Further to SAMA's instructions regarding SAMA's non-objection to provide personal finance products and issuing credit cards for individuals by utilizing Digital Confirmation services. In line with SAMA's commitment to enabling all customers to easily obtain their banking and financing needs, and enhancing the strategic goals related to digital transformation.

We inform you that SAMA has no objection to provide all financing products through electronic channels to individual bank customers, as well as small and medium enterprises through digital certification services. This is provided that the requirements in the Electronic Transactions Law issued by Royal Decree No. (M/18) dated 08/03/1428 H and the Implementing Regulations are followed, and the bank must assess the risks associated with the service, determine the types of financing covered by this service, and set adequate controls, policies, and precautionary measures. The following minimum requirements must be met:

1. The digital certification service provider must be accredited by the National Digital Certification Center.
2. The provision of digital certification services must not affect the bank's basic procedures for verifying the eligibility and identity of the customer, agent, or authorized signatory.
3. The financing request must be initiated through one of the electronic channels, taking into account the necessary procedural controls and notifying the customer via SMS about the request. Additionally:
   • For individuals: the request must be activated through another channel, for example, the controls for adding and activating beneficiaries as detailed in the Cyber Security Framework
   • For enterprises: consider the necessary procedural controls, including but not limited to: authorizing multiple approvals for financing requests, activating the request from another channel, etc.
4. Ensure that the customer/business owner or authorized representative approves the execution of the request by contacting the customer via a phone call from the call center or customer service.
5. It is the bank's responsibility to verify the information provided by the customer/business before executing the transaction.
6. Approval of the request must be obtained at least 24 hours after submission for individuals and three business days for enterprises.
7. Adequate security standards must be established to protect data and communication with the digital certification service provider, considering the security encryption standards for data as well as data privacy.
8. Maintain copies of documents and all legal matters concerning digital certification.
9. Update agreements and contracts to clarify that this service is conducted electronically using digital certification and that there shall be no objection to its electronic execution.
10. Specify the type of financing and its maximum limit in accordance with the bank's policies and potential risks based on the bank's classification.
11. Periodically evaluate and monitor the precautionary controls and ensure their effectiveness.

These instructions replace SAMA's instructions regarding the SAMA’s non-objection to offering personal financing products and issuing credit cards for individuals through digital certification services.