
CMA vs DFSA — Securities Regulator Comparison for Tokenized Assets

Comparative analysis of Saudi CMA and Dubai DFSA regulatory approaches to tokenized securities — licensing requirements, investor protection, disclosure standards, and sandbox frameworks.


CMA vs DFSA: Regulatory Approach to Tokenized Securities

The CMA (Saudi Capital Market Authority) and the DFSA (Dubai Financial Services Authority) represent the two most significant securities regulators in the GCC for tokenized asset oversight. The CMA oversees 261 fintech companies with cumulative investment of SAR 7.9 billion ($2.1 billion) and a Tadawul market included in the MSCI, S&P Dow Jones, and FTSE Russell global indices. The CMA abolished the QFI concept entirely in February 2026, opening direct access for all foreign investors to Saudi Arabia’s $72.84 billion real estate market. The two regulators' differing approaches (the CMA’s methodical sandbox-to-permanent-framework pathway versus the DFSA’s early-mover permanent licensing regime) create distinct environments for tokenization platform development and investor protection.

Licensing Architecture

CMA approach: Sandbox-first model where applicants test innovations under temporary authorization with limited customer numbers and transaction volumes. Successful sandbox participants receive a pathway to permanent licensing. This approach prioritizes safety but creates timeline uncertainty — sandbox participants may operate for 12-24 months before knowing if permanent licensing will be granted.

DFSA approach: Dual-track model where established financial institutions can apply directly for an Innovation Testing Licence (sandbox equivalent) or for full DFSA authorization for technology-enabled services including tokenization. The DFSA’s Investment Token regime (introduced 2021) provides a permanent regulatory category for tokenized securities.

Assessment: DFSA’s permanent framework provides greater certainty for platform operators and investors. CMA’s sandbox approach is more cautious but builds regulatory competence through supervised experimentation. For institutional investors, CMA authorization (when granted permanently) will carry greater weight given CMA’s larger market and longer institutional history.

Investor Protection Standards

Protection | CMA | DFSA
Minimum capital requirements | Higher (SAR 2-50M by category) | Lower ($10K-$500K by category)
Segregation of assets | Mandatory | Mandatory
Disclosure requirements | Comprehensive prospectus | Prospectus or exemption
Shariah board | Mandatory | Not required
Compensation fund | No (proposed) | Yes (DFSA Financial Markets Tribunal)
Cooling-off period | 10 business days | 14 calendar days

Cross-Border Recognition

Neither regulator currently provides automatic recognition of the other’s licensing decisions. A CMA-licensed platform cannot offer services in DIFC without separate DFSA authorization, and vice versa. However, a bilateral MOU between CMA and DFSA enables regulatory information sharing and coordinated supervision — a potential precursor to mutual recognition that would enable cross-border tokenized asset trading.

For investors building GCC-wide tokenized RE portfolios spanning Saudi and Dubai properties, this regulatory fragmentation creates operational complexity. Platforms serving both markets must maintain dual licensing, duplicate compliance infrastructure, and navigate different disclosure requirements. The portfolio construction framework addresses this complexity with allocation models that account for dual-jurisdiction regulatory costs.

The absence of mutual recognition means that a token representing a Riyadh property, issued under CMA authorization, cannot be traded on a DFSA-regulated secondary market without the issuer obtaining separate DFSA recognition. This limits secondary market liquidity to single-jurisdiction pools until bilateral or multilateral recognition frameworks are established.

Disclosure and Transparency Standards

Disclosure requirements reveal fundamentally different regulatory philosophies. CMA mandates comprehensive prospectus-level disclosure for all securities offerings, including tokenized instruments. This mirrors CMA’s approach to traditional Tadawul IPOs and REIT listings, where disclosure documents routinely exceed 200 pages covering financial projections, risk factors, property valuations, Shariah compliance opinions, and management backgrounds.

DFSA provides more flexible disclosure pathways. Offerings to “qualified investors” (professionals and institutional investors with AED 500,000+ in liquid assets) may use abbreviated prospectuses or prospectus exemptions. This flexibility accelerates time-to-market but reduces transparency for retail investors.

Disclosure Requirement | CMA | DFSA
Prospectus for retail offerings | Mandatory, comprehensive | Mandatory, standard format
Qualified investor exemption | Limited (CMA discretion) | Yes (AED 500K+ threshold)
Ongoing reporting frequency | Quarterly financial, annual audited | Semi-annual, annual audited
Valuation methodology disclosure | Mandatory, RICS-based | Mandatory, RICS or equivalent
Shariah compliance opinion | Mandatory, published | Not required (optional)
Related-party transaction disclosure | Full disclosure, CMA review | Disclosure required
Platform fee transparency | All fees in prospectus | All fees in prospectus
NAV calculation methodology | CMA-prescribed formula | DFSA guidelines

For institutional investors, CMA’s stricter disclosure regime produces higher-quality offering documents that reduce due diligence costs. The tradeoff is longer time-to-market: CMA prospectus review typically takes 3-6 months versus 1-3 months for DFSA. The due diligence checklist details the documentation review process for both jurisdictions.

