Our Team recently contributed to the Legal500 Country Comparative Guides. We are pleased to be an exclusive contributor to the 2024 Country Comparative Guide for Saudi Arabia – Fintech.
Read the country guide below or you may access the article here
1. What are the sources of payments law in your jurisdiction?
In Saudi Arabia, the regulatory landscape for payments is primarily defined by the Saudi Central Bank (“SAMA”), overseeing a wide spectrum of financial activities. This includes establishing policies related to monetary and financial stability, traditional and digital banking practices, insurance, payments, money exchanges, credit bureaus, and various other financial services that do not fall under the classification of security products.
The main legislation issued by SAMA are the Laws of Payments and Payment Services (2022) and the Implementing Regulations for the Laws of Payments and Payment Services (2023).
Ancillary provisions relevant to payments are issued by the Capital Market Authority (“CMA”) which exercises regulatory powers on security products and services. These encompass activities such as dealing, arranging, managing, advising, and custody of securities, as well as other activities within the capital market domain. Notable examples include the regulation of investment platforms, equity crowdfunding, robo-advisers, and similar capital market-related functions.
Finally, provisions also relevant for compliance of payment infrastructures are set forth by the Communications, Space and Technology Commission (CST).
2. Can payment services be provided by non-banks, and if so, on what conditions?
In Saudi Arabia, non-bank entities, particularly fintechs, can provide payment services within the regulatory framework set forth by SAMA and CMA.
SAMA issues licenses for different financial services, and compliance depends on the nature of the fintech’s service offerings. SAMA’s catalogue of regulated services includes enabling funds to be deposited on a payment account, enabling cash withdrawals from payment accounts, execution of payment transactions, issuing of payment instruments, acquiring payee transactions, issuing e-money (opening e-wallets or otherwise), payment initiation services, payment account information services and the recently added aggregated payment services and payment account services as well as any other service that SAMA may decide to consider as a payment service.
In instances where a fintech’s activities do not align with any existing licenses, reporting to SAMA is required, especially considering the open-ended list of regulated services. Furthermore, regulatory constraints may impose that different business verticals are carried out with distinct vehicles, especially where provisions on capital adequacy and protection of customers’ funds apply.
For activities related to securities, CMA oversees matters, including the usage of distributed ledger technologies for arranging and offering securities, custody services, or managing investment and real estate funds distribution platforms.
In cases involving overlapping activities, both SAMA and CMA may exercise regulatory powers.
Specific conditions and provisions govern fintechs’ payment services, covering aspects such as consumer protection, lending, additional paid features, deferral of payment, fee restrictions, card services, QR code payments, and incentives policies. Notably, SAMA requires fintechs to disclose to consumers details of fees, charges, and commissions, and to notify them in advance of any changes in fees or charges, including those imposed by a third party. Thresholds for credit limits and late payment fees are also in place to protect cardholders.
Under the CMA’s instructions, fintechs should not persuade any customer to complete any transactions by offering gifts or incentives. Considering the importance of prize-giving operations in the digital economy, fintechs planning such actions should cautiously assess their marketing operations to ensure compliance.
Also, third-party services supporting fintechs may need to comply with relevant terms, typically through contractual arrangements rather than direct regulatory intervention.
3. What are the most popular payment methods and payment instruments in your jurisdiction?
The payment scene is dominated by debit and credit cards as widely used instruments for making electronic transactions, offering a convenient and direct way to access funds in bank accounts. Electronic means and IoT have made the payment experience smoother and frictionless. Especially, e-wallets are increasingly popular and continue to drive the rise of the fintech economy. QR code payments have also gained popularity in the past years, allowing users to scan codes for swift and contactless transactions. Lately, consumers have increasingly adopted “buy now, pay later” (BNPL) solutions.
4. What is the status of open banking in your jurisdiction (i.e. access to banks’ transaction data and push-payment functionality by third party service providers)? Is it mandated by law, if so, to which entities, and what is state of implementation in practice?
