  • Principles of compliance for commercial banks operating in the Kingdom of Saudi Arabia

    No: 42005223 | Date(g): 15/9/2020 | Date(h): 28/1/1442 | Status: In-Force

    Translated Document

     

    Based on the powers vested in SAMA under its Law issued by Royal Decree No. (23) dated 23/05/1377H and the Banking Control Law issued by Royal Decree No. (M/5) dated 22/02/1386H, with reference to the Compliance Manual for Banks Working in Saudi Arabia issued in the year (1429H/2008G), and in light of SAMA's supervisory and regulatory role and its efforts to continuously improve and address banking regulatory issues and enhance sound practices in banking institutions:

    Attached are the Principles of Compliance for Commercial Banks Operating in the Kingdom of Saudi Arabia, which aim to activate supervisory roles and enhance sound practices in banking institutions, and which replace the aforementioned manual.

    These principles shall apply as guiding rules until the end of 2020G, and on a mandatory basis from 01/01/2021G.

    • Definitions

      The terms and phrases below—wherever they appear in these principles—mean the definitions given next to each term, unless the context indicates otherwise:
       
       
      1-Central Bank: The Saudi Central Bank.  
      2-Bank: Local commercial banks and branches of foreign banks licensed to conduct banking activities in the Kingdom in accordance with the Banking Control Law.
       
       
      3-Board: The Board of Directors of the local bank. The primary officer in a foreign bank branch assumes the tasks and responsibilities of the Board of Directors of local banks wherever the Board is referenced in these principles.
       
       
      4-Senior Management: The executive management of the local bank (CEO, Managing Director, General Manager) and senior executives responsible for managing the bank's operations, proposing and implementing strategic decisions, and the branch manager for foreign bank branches licensed to conduct banking activities in the Kingdom.
       
       
      5-Compliance Function: An independent function at the first managerial level in senior management that identifies, evaluates, advises on, monitors, and reports on non-compliance risks, i.e., the bank's exposure to regulatory or administrative penalties, financial losses, or reputational harm resulting from non-compliance with regulations, instructions, financial crime prevention requirements, or standards of conduct and professional practice. This function is carried out by an independent compliance unit in banks.
       
       
      6-Compliance Policy: The policy approved by the Board of Directors of the bank and the head of the foreign bank branch that defines and outlines the comprehensive responsibilities of compliance, the authority of the compliance unit, and the main principles, pillars, and methodology the bank follows to manage compliance risks, including the elements outlined in Principle (1).
       
       
      7-Compliance Unit: A unit at the group, sector, or department level, depending on the structure of the first-managerial-level units in local banks, or a department, division, section, etc., at the first managerial level reporting to the primary officer in foreign bank branches, whose head and compliance staff are dedicated solely to compliance-related tasks and responsibilities.
       
       
      8-Chief Compliance Officer: The head of the compliance unit in local banks, or the executive at the first managerial level reporting directly to the head of the branch in foreign bank branches, whose responsibilities include coordinating the identification of non-compliance risks, advising senior management on how to manage them, and overseeing the activities of compliance officers and staff.
       
       
      9-Compliance Staff: All individuals performing compliance duties and responsibilities within the compliance unit.
       
       
      10-Compliance Officer: An employee from other operational units, different from the compliance unit staff, designated by the Chief Compliance Officer to handle specific compliance responsibilities and tasks within their operational unit.
       
       
      11-Compliance Risks: Risks resulting in or leading to the imposition of penalties and regulatory actions against the bank or significant financial losses, or damage to its reputation due to non-compliance with relevant regulations, instructions, and standards applicable to the bank, and ethical and behavioral codes governing banking activities, collectively referred to as "non-compliance risks."
       
       
      12-Compliance Role: The description of responsibilities assigned to compliance staff within the bank.
       
       
      13-Regulations: The regulations and rules applicable to the banking sector and its personnel.
       
       
      14-Instructions: All directives issued by SAMA in its role as a supervisory and regulatory authority, and by other relevant authorities, including regulations, rules, principles, frameworks, guides, and mandatory circulars.
       
       
      15-Compliance Systems, Rules, and Standards: The regulations and instructions applicable to the banking sector and its personnel.
       
       
      16-Conflict of Interest: A situation in which the Chief Compliance Officer, compliance staff, or compliance officers in other units have a direct or indirect interest or relationship in a matter they are reviewing for decision-making purposes, such that the interest or relationship impairs, or could reasonably be believed to impair, their ability to form an opinion or take a decision independently and impartially, without regard to that interest or relationship.

      * The name "Saudi Central Bank" replaced "Saudi Arabian Monetary Authority" according to the Saudi Central Bank Law No. (M/36) dated 11/04/1442H.

    • Introduction

       

      17-SAMA issued these principles based on the powers granted to it and its supervisory and regulatory responsibilities as follows:
       
       
       a.The Saudi Arabian Monetary Law, issued by Royal Decree No. (23) dated 23/05/1377H.
       
       
       b.The Banking Control Law, issued by Royal Decree No. (M/5) dated 22/02/1386H.
       
       
       c.The Anti-Money Laundering Law issued by Royal Decree No. (M/20) dated 05/02/1439H and its Implementing Regulations issued by State Security Presidency Decision No. (14525) dated 19/02/1439H.
       
       
       d.The Law on Combating the Financing of Terrorism issued by Royal Decree No. (M/21) dated 12/02/1439H and its Implementing Regulations issued by Cabinet Decision No. (228) dated 02/05/1440H.
       
