Financial Consumer Protection Principles & Rules

Section 1: Introduction, Purpose and Definitions


SAMA is the authority responsible for monitoring and supervising the financial institutions licensed by it. SAMA has regulatory powers, including framing and regulating the rights of financial institutions’ customers, based on the Saudi Central Bank Law issued by Royal Decree No. M/36 dated 11/04/1442H and its amendments as well as Article (4) of the Law which states that “SAMA shall carry out its duties according to the provisions of the Law, the regulations and policies issued by the Board, and in line with international best standards and practices. The Bank shall have all powers necessary to be able to achieve its objectives and carry out its duties. To this end, SAMA may exercise the following duties, powers and responsibilities: (9) developing instructions and procedures that would protect the consumers of financial institutions.” This is also based on the Banking Control Law issued by Royal Decree M/5 dated 22/02/1386H and its amendments, granting SAMA the authority to determine the procedures and conditions that banks must follow when dealing with consumers, in addition to the provisions in the Cooperative Insurance Companies Control Law issued by Royal Decree No. M/32 dated 02/06/1424H and its amendments regarding SAMA’s powers to set the rules and controls that guarantee the rights of beneficiaries. The Finance Companies Control Law issued by Royal Decree No. M/51 dated 13/08/1433H and its amendments and regulations include the necessary rules to protect transactions, ensure their fairness, and protect the rights of consumers. Moreover, the Credit Information Law issued under Royal Decree No. M/37 dated 05/07/1429H and its regulations are aimed at regulating consumer rights in the credit information sector, and one of the goals of the Law of Payments and Payment Services issued by Royal Decree M/26 dated 22/03/1443H is to enhance the protection of the rights of parties dealing with payment systems and payment service providers.


  1. To establish the principle of financial consumer protection and keep abreast of the instructions issued internationally, namely the High-Level Principles on Financial Consumer Protection.
  2. To ensure that consumers of financial institutions supervised by SAMA are treated with transparency, honesty and fairness.
  3. To ensure that consumers can easily obtain financial services and products at reasonable costs and with high quality.


The following terms and phrases, wherever mentioned in this document, shall have the meanings assigned to them unless the context otherwise requires:

Saudi Arabia: The Kingdom of Saudi Arabia.

SAMA: The Saudi Central Bank.

Financial institution: An entity supervised and regulated by SAMA according to the applicable laws.

Bank: Any natural or juristic person that is basically practicing any of the banking business in Saudi Arabia and is licensed according to the provisions of the Banking Control Law.

Finance company: A joint stock company licensed to engage in finance activities according to the Finance Companies Control Law.

Insurance company: A joint stock company conducting insurance and/or reinsurance activities according to the Insurance Companies Control Law.

Payments institutions: Payment service providers licensed by SAMA according to the Law of Payments and Payment Services.

Remittance service providers: Financial institutions providing remittance services under the license issued by SAMA.

Credit and charge card issuers: Financial institutions licensed to issue credit and charge cards in Saudi Arabia.

Credit bureaus: Companies licensed to collect and maintain credit information on consumers and provide the same to members upon request according to the Credit Information Law.

Credit record: A report issued by a credit bureau containing consumer credit information.

Conflict of interest: A situation in which the objectivity and independence of a financial institution or any of its employees is adversely affected during the performance of tasks in pursuit of its own interests or the interests of any of its employees, in a manner that violates justice, fairness, integrity and responsibility to consumers.

Consumer: A natural person who is a beneficiary of products and services provided by licensed financial institutions.

Complaint: Any expression, written or verbal, entailing dissatisfaction with the provided services, whether such dissatisfaction is justified or not.

Complaint resolution: When a financial institution reaches a final outcome regarding the consumer's complaint by following the measures and procedures necessary to settle the complaint fairly and effectively within the specified time period.

Inquiries: A consumer’s inquiries about products and services provided by a financial institution.

Requests: A consumer’s request to obtain products or services provided by a financial institution.

Clearance letter: An official statement issued by the financial institution confirming that the consumer has no financial liabilities related to a product or a service previously obtained by the consumer.

Employees: Individuals responsible for providing services and products offered by the financial institution, including all employees, whether directly contracted or outsourced.

Error: An act violating the documented policy and work procedures, which has a financial effect and/or a breach of the statutory or regulatory rights of one or more consumers.

Outsourcing: An arrangement with a third party that the financial institution contracts with to provide a service on its behalf.

Documented channels: A recorded and verifiable contact method that can be retrieved in written or electronic format.

