Implementing Regulations of Payments and Payment Services Law
No: 000044093096 Date(g): 13/6/2023 | Date(h): 24/11/1444 Status: In-Force Based on the powers granted to SAMA under the Law of Payments and Payment Services issued by Royal Decree No. (M/26) dated 22/03/1443H, and stemming from SAMA 's supervisory and regulatory role in shaping the strategic directions of the payments sector in the Kingdom, we inform you of the issuance of the Implementing Regulations of the Law of Payments and Payment Services on 24/11/1444H corresponding to 13/06/2023G, as per the attached version. The regulatory framework for payment service providers issued by SAMA on 05/06/1441H corresponding to 30/01/2020G is hereby repealed and replaced by the Implementing Regulations effective from the date of issuance.
SAMA emphasizes the obligation of payment service providers and payment system operators subject to the Law and Regulations to comply with all provisions contained in the Implementing Regulations. Additionally, SAMA stresses the importance of submitting a plan outlining corrective actions to ensure compliance with the provisions of the Law and Regulations within no more than six months from the effective date of the Regulations.
Part 1: General Provisions
Article 1
(1) The terms and phrases referenced in the Implementing Regulation shall have the meanings prescribed to them in the Law of Payment and Payment Services unless the context requires otherwise.
(2) For the purpose of applying the provisions of this Implementing Regulation, the following terms and phrases, wherever mentioned herein, shall have the meanings assigned thereto unless the context requires otherwise.
Law: Law of Payments and Payment Services, promulgated by Royal Decree No. (M/26) dated 22/03/1443 H.
Implementing Regulation: The Implementing Regulation of the Law.
Governor: Governor of the Central Bank.
SAR: Saudi Arabian Riyal.
PFMI: The “Principles for financial market infrastructures” issued by CPMIIOSCO on April 2012 (and any publications or amendment thereof).
Controller: a Person who, either jointly or severally, can influence the actions or decisions of the Licensee or the holding company that owns the Licensee under any of the following cases:
(A) Holds 10% or more of the shares in either the Licensee or a Holding Company of that Licensee;
(B) Is entitled to exercise, or controls the exercise of, 10% or more of the voting rights in either the Licensee or a Holding Company of that Licensee; or
(C) Is able to exercise significant influence over the management of the Licensee as a result of holding shares of the Licensee or the holding company of the Licensee or being able to exercise voting rights connected to these shares, or having a currently exercisable right to acquire such shares or voting rights.
Holding Company: Notwithstanding the relevant provision of the Companies Law, a joint-stock, a simplified joint-stock, or a limited liability company that controls another joint-stock, simplified joint-stock, or limited liability company (that is referred to as its subsidiary) by owning more than half of the capital of such companies or by controlling the formation of their boards of directors.
Complaint: Expression of consumer or client dissatisfaction or objections, submitted to a Licensee through the available channels.
License: The license that is given by SAMA to operate a Payment System or to provide Payment Services in accordance with the provisions of the Law and the Implementing Regulation, including activities that are specified in the License.
Applicant: A legal person -or who is acting on his behalf- that has applied for licensing.
Licensee: a Payment System Operator or Payment Service Provider licensed under the provision of the Law and the Implementing Regulation and the like.
Licensed Bank: A bank licensed to carry on banking business pursuant to the Banking Control Law, promulgated by Royal Decree No. (M/5) dated 22/02/1386 H.
Payment Service Provider: Any of the following entities:
(A) An entity licensed as a major PI, a major EMI, or a micro EMI.
(B) An entity licensed as a micro PI.
Relevant Payment Services: Any Payment Services that are activities specified in Article 6 of the Implementing Regulation.
Agent: a Person that acts on behalf of a Payment Service Provider in the provision of Relevant Payment Services.
Payment service user: Any person who makes use of, or receives, one or more Relevant Payment Services in the capacity of Payer, Payee or both; or any Person who makes use of the Relevant Payment Services of a Payment Account Information Service Provider.
Payment System Operator: The legal person licensed as an operator of one or more Payment Systems by SAMA.
Non-Systemically Important Payment System: a Payment System not designated by SAMA as a Systemically Important Payment System.
National Payment system: a Payment System owned or operated by SAMA directly or indirectly.
Service Provider Related to Payment System: The service provider that forms part of the payments system operating arrangements.
Payer: a Person who holds a Payment Account and allows a Payment Services Order from that Payment Account, or where there is no Payment Account, a person who gives a Payment Services Order.
Payee: a Person who is the intended recipient of Funds which have been the subject of a Payment Transaction.
Payment Account: : An account held in the name of one or more Payment Service Users which is used for the execution of Payment Transactions.
Money Remittance: An operation where Funds are received from a Payer, without any Payment Accounts being created in the name of the Payer or the Payee, for the purpose of transferring a corresponding amount to a Payee or to a Payment Service Provider or a Person licensed under the Rules Regulating Money Changing Business acting on behalf of the Payee or to an entity with an equivalent license, or such Funds are received on behalf of and made available to the Payee.
Credit Transfer: An operation that results in crediting the Payment Account of a Payee with a Payment Transaction (or a series of Payment Transactions) which is carried out in accordance with the instruction given by the Payer through his Payment Account with the Payment Service Provider.
Direct Debit: An operation that results in debiting the Payer’s Payment Account following a Payment Transaction that is initiated by the Payee on the basis of the consent given by the Payer to the Payee’s Payment Service Provider or to the Payer’s own Payment Service Provider.
Payment Aggregation Service: Operations provided by a Payment Service Provider of facilitating payment on a pooled basis and do not require a relationship with a Payment Service Provider that provides the Payment Service of Payee Acquiring.
Payment Transaction: The depositing, transferring or withdrawing of Funds initiated by the Payer or on his behalf or by the Payee.
Payment Transaction Aquiring: The Payment Service provided by a Payment Service Provider to a Payee to accept and process a Payment Transaction, which results in a credit transfer to the Payee.
Payment Account Information Service: A service to provide consolidated information about one or more Payment Accounts (in the original format or subject to processing), held by the Payment Service User with one or more Payment Account Service Providers, with enabling the Payment Service User to modify and present account information in alternative ways, which is shared through the electronic channels or otherwise with Payment Service User or any other Person’s instructions and Consent.
Payment Initiation Service: A service (as an on-line tool or otherwise) to initiate a Payment Services Order at the request of a Payment Service User in connection with his Payment Account with the Payment Account Service Provider on the basis of Consent provided by that Payment Service User.
Payments Account Service Provider: a Payment Account Service Provider, including the licensed bank, which provides and maintains a Payment Account for the Payment Service User.
Payments Instrument: Any tools or procedures provided by the Payment Service Provider to the Payment Service User, which is used to initiate Payment Services Orders through the online channels or otherwise.
Card-Based Payments: The Payment Instrument provided by the Payment Service Provider through a card used to initiate a Payment Transaction from a Payment Account held with another Payment Service Provider.
Closed Loop Account: The monetary value stored on a Payment Instrument and is issued by a one-off issuer, which cannot be redeemed in cash or to any other account, which can only be used to acquire goods or services within a limited network of service providers that have direct commercial agreements with the issuer and are in the same corporate group or are otherwise affiliated by the same commercial name or trademark.
Restricted Loop Account: The monetary value stored on a Payment Instrument, which cannot be redeemed in cash or transferred to any other account and can only be used to acquire goods or services within a clearly defined area, goods or services within a limited network of service providers which have direct commercial agreements with the issuer.
Limited Network Service: Payment Transactions made using a Closed Loop Account or a Restricted Loop Account.
Payment services Order: Any instructions by a Payment Service User acting as Payer or Payee to its Payment Service Provider, requesting the execution of a Payment Transaction.
One-off Payment Contract: A contract for a one-off Payment Transaction not made under a Framework Contract.
Framework Contract: A contract for Relevant Payment Services which is intended to govern the subsequent execution of individual and successive Payment Transactions.
Electronic Money: Electronically (including magnetically) stored monetary value as represented by a claim on the issuer, which is issued on receipt of Funds for the purpose of making Payment Transactions and accepted by a Person other than the issuer as means of payment (excluding virtual assets).
Electronic Money Institution or “EMI”: an entity that is licensed to issue Electronic Money.
Electronic Money Distributor: a Person that distributes or sells Electronic Money or redeems Electronic Money on behalf of an EMI but does not provide any Payment Service (including the issuance of Electronic Money) or act as an Agent of the EMI.
Safeguarded Funds: Means safeguarded funds according to the following cases:
(a) For Payment Institutions, Funds received from, or for the benefit of, a Payment Service User for the execution of Payment Transactions, or Funds received from another Payment Service Provider for the execution of Payment Transactions on behalf of a Payment Service User; and
(b) For Electronic Money Institutions (and Electronic Money Distributors), Funds received in exchange for Electronic Money that has been or is to be issued and does not include deposits held at banks.
Cash-Out Transaction: The redemption and withdrawal of Electronic Money at par value.
Total Average Outstanding Electronic Money: The arithmetic means of the total amount of financial liabilities related to Electronic Money issued by the EMI at the end of each calendar day over the last twelve calendar months.
Total Outstanding Electronic Money: The total value of Electronic Money issued by an EMI, calculated on the first day of each calendar month and applied for that calendar month.
Payment Institution or “PI”: a Payment Service Provider licensed to provide one or more Relevant Payment Services, except for the issuing of Electronic Money.
Accounting Records: Underlying documents and information (stored electronically or otherwise) used to prepare, verify and audit financial statements.
Average Monthly Payment Transaction Value: The rolling monthly average over any period of twelve calendar months preceding the date of calculation of the total amount of Payment Transactions executed by the Payment Service Provider, including Payment Transactions executed by its Agents, and does not include the issuance or redemption of Electronic Money.
Authentication: A procedure (that may be subject to further SAMA’s regulations, rules, circulars, controls or instructions, including those related to cyber security) which allows a Payment Service Provider to verify the identity of a Payment Service User or the validity of the use of a specific Payment Instrument, and “Authenticated” shall be interpreted accordingly.
Consent: The authorization by an Authenticated Payer of a Payment Transaction, recorded in accordance with Article 38 of the Implementing Regulation.
Personalized Security Credentials: Personalized features provided by a Payment Service Provider to a Payment Service User, which can be used for the purposes of Authentication.
Fit and Proper Requirements: The rules, instructions and requirements issued by SAMA and all amendments thereto which includes the standards of competence and propriety for Senior Positions of Payment System Operators and Payment Service Providers.
Senior Positions: The functions, roles and responsibilities entrusted to those positions who take strategic decisions or manage the Licensee’s business processes, including the board of directors and senior management, according to the positions specified in the Requirements for Appointments to Senior Positions.
Fit and Proper Form: The form issued by SAMA in accordance with the requirements for appointments to senior positions.
Operating Rules: The operating rules of a registered payment system.
Outsourcing Rules: The regulations, rules, circulars, principles and instructions related to third-party outsourcing, issued by SAMA, with the aim of regulating the provisions of assigning activity to a third party.
Unique Identifier Number: The account number of the Payment Service User.
Unauthorized Payment Transactions: The payment transactions that are initiated by a non-user of Payment Services without the authority to initiate them.
Article 2
The objectives of the Implementing Regulation are:
(1)
Enacting the framework and regulatory requirements of payment service operators and providers in the Kingdom, particularly in determining the relevant licensing, supervision and oversight procedures and requirements.
(2) Ensuring the presence of the necessary mechanisms to manage the risk of Payment Systems and Payment Services, which may affect the payment sector and monetary and financial settlement; and
(3) Contributing to the enhancement of transparency and fair competition with the aim of supporting the effective and efficient functioning of payment systems and monetary and financial settlement.
(4) Incentivizing and developing the payment systems and services sector by SAMA.
Article 3
(1) SAMA shall carry out its duties and authorities set out in the Law and all relevant regulations and policies, taking into consideration best international standards and practices.
(2) SAMA shall carry out the supervision and oversight functions on Relevant Payment Services, in particular, the following:
(a) Licensing entities to engage in one or more Relevant Payment Services in accordance with the Law and the Implementing Regulation;
(b) Issuing regulations, rules, instructions, and circulars relating to the provision of Relevant Payment Services and its amendments;
(c) Ensuring the compliance of Payment Service Providers with the Implementing Regulation and all related regulations, rules, instructions, and circulars issued by SAMA;
(d) Ensuring and supervising the licensed Payment Service Providers and the Senior Positions adherence to the highest standards of corporate governance;
(e) Taking enforcement or remedial action in respect of contraventions of the provisions of the Law, the Implementing Regulation and all related regulations, rules, instructions, and circulars issued by SAMA;
(f) Dealing with Complaints and mechanisms for resolving them; (g) Creating and maintaining a public register of Payment Service Providers; and.
(h) Suspending or revoking licenses of Payment Service Providers in accordance with the powers of SAMA pursuant to the Law.
(3) SAMA shall carry out the supervision and oversight functions on Payment Systems, in particular, the following
(a) Licensing the entities to operate Payment Systems in accordance with the Law and the Implementing Regulation;
(b) Designating Payment Systems according to the Criteria of Systemically Important Payment System;
(c) Issuing regulations, rules, instructions, and circulars relating to the operation of Payment Systems taking into consideration the PFMI;
(d) Ensuring and monitoring the compliance of Payment System Operators with the Law, Implementing Regulation, and related regulations, rules, instructions and circulars issued by SAMA;
(e) Carrying out the specific authorities in relation to Payment Systems, including but not limited to ensuring the execution of Settlement Finality and bankruptcy of Payment Systems and their Members;
(f) Ensuring and overseeing the Payment System Operators and the Senior Positions adherence to high standards of corporate governance;
(g) Taking enforcement or remedial action in respect of contraventions of the provisions of the Law, the Implementing Regulation and related regulations, rules, instructions and circulars issued by SAMA;
(h) Dealing with Complaints and mechanisms for resolving them;
(i) Maintaining a public register of Payment System Operators; and
(j) Suspending or revoking licenses of Payment System Operators in accordance with the powers of SAMA pursuant to the Law.
Article 4
(1) The Implementing Regulation apply to all Persons that carry out Relevant Payment Services in the Kingdom if any of the following apply:
(a) Provides Relevant Payment Services from an establishment located in the Kingdom;
(b) Holds itself out by any means as providing a Payment Service in the Kingdom;
(c) Invites or induces a Person located in the Kingdom to enter into, or offer to enter into, an agreement in relation to a Payment Service;
(d) Markets or otherwise promotes any Payment Service to one or more Persons in the Kingdom; or
(e) Appoints another Person operating from an establishment located in the Kingdom where such appointee:
(i) Has a mandate to provide a Payment Service in the Kingdom on behalf of the appointer;
(ii) Accustomed to act in accordance with the instructions of that appointer; and
(iii) Provides a Payment Service on the appointer’s behalf or invites or induces a Person in the Kingdom to enter into, or offer to enter into, an agreement in relation to a Payment Service.
(2) The Implementing Regulation apply to all Persons that carry out Payment System operating -whether the Payment Systems Operator is established in the Kingdom or abroad or whether the Payment System is operated in the Kingdom or abroad - if any of the following apply:
(a) The Payment System operating rules specified rules and conditions for enabling Credit Transfers relating to Payment Transactions initiated by Payers or Payees residing in the Kingdom; or
(b) The Payment System provides services for the handling and settling of Payment Orders to Members residing in or operating in the Kingdom.
Part 2: Licensing
Article 5
SAMA may approve or reject a licensing application as a Relevant Payment Service Provider or Payment System Operator, taking into account the following:
(1) Whether the activities and services are consistent with the objectives of the Law and the Implementing Regulation;
(2) Whether the activities and services are consistent with the consumer protection and competition objectives set out in the Law and the Implementing Regulation;
(3) The economic value resulting from providing the activities in the Kingdom and the impact of these activities on financial stability in the Kingdom;
(4) SAMA assessment of the Applicant’s ability to satisfy the requirements of the Law and the Implementing Regulation; and
(5) Whether there are factors that might hinder SAMA’s ability to oversee the applicant effectively.
Article 6
SAMA licenses the payments service provider to practice one or more of the following services when conducted as a business or as usual:
(1) Services enabling Funds to be deposited on a Payment Account as well as all the operations required for operating a Payment Account;
(2) Services enabling cash withdrawals from a Payment Account as well as all the operations required for operating a Payment Account;
(3) Execution of Payment Transactions, including Credit Transfers on a Payment Account with the user’s Payment Service Provider or with another Payment Service Provider, which include the following:
(a) Execution of Direct Debits, including one-off direct debits;
(b) Execution of Payment Transactions through a payment card or a similar digital device; and
(c) Execution of Credit Transfers, including standing orders.
(4) Execution of Payment Transactions where the Funds are covered by a credit line for a Payment Service User:
(a) Execution of Direct Debits, including one-off direct debits;
(b) Execution of Payment Transactions through a payment card or a similar device; and
(c) Execution of Credit Transfers, including standing orders.
