Legal Requirements for Employing Artificial Intelligence Technologies in Saudi Financial Institutions in Light of the Personal Data Protection Law, the Civil Transactions Law of 2023, and International Conventions

1. Introduction

Financial institutions face increasing legal and regulatory challenges related to compliance with national and international legislation, and ensuring the protection and preservation of customer rights, in light of rapid digital developments. This necessitates that these institutions adopt financial technology (FinTech), artificial intelligence technologies, and smart contracts, as tools to help overcome information problems and ethical risks (Mhlanga, 2021).

Data protection and information security are among the foremost of these challenges, prompting central banks to take regulatory measures aimed at achieving financial stability. Developing strict regulatory mechanisms to control smart technologies, and obliging financial institutions to align their systems with international standards such as ISO standards, quality and accreditation standards, Financial Action Task Force (FATF) standards, and Basel Committee decisions (Mohammed Ahmed, 2016).

In this context, the Saudi Central Bank (SAMA), in cooperation with the Capital Market Authority, has launched a number of initiatives since April 2018 aimed at supporting the digital transformation of the financial sector through the integration of financial technology and artificial intelligence applications, with the goal of enhancing credit analysis, risk management, and combating financial fraud (Qwaideri and Abdul Qader, 2025).

The global digital revolution associated with artificial intelligence applications has had a direct and profound impact on financial institutions, prompting national legislators to face the challenges of developing legislation that keeps pace with digital developments (Al-Qaffas, & Mona. (2025)). This has contributed to protecting the financial system and enhancing trust and financial sustainability. This is due to the broad capabilities that artificial intelligence technologies provide in performing complex technical tasks, detecting patterns, recognizing people, objects, and voices, and early detection of risks (Singh, 2024).

Saudi Arabia is not immune to these transformations, as its Vision 2030 has given great attention to strengthening the digital economy, and considered artificial intelligence as one of the main strategic pillars of the vision ) (https://www.vision2030.gov.sa/ar(/.

Although there is no specific legislation regulating artificial intelligence yet, the Saudi Data & Artificial Intelligence Authority (SDAIA) has developed a guiding framework for the governance of AI applications. The financial sector has also been active in this area.

The financial sector, led by the Saudi Central Bank, is at the forefront of sectors that have benefited from artificial intelligence applications, especially in the areas of personal data protection, financial fraud detection, algorithmic trading, risk management, and money laundering detection (Makram Awad, 2022).

Nevertheless, several legal and regulatory challenges remain, which require legislative intervention to establish a comprehensive legal framework capable of addressing the issues arising from the use of artificial intelligence technologies in financial institutions. Such a framework would contribute to reducing potential risks. Therefore, it is essential to rely on international standards, particularly ISO 38507 on the digital governance of artificial intelligence)Janaćković, G., Vasović, D., & Vasović, B. (2024), ISO 31000 on risk management, and ISO 27001 on information security, as these standards serve as regulatory tools that enhance protection and promote financial stability.

The Saudi Central Bank has proven its efficiency in managing risks effectively during the COVID-19 pandemic (Atim.2021). A study by KPMG indicates a significant global expansion in the use of artificial intelligence within financial institutions, reaching up to 71% in 23 countries and across six different sectors (KPMG Global AI in Finance Report, 2023), Based on this, this study seeks to achieve a set of research objectives by posing a number of questions that it works to answer through an analysis of legal systems, executive regulations and related circulars, with the aim of assessing the readiness of the Saudi legal framework to regulate the use of artificial intelligence technologies in financial institutions.

This study aims to identify and analyze the legal requirements regulating the use of artificial intelligence technologies in Saudi financial institutions, within the framework of the Kingdom’s Vision 2030 digital transformation policy. The research stems from a central question: identifying the legal frameworks necessary to address the regulatory and legal challenges associated with the use of artificial intelligence technologies in Saudi financial institutions, and the extent to which these frameworks align with relevant international standards. To answer this question, the study examines several sub-aspects. The most important of these is the extent to which the Saudi system has benefited from relevant international standards in building legal rules and requirements that regulate the ethics of artificial intelligence uses, and the role of the Saudi Central Bank and the General Authority for Data and Artificial Intelligence (SDAIA) in this context. In addition to examining the legal basis for the liability of financial institutions for errors that may result from the application of artificial intelligence technologies in the absence of specific legislation regulating artificial intelligence and protecting users' personal data, the study also explores the extent to which legal requirements are linked to defining the scope of this liability.

