Based on the regulations and instructions that authorized SAMA to supervise banks, and money exchange operators, and to issue mandatory rules, procedures, and instructions for them.

 You will find Attached a copy of the Governor's decision No. 361000082764 dated 11/06/1436H regarding the rules, procedures, and regulatory instructions for payment systems in the Kingdom of Saudi Arabia. Banks, and licensed money exchange operators are required to continue adhering to and implementing these rules, procedures, and regulatory instructions, as well as any amendments that may be introduced by SAMA in the future. It should be noted that SAMA will monitor the implementation and application of these rules, procedures, and instructions in accordance with the provisions of the Banking Control Law and its Implementation Rules. SAMA will also take legal action against any breach or violation in this regard.

As the sole owner, operator, and regulatory authority for payment systems in the Kingdom, the Saudi Central Bank is responsible for ensuring the security and safety of these systems.

This responsibility entails a key task: identifying payment systems that are essential to the financial system, facilitating the functioning of the financial infrastructure, and addressing economic needs.

<<Systemically Important Payment Systems>> are defined as those whose disruption could hinder participants or lead to systemic failure of the financial infrastructure in the Kingdom.

As part of its supervisory duties, the Central Bank has established a set of criteria for classifying those systems that are considered important to the financial system.

The Central Bank has decided to classify any system that meets any of the following criteria as important to the financial system:

1. Any system that handles payments between banks or with customers that may pose risks to financial stability.
2. A payment system that is primary in terms of the total volume and value of daily payments.
3. Any system used for settlements within other financial infrastructures that are important to the financial system.
4. Any central payment infrastructure system that is trusted by clients based on the number and type of participants, its market depth, and the absence of alternatives

In this regard, the Central Bank has classified the following systems as important to the financial system in the Kingdom:

1. The Saudi Fast Payment System (SADAD): A real-time gross settlement system for payments.
2. The Saudi Payment Network: A system for ATM services and electronic payments via Point of Sale terminals.
3. SADAD Payment System: An electronic bill presentation and payment system.

Given the increasing cyber attacks and threats faced by the financial sector in the Kingdom, SAMA emphasizes the commitment to adhere to the policies, frameworks, standards, and regulations related to cybersecurity issued by SAMA, the National Cybersecurity Authority, and related instructions.

SAMA emphasizes the necessity of taking the required measures to implement the basic cybersecurity controls and the cybersecurity controls for sensitive systems, and to prioritize cybersecurity in spending from the approved budgets to enhance its cybersecurity readiness.

Referring to the receipt of a letter from His Excellency the Minister of Human Resources and Social Development addressing the challenges facing the "Payroll Management" system on the (Mudad) platform regarding the integration with partner financial institutions, as well as the technical malfunctions affecting the compliance of establishments with the 'Wage Protection' program, and the delays in employees receiving their entitlements as a result.

Therefore, SAMA emphasizes the importance of adhering to the terms outlined in the "Service Level Agreement" between the company and the (Mudad) platform, and taking the necessary measures to resolve the technical issues as per the signed terms, which will help prevent establishments from failing to comply with timely wage payments.

Referring to the receipt by the Central Bank of a letter from His Excellency the Governor of the Communications, Space, and Technology Authority, No. (374/1445/H T) dated 05/02/1445 H, which references Article (2) of the Law of Telecommunications and Information Technology, and the launch of the Authority's guide to local technical products on its website. This guide serves as a reference list of technical products developed by leading local companies to serve various business sectors, including banking, insurance, and finance.

For your information and awareness, with a confirmation of compliance with the relevant instructions issued by SAMA, particularly those concerning the rules on outsourcing.

Based on the powers vested to SAMA under The Law of Payments and Payment Services issued by Royal Decree No. M/26 dated 22/03/1443 H, and its Implementing Regulations issued on 24/11/1444 H—which stipulates in paragraph Two of "Article 120" that "A Licensee is obliged to submit to SAMA quarterly financial reports (to be reviewed by an external auditor), which include any information that SAMA deems necessary." Furthermore, paragraph Three of the same article states that "A Licensee is obliged to submit to SAMA annual financial statements (reviewed and audited by an external auditor) in a way determined by SAMA."

Accordingly, SAMA emphasizes to payment service providers the necessity of complying with the following requirements to provide SAMA with:

Based on the powers vested to the Central Bank under its law issued by Royal Decree No. (23) dated 23/05/1377 H*, and The Banking Control Law issued by Royal Decree No. (M/5) dated 22/02/1386 H, and the Minister Council Decision No. (226) dated 02/05/1440 H, which confirms that SAMA is the legally designated authority responsible for operating payment systems and financial settlement services in the Kingdom, monitoring and supervising them, and has the authority to issue rules, regulations, and licenses according to the standards applied by SAMA in this regard. In reference to the decision by the Communications and Information Technology Commission to update the technical specifications for terminal devices connected to mobile networks, mandating that these devices support at least 4G networks to be approved and allowed for clearance by the General Authority for Customs, and the shift by telecommunications service providers in the Kingdom are moving to discontinue 2G and 3G networks, replacing them with the more advanced 4G and 5G networks, it is noted that this decision will have a direct impact on point-of-sale devices operating in the Kingdom.

I would like to inform you that, in coordination with the Communications and Information Technology Commission, it has been decided to start shutting down the third-generation network by the end of 2022 and to deactivate the second-generation network during the fourth quarter of 2024. Accordingly, SAMA and the Saudi Payments Company have developed an action plan to replace the current point-of-sale devices in the Saudi market with modern devices that comply with the aforementioned decisions of the Communications and Information Technology Commission, as follows:

1. All point-of-sale device suppliers are required to provide devices that support the 4G network starting from June 2020 until the end of this year. These devices must be submitted to the Saudi Payments Company’s authorization center for technical approval and to ensure compatibility with the payment network (Mada).

