Part 4: Licensee Obligations
Chapter 1: Outsourcing Rules and Auditing and Risk Management
Article 27
1. A Licensee must comply with the Outsourcing Rules in a manner sufficient to ensure compliance with its obligations under Part 4 of the Implementing Regulation.
2. A Licensee must obtain a non-objection letter from SAMA in the event of its intention to enter into a contract with another Person under which that other Person will carry out material functions relating to its provision of Relevant Payment Services or operation of a Payment System.
3. Where a Licensee intends to outsource material functions, the Licensee shall consider the following:
(a) The outsourcing is not undertaken in such a way as to impair or adversely affect:
(i) The quality of the licensee’s internal controls (including over the outsourced services);
(ii) The powers of SAMA to monitor the licensee’s compliance with the Law and the Implementing Regulation and the licensing requirements.
(iii) The relationship and obligations of the Licensee towards its Payment Service Users or Members.
(iv) Compliance with the conditions which the licensee must observe in order to be licensed; and
(v) Adherence to the conditions of the License.
(b) Outsourcing of functions shall not lead to delegating the Licensee's responsibilities to comply with the Implementing Regulation by the Senior Positions;
4. For the purposes of the Paragraph (3) of this Article, functions are considered material if a defect or failure in its performance would materially impair any of the following :
(a) Compliance with the licensee with the Law and the Implementing Regulation or any of the License requirements;
(b) The financial performance of the licensee.
(c) The soundness or business continuity of the Relevant Payment Services or the Payment System.
5. The licensee must notify SAMA of any change in outsourced functions or the Persons to which functions are outsourced.
6. Where a Licensee outsources functions, it remains liable to its Clients and to SAMA.
Article 28
1. A Licensee must have risk management, compliance policies and business continuity, procedures, systems and controls that are comprehensive and proportionate to the nature, scale and complexity of the provided activities and services by the Licensee, and the policies, procedures, systems and controls must take into account the types of activities performed by the Licensee, the nature, scale and complexity of its business model, any operational challenges and the degree of risk associated with its operations.
2. A Licensee must ensure that its risk management and compliance policies, and business continuity, procedures, systems and controls are kept up-to-date and must review them at least once per year, submitting copies when there are any material updates to SAMA. SAMA may request additional information or changes to be made.
3. A licensee’s risk management and compliance systems and controls must include the following:
(a) Effective procedures for identifying, managing, monitoring and reporting any risks to which the entity may be exposed;
(b) Adequate internal control mechanisms, including sound administrative, risk management and accounting procedures;
(c) Appropriate mechanisms for the verification of compliance with all relevant requirements under the Law and the Implementing Regulation, as well as all other relevant applicable laws, regulations, instructions and circulars and decisions.
(d) Policies and procedures to detect and respond to fraud incidents; and
(e) Policies and procedures to inform SAMA and the competent authorities of fraud incidents.
4. Subject to Paragraph (3) above, a Licensee’s risk management and compliance systems and controls must include the following:
(a) The establishment of a risk management function, internal audit function and compliance function, with the heads of such functions being provided with sufficient independence and resources to carry out their duties; and
(b) The establishment of an integrated control framework between the internal audit, risk management, and compliance functions, and external audits.
Article 29
The Licensee must have sufficient and eligible staff that have the appropriate knowledge and experience in order to fulfill the operational needs of the Licensee. The remuneration and incentives of staff must be fair and aligned with the Licensee’s risk management strategy, taking into account the principles of sound governance, non-conflict of interests and the principles of customer protection; and the Licensee must comply with laws, regulations and decisions applicable in the Kingdom in relation to non-Saudi employee percentage.
Article 30
A Licensee must have corporate governance rules, systems and controls that are commensurate with the nature, scale and complexity of its business and structure, designed to address matters that include but are not limited to its organizational structure, independence and separation of duties, roles of the company management and board members and its committees – including the appointment of the managers and members and their duties, remuneration and compensation policies, conflict of interest controls, integrity and transparency controls, compliance with applicable laws, regulations and decisions, confidentiality and protection of company assets. In so doing, the Licensee must meet the applicable standards and principles as promulgated by SAMA and competent authorities in this regard.
