
Self-Custody Regulatory Position: SAMA and CMA Approach to Non-Custodial Digital Asset Wallets

Saudi Arabia maintains a regulated approach to self-custody wallets: it permits individual self-custody while requiring licensed entities to impose enhanced due diligence on transfers to and from unhosted wallets, with a SAR 15,000 threshold triggering source-of-funds verification.


Saudi Arabia permits individual self-custody of digital assets but regulates the interface between self-custody (unhosted) wallets and the licensed financial system. SAMA and the CMA jointly published a Regulatory Position on Self-Custody Digital Wallets in September 2025, establishing requirements for licensed entities when processing transfers to or from unhosted wallets. The position is issued by SAMA as the central bank overseeing payment systems and by the CMA as the capital markets regulator, reflecting the dual-authority structure that governs all aspects of Saudi Arabia’s digital asset ecosystem. The position stops short of banning self-custody — a measure some jurisdictions have considered — but creates a compliance framework that effectively channels most digital asset activity through regulated intermediaries.

Regulatory Position Summary

The joint SAMA-CMA position establishes three principles:

Principle 1: Self-custody is not prohibited. Individuals and entities in Saudi Arabia may hold digital assets in self-custody wallets without obtaining any license or registration. The right to self-custody is recognized as consistent with property rights under Saudi law.

Principle 2: Licensed entities must manage the risk. All SAMA-licensed and CMA-licensed entities must implement enhanced controls when processing transfers involving unhosted wallets, including source-of-funds verification, wallet ownership confirmation, and blockchain analytics screening.

Principle 3: Thresholds apply. Enhanced due diligence requirements are tiered based on transaction value, with the lowest-friction requirements for small transactions and progressively stricter requirements as values increase.

Licensed Entity Requirements for Unhosted Wallet Transfers

Outbound Transfers (Licensed Entity to Unhosted Wallet)

When a customer requests a transfer from their account at a licensed entity to an unhosted wallet:

Transactions below SAR 3,750:

  • Standard KYC must be completed on the customer (one-time)
  • Wallet ownership declaration by the customer (self-certification that the wallet belongs to them or to an identified recipient)
  • No additional source-of-funds verification required

Transactions SAR 3,750 to SAR 15,000:

  • Wallet ownership verification (signed message or micro-transaction test confirming the customer controls the destination wallet)
  • Travel rule data collection (originator and beneficiary information)
  • Blockchain analytics screening of the destination wallet for sanctions and adverse history

Transactions above SAR 15,000:

  • All requirements above, plus:
  • Source-of-funds documentation (bank statement, salary certificate, or investment account statement demonstrating the origin of the funds used to acquire the digital assets)
  • Enhanced blockchain analytics report including clustering analysis and transaction history review of the destination wallet
  • Senior compliance officer approval for the transfer

Inbound Transfers (Unhosted Wallet to Licensed Entity)

When a customer deposits digital assets from an unhosted wallet into their account at a licensed entity:

Transactions below SAR 3,750:

  • Wallet ownership verification
  • Blockchain analytics screening of the source wallet

Transactions SAR 3,750 to SAR 15,000:

  • All requirements above, plus:
  • Travel rule data collection
  • Source-of-funds verification (documentation demonstrating how the digital assets were acquired)

Transactions above SAR 15,000:

  • All requirements above, plus:
  • Enhanced source-of-funds verification including on-chain transaction history analysis
  • Senior compliance officer review
  • Potential STR filing consideration (licensed entity must document its assessment of whether the transaction warrants a suspicious transaction report)

Wallet Ownership Verification Methods

SAMA and CMA accept three methods for verifying wallet ownership:

  1. Cryptographic signature: The customer signs a standardized message using the private key associated with the wallet, proving control. This is the preferred method as it provides the strongest verification.

  2. Micro-transaction test: The licensed entity sends a small, predetermined amount to the wallet and asks the customer to return it. Completion confirms the customer controls the wallet.

  3. Multi-factor documentation: For hardware wallets or institutional custody arrangements where signature verification is impractical, the customer may provide wallet registration documentation, hardware wallet purchase receipts, or institutional custody agreement copies.

