New Banking Products and Services Regulation
No: 45032226
Date(g): 30/11/2023 | Date(h): 16/5/1445
Status: In-Force
This regulation was issued under circular No. (391000006163), dated 18/01/1439H, corresponding to 08/10/2017G, and updated by Circular No. (45032226), dated 16/05/1445H, corresponding to 30/11/2023G.
Based on the powers granted to SAMA according to the Saudi Central Bank Law issued by Royal Decree No. (M/36) dated 11/04/1442 H and related regulations, and referring to SAMA Circular No. (391000006163) dated 18/01/1439 H regarding SAMA's New Banking Products and Services Guidelines, and in continuation of what SAMA issued in this regard:
Attached is the first update of the above-mentioned guidelines, which seeks to achieve several objectives, most notably promoting sound practices in managing the risks associated with products and services; clarifying the roles and responsibilities of the board of directors and senior management in the governance, development and oversight of banking products and services; improving the mechanism for receiving and processing bank notifications to introduce new banking products and services; clarifying the products and services that require no written objection or notification to SAMA (provided that the requirements in the instructions are met); and creating a unified model for introducing new banking products and services. These instructions will replace the previous instructions.
For your information and action accordingly as of March 1, 2024 G.
1. Introduction
Banks frequently introduce new products and services and/or modify existing products and services in the normal course of business. These new or modified products and services could expose the banks or the financial system as a whole to new risks or could amplify existing risks. Therefore, the risks posed by the introduction and/or modification of products and services must be identified, assessed, monitored and managed appropriately by the banks.
New Banking Products and Services Guidelines were issued by SAMA in 2017; due to changes in the financial system and regulatory framework, SAMA decided to update these guidelines. The key objectives of this regulation are to promote sound risk management practices and/or manage risks associated with banking products and services. The banks must adhere to this regulation as a minimum set of regulatory requirements.
2. Objective
This Regulation sets out SAMA’s requirements with regard to banks’ offering of new products and services, the regulatory requirements for notifying SAMA prior to offering a new product or service, and the required supporting documents to be submitted. In addition, the regulation aims to improve the time-to-market for banks to introduce new products and services, and to promote sound risk management practices in managing and controlling risks associated with banking products and services.
3. Scope of Application
This Regulation shall be applicable to all licensed banks in Saudi Arabia under the Banking Control Law.
4. Definitions
4.1 Product or Service
A product or service is what banks offer to their customers within the scope of banking business as defined in the Banking Control Law.
4.2 New Product or Service
A new product or service is one that a bank offers for the first time in Saudi Arabia notwithstanding the fact that a bank, its parent bank, branches or subsidiaries in a foreign jurisdiction may have offered similar products and services outside of Saudi Arabia, or a variation to an existing product offered by a bank in Saudi Arabia or a combination of a product or service with another existing or new product or service, that results in a material change(1) to the structure, features or risk profile of the existing product or service.
(1) Material changes or modifications may include, for example, significant changes to key terms related to payout, rights and obligations of the counterparties/customers, changes in the nature of assets underlying the product or service, and changes that result in new or additional risk exposure to the bank or the customer.
4.3 Existing Product or Service
An existing product or service is one which a bank had offered, and continues to offer, until the bank decides to discontinue or make material modifications to the product or service.
5. Board of Directors and Senior Management Responsibilities
5.1 Board of Directors (The Board)
5.1.1 The Board has an oversight responsibility (2) to ensure that senior management develop and implement the detailed internal policies and procedures for offering of new products and services.
5.1.2 The Board is responsible for ensuring that product and service risks are well managed, and the needs and rights of consumers are appropriately addressed.
5.1.3 The Board must review whether the offering of products and services by the bank remains consistent with the risk appetite approved by the board and internal policies and procedures for offering of new products and services.
5.1.4 The Board must review and revise the bank’s risk appetite when the offering of products and services by the bank is no longer consistent with the approved risk appetite. Any changes to the risk appetite must be justified and documented with detailed risk assessment, taking into consideration the risk management capabilities and risk bearing capacity of the bank. The Board must also ensure that internal policies and procedures are updated by senior management accordingly following changes in risk appetite.
(2) The management function responsible for overseeing the operations of a Foreign Bank Branch (FBB) is to ensure that policies and procedures for new products and services are consistent with the requirement of this regulation, and effectively implemented in its operations.
