CMA disclosure requirements for tokenized securities constitute one of the most comprehensive transparency regimes in the global digital asset space. All 8 authorized issuers must comply with pre-issuance, ongoing, and event-driven disclosure obligations that cover both traditional securities data and blockchain-specific information. The framework, effective since November 2024 as part of the Securities Tokenization Standards, has generated over 340 regulatory filings in its first 16 months of operation.
Pre-Issuance Disclosure: Digital Asset Prospectus
Every tokenized security issued under CMA jurisdiction requires a Digital Asset Prospectus (DAP) filed at least 30 days before the token generation event. The DAP must contain:
Standard Securities Disclosures
All disclosures required under the CMA’s conventional securities offering rules apply unchanged:
- Issuer financial statements (audited, last 3 years or since incorporation)
- Business description and strategy
- Risk factors (minimum 15 specific risks, not generic boilerplate)
- Use of proceeds
- Management and governance structure
- Material contracts and related-party transactions
- Legal and regulatory proceedings
Digital Asset-Specific Disclosures
Beyond standard securities content, the DAP must include 14 additional disclosure categories:
Blockchain Protocol Disclosure: Complete technical description of the blockchain protocol used, including version, consensus mechanism, network type (public/private/consortium), node operator details, and the rationale for protocol selection versus alternatives.
Smart Contract Disclosure: Full smart contract source code (or hash reference for verified deployments), security audit results, Sharia compliance review results, upgrade mechanism description, and admin key holder identification.
Token Economics: Total supply, distribution schedule, any burn/mint mechanisms, fee structures embedded in the smart contract, and economic modeling supporting the token’s value proposition.
Custody Arrangements: Identity of the custody provider, custody technology description, insurance coverage, segregation methodology, and the custodian’s CMA license number.
Technology Risk Assessment: Specific risks related to the chosen blockchain protocol, smart contract complexity, dependency on third-party infrastructure, and disaster recovery capabilities.
Interoperability Disclosure: Any cross-chain functionality, bridge protocols used, and associated risks. If the tokenized security will be tradable on multiple platforms, each platform must be identified with its CMA authorization status.
Data Privacy: How investor data is collected, processed, stored, and protected, with specific reference to Saudi data protection requirements and blockchain pseudonymity limitations.
Sharia Compliance: Full Sharia board opinion, the specific Islamic finance standards applied, and conditions under which Sharia compliance could be affected.
Valuation Methodology: How the tokenized security will be valued for reporting purposes, including the independent valuation provider’s identity and methodology.
Secondary Market: Whether and where secondary trading will be available, expected liquidity, market-making arrangements if any, and trading restrictions.
Redemption Terms: Process for redeeming tokens for the underlying asset or cash, timeframes, fees, and minimum redemption amounts.
Tax Treatment: Saudi tax treatment of the tokenized security including VAT, withholding tax, and zakat implications, with disclosure that non-Saudi investors should seek local tax advice.
Conflict of Interest: Any conflicts arising from the issuer’s relationship with the blockchain protocol, custody provider, or trading platform.
Exit Provisions: What happens to token holders if the issuer becomes insolvent, the blockchain protocol is abandoned, or the CMA revokes the issuer’s license.
