Financial Technology Experimental Permit Instructions

Financial Technology Experimental Permit Instructions Issued by the Board of the Capital Market Authority Pursuant to its Resolution Number 1-4-2018 Dated 23/4/1439H Corresponding to 10/1/2018G Based on the Capital Market Law Issued by Royal Decree No M/30 dated 2/6/1424H Updated Pursuant to the Board of the Capital Market Authority Resolution Number 2-9-2021 Dated 25/12/1442H Corresponding to 4/8/2021G

2 CONTENT PART A OVERVIEW 1 Introduction 3 2 Objectives & Principles 4 3 Target Applicants 4 PART B FINTECH REQUIREMENTS 4 Permit Requirements 6 5 Permit Application Process 8 6 Additional Regulatory Requirement 8 7 Fulfilling the Commencement of Business Requirements 9 8 Business Commencement 10 9 Supervisory Requirements 12 10 FinTech ExPermit Validity Period 12 11 Appendix Cancellation of Approval Appendix (A): Application Process 13 14 www.cma.org.sa

3 PART A OVERVIEW

1. Introduction A. The purpose of these Instructions is to provide a regulatory framework that is conducive for the innovation of financial technology ("FinTech") in the capital market within the Kingdom of Saudi Arabia (The Kingdom). B. For the purpose of implementing these Instructions, the following expressions and terms shall have the meaning they bear as follows unless the contrary intention appears: FinTech products: innovative FinTech products, services and business models related to the securities activities. FinTech ExPermit: a permit to enable applicants to participate in the FinTech Lab to deploy and experiment their innovative FinTech products related to capital market within specified parameters and timeframes. Applicant: Any natural or legal person who submits an application to the Authority to obtain a Fintech Expermit. Fintech company/companies: Wherever they are mentioned in these instructions, they mean the company/companies that have obtained a permit to experiment with FinTech within the jurisdiction of the Capital Market Authority. Client(s): A person for whose account a permitted FinTech company within the FinTech Lab is executing securities activities. C. The Capital Market Authority ("Authority") has the right to waive or modify the requirements set out in these Instructions at its discretion where appropriate. D. The Authority receives applications for obtaining a permit to experiment with financial technology throughout the year. The assessment of applications will be conducted through batches announced via CMA's website, provided that all documents and data

4 necessary are complete prior to commencement of the application's assessment. E. The Authority will consider, during each batch, the number of applicants and FinTech business models that can be effectively supported in the FinTech Lab at any time to ensure adequate guidance is provided to applicants and to identify additional relevant regulatory requirements. 2. Objectives & Principles A. This section outlines the objectives and principles of these Instructions, and provides the eligibility and suitability of the FinTech product prior to the application for the FinTech ExPermit. B. The applicant should clearly understand the objectives and principles of the Instructions. It must be emphasized that the FinTech ExPermit cannot be used to avoid local laws and regulations. C. These instructions shall be read in conjunction with and in addition to the Capital Market Law and Regulations. D. In considering an application to participate in the FinTech ExPermit, the Authority will take into account, among others, the following:

1. the potential benefits of the proposed FinTech product;
2. the potential risks and mitigating measures associated with the proposed FinTech product; and
3. the integrity, capability and track record of the FinTech applicant. E. The FinTech ExPermit is not intended to create a risk-free FinTech environment. The FinTech ExPermit aims to promote FinTech innovation in a controlled environment which the consequences of failure can be contained.
4. Target Applicants A. Any person who intends to test a FinTech product related to securities activities can apply to the FinTech ExPermit, even if they are not a Market Institution Authorized by the Authority.

5 B. A Market Institution does not need to apply for FinTech ExPermit to test its FinTech product which complies with all relevant regulatory requirements to a wider market, if it has authorization for the activity it wishes to carry on. Alternatively, if it does not have the relevant authorization for the activity, it will need to apply to the Authority to amend its License to obtain that authorization in accordance to the Capital Market Institutions Regulation. C. The FinTech ExPermit is not intended to be a platform for a person to launch an established FinTech product which complies with all relevant regulatory requirements to a wider market. A person, who intends to deploy its complying Fintech products will need to apply to the Authority to obtain a License for the activity it wishes to carry on in accordance to the Capital Market Institutions Regulations. D. If a Market Institution / person considers that the FinTech ExPermit is the only appropriate regulatory framework to the testing of its Fintech product, they can apply for FinTech ExPermit and the Authority may accept or reject its application.

