2024-10-01

Circular Re. Compliance Principles for Finance Companies and Real Estate Refinance Companies

The Saudi Central Bank (SAMA) issued Compliance Principles for Finance Companies and Real Estate Refinance Companies, requiring full implementation within 180 days of publication. The document establishes a comprehensive regulatory framework defining the roles of the Board of Directors, Audit Committee, Executive Management, and the dedicated Compliance Unit to ensure effective adherence to laws and regulations. It mandates specific governance structures, including the independence of the compliance function, the qualifications of the Compliance Officer, and the integration of compliance into corporate culture and daily operations.

Saudi Arabia

Saudi Central Bank

Circular Re. Compliance Principles for Finance Companies and Real Estate Refinance Companies

Reference No.: 46020562
Date: 28/03/1446 AH
Attachments: None

Circular

Dear Sirs,

Peace, mercy, and blessings of God be upon you,

Subject: Compliance Principles for Finance Companies and Real Estate Refinance Companies.

Based on the authorities vested in the Saudi Central Bank (SAMA) under the Financing Companies Supervision System issued by Royal Decree No. (M/51) dated 13/08/1433 AH, and its Executive Regulations issued by the decision of His Excellency the Governor of the Saudi Central Bank No. (2/M SH T) dated 14/04/1434 AH, we inform you of the issuance of His Excellency the Governor's Decision No. (161/M SH T) dated 14/02/1446 AH, which approves the Compliance Principles for Finance Companies and Real Estate Refinance Companies according to the attached format. These Principles will be enforced 180 days after their publication on the Saudi Central Bank's website.

For your information and action.

Accept my regards,

[Signature]
Yazeed bin Ahmed Al-Sheikh
Deputy Governor for Supervision

Distribution Scope:

  • Finance companies operating in the Kingdom.
  • Real estate refinance companies operating in the Kingdom.

Compliance Principles for Finance Companies and Real Estate Refinance Companies

(Rabi' al-Awwal 1446 AH / September 2024 CE)

The Saudi Central Bank issued these Principles based on the authorities granted to it under the Financing Companies Supervision System issued by Royal Decree No. (M/51) dated 13/08/1433 AH, and its Executive Regulations issued by the decision of His Excellency the Governor of the Saudi Central Bank No. (2/M SH T) dated 14/04/1434 AH.

Important Note: To follow updates and amendments to these Principles, the Saudi Central Bank emphasizes the necessity of always relying on the version of the Principles published on its website: www.sama.gov.sa


Table of Contents

  • Chapter One: Definitions, General Provisions, and Scope of Application
  • Chapter Two: Duties and Responsibilities of the Board, Audit Committee, and Executive Management regarding Compliance
      • Principle One: Duties and Responsibilities of the Board regarding Compliance
      • Principle Two: Duties and Responsibilities of the Audit Committee regarding Compliance
      • Principle Three: Duties and Responsibilities of Executive Management regarding Compliance
  • Chapter Three: Characteristics, Duties, and Responsibilities of the Unit
      • Principle Four: Key Characteristics of the Unit
      • Principle Five: Duties and Responsibilities of the Unit
      • Principle Six: Responsibilities of Company Employees regarding Compliance
      • Principle Seven: Responsibilities of Internal Audit Management regarding Compliance
  • Chapter Four: Final Provisions

Chapter One

Definitions, General Provisions, and Scope of Application

1. Definitions

For the purpose of applying the provisions of these Principles, the following terms and expressions - wherever they appear in these Principles - have the meanings indicated opposite each of them, unless the context dictates otherwise:

  • The Bank: The Saudi Central Bank.
  • The Principles: Compliance Principles for Finance Companies and Real Estate Refinance Companies.
  • The Company: A finance company or real estate refinance company licensed by the Bank.
  • The Board: The Board of Directors of the Company.
  • Executive Management: Persons entrusted with managing the Company's daily affairs, proposing strategic decisions, and implementing them; they are considered the senior management.
  • The Unit: The Compliance function or department in the Company, directly linked to the Audit Committee.
  • Compliance Officer: The officer or manager of the Compliance Unit in the Company.
  • Unit Staff: All personnel performing compliance duties and responsibilities from the Compliance Unit staff.
  • Regulations: The regulations applicable to the Company and its personnel.
  • Instructions: All issuances by the Bank in carrying out its supervisory and oversight role, and all issuances by other competent authorities including regulations, rules, principles, frameworks, guides, and binding circulars.
  • Non-Compliance Risks: Risks resulting in the application of penalties or regulatory measures against the Company, leading to financial losses, or damaging its reputation due to non-compliance with regulations and instructions.

