• GR GR General Requirements

    • GR-A GR-A Introduction

      • GR-A.1 GR-A.1 Purpose

        • Executive Summary

          • GR-A.1.1

            The General Requirements Module presents a variety of different requirements that are not extensive enough to warrant their own stand-alone Module, but for the most part are generally applicable. These include general requirements on books and records; on the use of corporate and trade names; and on controllers. Each set of requirements is contained in its own Chapter: a table listing these and their application to licensees is given in Chapter GR-B.

            October 07

        • Legal Basis

          • GR-A.1.2

            This Module contains the Central Bank of Bahrain's ('CBB') Regulation No.(31) of 2008 and Directive (as amended from time to time) governing bank control and general requirements and is issued under the powers available to the CBB under Articles 38 and 52 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Module also contains requirements pertaining to controllers as prescribed under Resolution No.(43) of 2011 governing the conditions of granting a license for the provision of regulated services and is issued under the powers available to the CBB under Article 44(c). The requirements of Resolution No.(33) for the year 2012 with respect to the issuance of the Regulation setting the procedures for processing applications of banks to transfer financial services business in the Kingdom of Bahrain are included in Chapter GR-4. The Regulation, Resolutions and Directive in this Module are applicable to all Islamic bank licensees.

            Amended: October 2012
            Amended: October 2011
            Added: January 2011

          • GR-A.1.3

            For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

            Added: January 2011

      • GR-A.2 GR-A.2 Module History

        • Evolution of Module

          • GR-A.2.1

            This Module was first issued in July 2006, with immediate effect, as a new Module aimed at aligning the structure and contents of Volume 2 with other Volumes of the CBB Rulebook. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

            Amended: January 2014
            October 07

          • GR-A.2.2

            The October 2007 version incorporates the requirements relating to controllers, previously contained in Chapter HC-2 of the High-Level Controls Module. It also expands on certain requirements contained in the Central Bank of Bahrain and Financial Institutions Law (Decree No. 64 of 2006).

            October 07

          • GR-A.2.3

            A list of recent changes made to this Module is detailed in the table below:

            Module Ref. Change Date Description of Changes
            GR-5 04/2008 New notification requirements and limits concerning "controllers"
            GR-4, GR-5.4, GR-7 10/2007 Administrative changes due to implementation of CBB Law. Revised notification deadlines etc.
            GR-1 10/2007 This Chapter has been relocated to OM Module.
            GR-8 10/2007 CBB Fees Chapter has been transferred to Module LR.
            GR-5.3 01/2010 Revised approval threshold for controllers which are financial institutions.
            GR 01/2011 Various minor amendments to ensure consistency in CBB Rulebook.
            GR-A.1.2 and A.1.3 01/2011 Added legal basis.
            GR-3.1.1 04/2011 Clarified Rule pertaining to announcement of dividend.
            GR-4.1.2 04/2011 Clarified Guidance and deleted reference to outsourcing and winding up proceedings.
            GR-4.1 07/2011 Noted that the Regulation dealing with Asset/Liability transfers is under consultation.
            GR-A.1.2 and GR-5.3.5A 10/2011 New reference added to reflect the issuance of Resolution No.(43) of 2011, and reference made to controllers.
            GR-3.1 10/2011 Clarified guidance Paragraphs on CBB's non-objection for dividends.
            GR-5.2.2 10/2011 Clarified the definition of "associate".
            GR-7 10/2011 Chapter redrafted to be consistent with other Volumes of the CBB Rulebook.
            GR-5.3.8 07/2012 Percentage amended to be consistent with Paragraph GR-5.3.5.
            GR-A.1.2 10/2012 Updated legal basis.
            GR-4 10/2012 Amended to reflect the issuance of Resolution No.(33) for 2012.
            GR-4.2.3 01/2013 Specified timeline for CBB preliminary assessment.
            GR-5.4.1 and GR-5.4.3 04/2013 Changed Rules to Guidance.
            GR-5 07/2013 Changes made to be in line with Regulation No.(31) for the year 2008.
            GR-A.2.1 01/2014 Deleted repetitive sentence.
            GR-5.3.8 04/2014 Corrected cross reference.
            GR-7.1.12 10/2016 Added additional requirements for cessation of business to be in line with Volume 4.
            GR-5.1.7 01/2017 Consistency of notification timeline rule on Controllers with other Volumes of the CBB Rulebook.
            GR-3.1.3 10/2017 Amended paragraph and changed from Guidance to Rule.
            GR-6 04/2019 Added Section on Open Banking.
            GR-B.1.2 04/2020 Amended Paragraph.
            GR-B.1.3 04/2020 Amended Paragraph.
            GR-2.1.2 04/2020 Amended Paragraph.
            GR-4.1.5 04/2020 Amended Paragraph.
            GR-4.3.2 (d) 04/2020 Amended Paragraph.
            GR-5.1.1 04/2020 Amended Paragraph.
            GR-5.1.10 04/2020 Amended Paragraph.
            GR-7.1.4 04/2020 Amended Paragraph.
            GR-7.1.12 04/2020 Amended Paragraph.
            GR-9 01/2021 Added a new Chapter on Prepaid Cards.
            GR-5 07/2021 Deleted Chapter and superseded by Resolution No. 16 of 2021.
            GR-6.1.3 07/2021 Amended Paragraph.
            GR-6.1.5 07/2021 Amended Paragraph.
            GR-6.1.7 07/2021 Amended Paragraph.
            GR-6.1.8 07/2021 Added a new Paragraph on access to customer information and data.
            GR-6.2.1 07/2021 Amended Paragraph.
            GR-6.2.3 07/2021 Amended Paragraph.
            GR-6.2.6 07/2021 Amended Paragraph.
            GR-6.3.8 07/2021 Paragraph moved to GR-6.1.7.
            GR-6.3.12 07/2021 Amended Paragraph.
            GR-6.3.13 07/2021 Amended Paragraph.
            GR-6.3.14 07/2021 Amended Paragraph.
            GR-6.3.15 07/2021 Amended Paragraph.
            GR-6.4.1 07/2021 Amended Paragraph.
            GR-6.4.2 07/2021 Amended Paragraph.
            GR-6.5 07/2021 Deleted Section.

