CMA investor protection standards for digital asset securities establish a five-layer safeguard framework that applies to all 34 entities authorized for digital asset activities in Saudi Arabia. These protections operate within a rapidly maturing fintech ecosystem of 261 companies — up 21% year-over-year — where cumulative investment has reached SAR 7.9 billion ($2.1 billion), according to data from Fintech Saudi. With SAR 2.1 billion in tokenized securities outstanding as of March 2026, the investor protection regime addresses the unique risks of blockchain-based securities while maintaining consistency with Saudi Arabia’s conventional securities protection framework established under the Capital Market Law.
Suitability Assessment Requirements
All intermediaries dealing in digital asset securities must conduct investor suitability assessments before facilitating any transaction. The CMA’s suitability framework categorizes investors into three tiers:
Qualified Investors (QIs): Institutional investors, high-net-worth individuals with net assets exceeding SAR 10M, and entities with professional financial expertise. QIs have unrestricted access to all tokenized securities products, subject to standard KYC/AML obligations.
Semi-Qualified Investors (SQIs): Individuals with net assets between SAR 1M and SAR 10M, or annual income exceeding SAR 600,000. SQIs may invest in tokenized securities up to SAR 500,000 per annum without additional restrictions, and above that threshold only with documented advisory engagement from a CMA-licensed digital asset advisor.
Retail Investors: All other investors. Retail access to tokenized securities is limited to products specifically approved by the CMA for retail distribution, which as of March 2026 includes only tokenized sukuk with credit ratings of A- or higher and tokenized equity funds with at least SAR 500M in assets under management.
Suitability Assessment Process
The suitability assessment must cover:
- Financial literacy evaluation — A standardized 15-question assessment covering blockchain technology basics, digital asset risks, and private key management responsibilities
- Risk tolerance assessment — Standard CMA risk profiling questionnaire adapted for digital asset-specific risks including smart contract failure, blockchain protocol risk, and regulatory change risk
- Investment experience review — Prior experience with digital assets, conventional securities, and derivatives
- Concentration risk check — Digital asset securities must not exceed 20% of a retail investor’s total investment portfolio
- Cooling-off period — 72-hour cooling-off period for first-time retail digital asset investors, during which the transaction may be reversed without penalty
The suitability assessment must be refreshed annually for all investor categories, or immediately following any material change in the investor’s financial circumstances.
Disclosure Standards
Pre-Investment Disclosures
All digital asset securities offerings must include standardized risk disclosures covering:
- Technology risk: Potential for smart contract bugs, blockchain protocol failures, or custody infrastructure failures
- Regulatory risk: The evolving nature of digital asset regulation in Saudi Arabia and internationally
- Liquidity risk: Limited secondary market liquidity for certain tokenized securities
- Valuation risk: Challenges in independently valuing tokenized securities, particularly during periods of market stress
- Operational risk: Key-man risk, including the possibility of losing access to digital assets due to private key loss
- Sharia compliance risk: The possibility that a previously Sharia-compliant token may lose its certification
These disclosures must be presented in standardized format using CMA-prescribed templates, in both Arabic and English, with Arabic taking legal precedence.
Ongoing Disclosures
Licensed entities must provide investors with:
- Monthly account statements showing all digital asset holdings, transaction history, and current valuations
- Quarterly performance reports for each tokenized security, including comparison against relevant benchmarks
- Immediate notification of any material event affecting the tokenized security, the issuer, or the underlying asset
- Annual summary of all fees charged, presented in both absolute and percentage terms
Fee Transparency
The CMA requires a standardized fee disclosure format for digital asset services:
| Fee Category | Must Disclose |
|---|---|
| Transaction fees | Per-transaction cost in SAR and as percentage of transaction value |
| Custody fees | Annual rate as percentage of assets under custody |
| Gas/network fees | Estimated blockchain transaction costs passed to investors |
| Management fees | Annual rate for managed products |
| Performance fees | Methodology and calculation basis |
| Exit fees | Any charges for redemption or withdrawal |
Undisclosed fees discovered by CMA inspection result in a mandatory fee refund to all affected investors plus a penalty of twice the undisclosed fee amount.
