Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom
No: 42063179 | Date(g): 17/4/2021 | Date(h): 6/9/1442 | Status: In-Force | Translated Document
Based on the powers vested in SAMA under the relevant regulations and instructions, and in line with SAMA's supervisory and regulatory role in enhancing the protection of the privacy of customers of the financial institutions under its supervision and their employees, as well as in continuously improving and strengthening sound practices in banks, enclosed are the regulatory and awareness procedures for branch staff and customer service employees in banks operating in the Kingdom. These procedures aim to mitigate operational risks related to handling banking laws and to ensure that operations are conducted in accordance with approved regulations, instructions, and powers to protect banks and customers from exposure to losses.
Please take note and act accordingly by the end of the third quarter of 2021.
First: Introduction
A. Objective
These procedures aim to establish the minimum regulatory and awareness measures for branch staff and customer service employees in banks operating in the Kingdom. Compliance with these measures is required to mitigate operational risks related to dealing with banking laws and to ensure that operations are conducted in accordance with approved regulations, instructions, and authorities, thereby protecting banks and clients from potential losses.
B. Scope
These procedures apply to banks operating within the Kingdom. This is without prejudice to any other relevant regulations or guidelines, including but not limited to the Cyber Security Framework and the Business Continuity Management Framework.
Second: Definitions
The terms and phrases mentioned in these procedures are defined as follows, unless the context indicates otherwise:
Central Bank: The Saudi Central Bank.
Banks: Banks operating within the Kingdom.
Branches: Branches of commercial banks operating within the Kingdom.
Employees: Employees of branches and customer service.
Customers: Customers of the banks.
Third: Supervisory Procedures
Banks must adhere to the required maturity level as per the Cyber Security Framework and the Business Continuity Management Framework, with particular attention to the following:
Fourth: Awareness Procedures
Banks are required to adhere to the following:
1. Establish a policy for the secure use of banking laws, including procedures for handling usernames and passwords, and review it periodically.
2. Ensure employees are aware of the importance of checking that they are not being observed when entering their username or password.
3. Provide training and qualification for employees on essential information related to information security.
4. Conduct periodic awareness campaigns for employees regarding the instructions issued by SAMA and the banks' own policies, especially concerning the confidentiality of customer account information and the penalties for non-compliance. This should include ongoing educational materials and be conducted at least every three months.
5. Conduct regular awareness campaigns for employees on information security and financial fraud prevention, with ongoing educational materials provided at least every three months.
6. Perform tests and surveys of employees at least every six months to assess the effectiveness of the awareness procedures outlined in points (4) and (5).
7. Obtain a declaration from employees, both upon starting work and annually (either in paper or electronic form), acknowledging that they have reviewed and are committed to all policies related to the secure use of banking laws and the handling of usernames and passwords.
Fifth: General Provisions
1. These procedures should be read in conjunction with all related regulations and instructions.
2. These procedures represent the minimum requirements for banks to implement in terms of enhancing the monitoring and awareness aspects for employees.
3. Existing policies, manuals, and procedures should be reviewed and updated periodically to ensure they align with the requirements set forth in these procedures and related instructions.
4. One of the supervisory departments (Internal Audit or Compliance Department) should be assigned to conduct periodic examinations or reviews (within a maximum of two years) to verify compliance with the requirements outlined in these procedures.