Policies and Procedures to Preserve Registry Accuracy and Consistency

Introduction

Updating and maintaining the shareholder registry are among the most sensitive and important operations in corporate governance. The registry is not a static document but a living entity that changes continuously with ownership transfers, shareholder data updates, and the imposition and release of restrictions. Any delay in updating, error in data, or weakness in maintenance procedures may translate into legal disputes, breaches of shareholder rights, or regulatory violations subject to penalties.

Accurate updating and regular maintenance are not merely technical procedures—they are pillars of sound governance, reflecting the extent of the company’s commitment to protecting its shareholders’ rights and complying with regulatory requirements. With the digital transformation underway in the Kingdom of Saudi Arabia under Vision 2030, electronic registry management systems have become a fundamental pillar for achieving these objectives with high efficiency.

In this article, we explore the policies and procedures necessary to maintain an accurate and up-to-date registry, focusing on operational, technical, and oversight aspects.

 

Part One: Why Periodic Registry Updates Are a Necessity, Not a Choice

Before delving into procedural details, it is important to grasp the fundamental reasons that make periodic updates an utmost necessity:

1. Regulatory Compliance

The Saudi Companies Law and its Implementing Regulations require companies to maintain accurate and up-to-date records, with legal liabilities for breaches. The Corporate Governance Regulations also require the board to oversee information systems related to shareholders and ensure their integrity.

2. Protection of Shareholder Rights

Delays in updating the registry may deprive a new shareholder of their rights (such as voting or receiving dividends) or enable the former owner to exercise rights they no longer have. The company is ultimately the guarantor of all parties’ rights.

3. Integrity of Operations

Many of the company’s core operations rely on registry data: general assemblies, dividend distributions, new issuances, periodic disclosures. Any defect in this data affects all these operations.

4. Transparency and Trust

An accurate and up-to-date registry builds investor and shareholder trust in the company and enhances its market reputation. Conversely, recurring errors undermine shareholder trust and may negatively affect share price.

5. Compliance with Disclosure Requirements

Periodic disclosures required by regulators—such as the monthly major shareholders report—must be accurate. Any error may expose the company to financial penalties and reputational risks.

 

Part Two: Types of Updates to the Shareholder Registry

Updates to the shareholder registry vary according to the nature of the change that necessitates them. They can be classified into several main categories:

1. Ownership Updates

These are updates resulting from changes in share ownership, including:

• Ownership transfer through sale or purchase.
• Ownership transfer through inheritance.
• Ownership transfer through gift or will.
• Acquisition or merger.
• Judicial execution and sale of shares at auction.
• Issuance of new shares (capital increase).
• Cancellation of shares (capital reduction).
• Share splits or consolidations.

2. Shareholder Data Updates

These are updates to the shareholder’s personal data without changes in ownership:

• Updating the national address or correspondence address.
• Updating mobile number and email.
• Renewal of national ID or residency.
• Updating bank account information.
• Name changes (in cases of marriage or legal procedures).
• Updating the data of the legal representative of a juridical shareholder.

3. Restriction Updates

These updates relate to imposing restrictions on shares or releasing them:

• Recording pledges and releasing them.
• Recording attachments and lifting them.
• Lock-up period restrictions.
• Other contractual restrictions.

4. Representation Updates

• Registering agents and legal representatives.
• Updating guardian and trustee data.
• Expiration or cancellation of proxy periods.
• Registering representatives of juridical shareholding companies.

5. Corrective Updates

These are updates made to correct previous errors in the registry:

• Correction of spelling errors in names.
• Correction of ID numbers or commercial registrations.
• Handling duplicate entries.
• Completion of missing data.

 

Part Three: Real-Time vs. Periodic Updates

The nature of updates varies according to the appropriate timeline. They can be divided into two main types:

1. Real-Time Updates

These are updates that must be executed immediately upon the occurrence of the triggering event, including:

In Listed Companies

All ownership updates take place in real time through the Securities Depository Center’s system. Every sale or purchase in the market is reflected in the registry immediately upon settlement (T+2). This model ensures the highest levels of accuracy and immediacy.

In Unlisted Companies

Although there is no real-time system, good practice requires executing updates within 1-3 business days of document completion. Delays beyond that may require justification and could raise concerns among shareholders.