The importance of this study lies in its attempt to identify the Saudi legal requirements related to the use of artificial intelligence technologies within financial institutions. These are the requirements that have been codified by the legislator to achieve the objectives of Vision 2030. The study also contributes to bridging the research gap related to the legal requirements for the use of artificial intelligence and the legal responsibility resulting from it. The study also examines the relationship between AI and the legal and regulatory framework governing its applications within financial institutions. Furthermore, the findings offer potential benefits for legislators and policymakers in developing regulations that protect the financial system from potential risks associated with AI technologies and enhance digital governance in this vital sector.

Previous literature indicates a growing interest in artificial intelligence applications in the financial, banking and industrial sectors, but most of these studies have focused on technical or administrative aspects without addressing the legal frameworks regulating these applications, These studies explored fields unrelated to law, including: A study by Abdel Rahim Sayed Ahmed, Yasmine, Samir Mohamed Abdel Aal, & Heba Allah. (2024). The impact of employing artificial intelligence techniques as a tool to promote green marketing to achieve environmental sustainability requirements, applied to the food industry sector. This study aimed to find out how the food industry sector uses artificial intelligence in making financial decisions. A study by Abdel Rahim Sayed Ahmed, Yasmine, Samir Mohamed Abdel Aal, & Heba Allah. (2024). The impact of employing artificial intelligence techniques as a tool to promote green marketing to achieve environmental sustainability requirements, with application to the food industry sector. This study aimed to understand how the food industry sector uses artificial intelligence in financial decision-making. Another banking study by Mohammed Fawzi Khashaba in 2022, entitled "Banking Governance and its Role in Improving Banking Performance: A Field Study on the Iraqi Banking System," aimed to identify the ability of institutions to accurately and enlightened Ly manage the most important tasks in the financial sector, It concluded that intelligence tools help in assessing credit more clearly by analyzing historical data, market trends, and customer information, Another study by Al-Bayda in 2024, entitled "The Impact of Artificial Intelligence on the Development of Financial Technology in Financial Institutions," aimed to highlight the impact of artificial intelligence on the development of financial technology in the Agricultural and Rural Development Bank, The study results showed a statistically significant impact of artificial intelligence on financial technology in the study area.

Another study by( Alaq in 2022 , titled "Artificial Intelligence Applications in Financial Institutions: An Approach to Activating Financial Inclusion," aimed to examine the contribution of artificial intelligence applications in financial institutions to enhancing levels of financial inclusion, The study concluded that artificial intelligence has effectively contributed to making financial services available to marginalized groups excluded from formal financial systems, Another study by Pandey, M. K., & Sergeeva, I. (2022) aimed to analyze the impact of artificial intelligence in financial institutions and its contribution to digital transformation, product and service development, and reshaping business models. It concluded that the use of artificial intelligence in financial institutions depends on data quality and governance. Among the studies within the Saudi context is the study by Al-Saqqat & Dr. Ahmed Abdul Qader Al-Saqqaf (2025), entitled "The Impact of Artificial Intelligence on Risk Management in Saudi Banks." This study aimed to analyze the extent to which banks adopt artificial intelligence in risk management and to evaluate the impact of artificial intelligence on improving risk management strategies, It concluded that artificial intelligence plays an increasingly important role in risk management in Saudi banks, providing advanced tools for data analysis and risk prediction. Another study by Al-Qahtani (2022), titled "The Role of Artificial Intelligence in Achieving Sustainable Development within the Framework of Saudi Arabia's Vision 2030," aimed to identify the role of artificial intelligence in achieving the Sustainable Development Goals within the framework of Saudi Arabia's Vision 2030. It concluded that Saudi Arabia has implemented artificial intelligence in several health and financial sectors.

Following those studies, we find that our current study — which falls under the category of private law and is entitled “Legal Requirements for the Employment of Artificial Intelligence Technologies in Financial Institutions” — represents a rare perspective in the literature, as the study focused on analyzing the legal framework for the use of artificial intelligence, a perspective that previous studies have not given sufficient attention to. This study was predominantly economic, administrative, or technical in nature, without delving deeply into the legal dimensions of the subject. It was also distinguished by its integration of the Saudi legal system with international conventions and standards, specifically: the Personal Data Protection Law, the Civil Transactions Law of 2023, and the European Union's Artificial Intelligence Law (2024), The UNESCO Recommendation (2021), the OECD Principles (2019), and the international standard ISO/IEC 42001:2023 are examined in a comparative analytical approach that highlights the compatibility and mutual influence between the two systems. Furthermore, The study addressed the applied dimension by studying the case of Saudi financial institutions as a model for activating artificial intelligence, which gave the research a practical dimension that distinguishes it from previous studies, and clearly reveals a research gap related to the absence of specialized legal analysis of the requirements of artificial intelligence in the Saudi financial sector.

