During the year 2022, the world began to face one of its worst economic declines since the 2007–2008 financial crisis. Among the most impacted industries was the technology field, where companies suffered significant stock price drops, hiring freezes and widespread lay-offs. 

While there are plenty of reasons for such circumstances, the Kingdom of Saudi Arabia (KSA or Saudi Arabia) has emerged as one of the top countries experiencing economic growth, demonstrating that its policies are fully capable of achieving Saudi Vision 2030. 

KSA’s goals have been clearly set for the years to come. By 2025, KSA expects Riyadh to become a global fintech hub similar to London and Singapore. By 2030, it plans to have 525 fintech companies, 18,000 fintech jobs, SAR13.3 billion of its GDP coming from the fintech industry and SAR12.2 billion of cumulative venture capital investments. KSA not only has clearly defined goals, the measures it takes also demonstrate that it is fully invested in making them a reality. This is one of the key reasons why, during 2022, the number of active fintech companies in Saudi Arabia almost doubled in comparison to 2021.

While the six years until the completion of Saudi Vision 2030 might seem like a long time, KSA’s drive to accomplish its purpose will almost certainly have a positive impact on the industry. As such, it should come as no surprise that 2024–2025 is scheduled to see new and updated regulation, increased investment, and an open embrace of fintech companies designing and implementing new technologies.

Fintech Saudi, the entity launched by the Capital Market Authority (CMA) and the Saudi Central Bank (“SAMA”) for the development of the fintech industry in Saudi Arabia, reported that in 2022 the predominant fintech verticals in KSA were:

• payments and currency exchanges;
• private fundraising;
• business tools and provision of information;
• lending and finance;
• capital markets;
• personal finance and treasury management;
• insurance;
• infrastructure;
• digital banking; and
• regulation and risk management.

In KSA, fintechs performing services that fall under the regulatory lenses of the competent authorities are generally required to comply with the applicable framework. Specific regulation may apply depending on the relevant vertical.

Third parties supporting fintechs with provision of services that are not regulated by the competent authorities, such as licensing of software, may be required to comply with some terms applicable to fintechs. However, this would usually occur as part of the contracting activity with the relevant fintech, rather than by means of a direct regulatory exercise by the competent authorities on such third party. 

On another note, the use and allocation of customers’ money on a company’s books (being recognised on or off the balance sheet) must also be handled in such a way that impacts a fintech’s valuation as a company.

Fintechs may be regulated by the CMA and/or SAMA. See 2.6 Jurisdiction of Regulators for details on the jurisdiction of each authority. 

The compensation models that industry participants are allowed to use vary depending on the nature of their business and the associated regulatory framework. Regulatory complexities are focused on B2C models rather than B2B models.

Consumer Protection

Notably, SAMA’s regulatory framework provides protections for consumers, such as a company’s obligation to disclose to consumers details of fees, charges and commissions, and to notify them in advance of any changes in fees or charges, including those imposed by a third party.

Lending

With respect to lending:

• charges to other businesses cannot generally exceed the equivalent of 1% of the financed amount or SAR5,000, whichever is less; however,
• charges to consumers from companies providing microfinance cannot exceed the amount equivalent to 1% of the financed amount or SAR100, whichever is higher.

No additional paid features

Specific provisions apply to fintechs that provide payments services, which should not add or embed additional paid features in their cards (such as credit or default insurance products) which are optional to the primary product feature of their cards. Thresholds for credit limits and late payment fees are also in place to protect cardholders.

Deferral of payment

In addition, where deferral or skipping of a payment is offered, card issuers must disclose the conditions and any additional charges related to the offer. 

Prohibition on extra fees

Card issuers’ revenue streams are also impacted by the prohibition to impose any fees for transfer transactions between a cardholder’s current account and the cardholder’s card account at the same bank. 

Non-prepaid and prepaid cards

Notably, in fintechs, non-prepaid cards enjoy lower operational costs than prepaid cards, as only transactions relating to the latter have to flow on the Saudi payment network, MADA. Saudi Payments (SAMA’s arm for managing the various payment channels) sets the MADA rules as well as any other rules relating to the other payment channels. It has set the fee structure applicable to prepaid cards and any deviation (eg, a fintech company shifting a cost to a customer) must be disclosed in the terms and conditions of the customer. 

QR code payments

For completeness, payments enabled by QR codes can be offered only by companies approved by SAMA and according to the SAQR standards. Payments with QR codes trigger specific disclosure obligations for fintechs, including sending a digital receipt in accordance with the format specified by MADA to wallet users, which must be available on the app in addition to any associated web-based platform.

No gifts or incentives

Under the CMA’s instructions, fintechs should not encourage any customer to conclude any transactions by offering or giving gifts or incentives. Considering the importance of prize-giving operations in the digital economy, fintechs planning such operations should carefully assess their marketing campaigns to ensure compliance.

Legacy players enjoy the benefits of an established regulatory framework and a track record of compliance standards developed in the Saudi Arabian market. The regulatory framework of fintechs, however, is constantly evolving and expanding along with the development of innovative business models and technologies. The regulatory authorities in KSA are generally supportive of fintechs but, at the same time, their resolutions may have a substantial impact on fintechs’ proposed business concepts. As a consequence, fintechs may need to adjust their initial business concepts to align with the requirements mandated by the regulatory authorities to launch in the market.

The regulatory provisions applicable to fintechs tend to be tailored to the specific service or products offered. Nonetheless, bespoke regulations for fintechs generally incorporate, by reference, obligations that are also applicable to legacy players.