5.2 Senior Management
5.2.1 Senior management are responsible for the design, implementation, and compliance of the bank’s new products and services with the Board approved internal policies and procedures for offering of new products and services.
5.2.2 Senior management must ensure that offering of any new or existing products and services must fall within the scope of banking business as defined in the Banking Control Law.
5.2.3 Senior management must ensure that risks arising from new products and services are well understood and aligned to the bank’s risk appetite and tolerance level.
5.2.4 Senior management has to determine whether the change to any product or service is considered to be a material change (3).
5.2.5 Senior management must periodically review the appropriateness of the products and services internal policies and procedures and whether they continue to meet the objectives as set out in this regulation, and must propose to the Board that the policies and procedures be amended if this is no longer the case.
5.2.6 Senior management must identify and mitigate potential negative effects on the bank's reputation either actual or perceived.
5.2.7 Senior management must ensure that there is full operational readiness to support new products and services, including processes, controls and systems infrastructure, and that approvals from other authorities are obtained prior to offering new products and services, where relevant.
(3) Chief Risk Officer (CRO) and Chief Compliance Officer (CCO), in coordination with the product or service developer, are responsible for determining whether the change to any product or service is considered to be a material change.
6. Products and Services Policy Requirements
6.1 General Requirements
Banks are required to have in place internal policies and procedures that set out the oversight and governance arrangements for the offering of new products and services. These internal policies and procedures must at minimum satisfy the following:
6.1.1 To be integrated as part of the bank’s governance, risk management and internal control framework.
6.1.2 Defining the roles and responsibilities of all stakeholders including the Board and all control functions involved in developing and launching new products and services.
6.1.3 Defining parameters for the authority which approves new products and services including the circumstances under which such authority may be delegated.
6.1.4 Defining the requirements to have a pilot or testing phase for new products and services. A bank is required to assess the effect of a product and service on the target market before its commercial launch and make appropriate changes where scenario analysis shows adverse results for the target market.
6.1.5 Consumer protection requirements including the bank’s standards for management of customer suitability and mis-selling risks along with a requirement to conduct annual assessment of all products and services against such established standards.
6.1.6 The internal policies and procedures must be reviewed and updated on a regular basis or when it’s needed, ideally on an annual basis, and at least once every (3) years.
6.1.7 The policies and procedures must be communicated by the bank in a timely manner to all relevant parts and levels within the organization, and the bank must ensure that new product and service offerings are fully integrated throughout the bank’s line functions.
6.2 Considerations
When developing products and services internal policies and procedures, banks must consider the following:
6.2.1 Designing and bringing to the market products and services with features, charges and risks that meet the interests, objectives and characteristics of, and are of benefit to the market segment identified for the products and services. In this regard, a formal customer appropriateness and customer fairness assessment must form part of bank’s processes before approval of new products and services.
6.2.2 The products and services offered to customers are fair and suitable.
6.2.3 Avoid any conflicts of interest, potential for mis-selling, terms and conditions that are inherently unfair to consumers, and business practices that restrict the freedom of choice to consumers.
6.2.4 To be proportionate to the nature, scale, risk, and complexity of a bank’s products and services, and designed to identify and control product risk across the value chain, including at minimum the stages of product development, authorization and governance, price, marketing, sale and distribution.
6.2.5 The gradual commercial launch of any new product and service taking into consideration the market segment, riskiness and complexity of the product and service.
6.2.6 Compliance with all applicable rules and regulations issued by SAMA and all other relevant regulators when developing a new product and service as well as any subsequent updates to the rules and regulations. Examples of such rules and regulations include (but are not limited to):
a. Responsible Lending Principle for Individual Customers (issued in 2018).
b. Financial Consumer Protection Principles and Rules (issued in 2022).
c. Rules for Advertising Products and Services Provided by Financial Institutions (issued in 2023).
d. Debt Collection Regulations and Procedures for Individual Customers (issued in 2018).
e. SAMA Cyber Security Framework (issued in 2017).
f. SAMA Counter-Fraud Framework (issued in 2022).
g. SAMA Business Continuity Management Framework (issued in 2017).
h. Information Technology Governance Framework (issued in 2021).
i. Rules related to touch/face ID, Tahaqaq requirements, digital signature, national and global payment requirements for MADA, Visa, MasterCard, Face recognition.
