  • 3. Governance

    The Board and Executive Leadership of the Member Organisation are ultimately responsible for the creation of a Counter-Fraud Programme; for providing leadership and direction; and for projecting a Counter-Fraud culture inside and outside the organisation. The programme should include a Counter-Fraud Strategy to define organisational objectives, a Counter-Fraud Policy outlining responsibilities and mandatory requirements, and a Governance Structure with associated internal and external reporting, aligned to the organisation's size and complexity, to monitor and oversee fraud risk management.

    Figure 4 - Governance Domain
    • 3.1. Governance Structure

      Principle

      Member Organisations should establish and maintain a Counter-Fraud Governance Structure owned by Senior Management with responsibility for oversight and control of all aspects of the organisational Counter-Fraud Programme.

      Control Requirements

      a. Member Organisations should establish and maintain a dedicated Counter-Fraud Governance Committee (CFGC).

      b. The CFGC should be headed by a member of the Executive Committee (e.g., CEO, CRO or equivalent).

      c. The following positions at a minimum should be represented in the CFGC:

       1. Head of Counter-Fraud/Senior Manager accountable for the Counter-Fraud Programme.

       2. Chief Risk Officer.

       3. Chief Operating Officer.

       4. Head of Digital.

       5. Heads of relevant business departments or product owners (e.g., General Manager of Retail/Corporate).

       6. Senior Managers from all departments involved in fraud risk management (e.g., Operational Risk Management, Cyber Security, Counter-Fraud Department, Analytics, Compliance).

       7. Internal Audit should attend as an “observer”.

      d. A CFGC charter should be developed and approved, and should reflect the following:

       1. Committee objectives.

       2. Authority and accountability of the committee.

       3. Roles and responsibilities.

       4. Minimum number and role of meeting participants required to meet quorum.

       5. Meeting frequency (at a minimum on a quarterly basis).

       6. Escalation process for fraud issues or incidents to Board level.

       7. Documentation and retention of meeting minutes and decisions.

      e. The CFGC should at a minimum be responsible for:

       1. Approving, supporting, communicating, and monitoring:

        a. Counter-Fraud Strategy.

        b. Counter-Fraud Policy.

        c. Fraud Risk Management Framework, which should include at a minimum:

         i. Intelligence Monitoring process.

         ii. Fraud Risk Assessment.

         iii. Fraud Risk Appetite.

         iv. KRIs for fraud.

        d. Management Information.

       2. Providing leadership, direction, and oversight of the Member Organisation’s Counter-Fraud Programme.

      f. Member Organisations should appoint an appropriately qualified and experienced Head of Counter-Fraud as accountable for the Counter-Fraud Programme at Senior Management level (see control requirement 3.5.e).

      g. Member Organisations should establish a documented and approved process for Counter-Fraud budget and spending prioritisation, which should align with fraud strategic objectives.

      h. The overall Counter-Fraud budget should be monitored, reviewed periodically, and adjusted accordingly by the CFGC to meet the Counter-Fraud and business needs.

      i. Member Organisations should define roles and responsibilities of Senior Management and Counter-Fraud Department employees using a responsibility assignment matrix, also known as RACI. The RACI Matrix should outline who is responsible and accountable for Counter-Fraud processes and controls, as well as who should be consulted or informed.
        
    • 3.2. Counter-Fraud Strategy

      Principle

      Member Organisations should define, approve, implement and maintain a Counter-Fraud Strategy, aligned to the overall strategic objectives of the organisation, that identifies short and long-term Counter-Fraud initiatives and communicates a plan of action to achieve them.

      Control Requirements

      a. Counter-Fraud Strategy should be defined, approved, implemented and maintained.

      b. Counter-Fraud strategic initiatives should be translated into a defined roadmap including, but not limited to, consideration of:

       1. Timescales to deliver initiatives.

       2. The owner responsible for delivering the initiative.

       3. How the initiatives will close the gaps between current and target environments.

       4. The integration of initiatives into a coherent Counter-Fraud Strategy that aligns with the business strategy.

       5. Dependencies, overlaps, synergies and impacts among projects, and prioritisation.

      c. Counter-Fraud Strategy should be aligned with:

       1. The Member Organisation’s overall business strategic objectives.

       2. Broader strategies that may influence fraud risks and controls, e.g., Cyber Security, IT, Financial Crime (Anti-Money Laundering (AML) & Customer Due Diligence (CDD)).