       
      18-SAMA issued these principles as the first update to the Compliance Manual for Banks Working in Saudi Arabia issued by Circular No. 56202/M A T/787 dated 19/12/1429H. This issuance is part of SAMA's efforts to continuously improve and address banking regulatory issues and enhance sound practices in banking institutions. It also emphasizes that bank officials must satisfy themselves that compliance policies and procedures are effective and applied, and that senior management takes appropriate corrective action to address any non-compliance or deficiency when detected.
       
       
      19-Compliance with regulations and instructions starts from the top of the hierarchy, where the chairman, board members, and senior management should serve as examples in managing work and compliance.
       
       
      20-Effective compliance requires continuous affirmation from senior management that a culture based on high standards of integrity and professional ethics prevails. Compliance should be an integral part of the bank’s culture and should not be limited to the compliance unit only. Each individual in the bank carries responsibility for compliance, and this responsibility must be integrated into the bank's operations and activities, ensuring high standards are met in its operations by constantly adhering to the spirit and letter of the regulations. It must also consider the impact of actions related to shareholders, customers, employees, and the market environment that could lead to significant negative reactions affecting the bank’s reputation, even if there is no actual violation of regulations.
       
       
      21-Trust and integrity are the core values and highest priority in the relationship between the bank and its customers, forming the foundation upon which the bank builds its reputation with customers and stakeholders. Reputation protection must be a fundamental concern for managers and employees. They must exhibit a high level of trust, integrity, and professionalism in their duties and ensure their actions are always in compliance with the letter and spirit of regulations and instructions governing the banking sector.
       
       
      22-These principles establish a framework for governance of compliance within the bank, consisting of the board and its responsibility for approving the compliance policy and overseeing the management of non-compliance risks, senior management and its responsibility for managing non-compliance risks, and the compliance unit with its responsibility for overall coordination of compliance and supporting senior management.
       
       
      23-These principles begin by defining the responsibilities of the board and senior management regarding compliance, as a matter of primary importance, followed by the principles that should govern the compliance unit within the bank.
       
       
      24-Compliance systems, rules, and standards cover matters such as adherence to appropriate market practices, managing conflicts of interest, treating customers fairly, ensuring the suitability of advice given to customers, and specific areas such as anti-money laundering, combating terrorism financing, countering weapons proliferation, Know Your Customer (KYC), anti-financial fraud, anti-corruption, and handling reports of violations.
       
       
      25-Compliance systems, rules, and standards are based on multiple sources including the regulations and instructions applicable to the banking sector under the supervision of SAMA, regulations and instructions overseen by other official authorities with jurisdiction or in other countries where banks operate, prevailing banking practices, industry-supported business practices, internal conduct rules applied to bank employees, integrity and ethical behavior standards, and relevant requirements issued by international organizations and groups responsible for setting policies governing the supervision of banking and financial institutions, such as the Basel Committee on Banking Supervision, among others.
       
       
      26-The compliance principles require that the compliance unit be independent, adequately resourced, have clearly defined responsibilities, and be subject to independent and periodic review by the internal audit unit, as detailed in principles (5) to (8) below. These requirements are what determine the effectiveness of the compliance unit's work.
       
       
      27-The compliance unit and function in banks are considered one of the most important foundations and factors for their success, as they play a crucial role in maintaining their reputation and credibility, protecting shareholder and depositor interests, and providing protection from penalties. This is achieved through its activities and contributions as follows:

      • Mitigating non-compliance risks, particularly regulatory, reputational, and financial penalty risks.
         
      • Strengthening relationships with regulatory and supervisory authorities and addressing their feedback to identify and rectify deficiencies on a regular basis before they escalate.
         
      • Contributing to the establishment of sound management and governance principles within banks.
         
      • Ensuring compliance with regulations and instructions issued by supervisory and regulatory authorities, as well as other relevant authorities.
         
      • Developing appropriate mechanisms and frameworks to combat money laundering, terrorism financing, weapons proliferation, financial fraud, and corruption, and providing insights, advice, and recommendations to address and correct deficiencies and violations.
         
      • Carrying out the necessary procedures to address reports of violations submitted by bank employees and stakeholders, in line with the whistleblowing policy for financial institutions issued by SAMA, so that reports are handled objectively and escalated as required, and a corrective action plan is devised.
         
      • Upholding values and professional practices in banking operations.
         
      • Raising awareness among bank employees of the benefits of compliance and of the consequences and risks of non-compliance with the regulations and instructions issued by the relevant regulatory and supervisory authorities.
         
       
      28-The bank must organize its compliance unit such that the priorities for managing non-compliance risks align with its risk management strategy.
       
       
      29-It should be understood that the scope of compliance frameworks and the diversity and complexity of compliance rules and their sources place the responsibility for managing non-compliance risks, verifying the level of compliance, and establishing the necessary controls to ensure compliance, whether at the level of business procedures, technical systems, or data protection, on the shoulders of senior management and all business units (groups and business sectors). This is achieved through conducting the necessary reviews and ensuring effective and continuous implementation. The role of the compliance unit is limited to compiling, communicating, and explaining the regulations and instructions to the business sectors immediately upon receiving them from supervisory and regulatory authorities or other relevant entities, obtaining confirmation from these sectors, ensuring they are included in policies and procedures, conducting continuous monitoring, and periodically identifying, detecting, and assessing non-compliance risks. It also involves reporting violations of compliance systems, rules, and standards, as well as submitting reports on non-compliance risks and violations.
       
