Principles
Responsibilities of the Board of Directors Regarding Compliance
Principle (1): Oversight of Non-Compliance Risk Management
The responsibility for effective oversight of non-compliance risk management lies with the Board of Directors in local banks and with the CEO/Branch Manager in foreign bank branches. To fulfill this responsibility, the following must be done:
32- Approve an effective compliance policy and oversee it, which includes at a minimum:
1. Establishing a permanent and effective compliance unit and updating its organization from time to time.
2. Promoting a culture of compliance, defining employee responsibilities, the penalties for neglect, and the standards that must be met.
3. Supporting and promoting the values of integrity and honesty throughout the bank.
4. A comprehensive commitment, across all of the bank's policies, to comply with regulations and instructions.
5. The requirements necessary for managing non-compliance risk matters.
6. Supervising the implementation of the policy, including ensuring that compliance-related issues are addressed by senior management quickly and effectively with the help of the compliance unit.
7. Committing to provide adequate resources to the compliance unit on a continuous basis.
8. Granting the compliance unit the necessary independence as per Principle (5).
9. Precisely defining the responsibilities of the compliance unit.
10. Having the internal audit unit review the activities of the compliance unit and compliance risks periodically.
11. Continuously overseeing efforts to implement the compliance policy, the performance level achieved as shown in periodic reports, the assessment of the compliance unit's activities, the identification of weaknesses, and training and awareness efforts.
33- The board or a committee delegated by it must evaluate the effectiveness of non-compliance risk management in the bank at least once a year.
34- Approve updates to the compliance policy from time to time to enhance the effectiveness and efficiency of compliance, in line with instructions from SAMA regarding policy updates.
35- Approve the annual compliance report and provide SAMA with a copy.
Responsibilities of Senior Management Regarding Compliance
Principle (2) General Principle: Effective Management of Non-Compliance Risks
Principle (3) Preparation, Update, and Approval of Compliance Policy, Responsibility, Sanctions, Monitoring, and Reporting on Non-Compliance Risks
The senior management of the bank is responsible for preparing, updating, and obtaining board approval for the compliance policy, and ensuring its dissemination. They must also ensure adherence to the policy and report on non-compliance risk management to the board.
Responsibility for Preparing, Updating, and Communicating the Compliance Policy
37- The senior management of the bank is responsible for preparing and updating the compliance policy for managing compliance matters, obtaining its approval from the board in local banks or from the branch head in foreign bank branches, and communicating it to all sectors of the bank. The policy should include:
- The compliance principles that work units and their personnel must adhere to.
- An explanation of the key procedures for identifying and managing compliance risks throughout all levels of the bank's system.
- Enhancement of clarity and transparency by distinguishing between general standards applicable to all employees and specific standards and procedures that apply only to certain employee groups.
Responsibility for Adhering to the Compliance Policy, Taking Corrective Actions, and Applying Sanctions
38- The senior management has the duty to ensure adherence to the compliance policy and to ensure that appropriate corrective and disciplinary actions are taken in case of policy violations.
Oversight and Reporting
39- The senior management, with the assistance of the compliance unit, is responsible for:
- Identifying the principal non-compliance risks facing the bank, developing plans to manage and assess these risks at least annually. These plans should address any deficiencies in the policy, procedures, or implementation related to the effectiveness of the existing non-compliance risk management, as well as determine the need for any additional policies or procedures to address new non-compliance risks identified in the annual non-compliance risk assessment.
- Providing written reports to the board or its delegated committee, highlighting the bank's management of non-compliance risks at least once annually, to support board members in making informed decisions based on accurate information regarding the effectiveness of the bank’s non-compliance risk management.
- Reporting in writing to the board or its delegated committee immediately about any significant failures, deficiencies, or compliance violations (e.g., non-compliance situations that may result in significant risks leading to legal or regulatory penalties, severe financial losses, or damage to the bank’s reputation).
