2019-12-15

SAMA Rules on Outsourcing

The Saudi Arabian Monetary Authority (SAMA) issued the First Update to its Rules on Outsourcing, aligning regulatory requirements with international best practices. The updated framework mandates that all licensed banks in Saudi Arabia amend their internal outsourcing policies within 90 days and update existing contracts to comply with the new standards within 180 days. The rules establish comprehensive governance, risk assessment, and contractual obligations for material and non-material outsourcing, including mandatory SAMA approval for material third-party arrangements, strict data confidentiality, audit access, and business continuity planning.

Saudi Arabia

Saudi Central Bank

In the name of Allah, the Most Gracious, the Most Merciful
Saudi Arabian Monetary Authority
Head Office

Banking Policy Department
No.: 41027017
Date: 18/04/1441
Attachments: 17 pages

Circular

To: Respected Banks,
Peace be upon you,
Subject: First Update to Third-Party Outsourcing Instructions.

Reference is made to the Third-Party Outsourcing Instructions issued under SAMA Circular No. 24698/B.C.S/453 dated 10/05/1430 H, and the Institution's Instructions issued under Circular No. 39100014241 dated 06/02/1439 H regarding the controls for outsourcing functions of foreign bank branches to head offices.

Attached is the First Update to the Third-Party Outsourcing Instructions, aligned with international best practices. Banks must amend their internal policies within 90 days from the date hereof, and must update all existing outsourcing contracts to comply with the updated Instructions within 180 days.

For information and action, effective from the date hereof.

Yours sincerely,

Fahd bin Ibrahim Al-Shathri
Deputy Governor for Supervision

Distribution Scope:

  • Banks operating in the Kingdom and branches of foreign banks.

P.O. Box 2992, Riyadh 11169, Telegram: MARKAZI, Telex: 404400, Tel: 4633000, Fax: 4662414


Saudi Arabian Monetary Authority Rules on Outsourcing December 2019


Table of contents

I. INTRODUCTION
   A. Background
   B. Definitions
II. APPLICABILITY OF THE RULES
   C. Level of Application
   D. Scope
   E. Related regulations and “no objections” requirements
III. GOVERNANCE
   F. Board of Directors
   G. Reporting requirements
IV. OUTSOURCING POLICY AND PROCEDURES
   H. Assessment of outsourcing options
   I. Contractual arrangements
   J. Material outsourcing
   K. Data confidentiality and security
   L. Control and monitoring of outsourcing
   M. Risk assessment
   N. Business continuity management
   O. Access to outsourced data
   P. Monitoring the relationship
   Q. Audit arrangements
   R. Documentation requirements
V. OUTSOURCING TO THIRD-PARTY SERVICE PROVIDERS LOCATED OVERSEAS
VI. OUTSOURCING FOR FOREIGN BANK BRANCHES (MATERIAL AND NON-MATERIAL)
ANNEX 1 – ANNUAL RETURN ON OUTSOURCING SERVICES PROVIDED AND RECEIVED


I. Introduction

A. Background

  1. Banks are increasingly using third party services to carry out activities, functions and processes such as outsourcing arrangements. While outsourcing can bring down cost and provide other benefits, it may increase the risk profile of an institution through such risks as strategic, reputation, compliance, financial and operational risks arising from failure of a third-party or a related party service provider in providing the service, breaches in security, or inability to comply with legal and regulatory requirements by the institution. Banks can also be exposed to country risk when a third-party or a related party service provider is located overseas and systemic risk when there is lack of control by a group of banks over a common third-party service provider. It is therefore important that banks adopt a sound and responsive risk management framework when outsourcing. These requirements aim to ensure that all outsourcing arrangements are subjected to appropriate due diligence, approval and ongoing monitoring. All risks arising from outsourcing must be appropriately managed to ensure that the bank is able to meet both its financial and service obligations to its depositors.
  2. These rules shall supersede the existing SAMA Rules on Outsourcing issued vide SAMA circular no. 34720/B.C.S dated 20 July 2008 and Outsourcing for Foreign Bank Branches issued vide SAMA circular no. 39100014241 dated 06/02/1439 H.

B. Definitions

  3. Unless otherwise stated, the key terms used in this document are set out below.

Banking agent: A legal entity authorized by SAMA to provide financial services on behalf of a commercial bank based on the Regulation of Agent Banking (circular No. 37541/67 dated 1440/06/15 H).

