CMA Digital Asset Licensing FAQ: Common Questions About Authorization
Frequently asked questions about obtaining CMA digital asset licensing in Saudi Arabia — covering application timelines, capital requirements, sandbox entry, ELDAP for existing licensees, and the 7 license categories available under the Digital Assets Regulatory Framework.
License Categories
Q: What digital asset license categories does the CMA offer?
The CMA’s Digital Assets Regulatory Framework establishes 7 license categories:
| Category | Minimum Capital (SAR) | Scope |
|---|---|---|
| Digital Asset Exchange | 50M | Operating a trading platform for tokenized securities |
| Digital Asset Broker-Dealer | 10M | Executing buy/sell orders for clients |
| Digital Asset Custodian | 25M | Safekeeping and custody of digital assets |
| Digital Asset Advisory | 2M | Providing investment advice on digital assets |
| Tokenization Platform | 15M | Issuing tokenized securities on behalf of issuers |
| Digital Asset Fund Manager | 20M | Managing investment funds holding digital assets |
| Digital Asset Distributor | 5M | Marketing and distributing digital asset products |
Q: Can one entity hold multiple license categories?
Yes. The CMA permits license bundling — a single entity can hold multiple categories. For example, a firm could hold both broker-dealer and custodian licenses. Each category’s capital requirements are additive, and compliance obligations for each category apply independently. As of Q1 2026, 8 of the 34 licensed entities hold 2 or more license categories.
Q: How do these categories differ from SAMA fintech licenses?
CMA licenses cover securities-related digital asset activities — anything involving tokenized sukuk, equity tokens, digital bonds, or commodity tokens. SAMA licenses cover payment-related activities — payment tokens, stablecoins, digital banking, and open banking. Firms whose activities span both securities and payments (e.g., a platform offering tokenized securities with integrated payment settlement) may need licenses from both regulators. The Joint Digital Assets Committee coordinates dual-licensing processes between CMA and SAMA.
Application Process
Q: What are the two pathways to CMA licensing?
CMA Sandbox: For new market entrants and firms without existing CMA licenses. The sandbox provides a controlled testing environment with limited customer exposure before full licensing. Average timeline: 14 months from application to full license. The sandbox has processed 43 participants with a 37% graduation rate.
ELDAP (Existing Licensee Digital Asset Pathway): For firms already holding CMA licenses (e.g., existing broker-dealers, asset managers) seeking to add digital asset capabilities. Average timeline: 8 months. Requires technology assessment, incremental capital, and staff competency verification rather than full sandbox testing.
Q: What does the sandbox application require?
Sandbox applications require:
- Business plan with 3-year financial projections
- Technology architecture documentation including DLT protocol selection rationale
- AML/CFT compliance program design
- Investor protection mechanisms
- Sharia compliance board engagement (if offering Sharia-certified products)
- Key personnel CVs demonstrating digital asset expertise
- SAR 1M minimum capital deposit
- Data residency and PDPL compliance plan
- Cybersecurity assessment
- Exit plan (how clients would be protected if the firm exits during sandbox)
Processing time from application submission to sandbox entry averages 90 days (60 days for Fintech Saudi accelerator graduates with fast-track access).
Q: What happens during the sandbox period?
Sandbox participants operate under controlled conditions for 12-24 months:
- Limited customer base (typically 50-500 users)
- Transaction volume caps
- Enhanced CMA reporting (monthly rather than quarterly)
- Dedicated CMA relationship manager
- Testing against Tadawul’s digital platform sandbox environment
- Edaa sandbox API integration testing
- Regular compliance reviews and technology assessments
Graduation to full license requires demonstrating operational stability, AML/CFT compliance effectiveness, technology resilience, and financial sustainability during the sandbox period.
Q: What is the ELDAP process for existing licensees?
ELDAP involves:
- Digital asset capability assessment (Month 1-2) — CMA evaluates the firm’s technology infrastructure readiness for DLT integration
- Gap analysis (Month 2-3) — Identifying required investments in technology, compliance, and personnel
- Implementation (Month 3-6) — Building digital asset capabilities, hiring staff, integrating with Tadawul platform
- CMA review (Month 6-8) — Final assessment and license category addition
- Operational launch (Month 8) — Digital asset activities commence
Four Saudi banks have used ELDAP to add digital asset capabilities to their existing CMA-licensed broker-dealer operations.
