The Financial Technology Law Review: Saudi Arabia


The boom of financial technology (fintech) in Saudi Arabia has led the Saudi Arabian Monetary Authority (SAMA) and the Capital Market Authority (CMA) to introduce new programmes and regulations to regulate the entities wishing to carry out fintech-related activities. In its efforts to contribute to Saudi Arabia's Vision 2030 and diversify the economy, SAMA announced its acceptance of applications to its sandbox programmes starting from January 2018 to focus on the digitalised market Saudi Arabia is shifting towards. For fintech companies to enter the market in Saudi Arabia, they will be required to obtain the necessary licences from SAMA, the CMA or both, depending on the activities the fintech company wishes to carry out.2 During the past two years, the licences issued by SAMA or the CMA or both were merely temporary and in the form of a letter allowing the accepted entities to engage in fintech-related activities for a trial period until being approved by the relevant authority. Because of the high demand in the fintech sector and the increase in applications to the sandbox, and because of SAMA's efforts in ensuring that such demand is addressed by enforcing new relevant laws governing the fintech field, SAMA further introduced three types of licences for entities wishing to carry out fintech activities.

As mentioned above, during the past two years, both SAMA and the CMA granted temporary experimental licences as an initiative to encourage the growth of fintech in Saudi Arabia. These licences are issued through an application to the relevant entity's sandbox programme, but were still governed by the same laws that govern conventional financial transactions, which are as follows:

  1. general banking control laws;
  2. general finance company control laws;
  3. the E-banking Rules; and
  4. the Electronic Transactions Law.

Nevertheless, in 2020, SAMA approved the introduction of new laws governing the fintech sector, notably debt-based crowdfunding and payment service provider (PSP) activities in Saudi Arabia. While both licences are still covered by the same conventional financial laws aforementioned, an applicant can now seek a licence in line with its activities as opposed to merely taking part in the sandbox programme with a temporary licence.

To further demonstrate Saudi Arabia's initiatives to cope with the digital market, a fintech guide was issued in February 2019 by Fintech Saudi3 highlighting the regulations governing the industry, the framework of their application and the options available for foreign investors to enter the Saudi fintech market. An updated version was published in July 2019 and July 2020. The release of new annual versions indicates that changes are happening rapidly in Saudi Arabian fintech law and that the country is paying close attention to the growth of fintech.

This is also evidenced through the introduction of Fintech Saudi and its regular updates on the new laws and activities issued regarding the formation and regulation of fintech companies.

Furthermore, Fintech Saudi updated its 2019 report by issuing its 2020 version, which serves as a summary of the fintech ecosystem in Saudi Arabia while highlighting the developments undertaken by the relevant authorities to regulate the fintech boom in Saudi Arabia along with the major initiatives introduced to ensure that the Saudi ecosystem is well informed in the field.

The aforementioned report further highlighted the initiatives undertaken by SAMA to establish a fintech hub for the public for the purpose of creating a fintech-friendly ecosystem in Saudi Arabia. This is evident in the fact that in addition to Fintech Saudi's efforts in 2018 and 2019, Fintech Saudi started four major initiatives to further spread knowledge and awareness in the fintech field. The first initiative was the introduction of the fintech internship programme, which is an opportunity for interns to get a taste of working in leading companies in the fintech field in Saudi Arabia. During the past two years, Fintech Saudi received 6,500 applications for 41 seats in different companies – the huge number of applicants demonstrates the growth in fintech in Saudi. The second initiative is Fintech Tour: a series of events and activities hosted by the partners of Fintech Saudi across Saudi Arabia and the Gulf Cooperation Council with a focus on spreading fintech knowledge and accelerating fintech entrepreneurship. Fintech Tour 19 consisted of 44 events across 12 cities that were open to the public as a means to provide everyone with the opportunity to participate and learn. Despite the lockdown caused by the covid-19 pandemic, Fintech Tour 20 took place in December 2020 offering exposure to 50 different organisations and offering 24 workshops, lectures and panels. The third initiative is that Fintech Saudi launched its own podcast, which is easily accessible by the public on SoundCloud. The podcast is composed of various episodes hosted by leaders of major fintech companies in Saudi Arabia. Finally, the Fintech Accelerator Programme has been launched, powered by Flat6Labs, which started its first programme on 15 November 2020 and ended on 15 February 2021.

