
Saudi vs UAE: Digital Asset Custody Regulatory Comparison

Side-by-side comparison of digital asset custody regulations in Saudi Arabia and the UAE — covering capital requirements, cold storage mandates, proof-of-reserves obligations, and insurance minimums across the two Gulf custody markets.


SAR 3.8 billion in assets under custody across 11 Saudi-licensed custodians versus approximately AED 8 billion across 15 UAE-licensed custodians makes the Saudi-UAE custody comparison the most commercially significant in the GCC digital asset space. This analysis compares the custody regulatory frameworks of the two largest Gulf economies, covering capital requirements, cold storage mandates, proof-of-reserves obligations, insurance minimums, and operational standards.

Custody License Requirements

| Requirement | Saudi CMA | UAE (VARA + ADGM) |
|---|---|---|
| Minimum capital | SAR 25M (~$6.7M) | AED 5M (~$1.4M) VARA / $2M ADGM |
| Board requirements | 2+ directors with cybersecurity/blockchain qualifications | 2+ directors (general) |
| Physical presence | Mandatory Saudi infrastructure | UAE jurisdiction required |
| Insurance minimum | SAR 65M combined | AED 15M (VARA) / Case-by-case (ADGM) |
| Annual audit | CMA-approved auditor with digital asset certification | Licensed auditor |
| License processing | 8-14 months | 4-8 months (VARA) / 6-12 months (ADGM) |

Saudi Arabia’s custody capital requirement is approximately 5x VARA’s and 3x ADGM’s, reflecting the CMA’s position that digital asset custodians must maintain institutional-grade financial resilience to protect the Kingdom’s capital markets integrity.

Cold Storage and Key Management

| Standard | Saudi CMA | UAE VARA | UAE ADGM |
|---|---|---|---|
| Cold storage minimum | 95% | 70% | 80% |
| Hot wallet maximum | 5% | 30% | 20% |
| HSM certification | FIPS 140-2 Level 3+ | FIPS 140-2 Level 2+ | FIPS 140-2 Level 2+ |
| Data residency | Mandatory Saudi | UAE preferred | ADGM preferred |
| Multi-signature | 3-of-5 minimum | 2-of-3 minimum | 2-of-3 minimum |
| Key ceremony witness | CMA-approved auditor | Not required | Not required |
| Key share distribution | 2+ Saudi locations | Single location | Single location |

The 95% versus 70% cold storage differential is the most operationally significant difference. Saudi custodians must maintain extraordinarily high cold-to-hot ratios, limiting the assets available for immediate withdrawal to just 5% of total custody. This creates operational challenges for custody providers serving active trading clients, but dramatically reduces the attack surface for cyber theft — the primary risk vector for digital asset custody.

The Saudi requirement for FIPS 140-2 Level 3 HSMs (versus Level 2 in the UAE) imposes higher hardware costs. Level 3 certification requires physical tamper resistance and identity-based authentication, adding approximately SAR 500,000-1,000,000 per HSM deployment compared to Level 2 alternatives.

Proof-of-Reserves

| Requirement | Saudi CMA | UAE VARA | UAE ADGM |
|---|---|---|---|
| Frequency | Quarterly | Annual | Semi-annual |
| On-chain verification | Mandatory | Recommended | Not required |
| Independent auditor | CMA-approved, digital asset certified | Licensed auditor | Licensed auditor |
| Public disclosure | Summary required on website | Not required | Not required |
| Penalty for non-compliance | SAR 500K auto-penalty + 30-day cure | Case-by-case | Case-by-case |

Saudi Arabia’s quarterly proof-of-reserves with mandatory on-chain verification and public disclosure is the most rigorous in the Gulf. The requirement for on-chain cryptographic proof ensures that the custody provider demonstrates actual control of the blockchain addresses claimed to hold client assets — not merely an auditor’s assertion of balance. This standard was influenced by global crypto exchange collapses where custodians made false claims about asset reserves.

Segregation Standards

| Requirement | Saudi CMA | UAE VARA | UAE ADGM |
|---|---|---|---|
| Client-level segregation | Mandatory individual wallets | Permitted omnibus | Segregated sub-accounts |
| On-chain verifiability | Mandatory | Not required | Recommended |
| Custodian asset separation | Complete infrastructure separation | Logical separation | Logical separation |

Saudi Arabia’s prohibition on omnibus wallet structures is a fundamental divergence from the UAE approach. In Saudi Arabia, each client’s digital assets must be held in individually identifiable wallets, traceable on-chain to specific blockchain addresses. VARA permits omnibus wallets where multiple clients’ assets are held in a single blockchain address, with internal records maintaining individual entitlements. The Saudi approach provides stronger protection in the event of custodian insolvency (each client’s assets are identifiable and separable), while the UAE approach offers operational efficiency and lower cost.

