Nov 21, 2022
5 min read

AML/KYC Guide to Saudi Arabia, a Fintech Destination to Look Out For

Learn how to comply with strict Saudi Arabian anti-money laundering (AML) rules and why you may actually be interested in opening a business in the country.

Saudi Arabia is becoming an increasingly attractive destination for fintechs and startups. The Saudi Central Bank (SAMA), the nation’s leading financial institution, recently updated its Regulatory Sandbox Framework to an “Always Open Approach”, which gives financial institutions, as well as local and international startups, greater flexibility to apply and bring more innovative business models to their clients.

This trend is unsurprising given the unprecedented growth that the Saudi fintech market has experienced in recent years. To put it in numbers, the Kingdom saw a 37 percent year-on-year increase in active financial technology companies in 2021, and the sector is projected to continue growing.

However, before entering the Saudi market, incoming fintechs should fully understand the country’s strict anti-money laundering (AML) regulations, since any violation may be punishable by up to 15 years imprisonment.

Read our guide to learn everything you need to stay compliant and out of prison.

Who’s affected?

Institutions that are based in the Kingdom of Saudi Arabia and are engaged in one or more financial, commercial, or economic activities must adhere to the AML regulations. Such institutions may include:

Per the regulations, financial institutions must adopt a risk-based approach proportionate with the nature and size of their business.

Who’s the regulator?

There are multiple Saudi authoritative bodies that regulate fintech companies, including: 

  • The Ministry of Anti-Money Laundering founded by the Minister of Trade and Industry
  • The Saudi Arabian Monetary Agency
  • The Capital Markets Authority (CMA)
  • The Communications and Information Technology Commission (CITC)
  • The Saudi Central Bank (SAMA)
  • The Saudi Arabia Financial Intelligence Unit (SAFIU)

What are the main regulations?

Saudi Arabia has been a FATF member since June 2019, is part of the Middle East and North Africa Financial Action Task Force (MENAFATF), and has largely introduced FATF recommendations into its legislation.

According to the Mutual Evaluation Report of 2020, of the 40 FATF recommendations, Saudi Arabia was partially compliant with four, largely compliant with 17, and compliant with 19.

According to the 1st Enhanced Follow-up Report & Technical Compliance Re-Rating,
Saudi Arabia has made progress in addressing the technical compliance deficiencies identified in the 2018 MER concerning Recommendations 6 and 7,  which were previously rated as partially compliant. Saudi Arabia was eventually re-rated as largely compliant with respect to Recommendations 6 and 7.

The Kingdom also took steps to improve compliance with Recommendations 2, 18, and 21, but the FATF considered the efforts insufficient. As of today, Saudi Arabia remains largely compliant with Recommendations 2, 18, and 21.

Today, the FATF recommendations are reflected in the following AML laws:

  • The Saudi Arabia Anti-Money Laundering Law of 2003
  • The Implementing Regulations to the Anti-Money Laundering Law of 2017

The full list of Saudi AML regulations and laws can be found on the official website.

How to stay compliant

As mentioned earlier, financial institutions in Saudi Arabia are required to adopt a risk-based approach. 

This includes a Know Your Customer (KYC) assessment, proper due diligence measures towards potential customers, appointing a Money-Laundering Reporting Officer (MLRO), as well as transaction monitoring. Here’s a breakdown of each requirement:

Customer Due Diligence (CDD)

Per Saudi regulators, the following ID attributes are required to identify a natural person (i.e., individual):

  • Full Name
  • Address
  • Date and place of birth
  • Nationality

The following documents can be used to verify identity:

  • National Identification Card
  • Residence permit (Iqamah) or five-year special residence permit
  • Passport

The following documents can be used verify an address:

  • A utility bill (e.g., electricity or telephone bill) that is no older than three months and contains the user’s name and address
  • A bank statement that is no older than three months and contains the user’s name and address 

Enhanced Due Diligence (EDD)

Businesses are also required to rule out the possibility that a potential client is a Politically Exposed Person (PEP), holds a public office, or represents a higher risk of money laundering or terrorist financing. In such cases, businesses must apply more extensive due diligence measures, including:

  • ​​Obtaining and verifying information about the client’s job, activity, or profession
  • Identifying the customer’s source of funds before engaging in any business dealings 
  • Obtaining information regarding the customer’s size of assets and transactions
  • Conducting on-site visits to verify the nature of the customer’s business
  • Obtaining any additional documents or information to know the client 

If a high-risk client is identified, the financial institution must obtain approval from senior management before dealing with that client.

