CMA Enforcement Actions for Digital Assets: Penalties, Sanctions, and Compliance Outcomes

Seven enforcement actions related to digital asset activities have been issued by the CMA since the Digital Assets Regulatory Framework took effect in Q3 2024, with combined penalties totaling SAR 20.5 million. The enforcement actions span four violation categories: unlicensed digital asset promotion (3 cases), capital requirement breaches (1 case), AML/CFT compliance failures (2 cases), and smart contract non-compliance (1 case). The escalating pace of enforcement — 5 actions in the first quarter of 2026 alone — signals the CMA’s shift from a guidance-oriented approach to active supervisory enforcement.

Enforcement Framework

The CMA’s enforcement powers for digital assets derive from the Capital Market Law, supplemented by the Digital Assets Regulatory Framework’s specific penalty provisions. The enforcement spectrum includes:

Administrative Measures:

• Written warnings (no financial penalty)
• Directed remediation with compliance deadlines
• Enhanced supervisory requirements (increased reporting frequency, on-site monitoring)
• Restrictions on business activities (temporary prohibition on new client onboarding, volume caps)

Financial Penalties:

• Up to SAR 10M per violation for licensed entities
• Up to SAR 5M per violation for unlicensed entities
• Daily penalties of SAR 50,000 for continuing violations
• Disgorgement of profits derived from non-compliant activities

License Actions:

• License suspension (temporary, with reinstatement conditions)
• License revocation (permanent prohibition from digital asset activities)
• Sandbox removal (for sandbox participants violating sandbox conditions)

Criminal Referral:

• Fraud involving digital assets
• Market manipulation of tokenized securities
• Operating an unlicensed digital asset business (repeated offense)
• Money laundering through digital asset channels

Case Analysis: All 7 Enforcement Actions

Case 1: Unlicensed Digital Asset Promotion (Q4 2024)

Respondent: A social media influencer operating from Riyadh Violation: Promoting foreign-domiciled digital asset investment platforms to Saudi residents without CMA authorization Key Facts: The respondent promoted 3 offshore crypto exchanges and 2 token offerings through a social media following of 450,000, receiving approximately SAR 2.1M in referral commissions over 8 months Penalty: SAR 3.0M (disgorgement of SAR 2.1M in commissions plus SAR 900,000 administrative penalty) Outcome: Permanent prohibition on promoting any securities, digital or conventional, without CMA authorization

This case established that CMA jurisdiction over digital asset promotion extends to social media activity targeting Saudi residents, regardless of where the promoted service is domiciled. The ruling cited Saudi Arabia’s territorial approach to investor protection, consistent with SAMA’s position on payment token promotion. The enforcement stance reflects a broader trend: CMA enforcement actions across all capital markets have grown by 40% in the last two years, with the Standing Committee on Unauthorized Securities — a joint CMA-SAMA body — intensifying its mandate to reduce marketing of illicit virtual currency investments since its 2018 statement declaring virtual currencies illegal in Saudi Arabia.

Case 2: Unlicensed Digital Asset Promotion (Q1 2025)

Respondent: A Dubai-based digital asset marketing firm Violation: Operating a website in Arabic targeting Saudi investors, promoting tokenized securities products not authorized by CMA Penalty: SAR 2.5M (in absentia, enforceable through GCC regulatory cooperation mechanisms) Outcome: Website blocked by Saudi communications authority; referral to UAE authorities under mutual cooperation agreement

Case 3: Capital Requirement Breach (Q2 2025)

Respondent: A sandbox participant Violation: Failure to maintain the SAR 1M minimum sandbox capital requirement for 47 days Key Facts: The entity’s capital dropped to SAR 720,000 following an unexpected technology expense. The breach was discovered during routine CMA monitoring, not self-reported by the entity. Penalty: SAR 1.5M plus mandatory capital restoration within 30 days Outcome: Entity restored capital and remained in the sandbox, but with enhanced weekly capital reporting requirements

Case 4: AML/CFT Compliance Failure (Q2 2025)

Respondent: A licensed digital asset trading platform Violation: Failure to implement travel rule compliance for transactions above SAR 3,750 Penalty: SAR 3.0M Outcome: 90-day remediation period with weekly compliance reporting; travel rule implementation verified by independent auditor

