III. Policy Content
a. General obligations
A financial institution shall observe the following:
- It shall prepare a policy on whistle blowing to be approved by its board of directors. If the financial institution does not have a board of directors, this policy shall be approved by a chief executive officer or a general director and reviewed annually.
- It shall submit a periodic report to its board of directors and audit committee on the cases received and actions taken.
- It shall encourage its employees and stakeholders to report any violation committed inside or outside the financial institution within the scope of their work.
- It shall raise awareness among, and reassure, its employees and stakeholders about the confidentiality of the whistle blowers’ identity and the information contained in reports for all stages of the processing of each report.
- It shall protect whistle blowers against any retaliation.
- It shall encourage its employees and stakeholders not to hesitate to report any violation due to being uncertain of the authenticity of the report and whether or not it can be supported with facts. The financial institution shall also stress that all employees and stakeholders are expected to refrain from rumors, irresponsible behavior and false allegations, and that, if a claim is made in good faith but has not been established as valid during investigation, no action will be taken against the whistle blower.
- It shall provide its employees and stakeholders with information on all channels for whistle blowing, which should include as a minimum: a direct telephone number, website, postal service, and e-mail address.
- It shall prepare awareness programs that urge its employees and stakeholders to report violations and clarify their responsibilities.
b. Violation Report Processing Unit
Financial institutions shall establish an independent administrative unit to receive and process violation reports and to report to the compliance department.
c. Whistle Blowing Cases
Financial institutions must encourage their employees and stakeholders to report incidents that might lead to correcting errors or actions, detecting violations or promoting values. Such reports may include any of the following cases:
- Financial and administrative corruption, which is any illegal exploitation of financial resources or administrative organization in a financial institution;
- Breach of the laws, regulations, instructions and policies which must be followed as required by the financial institution's scope of work;
- Violations related to the environment, health and safety in the workspace, including any negative behavior that might harm the environment or workplace or threaten the safety of any individual;
- Indecent conduct contrary to public order, Islamic ethics, customs and traditions;
- Misuse of the financial institution's property or assets;
- Abuse of power or decision making by employees of the financial institution, which may go against the financial institution's interest;
- Passing of illegal operations of the financial institution, circumvention of laws, or concealment of regulatory errors;
- Conflict of interest in any business arrangement or contract carried out by the financial institution;
- Misuse of the powers granted by the financial institution to its employees, such as exchanging passwords, etc.;
- Obtaining undeserved benefits or rewards;
- Unlawful disclosure of confidential information;
- Acts of concealment involving bad faith or intentional negligence, destruction of official documents, or concealment of fraudulent financial reports;
- Serious negligence which may result in damage to the financial institution; and
- Concealment of any of the acts mentioned above.
d. Obligations of Whistle Blowers
A whistle blower shall:
- ensure credibility in reporting by avoiding rumors and allegations that are not based on facts, and report whenever real and reasonable information indicating a suspicion of violations is found;
- avoid malicious reports aimed at defaming others, taking reprisal or retaliation against them, or undermining confidence in the financial institution, its employees or stakeholders;
- exercise due diligence by ensuring accuracy in reporting, providing all necessary details relating to the case reported, and attaching all documents containing details and evidence as required by the nature of the violation;
- report violations as soon as possible;
- maintain full confidentiality of the report for the good of the financial institution; and
- bear the responsibility for malicious allegations that defame or damage the financial institution or any of its employees or stakeholders.
e. Obligations of Financial Institutions upon Receiving Reports
Upon receiving a violation report, a financial institution shall:
- treat such report with the necessary seriousness, regardless of the nature, language, adequacy of information, impact or importance of the report;
- take all necessary measures to protect the whistle blower;
- notify the whistle blower of receipt of the report and, if possible, the decision made;
- take corrective actions for the violation if proved;
- take into account the interest of its employees and stakeholders;
- refer reports to the department responsible for control and investigation, either inside or outside of the financial institution;
- keep violation reports and relevant documents, including recordings, for the durations specified by the laws and instructions; and
- prepare reports on whistle blowing instances and the procedures followed.
f. General Obligations for Protecting Whistle Blowers
- Financial institutions shall protect whistle blowers providing unmalicious reports from any potential retaliatory action taken by their employees.
- A whistle blower, whose identity was not revealed and could not be discovered by the financial institution, may not claim protection as prescribed by Clause (e/ 2) under Part (III).
- Financial institutions shall not disclose any information about any whistle blower except to competent authorities, such as investigation and judicial authorities.
g. Processing of Reports
1. Reporting Channels (Means for Reporting)
Financial institutions shall provide effective channels that ensure confidentiality of information for all of their employees and stakeholders.
2. Objective Processing of Reports
Financial institutions shall handle the reports received according to internal instructions that ensure objective and progressive processing of reports and formulation of a corrective action plan. Each report will be classified by type of processing, in line with the financial institution’s administrative structure.
3. Approval and Supervision
A financial institution shall develop an internal policy for the approval and supervision of the mechanism for processing violation reports. It shall also assign the individuals authorized to handle these reports.
4. Automated Reporting System
A financial institution shall establish the controls necessary to review and clearly understand the content of reports. It shall develop an automated system through which, at least, the following information can be viewed:
- The channel for receiving reports;
- Total number of reports;
- Total number of reports by subject;
- Number of reports processed and reports in progress; and
- Type of processing.
Such automated system should be designed to generate any reports for any of the processing stages requested by SAMA.
5. Report Processing Stages
The financial institution shall establish working procedures for the processing of reports, describing detailed steps of each procedure and specifying the inputs, outputs, models and automated systems used for each procedure as well as the individuals authorized. These working procedures should include at least the following stages:
- Report reception;
- Initial assessment;
- Identification of verification plan;
- Documentation of rationale supporting the processing decision;
- Decision taken for processing;
- Follow-up on decision implementation; and
- Record keeping.
h. Key Performance Indicators
There should be an indicator for each stage of the working procedures aimed to determine the performance level by measuring the extent of meeting all the requirements of each procedure established by the financial institution.