Contributed By AX Law
During the year 2022, the world began to face one of its worst economic declines since the 2007–2008 financial crisis. Among the most impacted industries was the technology field, where companies suffered significant stock price drops, hiring freezes and widespread lay-offs.
While there are plenty of reasons for such circumstances, the Kingdom of Saudi Arabia (KSA or Saudi Arabia) has emerged as one of the top countries experiencing economic growth, demonstrating that its policies are fully capable of achieving Saudi Vision 2030.
KSA’s goals have been clearly set for the years to come. By 2025, KSA expects Riyadh to become a global fintech hub similar to London and Singapore. By 2030, it plans to have 525 fintech companies, 18,000 fintech jobs, SAR13.3 billion of its GDP coming from the fintech industry and SAR12.2 billion of cumulative venture capital investments. KSA not only has clearly defined goals, the measures it takes also demonstrate that it is fully invested in making them a reality. This is one of the key reasons why, during 2022, the number of active fintech companies in Saudi Arabia almost doubled in comparison to 2021.
While the six years until the completion of Saudi Vision 2030 might seem like a long time, KSA’s drive to accomplish its purpose will almost certainly have a positive impact on the industry. As such, it should come as no surprise that 2024–2025 is scheduled to see new and updated regulation, increased investment, and an open embrace of fintech companies designing and implementing new technologies.
Fintech Saudi, the entity launched by the Capital Market Authority (CMA) and the Saudi Central Bank (“SAMA”) for the development of the fintech industry in Saudi Arabia, reported that in 2022 the predominant fintech verticals in KSA were:
In KSA, fintechs performing services that fall under the regulatory lenses of the competent authorities are generally required to comply with the applicable framework. Specific regulation may apply depending on the relevant vertical.
Third parties supporting fintechs with provision of services that are not regulated by the competent authorities, such as licensing of software, may be required to comply with some terms applicable to fintechs. However, this would usually occur as part of the contracting activity with the relevant fintech, rather than by means of a direct regulatory exercise by the competent authorities on such third party.
On another note, the use and allocation of customers’ money on a company’s books (being recognised on or off the balance sheet) must also be handled in such a way that impacts a fintech’s valuation as a company.
Fintechs may be regulated by the CMA and/or SAMA. See 2.6 Jurisdiction of Regulators for details on the jurisdiction of each authority.
The compensation models that industry participants are allowed to use vary depending on the nature of their business and the associated regulatory framework. Regulatory complexities are focused on B2C models rather than B2B models.
Consumer Protection
Notably, SAMA’s regulatory framework provides protections for consumers, such as a company’s obligation to disclose to consumers details of fees, charges and commissions, and to notify them in advance of any changes in fees or charges, including those imposed by a third party.
Lending
With respect to lending:
No additional paid features
Specific provisions apply to fintechs that provide payments services, which should not add or embed additional paid features in their cards (such as credit or default insurance products) which are optional to the primary product feature of their cards. Thresholds for credit limits and late payment fees are also in place to protect cardholders.
Deferral of payment
In addition, where deferral or skipping of a payment is offered, card issuers must disclose the conditions and any additional charges related to the offer.
Prohibition on extra fees
Card issuers’ revenue streams are also impacted by the prohibition to impose any fees for transfer transactions between a cardholder’s current account and the cardholder’s card account at the same bank.
Non-prepaid and prepaid cards
Notably, in fintechs, non-prepaid cards enjoy lower operational costs than prepaid cards, as only transactions relating to the latter have to flow on the Saudi payment network, MADA. Saudi Payments (SAMA’s arm for managing the various payment channels) sets the MADA rules as well as any other rules relating to the other payment channels. It has set the fee structure applicable to prepaid cards and any deviation (eg, a fintech company shifting a cost to a customer) must be disclosed in the terms and conditions of the customer.
QR code payments
For completeness, payments enabled by QR codes can be offered only by companies approved by SAMA and according to the SAQR standards. Payments with QR codes trigger specific disclosure obligations for fintechs, including sending a digital receipt in accordance with the format specified by MADA to wallet users, which must be available on the app in addition to any associated web-based platform.
No gifts or incentives
Under the CMA’s instructions, fintechs should not encourage any customer to conclude any transactions by offering or giving gifts or incentives. Considering the importance of prize-giving operations in the digital economy, fintechs planning such operations should carefully assess their marketing campaigns to ensure compliance.
