  • 2. Corporate Governance and Risk Management

    • 2.1. Introduction

      11. These regulatory requirements are relevant to all Foreign Bank Branches (FBBs) in respect of their operations in the Kingdom of Saudi Arabia (KSA). They set out SAMA’s requirements for the internal governance and risk management of FBBs and how FBBs should comply with these regulations. These regulations cover the following areas:

       i. General requirements;

       ii. Senior Management Function & Responsibilities;

       iii. Segregation of Functions;

       iv. Compliance and Internal Audit;

       v. Risk Management and Control;

       vi. Outsourcing; and

       vii. Record Keeping and Retention Requirements.

       
    • 2.2. General Requirements

      12. SAMA requires that the governance and risk management arrangements, processes and mechanisms implemented by a FBB should be proportionate to the nature, scale and complexity of the risks inherent in its business and its activities.
       
    • 2.3. Requirements in Relation to the Senior Management and their Responsibilities

      13. SAMA requires a FBB to have robust governance and risk management arrangements, which include a clear organizational structure with well-defined, transparent and consistent lines of responsibility. All FBBs are required to put in place a job description (JD) for each member of the senior management. More specifically, JDs must:

       i. Clearly set out the areas of the FBB’s activities for which the senior manager is responsible;

       ii. Be included in every application to SAMA for pre-approval as a senior manager as per SAMA’s fit and proper regulations; and

       iii. Be updated and resubmitted if there is a significant change to the senior manager’s responsibilities as per SAMA’s fit and proper regulations.

      14. A FBB is also required to produce and maintain a Governance Policy, which is a single, up-to-date document setting out the branch’s management, governance and risk management arrangements. The Governance Policy should be proportionate and include information about the business relationship with the Head Office and the group.
       
    • 2.4. Senior Management Function (SMF) and Responsibilities

      15. SAMA requires all FBBs to have at least one individual approved as a bespoke Senior Management Function (SMF) known as the General Manager (GM)/Chief Executive Officer (CEO), or any other title as appropriate. The GM/CEO should have the highest degree of individual decision-making authority within the FBB over activities and areas subject to KSA regulations.

      16. SAMA looks to the GM/CEO to oversee the management of the branch, including matters of a corporate governance nature that relate to the branch. As such, SAMA requires that the GM/CEO is accountable for the FBB’s operations.

      17. While the GM/CEO may not conduct all responsibilities or activities directly, SAMA requires the GM/CEO to retain his or her overall accountability for the operations of the FBB. Regardless of who conducts the various functions, SAMA requires the GM/CEO to:

       i. Ensure that business objectives, strategies, and plans set for the FBB are prudent in the context of the FBB. Recognizing that FBBs are an extension of the parent, the GM/CEO is required to advise the parent should any planned activities for the FBB not be considered suitable;

       ii. Be satisfied that appropriate policies and procedures (i.e. control systems) are in place to manage the risks, regardless of where the controls may reside;

       iii. Receive sufficiently comprehensive and frequent reports to understand and monitor the business of the FBB; and

       iv. Undertake or obtain, periodically, an independent assessment of the adequacy and effectiveness of the controls. An independent assessment may be obtained from individuals or groups designated with that role, such as internal audit or risk management (either at the branch or Head Office), or qualified third parties.

      18. The GM/CEO is required to ensure that there are robust policies and procedures to manage the assets and liabilities recorded on the FBB’s books and records and related accounts (e.g. deposit, loan, investment, etc.).

      19. The GM/CEO should ensure the FBB is in compliance with all applicable legislation and regulations, and is conducting its business and affairs in a manner that is consistent with applicable SAMA requirements.

      20. While the GM/CEO may delegate responsibility for day-to-day management to others, SAMA requires the GM/CEO to be in a position to verify the FBB’s regulatory returns. Therefore, SAMA would expect the GM/CEO to have, or to ensure the individuals undertaking activities with respect to the FBB have, a good understanding of applicable legislation, regulations and guidelines, as well as the activities and related records of the branch, including its assets, liabilities, revenues and expenses. SAMA would also expect the GM/CEO to be satisfied with any work performed by others (e.g., Head Office or another entity within the group) and to ensure any deficiencies are corrected.
       