2. General Provisions

a. These Principles aim to:

  1. Enhance sound practices in the Company and continuously affirm the effectiveness of compliance policies and their application.
  2. Enhance the culture of compliance, making compliance an integral part of the Company's culture, noting that this is not limited to Unit employees only, but extends to all Company personnel.
  3. Define the responsibilities of the Board of Directors, Audit Committee, Executive Management, Compliance Unit, Company employees, and Internal Audit Management regarding compliance.
  4. Establish minimum requirements to enable the Unit to perform its duties efficiently, professionally, and effectively.

b. These Principles do not derogate from the requirements imposed on finance companies and real estate refinance companies under other related regulations and instructions, including but not limited to:

  • The Financing Companies Supervision System and its Executive Regulations.
  • The Real Estate Financing System and its Executive Regulations.
  • The Anti-Money Laundering System and its Executive Regulations.
  • The Combating Terrorism Financing System and its Executive Regulations.
  • Rules regulating real estate refinance companies.
  • Rules governing crowdfunding activities.
  • Rules regulating deferred payment companies (BNPL).
  • Rules combating fraud in finance companies.
  • Key Governance Principles for Financial Institutions subject to the supervision and oversight of the Saudi Central Bank.
  • Principles of Conduct and Business Ethics in Financial Institutions.
  • Principles and Rules for Protecting Customers of Financial Institutions.
  • Appointment Requirements for Leadership Positions in Financial Institutions subject to the supervision of the Saudi Central Bank.
  • Controls and Procedures for Collecting from Individual Customers.
  • Controls for Establishing Customer Due Diligence at Finance Companies.
  • Anti-Money Laundering and Combating Terrorism Financing Guide.
  • Whistleblowing Policy for Financial Institutions.

3. Scope of Application

a. The provisions of these Principles apply mandatorily to finance companies and real estate refinance companies.

b. These Principles apply on a voluntary basis to companies supporting the financing activity and real estate lease contract registration companies. The Bank may, at any time, mandate all or part of the provisions of these Principles.

Chapter Two

Duties and Responsibilities of the Board, Audit Committee, and Executive Management regarding Compliance

Principle One: Duties and Responsibilities of the Board regarding Compliance

  1. Subject to the duties and responsibilities of the Board of Directors outlined in related regulations, rules, and instructions issued by the Bank, the Board is responsible for the following:
     a. Supporting and promoting values of honesty and integrity throughout the Company.
     b. Ensuring the existence of an effective Compliance Unit and working to develop it, ensuring the independence of this Unit from other departments, granting it appropriate authorities and resources, training its staff, and developing their capabilities and skills in this field.
     c. Approving a written Compliance Policy detailing the authorities, obligations, and responsibilities of the Compliance Unit, as well as compliance programs and related procedures.
     d. Appointing the Compliance Officer based on the recommendation of the Audit Committee and after obtaining a letter from the Bank stating no objection to such appointment.
     e. Accepting the resignation of the Compliance Officer based on the approval of the Audit Committee and notifying the Bank thereof.
     f. Establishing clear boundaries for responsibility and accountability, binding all Company personnel to them, and ensuring complete separation of responsibilities at the Executive Management level.
     g. Reviewing the periodic compliance report submitted by the Compliance Officer.

Principle Two: Duties and Responsibilities of the Audit Committee regarding Compliance

  1. Subject to the duties and responsibilities of the Audit Committee outlined in related regulations, rules, and instructions issued by the Bank, the Committee is responsible for the following:
     a. Reviewing and discussing the periodic compliance report submitted by the Compliance Officer, documenting actions taken regarding it, resulting decisions, and reporting it to the Board.
     b. Verifying the application of the Board-approved Compliance Policy, evaluating its effectiveness, updating it, and proposing necessary amendments annually.
     c. Approving the plan detailing the main activities and operations of the Unit and updating it annually based on the Compliance Officer's input.
     d. Providing recommendations to the Board for the appointment of the Compliance Officer, stating the reasons and justifications for such appointment.
     e. Approving the request for the resignation of the Compliance Officer.
     f. Evaluating the Compliance Officer according to the plan approved by the Company.
     g. Evaluating the effectiveness of compliance policies and procedures, the reporting mechanism, and adherence to them annually, and providing recommendations to the Unit for improvement before Board approval.
     h. Reviewing and approving the risk-based compliance program followed by the Unit in its operations.
     i. Reviewing the Bank's report results and verifying that the Company has taken necessary actions regarding them.
     j. Reporting to the Board matters deemed necessary to take action on, and providing recommendations on the actions to be taken.
     k. Verifying the Company's compliance with related regulations, rules, policies, and instructions, and taking necessary actions to improve the level of regulatory compliance in the Company.
     l. Verifying that the number of Unit staff is sufficient relative to the size of the Company's business and its business model.