AML/CFT and Sanctions Compliance

Both CMA and DFSA maintain AML/CFT frameworks aligned with FATF recommendations, and both Saudi Arabia and the UAE received “Largely Compliant” ratings in their most recent FATF Mutual Evaluation Reports. However, implementation details differ significantly for tokenization platforms.

CMA requirements for tokenization platforms include: customer due diligence (CDD) through NAFATH digital identity verification, enhanced due diligence (EDD) for non-Saudi investors, suspicious transaction reporting (STR) to the Saudi Financial Intelligence Unit (SAFIU), sanctions screening against UN, OFAC, and Saudi-specific sanctions lists, and ongoing monitoring of all token transfers for unusual patterns.

DFSA requirements include: CDD through UAE Pass or equivalent verification, risk-based approach allowing simplified due diligence for low-risk customers, STR to the UAE Financial Intelligence Unit (goAML platform), sanctions screening against UN, OFAC, EU, and UAE-specific lists, and travel rule compliance for virtual asset transfers.

The practical difference: CMA’s mandatory enhanced due diligence for non-Saudi investors creates a higher onboarding friction for international investors but also produces a more thoroughly vetted investor base. DFSA’s risk-based approach allows faster onboarding for low-risk international investors, supporting Dubai’s positioning as an open, globally accessible market. See Saudi AML/CFT compliance for detailed requirements.

Custody and Settlement

Custody requirements represent another area of regulatory divergence. CMA requires that all tokenized securities be held through authorized custodians — typically Saudi banks or licensed custody providers with segregated omnibus accounts. Self-custody (where investors manage their own private keys) is not permitted for CMA-regulated tokens.

DFSA similarly requires authorized custody but has shown greater flexibility regarding custody technology, permitting both traditional omnibus custody and qualified custodians using multi-signature wallet technology. DFSA has also acknowledged hardware security module (HSM) based custody solutions, while CMA has not yet provided specific technology guidance.

Custody Requirement | CMA | DFSA
Authorized custodian required | Yes | Yes
Self-custody permitted | No | No
Multi-sig wallet custody | Guidance pending | Permitted with DFSA approval
Segregation of client assets | Mandatory (per client) | Mandatory (per client or omnibus)
Insurance requirements | Mandatory (professional indemnity) | Mandatory (professional indemnity)
Smart contract audit | Expected (not yet mandated) | Required for custody contracts

For tokenization platforms, CMA’s custody requirements increase operational costs but align with institutional investor expectations. The blockchain and token standards glossary explains the technical custody mechanisms relevant to both frameworks.

Enforcement Track Records

CMA’s enforcement record is substantially longer and more active than DFSA’s, reflecting CMA’s larger market jurisdiction and longer institutional history. CMA has imposed penalties exceeding SAR 500 million since 2015 for securities violations, including insider trading, market manipulation, and unauthorized offering of securities. DFSA’s enforcement actions are fewer in number but include notable cases against firms operating without proper authorization.

For tokenized real estate, enforcement credibility matters because it determines whether regulatory protections are meaningful in practice. Investors should prefer jurisdictions where the regulator has demonstrated willingness and capacity to pursue violations. On this dimension, CMA’s extensive enforcement history provides stronger investor confidence.

Practical Implications for Tokenization Platforms

Platforms targeting the Saudi market specifically should prioritize CMA licensing, accepting the sandbox timeline in exchange for access to the $72.84 billion Saudi RE market (growing at 7.17 percent CAGR to $102.96 billion by 2031). The CMA entity profile details the sandbox application process and timeline expectations. Platforms targeting the broader GCC should consider DFSA licensing first (a faster path to becoming operational), with a CMA sandbox application in parallel. The GCC platform comparison evaluates platforms that have navigated these licensing decisions.

The competitive dynamic is accelerating both regulators: DFSA has expanded its tokenization framework in response to Abu Dhabi ADGM’s aggressive licensing, and CMA is accelerating its sandbox-to-permanent pathway in response to DFSA’s head start. This regulatory competition benefits the industry by reducing unnecessary barriers while maintaining investor protection standards.

Convergence Outlook

Over the medium term (2027-2030), CMA and DFSA frameworks are expected to converge on core principles while maintaining jurisdictional differences in implementation. The GCC Financial Markets Committee, which includes representatives from all six GCC securities regulators, has been working toward harmonized standards for digital asset regulation. Key convergence areas include: token classification taxonomy, cross-border offering recognition, unified disclosure standards for tokenized securities, and interoperable settlement infrastructure.

