2020-10-14
The Saudi Arabian Monetary Authority (SAMA) issued this circular to enable finance companies in the Kingdom to deliver financing products and credit cards via digital certification through electronic channels. The directive mandates compliance with the Electronic Transactions Law, requires companies to obtain a No Objection for electronic services and use accredited digital certification providers, and enforces thirteen minimum operational, security, and risk management controls. These requirements apply immediately to all finance companies except those under SAMA's regulatory sandbox, ensuring secure, efficient digital service delivery while maintaining robust "Know Your Customer" verification and data protection standards.
In the Name of Allah, the Most Gracious, the Most Merciful
Saudi Arabian Monetary Authority
Headquarters
General Department for Finance Companies Supervision
No.: ………………………………
Attachments: ………………………………
Circular
To: Respected,
Peace, mercy of Allah and His blessings be upon you.
Subject: Regarding Digital Certification of Products for Finance Companies Customers.
Reference is made to the Authority's instructions communicated via email on 15/10/1441H (corresponding to 6/7/2020G) regarding the digital certification of products for finance companies customers.
Attached is the template of these instructions, which must be adhered to from the date of their email dispatch.
Yours sincerely,
Badr bin Hazaa Al-Otaibi
General Manager, Finance Companies Supervision
Distribution Scope:
P.O. Box 2992, Riyadh 11169 | Tel: +966 11 4662070 | Fax: +966 11 4662488
From:
Sent: Saturday, June 6, 2020 11:33 PM
Subject: Instruction: Digital Certification of Products for Finance Companies Customers
To: Respected Finance Companies,
Peace, mercy of Allah and His blessings be upon you.
In line with the Authority's commitment to enabling all financing sector customers to obtain their financing needs easily and conveniently, and in support of the Authority's strategic objectives aimed at accelerating the sector's digital transformation through strengthening and securing the underlying technological environment, and with a view to facilitating and improving services by enabling finance companies to benefit from the digital certification services approved in the Kingdom,
We inform you that finance companies may provide all financing products and credit cards via electronic channels for individual customers, as well as small and medium products through digital certification services, provided that compliance with the provisions of the Electronic Transactions Law (Royal Decree No. 18/M dated 8/3/1428H) and its Executive Regulations is maintained. The company shall assess the risks associated with the service, determine the types of financing covered by this service, establish adequate safeguards, policies, and precautionary procedures, and apply the following requirements as a minimum:
Verification of full compliance with the Information Security Regulatory Guide (Maturity Level 3) by assessing the level of compliance through an independent party as stipulated in the Guide.
The company must have obtained a No Objection from the Authority to provide electronic services according to the Information Security Regulatory Guide; otherwise, if not available, the company is permitted to provide digital certification services only after obtaining the Authority's No Objection for electronic services.
The digital certification service provider must be accredited by the National Center for Digital Certification.
Providing digital certification services shall not affect the company's basic verification procedures to apply the "Know Your Customer" (KYC) principle, as well as the eligibility and identity of the customer, agent, or authorized signatory.
The financing application must be created through one of the electronic channels, taking into account necessary procedural controls and notifying the customer via SMS regarding the application, in addition to the following:
• Regarding individuals: The application must be activated through another channel, for example: applying the controls for adding and activating beneficiaries as stated in the Information Security Regulatory Guide.
• Regarding establishments: Taking into account necessary procedural controls, including but not limited to: authorizing multiple approval authorities for financing applications, activating the application through another channel, etc.
Confirmation of the establishment owner's or authorized person's approval for executing the application must be obtained through a phone call by the company's contact center or customer service.
The company is responsible for verifying the information provided by the customer/establishment before executing the transaction.
Approval of the application must occur after at least 24 hours for individuals, and three business days for establishments, from the time of submission.
Establishing adequate security standards to protect data and communication with the digital certification service provider, considering operational security standards for data as well as data privacy.
Retaining copies of documents and all legal records related to digital certification.
Updating agreements and contracts to clarify that this service is conducted electronically using digital certification, and its electronic execution cannot be challenged.
Setting a maximum financing amount provided through the digital certification service, commensurate with the company's risk policy.
Periodic evaluation and monitoring of precautionary controls to ensure their effectiveness.
For information and action as of its date, noting that the digital certification service does not apply to products subject to the Authority's regulatory sandbox.
Our regards,
Finance Companies Supervision Department - Offsite Division
Saudi Arabian Monetary Authority