
22 May 2026 in Business use cases

New KYC Rules for Foreign Investors in Saudi Arabia: How to Stay Compliant

Evgeny Kvilinkov

Compliance Product Manager

In brief: When a domestic investment market opens to non-resident investors, KYC moves closer to revenue, risk, and market confidence. Teams need a way to verify foreign documents, bind a real person to each document, connect identity evidence with AML review, and keep a record that stands up to audit.

 

From February 1, 2026, the Capital Market Authority opened direct Main Market participation to all categories of foreign investors, eliminated the Qualified Foreign Investor (QFI) concept for the Main Market, and abolished the swap-agreement framework that non-residents previously used for synthetic economic exposure. 

Foreign investors now hold legal title and exercise full shareholder rights, including voting rights, while existing swap arrangements must be unwound or restructured. More applicants can apply from outside the Kingdom, and every passport, face match, beneficial-owner file, sanctions result, PEP result, and review note has to support one defensible onboarding decision.


What changed in KYC in Saudi Arabia?

The amended Rules for Foreign Investment in Securities allow foreign natural and legal persons, whether resident or non-resident, to invest in listed securities, debt instruments, and investment fund units, subject to Saudi capital market rules and other applicable law.

For KYC teams, the practical changes are:

  • A wider applicant pool: non-resident individuals, foreign legal persons, fund structures, and authorized signatories can move through account-opening channels.

  • QFI concept eliminated for Main Market access: the old qualification filter has been removed from the path before foreign investors reach the onboarding queue.

  • Swap-agreement framework abolished: non-resident investors can hold securities directly, with legal title and shareholder rights, instead of relying on synthetic exposure.

  • Ongoing ownership controls: the amended rules retain a 10% cap on the shareholding of a non-residing foreign investor, excluding a foreign strategic investor, in any listed issuer. They also retain a 49% aggregate foreign ownership limit per listed issuer, excluding foreign strategic investors.

  • Resident foreign investor nuance: foreign investors resident in the Kingdom are outside the 10% individual cap, but they count toward the 49% aggregate cap.

  • Foreign strategic investor lock-up: foreign strategic investors remain excluded from both caps and are subject to a two-year lock-up under Article 6(c).

  • Issuer and market rules: issuer constitutional restrictions, sectoral caps, and the 5% shareholding notification obligation under Tadawul rules continue to apply.

The reform widens access, but it also widens the range of documents, applicant types, ownership files, and remote onboarding cases that KYC teams need to process.

What has to be checked before account opening?

Capital market institutions still have AML/CFT and account-opening duties. The amended foreign investment rules state that capital market institutions must comply with Saudi AML law and its implementing regulations. The Investment Accounts Instructions require client acceptance checks before account opening, verification through reliable and independent sources where documents, data, or information must be verified, and risk-based CDD when technology is used for investment account opening.

For natural-person applicants, the Investment Accounts Instructions list six identity document categories:

  • a Saudi national must provide a valid national identification card;

  • a GCC citizen must provide a valid passport or national identification card;

  • a foreign resident in the Kingdom must provide a valid Iqama or resident ID;

  • a holder of the Five-Year Premium Residency Card must provide that card;

  • a foreign person resident in a GCC member state must provide valid resident identity information together with valid passport information;

  • a foreign person outside Saudi Arabia and the GCC must provide valid passport information.

Saudi AML/CFT obligations also come from the Anti-Money Laundering Law and its implementing regulations, the Law on Combating Terrorism Crimes and Its Financing and its implementing regulations, together with the CMA Investment Accounts Instructions and the Capital Market Institutions Regulations.

Taken together, these instruments require client and beneficial-owner verification, customer profile and source-of-funds review where appropriate, higher-risk handling for politically exposed persons, controls for non-face-to-face relationships, and ongoing monitoring against the institution’s knowledge of the client, risk profile, and source of funds.

Where can a strong local KYC flow fail with foreign applicants?

A local workflow can be strong for domestic investors yet perform poorly when applicant diversity rises. The failure usually comes from four gaps.

| Local onboarding | Onboarding of foreign investors | Risks |
| --- | --- | --- |
| The document set is familiar | Passports, IDs, residence permits, and corporate papers may come from many issuing authorities | Manual review backlogs and uneven decisions |
| Data fields follow known patterns | Names, date formats, scripts, transliteration, and address formats vary | Data mismatch, duplicate profiles, false rejects |
| Fraud typologies are local | Stolen IDs, fake passports, mule applicants, and synthetic identities may come from outside the usual risk area | Bad approvals and heavier investigation load |
| Compliance review is linear | Identity, beneficial ownership, sanctions, PEP, source-of-funds data, and expected activity must support the same decision | Weak audit trail and fragmented risk judgment |

KYC for foreign investors requires a different operating model from a domestic investor flow. The institution has to identify the applicant, validate the document, confirm that the applicant is the document holder, assess the relationship, check ownership and authority for legal persons, and preserve evidence for audit and later review.

Many digital onboarding failure points already come from poor capture quality, manual entry, unclear routing, and weak fraud controls; cross-border intake makes each defect more expensive.

Where does fraud pressure rise first?

Broader foreign investor access attracts legitimate capital and increases the number of document types, jurisdictions, languages, and remote sessions that fraud teams must process.

The main pressure points are:

  • Forged or altered documents: passports, residence permits, corporate documents, or powers of attorney that look plausible in a low-resolution upload.

  • Stolen identity data: genuine document data paired with someone other than the rightful holder.

  • Synthetic identities: partial or fabricated identity profiles built to pass weak checks.

  • Mule accounts: applicants who pass onboarding while acting for another party.

  • AI-generated evidence: deepfake photos, videos, or altered ID images used to bypass remote checks.

  • Injected media: camera-feed manipulation during selfie or video checks, a risk covered in Regula’s guide to video injection attacks.

This risk is already visible in financial crime reporting outside the Saudi context. In November 2024, FinCEN warned financial institutions about criminals opening fraudulent accounts with GenAI-created identity documents and synthetic identity evidence, including during re-reviews of account-opening files. FinCEN also listed identity-document inconsistencies, profile mismatches, suspicious IP patterns, and live verification checks as relevant indicators or mitigants.

In February 2025, FATF amended the Interpretive Note to Recommendation 10 to clarify that non-face-to-face business relationships and transactions are a potentially higher-risk case only where appropriate risk-mitigation measures have not been set up. FATF also recognized that non-face-to-face interactions have become standard business practice and that digital identity systems, when properly governed, can reduce associated risk.


What should KYC teams test before application volume grows?

A useful readiness test starts with expected foreign investor profiles: can the current process reach a defensible decision without improvised manual work?

1. Can we test document authenticity after reading its data?

A parser can produce a tidy name and passport number while leaving authenticity untested. That creates a clean-looking record from a bad document.

KYC teams should test whether the process can:

  • recognize the document type and issuing country;

  • read visual zones, MRZs, barcodes, and chips where present;

  • detect expired, altered, copied, or screen-presented documents;

  • compare data from different document zones;

  • flag missing or abnormal security features.

Document authenticity checks and document liveness checks deserve separate review because a remote upload gives no proof that a physical ID was present at capture. A screenshot, printed copy, recorded image, or document shown on another screen can pass weak upload checks while failing a stronger physical-presence test.

2. Can we prove the applicant is the rightful holder?

For remote onboarding, the document and the person must be tied together. A valid passport leaves a second question open: is the remote applicant the rightful holder?

The workflow should support:

  • selfie capture or video-based identity proofing;

  • face matching between selfie, document portrait, and chip portrait where available;

  • active or passive liveness checks, based on risk level;

  • presentation attack detection for printed photos, screens, masks, recorded videos, deepfakes, and injected streams;

  • step-up review when identity evidence conflicts.

In this setting, facial liveness detection is the fraud control that stops a remote applicant from passing with a spoofed biometric, with active or passive checks selected by risk level.

3. Can we handle legal persons and authority checks?

Foreign companies, funds, and private-wealth structures add work that individual passport checks miss. The onboarding file may include registry data, articles, signatory authority, powers of attorney, ownership charts, and beneficial-owner identity documents. The Investment Accounts Instructions also permit accounts for foreign legal persons for securities allowed under Saudi law and require review of the relationship between the client and agents, trustees, or authorized signatories.

KYC teams need a process that answers four questions:

  • Is the entity genuine, in good standing, and properly documented?

  • Who owns, controls, or benefits from it?

  • Is the person applying allowed to act for it?

  • Have all authorized persons operating or trading the account been subject to identity verification?

Each answer needs evidence, reviewer ownership, and a decision record.

4. Can we connect identity evidence to AML risk?

Identity verification works best when its results feed AML review. If the passport, selfie, extracted data, declared residence, IP location, beneficial ownership, source-of-funds data, sanctions result, PEP result, and expected trading activity contradict one another, the file should route to review.

This is where identity signal integrity becomes useful as an operating concept. It means that all identity-related evidence in the onboarding file is consistent, traceable, and strong enough for the risk level of the investor relationship. The goal is targeted evidence, with stronger checks reserved for higher-risk cases; the result should be a file where document proof, biometric proof, AML screening, risk evaluation, and review routing support the same decision. In banking and fintech, identity orchestration usually joins these checks into one decision flow.

5. Can we prove why a decision was made?

Cross-border onboarding brings more questions from compliance, audit, and regulators. Teams should be able to show:

  • which document was submitted;

  • what data was extracted;

  • which authenticity and biometric checks were run;

  • what failed, passed, or required manual review;

  • which reviewer changed the decision, and why;

  • whether later activity matched the expected profile.

A customer file with missing verification history leaves the institution exposed during review. A defensible file shows the evidence, the check results, the reviewer action, and the reason for the final decision.

What should an IDV setup cover for foreign investor onboarding?

For onboarding international investors, identity verification in Saudi Arabia needs a fit-for-purpose cross-border IDV setup that covers seven areas:

  1. Document coverage: passports, national IDs, residence permits, visas, and driver’s licenses from many issuing authorities.

  2. Document authenticity: checks for copies, screen-presented images, photo substitution, abnormal geometry, missing security features, and inconsistent data zones.

  3. Document data quality: reliable extraction from VIZ, MRZ, barcodes, and electronic chips, including cross-checks between fields and zones. For passports and many IDs, MRZ verification remains a high-value control because check digits, layout, and data comparison can reveal tampering.

  4. Biometric holder proof: face matching and liveness checks, with step-up review for higher-risk cases.

  5. Evidence consistency: comparison between document data, biometric result, declared data, IP or device context, sanctions/PEP screening, source-of-funds data, and expected activity.

  6. Workflow rules by investor type: separate paths for individuals, PEPs, non-residents, legal persons, beneficial owners, and authorized signatories.

  7. Audit-ready case records: preserved evidence, timestamps, check results, reviewer actions, and final decision logic.
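
The MRZ control named in item 3, and the zone comparison from readiness test 1, can be shown on a passport (TD3) MRZ. This is an added example, not Regula's code: the function names are hypothetical, the MRZ is the ICAO 9303 specimen, and the visual-zone (VIZ) values passed to `viz_mismatches` are constructed.

```python
# Added example: ICAO 9303 TD3 (passport) MRZ check digits and a VIZ cross-check.
WEIGHTS = (7, 3, 1)

def char_value(c):
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - 55          # A=10 ... Z=35
    if c == "<":
        return 0                    # filler counts as zero
    raise ValueError(f"illegal MRZ character {c!r}")

def check_digit(data):
    return str(sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(data)) % 10)

def parse_td3(line1, line2):
    """Return (fields, failed_checks) for a two-line, 44-character passport MRZ."""
    if len(line1) != 44 or len(line2) != 44 or line1[0] != "P":
        raise ValueError("not a TD3 MRZ")
    surname, _, given = line1[5:].partition("<<")
    fields = {
        "issuer": line1[2:5],
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
        "number": line2[0:9].rstrip("<"),
        "birth": line2[13:19],      # YYMMDD
        "expiry": line2[21:27],     # YYMMDD
    }
    checks = {                      # name: (covered data, stated check digit)
        "number": (line2[0:9], line2[9]),
        "birth": (line2[13:19], line2[19]),
        "expiry": (line2[21:27], line2[27]),
        "optional": (line2[28:42], line2[42].replace("<", "0")),
        "composite": (line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    failed = [n for n, (data, stated) in checks.items() if check_digit(data) != stated]
    return fields, failed

def viz_mismatches(mrz_fields, viz_fields):
    """Fields where OCR of the visual zone disagrees with the MRZ."""
    norm = lambda s: "".join(s.upper().split())
    return sorted(k for k, v in viz_fields.items() if norm(v) != norm(mrz_fields.get(k, "")))

# ICAO 9303 specimen MRZ (fictional state "UTO"); the tampered line is constructed.
LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
TAMPERED = LINE2[:13] + "750812" + LINE2[19:]   # birth date edited, digits not recomputed
```

A clean result shows only that the MRZ is internally consistent and agrees with the visual zone. Check digits can be recomputed by whoever alters the data, so this result is one input alongside the security-feature, chip, and liveness checks listed above.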

What KYC teams should do next

Cross-border investor onboarding should work as identity evidence infrastructure: a way to collect, test, compare, route, and preserve identity evidence from the first document scan to later account review. Institutions that build this discipline can approve legitimate foreign investors with less friction, reject bad applications with stronger proof, and show regulators why each decision was made.

Regula IDV Platform fits this problem when a financial institution needs one operating environment for diverse workflows and scenarios, e.g. document checks, biometric proof, risk-based routing, and review evidence. For Saudi foreign investor onboarding, the most relevant strengths are:

  • Global identity document coverage: support for passports, IDs, residence permits, visas, driver’s licenses, and other document types, backed by 16,000 document templates from 254 countries and territories and support for 138+ languages and scripts.

  • Document reading and validation: extraction from VIZ, MRZ, barcodes, and RFID chips where available, with data comparison between zones to reduce manual-entry errors and detect inconsistencies.

  • Document authenticity and liveness checks: document type detection, security-feature checks, image-quality control, and flags for copies, screens, replacements, abnormal geometry, or other signs of tampering.

  • NFC-based document verification: NFC/RFID reading and server-side validation for zero-trust-to-mobile cases, adding stronger proof for electronic passports and other NFC-enabled documents.

  • Biometric holder proof: 1:1 face matching between the applicant and the document or chip portrait, with active and passive liveness checks to detect printed photos, recorded videos, deepfakes, injections, and masks.

  • AML and risk screening: checks for sanctions, PEP status, and adverse media exposure, with risk-based flows for applicants who require EDD or additional review.

  • Anti-fraud and context checks: duplicate-application detection, blacklist management, device intelligence, behavioral risk settings, geo/IP checks, and device history to help spot suspicious repeat patterns.

  • Case management and compliance evidence: configurable verification flows, requests for supplementary documents or information, reviewer decisions, timestamps, retained evidence, and deployment options for regulated institutions with strict security requirements.