6 PART B FITECH REQUIREMENTS 4. Permit Requirements A. An applicant must comply with the following:

1. the applicant has adequate and appropriate resources, including financial resources, to develop the FinTech product;
2. the applicant is fit and proper to experiment the FinTech product;
3. the applicant is acting with integrity and with due skill, care and diligence, including but not limited to the following; a. communicating information to their clients in a way which is clear, fair and not misleading; b. paying due regard to clients’ interests, by treating them fairly; c. the ability to ensure confidentiality of client information;
4. the applicant will disclose to the Authority any material event or change in its business model;
5. the applicant has conducted their due diligence, including knowing the relevant rules and regulatory requirements for deploying the proposed FinTech product; and
6. is able to satisfy all additional regulatory requirements that the Authority may impose. B. The application should also contain the necessary supporting information to explain and depict on the following requirements:
7. the applicant has relevant technical and business knowledge and experience to develop and experiment the FinTech product;
8. is able to clearly define the FinTech product's targeted clients.
9. is able to clearly define the key milestones and intended outcomes;

7 4. is able to clearly define the significant risks arising from the FinTech product, how it should be assessed and mitigated, and details of the necessary safeguards; and 5. is able to set out a fair and proper exit strategy for clients should the FinTech product be discontinued for any reasons, including but not limited to the following: a. to cease the offering of the FinTech product to their new and existing clients; b. provide notification to their clients informing them of the decision and related reasons; c. dispose all confidential information including clients' personal information collected during the FinTech experiment period; and d. submit a report to the Authority on the actions taken under this paragraph. C. The applicant must ensure that the proposed FinTech product meets the following criteria before submitting an application for a FinTech ExPermit:

1. it must involve a security activity (i.e. it is within the scope of the activities that the Authority regulates);
2. it promotes FinTech innovation, in terms of the business model and the application of technology;
3. it has the potential to: a. promote significant growth, efficiency or competition in the capital market; b. promote better compliance and monitoring and risk management solutions for the capital market; or c. improve the choices and welfare of clients.
4. it is at a sufficiently advanced stage of development to mount a FinTech experiment. D. The Authority may at any time modify or impose additional criteria, that it reasonably considers to be necessary to address a regulatory concern.

8 5. Permit Application Process A. If an applicant is fit to participate in the FinTech ExPermit regulatory framework (as defined in Section 3 above) and satisfies the permit requirements (set out in Section 4 above), he/she is entitled to submit a permit application B. The application for a FinTech ExPermit is submitted through the channels available on the FinTech Lab web page on the CMA website. C. Once the applicant has submitted their application form, the Authority will review the application and inform the applicant of its eligibility to qualify for the FinTech ExPermit. D. The Authority will work with the applicant to determine the additional regulatory requirements (set out in Section 6 below) to be applied to the applicant and its FinTech product during the experiment period. The applicant will then assess their ability to meet these requirements. E. If the applicant is able and willing to meet the additional regulatory requirements (set out in Section 6 below) as prescribed by the Authority for the experiment period, the applicant will be granted a FinTech ExPermit. F. Once the Authority grants the FinTech ExPermit, the applicant will be able to experiment its product within the additional regulatory requirements (set out in Section 6 below). G. Details of the application process are set out in Appendix A. 6. Additional Regulatory Requirements A. To grant the FinTech ExPermit, the Authority may impose additional regulatory requirements including limitations and/or conditions on the applicant and their FinTech product. These regulatory requirements may be elicited from existing CMA's regulations as applicable.

9 B. These may include, but are not limited to, any of the following:

1. the number and type of clients with or for whom the applicant carries on, or intends to carry on within the FinTech ExPermit;
2. the type and size of client transactions that the applicant is permitted to enter into;
3. Evaluate the suitability of clients and their expressed consent prior to carrying on the regulated activity;
4. the applicant's ability to protect client’s assets;
5. the requirements surrounding the applicant’s handling and protection of client information;
6. the manner and type of financial promotion that the applicant may undertake and the associated disclosures that the applicant is required to make to clients;
7. the key information required to be contained in a client's agreement;
8. the FinTech applicant's capital requirements (if any); and
9. the FinTech applicant’s financial and other reporting requirements. C. The Authority may, at any time through the life‐cycle of the FinTech ExPermit, by notice in writing to the applicant, cancel or change any additional regulatory requirements imposed on the applicant or impose such further additional regulatory requirements.
10. Fulfilling the Commencement of Business Requirements A. If the authority decides to grant the applicant the ExPermit, it will inform him/her of its decision in writing with the conditions and restrictions it deems appropriate to start commencing the business. The applicant must fulfill the Commencement of Business Requirements within the period specified by the Authority from the date of approval of the ExPermit. -For example but not limited to :-
11. Establishing a commercial entity in the Kingdom, and submitting all final incorporation documents to the Authority, including the articles of incorporation, articles of association and commercial registry.