Article 31
The Licensee must establish an internal audit department unit reporting directly to the audit committee (or its equivalent) of its board or the company directors. The internal audit department shall be independent in performing its duties, and its employees shall not be assigned any other responsibilities in accordance with the following:
(1) The internal audit unit assesses the internal policies and controls and will ensure the extent to which the Licensee and its employees comply with the applicable laws, regulations and decisions, and Licensee’s policies and procedures, including outsourced functions. The internal audit unit must have unfettered access to information and documents as necessary.
(2) The internal audit unit shall operate according to a comprehensive audit plan approved by the audit committee of its board, which shall include major activities and operations, including those related to risk management and compliance, and must be updated on an annual basis.
(3) The internal audit unit must prepare and submit to the audit committee a written report on its work every three months. This report must include the scope of the audit, all findings and recommendations. It must also include the procedures taken by each department in respect of the findings and recommendations of the previous audit, especially if they have not been settled on time and the reasons for their unsettlement, and any other related observations.
(4) The internal audit unit must prepare and submit to the audit committee of its board a report on all of its audits in each fiscal year, compared with the approved audit plan and stating any gaps or deviations from the audit plan, if any. This report shall be submitted within the first quarter following the end of every fiscal year.
(5) The Licensee shall maintain the working documents and approved audit reports that show in a transparent manner the work carried out, as well as the approved findings and recommendations and what has been accomplished regarding these recommendations.
Article 32
(1) A Licensee must appoint an external auditor (and must receive a non-objection letter from SAMA prior to doing so) to conduct an external audit. The appointed auditor must be subject to rotation on a five-year basis.
(2) The external auditor must be approved by the competent authorities in the Kingdom and must have no conflict of interest in acting for the Licensee.
(3) A Licensee must ensure that its terms of appointment with an auditor require that the auditor, at a minimum:
(a) Carries out, for the year in respect of which the auditor is appointed, an audit of the financial statements or consolidated financial statements of the Licensee prepared in accordance with the financial and accounting standards and practices approved for use in the Kingdom;
(b) Carries out an audit of the transactions in relation to the regulated services (separately from any audit carried out on activities not related to regulated services); and
(c) Submits a report of the audit to SAMA in such form as may be prescribed by SAMA and within such timeframe as SAMA may allow (including separate accounting information in respect of regulated activities) In accordance with the provisions of the Implementing regulation.
4. SAMA may make further requests of the auditor, including but not limited to the following:
(a) To submit any additional information in relation to the audit;
(b) To enlarge or extend the scope of the audit of the Licensee’s business; and
(c) To carry out any other examination that it requests in relation to the audit.
(5) If SAMA is not satisfied with the performance of the auditor, SAMA may direct the Licensee to remove the auditor and appoint another auditor at the Licensee’s expense.
(6) The auditor’s reports prepared in accordance with this Article must be attached to the balance sheet and the profit and loss account, the financial statements or the consolidated financial statements of the Licensee, which must submit copies of these reports to SAMA in such form and time as may be prescribed by SAMA.
(7) A Licensee must ensure that its terms of appointment with an auditor require that, if the auditor believes that any of the following matters have occurred, the auditor must immediately report such matter to SAMA:
(a) There has been a contravention of any provision of the Law and the Implementing Regulation or other applicable laws, regulations, decisions and instructions;
(b) A criminal offense involving fraud or dishonesty has been committed;
(c) Losses have been incurred that have led to the capital requirements set out in the Implementing Regulation not being satisfied;
(d) There is any irregularity that has or may have a material effect on the accounts of the Licensee, including any irregularity that had caused a major disruption to the provision of any type of regulated service to the Clients of the Licensee; and
(e) The auditor is unable to confirm that the assets of the licensee exceed the liabilities of the Licensee or satisfy another test of solvency applicable in the Kingdom.
(8) A report made under Paragraph (7) of this Article must not be considered a breach of any restriction upon the disclosure imposed by any applicable laws, regulations or contractual terms. The auditor and its employees are not liable for any loss arising from the disclosure or any act or omission in consequence of the disclosure, provided that the auditor or its employees disclose in good faith to SAMA the following:
(a) The knowledge or suspicion of any of the matters mentioned in Paragraph (8) of this Article; and
(b) Any information or other matter on which that knowledge or suspicion is based.