Legacy players enjoy the benefits of an established regulatory framework and a track record of compliance standards developed in the Saudi Arabian market. The regulatory framework of fintechs, however, is constantly evolving and expanding along with the development of innovative business models and technologies. The regulatory authorities in KSA are generally supportive of fintechs but, at the same time, their resolutions may have a substantial impact on fintechs’ proposed business concepts. As a consequence, fintechs may need to adjust their initial business concepts to align with the requirements mandated by the regulatory authorities to launch in the market.
The regulatory provisions applicable to fintechs tend to be tailored to the specific service or products offered. Nonetheless, bespoke regulations for fintechs generally incorporate, by reference, obligations that are also applicable to legacy players.
The SAMA Sandbox
As part of Vision 2030, SAMA introduced its regulatory sandbox environment in early 2018 (the “SAMA Sandbox”) and invited companies to apply with new business concepts that did not at the time have a clear regulatory path to launch to consumers.
The SAMA Sandbox has been recently refreshed to address the increasing demand in the market with respect to innovative business concepts. Further evidence of government support for the market is noticeable in the fintech strategy agenda approved by the decision of the Saudi council of ministers in May 2022 to transform the financial sector and to attract and grow the fintech ecosystem on a global scale.
The SAMA Sandbox is a live environment that enables traditional financial institutions and fintech companies to test an innovative financial product and/or service in the market with real consumers within a defined period and with controls. Within the SAMA Sandbox environment, innovators may require relaxation/waivers of some of the usual requirements for licence applications to facilitate the experimental phase.
The SAMA Sandbox is open for applications from innovators (whether incumbents or fintech companies) proposing (i) new digital business concepts and/or (ii) non-regulated technology which are not currently covered under existing SAMA regulations.
Applications from innovators not yet licensed by SAMA for the provision of other services, including overseas companies, are supported either by partnering with a licensed firm or by obtaining specific permission from SAMA.
The SAMA Sandbox is open to applicants that satisfy four key eligibility criteria:
The lifecycle of the SAMA Sandbox is divided into four stages:
The CMA Sandbox
Like SAMA, the CMA supports the vision for Saudi Arabia to be a pioneer in the financial sector, aiming to keep pace with the technology advancement capital markets. As such, in 2018 the CMA launched the FinTech Lab, implementing a simplified regulatory framework to attract innovative business models and emerging technologies in capital markets (the “CMA Sandbox”).
Applicants must meet specific requirements, both with respect to personal capacity and to the features of the proposed innovative solution.
If the CMA deems that the applicant meets the eligibility requirements, it will grant a so-called “Fintech ExPermit” to allow the innovator to experiment with its product. Notably, the CMA may require the innovator to:
Due to continuity requirements applicable to capital markets, an innovator cannot stop working during the FinTech ExPermit without notifying the CMA in advance and in writing of the date on which it intends to temporarily stop (for a maximum period of three months), and providing justification for the reasons for stopping, the plan to return to work and the procedures for notifying customers. Furthermore, innovators are required to submit periodic reports on indicators as determined by the CMA.
The period of the FinTech ExPermit cannot exceed two years from the date of commencing the business, although the period can be extended with the approval of the CMA. Upon expiry of the FinTech ExPermit, the applicant can choose to either:
However, the CMA may decide not to permit the deployment of the fintech product in the market if the testing is not successful based on agreed test criteria, or the product has unintended negative consequences for the market.
SAMA’s and the CMA’s powers to demand compliance with additional requirements, indicate that the liaison with the authorities is material and constant throughout the sandbox process, and that the approach of the regulators is hands-on and supportive.
The CMA exercises regulatory powers on security products and services, including dealing, arranging, managing, advising, custody of securities and other capital market-related activities (eg, investment platforms, equity crowdfunding and robo-advisers, among others).
SAMA is in charge of regulating matters related to KSA’s monetary and financial policies and stability, including traditional banking and digital-only banking activities, finance, payments, money exchanges, credit bureaus and, more generally, financial services that do not qualify as security products. In late 2023, the Saudi Insurance Authority (IA) started operations and took over all matters related to insurance.
Any activity or business concept that does not fall under any of the existing licences should be brought to the attention of SAMA. However, if the innovative solution is within the business of securities, the CMA should have jurisdiction. This might include distributed ledger technologies to arrange and offer securities and custody services or investment and real estate funds distribution platforms.
