Firstly, a quick summary. There has been a lot of buzz about Saudi Arabia embracing FinTech as “the new oil”, a key pillar of its ambitious economic reform programme designed to move away from a dependence on crude oil. It is competing with its neighbours, especially the UAE and Bahrain, to become a regional FinTech hub, encouraging the best talent and most promising start-ups to make Riyadh their home. The government has launched numerous initiatives including FinTech Saudi - a joint venture by the central bank (SAMA) and the Capital Markets Authority (CMA), a regulatory sandbox, and the CMA FinTech Lab among others. The government’s Vision 2030 sets a target for moving away from cash and increasing cashless payments to 70%. Next year will see the launch of the FinTech Saudi Hub in the King Abdullah Financial District, and new regulations on FinTech activities. Most major Saudi banks have also initiated FinTech programmes and invested large sums in digital transformation to explore new opportunities and stave off the competition.
But behind the positive headlines, is the regulatory environment and compliance culture in the Kingdom ready for such large-scale change? And how can Saudi Arabia embrace FinTechs and digitisation while guarding against financial crime threats?
Regulatory Environment
There are many components to establishing a thriving FinTech ecosystem, not least a conducive regulatory environment. FinTechs have only been able to receive licenses in Saudi Arabia since January 2020, when SAMA issued its first licences to non-bank financial institutions (STCPay and Geidea). In the same month SAMA introduced the Payment Services Provider Regulations (updated in August 2020), and in February 2020 it issued guidelines for digital-only banks. These guidelines stated digital banks had to meet the requirements of existing regulation plus demonstrate compliance with AML/CTF regulations “in a fully digitised environment”.
Despite the positive moves, there are still a number of grey areas where FinTechs need more clarification to understand their regulatory obligations. Interaction with the regulator is extremely useful, but is difficult for small start-ups who lack the communication channels and existing relationships of major banks. This is where initiatives like FinTech Saudi can play a really helpful role, acting as an aggregator for queries and serving as an intermediary for the whole FinTech community.
RegTech
Like most markets, Saudi Arabia professes that it is keen to embrace RegTech as a way to improve efficiency and effectiveness in tackling financial crime. The digital banking guidelines published in 2020 describe banks operating “in a fully digitised environment”, which appears to open the way for using RegTech for processes like e-KYC. However, more details are needed around what is allowed in practice and how the regulations are to be interpreted. For instance, the use of facial biometric technology is still not permitted in financial services, which limits onboarding tools such as selfie and video verification (although banks are testing the water around biometrics - Riyad Bank has started using voice authentication, and Al Rajhi Bank has rolled out self-service terminals featuring fingerprint biometrics). Another complication is data storage; Saudi regulations place restrictions on the hosting, transfer and storing of customer data outside the Kingdom, restricting the use of many compliance platforms and tools.
Open Banking
Looking ahead, the next hot topic is open banking. SAMA has announced an open banking framework which is due to go live in the first half of 2022. This will compel financial institutions to allow third parties access to customer data (with the customer’s consent), resulting in greater competition and innovation. So far, Bahrain is the only Gulf state to have adopted open banking, although individual financial institutions in the UAE have introduced open banking APIs.
This development will supercharge the growth of the FinTech sector and create both challenges and possibilities in relation to financial crime. Saudi banks can learn from their international counterparts that have developed security measures to protect their open banking APIs from fraud, such as multifactor authentication (MFA), but opening up their systems to third parties does inevitably create new fraud risks. For money laundering, open banking can theoretically be a game changer; data can be shared across multiple providers, enabling each institution to form a more complete picture of customers and their transactions. However, this only works if they change their KYC and monitoring controls to capitalise on this possibility.
FinTechs and other market entrants will also have to play catch-up to prevent an unequal playing field; banks have spent years developing rigorous controls under strict regulatory supervision, whereas new firms will have less experience in financial crime risk management, and regulators may struggle to effectively monitor the increasing number of small companies. Money launderers and fraudsters are extremely good at identifying and targeting weak links, so it’s important for the whole financial sector to apply the same high standards. Ultimately, regulators need to reconsider what data can be shared between institutions and how, to improve customer experiences and develop a holistic understanding of customers to improve financial crime detection.
Recruitment and hiring
A final challenge in both Saudi Arabia and the wider GCC is finding the right compliance talent for an increasingly digital world. The ideal candidates would be people with experience in FinTechs and digital products, but given the lack of such expertise in Saudi Arabia, that would mean recruiting people from other markets like the UK who wouldn’t necessarily understand the regional context or local regulatory nuances. The next best thing, then, is people who thrive on change and are happy to challenge received wisdom and upend the traditional way of doing things. They want to engage with their peers and with the regulators to share insights, ask questions and develop guidelines that will help the sector grow responsibly. For the right people, it’s a hugely exciting opportunity!
Final Thoughts
The next couple of years will be critical for the Saudi FinTech sector. One factor that will determine how quickly new firms can get up and running is if they can assure regulators and banking partners that their compliance programmes are sufficiently robust and that they can successfully balance customer experience with suitable risk controls. Saudi firms can look to international counterparts for guidance and ideas, although they should be aware that even these firms don’t have all the answers, and more developed markets still face real challenges around fraud and money laundering. Nonetheless, benchmarking against international best practice will provide reassurance to regulators and partners, and show a level of sophistication beyond the baseline of meeting minimum regulatory requirements.
However, it is not just FinTechs themselves who need to be open-minded and ready to learn to get the sector off the ground. Regulators also need to be receptive to new ideas, technologies and ways of working, and should be prepared to seek expert advice in areas where they may lack experience, such as cryptocurrencies. The good news is that SAMA and other government bodies in Saudi Arabia genuinely seem prepared to do this, and to work collaboratively with the private sector to encourage growth and work through the details to ensure the regulatory environment permits FinTechs to thrive while successfully minimising financial crime risks.
If you would like to speak to FINTRAIL about any of the issues raised in this article, please contact Maya Braine, Managing Director for the Middle East and Africa at maya.braine@fintrail.com. We work with FinTechs in Saudi Arabia and the wider Middle East region to build out their financial crime compliance controls, secure banking partnerships, select and integrate RegTech vendors, perform health checks and audits, provide interim compliance support, and run training.