12 March 2020
SAUDI ARABIA: Additional Digital Banking Rules Released
The Saudi Arabian Monetary Authority (SAMA), the country’s financial regulatory body, has issued additional licensing guidelines for digital-only banks in the kingdom. The new guidelines add a number of supplementary conditions to the existing requirements under SAMA’s Banking Licensing Guidelines and Minimum Criteria. The supplementary rules, published on SAMA’s website, are dated 24 February 2020.
The additional guidelines and criteria define a digital-only bank as any “that conducts a banking business mainly through digital channels (e.g. the web and mobile applications)”. Any such bank must operate via a locally incorporated joint-stock company and maintain a significant physical presence in Saudi Arabia, such as a head office. Physical branches, however, are not required, although in some instances the regulator may require the setting up of customer service centres. The organisation behind the bank should also have appropriate experience and knowledge in the financial industry and technology-related expertise, as well as sufficient financial capacity to support the business.
There are also detailed minimum business plan requirements that must be submitted as part of the licence application. These include providing an IT infrastructure plan, with details of any innovative technologies that will be rolled out, financial projections, the targeted customer segment (with an underlying study and analysis), and details on the proposed products and services to be provided to the targeted segment.
SAMA also requires any licence application for digital banking to include an internal capital adequacy assessment plan and an internal liquidity adequacy assessment plan. There must also be details on how the operation will meet the country’s requirements for Compliance & Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT), how the proposed risk management and control policies will be adequate and appropriate for monitoring and limiting risk exposures as per section D of the SAMA Banking Licensing Guidelines and Minimum Criteria, and how technology and cyber security risks will be managed in compliance with SAMA’s Cybersecurity Framework and BCM Framework. SAMA also requires that applicants take account of other relevant regulations, such as those from the country’s National Cybersecurity Authority.