Board or Board of Directors:
     a) In the case of an institution incorporated in Saudi Arabia, the Board of Directors.
     b) In the case of an institution incorporated outside Saudi Arabia, a local board, a management committee or a body beyond local management empowered with oversight and supervision responsibilities for the institution in Saudi Arabia.

Customer data: Any information or document relating to the affairs or account of a customer (whether held physically or electronically, and whether held by the Bank itself or by a Third Party Service Provider on its behalf).

Financial data: All financial data including books of accounts, general and sub-ledger, financial statements and various financial data other than Customer Data.

Insourcing: An arrangement where a Bank is utilizing personnel provided under a contract with a Third Party Service Provider to undertake certain functions within or outside the Bank's premises, under its direct supervision, control and management.

Material outsourcing: Outsourcing of a function or activity that has the potential, if disrupted, to have a material impact on the bank’s business operations or its ability to manage risks effectively. Materiality can be assessed by taking the following into consideration:
     a) The financial and operational impact, and the impact on reputation, of a failure of the third party service provider to perform over a given period.
     b) The cost of the outsourcing arrangement as a share of the total cost of operations.
     c) The degree of difficulty, including the time taken, in finding an alternative third party service provider or bringing the business function or activity in-house.
     d) The ability of the bank to meet regulatory requirements if there are problems with the third party service provider.
     e) Potential losses to the bank’s customers and other affected parties in the event of a third party service provider failure.
     f) Affiliation or other relationship between the bank and the third party service provider.
     g) Sharing of any customer data, whether personal, financial or credit.
     h) Sharing of any non-published financial data with a third party service provider.
     i) The complexity of the outsourced function or activity, i.e. the number of parties involved in the function or activity, including subcontractors.

Outsourcing: An arrangement in which a bank engages another party (domestic or foreign) to perform, on a continuing basis, a business function or activity which currently is, or could be, undertaken by the bank itself.

Overseas: Entities located outside of Saudi Arabia and subject to laws and regulations of the jurisdiction in which they are located.

Third-party service provider: An entity undertaking the outsourced activity on behalf of the Bank. (Head Offices and related entities of Foreign Bank Branches operating in KSA are not considered Third-Party Service Providers.)


II. Applicability of the Rules

C. Level of Application

  4. The rules are applicable to banks licensed under the Banking Control Law (Royal Decree No. M/5 dated 22/2/1386 H), including all branches of local and foreign banks and banking subsidiaries (“Banks”) located in Saudi Arabia. The banks are required to ensure that their branches and subsidiaries located overseas are aware of these rules.

D. Scope

  5. The rules set out in this document enumerate SAMA’s requirements of banks that have entered or are planning to enter into outsourcing arrangements. These rules are applicable to all outsourcing arrangements with domestic as well as foreign third party and related party (in the case of foreign bank branches) service providers.
  6. Insourcing contracts utilizing third party personnel under the direct supervision, control and management of Banks are exempt from the purview of these outsourcing Rules.
  7. In addition to the above, the following are examples of activities that are not considered part of outsourcing arrangements:
     a) Contractual arrangements with market information data providers (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s, Fitch).
     b) Clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members.
     c) Correspondent banking relationship arrangements.
     d) Utility services (e.g. electricity, gas, water, telephone line).

E. Related regulations and “no objections” requirements

  8. When deciding to outsource any function, banks should ensure that outsourcing does not reduce the protection available to depositors and is not used as a way of avoiding compliance with regulatory requirements. It is the responsibility of the bank to continue to satisfy all regulatory and legal requirements when entering into any outsourcing arrangement.
  9. Banks are not allowed to outsource any services or activities mentioned in Article 19 of the Regulation of Agent Banking issued under circular No. 37541/67 dated 15/06/1440 H.
  10. Banks are explicitly required to obtain a written “no objection” from SAMA for Material outsourcing to Third Party Service Providers.


III. Governance

F. Board of Directors

  11. The Board of Directors of the bank retains the ultimate responsibility for the outsourcing policy and all outsourcing arrangements, including compliance with all relevant legal and regulatory requirements. The bank and the Board are responsible for complying with all prudential requirements relating to the outsourced business activity.
  12. The Board of Directors should ensure that appropriate policies are developed and implemented within the proper risk management framework for outsourcing arrangements. The Board or its delegated authority must approve the bank’s outsourcing policy, which must set out its approach to outsourcing of Material business activities, including a detailed framework for managing all outsourcing arrangements.

