Saudi Central Bank (SAMA) · Mandatory

SAMA Third-Party Risk Management Framework

The mandatory SAMA framework that governs how every SAMA-supervised financial entity identifies, assesses, manages and monitors risks arising from third-party and outsourcing relationships — across 5 domains, 55+ controls and a six-level maturity model.

What is SAMA TPRM?

The SAMA Third-Party Risk Management Framework is a mandatory regulatory instrument issued by the Saudi Central Bank that defines the minimum standards for how SAMA-supervised entities govern, assess and oversee their third-party and outsourcing relationships. It applies to all arrangements with external parties that support material business functions, handle customer or financial data, or create operational dependencies — covering banks, insurance and reinsurance companies, finance companies, payment service providers, money exchangers and credit bureaus.

SAMA TPRM matters because the outsourcing and vendor ecosystems of Saudi financial entities have grown substantially in complexity and criticality. Failures in third-party governance — poor due diligence, missing contractual protections, inadequate ongoing monitoring or absent exit plans — have been central to operational and cyber incidents across the global financial sector. SAMA TPRM provides the governance scaffolding to prevent these failures, mandating a risk-based lifecycle approach from vendor selection through contract management, ongoing performance oversight, and controlled exit.

SAMA TPRM works in tandem with the SAMA Cyber Security Framework (CSF). While SAMA TPRM is the governance and risk management layer — defining how to select, contract, monitor and exit vendors — SAMA CSF Domain 4 (Third-Party Cybersecurity) is the technical execution layer, specifying the cyber-security controls that must be assessed and flowed down to vendors through the processes SAMA TPRM establishes. Together they form a complete end-to-end regime for managing third-party risk in Saudi financial services.

Domain & Subdomain Library

D1 TPRM Governance
Establishes the governance foundation: policies, risk appetite, board-level accountability and defined ownership for all third-party risk activities.
D1.1 TPRM Policy & Framework
D1.2 Third-Party Risk Appetite
D1.3 Board & Senior Management Oversight
D1.4 Roles & Responsibilities
D1.5 TPRM Regulatory Compliance

D2 Third-Party Due Diligence
Governs how entities identify, classify and assess third parties before engagement — covering security, financial health, reputation and sub-contractor chains.
D2.1 Third-Party Inventory & Classification (critical vs non-critical)
D2.2 Pre-Contract Assessment
D2.3 Security & Operational Assessment
D2.4 Financial & Reputational Due Diligence
D2.5 Sub-Contractor Assessment

D3 Contractual Requirements
Defines what must appear in every material vendor contract: SLAs, audit rights, data protection clauses, and obligations to notify and cooperate with SAMA.
D3.1 Mandatory Contract Clauses
D3.2 Service Level Agreements
D3.3 Audit Rights & Inspection
D3.4 Data Protection & Confidentiality
D3.5 Regulatory Notification & Cooperation

D4 Ongoing Monitoring & Review
Requires structured in-life oversight — performance tracking, incident reporting, annual re-assessment, concentration risk limits and portfolio-level risk views.
D4.1 Periodic Performance Review
D4.2 Third-Party Security Incident Reporting
D4.3 Annual Re-Assessment
D4.4 Concentration Risk Management
D4.5 Portfolio-Level Monitoring

D5 Exit & Transition Management
Ensures entities can safely exit any vendor relationship — with documented plans for data portability, knowledge transfer and uninterrupted service continuity.
D5.1 Exit Planning
D5.2 Data Portability & Return
D5.3 Knowledge Transfer
D5.4 Business Continuity During Transition

Six-Level Maturity Model

SAMA TPRM uses the same 0–5 maturity scale as SAMA CSF and SAMA IT Governance. Each entity must assess its current maturity per domain and define a roadmap to reach the target level required by SAMA.

Level | Label | Description
0 | Non-existent | No TPRM processes, policies or controls are in place. Third-party risks are unrecognised.
1 | Initial | Ad hoc TPRM activities exist but are undocumented, inconsistent and person-dependent.
2 | Developing | TPRM policy and basic inventory established; due diligence applied to some vendors but not systematically.
3 | Defined | Documented TPRM framework applied consistently across all material third parties with board-level reporting.
4 | Managed | TPRM controls are measured, KPIs tracked, concentration risk monitored and re-assessments on schedule.
5 | Optimised | Continuous improvement; TPRM is fully integrated with enterprise risk management and exceeds regulatory expectations.

Who Must Comply

SAMA TPRM is mandatory for all SAMA-supervised entities when entering or maintaining any material outsourcing or vendor arrangement.

Licensed Banks

Full TPRM requirements for all material outsourcing

Insurance & Reinsurance Companies

Including foreign branches operating in KSA

Finance Companies

Consumer, real-estate and micro-finance entities

Payment Service Providers

Licensed under the Payment Services Regulation

Money Exchangers

Licensed exchange and remittance businesses

Credit Bureaus

SAMA-licensed credit information companies

SAMA TPRM vs SAMA CSF Domain 4

These two frameworks operate at different layers but are deeply complementary. Use this comparison to understand where each framework's obligations begin and end.

