Your access and use of SAMA Regulatory Rulebook and its content is considered as an acceptance and approval of commitment by you without any limitation or condition to the following:
SAMA Regulatory Rulebook is a platform that aims to assist the regulated entities to access SAMA regulatory content adeptly and efficiently.
SAMA Regulatory Rulebook is still on its development and soft launch stage. SAMA is not liable for its contents and does not warrant or represent that (the Services related to the platform, information or material presented in the platform) is displayed free of any inaccuracies, omissions, or errors (“Faults”). SAMA accepts no liability for any loss, claim or damage resulting from any use of the platform, and any decisions made, or actions taken based on the information contained in or generated by the platform.
SAMA Regulatory Rulebook has no legal effect and it does not aim to amend or revoke any legal provisions. The Rulebook still Contains some documents under review, including translated versions. Therefore, SAMA Regulatory content circulated through SAMA official channels remains in force.
Without prejudice to the terms of use of SAMA website Hereby, you acknowledge that any illegal, unauthorized use and/or any breach of any of these provisions may result in legal actions against you.
Effective from May 24 2017 - May 23 2017 To view other versions open the versions tab on the right
The Framework is applicable to all Member Organizations regulated by SAMA, which include the following:
•
All Banks operating in Saudi Arabia;
•
All Insurance and/or Reinsurance Companies operating in Saudi Arabia;
•
All Financing Companies operating in Saudi Arabia;
•
All Credit Bureaus operating In Saudi Arabia;
•
The Financial Market Infrastructure
All domains are applicable for the banking sector. However, for other financial institutions the following exceptions apply:
•
Sub-domain (3.1.2) the alignment with cyber security strategy of banking sector is mandatory when applicable.
•
Exclude sub-domain (3.2.3). However, if the organization store, process or transmit cardholder data or deal with SWIFT services, then PCI standard and/or SWIFT Customer Security Controls Framework should be implemented.
Exclude sub-domain (3.3.13). However, if the organization provides online services for customers, a Multi Factor Authentication capability should be implemented.