Day: Any calendar day including weekends and holidays.

Business day: Any calendar day excluding weekends and holidays.

Third party: An entity that is assigned an activity to perform on behalf of the financial institution.

Section 2: Consumer Protection Principles

These principles form the general framework for protecting consumers of financial institutions and must be observed by financial institutions in all their dealings with consumers. Such principles are as follows:

Principle 1: Equitable and Fair Treatment

The financial institution must treat consumers equitably, honestly and fairly at all stages of their relationship to the point that it becomes an integral part of the financial institution’s culture. Moreover, due care must be exercised and special attention must be given to low-income and less educated people, older people and those with special needs of both sexes.

Principle 2: Disclosure and Transparency

The financial institution must ensure that the information about products and services provided to consumers is clear and comprehensible and that it is updated, clear, concise, accurate, not misleading, and easy to access especially the key terms and features. This information must include a description of the rights and responsibilities of each party and details of prices and commissions charged by the financial institution, taxes, exceptions, fines, types of major risks and benefits, and the mechanism and consequences of terminating the relationship. Furthermore, the financial institution must provide information about the alternative products and services it offers.

Principle 3: Education and Awareness

The financial institution must develop appropriate programs and mechanisms to improve the knowledge and skills of consumers, raise their level of awareness, enable them to understand major risks, and help them to make informed and effective decisions as well as help them know the concerned entity to obtain information if needed.

Principle 4: Behavior and Work Ethic

The financial institution must work in a highly professional manner for the benefit of consumers during their relationship, where a financial institution is primarily responsible for the protection of the financial interests of the consumer. The financial institution must also provide the necessary human resources to achieve the above, perform its business operations, and serve its consumers in all regions of Saudi Arabia where it is located. Additionally, the financial institution must provide appropriate centers and documented communication channels to serve these consumers.

Principle 5: Protection Against Fraud and Misuse

The financial institution must protect customers’ assets against fraud and put in place technical and control systems that are highly efficient and effective to limit and detect fraud, embezzlement or misuse and take the necessary action if any incident occurs, in accordance with the relevant regulations and instructions.

Principle 6: Protection of Data and Information Privacy

The financial institution must develop appropriate mechanisms according to the relevant applicable regulations, instructions and policies to protect the privacy of consumers’ financial, credit, insurance and/or personal information, provided that these mechanisms include all rights mentioned in the Personal Data Protection Law. The financial institution must also establish high-level control systems that include appropriate mechanisms specifying the purposes for which data is collected.

Principle 7: Complaints Handling

The financial institution must have an appropriate mechanism in place for consumers to submit their complaints, and the mechanism must be clear and effective. In addition, the financial institution must consider each complaint, take the measures and procedures necessary to fairly and effectively resolve the complaint, and provide the best and most appropriate solutions without delay in accordance with the relevant regulations and instructions.

Principle 8: Competition

The financial institution must enable consumers to easily search and compare the best services and products and their providers. It must also provide the best products, services, and prices to meet consumers’ needs and desires, promote innovation, and maintain the quality of services and products.

Principle 9: Outsourcing

When outsourcing services that involve dealing with consumers, the financial institution must ensure that outsourced service providers comply with the requirements of these Principles and Rules (where applicable), serve the interests of consumers, and bear the responsibility for protecting them. Financial institutions are not exempted from responsibility if the outsourced service provider fails to comply with applicable laws, regulations and instructions in any of the assigned operations or tasks as stipulated in the relevant instructions issued by SAMA.

Principle 10: Conflict of Interest

The financial institution must establish a written policy on conflict of interest. It must also ensure the existence and implementation of the policies that help in identifying transactions that are likely to be a source of conflict of interest. If a conflict of interest is likely to occur between the financial institution and any other party, the financial institution must inform the responsible authority of these cases.

Section 3: General Conduct Rules

Rule 1: The financial institution must encourage consumers to read the contracts and their annexes, the initial disclosure form, the terms and conditions, and any documents that require the consumer’s approval or signature. Moreover, the financial institution must verify consumers' knowledge of the content of these documents and provide the updated terms and conditions through its electronic channels.

Rule 2: The financial institution must provide information and/or documents to consumers clearly and accurately, and it must avoid misinformation, fraud and deception.

Rule 3: The financial institution must include all terms and conditions in the product or service application form, provided that the warning statements include the potential risks if the product or service is used in a way other than agreed upon. These terms and conditions must be drafted in Arabic in a simple, clear and direct language. An English copy must be provided upon the consumer’s request.

