GUIDANCE NOTES ON COMPLETING THE

SAMA REGULATORY SANDBOX

APPLICATION FORM

Fintech Development
Regulatory Sandbox
December 2023
Guidance Notes on SAMA Application Form

The purpose of the below guidance notes is to assist applicants in completing the application
form by providing sufficient and appropriate information that enables SAMA to perform its
assessment. The guidance notes also provide applicants with a line-of-sight on the different
stages of the Regulatory Sandbox environment.

Please expect a response from SAMA in relation to the outcome of the application within Sixty
(60) business days from the date of submission of the application form.
Should you be successful in this initial stage of evaluation, SAMA will request additional
information as part of its second stage of evaluation. Please refer to Stage 2 for more details.
Should you have any questions about the Regulatory Sandbox or the application form, please
contact us at Sandbox@sama.gov.sa.

1
Overview of the Regulatory Sandbox Stages
SAMA has updated its Regulatory Sandbox operating model and processes to give greater guidance to
applicants on the stages and requirements to move between the different Sandbox stages.

The new operating model gives applicants greater clarity on the different stages, the timeframes for
stages and more transparency on the requirements to move from Stage 1 (Application Submission) to
Stage 2 (Operational Readiness), and to Stage 3 (Regulatory Sandbox Live Testing).

Stage (1) One: Application Stage “60 business days”

 Innovators complete and submit the application form.

 Thereafter, SAMA will assess the application form completeness against the eligibility
criteria demonstrated in the Regulatory Sandbox framework and revert back to the
innovator within the frame of 60 business days with the final decision.

Stage (2) Two: Operational Readiness “120 days”

 The eligible innovators are informed of pre-go live requirements in the form of an Assessment
Criteria (AC), which is based on the business model/concept.
 The Regulatory Sandbox team will provide support in order to finalize the innovators operational
readiness against the communicated AC through providing clarifications on the requirements.
 Successful compliance with the AC within the specified period, will result in obtaining the
temporary permission “LoA”

Stage (3) Three: Testing phase “Up to 12 months”

 Permitted innovators will test their solutions and products in the Regulatory Sandbox for a
minimum period of six months and up to 12 months.
 Upon successful testing SAMA will have issued and/or amended regulations, which would enable
the Innovator to apply for a full Regulatory License.

Stage (4) Four: Exit the Sandbox “Graduation”

 Upon successfully accomplishing the objectives of the testing phase, the applicant will be eligible
to graduate and exit the Regulatory Sandbox environment. And follow one of the mentioned paths:
o Apply for a full license and/or amend existing license.
o Executing the exit plan without pursing a license.
o SAMA confirms the product does not require a license/permission.

2
Stage 1: Application Form Completion - Initial Stage of Evaluation

There are four sections to the Stage 1 Application Form:

A – About Your Business: This section will give information about the company applying to
the Regulatory Sandbox.

B – About Your Innovation: This section will allow to assess the concepts’ suitability for the
Regulatory Sandbox versus the other options like the licensing route (regulations are already
available and license application can be made) and in some cases, whether the concept falls
under SAMA’s regulatory perimeter.

C – Minimum Viable Product and Technological Readiness: This section will allow to assess
the technical readiness (testing MVPs).

D – Your Background: This section will give information about the team you have formed and
their experiences in relation to the Regulatory Sandbox application.

A. ABOUT YOUR BUSINESS

A1 Identification/Contact Details
i. Please provide point of contact details including name, email and telephone of the
company’s representative.
Your answer should include the name and details of the Senior Executive/Founder or the
contact point for communications with SAMA.

ii. Please provide your intended business name.

Your answer should include the full name of the business/company and the use of any trade
names.

iii. Please provide the country of incorporation.

Your answer should specify the country of incorporation if existing operations exist
elsewhere.

iv. Please provide the registered address, telephone and website URL of the business
Your answer should:
- Include a valid address and telephone number

3
 - Include the URLs of the business or company's websites, if applicable.
- Please note that response to this question is optional and will not affect the evaluation
of your application.