G. Reporting requirements

  13. Banks are required to notify SAMA of any breaches of legal or regulatory requirements in their outsourcing arrangements. In such an event, SAMA may require the bank to modify or cancel the arrangement, or to re-integrate an outsourced function into the organization.
  14. All Banks are required to provide an annual report of their outsourcing activities, using the prudential return in Annex 1, as of the end of each year and within 30 business days thereafter, to be sent to BankingDataSection@SAMA.GOV.SA.

IV. Outsourcing Policy and Procedures

  15. The policy and procedures should cover, at minimum, all requirements stated below.

H. Assessment of outsourcing options

  16. Banks must be able to demonstrate to SAMA that, in assessing the options for outsourcing a Material business function or activity to a third party, they have:
     a) Prepared and analyzed a business case for outsourcing the Material business function or activity;
     b) Analyzed the impact of the outsourcing on the overall risk profile and its impact on systems and controls within the bank;
     c) Undertaken a tender or other selection process for third-party service providers;
     d) Undertaken a due diligence review of the chosen third-party service provider and its financial, technical and ethical capabilities;
     e) Considered the risk arising from outsourcing multiple activities to the same third-party service provider;
     f) Involved the Board, its delegated authority or a Board committee in approving the agreement;
     g) Put in place a comprehensive outsourcing agreement;
     h) Established procedures for monitoring performance under the outsourcing agreement on a continuing basis;
     i) Addressed the renewal process for outsourcing agreements and how the renewal will be conducted; and
     j) Developed contingency plans that would enable the outsourced business function or activity to be provided by an alternative third party service provider or brought in-house, if required.
  17. Banks are required to ensure that the process of awarding outsourcing contracts is free from any conflict of interest. Banks must declare to SAMA any affiliation or relationship with the third party service provider.

I. Contractual arrangements

  18. Banks should document all their outsourcing arrangements through a written and legally binding agreement. As a minimum, the contract should incorporate the following:
     a) Scope of the contract;
     b) Regulatory status (legal entity and registration) of the third party service provider;
     c) Service levels and performance requirements;
     d) Audit and monitoring procedures;
     e) Business continuity plans;
     f) Default arrangements, termination clause and minimum periods to execute termination provisions. The clause should take into account insolvency or any material changes;
     g) Pricing and fee structure;
     h) Dispute resolution mechanisms;
     i) Liability and indemnity;
     j) Confidentiality, privacy and security of information;
     k) Ensuring access to SAMA and the Bank’s internal and external auditors;
     l) Compliance with all applicable regulatory and legal requirements;
     m) Contractual obligations of the third-party service provider in case of subcontracting all or part of the outsourcing;
     n) Mechanisms for reporting and escalation;
     o) Commitment of the third-party service provider to report to the bank any control weaknesses or adverse developments in its financial performance;
     p) Commitment of a foreign third-party service provider that there are no regulatory impediments to the data and record access required under Articles 33 and 34 of these rules.
  19. The contract should allow for renewal, renegotiation, default termination and early exit, to enable the bank to retain control over the outsourced function or activity, and should include provisions that prohibit sub-contracting of the Material outsourcing under the contract without the prior approval of the Bank and a no objection from SAMA.
  20. The contract should also incorporate a clause providing SAMA access to documentation and accounting records in relation to the outsourcing arrangements. The contract should require the third-party service provider to cooperate with SAMA.
  21. The contract should preferably specify Saudi Arabia as the legal jurisdiction of the contract.
  22. Banks should institute a defined internal mechanism for the receipt and resolution of any customer complaints regarding their outsourced services, and the outsourcing contract should include appropriate clauses to ensure that the third party service provider will facilitate the resolution mechanism.

J. Material outsourcing

  23. Proposals for all Material outsourcing should be submitted in writing for SAMA no objection at least 15 business days (for domestic banks) or 30 days (for foreign banks) before the proposed commencement of the outsourcing arrangement.

K. Data confidentiality and security

  24. Banks should ensure that, prior to providing customer and financial data to a third-party service provider, the proposed outsourcing arrangement complies with the relevant statutory requirements related to the confidentiality of its customers, in particular the provisions of Article 19 of the Banking Control Law dated 22/2/1386 H, the regulations and instructions issued by SAMA, and other relevant local laws.
  25. Banks should establish appropriate safeguards to protect the integrity and confidentiality of customer and financial data.


  26. Upon termination of the outsourcing arrangement and contract, banks should ensure that any sensitive/confidential data is either retrieved from the third-party service provider or destroyed in a controlled manner, with any exceptions to be reported immediately to SAMA.

