Skip to main content
Custom print
Download Original PDF

  • Part 8: Requirements for Providing Payment Initiation Service and Payment Account Information Service

    • Article 95

      (1)Payment Service Providers must provide access to their Relevant Payment Services in accordance with the decision and instructions related to open banking, cyber security and data privacy issued by SAMA and other competent authorities in the Kingdom.
       
      (2)Payment Service Providers must observe high standards in relation to the secure storage, sharing and transmission of client data when engaging in Payment Account Information Services or Payment Initiation Services. 
       

    • Article 96

       

       (1) A Payment Account Service Provider must grant a Payment Initiation Service Provider and a Payment Account Information Service Provider and each other Payment Service Provider access to Payment Accounts provided that the Payment Services User Consent is received, taking into account providing the access on an objective, non-discriminatory and proportionate basis and in such a way as to allow the Payment Service Provider to deliver Relevant Payment Services in an unhindered and efficient manner.
       
       (2)

      The payer's payments account service provider must:

      (a) Communicate with and transfer information securely to a Payment Initiation Service Provider and a Payment Account Information Service Provider in accordance with the regulations, rules, circulars, controls and instructions related to cyber security issued by SAMA and competent authorities in the Kingdom;
       
      (b) Put in place the necessary policies and procedures to ensure that Payment Services Orders and other requests by the Payer are Authenticated and authorized correctly;
       
      (c) Ensure that any fees applied have been agreed to by the Payer and that such fees are consistent with any regulations, rules, circulars, controls and instructions issued by SAMA;
       
      (d)Immediately after receipt of the Payment Services Order, provide to the Payment Initiation Service Provider all information on the execution of the Payment Transaction and all accessible information.
       
      (e)Treat a Payment Services Order from the Payment Initiation Service Provider in the same ways as a Payment Services Order received directly from the Payer;
       
      (f)Respond to a Payment Services Order from the Payment Initiation Service Provider in a timely manner; 
       
      (g) Treat the data request from the Payment Account Information Service Provider in the same way as a data request received directly from the Payer; 
       
      (h) Respond to data requests from the Payment Account Information Service Provider in a timely manner;
       
      (i)Not require the Payment Initiation Service Provider or Payment Account Information Service Provider to enter into a commercial contract before complying with the preceding requirements in this Article.
       
       (3) 

      A Payment Account Service Provider may deny the Payment Transactions initiation or the access to a Payment Account by a Payment Account Information Service Provider or a Payment Initiation Service Provider based on reasonably justified and duly evidenced reasons relating to unauthorized or fraudulent access. In such cases, the Payment Account Service Provider must:

      (a) Inform the Payment Account Information Service Provider or Payment Initiation Service Provider of the incident and the reason for denial of access;
       
      (b) Notify SAMA immediately regarding the incident in such form that SAMA may direct and include the details of the case and the reasons for taking a deny action; and
       
      (c) Restore account access to the Payment Account Information Service Provider or Payment Initiation Service Provider once the denial of access is no longer justified.
       

    • Article 97

      (1)A Payment Initiation Service Provider must obtain consent from the relevant Payment Service User before providing its service.
       
      (2)A Payment Initiation Service Provider shall not hold, at any time, a Payment Service User’s Funds.
       
      (3)A Payment Initiation Service Provider shall not modify the amount, the Payee or any other feature of a Payment Transaction that it initiates.
       
      (4)A Payment Initiation Service Provider must keep all Payment Service Users’ security credentials, including data related to Personalized Security Credentials, secure and inaccessible to other parties.
       
      (5)A Payment Initiation Service Provider shall not use, access or store any of the Payment Service Users’ data except as necessary to provide the service (and in accordance with its License).
       
      (6)A Payment Initiation Service Provider shall not provide any other information about the Payment Service User except to the relevant Payee, and with explicit consent from the Payment Service User.
       
      (7) A Payment Initiation Service Provider may not request from the Payment Service User any data other than that necessary to provide the Payment Initiation Service according to what is required by the nature of this service and what is determined by SAMA.
       
