Welcome to the Saudi Arabia focus edition of Law Update.
One of the key markets in the Middle East and North Africa (MENA) that continues to lead from the front is the Kingdom of Saudi Arabia (KSA). As the largest country in the Middle East and the 18th largest economy in the world, the progress KSA continues to make is underpinned by its Vision 2030 that envisions developing the country as an investment powerhouse and hub that ultimately connects Asia, Europe, and Africa. Given Saudi Arabia’s significance to the regional economy, our team of experts have prepared a range of pertinent articles that provide insights into new laws, regulations, and the legal landscape in the Kingdom.
This edition will provide you with an up-to-date guide on matters such as the framework issued by the Saudi Central Bank on IT governance and the anti-corruption landscape under Vision 2030; we also provide practical tips for dispute avoidance. This is only a snapshot; there are many more articles within the KSA focus section for you to read, which we hope you will find valuable and enjoyable.
Haroun Khwaja - Senior Counsel - Digital and Data
FinTech (short for ‘Financial Technology’) is an umbrella term that refers to the application of technological innovation to the financial services industry. It is quite a broad term, and as such, FinTech firms often have very little in common with one another. Although most people associate FinTech with crypto-currency, the reality is that it is much more than that. In fact, FinTech encompasses a diverse range of platforms, applications and service offerings for both individuals and corporates, including:
The technology industry (and FinTech is no exception) loves jargon. Here are some commonly used terms in this space (in order of appearance in this article):
FinTech has disrupted, and continues to disrupt, the financial services industry by providing better, cheaper, and more personalised offerings to individuals and businesses (including banks), often by utilising the internet, mobile applications, cloud services, software and other technology. Add to this the proliferation of user-friendly interfaces and frictionless customer experience (for example, being able to buy stocks or transfer money at the click of a button) – and it is no wonder that customers are increasingly transacting digitally and moving away from cash and visiting branches.
In Australia, for example, the Australian Prudential Regulatory Authority’s data shows nearly 300 branches closed around the country in the year to June 2019, up from the 201 branches closed in the previous financial year. Banks in the Middle East have been equally affected by this seismic shift in people’s preferences when it comes to financial services, and they have responded by investing heavily in digital transformation. EmiratesNBD has been leading the charge, with an AED 1 billion digital transformation initiative aimed at improving its technology infrastructure so as to continuously improve its digital banking offerings and customer experience.
The impact of FinTech is evident with banks looking to appoint Chief Digital Officers who report directly to the Board. Their role is not just about automation; it is about transforming the whole bank – this means streamlining existing operations, rethinking client journeys, creating new opportunities by building digital products and services, and most importantly reshaping the internal culture to one that is agile and focused on putting the customer at the centre of every single process.
FinTechs were initially considered a major threat to traditional brick-and-mortar banks and other financial services firms, with the expectation that banks would look to acquire lots of FinTech firms. In reality, this has not eventuated, largely because of issues around incompatibility with the legacy technology infrastructure of banks, differences between the start-up culture of FinTechs (driven by small autonomous teams tasked with delivering customer value) and the more conservative environment prevalent at banks, and competition law restrictions. Instead, the much-touted rivalry has given way to a more collaborative approach, with banks looking to work with different FinTech firms (including neobanks) and other technology vendors to accelerate the innovation process and co-create solutions that are customised to the needs of banks and which serve to fill a gap in servicing their existing and prospective customers.
The FinTech sector has experienced phenomenal growth in the last five years or so, with FinTech deals having soared to approximately 1,700 deals (and a combined value of US$39 billion) in 2018. The number of FinTech unicorns globally grew from 25 (with a total value of approximately US$75 billion) in 2018 to 39 unicorns in 2019 (worth close to US$150 billion).
Although the MENA region accounts for a small proportion of venture capital investments in FinTech globally, the FinTech sector in the region is said to be growing at a compounded annual growth rate of 30 per cent. Also, on the consumer side, the region is an attractive market for FinTech firms, boasting a population of roughly 450 million people (half of which is below the age of 25 – presenting a strong base of early technology adopters). The challenge for foreign FinTech firms expanding into the region will be maintaining their global brand whilst modifying their offerings to be relevant to the local market.
A number of jurisdictions in the region have established regulatory sandboxes, including the Dubai Financial Services Authority (‘DFSA’), the Abu Dhabi Global Markets (‘ADGM’), Bahrain and Saudi Arabia to provide exemptions for entities that would otherwise be subject to the existing banking regulatory framework. Although mainland UAE does not have a sandbox, the UAE Central Bank recently announced that it will be setting up a dedicated FinTech office to develop countrywide regulations in order to enable and facilitate FinTech activities in the country.
While each sandbox has its own rules, generally, to be admitted into a sandbox, an applicant needs to demonstrate that its solution is genuinely innovative (i.e. that its offering is significantly different from those that already exist, that it offers a new use for existing technologies or represents a significant scale-up in existing technologies), offers consumer benefit, is ready for testing and that it has a plan to exit the sandbox and deploy its solution in the market.
