For a crypto asset to be classified as a security by the KSA Capital Markets Authority (CMA), it must fall within the definition of a security as per Article two of the Capital Markets Law. This is defined as (a) convertible and tradeable shares of companies; (b) tradeable debt instruments issued by companies; (c) investment units issued by investment funds; or (d) any instruments representing profit participation rights or rights in the distribution of assets.

The CMA reserves Article 2(e) as a catch-all provision for other types of security instruments as determined by the board on a discretionary basis.

In the context of crypto assets, an initial coin offering or a tokenised security offering can fall within the traditional definition of a security by conferring ownership in return for investment returns such as profits or dividends.

However, most crypto assets would hardly satisfy the traditional definition of a security albeit resemble certain aspects of it. Examples include:

• a utility token that provides access to a digital platform is not strictly a security but could be classified as such if bought or held for capital appreciation by investors.
• a revenue-sharing token issued by an e-commerce marketplace may not resemble a traditional share but mirror a profit-participating arrangement for investors.

With the current securities law framework adopted by the CMA, most security-related crypto models would fall within the Article 2(e) catch-all provision, leaving authorisation in the hands of the CMA with no regulatory certainty on whether licensing will be granted.

While the CMA has shown a willingness to authorise security token-based FinTech business models by creating a controlled FinTech Lab sandbox regime and issuing FinTech ExPermits, to date less than 50 companies have been issued a permit since the sandbox’s launch back in 2022. This suggests that the CMA has either not been responsive to the sheer innovation taking place across the Kingdom or that FinTechs are severely discouraged from applying for a permit given the limitations of the current framework.

As we move into 2026, it is imperative that the CMA looks to adopt a standalone regulation that recognises the unique characteristics and nuances of digitally native crypto securities.

Traditional concepts cannot always be stretched to fit the requirements of emerging technology. At some point, regulation must evolve to remain relevant and effective in the world of crypto assets.

#CMA #Technology #Regulation #Cryptoassets #KSA