Professional Documents
Culture Documents
Third-Party Framework
October 2023
SAMA’s draft third-party framework on baseline requirements for third-party/outsourcing arrangements
In order to ensure effective & responsive risk management, SAMA has proposed draft baseline requirements on third-
party/outsourcing arrangement
Applicable entities
Market information
Global Network
data providers Infrastructure
(Bloomberg, Moody’s)
Any regulated entity supervised by SAMA, including but not (VISA, MasterCard)
lifecycle management
© 2023©Deloitte
2023 Deloitte & Touche
& Touche (M.E.). (M.E.). SAMA’s Third-Party Framework Consultation Paper 2
Summarized view of SAMA’s draft third-party framework
The framework is intended to mitigate most common risks FIs may identify when entering in any arrangements with a third-party. It
also includes set of principles and requirements to be used as a baseline by all FIs and its subsidiaries.
The domain emphasizes the importance of The domain outlines the controls that FIs should The domain highlights the importance of
implementing effective controls within a financial implement throughout the lifecycle management implementing relevant processes and controls at
institution concerning third-party relationships and process of third-party arrangements. Before entering different stages of the third-party lifecycle within FIs.
outsourcing. The FI's governance model should into any arrangements and periodically thereafter, FIs These controls are designed to manage the risks
establish a comprehensive approach to managing should implement the risk controls associated with associated with third-party arrangements effectively.
these third-party arrangements. This involves using a third-party (such as cyber, technology, privacy, The framework emphasizes the significance of second
incorporating strong practices for governance, resilience, concentration, financial, operational, legal, level controls and independent reviews to ensure that
documentation, and reporting to gain a complete regulatory, and reputational risks), and perform due potential risks related to third-party engagements are
understanding of its third-party arrangements, diligence on the third-party. Additionally, when the adequately mitigated. Monitoring based on key risk
enabling informed risk management decisions and the third-party provides a critical service for the financial indicators and comprehensive reporting are essential
proper implementation of risk mitigation measures. institution, a risk assessment should be conducted on components of the process to gain a holistic view of
the critical asset underlying the service, considering third-party risk. Periodic independent reviews of the
Following are the controls under this domain, which specific requirements set by SAMA. process are also necessary to maintain its
FIs needs to implement: effectiveness.
• Proportionality Following are the controls under this domain, which
FIs needs to implement: Following are the controls under this domain, which
• Sound Governance
• Assessment of Materiality FIs needs to implement:
• Intragroup Arrangement • Continuous monitoring and reporting
• Risk Assessment
• Business Continuity • Independent Review
• Due Diligence
• Third-Party Arrangement Register
• Contractual Phase
• Sub-Contracting
• Termination
© 2023©Deloitte
2023 Deloitte & Touche
& Touche (M.E.). (M.E.). SAMA’s Third-Party Framework Consultation Paper 4
Principles and requirements to be used as baseline by all FIs/subsidiaries
SAMA’s draft third-party framework consists of three domains (i.e., Governance, third-party arrangement lifecycle and
ongoing third-party management)
1. Governance
Third-Party Arrangement
Proportionality Sound Governance Intragroup Arrangement Business Continuity
Register
*FIs to implement & perform *FIs to clearly define *For third-party arrangement, *FIs must establish business *FIs must document all third-party
proportionate evaluation for nontransferable roles & governance over intragroup continuity plans for outsourcing arrangements in dedicated
all third-party arrangements responsibilities w.r.t third-party arrangements shall be established arrangement prior Board of repository
considering: arrangement to ensure: & cover the following: Directors approval, in conjunction *FIs to perform annual review of
• Nature of customer data • Board of Directors has ultimate • Conflict of interest check with Business Continuity the register
