Tokenisation in the GCC: Infrastructure Modernisation and Financial Risk

Spotlight:

• Tokenisation offers the potential to further modernise GCC financial infrastructure, enabling faster settlement, deepening capital markets, and facilitating integration with global systems.
• Its value extends beyond assets, supporting AI-driven financial innovation through secure, anonymised data flows.
• Without strong Anti-Money Laundering (AML) alignment and cybersecurity, tokenisation risks enabling illicit finance and undermining trust in digital ownership systems.

Introduction

Tokenisation, defined as the representation of financial or real-world assets as digital tokens on programmable ledgers, is increasingly being framed as the next phase of capital-market evolution. Rather than relying on fragmented, message-based financial infrastructure in which transactions conducted between banks, custodians and clearing houses must be reconciled across multiple separate records, tokenisation introduces a unified system of record with verifiable ownership. As the World Economic Forum notes, it offers “proof of value, proof of ownership and proof of transaction,” enabling quicker settlement times. In addition to speed and verifiability, tokenisation also allows assets to be divided into smaller, more affordable pieces (fractionalisation) and combined or programmed together in flexible ways (composability), meaning that investments can be bundled, or traded more easily than within traditional financial systems.

The UAE and Saudi Arabia are embedding tokenisation within state-led digital transformation strategies and seeing success due to strong regulatory support for tokenisation in the finance sector as well as the popular use-cases such as sending remittances driving usage among residents.

For the Gulf Cooperation Council (GCC), tokenisation intersects with member states’ economic diversification, digital sovereignty, financial competitiveness and geopolitical positioning. The United Arab Emirates (UAE) has already begun licensing tokenised real-world asset platforms under the Virtual Assets Regulatory Authority (VARA), and has experimented with cross-border central bank digital currency (CBDC) via “Project Aber” alongside Saudi Arabia. Yet the GCC states are not all equally placed to harness or manage this “tokenisation transformation”. The UAE and Saudi Arabia are embedding tokenisation within state-led digital transformation strategies and seeing success due to strong regulatory support for tokenisation in the finance sector as well as the popular use-cases such as sending remittances driving usage among residents. Tokenisation has also been encouraged by proactive regulatory sandboxes that allow controlled experimentation with digital assets, notably for the real estate industry.

Tokenisation Efforts in the UAE and Saudi Arabia

Saudi Arabia and the UAE in particular are increasingly viewing tokenisation as an extension of sovereign infrastructure-building rather than speculative experimentation. Both countries have aggressively digitised government services and financial and payment systems over the past decade. The UAE ranks highly in global e-government indices and has positioned Dubai as a virtual assets hub under VARA.

In this context, tokenisation aligns closely with national objectives. The UAE’s launch and Saudi Arabia’s ongoing sandboxing of national real estate tokenisation infrastructure could eventually integrate programmable ledgers with official property registries, advancing a “registry-as-truth” model. This is beneficial to the large Gulf economies firstly because tokenisation facilitates transparency, effectively creating a tamper-proof “ledger” linked to physical real estate assets that tracks verified ownership history and transaction flows, facilitating due diligence and reducing fraud risk which in turn strengthens the credibility and efficiency of the countries’ already lucrative real estate markets. Secondly, it creates a tradeable secondary asset class out of traditionally illiquid property holdings, enabling Gulf economies deepen and diversify capital markets as part of their longer-term transition away from oil. This broadens the range of investable instruments, attracting a wider investor base, and increases overall market liquidity.

It creates a tradeable secondary asset class out of traditionally illiquid property holdings, enabling Gulf economies deepen and diversify capital markets as part of their longer-term transition away from oil.

The UAE; forerunner among GCC states in digital asset regulation and tokenisation initiatives, also announced the launch of a “digital dirham” stablecoin (known as DDSC) earlier in February 2026. In a similar vein to real estate tokenisation, the DDSC aims to similarly lower friction in cross-border financial transitions by providing a digital payment system that allows transactions to settle instantly without relying on traditional banking intermediaries. It is important to note that this step is facilitated by the federation’s already sophisticated regulatory ecosystem that includes the Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC). These financial free zones operate under internationally aligned legal frameworks, enabling tokenised instruments to interface more easily with UK or other popular international markets.