The SAMA Sandbox

As part of Vision 2030, SAMA introduced its regulatory sandbox environment in early 2018 (the “SAMA Sandbox”) and invited companies to apply with new business concepts that did not at the time have a clear regulatory path to launch to consumers.

The SAMA Sandbox has been recently refreshed to address the increasing demand in the market with respect to innovative business concepts. Further evidence of government support for the market is noticeable in the fintech strategy agenda approved by the decision of the Saudi council of ministers in May 2022 to transform the financial sector and to attract and grow the fintech ecosystem on a global scale.

The SAMA Sandbox is a live environment that enables traditional financial institutions and fintech companies to test an innovative financial product and/or service in the market with real consumers within a defined period and with controls. Within the SAMA Sandbox environment, innovators may require relaxation/waivers of some of the usual requirements for licence applications to facilitate the experimental phase. 

The SAMA Sandbox is open for applications from innovators (whether incumbents or fintech companies) proposing (i) new digital business concepts and/or (ii) non-regulated technology which are not currently covered under existing SAMA regulations.

Applications from innovators not yet licensed by SAMA for the provision of other services, including overseas companies, are supported either by partnering with a licensed firm or by obtaining specific permission from SAMA.

The SAMA Sandbox is open to applicants that satisfy four key eligibility criteria:

• the proposed technology or business concept has genuine innovative or scale-up features;
• there are envisaged benefits to consumers;
• there is a detailed plan describing the minimum viable product (MVP) and operational readiness, including envisaged testing activities and criteria; and
• there is an exit strategy from the SAMA Sandbox, including a scale-up strategy and protection of consumers.

The lifecycle of the SAMA Sandbox is divided into four stages:

• application – innovators complete and submit the relevant application form and SAMA assesses its completeness and compliance with the eligibility criteria and responds to the applicant within 60 days;
• operational readiness – innovators are informed of pre-go live requirements in the form of a bespoke assessment checklist drafted by SAMA considering the proposed business concept, and SAMA will support innovators to finalise the operational readiness against the checklist within 120 days (successful operational readiness grants innovators temporary permission);
• testing – innovators with temporary permission can proceed with the testing plan as agreed during the operational readiness and updated with SAMA’s input included in the temporary permission (innovators have between six months and 12 months to complete their tests); and
• exit – innovators completing the testing successfully will be able to exit the SAMA Sandbox and apply for a licence that SAMA deems compatible with the proposed business concept (it is also possible that the innovator does not pursue the required licence and halts its business concept, or that SAMA confirms the product does not require a licence).

The CMA Sandbox

Like SAMA, the CMA supports the vision for Saudi Arabia to be a pioneer in the financial sector, aiming to keep pace with the technology advancement capital markets. As such, in 2018 the CMA launched the FinTech Lab, implementing a simplified regulatory framework to attract innovative business models and emerging technologies in capital markets (the “CMA Sandbox”). 

Applicants must meet specific requirements, both with respect to personal capacity and to the features of the proposed innovative solution. 

If the CMA deems that the applicant meets the eligibility requirements, it will grant a so-called “Fintech ExPermit” to allow the innovator to experiment with its product. Notably, the CMA may require the innovator to: 

• establish a commercial entity in KSA;
• fulfil information security requirements and technology tests as determined by the CMA; and
• provide the CMA with the key final agreements with any external parties related to the company’s main activity.

Due to continuity requirements applicable to capital markets, an innovator cannot stop working during the FinTech ExPermit without notifying the CMA in advance and in writing of the date on which it intends to temporarily stop (for a maximum period of three months), and providing justification for the reasons for stopping, the plan to return to work and the procedures for notifying customers. Furthermore, innovators are required to submit periodic reports on indicators as determined by the CMA.

The period of the FinTech ExPermit cannot exceed two years from the date of commencing the business, although the period can be extended with the approval of the CMA. Upon expiry of the FinTech ExPermit, the applicant can choose to either: 

• execute the exit strategy; or
• deploy the fintech product on a wider scale in compliance with the CMA laws and regulations.

However, the CMA may decide not to permit the deployment of the fintech product in the market if the testing is not successful based on agreed test criteria, or the product has unintended negative consequences for the market.

SAMA’s and the CMA’s powers to demand compliance with additional requirements, indicate that the liaison with the authorities is material and constant throughout the sandbox process, and that the approach of the regulators is hands-on and supportive.

The CMA exercises regulatory powers on security products and services, including dealing, arranging, managing, advising, custody of securities and other capital market-related activities (eg, investment platforms, equity crowdfunding and robo-advisers, among others).

SAMA is in charge of regulating matters related to KSA’s monetary and financial policies and stability, including traditional banking and digital-only banking activities, finance, payments, money exchanges, credit bureaus and, more generally, financial services that do not qualify as security products. In late 2023, the Saudi Insurance Authority (IA) started operations and took over all matters related to insurance.

Any activity or business concept that does not fall under any of the existing licences should be brought to the attention of SAMA. However, if the innovative solution is within the business of securities, the CMA should have jurisdiction. This might include distributed ledger technologies to arrange and offer securities and custody services or investment and real estate funds distribution platforms.

Both SAMA and the CMA may exercise regulatory powers if the proposed business concept entails various activities that are partially covered by both the CMA and SAMA.

In general, both authorities are strongly supportive of the development of the fintech ecosystem in Saudi Arabia. As an example, Fintech Saudi successfully acts as a catalyst for the industry, by supporting the development of the required infrastructure, building the skills and knowledge necessary for the future of financial services, and supporting entrepreneurs in the launch of their ventures.

Other authorities supporting the ecosystem at a systemic level are listed in 2.10 Implications of Additional, Non-financial Services Regulations.

Under the CMA’s Supervision

Innovators under the supervision of the CMA must comply with the provisions on outsourcing set out under the Capital Market Institutions Regulations, requiring that capital market institutions that delegate specific compliance or other functions to an external party must adopt “appropriate safeguards”. These include:

• assessing whether the delegate is suitable to carry out the outsourced activity;
• agreeing on clear documentation regarding the extent and limits of the outsourced activity; 
• entering suitable arrangements for the supervision of the outsourced activity, including warranties on the continuity of the services provided by the vendor and on access to relevant documentation within a maximum of ten days from the request; and
• ensuring appropriate remedial actions if any concerns arise about the delegate’s services. 

To the extent that the outsourced activities fall under the scope of the CMA’s supervision, the delegate must be licensed by the CMA to carry out such activity.

Thus, delegates must undergo a thorough due diligence exercise from the relevant institution and must demonstrate and ensure that they can comply with the applicable requirements. Notably, they must demonstrate the same level of cybersecurity protection applicable to capital markets institutions.

Under SAMA’s Supervision

Significantly more detailed provisions are applicable to innovators operating under a licence issued by SAMA. Vendors must undergo a thorough due diligence exercise for the innovator and, where engaged, they must comply with provisions aimed at guaranteeing continuity of services.

Notably, under SAMA’s outsourcing rules, innovators are required to include certain provisions in the outsourcing agreement signed with vendors. To the extent that vendors are supportive of compliance with the applicable regulatory framework, they must ensure that the outsourcing does not reduce the protection that would be available if the activities were not outsourced. This includes obligations on service levels, audit and monitoring rights, business continuity plans, liability, indemnities and dispute resolution. Generally, SAMA’s outsourcing rules aim at making the financial entity in full control of the outsourced activities. 

SAMA sets forth additional obligations applicable to material outsourcing (ie, the outsourcing of activities which, if disrupted, will have a material impact on the financial entity’s business operations), including prior written approval of the arrangement.

SAMA tends to perform regular audits on licensed entities that, most often, include the review of outsourcing agreements. Where the relevant agreement does not ensure the appropriate safeguards, SAMA may require the financial entity to amend it or terminate it where vendors are not co-operative. In addition to the written requirements set out in the outsourcing rules, which are generally not exhaustive, SAMA has developed a standard set of requirements that it expects to be met by way of various inspection and assessment checklists. From a practical perspective, vendors and financial entities that align with the standard set of requirements are less exposed to a risk of intervention by SAMA, which could jeopardise their relationship.

Across all SAMA-regulated verticals of the fintech ecosystem, provisions on outsourcing are included either by a cross-reference to the general SAMA outsourcing rules or by specific provisions in the applicable regulation.

Where fintechs are in a position to act as gatekeepers, they are not expressly held liable under a specific liability regime in such capacity. However, concerns associated with their capacity as gatekeepers, including unfair competition, users’ lock-in practices, restricted access to data and services, and limited interoperability, are addressed as part of the regulatory clearing process in the applicable sandbox. After the launch, regulatory authorities continuously monitor fintechs and their business operations, thus ensuring that unfair business practices are not enacted. 

In the wake of increasing regulatory requirements specific to gatekeepers, especially in the European Union, and of increasingly interlaced relationships between providers, it is expected that KSA will adopt more specific regulations in the near future.        

As an example of how existing regulations address concerns on gatekeeper liabilities, SAMA’s Consumer Protection Rules oblige banks to permit smooth account opening, closing, and transferring. Similarly, SAMA’s Payment Service Providers Regulation sets forth customers’ rights to access accounts, obtain correction of errors in payment transactions, as well as other general protections.

Finally, recent trends show that legacy players are commonly placed in the position of being exposed to gatekeeper liability. With respect to the opening of aggregated accounts, for example, banks act as gatekeepers for fintechs that maintain aggregated accounts with them. This is in line with the government’s approach to ease innovators’ position and foster the development of the ecosystem.

Enforcement actions are not publicly available. However, SAMA does conduct audits on a regular basis. Depending on the findings, SAMA may issue monetary penalties, the value of which varies based on the criticality of non-compliance with any SAMA requirements. 

In addition to the CMA and SAMA, the following regulators may have an impact on fintechs, depending on the specific business activities of the company:

• the Ministry of Commerce, which issues regulations applicable to all companies in KSA, including regulations on e-commerce activities;
• the Ministry of Investment, which regulates foreign investment in KSA and provides support to investors;
• the Ministry of Communications and Information Technology, which regulates electronic transactions, telecommunications and digital signatures, which are relevant to the infrastructure layers upon which the fintech service runs;
• the Small and Medium Enterprises General Authority in charge of developing, implementing and supporting programmes to promote innovation and to diversify funding sources for small and medium projects;
• the Communications, Space & Technology Commission, which regulates cloud computing; 
• the National Cybersecurity Authority, which regulates matters in respect of cybersecurity; and
• the Saudi Data and Artificial Intelligence Authority, which is in charge of supervising compliance with Saudi Arabia’s Personal Data Protection Law and of defining the data and AI strategy and framework in KSA.

For details on providers of services that support or complement finance activities, see 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities.

Regulated entities with licences from SAMA and the CMA are subject to external audit requirements from external auditors. 

Under the CMA’s regulation, the external auditor audits the company’s annual accounts. Its appointment is subject to meeting the following requirements:

• nomination based on recommendation by the company’s audit committee;
• authorisation from the competent authority;
• no conflict of interests; and
• at least two external auditors must be nominated. 