(5) Issuing of Payment Instruments;
(6) Payee transactions Acquiring;
(7) Payment Aggregation Services;
(8) Issuing Electronic Money (by opening e-wallets or otherwise);
(9) Payment Initiation Services; and
(10) Payment Account Information Services.
(11) Payment Account Service.
(12) Any other service that SAMA may decide to consider as a payment service.
Article 7
Subject to other related laws, the following services do not constitute Payment
Services:(1) Payment that is made exclusively in cash directly from the Payer to the Payee, without any intermediary intervention.
(2) The payment that is made from the Payer to the Payee through a commercial agent authorized via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of any person.
(3) Professional physical transport of banknotes and coins, including their collection, processing and delivery.
(4) The payment that is consisting of the non-professional cash collection and delivery within the framework of a non-profit or charitable activity.
(5) Services where cash is provided by a person to another as part of a Payment Transaction following an explicit request by the Payment Service User just before the execution of the Payment Transaction through a payment for the purchase of goods or services.
(6) Currency exchange operations carried out independently and outside the scope of payment services.
(7) The payment that is based on cheques, traveller’s cheques, and paperbased vouchers.
(8) Payment that is related to securities asset servicing, including dividends, income or other distributions, or redemption or sale, or by investment institutions, credit institutions, collective investment institutions or asset management companies that provide investment services and any other entities allowed to have the custody of financial instruments.
(9) Services provided by technical service providers, For example, technical services.
(10) Services based on specific Payment Instruments that can be used only in a Limited Network.
(11) Payment Transactions by a provider of electronic communications networks, in addition to electronic communications services for a subscriber to the network or services for any of the following:
(a) For the purchase of digital content and voice-based services, regardless of the device used for the purchase or consumption of the digital content and charged to the unrelated bill; or
(b) Services performed through electronic means and included in the relevant receipt as part of a charitable activity or ticket purchase.
(12) Payment Transactions carried out among Payment Service Providers, their Agents or branches for their own accounts.
(13) Payment Transactions and related services between a Holding Company and its subsidiary or between subsidiaries of the same parent company, including Payment Transactions and services that is made through Payment Services Provider belongs to the same parent group.
(14) Withdrawal services offered by means of ATM by providers acting on behalf of one or more card issuers, which are not a party to the Framwork Contract with the Payment Service User withdrawing money from a payment account, on condition that those providers do not conduct other Relevant Payment Services as referred to in Article 6.
(15) Banking business regulated pursuant to the Banking Control Law, and the activities of finance companies regulated pursuant to the Finance Companies Control Law.
(16) Money exchange business regulated pursuant to the Rules Regulating Money Changing Business, where Funds are not held on a Payment Account.
(17) Money Remittance. Article 8
A person who seeks to get a license of Payment Services Provider, or his representative, shall apply to SAMA for a License and provide the following:
(1) An application form as may be required by SAMA;
(2) A detailed specification of each of the services set out in Article 6 for which a License is requested;
(3) A draft of articles of incorporation and articles of association of the Applicant, or the authenticated copies if the Applicant is incorporated outside the kingdom, subject to the related laws in the Kingdom;
(4) A description of the organizational structure of the Applicant showing all department units and their main functions and tasks and the details of the Senior Positions roles;
(5) A list of all controllers, which sets out the number and percentage of ownership that each controller will own; with submitting the Fit and Proper Form for controllers signed by each controller, as determined by the Requirements for Appointments to Senior Positions, issued by SAMA for all financial sectors.
(6) The Fit and Proper Form for Senior Positions, as determined by the Requirements for Appointments to Senior Positions, issued by SAMA for all financial sectors.
(7) A feasibility study shows the target segment, the services to be provided, the proposed business model, and the strategy of the Applicant and signed by the Applicant.
(8) A three-year business plan that sets out at least the following:
(a) A detailed description of the activities for which a License is requested, products and a marketing plan;
(b) Estimated financial data, projected annual revenue, expenses, financial margins and targeted growth rates, taking into account the requirements of capital adequacy and liquidity assessments of SAMA;
(c) Projected establishment costs and funding thereof;
(d) Projected ongoing financing of operations;
(e) Expansion Plan and branch offices to be established in the Kingdom – if any -;
(f) Plan and programs for monitoring and managing risks and ensuing the effective management of the compliance function;
(g) Recruitment and training plan, including the projected number of employees and the percentage of non-Saudi nationals, in accordance with the related requirement, in each department and each organizational level, and the qualification programs for employees; and
(h) Information on other commercial and investment activities beyond the scope of the Law and the Implementing Regulation that the applicant will conduct directly or under its control or direction (including through a subsidiary); and
(9) Relevant draft policies and procedures demonstrating the ability to comply with the requirements set forth under the Law and the Implementing Regulation and any other instructions from SAMA;
(10) An irrevocable bank guarantee issued in favour of SAMA by one of the Licensed Banks in the Kingdom for an amount equivalent to the required minimum capital for the licensed activity or activities for which the Applicant requests to be licensed, in accordance with the model set by SAMA. Such bank guarantee must be renewable automatically until the required capital is paid up in full in accordance with the Implementing Regulation. This guarantee shall be released upon the following cases:
(a) Paying up the capital in full in accordance with the Implementing Regulation. SAMA may require full or partial continuation of the bank guarantee, and may require as additional prudential requirements providing a bank guarantee for a post-licensing stage as it deems appropriate;
(b) Withdrawing the License application; and
(c) Refusal of the License application by SAMA.
(11) Drafts of proposed material agreements and contracts with third parties, including material agreements and contracts with related parties and external service providers; and
(12) The Applicant’s business continuity and recovery plans and its wind-down plan, showing how the Applicant will manage liquidity, operational and wind-down risk; if the Applicant is proposing to become a Major PI or Major EMI.
(13) Any other documents or information that SAMA may request.
Article 9
A person who seeks to get a license of Payment System Operator, or his representative, shall apply to SAMA for a License and provide the following:
(1) An application form as may be required by SAMA;
(2) A draft of articles of incorporation and articles of association of the Applicant, or the authenticated copies if the Applicant is incorporated outside the kingdom, subject to the related laws in the Kingdom. A description of the organizational structure of the Applicant showing all departments units and functions and their main tasks;
(3) A description of the organizational structure of the Applicant showing all department units and their main functions and tasks.
(4) A list of all controllers, which sets out the number and percentage of ownership that each controller will own; with submitting the Fit and Proper Form for controllers signed by each controller, as determined by the Requirements for Appointments to Senior Positions, issued by SAMA for all financial sectors.
(5) Fit and Proper Form for Senior Positions, as determined by the Fit and Proper Requirements, issued by SAMA for all financial sectors.
(6) The Operating Rules;
(7) A description of its systems and controls and a copy of its recovery and wind-down plans where required under Paragraph (1) (f) of Article 105, and an initial self-assessment for the purposes of Article 106 of the Implementing Regulation.
(8) A detailed programme of operations (including relevant policies, procedures and a description of systems and controls) that demonstrates the ability to satisfy (on an on-going basis) the REQUIREMENTS SET FORTH under the Law and the Implementing Regulation in a format agreeable to SAMA;
(9) An irrevocable bank guarantee issued in favour of SAMA by one of the Licensed Banks in the Kingdom for an amount equivalent to the required minimum capital for the licensed activity or activities for which the Applicant requests to be licensed, in accordance with the model set by SAMA. Such a bank guarantee is renewable automatically until the required capital is paid up in full. This guarantee shall be released in the following cases:
(a) Paying up the capital in full in accordance with the Implementing Regulation. SAMA may require full or partial continuation of the bank guarantee, and may require as additional prudential requirements providing a bank guarantee for a post-licensing stage as it deems appropriate;
(b) Withdrawing the License application; and
(c) Refusal of the License application by SAMA.
(10) Drafts of proposed material agreements and contracts with third parties, including material agreements and contracts with related parties and external service providers; and . (11) Any other documents or information that SAMA may request. Article 10
National Payment Systems and their operators are considered licensed in accordance with the Governor's decision in this regard.
Article 11
(1) SAMA shall inform the Applicant in writing that the application reception has been accepted, upon examining and confirming that all supporting documents are correct and complete, provided that the Applicant has submitted all information and documentation necessary to satisfy the requirements stipulated in Article 8 and Article 9 of the Implementing Regulations.
(2) The Applicant must provide SAMA with any additional information or documents that it requests within thirty calendar days from the date of request unless otherwise indicated by SAMA. SAMA may reject the License application where an Applicant does not provide such documents and information to the satisfaction of SAMA within that period.
(3) SAMA may take such measures as it deems necessary to assess the extent to which the Applicant meets the requirements for licensing.
(4) SAMA shall notify Applicant in writing of its decision in relation to a License application within ninety calendar days from the date on which it notifies the Applicant that the License application is complete in accordance with Paragraph (1) of this Article.
(5) If there is a delay beyond this period of ninety calendar days referred to in Paragraph (4) of this Article, SAMA will notify the Applicant of the adjusted timeline for assessing their application.
Article 12
(1) Upon issuance of the approval of a License application, SAMA may impose limitations on the services or activities for which the Applicant has requested a License.
(2) SAMA may include a License application, such requirements as it deems appropriate. Such a requirement may be imposed so as to require the Applicant, or a Person within the Applicant’s group, to take a specified action or to refrain from taking a specified action.
Article 13
(1) SAMA may refuse the licensing application when the data, information or documents provided by the Applicant do not satisfy the requirements stipulated in Article 8 and Article 9 of the Implementing Regulation or when the additional requirements have not been met within the specified period provided that the refusal must be justified.
(2) The Applicant may submit a request to reconsider the rejected application if a period of twelve months has passed from the date of rejection or any shorter period specified by SAMA.
Article 14
(1) Applicants must establish the Licensee as a joint stock company if the applicant is either a major PI, a major EMI, or a micro EMI.
(2) In the case of an Applicant applying for a License as a Micro PI, it should be either as a joint stock company or as a simplified joint-stock or as a limited liability company.
(3) Applicants must complete the establishment within one hundred and eighty days of granting the in-principle approval and provide SAMA with copies of the Licensee’s commercial registration and article of association, reflecting the licensed activities in accordance with the in-principle* approval.
* initial.
Article 15
(1) Upon receipt of an application submitted to SAMA by the Applicant as set forth in Article 11, SAMA may issue an in-principle approval to the applicant when it is proven to SAMA that an Applicant is able to meet the relevant License requirements. The Applicant must ensure the satisfaction of the relevant License requirements and conditions within a period of no more than one year. SAMA may, in its sole discretion, extend the preliminary approval duration for an additional 180 calendar days as a maximum.
(2) In addition to the requirement set forth in Article 14 of the Implementing Regulation, SAMA will outline in its in-principle approval all outstanding requirements that must be addressed by the Applicant in order for SAMA to be satisfied with any licensing conditions and concerns raised therein, subject to the duration set forth in Paragraph (1) of this Article.
(3) The Applicant is required to address the outstanding requirements outlined in the in-principle approval before the in-principle approval expires further to Paragraph (1) of this Article.
(4) The in-principle approval does not grant the Applicant the right to carry out any service or activity for which a License is required from SAMA under the Law.
Article 16
(1) Upon licensing, SAMA will enter the Licensee information into an online registry accessible to the public through the means determined by SAMA.
(2) A Licensee’s information entered in the register must include the following:
(a) The category of License determined for that Licensee;
(b) The services and activities for which it is licensed; and
(c) Any restrictions imposed by SAMA on the License.
Article 17
(1) A License for a Payment Service Provider shall be granted for a term of five years as a maximum.
(2) A License for a Payment System Operator shall be granted for a term deemed appropriate (in a case-by-case basis) in the sole determination of SAMA.
(3) A License may be renewed by SAMA based on a request by the Licensee, for a similar period or another period in the sole determination of SAMA, after fulfilling the requirements stipulated in the Implementing Regulation.
(4) The renewal application must be submitted to SAMA at least six months prior to the expiry of the License period or the renewed period in accordance with the application determined by SAMA.
(5) The renewal application of a Payment System Operator must be accompanied by a program of operations in a format agreeable to SAMA.
(6) The Payment Service Provider must submit a three-year business plan in addition to the following:
(a) A marketing plan taking into account existing and planned products;
(b) Relevant policies and procedures
(c) Projected financial statements, annual revenue and expenses, financial margins and targeted growth rates against the performance of the Payment Service Provider over the past three years, taking into account any modifications to its’ strategy and business plan;
(d) Projected liquidity and capital adequacy ratios against the levels of liquidity and capital solvency ratios of the past three years, taking into account any modifications to its’ strategy and business plan;
(e) The estimated ongoing finance of operations;
(f) Branch offices to be established (if applicable);
(g) Report on risk incidents sustained by the Payment Service Provider through the past three years and how the Payment Service Provider dealt with such risk incidents, including incidents of non-compliance with applicable laws, regulations, and decisions; and future plans and programs to manage risk and the compliance function;
(h) Current number of employees and the percentage of Saudi nationals thereof in accordance with the related laws and instructions at each department and each organizational level;
(i) Recruitment and training plan, including training and qualification programs for employees; and
(j) Any other documents and information that SAMA may request.
(7) The fees required for renewing the License must be paid in full at the time of the submission of the renewal application.
Article 18
The Licensee must not cease any of its services or activities totally or partially unless SAMA has granted its prior written approval and without prejudice to the Licensee’s obligations towards its Clients, creditors, shareholders, Members (as applicable) or the integrity and the stability of the financial sector.
Article 19
(1) The Licensee shall receive a non-objection letter from SAMA prior to engaging or participating in establishing any entities or any additional commercial or investment activities or commencing the practice of any of these activities.
(2) SAMA may make it a condition of a License to require the Licensee or Applicant to create a separate legal entity for such business that is beyond the scope of the Law and the Implementing Regulation if such business could:
(a) Impact the Licensee’s financial soundness;
(b) Impact the ability of SAMA to supervise the Licensee;
(c) Impact the Licensee’s ability to comply with the laws, regulations and decisions applicable to it; or
(d) Impact the Licensee in any other way as deemed by SAMA.
Article 20
The Licensee may apply for an amendment of the License for the addition or deletion of some activities or services or amendment of any term or limitation thereof. An amendment application must be based on reasonable justifications and supported by studies, documents and information and accompanied by any documents, information or studies required by SAMA.
Article 21
(1) Without prejudice to SAMA’s other powers under applicable laws, regulations and decisions, SAMA may revoke or suspend a License granted to a Licensee in any one or more of the following circumstances:
(a) A Payment Service Provider has not provided any payment services in the Kingdom for a period of at least six consecutive months;
(b) A Payment System has not processed any Payments Orders in the Kingdom for a period of at least twelve consecutive months;
(c) A Licensee notifies SAMA that it intends to cease carrying on the Relevant Payment Services or Payment System operations;
(d) A Licensee no longer meets or failed to meet the requirements of the License;
(e) A Licensee fails to inform SAMA, in accordance with the provision of Article 39 of the Implementing Regulation, of a change in circumstances that SAMA deems to be materially relevant to its compliance with the requirements of the Implementing Regulation;
(f) A Licensee has committed a material breach of a provision of the Law and the Implementing Regulation;
(g) A Licensee constitutes a threat to the stability of or trust in a Payment System as per assessment by SAMA; or
(h) SAMA deems that revocation is otherwise desirable in order to protect the interests of Payment Service users or Members or for market protection or the financial stability in the Kingdom.
(2) Subject to Paragraph (4) of this Article, before suspending or revoking a License, SAMA will notify the Licensee of the reason for the suspension or revocation and allow it thirty calendar days from the date of dispatch of the notification to appeal the decision, the appeal does not affect the validity of the suspension or revocation decision unless SAMA decides otherwise.
(3) SAMA may take the necessary measures and decisions to close or liquidate the licensed entity upon revocation of its license.
(4) Where SAMA decides to suspend a License, it may prescribe a certain period for the suspension or notify the Licensee that the suspension will continue until the licensee is able to demonstrate compliance with the licensing conditions and the Implementing Regulation provisions or completion of actions prescribed by SAMA.
Article 22
(1) A Licensee may apply to SAMA for cancellation of its License as prescribed by SAMA taking into consideration the impact on the sector’s integrity and financial stability in the Kingdom.
(2) A License cancellation Applicant must provide SAMA with the following:
(a) The reasons for the request to cancel its License;
(b) The impact resulting from its cessation of carrying out providing Relevant Payment Services or operating a Payment System;
(c) The projected date on which it will cease to carry on providing Relevant Payment Services or operating a Payment System; and
(d) The evidence of discharging, or its ability to discharge, all obligations owed to its Clients.