10 2. Presenting the approved policies and procedures to manage conflict of interest between its clients, or between it and its clients. 3. Fulfillment of all obligations under the Anti-Money Laundering Law and its Executive Regulations, the Counter Terrorism and Financing Law and its Executive Regulations, and the relevant rules and regulations in force in the Kingdom. 4. Fulfilling information security requirements and technology tests in accordance with the process determined by the Authority. 5. Providing the Authority with the key final agreements with any external parties related to the company's main activity, as determined by the Authority. 6. Providing the Authority with the policies and procedures that regulate the governance of external contracts. B. An applicant who has obtained the Authorities approval for the Fintech Experiment may submit to the Authority an application for an extension of the period for fulfilling the commencement of business requirements, stating justifications and submitting relevant documents and information. And the Authority has the right to:

1. accept the request and extend the period, or
2. Reject the request and revoke the approval of the ExPermit. C. The applicant who has obtained the FinTech ExPermit must submit what demonstrates the readiness progress to start commencing the business periodically within the period specified for fulfilling the requirements.
3. Business Commencement A. The FinTech company must notify the Authority and obtain its approval before Commencing its Business. B. Suspension of the Business:
4. The Authority may completely suspend the activity of the FinTech company, in order for it to correct the fundamental errors, provided that the total periods of suspension do not

11 exceed a maximum of three months and are calculated from the total period of the ExPermit. 2. The Authority may suspend the activity of the FinTech company if it deems that it must be subject to evaluation. 3. After the FinTech company begins the business commencement, it may not stop working during the ExPermit period without notifying the Authority in advance and in writing of the date on which it intends to temporarily stop, and providing justifications for the reasons for stopping, the plan to return to work and the procedures for notifying customers, and in case the suspension period exceeds three months, the authority will suspend the ExPermit and direct the FinTech company to apply for the ExPermit at later periods. C. This section applies to all FinTech businesses practiced by a FinTech company that is within the jurisdiction of the Authority, inside or outside the Kingdom, with a client in the Kingdom or for his account. D. The FinTech company must clearly demonstrate that it has obtained a FinTech ExPermit from the Authority in all its correspondence, advertisements and notices issued to the public that are used by its employees and agents. E. Incentives and Sharing of Losses:

1. It is prohibited for a FinTech company, who is commencing its business, to do the following: a. Encourage any customer to conclude any transaction by offering or giving gifts or incentives. b. Accept gifts or incentives if doing so would lead to a material conflict with any duty bound for the client.
2. The Authority considers any gift or incentive given or received by a FinTech company affiliate or a third party under the direction of the FinTech company as an incentive given or received by the FinTech company.
3. The FinTech company may not participate or offer to participate in any losses suffered by a client. F. Owners of FinTech companies are prohibited from fully or partially exiting the company during the validity period of the ExPermit,

12 provided that the entry of new partners will be by increasing the FinTech company’s capital, after obtaining the approval from the Authority. G. Responsibility of the FinTech Company: The FinTech company may not exempt or limit itself from liability, whether under the terms of the provision of services or otherwise - if the exemption or limitation of liability conflicts with the obligations of the FinTech company under the Capital Market Law, or the FinTech Experimental Permit Instructions, or The Additional Regulatory Requirements imposed by the Authority. 9. Supervisory Requirements: A. The FinTech company is obligated to submit periodic reports to the Authority that includes periodic and statistical information, performance indicators determined by the Authority and data specified within the Additional Regulatory Requirements that are issued at the time of the ExPermit, provided that they include all customer complaints and the approach for dealing with and addressing these complaints, as determined by the Authority. 10. FinTech ExPermit Validity Period A. The FinTech ExPermit validity period (Experiment Period) shall not exceed two years from the date of commencing the business. B. To extend the experiment period, a written application must be submitted by the FinTech Company to the Authority no later than three months before its expiry, or at such time as is otherwise agreed by the Authority. The application should state the additional time required and clearly explain reasons for requiring the extension. C. The Experiment period may only be extended in exceptional circumstances and the Authority shall reserve the right to reject any application for an extension. D. Upon the Expiration of the FinTech ExPermit, the applicant can choose to either:

13

1. execute the exit strategy; or
2. proceed to deploy the FinTech product on a wider scale, if the FinTech company proves its ability to do so, provided that the financial technology company is able and willing to fully comply with CMA Laws and Regulations. E. The Authority may also prohibit deployment of the FinTech product in the market upon the completion of the testing due to the following reasons:
3. in the event of an unsuccessful testing based on agreed test measures; or
4. the FinTech product has unintended negative consequences to the market. In such cases, the FinTech Company must immediately execute its exit strategy.
5. Cancellation of Approval A. The Authority may cancel an approval to participate in the FinTech ExPermit at any time before the end of the experiment period if the FinTech Company:
6. has failed to achieve its intended purpose, based on the latest experimenting scenarios, expected outcomes and schedule;
7. is unable to fully comply with the relevant legal and regulatory requirements at the end of the experimenting period;
8. a flaw has been discovered in the FinTech product where the risks posed outweigh the benefits of the product, and the FinTech Company acknowledges that the flaw cannot be resolved within the duration of the experiment;
9. breaching any condition imposed for the duration of the FinTech ExPermit; or
10. breaching any of the CMA's Implementing Regulations or any applicable law in the Kingdom or abroad which may affect the FinTech Company’s integrity and reputation. B. Upon cancellation of the approval, the FinTech Company must immediately execute its exit strategy.

14 Appendix (A) Application Process

15