Compensation Mechanisms
CMA Investor Protection Fund
The CMA’s Investor Protection Fund has been extended to cover digital asset securities. Contributions are mandatory for all licensed digital asset entities:
- Issuers: 0.1% of total token issuance value
- Trading platforms: 0.05% of annual trading volume
- Custodians: 0.02% of assets under custody, annually
- Advisors: SAR 50,000 annual flat contribution
The fund covers investor losses arising from licensed entity fraud, insolvency, or material operational failure. Maximum compensation per investor is SAR 1M. The fund’s digital asset allocation reached SAR 47M in Q1 2026.
Mandatory Professional Indemnity Insurance
All licensed digital asset entities must maintain professional indemnity insurance covering:
- Negligence and errors in digital asset operations
- Smart contract failures attributable to inadequate audit processes
- Cybersecurity breaches resulting in investor asset losses
- Unauthorized transactions caused by internal control failures
Minimum coverage levels vary by license category, ranging from SAR 10M for advisory firms to SAR 50M for custody providers.
Complaint Resolution Framework
The CMA has established a dedicated Digital Assets Complaint Resolution Unit (DACRU), operational since March 2025:
Stage 1 — Entity Resolution (15 business days): Complaints must first be directed to the licensed entity’s internal complaints function. The entity must acknowledge receipt within 24 hours and provide a substantive response within 15 business days.
Stage 2 — CMA Mediation (30 business days): If the investor is unsatisfied with the entity’s response, the complaint may be escalated to DACRU. The CMA mediator reviews both parties’ positions and proposes a resolution.
Stage 3 — CMA Adjudication (60 business days): If mediation fails, DACRU may adjudicate the dispute, issuing a binding decision. Adjudication decisions may be appealed to the Committee for the Resolution of Securities Disputes (CRSD).
DACRU has processed 127 complaints since its establishment, with 78% resolved at Stage 1, 18% at Stage 2, and 4% reaching Stage 3. The median resolution time is 22 business days.
Market Conduct Rules
The CMA has extended its market conduct rules to digital asset securities, with specific adaptations:
Market Manipulation: Standard market manipulation prohibitions apply, supplemented by specific rules addressing:
- Wash trading through multiple wallets controlled by the same entity or person
- Spoofing via smart contract-based order placement and cancellation
- Front-running using blockchain mempool information
Insider Trading: Standard insider trading rules apply to tokenized securities. The definition of “material non-public information” has been extended to include information about smart contract upgrades, blockchain protocol changes, and pending Sharia compliance decisions.
Market Surveillance: Tadawul’s market surveillance systems have been extended to monitor on-chain trading activity for tokenized securities listed on CMA-authorized platforms. The surveillance system processes approximately 15,000 on-chain transactions daily as of Q1 2026.
Cross-Border Investor Protection
For tokenized securities with cross-border distribution:
- Saudi investor protection standards apply to all transactions executed through Saudi-licensed entities, regardless of the investor’s nationality or residence
- Foreign-domiciled investors accessing Saudi tokenized securities through cross-border custody arrangements are covered by the Saudi Investor Protection Fund
- Reciprocal investor protection agreements exist with Bahrain and the UAE, enabling coordinated complaint resolution for GCC investors
The CMA’s investor protection framework positions Saudi Arabia as the most protective jurisdiction in the Gulf for tokenized securities holders, supporting the Kingdom’s objective of attracting institutional capital to its digital securities markets.
Investor Education Initiatives
The CMA has launched dedicated investor education programs for digital asset securities:
Digital Asset Investor Awareness Program: A mandatory online course for first-time retail digital asset investors, covering blockchain basics, digital asset risks, wallet security, and regulatory protections. The course takes approximately 90 minutes and must be completed before a retail investor’s first digital asset purchase. As of March 2026, 12,400 investors have completed the program.