        • Superseded Requirements

          • GR-A.2.4

            This Module supersedes:

            Circular / other reference Provision Subject
            Module LR (April 2006 version) LR-6: Record-Keeping Record-keeping requirements were moved to GR-1, and edited down to simplify and avoid duplication of record-keeping requirements contained in Module FC.
            Module HC (April 2006 version) HC-2: 'Fit and Proper Requirement' Requirements relating to controllers were moved to GR-5. Remaining 'fit and proper' elements regarding Directors and key employees of licensees were retained in HC-2, in a re-drafted form.
            October 07

    • GR-B GR-B Scope of Application

      • GR-B.1 GR-B.1 Islamic Bank Licensees

        • License Categories

          • GR-B.1.1

            The requirements in Module GR (General Requirements) apply to both retail and wholesale Islamic bank licensees.

            October 07

        • Bahraini and Branches of Foreign Islamic Bank Licensees

          • GR-B.1.2

            The scope of application of Module GR (General Requirements) is as follows:

            Chapter Bahraini bank licensees Branches of foreign bank licensees
            GR-2 Applies to the whole bank. Applies to the Bahrain branch only.
            GR-3 Applies to the whole bank. Doesn't apply.
            GR-4 Applies to the whole bank. Applies to the Bahrain branch only.
            GR-5 Applies to the whole bank. Applies to the whole bank.
            GR-6 Applies to the conventional retail bank. Does not apply.
            GR-7 Applies to the whole bank. Applies to the Bahrain branch only.
            Amended: April 2020
            Amended: April 2019
            Added: October 07

          • GR-B.1.3

            In the case of Bahraini Islamic bank licensees, certain requirements apply to the whole bank, irrespective of the location of its business; other requirements apply only in respect to business booked in Bahrain. In the case of branches of foreign bank licensees, the requirements of Module GR mostly only apply to business booked in the Bahrain branch.

            Amended: April 2020
            Added: October 07

    • GR-1 Books and Records

      [This Chapter has been relocated to Module OM.]

      October 07

    • GR-2 GR-2 Corporate and Trade Names

      • GR-2.1 GR-2.1 Vetting of Names

        • GR-2.1.1

          Islamic bank licensees must seek prior written approval from the CBB for their corporate name and any trade names, and those of their subsidiaries located in Bahrain.

          October 07

        • GR-2.1.2

          GR-2.1.1 applies to branches of foreign bank licensees only with respect to their Bahrain branch.

          Amended: April 2020
          Added: October 07

        • GR-2.1.4

          In approving a corporate or trade name, the CBB seeks to ensure that it is sufficiently distinct as to reduce possible confusion with other unconnected businesses, particularly those operating in the financial services sector. The CBB also seeks to ensure that names used by unregulated subsidiaries do not suggest those subsidiaries are in fact regulated.

          October 07

    • GR-3 GR-3 Dividends

      • GR-3.1 GR-3.1 CBB Non-Objection

        • GR-3.1.1

          Bahraini Islamic bank licensees must obtain a letter of no-objection from the CBB to any dividend proposed, before announcing the proposed dividend by way of a press announcement or any other means of communication and prior to submitting a proposal for a distribution of profits to a shareholder vote.

