Principle (7) Responsibilities of the Compliance Unit

No: 42005223 Date(g): 15/9/2020 | Date(h): 28/1/1442 Status: In-Force

Translated Document

Assisting Senior Management in Compliance Implementation

63-The responsibility for compliance and managing non-compliance risks at the bank lies with senior management. The role of the Compliance Unit is to assist senior management in effectively managing and addressing non-compliance risks (through advising, monitoring, and oversight). The Chief Compliance Officer supervises the implementation of compliance duties, which include executing the compliance program with its objectives and projects, and other approved tasks required for the effectiveness and role of compliance, aligned with the bank's risk strategy. If some of these responsibilities are carried out by employees in different business units (compliance officers), the distribution of these responsibilities must be clearly defined.
 
 
64-The responsibility for addressing and correcting any deficiencies or violations identified by the Compliance Unit rests with senior management and the heads of business units where deficiencies or violations have been observed. The Compliance Unit's role is limited to providing advice and follow-up with the heads of business units and reporting any shortcomings in addressing and correcting issues.
 
 
Communicating Regulations and Instructions and Monitoring Compliance
 
65-The Compliance Unit must ensure that senior management and the various business units are informed appropriately and in a timely manner of the regulations issued and instructions received from SAMA and from other relevant official entities, internal and external (including foreign jurisdictions and organizations concerned with banking regulation). These regulations and instructions must be stored in a database that is maintained continuously and kept accessible, so that the bank's policies, procedures, products, services, and advertising materials can be checked for compliance with them. Business units must understand the instructions communicated to them and seek clarification from the Compliance Unit or from SAMA where needed; incorrect application of an instruction does not exempt the bank from regulatory penalties.
 
66-All business units within the bank must obtain the Compliance Unit's approval before submitting requests for SAMA's approval for new products and services. The request for approval or non-objection from SAMA should be submitted to SAMA only by the Chief Compliance Officer.
 
67-The Compliance Unit must be involved in the decision-making process when assigning tasks to third parties to ensure there is no conflict with any instructions issued from SAMA or other relevant authorities.
 
Organizing Responsibilities
 
68-Not all compliance responsibilities are executed solely by the Compliance Unit. Some compliance tasks can be carried out by employees in various bank units and its foreign branches (compliance officers), with the Chief Compliance Officer overseeing their work through an organization approved by the board or a delegated committee.
 
69-The bank's organizational structure includes specialized supervisory units that require specialized expertise, such as credit risk monitoring units, information security units, and finance units. These specialized supervisory units are responsible for implementing the compliance requirements related to their own tasks (e.g., taxation, zakat, credit risk, market risk, operational risk, information security, etc.). The Compliance Unit's role with respect to these units is to obtain the necessary assurances, documents, and evidence that they are fulfilling their compliance responsibilities, unless the specialized expertise and competencies needed to implement those requirements are assigned to the Compliance Unit itself. In either case, the allocation of these responsibilities must be documented in the compliance policy to prevent any overlap arising from the similarity of the supervisory roles of those units and the Compliance Unit.
 
70-To ensure that the Chief Compliance Officer and the Compliance Unit staff can perform their responsibilities effectively, the Compliance Unit must have the right to request the bank's legal department to:
 
 
  • Provide advice on regulations and the drafting of instructions for the Compliance Unit, and to prepare necessary guidelines for employees. The Compliance Unit will focus on monitoring compliance, instructions, policies, and procedures, and prepare and submit reports to senior management.
 
  • Investigate deficiencies and violations related to the implementation of relevant regulations and instructions concerning the tasks and operations of all units within the Compliance Unit.
 
  • Provide legal opinions on the results of investigations conducted by the Compliance Unit from time to time.

Consultation
 
71-The Compliance Unit must provide advice to senior management regarding compliance regulations, rules, and standards, including updates on local and international developments in this area. This advisory role involves close collaboration between the Compliance Unit staff and the bank's business units, offering support and guidance on their daily operations. The Compliance Unit is responsible for advising on compliance matters and serving as the point of contact for compliance-related inquiries from the bank's staff.
 
Guidance and Awareness
 
72-Training and educating all bank staff on relevant regulations and instructions pertaining to their individual responsibilities is a fundamental aspect of senior management's efforts to instill a compliance culture and encourage reporting of any violations to the Compliance Unit. Therefore, the Compliance Unit must continuously and proactively assist senior management in:
 
 
  • Raising employee awareness about compliance issues and potential violations, recognizing that they are the first line of defense, and serving as an internal contact point for compliance-related questions from bank employees.
 
  • Developing written guidance for employees that addresses the appropriate application of relevant regulations, compliance rules, and standards through policies and procedures. This includes preparing other guidance documents such as compliance manuals, internal codes of conduct, and practical guides.
 
