Outcome 1
Your application is deemed suitable for the Regulatory Sandbox and you will be given a Regulatory Sandbox initial approval letter to proceed to Stage 2 of the evaluation, which is your readiness for operations.
The letter will allow you to update/form your company at the Ministry of Commerce as a FinTech and will confirm to other stakeholders that SAMA has approved your Sandbox Concept and you are in the operational readiness stage.
This letter does not permit you to commence operations.
As part of the operational readiness stage, the Regulatory Sandbox team will assess your compliance with a number of specific requirements, which are detailed in the Regulatory Sandbox Operational Readiness Assessment Criteria (known as AC). The AC is reviewed and updated periodically, so please ensure you are using the latest version at the time of your completion of Stage 1 and not one which you have sourced from anywhere other than SAMA’s Regulatory Sandbox team or the SAMA website.
The AC requirements are a list of minimum compliance requirements that FinTechs must meet prior to being permitted to go live with operations and onboarding their clients/customers. The Regulatory Sandbox has a Risk Management Unit consisting of technical resources to assess the FinTech’s compliance with the AC requirements, and they will monitor and report completion through the Operational Readiness stage.
The AC requirements consist of assessment and compliance requirements across:
i. Fit and Proper forms and approvals for management
ii. Shareholders’ approval
iii. Financial Model detailing 3 years projections for income statement, cash flow and balance sheet
iv. Strategy & Solution Architecture
v. Technology & Cyber Risk Management
vi. Governance & Operational Risk Matrix
vii. Vulnerability Assessment & Penetration Testing
viii. Cybersecurity, Policy, Standards and Processes
ix. Scalability Plans
x. Data Sovereignty
xi. Cyber Response and BCM Plans
xii. Security monitoring & Incident Management
xiii. Cybersecurity Regulatory Compliance
xiv. Corporate & Manpower Compliance
xv. Other SAMA Rules Compliance
xvi. Data Privacy Compliance
xvii. Functional and Non-Functional Testing
xviii. Change & Release Management
xix. Performance Metrics
xx. IT/Helpdesk Support
Once the AC requirements have been met, the Regulatory Sandbox will issue a No Objection Letter for the FinTech to commence operations, which is Regulatory Sandbox Stage 3.