Based on the above, SAMA's efforts in recent years can be summarised as follows:

  1. 2018: launch of Fintech Saudi and establishment of the regulatory sandbox for experimental permits to carry out fintech activities where seven entities commenced its operations;
  2. 2019: second batch of 14 fintech companies operating in the sandbox; and
  3. 2020: third batch of 11 fintech companies operating and introduction of licences for non-bank financial institutions (PSP licence and debt-based crowdfunding licence) along with the introduction of the Open Banking Policy, which should be implemented by the first half of 2022.

However, while new licences were introduced to carry out fintech activities in Saudi Arabia, fintech transactions are still governed by conventional financial transactions laws. As such, there are no specific tax regulations that apply to fintech companies. The General Authority of Zakat and Tax generally applies zakat on local companies and tax on foreign companies. The zakat is calculated to be 2.5 per cent of the capital of the company, while the tax on foreign companies or foreign shareholders in a company is usually 20 per cent of the revenue of the company, as opposed to the capital. Thus, fintech companies will be required to pay the same amounts based on the shareholders' nationality. We believe that applying only a 2.5 per cent on local companies' capital and 20 per cent on foreign shareholders' revenue demonstrates the way in which tax laws in Saudi Arabia are company-friendly, which in fact means that they are fintech-friendly as well.


i Licensing and marketing

Generally speaking, there have not been any alterations in the laws governing fintech as opposed to conventional financial transactions. Accordingly, all financial transactions are governed by the same laws, whether fintech or conventional.

Nevertheless, the relevant authorities introduced specific licences for certain fintech activities along with the guidelines for applying to said licences to keep pace with the developments in Saudi Arabia. As such, we list below the options available for fintech companies to enter the Saudi market:

  1. alter the business carried out by the company to one that does not require SAMA or CMA licensing;
  2. partner with a local entity licensed by the relevant authorities;
  3. enter the sandbox programmes offered by SAMA and the CMA that grant temporary or experimental licences;
  4. apply for a debt-based crowdfunding licence that is subject to the Finance Companies Control Law;
  5. apply for the payment service provider licence that is subject to Finance Companies Control Law and its implementing regulations; or
  6. apply for Finance Support activities subject to the Finance Companies Control Law.

Fintech companies that carry out activities licensed by SAMA and apply through the sandbox programme will have up to six months, subject to renewal, to practise their activities in the Saudi market. Companies that carry out activities regulated by the CMA and apply through their sandbox programme will be given the opportunity to conduct business for up to two years and they may renew this licence once. Where the activity of an entity falls under debt-based crowdfunding, payment service provider or finance support, then each licence shall be valid for a range of three to five years (as applicable) subject to renewal.

With respect to the temporary licence granted through the sandbox programmes, said licence is a letter from the relevant authority allowing the specific company to practise its activities in Saudi Arabia while being monitored by that authority. A letter is only granted upon SAMA or the CMA's acceptance of the application submitted by the entity. The application form is offered on SAMA/CMA's website4 to provide clarity with regard to what is expected from the applicants. Upon CMA/SAMA's acceptance of the application, the trial period shall commence, granting the entity the right to enter the Saudi market while carrying out its fintech activities. Once the licensed entity has successfully completed its trial period, SAMA or the CMA will consider licensing the entity permanently. While there are 19 companies to date in the SAMA sandbox programme, on 2 February 2020, Menabytes, which covers technology and digital stories from the Middle East and North Africa, announced that two companies have been issued fintech licences by SAMA for the first time in Saudi Arabia upon successful completion of the SAMA sandbox trial period.5 STC Pay and Geidea, both offering payment fintech services, are now the first two companies to graduate from the SAMA sandbox programme and obtain a fintech licence.

