GR GR General Requirements
GR-A GR-A Introduction
GR-A.1 GR-A.1 Purpose
Executive Summary
GR-A.1.1
The General Requirements Module presents a variety of different requirements that are not extensive enough to warrant their own stand-alone Module, but for the most part are generally applicable. These include general requirements on books and records; on the use of corporate and trade names; and on
controllers . Each set of requirements is contained in its own Chapter: a table listing these and their application to licensees is given in Chapter GR-B.October 07Legal Basis
GR-A.1.2
This Module contains the Central Bank of Bahrain's ('CBB') Regulation No.(31) of 2008 and Directive (as amended from time to time) governing bank control and general requirements and is issued under the powers available to the CBB under Articles 38 and 52 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Module also contains requirements pertaining to
controllers as prescribed under Resolution No.(43) of 2011 governing the conditions of granting a license for the provision of regulated services and is issued under the powers available to the CBB under Article 44(c). The requirements of Resolution No.(33) for the year 2012 with respect to the issuance of the Regulation setting the procedures for processing applications of banks to transfer financial services business in the Kingdom of Bahrain are included in Chapter GR-4. The Regulation, Resolutions and Directive in this Module are applicable to allIslamic bank licensees .Amended: October 2012
Amended: October 2011
Added: January 2011
GR-A.1.3
For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.
Added: January 2011
GR-A.2 GR-A.2 Module History
Evolution of Module
GR-A.2.1
This Module was first issued in July 2006, with immediate effect, as a new Module aimed at aligning the structure and contents of Volume 2 with other Volumes of the CBB Rulebook. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.
Amended: January 2014
October 07GR-A.2.2
The October 2007 version incorporates the requirements relating to
controllers , previously contained in Chapter HC-2 of the High-Level Controls Module. It also expands on certain requirements contained in the Central Bank of Bahrain and Financial Institutions Law (Decree No. 64 of 2006).October 07GR-A.2.3
A list of recent changes made to this Module is detailed in the table below:
Module Ref. Change Date Description of Changes GR-5 04/2008 New notification requirements and limits concerning "controllers" GR-4, GR-5.4, GR-7 10/2007 Administrative changes due to implementation of CBB Law. Revised notification deadlines etc. GR-1 10/2007 This Chapter has been relocated to OM Module. GR-8 10/2007 CBB Fees Chapter has been transferred to Module LR. GR-5.3 01/2010 Revised approval threshold for controllers which are financial institutions. GR 01/2011 Various minor amendments to ensure consistency in CBB Rulebook. GR-A.1.2 and A.1.3 01/2011 Added legal basis. GR-3.1.1 04/2011 Clarified Rule pertaining to announcement of dividend. GR-4.1.2 04/2011 Clarified Guidance and deleted reference to outsourcing and winding up proceedings. GR-4.1 07/2011 Noted that the Regulation dealing with Asset/Liability transfers is under consultation. GR-A.1.2 and GR-5.3.5A 10/2011 New reference added to reflect the issuance of Resolution No.(43) of 2011, and reference made to controllers. GR-3.1 10/2011 Clarified guidance Paragraphs on CBB's non-objection for dividends. GR-5.2.2 10/2011 Clarified the definition of "associate". GR-7 10/2011 Chapter redrafted to be consistent with other Volumes of the CBB Rulebook. GR-5.3.8 07/2012 Percentage amended to be consistent with Paragraph GR-5.3.5. GR-A.1.2 10/2012 Updated legal basis. GR-4 10/2012 Amended to reflect the issuance of Resolution No.(33) for 2012. GR-4.2.3 01/2013 Specified timeline for CBB preliminary assessment. GR-5.4.1 and GR-5.4.3 04/2013 Changed Rules to Guidance. GR-5 07/2013 Changes made to be in line with Regulation No.