Cyber Risk Control
Cyber Resilience
Cyber Resilience Fundamental Requirements (CRFR)
To read the Cyber Resilience Fundamental Requirements (CRFR), click here.
Cyber Security Framework
Translation of this section is for demo purposes only.
Foreword
In view of the ever-growing seriousness of cyber-attacks, we are conscious of the need to stay one step ahead. The issuance of a Cyber Security Framework (“CSF”) seeks to support our regulated entities in their efforts to have appropriate cyber security governance and to build a robust infrastructure along with the necessary detective and preventive controls. The Framework articulates appropriate controls and provides guidance on how to assess maturity level.
The adoption and implementation of the Framework is a vital step for ensuring that Saudi Arabian Banking, Insurance and Financing Companies sectors can manage and withstand cyber security threats. In designing the Framework, we have considered the ways that our regulated entities are leveraging technology and felt that each entity will be able to adopt a common approach for addressing cyber security. This will ensure cyber security risks are properly managed throughout the sectors.
Financing Companies must implement the Cyber Security Framework as follows:
First: Conduct an in-depth and accurate assessment of the current status of cyber security at the financial institution. This should be compared against the requirements stated within the CSF to identify weaknesses and assess the level of maturity as described within the CSF under the definition of "Maturity Level".
Second: Develop a business plan to meet all requirements of the third maturity level, as mentioned in the CSF, as a minimum.
Third: Present the business plan to the board of directors/managers or general manager, for their review, approval and for seeking any further necessary support.
Fourth: Send the approved business plan to SAMA by the end of the fourth quarter of the year 2019*.
Fifth: Provide SAMA with quarterly reports starting from the end of the second quarter of the year 2019* until full compliance with the CSF.
Sixth: Fully comply with the requirements stated in the CSF by the end of the fourth quarter of the year 2019*.
Seventh: The Cyber Security Committee (or equivalent) of the financial institution must follow up on the implementation of the CSF to ensure that full support and resources are provided where necessary, and to ensure timely escalation to the competent authority of obstacles and other related hindrances that may prevent complete implementation of the CSF.
To achieve the above, the full support and oversight of the Board of Directors and Senior Management are required.
The Information Technology Risk team within the Deputyship of Supervision is at your disposal for any clarifications and we remain committed to guiding our regulated entities in creating a safer cyber environment.
The business plan and quarterly reports to be sent to: (CRC.Compliance@SAMA.GOV.SA).
To read the Cyber Security Framework ("CSF"), click here.
*Amended in accordance with SAMA circular No (51610/99) dated 17/08/1440H.
Financial Sector Cyber Threat Intelligence Principles
To read the Financial Sector Cyber Threat Intelligence Principles, click here.
Minimum Verification Controls
To read the Minimum Verification Controls, click here.
Business Continuity Management Framework
To read the Business Continuity Management Framework, click here.
Financial Entities Ethical Red-Teaming
To read the Financial Entities Ethical Red-Teaming, click here.
Information Technology Governance
Outsourcing and Third Party
Counter Fraud
Rules on Outsourcing for Finance Companies
No: 65338/99 | Date(g): 13/1/2019 | Date(h): 7/5/1440 | Status: In-Force
Chapter 1: Definitions
a. The terms and phrases used in these Rules shall have the same meaning assigned thereto in the Finance Companies Control Law and its Implementing Regulations.
b. For the purpose of applying the provisions of these Rules, the following terms and phrases, wherever mentioned herein, shall have the meaning assigned thereto unless the context otherwise requires:
Rules: Rules on Outsourcing for Finance Companies.
Outsourcing: Any contract or agreement by which an external service provider undertakes to provide services to the finance company.
External Service Provider: Any service provider to whom an activity is outsourced. An External Service Provider can be a member of the group to which the finance company belongs, a related party, or an unrelated third party.