2. Methods

The study focuses on the following financial institutions (banks, finance companies, nationalization companies, money technology companies, and exchange offices) on the legal side and is limited to identifying the requirements for using artificial intelligence by analyzing the relevant Saudi regulations and instructions of the Saudi Central Bank compared with the international standards related to the study. The study does not include detailed technical aspects of artificial intelligence (infrastructure, algorithms, and command engineering), nor financial or administrative aspects. The study's timeframe focuses on the period from 2023, which is considered the digital transformation period for Vision 2030.

This study employs a descriptive, analytical, and comparative approach, examining the legal frameworks governing the use of artificial intelligence technologies within financial institutions, with a focus on relevant Saudi regulations. These legal texts were interpreted and analyzed to identify their strengths and weaknesses, This approach involves comparing the national legal framework with international standards, particularly ISO standards, as well as examining comparative legal applications in foreign systems. Its aim is to arrive at legal findings and recommendations that will support Saudi legislators within the framework of the digital transformation of Vision 2030, Developing countries can benefit from the Saudi experience in creating requirements or legislation that regulate the scope of use of artificial intelligence within their financial institutions.

3. Conceptual Framework

3.1. Definition of a Financial Institution in the Saudi System

Article) 2 (of the Saudi Central Bank Law of 1444 AH defines it as: any person subject to the supervision, control, and regulation of the bank, whether a natural or legal person. It is also defined in the Basic Principles of Governance in Financial Institutions Law issued in 2021 as an entity subject to the Saudi Central Bank. Furthermore, the Regulations for the Protection of Customers of Financial Institutions for the year 2021 define it as an entity subject to the supervision and control of the Central Bank in accordance with applicable regulations.

3.1. The Legal and Regulatory Framework Supporting Digital Transformation in Financial Institutions:

First: The Basic Law of Governance issued by Royal Decree No. 90 of 1412 AH: Article 8 of the Law stipulates that "Governance in the Kingdom of Saudi Arabia is based on justice, consultation, and equality, in accordance with Islamic Sharia ", It is clear that the Kingdom of Saudi Arabia has permitted digital transformation in its system of governance because it represents a just tool and achieves equality and transparency in terms of equitable access to services on governmental and non-governmental digital platforms for citizens and residents. According to Article 29 of the same Law, the state must consider science and commit to encouraging scientific research. The use of artificial intelligence in financial institutions is considered an integral part of scientific innovation, which has been codified by the Saudi legislator. According to Article 27, the state guarantees the right of the citizen and his family to emergency and disability benefits and supports the social security system. We find that financial technology (Fintech) contributes to delivering support and social security in a transparent and equitable manner (Alamoodi, Mohammed 2021).

Second: The Cabinet System:

Studying the legal requirements and regulations governing artificial intelligence in the Kingdom of Saudi Arabia falls within the purview of the Cabinet. Article (21) of the Cabinet System, issued by Royal Decree No. (A/13) of 1414 AH, stipulates that the Cabinet studies draft laws and regulations submitted to it. This authority is based on Article (19) of the same system, which outlines the Cabinet's responsibilities in formulating domestic, foreign, financial, economic, educational, and defense policies, as well as other public affairs of the state, in addition to overseeing their implementation and monitoring their execution, Based on these powers, Cabinet Resolution No. (741), dated August 24, 2019, established the Saudi Data and Artificial Intelligence Authority (SDAIA) and the National Data Management Office, in support of the digital transformation targeted by the Kingdom's Vision 2030.

Third: Vision 2030, Artificial Intelligence and Digital Transformation:

The Kingdom of Saudi Arabia’s Vision was launched in 2016 AD, and it includes three main pillars: a vibrant society, a thriving economy, and an ambitious nation based on digital transformation in administration and services. Artificial intelligence is considered one of the most important drivers of digital transformation (Alshuwaikhat, H. M., & Mohammed, I. (2017)). In order to achieve the objectives of the Vision, the Saudi Authority for Data and Artificial Intelligence (SDAIA) was established to lead the program for regulating artificial intelligence and its legal requirements in the Kingdom of Saudi Arabia.

Third: Vision 2030, Artificial Intelligence, and Digital Transformation:

The Kingdom of Saudi Arabia's Vision 2030 was launched in 2016 and includes three main pillars: a vibrant society, a thriving economy, and an ambitious nation built on digital transformation in administration and services. Artificial intelligence is considered one of the most important drivers of digital transformation (Alshuwaikhat, H. M., & Mohammed, I. (2017)). To achieve the Vision's objectives, the Saudi Data and Artificial Intelligence Authority (SDAIA) was established to lead the program for regulating artificial intelligence in the Kingdom, organizing its legal requirements in Saudi Arabia, and developing public policies for its use, in accordance with ethical standards.