(31) for the year 2008. GR-A.2.1 01/2014 Deleted repetitive sentence. GR-5.3.8 04/2014 Corrected cross reference. GR-7.1.12 10/2016 Added additional requirements for cessation of business to be in line with Volume 4. GR-5.1.7 01/2017 Consistency of notification timeline rule on Controllers with other Volumes of the CBB Rulebook. GR-3.1.3 10/2017 Amended paragraph and changed from Guidance to Rule. GR-6 04/2019 Added Section on Open Banking. GR-B.1.2 04/2020 Amended Paragraph. GR-B.1.3 04/2020 Amended Paragraph. GR-2.1.2 04/2020 Amended Paragraph. GR-4.1.5 04/2020 Amended Paragraph. GR-4.3.2 (d) 04/2020 Amended Paragraph. GR-5.1.1 04/2020 Amended Paragraph. GR-5.1.10 04/2020 Amended Paragraph. GR-7.1.4 04/2020 Amended Paragraph. GR-7.1.12 04/2020 Amended Paragraph. GR-9 01/2021 Added a new Chapter on Prepaid Cards. GR-5 07/2021 Deleted Chapter and superseded by Resolution No. 16 of 2021. GR-6.1.3 07/2021 Amended Paragraph. GR-6.1.5 07/2021 Amended Paragraph. GR-6.1.7 07/2021 Amended Paragraph. GR-6.1.8 07/2021 Added a new Paragraph on access to customer information and data. GR-6.2.1 07/2021 Amended Paragraph. GR-6.2.3 07/2021 Amended Paragraph. GR-6.2.6 07/2021 Amended Paragraph. GR-6.3.8 07/2021 Paragraph moved to GR-6.1.7. GR-6.3.12 07/2021 Amended Paragraph. GR-6.3.13 07/2021 Amended Paragraph. GR-6.3.14 07/2021 Amended Paragraph. GR-6.3.15 07/2021 Amended Paragraph. GR-6.4.1 07/2021 Amended Paragraph. GR-6.4.2 07/2021 Amended Paragraph. GR-6.5 07/2021 Deleted Section. GR-2.1.1 01/2022 Amended Paragraph. GR-6.1.5 04/2022 Amended Paragraph on MCCs. GR-6.1.8 04/2022 Amended Paragraph on payment data provided including MCCs. GR-6.2.5 04/2022 Amended Paragraph on Bahrain Open Banking Framework Developer Portal. GR-3 07/2023 Amended Chapter on Dividends and Profit Repatriation. GR-3 01/2024 Amended Chapter on Dividends and Profit Repatriation. Superseded Requirements
GR-A.2.4
This Module supersedes:
Circular / other reference Provision Subject Module LR (April 2006 version) LR-6: Record-Keeping Record-keeping requirements were moved to GR-1, and edited down to simplify and avoid duplication of record-keeping requirements contained in Module FC. Module HC (April 2006 version) HC-2: 'Fit and Proper Requirement' Requirements relating to controllers were moved to GR-5. Remaining 'fit and proper' elements regarding Directors and key employees of licensees were retained in HC-2, in a re-drafted form. October 07GR-B GR-B Scope of Application
GR-B.1 GR-B.1 Islamic Bank Licensees
License Categories
GR-B.1.1
The requirements in Module GR (General Requirements) apply to both
retail andwholesale Islamic bank licensees .October 07Bahraini and Branches of Foreign Islamic Bank Licensees
GR-B.1.2
The scope of application of Module GR (General Requirements) is as follows:
Chapter Bahraini bank licensees Branches of foreign bank licensees GR-2 Applies to the whole bank. Applies to the Bahrain branch only. GR-3 Applies to the whole bank. Doesn't apply. GR-4 Applies to the whole bank. Applies to the Bahrain branch only. GR-5 Applies to the whole bank. Applies to the whole bank. GR-6 Applies to the conventional retail bank. Does not apply. GR-7 Applies to the whole bank. Applies to the Bahrain branch only. Amended: April 2020
Amended: April 2019
Added: October 07GR-B.1.3
In the case of
Bahraini Islamic bank licensees , certain requirements apply to the whole bank, irrespective of the location of its business; other requirements apply only in respect to business booked in Bahrain. In the case ofbranches of foreign bank licensees , the requirements of Module GR mostly only apply to business booked in the Bahrain branch.Amended: April 2020
Added: October 07GR-1 Books and Records
[This Chapter has been relocated to Module OM.]
October 07GR-2 GR-2 Corporate and Trade Names
GR-2.1 GR-2.1 Vetting of Names
GR-2.1.1
Licensees must obtain CBB’s prior written approval for any change in their legal name.Licensees must notify the CBB of any change in their corporate name at least one week prior to effecting the proposed change.Amended: January 2022
October 07GR-2.1.2
GR-2.1.1 applies to
branches of foreign bank licensees only with respect to their Bahrain branch.Amended: April 2020
Added: October 07GR-2.1.3
Rules GR-2.1.1 and GR-2.1.2 refers to the requirements contained in Article 41 of the CBB Law.
