Regulatory Alerts2021-04-18
Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom
The Saudi Central Bank (SAMA) issued this circular to mandate minimum control and awareness measures for branch and customer service employees in banks operating across the Kingdom. The directive requires financial institutions to implement robust information security policies, enforce strict access controls and password management, monitor employee system usage for at least five years, and conduct periodic awareness campaigns and audits to mitigate operational risks and protect customer data. Banks must align these measures with existing regulatory guides, ensure privileged access is restricted to authorized personnel, and maintain alternative business continuity plans to safeguard against unauthorized data breaches.
==Start of PDF==
[Saudi Central Bank Logo] Saudi Central Bank
Ref: 42063179 Date: 1442/09/06 Attachments: 6 pages
Circular
Respected Banks, Peace be upon you,
Subject: Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom.
Based on the authorities vested in the Saudi Central Bank under relevant regulations and instructions, and in line with the Bank's regulatory and supervisory role to enhance the protection of customer privacy for financial institutions under its supervision and their employees, and the continuous improvement and enhancement of sound practices in banks.
Enclosed herewith are the Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom, which aim to limit operational risks related to interactions with banking systems and ensure that operations are executed in accordance with regulations, instructions, and approved authorities to protect banks and customers from losses.
For information and implementation before the end of Q3 2021. Yours sincerely,
[Signature] Fahd bin Ibrahim Al-Shathri Deputy Governor for Supervision
Distribution Scope:
- Banks operating in the Kingdom.
P.O. Box 2992 Riyadh 11169, Kingdom of Saudi Arabia Tel: +966 11 463 3000
==Screenshot for page 2== Kingdom of Saudi Arabia Saudi Arabian Monetary Authority (SAMA) Headquarters, Riyadh
Alert Attachments sent via email. Circular Sent via Email
==Screenshot for page 3== Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom
April 2021
[Saudi Central Bank Logo] Saudi Central Bank
==Screenshot for page 4== Table of Contents
First: Introduction ................................................................................................................................... 3 A. Objective ........................................................................................................................................ 3 B. Scope ...................................................................................................................................... 3 Second: Definitions ................................................................................................................................. 3 Third: Control Measures ........................................................................................................................ 3 Fourth: Awareness Measures ...................................................................................................................... 5 Fifth: General Provisions ............................................................................................................................. 6
| Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom | Version No. | Issue Date | Page No. |
|---|---|---|---|
| 1.0 | April 2021 | 2-6 |
==Screenshot for page 5== First: Introduction
A. Objective These measures aim to establish the minimum control and awareness measures for branch and customer service employees in banks operating in the Kingdom that must be adhered to, in order to limit operational risks related to interactions with banking systems and ensure that operations are executed in accordance with regulations, instructions, and approved authorities to protect banks and customers from losses.
B. Scope These measures apply to banks operating in the Kingdom, without prejudice to any other related regulations or instructions, including but not limited to: the Information Security Regulatory Guide and the Business Continuity Management Regulatory Guide.
Second: Definitions The following words and phrases, wherever used in these measures, carry the meanings indicated next to each of them, unless the context dictates otherwise: SAMA: Saudi Central Bank. Banks: Banks operating in the Kingdom. Branches: Branches of commercial banks operating in the Kingdom. Employees: Branch and customer service employees. Customers: Bank customers.
Third: Control Measures Banks must comply with the required maturity level of the Information Security Regulatory Guide and the Business Continuity Management Regulatory Guide, taking into consideration the following:
- The information security policy must include aspects related to employees' information security activities, and be reviewed periodically, at a minimum: a. Access rights to banking systems, and verification of the identity of those accessing the system.
| Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom | Version No. | Issue Date | Page No. |
|---|---|---|---|
| 1.0 | April 2021 | 3-6 |
==Screenshot for page 6== b. Linking banking system rights to job grades and defining the authority level for each grade. c. Password management, including: 1- Passwords must consist of numbers, letters, and symbols. 2- Passwords must be changed every three months. 3- If employees enter banking system login credentials incorrectly three consecutive times, the username is suspended and restored only according to specific procedures per the bank's internal policy. 4- Employees must be reminded to maintain user accounts or login credentials and not disclose or share them. d. Restricting access to devices and systems used in banks according to adopted information security best practices and business needs based on the "Need-to-Know" principle, including but not limited to: hiding customer balances from employees whose tasks do not require knowledge of the balance. e. Defining security practices and policies to maintain information confidentiality. f. Identifying unsafe and unsound banking practices. g. Developing scenarios to detect suspicious transactions upon system access. h. Prohibiting the copying or sharing of data, or installing software, without the authorized person's approval. i. Establishing login, closing, and saving procedures, and confirming the closure of data screens when not in use. j. Authentication and access controls must be risk-based, depending on the sensitivity of the systems and data to be accessed. 2. Periodic review of minimum access rights to banking systems, operations, and bank account data, documented in periodic audit logs. 3. Hiding signatures and balances of all accounts that are unclaimed or dormant. 4. Monitoring employee accounts designated for accessing banking systems, and automatically storing all login information to bank account data for a minimum of (5) years, which must include at a minimum: a. Employee name and ID number. b. Internet Protocol "IP Address".
| Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom | Version No. | Issue Date | Page No. |
|---|---|---|---|
| 1.0 | April 2021 | 4-6 |
==Screenshot for page 7== c. Login date and time. d. Authority/Role. e. Authentication method. f. Action performed. 5. Establishing all necessary technical and security controls that enable accurate identification of the employee using a computer or any banking system. 6. Restricting access to banking systems via branch computers after official working hours, and establishing necessary precautionary controls when accessing banking systems outside official working hours. 7. Ensuring the availability of alternative plans and solutions to ensure business continuity and enable secure access to banking systems. 8. Taking necessary measures if unauthorized persons are found accessing customer data. 9. Verifying that access rights for privileged administrative employees and key personnel are restricted, and limiting specialist staff (such as IT and technical support) to network maintenance without accessing confidential customer information. 10. In case of branch system maintenance, verifying that the specialized branch maintenance team is among the staff whose names are submitted by the competent management before commencing the required work, with adequate control measures in place.
Fourth: Awareness Measures Banks must comply with the following:
- Establishing a specific policy for the safe use of banking systems, and a mechanism for handling usernames and passwords for accessing these systems, which must be reviewed periodically.
- Raising employee awareness of the need to ensure they are not being observed when entering their username or password.
- Training and qualifying employees with a minimum of information security domain knowledge.
- Periodic employee awareness of instructions issued by SAMA and banks' policies, particularly regarding information confidentiality and data related to customer accounts, and penalties for non-compliance through continuous awareness campaigns and bulletins at a minimum of once every three months.
| Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom | Version No. | Issue Date | Page No. |
|---|---|---|---|
| 1.0 | April 2021 | 5-6 |
==Screenshot for page 8== 5. Periodic employee awareness in information security and financial fraud prevention through continuous awareness campaigns and bulletins at a minimum of once every three months. 6. Conducting periodic tests and surveys (Survey) of employees at a minimum of once every six months to verify the efficiency and effectiveness of the awareness measures mentioned in items (4) and (5) above. 7. Obtaining employee acknowledgment upon commencing work, annually (physically or electronically), of reviewing and complying with all policies related to the safe use of banking systems and the mechanism for handling usernames and passwords.
Fifth: General Provisions
- These measures are to be read together with all related regulations and instructions.
- These measures constitute a minimum for banks to activate the supervisory and awareness aspects regarding employees.
- Current policies, guides, and procedures must be reviewed and developed periodically to ensure alignment with these measures and related instructions.
- Assigning one of the supervisory departments (Internal Audit or Compliance) to conduct periodic inspections or reviews (maximum every two years) to verify the application of requirements in these measures.
| Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom | Version No. | Issue Date | Page No. |
|---|---|---|---|
| 1.0 | April 2021 | 6-6 |