The Capital Market Authority (“CMA”) has, within the span of two weeks during May and June 2026, issued three separate enforcement announcements targeting individuals within listed companies on the Saudi Exchange. The actions span conviction, collective compensation, and criminal referral to the Public Prosecution covering in a single fortnight the full arc of Saudi capital markets enforcement. For directors, audit committee members, financial managers, and external auditors operating in this market, the signal is unambiguous: personal accountability for the integrity of financial disclosures is no longer a theoretical risk. It is an active and immediate one.
1. The Regulatory Landscape: What the CMA Is Signaling
The three enforcement actions, published on 20 May, 21 May, and 2 June 2026 respectively, span three distinct stages of the Saudi enforcement pipeline. The first resulted in a final conviction decision issued by the Appeal Committee for the Resolution of Securities Disputes (“ACRSD”), imposing collective fines exceeding SAR 18 million on eleven individuals and banning them from working in CMA-supervised entities, following findings of financial statement manipulation across a four-year period in violation of Article 49(a) of the Capital Market Law (“CML”) and Article 7 of the Market Conduct Regulations. The second entered the compensation phase, with the Committee for the Resolution of Securities Disputes (“CRSD”) accepting a collective compensation claim filed by an affected investor against convicted board and audit committee members, opening a ninety-day window for other affected investors to join. The third and most consequential in terms of its breadth, saw the CMA refer seventeen suspects to the Public Prosecution following a forensic inspection, with suspects spanning current and former board members, executive management, financial managers, and members of the engagement team at the company’s former external auditor.
What makes this pattern significant is not any single action in isolation. It is the simultaneity, the diversity of enforcement stages represented, and the explicit invocation of both the CML and the Companies Law in the most recent referral. The CMA is not responding to isolated complaints. It operates a coordinated, multi-track enforcement programme and it uses the full range of tools available to it.
2. The Legal Framework: What the Law Requires
The three enforcement actions are grounded in an interlocking framework of Saudi capital markets and corporate legislation that places significant personal obligations on those who govern and audit listed companies.
Under Article 49(a) of the CML, reinforced by Article 7 of the Market Conduct Regulations, any person is prohibited from engaging, directly or indirectly, in any act, practice, or course of conduct that creates or is likely to create a false or misleading impression with respect to a security or the financial condition of an issuer. Critically, this prohibition is not limited to active falsification. It extends to the approval of financial statements known or constructively known to be inaccurate, the recognition of revenues whose collectability is materially doubtful, and the failure to record asset impairment losses that applicable accounting standards require to be recognised.
The Companies Law operates in parallel, imposing specific fiduciary obligations on board members in respect of financial oversight, internal controls, and the accuracy of market disclosures.
Under the Corporate Governance Regulations, audit committees of listed companies carry independent and non-delegable responsibility for the integrity of financial reporting and direct substantive engagement with external auditors. Audit committee membership, as the enforcement record now makes clear, is not a formal appointment. It is a source of active personal accountability.
3. Personal Liability: The Shift from Institution to Individual
The convictions in the first matter were not founded on evidence that the individuals concerned had personally fabricated financial data. The ACRSD’s findings rested on a broader basis: that the convicted individuals approved financial statements whilst knowing or having the means to know given their position and access to information, that the revenues being recognized carried a low probability of collection. This is the constructive knowledge standard in operation. It does not require proof of active deception. It requires only that a person in a position of governance responsibility either knew, or ought to have known, that the disclosures they were approved of did not reflect the company’s true financial position.
The second matter adds a further dimension: the role of external auditor qualifications. In that case, the company’s external auditor issued reservations in respect of the financial statements for three consecutive years. The board and audit committee nonetheless approved those statements without adequately resolving the basis for the auditor’s concerns. A qualified audit opinion is not a formality to be noted and set aside. It is a trigger for active inquiry, documented deliberation, and demonstrable resolution. The CMA’s enforcement decisions indicate that a board or audit committee member who approves accounts in the face of repeated external auditor qualifications, without adequate engagement with the substance of those qualifications, will find it difficult to sustain a defence of good faith before the ACRSD.
The third matter extends the liability perimeter further still. The inclusion of financial managers and members of the external audit engagement team within the scope of the criminal referral confirms that personal liability is not confined to those who hold board seats or committee appointments. It extends to any professional whether employed by the company or engaged as an external adviser whose work materially contributes to the integrity, or the compromise, of a listed company’s financial disclosures.
Taken together, the three matters establish a liability framework that is personal, broad in their reach, and applied with reference to what a person in a particular role ought to have known. Ignorance, passivity, and deference to management are no longer tenable postures for those who sit on boards, serve on audit committees, or sign off on the financial statements of Saudi listed companies.
4. Recommendations
For board members and audit committee members of listed companies:
- Review financial reporting processes immediately. Conduct an immediate review of your company’s revenue recognition policies, asset impairment assessments, and the adequacy of the internal controls underpinning published financial statements. The enforcement record indicates that the CMA’s scrutiny is directed precisely at these areas.
- Treat your audit committee role as substantive, not ceremonial. Saudi listed companies are already required under the Corporate Governance Regulations to maintain an audit committee. What the enforcement record now makes clear is that formal existence is not enough. Audit committee members must actively interrogate financial reporting assumptions, ensure they have access to independent financial expertise, and establish direct communication channels with external auditors outside of management’s presence. A committee that meets to approve rather than to question is not discharging its legal obligations.
- Act on auditor reservations and document that you did. Where an external auditor issues a qualified opinion or reservation, the audit committee must investigate the substance of that concern, satisfy itself as to its resolution, and maintain contemporaneous records of that process. The enforcement record indicates that approving financial statements over repeated auditor reservations, without documented engagement, will not be treated as good faith reliance on management.
- Ensure financial statements reflect true and accurate numbers. The personal liability demonstrated across these cases flows directly from financial statements that did not reflect the company’s true financial position. Board members and audit committee members should satisfy themselves, through independent enquiry where necessary, that the figures presented for approval accurately represent the company’s revenues, assets, and liabilities before approving any financial statements for publication.
Conclusion
The three enforcement actions of May and June 2026 are not a coincidence of timing. They are the visible output of a CMA operating with expanded investigative capacity, a willingness to pursue personal liability at every level of the corporate governance chain, and a clear institutional commitment to holding individuals, not merely companies, accountable for the integrity of Saudi capital market disclosures. For those who govern, audit, and invest in Saudi listed companies, the central question is no longer whether the regulator will act. It is whether the structures, processes, and professional advice currently in place are adequate to ensure that when it does, there is nothing to find.