Material Functions: Any function whose default or disruption may have an impact on the finance company’s activities, reputation or financial situation, or any outsourced function that includes sharing, transferring, processing or storing consumers’ data and information.
Chapter 2: Application of the Rules
2- These Rules set the regulatory requirements for licensed finance companies under Finance Companies Control Law issued by Royal Decree No. (M/51) dated 13/08/1433H which have entered into or intend to enter into outsourcing contracts/agreements.
3- These Rules shall be read in conjunction with the Finance Companies Control Law and its Implementing Regulations in addition to the relevant laws, regulations, instructions, controls and rules.
Chapter 3: Liability and Obligations
4- The finance company shall establish and annually update a written outsourcing policy approved by the Board of Directors.
5- The finance company should establish appropriate internal controls and procedures to ensure compliance with these Rules.
6- The finance company shall verify the External Service Provider’s compliance with relevant laws, regulations and instructions. The finance company shall remain responsible if the External Service Provider fails to comply with the applicable laws, regulations and instructions in any outsourced operations and tasks.
7- The finance company should ensure that all existing and proposed outsourcing contracts/agreements have been subject to a comprehensive risk review process at inception and renewal. This process should evaluate key risk factors, namely operational, legal, reputation and regulatory risks.
8- SAMA, the finance company and the external auditor may obtain any information or documents related to the work of the External Service Provider or examine such data in its offices.
9- The finance company must exert due diligence to verify that the External Service Provider has obtained the necessary licenses to carry out its activity, and that it has the required technical and legal qualification.
10- Without prejudice to Article (34) of the Implementing Regulations of the Finance Companies Control Law, the finance company shall maintain all documents that demonstrate compliance with these Rules, including outsourcing contracts and agreements and outsourcing policy in an orderly, transparent and safe manner.
Chapter 4: Outsourcing Policy
11- The finance company should establish proper safeguards to protect the confidentiality of consumers’ data and retrieve or destroy all such data upon the expiration or termination of the outsourcing contract for whatever reason.
12- The Outsourcing Policy should include in particular the following:
a. Terms of reference and responsibilities of the Board of Directors and senior management with regard to outsourcing.
b. The functions allowed to be outsourced, and the eligibility criteria for the External Service Provider, established by conducting due diligence on the following:
1) Experience and financial and technical capabilities of the External Service Provider;
2) Impact of the outsourcing on the overall risk profile of the finance company, risk identification criteria and risk mitigation measures;
3) Impact of the outsourcing on systems and controls within the finance company;
4) Rules for the continuous control and monitoring of the outsourced operations;
5) Criteria to identify conflicts of interest as well as rules and procedures which ensure safeguarding the interests of the finance company and not putting the interest of the other party over the company's interest;
6) Procedures to protect information and maintain confidentiality and privacy;
7) A clear mechanism to verify the External Service Provider’s compliance with the laws and instructions relevant to the outsourced services whether issued by SAMA or any other authority, including the Finance Consumer Protection Principles; and
8) All requirements of these Rules.
