SAMA New Banking Products and Services Regulation

SaudiCentral Bank (SAMA) New Banking Productsand ServicesRegulation November 2023

Page Number 2 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 Contents

1. Introduction 3
2. Objective 3
3. Scope of Application 3
4. Definitions 3
5. Board of Directorsand Senior Management Responsibilities 4
6. Products and Services Policy Requirements 5
7. Notification and Non-Objection Requirements 10
8. Effective Date 13
9. Annexure 14

Page Number 3 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023

1. Introduction Banks frequently introduce new products and services and/or modify existing products and services in normal course of business. These new or modified products and services could expose the banks or the financial system as a whole to new risks or could amplify existing risks. Therefore, the risks posed by the introduction and/or modification of products and services must be identified, assessed, monitored and managed appropriately by the banks. New Banking Products and Services Guidelines were issued by SAMA in 2017; due to changes in the financial system and regulatory framework, SAMA decided to update these guidelines. The key objectives of this regulation is to promote sound risk management practices and/or manage risks associated with banking products and services. The banks must adhere to this regulation as minimum set of regulatory requirements.
2. Objective This Regulation sets out SAMA’s requirements with regard to banks’ offering of new products and services and regulatory requirements of notifying SAMA prior offering a new product or service, and the required supporting documents to be submitted. In addition, the regulation aim to improve the time-to-market for banks to introduce new product and service, and promoting sound risk management practices in managing and controlling risks associated with banking products and services.
3. Scope of Application This Regulation shall be applicable to all licensed banks in Saudi Arabia under the Banking Control Law.
4. Definitions 4.1 Product orService A product or service are what the banks offer to their customers within the scope of banking business as defined in the Banking Control Law. 4.2 New Product orService A new product orservice is one that a bank offers for the first time in Saudi Arabia notwithstanding the fact that a bank, its parent bank, branches or subsidiaries in a foreign jurisdiction may have offered similar product and service outside of Saudi Arabia, or a variation to an existing product offered by bank in Saudi Arabia or a combination of product or service with anotherexisting or new product or service, that results in a material change(1) to the structure, features or risk profile of the existing product or service. (1) Material changes or modifications may include, for example, significant changes to key terms related to payout, rights and obligations of the counterparties/customers, the changes in nature of assets underlying the product or service, changes result in new or additional risk exposure to the bank or the customer.

Page Number 4 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 4.3 Existing Product orService An existing product or service, which a bank had offered, and continue to offer, until the bank decides to discontinue or make material modifications to the product or service. 5. Board of Directorsand Senior Management Responsibilities 5.1 Board of Directors (The Board): 5.1.1 The Board has an oversight responsibility (2) to ensure that senior management develop and implement the detailed internal policiesand proceduresfor offering of new products and services. 5.1.2 The Board is responsible for ensuring that product and service risks are well managed, and the needs and rights of consumers are appropriately addressed. 5.1.3 The Board must review whether the offering of products and services by the bank remains consistent with the risk appetite approved by the board and internal policies and procedures for offering of new products and services. 5.1.4 The Board must review and revise the bank’s risk appetite when the offering of products and services by the bank is no longer consistent with the approved risk appetite. Any changes to the risk appetite must be justified and documented with detailed risk assessment, taking into consideration the risk management capabilities and risk bearing capacity of the bank. The Board must also ensure that internal policies and procedures are updated by senior management accordingly following changes in risk appetite. 5.2 Senior Management: 5.2.1 Senior management are responsible for the design, implementation, and compliance of the bank’s new products and services with the Board approved internal policies and procedures for offering of new products and services. 5.2.2 Senior management must ensure that offering of any new or existing products and services must fall within the scope of banking business as defined in the Banking Control Law. 5.2.3 Senior management must ensure that that risks arising from new products and services are well understood and aligned to the bank’s risk appetite and tolerance level. 5.2.4 Senior management has to determine whether the change to any product or service is considered to be a material change (3) . (2) The management function responsible for overseeing the operations of Foreign Bank Branch (FBB) are to ensure that policies and procedures for new products and services are consistent with the requirement of this regulation, and effectively implemented in its operations. (3) Chief Risk Officer (CRO) and Chief Compliance Officer (CCO), in coordination with the product or service developer, are responsible for determining whether the change to any product or service is considered to be a material change.

