SAMA Issues Revised Oversight Framework For Payment Systems

Introduction

On 19/09/1447H (corresponding to 8 March 2026), the Saudi Central Bank issued Circular No. 472047719, introducing a revised Oversight Framework for Payment Systems and Their Operators (the "Framework").

The Framework replaces in full the previous oversight framework issued in 2021 and is promulgated under the Payments and Payment Services Law (Royal Decree No. M/26 dated 22/03/1443H) and its implementing regulations.

While the Framework does not introduce a new regulatory concept, it formalises and intensifies existing supervisory expectations, particularly through structured assessment and disclosure mechanisms aligned with international standards.

Scope of application

The Framework applies to:

• payment systems operated within the Kingdom, whether domestic or cross-border;
• the national payment system operated directly or indirectly by SAMA; and
• payment systems subject to cooperative oversight with other regulatory authorities.

Both systemically important payment systems (SIPS) and non-systemically important systems (Non-SIPS) fall within scope.

Supervisory model

The Framework establishes two primary supervisory tools.

First, continuous monitoring, through which SAMA collects and analyses data relating to system performance, operational resilience, risk exposure and compliance.

Secondly, formal assessment, comprising both operator-led self-assessments and independent supervisory reviews conducted by SAMA.

This structure is not conceptually new. However, the Framework places greater emphasis on regularised assessment cycles and evidencing compliance, rather than reliance on periodic supervisory engagement.

Self-assessment and disclosure obligations

Operators of SIPS are required to conduct self-assessments against the Principles for Financial Market Infrastructures (PFMIs):

• at least annually;
• following any material change to the system; or
• upon request by SAMA.

Non-SIPS operators are required to conduct assessments periodically in accordance with their licensing conditions.

A notable development is the introduction of public disclosure requirements. Following receipt of a non-objection letter from SAMA, SIPS operators must publish a summary of their self-assessment results in accordance with the CPMI-IOSCO disclosure framework.

This introduces a degree of external transparency which was not a feature of the previous framework.

Applicable standards and compliance sources

The Framework makes clear that operator obligations are derived from a combination of sources, including:

• the Payments and Payment Services Law and its implementing regulations;
• SAMA rules, guidance and supervisory instructions;
• the PFMIs; and
• CPMI-IOSCO disclosure standards.

In addition, the Framework confirms that 18 of the 24 PFMI principles apply to payment systems operated by SAMA, reflecting established BIS guidance on central bank-operated financial market infrastructures.

Practical implications

The principal implication of the Framework lies in how compliance is demonstrated and supervised.

Operators should expect:

• more structured and frequent supervisory engagement;
• a requirement to maintain internal capability to conduct PFMI-aligned assessments; and
• increased scrutiny of governance, risk management and operational resilience frameworks.

For SIPS operators in particular, the introduction of disclosure obligations necessitates a more formalised internal review and approval process for assessment outputs.

Z&Co. view

The Framework does not signal a fundamental change in regulatory direction. Rather, it hardens and operationalises an existing supervisory approach, aligning it more closely with international financial market infrastructure standards.

Its significance lies in the shift from supervisory expectation to structured, repeatable and externally visible compliance processes.

Payment system operators should treat the Framework as an implementation exercise requiring:

• internal assessment capability;
• governance alignment with PFMI standards; and
• readiness for both supervisory review and public disclosure.

Early engagement and structured preparation will be key to managing regulatory expectations under the revised regime.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.