Article 23
(1) Upon approval of the application and prior to the issuance of the License, the Applicant shall pay SAMA the License issuance fee pursuant to Article 7 of the Law, which corresponds with the type of License being applied for, as follows:
(a) Twenty thousand Saudi Riyals (SAR 20,000) for a Micro PI License;
(b) Fifty thousand Saudi Riyals (SAR 50,000) for a Major PI License;
(c) Twenty thousand Saudi Riyals (SAR 20,000) for a Micro EMI License;
(d) Fifty thousand Saudi Riyals (SAR 50,000) for a Major EMI License;
(e) Twenty thousand Saudi Riyals (SAR 20,000) for a Payment Initiation Services License; and
(f) Twenty thousand Saudi Riyals (SAR 20,000) for a Payment Account Information Services License.
(2) In the event of an amendment of a License further to Article 20 of the Implementing Regulation, a Licensee will be subject to re-evaluation and the License issuance date will be amended in such circumstances.
(3) SAMA may review and adjust the fees mentioned in Paragraph (1) of this as it deems appropriate.
(4) SAMA determines License issuance and renewal fees applicable to Payment System Operators on a discretionary basis, commensurate with the size as well as the nature of and complexity of the Payment System Operator and the complexity of relevant operations.
Part 3: Agents and Electronic Money Distributors
Article 24
(1) A Payment Service Provider must obtain a non-objection letter from SAMA before it appoints an Agent for the provision of any Payment Service and submit a business plan in a form satisfactory to SAMA; the Application must include at least the following:
(a) The anticipated number and location of the Agents;
(b) The data of Persons that are intended to be appointed as Agents, as well as evidence that such Persons have obtained all necessary registrations, licenses and permissions from SAMA and other competent authorities in order to carry out their activities;
(c) The policies, procedures, systems and controls that the Payment Service Provider will use to select and supervise the Agent;
(d) The activities relating to the provision of Relevant Payment Services that are to be carried out by the Agents; and
(e) Such other information, data or documents as SAMA may request.
(2) SAMA’s non-objection to the appointment of an Agent shall be deemed cancelled if the approved Agent does not commence its activities within a nine-month period from the date of issuing SAMA’s non-objection. SAMA may extend this period if it deems appropriate.
(3) SAMA may revoke its non-objection to the appointment of an Agent where an Agent or the Payment Service Provider that appointed it has contravened the provisions of the Implementing Regulation or other applicable laws, regulations or decisions.
(4) The Payment Service Provider must ensure the compliance of the Agent when acting on its behalf according to the following:
(a) May distribute or redeem Electronic Money on behalf of an EMI into an Electronic Money account but may not issue Electronic Money on behalf of an EMI;
(b) Must ensure that it does not contravene any provision of the Outsourcing Rules; and
(c) Must only carry out activities for which it is duly licensed in accordance with applicable laws and regulations.
Article 25
(1) An Electronic Money Institution that wishes to appoint an Electronic Money Distributor must comply with the following:
(a) At least thirty calendar days before that Electronic Money Distributor commences work under its appointment, submit a business plan to SAMA describing the following:
i. The anticipated number and location of the Electronic Money Distributors;
ii. The data of Persons that are intended to be appointed as Electronic Money Distributors, as well as evidence that such Persons have obtained all necessary registrations, licenses and permissions from SAMA and other competent authorities in order to carry out their activities;
iii. The policies, procedures, systems and controls that the Payment Service Provider will use to select and oversee the Electronic Money Distributors;
iv. The activities relating to the provision of Relevant Payment Services that are to be carried out by the Electronic Money Distributors; and
v. Such other information, data or documents as SAMA may request;
(b) Within ten calendar days of entering into a contractual agreement to appoint an Electronic Money Distributor, notify SAMA of such entry, with the right of SAMA to refuse within this period.
(2) The Payment Service Provider must ensure the compliance of the Electronic Money Distributor according to the following:
(a) Is prohibited from issuing the electronic money but may distribute Electronic Money on behalf of an EMI into an Electronic Money account or redeem Electronic Money;
(b) Must ensure that it does not contravene any provision of the Outsourcing Rules.
(c) Must only carry out activities for which it is duly licensed in accordance with applicable laws and regulations.
Article 26
(1) Notwithstanding the Payment Service Provider’s responsibilities towards its Agents and Electronic Money Distributors specified in Paragraph (2) below, SAMA may supervise an Agent or Electronic Money Distributor directly or take any enforcement or remedial action in accordance with its powers where it deems it necessary. For such purposes only, Agents and Electronic Money Distributors are considered Payment Service Providers.
(2) A Payment Service Provider that appoints an Agent or an Electronic Money Distributor must comply with the following:
(a) Must take all necessary steps to ensure that the Agent and Electronic Money Distributor are acting in compliance and must be responsible for all acts and omissions of the Agent and Electronic Money Distributor (including the compliance with the obligations to safeguard Safeguarded Funds according to the provisions of Part 7 of the Implementing Regulation;
(b) Must put in place policies, procedures and systems and controls necessary to meet its obligations, including but not limited to the following:
(i) The occupants of Senior Positions at Agent and Electronic Money Distributor are fit and proper to carry out the activities for which they have been appointed (taking into account the Fit and Proper Requirements);
(ii) The powers to oversee activities relating to the provision of Relevant Payment Services that are carried out by an Agent or Electronic Money Distributor;
(iii) Disclosure to Payment Services users of its relationship with the Agent or Electronic Money Distributor;
(iv) Risks associated with the use of Agents and Electronic Money Distributors are addressed and documented;
(v) Personnel of Agents and Electronic Money Distributors receive appropriate training in order to ensure that they carry out their activities competently and in compliance with the Implementing Regulation and other relevant laws, regulations and decisions; and
(vi) Procedures to remove any Agent or Electronic Money Distributor that has contravened a requirement of the Law and the Implementing Regulation and other relevant laws, regulations, decisions and instructions.
(c) Payment service provider must submit an annual report to SAMA regarding the Agents and Electronic Money Distributor, their activities and tasks, their performance evaluation, accidents and problems, and the mechanism for addressing them, according to the form determined by SAMA.
Part 4: Licensee Obligations
Chapter 1: Outsourcing Rules and Auditing and Risk Management
Article 27
1. A Licensee must comply with the Outsourcing Rules in a manner sufficient to ensure compliance with its obligations under Part 4 of the Implementing Regulation.
2. A Licensee must obtain a non-objection letter from SAMA in the event of its intention to enter into a contract with another Person under which that other Person will carry out material functions relating to its provision of Relevant Payment Services or operation of a Payment System.
3. Where a Licensee intends to outsource material functions, the Licensee shall consider the following:
(a) The outsourcing is not undertaken in such a way as to impair or adversely affect:
(i) The quality of the licensee’s internal controls (including over the outsourced services);
(ii) The powers of SAMA to monitor the licensee’s compliance with the Law and the Implementing Regulation and the licensing requirements.
(iii) The relationship and obligations of the Licensee towards its Payment Service Users or Members.
(iv) Compliance with the conditions which the licensee must observe in order to be licensed; and
(v) Adherence to the conditions of the License.
(b) Outsourcing of functions shall not lead to delegating the Licensee's responsibilities to comply with the Implementing Regulation by the Senior Positions;
4. For the purposes of the Paragraph (3) of this Article, functions are considered material if a defect or failure in its performance would materially impair any of the following :
(a) Compliance with the licensee with the Law and the Implementing Regulation or any of the License requirements;
(b) The financial performance of the licensee.
(c) The soundness or business continuity of the Relevant Payment Services or the Payment System.
5. The licensee must notify SAMA of any change in outsourced functions or the Persons to which functions are outsourced.
6. Where a Licensee outsources functions, it remains liable to its Clients and to SAMA.
Article 28
1. A Licensee must have risk management, compliance policies and business continuity, procedures, systems and controls that are comprehensive and proportionate to the nature, scale and complexity of the provided activities and services by the Licensee, and the policies, procedures, systems and controls must take into account the types of activities performed by the Licensee, the nature, scale and complexity of its business model, any operational challenges and the degree of risk associated with its operations.
2. A Licensee must ensure that its risk management and compliance policies, and business continuity, procedures, systems and controls are kept up-to-date and must review them at least once per year, submitting copies when there are any material updates to SAMA. SAMA may request additional information or changes to be made.
3. A licensee’s risk management and compliance systems and controls must include the following:
(a) Effective procedures for identifying, managing, monitoring and reporting any risks to which the entity may be exposed;
(b) Adequate internal control mechanisms, including sound administrative, risk management and accounting procedures;
(c) Appropriate mechanisms for the verification of compliance with all relevant requirements under the Law and the Implementing Regulation, as well as all other relevant applicable laws, regulations, instructions and circulars and decisions.
(d) Policies and procedures to detect and respond to fraud incidents; and
(e) Policies and procedures to inform SAMA and the competent authorities of fraud incidents.
4. Subject to Paragraph (3) above, a Licensee’s risk management and compliance systems and controls must include the following:
(a) The establishment of a risk management function, internal audit function and compliance function, with the heads of such functions being provided with sufficient independence and resources to carry out their duties; and
(b) The establishment of an integrated control framework between the internal audit, risk management, and compliance functions, and external audits.
Article 29
The Licensee must have sufficient and eligible staff that have the appropriate knowledge and experience in order to fulfill the operational needs of the Licensee. The remuneration and incentives of staff must be fair and aligned with the Licensee’s risk management strategy, taking into account the principles of sound governance, non-conflict of interests and the principles of customer protection; and the Licensee must comply with laws, regulations and decisions applicable in the Kingdom in relation to non-Saudi employee percentage.
Article 30
A Licensee must have corporate governance rules, systems and controls that are commensurate with the nature, scale and complexity of its business and structure, designed to address matters that include but are not limited to its organizational structure, independence and separation of duties, roles of the company management and board members and its committees – including the appointment of the managers and members and their duties, remuneration and compensation policies, conflict of interest controls, integrity and transparency controls, compliance with applicable laws, regulations and decisions, confidentiality and protection of company assets. In so doing, the Licensee must meet the applicable standards and principles as promulgated by SAMA and competent authorities in this regard.
Article 31
The Licensee must establish an internal audit department unit reporting directly to the audit committee (or its equivalent) of its board or the company directors. The internal audit department shall be independent in performing its duties, and its employees shall not be assigned any other responsibilities in accordance with the following:
(1) The internal audit unit assesses the internal policies and controls and will ensure the extent to which the Licensee and its employees comply with the applicable laws, regulations and decisions, and Licensee’s policies and procedures, including outsourced functions. The internal audit unit must have unfettered access to information and documents as necessary.
(2) The internal audit unit shall operate according to a comprehensive audit plan approved by the audit committee of its board, which shall include major activities and operations, including those related to risk management and compliance, and must be updated on an annual basis.
(3) The internal audit unit must prepare and submit to the audit committee a written report on its work every three months. This report must include the scope of the audit, all findings and recommendations. It must also include the procedures taken by each department in respect of the findings and recommendations of the previous audit, especially if they have not been settled on time and the reasons for their unsettlement, and any other related observations.
(4) The internal audit unit must prepare and submit to the audit committee of its board a report on all of its audits in each fiscal year, compared with the approved audit plan and stating any gaps or deviations from the audit plan, if any. This report shall be submitted within the first quarter following the end of every fiscal year.
(5) The Licensee shall maintain the working documents and approved audit reports that show in a transparent manner the work carried out, as well as the approved findings and recommendations and what has been accomplished regarding these recommendations.
Article 32
(1) A Licensee must appoint an external auditor (and must receive a non-objection letter from SAMA prior to doing so) to conduct an external audit. The appointed auditor must be subject to rotation on a five-year basis.
(2) The external auditor must be approved by the competent authorities in the Kingdom and must have no conflict of interest in acting for the Licensee.
(3) A Licensee must ensure that its terms of appointment with an auditor require that the auditor, at a minimum:
(a) Carries out, for the year in respect of which the auditor is appointed, an audit of the financial statements or consolidated financial statements of the Licensee prepared in accordance with the financial and accounting standards and practices approved for use in the Kingdom;
(b) Carries out an audit of the transactions in relation to the regulated services (separately from any audit carried out on activities not related to regulated services); and
(c) Submits a report of the audit to SAMA in such form as may be prescribed by SAMA and within such timeframe as SAMA may allow (including separate accounting information in respect of regulated activities) In accordance with the provisions of the Implementing regulation.
4. SAMA may make further requests of the auditor, including but not limited to the following:
(a) To submit any additional information in relation to the audit;
(b) To enlarge or extend the scope of the audit of the Licensee’s business; and
(c) To carry out any other examination that it requests in relation to the audit.
(5) If SAMA is not satisfied with the performance of the auditor, SAMA may direct the Licensee to remove the auditor and appoint another auditor at the Licensee’s expense.
(6) The auditor’s reports prepared in accordance with this Article must be attached to the balance sheet and the profit and loss account, the financial statements or the consolidated financial statements of the Licensee, which must submit copies of these reports to SAMA in such form and time as may be prescribed by SAMA.
(7) A Licensee must ensure that its terms of appointment with an auditor require that, if the auditor believes that any of the following matters have occurred, the auditor must immediately report such matter to SAMA:
(a) There has been a contravention of any provision of the Law and the Implementing Regulation or other applicable laws, regulations, decisions and instructions;
(b) A criminal offense involving fraud or dishonesty has been committed;
(c) Losses have been incurred that have led to the capital requirements set out in the Implementing Regulation not being satisfied;
(d) There is any irregularity that has or may have a material effect on the accounts of the Licensee, including any irregularity that had caused a major disruption to the provision of any type of regulated service to the Clients of the Licensee; and
(e) The auditor is unable to confirm that the assets of the licensee exceed the liabilities of the Licensee or satisfy another test of solvency applicable in the Kingdom.
(8) A report made under Paragraph (7) of this Article must not be considered a breach of any restriction upon the disclosure imposed by any applicable laws, regulations or contractual terms. The auditor and its employees are not liable for any loss arising from the disclosure or any act or omission in consequence of the disclosure, provided that the auditor or its employees disclose in good faith to SAMA the following:
(a) The knowledge or suspicion of any of the matters mentioned in Paragraph (8) of this Article; and
(b) Any information or other matter on which that knowledge or suspicion is based.
(9) Except as may be necessary for compliance with the Implementing Regulation or relevant laws, regulations, or decisions, a Licensee must instruct the external auditor appointed in accordance with this Article not to disclose any information that comes to its knowledge in the course of performing its duties to any Person other than the Licensee or SAMA.
(10) If a Licensee or any of its employees intentionally commits the following (or conspires with any other Person to do any such act), then they shall in contravention of the Implementing Regulation:
(a) Prevent, delay or obstruct the carrying out of an audit
(b) Destroy, conceal or replace any property, records or documents relating to the business of a licensee; or
(c) Sends out of the Kingdom any record, document or asset of any description belonging to or in the possession of or under the control of the Licensee.
Article 33
A Licensee must comply with the Implementing Regulation and decisions related to business continuity management issued by SAMA, taking into account the types of activities performed, as well as the nature, scale and complexity of their business model.
Article 34
A Licensee must comply with the Implementing Regulation and decisions related to cyber security requirements issued by SAMA and other applicable regulations of competent authorities in the Kingdom.
Article 35
A Licensee must comply with the Implementing Regulation, rules, decisions and circulars on data and technology governance requirements in relation to information technology systems issued by SAMA, in addition to any other applicable laws, regulations or relevant decisions issued by competent authorities in the Kingdom and a Licensee must adhere to the relevant approved technical standards of the Payment System of which they are Members or that would otherwise apply to them, and any other technical standards relevant for the execution of Payment Transactions (including the Payment Card Industry – Data Security Standards as may be applicable and amended).
Article 36
(1) The Licensee must comply with the laws, regulations, resolutions and instructions issued in relation to the Anti-Money Laundering, Counter-terrorism Crimes and Financing and the internal policies issued in this regard.
(2) The Licensee must adopt a risk-based approach in developing its Anti-money laundering and counter-terrorist financing internal policies and procedures to ensure that measures used to mitigate the risks of money laundering and terrorist financing are commensurate to the risks identified.
Article 37
(1) A Licensee must comply with the applicable laws in relation to data protection in the Kingdom, as well as with any other regulations, resolutions, instructions and circulars issued by SAMA.
(2) A Licensee must protect Client Data and maintain their confidentiality, including when it is held by a third party or an Agent of the Licensee. The personal information of Clients may be accessed and used by personnel authorized by the Licensee only to comply with regulatory requirement applicable in the Kingdom, including in relation to suspicion of money laundering reporting, fraud and financial crime reporting.
(3) Subject to applicable laws, a Licensee must not disclose Client Data except where the following:
(a) In compliance with SAMA requirements or under the request of other competent authorities from SAMA inside and outside the Kingdom.
(b) The disclosure is made with the prior specified written consent of the Client.
(4) A Licensee must put in place and maintain adequate policies, procedures and controls, as well as employee awareness training, to protect Client data from any information security risks.
(5) A Licensee must put in place data protection controls in accordance with what is issued by SAMA and other competent authorities in the Kingdom in this regard.
Article 38
(1) A Licensee must make and keep records of transactions, data and information relating to compliance with requirements of Part 4 of the Implementing Regulation, in a form where such records would enable SAMA to supervise such compliance effectively.