Chapter 5: Contract Requirements
13- The finance company shall document the outsourcing in a legally binding written contract or agreement with the External Service Provider that is compliant with the applicable regulatory requirements. The Contract or Agreement shall include, at a minimum, the following:
a. Parties to the Contract or Agreement;
b. Scope of Contract or Agreement;
c. Term of Contract or Agreement;
d. Type of service and performance requirements;
e. Audit and monitoring procedures;
f. Business Continuity Plans;
g. Default arrangements;
h. Pricing and fee structure;
i. Dispute resolution mechanism;
j. Liability and indemnity;
k. The commitment of the External Service Provider to the confidentiality and privacy of information;
l. The compliance with relevant laws, regulations, rules, controls and instructions;
m. Reporting mechanism;
n. Commitment from the External Service Provider to report to the finance company, within the period agreed upon in the contract or agreement, any control weaknesses or adverse developments in its financial performance that may lead to a breach of its obligations under the contract or agreement;
o. Commitment from the External Service Provider that there are no regulatory impediments preventing the finance company from accessing data and records related to outsourced services;
p. Commitment from the External Service Provider to return or destroy all data related to the outsourced services upon the expiration of the outsourcing contract or agreement, as long as there are no regulatory requirements to keep such data;
q. The consequences of renewal, renegotiation, default termination and early exit of the contract or agreement, so as to enable the finance company to retain control over the outsourced activity, and the necessary arrangements to deal with failure to fulfill the terms of the contract or agreement or with the termination of the contract or agreement;
r. The right of SAMA, the finance company, and the external auditor to obtain any information or documents related to the work of the External Service Provider or examine such data in its offices;
s. Commitment from the External Service Provider not to subcontract Material Functions;
t. Statement that the Saudi judicial authorities are the relevant authorities for the settlement of disputes arising from the execution or interpretation of the outsourcing contract or agreement and that any exception to the requirements of this article is subject to SAMA’s prior non-objection; and
u. The governing language in case of discrepancies with respect to contracts or agreements that are made in more than one language.
Chapter 6: Outsourcing Requirements
14- Prior to applying for SAMA’s non-objection, the finance company should qualitatively and quantitatively assess each proposed outsourcing function on a case-by-case basis and classify it as material or non-material.
15- Prior to outsourcing or renewing outsourcing of material functions and in the event of material changes to the contract or agreement, the finance company should request SAMA’s non-objection in writing at least 30 working days prior to the proposed date of commencement or renewal of the contract or agreement.
16- The finance company shall submit to SAMA a letter requesting non-objection to outsourcing material functions that includes, at a minimum, the following information:
a. Details on the outsourced function;
b. Reasons for outsourcing;
c. Details on the External Service Provider (e.g. name, address, and commercial register); and
d. Any other information or documents requested by SAMA.
Chapter 7: Control and Monitoring
17- The finance company should put in place internal procedures to monitor and manage all of its outsourcing activities and to provide timely reports to senior management.
18- The finance company should ensure that its business continuity is not compromised by any outsourcing contracts or agreements. The finance company should have a contingency plan which outlines the procedures to be followed in the event of sudden termination of any outsourcing contract or agreement or the inability of the External Service Provider to fulfill its obligations for any reason. In addition, the finance company should document within its business continuity plans the availability of an alternative External Service Provider or the procedures for bringing the outsourced function in-house.
Chapter 8: Concluding Provisions
19- The Finance Company shall:
a. Develop or update an outsourcing policy, ensure that it is in compliance with these Rules, and provide a copy of the policy duly approved by the Board of Directors to SAMA within 180 days from the date of promulgation of these Rules;
b. Review all existing outsourcing contracts/agreements against these Rules and seek SAMA’s non-objection for material outsourcing contracts within 365 days from the date of promulgation of these Rules or on renewal of the contract or agreement, whichever comes first; and
c. Notify SAMA in the event of any legal or regulatory violation in their outsourcing contracts or agreements.
20- SAMA may restrict the granting of its non-objection to the finance company’s outsourcing of material or non-material functions for a specific period, function, geographical area, or external service provider whenever it deems necessary.
21- SAMA has the right to ask the finance company to review, modify, or terminate the outsourcing contract or agreement in case of non-compliance with these Rules or any other relevant laws, regulations, rules, controls and instructions.
22- SAMA may exempt some operations and activities from some of the provisions of these Rules whenever it deems necessary.
23- Non-compliance with the requirements set forth herein shall be deemed a violation of the Finance Companies Control Law and its Implementing Regulation.
24- These Rules shall enter into force after 180 days from the day of their promulgation, and shall be published on SAMA’s website.
Appendix 1: Examples of Material Functions (Non-Exhaustive List)
1- External auditor.
2- Internal Audit Department.
3- Customer care department, including complaint handling.