6.3 Products and Services Risk Assessments
6.3.1 Banks must establish lines of responsibility for managing risks related to new products and services.
6.3.2 Banks must conduct a full risk assessment of new products and services, which forms the basis for deciding whether or not to introduce them to the market, taking into account a review of all the associated risks throughout the life cycle of the products and services.
6.3.3 Banks must have risk management standards for developing and launching any new products and services to the market. These include, inter alia, adequate due diligence and approvals, procedures to identify, measure, monitor, report, and mitigate risks, effective change management processes and technologies, ongoing performance monitoring and review mechanisms.
6.3.4 Banks must have a risk classification process for each product and service that the bank intends to launch. The classification process must result in an overall risk classification for the product or service (for example: high, medium or low risk).
6.3.5 Banks must have risk management, control and monitoring processes in respect of third-party risk management, where the bank’s products and services are offered in partnership with Fintech companies, agents or similar entities.
6.3.6 The risk management function must have internal organizational and operational capacity, i.e. effective controls, monitoring and reporting systems and procedures in place, to monitor and manage the potential risks that the proposed new products and services pose to the bank's own financial health, as well as to the financial well-being of the customers and overall market stability.
6.3.7 The risk management function must document, review and approve risk profile (associated risks) of new products and services before its launch. Risk profile of the new products and services must include at least detailed description of all associated risks i.e. identification, quantification (if possible), assessment, classification and its mitigation plan.
6.3.8 The risk management function must perform a comprehensive fraud risk assessment covering fraudulent events across different channels and an assessment of prevention, detection, and investigation capabilities from a people, process and technology perspective, taking into consideration emerging technologies. The risk assessment must also include an evaluation of all possible scenarios and dynamic fraud techniques, such as social engineering and phishing, that ensures the safety and soundness of the bank against dynamic fraudulent scenarios. In addition, the bank must enforce a defense-in-depth mechanism in its environment to ensure deep protection for customers, such as using a multichannel technique to ensure customer identity and confirmation of the financial service/transaction, for example: registration and activation/approval of services from different channels whenever applicable.
6.3.9 The risk management function must conduct a comprehensive risk assessment covering cyber resilience and data privacy, including evaluating the threats, vulnerabilities and weaknesses that need to be analyzed for potential impact on the bank, leading to an improved cyber posture for member organizations.
6.3.10 The risk management function must assure that its people, systems and processes have the ability to adequately capture and report risks and financial commitments relating to its new products and services in a timely manner.
6.3.11 The risk management function must assure that all material risks posed by the introduction of new products and services or by the modification of existing products and services are identified, assessed, monitored and managed appropriately; and must be regularly reviewed in light of the changing market conditions not previously factored.
6.3.12 The risk management function must assess how new products and services will affect the bank's current and projected financial and capital positions.
6.4 Products and Services Compliance
The compliance function must ensure the following:
6.4.1 Review all new products and services from compliance, regulatory and financial crimes perspective and ensure that they conform to all applicable rules and regulations issued by SAMA and all other relevant regulators.
6.4.2 Products and services offered are compliant with all rules and regulations issued by SAMA and all other relevant authorities at all time.
6.4.3 Identify the risks of non-compliance that might arise from products and services, set plans to manage it, and evaluate these risks at least once annually.
6.4.4 Report to the Board at least once annually the risks of non-compliance and how it would be mitigated.
6.4.5 The compliance function must be the main contact point for liaison for submission of all applications for non-objection to introduce new products and services and to notify SAMA of any products and services in cases where non-objection is not required.
6.5 Products and Services Auditing
The internal audit function must ensure the following:
6.5.1 Timely identification of internal control weaknesses, adherence to regulatory requirements and products and services policies and procedures.
6.5.2 To audit all new products and services in a reasonable time i.e. within one year after launching the product or service depending on the nature, type, complexity, and riskiness of the new products and services.
6.5.3 Report to the Audit Committee the results of the audit process that was conducted on the bank’s products and services at least once annually. In case the risks associated with products and services increase, or the products and services violate any rules and regulations issued by SAMA and all other relevant regulators, internal audit must include them in its yearly audit plan.
6.6 Product Development Function
The product development function (business units) must ensure the following:
6.6.1 They are familiar with products and services policies and procedures and all applicable rules and regulations issued by SAMA and all other relevant regulators.