Fourth: Establishing Bodies to Oversee Artificial Intelligence Applications

Given the importance of digital transformation within the framework of the Kingdom’s Vision 2030, and the fact that 66 out of 96 goals are directly or indirectly linked to data and artificial intelligence, the Kingdom established the Saudi Data and Artificial Intelligence Authority (SDAIA) as the national body responsible for regulating this vital sector (https://sdaia.gov.sa/ar/SDAIA/about/Pages/RegulationsAndPolicies.aspx).

In this context, the Saudi legislature issued the Regulations for the Saudi Data and Artificial Intelligence Authority pursuant to Cabinet Resolution No. (292) dated 27/4/1441 AH, amended by Cabinet Resolution No. (195) dated 15/3/1444 AH. Article (3) of the Regulations stipulates that one of the most important objectives of the Authority is the governance of data and artificial intelligence, including serving as the national authority on all matters related to the development, regulation, handling, and oversight of artificial intelligence technologies. Article (4) also authorizes the Authority to develop and disseminate policies, standards, and regulations pertaining to the data and artificial intelligence sectors to governmental and non-governmental entities,(SDAIA )published the Principles of Ethics for Artificial Intelligence in September 2023 (Dr. Athari Saad Al-Baijan, 2024), which aimed to govern AI models in a way that minimizes their potential negative economic, social, and other impacts. These principles also regulate the protection of the privacy and rights of data subjects—whether their data is personal or sensitive—during processing, regardless of whether it is personal or corporate.

Regarding the data office: The National Data Management Office (NDMO) was established in 2019, concurrently with the creation of the Saudi Data and Artificial Intelligence Authority (SDAIA). It is one of the entities affiliated with SDAIA and is responsible for regulating, controlling, and managing data, ensuring adherence to governance and compliance policies, and guaranteeing its ethical use within the governmental and non-governmental sectors (Mutanabbik, E.B.M. (2022)). This is achieved through developing the necessary strategies, regulations, and controls, and overseeing their implementation (https://sdaia.gov.sa/ar/Sectors/NDMO/Pages/default.aspx). Despite the existence of SDAIA, no legal guidelines have yet been issued regarding legal liability for AI errors.

3.2. Definition of Artificial Intelligence

Artificial intelligence is defined as the simulation of human cognitive abilities in machines programmed to think like humans and mimic their behavior. It was explained that the spectrum of artificial intelligence includes technologies such as machine learning, deep learning, computer vision, natural language processing, and speech recognition (Pandey, M. K., & Sergeeva, 2022).

The Principles of Ethics for Artificial Intelligence issued by the General Authority for Data and Artificial Intelligence (2023) defined artificial intelligence systems and models as a set of predictive models and advanced algorithms that can be used to analyze data, predict the future, or facilitate decision-making for anticipated future events. Artificial intelligence was also defined as a set of technologies that enable a machine or system to learn, understand, act, and sense. Artificial intelligence is also defined as the science concerned with making electronic systems possess intelligence similar to human intelligence (Rifaat Muhammad Shehata & Nashwa, 2022). The 2025 Guide to the Use of Generative Artificial Intelligence defines artificial intelligence as systems that use technologies capable of collecting data and using it for prediction, recommendation, or decision-making with varying levels of autonomy, selecting the best course of action to achieve specific objectives (https://moe.gov.sa/ar/mediacenter/MOEnews/DocLib/Artificial_Intelligence_Guide.pdf), From these definitions, it is understood that artificial intelligence in financial institutions involves adopting intelligent technologies that mimic human thinking, analyze financial data, and make banking decisions. The aim is to improve the performance of the financial institution, attract customers, enhance financial security, and ensure compliance with legal requirements and national and international standards (KAUR, N., SAHDEV, S. L., SHARMA, M., & SIDDIQUI, L., 2020). Some studies have shown Artificial intelligence (AI) technologies contribute to increased profitability for financial institutions, which has encouraged these institutions to adopt and develop these technologies within their technological systems when dealing with users (Smart and Beloved, 2024). AI is closely linked to reducing the inherent risks associated with technology or privacy violations (Mawj Abbas Jassim Al-Hajimi, Ali Mahdi Hamid, 2025). This is due to the ability of these smart technologies to solve complex problems by providing intelligent solutions (Azibi & Yahya, 2024). This has been reflected in improving the quality of services provided to customers, which has prompted the Kingdom of Saudi Arabia to promote the use of AI within financial institutions (Noura Abdullah Al-S, 2025).

