Chapter 3: Provision of Relevant Payment Services
Article 70
(1) A Payment Service Provider must have a policy for setting risk-based Payment Service User transaction limits and limits on its Total Outstanding Electronic Money.
(2) A Payment Service Provider shall, prior to making any changes to the policy referred to in the Paragraph above, obtain a non-objection letter from SAMA in accordance with Article 39 of the Regulations of the Implementing Regulation and, if required by SAMA, provide details of the updated policy.
(3) SAMA may direct a Payment Service Provider to set Payment Service User transaction limits at levels specified by SAMA, and that’s in case -for example- where specific regulatory criteria related to risk management and governance are not complied with to the satisfaction of SAMA.
Article 71
(1) A Payment Service Provider issuing a Payment Instrument must:
(a) Ensure that the Personalized Security Credentials are not accessible to Persons other than the Payment Service User to whom the Payment Instrument has been issued;
(b) Ensure that appropriate means are available at all times to enable the Payment Service User to notify the Payment Service Provider of the loss, theft, or unauthorized use of a Payment instrument or exploitation and prevent any use of the Payment Instrument once notification has been made.
(2) A Payment Service User should take all reasonable steps to keep safe Personalized Security Credentials relating to a Payment Instrument or a Payment Account Information Service and notify the Payment Service Provider in the agreed manner in The Framework Contract, and without undue delay on becoming aware of the loss, theft, exploitation or unauthorized use of the Payment Instrument.
Article 72
(1) A Payment Service Provider must not execute a Payment Transaction unless it has received a Payment Services Order.
(2) If received within the business hours specified by the Payment Service Provider, a Payment Services Order is considered received on that business day. If a Payment Services Order is not received within such business hours, it is considered received at the beginning of the next business day.
(3) The execution of the Payment Services Order may be scheduled to be executed at a future date or time agreed between the Payer and the Payment Service Provider (or on the date on which the Payer has put Funds at the disposal of the Payment Service Provider).
Article 73
(1) A Payment Service Provider may refuse a Payment Services Order or suspend a Payment Account only if:
(a) The conditions for accepting or executing Payment Services Orders that set out in a contract between the Payment Service User and the Payment Service Provider have not been met;
(b) The Payment Service Provider has grounds to suspect that the Payment Transaction to which the Payment Services Order relates is fraudulent or poses a money-laundering or terrorism-financing risk; or
(c) The Payment Transaction to which the Payment Services Order relates would breach any of the Payment Service Provider’s obligations under applicable Laws, regulations and decisions.
(2) When a Payment Services Order is refused, the Payment Service Provider must notify the Payment Service User in a timely manner of the refusal and provide objectively justifiable reasons for the refusal, as well as details on how to rectify the problem, and the refused payment service must resume once the grounds for refusal have been resolved or terminated.
(3) A Payment Service User may not be charged for a refused transaction, except where such charge is stipulated in its contract with the Payment Service Provider.
Article 74
(1) A Payment Service User may not revoke a Payment Services Order after it has been received by the Payer’s Payment Service Provider.
(2) The Payer may not revoke the Payment Services Order after giving Consent to the Payment Initiation Service Provider to initiate the Payment Transaction or giving Consent to execute the Payment Transaction to the Payee.
(3) In the case of a Direct Debit, the Payer may not revoke the Payment Services Order after the end of the business day preceding the day agreed upon for debiting the Funds.
(4) The Payment Service User may not revoke a Payment Services Order after the end of the business day preceding the agreed day to execute the order.
(5) The Payment Services Order cannot be revoked after the expiry of the revocation period mentioned in this Article unless it’s agreed between the Payment Service User and the Payment Service Provider to revoke the order; or in the case of a Payment Transaction initiated by or through the Payee, including in the case of a Direct Debit, also agreed with the Payee.
(6) A Payment Service User may not be charged for a revoked Payment Services Order unless the charge is stipulated in its contract with the relevant Payment Service Provider.
Article 75
(1) The Payment Service Provider of the Payer and the Payment Service Provider of the Payee must ensure that the full amount of the Payment Transaction is transferred to the Payee In accordance with the provisions of this Article.