       3. Legal and regulatory compliance requirements of the Member Organisation and any other applicable laws in the Kingdom of Saudi Arabia (KSA).

      d. Counter-Fraud Strategy should at a minimum address:

       1. The current state maturity of the Member Organisation, including the most significant fraud-related challenges faced.

       2. The people, process, and technology requirements to deliver the strategy and proactively manage fraud within risk appetite.

       3. The future direction of the Member Organisation’s Counter-Fraud Programme, and the initiatives required to successfully migrate to the desired future state.

       4. Known changes to the fraud landscape (e.g., the increasing digitalisation of financial services products, new external threats, new regulation, or guidance).

      e. A Member Organisation should review and, when required, update its Counter-Fraud Strategy on a periodic basis or whenever there is a material change:

       1. Internally (e.g., the Member Organisation’s business model, operational environment, or business strategy).

       2. Externally (e.g., the fraud landscape or applicable laws and regulations).
       
    • 3.3. Counter-Fraud Policy and Procedures

      Principle

      Member Organisations should define, approve, communicate, and implement a Counter-Fraud Policy to set the commitment and objectives for Counter-Fraud and provide requirements to relevant stakeholders; and associated procedures to outline the step-by-step tasks and activities that should be performed by employees.

      Control Requirements

      a. Counter-Fraud Policy and procedures should be defined, approved, communicated and implemented.

      b. Counter-Fraud Policy and procedures should take into consideration the risks identified in the Fraud Risk Assessment, the evolving fraud landscape and the Member Organisation’s business model and operations, and should be periodically reviewed to ensure the identified risks are managed effectively.

      c. Counter-Fraud Policy should be readily accessible to all employees, contractors and relevant third parties, including all branches and majority-owned subsidiaries.

      d. Counter-Fraud Policy should require Member Organisations to follow all applicable Counter-Fraud laws and regulations, and payment operator requirements.

      e. Counter-Fraud Policy should include at a minimum the following:

       1. A defined owner of appropriate seniority and role (e.g., Head of Counter-Fraud).

       2. The Member Organisation’s overall fraud objectives and scope.

       3. A statement of the Board’s intent, supporting the fraud objectives.

       4. Core requirements to provide a consistent, proportionate, and effective approach to the management of fraud risk.

       5. Responsibilities for key stakeholders and relevant third parties who play a role in fraud governance, prevention, detection, or response across the three lines of defence (e.g., Senior Management, Compliance, Internal Audit).

       6. Escalation and reporting requirements in the event of a policy breach.

      f. Counter-Fraud procedures should outline the step-by-step tasks and activities that should be performed by employees in the operating environment for Counter-Fraud process and control operation (e.g., product risk assessment, alert handling, investigations).

      g. For Member Organisations with a headquarters in the KSA, the Counter-Fraud Policy should apply across all international branches and subsidiaries. If the law of another jurisdiction prohibits compliance, an exemption should be documented and approved.
       
    • 3.4. Roles and Responsibilities

      Principle

      Member Organisations should define, approve and implement Counter-Fraud roles and responsibilities across the three lines of defence, and all relevant stakeholders should have an adequate level of understanding of the expectations related to their role.

      Control Requirements

      a. Member Organisations should define, approve and implement Counter-Fraud roles and responsibilities for all relevant stakeholders and ensure they have been communicated and understood.

      b. The Board should be accountable for:

       1. The establishment of a Counter-Fraud Programme.

       2. Setting the tone from the top to establish a Counter-Fraud culture through a Code of Conduct (or equivalent).

       3. Ensuring that a robust Fraud Risk Management framework is established and maintained to manage fraud risks.

       4. Ensuring that sufficient budget for Counter-Fraud is allocated, utilised, and monitored.

       5. Approving the CFGC charter.

       6. Endorsing (after approval by the CFGC):

        a. The roles and responsibilities of Senior Management accountable for the Counter-Fraud Programme.

        b. The Counter-Fraud Strategy.

        c. The Counter-Fraud Policy.

        d. The output of the Fraud Risk Assessment.

        e. Fraud Risk Appetite.

      c. The Head of Counter-Fraud should be accountable for:

       1. Developing, implementing, and maintaining:

        a. Counter-Fraud Strategy.

        b. Counter-Fraud Policy.

        c. Fraud Risk Assessment.

        d. Fraud Risk Appetite.

        e. KRIs for fraud.

       2. Reinforcing and maintaining the tone from the top to deliver a culture of compliance with the Code of Conduct.

       3. Developing a risk-based Counter-Fraud Programme that addresses people, process, and technology, including adequate systems to prevent, detect and respond to fraud.

