Financial Technology

Experimental Permit
Instructions
Issued by the Board of the Capital Market Authority Pursuant to its
Resolution Number 1-4-2018 Dated 23/4/1439H Corresponding to
10/1/2018G Based on the Capital Market Law Issued by Royal Decree No
M/30 dated 2/6/1424H Updated Pursuant to the Board of the Capital
Market Authority Resolution Number 2-9-2021 Dated 25/12/1442H
Corresponding to 4/8/2021G
 CONTENT
PART A OVERVIEW

1 Introduction 3
2 Objectives & Principles 4
3 Target Applicants 4

PART B FINTECH REQUIREMENTS

4 Permit Requirements 6
5 Permit Application Process 8
6 Additional Regulatory Requirement 8
7 Fulfilling the Commencement of Business 9
Requirements
8 Business Commencement 10
9 Supervisory Requirements 12
10 FinTech ExPermit Validity Period 12
11 Cancellation of Approval 13

Appendix

Appendix (A): Application Process 14

www.cma.org.sa

2
PART A OVERVIEW

1. Introduction

A. The purpose of these Instructions is to provide a regulatory

framework that is conducive for the innovation of financial
technology ("FinTech") in the capital market within the Kingdom of
Saudi Arabia (The Kingdom).
B. For the purpose of implementing these Instructions, the following
expressions and terms shall have the meaning they bear as follows
unless the contrary intention appears:
FinTech products: innovative FinTech products, services and
business models related to the securities activities.
FinTech ExPermit: a permit to enable applicants to
participate in the FinTech Lab to deploy and experiment their
innovative FinTech products related to capital market within
specified parameters and timeframes.
Applicant: Any natural or legal person who submits an
application to the Authority to obtain a Fintech Expermit.
Fintech company/companies: Wherever they are
mentioned in these instructions, they mean the
company/companies that have obtained a permit to
experiment with FinTech within the jurisdiction of the Capital
Market Authority.
Client(s): A person for whose account a permitted FinTech
company within the FinTech Lab is executing securities
activities.
C. The Capital Market Authority ("Authority") has the right to waive or
modify the requirements set out in these Instructions at its
discretion where appropriate.
D. The Authority receives applications for obtaining a permit to
experiment with financial technology throughout the year. The
assessment of applications will be conducted through batches
announced via CMA's website, provided that all documents and data

3
 necessary are complete prior to commencement of the application's
assessment.
E. The Authority will consider, during each batch, the number of
applicants and FinTech business models that can be effectively
supported in the FinTech Lab at any time to ensure adequate
guidance is provided to applicants and to identify additional relevant
regulatory requirements.

2. Objectives & Principles

A. This section outlines the objectives and principles of these

Instructions, and provides the eligibility and suitability of the FinTech
product prior to the application for the FinTech ExPermit.
B. The applicant should clearly understand the objectives and principles
of the Instructions. It must be emphasized that the FinTech ExPermit
cannot be used to avoid local laws and regulations.
C. These instructions shall be read in conjunction with and in addition
to the Capital Market Law and Regulations.
D. In considering an application to participate in the FinTech ExPermit,
the Authority will take into account, among others, the following:
1. the potential benefits of the proposed FinTech product;
2. the potential risks and mitigating measures associated with the
proposed FinTech product; and
3. the integrity, capability and track record of the FinTech
applicant.
E. The FinTech ExPermit is not intended to create a risk-free FinTech
environment. The FinTech ExPermit aims to promote FinTech
innovation in a controlled environment which the consequences of
failure can be contained.

3. Target Applicants

A. Any person who intends to test a FinTech product related to

securities activities can apply to the FinTech ExPermit, even if they
are not a Market Institution Authorized by the Authority.

