• OM-3.9 Outsourcing of Functions Containing Customer Information

    • OM-3.9.1

      Licensees must seek the CBB's prior written approval for third party and intragroup outsourcing of functions/services containing customer information including but not limited to payment services, debt collection, card and data processing, IT function including cloud services, internal audit and electronic/internet banking services but excluding legal services.

      Amended: October 2017
      Added: July 2016

    • OM-3.9.2

      For a third party outsourcing of functions/services containing customer information, other than debt collection, IT function, internal audit, cards embossing, cheques personalization, data/documents storing and call centres, the service providers must be licensed by the CBB and located in Bahrain. If the outsourced service is not available in Bahrain after 30th June 2017, licensees must submit to the CBB a written request, at least within 30 days of the stated deadline. The request must provide details of the circumstances under which the extension of outsourcing activities is being requested.

      Amended: July 2018
      Amended: October 2017
      Amended: January 2017
      Added: July 2016

    • OM-3.9.2A

      In the case of an outsourcing arrangement that involves transmission of customer information to the service provider, licensees must make the necessary changes to the terms of the customer agreements and send prior notices to the customer, who shall provide consent in writing that his/her information would be transmitted to a service provider. Licensees may only effect the changes in the customer agreement following the receipt of customer consent.

      Added: July 2018

    • OM-3.9.3

      Licensees must provide to the CBB quarterly progress reports on the steps and procedures taken in implementing the requirements of Paragraph OM-3.9.2. The progress report must be provided to the retail bank's supervisory point of contact at the CBB and the first report must be submitted by 31st July 2016.

      Amended: October 2017
      Added: July 2016

    • OM-3.9.4

      For intragroup outsourcing of functions/services containing customer information, the following conditions must also be met:

      (a) The outsourcing providers must be annually audited by the group internal audit team and the audit findings must be reported to the CBB;
      (b) The service level agreement must clearly state that the CBB inspectors and appointed experts have the legal right to conduct onsite examinations of the outsourcing provider and such expenses are to be borne by the licensee;
      (c) Any report by any other regulatory authority on the quality of controls of the outsourcing provider must be submitted immediately by the licensee to the CBB.
      (d) [This sub-paragraph was deleted in October 2017].

      Amended: October 2017
      Added: July 2016

    • OM-3.9.5

      [This paragraph was deleted in October 2017].

      Amended: October 2017
      Added: July 2016

    • OM-3.9.6

      In the case of overseas retail bank licensees, the CBB may consider third party outsourcing arrangements entered into by the licensee's head office as intragroup outsourcing, provided that the head office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

      a. The head office declares its ultimate responsibility for ensuring that adequate controlling measures are in place; and
      b. The head office is responsible for taking adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third party service provider.

      Added: January 2017

    • Cloud services

      • OM-3.9.7

        For the purpose of outsourcing of cloud services, licensees must ensure that, at a minimum, the following security measures are in place:

        (a) Customer information must be encrypted and licensees must ensure that all encryption keys or similar forms of authentication are kept secure within the licensee's control;
        (b) A secure audit trail must be maintained for all actions performed at the cloud services outsourcing provider;
        (c) A comprehensive change management procedure must be developed to account for future changes to technology with adequate testing of such changes;
        (d) The licensee's data must be logically segregated from other entities' data at the outsourcing service provider's platform;
        (e) The cloud service provider must provide information on measures taken at its platform to ensure adequate information security, data security and confidentiality, including but not limited to the forms of protection available against unauthorized access and the incident management process in cases of data breach or data loss; and
        (f) The right to release customer information/data in case of foreign government/court orders must be the sole responsibility of the licensee, subject to the CBB Law.

        Added: October 2017