Chapter 1: Outsourcing Rules and Auditing and Risk Management
Article 27
1. A Licensee must comply with the Outsourcing Rules in a manner sufficient to ensure compliance with its obligations under Part 4 of the Implementing Regulation.
2. A Licensee must obtain a non-objection letter from SAMA in the event of its intention to enter into a contract with another Person under which that other Person will carry out material functions relating to its provision of Relevant Payment Services or operation of a Payment System.
3. Where a Licensee intends to outsource material functions, the Licensee shall consider the following:
(a) The outsourcing is not undertaken in such a way as to impair or adversely affect:
(i) The quality of the Licensee’s internal controls (including over the outsourced services);
(ii) The powers of SAMA to monitor the Licensee’s compliance with the Law and the Implementing Regulation and the licensing requirements;
(iii) The relationship and obligations of the Licensee towards its Payment Service Users or Members.
(iv) Compliance with the conditions which the Licensee must observe in order to be licensed; and
(v) Adherence to the conditions of the License.
(b) Outsourcing of functions shall not result in the Senior Positions delegating the Licensee's responsibility to comply with the Implementing Regulation.
4. For the purposes of Paragraph (3) of this Article, functions are considered material if a defect or failure in their performance would materially impair any of the following:
(a) Compliance by the Licensee with the Law and the Implementing Regulation or any of the License requirements;
(b) The financial performance of the Licensee; or
(c) The soundness or business continuity of the Relevant Payment Services or the Payment System.
5. The Licensee must notify SAMA of any change in outsourced functions or the Persons to which functions are outsourced.
6. Where a Licensee outsources functions, it remains liable to its Clients and to SAMA.
Article 28
1. A Licensee must have risk management and compliance policies, business continuity arrangements, procedures, systems and controls that are comprehensive and proportionate to the nature, scale and complexity of the activities and services provided by the Licensee. These policies, procedures, systems and controls must take into account the types of activities performed by the Licensee, the nature, scale and complexity of its business model, any operational challenges and the degree of risk associated with its operations.
2. A Licensee must ensure that its risk management and compliance policies, business continuity arrangements, procedures, systems and controls are kept up-to-date and must review them at least once per year, submitting copies to SAMA whenever there are material updates. SAMA may request additional information or require changes to be made.
3. A Licensee’s risk management and compliance systems and controls must include the following:
(a) Effective procedures for identifying, managing, monitoring and reporting any risks to which the entity may be exposed;
(b) Adequate internal control mechanisms, including sound administrative, risk management and accounting procedures;
(c) Appropriate mechanisms for the verification of compliance with all relevant requirements under the Law and the Implementing Regulation, as well as all other relevant applicable laws, regulations, instructions, circulars and decisions;
(d) Policies and procedures to detect and respond to fraud incidents; and
(e) Policies and procedures to inform SAMA and the competent authorities of fraud incidents.
4. Subject to Paragraph (3) above, a Licensee’s risk management and compliance systems and controls must include the following:
(a) The establishment of a risk management function, internal audit function and compliance function, with the heads of such functions being provided with sufficient independence and resources to carry out their duties; and
(b) The establishment of an integrated control framework between the internal audit, risk management, and compliance functions, and external audits.
Article 29
The Licensee must have sufficient and eligible staff who have the appropriate knowledge and experience to fulfill the operational needs of the Licensee. The remuneration and incentives of staff must be fair and aligned with the Licensee’s risk management strategy, taking into account the principles of sound governance, avoidance of conflicts of interest and the principles of customer protection; and the Licensee must comply with the laws, regulations and decisions applicable in the Kingdom in relation to the percentage of non-Saudi employees.
Article 30
A Licensee must have corporate governance rules, systems and controls that are commensurate with the nature, scale and complexity of its business and structure, designed to address matters that include but are not limited to its organizational structure, independence and separation of duties, roles of the company management and board members and its committees – including the appointment of the managers and members and their duties, remuneration and compensation policies, conflict of interest controls, integrity and transparency controls, compliance with applicable laws, regulations and decisions, confidentiality and protection of company assets. In so doing, the Licensee must meet the applicable standards and principles as promulgated by SAMA and competent authorities in this regard.
Article 31
The Licensee must establish an internal audit unit reporting directly to the audit committee (or its equivalent) of its board or the company directors. The internal audit unit shall be independent in performing its duties, its employees shall not be assigned any other responsibilities, and the unit shall operate in accordance with the following:
(1) The internal audit unit assesses the internal policies and controls and the extent to which the Licensee and its employees comply with the applicable laws, regulations and decisions and the Licensee’s policies and procedures, including in respect of outsourced functions. The internal audit unit must have unfettered access to information and documents as necessary.
(2) The internal audit unit shall operate according to a comprehensive audit plan approved by the audit committee of its board, which shall include major activities and operations, including those related to risk management and compliance, and must be updated on an annual basis.
