Regulatory Alerts2023-05-21
Circular Re. Instructions for Practicing Digital Mediation Activity
The Saudi Central Bank issued these Instructions to establish minimum technical, operational, and contractual standards for licensed digital mediation institutions. The document mandates robust cybersecurity, accurate client identification, strict data retention, and clear disclosure of fees and conflicts of interest through a centralized platform. It further requires formalized agreements between institutions, clients, and financing entities, while granting the Central Bank authority to exempt institutions from specific provisions or enforce compliance under the Financing Companies Monitoring System.
Instructions for Practicing Digital Mediation Activity
Shawwal 1444 / May 2023
The Central Bank issued these Instructions pursuant to the powers delegated to it under the Financing Companies Monitoring System, issued by Royal Decree No. (51/M) dated 13/8/1433 AH.
Important Note:
To keep pace with updates and amendments to the Instructions issued by the Central Bank, the Central Bank emphasizes the necessity of always relying on the version published on its website: www.sama.gov.sa
Table of Contents
| Page No. | Chapter |
|---|---|
| 3 | Chapter One: Definitions and General Provisions |
| 1. Definitions | |
| 2. General Provisions | |
| 4 | Chapter Two: Technical and Regulatory Instructions |
| 3. Technical Infrastructure | |
| 4. Requirements for Accuracy of Submitted Information | |
| 5. Requirements for Retention of Submitted Information | |
| 5 | 6. Conflicts of Interest |
| 7. Disclosure | |
| 8. Institution Obligations | |
| 6 | Chapter Three: Contract Requirements between Relationship Parties |
| 9. Contract between the Institution and the Client | |
| 7 | 10. Contract between the Institution and the Financing Entity |
| 7 | Chapter Four: Final Provisions |
Chapter One
Definitions and General Provisions
1. Definitions:
1,1 The terms and expressions used in these Instructions carry the meanings specified in the Licensing Rules for Supporting Activities to Financing.
1,2 The following terms and expressions -wherever used in these Instructions- carry the meanings specified opposite each of them, unless the context otherwise dictates:
- 1,2,1 Central Bank: The Saudi Central Bank.
- 1,2,2 Instructions: Instructions for Practicing Digital Mediation Activity.
- 1,2,3 Activity: Digital Mediation Activity.
- 1,2,4 Financing Entity: Banks, finance companies, financing companies, and licensed entities permitted to practice financing activities under the prevailing systems in the Kingdom.
- 1,2,5 Client: The person to whom the Institution's services are directed.
- 1,2,6 Institution: The entity licensed by the Central Bank to practice the Activity.
- 1,2,7 Platform: Any electronic means used to practice the Activity, including websites or mobile applications.
- 1,2,8 Authenticated Channels: A verified and approved communication means that can be authenticated and retrieved electronically, such as voice messages or emails.
2. General Provisions:
2,1 These Instructions aim to establish the minimum standards and procedures necessary for practicing the Activity.
2,2 These Instructions apply to the Institution licensed by the Central Bank to practice the Activity.
2,3 Practicing the Activity is prohibited after obtaining a license from the Central Bank in accordance with the provisions of the Licensing Rules for Supporting Activities to Financing and related systems.
2,4 These Instructions do not derogate from the provisions contained in related systems and instructions, including but not limited to:
- 2,4,1 The Financing Companies Monitoring System issued by Royal Decree No. (51/M) dated 13/8/1433 AH and its Executive Regulations.
- 2,4,2 The Licensing Rules for Supporting Activities to Financing issued by the Central Bank.
- 2,4,3 The Information Security Regulatory Guide issued by the Central Bank.
- 2,4,4 The Business Continuity Regulatory Guide issued by the Central Bank.
- 2,4,5 Principles and Rules for Protecting Financial Institution Clients issued by the Central Bank.
Chapter Two
Technical and Regulatory Instructions
3. Technical Infrastructure:
The technical infrastructure within the Institution must be sufficient for operational needs and the nature of the Activity in accordance with best practices, and commensurate with what is issued by the Central Bank regarding this matter. The Institution must commit, as a minimum, to maintaining, developing, and operating the Platform to practice the Activity in accordance with the Central Bank's Instructions, and establishing standard technical interfaces for dealing with Financing Entities to exchange information, receive financing application offers, and process them.
4. Requirements for Accuracy of Submitted Information:
4,1 The Institution must identify the Client and verify his identity and the accuracy of the information and documents submitted electronically through reliable and independent sources before sending them to the Financing Entity, and provide this in accordance with the Instructions issued by the Central Bank.
4,2 The Institution must adopt the necessary internal procedures to verify the validity and accuracy of financing offers before presenting them to the Client.
4,3 The Institution must create an electronic record for each Client and take measures to protect the information submitted through the Electronic Transactions System and its Executive Regulations, and establish the necessary procedures and measures to verify the Client's phone number by sending a verification code -as a minimum- as follows:
4,3,1 Verifying the Client's phone number by sending a verification code.
4,3,2 Establishing necessary procedures to ensure the freshness of submitted information, including but not limited to: the National Address.
5. Requirements for Retention of Submitted Information:
Subject to systems and instructions related to data and information protection issued by competent authorities, the Institution must commit, as a minimum, to the following:
5,1 Establishing the necessary procedures and controls to maintain the confidentiality of all data and information obtained through the Platform, and not disclosing such data and information to any party outside the relationship, except with the Central Bank's approval and in a manner consistent with related systems.
5,2 Ensuring the security, integrity, and availability of information provided through the Platform, including but not limited to: information supplied by the Client, and information collected and stored by the Institution or the contracted service provider. The Institution must specifically protect the Client's personal information from loss or unauthorized access, including but not limited to: use, modification, or disclosure.
