The Fraud and Compliance Guide for Saudi Fintechs

Saudi Arabia ranks among the lowest in global cybercrime incidents — but does that mean financial fraud isn’t a threat? Not quite.

‍

As cybercrime operations in this kingdom are projected to increase by 15% annually, and hit $10.5 trillion by 2025, even a modest share of that impact could cost Saudi Arabia tens of billions of riyals. That’s an estimated $3,000 per person in potential fraud-related losses — despite the Kingdom's comparatively lower fraud rate.

‍

The risks and complexities tied to fraud have been growing alongside digital banking booming — according to a research by Kumar and Yadav (2023), from 2024 to 2028, the adoption of online banking is Saudi is expected to rise by 16.7%. While no official loss figures have been publically disclosed for 2024, Saudi Arabia has rolled out a wave of anti-fraud initiatives in recent years — from launching its first Cyber Anti-Fraud Program to introducing new digital identity verification services for the financial sector. These evolving regulatory efforts point to a clear strategic priority: staying ahead of increasingly sophisticated fraud tactics.

‍

In this article, we break down:

The key regulators driving Saudi Arabia’s anti-fraud and AML efforts — namely SAMA and CMA, as well as other core stakeholders shaping the fintech compliance ecosystem.

Essential regulations that affect the day-to-day operations of banks and fintechs.

And finally, the gaps in the current fraud prevention landscape.

‍

“Based on investigations conducted by the Public Prosecution, no financial fraud crimes resulting from cyber system breaches have been recorded in the Kingdom, Al Wakid said, stating that all registered crimes were due to .” — Saudi Press Agency, 2024

‍

Regulators and Stakeholders in the Saudi Fintech Ecosystem

Saudi Arabia’s fight against financial fraud is driven by a network of regulators and ecosystem enablers, each playing a distinct role in maintaining trust, enforcing compliance, and enabling innovation.

‍

Saudi Payments Ecosystem Overview – SAMA, Fintech Saudi, and Digital Payment Infrastructure, recreated based on Saudi Arabia's Fintech Ecosystem, SAMA, Nov. 2023

‍

Saudi Central Bank (SAMA)

As the Kingdom’s financial regulator, SAMA oversees the core of Saudi Arabia’s financial system — from traditional banks to digital lenders, e-wallets, payment institutions, and credit bureaus.

‍

SAMA is also the force behind foundational frameworks like:

The Counter-Fraud Framework, which lays out prevention, detection, and response standards

The Cybersecurity Framework, ensuring resilience across digital infrastructure

The AML/CTF Guide, offering detailed compliance expectations for financial institutions

‍

Through these tools, SAMA sets the tone for how fraud should be addressed — emphasizing real-time monitoring, strong KYC/KYT standards, and proactive internal controls.

‍

Capital Market Authority (CMA)

While SAMA governs the banking and payments side, CMA regulates capital markets and investment-related fintechs, including:

Brokerages

Robo-advisory platforms

Asset managers and crowdfunding portals

‍

CMA’s role is critical as investment platforms grow in popularity — bringing with them new fraud typologies like pump-and-dump schemes, misleading financial promotions, or identity spoofing during onboarding.

‍

Saudi Payments

A subsidiary of SAMA, Saudi Payments operates the Kingdom’s critical financial rails:

Mada (domestic card network)

Sarie (instant payments)

Sadad (bill payment)

‍

It plays a behind-the-scenes but vital role in fraud mitigation, offering real-time transaction screening infrastructure and ensuring all payment flows comply with SAMA’s fraud and cybersecurity policies.

‍

Fintech Saudi

Launched by SAMA and CMA, Fintech Saudi isn’t a regulator, but it’s the beating heart of the Kingdom’s fintech innovation. It provides:

Regulatory sandbox support

Fintech accelerators and hackathons

Research, reports, and talent pipelines

‍

For fintechs navigating compliance and fraud risk in their early stages, Fintech Saudi acts as a bridge between innovators and regulators.

‍

Key Regulations That Shape Anti-Fraud Practices in Saudi Arabia

At the heart of Saudi Arabia’s fight against financial fraud is the Saudi Central Bank (SAMA) — not just as a supervisor, but as the primary policy architect. Most of the Kingdom’s foundational frameworks for fraud prevention, cybersecurity, and AML compliance originate from SAMA, and apply across banks, fintechs, payment providers, and finance companies.

Here’s a breakdown of the most relevant regulations:

1. SAMA’s Counter-Fraud Framework (2022)

This framework is a cornerstone document for structuring anti-fraud programs across financial institutions. It defines not only what controls are required, but how they should evolve over time based on maturity levels and changing threats.

‍

Institutions must align their fraud strategy with broader enterprise objectives — for example, every organization should have a Counter Fraud Governance Committee led by senior executives like CRO or COO to meet at least quarterly to monitor, review, or adjust their anti-fraud strategy and spending. The framework also mandates formal policies and procedures for fraud prevention, detection, and response, which must be accessible and regularly updated across all branches and subsidiaries, and making sure proper fraud detection system is in place for 24/7 monitoring.

