# Regulatory Playbook: Saudi Arabia

| Field | Value |
|---|---|
| Market | Saudi Arabia (KSA) |
| Regulator | Saudi Central Bank (SAMA) |
| Status | Draft — requires local compliance review |
| Owner | CDO / Market Entry Lead KSA |
| Created | 2026-04-04 |
| Review | Semi-annually |
| Reference | Cross-Border Compliance Framework |
## Purpose
This is the market entry playbook for Simpaisa's planned expansion into Saudi Arabia. The Cross-Border Compliance Framework defines what the law requires. This playbook defines what must be in place before launch: what licence is needed, what infrastructure must exist, what processes must be established, and what the regulatory expectations are.
Simpaisa status in KSA: Pre-entry / planning stage. No active licence or operations yet.
Saudi Arabia represents a significant new market opportunity. SAMA has established a comprehensive regulatory framework for payment services, including an Open Banking licensing framework launched in March 2026. Market entry requires a SAMA Payment Service Provider licence, which carries substantial compliance prerequisites. This playbook serves as the readiness checklist — nothing in the operational sections is active until licence acquisition is complete.
## Regulatory Landscape

| Dimension | Requirement | Source |
|---|---|---|
| Primary licence | Payment Service Provider (PSP) licence | Payments and Payment Services Law (Royal Decree M/20, 2019); SAMA Implementing Regulations |
| Open Banking | Open Banking licence framework available (launched March 2026; Lean Technologies first licensee) | SAMA Open Banking Framework |
| AML/KYC | Full CDD, EDD for high-risk, sanctions screening. STR filing with Saudi Financial Intelligence Unit (SAFIU). | Anti-Money Laundering Law (Royal Decree M/31 of 2012); SAMA AML/CFT Rules |
| Data localisation | Financial data must be hosted within KSA or SAMA-approved jurisdictions. | SAMA regulations; Personal Data Protection Law (PDPL, Royal Decree M/19 of 2021, enforcement September 2023) |
| PII handling | PDPL governs collection, processing, and cross-border transfer of personal data. Consent and lawful basis required. | Personal Data Protection Law (PDPL), Royal Decree M/19 of 2021 |
| Transaction limits | Per SAMA-prescribed limits by licence category | SAMA Implementing Regulations |
| Reporting | STRs to SAFIU. Regulatory returns per SAMA schedule. | AML Law; SAMA regulations |
| Audit | Annual external audit. SAMA inspection at SAMA's discretion. | SAMA regulations |
| Incident reporting | Significant incidents reported to SAMA within 24–48 hours. | SAMA regulations |
| Capital adequacy | SAMA-prescribed minimum capital per licence category. | Payments and Payment Services Law; SAMA Implementing Regulations |
| Cybersecurity | SAMA Cyber Security Framework. Business continuity requirements. | SAMA Cyber Security Framework |
| Consumer protection | SAMA Consumer Protection Principles. | SAMA Consumer Protection Principles |
| Record retention | Minimum 10 years per SAMA regulations. | SAMA regulations |
## Current Compliance Status
Not yet applicable — pre-entry. No licence application submitted. No operations in KSA.
The table below reflects readiness status against what SAMA will require at the time of licence application and launch.

| Requirement | Status | Gap | Risk |
|---|---|---|---|
| SAMA PSP Licence | Not applied | Full licence application required. No existing relationship with SAMA. | CRITICAL |
| KSA legal entity | Not established | Must incorporate a KSA entity (or establish an authorised branch) prior to licence application. | CRITICAL |
| Capital adequacy | Not applicable | SAMA-prescribed minimum capital must be deposited before licence is granted. Amount TBD per licence category. | HIGH |
| AML/KYC processes | Not in place for KSA | Must establish KSA-specific AML programme aligned to Royal Decree M/31 and SAMA AML/CFT Rules before operations commence. | HIGH |
| Data localisation (KSA) | Not in place | No KSA-based infrastructure. Must provision data hosting within KSA or SAMA-approved jurisdictions before launch. | CRITICAL |
| PDPL compliance | Not in place | Privacy impact assessment, data processing register, and PDPL-compliant consent mechanisms required before processing KSA personal data. | HIGH |
| Encryption at rest | Non-compliant (group-wide) | PII stored in plain text across the group (SECURITY-ARCHITECTURE.md, Finding R2). Must be resolved before KSA launch — SAMA Cyber Security Framework will not tolerate this. | CRITICAL |
| SAMA Cyber Security Framework | Not assessed | Full gap assessment against SAMA CSF required. Group security posture rated 4/10 (Critical). | CRITICAL |
| Business continuity / DR | Unknown | SAMA requires business continuity planning. Current DR posture not documented for KSA. | HIGH |
| Incident reporting to SAMA | Not in place | Process must be established before operations commence. | HIGH |
| Record retention (10 years) | Not configured for KSA | SAMA requires 10-year retention. Must be built into architecture from day one. | MEDIUM |
## Operational Processes

### 1. Merchant Onboarding (KSA) — Pre-Launch Design
The following process must be established and documented before SAMA licence application. It is not currently active.
```text
MERCHANT ONBOARDING FLOW (KSA) — PRE-LAUNCH DESIGN
─────────────────────────────────────────────────────
 SAMA Licence   Application     CDD/KYC         Technical       Go-Live
┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐
│ Obtain   │──▶ │ Merchant │──▶ │ Identity │──▶ │ API Key  │──▶ │ Live     │
│ PSP      │    │ applies  │    │ verified │    │ Sandbox  │    │ traffic  │
│ licence  │    │          │    │ Docs     │    │ Testing  │    │          │
└──────────┘    └──────────┘    │ checked  │    │ Webhook  │    └──────────┘
                                └──────────┘    │ config   │
                                                └──────────┘

PREREQUISITE: SAMA PSP licence must be granted before any merchant onboarding.

Owner:          Commercial (KSA)  Compliance (KSA)  Engineering  Operations (KSA)
SLA:            TBD               TBD               TBD          TBD
Total:          TBD — to be established during licence application process
```
Required documents for CDD (KSA) — anticipated:

- Commercial Registration (CR) certificate from Ministry of Commerce
- National address registration
- National ID (Saudi) or Iqama (resident) of directors and beneficial owners
- Bank account verification letter (Saudi bank)
- Business address verification
- Beneficial ownership declaration (>25% shareholders)
- VAT registration certificate (if applicable)

Enhanced Due Diligence triggers (anticipated):

- High monthly transaction volume (threshold per SAMA regulation)
- High-risk merchant category (gambling is prohibited in KSA; crypto per SAMA guidance; precious metals)
- PEP (Politically Exposed Person) as beneficial owner
- Adverse media screening hit
- Sanctions list match (UN, OFAC, local lists)
### 2. Transaction Monitoring — Pre-Launch Design

No transactions are processed in KSA. The following monitoring framework must be implemented before launch:

| Check | Frequency | Threshold | Action |
|---|---|---|---|
| Velocity check | Real-time | Per SAMA/Simpaisa thresholds (TBD) | Alert + temporary hold |
| Amount anomaly | Real-time | > 3x average daily volume | Alert + manual review |
| New merchant spike | Daily | > 10x first-day average within first 30 days | Manual review |
| Dormant reactivation | On event | No transactions > 90 days, then sudden high volume | Manual review + re-KYC |
| STR screening | Daily batch | Rule-based pattern matching against SAMA typologies | STR filed with SAFIU within prescribed timeline |
STR filing process (to be established):

1. Alert generated by monitoring system or flagged by operations staff.
2. Compliance Officer (KSA) reviews within 24 hours.
3. If suspicious: STR prepared per SAFIU format.
4. STR filed with Saudi Financial Intelligence Unit (SAFIU) within prescribed timeline.
5. Internal record retained for 10 years minimum (SAMA retention requirement).
6. No tipping-off: merchant not informed of STR filing.
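The monitoring rules in the table above, worked as an added Python example that is not Simpaisa's code: the real-time checks are approximated at per-day granularity, the thresholds the page marks TBD are placeholder constants, "sudden high volume" for dormant reactivation is assumed to mean 3x the merchant's prior daily average, and the merchant-days are constructed sample data. The returned actions are the ones that would feed step 1 of the STR filing process.

```python
from datetime import date, timedelta

# Thresholds taken from the monitoring table. Values the page leaves TBD
# (velocity, "sudden high volume") are placeholders, assumed for illustration.
AMOUNT_ANOMALY_MULT = 3        # "> 3x average daily volume"
NEW_MERCHANT_MULT = 10         # "> 10x first-day average within first 30 days"
NEW_MERCHANT_WINDOW_DAYS = 30
DORMANT_DAYS = 90              # "No transactions > 90 days, then sudden high volume"
DORMANT_SPIKE_MULT = 3         # assumed definition of "sudden high volume"
VELOCITY_MAX_PER_DAY = 500     # placeholder for the TBD SAMA/Simpaisa threshold


def evaluate_day(history, today, onboarded):
    """Apply the table's rules to one merchant-day; return (rule, action) pairs.

    history: prior active days as (date, txn_count, total_amount), ascending;
             days with no transactions are absent, so gaps show up as date jumps.
    today:   (date, txn_count, total_amount) for the day under review.
    """
    day, count, amount = today
    hits = []
    if count > VELOCITY_MAX_PER_DAY:                       # velocity check
        hits.append(("velocity", "Alert + temporary hold"))
    if history:
        avg = sum(a for _, _, a in history) / len(history)
        gap_days = (day - history[-1][0]).days
        if gap_days > DORMANT_DAYS and amount > DORMANT_SPIKE_MULT * avg:
            hits.append(("dormant_reactivation", "Manual review + re-KYC"))
        elif amount > AMOUNT_ANOMALY_MULT * avg:           # amount anomaly
            hits.append(("amount_anomaly", "Alert + manual review"))
        first_day_amount = history[0][2]                   # new merchant spike
        if (day - onboarded).days < NEW_MERCHANT_WINDOW_DAYS \
                and amount > NEW_MERCHANT_MULT * first_day_amount:
            hits.append(("new_merchant_spike", "Manual review"))
    return hits


def run_samples():
    """Constructed merchant-days (not real data); returns rule names fired per case."""
    d = date(2027, 4, 1)                                   # assumed post-launch date
    steady = [(d - timedelta(days=2), 10, 1000.0), (d - timedelta(days=1), 12, 1100.0)]
    cases = {
        "steady": (steady, (d, 11, 1050.0), d - timedelta(days=60)),
        "amount_anomaly": (steady, (d, 14, 4000.0), d - timedelta(days=60)),
        "new_merchant_spike": (steady, (d, 30, 12000.0), d - timedelta(days=2)),
        "dormant_reactivation": ([(d - timedelta(days=120), 10, 1000.0)],
                                 (d, 20, 5000.0), d - timedelta(days=400)),
        "velocity": (steady, (d, 600, 1050.0), d - timedelta(days=60)),
    }
    return {name: [rule for rule, _ in evaluate_day(*args)] for name, args in cases.items()}
```

A real deployment would source `history` from the KSA-resident database and persist every hit for the 10-year retention period, since the alert record is part of the STR audit trail.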
### 3. Incident Response (KSA-Specific) — Pre-Launch Design

In addition to the global Incident Response Playbook (Standards/INCIDENT-RESPONSE-PLAYBOOK.md):

| Requirement | SLA | Owner |
|---|---|---|
| SAMA notification for significant incidents | Within 24–48 hours of detection | Country Manager KSA + CDO |
| SAMA notification for data breaches | Within 24–48 hours of detection | Country Manager KSA + CDO |
| SAMA ad-hoc inspection response | Immediate cooperation | Country Manager KSA |
SAMA notification template (to be confirmed with SAMA):

```text
TO:      Saudi Central Bank (SAMA) — Payment Services Supervision
FROM:    [Simpaisa KSA Entity Name] — PSP Licence No: [XXXX]
DATE:    [YYYY-MM-DD]
SUBJECT: Security Incident Notification — [Brief Description]

1. Nature of incident: [description]
2. Date/time detected: [timestamp]
3. Systems affected: [list]
4. Customer impact: [number affected, data exposed if any]
5. Containment actions taken: [list]
6. Root cause (preliminary): [if known]
7. Estimated resolution: [timeline]
8. Contact for follow-up: [name, phone, email]
```
### 4. Data Localisation — Pre-Launch Design

Current architecture:

- No KSA infrastructure exists.
- No data is processed or stored in KSA.

Target architecture (must be in place before launch):

- Financial data hosted within KSA or SAMA-approved jurisdictions.
- KSA-resident database infrastructure (cloud or on-premises within KSA).
- PDPL-compliant cross-border transfer mechanisms for any data flowing to the UAE holding company.
- 10-year data retention configured from day one.
- Column-level encryption for all PII — mandatory given group security posture.

Action items (pre-licence application):

1. Select a KSA-based hosting provider or cloud region (AWS me-south-1 Bahrain or a local KSA DC — confirm SAMA approval for the Bahrain region).
2. Design the KSA data architecture with mandatory encryption at rest from inception.
3. Establish a data classification framework for KSA operations.
4. Prepare PDPL compliance documentation (privacy impact assessment, data processing register, consent mechanisms).
5. Design the cross-border data transfer mechanism for group reporting (aggregated/anonymised only, or PDPL-compliant transfer with appropriate safeguards).
### 5. Reporting Calendar — Pre-Launch Design

The following reporting obligations will apply once the SAMA PSP licence is granted:

| Report | Frequency | Due Date | Recipient | Owner |
|---|---|---|---|---|
| Regulatory returns | Per SAMA schedule | Per SAMA requirements | SAMA | Operations KSA |
| Suspicious Transaction Reports | As needed | Per SAFIU prescribed timeline | SAFIU | Compliance KSA |
| Annual compliance report | Annually | Per SAMA-specified timeline | SAMA | Compliance KSA + CDO |
| External audit report | Annually | Per SAMA-specified timeline | SAMA | Finance + CDO |
| SAMA Cyber Security Framework assessment | Annually | Per SAMA CSF requirements | SAMA | CDO |
| AML/KYC programme review | Annually | Per AML Law requirements | Internal + SAMA on request | Compliance KSA |
| Business continuity test results | Annually | Per SAMA requirements | SAMA | CDO |
### 6. Key Contacts

| Role | Responsibility | Name |
|---|---|---|
| Market Entry Lead KSA | Licence acquisition, SAMA relationship, entity establishment | TBD |
| Country Manager KSA (post-launch) | Overall KSA operations | TBD |
| Compliance Officer KSA | AML/KYC, STR filing, regulatory reporting | TBD |
| Operations Lead KSA | Transaction monitoring, merchant support | TBD |
| Legal Counsel KSA | KSA corporate law, SAMA licensing, PDPL compliance | TBD |
| CDO | Technology, security, data architecture decisions | Daniel O'Reilly |
## Remediation Priorities

These are not remediation items (as there is nothing to remediate in a pre-entry market). These are prerequisites for market entry — items that must be completed before a SAMA PSP licence can be obtained and operations can commence.

| Priority | Item | Criticality | Owner | Target |
|---|---|---|---|---|
| 1 | Group PII encryption at rest (blocks all new market entries) | CRITICAL | CDO | Q2 2026 |
| 2 | Group security posture uplift from 4/10 (SAMA CSF will require substantially higher) | CRITICAL | CDO | Q3 2026 |
| 3 | KSA legal entity incorporation | CRITICAL | Legal / Market Entry Lead | Q3 2026 |
| 4 | SAMA PSP licence application | CRITICAL | Market Entry Lead + CDO | Q4 2026 |
| 5 | KSA data hosting infrastructure provisioned | CRITICAL | CDO | Q3 2026 |
| 6 | PDPL compliance documentation | HIGH | Legal / Compliance KSA | Q3 2026 |
| 7 | KSA AML programme design (aligned to Royal Decree M/31) | HIGH | Compliance KSA | Q3 2026 |
| 8 | SAMA Cyber Security Framework gap assessment | HIGH | CDO | Q3 2026 |
| 9 | Business continuity and DR plan for KSA | HIGH | CDO | Q4 2026 |
| 10 | KSA merchant onboarding process design | MEDIUM | Commercial + Compliance KSA | Q4 2026 |
## Connection to Strategy

This playbook directly supports:

- SG4 (Market Expansion): KSA is a target new market. This playbook defines the regulatory prerequisites for entry. The licence acquisition timeline and infrastructure requirements feed directly into the market expansion roadmap.
- SG1 (Operational Excellence): KSA must be built right from inception — no legacy compliance debt. The group security and data maturity issues (security 4/10, data maturity 1/5, PII in plain text) must be resolved before KSA entry, which creates positive pressure to uplift the entire group.
- Foundational Support #5 (Standardised global network): KSA will follow the same playbook structure as all Simpaisa markets, ensuring consistency from day one.
## Licence Acquisition Roadmap

The following is a high-level roadmap for KSA market entry. Timelines are estimates and depend on SAMA processing times and group remediation progress.

| Phase | Activities | Dependencies | Target |
|---|---|---|---|
| Phase 1: Foundation | PII encryption, security uplift, group compliance baseline | None — must start immediately | Q2–Q3 2026 |
| Phase 2: Entity & Infrastructure | KSA legal entity incorporation, KSA hosting provisioned, PDPL compliance, AML programme designed | Phase 1 substantially complete | Q3 2026 |
| Phase 3: Application | SAMA PSP licence application submitted, SAMA CSF gap assessment complete, business continuity plan in place | Phase 2 complete | Q4 2026 |
| Phase 4: SAMA Review | Respond to SAMA queries, on-site inspection preparation, process documentation finalisation | Application submitted | Q4 2026–Q1 2027 |
| Phase 5: Launch | Licence granted, first merchants onboarded, monitoring active, reporting commenced | SAMA approval | TBD (est. Q1–Q2 2027) |
Critical path blocker: Group security posture (4/10) and PII in plain text are the primary blockers for KSA entry. SAMA will not licence a payment service provider that cannot demonstrate robust cybersecurity and data protection. These group-level issues must be resolved before the KSA application has any reasonable prospect of success.