
G. Confidentiality and Disclosure Mechanisms

No: 72203/67 Date(g): 5/8/2019 | Date(h): 4/12/1440

Effective from 2019-08-05 - Aug 04 2019

Information is an important asset to the businesses of the Financial Institution and information protection is an important factor for its success and continuity. In addition, all information related to the Financial Institution's Stakeholders or Staff shall be the property of the institution. The Financial Institution shall prepare a set of controls and procedures for the destruction of unused or damaged documents and devices.

The Financial Institution shall classify information in terms of confidentiality as follows:

1. Classification of Financial Institution Information

a. General Information:
General information available to the public for free through the institution's authorized channels.

b. Insider Information:
Information not disclosed to any person outside the institution.

c. Confidential Information:
All non-public information related to the Financial Institution, staff or Stakeholders. Financial Institution Staff, with access to such information, shall protect and only disclose the information to other staff members as necessary. Unauthorized disclosure of confidential information may result in legal ramifications, such as lawsuits, legal penalties or damage to reputation. Examples of confidential information include: private information, Financial Institution strategies, competitively sensitive information, trade secrets, specifications, stakeholder lists or research data. Unauthorized persons shall not have access to such information.
 
  
d. Highly Confidential Information:
Information entrusted to some employees that could significantly affect the Financial Institution, staff or Stakeholders if disclosed without permission. Such information should be made available to the staff only as required by the Financial Institution's work. The Financial Institution Staff shall comply with the information security policy, especially the part that addresses dealing with different types of information. Highly confidential information shall only be available to authorized employees.
 
  

2. Classification of Confidentiality

a. Confidentiality of Stakeholder Information:
It shall be the duty and responsibility of the Financial Institution to protect the confidentiality of stakeholder information. The staff shall be entrusted with important stakeholder information, which is also important for maintaining the Financial Institution's ability to provide quality products and services. Such information includes personal data and information on products, services, accounts, balances, transactions, mergers or acquisitions, status of securities, pending requests or plans prepared to increase capital. Stakeholder information protection shall be the sole and collective responsibility of the Financial Institution Staff. Information shall be handled with the utmost confidentiality in accordance with the highest standards applied. The obligation to maintain the confidentiality of information shall continue even after the end of the work/service of the employee. Stakeholder information shall not be shared with anyone who does not have access to it inside or outside the Financial Institution.
 
  
b. Confidentiality of Property Information:
While working at the Financial Institution, staff may provide, develop and/or access information, ideas, innovations, systems, intellectual properties, technologies, policies, procedures, processes, software, hardware, operational processes, profitability results and forecasts, business plans, strategies, programs, staff data, reports, studies, records; stakeholder data, lists and information; trade secrets and other information related to the Financial Institution, its products or services, Stakeholders, potential stakeholders or any other relevant parties that are not publicly available. Such information may be original, copy of the original, electronic, saved, written or any other type.

As a requirement for employment/service, the Financial Institution Staff shall acknowledge or agree that such information is the property of the Financial Institution alone and shall not have any rights or interests with respect thereto. It shall be the duty of the Financial Institution Staff to maintain property information and not use such information outside the limits of the Financial Institution's business. Furthermore, unauthorized use of property information shall be prohibited. Financial Institution Staff shall not record any communications that include property information through the use of electronic devices or personal recording devices, including mobile phone cameras, and such information shall not be used, spread or disclosed to any unauthorized third party while working at the institution or after leaving the job. Financial Institution Staff shall not spread or destroy property information. In case of resignation, Financial Institution Staff shall delete/return property information in their possession, including the information saved on personal devices, such as electronic devices or personal computers.
 

  
c. Confidentiality of Insider Information:
Financial Institution Staff may sometimes be entrusted with material Insider Information. Such Information may be kept, but shall not be misused.

The definition of "material Insider Information" is broad. However, Insider Information is considered "material" if it is highly likely that an adult will consider it important to make investment/business decisions or if the spread of such information will affect the price of the company's securities in the market. Insider Information may also be considered material if it relates to future, potential or expected events, or if it is considered material only when combined with publicly available information. All information shall be considered "Insider" unless disclosed and enough time has passed. Examples of adequate information disclosure include: information submitted to securities markets and regulators (such as Tadawul and CMA) or issued in a press release or through meetings with members of the media and the public. Financial Institution Staff shall not discuss or pass Insider Information on to any other employee unless the exchange of such information serves the purposes of the Financial Institution. Financial Institution Staff shall not trade, directly or indirectly, through granting power of attorney, through arranging a trading deal in which one of the parties has a personal, business or contractual relationship with one of the Financial Institution Staff, or through giving a legal agent or any other person the authority to act on his/her behalf, in the shares or securities of a listed company, and shall not offer recommendations to do so based on Insider Information they have access to by virtue of their work/service in the Financial Institution. Financial Institution Staff shall not make investment or business decisions that are not related to the work of the Financial Institution based on information they have obtained for the Financial Institution. Such an act is a punishable violation.
Therefore, if any member of the Financial Institution believes that he/she has access to Insider Information, he/she shall not trade in securities based on such information, except after consulting the compliance department. In case of carrying out trading activities or owning securities before joining the Financial Institution, the competent department shall be informed.

