Learn how to comply with strict Saudi Arabian anti-money laundering (AML) rules and why you may actually be interested in opening a business in the country.
Saudi Arabia is becoming an increasingly attractive destination for fintechs and startups. The Saudi Central Bank (SAMA), the nation’s leading financial institution, recently updated its Regulatory Sandbox Framework to an “Always Open Approach”, which gives financial institutions, as well as local and international startups, greater flexibility to apply and bring more innovative business models to their clients.
This trend is unsurprising given the unprecedented growth that the Saudi fintech market has experienced in recent years. To put it in numbers, the Kingdom saw a 37 percent year-on-year increase in active financial technology companies in 2021, and the sector is projected to continue growing.
However, before entering the Saudi market, incoming fintechs should fully understand the country’s strict anti-money laundering (AML) regulations, since any violation may be punishable by up to 15 years imprisonment.
Read our guide to learn everything you need to stay compliant and out of prison.
Institutions that are based in the Kingdom of Saudi Arabia and are engaged in one or more financial, commercial, or economic activities must adhere to the AML regulations. Such institutions may include:
Per the regulations, financial institutions must adopt a risk-based approach proportionate with the nature and size of their business.
There are multiple Saudi authoritative bodies that regulate fintech companies, including:
Saudi Arabia has been a FATF member since June 2019, is part of the Middle East and North Africa Financial Action Task Force (MENAFATF), and has largely introduced FATF recommendations into its legislation.
According to the Mutual Evaluation Report of 2020, of the 40 FATF recommendations, Saudi Arabia was partially compliant with four, largely compliant with 17, and compliant with 19.
According to the 1st Enhanced Follow-up Report & Technical Compliance Re-Rating,
Saudi Arabia has made progress in addressing the technical compliance deficiencies identified in the 2018 MER concerning Recommendations 6 and 7, which were previously rated as partially compliant. Saudi Arabia was eventually re-rated as largely compliant with respect to Recommendations 6 and 7.
The Kingdom also took steps to improve compliance with Recommendations 2, 18, and 21, but the FATF considered the efforts insufficient. As of today, Saudi Arabia remains largely compliant with Recommendations 2, 18, and 21.
Today, the FATF recommendations are reflected in the following AML laws:
The full list of Saudi AML regulations and laws can be found on the official website.
As mentioned earlier, financial institutions in Saudi Arabia are required to adopt a risk-based approach.
This includes a Know Your Customer (KYC) assessment, proper due diligence measures towards potential customers, appointing a Money-Laundering Reporting Officer (MLRO), as well as transaction monitoring. Here’s a breakdown of each requirement:
Customer Due Diligence (CDD)
Per Saudi regulators, the following ID attributes are required to identify a natural person (i.e., individual):
The following documents can be used to verify identity:
The following documents can be used verify an address:
Enhanced Due Diligence (EDD)
Businesses are also required to rule out the possibility that a potential client is a Politically Exposed Person (PEP), holds a public office, or represents a higher risk of money laundering or terrorist financing. In such cases, businesses must apply more extensive due diligence measures, including:
If a high-risk client is identified, the financial institution must obtain approval from senior management before dealing with that client.
As part of AML/KYC compliance, businesses are required to retain the due diligence data on their clients for no less than ten years. If this information is processed, collected, and managed by a third party, businesses must collect all the necessary information from that third party.
Monitoring and following up on transactions and activities
According to Article 13 of the Anti-Money Laundering Law and Article 69 of the Law on Combating Terrorism Crimes and Financing, a financial institution is obligated to continuously monitor transactions, documents, and data to ensure that they are consistent with the information that the financial institution has about the customer or business relationship.
The financial institution must also use appropriate technologies that enable it to monitor transactions and activities and detect any unusual or unexpected behavior from customers—manual monitoring is considered insufficient.
Suggested read: AML Transaction Monitoring Guide
The financial institution should also test its supervisory tools once a year to ensure that they are effective and adequate. Depending on the test results, which must be documented, companies may need to make improvements accordingly.
Reporting of suspicious transactions
Any suspicious transaction must be reported to the SAFIU. According to Saudi legislation, institutions must set up and document procedures for reporting suspicious transactions, and ensure that they are approved at the level of the board of directors.
The procedures may include:
A technical report on reported cases must be submitted to the SAFIU and should include:
The financial institution should also notify the Saudi Central Bank of any accounts, business relationships, or financial transactions involving the names included in the lists of UN Security Council Committees 2253/1989/1267 and 1988. The institution should also notify SAMA of business relationships involving the names included in the national list in implementation of the Security Council Resolution No. 1373.
Independent audit function
Financial institutions need to have their internal AML/CTF controls tested by an independent party to ensure that they are resilient to ML/TF risks and implemented effectively. The independent auditor should not be directly involved in any of the functions or measures audited.
The auditor typically evaluates the appropriateness, adequacy, and effectiveness of the AML/CTF compliance program and related procedures at the level of the financial institution, documents the audit results, and sends these results to the board of directors for review and further action. Senior management is required to address any discovered weaknesses or deficiencies.
The financial institution should allocate a sufficient budget for anti-money laundering training to senior management and employees. The training must be based on real cases and discuss industry trends and new methods used in ML/TF transactions.
Appointing a Money-Laundering Compliance Officer
In order for the financial institution to implement the risk-based approach effectively, its board should set up appropriate arrangements at the level of the financial institution and appoint an officer (MLCO) to fulfill the AML/CTF compliance function.
Saudi Arabia has imposed severe penalties for money launderers:
A Saudi citizen convicted of money laundering will be banned from traveling outside the country for a period similar to that of a prison sentence. A non-Saudi convicted of money laundering would face deportation.
The penalty may be reduced if the criminal reports themselves to the authorities before the latter finds out. Leniency may likewise be granted if a criminal reports associates, and these reports lead to the arrest or seizure of funds, instrumentalities, or proceeds of the crime.
As stated in the Royal Decree No M/39, money laundering is committing or attempting to commit any act for the purpose of concealing or falsifying the true origin of funds acquired by means contrary to Shari’ah law, thus making them appear as if they came from a legitimate source.
KYC, or “Know Your Customer”, includes a number of processes that support financial institutions in screening and verifying the identity of their customers during onboarding and periodic refresh phases.
Yes. Although the FATF in its Mutual Evaluation report stated the country has strong and well-established AML/CFT measures in the financial sector, Saudi Arabia still faces a high risk of terrorism financing. The risks are linked to terrorism committed both within Saudi Arabia, and to countries experiencing conflicts within the region, including the presence of Al Qaeda, ISIS, and other terrorist groups.