For investors, convergence means that the current regulatory fragmentation — which makes Saudi vs Dubai a binary choice — will gradually give way to a more integrated GCC tokenized asset market. Platforms that establish presence in both jurisdictions early will be best positioned to benefit from this convergence.

Investor Protection Depth Comparison

The practical impact of regulatory differences is most visible in investor protection mechanisms — the safeguards that determine whether token holders can recover capital when things go wrong:

Cooling-off periods: CMA mandates 10 business days for retail real estate securities; DFSA mandates 15 days for collective investment fund units. For tokenized RE, the CMA’s cooling-off period applies to initial token purchases (not secondary market trades), giving Saudi retail investors a window to review offering documents and rescind their purchase without penalty.

NAV reporting frequency: CMA requires quarterly NAV reporting for fund-structured tokens; DFSA requires semi-annual for some fund categories. More frequent reporting improves price transparency for secondary market trading. CMA’s quarterly requirement, combined with Ejar real-time rental data, enables Saudi platforms to provide monthly or even weekly NAV estimates — a data advantage that supports more accurate token pricing.

Segregation of client assets: Both regulators require segregation of investor assets from platform operating funds. CMA’s implementation through SAMA-regulated bank accounts provides a banking-system-level protection layer. DFSA’s requirement operates through DIFC-licensed custodians, which may include non-bank entities with different capital adequacy standards.

Compensation schemes: DFSA participates in the DIFC Client Compensation Scheme providing up to $100,000 per investor if a DIFC-licensed firm fails. CMA does not currently operate an equivalent compensation scheme for tokenized offerings, though the Wafi escrow framework provides property-level protection for off-plan tokens that achieves a similar protective function.

The net assessment: CMA provides stronger property-level protections (Wafi escrow, Ejar data verification, REGA developer licensing) while DFSA provides stronger platform-level protections (compensation scheme, longer cooling-off, established judicial track record). Sophisticated investors evaluating portfolio construction across both jurisdictions should weight these protection differences based on their primary risk concern — property risk (favoring CMA) or platform risk (favoring DFSA).

Data Protection and Privacy Regulatory Divergence

Data protection requirements create an additional layer of regulatory distinction between CMA and DFSA that affects tokenized platform operations. Saudi Arabia’s Personal Data Protection Law (PDPL), effective September 2023, imposes data localization requirements for certain categories of personal data — meaning that some investor data processed by CMA-licensed tokenization platforms must be stored on servers physically located in Saudi Arabia. DFSA operates under the DIFC Data Protection Law (modeled on GDPR), which permits cross-border data transfers subject to adequacy assessments but does not mandate data localization.

For tokenized RE platforms operating across both jurisdictions, this divergence creates infrastructure requirements: platforms must maintain separate data processing environments for Saudi and DIFC investor data, with Saudi data hosted domestically per PDPL requirements. Cloud infrastructure providers (AWS, Azure, Google Cloud) have established Saudi data center regions that satisfy PDPL localization, but the additional infrastructure cost — estimated at SAR 500,000-1,000,000 annually — adds to the dual-jurisdiction compliance burden.

The PDPL’s consent requirements also affect how CMA-licensed platforms collect and use investor data for portfolio analytics, marketing, and risk profiling. Explicit consent must be obtained for each processing purpose, with investors retaining the right to withdraw consent and request data deletion. DFSA’s DIFC framework, while similarly protective, operates under established GDPR-equivalent interpretive guidance that provides greater operational clarity for compliance teams.

Shariah Supervision Model Differences

The CMA’s mandatory Shariah compliance requirement versus DFSA’s optional approach creates structural differences in how tokenized offerings are designed and supervised:

CMA model: Every tokenized real estate offering must be reviewed and approved by a qualified Shariah board before launch. The Shariah board must include at least three members with recognized Islamic finance qualifications (AAOIFI certification or equivalent). Ongoing Shariah supervision — including quarterly compliance reviews and annual Shariah audit — is mandatory. The cost of Shariah board engagement and compliance monitoring typically adds 0.3-0.5 percent to the annual operating cost of a tokenized offering, but this cost is offset by automatic eligibility for distribution to the $4.5 trillion global Islamic finance investor base.

DFSA model: Shariah compliance is optional and product-specific. DFSA-licensed platforms may offer both conventional and Islamic tokenized products, with Shariah-compliant products requiring independent Shariah board approval but conventional products exempt from Islamic finance requirements. This flexibility enables faster product launch for conventional offerings but fragments the investor base between Shariah-compliant and conventional token series.

For institutional investors constructing cross-border GCC portfolios, the Shariah model difference means that CMA-authorized tokens can be held in any Islamic mandate without additional verification, while DFSA-authorized tokens require per-product Shariah compliance confirmation — an operational distinction that affects custody, reporting, and allocation processes.


Updated March 19, 2026
