The Financial Technology Law Review: Saudi Arabia


The boom of financial technology (fintech) in Saudi Arabia has led the Saudi Arabian Monetary Authority (SAMA) and the Capital Market Authority (CMA) to introduce new programmes to regulate the entities wishing to carry out fintech-related activities. In its efforts to contribute to Saudi Arabia's Vision 2030 and diversify the economy, SAMA announced its acceptance of applications to its sandbox programmes starting from January 2018 to focus on the digitalised market Saudi Arabia is shifting towards. For fintech companies to enter the market in Saudi Arabia, they will be required to obtain the necessary licences from SAMA, the CMA or both, depending on the activities the fintech company wishes to carry out.2 These licences are merely temporary and in the form of a letter allowing the accepted entities to engage in fintech-related activities for a trial period until being approved by the relevant authority.

Despite the fact that there have not been changes in the laws to fit fintech companies' purposes, both SAMA and the CMA grant temporary experimental licences as an initiative to encourage the growth of fintech in Saudi Arabia. These licences are issued through an application to the relevant entity's sandbox programme, but are still governed by the same laws which govern conventional financial transactions, which are as follows:

  1. general banking control laws;
  2. general finance company control laws;
  3. the E-banking Rules; and
  4. the Electronic Transactions Law.

To further demonstrate Saudi Arabia's initiative to cope with the digital market, a fintech guide was issued in February 2019 by Fintech Saudi3 highlighting the regulations governing the industry, the framework of their application and the options available for foreign investors to enter the Saudi fintech market. An updated version was published in July 2019. The release of a new version so soon after the original indicates that changes are happening rapidly in Saudi Arabian fintech law and that the country is paying close attention to the growth of fintech.

This is also evidenced through the introduction of Fintech Saudi and its regular updates on the new laws and activities issued regarding the formation and regulation of fintech companies.

Furthermore, Fintech Saudi recently issued its 2019 report, which serves as a summary of the fintech ecosystem in Saudi Arabia while highlighting the developments undertaken by the relevant authorities to regulate the fintech boom in Saudi Arabia. The report further states that the governor of SAMA along with the governor of the CMA have been recently working on establishing the Fintech Saudi Hub, which will provide co-working spaces for entrepreneurs with fintech innovations while also hosting events and lectures related to the fintech field.

Since fintech transactions are still governed by conventional financial transactions laws, there are no specific tax regulations that apply to fintech companies. The General Authority of Zakat and Tax generally applies zakat on local companies and tax on foreign companies. The zakat is calculated to be 2.5 per cent of the capital of the company, while the tax on foreign companies or foreign shareholders in a company is usually 20 per cent of the revenue of the company, as opposed to the capital. Thus, fintech companies will be required to pay the same amounts based on the shareholders' nationality. We believe that applying only a 2.5 per cent on local companies' capital and 20 per cent on foreign shareholders' revenue demonstrates the way in which tax laws in Saudi Arabia are company-friendly, which in fact means that they are fintech-friendly as well.


i Licensing and marketing

Generally speaking, there have not been any alterations in the laws governing fintech as opposed to conventional financial transactions. Accordingly, all financial transactions are governed by the same laws, whether fintech or conventional.

Nevertheless, the relevant authorities are attempting to introduce fintech regulations to keep pace with the developments in Saudi Arabia. In the meantime, these are the options available for fintech companies to enter the Saudi market:

  1. alter the business carried out by the company to one that does not require SAMA or CMA licensing;
  2. partner with a local entity licensed by the relevant authorities; or
  3. enter the sandbox programmes offered by SAMA and the CMA that grant temporary or experimental licences. Fintech companies that carry out activities licensed by SAMA will have up to six months, subject to renewal, to practise their activities in the Saudi market. Companies that carry out activities regulated by the CMA will be given the opportunity to conduct business for up to two years and they may renew this licence once.

The temporary licence is a letter from the relevant authority allowing the specific company to practise its activities in Saudi Arabia while being monitored by such authority. A letter is only granted upon SAMA or the CMA's acceptance of the application submitted by the entity. The application form is offered on SAMA/CMA's website4 to provide clarity with regard to what is expected from the applicants. Upon CMA/SAMA's acceptance of the application, the trial period shall commence, granting the entity the right to enter the Saudi market while carrying out its fintech activities. Once the licensed entity successfully completes its trial period, SAMA or the CMA will consider licensing the entity permanently. While there are 19 companies to date in the SAMA sandbox programme, on 2 February 2020, Menabytes, which covers technology and digital stories from the Middle East and North Africa, announced that two companies have been issued fintech licences by SAMA for the first time in Saudi Arabia upon successful completion of the SAMA sandbox trial period.5 STC Pay and Geidea, both offering payment fintech services, are now the first two companies to graduate from the SAMA sandbox programme and obtain a fintech licence.