(2) The records which SAMA requires Licensees to keep and include:
(a) Financial information (including financial statements, bank statements, and Client accounts) and Accounting Records, including (but not limited to): cheques, records of electronic Fund transfers (including as relevant, bank statements), invoices, contracts, general and subsidiary ledgers, journal entries and adjustments to the financial statements that are not reflected in journal entries; and Worksheets and spreadsheets supporting cost allocations, computations, reconciliations and disclosures.
(b) Reports relating to the activities performed by the Licensee, the volume of business and Relevant Payment Services (including the volume and value of Payment Transactions);
(c) Minutes of the board or the company directors and related business decisions;
(d) Information on any security or material operational incidents that are (when viewed in isolation or jointly with other incidents) not immaterial;
(e) Records of Consents given to Payment Transactions;
(f) Records of security logs, including authentication logs;
(g) Details of changes required to be submitted in accordance with Article 121 of the Implementing Regulations.
(h) Reports on risk management (including in relation to incidents of fraud that must be disclosed);
(i) Reports on data protection and privacy measures taken;
(j) Complaints from Payment Service users, including any remedial action taken;
(k) Reports of any errors, delays, refunds or other matters dealt with;
(l) Reports on compliance with the requirements of protecting safeguarded funds ;
(m) Any information related to know-your-customer requirements, Client due diligence and sanctions screening in accordance with the laws, regulations and instructions of Anti-Money Laundering and Counter-Terrorism Crimes and Financing;
(n) Reports on compliance with the Implementing Regulation or other applicable laws, regulations, decisions, instructions and circulars.
(o) Material legal documentation, including employment contracts, auditor appointment contracts, agreements relating to business continuity and outsourcing agreements, as well as corporate governance documentation.
(3) A Licensee must maintain such records and keep them for at least ten years from the date on which the relevant record was created. SAMA, however, may (at its discretion) amend the Licensee’s retention period of records as deemed appropriate.
(4) A Licensee must put in place and maintain policies, procedures, systems and controls that regulate the electronic storage of documents and records, satisfying the following minimum requirements:
(a) Creating and storing records and documents on highly reliable, secure storage media;
(b) Clearly indexing and categorizing records and any related documents in a manner that enables further use or reference;
(c) Providing a reliable and secure system for granting and organizing access privileges for electronic and physical systems, ensuring that there is no unauthorized access to electronically or physically held data;
(d) Creating and maintaining a backup policy providing the utmost level of protection and the ability to retrieve backup copies in case of the loss of the original copy of any kind and testing the backup copies periodically;
(e) Using digital certification and electronic encryption;
(f) Storing the records and related documents in the same format in which it was created or received, without any additions, omissions or modifications;
(g) Logging all actions made in relation to a record; and
(h) Ensuring that personnel with authorization to access electronic and physical records, documents and data maintain their confidentiality during and after the period of their employment or work at the Payment Service Provider.
(5) The Licensee must conduct regular reviews, at least on an annual basis, to ensure compliance with the provisions of this Article.
Chapter 2: Structural Changes
Article 39
(1) Before making any of the changes set out in Paragraph (2) of this Article, a Licensee must obtain a non-objection letter from SAMA and provide reasons for making such changes with details of the proposed date on which each change is suggested to come into effect.
(2) The changes include the following:
(a) The changes to the details of the Licensee, including but not limited to the following:
(i) Legal name (as shown on the public register); and trading name;
(ii) Principal place of business;
(iii) Address of the registered office in the Kingdom;
(iv) Opening and closer of branches.
(v) The contact details of the member of the Senior Positions that is the primary contact for communications with SAMA;
(vi) Its website; and
(vii) Details of any commercial registrations of its subsidiaries -where applicable -.
(b) The changes to the operation, management or financing of the Licensee’s business, including but not limited to:
(i) Any proposed restructuring, reorganization or business expansion, with a detailed explanation of any foreseeable that might result from changes to the Licensee’s risk profile;
(ii) Any action that would result in a material change to the Licensee’s financial resources; and
(iii) Changes to material outsourcing arrangements or material new agreements with service providers for outsourcing;
(c) Changes to the policy documenting the methods adopted for Safeguarded Funds;
(d) Changes to the natural persons making up the Senior Positions of a Licensee or changes affecting the fitness and propriety of any Controller or member of Senior Management;
(e) Changes to policy for setting transaction or other limits required by Article 70 of the Implementing Regulations.
(f) Changes to its commercial activities beyond the scope of the Implementing Regulation;
(g) Any other changes that SAMA specifies.
(3) The Licensee must obtain prior written approval from SAMA in the event that it wishes to go public with its shares or part thereof.
Article 40
(1) A Licensee must keep a register in respect of each of its Controllers and update it within forty days of becoming aware of any changes. Accordingly, Controllers shall provide the Licensee with all necessary information to be included in the register, which includes (as a minimum) the following particulars:
(a) Full name;
(b) Current residential address;
(c) Date and place of birth;
(d) Nationality; and
(e) Copy of current government identity document.
(2) A Licensee shall send to SAMA an annual report identifying its Controllers in the mechanism and format set by SAMA.
(3) A Licensee shall notify SAMA as soon as possible after it becomes aware of any significant changes in the conduct or circumstances of existing Controllers that may impact the fitness and propriety of a Controller or the ability of the Licensee to conduct its business properly.
Article 41
(1) A Licensee that is incorporated in the Kingdom must obtain prior written approval from SAMA in the event that any Person wishes to become a Controller or to increase their level of control.
(2) Upon receiving a request under the above Paragraph of this Article, SAMA may approve or reject the request to add the Controller or increase the level of control or impose any conditions on the Licensee or Controller.
(3) Where SAMA proposes to approve a proposed Controller or an increase in the level of control in the Licensee, it shall do so in writing within ninety calendar days of the receipt of a completed application;
(4) TAn approval, including a conditional approval granted by SAMA pursuant to this Article, is valid for a period of six months from the date of the approval unless an extension is granted by SAMA in writing.
(5) A Person who has been approved by SAMA as a Controller must comply with the relevant conditions of approval. A Licensee shall not enable the Person who has been notified by SAMA as unacceptable to proceed with the proposed acquisition of control of the Licensee.
(6) In the case of the Licensee being a branch of an entity that is incorporated outside the Kingdom, a written notification to SAMA must be submitted by a Controller or a Person proposing to become a Controller of that Licensee or proposing to exceed the level of control.
(7) A Controller who proposes to stop being a Controller or who proposes to decrease their level of control must notify SAMA before taking any action that results to decrease their level of control.
Chapter 3: Licensing Requirements for Payment Service Providers
Article 42
(1) A Payment Service Provider is considered a Micro PI if the following conditions are met:
(a) Carries on one or more Relevant Payment Services, except issuing Electronic Money;
(b) Does not provide Relevant Payment Services cross-border to Persons outside the Kingdom;
(c) Does not exceed the Average Monthly Payment Transaction Value of ten million SAR.
(2) A Payment Service Provider is considered a Major PI in the event that one or more Relevant Payment Services are implemented, except for the issuance of Electronic Money, and the average value of monthly payments exceeds ten million SAR.
Article 43
(1) An EMI is considered a Micro EMI if the following conditions are met:
(a) Ensures that its Total Average Outstanding Electronic Money does not exceed ten million SAR;
(b) Does not exceed an Average Monthly Payment Transaction Value of ten million SAR;
(c) Does not permit any Payment Service User to hold more than twenty thousand SAR of Electronic Money in aggregate across all accounts held by that Payment Service User, subject to Paragraph (3) of this Article;
(d) Does not permit any Payment Service User to execute Payment Transactions of more than twenty thousand SAR per calendar month in aggregate, including Cash-Out Transactions (but excluding those made in the event of the closure of an Electronic Money account), subject to Paragraph (3) of this Article.
(2) An EMI is considered a Major EMI in the event that it exceeds any of the limits stipulated in the above Paragraph of this Article.
(3) A Micro EMI must comply, in the cases prescribed below, with the following:
(a) A Micro EMI that has yet to start issuing Electronic Money, or has been issuing Electronic Money for fewer than twelve calendar months, must ensure that its projected Total Average Outstanding Electronic Money for its initial twelve-month period of operations does not exceed ten million SAR; and
(b) A Micro EMI that has yet to commence the provision of Relevant Payment Services, or has been providing Relevant Payment Services for fewer than twelve calendar months, must ensure that its projected Average Monthly Payment Transaction Value does not exceed ten million SAR.
(4) SAMA may increase one or more of the limits set out in Paragraph (1) of this Article if the Micro EMI submits an application that includes adequate causes and is committed to having sufficient systems and controls to monitor those limits, taking into account the power of SAMA to restrict its approval until additional conditions as deems appropriate are met.
(5) A Major EMI must comply with the following:
(a) Not permit any Payment Service User to hold Electronic Money of more than one hundred thousand SAR in aggregate across all accounts held by that Payment Service User; and
(b) Not permit any Payment Service User to execute Payment Transactions of more than one hundred thousand SAR (per calendar month in aggregate, including Cash-Out Transactions (but excluding those made in the event of the closure of an Electronic Money account).
(6) SAMA may increase one or more of the limits set out in Paragraph (5) of this Article if the Major EMI submits an application that includes adequate causes and is committed to having sufficient systems and controls to monitor those limits, taking into account the power of SAMA to restrict its approval until additional conditions as deems appropriate are met.
Article 44
(1) An Applicant must provide evidence satisfactory to SAMA that it meets the initial capital requirement for licensing as follows:
(a) Provide evidence of possession of at least one million SAR in paid-up equity for a Micro PI License.
(b) Provide evidence of possession of at least three million SAR in paid-up equity for a Major PI License.
(c) Provide evidence of possession of at least two million SAR in paid-up equity for a Micro EMI License.
(d) Provide evidence of possession of at least ten million SAR in paid-up equity for a Major EMI License.
(e) Provide evidence of possession of at least one million SAR in paid-up equity for a Payment Initiation Service License independently or with a Payment Account Information Services License.
(f) Provide evidence of possession of at least five hundred thousand SAR in paid-up equity for a Payment Account Information Services License.
(2) An Applicant for a License to act as a Payment System Operator must comply with such initial capital requirements as determined by SAMA that are commensurate with the projected size, as well as the nature, scale and complexity of the proposed Payment System or Systems proposed to be operated by it.
Article 45
(1) As an on-going capital requirement, Licensees must maintain regulatory capital as set out in this Article.
(2) A Micro PI and Micro EMI must maintain an amount equal to the initial capital requirement stated in Article 44 of the Implementing Regulations.
(3) A Major PI must maintain an amount equal to the higher of:
(a) The initial capital requirement stated in Article 44 of the Implementing Regulations.
(b) 1% of the Major PI’s Average Monthly Payment Transaction Value.
(4) A Major EMI must maintain an amount equal to the higher of:
(a) The initial capital requirement stated in Article 44 of the Implementing Regulations.
(b) 2% of the Total Average Outstanding Electronic Money.
(5) A Payment Service Provider must provide evidence of its compliance with its on-going capital requirements by providing the following:
(a) A certified copy of a license issued by the competent licensing authority in the Kingdom showing its paid-up capital;
(b) Audited financial statements by a certified public accountant in the Kingdom;
(c) Any other method deemed acceptable by SAMA.
(6) A Payment Service Provider must comply with the relevant accounting standards applicable in the Kingdom, as determined by SAMA in this regard.
Article 46
(1) Payment Account Information Services Provider or Payment Initiation Services Provider must hold professional indemnity insurance or a comparable guarantee.
(2) The professional indemnity insurance must cover potential liability to Payment Account Service Providers and Payment Service Users, resulting from - unless there is a specific value indicated by SAMA :
(a) In respect of its Payment Account Information Services, unauthorized or fraudulent access to, or use of, Payment Account information;
(b) In respect of its Payment Initiation Services, Unauthorized Payment Transactions and non-execution or defective or late execution of transactions and associated liability for charges and interest and right of recourse.
Chapter 4: Scope of Application on the Licensees
Article 47
Article 48
(1) A Licensed Bank that provides Relevant Payment Services is exempted from the requirement to apply for a License under the Implementing Regulation.
(2) SAMA shall specify the provisions of the Implementing Regulation that a licensed bank must comply with when providing Relevant Payment Services, in accordance with its nature and in a manner that achieves the objectives of the Law and the Implementing Regulations.
Article 49
(1) Subject to the remainder of this Article, the provider of a Limited Network Service must register with SAMA as a provider of a Limited Network Service in the manner designated by SAMA.
(2) A registered Provider of a Limited Network Service-with SAMA- must notify SAMA immediately if its execution of transactions within the context of a Limited Network Service exceeds (or will likely be expected to exceed) the aggregate value of five million SAR in any period of twelve consecutive calendar months, or the value of two million SAR in any month in that twelve-month period.
(3) The notification to SAMA must include a description of Limited Network Service provider services and its reasons for categorizing the relevant transactions as a Limited Network Service.
(4) Notifications and information provided to SAMA under Paragraph (2) of this Article must be given within such time and in such form as SAMA may direct after the end of the relevant month or period of twelve months.
(5) A Person to which this Article applies may be required by SAMA to apply for a License.
Part 5: Consumer Protection and Financial Inclusion
Chapter 1: Consumer Protection
Article 50
A Payment Service Provider must comply with all consumer protection principles and requirements issued by SAMA.
Article 51
SAMA shall determine the provisions of the Implementing Regulation that a Payment Service Provider may agree with a Payment Service user not to apply when providing services to a consumer who’s a legal person in a commercial or professional context.
Chapter 2: Financial Inclusion
Article 52
(1) Payment Service Providers shall uphold the principles of financial inclusion issued by SAMA when providing Relevant Payment Services.
(2) Payment System Operators shall ensure that their Payment Systems are made available to Members on a fair, open and transparent basis.
(3) Notwithstanding the Law and other applicable laws and in order to achieve the principle of fairness and empowerment, SAMA may require the Operator of a Systemically Important Payment System to enable an applicant to become a Member in relation to that Systemically Important Payment System or require a Direct Member in a Systemically Important Payment System to permit an Applicant with indirect membership.
Part 6: Relevant Payment Services
Chapter 1: Contract Requirements and Information Providing
Article 53
(1) A Payment Service Provider – when providing relevant Payment Services under a Framework Contract- must provide to each of its Payment Service Users services with the Framework Contract before the execution of the Payment Services, or immediately afterward where the service is provided at the Payment Service User’s request through a means of distance communication and it is not possible to provide the information beforehand, and such agreement must (at minimum) include the following information:
(a) The schedule of fees, charges, commissions and currency, including conversion rates and withdrawal charges,
(b) The legal name, registered address and relevant contact details for the Payment Service Provider;
(c) The provisions and procedures for giving consent to the initiation of a Payment Services Order or execution of a Payment Transaction and for the withdrawal of consent;
(d) The means of communication between the Payment Service Provider and the Payment Service User;
(e) How and within what period of time the Payment Service User is to notify the Payment Service Provider of any unauthorized or incorrectly initiated or executed Payment Transactions and the Payment Service Provider’s liability for such Transactions;
(f) Information relating to how terms and conditions can be amended, the duration of the contract and the rights of the parties to terminate a Framework Contract;
(g) The maximum time in which Payment Transactions will be executed; and
(h) Any other necessary information to meet the Consumer Protection Requirements and Principles in accordance with Article 50.
(2) A Payment Service Provider should provide a copy of the Framework Contract to the Payment Service User on request through the term of the contractual relationship.
Article 54
(1) A Payment Service Provider must include in the Framework Contract the right of the Payment Service User to terminate the Framework Contract, without imposing any penalties, within a period of not less than ten working days.
(2) The Payment Service Provider can start the provision of Relevant Payment Services during the cooling-off period, provided the Payment Service User agrees and compliance with all the relevant requirements verification has been completed. Accordingly, the Payment Service User’s right to terminate the Framework Contract during that period shall not be affected.
(3) If the Payment Service User terminates a Framework Contract during the cooling-off period, the Payment Service User will be entitled to a full refund of any previously paid fees that are not yet attributable to a Payment Service provided to them.
Article 55
The Payment Service Provider must notify the Payer -when initiating an individual Payment Transaction under a Framework Contract- of the maximum execution time and the fees and charges payable by the Payer in respect of the Payment Transaction.
Article 56
The Payment Service Provider must provide the Payer with the information of the payment transactions executed under a Framework Contract at least once per month free of charge. Such information shall include the following:
(a) A reference enabling the Payer to identify their Payment Transactions and information relating to the Payee;
(b) The amounts of their Payment Transactions in the currency in which the Payer’s Payment Account is debited or in the currency used for the Payment Services Order;
(c) The amount of any charges for the Payment Transaction and a breakdown of the amounts of such charges, by the Payer;
(d) The exchange rates used in the Payment Transactions by the Payment Service Provider and the amount of the Payment Transaction after that currency conversion; and
(e) The debit value date or the date of receipt of the Payment Services Order.