October 07GR-2.1.4
In approving a corporate or trade name, the CBB seeks to ensure that it is sufficiently distinct as to reduce possible confusion with other unconnected businesses, particularly those operating in the financial services sector. The CBB also seeks to ensure that names used by unregulated subsidiaries do not suggest those subsidiaries are in fact regulated.
October 07GR-3 GR-3 Dividends and Profit Repatriation
GR-3.1 GR-3.1 CBB Non-Objection
GR-3.1.1
Bahraini Islamic bank licensees must obtain CBB’s prior approval for any proposed cash or stock dividend before any public announcements or the Annual General Meeting.Amended July 2023
Amended April 2011
October 2007GR-3.1.2
[This Paragraph was deleted in July 2023].
Deleted: July 2023
Amended: October 2011
October 07GR-3.1.3
For the purpose of Paragraph GR-3.1.1,
Islamic bank licensees must:(a) Submit the following:
(i) The intended percentage and amount of proposed dividends;(ii) The impact of proposed dividends on:
(a) Capital Adequacy Ratio (CAR), Liquidity Coverage Ratio (LCR), Net Stable Funding Ratio (NSFR), and Leverage Ratio (LR) showing the ratios before and after the proposed dividends;(b) The cash flow position and shareholders’ equity level before and after the proposed dividends;(iii) Stress testing results evidencing that the proposed dividends would not lead to any breach of the regulatory requirements (CAR, LCR, NSFR and LR) in the last financial year and the next two years under normal and stressed scenarios.(b) Satisfy the CBB of the adequacy of impairment provisions during the review of the annual/interim financial statements;(c) Ensure that any unrealized gains arising from assets or liabilities fair value assessment are excluded from net income in the determination of the proposed dividends, given that CBB does not permit distribution of unrealised profit;(d) Ensure that the amount of realised profits included in the retained earnings as at the year-end is sufficient to cover the proposed dividend amount; and(e) Ensure that any negative fair value on assets held at amortised cost do not have any material adverse impact on the capital and liquidity positions where such assets may need to be liquidated before maturity to satisfy any financial obligations, including deposit withdrawals.Amended: January 2024
Amended: July 2023
Amended: October 2017
Amended: October 2011
October 07GR-3.2 Repatriation of Profits by Retail Branches of Foreign Banks
GR-3.2.1
Retail
branches of foreign banks must comply with the following when repatriating profits to Head Office:(a) The gearing ratio stipulated in Paragraph CA-10.6.3 after repatriation;(b) Satisfy the CBB of the adequacy of impairment provisions during the CBB’s review of the annual financial statements;(c) Ensure that any unrealized gains arising from assets or liabilities fair value assessment are excluded from net income in the determination of the repatriation;(d) Ensure that the amount of realised profits included in the retained earnings (unremitted profits due to head office) as at the year-end is sufficient to cover the proposed profit repatriation amount; and(e) Ensure that any negative fair value on assets held at amortised cost do not have any material adverse impact on the capital and liquidity positions where such assets may need to be liquidated before maturity to satisfy any financial obligations, including deposit withdrawals.Amended: January 2024
Added: July 2023GR-4 GR-4 Business Transfers
GR-4.1 GR-4.1 [deleted]
[This Section was deleted in July 2011 as Regulation on Asset/Liability transfers currently under consultation].
GR-4.1.1 [deleted]
Deleted: July 2011
GR-4.1.2 [deleted]
Deleted: July 2011
GR-4.1.3 [deleted]
Deleted: July 2011
GR-4.1.4 [deleted]
Deleted: July 2011
GR-4.1.5 [deleted]
Deleted: July 2011
GR-4.1.6 [deleted]
Deleted: July 2011
GR-4.1 GR-4.1 CBB Approval
GR-4.1.1
In accordance with the CBB Governor s Resolution No.(33) for the year 2012 issued pursuant to Article 66 of the CBB Law, an
Islamic bank licensee (transferor ) must seek prior written approval from the CBB before transferring any regulated banking service to a person (transferee ), except in the following circumstances:(a) Where the transferred business is limited to the assets and/or liabilities of thetransferor and does not include anyregulated banking services ; or(b) Where the regulated service transferred accounts for less than 5% of thetransferor s total assets and/or liabilities as recorded in the unconsolidated balance sheet of the financial quarter preceding the date of the transfer of business application.Added: October 2012GR-4.1.2
For purposes of Paragraph GR-4.1.1 (a), a business transfer refers to a transfer of the rights and obligations of one
Islamic bank licensee to a third party, so that the customers continue to be subject to the same terms and conditions as those originally agreed.Added: October 2012GR-4.1.3
In instances where Subparagraph GR-4.1.1(b) applies,
Islamic bank licensees must notify the CBB before transferring anyregulated banking service to atransferee one month prior to the transfer taking place.Added: October 2012GR-4.1.4
Rule GR-4.1.1 is intended to apply to circumstances where a bank wishes to transfer all or part of its business (examples: credit card business, asset management business) to a third party, or is undertaking winding up proceedings.