d. Exchange of Confidential Information on the Basis of Need:

Financial Institution Staff shall not disclose confidential information to other employees, supervisory and control authorities or external lawyers and/or advisors, except after obtaining the required approvals. Disclosure shall be in accordance with the following cases:

  • if the recipient is authorized and has a legitimate need for such information in relation to his/her responsibilities of work/ service according to the relevant instructions.
  • if disclosing such information will not cause damage.


The Financial Institution Staff shall not give any information about the Financial Institution to third parties unless they have the authority to do so. As an exception, some information may be disclosed if disclosure is normal when carrying out the Financial Institution's business, for example, information requested about solvency and/or by a supervisory or regulatory authority, or if disclosure is in the interest of the Financial Institution and its Stakeholders. The following are examples of cases that are subject to the exemption; however, the exception will only be applied after obtaining the approval of the concerned officials at the Financial Institution:

  1. general periodic disclosures requested by regulators.
  2. information requested by competent authorities for investigation purposes.

Regulation and supervision information requests shall be referred to the compliance department. Thus, no employee shall have the right to respond to any enquiry about regulation or supervision or provide such authorities with the requested information except through the compliance department or if he/she is authorized to do so.
 

  

Duties of Financial Institution Staff:

The Financial Institution Staff shall be obliged to protect confidential information. In addition to complying with the detailed requirements stated in the information security policy prepared by the Financial Institution, the staff, as a minimum, shall:

  • adhere to the information security policy and procedures, and the laws and instructions related to confidentiality.
  • not access non-public stakeholder or property information for purposes unrelated to their work, as accessing such information must be within their powers and for work reasons.
  • not try to obtain confidential information that is unrelated to their work.
  • not provide any unauthorized person inside or outside the Financial Institution with confidential information or facilitate his/her access to it.
  • provide authorized persons with information according to the required limits.
  • maintain stakeholder and property information or other confidential information in a way that allows access to authorized persons only.
  • not leave any confidential information in places where it can be accessed, such as shared offices or areas.
  • use envelopes, postal services or emails marked as confidential when exchanging confidential information within the Financial Institution.
  • not copy any document or text that is not related to work before obtaining the approval of the direct line manager.
  • not enter vaults, strongrooms or other restricted areas unless authorized or required by their work.
  • keep on the desk only the documents they are currently working on, and keep the other documents in drawers, preferably in locked places.
  • turn off all devices and lock all drawers before leaving the office.
  • destroy all documents that are no longer needed and contain sensitive or confidential information, and keep other papers and documents in files inside lockers.
  • not disclose any confidential information about the Financial Institution to any person, including the institution employees who are unauthorized to access or do not need such information.
  • take precautionary measures to avoid unauthorized disclosure of confidential information.
  • not discuss any sensitive or confidential information in public places, such as elevators, corridors and public transportation.
  • maintain the confidentiality of the Financial Institution information while working at the institution or after leaving the job, and not share, collect, record or spread such information at any time or for any reason except after obtaining a written approval from the competent department.
  • not access the premises of the Financial Institution outside working hours except after obtaining the approval of the direct line manager and the security and safety department.
  • understand and acknowledge that any intellectual property developed for the Financial Institution or created using its resources is the property of the Financial Institution alone.
  • maintain the confidentiality of the access codes and passwords of strongrooms, IT systems and any other codes or passwords.
  • prevent intentional or unintentional disclosure of confidential information.
  • obtain prior approval from the authorized person to copy or keep any document or text outside the Financial Institution building to conduct work outside the building.

 

The information security department shall be informed when any employee receives confidential information he/she does not need at that time. In addition to the abovementioned duties, the Financial Institution Staff shall be responsible for meeting the following security obligations:

  1. comply with legal, regulatory and other contractual requirements applied in their field of business.
  2. maintain work ID and passwords of the IT systems and change them periodically; understand that they are responsible for any action carried out using their work IDs, and follow information security policies to prevent misuse of work ID.
  3. not tamper with the security and protection of the IT systems.
  4. take the necessary steps to protect the information stored on computers.
  5. comply with the additional security procedures established to prevent unintentional disclosure of confidential information by employees who have laptops, remote access to the systems or permission to use any other portable devices to perform the business of the Financial Institution.