1. Introduction
1.1. Introduction to the Framework
The advancement of technology has brought rapid changes to the financial sector. While giving customers instant access to products and services, this digital transformation has increased their exposure to fraud. Small-scale incidents affecting individuals have been replaced by large-scale, cyber-enabled fraud attacks orchestrated by international organised groups. These attacks expose customers to ever more sophisticated threats, and it is vital that financial institutions properly safeguard assets and mitigate the risk of customers being exploited. Fraud not only causes emotional harm and financial loss to customers; it can also damage the reputation and financial health of organisations, reducing confidence in the overall financial sector in the Kingdom of Saudi Arabia.
The financial sector recognizes the rate at which fraud risks are evolving and the importance of controls to prevent, detect and respond to suspected fraud. Delivering an effective approach to fraud risk management will help the Kingdom of Saudi Arabia achieve the 2030 Vision aim to build a stable, thriving, and diversified business environment while protecting members of society and making the Kingdom an unattractive place for fraudsters.
The Saudi Central Bank* ("SAMA") has established a Counter-Fraud Framework ("the Framework") to enable the organisations it regulates ("the Member Organisations") to effectively identify and address risks related to fraud. The objectives of the Framework are as follows:
To create a common approach for addressing fraud risks within the Member Organisations.
To achieve an appropriate maturity level of fraud controls within the Member Organisations.
To ensure fraud risks are properly managed throughout the Member Organisations.
The Framework will be used to periodically assess the maturity level and evaluate the effectiveness of the Counter-Fraud controls at Member Organisations. The Framework is based on SAMA requirements and industry fraud standards.
* The "Saudi Arabian Monetary Agency" was replaced by the "Saudi Central Bank" in accordance with the Saudi Central Bank Law No. (M/36), dated 11/04/1442H, corresponding to 26/11/2020G.
1.2. Definition of Fraud
Fraud is defined as any intentional act that aims to obtain an unlawful benefit or cause loss to another party. This can be caused by exploiting technical or documentary means, relationships or social means, using functional powers, or deliberately neglecting or exploiting weaknesses in systems or standards, directly or indirectly.
To support the definition of fraud, Member Organisations should take note of the non-exhaustive list of fraud types included in the Appendix.
1.3. Scope
The Framework defines Principles and Control Requirements for initiating, implementing, maintaining, monitoring, and improving Counter-Fraud controls within Member Organisations regulated by SAMA. The Principles and Control Requirements span the prevention, detection, and response to fraud, as well as the governance of an organisation’s Counter-Fraud Programme. The Framework should be implemented in conjunction with other SAMA frameworks, in particular SAMA’s Cyber Security Framework (“The Cyber Security Framework”), which should be referred to for specific Cyber Security related requirements.
1.4. Applicability
The Framework is applicable to all Member Organisations operating in Saudi Arabia, at SAMA's discretion. Member Organisations required to implement and comply with the Framework will be notified by SAMA.
1.5. Responsibilities
The Framework is mandated by SAMA and will be circulated to Member Organisations for implementation. SAMA is the owner and is responsible for periodically updating the Framework. The Member Organisations are responsible for implementing and complying with the Framework.
1.6. Interpretation
SAMA, as the owner of the Framework, is solely responsible for providing interpretations of the Principles and Control Requirements, if required.
1.7. Target Audience
The Framework is intended for Senior and Executive Management, business owners, members of the Member Organisation's Counter-Fraud Department, and those who are responsible for, and involved in, planning, defining, implementing, and reviewing Counter-Fraud controls across the three lines of defence.
1.8. Review, Updates and Maintenance
SAMA will review the Framework periodically to determine the Framework’s effectiveness, including the effectiveness of the Framework to address emerging fraud threats and risks. If applicable, SAMA will update the Framework based on the outcome of the review.
If a Member Organisation considers that an update to the Framework is required, the Member Organisation should formally submit the requested update to SAMA. SAMA will review the requested update and, if applicable, the Framework will be adjusted in the next version. The Member Organisation remains responsible for complying with the current Framework pending the version update.
Please refer to ‘Appendix C - How to request an Update to the Framework’ for the process of requesting an update to the Framework.
Version control will be implemented for maintaining the Framework. Whenever any changes are made, the preceding version shall be retired and the new version shall be published and communicated to all Member Organisations. For the convenience of the Member Organisations, changes to the Framework shall be clearly indicated.
1.9. Reading Guide
The Framework is structured as follows. Chapter 2 elaborates on the structure of the Framework and provides instructions on how to apply the Framework. Chapters 3 to 6 present the actual Framework, including the Counter-Fraud domains and sub-domains, Principles, and Control Requirements.