Who needs a CMA license in Saudi Arabia
The Capital Market Authority (CMA) regulates all investment and capital market activities in Saudi Arabia. If your fintech touches any of the following, you need CMA authorization before going live:
- Robo-advisory — algorithmically allocating user capital into investment portfolios
- Digital wealth management — managing user investments on a discretionary or advisory basis
- Investment fund management — establishing, managing, or distributing investment funds in Saudi Arabia
- ETF platforms — enabling users to buy or sell exchange-traded funds
- Portfolio management services — managing client portfolios on a managed or advisory basis
- Securities dealing — executing buy and sell orders in capital market instruments
This is the CMA's domain, not SAMA's. SAMA governs banking, payments, and open banking. The moment a fintech product involves allocating, managing, or advising on capital — regardless of how the user experience is designed — it requires CMA authorization.
Critical distinction: A fintech that connects bank accounts (SAMA) and also offers investment portfolios (CMA) must obtain both authorizations independently. There is no unified Saudi fintech license that covers both regulators. Planning for a dual-regulator structure from day one is essential.
The CMA Fintech Lab: the primary pathway for new investment fintechs
For most new investment fintechs in Saudi Arabia, the CMA Fintech Lab — formally the ExPermit programme — is the entry point. It was created specifically to allow fintech companies to test investment products in a live environment under CMA supervision, before going through the full authorization process.
The Fintech Lab grants a Financial Technology Experimental Permit (ExPermit), which allows the company to operate with real users, real money, and real regulatory oversight — within defined limits — while the CMA assesses whether the company is ready for full authorization.
As of 2026, the CMA Fintech Lab has issued over 68 experimental permits. Companies in the lab are testing products across robo-advisory, digital fund distribution, AI-driven investment advice, securities crowdfunding, and goal-based investing. The lab is an active, growing ecosystem — not a token regulatory gesture.
The CMA licensing pathway: phase by phase
Pre-application and preparation (2–6 months)
Before submitting to the CMA Fintech Lab, companies must build the substance that supports the application. This means: defining the product scope precisely, assembling the governance and compliance documentation, demonstrating technical readiness, and ensuring minimum capital requirements are met. The CMA reviews applications critically — a weak application is not an invitation to iterate; it is a rejection.
CMA Fintech Lab application (3–6 months review)
The formal ExPermit application is submitted to the CMA. The application must include: a detailed business plan, a product description and user journey, a technology and security assessment, a governance framework, an AML/CFT policy, and evidence of capital adequacy. The CMA reviews applications in cohorts and may request additional information or meetings before making a decision. Successful applicants receive an ExPermit and defined operating conditions.
Sandbox operation under ExPermit (12–24 months)
During the ExPermit phase, the company operates under active CMA oversight. This includes regular progress reporting, defined user and AUM limits, compliance reporting, and incident disclosure. The sandbox is not a free pass — it carries the same substantive obligations as full operation, with the additional burden of demonstrating ongoing improvement toward full authorization readiness.
Full CMA authorization application (6–12 months)
After successfully completing the sandbox phase, companies apply for full CMA authorization. This is the formal Capital Market Institutions Authorization application. It requires a comprehensive compliance record from the sandbox period, full governance documentation, audited financials, and demonstrated operational readiness. Companies that operated cleanly during the sandbox have a materially faster path through full authorization.
Ongoing compliance as a CMA-authorized entity
CMA authorization is not a certificate — it is an ongoing relationship. Authorized entities must maintain capital adequacy, submit periodic regulatory reports, maintain an approved compliance function, disclose material incidents, and seek CMA approval for significant product or business changes. Operations teams are responsible for maintaining this compliance infrastructure continuously.
What the CMA looks for in a Fintech Lab application
The CMA Fintech Lab is selective. Not every application is accepted. Based on the profile of companies that have successfully entered the lab and progressed to full authorization, the CMA appears to weight the following factors heavily:
Product innovation and genuine user value
The ExPermit is designed for products that are genuinely new — that expand what's available to Saudi investors, not just replicate existing services in a different interface. Applications that can articulate a clear, specific gap they are filling in the Saudi investment market are better received than applications that describe a "better version" of something that already exists.
Governance and compliance infrastructure
The CMA is an investment regulator. Its primary concern is that authorized entities protect client assets, manage conflicts of interest, and operate with institutional-grade governance. Applications that arrive with a credible compliance framework — not a placeholder — are taken more seriously. This means a defined compliance function, an AML policy with substance, a risk management framework, and evidence that the team has thought through the operational risks of running an investment platform.
Technology and security readiness
Investment platforms handle user capital. The CMA expects technology infrastructure that is robust, secure, and resilient. Applications should include a technology architecture overview, a data security assessment, and business continuity / disaster recovery planning. Startups that treat the tech documentation as a formality to complete after the real work lose credibility quickly.
