Risk Management Framework for Shari’ah Compliant Banking
No: 43038156
Date(g): 2/12/2021 | Date(h): 27/4/1443
Status: In-Force
Based on the powers granted to the Central Bank under Saudi Central Bank Law issued by Royal Decree No. (M/36) dated 11/04/1442 H and related regulations. Referring to the Central Bank Circular No. 41042498 dated 18/06/1441 H on the Shariah Governance Framework for Local banks Operating in Saudi Arabia, which is considered the first stage of establishing a supervisory framework for banks and banks practicing Islamic banking.
And as a complement to the Central Bank's issuance in this regard, and in order to enhance the environment of compliance with the provisions and principles of Shariah, we inform you of the issuance of the “Risk Management Framework for Banks Practicing Islamic Banking”, which aims to set minimum principles for risk management, market risk and operational risk.
For your information, and action accordingly as from May 1, 2022 G.
1. Introduction
This Risk Management Framework for Shari’ah compliant Banking is issued by SAMA in exercise of the powers vested upon it under its charter issued by the Royal Decree No. M/36 on 11-04-1442H (26 Nov 2020G) and the Banking Control Law issued by the Royal Decree No. M/5 on 22-02-1386H (26 June 1966G) and the rules for Enforcing its Provisions issued by Ministerial Decision No 3/2149 on 14-10-1406H.
In February 2020, SAMA issued the Shari’ah Governance Framework for enhancing governance, risk management and compliance practices of Banks conducting Shari'ah compliant Banking. The Risk Management Framework for Shari'ah compliant Banking provides a set of rules for establishing and implementing effective risk management in Banks offering Shari'ah compliant products and services. The Risk Management Framework for Shari'ah compliant Banking will further complement and enhance the current Risk Management regime by identifying and suggesting techniques to manage various types of risks unique to Shari’ah compliant Banking. The Risk Management Framework for Shari'ah Compliant Banking should be considered in addition to the various risk management regulations and guidelines issued by SAMA from time to time and Banks will be required to comply with all sets of rules and guidelines. Shari’ah compliant Banking products and services are also exposed to various types of risks including the following major categories of risks:
• Credit risk
• Equity investment risk
• Market risk
• Liquidity risk
• Rate of return risk
• Operational risk
SAMA will roll out the Risk Management Framework for Shari’ah Compliant Banking in phases. This will allow a reasonable timespan for Banks to implement various rules stipulated in each phase of the framework. In the first phase, this circular specifies rules regarding overall management of the risks by Banks conducting Shari'ah compliant Banking as well as a minimum set of regulatory requirements for managing market risk and operational risk relating to Shari’ah compliant Banking.
2. Definitions
The following terms and phrases used in this document shall have the corresponding meanings unless otherwise stated:
SAMA: Saudi Central Bank.
Rules: Principles and regulations mentioned in the Risk Management Framework for Shari'ah compliant Banking.
Bank: For the purpose of these rules, the Bank means a Bank conducting Shari'ah compliant Banking either as a full fledged Islamic Bank or through an Islamic window.
Full Fledged Islamic Bank: A Bank that conducts only Shari'ah compliant Banking.
Islamic Window: That part of a conventional Bank (which may be a branch or a dedicated unit of that Bank) that provides Shari’ah compliant finance and investment services both for assets and liabilities products.
Fiduciary Risk: The risk that arises from a Bank’s failure to perform in accordance with explicit and implicit standards applicable to their fiduciary responsibilities.
Salam: The sale of a specified commodity that is of a known type, quantity and attributes for a known price paid at the time of signing the contract for its delivery in the future in one or several batches.
Parallel Salam: A second Salam contract with a third party to acquire for a specified price a commodity of known type, quantity and attributes, which corresponds to the specifications of the commodity in the first Salam contract without the presence of any links between the two contracts.
Sukuk: Certificates that represent a proportional undivided ownership right in tangible assets, or a pool of tangible assets, receivables and other types of assets. These assets could be in a specific project or specific investment activity that is Shari'ah compliant.
Murabahah: A sale contract whereby the bank sells to a customer a specified asset, where the selling price is the sum of the cost price and an agreed profit margin. The Murabahah contract can be preceded by a promise to purchase from the customer.
Commodity Murabahah (Tawarruq): A Murābahah transaction based on the purchase of a commodity from a seller or a broker and its resale to the customer on the basis of deferred Murābahah, followed by the sale of the commodity by the customer for a spot price to a third party for the purpose of obtaining liquidity, provided that there are no links between the two contracts.
