Saudi Arabia’s CMA issued its Digital Asset Custody Standards in December 2024, establishing what ranks among the most prescriptive custody frameworks for tokenized securities in any jurisdiction. Eleven entities hold custody authorization as of March 2026, with combined assets under custody exceeding SAR 3.8 billion. The standards mandate segregated cold storage, quarterly proof-of-reserves attestations, and insurance coverage that exceeds requirements in Singapore, Bahrain, and the UAE.
Custody License Requirements
The CMA custody license (Category: Digital Asset Custody — DAC) requires:
- Minimum capital: SAR 25M (approximately $6.7M), maintained at all times
- Board composition: Minimum two directors with cybersecurity or blockchain technology qualifications
- Saudi presence: Physical infrastructure including key management hardware must be located within the Kingdom
- Insurance: Professional indemnity and cyber insurance totaling minimum SAR 50M
- Annual audit: By a CMA-approved auditor with digital asset competency certification
Application Process
The DAC license application follows a four-stage process spanning 8-14 months:
Stage 1 — Pre-Application Assessment (2-3 months): Preliminary review of the applicant’s governance structure, technology stack, and capital position. The CMA assigns a dedicated case officer and provides feedback on readiness gaps.
Stage 2 — Formal Application (1-2 months): Submission of the complete application package including business plan, technology architecture documentation, risk management framework, key personnel CVs, and financial projections.
Stage 3 — Technical Assessment (3-5 months): The CMA’s technical team conducts on-site inspections of custody infrastructure, penetration testing of systems, review of key management procedures, and disaster recovery testing. This phase also includes evaluation of the applicant’s blockchain protocol compliance capabilities.
Stage 4 — Conditional Approval and Testing (2-4 months): Conditional license issued with restrictions on asset volume and client numbers. The entity operates under enhanced supervision, reporting daily to the CMA. Upon satisfactory completion, the full license is granted.
Segregation Requirements
The CMA mandates strict asset segregation at multiple levels:
Client-Level Segregation: Each client’s digital assets must be held in individually identifiable wallets or sub-accounts. Commingling of client assets is prohibited under any circumstances, including for operational efficiency.
Custodian Asset Separation: The custodian’s own digital assets (if any) must be held in completely separate infrastructure from client assets, with no shared key management personnel or hardware security modules.
Blockchain-Level Verification: Segregation must be independently verifiable on-chain, meaning each client’s holdings must be traceable to specific blockchain addresses controlled by the custodian on the client’s behalf.
This segregation standard exceeds the UAE’s custody requirements where omnibus wallet structures are permitted under certain conditions.
Cold Storage and Key Management
The CMA requires a minimum of 95% of custodied digital assets to be held in cold storage (offline, air-gapped infrastructure). The remaining 5% may be held in warm or hot wallets for operational liquidity, subject to:
- Real-time monitoring by the custodian’s security operations center
- Automated alerts for any withdrawal exceeding SAR 100,000
- Multi-signature requirements (minimum 3-of-5 signatories for any withdrawal)
- Daily reconciliation against cold storage records
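As an added illustration (not code from the page or from any licensed custodian), the following Python encodes the four hot-wallet controls above as checks a custodian's security operations team could run over its own withdrawal records and daily balances. The signer roster, balances and transactions are constructed sample data.

```python
from dataclasses import dataclass

# Policy thresholds quoted from the CMA hot-wallet rules above.
MIN_COLD_RATIO = 0.95            # at least 95% of custodied assets offline
ALERT_THRESHOLD_SAR = 100_000    # automated alert above this withdrawal size
SIG_THRESHOLD, SIG_TOTAL = 3, 5  # 3-of-5 signers on every hot-wallet withdrawal

# Hypothetical 5-person signer roster (constructed sample data, not from the page).
AUTHORISED_SIGNERS = frozenset({"ops-a", "ops-b", "risk-c", "cto-d", "cfo-e"})

@dataclass
class Withdrawal:
    tx_id: str
    amount_sar: float
    signers: frozenset  # key holders who approved this transaction

def check_withdrawal(w: Withdrawal) -> list:
    """Return policy findings for one withdrawal; an empty list means it is compliant."""
    findings = []
    unknown = w.signers - AUTHORISED_SIGNERS
    if unknown:
        findings.append(f"{w.tx_id}: signature from unrecognised signer(s) {sorted(unknown)}")
    approved = len(w.signers & AUTHORISED_SIGNERS)
    if approved < SIG_THRESHOLD:
        findings.append(f"{w.tx_id}: only {approved} of {SIG_TOTAL} authorised signers, need {SIG_THRESHOLD}")
    if w.amount_sar > ALERT_THRESHOLD_SAR:
        findings.append(f"{w.tx_id}: ALERT withdrawal SAR {w.amount_sar:,.0f} exceeds SAR {ALERT_THRESHOLD_SAR:,}")
    return findings

def cold_storage_ratio(cold_sar: float, hot_sar: float) -> float:
    total = cold_sar + hot_sar
    return 1.0 if total == 0 else cold_sar / total

def daily_reconciliation(cold_sar, hot_sar, ledger_sar, tolerance_sar=1.0):
    """Daily check: wallet balances must match the client ledger and keep 95% cold."""
    findings = []
    gap = cold_sar + hot_sar - ledger_sar
    if abs(gap) > tolerance_sar:
        findings.append(f"ledger mismatch: wallets minus ledger = SAR {gap:,.2f}")
    ratio = cold_storage_ratio(cold_sar, hot_sar)
    if ratio < MIN_COLD_RATIO:
        findings.append(f"cold storage share {ratio:.2%} is below the {MIN_COLD_RATIO:.0%} minimum")
    return findings

if __name__ == "__main__":
    # Constructed sample day: SAR 1bn under custody, SAR 40m in the hot wallet.
    print(daily_reconciliation(960_000_000, 40_000_000, 1_000_000_000))
    print(check_withdrawal(Withdrawal("tx-1", 150_000, frozenset({"ops-a", "ops-b"}))))
```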
Hardware Security Module (HSM) Requirements
All private key operations must use FIPS 140-2 Level 3 (or higher) certified hardware security modules. The CMA’s Approved HSM Registry currently lists 4 approved vendors:
- Thales Luna Network HSM
- Utimaco SecurityServer
- nCipher nShield (Entrust)
- Securosys Primus HSM
HSMs must be physically located in Saudi Arabia, in data centers that meet Tier III or higher standards. The CMA has rejected applications from entities proposing to use HSMs located in Bahrain, UAE, or other jurisdictions, reinforcing the data residency requirement.
Key Ceremony Protocols
The CMA prescribes specific requirements for key generation ceremonies:
- Minimum 3 key custodians physically present, from different organizational reporting lines
- Independent witness from a CMA-approved auditing firm
- Video recording of the entire ceremony, retained for 10 years
- Shamir’s Secret Sharing or equivalent scheme for key backup, with a minimum 3-of-5 reconstruction threshold
- Geographic distribution of key shares across at least 2 separate Saudi locations
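To make the 3-of-5 backup rule concrete, here is an added Python example (not the CMA's or any custodian's code) of Shamir's Secret Sharing over a prime field, with a check for the two-location distribution rule. The root key, the site assignment and the field prime are constructed assumptions; the page does not specify them.

```python
import secrets

# Mersenne prime field: every 256-bit root key is a single element below P.
P = 2**521 - 1
THRESHOLD, SHARES = 3, 5  # CMA minimum: any 3 of the 5 shares rebuild the key

def split_secret(secret: int, k: int = THRESHOLD, n: int = SHARES) -> list:
    """Shamir split: random degree-(k-1) polynomial with the secret as constant term."""
    if not (0 <= secret < P and 1 < k <= n):
        raise ValueError("secret out of field range or bad threshold")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x: int) -> int:
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, f(x)) for x in range(1, n + 1)]  # x=0 would leak the secret, never issued

def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x=0 over GF(P); needs >= k shares with distinct x."""
    result = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        result = (result + yi * num * pow(den, -1, P)) % P
    return result

def sites_ok(share_sites: dict, min_sites: int = 2) -> bool:
    """Geographic rule: shares must be spread over at least two separate Saudi locations."""
    return len(set(share_sites.values())) >= min_sites

if __name__ == "__main__":
    key = int.from_bytes(secrets.token_bytes(32), "big")  # constructed demo root key
    shares = split_secret(key)
    # Hypothetical site assignment for the five shares (constructed, not from the page).
    sites = {1: "Riyadh", 2: "Riyadh", 3: "Jeddah", 4: "Jeddah", 5: "Dammam"}
    assert sites_ok(sites)
    assert recover_secret(shares[:3]) == key                     # any 3 shares work
    assert recover_secret([shares[0], shares[2], shares[4]]) == key
    assert recover_secret(shares[:2]) != key                     # 2 shares give a wrong value
    print("3-of-5 reconstruction verified")
```

Fewer than three shares interpolate to a value unrelated to the key, which is the property the backup scheme relies on when a single site is compromised.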
Proof-of-Reserves Requirements
All licensed custodians must publish quarterly proof-of-reserves attestations:
On-Chain Verification: Custodians must provide cryptographic proof demonstrating control of all wallets claimed to hold client assets. This proof must be independently verifiable by any third party using the blockchain’s native verification capabilities.
Attestation by Independent Auditor: A CMA-approved auditor must verify the proof-of-reserves against the custodian’s client records, confirming that total on-chain holdings equal or exceed total client entitlements.
Public Disclosure: A summary of the proof-of-reserves (total assets, number of clients, attestation date, auditor identity) must be published on the custodian’s website and filed with the CMA within 15 days of each quarter-end.
Penalty for Non-Compliance: Failure to publish proof-of-reserves on schedule triggers an automatic SAR 500,000 penalty and a 30-day compliance deadline. Continued non-compliance results in license suspension.
The CMA’s proof-of-reserves standard draws on lessons from the collapse of centralized crypto exchanges globally. The quarterly requirement is more frequent than the annual attestations required in many jurisdictions but less demanding than the real-time proof-of-reserves that some industry advocates have proposed.
Disaster Recovery and Business Continuity
Custodians must maintain:
- Recovery Time Objective (RTO): Maximum 4 hours for full operational recovery following any disaster scenario
- Recovery Point Objective (RPO): Zero data loss for all client holdings information
- Geographic redundancy: Backup facilities in at least two separate Saudi cities
- Annual DR testing: Full disaster recovery simulation at least once per year, with results reported to the CMA
- Client communication plan: Tested process for notifying all clients within 2 hours of any service disruption
The CMA has specified that Edaa will serve as the custodian of last resort for tokenized securities if a licensed custodian fails, ensuring continuity of asset safekeeping even in extreme scenarios.
Insurance Coverage
The minimum insurance coverage for DAC licensees includes:
| Coverage Type | Minimum Amount | Purpose |
|---|---|---|
| Professional Indemnity | SAR 25M | Operational errors, negligence |
| Cyber Insurance | SAR 25M | Hacking, unauthorized access |
| Crime Insurance | SAR 10M | Internal fraud, employee theft |
| Directors & Officers | SAR 5M | Governance failures |
The combined SAR 65M minimum insurance requirement has been cited by industry participants as the single largest cost barrier to obtaining a DAC license. Only 4 global insurance carriers currently offer Saudi digital asset custody policies meeting CMA specifications.
Current Market Landscape
The 11 licensed custodians as of March 2026 include:
- 3 Saudi banks adding digital asset custody to existing securities custody operations
- 2 international custody specialists establishing Saudi subsidiaries
- 3 fintech firms offering technology-native custody solutions
- 2 Tadawul-affiliated entities providing custody for exchange-traded digital securities
- 1 Islamic finance institution specializing in Sharia-compliant digital asset custody
Combined assets under custody reached SAR 3.8B in Q1 2026, up from SAR 800M at the end of 2024. The CMA projects this figure will reach SAR 15B by end of 2027 as tokenized sukuk and equity tokens scale production volumes.
Comparison with International Standards
| Requirement | Saudi CMA | UAE VARA | Singapore MAS | Bahrain CBB |
|---|---|---|---|---|
| Minimum Capital | SAR 25M | AED 5M | SGD 5M | BHD 1M |
| Cold Storage % | 95% | 70% | Not specified | 80% |
| Proof of Reserves | Quarterly | Annual | Not required | Semi-annual |
| Insurance Minimum | SAR 65M | AED 15M | Case by case | BHD 2M |
| Data Residency | Mandatory Saudi | UAE preferred | Not required | Bahrain preferred |
The Saudi standards are the most demanding in the Gulf region, reflecting the CMA’s position that digital asset custody risk must be managed at institutional-grade levels to protect the Kingdom’s capital markets integrity.
Client Onboarding and Due Diligence
Licensed custodians must implement rigorous client onboarding procedures that extend beyond standard KYC requirements:
Institutional Clients: Full beneficial ownership verification to the ultimate natural person level, assessment of the client’s digital asset experience and operational capabilities, verification of regulatory status in home jurisdiction (for international clients), and execution of a custody services agreement that specifies asset segregation, reporting, and liability terms. The CMA’s AML/CFT framework requires enhanced due diligence for institutional clients with complex ownership structures, particularly those involving jurisdictions not covered by CMA bilateral cooperation agreements.
Retail Clients: Identity verification through Saudi National ID or iqama (residency permit), suitability assessment confirming the client understands digital asset custody risks, and a mandatory 24-hour cooling period before the first deposit. Retail custody clients must also complete the CMA’s Digital Asset Investor Awareness Program before their accounts are activated.
Ongoing Monitoring: Custodians must continuously monitor client accounts for suspicious activity patterns, including unusual deposit or withdrawal frequency, transfers to high-risk jurisdictions, and wallet addresses flagged by blockchain analytics platforms. Any suspicious activity triggers a mandatory STR filing with the Saudi Financial Intelligence Unit within 24 hours.
Operational Risk Management
The CMA prescribes detailed operational risk management requirements for custody licensees:
Staff Security: All key management personnel must undergo enhanced background checks, including financial crime screening, social media review, and reference verification. No individual may have sole access to client assets — all operations require multi-person authorization. Staff with access to key management systems are subject to restricted trading policies and annual disclosure of personal digital asset holdings.
Technology Stack: Custodians must maintain technology infrastructure that meets Saudi National Cybersecurity Authority (NCA) standards. Annual penetration testing by NCA-approved firms is mandatory, with results reported to the CMA. The technology stack must include real-time intrusion detection, automated threat response, and comprehensive logging of all system access and key management operations.
Smart Contract Integration: Custodians providing custody for tokenized securities traded on Tadawul’s digital platform must integrate with the smart contract infrastructure governing those securities. This integration enables automated settlement, distribution receipt, and corporate action processing on behalf of custody clients. The integration must be tested quarterly against Tadawul’s staging environment to ensure compatibility with platform updates.
Custodian of Last Resort
Edaa’s role as custodian of last resort is a critical safety net in the Saudi custody framework. If a licensed custodian fails — whether through insolvency, regulatory action, or operational failure — Edaa assumes custody of all client assets and manages the transition to replacement custodians. The custodian of last resort mechanism ensures that no client’s tokenized securities are stranded due to custodian failure, providing a level of systemic protection that exceeds most international frameworks. Edaa maintains standing capability to absorb custody transfers from any licensed custodian within 48 hours of activation, with clients receiving notifications through Tadawul’s communication infrastructure.
The custody standards continue to evolve as the Saudi tokenized securities market scales. The CMA has announced plans to review the standards annually, incorporating lessons from operational experience, enforcement actions, and international best practices. The CMA’s international cooperation framework facilitates the exchange of custody supervisory intelligence with partner jurisdictions, ensuring that Saudi standards remain aligned with global developments in digital asset safekeeping.
PIF Portfolio Company Integration
The Public Investment Fund’s portfolio companies play a growing role in the custody ecosystem infrastructure. Elm Company, PIF’s digital solutions subsidiary, provides the Nafath digital identity verification used by all 11 licensed custodians for client onboarding — ensuring consistent KYC standards across the custody market. The Saudi Digital Academy, another government initiative, has trained 45 custody operations professionals through its specialized “Digital Asset Safekeeping” certification program, addressing the talent shortage that custodians identified as their primary scaling constraint during 2025. KAUST and King Saud University blockchain research programs have contributed cryptographic key management research that the Saudi Blockchain Lab incorporated into its HSM evaluation methodology, directly informing the CMA’s Approved HSM Registry. These institutional linkages ensure that Saudi custody infrastructure benefits from the Kingdom’s broader digital transformation investments under Vision 2030.
The Saudi FinTech Strategy 2025 — a joint SAMA-CMA initiative — specifically identified digital asset custody as a priority subsector requiring dedicated infrastructure investment. The strategy allocated SAR 150 million in matching grants for custody technology development, supporting 3 of the 11 licensed custodians in establishing Saudi-based cold storage facilities that meet the CMA’s stringent 95% cold storage mandate. This government-backed investment in custody infrastructure underscores the Kingdom’s commitment to institutional-grade digital asset safekeeping as a foundational requirement for the tokenized securities market.
For custody licensing inquiries: info@sauditokenisation.com