(2) The Payment Service Provider must clearly communicate to the Payer any fees or charges, and it must be shown in the transaction history, taking into account the service agreements signed with the payer.
(3) Where the Payee and its Payment Service Provider have agreed upon a fee or charge, the amount may be deducted from the amount transferred before crediting it to the Payee’s Payment Account, provided that the fee or charge has been clearly communicated to the Payee, and shown in the transaction history provided.
(4) In the case of a Payment Transaction initiated by the Payer, the Payer’s Payment Service Provider must ensure that the Payee receives the full amount of the Payment Transaction.
(5) In the case of a Payment Transaction initiated by the Payee, the Payee’s Payment Service Provider must ensure that the Payee receives the full amount of the Payment Transaction.
Article 76
(1) The Payer’s Payment Service Provider must ensure that the amount of the Payment Transaction is credited to the Payee’s Payment Service Provider’s account in the event of executing a payment transaction in SAR or parts thereof by the end of the business day following the time of receipt of the Payment Services Order. The Payment Service User, however, may agree with the Payment Service Provider not to apply the provisions of this paragraph.
(2) Where a payment transaction is not in SAR or parts thereof but is to be wholly executed within the Kingdom, the Payer’s Payment Service Provider must ensure that the amount of the Payment Transaction is credited to the Payee’s Payment Service Provider’s account by the end of the third business day following the time of receipt of the Payment Services Order (or such other day as agreed with the Payment Service User).
(3) The Payee’s Payment Service Provider must transmit a Payment Services Order initiated by or through the Payee to the Payer’s Payment Service Provider within the time limits agreed between the Payee and its Payment Service Provider, enabling settlement in respect of a Direct Debit to occur on the agreed due date.
Article 77
The Payment Service Provider may return the received Funds to the Payer’s Payment Service Provider when the Payee does not have a Payment Account with that Payment Service Provider, with the explanation that the Payee does not hold an account with the Payment Service Provider.
Article 78
(1) A Payee’s Payment Service Provider shall apply a credit date to the Payee’s Payment Account no later than the business day on which the amount of the Payment Transaction is credited to the account of the Payment Service Provider.
(2) A Payee’s Payment Service Provider must ensure that the amount of the Payment Transaction is put at the Payee’s disposal immediately after that amount has been credited to that Payment Service Provider’s account unless additional time is required to execute a currency conversion, which shall be executed as soon as practically possible.
(3) The debit value date for the Payer’s Payment Account must be no earlier than the time at which the amount of the Payment Transaction is debited to that Payer’s Payment Account.
Article 79
(1) A Payment Transaction is considered to be authorized by the Payer when the Payer has given Consent to its execution in accordance with the approach agreed with their Payment Service Provider.
(2) Where a Payer claims not to have authorized an executed Payment Transaction or that a Payment Transaction has not been properly executed by a Payment Service Provider, it is for the Payment Service Provider to prove that the Payment Transaction was authenticated, accurately recorded and not deficient.
(3) If a Payment Service Provider considers that a Payer has acted fraudulently, it is for the Payment Service Provider to prove that and provide supporting evidence during a dispute settlement process.
(4) If a Payment Transaction was initiated through a Payment Initiation Service Provider, it is for the Payment Initiation Service Provider to prove that, within its sphere of competence, the Payment Transaction was authenticated, accurately recorded and not subject to a deficiency arising from the Payment Initiation Service.
Article 80
(1) The Payer’s Payment Service Provider shall be liable to the Payer for the correct execution of a Payment Transaction unless it can prove in a timely manner to the Payer and to the Payee’s Payment Service Provider that the Payment Transaction has been correctly executed to the Payee’s Payment Service Provider.
(2) Where the Payer’s Payment Service Provider is liable under the Paragraph above, it must promptly refund the amount of the non-executed or defective Payment Transaction to the Payer and restore the debited Payment Account to the position it would have been had the defective Payment Transaction not occurred.
(3) Where a Payment Transaction is executed late, on request from the Payer’s Payment Service Provider, the Payee’s Payment Service Provider should adjust the credit date of the Payment Transaction to the date as if the Payment Transaction had been executed properly.
