A quick guide to Saudi Arabia’s fintech regulatory landscape—covering fraud, AML, and cybersecurity roles across SAMA, CMA, and other key players.
June 3, 2025
7 minutes
Yuqi Chen
Saudi Arabia ranks among the lowest in global cybercrime incidents — but does that mean financial fraud isn’t a threat? Not quite.
As cybercrime operations in the Kingdom are projected to increase by 15% annually and hit $10.5 trillion by 2025, even a modest share of that impact could cost Saudi Arabia tens of billions of riyals. That’s an estimated $3,000 per person in potential fraud-related losses — despite the Kingdom's comparatively lower fraud rate.
The risks and complexities tied to fraud have been growing alongside the boom in digital banking — according to research by Kumar and Yadav (2023), the adoption of online banking in Saudi Arabia is expected to rise by 16.7% from 2024 to 2028. While no official loss figures have been publicly disclosed for 2024, Saudi Arabia has rolled out a wave of anti-fraud initiatives in recent years — from launching its first Cyber Anti-Fraud Program to introducing new digital identity verification services for the financial sector. These evolving regulatory efforts point to a clear strategic priority: staying ahead of increasingly sophisticated fraud tactics.
In this article, we break down:
“Based on investigations conducted by the Public Prosecution, no financial fraud crimes resulting from cyber system breaches have been recorded in the Kingdom, Al Wakid said, stating that all registered crimes were due to .” — Saudi Press Agency, 2024
Saudi Arabia’s fight against financial fraud is driven by a network of regulators and ecosystem enablers, each playing a distinct role in maintaining trust, enforcing compliance, and enabling innovation.
As the Kingdom’s financial regulator, SAMA oversees the core of Saudi Arabia’s financial system — from traditional banks to digital lenders, e-wallets, payment institutions, and credit bureaus.
SAMA is also the force behind foundational frameworks like:
Through these tools, SAMA sets the tone for how fraud should be addressed — emphasizing real-time monitoring, strong KYC/KYT standards, and proactive internal controls.
While SAMA governs the banking and payments side, CMA regulates capital markets and investment-related fintechs, including:
CMA’s role is critical as investment platforms grow in popularity — bringing with them new fraud typologies like pump-and-dump schemes, misleading financial promotions, or identity spoofing during onboarding.
A subsidiary of SAMA, Saudi Payments operates the Kingdom’s critical financial rails:
It plays a behind-the-scenes but vital role in fraud mitigation, offering real-time transaction screening infrastructure and ensuring all payment flows comply with SAMA’s fraud and cybersecurity policies.
Launched by SAMA and CMA, Fintech Saudi isn’t a regulator, but it’s the beating heart of the Kingdom’s fintech innovation. It provides:
For fintechs navigating compliance and fraud risk in their early stages, Fintech Saudi acts as a bridge between innovators and regulators.
At the heart of Saudi Arabia’s fight against financial fraud is the Saudi Central Bank (SAMA) — not just as a supervisor, but as the primary policy architect. Most of the Kingdom’s foundational frameworks for fraud prevention, cybersecurity, and AML compliance originate from SAMA, and apply across banks, fintechs, payment providers, and finance companies.
Here’s a breakdown of the most relevant regulations:
This framework is a cornerstone document for structuring anti-fraud programs across financial institutions. It defines not only what controls are required, but how they should evolve over time based on maturity levels and changing threats.
Institutions must align their fraud strategy with broader enterprise objectives — for example, every organization should have a Counter Fraud Governance Committee, led by senior executives such as the CRO or COO, that meets at least quarterly to monitor, review, or adjust its anti-fraud strategy and spending. The framework also mandates formal policies and procedures for fraud prevention, detection, and response, which must be accessible and regularly updated across all branches and subsidiaries, and requires a proper fraud detection system to be in place for 24/7 monitoring.