(9) Except as may be necessary for compliance with the Implementing Regulation or relevant laws, regulations, or decisions, a Licensee must instruct the external auditor appointed in accordance with this Article not to disclose any information that comes to its knowledge in the course of performing its duties to any Person other than the Licensee or SAMA.
(10) If a Licensee or any of its employees intentionally commits the following (or conspires with any other Person to do any such act), then they shall in contravention of the Implementing Regulation:
(a) Prevent, delay or obstruct the carrying out of an audit
(b) Destroy, conceal or replace any property, records or documents relating to the business of a licensee; or
(c) Sends out of the Kingdom any record, document or asset of any description belonging to or in the possession of or under the control of the Licensee.
Article 33
A Licensee must comply with the Implementing Regulation and decisions related to business continuity management issued by SAMA, taking into account the types of activities performed, as well as the nature, scale and complexity of their business model.
Article 34
A Licensee must comply with the Implementing Regulation and decisions related to cyber security requirements issued by SAMA and other applicable regulations of competent authorities in the Kingdom.
Article 35
A Licensee must comply with the Implementing Regulation, rules, decisions and circulars on data and technology governance requirements in relation to information technology systems issued by SAMA, in addition to any other applicable laws, regulations or relevant decisions issued by competent authorities in the Kingdom and a Licensee must adhere to the relevant approved technical standards of the Payment System of which they are Members or that would otherwise apply to them, and any other technical standards relevant for the execution of Payment Transactions (including the Payment Card Industry – Data Security Standards as may be applicable and amended).
Article 36
(1) The Licensee must comply with the laws, regulations, resolutions and instructions issued in relation to the Anti-Money Laundering, Counter-terrorism Crimes and Financing and the internal policies issued in this regard.
(2) The Licensee must adopt a risk-based approach in developing its Anti-money laundering and counter-terrorist financing internal policies and procedures to ensure that measures used to mitigate the risks of money laundering and terrorist financing are commensurate to the risks identified.
Article 37
(1) A Licensee must comply with the applicable laws in relation to data protection in the Kingdom, as well as with any other regulations, resolutions, instructions and circulars issued by SAMA.
(2) A Licensee must protect Client Data and maintain their confidentiality, including when it is held by a third party or an Agent of the Licensee. The personal information of Clients may be accessed and used by personnel authorized by the Licensee only to comply with regulatory requirement applicable in the Kingdom, including in relation to suspicion of money laundering reporting, fraud and financial crime reporting.
(3) Subject to applicable laws, a Licensee must not disclose Client Data except where the following:
(a) In compliance with SAMA requirements or under the request of other competent authorities from SAMA inside and outside the Kingdom.
(b) The disclosure is made with the prior specified written consent of the Client.
(4) A Licensee must put in place and maintain adequate policies, procedures and controls, as well as employee awareness training, to protect Client data from any information security risks.
(5) A Licensee must put in place data protection controls in accordance with what is issued by SAMA and other competent authorities in the Kingdom in this regard.
Article 38
(1) A Licensee must make and keep records of transactions, data and information relating to compliance with requirements of Part 4 of the Implementing Regulation, in a form where such records would enable SAMA to supervise such compliance effectively.
(2) The records which SAMA requires Licensees to keep and include:
(a) Financial information (including financial statements, bank statements, and Client accounts) and Accounting Records, including (but not limited to): cheques, records of electronic Fund transfers (including as relevant, bank statements), invoices, contracts, general and subsidiary ledgers, journal entries and adjustments to the financial statements that are not reflected in journal entries; and Worksheets and spreadsheets supporting cost allocations, computations, reconciliations and disclosures.
(b) Reports relating to the activities performed by the Licensee, the volume of business and Relevant Payment Services (including the volume and value of Payment Transactions);
(c) Minutes of the board or the company directors and related business decisions;
(d) Information on any security or material operational incidents that are (when viewed in isolation or jointly with other incidents) not immaterial;
(e) Records of Consents given to Payment Transactions;
(f) Records of security logs, including authentication logs;
(g) Details of changes required to be submitted in accordance with Article 121 of the Implementing Regulations.
