The last five years have seen widespread societal and economic reforms and a raft of major projects in Saudi Arabia across urbanisation, housing, healthcare, energy and tourism and cultural activities, as the country opens up to the world and aims to place Riyadh as a top 10 world city by 2030.
The scale of such projects is astonishing. For example, Neom on the Red Sea is seeing infrastructural development across 26,500 square kilometres to create an area 35 times the size of Singapore; the Sakaka Solar Power Plant is being built across six square kilometres and will house 1.2m solar panels; and the Riyadh metro is expected to span over 170km.
Regulatory developments are required across the legal sector and the insurance sector to assist in shaping the framework.
Legal practice
In the legal sector, a code of conduct for legal professionals was approved in September 2021 providing rules governing topics such as conflicts of interest, lawyer client relationships, confidentiality, litigation procedures and the advertising of legal services.
February 2022 heralded cabinet approval for the country’s Legal Practice Law which specifies new conditions for foreign law firms in country. Various provisions aim to enhance the standards and efficiency of the legal profession, with changes to the period of experience required to obtain a licence (a reduction from three to two years), the rule that allowed non-licenced agents to plead being abolished, and filing and review procedures for disciplinary cases being overhauled.
Inherent defects insurance
In the insurance sector, various rules and regulations have recently been introduced. Regarding inherent defects insurance (IDI), a standard form has been established with wording that cannot be amended without written prior approval from the Saudi Central Bank (SAMA). Since May 2020, all contractors are required to obtain IDI against inherent defects for qualifying projects, and from July 2021 IDI became mandatory for residential buildings of three floors or less.
IDI cover must be taken out for a 10-year period, after an occupancy certificate has been issued and the insurer has received a certificate of approval. The occupancy certificate is issued by the relevant authority and confirms substantial completion of the premises. The certificate of approval is issued by a technical inspection service (TIS) – an independent third-party entity appointed by the insurer, at the expense of the contractor. The TIS will examine the plans, specifications, bills of quantities and any other documentation as required by the insurer.
The policyholder is responsible for submitting a copy of the occupancy certificate once this has been issued and to take all reasonable precautions to prevent physical damage or threat of collapse to the premises. Premiums are stated to be between 1.5-2% of the construction cost of the building.
InsurTech
In October 2021, SAMA published draft rules to regulate the activities of InsurTech companies within the country. The rules introduce a framework to regulate the operations of InsurTech companies, set out certain obligations to ensure the protection of consumer rights and encourage fair competition with respect to providing InsurTech solutions. There are various requirements that InsurTech companies must comply with, including licensing, data protection and customer due diligence.
The rules apply to ‘InsurTech activities’, which are defined as “any solutions or services that use technology and are provided in an integrated manner within the scope of insurance activities.” Insurance activities include activities that result in “shifting burdens of risks from a person to an insurance company, which is obligated to indemnify the insured against loss or damage”, as well as “any other necessary, complementary or supporting activities of the insurance activities”.
Companies that aim to conduct InsurTech activities must submit a license request to SAMA, which should include relevant information about their business model, the product (and its vision, mission, and objectives), senior officers and the minimum paid-up capital. A feasibility study, which sets out the technical infrastructure of the solution (including any technical arrangements in place), must accompany the application.
The business plan must be approved by the InsurTechs board of directors. SAMA’s prior approval is required to effect any material changes. InsurTech companies may be required to introduce amendments to an existing business plan in line with SAMA’s feedback. Following this, an applicant must submit constitutional documents (including the memorandum of association and articles); a fit and proper questionnaire (completed by senior management); a regulatory compliance plan; a professional liability insurance policy; and a business continuity plan (setting out a response to manage any emergencies).
The initial license obtained will enable applicants to commence operations in country. Companies cannot market or advertise licensed InsurTech activities without SAMA’s prior approval.
Medical malpractice
Effective from January 2022, SAMA announced the issuance of a model insurance policy for medical malpractice errors mandating minimum terms regarding coverage, exclusions and limits of indemnity. The decision was influenced by an increasing number of malpractice claims brought against practitioners within the country.
The policy covers malpractice arising from “any bodily, physical injury or mental injury, sickness, illness, disease, or death of any patient” arising from an act, error, omission or negligence of a medical practitioner. This includes ordinary treatments, emergency treatments, home medical visits and telehealth care.
Domestic workers
In February 2022, SAMA approved a model insurance policy for domestic workers setting out conditions under which an insurer must indemnify the employer or the domestic worker, with a maximum policy liability of SAR25,000 ($6,664).
Data protection
In March 2022, the Personal Data Protection Law came into effect – applicable to personal data controlled or processed by any businesses or public entities within Saudi Arabia by any means whatsoever, including the personal data of residents by entities located outside the country.
The law requires data controllers to, inter alia: Ensure the accuracy, completeness and relevancy of personal data prior to processing; maintain a record of processing (for a period to be prescribed under implementing regulations); train staff to ensure compliance with the law; implement a privacy policy and make it available to data subjects prior to collection of their personal data; evaluate the impact of processing personal data, and cease collection if such data is no longer required to achieve the intended purpose; notify the relevant supervisory authority upon discovery of a data breach, leakage or unauthorised access; and notify data subjects of any incidents that cause material harm.
In respect of transferring data outside of the country, the law prohibits controllers from transferring or disclosing personal data to entities outside of Saudi Arabia except where: The transfer or disclosure will not adversely affect national security or vital interests; sufficient guarantees are provided to safeguard and protect the confidentiality of the data; the transferred personal data is limited to the minimum amount necessary; and the consent of the competent authority has been obtained. Data controllers have one year from the effective date of the implementing regulations to comply.
As Saudi Arabia continues its transformation and economic diversification, more regulatory developments are anticipated. For example, SAMA is encouraging insurers to develop products to cover private sports facilities and player/participant injuries. Mandatory rules and awareness-raising initiatives are expected to increase demand for motor insurance policies. The scale and pace of change within the country is unprecedented, and the volume of recent and forthcoming regulatory developments is reflective of this paradigm shift. M
Messrs Justin Whelan and John Barlow are partners at HFW.