Article 81
(1) The Payee’s Payment Service Provider is liable to the Payee for the correct transmission of the Payment Services Order initiated by the Payee to the Payer’s Payment Service Provider and where it does so incorrectly, it shall immediately re-transmit the relevant Payment Services Order correctly.
(2) The Payee’s Payment Service Provider must ensure that the Payment Transaction is handled, given the fact that the value of the payments process was deposited into the payment account of the Payee on the date of the transaction properly and in a timely manner.
(3) The Payer’s Payment Service Provider is liable to the Payer if the Payee’s Payment Service Provider proves to the Payee and the Payer’s Payment Service Provider that it is not liable in respect of a non-executed or defectively executed Payment Transaction.
(4) If the Payer’s Payment Service Provider proves that the Payee’s Payment Service Provider has received the amount of the Payment Transaction, it is for the Payee’s Payment Service Provider to value date the amount on the Payee’s Payment Account as if the transaction had been executed correctly.
Article 82
(1) This Article applies where a Payment Services Order is initiated by the Payer through a Payment Initiation Service.
(2) The Payment Account Service Provider must refund the Payer the amount of the non-executed or defective Payment Transaction and bring the debited Payment Account back to the position in which it would be if there were no defective Payment Transaction.
(3) When requested by the Payment Account Service Provider, the Payment Initiation Service Provider must promptly compensate the Payment Account Service Provider for any loss forthwith as a result of the refund to the Payer. This is if the Payment Initiation Service Provider cannot prove that:
(a) The Payment Services Order was received by the Payer’s Payment Account Service Provider in accordance with Article 72 of the Implementing Regulations.
(b) Within the Payment Initiation Service Provider’s sphere of influence, the Payment Transaction was authenticated, properly recorded and not affected by a deficiency connected to the non-execution, defective or late execution of the Payment Transaction. Article 83
(1) If the Payment Service Provider discovers or is made aware of a systemic error in the execution of Payment Transactions, it must investigate and refund all Payment Service Users who are affected by that systemic error within thirty calendar days of discovering the systemic error or being aware of it.
(2) The Payment Service Provider should, as soon as practicable, communicate with and notify SAMA about the systemic error through the appropriate channels.
(3) The Payment Service Provider should, as soon as practicable, issue a communication to all affected Payment Service Users, advising them of the systemic error and the steps taken to correct it, including the amount of any refund to the Payment Service Users’ accounts.
(4) If the Payment Service Provider fails to correct the systemic error within the period prescribed in Paragraph (1) of this Article, it must notify SAMA of the reason for that delay. Article 84
A Payment Service Provider is liable to the Payment Service User for any charges incurred due to the non-execution or defective or late execution of the Payment Transaction in accordance with the provisions of the Implementing Regulation.
Article 85
Where the liability of a Payment Service Provider under Part 6 of the Regulations of the Implementing Regulation is attributable to another Payment Service Provider, including in respect of Payment Transactions that are unauthorized, defective, non-executed or late, or where liability is the result of the other Payment Service Provider’s failure to use the Payment Service User’s Authentication as measures required by applicable laws, regulations, instructions and circulars, The assigned payments service provider must compensate the assigning Payment Service Provider for any loss incurred or sums paid.
Article 86
(1) A Payment Service Provider is not liable for errors made by a Payment Service User if that Payment Service User initiated a Payment Transaction and provided the incorrect Payee-related Unique Identifier Number or provided incorrect bank details.
(2) The Payment Service Provider must make reasonable efforts to recover the Funds from the incorrect recipient of the Funds and the recipient’s Payment Service Provider. The Payment Service Provider may charge the Payment Service User a fee for trying to recover the Funds in accordance with the contract between a Payer and a Payment Service Provider. The Payee’s Payment Service Provider must provide co-operation to the Payer’s Payment Service Provider in recovering the Funds as much as possible.
(3) If the Payer’s Payment Service Provider is unsuccessful in recovering the Funds, it has to provide - based on a written request from the payer- to the Payer all available relevant information in order for the Payer to claim recovery of the Funds.