2. Periodic Updates

These are updates conducted according to specified schedules, even in the absence of actual changes, to verify data integrity:

Periodic Update	Frequency	Responsible Party
Reconciliation of data with official documents	Monthly	Registry Custodian
Review of major shareholders data	Monthly	Disclosure Department
Full registry review	Quarterly	Registry Custodian + Internal Audit
Comprehensive audit (Full Audit)	Annually	External Auditor
Update of registry management policies	Annually	Board / Governance Committee
Review of permissions and access rights	Semi-annually	Information Security

 

Part Four: Detailed Update Procedures

To ensure proper registry updates, methodical procedures covering all stages must be followed, from receiving a change request to final documentation.

Step 1: Receipt of the Update Request

Every update begins with an official request that may come from one of the following sources:

• The shareholder themselves or their legal representative.
• Judicial or executive authority (attachment cases).
• The pledgee (pledge and release cases).
• Heirs or their representatives.
• The company (in correction cases).
• Regulatory authorities (in cases requiring it).

Step 2: Request Verification

The request’s completeness and validity must be verified before execution begins:

1. Review the completeness of data in the form.
2. Verify supporting documents and their validity.
3. Ensure signatures match those registered.
4. Verify the validity of the issuing authority.
5. Confirm the absence of restrictions preventing execution.
6. Review payment of any due fees.

Step 3: Execution and Entry

7. Access the registry management system with appropriate permissions.
8. Enter the requested modification with reference to the supporting document.
9. Full documentation of the operation in the audit trail.
10. Verify the entry before final approval.
11. Approval by the authorized person.

Step 4: Verification and Validation

12. Independent second review (Four-Eyes Principle).
13. Verify the match between new data and what was requested.
14. Confirm no impact on other data.
15. Sign final approval.

Step 5: Notification and Documentation

16. Notify the shareholder (and related parties) of the update’s completion.
17. Issue a certificate or proof of update if requested.
18. Archive original documents in the institutional system.
19. Maintain electronic copies per document retention policies.
20. Update any linked systems (CRM, financial systems, etc.).

🔐 The Four-Eyes Principle One of the most important principles in shareholder registry management is the “Four-Eyes Principle,” which requires that the update be performed by one person and reviewed and approved by another. This separation between entry and approval significantly reduces the chances of error and fraud and is considered a fundamental requirement for any effective internal control system.

 

Part Five: Preventive Maintenance Policies

Preventive maintenance refers to procedures taken proactively to preserve registry integrity and prevent errors before they occur. They include:

1. Quality Policies

• Setting precise standards for data acceptance (Data Quality Standards).
• Using checklists for each type of update.
• Periodic review of error rates and analysis of their causes.
• Developing procedures based on lessons learned.

2. Security Policies

• Applying graded access controls (Role-Based Access Control).
• Encrypting data at rest and in transit.
• Identity and permissions management system.
• Maintaining complete audit logs.
• Periodic backups in multiple geographic locations.
• Testing business continuity and disaster recovery plans.

3. Document Retention Policies

• Specifying retention periods for each type of document per regulatory requirements.
• Electronic archiving with effective search capability.
• Keeping original documents in secure vaults.
• Document destruction policies upon expiration of retention period.

4. Training and Development Policies

• Training everyone dealing with the registry on procedures.
• Periodic training on regulatory and technical updates.
• Professional certifications for practitioners.
• Knowledge transfer and documentation of procedures.

 

Part Six: Periodic Registry Reconciliation

Reconciliation is the process of comparing registry data with other sources to verify their match and detect any discrepancies. It is one of the most important preventive maintenance mechanisms.

1. Reconciliation with Issued Capital

The total shares registered for all shareholders must exactly equal the total issued shares. Any difference requires immediate investigation.

2. Reconciliation with Accounting Records

Verifying the match between registry data and the capital recorded in financial statements and any changes thereto.

3. Reconciliation with Company Documents

Comparing the registry with minutes of general assemblies and the board for any resolutions related to share issuance, reduction, or repurchase.

4. Reconciliation with External Parties

For listed companies, periodic reconciliation takes place with Edaa to verify the match between internal records and Edaa’s system.

5. Discrepancy Resolution Mechanism

21. Document the discrepancy in detail (Difference Documentation).
22. Analyze the causes (Root Cause Analysis).
23. Gather documents and evidence needed for correction.
24. Approve the correction by the authorized party.
25. Execute and document the correction.
26. Review procedures to prevent recurrence.

 

Part Seven: Roles and Responsibilities

Clear definition of roles and responsibilities is a pillar of effective registry management. Below are the most prominent roles in the shareholder registry management ecosystem:

1. The Board of Directors

• Approving registry management policies.
• Strategic oversight of registry accuracy and integrity.
• Ultimate responsibility before regulatory authorities.
• Approving periodic reports related to the registry.