Ongoing Disclosure Obligations
Quarterly Reports
Issuers must file quarterly reports within 30 days of each quarter-end:
- Financial performance of the underlying asset or business
- Token holder demographics (aggregate, anonymized)
- Secondary market trading volumes and price data
- Smart contract activity log (upgrades, parameter changes, emergency actions)
- Custody provider attestation confirming asset segregation
- Sharia compliance confirmation from the approved Sharia board
- Investor complaint summary and resolution status
Annual Reports
Annual reports due within 90 days of fiscal year-end must include:
- Audited financial statements (both issuer-level and token-level)
- Annual smart contract security re-audit results
- Updated risk assessment reflecting any changes in technology, market, or regulatory conditions
- Independent valuation report for the tokenized asset
- Comparison of actual performance against prospectus projections
- Updated token economics data including actual versus projected distribution schedules
Material Event Disclosure
Material events must be disclosed within 24 hours of occurrence. The CMA has defined 18 specific material event categories for tokenized securities:
- Smart contract vulnerability discovery
- Emergency smart contract upgrade or freeze
- Blockchain protocol hard fork affecting the tokenized security
- Change of custody provider or custody arrangement
- Breach of minimum capital requirements by the issuer
- Change of CMA-approved Sharia board or Sharia compliance status
- Significant change in token holder concentration (single holder exceeding 10% of supply)
- Secondary market trading suspension
- Cybersecurity incident affecting token holders
- Regulatory action by CMA or any international regulator affecting the issuer
- Change of blockchain protocol or migration to a new network
- Material change to the underlying asset or business
- Change in issuer governance (board changes, CEO appointment)
- Cross-border regulatory developments materially affecting the token
- Insurance coverage change or lapse
- Proof-of-reserves attestation failure
- Technology infrastructure provider change
- Legal proceedings involving the issuer or the tokenized asset
Non-disclosure or late disclosure of material events triggers automatic CMA investigation and potential penalties of up to SAR 5M per event. Two penalties have been issued under these provisions as of March 2026, totaling SAR 3.7M.
Filing and Publication Requirements
All CMA filings for tokenized securities must be:
- Filed electronically through the CMA Digital Assets Filing System (DAFS)
- Published simultaneously on the issuer’s website and on Tadawul’s digital securities information platform
- Available in both Arabic and English, with Arabic as the legally binding version
- Retained for a minimum of 10 years from the date of filing
- Machine-readable (the CMA is implementing XBRL tagging for digital asset disclosures, effective Q3 2026)
The transition to XBRL-tagged digital asset disclosures will enable automated compliance monitoring and integration with the CMA’s supervisory technology platform, reducing manual review burden for both regulators and market participants.
Comparison with International Standards
Saudi CMA disclosure requirements for tokenized securities exceed those of most comparable jurisdictions in both scope and frequency. The 14 additional digital-asset-specific prospectus categories, the quarterly on-chain activity reporting, and the 24-hour material event disclosure window collectively create the most granular transparency regime for tokenized securities in the Gulf region.
The framework has drawn praise from IOSCO for its comprehensive treatment of technology-specific risks and its integration of Sharia compliance into the disclosure framework. However, industry participants have noted the compliance cost burden, estimated at SAR 200,000-500,000 annually per token, which may limit issuance to larger-scale tokenization projects in the near term.
On-Chain Disclosure Innovation
A distinctive feature of the CMA’s disclosure framework is the integration of on-chain disclosure capabilities:
Smart Contract Event Logs: All material events must be logged as smart contract events on the blockchain, creating an immutable audit trail. This on-chain record supplements the traditional DAFS filing system and provides real-time event notification to token holders who monitor blockchain events.
Automated Distribution Reports: For tokenized sukuk and bond tokens, distribution calculations and payments are recorded on-chain, enabling investors to independently verify that distributions are calculated correctly and distributed proportionally. This transparency exceeds conventional securities disclosure, where distribution calculations are opaque to investors.
Real-Time Holdings Transparency: The blockchain register provides real-time visibility into aggregate token distribution — total holders, concentration metrics, and trading activity — without requiring the quarterly reporting delays inherent in conventional securities. The CMA accesses this data continuously through its on-chain surveillance infrastructure.
Digital Asset Prospectus Accessibility: The DAP is stored on the blockchain with a content hash, ensuring that the prospectus available to investors is identical to the version filed with the CMA. Any modification to the prospectus requires a new filing and a corresponding update to the on-chain hash, preventing unauthorized alterations.
Practical Compliance Guidance
Based on the 340+ filings processed since the framework’s launch, the CMA has published supplementary guidance addressing common disclosure challenges:
Technology Disclosure Complexity: Many issuers struggle with the balance between technical accuracy and investor accessibility in blockchain protocol and smart contract disclosures. The CMA recommends a layered approach: a plain-language summary in the main prospectus body, with technical appendices providing detailed specifications for technically sophisticated investors.
Sharia Disclosure Integration: The integration of Sharia compliance disclosures with standard securities disclosures requires coordination between legal counsel, Sharia advisors, and technology teams. The CMA has published template language that issuers can adapt, reducing the risk of inconsistency between Sharia and securities disclosure requirements.