In January 2021, SAMA officially announced the release of the open banking policy, outlining a vision for Saudi Arabia and the steps to achieve it. SAMA strongly supports open banking and expects that open banking will benefit customers by enabling bespoke products based on consumption patterns and by increasing competition among market players.
At present, SAMA is working with participants in the financial sector to build an integrated ecosystem, and various fintechs have been licensed to provide open banking services. As part of this fostering exercise for open banking, SAMA has recently refreshed its regulations with the view of enabling open banking. Notably, the Implementing Regulations for the Laws of Payments and Payment Services (2023) provide that Payment Service Providers must enable access to their payment services in accordance with the decisions and instructions related to open banking issued by SAMA. This clearly demonstrates SAMA’s intention to implement open-banking at a systemic level in the financial industry.
From an operational and business perspective, open banking in Saudi Arabia is undergoing technical and infrastructural adaptation. As open banking involves an integration layer atop existing banking infrastructure, legacy players are currently shifting from centralized and closed infrastructures to distributed and open infrastructure to enable this paradigmatic shift. As market players in the financial services heavily rely on datasets held by legacy players, the delivery of their own solutions is dependent on the completion of the technological renovation by traditional institutions. From this perspective, considering the interconnected nature of the services underpinning open banking, all stakeholders will need to coordinate with each other to ensure that there is no gap in the delivery chain of financial services.
5. How does the regulation of data in your jurisdiction impact on the provision of financial services to consumers and businesses?
The recently adopted Personal Data Protection Legislation (PDPL) and its implementing regulations will significantly influence the landscape of financial services in Saudi Arabia. Although SAMA has always emphasized the importance of secure processing of customers’ personal data, aligning with general data protection principles, the impact of the PDPL will be much more systematic. Saudi Arabia has adopted a regulatory framework which resembles the GDPR, in terms of principles and complexity. Consequently, businesses falling under its scope of application will have to undergo significant compliance exercises.
The PDPL mandates businesses to prioritize the security and privacy of personal data and implement robust security measures preventing unauthorized access, disclosure, or breaches of personal data.
The PDPL strongly limits the availability of legal bases other than consent for processing activities that are rather common among financial institutions. Consequently, businesses will have to revise their data collection policies to avoid implementing hostile UX by bombarding users with requests for consent.
To achieve this goal, businesses will have to abide by the key principles of the PDPL. Namely, by leveraging the data minimization principle, businesses should be able to reduce their compliance burden to a set of personal data that is indeed limited to the necessary.
Furthermore, financial service providers must inform customers about the data processing activities with appropriate privacy policies and ensure that customers can exercise their rights, including access, rectification, erasure, portability, et alia.
It can be expected that SAMA will continue to support businesses also under the new PDPL, in a joint effort with the competent data protection authority (SDAIA). Further guidance from SDAIA and SAMA is expected with respect to the processing of personal data in the context of financial services.
6. What are regulators in your jurisdiction doing to encourage innovation in the financial sector? Are there any initiatives such as sandboxes, or special regulatory conditions for fintechs?
SAMA is actively supporting innovation in the financial sector as a key element in shaping Saudi Arabia’s evolving economic landscape. Cooperation with financial sector stakeholders is a central aspect of SAMA’s strategy, aiming to establish a cohesive and integrated ecosystem. This approach not only elevates the competitiveness and sophistication of the financial sector but also contributes to the broader growth of the Saudi economy as an attracting factor for international players.
Open consultation is also an effective mechanism adopted by SAMA to engage stakeholders and gather their input before the issuance of binding regulations. This has proved helpful to align the risks and needs of offerings of financial services.
In addition, SAMA and CMA have each introduced a regulatory sandbox environment serving as a testament to the authorities’ commitment to encouraging innovation in the financial sector. These sandbox models provide a controlled environment for financial entities to test and develop innovative solutions.