Article 57
The Payment Service Provider must provide the Payee with the information of the payment transactions executed under a Framework Contract at least once per month free of charge. Such information shall include the following:
(a) A reference enabling the Payee to identify the Payment Transaction and the Payer, and any information transferred with the Payment Transaction;
(b) The amount of the Payment Transaction in the currency in which the Payee’s payment account is credited;
(c) The amount of any charges for the Payment Transaction and a breakdown of the amounts of such charges by the Payee;
(d) The exchange rate used in the Payment Transaction by the Payment Service Provider to the Payee, and the amount of the Payment Transaction before that currency conversion; and
(e) The credit value date. Article 58
(1) A Payment Service User may terminate a Framework Contract at any time unless the parties have agreed on a notice period for termination. Such notice period must not exceed thirty calendar days.
(2) A Payment Service Provider cannot amend the terms of a Framework Contract, including fees and charges, unless the requirements for amending the terms are specified in the Framework Contract.
(3) A Payment Service Provider may change fees that are linked to floating rates, such as exchange rates, without notice to the Payment Service User, provided that this is stipulated in the Framework Contract and based on a reference rate agreed upon and available to the Payment Service User.
(4) A Payment Service Provider must notify its Payment Service Users of any changes to the terms of a Framework Contract at least thirty days before making such changes and give Payment Service Users the right to terminate the Framework Contract during this notice period at no cost unless a termination fee is agreed upon in the Framework Contract.
Article 59
The Payment Service Provider must, immediately after receipt of the Payment Services Order under the One-off Payment Contract, provide to the Payer the following information:
(a) A reference enabling the Payer to identify the Payment Transaction and information relating to the Payee;
(b) The amount of the Payment Transaction in the currency used in the Payment Services Order;
(c) A breakdown of the charges payable by the Payment Service User for the service;
(d) The actual rate used in the Payment Transaction- where an exchange rate is used in the Payment Transaction -and the amount of the Payment Transaction after that currency conversion; and
(e) The date on which the Payment Services Order was received.
Article 60
The Payment Service Provider must, upon providing the relevant Payment Services under the One-off Payment Contract, provide the Payment Services User with the following information:
(a) The information or Unique Identifier (as the method of expressing Consent) that has to be provided by the Payment Service User in order for a Payment Services Order to be properly initiated or executed;
(b) The maximum time in which the Payment Service will be executed;
(c) A breakdown of the fees payable by the Payment Service User for the service; and
(d) The actual or reference exchange rate that will be used in the Payment Transaction.
Article 61
The Payment Service Provider must, immediately after the execution of the Payment Transaction under the One-off Payment Contract, provide the Payee with the following information:
(a) A reference enabling the Payee to identify the Payment Transaction and the Payer and any information transferred with the Payment Transaction;
(b) The amount of the Payment Transaction in the currency in which the Funds are at the Payee’s disposal;
(c) A breakdown of any fees for the Payment Transaction payable by the Payee; and
(d) The exchange rate used in the Payment Transaction by the Payee’s Payment Service Provider, and the amount of the Payment Transaction before that currency conversion; and
(e) The credit value date.
Article 62
Notwithstanding any provisions in this Part, any information provided by the Payment Service Provider to the Payment Service User must take into account the following:
(a) Provide the information in an easily accessible manner, whether that may include the use of digital channels, emails or SMS or any other durable medium;
(b) Provide the information in a written form or another durable form;
(c) Provide the information in easily understandable language and in a clear and comprehensible form; and
(d) Provide the information in Arabic or in any other language agreed upon by the parties.
(e) Any additional methods The Framework Contract may prescribe whereby information is provided.
Article 63
(1) A Payment Service Provider may not charge for providing information that is required to be provided under the provision of this Part.
(2) The Payment Service Provider and the Payment Service User may agree on fees for any information which is provided at the request of the Payment Service User, provided that any fees charged correspond to the actual costs of the payment service provider, where such information is additional to the information required in accordance with the provisions of this Part, or to be provided more frequently than is specified or transmitted by means of communication other than those specified in the Framework Contract.
Article 64
A Payment Service Provider must ensure that Payment Transactions are executed in the currency agreed upon between the parties. Where a currency conversion service is offered at an automatic teller machine or at the point of sale or by the Payee, all fees must be disclosed to the payer as well as the exchange rate to be used for converting the Payment Transaction before executing the Payment Transactions.
Article 65
(1) The Payment Service Provider must inform the Payment Service User of any required fees for the use of a particular Payment Instrument before the initiation of the Payment Transaction.
(2) A Payment Service Provider must not oblige a Payment Service User to pay any fees if he was not informed of the full amount of the fees in accordance with the provisions of the relevant Article.
Article 66
(1) If a Payment Service Provider is not able to execute a Payment Services Order in a timely fashion, it must inform the Payment Service User immediately of the time by which it expects to have executed such an order.
(2) In the event of any planned down-time of a Payment Service, a Payment Service Provider must inform each of its Payment Service Users at least five business days in advance.
Article 67
A Payment Service Provider is obliged to ensure that the contracts are balanced in the rights and obligations and are not unfair to the Payment Service User. Such obligation shall not affect the validity of any other provisions in the contract.
Article 68
(1) A Payment Service Provider must ensure that any advertising or promotional or marketing material for its Relevant Payment Services is clear and not misleading and must also be made available in the Arabic language. All text and numbers stated in such material should be clearly visible and understandable, with a legible font size used for all text, including footnotes.
(2) A Payment Service Provider must take into account the following when presenting any advertising or promotional or marketing material relating to a Relevant Payment Service:
(a) Promotional, Advertising, or marketing materials must include the name of the relevant Payment Service Provider;
(b) Promotional, Advertising, or marketing materials must be accurate and not emphasize the benefits of a particular product/service without also presenting any relevant risks;
(c) Comparative advertising must compare the relevant products or services of other Payment Service providers on a fair and equivalent basis;
(d) Information on fees, costs, or savings should be accurate and identical;
(e) Information on fees, costs or savings should be clear and not misleading;
(3) A Payment Service Provider must ensure that advertising and promotional or marketing material is designed and presented so that any Payment Service User can reasonably be expected to understand that it is an advertisement and that the availability of the product or service may require the Payment Service User to meet certain criteria.
(4) A Payment Service Provider must maintain a formal compliance process for reviewing and approving advertising and promotional or marketing material.
(5) A Payment Service Provider must not send promotional material to any natural person under the age of eighteen years where such material presents an unsuitable risk to such Payment Service Users.
(6) SAMA may order the withdrawal of any advertising or promotional or marketing materials by the Payment Services that do not meet the minimum requirement of this Implementing Regulation or do not comply with the provisions of the Law.
Chapter 2: Issuance and Redemption of Electronic Money
Article 69
(1) A contract for services provided by an EMI must be consistent with the requirements for EMIs as set forth in this Article.
(2) An EMI must issue Electronic Money at par value on receipt of Funds.
(3) An EMI may not:
(a) Grant interest related to the length of time the Electronic Money is held by the EMI;
(b) Provide any other benefit related to the length of time during which the Electronic Money is held by the EMI;
(c) Offer an overdraft facility to a Payment Service User (but an EMI may partner with a Licensed Bank or other appropriately licensed entity, approved by SAMA, for such Licensed Bank or approved entity to offer an overdraft facility, provided the EMI has obtained the prior approval of SAMA; or
(d) Use any Safeguarded Funds for any other purposes than in accordance with the Implementing Regulation, including lending.
(4) At the request of the Payment Service User, an EMI must redeem the Funds’ value of the Electronic Money held at any time and at par value.
(5) An EMI must ensure that the contract between it and a Payment Service User prominently and clearly states the conditions of redemption, including any fees relating to redemption.
(6) Any fees for redemption must be proportionate and commensurate with the actual costs incurred by the EMI.
(7) Upon termination of the contract between a Payment Service User and an EMI, the EMI must redeem the total remaining Funds’ value of the Electronic Money held by the Payment Service User. In cases where the redemption fees exceed the remaining balance of Electronic Money, such that the proceeds of any redemption would be nil, the EMI may cease to safeguard the relevant Safeguarded Funds.
(8) An EMI must show the holder of the Electronic Money how the balance has been used up by any redemption fee.
Chapter 3: Provision of Relevant Payment Services
Article 70
(1) A Payment Service Provider must have a policy for setting risk-based Payment Service User transaction limits and limits on its Total Outstanding Electronic Money.
(2) A Payment Service Provider shall, prior to making any changes to the policy referred to in the Paragraph above, obtain a non-objection letter from SAMA in accordance with Article 39 of the Regulations of the Implementing Regulation and, if required by SAMA, provide details of the updated policy.
(3) SAMA may direct a Payment Service Provider to set Payment Service User transaction limits at levels specified by SAMA, and that’s in case -for example- where specific regulatory criteria related to risk management and governance are not complied with to the satisfaction of SAMA.
Article 71
(1) A Payment Service Provider issuing a Payment Instrument must:
(a) Ensure that the Personalized Security Credentials are not accessible to Persons other than the Payment Service User to whom the Payment Instrument has been issued;
(b) Ensure that appropriate means are available at all times to enable the Payment Service User to notify the Payment Service Provider of the loss, theft, or unauthorized use of a Payment instrument or exploitation and prevent any use of the Payment Instrument once notification has been made.
(2) A Payment Service User should take all reasonable steps to keep safe Personalized Security Credentials relating to a Payment Instrument or a Payment Account Information Service and notify the Payment Service Provider in the agreed manner in The Framework Contract, and without undue delay on becoming aware of the loss, theft, exploitation or unauthorized use of the Payment Instrument.
Article 72
(1) A Payment Service Provider must not execute a Payment Transaction unless it has received a Payment Services Order.
(2) If received within the business hours specified by the Payment Service Provider, a Payment Services Order is considered received on that business day. If a Payment Services Order is not received within such business hours, it is considered received at the beginning of the next business day.
(3) The execution of the Payment Services Order may be scheduled to be executed at a future date or time agreed between the Payer and the Payment Service Provider (or on the date on which the Payer has put Funds at the disposal of the Payment Service Provider).
Article 73
(1) A Payment Service Provider may refuse a Payment Services Order or suspend a Payment Account only if:
(a) The conditions for accepting or executing Payment Services Orders that set out in a contract between the Payment Service User and the Payment Service Provider have not been met;
(b) The Payment Service Provider has grounds to suspect that the Payment Transaction to which the Payment Services Order relates is fraudulent or poses a money-laundering or terrorism-financing risk; or
(c) The Payment Transaction to which the Payment Services Order relates would breach any of the Payment Service Provider’s obligations under applicable Laws, regulations and decisions.
(2) When a Payment Services Order is refused, the Payment Service Provider must notify the Payment Service User in a timely manner of the refusal and provide objectively justifiable reasons for the refusal, as well as details on how to rectify the problem, and the refused payment service must resume once the grounds for refusal have been resolved or terminated.
(3) A Payment Service User may not be charged for a refused transaction, except where such charge is stipulated in its contract with the Payment Service Provider.
Article 74
(1) A Payment Service User may not revoke a Payment Services Order after it has been received by the Payer’s Payment Service Provider.
(2) The Payer may not revoke the Payment Services Order after giving Consent to the Payment Initiation Service Provider to initiate the Payment Transaction or giving Consent to execute the Payment Transaction to the Payee.
(3) In the case of a Direct Debit, the Payer may not revoke the Payment Services Order after the end of the business day preceding the day agreed upon for debiting the Funds.
(4) The Payment Service User may not revoke a Payment Services Order after the end of the business day preceding the agreed day to execute the order.
(5) The Payment Services Order cannot be revoked after the expiry of the revocation period mentioned in this Article unless it’s agreed between the Payment Service User and the Payment Service Provider to revoke the order; or in the case of a Payment Transaction initiated by or through the Payee, including in the case of a Direct Debit, also agreed with the Payee.
(6) A Payment Service User may not be charged for a revoked Payment Services Order unless the charge is stipulated in its contract with the relevant Payment Service Provider.
Article 75
(1) The Payment Service Provider of the Payer and the Payment Service Provider of the Payee must ensure that the full amount of the Payment Transaction is transferred to the Payee In accordance with the provisions of this Article.
(2) The Payment Service Provider must clearly communicate to the Payer any fees or charges, and it must be shown in the transaction history, taking into account the service agreements signed with the payer.
(3) Where the Payee and its Payment Service Provider have agreed upon a fee or charge, the amount may be deducted from the amount transferred before crediting it to the Payee’s Payment Account, provided that the fee or charge has been clearly communicated to the Payee, and shown in the transaction history provided.
(4) In the case of a Payment Transaction initiated by the Payer, the Payer’s Payment Service Provider must ensure that the Payee receives the full amount of the Payment Transaction.
(5) In the case of a Payment Transaction initiated by the Payee, the Payee’s Payment Service Provider must ensure that the Payee receives the full amount of the Payment Transaction.
Article 76
(1) The Payer’s Payment Service Provider must ensure that the amount of the Payment Transaction is credited to the Payee’s Payment Service Provider’s account in the event of executing a payment transaction in SAR or parts thereof by the end of the business day following the time of receipt of the Payment Services Order. The Payment Service User, however, may agree with the Payment Service Provider not to apply the provisions of this paragraph.
(2) Where a payment transaction is not in SAR or parts thereof but is to be wholly executed within the Kingdom, the Payer’s Payment Service Provider must ensure that the amount of the Payment Transaction is credited to the Payee’s Payment Service Provider’s account by the end of the third business day following the time of receipt of the Payment Services Order (or such other day as agreed with the Payment Service User).
(3) The Payee’s Payment Service Provider must transmit a Payment Services Order initiated by or through the Payee to the Payer’s Payment Service Provider within the time limits agreed between the Payee and its Payment Service Provider, enabling settlement in respect of a Direct Debit to occur on the agreed due date.
Article 77
The Payment Service Provider may return the received Funds to the Payer’s Payment Service Provider when the Payee does not have a Payment Account with that Payment Service Provider, with the explanation that the Payee does not hold an account with the Payment Service Provider.
Article 78
(1) A Payee’s Payment Service Provider shall apply a credit date to the Payee’s Payment Account no later than the business day on which the amount of the Payment Transaction is credited to the account of the Payment Service Provider.
(2) A Payee’s Payment Service Provider must ensure that the amount of the Payment Transaction is put at the Payee’s disposal immediately after that amount has been credited to that Payment Service Provider’s account unless additional time is required to execute a currency conversion, which shall be executed as soon as practically possible.
(3) The debit value date for the Payer’s Payment Account must be no earlier than the time at which the amount of the Payment Transaction is debited to that Payer’s Payment Account.
Article 79
(1) A Payment Transaction is considered to be authorized by the Payer when the Payer has given Consent to its execution in accordance with the approach agreed with their Payment Service Provider.
(2) Where a Payer claims not to have authorized an executed Payment Transaction or that a Payment Transaction has not been properly executed by a Payment Service Provider, it is for the Payment Service Provider to prove that the Payment Transaction was authenticated, accurately recorded and not deficient.
(3) If a Payment Service Provider considers that a Payer has acted fraudulently, it is for the Payment Service Provider to prove that and provide supporting evidence during a dispute settlement process.
(4) If a Payment Transaction was initiated through a Payment Initiation Service Provider, it is for the Payment Initiation Service Provider to prove that, within its sphere of competence, the Payment Transaction was authenticated, accurately recorded and not subject to a deficiency arising from the Payment Initiation Service.
Article 80
(1) The Payer’s Payment Service Provider shall be liable to the Payer for the correct execution of a Payment Transaction unless it can prove in a timely manner to the Payer and to the Payee’s Payment Service Provider that the Payment Transaction has been correctly executed to the Payee’s Payment Service Provider.
(2) Where the Payer’s Payment Service Provider is liable under the Paragraph above, it must promptly refund the amount of the non-executed or defective Payment Transaction to the Payer and restore the debited Payment Account to the position it would have been had the defective Payment Transaction not occurred.
(3) Where a Payment Transaction is executed late, on request from the Payer’s Payment Service Provider, the Payee’s Payment Service Provider should adjust the credit date of the Payment Transaction to the date as if the Payment Transaction had been executed properly.
Article 81
(1) The Payee’s Payment Service Provider is liable to the Payee for the correct transmission of the Payment Services Order initiated by the Payee to the Payer’s Payment Service Provider and where it does so incorrectly, it shall immediately re-transmit the relevant Payment Services Order correctly.
(2) The Payee’s Payment Service Provider must ensure that the Payment Transaction is handled, given the fact that the value of the payments process was deposited into the payment account of the Payee on the date of the transaction properly and in a timely manner.
(3) The Payer’s Payment Service Provider is liable to the Payer if the Payee’s Payment Service Provider proves to the Payee and the Payer’s Payment Service Provider that it is not liable in respect of a non-executed or defectively executed Payment Transaction.