Principle (4) Responsibility for Establishing and Developing the Compliance Unit
The senior management is responsible, under the compliance policy approved by the board, for establishing and developing a permanent and effective compliance unit within the bank, as follows:
Establishing, Supporting, and Developing the Compliance Unit
40- As a fundamental requirement of compliance, senior management in local banks, according to the compliance policy approved by the board, must establish, support, and develop an independent, permanent, and effective compliance unit with sufficient powers and responsibilities to oversee compliance. In foreign bank branches, this includes having an independent compliance unit or a head of compliance at the senior management level who reports directly to the branch's top executive. The role of the compliance unit should be clearly communicated to all employees, encouraging them to consult the unit on compliance matters.
Reliance on the Compliance Unit
41- Senior management must take necessary measures to ensure that the bank relies on a permanent and effective compliance unit, which performs its duties in accordance with the "Compliance Unit Principles" mentioned later.
Coordination and Integration with Other Business Units
42- Achieving compliance requires senior management to foster a climate of trust and integration between the compliance unit and other business units, and to take the necessary measures and coordination to facilitate this relationship.
Appointment of the Head of Compliance and Compliance Unit Staff
43- The selection and nomination of the head of compliance and the staff of the compliance unit are subject to the Requirements for Appointments to Senior Positions issued by SAMA and any other relevant guidelines issued by SAMA. The responsibility for selecting compliance unit staff lies with the head of compliance in accordance with the bank’s internal employment and appointment requirements.
Compliance Unit Principles
The main principles from Principle (5) to Principle (8) detail the practices, requirements, and proper applications necessary for the compliance unit. However, the methods for implementing these principles depend on various factors such as the size of the bank, the nature and complexity of the bank's activities, its geographic scope, and the regulatory framework and instructions under which it operates.
Principle (5) Independence
44- The compliance unit in the bank must be independent.
Concept of Independence for the Compliance Unit
45- The concept of independence in this principle refers to "the independence of the compliance unit from external interference by other operational units in performing its compliance duties or influencing them." This does not mean that the compliance unit should not work closely with other business units to facilitate compliance; rather, the working relationship between the compliance unit and other units should be cooperative, supporting the early identification and management of non-compliance risks. The various elements outlined below should serve as preventive measures to help ensure the effectiveness of the compliance unit. Regardless of the close working relationship between the compliance unit and other units, the method of implementing these preventive measures depends to some extent on the specific responsibilities of each compliance unit employee.
Elements of the Concept of Independence
46- The concept of independence includes four interrelated elements that must be applied as follows:
- Element One: The Compliance Unit Must Have an Official Status in the Bank.
- Element Two: In local banks, the compliance unit should be headed by an executive at the first managerial level. In branches of foreign banks, the unit should be led by a senior executive at the first managerial level who reports directly to the head of the branch. This position should include the overall responsibility for coordinating the management of compliance risks within the bank.
- Element Three: The personnel of the compliance unit, particularly the head of compliance, should not be placed in a position that could lead to potential conflicts of interest between their compliance responsibilities and any other responsibilities associated with their role.
- Element Four: All personnel within the compliance unit should have the right and authority to access and review all relevant information, records, and files, and to communicate with bank employees as necessary to perform their duties.
The Official Organizational Status of the Compliance Unit
47- The Compliance Unit must have an official status within the bank that grants it appropriate recognition, authority, and independence. This should be outlined in the bank's compliance policy or in an official document related to the policy. All bank employees should be informed of the document specifying this status.
Key Items of the Compliance Unit's Organizational Document
48- The organizational document for the Compliance Unit, related to the compliance policy, must include at a minimum the following requirements:
- The role and responsibilities of the Compliance Unit.
- Procedures necessary to ensure the independence of the Compliance Unit.
- The relationship of the Compliance Unit with other risk units within the bank, and its relationship with the internal audit unit.
- The method for distributing compliance responsibilities in exceptional cases. Where, for technical or specialized reasons, or where there is no significant relationship with non-compliance risks, some compliance responsibilities are assigned to employees in other operational units (such as human resources, administrative affairs, or branches), this must follow specific procedures that set out the role and authority of those units and their designated officials.
- The Compliance Unit has the right to access the necessary information, records, and data to perform its responsibilities, and the requirement for bank employees to cooperate in providing this information.
- The Compliance Unit has the right to conduct necessary investigations by itself or through delegated external experts for potential policy violations or shortcomings in compliance policy implementation, and its authority to appoint or request external experts if needed.