2. Audit Committee

• Oversight of internal control systems related to the registry.
• Review of external auditor reports concerning the registry.
• Follow-up on resolution of any regulatory observations.

3. Board Secretary

• Operational oversight of registry management.
• Communication with shareholders.
• Coordination with Edaa for listed companies.
• Oversight of disclosure operations.

4. Registry Custodian (Registrar)

• Daily execution of update operations.
• Document verification.
• Preserving data accuracy.
• Preparation of periodic reports.

5. Risk and Compliance Management

• Identifying registry risks and addressing them.
• Ensuring compliance with regulatory requirements.
• Monitoring legislative updates.

6. Information Security

• Protecting registry data from breaches.
• Managing permissions and access.
• Monitoring suspicious activities.
• Periodically testing systems.

 

Part Eight: Key Performance Indicators (KPIs)

To measure the efficiency of shareholder registry management, a set of key performance indicators can be adopted:

Indicator	Description	Target
Update Execution Time	Average time between receipt and completion of request	Less than 3 business days
Error Rate	Percentage of transactions containing errors	Less than 0.5%
Successful Reconciliation Rate	Percentage of periodic reconciliations without discrepancies	More than 99.5%
Disclosure Accuracy	Percentage of accurate disclosures on time	100%
Shareholder Satisfaction Rate	Survey results	More than 85%
Inquiry Response Time	Average response time to shareholders	Less than 48 hours
System Uptime Rate	Percentage of electronic system availability	More than 99.9%
Security Incidents	Number of breach or data leak incidents	Zero

 

Part Nine: Common Challenges in Update and Maintenance

1. Large Data Volume

Challenge: In large companies, the number of shareholders may reach tens of thousands, making registry management a complex operation.

Solution: Use of advanced management systems capable of handling large volumes, automation of routine operations, focus on exceptional cases.

2. Diverse Update Sources

Challenge: Update sources are numerous (shareholders, judicial authorities, heirs, etc.), creating difficulty in standardizing procedures.

Solution: Developing standardized procedures for each type of update, unified forms, comprehensive operations manual.

3. Regulatory Changes

Challenge: Continuous updates to laws and regulations require constant adaptation.

Solution: Regular monitoring of legislative updates, subscription to official bulletins, periodic team training.

4. Maintaining Security and Privacy

Challenge: With the Personal Data Protection Law, handling shareholder data has become more complex.

Solution: Privacy impact assessment, multi-layered protection controls, training on privacy requirements.

5. System Integration

Challenge: Integration of the shareholder registry with the company’s other systems (financial, communication, disclosure) can be technically complex.

Solution: Developing unified APIs, using international data exchange standards, investing in integrated technical solutions.

 

Part Ten: Best Practices in Update and Maintenance

27. Full automation wherever possible to reduce human errors.
28. Separation of duties (Segregation of Duties) in update operations.
29. Multiple verification before approving any update.
30. Full documentation of each operation with supporting documents.
31. Periodic reconciliation with all relevant sources.
32. Regular backups in multiple locations.
33. Periodic testing of disaster recovery plans.
34. Continuous training for the working team.
35. Use of performance indicators to measure efficiency.
36. Periodic independent review by an external party.
37. Proactive communication with shareholders to encourage data updates.
38. Transparency in procedures and accessibility of information.

 

Comprehensive Checklist for Registry Update and Maintenance

Daily Level

• Review new update requests.
• Execute approved updates per procedures.
• Verify integrity of backups.
• Monitor electronic system performance.

Weekly Level

• Brief reconciliation of total registered shares.
• Review of exceptional operations.
• Follow-up on pending requests.
• Review of access logs and permissions.

Monthly Level

• Comprehensive reconciliation of the registry with other sources.
• Preparation of the major shareholders report.
• Review of error rates and their causes.
• Preparation of the monthly performance indicators report.

Quarterly Level

• Comprehensive review of all data.
• Audit of procedures and policies.
• Testing of business continuity plans.
• Review of permissions and roles.

Annual Level

• Comprehensive external audit.
• Review and update of policies.
• Annual training for the team.
• Assessment of technical systems and development needs.

 

Conclusion and Key Takeaways

Effective updating and regular maintenance of the shareholder registry are not merely administrative procedures—they are core pillars of sound governance, protection of shareholder rights, and regulatory compliance. Companies that invest in developing robust systems and procedures for registry management reap sustainable benefits in terms of trust, reputation, and operational efficiency.

The digital transformation underway in the Kingdom of Saudi Arabia opens broad horizons for enhancing registry management efficiency through automation, integration, and real-time reconciliation. However, technology alone is not enough; it must be supported by clear policies, strict procedures, and qualified personnel.