(4) If the Payer’s Payment Service Provider proves that the Payee’s Payment Service Provider has received the amount of the Payment Transaction, it is for the Payee’s Payment Service Provider to value date the amount on the Payee’s Payment Account as if the transaction had been executed correctly.
Article 82
(1) This Article applies where a Payment Services Order is initiated by the Payer through a Payment Initiation Service.
(2) The Payment Account Service Provider must refund the Payer the amount of the non-executed or defective Payment Transaction and bring the debited Payment Account back to the position in which it would be if there were no defective Payment Transaction.
(3) When requested by the Payment Account Service Provider, the Payment Initiation Service Provider must promptly compensate the Payment Account Service Provider for any loss forthwith as a result of the refund to the Payer. This is if the Payment Initiation Service Provider cannot prove that:
(a) The Payment Services Order was received by the Payer’s Payment Account Service Provider in accordance with Article 72 of the Implementing Regulations.
(b) Within the Payment Initiation Service Provider’s sphere of influence, the Payment Transaction was authenticated, properly recorded and not affected by a deficiency connected to the non-execution, defective or late execution of the Payment Transaction. Article 83
(1) If the Payment Service Provider discovers or is made aware of a systemic error in the execution of Payment Transactions, it must investigate and refund all Payment Service Users who are affected by that systemic error within thirty calendar days of discovering the systemic error or being aware of it.
(2) The Payment Service Provider should, as soon as practicable, communicate with and notify SAMA about the systemic error through the appropriate channels.
(3) The Payment Service Provider should, as soon as practicable, issue a communication to all affected Payment Service Users, advising them of the systemic error and the steps taken to correct it, including the amount of any refund to the Payment Service Users’ accounts.
(4) If the Payment Service Provider fails to correct the systemic error within the period prescribed in Paragraph (1) of this Article, it must notify SAMA of the reason for that delay. Article 84
A Payment Service Provider is liable to the Payment Service User for any charges incurred due to the non-execution or defective or late execution of the Payment Transaction in accordance with the provisions of the Implementing Regulation.
Article 85
Where the liability of a Payment Service Provider under Part 6 of the Regulations of the Implementing Regulation is attributable to another Payment Service Provider, including in respect of Payment Transactions that are unauthorized, defective, non-executed or late, or where liability is the result of the other Payment Service Provider’s failure to use the Payment Service User’s Authentication as measures required by applicable laws, regulations, instructions and circulars, The assigned payments service provider must compensate the assigning Payment Service Provider for any loss incurred or sums paid.
Article 86
(1) A Payment Service Provider is not liable for errors made by a Payment Service User if that Payment Service User initiated a Payment Transaction and provided the incorrect Payee-related Unique Identifier Number or provided incorrect bank details.
(2) The Payment Service Provider must make reasonable efforts to recover the Funds from the incorrect recipient of the Funds and the recipient’s Payment Service Provider. The Payment Service Provider may charge the Payment Service User a fee for trying to recover the Funds in accordance with the contract between a Payer and a Payment Service Provider. The Payee’s Payment Service Provider must provide co-operation to the Payer’s Payment Service Provider in recovering the Funds as much as possible.
(3) If the Payer’s Payment Service Provider is unsuccessful in recovering the Funds, it has to provide - based on a written request from the payer- to the Payer all available relevant information in order for the Payer to claim recovery of the Funds.
(4) SAMA may direct the Payment Service Provider to take specific actions according to the controls it sets, including refunding the Payer. Article 87
(1) Subject to Article 90 of the Implementing Regulation, a Payment Service Provider is liable for Unauthorized Payment Transactions.
(2) Where a Payment Service User raises a Complaint in relation to an allegedly fraudulent Payment Transaction, the Payment Service Provider must handle such Complaint in accordance with Article 129 of the Implementing Regulation.
(3) If such a Complaint is submitted to SAMA, then the Payment Service Provider must provide evidence that the conditions stated in Paragraph (1) of Article 75 of the Implementing Regulation are met and present such evidence to SAMA. SAMA will then seek to decide if such conditions are met.
Article 88
(1) Notwithstanding the provisions of Paragraphs (2), (3) and (4) of this Article, a Payment Service Provider which is liable under Article 87 of the Implementing Regulations may require that the Payer is liable up to a maximum of one hundred fifty SAR for any losses incurred in respect of Unauthorized Payment Transactions arising from the use of a lost or stolen or misappropriated Payment Instrument.
(2) The provisions of the previous Paragraph do not apply if:
(a) The loss, theft or exploitation of the Payment Instrument was not detectable by the Payer prior to the payment, except where the Payer acted fraudulently; or
(b) The loss was caused by acts or omissions of an employee, Agent or branch of a Payment Service Provider or of an entity that carried out activities on behalf of the Payment Service Provider.
(3) The Payer is liable for all losses incurred in respect of an Unauthorized Payment Transaction where the Payer:
(a) Has acted fraudulently; or
(b) Has, with intent or gross negligence, failed to comply with its obligations to keep safe its Payment Instrument and its Personalized Security Credentials.
4. Except where the Payer has acted fraudulently, the Payer is not liable for any losses incurred in respect of an Unauthorized Payment Transaction, where:
(a) The unauthorized Payment Transaction arises after the Payer has notified the Payment Service Provider of the loss, theft, exploitation or unauthorized use of its Payment Instrument;
(b) Where the Payment Service Provider has failed at any time to provide the Payer with the appropriate means for notification; or
(c) Where the Payment Service Provider is required by the provisions of the Implementing Regulation -or any other SAMA’s regulations, rules, circulars, or decisions relevant to Authentication requirements - to apply certain Authentication measures that address any potential risks, but the Payer’s Payment Service Provider does not require such strong Authentication.
(5) Where the Implementing Regulation or other SAMA’s regulations, rules, circulars, controls or instructions require the application of certain Authentication measures that address any potential risks, but the Payee or the Payee’s Payment Service Provider does not accept such Authentication, the Payee or the Payee’s Payment Service Provider, or both (as the case may be), must compensate the Payer’s Payment Service Provider for the losses incurred or sums paid as a result of complying with Paragraph (1) of Article 87 of the Implementing Regulation. Article 89
(1) Notwithstanding the provision of Paragraph (8) of this Article and Paragraph (1) of Article 79 of the Implementing Regulation, where an executed Payment Transaction was not authorized correctly, the Payment Service Provider must refund the amount of the Unauthorized Payment Transaction to the Payer and, where applicable, restore the debited Payment Account to the state it would have been in had the Unauthorized Payment Transaction not taken place.
(2) The Payment Service Provider must provide a refund to the Payer by crediting a Payment Account under Paragraph (1) of this Article as soon as practicable and in any event no later than the end of the business day following the day on which it becomes aware of the unauthorized transaction.
(3) Paragraphs (1), (2) and (6) of this Article do not apply where the Payment Service Provider has reasonable grounds to suspect fraudulent behavior by the Payment Service User and notifies SAMA (and any other competent authority in the Kingdom) of those grounds in writing.
(4) When providing a refund through crediting a Payment Account under Paragraph (2) of this Article, a Payment Service Provider must ensure that the date on which the amount of a Payment Transaction is credited to a& Payee’s Payment Account is no later than the date on which the amount of the Unauthorized Payment Transaction was debited.
(5) Where an Unauthorized Payment Transaction was initiated through a Payment Initiation Service Provider, the Payment Account Service Provider must comply with Paragraph (1) of this Article, and if the Payment Initiation Service Provider is liable for the Unauthorized Payment Transaction (in relation to which see Paragraph (4) of Article 79 of the Implementing Regulation), the Payment Initiation Service Provider must, on the request of the Payment Account Service Provider, compensate the Payment Account Service Provider immediately for the losses incurred or sums paid including the amount of the Unauthorized Payment Transaction.
(6) Notwithstanding the provisions in Paragraphs (1),(2),(3),(4),and (5) of this Article, the Payment Service Provider must notify the Payment Service User of the conclusion of an investigation and must pay any refund or monetary compensation due to a Payment Service User within seven days of from the completion of any investigation of an error or a complaint by the Payment Service Provider, or on receipt of an instruction from any competent authority in the Kingdom. In case of a delay in payment of any refund or compensation, the Payment Service Provider should notify the Payment Service User of the expected time for crediting the amount due, along with a justification for the delay.
(7) A Payment Service Provider must hold records on the processing of refunds or monetary compensation, including those referred to under Article 87 and Article 88 of the Implementing Regulation, response timelines and reasons for delays, for a period of ten years from the date of the conclusion of an investigation. Additionally, a Payment Service Provider must submit such records to SAMA on an on-going basis, as specified by SAMA, and must record such refunds against the original transaction with the original transaction sequence number.
(8) A Payment Service User is entitled to a refund under this Article if it notifies the Payment Service Provider without undue delay, and in any event no later than six months after the debit date, upon becoming aware of any Unauthorized Payment Transaction, except where the Payment Service Provider has failed to provide the information concerning a Payment Transaction required by Part 6. Article 90
(1) Notwithstanding the provisions in Paragraph (1) of Article 91 of the Implementing Regulation, the Payer is entitled to a refund from the Payee’s Payment Service Provider of the full amount of any authorized Payment Transaction initiated by or through the Payee if the following conditions are met:
(a) The Payment Transaction authorization did not specify the exact amount of the Payment Transaction when Consent for the authorization was given; and
(b) The amount of the Payment Transaction exceeds the amount that is expected to be paid by the Payer, taking into account the Payer’s previous spending pattern and the conditions of the Framework Contract and the circumstances of the case.
(2) When providing a refund through crediting a Payment Account of the Payer under Paragraph (1) of this Article, a Payment Service Provider must ensure that the credit value date is no later than the date on which the amount of the Unauthorized Payment Transaction was debited.
(3) For the purposes of Paragraph (1) (b) of this Article, a Payer cannot rely on currency exchange fluctuations where the reference exchange rate provided under the contract was applied.
(4) The payer and the payment service provider may agree in the framework contract that the right to a refund does not apply where:
(a) The Payer has given Consent directly to the Payment Service Provider for the Payment Transaction to be executed; and
(b) Information on the Payment Transaction was provided in an agreed manner to the Payer for at least four weeks before the due date by the Payment Service Provider or by the Payee
Article 91
(1) The Payer must request a refund from the Payee’s Payment Service Provider for any Payment Transaction Authorized by or through the Payee within eight weeks from the date on which the Funds were debited.
(2) The Payment Service Provider may require the Payer to provide such information as is reasonably necessary to prove that the conditions in Paragraph (1) of Article 90 of the Implementing Regulation are satisfied. The Payment Service Provider may not refuse the refund until such information is received from the Payer.
(3) The Payment Service Provider of the Payee must provide any refund or justification for refusing a refund within ten business days of receiving a request for a refund or within 10 business days of receiving any further information requested and indicating the bodies to which the Payer may refer the matter if the Payer does not accept the justification provided.
Article 92
a Payment Service Provider - on a request from their Payment Service User must make efforts to trace any non-executed or defectively executed Payment Transaction and notify the Client of the outcome free of charge where the Payment Service Provider is liable for the non-executed or defectively executed Payment Transaction, or at a reasonable charge where a Payment Service Provider is not liable under the Implementing Regulation.
Part 7: Safeguarding Safeguarded Funds
Article 93
(1) A Payment Service Provider must safeguard Safeguarded Funds immediately upon receipt. The Payment Service Provider must comply with the following:
(a) The placing of Safeguarded Funds in a separate account with a Licensed Bank, or any other method determined or deemed acceptable by SAMA; or
(b) To be always in accordance with further applicable SAMA regulations, rules, instructions, controls, or circulars relevant to Safeguarded Funds.
(2) Notwithstanding the generality of Paragraph (1) of this Article, where the Payment Service Provider continues to hold the Safeguarded Funds at the end of the business day following the day on which they were received, it must:
(a) Place them in a separate account maintained by the Payment Service Provider with a Licensed Bank, that shall be named “Deposit and Safeguard of Funds of a Payment Service Provider’s Clients“ and include the name of the Payment Service Provider; or
(b) Obtaining SAMA approval before investing the Safeguarded Funds, provided that the investment must be in such secure, liquid assets, and place those assets in a separate account with an authorized custodian.
(3) The Payment Service Provider must verify that an agreement for an account in which Safeguarded Funds are placed with the Licensed Bank includes all the obligations stipulated in the Implementing Regulation or any instructions, controls or circulars issued by SAMA in this regard, provided that they include - as a minimum - the following:
(a) Be governed by terms of business that clearly set out the roles and responsibilities of the Licensed Bank and the Payment Service Provider in accordance with relevant laws, regulations and rules.
(b) Be designated as an account held for the purpose of safeguarding Safeguarded Funds and may not serve any other purpose and may not be linked to any financial obligation of that Payment Service Provider or of any other Person;
(c) Be used only for holding Safeguarded Funds and not hold any funds received by way of the payment of fees or for use in the payment of operational expenses or the carrying on of any other Payment Service;
(d) Be an account that no Person other than that Payment Service Provider may have any right to or interest in;
(e) Be subject to a daily reconciliation mechanism with the relevant Payment Transactions and outstanding Electronic Money in accordance with the policies, procedures and controls of the Payment Service Provider;
(f) Not be opened, closed, replaced or merged with another account before obtaining a non-objection letter from SAMA; and
(g) Be compliant, at all times, with the Implementing Regulation and such other requirements as SAMA may specify.
(4) A Payment Service Provider must obtain SAMA non-objection before the implementation of such policies and procedures relevant to Safeguarded Funds. SAMA may require changes to be made to such policies and procedures.
(5) The policies, procedures and controls applicable to Safeguarded Funds must include relevant controls that govern access to Safeguarded Funds and make appropriate provisions for the seniority of employees that may exercise access to Safeguarded Funds.
(6) A Payment Service Provider must obtain SAMA's approval before adopting additional safeguarding methods. Article 94
(1) A Payment Service Provider must ensure that Safeguarded Funds are protected for the duration of the retention of these Safeguarded Funds in accordance with the provisions of the Implementing Regulation, whether when received directly or through an agent or Electronic Money Distributor.
(2) No Person other than the Payment Service Provider may have any interest in or right over the Safeguarded Funds;
(3) Notwithstanding other applicable laws, the Payment Service Provider must return Safeguarded Funds to the relevant Payment Service Users in the event of bankruptcy, winding up or other liquidation of the Payment Service Provider.
Part 8: Requirements for Providing Payment Initiation Service and Payment Account Information Service
Article 95
(1) Payment Service Providers must provide access to their Relevant Payment Services in accordance with the decision and instructions related to open banking, cyber security and data privacy issued by SAMA and other competent authorities in the Kingdom.
(2) Payment Service Providers must observe high standards in relation to the secure storage, sharing and transmission of client data when engaging in Payment Account Information Services or Payment Initiation Services.
Article 96
(1) A Payment Account Service Provider must grant a Payment Initiation Service Provider and a Payment Account Information Service Provider and each other Payment Service Provider access to Payment Accounts provided that the Payment Services User Consent is received, taking into account providing the access on an objective, non-discriminatory and proportionate basis and in such a way as to allow the Payment Service Provider to deliver Relevant Payment Services in an unhindered and efficient manner.
(2) The payer's payments account service provider must:
(a) Communicate with and transfer information securely to a Payment Initiation Service Provider and a Payment Account Information Service Provider in accordance with the regulations, rules, circulars, controls and instructions related to cyber security issued by SAMA and competent authorities in the Kingdom;
(b) Put in place the necessary policies and procedures to ensure that Payment Services Orders and other requests by the Payer are Authenticated and authorized correctly;
(c) Ensure that any fees applied have been agreed to by the Payer and that such fees are consistent with any regulations, rules, circulars, controls and instructions issued by SAMA;
(d) Immediately after receipt of the Payment Services Order, provide to the Payment Initiation Service Provider all information on the execution of the Payment Transaction and all accessible information.
(e) Treat a Payment Services Order from the Payment Initiation Service Provider in the same ways as a Payment Services Order received directly from the Payer;
(f) Respond to a Payment Services Order from the Payment Initiation Service Provider in a timely manner;
(g) Treat the data request from the Payment Account Information Service Provider in the same way as a data request received directly from the Payer;
(h) Respond to data requests from the Payment Account Information Service Provider in a timely manner;
(i) Not require the Payment Initiation Service Provider or Payment Account Information Service Provider to enter into a commercial contract before complying with the preceding requirements in this Article.
(3) A Payment Account Service Provider may deny the Payment Transactions initiation or the access to a Payment Account by a Payment Account Information Service Provider or a Payment Initiation Service Provider based on reasonably justified and duly evidenced reasons relating to unauthorized or fraudulent access. In such cases, the Payment Account Service Provider must:
(a) Inform the Payment Account Information Service Provider or Payment Initiation Service Provider of the incident and the reason for denial of access;
(b) Notify SAMA immediately regarding the incident in such form that SAMA may direct and include the details of the case and the reasons for taking a deny action; and
(c) Restore account access to the Payment Account Information Service Provider or Payment Initiation Service Provider once the denial of access is no longer justified.
