OM-A.1.1

The Operational Risk Management Module sets out the Central Bank of Bahrain's ('CBB's') rules and guidance to Conventional Bank licensees operating in Bahrain on establishing parameters and control procedures to monitor and mitigate operational risks. The contents of this Module apply to all conventional banks, except where noted in individual Chapters.

OM-A.1.2

This Module provides support for certain other parts of the Rulebook, mainly:

OM-A.1.3

This Module contains the CBB's Directive (as amended from time to time) relating to Operational Risk Management and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all conventional bank licensees (including their approved persons).

OM-A.1.4

For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

OM-A.3.4

[Deleted in October 2007 updates]

OM-1.1.1

The papers below provide guidance which promotes best practice and can be generally applied by all licensees to their activities.

OM-1.1.2

The paper (see www.bis.org/publ/bcbs40.pdf) issued in September 1998 presents the first internationally accepted framework for supervisors to use in evaluating the effectiveness of the internal controls over all on- and off-balance-sheet activities of banking organisations.

OM-1.1.3

The paper describes elements that are essential to a sound internal control system, recommends principles that supervisors can apply in evaluating such systems, and discusses the role of bank supervisors and external auditors in this assessment process.

OM-1.1.4

The paper (see www.bis.org/publ/bcbs195.pdf) issued in June 2011 by the Basel Committee on Banking Supervision, outlines a set of principles that provide a framework for the effective management and supervision of operational risk, for use by banks and supervisory authorities when evaluating operational risk management policies and practices.

OM-1.1.5

The paper also recognises that clear strategies and oversight by the Board of Directors and senior management, a strong operational risk culture and internal control culture (including, among other things, clear lines of responsibility and segregation of duties), effective internal reporting, and contingency planning are all crucial elements of an effective operational risk management framework for banks of any size and scope.

OM-1.1.6

The paper (see www.bis.org/publ) issued in March 1998 provides guidelines for supervisory authorities and banking organisations as they develop methods for identifying, assessing, managing and controlling the risks associated with electronic banking and electronic money.

OM-1.1.7

The paper indicates that, while providing new opportunities for banks, electronic banking and electronic money activities carry risks as well as benefits and it is important that these risks are recognised and managed in a prudent manner.

OM-1.1.8

The paper (see www.bis.org/publ) issued in July 2003 recognizes new risks associated with the increase in distribution of financial services through electronic channels, or e-banking. To emphasize the importance of these risks, the Committee has placed responsibility on the shoulders of the Board and senior management to ensure their institutions have analysed, identified and modified operations to mitigate these risks.

OM-1.1.9

To facilitate these developments, the Committee has identified fourteen Risk Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities.

OM-1.1.10

The Risk Management Principles fall into three broad, and often overlapping, categories of issues that are grouped to provide clarity: Board and Management Oversight; Security Controls; and Legal and Reputational Risk Management.

OM-1.1.11

This paper provides a broad framework for business continuity standards, and contains seven principles for regulators and industry participants to follow. It was published in August 2006 and is available in the "publications" section of the Basel Committee portion of the BIS website (www.bis.org).

OM-2.2.3

The Board of Directors must be aware of the major aspects of the bank's operational risk as a distinct and controllable risk Category.

OM-2.2.4

The responsibilities of the Board of Directors of the bank must include:

OM-2.2.5

The responsibilities of the senior management of the bank must include:

OM-2.2.6

The management information system of a banking organisation plays a key role in establishing and maintaining an effective operational risk management framework.

OM-2.2.7

'Communication flow' serves the purpose of establishing a consistent operational risk management culture across the bank. 'Reporting flow' enables:

OM-3.1.7

[This Paragraph was deleted in July 2011].

OM-3.9.7

For the purpose of outsourcing of cloud services, licensees must ensure that, at a minimum, the following security measures are in place:

OM-5.1.1

All businesses may experience serious disruptions to their business operations. These disruptions may be caused by external events such as flooding, power failure or terrorism, or by internal factors such as human error or a serious computer breakdown. The probability of some events may be small, but the potential consequences may be massive, whereas other events may be more frequent and with shorter time horizons. The Joint Forum (the Basel Committee on Banking Supervision (BCBS), the International Organisation of Securities Commissions (IOSCO) and the International Association of Insurance Supervisors (IAIS)) have given additional background and context to the need for business continuity in its paper of August 2006 titled "High Level Principles for Business Continuity" (www.bis.org).

OM-5.1.2

According to the Joint Forum, in its paper, Business Continuity is "a whole of business approach for insuring that specified operations can be maintained or recovered in a timely fashion in the event of disruption. Its purpose is to minimize the operational, financial, legal, reputational, and other material consequences arising from a disruption". The objectives of a good business continuity plan ("BCP") are:

OM-5.1.3

Banks play a critical role in an economy, in providing payment services, as holders of people's savings, and as providers of finance. Hence, a BCP is especially critical for banks. It helps ensure that their business operations are resilient and the effects of disruptions in service are minimized and thus helps maintain confidence in the banking system.

OM-5.1.4

The requirements of this Chapter apply to all retail and wholesale banks (whether locally incorporated or a branch).

OM-5.1.5

Branch Licensees of foreign banks may apply alternative arrangements to those specified in this module, where they are subject to comprehensive BCP arrangements implemented by their head office or other member of their group, provided that:

OM-5.1.6

The requirements in this Chapter must be complied with in full by 1 October 2007. Failure to comply with these requirements after that will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

OM-5.1.7

For contingency planning relating to outsourcing activities, see Section OM-3.6.

OM-5.3.1

A Bank's Board of Directors and Senior Management are collectively responsible for a bank's business continuity. The Board must endorse the policies, standards and processes for a licensee's BCP, as established by its senior management. The Board and senior management must delegate adequate resources to develop the BCP, and for its maintenance and periodic testing.

OM-5.3.2

Licensees must establish a Crisis Management Team (CMT) to develop, maintain and test their BCP, as well as to respond to and manage the various stages of a crisis. The CMT must comprise members of senior management and heads of major support functions (e.g. building facilities, IT, corporate communications and human resources).

