DeFi Considerations for the Saudi Market: Regulatory Position and Institutional Exploration
Decentralized finance protocols remain outside Saudi Arabia's formal regulatory perimeter as of March 2026 — the CMA and SAMA have adopted a monitor-and-assess approach while 3 sandbox participants explore regulated DeFi service integration and institutional DeFi access through permissioned protocol deployments.
Regulatory Position on DeFi
The CMA’s Digital Assets Regulatory Framework does not explicitly address decentralized finance. This is deliberate — the CMA has stated in regulatory consultation documents that DeFi’s permissionless, pseudonymous characteristics are fundamentally incompatible with Saudi Arabia’s securities regulation model, which requires identified intermediaries, licensed operators, and centralized accountability.
The regulatory position can be summarized as follows:
Prohibited activities: Saudi residents are prohibited from operating unlicensed exchanges, lending platforms, or derivatives protocols — which encompasses most public DeFi applications. The CMA’s enforcement framework has issued 4 warnings regarding unauthorized DeFi platform marketing targeting Saudi investors.
Permitted exploration: CMA sandbox participants may explore DeFi protocol integration within controlled environments. Three sandbox participants are testing specific DeFi functionalities — automated market making for tokenized securities, programmable yield distribution for tokenized sukuk, and collateralized lending against digital securities.
Institutional access: The CMA has not prohibited qualified investors from accessing international DeFi protocols, provided that such activities do not constitute offering unauthorized securities services within Saudi Arabia. This creates a grey area that institutional investors and family offices navigate through offshore structures.
Why DeFi Matters for Saudi Tokenization
Despite the regulatory constraints, DeFi protocol innovation is directly relevant to Saudi Arabia’s tokenization infrastructure:
Automated Market Making (AMM): Tadawul’s digital securities platform currently relies on 3 designated market makers maintaining continuous two-sided quotes with 15-25 bps average spreads. AMM protocols could supplement traditional market making for less liquid digital securities, reducing spread costs and improving price discovery. One CMA sandbox participant is testing a permissioned AMM for tokenized corporate sukuk with known, KYC-verified liquidity providers.
Programmable Yield: Tokenized sukuk profit distributions currently flow through conventional payment channels via Edaa. DeFi-inspired smart contract architecture could automate yield distribution directly to token holder wallets, reducing settlement costs and eliminating the T+2 payment lag for profit distributions. This is technically a smart contract enhancement rather than DeFi per se, but the engineering draws directly from DeFi protocol design.
Collateralized Lending: Institutional holders of tokenized securities seek to use those holdings as collateral for SAR financing without selling the underlying tokens. DeFi lending protocol mechanics — over-collateralization, liquidation triggers, automated margin calls — provide the technical architecture for building this functionality within SAMA’s regulatory framework.
Cross-Border Liquidity: GCC tokenization interoperability requires liquidity bridges between Saudi, UAE, and Bahraini digital securities markets. DeFi bridge protocols, adapted for permissioned environments, offer technical solutions for cross-border tokenized securities settlement without requiring a centralized intermediary.
Permissioned DeFi: The Saudi Approach
The Saudi Blockchain Lab has published research identifying “permissioned DeFi” as the viable pathway for integrating DeFi protocol innovation within Saudi Arabia’s regulatory architecture. The concept preserves DeFi’s automation and efficiency benefits while satisfying regulatory requirements for:
| Requirement | Public DeFi | Permissioned DeFi (Saudi Model) |
|---|---|---|
| Operator identification | Anonymous/pseudonymous | CMA-licensed entity required |
| User identification | Pseudonymous wallets | KYC-verified via investor protection framework |
| AML/CFT compliance | No screening | FATF-compliant transaction monitoring |
| Sharia compliance | Not applicable | Mandatory Sharia board certification |
| Regulatory oversight | None | CMA and SAMA supervision |
| Data residency | Global nodes | Saudi-hosted infrastructure |
| Dispute resolution | Code is law | Saudi arbitration and CMA enforcement |
| Investor protection | Caveat emptor | Three-tier investor classification |
The permissioned DeFi model deploys DeFi protocol smart contracts on R3 Corda (the same DLT protocol powering Tadawul’s platform) rather than public Ethereum or Solana. Participation is restricted to CMA-licensed entities and KYC-verified investors. Smart contracts include regulatory compliance logic — automated Sharia screening, investor classification verification, and AML/CFT transaction monitoring.
Sandbox Exploration: Three Active Pilots
Three CMA sandbox participants are exploring DeFi-adjacent functionalities:
Pilot 1 — Permissioned AMM for Corporate Sukuk: A CMA sandbox participant is testing an automated market making protocol for tokenized corporate sukuk listed on Tadawul’s digital platform. The protocol uses a constant-product formula adapted for fixed-income securities, with liquidity provided by 5 institutional participants. Early results show a 40% reduction in bid-ask spreads compared to the traditional market making arrangement for the same instruments.
Pilot 2 — Automated Sukuk Yield Distribution: Testing smart contract-based automatic distribution of sukuk profit payments to token holder wallets. The pilot processes distributions for a SAR 200 million tokenized sukuk issuance, reducing distribution time from T+2 to T+0 and eliminating manual reconciliation between Edaa and paying agents.
Pilot 3 — Tokenized Securities Lending: Testing a permissioned lending protocol where institutional holders of tokenized securities can borrow SAR against their holdings through over-collateralized smart contracts. The protocol integrates real-time price feeds from Tadawul, automated margin calls, and SAMA-supervised settlement of SAR loan proceeds.
Risk Assessment
The CMA and Saudi Blockchain Lab have identified specific risks associated with DeFi protocol integration:
Smart Contract Risk: DeFi protocols depend entirely on smart contract code. Vulnerabilities in AMM, lending, or bridge contracts could result in loss of tokenized securities or SAR collateral. The CMA’s securities tokenization standards require formal verification and third-party audit for all smart contracts deployed in production.
Oracle Risk: DeFi protocols require external price feeds (oracles) for liquidation triggers, margin calculations, and yield computation. Oracle manipulation could trigger unauthorized liquidations of tokenized securities collateral. The CMA requires that oracle price feeds for Tadawul-listed digital securities come exclusively from Tadawul’s official market data feed.
Liquidity Risk: AMM protocols can suffer impermanent loss and liquidity withdrawal cascades. For tokenized sukuk and equity tokens with limited float, AMM liquidity concentration risks are amplified.
Regulatory Arbitrage Risk: Saudi investors accessing international DeFi protocols through VPNs or offshore accounts circumvent CMA investor protection requirements. The CMA has flagged this as an enforcement priority under the anti-money laundering framework.
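The feed restriction described under Oracle Risk and the margin logic of Pilot 3 can be combined into a single guard, sketched here in Python as an added example (not code from the page or from any sandbox participant): a price update may drive a margin call or liquidation only if it is authentic, fresh, and from the one approved source. The HMAC scheme, key, source identifier, staleness limit and collateral ratios are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# All names and values below are constructed for illustration.
FEED_KEY = b"constructed-demo-key"      # stands in for the feed's authentication key
APPROVED_SOURCE = "TADAWUL_OFFICIAL"    # hypothetical source identifier
MAX_AGE_S = 5                           # assumed staleness limit, in seconds
MARGIN_CALL_RATIO = 1.50                # assumed thresholds, not from the page
LIQUIDATION_RATIO = 1.20


def sign(update: dict, key: bytes = FEED_KEY) -> str:
    """Tag a price update the way the (assumed) feed publisher would."""
    body = json.dumps(update, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def accept_update(update: dict, tag: str, now: float) -> bool:
    """Accept only authentic, fresh updates from the single approved source."""
    if update.get("source") != APPROVED_SOURCE:
        return False
    if not hmac.compare_digest(sign(update), tag):
        return False
    age = now - update.get("ts", 0)
    return 0 <= age <= MAX_AGE_S


def margin_action(units: int, loan_sar: float, update: dict, tag: str, now: float) -> str:
    """Decide the loan's state; a rejected feed never changes it."""
    if not accept_update(update, tag, now) or update.get("price", 0) <= 0:
        return "REJECT_FEED"
    ratio = units * update["price"] / loan_sar
    if ratio < LIQUIDATION_RATIO:
        return "LIQUIDATE"
    if ratio < MARGIN_CALL_RATIO:
        return "MARGIN_CALL"
    return "OK"


if __name__ == "__main__":
    good = {"source": APPROVED_SOURCE, "isin": "SA-DEMO-0001", "price": 98.0, "ts": 1000.0}
    forged = dict(good, price=40.0)     # price altered after signing
    print(margin_action(2000, 100_000, good, sign(good), now=1002.0))
    print(margin_action(2000, 100_000, forged, sign(good), now=1002.0))
```

Without the guard, the altered price of 40.0 would put the constructed loan at a collateral ratio of 0.8 and liquidate it; with the guard the update is discarded and the position is untouched.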
FATF and International Coordination
Saudi Arabia’s FATF membership (since 2019) imposes specific obligations regarding DeFi:
The FATF’s Updated Guidance on Virtual Assets (2021) applies the Travel Rule to DeFi protocols where an identifiable intermediary exists. Saudi Arabia’s position — restricting DeFi to permissioned environments with licensed operators — aligns with the FATF recommendation that virtual asset service providers (VASPs) maintain regulatory compliance regardless of the underlying technology architecture.
The CMA’s international regulatory cooperation agreements include DeFi monitoring provisions with counterpart regulators in the UAE (VARA), Singapore (MAS), and the UK (FCA). Information sharing on cross-border DeFi enforcement actions supports Saudi Arabia’s regulatory monitoring capabilities.
Outlook
The CMA’s regulatory roadmap indicates that formal DeFi-specific regulation may be developed by 2028, informed by sandbox pilot results and international regulatory developments. The most likely outcome is an extension of the existing digital assets regulatory framework to cover specific DeFi functionalities — AMM, lending, yield aggregation — within permissioned, licensed environments.
Vision 2030 financial sector objectives do not explicitly mention DeFi, but the program’s emphasis on financial innovation, digital payment adoption (70% target), and capital markets depth creates the policy space for regulated DeFi integration. The Fintech Saudi accelerator program has included DeFi infrastructure as a target sector since 2025, signaling institutional openness to regulated DeFi innovation.
Institutional DeFi Infrastructure and PIF Exploration
The Public Investment Fund’s technology portfolio includes investments in blockchain infrastructure companies internationally, positioning PIF to evaluate institutional DeFi applications for its portfolio management operations. While PIF has not publicly announced DeFi-specific initiatives, the fund’s engagement with Tadawul on digital securities infrastructure and its interest in tokenization for portfolio companies suggests that permissioned DeFi capabilities — particularly securities lending and automated treasury management — may become relevant to sovereign-scale investment operations.
The Saudi Digital Academy has introduced a “Decentralized Financial Protocols” module within its Digital Capital Markets certification program, training 40 regulatory and compliance professionals on DeFi protocol architecture, smart contract risk assessment for automated market makers, and the specific AML/CFT challenges that DeFi protocols present. This training investment signals institutional preparation for regulated DeFi integration even before formal regulatory frameworks are established.
The CMA FinTech Lab maintains a dedicated DeFi monitoring desk that tracks international DeFi protocol developments, security incidents, and regulatory responses across the 11 jurisdictions covered by the CMA’s bilateral cooperation agreements. Intelligence from this monitoring desk informs both the CMA’s enforcement priorities (identifying unauthorized DeFi platform marketing targeting Saudi residents) and the regulatory development roadmap for eventual DeFi-specific regulation. The SEC’s enforcement-led approach to DeFi in the US and ESMA’s MiCA regime in Europe provide regulatory reference points that the CMA monitors through IOSCO coordination.
The Fintech Saudi-CMA accelerator has included DeFi infrastructure as a target sector since Cohort 2 (2025), with one startup building Sharia-compliant permissioned AMM infrastructure and another developing institutional-grade DeFi lending protocols. The accelerator’s SAR 100,000-500,000 non-dilutive grants and Saudi Blockchain Lab technical resources support the controlled development of DeFi capabilities within Saudi Arabia’s regulatory perimeter, ensuring that innovation occurs within CMA-supervised environments rather than in regulatory grey zones.
SAMA’s position on DeFi is closely tied to the digital riyal CBDC program. Programmable money capabilities built into the digital riyal could enable DeFi-like automated financial services — conditional payments, programmable escrow, and automated compliance — without the counterparty risks associated with privately-operated DeFi protocols. The convergence of CBDC programmability with CMA-supervised permissioned DeFi protocols represents the Kingdom’s preferred pathway for capturing DeFi’s efficiency benefits while maintaining the institutional safeguards that Vision 2030 financial sector objectives require.
The Saudi Blockchain Lab’s interoperability and cross-chain research program assesses DeFi bridge security and multi-ledger settlement architectures, providing the technical analysis that informs the CMA’s DeFi regulatory development. The Lab’s evaluation of cross-chain protocols against 42 criteria — including security, regulatory compliance, and Sharia compatibility — applies to DeFi bridge contracts that would enable cross-chain settlement between Saudi tokenized securities on R3 Corda and DeFi liquidity pools on other approved protocols.
Saudi Arabia’s FATF membership (since 2019) constrains the regulatory approach to DeFi — the FATF’s Updated Guidance on Virtual Assets requires that DeFi protocols with identifiable intermediaries comply with Travel Rule and AML/CFT requirements. The CMA’s approach of restricting DeFi to permissioned environments with licensed operators directly implements FATF guidance, ensuring that Saudi DeFi innovation maintains the international compliance standards that institutional investors require.
The Elm Company’s Nafath digital identity platform could provide the identity layer that makes permissioned DeFi viable — enabling KYC-verified participants to access DeFi protocols while maintaining the investor protection and AML/CFT compliance that the CMA mandates.
The Saudi Digital Academy’s blockchain engineering programs include DeFi protocol design modules, building the technical workforce for regulated DeFi development within the Kingdom’s expanding digital asset ecosystem.
PIF’s exploration of tokenization for portfolio company equity could eventually intersect with institutional DeFi — using automated market makers for secondary market liquidity provision in tokenized PIF securities alongside traditional Tadawul market-making arrangements.
The GCC cooperation framework on digital asset regulation includes DeFi harmonization discussions, with Saudi Arabia’s permissioned DeFi approach serving as a potential model for GCC-wide regulatory coordination on decentralized financial services.
The Edaa custodian-of-last-resort mechanism could extend to DeFi-based settlement by providing the institutional safety net that permissioned DeFi protocols require to meet CMA custody standards.
The digital riyal programmable payment capabilities represent the most promising convergence pathway — enabling DeFi-like automation within CBDC-settled tokenized securities trades that carry zero counterparty risk on the payment leg, positioning Saudi Arabia’s regulated DeFi approach as a model for institutional digital finance innovation.
The CMA’s DeFi monitoring desk — tracking developments across 11 jurisdictions — provides the intelligence foundation for iterative regulatory calibration, ensuring that Saudi Arabia’s permissioned DeFi framework evolves in response to international best practices and emerging risk patterns observed in both regulated and unregulated DeFi markets globally.
SAMA’s achievement of 79% cashless transaction penetration by 2025 — exceeding the original 70% target — demonstrates the digital payment infrastructure readiness that permissioned DeFi protocols require for SAR-settled automated financial services within the Kingdom’s regulated environment.