A2 Nature of financial services

Please provide details as to whether your business belongs in the Financial Services industry
and in particular in the: Banking Sector, Money Exchanges, Finance Sector, Payments Sector,
Other (please specify)
Your answer should:
- Include whether your business belongs in the Financial services industry
- Determine the sector to which the business belongs, in case the business does not fall
under the financial services sectors mentioned above.
- Please note that response to this question is optional and will not affect the evaluation
of your application.

B. ABOUT YOUR INNOVATION

B1 Summary of the Idea
i. Please provide a summary of your innovation.
Your answer should:
- Include an outline of the idea and the stage of its development (initial, intermediate,
advanced) outlining the reasoning behind this, at the time of the application.
- Please attach a brief description of the innovation, in the form of a presentation that
includes a clear pictorial way that outlines the business model.
ii. Please describe what problem the idea is addressing and solving
Your answer should:
- Include a description of the problem and an explanation of how this can be addressed
by the innovation.

iii. Please describe any benefits and returns of the idea for: consumers, other businesses,
economy (quantifiable estimations if applicable)
Your answer should:
- Specify the type of benefits and returns of the idea for all stakeholders involved
- Include for example improvements in security, access to financial services, customer
experience, cost efficiency, operational efficiency, or expansion into new market
segments as well as others
- Include quantifiable estimations of these benefits and returns of the project

iv. Please provide an outline of how innovation promotes effective competition

Your answer should:
- Include an explanation of how a competitive environment is promoted through the idea
- Please note that your response to this question is optional and will not affect the
evaluation of your application.

4
 v. Please provide an outline of how the proposed innovation includes new or emerging
technology or uses existing technology in an innovative / novel way
Your answer should provide details on use of Distributed Ledger Technology, Hyper
ledger, AI, ML, etc.

vi. Please provide an outline of key similarities and differences between the innovation and
other ideas in the market
Your answer should:
- Detail key similarities and differences between the idea and other innovations/ideas
that are currently in the market
- Please attach the main similarities and differences between the proposed innovation
and other ideas. (If possible).
B2 Business Plan
i. Please specify which type of customers your idea is targeting
Your answer should:
- Provide details relating to customers that are expected to be targeted by the idea.
- Specify whether the idea targets individuals, corporations, government, or others (if
any).

ii. Please specify the size of the total expected customer base (market size)
Your answer should:
- Provide an approximate numeric value of the expected customer base during the
Regulatory Sandbox period.

iii. Please provide an explanation as to the main sources of income to be generated over a
period of 3 years.
Your answer should:
- Specify which are the main sources of income and how these are expected to be
generated.
- Include an approximate total numeric estimation of the expected income - the value
should be expressed in SAR and in the nearest 1,000s.
- Include stage wise estimates for the testing stage (up to 12 months) and post completing
the testing stage (beyond 12 months).
- Be provided in the textbox using bullet points.

B3 Risk Management
i. Please provide an outline of material risks that the innovation could incur, along with how
each of these is assessed and mitigated
Your answer should:
- Include for example operational, cyber-security, AML, CFT, financial crime, conduct,
technology, financial stability and legal risks.
- It should be provided in a tabular format as provided in the example below.

5
 Risk Area Risk Description Mitigation Plan
Operational .... ….

ii. Please provide an outline of potential frauds that the innovation could incur, along with
how each of these are to be assessed and mitigated
Your answer should:
- Include a list of potential frauds that the consumers may be exposed to by using the
innovation/solution, along with how each of these are assessed and mitigated.
- Be provided in a tabular format as provided in the example below

Potential Fraud Assessment Method Mitigation Plan

Operational …. ….

B4 Genuine Need for Sandbox

i. Please describe why you think you need to gain access to the sandbox i.e. why is it
essential for your innovation to be tested in a live environment for its full development
Your answer should include the need for testing the innovation in a live environment,
along with how this will lead to the innovation’s full development in the future.

B5 Alignment with Vision 2030

i. Please demonstrate as to how the solution acts as an enabler towards any of the
initiatives of Vision 2030.
Your answer should:
- Include an explanation of how the solution acts as a catalyst for Vision 2030 initiatives.
- Please refer to the link below for more information and guidance on these initiatives
Link: Vision 2030

C. Minimum Viable Product and Technological Readiness

C1 Readiness for Testing
i. Do you have a Minimum Viable Product (MVP) ready for testing?
Your answer should be provided as Yes or No.
ii. Have you integrated with any other entities in their development environment? If so,
please provide information on which companies you have integrated with.
- Your answer should be provided as Yes or No.
- If the answer is yes, please specify the companies and provide information about them.