Rule 4: Without prejudice to Rule (8) of this section, the financial institution must inform the consumer, through a text message to the mobile phone number registered with the financial institution and the other documented channels, of any change in the terms and conditions (if the agreement and relevant instructions allow this change) at least 30 days before the change comes into effect. In addition, the financial institution must enable the consumer to object in the event of their non-consent to the notification received through one of the documented channels.

Rule 5: When concluding the contract or agreement, the financial institution must provide the consumer with an initial disclosure form that has an easy, clear and simple language, containing information on products and services, details of calculating fees and commissions, and the term cost (if any). The financial institution must also obtain an acknowledgment from the consumer that they have read and understood such information and agree to its content.

Rule 6: The financial institution must standardize the font size used (14 as a minimum) and ensure that it is clear and readable in contracts and annexes, which include initial disclosure forms, terms and conditions, documents, exceptions, and any other document requiring the consumer’s review or signature. In addition, the financial institution must not request the consumer's signature (of any type) on any empty or incomplete document, and it must protect and maintain consumers' documents and signatures.

Rule 7: The financial institution must provide the consumer with all documents related to the products or services in paper or electronic format - according to the consumer's preference - immediately upon obtaining them. If provided in paper format, the financial institution must obtain an acknowledgment of receipt from the consumer. Such documents include the contract and its annexes, insurance documents, terms and conditions, schedule of fees and commissions.

Rule 8: The financial institution must not raise the amount of fees and commissions to be paid by a consumer after obtaining the service or product and signing the contract/agreement or the like. An exception is the fees and commissions related to a third party, provided that they are associated with the consumer’s benefit from the financed asset, and the consumer must be notified of this when signing the contract.

Rule 9: The financial institution must set a list of fees and commissions (including third party fees) in a visible place in the head office and branches and publish it on the websites.

Rule 10: When a consumer applies for a service or product, the financial institution must:

  1. Send a text message to the consumer (immediately after submitting the application) containing, as a minimum: the application subject, the reference number, expected implementation date, and toll-free number for inquiries.
  2. Notify the consumer of the acceptance or rejection of the application via a text message, within a maximum of (3) working days. If the application is rejected, the notification must include the reason for this rejection in addition to the mechanism of objection to it.
  3. As an exception from Paragraph (b), notification of insurance claims must be in writing, and its period is determined according to the periods specified in the relevant instructions. This notification must include, at a minimum, the following:
    • If the claim is totally or partially accepted: the settlement amount, clarification of how the settlement amount was calculated, justification for the amount reduction or the partial acceptance of the claim.
    • If the claim is rejected: the reason for rejection, documents supporting the rejection decision if requested by the consumer.

Rule 11: The financial institution is responsible for protecting consumer information and maintaining its confidentiality, whether the information is maintained by the institution or by a third party. Moreover, the financial institution must:

  1. Provide a secure and confidential environment in all its channels to ensure the confidentiality of consumer information when executing transactions, establish appropriate work procedures and effective control systems for protecting consumer information, and detect and address any current or expected infringements.
  2. Ensure that all permanent and temporary employees as well as employees of the third party, whether they are on the job or after leaving their posts, sign the consumer information confidentiality form, ensure not to disclose personal information, and limit access to such information to authorized persons only.
  3. Maintain the confidentiality of consumer information in accordance with the relevant laws and instructions.

Rule 12: The financial institution must ensure that all electronic channels are available and secure. In the event that consumers experience direct loss as a result of penetration of these channels and/or weak security, these consumers must be compensated for the losses. In addition, the financial institution must:

  1. Adopt a number of identity authentication methods for accessing electronic services and take the necessary measures to reduce electronic fraud.
  2. Mention the purpose of any text message containing a one-time password (OTP) to consumers by stating, for example, that it is for identification of a beneficiary, password reset, access to account, or money transfer.

Rule 13: The financial institution must ensure that its systems and services are continuous and ready to meet the needs of consumers at all times. Additionally, it must not benefit from any refunds that may arise due to a technical error or malfunction; such refunds must be returned to each affected consumer without delay and within (5) working days without waiting for claims. Moreover, the institution must repair the malfunction according to the requirements of business continuity, communicate with the affected consumers to inform them of the error and the corrective measures taken through any of the documented channels, and announce the same through all available channels.