4. Results & Findings:

4.1. The Reality of Artificial Intelligence Use in Saudi Financial Institutions

Digital transformation in financial institutions has had a significant impact on addressing challenges, improving performance, and enhancing customer trust (Shabo, Rania, Zarfawi, and Abdul Karim, 2024). Reliance on artificial intelligence has increased in several areas within Saudi financial institutions, with full integration between the Saudi Central Bank and the Saudi Authority for Data and Artificial Intelligence. Some of the most important practical manifestations of this are as follows:

First: The role of the Saudi Central Bank (SAMA): Within the framework of its regulatory, supervisory and oversight powers over financial institutions: In 2020, it signed an agreement with the General Authority for Data and Artificial Intelligence aimed at linking financial institutions with AI-supported technologies in order to build a unified legal and financial system, aimed at accurately organizing customer data and updating their identity and financial and legal status through machine learning algorithms. The Saudi Center for Smart Technologies, which supports compliance with anti-money laundering and financial crime regulations according to Financial Action Task Force (FATF) standards (SALWA, H. R. I., & FATIMAH, S. M. (2020)), has also adopted measures related to identity verification, customer-level risk assessment, and reporting of suspicious transactions. Furthermore, the Saudi Central Bank (SAMA) has allowed financial institutions to adopt artificial intelligence (AI) technologies through a regulatory sandbox. According to SAMA's official website, there are 4 digital banks out of a total of 39 banks, and 5 banks have explicitly announced the introduction of AI technologies (https://www.sama.gov.sa/en-US/News/Pages/news-1112.aspx).

4.2. Artificial Intelligence Applications in Saudi Financial Institutions

A. Saudi Telecom Company (stc), which includes more than 14 subsidiaries across Saudi Arabia, the Middle East, North Africa, and Europe, launched the first digital bank (stc bank) in Saudi Arabia with a comprehensive suite of customer services powered by artificial intelligence. These include stc pay services that incentivize customers, such as financial spending tracking and savings promotion (https://stcpay.com.sa/?lang=ar). stc also utilizes artificial intelligence to analyze customer data, understand their behavior, and categorize them through Clears cape analytics to provide them with better legal services (https://www.teradata.com/customers/stc-innovating-in-ai?utm_source=chatgpt.com).

B. The National Commercial Bank (NCB), one of the largest financial institutions subject to the Financial Institutions Regulations, signed an agreement in 2024 with Knowledge Network for Computer Technology (Knowledge) to improve its banking transactions by utilizing a smart technology program aimed at identifying customers through the analysis of seals and signatures on documents and contracts. (Maal Newspaper, July 2024) In addition, it launched a Know Your Customer (KYC) program to monitor customer status in case of changes. (https://www.alahli.com/ar/pages/about-us/security/compliance?utm_source=chatgpt.com)

C. 1- Riyad Bank: Launched an internal center specializing in artificial intelligence technologies aimed at conducting proactive analyses of legal and financial risks. https://www.riyadbank.com/ar/personal-banking/media-center/-

D. In March 2025, the Saudi Arabian Bank, in collaboration with IBM, launched an AI-powered technology service for detecting financial fraud.)https://mea.newsroom.ibm.com/ar-anb-ibm-collaboration?utm_source=chatgpt.com(

It is clear that Saudi financial institutions, under the supervision of the Saudi Central Bank (SCAD), have adopted artificial intelligence (AI) technologies as a means of managing risks and improving the quality of services provided to customers and their trust. This has contributed to enhancing the efficiency of the Saudi financial system. However, this expansion requires a unified legal framework that ensures safety and security and is capable of protecting customer rights (Al-Bayoumi, & Reda Ibrahim Abdullah (2023).), Within the framework of the digital transformation policy that Saudi Arabia is pursuing within its financial institutions, it is essential to leverage international principles that have established rules governing the use of AI. These principles form the basis and reference for regulating these technologies and mitigating the associated risks. Therefore, we will review the most prominent relevant international instruments and clarify their compatibility with the instructions and directives issued by SCADA and other relevant regulations.

4.3. Key International Instruments for Artificial Intelligence Requirements

4.3.1. United Nations Recommendation 2021

The Recommendation on the Ethics of Artificial Intelligence adopted by the United Nations on November 23, 2021 (https://www.unesco.org/en/articles/recommendation-ethics-artificial-intelligence)is considered the ethical basis for the legal requirements upon which the legislative system is built, to regulate artificial intelligence technologies in various fields, including financial institutions. Paragraph (e)/8 of it emphasized that one of the objectives of the Recommendation is to protect human rights and freedoms. In addition, the Recommendation is linked to four main axes, which are: transparency and accountability, data protection and privacy, non-discrimination and fairness, in addition to the need to direct artificial intelligence towards achieving the Sustainable Development Goals (Recommendation 2021).