Prohibited Self-Custody Activities

While self-custody itself is permitted, certain activities involving self-custody wallets are prohibited:

  • Providing custodial services from a self-custody wallet: Holding digital assets on behalf of others without a CMA custody license
  • Operating a trading or exchange service using self-custody wallets: Facilitating peer-to-peer trading without a CMA or SAMA license
  • Promoting self-custody as a means of regulatory avoidance: Marketing self-custody solutions specifically positioned as an alternative to using licensed entities

Impact on Tokenized Securities

The self-custody regulatory position has direct implications for tokenized securities:

Tokenized securities in self-custody: Under the current CMA framework, tokenized securities with identity restrictions (ERC-3643 or similar) may technically prevent transfers to unregistered wallets. However, if a tokenized security permits self-custody transfers, the CMA requires the issuer to maintain KYC records for all wallet addresses holding the security, effectively extending investor protection requirements to self-custody.

Tokenized sukuk: Self-custody of tokenized sukuk is permitted but the sukuk issuer must be able to distribute profit payments to all registered holders, including those in self-custody wallets. This requires the smart contract to support distribution to any wallet address, not just those at licensed custodians.

DeFi interaction: Self-custody wallets enable interaction with decentralized finance protocols, raising questions about the regulatory treatment of DeFi activities by Saudi residents. SAMA and CMA’s current position is that DeFi protocol use by individuals is not specifically prohibited but is “at the user’s own risk” with no regulatory protection.

International Comparison

Saudi Arabia’s approach is moderate by international standards:

| Jurisdiction | Self-Custody Position | Unhosted Wallet Threshold |
|---|---|---|
| Saudi Arabia | Permitted, regulated interface | SAR 3,750 (~$1,000) |
| UAE | Permitted, regulated interface | AED 3,675 (~$1,000) |
| EU (MiCA/TFR) | Permitted, enhanced CDD above €1,000 | €1,000 |
| Singapore | Permitted, minimal restrictions | No specific threshold |
| South Korea | Restricted, verification required for all amounts | KRW 1M (~$750) |

The SAR 3,750 threshold aligns with the FATF travel rule minimum (Saudi Arabia has been a FATF member since 2019), creating consistency between travel rule and unhosted wallet compliance obligations.

Compliance Cost for Licensed Entities

Implementing self-custody wallet controls creates additional compliance costs for SAMA-licensed and CMA-licensed entities:

| Compliance Component | Estimated Annual Cost (SAR) | Purpose |
|---|---|---|
| Blockchain analytics subscription | 200,000 - 500,000 | Wallet screening, risk scoring |
| Wallet verification system | 100,000 - 300,000 | Cryptographic signature and micro-transaction testing |
| Enhanced CDD platform | 150,000 - 400,000 | Source-of-funds documentation and review |
| Compliance staff (1-2 FTE) | 300,000 - 600,000 | Manual review of above-threshold transfers |
| Training and certification | 50,000 - 100,000 | Staff training on self-custody controls |
| Total | 800,000 - 1,900,000 | |

These costs are additive to the baseline AML/CFT compliance costs already required for all licensed entities. Smaller fintech firms may find it more cost-effective to prohibit unhosted wallet transfers entirely rather than building the required controls — a market dynamic that effectively concentrates self-custody interface services among larger, better-capitalized entities.

Hardware Wallets and Cold Storage Devices

The regulatory position addresses hardware wallet devices (Ledger, Trezor, and similar) specifically:

  • Hardware wallets are classified as self-custody wallets — transfers to and from hardware wallets are subject to the same tiered requirements as any other unhosted wallet
  • Licensed entities may not provide hardware wallet procurement, setup, or technical support services without specific CMA authorization under the custody standards
  • Saudi importers of hardware wallet devices are not required to obtain SAMA or CMA licenses for hardware sales, but may not market the devices as alternatives to regulated custody

The distinction matters because CMA-licensed custodians use hardware security modules (HSMs) and cold storage devices as part of their regulated custody infrastructure — the 95% cold storage requirement for custodians uses institutional-grade hardware, not consumer hardware wallets.

