1. What are the Payment Services Provider Regulations?
Payment Services Provider Regulations (PSP) applies to all entities that carry on one or more Payment Services in the Kingdom. The regulations provides the regulatory framework for the licensing and supervision of Payment Service Providers that carry on one or more Payment Services (as defined in the Article 5.1).
The Regulations provide classification of payment services providers by type and size of activities. The regulations also include the minimum legal regulatory requirements for conducting payment service activities, such as those related to the minimum capital requirements according to the type of activities as well as requirements for customer protection, data protection, corporate governance, risk management and compliance.
2. Given that the payments sector is a sector that is innovative and constantly evolving, were these characteristics considered when developing the Regulations?
The regulations were developed taking into account the innovative nature of payment services and related activities. Detailed assessment of various jurisdiction were also undertaken to ensure the development of flexible regulatory requirements aligned with best international practice. Consequently, various innovative types of payment services such as electronic money issuance and others were allowed to be undertaken by the licensed institution.
3. What is the purpose of issuing the Payment Services Provider Regulations?
These Regulations aim to set the minimum regulatory requirements and conditions for the provision of payment services, the issuing of licenses to payment services providers, and their governance in accordance with supervisory and regulatory procedures. They include the following objectives:
- Maintaining the integrity and stability of the financial sector, and payments sector in Saudi Arabia
- Enhancing the integrity and efficiency of the payment system infrastructure.
- Protecting users of payment services.
- Encouraging fair and effective competition in the payments sector.
- Encouraging innovation in Saudi Arabia.
4. Which legal entities are eligible to provide payment services in Saudi Arabia?
Based on the payment services offered by the entities, the legal form for these can be either a limited liability company (for Micro Payment Institutions) or a Joints Stock Company (for all other Payment Service Providers)
5. What is the scope of application of these Regulations?
All persons providing one or more of the payment services in Saudi Arabia are subject to the provisions of the Regulations. A person is considered a payment service provider in Saudi Arabia when that person:
- Provides one or more payment services from an institution established in Saudi Arabia.
- Carries out the activity of payment services in Saudi Arabia.
- Invites or urges a person in Saudi Arabia to enter into an agreement related to a payment service.
- Markets or otherwise promotes any payment service in Saudi Arabia.
- Appoints an agent to provide payment services in Saudi Arabia on its behalf (see Article 3 of the Regulations).
6. What are the payment services allowed to be provided according to the Regulations?
The Regulations include a list of payment services to which they apply. These services are as follows:
a) Execution of payment transactions, including transfers of funds on a payment account with the payment service provider of the payment service user or with another payment service provider and where the funds are covered by a credit line, through:
- Execution of credit transfers, including standing orders.
- Execution of direct debits, including one-off direct debits.
- Execution of payments transactions through payment instruments.
b) Issuance of payment instruments.
c) Issuance of electronic money (E-wallets).
d) Acquiring payment transactions.
e) Money remittance.
f) Services enabling cash to be placed on or withdrawn from a payment account and the operation of a payment account.
g) Payment initiation services.
h) Account information services.
i) Any other activity defined by SAMA as a payment service.
7. What are the types of licensed companies?
The Saudi Central Bank grants licenses to four types of companies:
- Micro electronic money institutions (Micro EMIs) (E-wallet).
- Major electronic money institutions (Major EMIs) (E-wallet).
- Micro payment institutions (Micro PIs).
- Major Payment institutions (Major PIs).
8. What is the difference between an electronic money institution and a payment institution?
Electronic Money Institution (E-wallet): a payment service provider licensed to issue electronic money.
Payment Institution (PI): a payment service provider that provides one payment service or more, with the exception of issuing electronic money.
9. What are the general requirements for license applicants?
Each applicant must submit and provide the following:
- A complete application form accompanied by supporting documents as specified by SAMA (see Article 6.6 of the Regulations).
- A risk-based policy setting customer transaction limits.
- Evidence that each beneficial owner, each member of the governing body, and each member of the senior management is fit and proper for carrying out the relevant payment services.
- Evidence that it has a registered office in Saudi Arabia and a valid commercial register from the relevant authorities in Saudi Arabia.
- Annual financial statements.