    • 2.5. Segregation of Functions

      21. A FBB should ensure that the performance of multiple functions by its relevant persons does not, and is not likely to, prevent those persons from discharging any particular function soundly, honestly and professionally. The senior personnel within the FBB should define arrangements concerning the segregation of duties within the branch and the prevention of conflicts.

      22. A FBB should ensure that no single individual has unrestricted authority to do all of the following:

       i. Initiate a transaction;

       ii. Bind the FBB;

       iii. Make payments; and

       iv. Account for the transaction.

      23. Where a FBB is unable to ensure the complete segregation of duties because the branch has a limited number of staff, it should ensure that there are adequate compensating controls in place, such as frequent review of an area by relevant branch senior managers.
       
    • 2.6. Mechanisms and Procedures

      24. SAMA requires that, taking into account the nature, scale and complexity of the business of the FBB, the FBB should establish, implement and maintain:

       i. Decision-making procedures and an organizational structure which clearly and in a documented manner specify reporting lines and allocate functions, responsibilities and governance of the branch;

       ii. Effective internal reporting and communication of information at all relevant levels of the branch; and

       iii. Effective reporting and communication with the Head Office of the branch.
       
    • 2.7. Business Continuity Management (BCM) & Disaster Recovery Planning (DRP)

      25. SAMA requires FBBs to take reasonable steps to ensure continuity and regularity in the performance of their activities. SAMA requires FBBs to comply with the requirements for Business Continuity Management (BCM) and Disaster Recovery Planning (DRP) set out in SAMA’s Cyber Security and BCM framework regulations.
       
    • 2.8. Regular Monitoring

      26. A FBB should monitor and, at least on an annual basis and using a risk-based approach, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements, and take appropriate measures to address any deficiencies.
       
    • 2.9. Compliance and Internal Audit Functions

      • 2.9.1. Compliance & Anti Money Laundering and Combating Terrorism Financing (AML/CTF)

        27. All FBBs are required to have a separate compliance function which is permanent, effective, and operates independently. The compliance and AML/CTF/Legal function(s) should have the responsibility to monitor and, on a regular basis, to assess the adequacy and effectiveness of the policy measures and procedures put in place in accordance with:

         (a) SAMA’s Rules Governing Anti-Money Laundering & Combating Terrorist Financing;

         (b) SAMA’s Compliance Manual for Banks Working in Saudi Arabia; and

         (c) Other Kingdom of Saudi Arabia regulatory and legal requirements.

        28. In order to enable the FBB’s compliance/AML/CTF functions to discharge their responsibilities properly and independently, SAMA requires that the FBB should ensure these functions have the necessary authority, resources, expertise and access to all relevant information.

        29. In addition, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of its activities, SAMA requires a FBB to ensure at least the following conditions are met:

         i. The relevant persons involved in the FBB’s compliance team should not be involved in the performance of the services or activities they monitor. In other words, the compliance department’s officers and staff, especially the compliance officer, should not also be entrusted with functions that may expose them to a conflict of interest in their compliance responsibilities and compliance work; and

         ii. The method of determining the remuneration of the relevant persons involved in the FBB’s compliance function does not compromise their objectivity.
         
      • 2.9.2. Internal Audit Function (IAF)

        30. SAMA requires that a FBB should, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of its activities, establish an independent IAF. The IAF should, at a minimum, have the following responsibilities:

         i. To ensure the FBB meets all SAMA Audit requirements;

         ii. To establish, implement and maintain an audit plan;

         iii. To examine and evaluate the adequacy and effectiveness of the FBB’s governance, systems, internal control mechanisms and arrangements (or alternatively, to assess the extent to which the parent’s audit plan meets local regulatory requirements and make any modifications that may be necessary);

         iv. To issue recommendations based on the result of work carried out in accordance with the audit plan;

         v. To verify compliance with those recommendations; and

         vi. To report in relation to Internal Audit matters.