Added: October 2012GR-4.1.5
In the case of a
Bahraini Islamic bank licensee , Chapter GR-4 applies to its assets and liabilities booked in Bahrain. In the case ofbranches of foreign bank licensee , Chapter GR-4 applies only to assets and liabilities booked in the bank's Bahrain branch.Amended: April 2020
Added: October 2012GR-4.2 GR-4.2 Procedure with Respect to Applications
GR-4.2.1
Islamic bank licensees wishing to transfer banking business in the Kingdom must apply to the Executive Director of Banking Supervision by submitting an application form along with the supporting documents as specified by the CBB (see Part B, Supplementary Information, Appendix GR-1). Unless otherwise directed by the CBB, the application must provide:(a) Full details of the business to be transferred including a detailed list of all liabilities or assets that will be transferred;(b) The rationale for the proposed transfer;(c) If applicable, an assessment of the impact of the transfer on anycustomers directly affected by the transfer, and any mitigating factors or measures;(d) If applicable, an assessment of the impact of the transfer on the transferor's remaining business andcustomers ; and(e) Evidence that the proposed transfer has been duly authorised by thetransferor (such as a certified copy of a Board resolution approving the transfer).Added: October 2012GR-4.2.2
Banks intending to apply to transfer a regulated service are advised to contact the CBB at the earliest possible opportunity, in order that the CBB may determine the nature and level of any documentation and/or the need for an auditor or other expert opinion to be provided. The CBB will grant its permission where the transfer will have no negative impact on the financial soundness of the bank, and does not otherwise compromise the interests of the bank's depositors and creditors. In all cases, the CBB will only grant its permission where the institution acquiring the regulated service holds the appropriate regulatory approvals and is in good regulatory standing.
Added: October 2012Preliminary Assessment
GR-4.2.3
The CBB will make a preliminary assessment of whether the proposed transfer is of a type that could be considered for approval or not based on the receipt of the documents referred to in Paragraph GR-4.2.1. If rejected, the applicant will be informed accordingly. The CBB will approve/reject the transfer of business application form after the submission of all necessary documents within 14 calendar days of the date where all documents have been submitted.
Amended: January 2013
Added: October 2012Publication of the Transfer of Business Application
GR-4.2.4
In instances where the CBB is in favor of the transfer requested, and in accordance with Article 66(c) of the CBB Law, the transfer of business application will be published by the CBB in the Official Gazette and in two daily newspapers in the Kingdom of Bahrain (one in Arabic and one in English). The CBB notice will include a statement that written representations concerning the transfer of business application may be sent to the CBB within three months from the date of publication.
Added: October 2012GR-4.2.5
If the liabilities are located in a jurisdiction outside Bahrain, the CBB may also publish such notice in the jurisdiction in which the risk is situated.
