The GCC fintech market — Saudi Arabia, UAE, Qatar, Kuwait, Bahrain, and Oman — is one of the fastest-growing in the world. But it's also one of the most heavily regulated. We've built fintech products for clients in this region, and the compliance requirements are genuinely different from what most Western-focused engineering teams expect. Here's what we've learned.
The Regulatory Landscape
Each GCC country has its own financial regulator, and they don't always align. The key bodies you'll encounter:
- Saudi Arabia: Saudi Central Bank (SAMA) and Capital Market Authority (CMA)
- UAE: Central Bank of the UAE (CBUAE) onshore, plus the two financial free zones with their own regulators: the ADGM Financial Services Regulatory Authority (FSRA) and the Dubai Financial Services Authority (DFSA) for the DIFC
- Qatar: Qatar Central Bank (QCB) and Qatar Financial Centre Regulatory Authority (QFCRA)
If you're building a product that operates across multiple GCC countries, you may need separate regulatory approvals in each jurisdiction. This is not a technical problem — it's a legal and business problem that needs to be solved before you write a line of code.
KYC/AML: The Non-Negotiable Foundation
Every fintech product in the GCC requires Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance. The technical implementation typically involves:
KYC Flow Architecture
  User Registration
    → National ID / Passport scan (OCR extraction)
    → Liveness check (anti-spoofing)
    → Face match (ID photo vs. selfie)
    → Sanctions screening (OFAC, UN, local lists)
    → PEP (Politically Exposed Person) check
    → Risk scoring → Approve / Manual Review / Reject
  Ongoing Monitoring
    → Transaction pattern analysis
    → Periodic re-verification (annually or on trigger)
    → Suspicious Activity Reports (SARs) to regulator
For the GCC specifically, you need to support the local identity documents in addition to passports: the Saudi National ID for citizens and the Iqama (residence permit) for expatriates, the UAE Emirates ID, and their equivalents in the other states. Most Western KYC vendors claim support for these, but verify it explicitly with real documents, including Arabic-only fields and the document's machine-readable zone or chip where one exists, because not all vendors handle them.
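The decision stage of the flow above is where most home-grown implementations go wrong: a vendor timeout gets treated as "no hit" and the applicant is auto-approved. The following is an added example, not code from the original post, showing a fail-closed decision function fed by a simple sanctions/PEP screen. The name normalisation (collapsing transliteration variants of Arabic names written in Latin script), the thresholds, the weights and the two sample lists are all constructed for illustration; a production screen uses the regulator-mandated lists and a vendor's fuzzy matcher on top of this kind of normalisation.

```javascript
// Added example: fail-closed KYC decisioning with a minimal sanctions/PEP screen.
// Lists, thresholds and applicants below are constructed sample data.

// Spelling families collapsed to one canonical token (illustrative, not exhaustive).
const SPELLING_FAMILIES = [
  [/^(mohammed|mohamed|mohamad|muhammed|mohammad|mohd)$/, "muhammad"],
  [/^(ahmad|ahmed)$/, "ahmad"],
  [/^(hussein|husain|hussain|husayn)$/, "husayn"],
];

// Normalise a Latin-script transliteration of an Arabic name so variants compare
// equal: case, diacritics, punctuation, the "al-"/"el-" article, "Abdul X" vs
// "AbdulX", and the spelling families above. Arabic-script input needs its own path.
function normaliseName(name) {
  const raw = name
    .normalize("NFD")
    .replace(/[\u0300-\u036f]/g, "")      // strip combining diacritics
    .toLowerCase()
    .replace(/[^a-z\s-]/g, " ")           // punctuation and digits -> separators
    .replace(/\b(al|el)[\s-]+/g, "")      // "al-rashid" / "al rashid" -> "rashid"
    .split(/[\s-]+/)
    .filter(Boolean);
  const tokens = [];
  for (let i = 0; i < raw.length; i++) {
    let tok = raw[i];
    if (/^abd(ul|el|al)?$/.test(tok) && i + 1 < raw.length) {
      tok = "abdul" + raw[++i];           // "abdel rahman" -> "abdulrahman"
    } else {
      tok = tok.replace(/^abd(ul|el|al)/, "abdul");
    }
    for (const [re, canon] of SPELLING_FAMILIES) if (re.test(tok)) tok = canon;
    tokens.push(tok);
  }
  return tokens.sort().join(" ");         // order-insensitive comparison key
}

// Constructed sample lists; real screening uses OFAC, UN and the local lists.
const SANCTIONS_LIST = ["Mohammed Al-Rashid", "Abdul Rahman Hussein"];
const PEP_LIST = ["Khalid Al-Otaibi"];

function screen(fullName, list) {
  const key = normaliseName(fullName);
  return list.filter((entry) => normaliseName(entry) === key);
}

// Decision over the onboarding signals. A null/undefined signal means the check
// did not run (vendor error, timeout): route to manual review, never approve.
const REQUIRED = ["liveness", "faceMatchScore", "idExpired", "sanctionsHits", "pepHits"];
function decide(signals, { faceApprove = 0.9, faceReview = 0.7 } = {}) {
  const missing = REQUIRED.filter((k) => signals[k] === null || signals[k] === undefined);
  if (missing.length) {
    return { decision: "manual_review", reasons: missing.map((k) => `missing_signal:${k}`) };
  }
  const reasons = [];
  if (signals.idExpired) reasons.push("id_document_expired");
  if (!signals.liveness) reasons.push("liveness_failed");
  if (signals.faceMatchScore < faceReview) reasons.push("face_match_failed");
  for (const hit of signals.sanctionsHits) reasons.push(`sanctions_match:${hit}`);
  if (reasons.length) return { decision: "reject", reasons };

  for (const hit of signals.pepHits) reasons.push(`pep_match:${hit}`);   // enhanced due diligence
  if (signals.faceMatchScore < faceApprove) reasons.push("face_match_borderline");
  if (reasons.length) return { decision: "manual_review", reasons };
  return { decision: "approve", reasons: [] };
}

// Wire the screen into the signals an applicant record carries.
function onboard(applicant) {
  return decide({
    liveness: applicant.liveness,
    faceMatchScore: applicant.faceMatchScore,
    idExpired: applicant.idExpired,
    sanctionsHits: screen(applicant.name, SANCTIONS_LIST),
    pepHits: screen(applicant.name, PEP_LIST),
  });
}
```

The two properties worth keeping when you replace the toy screen with a vendor call are the order of evaluation (hard rejects before review reasons, so a sanctions hit is never downgraded by a good face score) and the missing-signal branch, which is what turns a vendor outage into a review queue instead of a batch of silently approved accounts.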
Data Residency Requirements
Saudi Arabia's Personal Data Protection Law (PDPL) and the UAE's Federal Decree-Law No. 45 of 2021 (the UAE PDPL) both restrict where personal data may be stored and when it may leave the country, and the financial regulators layer sector-specific localization on top. Financial and payment data, in particular, frequently must be stored and processed within the country.
This has direct infrastructure implications. AWS (Middle East (UAE) and Middle East (Bahrain)), Azure (UAE North, UAE Central, Qatar Central) and Google Cloud (Dammam and Doha) all have regions in the GCC, but a region in a neighbouring GCC state does not satisfy an in-country requirement, and nothing keeps data in-region by default. You need to explicitly configure your architecture for it: no cross-region replication, backups or disaster-recovery copies of regulated data outside the country, CDN caching configured so regulated responses are never cached at edges abroad, and explicit data residency clauses in your vendor contracts.
We've seen products fail compliance audits because their logging infrastructure was sending data to US-based log aggregation services. Audit your entire data flow, not just your primary database.
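The logging failure above is a data-flow problem, not a database problem, so the audit has to follow the data rather than list the stores. Below is an added example, not code from the original post, that does this over a constructed inventory: every place data rests (primary, replicas, CDN edges, third-party services) plus the flows between them, with data classes propagated transitively so a US log aggregator fed by an in-country log shipper is still flagged. The region identifiers, policy and inventory are hypothetical.

```javascript
// Added example: transitive data-residency audit over a constructed inventory.
// Region names, data classes and the policy are illustrative assumptions.

// One jurisdiction's policy: which regions count as in-country (hypothetical IDs)
// and which data classes are subject to localization.
const SA_POLICY = {
  jurisdiction: "SA",
  inCountryRegions: new Set(["ksa-central-1", "ksa-west-1"]),
  regulatedClasses: new Set(["kyc_document", "transaction", "customer_pii"]),
};

// Inventory: nodes are places data rests or is processed; flows say what moves.
// A flow without `classes` forwards everything its source holds (log shippers,
// proxies, replication). Constructed sample, including the two classic failures:
// a DR replica abroad and request logs shipped to a foreign SaaS.
const INVENTORY = {
  nodes: {
    primary_db:  { region: "ksa-central-1", kind: "database" },
    db_replica:  { region: "eu-west-1",     kind: "database" },     // DR replica
    api:         { region: "ksa-central-1", kind: "service" },
    log_shipper: { region: "ksa-central-1", kind: "agent" },
    log_saas:    { region: "us-east-1",     kind: "third_party" },  // log aggregation SaaS
    cdn_edge_eu: { region: "eu-west-1",     kind: "cdn_edge" },
  },
  flows: [
    { from: "api", to: "primary_db", classes: ["kyc_document", "transaction", "customer_pii"] },
    { from: "primary_db", to: "db_replica" },                        // replication forwards all
    { from: "api", to: "log_shipper", classes: ["customer_pii"] },   // request logs carry customer IDs, IPs
    { from: "log_shipper", to: "log_saas" },                         // shipper forwards all
    { from: "api", to: "cdn_edge_eu", classes: ["public_assets"] },
  ],
};

// Compute the data classes that reach every node by iterating the flows to a
// fixpoint; pass-through flows copy the source's current class set.
function propagateClasses(inventory) {
  const held = Object.fromEntries(Object.keys(inventory.nodes).map((n) => [n, new Set()]));
  let changed = true;
  while (changed) {
    changed = false;
    for (const f of inventory.flows) {
      const incoming = f.classes ? f.classes : [...held[f.from]];
      for (const c of incoming) {
        if (!held[f.to].has(c)) { held[f.to].add(c); changed = true; }
      }
    }
  }
  return held;
}

// Residency violations: any node outside the in-country regions that holds or
// receives a regulated class. Returns a sorted, deterministic list.
function auditResidency(inventory, policy) {
  const held = propagateClasses(inventory);
  const violations = [];
  for (const [name, node] of Object.entries(inventory.nodes)) {
    if (policy.inCountryRegions.has(node.region)) continue;
    const regulated = [...held[name]].filter((c) => policy.regulatedClasses.has(c)).sort();
    if (regulated.length) violations.push({ node: name, region: node.region, classes: regulated });
  }
  return violations.sort((a, b) => a.node.localeCompare(b.node));
}

// Convenience: the names of violating nodes, for dashboards or CI gates.
function violatingNodes(inventory, policy) {
  return auditResidency(inventory, policy).map((v) => v.node);
}
```

Run this from CI against the inventory your infrastructure-as-code emits and fail the pipeline on a non-empty result; the `kind` field is there so the same audit can also gate on third-party services, which is where the logging case in the original audit finding came from.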
Arabic Language & RTL Support
This is where many engineering teams underestimate the work. Arabic is right-to-left (RTL), and proper RTL support is more than just flipping the layout. You need:
- CSS logical properties instead of left/right (use margin-inline-start, not margin-left)
- Bidirectional text handling for mixed Arabic/English content
- Arabic-aware number formatting (Eastern Arabic numerals vs. Western)
- Date formatting (Hijri calendar support for Saudi Arabia)
- Font selection — not all Arabic fonts render well at small sizes
In Next.js, we use the dir attribute on the HTML element and Tailwind's RTL variant (rtl: prefix) for layout adjustments. We also maintain separate translation files for Arabic content rather than relying on machine translation.
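The numeral, calendar and bidi points above map onto standard Intl APIs and Unicode bidi controls, which the following added example (not code from the original post or from the Next.js project) shows. Two details matter in practice: pin the numbering system with the -u-nu- extension rather than relying on the locale's default, since the default digits for Arabic locales depend on the locale and the ICU data shipped with the runtime, and isolate user-supplied fragments (merchant names, amounts) with FSI/PDI so they cannot reorder the surrounding Arabic sentence. The Arabic sentence and the sample inputs are constructed.

```javascript
// Added example: Eastern vs. Western Arabic numerals, Umm al-Qura Hijri dates,
// and bidi isolation of embedded fragments. Sample inputs are constructed.

// Format an amount in SAR with the digit system made an explicit user preference.
// "arab" = Eastern Arabic digits (٠-٩), "latn" = Western digits (0-9).
function formatAmount(amount, { numerals = "arab" } = {}) {
  return new Intl.NumberFormat(`ar-SA-u-nu-${numerals}`, {
    style: "currency",
    currency: "SAR",
    minimumFractionDigits: 2,
    maximumFractionDigits: 2,
  }).format(amount);
}

// Hijri date for display, using the Umm al-Qura calendar Saudi Arabia uses
// (the "islamic" calendar is the astronomical one and can differ by a day).
function formatHijri(date, { numerals = "arab" } = {}) {
  return new Intl.DateTimeFormat(`ar-SA-u-ca-islamic-umalqura-nu-${numerals}`, {
    dateStyle: "long",
    timeZone: "Asia/Riyadh",
  }).format(date);
}

// Hijri year as a number, for logic (fiscal periods, document validity) rather
// than display; uses Western digits so parseInt is unambiguous.
function hijriYear(date) {
  const parts = new Intl.DateTimeFormat("en-u-ca-islamic-umalqura-nu-latn", {
    year: "numeric",
    timeZone: "Asia/Riyadh",
  }).formatToParts(date);
  return parseInt(parts.find((p) => p.type === "year").value, 10);
}

// Unicode bidi isolates: FIRST STRONG ISOLATE ... POP DIRECTIONAL ISOLATE.
// Anything inside takes its own direction and does not reorder the outer text.
const FSI = "\u2068";
const PDI = "\u2069";
function isolate(fragment) {
  return `${FSI}${fragment}${PDI}`;
}

// A mixed-direction notification: Arabic template, Latin merchant name, amount.
function transferMessage(recipient, amount, opts) {
  return `تم تحويل ${isolate(formatAmount(amount, opts))} إلى ${isolate(recipient)}`;
}
```

The same isolation rule applies to anything the CSS side can't see, such as push notifications and SMS: `dir="auto"` on an element handles the block, but a string assembled server-side and handed to a gateway only has the Unicode controls to rely on.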
Payment Infrastructure
The GCC has its own payment rails that you need to integrate with. The key ones:
- Saudi Arabia: SADAD (bill payments), mada (debit network), STC Pay
- UAE: UAEFTS (interbank transfers), with Apple Pay and Google Pay widely adopted as card wallets
- Regional: Tabby and Tamara for BNPL; Checkout.com and Stripe (limited GCC support)
Stripe's GCC support has improved significantly but is still limited compared to its US/EU coverage, and it changes, so check current country availability rather than assuming it. For Saudi Arabia specifically, you'll likely need a local payment gateway (HyperPay, Moyasar or PayTabs) in addition to or instead of Stripe, not least because mada acceptance is expected by Saudi customers.
Our Checklist Before Launch
Before we launch any fintech product in the GCC, we run through this checklist:
- Regulatory license or sandbox approval obtained
- KYC/AML flow tested with GCC-specific ID documents
- Data residency verified for all data stores and third-party services
- Arabic RTL layout tested on real devices (not just browser emulation)
- Local payment gateway integrated and tested in production mode
- VAPT (Vulnerability Assessment and Penetration Testing) completed
- Privacy policy and terms of service reviewed by local legal counsel
- Incident response plan documented and tested
Building a fintech product for the GCC? We've navigated this regulatory landscape across multiple projects and can help you avoid the common pitfalls.