        31. Where a FBB has an individual performing the role of Head of Internal Audit, he or she will need to be pre-approved as the Head of IAF in line with SAMA Fit and Proper requirements.
         
    • 2.10. Risk Management and Control

      32. A FBB is required to have effective processes to identify, classify, manage, monitor and report all the risks it is or might be exposed to.

      33. A FBB should establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify all the risks relating to the FBB’s activities, processes and systems, and where appropriate, set its risk appetite or the level of risk tolerated by the FBB.

      34. A FBB should adopt effective arrangements, processes and mechanisms to identify and manage the risks relating to its activities, processes and systems, in the light of that level of risk tolerance.

      35. A FBB’s senior management should approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the FBB is or might be exposed to.

      36. A FBB should, as a minimum, monitor the following:

       i. The adequacy and effectiveness of its risk management function, policies and procedures;

       ii. The level of compliance by the FBB and its staff with the risk control arrangements, processes and mechanisms; and

       iii. The adequacy and effectiveness of measures taken to address any deficiencies in those policies, procedures, arrangements, processes and mechanisms, including failures by the relevant persons to comply with such arrangements, processes and mechanisms or to follow such policies and procedures.

      37. A FBB is expected to, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of its activities, establish and maintain a risk management function that operates independently and carries out the following tasks:

       i. Implementation of risk management policies and procedures; and

       ii. Provision of risk management reports and advice to its senior management.

      38. Where a FBB does not maintain a local risk management function, it should nevertheless be able to demonstrate that the risk management policies and procedures which it has adopted are robust and are consistently effective.

      39. SAMA requires the risk control arrangements of an FBB that has significant retail activities, or is a systemically important wholesale FBB, to include:

       i. The appointment of a branch Head of Risk Management; and

       ii. The establishment of a branch risk management oversight team whose role includes giving risk oversight under an effective risk management structure and framework.
       
    • 2.11. Branch Head of Risk Management

      40. Where a FBB has an individual performing the role of Head of Risk Management, he or she will need to be pre-approved as the Head of Risk Management function in line with SAMA Fit and Proper regulations. SAMA also requires that such a position should, at a minimum:

       i. Be accountable to the FBB’s Head Office for oversight of branch-wide risk management;

       ii. Be fully independent of the branch’s individual business units;

       iii. Have sufficient authority, stature and resources for the effective execution of his/her responsibilities;

       iv. Have unfettered access to any parts of the branch’s business capable of having an impact on the branch’s risk profile;

       v. Ensure that the data used by the branch to assess its risks are fit for purpose in terms of quality, quantity and breadth;

       vi. Provide oversight and challenge of the branch’s systems and controls in respect of risk management;

       vii. Provide oversight and validation of the branch’s reporting of risk;

       viii. Ensure the adequacy of risk information, risk analysis and risk training provided to members of the branch’s management team;

       ix. Report to the branch’s management team (and, if appropriate, to that of the parent) on the branch’s risk exposures relative to its risk appetite and tolerance, and on the extent to which the risks inherent in any proposed business strategy and plans are consistent with the branch’s risk appetite and tolerance. The branch Head of Risk Management should also alert the branch’s management team to, and provide challenge on, any business strategy or plans that exceed the branch’s risk appetite and tolerance.

      41. SAMA requires that a FBB will structure its arrangements so that senior management personnel at an appropriate level in the Head Office exercise their functions taking into account group-wide risks.
       
    • 2.12. Reporting Lines of FBB’s Head of Risk Management

      42. Where a FBB has an individual performing the role of Head of Risk Management, he or she should be accountable to the branch’s GM/CEO and, in most cases, to the head of the parent’s or group risk management function.

      43. SAMA recognises that, in addition, a reporting line should be established for operational purposes. Accordingly, to the extent necessary for effective operational management, the branch Head of Risk Management should report into the GM/CEO.
       