Both SAMA and the CMA may exercise regulatory powers if the proposed business concept entails various activities that are partially covered by both the CMA and SAMA.
In general, both authorities are strongly supportive of the development of the fintech ecosystem in Saudi Arabia. As an example, Fintech Saudi successfully acts as a catalyst for the industry, by supporting the development of the required infrastructure, building the skills and knowledge necessary for the future of financial services, and supporting entrepreneurs in the launch of their ventures.
Other authorities supporting the ecosystem at a systemic level are listed in 2.10 Implications of Additional, Non-financial Services Regulations.
Under the CMA’s Supervision
Innovators under the supervision of the CMA must comply with the provisions on outsourcing set out under the Capital Market Institutions Regulations, requiring that capital market institutions that delegate specific compliance or other functions to an external party must adopt “appropriate safeguards”. These include:
To the extent that the outsourced activities fall under the scope of the CMA’s supervision, the delegate must be licensed by the CMA to carry out such activity.
Thus, delegates must undergo a thorough due diligence exercise from the relevant institution and must demonstrate and ensure that they can comply with the applicable requirements. Notably, they must demonstrate the same level of cybersecurity protection applicable to capital markets institutions.
Under SAMA’s Supervision
Significantly more detailed provisions are applicable to innovators operating under a licence issued by SAMA. Vendors must undergo a thorough due diligence exercise for the innovator and, where engaged, they must comply with provisions aimed at guaranteeing continuity of services.
Notably, under SAMA’s outsourcing rules, innovators are required to include certain provisions in the outsourcing agreement signed with vendors. To the extent that vendors are supportive of compliance with the applicable regulatory framework, they must ensure that the outsourcing does not reduce the protection that would be available if the activities were not outsourced. This includes obligations on service levels, audit and monitoring rights, business continuity plans, liability, indemnities and dispute resolution. Generally, SAMA’s outsourcing rules aim at making the financial entity in full control of the outsourced activities.
SAMA sets forth additional obligations applicable to material outsourcing (ie, the outsourcing of activities which, if disrupted, will have a material impact on the financial entity’s business operations), including prior written approval of the arrangement.
SAMA tends to perform regular audits on licensed entities that, most often, include the review of outsourcing agreements. Where the relevant agreement does not ensure the appropriate safeguards, SAMA may require the financial entity to amend it or terminate it where vendors are not co-operative. In addition to the written requirements set out in the outsourcing rules, which are generally not exhaustive, SAMA has developed a standard set of requirements that it expects to be met by way of various inspection and assessment checklists. From a practical perspective, vendors and financial entities that align with the standard set of requirements are less exposed to a risk of intervention by SAMA, which could jeopardise their relationship.
Across all SAMA-regulated verticals of the fintech ecosystem, provisions on outsourcing are included either by a cross-reference to the general SAMA outsourcing rules or by specific provisions in the applicable regulation.
Where fintechs are in a position to act as gatekeepers, they are not expressly held liable under a specific liability regime in such capacity. However, concerns associated with their capacity as gatekeepers, including unfair competition, users’ lock-in practices, restricted access to data and services, and limited interoperability, are addressed as part of the regulatory clearing process in the applicable sandbox. After the launch, regulatory authorities continuously monitor fintechs and their business operations, thus ensuring that unfair business practices are not enacted.
In the wake of increasing regulatory requirements specific to gatekeepers, especially in the European Union, and of increasingly interlaced relationships between providers, it is expected that KSA will adopt more specific regulations in the near future.
As an example of how existing regulations address concerns on gatekeeper liabilities, SAMA’s Consumer Protection Rules oblige banks to permit smooth account opening, closing, and transferring. Similarly, SAMA’s Payment Service Providers Regulation sets forth customers’ rights to access accounts, obtain correction of errors in payment transactions, as well as other general protections.
Finally, recent trends show that legacy players are commonly placed in the position of being exposed to gatekeeper liability. With respect to the opening of aggregated accounts, for example, banks act as gatekeepers for fintechs that maintain aggregated accounts with them. This is in line with the government’s approach to ease innovators’ position and foster the development of the ecosystem.
Enforcement actions are not publicly available. However, SAMA does conduct audits on a regular basis. Depending on the findings, SAMA may issue monetary penalties, the value of which varies based on the criticality of non-compliance with any SAMA requirements.
In addition to the CMA and SAMA, the following regulators may have an impact on fintechs, depending on the specific business activities of the company:
For details on providers of services that support or complement finance activities, see 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities.