OM-5.3.3

Licensees must establish (and document as part of the BCP) individuals' responsibilities in helping prepare for and manage a crisis; and the process by which a disaster is declared and the BCP initiated (and later terminated).

OM-5.3.4

The CMT must submit regular reports to the Board and senior management on the results of the testing of the BCP (refer to section OM-5.9). Major changes must be developed by CMT, reported to senior management, and endorsed by the Board.

OM-5.3.5

The Chief Executive of a licensee must sign a formal annual statement submitted to the Board on whether the recovery strategies adopted are still valid and whether the documented BCP is properly tested and maintained. The annual statement must be included in the BCP documentation and will be reviewed as part of the CBB's on-site examinations.

OM-5.4.1

Licensees' BCPs must be based on (i) a business impact analysis (ii) an operational impact analysis, and (iii) a financial impact analysis. These analyses must be comprehensive, including all business functions and departments, not just IT or data processing.

OM-5.4.2

The key objective of a Business Impact Analysis is to identify the different kinds of risk to business continuity and to quantify the operational and financial impact of disruptions on a licensee's ability to conduct its critical business processes.

OM-5.4.3

A typical business impact analysis is normally comprised of two stages. The first is to identify and prioritise the critical business processes that must be continued in the event of a disaster. The first stage should take account of the impact on customers and reputation, the legal implications and the financial cost associated with downtime. The second stage is a time-frame assessment. This aims to determine how quickly the licensee needs to resume critical business processes identified in stage one.

OM-5.4.4

Operational impact analysis focuses on the firm's ability to maintain communications with customers and to retrieve key activity records. It identifies the organizational implications associated with the loss of access, loss of utility, or loss of a facility. It highlights which functions may be interrupted by an outage, and the consequences to the public and customer of such interruptions.

OM-5.4.5

A Financial Impact Analysis identifies the financial losses that (both immediate and also consequent to the event) arise out of an operational disruption.

OM-5.4.6

In developing a BCP, licensees must consider realistic threat scenarios that may (potentially) cause disruptions to their business processes.

OM-5.4.7

Licensees should analyse a threat by focusing on its impact on the business processes, rather than on the source of a threat. Certain scenarios can be viewed purely in terms of business disruption in specific work areas, systems or facilities. The scenarios should be sufficiently comprehensive to avoid the BCPs becoming too basic and thereby avoiding steps that could improve the resiliency of the licensee to disruptions.

OM-5.4.8

Business continuity plans must take into account different types of likely or plausible scenarios to which the bank may be vulnerable. In particular, the following specific scenarios must at a minimum, be considered in the BCP:

OM-5.4.9

Licensees must distinguish between threats with a higher probability of occurrence and a lower impact to the business process (e.g. brief power interruptions) to those with a lower probability and higher impact (e.g. a terrorist bomb).

OM-5.4.10

As a starting point, licensees must perform a "gap analysis". This gap analysis is a methodical comparison of what types of plans the licensee requires in order to maintain, resume or recover critical business operations or services in the event of a disruption, versus what the existing BCP provides. Management and the Board can address the areas that need development in the BCP, using the gap analysis.

OM-5.5.5

The BCP must contain a list of all key personnel. The list must include personal contact information on each key employee such as their home address, home telephone number, and cell phone or pager number so they may be contacted in case of a disaster or other emergency.

OM-5.5.6

The BCP must contain all the necessary process steps to complete each critical business operation or service. Each process must be explained in sufficient detail to allow another employee to perform the job in case of a disaster.

OM-5.5.7

Most business continuity efforts are dependent on the availability of an alternate site (i.e. recovery site) for successful execution. The alternate site may be either an external site available through an agreement with a commercial vendor or a site within the Licensee's real estate portfolio. A useable, functional alternate site is an integral component of BCP.

OM-5.5.8

Licensees must examine the extent to which key business functions are concentrated in the same or adjacent locations and the proximity of the alternate sites to primary sites. Alternate sites must be sufficiently remote from, and do not depend upon the same physical infrastructure components as a licensee's primary business location. This minimises the risk of both sites being affected by the same disaster (e.g. they must be on separate or alternative power grids and telecommunication circuits).

OM-5.5.9

Licensees' alternate sites must be readily accessible and available for occupancy (i.e. 24 hours a day, 7 days a week) within the time requirement specified in their BCP. Should the BCP so require, the alternate sites must have pre-installed workstations, power, telephones and ventilation, and sufficient space. Appropriate physical access controls such as access control systems and security guards must be implemented in accordance with Licensee's security policy.

OM-5.5.10

Other than the establishment of alternate sites, licensees should also pay particular attention to the transportation logistics for relocation of operations to alternate sites. Consideration should be given to the impact a disaster may have on the transportation system (e.g. closures of roads). Some staff may have difficulty in commuting from their homes to the alternate sites. Other logistics, such as how to re-route internal and external mail to alternate sites should also be considered. Moreover, pre-arrangement with telecommunication companies for automated telephone call diversion from the primary work locations to the alternate sites should be considered.

OM-5.5.11

Alternate sites for technology recovery (i.e. back-up data centres), which may be separate from the primary business site, should have sufficient technical equipment (e.g. workstations, servers, printers, etc.) of appropriate model, size and capacity to meet recovery requirements as specified by licensees' BCPs. The sites should also have adequate telecommunication (including bandwidth) facilities and pre-installed network connections as specified by their BCP to handle the expected voice and data traffic volume.

OM-5.5.12

Licensees should avoid placing excessive reliance on external vendors in providing BCP support, particularly where a number of institutions are using the services of the same vendor (e.g. to provide back-up facilities or additional hardware). Licensees should satisfy themselves that such vendors do actually have the capacity to provide the services when needed and the contractual responsibilities of the vendors should be clearly specified. Licensees should recognise that outsourcing a business operation does not transfer the associated business continuity management responsibilities.

OM-5.5.13

The contractual terms should include the lead-time and capacity that vendors are committed to deliver in terms of back-up facilities, technical support or hardware. The vendor should be able to demonstrate its own recoverability including the specification of another recovery site in the event that the contracted site becomes unavailable.