6
 iii. Please provide a detailed description of three or four testing scenarios outcomes to
remove uncertainty, which could be arising from regulatory technology or business model
and could not be reasonably or effectively simulated in a test environment. Specifically
for each testing scenario, include a detailed description of the following:
 Testing objectives.
 A thorough description of tests to be performed is required.
 Relaxations/Waivers for any regulatory controls requested by SAMA to be used
during testing.

 Associated risks and suggested mitigation plan for each scenario.

 Respective KRIs and KPIs for each testing need to be outlined as well as reference to
threshold limits.
 Customer Safeguards to be put in place (eg. compensation to customers for any losses
etc.)
 Please attach the testing scenarios (If possible).

C2 Partnerships

Please provide details of the types of companies you expect to integrate with in order to go
live and start operational activities in the Regulatory Sandbox.
Your answer should:
- Provide details of the following types of companies: other FIs, infrastructure providers,
government entities, etc.
- Outline the ways in which these partners are going to assist towards achieving the
testing objectives as these were outlined in Section B1 of the Form.
- Please note that your response to this question is optional and will not affect the
evaluation of your application.

C3 Exit Strategy
i. Please provide an exit and transition plan by including possible end-games of tests to be
performed and the intended action for each end-game.
Examples of possible end games are, for example:

- test/s is/are completed successfully and results support deployment of technology at a

larger scale;
- test/s is/are completed successfully but results do not support the deployment of
technology at a larger scale;
- test(s) has/have to be discontinued due to a technological failure, operational failure,
indication of consumer detriment, etc.
ii. Please provide evidence of a communications plan that would inform customers with:
- The duration, boundary conditions and associated risks for participating in the
Regulatory Sandbox.
- Advance notification of the termination or when the proposed financial service can
proceed to be deployed on a broader scale

7
 iii. Please attach the exit strategy (If possible).

D. YOUR BACKGROUND
D1 Background of the Team
Please provide professional qualifications and experience of your Team relevant to your
application and business model / concept.
Your answer should:
- Include the background (including professional qualifications and past experience) of
the directors, shareholders, senior management (people responsible for key control
functions) and key employees (being the most senior employees responsible for the day
to day tasks of the business), as applicable.
- Please attach the team information in a tabular format as provided below and limited
to no more than 5 people.

Name Role Qualifications Relevant past experience

D2 Year(s) in Operation and Past Achievements

Please provide the years the applicant has been in existence and any past achievements of the
business, if applicable
Your answer should:
- If your company has been operating in other countries, please specify where and what
the products/services are.
- Specify the number of years your business/company has been in operation.
- Use bullet points.
- Please note that your response to this question is optional and will not affect the
evaluation of your application.

D3 Access to Funding
i. Please provide an outline of how the business will be funded until it becomes profitable
Your answer should:
- Indicate if you are self-funding, have investors ready or are planning to fund raise.
- Please attach a summary of how the business will be funded.

ii. Please provide an outline of current shareholder structure (if applicable)

Your answer should:

8
 - Attach an organogram (diagram) and shareholding structure (excel sheet) detailing all
shareholders and their shareholding.

iii. Please provide a copy of funding commitments evidencing that the business has sufficient
access to funding (if applicable)
Your answer should:
- Provide a document of commitments provided to the company detailing access to
funding.
- Please attach the document of commitments (if applicable).

D4 Focus on Environmental, Social and Governance (ESG)

- Please specify if the business places focus on any ESG goals.
- Please note that your response to this question is optional and will not affect the evaluation
of your application.

9
 Stage 2: Operational Readiness
Once the initial application has been screened and assessed for its suitability for the
Regulatory Sandbox, there are two potential outcomes.
Outcome 1

Your application is deemed suitable for the Regulatory Sandbox and you will be given a
Regulatory Sandbox initial approval letter to proceed to Stage 2 of the evaluation, which is
your readiness for operations.