(h) Reports on risk management (including in relation to incidents of fraud that must be disclosed);
(i) Reports on data protection and privacy measures taken;
(j) Complaints from Payment Service users, including any remedial action taken;
(k) Reports of any errors, delays, refunds or other matters dealt with;
(l) Reports on compliance with the requirements of protecting safeguarded funds ;
(m) Any information related to know-your-customer requirements, Client due diligence and sanctions screening in accordance with the laws, regulations and instructions of Anti-Money Laundering and Counter-Terrorism Crimes and Financing;
(n) Reports on compliance with the Implementing Regulation or other applicable laws, regulations, decisions, instructions and circulars.
(o) Material legal documentation, including employment contracts, auditor appointment contracts, agreements relating to business continuity and outsourcing agreements, as well as corporate governance documentation.
(3) A Licensee must maintain such records and keep them for at least ten years from the date on which the relevant record was created. SAMA, however, may (at its discretion) amend the Licensee’s retention period of records as deemed appropriate.
(4) A Licensee must put in place and maintain policies, procedures, systems and controls that regulate the electronic storage of documents and records, satisfying the following minimum requirements:
(a) Creating and storing records and documents on highly reliable, secure storage media;
(b) Clearly indexing and categorizing records and any related documents in a manner that enables further use or reference;
(c) Providing a reliable and secure system for granting and organizing access privileges for electronic and physical systems, ensuring that there is no unauthorized access to electronically or physically held data;
(d) Creating and maintaining a backup policy providing the utmost level of protection and the ability to retrieve backup copies in case of the loss of the original copy of any kind and testing the backup copies periodically;
(e) Using digital certification and electronic encryption;
(f) Storing the records and related documents in the same format in which it was created or received, without any additions, omissions or modifications;
(g) Logging all actions made in relation to a record; and
(h) Ensuring that personnel with authorization to access electronic and physical records, documents and data maintain their confidentiality during and after the period of their employment or work at the Payment Service Provider.
(5) The Licensee must conduct regular reviews, at least on an annual basis, to ensure compliance with the provisions of this Article.
Chapter 2: Structural Changes
Article 39
(1) Before making any of the changes set out in Paragraph (2) of this Article, a Licensee must obtain a non-objection letter from SAMA and provide reasons for making such changes with details of the proposed date on which each change is suggested to come into effect.
(2) The changes include the following:
(a) The changes to the details of the Licensee, including but not limited to the following:
(i) Legal name (as shown on the public register); and trading name;
(ii) Principal place of business;
(iii) Address of the registered office in the Kingdom;
(iv) Opening and closer of branches.
(v) The contact details of the member of the Senior Positions that is the primary contact for communications with SAMA;
(vi) Its website; and
(vii) Details of any commercial registrations of its subsidiaries -where applicable -.
(b) The changes to the operation, management or financing of the Licensee’s business, including but not limited to:
(i) Any proposed restructuring, reorganization or business expansion, with a detailed explanation of any foreseeable that might result from changes to the Licensee’s risk profile;
(ii) Any action that would result in a material change to the Licensee’s financial resources; and
(iii) Changes to material outsourcing arrangements or material new agreements with service providers for outsourcing;
(c) Changes to the policy documenting the methods adopted for Safeguarded Funds;
(d) Changes to the natural persons making up the Senior Positions of a Licensee or changes affecting the fitness and propriety of any Controller or member of Senior Management;
(e) Changes to policy for setting transaction or other limits required by Article 70 of the Implementing Regulations.
(f) Changes to its commercial activities beyond the scope of the Implementing Regulation;
(g) Any other changes that SAMA specifies.
(3) The Licensee must obtain prior written approval from SAMA in the event that it wishes to go public with its shares or part thereof.
Article 40
(1) A Licensee must keep a register in respect of each of its Controllers and update it within forty days of becoming aware of any changes. Accordingly, Controllers shall provide the Licensee with all necessary information to be included in the register, which includes (as a minimum) the following particulars:
(a) Full name;
(b) Current residential address;
(c) Date and place of birth;
(d) Nationality; and
(e) Copy of current government identity document.
(2) A Licensee shall send to SAMA an annual report identifying its Controllers in the mechanism and format set by SAMA.