- The Compliance Unit has the right to freely report investigation results to senior management and, when necessary, to the board or its authorized committee.
- The official obligations of the Compliance Unit regarding reporting to senior management.
- The Compliance Unit has the right to direct access to the board or its authorized committee.
Compliance Officer
Job Level
49- Every local bank must appoint a Chief Compliance Officer, and every branch of a foreign bank must appoint a high-ranking officer at the first managerial level who reports directly to the branch’s chief officer. This role includes the overall responsibility of coordinating the identification of non-compliance risks at the bank, advising on their management, and supervising the activities of compliance officers and staff within the compliance unit.
Job Affiliation
50- The compliance officer at the first managerial level should report directly, and only, to the chief executive in the senior management of local banks (Managing Director/CEO/General Manager) or to the chief officer of the branch in the case of foreign bank branches (according to the highest job title in the branch). The Chief Compliance Officer should not hold any direct or indirect responsibilities related to banking activities. They must have the authority to report and notify the board or its delegated committee of any significant weaknesses, deficiencies, or violations without fear of negative repercussions from management, other business units, or bank employees. No actions should be taken against them for reporting.
Notification of Appointment and Changes to the Board
51- For local banks, the board members must be notified when there is an appointment or change (resignation, transfer to another role, retirement, termination of service, etc.) of the Chief Compliance Officer, including documentation and reasons for the change.
SAMA's Non-Objection to Appointments and Changes
52- The bank must obtain a non-objection letter from SAMA for the appointment of the Chief Compliance Officer, in accordance with the Requirements for Appointments to Senior Positions. SAMA's non-objection is also required if the Chief Compliance Officer leaves the position (resignation, transfer to another role, termination of service, etc.), with documentation and reasons for the change.
Notifying Regulatory Authorities in the Host Countries
53- For banks licensed to conduct international banking activities that have compliance officers in those countries, the regulatory authority in each host country must be notified of the Chief Compliance Officer's appointment or departure if such notification is required by the host country's regulations.
The Affiliation of the Compliance Officers and Staff with the Chief Compliance Officer
54- All staff in the compliance unit must report directly to the Chief Compliance Officer, ensuring that the unit can fulfill all responsibilities independently of other business units within the bank. Compliance officers assigned to compliance tasks in other business units may have a functional reporting relationship to those units but must also have a reporting line to the Chief Compliance Officer concerning their compliance responsibilities and reports. To avoid dual hierarchy, the compliance officers' reporting path to the Chief Compliance Officer regarding non-compliance risks is the controlling and mandatory line.
Periodic Meetings
55- The Chief Compliance Officer should have the authority to hold regular meetings with senior management and heads of different business units to discuss compliance with regulations and instructions relevant to the operations and activities of each group, department, or sector. These meetings should be officially documented. It is preferable that senior management and heads of business units attend these meetings personally rather than sending representatives, as their active participation demonstrates:
- Leadership by example.
- Understanding of their responsibilities regarding compliance.
- Continuous reinforcement of compliance.
- Support for the compliance process.
Delegation of Responsibilities by the Chief Compliance Officer
56- The Chief Compliance Officer may delegate some of their authority to certain employees within the bank to perform tasks related to compliance, such as those in the Treasury Unit or the bank's overseas branches and offices. Any employee delegated these tasks will act as an assistant to the Chief Compliance Officer and will be under their authority concerning non-compliance risks, while retaining full independence in their other banking tasks. The size of the bank and its operational capacity should be considered. Delegation by the Chief Compliance Officer does not exempt them from responsibility; they remain accountable to the relevant parties for all compliance-related tasks.
Conflict of Interest
57- To ensure the independence and professionalism of the Chief Compliance Officer and the Compliance Unit staff, they should hold only responsibilities related to the Compliance Unit. Compliance officers in other business units who are assigned compliance oversight tasks within those units, where present, must avoid conflicts of interest and disclose any situation that may result in a conflict of interest.
58- To ensure that the independence of the Chief Compliance Officer and compliance unit staff is not undermined, their financial rewards must not be tied to the financial performance of the business activity for which they are executing compliance responsibilities. Financial rewards may, however, be linked to the overall financial performance of the bank. In all cases, the final approval of the rewards for the Chief Compliance Officer and compliance unit staff must come from the Board of Directors or a committee derived from it.