L. Control and monitoring of outsourcing

  27. Banks should set up an internal structure to effectively control, monitor and manage all of their outsourcing activities, and to provide timely reports to senior management, depending on the level and complexity of the outsourcing activities.
  28. In case of poor performance by a third-party service provider, banks must account for the potential additional costs that may accrue if the bank decides to change the third party service provider, move the activity in-house or even exit the business. Banks should negotiate these eventualities and specify them in the contract.

M. Risk assessment

  29. The Board of Directors should ensure the existence of relevant policies and procedures that require existing and proposed outsourcing arrangements to be subjected to a comprehensive risk review process. The risk review process should identify and evaluate the exposure relating to operational, legal, financial, reputation and regulatory risks and assess the risk mitigation strategies. This should be undertaken by:
     a) Conducting a comprehensive risk evaluation of the outsourcing at inception and for all subsequent renewals.
     b) Evaluating the risk of outsourcing at inception and then reviewing it at renewal only in case of a change in scope or the occurrence of operational errors etc.
  30. In analyzing the business case and the suitability of the third-party service provider, the level and extent of due diligence should depend on the nature of the outsourcing arrangement, i.e. Material outsourcing will entail a more comprehensive exercise. At a minimum:
     a) Banks should ensure that the third-party service provider has the ability, capacity and authorization to perform the outsourced function reliably and professionally.
     b) Banks must establish a method for periodically assessing the third-party service provider.
     c) The Bank must retain the necessary expertise to supervise the outsourced functions effectively.


N. Business continuity management

  31. Banks should ensure that their business continuity is not compromised by any outsourcing arrangement. For all Material outsourcing, banks should have a separate contingency plan for each outsourcing arrangement, which outlines the procedures to be followed in the event that the arrangement is suddenly terminated or the third-party service provider is unable to fulfill its obligations under the outsourcing agreement for any reason.
  32. Banks should document within their business continuity plans the availability of alternate third-party service providers, or the procedures and time for selecting an alternative third-party service provider. In addition, banks must set out a procedure to follow if they choose to bring the outsourced function in-house, for each of their Material outsourcing contracts.

O. Access to outsourced data

  33. Banks are required to ensure that, for all outsourcing arrangements, SAMA has unrestricted and timely access to current and accurate records pertaining to the outsourcing, as per Articles 17 and 18 of the Banking Control Law dated 22/2/1386 H (11/6/1966).
  34. Banks are also required to ensure that, for all outsourcing arrangements, SAMA has unrestricted access to data pertaining to the outsourcing if located at the premises of the third-party service provider, and that SAMA and the Banks’ auditors are able to exercise those rights of access.

P. Monitoring the relationship

  35. Banks must ensure they have sufficient and appropriate resources to manage and monitor the outsourcing relationship. The type and extent of resources required will depend on the materiality of the outsourced business function or activity. At a minimum, monitoring must include:
     a) Maintaining appropriate levels of regular contact with the third-party service provider. This will range from daily operational contact to senior management involvement; and
     b) A process for regular monitoring of performance under the agreement, including meeting criteria concerning service levels.
  36. Banks should immediately report to SAMA any breaches of legal or regulatory requirements or any adverse developments and problems affecting the outsourcing arrangement. The report should also include measures proposed and taken for continuity of the service.


  37. Where a Material outsourcing agreement is terminated, banks must notify SAMA immediately and provide a statement about the transition arrangements and future strategies for carrying out the outsourced Material business function or activity.

Q. Audit arrangements

  38. Banks’ internal audit function must audit Material outsourced activities on a regular basis and report to the Board or Board Audit Committee on compliance with the outsourcing policy.
  39. SAMA may request an appropriate external expert to provide an assessment of the risk management processes in place in regard to the outsourcing of a Material business function or activity. This could cover areas such as information technology systems, data security, internal control frameworks and business continuity plans.

R. Documentation requirements

  40. Banks are required to keep a register of all their outsourcing arrangements. The documentation for each outsourcing arrangement should include at least the following information:

With regard to the outsourcing arrangement:
     a) A reference number for each outsourcing arrangement;
     b) A brief description of the function that is outsourced;
     c) Whether it is considered Material or not, the reasons why it is considered as such and the date of the last respective assessment; and
     d) Whether or not personal and confidential data is processed, transferred or held by the third party service provider.

With regard to the third party service provider:
     a) Their name and registered address; and
     b) Location of the third party service provider.

In addition, the outsourcing register should include at least the following information with regard to the outso