• Third-party experience and risk responsibility to approve & • Governance structure and Management Framework & *FIs to update the register for
profile implement strategies allocation of Board of Directors document the following: critical third-parties periodically &
• Cost & complexity of • Third-party policy is reviewed & • Financial interest, dependency, • Possible event of failures share with SAMA annually
arrangement updated periodically control and influence • Alternate third-party service *FIs to update the register for non-
• Affiliation between third-party • Third-party policy must include • Group wide internal policies and providers & in-house transition critical third-parties annually
and financial institution at minimum, defined procedures plans *The register must include:
• Financial, operational, regulatory components as per SAMA third- • Risk identification and mitigation • Timeline & procedure to select • Reference number for
& reputational impact in case of party framework strategy alternate third-party arrangement
third-party failure • Conflict of interest check • Compliance with respect to • Service Level Agreements • Description of the function
• Potential losses to FIs covering: intragroup entity • Transition plans for another • Classification of arrangement
customers/affected parties • Financial interest • FIs participation in third-party third-party for new arrangement • Materiality assessment & Past
• Responsibilities policy making process • Recovery time objective, assessment outcome
*Determine resource/activity for • Classification of third-party recovery point objective & • Severity of third-party
third-party or outsourcing relationship *For outsourcing arrangement only, resumption of operations • Severity of the service
arrangement based on above • Benchmarking of third-Party cover the following: • Risk assessment outcome
outcome policy & integrate into internal • Compliance with regulatory • Geographical location of third-
polices framework part and sub-contractor, if
*Annually (at least ) evaluate • Identity risks & mitigation involved
governance & implementation measures
• Higher level of control
© 2023©Deloitte
2023 Deloitte & Touche
& Touche (M.E.). (M.E.). SAMA’s Third-Party Framework Consultation Paper 5
Principles and requirements to be used as baseline by all FIs/subsidiaries for material outsourcing
SAMA’s draft third-party framework consists of three domains (i.e., Governance, third-party arrangement lifecycle and
ongoing third-party management)
2. Third-Party Arrangement Lifecycle (1/2)
*FIs to classify outsourced function as material’, if *FIs must perform risk assessment to identity potential risk *FIs must perform due diligence before entering third-
disruption affects the following: from third-party arrangement & determine mitigation measure party arrangement as per risk appetite
• Financial stability of Saudi Arabia’s financial sector *Risk assessment requirements for all third-party arrangement: *Due diligence for all third-party & outsourcing
• Operational resilience and reputation • Identify potential cyber, security, privacy, resilience, & arrangements must consider the following but not
• Compliance with regulations concentrations risk etc. & assess their impact on FI’s risk limited to:
• Profitability of customers and affected parties profile • Level of due diligence required as per
• Protection and CIA of customer data • Evaluate risk assessment result as following: arrangement/materiality of the function
• Prior to entering a third-party arrangement • Business model, nature, complexity, ownership
*FIs must perform materiality assessment prior to • Pre-defined annual assessment • Financial position
entering in an outsourcing arrangement considering: • Change in the nature of the arrangement/parties • Expertise & reputation
• Pre-defined annual monitoring plan is in place Implement risk mitigation by considering the following, but not • Operational & technology resources
• Change in the nature of the arrangement/parties limited to: • Governance, incident management, BCP
• Contractual agreement with other third-party • Data Privacy
• Shorter duration of contractual agreement • Security & Quality
• BCP and incident management plan • Sub-contractor security control
*Risk assessment requirements for all outsourcing
arrangement only, addition to above requirements:
• Potential risks such as operational, regulatory etc.