       
      30-The compliance principles apply to all commercial banks operating in the Kingdom and their branches and offices in foreign countries where they conduct banking activities, unless they conflict with the regulations and instructions of those countries. They represent the minimum necessary to achieve overall compliance effectiveness and specifically the effectiveness of the compliance unit and function. SAMA expects adherence to higher and more sound practices.
       
       
      31-These principles should be read and applied in conjunction with several related instructions for the unit's operations, including but not limited to the following:

       
    • Principles

      • Responsibilities of the Board of Directors Regarding Compliance.

        • Principle (1): Oversight of Non-Compliance Risk Management

          The responsibility for effective oversight of non-compliance risk management lies with the Board of Directors in local banks and with the CEO/Branch Manager in foreign bank branches. To fulfill this responsibility, the following must be done:
           
           
          32-Approve an effective compliance policy and oversee it, which includes at a minimum:

          1. Establishing a permanent and effective compliance unit and updating its organization from time to time.

          2. Promoting a culture of compliance, and setting out employee responsibilities, the penalties for negligence, and the standards that must be met.

          3. Supporting and promoting values of integrity and honesty throughout the bank.

          4. A comprehensive commitment, across all of the bank's policies, to comply with regulations and instructions.

          5. The necessary requirements for managing non-compliance risk matters.

          6. Supervising the implementation of the policy, including ensuring that compliance-related issues are addressed by senior management quickly and effectively with the help of the compliance unit.

          7. Committing to providing adequate resources to the compliance unit on a continuous basis.

          8. Granting the compliance unit the necessary independence as per Principle (5).

          9. Precisely defining the responsibilities of the compliance unit.

          10. Having the internal audit unit review the activities of the compliance unit and compliance risks periodically.

          11. Continuously overseeing the implementation of the compliance policy and the level of performance achieved, through periodic reports, assessments of the compliance unit's activities, identification of weaknesses, and training and awareness efforts.
           
          33-The board or a committee delegated by it must evaluate the effectiveness of non-compliance risk management in the bank at least once a year.
           
           
          34-Approve updates to the compliance policy from time to time to enhance the effectiveness and efficiency of compliance, in line with instructions from SAMA regarding policy updates.
           
           
          35-Approve the annual compliance report and provide SAMA with a copy. 
      • Responsibilities of Senior Management Regarding Compliance

        • Principle (2) General Principle: Effective Management of Non-Compliance Risks

          The responsibility for effective management of non-compliance risks rests with the senior management of the bank. Principles (3 and 4) outline the key elements of this principle.

        • Principle (3) Preparation, Update, and Approval of Compliance Policy, Responsibility, Sanctions, Monitoring, and Reporting on Non-Compliance Risks

          The senior management of the bank is responsible for preparing, updating, and obtaining board approval for the compliance policy, and ensuring its dissemination. They must also ensure adherence to the policy and report on non-compliance risk management to the board.
           
           
          Responsibility for Preparing, Updating, and Communicating the Compliance Policy
           
          37-The senior management of the bank is responsible for preparing and updating the compliance policy for managing compliance matters, obtaining its approval from the board (in local banks) or the head of the branch (in foreign bank branches), and communicating it to all bank sectors. The policy should include:

          1. The compliance principles that work units and their personnel must adhere to.
             
          2. An explanation of the key procedures for identifying and managing compliance risks at all levels of the bank.
             
          3. Enhancement of clarity and transparency by distinguishing between general standards applicable to all employees and specific standards and procedures that apply only to certain employee groups.
             
           
          Responsibility for Adhering to the Compliance Policy, Taking Corrective Actions, and Applying Sanctions
           
          38-The senior management has the duty to ensure adherence to the compliance policy and to ensure that appropriate corrective and disciplinary actions are taken in case of policy violations.
           
           
          Oversight and Reporting
           
          39-The senior management, with the assistance of the compliance unit, is responsible for:

          • Identifying the principal non-compliance risks facing the bank, developing plans to manage and assess these risks at least annually. These plans should address any deficiencies in the policy, procedures, or implementation related to the effectiveness of the existing non-compliance risk management, as well as determine the need for any additional policies or procedures to address new non-compliance risks identified in the annual non-compliance risk assessment.
             
          • Providing written reports to the board or its delegated committee, highlighting the bank's management of non-compliance risks at least once annually, to support board members in making informed decisions based on accurate information regarding the effectiveness of the bank’s non-compliance risk management.
             
          • Reporting in writing to the board or its delegated committee immediately on any significant failures, deficiencies, or violations relating to compliance (e.g., non-compliance situations that may give rise to significant risks leading to legal or regulatory penalties, severe financial losses, or damage to the bank's reputation).
           