🎯 Core Takeaways 1) Periodic updating is a legal and operational necessity, not a choice. 2) Updates are divided into real-time (with each event) and periodic (per schedules). 3) The Four-Eyes Principle is the foundation for preventing errors and fraud. 4) Periodic reconciliation with various sources is the most important preventive maintenance mechanism. 5) KPIs are essential for measuring registry management efficiency and continuous improvement. 6) Automation and technical integration are the key to world-class registry management.

FAQ

What is the shareholder lifecycle and why does it matter?

The shareholder lifecycle refers to the successive stages a person passes through from the moment they decide to acquire shares in a company until they dispose of those shares. It encompasses three main phases: acquiring shareholder status, retaining shares and exercising associated rights, and finally disposing of shares. Understanding this lifecycle in detail is essential for shareholder registry specialists because each stage requires specific procedures, defined documents, and timely registry updates. Any breach exposes the company to legal risk and may harm shareholders' rights.

When does a person officially become a shareholder in Saudi Arabia?

A person acquires shareholder status in the full legal sense only upon formal entry of their name in the shareholder registry, regardless of how they came to own the shares—whether through subscription at incorporation, purchase on the secondary market, inheritance, or gift. Until that entry is completed, rights remain with the previously registered owner. This makes registry entry not merely administrative, but the definitive legal act that transfers all associated rights to the new owner.

What are the main ways to acquire shares in Saudi Arabia?

The Saudi system recognizes six primary means of share acquisition. Subscription at the company's incorporation or during a capital increase. Purchase on the secondary market through Tadawul for listed companies, with automated settlement within two business days. Ownership transfer via a documented sale agreement for unlisted companies. Inheritance, where shares transfer to heirs upon issuance of an inheritance limitation deed and Sharia-based division. Gift, through an authenticated contract between donor and recipient. And judicial execution, where shares are sold at public auction by court order.

How does ownership transfer work in an unlisted Saudi company?

Ownership transfer in unlisted companies follows six steps. First, the buyer and seller agree on terms and complete the approved ownership transfer form. Second, signatures are authenticated with a notary public or licensed authentication provider. Third, the request is submitted to the company's board chairman or the entity responsible for the registry. Fourth, the company reviews the request and verifies document completeness. Fifth, the transfer is entered in the registry. Finally, both parties are notified, and the Ministry of Commerce registry is updated for simplified joint-stock companies. The process typically takes one to three business days from document completion.

What restrictions may be placed on shares during the retention period?

Three types of restrictions may be imposed. A pledge is placed voluntarily by the shareholder as in-rem security for a creditor, preventing disposition of the pledged shares without the pledgee's consent while maintaining the shareholder's voting rights unless agreed otherwise. An attachment is an involuntary legal measure imposed by judicial order or a competent authority, prohibiting ownership transfer until the case is resolved. Disposition prohibitions arise from IPO lock-up periods, shareholder agreement restrictions, regulatory blackout periods for insiders, or CMA-mandated restrictions on certain shareholder categories. All must be formally recorded in the registry immediately upon notification.

What procedures apply when a shareholder dies?

Share inheritance in Saudi Arabia follows five steps. The heirs obtain the inheritance limitation deed and heir division deed from the competent court. They then submit the request to the company or Edaa along with all official documents, including valid identification for each heir. The company verifies the authenticity and completeness of the documents. Shares are then divided among the heirs according to their Sharia-determined shares. Finally, each heir is registered in the shareholder registry with their allocated portion, and voting and dividend rights continue according to the new distribution. The process typically takes five to ten business days.

What are the best practices for managing the shareholder lifecycle?

Eight practices distinguish high-performing registry operations. Proactive communication means initiating contact with shareholders rather than waiting for them to reach out. Full electronification of all services reduces errors and accelerates processing. Comprehensive documentation ensures every operation is preserved with its original supporting documents. Multiple verification layers protect against fraud and manipulation at every stage. Continuous training keeps staff current with regulatory updates and procedural changes. Periodic registry review catches inconsistencies before they escalate. Multiple secure backups protect data against loss or disaster. Transparency with shareholders about the status of their shares, including any restrictions, builds long-term trust.

References and Sources

• The Saudi Companies Law and its Implementing Regulations.
• The Corporate Governance Regulations, Saudi Capital Market Authority.
• The Deposit and Registration Rules, Securities Depository Center.
• The Personal Data Protection Law in the Kingdom of Saudi Arabia.
• International standards for managing investor records (ISSA Standards).
• COSO Internal Control standards.
• Securities Industry Best Practices in Shareholder Registry Management.