1. Banks are required to have a Board (or its delegated authority) approved New Products/Services Policy to guide the development and approval process for new banking products and services. The New Product and Services Policy should detail the process to be followed regarding the review and approval of new products and services. Such a policy should at least cover the following areas;

   a. The policy shall give due regard to the interests of consumers in the development, marketing and sale of new products and services. The bank's new products policy should describe the appropriate parameters and guidance for the fair treatment of consumers which shall serve to avoid the potential for mis-selling, terms and conditions that are inherently unfair to consumers, and business practices that restrict the freedom of choice to consumers.

   b. For retail products, the new products/services policy must comply with relevant regulations for retail products and services on standards of business conduct issued by SAMA as may be applicable.

   c. For retail products, the policy must require that all applicants complete the 'New Products - Consumer Protection Checklist' (SAMA will provide this checklist in due course). This checklist must be signed by the Business owner and the Head of Compliance. In the event that the application for the new product does not comply with consumer protection requirements, the product cannot be introduced to the marketplace, even if other approval requirements are in place. After the introduction of the product, SAMA can, at any time, request suspension or withdrawal of the product if there is a negative impact on consumers.

   d. The policy should require that senior management and/or the board as appropriate approve all new products and services.

   e. A full risk assessment of a new product and service should form the basis on whether or not to introduce it to the market.

   f. The policy should define the requirement to have a pilot or testing phase for the new product/service before its commercial launch.

   g. The policy should define parameters for the authority which approves new products and services including the circumstances under which such authority may be delegated.

   h. The policy should establish restrictions and/or prudent concentration limits for exposures to geographic regions, product lines, economic sectors or any other relevant risk dimension where applicable.

   i. The policy should establish lines of responsibility for managing related new product/service risks and;

   j. Establish internal communication flows to ensure that the new product or service offerings are fully integrated throughout the bank's line functions.

2. The board of directors (The Board) and senior management of the bank are responsible to ensure that the new product/service risks are well managed. Banks must have in place appropriate policies and procedures to prudently manage risks associated with the new products/services it offers
3. The new product/services must fall within the ambit of banking business.
4. The bank should correctly classify the new product as per the accounting and SAMA trading and banking book prudential rules.
5. The bank should have the organizational and operational capacity to adequately manage and control the risks associated with the new product/service.
6. In offering its new product/services, the bank must comply with all applicable regulatory requirements and its internal policies as well as regulatory requirements issued by other domestic and international regulators (for overseas subsidiaries and branches). The compliance department of the bank is required to review the new product (s) or service (s) request from compliance, regulatory and financial crimes perspective and ensure that the new product (s) and service (s) conform to all rules and regulations applicable in the Kingdom. The Internal Audit function of the bank is required to audit any new product or service within six months of the launch of the product. Bank Audit departments must also ensure that Shariah compliant products remain complaint throughout the life of the product/service.
7. A bank that offers new Shariah-compliant product/service shall ensure a sound and robust Shariah technical and governance framework is in place that includes a comprehensive end-to-end Shariah-compliant product/service development and implementation process. The product/service (including its accompanying documentations) must be approved by the bank's Shariah Committee
8. Banks offering Shariah-compliant products/services must also have a robust bridging methodology for conversion from Shariah to conventional products status for the purposes of complying with Basel rules for capital and risk determination.
9. For Shariah-compliant products, banks must ensure that the new product development process is comprehensive and robust to minimise the possibilities of the new product to be later nullified on Shariah grounds

Derivatives play an important role in the economy. However, they are also complex in nature and are associated with certain risks that are unique to them. Banks that seek to introduce new derivatives products for their customers shall develop and implement internal customer suitability procedures aimed at ensuring that these products are only sold to suitable customers. Customer suitability procedures should be designed to seek sufficient knowledge about the customer to establish that;

(a) The customer has a practical understanding of the features of the product and the risks assumed. For the more complex derivatives such as structured products, the complexity of the payoff structure can make it difficult for customers to accurately assess the value and risk of the structure product. Banks should illustrate the potential profit and loss scenarios over the structured product's time horizon. Banks must also ensure that the senior management and the board (where a board exists) of the customers are made aware in cases where the bank is offering the more complex derivatives such as structured products..

(b) The product would meet the customer's business objectives and;

(c) The product is consistent with the customer's appetite for risk.

A bank should not recommend a derivative product to a customer unless it is reasonably satisfied that the product is suitable for that particular customer and the nature of the customer's business. Such a decision should be made based on information sought and obtained from the customer.

Given their complex nature, greater due diligence is expected for new derivatives products. As such, banks must ensure that a new derivatives product, at a minimum, meets the following three (3) key tests:

(1) An Economic Purpose Test

Banks seeking to introduce new derivative products should demonstrate that the proposed derivative instrument has a bona fide economic purpose and does not merely provide a means of financial speculation, leverage, or regulatory arbitrage. To meet this test, the bank would have to;

(1) Identify the intended customers for the proposed new derivative product and describe (with sufficient specificity) potential uses;

(2) Show that the new derivative product will fulfill a specific business need of potential customers, which existing financial products fail to fulfill; and

(3) Demonstrate that this legitimate business need significantly outweighs any potential uses of the new derivative product for speculative purposes, leverage or regulatory arbitrage as the core motivation for the customer or the bank to enter into the proposed transaction.

