NCA ECC
June 3, 2026
9 min read

NCA Compliance for Fintech and BNPL in Saudi Arabia


Hisham Mir


A Saudi fintech does not answer to one regulator. It answers to three. SAMA licenses and supervises it, the NCA mandates its cybersecurity controls, and the Personal Data Protection Law governs how it handles customer data, each with its own requirements, its own assessments, and its own consequences for getting it wrong. No other sector in the Kingdom carries a compliance stack this dense, and few founders realise it until they are mid-launch.

For buy-now-pay-later companies, it is sharper still. Since SAMA issued its formal BNPL rules in December 2023, the providers already in the market and every new entrant behind them operate under a defined licensing regime that includes explicit information security obligations, on top of everything the NCA and PDPL already demand.

This guide maps the entire stack for Saudi fintech and BNPL companies: why it is so complex, what the SAMA BNPL rules require on cybersecurity, which NCA controls apply, what PDPL obliges you to do with customer data, the open banking security expectations, when you need a penetration test, and a 90-day roadmap to get a new fintech compliant before it goes live. For the framework overlaps in detail, pair this with our NCA and SAMA dual compliance guide.

  1. Why Fintech and BNPL Have the Most Complex Stack
  2. SAMA BNPL Rules — Cybersecurity Obligations
  3. NCA ECC Requirements That Apply to Fintech
  4. PDPL Obligations for Fintech Platforms
  5. Open Banking Security Requirements
  6. When a Fintech Needs a Penetration Test
  7. The 90-Day Compliance Roadmap
  8. SecurityWall's Fintech Compliance Support

Why Fintech and BNPL Have the Most Complex Stack

Most companies in Saudi Arabia deal with one cybersecurity regulator. A fintech deals with three overlapping regimes at once, because it sits at the intersection of financial services, national cybersecurity, and personal data.

Three Regulators, One Fintech: The Saudi Fintech Compliance Stack

Regulator | Governs | Framework
SAMA (Saudi Central Bank) | Financial conduct and cybersecurity | CSF, BNPL rules, open banking
NCA (National Cybersecurity Authority) | National cybersecurity controls | ECC (if CNI) or NCNICC (if not)
SDAIA (via the PDPL) | Personal data protection | PDPL

Three regulators, heavily overlapping controls. The efficient path is one programme built to all three, not three separate projects.

The saving grace is overlap: governance, access control, encryption, logging, and third-party management appear in all three regimes, so a well-designed control environment serves them together. The danger is treating them separately: most fintechs do one well and discover the other two late.

SAMA BNPL Rules — Cybersecurity Obligations

SAMA issued its Rules for Regulating Buy-Now-Pay-Later Companies in December 2023, bringing BNPL firmly under the Central Bank's supervision. A BNPL company must be a SAMA-licensed joint stock company, and the rules set out licensing requirements, internal policies and procedures, financial-crime controls, and — most relevant here — explicit information security standards.

In practice, being SAMA-licensed means a BNPL provider inherits SAMA's wider cybersecurity expectations: the Cyber Security Framework, its maturity model, and the requirement to demonstrate that controls operate rather than merely exist. A BNPL business handling consumer credit decisions and payment data at scale is exactly the kind of entity SAMA expects to evidence operational security maturity, not just written policy.

NCA ECC Requirements That Apply to Fintech

On top of SAMA, fintechs answer to the NCA. Which framework applies depends on scale and classification: an institution treated as Critical National Infrastructure falls under the Essential Cybersecurity Controls (ECC), while a smaller, non-CNI fintech falls under NCNICC-1:2025, the binding standard the NCA introduced for the private sector in January 2026.

Either way, the practical obligations are recognisable: governance with an independent security function, identity and access management with MFA, encryption, logging and monitoring, vulnerability management, penetration testing, and third-party oversight. The ECC also brings cybersecurity Saudization, the requirement that cybersecurity roles be filled by qualified Saudi nationals, which catches many foreign-founded fintechs by surprise.

PDPL Obligations for Fintech Platforms

The third regulator is the one fintechs most often underestimate, because it is not a cybersecurity authority at all. The Personal Data Protection Law is administered by SDAIA, the Saudi Data and AI Authority, and it became fully enforceable in September 2024 with enforcement and penalties stepping up through 2025.

For a fintech processing customer identity, financial, and transaction data, PDPL is central, not peripheral. It sets expectations around lawful basis and consent, data governance and minimisation, the rights of data subjects, cross-border transfer rules, breach handling, and vendor oversight. Crucially, PDPL is separate from your NCA and SAMA obligations: strong cybersecurity controls support PDPL but do not satisfy it, because PDPL is about how you handle personal data, not only how you secure it. A fintech needs a data-protection posture (data mapping, consent, and transfer controls) alongside its cybersecurity programme.

Open Banking Security Requirements

If your fintech participates in Saudi Arabia's open banking ecosystem, SAMA's open banking framework adds another security layer. Open banking is built on sharing account and payment data through APIs, which makes API security the centre of gravity: strong authentication, secure and consent-driven data sharing, protection of the APIs themselves, and tight control over who can access what.

For fintechs, this raises the bar on exactly the areas attackers probe first: authentication flows, authorisation logic, and API endpoints. It is also why API-focused penetration testing matters so much in this sector: the open banking attack surface is precisely where a generic, network-only test would miss the real risk.

When a Fintech Needs a Penetration Test

The simplest answer: effectively every SAMA-licensed fintech needs penetration testing, and needs it for more than one regulator at once.

