• OM-A.2 Module History

    • OM-A.2.1

      This Module was first issued in July 2004 as part of Volume one of the CBB Rulebook. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made; Chapter UG-3 provides further details on Rulebook maintenance and version control.

      Added: January 2020

    • OM-A.2.2

      The changes made to this Module are detailed in the table below:

      Summary of Changes

      | Module Ref. | Change Date | Description of Changes |
      |---|---|---|
      | OM-5.1 | 01/04/05 | Physical security measures. |
      | OM-4.2 | 01/10/05 | Succession planning for locally incorporated banks. |
      | OM-5.1 | 01/10/05 | Clarification of security manager role for smaller banks and deletion of requirement for cash trays. |
      | OM-B & OM-1.2 | 01/04/06 | Minor amendments concerning roles of Board and management and editing of OM B. |
      | OM-5.1.15-OM-5.1.24 | 01/04/06 | New security requirements for ATM security arrangements and reporting of security related complaints. |
      | OM-A.2.1-OM-A.2.6 | 01/10/07 | Purpose (expanded) |
      | OM-A.2.1-OM-A.2.6 | 01/10/07 | Key Requirements (deleted) |
      | OM-5.1-OM-5.9 | 01/10/07 | Business Continuity Planning (expanded) |
      | OM-7 | 01/10/07 | New Books and Records Chapter transferred from Module GR |
      | OM-8 | 01/04/08 | Basel II Qualitative Operational Risk Requirements |
      | OM | 01/2011 | Various minor amendments to ensure consistency in CBB Rulebook. |
      | OM-A.1.3 and OM-A.1.4 | 01/2011 | Clarified legal basis. |
      | OM-7.1.4 | 04/2011 | This paragraph was deleted as Ministerial Order 23 does not apply to CBB licensees. |
      | OM-7.3.4 | 04/2011 | Clarified retention period of records for promotional schemes. |
      | OM | 07/2011 | Various minor amendments to clarify Rules and have consistent language. |
      | OM-2.4 | 07/2011 | Amended CBB reporting requirements regarding succession planning. |
      | OM-3.1.7 | 07/2011 | Paragraph deleted as no longer applicable since standard conditions and licensing criteria document has now been incorporated as part of Volume 1. |
      | OM-6.2 | 10/2011 | Added new Section on internet security. |
      | OM-7.1.7 | 10/2011 | Corrected typo. |
      | OM-A.1.3 | 01/2012 | Updated legal basis. |
      | OM-2.1.4 | 01/2012 | Corrected cross reference. |
      | OM-3.2.2 | 04/2012 | Deleted last sentence of Paragraph as it repeats the requirement under Paragraph OM-3.3.1 |
      | OM-6.2.2 | 04/2012 | Clarified penetration testing interval for internet security. |
      | OM-1.1.4 | 10/2012 | Amended to reflect updated version of Basel Committee document. |
      | OM-3.2.6, OM-5.2.1, OM-5.4.8, OM-8 | 10/2012 | Amended to reflect the Basel June 2011 paper on Principles for the Sound Management of Operational Risk. |
      | OM-6.2 | 07/2013 | Amended reporting requirements related to internet security measures. |
      | OM-6.2.1 | 10/2013 | Amended Rule to apply to all banks. |
      | OM-3.7.2 | 10/2015 | Clarified Rule on internal audit outsourcing. |
      | OM-6 | 04/2016 | Updated ATM security measures for banks. |
      | OM-3.9 | 07/2016 | Added new Section dealing with outsourcing of functions containing customer information. |
      | OM-5.10 | 10/2016 | Added new Section on Cyber Security Risk Management |
      | OM-6.1.1 | 10/2016 | Added implementation deadline date |
      | OM-6.4.3 | 10/2016 | Corrected cross references |
      | OM-6.4.4 | 10/2016 | Corrected cross references |
      | OM-6.4.5 | 10/2016 | Corrected cross references |
      | OM-6.6 | 10/2016 | Added new Section on Cyber Security Measures |
      | OM-3.9.2 | 01/2017 | Amended Paragraph on customer information |
      | OM-3.9.6 | 01/2017 | Added new guidance paragraph on customer information |
      | OM-6.4.22 | 04/2017 | ATM requirement on Solid Wall deleted. |
      | OM-6.4.23 | 04/2017 | ATM requirement on Solid Wall deleted. |
      | OM-6.3.1 | 07/2017 | Clarified requirements on compliance date. |
      | OM-6.3.2A | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
      | OM-6.3.2B | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
      | OM-6.3.2C | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
      | OM-6.3.2D | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
      | OM-6.3.2E | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
      | OM-6.4.21 | 07/2017 | Deleted paragraph. |