4.3.2. EU AI Act 2024

The European Union's Artificial Intelligence Act 2024, known as the EU AI Act, is the first legislative framework to establish rules for regulating the development, marketing, and use of AI-based products, services, and systems, including data protection systems (Artzt, M., & Dung, T. V. (2022)). The Act focuses on the security of AI technologies by promoting regulatory compliance for risk management, enhancing data protection, developing quality management systems, and ensuring transparency. It also addresses cybersecurity and its implications for the security of personal data. The EU Act classifies AI systems used in financial institutions as Level 2 High-Risk AI Systems because they affect users' rights. This necessitates mandatory conformity assessments before market launch, while also granting users the right to file complaints regarding these systems. However, some argue that the Act still contains limited guidance on how to implement conformity assessments and ex-post monitoring. This necessitates building international consensus on these regulatory issues (helisson, E., & Verma, H. (2024). Conformity).

4.3.3. ISO International Standards and Their Role in Regulating Artificial Intelligence Requirements

The international standard ISO/IEC 42001:2023 is considered the first international standard for artificial intelligence management systems issued by the International Organization for Standardization and the International Electrotechnical Commission, as it aims to establish a regulatory framework for artificial intelligence applications within organizations through their safe and ethically responsible use (Mohammed, E.A.E. (2025)).

The international guidance standard ISO/IEC 38507:2022, issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), aims to help countries make responsible decisions regarding the use of artificial intelligence while taking into account values and legal requirements. This standard focused on key areas, including accountability and responsibility for the harms caused by artificial intelligence technologies, respect for values and ethics of artificial intelligence and privacy, and compliance with legal regulations and instructions (Janaćković, G., Vasović, D., B. (2024).

The ISO 31000 international standard for risk management also emphasized the importance of this framework for financial institutions, enabling them to identify digital risks associated with artificial intelligence technologies and assisting countries in identifying risks of breaches of customers' personal data privacy, while establishing proactive control mechanisms in line with its instructions (M.M. Qasim Hajim Sahib Al-Maamouri & M.M. Noor Hashim Muhammad Al-Husseini, 2024).

The international standard ISO/IEC 27001 for information security, issued by the International Organization for Standardization (ISO) and the Electrotechnical Commission (IEC) in 2022, is also considered. Its standards are concerned with protecting the information and financial assets of financial institutions. This document aims to establish legal and regulatory controls that ensure the confidentiality of information by adopting systematic mechanisms for risk analysis, which contributes to reducing threats through the analysis and evaluation of potential risks (M. Qasim Hajim Sahib Al-Maamouri, & M. M. Noor Hashim Muhammad Al-Husseini. (2024)).

A review of these international instruments regulating the use of artificial intelligence reveals that they constitute a system for governing legal and ethical requirements aimed at strengthening the principles and rules for the use of AI technologies in institutions, particularly financial institutions, due to their direct link to standards of transparency, )Cestonaro, C., Delicati, (2023),accountability, and the protection of personal data. In comparison with the Saudi regulatory framework, a convergence in legal methodology becomes evident. This alignment aligns with the objectives of Vision 2030 and the digital transformation policies led by the General Authority for Data and Artificial Intelligence and the Saudi Central Bank. This convergence serves as an analytical basis for moving to the discussion section, which focuses on interpreting the findings in light of the aforementioned international instruments and assessing the readiness and adequacy of the Saudi legal framework for regulating AI applications in financial institutions.

5. Discussion

5.1. Saudi Regulatory Requirements for the Use of Artificial Intelligence Within Financial Institutions

In the context of digital transformation, financial institutions are striving to adopt artificial intelligence (AI) technologies to build a smart cyber defense system aimed at protecting against cyberattacks (Kashmir, & Hassan Hassan Ahmed, 2025). This is done to protect financial assets, enhance customer trust, and achieve compliance with international standards related to risk governance. However, adopting AI technologies raises legal and ethical challenges related to privacy and the protection of customers' personal data, in addition to challenges of legal liability for decisions issued by intelligent systems (Fares, O. H., Butt, I., & Lee, S. H. M., 2023). Consequently, among the most prominent challenges facing those responsible for employing AI technologies within Saudi financial institutions are: establishing clear controls for AI ethics, defining legal liability for AI errors in Saudi law, and establishing a legal and regulatory framework for the protection of personal data. These topics will be discussed in turn:

5.1.1. Artificial Intelligence Ethics in the Kingdom of Saudi Arabia

Although there is no specific law regulating artificial intelligence in the Kingdom of Saudi Arabia, the Saudi legislator has adopted an approach similar to the European Union's AI law and international conventions regarding the ethical aspects of smart technologies (Mohammed Abu Zaid & Dr. Moataz, Consultant (2024)). In 2025, the Kingdom issued ethical principles for artificial intelligence as a guiding framework aimed at achieving proactive measures when employing and using AI within financial institutions. However, adherence to these principles is not sufficient in itself. It must be accompanied by clear legal responsibility in case of breach of the requirements or the occurrence of operational or technical errors, given that the relationship between legal requirements and legal responsibility is complementary and inseparable. The Saudi AI Ethics Code of 2025 defines ethics as "a set of values, principles, and methods to guide ethical conduct in the development and use of artificial intelligence technologies" (Saudi AI Ethics 2025).

In line with international instruments, particularly the European Intelligence Regulation of 2024, the Code classifies the levels of risk associated with the deployment and use of artificial intelligence into four categories: low risk, limited risk, high risk, and unacceptable risk. Furthermore, Article 2 of the Code states that "AI technologies must be protected in a secure manner that complies with regulatory requirements related to the protection of personal data and cybersecurity standards."

5.1.2. Legal Liability for Artificial Intelligence Errors in Saudi Law

Liability is defined as: a person bearing the consequences of negligence committed by them or by those under their supervision (Dr. Abdul Mohsen Karim Shaghati, 2025). It is also defined as the legal obligation of a person to compensate for damages caused to others as a result of a harmful act committed by them, whether intentional or unintentional, and whether resulting from a breach of contract or an unlawful act (Abdul Mohsen Karim Shaghati, 2025). As for the liability of artificial intelligence, it has been defined as a legal obligation to provide financial compensation for damages caused by artificial intelligence technologies due to a defect in their design, programming, or method of operation, or if they make incorrect decisions without direct human intervention (Rahman, R. A., & Habibulah, R., 2019).

The Saudi system does not provide a direct definition of liability in the Saudi Transactions Law of 2023, but Article (Article 120 defines negligence as "any error that causes harm to another, obligating the perpetrator to provide compensation." Article 132 also stipulates that anyone entrusted with the safekeeping of things requiring special care—by their nature or according to regulations—to prevent harm is responsible for any damage caused by those things, unless they prove that the damage was due to a cause beyond their control (Article 132 of the Civil Transactions Law 2023). Analyzing this legal text and considering the provisions of the Saudi Artificial Intelligence Ethics Regulations 2025, it can be concluded that the financial institution operating the smart technology is considered a custodian in the legal sense. This is based on the legal requirements set by the Saudi Central Bank and the requirements and instructions issued by the General Authority for Data and Artificial Intelligence 2025 for financial institutions. Thus, liability shifts from mere personal negligence to liability for safekeeping unless the institution proves that the damage occurred due to an external cause beyond its control. This analysis is further supported by Principle Seven of the Saudi Artificial Intelligence Ethics Regulations 2025, which stipulates that the institution bears responsibility for the damage caused by the technology. AI designers, managers, and evaluators bear ethical responsibility for decisions that result in harm to users. The regulations also require financial institutions to identify and assign someone responsible for AI ethics practices, appoint someone responsible for personal data protection governance, and select and assign a qualified evaluator to conduct audits of AI systems within the institution (page 27 of the AI Ethics Regulations 2025). It is clear that responsibility for AI errors in the Saudi system is based on the principle of regulatory oversight of the financial institution. This ensures that financial entities adhere to the ethical standards stipulated in the regulations, thus achieving safe and responsible use, which is consistent with the International Recommendation 2021.

5.1.3. Digital Rights Requirements:

The United Nations Human Rights Council, in Resolution 20/8 of 2012, affirmed that the rights enjoyed by individuals offline must also be respected online. This established the concept of digital rights as an integral part of the global human rights system. Digital rights focus on protecting and ensuring the use of financial technology and artificial intelligence in a way that guarantees the privacy and rights of customers. These rights include: the right to the confidentiality of financial data, the right to cybersecurity, the right to know and to be transparent about the use of their data, and their right to access electronic services fairly and without discrimination, along with their right to object and file complaints (Al-Mahdi & Dr. Ibrahim Attia Mahmoud, 2023).

The Saudi Central Bank (SAMA) emphasized in its Financial Customer Protection Policy - 2021 issue, particularly in its second section, the necessity for financial institutions to adhere to the principles and standards that constitute the general framework for customer protection, which they must observe in all their dealings with customers. Principle Five stipulated the necessity for institutions to protect their customers' assets by establishing high-tech control systems that prevent their misuse, while Principle Six indicated the necessity of implementing appropriate technologies to protect customers' credit information and data. Rule 12 of the regulations also emphasized the financial institution's obligation to provide a secure environment that ensures the confidentiality of customer information, otherwise it is obligated to compensate for any losses resulting from breaches of its smart and electronic technologies (Saudi Financial Customer Protection Policy Regulations, Part Two - 2021).