View the full document 👉 https://rulebook.sama.gov.sa/en/counter-fraud-framework-0

‍

2. AML/CTF Law and Implementing Regulations

Issued through royal decree and overseen by SAMA and the Presidency of State Security, these regulations set the foundation for AML compliance. They introduce a risk-based approach to identifying and mitigating money laundering and terrorist financing risks.

‍

Institutions must implement customer due diligence (CDD) and enhanced due diligence (EDD) based on risk levels. Suspicious transaction reports (STRs) must be filed with SAFIU — the Saudi Financial Intelligence Unit, and if any suspicious transaction is detected, SAFIU has the authority to suspend the transaction for up to 72 hours upon receipt of the STR.

‍

Institutions are also required to monitor account activity on an ongoing basis, maintain audit trails, and apply national/international sanction lists — this requires continuous real-time screening against updated lists.

View the full document 👉 https://rulebook.sama.gov.sa/en/implementing-regulation-anti-money-laundering-law-0

‍

3. AML/CTF Guide (2019)

SAMA’s detailed guide operationalizes the AML Law. It outlines internal control expectations across governance, transaction monitoring, and employee training. One key regulation is that, institutions must establish a dedicated compliance unit with independent reporting lines, staffed by Saudi nationals and equipped with sufficient resources. An independent audit function is also required to regularly test AML/CTF controls and report separately from compliance. And conduct effective AML/CTF training programs for all level of staffs and assess them at least annually with official records.

‍

Notably, the guide provides detailed protocols for onboarding Politically Exposed Persons (PEPs), handling wire transfers, and relying on third-party CDD providers:

PEP Onboarding: Foreign PEPs are always high-risk and require enhanced due diligence — senior management approval, source of wealth checks, and ongoing monitoring.

Wire Transfers: Institutions must collect full sender/recipient details and verify the purpose; incomplete transfers must be refused. Data must be shareable with authorities within three working days.

Third-Party CDD: Reliance is allowed only if the third party is regulated, CDD data is immediately accessible, and the institution conducts annual capability reviews.

View the full document 👉 https://rulebook.sama.gov.sa/en/anti-money-laundering-and-counter-terrorism-financing-amlctf-guide

‍

4. Account Opening Rules (2022)

While technical in nature, this regulation has major implications for fraud prevention — especially in digital onboarding.

‍

It outlines document verification, ID expiry handling, and the types of permissible accounts by customer profile (e.g., foreign nationals, minors, charities). Crucially, it reinforces the application of KYC principles, mandates ongoing monitoring of customer behavior, and requires banks to invest in automated transaction monitoring systems, noting that manual methods are insufficient in today's threat landscape.

View the full document 👉 https://www.aml.gov.sa/en-us/Rules%20and%20Instructions/Rules%20for%20Bank%20Accounts%20(2022).pdf

‍

5. Financial Sector Cyber Threat Intelligence (CTI) Principles (2022)

Issued by SAMA, this framework guides how financial institutions collect, analyze, and share cyber threat intelligence to proactively counter cyber-enabled fraud.

It covers four key domains: strategic, operational, technical, and tactical intelligence. Institutions are expected to integrate CTI with fraud detection systems — linking indicators like device spoofing, phishing patterns, or credential abuse with real-time risk monitoring.

The regulation also mandates internal collaboration between CTI, cybersecurity, and fraud teams to break down silos and improve response times.

View the full document 👉 https://rulebook.sama.gov.sa/en/financial-sector-cyber-threat-intelligence-principles-0

‍

What’s Still Missing?

While Saudi Arabia has successfully avoided large-scale breaches of its tech infrastructure, recent statements from the Public Prosecution reveal a more subtle but growing threat:

‍

Most fraud cases aren’t just caused by system-wise data breaches — more often, they originate from the misuse of personal information. KYC helps verify identities at a point in time — but that alone isn’t enough. Just like the study by Kumar and Yadav (2023) points out, as fraud becomes more dynamic and behavior-driven, the real differentiator lies in how institutions implement and sustain their fraud prevention strategies across the entire customer journey.

‍

In practice, this means moving beyond one-time compliance activities to a continuous decisioning approach, where fraud risk is treated as a business-wide responsibility, not just a compliance function.

‍

The study ranks implementation quality as the most critical success factor — yet many organizations in the Kingdom still lack:

Structured and connected stakeholder involvement across fraud, compliance, and business teams.

Adaptive response frameworks that evolve with changing fraud tactics.

Real-world training and simulations tailored to local fraud patterns.

‍

To stay ahead, financial institutions — especially outside Tier 1 banks — must stop treating fraud prevention as a back-office control. The smarter players are now approaching it as a reputation-critical capability, one that can either build customer trust or quietly erode it over time.

‍

The next frontier in Saudi Arabia’s fraud defense strategy isn’t just about stronger verification. It’s about embedding intelligence, accountability, and adaptability into the daily operating rhythm of every digital bank and fintech platform. Because in today’s threat landscape, how you prevent fraud may matter just as much as whether you can detect it at all.

‍