    • 2.13. Branch Risk Oversight Team

      44. SAMA requires that, while a branch’s GM/CEO is ultimately responsible for risk governance throughout the business, a FBB that is involved in significant retail business or is a systemically important wholesale FBB should establish a mechanism for providing risk oversight of the branch’s business activities, to provide focused support and advice on risk governance. The responsibilities of the Risk Oversight Team should, at a minimum, include the following:

       i. Providing advice to the branch’s management team on risk strategy, including the oversight of current risk exposures of the branch, with particular, but not exclusive, emphasis on prudential risks;

       ii. Development of proposals for consideration by the branch management team in respect of overall risk appetite and tolerance, as well as the metrics to be used to monitor the branch’s risk management performance;

       iii. Oversight and challenge of the day-to-day risk management and oversight arrangements of the branch management team;

       iv. Oversight and challenge of due diligence on risk issues relating to material transactions and strategic proposals that are subject to approval by the branch management team; and

       v. Providing the advice, oversight and challenge necessary to embed and maintain a supportive risk culture throughout the branch.

      45. In carrying out their risk governance responsibilities, a FBB’s management team and the branch risk oversight function covering the branch should have regard to any relevant advice from the parent’s risk and audit committees concerning the effectiveness of its control framework.
       
    • 2.14. Outsourcing

      46. SAMA outsourcing rules require a FBB to have effective outsourcing processes to identify, manage, monitor and report risks and internal control mechanisms. A FBB should ensure that, when relying on its Head/Regional Office or a third party for the performance of any functions which are critical for the performance of its activities on a continuous and satisfactory basis, it takes reasonable steps to avoid undue additional operational risks.

      47. A FBB should not undertake the outsourcing of important functions in such a way as to materially impair:

       i. The quality of its internal control; and

       ii. The ability of SAMA to monitor the branch’s compliance with all its regulatory obligations.

      48. Any planned outsourcing of processes, people and systems must satisfy SAMA’s outsourcing rules as set out in SAMA’s Instructions for Outsourcing as applicable to FBBs. All outsourcing activities must also be reported using the FBB Return Form (Attachment A).
       
    • 2.15. Record Keeping and Retention Requirements

      49. FBBs are required to maintain all records (both electronic and physical) at their KSA principal office. In addition, FBBs are required to maintain and process in KSA the information and data relating to the preparation and maintenance of these records, unless they obtain an exemption from SAMA or where the outsourcing rules permit this. SAMA’s requirements in evaluating a request for approval to process records outside KSA are set out in SAMA’s outsourcing rules.

      50. Where processing of records related to the FBB’s business occurs at a location other than the KSA principal office, it is required that they are backed up as appropriate, that confidentiality is maintained, and that they are provided to the FBB so that the records maintained in KSA are up to date at the end of each business day. SAMA requires records maintained in KSA to be of sufficient detail to:

       i. Enable the GM/CEO to fulfill his or her accountabilities with respect to the FBB’s business; and

       ii. Enable SAMA to conduct an examination and inquiry into the business and affairs of the FBB.

      51. Where sufficient information is not available, SAMA may request it as necessary.

      52. SAMA requires records to be capable of being reproduced in both Arabic and English. Where a FBB is required to retain a record of a communication that was not made in Arabic or English, it may retain it in that language. However, it should be able to provide a translation upon request.

      53. A FBB should have appropriate systems and controls in place with respect to the adequacy of, access to, and the security of its records, so that the FBB may fulfil its regulatory and statutory obligations. With respect to retention periods, SAMA requires that records should be retained in accordance with SAMA records retention requirements.
       
    • 2.16. Foreign Bank Branch (FBB) Reporting Requirements

      54. FBBs must ensure that the arrangements for reporting to SAMA and to the parent foreign bank or Head Office are adequate and in compliance with applicable laws and regulations.

      55. All FBBs must provide SAMA with information in accordance with the FBB Return A (Attachment A) accompanying these regulations. The information must be provided as at the end of each quarter of each year and submitted, by electronic means, within 30 days of the date to which the information relates. This should be sent to the FBB’s relevant relationship manager.