Where an entity is carrying out debt-based crowdfunding activities, that entity may avoid the sandbox step and apply directly for the debt-based crowdfunding licence as issued by SAMA, which will subject the entity to ensure compliance with the Finance Companies Control Law. To obtain this type of licence, applicants must submit: (1) a licence application; (2) articles of association (AoA) and by-laws; (3) a list of founding members or shareholders along with the details of their ownership percentages; (4) draft agreements to be entered into with third parties; (5) a business model; and (6) where the entity is under incorporation, a bank guarantee of 5 million riyals issued in favour of SAMA up until the capital is paid up. Additionally, executive positions in the entity should be held by Saudi nationals who are professionally qualified in finance. The minimum capital requirement for establishing an entity licence to carry out debt-based crowdfunding is 5 million riyals subject to increase or decrease at SAMA's discretion on a case-by-case basis. Finally, upon submission, a notice from SAMA is received, and the entity shall attend to any additional information requested by SAMA within 30 days so that SAMA to issue its initial acceptance or rejection within 60 days. Upon receiving SAMA's initial acceptance, applicants will be given a period of six months to provide SAMA with the commercial registration and AoA stating the necessary activities (failure to submit will cause the initial approval to expire). Finally, these licences are valid for five years subject to renewal via a three-month renewal letter to be sent to SAMA.

In March 2020, SAMA decided to introduce new regulations on obtaining Payment Service Provider Licences as a result of the increase in applications to the sandbox programme by applicants carrying out payment service providers. This type of licence covers entities involved in payment activities such as execution of payment transactions, issuing payment instruments, developing e-wallets, withdrawal of cash, or any relevant payment initiation services. PSP regulations offer four types of licences: (1) micro payment institution; (2) macro payment institution; (3) microelectronic money institution (e-wallet); and (4) macro electronic institution (e-wallet). The first two are for the purpose of carrying out all payment activities other than issuing e-wallets with the difference between micro and macro being that macro allows for cross-border remittance and does not involve limitation on transaction values, while the micro does not allow cross-border remittance and enforces limits on transactions value. The two latter licences allow for all payment activities including issuing e-wallets with the only difference being in the limits imposed on transaction value (micro imposes limits while macro does not).

Furthermore, where the activities carried out by an entity fall outside the scope of the aforementioned licences, and where the entity does not wish to enter the sandbox programme, said entity may seek the application of the Finance Support Activities licence. While the application process does not differ from the two licences mentioned above, the capital requirement differs based on the finance support activity carried out. An applicant seeking a licence for the purpose of carrying out finance aggregators' activity is subject to a minimum capital requirement of 2 million riyals, applicants who fall under debt collection are subject to a 10 million riyals capital requirement, and where an entity considers itself to be carrying out a 'finance support activity' other than the two aforementioned, SAMA shall decide upon both its qualification for the licence and the minimum capital requirement. SAMA's approval for an applicant's qualification is granted on a case-by-case basis at its own discretion. Moreover, once the application and supporting documents are submitted, SAMA will have a period of 30 days to issue its initial approval and acceptance, and the applicant shall have a period of 15 days to abide by any further requests issued by SAMA. This type of licence is valid for three years subject to renewal by virtue of a written renewal request to be sent by the entity to SAMA three months prior to the expiry of the licence.

In addition to granting temporary licences to practice fintech activities and the licences aforementioned for PSP, finance support and debt-based crowdfunding activities, an Open Banking Policy was introduced by SAMA for the purpose of developing financial solutions for the benefit of financial institutions and end customers. The open banking policy is an innovation that enables customers to securely share their data with third parties so fintech companies can benefit from access to customers' data allowing new financial services to be offered. While it is currently undergoing a design process so SAMA can assess the level of governance required, it is estimated that the market implementation phase will commence in the second half of 2021 covering the development of the finalised framework – which shall include testing with financial entities and enhancing customer awareness – which, upon its completion will prepare the policy for the 'go-live' phase for the design to be formally launched in Saudi Arabia. The go-live phase is expected to take place in the first half of 2022.