          Amended April 2011
          October 2007

        • GR-3.1.2

          The CBB will grant a no-objection letter where it is satisfied that the level of dividend proposed is unlikely to leave the licensee vulnerable – for the foreseeable future – to breaching the CBB's capital requirements, taking into account (as appropriate) the licensee's liquidity and the adequacy of provisions against impaired credit facilities or other assets.

          Amended: October 2011
          October 07

        • GR-3.1.3

          To facilitate the prior approval required under Paragraph GR-3.1.1, Islamic bank licensees subject to GR-3.1.1 must provide the CBB with:

          (a) The licensee's intended percentage and amount of proposed dividends for the coming year;
          (b) A letter of no objection from the bank's external auditor on such profit distribution; and
          (c) A detailed analysis of the impact of the proposed dividend on the capital adequacy requirements outlined in Module CA (Capital Adequacy) and liquidity position of the bank.
          Amended: October 2017
          Amended: October 2011
          October 07

    • GR-4 GR-4 Business Transfers

      • GR-4.1 GR-4.1 [deleted]

        [This Section was deleted in July 2011 as Regulation on Asset/Liability transfers currently under consultation].

        • GR-4.1.1 [deleted]

          Deleted: July 2011

        • GR-4.1.2 [deleted]

          Deleted: July 2011

        • GR-4.1.3 [deleted]

          Deleted: July 2011

        • GR-4.1.4 [deleted]

          Deleted: July 2011

        • GR-4.1.5 [deleted]

          Deleted: July 2011

        • GR-4.1.6 [deleted]

          Deleted: July 2011

      • GR-4.1 GR-4.1 CBB Approval

        • GR-4.1.1

          In accordance with the CBB Governor s Resolution No.(33) for the year 2012 issued pursuant to Article 66 of the CBB Law, an Islamic bank licensee (transferor) must seek prior written approval from the CBB before transferring any regulated banking service to a person (transferee), except in the following circumstances:

          (a) Where the transferred business is limited to the assets and/or liabilities of the transferor and does not include any regulated banking services; or
          (b) Where the regulated service transferred accounts for less than 5% of the transferor s total assets and/or liabilities as recorded in the unconsolidated balance sheet of the financial quarter preceding the date of the transfer of business application.
          Added: October 2012

        • GR-4.1.2

          For purposes of Paragraph GR-4.1.1 (a), a business transfer refers to a transfer of the rights and obligations of one Islamic bank licensee to a third party, so that the customers continue to be subject to the same terms and conditions as those originally agreed.

          Added: October 2012

        • GR-4.1.3

          In instances where Subparagraph GR-4.1.1(b) applies, Islamic bank licensees must notify the CBB before transferring any regulated banking service to a transferee one month prior to the transfer taking place.

          Added: October 2012

        • GR-4.1.4

          Rule GR-4.1.1 is intended to apply to circumstances where a bank wishes to transfer all or part of its business (examples: credit card business, asset management business) to a third party, or is undertaking winding up proceedings.

          Added: October 2012

        • GR-4.1.5

          In the case of a Bahraini Islamic bank licensee, Chapter GR-4 applies to its assets and liabilities booked in Bahrain. In the case of branches of foreign bank licensee, Chapter GR-4 applies only to assets and liabilities booked in the bank's Bahrain branch.

          Amended: April 2020
          Added: October 2012

      • GR-4.2 GR-4.2 Procedure with Respect to Applications

        • GR-4.2.1

          Islamic bank licensees wishing to transfer banking business in the Kingdom must apply to the Executive Director of Banking Supervision by submitting an application form along with the supporting documents as specified by the CBB (see Part B, Supplementary Information, Appendix GR-1). Unless otherwise directed by the CBB, the application must provide:

          (a) Full details of the business to be transferred including a detailed list of all liabilities or assets that will be transferred;
          (b) The rationale for the proposed transfer;
          (c) If applicable, an assessment of the impact of the transfer on any customers directly affected by the transfer, and any mitigating factors or measures;
          (d) If applicable, an assessment of the impact of the transfer on the transferor's remaining business and customers; and
          (e) Evidence that the proposed transfer has been duly authorised by the transferor (such as a certified copy of a Board resolution approving the transfer).
          Added: October 2012

        • GR-4.2.2

          Banks intending to apply to transfer a regulated service are advised to contact the CBB at the earliest possible opportunity, in order that the CBB may determine the nature and level of any documentation and/or the need for an auditor or other expert opinion to be provided. The CBB will grant its permission where the transfer will have no negative impact on the financial soundness of the bank, and does not otherwise compromise the interests of the bank's depositors and creditors. In all cases, the CBB will only grant its permission where the institution acquiring the regulated service holds the appropriate regulatory approvals and is in good regulatory standing.