Capital adequacy
The CMA requires applicants to demonstrate sufficient capital to absorb operational risk and protect client assets. The specific thresholds depend on the type of authorization sought. Companies entering the Fintech Lab face lower initial capital requirements during the sandbox phase, but must demonstrate a clear path to meeting full authorization capital requirements. Undercapitalized applications are not competitive.
Team quality and relevant experience
The CMA assesses the people behind the application. Key personnel — particularly the compliance officer, risk manager, and senior operations leads — must demonstrate relevant experience in regulated financial services. A founding team of engineers with no investment or compliance experience will face much harder scrutiny than a team that includes people who have operated under the CMA or equivalent regulators before.
Operations insight: The single most common reason for Fintech Lab application delays is governance documentation that is structurally present but operationally empty — policies that describe what the company intends to do rather than what it has actually built. The CMA can tell the difference. Build the infrastructure first; document what exists, not what you plan to create.
What operations teams must prepare for the CMA application
Building the application documentation is one part of the preparation. Building the underlying operational infrastructure that the documentation describes is the harder part. Key operational readiness requirements include:
KYC and AML infrastructure
The CMA requires a documented, operational KYC/AML framework — not a policy document, but a working system that conducts identity verification, AML screening, risk classification, and suitability assessment for every new user. This system must be in place and demonstrable before the application, not planned for after ExPermit approval.
Client asset segregation
Client money must be segregated from company money at all times. This means separate bank accounts, defined treasury management processes, and a reconciliation process that confirms segregation daily. The CMA will ask how client assets are protected in a scenario where the company becomes insolvent. The answer must be a real structural protection, not a promise.
Regulatory reporting capability
During the sandbox phase and after full authorization, the CMA requires regular formal reporting: user metrics, AUM, transaction volumes, incident reports, and compliance status. Operations teams must build the data infrastructure and processes to produce these reports accurately and on time from day one of ExPermit operations.
Shariah compliance governance
Investment products offered to Saudi users must comply with Islamic finance principles. For CMA-regulated investment platforms, this means establishing a Shariah supervisory board — or engaging an approved Shariah advisory firm — to review and certify the investable universe, monitor ongoing compliance, and approve new product additions. This governance structure must be in place before the investment product launches under ExPermit.
SAMA licensing: if you need both
Many investment fintechs also want to offer open banking features — connecting users' Saudi bank accounts to give them a complete financial picture alongside their investment portfolio. This requires a separate SAMA license or framework participation under SAMA's Open Banking Framework.
SAMA and CMA authorizations run in parallel. There is no combined application process, no shared regulatory pathway, and no timeline advantage from applying to both simultaneously or sequentially. Each regulator assesses the application independently.
At Malaa Technologies, we operate under both frameworks. Managing two separate regulatory relationships — two sets of compliance obligations, two reporting cycles, two teams of regulatory contacts — is a significant operational commitment. It is also what enables a product that connects Saudi users' bank accounts to their investment portfolios in a way that no single-license platform can.
Common mistakes in CMA applications
From the perspective of someone who has navigated this process, the most common operational mistakes in CMA Fintech Lab applications fall into a few patterns:
Submitting too early. The application should reflect what exists, not what is planned. A company that submits before its compliance infrastructure, capital position, and governance structure are genuinely in place wastes time and erodes credibility with the regulator.
Underestimating the compliance function. The compliance role at a CMA-regulated entity is a senior, substantive role — not a title given to a junior team member to satisfy a checkbox. The CMA assesses the compliance officer's experience and authority within the organization. A compliance function without real teeth is a red flag.
Treating capital as a one-time requirement. Capital adequacy is not just an application requirement — it is an ongoing obligation. Companies that hit their capital minimums at application time and then watch them erode as the business spends through the sandbox phase create serious regulatory risk. Capital planning must extend through the full licensing timeline.
Ignoring the Shariah layer. For investment products targeting Saudi users, Shariah compliance is a regulatory expectation, not an optional feature. Applications that address Shariah governance superficially are not competitive. Engage with an established Shariah advisory firm early and make their involvement substantive from the start.
Frequently asked questions
What is the CMA license and who needs it in Saudi Arabia?
What is the CMA Fintech Lab and how does it work?
What are the capital requirements for a CMA license in Saudi Arabia?
How long does it take to get a CMA license in Saudi Arabia?
What is the difference between CMA authorization and SAMA licensing in Saudi Arabia?
Navigating CMA licensing for an investment fintech?
I'm available for conversations about CMA authorization, investment operations, and building regulated fintech products in Saudi Arabia.