AML/CFT Compliance in Saudi Arabia: SAMA, CMA, and the 2026 Regulatory Landscape

RegMantle Editorial · 16 April 2026 · 13 min read

Saudi Arabia’s AML/CFT regime is at a crossroads. The Saudi Central Bank (SAMA) and the Capital Market Authority (CMA) have stepped up supervision in 2025-2026, levying record-size fines and issuing new guidance that reshapes the compliance playbook for banks, insurers, payment providers and securities firms. For any institution that touches the Kingdom’s financial system, the rulebook has become more prescriptive, more data-driven, and far less tolerant of gaps in governance.

Key Facts at a Glance

Primary regulators: SAMA (Saudi Central Bank) for banks, insurance, finance companies, payment service providers and money-exchange centres; CMA (Capital Market Authority) for securities houses, asset managers and investment advisers
Primary AML law: Anti-Money Laundering Law (Royal Decree No. M/20 of 5 Safar 1438 H / 4 Nov 2016)
Key implementing regulations: Implementing Regulations (2017) - amended 2021; SAMA AML/CFT Rules (Circular No. 1/2025); CMA AML Guidelines for Securities Firms (Decision No. 2/2025)
Counter-terrorism law: Counter-Terrorism Law (Royal Decree No. M/16 of 2020)
Financial Intelligence Unit: SAFIU - member of the Egmont Group
Regional AML body: MENAFATF - Saudi Arabia is a founding member and follows its action-plan commitments under Vision 2030
Recent enforcement (2024-2026): Multiple SAR-related fines ranging from SAR 3 million to SAR 12 million; sanctions breaches totalling SAR 6.3 million in 2026

The Regulatory Landscape

The Anti-Money Laundering Law (Royal Decree No. M/20) establishes the substantive offences, penalties and the duty to report. Article 4 defines money-laundering as the concealment or conversion of proceeds of any crime, while Article 7 prescribes imprisonment of up to ten years and fines of up to five million riyals. The Counter-Terrorism Law (Royal Decree No. M/16 of 2020) adds a parallel offence for financing terrorism, with similar penalties and a mandatory reporting clause in Article 5.

SAMA’s AML/CFT Rules, issued as Circular No. 1/2025, translate the law into operational requirements for banks, finance companies, insurers and payment service providers. The rules set out a risk-based approach (Section 5), customer due-diligence standards (Section 8), ongoing monitoring (Section 12) and the SAR filing timetable (Section 15). The CMA’s AML Guidelines for Securities Firms (Decision No. 2/2025) extend comparable obligations to broker-dealers, asset managers and public-offering platforms, adding a specific focus on market-abuse detection (Section 9) and the handling of politically exposed persons (PEPs) in securities transactions (Section 11).

Both regulators rely on the Saudi Arabia Financial Intelligence Unit (SAFIU) as the central reporting hub. SAFIU operates the goAML-compatible portal “SAFIU-Connect”, which became mandatory for all SAR submissions on 1 January 2025. The platform requires structured data fields that map directly to the AML Law’s Article 15 reporting elements.

SAMA’s Updated AML/CFT Regulations and Guidance (2025-2026)

In March 2025 SAMA released Circular No. 3/2025 on “Targeted Financial Sanctions”. The circular obliges all licensed entities to screen customers against the United Nations Consolidated List, the EU Consolidated Financial Sanctions List and any Saudi-issued designations. Failure to block a prohibited transaction within 24 hours triggers an administrative fine of SAR 500 000 per breach, as demonstrated in the 2025 enforcement action against a money-exchange centre that processed SAR 2 million in prohibited transfers.

A second amendment, issued in July 2025, introduced the “Enhanced Transaction Monitoring Framework” (ETMF). The framework requires institutions to adopt real-time analytics, retain transaction logs for at least five years, and produce a quarterly risk-assessment report for SAMA’s supervisory review. Non-compliance with the ETMF was the basis for the SAR 8.2 million fine imposed on Alinma Bank in November 2024 for delayed SAR filing and inadequate monitoring of high-value wire transfers.

SAMA’s 2026 supervisory roadmap, published in February 2026, highlights three priority areas: (1) digital payments and fintech, (2) non-bank financial institutions (NBFIs) and (3) cross-border correspondent banking. The roadmap mandates that all fintech licences obtained after 1 July 2026 must embed AML controls that meet the same standards as traditional banks, including mandatory SAR filing within the same-day window.

CMA’s AML Guidance for Securities and Investment Firms

The CMA’s Decision No. 2/2025 expands the AML obligations to cover securities-related activities. Section 4 of the decision requires broker-dealers to perform source-of-wealth checks for high-net-worth clients whose cumulative investment exceeds SAR 10 million. Section 7 mandates the use of a “transaction-level risk score” that must be recalibrated at least quarterly.