          Added: October 2012

        • Preliminary Assessment

          • GR-4.2.3

            The CBB will make a preliminary assessment of whether the proposed transfer is of a type that could be considered for approval or not based on the receipt of the documents referred to in Paragraph GR-4.2.1. If rejected, the applicant will be informed accordingly. The CBB will approve/reject the transfer of business application form after the submission of all necessary documents within 14 calendar days of the date where all documents have been submitted.

            Amended: January 2013
            Added: October 2012

        • Publication of the Transfer of Business Application

          • GR-4.2.4

            In instances where the CBB is in favor of the transfer requested, and in accordance with Article 66(c) of the CBB Law, the transfer of business application will be published by the CBB in the Official Gazette and in two daily newspapers in the Kingdom of Bahrain (one in Arabic and one in English). The CBB notice will include a statement that written representations concerning the transfer of business application may be sent to the CBB within three months from the date of publication.

            Added: October 2012

          • GR-4.2.5

            If the liabilities are located in a jurisdiction outside Bahrain, the CBB may also publish such notice in the jurisdiction in which the risk is situated.

            Added: October 2012

          • GR-4.2.6

            In all cases, the costs of publication of the notices referred to in Paragraphs GR-4.2.5 and GR-4.2.6 must be met by the transferor.

            Added: October 2012

      • GR-4.3 GR-4.3 Determination of Application

        • GR-4.3.1

          The CBB will consider an application under Paragraph GR-4.2.1 if it is satisfied that:

          (a) Any objections received to the application to transfer the business following its publication in the Official Gazette and in two daily newspapers in the Kingdom of Bahrain (one in Arabic and one in English) as required under Article 66(d) have been reviewed and resolved by the CBB.
          (b) Except in so far as the CBB has otherwise directed, a copy of the notice has been sent to every affected customer and every other person who claims an interest in an asset or liability included in the proposed transfer (and has given written notice of his claim to the transferor);
          (c) Copies of a statement, approved by the CBB, setting out particulars of the transfer, have been available for inspection at one or more places in Bahrain for at least 30 days, from the date of publication of the notice specified in Paragraph GR-4.2.3; and
          (d) Where the proposed transfer includes any contract where the risk is situated in a jurisdiction other than Bahrain, a statement, approved by the CBB, setting out particulars of the transfer, has been available for inspection at one or more places in that jurisdiction for at least 30 days, starting with the date of publication of the notice specified in Paragraph GR-4.2.3.
          Added: October 2012

        • GR-4.3.2

          The CBB will not approve the transfer, under the terms of Paragraph GR-4.2.1, unless it is satisfied that:

          (a) The transferee is authorised to carry on regulated banking services in Bahrain or (where relevant) is authorised or otherwise permitted to carry on regulated banking services in the jurisdiction where any overseas risks are situated;
          (b) Every transaction or account or relationship included in the transfer evidences a contract which was entered into before the date of the application;
          (c) The transferee possesses the necessary solvency required by the regulatory authorities to which he is subject to, after taking the proposed transfer into account;
          (d) Where transactions, accounts, or customer relationships are being transferred from an overseas branch of a bank licensee, or the transferee is a branch of foreign bank licensee, the relevant overseas regulatory authority has been consulted about the proposed transfer, the law of that jurisdiction provides for the possibility of such a transfer, and the relevant supervisory authority in that jurisdiction has agreed to the transfer;
          (e) The transfer will not breach any applicable laws and regulations, and will not create any supervisory concerns;
          (f) The business transferred is not prohibited by the CBB; and
          (g) There are no material adverse consequences from the transfer on the transferee or the security of customers and creditors and their rights and obligations are protected.
          Amended: April 2020
          Added: October 2012

        • GR-4.3.3

          In assessing the criteria outlined in Paragraph GR-4.3.2, the CBB will, amongst other factors, take into account the financial strength of the transferee; its capacity to manage the business being transferred; its track record in complying with applicable regulatory requirements; and (where applicable) its track record in treating customers fairly. The CBB will also take into account the impact of the transfer on the transferor, and any consequences this may have for the transferor's remaining customers.

          Added: October 2012

        • GR-4.3.4

          The CBB will review the application and any other documents or information requested by the CBB taking into consideration any objections received and conditions stated in Article 66 (d) of the CBB law.

          Added: October 2012

        • GR-4.3.5

          The CBB reserves the right to impose additional requirements if, in the opinion of the CBB, additional requirements are necessary to protect customer interests. In all cases where additional requirements are imposed, the CBB shall state the reasons for doing so.

          Added: October 2012

        • GR-4.3.6

          The CBB will communicate its final decision to the transferor within 5 working days of the expiry of the period for submitting objections to the CBB (see Paragraph GR-4.2.4).

          Added: October 2012

      • GR-4.4 GR-4.4 CBB Decision

        • GR-4.4.1

          In accordance with Article 67 (d) of the CBB Law and Article 8 of the Regulation issued pursuant to Resolution No.(33) of 2012, the CBB's decision regarding the application for transfer made under Section GR-4.2, will be published as a notice in the Official Gazette and in two local newspapers (one in Arabic and one in English) and will come into effect from this date.