OM-5.5.14

Certain licensees may rely on a reciprocal recovery arrangement with other institutions to provide recovery capability (e.g. Cheque sorting and cash handling). Licensees should, however, note that such arrangements are often not appropriate for prolonged disruptions or an extended period of time. This arrangement could also make it difficult for Licensees to adequately test their BCP. Any reciprocal recovery agreement should therefore be subject to proper risk assessment and documentation by licensees, and formal approval by the Board.

OM-5.6.2

A BCP must set out a Crisis Management Plan (CMP) that serves as a documented guidance to assist the CMT in dealing with a crisis situation to avoid spill over effects to the business as a whole. The overall CMP, at a minimum, must contain the following:

OM-5.6.3

If CMT members need to be evacuated from their primary business locations, the licensee should set up a command centre to provide the necessary workspace and facilities for the CMT. Command centres should be sufficiently distanced from the licensee's primary business locations to avoid being affected by the same disaster.

OM-5.6.4

Each relevant business and support function must assign at least one member to be a part of the CMT to carry out the business resumption process for the relevant business and supported function. Appropriate recovery personnel with the required knowledge and skills must be assigned to the team.

OM-5.6.5

Generally, the business resumption process consists of three major phases:

OM-5.6.6

For the first two phases above, clear responsibilities should be established and activities prioritised. A recovery tasks checklist should be developed and included in the BCP.

OM-5.6.7

Business resumption very often relies on the recovery of technology resources that include applications, hardware equipment and network infrastructure as well as electronic records. The technology requirements that are needed during recovery for individual business and support functions should be specified when the recovery strategies for the functions are determined.

OM-5.6.8

Licensees should pay attention to the resilience of critical technology equipment and facilities such as the uninterruptible power supply (UPS) and the computer cooling systems. Such equipment and facilities should be subject to continuous monitoring and periodic maintenance and testing.

OM-5.6.9

Appropriate personnel must be assigned with the responsibility for technology recovery. Alternative personnel need to be identified as back up for key technology recovery personnel in the case of the latter unavailability to perform the recovery process.

OM-5.6.10

There are various disaster recovery models that can be adopted by licensees to handle prolonged disruptions. The traditional model is an "active/back-up" model, which is widely used by many organizations. This traditional model is based on an "active" operating site with a corresponding alternate site (back-up site), both for data processing and for business operations.

OM-5.6.11

A split operations model, which is increasingly being used by major institutions, operates with two or more widely separated active sites for the same critical operations, providing inherent back up for each other (e.g. branches). Each site has the capacity to take up some or all of the work of another site for an extended period of time. This strategy can provide nearly immediate resumption capacity and is normally able to handle the issue of prolonged disruptions.

OM-5.6.12

The split operations model may incur higher operating costs, in terms of maintaining excess capacity at each site and added operating complexity. It may also be difficult to maintain appropriately trained staff and the split operations model can pose technological issues at multiple sites.

OM-5.6.13

The question of what disaster recovery model to adopt is for individual licensees' judgment based on the risk assessment of their business environment and the characteristics of their own operations.

OM-5.8.1

Licensees must implement an awareness plan and business continuity training for employees to ensure that all employees are continually aware of their responsibilities and know how to remain in contact and what to do in the event of a crisis.

OM-5.8.2

Key employees should be involved in the business continuity development process, as well as periodic training exercises. Cross training should be utilised to anticipate restoring operations in the absence of key employees. Employee training should be regularly scheduled and updated to address changes to the BCP.

OM-5.8.3

Licensees must develop an awareness program and formulate a formal strategy for communication with key external parties (e.g. CBB and other regulators, investors, customers, counterparties, business partners, service providers, the media and other stakeholders) and provide for the type of information to be communicated. The strategy needs to set out all the parties the licensee must communicate to in the event of a disaster. This will ensure that consistent and up-to-date messages are conveyed to the relevant parties. During a disaster, ongoing and clear communication is likely to assist in maintaining the confidence of customers and counterparties as well as the public in general.

OM-5.8.4

The BCP must clearly indicate who may speak to the media and other key external parties, and have pre-arrangements for redirecting external communications to designated staff during a disaster. Important contact numbers and e-mail addresses of key external parties must be kept in a readily accessible manner (e.g. in wallet cards or licensees' intranet).

OM-5.8.5

Licensees may find it helpful to prepare draft press releases as part of their BCP. This will save the CMT time in determining the main messages to convey in a chaotic situation. Important conversations with external parties should be properly logged for future reference.

OM-5.8.6

As regards internal communication, the BCP should set out how the status of recovery can be promptly and consistently communicated to all staff, parent bank, head office, branches and subsidiaries (where appropriate). This may entail the use of various communication channels (e.g. broadcasting of messages to mobile phones of staff, Licensees websites, e-mails, intranet and instant messaging).

OM-5.8.7

Licensees must have proper insurance coverage to reduce the financial losses that they may face during a disaster. Licensees must regularly review the adequacy and coverage of their insurance policies in reducing any foreseeable risks caused by disasters (e.g. loss of offices, critical IT facilities and equipment).

OM-5.8.8

Licensees may need to coordinate with community and government officials and the media to ensure the successful implementation of the BCP. This establishes proper protocol in case a city- wide or region- wide event impacts the licensee's operations. During the recovery phase, facilities access, power, and telecommunications systems should be coordinated with various entities to ensure timely resumption of operations. Facilities access should be coordinated with the police and fire department and, depending on the nature and extent of the disaster.

OM-5.8.9

Licensees must disclose how their BCP addresses the possibility of a future significant business disruption and how the licensee will respond to events of varying scope. Licensees must also state whether they plan to continue business during disruptions and the planned recovery time. The licensees might make these disclosures on their websites, or through mailing to key external parties upon request. In all cases, BCP disclosures must be reviewed and updated to address changes to the BCP.

OM-5.9.1

A BCP is not complete if it has not been subject to proper testing. Testing is needed to ensure that the BCP is operable. Testing verifies the awareness of staff and the preparedness of differing departments/functions of the bank.

OM-5.9.2

Licensees must test their BCPs at least annually. Senior management must participate in the annual testing, and demonstrate their awareness of what they are required to do in the event of the BCP being involved. Also, the recovery and alternate personnel must participate in testing rehearsals to familiarise themselves with their responsibilities and the back-up facilities and remote sites (where applicable).