Rule 14: The financial institution must ensure that all employees perform their duties efficiently and effectively and that they follow codes of conduct and ethics with high professionalism when serving current or potential consumers at all times. It must also train front-line employees who deal directly with consumers on a regular basis and ensure that they obtain the necessary professional certificates to be familiar with the skills of dealing with consumers, the products and services provided to consumers, and the relevant instructions issued by SAMA.

Rule 15: Without prejudice to the relevant instructions, the financial institution must monitor the performance of front-line employees through (periodic/confidential) visits to the branches, call center, and collection staff (including third party employees) to ensure that they follow the best practices when dealing with consumers and that they are familiar with the instructions issued by SAMA as well as the products and services provided by the institution. In addition, semi-annual reports must be submitted to the senior management to monitor the performance of employees.

Rule 16: The financial institution must continue to educate consumers, through all of its channels, about topics including, as a minimum: products and services and their risks, handling of debt and default, fraud, dealing with unlicensed companies or financial or investment institutions, savings, financial education and planning.

Rule 17: The financial institution must provide multiple channels dedicated to receiving complaints, inquiries and requests and enable consumers to submit complaints easily and timely according to their preference, in line with the nature of the financial institution. These channels must include at a minimum: the toll-free number, branches and/or website, smart phone applications, email.

Rule 18: The financial institution must display the complaint handling mechanism in a visible place in the head office and branches and publish it on the websites and smart phone applications.

Rule 19: The mechanism for handling complaints and inquiries must include the following:

  1. Procedures for submitting a complaint and/or inquiry.
  2. Documenting receipt of the complaint and/or inquiry and providing the consumer with the main reference number and the specified complaint-handling period via a text message to the mobile phone number registered with the financial institution.
  3. Providing the consumer with contact information of the department concerned with handling complaints and/or inquiries in case the consumer needs to communicate with the financial institution to follow up on the complaint and/or inquiry.
  4. Documenting the channel used to communicate with the consumer and maintaining its records for a minimum of five years.
  5. Handling complaints and/or inquiries sent directly to the financial institution in accordance with the instructions issued by SAMA.
  6. Providing the consumer with the results of complaint handling and/or answers to the inquiries in detail with documents that confirm correct handling through one of the documented channels, in addition to responding to their inquiries clearly and with high quality.
  7. If a consumer is not satisfied with the result of the complaint handling and wants to escalate, the consumer should be provided with the escalation mechanism to a higher level within the financial institution or be directed to the competent authority, as preferred.

Rule 20: The financial institution must develop performance indicators to measure the handling of directly-filed complaints, including (measuring customer satisfaction, measuring complaint handling quality). The results must be reported quarterly to the highest executive position in the financial institution.

Rule 21: The financial institution must provide, within (5) working days, the following documents at the request of the consumer:

  1. A copy of the original forms for any service or product.
  2. A copy of the updated terms and conditions of the product or service.
  3. A copy of the contracts concluded with the consumer, including the documents of collaterals and guarantees.
  4. A copy of the insurance policy, if any.

Rule 22: The financial institution must provide a toll-free number for consumers to call from inside Saudi Arabia via landline and mobile phones, in addition to a phone number for calling from outside Saudi Arabia (for banks and insurance companies) to submit complaints and inquiries. The toll-free number must be clearly displayed on the home page of the financial institution’s website in addition to all other channels.

Rule 23: The financial institution must take into account the humanitarian cases and its social responsibility when dealing with consumers who have emergency financial difficulties and find suitable solutions before starting to take the legal actions against them.

Rule 24: The financial institution, along with its personnel, must not treat current and future consumers differently in a biased or unfair manner in their various dealings based on their race, gender, religion, color, age, disability, marital status or any other forms of discrimination.

Rule 25: The financial institution must publish the Financial Consumer Protection Principles and Rules on its website in a visible place.

Rule 26: The financial institution must display the branch working hours at the branch’s main entrance and on the website, in addition to the working hours for phone services.

Section 4: Specific Conduct Rules

Rule 1: Fees, commissions and administrative service charges to be received by the bank or finance company from the consumer must not exceed the amount equivalent to (1%) of the financing amount or SAR 5,000, whichever is less. These fees, commissions and administrative service charges may not be deducted before signing the contract, with the exception of real estate valuation fees, which may be deducted after the consumer obtains the initial approval for real estate financing.

Rule 2: Without prejudice to Rule (1) of this section, the bank or finance company must, when granting real estate financing, take an acknowledgement from the consumer (before starting the contracting procedures) that states the bank’s right not to refund the real estate valuation fees if the procedures are not completed for a reason related to the consumer. However, the real estate valuation fee must be refunded in the following cases:

  • Failure to grant the financing for a reason not related to the consumer.
  • If the consumer cancelled the request before the real estate valuation.