          Added: October 2012

        • GR-4.4.2

          If the liabilities are located in a jurisdiction outside Bahrain, the CBB may also publish such notice in the jurisdiction in which the risk is situated.

          Added: October 2012

        • GR-4.4.3

          The costs of publication of the notices referred to in Paragraphs GR-4.4.1 and GR-4.4.2 must be met by the transferor.

          Added: October 2012

        • GR-4.4.4

          Article 67(e) of the CBB Law notes that where the application for business transfer has been turned down by the CBB or includes restrictions, the applicant may appeal to a competent court within 30 calendar days from the date of publication referred to in Paragraph GR-4.4.1.

          Added: October 2012

    • GR-5 Controllers

      [This Chapter was deleted in July 2021 and superseded by Resolution No. (16) of 2021 with respect to promulgating the Regulation Pertaining to Control in Banks]

    • GR-6 GR-6 Open Banking

      • GR-6.1 GR-6.1 Access to PISPs and AISPs

        • GR-6.1.1

          The CBB has recognised the need to revise its rules in keeping with the following changes at a systemic level, both globally and regionally:

          a) market growth in e-commerce activities;
          b) increased use of internet and mobile payments;
          c) consumer demand to increasingly use smart device based payment solutions;
          d) the developments in innovative technology; and
          e) a trend towards customers having multiple account providers.

          This section sets forth the rules applicable to Islamic retail bank licensees with regards to the new category of ancillary service providers described below.

          Added: April 2019

        • GR-6.1.2

          The CBB has established a Directive contained in "Module OB: Open Banking" in Volume 5 of the CBB Rulebook that deals with a new sub category of ancillary service providers who, under the terms of the CBB license, may provide "payment initiation services" and/or "account information services". Such licensees are termed "payment initiation service providers" or PISPs and "account information service providers" or AISPs. Banks and other licensees which maintain a customer account is referred to in the CBB Rulebook Volume 5 as "licensees maintaining customer accounts".

          Added: April 2019

        • GR-6.1.3

          Islamic retail bank licensees must:

          (a) grant ancillary service providers of the types referred to in Paragraph AU-1.2.1 (f) and (g) of Rulebook Volume 5: Ancillary Service Providers Authorisation Module, access to customer accounts on an objective, non-discriminatory basis based on consents obtained from the customer;
          (b) provide the criteria that the Islamic retail bank licensees apply when considering requests pursuant to sub-paragraph (a) above for such access; and
          (c) ensure that those criteria are applied in a manner which ensures compliance with sub-paragraph (a) above while ensuring adherence to Law No 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018.
          Amended: July 2021
          Added: April 2019

        • GR-6.1.4

          Access to customer accounts granted pursuant to Paragraph GR-6.1.3 must be sufficiently extensive to allow the AISP and PISP access in an unhindered and efficient manner.

          Added: April 2019

        • GR-6.1.5

          Access to customer accounts granted pursuant to Paragraph GR-6.1.3 shall mean that at customer’s direction, the licensees are obliged to share, without charging a fee, all information that has been provided to them by the customer and that which can be accessed by the customer in a digital form. The obligation should only apply where the licensee keeps that information in a digital form. Furthermore, the obligation should not apply to information supporting identity verification assessment; which the licensees should only be obliged to share with the customer directly, not a data recipient. The information accessed shall include transaction data and product and services data that banks are required to publicly disclose, such as price, fees, and other charges should be made publicly available under open banking. Fees may be charged by banks to AISPs for sharing ‘Value Added Data’ and ‘Aggregated Data’ are not required to be shared. Value added data or derived data results from material enhancement by the application of insights, analysis, or transformation on customer data by the licensee. Aggregated data refers to data which is aggregated across the licensee’s customer segments for the purpose of analysis.

          Amended: July 2021
          Added: April 2019

        • GR-6.1.6

          If an Islamic retail bank licensee refuses a request for access to such services or withdraws access to such services, it must seek approval of the CBB in a formal communication which must contain the reasons for the refusal or the withdrawal of access and contain such information as the CBB may direct. The CBB shall approve the request if it is satisfied that the impact of not giving access is minimal. If the request is rejected, the Islamic retail bank licensee must adhere to the direction provided by the CBB.

