Article 38

Date(g): 13/6/2023 | Date(h): 25/11/1444

Status: In-Force

Effective from Jun 13 2023 - Jun 12 2023
To view other versions open the versions tab on the right

1.

The licensee shall prepare and maintain records that include all transactions, data and information in relation to compliance with the requirements of Chapter IV of the Regulations, in a way that enables SAMA to effectively supervise the same.

2.

The records that licensees shall maintain include:

A.	Financial information: It includes financial statements, bank data records, and client accounts, in addition to accounting records, including - but is not limited to - cheques and records of electronic financial transfers - including bank statements - invoices, contracts, general and subsidiary ledgers, journal entries, adjustments to financial statements that are not recorded in journal entries, work papers and spreadsheets supporting cost allocations, accounts, adjustments and disclosures.
B.	Reports relating to the activities carried out by the licensee and the volume of business and services, including the volume and values of payment transactions.
C.	Minutes of meetings and decisions of the board of directors or managers of the company.
D.	Information relating to any material security or operational incidents [whether alone or when evaluated with other incidents].
E.	Records of approvals issued for payments.
F.	Security records including authentication records.
G.	Information about the changes required to be submitted under Article 121 of the Regulations.
H.	Risk management reports and fraud incidents required to be disclosed.
I.	Data protection reports and privacy measures.
J.	Complaints submitted by the payment service users and any corrective action taken.
K.	Reports regarding any faults, delays, refunds or other issues encountered and addressed.
L.	Reports on compliance with the requirements for protecting and preserving protected funds.
M.	Any information in relation to “know your customer” requirements and due diligence with respect to the client, taking into account examining the sanctions list in accordance with the laws, regulations and instructions in relation to Anti-Money Laundering and Counter-Terrorism Crimes and Financing.
N.	Reports in relation to compliance with the Regulations or other relevant rules, regulations, decisions, instructions and circulars.
O.	Essential legal documents, such as employment contracts, contracts for the appointment of the external auditor, agreements relating to business continuity and task assignment agreements, in addition to documents relating to company governance.

3.

The licensee shall maintain records for at least ten years from the date of their creation, and SAMA may amend the period for the licensee to retain records as it deems appropriate.

4.

The licensee shall develop policies, procedures, laws and controls that regulate the electronic storage of documents and records, while fulfilling the following requirements as a minimum:

A.	Create and store records and documents on reliable and secure storage media.
B.	Index and classify records and any relevant documents clearly and in a manner that facilitates their use or reference.
C.	Provide a reliable and secure system for granting and regulating access to electronic and physical systems, in addition to ensuring that there is no unauthorized access to electronic or physical data.
D.	Establish and implement a backup policy in a way that provides the maximum level of protection and the ability to find backup copies in the event of the loss of the original copy, whatever its type, and conduct periodic tests of backup copies.
E.	Use digital certificates and electronic encryption.
F.	Store records and related documents in the same format in which they are created or received and never make any additions, modifications or deletions therein.
G.	Record all actions undertaken in connection with the records.
H.	Verify that employees authorized to access electronic and physical records, documents and data are committed to maintaining their confidentiality during and after their employment with the payment service provider.

5.

The licensee shall conduct a regular review with the aim of ensuring compliance with the provisions stipulated in this Article on an annual basis as a minimum.