Insurance Coverage

| Coverage | Saudi CMA | UAE VARA |
|---|---|---|
| Professional Indemnity | SAR 25M | AED 5M |
| Cyber Insurance | SAR 25M | AED 5M |
| Crime Insurance | SAR 10M | AED 3M |
| D&O Insurance | SAR 5M | AED 2M |
| Total minimum | SAR 65M (~$17.3M) | AED 15M (~$4.1M) |

The 4.2:1 insurance coverage ratio reflects Saudi Arabia’s expectation that custody failures in a market handling tokenized securities linked to the $2.7 trillion Tadawul exchange must be insured at levels consistent with conventional securities custody. Only 4 global insurance carriers currently offer Saudi digital asset custody policies meeting CMA specifications, compared to approximately 10 carriers offering UAE-compliant policies.

Disaster Recovery and Business Continuity

| Standard | Saudi CMA | UAE VARA |
|---|---|---|
| RTO | 4 hours | 24 hours |
| RPO | Zero data loss | Minimal data loss |
| Geographic redundancy | 2+ Saudi cities | UAE jurisdiction |
| Annual DR testing | Mandatory with CMA reporting | Recommended |
| Client notification | 2 hours post-disruption | Reasonable time |

Saudi Arabia’s 4-hour RTO is 6x more demanding than VARA’s 24-hour standard, and the zero RPO (no data loss) requirement mandates synchronous replication between geographically distributed sites — an infrastructure investment of SAR 2-5M above what asynchronous replication would require.

Custodian of Last Resort

Saudi Arabia designates Edaa as the custodian of last resort for tokenized securities, ensuring continuity if a licensed custodian fails. The UAE has no equivalent provision — if a UAE custodian fails, the resolution process relies on general insolvency law without a designated institutional backstop for digital asset recovery.

Cross-Border Custody

For international investors accessing both markets, the custody comparison creates practical implications:

Saudi cross-border custody: International custodians must establish Saudi-subsidiary operations meeting all CMA standards, including Saudi data residency and FIPS 140-2 Level 3 HSMs located within the Kingdom. Three international custody specialists have completed this process.

UAE cross-border custody: VARA and ADGM both permit international custodians to operate through branches or subsidiaries, with more flexible data residency requirements that allow key management infrastructure in partner jurisdictions.

The CMA’s bilateral cooperation agreements include custody-specific provisions enabling supervisory information sharing between Saudi and UAE custody regulators. These provisions support the planned GCC cross-border trading framework where an investor may hold tokenized securities from one jurisdiction in a custodian licensed in another.

Market Implications

Saudi Arabia’s premium custody standards serve the Kingdom’s strategic objective of positioning its tokenized securities market for institutional capital. The higher standards create costs (SAR 65M insurance, 95% cold storage, quarterly proof-of-reserves) that filter the custodian market toward well-capitalized, operationally mature institutions. The UAE’s lower thresholds attract a broader custodian base, including specialized crypto custodians that may not meet Saudi standards, but provide faster market entry for emerging custody providers.

For institutions evaluating digital asset custody across the Gulf, the Saudi standard represents the highest available protection level, while the UAE offers competitive alternatives at lower cost for entities with smaller custody volumes or less stringent investor protection requirements.

FATF Compliance and Cross-Border Custody Standards

Both Saudi Arabia and the UAE are FATF members, ensuring that custody AML/CFT standards meet international benchmarks. However, the FATF’s 2024 mutual evaluations revealed different compliance postures:

Saudi Arabia: Rated “largely compliant” with FATF digital asset standards. The CMA’s custody framework requires mandatory blockchain analytics integration, real-time transaction monitoring, and enhanced due diligence for unhosted wallet transfers. Custodians must file STRs within 24 hours — one of the shortest deadlines globally.

UAE: Rated “partially compliant” in several FATF assessment categories related to virtual asset supervision. VARA’s custody AML requirements are comprehensive but the multi-regulator structure (VARA, ADGM, SCA) creates potential supervisory gaps that the FATF evaluation highlighted.

