Saudi Arabia -- Licensing Requirements Regulatory Overview

Saudi Arabia maintains a conservative and restrictive regulatory stance on cryptocurrencies and virtual assets, with no clear, publicly available general licensing regime for retail exchanges, custody providers, or payment processors as of 2026; public cryptocurrencies like Bitcoin remain effectively illegal for general use per longstanding warnings from the Saudi Central Bank (SAMA), Capital Markets Authority (CMA), and Ministry of Finance.[5][2][8]

Licensing Requirements for Exchanges, Custody Providers, and Payment Processors

• No standardized licenses: There is no broadly public VASP (Virtual Asset Service Provider) or crypto-specific license for retail exchanges, custody, or payment processing; activities like crypto trading, wallet services, or brokerage fall outside approved perimeters without explicit regulatory approval.[2][5][8]
• Limited permitted activities: Under SAMA's 2023 Payment Service Provider Regulations (enabled by the 2022 Law of Payments and Payment Providers), related services such as digital banking, electronic payment processing, P2P lending/investment, asset/wealth investment, crypto/blockchain applications, and BNPL may qualify indirectly, but not pure crypto trading or custody.[3]
• Exchanges and custody: Require entry via SAMA's Regulatory Sandbox as the primary (and currently only recognized) route for testing and potential approval; full operations demand ongoing compliance verification.[1][9]
• Payment processors: Must align with payment regulations; foreign entities can apply pre-incorporation but must form a local entity upon issuance.[3]

Registration vs. Licensing Regime

• Primarily a licensing regime with sandbox entry: Business registration alone (e.g., via Ministry of Investment - MISA portal) is insufficient; it precedes a preliminary sandbox application to SAMA for crypto-related activities. No "one-click" registration substitutes for licensing, and unlicensed operations face administrative penalties, unannounced inspections, and potential legal action.[1][2][6]
• Entity setup first: Legally register a company (e.g., LLC), disclose UBOs/shareholding, define business objects, then seek sandbox admission; foreign firms may operate if activities align with SAMA approvals.[1][3]

Key Requirements

Application Process

1. Register entity and obtain investment license via MISA portal (upload documents, select authorized activity).[1][6]
2. Submit preliminary application to SAMA Regulatory Sandbox electronically (full documentation on solvency, audits, AML systems, business model).[1][3]
3. Undergo review/testing (up to 1 year); meet ongoing reporting, security, and client protection standards.[1][3]
4. Post-sandbox: Secure full operational approval; continuous audits required.[1]

Regulatory References (official sources not directly linked in results; warnings stem from SAMA/CMA/MOF statements):

• SAMA Payment Service Provider Regulations (2023): https://www.sama.gov.sa (search regulations).[3]
• SAMA Regulatory Sandbox: https://www.sama.gov.sa/en-US/FinTech/Pages/RegulatorySandbox.aspx[1]
• 2018 Standing Committee Declaration (via SAMA/CMA): Virtual assets illegal/unlicensed.[5]
• MISA Portal: https://misa.gov.sa[1]

Caveats: Information from consultancy sites conflicts (e.g., some claim VASP paths exist[3], others affirm no clear framework[2][5][8]); official SAMA/CMA positions prioritize caution, with sandbox as the evidentiary route only. No comprehensive retail licensing confirmed; consult SAMA directly for 2026 updates.[2][5][7][8]