Whereas for companies under SAMA’s regulation, the following criteria (among other general requirements) must be met:

• the company must have a non-objection from SAMA;
• it must provide a warranty of independence; 
• it must report any non-compliance that it comes across to SAMA; and
• it must perform the audit with accuracy and integrity.

In addition, payment service providers that are engaged in cards business have to comply with certain standards that also require having regular (at least annual) audits in respect of security and related standards.

Fintechs are limited to the activities authorised by the CMA and SAMA, as applicable. As such, any unregulated product should fall under the activities permitted by the CMA or SAMA, and should be subject to prior review and approval from the regulators. 

In practice, licensed companies wanting to provide services that are different to the ones approved on their licence, or unregulated services, ideally look to provide them using the same entity. However, due to regulatory constraints, they have to set up new entities to carry out such unregulated activities, especially in instances where capital adequacy and protection of customers’ funds require that the regulated business is operated separately from other commercial non-regulated businesses.

As fintechs generally attract consumers based on the ease of accessing and utilising the services, one of the main challenges they face is to maintain a smooth onboarding process while complying with the applicable anti-money laundering/know your customer (AML/KYC) requirements.

AML/KYC provisions require financial institutions to adopt a risk-based approach based on their business concepts. Thus, while every fintech should comply with the applicable AML provisions, precautions to be implemented vary depending on the identified risk profiles.

Under the applicable AML/KYC provisions, fintechs must conduct a KYC assessment, run a customer due diligence, keep records and continuously monitor transactions, documents and data to ensure that they are consistent with the information collected. 

Moreover, supervisory tools must be tested once a year to ensure their adequacy and effectiveness.

Any suspicious transaction must be reported to the Financial Intelligence Unit at the Ministry of Interior (“SAFIU”) and procedures for reporting suspicious transactions must be approved at the level of the board of directors. To supervise and ensure compliance with the AML/KYC framework, fintechs must also appoint an anti-money laundering/countering terrorism financing (AML/CTF) compliance officer.

In practice, fintechs tend to handle this process by engaging specialised service providers that can offer ready-to-market solutions ensuring compliance with the regulatory framework. The international status of such providers also contributes to the credibility of the financial ecosystem in KSA. 

Compliance with AML/KYC provisions inevitably results in additional costs which should be considered as part of the initial investment for going live.

Digitalisation of financial services has boosted the proliferation of robo-advisory platforms, which have given the tech-savvy population of KSA access to services in line with their needs and expectations. There may be slight differences between robo-advisory services based on the particular asset class to which they refer. However, a common thread unites them all – they provide easier access to wealth management and customised products and risks based on the individual profiles of investors. 

Challenges to the business models proposed by robo-advisers might arise from the chosen delivery model: on-premise licensing models are generally supported by SAMA over software as a service (SaaS) solutions.

Interest in robo-advisory services by legacy players is driven by the efficiency of the automation of portfolio management and the demand from consumers. However, in light of the fundamental tech nature of these services, legacy players are seeking to acquire the required knowledge and capabilities from innovators, either by acquiring the provider of robo-adviser services or by contracting service agreements with such providers. 

Legacy players in KSA are expected to increase their presence in the robo-advisory market, in view of the growth outlook for robo-adviser services and for the consolidation of different expertise.

Assets under management in the robo-adviser segment are expected to show an annual growth rate of 12.63% from 2023 to 2027, resulting in a projected total amount of USD2.48 billion by 2027.

Robo-advisory has also recently gained traction among companies directly owned by the Saudi National Bank. For example, SNB Capital, the largest Asset Manager in KSA and the largest Sharia-compliant asset manager globally, with over SAR140 billion in assets under management, launched robo-advisory services, including a savings calculator and an auto-deposit feature providing access to key SNB Capital funds.

Moreover, developments in the market aim at answering the investment needs of the local population. The robo-advisory service provider Madkhol, which obtained a Fintech ExPermit from the CMA, announced last year that it had received Shariyah certification for its platform and investment activities from the Shariyah Review Bureau (SRB).

Best execution rules may apply to robo-advisers, depending on the nature of the activities conducted by the service provider.

Under the Market Conduct Regulations issued by the CMA, when a capital market institution deals with or for a client, it must provide best execution. When the institution is acting as an agent, best execution is ensuring that the order is executed at the best prevailing price in the relevant market or markets for the size of the order. When the institution is acting as a principal, best execution is executing the transaction at a better price for the client than it would have obtained if it had executed the order at the best prevailing price.

Companies licensed by SAMA should deal fairly and honestly with consumers at all stages of their relationship.

See 7.5 Order-Handling Rules.

Regulatory Framework

Licensed financial services

SAMA offers various licences related to financial services. These include real estate finance, production asset finance, small and medium enterprise finance, finance lease, credit card finance, consumer finance and microfinance. Evidently, the rules governing these activities depend on the kind of services offered by the financial company. 

Capacity of borrower

The different capacities of borrowers also have an impact on which regulatory framework applies. Notably, SAMA adopted special rules for (i) microfinance activities in favour of the production activities of small businesses and craftsmen, etc, and for (ii) consumer microfinance activities in favour of consumers.

Responsible Lending Principles for Individual Consumers

In addition to governance, audit and broader corporate requirements, companies financing consumers must comply with the Responsible Lending Principles for Individual Consumers issued by SAMA. 

Microfinance companies

The amount of finance that a microfinance company can loan to consumers may not exceed SAR50,000 but, if the company carries out its activity using financial technology, the amount may not exceed SAR25,000, although SAMA has the power to adjust the amount based on the market conditions or geographical scope of the company. Thus, companies relying on financial technologies should assess with SAMA what threshold applies to them based on the extent to which their business is run via financial technologies.