Added: October 2012GR-4.2.6
In all cases, the costs of publication of the notices referred to in Paragraphs GR-4.2.5 and GR-4.2.6 must be met by the
transferor .Added: October 2012GR-4.3 GR-4.3 Determination of Application
GR-4.3.1
The CBB will consider an application under Paragraph GR-4.2.1 if it is satisfied that:
(a) Any objections received to the application to transfer the business following its publication in the Official Gazette and in two daily newspapers in the Kingdom of Bahrain (one in Arabic and one in English) as required under Article 66(d) have been reviewed and resolved by the CBB.(b) Except in so far as the CBB has otherwise directed, a copy of the notice has been sent to every affected customer and every other person who claims an interest in an asset or liability included in the proposed transfer (and has given written notice of his claim to thetransferor );(c) Copies of a statement, approved by the CBB, setting out particulars of the transfer, have been available for inspection at one or more places in Bahrain for at least 30 days, from the date of publication of the notice specified in Paragraph GR-4.2.3; and(d) Where the proposed transfer includes any contract where the risk is situated in a jurisdiction other than Bahrain, a statement, approved by the CBB, setting out particulars of the transfer, has been available for inspection at one or more places in that jurisdiction for at least 30 days, starting with the date of publication of the notice specified in Paragraph GR-4.2.3.Added: October 2012GR-4.3.2
The CBB will not approve the transfer, under the terms of Paragraph GR-4.2.1, unless it is satisfied that:
(a) Thetransferee is authorised to carry onregulated banking services in Bahrain or (where relevant) is authorised or otherwise permitted to carry onregulated banking services in the jurisdiction where any overseas risks are situated;(b) Every transaction or account or relationship included in the transfer evidences a contract which was entered into before the date of the application;(c) Thetransferee possesses the necessary solvency required by the regulatory authorities to which he is subject to, after taking the proposed transfer into account;(d) Where transactions, accounts, or customer relationships are being transferred from an overseasbranch of a bank licensee, or thetransferee is abranch of foreign bank licensee , the relevant overseas regulatory authority has been consulted about the proposed transfer, the law of that jurisdiction provides for the possibility of such a transfer, and the relevant supervisory authority in that jurisdiction has agreed to the transfer;(e) The transfer will not breach any applicable laws and regulations, and will not create any supervisory concerns;(f) The business transferred is not prohibited by the CBB; and(g) There are no material adverse consequences from the transfer on thetransferee or the security of customers and creditors and their rights and obligations are protected.Amended: April 2020
Added: October 2012GR-4.3.3
In assessing the criteria outlined in Paragraph GR-4.3.2, the CBB will, amongst other factors, take into account the financial strength of the
transferee ; its capacity to manage the business being transferred; its track record in complying with applicable regulatory requirements; and (where applicable) its track record in treatingcustomers fairly. The CBB will also take into account the impact of the transfer on thetransferor , and any consequences this may have for thetransferor's remainingcustomers .Added: October 2012GR-4.3.4
The CBB will review the application and any other documents or information requested by the CBB taking into consideration any objections received and conditions stated in Article 66 (d) of the CBB law.
Added: October 2012GR-4.3.5
The CBB reserves the right to impose additional requirements if, in the opinion of the CBB, additional requirements are necessary to protect customer interests. In all cases where additional requirements are imposed, the CBB shall state the reasons for doing so.
Added: October 2012GR-4.3.6
The CBB will communicate its final decision to the
transferor within 5 working days of the expiry of the period for submitting objections to the CBB (see Paragraph GR-4.2.4).Added: October 2012GR-4.4 GR-4.4 CBB Decision
GR-4.4.1
In accordance with Article 67 (d) of the CBB Law and Article 8 of the Regulation issued pursuant to Resolution No.(33) of 2012, the CBB's decision regarding the application for transfer made under Section GR-4.2, will be published as a notice in the Official Gazette and in two local newspapers (one in Arabic and one in English) and will come into effect from this date.
Added: October 2012GR-4.4.2
If the liabilities are located in a jurisdiction outside Bahrain, the CBB may also publish such notice in the jurisdiction in which the risk is situated.
Added: October 2012GR-4.4.3
The costs of publication of the notices referred to in Paragraphs GR-4.4.1 and GR-4.4.2 must be met by the
transferor .Added: October 2012GR-4.4.4
Article 67(e) of the CBB Law notes that where the application for business transfer has been turned down by the CBB or includes restrictions, the applicant may appeal to a competent court within 30 calendar days from the date of publication referred to in Paragraph GR-4.4.1.
Added: October 2012GR-5 Controllers
[This Chapter was deleted in July 2021 and superseded by Resolution No. (16) of 2021 with respect to promulgating the Regulation Pertaining to Control in Banks]
GR-6 GR-6 Open Banking
GR-6.1 GR-6.1 Access to PISPs and AISPs
GR-6.1.1
The CBB has recognised the need to revise its rules in keeping with the following changes at a systemic level, both globally and regionally:
a) market growth in e-commerce activities;b) increased use of internet and mobile payments;c) consumer demand to increasingly use smart device based payment solutions;d) the developments in innovative technology; ande) a trend towards customers having multiple account providers.This section sets forth the rules applicable to
Islamic retail bank licensees with regards to the new category ofancillary service providers described below.Added: April 2019GR-6.1.2
The CBB has established a Directive contained in "Module OB: Open Banking" in Volume 5 of the CBB Rulebook that deals with a new sub category of
ancillary service providers who, under the terms of the CBB license, may provide "payment initiation services " and/or "account information services ". Such licensees are termed "payment initiation service providers " or PISPs and "account information service providers " or AISPs. Banks and other licensees which maintain a customer account is referred to in the CBB Rulebook Volume 5 as "licensees maintaining customer accounts".Added: April 2019GR-6.1.3
Islamic retail bank licensees must:(a) grantancillary service providers of the types referred to in Paragraph AU-1.2.1 (f) and (g) of Rulebook Volume 5: Ancillary Service Providers Authorisation Module, access to customer accounts on an objective, non-discriminatory basis based on consents obtained from the customer;(b) provide the criteria that theIslamic retail bank licensees apply when considering requests pursuant to sub-paragraph (a) above for such access; and(c) ensure that those criteria are applied in a manner which ensures compliance with sub-paragraph (a) above while ensuring adherence to Law No 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018.Amended: July 2021
Added: April 2019GR-6.1.4
Access to customer accounts granted pursuant to Paragraph GR-6.1.3 must be sufficiently extensive to allow the AISP and PISP access in an unhindered and efficient manner.
