Rules on Outsourcing for Finance Companies
No: 65338/99 Date(g): 13/1/2019 | Date(h): 7/5/1440 Status: In-Force Chapter 1: Definitions
a. The terms and phrases used in these Rules shall have the same meaning assigned thereto in the Finance Companies Control Law and its Implementing Regulations.
b. For the purpose of applying the provisions of these Rules, the following terms and phrases, wherever mentioned herein, shall have the meaning assigned thereto unless the context otherwise requires:
Rules: Rules on Outsourcing for Finance Companies.
Outsourcing: Any contract or agreement by which an external service provider undertakes to provide services to the finance company.
External Service Provider: Any service provider to whom an activity is outsourced. An External Service Provider can be a member of the group to which the finance company belongs, a related party, or an unrelated third party.
Material Functions: Any function that the default or disruption of which may have an impact on the finance company’s activities, reputation or the financial situation or if the outsourced functions include sharing, transferring, processing or storing data and information of consumers.
Chapter 2: Application of the Rules
2- These Rules set the regulatory requirements for licensed finance companies under Finance Companies Control Law issued by Royal Decree No. (M/51) dated 13/08/1433H which have entered into or intend to enter into outsourcing contracts/agreements.
3- These Rules shall be read in conjunction with the Finance Companies Control Law and its Implementing Regulations in addition to the relevant laws, regulations, instructions, controls and rules.
Chapter 3: Liability and Obligations
4- The finance company shall establish and annually update a written outsourcing policy approved by the Board of Directors.
5- The finance company should establish appropriate internal controls and procedures to ensure compliance with these Rules.
6- The finance company shall verify the External Service Provider’s compliance with relevant laws, regulations and instructions. The finance company shall remain responsible if the External Service Provider shows lack of compliance with the applicable laws, regulations and instructions in any outsourced operations and tasks.
7- The finance company should ensure that all existing and proposed outsourcing contracts/agreements have been subject to a comprehensive risk review process at inception and renewal. This process should evaluate key risk factors, namely operational, legal, reputation and regulatory risks.
8- SAMA, the finance company and the external auditor may obtain any information or documents related to the work of the External Service Provider or examine such data in its offices.
9- The finance company must exert due diligence to verify that the External Service Provider has obtained the necessary licenses to carry out its activity, and that it has the required technical and legal qualification.
10- Without prejudice to Article (34) of the Implementing Regulations of the Finance Companies Control Law, the finance company shall maintain all documents that demonstrate compliance with these Rules, including outsourcing contracts and agreements and outsourcing policy in an orderly, transparent and safe manner.
Chapter 4: Outsourcing Policy
11- The finance company should establish proper safeguards to protect the confidentiality of consumers’ data and retrieve or destroy all such data upon the expiration or termination of the outsourcing contract for whatever reason.
12- The Outsourcing Policy should include in particular the following:
a. Terms of reference and responsibilities of the Board of Directors and senior management with regard to outsourcing.
b. The functions allowed to be outsourced and the eligibility criteria of the External Service Provider by conducting due diligence on the following:
1) Experience and financial and technical capabilities of the External Service Provider;
2) Impact of the outsourcing on the overall risk profile of the finance company, risk identification criteria and risk mitigation measures;
3) Impact of the outsourcing on systems and controls within the finance company;
4) Rules for the continuous control and monitoring of the outsourced operations;
5) Criteria to identify conflicts of interest as well as rules and procedures which ensure safeguarding the interests of the finance company and not putting the interest of the other party over the company's interest;
6) Procedures to protect information and maintain confidentiality and privacy;
7) A clear mechanism to verify the External Service Provider’s compliance with the laws and instructions relevant to the outsourced services whether issued by SAMA or any other authority, including the Finance Consumer Protection Principles; and
8) All requirements of these Rules.
