Due Diligence Framework
Evaluating a tokenized Saudi real estate offering requires due diligence across six domains: property fundamentals, platform and operator, regulatory compliance, smart contract and technology, financial projections, and legal structure. This checklist provides the 47 verification points that institutional investors should confirm before committing capital.
Domain 1: Property Fundamentals (12 Points)
- Title verification: Confirm property registration in the Mulkiya system via Ministry of Justice title search. For SPV-owned properties, verify SPV’s registered ownership.
- Wafi license: For off-plan properties, confirm valid Wafi project license from REGA. Verify license number in REGA’s public registry.
- Physical inspection: Independent property condition assessment by a licensed surveyor for completed properties.
- Valuation: Independent valuation by a CMA-approved appraiser, using the price index methodology appropriate for the property type and location.
- Rental income verification: Cross-reference reported rental income with Ejar platform registered contracts.
- Vacancy history: Historical vacancy data from Ejar for the specific property and comparable properties in the district.
- Tenant quality: Assessment of tenant credit quality, lease duration, and renewal probability.
- Location analysis: District-level demand drivers, supply pipeline, infrastructure development, and comparable property performance.
- Environmental and structural: Building code compliance, structural integrity certification, and environmental assessment (especially for coastal and mega-project properties).
- Insurance coverage: Verification of property insurance covering fire, natural disaster, and third-party liability.
- Capital expenditure: Assessment of deferred maintenance, required upgrades, and capital expenditure reserves.
- Zoning and permitted use: Confirmation that current and projected property use is consistent with municipal zoning regulations.
Domain 2: Platform and Operator (8 Points)
- CMA authorization: Verify current CMA license or sandbox approval for relevant activities (dealing, arranging, managing, custody).
- SAMA licensing: Verify payment service licensing for fund flows (EMI, PSP as applicable).
- Operator track record: Management team experience in both real estate and blockchain/tokenization.
- Financial statements: Audited financial statements of the platform operator, confirming adequate capitalization.
- Client asset segregation: Confirmation that investor funds and tokens are segregated from platform operating assets.
- Business continuity: Disaster recovery and business continuity plans, including provisions for platform failure.
- Insurance: Professional indemnity insurance and cybersecurity insurance.
- Conflict of interest: Disclosure of related-party transactions between platform operator, property developers, and service providers.
Domain 3: Regulatory Compliance (8 Points)
- Securities classification: CMA confirmation that the token is properly classified and regulated.
- KYC/AML compliance: Verification that the platform’s AML/CFT procedures meet SAMA and CMA requirements.
- Shariah compliance: Shariah board approval documentation from qualified scholars.
- Foreign ownership: Confirmation that the offering structure permits foreign investor participation under MISA rules.
- Prospectus filing: CMA-filed offering document meeting disclosure requirements.
- Tax structuring: ZATCA tax treatment confirmation for the SPV and investor-level obligations.
- Sanctions compliance: Confirmation that the platform screens all participants against applicable sanctions lists.
- Data protection: Compliance with Saudi Personal Data Protection Law for investor data handling.
Domain 4: Smart Contract and Technology (7 Points)
- Smart contract audit: Independent audit by a recognized firm (OpenZeppelin, Trail of Bits, CertiK, or equivalent).
- Token standard: Confirmation of token standard used (ERC-3643 for regulated securities recommended).
- Access controls: Review of admin key management, multi-sig requirements, and upgrade mechanisms.
- Distribution logic: Verification that the rental distribution smart contract correctly calculates and distributes proportional income.
- Transfer restrictions: Confirmation that token transfers enforce KYC, travel rule, and suitability requirements.
- Blockchain selection: Assessment of the blockchain platform’s security, performance, and regulatory acceptance.
- Custody solution: Verification of key management and custody arrangements for the underlying tokens.
Domain 5: Financial Projections (7 Points)
- Yield assumptions: Validation of rental income projections against Ejar data and market comparables.
- Expense assumptions: Verification of management fee, maintenance, insurance, and vacancy assumptions.
- Capital appreciation: Assessment of price growth assumptions against Saudi RE price index trends.
- Sensitivity analysis: Stress-test projections under adverse scenarios (20% rent decline, 30% vacancy, 15% price correction).
- Exit assumptions: Evaluation of projected exit timeline, mechanism, and pricing.
- Fee impact: Total expense ratio calculation including all platform, management, and transaction fees.
- Benchmark comparison: Return projections benchmarked against Saudi REITs and global tokenized RE.
Domain 6: Legal Structure (5 Points)
- SPV structure: Review of SPV incorporation, governance, and investor rights documentation.
- Token holder rights: Confirmation of voting rights, information rights, and distribution priority.
- Dispute resolution: Identification of applicable dispute resolution mechanism (CMA committee, Saudi courts, arbitration).
- Wind-up provisions: Procedures for orderly liquidation if the platform ceases operations.
- Governing law: Confirmation that Saudi law governs the offering and applicable dispute resolution.
Red Flag Indicators
Beyond the 47 verification points above, investors should watch for specific red flags that indicate elevated risk in a tokenized offering:
Property red flags:
- Valuation significantly above recent comparable transactions in the Saudi RE transaction volume database
- Rental projections exceeding district averages without documented justification (verify against Ejar data)
- Developer classified below First Tier by REGA without compelling justification for the premium pricing
- Property located in areas with high supply pipeline that could suppress future rental growth
- Off-plan properties without valid Wafi license number verifiable in REGA’s public registry
Platform red flags:
- CMA sandbox authorization expired or approaching expiry without renewal confirmation
- Management team without documented real estate industry experience
- No independent smart contract audit report available for review
- Client asset segregation documentation incomplete or relying on platform self-attestation
- Fee structure that is unclear, variable, or includes hidden charges not disclosed in offering documents
Regulatory red flags:
- Offering structure that does not clearly address CMA securities classification
- Shariah compliance opinion from scholars not recognized by the Saudi Shariah governance framework
- Foreign ownership provisions that do not address MISA and CMA requirements clearly
- AML/CFT procedures that do not reference NAFATH digital identity verification for Saudi investors
Financial red flags:
- Projected yields more than 200 basis points above market averages for comparable properties (see yield analysis)
- Sensitivity analysis absent or showing only favorable scenarios
- Exit timeline unrealistic given current secondary market development
- Total expense ratio exceeding 5 percent annually without clear value justification
Due Diligence Timeline and Resources
A thorough due diligence review of a single tokenized Saudi RE offering requires 40-80 hours of analyst time across the six domains. Institutional investors should budget the following resources:
| Due Diligence Domain | Estimated Hours | External Resources Required |
|---|---|---|
| Property fundamentals | 12-20 hours | REGA-accredited appraiser, property surveyor |
| Platform and operator | 8-12 hours | Technology auditor (for platform infrastructure review) |
| Regulatory compliance | 6-10 hours | Saudi-licensed legal counsel |
| Smart contract and technology | 8-15 hours | Blockchain security auditor |
| Financial projections | 4-8 hours | Financial modeling team, market data sources |
| Legal structure | 6-10 hours | Saudi corporate lawyer, Shariah advisor |
| Total | 44-75 hours | 4-6 external specialists |
For institutional investors evaluating multiple offerings, developing a standardized due diligence template reduces per-offering review time by approximately 40 percent after the first assessment. The template should incorporate the 47-checkpoint scoring methodology with weighted risk ratings for each domain.
Scoring Methodology
Each of the 47 checkpoints should be scored on a three-point scale:
- Pass (3): Fully satisfactory — documentation complete, verification successful, no concerns identified
- Conditional Pass (2): Substantially satisfactory with minor gaps that can be remediated — additional documentation requested, minor clarification needed
- Fail (1): Unsatisfactory — documentation missing, verification failed, or significant concerns identified
Scoring thresholds:
- Minimum aggregate score for investment: 120/141 (85 percent pass rate)
- No single domain below 75 percent: Ensures no critical domain is neglected
- Any Domain 3 (Regulatory) checkpoint scoring Fail: Automatically disqualifies the offering until remediated
This scoring methodology creates an auditable, repeatable evaluation process that institutional investment committees can use for approval decisions. The risk framework provides complementary quantitative risk scoring for positions that pass the due diligence assessment.
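The three thresholds interact: an offering can clear the aggregate minimum and still be rejected by the domain floor or by a single regulatory Fail. The following is an added example, not code from this page's author, that applies the thresholds to constructed score sheets. The function names are hypothetical, and it assumes the 75 percent floor is measured as a domain's score over that domain's maximum.

```python
# Added example: constants come from the checklist and thresholds on this page.
DOMAINS = {  # domain number -> (name, number of checkpoints); sums to 47
    1: ("Property fundamentals", 12),
    2: ("Platform and operator", 8),
    3: ("Regulatory compliance", 8),
    4: ("Smart contract and technology", 7),
    5: ("Financial projections", 7),
    6: ("Legal structure", 5),
}
PASS, CONDITIONAL, FAIL = 3, 2, 1
MIN_AGGREGATE = 120      # out of 47 * 3 = 141
REGULATORY = 3           # any Fail in this domain disqualifies


def evaluate(scores):
    """scores: {domain number: [per-checkpoint score, ...]} -> decision dict."""
    reasons = []
    total = 0
    for dom, (name, count) in DOMAINS.items():
        vals = scores.get(dom, [])
        # An unscored or mis-scored checkpoint is an input error, never a Pass.
        if len(vals) != count or any(v not in (PASS, CONDITIONAL, FAIL) for v in vals):
            raise ValueError(f"domain {dom} needs {count} scores in 1..3")
        total += sum(vals)
        # Assumption: the 75% floor is domain score / domain maximum (3 * count).
        # Integer form of sum / (3 * count) < 0.75, avoiding float rounding.
        if 4 * sum(vals) < 9 * count:
            reasons.append(f"domain {dom} ({name}) below 75%")
    if total < MIN_AGGREGATE:
        reasons.append(f"aggregate {total}/141 below {MIN_AGGREGATE}")
    if FAIL in scores[REGULATORY]:
        reasons.append("regulatory checkpoint scored Fail")
    return {"total": total, "approved": not reasons, "reasons": reasons}


def all_pass():
    """Constructed baseline: every checkpoint scored Pass."""
    return {dom: [PASS] * count for dom, (_, count) in DOMAINS.items()}


if __name__ == "__main__":
    # Constructed sample: one regulatory Fail in an otherwise clean offering.
    sample = all_pass()
    sample[REGULATORY][1] = FAIL
    print(evaluate(sample))
```

Raising on an incomplete score sheet keeps a skipped checkpoint from silently counting toward approval, which matters if the result feeds an investment committee record.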
Post-Investment Monitoring
Due diligence is not a one-time activity. Ongoing monitoring should include:
- Monthly: Review property occupancy and rental income against projections using Ejar data; monitor platform operational status and any CMA notices.
- Quarterly: Independent property revaluation and NAV recalculation, platform financial statement review, regulatory compliance confirmation.
- Annually: Full re-underwriting of the investment thesis, assessment of exit strategy viability, review of smart contract audit validity (audits should be refreshed annually or after any contract upgrades).
- Event-driven: Immediate review triggered by CMA regulatory announcements affecting tokenized securities, material tenant departures or rent renegotiations, construction delays for off-plan tokens, platform operational incidents or management changes, or Saudi macro-economic developments (oil price shocks, currency pressure).
Due Diligence Adaptations for Mega-Project Tokens
Mega-project tokens — representing positions in NEOM, Qiddiya, Red Sea Global, Diriyah Gate, and The Line — require due diligence modifications beyond the standard 47-checkpoint framework. These projects have unique risk profiles driven by unprecedented scale, government backing, and development-stage exposure.
Construction progress verification: Standard Wafi milestone verification applies, but mega-projects require additional verification of: master plan phasing (which components will be delivered first and generate income), infrastructure interdependencies (whether the specific tokenized component depends on broader project infrastructure not yet built), and workforce sufficiency (whether labor resources are available for the projected construction timeline). NEOM’s projected requirement of 300,000+ peak construction workers creates a labor market constraint that should be independently assessed.
Demand modeling: Unlike established urban properties where Ejar data provides verified demand metrics, mega-project demand is projected rather than verified. Due diligence should evaluate: comparable project demand analysis (using international precedents such as Dubai's Palm Jumeirah, Maldives resort developments, and Singapore's Marina Bay for relevant comparisons), government commitment indicators (budget allocations, Royal Decree mandates, PIF capital deployment schedules), and population target feasibility (assessing whether NEOM’s 1 million resident target or Riyadh’s 15 million target is achievable within stated timelines).
PIF credit assessment: Government-backed mega-project tokens carry quasi-sovereign credit risk rather than private developer risk. Due diligence should verify: PIF’s current AUM and capital allocation commitments ($1 trillion AUM with multiple mega-project commitments), credit ratings (Moody’s A1, Fitch A), and any conditions under which PIF support could be reduced (fiscal stress scenarios where oil prices fall below $50/barrel for sustained periods, requiring government spending prioritization).
Regulatory framework assessment: Mega-projects operating under special regulatory frameworks — particularly NEOM’s autonomous legal structure — require verification that: CMA securities jurisdiction applies to tokens regardless of the project’s regulatory autonomy, property registration is compatible with REGA’s Mulkiya system (or an equivalent system recognized by Saudi courts), and dispute resolution mechanisms are clearly defined and enforceable.
International Best Practice Benchmarking
The due diligence framework should be calibrated against international standards established by recognized industry bodies. The International Organization of Securities Commissions (IOSCO) has published recommendations for crypto and digital asset markets that provide a benchmark for evaluating CMA-regulated tokenized offerings. IOSCO’s nine recommendations cover: conflicts of interest, operational and technology risks, cross-border risks, and custody — all addressed by this checklist’s six domains.
Similarly, the Royal Institution of Chartered Surveyors (RICS) International Property Measurement Standards should be referenced when verifying property valuations under Domain 1. RICS standards ensure that property measurements and valuations follow internationally recognized methodologies, providing consistency for international investors comparing Saudi tokenized RE offerings against global alternatives. The global tokenized RE benchmark analysis uses RICS-compatible valuations for cross-market comparison.
For Shariah compliance verification under Domain 3, the Accounting and Auditing Organization for Islamic Financial Institutions (AAOIFI) standards provide the authoritative framework. Specifically, AAOIFI Shariah Standard No. 17 (investment sukuk) and Standard No. 20 (commodities and futures markets) govern the permissibility of tokenized real estate structures. Due diligence should verify that the offering’s Shariah board opinion references specific AAOIFI standards and is issued by scholars recognized within the Saudi Shariah governance framework.
Updated March 19, 2026