• OM-A Introduction

    • OM-A.1 Purpose

      • Executive Summary

        • OM-A.1.1

          The Operational Risk Management Module sets out the Central Bank of Bahrain's ('CBB's') rules and guidance to Islamic Bank licensees operating in Bahrain on establishing parameters and control procedures to monitor and mitigate operational risks. The contents of this Module apply to all Islamic banks, except where noted in individual Chapters.

          October 07

        • OM-A.1.2

          This Module provides support for certain other parts of the Rulebook, mainly:

          (a) Principles of Business; and
          (b) High-level Controls.
          October 07

      • Legal Basis

        • OM-A.1.3

          This Module contains the CBB's Directive (as amended from time to time) relating to Operational Risk Management and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all Islamic bank licensees (including their approved persons).

          Amended: January 2012
          Amended: January 2011
          October 2007

        • OM-A.1.4

          For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

          Added: January 2011

    • OM-A.2 [This Chapter was deleted in October 2007]


      October 07

    • OM-A.3 Module History

      • OM-A.3.1

        This Module was first issued in July 2004 as part of Volume one of the CBB Rulebook (Volume one). All directives in this Module have been effective since this date. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made; Chapter UG-3 provides further details on Rulebook maintenance and version control.

        October 07

      • OM-A.3.2

        When the CBB replaced the BMA in September 2006, the provisions of this Module remained in force. Volume 1 was updated in October 2007 to reflect the switch to the CBB; however, new calendar quarter dates were only issued where the update necessitated changes to actual requirements.

        October 07

      • OM-A.3.3

        The most recent changes made to this Module are detailed in the table below:

        Summary of Changes

        | Module Ref. | Change Date | Description of Changes |
        |---|---|---|
        | OM-5.1 | 01/04/05 | Physical security measures. |
        | OM-4.2 | 01/10/05 | Succession planning for locally incorporated banks. |
        | OM-5.1 | 01/10/05 | Clarification of security manager role for smaller banks. |
        | OM-B & OM-1.2 | 01/04/06 | Minor amendments concerning roles of Board and management. |
        | OM-5.1.15-OM-5.1.24 | 01/04/06 | New security requirements for ATM security arrangements and reporting of security related complaints. |
        | OM-A.2.1-OM-A.2.6 | 01/10/07 | Purpose (expanded) |
        | OM-A.2.1-OM-A.2.6 | 01/10/07 | Key Requirements (deleted) |
        | OM-2.1-2.2&2.4 | 01/10/07 | Relocation of Succession Planning Requirements from OM-4 |
        | OM-5.1-OM-5.9 | 01/10/07 | Business Continuity Planning (expanded) |
        | OM-7 | 01/10/07 | New Books and Records Chapter transferred from Module GR |
        | OM-8 | 01/04/08 | Basel II Qualitative Operational Risk Requirements |
        | OM | 01/2011 | Various minor amendments to ensure consistency in CBB Rulebook. |
        | OM-A.1.3 and OM-A.1.4 | 01/2011 | Clarified legal basis. |
        | OM-7.1.4 | 04/2011 | This paragraph was deleted as Ministerial Order 23 does not apply to CBB licensees. |
        | OM-7.3.4 | 04/2011 | Clarified retention period of records for promotional schemes. |
        | OM | 07/2011 | Various minor amendments to clarify Rules and have consistent language. |
        | OM-2.4 | 07/2011 | Amended CBB reporting requirements regarding succession planning. |
        | OM-3.1.7 | 07/2011 | Paragraph deleted as no longer applicable since standard conditions and licensing criteria document has now been incorporated as part of Volume 1. |
        | OM-6.2 | 10/2011 | Added new Section on internet security. |
        | OM-7.1.7 | 10/2011 | Corrected typo. |
        | OM-A.1.3 | 01/2012 | Updated legal basis. |
        | OM-2.1.4 | 01/2012 | Corrected cross reference. |
        | OM-3.2.2 | 04/2012 | Deleted last sentence of Paragraph as it repeats the requirement under Paragraph OM-3.3.1 |
        | OM-6.2.2 | 04/2012 | Clarified penetration testing interval for internet security. |
        | OM-1.1.4 | 10/2012 | Amended to reflect updated version of Basel Committee document. |
        | OM-3.2.6, OM-5.2.1, OM-5.4.8, OM-8 | 10/2012 | Amended to reflect the Basel June 2011 paper on Principles for the Sound Management of Operational Risk. |
        | OM-6.2 | 07/2013 | Amended reporting requirements related to internet security measures. |
        | OM-6.2.1 | 10/2013 | Amended Rule to apply to all banks. |
        | OM-3.7.2 | 10/2015 | Clarified Rule on internal audit outsourcing. |
        | OM-6 | 04/2016 | Updated ATM security measures for banks. |
        | OM-3.9 | 07/2016 | Added new Section dealing with outsourcing of functions containing customer information. |
        | OM-5.10 | 10/2016 | Added new Section on Cyber Security Risk Management |
        | OM-6.4.3 | 10/2016 | Corrected cross references |
        | OM-6.4.4 | 10/2016 | Corrected cross references |
        | OM-6.4.5 | 10/2016 | Corrected cross references |
        | OM-6.6 | 10/2016 | Added new Section on Cyber Security Measures |
        | OM-3.9.2 | 01/2017 | Amended Paragraph on customer information |
        | OM-3.9.6 | 01/2017 | Added new guidance paragraph on customer information |
        | OM-6.4.22 | 04/2017 | ATM requirement on Solid Wall deleted. |
        | OM-6.4.23 | 04/2017 | ATM requirement on Solid Wall deleted. |
        | OM-6.3.1 | 07/2017 | Clarified requirements on compliance date. |
        | OM-6.3.2A | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
        | OM-6.3.2B | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
        | OM-6.3.2C | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
        | OM-6.3.2D | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
        | OM-6.3.2E | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
        | OM-6.4.21 | 07/2017 | Deleted paragraph. |
        | OM-7.2.1 | 07/2017 | Amended paragraph according to the Legislative Decree No. (28) of 2002. |
        | OM-7.2.2 | 07/2017 | Deleted paragraph. |
        | OM-3.1.2 | 10/2017 | Amended paragraph to allow the utilization of cloud services. |
        | OM-3.1.5A | 10/2017 | Added a new paragraph on outsourcing requirements. |
        | OM-3.2.3 | 10/2017 | Amended paragraph. |
        | OM-3.3.1 | 10/2017 | Amended paragraph. |
        | OM-3.3.2 | 10/2017 | Amended paragraph. |
        | OM-3.3.3 | 10/2017 | Amended paragraph. |
        | OM-3.3.4 | 10/2017 | Amended paragraph. |
        | OM-3.3.5 | 10/2017 | Added a new paragraph on outsourcing. |
        | OM-3.4.1 | 10/2017 | Amended paragraph. |
        | OM-3.4.2(b) | 10/2017 | Amended sub-paragraph. |
        | OM-3.4.3 | 10/2017 | Deleted paragraph. |
        | OM-3.4.5 | 10/2017 | Amended paragraph. |
        | OM-3.5.1(a) | 10/2017 | Amended sub-sub-paragraph no. (5). |
        | OM-3.5.1(c) | 10/2017 | Amended sub-sub-paragraphs no. (2) and (3). |
        | OM-3.5.1(e) | 10/2017 | Amended sub-sub-paragraph no. (3). |
        | OM-3.8.3 | 10/2017 | Amended paragraph. |
        | OM-3.9.1 | 10/2017 | Amended paragraph. |
        | OM-3.9.2 | 10/2017 | Amended paragraph on third party outsourcing of functions. |
        | OM-3.9.3 | 10/2017 | Amended paragraph. |
        | OM-3.9.4 | 10/2017 | Amended sub-paragraph. |
        | OM-3.9.4(b) | 10/2017 | Amended sub-paragraph. |
        | OM-3.9.4(d) | 10/2017 | Deleted sub-paragraph. |
        | OM-3.9.5 | 10/2017 | Deleted paragraph. |
        | OM-3.9.7 | 10/2017 | Added a new paragraph for security measures related to cloud services. |
        | OM-6.4.6 | 10/2017 | Amended paragraph to include ancillary service providers. |
        | OM-6.3.1A | 04/2018 | Added a new Paragraph on card (EMV) compliance. |
        | OM-6.3.1B | 04/2018 | Added a new Paragraph on "provision of cash withdrawal and payment services through various channels" |
        | OM-6.3.2 | 04/2018 | Amended Paragraph to mention "Islamic bank licensees". |
        | OM-3.9.2 | 07/2018 | Amended Paragraph to include call centres. |
        | OM-3.9.2A | 07/2018 | Added new Paragraph on customer notification. |
        | OM-6.4.15A | 10/2018 | Added a new Paragraph on drive-thru ATMs. |
        | OM-6.4.20A | 10/2018 | Added a new Paragraph on drive-thru ATMs. |
        | OM-6.1.2 | 07/2019 | Amended Paragraph on deployment of Private Security Guards at Head Offices of Licensees. |
        | OM-6.3.1C, OM-6.3.1D, OM-6.3.1E, OM-6.3.1F | 10/2019 | Added new Paragraphs on Near Field Communication "NFC". |

      • Evolution of the Module

        • OM-A.3.4

          [Deleted in October 2007 updates]

          October 07