Self-Custody and the Digital Riyal

The regulatory position anticipates the digital riyal CBDC launch and addresses self-custody wallets in the CBDC context:

  • Digital riyal wallets provided by SAMA or licensed intermediaries are classified as hosted wallets, not self-custody
  • Self-custody of digital riyal (holding digital riyal in non-SAMA-affiliated wallets) is a design decision that has not yet been finalized. The Phase 2 pilot is testing both account-based and token-based models — the token-based model would technically permit self-custody, while the account-based model would not
  • If self-custody of digital riyal is permitted, the same tiered threshold framework would apply to transfers between SAMA-hosted and self-custody digital riyal wallets

Self-Custody and Sharia Considerations

Self-custody raises specific Sharia compliance considerations for tokenized sukuk and other Islamic instruments:

  • Profit distribution: Smart contracts must be able to distribute sukuk profits to self-custody wallet addresses, not only to wallets held at licensed custodians
  • Sharia screening: Ongoing Sharia compliance monitoring typically relies on custodian-held position data. Self-custody introduces monitoring gaps that issuers must address through on-chain position tracking
  • Purification payments: Sharia purification obligations apply regardless of custody arrangement. Self-custody holders are responsible for their own purification calculations and payments, whereas custodian-held positions can benefit from automated purification through smart contract logic

Enforcement and Penalties

SAMA and CMA enforcement actions related to self-custody wallet controls:

  • 2 CMA enforcement actions have involved inadequate unhosted wallet controls — one for processing above-threshold transfers without source-of-funds verification, another for failing to deploy blockchain analytics for inbound transfers
  • Combined penalties: SAR 2.1 million
  • SAMA has issued 3 advisory letters (non-penalty) to fintech entities regarding inconsistent wallet ownership verification practices

The relatively small number of enforcement actions reflects the novelty of the regulatory position (published September 2025) and the compliance lead time provided to licensed entities (6-month implementation deadline, expiring March 2026).

Industry Perspectives

Market participants have expressed mixed views on the self-custody regulatory position:

  • Institutional investors generally favor the framework, as it provides regulatory clarity while preserving the option for sophisticated investors to manage their own keys
  • Retail platforms report increased compliance costs and are concerned that the verification requirements may deter customers from using licensed platforms, potentially driving activity to unregulated channels
  • International investors seeking exposure to Saudi tokenized securities through the cross-border custody framework generally do not use self-custody, making the position less relevant for international institutional participation

Emerging Regulatory Considerations

Several regulatory developments will shape the future of self-custody in Saudi Arabia:

Multi-Signature Wallets: SAMA and CMA are developing guidance on multi-signature (multisig) wallet arrangements where multiple parties hold keys. Multisig wallets that require signatures from both the asset holder and a licensed entity blur the boundary between self-custody and custodial arrangements. The draft guidance, expected Q4 2026, will clarify whether multisig qualifies as self-custody, institutional custody, or a distinct category.

Smart Contract Wallets: Programmable wallets that execute transactions based on predefined conditions (time locks, spending limits, social recovery) introduce additional classification complexity. A wallet with automated Sharia screening logic embedded at the wallet level could satisfy some compliance requirements currently borne by licensed custodians, potentially creating a regulated self-custody category.

Institutional Self-Custody: Corporate treasuries and family offices increasingly seek to self-custody digital assets using institutional-grade hardware security modules. SAMA and CMA’s current position requires CMA custody licensing for any entity holding digital assets on behalf of others, but institutional self-custody of the entity’s own assets follows the same rules as individual self-custody — subject to the tiered threshold framework for transfers to and from licensed entities.

Cross-Border Self-Custody: International investors holding Saudi tokenized securities in self-custody wallets present jurisdictional challenges. The CMA’s bilateral cooperation agreements with 11 jurisdictions do not specifically address self-custody — this gap is expected to be addressed as cross-border custody frameworks mature.

Resources

Primary regulatory sources: SAMA — sama.gov.sa | CMA — cma.org.sa


The CMA and SAMA continue to monitor self-custody adoption rates and associated risk indicators, with the Joint Digital Assets Committee reviewing the self-custody regulatory position semi-annually to ensure that the framework appropriately balances individual autonomy with systemic risk management as the tokenized securities market scales toward SAR 50 billion in outstanding instruments by 2030.

SAMA’s achievement of 79% cashless transaction penetration reinforces the institutional payment infrastructure that channels most digital asset activity through regulated intermediaries rather than self-custody wallets.

For self-custody regulatory inquiries: info@sauditokenisation.com