Cross-Border Disclosure Harmonization: For tokenized securities with international distribution, issuers must reconcile CMA disclosure requirements with those of destination jurisdictions. The CMA’s international cooperation agreements include provisions for mutual recognition of disclosure standards, but practical harmonization remains issuer-by-issuer.
Ongoing Disclosure Automation: Several fintech ecosystem companies are developing disclosure automation tools that integrate with smart contract event logs and Tadawul data feeds to generate quarterly and annual reports automatically. The CMA has endorsed this approach, noting that automated disclosure reduces human error and improves timeliness.
FATF Alignment and Beneficial Ownership Disclosure
Saudi Arabia’s FATF membership (since 2019) shapes the disclosure framework’s beneficial ownership requirements. All tokenized securities issuers must disclose the beneficial ownership structure of the issuing entity to the ultimate natural person level, consistent with FATF Recommendation 24 (transparency of legal persons). This disclosure is more granular than the conventional securities framework, reflecting the FATF’s updated guidance on virtual asset transparency.
For tokenized securities with complex ownership structures — such as multi-layered fund structures or SPVs used for private placements — the CMA requires a visual ownership chart tracing all layers to the ultimate beneficial owners. This chart must be updated within 5 business days of any ownership change and filed through the DAFS system. The beneficial ownership data feeds into the CMA’s AML/CFT monitoring infrastructure, enabling automated screening of issuers and their ultimate controllers against sanctions lists and adverse media databases.
Disclosure Framework Evolution
The CMA has published a disclosure framework evolution roadmap addressing planned enhancements:
Machine-Readable Disclosures (Q3 2026): Mandatory structured data format (XBRL-based) for all periodic disclosures, enabling automated analysis by institutional investors, regulators, and data aggregators. This initiative aligns with Tadawul’s broader market data modernization program and will support the development of digital asset analytics tools by fintech ecosystem participants.
ESG Disclosure Integration (Q4 2026): Environmental, social, and governance disclosure requirements for tokenized securities, building on IOSCO’s sustainability disclosure standards. Tokenized green bonds and ESG-linked sukuk will be subject to enhanced impact reporting requirements, with on-chain verification of sustainability claims.
Cross-Border Disclosure Passporting (2027): Under the CMA’s mutual recognition agreements, disclosures filed with the CMA will be automatically recognized by partner jurisdiction regulators (currently Malaysia and Bahrain, with UAE and Kuwait expected). This eliminates duplicative filing requirements for cross-border tokenized securities distribution.
Real-Time Disclosure (2028): As part of the digital-traditional convergence roadmap, the CMA targets real-time material event disclosure for all securities (not just tokenized instruments). Smart contract event logs will serve as the primary disclosure channel, with DAFS filings becoming a secondary record.
The CMA’s disclosure framework has been recognized by IOSCO as a reference model for emerging market digital asset transparency regulation. The framework’s requirement for smart contract source code disclosure — making the governing code of each tokenized security available for public inspection — is unique among G20 jurisdictions and reflects the CMA’s commitment to transparency as the foundation of investor confidence in the tokenized securities market.
The Elm Company’s digital infrastructure supports the DAFS platform’s document processing pipeline, providing the secure document management and electronic signature capabilities that enable the 30-day pre-issuance filing timeline. Saudi Digital Academy training programs for CMA disclosure review staff include specialized modules on smart contract code assessment, blockchain analytics interpretation, and digital asset risk factor evaluation — ensuring that the regulatory team reviewing 340+ filings has the technical competency to assess digital-asset-specific disclosures effectively. The Saudi Blockchain Lab contributes technical research that informs the CMA’s ongoing refinement of smart contract disclosure standards, particularly around the adequacy of formal verification reports and the interpretability of complex DeFi-adjacent smart contract architectures.
The CMA has issued 68 capital market permits to date, and each permitted entity operating in the digital asset space must comply with these disclosure standards — ensuring consistent transparency across the Kingdom’s expanding tokenization ecosystem of 261 fintech companies.
For disclosure compliance inquiries: info@sauditokenisation.com