For international institutional investors evaluating custody jurisdiction, Saudi Arabia’s stronger FATF compliance rating provides an advantage. Sovereign wealth funds, pension funds, and global asset managers subject to their own AML/CFT compliance obligations prefer custodians in jurisdictions with strong FATF standing, reducing the compliance risk assessment burden.

Emerging Technology Standards

Both jurisdictions are developing next-generation custody standards:

Saudi Arabia: The CMA is developing quantum-safe cryptography requirements (expected 2028) and multi-party computation (MPC) custody standards that would supplement or replace traditional multi-signature cold storage. The Saudi Blockchain Lab is coordinating research into post-quantum key management that would protect custodied assets against future quantum computing threats.

UAE: VARA is exploring decentralized custody models and DeFi-integrated custody arrangements. Abu Dhabi’s ADGM has published consultation papers on smart contract-based custody (where custody logic is encoded in self-executing contracts rather than managed by human operators). These approaches are more innovative but carry higher technology risk than Saudi Arabia’s conservative evolution of proven custody models.

The custody standards comparison ultimately reflects each jurisdiction’s positioning strategy. Saudi Arabia’s CMA framework prioritizes institutional safety and FATF compliance at the cost of higher entry barriers, creating a custody market dominated by well-capitalized institutions serving Tadawul-listed digital securities. The UAE prioritizes market breadth and innovation at the cost of lower minimum standards, creating a custody market serving a wider range of digital assets including both regulated securities and unregulated virtual assets. For entities serving institutional capital — the primary target of Saudi Arabia’s Vision 2030 financial sector strategy — Saudi custody standards provide the regulatory credibility that institutional mandates require.

Institutional Infrastructure Depth

Saudi Arabia’s custody standards benefit from the Kingdom’s broader institutional infrastructure. Elm Company’s Nafath digital identity platform provides the KYC verification layer used by all 11 CMA-licensed custodians, ensuring consistent identity verification standards across the custody ecosystem. The Saudi Digital Academy’s “Digital Asset Safekeeping” certification has trained 45 custody operations professionals, addressing the talent pipeline that custodians identified as their primary scaling constraint. The Saudi Blockchain Lab’s HSM evaluation research — conducted in partnership with KAUST — directly informed the CMA’s Approved HSM Registry that specifies permissible key management hardware for custody operations.

The Public Investment Fund’s exploration of tokenization for portfolio company equity creates potential custody demand at sovereign scale. PIF’s approximately $1 trillion in assets under management — if even partially tokenized — would require custody infrastructure of a scale that only Saudi Arabia’s institutional-grade standards are designed to support. This sovereign-scale custody demand reinforces the CMA’s strategy of high minimum capital requirements (SAR 25M) and stringent cold storage mandates (95%) — standards calibrated for institutional rather than retail custody volumes. The UAE’s lower barriers (AED 5M capital, 70% cold storage) reflect a market designed for broader participation but with correspondingly lower institutional safeguards. For international sovereign wealth funds, pension funds, and central banks evaluating GCC custody options for tokenized securities portfolios, Saudi Arabia’s custody framework provides the regulatory certainty and institutional protection that fiduciary mandates demand.

The SEC qualified custodian concept and ESMA’s MiCA custody provisions serve as international reference points that both Saudi and UAE frameworks draw upon, though Saudi Arabia’s 95% cold storage mandate exceeds both international benchmarks, reflecting the CMA’s deliberately conservative approach to digital asset safekeeping.

PIF’s exploration of tokenization for portfolio company equity creates institutional demand for custody infrastructure capable of handling sovereign-scale digital securities — positioning the Saudi CMA custody framework as the standard for institutional-grade digital asset safekeeping in the GCC. The Saudi Digital Academy’s custody operations training, Elm Company’s Nafath identity integration, and the Saudi Blockchain Lab’s HSM architecture research collectively provide the institutional infrastructure depth that supports Saudi Arabia’s premium custody standard. The Fintech Saudi ecosystem facilitates coordination between CMA-licensed custodians and international institutional investors requiring cross-border custody arrangements for Saudi tokenized securities. International custodians evaluating GCC market entry should note that Saudi Arabia’s 11 licensed custodians and the Edaa custodian-of-last-resort mechanism provide an investor protection infrastructure that reduces the systemic risk concerns that have historically limited institutional digital asset custody adoption in emerging markets.

For comparative analysis inquiries: info@sauditokenisation.com