(2) An Institutional Capacity Test

A bank that intends to introduce a new derivatives product must demonstrate that it has the internal organizational and operational capacity to monitor and manage potential risks the proposed new product poses to the bank's own financial health, as well as to the financial well-being of the customers and overall market stability.

The bank must demonstrate that effective control, monitoring and reporting systems and procedures are in place to ensure on-going operational compliance with the bank's, the customer's and the counterparty's risk appetite. The bank should also have a strong governance process around the valuation of derivatives, which includes robust control processes and documented procedures.

(3) A Systemic Risk Test

A bank intending to introduce a new derivatives product will have to demonstrate that the proposed product does not pose potentially unacceptable systemic risk. It is the responsibility of the bank to ensure that suitability of customers for the new derivatives product are assessed not only based on the bank's exposure to an individual customer but also based on the industry's exposure to the customer. The bank would therefore need to obtain full disclosure from the customers about their derivative exposures with other banks and nonbanking entities prior to selling a new derivative product. Future access by banks to aggregate position information in Saudi Arabian Trade Repository (SATR) will help banks meet this objective but until then, banks must get their customers to disclose this as part of their facility application process. The bank must also ensure that the new derivative it seeks to market is not likely to have a negative impact on broader socio-economic policy goals of the country (Impact on SAIBOR, SAR etc). In this regard, structured products like multi-legged non-linear derivatives involving SAR against a foreign currency warrant close monitoring for their impact on the financial markets. SAMA also expects that banks report any reportable new derivatives product transactions to the Saudi Arabian Trade Repository (SATR) as per SATR reporting guidelines.

Fintech refers to the application of information and communication technology ("ICT") in the field of financial services, including such areas as digital payment and remittance, financial product investment and distribution platforms, peer-to-peer financing platforms, cybersecurity and data security technology, big data and data analytics, and distributed ledger application to new asset classes and processes.

Banks are keen to develop innovative Financial Technology (Fintech) products and services but may not be able to do as they either require additional regulation or the current regulation does not allow for the products and services.

SAMA has adopted the SANDBOX concept to help create an environment to provide fintech regulation clarity and provides regulation check for Fintechs and financial institutions that want to check new products and services.

SANDBOX is a monitored light touch regulatory environment that enables financial institutions and startups to experiment and test financial technology solutions that may not be allowed under current regulations. A sandbox provides a period of time for the promoter and SAMA to understand the impact of the technology.

All banks wanting to introduce on their own or partner with others to introduce new Fintech products or services are required to apply to SAMA to ensure such technology is first tested and evaluated comprehensively in SAMA's SANDBOX before being released to the public.

Below is a brief description of the processes that the Fintech product/service could go through under the SAMA SANDBOX concept.

Sandbox Application Process

1. Banks intending to introduce new product/service are required to notify SAMA.
2. SAMA will not grant approval or a 'no objection' for new products/services but in line with its primary supervisory objectives, SAMA can object to the introduction of a new product/service by a bank if it believes that such an introduction will go against this objective.
3. SAMA will base any decision (2 above) on documents submitted by the bank as well as representations as to the process that has been followed by the bank in the development of the new product or service.

A bank notifying SAMA of its intention to introduce a new product/service should complete the checklist in Appendix A, which at minimum, requires the submission of the following supporting documents/information;

a) A detailed new product/service program/description document outlining the product/service's features, structure, and target customers. Banks should provide product illustrations and flow charts where appropriate.

b) Description of the product/service's key inherent risks from both the bank's perspective and the perspective of the customer, together with the systems and processes that are in place to mitigate these risks.

c) A signed statement by the Chief Risk Officer (CRO) and the Head of Compliance of the bank that the new product/service is developed in accordance with the bank's approved New Products/Service Policy, this guideline, all other regulations and the Banking Control Laws.

d) A Copy of the New Product/Service Development Policy as approved by the Board or its delegated authority.

e) Copies of supporting documents such as Term Sheets and other constituent documents where applicable.

f) Necessary Shariah approvals for Islamic products/services.

4. SAMA will acknowledge receipt of such a notification within seven (7) business days of receiving the notification. In case the bank does not receive a notification within (7) days from SAMA, it is the responsibility of the bank to follow up this and confirm whether SAMA has received its new products/service notification application. SAMA will notify the bank if it needs further information and discussions about the new product/service or if it objects to the introduction of the new product within fourteen (14) business days of receiving the notification. If the bank does not receive any objection or request for further information/discussions from SAMA after fourteen (14) business days, the bank can go ahead and launch the new product as long as it meets the requirements of this guideline, Banking Control Laws, all other SAMA regulations and the bank's own internal policies.

1. SAMA has the right, at a future date, to object to the continued offering of a product or service if it believes that the continued offering of that product or service poses risks to the bank or the system as a whole
2. Banks are required to regularly review identified risk exposures of the products and services in the light of changing market conditions not previously factored in to ensure that all material risks of the new product or service are identified and monitored
3. Banks are required to keep an updated register of all their products for future inspections by SAMA

...........Bank (Name of bank) hereby concurs that the.................. product/service (Name of product) has been developed in accordance with SAMA's new products/services guideline, the banks' approved new products policy, Banking Control Law and all other relevant laws and regulations

-----------------------------------                                                      --------------------------------

Chief Risk Officer (CRO)                                              Head of Compliance/Chief Compliance Officer