The Saudi legislator has been concerned with regulating specific rules for the protection of personal data while adhering to Islamic privacy principles (Jawahitha Sarabdeen and Mohamed Mazahir Ishak2024م). This is evident in the issuance of the Personal Data Protection Law, issued by Cabinet Resolution No. (98) dated 7/2/1443 AH, along with the Data Governance Policy Regulations - Second Edition, dated May 21, 2021. Article 1 of the Personal Data Protection Law and the 2021 Data Governance Regulations defines personal data as "any data - regardless of its source or form - that may affect the identification of an individual specifically, or make him/her identifiable directly or indirectly when combined with other data. This includes his/her name, personal identification numbers, addresses, and numbers." Contact information, bank account numbers, credit cards, or images of the individual, whether still or moving (Article 1 of the Saudi Personal Data System 2021).

The Saudi system has urged institutions to establish a clear data protection policy that serves their interests (Najm Abdullah Al-Shammari, 2023). The Saudi legislator, in the Personal Data Protection Regulations of 2021, established ten fundamental principles that form the cornerstone of data processing within various sectors, particularly financial institutions. These principles, which must be observed with regard to personal data, are: responsibility, transparency, and the data subject's consent to the processing of their data; limiting data use and retention; establishing secure means for accessing and updating data; and limiting data disclosure. The eighth principle emphasizes the necessity of protecting the security of personal data from leakage, damage, loss, embezzlement, or unauthorized misuse – in accordance with the regulations issued by the National Cybersecurity Authority or other competent authorities. The ninth principle emphasizes that personal data must be retained accurately and recognizably. Finally, the tenth principle stipulates the necessity of monitoring financial institutions and ensuring their compliance. Regarding privacy policies and procedures (2/2/4 The Ten Principles Data Governance Policy, Second Edition, 21-5-2021), these ten principles are not merely regulatory guidelines, but rather legally binding requirements for financial institutions that ensure the safe and innovative use of artificial intelligence technologies in the financial sector. This contributes to building customer trust and enhancing digital transformation, thus achieving the objectives of Vision 2030 (Al-Turki & Abdullah bin Abdulrahman, 2025). Integrating these ten principles into the artificial intelligence system of financial institutions is a fundamental step that ensures the compatibility of smart technologies with legal requirements that guarantee the protection of customer privacy. These principles obligate financial institutions to apply the rules of responsibility and transparency and obtain customer consent, while limiting the use of data and restricting it to financial purposes only (Sultan bin Abdulrahman bin Abdulqader Al-Obaidan, 2024).

The Saudi legislator has established a set of fundamental rights that are essentially mandatory legal requirements. Entities using individuals' data—including financial institutions that rely on artificial intelligence technologies in their systems—must adhere to these requirements, as stipulated in Article 4 of the Personal Data Protection Law 2021. These institutions may not process or analyze customer data without complying with these rights; otherwise, they will be considered in violation of the Saudi Personal Data Protection Law 2021. Thus, the rights outlined in Article 4 become prerequisites for the use of data in customer-related artificial intelligence applications, representing the legal basis for the legitimacy of intelligent data processing within financial institutions. These rights include:

- The data subject has the right to be fully informed about the collection of their personal data and the purpose for which it is collected.

- The data subject has the right to access their personal data held by the financial institution, in accordance with the regulations and procedures stipulated by the applicable laws.

- The data subject has the right to obtain a copy of their personal data held by the financial institution in a legible and clear format, in accordance with the regulations and procedures stipulated by the applicable laws.

- The data subject has the right to request the correction and updating of their personal data held by the financial institution.

- The data subject has the right to request the destruction of their personal data held by the financial institution upon completion of the purpose for which it was collected.

It is clear that these legal requirements represent fundamental customer rights and form a framework that defines legitimacy at each stage of the data lifecycle, from collection to processing, analysis, prediction, and finally, storage or destruction (Amal Hussein Abdulqader, 2024). These rights prevent financial institutions from transforming artificial intelligence into an illegitimate surveillance or analytical tool that could infringe upon customer privacy, Compliance with these requirements is a prerequisite for financial institutions to continue operating their intelligent systems legitimately and in accordance with the Saudi Personal Data Protection Law, the violation may extend to imprisonment or a fine. “Without prejudice to any more severe penalty stipulated in another law, anyone who discloses or publishes sensitive data in violation of the provisions of the law, if this is done with the intent to harm the data subject or with the intent to achieve a personal benefit, shall be punished by imprisonment for a period not exceeding (two years) and a fine not exceeding (three million) riyals, or by one of these two penalties.” (Article 1/35 of the Personal Data Protection Law 1443). the law also granted the Saudi Central Bank the authority to supervise the extent of financial institutions’ compliance with the rules for the protection of personal data contained in the law and its regulations (Article 30 of the Personal Data Protection Law 1443).