Buy now, pay later

Increasingly popular buy now, pay later (BNPL) solutions also fall under the supervision of SAMA. The regulations applicable to BNPL were issued as part of a successful application of fintechs to the SAMA Sandbox, thus demonstrating SAMA’s encouraging and supportive approach to market trends and innovations. 

The Additional Licensing Guidelines and Criteria for Digital-Only Banks

As a further demonstration of SAMA’s advanced positioning as a regulatory authority in the financial ecosystem, the Additional Licensing Guidelines and Criteria for Digital-Only Banks issued by SAMA in February 2020 set out the licensing criteria for banks conducting a banking business mainly through digital channels. These are additional requirements to be met, along with other core SAMA regulations, and clearly provide that compliance with Banking Consumer Protection Principles must be ensured. As a consequence, the increasingly widespread services offered by digital banks providing loans to consumers must comply with consumer protections provisions.

Support services

Finally, specific provisions are applicable to providers of services that support or complement finance activities (including debt collection, finance aggregator services and any other activity approved by SAMA).

Industry participants use underwriting processes that enable compliance with the regulatory framework applicable to their specific financing services. Usually these involve creditworthiness analysis, registration of credit information at companies licensed to collect credit information, regular monitoring of financing and the channels to address complaints. Underwriting processes must be approved at board level and be revised at least once every two years.

Financing by regulated companies to a foreign borrower non-resident in KSA, and financing in currencies other than Saudi riyals are subject to SAMA’s non-objection. 

The above is in addition to the standard AML and KYC requirements.

The sources of funds permitted depend on the nature of the business performed by the lender. With the view to fostering the start-up ecosystem in KSA, SAMA has set out a specific framework applicable to debt-based crowdfunding and the CMA has set out a specific framework for equity-based crowdfunding. See 7.6 Rise of Peer-to-Peer Trading Platforms.

Although syndication of loans is generally permitted, this is usually limited to institutional borrowers.

Payment processors either use the official Saudi Arabian payment rails, or the ones provided by the existing schemes.

In KSA, remittances are services for transmitting money or monetary value either within KSA or cross-border. The funds received by the payment service provider (PSP) are either solely for the purpose of transferring the amount to either the receiving party or to another PSP on behalf of the receiving party, or received on behalf of and made available to the receiving party.

Cross-border payments and remittances are considered payment services, and therefore, only licensed companies may carry out such services. However, fintechs usually enable their customers to perform cross-border payments and remittances by partnering with duly licensed providers, bringing international exposure and cross-border payment capabilities to the table. 

Remittances are generally conducted through internationally recognised network providers, although recently a few business initiatives have been building up their own limited network. 

Fund administrators are regulated by the CMA. The regulation applies to the activity of managing investments and operating funds. 

Fund administrators must:

• manage the investment fund;
• offer the fund’s units; and
• ensure the fund’s terms and conditions are accurate, complete, clear and not misleading.

Fund advisers are appointed by fund administrators, and their remuneration comes directly from them. It is unlikely that any unusual terms would be imposed on fund administrators as the focus of the relevant regulation is generally to protect investors and investments while allowing market institutions to sort out their arrangements among each other.

In Saudi Arabia, there are two official exchanges: the Saudi Stock Exchange (also known as “Tadawul”) and the secondary market (also known as “Nomu”). 

A number of trading platforms have been authorised in Saudi Arabia. Licences differ depending on the business model of the trading platform. 

There are various asset classes in Saudi Arabia (equities, bonds, etc). While the assets themselves are subject to their own regulations, there are no unusual regulatory regimes that govern certain asset classes. 

In 2018, KSA placed a ban on banks processing transactions related to cryptocurrencies. In practice, there are cryptocurrency exchanges providing services to Saudi Arabian nationals and residents. It is expected that, in the short-term, KSA will issue specific regulation that allows legal certainty in respect of cryptocurrency exchanges’ activities. See 12. Blockchain for a more detailed description of this matter.

The current applicable listing conditions are as follows.

• Securities must:
1. comply with KSA’s statutory conditions;
2. be issued subject to the issuer’s by-laws or applicable documents;
3. be deposited, settled and cleared through the depositary centre once approved; and
4. be freely transferable and tradable.
• Shares must be:
1. issued by a joint stock company; and
2. issued on markets that have sufficient liquidity for the shares, with at least 200 public shareholders at listing and at least 30% of the class of shares to be owned by the public (however, lower requirements may be approved by the CMA). 

Restrictions on the transferability must be approved by the CMA. Depending on the type of security, additional conditions may apply. 

There are also conditions for listing debt instruments, and for cross-listing of foreign issuers and units of investment funds. 

Prior to listing, the issuer must apply by providing supporting documents to the Saudi Stock Exchange.

Order-handling rules and best execution of customer trades applicable to the Saudi Stock Exchange are set out in the Trading and Membership Procedures. The main rules are as follows.

• Limit order: whenever the price is better than the order’s price limit on the opposite side, the trading system will improve the execution prices of limit orders by either reducing them for buyers or increasing them for sellers. If there is no better price, the order is then executed at the limit price.
• Market order: during the Second Session (from 10am to 3pm KSA time), the trading system executes market orders (partially or fully) at one price. Unmatched parts of partially matched market orders are converted into limit orders at their traded prices. 
• Tick size requirement for transmitting orders: 
1. below SAR10, tick size of SAR0.01;
2. SAR10 to 24.98, tick size of SAR0.02;
3. SAR25 to 49.95, tick size of SAR0.05;
4. SAR50 to 99.90, tick size of SAR0.10; and
5. eat or above SAR100, tick size of SAR0.20.

Debt instruments are priced at a tick size of 0.001% over their par value.

