6. Products and Services Policy Requirements
6.1 General Requirements
Banks are required to have in place internal policies and procedures that set out the oversight and governance arrangements for the offering of new products and services. These internal policies and procedures must at a minimum satisfy the following:
6.1.1 To be integrated as part of the bank’s governance, risk management and internal control framework.
6.1.2 Defining the roles and responsibilities of all stakeholders including the Board and all control functions involved in developing and launching new products and services.
6.1.3 Defining parameters for the authority which approves new products and services including the circumstances under which such authority may be delegated.
6.1.4 Defining the requirements to have a pilot or testing phase for new products and services. A bank is required to assess the effect of a product and service on the target market before its commercial launch and make appropriate changes where scenario analysis shows adverse results for the target market.
6.1.5 Consumer protection requirements, including the bank’s standards for the management of customer suitability and mis-selling risks, along with a requirement to conduct an annual assessment of all products and services against such established standards.
6.1.6 The internal policies and procedures must be reviewed and updated on a regular basis or when needed, ideally on an annual basis, and at least once every (3) years.
6.1.7 The policies and procedures must be communicated by the bank in a timely manner to all relevant parts and levels within the organization, and the bank must ensure that new product and service offerings are fully integrated throughout its line functions.
6.2 Considerations
When developing internal policies and procedures for products and services, banks must consider the following:
6.2.1 Designing and bringing to the market products and services with features, charges and risks that meet the interests, objectives and characteristics of, and are of benefit to, the market segment identified for the products and services. In this regard, a formal customer appropriateness and customer fairness assessment must form part of the bank’s processes before approval of new products and services.
6.2.2 The products and services offered to customers are fair and suitable.
6.2.3 Avoiding any conflicts of interest, potential for mis-selling, terms and conditions that are inherently unfair to consumers, and business practices that restrict consumers’ freedom of choice.
6.2.4 To be proportionate to the nature, scale, risk, and complexity of a bank’s products and services, and designed to identify and control product risk across the value chain, including at minimum the stages of product development, authorization and governance, price, marketing, sale and distribution.
6.2.5 The gradual commercial launch of any new product and service taking into consideration the market segment, riskiness and complexity of the product and service.
6.2.6 Compliance with all applicable rules and regulations issued by SAMA and all other relevant regulators when developing a new product and service, as well as any subsequent updates to the rules and regulations. Examples of such rules and regulations include (but are not limited to):
a. Responsible Lending Principle for Individual Customers (issued in 2018).
b. Financial Consumer Protection Principles and Rules (issued in 2022).
c. Rules for Advertising Products and Services Provided by Financial Institutions (issued in 2023).
d. Debt Collection Regulations and Procedures for Individual Customers (issued in 2018).
e. SAMA Cyber Security Framework (issued in 2017).
f. SAMA Counter-Fraud Framework (issued in 2022).
g. SAMA Business Continuity Management Framework (issued in 2017).
h. Information Technology Governance Framework (issued in 2021).
i. Rules related to touch/face ID, Tahaqaq requirements, digital signature, national and global payment requirements for MADA, Visa, MasterCard, and face recognition.
6.3 Products and Services Risk Assessments
6.3.1 Banks must establish lines of responsibility for managing risks related to new products and services.
6.3.2 Banks must conduct a full risk assessment of new products and services, which forms the basis for deciding whether or not to introduce them to the market, taking into account all the associated risks throughout the life cycle of the products and services.
6.3.3 Banks must have risk management standards for developing and launching any new products and services to the market. These include, inter alia, adequate due diligence and approvals, procedures to identify, measure, monitor, report, and mitigate risks, effective change management processes and technologies, ongoing performance monitoring and review mechanisms.
6.3.4 Banks must have a risk classification process for each product and service that the bank intends to launch. The classification process must result in an overall risk classification for the product or service (for example: high, medium or low risk).
6.3.5 Banks must have risk management, control and monitoring processes in respect of third-party risk management where the bank’s products and services are offered in partnership with Fintech companies, agents or similar entities.
6.3.6 The risk management function must have the internal organizational and operational capacity, i.e. effective controls, monitoring and reporting systems and procedures in place, to monitor and manage the potential risks that proposed new products and services pose to the bank's own financial health, as well as to the financial well-being of customers and overall market stability.
6.3.7 The risk management function must document, review and approve the risk profile (associated risks) of new products and services before their launch. The risk profile of new products and services must include at least a detailed description of all associated risks, i.e. identification, quantification (if possible), assessment, classification and the mitigation plan.
6.3.8 The risk management function must perform a comprehensive fraud risk assessment covering fraudulent events across different channels and an assessment of prevention, detection and investigation capabilities from a people, process and technology perspective, taking into consideration emerging technologies. The risk assessment must also include an evaluation of all possible scenarios and dynamic fraud techniques, such as social engineering and phishing, to ensure the safety and soundness of the bank against dynamic fraud scenarios. In addition, the bank must enforce defense-in-depth mechanisms in its environment to ensure deep protection for customers, such as using a multichannel technique to verify customer identity and confirm the financial service/transaction, for example registration and activation/approval of services from different channels whenever applicable.