In addition to granting temporary licences to practise fintech activities, SAMA and the CMA aim to regulate fintech in Saudi Arabia as follows. The CMA is the financial regulatory authority responsible for overseeing securities activities and crowdfunding solutions. SAMA, established by two royal decrees, is a regulatory, legislative and judicial body. Its legislative features emphasise, first, its responsibility for drafting and approving the laws on financial transactions – for instance, it approved the Charter of the Saudi Arabian Monetary Authority. Second, its regulatory element gives SAMA the authority to oversee and license entities that carry out financial activities. Finally, its judiciary feature allows for SAMA to establish its own judicial body to assume jurisdiction over claims related to financial activities such as e-wallets, payment mechanisms to validate e-signatures and e-transactions.

Fintech Saudi identified seven activities that do not require licensing by either SAMA or the CMA. These are:

  1. aggregation of publicly available financial information;
  2. business tools;
  3. back-office bank operations;
  4. enhancing bank's customer experience;
  5. personal management;
  6. regulation technology (regtech), which involves the use of technology to support financial organisations to comply with financial services regulations. Fintechs can develop regtech solutions that do not conduct regulated activities but support financial organisations to remain compliant; and
  7. gamification.

Thus, carrying out such activities shall not trigger the application of the requirements to be licensed by the CMA or SAMA. Moreover, credit information services, falling under back-office bank operations, shall also be exempted from the requirement to be licensed since they are one of the seven activities that can be carried out without a licence.

Setting up an asset management company in Saudi Arabia is subject to licensing by the CMA as set out in the latter's Investment Fund Regulations6 and Authorised Persons Regulations.7 This means that the entity must satisfy a number of requirements, such as a minimum capital requirement and establishing multiple internal key functions and appointing the required specialised officers, before being able to carry out its activities in Saudi Arabia.

Marketing and advertising of banking and financial services in Saudi Arabia are subject to the Banking Consumer Protection Principles issued by SAMA in June 2013. It is important to note that these principles govern and control only the content of the marketing material to be advertised by the financial institution.

Marketing is generally regulated by the Ministry of Culture and Information (MCI). The MCI obliges entities wishing to carry out advertising activities, whether in print or electronically, to obtain a licence, whether the entity is local or foreign. In accordance with MCI laws, the entity shall obtain a licence to be able to market its activities. Upon obtaining the relevant licence, the entity must comply with the Banking Consumer Protection Principles with regard to the content of the material it desires to advertise.

It is important to note that these principles are applicable to financial institutions, and since Saudi Arabia remains silent with regard to the introduction of any special marketing laws applicable to fintech services, we believe that the same laws and principles will likely govern the marketing of fintech services in Saudi Arabia.

ii Cross-border issues

Activities that are regulated or licensed by a foreign jurisdiction cannot be passported to Saudi Arabia's jurisdiction. For a foreign company to carry out its activities in Saudi Arabia, it must have local legal presence in Saudi Arabia subject to local licensing. Hence, the company from another jurisdiction will be required to seek the relevant licensing in Saudi Arabia depending on its activities from SAMA, the CMA or both, and from the Ministry of Investment (MISA).

If the foreign entity attempts to undertake its activities in Saudi Arabia without legal presence in Saudi Arabia, the transfer of monetary amounts from the local account to the foreign account may trigger a red flag with the banks, which may subject the entity to investigation. To avoid this, the foreign entity should have a local bank account and opening a local bank account entails having a local presence.

Cross-border services or products cannot be offered without a local presence. Hence, the fintech service or product can be offered in Saudi Arabia once the company offering the service or product establishes local presence either by establishing a new company and obtaining a MISA licence or, in limited instances, appointing a Saudi-licensed agent in Saudi Arabia to provide the services or products on their behalf.

Marketing is subject to specific licensing, whether carried out by a local or foreign entity. Accordingly, if the foreign entity wishes to appoint a local entity to solicit the services, it shall ensure that the local entity is licensed by the MCI to carry out marketing and advertisement activities provided that such advertisement is in line with the Banking Consumer Protection Principles issued by SAMA. The only difference between appointing a local partner and actively marketing is where the entity chooses the option to appoint a partner to solicit the service; this will exempt that entity from seeking the necessary marketing licence provided that the local partner is licensed by the relevant authorities. Owing to the importance of the licensing requirement, we usually ask foreign entities to conduct licensing related due diligence before deciding to appoint a local partner.

