Decoding KSA's SAMA Mandate

Sourabh Sharma

April 6, 2023

Saudi Arabia has deployed many reform initiatives, like Open Banking, in the financial services sector to advance the digital transformation and accelerate economic growth of the country. While these initiatives are intended to meet critical objectives like economic inclusion, access to credit, convenience, etc., ironically, they also expand the threat landscape and can lead to increased financial fraud. The financial services sector is a high-value target for financially-motivated fraudsters because the ROI on their scams, schemes, and hacks usually is very robust. 

Saudi Arabian banks have experienced a surge in fraud over the last few years. In 2021, the Saudi Arabian Monetary Authority (SAMA) reported that 4.84 million bank accounts had been opened remotely without going through the identity verification protocols that confirm the applicant's identity number matches the identity number registered to the mobile user. In 2020, SAMA reported that financial institutions experienced 4,377 financial fraud cases, resulting in a total loss of approximately SAR765 million (~USD204 million). The number of reported financial fraud cases was up 34.1% on 2019, and total losses were up 17.5%.

To curb the deluge, SAMA recently enacted an updated mandate to combat financial fraud. Its broad aim is that the financial services sector remains a trusted part of the economy and that consumers are protected from the various fraud methods in circulation while still having a seamless experience when onboarding and transacting.

Titled the Counter Fraud Framework, the mandate requires all financial services companies (i.e. banks, fintechs, payments companies, insurers, etc.) operating in the country to comply with regulations aimed at stopping fraud in its tracks. 

When is the SAMA mandate compliance deadline?

The updated SAMA mandate was enacted in October 2022, and the compliance deadline for financial services companies is June 29, 2023. This means all financial services companies operating in Saudi Arabia must be fully compliant with the updated regulations by the end of the second quarter of 2023 to avoid negative consequences.

What is the SAMA Counter-Fraud Framework?

The updated SAMA Counter-Fraud Framework is aimed at preventing financial fraud by raising the maturity level at which the financial services sector proactively fights fraud and mitigates the overall risk of fraud. According to the mandate, the objectives are:

1. To create a common approach for addressing fraud risks within the Member Organisations. 

2. To achieve an appropriate maturity level of fraud controls within the Member Organisations. 

3. To ensure fraud risks are properly managed throughout the Member Organisations.

The regulation covers a range of areas, including fraud detection, fraud prevention, governance, and response and remediation.

Source: SAMA 

What’s New in the SAMA Counter-Fraud Framework?

The most prominent requirement of the updated framework is the expectation that all financial services companies will have reached a specific level of maturity in their fraud detection and prevention strategies by the June 29 deadline. 

The maturity model has six levels starting at zero, which represents the least mature. The goal is that the financial services sector will reach maturity level three, at a minimum, by the deadline.

Maturity level three reflects a “structured and formalized” counter-fraud approach. At this level, SAMA expects:

  1. Counter-fraud controls are defined, approved, and implemented in a structured and formalized way.  
  2. Fraud detection system capability is implemented and embedded.  
  3. The implementation of Counter-Fraud controls can be demonstrated.  
  4. Reporting is in place to monitor Counter-Fraud control performance. 

Of note is the second bullet, which has been a sticking point for many of the banks, fintechs and other companies we have been talking to as they prepare for the deadline. To achieve the framework’s maturity level three, the financial services sector must ensure “counter-fraud controls are implemented and embedded, and fraud detection system capability is in place to prevent and proactively detect fraud across all products and channels.”

Traditional rules-based fraud management just isn’t going to cut it anymore when the bar is to “prevent and proactively detect fraud.” Fraudsters have worked out ways around legacy controls while also developing highly sophisticated new types of attack, especially account takeovers, credential stuffing, fake account creation, and synthetic identity fraud. Even more disturbing is that fraudsters aren’t keeping these innovations to themselves. They have built large communities on the dark web and on messaging platforms like Telegram to share their knowledge, train up new, inexperienced fraudsters, and sell off-the-shelf fraud tools.

Modern solutions do exist and can be deployed quickly, so that banks see material results from day one. Bureau is actively meeting with and helping KSA companies comply by working with them to deploy device intelligence and behavioral biometrics, two of the most impactful approaches because they can detect an attack as it happens rather than after the money has moved. Get the details below.

What specific types of fraud is the SAMA mandate supposed to stop?

The SAMA mandate targets a wide range of fraudulent activity and sits alongside the Kingdom's anti-money laundering and counter-terrorist financing requirements, which oblige financial services companies to conduct thorough customer due diligence (CDD), monitor transactions for suspicious activity, and report suspicious transactions to the relevant authorities.

It also addresses specific types of identity-based fraud, including but not limited to: 

  1. Account takeover (ATO) and credential stuffing, when a malicious bot or human fraud ring takes username/password pairs leaked in breaches of other sites (often bought on the dark web) and replays them against a bank's login, relying on password reuse to get into consumers’ real accounts.
  2. Identity impersonation attacks, when fraudsters pretend to be legitimate, trusted consumers, including people in authoritative positions, to trick an employee into transferring money to a fraudulent account, sharing sensitive information (e.g. payroll information), or revealing login credentials that the fraudsters can then use to access accounts and steal money.
  3. Application fraud, when someone provides false documents, or fails to disclose information, at the time of a loan or credit card application.
  4. Banking and payment product fraud, when a fraudster uses a consumer's stolen identity and card details to make unauthorized purchases or withdraw cash against the card.
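The first item above describes the attack but not how a bank actually spots it. As an added illustration (this is not Bureau's code, and the log format, field names, thresholds and the sample lines below are all constructed for the example), the following Python triages an authentication log for the signature of a credential-stuffing run: one source address trying many distinct usernames in a short window with mostly failures. Any successes coming from a flagged source are then the accounts most likely to have been taken over.

```python
"""Credential-stuffing / ATO triage over authentication logs.

Added example, not Bureau's code. Flags source IPs that attempt many distinct
usernames inside a short window with a low success rate (the credential-stuffing
signature) and reports which accounts those runs actually got into.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<timestamp> <source ip> <username> <OK|FAIL>".
# 203.0.113.7 sprays ten different accounts in nine seconds and lands two;
# 198.51.100.20 is a real user fat-fingering their own password; 192.0.2.44 is normal.
SAMPLE_LOG = """\
2023-04-06T09:00:01Z 203.0.113.7 alice FAIL
2023-04-06T09:00:02Z 203.0.113.7 bob FAIL
2023-04-06T09:00:02Z 203.0.113.7 carol FAIL
2023-04-06T09:00:03Z 203.0.113.7 dave OK
2023-04-06T09:00:04Z 203.0.113.7 erin FAIL
2023-04-06T09:00:05Z 203.0.113.7 frank FAIL
2023-04-06T09:00:06Z 203.0.113.7 grace FAIL
2023-04-06T09:00:07Z 203.0.113.7 heidi FAIL
2023-04-06T09:00:08Z 203.0.113.7 ivan OK
2023-04-06T09:00:09Z 203.0.113.7 judy FAIL
2023-04-06T09:01:00Z 198.51.100.20 alice FAIL
2023-04-06T09:01:05Z 198.51.100.20 alice FAIL
2023-04-06T09:01:15Z 198.51.100.20 alice OK
2023-04-06T09:30:00Z 192.0.2.44 bob OK
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip,
            "user": user,
            "ok": result == "OK",
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=8, max_success_rate=0.5):
    """Return {ip: {"distinct_users", "attempts", "takeovers"}} for suspicious IPs.

    Thresholds are illustrative; tune them against your own traffic. A shared
    office or carrier NAT also produces many usernames from one IP, but those
    logins mostly succeed, which is why the success-rate cap is part of the rule.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        # Sliding window over this IP's events: track distinct usernames seen
        # within `window` of the current event and remember the densest burst.
        start, counts, best = 0, defaultdict(int), 0
        for e in evs:
            counts[e["user"]] += 1
            while e["ts"] - evs[start]["ts"] > window:
                old = evs[start]["user"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))

        successes = [e["user"] for e in evs if e["ok"]]
        success_rate = len(successes) / len(evs)
        if best >= min_distinct_users and success_rate <= max_success_rate:
            findings[ip] = {
                "distinct_users": best,
                "attempts": len(evs),
                "takeovers": sorted(set(successes)),   # accounts to lock / re-verify
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['distinct_users']} usernames in window, "
              f"{f['attempts']} attempts, likely takeovers: {f['takeovers']}")
```

On the constructed log only 203.0.113.7 is flagged, with dave and ivan reported as the accounts to lock and re-verify; the user retrying their own password from 198.51.100.20 is left alone. In production the same rule would be run per IP range and per device fingerprint as well as per address, since stuffing tools rotate through proxy pools precisely to stay under per-IP thresholds.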

Fraudsters are very innovative and as such they quickly and nimbly develop workarounds to traditional prevention solutions financial services companies put in place only a few years ago. To comply with the updated SAMA mandate, companies need to ensure they deploy the most updated fraud detection and fraud prevention solutions possible, like device intelligence and behavioral biometrics. 

What happens if financial services companies don't meet the deadline?

If a bank or financial services company operating in Saudi Arabia doesn't meet the SAMA Counter Fraud Framework regulations by the deadline of June 29, 2023, serious consequences may arise.

First, the institution or company may face penalties and fines for non-compliance with SAMA regulations. These penalties may be significant and may increase over time if the company continues to be non-compliant.

In addition, the company's reputation and customer trust may be negatively impacted if they are found to be non-compliant with SAMA regulations. This could result in a loss of customers, as well as damage to the company's brand and reputation.

Furthermore, SAMA has the authority to take regulatory action against non-compliant banks, fintechs, payments companies, etc., which may include revoking or suspending their license to operate in the financial services industry. This would be a significant blow to the company's business operations and would likely result in significant financial losses.

Ultimately, financial services companies and financial institutions operating in Saudi Arabia must take the updated SAMA Counter Fraud Framework regulations seriously and work to ensure that they are fully compliant by June 29, 2023. Failure to do so could have serious financial and reputational consequences for the company.

The Most Important Two Steps to Take Today to Comply with SAMA

With the compliance deadline quickly approaching, banks, payments companies, and fintechs can take two steps today to accelerate their SAMA compliance and stop fraud attacks. The first step is to deploy device intelligence and the second is to implement behavioral biometrics. Here at Bureau we’ve been working with many institutions, fintechs and payments companies to review and upgrade their device intelligence and behavioral biometrics solutions.

Together device intelligence and behavioral biometrics are a one-two punch that knocks out fraudsters. Here’s how: 

Bureau Device Intelligence™ combines several techniques, including device fingerprinting, which identifies a device from a combination of many device attributes rather than from any single, easily spoofed identifier.

This solution also detects sophisticated attack techniques such as emulators, malicious bots, cloned apps, tampered apps, etc. When we detect potentially fraudulent activity, we’ll alert you in real-time so that you can take action immediately. Meanwhile, Bureau Device Intelligence resolves trustworthy identities just as quickly and ensures they have a streamlined, delightful experience. 

An average consumer spends 4-6 hours a day on their mobile device, and the way they interact with it is unique to each individual. Bureau Behavioral Biometrics™ learns how trustworthy consumers interact with their devices, builds a pattern for each of them, and then uses that pattern in real time to verify that the person on the device is who they claim to be. Fraudsters have become experts at stealing consumers’ identities, but it is much harder to copy or impersonate the way a consumer interacts with their device because that interaction is distinct to the individual. Bureau Behavioral Biometrics’ machine learning models learn signals such as keystroke timing, navigation patterns, screen pressure, typing speed, phone movement, and device orientation. Once trained, the models can recognize those behaviors in a live session and attribute them to the legitimate individual.
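To make the keystroke-timing signal concrete, here is an added, deliberately small illustration in Python of how such a check is built. It is not Bureau's code or model, and the passphrase, the millisecond timings and the thresholds are all constructed. A user is enrolled from a few genuine typing sessions, and a new session is scored by how far its key hold times and flight times drift from that profile. It also shows the edge case a rules-only scorer misses: scripted input that hits the enrolled averages exactly, with no human variation at all.

```python
"""Keystroke-dynamics scoring, one building block of behavioral biometrics.

Added example, not Bureau's code. Enrolls a user from genuine typing sessions of
a fixed passphrase, then scores new sessions by their distance from that profile.
All timings are constructed, in milliseconds.
"""
import math

KEYS = list("sama")        # passphrase typed in every session (assumed)
STD_FLOOR_MS = 5.0         # sensor jitter floor so tiny enrollment variance can't inflate z-scores
ACCEPT_THRESHOLD = 1.5     # mean |z| above this -> do not trust the session


def make_session(holds, flights):
    """Constructed helper: turn hold/flight lists into (key, press_ms, release_ms) events."""
    session, t = [], 0
    for i, key in enumerate(KEYS):
        press, release = t, t + holds[i]
        session.append((key, press, release))
        if i < len(flights):
            t = release + flights[i]
    return session


def features(session):
    """Hold time (release - press) per key, then flight time (next press - this release)."""
    holds = [release - press for _, press, release in session]
    flights = [session[i + 1][1] - session[i][2] for i in range(len(session) - 1)]
    return holds + flights


def enroll(sessions):
    """Per-feature mean and (floored) standard deviation across the enrollment sessions."""
    vectors = [features(s) for s in sessions]
    n = len(vectors)
    columns = list(zip(*vectors))
    means = [sum(col) / n for col in columns]
    stds = [max(STD_FLOOR_MS, math.sqrt(sum((v - m) ** 2 for v in col) / n))
            for col, m in zip(columns, means)]
    return {"means": means, "stds": stds}


def score(profile, session):
    """Mean absolute z-score of the session against the profile; lower is more similar."""
    f = features(session)
    return sum(abs(v - m) / s for v, m, s in zip(f, profile["means"], profile["stds"])) / len(f)


def looks_scripted(session):
    """Humans never type with identical hold and flight times; a replay or bot often does."""
    f = features(session)
    holds, flights = f[:len(session)], f[len(session):]
    return (max(holds) - min(holds) < 1) and (max(flights) - min(flights) < 1)


def verify(profile, session, threshold=ACCEPT_THRESHOLD):
    """Decide whether a session's typing rhythm matches the enrolled user."""
    s = score(profile, session)
    if looks_scripted(session):
        return {"accepted": False, "score": s, "reason": "scripted"}
    return {"accepted": s <= threshold, "score": s, "reason": "ok" if s <= threshold else "drift"}


# Constructed sessions: five genuine enrollments, then three sessions to verify.
ENROLLMENT = [
    make_session([100, 90, 110, 95], [150, 140, 160]),
    make_session([105, 92, 108, 97], [155, 138, 165]),
    make_session([98, 88, 112, 93], [148, 142, 158]),
    make_session([102, 94, 106, 99], [152, 145, 162]),
    make_session([96, 91, 109, 94], [147, 136, 157]),
]
GENUINE = make_session([101, 93, 107, 96], [153, 141, 161])     # same person, natural jitter
IMPOSTOR = make_session([60, 65, 58, 62], [300, 280, 310])      # knows the password, not the rhythm
SCRIPTED = make_session([100, 100, 100, 100], [150, 150, 150])  # bot replaying the averages

if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    for name, session in (("genuine", GENUINE), ("impostor", IMPOSTOR), ("scripted", SCRIPTED)):
        print(name, verify(profile, session))
```

The genuine session scores well under the threshold and is accepted, the impostor is rejected on drift, and the scripted session, whose numbers are close to the averages and would otherwise pass the distance check, is rejected because its timings have no human variation. A production model uses far more signals (the navigation, pressure and motion features the text lists) and a learned classifier rather than a fixed z-score, but the enrol-then-compare shape and the need for a liveness check against too-perfect input carry over.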

These two solutions are powerful in fraud detection and prevention. Curious to learn more? Please reach out to me or set up a demo.