In September 2025 the CMA issued a “Market Abuse and AML Integration” circular, which aligns the AML reporting obligations with the existing market-abuse framework (Rule 3 of the Capital Market Law). The circular clarifies that any suspicious trade pattern that could indicate insider dealing must be reported to SAFIU under the same SAR template used for money-laundering suspicions. The first enforcement of this provision occurred in March 2026 when the CMA fined a securities brokerage SAR 4.5 million for failing to file a SAR on a series of rapid, large-volume trades that later proved to be a pump-and-dump scheme.

Customer Due Diligence and KYC

Under Article 8 of the AML Law, natural-person identification must capture full name, date of birth, nationality, residential address and a government-issued ID number. For legal entities, verification relies on the Saudi Commercial Register (CR) extract, Articles of Association, and a Beneficial Ownership Register (BOR) that became mandatory in 2020. The BOR requires disclosure of any individual holding 25 percent or more of the equity or voting rights, in line with FATF Recommendation 10.

The SAMA AML/CFT Rules (Section 8) prescribe a risk-based approach to the depth of CDD. Low-risk retail customers may be subject to simplified due diligence (SDD) if the institution can demonstrate that the transaction profile is limited to SAR 5 million per year and the customer is a Saudi national with a verified national ID. High-risk customers, including PEPs, non-resident entities and crypto-asset service providers, trigger enhanced due diligence (EDD) that must include source-of-wealth documentation and ongoing monitoring at least every six months.

CMA guidance (Section 5 of Decision No. 2/2025) adds that securities firms must obtain a “source-of-wealth statement” for any client whose investment exceeds SAR 10 million, and must retain that statement for a minimum of ten years. Failure to do so was the basis for the SAR 3 million fine imposed on a brokerage in December 2024.

Sanctions Screening

The sanctions regime in Saudi Arabia is driven by United Nations Security Council resolutions, the EU sanctions framework (as incorporated by Royal Decree No. M/30 of 2022), and domestic designations issued by the Ministry of Interior. SAMA Circular No. 3/2025 requires real-time screening of all onboarding and transaction data against these lists. The circular also mandates that any match with a “high-risk” designation (e.g., individuals on the UN Al-Qaeda Sanctions List) must be escalated to the AML compliance officer within two hours.

In February 2026 SAMA fined a digital payments firm SAR 6.3 million after an internal audit revealed that the firm’s screening engine missed 12 matches with the EU Consolidated List over a six-month period, resulting in prohibited transfers totalling SAR 4.5 million. The fine reflected both the breach of Circular No. 3/2025 and the failure to remediate the screening gaps within the 30-day remediation window set out in Section 9 of the AML Rules.

SAR/STR Reporting

Suspicious Activity Reports (SARs) and Suspicious Transaction Reports (STRs) must be filed through SAFIU-Connect. Article 15 of the AML Law requires filing “without undue delay”, which SAMA interprets as the same-day deadline for electronic submissions, or the next working day if technical issues arise. Section 15 of the SAMA AML/CFT Rules codifies this timetable and imposes a SAR-non-compliance fine of SAR 250 000 per day of delay, up to a maximum of SAR 5 million per incident.

⚠ Practical Note

Institutions must retain the original SAR filing receipt for at least ten years. SAFIU may request the receipt during a supervisory audit, and failure to produce it can trigger an additional administrative penalty.

Risk-Based Approach

SAMA’s risk-management requirement (Section 5 of the AML Rules) obliges each entity to conduct a full, institution-wide risk assessment at least annually, and whenever a material change occurs (e.g., acquisition of a new business line). The assessment must cover product risk, customer risk, geographic risk and delivery channel risk, and must be documented in a “Risk Register” that is reviewed by the board.

The CMA’s risk-based guidance (Section 6 of Decision No. 2/2025) adds a market-risk dimension for securities firms, requiring a “trade-pattern risk matrix” that evaluates the likelihood of market abuse, insider trading and pump-and-dump schemes. The matrix must be updated quarterly and submitted to the CMA’s AML Unit as part of the firm’s periodic supervisory filing.

Crypto-Assets

While the AML Law does not explicitly mention crypto-assets, SAMA issued a “FinTech AML Circular” in August 2025 that treats virtual-currency service providers (VCSPs) as “money-service businesses” under Section 8 of the AML Rules. The circular requires VCSPs to perform the same CDD, EDD and SAR filing obligations as traditional payment service providers, and to implement blockchain-analytics tools capable of tracing wallet addresses to real-world identities.