Regulated entities with licences from SAMA and the CMA are subject to external audit requirements from external auditors.
Under the CMA’s regulation, the external auditor audits the company’s annual accounts. Its appointment is subject to meeting the following requirements:
Whereas for companies under SAMA’s regulation, the following criteria (among other general requirements) must be met:
In addition, payment service providers that are engaged in cards business have to comply with certain standards that also require having regular (at least annual) audits in respect of security and related standards.
Fintechs are limited to the activities authorised by the CMA and SAMA, as applicable. As such, any unregulated product should fall under the activities permitted by the CMA or SAMA, and should be subject to prior review and approval from the regulators.
In practice, licensed companies wanting to provide services that are different to the ones approved on their licence, or unregulated services, ideally look to provide them using the same entity. However, due to regulatory constraints, they have to set up new entities to carry out such unregulated activities, especially in instances where capital adequacy and protection of customers’ funds require that the regulated business is operated separately from other commercial non-regulated businesses.
As fintechs generally attract consumers based on the ease of accessing and utilising the services, one of the main challenges they face is to maintain a smooth onboarding process while complying with the applicable anti-money laundering/know your customer (AML/KYC) requirements.
AML/KYC provisions require financial institutions to adopt a risk-based approach based on their business concepts. Thus, while every fintech should comply with the applicable AML provisions, precautions to be implemented vary depending on the identified risk profiles.
Under the applicable AML/KYC provisions, fintechs must conduct a KYC assessment, run a customer due diligence, keep records and continuously monitor transactions, documents and data to ensure that they are consistent with the information collected.
Moreover, supervisory tools must be tested once a year to ensure their adequacy and effectiveness.
Any suspicious transaction must be reported to the Financial Intelligence Unit at the Ministry of Interior (“SAFIU”) and procedures for reporting suspicious transactions must be approved at the level of the board of directors. To supervise and ensure compliance with the AML/KYC framework, fintechs must also appoint an anti-money laundering/countering terrorism financing (AML/CTF) compliance officer.
In practice, fintechs tend to handle this process by engaging specialised service providers that can offer ready-to-market solutions ensuring compliance with the regulatory framework. The international status of such providers also contributes to the credibility of the financial ecosystem in KSA.
Compliance with AML/KYC provisions inevitably results in additional costs which should be considered as part of the initial investment for going live.
Digitalisation of financial services has boosted the proliferation of robo-advisory platforms, which have given the tech-savvy population of KSA access to services in line with their needs and expectations. There may be slight differences between robo-advisory services based on the particular asset class to which they refer. However, a common thread unites them all – they provide easier access to wealth management and customised products and risks based on the individual profiles of investors.
Challenges to the business models proposed by robo-advisers might arise from the chosen delivery model: on-premise licensing models are generally supported by SAMA over software as a service (SaaS) solutions.
Interest in robo-advisory services by legacy players is driven by the efficiency of the automation of portfolio management and the demand from consumers. However, in light of the fundamental tech nature of these services, legacy players are seeking to acquire the required knowledge and capabilities from innovators, either by acquiring the provider of robo-adviser services or by contracting service agreements with such providers.
Legacy players in KSA are expected to increase their presence in the robo-advisory market, in view of the growth outlook for robo-adviser services and for the consolidation of different expertise.
Assets under management in the robo-adviser segment are expected to show an annual growth rate of 12.63% from 2023 to 2027, resulting in a projected total amount of USD2.48 billion by 2027.
Robo-advisory has also recently gained traction among companies directly owned by the Saudi National Bank. For example, SNB Capital, the largest Asset Manager in KSA and the largest Sharia-compliant asset manager globally, with over SAR140 billion in assets under management, launched robo-advisory services, including a savings calculator and an auto-deposit feature providing access to key SNB Capital funds.
Moreover, developments in the market aim at answering the investment needs of the local population. The robo-advisory service provider Madkhol, which obtained a Fintech ExPermit from the CMA, announced last year that it had received Shariyah certification for its platform and investment activities from the Shariyah Review Bureau (SRB).
Best execution rules may apply to robo-advisers, depending on the nature of the activities conducted by the service provider.
Under the Market Conduct Regulations issued by the CMA, when a capital market institution deals with or for a client, it must provide best execution. When the institution is acting as an agent, best execution is ensuring that the order is executed at the best prevailing price in the relevant market or markets for the size of the order. When the institution is acting as a principal, best execution is executing the transaction at a better price for the client than it would have obtained if it had executed the order at the best prevailing price.
