Instructions on Documentation and Record Keeping

No: 391000045986 Date(g): 8/1/2018 | Date(h): 21/4/1439 Status: In-Force

Translated Document

Further to SAMA Circular No. (381000092226) dated 02/09/1438H and No. (371000093889) dated 24/08/1437H regarding the retention of records and paper documents for at least ten years, records and documents must thereafter be stored electronically through secure and highly reliable preservation methods.

Attached are the instructions for electronically preserving records and documents, for your information and action accordingly; feedback on the measures taken is to be provided within a maximum period of six months from this date.

 

Instructions on Documentation and Record Keeping

SAMA has issued these instructions based on the Royal Order No. (32749) dated 16/07/1438H, and in accordance with the powers granted to SAMA by the Saudi Arabian Monetary Authority Law issued by Royal Decree No. (23) dated 23/05/1377H and by the Banking Control Law issued by Royal Decree No. (M/5) dated 22/02/1386H. These instructions represent the minimum procedures that banks operating in the Kingdom must adhere to in electronic documentation and record keeping after ten years of paper storage.

Banks operating in the Kingdom must adhere to the following instructions:

First: Establish internal policies and regulations to organize the processes for electronically preserving records and documents, including at least the following:

  1. Procedures for creation, documentation and record keeping through electronic systems (preparing documents, imaging, data entry, uploading records to the system, retrieving records from the system).
     
  2. Indexing and classifying records and documents (operations, subjects, document types, confidentiality levels, keywords, source, etc.).
     
  3. Access permissions for electronic systems and the mechanisms for granting them.
     
  4. Clear and documented standards to ensure the integrity and quality of documentation and record keeping.
     
  5. Information security policy and backup policy that includes the use of digital certificates and conducting electronic encryption processes, ensuring no unauthorized access or inspection, while providing maximum protection and recovery capability in case of disasters.

Second: Consider the following as a minimum for electronic documentation and record keeping:

  1. Keep the record or document in the form it was created, sent, or delivered without any addition, deletion, or modification.
     
  2. Ensure the electronic record or document remains preserved in a clear and sound manner, allowing for later use and reference.
     
  3. The electronic record or document must be kept alongside information enabling the identification of the creator and recipient, along with the date and time of sending and receiving, according to both the Hijri and Gregorian calendars, specifying the time down to the hour, minute, and second, without allowing modifications to this data.
     
  4. All operations performed on electronic records and documents must be recorded and kept without allowing modifications to this data.

Third: Access to and handling of electronic records, documents, and data is prohibited for unauthorized employees.

Fourth: Employees authorized to access electronic records, documents, and data must maintain their confidentiality during their work or after leaving the job.

Fifth: At least two levels of permissions must be specified when dealing with electronic records, documents, and data in any procedure, where, for example, there is a permission for action and a permission for approval of the action.

Sixth: The bank must authenticate copies of electronic records and documents that have been stored for more than ten years when requested by SAMA, certifying that they match the original, with the bank's stamp and signatures of authorized individuals (e.g., Compliance Department Manager, Legal Department Manager), ensuring the clarity and integrity of the provided copies.

Seventh: There should be periodic reviews by the Internal Audit and Compliance Departments on an annual basis to verify the integrity and completeness of retention and compliance with the provisions of these instructions and the internal policies of the bank mentioned above.