Page Number 5 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 5.2.5 Senior management must periodically review the appropriateness of the products and services internal policies and procedures and whether they continue to meet the objectives as set out in this regulation, and must propose to the Board that the policiesand procedures be amended if this is no longer the case. 5.2.6 Senior management must identifyand mitigate potential negative effects on the bank's reputation either actual or perceived. 5.2.7 Senior management must ensure that there are full operational readinessto support new products and services, including processes, controls and systems infrastructure and approvals from other authorities are obtained prior to offering new products and services, where relevant. 6. Products and Services Policy Requirements 6.1 General Requirements: Banks are required to have in place an internal policies and procedures that set out the oversight and governance arrangements for the offering of new products and services. These internal policies and procedures must at minimum satisfythe following: 6.1.1 To be integrated as part of the bank’s governance, risk management and internal control framework. 6.1.2 Defining the roles and responsibilities of all stakeholders including the Board and all control functions involved in developing and launching new products and services. 6.1.3 Defining parameters for the authority which approves new products and services including the circumstances under which such authority may be delegated. 6.1.4 Defining the requirements to have a pilot or testing phase for new products and services. A bank is required to assess the effect of a product and service on target market before its commercial launch and take appropriate changes where scenario analysis shows adverse results for the target market. 6.1.5 Consumer protection requirements including the bank’s standards for management of customer suitability and mis-selling risks along with a requirement to conduct annual assessment of all products and services against such established standards. 6.1.6 The internal policies and procedures must be reviewed and updated on a regular basis or when it’s needed, ideally on an annual basis, and at least once every (3) years. 6.1.7 The policiesand proceduresmust be communicated by the bank in a timelymanner to all relevant partsand levels within the organization, and to ensure that the new product and service offering are fully integrated throughout a bank’s line functions.

Page Number 6 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 6.2 Considerations: When developing products and services internal policies and procedures, banks must consider the following: 6.2.1 Designingand bringing to the market products and services with features, charges and risks that meet the interests, objectives and characteristics of, and are of benefit to the market segment identified for the products and services. In this regard, a formal customer appropriateness and customer fairness assessment must form part of bank’s processes before approval of new products and services. 6.2.2 The products and services offered to customers are fair and suitable. 6.2.3 Avoid any conflicts of interest, potential for mis-selling, terms and conditions that are inherently unfair to consumers, and business practices that restrict the freedom of choice to consumers. 6.2.4 To be proportionate to the nature, scale, risk, and complexity of a bank’s products and services, and designed to identify and control product risk across the value chain, including at minimum the stages of product development, authorization and governance, price, marketing, sale and distribution. 6.2.5 The gradual commercial launch of any new product and service taking into consideration the market segment, riskiness and complexity of the product and service. 6.2.6 Compliance with all applicable rules and regulations issued by SAMA and all other relevant regulators when developing a new product and serviceas well asany subsequent updates to the rules and regulations. Examples of such rules and regulations (but not limited to): a. Responsible Lending Principle for Individual Customers (issued in 2018). b. Financial Consumer Protection Principles and Rules (issued in 2022). c. Rules for Advertising Products and Services Provided by Financial Institutions (issued in 2023). d. Debt Collection Regulations and Procedures for Individual Customers (issued in 2018). e. SAMA Cybersecurity Framework(issued in 2017). f. SAMA Counter-Fraud Framework(issued in 2022). g. SAMA Business ContinuityManagementFramework(issued in 2017). h. Information Technology Governance Framework(issued in 2021). i. Rulesrelated to touch\face ID, Tahaqaq requirements, digital signature, national and global payment requirements for MADA, Visa, MasterCard, Face recognition.