Moreover, SAMA and the CMA aim to further regulate fintech in Saudi Arabia as follows. The CMA is the financial regulatory authority responsible for overseeing securities activities and crowdfunding solutions. SAMA, established by two royal decrees, is a regulatory, legislative and judicial body. Its legislative features emphasise: (1) its responsibility for drafting and approving the laws on financial transactions – for instance, it approved the introduction of the regulations governing the aforementioned licences, and the enforcement of regulations governing insurance aggregation activities, digital-only banks (in addition to meeting the Banking Licence Guidelines), consumer microfinancing and finance aggregators; and (2) its regulatory element gives SAMA the authority to oversee and license entities that carry out financial activities as explained above. Finally, its judiciary feature allows for SAMA to establish its own judicial body to assume jurisdiction over claims related to financial activities such as e-wallets, payment mechanisms to validate e-signatures and e-transactions.

Fintech Saudi identified eight activities that do not require licensing by either SAMA or the CMA. These are:

  1. aggregation of publicly available financial information;
  2. business tools;
  3. back-office bank operations;
  4. enhancing bank's customer experience;
  5. personal management;
  6. regulation technology (regtech), which involves the use of technology to support financial organisations to comply with financial services regulations. Fintechs can develop regtech solutions that do not conduct regulated activities but support financial organisations to remain compliant;
  7. gamification; and
  8. reward-based crowdfunding (added as an exempted activity in 2020).

Thus, carrying out these activities shall not trigger the application of the requirements to be licensed by the CMA or SAMA. Moreover, credit information services, falling under back-office bank operations, shall also be exempted from the requirement to be licensed as they are one of the seven activities that can be carried out with a licence.

Setting up an asset management company in Saudi Arabia is subject to licensing by the CMA as set out in the latter's Investment Fund Regulations6 and Authorised Persons Regulations.7 This means that the entity must satisfy a number of requirements, such as a minimum capital requirement and establishing multiple internal key functions and appointing the required specialised officers, before being able to carry out its activities in Saudi Arabia.

Marketing and advertising of banking and financial services in Saudi Arabia are subject to the Banking Consumer Protection Principles issued by SAMA in June 2013. These principles govern and control only the content of the marketing material to be advertised by the financial institution.

Marketing is generally regulated by the Ministry of Culture and Information (MCI). The MCI obliges entities wishing to carry out advertising activities whether in print or electronically to obtain a licence, whether the entity is local or foreign. In accordance with MCI laws, the entity shall obtain a licence to be able to market its activities. Upon obtaining the relevant licence, the entity must comply with the banking Consumer Protection Principles with regard to the content of the material it desires to advertise.

These principles are applicable to financial institutions, and we believe that the same laws and principles will likely govern the marketing of fintech services in Saudi Arabia.

ii Cross-border issues

Activities that are regulated or licensed by a foreign jurisdiction cannot be passported to Saudi Arabia's jurisdiction. For a foreign company to carry out its activities in Saudi Arabia, it must have local legal presence in Saudi Arabia subject to local licensing. Hence, the company from another jurisdiction will be required to seek the relevant licensing in Saudi Arabia depending on its activities from SAMA, the CMA or both, and from the Ministry of Investment (MISA).

If the foreign entity attempts to undertake its activities in Saudi Arabia without legal presence in Saudi Arabia, the transfer of monetary amounts from the local account to the foreign account may trigger a red flag with the banks, which may subject the entity to investigation. To avoid this, the foreign entity should have a local bank account and opening a local bank account entails having a local presence.

Cross-border services or products cannot be offered without a local presence. Hence, the fintech service or product can be offered in Saudi Arabia once the company offering the service or product establishes local presence either by establishing a new company and obtaining a MISA licence or, in limited instances, appointing a Saudi-licensed agent in Saudi Arabia to provide the services or products on their behalf.

Marketing is subject to specific licensing, whether carried out by a local or foreign entity. Accordingly, if the foreign entity wishes to appoint a local entity to solicit the services, it shall ensure that the local entity is licensed by the MCI to carry out marketing and advertisement activities provided that the advertisement is in line with the Banking Consumer Protection Principles issued by SAMA. The only difference between appointing a local partner and actively marketing is where the entity chooses the option to appoint a partner to solicit the service; this will exempt that entity from seeking the necessary marketing licence provided that the local partner is licensed by the relevant authorities. Owing to the importance of the licensing requirement, we usually ask foreign entities to conduct licensing-related due diligence before deciding to appoint a local partner.