Please see the related article entitled ‘FinTech Space in the United Arab Emirates’ from our banking team on the regulatory framework (including sandboxes and testing licenses) for crypto-assets in the UAE.
Often, FinTech solutions adopt AI (including machine learning) technologies, mathematical rules or algorithms to automate certain tasks and make decisions. Such cases include Chatbots, Robo-Advisors, fraud detection and claims management software and predictive analysis in financial services.
Under some regional data protection laws (for example the Bahrain Data Protection Law), an individual may object to decisions that are based solely on automated processing of personal data intended to assess him / her (for example in the context of a loan application). Please see Andrew Fawcett’s and Krishna Jhala’s article titled ‘Borrowers in Bahrain may be able to Object to Automated Loan Processing Decisions’.
Guidelines have been developed around the world to provide a framework for the ethical use of AI. Regulators globally have in general sought to avoid enacting laws so as to avoid stifling innovation. Given the infancy of AI technologies, it is believed that a soft regulatory approach will help the industry flourish whilst enabling regulators to better understand the associated risks. The focus is more on working with business to develop an agile approach to regulation that is industry specific.
In large part, the various guidelines are focused on ensuring that AI is explainable, non-discriminatory, unbiased, fair, transparent and accountable. In the context of the automated loan processing example above, AI developers would need to be able to explain the algorithms they use so that ‘black box’ systems do not make arbitrary decisions that have a significant impact on a person’s life. Also, they would need to be able to demonstrate that the data sets being fed into their AI systems are unbiased. Consider a data set taken from a loan officer who routinely rejected loan applications because of the applicants’ race, religion, gender or some other factor that is not relevant to assessing their ability to repay a loan. If that data set were to be given to the AI system as a basis for assessing future loan applications, then that human bias and discrimination would be ingrained into the AI system, and similar applicants would have their loan applications rejected because of irrelevant factors, thereby resulting in algorithmic bias and perpetual discrimination.
Early this year, Smart Dubai launched its own guidelines on the ethical use of AI together with a toolkit that allows developers to assess their AI systems’ level of compliance with Smart Dubai’s guidelines. Although the guidelines are not legally binding, breach of certain principles could nevertheless amount to a breach of relevant national laws such as the UAE’s Federal Law Combating Discrimination and Hatred.
Compliance with a raft of data protection regimes is a key concern for FinTech offerings as the underlying systems and applications contain vast amounts of data, including personal data. In the region, there is a myriad of data protection laws that apply in various free zones (such as the DIFC and ADGM), as well as in Bahrain, Qatar and other jurisdictions, with new laws expected to be enacted in the UAE and Saudi Arabia.
From a data protection perspective, banks, FinTech firms and other technology vendors will need to ensure they have, in place, appropriate documentation (for example privacy policies and data protection / transfer agreements for sharing data with one another as well as other data controllers and processors, both domestically and across borders) in addition to technical and operational measures so as to comply with regional data protection laws. A data breach incident can result in civil (and even criminal) penalties, and in cases where the personal data relates to persons in more than one jurisdiction, it may result in fines being imposed by multiple regulators. We will discuss this issue in greater detail in a publication to be published in the next couple of months.
The risk of data breach increases as banks and FinTech firms collaborate and novel business models such as BaaS become more common. Well known FinTech platforms could be an easy target for cyberattacks, and in addition to the measures noted above, FinTech firms and banks ought to ensure they have adequate cybersecurity and cyber insurance in place to meet regulatory requirements. Please see Zil Ur Rehman’s articles in relation to proposed cybersecurity standards for Information Communication Technology (‘ICT’) service providers in Saudi Arabia that are likely to be relevant to telecommunications service providers who are looking to offer mobile or ‘internet of things’ wallets in conjunction with banks.
Open Banking started out as a regulatory initiative in the EU as part of a concerted effort to increase competition and innovation in the banking sector, which is now gaining momentum globally. In certain countries, such as Bahrain, banks are required to share customers’ financial information with authorised third parties, resulting in numerous benefits, namely:
It is yet to be seen if and when other countries in the region will follow suit. It is envisaged that Open Banking will lead to ‘open finance’ and ultimately ‘open utilities’ as the model can be replicated in other industries such as utilities and real estate. For example, the use of aggregated data and APIs will enable changes in a person’s financial life to be identified (e.g. an annual increase in their rental payments) and personalised services to be solicited from comparison sites.
Collaboration and outsourcing with FinTech firms and other technology vendors can unwittingly introduce new points of compliance failure for banks, particularly in an environment where the technology supply chain and ecosystem are becoming ever more interconnected and complex. The proliferation of numerous FinTech solutions, third party software, cloud services, etc. requiring configuration, integration and/or implementation with legacy technology infrastructure will require special contracting focus in order to ensure regulatory compliance and mitigate risk.