Compliance Principles for Finance Companies and Real Estate Refinance Companies

Compliance Principles for Finance Companies and Real Estate Refinance Companies
No: 46020562 Date(g): 1/10/2024 | Date(h): 28/3/1446 Status: In-Force
Based on the powers vested to Sama under the Finance Companies Control Law issued by Royal Decree No. (M/51) dated 13/08/1433H, and its Implementing Regulations issued by the Decision of SAMA Governor No. (2/MFC) dated 14/04/1434H,
We would like to inform you of the issuance of the decision of His Excellency the Governor No. (161/MFC) dated 14/02/1446H, which includes the approval of the Compliance Principles for Financing Companies and Real Estate Refinance Companies, according to the attached version. These principles will be implemented (180) days after their publication on the SAMA’s website.
For your information and action accordingly.
SAMA issued these Principles based on the powers vested in SAMA under the Finance Companies Control Law issued by Royal Decree No. (M/51) dated 13/08/1433H and its Implementing Regulations issued by the Decision of SAMA Governor No. (2/MFC) dated 14/04/1434H.

Chapter I: Definitions, General Provisions and Scope of Application

1. Definitions

For the purpose of applying the provisions of these Principles, the following terms and phrases, wherever mentioned herein, shall have the meanings assigned thereto unless the context otherwise requires:

Term	Definition
SAMA	The Saudi Central Bank.
Principles	Compliance Principles for Finance and Real Estate Refinance Companies.
Company	Finance Company and Real Estate Refinance Company licensed by SAMA.
Board	Company's Board of Directors.
Executive Management	Individuals who run the Company's day-to-day business and propose and implement strategic decisions. The Executive Management is considered the senior management.
Unit	The Company's compliance function/department, which reports directly to the Audit Committee.
Compliance Officer	Compliance Unit's officer/manager in the Company.
Unit Staff	All Compliance Unit's staff who perform compliance-related duties and responsibilities.
Laws	The laws that apply to the Company and its Staff.
Instructions	All binding regulations, rules, principles, frameworks, guidelines and circulars issued by SAMA, in exercise of its role as a regulatory and supervisory authority, and other competent entities.
Non-Compliance Risk	Risks that result in the application of penalties or regulatory measures against the Company, or lead to it incurring financial losses or harming its reputation as a result of non-compliance with laws and instructions.

2. General Provisions

a.	These Principles aim to:
	1.	Promote sound practices in the Company, and continuously ensure the effectiveness and implementation of compliance policies.
	2.	Promote a compliance culture that is integral to the Company's culture, taking into account that its scope of integration goes beyond the Unit Staff to include all of the Company's employees.
	3.	Define the responsibilities of the Board, the Audit Committee, the Executive Management, the Compliance Unit, the Company's o employees, and the Internal Audit Department towards compliance.
	4.	Set the minimum requirements to enable the Unit to perform its duties efficiently, professionally and effectively.
b.	These Principles shall not prejudice the requirements imposed on finance and real estate refinance companies under relevant laws and instructions, including but not limited to:
		Finance Companies Control Law and its Implementing Regulations. Real Estate Finance Law and its Implementing Regulations. Anti-Money Laundering Law and its Implementing Regulations. Law of Combating Crimes of Terrorism and its Financing and its Implementing Regulations. The Rules Governing Real Estate Refinance Companies. Rules for Engaging in Debt-Based Crowdfunding. Rules for Regulating Buy-Now-Pay-Later (BNPL) Companies. Anti-Fraud Rules for Finance Companies. Key Principles of Governance in Financial Institutions under the Control and Supervision of the Saudi Central Bank. Code of Conduct and Work Ethics in Financial Institutions Financial Consumer Protection Principles and Rules. The Requirements for Appointments to Senior Positions in Financial Institutions Supervised by SAMA. Debt Collection Regulations and Procedures for Individual Customers Rules for Establishing a Customer Care Department in Finance Companies. The Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Guide. Whistle Blowing Policy for Financial Institutions.

3. Scope of Application

a.	The provisions of these Principles shall apply to finance and real estate refinance companies.
b.	These Principles shall serve as a guide to finance support companies and finance lease contract registration companies. SAMA may, at any time, enforce all or some of these Principles.

Chapter II: Duties and Responsibilities of the Board, Audit Committee and Executive Management Towards Compliance

Principle 1: Duties and Responsibilities of the Board Towards Compliance

1.	Subject to its duties and responsibilities contained in relevant laws and regulations and SAMA-issued instructions, the Board shall:
	a.	Buttress and promote the values of honesty and integrity throughout the Company.
	b.	Ensure the existence of a compliance unit that is effective, well-developed and independent. It shall be granted appropriate powers and resources, and its employees provided with specialized training while developing their abilities and skillsets in the field of compliance.
	c.	Approve a written policy for compliance that sets out the powers,tasks and responsibilities of the Compliance Unit , as well as compliance programs and relevant processes.
	d.	Appoint the Compliance Officer based on the Audit Committee’s recommendation after obtaining a no-objection letter from SAMA.
	e.	Accept the Compliance Officer’s resignation based on the Audit Committee’s approval, and notify SAMA thereof.
	f.	Set a clear outline of the responsibility and accountability of the Company; enforce compliance thereof by its employees; and establish complete separation of responsibilities at the level of Executive Management.
	g.	Review the periodic compliance report submitted by the Compliance Officer.