First, regarding foreign exchange or currency control, for an entity to open a bank account in Saudi Arabia it must establish legal local existence, which subjects it to MISA licensing. Also, if it is seeking local existence then opening a bank account in Saudi Arabia is required.

Once an entity has successfully established itself in Saudi Arabia and has opened a local bank account, the transfer of the amounts collected in Saudi Arabia to the parent company's offshore account will be permissible.

To contribute to diversifying the economy in support of Saudi Arabia's Vision 2030, MISA minimised its requirements for foreigners to obtain the necessary licences to establish entities in Saudi Arabia. Thus, for foreign persons to enjoy the right of ownership in Saudi Arabia, they will be subject to MISA licensing based on the activities they wish to carry out. However, there are some activities that may not be carried out by foreigners as per MISA's list of activities that are restricted for foreign visitors. In addition, some activities may entail the satisfaction of certain requirements or partnering with a local shareholder. These requirements differ based on the activities carried out by the company to be established in Saudi Arabia. The foreign entity has four available options to carry out its activity in Saudi Arabia. It may:

  1. establish a subsidiary of an existing foreign company by obtaining the relevant MISA licence;
  2. start a new fintech company through MISA's entrepreneurial licence;
  3. license the fintech company to a Saudi start-up; or
  4. appoint a sales agent in Saudi Arabia.

Digital identity and onboarding

The only digital identity available in Saudi Arabia is issued by the state and is only offered for the government sector. Each citizen shall have his or her identity registered with Saudi Arabia's Ministry of Interior (MOI) by registering their fingerprints and creating an account on the Absher platform. Upon registering with the MOI, a number of government services can be provided using the digital identity, such as the issuance of powers of attorney and the issuance and payment of traffic fines. Furthermore, with the global spread of the covid-19 pandemic, the Ministry of Health introduced a number of applications for the purpose of monitoring exposure to the virus that are directly linked to a person's Absher account. As such, while several applications have been introduced that are directly linked to one's digital identity, the unified identity remains to be the Absher accounts of the residents.

The registration of Absher accounts is only available for residents of Saudi Arabia, whether they are nationals or not. Nationals will register electronically using their national ID numbers, then activate the account by registering their fingerprints on machines offered in a number of locations in Saudi Arabia (mainly in malls for ease of access). Non-national residents, on the other hand, register electronically using their 'iqama' number, then register their fingerprints in the same manner nationals do for activation of an account. Upon successful activation, residents of Saudi Arabia will be able to enjoy the services offered by the MOI electronically.

As mentioned above, digital identity is only provided for the government sector. We still do not see it being applicable to financial services, but we believe it may be introduced in the next couple of months, with the introduction of open banking services, as mentioned earlier, and Saudi British Bank (SABB)'s attempts to offer cross-border blockchain transactions, as mentioned in Section V.

Digital markets, payment services and funding

Collective investment, governed by SAMA, is generally allowed but subject to licensing and minimum capital requirements. Any activity with the purpose of financing is regulated by the Finance Companies Control Law promulgated by Royal Decree No. M/51 dated 13/08/1433 H (corresponding to 02/07/2012 G) (the Finance Companies Law) and its implementing regulations. Because the purpose of collective investment is to finance companies, it will trigger the application of the Finance Companies Law. As per the Finance Companies Law and its implementing regulations, financing activities may not be carried out in Saudi Arabia without obtaining the necessary licences from SAMA, provided that such activities are in compliance with shariah principles. Thus, any entity desiring to manage investments for the purpose of financing other entities will be subject to SAMA licensing requirements.

To be able to create a portal to regulate collective investments, the entity that is the manager of the investment shall seek to obtain the necessary licence offered by SAMA. Furthermore, because such activity may trigger money laundering risks, being the manager of such an investment may be subject to investigation. As a result of these risks, SAMA is reluctant to allow individuals or entities to collect amounts, fearing that they may be used for wrongful purposes unless they can demonstrate sufficient evidence of how they intend to monitor closely every transaction made. Hence, to obtain the necessary licensing, we advise the entity to consider how to mitigate any money laundering-related risks and communicate these considerations to SAMA.