• Concentration risks – Level of dependency or multiple
contracts
• Risk mitigation plans
• Location, political stability, intragroup connection, data and
security measures, sub-contractor arrangement
• Scenario analysis and document the same in third-party
register
© 2023©Deloitte
2023 Deloitte & Touche
& Touche (M.E.). (M.E.). SAMA’s Third-Party Framework Consultation Paper 6
Principles and requirements to be used as baseline by all FIs/subsidiaries for material outsourcing
SAMA’s draft third-party framework consists of three domains (i.e., Governance, third-party arrangement lifecycle and
ongoing third-party management)
2. Third-Party Arrangement Lifecycle (2/2)
*FIs must establish expectations in agreed & written *FIs must consider supply chain risks if third-party transfers *FIs must establish termination processes, including exit
legally binding contract to set clear expectations, roles, performance of activities to an additional third-party service strategies and rights of the parties stated in the agreed
responsibilities. provider contract
*Contractual requirement for all third-party arrangement:
• Cover relevant laws & regulations *Sub-contracting requirement for all third-party arrangement: *Termination requirement for all third-party
• Obligations • To be onboard only if no undue operational or other risks arrangement:
• Knowledge transfer process • Identify potential risks from sub-contractor through risk FIs to ensure that contract can be terminated in
• NDA provisions such as: assessment & due diligence activities accordance with applicable law and regulations, including
• Confidential information definition • To obtain list of all sub-contracting service providers from in the following situations:
• Use of confidentialinformation third-party • In case of any legal & regulatory breach
• Duration of agreement (reviewed at least • Ownership is with third-party even if sub-contractor is • Non-performance
annually) involved • Material changes
*Contractual requirement for outsourcing arrangement: • Concentration risk (E.g., level of dependency) • Identification security weakness,
• Policy defining SLA program • SAMA instruction
• SLA monitoring process *Sub-contracting requirement for outsourcing arrangement:
• Escalation process • Prior approval of FI before sub-contracting *Termination requirement for outsourcing arrangement:
• Non-performance & resolution process • Ensure third-party has performance reporting & monitoring FIs to ensure that contract includes provisions regarding:
• Right of SAMA to access the subcontractor in the same for sub-contractor Support during transfer
capacity • SAMA approval for ‘material’ sub-contractor activities • Transition period
• To include provisions regarding: • Sub-contractor consent to cooperate with SAMA • Audit and access rights
• CIA • Return and disposal of data
• Data privacy and security of data
• Sub-contractor security
• NDA provisions similar to third-party
arrangement
© 2023©Deloitte
2023 Deloitte & Touche
& Touche (M.E.). (M.E.). SAMA’s Third-Party Framework Consultation Paper 7
Principles and requirements to be used as baseline by all FIs/subsidiaries for material outsourcing
SAMA’s draft third-party framework consists of three domains (i.e., Governance, third-party arrangement lifecycle and
ongoing third-party management)
3. Ongoing third-party management
© 2023©Deloitte
2023 Deloitte & Touche
& Touche (M.E.). (M.E.). SAMA’s Third-Party Framework Consultation Paper 8
Steps to comply with SAMA’s Third Party Framework
Customized TPRM framework to operationalize third Risk assessments across risk domains such as cyber • “TRYGNA” Deloitte’s Third-party risk management
party risk management in line with regulatory security, privacy, resilience, concentration, legal & and monitoring tool
requirements and industry leading practices regulatory, financial & operational, reputational, anti- • Risk sensing and continuous monitoring
money laundering, etc.