Principle 2: Duties and Responsibilities of the Audit Committee Towards Compliance

1.	Subject to its duties and responsibilities contained in relevant laws and regulations and SAMA-issued instructions, the Audit Committee shall:
	a.	Review the periodic compliance report submitted by the Compliance Officer; document the actions taken regarding to, and decisions resulting from, the report; and submit it to the Board.
	b.	Verify the implementation and evaluate the effectiveness of, update, and propose the necessary amendments to the compliance policy approved by the Board on an annual basis.
	c.	Approve the plan that encompasses the main activities and operations of the Unit, subject to annual update by the Compliance Officer.
	d.	Submit recommendations to the Board for the appointment of the Compliance Officer along with the reasons and justifications.
	e.	Approve the resignation request of the Compliance Officer.
	f.	Assess the Compliance Officer’s performance according to the Company’s approved plan.
	g.	Evaluate the effectiveness and efficiency of compliance policies, procedures, reporting mechanism and the extent of compliance with such policies on an annual basis; and submit recommendations to the Unit for improvement to the policies before their approval by the Board.
	h.	Review and approve the risk-based compliance program implemented by the Unit in their work.
	i.	Review the outcomes of SAMA’s reports, and ensure that the Company has taken the necessary actions in this regard.
	j.	Escalate issues to the Board as needed, and give recommendations on the actions that must be taken.
	k.	Verify the Company’s compliance with relevant laws, regulations, policies and instructions, and take the necessary measures to improve the level of regulatory compliance in the Company.
	l.	Verify that the number of employees in the Unit is sufficient to match the size of the Company’s business and business model.

Principle 3: Duties and Responsibilities of the Executive Management Towards Compliance

1.	Subject to its duties and responsibilities contained in relevant laws and regulations and SAMA-issued instructions, the Executive Management shall:
	a.	Comply with applicable laws and instructions, and take the necessary measures and controls to prevent violations thereof.
	b.	Establish an independent unit for compliance and describe its role to all Company employees.
	c.	Create a work atmosphere built on trust and harmony between the Unit and other departments, and take the necessary measures to achieve that.
	d.	Develop a written policy for compliance approved by the Board that sets out the powers, tasks and responsibilities of the Unit, as well as relevant compliance programs.
	e.	Incorporate into the Company’s internal regulations guarantees of compliance with relevant laws and instructions.
	f.	Develop a written organizational policy that includes work guidelines and procedures, and update it continuously in line with changes. The policy shall be communicated to the concerned employees in the appropriate manner and within a timeframe that allows for compliance. Such policy shall include the rules regulating compliance to the relevant laws and instructions.
	g.	Provide appropriate training to the Company’s employees on an annual basis with periodic follow-ups, with the aim of keeping pace with developments in their respective fields of work and ensuring that they perform their duties and responsibilities effectively to help achieve compliance.
	h.	Support the Unit to undertake its duties, including AML/CTF, by qualifying staff and upgrading technical and information systems, and budget setting in order to effectively implement, manage and monitor the AML/CTF program requirements, in the event that the AML/CTF unit is reporting to the Compliance Unit.

Chapter III: Features, Duties and Responsibilities of the Unit

Principle 4: Key Features of the Unit

Autonomy
1.	Autonomy is inclusive of the following:
	a.	The Unit shall have an official status in the company.
	b.	The Unit shall functionally report to the Audit Committee and administratively to the Executive Management.
	c.	The Compliance Officer and Unit Staff shall perform the tasks assigned to them with autonomy, and they may not perform any other administrative tasks.
	d.	The Compliance Officer and Unit staff shall have the authority to access all information and documents, and communicate with any of the Company staff to the extent necessary to discharge their responsibilities.
	e.	Other departments shall not interfere with the Unit’s work, without prejudice to the Unit’s cooperation with other departments in a manner that serves the compliance.
Compliance Officer
2.	Compliance Officer selection and nomination is subject to the Requirements for Appointment to Senior Positions issued by SAMA and any relevant SAMA instructions issued at a later date.
3.	The Compliance Officer shall have the necessary knowledge and skills to perform the Unit’s duties and maintain its effectiveness. To this end, the Compliance Officer shall:
	a.	Obtain Compliance for Financing Companies Sector Professional Certificate, excluding any incumbents assigned to the position.
	b.	Have broad expertise in the finance sector and understanding of all laws and instructions related to various finance operations and other relevant regulations.
4.	Submit periodic compliance reporting to the Audit Committee. The report shall identify the main non-compliance risks facing the Company, and key observations reached as a result of reviewing the work of the departments during the reporting period; analyze existing processes and procedures related to compliance and assess their effectiveness; and suggest any amendments or changes relevant to these functions.
5.	Have the authority to hold periodic meetings with the Executive Management and directors of other departments and units to discuss compliance implementation in accordance with the relevant regulations and instructions.
6.	Meet with the Audit Committee during the submission period of periodic compliance reporting to assess the extent of the company’s ability and effectiveness in managing its non-compliance risks.
7.	Verify any possibility of non-compliance, and may request support from specialists within the Company (such as the internal auditor), or involve an external specialist to carry out the task if necessary. Have the authority to directly contact concerned officials, whether in the Board, the Executive Management or the Audit Committee, in the event of any observation or violation.
Unit Staff
8.	The number of employees in the Unit shall be sufficient and consistent with the Company’s business model and size. Unit employees shall report solely to the Compliance Officer.
9.	Unit employees shall have the appropriate qualifications and expertise to perform their job duties and keep abreast of developments in their field of work.
10.	Unit employees shall have full understanding of the instructions and their impact on the Company's business.