(4) SAMA may direct the Payment Service Provider to take specific actions according to the controls it sets, including refunding the Payer. Article 87
(1) Subject to Article 90 of the Implementing Regulation, a Payment Service Provider is liable for Unauthorized Payment Transactions.
(2) Where a Payment Service User raises a Complaint in relation to an allegedly fraudulent Payment Transaction, the Payment Service Provider must handle such Complaint in accordance with Article 129 of the Implementing Regulation.
(3) If such a Complaint is submitted to SAMA, then the Payment Service Provider must provide evidence that the conditions stated in Paragraph (1) of Article 75 of the Implementing Regulation are met and present such evidence to SAMA. SAMA will then seek to decide if such conditions are met.
Article 88
(1) Notwithstanding the provisions of Paragraphs (2), (3) and (4) of this Article, a Payment Service Provider which is liable under Article 87 of the Implementing Regulations may require that the Payer is liable up to a maximum of one hundred fifty SAR for any losses incurred in respect of Unauthorized Payment Transactions arising from the use of a lost or stolen or misappropriated Payment Instrument.
(2) The provisions of the previous Paragraph do not apply if:
(a) The loss, theft or exploitation of the Payment Instrument was not detectable by the Payer prior to the payment, except where the Payer acted fraudulently; or
(b) The loss was caused by acts or omissions of an employee, Agent or branch of a Payment Service Provider or of an entity that carried out activities on behalf of the Payment Service Provider.
(3) The Payer is liable for all losses incurred in respect of an Unauthorized Payment Transaction where the Payer:
(a) Has acted fraudulently; or
(b) Has, with intent or gross negligence, failed to comply with its obligations to keep safe its Payment Instrument and its Personalized Security Credentials.
4. Except where the Payer has acted fraudulently, the Payer is not liable for any losses incurred in respect of an Unauthorized Payment Transaction, where:
(a) The unauthorized Payment Transaction arises after the Payer has notified the Payment Service Provider of the loss, theft, exploitation or unauthorized use of its Payment Instrument;
(b) Where the Payment Service Provider has failed at any time to provide the Payer with the appropriate means for notification; or
(c) Where the Payment Service Provider is required by the provisions of the Implementing Regulation -or any other SAMA’s regulations, rules, circulars, or decisions relevant to Authentication requirements - to apply certain Authentication measures that address any potential risks, but the Payer’s Payment Service Provider does not require such strong Authentication.
(5) Where the Implementing Regulation or other SAMA’s regulations, rules, circulars, controls or instructions require the application of certain Authentication measures that address any potential risks, but the Payee or the Payee’s Payment Service Provider does not accept such Authentication, the Payee or the Payee’s Payment Service Provider, or both (as the case may be), must compensate the Payer’s Payment Service Provider for the losses incurred or sums paid as a result of complying with Paragraph (1) of Article 87 of the Implementing Regulation. Article 89
(1) Notwithstanding the provision of Paragraph (8) of this Article and Paragraph (1) of Article 79 of the Implementing Regulation, where an executed Payment Transaction was not authorized correctly, the Payment Service Provider must refund the amount of the Unauthorized Payment Transaction to the Payer and, where applicable, restore the debited Payment Account to the state it would have been in had the Unauthorized Payment Transaction not taken place.
(2) The Payment Service Provider must provide a refund to the Payer by crediting a Payment Account under Paragraph (1) of this Article as soon as practicable and in any event no later than the end of the business day following the day on which it becomes aware of the unauthorized transaction.
(3) Paragraphs (1), (2) and (6) of this Article do not apply where the Payment Service Provider has reasonable grounds to suspect fraudulent behavior by the Payment Service User and notifies SAMA (and any other competent authority in the Kingdom) of those grounds in writing.
(4) When providing a refund through crediting a Payment Account under Paragraph (2) of this Article, a Payment Service Provider must ensure that the date on which the amount of a Payment Transaction is credited to a& Payee’s Payment Account is no later than the date on which the amount of the Unauthorized Payment Transaction was debited.
