Open Banking and Digital Infrastructure: SAMA's API-First Financial Data Framework
Saudi Arabia's Open Banking Framework, mandated by SAMA in 2022, requires all licensed banks to provide standardized API access to account data and payment initiation — 23 banks are now compliant, with 8 licensed third-party providers creating the data layer infrastructure for tokenized financial services.
SAMA’s Open Banking Framework, mandated in January 2022 and fully operational since 2024, requires all 23 Saudi-licensed banks to provide standardized API access to account data and payment initiation services. Payment Initiation Services (PIS) went live in September 2024, marking a major milestone in Saudi Arabia’s digital financial infrastructure. Eight licensed third-party providers (TPPs) now operate under the framework, creating a digital data layer that serves as foundational infrastructure for Saudi Arabia’s broader financial digitization — including the tokenization ecosystem. The framework has processed over 180 million API calls in 2025, with monthly volumes growing at approximately 15% quarter-over-quarter.
Framework Architecture
Saudi Arabia’s open banking architecture follows a regulated API model with three participant categories:
Account Servicing Payment Service Providers (ASPSPs): Licensed banks that maintain customer accounts and must provide API access. All 23 Saudi-licensed banks are ASPSPs under the mandate.
Third-Party Providers (TPPs): Licensed entities authorized to access bank APIs on behalf of customers, divided into:
- Account Information Service Providers (AISPs) — authorized to read account data
- Payment Initiation Service Providers (PISPs) — authorized to initiate payments from customer accounts
- Combined AISPs/PISPs — authorized for both functions
Technical Service Providers (TSPs): Technology companies providing API gateway, security, and data management infrastructure. TSPs are registered (not licensed) with SAMA.
API Standards
SAMA mandates a standardized API specification based on international open banking standards, adapted for Saudi requirements:
- Authentication: OAuth 2.0 with Saudi-specific identity verification using Absher (national identity platform)
- Data Format: JSON over HTTPS, with Arabic language support mandatory
- Security: TLS 1.3 minimum, mutual TLS authentication between TPPs and ASPSPs
- Availability: 99.5% uptime requirement for bank APIs, with SLA penalties for non-compliance
- Response Time: Maximum 4 seconds for account information, 10 seconds for payment initiation
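The two transport requirements in this list (TLS 1.3 minimum, mutual TLS) can be enforced and checked in code. The following is an added Python example, not SAMA's or any bank's code: it builds a server-side context that meets both requirements and audits any context against them. The function names and the optional CA bundle path are assumptions.

```python
import ssl

def build_aspsp_context(tpp_ca_file=None):
    """Server-side (ASPSP) context: TLS 1.3 minimum, client certificate required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # refuse TLS 1.2 and older
    ctx.verify_mode = ssl.CERT_REQUIRED            # handshake fails if the TPP sends no certificate
    if tpp_ca_file:
        # Hypothetical path: bundle of the CA(s) that issue TPP client certificates.
        ctx.load_verify_locations(cafile=tpp_ca_file)
    # A real listener also needs ctx.load_cert_chain(...) for the bank's own certificate.
    return ctx

def default_server_context():
    """Library defaults, for comparison: older TLS allowed, no client certificate asked for."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

def audit_context(ctx):
    """Return the list of requirements from the list above that this context does not meet."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("minimum TLS version is below 1.3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required (no mutual TLS)")
    return findings

if __name__ == "__main__":
    print("default :", audit_context(default_server_context()))
    print("hardened:", audit_context(build_aspsp_context()))
```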
Tokenization Infrastructure Synergies
Open banking creates critical infrastructure for Saudi Arabia’s tokenization ecosystem:
Investor Onboarding: Open banking APIs enable instant income and asset verification for investor suitability assessments, reducing the onboarding friction for tokenized securities platforms. Rather than requiring manual bank statement uploads, platforms can verify investor financial status in real-time through AISP connections.
Payment Rail Integration: PISP capabilities enable direct bank-to-platform payment initiation for tokenized securities purchases, bypassing card networks and reducing transaction costs. Several CMA sandbox participants have integrated open banking payment initiation for token subscription flows.
Automated Compliance: Open banking data feeds support ongoing AML/CFT compliance monitoring, enabling tokenized securities platforms to monitor customer transaction patterns across banking relationships in real-time (with customer consent).
Digital Riyal Distribution: Open banking infrastructure is expected to serve as the distribution layer for digital riyal retail rollout, with licensed TPPs acting as intermediaries for CBDC wallet services.
Market Landscape
Licensed Third-Party Providers
Eight TPPs hold SAMA licenses as of March 2026:
| Provider | Type | Key Service | API Calls (Monthly) |
|---|---|---|---|
| Lean Technologies | AISP/PISP | Account aggregation, payment initiation | 18M |
| Tarabut Gateway | AISP/PISP | Open banking platform | 14M |
| Rasan | AISP | Financial data analytics | 9M |
| Fintech Galaxy | AISP | Cross-border data aggregation | 6M |
| Nearpay | PISP | Payment initiation | 8M |
| Geidea | PISP | Merchant payment solutions | 11M |
| Saudi Digital Payments (SDP) | AISP/PISP | Government payment integration | 7M |
| PayTabs | PISP | E-commerce payment initiation | 5M |
Combined monthly API volume exceeds 78 million calls, and approximately 40% of Saudi adults actively use open banking-powered services (though many are unaware that the underlying technology is open banking).
Use Cases in Production
Operational open banking use cases relevant to tokenization:
- Instant account verification for CMA-regulated digital asset platforms
- Automated income verification for investor suitability categorization
- Direct payment initiation for tokenized securities subscription
- Real-time balance monitoring for margin requirements on tokenized trading platforms
- Dividend/distribution payment automation for tokenized sukuk holders
Data Protection and Privacy
SAMA’s open banking data protection requirements align with Saudi Arabia’s Personal Data Protection Law (PDPL):
- Explicit consent: Customer must provide granular, informed consent for each data sharing arrangement
- Purpose limitation: Data accessed through open banking APIs may only be used for the stated purpose
- Data minimization: TPPs must request only the minimum data necessary for the stated service
- Retention limits: Account data must be deleted within 90 days of consent withdrawal
- Cross-border restrictions: Open banking data may not be transferred outside Saudi Arabia without SAMA-specific authorization
These protections are particularly important for the tokenization ecosystem, where open banking data could reveal investor financial profiles and trading patterns.
Regulatory Roadmap
SAMA’s open banking roadmap for 2026-2028:
- Q3 2026: Launch of variable recurring payments (VRP), enabling subscription-based payment collection through open banking — directly applicable to tokenized fund subscription and redemption flows
- Q1 2027: Insurance data API mandate, extending open banking to the insurance sector
- Q3 2027: Investment account API development, potentially enabling open banking access to CMA-regulated investment account data
- 2028: Integration with digital riyal infrastructure for CBDC-native open banking services
The investment account API development is particularly significant for the tokenization ecosystem, as it would enable TPPs to aggregate customer holdings across conventional and tokenized securities platforms, creating a unified view of diversified portfolios.
International Comparison
Saudi Arabia’s open banking framework is among the most advanced in the Middle East and compares competitively with global benchmarks:
| Jurisdiction | Mandate Year | Banks Compliant | TPP Licenses | API Standard |
|---|---|---|---|---|
| Saudi Arabia (SAMA) | 2022 | 23 | 8 | Saudi OB Standard |
| Bahrain (CBB) | 2020 | 12 | 5 | Bahrain OBF |
| UAE (CBUAE) | 2023 | In progress | 3 | AANI-based |
| UK (FCA) | 2018 | 9 (CMA9) | 300+ | UK OB Standard |
| EU (PSD2) | 2018 | All EU banks | 400+ | Berlin Group/STET |
| Singapore (MAS) | 2020 | 7 major banks | 15+ | SGFIN API |
Saudi Arabia’s advantage is mandatory universal compliance: all 23 licensed banks must participate, unlike voluntary frameworks where smaller banks may lag. The 99.5% uptime requirement and 4-second response time SLA also exceed most international standards.
The GCC cooperation framework includes open banking interoperability as a medium-term objective. Harmonized API standards across Gulf states would enable cross-border data sharing for GCC-distributed tokenized securities, allowing investors in one Gulf state to access bank data from another for suitability assessment and AML/CFT verification.
Economic Impact
SAMA estimates open banking’s economic contribution at SAR 2.8 billion in 2025, growing to SAR 12 billion by 2030 through:
- Reduced onboarding costs: Instant bank verification reduces customer acquisition costs for financial platforms by 40-60% compared to manual document-based processes
- Payment cost savings: PISP-initiated payments cost 50-70% less than card-based payments for merchants and platforms
- Credit access: Open banking data enables alternative credit scoring for the 30% of Saudi adults with thin credit files, expanding access to lending products
- Financial aggregation: Consumers using open banking-powered aggregation tools make more informed financial decisions, increasing savings and investment rates
For the tokenization ecosystem specifically, open banking reduces the cost of investor onboarding from an estimated SAR 500-1,000 per investor (manual process) to SAR 50-100 (API-automated process). At scale — with the Vision 2030 target of broad retail participation in tokenized securities — this cost reduction is significant.
Technical Implementation for Tokenization Platforms
CMA-licensed tokenized securities platforms integrating open banking APIs follow a standardized implementation pathway:
- TPP licensing: Either obtain an AISP/PISP license from SAMA (SAR 1M minimum capital, 6-month process) or partner with an existing licensed TPP
- API integration: Connect to the Saudi Open Banking API gateway, implementing OAuth 2.0 flows with Absher identity verification
- Consent management: Build consent capture and management infrastructure compliant with PDPL and SAMA requirements — including granular consent controls, consent expiration, and withdrawal mechanisms
- Data handling: Implement data-residency-compliant storage for open banking data, with 90-day retention limits post-consent withdrawal
- Compliance integration: Connect open banking data feeds to AML/CFT monitoring systems for ongoing transaction surveillance
- Testing: Complete SAMA’s open banking testing certification, including functional testing, security testing, and consent flow validation
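The consent management and data handling steps above, together with the purpose limitation, data minimization and 90-day retention rules from the Data Protection section, reduce to a check on every data request plus a deletion deadline. The following is an added Python example, not code from SAMA or any TPP; the record layout, scope names and purpose strings are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

RETENTION_AFTER_WITHDRAWAL = timedelta(days=90)  # retention limit stated on the page

@dataclass(frozen=True)
class Consent:                      # hypothetical record layout
    customer_id: str
    purpose: str                    # purpose limitation: one stated purpose per consent
    scopes: FrozenSet[str]          # data minimization: only these data sets may be read
    expires_at: datetime
    withdrawn_at: Optional[datetime] = None

def authorize(consent, purpose, requested_scopes, now):
    """Return (allowed, reason) for one account-data request made under this consent."""
    if consent.withdrawn_at is not None and now >= consent.withdrawn_at:
        return False, "consent withdrawn"
    if now >= consent.expires_at:
        return False, "consent expired"
    if purpose != consent.purpose:
        return False, "purpose not covered by consent"
    excess = sorted(set(requested_scopes) - consent.scopes)
    if excess:
        return False, "scopes beyond consent: " + ", ".join(excess)
    return True, "ok"

def purge_deadline(consent):
    """Latest moment stored account data may exist after withdrawal, else None."""
    if consent.withdrawn_at is None:
        return None
    return consent.withdrawn_at + RETENTION_AFTER_WITHDRAWAL

def purge_overdue(consents, now):
    """Customer ids whose 90-day deletion deadline has already passed."""
    return sorted(c.customer_id for c in consents
                  if purge_deadline(c) is not None and now > purge_deadline(c))

# Constructed sample data (not real customers, not SAMA scope names).
UTC = timezone.utc
ACTIVE = Consent("cust-001", "suitability-assessment", frozenset({"balances", "income"}),
                 expires_at=datetime(2026, 12, 31, tzinfo=UTC))
WITHDRAWN = Consent("cust-002", "suitability-assessment", frozenset({"balances"}),
                    expires_at=datetime(2026, 12, 31, tzinfo=UTC),
                    withdrawn_at=datetime(2026, 1, 10, tzinfo=UTC))
NOW = datetime(2026, 5, 1, tzinfo=UTC)
```

A deletion job would run `purge_overdue` on a schedule and treat any returned id that still has stored account data as a retention violation.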
Three CMA sandbox participants have completed this integration, demonstrating end-to-end open banking-powered investor onboarding for tokenized sukuk subscription. The process reduces onboarding time from 3-5 business days to under 15 minutes.
Challenges and Risks
Despite strong regulatory mandates, Saudi open banking faces operational challenges:
- Bank API quality variation: While all 23 banks are compliant, API reliability and data quality vary. Larger banks (Al Rajhi, SNB, Riyad Bank) deliver more consistent API performance than smaller institutions
- Consumer awareness: Approximately 60% of Saudi consumers are unaware of open banking capabilities, limiting demand-side adoption
- Liability framework: SAMA is developing a comprehensive liability framework for open banking disputes — currently, liability allocation between banks, TPPs, and consumers follows general banking law rather than open banking-specific provisions
- Security risks: Open banking expands the attack surface for financial data breaches. SAMA mandates annual penetration testing for all TPPs and has issued 2 enforcement actions related to API security deficiencies
Competitive Dynamics and Market Development
The open banking ecosystem is developing competitive dynamics that shape the tokenization infrastructure:
TPP Consolidation: The 8 licensed TPPs are expected to consolidate to 5-6 by 2028, as larger players (Lean Technologies, Tarabut Gateway) acquire smaller competitors to achieve scale. Consolidated TPPs will offer more comprehensive data services to tokenized securities platforms.
Bank API Monetization: Saudi banks are evolving from reluctant API providers to active participants in the open banking ecosystem. Several banks now offer premium API tiers with faster response times, richer data sets, and dedicated support — creating revenue from open banking compliance rather than treating it purely as a regulatory cost.
Embedded Finance: Open banking enables embedded financial services within non-financial applications. Tokenized securities platforms can embed payment initiation, account verification, and balance checking directly into their user interfaces — creating seamless investment experiences that reduce friction and increase conversion rates.
Data-Driven Investment Products: Open banking data, with customer consent, enables personalized investment recommendations. Tokenized securities platforms can analyze customer spending patterns, income flows, and savings behavior to recommend appropriate tokenized sukuk or equity token investments matching the customer’s financial profile and risk tolerance — supporting CMA investor suitability requirements.
Open Banking and Financial Literacy
SAMA’s open banking deployment includes a financial literacy component targeting both consumers and the fintech industry:
Consumer Education: SAMA publishes educational materials explaining open banking benefits, consent mechanisms, and data protection rights. Awareness campaigns, conducted in partnership with Fintech Saudi, have reached an estimated 5 million Saudi residents through social media, bank notifications, and public events. Despite these efforts, consumer awareness of open banking remains at approximately 40% — well below the 95%+ smartphone banking adoption rate.
Developer Education: SAMA’s open banking documentation portal provides API specifications, sandbox testing environments, and integration guides for developers building financial applications. Over 1,200 developers have registered for the sandbox API, with 300+ applications built and tested. The developer ecosystem is critical for the tokenization infrastructure, as CMA-licensed platforms need developers who understand both open banking APIs and blockchain technology.
SAMA’s open banking roadmap includes Phase 3 expansion targeting real-time portfolio data sharing between banks and CMA-licensed digital asset platforms, enabling investors to view tokenized securities holdings alongside conventional banking products in a single consolidated interface — a capability that supports the Vision 2030 objective of seamless financial services integration across traditional and digital asset markets.