KYC Compliance in Saudi Arabia (2026): Identity Verification Requirements for Fintechs and Regulated Businesses

Saudi Arabia has built one of the most digitally ambitious KYC infrastructures in the Gulf — combining national identity platforms, a SAMA-driven sandbox for e-KYC innovation, and a legal framework that aligns closely with FATF standards. For fintechs and regulated businesses, this means KYC is not just a compliance exercise but an operational system that needs to integrate with Saudi national identity infrastructure to work properly.

This guide covers the Saudi-specific KYC layer: legal framework, accepted documents, digital identity infrastructure, risk classification, and where onboarding breaks in practice. For the underlying KYC system architecture and verification logic, see our KYC Requirements guide.

The Legal Framework

KYC obligations in Saudi Arabia are anchored in the Anti-Money Laundering Law (Royal Decree No. M/20 of 2017), amended in 2019 to strengthen UBO transparency and e-KYC adoption. The law mandates customer due diligence, record-keeping, and suspicious activity reporting for all regulated entities.

SAMA (Saudi Central Bank) is the primary KYC regulator for banks, fintechs, payment service providers, and insurance companies. SAMA's KYC guidelines require financial institutions to verify customer identities, assess risk, and appoint a dedicated Money Laundering Reporting Officer (MLRO). Customer profiles must be reviewed and updated at least every five years.

CMA (Capital Market Authority) applies equivalent KYC requirements to investment firms, fund managers, and capital market participants.

Non-compliance carries fines of up to SAR 7 million and imprisonment of up to seven years under Article 23 of the AML Law.

Who Must Comply

KYC obligations apply to:

• Banks, finance companies, and money exchange businesses
• Payment service providers, e-money institutions, and licensed fintechs
• Insurance companies
• Capital market participants (CMA-supervised)
• Virtual asset service providers — currently operating in a restricted environment (see crypto section below)
• DNFBPs: real estate agents, lawyers, accountants, precious metals dealers

Accepted Identity Documents

Saudi nationals: The National ID (Huwiyya) issued by the Ministry of Interior is the primary identity document. It must be current — SAMA has specifically flagged expired National IDs as a compliance gap that can lead to account restrictions.

Expatriates and foreign residents: The Iqama (residency permit) is the standard document for expatriates legally resident in Saudi Arabia. For non-residents, passport is the primary document.

Additional documentation — utility bills no older than three months, proof of address, or source of funds documentation — may be required for higher-risk relationships or EDD scenarios.

Saudi Arabia's Digital Identity Infrastructure

Saudi Arabia has invested significantly in digital identity platforms that directly shape how KYC can be conducted:

Absher is the national government services portal for Saudi citizens and residents. It integrates with multiple government databases and is used for identity authentication, visa processing, and other official interactions. For KYC purposes, Absher provides a government-verified identity layer that regulated entities can leverage to confirm identity data against official records.

Nafath is Saudi Arabia's national digital authentication system, providing secure, real-time identity verification for online services. For fintechs conducting digital onboarding, Nafath-based authentication provides a high-assurance identity confirmation that reduces reliance on document capture alone.

Yaqeen is the identity verification service for expatriates, allowing verification of residency and legal status through government data. For platforms with significant expatriate client bases — common in financial services given Saudi Arabia's large expat population — Yaqeen integration is operationally important.

SAMA's Regulatory Sandbox — launched and updated multiple times since 2018 — has actively encouraged fintechs to test e-KYC solutions, including biometric verification and API-based identity checks. This has created an environment where digital KYC is not just permitted but actively expected as the standard for regulated platforms.

This is where platforms like VOVE ID complement the infrastructure — Arabic-language document OCR, biometric liveness detection, and face matching in one API, with audit logging aligned with SAMA evidentiary standards.

Risk Classification Under SAMA

Saudi KYC operates on a risk-based approach mandated by SAMA guidelines. Entities must classify customers by risk and calibrate verification depth accordingly:

Standard CDD applies to typical low-to-medium risk relationships. Identity verification, document check, and basic screening are the baseline.

Enhanced Due Diligence (EDD) is mandatory for:

• Politically exposed persons (PEPs) and their close associates
• Non-residents and clients from high-risk jurisdictions
• Complex corporate structures or foreign ownership chains
• Relationships where source of funds is unclear

Simplified due diligence is permitted for clearly low-risk entities — listed companies, government bodies — but must be documented.

Risk classification must be reviewed periodically — at minimum every five years per SAMA guidelines, and immediately when the client's circumstances change.

Crypto and Virtual Assets

Cryptocurrency remains in a restricted zone in Saudi Arabia. SAMA prohibits banks from dealing in virtual assets without explicit approval, and a framework for licensed VASP activity is still under development. Until legislation passes, any crypto-adjacent onboarding requires legal counsel. Platforms should not assume that international VASP licensing transfers to Saudi operations.

SAFIU Reporting

Suspicious transactions must be reported to SAFIU (Saudi Arabian Financial Investigation Unit) promptly — immediately for urgent cases. SAFIU operates under the Ministry of Interior and feeds intelligence to law enforcement for financial crime investigations.

Records must be retained for a minimum of 10 years under Saudi AML Law — longer than the standard in most EU jurisdictions and a point that catches some internationally-oriented compliance teams off-guard.

Where KYC Breaks in Practice

Expatriate population complexity. Saudi Arabia has one of the largest expatriate populations in the world — over 13 million non-Saudi residents. Iqama documentation, passport diversity, and varying residency statuses create significant verification complexity for platforms onboarding at scale. VOVE ID supports document verification across 190+ countries, which matters in a market where a large proportion of customers are non-nationals.

Arabic-language documentation. National IDs, Iqamas, and supporting documents are issued in Arabic. KYC systems that do not natively support Arabic OCR and document processing will create systematic gaps in verification quality.

National ID expiry. SAMA has specifically flagged expired National IDs as a KYC failure point — similar to the Emirates ID issue in the UAE. Platforms need automated re-verification triggers, not just point-in-time checks.

Profile update obligation. SAMA's five-year review requirement for customer profiles is an active obligation. Many platforms build strong onboarding KYC but have no structured process for periodic re-verification. This is a recurring finding in SAMA inspections.

PEP density. Saudi Arabia's political and economic structure means a meaningful proportion of business clients have PEP exposure through family ties or government connections. Proximity screening — not just name matching — is essential.

Getting KYC Right in Saudi Arabia

Saudi Arabia's digital identity infrastructure — Absher, Nafath, Yaqeen, and SAMA's e-KYC-friendly sandbox — makes it one of the more automation-ready KYC environments in the Gulf. The challenge is building workflows that integrate with this infrastructure, handle Arabic-language documentation properly, and connect initial verification to the ongoing review obligations SAMA actually requires.

VOVE ID is used by fintechs and regulated businesses in Saudi Arabia to build KYC workflows that meet this standard — Arabic-language document verification, biometric checks, sanctions screening, and audit-ready logging aligned with SAMA requirements.

This article is intended for general informational purposes only and does not constitute legal, financial, or regulatory advice. KYC requirements may vary depending on jurisdiction, industry, and specific business circumstances. For up-to-date and binding compliance obligations, readers should refer to the relevant regulatory authorities or consult qualified professionals.