Added: April 2019GR-6.1.5
Access to customer accounts granted pursuant to Paragraph GR-6.1.3 shall mean that at customer’s direction, the
licensees are obliged to share, without charging a fee, all information that has been provided to them by the customer and that which can be accessed by the customer in a digital form. The obligation should only apply where thelicensee keeps that information in a digital form. Furthermore, the obligation should not apply to information supporting identity verification assessment; which thelicensees should only be obliged to share with the customer directly, not a data recipient. The information accessed and shared shall include transaction data, relevant Merchant Category Code information and product and services data that banks are required to publicly disclose, such as price, fees, and other charges should be made publicly available under open banking. Fees may be charged by banks to AISPs for sharing ‘Value Added Data’ and ‘Aggregated Data’ are not required to be shared. Value added data or derived data results from material enhancement by the application of insights, analysis, or transformation on customer data by thelicensee . Aggregated data refers to data which is aggregated across thelicensee ’s customer segments for the purpose of analysis.Amended: April 2022
Amended: July 2021
Added: April 2019GR-6.1.6
If an
Islamic retail bank licensee refuses a request for access to such services or withdraws access to such services, it must seek approval of the CBB in a formal communication which must contain the reasons for the refusal or the withdrawal of access and contain such information as the CBB may direct. The CBB shall approve the request if it is satisfied that the impact of not giving access is minimal. If the request is rejected, theIslamic retail bank licensee must adhere to the direction provided by the CBB.Added: April 2019GR-6.1.7
Islamic retail bank licensees must comply with each of the following requirements:(a) provide access to the same information from designated customer accounts made available to the customer when directly requesting access to the account information, provided that this information does not include sensitive payment data (such as customer security credentials or other personalised data, the holding of which or the use of which is not authorised by the customer; and data which may be used by the holder for unauthorised, fraudulent, illegal or activity or transactions);(b) provide, immediately after receipt of the payment order, the same information on the initiation and execution of the payment transaction provided or made available to the customer when the transaction is initiated directly by the latter;(c) upon request, immediately provide PISPs with a confirmation whether the amount necessary for the execution of a payment transaction is available on the payment account of the payer. This confirmation must consist of a simple 'yes' or 'no' answer.Added: July 2021GR-6.1.8
For the purposes of this Chapter,
Islamic retail bank licensees must provide access to and share information and data pertaining tocustomer account activity, including the Merchant Category Code information relevant to the payments from the customer account, and balances covering a period of 12 full months or 365 days at the time of access to the AISPs in respect of the following services/products offered by thelicensee :(a) Savings accounts;(b) Current accounts;(c) Term and call deposits;(d) Foreign currency accounts;(e) Unrestricted investment accounts;(f) Restricted investment accounts;(g) Mortgage/housing finance products;(h) Auto loans;(i) Consumer loans/financing;(j) Overdrafts (personal);(k) Credit and charge cards;(l) Electronic wallets and prepaid cards; and(m) Other accounts which are accessible to thecustomer through e-banking portal or mobile device.Amended: April 2022
Added: July 2021GR-6.2 GR-6.2 Communication Interface for PISPs and AISPs
GR-6.2.1
Islamic retail bank licensees that offer a customer account that is accessible online must have in place at least one interface which meets each of the following requirements:(a) AISPs and PISPs must identify themselves in sessions withIslamic retail bank licensees ;(b) AISPs and PISPs must communicate securely to request and receive information on one or more designated payment accounts and associated payment transactions; and(c) PISPs must communicate securely to initiate a payment order from the payer's payment account and receive information on the initiation and the execution of payment transactions.Amended: July 2021
Added: April 2019GR-6.2.2
Islamic retail bank licensees must establish the interface(s) referred to in Paragraph GR-6.2.1 by means of a dedicated interface.Added: April 2019GR-6.2.3
For the purposes of authentication of the customer, the interfaces referred to in paragraph GR-6.2.1 must allow AISPs and PISPs to rely on the authentication procedures provided by the
Islamic retail bank licensee to the customer. In particular, the interface must meet all of the following requirements:(a) process for instructing and authentication by theIslamic retail bank licensee ;(b) establishing and maintaining authentication of communication sessions between theIslamic retail bank licensee , the AISP, the PISP and the customer(s); and(c) ensuring the integrity and confidentiality of the personalised security credentials and of authentication codes transmitted by or through the AISP or the PISP.Amended: July 2021