4- Management, operation and maintenance of technical/security systems, such as storing data outside the finance company, including cloud computing services and monitoring security operations.
5- Brokerage activity including marketing finance products and receiving finance applications.
6- Agency activity including processing and studying finance applications.
7- Provision of human resources.
8- Debt collection for finance companies.
9- Archiving documents.
Appendix 2: Examples of Non-Material Functions (Non-Exhaustive List)
1- Services and utilities such as telephone and electricity.
2- Advisory services (e.g., legal opinions, updating company’s regulatory policies, independent consulting, and market information functions).
3- Credit information check and information services.
4- Mail and courier services.
5- Printing services (e.g., policy wording, forms, and business cards).
6- Security functions.
7- Property management, building maintenance, cleaning services, etc.
8- Litigation on behalf of the company (e.g. bad debt collection).
9- Technical support for the company’s website.
10- Real estate valuation by accredited real estate valuers.
11- Back office management (call centers, complaint handling).
Anti-Fraud Rules for Finance Companies
Introduction: General Provisions
1- Saudi Arabian Monetary Authority (SAMA) has issued these Rules based on the powers vested therein under Finance Companies Control Law issued by Royal Decree No. (M/51) dated 13/8/1433H and its Implementing Regulation issued by SAMA’s Governor decision No. (2/MFC) dated 14/4/1434H.
2- The objective of these Rules is to introduce general principles and minimum standards that shall be met by Finance Companies to detect and prevent Fraud.
3- A Finance Company shall make these Rules part of its internal regulations and procedures. The Rules shall also be applied in conjunction with the provisions and articles of Finance Companies Control Law and its Implementing Regulation. Non-compliance with the requirements set forth herein shall be deemed a violation of Finance Companies Control Law and its Implementing Regulation and may subject the Finance Company to regulatory penalties.
Chapter I: Definitions
4- The following terms and phrases, wherever mentioned herein, shall have the meanings assigned thereto unless the context requires otherwise:
Rules: Anti-Fraud Rules for Finance Companies.
SAMA: Saudi Arabian Monetary Authority.
Fraud: An act or omission intended to gain, directly or indirectly, an advantage, that would not be gained otherwise, for the party committing the fraud or for other parties. This includes, but is not limited to, the following:
a. use of documents containing incorrect information;
b. non-disclosure or deliberate concealment of information required by law;
c. abuse of authority, a position of trust, or a fiduciary relationship; and
d. asset misappropriation.
Finance Company: A joint-stock company licensed by SAMA to engage in finance activities.
Chapter II: Strategy and Organizational Structure
5- The Finance Company shall develop an anti-fraud strategy aligned with its risk profile and business. The strategy shall be approved by the Finance Company’s board of directors and updated regularly to ensure its alignment with the Company’s ever-evolving business environment.
6- The Finance Company shall design a structure for fraud control. The structure shall be commensurate with the size and nature of the Company’s business so as to facilitate control and implementation of anti-fraud policies by the Company’s management and ease communication between departments in case of suspicion or detection of fraud.
Chapter III: Policies and Procedures
7- The Finance Company shall put in place policies and procedures to implement anti-fraud and risk management strategies. Such policies and procedures shall be updated regularly and tested in terms of effectiveness to keep abreast of developments in fraud. A copy of such policies and procedures shall also be provided to SAMA.
8- Policies shall be based on an analysis of fraud risks to which a Finance Company is exposed.
9- Policies and procedures shall include, at a minimum, the following:
a. the role of employees in the implementation of anti-fraud strategy, and identification of individuals responsible for its implementation;
b. standards for the detection and prevention of fraud;
c. a mechanism clarifying the procedures and communication methods for internal reporting of suspicious or actual cases of fraud, identifying the party responsible for investigating fraud cases inside the Company, and designating the available external reporting channels and the protection offered to whistleblowers;
d. a policy on retention of documents containing details of suspicious and actual cases of fraud; and
e. a mechanism for training the Company’s employees on a regular basis to raise awareness of fraud risks and prevention methods.