Direct Access to Information and Employees
59- To effectively manage compliance responsibilities as outlined in the compliance documentation and at all administrative levels within the bank where non-compliance risks may exist, the Compliance Unit must have the following principal rights and capabilities, without waiting for orders or instructions:
- The right to communicate with any employee and access any necessary information, records, and files needed to fulfill its responsibilities.
- The ability to carry out its responsibilities independently across all business units where non-compliance risks are present, including the right to investigate any potential violations of compliance policies and to seek assistance from internal specialists (e.g., legal affairs or internal audit) or engage external experts if necessary.
- The freedom to report any potential violations or transgressions uncovered during its investigations to senior management, without fear of retaliation or dissatisfaction from business units or other employees.
- Although the Compliance Unit should report administratively to the CEO/Managing Director/General Manager, it must also have the right to communicate directly with the board or its delegated committee, bypassing usual administrative reporting lines if necessary.
- The Chief Compliance Officer should meet with the board or its delegated committee at least once a year to help assess the board's evaluation of the bank's ability to manage non-compliance risks effectively.
- The Chief Compliance Officer must promptly and directly notify SAMA (General Directorate of Bank Supervision) upon identifying strong indicators of significant or serious compliance failures or violations that affect the reputation of the banking sector.
Principle (6): Resources
The bank must provide the Compliance Unit with the necessary resources to perform its responsibilities effectively.
Resources and Effectiveness in Achieving Tasks
60- The resources provided to the Compliance Unit must be both sufficient and appropriate to ensure effective coordination of non-compliance risk management within the bank.
Adequacy and Appropriateness of Resources
61- The Compliance Unit should have staff with the necessary qualifications, experience, and personal and professional attributes required to carry out its defined duties. Compliance Unit staff must also have a sound understanding of regulations and instructions and their actual impact on the bank's operations. Additionally, the professional skills of the Compliance Unit staff should be maintained and developed, especially in keeping up with developments in regulations, instructions, and technology, through ongoing and regular education and training.
Responsibility for Providing Resources and Its Impact
62- The responsibility for providing the necessary financial, human, and technical resources and directing them towards the compliance process lies with the board according to the approved policy and with senior management during the implementation and management of non-compliance risks and their development. It should be noted that increased compliance costs (e.g., development plans) can lead to enhanced effectiveness in identifying, measuring, monitoring, and controlling risks, thereby resulting in higher profits, better coordination of activities, and improved quality. Therefore, a periodic assessment should be conducted to ensure the adequacy of human and technical resources and determine whether additional support or development is needed to ensure the effective and efficient management of the compliance process.
Principle (7) Responsibilities of the Compliance Unit
Assisting Senior Management in Compliance Implementation
63- The responsibility for compliance and managing non-compliance risks at the bank lies with senior management. The role of the Compliance Unit is to assist senior management in effectively managing and addressing non-compliance risks (through advising, monitoring, and oversight). The Chief Compliance Officer supervises the implementation of compliance duties, which include executing the compliance program with its objectives and projects, and other approved tasks required for the effectiveness and role of compliance, aligned with the bank's risk strategy. If some of these responsibilities are carried out by employees in different business units (compliance officers), the distribution of these responsibilities must be clearly defined.
64- The responsibility for addressing and correcting any deficiencies or violations identified by the Compliance Unit rests with senior management and the heads of business units where deficiencies or violations have been observed. The Compliance Unit's role is limited to providing advice and follow-up with the heads of business units and reporting any shortcomings in addressing and correcting issues.
Communicating Regulations and Instructions and Monitoring Compliance
65- The Compliance Unit must ensure that senior management and various business units are appropriately and timely informed of regulations issued and instructions received from SAMA and other relevant official internal and external entities (such as countries and organizations related to banking regulation). These must be stored in a database and maintained continuously and accessibly, ensuring that policies, procedures, products, services, and advertising models comply with the relevant regulations and instructions. It is essential to understand the communicated instructions and seek clarifications from the Compliance Unit or SAMA if needed. The bank will not be exempt from regulatory penalties due to incorrect application of instructions.
