AML/CFT Compliance for Digital Assets: CMA and SAMA Joint Requirements

Saudi Arabia's joint CMA-SAMA AML/CFT framework for digital assets imposes enhanced due diligence, travel rule compliance, and blockchain analytics requirements on all licensed digital asset entities — with 4 enforcement actions and SAR 8.2 million in penalties issued through Q1 2026.

Saudi Arabia’s AML/CFT framework for digital assets is jointly administered by the CMA and SAMA, creating a dual-regulatory compliance obligation for licensed digital asset entities. The framework, aligned with FATF Recommendations 15 and 16 (the “travel rule”), requires enhanced due diligence for digital asset transactions, mandatory blockchain analytics deployment, and suspicious transaction reporting through Saudi Arabia’s Financial Intelligence Unit (SAFIU). Four enforcement actions totaling SAR 8.2 million have been issued through Q1 2026.

Regulatory Architecture

The CMA and SAMA divide AML/CFT oversight for digital assets based on activity type:

CMA jurisdiction: AML/CFT compliance for digital asset securities activities including issuance, trading, custody, and advisory services. All entities licensed under the CMA Digital Assets Regulatory Framework report to CMA for AML/CFT purposes.

SAMA jurisdiction: AML/CFT compliance for payment tokens, digital currency activities, and fintech payment services. Entities licensed under SAMA’s fintech regulations report to SAMA.

Joint jurisdiction: Entities holding both CMA and SAMA authorizations must comply with both sets of requirements and report to both regulators. The CMA-SAMA Joint Digital Assets AML/CFT Committee, established in Q2 2025, coordinates supervisory activity to minimize duplication.

Customer Due Diligence Requirements

Standard CDD for Digital Asset Clients

All digital asset entities must conduct CDD including:

  • Identity verification using Saudi national ID (Absher system) for Saudi nationals, or passport verification with liveness check for non-nationals
  • Beneficial ownership identification for corporate clients (ownership threshold: 25%)
  • Source of funds verification for initial deposits exceeding SAR 50,000
  • Purpose of digital asset activity assessment
  • Ongoing monitoring of transaction patterns against the client’s declared activity profile

Enhanced Due Diligence Triggers

Enhanced due diligence (EDD) is mandatory for:

  • Politically exposed persons (PEPs) and their associates
  • Clients from FATF-listed jurisdictions (grey list or black list)
  • Transactions involving privacy-enhancing protocols or mixing services
  • Wallet addresses previously associated with sanctioned entities
  • Single transactions exceeding SAR 200,000
  • Cumulative monthly transactions exceeding SAR 500,000
  • Cross-chain transactions where the origin chain has limited transparency

EDD measures include:

  • Senior management approval for the client relationship
  • Enhanced source of funds documentation (bank statements, asset declarations)
  • Increased transaction monitoring frequency (daily versus weekly for standard CDD clients)
  • Annual relationship review (versus biennial for standard CDD clients)

Travel Rule Implementation

Saudi Arabia implemented FATF Recommendation 16 (the travel rule) for digital asset transfers effective January 2025. All licensed entities must supply the following travel rule data:

Originator Information (transfers above SAR 3,750):

  • Full name of the originator
  • Originator’s account number or wallet address
  • Originator’s physical address, national identity number, or date and place of birth

Beneficiary Information:

  • Full name of the beneficiary
  • Beneficiary’s account number or wallet address

Technical Implementation: The CMA has approved two travel rule technology solutions:

  1. TRISA (Travel Rule Information Sharing Architecture) — The default solution recommended by CMA, supporting both on-chain and off-chain information sharing
  2. OpenVASP — Approved as an alternative for entities with existing OpenVASP deployments

Licensed entities must be capable of exchanging travel rule data with counterparties in all FATF member jurisdictions. For transfers to jurisdictions without travel rule implementation, enhanced due diligence on the receiving entity is required.
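
The field requirements listed above can be checked before a transfer is released. The following is an added example, not code from the CMA, TRISA, or OpenVASP: the `Party` record layout and field names are hypothetical, and it assumes the SAR 3,750 threshold applies to the originator block only (as the page lists it) while beneficiary data is checked on every transfer.

```python
from dataclasses import dataclass
from decimal import Decimal

ORIGINATOR_THRESHOLD_SAR = Decimal("3750")  # page: originator data for transfers above this

@dataclass
class Party:  # hypothetical record layout, not a TRISA or OpenVASP schema
    full_name: str = ""
    account_or_wallet: str = ""
    physical_address: str = ""
    national_id: str = ""
    date_of_birth: str = ""
    place_of_birth: str = ""

def _has(value: str) -> bool:
    return bool(value and value.strip())

def missing_fields(amount_sar: Decimal, originator: Party, beneficiary: Party) -> list[str]:
    """Return the travel rule fields still missing; an empty list means complete."""
    missing = []
    # The beneficiary block carries no threshold on the page, so it is always checked.
    if not _has(beneficiary.full_name):
        missing.append("beneficiary.full_name")
    if not _has(beneficiary.account_or_wallet):
        missing.append("beneficiary.account_or_wallet")
    if amount_sar > ORIGINATOR_THRESHOLD_SAR:  # "above", so exactly 3,750 is exempt
        if not _has(originator.full_name):
            missing.append("originator.full_name")
        if not _has(originator.account_or_wallet):
            missing.append("originator.account_or_wallet")
        # One of: physical address, national ID, or date AND place of birth together.
        birth = _has(originator.date_of_birth) and _has(originator.place_of_birth)
        if not (_has(originator.physical_address) or _has(originator.national_id) or birth):
            missing.append("originator.identifier")
    return missing

# Constructed sample: a date of birth without a place of birth is not a valid identifier.
SAMPLE_ORIGINATOR = Party("A. Example", "wallet-orig-001", date_of_birth="1990-01-01")
SAMPLE_BENEFICIARY = Party("B. Example", "wallet-bene-001")
```
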

Unhosted Wallet Transfers

Transfers to or from unhosted (self-custody) wallets face additional requirements:

  • Transfers to unhosted wallets: Permitted only for the account holder’s own verified wallets. The entity must verify wallet ownership through a signed message or micro-transaction test.
  • Transfers from unhosted wallets: Subject to enhanced source-of-funds verification for amounts exceeding SAR 15,000. Blockchain analytics must be performed to assess the wallet’s transaction history for sanctions exposure.

Blockchain Analytics Requirements

All licensed digital asset entities must deploy blockchain analytics tools capable of:

  • Sanctions screening: Real-time screening of all wallet addresses against OFAC SDN, UN Security Council, and Saudi-specific sanctions lists
  • Risk scoring: Transaction-level risk scoring based on counterparty wallet history, exposure to high-risk services (mixers, darknet markets, gambling platforms), and jurisdictional risk
  • Clustering analysis: Identification of related wallets controlled by the same entity or individual
  • Cross-chain tracking: Monitoring of assets that traverse multiple blockchain protocols, including bridge protocols and decentralized exchanges
  • Pattern recognition: Detection of structuring (splitting large transactions to avoid reporting thresholds), rapid movement patterns, and unusual trading activity

The CMA has approved three blockchain analytics providers for use by Saudi-licensed entities: Chainalysis, Elliptic, and Crystal Blockchain. Entities may use additional providers subject to CMA technical assessment.
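
The pattern-recognition requirement above can be illustrated against the page's own EDD thresholds (single transactions exceeding SAR 200,000, cumulative monthly transactions exceeding SAR 500,000). This is an added example, not an approved provider's logic: the 10% "near threshold" margin, the 48-hour window, the minimum of three transfers, and the transaction data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

SINGLE_TX_EDD_SAR = Decimal("200000")  # page: single-transaction EDD trigger
MONTHLY_EDD_SAR = Decimal("500000")    # page: cumulative monthly EDD trigger
NEAR_MARGIN = Decimal("0.10")          # assumption: "just below" means within 10%
WINDOW = timedelta(hours=48)           # assumption: rolling look-back window
MIN_SPLITS = 3                         # assumption: near-threshold transfers needed

# Constructed sample for one client: (ISO timestamp, amount in SAR).
SAMPLE_TXS = [
    ("2026-01-10T09:00:00", "195000"),
    ("2026-01-10T15:00:00", "190000"),
    ("2026-01-11T10:00:00", "198000"),
    ("2026-01-20T12:00:00", "12000"),
    ("2026-02-03T08:30:00", "250000"),
]

def review_flags(txs):
    """Return sorted (kind, period) flags for one client's transfers."""
    parsed = sorted((datetime.fromisoformat(ts), Decimal(amt)) for ts, amt in txs)
    flags = set()
    monthly = defaultdict(Decimal)
    for when, amt in parsed:
        if amt > SINGLE_TX_EDD_SAR:
            flags.add(("single", when.date().isoformat()))
        monthly[when.strftime("%Y-%m")] += amt
    for month, total in monthly.items():
        if total > MONTHLY_EDD_SAR:
            flags.add(("monthly", month))
    # Structuring heuristic: several transfers at or just under the
    # single-transaction trigger inside one rolling window.
    floor = SINGLE_TX_EDD_SAR * (1 - NEAR_MARGIN)
    near = [(w, a) for w, a in parsed if floor <= a <= SINGLE_TX_EDD_SAR]
    start = 0
    for end in range(len(near)):
        while near[end][0] - near[start][0] > WINDOW:
            start += 1
        if end - start + 1 >= MIN_SPLITS:
            flags.add(("structuring", near[start][0].date().isoformat()))
    return sorted(flags)
```

In the sample, no January transfer exceeds the single-transaction trigger, yet the client is still flagged twice: once by the cumulative monthly trigger and once by the near-threshold cluster.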

Suspicious Transaction Reporting

Licensed entities must file Suspicious Transaction Reports (STRs) with SAFIU within 24 hours of identifying suspicious activity. The CMA has published 12 digital asset-specific red flag indicators:

  1. Transactions with wallet addresses previously identified in ransomware or fraud cases
  2. Rapid conversion of tokenized securities into stablecoins or fiat currency following purchase
  3. Multiple accounts opened using similar KYC documentation within a short period
  4. Transactions involving privacy coins or mixing services
  5. Unusual concentration of tokenized securities in a single wallet followed by rapid distribution
  6. Trading patterns inconsistent with the client’s declared investment strategy
  7. Cross-border transfers to jurisdictions with weak AML/CFT frameworks immediately following domestic digital asset acquisition
  8. Structured transactions designed to remain below reporting thresholds
  9. Use of multiple intermediaries or layered transactions without clear economic purpose
  10. Client resistance to providing enhanced due diligence documentation
  11. Transactions involving known sanctioned jurisdictions through intermediary wallets
  12. Smart contract interactions with DeFi protocols designed to obscure transaction origins

SAFIU received 342 digital asset-related STRs in 2025, a 280% increase from 2024. The increase reflects both growing digital asset activity and improved detection capabilities among licensed entities.

Record-Keeping Requirements

Licensed entities must retain all AML/CFT records for a minimum of 10 years:

  • Client identification and verification documents
  • Transaction records including blockchain transaction hashes and associated metadata
  • Travel rule correspondence with counterparty entities
  • Blockchain analytics reports and risk assessments
  • STR filings and supporting documentation
  • Internal compliance reviews and audit reports

Records must be stored in Saudi Arabia and available for CMA or SAFIU inspection within 24 hours of request. Blockchain transaction records must include both on-chain data and any off-chain supplementary information used in the compliance decision process.

Enforcement Track Record

Four AML/CFT enforcement actions related to digital assets through Q1 2026:

| Date | Entity Type | Violation | Penalty |
|---|---|---|---|
| Q2 2025 | Digital asset exchange | Failure to implement travel rule | SAR 3.0M |
| Q3 2025 | Custody provider | Inadequate blockchain analytics | SAR 2.2M |
| Q4 2025 | Advisory firm | Missing EDD for PEP client | SAR 1.5M |
| Q1 2026 | Trading platform | Late STR filing (72 hours vs. 24 hours) | SAR 1.5M |

The escalating frequency of enforcement actions reflects the CMA’s increasing supervisory capacity for digital asset AML/CFT compliance. The CMA has hired 15 additional staff with blockchain analytics expertise since Q1 2025, bringing the total Digital Assets Supervision team to 35 members.

International Coordination

Saudi Arabia participates in several international AML/CFT coordination mechanisms for digital assets:

  • FATF Virtual Assets Contact Group — Saudi representatives contribute to global virtual asset regulatory standards
  • Egmont Group — Financial intelligence sharing with 166 member FIUs for digital asset-related cases
  • GCC Financial Crime Task Force — Regional coordination with UAE, Bahrain, Qatar, Kuwait, and Oman on cross-border digital asset money laundering
  • Bilateral agreements — Enhanced information sharing arrangements with the US (FinCEN), UK (NCA), and Singapore (STRO) specifically covering digital asset financial crime

The FATF Mutual Evaluation of Saudi Arabia, conducted in 2024, rated the Kingdom’s digital asset AML/CFT framework as “largely compliant” with FATF standards, noting the travel rule implementation and blockchain analytics requirements as areas of strength while recommending enhanced supervision of unhosted wallet transfers.

Compliance Cost Analysis

The AML/CFT compliance burden for licensed digital asset entities includes several recurring cost categories:

Blockchain Analytics Licensing: Annual subscription costs for CMA-approved analytics platforms range from SAR 200,000 to SAR 800,000 depending on transaction volume and feature requirements. Chainalysis, the most widely deployed platform among Saudi licensees, charges approximately SAR 500,000 annually for a mid-tier license.

Compliance Staffing: The CMA requires a minimum of 2 dedicated AML/CFT compliance officers for digital asset entities, with at least one holding a certified anti-money laundering specialist (CAMS) qualification. Fully-loaded annual cost for a compliance team meeting CMA standards: SAR 600,000-1,200,000.

Travel Rule Infrastructure: Implementation of TRISA or OpenVASP travel rule technology requires SAR 150,000-400,000 in initial deployment costs and SAR 50,000-100,000 in annual maintenance. Integration with the entity’s existing KYC systems adds complexity for entities operating both conventional and digital asset services.

Training: Annual AML/CFT training for all staff is mandatory, with digital asset-specific modules required for client-facing personnel. Training costs range from SAR 50,000-150,000 annually depending on entity size.

Total annual AML/CFT compliance costs for a mid-sized digital asset entity in Saudi Arabia range from SAR 1.5M to SAR 3M — a significant operational expense that influences the economics of tokenized securities businesses. However, industry participants note that these costs are proportionally lower than equivalent compliance costs for conventional financial institutions, given that blockchain analytics provides automated monitoring capabilities that manual compliance processes cannot match.

Emerging Threats and Regulatory Response

The CMA-SAMA Joint Committee has identified several emerging AML/CFT threats specific to the Saudi digital asset market:

Cross-Chain Laundering: Criminals using bridge protocols to move funds between blockchain networks, exploiting gaps in cross-chain monitoring capabilities. The CMA’s response includes mandating cross-chain analytics capability for all licensed entities and requiring enhanced due diligence for transactions involving bridge protocols.

DeFi Protocol Exposure: Interaction between CMA-regulated digital assets and unregulated DeFi protocols creates potential for regulatory bypass. The CMA has prohibited licensed entities from facilitating transfers to known DeFi protocol addresses without enhanced screening.

Privacy Coin Conversion: Conversion of regulated tokenized securities into privacy-enhanced cryptocurrencies (Monero, Zcash) for laundering purposes. Licensed entities must block deposits from and withdrawals to wallet addresses associated with privacy coin exchanges.

Trade-Based Laundering: Using tokenized securities for trade-based money laundering, where the securities serve as a value transfer mechanism rather than a genuine investment. Pattern detection algorithms monitoring for rapid purchase-and-transfer patterns have been deployed across all Tadawul digital securities platform participants.

FATF Membership and Mutual Evaluation

Saudi Arabia’s FATF membership, secured in 2019, provides the international framework within which the CMA-SAMA joint AML/CFT regime operates. The FATF’s 2024 mutual evaluation of Saudi Arabia assessed the Kingdom’s digital asset AML/CFT framework specifically, rating it “largely compliant” with FATF Recommendations 15 (new technologies) and 16 (wire transfer rules, including the travel rule for virtual assets).

The evaluation highlighted several strengths: the mandatory blockchain analytics requirement for all licensed entities, the SAR 3,750 travel rule threshold (below the FATF’s recommended $1,000 equivalent), the 24-hour STR filing deadline, and the real-time sanctions screening capability. The evaluation recommended improvements in two areas: enhanced supervision of unhosted wallet transfers and increased cross-border information sharing for suspicious transaction investigations involving digital assets.

The CMA has addressed both recommendations. Unhosted wallet transfer monitoring has been enhanced through updated blockchain analytics requirements that mandate transaction graph analysis for all transfers to or from non-custodial addresses. Cross-border information sharing has been strengthened through the CMA’s bilateral cooperation agreements, with dedicated digital asset information-sharing channels established with 8 of the 11 agreement partner jurisdictions.

Saudi Arabia’s FATF compliance also supports the Kingdom’s Vision 2030 objective of establishing a top-10 global financial center. International financial institutions evaluating Saudi Arabia’s tokenized securities market cite FATF compliance as a fundamental requirement for market participation, and the Kingdom’s “largely compliant” rating provides the assurance needed to attract institutional capital flows to the digital securities ecosystem.

Supervisory Architecture

The CMA-SAMA joint supervisory architecture for digital asset AML/CFT operates through a division of responsibilities that avoids duplication while ensuring comprehensive coverage:

CMA Supervision: Entities licensed for digital asset securities activities — including issuers, custodians, trading platforms, and advisory firms — are supervised by the CMA’s Digital Assets Division. CMA supervision includes annual on-site inspections, quarterly desk-based reviews, and real-time on-chain monitoring through the CMA’s blockchain surveillance infrastructure.

SAMA Supervision: Entities licensed for payment token activities, digital banking, and fintech services are supervised by SAMA’s Fintech Department. SAMA’s supervisory approach mirrors its conventional bank supervision methodology, adapted for the technology-specific risks of digital asset operations.

Joint Oversight: Entities holding both CMA and SAMA licenses (such as stablecoin issuers that also facilitate securities settlement) are subject to joint supervision through the CMA-SAMA Joint Digital Assets Committee. This committee meets monthly and coordinates supervisory actions to avoid conflicting requirements or duplicative inspections.

For AML/CFT compliance inquiries: info@sauditokenisation.com
