LogoRegulatory Alerts
2018-01-08

Instructions on Documentation and Record Keeping

The Saudi Arabian Monetary Authority (SAMA) issued these Instructions to mandate that banks operating in the Kingdom transition paper records and documents to secure electronic storage after an initial ten-year paper retention period. The regulations require financial institutions to establish internal policies covering electronic system procedures, indexing, access controls, data integrity standards, and information security with disaster recovery capabilities. Furthermore, banks must enforce strict access permissions, maintain confidentiality, certify long-term electronic copies upon request, and undergo annual internal audit and compliance reviews to ensure ongoing adherence.

Saudi Central Bank logo

Saudi Arabia

Saudi Central Bank

Click to view thumbnail

==Start of PDF==

==Screenshot for page 1== In the Name of Allah, the Most Gracious, the Most Merciful Saudi Arabian Monetary Authority Headquarters

Banking Policy Department No.: 391000045986 Date: 21/04/1439 (Hijri) Enclosures: 3

Circular

To the Esteemed, Greetings, Subject: Instructions on Documentation and Record Keeping.

In continuation of the Authority's Circular No. (381000092226) dated 2/9/1438 AH and No. (371000093889) dated 24/8/1437 AH regarding the keeping of paper records and documents for at least ten years, with electronic storage to follow through high-reliability secure means.

Please find enclosed the Instructions regarding electronic record and document keeping, for your information and implementation, and to advise on measures taken within a maximum period of six months from its date.

Yours sincerely,

Ahmed bin Abdullah Al-Sheikh Deputy Governor for Supervision

Distribution Scope:

  • Banks operating in the Kingdom.
  • General Secretariat of the Banking Disputes Committee.
  • General Administration of Legal Affairs.
  • Supervision Department Administrations.

P.O. Box 2992, Riyadh 11169, Telegram: MARKAZI, Telex: 404400, Phone: 4633000, Fax: 4662414

==Screenshot for page 2== Saudi Arabian Monetary Authority General Administration of Banking Supervision Banking Policy Department

Instructions on Documentation and Record Keeping

Rabi' al-Thani 1439 AH - January 2018 AD First Edition

==Screenshot for page 3== Saudi Arabian Monetary Authority Instructions on Documentation and Record Keeping

The Saudi Arabian Monetary Authority has issued these Instructions based on the Noble Royal Order No. (32749) dated 16/7/1438 AH, and in accordance with the statutory powers granted to it under the SAMA System issued by Royal Decree No. (23) dated 23/5/1377 AH, and under the Banking Control System issued by Royal Decree No. (M/5) dated 22/2/1386 AH. These Instructions represent the minimum procedures that banks and financial institutions operating in the Kingdom must comply with regarding electronic record and document keeping, after ten years of paper-based storage.

Banks and financial institutions operating in the Kingdom must adhere to the following Instructions: First: Establish internal policies and rules governing electronic record and document keeping, which shall include at a minimum the following:

  1. Procedures for creating and storing records and documents via electronic systems (document preparation, scanning, data entry, uploading records to the system, retrieving records from the system).
  2. Indexing and classification of records and documents (transactions, subjects, document types, confidentiality level, keywords, source, etc.).
  3. Access rights to electronic systems and authorization mechanisms.
  4. Clear and documented standards to ensure the integrity and quality of stored documents and records.
  5. Information security policy and backup policy, including the use of digital certificates, electronic encryption operations, ensuring unauthorized access or review is prevented, and providing maximum protection and disaster recovery capabilities for backup restoration.

Second: Observe the following as a minimum for electronic record and document keeping:

  1. Store the record or document in the form it was created, sent, or received, without any addition, deletion, or modification.
  2. The electronic record or document remains stored clearly and properly, enabling its use and subsequent reference.
  3. Information enabling identification of the creator and recipient, along with sending/receiving dates and times according to both Hijri and Gregorian calendars, must be stored with the electronic record or document. The time shall be specified to the hour, minute, and second, without allowing modification of these data.

1

==Screenshot for page 4== Saudi Arabian Monetary Authority Instructions on Documentation and Record Keeping

  1. Record and store all operations performed on electronic records and documents, without allowing modification of these data.

Third: Accessing or dealing with electronic records, documents, and data is prohibited for personnel without authorized permissions.

Fourth: Authorized personnel accessing electronic records, documents, and data must maintain their confidentiality during their employment or after leaving the organization.

Fifth: At least two levels of permissions must be defined when dealing with electronic records, documents, and data in any procedure, such that there is, for example, an execution permission and an approval/verification permission.

Sixth: The bank must certify copies of electronic records and documents that have been stored for more than ten years upon the Authority's request, confirming their conformity with the original. This is done by stamping and signing authorized persons (e.g., Compliance Department Manager, Legal Affairs Department Manager), while verifying the integrity and clarity of submitted copies.

Seventh: Periodic reviews by the Internal Audit Department and Compliance Department shall be conducted annually to verify proper and complete storage, compliance with these Instructions, and the bank's internal policies mentioned above.

End

2

==End of PDF==

Share