I. The Scale of the Opportunity
$1.3T
Saudi Arabia's GDP in 2025 — the largest economy in the Middle East, with a young, digitally-native population of approximately 35 million and one of the fastest-growing payment infrastructure investments in any emerging market.
Saudi Vision 2030 Progress Report, April 2026²²
Vision 2030's Financial Sector Development Programme has been one of the most transformative regulatory programmes in the GCC. Between 2017 and 2025, SAMA issued multiple rounds of payment institution licences, established a dedicated fintech regulatory sandbox, and introduced open banking infrastructure through the Open Banking Lab. The FSDP's explicit goals include significant foreign investment in digital financial services and the establishment of Riyadh as a regional financial technology hub.²³
International payment firms and fintechs bring two things that domestic operators typically lack: cross-border payment infrastructure and international compliance experience. SAMA has demonstrated a preference for international applicants who can demonstrate automated, AI-driven compliance programmes — firms whose control architecture is designed to scale rather than dependent on team size.
II. The SAMA Licensing Framework
Licence Categories and Capital Requirements
Payment institution licensing in Saudi Arabia is governed by SAMA's Payment Services Provider Regulations. The framework distinguishes between payment service providers (PSPs) operating domestically and those with international scope.²⁴ Capital requirements vary by licence category and transaction scope; applicants should consult current SAMA guidance directly, as requirements have been updated periodically within the Fintech Strategy 2030 programme.
A realistic timeline from initial engagement to SAMA PI licence award is 9 to 15 months for well-prepared applicants. The preparation phase — compliance programme design, management team assembly, Saudi banking relationship establishment, and technology infrastructure configuration — typically takes 3 to 6 months before formal submission. Firms that present a live, automated compliance system at the examination stage consistently achieve faster outcomes than those presenting a compliance manual and a forward-looking implementation commitment.
AML and KYC Programme Requirements
SAMA's AML Framework Circular and associated AML/CFT guidelines require payment institutions to implement a risk-based programme encompassing customer risk classification, enhanced due diligence for higher-risk customers, UBO identification consistent with FATF standards, and suspicious transaction reporting to the Saudi Financial Intelligence Unit (SAFIU).¹⁰ The requirements broadly align with FATF Recommendations but include specific GCC-market obligations around PEP classification for the Saudi political context and screening against SAMA's own domestic lists.
Sharia Compliance
Saudi Arabia is an Islamic finance jurisdiction. Payment products are generally expected not to incorporate structures that conflict with Sharia principles — most relevantly, interest-bearing float structures or investment arrangements that do not comply with Sharia investment standards. Firms will typically require Sharia Board review of product structures, and ongoing compliance monitoring to ensure that product configurations and investment mandates remain Sharia-consistent as market conditions evolve.
Arabic Language and Regulatory Reporting
Licensed payment institutions are required to submit regulatory returns to SAMA in Arabic, following SAMA-specified templates covering financial position, transaction volumes, AML statistics, and operational incident reporting.¹⁰ For international firms with limited Arabic-language compliance capability, manual compilation of SAMA returns is a significant recurring overhead — one that is substantially addressable through automated regulatory reporting configured for SAMA's specific template requirements.
III. The CBUAE Parallel: UAE Market Dynamics
For firms considering parallel UAE market entry, the regulatory landscape has significant structural similarities with Saudi Arabia — both are FATF-aligned, both require robust KYC and AML frameworks, and both operate within a rapidly evolving payment technology environment — but important differences in supervisory style and product expectations.
Mainland UAE operations are governed by the CBUAE's Retail Payment Services and Card Schemes Regulation. The DIFC and ADGM operate under the DFSA and FSRA respectively — with regulatory frameworks that have closer alignment to UK FCA standards and are often used as initial market entry points by international firms.²⁵ UAE Pass — the national digital identity infrastructure — is increasingly integrated into compliant consumer onboarding workflows for CBUAE-licensed firms, providing biometric verification that meets CDD standards.
IV. Building for the GCC From an International Base
The most efficient market entry approach for international payment firms is to extend an existing compliance infrastructure — built for FCA or EBA regulatory requirements — rather than build GCC compliance from scratch. The core capabilities required in both environments are structurally identical: AI-powered KYC, UBO mapping, transaction monitoring, and sanctions screening. The GCC-specific layer consists of jurisdictional reporting templates, Arabic language configuration, Sharia compliance monitoring, and local sanctions list integration.
360 Fintech AI's GCC module delivers exactly this architecture. Firms already deployed on the UK platform can activate the GCC module — including CBUAE and SAMA regulatory reporting, Arabic language support, Sharia compliance monitoring, and UAE Pass integration — without rebuilding core compliance infrastructure. The regulatory overlay is jurisdiction-configurable, enabling the same platform to simultaneously meet FCA, CBUAE, SAMA, and MAS requirements.
Contact our GCC market entry team at gcc@360fintech.ai.