Article 97
(1) A Payment Initiation Service Provider must obtain consent from the relevant Payment Service User before providing its service.
(2) A Payment Initiation Service Provider shall not hold, at any time, a Payment Service User’s Funds.
(3) A Payment Initiation Service Provider shall not modify the amount, the Payee or any other feature of a Payment Transaction that it initiates.
(4) A Payment Initiation Service Provider must keep all Payment Service Users’ security credentials, including data related to Personalized Security Credentials, secure and inaccessible to other parties.
(5) A Payment Initiation Service Provider shall not use, access or store any of the Payment Service Users’ data except as necessary to provide the service (and in accordance with its License).
(6) A Payment Initiation Service Provider shall not provide any other information about the Payment Service User except to the relevant Payee, and with explicit consent from the Payment Service User.
(7) A Payment Initiation Service Provider may not request from the Payment Service User any data other than that necessary to provide the Payment Initiation Service according to what is required by the nature of this service and what is determined by SAMA.
(8) A Payment Initiation Service Provider must securely communicate with the Payment Account Service Provider and identify itself for each communication session.
Article 98
(1) Before initiating the payment, the Payment Initiation Service Provider must provide clear and comprehensive information to the Payer in the agreed language. Such information must include -as a minimum- the following:
(a) The name of the Payment Initiation Service Provider;
(b) The address of the head office of the Payment Initiation Service Provider;
(c) Where applicable, the address of the head office of the Agent or branch offices through which the Payment Initiation Service Provider delivers services in the Kingdom;
(d) Contact details relevant to communication with the Payment Initiation Service Provider, including an electronic mail address; and
(e) The contact details of SAMA.
(2) The Payment Initiation Service Provider must immediately after the initiation of the Payment Services Order provide to the Payer and the Payee, where applicable, the following:
(a) Confirmation of the successful initiation of the Payment Services Order with the Payer’s Payment Account Service Provider;
(b) A reference enabling the Payer and the Payee to identify the Payment Transaction and the Payee to identify the Payer, and any information transferred with the Payment Services Order;
(c) The amount of the payment transaction.
(d) Where applicable, the amount of any charges payable to the Payment Initiation Service Provider.
(e) Provide a Payment Transaction reference to the Payer’s Payment Account Service Provider. Article 99
(1) A Payment Account Information Service Provider must obtain consent from the Payment Service User before providing its service.
(2) A Payment Account Information Service Provider must delete the relevant data and information belonging to the Payment Service User when consent is withdrawn or cancelled (insofar as it does not conflict with applicable obligations under the relevant laws, regulations and instructions).
(3) A Payment Account Information Service Provider must ensure that the Personalized Security Credentials of the Payment Service User are not, with the exception of the user and the issuer of the Personalized Security Credentials, accessible to other parties and that they are transmitted through safe and efficient channels.
(4) A Payment Account Information Service Provider must securely communicate with the Payment Account Service Provider and identify itself for each communication session.
(5) A Payment Account Information Service Provider shall only access information from designated Payment Accounts and associated with the relevant Payment Transactions.
(6) A Payment Account Information Service Provider shall not request Sensitive Data linked to Payment Accounts that could be used to carry out fraudulent transactions.
(7) A Payment Account Information Service Provider shall not use, access or store any data for purposes other than performing the service requested by the Payment Service User.
Article 100
(1) A Payment Service Provider which issues Card-Based Payments may request that a Payment Account Service Provider confirms whether an amount necessary for the execution of Payment Transactions related to the provided service is available on the Payment Account of the Payer. Before submitting such a confirmation request, the Payer consent must be provided and the authentication and secure communication requirements set forth by SAMA must be applied.
(2) A Payment Account Service Provider must immediately, when receiving a request to confirm the availability of funds from the Payment Service Provider, provide the requested confirmation in the form of a ‘yes’ or ‘no’ answer, and in accordance with the following conditions:
(a) The Payment Account is accessible online when the Payment Account Service Provider receives the request;
(b) The Payer has given the Payment Account Service Provider in advance consent to provide confirmation in response to such requests by that Payment Service Provider.
(3) If the Payer so requests, the Payment Account Service Provider must also inform the Payer of the Payment Service Provider which made the request and the provided answer.
(4) A Payment Account Service Provider must not include with a confirmation provided under this Article a statement of the account balance or block Funds on a Payer’s Payment Account as a result of a request.
(5) The Payment Service Provider which makes a request under this Article must not store any confirmation received or use the confirmation received for a purpose other than the execution of the Card-Based Payment Transaction for which the request was made.
(6) This Article does not apply to Payment Transactions initiated through Electronic Money which is stored and executed through Card-Based Payments.
Part 9: Payment Systems
Chapter 1: Designation of Systemically Important Payment Systems
Article 101
SAMA shall consider the following criteria in order to determine whether a Payment System is, or is likely to become, a Systemically Important Payment System:
(a) Whether the Payment System could pose a risk to financial stability in the Kingdom or could trigger or transmit systemic disruption to the other Payment Systems. Factors informing this may include size, criticality, interconnectedness to the financial markets and the
absence of alternative Payment Systems;
(b) Evaluating the Payment System’s degree of connection to financial market infrastructures, whether within or outside the Kingdom, including settlement and clearing systems;
(c) The estimated aggregate value, average value, or volume of transfer orders transferred, cleared or settled through the Payment System on a normal day on which the Payment System is operational and the nature of those transfer orders; and
(d) The estimated number of direct and indirect Members in the Payment System. Article 102
(1) Where SAMA determines that it will commence a designation assessment under Article 101 provisions, SAMA shall issue a notice to the Operator. Such designation assessment may occur simultaneously with the licensing of an Applicant and a designation assessment may occur more than once according to the cases determined by SAMA (for instance, in the event that the previous designation assessment resulted in recommendations for re-assessment or if it was found through the results of the assessment that the payment system may become a Systemically Important Payment System
(2) The operator, its staff and senior management, its board members, and its critical service providers, as well as their agents and any other relevant Persons shall cooperate with SAMA and provide all the documents, information and data related to the characteristics of the Payment System, and clarify its standing against the designation criteria.
(3) SAMA may require of the Operator or other relevant Persons- whether they were established, located or incorporated in the Kingdom or outside the Kingdom- that:
(a) Data or information or documents regarding the Payment System and its operations are made available as SAMA may determine.
(b) Access to the Operator’s staff or such other Persons or representatives is granted to SAMA; and
(c) Such reports or assessments as SAMA determines are necessary to facilitate its determination are provided.
(4) Notwithstanding other applicable laws, SAMA may coordinate with any competent central bank or regulatory authority in other jurisdictions for the purpose of requesting such data or information or documents as may be relevant to a designation assessment.
(5) SAMA shall determine the duration of the designation process depending on the particular circumstances of each case, including the nature and complexity of the Payment System and the interconnection of its operations.
(6) Before deciding on the designation, SAMA may coordinate with the formal representative of the Payment System in question and the international bodies concerned with the supervision and oversight of the Payment System.
(7) SAMA shall notify the Payment System Operator of the outcome of a designation assessment. Where SAMA designates a Payment System as a Systemically Important Payment System, its notification shall state the scope of that designation, including a reference to the date from which this categorization will take effect for the purposes of the Payment System’s compliance with the provision of the Law and the Implementing Regulation, the Operating Rules of the Payment System, and the activities that are allowed to be carried out through the Systemically Important Payment System.
(8) SAMA shall publish a notice of designation and record a designation of a Payment System as a Systemically Important Payment System on its public register.
(9) SAMA may enter Payment System Operators that are already subject to its supervision into the register of licensed Payment System Operators after satisfying the relevant requirements.
(10) SAMA may require the Operator of Systemically Important Payment System to cease or amend any of the operations of the Payment System in accordance with the provisions of the Law and the Implementing Regulation and as SAMA may determine. Article 103
SAMA shall set the frameworks and principles related to the interdependence of the various Payment Systems inside and outside the Kingdom.
Chapter 2: PFMI Requirements
Article 104
(1) The Operator of a Systemically Important Payment System must, in relation to its scope of designation, comply with the guidance and standards.
(2) An Operator of a Non- Systemically Important Payment System may have regard to the guidance and standards in accordance with:
(a) Standards and directions related to risk management objectives and the assurance of its compatibility with the Operator work methodology; to ensure the protection and promotion of financial stability.
(b) Standards and principles proportionate to the nature, scale and complexity of the Payment System and Interconnectedness of its operations.
(c) Instructions issued by SAMA within the licensing process or after.
(3) SAMA may impose higher requirements than the PFMI for Payment System Operators on the basis of risks posed by that Payment System and the potential impact on financial stability.
(4) The Payment System Operator should apply these requirements on an ongoing basis in the operation of their Payment Systems and business, including when reviewing their own performance, or proposing new services, or proposing changes to risk controls.
Article 105
(1) A Payment System Operator shall ensure that the following requirements are complied with in relation to the management and operation of the system, namely:
(a) The risks of the Payment Systems are robustly managed to ensure their safety and promote financial stability;
(b) That the operations of the system are conducted in a safe and efficient manner so as to minimize the likelihood of any outage or disruption to the functioning of the system and to achieve a target of at least a 99.98% uptime;
(c) that there are in place Operating Rules that comply with the requirements specified in Paragraph (2) of this Article and with any requirements set by SAMA relating to the Operating Rules of a Systemically Important Payment System, as well as operational agreements as required;
(d) That there are in place adequate arrangements to monitor and enforce compliance with the Operating Rules of the system, including arrangements regarding the resources available to the system operator;
(e) That there are available to the system financial resources appropriate for the proper performance of the system’s particular functions;
(f) Prepare and annually update recovery and wind-down plans in accordance with the relevant international standards and requirements and consistent with the PFMI
(2) The Operating Rules of a Systemically Important Payment System must:
(a) Provide that if a Member becomes bankrupt, he may be suspended from the system;
(b) Provide default arrangements that are appropriate for the Payment System, and ensure that it is comprehensive for all possible circumstances and cases.
(c) Provide appropriate and adequate arrangements to deal with the situation where a system operator, a service provider or a settlement institution of the system is likely to become unable to meet its obligations under or in respect of the system.
(d) Require members to cooperate with SAMA and provide any data, information or necessary documents that may be requested.
(3) SAMA approval must be obtained before approving the Operating Rules for a Payment System or making any changes thereto.
(4) A Payment System Operator must ensure that the operations of the system are being conducted in a safe manner, including:
(a) Verifying the execution and settlement of transfer orders for the purposes of the Payment System and including this in the Operating Rules;
(b) The reliability and robustness of the operation of the system;
(c) Access control over the system;
(d) The integrity of, and access control over, the information held within the system;
(e) The risk management and control procedures relating to the operation of the system;
(f) The soundness of the system, including financial soundness; and (g) The soundness of the services provided to the system by the infrastructure associated with the system;
(5) A Payment System Operator must ensure that the operations of the system are being conducted in an efficient manner, including, in& particular, any matter relating to:
(a) The speed and efficiency with which operations relating to transfer orders within the system are carried out;
(b) The overall reasonableness cost to a Member of his participation in the system, taking into account the services provided by the system to its Members;
(c) The reasonableness of criteria for admission as a Member in the system; and
(d) The reasonableness of measures taken to ensure fair competition, or not to be exploited by the absence of competition, in relation to the functions performed by the system.
(6) A Payment System Operator must ensure a proper and continued functioning of the Payment System and comply with any instructions issued by SAMA and any relevant international standards (including the PFMI). Article 106
(1) The Operator of Systemically Important Payment System must conduct a self-assessment to test its compliance with the PFMI at least once every year or in the event of a material change to its operating systems or as requested by SAMA.
(2) The Payment System Operator shall enable SAMA such access to its Payment System and related information and cooperate as SAMA requires to conduct an assessment of the Payment System in accordance with its authority by the Law.
(3) The Operator of a Systemically Important Payment System must, after obtaining a non-objection letter from SAMA, publicly disclose its responses to a summary of its PFMI self-assessment in-line with the CPMI-IOSCO Disclosure Framework.
(4) The Operator of a Non-Systemically Important Payment System must conduct a self-assessment to test its compliance with the PFMI on the periodic basis agreed with SAMA under its license authorization or as otherwise determined by SAMA. Article 107
(1) The Operator of a Systemically Important Payment System shall ensure that adequate financial resources of its business, including its own capital soundness, are assessed and maintained in respect of the Payment System.
(2) The Operator of a Non-Systemically Important Payment System shall ensure that adequate financial resources of its business, including its own capital soundness, are assessed and maintained as relevant to its business and in a way that is proportionate to its business.
(3) The financial resources to do business maintained in respect of a Non-Systemically Important Payment System shall equal as a minimum the higher of six months’ operating costs arising in connection with the Payment System and ten million SAR in paid-up equity. Chapter 3: Payment Systems Authorities
Article 108
(1) SAMA may request information or documents from the Payment System Operator or one of its Members when performing its duties and functions under the Law and the Implementing Regulation.
(2) Notwithstanding any other powers of SAMA, The Payment System Operator or the Member of the Payment System is required to submit the information or documents within the period specified in the request and the Payment System Operator must procure that the relevant Member provides the requested information or documents.
(3) SAMA may examine any books, accounts or transactions of the Payment System Operator when performing its functions and the Payment System Operator must procure cooperation from the Member as required.
(4) SAMA may require a Payment System Operator or one of its Members to submit to SAMA a report prepared by one or more auditors on matters that SAMA requires for discharging or exercising its duties and powers under the Law and the Implementing Regulation and the Payment System Operator must procure cooperation from the relevant Member as necessary.
Article 109
(1) SAMA may require the Operator of a Payment System to establish rules for the operation of the system, including the operation of services that form part of the Payment System Operation arrangements and provided by a service provider related to the Payment System, or request any amendment or change on the rules.
(2) A Payment System Operator must notify SAMA of any proposed amendment or change to its rules and not change the rules without the approval of SAMA.
Article 110
SAMA may direct a Payment System Operator to take any action necessary to ensure the Payment System compliance with the Law and the Implementing Regulation. Such a direction shall specify the justifications and the actions to be taken or set the standards that must be met in the operation of the system or the services provided through it within the period which SAMA deems appropriate.
Article 111
Notwithstanding any other powers of SAMA, SAMA may appoint one or more Persons other than its employees to inspect the operation of a Payment System or a service provider related to a Payment System and the provision of all services to such a system by a service provider. The Operator of a Payment System must- In accordance with the written permission granted to the person appointed by SAMA:
(a) Grant an inspector access, on request and at any time, to premises on or from which any part of the system is operated or (as the case may be) premises on or from which any part of the services is provided; and
(b) Co-operate with an inspector and Provide all the necessary data, information and documents to help perform their functions. Article 112
SAMA may require the Operator of a Payment System to appoint an expert to report on the operation of the system and impose requirements about the experiences and specialization of the expert to be appointed, the content of the report, treatment of the report (including disclosure and publication) and timing. In the following cases:
(a) The Operator is not taking –as required- sufficient account of guidance, standards and principles set out in the PFMIs; or
(b) A report is necessary for any other reason to assist SAMA in the performance of its functions under the Law and the Implementing Regulation relating to Payment Systems. Article 113
Where action has been taken under default arrangements of a Payment System by the Payment System Operator in respect of a Member in the Payment System, SAMA may direct the Payment System Operator to give information relating to the default to any employee nominated by SAMA. The nominated employee is responsible for assessing and examining any matter arising out of or connected with the default of the Member in that Payment System. The liabilities of Members for any loss arising from the default of the concerned Member and the arrangements to handle any disputes over Members’ liability with respect to default transactions should be clearly set out in the rules and procedures, and any such disputes are subject to the disputes provisions included in the Law and the Implementing Regulation.
Article 114
(1) SAMA may, taking into account the considerations in Paragraph (2) of this Article, determine that the Cross-Border Payment System does not need to be licensed pursuant to the provisions of the Implementing Regulations or that certain provisions and obligations will not be applied or waived, in the event that the conditions of the Cross-Border Payment System comply with the following:
(a) Where a Payment System falls or will fall within the jurisdictional scope set out in Article 4 of the Implementing Regulations, and
(b) In addition to the Kingdom, it or its Operator operates or will operate in one or more additional jurisdictions.
(2) In making such a determination, SAMA shall take into account the following considerations:
(a) The extent to which the Payment System is or will be subject to a regulatory regime and lead or co-supervision by one or more overseas authorities outside the Kingdom, taking into account the nature and basis of that regime and supervision and whether SAMA has an adequate basis for co-operation with such authorities;
(b) The accepted alternate basis for licensing on which SAMA can supervise and enforce the Payment System’s operations as they relate to the Kingdom, including as to rights to information, to give direction and to enforce non-compliance;
(c) The extent to which an alternate basis of oversight and regulation of the Payment System facilitates SAMA having regard to the objective of the Implementing Regulation; and
(d) The extent to which SAMA is able to supervise and ensure the Payment System’s compliance with the PFMI and is able to meet the responsibilities of market regulators identified under the PFMI.