View the full document 👉 https://rulebook.sama.gov.sa/en/counter-fraud-framework-0
Issued through royal decree and overseen by SAMA and the Presidency of State Security, these regulations set the foundation for AML compliance. They introduce a risk-based approach to identifying and mitigating money laundering and terrorist financing risks.
Institutions must implement customer due diligence (CDD) and enhanced due diligence (EDD) based on risk levels. Suspicious transaction reports (STRs) must be filed with SAFIU, the Saudi Financial Intelligence Unit. If any suspicious transaction is detected, SAFIU has the authority to suspend the transaction for up to 72 hours upon receipt of the STR.
Institutions are also required to monitor account activity on an ongoing basis, maintain audit trails, and apply national/international sanction lists — this requires continuous real-time screening against updated lists.
View the full document 👉 https://rulebook.sama.gov.sa/en/implementing-regulation-anti-money-laundering-law-0
SAMA’s detailed guide operationalizes the AML Law. It outlines internal control expectations across governance, transaction monitoring, and employee training. One key requirement is that institutions must establish a dedicated compliance unit with independent reporting lines, staffed by Saudi nationals and equipped with sufficient resources. An independent audit function is also required to regularly test AML/CTF controls and report separately from compliance. Institutions must also conduct effective AML/CTF training programs for staff at all levels and assess them at least annually, keeping official records.
Notably, the guide provides detailed protocols for onboarding Politically Exposed Persons (PEPs), handling wire transfers, and relying on third-party CDD providers:
View the full document 👉 https://rulebook.sama.gov.sa/en/anti-money-laundering-and-counter-terrorism-financing-amlctf-guide
While technical in nature, this regulation has major implications for fraud prevention — especially in digital onboarding.
It outlines document verification, ID expiry handling, and the types of permissible accounts by customer profile (e.g., foreign nationals, minors, charities). Crucially, it reinforces the application of KYC principles, mandates ongoing monitoring of customer behavior, and requires banks to invest in automated transaction monitoring systems, noting that manual methods are insufficient in today's threat landscape.
View the full document 👉 https://www.aml.gov.sa/en-us/Rules%20and%20Instructions/Rules%20for%20Bank%20Accounts%20(2022).pdf
Issued by SAMA, this framework guides how financial institutions collect, analyze, and share cyber threat intelligence to proactively counter cyber-enabled fraud.
It covers four key domains: strategic, operational, technical, and tactical intelligence. Institutions are expected to integrate CTI with fraud detection systems — linking indicators like device spoofing, phishing patterns, or credential abuse with real-time risk monitoring.
The regulation also mandates internal collaboration between CTI, cybersecurity, and fraud teams to break down silos and improve response times.
View the full document 👉 https://rulebook.sama.gov.sa/en/financial-sector-cyber-threat-intelligence-principles-0
While Saudi Arabia has successfully avoided large-scale breaches of its tech infrastructure, recent statements from the Public Prosecution reveal a more subtle but growing threat:
Most fraud cases aren’t just caused by system-level data breaches — more often, they originate from the misuse of personal information. KYC helps verify identities at a point in time — but that alone isn’t enough. As the study by Kumar and Yadav (2023) points out, as fraud becomes more dynamic and behavior-driven, the real differentiator lies in how institutions implement and sustain their fraud prevention strategies across the entire customer journey.
In practice, this means moving beyond one-time compliance activities to a continuous decisioning approach, where fraud risk is treated as a business-wide responsibility, not just a compliance function.
The study ranks implementation quality as the most critical success factor — yet many organizations in the Kingdom still lack:
To stay ahead, financial institutions — especially outside Tier 1 banks — must stop treating fraud prevention as a back-office control. The smarter players are now approaching it as a reputation-critical capability, one that can either build customer trust or quietly erode it over time.
The next frontier in Saudi Arabia’s fraud defense strategy isn’t just about stronger verification. It’s about embedding intelligence, accountability, and adaptability into the daily operating rhythm of every digital bank and fintech platform. Because in today’s threat landscape, how you prevent fraud may matter just as much as whether you can detect it at all.