
SAMA AML/CFT Compliance for Digital Financial Services: Enhanced Framework for Fintech and Payment Providers

SAMA's enhanced AML/CFT framework for digital financial services imposes real-time transaction monitoring, blockchain analytics requirements, and SAFIU reporting obligations on all 82 licensed fintech entities — with 12 enforcement actions totaling SAR 18.4 million issued through March 2026.

SAMA’s AML/CFT framework for digital financial services applies to all 82 licensed fintech entities in Saudi Arabia, establishing requirements that exceed conventional banking AML obligations in several respects. The framework mandates real-time transaction monitoring, blockchain analytics for entities handling digital assets, and suspicious transaction reporting to the Saudi Financial Intelligence Unit (SAFIU) within 24 hours. Twelve enforcement actions totaling SAR 18.4 million have been issued through March 2026, with enforcement activity accelerating as the licensed fintech population grows.

Framework Scope

SAMA’s digital financial services AML/CFT requirements apply to:

  • Licensed payment service providers (including stc pay and all digital wallet operators)
  • Licensed fintech companies operating under SAMA authorization
  • Payment token issuers (including stablecoin operators)
  • Open banking third-party providers handling payment data
  • Digital banking licensees
  • Sandbox participants (from day one of sandbox operations)

These requirements complement the CMA’s digital asset AML/CFT framework for securities-related activities. Entities holding both SAMA and CMA authorizations must comply with both frameworks, with the SAMA-CMA Joint Digital Assets Committee providing guidance on overlapping obligations.

Customer Due Diligence

Digital Onboarding CDD

SAMA permits fully digital customer onboarding for fintech entities, with specific requirements:

Identity Verification: Integration with Saudi Arabia’s Absher national identity platform is mandatory for Saudi nationals. Non-nationals must undergo passport verification with liveness detection and document authentication. Biometric verification (facial recognition) is required for all accounts with transaction limits above SAR 20,000 per month.

Risk Assessment: Customer risk classification must be performed at onboarding and reviewed annually. SAMA prescribes a minimum 12-factor risk assessment model covering:

  • Geographic risk (residence and nationality)
  • Product/service risk (higher for payment tokens versus basic payments)
  • Channel risk (digital-only versus hybrid channels)
  • Transaction profile risk (expected versus actual volumes)
  • Occupation and source of income risk
  • PEP and sanctions screening results

Ongoing Monitoring: Transaction monitoring must be continuous and automated. SAMA does not accept manual transaction review for digital financial service providers with more than 10,000 active customers.

Enhanced Due Diligence Triggers

EDD requirements mirror the CMA framework and additionally include:

  • Rapid accumulation of payment token balances inconsistent with declared income
  • Cross-border transfers exceeding SAR 50,000 monthly through digital channels
  • Multiple accounts across different SAMA-licensed fintech providers linked to the same identity
  • Transactions with counterparties in FATF grey-list or black-list jurisdictions

Blockchain Analytics for Payment Token Activities

All entities handling payment tokens or stablecoins must deploy blockchain analytics capable of:

  • Real-time sanctions screening of wallet addresses
  • Transaction risk scoring incorporating counterparty history
  • Identification of funds originating from or destined for mixing services, darknet markets, or ransomware-associated wallets
  • Self-custody wallet risk assessment for transfers to/from unhosted wallets
  • Cross-chain transaction tracking where applicable

SAMA accepts the same three approved blockchain analytics providers as the CMA: Chainalysis, Elliptic, and Crystal Blockchain.

Suspicious Transaction Reporting

SAMA-licensed entities filed 892 digital financial service-related STRs with SAFIU in 2025, representing approximately 15% of all Saudi STR filings. Key reporting patterns:

  • Structuring: 34% of STRs — transactions structured to remain below reporting thresholds
  • Unusual transaction patterns: 28% — activity inconsistent with declared purpose or customer profile
  • Sanctions-related: 12% — transactions involving wallets or entities with sanctions exposure
  • Fraud indicators: 18% — patterns suggesting payment fraud, account takeover, or social engineering
  • Other: 8% — including unhosted wallet concerns and cross-border anomalies

The 24-hour STR filing deadline for digital financial services is stricter than the 48-hour deadline for conventional banking STRs, reflecting the speed at which digital transactions can be layered or dissipated.

Enforcement Record

Twelve AML/CFT enforcement actions against SAMA-licensed fintech entities through March 2026:

| Category | Actions | Total Penalties |
|---|---|---|
| Inadequate transaction monitoring | 4 | SAR 6.2M |
| CDD deficiencies | 3 | SAR 4.1M |
| Late STR filing | 2 | SAR 2.8M |
| Travel rule non-compliance | 2 | SAR 3.8M |
| Insufficient record-keeping | 1 | SAR 1.5M |

The largest single penalty — SAR 3.0M — was issued to a payment service provider for operating without automated transaction monitoring for 4 months following a system migration. SAMA’s enforcement approach has shifted from warnings (predominant in 2023-2024) to financial penalties (predominant in 2025-2026) as the fintech sector matures.

Compliance Technology Requirements

SAMA mandates specific technology capabilities for AML/CFT compliance:

Real-Time Monitoring: All transactions must be screened in real-time against sanctions lists, internal watchlists, and risk rules. Batch processing (post-transaction review) is not acceptable for digital financial services.

Machine Learning Models: Entities with more than 100,000 active customers must deploy machine learning-based transaction monitoring that adapts to evolving patterns. Rule-based systems alone are insufficient for large-scale digital payment operations.

Integrated Case Management: Compliance teams must use integrated case management systems that link alerts, investigations, STR filings, and customer records in a single platform.

Regulatory Reporting Automation: SAFIU reporting must be automated with direct system-to-system connectivity, eliminating manual STR compilation and submission.

These technology requirements create a compliance cost floor of approximately SAR 1-3 million annually for mid-size fintech entities, a significant expense that has influenced market structure toward consolidation among smaller providers.

International Coordination

SAMA participates in international AML/CFT coordination for digital financial services through:

  • FATF Virtual Assets Contact Group
  • Egmont Group financial intelligence sharing
  • Gulf Financial Crime Task Force
  • Bilateral intelligence sharing with FinCEN (US), NCA (UK), and MAS (Singapore)

SAMA’s approach to digital financial service AML/CFT has been recognized by the FATF in its 2024 mutual evaluation of Saudi Arabia as a model for integrating blockchain analytics into the conventional AML framework, providing reference for other jurisdictions developing similar capabilities. Saudi Arabia has been a FATF member since 2019.

Travel Rule Implementation

The FATF Travel Rule — requiring originator and beneficiary information to accompany virtual asset transfers above the threshold — is fully implemented in Saudi Arabia:

Threshold: SAR 3,750 (approximately $1,000), aligned with the FATF minimum and consistent with the self-custody wallet regulatory position thresholds.

Required Data Fields:

  • Originator: Full name, account number (or wallet address), physical address or national ID number, institution name
  • Beneficiary: Full name, account number (or wallet address), institution name

Messaging Protocols: SAMA accepts Travel Rule compliance through TRUST (Travel Rule Universal Solution Technology), OpenVASP, and Sygna Bridge protocols. Licensed entities must deploy at least one Travel Rule messaging protocol and demonstrate interoperability testing with counterparties.

Sunset Exemptions: No exemptions for small transactions below the threshold — while Travel Rule data collection is not required below SAR 3,750, sanctions screening and basic counterparty identification apply to all transactions regardless of size.
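
The threshold and data-field rules above can be expressed as a pre-release gate on each transfer. This is an added example, not SAMA's or this page's own code; the field names, the reading of "basic counterparty identification", and the treatment of exactly SAR 3,750 as in scope are assumptions.

```python
from decimal import Decimal

THRESHOLD_SAR = Decimal("3750")  # Travel Rule threshold stated on this page
# Hypothetical field names: the page lists data items, not a wire format.
ACCOUNT = ("account_number", "wallet_address")        # either one
ORIGINATOR_ID = ("physical_address", "national_id")   # either one
NAMED = ("full_name", "institution_name")             # required on both sides

def present(party, field):
    value = party.get(field)
    return isinstance(value, str) and bool(value.strip())

def evaluate_transfer(transfer, sanctioned_wallets):
    """Return (decision, reasons): 'block', 'hold' or 'release'."""
    parties = {role: transfer.get(role) or {} for role in ("originator", "beneficiary")}
    blocked = {w.lower() for w in sanctioned_wallets}
    reasons = []

    # Sanctions screening applies to every transfer, whatever its size.
    for role, party in parties.items():
        wallet = str(party.get("wallet_address") or "").strip().lower()
        if wallet in blocked:
            reasons.append(f"{role}: wallet on sanctions list")
    if reasons:
        return "block", reasons

    # Basic counterparty identification also applies below the threshold
    # (assumed here to mean an account number or wallet address per side).
    for role, party in parties.items():
        if not any(present(party, f) for f in ACCOUNT):
            reasons.append(f"{role}: missing account_number or wallet_address")

    # Full data set at or above the threshold (boundary counted as in scope).
    if Decimal(str(transfer["amount_sar"])) >= THRESHOLD_SAR:
        for role, party in parties.items():
            reasons += [f"{role}: missing {f}" for f in NAMED if not present(party, f)]
        if not any(present(parties["originator"], f) for f in ORIGINATOR_ID):
            reasons.append("originator: missing physical_address or national_id")
    return ("hold" if reasons else "release"), reasons

# Constructed sample data (not real wallets or customers).
SANCTIONED = {"0xSANCTIONED-EXAMPLE"}
SAMPLE = {
    "amount_sar": "5000",
    "originator": {"full_name": "A. Example", "wallet_address": "0xaaa-example",
                   "institution_name": "Example Pay"},
    "beneficiary": {"full_name": "B. Example", "wallet_address": "0xbbb-example",
                    "institution_name": "Example VASP"},
}
```

The sample transfer is held because the originator carries neither a physical address nor a national ID number; the same payload at SAR 1,000 is released, and a sanctions hit blocks at any amount.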

AML/CFT Compliance for Tokenized Securities

The intersection of SAMA’s fintech AML/CFT framework and CMA tokenized securities regulation creates specific compliance obligations:

Payment Leg: When an investor purchases tokenized securities on Tadawul’s digital platform, the SAR payment leg — processed through payment tokens, bank transfer, or digital riyal — is subject to SAMA’s AML/CFT framework. The payment provider must screen the transaction.

Securities Leg: The token transfer — delivery of the tokenized sukuk, equity token, or other security — is subject to CMA’s AML/CFT framework. The CMA-licensed broker-dealer must screen the transaction.

Atomic Settlement Implications: Atomic DvP settlement on Tadawul’s platform (3-7 seconds) requires both payment and securities AML/CFT screening to complete within that settlement window. This demands pre-trade screening — both SAMA and CMA frameworks require screening to occur before the trade is executed, not during settlement.

Cross-Chain Considerations: For multi-chain tokenized securities deployed on different CMA-approved protocols, AML/CFT monitoring must cover all chains. A unified monitoring dashboard aggregating transaction data from R3 Corda, Ethereum ERC-3643, and other approved protocols is a practical necessity for multi-chain issuers.

Risk-Based Approach by Entity Type

SAMA calibrates AML/CFT requirements by entity type and risk profile:

| Entity Type | Risk Classification | Monitoring Frequency | Blockchain Analytics | Travel Rule |
|---|---|---|---|---|
| Digital banks | Standard | Real-time | Required (if handling digital assets) | Required |
| Payment providers (high-volume) | Elevated | Real-time | Required | Required |
| Payment providers (low-volume) | Standard | Real-time | Recommended | Required |
| Payment token issuers | High | Real-time + daily batch review | Required | Required |
| Stablecoin operators | High | Real-time + daily batch review | Required | Required |
| Open banking TPPs | Standard | Event-triggered | Not required | Not applicable |
| Sandbox participants | Elevated | Real-time | Required (if handling digital assets) | Required |

The risk-based approach allows smaller fintech entities to maintain proportionate compliance programs while ensuring that high-risk activities receive appropriate scrutiny.

SAFIU and Intelligence Sharing

The Saudi Financial Intelligence Unit (SAFIU) is the national financial intelligence unit receiving STRs from all SAMA-licensed and CMA-licensed entities. SAFIU’s digital asset capabilities include:

  • Blockchain analytics: SAFIU operates its own blockchain analytics infrastructure, enabling independent verification of STR submissions and proactive intelligence gathering
  • International cooperation: SAFIU is a member of the Egmont Group, enabling financial intelligence sharing with 167 member jurisdictions
  • Typologies research: SAFIU publishes annual digital financial services typologies reports, identifying emerging money laundering and terrorism financing methods relevant to Saudi Arabia’s digital financial services sector
  • Feedback loop: SAFIU provides confidential feedback to reporting entities on the quality and utility of their STR submissions, enabling continuous improvement of detection capabilities

Compliance Program Review and Audit

SAMA requires annual independent review of AML/CFT compliance programs for all licensed fintech entities:

  • Scope: The review must cover governance, risk assessment methodology, CDD practices, transaction monitoring effectiveness, STR quality, Travel Rule compliance, sanctions screening, and staff training
  • Reviewer qualifications: The reviewer must be an independent audit firm or consultancy with digital financial services AML/CFT expertise. SAMA maintains a list of 8 approved reviewers
  • Reporting: Review findings must be submitted to SAMA within 30 days of completion, along with a remediation plan for any identified deficiencies
  • Remediation timeline: Critical findings must be remediated within 60 days; material findings within 120 days; minor findings within 180 days

Staff Training and Certification

SAMA mandates ongoing AML/CFT training for all employees of licensed fintech entities:

Mandatory Training Hours: Minimum 16 hours annually for compliance staff, 8 hours for non-compliance staff with customer-facing or transaction-processing responsibilities. Training must cover Saudi AML/CFT regulations, FATF standards, digital asset-specific typologies, and blockchain analytics interpretation.

Specialist Certification: Compliance officers at entities handling digital assets or payment tokens must hold recognized AML/CFT certification — CAMS (Certified Anti-Money Laundering Specialist), ICA Diploma, or equivalent. SAMA accepts 5 certification programs as meeting this requirement.

Board Awareness: Board members of licensed fintech entities must complete annual AML/CFT awareness training, ensuring governance-level understanding of compliance obligations. The training must cover enforcement trends, regulatory changes, and the entity’s specific risk profile.

Sandbox Training: SAMA sandbox participants must demonstrate AML/CFT training completion for all key personnel before sandbox admission. This pre-admission requirement ensures that compliance capabilities are in place from day one of testing, rather than being developed during the sandbox period.

Resources

The Saudi FinTech Strategy 2025 — a joint SAMA-CMA initiative — identified AML/CFT compliance infrastructure as a critical enabler for the Kingdom’s tokenization ambitions. SAMA has invested in upgrading SAFIU’s blockchain analytics capabilities through partnerships with international compliance technology providers, enabling real-time transaction graph analysis across all CMA-approved blockchain protocols. The Saudi Digital Academy delivers specialized “Digital Financial Crime Prevention” training for compliance professionals at licensed fintech entities, with 120 professionals certified through March 2026. These investments ensure that Saudi Arabia’s digital financial services sector maintains the FATF compliance standards that underpin institutional investor confidence in the Kingdom’s tokenized securities market.

For AML/CFT compliance inquiries: info@sauditokenisation.com
