Why robo-advisory is one of the fastest-growing fintech categories in Saudi Arabia
Saudi Arabia is an unusual market for automated investing. On one hand, it has the highest smartphone penetration in the GCC, a median age under 30, and a population that increasingly manages its finances digitally. On the other hand, investment participation has historically been low — most Saudi savings sit in current accounts, not diversified portfolios. Vision 2030's financial inclusion goals explicitly target changing this.
Robo-advisory sits at the intersection of both realities: a digital-first product that can make investing accessible to a population that has never invested before. The result is explosive growth. Saudi Arabia's robo-advisory sector now manages over SAR 5.4 billion in assets under management, with active portfolios growing at roughly 90% year-on-year.
I've worked inside this ecosystem at Malaa Technologies — Saudi Arabia's first open banking and investment platform — running operations across both our CMA-regulated investment layer and our SAMA-regulated open banking infrastructure. What follows is what the operational reality of building and running a robo-advisory platform in Saudi Arabia actually looks like.
Who regulates robo-advisory in Saudi Arabia: CMA, not SAMA
This is the single most important thing to understand about building a robo-advisory product in Saudi Arabia: robo-advisory is a CMA product, not a SAMA product.
SAMA (Saudi Central Bank) regulates banking and payments — including open banking, which allows fintech apps to securely read users' bank data and initiate payments. But the moment you start automatically allocating user capital into investment products — ETFs, funds, any portfolio — you are in CMA territory.
The CMA (Capital Market Authority) regulates all investment and capital market activities in the Kingdom. Robo-advisory, by definition, involves managing user capital. That requires CMA authorisation regardless of how automated, lightweight, or fintech-friendly your product appears.
Common misconception: Some founders assume that wrapping an investment product in a banking-style UX or open banking flow makes it a SAMA product. It does not. If you are allocating user capital into investment instruments, the CMA governs that product. The user experience layer does not change the regulatory classification.
The CMA Fintech Lab: the entry point for new robo-advisory platforms
For a new fintech wanting to launch a robo-advisory product, the CMA Fintech Lab — formally the ExPermit programme — is the primary pathway. It grants a Financial Technology Experimental Permit (ExPermit) that allows live testing with real users under CMA supervision, before full authorisation.
As of 2026, the CMA Fintech Lab has issued permits for robo-advisory products, AI-driven investment tools, digital portfolio management, and goal-based investing. Getting in requires demonstrating:
- A product with genuine user value and a credible market case
- Technical infrastructure that meets CMA data security and operational requirements
- Capital adequacy — the CMA wants to see you can absorb operational risk
- A defined service scope: exactly what you will and will not do for users
- A governance structure — who is responsible for compliance, risk, and operations
The ExPermit phase is not a soft entry. It includes active CMA oversight, reporting obligations, and defined user limits. Companies that successfully graduate from the Fintech Lab apply for full CMA authorisation to operate without restrictions.
The five operational pillars of a robo-advisory platform in Saudi Arabia
Running a robo-advisory operation at scale means maintaining five distinct operational domains simultaneously. Each is non-trivial. None can be deprioritised without creating regulatory or product risk.
1. Portfolio algorithm governance
The "robo" in robo-advisory is the algorithm that decides how user capital is allocated across asset classes — typically a mix of local and global ETFs, weighted by the user's risk profile and investment goal. But the algorithm is not a set-and-forget system. It requires ongoing governance: backtesting new market scenarios, rebalancing logic that executes cleanly under market volatility, drift threshold monitoring, and documentation of every change to the algorithm's logic.
From a CMA compliance standpoint, any change to the core allocation methodology must be documented and defensible. Operations teams need clear processes for who approves algorithm changes, how they are tested before deployment, and how they are communicated to users and the regulator.
2. Trade execution and settlement
Every time a user deposits, withdraws, or triggers a rebalance, the platform must execute actual trades — typically buying or selling ETF units through a CMA-licensed broker. At scale, this means managing thousands of daily trade instructions with:
- Accurate order routing to the broker
- Settlement reconciliation — matching executed trades to user portfolio records
- Failed trade handling — detecting and resolving execution failures before they become client-facing errors
- End-of-day positions reconciliation against broker records
At Malaa, the settlement and reconciliation layer is one of the most operationally intensive parts of the investment infrastructure. It is also one of the highest-risk: a reconciliation failure means user portfolios may show incorrect balances, which triggers both user complaints and regulatory reporting obligations.
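The checks listed above (settlement reconciliation, failed trade detection, end-of-day positions reconciliation) can be sketched as follows. This is an added example, not Malaa's code or part of the original article; the field names, symbols, tolerance parameter and sample records are all constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data; field names and symbols are illustrative assumptions.
INSTRUCTIONS = [  # orders the platform sent to the broker today
    {"order_id": "O-1", "symbol": "ETF_A", "side": "BUY", "units": "10"},
    {"order_id": "O-2", "symbol": "ETF_A", "side": "BUY", "units": "5"},
    {"order_id": "O-3", "symbol": "ETF_B", "side": "SELL", "units": "4"},
    {"order_id": "O-4", "symbol": "ETF_B", "side": "BUY", "units": "7"},
]
FILLS = [  # executions the broker reports
    {"order_id": "O-1", "symbol": "ETF_A", "side": "BUY", "units": "10"},
    {"order_id": "O-2", "symbol": "ETF_A", "side": "BUY", "units": "4"},  # short fill
    {"order_id": "O-3", "symbol": "ETF_B", "side": "SELL", "units": "4"},
    {"order_id": "O-9", "symbol": "ETF_B", "side": "BUY", "units": "1"},  # never sent
]
HOLDINGS = {("u1", "ETF_A"): "10", ("u2", "ETF_A"): "5", ("u1", "ETF_B"): "6"}
BROKER_EOD = {"ETF_A": "14", "ETF_B": "6"}  # broker's end-of-day omnibus position

def match_trades(instructions, fills):
    """Return (order_id, reason) for every order that did not settle as instructed."""
    sent = {i["order_id"]: i for i in instructions}
    done = {f["order_id"]: f for f in fills}
    breaks = []
    for oid, ins in sent.items():
        fill = done.get(oid)
        if fill is None:
            breaks.append((oid, "FAILED_OR_MISSING"))
        elif (fill["symbol"], fill["side"]) != (ins["symbol"], ins["side"]):
            breaks.append((oid, "WRONG_INSTRUMENT_OR_SIDE"))
        elif Decimal(fill["units"]) != Decimal(ins["units"]):
            breaks.append((oid, "QUANTITY_MISMATCH"))
    # Fills with no matching instruction are breaks too, not noise to ignore.
    breaks += [(oid, "UNEXPECTED_FILL") for oid in done if oid not in sent]
    return sorted(breaks)

def position_breaks(user_holdings, broker_positions, tolerance=Decimal("0")):
    """Sum user holdings per symbol and return ledger-minus-broker differences."""
    ledger = defaultdict(Decimal)
    for (_user, symbol), units in user_holdings.items():
        ledger[symbol] += Decimal(units)
    out = {}
    for symbol in set(ledger) | set(broker_positions):
        diff = ledger[symbol] - Decimal(broker_positions.get(symbol, "0"))
        if abs(diff) > tolerance:
            out[symbol] = diff  # positive: users are shown units the broker lacks
    return out

if __name__ == "__main__":
    print(match_trades(INSTRUCTIONS, FILLS))
    print(position_breaks(HOLDINGS, BROKER_EOD))
```

Units are parsed as `Decimal` rather than `float` so that fractional ETF units compare exactly and a real break is never hidden by rounding.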
3. KYC, suitability assessment, and CMA-compliant onboarding
Every investment user must complete a CMA-compliant onboarding process before a single riyal is allocated. This goes beyond identity verification. The CMA requires a formal suitability assessment — a structured process that establishes the user's:
- Financial situation and investment experience
- Risk tolerance and investment objectives
- Time horizon for investment
- Understanding of the risks involved
The suitability assessment result must be documented, stored, and reviewed periodically. If a user's profile changes significantly, the platform must reassess suitability before recommending new products. Operationally, this means the onboarding flow must capture meaningful data — not just check a box — and the backend must maintain a structured record that satisfies CMA audit requirements.
4. Shariah compliance governance
All investment products offered to Saudi users must comply with Islamic finance principles. For a robo-advisory platform, this means every ETF and fund in the investable universe must be screened for Shariah compliance — which includes screening both the underlying companies (no interest-based revenues, no prohibited sectors) and the income distributed (no riba).
This is not a one-time filter. It is an ongoing governance process: the Shariah supervisory board must approve the initial investable universe, monitor it for compliance drift as underlying companies change, and approve any new instruments added to the portfolio. Operationally, this adds a governance gate to every new ETF or fund the investment team wants to include — and requires periodic re-screening of existing holdings.
5. Regulatory reporting and client asset segregation
CMA-regulated platforms must segregate client assets from company assets at all times. This is not just an accounting convention — it is a structural requirement enforced through treasury management processes that operations teams must actively maintain and audit.
Alongside segregation, the CMA requires periodic regulatory reporting: assets under management by product, user activity metrics, transaction volumes, incident reports, and compliance status updates. Building the operational infrastructure to produce accurate, timely regulatory reports is a significant investment — and one that scales in complexity as the user base grows.
What makes Saudi robo-advisory operationally different from global markets
Saudi Arabia presents a specific set of operational challenges that differ from robo-advisory in the US, UK, or European markets.
First, the dual-regulator structure. Many Saudi robo-advisory platforms integrate open banking (SAMA) with investment portfolios (CMA). Connecting the two creates a product that spans two independent regulatory frameworks, each with its own compliance, reporting, and operational requirements. There is no combined licence. Operations teams must satisfy both regulators simultaneously.
Second, the Shariah compliance layer. This is a governance overhead that does not exist in most Western markets. Every instrument, every allocation decision, every new product must pass Shariah review. Managing this process without slowing down product velocity requires well-designed workflows between the investment, legal, and Shariah governance teams.
Third, institutional-grade compliance at consumer scale. The CMA's governance requirements were originally designed for traditional fund managers with small numbers of high-value clients. Robo-advisory platforms must meet the same requirements with hundreds of thousands of users, automated onboarding, and algorithmic execution. The operational challenge is not understanding what CMA compliance requires — it is building systems that deliver it at digital speed and consumer volume.
Key insight: The hardest part of robo-advisory operations in Saudi Arabia is not the algorithm. It is building the compliance, settlement, and reporting infrastructure that supports the algorithm — and maintaining that infrastructure as the platform scales.
The opportunity ahead
Saudi Arabia's robo-advisory market is still early. A figure of 500,000 active portfolios sounds substantial, but it represents a fraction of the addressable market in a country of 36 million people with a young, digitally engaged population and a government mandate to increase investment participation.
The platforms that will win this market are the ones that build robust operations infrastructure — not just compelling UX. CMA compliance, Shariah governance, settlement reconciliation, and scalable KYC processes are not features. They are the foundation that allows a robo-advisory product to grow from 50,000 to 500,000 to 5 million users without breaking.
Building that foundation is the work I do every day at Malaa. It is detailed, unglamorous, and absolutely essential.