Capital and Financial Requirements
Q: Are capital requirements paid upfront?
Yes. Minimum capital must be deposited in a Saudi bank before license issuance. Capital is maintained throughout the license period — the CMA conducts quarterly capital adequacy reviews. Falling below minimum capital triggers a 90-day remediation period before potential license suspension.
Q: What insurance requirements apply?
Digital asset custodians must maintain SAR 65M in professional indemnity insurance covering client asset loss through operational failure, cyber breach, or key management failure. Other license categories require SAR 5-20M in professional indemnity insurance depending on the category and transaction volume.
Q: What are the ongoing fee obligations?
Licensed entities pay annual supervision fees to the CMA ranging from SAR 50,000 (advisory) to SAR 500,000 (exchange). Transaction-based fees apply for entities using Tadawul’s digital platform and Edaa’s settlement services.
Compliance Requirements
Q: What AML/CFT obligations apply to licensed entities?
All licensed entities must comply with the joint CMA-SAMA AML/CFT framework, which requires:
- Blockchain analytics tools for transaction monitoring
- Travel Rule compliance for transfers above SAR 3,750 (aligned with FATF standards — Saudi Arabia has been a FATF member since 2019)
- Suspicious transaction reporting to SAFIU within 24 hours
- Customer due diligence using Absher/Nafath government ID verification
- Enhanced due diligence for politically exposed persons (PEPs) and high-risk jurisdictions
- Annual AML/CFT program audit by an independent auditor
- Staff AML/CFT training (minimum 20 hours annually)
Q: What disclosure requirements apply?
CMA disclosure requirements mandate:
- Prospectus/offering document for each tokenized security issued
- Technology risk disclosure covering DLT protocol, smart contract, and custody risks
- Smart contract audit reports from CMA-approved auditors
- Sharia compliance certification (if Sharia-certified)
- Quarterly financial reporting
- Material event disclosure within 24 hours
- Beneficial ownership transparency
Q: What Sharia compliance obligations exist?
If offering Sharia-certified tokenized securities, licensed entities must:
- Engage a CMA-recognized Sharia board (minimum 3 qualified scholars)
- Obtain Sharia certification before each product launch
- Implement continuous Sharia monitoring (automated or manual)
- Disclose Sharia compliance methodology in offering documents
- Report Sharia non-compliance events to the CMA within 48 hours
Sharia certification is mandatory for all tokenized sukuk and optional for other instrument types. 85% of outstanding tokenized securities carry Sharia certification.
Technology Requirements
Q: Which blockchain protocols are approved?
The CMA’s Securities Tokenization Standards approve 5 protocols: R3 Corda (used by Tadawul’s platform), Ethereum (ERC-3643 standard), Hyperledger Fabric, Polygon zkEVM, and Hedera Hashgraph. Additional protocols may be approved following Saudi Blockchain Lab evaluation and CMA review.
Q: What smart contract requirements apply?
All smart contracts deployed in production for tokenized securities must:
- Complete formal verification or third-party audit by a CMA-approved auditor
- Include regulatory compliance logic (investor classification verification, AML/CFT screening triggers, Sharia compliance enforcement)
- Support emergency pause functionality controllable by the CMA
- Maintain upgradability without disrupting existing token holders
- Pass penetration testing against CMA-specified attack vectors
Q: What data residency requirements apply?
All DLT nodes, KYC databases, and transaction data must be hosted within Saudi Arabia. International firms must establish Saudi-based data processing infrastructure before license issuance. Cloud hosting is permitted only on Saudi-region cloud infrastructure from CMA-approved providers.
International Considerations
Q: Can international firms obtain CMA digital asset licenses?
Yes. International firms may apply through the CMA sandbox or through the Fintech Saudi international partnership program. Requirements include Saudi-based legal entity establishment, local data residency, appointment of Saudi-resident compliance officer, and compliance with all Kingdom-wide regulations including PDPL data protection.
Q: How does Saudi licensing compare to other jurisdictions?
Saudi Arabia’s framework is the most comprehensive in the GCC in terms of license categories and investor protection. Key comparisons: Saudi CMA vs. UAE VARA, GCC regulatory comparison, international frameworks comparison.
Q: Are there bilateral recognition agreements?
