An introduction to SAMA's minimum verification controls

06 November 2023

As Saudi Arabia’s financial services sector embraces digital innovation, the need to safeguard sensitive information and digital services from cyber risk has become paramount. In this pursuit, the Saudi Arabian Monetary Authority (SAMA) has introduced a set of minimum verification controls in addition to the SAMA regulations.

The primary aim of these controls is to protect financial information and digital services from emerging cyber threats. They provide a set of guidelines and best practices that SAMA-regulated organizations must adhere to, ensuring the security of their operations and the safety of their customers.

For SAMA-regulated organizations, adhering to these controls is paramount, both from a business continuity management perspective and from a compliance perspective.


Syed Sajjad, a Senior Manager at ECOVIS Al Sabti, a leading Saudi-based risk consultancy, outlines the contours of the minimum verification controls and what is expected from financial institutions.

Applicable to whom?

These controls apply to member organizations that offer e-wallets, lending products, crowdfunding, or other fintech business models under SAMA's supervision. Let's break down these controls into simple language to understand their importance and relevance.

Registration and onboarding controls

  • Single Application per Phone Number or National ID: Each phone number or ID should be linked to a single application to prevent misuse.
  • Secure User Validation: Member organizations must establish a secure process to verify users' identities.
  • Registration Process: Depending on the business model, lending and e-wallet platforms must use strong authentication methods. Other models should implement robust controls.
  • Phone Number Ownership Verification: Ensure that the registered phone number matches the user's name and national ID through a trusted third party.
  • One-Time-Password (OTP): Use OTP as a form of verification and send it to a verified phone number.
  • Session Timeout: Implement session timeout controls for all OTPs.
  • SMS Notifications: Send SMS notifications for registration, account status changes, and device re-registration.
  • Single-Device Assignment: Each application should be linked to one device only, or OTPs should be used for each login.
  • Account Deactivation and Reactivation: Develop secure processes for account deactivation, reactivation, and device re-registration.
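The controls above describe a registration flow whose checks are easy to get subtly wrong: the OTP must go only to a phone number whose ownership has been confirmed, it must expire, it must be single-use with a bounded number of attempts, and the resulting account must be bound to one phone number, one national ID and one device. The following is an added illustration written for this article, not code from SAMA or ECOVIS Al Sabti. The trusted third-party ownership lookup is a constructed in-memory dictionary, the 120-second timeout and three-attempt limit are assumed values (the controls require only that a timeout and secure process exist), and SMS delivery is a callback so the flow runs offline.

```python
import hmac
import secrets
import time

# Illustrative assumptions: the controls require a timeout and a secure process,
# but do not prescribe these specific numbers.
OTP_TTL_SECONDS = 120
MAX_OTP_ATTEMPTS = 3

# Constructed stand-in for the trusted third party that confirms a phone number
# belongs to a national ID. A real deployment queries the provider instead.
OWNERSHIP_REGISTRY = {"+966500000001": "1000000001", "+966500000002": "1000000002"}


class ControlViolation(Exception):
    """Raised when a request would violate one of the onboarding controls."""


class OnboardingService:
    def __init__(self, registry=OWNERSHIP_REGISTRY, send_sms=None, clock=time.time):
        self._registry = registry
        self._send_sms = send_sms or (lambda phone, text: print(f"SMS to {phone}: {text}"))
        self._clock = clock
        self._pending = {}   # phone -> {"code", "national_id", "expires", "attempts"}
        self._accounts = {}  # national_id -> {"phone", "device"}  (one application per ID)
        self._phones = {}    # phone -> national_id                (one application per phone)

    def start_registration(self, phone, national_id):
        # Single application per phone number or national ID.
        if phone in self._phones or national_id in self._accounts:
            raise ControlViolation("phone number or national ID already registered")
        # Phone number ownership verification through the trusted third party.
        if self._registry.get(phone) != national_id:
            raise ControlViolation("phone number is not registered to this national ID")
        # OTP is generated from a CSPRNG and sent only to the verified number.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = {"code": code, "national_id": national_id,
                                "expires": self._clock() + OTP_TTL_SECONDS, "attempts": 0}
        self._send_sms(phone, f"Your registration code is {code}. Valid {OTP_TTL_SECONDS}s.")

    def _check_otp(self, phone, submitted):
        entry = self._pending.get(phone)
        if entry is None:
            raise ControlViolation("no pending OTP for this number")
        if self._clock() > entry["expires"]:          # session timeout
            del self._pending[phone]
            raise ControlViolation("OTP expired")
        entry["attempts"] += 1
        if entry["attempts"] > MAX_OTP_ATTEMPTS:       # bounded guessing
            del self._pending[phone]
            raise ControlViolation("too many OTP attempts")
        if not hmac.compare_digest(entry["code"], submitted):  # constant-time compare
            return None
        return self._pending.pop(phone)                # single use: consumed on success

    def complete_registration(self, phone, submitted_otp, device_id):
        entry = self._check_otp(phone, submitted_otp)
        if entry is None:
            return False
        nid = entry["national_id"]
        self._accounts[nid] = {"phone": phone, "device": device_id}  # single-device assignment
        self._phones[phone] = nid
        self._send_sms(phone, "Your account has been registered on a new device.")
        return True

    def login(self, phone, device_id):
        nid = self._phones.get(phone)
        if nid is None:
            raise ControlViolation("unknown account")
        if self._accounts[nid]["device"] != device_id:
            # A different device must go through OTP-backed device re-registration.
            raise ControlViolation("device not registered; re-registration with OTP required")
        return True
```

The constant-time comparison and the consume-on-success rule matter in practice: comparing OTPs with `==` leaks timing, and leaving a verified code in the pending table lets it be replayed within the timeout window.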

General controls

  • SAMA Cybersecurity Requirements: Implement the cybersecurity regulatory requirements set by SAMA.
  • Official Application Stores: Use official app stores for distribution.
  • Installation Restriction: Implement mechanisms to prevent privilege escalation through jailbreaking or rooting.
  • Disaster Recovery: Have backup and recovery measures in place to cater to disasters.
  • Terms & Conditions: Ensure terms and conditions cover data privacy and customer consent for displaying account owner names.
  • User Awareness Programs: Educate users about terms & conditions and general security practices related to OTP/password.
  • Inactive Accounts Policy: Develop a policy for handling inactive accounts.
  • Multi-Factor Authentication (MFA): Implement MFA for all logins.
  • OTP for Transactions: Use a different OTP mechanism and delivery channel for specific transactions.
  • Short Message Service (SMS) Notifications: Send SMS notifications for all transactions and account changes.
  • Fraud Prevention: Employ comprehensive use cases and scenarios to combat fraud through user behavior monitoring.
  • Handling Fraud Cases: Establish processes to handle fraud cases, including investigation and account deactivation.
  • Data Privacy and Security: Safeguard user data privacy and security, including displaying account owner names.
  • Clear SMS Messages: Ensure SMS messages are clear, direct, purposeful, and include the organization's name.
  • Policy Integration: Reflect these controls in internal policies and periodically review them.

Lending application special controls

In addition to the above controls, lending companies must adhere to the following:

  • Recipient International Bank Account Number (IBAN) Verification: Verify that the recipient's IBAN belongs to the loan requester.
  • Digital Signature: Use a trusted digital signature provider.
  • Promissory Note Management: Securely create, save, and manage promissory notes using a nationally trusted party.
  • Customer Communication: Notify customers via SMS about their loan requests and approvals.

Benefits for organizations

In an era of digital finance, safeguarding sensitive information and ensuring the security of financial services is crucial.

SAMA’s minimum verification controls provide a roadmap for financial organizations to navigate these challenges and protect their customers and operations effectively. By implementing these controls, member organizations can strengthen their cybersecurity posture, build trust with their users, and enhance their brand reputation.