          Added: April 2019

        • GR-6.1.7

          Islamic retail bank licensees must comply with each of the following requirements:

          (a) provide access to the same information from designated customer accounts made available to the customer when directly requesting access to the account information, provided that this information does not include sensitive payment data (such as customer security credentials or other personalised data, the holding of which or the use of which is not authorised by the customer; and data which may be used by the holder for unauthorised, fraudulent, illegal or activity or transactions);
          (b) provide, immediately after receipt of the payment order, the same information on the initiation and execution of the payment transaction provided or made available to the customer when the transaction is initiated directly by the latter;
          (c) upon request, immediately provide PISPs with a confirmation whether the amount necessary for the execution of a payment transaction is available on the payment account of the payer. This confirmation must consist of a simple 'yes' or 'no' answer.
          Added: July 2021

      • GR-6.2 GR-6.2 Communication Interface for PISPs and AISPs

        • GR-6.2.1

          Islamic retail bank licensees that offer a customer account that is accessible online must have in place at least one interface which meets each of the following requirements:

          (a) AISPs and PISPs must identify themselves in sessions with Islamic retail bank licensees;
          (b) AISPs and PISPs must communicate securely to request and receive information on one or more designated payment accounts and associated payment transactions; and
          (c) PISPs must communicate securely to initiate a payment order from the payer's payment account and receive information on the initiation and the execution of payment transactions.
          Amended: July 2021
          Added: April 2019

        • GR-6.2.2

          Islamic retail bank licensees must establish the interface(s) referred to in Paragraph GR-6.2.1 by means of a dedicated interface.

          Added: April 2019

        • GR-6.2.3

          For the purposes of authentication of the customer, the interfaces referred to in paragraph GR-6.2.1 must allow AISPs and PISPs to rely on the authentication procedures provided by the Islamic retail bank licensee to the customer. In particular, the interface must meet all of the following requirements:

          (a) process for instructing and authentication by the Islamic retail bank licensee;
          (b) establishing and maintaining authentication of communication sessions between the Islamic retail bank licensee, the AISP, the PISP and the customer(s); and
          (c) ensuring the integrity and confidentiality of the personalised security credentials and of authentication codes transmitted by or through the AISP or the PISP.
          Amended: July 2021
          Added: April 2019

        • GR-6.2.4

          Islamic retail bank licensees must ensure that their interface(s) follows standards of communication which are agreed by the CBB and that the protocols are technology neutral. They must ensure that the technical specifications of the interface are documented and are made available to AISPs and PISPs when requested.

          Added: April 2019

        • GR-6.2.5

          Islamic retail bank licensees must establish and make available a testing facility, including support, for connection and functional testing by authorised AISPs and PISPs that have applied for the relevant authorisation, to test their software and applications used for offering an information/payment service to users. No sensitive information must be shared through the testing facility.

          Added: April 2019

        • GR-6.2.6

          Islamic retail bank licensees must ensure that the dedicated interface established for the AISPs and PISPs offers the same level of availability and performance, including support, as well as the same level of contingency measures, as the interface made available to the customer for directly accessing its payment account online.

          Amended: July 2021
          Added: April 2019

        • GR-6.2.7

          For the purposes of GR-6.2.6, the following requirements apply:

          (a) Islamic retail bank licensees must monitor the availability and performance of the dedicated interface and make the resulting statistics available to the CBB upon their request;
          (b) where the dedicated interface does not operate at the same level of availability and performance as the interface made available to the Islamic retail bank licensee's customer when accessing the payment account online, the bank must report it to the CBB and must restore the level of service for the dedicated interface without undue delay and take the necessary action to avoid its reoccurrence.
          (c) The report referred to in (b) above must include the causes of the deficiency and the measures adopted to re-establish the required level of service; and
          (d) AISPs and PISPs making use of the dedicated interface offered by Islamic retail bank licensees must also report to the CBB any deficiency in the level of availability and performance required of the dedicated interface.
          Added: April 2019

        • GR-6.2.8

          Islamic retail bank licensees must include in the design of dedicated interface, a strategy and plans for contingency measures in the event of an unplanned unavailability of the interface and systems breakdown. The strategy must include communication plan to inform the relevant AISP/PISP making use of the dedicated interface in the case of breakdown, measures to bring the system back to 'business as usual' and a description of alternative options AISPs and PISPs may make use of during the unplanned downtime.

          Added: April 2019

      • GR-6.3 GR-6.3 Security of Communication Sessions and Authentication

        • GR-6.3.1

          Islamic retail bank licensees must ensure that communication sessions with PISPs and AISPs including merchants, relies on each of the following:

          (a) a unique identifier of the session;
          (b) security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data;
          (c) timestamps which must be based on a unified time-reference system and which must be synchronised according to an official time signal.
          Added: April 2019

        • GR-6.3.2

          Islamic retail bank licensees must ensure secured identification when communicating with AISPs and PISPs.

          Added: April 2019

        • GR-6.3.3

          Islamic retail bank licensees must ensure that, when exchanging data via the internet, with PISPs and AISPs, secure encryption is applied between the communicating parties throughout the respective communication session in order to safeguard the confidentiality and the integrity of the data, using strong and widely recognised encryption techniques.

