  • Stage 2: Operational Readiness

    Once the initial application has been screened and assessed for its suitability for the Regulatory Sandbox, there are two potential outcomes.

    • Outcome 1

      Your application is deemed suitable for the Regulatory Sandbox and you will be given a Regulatory Sandbox initial approval letter to proceed to Stage 2 of the evaluation, which is your readiness for operations.

      The letter will allow you to update/form your company at the Ministry of Commerce as a FinTech and will confirm to other stakeholders that SAMA has approved your Sandbox Concept and you are in the operational readiness stage.

      This letter does not permit you to commence operations.

      As part of the operational readiness stage, the Regulatory Sandbox team will assess your compliance with a number of specific requirements, which are detailed in the Regulatory Sandbox Operational Readiness Assessment Criteria (known as AC). The AC is reviewed and updated periodically, so please ensure you are using the latest version at the time of your completion of Stage 1 and not one which you have sourced from anywhere other than SAMA’s Regulatory Sandbox team or the SAMA website.
      The AC requirements are a list of minimum compliance requirements that FinTechs must meet prior to being permitted to go live with operations and onboarding their clients/customers. The Regulatory Sandbox has a Risk Management Unit consisting of technical resources to assess the FinTech’s compliance with the AC requirements, and they will monitor and report completion through the Operational Readiness stage.

      The AC requirements consist of assessment and compliance requirements across:

      i.  Fit and Proper forms and approvals for management
      ii.  Shareholders’ approval
      iii.  Financial Model detailing 3 years projections for income statement, cash flow and balance sheet
      iv.  Strategy & Solution Architecture
      v.  Technology & Cyber Risk Management
      vi.  Governance & Operational Risk Matrix
      vii.  Vulnerability Assessment & Penetration Testing
      viii.  Cybersecurity, Policy, Standards and Processes
      ix.  Scalability Plans
      x.  Data Sovereignty
      xi.  Cyber Response and BCM Plans
      xii. Security monitoring & Incident Management
      xiii. Cybersecurity Regulatory Compliance
      xiv.  Corporate & Manpower Compliance
      xv.  Other SAMA Rules Compliance
      xvi.  Data Privacy Compliance
      xvii.  Functional and Non-Functional Testing
      xviii.  Change & Release Management
      xix. Performance Metrics
      xx. IT/Helpdesk Support

      Once the AC requirements have been met, the Regulatory Sandbox will issue a No Objection Letter for the FinTech to commence operations, which is Regulatory Sandbox Stage 3.

    • Outcome 2

      Your application is deemed unsuitable for the Regulatory Sandbox. Some examples of why your application would not be suitable could be one or a combination of the following:

      • Regulations have been issued for your business model/concept and you should apply directly for a License, not for Regulatory Sandbox permissions.
      • Your business model/concept does not fall under the regulatory perimeter of SAMA, but may fall under a different regulatory authority.
      • Your business model/concept does not require regulatory oversight.

      The reasons will be communicated to you at the time you are notified.