  • 1 Part I: Approach and Corporate Governance

    No: 42019124 | Date(g): 9/11/2020 | Date(h): 24/3/1442 | Status: In-Force
    • Chapter 1: SAMA Approach to Deposit Taking Finance Companies (DTFC) Regulation

      • Introduction

        1.These SAMA regulations are applicable to all Deposit Taking Finance Companies (DTFCs) operating in the Kingdom of Saudi Arabia (KSA).
         
        2.Subject to the provisions of Finance Companies Control law, promulgated by Royal Decree No. M/51 dated 13/8/1433H and its Implementing Regulation, these Rules determine the requirements of exercising deposit-taking activity, and shall govern finance companies that are authorized to mobilize savings and time deposits from non-individual customers and to grant loans, credits and advances out of such deposits.
         
        3.In addition to these DTFC-specific prudential requirements, DTFCs are also required to comply with the Finance Companies Control Law, SAMA regulations for Finance Companies (FCs), and other relevant laws and regulations as applicable to all Finance Companies (FCs).
         
      • Deposit Taking Activities / Products and Services

        4.DTFCs are authorized to mobilize savings and time deposits from non-individual customers and to grant loans, credits and advances out of such deposits while observing liquidity ratios with regard to their liquid assets vis-à-vis total deposit liabilities and other prudential regulations as prescribed for DTFCs.
         
        5.DTFCs shall maintain one or more records of specified particulars in the case of every depositor such as name, address of depositor, types of deposit, date of receipt/date or renewal, date of maturity and profit rate payable. The registers are required to be kept at the place of business and preserved in good order for five calendar years following the financial year in which the latest entry was made of the repayment or the renewal of the deposit.
         
    • Chapter 2: SAMA Authorization of DTFCs

      6.No Finance Company (FC) shall carry out deposit taking business without prior SAMA written approval to designate it as Deposit Taking Finance Company (DTFC).
       
      7.An application for a SAMA approval to carry out deposit taking business shall be accompanied by the Feasibility study and three-year business plan of the proposed deposit-taking business, detailing the mission, vision, scope and nature of business operations, profitability analysis and internal controls and monitoring procedures, including but not limited to:
       
       i.the proposed organizational structure;
       ii.the market to be served by the FC;
       iii.a schedule of all the preliminary expenses including the FC costs, all expenses relating to the establishment or transformation of the FC;
       iv.projected balance sheets, income and expenditure statements and cash flow for three years supported by:
       
        a.projected deposit mobilization and profit payable, stating separately anticipated sources of deposits;
        b.forecasted lending and advances to be made and profit receivable, stating major areas of lending including the intended sectoral lending composition; 
        c.forecasted cash and other liquid assets to be maintained;
        d.the required provision for bad and doubtful debts and loan write-offs, including the policy and procedures manual;
        e.projected operating expenses including rents, salaries, employee benefits, and director's remuneration, etc.;
        f.proposed levels of fixed assets, including business premises and equipment;
        g.other income, including commissions, fees and discounts etc.;
        h.profit rate sensitivity analysis on the projections submitted or other similar analysis, providing necessary levels of scenario planning should economic conditions change or when business expectations fall short; assumptions underpinning the pro-forma financial statements, the sensitivity analysis and scenario planning must be fully elaborated;
        i.statistical data and other market information, which may have been collected and analyzed covering economic activities and the planned areas of operation, where revenue and expenses will be incurred, including detailed competitive analysis; and
        j.the planned scope of operations including services and products to be offered, the capability to provide these services, the projected demand for the services, and different groups of customers or market segments the FC wants to serve;
        k.the FC's risk-management policies and internal control systems including, among others, board and senior management oversight, internal controls, physical infrastructure, use of information technology, including but not limited to the following: —
        l.deposit mobilization strategies or plans and marketing methodologies;
        m.lending and credit administration policy manual;
        n.human resource development manual;
        o.assets manual;
        p.liquidity and funds management policies and procedures;
        q.management information system and Information Security;
        r.capital, planning and budgeting;
        s.accounting procedures manual; and
        t.internal audit and control manuals (including compliance and AML/CTF controls);
       
       v.evidence of sources and availability of capital including copies of bank statements, Treasury Bills, or other forms in which the capital is held.
       
