SAMA Rules of Outsourcing Processes

Outsourcing contracts must prevent service providers from subcontracting any of the services concerned without the prior consent of the bank, and subject to prior confirmation that SAMA does not object. Non-basic work, by contrast, includes services that are common to many companies and for which outsourcing does not pose a serious risk to customers. Examples include cleaning, printing and postal functions. Non-basic work may be outsourced to third-party service providers without first obtaining confirmation from SAMA that no objections will be raised. The outsourcing rules require banks' senior management to ensure that risks related to existing and potential outsourcing arrangements are considered and addressed. For the outsourcing of basic work, a thorough risk assessment must be conducted for all new contracts and contract renewals. In the case of non-basic work, a thorough review is only required if the content of the services under an outsourcing agreement changes.

SAMA has published additional licensing guidelines and criteria for digital-only banks in Saudi Arabia. These guidelines apply to applications for digital-only banking licenses in Saudi Arabia. They should be treated as additional requirements that must be met alongside the banking licensing guidelines and minimum criteria previously published by SAMA.

The additional requirements relate to licensing conditions, capital and liquidity requirements, governance, technology and cybersecurity risks, independent assessment, outsourcing, exit plan, supervisory requirements and consumer protection. SAMA has also issued actuarial labour rules for insurance and rules for insurance aggregation activities.

The outsourcing rules divide the functions and tasks that can be outsourced into two main categories: “basic work” and “non-basic work”. There are different considerations for outsourcing each of these categories of work, and there is a general prohibition (with a few exceptions) on outsourcing work related to the processing of customer data. The outsourcing rules oblige banks to conclude full outsourcing contracts with service providers. These contracts must meet a variety of requirements, including scope of work, service levels and performance requirements, control and audit procedures, business continuity, pricing, confidentiality and privacy, information security, breach impact, and dispute resolution. The outsourcing rules state that the preferred applicable law and jurisdiction for outsourcing contracts is that of Saudi Arabia.

Banks operating in Saudi Arabia need to be aware of the outsourcing rules. This is to ensure that they remain compliant from a regulatory point of view, but also to ensure that the outsourcing of certain business operations does not result in harm to their customers or to their own operations, reputation and profitability.

Banks must be more rigorous and diligent when outsourcing basic work, because the consequences are more serious if the arrangement results in services not being provided. For this reason, outsourcing of basic work is generally not allowed unless the bank first obtains SAMA's permission. The outsourcing rules contain detailed requirements on what is to be taken into account in outsourcing contracts for basic work, and these are mainly aimed at reducing the potential damage that could result from outsourcing these essential tasks and responsibilities.

Outsourcing is a business practice in which a company hires external service providers to perform certain business functions instead of having them performed by its own staff. The increasing complexity of bank outsourcing agreements, and the potential harm to consumers from offshoring agreements beyond the reach of regulators, led to a report by the Basel Committee on Banking Supervision in 2005. The report included recommendations to tighten the way banks outsource their activities. SAMA then published the outsourcing rules in 2008.

Outsourcing can lead to interruptions or failures in banking services. Business continuity is very important for banks, especially when it comes to IT service continuity. The outsourcing rules require banks to have a plan in place to ensure business continuity in the event of a disruption to the outsourced service. This can be either a plan for the bank to take over the function itself, or a plan for another service provider that is willing to take over the services in the short term.

The outsourcing rules require banks to notify SAMA of any problems or disruptions arising from outsourcing agreements.