SAMA Counter-Fraud Framework: A Guide for Saudi Banks

A practitioner's guide to the SAMA Counter-Fraud Framework in 2026 — scope, the four domains, the maturity model, third-party due diligence and fraud reporting for Saudi banks.

GRC Vantage Team · 2026-06-30 · 14 min read

The SAMA Counter-Fraud Framework is the Saudi Central Bank's unified, assessable standard for managing fraud risk across the Kingdom's financial institutions. It raises the bar from a simple "do you fight fraud?" to a much harder question: can you prove your counter-fraud capability is governed, measured and mature — at a level SAMA considers acceptable?

Most Saudi banks already run a counter-fraud function of some kind — a fraud team, a transaction-monitoring tool, a case-management process that has grown up over years. The Framework asks whether that capability is governed, measured and demonstrable, and whether you can evidence it at a defined maturity level when SAMA assesses you.

That shift, from activity to assessable capability, is the reason the Framework matters. It is no longer enough to detect and investigate fraud. A SAMA-regulated entity now has to show a board-approved strategy, a defined risk appetite, key risk indicators, structured due diligence on employees, customers and third parties, and a regulatory reporting process that fires the moment a significant fraud event occurs. This is the practitioner's guide to what the Framework requires and how to build toward compliance.

What the SAMA Counter-Fraud Framework is

The Counter-Fraud Framework is Version 1.0 of SAMA's unified approach to fraud risk, issued on 11 October 2022 (15/3/1444H) under Circular No. 44021528 and effective from 29 June 2023. It replaced SAMA's earlier anti-fraud guidance and consolidated fraud expectations into a single, structured, assessable document for the banking sector.

SAMA's stated objectives for the Framework are threefold: to establish a common approach to addressing fraud risk across Member Organisations, to achieve an appropriate maturity level of fraud controls, and to ensure fraud risk is properly and systematically managed throughout each organisation. The Framework defines fraud expansively — "any intentional act that aims to obtain an unlawful benefit or cause loss to another party… by exploiting technical or documentary means, relationships or social means, using functional powers, or deliberately neglecting or exploiting weaknesses in systems or standards, directly or indirectly." That definition deliberately captures internal fraud, external fraud, and the grey zone in between where employees and third parties collude.

Who is in scope

The Counter-Fraud Framework applies to banks operating in the Kingdom — the "Member Organisations" of the banking sector — with SAMA reserving the discretion to extend it to other regulated entities. For the broader financial sector, SAMA issued the Counter-Fraud Fundamental Requirements on 14 April 2025 (Circular No. 106897184), effective 13 April 2026, covering finance companies and payment service providers including electronic money institutions, account information service providers, payment and fund-transfer providers, credit-card issuers, microfinance lenders, BNPL providers, and any entity safeguarding customer funds.

If you operate a finance company or a PSP, the Fundamental Requirements carry concrete, near-term submission deadlines:

| Milestone | Deadline |
| --- | --- |
| Gap assessment submission | End of July 2025 |
| Quarterly progress reports | From Q3 2025 onward |
| Compliance verification report | End of Q2 2026 |
| Full effectiveness | 13 April 2026 |

The four domains

The Counter-Fraud Framework is built around four domains. Each domain contains sub-domains, and each sub-domain states a Principle followed by Control Requirements the organisation must satisfy. The structure mirrors the logic of the SAMA Cyber Security Framework, which means teams already running a CSF programme will recognise the assessable shape immediately.

| Domain | What it covers |
| --- | --- |
| Govern | Governance structure, board-approved counter-fraud strategy, policy and procedures, roles and responsibilities, a dedicated counter-fraud department, management information, supervisory notifications, counter-fraud technology, and counter-fraud internal audit. |
| Prevent | Fraud risk management (intelligence monitoring, fraud risk assessment, risk appetite, key risk indicators) and due diligence across employees, customers and third parties. |
| Detect | Fraud detection systems, alert management, and fraud scenario analysis to identify suspicious activity before loss crystallises. |
| Respond | Fraud case management, investigation and resolution, and regulatory reporting to SAMA. |

The architecture is deliberately end-to-end. Govern sets the mandate and the accountability. Prevent stops fraud at the perimeter — including the third-party perimeter, which is where many institutions are weakest. Detect catches what prevention misses. Respond contains the damage, recovers what can be recovered, and reports to the regulator. A programme that is strong in detection but weak in governance will not pass assessment, because the Framework scores the whole chain, not the favourite link.

