internal auditors in the banking sector.
                33-15Enabling and supporting the implementation of an independent external quality assessment of the audit unit’s work at least once every five years, to ensure the quality of audit outputs, in line with the board-approved policy, based on the direction and approval of the audit committee, and selecting the independent assessment provider. The results should be presented to the committee and reported to the board.
            • SAMA's Non-Objection to Appointing or Changing the Unit Head

              34-Taking into account the Requirements for Appointing to Senior Positions in financial institutions under the supervision of SAMA, and the Key Principles of Governance in Financial Institutions issued by SAMA; the bank must obtain SAMA’s prior non-objection to the appointment, assignment, or extension of the term of the head of the unit. Additionally, the bank must obtain SAMA’s prior non-objection if the head of the unit leaves their position (resignation, transfer to another role, termination of service, etc.), with documentation and explanation of the reason for the change.
            • Internal Work Procedures for the Unit

              35-Procedural manuals should be developed for the unit (either as an independent document or as part of the audit manual) to guide its staff in performing daily activities. These manuals should cover all activities of the unit in detail, providing step-by-step instructions. Each activity should include a sequential workflow that outlines the complete cycle of each process along with descriptive guidance. The manuals should align with detailed guidelines for implementing the audit policy.
              36-Detailed work guides should also be provided for using technical audit systems to assist both current and newly joined staff in using the systems effectively and understanding their capabilities.
              37-When developing work procedures for the unit, reference should be made to the standards and guidelines from the Institute of Internal Auditors, including the "International Standards for the Professional Practice of Internal Auditing" and its updates, as well as best practices for guidance in the procedures.
            • Units and Entities Subject to Internal Audit and the Audit Cycle

              38-The unit must document a comprehensive list of the bank's units and its affiliated entities subject to audit, serving as a comprehensive framework for audit processes.
              39-This list should cover all operational units, products, services, systems, risks, and processes of the bank.
              40-The list should include all requirements set by SAMA for the unit and be part of the comprehensive audit framework.
              41-Ensure that the comprehensive audit programs for this list cover relevant SAMA instructions and internal policies, and that they are developed for each unit within the bank and its affiliated entities within the comprehensive audit framework.
              42-The unit should develop an official framework for assessing the risks of each unit in the bank and its affiliated entities listed separately. This framework should also identify risk factors, such as: the latest audit assessment, time elapsed since the last audit, applicable and realized risk levels, complexity, etc., as a basis for risk assessment. The frequency of audits for each unit in the bank and its affiliated entities may be based on this risk assessment (e.g., increasing the frequency for high-risk units and entities).
              43-The unit should review all units in the bank and its affiliated entities documented in the list at least annually to ensure completeness and coverage of all units, products, systems, and procedures of the bank.
              44-The unit should document an official audit cycle that covers all units in the bank and its affiliated entities listed, and execute this cycle within a defined period, which may extend from three to four years depending on the risk classification of each listed item, in accordance with the risk-based approach.
            • Risk Assessment Methodology

              45-The risk assessment methodology should include the following:
                45-1Documented and detailed guidelines that outline and assist internal auditors in classifying risks when preparing each observation.
                45-2Documented and detailed guidelines for assessing risks in the overall audit report.
                45-3Identification of quantitative and qualitative factors necessary to facilitate understanding and consistent application by audit staff.
                45-4Classification of the bank's internal violation reports (of which the audit unit should receive copies) according to their risk level, the extent to which they have been escalated to the competent authority in the bank, and their documentation.
                45-5All instances of non-compliance with SAMA instructions should be classified as high risk unless a lower classification is supported by specific justifications approved by the compliance unit. These justifications should be based on a risk classification mechanism that considers the size and impact of the non-compliance.
            • Risk-Based Internal Audit Plan

              46-The head of the unit is responsible for preparing the annual internal audit plan and its implementation schedules, and for seeking approval from the Audit Committee. When preparing the plan, a thorough risk assessment should be undertaken (considering inputs from executive management). The plan can be part of a multi-year plan, in which case it should be reviewed and updated annually aiming to respond to changes in the sector and in the bank's risk profile, or more frequently, throughout the year, to enable continuous and real-time assessment of areas where significant risks may arise.
              47-The annual audit plan should include a list of business units and activities subject to audit and risk assessment, with well-prepared documentation to ensure a systematic audit approach.
              48-In implementing the annual audit plan, audit work programs must include detailed audit procedures for each business unit subject to review, with sufficient clarifications regarding the scope of its relevance, surveys, and ensure coverage of all potential key or significant risks, control elements, and regulatory supervisory instructions. It should be taken into account that the assessment and analytical skills of internal auditors are essential to ensure a high quality of internal audit.
              49-A list of all supervisory expectations of the audit unit must be compiled, and this requirement should be stipulated in the unit's policy or procedures. This list, together with the required areas in the comprehensive audit framework, should serve as one of the sources for developing the annual internal audit plan, alongside others such as the audit cycle, the bank's most significant risks, and new or emerging risk areas. Wherever SAMA specifies an audit frequency, that frequency takes precedence over the frequency derived from the unit's internal risk assessment.
              50-Adequate resources must be available to support the unit in performing its duties, in accordance with the annual internal audit plan.
              51-The unit should periodically conduct a self-assessment of specific requirements from SAMA and other regulatory bodies. Capabilities should be developed, and sufficient resources allocated to these areas, ensuring adequate space for them in the internal audit plan.
            • Information Technology for the Unit

              52-The unit should carry out its activities using appropriate technological systems to enhance the efficiency of the internal audit function.
              53-The unit should conduct a formal gap analysis of its current automation tools, address and close the identified gaps, identify the activities currently performed manually, and develop action plans to automate all such activities wherever feasible, escalating these plans to the Audit Committee for monitoring purposes.
            • Quality Assurance and Performance Improvement Program

              54-The unit should establish an internal function reporting directly to the head of the unit, dedicated to quality assurance and performance improvement, and should be staffed with qualified and suitably experienced resources.
              55-The internal audit unit should implement a quality assurance and performance improvement program covering all aspects of internal audit activities. This program should include both internal evaluations (ongoing assessments and annual comprehensive reviews) and external evaluations (conducted at least once every five years), with the results reported to the Audit Committee.
              56-The quality assurance and performance improvement function must review and evaluate all activities and reports of the audit unit on an ongoing basis. The head of the audit unit must submit regular reports on the results of that function's reviews and evaluations (both ongoing and annual) to the Audit Committee.
              57-The quality assurance and performance improvement unit should be responsible for reviewing and updating the internal policies and procedures of the internal audit unit, training and motivating its staff, and working on enhancing the quality of work and other performance improvement tasks.
            • Periodic Reports to the Audit Committee

              58-The internal audit unit should prepare periodic reports on its reviews and submit them to the Audit Committee. The committee, in turn, should submit these reports directly and independently to the board without any revisions from the executive management or any other source. The reports should, at a minimum, include:
                58-1A quarterly report: This should include an assessment of the internal control system of the units reviewed, the findings and recommendations related to the work units audited, the actions taken by each unit regarding the findings and recommendations from the previous review, and an explanation of the status of findings not addressed by the executive management. It should also detail instances of failure to respond promptly to those findings and recommendations, along with the reasons for such failures.
                58-2An annual general (comprehensive) report: This should include an assessment of the bank's internal control system and the audit activities conducted during the financial year compared to the approved plan. It should also state the reasons for any shortcomings or deviations from the plan, if any, within a deadline not exceeding the end of the following quarter after the end of the relevant financial year, or according to the dates in the approved annual plan.
            • Database and Document/Report Storage

              59-The audit unit must establish a database for its operations and update it continuously.
              60-In accordance with the relevant regulations of the central bank and other regulatory bodies, all internal audit reports, findings, recommendations, corrective action plans, and supporting documents should be stored electronically in the database. This includes any findings raised by independent auditors that had previously been identified by audit staff, as well as all work-related documents, internal audit achievements, results, recommendations, and measures taken in accordance with the relevant central bank instructions.
              61-A formal manual (either independently or as part of the audit manual) for record retention and storage mechanisms should be prepared and approved. This manual should describe the methods of storage and details of all work papers and information to be retained, the minimum retention period, and the recommendations of the audit unit. This should be done considering the data and information retention regulations and instructions provided by the relevant supervisory regulatory authorities.
          • Principle (7): Scope of the Unit's Work

            62-The general scope of the unit includes every unit in the bank and its affiliated entities (that do not have independent audit units or committees), covering all activities, operations, products, and services of the bank, as well as the limited specialized tasks that may be outsourced to external service providers, including the review and assessment of the effectiveness of the internal control system, risk management, governance, compliance, and supervisory requirements, as well as consulting services. The unit should evaluate the entire bank, including branches and affiliated entities.
            63-The unit is responsible, independently within its scope and work plan, for evaluating the following:
              63-1The effectiveness and adequacy of internal control functions, risk management, and governance in the context of current and potential future risks, including committees.
              63-2The procedures established by business units and support units.
              63-3The reliability of management information system policies and procedures (including data relevance, accuracy, completeness, availability, confidentiality, and comprehensiveness).
              63-4The level of compliance with regulations, policies, and internal procedures of the bank.
              63-5The adequacy and effectiveness of asset protection procedures.
              63-6The adequacy and effectiveness of all reports and their preparation mechanisms.
            64-Participate, upon request, in internal investigations that do not conflict with the unit's scope, duties, and responsibilities, as deemed necessary by the head of the unit; the audit committee should be provided with reports on such investigations.
            65-With consideration to the relevant instructions and the requirements for applying the risk-based approach and its methods, the unit must, in implementing the scope of its activities, properly cover in the audit plan the requirements of topics of regulatory and supervisory importance according to the timeframes specified for each requirement, or at least annually if no timeframes are specified, unless the risk assessment of the units requires a shorter period for the following activities:

            Risk Management Unit

            66-The unit should primarily include the following in its plan concerning the Risk Management Unit:
              66-1Its organization and powers, including market, credit, liquidity, interest rate, operational risks, legal risks, and any other risks.
              66-2Assessment of risk tolerance, escalation of issues and decisions, and reporting on them.
              66-3The adequacy of policies and procedures for identifying, measuring, assessing, monitoring, and addressing emerging risks from the bank's activities, and reporting on them.
              66-4The integrity of its information systems, including the accuracy, reliability, and completeness of data used.
              66-5The approval and maintenance of risk models, including the process of verifying the consistency, timeliness, independence, and reliability of the information sources used in these models.
              66-6The degree of significant differences between its views and those of the executive management regarding the level of risks facing the bank.
              66-7The compliance of all business units and their employees with the internal authority matrix of the bank, and ensuring no authority is exceeded.

            Capital and Liquidity

            67-The unit must address all requirements of the regulatory framework for capital and liquidity within its scope of activities, particularly:
              67-1The internal capital adequacy assessment document and the internal liquidity assessment document.
              67-2Regulations for determining and measuring the bank's regulatory capital, assessing the adequacy of its capital resources relative to risk exposures, and the minimum indicators approved.
              67-3The process for conducting stress tests for capital and liquidity levels, considering the frequency of such tests, their purpose, the reasonableness of hypothetical scenarios, assumptions used, and the reliability of procedures.
              67-4The bank's instructions and procedures for measuring and monitoring liquidity conditions relative to its risk register, external environment, and minimum regulatory (supervisory) requirements.

            Regulatory (Supervisory) and Internal Reporting

            68-Evaluate the effectiveness of the process through which the Risk Unit and the relevant reporting unit communicate for issuing accurate, timely, and reliable reports, whether internally or for regulatory (supervisory) purposes.

            Compliance Unit

            69-Assess the scope of activities of the Compliance Unit and evaluate the effectiveness of its execution of responsibilities related to compliance risks.
            70-Cooperate with the Compliance Unit in following up on tasks, responsibilities, and activities requested by the central bank from the audit unit, as specified in terms of format and timing.

            Governance

            71-Study the scope of governance activities at the bank, focusing on:
              71-1Evaluating the effectiveness of the unit responsible for governance in executing its responsibilities.
              71-2Reviewing all governance-related policies and procedures within the bank to ensure they align with regulations, rules, instructions, and updates, and assessing their implementation and effectiveness.
              71-3Ensuring the bank's compliance with all regulations from local supervisory authorities related to governance.
              71-4Ensuring the presence of an effective control system to prevent fraud within the bank.
              71-5The process of appointing bank representatives in its subsidiaries and ensuring there are policies and procedures governing this.

            Finance Unit

            72-The audit unit should include the following aspects in its scope of work:
              72-1The organization and powers of the Finance Unit.
              72-2The adequacy and integrity of financial data and the financial systems, instructions, and procedures, including the identification, monitoring, measurement, and reporting of key data (e.g., profit or loss, financial instrument valuations, provisions), including necessary changes in accordance with international accounting standards and international financial reporting standards.
              72-3The approval and maintenance of pricing models, including verifying the consistency, timeliness, independence, and reliability of information sources used in these models.
              72-4The controls in place to prevent and detect violations.
              72-5Controls on the balance sheet, including reconciliation processes and procedures (e.g., adjustments), as well as the regulatory tasks and activities and other ongoing activities that the audit unit must review periodically, as documented in the comprehensive audit procedures and framework, together with the required timing for each. Examples of such areas include, but are not limited to, information security (cybersecurity), business continuity, anti-money laundering and counter-terrorism financing, dormant accounts, and any other areas that apply now or in the future.
          • Principle (8): The Unit's Relationship with Second Line of Defense Units and External Auditors

            • (A) Relationship with Second Line of Defense Units

              73-Second line of defense units are subject to independent review by the audit unit. Each of these units has areas closely related to other units in general and to the audit unit specifically. However, they are all organizationally separate from each other. Given the comprehensive coverage provided by the oversight performed by the second line of defense, particularly by the Risk Management Unit and the Compliance Unit, the audit unit relies on valuable information provided by these units. Nevertheless, the reliability of this information is subject to assessment by the Head of the Audit Unit.
            • (B) Relationship with External Auditors

              74-External auditors appointed by the bank play a crucial role in the continuous improvement of the bank’s internal control systems related to their scope of work. Therefore, their work should be complementary to the internal audit unit. This should be coordinated through a defined mechanism and regular meetings (based on the approved internal audit policy) to enable both parties to stay continuously informed about significant concerns. The audit committee must ensure that this coordination is in place and effectively implemented.
          • Principle (9): Internal Audit of the Bank’s Subsidiaries

            75-In cases where the bank has a subsidiary with its own independent audit unit and audit committee while ensuring compliance with relevant regulations and instructions—it is preferable to:
              75-1Obtain a seat for the head of the bank’s unit or their delegate in the audit committees of the bank’s subsidiaries to monitor developments and ensure the effectiveness of internal controls within them.
              75-2Conduct limited tests to verify the quality of the subsidiary’s audit unit operations to ensure the soundness of its activities.
            76-In cases where the bank has a subsidiary that does not have an independent audit unit and audit committee while ensuring compliance with relevant regulations and instructions—the following should be done:
              76-1The approved audit policy should define how the audit of such entities will be conducted.
              76-2The unit should report the results of the audit activities of these entities to the audit committee.
      • Principles of compliance for commercial banks operating in the Kingdom of Saudi Arabia

        No: 42005223 Date(g): 15/9/2020 | Date(h): 28/1/1442Status: In-Force

        Translated Document


        Based on the powers vested in SAMA under its Law issued by Royal Decree No. (23) dated 23/05/1377H and the Banking Control Law issued by Royal Decree No. (M/5) dated 22/02/1386H, with reference to the Compliance Manual for Banks Working in Saudi Arabia issued in the year (1429H/2008G), and in light of SAMA's supervisory and regulatory role and its efforts to continuously improve and address banking regulatory issues and enhance sound practices in banking institutions:

        Attached are the Principles of Compliance for Commercial Banks Operating in the Kingdom of Saudi Arabia, which aim to activate supervisory roles and enhance sound practices in banking institutions, and which replace the aforementioned manual.

        These principles shall apply as guiding rules until the end of 2020G, and on a mandatory basis from 01/01/2021G.

        • Definitions

          The terms and phrases below—wherever they appear in these principles—mean the definitions given next to each term, unless the context indicates otherwise:
          1-Central Bank: The Saudi Central Bank.  
          2-Bank: Local commercial banks and branches of foreign banks licensed to conduct banking activities in the Kingdom in accordance with the Banking Control Law.
          3-Council: The Board of Directors of the local bank. The primary officer in a foreign bank branch assumes the tasks and responsibilities of the Board of Directors in local banks wherever referenced in these principles.
          4-Senior Management: The executive management of the local bank (CEO, Managing Director, General Manager) and senior executives responsible for managing the bank's operations, proposing and implementing strategic decisions, and the branch manager for foreign bank branches licensed to conduct banking activities in the Kingdom.
          5-Compliance Function: An independent function at the first managerial level in senior management that identifies, evaluates, advises on, monitors, and reports on non-compliance risks, i.e., the bank's exposure to regulatory or administrative penalties, financial losses, or reputational harm arising from non-compliance with regulations, instructions, financial crime prevention requirements, or standards of conduct and professional practice. This function is carried out by an independent compliance unit in banks.
          6-Compliance Policy: The policy approved by the Board of Directors of the bank and the head of the foreign bank branch that defines and outlines the comprehensive responsibilities of compliance, the authority of the compliance unit, and the main principles, pillars, and methodology the bank follows to manage compliance risks, including the elements outlined in Principle (1).
          7-Compliance Unit: A unit at the group, sector, or department level, depending on the structure of first managerial level units in local banks, or a department, division, or section, etc., at the first managerial level reporting to the primary officer in foreign bank branches, where the head and compliance staff are solely responsible for compliance-related tasks and responsibilities.
          8-Chief Compliance Officer: The head of the compliance unit in local banks, and, in foreign bank branches, the executive at the first managerial level reporting directly to the head of the branch, whose responsibilities include coordinating the process of identifying non-compliance risks, advising senior management on how to manage them, and overseeing the activities of compliance officers and compliance staff.
           
           
          9-Compliance Staff: All individuals performing compliance duties and responsibilities within the compliance unit.
           
           
          10-Compliance Officer: An employee from other operational units, different from the compliance unit staff, designated by the Chief Compliance Officer to handle specific compliance responsibilities and tasks within their operational unit.
           
           
          11-Compliance Risks: Risks resulting in or leading to the imposition of penalties and regulatory actions against the bank or significant financial losses, or damage to its reputation due to non-compliance with relevant regulations, instructions, and standards applicable to the bank, and ethical and behavioral codes governing banking activities, collectively referred to as "non-compliance risks."
           
           
          12-Compliance Role: The description of responsibilities assigned to compliance staff within the bank.
           
           
          13-Regulations: The regulations and rules applicable to the banking sector and its personnel.
           
           
          14-Instructions: All directives issued by SAMA in its role as a supervisory and regulatory authority, and by other relevant authorities, including regulations, rules, principles, frameworks, guides, and mandatory circulars.
           
           
          15-Compliance Systems, Rules, and Standards: The regulations and instructions applicable to the banking sector and its personnel.
           
           
16-Conflict of Interest: A situation in which the Chief Compliance Officer, compliance staff, or compliance officers in other units have a direct or indirect interest in, or relationship to, a matter they are reviewing for decision-making purposes, such that the interest or relationship impairs, or could reasonably be perceived to impair, their ability to express an opinion or take a decision independently and impartially, without regard to that interest or relationship.

          * The name "Saudi Central Bank" replaced "Saudi Arabian Monetary Authority" according to the Saudi Central Bank Law No. (M/36) dated 11/04/1442H.

        • Introduction

           

          17-SAMA issued these principles based on the powers granted to it and its supervisory and regulatory responsibilities as follows:
           
           
a. The Saudi Arabian Monetary Law, issued by Royal Decree No. (23) dated 23/05/1377H.
           
           
           b. The Banking Control Law, issued by Royal Decree No. (M/5) dated 22/02/1386H.
           
           
           c. The Anti-Money Laundering Law, issued by Royal Decree No. (M/20) dated 05/02/1439H, and its Implementing Regulations, issued by State Security Presidency Decision No. (14525) dated 19/02/1439H.
           
           
           d. The Law on Combating the Financing of Terrorism, issued by Royal Decree No. (M/21) dated 12/02/1439H, and its Implementing Regulations, issued by Cabinet Decision No. (228) dated 02/05/1440H.
           
           
18-SAMA issued these principles as the first update to the Compliance Manual for Banks Working in Saudi Arabia issued by Circular No. 56202/M A T/787 dated 19/12/1429H. This issuance is part of SAMA's continuing efforts to address banking regulatory issues and to enhance sound practices in banking institutions. It also emphasizes that bank officials must satisfy themselves that compliance policies and procedures are effective and actually applied, and that senior management has appropriate corrective actions in place to address any non-compliance or deficiency when it is detected.
           
           
          19-Compliance with regulations and instructions starts from the top of the hierarchy, where the chairman, board members, and senior management should serve as examples in managing work and compliance.
           
           
20-Effective compliance requires continuous affirmation from senior management that a culture based on high standards of integrity and professional ethics prevails. Compliance should be an integral part of the bank's culture and should not be confined to the compliance unit. Every individual in the bank carries responsibility for compliance, and this responsibility must be integrated into the bank's operations and activities so that high standards are met by constantly adhering to both the spirit and the letter of the regulations. The bank must also consider the impact of its actions on shareholders, customers, employees, and the market environment, since these can provoke significant negative reactions that damage the bank's reputation even where no actual violation of regulations has occurred.
           
           
          21-Trust and integrity are the core values and highest priority in the relationship between the bank and its customers, forming the foundation upon which the bank builds its reputation with customers and stakeholders. Reputation protection must be a fundamental concern for managers and employees. They must exhibit a high level of trust, integrity, and professionalism in their duties and ensure their actions are always in compliance with the letter and spirit of regulations and instructions governing the banking sector.
           
           
          22-These principles establish a framework for governance of compliance within the bank, consisting of the board and its responsibility for approving the compliance policy and overseeing the management of non-compliance risks, senior management and its responsibility for managing non-compliance risks, and the compliance unit with its responsibility for overall coordination of compliance and supporting senior management.
           
           
          23-These principles begin by defining the responsibilities of the board and senior management regarding compliance as a primary importance, followed by the principles that should support the compliance unit within the bank.
           
           
24-Compliance systems, rules, and standards cover matters such as adherence to appropriate market practices, managing conflicts of interest, treating customers fairly, ensuring the suitability of advice given to customers, and specific areas such as anti-money laundering, combating terrorism financing, countering weapons proliferation, Know Your Customer (KYC), anti-financial fraud, anti-corruption, and handling reports of violations.
           
           
          25-Compliance systems, rules, and standards are based on multiple sources including the regulations and instructions applicable to the banking sector under the supervision of SAMA, regulations and instructions overseen by other official authorities with jurisdiction or in other countries where banks operate, prevailing banking practices, industry-supported business practices, internal conduct rules applied to bank employees, integrity and ethical behavior standards, and relevant requirements issued by international organizations and groups responsible for setting policies governing the supervision of banking and financial institutions, such as the Basel Committee on Banking Supervision, among others.
           
           
26-The compliance principles require that the compliance unit be independent, adequately resourced, and have clearly defined responsibilities, and that it be subject to independent periodic review by the internal audit unit, as detailed in Principles (5) to (8) below. These principles determine the effectiveness of the compliance unit's work.
           
           
27-The compliance unit and function in banks are considered one of the most important foundations of and factors in their success, as they play a crucial role in maintaining their reputation and credibility, protecting shareholder and depositor interests, and providing protection from penalties. This is achieved through the following activities and contributions:

          • Mitigating non-compliance risks, particularly regulatory, reputational, and financial penalty risks.
             
          • Strengthening relationships with regulatory and supervisory authorities and addressing their feedback to identify and rectify deficiencies on a regular basis before they escalate.
             
          • Contributing to the establishment of sound management and governance principles within banks.
             
          • Ensuring compliance with regulations and instructions issued by supervisory and regulatory authorities, as well as other relevant authorities.
             
          • Developing appropriate mechanisms and frameworks to combat money laundering, terrorism financing, weapons proliferation, financial fraud, and corruption, and providing insights, advice, and recommendations to address and correct deficiencies and violations.
             
          • Carrying out the necessary procedures to address reports of violations submitted by bank employees and stakeholders, in alignment with the whistleblowing policy for financial institutions issued by SAMA. This ensures an objective and escalatory approach to handling the reports and devising a corrective action plan.
             
          • Upholding values and professional practices in banking operations.
             
• Raising awareness among bank employees of the benefits of compliance and of the risks and consequences of non-compliance with the regulations and instructions issued by the relevant regulatory and supervisory authorities.
             
           
          28-The bank must organize its compliance unit such that the priorities for managing non-compliance risks align with its risk management strategy.
           
           
          29-It should be understood that the scope of compliance frameworks and the diversity and complexity of compliance rules and their sources place the responsibility for managing non-compliance risks, verifying the level of compliance, and establishing the necessary controls to ensure compliance, whether at the level of business procedures, technical systems, or data protection, on the shoulders of senior management and all business units (groups and business sectors). This is achieved through conducting the necessary reviews and ensuring effective and continuous implementation. The role of the compliance unit is limited to compiling, communicating, and explaining the regulations and instructions to the business sectors immediately upon receiving them from supervisory and regulatory authorities or other relevant entities, obtaining confirmation from these sectors, ensuring they are included in policies and procedures, conducting continuous monitoring, and periodically identifying, detecting, and assessing non-compliance risks. It also involves reporting violations of compliance systems, rules, and standards, as well as submitting reports on non-compliance risks and violations.
           
           
          30-The compliance principles apply to all commercial banks operating in the Kingdom and their branches and offices in foreign countries where they conduct banking activities, unless they conflict with the regulations and instructions of those countries. They represent the minimum necessary to achieve overall compliance effectiveness and specifically the effectiveness of the compliance unit and function. SAMA expects adherence to higher and more sound practices.
           
           
          31-

          These principles should be read and applied in conjunction with several related instructions for the unit's operations, including but not limited to the following:

           
        • Principles

          • Responsibilities of the Board of Directors Regarding Compliance.

            • Principle (1): Oversight of Non-Compliance Risk Management

              The responsibility for effective oversight of non-compliance risk management lies with the Board of Directors in local banks and with the CEO/Branch Manager in foreign bank branches. To fulfill this responsibility, the following must be done:
               
               
32-Approve an effective compliance policy and oversee it, which includes at a minimum:

              1. Establishing a permanent and effective compliance unit and updating its organization from time to time.

              2. Promoting a culture of compliance, defining employee responsibilities, the penalties for neglect, and the standards that must be achieved.

              3. Supporting and promoting values of integrity and honesty throughout the bank.

              4. A comprehensive and total commitment in all of the bank's policies to comply with regulations and instructions.

              5. The requirements necessary for managing non-compliance risk matters.

              6. Supervising the implementation of the policy, including ensuring that compliance-related issues are addressed by senior management quickly and effectively with the help of the compliance unit.

              7. Committing to providing adequate resources to the compliance unit on a continuous basis.

              8. Granting the compliance unit the necessary independence as per Principle (5).

              9. Precisely defining the responsibilities of the compliance unit.

              10. Having the internal audit unit review the activities of the compliance unit and compliance risks periodically.

              11. Continuously overseeing efforts towards implementing the compliance policy, the performance level achieved as shown in periodic reports, the assessment of the compliance unit's activities, identified weaknesses, and training and awareness efforts.
               
              33-The board or a committee delegated by it must evaluate the effectiveness of non-compliance risk management in the bank at least once a year.
               
               
              34-Approve updates to the compliance policy from time to time to enhance the effectiveness and efficiency of compliance, in line with instructions from SAMA regarding policy updates.
               
               
              35-Approve the annual compliance report and provide SAMA with a copy. 
          • Responsibilities of Senior Management Regarding Compliance

            • Principle (2) General Principle: Effective Management of Non-Compliance Risks

              The responsibility for effective management of non-compliance risks rests with the senior management of the bank. Principles (3 and 4) outline the key elements of this principle

            • Principle (3) Preparation, Update, and Approval of Compliance Policy, Responsibility, Sanctions, Monitoring, and Reporting on Non-Compliance Risks

              The senior management of the bank is responsible for preparing, updating, and obtaining board approval for the compliance policy, and ensuring its dissemination. They must also ensure adherence to the policy and report on non-compliance risk management to the board.
               
               
              Responsibility for Preparing, Updating, and Communicating the Compliance Policy
               
37-The senior management of the bank is responsible for preparing and updating the compliance policy for managing compliance matters, obtaining its approval from the board (in local banks) or the branch head (in foreign bank branches), and communicating it to all sectors of the bank. The policy should include:

              1. The compliance principles that work units and their personnel must adhere to.
                 
              2. An explanation of the key procedures for identifying and managing compliance risks throughout all levels of the bank's system.
                 
              3. Enhancement of clarity and transparency by distinguishing between general standards applicable to all employees and specific standards and procedures that apply only to certain employee groups.
                 
               
              Responsibility for Adhering to the Compliance Policy, Taking Corrective Actions, and Applying Sanctions
               
              38-The senior management has the duty to ensure adherence to the compliance policy and to ensure that appropriate corrective and disciplinary actions are taken in case of policy violations.
               
               
              Oversight and Reporting
               
39-The senior management, with the assistance of the compliance unit, is responsible for:

              • Identifying the principal non-compliance risks facing the bank, developing plans to manage and assess these risks at least annually. These plans should address any deficiencies in the policy, procedures, or implementation related to the effectiveness of the existing non-compliance risk management, as well as determine the need for any additional policies or procedures to address new non-compliance risks identified in the annual non-compliance risk assessment.
                 
              • Providing written reports to the board or its delegated committee, highlighting the bank's management of non-compliance risks at least once annually, to support board members in making informed decisions based on accurate information regarding the effectiveness of the bank’s non-compliance risk management.
                 
• Reporting in writing to the board or its delegated committee immediately on any significant compliance failures, deficiencies, or violations (e.g., non-compliance situations that may give rise to significant risk of legal or regulatory penalties, severe financial losses, or damage to the bank's reputation).
               
            • Principle (4) Responsibility for Establishing and Developing the Compliance Unit

              The senior management is responsible, under the compliance policy approved by the board, for establishing and developing a permanent and effective compliance unit within the bank, as follows:
               
               
              Establishing, Supporting, and Developing the Compliance Unit
               
              40-As a fundamental requirement of compliance, senior management in local banks, according to the compliance policy approved by the board, must establish, support, and develop an independent, permanent, and effective compliance unit with sufficient powers and responsibilities to oversee compliance. This includes having an independent compliance unit or head of compliance at the senior management level reporting directly to the top executive for foreign bank branches. The role of the compliance unit should be clearly communicated to all employees, encouraging them to consult the unit on compliance matters.
               
               
              Reliance on the Compliance Unit
               
              41-Senior management must take necessary measures to ensure that the bank relies on a permanent and effective compliance unit, which performs its duties in accordance with the "Compliance Unit Principles" mentioned later.
               
               
              Coordination and Integration with Other Business Units
               
              42-Achieving compliance requires senior management to foster a climate of trust and integration between the compliance unit and other business units, and to take the necessary measures and coordination to facilitate this relationship.
               
               
              Appointment of the Head of Compliance and Compliance Unit Staff
               
              43-The selection and nomination of the head of compliance and the staff of the compliance unit are subject to the Requirements for Appointments to Senior Positions issued by SAMA and any other relevant guidelines issued by SAMA. The responsibility for selecting compliance unit staff lies with the head of compliance in accordance with the bank’s internal employment and appointment requirements. 
          • Compliance Unit Principles

            The main principles from Principle (5) to Principle (8) detail the practices, requirements, and proper applications necessary for the compliance unit. However, the methods for implementing these principles depend on various factors such as the size of the bank, the nature and complexity of the bank's activities, its geographic scope, and the regulatory framework and instructions under which it operates.

            • Principle (5) Independence

              44-The compliance unit in the bank must be independent.
               
               
              Concept of Independence for the Compliance Unit
               
45-The concept of independence in this principle refers to "the independence of the compliance unit from interference or influence by other operational units in the performance of its compliance duties." This does not mean that the compliance unit should not work closely with other business units to facilitate compliance; rather, the working relationship between the compliance unit and other units should be cooperative, supporting the early identification and management of non-compliance risks. The elements outlined below serve as safeguards to help ensure the effectiveness of the compliance unit. Regardless of the close working relationship between the compliance unit and other units, the way these safeguards are implemented depends to some extent on the specific responsibilities of each compliance unit employee.
               
               
              Elements of the Concept of Independence
               
46-The concept of independence includes four interrelated elements that must be applied as follows:

              1. Element One: The compliance unit must have an official status in the bank.
                 
              2. Element Two: In local banks, the compliance unit should be headed by an executive at the first managerial level. In branches of foreign banks, the unit should be led by a senior executive at the first managerial level who reports directly to the head of the branch. This position carries the overall responsibility for coordinating the management of compliance risks within the bank.
                 
              3. Element Three: The personnel of the compliance unit, particularly the head of compliance, should not be placed in a position that could lead to conflicts of interest between their compliance responsibilities and any other responsibilities associated with their role.
                 
              4. Element Four: All personnel within the compliance unit should have the right and authority to access and review all relevant information, records, and files, and to communicate with bank employees as necessary to perform their duties.
                 
               
              The Official Organizational Status of the Compliance Unit
               
47-The Compliance Unit must have an official status within the bank that grants it appropriate recognition, authority, and independence. This should be set out in the bank's compliance policy or in an official document related to the policy. All bank employees should be informed of the document specifying this status.
               
               
              Key Items of the Compliance Unit's Organizational Document
               
48-The organizational document for the Compliance Unit, related to the compliance policy, must include at a minimum the following requirements:

              1. The role and responsibilities of the Compliance Unit.
                 
              2. Procedures necessary to ensure the independence of the Compliance Unit.
                 
              3. The relationship of the Compliance Unit with other risk units within the bank, and its relationship with the internal audit unit.
                 
              4. The method for distributing compliance responsibilities in exceptional cases where, due to technical or specialized reasons, or where there is not a significant relationship with non-compliance risks, some compliance responsibilities may be assigned to employees in other operational units such as human resources, administrative affairs, branches, etc., and must be according to specific procedures outlining the role and authority of those units and designated officials.
                 
              5. The Compliance Unit has the right to access the necessary information, records, and data to perform its responsibilities, and the requirement for bank employees to cooperate in providing this information.
                 
              6. The Compliance Unit has the right to conduct necessary investigations by itself or through delegated external experts for potential policy violations or shortcomings in compliance policy implementation, and its authority to appoint or request external experts if needed.
                 
              7. The Compliance Unit has the right to freely report investigation results to senior management and, when necessary, to the board or its authorized committee.
                 
              8. The official obligations of the Compliance Unit regarding reporting to senior management.
                 
              9. The Compliance Unit has the right to direct access to the board or its authorized committee.
               
Compliance Officer

              Job Level
               
              49-Every local bank must appoint a Chief Compliance Officer, and every branch of a foreign bank must appoint a high-ranking officer at the first managerial level who reports directly to the branch's chief officer. This role carries the overall responsibility for coordinating the identification of non-compliance risks at the bank, advising on their management, and supervising the activities of compliance officers and staff within the compliance unit.
               
               
              Job Affiliation
               
50-The Chief Compliance Officer, at the first managerial level of the bank, should report directly and only to the chief executive in senior management of a local bank (Managing Director/CEO/General Manager), or to the chief officer of the branch in the case of a foreign bank branch (according to the highest job title in the branch). The Chief Compliance Officer should not hold any direct or indirect responsibilities for banking business activities. They must have the authority to report and notify the board or its delegated committee of any significant weaknesses, deficiencies, or violations without fear of negative repercussions from management, other business units, or bank employees, and no action may be taken against them for such reporting.
               
               
              Notification of Appointment and Changes to the Board
               
              51-For local banks, the board members must be notified when there is an appointment or change (resignation, transfer to another role, retirement, termination of service, etc.) of the Chief Compliance Officer, including documentation and reasons for the change.
               
               
              SAMA's Non-Objection to Appointments and Changes
               
              52-The bank must obtain a non-objection letter from SAMA for the appointment of the Chief Compliance Officer, in accordance with the Requirements for Appointments to Senior Positions. SAMA's non-objection is also required if the Chief Compliance Officer leaves the position (resignation, transfer to another role, termination of service, etc.), with documentation and reasons for the change.
               
               
              Notifying Regulatory Authorities in the Host Countries
               
53-For banks licensed to conduct banking activities abroad that have compliance officers in those countries, the regulatory authority in each host country must be notified of the appointment or departure of the Chief Compliance Officer where such notification is required by the host country's regulations.
               
               
The Affiliation of the Compliance Officers and Staff with the Chief Compliance Officer
               
              54-All staff in the compliance unit must report directly to the Chief Compliance Officer, so that the unit can fulfil all of its responsibilities independently of other business units within the bank. Compliance officers assigned compliance tasks in other business units may have a functional reporting relationship to those units, but must also have a reporting line to the Chief Compliance Officer for their compliance responsibilities and reports. To avoid conflicting dual reporting lines, the compliance officers' reporting line to the Chief Compliance Officer on non-compliance risks is the controlling and mandatory one.
               
               
              Periodic Meetings
               
55-The Chief Compliance Officer should have the authority to hold regular meetings with senior management and the heads of the various business units to discuss compliance with the regulations and instructions relevant to the operations and activities of each group, department, or sector. These meetings should be formally documented. It is preferable that senior management and heads of business units attend these meetings personally rather than sending representatives, as their active participation demonstrates:

              • Leadership by example.
                 
              • Understanding of their responsibilities regarding compliance.
                 
              • Continuous reinforcement of compliance.
                 
              • Support for the compliance process.
                 
               
              Delegation of Responsibilities by the Chief Compliance Officer
               
56-The Chief Compliance Officer may delegate some of their authority to certain employees within the bank for the performance of compliance-related tasks, such as employees in the Treasury Unit or in the bank's overseas branches and offices. Any employee so delegated acts as an assistant to the Chief Compliance Officer and is subject to their authority in matters of non-compliance risk, while remaining fully independent of the Chief Compliance Officer in their other banking duties. The size of the bank and its operational capacity should be taken into account. Delegation by the Chief Compliance Officer does not relieve them of responsibility; they remain accountable to the relevant parties for all compliance-related tasks.
               
               
              Conflict of Interest
               
57-To ensure the independence and professionalism of the Chief Compliance Officer and the Compliance Unit staff, they should hold only responsibilities related to the Compliance Unit. Compliance officers in other business units who are assigned compliance oversight tasks within those units, where present, must avoid conflicts of interest and disclose any situation that may give rise to one.
               
               
58-So that the independence of the Chief Compliance Officer and the compliance unit staff is not undermined, their financial rewards must not be tied to the financial performance of the business activity over which they exercise compliance responsibilities. Financial rewards may, however, be linked to the overall financial performance of the bank. In all cases, final approval of the rewards of the Chief Compliance Officer and the compliance unit staff must come from the Board of Directors or a committee delegated by it.
               
               
              Direct Access to Information and Employees
               
              59-To effectively manage compliance responsibilities, as outlined in the compliance documentation, at all administrative levels within the bank where non-compliance risks may exist, the Compliance Unit must have the following principal rights and capabilities, without waiting for orders or instructions:

              1. The right to communicate with any employee and access any necessary information, records, and files needed to fulfill its responsibilities.
                 
              2. The ability to carry out its responsibilities independently across all business units where non-compliance risks are present, including the right to investigate any potential violations of compliance policies and to seek assistance from internal specialists (e.g., legal affairs or internal audit) or engage external experts if necessary.
                 
              3. The freedom to report any potential violations or transgressions uncovered during its investigations to senior management, without fear of retaliation or dissatisfaction from business units or other employees.
                 
              4. Although the Compliance Unit should report administratively to the CEO/Managing Director/General Manager, it must also have the right to communicate directly with the board or its delegated committee, bypassing usual administrative reporting lines if necessary.
                 
              5. The Chief Compliance Officer should meet with the board or its delegated committee at least once a year to help assess the board's evaluation of the bank's ability to manage non-compliance risks effectively.
                 
              6. The Chief Compliance Officer must promptly and directly notify SAMA/General Directorate of Bank Supervision upon identifying strong indicators of significant or serious compliance failures or violations that impact the reputation of the banking sector and must ensure that SAMA is informed.
               

               

               

            • Principle (6): Resources

              The bank must provide the Compliance Unit with the necessary resources to perform its responsibilities effectively. 

              Resources and Effectiveness in Achieving Tasks

              60-The resources provided to the Compliance Unit must be both sufficient and appropriate to ensure effective coordination of non-compliance risk management within the bank.
               
               
              Adequacy and Appropriateness of Resources
               
              61-The Compliance Unit should have staff with the necessary qualifications, experience, and personal and professional attributes required to carry out its defined duties. Compliance Unit staff must also have a sound understanding of regulations and instructions and their actual impact on the bank's operations. Additionally, the professional skills of the Compliance Unit staff should be maintained and developed, especially in keeping up with developments in regulations, instructions, and technology, through ongoing and regular education and training.
               
              Responsibility for Providing Resources and Its Impact
               
              62-Responsibility for providing the necessary financial, human, and technical resources and directing them towards the compliance process lies with the board, in accordance with the approved policy, and with senior management, which implements and manages non-compliance risk management and its development. It should be noted that increased compliance costs (e.g., for development plans) can lead to enhanced effectiveness in identifying, measuring, monitoring, and controlling risks, thereby resulting in higher profits, better coordination of activities, and improved quality. Therefore, a periodic assessment should be conducted to ensure the adequacy of human and technical resources and to determine whether additional support or development is needed for the effective and efficient management of the compliance process.
               
            • Principle (7): Responsibilities of the Compliance Unit

              Assisting Senior Management in Compliance Implementation

              63-The responsibility for compliance and managing non-compliance risks at the bank lies with senior management. The role of the Compliance Unit is to assist senior management in effectively managing and addressing non-compliance risks (through advising, monitoring, and oversight). The Chief Compliance Officer supervises the implementation of compliance duties, which include executing the compliance program with its objectives and projects, and other approved tasks required for the effectiveness and role of compliance, aligned with the bank's risk strategy. If some of these responsibilities are carried out by employees in different business units (compliance officers), the distribution of these responsibilities must be clearly defined.
               
               
              64-The responsibility for addressing and correcting any deficiencies or violations identified by the Compliance Unit rests with senior management and the heads of business units where deficiencies or violations have been observed. The Compliance Unit's role is limited to providing advice and follow-up with the heads of business units and reporting any shortcomings in addressing and correcting issues.
               
               
              Communicating Regulations and Instructions and Monitoring Compliance
               
              65-The Compliance Unit must ensure that senior management and the various business units are informed appropriately and in a timely manner of regulations issued and instructions received from SAMA and other relevant official internal and external entities (such as countries and organizations involved in banking regulation). These must be stored in a database that is maintained continuously and kept accessible, so that policies, procedures, products, services, and advertising models comply with the relevant regulations and instructions. It is essential that the communicated instructions are understood and that clarification is sought from the Compliance Unit or SAMA if needed. The bank will not be exempt from regulatory penalties on the grounds of incorrect application of instructions.
               
              66-All business units within the bank must obtain the Compliance Unit's approval before submitting requests for SAMA's approval for new products and services. The request for approval or non-objection from SAMA should be submitted to SAMA only by the Chief Compliance Officer.
               
              67-The Compliance Unit must be involved in the decision-making process when assigning tasks to third parties to ensure there is no conflict with any instructions issued from SAMA or other relevant authorities.
               
              Organizing Responsibilities
               
              68-Not all compliance responsibilities are executed solely by the Compliance Unit. Some compliance tasks can be carried out by employees in various bank units and its foreign branches (compliance officers), with the Chief Compliance Officer overseeing their work through an organization approved by the board or a delegated committee.
               
              69-Banks' organizational structures include specialized supervisory units requiring specialized expertise, such as credit risk monitoring units, information security units, and finance units. These specialized supervisory units are responsible for implementing the compliance requirements related to their specialized tasks (e.g., taxation, zakat, credit risk, market risk, operational risk, information security, etc.). The Compliance Unit's role concerning these specialized units is to obtain the necessary assurances, documents, and evidence that they have fulfilled their compliance responsibilities and required role, unless specialized expertise and competencies are assigned to the Compliance Unit to implement the compliance requirements related to the activities and tasks of those units. These responsibilities must be documented in the compliance policy to prevent any overlap that may arise from the similarity of the supervisory roles of those units and the Compliance Unit.
               
              70-To ensure that the Chief Compliance Officer and the Compliance Unit staff can perform their responsibilities effectively, the Compliance Unit must have the right to request the bank's legal department to:
               
               
              • Provide advice on regulations and the drafting of instructions for the Compliance Unit, and to prepare necessary guidelines for employees. The Compliance Unit will focus on monitoring compliance, instructions, policies, and procedures, and prepare and submit reports to senior management.
               
              • Investigate deficiencies and violations related to the implementation of relevant regulations and instructions concerning the tasks and operations of all units within the Compliance Unit.
               
              • Provide legal opinions on the results of investigations conducted by the Compliance Unit from time to time.
               
              Consultation
               
              71-The Compliance Unit must provide advice to senior management regarding compliance regulations, rules, and standards, including updates on local and international developments in this area. This advisory role involves close collaboration between the Compliance Unit staff and the bank’s business units, offering support and guidance on their daily operations. The Compliance Unit is responsible for advising on compliance matters and serving as the point of contact for any compliance-related inquiries from its staff.
               
              Guidance and Awareness
               
              72-Training and educating all bank staff on relevant regulations and instructions pertaining to their individual responsibilities is a fundamental aspect of senior management's efforts to instill a compliance culture and encourage reporting of any violations to the Compliance Unit. Therefore, the Compliance Unit must continuously and proactively assist senior management in:
               
               
              • Raising employee awareness about compliance issues and potential violations, recognizing that they are the first line of defense, and serving as an internal contact point for compliance-related questions from bank employees.
               
              • Developing written guidance for employees that addresses the appropriate application of relevant regulations, compliance rules, and standards through policies and procedures. This includes preparing other guidance documents such as compliance manuals, internal codes of conduct, and practical guides.
               
              • Ensuring that the annual training and awareness program for all employees includes a plan that meets the bank’s ongoing needs and can be promptly adjusted in response to new issues, observations, significant changes, or updates in regulations, or high employee turnover. Training should be provided through available methods within or outside the bank, particularly for new employees, to familiarize them with compliance requirements related to their banking operations before starting their duties, and for those who interact directly with the public, to periodically remind them of requirements such as sales and marketing instructions, anti-money laundering and counter-terrorism financing, due diligence, reporting suspicious transactions, and internal violations.

              Identifying, Measuring, and Evaluating Non-Compliance Risks

              Identifying Risks
               
              73-The Compliance Unit should proactively identify, document, and assess non-compliance risks related to the bank's activities (regulatory, financial, reputational, or strategic risks), including new product developments, business practices, new types of business or customer relationships, or significant changes in the nature of these relationships. If the bank has a New Products Committee, representatives from the Compliance Unit should participate in this committee.
               
              Measuring Risks
               
              74-The Compliance Unit should study methods for measuring non-compliance risks both quantitatively and qualitatively (e.g., performance indicators related to compliance) and use these metrics to support the assessment, reduction, and management of non-compliance risks. Techniques such as aggregating or filtering data to identify potential non-compliance risk indicators (e.g., increasing customer complaints, fraud cases, reports, penalties, and payments) can be employed.
               
              Evaluating Risks
               
              75-The Compliance Unit should evaluate the adequacy of the bank's compliance policy and procedures, promptly address any identified deficiencies, and propose amendments when necessary, based on technical capability. It should also encourage and monitor the relevant departments to make necessary adjustments and corrections.
               
              Monitoring, Testing, and Reporting
               
              76-The Compliance Unit must continuously monitor and test compliance through adequate and representative tests. The results of compliance tests should be reported according to their administrative hierarchy and in accordance with the bank's internal risk management procedures.
               
              77-The Chief Compliance Officer must submit regular written reports to senior management addressing compliance issues. These reports should include an assessment of non-compliance risks during the reporting period, note any changes in the level of non-compliance risk based on relevant metrics (e.g., performance indicators), and provide a summary of any identified violations and deficiencies, proposed corrective actions, and required correction dates, along with details of actions already taken. The reporting format should align with the bank's non-compliance risk profile and activities.
               
              High-Risk Cases and Urgent Developments
               
              78-The board or its delegated committee overseeing compliance policy implementation should be informed immediately of any significant compliance failures or deficiencies that could lead to substantial regulatory penalties, legal actions, financial losses, or damage to reputation. If the impact is deemed significant to the banking sector's reputation, SAMA and its General Directorate of Bank Supervision should be notified directly and immediately.
               
              Annual Compliance Report
               
              79-An annual compliance report should be prepared by senior management and presented to the board, covering at a minimum the requirements set forth by SAMA from time to time.
               
              80-SAMA should receive the board-approved version of the annual compliance report by the end of April each year, sent by the Chairman of the Board of the local bank or the Chief of the foreign bank branch, as part of the bank’s self-assessment of its compliance.
               
              Regulatory Responsibilities and Communication
               
              81-As a regulatory basis, the Compliance Unit must undertake responsibilities and tasks directly and indirectly related to non-compliance risks, including: (1) compliance oversight (monitoring, relationship with SAMA, consultations), (2) anti-money laundering and counter-terrorism financing, (3) anti-fraud measures, (4) anti-corruption, (5) self-supervision, and (6) handling violation reports. The Compliance Unit must also take responsibility for developing the appropriate mechanisms and coordination needed to effectively meet the requirements for implementing the communicated security procedures within the institution.
               
              82-The Compliance Unit is responsible for monitoring external regulatory bodies, standard-setting entities, and external experts concerning its regulatory responsibilities, particularly in anti-money laundering, counter-terrorism financing, and non-proliferation.
               
              Compliance Program
               
              83-The Compliance Unit should implement its responsibilities under a compliance program that outlines its planned activities, such as applying and reviewing specific policies and procedures, assessing non-compliance risks, conducting compliance tests, and raising employee awareness on compliance issues. The compliance program should be risk-based and overseen by the Chief Compliance Officer to ensure it adequately covers all activities and coordinates between the compliance units (monitoring compliance with regulations, anti-money laundering and counter-terrorism financing, anti-fraud, anti-corruption, and handling violation reports).
               
              Compliance Unit Database
               
              84-The Compliance Unit should establish and continuously update a database of all compliance regulations, rules, and standards, ensuring that all bank employees can access and benefit from it at all times.
               
              Documentation
               
              85-The Compliance Unit must document policies, procedures, plans, events, and work papers to fulfill its duties and responsibilities.
               
              Warning Signs (Red Flags)
               
              86-The compliance program must include a principle for warning signs to alert about violations of internal and external regulations and situations exposing the bank to non-compliance risks, such as rapid bank growth, opening new branches, high employee turnover, changes in programs, and the introduction of automated systems in workflows. This principle should also protect whistleblowers and include incentives in accordance with SAMA’s whistleblowing policy.

               

            • Principle (8): Relationship Between the Compliance Unit and the Internal Audit Unit

              Internal Audit Activities

              87-The activities and scope of the Compliance Unit should be subject to periodic review by the Internal Audit Unit.
               
               
              Independence of Both Units
               
              88-The Compliance Unit and the Internal Audit Unit should be separate and independent within the bank. One of the primary responsibilities of the Compliance Unit is to monitor the bank's adherence to compliance rules. The Internal Audit Unit has a broader scope of responsibilities. Although there may be some overlap between the responsibilities of the two units in certain areas, each unit operates independently and any overlap should not impact the functioning of either unit.
               
              Review of Compliance Unit Activities
               
              89-To assess the efficiency and effectiveness of the Compliance Unit, non-compliance risks should be included in the risk assessment methodology adopted by the Internal Audit Unit. A periodic review program of the Compliance Unit's activities should be established, including testing controls that align with the level of potential risks, in accordance with the requirements of these principles.
               
              Integration in Risk Assessment
               
              90-It is important to have a clear understanding within the bank of how risk assessment and testing activities are divided between the two units, and this division should be documented in the bank's compliance policy. The Internal Audit Unit should inform the head of the Compliance Unit of the audit results related to compliance within the bank.
               
              Monitoring the Compliance of the Internal Audit Unit
               
              91-The Compliance Unit plays a crucial role in monitoring the compliance process within the bank, which includes overseeing that the Internal Audit Unit carries out the tasks, responsibilities, and activities as required by SAMA in the specified manner and timeframe.
               
              Oversight from a Specific Perspective
               
              92-To further clarify the roles of the Compliance Unit and the Internal Audit Unit as two independent entities: both units are responsible for overseeing the bank's activities, but each has its own perspective on oversight. The Compliance Unit focuses on identifying and clarifying the regulations, instructions, policies, and procedures that need to be implemented in the bank, ensuring that these are incorporated into the approved policies, procedures, and work programs, and continuously verifying that these policies and procedures are actually followed and are effective in mitigating non-compliance risks, with regular updates. The Internal Audit Unit conducts field and documentation audits on all bank units, through sampling or comprehensive coverage, continually monitors the bank's internal control systems, and assesses compliance with the policies and procedures that the Compliance Unit has worked to implement and helped prepare, based on regulations, instructions, and guidelines.

               

          • Other Matters

            • Principle (9): Matters Related to External Operations

              Compliance with Regulations and Instructions in the Host Country

              93-Banks that choose to conduct banking activities in certain countries must adhere to the regulations, instructions, and laws applicable in those countries. The branches or offices, as well as the structure and responsibilities of the compliance function, must be aligned with the regulatory requirements and local instructions of those countries.
               
               
              Higher Standards as a Basis When Regulatory Requirements Differ
               
              94-When engaging in banking operations in specific countries, whether through branches or subsidiaries, it is important to recognize that regulatory requirements and instructions may vary from one country to another. These differences might depend on the type of business the bank is conducting or the form of its presence in those countries. Therefore, particular emphasis should be placed on the requirements outlined in Paragraph (2/6) of Section Two of the Anti-Money Laundering and Counter-Terrorism Financing Guide.
               
              Compliance Officers in Host Countries
               
              95-Banks that choose to operate in specific countries must comply with all local regulations and instructions applicable in those countries. For example, banks operating as subsidiaries must meet the regulatory and instructional requirements for companies in the host countries. Banks operating as foreign branches must fulfill the requirements specified for foreign bank branches. The bank must ensure that compliance responsibilities in host countries are carried out by employees with local knowledge and expertise, in addition to oversight by the Chief Compliance Officer in collaboration with other risk and control units in the home country.
               
              Risk Assessment for Overseas Activities
               
              96-Each bank must have implemented and updated procedures to identify and assess potential or increasing risks to its reputation regarding the products and activities offered in host countries through its subsidiaries or branches that are not permitted or practiced in the Kingdom.

            • Principle (10): Delegation of Compliance Unit Tasks

              Limited Delegation Agreement and Responsibility
               
              97-The activity of the Compliance Unit is considered a primary function in managing non-compliance risks within the bank. While some specific activities may be delegated to specialized entities, they must remain under the supervision and responsibility of the Chief Compliance Officer. The Chief Compliance Officer is ultimately responsible for ensuring compliance and cannot delegate their responsibility to others.
               
               
              Suitability of Agreements with Tasks
               
              98-The bank must ensure that any agreements or arrangements for delegating some compliance tasks do not impede the effectiveness of supervision by SAMA or other regulatory and supervisory bodies. Regardless of delegating certain tasks that the bank deems necessary, the primary responsibility for ensuring compliance with all regulations and instructions remains with the board and senior management.
               
              SAMA Approval
               
              99-The delegation of any compliance activities is subject to the instructions issued by SAMA, including obtaining its non-objection prior to entering into any delegation agreements.

    • Shariah Governance Framework for Local Banks Operating in Saudi Arabia

      No: 41042498 Date(g): 12/2/2020 | Date(h): 18/6/1441 Status: In-Force
      • Chapter One: Preliminary Provisions

        • Article 1: Introduction

          Shariah governance has become an important requirement in the Islamic banking industry. Its effectiveness can lead to achieving a number of benefits, the most important of which are:
           
          • Limiting the risk of non-compliance with Shariah principles and rules.
           
          • Supporting the Islamic banking industry's stability and economic growth.
           
          • Improving operational efficiency and decision making in the Islamic banking industry.
           
          • Attracting foreign investment in Shariah-compliant assets.
           
          • Increasing efficiency of internal capital management.
           
          • Enhancing trust among key stakeholders.
           
          • Strengthening relations with depositors, investors, and financiers.
           
          In order to implement effective Shariah governance requirements for banks and ensure that Islamic banking transactions in Saudi Arabia are Shariah compliant, SAMA issued this framework. To establish a robust and effective Shariah Governance Framework (SGF) for banks conducting Shariah-compliant banking, a minimum set of regulations and guidelines is issued for compliance by the banks. The SGF does not contradict the requirements of other regulations; rather, it complements the regulations and guidelines already issued.
           
        • Article 2: Objectives of the Shariah Governance Framework

          This framework aims to enhance the environment for compliance with Shariah principles and rules in banks in general. It also aims to define the tasks and responsibilities of the board of directors, executive management, Shariah committee, compliance department, risk management department, and internal audit department in relation to the application of the requirements of this framework.

          To achieve this, the board and the executive management of the bank are expected to have a reasonable understanding of Shariah principles and their broad application in Islamic finance. The Shariah committee is expected to have sufficient knowledge of financial and banking aspects in general and Islamic finance in particular so as to be able to understand the Shariah matters presented to it. In addition, the committee is expected to constantly gain knowledge of Shariah and financial matters and laws, attend relevant training programs, continue to enhance knowledge and understanding, and keep abreast of the latest developments in the field of Islamic finance.

        • Article 3: Definitions

          The following words and phrases, wherever mentioned in this framework, will have the meanings assigned to them unless the context requires otherwise: 
           
          SAMA: The Saudi Central Bank. 
           
          Bank: Any local bank that is licensed to carry out banking business in Saudi Arabia in accordance with the provisions of the Banking Control Law and that conducts Islamic banking. 
           
          Board: The board of directors of the bank. 
           
          Management: The bank executive management and senior executives that manage the bank business as well as propose and implement strategic decisions. 
           
          Committee: A Shariah committee responsible for supervising compliance with Shariah principles and rules and their application in the bank. 
           
          Committee Members: A group of specialists whose knowledge and experience are not limited only to the Shariah and related matters, but also include the jurisprudence of contemporary financial transactions used to form Shariah decisions given to the bank. These Shariah decisions are usually not directed to the public or entities engaging in other activities. 
           
          Independent Committee Member: A person who is completely independent in position and decisions and who meets the requirements for independence as stipulated in Paragraph 3 of Article 7 of this framework.
           
          Shariah Compliant: Compliance with Shariah decisions issued by the bank’s Shariah committee. 
           
          Islamic Window: That part of a conventional bank (which may be a branch or a dedicated unit of that bank) that provides Shariah-compliant finance and investment services for both asset and liability products.
           
          Investment Account Holders: Bank customers who have Shariah-compliant investment accounts which may be restricted or unrestricted according to their Shariah and accounting status. 
           
          Bank Subsidiaries: Any legal entity controlled by the bank by owning more than half of its capital or voting rights or by forming its board of directors, including special-purpose entities. 
           
          Relatives: 
           
          - Fathers and mothers, grandfathers and grandmothers.
           
          - Offspring and their children.
           
          - Full and half siblings.
           
          - Spouses.
           
          Stakeholders: Any person who has an interest in the bank, such as shareholders, employees, investors, creditors, customers, suppliers and supervisors. 
           
      • Chapter Two: Composition of the Shariah Governance Framework

        • Article 4: Composition of the Shariah Governance Framework

          The bank shall establish a Shariah governance framework with emphasis on the key functions and elements that ensure effective implementation of this framework and according to the following: 
           
          1. The Shariah governance framework shall consist of a set of policies and procedures that describe the structure, roles, responsibilities, and tasks of the relevant departments as well as the communication arrangements among them.
           
          2. These policies and procedures shall define the mechanism that a bank must follow to meet the requirements of this framework, including how committee meetings shall be conducted, how decisions are made and recorded, and how reports shall be prepared and submitted.
           
          3. The bank shall establish formal reporting channels among the key units/departments to ensure effective and timely reporting. In this regard, the committee shall report to the board of directors.
           
          4. The bank must establish a control mechanism to ensure that the objectives and operations of its Islamic banking activities are in compliance with Shariah principles and rules at all times.
           
          5. The composition of the Shariah governance framework shall be supported by pillars that include effective tasks and responsibilities carried out by the board and the management, independence of the committee, and qualification of its members, in addition to the effectiveness of the internal control functions, which are Shariah compliance, Shariah non-compliance risk management, and Shariah internal audit.
           
          6. Continuous assessment of the bank's compliance with the Shariah principles and rules shall be carried out.
           
          7. The bank shall manage the potential Shariah non-compliance risk resulting from Islamic banking, which includes identifying the inherent risk and establishing controls to mitigate such risk.
           
          8. A regular and periodic Shariah internal audit shall be conducted to verify the level of compliance of Islamic banking activities and operations with the Shariah principles and rules.
           
          9. The bank shall establish a unit/department responsible for conducting research and studies on Shariah, coordinating between the management and the committee, and disseminating Shariah decisions to stakeholders within the bank, in addition to acting as secretariat to the committee.
           
      • Chapter Three: Responsibilities of the Board and the Executive Management

        • Article 5: Responsibilities of the Board of Directors

          1.The board is primarily responsible for the overall Shariah governance framework of the bank and the compliance of its Islamic banking activities with the Shariah principles and rules. The board is also responsible for approving the bank’s Shariah governance framework, performing continuous oversight over the effective functioning of the framework, and ensuring that the framework is commensurate with the size, complexity, and nature of the bank’s business.
           
          2.The board shall approve all Shariah policies of the bank and supervise the effective implementation of these policies.
           
          3.The board shall provide the necessary mechanisms and methodology for risk management to protect the interests of investment account holders through profit-loss sharing accounts.
           
          4.The board shall supervise the bank’s compliance and implementation of the Shariah decisions issued by the committee.
           
          5.The board shall ensure that an effective communication policy among the key functions of the bank is in place to facilitate and allow the escalation of important matters related to compliance of Islamic banking activities with the Shariah principles and rules.
           
          6.The board shall remunerate the Shariah committee members appropriately based on the recommendation of the nomination and remuneration committee of the board. Such remuneration shall be commensurate with the duties and responsibilities of these members and consistent with SAMA’s relevant instructions.
           
          7.A formal procedure shall be adopted, as proposed by the nomination and remuneration committee, to assess the performance of the Shariah committee members based on competence, knowledge, contribution and effectiveness.
           
          8.The resume of all the Shariah committee members shall be disclosed so that shareholders and investors can judge the competence and ability of these members to carry out their duties effectively.
           
          9.The mechanism used to supervise the integrity and performance of the committee members shall be disclosed. Moreover, no person who has previously been convicted by a court judgment of a crime impinging on honor or integrity shall be nominated as a member.
           
        • Article 6: Responsibilities of the Executive Management

          1.The management shall identify and refer any Shariah issues to the Shariah committee for decisions and provide the committee with the required information and disclosures in a timely manner.
           
          2.The management shall monitor and implement the Shariah decisions issued by the committee.
           
          3.The management shall provide continuous education and training programs to key internal stakeholders, including the board, the Shariah committee, and the employees related to Shariah and finance matters. This is to ensure that all departments/units associated with the Shariah governance framework of the bank are sufficiently exposed to current developments in Shariah related matters.
           
          4.The management shall develop and adopt a holistic culture of Shariah compliance within the bank to comply with the Shariah principles and rules in its overall Islamic banking activities. In addition, all relevant employees are expected to be familiar with the Shariah-compliant products offered by the bank as well as similarities and differences between Shariah-compliant banking products and services and others that are conventional.
           
          5.The management must ensure that Shariah policies and procedures are accessible to employees involved in the implementation of the Shariah governance framework.
           
          6.The management shall ensure that all Islamic banking operations are carried out according to the bank’s Shariah policies and procedures and shall constantly review and update the policies and procedures to reflect market practices and developments.
           
          7.If the management becomes aware that certain financial or Islamic banking transactions appear to involve operations that are not Shariah-compliant, the management shall:
           
           a)Immediately inform the board and the committee.
           
           b)Immediately stop providing any banking services or products in that business line related to the Shariah non-compliant operation.
           
           c)Within (30) business days of becoming aware of such non-compliance, submit a plan to rectify the state of non-compliance with the Shariah principles and rules, to be approved by the board and endorsed by the committee.
           
      • Chapter Four: Formation, Appointment, and Membership of the Shariah Committee

        • Article 7: Formation of the Shariah Committee 1

          The board shall form the Shariah committee and appoint its members, based on the recommendation of the nomination and remuneration committee, after obtaining SAMA’s written non-objection. The bank may obtain the approval of the general assembly to appoint the Shariah committee members if such is stated in the bank internal policy. The term of committee membership is three years. The committee shall be formed according to the following:

          1.The number of its members must be proportionate to the size and nature of the bank's business, provided that it is not less than three and not more than five.
           
          2.The chairperson of the committee shall be an independent member.
           
          3.The number of the independent members must not be less than two-thirds of the committee members. Independence of a committee member shall be invalidated in the following cases:
           
           a)If the member owns five percent or more of the stock of the bank or one of its subsidiaries.
           
           b)If the member is a representative of a corporate person who owns five percent or more of the stock of the bank or one of its subsidiaries.
           
           c)If the member is a relative of any of the board members or senior executives in the bank or in one of its subsidiaries.
           
           d)If the nominated member is a board member in one of the bank’s subsidiaries.
           
           e)If the member is currently an employee, or used to be an employee during the past two years, of the bank, of a party that deals with the bank, or of a subsidiary, e.g. an accounting auditor or a main supplier, or held a controlling interest in any of these parties during the past two years.
           
           f)If the member has a direct or indirect interest in the business and contracts executed for the bank.
           
           g)If the member receives financial consideration from the bank in addition to the remuneration for their membership in the committee.
           
           h)If the member has a credit relationship with the bank (credit cards, credit facilities, guarantees, etc.), under his name or the name of a relative, in excess of three hundred thousand Saudi riyals.
           
           i)If the member engages in a business that would compete with the bank or conducts businesses in any of the bank's sub-activities.
           
           j)If the member served for more than six consecutive years or nine nonconsecutive years as a member of the committee.
           
           k)The business and contracts that serve a personal interest of a committee member, which requires a license from the ordinary general assembly, shall not be considered as interest invalidating independence of that committee member if such business and contracts are carried out according to the same terms and conditions adopted by the bank with all contractors and customers and are part of the bank’s usual activities unless the nomination and remuneration committee of the board deems otherwise.
           
            If independence of any member is invalidated for any reason, the bank shall notify SAMA within five business days.
           
          4.The bank shall not appoint any member of its committee from a Shariah Committee of another bank operating in Saudi Arabia. This is to ensure that committee members remain focused, avoid conflicts of interest, and maintain the confidentiality of information.
           
          5.The bank shall include a confidentiality clause in the contract or terms of appointment of the committee members to maintain the confidentiality and secrecy of the bank’s information.
           
          6.Upon resignation/expiry of the term of membership of any committee member for any reason, the bank must notify SAMA in writing within five business days. The resigning member shall submit his resignation, along with his reasons, to the board with a copy to SAMA. Membership of a committee member may not be terminated before the expiry of its term except with an acceptable justification.
           

          1 The article is for guidance and will be enforced starting from 01/01/2023.

        • Article 8: Membership of the Shariah Committee

          The committee members shall be properly qualified to carry out the duties assigned to them. They shall have a clear understanding of their tasks and responsibilities and be able to exercise sound judgment with objectivity. These members shall also possess various professional, practical and administrative skills as well as experience in Shariah and financial matters. They shall have appropriate personal qualities, especially honesty and commitment, in addition to a high degree of good reputation, competence and responsibility. The effectiveness of the committee depends on the experience and ability of its members to judge comprehensively as well as their participation in the committee’s discussions and familiarity with the topics raised before making any related decision. Moreover, a member's qualifications should include the following: 
           
          Leadership: A committee member should have leadership skills and be able to delegate powers in a way that stimulates performance, applies best practices in the field of effective management, and adheres to professional values and ethics.
           
          Independence: It is the ability of a committee member to be impartial and objective in making a decision without any influence from the management or from other external entities.
           
          Competence: This is reflected by the level of education, training, skills, and the desire to continue learning as well as the diversified experience of at least five years in various fields, including Islamic banking, compliance, and Shariah audit of financial transactions.
           
          Shariah and financial knowledge: A member should have adequate Shariah knowledge in addition to the ability to read and understand financial statements and reports.
           
        • Article 9: Shariah Committee Meetings

          1.The committee shall hold meetings on a regular basis, and whenever the need arises, to exercise its duties effectively and to ensure that the bank’s operations are not adversely affected by the difficulty in obtaining the committee’s decisions on Shariah matters that are referred to it.
           
          2.The committee meetings shall be held periodically, at least once every three months.
           
          3.For a committee meeting to be valid, it shall be attended by the majority of the members. The resolutions shall be adopted by the majority of votes of the attending members. In the case of a tie, the vote of the committee's chairperson shall prevail.
           
          4.A committee member is expected to contribute to meetings and allocate sufficient time and effort to discharge their duties effectively. The member must attend at least (75) percent of the committee meetings held during the fiscal year.
           
          5.The meetings shall be documented and minutes of meetings shall be prepared, including the discussions and deliberations. The committee’s decisions and voting results shall be documented and kept in a special and organized record. Names of the attending members shall be stated along with their objections (if any) and their reasons. All attending members shall sign the minutes of meetings.
           
      • Chapter Five: Responsibilities and Duties of the Shariah Committee

        • Article 10: Responsibilities of the Shariah Committee

          The committee shall be responsible for all its decisions related to Shariah matters. The board must rely on the committee for issuing Shariah decisions related to engaging in Islamic banking activities. The committee shall perform the following tasks: 
           
          1.It shall supervise the compliance of Islamic banking transactions with the Shariah principles and rules. Shariah compliance reports and internal Shariah audit observations should enable the committee to identify issues that require attention and, where appropriate, propose corrective measures.
           
          2.It shall issue decisions on Shariah matters so that the bank can comply with the Shariah principles and rules.
           
          3.It shall ensure that the Shariah policies and procedures developed by the bank are consistent with the Shariah principles and rules.
           
          4.To ensure that Islamic banking products are Shariah compliant, the committee shall approve the following:
           
           a)The terms and conditions contained in the forms, contracts, agreements and other legal documents used in executing the transactions.
           
           b)The product manual, marketing advertisements, illustrative pamphlets and brochures used to describe the product.
           
          5.The committee shall assess the compliance and internal Shariah audit work to ensure compliance with the Shariah aspects. Such assessment is part of the tasks related to submitting the reports on assessment of Shariah compliance.
           
          6.The related parties of the bank such as its legal consultant, external auditors, or consultant entities may seek advice from the Shariah committee on Shariah matters related to the bank operations, and the committee shall provide the necessary assistance in this regard.
           
          7.It shall inform the board, and recommend appropriate corrective actions, if it is proven to the committee that the bank has engaged in Islamic banking activities that are not Shariah compliant.
           
          8.The committee shall inform SAMA of cases in which Shariah non-compliant activities are not effectively or adequately addressed or no corrective actions are made by the bank.
           
          9.It shall prepare an annual report on the compliance of the bank's Islamic banking activities with the Shariah principles and rules and submit it to the board.
           
        • Article 11: Responsibilities and Duties of the Chairperson

          Without prejudice to the functions of the committee, the chairperson shall lead the committee, supervise the progress of its work, and effectively perform its duties, which are: 
           
          1.Ensuring that the committee members receive complete, clear, correct and not misleading information in a timely manner.
           
          2.Verifying that the committee has discussed all Shariah matters submitted to it effectively and in a timely manner.
           
          3.Encouraging the committee members to carry out their tasks effectively.
           
        • Article 12: Responsibilities and Duties of the Shariah Committee Members

          1.Attending committee meetings and providing a legitimate excuse when absent after notifying the chairperson in advance.
           
          2.Knowing clearly the duties and responsibilities arising from membership in the committee.
           
          3.Dedicating sufficient time to carry out their responsibilities and to prepare for and participate in committee meetings effectively.
           
          4.Enabling other committee members to express their views freely, encouraging the deliberation of certain topics, and taking opinions of specialists from the relevant department and others if the need arises.
           
          5.Informing the board immediately and fully about any direct or indirect interest in the business and contracts executed for the bank, or the direct or indirect engagement in any business that would compete with the bank.
           
          6.Refraining from disclosing any confidential information obtained through their membership in the committee.
           
      • Chapter Six: Independence and Confidentiality of Information

        • Article 13: Independence

          The independence of the Shariah committee in performing its duties to issue objective and reliable Shariah decisions shall be observed continuously as follows: 
           
          1.The board shall recognize the independence of the committee and ensure its freedom from any influence that would hamper the committee from issuing objective Shariah decisions when deliberating issues presented to the committee.
           
          2.The committee shall report to the board directly.
           
          3.The Shariah decisions issued by the committee should not be modified or set aside without its approval.
           
          4.The Shariah committee shall have accurate and complete information from the management. If the information provided is insufficient, the committee has the right to request additional information which shall be provided by the management.
           
          5.If the committee is not provided with the required information, the board shall be informed of the fact and an appropriate action shall be taken to rectify the situation.
           
        • Article 14: Confidentiality of Information

          1.Internal information obtained by the committee members in the course of their duties shall be kept confidential and shall not be misused. Confidential or sensitive information obtained by any member of the committee while performing his duties shall not be used in any manner that could be detrimental to the bank.
           
          2.Notwithstanding the above, the committee will not be regarded as breaching the confidentiality code if the information was disclosed to SAMA when reporting serious breaches of Shariah Principles and Rules by the bank.
           
        • Article 15: Maintaining Professional Ethics, Judgment, and Consistency to Ensure Compliance with Shariah Principles and Rules

          In ensuring the quality and consistency of the Shariah decisions, the committee shall develop structured procedures for arriving at Shariah decisions, to be documented, approved and maintained in order to ensure the credibility of decision making and protect the committee from undue influences. In this regard, refer to the development process of Shariah-compliant products described in Chapter Nine of this framework.

      • Chapter Seven: Internal Control

        • Article 16: Internal Control

          First: Shariah Compliance:

          The Shariah compliance function refers to the regular assessment of the bank’s Islamic activities and operations to ensure that they are Shariah compliant. This function includes: 
           
          1.Assessment of the bank’s level of compliance with the Shariah principles and rules, of the corrective actions taken to resolve non-compliances, and of the control mechanisms in place to avoid recurrences.
           
          2.Assessment of overall Islamic banking operations at the bank, including the development process of Shariah-compliant products, which starts from product structuring and ends with product offering to customers (See Chapter Nine of this framework).
           

          Second: Shariah Non-Compliance Risk Management:

          The systematic approach of managing Shariah non-compliance risks will enable the bank to continue its Islamic banking operations and activities effectively without exposing the bank to unacceptable levels of risk. Risk management involves systematically identifying, measuring, monitoring and managing Shariah non-compliance risks to reduce potential cases of non-compliance, taking into account that: 
           
          1.The Shariah non-compliance risk management function shall be considered as part of the bank's integrated risk management framework.
           
          2.Due to the technicality and complexity of managing the risk of non-compliance with the Shariah principles and rules, the function shall be performed by risk officers who have suitable qualifications and experience in the subject matter.
           

          Third: Internal Shariah Audit:

          The Shariah audit function refers to the independent assessment conducted to provide objective assurance in order to add value and improve the degree of compliance in relation to the bank’s Islamic operations and activities, with the aim of ensuring a sound and effective internal control system for Shariah compliance. Additionally, the following should be taken into account: 
           
          1.Internal Shariah audit on areas of relative importance shall be conducted at least once a year depending on the risk profile of the bank. Shariah audit may be conducted as part of the bank’s audit on specialized areas, according to the risk level and materiality of the impact of Shariah non-compliance in these areas.
           
          2.The board audit committee shall determine the deliverables of the internal Shariah audit function after consulting with the Shariah committee. These deliverables shall be in line with accepted auditing standards.
           
          3.The Shariah audit function shall be performed by internal auditors who have acquired adequate Shariah-related knowledge and training. In addition, the internal auditors may engage the expertise of the bank’s Shariah officer in performing the audit, as long as the objectivity of the audit is not compromised.
           
          4.The findings and observations of the internal Shariah audit shall be submitted to both the board audit committee and the Shariah committee.
           
      • Chapter Eight: Islamic Window Operations

        • Article 17: Islamic Window Operations 2

          When engaging in Islamic banking activity through Islamic window operations, the bank shall ensure that adequate internal control systems and tools are in place to properly separate Shariah-compliant assets and finance sources from those assets and finance sources that are not compliant with the Shariah principles and rules. This is in addition to the other requirements of this framework. Moreover, the bank shall comply with the following requirements: 
           
          1.The bank shall keep separate accounting records for Islamic banking operations and ensure that these records are properly maintained.
           
          2.The bank shall prepare separate financial statements for its Islamic banking operations along with its periodical financial statements at least on a monthly basis.
           
          3.An internal audit is required at least once a year to assess the bank’s compliance with the requirements mentioned in Paragraphs 1 and 2 of this Article.
           

          2 The article is for guidance and will be enforced starting from 01/01/2023.

      • Chapter Nine: The Development Process of Shariah-Compliant Products

        • Article 18: The Development Process of Shariah-Compliant Products

          The development process of Shariah-compliant products should be comprehensive and sufficient to reduce the possibility of the committee rejecting products due to non-compliance with the Shariah principles and rules as a result of improper structuring of products, insufficient internal research in understanding the Shariah concepts, or misrepresentation of the product at the issuance or marketing stage. In this regard, the bank shall comply with the following: 
           
           
          1.All Shariah issues related to the product development, design, and process must be referred to the committee. The request for advice or a decision must be detailed enough for effective deliberation by the committee. This will include explaining the process involved, documents used, and other necessary information.
           
           
          2.The committee's approval shall be obtained for all Islamic banking products to be offered and for any subsequent amendments. The committee shall make a detailed review of legal contracts and other documents related to the products and transactions.
           
           
          3.Product development includes both pre-product approval (i.e. the process of product structuring and developing prior to introduction to the market) and post-product approval process (i.e. the process after the product has been offered to the customers and transactions have been carried out) as follows:
           
           
           a)Pre-product Approval:
           
            1)Pre-product approval process involves the issuance of Shariah decisions, product structuring or design of processes backed by comprehensive Shariah research, and review of contracts and agreements before the product is offered to customers.
           
           
            2)The pre-product approval process shall include, among other things, a review of the concept, structure, terms and conditions, documentations, policies and procedures, pamphlets, brochures and advertising materials. These documents shall be approved by the committee.
           
           
           b)Post-product Approval:
           
            1)Shariah governance shall include the post-product approval process which involves Shariah compliance and internal audit.
           
           
            2)Areas of potential Shariah non-compliance risks shall be identified, and appropriate relevant actions shall be proposed to the management.
           
           
    • Related Parties Rules for Banks

      No: 43095743 Date(g): 16/6/2022 | Date(h): 17/11/1443 Status: In-Force

      In reference to the first update of the Related Parties Rules for Banks issued by the Central Bank Circular No. 41045379 dated 01/07/1441H, the Central Bank is keen to apply international standards and to ensure the safety of transactions with all related parties.

      We would like to inform you that the Related Parties Rules for Banks have been updated to comply with the standards of the Islamic Financial Services Board (IFSB). The updated rules replace the above-mentioned rules, and the Central Bank emphasizes that all local banks must adhere to them.

      For your information and action accordingly as of 09/01/2022 G. Banks should send their compliance plans to this email address: BSD@SAMA.GOV.SA before the specified effective date.

      • 2. Definitions

        The following terms and phrases, where used in these Rules, shall have the corresponding meanings, unless the context requires otherwise: 
         
         
        i.SAMA: The Saudi Central Bank.
         
         
        ii.Rules: Related Parties Rules for Banks.
         
         
        iii.Exposure/Transaction: both on- and off-balance sheet exposures/transactions included in either the banking or trading books, and instruments with counterparty credit risk under the Basel risk-based capital framework. Banking and trading books have the same meaning as under the Basel risk-based capital framework. Additionally, all Shari’ah-based product and Shari'ah-compliant product exposures/transactions, including but not limited to service contracts, asset purchases and sales, construction contracts, lease (ijarah) contracts, financings, borrowings (through Qard) and write-offs.
         
         
        iv.Eligible Capital Base: is the effective amount of Tier 1 capital fulfilling the criteria defined in the Basel III Framework.
         
         
        v.Control Relationship: control relationship will be deemed to exist automatically if one entity owns more than 50% of the voting rights of another entity. In addition, banks must determine whether a control relationship exists using the following criteria:
         
         
         a.Voting agreements (e.g. control of a majority of voting rights pursuant to an agreement with other shareholders);
         
         b.Significant influence on the appointment or dismissal of an entity’s administrative, management or governing body, such as the right to appoint or remove a majority of members in those bodies, or a majority of members have been appointed solely as a result of the exercise of an individual entity’s voting rights;
         
         c.Significant influence on senior management, e.g. an entity has the power, pursuant to a contract or otherwise, to exercise a controlling influence over the management or policies of another entity (e.g. through consent rights over key decisions);
         
          Banks are also expected to refer to criteria specified in appropriate internationally recognized accounting standards (The International Financial Reporting Standards - IFRS are applied to all banks in KSA) for further qualitatively based guidance when determining control.
         
        vi.Related Party:
         
         
         a.Substantial Shareholders of the bank.
         
         b.Board members of the bank or any of its subsidiaries/ affiliates (associates and joint ventures as per the definitions given by the accounting standards) and their relatives.
         
         c.Shariah Committee Members of the bank (as appointed under the provisions of Shariah Governance Framework issued via SAMA circular no. 41042498 dated 18/06/1441 H and any future amendments on the framework), or their relatives.
         
         d.Senior Executives of the bank or any of its subsidiaries/ affiliates and their relatives.
         
         e.Board members and Senior Executives of Substantial Shareholders of the bank.
         
         f.Entities other than companies owned by the following:
         
          a.Board members of the bank or their relatives.
         
         
          b.Shariah Committee Members of the bank or their relatives.
         
         
          c.Senior Executives of the bank or their relatives.
         
         
         g.Companies in which any of the following is a member of the Board of directors, is one of the Senior Executives, or has influence on the company’s decisions even if only by giving advice or guidance:
         
          a.Board members of the bank or their relatives.
         
         
          b.Shariah Committee Members of the bank or their relatives.
         
         
          c.Senior Executives of the bank or their relatives.
         
         
         h.Non-joint stock companies in which any of the following is a partner:
         
          a.Board members of the bank or their relatives.
         
         
          b.Shariah Committee Members of the bank or their relatives.
         
         
          c.Senior Executives of the bank or their relatives.
         
         
         i.Joint stock companies in which any of the following owns (5%) or more:
         
          a.Board members of the bank or their relatives.
         
         
          b.Shariah Committee Members of the bank or their relatives.
         
         
          c.Senior Executives of the bank or their relatives.
         
         
         j.Subsidiary/ affiliate.
         
        Advice or guidance that is provided on a professional basis by a person licensed to provide such advice shall be excluded from the provisions of paragraph (g).
         
         
        vii.Relatives:
         
         
         a.Fathers, mothers, grandfathers and grandmothers.
         
         b.Children, grandchildren.
         
         c.Siblings, maternal and paternal half-siblings.
         
         d.Husbands and wives.
         
        Where dependence criteria for relatives/ family members have been identified based on the Related Party definition, a bank may still demonstrate to SAMA, in exceptional cases, that the family members clearly operate all business activities independently of each other, with no economic interdependence, financial support or shareholding from the other family member.
         
         
        viii.Substantial Shareholders: any person who owns 5% or more of the shares of the bank or voting rights therein.
         
         
        ix.Security: means such security as would, in the opinion of SAMA, be acceptable to a prudent banker and satisfies the following criteria:
         
         
         a.The market value of the asset is readily determinable or can be reasonably established and verified.
         
         b.The asset is marketable and there exists a readily available secondary market for disposing of the asset.
         
         c.The bank’s right to repossess the asset is legally enforceable and without impediment.
         
         d.The bank is able to secure control over the asset if necessary.
         
         e.The bank has the expertise and systems to manage the asset concerned.
         
        x.Senior Executive: the Managing Director, Chief Executive Officer, General Manager, their deputies, Chief Financial Officer, Managers of key departments, officers of risk management, internal audit, and compliance functions, and similar positions in the Bank, in addition to incumbents of any other positions determined by SAMA.
         
         
      • 3. Scope and Level of Application

        These rules shall be applicable to the following institutions: 
         
        i.All locally incorporated banks licensed and operating in the Kingdom of Saudi Arabia.
         
        ii.All foreign branches and subsidiaries of locally incorporated banks operating outside the Kingdom of Saudi Arabia.
         
        While applying the rules to subsidiaries and branches, banks shall also take into account legal and regulatory requirements of the concerned regulatory authorities. 
         
      • 4. Governance and Risk Management

        i.The Board of the bank is ultimately responsible for oversight of the bank’s associations with its related parties and for approving policies governing the bank’s dealings and associations with its related parties. The Board must ensure that these policies are reviewed at least annually and that they remain adequate and appropriate for the bank’s risk appetite, risk profile, capital, balance sheet size and the complexity of the bank.
         
        ii.A bank is required to have policies and procedures on related party exposures/transactions.
         
        iii.A bank is required to have adequate systems and controls in place to identify, measure, monitor and report related party exposures/transactions of the bank in a timely basis and ensure related party exposures/transactions of the bank are reviewed at least quarterly.
         
        iv.Exposures/transactions to related parties shall only be considered on arm’s length basis and without any preferential treatment. Furthermore, any such credit exposures/transactions should also be strictly in line with the bank’s credit policy and procedures and policies and procedures on related party exposures/transactions.
         
        v.Any exposure/transaction to a related party or any variation of the terms of a related party exposure/transaction should be approved at the level of Board of Directors or its delegated authority. While considering any proposal of lending to a board member or any of their connected parties, the Board of Directors shall ensure that the concerned board member would neither participate in the discussion nor influence such a decision.
         
        vi.A bank should institute procedures to prevent the beneficiaries of any credit exposure/transaction being part of the processing or approval of such exposure/transaction.
         
        vii.Any facilities granted by a bank to its key executives/members of senior management as a part of their employment contract/compensation package shall be exempt from the application of these rules.
         
      • 5. Exposure/Transaction Limits

        • 5.1 Maximum Exposure/Transaction Limits

          Exposures/transactions to related parties are subject to the measurement requirements prescribed in the SAMA Rules on Large Exposures of Banks, and to the following limits:
           
          i.The sum of all exposure/transaction values a bank has to a non-bank related party must not be higher than 5% of the bank’s available eligible capital base at all times. However, a bank may have exposure/transaction to its non-banking subsidiary in the financial sector of up to 25% of the bank’s eligible capital.
           
          ii.A bank’s exposures/transactions to a non-bank related party that is a listed company on the Saudi stock exchange are exempted from the 5% limit specified in section 5.1.i; instead, the sum of all exposure/transaction values a bank has to such a listed non-bank related party must not be higher than 10% of the bank’s available eligible capital base at all times.
           
          iii.Where a related party is included within a Group of Connected Counterparties, the exposure/transaction limit specified under Sections 5.1.i and 5.1.ii above shall be applicable, in addition to the overall group exposure limit as specified in SAMA Rules on Large Exposures of Banks.
           
          iv.A cumulative limit on all exposures/transactions to non-bank related parties shall be 50% of the bank’s eligible capital.
           
          Any breach of the exposure/transaction limits must be communicated immediately to SAMA. The communication to SAMA must also include the bank’s action plan to bring the exposure/transaction back within the breached limit. Furthermore, any such breaches may attract punitive supervisory action depending upon their materiality.
           
        • 5.2 Exposures/Transactions Exempted from Related Parties Limits

          The following exposures/transactions shall be exempt from the limits specified under these Rules:
           
          i.Banks’ exposures/transactions to the Saudi Government, SAMA, Entities Connected with the Saudi Government, GCC and their central banks.
           
          ii.Entities that are related to the bank only because of the sovereign ownership described above in both the entity and the bank. This also applies if there is a joint Board member representing, and appointed by, the Saudi Government in both the related party entity and the bank. However, the representative himself or herself is not exempted from the limits specified in these rules.
           
      • 6. Security for Related Party Transactions

        i.Article 9 of the Banking Control Law requires banks not to grant, without security, a loan or credit facilities, or issue a guarantee or incur any other financial liability in respect to parties specified in the law.
         
        ii.For loans, credit facilities, guarantees or other financial liabilities to establishments not taking the form of joint-stock companies in which any of its Directors or Auditors is a partner or is a manager or has a direct financial interest, banks are required to ensure such facilities are fully secured where control relationship by the party exists. Where no control relationship exists, security for the borrowing should be on pro rata basis. In other words, only the respective party’s effective share of the facility is required to be fully secured.
         
      • 7. Reporting

        Banks are required to submit to SAMA all exposures/transactions to related parties that exceeded 5% of the bank’s eligible capital base on the reporting date, in the prescribed format attached as Appendix-I.

        The above information shall be submitted to SAMA each calendar quarter within 30 calendar days of the end of each quarter.

      • 8. Effective Date

        These Rules shall come into force with effect from 1st of September 2022. Banks are required to ensure compliance with these Rules when taking any new exposure/transaction or renewing existing exposures/transactions after the effective date. Banks are required to submit to SAMA a list of all exposures/transactions (if any) that do not meet the requirements of these Rules, and a rectification plan where necessary.

      • Appendix-I

        Name of the Bank:

        Statement for the Month ended

        Statement Showing Exposures/Transactions to Related Parties that Exceeded 5% of Bank's Eligible Capital Base

        (All amounts are in SR thousands)

        The statement is a table with the following columns (column numbers and the computed columns as given on the form):

        1. SR. No.
        2. Name and Location of Borrower
        3. Total Amount of Gross Exposure/transaction: On Bal. Sheet
        4. Total Amount of Gross Exposure/transaction: Off Bal. Sheet
        5. Total Amount of Gross Exposure/transaction: Total (= 3 + 4)
        6. Value of Eligible Credit Risk Mitigants (CRM)
        7. Net Exposure/transaction (= 5 - 6)
        8. Ratio of Net Exposure/transaction to Bank's Eligible Capital
        9. In Case of Exempted Exposures/transactions, State Reasons for Exemption

        One line is completed per related party, followed by a Total row and the two summary lines below:

        A. Aggregate of all Exposures/transactions to Related Parties (Incl. the above Exposures/transactions)
        B. Ratio of Aggregate Related Parties Exposures/transactions to Bank's Eligible Capital
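        The limit checks of Section 5.1 and the column arithmetic of Appendix-I, worked through as an added Python example. This is illustrative code written for this page, not SAMA's reporting tool or any bank's implementation. It assumes that limits are tested against net exposure after eligible CRM (as the Appendix-I columns suggest), that the caller classifies each party as non_bank, listed, financial_subsidiary or exempt, that exempt parties (Section 5.2) appear in the report but are not limit-checked, and that unclassified parties default to the strictest 5% class. All party names and amounts in the sample are constructed.

```python
"""Related-party exposure limit check and Appendix-I style report (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Section 5.1 limits as fractions of the bank's eligible capital.
LIMITS = {
    "non_bank": 0.05,              # 5.1.i: any non-bank related party
    "listed": 0.10,                # 5.1.ii: listed on the Saudi stock exchange
    "financial_subsidiary": 0.25,  # 5.1.i: non-banking subsidiary in the financial sector
}
AGGREGATE_LIMIT = 0.50   # 5.1.iv: all non-bank related parties combined
REPORT_THRESHOLD = 0.05  # Section 7: report every party above 5% of eligible capital


@dataclass
class Exposure:
    """One exposure/transaction line; amounts in SR thousands (Appendix-I units)."""
    party: str
    on_balance_sheet: float
    off_balance_sheet: float = 0.0
    eligible_crm: float = 0.0

    @property
    def gross(self) -> float:
        return self.on_balance_sheet + self.off_balance_sheet  # column 5 = 3 + 4

    @property
    def net(self) -> float:
        return max(self.gross - self.eligible_crm, 0.0)  # column 7 = 5 - 6


def build_report(exposures, party_kind, eligible_capital):
    """Aggregate lines per party, compute the Appendix-I columns and flag breaches.

    party_kind: {party name: "non_bank" | "listed" | "financial_subsidiary" | "exempt"}.
    Assumption: exempt parties are reported (column 9 reason) but not limit-checked.
    """
    if eligible_capital <= 0:
        raise ValueError("eligible capital must be positive")
    gross, crm, net = defaultdict(float), defaultdict(float), defaultdict(float)
    for e in exposures:
        gross[e.party] += e.gross
        crm[e.party] += e.eligible_crm
        net[e.party] += e.net

    rows, breaches, reportable = [], [], []
    aggregate_all = aggregate_non_exempt = 0.0
    for party in gross:
        kind = party_kind.get(party, "non_bank")  # unclassified -> strictest class
        ratio = net[party] / eligible_capital
        limit = LIMITS.get(kind)                   # None for exempt parties
        row = {
            "party": party, "kind": kind, "gross": gross[party], "crm": crm[party],
            "net": net[party], "ratio": ratio, "limit": limit,
            "exemption_reason": "Section 5.2 exemption" if kind == "exempt" else "",
        }
        rows.append(row)
        aggregate_all += net[party]
        if limit is None:
            pass  # exempt: no per-party limit and excluded from the 50% aggregate
        else:
            aggregate_non_exempt += net[party]
            if ratio > limit:
                breaches.append({"party": party, "ratio": ratio, "limit": limit})
        if ratio > REPORT_THRESHOLD:
            reportable.append(party)

    agg_ratio = aggregate_non_exempt / eligible_capital
    if agg_ratio > AGGREGATE_LIMIT:
        breaches.append({"party": "AGGREGATE", "ratio": agg_ratio, "limit": AGGREGATE_LIMIT})
    return {
        "rows": rows,
        "breaches": breaches,            # each one must be reported to SAMA immediately
        "reportable": reportable,        # parties above 5% go on the quarterly statement
        "aggregate_net": aggregate_all,  # Appendix-I line A
        "aggregate_ratio": aggregate_all / eligible_capital,  # Appendix-I line B
    }


# Constructed sample data (SR thousands); names are placeholders, not real entities.
SAMPLE_EXPOSURES = [
    Exposure("Alpha Trading Co", 400_000, 200_000, eligible_crm=50_000),
    Exposure("Beta Listed Co", 800_000, 100_000),
    Exposure("Gamma Finance Sub", 2_000_000),
    Exposure("Delta Co", 200_000),
    Exposure("Delta Co", 0, 100_000),  # second line for the same party is aggregated
    Exposure("Government Entity X", 3_000_000),
]
SAMPLE_PARTY_KIND = {
    "Alpha Trading Co": "non_bank",
    "Beta Listed Co": "listed",
    "Gamma Finance Sub": "financial_subsidiary",
    "Delta Co": "non_bank",
    "Government Entity X": "exempt",
}


def sample_report(eligible_capital=10_000_000.0):
    return build_report(SAMPLE_EXPOSURES, SAMPLE_PARTY_KIND, eligible_capital)


if __name__ == "__main__":
    report = sample_report()
    for r in report["rows"]:
        print(f"{r['party']:<22} net={r['net']:>12,.0f} ratio={r['ratio']:.2%} {r['exemption_reason']}")
    print("breaches:", report["breaches"])
```

        With the constructed data and eligible capital of SR 10,000,000 thousand, only Alpha Trading Co breaches (5.5% against the 5% limit); the listed company (9% against 10%) and the financial-sector subsidiary (20% against 25%) are within their higher limits but still appear on the quarterly statement because they exceed 5%. Running the same data with a smaller capital base shows the 50% cumulative limit of 5.1.iv tripping as well.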