6.6.2 They are competent and appropriately trained; and thoroughly understand the products and services’ features, characteristics, risks, and ensure that corrective actions are taken to mitigate identified risks related to products and services.
6.7 Products and Services On-going Monitoring and Control
6.7.1 Banks must ensure that the requirement of monitoring products and services on an ongoing basis is in place and implemented, to ensure that the interests, objectives and characteristics of the target market continue to be appropriately taken into account. In addition, the banks must address consumer complaints and rectify them on a timely basis.
6.7.2 If the bank identifies a problem/risk related to products or services in the market, or when monitoring the performance of the products or services as required, the bank must take necessary corrective actions and implement measures to prevent future recurrence. The corrective action plan, which may include suspension or withdrawal of products or services must be approved by the senior management function or other functions within the bank accountable for approval of product and services. Banks must also report to SAMA such incidents including the corrective action plan that have been or will be taken.
6.7.3 In the case of product or service suspension or withdrawal, banks are required to notify SAMA by email via (PSBanking@sama.gov.sa) at least (45) business days before suspending or withdrawing any products or services. The notification must include justifications for the suspension or withdrawal and the plan to deal with beneficiary customers (exiting plan) affected by discontinuation of products or services.
6.7.4 After the introduction of new products or services, SAMA may, at any time, suspend the product or service if any regulatory non-compliance has been identified and/or there is a negative impact on the banking sector or on consumers. SAMA will direct banks to provide corrective actions in such case for approval and implementation.
6.8 Documentations and Reporting Requirement
6.8.1 Banks are required to submit a report to SAMA which includes all products and services. The report must be signed by the Chief Executive Officer, and submitted by the Compliance Function to the Banking Licensing Division via (PSBanking@sama.gov.sa) by 1st March of each year, according to the table provided in (Annexure 5).
6.8.2 Banks must document all actions taken while implementing the internal policies and procedures, preserve these documents for audit purposes and to make them available to SAMA upon request. In addition, the banks must retain all the documents relating to the risk assessment of the new products and services including key risks from both the bank’s and customer’s perspective, together with the systems and processes that are in place to mitigate these risks.
6.8.3 An inventory of bank’s existing products and services containing information such as (but not limited to): name of a product and service, target market, risk classification, developer of the product or service, reviewer of the product, approver of the product, approval date, launch date, last review date, latest changes made including the description and the date of changes.
7. Notification and Non-Objection Requirements
7.1 Notification Requirements
The following requirements apply to banks that satisfy the required maturity level in the Cyber Security Framework, Counter-Fraud Framework, Business Continuity Framework, and Information Technology Governance Framework, which must be independently validated by a qualified and experienced third party on an annual basis.
7.1.1 Banks are required to notify SAMA by email at least (10) business days before launching any new products and services via (PSBanking@sama.gov.sa).
7.1.2 SAMA will acknowledge receipt of the notification within (10) business days of receiving the bank’s request. In case a bank does not receive an acknowledgement of receipt from SAMA within (10) business days of sending the notification, it is the bank’s responsibility to follow up with the Banking Licensing Division via (PSBanking@sama.gov.sa) to confirm whether SAMA has received the notification or not.
7.1.3 Banks will be able to launch new products and services once they receive SAMA’s acknowledgement of receipt of the bank’s notification.
7.1.4 Banks must launch their new products and services within (12) months of receiving the acknowledgment receipt from SAMA, otherwise the bank must submit a new notification.
7.1.5 SAMA has the right to ask banks for further information about products and services regardless of whether the bank has launched the products and services or not.
7.1.6 SAMA may prohibit a bank from introducing or continuing to offer any products or services if SAMA concludes that such product or service will undermine SAMA’s primary objective of maintaining safety and soundness of the financial sector.
7.1.7 Banks must not reintroduce a product or service that has been stopped or discontinued by the bank for more than (12) months without notifying SAMA by following the notification requirements as per clause (7.1.1).
7.2 Non-objection Requirements for Specified Products and Services
7.2.1 Banks are required to seek SAMA’s non-objection for the below products and services prior to launching, as an exception to the notification requirements:
1. Home Loans Products.
2. Financial Lease Products.
3. Financial Derivatives.
4. Products and services that are not covered in existing rules and regulations issued by SAMA.
7.2.2 Banks that do not comply with the required maturity level stated in clause (7.1) must apply for non-objection for all types of products and services.