Chapter 5: Contract Requirements
13- The finance company shall document the outsourcing in a legally binding written contract or agreement with the External Service Provider that is compliant with the applicable regulatory requirements. The Contract or Agreement shall include, at a minimum, the following:
a. Parties to the Contract or Agreement;
b. Scope of Contract or Agreement;
c. Term of Contract or Agreement;
d. Type of service and performance requirements;
e. Audit and monitoring procedures;
f. Business Continuity Plans;
g. Default arrangements;
h. Pricing and fee structure;
i. Dispute resolution mechanism;
j. Liability and indemnity;
k. The commitment of the External Service Provider to the confidentiality and privacy of information;
l. The compliance with relevant laws, regulations, rules, controls and instructions;
m. Reporting mechanism;
n. Commitment from the External Service Provider to report to the finance company, within the period agreed upon in the contract or agreement, any control weaknesses or adverse developments in its financial performance that may lead to a breach of its obligations under the contract or agreement;
o. Commitment from the External Service Provider that there are no regulatory impediments preventing the finance company from accessing data and records related to outsourced services;
p. Commitment from the External Service Provider to return or destroy all data related to the outsourced services upon the expiration of the outsourcing contract or agreement, as long as there are no regulatory requirements to keep such data;
q. The consequences of renewal, renegotiation, default termination and early exit of the contract or agreement so as to enable the finance company to retain control over the outsourced activity; The necessary arrangements to deal with failure to fulfill the terms of the contract or agreement or in the event of the termination of the contract or agreement;
r. The right of SAMA, the finance company, and the external auditor to obtain any information or documents related to the work of the External Service Provider or examine such data in its offices;
s. Commitment from the External Service Provider not to subcontract Material Functions;
t. Statement that the Saudi judicial authorities are the relevant authorities for the settlement of disputes arising from the execution or interpretation of the outsourcing contract or agreement and that any exception to the requirements of this article is subject to SAMA’s prior non-objection; and
u. The governing language in case of discrepancies with respect to contracts or agreements that are made in more than one language.
Chapter 6: Outsourcing Requirements
14- Prior to applying for SAMA’s non-objection, the finance company should qualitatively and quantitatively assess each proposed outsourcing function on a case-by-case basis and classify it as material or non-material.
15- Prior to outsourcing or renewing outsourcing of material functions and in the event of material changes to the contract or agreement, the finance company should request SAMA’s non-objection in writing at least 30 working days prior to the proposed date of commencement or renewal of the contract or agreement.
16- The finance company shall submit to SAMA a letter requesting non objection to outsourcing material functions that includes, at a minimum, the following information:
a. Details on the outsourced function;
b. Reasons for outsourcing;
c. Details on the External Service Provider (e.g. name, address, and commercial register); and
d. Any other information or documents requested by SAMA.
Chapter 7: Control and Monitoring
17- The finance company should put in place internal procedures to monitor and manage all of their outsourcing activities and to provide timely reports to senior management.
18- The finance company should ensure that its business continuity is not compromised by any outsourcing contracts or agreements. The finance company should have a contingency plan which outlines the procedures to be followed in the event of sudden termination of any outsourcing contract or agreement or the inability of the External Service Provider to fulfill its obligations for any reason. In addition, the finance company should document within its business continuity plans the availability of an alternative External Service Provider or the procedures for bringing the outsourced function in-house.
Chapter 8: Concluding Provisions
19- The Finance Company shall:
a. Develop or update an outsourcing policy, ensure that it is in compliance with these Rules, and provide a copy of the policy duly approved by the Board of Directors to SAMA within 180 days from the date of promulgation of these Rules;
b. Review All existing outsourcing contracts/agreements against these Rules and seek SAMA’s non-objection for material outsourcing contracts within 365 days from the date of promulgation of these Rules or on renewal of the contract or agreement, whichever comes first; and
c. Notify SAMA in the event of any legal or regulatory violation in their outsourcing contracts or agreements.
20- SAMA may restrict the granting of its non-objection to the finance company’s outsourcing of material or non-material functions for a specific period, function, geographical area, or external service provider whenever it deems necessary.
21- SAMA has the right to ask the finance company to review, modify, or terminate the outsourcing contract or agreement in case of non-compliance with these Rules or any other relevant laws, regulations, rules, controls and instructions.
22- SAMA may exempt some operations and activities from some of the provisions of these Rules whenever it deems necessary.
23- Non-compliance with the requirements set forth herein shall be deemed a violation of the Finance Companies Control Law and its Implementing Regulation.
24- These Rules shall enter into force after 180 days from the day of their promulgation, and shall be published on SAMA’s website.
Appendix 1: Examples of Material Functions (Non-Exhaustive List)
1- External auditor.
2- Internal Audit Department.
3- Customer care department, including complaint handling.
4- Management, operation and maintenance of technical/security systems, such as storing data outside the finance company, including cloud computing services and monitoring security operations.
5- brokerage activity including marketing finance products and receiving finance applications.
6- Agency activity including processing and studying finance applications.
7- Provision of human resources.
8- Debt collection for finance companies.
9- Archiving documents.
Appendix 2: Examples of Non-Material Functions (Non-Exhaustive List)
1- Services and utilities such as telephone and electricity.
2- Advisory services (e.g., legal opinions, updating company’s regulatory policies, independent consulting, and market information functions).
3- Credit information check and information services.
4- Mail and courier services.
5- Printing services (e.g., policy wording, forms, and business cards).
6- Security functions.
7- Property management, building maintenance, cleaning services, etc.
8- Litigation on behalf of the company (e.g. bad debt collection).
9- Technical support for the company’s website.
10- Real estate valuation by accredited real estate valuers.
11- Back office management (call centers, complaint handling).