4
B. A Market Institution does not need to apply for FinTech ExPermit to
test its FinTech product which complies with all relevant regulatory
requirements to a wider market, if it has authorization for the activity
it wishes to carry on. Alternatively, if it does not have the relevant
authorization for the activity, it will need to apply to the Authority to
amend its License to obtain that authorization in accordance to the
Capital Market Institutions Regulation.
C. The FinTech ExPermit is not intended to be a platform for a person
to launch an established FinTech product which complies with all
relevant regulatory requirements to a wider market. A person, who
intends to deploy its complying Fintech products will need to apply
to the Authority to obtain a License for the activity it wishes to carry
on in accordance to the Capital Market Institutions Regulations.
D. If a Market Institution / person considers that the FinTech ExPermit
is the only appropriate regulatory framework to the testing of its
Fintech product, they can apply for FinTech ExPermit and the
Authority may accept or reject its application.

5
PART B FITECH REQUIREMENTS

4. Permit Requirements

A. An applicant must comply with the following:

1. the applicant has adequate and appropriate resources,
including financial resources, to develop the FinTech product;
2. the applicant is fit and proper to experiment the FinTech
product;
3. the applicant is acting with integrity and with due skill, care and
diligence, including but not limited to the following;
a. communicating information to their clients in a way which
is clear, fair and not misleading;
b. paying due regard to clients’ interests, by treating them
fairly;
c. the ability to ensure confidentiality of client information;
4. the applicant will disclose to the Authority any material event
or change in its business model;
5. the applicant has conducted their due diligence, including
knowing the relevant rules and regulatory requirements for
deploying the proposed FinTech product; and
6. is able to satisfy all additional regulatory requirements that the
Authority may impose.
B. The application should also contain the necessary supporting
information to explain and depict on the following requirements:
1. the applicant has relevant technical and business knowledge
and experience to develop and experiment the FinTech
product;
2. is able to clearly define the FinTech product's targeted clients.
3. is able to clearly define the key milestones and intended
outcomes;

6
 4. is able to clearly define the significant risks arising from the
FinTech product, how it should be assessed and mitigated, and
details of the necessary safeguards; and
5. is able to set out a fair and proper exit strategy for clients should
the FinTech product be discontinued for any reasons, including
but not limited to the following:
a. to cease the offering of the FinTech product to their new
and existing clients;
b. provide notification to their clients informing them of the
decision and related reasons;
c. dispose all confidential information including clients'
personal information collected during the FinTech
experiment period; and
d. submit a report to the Authority on the actions taken under
this paragraph.
C. The applicant must ensure that the proposed FinTech product meets
the following criteria before submitting an application for a FinTech
ExPermit:
1. it must involve a security activity (i.e. it is within the scope of the
activities that the Authority regulates);
2. it promotes FinTech innovation, in terms of the business model
and the application of technology;
3. it has the potential to:
a. promote significant growth, efficiency or competition in
the capital market;
b. promote better compliance and monitoring and risk
management solutions for the capital market; or
c. improve the choices and welfare of clients.
4. it is at a sufficiently advanced stage of development to mount a
FinTech experiment.
D. The Authority may at any time modify or impose additional criteria,
that it reasonably considers to be necessary to address a regulatory
concern.

7
5. Permit Application Process

A. If an applicant is fit to participate in the FinTech ExPermit regulatory

framework (as defined in Section 3 above) and satisfies the permit
requirements (set out in Section 4 above), he/she is entitled to
submit a permit application
B. The application for a FinTech ExPermit is submitted through the
channels available on the FinTech Lab web page on the CMA
website.
C. Once the applicant has submitted their application form, the
Authority will review the application and inform the applicant of its
eligibility to qualify for the FinTech ExPermit.
D. The Authority will work with the applicant to determine the
additional regulatory requirements (set out in Section 6 below) to
be applied to the applicant and its FinTech product during the
experiment period. The applicant will then assess their ability to
meet these requirements.
E. If the applicant is able and willing to meet the additional regulatory
requirements (set out in Section 6 below) as prescribed by the
Authority for the experiment period, the applicant will be granted a
FinTech ExPermit.
F. Once the Authority grants the FinTech ExPermit, the applicant will
be able to experiment its product within the additional regulatory
requirements (set out in Section 6 below).
G. Details of the application process are set out in Appendix A.