Page Number 7 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 6.3 Products and Services Risk Assessments: 6.3.1 Banks must establish lines of responsibility for managing risks related to new products and services. 6.3.2 Banks must conduct a full risk assessment of new products and services which form the basis on whether or not to introduce them to the market taking into account reviewing all the associated risk throughout the life cycle of the products and services. 6.3.3 Banks must haverisk management standards for developing and launching any new products and services to the market. These include, inter alia, adequate due diligence and approvals, procedures to identify, measure, monitor, report, and mitigate risks, effective change management processes and technologies, ongoing performance monitoring and review mechanisms. 6.3.4 Banks must have risk classification process for each product and service that the bank intend to launch. The classification process must result with an overall risk classification for the product or service (for example: high, medium or low risk). 6.3.5 Banks must have a risk management, controls and monitoring processes in respect of third party risks management, where the bank’s products and services are offered in partnership with Fintech companies, agents or similar entities. 6.3.6 The risk management function must have internal organizational and operational capacity i.e. effective controls, monitoring and reporting systems and procedures in place, to monitor and manage potential risks of the proposed new products and services poses to the bank's own financial health, as well as to the financial well-being of the customers and overall market stability. 6.3.7 The risk management function must document, review and approve risk profile(associated risks) of new products and services before its launch. Risk profile of the new products and services must include at least detailed description of all associated risks i.e. identification, quantification (if possible), assessment, classification and its mitigation plan. 6.3.8 The risk management function must perform comprehensive fraud risk assessment covering fraudulent events across different channels and assessment of prevention, detection, and investigation capabilities from people, process and technology perspective taking into consideration emerging technologies. The risk assessment must also include evaluation of all possible scenarios and dynamic fraud techniques such as social engineering, phishing. that ensures safety and soundness of the bank against dynamic fraudulent scenarios. In addition, the bank must enforce defense in depth mechanism in their environment to ensure deep protection for the customers such as using multichannel technique to ensure customer identity and confirmation of the financial service/transaction for example: registration and activation/approval of services from different channels whenever applicable.

Page Number 8 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 6.3.9 The risk management function must conduct comprehensive risk assessment which cover cyber resilience and data privacy including evaluating threats, vulnerabilities and weaknesses needed to be analyzed for potential impact on the bank that leads to improve member organizations cyber posture. 6.3.10 The risk management function must assure that its people, systems and processes have the ability to adequately capture and report risks and financial commitments relating to its new products and services in a timely manner. 6.3.11 The risk management function must assure that all material risks posed bythe introduction of new products and services or by the modification of existing products and services are identified, assessed, monitored and managed appropriately; and must be regularly reviewed in light of the changing market conditions not previously factored. 6.3.12 The risk management function must assess how new products and services will affect the bank's current and projected financial and capital positions. 6.4 Products and Services Compliance: The compliance function must ensure the following: 6.4.1 Review all new products and services from compliance, regulatory and financial crimes perspectiveand ensure that they conform to all applicable rules and regulations issued by SAMA and all other relevant regulators. 6.4.2 Productsand services offered are compliantwith all rules and regulations issued by SAMA and all other relevant authorities at all time. 6.4.3 Identify the risks of non-compliance that might arise from products and services, set plans to manage it, and evaluate these risks at least once annually. 6.4.4 Report to the Board at least once annually the risks of non-compliance and how it would be mitigated. 6.4.5 The compliance function must be the main contact point for liaison for submission of all applications for non-objection to introduce new products and servicesand to notify SAMA of any products and services in cases where non-objection is not required. 6.5 Products and Services Auditing: The internal audit function must ensure the following: 6.5.1 Timely identification of internal control weaknesses, adherence to regulatory requirements and products and services policies and procedures.

Page Number 9 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 6.5.2 To auditall new products and services in a reasonable time i.e. within one year after launching the product or service depending on the nature, type, complexity, and riskiness of the new products and services. 6.5.3 Report to the Audit Committee the results of the audit process that was conducted on the bank’s products and services at least once annually. In case, products and services associated risks increase or violating any rules and regulations issued by SAMA and all other relevant regulators, the internal audit must include them in theiryearly audit plan. 6.6 Product Development Function: The product development function (business units) must ensure the following: 6.6.1 Theyare familiar with products and services policies and proceduresand all applicable rules and regulations issued by SAMA and all other relevant regulators. 6.6.2 They are competent and appropriately trained; and thoroughly understand the products and services’ features, characteristics, risks, and ensure that corrective actions are taken to mitigate identified risks related to products and services. 6.7 Products and Services On-going Monitoringand Control: 6.7.1 Banks mustensure that the requirement of monitoring products and services on an ongoing basis is in place and implemented, to ensure that the interests, objectives and characteristics of targets market continue to be appropriately taken into account. In addition, the banks must address consumer complaints and rectify them on timely basis. 6.7.2 If the bank identifies a problem/risk related to products or services in the market, or when monitoring the performance of the products or services as required, the bank must take necessary corrective actions and implement measures to prevent future recurrence. The corrective action plan, which may include suspension or withdrawal of products or services must be approved by the senior management function or other functions within the bank accountable for approval of product and services. Banks must also report to SAMA such incidents including the corrective action plan that have been or will be taken. 6.7.3 In the case of product or services suspension or withdrawal, banks are required to notify SAMA at least prior to (45) business days by email before suspending or withdrawing any products or services via (PSBanking@sama.gov.sa). The notification must include justifications for the suspension or withdrawal and the plan to deal with beneficiary customers (exiting plan) affected by discontinuation of products or services. 6.7.4 After the introduction of new products or services, SAMA may, at any time, suspended the product or service if any regulatory incompliance has been identified and/or there is a negative impact on