(3) A Licensee shall notify SAMA as soon as possible after it becomes aware of any significant changes in the conduct or circumstances of existing Controllers that may impact the fitness and propriety of a Controller or the ability of the Licensee to conduct its business properly.
Article 41
(1) A Licensee that is incorporated in the Kingdom must obtain prior written approval from SAMA in the event that any Person wishes to become a Controller or to increase their level of control.
(2) Upon receiving a request under the above Paragraph of this Article, SAMA may approve or reject the request to add the Controller or increase the level of control or impose any conditions on the Licensee or Controller.
(3) Where SAMA proposes to approve a proposed Controller or an increase in the level of control in the Licensee, it shall do so in writing within ninety calendar days of the receipt of a completed application;
(4) TAn approval, including a conditional approval granted by SAMA pursuant to this Article, is valid for a period of six months from the date of the approval unless an extension is granted by SAMA in writing.
(5) A Person who has been approved by SAMA as a Controller must comply with the relevant conditions of approval. A Licensee shall not enable the Person who has been notified by SAMA as unacceptable to proceed with the proposed acquisition of control of the Licensee.
(6) In the case of the Licensee being a branch of an entity that is incorporated outside the Kingdom, a written notification to SAMA must be submitted by a Controller or a Person proposing to become a Controller of that Licensee or proposing to exceed the level of control.
(7) A Controller who proposes to stop being a Controller or who proposes to decrease their level of control must notify SAMA before taking any action that results to decrease their level of control.
Chapter 3: Licensing Requirements for Payment Service Providers
Article 42
(1) A Payment Service Provider is considered a Micro PI if the following conditions are met:
(a) Carries on one or more Relevant Payment Services, except issuing Electronic Money;
(b) Does not provide Relevant Payment Services cross-border to Persons outside the Kingdom;
(c) Does not exceed the Average Monthly Payment Transaction Value of ten million SAR.
(2) A Payment Service Provider is considered a Major PI in the event that one or more Relevant Payment Services are implemented, except for the issuance of Electronic Money, and the average value of monthly payments exceeds ten million SAR.
Article 43
(1) An EMI is considered a Micro EMI if the following conditions are met:
(a) Ensures that its Total Average Outstanding Electronic Money does not exceed ten million SAR;
(b) Does not exceed an Average Monthly Payment Transaction Value of ten million SAR;
(c) Does not permit any Payment Service User to hold more than twenty thousand SAR of Electronic Money in aggregate across all accounts held by that Payment Service User, subject to Paragraph (3) of this Article;
(d) Does not permit any Payment Service User to execute Payment Transactions of more than twenty thousand SAR per calendar month in aggregate, including Cash-Out Transactions (but excluding those made in the event of the closure of an Electronic Money account), subject to Paragraph (3) of this Article.
(2) An EMI is considered a Major EMI in the event that it exceeds any of the limits stipulated in the above Paragraph of this Article.
(3) A Micro EMI must comply, in the cases prescribed below, with the following:
(a) A Micro EMI that has yet to start issuing Electronic Money, or has been issuing Electronic Money for fewer than twelve calendar months, must ensure that its projected Total Average Outstanding Electronic Money for its initial twelve-month period of operations does not exceed ten million SAR; and
(b) A Micro EMI that has yet to commence the provision of Relevant Payment Services, or has been providing Relevant Payment Services for fewer than twelve calendar months, must ensure that its projected Average Monthly Payment Transaction Value does not exceed ten million SAR.
(4) SAMA may increase one or more of the limits set out in Paragraph (1) of this Article if the Micro EMI submits an application that includes adequate causes and is committed to having sufficient systems and controls to monitor those limits, taking into account the power of SAMA to restrict its approval until additional conditions as deems appropriate are met.
(5) A Major EMI must comply with the following:
(a) Not permit any Payment Service User to hold Electronic Money of more than one hundred thousand SAR in aggregate across all accounts held by that Payment Service User; and
(b) Not permit any Payment Service User to execute Payment Transactions of more than one hundred thousand SAR (per calendar month in aggregate, including Cash-Out Transactions (but excluding those made in the event of the closure of an Electronic Money account).