10- The Finance Company shall develop a mechanism to ensure the soundness of financed asset’s valuation carried out by the accredited valuer.
11- The Finance Company shall establish a mechanism to ensure the implementation of its credit policy on financing contracts.
Training
12- The Finance Company shall ensure that its board of directors and employees understand anti-fraud policies through training programs in fraud control. The training materials shall be updated regularly to keep abreast of developments in fraud.
13- The scope of training shall vary depending on the role and responsibilities of individuals, and shall cover the responsibility of employees when suspecting fraudulent acts and the steps of escalating fraud incidents within the Company or to competent authorities.
14- The Finance Company shall provide training programs dedicated to new employees, especially those dealing directly with the public.
Reporting
15- The Finance Company shall develop a policy describing the steps of escalating a fraud incident within the Company or to external competent authorities, and providing for confidentiality of the report and protection offered to whistleblowers.
Documentation and Record Retention
16- The Finance Company shall document the actions taken in fraud incidents, inside and outside the Company, and shall maintain, for 10 years, records containing detailed information of suspicious and actual cases of fraud.
Exchange of Information
17- The Finance Company shall, using the form attached hereto, inform SAMA of any fraud incidents within 10 business days from closing the investigation.
18- Without prejudice to any other regulations or instructions on the confidentiality of consumer information and transactions, Finance Companies may enhance cooperation mechanisms among them to exchange information on fraud incidents. SAMA’s non-objection shall be required for any agreed cooperation mechanism.
Chapter IV: Anti-Fraud Standards
Fraud Detection
19- The Finance Company shall develop indicators of fraud and update them regularly to ensure their effectiveness and suitability to detect fraud at an early stage. The General Indicators set forth in Chapter VI may, without limitation, be used in detecting internal fraud committed by individuals inside the Company and external fraud committed by external parties.
Fraud Prevention
20- The Finance Company shall apply KYC and CDD measures to consumers.
21- The Finance Company shall draft finance contracts based on fraud reports issued by the audit committee and in a way that would minimize, to the extent possible, fraud occurrences.
22- When developing a new product, the Finance Company shall assess its associated fraud risks.
23- The Finance Company shall notify consumers and any third party of the consequences of providing the Company with misleading information.
24- The Finance Company shall, prior to hiring permanent or temporary personnel or contracting with external service providers, perform due diligence and check applicant information to ensure the integrity and proper ethics of potential recruits. Standards of scrutiny shall be increased for positions most likely to encounter or commit fraud.
25- The Finance Company shall develop and apply information security rules to prevent unauthorized access to its information and tighten control over it, and shall also review user accounts regularly.
26- The Finance Company shall develop job descriptions for positions across the Company and detail responsibilities of management and employees. Functions that might be susceptible to conflict of interest shall be separated. Job rotations and vacations for employees in sensitive positions shall be mandatory.
Chapter V: Roles and Responsibilities
27- Board of Directors of Finance Company: The Company’s board of directors is responsible for the control of fraud. The board’s activities shall include, at a minimum, the following:
a. approving anti-fraud strategy and policies.
b. ensuring the provision of resources necessary for the implementation of the strategy and policies.
28- Employees of Finance Company: The Finance Company’s employees, whether permanent or contractors, shall be responsible for monitoring fraud in their work and shall report any suspicious cases of fraud immediately.
29- Internal Audit Department: The Internal Audit Department shall be responsible for the following:
a. tracking fraud incidents during the performance of its work, collecting necessary evidence in case of a suspicion, and investigating suspicious transactions; and
b. conducting regular assessment to verify the effectiveness of and compliance with anti-fraud policies and procedures and ensure appropriate and timely dealing with suspicious cases of fraud, proper documentation of actions taken, and inclusion of said information in the audit department’s report prescribed in the Implementing Regulation of the Finance Companies Control Law.