OM-5.9.3

All of the BCP's related risks and assumptions must be reviewed for relevancy and appropriateness as part of the annual planning of testing. The scope of testing must be comprehensive enough to cover the major components of the BCP as well as coordination and interfaces among important parties. A testing of particular components of the BCP or a fully integrated testing must be decided or depending on the situation. The following points must be included in the annual testing:

OM-5.9.4

Formal testing reviews of the BCP must be performed to assess the thoroughness and effectiveness of the testing. Specifically, a post-mortem review report must be prepared at the completion of the testing stage for formal sign-off by Licensees' senior management. If the testing results indicate weaknesses or gaps in the BCP, the plan and recovery strategies must be updated to remedy the situation.

OM-5.9.5

Licensees must have formal procedures to keep their BCP updated with respect to any changes to their business. In the event of a plan having been activated, a review process must be carried out once normal operations are restored to identify areas for improvement. If vendors are needed to provide vital recovery services, there must be formal processes for regular (say, annual) reviews of the appropriateness of the relevant service level agreements.

OM-5.9.6

Individual business and support functions, with the assistance of the CMT, must review their business impact analysis and recovery strategy on an annual basis. This aims to confirm the validity of, or whether updates are needed to, the BCP requirements (including the technical specifications of equipment of the alternate sites) for the changing business and operating environment.

OM-5.9.7

The contact information for key staff, counterparties, customers and service providers must be updated as soon as possible when notification of changes is received.

OM-5.9.8

Significant internal changes (e.g. merger or acquisitions, business re-organisation or departure of key personnel) must be reflected in the plan immediately and reported to senior management.

OM-5.9.9

Copies of the BCP document must be stored at locations separate from the primary site. A summary of key steps to be taken in an emergency situation must be made available to senior management and other key personnel.

OM-5.9.10

The internal audit function of a licensee or its external auditors must conduct periodic reviews of the BCP to determine whether the plan remains realistic and relevant, and whether it adheres to the policies and standards of the licensee. This review must include assessing the adequacy of business process identification, threat scenario development, business impact analysis and risk assessments, the written plan, testing scenarios and schedules, and communication of test results and recommendations to the Board.

OM-5.9.11

Significant findings must be brought to the attention of the Board and Senior Management within three months of the completion of the review. Furthermore, Senior Management and the Board must ensure that any gaps or shortcomings reported to them are addressed in an appropriate and timely manner.

OM-6.1.1

Retail banks must maintain up to date Payment Card Industry Data Security Standards (PCI-DSS) certification. The initial certification must be obtained by 30th April 2017. Failure to comply with this requirement will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

OM-6.1.1.A

In order to maintain up to date PCI-DSS certification, retail banks will be periodically audited by PCI authorised companies for compliance. Licensees are asked to make certified copies of such documents available if requested by the CBB.

OM-6.1.2

All head offices are required to maintain Ministry of Interior ("MOI") guards or alternatively MOI trained and permanently licensed private security guards of licensed private security companies, on a 24 hours basis. All branches must also maintain a 24 hour MOI guard. However, if branches satisfy the criteria mentioned in Paragraphs OM-6.1.3 to OM-6.1.22 below, they may maintain MOI guards during opening hours only. Furthermore, branches will be allowed to replace MOI armed guards with private security guards subject to the approval of the MOI. Training and approval of private security guards will be given by the MOI.

OM-6.1.3

Public entrances to head offices and branches must be protected by measures such as steel rolling shutters, or the external doors must be of solid steel or a similar solid material of equivalent strength and resistance to fire.

OM-6.1.4

Other external entrances must have steel doors or be protected by steel rolling shutters. Preferably, all other external entrances must have the following security measures:

OM-6.1.5

If additional security measures to those mentioned in OM-6.1.3 and OM-6.1.4 such as security cameras, motion detectors or intruder alarms are installed, the requirement for steel external doors or protection by steel rolling shutters is waived.

OM-6.1.6

External windows must have security measures such as anti blast films and movement detectors. For ground floor windows, banks may also wish to add steel grills fastened into the wall.

OM-6.1.7

Branch alarm systems should have the following features:

OM-6.1.8

Teller counters must be screened off from customers by a glass screen of no less than 1 meter in height from the counter work surface or 1.4 meters from the floor.

OM-6.1.9

All areas where cash is handled must be screened off from customers and other staff areas.

OM-6.1.10

Access to teller areas must be restricted to authorised staff only. The design of the teller area must not allow customers to pass through it.

OM-6.1.11

Panic alarm systems for teller staff must be installed. The choice between silent or audible panic alarms is left to individual banks. Kick bars and/or hold up buttons must be spread throughout the teller and customer service areas and the branch manager's office. The panic alarm must be linked to the MOI Central Monitoring Unit.

OM-6.1.12

Cash precious metals and bearer instruments must be kept in fireproof cabinets/safes. Preferably, these cabinets/safes must be located in strong rooms.

OM-6.1.13

Strong rooms must be made of reinforced solid concrete, or reinforced block work. Doors to strong rooms must be steel and preferably also have a steel shutter fitted. Dual locking devices must be installed in strong room doors. Strong room doors must be located out of the sight of customers.

OM-6.1.14

Strong rooms must not contain any other openings except the entry door and where necessary, an air conditioning outlet. The air conditioning outlet must be protected with a steel grill.

OM-6.1.15

[This Paragraph was deleted in April 2016.]

OM-6.1.16

[This Paragraph was deleted in April 2016 and requirements were moved to Section OM-6.4.]

OM-6.1.17

[This Paragraph was deleted in April 2016.]

OM-6.1.18

[This Paragraph was deleted in April 2016 and requirements were moved to Section OM-6.4.]

OM-6.1.19

[This Paragraph was deleted in April 2016 and requirements are now covered under Paragraph OM-6.4.14.]

OM-6.1.20

All head offices and branches must have a CCTV network and alarm system which are connected to a central monitoring unit located in the head office, along with a Video Monitoring System (VMS) and to the MOI Central Monitoring Unit.