      (8)A Payment Initiation Service Provider must securely communicate with the Payment Account Service Provider and identify itself for each communication session.
       

    • Article 98

       

       (1)

      Before initiating the payment, the Payment Initiation Service Provider must provide clear and comprehensive information to the Payer in the agreed language. Such information must include -as a minimum- the following:

      (a)The name of the Payment Initiation Service Provider;
       
      (b)The address of the head office of the Payment Initiation Service Provider;
       
      (c) Where applicable, the address of the head office of the Agent or branch offices through which the Payment Initiation Service Provider delivers services in the Kingdom;
       
      (d) Contact details relevant to communication with the Payment Initiation Service Provider, including an electronic mail address; and
       
      (e) The contact details of SAMA.
       
       (2)

      The Payment Initiation Service Provider must immediately after the initiation of the Payment Services Order provide to the Payer and the Payee, where applicable, the following:

      (a)Confirmation of the successful initiation of the Payment Services Order with the Payer’s Payment Account Service Provider;
       
      (b) A reference enabling the Payer and the Payee to identify the Payment Transaction and the Payee to identify the Payer, and any information transferred with the Payment Services Order;
       
      (c) The amount of the payment transaction.
       
      (d)Where applicable, the amount of any charges payable to the Payment Initiation Service Provider.
       
      (e) Provide a Payment Transaction reference to the Payer’s Payment Account Service Provider.

    • Article 99

      (1)A Payment Account Information Service Provider must obtain consent from the Payment Service User before providing its service.
       
      (2)A Payment Account Information Service Provider must delete the relevant data and information belonging to the Payment Service User when consent is withdrawn or cancelled (insofar as it does not conflict with applicable obligations under the relevant laws, regulations and instructions). 
       
      (3)A Payment Account Information Service Provider must ensure that the Personalized Security Credentials of the Payment Service User are not, with the exception of the user and the issuer of the Personalized Security Credentials, accessible to other parties and that they are transmitted through safe and efficient channels.
       
      (4)A Payment Account Information Service Provider must securely communicate with the Payment Account Service Provider and identify itself for each communication session.
       
      (5)A Payment Account Information Service Provider shall only access information from designated Payment Accounts and associated with the relevant Payment Transactions.
       
      (6) A Payment Account Information Service Provider shall not request Sensitive Data linked to Payment Accounts that could be used to carry out fraudulent transactions.
       
      (7) A Payment Account Information Service Provider shall not use, access or store any data for purposes other than performing the service requested by the Payment Service User.
       

    • Article 100

       

       (1)A Payment Service Provider which issues Card-Based Payments may request that a Payment Account Service Provider confirms whether an amount necessary for the execution of Payment Transactions related to the provided service is available on the Payment Account of the Payer. Before submitting such a confirmation request, the Payer consent must be provided and the authentication and secure communication requirements set forth by SAMA must be applied.
       
       (2) 

      A Payment Account Service Provider must immediately, when receiving a request to confirm the availability of funds from the Payment Service Provider, provide the requested confirmation in the form of a ‘yes’ or ‘no’ answer, and in accordance with the following conditions:

      (a) The Payment Account is accessible online when the Payment Account Service Provider receives the request;
       
      (b) The Payer has given the Payment Account Service Provider in advance consent to provide confirmation in response to such requests by that Payment Service Provider.
       
       (3)If the Payer so requests, the Payment Account Service Provider must also inform the Payer of the Payment Service Provider which made the request and the provided answer.
       
       (4)A Payment Account Service Provider must not include with a confirmation provided under this Article a statement of the account balance or block Funds on a Payer’s Payment Account as a result of a request.
       
       (5) The Payment Service Provider which makes a request under this Article must not store any confirmation received or use the confirmation received for a purpose other than the execution of the Card-Based Payment Transaction for which the request was made.
       
       (6) This Article does not apply to Payment Transactions initiated through Electronic Money which is stored and executed through Card-Based Payments.