        • Principle (4) Responsibility for Establishing and Developing the Compliance Unit

          The senior management is responsible, under the compliance policy approved by the board, for establishing and developing a permanent and effective compliance unit within the bank, as follows:
           
           
          Establishing, Supporting, and Developing the Compliance Unit
           
          40-As a fundamental requirement of compliance, senior management in local banks, according to the compliance policy approved by the board, must establish, support, and develop an independent, permanent, and effective compliance unit with sufficient powers and responsibilities to oversee compliance. This includes having an independent compliance unit or head of compliance at the senior management level reporting directly to the top executive for foreign bank branches. The role of the compliance unit should be clearly communicated to all employees, encouraging them to consult the unit on compliance matters.
           
           
          Reliance on the Compliance Unit
           
          41-Senior management must take necessary measures to ensure that the bank relies on a permanent and effective compliance unit, which performs its duties in accordance with the "Compliance Unit Principles" mentioned later.
           
           
          Coordination and Integration with Other Business Units
           
          42-Achieving compliance requires senior management to foster a climate of trust and integration between the compliance unit and other business units, and to take the necessary measures and coordination to facilitate this relationship.
           
           
          Appointment of the Head of Compliance and Compliance Unit Staff
           
          43-The selection and nomination of the head of compliance and the staff of the compliance unit are subject to the Requirements for Appointments to Senior Positions issued by SAMA and any other relevant guidelines issued by SAMA. The responsibility for selecting compliance unit staff lies with the head of compliance in accordance with the bank’s internal employment and appointment requirements. 
      • Compliance Unit Principles

        The main principles from Principle (5) to Principle (8) detail the practices, requirements, and proper applications necessary for the compliance unit. However, the methods for implementing these principles depend on various factors such as the size of the bank, the nature and complexity of the bank's activities, its geographic scope, and the regulatory framework and instructions under which it operates.

        • Principle (5) Independence

          44-The compliance unit in the bank must be independent.
           
           
          Concept of Independence for the Compliance Unit
           
          45-The concept of independence in this principle refers to "the independence of the compliance unit from external interference by other operational units in performing its compliance duties or influencing them." This does not mean that the compliance unit should not work closely with other business units to facilitate compliance; rather, the working relationship between the compliance unit and other units should be cooperative, supporting the early identification and management of non-compliance risks. The various elements outlined below should serve as preventive measures to help ensure the effectiveness of the compliance unit. Regardless of the close working relationship between the compliance unit and other units, the method of implementing these preventive measures depends to some extent on the specific responsibilities of each compliance unit employee.
           
           
          Elements of the Concept of Independence
           
          46-The concept of independence includes four interrelated elements that must be applied as follows:

          1. Element One: The Compliance Unit must have an official status in the bank.
             
          2. Element Two: In local banks, the compliance unit should be headed by an executive at the first managerial level. In branches of foreign banks, the unit should be led by a senior executive at the first managerial level who reports directly to the head of the branch. This position should carry overall responsibility for coordinating the management of compliance risks within the bank.
             
          3. Element Three: The personnel of the compliance unit, particularly the head of compliance, should not be placed in a position that could lead to potential conflicts of interest between their compliance responsibilities and any other responsibilities associated with their role.
             
          4. Element Four: All personnel within the compliance unit should have the right and authority to access and review all relevant information, records, and files, and to communicate with bank employees as necessary to perform their duties.
             
           
          The Official Organizational Status of the Compliance Unit
           
          47-The Compliance Unit must have an official status within the bank that grants it appropriate recognition, authority, and independence. This should be outlined in the bank's compliance policy or in an official document related to the policy. All bank employees should be informed of the document specifying this status.
           
           
          Key Items of the Compliance Unit's Organizational Document
           
          48-The organizational document for the Compliance Unit, related to the compliance policy, must include at a minimum the following requirements:

          1. The role and responsibilities of the Compliance Unit.
             
          2. The procedures necessary to ensure the independence of the Compliance Unit.
             
          3. The relationship of the Compliance Unit with the other risk units within the bank, and with the internal audit unit.
             
          4. The method for distributing compliance responsibilities in the exceptional cases where, for technical or specialized reasons, or where the link to non-compliance risk is not significant, certain compliance responsibilities are assigned to employees of other operational units (such as human resources, administrative affairs, or branches), under specific procedures setting out the role and authority of those units and their designated officials.
             
          5. The right of the Compliance Unit to access the information, records, and data necessary to perform its responsibilities, and the obligation of bank employees to cooperate in providing them.
             
          6. The right of the Compliance Unit to investigate potential policy violations or shortcomings in the implementation of the compliance policy, either itself or through delegated external experts, and its authority to appoint or request external experts where needed.
             
          7. The right of the Compliance Unit to report investigation results freely to senior management and, when necessary, to the board or its authorized committee.
             
          8. The official obligations of the Compliance Unit regarding reporting to senior management.
             
          9. The right of the Compliance Unit to direct access to the board or its authorized committee.
           
          Chief Compliance Officer

          Job Level
           
          49-Every local bank must appoint a Chief Compliance Officer, and every branch of a foreign bank must appoint a high-ranking officer at the first managerial level who reports directly to the branch's chief officer. This role includes the overall responsibility of coordinating the identification of non-compliance risks at the bank, advising on their management, and supervising the activities of compliance officers and staff within the compliance unit.
           