66- All business units within the bank must obtain the Compliance Unit's approval before submitting requests for SAMA's approval for new products and services. The request for approval or non-objection from SAMA should be submitted to SAMA only by the Chief Compliance Officer.
67- The Compliance Unit must be involved in the decision-making process when assigning tasks to third parties to ensure there is no conflict with any instructions issued from SAMA or other relevant authorities.
Organizing Responsibilities
68- Not all compliance responsibilities are executed solely by the Compliance Unit. Some compliance tasks can be carried out by employees in various bank units and its foreign branches (compliance officers), with the Chief Compliance Officer overseeing their work through an organization approved by the board or a delegated committee.
69- The bank's organizational structure includes specialized supervisory units requiring specialized expertise, such as credit risk monitoring units, information security units, and finance units. These specialized supervisory units are responsible for implementing the compliance requirements related to their specialized tasks (e.g., taxation, zakat, credit risk, market risk, operational risk, information security, etc.). The Compliance Unit’s role concerning these specialized units is to obtain the necessary assurances, documents, and evidence that they are fulfilling their compliance responsibilities and required role, unless the specialized expertise and competencies are assigned to the Compliance Unit so that it implements the compliance requirements related to the activities and tasks of those units itself. In either case, these responsibilities must be documented in the compliance policy to prevent any overlap that may arise from the similarity of the supervisory roles of those units and the Compliance Unit.
70- To ensure that the Chief Compliance Officer and the Compliance Unit staff can perform their responsibilities effectively, the Compliance Unit must have the right to request the bank's legal department to:
- Provide advice on regulations and the drafting of instructions for the Compliance Unit, and prepare the necessary guidelines for employees. The Compliance Unit will focus on monitoring compliance with instructions, policies, and procedures, and on preparing and submitting reports to senior management.
- Investigate deficiencies and violations related to the implementation of the relevant regulations and instructions concerning the tasks and operations of all of the bank's units.
- Provide legal opinions on the results of investigations conducted by the Compliance Unit from time to time.
Consultation
71- The Compliance Unit must provide advice to senior management regarding compliance regulations, rules, and standards, including updates on local and international developments in this area. This advisory role involves close collaboration between the Compliance Unit staff and the bank’s business units, offering support and guidance on their daily operations. The Compliance Unit is responsible for advising on compliance matters and serving as the point of contact for any compliance-related inquiries from bank staff.
Guidance and Awareness
72- Training and educating all bank staff on relevant regulations and instructions pertaining to their individual responsibilities is a fundamental aspect of senior management's efforts to instill a compliance culture and encourage reporting of any violations to the Compliance Unit. Therefore, the Compliance Unit must continuously and proactively assist senior management in:
- Raising employee awareness about compliance issues and potential violations, recognizing that they are the first line of defense, and serving as an internal contact point for compliance-related questions from bank employees.
- Developing written guidance for employees that addresses the appropriate application of relevant regulations, compliance rules, and standards through policies and procedures. This includes preparing other guidance documents such as compliance manuals, internal codes of conduct, and practical guides.
- Ensuring that the annual training and awareness program for all employees includes a plan that meets the bank’s ongoing needs and can be promptly adjusted in response to new issues, observations, significant changes, or updates in regulations, or high employee turnover. Training should be provided through available methods within or outside the bank, particularly for new employees, to familiarize them with compliance requirements related to their banking operations before starting their duties, and for those who interact directly with the public, to periodically remind them of requirements such as sales and marketing instructions, anti-money laundering and counter-terrorism financing, due diligence, reporting suspicious transactions, and internal violations.
Identifying, Measuring, and Evaluating Non-Compliance Risks
Identifying Risks
73- The Compliance Unit should proactively identify, document, and assess non-compliance risks related to the bank’s activities (regulatory, financial, reputational, or strategic risks), including new product developments, business practices, new types of business or customer relationships, or significant changes in the nature of these relationships. If the bank has a New Products Committee, representatives from the Compliance Unit should participate in this committee.
Measuring Risks
74- The Compliance Unit should study methods for measuring non-compliance risks both quantitatively and qualitatively (e.g., performance indicators related to compliance) and use these metrics to support the assessment, reduction, and management of non-compliance risks. Techniques such as aggregating or filtering data to identify potential non-compliance risk indicators (e.g., increasing customer complaints, fraud cases, reports, penalties, and payments) can be employed.