(3) The internal audit unit must prepare and submit to the audit committee a written report on its work every three months. This report must include the scope of the audit and all findings and recommendations. It must also include the actions taken by each department in respect of the findings and recommendations of the previous audit, especially where they have not been settled on time, together with the reasons they remain unsettled, and any other related observations.
(4) The internal audit unit must prepare and submit to the audit committee of its board a report on all of its audits in each fiscal year, compared with the approved audit plan and stating any gaps or deviations from the audit plan, if any. This report shall be submitted within the first quarter following the end of every fiscal year.
(5) The Licensee shall maintain the working documents and approved audit reports that show in a transparent manner the work carried out, as well as the approved findings and recommendations and what has been accomplished regarding these recommendations.
Article 32
(1) A Licensee must appoint an external auditor (and must receive a non-objection letter from SAMA prior to doing so) to conduct an external audit. The appointed auditor must be subject to rotation on a five-year basis.
(2) The external auditor must be approved by the competent authorities in the Kingdom and must have no conflict of interest in acting for the Licensee.
(3) A Licensee must ensure that its terms of appointment with an auditor require that the auditor, at a minimum:
(a) Carries out, for the year in respect of which the auditor is appointed, an audit of the financial statements or consolidated financial statements of the Licensee prepared in accordance with the financial and accounting standards and practices approved for use in the Kingdom;
(b) Carries out an audit of the transactions in relation to the regulated services (separately from any audit carried out on activities not related to regulated services); and
(c) Submits a report of the audit to SAMA in such form as may be prescribed by SAMA and within such timeframe as SAMA may allow (including separate accounting information in respect of regulated activities), in accordance with the provisions of the Implementing Regulation.
(4) SAMA may make further requests of the auditor, including but not limited to the following:
(a) To submit any additional information in relation to the audit;
(b) To enlarge or extend the scope of the audit of the Licensee’s business; and
(c) To carry out any other examination that it requests in relation to the audit.
(5) If SAMA is not satisfied with the performance of the auditor, SAMA may direct the Licensee to remove the auditor and appoint another auditor at the Licensee’s expense.
(6) The auditor’s reports prepared in accordance with this Article must be attached to the balance sheet and the profit and loss account, the financial statements or the consolidated financial statements of the Licensee, which must submit copies of these reports to SAMA in such form and time as may be prescribed by SAMA.
(7) A Licensee must ensure that its terms of appointment with an auditor require that, if the auditor believes that any of the following matters have occurred, the auditor must immediately report such matter to SAMA:
(a) There has been a contravention of any provision of the Law and the Implementing Regulation or other applicable laws, regulations, decisions and instructions;
(b) A criminal offense involving fraud or dishonesty has been committed;
(c) Losses have been incurred that have led to the capital requirements set out in the Implementing Regulation not being satisfied;
(d) There is any irregularity that has or may have a material effect on the accounts of the Licensee, including any irregularity that has caused a major disruption to the provision of any type of regulated service to the Clients of the Licensee; and
(e) The auditor is unable to confirm that the assets of the Licensee exceed the liabilities of the Licensee or satisfy another test of solvency applicable in the Kingdom.
(8) A report made under Paragraph (7) of this Article must not be considered a breach of any restriction upon the disclosure imposed by any applicable laws, regulations or contractual terms. The auditor and its employees are not liable for any loss arising from the disclosure or any act or omission in consequence of the disclosure, provided that the auditor or its employees disclose in good faith to SAMA the following:
(a) The knowledge or suspicion of any of the matters mentioned in Paragraph (8) of this Article; and
(b) Any information or other matter on which that knowledge or suspicion is based.
(9) Except as may be necessary for compliance with the Implementing Regulation or relevant laws, regulations, or decisions, a Licensee must instruct the external auditor appointed in accordance with this Article not to disclose any information that comes to its knowledge in the course of performing its duties to any Person other than the Licensee or SAMA.
(10) If a Licensee or any of its employees intentionally does any of the following (or conspires with any other Person to do so), it shall be in contravention of the Implementing Regulation:
(a) Prevents, delays or obstructs the carrying out of an audit;
(b) Destroys, conceals or replaces any property, records or documents relating to the business of a Licensee; or
(c) Sends out of the Kingdom any record, document or asset of any description belonging to, in the possession of, or under the control of the Licensee.
Article 33
A Licensee must comply with the Implementing Regulation and the decisions related to business continuity management issued by SAMA, taking into account the types of activities it performs, as well as the nature, scale and complexity of its business model.
Article 34
A Licensee must comply with the Implementing Regulation and decisions related to cyber security requirements issued by SAMA and other applicable regulations of competent authorities in the Kingdom.
Article 35
A Licensee must comply with the Implementing Regulation, rules, decisions and circulars on data and technology governance requirements in relation to information technology systems issued by SAMA, in addition to any other applicable laws, regulations or relevant decisions issued by competent authorities in the Kingdom. A Licensee must also adhere to the relevant approved technical standards of any Payment System of which it is a Member or that would otherwise apply to it, and to any other technical standards relevant for the execution of Payment Transactions (including the Payment Card Industry Data Security Standards, as may be applicable and amended).