7.2.3 Banks must launch their new products and services within (12) months of receiving SAMA’s non-objection, otherwise the bank must submit a new application.
7.2.4 Banks must not reoffer a product or service that has been stopped or discontinued for more than (12) months without a new non-objection from SAMA, as per clauses (7.2.1) and (7.2.2) for products or services that require SAMA’s non-objection.
7.3 Offering of Financial Derivatives Products
Banks must ensure the following are satisfied before submitting a non-objection application to SAMA:
7.3.1 Banks seeking to introduce new financial derivatives products for their customers are required to develop and implement internal customer suitability procedures ensuring that these products are only sold to suitable customers.
7.3.2 Customer suitability procedures must be designed to seek sufficient knowledge about the customer to establish that the customer has a practical understanding of the features of the product and the risks to be assumed.
7.3.3 For complex financial derivatives such as structured products, the complexity of the payoff structure can make it difficult for customers to accurately assess the value and risk of the structured product. Banks must clearly demonstrate to the customer the potential profit and loss scenarios for the structured products over the time horizon.
7.3.4 Banks must ensure that customers are fully aware of the risks involved in complex products such as financial derivatives and structured products, that the product meets the customer’s business or investment objectives and risk appetite, and that the customer has prior investment experience and has fully understood and signed off the terms of the contract accordingly.
7.3.5 Banks must not recommend a financial derivative product to a customer unless it is reasonably satisfied that the product is suitable for that particular customer and the nature of the customer’s business. Such a decision must be made based on information sought and obtained from the customer.
7.3.6 Banks seeking to introduce new financial derivative products must demonstrate that the proposed financial derivative instrument has a bona fide economic purpose and does not merely provide means of financial speculation, leverage, or regulatory arbitrage. To meet this test, a bank would have to identify the intended customers for the proposed new financial derivative products and describe (with sufficient specificity) potential uses.
7.3.7 Banks intending to introduce new financial derivatives products must demonstrate that they have the internal organizational and operational capacity to monitor and manage the potential risks that the proposed new products pose to a bank’s own financial health, as well as to the financial well-being of the customers and overall market stability.
7.3.8 Banks must demonstrate that effective control, monitoring & reporting systems, and procedures are in place to ensure on-going operational compliance with a bank’s, the customer’s and the counterparty’s risk appetite. A bank must also have a strong governance process around the valuation of financial derivatives, which includes robust control processes and documented procedures.
7.3.9 Banks intending to introduce new financial derivatives products will have to demonstrate that the proposed products do not pose potentially unacceptable systemic risk. It is the responsibility of the bank to ensure that the suitability of customers for the new financial derivatives product is assessed not only based on a bank’s exposure to an individual customer but also based on the industry’s exposure to the customer. A bank would therefore need to obtain full disclosure from the customers about their financial derivative exposures with other banks and non-banking entities prior to selling new financial derivative products.
7.3.10 Banks must ensure that a new financial derivative, such as a structured product, that the bank seeks to market is not likely to have a negative impact on broader socio-economic policy goals of the country, for example an impact on SAIBOR or SAR.
7.3.11 Financial derivatives involving SAR against a foreign currency are subject to the requirements of a separate SAMA circular that banks must comply with.
7.3.12 Banks are required to ensure new financial derivative products comply with SAMA Rules on Trade Repository Reporting & Risk Mitigation Requirements for Over-the-Counter ("OTC") Derivatives Contracts issued by SAMA (issued in 2019) and any subsequent updates.
7.4 Documentation Requirements
7.4.1 A bank notifying or seeking a non-objection from SAMA for the introduction of a new product or service must fully complete the checklist and provide the supporting documents as stated in (Annexure 1).
7.4.2 SAMA will not process any application that does not meet or fulfill the above-mentioned documentation requirements.
8. Effective Date
This regulation shall be effective by 1st of March 2024. Once effective, this regulation shall supersede the existing SAMA New Banking Products and Services Guidelines issued by circular No. 391000006163 dated 18-01-1439H (08-10-2017G).
9. Annexure
Filling Form Instructions
1. This form is for new banking products and services in accordance with the New Banking Products and Services Regulation (second version / Nov 2023).
