2021-04-17

Circular Re. Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom

The Saudi Central Bank issued circular 42063179 requiring all banks operating in the Kingdom to implement minimum control and awareness measures for branch and customer service employees by the end of Q3 2021. The directive mandates strict adherence to information security and business continuity standards, including rigorous access controls, password policies, and audit logging to mitigate operational risks and protect customer data. Banks must also establish periodic employee training, awareness campaigns, and internal audits to ensure compliance with these regulatory requirements.


Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom

Saudi Central Bank

Reference: 42063179
Date: 1442/09/06 (Hijri)
Attachments: 6 pages

Circular

Dear Sirs,

Peace, mercy, and blessings of God be upon you,

Subject: Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom.

Based on the authorities vested in the Saudi Central Bank under relevant systems and regulations, and in light of the Bank's supervisory and oversight role in striving to enhance the protection of the privacy of customers of financial institutions under its supervision and their employees, and to continue improving and enhancing sound practices in banks.

Attached herewith are the Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom, which aim to mitigate operational risks related to dealing with banking systems, and ensure the execution of operations in accordance with approved systems, regulations, and authorities to protect banks and customers from suffering losses.

For your information and action before the end of the third quarter of 2021.

Yours sincerely,

[Signature]
Fahd bin Ibrahim Al-Shathri
Deputy Governor for Supervision

Distribution Scope:

  • Banks operating in the Kingdom.

Kingdom of Saudi Arabia
Saudi Arabian Monetary Authority
Head Office, Riyadh

Note: The attachments to this circular were sent via email.


Control and Awareness Measures

for Branch and Customer Service Employees in Banks

Operating in the Kingdom

April 2021

Saudi Central Bank


Index

First: Introduction (page 3)
  A. Objective (page 3)
  B. Scope (page 3)
Second: Definitions (page 3)
Third: Control Measures (page 3)
Fourth: Awareness Measures (page 5)
Fifth: General Provisions (page 6)

Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom
Issue Number: 1.0 | Issue Date: April 2021 | Page Number: 2-6

First: Introduction

A. Objective

These measures aim to establish the minimum control and awareness measures for branch and customer service employees in banks operating in the Kingdom that must be adhered to, in order to mitigate operational risks related to dealing with banking systems, and ensure the execution of operations in accordance with approved systems, regulations, and authorities to protect banks and customers from suffering losses.

B. Scope

These measures apply to banks operating in the Kingdom, without prejudice to any other related systems or instructions, for example, but not limited to: the Information Security Regulatory Guide, and the Business Continuity Management Regulatory Guide.

Second: Definitions

The following words and phrases - wherever they appear in these measures - have the meanings indicated next to each of them, unless the context dictates otherwise:

Central Bank: The Saudi Central Bank.
Banks: Banks operating in the Kingdom.
Branches: Branches of commercial banks operating in the Kingdom.
Employees: Branch and customer service employees.
Customers: Bank customers.

Third: Control Measures

Banks must adhere to the required maturity level of the Information Security Regulatory Guide and the Business Continuity Management Regulatory Guide, taking into account the following:

  1. The Information Security Policy must include aspects related to employee information security, and be reviewed periodically, at a minimum including the following:

a. Access rights to banking systems, and verification of the identity of the person who performed the login.

b. Linking banking system permissions to job grades and determining the permission level for each job grade.

c. Password management, including the following:

  1. Passwords must consist of numbers, letters, and symbols.
  2. Passwords must be changed every three months.
  3. If employees enter banking system login credentials incorrectly three times consecutively, the username is suspended and can only be restored according to specific procedures based on the bank's internal policy.
  4. Emphasizing to employees to maintain user accounts or login data and not to disclose or share them.

d. Restricting access to devices and systems used in banks in accordance with accepted information security best practices and business needs based on the "Need-to-Know" principle, for example, but not limited to: hiding customer balances from employees whose job tasks do not require knowledge of the balance.

e. Defining security practices and policies to maintain information confidentiality.

f. Defining unsafe and unsound banking practices.

g. Developing scenarios to detect suspicious operations when accessing systems.

h. Prohibiting the copying or sharing of data or installation of software without the permission of the authorized person.

i. Establishing procedures for login, logout, and saving, and emphasizing closing the data screen when not in use.

j. Authentication and access controls must be based on the risks and sensitivity of the systems and data to be accessed.
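The password rules in item c (composition, three-month rotation, suspension after three consecutive wrong entries, restoration only through the bank's internal procedure) as a small Python model. This is an added illustration, not code from the circular or from any bank's system; the 90-day reading of "three months", the EmployeeLogin structure and the approval flag standing in for the internal restoration procedure are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Limits from item c of the circular; the 90-day reading of
# "three months" is an assumption made for this example.
MAX_CONSECUTIVE_FAILURES = 3
PASSWORD_MAX_AGE = timedelta(days=90)


def meets_composition_rule(password: str) -> bool:
    """c.1: a password must contain numbers, letters and symbols."""
    has_digit = re.search(r"\d", password) is not None
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_symbol = re.search(r"[^A-Za-z0-9]", password) is not None
    return has_digit and has_letter and has_symbol


def password_change_due(last_changed: date, today: date) -> bool:
    """c.2: a password at or past its maximum age must be changed."""
    return today - last_changed >= PASSWORD_MAX_AGE


@dataclass
class EmployeeLogin:
    """Login state for one employee account (hypothetical structure)."""
    username: str
    password_last_changed: date
    consecutive_failures: int = 0
    suspended: bool = False

    def attempt(self, credentials_valid: bool, today: date) -> str:
        """c.3: three consecutive wrong entries suspend the username.
        Returns one of: ok, change_required, failed, suspended."""
        if self.suspended:
            # A suspended username rejects even correct credentials.
            return "suspended"
        if not credentials_valid:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.suspended = True
                return "suspended"
            return "failed"
        # A correct entry breaks the run of consecutive failures.
        self.consecutive_failures = 0
        if password_change_due(self.password_last_changed, today):
            return "change_required"
        return "ok"

    def restore(self, approved_by_internal_procedure: bool) -> bool:
        """c.3: restoration only through the bank's internal procedure;
        the approval flag stands in for that procedure in this example."""
        if not approved_by_internal_procedure:
            return False
        self.suspended = False
        self.consecutive_failures = 0
        return True


def run_attempts(outcomes, password_age_days=0, today=date(2021, 4, 17)):
    """Replay a sequence of login outcomes (True = correct credentials)
    against a fresh account and return the result of each attempt."""
    acct = EmployeeLogin("e1001", today - timedelta(days=password_age_days))
    return [acct.attempt(ok, today) for ok in outcomes]


if __name__ == "__main__":
    print(run_attempts([False, False, False, True]))
    print(run_attempts([False, False, True, False, False]))
```

The counter resets on a successful login, so only *consecutive* failures trigger the suspension, and a suspended username stays rejected until the restoration procedure runs, whichever credentials are presented.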

  2. Periodically review the minimum access rights needed to use banking systems, perform operations, and access bank account data, and document the review in periodic audit logs.

  3. Hide signatures and balances of customers for all accounts that are unclaimed or abandoned.

  4. Monitor the employee accounts designated for accessing banking systems, and automatically retain all records of logins to bank account information for reference when needed, for a minimum period of (5) years; the retained information must include at least the following:


a. Employee name and employee number.

b. Internet Protocol "IP Address".

c. Login date and time.

d. Permission.

e. Authentication.

f. The procedure performed.

  5. Establish all necessary technical and security controls that enable the precise identification of the employee using the computer or any of the banking systems.

  6. Restrict access to banking systems through computers located in branches after official working hours, and establish necessary precautionary controls when access to banking systems outside official working hours is needed.

  7. Ensure the provision of alternative plans and solutions to ensure business continuity and enable secure access to banking systems.

  8. Take necessary measures if it is found that customer data has been accessed by an unauthorized person.

  9. Ensure that access rights are limited to employees with administrative privileges and key employees only, and restrict the access of specialized employees (such as IT and technical support staff) to network maintenance, without accessing customer confidential information.

  10. In the event of branch system maintenance, it must be verified that the branch maintenance team is among the staff whose names were submitted for maintenance by the competent management before commencing the required work, with adequate control measures in place.
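A review script for the retained login records described above: it checks each record for the minimum fields (a to f), applies the five-year retention floor, and flags branch logins outside official working hours, which the after-hours restriction in the same list asks banks to control. This is an added example, not code from the circular or from any bank; the JSON-lines record format, the field names, the 08:00 to 17:00 working hours and the sample records are all constructed assumptions.

```python
import json
from datetime import datetime, time, timedelta

# Minimum record content (items a-f) and retention floor from the circular.
REQUIRED_FIELDS = ("employee_name", "employee_number", "ip_address",
                   "login_time", "permission", "authentication", "procedure")
MIN_RETENTION = timedelta(days=5 * 365)  # "(5) years"; 365-day years assumed

# Official working hours are not stated in the circular; these are assumed.
WORKING_HOURS_START = time(8, 0)
WORKING_HOURS_END = time(17, 0)

# Constructed sample records, one JSON object per line. Not real data.
# Record 2 is a late-evening login; record 3 lacks the IP address field.
SAMPLE_LOG = """\
{"employee_name": "A. Example", "employee_number": "E1001", "ip_address": "10.1.2.3", "login_time": "2021-05-03T09:15:00", "permission": "teller", "authentication": "password+otp", "procedure": "view_balance"}
{"employee_name": "B. Example", "employee_number": "E1002", "ip_address": "10.1.2.4", "login_time": "2021-05-03T22:40:00", "permission": "teller", "authentication": "password", "procedure": "view_balance"}
{"employee_name": "C. Example", "employee_number": "E1003", "login_time": "2021-05-04T10:00:00", "permission": "supervisor", "authentication": "password+otp", "procedure": "approve_transfer"}
"""


def parse_records(text: str) -> list:
    """Parse JSON-lines text into a list of record dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def missing_fields(record: dict) -> list:
    """Names of required fields that are absent or empty in the record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def outside_working_hours(record: dict) -> bool:
    """True when the login time falls outside the assumed official hours."""
    t = datetime.fromisoformat(record["login_time"]).time()
    return not (WORKING_HOURS_START <= t < WORKING_HOURS_END)


def purge_eligible(record: dict, now: datetime) -> bool:
    """A record may be deleted only once the minimum retention has elapsed."""
    logged = datetime.fromisoformat(record["login_time"])
    return now >= logged + MIN_RETENTION


def review_login_records(text: str) -> dict:
    """Run the completeness and after-hours checks over a log extract.
    Returns {"incomplete": {employee_number: [missing fields]},
             "after_hours": [employee_number, ...]}."""
    incomplete, after_hours = {}, []
    for rec in parse_records(text):
        key = rec.get("employee_number", "<unknown>")
        gaps = missing_fields(rec)
        if gaps:
            incomplete[key] = gaps
        if rec.get("login_time") and outside_working_hours(rec):
            after_hours.append(key)
    return {"incomplete": incomplete, "after_hours": after_hours}


if __name__ == "__main__":
    print(review_login_records(SAMPLE_LOG))
```

The checks are deliberately split: a record missing a required field is an evidence-quality problem for the periodic audit, while an after-hours login is a monitoring finding to reconcile against the precautionary controls the bank approved for such access. Both keep the employee number as the join key to the access-rights review.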

Fourth: Awareness Measures

Banks must adhere to the following:

  1. Establish a specific policy for the secure use of banking systems, and a mechanism for dealing with usernames and passwords to access these systems, and review it periodically.

  2. Educate employees on the necessity of ensuring that no one is observing them when entering their username or password.

  3. Train and qualify employees with a minimum amount of information related to the field of information security.

  4. Periodically educate employees on the instructions issued by the Central Bank and the policies held by banks regarding them, especially those related to the confidentiality of information and data pertaining to customer accounts, and the penalties resulting from violating them, through continuous awareness campaigns and newsletters at a minimum of once every three months.

  5. Periodically educate employees in the field of information security and financial fraud prevention through continuous awareness campaigns and newsletters at a minimum of once every three months.

  6. Conduct periodic tests and surveys of employees at a minimum of once every six months to verify the efficiency and effectiveness of the awareness measures mentioned in items (4) and (5) above.

  7. Obtain an acknowledgment from employees upon commencing work, and annually (physically or electronically), confirming that they have read and committed to all policies related to the secure use of banking systems and the mechanism for dealing with their usernames and passwords.

Fifth: General Provisions

  1. These measures shall be read together with all related systems and regulations.

  2. These measures constitute a minimum of what banks must take to activate the supervisory and awareness aspects for employees.

  3. Current policies, guides, and procedures must be reviewed and developed periodically to ensure their compatibility with what is stated in these measures and related instructions.

  4. Assign one of the supervisory departments (Internal Audit Department or Compliance Department) to conduct an inspection or review periodically (maximum every two years) to verify the application of the requirements contained in these measures.