    • Chapter 3: Corporate Governance and Risk Management

      • Introduction

        8.These regulatory requirements are relevant to all DTFCs. They set out SAMA's requirements for the internal governance and risk management of the DTFCs and how they should comply with these regulations. These regulations cover the following areas:
         
         i.General requirements;
         ii.Senior Management Function & Responsibilities;
         iii.Segregation of Functions;
      • General Requirements

        9.SAMA requires that the governance and risk management arrangements, processes and mechanisms implemented by a DTFC should be proportionate to the nature, scale and complexity of the risks inherent in its business and its activities.
         
      • Expectations in Relation to the Senior Management and Their Responsibilities

        10.SAMA requires a DTFC to have robust governance and risk management arrangements, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility. All DTFCs are required to put in place a Job description (JD) for each member of the senior management. More specifically, JDs must:
         
         i.Clearly set out the areas of the DTFC's activities for which the senior manager is responsible;
         ii.Be included in every application to SAMA for pre-approval as a senior manager as per SAMA's fit and proper regulations; and
         iii.Be updated and resubmitted if there is a significant change to the senior manager's responsibilities as per SAMA's fit and proper regulations.
         
        11.A DTFC is also required to produce and maintain a Management Responsibilities Description Document (MRDD), which is a single, up-to-date document setting out the DTFC's management, governance and risk management arrangements. The MRDD should be proportionate and include information about the business relationship with the head office and the group.
         
      • Board and Senior Management Responsibilities

        12.SAMA looks to the Board of the DTFC to oversee the activities of the DTFC, including matters of a corporate governance nature that relate to the DTFC. As such, SAMA requires that the Board will be accountable for the DTFC's operations.
         
        13.While the Board may not conduct all responsibilities or activities directly, SAMA requires the Board to retain its overall accountability for the operations of the DTFC. Regardless of who conducts the various functions, SAMA requires the Board to:
         
         i.Ensure that business objectives, strategies, and plans set for the DTFC are prudent in the context of the DTFC.
         ii.Be satisfied that appropriate policies and procedures (i.e. control systems) are in place to manage the risks regardless of where the controls may reside;
         iii.Receive sufficiently comprehensive and frequent reports to understand and monitor the business of the DTFC; and
         iv.Undertake or obtain, periodically, an independent assessment of the adequacy and effectiveness of the controls. Independent assessment may be obtained from individuals or groups designated with that role, such as internal audit or risk management (either at the DTFC or head office), or qualified third parties.
         
        14.The Board is required to ensure that there are robust policies and procedures to manage the assets and liabilities recorded on the DTFC's books and records and related accounts (e.g. deposit, loan, investment, etc.).
         
        15.The Board should ensure the DTFC is in compliance with all applicable legislation and regulations, and is conducting its business and affairs in a manner that is consistent with applicable SAMA requirements.
         
        16.While the Board may delegate responsibility for day-to-day management to management, SAMA requires the Board to be in a position to oversee the DTFC's regulatory returns. Therefore, SAMA would expect the Board to have, or to ensure the individuals undertaking activities with respect to the DTFC have, a good understanding of applicable legislation, regulations and guidelines, as well as the activities and related records of the DTFC, including its assets, liabilities, revenues and expenses. SAMA would also expect the Board to be satisfied with any work performed by others (e.g., head office or another entity within the group) and should ensure any deficiencies are corrected.
         
      • Segregation of Functions

        17.A DTFC should ensure that the performance of multiple functions by its relevant persons does not and is not likely to prevent those persons from discharging any particular functions soundly, honestly and professionally. The senior personnel within the DTFC should define arrangements concerning the segregation of duties within the DTFC and the prevention of conflicts.
         
        18.A DTFC should ensure that no single individual has unrestricted authority to do all of the following:
         
         i.Initiate a transaction;
         ii.Bind the DTFC;
         iii.Make payments; and
         iv.Account for it.
         
        19.Where a DTFC is unable to ensure the complete segregation of duties because the DTFC has a limited number of staff, it should ensure that there are adequate compensating controls in place such as frequent review of an area by relevant DTFC senior managers.