Case 5: AML/CFT Compliance Failure (Q3 2025)

Respondent: A licensed custody provider Violation: Inadequate blockchain analytics deployment — the entity was using manual wallet screening rather than automated blockchain analytics from a CMA-approved provider Penalty: SAR 2.2M Outcome: Mandatory deployment of Chainalysis or equivalent within 60 days; retrospective screening of all existing client wallets

Case 6: Unlicensed Digital Asset Promotion (Q4 2025)

Respondent: A Riyadh-based technology company Violation: Marketing a “tokenized equity” product to Saudi retail investors without CMA authorization, describing the product as “not a security” to avoid regulatory requirements Key Facts: The product was functionally equivalent to a security under CMA classification criteria — it represented fractional ownership in a commercial asset with expected profit distributions. The entity had raised SAR 4.8M from 320 retail investors. Penalty: SAR 5.0M plus mandatory refund of all investor funds (SAR 4.8M) Outcome: Entity prohibited from any capital markets activity; matter referred for potential criminal prosecution

This case established the CMA’s substance-over-form approach to digital asset classification — the CMA will look through marketing descriptions to the functional reality of a digital asset product when determining regulatory jurisdiction.

Case 7: Smart Contract Non-Compliance (Q1 2026)

Respondent: A licensed digital asset issuer Violation: Unauthorized smart contract modification without CMA notification, changing the token’s distribution schedule without filing a material event disclosure Key Facts: The issuer modified the smart contract to delay a scheduled distribution payment by 60 days. The modification was not disclosed to CMA or to token holders until discovered by a market participant analyzing on-chain data. Penalty: SAR 3.3M plus mandatory compensation to affected token holders Outcome: Issuer placed under enhanced supervision with all future smart contract modifications requiring pre-approval from CMA

Enforcement Trends and Implications

Increasing Enforcement Intensity

The pace of enforcement is accelerating: 2 actions in the first 15 months of the framework (Q4 2024 - Q4 2025), followed by 5 actions in Q1 2026 alone. This reflects:

1. Growing CMA enforcement capacity (the Digital Assets Supervision team expanded from 20 to 35 staff in 2025)
2. Expanded market activity providing more opportunities for violations
3. CMA’s deliberate strategy of establishing precedents through enforcement during the framework’s early years

Key Regulatory Signals

The enforcement record communicates several clear signals to market participants:

Territorial jurisdiction: The CMA will pursue enforcement against entities promoting digital assets to Saudi residents regardless of the entity’s domicile (Cases 1, 2, 6).

Substance over form: Marketing a product as “not a security” does not exempt it from CMA jurisdiction if it functions as a security (Case 6).

Self-reporting expectation: Entities that fail to self-report violations receive harsher treatment than those that proactively disclose (Case 3 versus Cases 4, 5).

Smart contract governance: On-chain actions are subject to the same disclosure requirements as off-chain corporate actions (Case 7).

The CMA has indicated that enforcement activity will continue to increase as the tokenized securities market grows, with particular focus on investor protection, AML/CFT compliance, and disclosure obligations. Market participants should anticipate a regulatory environment that prioritizes enforcement credibility during the formative period of Saudi digital asset markets.

Enforcement Infrastructure

The CMA’s enforcement capability for digital assets rests on several institutional pillars:

Digital Assets Supervision Team: Expanded from 20 to 35 staff members during 2025, this team includes blockchain analysts, former cybersecurity professionals, and experienced securities regulators who have cross-trained in digital asset technology. The team operates both routine supervisory programs (scheduled inspections, reporting review) and reactive investigations triggered by complaints, market surveillance alerts, or intelligence from international partners.

On-Chain Surveillance Technology: The CMA has deployed proprietary on-chain monitoring tools that continuously scan all approved blockchain protocols for transaction patterns indicative of unlicensed activity, market manipulation, or AML/CFT violations. These tools process approximately 50,000 daily on-chain transactions related to Saudi digital asset securities and generate automated alerts for analyst review.

Whistleblower Program: The CMA launched a digital asset-specific whistleblower program in Q3 2025, offering financial rewards of up to 10% of resulting penalties (capped at SAR 1M) for information leading to successful enforcement actions. Three of the seven enforcement actions to date involved whistleblower intelligence.