Ijarah: A contract made to lease the usufruct of a specified asset for an agreed period against a specified rental. It could be preceded by a unilateral binding promise from one of the contracting parties. As for the Ijarah contract, it is binding on both contracting parties.
Ijarah Mawsufah fi al-Dhimmah (Forward Lease): A contract where the lessor leases the usufruct of a specific future asset, which will be delivered by the lessor to the lessee for the latter to acquire the usufruct on a specific date in the future. This usufruct can be of an asset (manfa‘at ‘ayn) or a service (manfa‘at khidmah).
Ijarah Muntahia Bi Al Tamilk: A lease contract combined with a separate promise from the lessor giving the lessee a binding promise to own the asset at the end of the lease period either by purchase of the asset through a token consideration, or by the payment of an agreed upon price or the payment of its market value. This can be done through a promise to sell, a promise to donate, or a contract of conditional donation.
Istisna: The sale of a specified asset, with an obligation on the part of the seller to manufacture/construct it using his own materials and to deliver it on a specific date in return for a specific price to be paid in one lump sum or instalments.
Parallel Istisna: A second Istisna contract whereby a third party commits to manufacture/construct a specified asset, which corresponds to the specifications of the asset in the first Istisna contract without the presence of any links between the two contracts.
Wakalah: An agency contract where the customer (principal) appoints an institution as agent (wakīl) to carry out the business on his behalf. The contract can be for a fee or without a fee.
Musharakah: A partnership contract in which the partners agree to contribute capital to an enterprise, whether existing or new. Profits generated by that enterprise are shared in accordance with the percentage specified in the Musharakah contract, while losses are shared in proportion to each partner’s share of capital.
Mudarabah: A partnership contract between the capital provider (rabb al-māl) and an entrepreneur (mudārib) whereby the capital provider would contribute capital to an enterprise or activity that is to be managed by the entrepreneur. Profits generated by that enterprise or activity are shared in accordance with the percentage specified in the contract, while losses are to be borne solely by the capital provider unless the losses are due to misconduct, negligence or breach of contracted terms.
Market risk: The risk of losses in on- and off-balance sheet positions arising from movement in market price, i.e. fluctuations in market values in tradable, marketable or leaseable assets (including Sukuk) and in off-balance sheet individual portfolios.
Operational risk: The risk of losses resulting from inadequacy or failure of internal processes, people and systems, or from external events, which includes, but is not limited to, legal risk, Shari'ah non-compliance risk and the failure in conducting fiduciary responsibilities.
Shari’ah non-compliance risk: The risk that arises from a Bank’s failure to comply with the Shari’ah rules and principles prescribed by Shari'ah Committee of the Bank.
The Board: The Board of Directors appointed by the shareholders in line with applicable laws and regulations.
Senior Management: The Senior Management consists of a key group of individuals responsible for overseeing the day-to-day management of the Bank and they shall be accountable in this respect. These individuals should have the necessary experience, competence and integrity to manage the business under the Board’s supervision. The Board shall have appropriate controls applicable to these individuals.
The definitions of Shari’ah compliant products mentioned above are extracted from the set of definitions proposed by Islamic Financial Services Board (IFSB). These definitions do not limit offering the Shari’ah compliant products and services that are approved by the respective Shari’ah Committee of each Bank.
3. Scope and Level of Application
Risk Management Framework for Shari'ah Compliant Banking shall be applicable to the following institutions:
i. All locally incorporated Banks that are licensed and operating in the Kingdom of Saudi Arabia and are conducting Shari'ah compliant Banking.
ii. Where a locally incorporated Bank has a majority owned subsidiary(ies) licensed and operating outside Saudi Arabia and/or has branch operations in any foreign jurisdiction that conduct Shari'ah compliant Banking shall follow these rules provided that there is no inconsistency with the legal and regulatory requirements of host country.
4. General Principle
4.1 Principle 1.0: Banks conducting Shari'ah compliant Banking shall have in place a comprehensive risk management and reporting processes, including appropriate board and senior management oversight, to identify, measure, monitor, report and control all relevant categories of risks. The process shall take into account appropriate steps to comply with Shari'ah rules and principles.
Board of Directors (BOD) oversight:
4.2 The Board of Directors is responsible for establishing a robust and effective risk management framework for the Bank.