Fintech Saudi Coordination: Fintech Saudi coordinates industry-funded investor education campaigns, including social media content, educational webinars, and in-person workshops at Saudi universities. The campaigns target the 18-35 demographic that Vision 2030 financial inclusion objectives prioritize.
Risk Warning Standards: All digital asset marketing materials must include standardized risk warnings in Arabic and English, with specific language prescribed by the CMA. The warnings must address technology risk, liquidity risk, and the possibility of total loss. Non-compliant marketing triggers automatic CMA enforcement investigation.
Institutional Investor Guidance: For qualified and semi-qualified investors, the CMA has published guidance on digital asset portfolio risk management, custody provider due diligence, and smart contract risk assessment. This guidance reflects the CMA’s recognition that institutional investors require specialized knowledge beyond conventional securities analysis to evaluate tokenized products effectively.
FATF Standards and International Benchmarking
Saudi Arabia’s investor protection framework for digital assets benefits from the Kingdom’s FATF membership (since 2019) and G20 participation. The FATF’s updated virtual asset guidance (2023) emphasizes investor protection as a core regulatory objective alongside financial crime prevention, and the CMA’s framework is fully aligned with these international standards.
The FATF’s 2024 mutual evaluation of Saudi Arabia specifically assessed the digital asset investor protection regime, noting the comprehensive suitability assessment requirements, the extension of the Investor Protection Fund to digital assets, and the mandatory cooling-off period for first-time retail investors as areas of strength. The evaluation recommended enhanced monitoring of cross-border digital asset custody arrangements, which the CMA has addressed through updated bilateral cooperation agreements with partner jurisdictions.
International benchmarking demonstrates that Saudi Arabia’s investor protection standards for digital assets exceed those of most comparable jurisdictions. The SAR 1 million per-investor IPF coverage is the highest in the GCC region, the three-tier investor classification provides more granular access controls than the UAE VARA binary classification, and the mandatory Digital Asset Investor Awareness Program is unique among G20 jurisdictions. These protections support Vision 2030 financial inclusion objectives by ensuring that broader market access does not come at the expense of investor safety.
Complaint Resolution Framework
The CMA’s complaint resolution framework for digital asset investors operates through a structured escalation process:
Level 1 — Licensed Entity Resolution: Investors must first direct complaints to the licensed entity, which has 15 business days to respond. The entity must acknowledge receipt within 2 business days and provide a substantive response addressing the investor’s specific concerns.
Level 2 — CMA Complaint Department: If the investor is unsatisfied with the entity’s response, the complaint escalates to the CMA Complaint Department. The CMA reviews the complaint against the regulatory framework and issues a determination within 30 business days. The CMA’s determination is binding on the licensed entity.
Level 3 — Committee for Resolution of Securities Disputes (CRSD): For disputes exceeding SAR 100,000, the CRSD provides quasi-judicial resolution. The CRSD has established a dedicated panel for digital asset disputes, with members trained in blockchain technology and smart contract interpretation. CRSD decisions are enforceable as court orders under Saudi law.
As of March 2026, the CMA has received 47 complaints related to digital asset activities. Of these, 38 were resolved at Level 1, 7 at Level 2, and 2 are pending CRSD proceedings. The most common complaint categories are unauthorized fee charges (15 complaints), trade execution disputes (12), and custody-related issues (8).
The CMA’s investor protection framework operates within the broader context of Saudi Arabia’s Vision 2030 financial inclusion objectives. By creating graduated access pathways — from retail investors with as little as SAR 100 to qualified institutional investors — the framework ensures that tokenization’s efficiency benefits are accessible to a broad investor base without compromising safety standards. The Saudi Digital Academy’s financial literacy programs, delivered in partnership with Fintech Saudi, complement the CMA’s mandatory awareness requirements by providing ongoing digital asset education through mobile and online channels. Elm Company’s Nafath identity platform provides the biometric verification backbone that all 34 licensed entities use for investor classification verification, ensuring consistent KYC standards that support the three-tier investor protection architecture across the entire ecosystem.
The CMA has issued 68 capital market permits across all categories, reinforcing the institutional licensing depth that underpins investor protection across the digital asset ecosystem.