Evaluating Risks
75- The Compliance Unit should evaluate the adequacy of the bank's compliance policy and procedures, promptly address any identified deficiencies, and propose amendments when necessary, based on technical capability. It should also encourage and monitor the relevant departments to make necessary adjustments and corrections.
Monitoring, Testing, and Reporting
76- The Compliance Unit must continuously monitor and test compliance through adequate and representative tests. The results of compliance tests should be reported according to their administrative hierarchy and in accordance with the bank’s internal risk management procedures.
77- The chief compliance officer must submit regular written reports to senior management addressing compliance issues. These reports should include an assessment of non-compliance risks during the reporting period, note any changes in the level of non-compliance risk based on relevant metrics (e.g., performance indicators), and provide a summary of any identified violations and deficiencies, proposed corrective actions, and required correction dates, along with details of actions already taken. The reporting format should align with the bank's non-compliance risk profile and activities.
High-Risk Cases and Urgent Developments
78- The board or its delegated committee overseeing compliance policy implementation should be informed immediately of any significant compliance failures or deficiencies that could lead to substantial regulatory penalties, legal actions, financial losses, or damage to reputation. If the impact is deemed significant to the banking sector's reputation, SAMA and the general administration for bank supervision should be notified directly and immediately.
Annual Compliance Report
79- An annual compliance report should be prepared by senior management and presented to the board, covering at a minimum the requirements set forth by SAMA from time to time.
80- SAMA should receive the board-approved version of the annual compliance report by the end of April each year, sent by the Chairman of the Board of the local bank or the Chief of the foreign bank branch, as part of the bank’s self-assessment of its compliance.
Regulatory Responsibilities and Communication
81- As a regulatory basis, the Compliance Unit must undertake responsibilities and tasks directly and indirectly related to non-compliance risks, including: (1) compliance oversight (monitoring, relationship with SAMA, consultations), (2) anti-money laundering and counter-terrorism financing, (3) anti-fraud measures, (4) anti-corruption, (5) self-supervision, and (6) handling violation reports. It must also take responsibility for developing the mechanisms and coordination needed to meet the requirements of the security procedures communicated to the institution.
82- The Compliance Unit is responsible for monitoring external regulatory bodies, standard-setting entities, and external experts concerning its regulatory responsibilities, particularly in anti-money laundering, counter-terrorism financing, and non-proliferation.
Compliance Program
83- The Compliance Unit should implement its responsibilities under a compliance program that outlines its planned activities, such as applying and reviewing specific policies and procedures, assessing non-compliance risks, conducting compliance tests, and raising employee awareness on compliance issues. The compliance program should be risk-based and overseen by the Chief Compliance Officer to ensure it adequately covers all activities and coordinates between the compliance units (monitoring compliance with regulations, anti-money laundering and counter-terrorism financing, anti-fraud, anti-corruption, and handling violation reports).
Compliance Unit Database
84- The Compliance Unit should establish and continuously update a database of all compliance regulations, rules, and standards, ensuring that all bank employees can access and benefit from it at all times.
Documentation
85- The Compliance Unit must document policies, procedures, plans, events, and work papers to fulfill its duties and responsibilities.
Warning Signs (Red Flags)
86- The compliance program must include a warning-signs (red-flag) mechanism to alert the bank to violations of internal and external regulations and to situations that expose it to non-compliance risks, such as rapid bank growth, the opening of new branches, high employee turnover, changes in programs, and the introduction of automated systems into workflows. This mechanism should also protect whistleblowers and include incentives in accordance with SAMA's whistleblowing policy.
Principle (8): Relationship Between the Compliance Unit and the Internal Audit Unit
Internal Audit Activities
87- The activities and scope of the Compliance Unit should be subject to periodic review by the Internal Audit Unit.
Independence of Both Units
88- The Compliance Unit and the Internal Audit Unit should be separate and independent within the bank. One of the primary responsibilities of the Compliance Unit is to monitor the bank's adherence to compliance rules. The Internal Audit Unit has a broader scope of responsibilities. Although there may be some overlap between the responsibilities of the two units in certain areas, each unit operates independently and any overlap should not impact the functioning of either unit.