          Added: April 2019

        • GR-6.3.4

          PISPs and AISPs must keep the access sessions offered by Islamic retail bank licensees as short as possible and they must actively terminate the session as soon as the requested action has been completed.

          Added: April 2019

        • GR-6.3.5

          When maintaining parallel network sessions with the PISPs and AISPs, Islamic retail bank licensees must ensure that those sessions are securely linked to relevant sessions established in order to prevent the possibility that any message or information communicated between them could be misrouted.

          Added: April 2019

        • GR-6.3.6

          Islamic retail bank licensees' sessions with PISPs and AISPs must contain unambiguous reference to each of the following items:

          (a) the customer and the corresponding communication session in order to distinguish several requests from the same customer;
          (b) for payment initiation services, the uniquely identified payment transaction initiated;
          (c) for confirmation on the availability of funds, the uniquely identified request related to the amount necessary for the execution of the transaction.
          Added: April 2019

        • GR-6.3.7

          Islamic retail bank licensees must ensure that where they communicate personalised security credentials and authentication codes, these are not readable by any staff at any time.

          Added: April 2019

        • GR-6.3.8

          [This Paragraph was moved to GR-6.1.7].

          Amended: July 2021
          Added: April 2019

        • GR-6.3.9

          In case of an unexpected event or error occurring during the process of identification, authentication, or the exchange of the data elements, the Islamic retail bank licensees must send a notification message to the relevant PISP or AISP which explains the reason for the unexpected event or error.

          Added: April 2019

        • GR-6.3.10

          Where the Islamic retail bank licensee offers a dedicated interface, it must ensure that the interface provides for notification messages concerning unexpected events or errors to be communicated by any PISP or AISP that detects the event or error to the other licensees participating in the communication session.

          Added: April 2019

        • GR-6.3.11

          Islamic retail bank licensees must provide access to information from customer accounts to AISPs whenever the customer requests such information.

          Added: April 2019

        • Secure authentication

          • GR-6.3.12

            Islamic retail bank licensees must have in place a strong customer authentication process and ensure the following:

            (a) no information on any of the elements of the strong customer authentication can be derived from the disclosure of the authentication code;
            (b) it is not possible to generate a new authentication code based on the knowledge of any other code previously generated; and
            (c) the authentication code cannot be forged.
            Amended: July 2021
            Added: April 2019

          • GR-6.3.13

            Islamic retail bank licensees must adopt security measures that meet the following requirements for payment transactions:

            (a) the authentication code generated must be specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;
            (b) the authentication code accepted by the licensee maintaining customer account corresponds to the original specific amount of the payment transaction and to the payee agreed to by the payer;
            (c) a SMS message must be sent to the customer upon accessing the online portal or application and when a transaction is initiated; and
            (d) any change to the amount or the payee must result in the invalidation of the authentication code generated.
            Amended: July 2021
            Added: April 2019

        • Independence of elements of strong authentication

          • GR-6.3.14

            Islamic retail bank licensees must establish adequate security features for customer authentication including the use of the following three elements:

            (a) an element categorised as knowledge (something only the user knows), such as length or complexity of the pin or password;
            (b) an element categorised as possession (something only the user possesses) such as algorithm specifications, key length and information entropy, and
            (c) for the devices and software that read, elements categorised as inherence (something the user is), i.e. algorithm specifications, biometric sensor and template protection features.
            Amended: July 2021
            Added: April 2019

          • GR-6.3.15

            Islamic retail bank licensees must ensure that the elements referred to in Paragraph GR-6.3.14 are independent, so that the breach of one does not compromise the reliability of the others, in particular, when any of these elements are used through a multi-purpose device, i.e. a device such as a tablet or a mobile phone which can be used for both giving the instruction to make the payment and for being used in the authentication process. The CBB will consider exempting from a 3 factor authentication on a case to case basis provided that the licensee is able to demonstrate to CBB that it has established robust controls to mitigate the relevant key risks.

            Amended: July 2021
            Added: April 2019

      • GR-6.4 GR-6.4 Standards for Program Interfaces and Communication

        • GR-6.4.1

          Islamic retail bank licensees must adhere to the Operational Guidelines, Security Standards and Guidelines, Open Banking Application Program Interface (API) Specifications and Customer Journey Guidelines included in Bahrain Open Banking Framework (see CBB website).

          Amended: July 2021
          Added: April 2019

        • GR-6.4.2

          Islamic retail bank licensees must ensure that compliance with standards and guidelines specified in Paragraph GR-6.4.1 is subject to independent review and tests, including testing in a test environment., by an independent consultant upon implementation.

          Amended: July 2021
          Added: April 2019

        • GR-6.4.3

          To remain technologically neutral the technical standards adopted by Islamic retail bank licensees must not require a specific technology. Authentication codes must be based on solutions such as generating and validating one-time passwords, digital signatures or other cryptographically underpinned validity assertions using keys and/or cryptographic material stored in the authentication elements, as long as the security requirements are fulfilled.