       4. Ensuring that detailed Counter-Fraud standards and procedures are established, approved, and implemented.

       5. Ensuring that Counter-Fraud systems and controls remain effective in light of evolving threats identified through Intelligence Monitoring.

       6. Periodically informing the CFGC of the latest developments on Counter-Fraud strategic initiatives and implementation status.

       7. Establishing a Counter-Fraud Department that is adequately resourced and has responsibility for the requirements outlined in sub-domain 3.5.

       8. Collating and overseeing organisation-wide Management Information reporting produced in relation to Counter-Fraud risks and performance.

       9. Promptly notifying SAMA of new fraud typologies and significant fraud incidents in line with the Supervisory Notification requirements included in sub-domain 3.7.

       10. Taking action when a notification is received of any significant fraud incidents, investigations or breaches of Counter-Fraud policy or standards, and reporting to the Board or CFGC as required.

       11. Defining the organisation’s ongoing fraud awareness programme in coordination with relevant departments (e.g., Operations, Communications, Human Resources (HR)).

      d. At a minimum, Senior Management should be accountable for:

       1. Ensuring that employees are compliant with the Code of Conduct and Counter-Fraud policies, standards, and procedures.

       2. Ensuring that employees receive training in line with the requirements of the fraud training and awareness programme.

       3. Developing and reviewing regular Management Information reporting to monitor Counter-Fraud risks and performance.

       4. Notifying the CFGC where escalation is required (e.g., adverse internal findings relating to Counter-Fraud controls, or Fraud Risk Appetite being exceeded).

       5. Managing fraud losses through processes and controls in their own area of accountability within the organisation’s agreed Fraud Risk Appetite.

       6. Maintaining appropriate systems and controls to prevent, detect and respond to fraud.

      e. Manager(s) accountable for fraud operations (e.g., managing fraud alerts, responding to reported fraud and dealing with fraud cases) should be responsible for:

       1. Ensuring that all suspected fraud, including system alerts and manual employee and customer referrals, is adequately prioritised and investigated, and that the outcome is appropriately recorded.

       2. Taking immediate steps to prevent further exposure and corrective action(s) when a fraud is identified.

       3. Notifying relevant external parties (e.g., law enforcement).

      f. The Internal Audit function should be responsible for:

       1. The identification of a comprehensive set of auditable areas for fraud risk.

       2. Assessment and prioritisation of fraud risks during audit planning.

       3. Performing fraud audits and producing independent, objective reports.

      g. All Member Organisation employees should be responsible for:

       1. Complying with applicable Counter-Fraud policies, standards, and procedures.

       2. Reporting any suspicions of fraud in a timely manner.

      h. Member Organisations should ensure that suspected or actual cases of internal fraud are investigated by individuals of appropriate seniority (e.g., if the fraud involves a manager, an individual of higher seniority should take responsibility for the oversight and approval of the investigation) and independence (e.g., Internal Audit or an equivalent control function should conduct the investigation, with the investigators free from potential conflicts of interest).

      i. Member Organisations should periodically review the roles and responsibilities of employees with fraud-related responsibilities to ensure they reflect best practice, address trending fraud typologies and are aligned with the fraud landscape and business model.

      j. Member Organisations should develop a formal Counter-Fraud succession plan in coordination with the HR Department, taking into consideration the reliance on key Counter-Fraud employees having critical roles and responsibilities.
       
    • 3.5. Counter-Fraud Department

      Principle

      Member Organisations should establish and maintain a Counter-Fraud Department that has responsibility for the day-to-day operation of the Counter-Fraud Programme.

      Control Requirements

      a. Member Organisations should establish and maintain a Counter-Fraud Department that has responsibility for the day-to-day operation of the Counter-Fraud Programme, including at a minimum:

       1. Monitoring and overseeing compliance with Counter-Fraud policies, standards, and procedures.

       2. Designing and implementing the required organisation-wide counter-fraud controls covering people, process and technology dimensions.

       3. Performing an in-depth organisation-wide Fraud Risk Assessment.

       4. Analysis of Counter-Fraud data and intelligence to proactively identify fraud trends.

       5. Sharing Counter-Fraud Intelligence with SAMA and other organisations in the sector.

       6. Proactively and reactively tuning Counter-Fraud systems.

       7. Monitoring of Counter-Fraud Operations.

       8. Performing comprehensive fraud investigations, identifying root causes of fraud incidents and documenting corrective actions.

       9. Monitoring Fraud Risk Appetite measures and actively engaging a crisis management task force if the defined limit is breached with an impact on customers (see control requirement 4.1.3.d).