Review of Compliance Unit Activities
89- To assess the efficiency and effectiveness of the Compliance Unit, non-compliance risks should be included in the risk assessment methodology adopted by the Internal Audit Unit. A periodic review program of the Compliance Unit’s activities should be established, including testing controls that align with the level of potential risks, in accordance with the requirements of these principles.
Integration in Risk Assessment
90- There must be a clear understanding within the bank of how risk assessment and testing activities are divided between the two units, and this division should be documented in the bank's compliance policy. The Internal Audit Unit should inform the head of the Compliance Unit of the audit results related to compliance within the bank.
Monitoring the Compliance of the Internal Audit Unit
91- The Compliance Unit plays a crucial role in monitoring the compliance process within the bank, which includes overseeing that the Internal Audit Unit carries out the tasks, responsibilities, and activities as required by SAMA in the specified manner and timeframe.
Oversight from a Specific Perspective
92- To further clarify the roles of the Compliance Unit and the Internal Audit Unit as two independent entities: both are responsible for overseeing the bank's activities, but each oversees from its own perspective. The Compliance Unit focuses on identifying and clarifying the regulations, instructions, policies, and procedures that must be implemented in the bank, ensuring that these are incorporated into the approved policies, procedures, and work programs, and continuously verifying that those policies and procedures are actually followed, are effective in mitigating non-compliance risks, and are regularly updated. The Internal Audit Unit conducts field and documentation audits of all bank units, through sampling or comprehensive coverage, continually monitors the bank's internal control systems, and assesses compliance with the policies and procedures that the Compliance Unit has helped prepare and implement on the basis of regulations, instructions, and guidelines.
Other Matters
Principle (9) Matters Related to External Operations
Compliance with Regulations and Instructions in the Host Country
93- Banks that choose to conduct banking activities in certain countries must adhere to the regulations, instructions, and laws applicable in those countries. The branches or offices, as well as the structure and responsibilities of the compliance function, must be aligned with the regulatory requirements and local instructions of those countries.
Higher Standards as a Basis When Regulatory Requirements Differ
94- When engaging in banking operations in specific countries, whether through branches or subsidiaries, it is important to recognize that regulatory requirements and instructions may vary from one country to another. These differences might depend on the type of business the bank is conducting or the form of its presence in those countries. Therefore, particular emphasis should be placed on the requirements outlined in Paragraph (2/6) of Section Two of the Anti-Money Laundering and Counter-Terrorism Financing Guide.
Compliance Officers in Host Countries
95- Banks that choose to operate in specific countries must comply with all local regulations and instructions applicable in those countries. For example, banks operating as subsidiaries must meet the regulatory and instructional requirements for companies in the host countries. Banks operating as foreign branches must fulfill the requirements specified for foreign bank branches. The bank must ensure that compliance responsibilities in host countries are carried out by employees with local knowledge and expertise, in addition to oversight by the Chief Compliance Officer in collaboration with other risk and control units in the home country.
Risk Assessment for Overseas Activities
96- Each bank must have implemented and updated procedures to identify and assess potential or increasing risks to its reputation arising from products and activities offered in host countries through its subsidiaries or branches that are not permitted or practiced in the Kingdom.
Principle (10): Delegation of Compliance Unit Tasks
Limited Delegation Agreement and Responsibility
97- The activity of the compliance unit is considered a primary function in managing non-compliance risks within the bank. While some specific activities may be delegated to specialized entities, they must remain under the supervision and responsibility of the Chief Compliance Officer. The Chief Compliance Officer is ultimately responsible for ensuring compliance and cannot delegate their responsibility to others.
Suitability of Agreements with Tasks
98- The bank must ensure that any agreements or arrangements for delegating some compliance tasks do not impede the effectiveness of supervision by SAMA or other regulatory and supervisory bodies. Even where the bank delegates certain tasks it deems necessary, the primary responsibility for ensuring compliance with all regulations and instructions remains with the board and senior management.
SAMA Approval
99- The delegation of any compliance activities is subject to the instructions issued by SAMA, including obtaining its non-objection prior to entering into any delegation agreements.