Record keeping

As part of AML/KYC compliance, businesses are required to retain the due diligence data on their clients for no less than ten years. If this information is processed, collected, and managed by a third party, businesses must collect all the necessary information from that third party.

Monitoring and following up on transactions and activities

According to Article 13 of the Anti-Money Laundering Law and Article 69 of the Law on Combating Terrorism Crimes and Financing, a financial institution is obligated to continuously monitor transactions, documents, and data to ensure that they are consistent with the information that the financial institution has about the customer or business relationship. 

The financial institution must also use appropriate technologies that enable it to monitor transactions and activities and detect any unusual or unexpected behavior from customers—manual monitoring is considered insufficient.

Suggested read: AML Transaction Monitoring Guide

The financial institution should also test its supervisory tools once a year to ensure that they are effective and adequate. Depending on the test results, which must be documented, companies may need to make improvements accordingly.

Reporting of suspicious transactions

Any suspicious transaction must be reported to the SAFIU. According to Saudi legislation, institutions must set up and document procedures for reporting suspicious transactions, and ensure that they are approved at the level of the board of directors.

The procedures may include: 

  • Internal procedures to be followed by the employees and senior officers in the event of suspicion of money laundering and terrorist financing (ML/TF)
  • Determining the employee or officer responsible for reporting to the SAFIU about suspicious transactions
  • Enacting a mechanism that allows employees to report suspicious activity to the responsible officer
  • Internal investigation procedures relating to suspicious cases
  • Establishing adequate measures for maintaining the confidentiality of reports and ensuring that customers are not alerted 

A technical report on reported cases must be submitted to the SAFIU and should include: 

  • The account statement or transactions carried out under the contract for a period of six months
  • Documents obtained to apply due diligence measures
  • An additional report examining the suspicious account or contract

The financial institution should also notify the Saudi Central Bank of any accounts, business relationships, or financial transactions involving the names included in the lists of UN Security Council Committees 2253/1989/1267 and 1988. The institution should also notify SAMA of business relationships involving the names included in the national list in implementation of the Security Council Resolution No. 1373.

Independent audit function

Financial institutions need to have their internal AML/CTF controls tested by an independent party to ensure that they are resilient to ML/TF risks and implemented effectively. The independent auditor should not be directly involved in any of the functions or measures audited.

The  auditor typically evaluates the appropriateness, adequacy, and effectiveness of the AML/CTF compliance program and related procedures at the level of the financial institution, documents the audit results, and sends these results to the board of directors for review and further action. Senior management is required to address any discovered weaknesses or deficiencies.

AML/CFT training

The financial institution should allocate a sufficient budget for anti-money laundering training to senior management and employees. The training must be based on real cases and discuss industry trends and new methods used in ML/TF transactions.

Appointing a Money-Laundering Compliance Officer

In order for the financial institution to implement the risk-based approach effectively, its board should set up appropriate arrangements at the level of the financial institution and appoint an officer (MLCO) to fulfill the AML/CTF compliance function.

Suggested read: Money Laundering Reporting Officer: The Role and Responsibilities

Penalties

Saudi Arabia has imposed severe penalties for money launderers:

  • A fine of up to 7 million riyals ($1.8 million)
  • Up to 15 years of imprisonment

A Saudi citizen convicted of money laundering will be banned from traveling outside the country for a period similar to that of a prison sentence. A non-Saudi convicted of money laundering would face deportation.

The penalty may be reduced if the criminal reports themselves to the authorities before the latter finds out. Leniency may likewise be granted if a criminal reports associates, and these reports lead to the arrest or seizure of funds, instrumentalities, or proceeds of the crime.

FAQ

  • What is money laundering in Saudi Arabia

    As stated in the Royal Decree No M/39, money laundering is committing or attempting to commit any act for the purpose of concealing or falsifying the true origin of funds acquired by means contrary to Shari’ah law, thus making them appear as if they came from a legitimate source.

  • What is KYC in Saudi Arabia?

    KYC, or “Know Your Customer”, includes a number of processes that support financial institutions in screening and verifying the identity of their customers during onboarding and periodic refresh phases.

  • Is Saudi Arabia a high-risk country?

    Yes. Although the FATF in its Mutual Evaluation report stated the country has strong and well-established AML/CFT measures in the financial sector, Saudi Arabia still faces a high risk of terrorism financing. The risks are linked to terrorism committed both within Saudi Arabia, and to countries experiencing conflicts within the region, including the presence of Al Qaeda, ISIS, and other terrorist groups.

See Sumsub in action