  • Control and Awareness Measures for Branch and Customer Service Employees in Banks Operating in the Kingdom

    No: 42063179 | Date(g): 17/4/2021 | Date(h): 6/9/1442 | Status: In-Force

    Translated Document

    Based on the powers vested in SAMA under the relevant regulations and instructions, and in line with SAMA's supervisory and regulatory role in enhancing the protection of the privacy of customers of the financial institutions under its supervision and of their employees, and in continuously improving and strengthening sound practices in banks:

    Attached are the regulatory and awareness procedures for branch staff and customer service employees in banks operating in the Kingdom. These procedures aim to mitigate operational risks related to handling banking laws and to ensure that operations are conducted in accordance with approved regulations, instructions, and powers to protect banks and customers from exposure to losses.

    Please take note and act accordingly by the end of the third quarter of 2021.

    • First: Introduction

      • A. Objective

        These procedures aim to establish the minimum regulatory and awareness measures for branch staff and customer service employees in banks operating in the Kingdom. Compliance with these measures is required to mitigate operational risks related to dealing with banking laws and to ensure that operations are conducted in accordance with approved regulations, instructions, and authorities, thereby protecting banks and customers from potential losses.


    • Second: Definitions

      The terms and phrases mentioned in these procedures are defined as follows, unless the context indicates otherwise:

      Central Bank: The Saudi Central Bank.

      Banks: Banks operating within the Kingdom.

      Branches: Branches of commercial banks operating within the Kingdom.

      Employees: Employees of branches and customer service.

      Customers: Customers of the banks.

    • Third: Supervisory Procedures

      Banks must adhere to the required maturity level under the Cyber Security Framework and the Business Continuity Management Framework, with particular attention to the following:

      1. The cyber security policy must cover the cyber security aspects of employees' work and must be reviewed periodically, addressing at a minimum the following:

        a. Access to banking systems and verification of the identity of the person logging in.

        b. Linking privileges on banking systems to job grades and determining the level of validity (privilege) for each job grade.

        c. Managing passwords, including the following:

          1- The password must consist of numbers, letters and symbols.

          2- Passwords must be changed every three months.

          3- If an employee enters the login data of a banking system incorrectly three consecutive times, the username must be suspended and restored only through defined procedures under the bank's internal policy.

          4- Employees must be required to safeguard their user accounts and login data and not to disclose or share them.

        d. Restricting access to the devices and systems used in banks in accordance with cyber security best practices and business needs, based on the "Need-to-Know" principle; for example, hiding customer balances from employees whose job tasks do not require knowing the balance.

        e. Defining security practices and policies to maintain the confidentiality of information.

        f. Identifying unsafe and unsound banking practices.

        g. Developing scenarios to detect suspicious operations when systems are accessed.

        h. Not allowing data to be copied or shared, or software to be installed, without the consent of the authorized person.

        i. Setting login, logout and saving procedures, and confirming that data screens are closed when not in use.

        j. Basing authentication and access controls on the risks and sensitivity of the systems and data being accessed.
       
      2. Review periodically the minimum permissions for accessing banking systems, conducting operations and accessing bank account data, and document this in periodic review records.

      3. Hide customer signatures and balances for all accounts that are in an unclaimed or abandoned (dormant) state.

      4. Monitor the accounts of employees designated to access banking systems, and automatically retain all records of access to bank account information for reference when needed, for a minimum period of (5) years, with the retained information including at least the following:

        a. Employee name and job number.

        b. Internet Protocol address (IP address).

        c. Date and time of access.

        d. Validity (privilege level).

        e. Authentication.

        f. Action performed.

      5. Develop all the technical and security controls necessary to accurately identify the employee using a computer or any of the banking systems.

      6. Restrict access to banking systems from computers located in branches after the end of official working hours, and set the necessary precautionary controls where access to banking systems outside official working hours is needed.

      7. Ensure that alternative plans and solutions are in place to ensure business continuity and enable secure access to banking systems.

      8. Take the necessary measures in the event that customer data is found to have been accessed by an unauthorized person.

      9. Ensure that access is granted only to employees with administrative privileges and key employees, and limit the access of competent employees (such as IT staff and technical support) to network maintenance, without access to customers' confidential information.

      10. In the case of maintenance work on the branch's systems, verify before the work starts that the maintenance team is among the crew listed for the maintenance work and sent by the competent department, with adequate control procedures in place.
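As an added illustration that is not part of the circular: a small Python checker that replays constructed access records against three of the requirements above, the minimum retained fields of item 4, the three-consecutive-failures suspension of item 1.c.3, and the after-hours branch access of item 6. The field names, the 08:00 to 17:00 working hours and the sample records are assumptions for the example, not values from the circular.

```python
from datetime import datetime, time

# Minimum fields item 4 requires in each retained access record
# (employee name, job number, IP address, date/time, validity, authentication, action).
REQUIRED_FIELDS = ("employee", "job_number", "ip", "timestamp", "validity", "auth", "action")
MAX_CONSECUTIVE_FAILURES = 3                    # item 1.c.3: three consecutive failures suspend the user
WORK_START, WORK_END = time(8, 0), time(17, 0)  # assumed official working hours (not stated in the circular)

def missing_fields(record):
    """Return the names of required fields that are absent or empty in one record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]

def review_access_log(records):
    """Replay records in order; return (suspended job numbers, after-hours accesses, incomplete records)."""
    consecutive, suspended, after_hours, incomplete = {}, set(), [], []
    for rec in records:
        if missing_fields(rec):
            incomplete.append(rec)          # item 4 not met: the record cannot be relied on
            continue
        user = rec["job_number"]
        if rec["auth"] == "fail":
            consecutive[user] = consecutive.get(user, 0) + 1
            if consecutive[user] >= MAX_CONSECUTIVE_FAILURES:
                suspended.add(user)
            continue
        consecutive[user] = 0               # a successful login resets the failure counter
        when = datetime.fromisoformat(rec["timestamp"])
        if not WORK_START <= when.time() < WORK_END:   # item 6: after-hours access needs extra controls
            after_hours.append((user, rec["timestamp"], rec["action"]))
    return suspended, after_hours, incomplete

def make_record(employee, job, ip, ts, validity, auth, action):
    return {"employee": employee, "job_number": job, "ip": ip, "timestamp": ts,
            "validity": validity, "auth": auth, "action": action}

# Constructed sample log (not real bank data): a teller fails three times in a row,
# a supervisor views a balance after hours, and one record lacks the IP address.
SAMPLE_LOG = [
    make_record("Teller One", "E1001", "10.0.0.11", "2021-04-17T09:02:00", "teller", "fail", "login"),
    make_record("Teller One", "E1001", "10.0.0.11", "2021-04-17T09:02:30", "teller", "fail", "login"),
    make_record("Teller One", "E1001", "10.0.0.11", "2021-04-17T09:03:00", "teller", "fail", "login"),
    make_record("Supervisor", "E2001", "10.0.0.20", "2021-04-17T10:15:00", "supervisor", "success", "view_balance"),
    make_record("Supervisor", "E2001", "10.0.0.20", "2021-04-17T20:40:00", "supervisor", "success", "view_balance"),
    make_record("Teller Two", "E1002", "", "2021-04-17T11:00:00", "teller", "success", "view_account"),
]

if __name__ == "__main__":
    print(review_access_log(SAMPLE_LOG))
```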
       
    • Fourth: Awareness Procedures

      Banks are required to adhere to the following:

      1. Establish a policy for the secure use of banking laws, including procedures for handling usernames and passwords, and review it periodically.
      2. Ensure employees are aware of the importance of checking that they are not being observed when entering their username or password.
      3. Provide training and qualification for employees on essential information related to information security.
      4. Conduct periodic awareness campaigns for employees regarding the instructions issued by SAMA and the banks' own policies, especially concerning the confidentiality of customer account information and the penalties for non-compliance. This should include ongoing educational materials and be conducted at least every three months.
      5. Conduct regular awareness campaigns for employees on information security and financial fraud prevention, with ongoing educational materials provided at least every three months.
      6. Perform tests and surveys of employees at least every six months to assess the effectiveness of the awareness procedures outlined in points (4) and (5).
      7. Obtain a declaration from employees, both upon starting work and annually (either in paper or electronic form), acknowledging that they have reviewed and are committed to all policies related to the secure use of banking laws and the handling of usernames and passwords.

    • Fifth: General Provisions

      1. These procedures should be read in conjunction with all related regulations and instructions.
      2. These procedures represent the minimum requirements for banks to implement in terms of enhancing the monitoring and awareness aspects for employees.
      3. Existing policies, manuals, and procedures should be reviewed and updated periodically to ensure they align with the requirements set forth in these procedures and related instructions.
      4. One of the supervisory departments (Internal Audit or Compliance Department) should be assigned to conduct periodic examinations or reviews (within a maximum of two years) to verify compliance with the requirements outlined in these procedures.