           
          Job Affiliation
           
          50-The Chief Compliance Officer, at the first managerial level, should report directly, and only, to the chief executive in the senior management of the local bank (Managing Director/CEO/General Manager) or, in foreign bank branches, to the chief officer of the branch (whatever the highest job title in the branch). The Chief Compliance Officer should not hold any direct or indirect responsibilities related to banking activities. They must have the authority to report and notify the board or its delegated committee of any significant weaknesses, deficiencies, or violations without fear of negative repercussions from management, other business units, or bank employees, and no action may be taken against them for such reporting.
           
           
          Notification of Appointment and Changes to the Board
           
          51-For local banks, the board members must be notified when there is an appointment or change (resignation, transfer to another role, retirement, termination of service, etc.) of the Chief Compliance Officer, including documentation and reasons for the change.
           
           
          SAMA's Non-Objection to Appointments and Changes
           
          52-The bank must obtain a non-objection letter from SAMA for the appointment of the Chief Compliance Officer, in accordance with the Requirements for Appointments to Senior Positions. SAMA's non-objection is also required if the Chief Compliance Officer leaves the position (resignation, transfer to another role, termination of service, etc.), with documentation and reasons for the change.
           
           
          Notifying Regulatory Authorities in the Host Countries
           
          53-For banks licensed to conduct international banking activities and having compliance officers in those countries, the regulatory authority of the host country must be notified of the appointment or departure of the Chief Compliance Officer where the host country's regulations require such notification.
           
           
          The Affiliation of the Compliance Officers and Staff with the Chief Compliance Officer
          54-All staff in the compliance unit must report directly to the Chief Compliance Officer, ensuring that the unit can fulfill all responsibilities independently of other business units within the bank. Compliance officers assigned to compliance tasks in other business units should have a functional reporting relationship to those units but must also have a reporting line to the Chief Compliance Officer concerning their compliance responsibilities and reports. To avoid dual hierarchy, the compliance officers' reporting path to the Chief Compliance Officer regarding non-compliance risks should be the controlling and mandatory line.
           
           
          Periodic Meetings
           
55-The Chief Compliance Officer should have the authority to hold regular meetings with senior management and heads of different business units to discuss compliance with regulations and instructions relevant to the operations and activities of each group, department, or sector. These meetings should be officially documented. It is preferable that senior management and heads of business units attend these meetings personally rather than sending representatives, as their active participation demonstrates:

          • Leadership by example.
             
          • Understanding of their responsibilities regarding compliance.
             
          • Continuous reinforcement of compliance.
             
          • Support for the compliance process.
             
           
          Delegation of Responsibilities by the Chief Compliance Officer
           
56-The Chief Compliance Officer may delegate some of their authority to certain employees within the bank for performing tasks related to compliance, such as those in the Treasury Unit or the bank's overseas branches and offices. Any employee delegated these tasks will act as an assistant to the Chief Compliance Officer and will be under their authority concerning non-compliance risks while maintaining full independence in other banking tasks. The size of the bank and its operational capacity should be considered. Any delegation by the Chief Compliance Officer does not exempt them from responsibility; they remain accountable for all compliance-related tasks to the relevant parties.
           
           
          Conflict of Interest
           
57-To ensure the independence and professionalism of the Chief Compliance Officer and the Compliance Unit staff, they should only hold responsibilities related to the Compliance Unit. Compliance officers in other business units who are assigned compliance oversight tasks within those units—if present—must avoid conflicts of interest and disclose any situations that may result in a conflict of interest.
           
           
58-To ensure the independence of the Chief Compliance Officer and compliance unit staff is not undermined, their financial rewards must not be tied to the financial performance of the business activity for which they are executing compliance responsibilities. However, financial rewards may be linked to the overall financial performance of the bank. In all cases, the final approval of the rewards for the Chief Compliance Officer and compliance unit staff must come from the Board of Directors or a committee derived from it.
           
           
          Direct Access to Information and Employees
           
59-To effectively manage compliance responsibilities as outlined in the compliance documentation and at all administrative levels within the bank where non-compliance risks may exist, the Compliance Unit must have the following principal rights and capabilities, without waiting for orders or instructions:

          1. The right to communicate with any employee and access any necessary information, records, and files needed to fulfill its responsibilities.
             
          2. The ability to carry out its responsibilities independently across all business units where non-compliance risks are present, including the right to investigate any potential violations of compliance policies and to seek assistance from internal specialists (e.g., legal affairs or internal audit) or engage external experts if necessary.
             
          3. The freedom to report any potential violations or transgressions uncovered during its investigations to senior management, without fear of retaliation or dissatisfaction from business units or other employees.
             
          4. Although the Compliance Unit should report administratively to the CEO/Managing Director/General Manager, it must also have the right to communicate directly with the board or its delegated committee, bypassing usual administrative reporting lines if necessary.
             
          5. The Chief Compliance Officer should meet with the board or its delegated committee at least once a year to help assess the board's evaluation of the bank's ability to manage non-compliance risks effectively.
             
          6. The Chief Compliance Officer must promptly and directly notify SAMA/General Directorate of Bank Supervision upon identifying strong indicators of significant or serious compliance failures or violations that impact the reputation of the banking sector and must ensure that SAMA is informed.
           

           

           

        • Principle (6): Resources

          The bank must provide the Compliance Unit with the necessary resources to perform its responsibilities effectively. 