4.3 As there are specific risks associated with Shari'ah compliant Banking, the risk management activities of Banks conducting Shari'ah Compliant Banking require active oversight by the Board of Directors and Senior Management. The Board of Directors or the related committee of the Board shall approve the risk management objectives, strategies and policies that are consistent with the risk profile, risk appetite and risk tolerance for the Bank.
4.4 The Board of Directors or the related committee of Board shall ensure the existence of an effective risk management structure for conducting activities including adequate systems for measuring, monitoring, reporting and controlling risk exposures commensurate with the scope, size and complexity of the Bank’s business and operations.
4.5 The Board of Directors or the related committee of Board shall review the effectiveness of the risk management activities periodically and make appropriate changes as and when necessary.
Senior Management oversight:
4.6 The senior management shall develop and implement well defined procedures for identifying, measuring, monitoring and controlling risks in line with the risk management objectives, strategies and policies approved by the Board of Directors or the related committee of Board.
4.7 Senior Management shall execute the strategic direction set by the Board of Directors or the related committee of Board on an ongoing basis and set clear lines of authority and responsibility for managing, monitoring and reporting risks. The Senior Management shall ensure that the financing and investment activities are within the approved appetite and risk tolerance limits.
4.8 Senior Management shall ensure that the risk management function is separated from the risk taking function and reports directly to the Chief Executive Officer/General Manager. In addition, the Chief Risk Officer shall have independent access to the related committee of the Board ultimately responsible for establishing the risk management in the Bank. The risk management function shall define the policies, establish procedures and monitor compliance with the established limits and report to the related committee of the Board and Senior Management on risk matters accordingly.
Risk Management Process:
4.9 The Bank shall have a sound process for executing all elements of risk management including risk identification, measurement, mitigation, monitoring, reporting and control. This process requires the implementation of appropriate policies, limits, procedures and effective management information systems (MIS) for internal risk reporting and decision making that are commensurate with the scope, complexity and nature of the Banks’ activities.
4.10 The Bank shall ensure that an adequate system of controls with appropriate checks and balances is set in place. The controls shall (a) comply with the Shari’ah rules and principles; (b) comply with applicable regulatory and internal policies and procedures; and (c) take into account the integrity of risk management processes.
4.11 The Bank shall make appropriate and timely disclosure of information to depositors having deposits on Profit and Loss Sharing basis (also known as Profit-sharing Investment Accounts, PSIAs) so that they are able to assess the potential risks and rewards of their deposits and protect their own interests in their decision making process.
4.12 In addition to the above, the following general requirements shall also be taken into account by Banks:
i. Application of Emergency and Contingency Plan: The Senior Management shall draw up an emergency and contingency plan, approved by the Business Continuity Committee as required under the Business Continuity Management Framework issued by SAMA in February 2017 or the updated version as applicable in order to be able to deal with risks and problems which may arise from unforeseen events.
ii. Integration of Risk Management: While assessing and managing risk, the management should have an overall view of risks the Bank is exposed to. This requires having a structure in place to look at risk interrelationships across the Bank. Such a setup could be in the form of a separate department, or the Bank’s Risk Management Committee could perform such a function. The structure should be such that it ensures effective monitoring and control over risks being taken.
iii. Risk Measurement: For each category of risk, the Bank is encouraged to establish systems/models that quantify its risk profile. The results of these models should be assessed and validated by an independent function within or outside the Bank.
iv. Utilization: The Bank should develop a mechanism which should, to the highest possible extent, monitor that funds provided by the depositors and investors are utilized for the purpose for which they were advanced.
v. Role of Risk Administration Department: It should be separated from the department originating the risk. It should be among the responsibilities of Risk Administration Department to monitor that the documents are obtained according to the requirements as specified in the product. For example, the dates play a very important role in Murabahah transactions and any transaction can be rendered invalid if the sequencing of obtaining documents is changed.
vi. Management Information System: The Bank should specify control reports to be prepared by the independent risk management department that should be periodically (at least quarterly) submitted to the related committee of Board and the Senior Management.
vii. Human Resources: The Bank shall ensure that the board members, senior management and staff working on related Shari’ah compliant products and processes have been adequately trained regarding Shari'ah principles and procedures.
4.13 The risk management approaches and methodologies must be able to distinguish the different nature and combination of risks that are associated with various types of Shari'ah compliant contracts used to structure financial products. A robust and dynamic risk assessment approach is required for products that involve different types of Shari’ah compliant contracts throughout the life of the product.