       10. Ensuring alignment of Counter-Fraud capabilities with Cyber Security and Financial Crime.

       11. Periodic reporting to Senior Management covering at a minimum:

        a. Fraud Risk Assessment results.

        b. Fraud typologies identified.

        c. Fraud Risk Appetite measures and performance against thresholds and limits.

        d. Operational and customer fraud losses.

      b. Member Organisations should assess the most appropriate reporting line for the Counter-Fraud Department based on organisational structure; decision-making authority; visibility to the Executive Committee/Board; and Senior Management accountability and responsibilities.

      c. Member Organisations should evaluate the staffing requirements of the Counter-Fraud Department on a periodic basis and in response to material changes to the business, operational and fraud landscape or the Member Organisation’s Fraud Risk Assessment.

      d. Evaluation of staffing requirements should consider both the capacity (number of resources) and the capability (skills and experience) required.

      e. The Head of Counter-Fraud should have skills and experience consisting of, at a minimum:

       1. An in-depth understanding of fraud risks in the financial sector.

       2. Strong knowledge of digital fraud threats and common typologies, along with emerging trends impacting financial sector organisations and their customers.

       3. Designing and implementing technology and controls based on use cases to mitigate fraud risks and threats.

       4. The use of data and analytics to proactively prevent fraud and protect customers.

      f. The Counter-Fraud Department should at a minimum include employees with skills and experience in:

       1. Fraud risks and typologies related to the products offered by the organisation (e.g., experience in payment fraud, scams, and social engineering).

       2. Fraud risks and typologies related to the delivery channels offered by the organisation, in particular digital channels such as online and mobile.

       3. Counter-Fraud data analytics to enable the analysis of large volumes of transactions and proactive identification of fraud threats.

       4. Counter-Fraud technology to ensure systems are operating effectively with scenarios relevant to the risks faced by the Member Organisation.

       5. The analysis of intelligence and data to identify fraud trends and the root cause of fraud incidents.

       6. Fraud investigations, from initial notification of a potential incident to closure and corrective actions.

       7. Reporting and production of Management Information to monitor organisational fraud performance.

      g. Member Organisations should consider fraud qualifications for roles in the Counter-Fraud Department.

      h. Member Organisations should establish a training plan and provide periodic training to develop and maintain the competency of the employees in the Counter-Fraud Department.

      i. Where third-party services or resources (e.g., contractors or Managed Services) are used to fulfil responsibilities of the Counter-Fraud Department, Member Organisations should ensure the resource is appropriately vetted and monitored.
       
    • 3.6. Management Information

      Principle

      Member Organisations should define, approve and implement a process for the reporting of Management Information to enable Senior Management to monitor Counter-Fraud risks and performance.

      Control Requirements

      a. Member Organisations should define, approve and implement a process for the reporting of Management Information to monitor Counter-Fraud risks and performance.

      b. Fraud Management Information should be reported to Senior Management and the CFGC on a periodic basis and on an ad hoc basis as required (e.g., if a new or unusual typology is identified).

      c. Member Organisations should coordinate the collation of fraud Management Information to ensure a holistic picture can be reported of all fraud impacting the organisation or its customers.

      d. Member Organisations should identify appropriate Management Information to adequately inform Senior Management of Counter-Fraud risks and performance. At a minimum this should include:

       1. Fraud Risk Assessment results.

       2. Fraud Risk Appetite measures and performance against thresholds and limits.

       3. Volume of fraud alerts notified by:

        a. Customers.

        b. Employees.

        c. Fraud systems.

       4. Volume and trends of fraud cases handled, split by product and typology.

       5. New typologies identified.

       6. Value of near misses or potential frauds that were detected and prevented.

       7. Case value of fraud handled (the total value of the fraud case, including actual and potential losses).

       8. Fraud losses, split by product, payment type (where applicable) and typology, including:

        a. Customer losses.

        b. Operational losses.

       9. Value of customer refunds following fraud.
       
    • 3.7. Supervisory Notifications

      Principle

      Member Organisations should immediately notify SAMA of new fraud typologies and significant fraud incidents to mitigate the risk of the fraud impacting additional customers, other organisations, or the financial sector in the KSA.

      Control Requirements

      a. Member Organisations should immediately notify the SAMA General Department of Cyber Risk Control of the following:

       1. Any new fraudulent typology, whether it resulted in financial loss or not (e.g., a type of fraud not previously observed or a new scam attempt detected).

       2. Where an external person has committed or attempted to commit a significant fraud against it.

       3. Where an employee of a Member Organisation has committed a significant internal fraud against one of its customers or may be guilty of serious misconduct concerning honesty or integrity related to the organisation's regulatory obligations.

