Digital Certification of Products for Finance Companies Customers

No: 42011675 Date(g): 14/10/2020 | Date(h): 27/2/1442 Status: In-Force

Translated Document

In line with SAMA’s commitment to enable all customers in the financing sector to obtain their financing needs easily and efficiently, and to enhance SAMA’s strategic goals of accelerating digital transformation in the sector through strengthening and securing technological infrastructure, and to facilitate and improve services by enabling financing companies to utilize approved digital certification services in the Kingdom.

We inform you that financing companies can offer all financing products and credit cards via electronic channels to individual customers as well as small and medium enterprises through digital certification services, provided that adherence to the Electronic Transactions Law, issued by Royal Decree No. (M/18) dated 8/3/1428 H, and its implementing regulations is maintained. The company must assess the associated risks, identify the types of financing covered by this service, establish sufficient controls, policies, and precautionary procedures, and apply the following minimum requirements:

  1. Ensure full compliance with the Cyber Security Framework Maturity Level 3 by evaluating compliance through an independent party as per the framework.
     
  2. The company must have obtained SAMA’s no-objection to provide electronic services as per the Cyber Security Framework. Without this, the company cannot provide digital certification services until it receives SAMA’s no-objection for providing electronic services.
     
  3. The digital certification service provider must be accredited by the National Digital Certification Center.
     
  4. Providing digital certification services should not affect the company's core procedures for applying the "Know Your Customer" principle or the eligibility and identity of the customer, agent, or authorized signatory.
     
  5. The financing request must be created through one of the electronic channels, with the necessary procedural controls in place and the customer must be notified via SMS about the request. Additionally:
     
     • For individuals: The request must be activated via another channel, for example, implementing the rules for adding and activating beneficiaries as outlined in the Cyber Security Framework.

     • For enterprises: Consider necessary procedural controls, for example but not limited to: delegating multiple authorities for approving financing requests, activating the request from another channel, etc.

  6. The company must verify the approval of the customer/enterprise owner or authorized representative for the request through a phone call from the call center or customer service.

  7. The company is responsible for verifying the information provided by the customer/enterprise before executing the transaction.

  8. Approval of the request must occur at least 24 hours after submission for individuals and three business days for enterprises.

  9. Implement sufficient security standards to protect data and communication with the digital certification service provider, including data encryption standards and data privacy.

  10. Retain copies of documents and all legal matters related to digital certification.

  11. Update agreements and contracts to specify that this service is conducted electronically using digital certification and it is not permissible to appeal its execution electronically.

  12. Set a maximum limit for the financing amount provided through digital certification in line with the company's risk policy.

  13. Periodically evaluate and monitor precautionary controls and ensure their effectiveness.
     

For your information, and to act accordingly from this date, noting that digital certification services do not apply to products subject to a test environment.