5. Market Risk
5.1 Principle 2.0: Banks shall have in place an appropriate framework for market risk management (including reporting) in respect of all assets held, including those that do not have a ready market and/or are exposed to high price volatility.
5.2 Banks shall develop a market risk strategy including the level of acceptable market risk appetite taking into account contractual agreements with fund providers, types of risk-taking activities and target markets in order to maximize returns while keeping exposures at or below the pre-determined levels. The strategy should be reviewed periodically by the Bank, communicated to relevant staff and disclosed to fund providers.
5.3 Banks shall establish a sound and comprehensive market risk management process and information system which (among others) comprise:
• a conceptual framework to assist in identifying underlying market risks;
• appropriate frameworks for pricing, valuation and income recognition;
• a strong MIS for controlling, monitoring and reporting market risk exposure and performance to appropriate levels of senior management.
Given that all the required measures are in place (e.g. pricing, valuation and income recognition frameworks, strong MIS for managing exposures etc.), the applicability of any market risk management framework that has been developed should be assessed taking into account consequential business and reputation risks.
5.4 Banks should be able to quantify market risk exposures and assess exposure to the probability of future losses in their net open asset positions.
5.5 The risk exposures in the investment securities are similar to the risks faced by conventional financial intermediaries, namely market price, liquidity and foreign exchange rates. In this regard, Banks shall ensure that their strategy includes the definition of their risk appetite for these tradable assets.
5.6 In the valuation of assets where no direct market prices are available, Banks shall incorporate in their own product program a detailed approach to valuing their market risk positions. Banks may employ appropriate forecasting techniques to assess the potential value of these assets.
5.7 Where available valuation methodologies are deficient, Banks shall assess the need (a) to allocate funds to cover risks resulting from illiquidity, new assets and uncertainty in assumptions underlying valuation and realization; and (b) to establish a contractual agreement with the counterparty specifying the methods to be used in valuing the assets.
5.8 The policies and related procedures for market risk management shall also account for the risks associated to the following Shari’ah compliant products:
• The risks that relate to the current and future volatility of market values of specific assets (for example, the commodity price of a Salam asset, the market value of a Sukuk, the market value of Murabahah assets purchased to be delivered over a specific period) and of foreign exchange rates.
• In Salam, Banks can be exposed to counterparty credit risk on a long position and commodity price fluctuations while holding the subject matter until it is disposed of. In the case of Parallel Salam, there is also the risk that a failure of delivery of the subject matter would leave the Banks exposed to commodity price risk as a result of the need to purchase a similar asset in the spot market in order to honor the Parallel Salam contract.
5.9 When Banks are involved in buying assets that are not actively traded with the intention of selling them, it is important to analyze and assess the factors attributable to changes in liquidity of the markets in which the assets are traded and which give rise to greater market risk. Assets traded in illiquid markets may not be realizable at prices quoted in other more active markets.
5.10 Banks are also exposed to foreign exchange fluctuations arising from general FX spot rate changes in both cross-border transactions and the resultant foreign currency receivables and payables. These exposures may be hedged using Shari'ah compliant methods.
5.11 In addition to the above, there should be a middle office or an independent function to perform the market risk management function and to independently monitor, measure and analyze risks inherent in the treasury operations of Shari'ah compliant Banking. In addition, the unit should also prepare control reports indicating deviations for the information of senior management.
6. Operational Risk
6.1 Principle 3.0: Banks shall have in place adequate systems and controls, including Shari'ah Committee, Shari’ah Compliance and Shari’ah Audit to ensure compliance with Shari'ah rules and principles.
6.2 Operational risk is inherent in all activities, products and services of Banks and can transverse multiple activities and business lines within Banks. Operational risk may result in direct financial losses as well as indirect financial losses (e.g. loss of business and market share) due to reputational damage.
6.3 In addition to the usual form of operational risks, the Shari'ah compliant Banks and Islamic Windows are exposed to risks relating to Shari'ah non-compliance and risks associated with the Banks’ fiduciary responsibilities towards different fund providers. These risks expose Banks to fund providers’ withdrawals, loss of income or voiding of contracts leading to an impairment of reputation and/or the limitation of business opportunities.
6.4 Banks shall consider the full range of material operational risks affecting their operations, including the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Banks shall also incorporate possible causes of loss resulting from Shari'ah non-compliance and the failure in their fiduciary responsibilities.