While debt-based crowdfunding is now governed by the newly issued laws, the CMA allows for equity-based crowdfunding in Saudi Arabia, subject to regulation by CMA laws and regulations. The entity shall first apply via the CMA's portal to obtain a temporary licence to carry out crowdfunding activities during a trial period. Similar to collective investment, because money collection is a sensitive activity, the entity wishing to crowdfund must provide sufficient evidence of how it intends to monitor closely any money laundering activities that may occur. Upon the entity's acceptance by the CMA and successful completion of the trial period, it may be granted a permanent licence allowing the entity to carry out equity-based crowdfunding activities in Saudi Arabia.

Similar to collective investment, because peer-to-peer lending falls under financing activities, it shall be governed by SAMA and subject to the Finance Companies Law. For an entity to carry out the activities related to peer-to-peer lending, it shall ensure that its entity is licensed by SAMA and that the activities being conducted are in line with shariah principles.

Furthermore, where the entity is responsible for managing the amounts, it will be subject to CMA regulations. This is because management activities fall under securities business activities as listed in the Securities Business Regulation issued by the CMA. Thus, because peer-to-peer lending is a financial activity and its management falls under security business activities, such entity will trigger SAMA and CMA licensing requirements. Once all licences are obtained, the entity will be authorised to carry out lending and management activities in Saudi Arabia.

Payment services in Saudi Arabia will trigger the application of the Banking Control Law, which applies to banks generally. Thus, any payment services activities will require licensing by SAMA (i.e., PayPal, HyperPay and PayTab). Accordingly, where an entity desires to carry out payment services, it must obtain the necessary licences from SAMA, partner with an entity licensed by SAMA, or appoint a local agent licensed by SAMA and licence the local agent to carry out the payment services activities.

With regard to making client data accessible to third parties, the introduction of the Open Banking Policy should enable customers to securely share their data with third parties so fintech companies can benefit from access to customers' data allowing new financial services to be offered. As mentioned above, this policy is still undergoing different phases until its full implementation by 2022. As such, we should expect developments in this sector by 2022.

Other than the open banking policy, there are no laws regulating the protection of client's information. However, it is common practice to keep such information confidential, especially with the introduction of the E-Commerce Law in July 2019 and its implementing regulations earlier in 2021. The E-Commerce Law is the first law to put an obligation on entities to keep its clients' and users' information confidential when transacting electronically. Based on this provision, we believe Saudi Arabia is moving towards imposing a legal duty on entities to keep clients' information confidential and making this a legal obligation subject to sanctions in case of violation.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

Furthermore, with respect to cryptocurrencies, despite its warning about transacting with the cryptocurrencies that are in existence today,8 SAMA with the United Arab Emirates' (UAE) Central Bank has introduced a new cryptocurrency: Aber. Aber will allow blockchain cross-border transfers and payments between Saudi and the UAE in its efforts to explore, experiment and gain a deeper understanding of cryptocurrencies and distributed ledger technology. The introduction of Aber will also allow Saudi to benchmark findings against those of central banks to ensure that SAMA-issued cryptocurrencies overcome any issue facing other products. Moreover, the Saudi Central Bank has contracted with US-based Ripple to introduce pilot programmes for Saudi banks. This programme attempts to radically shift the banking system in Saudi Arabia by allowing transactions in digital currencies.9 At the Financial Sector Conference in April 2019, SABB stated that it will launch its Ripple-based cross-border payments through blockchain.10 Accordingly, Saudi Arabia's efforts to introduce its own digital currencies are evident through its contracts with the UAE's Central Bank and US-based Ripple.

There are no legal standards governing blockchain and cryptocurrencies so far. Therefore, the laws are unclear with regard to the qualification of tokens as securities. We do believe that money laundering rules and tax laws will be applied to new technology in a similar way to conventional financial transactions.

Other new business models

There are no laws governing the permissibility of self-executed contracts yet. However, contracts in general are governed by shariah principles in Saudi Arabia. As long as an offer, acceptance and consideration are demonstrated, a contract shall be held valid under shariah principles. Hence, we believe that if smart contracts follow the same process, they shall be admissible in Saudi Arabia.