6.3.9 The risk management function must conduct a comprehensive risk assessment which covers cyber resilience and data privacy, including evaluating the threats, vulnerabilities and weaknesses that need to be analyzed for potential impact on the bank, leading to an improved cyber posture for member organizations.
6.3.10 The risk management function must assure that its people, systems and processes have the ability to adequately capture and report risks and financial commitments relating to its new products and services in a timely manner.
6.3.11 The risk management function must assure that all material risks posed by the introduction of new products and services, or by the modification of existing products and services, are identified, assessed, monitored and managed appropriately, and that they are regularly reviewed in light of changing market conditions not previously factored in.
6.3.12 The risk management function must assess how new products and services will affect the bank's current and projected financial and capital positions.
6.4 Products and Services Compliance
The compliance function must ensure the following:
6.4.1 Review all new products and services from compliance, regulatory and financial crimes perspective and ensure that they conform to all applicable rules and regulations issued by SAMA and all other relevant regulators.
6.4.2 Products and services offered are compliant with all rules and regulations issued by SAMA and all other relevant authorities at all times.
6.4.3 Identify the risks of non-compliance that might arise from products and services, set plans to manage them, and evaluate these risks at least once annually.
6.4.4 Report to the Board at least once annually the risks of non-compliance and how they would be mitigated.
6.4.5 The compliance function must be the main point of contact for the submission of all applications for non-objection to introduce new products and services, and for notifying SAMA of any products and services in cases where non-objection is not required.
6.5 Products and Services Auditing
The internal audit function must ensure the following:
6.5.1 Timely identification of internal control weaknesses, adherence to regulatory requirements and products and services policies and procedures.
6.5.2 To audit all new products and services in a reasonable time i.e. within one year after launching the product or service depending on the nature, type, complexity, and riskiness of the new products and services.
6.5.3 Report to the Audit Committee the results of the audit process conducted on the bank’s products and services at least once annually. In case the risks associated with products and services increase, or they violate any rules and regulations issued by SAMA and all other relevant regulators, the internal audit function must include them in its yearly audit plan.
6.6 Product Development Function
The product development function (business units) must ensure the following:
6.6.1 They are familiar with products and services policies and procedures and all applicable rules and regulations issued by SAMA and all other relevant regulators.
6.6.2 They are competent and appropriately trained, thoroughly understand the features, characteristics and risks of the products and services, and ensure that corrective actions are taken to mitigate identified risks related to products and services.
6.7 Products and Services On-going Monitoring and Control
6.7.1 Banks must ensure that the requirement to monitor products and services on an ongoing basis is in place and implemented, to ensure that the interests, objectives and characteristics of the target market continue to be appropriately taken into account. In addition, banks must address consumer complaints and rectify them on a timely basis.
6.7.2 If the bank identifies a problem/risk related to products or services in the market, or when monitoring the performance of the products or services as required, the bank must take the necessary corrective actions and implement measures to prevent future recurrence. The corrective action plan, which may include suspension or withdrawal of products or services, must be approved by the senior management function or other functions within the bank accountable for the approval of products and services. Banks must also report such incidents to SAMA, including the corrective action plan that has been or will be implemented.
6.7.3 In the case of product or service suspension or withdrawal, banks are required to notify SAMA by email via (PSBanking@sama.gov.sa) at least (45) business days before suspending or withdrawing any products or services. The notification must include the justifications for the suspension or withdrawal and the plan (exit plan) to deal with beneficiary customers affected by the discontinuation of the products or services.
6.7.4 After the introduction of new products or services, SAMA may, at any time, suspend the product or service if any regulatory non-compliance has been identified and/or there is a negative impact on the banking sector or on consumers. In such cases SAMA will direct banks to provide corrective actions for approval and implementation.
6.8 Documentation and Reporting Requirements
6.8.1 Banks are required to submit a report to SAMA which includes all products and services. The report must be signed by the Chief Executive Officer and submitted by the Compliance Function to the Banking Licensing Division via (PSBanking@sama.gov.sa) by 1st March of each year, according to the table provided in (Annexure 5).
6.8.2 Banks must document all actions taken while implementing the internal policies and procedures, preserve these documents for audit purposes, and make them available to SAMA upon request. In addition, banks must retain all documents relating to the risk assessment of new products and services, including the key risks from both the bank’s and the customer’s perspective, together with the systems and processes that are in place to mitigate these risks.
6.8.3 Banks must maintain an inventory of their existing products and services containing information such as (but not limited to): name of the product and service, target market, risk classification, developer of the product or service, reviewer of the product, approver of the product, approval date, launch date, last review date, and latest changes made, including the description and the date of the changes.