2. The form must be fully filled out by the bank.
3. The bank must verify the accuracy of the information filled in this form.
4. The form must not be modified in any way.
5. This form and supporting documents such as contracts, terms and conditions should be sent in two formats (Word-PDF) along with the other requirements as shown in annexure (1) to Banking Licensing Division via (PSBanking@sama.gov.sa)
Bank name:
Product or service name:
Purpose of the application:
☐ Notifying SAMA before launching a new product or service.
☐ Obtaining SAMA's no-objection for launching a new product or service according to clause (7.2.1)
☐ Obtaining SAMA's no-objection for launching a new product or service according to clause (7.2.2).
Is it a material change to an existing product or service? ☐ Yes ☐ No
Provide date of previous Notification/Non-objection: Day/Month/Year
Launching date: Day/Month/Year
New product or service expected launch date: Day/Month/Year
The rules and regulations that were taken into account in developing this product or service:
Product or service type (You can check more than one):
☐ Savings ☐ Personal finance ☐ Credit card ☐ Financial Derivatives ☐ Home finance ☐ Prepaid cards ☐ Financial lease ☐ Corporate finance ☐ Banking services ☐ E-service ☐ Treasury product ☐ Other:
Annexure (1): Checklist
Columns: No.; Document; Attached (Yes, No, Not Applicable)
1. A formal letter signed by the Chief Compliance Officer notifying or requesting SAMA's no-objection to offer new product or service ☐ ☐
2. Application form for new banking products and services (Annexure 2) ☐ ☐
3. Statement of compliance (Annexure 3) ☐ ☐
4. Consumer protection checklist (for retail products and services) signed by the Product or Service Developer and Chief Compliance Officer (Annexure 4) ☐ ☐ ☐
5. Copies of supporting documents e.g. terms and conditions, contracts, process workflow (Images), promotional material and any other related documents ☐ ☐ ☐
6. Contract draft / service level agreement (SLA) / non-disclosure agreement (NDA) if there is a third party in the product and service ☐ ☐ ☐
7. Risk assessment report which describe the product or service all inherent risks from both the bank's and customer's perspective together with the systems and processes that are in place to mitigate these risks. The following risks need to be considered at minimum: ☐ ☐ ☐
- Credit Risk
- Market Risk
- Operational Risk
- Strategic Risk
- AML&CFT Risk
- Legal Risk
- Technology Risk
- Cyber Risk
- Fraud Risk
- Business Continuity Risk
- Data Privacy Risk
- Reputational Risk
8. Necessary Shari’ah Committee Approvals for new Shari’ah Compliant Products or Services. ☐ ☐ ☐
I, the undersigned, acknowledge that all the above-mentioned data and information and attached documents are correct, accurate and complete
Chief Compliance Officer
Date: Day/Month/Year
Signature
Annexure (2): Application Form for New Banking Products or Services
No: 45032226 Date(g): 28/11/2023 | Date(h): 16/5/1445 Status: In-Force A detailed description of the product or service: Product or Service Risk Classification (For example: High, medium, low risk): Did The bank completed the independent evaluation required under clause (7.1) ? ☐Yes ☐No Evaluation date: Day/Month/Year Is the bank complied with the required maturity level in the frameworks mentioned in clause (7.1) ? ☐Yes ☐No Notes: Product or service objectives: Product or service features: Product or service offering journey: Product or service delivery channel(s): ☐ Bank branches ☐ E-Channels ( ☐ Phone Banking, ☐ Mobile Banking, ☐ Bank's Website) ☐ Relationship Mangers ☐ Other: Targeted customers: ☐ Existing bank customers ☐ Non-existing bank customers Targeted segment: ☐ Retail ☐ Small/Medium enterprises ☐ Corporate ☐ Government sector ☐ Non-profit sector ☐ Other: Customer identity verification mechanism: Fees, commissions and any other additional amounts might be incurred by the customer: Product or service launching plan in the local market: Similar products or services offered in the local market (if any): The potential impact on the bank's liquidity ratios (SAMA Liquidity Ratio, CAR, LCR & NSFR) and any other regulatory indicators: Technological requirements, details and the integration method with third parties and other technological systems, including but not limited to Robot, Cloud, Biometrics: System classification by the entity, whether it is a main or secondary system: In case of storing data, clarify the location of the data storage, the storage method and the type of data shall be clarified in detail, with reasons and justifications: In case of contracting with third parties, the details of the third parties shall be provided, including the name, location, duties, responsibilities, and any relevant information. 