Companies licensed by SAMA should deal fairly and honestly with consumers at all stages of their relationship.
See 7.5 Order-Handling Rules.
Regulatory Framework
Licensed financial services
SAMA offers various licences related to financial services. These include real estate finance, production asset finance, small and medium enterprise finance, finance lease, credit card finance, consumer finance and microfinance. Evidently, the rules governing these activities depend on the kind of services offered by the financial company.
Capacity of borrower
The different capacities of borrowers also have an impact on which regulatory framework applies. Notably, SAMA adopted special rules for (i) microfinance activities in favour of the production activities of small businesses and craftsmen, etc, and for (ii) consumer microfinance activities in favour of consumers.
Responsible Lending Principles for Individual Consumers
In addition to governance, audit and broader corporate requirements, companies financing consumers must comply with the Responsible Lending Principles for Individual Consumers issued by SAMA.
Microfinance companies
The amount of finance that a microfinance company can loan to consumers may not exceed SAR50,000 but, if the company carries out its activity using financial technology, the amount may not exceed SAR25,000, although SAMA has the power to adjust the amount based on the market conditions or geographical scope of the company. Thus, companies relying on financial technologies should assess with SAMA what threshold applies to them based on the extent to which their business is run via financial technologies.
Buy now, pay later
Increasingly popular buy now, pay later (BNPL) solutions also fall under the supervision of SAMA. The regulations applicable to BNPL were issued as part of a successful application of fintechs to the SAMA Sandbox, thus demonstrating SAMA’s encouraging and supportive approach to market trends and innovations.
The Additional Licensing Guidelines and Criteria for Digital-Only Banks
As a further demonstration of SAMA’s advanced positioning as a regulatory authority in the financial ecosystem, the Additional Licensing Guidelines and Criteria for Digital-Only Banks issued by SAMA in February 2020 set out the licensing criteria for banks conducting a banking business mainly through digital channels. These are additional requirements to be met, along with other core SAMA regulations, and clearly provide that compliance with Banking Consumer Protection Principles must be ensured. As a consequence, the increasingly widespread services offered by digital banks providing loans to consumers must comply with consumer protections provisions.
Support services
Finally, specific provisions are applicable to providers of services that support or complement finance activities (including debt collection, finance aggregator services and any other activity approved by SAMA).
Industry participants use underwriting processes that enable compliance with the regulatory framework applicable to their specific financing services. Usually these involve creditworthiness analysis, registration of credit information at companies licensed to collect credit information, regular monitoring of financing and the channels to address complaints. Underwriting processes must be approved at board level and be revised at least once every two years.
Financing by regulated companies to a foreign borrower non-resident in KSA, and financing in currencies other than Saudi riyals are subject to SAMA’s non-objection.
The above is in addition to the standard AML and KYC requirements.
The sources of funds permitted depend on the nature of the business performed by the lender. With the view to fostering the start-up ecosystem in KSA, SAMA has set out a specific framework applicable to debt-based crowdfunding and the CMA has set out a specific framework for equity-based crowdfunding. See 7.6 Rise of Peer-to-Peer Trading Platforms.
Although syndication of loans is generally permitted, this is usually limited to institutional borrowers.
Payment processors either use the official Saudi Arabian payment rails, or the ones provided by the existing schemes.
In KSA, remittances are services for transmitting money or monetary value either within KSA or cross-border. The funds received by the payment service provider (PSP) are either solely for the purpose of transferring the amount to either the receiving party or to another PSP on behalf of the receiving party, or received on behalf of and made available to the receiving party.
Cross-border payments and remittances are considered payment services, and therefore, only licensed companies may carry out such services. However, fintechs usually enable their customers to perform cross-border payments and remittances by partnering with duly licensed providers, bringing international exposure and cross-border payment capabilities to the table.
Remittances are generally conducted through internationally recognised network providers, although recently a few business initiatives have been building up their own limited network.
Fund administrators are regulated by the CMA. The regulation applies to the activity of managing investments and operating funds.
Fund administrators must:
Fund advisers are appointed by fund administrators, and their remuneration comes directly from them. It is unlikely that any unusual terms would be imposed on fund administrators as the focus of the relevant regulation is generally to protect investors and investments while allowing market institutions to sort out their arrangements among each other.