6. Additional Regulatory Requirements

A. To grant the FinTech ExPermit, the Authority may impose additional

regulatory requirements including limitations and/or conditions on the
applicant and their FinTech product. These regulatory requirements
may be elicited from existing CMA's regulations as applicable.

8
B. These may include, but are not limited to, any of the following:
1. the number and type of clients with or for whom the applicant
carries on, or intends to carry on within the FinTech ExPermit;
2. the type and size of client transactions that the applicant is
permitted to enter into;
3. Evaluate the suitability of clients and their expressed consent
prior to carrying on the regulated activity;
4. the applicant's ability to protect client’s assets;
5. the requirements surrounding the applicant’s handling and
protection of client information;
6. the manner and type of financial promotion that the applicant
may undertake and the associated disclosures that the applicant
is required to make to clients;
7. the key information required to be contained in a client's
agreement;
8. the FinTech applicant's capital requirements (if any); and
9. the FinTech applicant’s financial and other reporting
requirements.
C. The Authority may, at any time through the life‐cycle of the FinTech
ExPermit, by notice in writing to the applicant, cancel or change any
additional regulatory requirements imposed on the applicant or
impose such further additional regulatory requirements.

7. Fulfilling the Commencement of Business Requirements

A. If the authority decides to grant the applicant the ExPermit, it will

inform him/her of its decision in writing with the conditions and
restrictions it deems appropriate to start commencing the business.
The applicant must fulfill the Commencement of Business
Requirements within the period specified by the Authority from the
date of approval of the ExPermit. -For example but not limited to :-
1. Establishing a commercial entity in the Kingdom, and submitting
all final incorporation documents to the Authority, including the
articles of incorporation, articles of association and commercial
registry.

9
 2. Presenting the approved policies and procedures to manage
conflict of interest between its clients, or between it and its
clients.
3. Fulfillment of all obligations under the Anti-Money Laundering
Law and its Executive Regulations, the Counter Terrorism and
Financing Law and its Executive Regulations, and the relevant
rules and regulations in force in the Kingdom.
4. Fulfilling information security requirements and technology tests
in accordance with the process determined by the Authority.
5. Providing the Authority with the key final agreements with any
external parties related to the company's main activity, as
determined by the Authority.
6. Providing the Authority with the policies and procedures that
regulate the governance of external contracts.
B. An applicant who has obtained the Authorities approval for the Fintech
Experiment may submit to the Authority an application for an
extension of the period for fulfilling the commencement of business
requirements, stating justifications and submitting relevant
documents and information. And the Authority has the right to:
1. accept the request and extend the period, or
2. Reject the request and revoke the approval of the ExPermit.
C. The applicant who has obtained the FinTech ExPermit must submit
what demonstrates the readiness progress to start commencing the
business periodically within the period specified for fulfilling the
requirements.

8. Business Commencement

A. The FinTech company must notify the Authority and obtain its
approval before Commencing its Business.
B. Suspension of the Business:
1. The Authority may completely suspend the activity of the
FinTech company, in order for it to correct the fundamental
errors, provided that the total periods of suspension do not