SAMA expects regular, structured penetration testing within its Cyber Security Operations and Technology domain, as evidence that technical controls work and tied to its maturity expectations. The NCA requires penetration testing within the ECC's Cybersecurity Defence domain. And the open banking and API-heavy nature of fintech means the testing has to go beyond network scanning into application, API, and authorisation testing.

The efficient move is a single engagement scoped to satisfy both regulators and to cover the fintech-specific attack surface (web, API, cloud, and authentication), with reporting formatted for SAMA and NCA review alike. The detail is in our NCA penetration testing requirements and SAMA penetration testing guides.

One Test, Two Regulators

SecurityWall scopes a single penetration test to satisfy both SAMA and the NCA, covering the web, API, cloud, and authentication surface that open banking exposes. See penetration testing services →

The 90-Day Compliance Roadmap

For a new fintech heading toward launch, here is a realistic 90-day sequence to get the stack in order, built so each phase feeds the next rather than running three programmes in parallel.

From Zero to Launch-Ready: The 90-Day Fintech Compliance Roadmap

Phase | Focus | Key actions
Month 1 | Scope and assess | Confirm your NCA framework (ECC or NCNICC), check vendor NCA registration, run a combined SAMA, NCA, and PDPL gap assessment
Month 2 | Implement controls | Governance, access and MFA, encryption, logging and monitoring; begin PDPL data mapping and consent flows
Month 3 | Test and prove | Penetration testing for SAMA and NCA, finish PDPL data mapping, assemble evidence packs, complete self-assessments

Ninety days is achievable for a focused team with the right help. The common failure is leaving penetration testing and PDPL mapping to the end instead of planning for them from day one.

SecurityWall's Fintech Compliance Support

SecurityWall is an NCA-registered cybersecurity firm that helps Saudi fintech and BNPL companies handle the full stack (NCA, SAMA, and the security side of PDPL) as one coordinated programme rather than three. Our team holds OSCP, OSWE, CREST, CRT, CISM, and CISSP credentials and works to the current requirements of each regulator.

One Programme Across Three Regulators

  • A single gap assessment mapped to SAMA, the NCA, and PDPL, so controls are built once
  • A prioritised roadmap that sequences the work toward launch
  • Coordination across SAMA and NCA compliance in one engagement

Fintech-Specific Penetration Testing

  • Penetration testing across web, API, cloud, and authentication: the open banking attack surface
  • Scoped to satisfy both SAMA and the NCA from a single engagement
  • Reporting formatted for both supervisory and assessment review, with retesting included

BNPL and Open Banking Focus

  • Familiar with the security expectations behind SAMA's BNPL rules and open banking framework
  • API and authorisation testing where the real fintech risk concentrates
  • Support building the maturity SAMA expects, not just policies on paper

NCA-Registered and Financial-Sector Ready

  • A registered provider within the Kingdom's regulated cybersecurity ecosystem
  • Built for the pace of a fintech heading to launch
  • A single partner from gap assessment through testing and evidence
Fintech · NCA + SAMA + PDPL

Launch Compliant, Not Caught Out.

An NCA-registered team to take your fintech across all three regulators in one programme — gap assessment, control implementation, and the penetration testing SAMA and the NCA both require. Built for the launch timeline.

NCA-registered · OSCP, OSWE, CREST, CRT, CISM, and CISSP-certified team

Frequently Asked Questions

What compliance do fintech companies need in Saudi Arabia?

Saudi fintechs typically face three regimes at once: SAMA (the Cyber Security Framework plus sector rules such as the BNPL rules and open banking), the NCA (the ECC if they are critical infrastructure, or NCNICC-1:2025 if not), and the PDPL administered by SDAIA for personal data. The controls overlap heavily, so they are best handled as one programme.

Do BNPL companies in Saudi Arabia have cybersecurity obligations?

Yes. SAMA's Rules for Regulating Buy-Now-Pay-Later Companies, issued in December 2023, include information security standards, and being SAMA-licensed brings BNPL providers under SAMA's wider Cyber Security Framework and its maturity expectations alongside their NCA and PDPL obligations.

Does PDPL apply to fintech companies?

Yes. The Personal Data Protection Law, administered by SDAIA and fully enforceable since September 2024, applies to any fintech processing personal data. It governs consent, data governance, cross-border transfers, and breach handling, and it is separate from cybersecurity compliance, so strong security controls support but do not satisfy PDPL.

Do Saudi fintechs need a penetration test?

Effectively yes. SAMA expects regular penetration testing within its Operations and Technology domain, and the NCA requires it within the ECC's Cybersecurity Defence domain. Given the API and open banking attack surface, fintech testing should cover web, API, cloud, and authentication, and a single engagement can satisfy both regulators.

What are the open banking security requirements in Saudi Arabia?

SAMA's open banking framework centres on API security: strong authentication, consent-driven and secure data sharing, and protection of the APIs that move account and payment data. For fintechs, this raises the bar on authentication and authorisation testing in particular.

How long does it take a fintech to become compliant in Saudi Arabia?

A focused team with the right support can reach launch-ready compliance in around 90 days: scope and gap assessment in month one, control implementation in month two, and penetration testing plus PDPL data mapping in month three. The usual delay is leaving testing and data mapping to the end.

Tags

NCA ECC · NCA Saudi Arabia · SAMA · SAMA Framework · BNPL · Saudi Arabia · Saudi Compliance

About Hisham Mir

Hisham Mir is a cybersecurity professional with 10+ years of hands-on experience and Co-Founder & CTO of SecurityWall. He leads real-world penetration testing and vulnerability research, and is an experienced bug bounty hunter.