      | OM-7.2.1 | 07/2017 | Amended paragraph according to the Legislative Decree No. (28) of 2002. |
      | OM-7.2.2 | 07/2017 | Deleted paragraph. |
      | OM-3.1.2 | 10/2017 | Amended paragraph to allow the utilization of cloud services. |
      | OM-3.1.5A | 10/2017 | Added a new paragraph on outsourcing requirements. |
      | OM-3.2.3 | 10/2017 | Amended paragraph. |
      | OM-3.3.1 | 10/2017 | Amended paragraph. |
      | OM-3.3.2 | 10/2017 | Amended paragraph. |
      | OM-3.3.3 | 10/2017 | Amended paragraph. |
      | OM-3.3.4 | 10/2017 | Amended paragraph. |
      | OM-3.3.5 | 10/2017 | Added a new paragraph on outsourcing. |
      | OM-3.4.1 | 10/2017 | Amended paragraph. |
      | OM-3.4.2(b) | 10/2017 | Amended sub-paragraph. |
      | OM-3.4.3 | 10/2017 | Deleted paragraph. |
      | OM-3.4.5 | 10/2017 | Amended paragraph. |
      | OM-3.5.1(a) | 10/2017 | Amended sub-sub-paragraph no. (5). |
      | OM-3.5.1(c) | 10/2017 | Amended sub-sub-paragraphs no. (2) and (3). |
      | OM-3.5.1(e) | 10/2017 | Amended sub-sub-paragraph no. (3). |
      | OM-3.8.3 | 10/2017 | Amended paragraph. |
      | OM-3.9.1 | 10/2017 | Amended paragraph. |
      | OM-3.9.2 | 10/2017 | Amended paragraph on third party outsourcing of functions. |
      | OM-3.9.3 | 10/2017 | Amended paragraph. |
      | OM-3.9.4) | 10/2017 | Amended paragraph. |
      | OM-3.9.4(b) | 10/2017 | Amended sub-paragraph. |
      | OM-3.9.4(d) | 10/2017 | Deleted sub-paragraph. |
      | OM-3.9.5 | 10/2017 | Deleted paragraph. |
      | OM-3.9.7 | 10/2017 | Added a new paragraph for security measures related to cloud services. |
      | OM-6.4.6 | 10/2017 | Amended paragraph to include ancillary service providers. |
      | OM-6.3.1A | 04/2018 | Added a new Paragraph on card (EMV) compliance. |
      | OM-6.3.1B | 04/2018 | Added a new Paragraph on "provision of cash withdrawal and payment services through various channels". |
      | OM-6.3.2 | 04/2018 | Amended Paragraph to mention "Conventional bank licensees". |
      | OM-3.9.2 | 07/2018 | Amended Paragraph to include call centres. |
      | OM-3.9.2A | 07/2018 | Added new Paragraph on customer notification. |
      | OM-6.4.15A | 10/2018 | Added a new Paragraph on drive-thru ATMs. |
      | OM-6.4.20A | 10/2018 | Added a new Paragraph on drive-thru ATMs. |
      | OM Module | 01/2020 | Entire Module revised for better alignment with the principles and guidance from Basel Committee on Banking Supervision. |
      | OM-5.2.1A | 07/2020 | Added a new Paragraph on contactless payments. |
      | OM-5.1.2A & OM-5.1.2B | 10/2020 | Added new Paragraphs on fraudulent phishing attempts measures. |
      | OM-2.8.5 | 01/2021 | Deleted Subparagraph (a). |
      | OM-3.1.2(f) | 01/2021 | Amended Subparagraph on electronic fraud. |
      | OM-3.3.11 | 01/2021 | Added a new Paragraph on electronic fraud awareness. |
      | OM-5.1.5 | 04/2021 | Amended Paragraph. |
      | OM-5.5 | 07/2021 | New enhanced Section. |
      | Appendix C | 07/2021 | Added a new Appendix - Cyber security Control Guidelines |
      | OM-1.6.1 | 01/2022 | Deleted Paragraph. |
      | OM-1.6.2 | 01/2022 | Deleted Paragraph. |
      | OM-1.6.3 | 01/2022 | Amended Paragraph. |
      | OM-1.6.4 – OM-1.6.6 | 01/2022 | Deleted Paragraphs. |
      | OM-5.3.2 | 01/2022 | Amended Paragraph. |
      | OM-5.3.3 – OM-5.3.11 | 01/2022 | Deleted Paragraphs. |
      | OM-1.3.17(g) | 04/2022 | Amended Subparagraph on vacation policy. |
      | OM-5.5.57 | 04/2022 | Amended Paragraph on cyber security incident reporting. |
      | OM-5.5.58 | 04/2022 | Amended Paragraph on submission period of the cyber security incident report. |
      | OM-5.5.61 | 04/2022 | Deleted reference to BR. |
      | OM-2 | 07/2022 | Replaced Chapter OM-2 with new Outsourcing Requirements. |
      | OM-5.3.25 | 10/2022 | Added a new Paragraph on compliance with the physical security requirements for ATM installations. |
      | OM-5.5.21 | 10/2022 | Amended Paragraph on email domains requirements. |
      | OM-5.5.21A | 10/2022 | Added a new Paragraph on additional domains requirements. |
      | OM-2.1.7(v) | 04/2023 | Amended Subparagraph on the outsourcing coordinator. |
      | OM-2.1.7(viii) | 04/2023 | Added a new Subparagraph on outsourcing the internal audit function. |
      | OM-5.2.1 – OM-5.2.1A | 04/2023 | Amended contactless payment amount permitted where no pin or authentication is required. |