The Counter-Fraud Maturity Model

The Framework does not grade compliance as a binary pass/fail. It assesses maturity on a six-level model, and this is the single most important concept for any team preparing for a SAMA review.

| Level | Name | Meaning |
| --- | --- | --- |
| 0 | Non-existent | No controls or awareness. |
| 1 | Ad-hoc | Inconsistent; varies by department. |
| 2 | Repeatable but Informal | Standardised in practice but undocumented. |
| 3 | Structured & Formalised | Defined, approved and documented; the expected baseline. |
| 4 | Managed & Measurable | Effectiveness periodically assessed via KRIs and trend analysis. |
| 5 | Adaptive | Continuous improvement, integrated with enterprise risk management. |

To claim a given level, an organisation must satisfy all criteria of the levels beneath it — maturity is cumulative, not cherry-picked. SAMA's expectation for Member Organisations is to operate at maturity level 3 or higher: controls that are defined, formally approved and documented, not merely happening in practice. Level 3 is where most compliance programmes are graded, and the gap between "we do this" (level 2) and "we have a board-approved, documented, evidenced control for this" (level 3) is exactly the gap a SAMA assessment is designed to expose.

The maturity model rewards evidence, not intention. An institution that prevents fraud effectively but cannot produce the approved policy, the KRI dashboard and the audit trail behind it will still be assessed below the level it believes it deserves.

Third-party due diligence: section 4.2.3

For most banks, third-party fraud risk is the domain where the gap between current practice and the Framework's expectation is widest — and it is explicitly codified. Under the Prevent domain, section 4.2.3 Third Party Due Diligence sets a clear principle: Member Organisations must conduct proportionate due diligence on third parties to understand the fraud risk inherent in their business relationships and manage it to an acceptable level.

In practice, the control requirements translate into a lifecycle obligation:

  • Risk-based vetting before engagement. Due diligence must happen before entering a new relationship or commitment — not after the contract is signed and the third party already has access.
  • Proportionality. The depth of diligence scales with the fraud risk the third party presents, anchored to your Fraud Risk Assessment.
  • Enhanced due diligence for higher-risk third parties and any party providing critical services.
  • Policy flow-down. When services are outsourced, the third party must comply with the Member Organisation's Counter-Fraud Policy or apply an equivalent approach — your controls have to reach into the supplier's environment.
  • Ongoing and event-triggered review. Diligence is not a one-time gate. It is reviewed periodically and re-run when something changes — concerns about conduct, adverse media, or a shift in the fraud-risk environment.

This is the point where the Counter-Fraud Framework stops being a fraud-team document and becomes a procurement, vendor-management and contracting problem. The obligation to flow your counter-fraud policy down to suppliers means contracts need fraud clauses, onboarding needs a fraud-risk gate, and your vendor register needs to record fraud-risk tiering alongside the cyber and continuity tiering you may already track.

How it connects to SAMA's wider third-party regime

The Counter-Fraud Framework does not operate in isolation. A SAMA-regulated bank carries a layered set of third-party obligations, and an assessor expects to see them working together.

SAMA Cyber Security Framework — Domain 3.4

The SAMA Cyber Security Framework defines third parties broadly (outsourcing providers, cloud providers, vendors, suppliers, even government agencies) and, in Domain 3.4 (Third Party Cyber Security), requires third-party risk assessment, contractual cybersecurity clauses including data protection, incident reporting and a right to audit, plus ongoing monitoring. Critically, SAMA holds the primary institution fully accountable for a vendor's failure.

SAMA Rules on Outsourcing

The SAMA Rules on Outsourcing (December 2019) require the bank to verify a provider's ability, capacity and authorisation; maintain a method to periodically assess the provider; satisfy statutory confidentiality before sharing customer or financial data; and run an internal structure to control, monitor and report on outsourcing arrangements.

Personal Data Protection Law — Article 14

The Personal Data Protection Law (PDPL) reinforces strict data-handling agreements with third-party processors in Article 14, directly relevant where vendor fraud and personal-data exposure intersect.

The common thread across all of these is the same principle the Counter-Fraud Framework makes explicit: you can outsource the activity, but you cannot outsource the accountability. When a third party enables a fraud — a compromised vendor, a colluding service provider, an outsourced process with no fraud controls — SAMA looks first at the regulated institution.

Reporting and enforcement

The Respond domain closes the loop with a regulatory reporting obligation that compliance teams must operationalise, not just document. When a significant fraud event occurs, the Member Organisation must notify SAMA's Executive Department of Operational Resilience Control (ORC) immediately, using the standard reporting template in Appendix C of the Framework.

"Significant" is judged on a basket of factors — the value of the loss, the number of customers impacted, reputational damage, regulatory breach, and the potential for contagion to other Member Organisations. The Framework specifies immediate notification rather than a fixed hour-bound SLA, which in practice means the threshold decision and the reporting owner must be pre-agreed, because no one wants to be debating "is this significant?" while the clock the regulator cares about is already running.