Cross-Border Enforcement: The CMA’s enforcement reach extends beyond Saudi borders through bilateral cooperation agreements with 11 international regulators. The Q1 2025 enforcement action against a Dubai-based entity demonstrated the CMA’s willingness and ability to pursue cross-border cases, using GCC regulatory cooperation mechanisms to enforce penalties and block unauthorized services.

Comparison with International Enforcement

Saudi Arabia’s digital asset enforcement activity compares favorably with regional peers:

Saudi Arabia’s enforcement profile is distinguished by the inclusion of smart contract governance violations — a category that few other jurisdictions have yet addressed through formal enforcement actions. This reflects the CMA’s forward-looking approach to regulating the technical aspects of tokenized securities, not merely the business conduct of licensed entities.

Lessons for Market Participants

The seven enforcement actions provide clear guidance for digital asset market participants:

1. Register before promoting: Any marketing of digital asset products to Saudi residents requires CMA authorization, regardless of where the product is domiciled or how it is labeled
2. Invest in AML infrastructure: Manual compliance processes are insufficient — deploy CMA-approved blockchain analytics from day one
3. Treat smart contracts as regulated instruments: Any modification to a live smart contract is a material event requiring CMA disclosure
4. Self-report promptly: The CMA has shown leniency toward entities that self-disclose compliance breaches and harsher treatment for those who attempt to conceal violations
5. Maintain capital buffers: Capital requirement breaches, even temporary ones, trigger automatic CMA investigation and potential penalties
6. Monitor continuously: Quarterly Sharia audits, proof-of-reserves attestations, and ongoing compliance monitoring are not optional — they are enforced requirements

FATF Compliance and Enforcement Standards

Saudi Arabia’s FATF membership (since 2019) directly influences the CMA’s enforcement approach for digital asset AML/CFT violations. The FATF’s updated Recommendation 15 guidance on virtual assets sets specific expectations for enforcement effectiveness, requiring member jurisdictions to demonstrate that penalties are “effective, proportionate, and dissuasive.” The CMA’s enforcement actions meet this standard — the SAR 8.2 million in AML/CFT-specific penalties represents a meaningful deterrent for entities with typical annual revenues of SAR 10-50 million.

The FATF’s 2024 mutual evaluation of Saudi Arabia specifically assessed digital asset enforcement, noting the CMA’s willingness to pursue cross-border cases and the integration of blockchain analytics into the enforcement investigation toolkit. The evaluation recommended that the CMA increase enforcement staff dedicated to digital asset supervision, which the CMA has addressed by expanding the Digital Assets Division enforcement team from 8 to 15 investigators in Q1 2026.

Enforcement Pipeline and Future Priorities

The CMA has signaled future enforcement priorities through public statements and industry guidance:

Disclosure Compliance: The CMA has noted “room for improvement” in the timeliness and completeness of quarterly on-chain activity reports. Entities failing to meet the 15-day post-quarter filing deadline should expect enforcement scrutiny.

Custody Standards: The CMA’s routine inspections of custody licensees have identified preliminary concerns about proof-of-reserves attestation quality. The CMA expects to issue the first custody-specific enforcement action in 2026 if compliance gaps are not addressed proactively.

Investor Suitability: Three ongoing CMA investigations involve potential investor suitability assessment failures — specifically, allegations that licensed entities granted semi-qualified investor access to individuals who did not meet the SAR 1-10 million net asset threshold. These investigations could result in the CMA’s first investor protection-focused enforcement actions for digital assets.

Market Manipulation: As secondary market liquidity grows on the Tadawul digital platform, the CMA expects wash trading and spoofing attempts to increase. The CMA’s cross-market surveillance infrastructure monitors both on-chain and off-chain trading activity, and the first market manipulation enforcement action for digital securities is anticipated in 2026-2027.

The CMA’s enforcement approach — escalating in both frequency and severity as the market matures — provides the regulatory credibility that institutional participants require to commit capital to Saudi tokenized securities. The 7 enforcement actions to date have established clear regulatory boundaries without stifling market development, demonstrating the CMA’s ability to balance innovation facilitation with market integrity protection consistent with Vision 2030 financial sector objectives.

For compliance inquiries: info@sauditokenisation.com