Dimension | SAMA TPRM | SAMA CSF Domain 4
Focus | End-to-end third-party risk governance lifecycle | Cyber-security controls applied to third parties
Scope | All material outsourcing and vendor arrangements | Third parties with access to systems, data or infrastructure
Assessment | Risk-based due diligence (financial, legal, security, reputational) | Technical security assessment against CSF control objectives
Controls | ~55 controls across 5 domains | Domain 4 of the SAMA CSF (~15 sub-controls)
Who governs | Board, Senior Management, Procurement/Risk function | CISO / Information Security function
Evidence | Vendor contracts, risk assessments, performance reports, exit plans | Security questionnaires, penetration test results, audit reports
Key output | Vendor register, risk ratings, SLA monitoring, exit plans | Vendor security baseline, remediation tracking
Overlap | TPRM is the governance layer that mandates security assessment | CSF D4 defines what that security assessment must cover

GRC Vantage · SAMA TPRM

End-to-end SAMA TPRM compliance — from vendor inventory to exit plan

GRC Vantage maps directly to SAMA TPRM's five domains, giving every SAMA-supervised entity the tools to operationalise third-party risk governance without spreadsheets or manual evidence chasing.

Vendor Inventory

Centralised register of all third-party relationships with criticality classification, contact details and regulatory notification status.

Due Diligence Workflows

Automated questionnaire issuance, evidence collection and scoring aligned to SAMA criticality tiers — with reviewer routing and audit trail.

Contract Management

Capture and track mandatory clauses, SLAs, audit rights, data protection provisions and renewal dates in one auditable vault.

Ongoing Monitoring Dashboards

Real-time SLA performance tracking, incident flags and re-assessment scheduling with board-ready reporting exports.

Concentration Risk Tracking

Portfolio-level views of single-vendor dependencies, geographic exposure and critical service concentration against defined risk appetite thresholds.

Exit Plan Management

Structured exit and transition plans with data portability checklists, knowledge transfer milestones and business continuity playbooks.

Frequently Asked Questions

What is the SAMA Third-Party Risk Management Framework?
The SAMA Third-Party Risk Management (TPRM) Framework is a mandatory regulatory framework issued by the Saudi Central Bank (SAMA) that governs how SAMA-supervised entities identify, assess, manage and monitor risks arising from third-party and outsourcing relationships. It covers governance, due diligence, contractual requirements, ongoing monitoring and exit planning across approximately 55 controls organised into 5 domains.

What counts as a 'material' third party under SAMA TPRM?
A third party is considered material under SAMA TPRM when it supports a critical or important business function, handles sensitive customer or financial data, or where its failure or underperformance would materially impact the entity's operations, reputation or regulatory obligations. Entities must maintain a classified inventory distinguishing critical from non-critical vendors, with critical vendors subject to the full due diligence and ongoing monitoring requirements.

What must be in a SAMA-compliant vendor contract?
SAMA TPRM requires that contracts with material third parties include mandatory clauses covering: defined and measurable service levels (SLAs/KPIs), audit rights and physical access rights for the entity and SAMA, data protection and confidentiality obligations aligned to PDPL, sub-contractor approval and visibility provisions, regulatory notification and cooperation obligations, business continuity and recovery requirements, and documented exit and transition arrangements including data portability.

How often must third parties be re-assessed under SAMA TPRM?
SAMA TPRM requires at minimum an annual re-assessment of all material third parties, with event-triggered re-assessment whenever a significant security incident, material service failure, ownership change or regulatory sanction occurs. Concentration risk at the portfolio level must also be reviewed periodically, and performance against SLAs must be reviewed on a schedule aligned to the criticality classification.

How does SAMA TPRM relate to SAMA CSF Domain 4?
SAMA TPRM is the governance and risk management layer: it defines the full lifecycle from vendor selection through contract, monitoring and exit. SAMA CSF Domain 4 (Third-Party Cybersecurity) is the cyber-security execution layer for those same third parties — specifying the security controls (access management, secure development, penetration testing requirements) that must flow down to vendors via the contractual and assessment processes defined in SAMA TPRM. In practice, an entity uses SAMA TPRM to manage the relationship and SAMA CSF D4 to set and verify the technical security baseline for each vendor.

What is concentration risk under SAMA TPRM?
Concentration risk under SAMA TPRM arises when an entity has excessive dependency on a single third party (or a small group of related third parties) for critical services — such that a failure of that provider would trigger widespread operational disruption. SAMA TPRM requires entities to actively monitor portfolio-level concentration, set risk appetite thresholds for single-vendor dependency, and maintain documented contingency and substitution plans for systemically important vendors.

Get started

Put your vendor estate on auditable rails

Talk to our team about a SAMA TPRM readiness assessment, vendor inventory sprint and Board-level reporting setup — designed for Saudi banks, insurers and payment providers.