
CMA Investment Operations in Saudi Arabia: Running a Regulated Investment Platform

The Capital Market Authority governs every investment product offered in Saudi Arabia — ETFs, wealth management, and fund operations. Here's what compliant investment operations actually look like from the inside.

By Ashraf Alhemiry, Business Operations Manager, Malaa Technologies · June 2026 · Riyadh, Saudi Arabia

The CMA: Saudi Arabia's investment regulator

In Saudi Arabia's fintech landscape, two regulators matter. SAMA (Saudi Central Bank) governs open banking — the infrastructure that connects users to their bank accounts. CMA (Capital Market Authority) governs investments — every product that manages, grows, or allocates user capital.

If a fintech wants to offer an ETF portfolio, a goal-based savings product, a robo-advisory service, or any form of fund management to Saudi users, it needs CMA authorisation. This is non-negotiable. The CMA's remit covers securities, investment funds, wealth management, portfolio management, and all capital market activities in the Kingdom.

I work at Malaa Technologies — Saudi Arabia's first open banking and investment platform. We operate under both regulators: SAMA for our bank connectivity layer, CMA for our investment products. Running compliant operations across both frameworks simultaneously is one of the defining operational challenges of our business.

CMA: Regulates all investment products in Saudi Arabia
68+: CMA Fintech Lab experimental permits issued (2026)
50+: Fintech companies in the CMA Fintech Lab

The CMA Fintech Lab: the path to investment authorisation

For fintech companies seeking to offer investment products in Saudi Arabia, the CMA Fintech Lab — also called the ExPermit programme — is the entry point. It allows companies to test investment products with real users under CMA supervision before receiving full authorisation.

The Fintech Lab is not a shortcut. It is a structured pathway that requires companies to demonstrate:

As of 2026, the CMA Fintech Lab has issued over 68 experimental permits covering robo-advisory, digital trading platforms, securities crowdfunding, AI-driven advisory, and goal-based investment products. This is not a small sandbox — it is an active, growing ecosystem of investment fintechs building under CMA oversight.

Key distinction: The CMA Fintech Lab covers investment products. SAMA's regulatory sandbox covers open banking and payments. A fintech offering both — like Malaa — must satisfy both programmes independently. There is no combined licence.

The two-regulator reality

One of the most common misconceptions about operating a fintech in Saudi Arabia is treating SAMA and CMA as alternatives or overlapping bodies. They are entirely separate, with distinct mandates, distinct teams, and distinct compliance requirements.

Regulator: SAMA
Saudi Central Bank. Regulates bank connectivity, payment initiation, open banking data sharing, and financial data infrastructure.

Regulator: CMA
Capital Market Authority. Regulates all investment products — ETFs, mutual funds, robo-advisory, wealth management, and securities trading.

At Malaa, the open banking layer — connecting users' Saudi bank accounts, reading financial data, and enabling payment flows — operates under SAMA's framework. The investment products we offer — Shariah-compliant ETF portfolios, goal-based investing, and wealth management tools — are regulated by the CMA. Two regulators, two compliance frameworks, one platform.

What CMA investment operations actually involves day-to-day

CMA authorisation is not a one-time event. It establishes ongoing operational obligations that shape every part of how an investment platform runs. Here is what that looks like in practice:

Client onboarding and KYC

Every investment user must go through a CMA-compliant onboarding process. This includes identity verification, suitability assessment (understanding the user's risk appetite and investment knowledge), and formal documentation of consent. The standard is higher than a typical bank account opening — because the CMA holds investment platforms to institutional-grade KYC requirements, even when operating a consumer app at scale.

Fund performance monitoring and reporting

CMA-regulated investment products require real-time monitoring of fund performance metrics: NAV (net asset value), returns, cashflow movements, and portfolio composition. Operations teams must track these continuously, generate regulatory reports on defined schedules, and flag anomalies immediately. At Malaa, I work with our data and product teams to build the dashboards and automated checks that make this possible at scale.

Capital adequacy and asset segregation

The CMA requires investment platforms to maintain defined capital thresholds and to segregate client assets from company assets at all times. Client money — money waiting to be invested, money in transit, dividends — must be held in separate, designated accounts. Operationally, this means building and auditing the treasury management processes that enforce this segregation daily.

Shariah compliance governance

Investment products in Saudi Arabia must comply with Islamic finance principles. For Malaa's CMA-regulated products, this means every fund, ETF, and investment instrument must be reviewed and approved by a Shariah supervisory board. Operationally, this adds a governance layer to every new product launch — legal review, Shariah board approval, documentation — and ongoing monitoring to ensure existing products remain compliant as market conditions change.

Regulatory reporting

The CMA requires regular formal reporting: on active users, assets under management, transaction volumes, incident reports, and compliance status. Building the operational processes to produce accurate, timely regulatory reports — and the internal controls to ensure the data behind them is trustworthy — is a significant ongoing responsibility for investment operations teams.

Why the CMA matters for Saudi Arabia's investment future

Saudi Arabia has one of the lowest investment participation rates in the world relative to its wealth. The vast majority of Saudi savings sit in current accounts or property — not in diversified investment portfolios. Vision 2030 explicitly targets changing this, with goals to grow the percentage of Saudis who invest and to deepen Saudi Arabia's capital markets.

The CMA is the regulatory architecture that makes this possible. By creating a clear, structured path for fintech companies to offer investment products — through the Fintech Lab, formal authorisation, and an evolving regulatory framework — the CMA is enabling a new generation of Saudi investors to access diversified, digital-first investment products for the first time.

The operational work required to deliver on this at a fintech level — running compliant, high-volume, digital-speed investment operations under the CMA framework — is demanding, detailed, and largely invisible to the users whose financial futures depend on it being done right.

Frequently asked questions

What does the CMA regulate in Saudi Arabia's fintech sector?
The CMA (Capital Market Authority) regulates all investment and capital market activities in Saudi Arabia — including ETF portfolios, mutual funds, wealth management products, robo-advisory services, and securities trading. Any fintech offering investment products to Saudi users requires CMA authorisation. SAMA separately regulates banking, payments, and open banking.

What is the difference between SAMA and CMA in Saudi Arabia?
SAMA (Saudi Central Bank) regulates open banking, payments, and bank connectivity. CMA (Capital Market Authority) regulates investment products. A platform that connects bank accounts (SAMA) and offers investment portfolios (CMA) must satisfy both regulators independently. There is no combined fintech licence covering both.

What is the CMA Fintech Lab?
The CMA Fintech Lab (ExPermit programme) is the CMA's regulatory sandbox for investment fintech. Companies receive a Financial Technology Experimental Permit to test investment products with real users under CMA supervision. As of 2026, the Lab has issued over 68 permits covering robo-advisory, digital trading, and AI-driven investment tools.

What operational requirements does the CMA impose on investment platforms?
CMA-regulated platforms must maintain capital adequacy thresholds, rigorous KYC and suitability assessments, client asset segregation, Shariah compliance for Islamic products, real-time fund performance reporting, and regular regulatory submissions. Every step of the investment lifecycle — onboarding, execution, settlement, reporting — must operate within CMA's governance framework.

How is CMA investment compliance different from SAMA open banking compliance?
SAMA open banking compliance focuses on data security, consent management, API standards, and bank connectivity. CMA investment compliance focuses on capital adequacy, fund governance, suitability assessment, client asset segregation, and Shariah compliance. Both require dedicated operational infrastructure — but the investment obligations under CMA are generally more complex and carry higher capital requirements.