          Added: April 2019

      • GR-6.5 GR-6.5 [This Section was deleted in July 2021].

        • GR-6.5.1

          [This Paragraph was deleted in July 2021].

          Deleted: July 2021
          Added: April 2019

    • GR-7 GR-7 Cessation of Business

      • GR-7.1 GR-7.1 CBB Approval

        • GR-7.1.1

          As specified in Article 50 of CBB Law, an Islamic bank licensee wishing to cease to provide or suspend any or all of the licensed regulated services, completely or at any of its branches must obtain prior written approval from the CBB, setting out how it proposes to do so and, in particular, how it will treat any Shari'a money placements/deposits, and investment accounts, that it holds.

          Amended: October 2011
          October 07

        • GR-7.1.2

          [This Paragraph was deleted in October 2011].

          Deleted: October 2011

        • GR-7.1.3

          If the Islamic bank licensee wishes to liquidate its business, the CBB will revise its license to restrict the firm from entering into new business. The licensee must continue to comply with all applicable CBB requirements until such time as it is formally notified by the CBB that its obligations have been discharged and that it may surrender its license.

          October 07

        • GR-7.1.4

          In the case of a Bahraini Islamic bank licensee, Chapter GR-7 applies both to its business booked in Bahrain and the licensee's overseas branches. In the case of branches of foreign bank licensees, Chapter GR-7 applies only to business booked in the licensee's Bahrain branch.

          Amended: April 2020
          Adopted: October 2011

        • GR-7.1.5

          Licensees seeking to obtain the CBB's permission to cease business must apply to the CBB in writing, in the form of a formal request together with supporting documents. Unless otherwise directed by the CBB, the following information/documentation must be provided in support of the request:

          (a) Full details of the business to be terminated;
          (b) The rationale for the cessation;
          (c) How the Islamic bank licensee proposes to cease business;
          (d) Notice of an extraordinary shareholder meeting setting out the agenda to discuss and approve the cessation, and inviting the CBB for such meeting;
          (e) Evidence that the proposed cessation has been duly authorised by the Islamic bank licensee (such as a certified copy of a Board resolution approving the cessation);
          (f) Formal request to the CBB for the appointment of a liquidator acceptable to the CBB;
          (g) A cut-off date by which the Islamic bank licensee will stop its operations;
          (h) If the Islamic bank licensee wishes to cease its whole business, confirmation that the Islamic bank licensee will not enter into new business with effect from the cut-off date;
          (i) If applicable, an assessment of the impact of the cessation on any customers directly affected by the cessation, and any mitigating factors or measures; and
          (j) If applicable, an assessment of the impact of the cessation on the Islamic bank licensee's remaining business and customers, and any mitigating factors or measures.
          Adopted: October 2011

        • GR-7.1.6

          Islamic bank licensees intending to apply to cease business are advised to contact the CBB at the earliest opportunity, prior to submitting a formal application, in order that the CBB may determine the nature and level of documentation to be provided and the need for an auditor or other expert opinion to be provided to support the application. The information/documentation specified in Paragraph GR-7.1.5 may be varied by the CBB, depending on the nature of the proposed cessation, such as the materiality of the business concerned and its impact on customers.

          Adopted: October 2011

        • GR-7.1.7

          Approval to cease business will generally be given where adequate arrangements have been made to offer alternative arrangements to any affected customers. The CBB's approval may be given subject to any conditions deemed appropriate by the CBB. In all cases where additional requirements are imposed, the CBB shall state the reasons for doing so.

          Adopted: October 2011

        • GR-7.1.8

          An Islamic bank licensee in liquidation must continue to meet its contractual and regulatory obligations to depositors, other clients and creditors.

          Amended: October 2011
          October 07

        • GR-7.1.9

          [This Paragraph was deleted in October 2011].

          Deleted: October 2011

        • GR-7.1.10

          [This Paragraph was deleted in October 2011].

          Deleted: October 2011

        • GR-7.1.11

          [This Paragraph was deleted in October 2011].

          Deleted: October 2011

        • GR-7.1.12

          Upon satisfactorily meeting the requirements set out in GR-7.1.4, the Islamic bank licensee must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its commercial registration from the Ministry of Industry, Commerce and Tourism.

          Amended: April 2020
          Added: October 2016

    • GR-8 CBB Fees

      [This Chapter has been transferred to Module LR.]

      October 07

    • GR-9 GR-9 Prepaid Cards

      • GR-9.1 GR-9.1 General Requirements

        • GR-9.1.1

          Islamic retail bank licensees must place any prepaid card which is inactive for a period of six months on the “dormant” list.

          Added: January 2021