10
 exceed a maximum of three months and are calculated from the
total period of the ExPermit.
2. The Authority may suspend the activity of the FinTech company
if it deems that it must be subject to evaluation.
3. After the FinTech company begins the business commencement,
it may not stop working during the ExPermit period without
notifying the Authority in advance and in writing of the date on
which it intends to temporarily stop, and providing justifications
for the reasons for stopping, the plan to return to work and the
procedures for notifying customers, and in case the suspension
period exceeds three months, the authority will suspend the
ExPermit and direct the FinTech company to apply for the
ExPermit at later periods.
C. This section applies to all FinTech businesses practiced by a FinTech
company that is within the jurisdiction of the Authority, inside or
outside the Kingdom, with a client in the Kingdom or for his account.
D. The FinTech company must clearly demonstrate that it has obtained a
FinTech ExPermit from the Authority in all its correspondence,
advertisements and notices issued to the public that are used by its
employees and agents.
E. Incentives and Sharing of Losses:
1. It is prohibited for a FinTech company, who is commencing its
business, to do the following:
a. Encourage any customer to conclude any
transaction by offering or giving gifts or incentives.
b. Accept gifts or incentives if doing so would lead to a
material conflict with any duty bound for the client.
2. The Authority considers any gift or incentive given or received by
a FinTech company affiliate or a third party under the direction of
the FinTech company as an incentive given or received by the
FinTech company.
3. The FinTech company may not participate or offer to participate
in any losses suffered by a client.
F. Owners of FinTech companies are prohibited from fully or partially
exiting the company during the validity period of the ExPermit,

11
 provided that the entry of new partners will be by increasing the
FinTech company’s capital, after obtaining the approval from the
Authority.
G. Responsibility of the FinTech Company:
The FinTech company may not exempt or limit itself from
liability, whether under the terms of the provision of services or
otherwise - if the exemption or limitation of liability conflicts with
the obligations of the FinTech company under the Capital Market
Law, or the FinTech Experimental Permit Instructions, or The
Additional Regulatory Requirements imposed by the Authority.

9. Supervisory Requirements:

A. The FinTech company is obligated to submit periodic reports to the

Authority that includes periodic and statistical information,
performance indicators determined by the Authority and data
specified within the Additional Regulatory Requirements that are
issued at the time of the ExPermit, provided that they include all
customer complaints and the approach for dealing with and
addressing these complaints, as determined by the Authority.

10. FinTech ExPermit Validity Period

A. The FinTech ExPermit validity period (Experiment Period) shall not

exceed two years from the date of commencing the business.
B. To extend the experiment period, a written application must be
submitted by the FinTech Company to the Authority no later than
three months before its expiry, or at such time as is otherwise agreed
by the Authority. The application should state the additional time
required and clearly explain reasons for requiring the extension.
C. The Experiment period may only be extended in exceptional
circumstances and the Authority shall reserve the right to reject any
application for an extension.
D. Upon the Expiration of the FinTech ExPermit, the applicant can choose
to either:

12
 1. execute the exit strategy; or
2. proceed to deploy the FinTech product on a wider scale, if the
FinTech company proves its ability to do so, provided that the
financial technology company is able and willing to fully comply
with CMA Laws and Regulations.
E. The Authority may also prohibit deployment of the FinTech product in
the market upon the completion of the testing due to the following
reasons:
1. in the event of an unsuccessful testing based on agreed test
measures; or
2. the FinTech product has unintended negative consequences to
the market.
In such cases, the FinTech Company must immediately execute its
exit strategy.

11. Cancellation of Approval

A. The Authority may cancel an approval to participate in the FinTech

ExPermit at any time before the end of the experiment period if the
FinTech Company:
1. has failed to achieve its intended purpose, based on the latest
experimenting scenarios, expected outcomes and schedule;
2. is unable to fully comply with the relevant legal and regulatory
requirements at the end of the experimenting period;
3. a flaw has been discovered in the FinTech product where the risks
posed outweigh the benefits of the product, and the FinTech
Company acknowledges that the flaw cannot be resolved within
the duration of the experiment;
4. breaching any condition imposed for the duration of the FinTech
ExPermit; or
5. breaching any of the CMA's Implementing Regulations or any
applicable law in the Kingdom or abroad which may affect the
FinTech Company’s integrity and reputation.
B. Upon cancellation of the approval, the FinTech Company must
immediately execute its exit strategy.

13
 Appendix (A)
Application Process

14
15