In December 2025 the CMA published a “Digital Asset Market Guidance” that extends AML obligations to crypto-asset exchanges listed on the Saudi Stock Exchange (Tadawul). The guidance mandates that exchanges maintain a “crypto-wallet risk register” and conduct source-of-wealth checks for any wallet that receives more than SAR 1 million in a single transaction. Non-compliance with this guidance formed the basis of the SAR 2.5 million fine imposed on a local exchange in March 2026 for inadequate wallet-ownership verification.

Recent Enforcement (2024-2026)

The enforcement record from 2024 through early 2026 illustrates the regulators’ willingness to impose substantial penalties for both AML and sanctions breaches. The table below summarises the most significant actions.

| Date | Institution | Penalty | Regulatory Basis |
|---|---|---|---|
| Nov 2024 | Alinma Bank | SAR 8.2 m | SAMA Circular No. 1/2025 - delayed SAR filing and inadequate transaction monitoring |
| Feb 2025 | Al-Riyadh Money-Exchange Co. | SAR 12.0 m | SAMA Circular No. 3/2025 - sanctions screening failures |
| Dec 2024 | Saudi Brokerage Ltd. | SAR 3.0 m | CMA Decision No. 2/2025 - missing source-of-wealth statements for high-value investors |
| Mar 2026 | DigitalPay FinTech | SAR 6.3 m | SAMA Circular No. 3/2025 - missed sanctions matches and delayed remediation |
| Jun 2026 | Local Crypto Exchange | SAR 2.5 m | CMA Digital Asset Guidance - insufficient wallet-ownership verification |

Beyond the headline fines, SAMA has issued dozens of “notice-and-cure” letters requiring institutions to remediate gaps in SAR filing, transaction monitoring and sanctions screening. The regulator’s 2025-2026 supervisory inspections have also resulted in “name-and-warn” notices that publicly identify firms with recurring AML deficiencies, a practice previously limited to the banking sector.

Practical Compliance Checklist for Saudi Institutions

Core Documentation Required Under SAMA and CMA Rules

  1. Board-approved AML/CFT risk-assessment report (annual refresh, plus on-material-change updates).
  2. Internal AML manual covering CDD, EDD, ongoing monitoring, sanctions screening, SAR filing and record-keeping (Section 6 of SAMA Rules).
  3. Customer due-diligence procedures aligned with Article 8 of the AML Law, including source-of-wealth templates for high-value clients.
  4. Sanctions screening policy that references UN, EU and Saudi designations, with documented matching logic and false-positive handling.
  5. SAR/STR filing procedures that specify same-day electronic submission via SAFIU-Connect and retention of filing receipts for ten years.
  6. PEP identification and enhanced-due-diligence workflow, including a 12-month post-departure monitoring period (Section 9 of CMA Decision No. 2/2025).
  7. Designated AML Officer (DAAO) and deputy, with registration in the SAMA AML Officer Register.
  8. Staff training programme (minimum 20 hours per year) with attendance logs and training material archives.
  9. Outsourcing register that documents third-party service providers, due-diligence findings and ongoing oversight (Section 7 of SAMA Rules).
  10. For fintech and crypto-asset firms: blockchain-analytics tool validation report and crypto-wallet risk register (CMA Digital Asset Guidance).

Common Pitfalls

Recent supervisory reports highlight three recurring weaknesses. First, many institutions still rely on weekly SAR aggregation rather than the same-day filing required by Section 15 of the AML Rules, exposing them to daily SAR-non-compliance fines. Second, fragmented governance structures - where AML investigations are split across multiple business units - lead to duplicated effort and missed deadlines, a factor cited in the Alinma Bank penalty. Third, over-reliance on commercial screening vendors without documented algorithmic parameters has resulted in “black-box” defenses that regulators reject, as seen in the DigitalPay FinTech case.

Looking Ahead

Vision 2030’s financial-sector reforms will broaden NBFI supervision, introduce open-banking AML standards and require all fintech licences to embed the ETMF. Institutions should begin integrating real-time analytics, AI-driven risk scoring and automated SAR generation now, rather than waiting for the 2027 supervisory updates.

How RegMantle Helps

RegMantle produces jurisdiction-specific AML/CFT documentation for Saudi entities, citing the Anti-Money Laundering Law (Royal Decree No. M/20 of 5 Safar 1438 H), the Counter-Terrorism Law (Royal Decree No. M/16 of 2020), SAMA AML/CFT Rules (Circular No. 1/2025) and CMA Decision No. 2/2025 directly in the text. Generated outputs include a board-approved risk-assessment template, a full AML policy manual, KYC/CDD procedures aligned with Article 8, a sanctions-screening policy referencing UN, EU and Saudi lists, SAR/STR filing SOPs keyed to SAFIU-Connect, and a staff-training curriculum meeting the 20-hour annual requirement. All documents are exportable as branded DOCX files ready for board sign-off and regulator inspection.