2. Approval of the installation of point-of-sale devices that support the 4G network as a minimum requirement for new installations requests starting from January 2021. This also includes devices being replaced due to technical malfunctions.

I would also like to inform you that banks and companies hosting electronic payment services must implement the aforementioned replacement plan starting from January 2021 for all currently operating point-of-sale devices in the Kingdom. This entails replacing at least 4% devices monthly from the total number of point-of-sale devices for each entity. The replacement plan, along with progress percentages and remaining quantities, should be shared with SAMA and the Saudi Payments Company on a monthly basis starting from the end of January 2021.

* The Saudi Central Bank Law issued by Royal Decree No.(M/36), dated 11/04/1442H replace the Saudi Arabian Monetary Agency Law issued by Royal Decree No. (23), dated 23/05/1377H.

We refer to the receipt by the central bank of a letter from His Excellency the President of the Oversight and Anti-Corruption Authority, No. (15929/45), dated 01/04/1445H, which mentions the amendment of paragraph (7) of Article (8) of the Anti-Bribery Law to include the criminalization of bribing foreign public officials in relation to international business transactions. The letter also notes the Authority's work on an awareness booklet regarding issues related to the Crime of Foreign Bribery.

Therefore, and in line with the instructions issued by SAMA, including those outlined in The principles of conduct and work ethics in financial institutions, and given the awareness-raising potential of the aforementioned booklet regarding the seriousness of the crime of foreign bribery and ways to detect it, along with contact information for reporting such crimes, SAMA urges all financial institutions to review this booklet and benefit from its contents. Additionally, we would like to inform you of the Authority's readiness to hold remote workshops to raise awareness about the content of the aforementioned booklet.

Further to the instructions of SAMA issued by Circular No. (371000119129) dated 18/11/1437H, which included a request to suspend from providing mobile (GPRS) point-of-sale devices to charities and non-profit organizations and to replace them with point-of-sale devices connected exclusively to the fix (landline) telephone, and to Circular No. (41061590) dated 01/11/1441H, regarding upgrading point-of-sale devices operating in the Kingdom to "4G" technology.

I inform you that in coordination with the relevant authorities, it was decided to provide electronic payment solutions authorized by SAMA, including mobile point of sale (GPRS) devices, provided that associations or institutions obtain the approval of the National Center for the Development of the Non-Profit Sector to benefit from the service.
 

Based on the powers vested to SAMA under the Saudi Central Bank Law issued by Royal Decree No. (M/36) dated 11/04/1442 H, and referring to Cabinet Decision No. 226 dated 02/05/1440 H, which affirms that SAMA is the legally authorized entity to operate payment and financial settlement systems and their services in the Kingdom and to oversee them.

We would like to inform you that the team at Saudi Payments has been working on a project to develop the payment environment using Quick Response Code (QR Code) technology. This project aims to enhance operations in accordance with the principle of interoperability of payment systems among participants in this vital sector, including banks and licensed fintech companies in the Kingdom, while striving to offer multiple payment options in line with the ongoing developments in the payments sector in the Kingdom.

Accordingly, SAMA would like to emphasize that all entities that launched the service previously must comply with the implementation of the technical and commercial requirements and standards related to the payment environment associated with this project. They are also required to carry out the necessary testing procedures by completing the technical authorization process with Saudi Payments before the end of 2021. For communication with the relevant team at the Saudi Payments Authorization Center, please contact them via email.

Based on SAMA's commitment to safeguarding the data of financial institutions and their customers, given its significant impact on the trust of stakeholders and the stability of transactions, and referring to the instructions issued by SAMA in this regard.

We would like to inform you that all financial institutions must refrain from using social media applications to exchange any official data or documents, whether directly or indirectly. Such data or document exchanges should be conducted through secure and approved official channels. This is due to the potential negative impacts and risks associated with using social media and instant messaging applications for data or document exchange on the activities of entities and the interests of individuals.

Referring to the receipt by SAMA of a letter from His Excellency the Governor of the Communications and Information Technology Commission regarding the establishment of governance for the registration of sender names in bulk SMS messages (Tag Names) through the organization of a unified electronic portal for SMS service providers, which enables the Commission to protect the public interest from the misuse of SMS.

Accordingly, SAMA emphasizes the importance of cooperation and prompt communication with the contracted SMS service providers to complete the registration process in the system within the transitional period specified by the commission.

Further to the instructions issued by SAMA as communicated in Circular No. (44037856) dated 03/05/1444 H, regarding the approval of using biometric authentication for remote customer relationship initiation/establishment, and completing the integration procedures with the approved service provider by a maximum deadline of 31/01/2023.

Accordingly, SAMA emphasizes the commitment to refrain from initiating any "remote" relationships through various channels without using biometric authentication with a high level of verification or higher. Please note that SAMA will take regulatory actions in case of non-compliance.

For your information and action accordingly as of this date. If there are any inquiries regarding this matter, please contact SAMA via email.

Further to SAMA Circular No. (42023876) on 14/04/1442 H regarding the standardization of notification elements sent to financial institution customers, aimed at enhancing customer awareness through notification messages for transactions on their accounts, memberships, and electronic wallets.

And due to the existence of some newly introduced transactions related to Mada transactions, the key elements of SMS notifications for those transactions are attached. Financial institutions are required to comply with sending the relevant notifications accordingly, no later than the end of the first quarter of 2022.

For your information and act accordingly, and provide SAMA with the implementation plan before the end of the working day of November 4, 2021.