In KSA, equity crowdfunding platforms are regulated by the CMA and debt-based crowdfunding platforms are regulated by SAMA.

Equity-based crowdfunding platforms must be carried out by a licensed capital market institution that is authorised to perform securities crowdfunding arrangements. 

Debt-based crowdfunding platforms must request a licence from SAMA, complying with a list of documents and forms, the minimum capital (SAR5,000 as of March 2023) and minimum requirements for members that have supervisory and executive positions.

Debt-based crowdfunding platforms have already begun their activities by applying to the SAMA Sandbox, and became licensed after succeeding in the tests. 

See 7.5 Order-Handling Rules.

There are no specific regulations in respect of payment for order flow. 

A capital market institution must comply with the following principles: 

• integrity in the way it conducts its business;
• skill, care and diligence in the way it conducts its business; 
• efficiency of management and control, by taking reasonable care to organise its affairs responsibly and effectively, with adequate risk-management policies and systems; 
• financial prudence, by maintaining adequate financial resources in accordance with the rules issued by the authority; 
• proper market conduct in the way it conducts its business; 
• protection of clients’ assets in the way it conducts its business; 
• co-operation with regulators, including disclosing to the authority any material event or change in the capital market institution’s business operations or organisation; 
• communications with clients that are clear, fair and not misleading; 
• to pay due regard to a client’s interests in the way it conducts its business and to treat the client fairly; 
• to resolve conflicts of interest fairly, both between itself and its clients and between a client and another client; and
• to take reasonable care to ensure the suitability of its advice and to take discretionary management decisions for any client to whom it provides such services.

Additionally, the CMA’s Financial Sector Development Plan 2021–2023 was launched to achieve the objectives of Vision 2030. It seeks five main objectives: 

• financial diversity;
• financial inclusiveness;
• financial stability;
• digital transformation; and
• depth of the financial sector.

Algorithmic trading is not yet fully regulated by the CMA. A general reference to the matter is found in the Regulations of the Securities Exchanges and Depository Centre, which provide that the exchanges enabling algorithmic trading must have in place arrangements to mitigate the related risks.

Further guidance can be found in the CMA’s Market Conduct Regulations, which mention the use of technology to create orders automatically, with reference to the prohibition of any means to engage in, or participate in, any manipulative or deceptive acts or practices regarding securities. 

It is worth noting that the trading and membership procedures of the Saudi Stock Exchange expressly provide that automated orders based on pre-defined calculated instructions must be placed on a specifically dedicated channel (so-called Channel G).

The above demonstrates the CMA’s awareness of the topic and suggests that extensive regulation may follow.

This has been confirmed by recent CMA statements clarifying that, as a board member of the International Organisation of Securities Commissions, the CMA follows developments in the use of technology by market participants and that studies relating to financial technology and algorithmic trading have been conducted with an eye towards policy adoption.

Under the CMA’s regulations, the Saudi Stock Exchange may allow market making (ie, authorise to carry out dealing activity where a capital market institution enters continuous orders for buying and selling securities for the purpose of providing liquidity to those securities) subject to prior approval from the CMA. 

The Saudi Stock Exchange implements effective rules, procedures and systems required for the market making activity and the management of risks arising from it, and ensures that the market maker fulfils, on an ongoing basis, the systems, procedures and rules for market making.

There are no specific provisions which distinguish between funds and dealers providing algorithmic trading services.

There are no specific provisions which govern the developing of trading algorithms. However, the development of such algorithms should not breach general confidentiality and data protection obligations as applicable to the data set used to train the algorithm. 

For the sake of completeness, there are currently no exemptions for processing data for the testing and development of algorithms. However, in the wake of exemptions being increasingly permitted on a global scale, it is expected that KSA authorities may adopt regulations facilitating such activities.

Decentralised finance (DeFi) uses distributed ledger technologies for the delivery of finance products (eg, borrowing, lending and investing) traditionally offered by legacy finance entities. DeFi’s purpose is to disintermediate financial activities, and it achieves this purpose by using complex technology architectures encompassing multiple layers (eg, decentralised applications and smart contracts). Due to its decentralised nature, off-chain financial activity (ie, not executed and recorded in a distributed ledger), and financial activity performed through an intermediary (eg, through a crypto-exchange) cannot be considered DeFi.

Given DeFi (currently) requires DLT and cryptocurrency to operate, KSA’s prudent position regarding these matters would apply. For a detailed description, please see 12. Blockchain.

Financial research platforms would be subject to registration when the nature of their services, including the contents that they provide, overlap with activities supervised by the CMA. 

Notably, financial research platforms are subject to registration if their activities or contents invite the public to subscribe to securities, involve direct or indirect marketing of securities, or contain any statement, announcement or communication that has the effect of selling, issuing or offering securities.

Spreading of rumours and unverified information by a financial research platform is prohibited to the extent that it may manipulate the market and/or mislead capital markets operators. In general, the CMA’s regulations forbid the circulation, directly or indirectly, of an untrue statement of material fact or a statement of opinion for the purpose of influencing the price or value of a security, or for any manipulative or deceptive purpose.

Under the CMA’s provisions, communications must be clear, fair and not misleading, and should not in any way determine market abuse. Exerting any undue pressure or making misleading statements is also forbidden.

There are no specific rules on the processes of underwriting that companies must follow. 

In practice, already established insurance companies have been exploring the introduction of new technologies to the existing processes. Underwriting is considered as a material activity for insurers and reinsurers and, as such, any process that will be developed with third parties and not in-house must follow SAMA’s outsourcing rules. 