Page Number 10 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 the banking sector or on consumers. SAMA will direct banks to provide corrective actions in such case for approval and implementation. 6.8 Documentations and Reporting Requirement: 6.8.1 Banks are required to submit areport to SAMAwhich include all products and services.The report must be signed by the Chief Executive Officer, and submitted by ComplianceFunction to Banking Licensing Division via (PSBanking@sama.gov.sa) – by 1 st March of each year, according to the table provided in (Annexure 5). 6.8.2 Banks must document all actions taken while implementing the internal policies and procedures, preserve these documents for audit purposes and to make them available to SAMA upon request. In addition, the banks must retain all the documents relating to the risk assessment of the new products and services including key risks from both the bank’s and customer’s perspective, together with the systems and processes that are in place to mitigate these risks. 6.8.3 An inventory of bank’s existing products and services containing information such as (but not limited to): name of a product and service, target market, risk classification, developer of the product or service, reviewer of the product, approver of the product, approval date, launch date, last review date, latest changes made including the description and the date of changes. 7. Notification and Non-Objection Requirements 7.1 Notification Requirements: The following requirements applies to banks that satisfy the required maturity level in Cyber Security Framework, Counter-Fraud Framework, Business Continuity Framework, and Information Technology Governance Framework, which must be independently validated by a qualified and experienced third party on annual basis. 7.1.1 Banks are required to notify SAMA by emailat least (10) business days beforelaunching any new products and services via (PSBanking@sama.gov.sa). 7.1.2 SAMA will acknowledge receipt of the notification within (10) business days of receiving the bank’s request. In case, a bank does not receive acknowledgement receipt from SAMA within (10) business days from sending the notifications, it is the bank’s responsibility to follow up with Banking Licensing Division via (PSBanking@sama.gov.sa) for confirming that whether SAMA has received the notification or not. 7.1.3 Banks will be able to launch new products and services once they receive SAMA’s acknowledgement of receipt of the bank’s notification.

Page Number 11 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 7.1.4 Banks must launch their new products and services within (12) months of receiving the acknowledgment receipt from SAMA, otherwise the bank must submit a new notification. 7.1.5 SAMA have the right to ask banks for further information about products and services despite the fact that bank has launched the products and services or not. 7.1.6 SAMA may prohibit a bank from introducing or continuing to offer any products or services if SAMA concludes that such product or service will undermine SAMA’s primary objective of maintaining safety and soundness of the financial sector. 7.1.7 Banks must not reintroduce a product or service that has been stopped or discontinued by the bank for more than (12) months without notifying SAMA by following the notification requirements as per clause (7.1.1). 7.2 Non-objection Requirements for Specified Products and Services: 7.2.1 Banks are required to seek SAMA’s non-objection for the below products and services prior launching,as an exception to the notification requirements:

1. Home Loans Products.
2. Financial Lease Products.
3. Financial Derivatives.
4. Products and services that are not covered in existing rules and regulations issued by SAMA. 7.2.2 Banks that do not comply with required maturity level stated in clause (7.1), must apply for non￾objection for all types of products and services. 7.2.3 Banks must launch their new products and services within (12) months of receiving the SAMA’s non-objection, otherwise the bank must submit a new application. 7.2.4 Banks must not reoffer a product or service that has been stopped or discontinued for more than (12) months without a new non-objection from SAMA, as per clauses (7.2.1) and (7.2.2) for products or services that require SAMA’s non-objection. 7.3 Offering ofFinancial Derivatives Products: Banks mustensurethe following are satisfied before submitting a non-objection application to SAMA: 7.3.1 Banks seeking to introduce new financial derivatives products for their customers are required to develop and implement internal customer suitability procedures ensuring that these products are only sold to suitable customers. 7.3.2 Customer suitability procedures must be designed to seek sufficient knowledge about the customer to establish that the customer has a practical understanding of the features of the product and the risks to be assumed.