As part of Vision 2030, SAMA introduced the SAMA Sandbox in early 2018, a regulatory environment designed to accommodate novel business concepts lacking a clear regulatory framework. The SAMA Sandbox enables traditional financial institutions and fintech companies to test an innovative financial product and/or service in the market with real consumers within a defined period and subject to stringent controls. Within the SAMA Sandbox, innovators may require waivers of certain usual requirements for license applications to facilitate the experimental phase. This sandbox is open for applications from both established entities and fintech startups proposing (i) new digital business concepts; and/or (ii) non-regulated technology which are not currently covered under existing SAMA regulations.
For innovators not yet licensed by SAMA, including overseas companies, the application process is facilitated by partnering with a licensed firm or obtaining specific permission from SAMA.
In parallel, the CMA launched an initiative in 2018, the FinTech Lab, implementing a simplified regulatory framework, known as the CMA Sandbox, to attract innovative business models and emerging technologies in capital markets. Under this framework, innovators can obtain a “Fintech ExPermit” to experiment with their products.
Thes process for such applications, involves meeting specific requirements related to personal capacity and the features of the proposed innovative solution.
7. Do you foresee any imminent risks to the growth of the fintech market in your jurisdiction?
While the fintech market in Saudi Arabia is experiencing rapid growth, there are potential risks that could impact its trajectory.
One notable risk is the need for comprehensive regulatory frameworks to keep the pace with evolving technologies and business models. So far, the regulators have been effectively supportive of the business and have adopted a competent and prompt approach to resolve blocking issues and uncertainty.
Additionally, cybersecurity threats pose a significant risk to the fintech sector. As financial services increasingly rely on digital platforms, the industry becomes more susceptible to cyberattacks. Ensuring robust cybersecurity measures is crucial to maintaining trust and safeguarding sensitive financial data.
From another perspective, the adoption of fintech services depends on the willingness of consumers and business to embrace digital financial solutions. Overcoming resistance to change and building trust in new technologies are ongoing challenges.
Furthermore, the competitive landscape and the ability of traditional financial institutions to adapt to technological advancements could impact the fintech market. Collaboration between fintechs and incumbents, as well as addressing potential market concentration, will be crucial for sustained growth.
Finally, the potential introduction of a Central Bank Digital Currency (CBDC) raises complex issues, notably regarding interoperability with the existing landscape, both regionally and internationally.
8. What tax incentives exist in your jurisdiction to encourage fintech investment?
Currently, there are no tax incentives in Saudi Arabia specific to investments and fintech.
9. Which areas of fintech are attracting investment in your jurisdiction, and at what level (Series A, Series B etc)?
CMA and SAMA reported that the predominant fintech verticals in the past years were:
- payments and currency exchanges;
- private fundraising;
- business tools and provision of information;
- lending and finance;
- capital markets;
- personal finance and treasury management;
- insurance;
- infrastructure;
- digital banking; and
- regulation and risk management.
Investment rounds span across a broad array: from friends and family rounds to Series C, the investment scene in the fintech market in Saudi Arabia is certainly dynamic.
10. If a fintech entrepreneur was looking for a jurisdiction in which to begin operations, why would it choose yours?
Choosing Saudi Arabia for fintech operations can be attractive for several reasons:
- the introduction of the regulatory sandboxes provides a controlled environment for testing new concepts and products, and ongoing initiatives and it showcases progressive financial services regulations;
- a distinctive feature of the Saudi Arabian financial market is also the tech-savvy and young population which contributes to consumers’ demands for innovative and seamless services;
- Saudi Arabia’s geographical location provides a strategic advantage for fintech entrepreneurs looking to operate in the Middle East and beyond;
- Saudi Arabia is investing in digital infrastructure, including advanced payment systems and telecommunications; and
- Fintech entrepreneurs may find access to funding and investment opportunities through various channels (including crowdfunding) and benefit from the overall excitement spread among the country for its growing economy.
11. Access to talent is often cited as a key issue for fintechs – are there any immigration rules in your jurisdiction which would help or hinder that access, whether in force now or imminently? For instance, are quotas systems/immigration caps in place in your jurisdiction and how are they determined?