       4. Where Wholesale Payment Endpoint Security Fraud is suspected or identified.

       5. Where a significant irregularity is identified in the organisation's accounting records that may be indicative of fraud.

      b. When assessing whether a fraud is considered significant to meet the notification requirements above, Member Organisations should consider at a minimum:

       1. The value of any monetary loss or potential monetary loss to the organisation or its customers (the value should consider an individual fraud incident or total losses from connected incidents).

       2. The number of customers impacted.

       3. Reputational damage to the organisation and the wider financial sector.

       4. Whether any regulation has been breached.

       5. Whether the incident reflects weaknesses in the organisation's Counter-Fraud controls.

       6. If the incident has the potential to impact other Member Organisations.

      c. Member Organisations should use the standard reporting template in Appendix G to notify SAMA.

      d. At a minimum, Member Organisations should include the origin of the incident; the methods used; related parties (internal and external); corrective actions; and losses, if any, in the notification to SAMA. Where all required information is not available at the time of notification, any gaps should be supplied to SAMA promptly as the investigation progresses.
       
    • 3.8. Counter-Fraud Technology

      Principle

      Member Organisations should define, approve and implement a strategy for the sourcing or development, and the implementation, of Counter-Fraud systems and technology to manage the fraud risks they are exposed to.

      Control Requirements

      a. Member Organisations should define, approve and implement a strategy for the sourcing or development of Counter-Fraud systems and technology to prevent, detect and respond to fraud.

      b. Member Organisations should implement Counter-Fraud systems and technology and verify that they are operating as intended.

      c. The output of the Fraud Risk Assessment should inform the technology required, and systems should be proportionate to the risk appetite of the organisation.

      d. Whether a fraud system is sourced from a vendor or developed in-house, Member Organisations should consider the below requirements at a minimum:

       1. The Counter-Fraud Department is engaged in the design and implementation of the system, with oversight from the CFGC.

       2. The rationale for scenarios developed and thresholds applied is documented.

       3. The system and rules are designed, or can be customised, to align to the products, services, and fraud risks of the organisation.

       4. New rules can be implemented on a timely basis to target prevention and detection of new or emerging typologies identified through Intelligence Monitoring.

       5. Awareness of rules to prevent and detect potential internal fraud is limited to a restricted, documented set of roles which does not include employees or third parties responsible for the operation of the processes and controls being monitored (e.g., branch/customer-facing staff or operational payments teams).

       6. Configuration changes follow the System Change Management Principles and Control Requirements in SAMA’s Information Technology Governance Framework (“The IT Governance Framework”).

       7. The organisation can explain and outline the fraud threats that scenarios are designed to monitor and mitigate.

       8. Where Machine Learning or Artificial Intelligence is used, the system should not be a 'black box' and should be capable of being audited (e.g., the organisation should have the capability to test what the algorithms are designed to do and whether they are correctly implemented).

       9. Business Continuity and IT Disaster Recovery Plans are in place, aligned to the requirements of the SAMA Business Continuity Management Framework.
       
    • 3.9. Counter-Fraud Internal Audits

      Principle

      Member Organisations should conduct audits in accordance with generally accepted auditing standards and relevant SAMA framework(s) to verify that the fraud control design is adequately implemented and operating as intended.

      Control Requirements

      a. Member Organisations should ensure that Counter-Fraud audits are performed independently and according to generally accepted auditing standards and relevant SAMA frameworks.

      b. Member Organisations should establish an audit cycle that determines the frequency of Counter-Fraud audits.

      c. Member Organisations should develop a formal Counter-Fraud audit plan addressing people, process and technology components.

      d. The frequency of Counter-Fraud audits should be aligned with the output of the Fraud Risk Assessment and consider the criticality and risk of the Counter-Fraud system, control or process.

      e. The Internal Audit function of Member Organisations should complete periodic validation of the implementation of Counter-Fraud related corrective actions, including those resulting from SAMA instruction.

      f. Member Organisations should ensure that the Counter-Fraud auditors have the requisite level of competencies and skills to effectively assess and evaluate the adequacy of the Counter-Fraud policies, procedures, processes and controls implemented.

      g. Counter-Fraud audit reports, at a minimum, should:

       1. Include the findings, recommendations, management's response with a defined action plan and responsible party, and any limitations in scope with respect to the Counter-Fraud audits.

       2. Be signed, dated and distributed according to the format defined.

       3. Be submitted to the audit committee on a periodic basis.

      h. A follow-up process for audit observations should be established to track and monitor Counter-Fraud audit observations.