Page Number 12 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 7.3.3 For complex financial derivatives such as structured products, the complexity of the payoff structure can make it difficult for customers to accurately assess the value and risk of the structured product. Banks must clearly demonstrate to the customer the potential profit and loss scenarios for the structured products over the time horizon. 7.3.4 Banks must ensure that customers are fully aware of risks involved in complex products such as financial derivatives and structured products, the product must meet the customer’s business or investment objectivesand risk appetite, the customer have prior investment experience and fully understood and sign-off the terms of contract accordingly. 7.3.5 Banks must not recommend a financial derivative product to a customer unless it is reasonably satisfied that the product is suitable for that particular customer and the nature of the customer’s business. Such a decision must be made based on information sought and obtained from the customer. 7.3.6 Banks seeking to introduce newfinancial derivative products must demonstrate that the proposed financial derivative instrument has a bona fide economic purpose and does not merely provide means of financial speculation, leverage, or regulatory arbitrage. To meet this test, a bank would have to identify the intended customers for the proposed new financial derivative products and describe (with sufficient specificity) potential uses. 7.3.7 Banks intending to introduce a new financial derivatives products must demonstrate that it has the internal organizational and operational capacity to monitor and manage potential risks of the proposed new products pose to a bank’s own financial health, as well as to the financial well-being of the customers and overall market stability. 7.3.8 Banks must demonstrate that effective control, monitoring & reporting systems, and procedures are in place to ensure on-going operational compliance with a bank’s, the customer’s and the counterparty’s risk appetite. A bank must also have a strong governance process around the valuation of financial derivatives, which includes robust control processes and documented procedures. 7.3.9 Banks intending to introduce a new financial derivatives products will have to demonstrate that the proposed products do not pose potentially unacceptable systemic risk. It is the responsibility of the bank to ensure that suitability of customers for the new financial derivatives product are assessed not only based on a bank’s exposure to an individual customer but also based on the industry’s exposure to the customer. A bank would therefore need to obtain full disclosure from the customers about their financial derivative exposures with other banks and non-banking entities prior to selling new financial derivative products.

Page Number 13 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 7.3.10 Banks must ensure that the new financial derivative such as, structured products that seeks to market is not likely to have a negative impact on broader socio-economic policy goals of the country, for example an impact on SAIBOR orSAR. 7.3.11 Financial derivatives involving SAR against a foreign currency are subject to the requirements of a separate SAMA circular that banks must comply with. 7.3.12 Banks are required to ensure newfinancial derivative products comply with SAMA Rules on Trade Repository Reporting & Risk Mitigation Requirements for Over-the-Counter ("OTC") Derivatives Contracts issued by SAMA (issued in 2019)and any subsequent updates. 7.4 Documentation Requirements: 7.4.1 A bank notifying or seeking a non-objection from SAMA for the introduction of a new product or service must fully complete the checklist and provide the supporting documents as stated in (Annexure 1). 7.4.2 SAMA will not process any application that does not meet or fulfill the above mentioned documentations. 8. Effective Date This regulation shall be effective by 1st of March 2024. Once effective, this regulation shall supersede the existing SAMA New Banking Products and Services Guidelines issued by circular No. 391000006163 in 18-01-1439H (08-10-2017G).

Page Number 14 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 9. Annexure Filling Form Instructions

1. This form is for new banking products and services in accordance with the New Banking Products and Services Regulation (second version / Nov 2023).
2. The form must be fully filled out by the bank.
3. The bank must verify the accuracy of the information filled in this form.
4. The form must not be modified in any way.
5. This form and supporting documents such as contracts, terms and conditions should be sent in two formats (Word-PDF) along with the other requirements as shown in annexure (1) to Banking Licensing Division via (PSBanking@sama.gov.sa) Bank name Product or service name ☐ Notifying SAMA before launching a new product or service. ☐ Obtaining SAMA’s no-objection for launching a new product or service according to clause(7.2.1) ☐ Obtaining SAMA’s no-objection for launching a new product or service according to clause(7.2.2). Purpose of the application ☐ Yes ☐ No Is it a material change to an existing product or service? New product or service expected launch date: Day/Month/Year Provide date of previous Notification/Non-objection: Day/Month/Year Launching date: Day/Month/Year The rules and regulations that were taken into account in developing this product or service ☐Savings ☐Personal finance ☐ Credit card Product orservice type (You can check more than one) ☐ Financial Derivatives ☐ Home finance ☐Prepaid cards ☐ Financial lease ☐ Corporate finance ☐ Banking services ☐E-service ☐ Treasury product ☐ Other:

Page Number 15 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 Annexure(1): Checklist Attached No. Document Not Applicable Yes No ☐ ☐ A formal letter signed by the Chief Compliance Officer notifying or requesting SAMA’s no￾objection to offer new product or service 1 2 Application form for new banking products and services (Annexure 2) ☐ ☐ 3 Statement of compliance (Annexure 3) ☐ ☐ ☐ ☐ ☐ Consumer protection checklist (for retail products and services) signed by the Product or Service Developerand Chief Compliance Officer (Annexure 4) 4 ☐ ☐ ☐ Copies of supporting documents e.g. terms and conditions, contracts, process workflow (Images), promotional materialand any other related documents 5 ☐ ☐ ☐ Contract draft / service level agreement (SLA) / non-disclosure agreement (NDA) if there is a third party in the product and service 6 ☐ ☐ ☐ Risk assessment report which describe the product or serviceall inherent risks from both the bank's and customer’s perspective together with the systems and processes that are in place to mitigate these risks. The following risks need to be considered at minimum:  Credit Risk  Market Risk  Operational Risk  Strategic Risk  AML&CFT Risk  Legal Risk  Technology Risk  Cyber Risk  Fraud Risk  Business Continuity Risk  Data Privacy Risk  Reputational Risk 7 8 Necessary Shari’ah Committee Approvals for new Shari’ah Compliant Products orServices. ☐ ☐ ☐ I, the undersigned, acknowledge that all the above-mentioned data and information and attached documents are correct, accurate and complete Chief Compliance Officer Date Day/Month/Year Signature

Page Number 16 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 Annexure (2): Application form for new banking products orservices A detailed description of the product or service: Product or Service Risk Classification (For example: High, medium, low risk): Did The bank completed the independent evaluation required under clause(7.1)? ☐Yes ☐No Evaluation date: Day/Month/Year Isthe bank complied with the required maturity level in the frameworks mentioned in clause(7.1)? ☐Yes ☐No Notes: Product or service objectives: Product or service features: Product or service offering journey: Product or service delivery channel(s): ☐ Bank branches ☐ E-Channels ( ☐ Phone Banking, ☐ Mobile Banking, ☐ Bank’s Website) ☐ Relationship Mangers ☐ Other: Targeted customers: ☐ Existing bank customers ☐Non-existing bank customers Targeted segment: ☐Retail ☐ Small/Medium enterprises ☐ Corporate ☐ Government sector ☐ Non-profit sector ☐Other: Customer identity verification mechanism:

Page Number 17 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 Fees, commissions and any other additional amounts might beincurred by the customer: Product or service launching plan in the local market: Similar products or services offered in the local market (if any): The potential impact on the bank’s liquidity ratios (SAMA Liquidity Ratio, CAR, LCR & NFSR) and any other regulatory indicators: Technological requirements, details and the integration method with third parties and other technological systems, including but not limited to Robot, Cloud, Biometrics: System classification by the entity, whether it is a main or secondary system: In case of storing data, clarify the location of the datastorage, the storage method and the type of data shall be clarified in detail, with reasons and justifications: In case of contracting with third parties, the details of the third parties shall be provided, including the name, location, duties, responsibilities, and any relevant information. Third-party remote access method (if applicable): In case of contracting with third parties, what are the type of data will be shared, and what measures will be taken to maintain information privacy and security: Has the verification method been clarified for the product/service, e.g. two factor authentication (2FA) using the password and the one-time password (OTP):

Page Number 18 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 Has the product/service been added to fraud monitoring systems with the ability to directly add and modify scenarios: Do third parties comply with the cloud computing cybersecurity controls (in the case of using cloud computing technology): In case of technological integration, explain the integrationmethod in detail: The internal bank function responsible for monitoring the product or service: The method of cancelling the product or service by the customer and cancelation fees (if applicable): Information/correspondences with SAMA regarding the above product or service(If any): Additional information: Product or service developer name and contact information (email, mobile phone, landline):

