AML Compliance in Saudi Arabia (2026): Guide for Fintechs and Regulated Businesses

Saudi Arabia has one of the most active AML enforcement environments in the Gulf. The Kingdom removed itself from FATF's grey list in 2019, completed a mutual evaluation with strong ratings in 2020, and has continued tightening its framework ahead of the next evaluation cycle. In 2025, the combination of mandatory UBO disclosure, expanding digital payment infrastructure, and SAMA's increasingly granular supervision means AML compliance is an operational requirement with real consequences — not a background function.

This guide covers the Saudi-specific AML layer: the regulatory framework, key obligations, sector-specific risks, and enforcement context. For the underlying AML system architecture, see our AML Requirements guide.

The Legal Framework

Saudi Arabia's AML regime is anchored in the Anti-Money Laundering Law (Royal Decree No. M/20 of 2017), updated in 2019. The law requires:

• Customer due diligence for all regulated entities
• Record-keeping for a minimum of 10 years
• Prompt reporting of suspicious transactions to SAFIU
• Appointment of a dedicated Money Laundering Reporting Officer (MLRO)

Saudi Arabia is a member of both FATF and MENAFATF (Middle East and North Africa Financial Action Task Force). As of the most recent evaluation, the Kingdom is compliant with 17 FATF recommendations and largely compliant with 21 others — strong ratings that reflect genuine institutional commitment and effective supervision, though gaps in virtual asset regulation remain.

In 2025, Saudi Arabia signed an AML/CFT information-sharing MoU with Kuwait through MENAFATF, reflecting the broader regional trend toward cross-border coordination.

Regulatory Authorities

SAMA (Saudi Central Bank) supervises banks, fintechs, payment service providers, and insurance companies. It issues AML/CTF guidelines, conducts inspections, and enforces penalties. SAMA's supervision has become increasingly real-time focused — guidelines now explicitly require transaction monitoring systems, not just periodic review.

CMA (Capital Market Authority) oversees investment firms, fund managers, and capital market participants. AML compliance is a licensing condition and an ongoing audit requirement.

SAFIU (Saudi Arabian Financial Investigation Unit) operates under the Ministry of Interior. It receives and analyses Suspicious Transaction Reports (STRs), coordinates with law enforcement, and contributes to MENAFATF intelligence sharing. In 2024, SAFIU handled a significant volume of reports, contributing to multiple high-profile prosecutions.

Ministry of Commerce supervises DNFBPs — real estate agents, lawyers, accountants, and dealers in precious metals — and operates the new UBO register effective April 2025.

Non-compliance carries fines of up to SAR 5 million under the AML Law, with criminal liability and imprisonment in severe cases.

FATF Standing and Enforcement Context

Saudi Arabia's removal from FATF grey list in 2019 and subsequent positive mutual evaluation reflect real institutional progress. Key areas of strength include supervisory effectiveness, international cooperation through MENAFATF, and beneficial ownership frameworks.

The enforcement record is concrete:

• In 2022, six individuals were convicted for trade-based money laundering (TBML) schemes and sentenced to a combined 31 years in prison — one of the most significant TBML prosecutions in the region
• SAMA has imposed penalties on financial institutions for AML control failures, including inadequate UBO verification and weak transaction monitoring
• SAFIU's STR volume and quality metrics have both increased year-over-year

Key AML Obligations

Customer Due Diligence

CDD under Saudi AML law is not limited to identity verification. Regulated entities must:

• Verify customer identity through reliable sources
• Understand the purpose and intended nature of the relationship
• Assess risk and classify accordingly
• Apply EDD for high-risk clients, PEPs, non-residents, and complex ownership structures

For business clients, this extends into full KYB — ownership verification, UBO identification through the Ministry of Commerce register, and business model assessment. The corporate verification workflow is covered in our KYB Compliance in Saudi Arabia guide.

UBO Disclosure

The UBO Disclosure Regulation effective April 3, 2025 adds a specific AML obligation: all companies must register beneficial owners with the Ministry of Commerce, and changes must be reported within 15 days. For regulated entities, this means UBO data on corporate clients must be verified against the register — not just collected through self-declaration.

Transaction Monitoring

SAMA guidelines explicitly require ongoing transaction monitoring — not just point-in-time checks. Systems must flag:

• Unusual patterns in cross-border transfers
• Transaction volumes inconsistent with declared business activity
• Trade-based discrepancies (over/under-invoicing, misrepresented goods)
• Rapid movement of funds shortly after account activation

STR Reporting

Suspicious transactions must be reported to SAFIU promptly — immediately for urgent cases. The reporting obligation is not threshold-based; any transaction where suspicion exists must be reported regardless of amount.

Record-keeping obligations: 10 years for all customer and transaction data — significantly longer than EU standards and a common gap for internationally-operating compliance teams.

Sector-Specific AML Risks

Digital Payments and Fintechs

Electronic payments accounted for approximately 75-79% of retail transactions in Saudi Arabia in 2024, surpassing Vision 2030 targets ahead of schedule. This rapid digitisation creates scale that legacy compliance systems weren't built for. SAMA's response has been to explicitly require automated, real-time monitoring capabilities — manual review processes are not considered adequate for platforms operating at payment scale.

Trade Finance and TBML

Saudi Arabia's position as a major trading hub — particularly through Jeddah — creates elevated trade-based money laundering exposure. Invoice manipulation, over/under-valuation of goods, and phantom shipments are the primary typologies. For businesses involved in trade finance, AML controls must include business model validation for corporate clients, not just identity verification.

Real Estate

Real estate is a priority AML risk sector in Saudi Arabia. High-value property transactions, joint ventures with foreign investors, and complex funding structures make it one of the harder sectors to monitor. Ministry of Commerce oversight of real estate agents under AML law has expanded, and platforms onboarding real estate businesses as clients must treat them as regulated counterparties.

Virtual Assets and Crypto

Cryptocurrency remains in a restricted zone. SAMA prohibits banks from dealing in virtual assets without explicit approval, and a licensed VASP framework is still under development. Until legislation is finalised, any crypto-adjacent product or partnership requires legal counsel. SAFIU has flagged crypto-to-fiat layering as an emerging risk, particularly through foreign platforms accessed by Saudi residents.

What Tightening Enforcement Means Operationally

For fintechs and regulated businesses, Saudi Arabia's AML environment in 2026 translates into several practical realities:

Real-time monitoring is the standard, not an upgrade. SAMA has been explicit that transaction monitoring must be automated and operate in or near real-time for payment platforms. Periodic manual review is not sufficient.

UBO remediation is an active obligation. The April 2025 regulation means existing corporate client books need to be reviewed — not just new onboarding. Firms that have not started this process are already behind.

Arabic-language documentation requires specialist handling. Saudi corporate records, commercial licenses, and identity documents are in Arabic. Compliance systems that don't accommodate Arabic OCR and document processing create systematic verification gaps.

10-year record retention catches international teams off-guard. Firms accustomed to EU's 5-year standard need to adjust data retention policies for their Saudi operations.

VOVE ID is used by fintechs and regulated businesses in Saudi Arabia to structure onboarding and KYB workflows — Arabic-language document verification, biometric identity checks, and sanctions screening aligned with SAMA standards.

This article is intended for general informational purposes only and does not constitute legal, financial, or regulatory advice. AML requirements may vary depending on jurisdiction, industry, and specific business circumstances. For up-to-date and binding compliance obligations, readers should refer to the relevant regulatory authorities or consult qualified professionals.