Training & awareness programs for clients and their Review/ manage contract for different third parties to Post assessment follow ups for remediation along
third parties ensure they are aligned with the SAMA guidelines with remediation tracking mechanism
Third party onboarding/ performance monitoring Third party risk profiling, onboarding and periodic
(SLA/ KPI compliance) assessments, performance monitoring across
applicable risk domains
Risk profiling
© 2023©Deloitte
2023 Deloitte & Touche
& Touche (M.E.). (M.E.). SAMA’s Third-Party Framework Consultation Paper 9
Third Party Risk Management (TPRM) Framework in line with SAMA’s Third Party Framework
Reporting
Enablers - Automation
Views Work Flow Data Repository Analytics and Reporting
© 2023©Deloitte
2023 Deloitte & Touche
& Touche (M.E.). (M.E.). SAMA’s Third-Party Framework Consultation Paper 10
Deloitte’s Capability - Overview of Deloitte’s Vendor Intelligence Center (VIC)
10,000+ assessments delivered to clients. We have a pool of risk management professionals who can address multiple domains of TPRM
Extended Enterprise
Managed Services TECHNOLOGY
1. GRC-TPM solutions
Service now, One Trust, Coupa Risk etc
CAPABILITY • Design, Implement, Operate
2. Inhouse TPRM Tool
Plan, evaluate and select Trygna
End to end
Contract & on-board • Scalable • Flexible • Secure
Third-Party
Lifecycle Manage & monitor DELIVERY MODELS
Designed for Managed Service
Discontinue & de-board Remote
Cloud ready
Onsite
Access anytime on any device
Hybrid
© 2023©Deloitte
2023 Deloitte & Touche
& Touche (M.E.). (M.E.). SAMA’s Third-Party Framework Consultation Paper 11
Frequently Asked Questions (FAQ’s)
1
Who is covered under SAMA’s third-party framework?
• Any regulated entity supervised by SAMA, including but not limited to Banks, Insurance companies, Finance
Companies, FinTech, Aggregators, Payment Service Providers (PSPs), Financial Market Infrastructures (FMIs).
• Foreign branches & subsidiaries operating in Saudi Arabia (Not applicable if outsourcing to their head office)
4
What is ‘Materiality Assessment’ & ‘Material Outsourcing’ ?
• Materiality Assessment : Evaluation of the service provided by vendor to determine the significance & impact on
organization’s operations, goals, reputation & identify potential risks
• Material Outsourcing : Outsourcing of significant or critical business functions, services or processes to external vendor
© 2023©Deloitte
2023 Deloitte & Touche
& Touche (M.E.). (M.E.). SAMA’s Third-Party Framework Consultation Paper 12
Frequently Asked Questions (FAQ’s)
5
What is the difference between Saudi or foreign branch & Saudi legal entity?
• Saudi or foreign branch is an extension of foreign company’s operations in Saudi Arabia, that shall be subject to
regulations of both the parent company’s home country & Saudi Arabia (SAMA)
• Saudi legal entity is a separate & independent company registered under Saudi Arabia laws & will be governed by
SAMA guidelines
8
What are the key phases in a third-party risk assessment lifecycle?
• Assessment of Materiality • Contracting and Sub-contracting
• Risk Assessment • Continuous monitoring and reporting
• Due-diligence • Termination
© 2023©Deloitte
2023 Deloitte & Touche
& Touche (M.E.). (M.E.). SAMA’s Third-Party Framework Consultation Paper 13
This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon
the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this
publication.
Deloitte & Touche (M.E.) LLP (“DME”) is the affiliate for the territories of the Middle East and Cyprus of Deloitte NSE LLP (“NSE”), a UK limited liability partnership and
member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”).
Deloitte refers to one or more of DTTL, its global network of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its
member firms are legally separate and independent entities. DTTL, NSE and DME do not provide services to clients. Please see www.deloitte.com/about to learn more.
Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms in more
than 130 countries and territories, serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 410,000 people make an impact that
matters at www.deloitte.com.
DME would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. DME accepts no duty of care or
liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.
DME is a leading professional services firm established in the Middle East region with uninterrupted presence since 1926. DME’s presence in the Middle East region is
established through its affiliated independent legal entities, which are licensed to operate and to provide services under the applicable laws and regulations of the
relevant country. DME’s affiliates and related entities cannot oblige each other and/or DME, and when providing services, each affiliate and related entity engages
directly and independently with its own clients and shall only be liable for its own acts or omissions and not those of any other affiliate.
DME provides audit and assurance, consulting, financial advisory, risk advisory and tax, services through 29 offices in 15 countries with more than 5,900 partners,
directors and staff.
© 2023©Deloitte
2023 Deloitte & Touche
& Touche (M.E.). (M.E.). SAMA’s Third-Party Framework Consultation Paper 14