SAMA (Saudi Central Bank) AML/CTF Requirements for Cloud Architecture
Data Sovereignty, 10-Year Record Retention, and Technology Risk Under Saudi Regulation
Primary source: SAMA AML/CTF Guide (November 2019)
Jurisdiction: Kingdom of Saudi Arabia
OVERVIEW: The Intersection of Data Sovereignty and Financial Crime
For financial institutions and fintechs operating in the Kingdom of Saudi Arabia, regulatory compliance is no longer a siloed exercise. Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) obligations increasingly impose direct constraints on technology architecture, data location, and system governance.
This resource explains how specific, binding clauses in the SAMA AML/CTF Guide translate into concrete requirements for cloud strategy, data retention, and technology risk management — without relying on vendor claims or secondary interpretations.
All regulatory references below are derived directly from official SAMA documentation. Interpretations are clearly labeled as such.
1. Ongoing Monitoring Requires “Appropriate Systems” — Not Just Policies
The regulatory requirement
The SAMA AML/CTF Guide requires financial institutions to establish and maintain systems capable of monitoring customer transactions and activities to detect suspicious behavior, as part of their preventive AML/CTF framework under Monitoring of Transactions and Activities.
This is a systems obligation, not merely a policy obligation.
What “appropriate systems” means (interpretation)
While the Guide does not prescribe specific technologies, it requires that monitoring systems be:
effective at scale
continuously operating
auditable and traceable
aligned with the institution’s ML/TF risk profile
In practice, if the integrity, availability, or security of these systems is compromised, the institution’s monitoring results — alerts, investigations, and reports — become legally unreliable.
Cloud governance implication (interpretation)
When AML monitoring systems are deployed in cloud environments, the security posture of the cloud itself becomes part of AML compliance.
This creates a necessary alignment between:
AML monitoring obligations (SAMA)
cloud cybersecurity controls (e.g., national cloud security frameworks such as NCA Cloud Cybersecurity Controls)
If the underlying environment cannot demonstrate controlled access, integrity, and availability, the monitoring system fails the “appropriate systems” standard — regardless of software functionality.
2. The 10-Year Record-Keeping Requirement Is an Architectural Constraint
The regulatory requirement
The SAMA AML/CTF Guide explicitly requires financial institutions to:
keep records for a period of no less than ten years from the date of the end of the business relationship or transaction, and make such records available to competent authorities upon request
— Section 6.1: Record Keeping
This applies to:
transaction records
customer due diligence documentation
investigation and reporting records
Why this is more than “storage” (interpretation)
A ten-year requirement creates obligations around:
long-term data integrity
controlled access and auditability
retrievability for supervisory review
continuity across system changes and migrations
Data that exists but cannot be reliably retrieved, verified, or produced for regulators does not meet the requirement.
Sovereign data implication (interpretation)
Because these records must remain:
accessible to Saudi competent authorities
governed under Saudi jurisdiction
protected from external legal conflicts
institutions must design jurisdiction-aware retention architectures. This is where data residency, cloud region selection, and long-term governance become regulatory — not technical — concerns.
3. Risk Assessment Is Mandatory Before Using New Technologies
The regulatory requirement (verbatim)
The SAMA AML/CTF Guide states:
“The financial institution shall assess risks before launching new products, services or business practices and before using new technologies or technologies under development, and it shall take appropriate measures to manage and reduce the identified risks.”
— Section 1.7: ML/TF Risk Assessment, SAMA AML/CTF Guide
This clause is explicit, mandatory, and applies to all supervised financial institutions.
Why this clause matters
Section 1.7 makes clear that:
technology adoption is not neutral
system changes trigger formal ML/TF risk assessment
risks must be assessed before implementation
The Guide explicitly includes:
“new technologies or technologies under development”
Cloud migration implication (interpretation)
Migrating AML, KYC, monitoring, or record-keeping systems to cloud platforms constitutes use of new technology.
Under Section 1.7, institutions are therefore required to:
conduct a documented ML/TF risk assessment prior to migration
identify risks related to access, data exposure, continuity, and jurisdiction
implement and document mitigating controls
This is where Cloud Governance, Risk, and Compliance (Cloud GRC) becomes legally relevant — as evidence of compliance, not as a best practice.
Regulatory Convergence: Why Architecture and Compliance Are Now Linked
Taken together, these requirements converge:
| Regulatory Obligation | Architectural Consequence |
|---|---|
| Ongoing monitoring | Requires scalable, reliable monitoring systems capable of continuous operation |
| 10-year record retention | Requires durable, auditable data architecture with long-term integrity and retrievability |
| Pre-technology risk assessment | Requires governed system design, documented controls, and evidence for supervisory review |
This convergence means AML compliance cannot be separated from infrastructure decisions.
Conclusion: Cloud Strategy Is a Regulatory Decision in Saudi Arabia
This analysis does not claim that:
cloud is mandatory
specific providers are endorsed
AI systems are legally required
It demonstrates that:
AML/CTF obligations impose architectural constraints
technology decisions are subject to regulatory scrutiny
governance and documentation are as critical as functionality
In the Saudi regulatory environment, cloud strategy is part of the institution’s financial-crime risk posture.
Download (Reference Document)
This article is accompanied by a practical reference document designed for compliance and audit use.
Auditor Checklist: Cloud Alignment with SAMA AML/CTF Requirements
A concise, clause-referenced checklist covering:
monitoring system integrity
10-year record retention & availability
Section 1.7 technology risk assessment evidence
Disclaimer
This guide is provided for informational purposes as a reference to official NCA publications. The Arabic version of ECC is the legally binding text for all matters relating to meaning or interpretation. Organizations should consult the official NCA documentation and seek professional guidance for compliance implementation.
Global Compliance Code provides vendor-neutral, source-based regulatory reference materials. All content is derived from official regulatory publications.