5,3 Retaining all of the Client's documents, records, and files in an organized, clear, and secure manner, verifying file completeness and updating them periodically, for a period of at least ten years from the date of termination of the relationship with the Client.
6. Conflicts of Interest:
The Institution must establish a suitable written regulatory policy to clarify potential conflicts of interest, which must include adequate measures to mitigate such conflicts and a mechanism for handling them to ensure fair treatment of the Client and the Financing Entity.
7. Disclosure:
The Institution must commit to the following:
7,1 Clarifying and disclosing all information related to Platform privacy, Platform terms and conditions, security instructions, payment methods, information confidentiality, and any other instructions related to Platform use, in addition to all data required to be disclosed under related systems and instructions.
7,2 Disclosing all fees and returns due for utilizing the Institution's services.
7,3 Disclosing the Institution's licensing information through the Platform.
8. Institution Obligations:
8,1 Enhancing the Platform's cybersecurity and promptly addressing breach incidents, with immediate notification to the Central Bank in case of any breaches.
8,2 The primary purpose of the electronic linkage between the Institution and the Financing Entity must be practicing the Activity, and not for other purposes, except with the Central Bank's approval.
8,3 Providing a recordable and verifiable service that enables the Client to communicate directly with the Institution through the Platform to facilitate submitting feedback and complaints.
8,4 Establishing appropriate declarations and undertakings for Client acceptance and approval before using the Platform, with declarations taking the form of a Pop-Up Window.
8,5 Notifying the Client -in case financing cannot be completed or if additional documents are requested through Authenticated Channels.
8,6 Considering the Client's needs and preferences, and delivering information to the Client in a clear, transparent, and non-misleading manner.
8,7 Providing messages and visual materials to raise the Client's awareness level and enable him to understand fundamental risks, assisting him in making informed and effective decisions before obtaining financing.
8,8 Not receiving or delivering any amounts on behalf of the Financing Entity, except with the Central Bank's approval.
8,9 Providing a list containing the contracted Financing Entities to enable the Client to review them and choose the most suitable.
8,10 Not participating in any marketing campaigns for any Financing Entity, and not favoring one Financing Entity over another.
8,11 Obtaining the Client's consent before checking his credit record with one or more credit information companies, and before sharing his credit information with the Financing Entity, in a manner consistent with these Instructions and related systems.
8,12 Presenting the financing options available to the Client, which must comply with the policies or credit standards communicated by the Financing Entity, while notifying the Client through the Platform about the reasons for non-application of the Financing Entity's approved policies or credit standards to the dealing Client.
8,13 Sending a message to the Client through Authenticated Channels in case financing is approved, with clear and accurate basic information about the financing product that is easily understood and non-misleading, along with the complaints management or customer care number at the Institution and the Financing Entity.
8,14 Periodically updating information about services and products provided by the Financing Entity and standardized for the Client, so that they are clear, specialized, easily understood, accurate, and non-misleading. This information must include, as a minimum:
- 8,14,1 Main terms and justifications.
- 8,14,2 Clarification of each party's rights and responsibilities.
- 8,14,3 Details of prices and commissions charged by the Financing Entity.
- 8,14,4 Details of penalties and risks, the relationship termination mechanism, and its consequences.
- 8,14,5 Providing information about alternative products and services offered by other Financing Entities.
Chapter Three
Contract Requirements between Relationship Parties
9. Contract between the Institution and the Client:
The Institution must draft a contract between the Institution and the Client that complies with related regulatory requirements, and each party must be delivered a copy containing -as a minimum- the following:
9,1 Contract parties.
9,2 Scope of the contract.
9,3 Contract duration.
9,4 Type of desired financing, its duration, specifications (if any), and requirements.
9,5 Obligations and rights of the contract parties.
9,6 Pricing and fee structures.
9,7 Withdrawal procedures and conditions.
9,8 Dispute resolution mechanism.
9,9 Contract termination and expiration procedures.
9,10 Any other data or information approved by the Central Bank.
10. Contract between the Institution and the Financing Entity:
The Institution must draft a written contract (paper or electronic) between the Institution and the Financing Entity that complies with related regulatory requirements, and each party must be delivered a copy containing -as a minimum- the following:
10,1 Contract parties.
10,2 Financing Entity license number and date.
10,3 Scope of the contract.
10,4 Contract duration, with its validity linked to the validity of licenses required for both parties.
10,5 Obligations and rights of the contract parties.
10,6 Pricing and fee structures.
10,7 Mechanism for exchanging financing offer data and information, with periodic updates.
10,8 Withdrawal procedures and conditions.
10,9 Service levels and performance requirements, and reporting and escalation mechanisms.
10,10 Financing Entity's obligation to notify the Institution through the Platform upon issuance of the financing contract.
10,11 Dispute resolution mechanism.
10,12 Confidentiality, privacy, and information security.
10,13 Both parties' obligation to perform commitments stipulated in related systems, regulations, rules, controls, and instructions; the Financing Entity is not exempt from performing its commitments.
10,14 Prevention of void contracting.
10,15 Consequences of contract renewal and renegotiation.
10,16 Contract termination and expiration procedures.
10,17 Any other data or information approved by the Central Bank.
Chapter Four
Final Provisions
11. Failure to comply with the requirements of these Instructions constitutes a violation of the Financing Companies Monitoring System.
12. The Central Bank may exempt the Institution from applying any of the requirements stipulated in these Instructions.
13. These Instructions are published on the Central Bank's official website and take effect from their approval date.
P.O. Box 2992 Riyadh 11169, Kingdom of Saudi Arabia
Tel.: +966 11 463 3000
www.sama.gov.sa
Share