First, regarding foreign exchange or currency control, in order for an entity to open a bank account in Saudi Arabia it must establish legal local existence, which subjects it to MISA licensing. Also, if it is seeking local existence then opening a bank account in Saudi Arabia is required.

Once an entity has successfully established itself in Saudi Arabia and has opened a local bank account, the transfer of the amounts collected in Saudi Arabia to the parent company's offshore account will be permissible.

Furthermore, with regard to cryptocurrencies specifically, despite its warning about transacting with the cryptocurrencies that are in existence today,8 SAMA has been experimenting with the United Arab Emirates' (UAE) Central Bank blockchain cross-border transfers and payments in its efforts to issue its own digital currency to be used in cross-border transactions.9 Moreover, the Saudi Central Bank has contracted with US-based Ripple to introduce pilot programmes for Saudi banks. This programme attempts to radically shift the banking system in Saudi Arabia by allowing transactions in digital currencies.10 At the Financial Sector Conference in April 2019, Saudi British Bank (SABB) stated that it will launch its Ripple-based cross-border payments through blockchain.11 Accordingly, Saudi Arabia's efforts to introduce its own digital currencies are evident through its contracts with the UAE's Central Bank and US-based Ripple.

To contribute to diversifying the economy in support of Saudi Arabia's Vision 2030, MISA minimised its requirements for foreigners to obtain the necessary licences to establish entities in Saudi Arabia. Thus, for foreign persons to enjoy the right of ownership in Saudi Arabia, they will be subject to MISA licensing based on the activities they wish to carry out. It is important to note, however, that there are some activities that may not be carried out by foreigners as per MISA's list of activities that are restricted for foreign visitors. In addition, some activities may entail the satisfaction of certain requirements or partnering with a local shareholder. These requirements differ based on the activities carried out by the company to be established in Saudi Arabia. The foreign entity has four available options to carry out its activity in Saudi Arabia. It may:

  1. establish a subsidiary of an existing foreign company by obtaining the relevant MISA licence;
  2. start a new fintech company through MISA's entrepreneurial licence;
  3. license the fintech company to a Saudi start-up; or
  4. appoint a sales agent in Saudi Arabia.

Digital identity and onboarding

The only digital identity available in Saudi Arabia is issued by the state and is only offered for the government sector. Each citizen shall have his or her identity registered with Saudi Arabia's Ministry of Interior (MOI) by registering their fingerprints and creating an ABSHR account. Upon registering with the MOI, a number of government services can be provided using the digital identity, such as the issuance of powers of attorney, and the issuance and payment of traffic fines.

The registration of ABSHR accounts is only available for residents of Saudi Arabia, whether they are nationals or not. Nationals will register electronically using their national ID numbers, then activate the account by registering their fingerprints on machines offered in a number of locations in Saudi Arabia (mainly in malls for ease of access). Non-national residents, on the other hand, register electronically using their 'iqama' number, then register their fingerprints in the same manner nationals do for activation of account. Upon successful activation, residents of Saudi Arabia will be able to enjoy the services offered by the MOI electronically.

As mentioned above, digital identity is only provided for the government sector. We still do not see it being applicable to financial services, but we believe it may be introduced in the next couple of months, with SABB attempting to offer cross-border blockchain transactions, as mentioned earlier.

Digital markets, payment services and funding

Collective investment, governed by SAMA, is generally allowed but subject to licensing and minimum capital requirements. Any activity with the purpose of financing is regulated by the Finance Companies Control Law promulgated by Royal Decree No. M/51 dated 13/08/1433 H (corresponding to 02/07/2012 G) (the Finance Companies Law) and its Implementing Regulations. Since the purpose of collective investment is to finance companies, it will trigger the application of the Finance Companies Law. As per the Finance Companies Law and its implementing regulations, financing activities may not be carried out in Saudi Arabia without obtaining the necessary licences from SAMA, provided that such activities are in compliance with shariah principles. Thus, any entity desiring to manage investments for the purpose of financing other entities will be subject to SAMA licensing requirements.