          Resources and Effectiveness in Achieving Tasks

          60-The resources provided to the Compliance Unit must be both sufficient and appropriate to ensure effective coordination of non-compliance risk management within the bank.
           
           
          Adequacy and Appropriateness of Resources
           
61-The Compliance Unit should have staff with the necessary qualifications, experience, and personal and professional attributes required to carry out its defined duties. Compliance Unit staff must also have a sound understanding of regulations and instructions and their actual impact on the bank's operations. Additionally, the professional skills of the Compliance Unit staff should be maintained and developed, especially in keeping up with developments in regulations, instructions, and technology, through ongoing and regular education and training.
           
          Responsibility for Providing Resources and Its Impact
           
62-The responsibility for providing the necessary financial, human, and technical resources and directing them towards the compliance process lies with the board according to the approved policy and with senior management during the implementation and management of non-compliance risks and their development. It should be noted that increased compliance costs (e.g., development plans) can lead to enhanced effectiveness in identifying, measuring, monitoring, and controlling risks, thereby resulting in higher profits, better coordination of activities, and improved quality. Therefore, a periodic assessment should be conducted to ensure the adequacy of human and technical resources and determine whether additional support or development is needed to ensure the effective and efficient management of the compliance process.
           
        • Principle (7) Responsibilities of the Compliance Unit

          Assisting Senior Management in Compliance Implementation

          63-The responsibility for compliance and managing non-compliance risks at the bank lies with senior management. The role of the Compliance Unit is to assist senior management in effectively managing and addressing non-compliance risks (through advising, monitoring, and oversight). The Chief Compliance Officer supervises the implementation of compliance duties, which include executing the compliance program with its objectives and projects, and other approved tasks required for the effectiveness and role of compliance, aligned with the bank's risk strategy. If some of these responsibilities are carried out by employees in different business units (compliance officers), the distribution of these responsibilities must be clearly defined.
           
           
          64-The responsibility for addressing and correcting any deficiencies or violations identified by the Compliance Unit rests with senior management and the heads of business units where deficiencies or violations have been observed. The Compliance Unit's role is limited to providing advice and follow-up with the heads of business units and reporting any shortcomings in addressing and correcting issues.
           
           
          Communicating Regulations and Instructions and Monitoring Compliance
           
65-The Compliance Unit must ensure that senior management and various business units are appropriately and timely informed of regulations issued and instructions received from SAMA and other relevant official internal and external entities (such as countries and organizations related to banking regulation). These must be stored in a database and maintained continuously and accessibly, ensuring that policies, procedures, products, services, and advertising models comply with the relevant regulations and instructions. It is essential to understand the communicated instructions and seek clarifications from the Compliance Unit or SAMA if needed. The bank will not be exempt from regulatory penalties due to incorrect application of instructions.
           
          66-All business units within the bank must obtain the Compliance Unit's approval before submitting requests for SAMA's approval for new products and services. The request for approval or non-objection from SAMA should be submitted to SAMA only by the Chief Compliance Officer.
           
          67-The Compliance Unit must be involved in the decision-making process when assigning tasks to third parties to ensure there is no conflict with any instructions issued from SAMA or other relevant authorities.
           
          Organizing Responsibilities
           
68-Not all compliance responsibilities are executed solely by the Compliance Unit. Some compliance tasks can be carried out by employees in various bank units and its foreign branches (compliance officers), with the Chief Compliance Officer overseeing their work through an organization approved by the board or a delegated committee.
           
69-Banks' organizational structures include specialized supervisory units requiring specialized expertise, such as credit risk monitoring units, information security units, and finance units. These specialized supervisory units are responsible for implementing compliance requirements related to their specialized tasks (e.g., taxation, zakat, credit risk, market risk, operational risk, information security, etc.). The Compliance Unit's role concerning these specialized units is to obtain the necessary assurances, documents, and evidence that they fulfill their compliance responsibilities and required role, unless specialized expertise and competencies are assigned to the Compliance Unit to implement the compliance requirements related to the activities and tasks of those units. These responsibilities must be documented in the compliance policy to prevent any overlap that may arise from the similarity of supervisory roles between those units and the Compliance Unit.
           
          70-To ensure that the Chief Compliance Officer and the Compliance Unit staff can perform their responsibilities effectively, the Compliance Unit must have the right to request the bank's legal department to:
           
           
          • Provide advice on regulations and the drafting of instructions for the Compliance Unit, and to prepare necessary guidelines for employees. The Compliance Unit will focus on monitoring compliance, instructions, policies, and procedures, and prepare and submit reports to senior management.
           
          • Investigate deficiencies and violations related to the implementation of relevant regulations and instructions concerning the tasks and operations of all units within the Compliance Unit.
           
          • Provide legal opinions on the results of investigations conducted by the Compliance Unit from time to time.

Consultation
           
          71-The Compliance Unit must provide advice to senior management regarding compliance regulations, rules, and standards, including updates on local and international developments in this area. This advisory role involves close collaboration between the Compliance Unit staff and the bank’s business units, offering support and guidance on their daily operations. The Compliance Unit is responsible for advising on compliance matters and serving as the point of contact for any compliance-related inquiries from its staff.
           