Rule 3: The bank and the finance company must issue and provide the consumer with a letter of clearance through one of the documented channels immediately after the payment of the debt dues or the agreed settlement amount without a request from the consumer, except for cases in which judicial decisions are issued.

Rule 4: The bank or finance company must inform the consumer through documented channels of the consequences on their credit record with credit information companies when a settlement is reached with the bank or finance company to drop the remaining unpaid amounts of the total loan.

Rule 5: The bank or the finance company must provide the consumer, upon their request, with a detailed amortization schedule free of charge within one business day that includes all fees, term cost and other costs, including any additional costs, for one time in the event of defaulting or for early payment.

Rule 6: Banks, payment companies, and credit and charge card issuers must ensure that the merchant customers do not pass and/or impose any additional charges on credit, charge, or debit card holders when paying at points of sale and e-commerce websites or making transactions carried out through payment service providers. Banks, payment companies, and credit and charge card issuers are also responsible for monitoring merchants’ deposits to ensure that they are proportionate to the nature of business. In addition, they are responsible for providing training to store staff on the use of POSs, while providing them with the required operational guidelines.

Rule 7: Banks, payment companies, and credit and charge card issuers must include in the agreement concluded with their merchant customers that the merchant must not charge additional fees on the cost of products or services if consumers use credit, debit and prepaid cards or payment service providers to pay at points of sale and e-commerce websites.

Rule 8: Banks, payment companies and credit and charge card issuers must notify consumers immediately of debit or credit transactions in their accounts through SMS messages in accordance with the relevant instructions.

Rule 9: Banks and payment companies must set the maximum limit for the following: Transfers, daily withdrawals, POS transactions, online purchases and Sadad transactions. Moreover, banks and payment companies must notify customers of such limit when they receive the service and they must review the limit annually as a minimum.

Rule 10: Banks and credit and charge card issuers must provide a 7/24 toll-free number that allows consumers to call from inside Saudi Arabia via landline and mobile phones, in addition to a number for calling from outside Saudi Arabia, provided that it offers the following services, as a minimum:

  1. Reporting lost or stolen debit or credit cards.
  2. Reporting fraud, suspicious unauthorized transactions or unauthorized access to their data or accounts.
  3. Objecting to credit card transactions.

Rule 11: Banks must provide a new debit card to the consumer free of charge upon their request through a trusted channel or at the request of a legally authorized person. The debit card must be reissued at least (30) days before the expiry date, unless the consumer requests otherwise. In addition, banks must ensure that the card has been issued and delivered to the consumer or the legally authorized person with a mechanism in place to verify the identity of the consumer.

Rule 12: Banks must verify that all ATMs, POS and other online services meet the needs of consumers and facilitate the completion of transactions according to the latest methods. The banks must comply with the following:

  1. Performing periodic maintenance of all ATMs and checking their readiness and status at all times.
  2. Using modern and advanced technologies to remotely monitor the performance of ATMs.
  3. Circulating fit banknotes and replacing and withdrawing damaged banknotes from circulation at all times.

Rule 13: Banks must properly process claims related to incorrect and incomplete cards in all services (ATMs, POS, e-commerce transactions) within two working days from the date of the transaction.

Rule 14: Credit and charge card issuers must comply with the following:

  1. Issuing a credit or charge card based on a request submitted by the consumer through the documented channels.
  2. Informing consumers of the cash withdrawal limit and fees on withdrawals from technical machines and systems such as ATMs for credit and charge cards.
  3. Not charging the annual fees for credit or charge cards until they are activated by the consumer. The card issuer may cancel the card if it is not activated within 90 days from the date of issuance.

Section 5: Concluding Provisions

  • These Principles and Rules set the minimum customer due diligence obligations to be met by financial institutions, as they must continuously work on developing their own internal procedures, in line with the nature and size of their business and in accordance with the best relevant local and international standards and practices.
  • SAMA may follow up on the application of these Principles and Rules and take any necessary actions as it deems appropriate against the violations detected, including imposing penalties or fines or requesting corrective actions.
  • All provisions of these Principles and Rules shall enter into force from the date of their approval by the authorized person.
  • These Principles and Rules shall replace the Consumer Protection Principles previously issued by SAMA.
  • These Principles and Rules shall supersede any provisions to the contrary.