KYC in Saudi Arabia: more complex than it looks from the outside
To a user opening a fintech app, KYC feels like a few taps — scan your ID, take a selfie, answer some questions, done. From the operations side, those few taps trigger a compliance workflow that spans identity verification, government database checks, AML screening, and — for investment products — a formal suitability assessment mandated by the CMA.
I run operations at Malaa Technologies, Saudi Arabia's first open banking and investment platform regulated by both SAMA and the CMA. Our KYC and onboarding process must satisfy two separate regulators with different requirements, different risk frameworks, and different documentation standards. What follows is how that actually works.
The two KYC regimes in Saudi fintech
The first thing to understand about KYC at a Saudi fintech is that the requirements depend entirely on which regulatory framework governs your product:
SAMA-regulated products (open banking, payments, bank connectivity) require identity verification, consent capture, and AML/CFT screening. The standards are set by SAMA's Open Banking Framework and broader SAMA regulations on financial crime compliance.
CMA-regulated products (investment portfolios, wealth management, robo-advisory) require everything SAMA requires — plus a formal suitability assessment. The suitability assessment is a CMA mandate: before a user can invest a single riyal, the platform must document their financial situation, investment experience, risk appetite, and investment objectives.
A platform offering both — like Malaa — must conduct both levels of KYC. In practice, this means the SAMA layer activates during initial registration, and the CMA layer activates when the user first attempts to access investment features. Two regulators, two KYC standards, one onboarding journey.
Key point: SAMA KYC and CMA KYC are not interchangeable. Passing SAMA's requirements does not satisfy the CMA's suitability assessment obligation, and vice versa. Both must be completed and documented independently.
The digital KYC flow at a Saudi fintech: step by step
Here is what a complete onboarding flow looks like at a dual-regulated Saudi fintech:
National ID verification
Saudi nationals verify identity via their national ID card. Most platforms use OCR to capture ID data, then verify it against government records electronically via Absher or Nafath — Saudi Arabia's national digital identity infrastructure. This step confirms the user is who they claim to be and that their ID is valid and current.
Liveness check
A selfie or short video sequence confirms that the person presenting the ID is physically present — not a photo of a photo, a mask, or a deepfake. Liveness detection technology has become a standard component of Saudi fintech onboarding following SAMA guidance on digital identity verification.
AML screening
The user's name, ID number, and date of birth are checked against sanctions lists (UN, OFAC, local Saudi lists), politically exposed persons (PEP) databases, and adverse media sources. This step runs automatically in real time. Users who return a match — even a potential match — are flagged for manual review before their account is activated.
Risk classification
Based on the data collected — identity, AML result, geographic indicators, transaction type — the system assigns a risk classification (low, medium, high). Low-risk users proceed automatically. Medium-risk users may require additional questions. High-risk users go to enhanced due diligence — a deeper review of source of funds, source of wealth, and purpose of account.
Consent capture (SAMA)
For open banking features, the user provides explicit, granular consent for data access: which accounts, which data types, for how long. SAMA's Open Banking Framework requires this consent to be informed, specific, and revocable. The consent record must be stored and auditable.
Suitability assessment (CMA)
For investment features, the user completes a structured questionnaire covering their financial situation, investment experience, risk appetite, and investment objectives. The CMA mandates that this assessment is conducted, documented, and used to inform the products offered to the user. If the user's risk profile is "conservative," the platform should not offer them high-volatility products without additional disclosure.
The operations behind the flow
The user-facing flow above takes 5–10 minutes. The operations infrastructure that makes it work is considerably larger.
Exception management
Automated KYC does not work for every user. ID OCR fails on worn or damaged cards. Liveness checks fail in poor lighting. AML screening returns false positives — users with common names who share a name with a PEP. Each exception case requires a manual review process: a trained operations analyst who can evaluate the evidence, make a compliant determination, and document the decision.
At scale, exception management is a significant operational workload. The goal is not to eliminate exceptions — some will always exist — but to reduce the exception rate through better UX, better pre-validation, and better tooling, and to resolve exceptions quickly when they occur. A user stuck in a manual review queue for 72 hours is a user who may not complete onboarding at all.
AML monitoring after onboarding
KYC is not a one-time event. AML obligations continue throughout the customer lifecycle. Transaction monitoring systems flag unusual patterns — transactions inconsistent with the user's stated profile, sudden spikes in activity, transfers to high-risk jurisdictions. Flagged transactions go to a compliance review queue. Analysts assess whether the activity is explainable or requires escalation.
The CMA and SAMA both require documented AML frameworks that cover both onboarding screening and ongoing transaction monitoring. Operations teams must maintain these frameworks, train analysts, and produce periodic AML compliance reports for regulators.
Periodic KYC refresh
User information changes over time. The CMA's suitability assessment must be reviewed periodically — typically annually — to ensure the user's investment profile remains accurate. If a user's financial situation changes significantly (job loss, inheritance, major investment gain), a refresh of the suitability assessment should be triggered proactively rather than waiting for the annual cycle. Operations teams must build the workflows that identify when a refresh is due, prompt the user to complete it, and handle the edge cases when users don't respond.
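The scheduling logic behind a periodic refresh, as an added example that is not part of the original post and not Malaa's implementation. The annual cadence and the three life events come from the text; the 30-day reminder lead, the 30-day grace period, and the choice to suspend investment features when a user ignores the prompt are assumptions made here for illustration.

```python
"""Suitability refresh scheduling (constructed example; cadence from the post, the rest assumed)."""
from datetime import date, timedelta

REFRESH_INTERVAL = timedelta(days=365)     # "typically annually"
REMINDER_LEAD = timedelta(days=30)         # assumption: start prompting this long before the due date
GRACE_PERIOD = timedelta(days=30)          # assumption: how long features stay open after the due date
# Life events the post names as reasons to trigger a refresh early.
TRIGGER_EVENTS = {"job_loss", "inheritance", "major_investment_gain"}


def refresh_due_on(last_assessed, events):
    """Earliest of the annual anniversary and any qualifying life event after the last assessment.
    `events` is a list of (date, kind) pairs."""
    due = last_assessed + REFRESH_INTERVAL
    for when, kind in events:
        if kind in TRIGGER_EVENTS and last_assessed < when < due:
            due = when
    return due


def refresh_state(today, last_assessed, events):
    """'current': nothing to do. 'prompt': ask the user, features stay open.
    'restricted': no response past the grace period, so investment features are suspended
    until the profile is refreshed (a stale profile cannot justify the products offered).
    Suspension on non-response is a design choice assumed here, not something the post prescribes."""
    due = refresh_due_on(last_assessed, events)
    if today < due - REMINDER_LEAD:
        return "current"
    if today <= due + GRACE_PERIOD:
        return "prompt"
    return "restricted"


if __name__ == "__main__":
    last = date(2024, 1, 15)                                   # constructed sample dates
    print(refresh_state(date(2024, 6, 1), last, []))           # current
    print(refresh_state(date(2024, 6, 1), last, [(date(2024, 5, 1), "inheritance")]))  # restricted
```

The point of `refresh_due_on` returning the earliest trigger is that a life event does not add a second schedule; it simply pulls the existing due date forward, so the same prompt-and-grace workflow handles both cases.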
Data governance and audit trail
Every step of the KYC and onboarding process must produce a structured, auditable record. Regulators — both SAMA and CMA — may request documentation of any user's onboarding journey during an audit. Operations teams must ensure that the evidence is captured correctly, stored securely, retained for the required period (minimum five years for AML purposes), and retrievable quickly when needed.
Operations insight: The most common audit finding in KYC operations is not a missing check — it is a missing record of a check that was performed. Investing in documentation quality is as important as investing in the quality of the checks themselves.
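To make the two-layer flow from the step-by-step section and the audit-trail point above concrete, here is an added Python sketch. It is not Malaa's code and the post does not describe an implementation; it is an illustration written for this page. It assumes placeholder sanctions and PEP entries, a constructed fuzzy-match threshold and volume threshold, that provider results (Nafath verification, liveness score) arrive as inputs already obtained, and hash-chained records as one design choice for making the audit log tamper-evident. Every check writes a record whether it passes or fails, which is exactly what the audit finding in the insight above is about, and the CMA gate is deliberately a superset of the SAMA gate so that a SAMA pass never opens investment features on its own.

```python
"""Dual-regime onboarding pipeline with one audit record per check (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from difflib import SequenceMatcher
import hashlib
import json
import unicodedata

# Constructed screening lists with placeholder names. A real deployment loads UN, OFAC and
# local Saudi sanctions lists plus PEP data from a licensed provider and refreshes them.
SANCTIONS = {"sample sanctioned person"}
PEPS = {"sample exposed person"}
HIGH_RISK_COUNTRIES = {"ZZ"}                     # placeholder code, not a real designation
FUZZY_THRESHOLD = 0.85                           # assumption: near-match ratio held for manual review
SAMA_CHECKS = ("id_verification", "liveness", "aml_screening", "risk_classification", "consent")
CMA_CHECKS = SAMA_CHECKS + ("suitability",)     # CMA layer = SAMA layer plus suitability
VOLATILITY = {"low": 1, "medium": 2, "high": 3}
MAX_VOLATILITY = {"conservative": 1, "balanced": 2, "aggressive": 3}

def normalize_name(name):
    """Fold case, diacritics and hyphens so Latin transliteration variants compare equal
    (Arabic-script names would need a transliteration step first, not shown here)."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(folded.lower().replace("-", " ").split())

def aml_screen(name):
    """'match' / 'potential_match' / 'clear'. Near-matches are never auto-cleared; they are
    held for manual review, which is where common-name false positives get resolved."""
    n = normalize_name(name)
    if n in SANCTIONS:
        return "match"
    for listed in SANCTIONS | PEPS:
        if listed == n or SequenceMatcher(None, n, listed).ratio() >= FUZZY_THRESHOLD:
            return "potential_match"
    return "clear"

def classify_risk(aml, country, expected_monthly_sar):
    """Low-risk users proceed automatically; high-risk users wait for enhanced due diligence."""
    if aml != "clear" or country in HIGH_RISK_COUNTRIES:
        return "high"
    return "medium" if expected_monthly_sar > 50_000 else "low"   # constructed threshold

@dataclass
class AuditTrail:
    """Append-only, hash-chained log: every check leaves a record whether it passed or not,
    so an auditor can see that the check ran, not merely that the account was activated."""
    entries: list = field(default_factory=list)

    def record(self, user_id, check, passed, evidence):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"user_id": user_id, "check": check, "passed": passed, "evidence": evidence,
                 "at": datetime.now(timezone.utc).isoformat(), "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """Recompute every hash; an edited or dropped record breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != hashlib.sha256(
                    json.dumps(body, sort_keys=True).encode()).hexdigest():
                return False
            prev = e["hash"]
        return True

    def status(self, user_id):
        return {e["check"]: e["passed"] for e in self.entries if e["user_id"] == user_id}

def register(trail, user):
    """SAMA layer at registration. Provider results (Nafath, liveness vendor) arrive in the
    user dict; this function records them and makes the gating decisions. Returns the tier."""
    uid = user["id"]
    trail.record(uid, "id_verification", user["nafath_verified"], {"source": "nafath"})
    trail.record(uid, "liveness", user["liveness_passed"], {"score": user["liveness_score"]})
    aml = aml_screen(user["name"])
    trail.record(uid, "aml_screening", aml == "clear", {"result": aml, "manual_review": aml != "clear"})
    tier = classify_risk(aml, user["country"], user["expected_monthly_sar"])
    trail.record(uid, "risk_classification", tier != "high", {"tier": tier})
    scopes = user["consent_scopes"]                  # granular: which data, for how long
    trail.record(uid, "consent", bool(scopes), {"scopes": scopes, "expires": user["consent_expiry"]})
    return tier

def assess_suitability(trail, user_id, answers):
    """CMA layer, run when the user first opens investment features. Returns the risk profile."""
    complete = all(answers.get(f) for f in ("financial_situation", "experience", "risk_appetite", "objectives"))
    trail.record(user_id, "suitability", complete, {"answers": answers})
    return answers.get("risk_appetite")

def gate(trail, user_id, required):
    """Open a feature only when every required check has a record and it passed.
    A SAMA pass alone never satisfies CMA_CHECKS."""
    s = trail.status(user_id)
    return all(s.get(c) is True for c in required)

def product_allowed(profile, product_volatility, disclosure_acknowledged=False):
    """A conservative profile is not offered high-volatility products without extra disclosure."""
    return VOLATILITY[product_volatility] <= MAX_VOLATILITY[profile] or disclosure_acknowledged
```

Two design points are worth noting. `gate` treats a missing record and a failed record the same way (`s.get(c) is True`), so an account can never be activated because a check was skipped; and `aml_screen` only ever returns `clear` on a confident non-match, so a near-match from a common name routes to an analyst rather than being resolved by the threshold alone.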
What makes Saudi Arabia's KYC environment distinctive
Saudi Arabia has some advantages that make digital KYC unusually powerful here. The national digital identity infrastructure — Absher, Nafath, and the NID database — allows Saudi fintechs to verify identity with a high degree of confidence in seconds. The penetration of the Absher app (used by virtually all Saudi adults to manage government services) means that identity verification tied to government records is an expectation, not a novelty.
At the same time, Saudi Arabia's KYC environment is demanding in ways that simpler markets are not. The dual regulatory framework (SAMA and CMA) means a single onboarding flow must satisfy two distinct sets of requirements. The AML environment is sophisticated — Saudi Arabia is an active FATF member with stringent anti-financial-crime expectations. And the Shariah compliance dimension means that investment product onboarding must include not just suitability assessment but also appropriate disclosure of the Islamic finance principles governing the products.
Getting all of this right — in a 5-minute mobile flow, for hundreds of thousands of users — is one of the defining operational challenges of running a regulated Saudi fintech.
Frequently asked questions
What are the KYC requirements for fintech companies in Saudi Arabia?
How does digital KYC work at a Saudi fintech?
What is the difference between KYC for SAMA and CMA products in Saudi Arabia?
What AML obligations apply to Saudi fintechs during onboarding?
How long does KYC onboarding take at a Saudi fintech?
Scaling KYC operations at a Saudi fintech?
I'm available for conversations about KYC design, AML frameworks, and building compliant onboarding at a regulated Saudi platform.