(5) Where an Unauthorized Payment Transaction was initiated through a Payment Initiation Service Provider, the Payment Account Service Provider must comply with Paragraph (1) of this Article, and if the Payment Initiation Service Provider is liable for the Unauthorized Payment Transaction (in relation to which see Paragraph (4) of Article 79 of the Implementing Regulation), the Payment Initiation Service Provider must, on the request of the Payment Account Service Provider, compensate the Payment Account Service Provider immediately for the losses incurred or sums paid including the amount of the Unauthorized Payment Transaction.
(6) Notwithstanding the provisions in Paragraphs (1),(2),(3),(4),and (5) of this Article, the Payment Service Provider must notify the Payment Service User of the conclusion of an investigation and must pay any refund or monetary compensation due to a Payment Service User within seven days of from the completion of any investigation of an error or a complaint by the Payment Service Provider, or on receipt of an instruction from any competent authority in the Kingdom. In case of a delay in payment of any refund or compensation, the Payment Service Provider should notify the Payment Service User of the expected time for crediting the amount due, along with a justification for the delay.
(7) A Payment Service Provider must hold records on the processing of refunds or monetary compensation, including those referred to under Article 87 and Article 88 of the Implementing Regulation, response timelines and reasons for delays, for a period of ten years from the date of the conclusion of an investigation. Additionally, a Payment Service Provider must submit such records to SAMA on an on-going basis, as specified by SAMA, and must record such refunds against the original transaction with the original transaction sequence number.
(8) A Payment Service User is entitled to a refund under this Article if it notifies the Payment Service Provider without undue delay, and in any event no later than six months after the debit date, upon becoming aware of any Unauthorized Payment Transaction, except where the Payment Service Provider has failed to provide the information concerning a Payment Transaction required by Part 6. Article 90
(1) Notwithstanding the provisions in Paragraph (1) of Article 91 of the Implementing Regulation, the Payer is entitled to a refund from the Payee’s Payment Service Provider of the full amount of any authorized Payment Transaction initiated by or through the Payee if the following conditions are met:
(a) The Payment Transaction authorization did not specify the exact amount of the Payment Transaction when Consent for the authorization was given; and
(b) The amount of the Payment Transaction exceeds the amount that is expected to be paid by the Payer, taking into account the Payer’s previous spending pattern and the conditions of the Framework Contract and the circumstances of the case.
(2) When providing a refund through crediting a Payment Account of the Payer under Paragraph (1) of this Article, a Payment Service Provider must ensure that the credit value date is no later than the date on which the amount of the Unauthorized Payment Transaction was debited.
(3) For the purposes of Paragraph (1) (b) of this Article, a Payer cannot rely on currency exchange fluctuations where the reference exchange rate provided under the contract was applied.
(4) The payer and the payment service provider may agree in the framework contract that the right to a refund does not apply where:
(a) The Payer has given Consent directly to the Payment Service Provider for the Payment Transaction to be executed; and
(b) Information on the Payment Transaction was provided in an agreed manner to the Payer for at least four weeks before the due date by the Payment Service Provider or by the Payee
Article 91
(1) The Payer must request a refund from the Payee’s Payment Service Provider for any Payment Transaction Authorized by or through the Payee within eight weeks from the date on which the Funds were debited.
(2) The Payment Service Provider may require the Payer to provide such information as is reasonably necessary to prove that the conditions in Paragraph (1) of Article 90 of the Implementing Regulation are satisfied. The Payment Service Provider may not refuse the refund until such information is received from the Payer.
(3) The Payment Service Provider of the Payee must provide any refund or justification for refusing a refund within ten business days of receiving a request for a refund or within 10 business days of receiving any further information requested and indicating the bodies to which the Payer may refer the matter if the Payer does not accept the justification provided.
Article 92
a Payment Service Provider - on a request from their Payment Service User must make efforts to trace any non-executed or defectively executed Payment Transaction and notify the Client of the outcome free of charge where the Payment Service Provider is liable for the non-executed or defectively executed Payment Transaction, or at a reasonable charge where a Payment Service Provider is not liable under the Implementing Regulation.