2019-01-13
The Saudi Central Bank (SAMA) issued the Rules on Outsourcing for Finance Companies to establish a comprehensive regulatory framework governing how licensed finance companies outsource tasks to external service providers. The Rules mandate that finance companies implement a Board-approved outsourcing policy, conduct thorough risk assessments, secure written non-objection from SAMA for core tasks, and ensure strict contractual safeguards covering data privacy, business continuity, audit rights, and compliance monitoring. Finance companies are granted a 180-day transition period to align their policies and a 365-day period to regularize existing contracts, with non-compliance constituting a violation of the Finance Companies Control System.
In the Name of Allah, the Most Gracious, the Most Merciful
Saudi Central Bank (SAMA)
Head Office
General Directorate for Supervision of Finance Companies
Circular
Dear Sirs, Peace, mercy, and blessings of Allah be upon you,
Subject: Decision on the Adoption of the Rules on Outsourcing for Finance Companies.
With reference to the powers granted to the Saudi Central Bank under the Finance Companies Control System issued by Royal Decree No. (M/51) dated 13/08/1433H, and pursuant to Article Two of the Executive Regulations of the Finance Companies Control System issued by Governor's Decision No. 2/M.S.T dated 14/04/1434H, which stipulates that "the Bank shall regulate the financing sector and supervise the operations of finance companies in accordance with the System and Regulations, including the following: 4- Issuing the necessary rules and instructions to regulate the work of the financing sector," we hereby inform you of the issuance of His Excellency the Governor's Decision No. 73/M.S.T dated 24/04/1440H, which approves the Rules on Outsourcing for Finance Companies.
For your information and compliance.
Yours sincerely,
Fahd bin Ibrahim Al-Shathry
Deputy Governor for Supervision
Distribution Scope
Rabi' Thani 1440H / December 2018
| Part |
|---|
| Chapter One |
| 1- Definitions |
| Chapter Two: Application of the Rules |
| Chapter Three: Responsibility and Compliance |
| Chapter Four: Outsourcing Policy to an External Service Provider |
| Chapter Five: Contract Requirements |
| Chapter Six: Requirements for Outsourcing to an External Service Provider |
| Chapter Seven: Monitoring and Follow-up |
| Chapter Eight: Final Provisions |
| Appendix (1): Examples of Core Tasks (Non-exhaustive) |
| Appendix (2): Examples of Non-Core Tasks (Non-exhaustive) |
1- Definitions
a- The words and expressions used in these Rules shall have the meanings assigned to them in the Finance Companies Control System and its Executive Regulations.
b- For the purpose of applying the provisions of these Rules, the words and expressions below shall have the meanings specified opposite each of them, unless the context otherwise dictates:
Rules: Rules on Outsourcing for Finance Companies.
Outsourcing tasks to an external service provider: Any contract or agreement under which an external service provider undertakes to perform tasks for a finance company.
External service provider: Any service provider to whom tasks are outsourced, whether it is a member of the group to which the finance company belongs, a related party, or an independent third party with no affiliation.
Core tasks: Any tasks whose breach or suspension would impact the finance company's operations, reputation, or financial standing, or if the tasks outsourced to the external service provider involve sharing, transferring, processing, or storing beneficiary data and information.
Chapter Two: Application of the Rules
2- These Rules specify the regulatory requirements for finance companies licensed under the Finance Companies Control System issued by Royal Decree No. (M/51) dated 13/08/1433H, which have entered into or intend to enter into contracts/agreements for outsourcing tasks to an external service provider.
3- These Rules must be read in conjunction with the Finance Companies Control System and its Executive Regulations, as well as all related systems, regulations, instructions, controls, and rules.
Chapter Three: Responsibility and Compliance
4- The finance company shall prepare a written policy governing the outsourcing of tasks to external service providers, which must be approved by the Board of Directors and updated annually.
5- The finance company shall establish internal controls and procedures to ensure compliance with these Rules.
6- The finance company shall verify the external service provider's compliance with applicable systems, regulations, and instructions. The finance company shall not be exempt from responsibility if the external service provider fails to comply with applicable systems, regulations, and instructions in any of the operations and tasks outsourced to it.
7- The finance company shall ensure that all existing and proposed outsourcing contracts/agreements have undergone a comprehensive risk review at the time of contracting and renewal. This process must evaluate key risk factors, particularly operational, legal, reputational, and regulatory risks.
8- The Bank, the external auditor, and the finance company shall have the right to obtain or access any information or documents related to the external service provider's operations at its premises.
9- The finance company shall exercise due diligence to verify that the external service provider holds the necessary licenses to conduct its business and possesses the required technical and regulatory qualifications.
10- Without prejudice to Article (34) of the Executive Regulations of the Finance Companies Control System, the finance company shall maintain all documents demonstrating compliance with these Rules, including outsourcing contracts, agreements, and the outsourcing policy, in an organized, transparent, and secure manner.
Chapter Four: Outsourcing Policy to an External Service Provider
11- The finance company shall implement appropriate preventive measures to protect the confidentiality of beneficiary data and information and prevent unauthorized disclosure. It shall also be authorized to recover or destroy all beneficiary data and information upon termination or cancellation of the outsourcing contract for any reason.