To be able to create a portal to regulate collective investments, the entity that is the manager of the investment shall seek to obtain the necessary licence offered by SAMA. Furthermore, since such activity may trigger money laundering risks, being the manager of such investment may be subject to investigation. As a result of these risks, SAMA is reluctant to allow individuals or entities to collect amounts, fearing that they may be used for wrongful purposes unless they can demonstrate sufficient evidence of how they intend to monitor closely every transaction made. Hence, to obtain the necessary licensing, we advise the entity to consider how to mitigate any money laundering-related risks and communicate these considerations to SAMA.

The CMA allows for equity-based crowdfunding in Saudi Arabia, subject to regulation by CMA laws and regulations. The entity shall first apply via the CMA's portal to obtain a temporary licence to carry out crowdfunding activities during a trial period. Similar to collective investment, because money collection is a sensitive activity, it is important to note that the entity wishing to crowdfund must provide sufficient evidence of how it intends to monitor closely any money laundering activities that may occur. Upon the entity's acceptance by the CMA and successful completion of the trial period, it may be granted a permanent licence allowing the entity to carry out crowdfunding activities in Saudi Arabia.

Similar to collective investment, since peer-to-peer lending falls under financing activities, it shall be governed by SAMA and subject to the Finance Companies Law. In order for an entity to carry out the activities related to peer-to-peer lending, it shall ensure that its entity is licensed by SAMA and that the activities being conducted are in line with shariah principles.

Furthermore, it is important to note that where the entity is responsible for managing the amounts, it will be subject to CMA regulations. This is because management activities fall under Securities Business activities as listed in the Securities Business Regulation issued by the CMA. Thus, due to peer-to-peer lending being a financial activity and its management falling under Security Business activities, such entity will trigger SAMA and CMA licensing requirements. Once all licences are obtained, the entity will be authorised to carry out lending and management activities in Saudi Arabia.

We are not aware of such activities yet being carried out in Saudi Arabia nor of the way in which the laws would govern such trading.

Payment services in Saudi Arabia will trigger the application of the Banking Control Law, which applies to banks generally. Thus, any payment services activities will require licensing by SAMA (i.e., PayPal, HyperPay and PayTab). Accordingly, where an entity desires to carry out payment services, it must obtain the necessary licences from SAMA, partner with an entity licensed by SAMA, or appoint a local agent licensed by SAMA and license the local agent to carry out the payment services activities.

With regard to making client data accessible to third parties, there are no laws mandating that clients' information be kept confidential. However, it is common practice to keep such information confidential, especially with the introduction of the E-Commerce Law in July 2019 and its implementing regulations earlier this year. The E-Commerce Law is the first law to put an obligation on entities to keep their clients' and users' information confidential when transacting electronically. Based on this provision, we believe Saudi Arabia is moving towards imposing a legal duty on entities to keep clients' information confidential and making this a legal obligation subject to sanctions in case of violation.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

Despite SAMA's warning on transacting with cryptocurrencies in existence today, it has been experimenting with the UAE Central Bank and US-based company Ripple to introduce blockchain cross-border transfers and payments while considering whether to issue their own digital currency. However, there are no special laws governing blockchain technology yet, so it remains subject to conventional financial transactions laws.

There are no legal standards governing blockchain and cryptocurrencies so far. Therefore, the laws are unclear with regard to the qualification of tokens as securities. We do believe that money laundering rules and tax laws will be applied to new technology in a similar way to conventional financial transactions.

Digital assets

Other new business models

There are no laws governing the permissibility of self-executed contracts yet. However, contracts in general are governed by shariah principles in Saudi Arabia. As long as an offer, acceptance and consideration are demonstrated, a contract shall be held valid under shariah principles. Hence, we believe that if smart contracts follow the same process, they shall be admissible in Saudi Arabia.

With regard to arbitration, we believe the same arbitration laws governing conventional contracts shall be enforceable on self-executed contracts. This is because Saudi Arabia's laws of arbitration apply to any arbitration, regardless of the nature of the legal relationship between the parties in dispute.12

As discussed above, automated processes are not yet permitted. Nevertheless, we presume that if it is executed in a manner that complies with shariah principles then it shall be permitted.

Third-party websites comparing products or providing information about financial products are subject to SAMA regulations. Such websites are currently considered brokers by SAMA and are therefore subject to licensing requirements to enter into its sandbox programme.