(3) SAMA shall announce the decision taken with regard to dealing with the Cross-Border Payment System and clarify the approach adopted in this regard, taking into account the principles of transparency and disclosure.
(4) Where a Cross-Border Payment System falls within Paragraphs (a) and (b) of Paragraph (1) of this Article, and it or its Operator conducts additional Payment System business outside the Kingdom or otherwise settles Payment Orders to overseas Members, the following must apply:
(a) There must be a Memorandum of Understanding in place between SAMA and the competent authority of the relevant jurisdiction in relation to the supervision of Payment Systems; and/or
(b) SAMA must be satisfied that the jurisdiction in question is regulated on a basis that is equivalent or otherwise enables SAMA to supervise the Systemically Important Payment System in terms of information exchange, cooperation and enforceability. Chapter 4: Finality and Bankruptcy
Article 115
(1) A Systemically Important Payment System must establish rules and procedures as part of its Operating Rules to enable Final Settlement to take place no later than the end of the intended settlement time and date.
(2) The related rules and procedures must also ensure certainty in terms of circumstances under which Final Payment Orders effected through the Systemically Important Payment System are to be regarded as achieving Final Settlement.
(3) Notwithstanding Article 6 of the Law, the result of a transfer of Funds and the Final Settlement of a Final Payment Order and Clearing Arrangements and settlement transactions, Default Management Arrangements and Security arrangements will be irrevocable and shall not be reversed, repaid or set aside. The implementation of the above must not conflict with the Procedures defined in Paragraph (6) of this Article.
(4) In accordance with the application of Articles 6, 9 and 10 of the Law, the Operating Rules of a Systemically Important Payment System must describe the provisions and procedures necessary for all operations and functions, and that including but not limited to:
(a) Payment orders;
(b) Settlement procedures;
(c) Arrangements in relation to Security;
(d) Clearing arrangements;
(e) Guarantees; and
(f) Default management arrangements.
(5) SAMA may request any documents or reports that prove the Operating Rules’ compliance with all the provisions of this Article in any form it deems appropriate.
(6) A Systemically Important Payment System must ensure that its Operating Rules are sufficiently clear on the application of Articles 6, 9 and 10 of the Law, and shall state that the Operating Rules:
(a) The Operating Rules do not conflict with the requirements of protection, validity and binding nature of Final Payment Orders, arrangements in relation to Collateral and Clearing Arrangements; and
(b) The Operating Rules do not conflict with bankruptcy procedures, resolution procedures, winding up procedures (voluntary or otherwise), and any special administration procedures (or similar measures, howsoever named) that are put in place under applicable legislation and regulations related to the Payment System or its Members where such measures involve the suspending of, or imposing limitations on, the execution or completion of payments resulting from Payment Orders.
(7) The provisions of Article 6 of the Law do not apply to Final Payment Orders initiated after the expiry of the calendar day in the Kingdom on which the “Procedures” result in a duly published and notified and enforceable order or instruction of the relevant authority for the cessation of business, winding up, bankruptcy or re-organization of the concerned Systemically Important Payment System or its Members (or the expiry of the day that the voluntary winding up is completed).
(8) SAMA may Exclude a Systemically Important Payment System from some of the provisions of this Article, provided that the exception decision is applied starting from the day following the day on which the decision was issued; the decision shall be published according to the method specified by SAMA.
(9) SAMA may apply some or all the provisions included in this Article on the Operating Rules of a specific Non-Systemically Important Payment System. Article 116
Notwithstanding any other applicable laws and regulations in the Kingdom:
(1) A Payment System Operator must notify SAMA in the event of a Serious Disruption and shall take appropriate measures.
(2) A payment System Operator must prepare the necessary policies and procedures for measures to handle Serious Disruption incidents that result in a total or partial actual or potential failure or suspension of the Payment system or lead to actual or potential bankruptcy of the Payment Systems Operator, and they must include:
(a) Communications to internal and external stakeholders in a timely and methodical manner; and
(b) Steps to resolve issues caused by the Serious Disruption as efficiently as possible. Article 117
(1) The Operating Rules of a Payment System Operator must compel each Member to notify that Payment System Operator forthwith of the bankruptcy, potential bankruptcy or the commencement of bankruptcy proceedings relating to any Member.
(2) A Payment System Operator must notify SAMA immediately of the bankruptcy, potential bankruptcy of a Member or the commencement of bankruptcy procedures relating to that Member. Part 10: Supervision and Control
Article 118
(1) SAMA is responsible for the monitoring of actions conducted by Payment Service Providers and Payment System Operators and evaluating their compliance, and the monitoring and examination of potential violations of the Law, the Implementing Regulation, and any instructions, decisions or circulars issued by SAMA.
(2) In conducting its supervisory functions, SAMA may conduct supervisory or inspection visits to the licensee's headquarters, branches and agents, including the power to request reports and risk assessments that it deems necessary for the exercise of its functions. Article 119
A committee or more may be formed comprising Payment Service Providers and Payment System Operators after obtaining approval from SAMA to be responsible for studying the proposals and recommendations necessary to develop the Payment Systems and Payment Services sector.
Article 120
(1) Licensees will be required to provide data and submit reports periodically as mandated by SAMA.
(2) A Licensee is obliged to submit to SAMA quarterly financial reports (to be reviewed by an external auditor), which include any information that SAMA deems necessary.
(3) A Licensee is obliged to submit to SAMA annual financial statements (reviewed and audited by an external auditor) in a way determined by SAMA.
(4) SAMA may amend and supplement the list and contents of the reports required to be submitted by a Licensee. SAMA may require that a Licensee hires an external auditor to review specific areas of its operations and report directly to SAMA in the manner specified by SAMA. Article 121
(1) A Licensee must notify SAMA as soon as possible, and within ten calendar days in any event, if it becomes aware that any of the following events have occurred or are likely to occur:
(a) Any event that prevents access to or disrupts the operations of one or more of its Relevant Payment Services offered by it or Payment Systems operated by it;
(b) Any breach of its obligations under the Implementing Regulation or other applicable laws, regulations and decisions;
(c) Any legal proceeding against it or any criminal proceeding against any member of its Senior Positions, either in the Kingdom or outside;
(d) The commencement of any bankruptcy, winding up or other liquidation proceedings, or the appointment of any receiver, administrator or provisional liquidator under the law of any country;
(e) Any disciplinary measure or sanction taken against it or imposed on it by a regulatory body other than SAMA, whether in the Kingdom or outside;
(f) Any change in supervisory or regulatory requirements to which it is subject beyond those of SAMA, whether in the Kingdom or outside;
(g) Fraud; and
(h) Any other event specified by SAMA.
Unless any other applicable laws, regulations or rules specify a shorter timeframe, in which case the notification must be made within that shorter timeframe.
(2) Notwithstanding the specific notification obligations set out in Paragraph (1) of this Article, a Licensee must notify SAMA immediately upon identification of any ‘Medium’ or higher classified cyber incident or any operational incident that may affect Clients in compliance with related instructions. Article 122
(1) Inspectors, appointed based on a decision of the Governor of SAMA pursuant to Paragraph (1) of Article 15 of the Law, shall receive notices, collect information, control necessary evidence and complete legal procedures.
(2) Inspectors may seek assistance from criminal investigation employees if necessary.
(3) Inspectors may hire specialists either as individuals or companies when conducting their survey, examination, and seizing materials connected with violations. The duty of such individuals and companies shall be confined to showing places and materials that require search and capturing during an investigation.
(4) Inspectors shall be subject to any relevant laws, rules, procedures and permissions related to their work. Article 123
(1) SAMA may require a report on any matter about which SAMA has required or could require the giving of specified information, or production of specified documents, as SAMA deems necessary and desirable to meet the objectives of the Law, from any of the following:
(a) A Payment Service Provider;
(b) A Payment Systems Operator;
(c) Member of Senior Positions, employee, Agent, or external auditor of the payment service provider or the payment system operator; or
(d) A controller.
(2) The Person appointed to make a report, as required by the above Paragraph, must be a Person either nominated or approved by SAMA and must, in SAMA’s views, have the skills necessary to make a report on the matter concerned. Article 124
Notwithstanding relevant provisions as applicable – which in the event of possible contradiction will take precedence - a Licensee must not partially or totally shut down its business activities or apply for a winding up, liquidation or other bankruptcy proceedings without first receiving a non-objection letter from SAMA, which may request information and documents to be provided by the Licensee in this regard.
Article 125
SAMA may exclude a Person or group of Persons from certain licensing requirements for purposes of stimulating innovation and development in the provision of Relevant Payment Services and the operation of Payment Systems, taking into account transparency and justice.
Article 126
An inspector appointed pursuant to a decision from the Governor under Paragraph (1) of Article 15 of the Law shall:
(1) Be a Saudi national;
(2) Be of good conduct;
(3) Have not been sentenced of a breach of trust offense or a crime involving moral turpitude, unless rehabilitated; and
(4) Hold a bachelor's degree from the Kingdom of Saudi Arabia, or the degree has been equated. Article 127
(1) SAMA may direct the licensee to take one –or more- corrective actions to ensure their commitment to the provisions of the Law and the Implementing Regulation and any relevant instructions, decisions or circulars issued in implementation thereof as follows:
(a) To take any actions to correct the existing situation in the form and time specified.
(b) To close one of its branches or platforms.
(c) To stop using one or more of its Agents or distributors.
(d) Suspending, restricting or prohibiting specific provided services or products.
(e) The development of progressive cessation restrictions and controls.
(2) Subject to the relevant provisions contained in Article 12 of the Law, SAMA shall issue a penalty decision against anyone who violates the provisions of the Law, Implementing Regulation, instructions or relevant decisions in accordance with the classification schedule of violations and the determination of penalties.
(3) Notwithstanding the competence of the Banking Dispute Committee, the Licensee must, if so directed by SAMA to revoke the license:
(a) Immediately stop practicing the activity related to the License revoked;
(b) Announce the dissolution of the Licensee in a manner as prescribed by SAMA, notwithstanding any other requirements under applicable laws, regulations and decisions;
(c) Enter into liquidation within a period not exceeding six months from the date the Licensee is notified of the License revocation, provided that this is done in accordance with the relevant laws and SAMA has the right to assign a liquidator to carry out the liquidation process; and
(d) Maintain and keep records and data at the disposal of SAMA for the period it specifies without prejudice to the provisions of the relevant laws.
(4) SAMA will monitor such corrective action plan in accordance with a timeframe and reporting mechanism that SAMA will stipulate. Article 128
Inspectors - appointed further to a decision from the Governor under Paragraph (1) of Article 15 of the Law - law enforcement personnel, experts and specialists assisting them shall not disclose confidential information which they come across in the course of their work even after terminating their services unless such disclosure is necessary for purposes of implementing the Law or the Implementing Regulation or any other applicable laws.
Part 11: Complaints and Disputes
Article 129
(1) A Payment Service Provider must ensure that Complaints are handled and addressed in a fair and timely manner, taking proper account of the provisions of the contract signed with the client, the Law and related regulations, rules, instructions, and circulars.
(2) When a Payment Service Provider receives a Complaint, the Payment Service Provider must make every possible effort to address all points raised in a written reply to the Complaint or through means and channels that have been agreed upon between the Payment Service Provider and Payment Service User.
(3) A Payment Service Provider must, at a minimum:
(a) Have a role, function and channels that handle Complaints and operate a complaint handling system that facilitates the recording, tracking, categorization and status of Complaints and provide access to SAMA contact details for complaints handling;
(b) Prepare Complaints handling policies, controls and procedures that adhere to all SAMA documents that regulate the relationships between a Payment Service Provider and its Payment Service Users;
(c) Provide business phone numbers (landline and mobile) for Payment Service Users to contact free of charge from inside the Kingdom to report Complaints. A Payment Service Provider must publish those phone numbers and services on all channels it makes available to Payment Service Users;
(d) Provide additional online communication channels, such as online live chat or the option for Payment Service Users to register their phone numbers online for Payment Service Provider representatives to contact them;
(e) Submitting a document on the procedures for dealing with complaints and enabling clients to view them, provided that it includes the procedures for submitting a complaint and the required documents and an explanation of the channels and means available for submitting it.
(f) Provide all necessary details to be used by the Payment Service User for following up on a Complaint;
(g) Document the channel used to communicate with a Payment Service User about Complaints and retain details of each Complaint and its handling mechanism; and
(h) Provide the information required by a Payment Service User who wishes to escalate its Complaint within the Payment Service Provider or to SAMA as a result of being dissatisfied with the result of the resolution of their Complaint and direct the Payment Service User to the relevant party.
(4) A Payment Service Provider must adhere to the following timings when addressing a Complaint:
(a) An acknowledgment of the Complaint must be sent within forty-eight hours of receipt.
(b) A full reply must be provided within an adequate timeframe and at the latest ten calendar days after the day on which the Payment Service Provider received the Complaint.
(c) If a full reply cannot be given for reasons beyond the control of the Payment Service Provider, the Payment Service Provider must send a holding reply, clearly indicating the reasons for the delay in providing a full reply to the Complaint and specifying the deadline by which the Payment Service User will receive a full reply, the reply shall not exceed 30 calendar days from the date of receipt of the complaint.
(5) A Payment Service Provider must submit details of its Complaints handling procedures to SAMA. SAMA may review these procedures and direct it to alter or amend the complaints handling procedures in accordance with the requirements of applicable laws and regulations, rules, instructions, and circulars.
(6) A Payment Service Provider must report to SAMA on an annual basis the Complaints that it has received from its Payment Service Users in such form as SAMA may direct.
(7) In addition to the Payment Service Provider’s Complaints handling procedures, SAMA will maintain arrangements to receive Payment Service User Complaints. SAMA will consider such Complaints and may follow them up with a Payment Service Provider to determine any corrective actions to be taken. Further, SAMA may refer the Payment Service User to other competent authorities or entities for the purposes of addressing their Complaints.
Article 130
The Banking Disputes Committee shall be responsible for the settlement of all disputes arising between stakeholders of Payment Systems and Payment Service Providers and shall be responsible for the settlement of any grievances of stakeholders from the relevant decisions of SAMA.
Part 12: Final Provisions
Article 131
The Implementing Regulation shall eliminate and supersede the Payment Service Provider Regulations issued by SAMA dated 5/6/1441H, corresponding to 30/1/2020G.
Article 132
(1) A Payment Service Provider licensed under the Payment Service Provider Regulations shall be deemed to be licensed under and subject to the Implementing Regulation from its effective date.
(2) A Payment Service Provider or Payment System Operator must provide a plan for undertaking corrective procedures to comply with the provisions of the Law and the Implementing Regulation within a maximum of six months from the effective date on which the Implementing Regulation come into effect.
Article 133
The Implementing Regulation shall come into force from the date of issuance.
Soft Launch
Your access and use of SAMA Regulatory Rulebook and its content is considered as an acceptance and approval of commitment by you without any limitation or condition to the following:
SAMA Regulatory Rulebook is a platform that aims to assist the regulated entities to access SAMA regulatory content adeptly and efficiently.
SAMA Regulatory Rulebook is still on its development and soft launch stage. SAMA is not liable for its contents and does not warrant or represent that (the Services related to the platform, information or material presented in the platform) is displayed free of any inaccuracies, omissions, or errors (“Faults”). SAMA accepts no liability for any loss, claim or damage resulting from any use of the platform, and any decisions made, or actions taken based on the information contained in or generated by the platform.
SAMA Regulatory Rulebook has no legal effect and it does not aim to amend or revoke any legal provisions. The Rulebook still Contains some documents under review, including translated versions. Therefore, SAMA Regulatory content circulated through SAMA official channels remains in force.
Without prejudice to the terms of use of SAMA website Hereby, you acknowledge that any illegal, unauthorized use and/or any breach of any of these provisions may result in legal actions against you.
Your access and use of SAMA Regulatory Rulebook and its content is considered as an acceptance and approval of commitment by you without any limitation or condition to the following:
SAMA Regulatory Rulebook is a platform that aims to assist the regulated entities to access SAMA regulatory content adeptly and efficiently.
SAMA Regulatory Rulebook is still on its development and soft launch stage. SAMA is not liable for its contents and does not warrant or represent that (the Services related to the platform, information or material presented in the platform) is displayed free of any inaccuracies, omissions, or errors (“Faults”). SAMA accepts no liability for any loss, claim or damage resulting from any use of the platform, and any decisions made, or actions taken based on the information contained in or generated by the platform.
SAMA Regulatory Rulebook has no legal effect and it does not aim to amend or revoke any legal provisions. The Rulebook still Contains some documents under review, including translated versions. Therefore, SAMA Regulatory content circulated through SAMA official channels remains in force.
Without prejudice to the terms of use of SAMA website Hereby, you acknowledge that any illegal, unauthorized use and/or any breach of any of these provisions may result in legal actions against you.