In Saudi Arabia, there are two official exchanges: the Saudi Stock Exchange (also known as “Tadawul”) and the secondary market (also known as “Nomu”).
A number of trading platforms have been authorised in Saudi Arabia. Licences differ depending on the business model of the trading platform.
There are various asset classes in Saudi Arabia (equities, bonds, etc). While the assets themselves are subject to their own regulations, there are no unusual regulatory regimes that govern certain asset classes.
In 2018, KSA placed a ban on banks processing transactions related to cryptocurrencies. In practice, there are cryptocurrency exchanges providing services to Saudi Arabian nationals and residents. It is expected that, in the short-term, KSA will issue specific regulation that allows legal certainty in respect of cryptocurrency exchanges’ activities. See 12. Blockchain for a more detailed description of this matter.
The current applicable listing conditions are as follows.
Restrictions on the transferability must be approved by the CMA. Depending on the type of security, additional conditions may apply.
There are also conditions for listing debt instruments, and for cross-listing of foreign issuers and units of investment funds.
Prior to listing, the issuer must apply by providing supporting documents to the Saudi Stock Exchange.
Order-handling rules and best execution of customer trades applicable to the Saudi Stock Exchange are set out in the Trading and Membership Procedures. The main rules are as follows.
Debt instruments are priced at a tick size of 0.001% over their par value.
In KSA, equity crowdfunding platforms are regulated by the CMA and debt-based crowdfunding platforms are regulated by SAMA.
Equity-based crowdfunding platforms must be carried out by a licensed capital market institution that is authorised to perform securities crowdfunding arrangements.
Debt-based crowdfunding platforms must request a licence from SAMA, complying with a list of documents and forms, the minimum capital (SAR5,000 as of March 2023) and minimum requirements for members that have supervisory and executive positions.
Debt-based crowdfunding platforms have already begun their activities by applying to the SAMA Sandbox, and became licensed after succeeding in the tests.
See 7.5 Order-Handling Rules.
There are no specific regulations in respect of payment for order flow.
A capital market institution must comply with the following principles:
Additionally, the CMA’s Financial Sector Development Plan 2021–2023 was launched to achieve the objectives of Vision 2030. It seeks five main objectives:
Algorithmic trading is not yet fully regulated by the CMA. A general reference to the matter is found in the Regulations of the Securities Exchanges and Depository Centre, which provide that the exchanges enabling algorithmic trading must have in place arrangements to mitigate the related risks.
Further guidance can be found in the CMA’s Market Conduct Regulations, which mention the use of technology to create orders automatically, with reference to the prohibition of any means to engage in, or participate in, any manipulative or deceptive acts or practices regarding securities.
It is worth noting that the trading and membership procedures of the Saudi Stock Exchange expressly provide that automated orders based on pre-defined calculated instructions must be placed on a specifically dedicated channel (so-called Channel G).
The above demonstrates the CMA’s awareness of the topic and suggests that extensive regulation may follow.
This has been confirmed by recent CMA statements clarifying that, as a board member of the International Organisation of Securities Commissions, the CMA follows developments in the use of technology by market participants and that studies relating to financial technology and algorithmic trading have been conducted with an eye towards policy adoption.
Under the CMA’s regulations, the Saudi Stock Exchange may allow market making (ie, authorise to carry out dealing activity where a capital market institution enters continuous orders for buying and selling securities for the purpose of providing liquidity to those securities) subject to prior approval from the CMA.
The Saudi Stock Exchange implements effective rules, procedures and systems required for the market making activity and the management of risks arising from it, and ensures that the market maker fulfils, on an ongoing basis, the systems, procedures and rules for market making.
There are no specific provisions which distinguish between funds and dealers providing algorithmic trading services.
There are no specific provisions which govern the developing of trading algorithms. However, the development of such algorithms should not breach general confidentiality and data protection obligations as applicable to the data set used to train the algorithm.
For the sake of completeness, there are currently no exemptions for processing data for the testing and development of algorithms. However, in the wake of exemptions being increasingly permitted on a global scale, it is expected that KSA authorities may adopt regulations facilitating such activities.
Decentralised finance (DeFi) uses distributed ledger technologies for the delivery of finance products (eg, borrowing, lending and investing) traditionally offered by legacy finance entities. DeFi’s purpose is to disintermediate financial activities, and it achieves this purpose by using complex technology architectures encompassing multiple layers (eg, decentralised applications and smart contracts). Due to its decentralised nature, off-chain financial activity (ie, not executed and recorded in a distributed ledger), and financial activity performed through an intermediary (eg, through a crypto-exchange) cannot be considered DeFi.
