• OM-6 Security Measures for Banks

    • OM-6.1 Physical Security Measures for Retail Banks

      • General Requirement

        • OM-6.1.1

          Retail banks must maintain up to date Payment Card Industry Data Security Standards (PCI-DSS) certification. This initial certification must be obtained by 30th April 2017. Failure to comply with this requirement will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

          Amended: October 2016
          Amended: April 2016
          Amended: January 2011
          October 2007

        • OM-6.1.1.A

          In order to maintain up to date PCI-DSS certification, retail banks will be periodically audited by PCI authorised companies for compliance. Licensees are asked to make certified copies of such documents available if requested by the CBB.

          Added: April 2016

      • External Measures

        • OM-6.1.2

          All head offices are required to maintain Ministry of Interior ("MOI") guards, or alternatively MOI-trained and permanently licensed private security guards of licensed private security companies, on a 24-hour basis. All branches must also maintain a 24-hour MOI guard. However, if branches satisfy the criteria mentioned in Paragraphs OM-6.1.3 to OM-6.1.22 below, they may maintain MOI guards during opening hours only. Furthermore, branches will be allowed to replace MOI armed guards with private security guards subject to the approval of the MOI. Training and approval of private security guards will be given by the MOI. Head offices must always have a 24-hour MOI guard.

          Amended: July 2019
          October 07

        • OM-6.1.3

          Public entrances to head offices and branches must be protected by measures such as steel rolling shutters, or the external doors must be of solid steel or a similar solid material of equivalent strength and resistance to fire.

          October 07

        • OM-6.1.4

          Other external entrances must have steel doors or be protected by steel rolling shutters. Preferably, all other external entrances must have the following security measures:

          (a) Magic eye;
          (b) Locking device (key externally and handle internally);
          (c) Door closing mechanism;
          (d) Contact sensor with alarm for prolonged opening time; and
          (e) Combination access control system (e.g. access card and key slot or swipe card and password).
          Amended: July 2011
          Amended: April 2011
          October 07

        • OM-6.1.5

          If additional security measures to those mentioned in OM-6.1.3 and OM-6.1.4 such as security cameras, motion detectors or intruder alarms are installed, the requirement for steel external doors or protection by steel rolling shutters is waived.

          October 07

        • OM-6.1.6

          External windows must have security measures such as anti-blast films and movement detectors. For ground floor windows, banks may also wish to add steel grills fastened into the wall.

          Amended: July 2011
          October 07

        • OM-6.1.7

          Branch alarm systems should have the following features:

          (a) PIR motion detectors
          (b) Door sensors
          (c) Anti-vibration/movement sensors on vaults
          (d) External siren
          (e) The intrusion detection system must be linked to the bank's (i.e. head office) monitoring unit and also the MOI Central Monitoring Unit.
          Amended: January 2011
          October 2007

      • Internal Measures

        • OM-6.1.8

          Teller counters must be screened off from customers by a glass screen of no less than 1 meter in height from the counter work surface or 1.4 meters from the floor.

          October 07

        • OM-6.1.9

          All areas where cash is handled must be screened off from customers and other staff areas.

          October 07

        • OM-6.1.10

          Access to teller areas must be restricted to authorised staff only. The design of the teller area must not allow customers to pass through it.

          Amended: July 2011
          October 07

        • OM-6.1.11

          Panic alarm systems for teller staff must be installed. The choice between silent or audible panic alarms is left to individual banks. Kick bars and/or hold up buttons must be spread throughout the teller and customer service areas and the branch manager's office. The panic alarm must be linked to the MOI Central Monitoring Unit.

          October 07

      • Cash Safety

        • OM-6.1.12

          Cash, precious metals and bearer instruments must be kept in fireproof cabinets/safes. Preferably, these cabinets/safes must be located in strong rooms.

          Amended: July 2011
          October 07

        • OM-6.1.13

          Strong rooms must be made of reinforced solid concrete, or reinforced block work. Doors to strong rooms must be steel and preferably also have a steel shutter fitted. Dual locking devices must be installed in strong room doors. Strong room doors must be located out of the sight of customers.

          Amended: July 2011
          October 07

        • OM-6.1.14

          Strong rooms must not contain any other openings except the entry door and where necessary, an air conditioning outlet. The air conditioning outlet must be protected with a steel grill.

          October 07

        • OM-6.1.15

          [This Paragraph was deleted in April 2016.]

          Deleted: April 2016
          Amended: July 2011
          October 07

        • OM-6.1.16

          [This Paragraph was deleted in April 2016 and requirements were moved to Section OM-6.4.]

          Deleted: April 2016
          Amended: July 2011
          October 07

        • OM-6.1.17

          [This Paragraph was deleted in April 2016.]

          Amended: April 2016
          October 07

        • OM-6.1.18

          [This Paragraph was deleted in April 2016 and requirements were moved to Section OM-6.4.]

          Deleted: April 2016
          October 07

        • OM-6.1.19

          [This Paragraph was deleted in April 2016 and requirements are now covered under Paragraph OM-6.4.14.]

          Deleted: April 2016
          October 07

      • CCTV Network Systems

        • OM-6.1.20

          All head offices and branches must have a CCTV network and alarm system which are connected to a central monitoring unit located in the head office, along with a Video Monitoring System (VMS) and to the MOI Central Monitoring Unit.

          Amended: April 2016
          October 07

        • OM-6.1.21

          At a minimum, CCTV cameras must cover the following areas:

          (a) Main entrance;
          (b) Other external doors;
          (c) Any other access points (e.g. ground floor windows);
          (d) The banking hall;
          (e) Tellers' area;
          (f) Strongroom entrance; and
          (g) ATMs (by way of internal or external cameras). Refer to Section OM-6.3 for specific CCTV requirements related to ATMs.
          Amended: April 2016
          Amended: July 2011
          Amended: January 2011
          October 2007

        • OM-6.1.22

          Notices of CCTV cameras in operation must be put up for the attention of the public. CCTV records must be maintained for a minimum 45-day period. The transmission rate (in terms of the number of frames per second) must be high enough to make for effective monitoring. Delayed transmission of pictures to the Central Monitoring Unit is not acceptable. The CCTV system must be operational 24 hours per day.

          Amended: July 2011
          October 07

      • Training and Other Measures

        • OM-6.1.23

          Banks must establish the formal position of security manager. This person will be responsible for ensuring all bank staff are given annual, comprehensive security training. Banks must produce a security manual or procedures for staff, especially those dealing directly with customers. For banks with three or more branches, this position must be a formally identified position. For banks with one or two branches, the responsibilities of this position may be added to the duties of a member of management.

          Amended: July 2011
          October 07

        • OM-6.1.24

          The security manager must maintain records on documented security related complaints by customers and take corrective action or make recommendations for action on a timely basis. Actions and recommendations must also be documented.

          October 07

        • OM-6.1.25

          Banks must consider safety and security issues when selecting premises for new branches. Key security issues include prominence of location (i.e. Is the branch on a main street or a back street?), accessibility for emergency services, and assessment of surrounding premises (in terms of their safety or vulnerability), and the number of entrances to the branch. All banks are required to hold an Insurance Blanket Bond (which includes theft of cash in its cover).

          Amended: July 2011
          October 07

        • OM-6.1.26

          Further rules on ATM Physical Security Measures are contained in Section OM-6.4.

          Added: April 2016

    • OM-6.2 Internet Security for all Banks

      • OM-6.2.1

        All banks providing internet banking services must regularly test their systems against security breaches and verify the robustness of the security controls in place. These tests must be conducted by security professionals, such as ethical hackers, who provide penetration testing services and a vulnerability assessment of the system. The tests must be undertaken by external independent parties that are neither employees of the bank nor associated with it.

        Amended: April 2016
        Amended: October 2013
        Added: October 2011

      • OM-6.2.2

        The penetration testing referred to in Paragraph OM-6.2.1, must be conducted each year in June and December.

        Amended: July 2013
        Amended: April 2012
        Added: October 2011

      • OM-6.2.3

        The vulnerability assessment report, along with the steps taken to mitigate the risks, must be maintained by the bank for a 5-year period from the date of testing and must be provided to the CBB within two months following the end of the month in which the testing took place, i.e. for the June test, the report must be submitted at the latest by 31st August, and for the December test, by 28th February (see Section BR-4A.2).

        Amended: July 2013
        Added: October 2011

    • OM-6.3 ATM Security Measures: Hardware/Software for Retail Banks

      • Implementation

        • OM-6.3.1

          The requirements in this Section must be complied with in full by 30th April 2017, or as specified otherwise. Failure to comply with these requirements will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

          Amended: July 2017
          Added: April 2016

      • Europay, MasterCard and Visa (EMV) Compliance

        • OM-6.3.1A

          All cards (debit, credit, charge, prepaid, etc.) issued by licensees in the Kingdom of Bahrain must be EMV compliant. Moreover, all ATMs, CDMs, POS, etc. must be EMV compliant for accepting cards issued in the Kingdom of Bahrain. In this context, EMV compliant means using chip and online PIN authentication. However, contactless card payment transactions, where no PIN verification is required, are permitted for small amounts, i.e. up to BD 20 per transaction, provided that Islamic bank licensees bear full responsibility in case of fraud occurrence.

          Added: April 2018

      • Provision of Cash Withdrawal and Payment Services through Various Channels

        • OM-6.3.1B

          Islamic bank licensees are allowed to provide cash withdrawal and payment services using various channels, including but not limited to contactless, cardless, QR code, e-wallets and biometrics (iris recognition, facial recognition, fingerprint, voiceprint, etc.), subject to enrolling customers through a registration process in which customers' acceptance of the products'/services' terms and conditions is documented and customers are properly authenticated.

          Added: April 2018

      • Near Field Communication ("NFC")

        • OM-6.3.1C

          Islamic retail bank licensees must ensure that all currently installed ATMs support contactless payment using Near Field Communication "NFC" technology. The changes necessary to the software/hardware to meet this requirement must be completed no later than 1st April 2020.

          Added: October 2019

        • OM-6.3.1D

          Islamic retail bank licensees must ensure, with effect from 18th August 2019, that all new installations of ATM machines support contactless payment using Near Field Communication ("NFC") technology.

          Added: October 2019

        • OM-6.3.1E

          Islamic retail bank licensees must ensure, with effect from 1st October 2019, that any new POS terminals or devices support contactless payment using Near Field Communication ("NFC") technology.

          Added: October 2019

        • OM-6.3.1F

          Islamic retail bank licensees must ensure, that any payment card issued or reissued (credit, debit, prepaid and charge cards) on or after 12th October 2019 supports contactless payment using Near Field Communications "NFC" technology.

          Added: October 2019

      • Geolocation Limitations

        • OM-6.3.2

          All Islamic bank licensees issuing debit, prepaid and/or credit cards must ensure that all Bahrain-issued cards enable each customer to maintain a list of 'approved' countries for card ATM/Point of Sale (POS) transactions. Customers must be allowed to determine those countries in which their card must not be accepted, as well as countries or merchant categories in which a card transaction would require a further level of authorisation (for example, 2-way SMS).

          Amended: April 2018
          Added: April 2016
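          As an added example (not part of the Rulebook), the EMV rule in Paragraph OM-6.3.1A and the customer card controls in Paragraph OM-6.3.2 can be expressed as an issuer-side authorisation check. The field names, merchant category codes, the treatment of contactless ATM withdrawals as PIN transactions, and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    DECLINE = "decline"
    STEP_UP = "step_up"  # further authorisation required, e.g. 2-way SMS (OM-6.3.2)


# OM-6.3.1A: contactless payments with no PIN verification are permitted up to BD 20.
CONTACTLESS_NO_PIN_LIMIT_BHD = Decimal("20.000")


@dataclass
class CardControls:
    """Customer-maintained card controls (OM-6.3.2). Field names are assumptions."""
    approved_countries: set[str]                          # ISO 3166-1 alpha-2 codes
    blocked_countries: set[str] = field(default_factory=set)
    step_up_countries: set[str] = field(default_factory=set)
    step_up_mccs: set[str] = field(default_factory=set)   # merchant category codes


@dataclass
class Transaction:
    """One ATM/POS authorisation request (constructed shape, not a real ISO 8583 message)."""
    amount_bhd: Decimal
    country: str
    mcc: str            # "6011" is the conventional MCC for ATM cash withdrawal
    channel: str        # "atm" or "pos"
    entry_mode: str     # "chip", "contactless" or "magstripe"
    pin_verified: bool  # True when the issuer verified the PIN online


def evaluate(tx: Transaction, controls: CardControls) -> tuple[Decision, str]:
    """Return the issuer-side decision and the reason that should be logged."""
    # Geolocation controls (OM-6.3.2): an explicit block wins over everything else,
    # and a country the customer has not approved is treated as not approved.
    if tx.country in controls.blocked_countries:
        return Decision.DECLINE, f"country {tx.country} blocked by customer"
    if tx.country not in controls.approved_countries:
        return Decision.DECLINE, f"country {tx.country} not on approved list"

    # EMV rules (OM-6.3.1A): chip + online PIN, except small contactless payments.
    if tx.entry_mode == "magstripe":
        return Decision.DECLINE, "magnetic stripe entry is not EMV compliant"
    if tx.entry_mode == "contactless" and not tx.pin_verified:
        # Assumption: the no-PIN allowance applies to POS payments only; contactless
        # cash withdrawals at an ATM are treated as PIN transactions here.
        if tx.channel != "pos":
            return Decision.DECLINE, "contactless ATM withdrawal requires PIN"
        if tx.amount_bhd > CONTACTLESS_NO_PIN_LIMIT_BHD:
            return Decision.DECLINE, "contactless without PIN exceeds BD 20 limit"
    elif not tx.pin_verified:
        return Decision.DECLINE, "online PIN verification required"

    # Step-up (OM-6.3.2): countries or merchant categories the customer flagged.
    if tx.country in controls.step_up_countries:
        return Decision.STEP_UP, f"country {tx.country} requires further authorisation"
    if tx.mcc in controls.step_up_mccs:
        return Decision.STEP_UP, f"MCC {tx.mcc} requires further authorisation"

    return Decision.APPROVE, "within customer controls and EMV rules"


# Constructed sample: a customer who allows BH and GB, blocks one country (placeholder
# code "XX"), and wants step-up for anything in GB or at MCC 7995 (betting).
SAMPLE_CONTROLS = CardControls(
    approved_countries={"BH", "GB"},
    blocked_countries={"XX"},
    step_up_countries={"GB"},
    step_up_mccs={"7995"},
)

SAMPLE_TRANSACTIONS = [
    Transaction(Decimal("15.000"), "BH", "5411", "pos", "contactless", False),  # approve
    Transaction(Decimal("25.000"), "BH", "5411", "pos", "contactless", False),  # over BD 20
    Transaction(Decimal("100.000"), "BH", "6011", "atm", "chip", True),         # approve
    Transaction(Decimal("100.000"), "BH", "6011", "atm", "chip", False),        # no PIN
    Transaction(Decimal("50.000"), "GB", "5812", "pos", "chip", True),          # step-up
    Transaction(Decimal("10.000"), "BH", "7995", "pos", "contactless", False),  # step-up
    Transaction(Decimal("10.000"), "XX", "5411", "pos", "chip", True),          # blocked
    Transaction(Decimal("10.000"), "FR", "5411", "pos", "chip", True),          # not approved
]


def run_sample() -> list[Decision]:
    """Evaluate the constructed transactions against the sample controls."""
    return [evaluate(tx, SAMPLE_CONTROLS)[0] for tx in SAMPLE_TRANSACTIONS]


if __name__ == "__main__":
    for tx, decision in zip(SAMPLE_TRANSACTIONS, run_sample()):
        print(f"{tx.country} {tx.channel:3} {tx.entry_mode:11} "
              f"BD {str(tx.amount_bhd):>8} -> {decision.value}")
```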

      • Prohibition of Double Swiping

        • OM-6.3.2A

          All card acquirer licensees must communicate to the concerned merchants that the CBB has directed that the practice of double swiping of payment cards by some merchants at the merchants' POS terminals/ECRs be stopped, with effect from 15th June 2017.

          Added: July 2017

        • OM-6.3.2B

          For the purpose of Paragraph OM-6.3.2A, card acquirer licensee means a CBB licensee that enters into a contractual relationship with a merchant and the payment card issuer, under a card payment scheme, for accepting and processing payment card transactions. Card acquirers include three-party payment card network operators, who have outsourced their acquiring services to third party service providers.

          Added: July 2017

        • OM-6.3.2C

          For the purpose of Paragraph OM-6.3.2A, double swiping means swiping of a payment card by a merchant at the POS terminal/ECR for the second time, resulting in capturing and storing of payment cardholder data and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response.

          Added: July 2017

        • OM-6.3.2D

          All card acquirer licensees must include the following clause into the merchant agreements entered into with all their merchants and bring into force the said clause on or before 15th June, 2017: "Pursuant to the CBB directions and instructions, the merchant shall stop double swiping of a payment card at a merchant's point-of-sale (POS) terminal/electronic cash register (ECR) to capture or store cardholder and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response. The merchant asserts its full compliance with the obligation contained in this clause and understands that any breach of this clause will expose the merchant to mandatory contractual and/or legal disciplinary actions by the relevant regulator and/or concerned Ministry."

          Added: July 2017

        • OM-6.3.2E

          All card acquirer licensees must:

          (i) Educate the concerned merchants on the regulatory requirement and continue to follow up the progress of the implementation to comply within the period stipulated in Paragraph OM-6.3.2A; and
          (ii) Educate and facilitate, where necessary, any merchant that has a valid business need to have cardholder data or non-sensitive information, to transmit such data/information through an integration option.
          Added: July 2017

      • Integration of Hardware Components

        • OM-6.3.3

          If the Automated Teller Machines (ATM) environment permits access to internal areas where account data is processed and/or stored (e.g., for service or maintenance), these areas must be effectively protected from access by unauthorised persons to mitigate the risk associated with attaching/inserting malicious additional components, especially those which may be designed to capture sensitive data. Banks must encrypt account data or secure access to such data by effective physical barriers such as strong walls, doors, and mechanical locks.

          Added: April 2016

        • OM-6.3.4

          All entry to sensitive areas must be recorded, including the name of the persons accessing the area; the date; and the time of access to and exit from the area. CCTV cameras must be installed, and used to record all activities within the ATM environment.

          Added: April 2016

        • OM-6.3.5

          Banks are required to implement best industry practice in respect of hardware and software development and integration, including but not limited to formal specification, test plans, and documentation. Hardware and software should only be introduced to the environment following a successful programme of testing.

          Added: April 2016

        • OM-6.3.6

          All test plans and the outcomes of these plans must be retained by the bank for a minimum of five years from the date of testing and be available on request to the CBB or their authorised representatives. Examples of instances in which a detailed testing process must be undertaken prior to installation and integration of components include, but are not limited to, secure card readers or EPPs. In all instances the applicable standards relating to Payment Card Industry (PCI), PIN Transaction Security (PTS), and Point of Interaction (POI) requirements must be fully complied with.

          Added: April 2016

        • OM-6.3.7

          Banks must ensure that the integration of Secure Card Readers (SCRs) and, if applicable, any mechanism protecting the SCRs are properly implemented and fully comply with the guidelines provided by the device vendor. SCRs must be approved by and fully comply with all Payment Card Industry standards at all times.

          Added: April 2016

        • OM-6.3.8

          Banks must ensure that all ATMs, including offsite ATMs, are equipped with mechanisms which prevent skimming attacks. There must be no known or demonstrable way to disable or defeat the above-mentioned mechanisms, or to install an external or internal skimming device.

          Added: April 2016

      • ATM Software

        • OM-6.3.9

          Banks must ensure that their ATM software security measures comply with the following:

          (a) Access to sensitive services is controlled by requiring authentication. Entering or exiting sensitive services must not reveal or otherwise compromise the security of sensitive information;
          (b) ATM software must include controls which are designed to prevent unauthorised modification of the software configuration, including the operating system, drivers, libraries, and individual applications. Software configuration includes the software platform, configuration data, applications loaded to and executed by the platform, and the associated data. The mechanisms must also ensure the integrity of third-party applications, using a controlled process to install such controls;
          (c) Access to all elements of the ATM environment must be strictly controlled to ensure an effective segregation of functions and an effective segregation of responsibilities exists for all personnel; and
          (d) The logging data must be stored in a way that data cannot be changed under any circumstances, and deleted only after authorisation by a member of bank staff who has specific responsibility delegated by the CEO.
          Added: April 2016

        • OM-6.3.10

          ATMs should incorporate dedicated tampering protection capabilities.

          Added: April 2016

      • Device Management/Operation

        • OM-6.3.11

          Banks must ensure that their device management/operation controls comply with the following:

          (a) Software is protected and stored in a manner which precludes unauthorised modification; and
          (b) Loading of software into ATMs is performed by a person who has the requisite knowledge and skills, and who has been nominated and authorised by a senior manager in the bank to undertake these tasks.
          Added: April 2016

      • ATM Application Management

        • OM-6.3.12

          Banks must ensure that their ATM application management complies with the following:

          (a) A cardholder's PIN must not be shown in clear on the ATM display;
          (b) Sensitive information must not be present any longer, or used more often, than strictly necessary. The ATM must automatically clear its internal buffers when either the transaction is completed or the ATM has timed out whilst awaiting a response from the cardholder or host; and
          (c) The display or disclosure of cardholder account information on the ATM screen, on printed receipts or in audio transcripts for visually impaired cardholders must be prevented.
          Added: April 2016

    • OM-6.4 ATM Security Measures: Physical Security for Retail Banks

      • Implementation

        • OM-6.4.1

          The requirements in this Section must be complied with in full by 31st March 2017. Failure to comply with any of these requirements will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

          Added: April 2016

      • Record Keeping

        • OM-6.4.2

          Banks must record the details of the site risk assessments and retain such records for a period of five years from the date of the ATM installation, or whatever other period required by the Ministry of the Interior or the CBB from time to time, whichever is the longer.

          Added: April 2016

      • Installation of an Off-site ATM in Bahrain

        • OM-6.4.3

          Applications for the installation of off-site ATMs must be sent in writing, and in accordance with the requirements set out in Paragraphs OM-6.4.6 to OM-6.4.12, to the Supervisory Point of Contact (SPoC) at the CBB.

          Amended: October 2016
          Added: April 2016

        • OM-6.4.4

          The purpose of the content of Paragraphs OM-6.4.5 to OM-6.4.12 is to set out the minimum criteria to be followed by banks for the installation and usage of off-site ATMs in the Kingdom of Bahrain.

          Amended: October 2016
          Added: April 2016

      • General Criteria

        • OM-6.4.5

          The ownership and operation of any off-site ATMs are subject to the prior written approval of the CBB and must comply with the Rules outlined in Paragraph OM-6.4.6.

          Amended: October 2016
          Added: April 2016

        • OM-6.4.6

          Off-site ATMs must be owned either individually or jointly by banks or ancillary service providers which are members of the BENEFIT Switch. Each relevant owning bank must already have linked its ATM capability to the BENEFIT Switch prior to requesting the CBB's permission to install an off-site ATM and, furthermore, must conform to the general standards set by the Benefit Company from time to time or by the ancillary service provider licensed by the CBB.

          Amended: October 2017
          Added: April 2016

        • OM-6.4.7

          Banks must bear full legal responsibility for their respective off-site ATMs, as well as all costs associated with such ATMs (including, but not limited to, cash replenishment, installation, security etc.).

          Added: April 2016

        • OM-6.4.8

          Banks wishing to install an off-site ATM must submit an application (in writing) for the CBB's approval (see Paragraph BR-5.3.3). A copy of the written permission (for installation of that off-site ATM) of the legal owner of the proposed location must be provided to the CBB, as well as a copy of the written permission of any other relevant authorities in this context (e.g. the Ministry of Interior).

          Added: April 2016

        • OM-6.4.9

          The CBB will consider applications on a 'first come, first served' basis for a particular location. If more than one application is received to install an off-site ATM in the same location, the number of such applications which are approved will depend upon whether the location appears to the CBB to be capable of sustaining multiple off-site ATMs subject to the exact details of each individual application regarding security being acceptable to the CBB.

          Added: April 2016

        • OM-6.4.10

          Each application will be assessed on its individual merits, and at the CBB's sole discretion, taking into account factors which the CBB considers relevant including, but not limited to:

          (a) The suitability of the location in question;
          (b) The level of overall activities of the applicant in the market as well as the size and make-up of its customer base; and
          (c) The type and range of facilities which the applicant proposes offering through the off-site ATM at the location in question.
          Added: April 2016

        • OM-6.4.11

          In addition to the information required by the CBB under Paragraph OM-6.4.8, the CBB may require further information/clarification to be provided to it before it takes a decision regarding the application. The CBB's decision in this regard will be notified to each relevant applicant bank in writing.

          Added: April 2016

        • OM-6.4.12

          A bank must request in writing the CBB's permission to close any of its off-site ATMs.

          Added: April 2016

        • OM-6.4.13

          The CBB may, at its sole discretion, require an off-site ATM to be closed and decommissioned at any time.

          Added: April 2016

      • ATM Alarms

        • OM-6.4.14

          In addition to alarming the premises, banks must alarm the ATM itself, in a way which activates audibly when the ATM is under attack. The system must be monitored by remote signaling to an appropriate local police response designated by the Ministry of the Interior. Banks must consider the following:

          (a) The design of the system must ensure that the ATM has a panic alarm installed;
          (b) The design of the system must give an immediate, system controlled warning of an attack on the ATM, and all ATMs must be fitted with fully operational fraud detection and inhibiting devices;
          (c) A maintenance record must be kept for the alarm detection system and routine maintenance must be conducted in accordance with at least the manufacturer's recommendations. The minimum must be two planned maintenance visits and tests every 6 months; and
          (d) The alarm system must be monitored from an ARC 24 hours daily. It must automatically generate an alarm signal if the telephone/internet line fails or is cut.
          Added: April 2016

      • Closed-circuit Television (CCTV)

        • OM-6.4.15

          Banks must ensure that ATMs are equipped with Closed-circuit television (CCTV). The location of camera installation must be carefully chosen to ensure that images of the ATM are recorded but keypad entry is not. The camera must support the detection of the attachment of alien devices to the fascia (external body) and possess the ability to generate an alarm for remote monitoring if the camera is blocked or otherwise disabled.

          Added: April 2016

        • OM-6.4.15A

          For the purposes of Paragraph OM-6.4.15, the location of camera installation in drive-thru ATMs must be carefully chosen to ensure that the images of the vehicle number plates are clearly captured at both daytime and nighttime.

          Added: October 2018

        • OM-6.4.16

          As a minimum, CCTV activity must be recorded (preferably in digital format) and, where risk dictates, remotely monitored by a third party ARC.

          Added: April 2016

        • OM-6.4.17

          When an ATM is located in an area where a public CCTV system operates, the deployer or agent must liaise with the agency responsible for the CCTV system to include the ATM site in any preset automatic camera settings or to request regular sweeps of the site. The CCTV system must not be able to view the ATM keypad thereby preventing observation of PIN entry.

          Added: April 2016

        • OM-6.4.18

          Banks must ensure that the specifications of CCTV cameras meet the following minimum requirements:

          (a) Analogue cameras:
              Resolution: minimum 700 TVL
              Lens: vari-focal, 2.8 to 12 mm
              Sensitivity: minimum 0.5 Lux without infrared (IR), 0 Lux with IR
              IR range: at least 10 to 20 meters (camera that detects motion)
          (b) IP cameras:
              Resolution: 2 MP (1080p)
              Lens: vari-focal, 2.8 to 12 mm
              Sensitivity: minimum 0.5 Lux without IR, 0 Lux with IR
              IR range: at least 10 to 20 meters
          Added: April 2016

        • OM-6.4.19

          Banks must ensure that the following network requirements are met for connecting the bank's CCTV system to the MOI control room:

          (a) The minimum upload speed should be 2 Mbps for each node (ATMs and branches);
          (b) Speed/storage limit thresholds must not be applied in a manner which introduces network delay; and
          (c) Access must be restricted to authorised personnel.
          Added: April 2016

      • ATM Lighting

        • OM-6.4.20

          Banks must ensure that adequate and effective lighting is operational at all times within the ATM environment. The standard of the proposed lighting must be agreed with the Ministry of the Interior and other relevant authorities, and tested at least once every three months to ensure that the lighting is in good working order.

          Added: April 2016

        • OM-6.4.20A

          Banks must ensure that adequate and effective lighting is operational within drive-thru ATMs to enable the CCTV cameras to capture the vehicle number plates at both daytime and nighttime.

          Added: October 2018

        • OM-6.4.21

          [This Paragraph was deleted in July 2017.]

          Deleted: July 2017
          Added: April 2016

      • [Deleted]

        Deleted: April 2017

        • OM-6.4.22

          This Paragraph was deleted in April 2017.

          Deleted: April 2017
          Added: April 2016

        • OM-6.4.23

          This Paragraph was deleted in April 2017.

          Deleted: April 2017
          Added: April 2016

      • Fire Alarm

        • OM-6.4.24

          Banks must ensure that effective fire alarm and fire defense measures, such as a sprinkler, are installed and functioning for all ATMs. These alarms must be linked to the "General Directorate of Civil Defense" in Bahrain.

          Added: April 2016

      • Cash Replenishment

        • OM-6.4.25

          All cash movements between branches, to and from the CBB and to off-site ATMs must be performed by specialised service providers.

          Added: April 2016

      • ATM Service/ Maintenance

        • OM-6.4.26

          Banks must maintain a list of all maintenance, replenishment and inspection visits by staff or other authorised parties.

          Added: April 2016

    • OM-6.5 ATM Security Measures: Additional Measures for Retail Banks

      • OM-6.5.1

        Banks may ensure the adequacy and effectiveness of external security measures throughout the ATM environment through the additional security measures outlined in this Section.

        Added: April 2016

      • Sounders and Flashing Warning Lights

        • OM-6.5.2

          Banks should ensure that street-based ATMs are installed with an audible alarm sounder, and a visual flashing warning light, to indicate when the ATM is under attack.

          Added: April 2016

      • Armored Anti-Bandit Shroud

        • OM-6.5.3

          Banks should obtain and act upon advice provided by the Ministry of the Interior in respect of protecting the ATM installation with an armored anti-bandit shroud which is placed around the ATM to prevent any bombing or other physical attempts to damage the ATM.

          Added: April 2016

    • OM-6.6 Cyber Security Measures

      • OM-6.6.1

        Clear ownership of, and management accountability for, the risks associated with cyber attacks and the related risk management must be established, covering not only the IT function but also all relevant business lines. Cyber security must be made part of the licensee's IT security policy.

        Added: October 2016

      • OM-6.6.2

        The Board and senior management must ensure that the cyber security controls are periodically evaluated for adequacy, taking into account emerging cyber threats and establishing a credible benchmark of cyber security controls endorsed by the Board and senior management. Should material gaps be identified, the Board and senior management must ensure that corrective action is taken immediately.

        Added: October 2016

      • OM-6.6.3

        Licensees must report to the CBB within one week any instances of cyber attacks, whether internal or external, that compromise customer information or disrupt critical services that affect their operations. When reporting such instances, licensees must provide the root cause analysis of the cyber attack and measures taken by them to ensure that similar events do not recur.

        Added: October 2016