Chapter 3: Corporate Governance and Risk Management
Introduction
8. These regulatory requirements are relevant to all DTFCs. They set out SAMA's requirements for the internal governance and risk management of the DTFCs and how they should comply with these regulations. These regulations cover the following areas:
i. General requirements;
ii. Senior Management Function & Responsibilities;
iii. Segregation of Functions.
General Requirements
9. SAMA requires that the governance and risk management arrangements, processes and mechanisms implemented by a DTFC should be proportionate to the nature, scale and complexity of the risks inherent in its business and its activities.
Expectations in Relation to the Senior Management and Their Responsibilities
10. SAMA requires a DTFC to have robust governance and risk management arrangements, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility. All DTFCs are required to put in place a job description (JD) for each member of the senior management. More specifically, JDs must:
i. Clearly set out the areas of the DTFC's activities for which the senior manager is responsible;
ii. Be included in every application to SAMA for pre-approval as a senior manager as per SAMA's fit and proper regulations; and
iii. Be updated and resubmitted if there is a significant change to the senior manager's responsibilities as per SAMA's fit and proper regulations.
11. A DTFC is also required to produce and maintain a Management Responsibilities Description Document (MRDD), which is a single, up-to-date document setting out the DTFC's management, governance and risk management arrangements. The MRDD should be proportionate and include information about the business relationship with the head office and the group.
Board and Senior Management Responsibilities
12. SAMA looks to the Board of the DTFC to oversee the activities of the DTFC, including matters of a corporate governance nature that relate to the DTFC. As such, SAMA requires that the Board will be accountable for the DTFC's operations.
13. While the Board may not conduct all responsibilities or activities directly, SAMA requires the Board to retain its overall accountability for the operations of the DTFC. Regardless of who conducts the various functions, SAMA requires the Board to:
i. Ensure that business objectives, strategies, and plans set for the DTFC are prudent in the context of the DTFC;
ii. Be satisfied that appropriate policies and procedures (i.e. control systems) are in place to manage the risks regardless of where the controls may reside;
iii. Receive sufficiently comprehensive and frequent reports to understand and monitor the business of the DTFC; and
iv. Undertake or obtain, periodically, an independent assessment of the adequacy and effectiveness of the controls. Independent assessment may be obtained from individuals or groups designated with that role, such as internal audit or risk management (either at the DTFC or head office), or qualified third parties.
14. The Board is required to ensure that there are robust policies and procedures to manage the assets and liabilities recorded on the DTFC's books and records and related accounts (e.g. deposit, loan, investment, etc.).
15. The Board should ensure the DTFC is in compliance with all applicable legislation and regulations, and is conducting its business and affairs in a manner that is consistent with applicable SAMA requirements.
16. While the Board may delegate responsibility for day-to-day management to management, SAMA requires the Board to be in a position to oversee the DTFC's regulatory returns. Therefore, SAMA would expect the Board to have, or to ensure the individuals undertaking activities with respect to the DTFC have, a good understanding of applicable legislation, regulations and guidelines, as well as the activities and related records of the DTFC, including its assets, liabilities, revenues and expenses. SAMA would also expect the Board to be satisfied with any work performed by others (e.g., head office or another entity within the group) and to ensure any deficiencies are corrected.
Segregation of Functions
17. A DTFC should ensure that the performance of multiple functions by its relevant persons does not and is not likely to prevent those persons from discharging any particular functions soundly, honestly and professionally. The senior personnel within the DTFC should define arrangements concerning the segregation of duties within the DTFC and the prevention of conflicts.
18. A DTFC should ensure that no single individual has unrestricted authority to do all of the following:
i. Initiate a transaction;
ii. Bind the DTFC;
iii. Make payments; and
iv. Account for it.
19. Where a DTFC is unable to ensure the complete segregation of duties because the DTFC has a limited number of staff, it should ensure that there are adequate compensating controls in place such as frequent review of an area by relevant DTFC senior managers.