Added: April 2019GR-6.2.4
Islamic retail bank licensees must ensure that their interface(s) follows standards of communication which are agreed by the CBB and that the protocols are technology neutral. They must ensure that the technical specifications of the interface are documented and are made available to AISPs and PISPs when requested.Added: April 2019GR-6.2.5
Islamic retail bank licensees must establish and make available a testing facility, in accordance with the operational guidelines included in the Bahrain Open Banking Framework (see Section 4.1), to authorised AISPs and PISPs, companies operating in the CBB’s Regulatory Sandbox as open banking service providers and AISPs/PISPs granted in-principle confirmation to proceed with the CBB’s licensing process. No sensitive information must be shared through the testing facility.Licensees must display a link to the testing facility on their website.Amended: April 2022
Added: April 2019GR-6.2.6
Islamic retail bank licensees must ensure that the dedicated interface established for the AISPs and PISPs offers the same level of availability and performance, including support, as well as the same level of contingency measures, as the interface made available to the customer for directly accessing its payment account online.Amended: July 2021
Added: April 2019GR-6.2.7
For the purposes of GR-6.2.6, the following requirements apply:
(a)Islamic retail bank licensees must monitor the availability and performance of the dedicated interface and make the resulting statistics available to the CBB upon their request;(b) where the dedicated interface does not operate at the same level of availability and performance as the interface made available to theIslamic retail bank licensee's customer when accessing the payment account online, the bank must report it to the CBB and must restore the level of service for the dedicated interface without undue delay and take the necessary action to avoid its reoccurrence.(c) The report referred to in (b) above must include the causes of the deficiency and the measures adopted to re-establish the required level of service; and(d) AISPs and PISPs making use of the dedicated interface offered byIslamic retail bank licensees must also report to the CBB any deficiency in the level of availability and performance required of the dedicated interface.Added: April 2019GR-6.2.8
Islamic retail bank licensees must include in the design of dedicated interface, a strategy and plans for contingency measures in the event of an unplanned unavailability of the interface and systems breakdown. The strategy must include communication plan to inform the relevant AISP/PISP making use of the dedicated interface in the case of breakdown, measures to bring the system back to 'business as usual' and a description of alternative options AISPs and PISPs may make use of during the unplanned downtime.Added: April 2019GR-6.3 GR-6.3 Security of Communication Sessions and Authentication
GR-6.3.1
Islamic retail bank licensees must ensure that communication sessions with PISPs and AISPs including merchants, relies on each of the following:(a) a unique identifier of the session;(b) security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data;(c) timestamps which must be based on a unified time-reference system and which must be synchronised according to an official time signal.Added: April 2019GR-6.3.2
Islamic retail bank licensees must ensure secured identification when communicating with AISPs and PISPs.Added: April 2019GR-6.3.3
Islamic retail bank licensees must ensure that, when exchanging data via the internet, with PISPs and AISPs, secure encryption is applied between the communicating parties throughout the respective communication session in order to safeguard the confidentiality and the integrity of the data, using strong and widely recognised encryption techniques.Added: April 2019GR-6.3.4
PISPs and AISPs must keep the access sessions offered by
Islamic retail bank licensees as short as possible and they must actively terminate the session as soon as the requested action has been completed.Added: April 2019GR-6.3.5
When maintaining parallel network sessions with the PISPs and AISPs,
Islamic retail bank licensees must ensure that those sessions are securely linked to relevant sessions established in order to prevent the possibility that any message or information communicated between them could be misrouted.Added: April 2019GR-6.3.6
Islamic retail bank licensees' sessions with PISPs and AISPs must contain unambiguous reference to each of the following items:(a) the customer and the corresponding communication session in order to distinguish several requests from the same customer;(b) forpayment initiation services , the uniquely identified payment transaction initiated;(c) for confirmation on the availability of funds, the uniquely identified request related to the amount necessary for the execution of the transaction.Added: April 2019GR-6.3.7
Islamic retail bank licensees must ensure that where they communicate personalised security credentials and authentication codes, these are not readable by any staff at any time.Added: April 2019GR-6.3.8
[This Paragraph was moved to GR-6.1.7].