OM-6.1.21

At a minimum, CCTV cameras must cover the following areas:

OM-6.1.22

Notices of CCTV cameras in operation must be put up for the attention of the public. CCTV records must be maintained for a minimum 45-day period. The transmission rate (in terms of the number of frames per second) must be high enough to make for effective monitoring. Delayed transmission of pictures to the Central Monitoring Unit is not acceptable. The CCTV system must be operational 24 hours per day.

OM-6.1.23

Banks must establish the formal position of security manager. This person will be responsible for ensuring all bank staff are given annual, comprehensive security training. Banks must produce a security manual or procedures for staff, especially those dealing directly with customers. For banks with three or more branches, this position must be a formally identified position. For banks with one or two branches, the responsibilities of this position may be added to the duties of a member of management.

OM-6.1.24

The security manager must maintain records on documented security related complaints by customers and take corrective action or make recommendations for action on a timely basis. Actions and recommendations must also be documented.

OM-6.1.25

Banks must consider safety and security issues when selecting premises for new branches. Key security issues include prominence of location (i.e. Is the branch on a main street or a back street?), accessibility for emergency services, and assessment of surrounding premises (in terms of their safety or vulnerability), and the number of entrances to the branch. All banks are required to hold an Insurance Blanket Bond (which includes theft of cash in its cover).

OM-6.1.26

Further rules on ATM Physical Security Measures are contained in Section OM-6.4.

OM-6.3.1

The requirements in this Section must be complied with in full by 30^th April 2017, or as specified otherwise. Failure to comply with these requirements will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

OM-6.3.1A

All cards (debit, credit, charge, prepaid, etc.) issued by licensees in the Kingdom of Bahrain must be EMV compliant. Moreover, all ATMs, CDMs, POS, etc. must be EMV compliant for accepting cards issued in the Kingdom of Bahrain. In this context, EMV compliant means using chip and online PIN authentication. However, contactless card payment transactions, where no PIN verification is required, are permitted for small amounts i.e. up to BD 20 per transaction, provided that conventional bank licensees bear full responsibility in case of fraud occurrence.

OM-6.3.1B

Conventional bank licensees are allowed to provide cash withdrawal and payment services using various channels, including but not limited to, contactless, cardless, QR code, e-wallets, biometrics (iris recognition, facial recognition, fingerprint, voiceprint, etc.), subject to enrolling customers through registration process wherein customers' acceptance of products/services terms and conditions are documented and customers are properly authenticated.

OM-6.3.1C

Conventional retail bank licensees must ensure that all currently installed ATMs support contactless payment using Near Field Communication "NFC" technology. The changes necessary to the software/hardware to meet this requirement must be completed no later than 1^st April 2020.

OM-6.3.1D

Conventional retail bank licensees must ensure, with effect from 18^th August 2019, that all new installations of ATM machines support contactless payment using Near Filed Communication "NFC" technology.

OM-6.3.1E

Conventional retail bank licensees must ensure, with effect from 1^st October 2019, that any new POS terminals or devices support contactless payment using Near Filed Communication "NFC" technology.

OM-6.3.1F

Conventional retail bank licensees must ensure, that any payment card issued or reissued (credit, debit, prepaid and charge cards) on or after 12^th October 2019 supports contactless payment using Near Field Communications "NFC" technology.

OM-6.3.2

All conventional bank licensees issuing debit, prepaid and/or credit cards must ensure that all Bahrain issued cards enable each customer to maintain a list of 'approved' countries for card ATM/Point of Sale (POS) transactions. Customers must be allowed to determine those countries in which their card must not be accepted as well as countries or merchant categories in which a card transaction would require a further level of authorisation, (for example, 2-way SMS).

OM-6.3.2A

All card acquirer licensees must communicate to the concerned merchants that the CBB has directed to stop the practice of double swiping of payment cards by some merchants at the merchant's POS terminals/ECR, with effect from 15th June, 2017.

OM-6.3.2B

For the purpose of Paragraph OM-6.3.2A, card acquirer licensee means a CBB licensee that enters into a contractual relationship with a merchant and the payment card issuer, under a card payment scheme, for accepting and processing payment card transactions. Card acquirers include three-party payment card network operators, who have outsourced their acquiring services to third party service providers.

OM-6.3.2C

For the purpose of Paragraph OM-6.3.2A, double swiping means swiping of a payment card by a merchant at the POS terminal/ECR for the second time, resulting in capturing and storing of payment cardholder data and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response.

OM-6.3.2D

All card acquirer licensees must include the following clause into the merchant agreements entered into with all their merchants and bring into force the said clause on or before 15th June, 2017: "Pursuant to the CBB directions and instructions, the merchant shall stop double swiping of a payment card at a merchant's point-of-sale (POS) terminal/electronic cash register (ECR) to capture or store cardholder and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response. The merchant asserts its full compliance with the obligation contained in this clause and understands that any breach of this clause will expose the merchant to mandatory contractual and/or legal disciplinary actions by the relevant regulator and/or concerned Ministry."

OM-6.3.2E

All card acquirer licensees must:

OM-6.3.3

If the Automated Teller Machines (ATM) environment permits access to internal areas where account data is processed and/or stored (e.g., for service or maintenance), these areas must be effectively protected from access by unauthorised persons to mitigate the risk associated with attaching/inserting malicious additional components, especially those which may be designed to capture sensitive data. Banks must encrypt account data or secure access to such data by effective physical barriers such as strong walls, doors, and mechanical locks.

OM-6.3.4

All entry to sensitive areas must be recorded, including the name of the persons accessing the area; the date; and the time of access to and exit from the area. CCTV cameras must be installed, and used to record all activities within the ATM environment.

OM-6.3.5

Banks are required to implement best industry practice in respect of hardware and software development and integration, including but not limited to formal specification, test plans, and documentation. Hardware and software should only be introduced to the environment following a successful programme of testing.

OM-6.3.6

All test plans and the outcomes of these plans must be retained by the bank for a minimum of five years from the date of testing and be available on request to the CBB or their authorised representatives. Examples of instances in which a detailed testing process must be undertaken prior to installation and integration of components include, but are not limited to, secure card readers or EPPs. In all instances the applicable standards relating to Payment Card Industry (PCI), PIN Transaction Security (PTS), and Point of Interaction (POI) requirements must be fully complied with.

OM-6.3.7

Banks must ensure that the integration of Secure Card Readers, (SCRs) and, if applicable, any mechanism protecting the SCRs are properly implemented and fully comply with the guidelines provided by the device vendor. SCRs must be approved by and fully comply with all Payment Card Industry standards at all times.

OM-6.3.8

Banks must ensure that all ATMs, including offsite ATMs, are equipped with mechanisms which prevent skimming attacks. There must be no known or demonstrable way to disable or defeat the above-mentioned mechanisms, or to install an external or internal skimming device.

OM-6.3.9

Banks must ensure that their ATM software security measures comply with the following:

OM-6.3.10

ATMs should incorporate dedicated tampering protection capabilities.

OM-6.3.11

Banks must ensure that their device management/operation controls comply with the following:

OM-6.3.12

Banks must ensure that their ATM application management complies with the following:

OM-6.4.1

The requirements in this Section must be complied with in full by 31^st March 2017. Failure to comply with any of these requirements will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

OM-6.4.2

Banks must record the details of the site risk assessments and retain such records for a period of five years from the date of the ATM installation, or whatever other period required by the Ministry of the Interior or the CBB from time to time, whichever is the longer.

OM-6.4.3

Applications for the installation of off-site ATMs must be sent in writing, and in accordance with the requirements set out in Paragraphs OM-6.4.6 to Paragraphs OM-6.4.12 to the Supervisory Point of Contact (SPoC), at the CBB.

OM-6.4.4

The purpose of the content of Paragraphs OM-6.4.5 to OM-6.4.12 is to set out the minimum criteria to be followed by banks for the installation and usage of off-site ATMs in the Kingdom of Bahrain.

OM-6.4.5

The ownership and operations of any off-site ATMs is subject to the prior written approval of the CBB and must comply with the Rules outlined in Paragraph OM-6.4.6.

OM-6.4.6

Off-site ATMs must be owned either individually or jointly by banks or ancillary service providers which are members of the BENEFIT Switch. Each relevant owning bank must already have linked its ATM capability to the BENEFIT Switch prior to requesting the CBB's permission to install an off-site ATM and, furthermore, must conform to the general standards set by the Benefit Company from time to time or the ancillary service provider licensed by the CBB.

OM-6.4.7

Banks must bear full legal responsibility for their respective off-site ATMs, as well as all costs associated with such ATMs (including, but not limited to, cash replenishment, installation, security etc.).

OM-6.4.8

Banks wishing to install an off-site ATM must submit an application (in writing) for the CBB's approval (see Paragraph BR-5.3.3). A copy of the written permission (for installation of that off-site ATM) of the legal owner of the proposed location must be provided to the CBB, as well as a copy of the written permission of any other relevant authorities in this context (e.g. the Ministry of Interior).

OM-6.4.9

The CBB will consider applications on a 'first come, first served' basis for a particular location. If more than one application is received to install an off-site ATM in the same location, the number of such applications which are approved will depend upon whether the location appears to the CBB to be capable of sustaining multiple off-site ATMs subject to the exact details of each individual application regarding security being acceptable to the CBB.

OM-6.4.10

Each application will be assessed on its individual merits, and at the CBB's sole discretion, taking into account factors which the CBB considers relevant including, but not limited to:

OM-6.4.11

In addition to the information required by the CBB under Paragraph OM-6.4.8, the CBB may require further information/clarification to be provided to it before it takes a decision regarding the application. The CBB's decision in this regard will be notified to each relevant applicant bank in writing.

OM-6.4.12

A bank must request in writing the CBB's permission to close any of its off-site ATMs.

OM-6.4.13

The CBB may, at its sole discretion, require an off-site ATM to be closed and decommissioned at any time.

OM-6.4.14

In addition to alarming the premises, banks must alarm the ATM itself, in a way which activates audibly when the ATM is under attack. The system must be monitored by remote signaling to an appropriate local police response designated by the Ministry of the Interior. Banks must consider the following:

OM-6.4.15

Banks must ensure that ATMs are equipped with Closed-circuit television (CCTV). The location of camera installation must be carefully chosen to ensure that images of the ATM are recorded, however keypad entry are not recorded. The camera must support the detection of the attachment of alien devices to the fascia (external body) and possess the ability to generate an alarm for remote monitoring if the camera is blocked or otherwise disabled.

OM-6.4.15A

For the purposes of Paragraph OM-6.4.15, the location of camera installation in drive-thru ATMs must be carefully chosen to ensure that the images of the vehicle number plates are clearly captured at both daytime and nighttime.

OM-6.4.16

As a minimum, CCTV activity must be recorded (preferably in digital format) and, where risk dictates, remotely monitored by a third party ARC.

OM-6.4.17

When an ATM is located in an area where a public CCTV system operates, the deployer or agent must liaise with the agency responsible for the CCTV system to include the ATM site in any preset automatic camera settings or to request regular sweeps of the site. The CCTV system must not be able to view the ATM keypad thereby preventing observation of PIN entry.

OM-6.4.18

Banks must ensure that the specifications of CCTV cameras meet the following minimum requirements:

OM-6.4.19

Banks must ensure that the following network requirements are met for connecting the Banks CCTV system to MOI Control room:

OM-6.4.20

Banks must ensure that adequate and effective lighting is operational at all times within the ATM environment. The standard of the proposed lighting must be agreed with the Ministry of the Interior and other relevant authorities, and tested at least once every three months to ensure that the lighting is in good working order.

OM-6.4.20A

Banks must ensure that adequate and effective lighting is operational within drive-thru ATMs to enable the CCTV cameras to capture the vehicle number plates at both daytime and nighttime.

OM-6.4.21

This Paragraph was deleted in July 2017.

OM-6.4.22

This Paragraph was deleted in April 2017.

OM-6.4.23

This Paragraph was deleted in April 2017.

OM-6.4.24

Banks must ensure that effective fire alarm and fire defense measures, such as a sprinkler, are installed and functioning for all ATMs. These alarms must be linked to the "General Directorate of Civil Defense" in Bahrain.

OM-6.4.25

All cash movements between branches, to and from the CBB and to off-site ATMs must be performed by specialised service providers.

OM-6.4.26

Banks must maintain a list of all maintenance, replenishment and inspection visits by staff or other authorised parties.

OM-6.5.2

Banks should ensure that street-based ATMs are installed with an audible alarm sounder, and a visual flashing warning light, to indicate when the ATM is under attack.

OM-6.5.3

Banks should obtain and act upon advice provided by the Ministry of the Interior in respect of protecting the ATM installation with an armored anti-bandit shroud which is placed around the ATM to prevent any bombing or other physical attempts to damage the ATM.

OM-7.3.1

Conventional bank licensees must maintain the following records in original form or in hard copy at their premises in Bahrain:

OM-7.3.2

In the case of Bahrain conventional bank licensees, these requirements apply to the licensee as a whole, including any overseas branches. In the case of overseas conventional bank licensees, all the requirements of Chapter OM-7 are limited to the business booked in their branch in Bahrain and the records of that branch (see Rule OM-7.1.1). They are thus not required to hold copies of shareholders' and Directors' meetings, except where relevant to the branch's operations.

OM-7.3.3

Record-keeping requirements with respect to customer records, including customer identification and due diligence records, are contained in Module FC (Financial Crime). These requirements address specific requirements under the Amiri Decree Law No. 4 of 2001, the standards promulgated by the Financial Action Task Force, as well as to the best practice requirements of the Basel Committee Core Principles methodology, and its paper on "Customer due diligence for banks".

OM-7.3.4

Conventional bank licensees must maintain all materials related to promotional schemes as outlined in Section BC-1.1 for a minimum period of 5 years.

OM-8.2.2

Principle 1: The board of directors must take the lead in establishing a strong risk management culture. The board of directors and senior management must establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. In this regard, it is the responsibility of the board of directors to ensure that a strong operational risk management culture exists throughout the whole organisation.

OM-8.2.3

Banks with a strong culture of risk management and ethical business practices are less likely to experience potentially damaging operational risk events and are better placed to deal effectively with those events that do occur. The actions of the board and senior management, and policies, processes and systems provide the foundation for a sound risk management culture. More details on the role of the board and senior management are to be found in Chapters HC-1, HC-2, and HC-6 as well as in Chapters CM-1 and OM-2.

OM-8.2.4

The board must establish a code of conduct or an ethics policy that sets clear expectations for integrity and ethical values of the highest standard and identify acceptable business practices and prohibited conflicts (see Section HC-2.2).

OM-8.2.5

Clear expectations and accountabilities ensure that bank staff understand their roles and responsibilities for risk, as well as their authority to act. Strong and consistent senior management support for risk management and ethical behaviour convincingly reinforces codes of conduct and ethics, compensation strategies, and training programmes.

OM-8.2.6

Compensation policies must be aligned to the bank's statement of risk appetite and tolerance, long-term strategic direction, financial goals and overall safety and soundness. They must also appropriately balance risk and reward (see Chapter HC-5 concerning remuneration).

OM-8.2.7

Banks should refer to the Financial Stability Board's Principles for Sound Compensation Practices, published in September 2009 regarding compensation policies.

OM-8.2.8

Senior management should ensure that an appropriate level of operational risk training is available at all levels throughout the organisation. Training that is provided should reflect the seniority, role and responsibilities of the individuals for whom it is intended.

OM-8.2.9

Principle 2: Banks must develop, implement and maintain a Framework that is fully integrated into the bank's overall risk management processes. The Framework for operational risk management chosen by an individual bank will depend on a range of factors, including its nature, size, complexity and risk profile.

OM-8.2.10

The fundamental premise of sound risk management is that the board of directors and bank management understand the nature and complexity of the risks inherent in the portfolio of bank products, services and activities. This is particularly important for operational risk, given that operational risk is inherent in all business products, activities, processes and systems.

OM-8.2.11

A vital means of understanding the nature and complexity of operational risk is to have the components of the Framework fully integrated into the overall risk management processes of the bank. The Framework should be appropriately integrated into the risk management processes across all levels of the organisation including those at the group and business line levels, as well as into new business initiatives' products, activities, processes and systems. In addition, results of the bank's operational risk assessment should be incorporated into the overall bank business strategy development processes.

OM-8.2.12

The Framework must be comprehensively and appropriately documented in board of directors approved policies and must include definitions of operational risk and operational loss. Banks that do not adequately describe and classify operational risk and loss exposure may significantly reduce the effectiveness of their Framework.

OM-8.2.13

Framework documentation must clearly:

OM-8.2.14

Principle 3: The board of directors must establish, approve and periodically review the Framework. The board of directors must oversee senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.

OM-8.2.15

The board of directors must:

OM-8.2.16

Strong internal controls are a critical aspect of operational risk management, and the board of directors must establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment must provide appropriate independence/separation of duties between operational risk management functions, business lines and support functions.

OM-8.2.17

Principle 4: The board of directors must approve and review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of operational risk that the bank is willing to assume.

OM-8.2.18

When approving and reviewing the risk appetite and tolerance statement, the board of directors must consider all relevant risks, the bank's level of risk aversion, its current financial condition and the bank's strategic direction. The risk appetite and tolerance statement should encapsulate the various operational risk appetites within a bank and ensure that they are consistent. The board of directors must approve appropriate thresholds or limits for specific operational risks, and an overall operational risk appetite and tolerance.

OM-8.2.19

The board of directors must regularly review the appropriateness of limits and the overall operational risk appetite and tolerance statement. This review must consider changes in the external environment, material increases in business or activity volumes, the quality of the control environment, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume or nature of limit breaches. The board must monitor management adherence to the risk appetite and tolerance statement and provide for timely detection and remediation of breaches.

Senior Management

OM-8.2.30

Principle 6: Senior management must ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.

OM-8.2.31

Risk identification and assessment are fundamental characteristics of an effective operational risk management system. Effective risk identification considers both internal factors (such as the bank's structure, the nature of the bank's activities, the quality of the bank's human resources, organisational changes and employee turnover) and external factors (such as changes in the broader environment and the industry and advances in technology). Sound risk assessment allows the bank to better understand its risk profile and allocate risk management resources and strategies most effectively.