          Guidance and Awareness
           
          72-Training and educating all bank staff on relevant regulations and instructions pertaining to their individual responsibilities is a fundamental aspect of senior management's efforts to instill a compliance culture and encourage reporting of any violations to the Compliance Unit. Therefore, the Compliance Unit must continuously and proactively assist senior management in:
           
           
          • Raising employee awareness about compliance issues and potential violations, recognizing that they are the first line of defense, and serving as an internal contact point for compliance-related questions from bank employees.
           
          • Developing written guidance for employees that addresses the appropriate application of relevant regulations, compliance rules, and standards through policies and procedures. This includes preparing other guidance documents such as compliance manuals, internal codes of conduct, and practical guides.
           
          • Ensuring that the annual training and awareness program for all employees includes a plan that meets the bank’s ongoing needs and can be promptly adjusted in response to new issues, observations, significant changes, or updates in regulations, or high employee turnover. Training should be provided through available methods within or outside the bank, particularly for new employees, to familiarize them with compliance requirements related to their banking operations before starting their duties, and for those who interact directly with the public, to periodically remind them of requirements such as sales and marketing instructions, anti-money laundering and counter-terrorism financing, due diligence, reporting suspicious transactions, and internal violations.

Identifying, Measuring, and Evaluating Non-Compliance Risks

Identifying Risks

73-The Compliance Unit should proactively identify, document, and assess non-compliance risks related to the bank's activities (regulatory, financial, reputational, or strategic risks), including new product developments, business practices, new types of business or customer relationships, or significant changes in the nature of these relationships. If the bank has a New Products Committee, representatives from the Compliance Unit should participate in this committee.
           
          Measuring Risks
           
          74-The Compliance Unit should study methods for measuring non-compliance risks both quantitatively and qualitatively (e.g., performance indicators related to compliance) and use these metrics to support the assessment, reduction, and management of non-compliance risks. Techniques such as aggregating or filtering data to identify potential non-compliance risk indicators (e.g., increasing customer complaints, fraud cases, reports, penalties, and payments) can be employed.
           
          Evaluating Risks
           
          75-The Compliance Unit should evaluate the adequacy of the bank's compliance policy and procedures, promptly address any identified deficiencies, and propose amendments when necessary, based on technical capability. It should also encourage and monitor the relevant departments to make necessary adjustments and corrections.
           
          Monitoring, Testing, and Reporting
           
76-The Compliance Unit must continuously monitor and test compliance through adequate and representative tests. The results of compliance tests should be reported according to their administrative hierarchy and in accordance with the bank's internal risk management procedures.
           
77-The Chief Compliance Officer must submit regular written reports to senior management addressing compliance issues. These reports should include an assessment of non-compliance risks during the reporting period, note any changes in the level of non-compliance risk based on relevant metrics (e.g., performance indicators), and provide a summary of any identified violations and deficiencies, proposed corrective actions, and required correction dates, along with details of actions already taken. The reporting format should align with the bank's non-compliance risk profile and activities.
           
          High-Risk Cases and Urgent Developments
           
78-The board or its delegated committee overseeing compliance policy implementation should be informed immediately of any significant compliance failures or deficiencies that could lead to substantial regulatory penalties, legal actions, financial losses, or damage to reputation. If the impact is deemed significant to the banking sector's reputation, SAMA and the general administration for bank supervision should be notified directly and immediately.
           
          Annual Compliance Report
           
          79-An annual compliance report should be prepared by senior management and presented to the board, covering at a minimum the requirements set forth by SAMA from time to time.
           
          80-SAMA should receive the board-approved version of the annual compliance report by the end of April each year, sent by the Chairman of the Board of the local bank or the Chief of the foreign bank branch, as part of the bank’s self-assessment of its compliance.
           
          Regulatory Responsibilities and Communication
           
81-As a regulatory basis, the Compliance Unit must undertake responsibilities and tasks directly and indirectly related to non-compliance risks, including: (1) compliance oversight (monitoring, relationship with SAMA, consultations), (2) anti-money laundering and counter-terrorism financing, (3) anti-fraud measures, (4) anti-corruption, (5) self-supervision, and (6) handling violation reports, and to take on the responsibility of developing the appropriate mechanisms and coordination for how to effectively meet the requirements of implementing the communicated security procedures within the institution.
           
          82-The Compliance Unit is responsible for monitoring external regulatory bodies, standard-setting entities, and external experts concerning its regulatory responsibilities, particularly in anti-money laundering, counter-terrorism financing, and non-proliferation.
           
          Compliance Program
           
83-The Compliance Unit should implement its responsibilities under a compliance program that outlines its planned activities, such as applying and reviewing specific policies and procedures, assessing non-compliance risks, conducting compliance tests, and raising employee awareness on compliance issues. The compliance program should be risk-based and overseen by the Chief Compliance Officer to ensure it adequately covers all activities and coordinates between the compliance units (monitoring compliance with regulations, anti-money laundering and counter-terrorism financing, anti-fraud, anti-corruption, and handling violation reports).
           
          Compliance Unit Database
           
          84-The Compliance Unit should establish and continuously update a database of all compliance regulations, rules, and standards, ensuring that all bank employees can access and benefit from it at all times.
           
          Documentation
           
          85-The Compliance Unit must document policies, procedures, plans, events, and work papers to fulfill its duties and responsibilities.
           
