The sandbox era is over
In March 2026, SAMA (Saudi Central Bank) issued its first formal open banking licences, with Lean Technologies becoming the first company to receive a major payment institution licence specifically for open banking in the Kingdom. This is a significant moment — not just for the companies that received licences, but for the entire Saudi fintech ecosystem.
For the past several years, open banking in Saudi Arabia operated within SAMA's regulatory sandbox. The sandbox was genuinely useful — it gave fintech companies like Malaa Technologies the space to build, test, and iterate on open banking products under SAMA's supervision without the full weight of a licensed regulatory regime. But sandboxes are, by design, temporary. They are the proof of concept phase, not the production environment.
The March 2026 licences signal that SAMA believes the framework is mature enough, and the technology proven enough, to move into full regulatory accountability. That is both good news and a significant operational challenge.
I have been building and running operations at Malaa Technologies through the sandbox period and into the licensing transition. The shift is real, and the operational implications are substantial. Here's what it actually changes.
A brief timeline of Saudi open banking
What changes operationally: sandbox vs. licensed
The differences between operating in a regulatory sandbox and operating as a licensed entity are not just legal technicalities — they have direct operational consequences.
Sandbox:
- Lighter-touch compliance requirements
- SAMA oversight but no formal licence conditions
- More flexibility to iterate and change direction
- Lower capital requirements
- Informal incident reporting
- Process documentation encouraged but not mandated

Licensed:
- Full SAMA compliance obligations
- Formal licence conditions with ongoing audit
- Material changes require SAMA notification or approval
- Defined capital adequacy requirements
- Mandatory incident reporting to SAMA
- Formal process documentation and evidence required
The three biggest operational shifts
1. Compliance infrastructure is now load-bearing
In the sandbox, compliance was important but had some flexibility. In a licensed environment, compliance infrastructure is load-bearing — it is what keeps your licence. Operations teams need to invest in formal process documentation, internal audit functions, and systems that generate the evidence SAMA requires on an ongoing basis.
This means building the kind of operational rigour that can survive an audit at any time. It means processes cannot live in one person's head. It means every exception, every incident, every data anomaly needs to be captured, classified, and resolved through a documented workflow.
2. Incident management becomes regulated
Under the SAMA sandbox, incidents were managed primarily as a product and engineering concern. Under a full licence, incidents that meet certain thresholds must be reported to SAMA within defined timeframes. This requires building a formal incident management capability — detection, classification, escalation, resolution, and regulatory reporting — that did not necessarily exist in the sandbox phase.
For operations teams, this is significant. It is not just about fixing the problem; it is about documenting what happened, why it happened, what the user impact was, and what you did to prevent recurrence — all in a format that satisfies SAMA's requirements.
3. Capital and governance requirements tighten
A SAMA open banking licence comes with capital adequacy requirements and governance obligations. This means fintech companies need to demonstrate that they have the financial stability and governance structures to operate as regulated entities — not just as innovative startups. For operations leaders, this means contributing to board reporting, being able to speak to risk frameworks, and ensuring that operational processes meet the bar set by SAMA's expectations for licensed firms.
A critical distinction: SAMA licences open banking, CMA licences investment
It is worth being precise about something that is frequently misunderstood: SAMA does not regulate investment products. SAMA's open banking licensing covers the connectivity layer — accessing bank account data, initiating payments, sharing financial information between banks and licensed fintechs.
Investment products — ETF portfolios, fund management, wealth management tools, securities — are regulated by the CMA (Capital Market Authority), Saudi Arabia's capital markets regulator. Any platform that wants to offer investment products to Saudi users needs CMA authorisation, separately from any SAMA open banking licence.
At Malaa Technologies, this means operating across two regulatory frameworks simultaneously. The open banking layer — connecting users' Saudi bank accounts to the platform — is under SAMA. The investment products we build on top of that infrastructure are under CMA. The operational complexity of maintaining compliance with both regulators, meeting their separate audit requirements, and building processes that satisfy both frameworks, is one of the defining challenges of running operations at a platform like Malaa.
When people ask "is Malaa a SAMA-regulated company?" — the answer is yes, for the open banking side. And "is Malaa CMA-regulated?" — also yes, for the investment side. Both are required. Neither is optional.
What Phase 2 means for investment platforms
SAMA's open banking framework is being rolled out in phases. Phase 1 focused on account information services (AIS) — the ability to connect accounts and view data. Phase 2 prioritises payment initiation services (PIS) — the ability to initiate payments directly from bank accounts.
For investment platforms, Phase 2 is potentially transformative. It enables seamless investment funding — users could invest directly from their bank account without any manual transfer steps. It enables automated savings — platforms could move money into investment products automatically, with consent. And it enables real-time portfolio rebalancing triggered by user-defined rules.
The operational work to support Phase 2 is substantial. Payment initiation is higher-stakes than account information — errors in investment funding flows have direct financial consequences for users. The reconciliation requirements, error handling, and user communication processes are all more demanding than in the AIS phase.
The broader significance for Saudi fintech
The move from sandbox to licensing is a maturity signal for the entire Saudi fintech ecosystem. It tells international investors, strategic partners, and talent that Saudi Arabia's open banking market is real — not a regulatory experiment, but a licensed industry. That changes the conversation significantly.
It also raises the bar for all operators. The fintech companies that invested in building serious operational infrastructure during the sandbox phase are better positioned. Those that treated the sandbox as a reason to defer operational rigour will find the licensing transition more difficult.
Saudi Arabia is building one of the most intentional open banking ecosystems in the world. SAMA's approach — sandbox first, licensing second, international standards throughout — is a model other markets are watching. Being here, building here, during this moment, is what makes this work genuinely exciting.
Frequently asked questions
When did SAMA issue open banking licences in Saudi Arabia?
What does a SAMA open banking licence allow fintech companies to do?
What changed operationally when SAMA moved from sandbox to full licensing?
What is Phase 2 of Saudi Arabia's open banking framework?
How does SAMA's open banking licensing affect investment platforms?
Building or operating in Saudi fintech?
I'm always open to conversations about open banking, licensing, and operations in Saudi Arabia's fintech ecosystem.