Given DeFi (currently) requires DLT and cryptocurrency to operate, KSA’s prudent position regarding these matters would apply. For a detailed description, please see 12. Blockchain.
Financial research platforms would be subject to registration when the nature of their services, including the contents that they provide, overlap with activities supervised by the CMA.
Notably, financial research platforms are subject to registration if their activities or contents invite the public to subscribe to securities, involve direct or indirect marketing of securities, or contain any statement, announcement or communication that has the effect of selling, issuing or offering securities.
Spreading of rumours and unverified information by a financial research platform is prohibited to the extent that it may manipulate the market and/or mislead capital markets operators. In general, the CMA’s regulations forbid the circulation, directly or indirectly, of an untrue statement of material fact or a statement of opinion for the purpose of influencing the price or value of a security, or for any manipulative or deceptive purpose.
Under the CMA’s provisions, communications must be clear, fair and not misleading, and should not in any way determine market abuse. Exerting any undue pressure or making misleading statements is also forbidden.
There are no specific rules on the processes of underwriting that companies must follow.
In practice, already established insurance companies have been exploring the introduction of new technologies to the existing processes. Underwriting is considered as a material activity for insurers and reinsurers and, as such, any process that will be developed with third parties and not in-house must follow SAMA’s outsourcing rules.
Under Saudi Arabia’s Regulation for Implementing the Cooperative Insurance Companies Control Law, the following classes of insurance are recognised:
SAMA has issued specific regulation in respect of forming and managing health insurance risk pools through brokers, comprehensive insurance of motor vehicles financially leased to individuals, inherent defects insurance, and the Unified Compulsory Motor Insurance Policy, among others. Moreover, the Saudi Council of Cooperative Health Insurance regulates the mandatory benefits and covers of medical/health insurance.
Banks that want to dive into the insurance industry are additionally regulated by the Rules Governing Bancassurance Activities.
In practice, the offering of insurance companies reflects the regulation. Companies are able to request the approval of insurance products by following SAMA’s Rules of Insurance Products Approval.
Although regtech is not currently extensively regulated, it is included among the activities that could potentially be regulated as part of the SAMA Sandbox or CMA Sandbox.
However, as SAMA clarified as part of its guidelines for new products and services, regtech solutions are unlikely to be regulated at the moment if they are not involved in providing regulated activities. They would still need to be compliant with existing regulation, such as regulation related to the use and transfer of financial data. As most companies that are likely to use regtech solutions will be regulated, the financial company using the solution will be held accountable and therefore will need to comply with the relevant regulations related to such area.
Notably, Fintech Saudi’s own Fintech Regulatory Assessment Tool provides a helpful regtech solution to innovators willing to start their business in KSA.
From a business perspective, offering of regtech solutions is increasing in KSA and is expected to scale up in the coming years, in line with the digitalisation of financial services.
Contractual terms may be significantly impacted by the compliance requirements of the financial company, especially with respect to confidentiality, data protection, cybersecurity and outsourcing provisions, depending on the activities being performed.
In line with KSA’s digital transformation plan for the Saudi Vision 2030 initiative, distributed ledger technology (DLT) innovation in KSA has been non-stop during the past few years (blockchain is a type of DLT).
The use of blockchain has significatively increased since the first glimpses of it back in 2017 and 2018. The list below shows annual examples of developments in the use of blockchain which have revolutionised the legacy financial system in KSA.
Saudi Arabia and SAMA’s perspective on the use of blockchain is both optimistic and encouraging. While the ban on banks processing transactions related to cryptocurrencies has not been lifted, recent developments, such as the announcement of an experiment with a local wholesale CBDC and the partnership with The Sandbox virtual gaming world, demonstrate that KSA is working hands-on to promote the effective use of blockchain for the benefit of its citizens.
Additionally, the ban is overshadowed in practice by the increased use and trading of cryptocurrencies in KSA. This is shown, for instance, in the fact that there are no penalties on transacting with cryptocurrencies, and that existing crypto-exchanges in KSA have faced minimal regulatory scrutiny.
There is no official classification of Blockchain Assets in KSA. In practice, the approach divides cryptocurrencies and NFTs. Banks are banned from dealing with the former, whereas the latter have been promoted by Saudi Arabian regulators and are not subject to the ban.