12- The outsourcing policy to an external service provider shall specifically include the following:
a- The authorities and responsibilities of the Board of Directors and senior management regarding outsourcing tasks to an external service provider.
b- Identification of permissible outsourced tasks, determination of the external service provider's qualification criteria, and exercising due diligence in this regard, particularly concerning:
Chapter Five: Contract Requirements
13- The finance company shall document the outsourcing of tasks through a written, legally binding contract or agreement with the external service provider, consistent with applicable regulatory requirements. The contract or agreement shall include, at a minimum, the following:
a. Parties to the contract or agreement.
b. Scope of the contract or agreement.
c. Duration of the contract or agreement.
d. Nature of the task and performance requirements.
e. Audit, monitoring, and review procedures.
f. Business continuity plans.
g. Arrangements for addressing performance deficiencies.
h. Pricing and fee structure.
i. Dispute resolution mechanism.
j. Liability and compensation.
k. The external service provider's commitment to information confidentiality and privacy.
l. Confirmation of compliance with applicable systems, regulations, rules, and instructions.
m. Reporting mechanism.
n. The external service provider's commitment to notify the finance company within the period agreed upon in the contract or agreement of any control weaknesses or negative developments in its financial performance that may lead to a breach of its obligations stipulated in the contract or agreement.
o. The external service provider's commitment that there are no regulatory obstacles preventing the finance company from accessing and reviewing data and records related to the outsourced tasks.
p. The external service provider's commitment to return or destroy all data related to the outsourced tasks upon expiration or termination of the contract or agreement, unless regulatory requirements mandate retention.
q. Implications of contract/agreement renewal, renegotiation, termination, and early exit, enabling the finance company to control the outsourced tasks. Establishing necessary arrangements to handle non-compliance with contract/agreement terms or in case of contract/agreement termination.
r. The Bank's, external auditor's, and finance company's right to obtain or access any information or documents related to the external service provider's operations at its premises.
s. The external service provider's commitment not to subcontract core tasks.
t. A provision stating that the judicial authorities in the Kingdom of Saudi Arabia are the competent judicial authority to resolve any dispute arising from the interpretation or execution of this contract or agreement, and any exception to this is subject to the Bank's prior non-objection.
u. A provision specifying the governing language in case of discrepancies in contracts or agreements drafted in multiple languages.
Chapter Six: Requirements for Outsourcing to an External Service Provider
14- The finance company shall individually assess each proposed outsourced task qualitatively and quantitatively, and classify tasks as core or non-core, before submitting a non-objection request to the Bank for outsourcing.
15- The finance company shall request the Bank's written non-objection prior to outsourcing any core tasks or renewing them (in case of material amendments to the contract or agreement) at least 30 business days before the proposed start or renewal date of the contract or agreement.
16- The finance company shall submit a non-objection letter to the Bank for outsourcing core tasks, containing at a minimum the following information:
a. Details of the task to be outsourced.
b. Reason and justification for outsourcing.
c. Details of the external service provider (e.g., name, address, commercial registration).
d. Any other information or documents requested by the Bank.
Chapter Seven: Monitoring and Follow-up
17- The finance company shall establish appropriate internal procedures to manage and monitor all its outsourcing-related activities and report to senior management in a timely manner.
18- The finance company shall ensure that its operational continuity is not jeopardized by outsourcing contracts or agreements. The finance company must have an emergency plan outlining procedures to be followed in the event of sudden termination of any outsourcing contracts or agreements, or if the external service provider is unable to fulfill its obligations for any reason. The finance company shall also document its business continuity plans, particularly regarding the availability of an alternative external service provider or procedures to bring the outsourced task back in-house.
Chapter Eight: Final Provisions
19- The finance company shall comply with the following:
a- Establish or update the outsourcing policy to an external service provider, ensure its compliance with these Rules, and provide the Bank with a Board-approved copy within (180 days) from the date of circulation of these Rules.
b- Review all existing outsourcing contracts/agreements to ensure compliance with these Regulations, and obtain the Bank's non-objection for outsourced core tasks within (365 days) from the date of circulation of these Rules or upon contract/agreement renewal, whichever is sooner.
c- Notify the Bank in the event of any legal or regulatory violation in outsourcing contracts or agreements.
20- The Bank may restrict granting non-objection to the finance company for outsourcing core or non-core tasks to an external service provider for a specific period, specific task, specific geographic area, or specific external service provider, whenever the Bank deems it necessary.
21- The Bank has the right to require the finance company to review, modify, or cancel an outsourcing contract or agreement in case of violation of these Rules or any related systems, regulations, rules, or instructions.
22- The Bank may exempt certain operations and activities from some of the provisions stipulated in these Rules whenever the Bank deems it necessary.
23- Failure to comply with the requirements stipulated in these Rules constitutes a violation of the Finance Companies Control System and its Executive Regulations.
24- These Rules shall take effect after (180 days) from the date of their circulation, and shall be published on the Bank's website.
Appendix (1): Examples of Core Tasks (Non-exhaustive):
1- External auditor.
2- Internal audit management.
3- Customer care management, including (complaint handling).
4- Management, operation, and maintenance of technical/security systems (e.g., data storage and retention outside the finance company, including cloud computing services, security operations monitoring).
5- Brokerage activities, including marketing financing products and receiving financing applications.
6- Agency activities, including processing and reviewing financing grant applications.
7- Provision of human resources.
8- Collection of finance companies' debts.
9- Document archiving and retention.