Page Number 19 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 Annexure (3): Statement of compliance Product/Service name We, the undersigned, acknowledge that the aforementioned product or service has been fully reviewed and does not violate any laws, instructions or professional practices. We also acknowledge that submitting this application (notification or non-objection) to SAMA does not burden it with any responsibility whatsoever and does not indicate that SAMA guarantees the product or service soundness. In addition, we acknowledge that we bear all the risks that may result from launching the product or service. Furthermore, we confirm that failure to comply with this acknowledgment entitles the authorities to take all measures, including inflicting penalties, holding violators accountable, withdrawing the product or service from the market, committing to correcting any adverse results, and compensating customers for any losses that may occur due to default or negligence on the bank’s part. Product or Service Developer Head of Customer Care Head of Legal Affairs Head of Data Privacy Head of Financial Fraud Head of Business Continuity Head of Information Security Head of Information Technology Chief Risk Officer Head of Anti-Money Laundering and Counter-Terrorist Financing Chief Compliance Officer

Page Number 20 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 Annexure(4): Consumer protection checklist Before or upon concluding a product/service agreement with the customer: Cases No Requirements Not Applicable Yes No ☐ ☐ ☐ Has the bank done a complete study on the product or service suitability to customer needs 1 ☐ ☐ ☐ Were the expected risks to customers from the product or service identified when advertising, and disclosed in the initial disclosure form (before signing the contract) 2 ☐ ☐ ☐ The bank must disclose the discounts and their conditions to customers - if available -and include them in the initial disclosure form (before signing the contract) 3 ☐ ☐ ☐ Ensuring that customer service staff and/or marketers are clearly familiar with the product or service provided helps customers make a decision before entering into a contract 4 ☐ ☐ ☐ The bank must study the customer’s financial solvency before granting the product/service and keep it in the customer’s file in a way that enables it to:

1. The customer’s ability to fulfill the due payments without delay
2. The customer’s understanding of the characteristics of the product or service.
3. The product or service meets the customer's need
4. The customer’s ability to bear the risks of the product or service 5 ☐ ☐ ☐ The bank must disclose the product/service provider in the initial disclosure form if the product or service provider is a third party 6 ☐ ☐ ☐ Advertising the product or service to customers is appropriate, does not use a seductive or misleading method of marketing, and uses language that is easy to understand and in clear writing, including margins 7 ☐ ☐ ☐ Are the terms and conditions explained in clear language, including fees, and are they fair to customers? A summary of this is provided in the initial disclosure statement, and this is explained to the customer before signing the contract 8 ☐ ☐ ☐ The potential fines and penalties that the customer will bear if the product or service is used on other than theagreed terms must be explained 9 After concluding the product or service agreement with the customer: ☐ ☐ ☐ The product or service must be compatible with Sama Care’s main or sub￾classifications of complaints 1

Page Number 21 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 ☐ ☐ ☐ Clarifying the mechanism for submitting a complaint and the contact information with the bank in the product or service contract 2 ☐ ☐ ☐ Providing beneficiaries with a free statement of account (paper or electronic) on a monthly basis showing the payments made and the remaining payments 3 ☐ ☐ ☐ Having specialized staff to provide advice to customers who face financial and technical difficulties during contract periods and providing appropriate solutions for them to overcome these difficulties 4 Product orService Developer Chief Compliance Officer Date Date Day/Month/Year Day/Month/Year Signature Signature

Page Number 22 of 22 New Banking Products and Services Version Issuance Date Regulation 2.0 November 2023 التقريرالسنوي للمنتجات والخدمات البنكية :(5) Annexure بنك مالحظات إضافية حالة املنتج أو عدد العمالء الخدمة العمالء املستهدفين قنوات التقديم تاريخ إطالق املنتج/ الخدمة وصف املنتج/ الخدمة التصنيف املحاسبي التو افق مع أحكام ومبادئ الشريعة تصنيف مخاطر املنتج/الخدمة نوع املنتج/ الخدمة التصنيف اسم املنتج/ الخدمة م أفراد شركات صغيرة ومتوسطة شركات القطاع الحكومي القطاع الغيرربحي Day/Month/Year 1 Day/Month/Year 2 Day/Month/Year 3 Day/Month/Year 4 Day/Month/Year 5 Day/Month/Year 6 Day/Month/Year 7 Day/Month/Year 8 Day/Month/Year 9 عدد عمالء البنك)أفراد( عدد عمالء البنك)الشركات الصغيرة واملتوسطة( عدد عمالء البنك)شركات( عدد عمالء البنك )القطاع الحكومي( عدد عمالءالبنك)القطاع الغيرربحي(