Saudi Arabia has recently been developing new laws in its efforts to address the changes following Crown Prince Mohammed Bin Salman's Vision 2030. However, there are still no specific laws regulating fintech in Saudi Arabia. Nevertheless, with Saudi Arabia undertaking rapid changes to diversify the economy and the flourishing of fintech-related activities and companies in Saudi Arabia, we expect new regulations to be developed and new laws introduced that are tailored to fit the industry. Furthermore, we believe that establishing an entity responsible for regulating the new developments in fintech is a strong indicator that Saudi is monitoring the growth in fintech and is preparing a targeted response.

Intellectual property and data protection

There are four means of protecting intellectual property:

  1. trademark registration;
  2. patent registration;
  3. industrial designs registration; and
  4. copyright.

Trademarks are registered through the Ministry of Commerce's (MOCI) portal where the applicant may register the name and logo of his or her entity. Industrial designs may also be registered through the MOCI. Patents, on the other hand, are protected by registration with either the King Abdulaziz University for Science and Technology (KAUST), where KAUST will be entitled to a percentage of the patent to be registered, or the King Abdulaziz City for Science and Technology (KACST), though the process is lengthy and complex.

Based on the above, the options available for IP registration and protection in Saudi Arabia are, generally speaking, difficult to implement in practice. Due to the complexity of the process, clients usually resolve to protect their rights via registering them in the United States then equalising the certificate to be used in Saudi Arabia. This is the case for patents, too.

In order for software to be protected, its code shall be revealed in detail for copyright purposes since codes cannot be patented. Upon revealing the code of the software, it will be subject to copyright laws, since copyright in Saudi Arabia is protected for 50 years after publication, subject to renewal. Owing to the level of exposure this process entails, this mechanism is not that preferred by software owners. Thus, we advise software owners wishing to protect their software to register the software's trademark for protection, since the software itself cannot be protected.

Where an employee develops software, its ownership rights merely depend on the contract between the employee and his/her company. There are no specific laws governing this matter.

As mentioned above, the first law enforcing an obligation on entities to keep their clients' or users' information confidential was introduced in July 2019. The E-Commerce Law13 demonstrates Saudi Arabia's attempts to highlight the importance of keeping clients' data safe. Hence, despite the fact that there are no laws imposing a legal duty on entities to keep their clients' data confidential, we believe that the E-Commerce Law and its implementing regulations will set a threshold to be met by entities to ensure their clients' data is protected. Based on that, we also believe new laws may be introduced on data protection and old laws amended to impose duties on parties to protect the confidentiality of individuals' data and information.

Year in review

With the growth of fintech in Saudi Arabia, SAMA and the CMA's efforts to support the industry can be clearly demonstrated through the number of experimental and permanent licences they have granted to fintech companies during the last three years. Accordingly, despite the fact that there are no developments in the legal treatment of fintech companies and new regulations governing this type of company have not yet been introduced, the CMA and SAMA have accommodated the fintech market's needs by allowing more companies to carry out fintech activities through their sandbox programmes and by granting licences for fintech activities. SAMA has gone so far as to grant two entities a permanent licence upon the successful completion of their trial period. Based on this initiative by SAMA and the CMA, and their close monitoring process during the trial period, we believe Saudi Arabia may introduce new laws to accommodate the market's needs in the near future.

Outlook and conclusions

The Saudi market is adapting quickly to global market trends and innovation is occurring faster than the legislation regulating it. SAMA and the CMA are still examining the fintech companies operating within their sandbox and experimental programmes very closely. They are continuing to regulate the operation of fintech companies through existing legislation, which was not drafted with the introduction of technology to the financial sector in mind. While their efforts to support the ecosystem are commendable, the current regulations should be updated and new guidelines developed on licensing and operating fintech companies with new concepts such as crowdfunding, robo-advice and micro-lending.


1 Suhaib Adli Hammad is a partner at Hammad and Al-Mehdar.

2 Check the activities listed by both to understand the relevant authority and seek the necessary license.

3 Fintech Saudi is a body that supports fintech companies by publishing guidelines to assist in understanding the framework available in Saudi Arabia. It is important to note that Fintech Saudi is not the body responsible for developing these regulations, but both SAMA and the CMA are strategic partners of Fintech Saudi.

4 You can find the application form by clicking the 'Fintech Application' button provided on this link:

5 MB staff, STC Pay and Geidea Become First Two Companies to Get Fintech License from SAMA, February 2020.

9 Arab News; What is Blockchain, and Why Do the UAE and Saudi Arabia Want to Use it.

11 SABB website.

12 Article 2 of the Law of Arbitration of Saudi Arabia.

13 Approved on 9 July 2019 pursuant to Royal Decree No. M/126.