Under Saudi Arabia’s Regulation for Implementing the Cooperative Insurance Companies Control Law, the following classes of insurance are recognised: 

• general insurance, which includes:
1. accident and liability insurance;
2. motor insurance;
3. property insurance;
4. marine insurance;
5. aviation insurance;
6. energy insurance;
7. engineering insurance; and
8. other classes of insurance;
• health insurance, which may be either individual or for groups; and
• protection and savings insurance, which includes: 
1. protection insurance;
2. protection and savings insurance; and
3. other protection and savings insurance.

SAMA has issued specific regulation in respect of forming and managing health insurance risk pools through brokers, comprehensive insurance of motor vehicles financially leased to individuals, inherent defects insurance, and the Unified Compulsory Motor Insurance Policy, among others. Moreover, the Saudi Council of Cooperative Health Insurance regulates the mandatory benefits and covers of medical/health insurance.

Banks that want to dive into the insurance industry are additionally regulated by the Rules Governing Bancassurance Activities. 

In practice, the offering of insurance companies reflects the regulation. Companies are able to request the approval of insurance products by following SAMA’s Rules of Insurance Products Approval.

Although regtech is not currently extensively regulated, it is included among the activities that could potentially be regulated as part of the SAMA Sandbox or CMA Sandbox.

However, as SAMA clarified as part of its guidelines for new products and services, regtech solutions are unlikely to be regulated at the moment if they are not involved in providing regulated activities. They would still need to be compliant with existing regulation, such as regulation related to the use and transfer of financial data. As most companies that are likely to use regtech solutions will be regulated, the financial company using the solution will be held accountable and therefore will need to comply with the relevant regulations related to such area. 

Notably, Fintech Saudi’s own Fintech Regulatory Assessment Tool provides a helpful regtech solution to innovators willing to start their business in KSA.

From a business perspective, offering of regtech solutions is increasing in KSA and is expected to scale up in the coming years, in line with the digitalisation of financial services.

Contractual terms may be significantly impacted by the compliance requirements of the financial company, especially with respect to confidentiality, data protection, cybersecurity and outsourcing provisions, depending on the activities being performed.

In line with KSA’s digital transformation plan for the Saudi Vision 2030 initiative, distributed ledger technology (DLT) innovation in KSA has been non-stop during the past few years (blockchain is a type of DLT). 

The use of blockchain has significatively increased since the first glimpses of it back in 2017 and 2018. The list below shows annual examples of developments in the use of blockchain which have revolutionised the legacy financial system in KSA.

• 2017: Alrajhi Bank completed the first cross-border money transfer (from KSA to Jordan), using Ripple. This was reportedly the first use of the technology by a bank in KSA.
• 2018: KSA placed a ban on banks processing transactions related to cryptocurrencies. This same year, SAMA and Ripple joined forces to improve the local banking settlement system with blockchain.
• 2019:  A joint central bank digital currency (CBDC) between SAMA and the Central Bank of the United Arab Emirates (CBUAE) was launched (Project Aber). In late 2019, the Saudi British Bank (SABB) and HSBC announced that they had used blockchain to issue a letter of credit using R3’s Corda system.
• 2020: SAMA issued a press release announcing it had deployed blockchain technology to inject liquidity into the banking sector. At the end of 2020, SAMA and CBUAE published a final report declaring the CBDC experiment a success. 
• 2021: SABB announced it was using Ripple to launch an instant cross-border transfer service for the US Corridor.
• 2022: SAMA appointed its first virtual assets and CBDC programme lead. Alrajhi Bank announced a partnership with Contour for a cross-border digital trade solution for letters of credit. Additionally, the Saudi Ministry of Tourism and the Saudi Tourism Authority announced the creation of non-fungible tokens (NFTs).
• 2023: In early 2023, SAMA announced that it would continue experimenting on a local wholesale CBDC, and a partnership between KSA and The Sandbox (a decentralised virtual gaming world) was announced. 

Saudi Arabia and SAMA’s perspective on the use of blockchain is both optimistic and encouraging. While the ban on banks processing transactions related to cryptocurrencies has not been lifted, recent developments, such as the announcement of an experiment with a local wholesale CBDC and the partnership with The Sandbox virtual gaming world, demonstrate that KSA is working hands-on to promote the effective use of blockchain for the benefit of its citizens. 

Additionally, the ban is overshadowed in practice by the increased use and trading of cryptocurrencies in KSA. This is shown, for instance, in the fact that there are no penalties on transacting with cryptocurrencies, and that existing crypto-exchanges in KSA have faced minimal regulatory scrutiny.

There is no official classification of Blockchain Assets in KSA. In practice, the approach divides cryptocurrencies and NFTs. Banks are banned from dealing with the former, whereas the latter have been promoted by Saudi Arabian regulators and are not subject to the ban. 

There are no specific regulations on issuing blockchain assets in KSA. 

To date, there is no regulation applicable to blockchain asset trading platforms in KSA. However, it is expected that this will change sooner rather than later due to the hiring of the virtual assets and CBDC lead in 2022. There are a number of cryptocurrency exchanges focused in the Middle East region that are also available in Saudi Arabia. 

There are no specific regulations on funds investing in blockchain assets. 

Public funds can only invest in investments set out in the regulations, none of which include blockchain assets. Private funds may invest in any types of assets, however, the restrictions on cryptocurrency transactions may impact the possibility of these types of investments. This would not be the case for investments dealing with NFTs, which are treated differently in practice by the regulators.

The different approaches taken by the regulators on the differences between virtual currencies and blockchain assets can be seen in the treatment initially given to cryptocurrencies, KSA’s use of NFTs and the experiments performed by Saudi Arabia in testing CBDCs. 