Principle Three: Duties and Responsibilities of Executive Management regarding Compliance

  1. Subject to the duties and responsibilities of Executive Management outlined in related regulations, rules, and instructions issued by the Bank, Executive Management is responsible for the following:
     a. Adhering to prevailing regulations and instructions, and taking necessary measures and controls to prevent violation of their provisions.
     b. Establishing an independent unit responsible for compliance duties and clarifying its role to all Company personnel.
     c. Creating an atmosphere of trust and cohesion in the relationship between the Unit and other departments, and taking necessary measures to achieve this.
     d. Preparing a written Compliance Policy to be approved by the Board of Directors, detailing the Unit's authorities, obligations, and responsibilities, as well as related compliance programs.
     e. Including guarantees for compliance with related regulations and instructions in the Company's internal regulations.
     f. Establishing a written regulatory policy containing work guides and operational procedures, updating it continuously to align with changes, and notifying relevant employees in a manner and time that allows them to comply with it; such policies must include rules governing compliance with related regulations and instructions.
     g. Providing appropriate training to Company employees annually and monitoring it periodically, to keep pace with developments in their fields of work and ensure the effective performance of their duties and responsibilities, contributing to achieving compliance.
     h. Supporting the Unit in performing its duties, including those related to combating money laundering and terrorism financing, by qualifying personnel, technical systems, information, and budget to effectively implement, manage, and monitor the requirements of the anti-money laundering and terrorism financing program, if the AML/CTF unit is subordinate to the Compliance Unit.

Chapter Three

Characteristics, Duties, and Responsibilities of the Unit

Principle Four: Key Characteristics of the Unit

Independence

  1. The concept of independence encompasses the following elements:
     a. The Unit must have an official status within the Company.
     b. The Unit must be functionally linked to the Audit Committee and administratively linked to Executive Management.
     c. The Compliance Officer and Unit staff must enjoy independence in performing their assigned duties, and they are not permitted to perform any other administrative tasks.
     d. The Compliance Officer and Unit staff must have the authority to access and review all information and documents, and to communicate with Company personnel to the extent necessary to fulfill their responsibilities.
     e. Other departments must not interfere in the Unit's work, without compromising the Unit's cooperation with other departments to serve compliance objectives.

Compliance Officer

  2. The selection and nomination of the Compliance Officer are subject to the appointment requirements for leadership positions issued by the Bank, and any further issuances by the Bank in this regard.
  3. The Compliance Officer must possess the necessary knowledge and skills to perform the Unit's duties and maintain its effectiveness. To achieve this, the following must be available:
     a. Holding a Compliance Certification in the finance companies sector, except for those appointed to fill the position temporarily.
     b. Extensive experience in the financing sector and understanding of all regulations and instructions related to various financing operations and other related regulations.
  4. The Compliance Officer must submit a periodic compliance report to the Audit Committee. The report must include risks facing the Company related to non-compliance, key findings resulting from reviewing departmental operations during the reporting period, and an analysis and evaluation of the effectiveness of existing compliance-related operations and procedures, along with proposals for any amendments or changes related to these duties.
  5. The Compliance Officer has the authority to hold periodic meetings with Executive Management and managers of other departments and units to discuss compliance application according to related regulations and instructions.
  6. The Compliance Officer has the authority to meet with the Audit Committee during the period of submitting periodic compliance reports, to evaluate the effectiveness and capability of Company management in managing non-compliance risks.
  7. The Compliance Officer has the authority to verify any potential non-compliance instances, and may request support from internal specialists (such as Internal Audit), or involve an external specialist to perform the task if necessary.

The Compliance Officer has the authority to communicate directly with relevant parties, whether the Board, Executive Management, or the Audit Committee, in the event of any observations or violations.