With regard to arbitration, we believe the same arbitration laws governing conventional contracts shall be enforceable on self-executed contracts. This is because Saudi Arabia's laws of arbitration apply to any arbitration, regardless of the nature of the legal relationship between the parties in dispute.11

As discussed above, automated processes are not yet permitted. Nevertheless, we presume that if it is executed in a manner that complies with shariah principles then it shall be permitted.

Third-party websites comparing products or providing information about financial products are subject to SAMA regulations. Such websites are currently considered brokers by SAMA and are therefore subject to licensing requirements to enter into its sandbox programme.

Intellectual property and data protection

There are four means of protecting intellectual property:

  1. trademark registration;
  2. patent registration;
  3. industrial designs registration; and
  4. copyright.

Trademarks are registered through the Ministry of Commerce's (MOCI) portal where the applicant may register the name and logo of his or her entity. Industrial designs may also be registered through the MOCI. Patents, on the other hand, are protected by registration with either the King Abdulaziz University for Science and Technology (KAUST), where KAUST will be entitled to a percentage of the patent to be registered, or the King Abdulaziz City for Science and Technology, though the process is lengthy and complex.

Based on the above, the options available for IP registration and protection in Saudi Arabia, are, generally speaking, difficult to implement in practice. Because of the complexity of the process, clients usually resolve to protect their rights via registering them in the United States then equalising the certificate to be used in Saudi Arabia. This is the case for patents, too.

For software to be protected, its code shall be revealed in detail for copyright purposes because codes cannot be patented. Upon revealing the code of the software, it will be subject to copyright laws, because copyright in Saudi Arabia is protected for 50 years after publication, subject to renewal. Owing to the level of exposure this process entails, this mechanism is not that preferred by software owners. Thus, we advise software owners wishing to protect their software to register the software's trademark for protection, because the software itself cannot be protected.

Where an employee develops software, its ownership rights merely depend on the contract between the employee and his or her company. There are no specific laws governing this matter.

As mentioned above, the first law enforcing an obligation on entities to keep their clients' or users' information confidential was introduced in July 2019. The E-Commerce Law12 demonstrates Saudi Arabia's attempts to highlight the importance of keeping clients' data safe, which we believe will set a threshold to be met by entities to ensure their clients' data is protected.

Year in review

With the growth of fintech in Saudi Arabia, SAMA and the CMA's efforts to support the industry can be clearly demonstrated through the issuance of new regulations and licences and the number of experimental and permanent licences they have granted to fintech companies during the past few years. SAMA has gone so far as to issue rules governing specific fintech activities in its efforts to make use of the benchmarks it has concluded from its sandbox programmes during the past three years. Based on such initiatives by SAMA and the CMA, and their close monitoring process during the trial period, we believe Saudi Arabia may introduce more new laws to accommodate the market's needs in the near future.

Outlook and conclusions

While the Saudi market is adapting quickly to global market trends, and innovation is occurring faster than the legislation regulating it, SAMA has been on top of issuing new legislation for specific fintech activities. SAMA has issued new laws governing PSP, finance support and debt-based crowdfunding activities, while the CMA is still examining the fintech companies operating within its sandbox and experimental programmes very closely. The issuance of new guidelines demonstrates SAMA and the CMA's efforts in developing the fintech ecosystem in the Kingdom.


1 Suhaib Adli Hammad is a partner at Hammad and Al-Mehdar. The information in this chapter was accurate as at April 2021.

2 Check the activities listed by both to understand the relevant authority and seek the necessary licence.

3 Fintech Saudi is a body that supports fintech companies by publishing guidelines to assist in understanding the framework available in Saudi Arabia. Fintech Saudi is not the body responsible for developing these regulations, but both SAMA and the CMA are strategic partners of Fintech Saudi.

4 The application form can be found by clicking the 'Fintech Application' link at:

5 MB staff, 'STC Pay and Geidea become first two companies to get fintech license from SAMA', 2 February 2020 (

11 Article 2 of the Law of Arbitration of Saudi Arabia.

12 Approved on 9 July 2019 pursuant to Royal Decree No. M/126.

The Law Reviews content