The letter will allow you to update/form your company at the Ministry of Commerce as a
FinTech and will confirm to other stakeholders that SAMA has approved your Sandbox
Concept and you are in the operational readiness stage.
This letter does not permit you to commence operations.
As part of the operational readiness stage, the Regulatory Sandbox team will assess your
compliance with a number of specific requirements, which are detailed in the Regulatory
Sandbox Operational Readiness Assessment Criteria (known as AC). The AC is reviewed and
updated periodically, so please ensure you are using the latest version at the time of your
completion of Stage 1 and not one which you have sourced from anywhere other than SAMA’s
Regulatory Sandbox team or the SAMA website.
The AC requirements are a list of minimum compliance requirements that FinTechs must meet
prior to being permitted to go live with operations and onboarding their clients/customers.
The Regulatory Sandbox has a Risk Management Unit consisting of technical resources to
assess the Fintech’s compliance with the AC requirements and they will monitor and report
completion through the Operational Readiness stage.
The AC requirements consists of assessment and compliance requirements across:

i. Fit and Proper forms and approvals for management

ii. Shareholders’ approval
iii. Financial Model detailing 3 years projections for income statement, cash flow and
balance sheet
iv. Strategy & Solution Architecture
v. Technology & Cyber Risk Management
vi. Governance & Operational Risk Matrix
vii. Vulnerability Assessment & Penetration Testing
viii. Cybersecurity, Policy, Standards and Processes
ix. Scalability Plans
x. Data Sovereignty
xi. Cyber Response and BCM Plans
xii. Security monitoring & Incident Management
xiii. Cybersecurity Regulatory Compliance
xiv. Corporate & Manpower Compliance
xv. Other SAMA Rules Compliance
xvi. Data Privacy Compliance
xvii. Functional and Non-Functional Testing
xviii. Change & Release Management

10
xix. Performance Metrics
xx. IT/Helpdesk Support

Once the AC requirements have been met, the Regulatory Sandbox will issue a No Objection
Letter for the Fintech to commence operations, which is Regulatory Sandbox Stage 3.

Outcome 2
Your application is deemed unsuitable for the Regulatory Sandbox. Some examples of why
your application would not be suitable could be one or a combination of the following:
 Regulations have been issued for your business model/concept and you should apply
directly for a License not for Regulatory Sandbox permissions.
 Your business model/concept does not fall under the regulatory perimeter of SAMA,
but may fall under a different regulatory authority.
 Your business model/concept does not require regulatory oversight.

The reasons will be communicated to you at the time you are notified.

11
Appendix 1: Additional Information

Below is a list of links, which provide readers of the different types of requirements which
FinTechs may need to comply with depending on their business model/concept.
It is important for applicants to know most of the companies providing products or services in
the financial services industry are regulated to safeguard users of the products/services and
the regulatory requirements most likely will be greater than those requirements detailed in
the Regulatory Sandbox Stage 2. FinTechs should assess the commercial viability of their
propositions as part of the overall consideration as having a good idea that removes friction
does not always mean the idea will lead to enough revenue generation to cover the
operational costs of running the business.
Existing Regulations
1. Payments Rules and Instructions
2. Finance Rules and Instructions
3. Banking Rules and Instructions
4. AML Rules and Instructions
5. Cybersecurity Rules and Instructions
6. Credit Information Rules and Instructions
7. Money Exchange Rules and Instructions
8. Consumer protection Rules And Regulations

Laws

1. Banking Control
2. Credit Information
3. Anti-Money Laundering
4. Combating Terrorism Crimes & Financing Law
5. Finance Laws and Instructions
6. Law of Payments and Payment Services
7. Credit Information

Guidelines
1. The Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Guide.
2. Implementing Regulation to the AML Law
3. SAMA Consumer Protection
4. Rules on Outsourcing.
5. Code of Conduct and Work Ethics in Financial Institutions
6. Whistle Blowing Policy for Financial Institutions.
7. SAMA Cybersecurity Framework
8. SAMA BCM Framework.
9. Fit and Proper Forms
10. Key Principles of Governance in Financial Institutions under the Control and
Supervision of the Saudi Central Bank
11. Other Circulars

12