On enforcement, SAMA's supervisory toolkit is the same one that gives the rest of its frameworks teeth: it runs gap assessments and periodic self-assessments (a SAMA questionnaire reviewed and audited by SAMA to confirm compliance and maturity), and for non-compliance it can impose escalating fines and, ultimately, suspend or revoke licences. The reputational cost of a fraud event that reveals an immature counter-fraud programme typically exceeds the direct loss.

Building toward compliance: practical sequencing

For an institution that recognises its current counter-fraud capability is not yet at a defensible maturity level, the sequence that works in practice is:

  1. Run the gap assessment. Map your current state against the four domains and score each sub-domain on the 0–5 maturity model honestly. The honest score, not the flattering one, is what makes the remediation plan real.
  2. Fix governance first. Without a board-approved counter-fraud strategy, a defined risk appetite, and a counter-fraud policy, every downstream control is capped at a low maturity level regardless of how good the technology is.
  3. Stand up the Fraud Risk Assessment and KRIs. These are the spine of the Prevent and Detect domains and the evidence an assessor asks for first.
  4. Close the third-party gap. Tier your vendors by fraud risk, add counter-fraud flow-down clauses to contracts, and build the due-diligence gate into onboarding. This is usually the longest pole.
  5. Operationalise reporting. Pre-agree the significance threshold, assign the ORC reporting owner, and pre-stage the Appendix C template so a significant fraud can be reported immediately.
  6. Connect it to the GRC platform. Move the maturity scores, the fraud risk register, the KRI dashboard, the third-party register and the case log into one system, so the evidence chain — from a control, to the risk it mitigates, to the fraud case that tested it — is end-to-end and inspection-ready.

How GRC Vantage supports SAMA counter-fraud compliance

GRC Vantage's compliance module ships the Counter-Fraud Framework pre-mapped across all four domains, with the 0–5 maturity model built into the assessment workflow so your gap assessment, self-assessment and target-state plan live in one place. The fraud risk register, key risk indicators and case-management log connect directly to the risk management module, closing the loop between a control, the fraud risk it addresses, and the cases that test it.

Third-party due diligence under section 4.2.3 is handled in the vendor and third-party risk workflow, where suppliers are tiered by fraud risk, counter-fraud policy flow-down is tracked against each contract, and re-assessment triggers fire automatically on adverse media or contract change — the same register that carries your SAMA CSF Domain 3.4 and Outsourcing Rules obligations, so third-party assurance is run once, not three times. The platform is deployed inside Saudi Arabia to meet data-residency expectations under PDPL and the SAMA Outsourcing Rules, with Riyadh and Dammam delivery teams who pre-populate the framework content for the Saudi regulatory landscape.

For the full picture of SAMA's framework family — CSF, BCM, IT Governance and Outsourcing — read our SAMA frameworks pillar guide, and for the related cyber controls see our SAMA CSF compliance guide. If you are preparing for a SAMA counter-fraud assessment or building the programme from a low maturity base, book a session with our team and we will walk through how Saudi banks and finance companies use GRC Vantage to reach a defensible maturity level before the regulator asks.


Frequently asked questions

What are the four domains of the SAMA Counter-Fraud Framework?

The Framework is structured around four domains: Govern (governance, strategy, policy, the counter-fraud department and internal audit), Prevent (fraud risk management and due diligence on employees, customers and third parties), Detect (fraud detection systems, alert management and scenario analysis), and Respond (case management, investigation and regulatory reporting to SAMA).

When did the SAMA Counter-Fraud Framework take effect?

Version 1.0 was issued on 11 October 2022 (15/3/1444H) under Circular No. 44021528 and became effective on 29 June 2023. It applies to banks operating in the Kingdom.

Does the SAMA Counter-Fraud Framework apply to finance companies and payment providers?

The Counter-Fraud Framework itself applies to banks. SAMA addressed finance companies and payment service providers separately through the Counter-Fraud Fundamental Requirements, issued 14 April 2025 and effective 13 April 2026, with gap-assessment, quarterly-reporting and compliance-verification deadlines through 2025–2026.

What maturity level does SAMA expect?

The Framework uses a 0–5 Counter-Fraud Maturity Model. SAMA's expectation for Member Organisations is to operate at level 3 (Structured & Formalised) or higher — controls that are defined, formally approved, documented and evidenced, not merely happening in practice.

What does the Framework require for third-party fraud risk?

Section 4.2.3 (Third Party Due Diligence) requires risk-based, proportionate due diligence on third parties before engagement, enhanced due diligence for critical-service providers, and that outsourced third parties comply with the bank's Counter-Fraud Policy or an equivalent approach — with periodic and event-triggered review through the relationship.


GRC Vantage Team
Saudi GRC Practitioners

The GRC Vantage team brings together compliance, risk, audit and business continuity practitioners based in Riyadh and Dammam. We help Saudi banks, government entities and regulated enterprises navigate the SAMA framework family, the NCA framework family, PDPL, ISO 27001 and ISO 22301.