VI. Outsourcing for Foreign Bank Branches (Material and Non-Material)

No: 41027017 Date(g): 15/12/2019 | Date(h): 18/4/1441 Status: In-Force
43.Foreign bank branches are required to book KSA business in the Saudi branch, unless SAMA otherwise agrees to an alternative treatment for specific business activities where local booking is not practical.
 
44.Foreign bank branches are required to maintain appropriate and sufficient local staffing to demonstrate adequate local control over the KSA business and compliance with all of SAMA's prudential requirements applicable to foreign bank branches. However, during the initial stages of a foreign bank branch's operations in the Kingdom, SAMA would take a reasonable and proportionate view of local staffing requirements keeping in view the nature, scale, size and complexity of their business.
 
45.Key management responsibilities, such as business decision-making, along with functions such as compliance and Anti-Money Laundering (AML)/Combatting the Financing of Terrorism (CFT) are not allowed to be outsourced. Foreign bank branches could decide on the outsourcing model of other functions (e.g. Internal Audit, Risk Management) based on the nature, scale and complexity of the branch. Outsourcing to Head Office or a related party does not diminish the obligations of the foreign bank branch, and those of its management, to comply with relevant laws and regulations in Saudi Arabia.
 
46.The outsourced operation to the head office/other group member must be audited annually by the group internal audit team or by an independent third party and the audit findings shared with SAMA.
 
47.Any report to or by any other regulatory authority on the quality of controls of the outsourcing arrangement must be submitted immediately by the foreign bank branch to SAMA.
 
48.Foreign bank branches must ensure that head office/other group member outsourcing arrangements do not constrain SAMA's ability to provide effective prudential supervision of the local operations or they do not contravene the Banking Control Law and other applicable Laws and Regulations.
 
49.Foreign bank branches should adopt good risk management practices to mitigate any potential outsourcing risks. At a minimum and subject to the Rules, a foreign bank branch entering into an outsourcing arrangement with its head office or a member of its group should:
 
 a)Establish policies and procedures relating to ownership and access, resolution of differences, sub-contracting, confidentiality and security, separation of property, business continuity management, monitoring of the performance and circumstances of outsourcing arrangements and annual reviews to gauge compliance with agreed service levels.
 
 b)Perform a due diligence process to address all aspects of the arrangement, particularly those pertaining to any unique operational requirements of the branch.
 
 c)Develop an outsourcing agreement that details, among other things, the scope of the arrangement, the services to be supplied, the nature of the relationship between the branch and the head office/other group member (e.g., roles, responsibilities and expectations).
 
 d)Develop procedures governing any subcontracting of services.
 
 e)Develop an appropriate business continuity plan (BCP) that should be supported with an IT disaster recovery plan. In addition, a branch's BCP should consider applicable controls from the SAMA business continuity management framework.
 
 f)Implement a process for monitoring and oversight.
 
 g)Implement procedures for record keeping.
 
50.Given a foreign bank branch is a dependent unit of a bank and is integrated into the parent entity, whether by legal set-up and/or other organizational designs, outsourcing certain functions/services containing customer information to their head office or other members of the group may occasionally be needed. Subject to the Rules, the foreign bank branch, in outsourcing functions/services containing customer information to head office and other group members is required to put in place a policy that, at minimum, ensures that the following additional conditions are met:
 
 a)A service level agreement that should clearly state that SAMA has the legal right to conduct examinations of the head office/member of the group having an outsourcing arrangement with the branch if required.
 
 b)A customer's consent for data sharing with the head office and to transmit the data through a reliable, secure channel supported by a strong encryption mechanism.
 
 c)Access to such information at the head office/other group member is limited to key control functions such as compliance, risk management, operations, IT and internal audit. Any such customer information should only be for the sole use of the bank and should not be shared with any party outside of the bank without prior written approval of SAMA. The bank is also required to keep a log of who accesses such information and when.
 
 d)Any changes to customer data stored or in transit shall be completely logged and monitored.
 
51.For foreign bank branches that would like to use the services of a third party already contracted by their Head Offices or another member of the group, SAMA will only consider such a third party outsourcing arrangement if the Head Office submits to SAMA a letter of comfort which specifies which operations are to be outsourced and must also include the following conditions:
 
 a)The Head Office declares its ultimate responsibility of ensuring that adequate controlling measures for the outsourcing arrangement are in place; and
 
 b)The Head Office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate outsourcing controls applied by the third party service provider.
 
52.In line with SAMA's risk-based supervisory framework, SAMA may have additional expectations (for all or specific foreign bank branches) depending on the risks related to such outsourcing arrangements and following its supervisory review. Furthermore, SAMA has the right to revoke any outsourcing arrangements, if such an arrangement poses risk to the bank.
 
53.Foreign bank branches would still be required to comply with all other aspects of these outsourcing requirements in relation to outsourcing arrangements with unrelated third parties.