Article 36
(1) The Licensee must comply with the laws, regulations, resolutions and instructions issued in relation to the Anti-Money Laundering, Counter-terrorism Crimes and Financing and the internal policies issued in this regard.
(2) The Licensee must adopt a risk-based approach in developing its Anti-money laundering and counter-terrorist financing internal policies and procedures to ensure that measures used to mitigate the risks of money laundering and terrorist financing are commensurate to the risks identified.
Article 37
(1) A Licensee must comply with the applicable laws in relation to data protection in the Kingdom, as well as with any other regulations, resolutions, instructions and circulars issued by SAMA.
(2) A Licensee must protect Client Data and maintain its confidentiality, including when it is held by a third party or an Agent of the Licensee. The personal information of Clients may be accessed and used by personnel authorized by the Licensee only to comply with the regulatory requirements applicable in the Kingdom, including in relation to the reporting of suspected money laundering, fraud and financial crime.
(3) Subject to applicable laws, a Licensee must not disclose Client Data except in the following cases:
(a) In compliance with SAMA requirements, or at the request of other competent authorities inside or outside the Kingdom received through SAMA; or
(b) The disclosure is made with the prior specified written consent of the Client.
(4) A Licensee must put in place and maintain adequate policies, procedures and controls, as well as employee awareness training, to protect Client Data from any information security risks.
(5) A Licensee must put in place data protection controls in accordance with what is issued by SAMA and other competent authorities in the Kingdom in this regard.
Article 38
(1) A Licensee must make and keep records of transactions, data and information relating to compliance with requirements of Part 4 of the Implementing Regulation, in a form where such records would enable SAMA to supervise such compliance effectively.
(2) The records which SAMA requires Licensees to keep include:
(a) Financial information (including financial statements, bank statements and Client accounts) and Accounting Records, including (but not limited to) cheques, records of electronic Fund transfers (including, as relevant, bank statements), invoices, contracts, general and subsidiary ledgers, journal entries and adjustments to the financial statements that are not reflected in journal entries, and worksheets and spreadsheets supporting cost allocations, computations, reconciliations and disclosures;
(b) Reports relating to the activities performed by the Licensee, the volume of business and Relevant Payment Services (including the volume and value of Payment Transactions);
(c) Minutes of the board or the company directors and related business decisions;
(d) Information on any security or material operational incidents that are (when viewed in isolation or jointly with other incidents) not immaterial;
(e) Records of Consents given to Payment Transactions;
(f) Records of security logs, including authentication logs;
(g) Details of changes required to be submitted in accordance with Article 121 of the Implementing Regulation;
(h) Reports on risk management (including in relation to incidents of fraud that must be disclosed);
(i) Reports on data protection and privacy measures taken;
(j) Complaints from Payment Service Users, including any remedial action taken;
(k) Reports of any errors, delays, refunds or other matters dealt with;
(l) Reports on compliance with the requirements for protecting safeguarded funds;
(m) Any information related to know-your-customer requirements, Client due diligence and sanctions screening in accordance with the laws, regulations and instructions of Anti-Money Laundering and Counter-Terrorism Crimes and Financing;
(n) Reports on compliance with the Implementing Regulation or other applicable laws, regulations, decisions, instructions and circulars; and
(o) Material legal documentation, including employment contracts, auditor appointment contracts, agreements relating to business continuity and outsourcing agreements, as well as corporate governance documentation.
(3) A Licensee must maintain such records and keep them for at least ten years from the date on which the relevant record was created. SAMA, however, may (at its discretion) amend the Licensee’s retention period of records as deemed appropriate.
(4) A Licensee must put in place and maintain policies, procedures, systems and controls that regulate the electronic storage of documents and records, satisfying the following minimum requirements:
(a) Creating and storing records and documents on highly reliable, secure storage media;
(b) Clearly indexing and categorizing records and any related documents in a manner that enables further use or reference;
(c) Providing a reliable and secure system for granting and organizing access privileges for electronic and physical systems, ensuring that there is no unauthorized access to electronically or physically held data;
(d) Creating and maintaining a backup policy that provides the utmost level of protection and the ability to retrieve backup copies in case the original copy is lost for any reason, and testing the backup copies periodically;
(e) Using digital certification and electronic encryption;
(f) Storing the records and related documents in the same format in which they were created or received, without any additions, omissions or modifications;
(g) Logging all actions made in relation to a record; and
(h) Ensuring that personnel with authorization to access electronic and physical records, documents and data maintain their confidentiality during and after the period of their employment or work at the Payment Service Provider.
(5) The Licensee must conduct regular reviews, at least on an annual basis, to ensure compliance with the provisions of this Article.