There is currently no regulation in KSA in respect of decentralised finance platforms.

Currently, KSA has no regulation in respect of NFTs. However, the NFT industry has demonstrated exponential growth potential since 2021, and the Saudi Arabian government has been promoting NFTs through multiple actions, the latest being the Memorandum of Understanding signed with The Sandbox, the platform of which is NFT-focused. Considering this, it is likely that KSA will introduce regulation on NFTs and blockchain assets in the near future.

SAMA strongly supports open banking as it “enables customers to securely share their data with a third party, which opens the way for the innovation and provision of new financial services towards innovation and financial inclusion”. 

Accordingly, SAMA adopted an open banking policy in January 2021 to nurture open-banking expansion.

At present, SAMA is working with participants in the financial sector, such as banks and fintechs, to build an integrated ecosystem and, as part of the SAMA Sandbox, various fintechs have been licensed to provide open banking services. 

SAMA expects that open-banking will benefit customers by enabling bespoke products related to consumption patterns, and the entire ecosystem by increasing competition among market players. Open banking will also increase competition among providers, thereby promoting a competitive run on better services and pricing for consumers.

As part of this fostering exercise for open banking, SAMA is currently revising the PSP Regulation to include provisions enacting the Open Banking Framework.

The Open Banking Lab

Stakeholders operating within the boundaries of the Open Banking Lab promoted by SAMA are well positioned to ensure compliance with data privacy and security concerns. SAMA thoroughly assesses risks associated with security and data privacy and provides continuous support to innovators to ensure that the highest standards are met. 

As part of the Open Banking Lab, SAMA identified technological standards that gold-plate international best practices with the aim of creating an interoperable and secure ecosystem.

Notably, these standards and guidelines pursue the goal of giving control over data to customers, thus providing technical features for processing data that are prone to compliance with the applicable regulatory framework.

From this perspective, the current challenge within the boundaries of the Open Banking Lab comes rather from a technological and infrastructural perspective, as financial companies are required to update their infrastructure to the new requirements of open banking. This is an enormous assignment considering the fundamental differences between closed-banking and open-banking models and the implications of the two different approaches on the infrastructures supporting them.

Open Finance

Regulatory burdens that might need additional intervention from the competent authorities will be triggered once open banking evolves into open finance, where other financial institutions (eg, insurance providers, pension and investment funds, credit institutions, e-money institutions, etc) besides banks will develop innovative use cases based on exchanging data. In this context, as data will not pertain to the same business environment and will likely be subject to different regulations, regulators and innovators will need to co-operate to identify the applicable regulatory framework and round off the corners of each vertical to ensure interoperability and compatibility of the data flow.

In October 2022, SAMA issued the Counter-Fraud Framework, a set of principle-based rules that apply to SAMA-regulated entities, with the purpose of identifying and addressing fraud-related risks.

The main objectives of the Counter-Fraud Framework are:

• to establish a unified strategy for managing fraud risks across the SAMA-regulated entities;
• to attain a suitable level of fraud control maturity within the SAMA-regulated entities; and
• to guarantee the effective management of fraud risks across the SAMA-regulated entities.

Fraud is defined in the Counter-Fraud Framework as “any act that aims to obtain an unlawful benefit or cause loss to another party. This can be caused by exploiting technical or documentary means, relationships or social means, using functional powers, or deliberately neglecting or exploiting weaknesses in systems or standards, directly or indirectly”. Given this definition, the components of fraud under the framework are:

• intent – fraud involves a deliberate intention;
• unlawful gain or loss – the purpose of the act must be to secure a benefit or to cause harm financially or otherwise to someone else; and
• manner of execution – the fraudulent action can be executed through various mechanisms and either directly by the individual involved or indirectly using different intermediaries.

The Counter-Fraud Framework intends to ensure SAMA-regulated entities have strong anti-fraud risk management procedures across four domains:

• Governance – the Counter-Fraud Framework introduces principles that apply to the SAMA-regulated entities’ governance structure, strategy, policies, use of technology and intra-organisation roles.
• Prevention – the framework covers risk management, due diligence measures, training and awareness, authentication, alignment of fraud, financial crime and cybersecurity, and prevention standards.
• Detection – the framework includes standards and principles for fraud detection, monitoring and whistleblowing.
• Response – SAMA-regulated entities must comply with fraud response plan principles, alert and case management, investigation and fraud remediation.

The Counter-Fraud Framework addresses the following examples of fraud as a non-exhaustive list to be considered by the SAMA-regulated entities when implementing the framework:

• Social engineering – including as examples, capture of customer credentials, investment scams, purchase scams, invoice scams, and advance fee scams.
• Account takeover – including as example, gaining access to a customer product or device to control assets or transact.
• Impersonation – including as examples, obtaining personal information to use for own benefit, assuming the identity of another to access products, and impersonating a government body to obtain customer information.
• Internal fraud – including as examples, misappropriation of assets procurement fraud, theft of assets or cash, theft of intellectual property, falsification of information, unauthorised passing of information to third parties, false expense claims, abuse of authority, collusion, use of organisation assets for own gain and diversion of funds.
• Accounting fraud – including as examples, concealment, false invoicing, payroll fraud, improper revenue recognition, overstatement of assets, understatement of liabilities, customer overbilling, treasury and investment fraud.
• Application fraud – including as examples, failing to disclose information, falsification of information, and providing false documents.
• Wholesale payment endpoint security fraud.
• Banking and payment products – including as examples, credit/debit card fraud, online or mobile app payment fraud, cheque fraud, ATM fraud, and mule fraud.
• Credit and lending products – including as examples, mortgage fraud and loan fraud.