Saudization policy, known as Nitaqat, has been in effect since 1985, requiring the hiring of Saudi nationals on a quota basis for companies operating within Saudi border. Recently, the Saudi government updated this policy to better align with their Vision 2030 program goals. The Ministry of Human Resources and Social Development (MOHRSD) have released effective target dates and rates of employment ranging from 25% to 40% that must be met by March 2024. The minimum quotas vary by industry and are updated regularly.
12. If there are gaps in access to talent, are regulators looking to fill these and, if so, how? How much impact does the fintech industry have on influencing immigration policy in your jurisdiction?
Local talent has been playing a vital role in the progression of the fintech industry in Saudi Arabia. The local talent’s contribution to innovation in the fintech sector has been outstanding, supporting the growth of Saudi-born fintech projects with potential to grow in the region leveraging on their cross-border experience. Specific international know-how is obtained on specific matters, however there are no concerns in respect to access to talent in the Saudi market
13. What protections can a fintech use in your jurisdiction to protect its intellectual property?
The protection of IP in Saudi Arabia is aligned with global standards. The Kindgom recognizes the protection of trademarks, patents, copyrights, and industrial designs. Saudi Arabia has ratified the Berne Convention for the Protection of Literary and Artistic Works of 1886, revised in Paris on 24 July 1971, the Paris Convention for the Protection of Industrial Property of 1883, and the Patent Cooperation Treaty (PCT).
The Saudi Authority for Intellectual Property (“SAIP”) is the competent authority for the protection of IP and it sets forth a clear procedure to file applications.
Finally, the SAIP recently issued a draft legislation on IP to refresh the Saudi framework on intellectual property with the view of fostering innovation in the economy and updating the framework to cope with the changed circumstances in the market, including the advent of AI and the issues related to training phases.
14. How are cryptocurrencies treated under the regulatory framework in your jurisdiction?
Saudi Arabia has a neutral approach towards cryptocurrencies: it does not openly support them, but it does not totally block them either. In practice, there are cryptocurrency exchanges providing services to Saudi Arabian nationals and residents and there is an increased use and trading of cryptocurrencies in Saudi Arabia. For instance, existing crypto exchanges in Saudi Arabia have faced minimal regulatory inspection.
It is expected that, in the short-term, Saudi Arabia will issue specific regulations that allow legal certainty in respect of cryptocurrency exchanges’ activities.
At present, there are no specific regulations pertaining to cryptocurrencies in Saudi Arabia. However, SAMA has been experimenting through the launch of Project Aber, a collaboration between SAMA and the Central Bank of the United Arab Emirates (CBUAE). SAMA and CBUAE explored through this project whether distributed ledger technology can enable cross-border payments between the two countries with a jointly issued digital currency. It remains to be seen whether SAMA will issue any clear guidance on cryptocurrencies.
15. How are initial coin offerings treated in your jurisdiction? Do you foresee any change in this over the next 12-24 months?
ICO’s in general are still flagged by Saudi regulators as high-risk businesses with unknown exposures. We suspect that ICO’s may become supported once risks become clearly mapped and it is possible to be addressed adequately in regulation.
16. Are you aware of any live blockchain projects (beyond proof of concept) in your jurisdiction and if so in what areas?
The use of blockchain has significantly increased since the first glimpses of it back in 2017 and 2018. The list below shows examples of developments in the use of blockchain which have revolutionized the legacy financial system in Saudi Arabia:
- 2017: Al Rajhi Bank completed the first cross-border money transfer (from Saudi Arabia to Jordan), using Ripple. This was reportedly the first use of the technology by a bank in Saudi Arabia.
- 2018: Saudi Arabia placed a ban on banks processing transactions related to cryptocurrencies. This same year, SAMA and Ripple joined forces to improve the local banking settlement system with blockchain.