  • Ensuring that the annual training and awareness program for all employees includes a plan that meets the bank’s ongoing needs and can be promptly adjusted in response to new issues, observations, significant changes, or updates in regulations, or high employee turnover. Training should be provided through available methods within or outside the bank, particularly for new employees, to familiarize them with compliance requirements related to their banking operations before starting their duties, and for those who interact directly with the public, to periodically remind them of requirements such as sales and marketing instructions, anti-money laundering and counter-terrorism financing, due diligence, reporting suspicious transactions, and internal violations.

Identifying, Measuring, and Evaluating Non-Compliance Risks

Identifying Risks

73-The Compliance Unit should proactively identify, document, and assess non-compliance risks related to the bank’s activities (regulatory, financial, reputational, or strategic risks), including new product developments, business practices, new types of business or customer relationships, or significant changes in the nature of these relationships. If the bank has a New Products Committee, representatives from the Compliance Unit should participate in this committee.
 
Measuring Risks
 
74-The Compliance Unit should study methods for measuring non-compliance risks both quantitatively and qualitatively (e.g., performance indicators related to compliance) and use these metrics to support the assessment, reduction, and management of non-compliance risks. Techniques such as aggregating or filtering data to identify potential non-compliance risk indicators (e.g., increasing customer complaints, fraud cases, reports, penalties, and payments) can be employed.
 
Evaluating Risks
 
75-The Compliance Unit should evaluate the adequacy of the bank's compliance policy and procedures, promptly address any identified deficiencies, and propose amendments when necessary, to the extent technically feasible. It should also encourage and monitor the relevant departments to make the necessary adjustments and corrections.
 
Monitoring, Testing, and Reporting
 
76-The Compliance Unit must continuously monitor and test compliance through adequate and representative tests. The results of compliance tests should be reported through the bank's management hierarchy and in accordance with the bank's internal risk management procedures.
 
77-The chief compliance officer must submit regular written reports to senior management addressing compliance issues. These reports should include an assessment of non-compliance risks during the reporting period, note any changes in the level of non-compliance risk based on relevant metrics (e.g., performance indicators), and provide a summary of any identified violations and deficiencies, proposed corrective actions, and required correction dates, along with details of actions already taken. The reporting format should align with the bank's non-compliance risk profile and activities.
 
High-Risk Cases and Urgent Developments
 
78-The board or its delegated committee overseeing compliance policy implementation should be informed immediately of any significant compliance failures or deficiencies that could lead to substantial regulatory penalties, legal actions, financial losses, or damage to reputation. If the impact is deemed significant to the banking sector's reputation, SAMA and the general administration for bank supervision should be notified directly and immediately.
 
Annual Compliance Report
 
79-An annual compliance report should be prepared by senior management and presented to the board, covering at a minimum the requirements set forth by SAMA from time to time.
 
80-SAMA should receive the board-approved version of the annual compliance report by the end of April each year, sent by the Chairman of the Board of the local bank or the Chief of the foreign bank branch, as part of the bank’s self-assessment of its compliance.
 
Regulatory Responsibilities and Communication
 
81-As a regulatory baseline, the Compliance Unit must undertake the responsibilities and tasks directly and indirectly related to non-compliance risks, including: (1) compliance oversight (monitoring, the relationship with SAMA, consultations), (2) anti-money laundering and counter-terrorism financing, (3) anti-fraud measures, (4) anti-corruption, (5) self-supervision, and (6) handling violation reports. It must also develop the mechanisms and coordination needed to implement effectively, within the institution, the security procedures communicated to it.
 
82-The Compliance Unit is responsible for monitoring the output of external regulatory bodies, standard-setting entities, and external experts insofar as it concerns its regulatory responsibilities, particularly in anti-money laundering, counter-terrorism financing, and non-proliferation.
 
Compliance Program
 
83-The Compliance Unit should implement its responsibilities under a compliance program that outlines its planned activities, such as applying and reviewing specific policies and procedures, assessing non-compliance risks, conducting compliance tests, and raising employee awareness on compliance issues. The compliance program should be risk-based and overseen by the Chief Compliance Officer to ensure it adequately covers all activities and coordinates between the compliance units (monitoring compliance with regulations, anti-money laundering and counter-terrorism financing, anti-fraud, anti-corruption, and handling violation reports).
 
Compliance Unit Database
 
84-The Compliance Unit should establish and continuously update a database of all compliance regulations, rules, and standards, ensuring that all bank employees can access and benefit from it at all times.
 
Documentation
 
85-The Compliance Unit must document policies, procedures, plans, events, and work papers to fulfill its duties and responsibilities.
 
Warning Signs (Red Flags)
 
86-The compliance program must include a warning-signs (red-flag) mechanism that alerts the bank to violations of internal and external regulations and to situations that expose it to non-compliance risk, such as rapid growth, the opening of new branches, high employee turnover, changes in programs, and the introduction of automated systems into workflows. This mechanism should also protect whistleblowers and include incentives in accordance with SAMA's whistleblowing policy.