Effective from Oct 11 2022 - Oct 10 2022
Principle
Member Organisations should define, approve and implement a strategy for the sourcing or development and implementation of counter-fraud systems and technology to manage the fraud risks they are exposed to.
Control Requirements
a. Member Organisations should define, approve and implement a strategy for the sourcing or development of Counter-Fraud systems and technology to prevent, detect and respond to fraud.
b. Member Organisations should implement Counter-Fraud systems and technology and verify that they are operating as intended.
c. The output of the Fraud Risk Assessment should inform the technology required, and systems should be proportionate to the risk appetite of the organisation.
d. Whether a fraud system is sourced from a vendor or developed in-house, Member Organisations should consider the below requirements at a minimum:
   1. The Counter-Fraud Department is engaged in the design and implementation of the system, with oversight from the CFGC.
   2. The rationale for the scenarios developed and the thresholds applied is documented.
   3. The system and rules are designed, or can be customised, to align to the products, services and fraud risks of the organisation.
   4. New rules can be implemented on a timely basis to target the prevention and detection of new or emerging typologies identified through Intelligence Monitoring.
   5. Awareness of rules to prevent and detect potential internal fraud is limited to a restricted, documented set of roles which does not include employees or third parties responsible for the operation of the processes and controls being monitored (e.g., branch/customer-facing staff or operational payments teams).
   6. Configuration changes should follow the System Change Management Principles and Control Requirements in SAMA’s Information Technology Governance Framework (“The IT Governance Framework”).
   7. The organisation can explain and outline the fraud threats that the scenarios are designed to monitor and mitigate.
   8. Where Machine Learning or Artificial Intelligence is used, the system should not be a 'black box' and should be capable of being audited (e.g., the organisation should have the capability to test what the algorithms are designed to do and whether they are correctly implemented).