- 2019: A joint central bank digital currency (CBDC) between SAMA and the Central Bank of the United Arab Emirates (CBUAE) was launched. In late 2019, the Saudi British Bank (SABB) and HSBC announced that they had used blockchain to issue a letter of credit using R3’s Corda system.
- 2020: SAMA announced the deployment of blockchain technology to inject liquidity into the banking sector. At the end of 2020, SAMA and CBUAE published a final report declaring the CBDC experiment a success.
- 2021: SABB announced it was using Ripple to launch an instant cross-border transfer service for the US Corridor.
- 2022: SAMA appointed its first virtual assets and CBDC programme lead. Al Rajhi Bank announced a partnership with Contour for a cross-border digital trade solution for letters of credit. Additionally, the Saudi Ministry of Tourism and the Saudi Tourism Authority announced the creation of non-fungible tokens (NFTs).
- 2023: In early 2023, SAMA announced that it would continue experimenting on a local wholesale CBDC, and a partnership between Saudi Arabia and The Sandbox (a decentralised virtual gaming world) was announced.
17. To what extent are you aware of artificial intelligence already being used in the financial sector in your jurisdiction, and do you think regulation will impede or encourage its further use?
AI is increasingly making its presence felt in the financial sector in Saudi Arabia, contributing to the development of innovative fintech solutions. In the past years, algorithmic trading and robo-advisory paved the way for the advent of a broader adoption of AI in the financial sector.
Recent regulation and soft law will encourage using AI in the financial sector. The Saudi Data and Artificial Intelligence Authority, which oversees supervising compliance with Saudi Arabia’s Personal Data Protection Law and of defining the data and AI strategy and framework in Saudi Arabia, issued guidelines on AI which will act as catalyst for the development of AI solutions that are aligned with the local economy and values. As opposed to the hard law provisions adopted in the European Union, Saudi Arabia seems to be following a more business-friendly approach to foster innovation while setting forth guiding principles.
18. Insurtech is generally thought to be developing but some way behind other areas of fintech such as payments. Is there much insurtech business in your jurisdiction and if so what form does it generally take?
Insurtech is gaining momentum in Saudi Arabia, with SAMA recently approving a comprehensive set of rules to guide the sector. As part of its efforts to enhance the insurance sector, Saudi Arabia is in the process of establishing an insurance authority to regulate and enforce the new framework. Established insurance companies are also integrating new technologies, particularly in underwriting, adhering to SAMA’s outsourcing rules for third-party collaborations.
The recent regulatory initiative signifies the Kingdom’s commitment to enhancing development in the Insurtech landscape.
19. Are there any areas of fintech that are particularly strong in your jurisdiction?
Several fintech and payment institutions have already established a strong presence in the market in Saudi Arabia with a specific focus a broad range of payment solutions, including money transfers, mobile payments, and e-commerce platforms.
20. What is the status of collaboration vs disruption in your jurisdiction as between fintechs and incumbent financial institutions?
In Saudi Arabia, the landscape between fintechs and incumbent financial institutions involves a significant display of collaboration rather than disruption. SAMA encourages collaboration between traditional financial institutions and fintechs. The aim is to enhance financial services and innovations. SAMA’s initiatives, including the regulatory sandbox, provide a platform for both established financial players and fintech startups to work together in testing innovative solutions.
21. To what extent are the banks and other incumbent financial institutions in your jurisdiction carrying out their own fintech development / innovation programmes?
Banks and other incumbent financial institutions in Saudi Arabia are actively engaged in fintech development and innovation. Generally, their involvement is in a capacity as traditional financial institutions but there are growing trends of in-house development of fintech offerings.
22.Are there any strong examples of disruption through fintech in your jurisdiction?
The fintech ecosystem in Saudi Arabia is experiencing rapid emergence of several unicorns and profitable companies. The disruption initiated by digital payments is now fully accomplished and the next phase of disruption will likely be powered by automated services, including robo-advisory powered by AI, and welfare management. The latter is a particularly ‘hot’ market considering the high demand for welfare services by younger generations and expats.