| 1. | The board of directors shall issue and annually update a written policy regulating outsourcing. Such policy shall include in particular the following:
|
| | a. | Functions and responsibilities of the board of directors and senior management related to outsourcing as well as material functions that may not be outsourced except in emergency cases and for a short period of time.
|
| | b. | Eligibility criteria for outsourcing providers.
|
| | c. | Risk identification criteria and risk hedging measures
|
| | d. | Rules for continuous monitoring and controlling of outsourced operations.
|
| | e. | Criteria for identifying conflict of interest as well as rules and procedures which ensure safeguarding the interests of the Company and not putting the interest of the other party over the Company's interest.
|
| | f. | Procedures to protect information and maintain its confidentiality and privacy.
|
| 2. | The outsourcing contract must provide that SAMA, the external auditor and the Company may obtain any information or documents related to the work of the outsourcing provider or examine such data at its offices.
|
| 3. | The Company shall ensure the outsourcing provider’s compliance with relevant laws, regulations and instructions. The Company shall be held liable if the outsourcing provider shows lack of compliance with the applicable laws, regulations and instructions in all operations and tasks assigned to it.
|
| 4. | The Company must obtain a no-objection letter from SAMA prior to any outsourcing arrangement that, in case of disruption or termination, may affect the Company’s activities, reputation or financial situation, or if the tasks assigned include transferring, processing or saving the data and information of borrowers. In this case, the outsourcing provider shall not subcontract these tasks to any other provider unless the Company obtains a no-objection letter from SAMA.
|
