  • Part 1 General Provisions

    • First Business Plan

      1. The company must, prior to requesting Saudi Central Bank's approval for conducting online insurance activities, develop a business plan specific to the online insurance business activities. The business plan must be reviewed by the Board of Directors before being submitted to Saudi Central Bank and should include but not be limited to:
        1. Analysis of the forecasted volume of online insurance activities over the next 3 years.
        2. Analysis of the risks associated with online business and the measures that will be taken to mitigate these risks, including but not limited to adverse selection risks, money laundering, strategic risks, and potential unauthorized access to the website.
        3. Contingency plan documenting the actions to be taken in the event of a failure of one or several components of the online system, including corrective and business continuity measures, as well as the obligation to report the event to the proper authorities within the Company and Saudi Central Bank.
      2. The company must obtain Saudi Central Bank's written approval before adopting its online business plan. In addition, the company must obtain Saudi Central Bank's written approval for any significant amendments or modifications to the business plan, and Saudi Central Bank might require a modification or change to the business plan when it deems it necessary.
      3. The business plan of online insurance activities must be approved and set by the board of directors after obtaining Saudi Central Bank's written approval and must be reviewed annually, or when making any fundamental change to the company's strategy related to online insurance activities.
    • Second Insurance Products

      1. The company should submit a request to Saudi Central Bank to obtain approval for the insurance products that will be sold on its website, taking into consideration not selling any Protection and Savings Insurance policies on its website or any other website.
    • Third Management of the Website

      1. The company must establish a unit within the IT department to be in charge of the website and its operational aspects including but not limited to posting content, monitoring performance, handling customer inquiries, tracking key performance indicators, measuring the traffic of data, and handling maintenance.
      2. The company must obtain Saudi Central Bank's written approval before signing a contract for outsourcing the management of the website to any third party.
      3. After obtaining Saudi Central Bank's written approval for outsourcing the management of the website to a third party, the company must check the compliance of that party with the articles of this regulation and other related laws and regulations.
      4. In case of outsourcing the management of the website to a third party that is approved to work in the Kingdom according to the relevant laws, the company must appoint a communication officer in charge of the relation with the third party to whom the management of the website has been outsourced. The communication officer's responsibilities include but are not limited to monitoring the content of the website, answering customer inquiries and requests, ensuring that the third party meets the conditions and standards defined in the outsourcing agreement, and ensuring compliance of the third party with the relevant laws and regulations.
    • Fourth Transparency and Disclosures

      1. The company must provide and clarify on its website the information that is necessary for customers who want to have an insurance cover through its website.
      2. The company must ensure that the information presented on its website is correct, accurate, clear, up-to-date, and comprehensive.
    • Fifth Security and Safety of Data

      1. The company must ensure the confidentiality of all information collected through its website and not disclose such information to any party without the written approval of Saudi Central Bank. It is the responsibility of the company to establish appropriate procedures and controls to secure the confidentiality of information.
      2. The company commits at all times to ensure the security and safety of information provided on its website. This includes—but is not limited to—information provided to customers, and information collected and stored through the company or the third party contracted by the company, whether this party is responsible for connecting the internet service, hosting, or managing the website. The company must, in particular, ensure the protection of customers' personal information from loss or unauthorized access; this includes—but is not limited to—the use, editing, or disclosure of information.
      3. The company must set different levels of control and supervision on insurance activities that are practiced on its website as follows:
        1. The company must implement the minimum required security procedures to prevent unauthorized changes to the basic content of information displayed on its website.
        2. The company must take additional security procedures to protect exchanged information, with customers or website visitors, from editing, theft, or unauthorized use.
        3. The company must implement the maximum procedures and provide up-to-date techniques and IT programs to ensure the protection and safety of payments made on its website. This includes—but is not limited to—using the payment systems adopted and licensed by Saudi Central Bank for payments related to issuance or renewal of an insurance policy.
      4. The unit responsible for the website must supervise the design, execution, follow up, and update of the security system of the website.
      5. Without prejudice to Article (10/c) of this regulation and to avoid the failure of the website's system or any related part, the company must establish the appropriate procedures to face emergency or catastrophe cases. This includes—but is not limited to—keeping backup copies for all information and data displayed by the company, issued to customers, or submitted to the company's website, and setting a clear procedure to restore systems on the website in the case of damage to a part or more of the system.
    • Sixth Size of the Website

      1. The company must verify the capacity of its website to be expanded and to assimilate any additions that might arise in the future. This includes—but is not limited to—the capacity of the website to assimilate any increase in the number of users, and to assimilate the online insurance activities resulting from sales of insurance policies, receiving claims, and handling complaints.
    • Seventh Website Accessibility

      1. The company's website must be accessible twenty-four hours a day during the whole year and the website's unit must monitor the website's availability.

        In case the website is undergoing maintenance procedures, the website's unit must ensure that it does not exceed twenty-four hours as a maximum. In case the maintenance procedures are not finalized within the set period (i.e., twenty-four hours), the company must notify Saudi Central Bank in writing about the reasons that caused the damage to the website and specify the timeframe expected to reactivate the website.

    • Eighth Outsourcing the Online Insurance Activities

      1. The company must—after applying the procedures included in this regulation—when outsourcing online insurance activities to another party or outsourcing the development, hosting, management, or maintenance of its website or any other work related to the website, include a specific text in the outsourcing contract that obliges the other party to abide by the rules set in this regulation, the Outsourcing Regulation to Insurance and/or Reinsurance and Insurance service providers, the Market Code of Conduct Regulation and other regulations related to the content specified in Article (3) of this regulation.
      2. A company wishing to sell its insurance products through a third-party website licensed to do so must obtain Saudi Central Bank's prior written approval. The company must also verify that the third party's website meets the following conditions:
        1. If the same third party's website is used to sell insurance products related to other companies, each insurance product offered must be clearly linked to the company offering it.
        2. Include all information and statements that the company must disclose. This includes—but is not limited to—the name of the company, its address, its licensing status, the nature of its insurance activities, and the contact details of the company.
        3. The third party must clarify, on its website, the role it undertakes and its obligations with respect to the users such as the insured. It must also specify whether it is an agent, or a broker licensed by Saudi Central Bank.