Saudi Arabia EbankingRules.docx
Saudi Arabia Ebanking Rules
Saudi Arabian Monetary Agency
e-Banking Rules
Banking Technology Department
APRIL 2010
Table of Contents
1 Introduction:
1.1 Electronic Banking Definition:
1.2 E-banking Evolution:
1.3 E-Banking Rules:
1.4 Objective of the Rules:
1.5 Scope of Application:
1.6 Effective Date:
2 Supervision of E-Banking:
2.1 Supervisory Approach:
2.2 New E-banking Products:
2.3 Legal and Regulatory Requirements:
2.4 Enforcement Mechanism:
2.5 Reporting Requirements:
3 Customer Protection and Education:
3.1 Rights and Liabilities of Banks and Customers:
3.2 Customer Security and Education:
3.3 Banks’ Obligations:
4 E-Banking Risks:
4.1 Types of Services:
4.2 Risk Profiles
4.3 Associated Risks:
4.4 Risk Management Approach:
4.4.1 Risk Identification
4.4.2 Risk Analysis and quantification
4.4.3 Risk treatment
4.4.4 Risk monitoring and review
4.4.5 Summary
5 Risk Management Principles for E-Banking:
5.1 Principles 1-3: Board and Management Oversight:
5.2 Principles 4-10: Security Controls:
5.3 Principles 11-14: Legal and Reputational Risk Management:
Appendix 1
Glossary
Appendix 2
Security Controls Requirements
Appendix 3
Incident Reporting
1 Introduction:
1.1 Electronic Banking Definition:
The term “Electronic Banking” or “e-banking” is defined as remote banking services provided by authorized banks, or their representatives through devices operated either under the bank's direct control and management or under the outsourcing agreement. In other words, e-banking is an umbrella term for the process by which a customer may perform banking transactions electronically without visiting a branch and includes the systems that enable customers of banks, individuals or businesses, to access accounts, transact business, or obtain information on financial products and services through a public or private network, including the Internet.
A “remote banking service” is defined as a:
∙ Dedicated banking service for which the Customer has explicitly registered and authorized.
∙ Service supplied using devices that are not under the control of the Provider;
∙ Service which demands the authentication of the Customer.
Cross-border e-banking is defined as the provision of transactional on-line banking products or services by a bank in one country to authorized customers in other countries. This definition would include situations where a foreign bank provides e-banking products or services to residents in a foreign country from (i) a location in the bank’s home country, or (ii) an “onshore” physical establishment in another foreign country.
The following terms used to describe the various forms of e-banking are often used interchangeably: personal computer (PC) banking; Internet banking; virtual banking; online banking; home banking and remote electronic-banking.
Services Exclusions
Usually, e-banking also involves phone banking and the use of automated teller machines (ATMs) but these are not covered under the above e-banking definition for the purpose of these Rules.
Furthermore, individual communications such as e-mail (digitally signed or otherwise) received by the Provider from a Customer outside the context of a remote banking service, are also not covered under this definition.
Various other related terms are defined in the Glossary at Appendix 1 to these Rules.
1.2 E-banking Evolution:
Technology developments and innovations are having a significant impact on the banking business. Banks face the challenge of adapting, innovating and responding to the opportunities provided by the technological advancements. The growth of e-banking has enormously benefited banks and their customers. It has allowed banks to expand outreach, reduce transaction costs, improve efficiency, and provide virtual banking services. On the other hand, customers have benefited from efficient banking services at relatively lower costs and having the option to choose from alternate delivery channels. E-banking has also facilitated swift movement of funds domestically and across borders.
This changing financial landscape has posed new challenges for banks and policy makers/supervisors. Banks now have increased reliance on technology to compete in an increasingly competitive business environment and thus need to effectively manage the IT security and other related risks. Central Banks and supervisory authorities are facing new challenges in banking supervision as well as in designing and implementing monetary policy. The growing scope of e-banking and increasing complexity of banking products and services demand continuous adaptation of regulatory framework and effective supervisory oversight.