There are no specific regulations on issuing blockchain assets in KSA.
To date, there is no regulation applicable to blockchain asset trading platforms in KSA. However, it is expected that this will change sooner rather than later due to the hiring of the virtual assets and CBDC lead in 2022. There are a number of cryptocurrency exchanges focused in the Middle East region that are also available in Saudi Arabia.
There are no specific regulations on funds investing in blockchain assets.
Public funds can only invest in investments set out in the regulations, none of which include blockchain assets. Private funds may invest in any types of assets, however, the restrictions on cryptocurrency transactions may impact the possibility of these types of investments. This would not be the case for investments dealing with NFTs, which are treated differently in practice by the regulators.
The different approaches taken by the regulators on the differences between virtual currencies and blockchain assets can be seen in the treatment initially given to cryptocurrencies, KSA’s use of NFTs and the experiments performed by Saudi Arabia in testing CBDCs.
There is currently no regulation in KSA in respect of decentralised finance platforms.
Currently, KSA has no regulation in respect of NFTs. However, the NFT industry has demonstrated exponential growth potential since 2021, and the Saudi Arabian government has been promoting NFTs through multiple actions, the latest being the Memorandum of Understanding signed with The Sandbox, the platform of which is NFT-focused. Considering this, it is likely that KSA will introduce regulation on NFTs and blockchain assets in the near future.
SAMA strongly supports open banking as it “enables customers to securely share their data with a third party, which opens the way for the innovation and provision of new financial services towards innovation and financial inclusion”.
Accordingly, SAMA adopted an open banking policy in January 2021 to nurture open-banking expansion.
At present, SAMA is working with participants in the financial sector, such as banks and fintechs, to build an integrated ecosystem and, as part of the SAMA Sandbox, various fintechs have been licensed to provide open banking services.
SAMA expects that open-banking will benefit customers by enabling bespoke products related to consumption patterns, and the entire ecosystem by increasing competition among market players. Open banking will also increase competition among providers, thereby promoting a competitive run on better services and pricing for consumers.
As part of this fostering exercise for open banking, SAMA is currently revising the PSP Regulation to include provisions enacting the Open Banking Framework.
The Open Banking Lab
Stakeholders operating within the boundaries of the Open Banking Lab promoted by SAMA are well positioned to ensure compliance with data privacy and security concerns. SAMA thoroughly assesses risks associated with security and data privacy and provides continuous support to innovators to ensure that the highest standards are met.
As part of the Open Banking Lab, SAMA identified technological standards that gold-plate international best practices with the aim of creating an interoperable and secure ecosystem.
Notably, these standards and guidelines pursue the goal of giving control over data to customers, thus providing technical features for processing data that are prone to compliance with the applicable regulatory framework.
From this perspective, the current challenge within the boundaries of the Open Banking Lab comes rather from a technological and infrastructural perspective, as financial companies are required to update their infrastructure to the new requirements of open banking. This is an enormous assignment considering the fundamental differences between closed-banking and open-banking models and the implications of the two different approaches on the infrastructures supporting them.
Open Finance
Regulatory burdens that might need additional intervention from the competent authorities will be triggered once open banking evolves into open finance, where other financial institutions (eg, insurance providers, pension and investment funds, credit institutions, e-money institutions, etc) besides banks will develop innovative use cases based on exchanging data. In this context, as data will not pertain to the same business environment and will likely be subject to different regulations, regulators and innovators will need to co-operate to identify the applicable regulatory framework and round off the corners of each vertical to ensure interoperability and compatibility of the data flow.
In October 2022, SAMA issued the Counter-Fraud Framework, a set of principle-based rules that apply to SAMA-regulated entities, with the purpose of identifying and addressing fraud-related risks.
The main objectives of the Counter-Fraud Framework are:
Fraud is defined in the Counter-Fraud Framework as “any act that aims to obtain an unlawful benefit or cause loss to another party. This can be caused by exploiting technical or documentary means, relationships or social means, using functional powers, or deliberately neglecting or exploiting weaknesses in systems or standards, directly or indirectly”. Given this definition, the components of fraud under the framework are:
The Counter-Fraud Framework intends to ensure SAMA-regulated entities have strong anti-fraud risk management procedures across four domains:
The Counter-Fraud Framework addresses the following examples of fraud as a non-exhaustive list to be considered by the SAMA-regulated entities when implementing the framework: