Back Custom print Link Text Only Rich Text Print

  • OM-A.3 OM-A.3 Module History

    • OM-A.3.1

      This Module was first issued in July 2004 as part Volume one of the CBB Rulebook (Volume one). All directives in this Module have been effective since this date. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made; Chapter UG-3 provides further details on Rulebook maintenance and version control.

      October 07

    • OM-A.3.2

      When the CBB replaced the BMA in September 2006, the provisions of this Module remained in force. Volume 1 was updated in October 2007 to reflect the switch to the CBB; however, new calendar quarter dates were only issued where the update necessitated changes to actual requirements.

      October 07

    • OM-A.3.3

      The most recent changes made to this Module are detailed in the table below:

      Summary of Changes

      Module Ref. Change Date Description of Changes
      OM-5.1 01/04/05 Physical security measures.
      OM-4.2 01/10/05 Succession planning for locally incorporated banks.
      OM-5.1 01/10/05 Clarification of security manager role for smaller banks.
      OM-B & OM-1.2 01/04/06 Minor amendments concerning roles of Board and management.
      OM-5.1.15–OM-5.1.24 01/04/06 New security requirements for ATM security arrangements and reporting of security related complaints.
      OM-A.2.1–OM-A.2.6 01/10/07 Purpose (expanded)
      OM-A.2.1–OM-A.2.6 01/10/07 Key Requirements (deleted)
      OM-2.1–2.2 & 2.4 01/10/07 Relocation of Succession Planning Requirements from OM-4
      OM-5.1–OM-5.9 01/10/07 Business Continuity Planning (expanded)
      OM-7 01/10/07 Books and Records Chapter transferred from Module GR
      OM-8 01/04/08 Basel II Qualitative Operational Risk Requirements
      OM 01/2011 Various minor amendments to ensure consistency in CBB Rulebook.
      OM-A.1.3 and OM-A.1.4 01/2011 Clarified legal basis.
      OM-7.1.4 04/2011 This Paragraph was deleted as Ministerial Order 23 does not apply to CBB licensees.
      OM-7.3.4 04/2011 Clarified retention period of records for promotional schemes.
      OM 07/2011 Various minor amendments to clarify Rules and have consistent language.
      OM-2.4 07/2011 Amended CBB reporting requirements regarding succession planning.
      OM-3.1.7 07/2011 Paragraph deleted as no longer applicable since standard conditions and licensing criteria document has now been incorporated as part of Volume 1.
      OM-6.2 10/2011 Added new Section on internet security.
      OM-7.1.7 10/2011 Corrected typo.
      OM-A.1.3 01/2012 Updated legal basis.
      OM-2.1.4 01/2012 Corrected cross reference.
      OM-3.2.2 04/2012 Deleted last sentence of Paragraph as it repeats the requirement under Paragraph OM-3.3.1
      OM-6.2.2 04/2012 Clarified penetration testing interval for internet security.
      OM-1.1.4 10/2012 Amended to reflect updated version of Basel Committee document.
      OM-3.2.6, OM-5.2.1, OM-5.4.8, OM-8 10/2012 Amended to reflect the Basel June 2011 paper on Principles for the Sound Management of Operational Risk.
      OM-6.2 07/2013 Amended reporting requirements related to internet security measures.
      OM-6.2.1 10/2013 Amended Rule to apply to all banks.
      OM-3.7.2 10/2015 Clarified Rule on internal audit outsourcing.
      OM-6 04/2016 Updated ATM security measures for banks.
      OM-3.9 07/2016 Added new Section dealing with outsourcing of functions containing customer information.
      OM-5.10 10/2016 Added new Section on Cyber Security Risk Management
      OM-6.4.3 10/2016 Corrected cross references
      OM-6.4.4 10/2016 Corrected cross references
      OM-6.4.5 10/2016 Corrected cross references
      OM-6.6 10/2016 Added new Section on Cyber Security Measures
      OM-3.9.2 01/2017 Amended paragraph on customer information
      OM-3.9.6 01/2017 Added new guidance paragraph on customer information
      OM-6.4.22 04/2017 ATM requirement on Solid Wall deleted.
      OM-6.4.23 04/2017 ATM requirement on Solid Wall deleted.
      OM-6.3.1 07/2017 Clarified requirements on compliance date.
      OM-6.3.2A 07/2017 Added new paragraph on Prohibition of Double Swiping.
      OM-6.3.2B 07/2017 Added new paragraph on Prohibition of Double Swiping.
      OM-6.3.2C 07/2017 Added new paragraph on Prohibition of Double Swiping.
      OM-6.3.2D 07/2017 Added new paragraph on Prohibition of Double Swiping.
      OM-6.3.2E 07/2017 Added new paragraph on Prohibition of Double Swiping.
      OM-6.4.21 07/2017 Deleted paragraph.
      OM-7.2.1 07/2017 Amended paragraph according to the Legislative Decree No. (28) of 2002.
      OM-7.2.2 07/2017 Deleted paragraph.
      OM-3.1.2 10/2017 Amended paragraph to allow the utilization of cloud services.
      OM-3.1.5A 10/2017 Added a new paragraph on outsourcing requirements.
      OM-3.2.3 10/2017 Amended paragraph.
      OM-3.3.1 10/2017 Amended paragraph.
      OM-3.3.2 10/2017 Amended paragraph.
      OM-3.3.3 10/2017 Amended paragraph.
      OM-3.3.4 10/2017 Amended paragraph.
      OM-3.3.5 10/2017 Added a new paragraph on outsourcing
      OM-3.4.2(b) 10/2017 Amended sub-paragraph.
      OM-3.4.3 10/2017 Deleted paragraph.
      OM-3.4.5 10/2017 Amended paragraph.
      OM-3.5.1(a) 10/2017 Amended sub-sub-paragraph no. (5)
      OM-3.5.1(c) 10/2017 Amended sub-sub-paragraphs no. (2) and (3).
      OM-3.5.1(e) 10/2017 Amended sub-sub-paragraph no. (3).
      OM-3.8.3 10/2017 Amended paragraph.
      OM-3.9.1 10/2017 Amended paragraph.
      OM-3.9.2 10/2017 Amended paragraph on third party outsourcing of functions.
      OM-3.9.3 10/2017 Amended paragraph.
      OM-3.9.4(b) 10/2017 Amended sub-paragraph.
      OM-3.9.4(c) 10/2017 Amended sub-paragraph.
      OM-3.9.4(d) 10/2017 Deleted sub-paragraph.
      OM-3.9.5 10/2017 Deleted paragraph.
      OM-3.9.7 10/2017 Added a new paragraph for security measures related to cloud services.
      OM-6.4.6 10/2017 Amended paragraph to include ancillary service providers.
      OM-6.3.1A 04/2018 Added a new Paragraph on card (EMV) compliance.
      OM-6.3.1B 04/2018 Added a new Paragraph on provision of cash withdrawal and payment services through various channels.
      OM-6.3.2 04/2018 Amended Paragraph to mention “conventional bank licensees".
      OM-3.9.2 07/2018 Amended Paragraph to include call centres.
      OM-3.9.2A 07/2018 Added new Paragraph on customer notification.
      OM-6.4.15A 10/2018 Added a new Paragraph on drive-thru ATMs.
      OM-6.4.20A 10/2018 Added a new Paragraph on drive-thru ATMs.
      OM-6.1.2 07/2019 Amended Paragraph on deployment of Private Security Guards at Head Offices of Licensees.
      OM-6.3.1C, OM6.3.1D, OM-6.3.1E, OM-6.3.1F 10/2019 Added new Paragraphs on Near Field Communication "NFC".

    • Evolution of the Module

      • OM-A.3.4

        [Deleted in October 2007 updates]

        October 07