The Kingdom Is Rewriting the Rules of Money Movement

SAMA’s Updated Payment Oversight Framework — What It Means for Consumers, Businesses, and the GCC’s Financial Future

On March 8, 2026, the Saudi Central Bank (SAMA) published its revised Oversight Framework on Payment Systems and Their Operators — superseding the 2021 framework and formally anchoring Saudi Arabia’s digital payment governance to global PFMI standards. This is not a routine update. It is a sovereign infrastructure declaration.

Why Now?

Saudi Arabia didn’t just digitize payments — it transformed them at a civilizational scale. From a cash-payment ratio above 90% in 2009, the Kingdom has engineered one of the fastest financial inclusion stories on record. The financial inclusion rate has now reached nearly 94% of the adult population, with platforms like mada, STC Pay, and a growing cohort of licensed fintechs reshaping how 35 million people and millions of businesses move money every day.

The old 2021 framework was written before Open Banking went live, before real-time rails became the default expectation, and before fintechs began carrying systemic weight. The Kingdom needed rules that matched the reality on the ground — and the ambition ahead. The March 2026 update is that answer.

Figure 1: Saudi Arabia Digital Payment Volume & Cashless Share (2019–2025*) | Source: SAMA, Vision 2030 FSR

What Actually Changed?

The framework’s core changes can be understood across three structural dimensions: who gets watched, how risk is classified, and how oversight is exercised.

1. Scope — Who Gets Watched

The revised framework now explicitly covers all entities operating within Saudi Arabia’s payment stack — payment systems, trade repositories, payment instruments and platforms, financial institutions interacting with payment systems, and critically, third-party providers. That last category — cloud vendors, API aggregators, payment middleware companies — previously operated in a supervisory grey zone. No longer.

2. Classification — A Tiered Risk Architecture

The framework introduces formal designation criteria for Systemically Important Payment Systems (SIPS) based on thresholds of volume, value, and participant count. Higher designation means deeper scrutiny, more frequent assessment, and mandatory annual PFMI self-evaluation. This is proportionate regulation done right — calibrating oversight intensity to actual systemic weight.

3. Methodology — From Reactive to Predictive

SAMA’s oversight toolkit now includes real-time transaction monitoring, operator interviews, documentation reviews, and on-site inspections. The dual-assessment model — operators self-assess, SAMA verifies — distributes compliance responsibility intelligently across the ecosystem.

Figure 2: Regulatory Coverage Index — 2021 vs 2026 SAMA Framework Across Key Oversight Dimensions

Key Framework Changes at a Glance

The Technology Dimension

This is where the story becomes genuinely consequential for anyone building in the Kingdom’s payments space. The framework is not just a governance document — it is a technology mandate dressed in regulatory language.

PFMI as the Global API Standard

Embedding the Principles for Financial Market Infrastructures (PFMI) — as issued by CPMI-IOSCO — means Saudi payment systems now speak the same technical governance language as the Bank of England, the European Central Bank, and the Federal Reserve. This is the architecture of cross-border interoperability. For the first time, the Kingdom’s payment rails are certifiably compatible with global infrastructure.

Cyber-Resilience as a Non-Negotiable Stack

Technical requirements now address cybersecurity controls, data protection measures, and operational resilience benchmarks — with mandatory compliance timelines. Security-by-design is no longer aspirational. SAMA can walk into an operator’s infrastructure environment and test their Recovery Time Objective (RTO) against published benchmarks. Operators that built systems without this in mind face expensive retrofits.

Annual Self-Assessment as a Compliance Technology Loop

SIPS are required to conduct annual self-assessments against PFMI principles — or whenever a material change occurs. This mandate is RegTech’s biggest opportunity in the Kingdom. Automated compliance dashboards, real-time risk scoring engines, AI-assisted audit trails calibrated to SAMA’s parameters — this is the product layer the framework is implicitly commissioning.

Critical Infrastructure Providers Now in Scope

Cloud providers, telecom networks, and IT messaging infrastructure that touch the payment stack in KSA are now formally part of the regulatory story. Expectations include formal risk identification and management frameworks, information security policies, and high levels of operational uptime. AWS, Huawei, Oracle — whether they wanted it or not, they are now compliance participants.

Figure 3: SAMA Payment Ecosystem Architecture — Entities Under the 2026 Oversight Framework

What It Means for Consumers

The everyday user in Riyadh, Jeddah, or Al Khobar will not read the framework. But they will feel its effects — and mostly for the better.

What It Means for Businesses

For Banks and Large Payment Operators

SIPS designation triggers annual PFMI self-assessments — a significant internal compliance exercise requiring dedicated GRC tooling, specialised payment compliance roles, and board-level attestation. The upside: the framework reduces regulatory ambiguity. Operators can now benchmark their own posture against SAMA’s published expectations before formal assessments begin.

For FinTechs

The explicit inclusion of third-party providers is a double-edged sword. It raises the cost of compliance but simultaneously raises the barrier to entry — creating a structural moat for those who invest in compliant infrastructure from day one. FinTechs that treat compliance as a product feature, not an afterthought, will accelerate faster in this environment.

For Multinationals

International standards alignment reduces compliance friction for multinationals entering the Kingdom. The PFMI baseline means global payment networks can assess KSA’s regulatory environment against a known framework — rather than navigating a bespoke local regime. For global operators eyeing Saudi Arabia, this is a green light wrapped in a compliance checklist.

Compliance Investment Priorities

• GRC Platform Deployment — automated self-assessment tools aligned to PFMI principles

• Cybersecurity Architecture Review — gap analysis against SAMA’s operational resilience benchmarks

• Incident Response Playbooks — tested, documented, and reportable within SAMA’s specified timeframes

• Third-Party Risk Management — formal vendor risk registers covering cloud, messaging, and telecom providers

• Payment Compliance Talent — dedicated roles with PFMI/SAMA regulatory expertise, not compliance generalists

The GCC Ripple Effect

Saudi Arabia does not write regulation in isolation. What SAMA codifies in Riyadh, regulators in Abu Dhabi, Manama, and Doha study carefully. The Kingdom’s updated framework positions it as the de facto standard-setter for GCC payment governance — ahead of the UAE’s CBUAE Open Finance Regulation, Bahrain’s progressive fintech sandbox, and the nascent digital payment frameworks in Kuwait, Qatar, and Oman.

The Bigger Story

This framework is not a compliance document. It is a sovereign infrastructure declaration. Saudi Arabia is stating, with legal force: our payment rails are now built to global standards, governed by international principles, audited with institutional rigour — and open for business on our terms.

The cashless transformation that began from a 90%+ cash economy a decade ago has now reached its regulatory maturity point. SAMA has progressively built and operated a payment ecosystem guaranteeing an ‘always-on’ infrastructure while preserving consumer trust — and this framework is the capstone of that architecture.

The Kingdom is not just building fintech. It is building the governance architecture for a digital economy at scale — and the March 2026 Oversight Framework is the blueprint made law.