30- External Auditor: The external auditor shall be responsible for verifying the Company’s compliance with anti-fraud policies.
Chapter VI: General Indicators of Fraud
Internal Fraud
Governance & Organizational Structure
- An individual or a group of individuals monopolizes running operations or taking financial decisions.
- Company’s strategy is inconsistent and changes rapidly.
- Company’s organizational structure is complex.
- Managers, members of staff, external businesses, and contractors have conflicts of interest.
- Board of directors or management displays a dominant management style, discouraging critical or opposing views from employees.
Operational Management
- Training provided for employees is weak.
- Activities of the Finance Company are inconsistent with its declared policies.
- Staff turnover at the department level is high, especially in finance or accounting departments.
- Tasks and transactions are complex and require special skills to be understood.
- Original documents are lost and replaced with copies.
Accounting & Finance
- Costs are unjustifiably high or are higher than those of competitors.
- Financial results and ratios are unmatched.
- Company’s return is much lower than that of its counterparts in the market.
Internal Audit
- Internal control structure is weak.
- Information from prior audits is insufficient.
- Results of internal audits are weak or missing.
- Internal auditors are not completely independent.
- Board of directors or managers place undue pressure on auditors.
- Board of directors or managers display an aggressive attitude toward the Company’s financial reporting.
Employees’ Conduct
- Unjustified wealth of employees and sudden change in their lifestyle.
- Employees frequently work outside official working hours.
- Employees do not go on leave.
- New employees resign quickly.
Information Technology
- Information and asset security system is weak.
External Fraud
Finance Procedures
- Consumer’s age and qualifications are not compatible with the number of his/her years of work.
- Employer’s address provided is a postal box only.
- Use of the consumer’s personal phone number as the employer’s phone number.
- Applicant’s handwriting is not similar on different documents.
- Attempt by the consumer to pay all financial obligations in cash rather than through the usual means, especially in early repayment.
- Installments are paid by another individual or party and not by the consumer.
- Consumer’s income and credit record are not consistent with his/her personal profile.
- Signatures on finance documents are different.
- Information provided by the consumer is not consistent across different service request forms submitted to the finance company.
- Transfer of the ownership of financed assets immediately after the completion of sale, indicating that the consumer has obtained the finance for an ineligible third party.
Valuation
- Valuer is not one of the valuers accredited by the Finance Company.
- Valuer is not familiar with the region of the financed asset and the local market value.
- Valuation is based only on making adjustments to the financed asset.
- Valuation is based on data more than 9 months old in a rapidly changing market.
- Valuation of the financed asset is based on comparison with previous valuations carried out by the same valuer.
- Mismatch between the pictures of the financed asset and the description provided in the valuation report.
- Valuation fee is based on a specified percentage of the estimated value of the financed asset.
- There are indications that the financed asset has been sold more than once during a short period of time, indicating that its value does not reflect the actual market value of the asset.
Job Information
- The employment letter is not printed on the employer’s letterhead.
- The date of the employment letter is old.
- The signature on the employment letter is not accompanied by the name or position of the signee.
- The employment letter contains handwritten modifications.
- The original copy of the employment letter is not provided.
Chapter VII: Effective Date
31- These Rules shall enter into force after 180 days from the day of their promulgation, and shall be published on SAMA’s website.
Form For Reporting Fraud to SAMA
a. Company Information: Name; Line of Business; Headquarters City
b. Name of Branch (if any); City; Telephone No.; E-mail
c. Information on Fraud Incident: Date of Incident; Total Amount (if any), in words (SAR) and in numbers (SAR); Fraud Incident Description; Actions Taken; Subsequent Actions
d. Information on Alleged Fraudster: Name(s); ID/Iqama No.; Nationality
e. Attached Documents
Report Writer; Signature; Date
Counter-Fraud Framework
To read the Counter-Fraud Framework, click here.
Data Privacy
To read the Data Privacy, click here.