1.3 E-Banking Rules:
In order to enable banks to protect customers’ information, reduce fraud incidents, and manage e-banking related risks as also to minimize the number of complaints from e-banking users, SAMA has decided to issue new “E-Banking Rules”. These Rules will replace the “Internet Banking Security Guidelines” issued in 2001.
The new E-Banking Rules are risk-based and set out SAMA’s prudential regulatory approach to the supervision of e-banking services. They provide guidance to banks on risk management in electronic banking and emphasize:
∙ Board of Directors and Senior Management accountability;
∙ Customer protection and education;
∙ Customer privacy;
∙ Minimum security standards consistent with best international standard;
∙ Proper incident management and reporting to SAMA;
∙ Proper Availability Management
∙ Capacity building and business continuity planning.
Banks are expected to review and, if required, to modify their existing risk management policies and processes to bring their e-banking activities in line with these Rules.
1.4 Objective of the Rules:
The main objective of the “E-Banking Rules” is to provide guidance to banks on implementation of security controls in their e-banking products and services and effective management of risks associated therewith. The Rules are not aimed at discouraging banks from innovation and creativity in e-banking provided they remain within the regulatory framework and ensure customers’ facilitation.
1.5 Scope of Application:
The “E-Banking Rules” shall be applicable to all forms of e-banking as defined under Section 1.1 of these Rules. However, the e-banking services provided through Automated Teller Machines (ATMs), Points of Sale (POS) and Phone Banking are not covered under these Rules.
All banks licensed by SAMA and authorized to provide e-banking services whether locally or abroad through their branches/subsidiaries, are required to ensure compliance of these Rules.
The provision of cross-border e-banking services would be subject to proper authorization and compliance of home and host jurisdictions’ laws and rules/regulations. Foreign banks not licensed by SAMA to operate in Saudi Arabia are not allowed to engage in cross-border e-banking activities in Saudi market.
1.6 Effective Date:
These Rules shall come into force with immediate effect. All banks are required to take necessary measures to ensure compliance of the Rules.
2 Supervision of E-Banking:
2.1 Supervisory Approach:
SAMA’s supervisory approach is to establish and maintain a prudent regulatory framework for the growth of e-banking services in Saudi Arabia. Banks are expected to implement the risk management controls that are commensurate with the risks associated with the types, complexity and volume of transactions carried out and the electronic delivery channels adopted. They should adopt robust risk management processes and IT security measures consistent with their e-banking business strategy and the established risk tolerance level. The risk management controls established for e-banking should be fully integrated into the overall risk management systems. Banks are also expected to introduce elaborate processes to ensure timely resolution of security related issues.
In order to ensure compliance with the best international standards, SAMA has endorsed the principles and recommendations for e-banking outlined by the Basel Committee on Banking Supervision’s paper - “Risk Management Principles for Electronic Banking” (http://www.bis.org/publ/bcbs98.htm).
Given the dynamic nature of e-banking and related technology, SAMA recognizes that the issues to be addressed may vary over time and from one bank to another. For this reason, these Rules distinguish between minimum requirements and additional recommended controls.
2.2 New E-banking Products:
Banks shall seek prior no objection from SAMA before launching any new e-banking product or significantly modifying the existing product and/or launching a new product with same name. For this purpose, they will approach the Agency along with the relevant information including salient features of the product, target market, related systems and controls and a confirmation to the effect that the proposed product complies with all the relevant laws and rules/regulations. The Agency may grant or withhold its no objection or grant it subject to such conditions as it may deem fit.
2.3 Legal and Regulatory Requirements:
In addition to these Rules, banks are required to ensure compliance of other related laws and regulatory requirements. For outsourcing of e-banking related operations and activities, banks should follow “SAMA’s Rules on Outsourcing” as amended from time to time.
Other related laws and guidelines include, inter alia, the following:
∙ Banking Control Law;
∙ Anti-Money Laundering Law;
∙ Rules Governing Anti-Money Laundering & Combating Terrorist Financing;
∙ Combating Embezzlement & Financial Fraud & Control Guidelines;
∙ Compliance Manual for Banks;
∙ SARIE operating rules and regulations;
∙ Other relevant SAMA Rules, Guidelines and Circulars