Shari'ah Non-Compliance Risk:
6.5 Principle 4.0: Banks shall ensure that the policies and related procedures shall be in place to measure, mitigate and monitor the Shari'ah non-compliance risk. Shari'ah compliance is critical to a Bank’s operations and such compliance requirements must be communicated throughout the Bank and their products and activities.
6.6 In Shari’ah compliant Banking, a majority of the fund providers use Shari’ah compliant Banking services. As a matter of principle, their perception regarding the Bank’s compliance with Shari’ah rules and principles is of great importance to the sustainability of the Bank. In this regard, the Bank must consider Shari'ah compliance as falling within a higher priority category in relation to other identified risks.
6.7 Banks are also exposed to reputational risk arising from failures in governance, business strategy and process. Negative publicity about Shari'ah compliant Banking business practices, particularly relating to Shari'ah non-compliance in their products and services, could have an impact upon their market position, profitability and liquidity.
6.8 Banks shall ensure that they comply at all times with the Shari'ah rules and principles as approved/instructed by the Banks’ Shari'ah Committee with respect to its products and activities. This means that Shari'ah compliance considerations are taken into account whenever the Banks accept deposits and investment funds, provide finance and carry out investment services for their customers.
6.9 Banks shall ensure that their contract documentation complies with Shari'ah rules and principles - with regard to formation, termination and elements possibly affecting contract performance such as fraud, misrepresentation, duress or any other rights and obligations.
6.10 Banks shall undertake a Shari'ah compliance review at least annually, performed either by a separate Shari'ah audit department or as part of the existing internal audit function by persons having the required knowledge and expertise for the purpose. The objective is to ensure that (a) the nature of the Banks’ financing and equity investment and (b) the operations relating to all Shari'ah compliant products and services are executed in adherence to the applicable Shari'ah rules and principles, policies and procedures approved by the Bank’s Shari'ah Committee.
6.11 Banks shall keep track of income not recognized arising out of Shari’ah non-compliance and assess the probability of similar cases arising in the future. Based on historical reviews and potential areas of Shari'ah non-compliance, Banks may assess potential profits that cannot be recognized as eligible Banks’ profits. The Bank shall seek its Shari’ah Committee ruling and direction with regard to the appropriate cleansing and disposal of Non-Shari’ah Compliant income.
Fiduciary risk:
6.12 Principle 5.0: Banks shall have in place appropriate mechanisms to safeguard the interests of all fund providers. Where Profit & Loss Sharing depositors’ funds are comingled with the Banks’ own funds, Banks shall ensure that the bases for the asset, revenue, expenses and profit allocations are established, applied and reported in a manner consistent with the Banks’ fiduciary responsibilities.
6.13 Banks’ failure to perform in accordance with their fiduciary responsibilities could result in losses in investments, and the Bank may become insolvent and therefore unable to (a) meet the demands of current account holders for repayment of their funds; and (b) safeguard the interests of their Profit & Loss Sharing deposit holders. The Bank may fail to act with due care when managing investments, resulting in the risk of possible forgone profits to Profit & Loss Sharing deposit holders.
6.14 Banks shall establish and implement a clear and formal policy for undertaking their different and potentially conflicting roles in respect to managing different types of investment accounts. The policy relating to safeguarding the interests of their Profit & Loss Sharing deposit holders may include the following:
i. Identification of investing activities that contribute to investment returns and taking reasonable steps to carry on those activities in accordance with the Banks' fiduciary and agency duties and to treat all their fund providers appropriately and in accordance with the terms and conditions of their investment agreements, if any;
ii. Allocation of assets and profits between Banks and their Profit and Loss Sharing deposit holders will be managed and applied appropriately to Profit & Loss Sharing deposit holders having funds invested over different investment periods; and
iii. Limiting the risk transmission between current and investment accounts.
6.15 A reliable IT system is necessary for the profit & loss sharing mechanism, failure of which may lead to Shari'ah non-compliance risk. The Bank should identify key risk indicators and should put in place key control activities such as Code of Conduct, delegation of authority, segregation of duties, succession planning, mandatory leave, staff compensation, recruitment and training, dealing with customers, complaint handling, record keeping, MIS, physical controls etc.
6.16 Banks shall adequately disclose information on a timely basis to their Profit & Loss Sharing deposit holders and markets in order to provide a reliable basis for assessing their risk profiles and investment performance.
7. Effective Date
These Rules shall come into force on 1 May 2022.