Unit Staff

  8. The number of Unit staff must be sufficient and commensurate with the Company's business model and size. Unit staff are not linked in their performance of duties to anyone other than the Compliance Officer.
  9. Unit staff must possess appropriate qualifications and experience to perform their job duties, and keep pace with developments in their field of work.
  10. Unit staff must have a thorough understanding of instructions and their impact on the Company's operations.

Principle Five: Duties and Responsibilities of the Unit

  1. The Unit is responsible, including but not limited to, for the following duties and responsibilities:
     a. Cooperating and communicating effectively with regulatory and supervisory authorities, considering their communicated observations to identify deficiencies periodically, and coordinating with other departments to address and correct them.
     b. Identifying, conveying, and explaining related regulations and instructions to other departments and units immediately upon receipt from regulatory authorities, and ensuring their inclusion in the policies and work procedures of each department and unit according to their jurisdiction, and applying them within the specified timeframe.
     c. Cooperating with Company personnel and providing support and advice to them in their daily compliance-related work.
     d. Identifying all non-compliance risks, methods to avoid them, providing advice on them, dealing with them, and monitoring their developments.
     e. Analyzing new policies, procedures, and operations, and providing necessary recommendations to deal with non-compliance risks.
     f. Following a risk-based compliance program, and including the results achieved in the periodic compliance report.
     g. Collecting compliance-related complaints, and preparing written guidelines for employees whenever necessary.
     h. Preparing internal policies and procedures to combat financial crimes such as money laundering, terrorism financing, and fraud, and testing their effectiveness in line with developments and updates.
     i. Monitoring compliance with anti-money laundering and terrorism financing regulations, rules, and codes.
     j. Raising awareness of compliance issues, and training employees on their topics through periodic programs, and clarifying the risks of non-compliance with regulations and instructions.
     k. Notifying the Bank and the Audit Committee immediately upon discovering any violations or breaches resulting from non-compliance.
     l. Reviewing the work of the Customer Due Diligence Management at least semi-annually to ensure the soundness of the department's operations, except for real estate refinance companies.
     m. Reviewing the work of the management concerned with collection procedures and/or the third party entrusted with collection duties at least annually to ensure the soundness of procedures and their compliance with controls and procedures for collecting from individual customers and related instructions, noting that the review of the management concerned with collection procedures does not apply to real estate refinance companies.
     n. Establishing methods to measure non-compliance risks quantitatively and qualitatively, and using these measures to support the assessment and management of non-compliance risks and working to address them; technology can be used as a means to set risk indicators by aggregating or filtering data that may indicate potential non-compliance risks - including but not limited to - an increase in customer complaints, fraud cases, reports, penalties and sanctions imposed, and determining the need for additional measures to deal with them.
     o. Creating a database for all instructions, classifying them according to the work of each department or unit, updating them continuously, and enabling all Company employees to access and benefit from them permanently.
     p. Recommending approval of contracts with external service providers and verifying their compliance with related instructions.

Principle Six: Responsibilities of Company Employees regarding Compliance

  1. Company employees are responsible for adhering to and implementing policies, procedures, and controls issued by relevant regulatory and supervisory authorities.
  2. Company employees must refer regulatory and supervisory inquiries received from competent authorities to the Unit, and no employee is permitted to respond to any regulatory or supervisory inquiry or provide these authorities with any information requested except through the Unit, unless authorized to do so. Company employees must cooperate in providing documents that support the Unit in answering inquiries.
  3. Approval from the Unit, in addition to other relevant departments, must be obtained before launching products and services that the Company will offer to its individual customers or microfinance beneficiaries, prior to applying for the Bank's no-objection letter, documenting that the Unit has verified that the product or service does not violate related regulations and instructions.

Principle Seven: Responsibilities of Internal Audit Management regarding Compliance

  1. Subject to the duties and responsibilities of Internal Audit Management outlined in related regulations, rules, and instructions issued by the Bank, Internal Audit Management is responsible for the following:
     a. Evaluating the internal control system, and verifying the Company's and its employees' compliance with related regulations and instructions, and the Company's policies and procedures, whether operations are managed by the Company or an external service provider.
     b. Reviewing the main activities and operations of the Unit at least annually according to the plan approved by the Audit Committee, and updating this plan annually.
     c. Conducting regular evaluation processes to verify the effectiveness of policies and procedures in the Company, documenting actions taken in an appropriate manner, and including this information in the Internal Audit Management report stipulated in the Executive Regulations of the Financing Companies Supervision System.

Chapter Four

Final Provisions

  1. These Principles will be enforced 180 days after their publication on the Bank's website.