Principle 5: Duties and Responsibilities of the Unit

1.	The Unit shall, without limitation:
	a.	Cooperate and communicate with control and supervisory authorities effectively, taking into account their reported observations to identify shortcomings periodically, and coordinate with other departments to address and resolve them.
	b.	List, communicate and explain the relevant laws and instructions to other departments and units immediately upon receiving them from the supervisory authorities, and ensure that they are incorporated into the work policies and procedures of each department and unit according to their competencies; and implemented within the specified period.
	c.	Cooperate with the Company staff and provide them with support and advice in their compliance-related daily work.
	d.	Identify and address all risks of non-compliance and ways to avoid them, provide advice on them, and monitor their developments.
	e.	Analyze new policies, procedures and processes and suggest necessary recommendations to address non-compliance risks therewith.
	f.	Adopt a risk-based compliance program and include its findings in the periodic compliance report.
	g.	Collect compliance-related complaints and formulate written guidance to staff, where necessary.
	h.	Draft internal policies and procedures to combat financial crimes, such as money laundering, terrorism and combating fraud, and test their effectiveness in line with developments and recent changes.
	i.	Monitor compliance with AML/CTF laws, regulations, and rules.
	j.	Promote awareness of compliance issues and provide training to staff on compliance-related matters through periodic programs, and clarify the risks of non-compliance with laws and instructions.
	k.	Report to SAMA and the Audit Committee upon the identification of any irregularities or violations resulting from non-compliance.
	l.	Review the work of the customer care department semiannually at least to ensure the soundness of its workflow, with the exception of real estate refinance companies.
	m.	Review the work of the department concerned with collection procedures and/or the third party to which the collection task was assigned on an annual basis – at least – to ensure the soundness of the procedures and their compliance with Debt Collection Regulations and Procedures for Individual Customers and the relevant instructions, taking into account that the review of such department and/or third party’s work does not include real estate refinance companies.
	n.	Develop methods to measure the risks of non-compliance quantitatively and qualitatively, and use these measures to support the assessment, management and addressing of non-compliance risks. Technology can be used as a means of developing risk indicators by aggregating or filtering data that may be indicative of potential non-compliance risks; for example, but not limited to, increased customer complaints, fraud cases, reports, penalties and sanctions imposed, with determination being made as to the extent to which additional measures are needed to address them.
	o.	Create a database for all instructions, classify them according to the work of each department or unit, update them continuously, and enable all Company employees to access and benefit from such database continuously.
	p.	Recommend approval of contracting with external service providers and verify their compliance with relevant instructions.

Principle 6: Responsibilities of Company Staff Towards Compliance

1.	Company employees shall be responsible for compliance with and implementation of the policies, procedures and controls issued by the relevant control and supervisory authorities.
2.	Company employees shall refer regulation- and supervision-related inquiries received from the competent authorities to the Unit. Moreover, no employee shall have the right to respond to any such inquiry or provide such authorities with the requested information except through the Unit or unless otherwise authorized to do so. Company employees shall cooperate in providing documents that support the Unit to respond to such inquiries.
3.	Before applying for SAMA’s no-objection, the approval of the Unit, in addition to the approval of other relevant departments, for the offering of products and services to be provided by the Company to its individual clients or beneficiaries of microfinance shall be obtained, with documentation of the Unit’s verification that the product or service does not violate the relevant laws and instructions.

Principle 7: Responsibilities of Internal Audit Department Towards Compliance

1.	Subject to its duties and responsibilities contained in relevant laws and regulations and SAMA-issued instructions, the Internal Audit Department shall:
	a.	Assess the internal control system to ensure that the Company and its employees comply with relevant laws and instructions as well as the Company's policies and procedures, whether the management of operations is carried out internally or outsourced.
	b.	Review the main activities and operations of the Unit at least annually in accordance with the plan approved by the Audit Committee, and update this plan annually.
	c.	Conduct regular assessment to verify the effectiveness of Company policies and procedures, provided that procedures undertaken are properly documented, and such information is included in the Internal Audit Department’s report prescribed in the Implementing Regulations of the Finance Companies Control Law.

Chapter IV: Concluding Provisions
1. These Principles shall enter into force (180) days as of the date of its publication on SAMA’s official website.