- A business plan in accordance with the requirements mentioned in the regulations.
- A detailed organizational chart.
- A policy and risk management framework demonstrating compliance with the governance arrangements and risk management requirements.
- A chart setting out the shareholder structure.
- A certificate that the applicant meets the relevant initial capital requirements.
- An undertaking by the applicant to adhere to the requirements of these Regulations and other applicable regulations issued by SAMA.
- A description of the applicant's consumer protection measures in accordance with the requirements mentioned in these Regulations.
- Plans for the information technology infrastructure.
10. How to get the license application form?
License application forms can be found in SAMA's website in the 'Payment Systems and Companies Control' section.
11. How to find the names of payment companies licensed by SAMA?
The official website of SAMA provides a list of licensed entities.
12. How long is the validity period of a license?
Licenses granted under the Payment Services Provider Regulations will be valid for three calendar years from the date of issuance.
13. What are the capital requirements to obtain a license?
The initial capital requirements for a payment services provider license are as follows:
- SAR 1,000,000 for a Micro PI.
- SAR 3,000,000 for a Major PI.
- SAR 2,000,000 for a Micro EMI (E-wallet).
- 10,000,000 for a Major EMI (E-wallet).
14. What are the ongoing capital requirements?
a) A Micro PI must maintain a value equal to the initial capital requirement.
b) A Major PI must maintain a value equal to whichever is the higher of:
- The initial capital requirement.
- 1% of the Major PI's average monthly payment transaction value.
c) A Micro EMI (E-wallet) must maintain a value equal to the initial capital requirement.
d) A Major EMI (E-wallet) must maintain a value equal to whichever is the higher of:
- The initial capital requirement.
- 2% of the total average outstanding electronic money.
15. How is meeting the capital requirement proven?
An applicant and a payment service provider may prove its compliance with initial and ongoing capital requirements by providing the following:
- A certified copy of the license issued by the competent licensing authority in Saudi Arabia proving the paid-up capital.
- Audited financial statements from a certified public accountant who is a member of the Saudi Organization for Certified Public Accountants (SOCPA).
- Any other method accepted by SAMA.
16. How can a payment service provider meet the capital requirement?
The capital requirements stipulated in the Regulations can be met by demonstrating the existence of any of the following:
- Capital instruments (including paid-up ordinary shares of the payment service provider or applicant).
- Retained earnings.
- Other reserves.
17. Is it necessary to obtain a non-objection letter from SAMA when making capital changes?
SAMA's non-objection must be obtained prior to taking any action that could cause a material change to the financial resources of the payment services provider, including the capital.
18. Do the Regulations include requirements for risk management and governance?
The Regulations include the minimum requirements for payment services providers and specify the most important risks to be considered and the most important committees to be formed by payment services providers.
19. What should a payment services provider consider when developing policies, procedures and controls?
When developing policies, procedures and controls, the payment services provider must take into account the types of its activities carried out, the scope, nature and complexity of its business model, any operational challenges, and the level of risks associated with its operations.
20. What are the risks that must be assessed when developing policies, procedures and systems for the payment services provider's activities and products?
Policies, procedures, systems and controls must indicate the method for identifying, monitoring, managing and reporting potential risks. The most prominent of these are operational, fraud, money laundering and terrorist financing, cybersecurity, and liquidity risks (as mentioned in Article 8 of the Regulations)
21. When should SAMA be notified of the occurrence or possibility of a breach of the Regulations or the occurrence of fraud cases?
The payment services provider must notify SAMA as soon as possible and within a maximum period of (14) days when it learns that an actual or possible breach of the Regulations was committed by the institution or that cases of fraud occurred.
22. Should the payment services provider establish a separate legal entity in the event of conducting business activities outside the scope of the license?
The provision of services outside the scope of the payment services license must be through a separate entity in cases where such activity affects the payment services provider's ability to comply with the rules and regulations issued by SAMA.
23. The nature of payment services requires storing and processing data related to customers and their financial transactions. What are the measures to protect such data?
The Regulations stipulate various regulatory requirements that licensed companies must comply with in order to ensure the protection and confidentiality of customer data. In addition, the regulatory and supervisory role of SAMA enables it to verify companies' compliance with these requirements.