          Warning Signs (Red Flags)
           
          86-The compliance program must include a principle for warning signs to alert about violations of internal and external regulations and situations exposing the bank to non-compliance risks, such as rapid bank growth, opening new branches, high employee turnover, changes in programs, and the introduction of automated systems in workflows. This principle should also protect whistleblowers and include incentives in accordance with SAMA’s whistleblowing policy.

           

        • Principle (8): Relationship Between the Compliance Unit and the Internal Audit Unit

          Internal Audit Activities

          87-The activities and scope of the Compliance Unit should be subject to periodic review by the Internal Audit Unit.
           
           
          Independence of Both Units
           
88-The Compliance Unit and the Internal Audit Unit should be separate and independent within the bank. One of the primary responsibilities of the Compliance Unit is to monitor the bank's adherence to compliance rules. The Internal Audit Unit has a broader scope of responsibilities. Although there may be some overlap between the responsibilities of the two units in certain areas, each unit operates independently and any overlap should not impact the functioning of either unit.
           
          Review of Compliance Unit Activities
           
89-To assess the efficiency and effectiveness of the Compliance Unit, non-compliance risks should be included in the risk assessment methodology adopted by the Internal Audit Unit. A periodic review program of the Compliance Unit's activities should be established, including testing controls that align with the level of potential risks, in accordance with the requirements of these principles.
           
          Integration in Risk Assessment
           
90-It is important to have a clear understanding within the bank regarding how the activities of risk assessment and testing are divided between the two units, and this should be documented in the bank's compliance policy. The Internal Audit Unit should inform the head of the Compliance Unit of the audit results related to compliance within the bank.
           
          Monitoring the Compliance of the Internal Audit Unit
           
          91-The Compliance Unit plays a crucial role in monitoring the compliance process within the bank, which includes overseeing that the Internal Audit Unit carries out the tasks, responsibilities, and activities as required by SAMA in the specified manner and timeframe.
           
          Oversight from a Specific Perspective
           
92-For further clarification regarding the role of both the Compliance Unit and the Internal Audit Unit as two independent entities, both the Compliance Unit and the Internal Audit Unit are responsible for overseeing the bank's activities, but each has its own perspective on oversight. The Compliance Unit focuses on identifying and clarifying the regulations, instructions, policies, and procedures that need to be implemented in the bank, ensuring that these are incorporated into the approved policies, procedures, and work programs, and continuously verifying that these policies and procedures are actually followed and effective in mitigating non-compliance risks, with regular updates. The role of the Internal Audit Unit involves conducting field and documentation audits on all bank units through sampling or comprehensive coverage, continually monitoring the internal control systems of the bank, and assessing compliance with the policies and procedures that the Compliance Unit has worked to implement and assist in preparing, based on regulations, instructions, and guidelines.

           

      • Other Matters

        • Principle (9) Matters Related to External Operations

          Compliance with Regulations and Instructions in the Host Country

          93-Banks that choose to conduct banking activities in certain countries must adhere to the regulations, instructions, and laws applicable in those countries. The branches or offices, as well as the structure and responsibilities of the compliance function, must be aligned with the regulatory requirements and local instructions of those countries.
           
           
          Higher Standards as a Basis When Regulatory Requirements Differ
           
94-When engaging in banking operations in specific countries, whether through branches or subsidiaries, it is important to recognize that regulatory requirements and instructions may vary from one country to another. These differences might depend on the type of business the bank is conducting or the form of its presence in those countries. Therefore, particular emphasis should be placed on the requirements outlined in Paragraph (2/6) of Section Two of the Anti-Money Laundering and Counter-Terrorism Financing Guide.
           
          Compliance Officers in Host Countries
           
95-Banks that choose to operate in specific countries must comply with all local regulations and instructions applicable in those countries. For example, banks operating as subsidiaries must meet the regulatory and instructional requirements for companies in the host countries. Banks operating as foreign branches must fulfill the requirements specified for foreign bank branches. The bank must ensure that compliance responsibilities in host countries are carried out by employees with local knowledge and expertise, in addition to oversight by the Chief Compliance Officer in collaboration with other risk and control units in the home country.
           
          Risk Assessment for Overseas Activities
           
96-Each bank must have implemented and updated procedures to identify and assess potential or increasing risks to its reputation regarding the products and activities offered in host countries through its subsidiaries or branches that are not permitted or practiced in the Kingdom.

        • Principle (10) Delegation of Compliance Unit Tasks

          Limited Delegation Agreement and Responsibility

97-The activity of the compliance unit is considered a primary function in managing non-compliance risks within the bank. While some specific activities may be delegated to specialized entities, they must remain under the supervision and responsibility of the Chief Compliance Officer. The Chief Compliance Officer is ultimately responsible for ensuring compliance and cannot delegate their responsibility to others.
           
           
          Suitability of Agreements with Tasks
           
          98-The bank must ensure that any agreements or arrangements for delegating some compliance tasks do not impede the effectiveness of supervision by SAMA or other regulatory and supervisory bodies. Regardless of delegating certain tasks that the bank deems necessary, the primary responsibility for ensuring compliance with all regulations and instructions remains with the board and senior management.
           
          SAMA Approval
           
99-The delegation of any compliance activities is subject to the instructions issued by SAMA, including obtaining its non-objection prior to entering into any delegation agreements.