Third-party remote access method (if applicable):
In case of contracting with third parties, what type of data will be shared, and what measures will be taken to maintain information privacy and security:
Has the verification method been clarified for the product/service, e.g. two-factor authentication (2FA) using the password and the one-time password (OTP):
Has the product/service been added to fraud monitoring systems with the ability to directly add and modify scenarios:
Do third parties comply with the cloud computing cybersecurity controls (in the case of using cloud computing technology):
In case of technological integration, explain the integration method in detail:
The internal bank function responsible for monitoring the product or service:
The method of cancelling the product or service by the customer and cancellation fees (if applicable):
Information/correspondence with SAMA regarding the above product or service (if any):
Additional information:
Product or service developer name and contact information (email, mobile phone, landline):

Annexure (3): Statement of Compliance
Product/Service name:

We, the undersigned, acknowledge that the aforementioned product or service has been fully reviewed and does not violate any laws, instructions or professional practices. We also acknowledge that submitting this application (notification or non-objection) to SAMA does not burden it with any responsibility whatsoever and does not indicate that SAMA guarantees the product or service soundness. In addition, we acknowledge that we bear all the risks that may result from launching the product or service. Furthermore, we confirm that failure to comply with this acknowledgment entitles the authorities to take all measures, including inflicting penalties, holding violators accountable, withdrawing the product or service from the market, committing to correcting any adverse results, and compensating customers for any losses that may occur due to default or negligence on the bank's part.

Signatories:
Product or Service Developer
Head of Customer Care
Head of Legal Affairs
Head of Data Privacy
Head of Financial Fraud
Head of Business Continuity
Head of Information Security
Head of Information Technology
Chief Risk Officer
Head of Anti-Money Laundering and Counter-Terrorist Financing
Chief Compliance Officer

Annexure (4): Consumer Protection Checklist
Before or upon concluding a product/service agreement with the customer:

No. Requirements Cases (Yes / No / Not Applicable)
1 Has the bank done a complete study on the product or service suitability to customer needs? ☐ ☐ ☐
2 Were the expected risks to customers from the product or service identified when advertising, and disclosed in the initial disclosure form (before signing the contract)? ☐ ☐ ☐
3 The bank must disclose the discounts and their conditions to customers - if available - and include them in the initial disclosure form (before signing the contract) ☐ ☐ ☐
4 Ensuring that customer service staff and/or marketers are clearly familiar with the product or service provided helps customers make a decision before entering into a contract ☐ ☐ ☐
5 The bank must study the customer's financial solvency before granting the product/service and keep it in the customer's file in a way that enables it to:
1. The customer's ability to fulfill the due payments without delay.
2. The customer's understanding of the characteristics of the product or service.
3. The product or service meets the customer's need.
4. The customer's ability to bear the risks of the product or service.
☐ ☐ ☐
6 The bank must disclose the product/service provider in the initial disclosure form if the product or service provider is a third party ☐ ☐ ☐
7 Advertising the product or service to customers is appropriate, does not use a seductive or misleading method of marketing, and uses language that is easy to understand and in clear writing, including margins ☐ ☐ ☐
8 Are the terms and conditions explained in clear language, including fees, and are they fair to customers? A summary of this is provided in the initial disclosure statement, and this is explained to the customer before signing the contract ☐ ☐ ☐
9 The potential fines and penalties that the customer will bear if the product or service is used on other than the agreed terms must be explained ☐ ☐ ☐

After concluding the product or service agreement with the customer:

1 The product or service must be compatible with SAMA Care's main or sub-classifications of complaints ☐ ☐ ☐
2 Clarifying the mechanism for submitting a complaint and the contact information with the bank in the product or service contract ☐ ☐ ☐
3 Providing beneficiaries with a free statement of account (paper or electronic) on a monthly basis showing the payments made and the remaining payments ☐ ☐ ☐
4 Having specialized staff to provide advice to customers who face financial and technical difficulties during contract periods and providing appropriate solutions for them to overcome these difficulties ☐ ☐ ☐

Product or Service Developer
Date: Day/Month/Year
Signature

Chief Compliance Officer
Date: Day/Month/Year
Signature

Annexure (5): Annual Report for Banking Products and Services