(6) SAMA may increase one or more of the limits set out in Paragraph (5) of this Article if the Major EMI submits an application that includes adequate causes and is committed to having sufficient systems and controls to monitor those limits, taking into account the power of SAMA to restrict its approval until additional conditions as deems appropriate are met.
Article 44
(1) An Applicant must provide evidence satisfactory to SAMA that it meets the initial capital requirement for licensing as follows:
(a) Provide evidence of possession of at least one million SAR in paid-up equity for a Micro PI License.
(b) Provide evidence of possession of at least three million SAR in paid-up equity for a Major PI License.
(c) Provide evidence of possession of at least two million SAR in paid-up equity for a Micro EMI License.
(d) Provide evidence of possession of at least ten million SAR in paid-up equity for a Major EMI License.
(e) Provide evidence of possession of at least one million SAR in paid-up equity for a Payment Initiation Service License independently or with a Payment Account Information Services License.
(f) Provide evidence of possession of at least five hundred thousand SAR in paid-up equity for a Payment Account Information Services License.
(2) An Applicant for a License to act as a Payment System Operator must comply with such initial capital requirements as determined by SAMA that are commensurate with the projected size, as well as the nature, scale and complexity of the proposed Payment System or Systems proposed to be operated by it.
Article 45
(1) As an on-going capital requirement, Licensees must maintain regulatory capital as set out in this Article.
(2) A Micro PI and Micro EMI must maintain an amount equal to the initial capital requirement stated in Article 44 of the Implementing Regulations.
(3) A Major PI must maintain an amount equal to the higher of:
(a) The initial capital requirement stated in Article 44 of the Implementing Regulations.
(b) 1% of the Major PI’s Average Monthly Payment Transaction Value.
(4) A Major EMI must maintain an amount equal to the higher of:
(a) The initial capital requirement stated in Article 44 of the Implementing Regulations.
(b) 2% of the Total Average Outstanding Electronic Money.
(5) A Payment Service Provider must provide evidence of its compliance with its on-going capital requirements by providing the following:
(a) A certified copy of a license issued by the competent licensing authority in the Kingdom showing its paid-up capital;
(b) Audited financial statements by a certified public accountant in the Kingdom;
(c) Any other method deemed acceptable by SAMA.
(6) A Payment Service Provider must comply with the relevant accounting standards applicable in the Kingdom, as determined by SAMA in this regard.
Article 46
(1) Payment Account Information Services Provider or Payment Initiation Services Provider must hold professional indemnity insurance or a comparable guarantee.
(2) The professional indemnity insurance must cover potential liability to Payment Account Service Providers and Payment Service Users, resulting from - unless there is a specific value indicated by SAMA :
(a) In respect of its Payment Account Information Services, unauthorized or fraudulent access to, or use of, Payment Account information;
(b) In respect of its Payment Initiation Services, Unauthorized Payment Transactions and non-execution or defective or late execution of transactions and associated liability for charges and interest and right of recourse.
Chapter 4: Scope of Application on the Licensees
Article 47
Article 48
(1) A Licensed Bank that provides Relevant Payment Services is exempted from the requirement to apply for a License under the Implementing Regulation.
(2) SAMA shall specify the provisions of the Implementing Regulation that a licensed bank must comply with when providing Relevant Payment Services, in accordance with its nature and in a manner that achieves the objectives of the Law and the Implementing Regulations.
Article 49
(1) Subject to the remainder of this Article, the provider of a Limited Network Service must register with SAMA as a provider of a Limited Network Service in the manner designated by SAMA.
(2) A registered Provider of a Limited Network Service-with SAMA- must notify SAMA immediately if its execution of transactions within the context of a Limited Network Service exceeds (or will likely be expected to exceed) the aggregate value of five million SAR in any period of twelve consecutive calendar months, or the value of two million SAR in any month in that twelve-month period.
(3) The notification to SAMA must include a description of Limited Network Service provider services and its reasons for categorizing the relevant transactions as a Limited Network Service.
(4) Notifications and information provided to SAMA under Paragraph (2) of this Article must be given within such time and in such form as SAMA may direct after the end of the relevant month or period of twelve months.
(5) A Person to which this Article applies may be required by SAMA to apply for a License.