The CMA has executed 4 bilateral cooperation agreements with GCC regulators (ADGM, VARA, DFSA, CBB) and 11 agreements with international regulators. These cover information sharing and supervisory cooperation but do not provide automatic license recognition — each jurisdiction requires separate licensing.
Additional Resources
- CMA Framework — Complete regulatory coverage
- SAMA Fintech — Payment and fintech regulation
- Capital Markets — Market infrastructure
- Guides — Step-by-step process guides including the CMA sandbox application guide
- Glossary — Key terminology
Saudi FinTech Strategy 2025 and Licensing Pipeline
The CMA’s digital asset licensing framework operates within the institutional context established by the Saudi FinTech Strategy 2025 — the joint SAMA-CMA policy initiative targeting 150 licensed fintech entities by 2030 across both regulators. The 34 CMA-licensed digital asset entities as of Q1 2026 represent approximately 23% of this target, with the licensing pipeline accelerating as Fintech Saudi accelerator cohorts produce sandbox-ready applicants at increasing rates.
The CMA FinTech Lab — a 12-person team within the CMA’s Technology and Innovation Division — provides pre-application guidance to prospective licensees, reducing the average sandbox application rejection rate from 45% in 2023 to 28% in 2025. The Lab’s Implementation Guide covers technology architecture requirements, AML/CFT program design templates, and investor protection mechanism specifications that applicants must address.
PIF’s exploration of tokenization for portfolio company equity creates institutional demand for CMA-licensed entities capable of handling sovereign-scale tokenization. The Tadawul digital platform requires CMA-licensed broker-dealers, custodians, and advisory firms to provide the full-service infrastructure for institutional tokenized securities trading — creating commercial incentives for existing financial institutions to pursue ELDAP authorization.
Elm Company’s Nafath digital identity platform integrates directly into the CMA licensing infrastructure, providing the KYC verification backbone that all licensed entities rely on for investor onboarding and AML/CFT compliance. The Saudi Digital Academy’s “Capital Markets Digital Infrastructure” certification program has trained 120 professionals in digital asset regulatory compliance, building the workforce pipeline that licensed entities need for compliance officer and technology staff positions.
Saudi Arabia’s FATF membership (since 2019) provides the international credibility framework within which CMA digital asset licenses operate. The FATF’s 2024 mutual evaluation rated Saudi Arabia “largely compliant” across all digital asset-relevant recommendations, validating the CMA’s licensing standards against global benchmarks and providing international firms with confidence to pursue Saudi licensing. The CMA’s international cooperation agreements with 11 regulators — including informal dialogue with the SEC and ESMA — facilitate cross-border regulatory coordination for internationally active licensed entities.
The Saudi Blockchain Lab’s protocol evaluation work directly informs the CMA’s approved protocol list — the 5 currently approved blockchain protocols were selected based on the Lab’s 42-criteria assessment framework covering performance, security, regulatory compliance, and Sharia compatibility. Licensed entities seeking to deploy on additional protocols must submit evaluation requests through the Lab’s assessment process before CMA approval.
The GCC regulatory comparison demonstrates that Saudi Arabia’s 7-category licensing framework is the most granular in the region — UAE VARA offers 4 categories, while Bahrain CBB operates a 3-category system. This granularity enables specialized entities to obtain precisely scoped authorization, reducing compliance burden for firms focused on a single activity (such as custody or advisory) while providing comprehensive oversight across the full value chain.
The CMA’s international cooperation agreements with SEC, ESMA, and 9 additional regulators facilitate cross-border licensing coordination for internationally active firms seeking Saudi digital asset authorization. The IOSCO principles for securities regulation inform the CMA’s licensing standards, ensuring that Saudi digital asset licensing meets international benchmarks for market integrity and investor protection across all 7 license categories. The CMA’s Digital Assets Division — staffed with 45 regulatory professionals — provides the supervisory capacity to monitor all licensed entities for ongoing compliance with licensing conditions, capital adequacy requirements, and operational standards.
Prospective applicants should engage Fintech Saudi’s regulatory navigation service as a first step, which provides no-cost pre-application assessment including license category recommendation, estimated capital requirements, and indicative timeline based on the applicant’s specific business model and regulatory history.
For FAQ inquiries: info@sauditokenisation.com