Data Tokenisation, AI and Financial Innovation

Asset tokenisation is only part of the larger picture in which tokenisation is set to play a central role in securing and enabling data flows in digital financial systems. Demand for services that can anonymise sensitive data in financial services is predicted to more than double, reaching US$3.76 billion by 2030. This has been driven by the increasing frequency and cost of data breaches, alongside stricter data protection and compliance requirements across financial markets. While encryption, one of the current most popular means of anonymising data, works by encoding sensitive information into unreadable ciphertext that requires decryption keys to restore it, data tokenisation is increasingly being eyed as a more secure alternative that removes sensitive data entirely from operational environments. This latter method replaces sensitive data with non-exploitable tokens that have no mathematical relationship to the original data, meaning that even if intercepted, they cannot be reverse-engineered without access to a separate secure mapping system. This approach has already been deployed in practice, most notably through Visa’s Token Service which replaces card numbers with tokens in digital transactions, significantly reducing fraud and limiting the exposure of sensitive payment data.

Asset tokenisation is only part of the larger picture in which tokenisation is set to play a central role in securing and enabling data flows in digital financial systems.

For the GCC’s increasingly digitised economies, tokenisation can also support the countries’ ambitions to integrate further artificial intelligence (AI) functions within their finance and banking sectors. The UAE and Saudi Arabia generate vast volumes of digital payments and transaction data through increasingly digitised banking and retail ecosystems; if these datasets are tokenised and anonymised appropriately, banks could use this data to train and improve AI models for fraud detection, credit risk assessment and liquidity forecasting while remaining compliant with privacy and data localisation laws.

This dual function that enhances privacy while enabling data-driven analytics aligns with global regulatory trends such as the EU’s GDPR, and similar local privacy regulations such as the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data in the UAE and the Personal Data Protection Law (PDPL) in Saudi Arabia. In this sense, tokenisation may become a foundational layer for AI-enabled financial services rather than merely a vehicle for crypto-style asset issuance.

Risks of Tokenisation

While tokenisation can promise greater efficiency and transparency, it can also be used counterintuitively to obscure the link between a financial transaction and the underlying identity of the user. In particular, tokenised or blockchain-based systems that prioritise pseudonymity or anonymity can make it more difficult for regulators and financial institutions to conduct customer due diligence, monitor transactions, and trace illicit financial flows. The World Economic Forum has emphasised that fully anonymous on-chain systems conflict with Financial Action Task Force (FATF) guidelines, which require the identification of transacting parties, noting that illicit on-chain activity reached nearly US$25 billion in 2021. To mitigate these risks, regulators and industry bodies such as the FATF have recommended implementing robust Know Your Customer (KYC) requirements, applying the “Travel Rule” to virtual asset transfers, and using permissioned or hybrid blockchain systems that preserve auditability while ensuring that verified identity data remains accessible to authorised institutions.

The World Economic Forum has emphasised that fully anonymous on-chain systems conflict with Financial Action Task Force (FATF) guidelines, which require the identification of transacting parties, noting that illicit on-chain activity reached nearly US$25 billion in 2021.

Cybersecurity risk further complicates the equation. The Bank for International Settlements (BIS) has warned that quantum computing in particular may eventually undermine widely used anonymisation systems, posing a risk to traditional forms of anonymisation and particularly encryption. While tokenisation has been posed as a viable alternative which removes the risk of quantum-enabled actors being able to decrypt sensitive financial information, cybersecurity measures are all the same only as robust as the underlying systems that store, map, and manage tokenised data. If these systems are compromised, ownership records that rely primarily on digital ledgers rather than legally recognised off-chain registries will be vulnerable to unauthorised manipulation or loss of control, creating uncertainty in dispute resolution and weakening confidence in tokenised financial markets.

Conclusion 

Despite risks, the UAE and Saudi Arabia; states that possess fiscal capacity and regulatory sophistication, are continuing to experiment and implement tokenisation cautiously. For the region, tokenisation represents both an opportunity to modernise financial systems and a test of digital security resilience. In Saudi Arabia and the UAE, it is being embedded within sovereign-grade infrastructure including real estate registries, digital currency frameworks and capital market reform. These states possess the fiscal and regulatory capacity to treat tokenisation as infrastructure modernisation rather than speculative innovation.

In Saudi Arabia and the UAE, it is being embedded within sovereign-grade infrastructure including real estate registries, digital currency frameworks and capital market reform.

Across the region, important factors will determine whether tokenisation strengthens financial systems or introduces new risks:

• Integration of data tokenisation frameworks that support AI innovation while safeguarding privacy and sovereignty
• Alignment with FATF guidelines and broader global AML standards
• Sustained Investment in advanced cybersecurity infrastructure to protect digital assets and financial networks

If these conditions are met, tokenisation could enable GCC economies to deepen financial integration with international markets that are similarly embracing the tokenisation trend, reduce settlement friction, and build AI-enhanced financial sectors using secure, anonymised data. If not, it risks becoming another channel for illicit finance, cyber and quantum vulnerability.

Elizabeth Heyes is a Junior Fellow, Emerging Technology, ORF Middle East.