OM-8.2.32

Examples of tools that may be used for identifying and assessing operational risk include:

OM-8.2.33

The bank must ensure that the internal pricing and performance measurement mechanisms appropriately take into account operational risk. Where operational risk is not considered, risk-taking incentives might not be appropriately aligned with the risk appetite and tolerance.

OM-8.2.34

Principle 7: Senior management must ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.

OM-8.2.35

In general, a bank's operational risk exposure is increased when a bank engages in new activities or develops new products; enters unfamiliar markets; implements new business processes or technology systems; and/or engages in businesses that are geographically distant from the head office. Moreover, the level of risk may escalate when new products activities, processes, or systems transition from an introductory level to a level that represents material sources of revenue or business-critical operations. A bank should ensure that its risk management control infrastructure is appropriate at inception and that it keeps pace with the rate of growth of, or changes to, products activities, processes and systems.

OM-8.2.36

A bank must have policies and procedures that address the process for review and approval of new products, activities, processes and systems. The review and approval process should consider:

OM-8.2.37

The approval process should also include ensuring that appropriate investment has been made for human resources and technology infrastructure before new products are introduced. The implementation of new products, activities, processes and systems should be monitored in order to identify any material differences to the expected operational risk profile, and to manage any unexpected risks.

OM-8.2.38

Principle 8: Senior management must implement a process to regularly monitor operational risk profiles and material exposures to losses. Appropriate reporting mechanisms must be in place at the board, senior management, and business line levels that support proactive management of operational risk.

OM-8.2.39

Banks are encouraged to continuously improve the quality of operational risk reporting. A bank should ensure that its reports are comprehensive, accurate, consistent and actionable across business lines and products. Reports should be manageable in scope and volume; effective decision-making is impeded by both excessive amounts and paucity of data.

OM-8.2.40

Reporting should be timely and a bank should be able to produce reports in both normal and stressed market conditions. The frequency of reporting should reflect the risks involved and the pace and nature of changes in the operating environment. The results of these monitoring activities should be included in regular management and board reports, as should assessments of Framework performed by the internal audit and/or risk management and compliance functions. Reports generated by (and/or for) supervisory authorities should also be reported internally to senior management and the board, where appropriate.

OM-8.2.41

Operational risk reports may contain internal financial, operational, and compliance indicators, as well as external market or environmental information about events and conditions that are relevant to decision making. Operational risk reports should include:

OM-8.2.42

Data capture and risk reporting processes should be analysed periodically with a view to continuously enhancing risk management performance as well as advancing risk management policies, procedures and practices.

OM-8.2.43

Principle 9: Banks must have a strong control environment that utilises:

OM-8.2.44

Internal controls must be designed to provide assurance that a bank will:

OM-8.2.45

A sound internal control programme consists of five components that are integral to the risk management process: control environment, risk assessment, control activities, information and communication, and monitoring activities. These components are outlined in more detail in the Basel Committee paper "Framework for Internal Control Systems in Banking Organisations".

OM-8.2.46

Control processes and procedures should be established and banks should have a system in place for ensuring compliance with a documented set of internal policies concerning the risk management system. Principal elements of this could include, for example:

OM-8.2.47

An effective internal control environment also requires appropriate segregation of duties. Assignments that establish conflicting duties for individuals, or a team without dual controls or other countermeasures may enable concealment of losses, errors or inappropriate actions. Therefore, areas of potential conflicts of interest should be identified, minimised, and subject to careful independent monitoring and review.

OM-8.2.48

In addition to segregation of duties and dual controls, banks should ensure that other traditional internal controls are in place as appropriate to address operational risk. Examples of these controls include:

OM-8.2.49

Effective use and sound implementation of technology can contribute to the control environment. For example, automated processes are less prone to error than manual processes. However, automated processes introduce risks that must be addressed through sound technology governance and infrastructure risk management programmes.

OM-8.2.50

The use of technology related products, activities, processes and delivery channels exposes a bank to strategic, operational, and reputational risks and the possibility of material financial loss. Consequently, a bank should have an integrated approach to identifying, measuring, monitoring and managing technology risks. Sound technology risk management uses the same precepts as operational risk management and includes:

OM-8.2.51

Management should ensure the bank has a sound technology infrastructure that:

OM-8.2.52

Mergers and acquisitions resulting in fragmented and disconnected infrastructure, cost-cutting measures or inadequate investment can undermine a bank's ability to aggregate and analyse information across risk dimensions or the consolidated enterprise, manage and report risk on a business line or legal entity basis, or oversee and manage risk in periods of high growth. Management should make appropriate capital investment or otherwise provide for a robust infrastructure at all times, particularly before mergers are consummated, high growth strategies are initiated, or new products are introduced.

OM-8.2.53

In those circumstances where internal controls do not adequately address risk and exiting the risk is not a reasonable option, management can complement controls by seeking to transfer the risk to another party such as through insurance. The board of directors should determine the maximum loss exposure the bank is willing and has the financial capacity to assume, and should perform an annual review of the bank's risk and insurance management programme.

OM-8.2.54

Because risk transfer is an imperfect substitute for sound controls and risk management programmes, banks should view risk transfer tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly identify, recognise and rectify distinct operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, transfer the risk to another business sector or area, or create a new risk (eg counterparty risk).

OM-8.2.55

Principle 10: A bank's public disclosures must allow stakeholders to assess its approach to operational risk management.

OM-8.2.56

A bank's public disclosure of relevant operational risk management information can lead to transparency and the development of better industry practice through market discipline. The amount and type of disclosure should be commensurate with the size, risk profile and complexity of a bank's operations, and evolving industry practice. See also Chapter HC-8 and Chapter PD-1 on disclosure requirements.

OM-8.2.57

A bank should disclose its operational risk management Framework in a manner that will allow stakeholders to determine whether the bank identifies, assesses, monitors and controls/mitigates operational risk effectively.

OM-8.2.58

A bank's disclosures should be consistent with how senior management and the board of directors assess and manage the operational risk of the bank.

OM-8.2.59

A bank must have a formal disclosure policy approved by the board of directors that addresses the bank's approach for determining what operational risk disclosures it will make and the internal controls over the disclosure process. In addition, banks must implement a process for assessing the appropriateness of their disclosures, including the verification and frequency of them.