Amended: July 2021
Added: April 2019GR-6.3.9
In case of an unexpected event or error occurring during the process of identification, authentication, or the exchange of the data elements, the
Islamic retail bank licensees must send a notification message to the relevant PISP or AISP which explains the reason for the unexpected event or error.Added: April 2019GR-6.3.10
Where the
Islamic retail bank licensee offers a dedicated interface, it must ensure that the interface provides for notification messages concerning unexpected events or errors to be communicated by any PISP or AISP that detects the event or error to the other licensees participating in the communication session.Added: April 2019GR-6.3.11
Islamic retail bank licensees must provide access to information from customer accounts to AISPs whenever the customer requests such information.Added: April 2019Secure authentication
GR-6.3.12
Islamic retail bank licensees must have in place a strong customer authentication process and ensure the following:(a) no information on any of the elements of the strong customer authentication can be derived from the disclosure of the authentication code;(b) it is not possible to generate a new authentication code based on the knowledge of any other code previously generated; and(c) the authentication code cannot be forged.Amended: July 2021
Added: April 2019GR-6.3.13
Islamic retail bank licensees must adopt security measures that meet the following requirements for payment transactions:(a) the authentication code generated must be specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;(b) the authentication code accepted by the licensee maintaining customer account corresponds to the original specific amount of the payment transaction and to the payee agreed to by the payer;(c) a SMS message must be sent to the customer upon accessing the online portal or application and when a transaction is initiated; and(d) any change to the amount or the payee must result in the invalidation of the authentication code generated.Amended: July 2021
Added: April 2019Independence of elements of strong authentication
GR-6.3.14
Islamic retail bank licensees must establish adequate security features for customer authentication including the use of the following three elements:(a) an element categorised as knowledge (something only the user knows), such as length or complexity of the pin or password;(b) an element categorised as possession (something only the user possesses) such as algorithm specifications, key length and information entropy, and(c) for the devices and software that read, elements categorised as inherence (something the user is), i.e. algorithm specifications, biometric sensor and template protection features.Amended: July 2021
Added: April 2019GR-6.3.15
Islamic retail bank licensees must ensure that the elements referred to in Paragraph GR-6.3.14 are independent, so that the breach of one does not compromise the reliability of the others, in particular, when any of these elements are used through a multi-purpose device, i.e. a device such as a tablet or a mobile phone which can be used for both giving the instruction to make the payment and for being used in the authentication process. The CBB will consider exempting from a 3 factor authentication on a case to case basis provided that thelicensee is able to demonstrate to CBB that it has established robust controls to mitigate the relevant key risks.Amended: July 2021
Added: April 2019GR-6.4 GR-6.4 Standards for Program Interfaces and Communication
GR-6.4.1
Islamic retail bank licensees must adhere to the Operational Guidelines, Security Standards and Guidelines, Open Banking Application Program Interface (API) Specifications and Customer Journey Guidelines included in Bahrain Open Banking Framework (see CBB website).Amended: July 2021
Added: April 2019GR-6.4.2
Islamic retail bank licensees must ensure that compliance with standards and guidelines specified in Paragraph GR-6.4.1 is subject to independent review and tests, including testing in a test environment., by an independent consultant upon implementation.Amended: July 2021
Added: April 2019GR-6.4.3
To remain technologically neutral the technical standards adopted by
Islamic retail bank licensees must not require a specific technology. Authentication codes must be based on solutions such as generating and validating one-time passwords, digital signatures or other cryptographically underpinned validity assertions using keys and/or cryptographic material stored in the authentication elements, as long as the security requirements are fulfilled.Added: April 2019GR-6.5 GR-6.5 [This Section was deleted in July 2021].
GR-6.5.1
[This Paragraph was deleted in July 2021].
Deleted: July 2021
Added: April 2019GR-7 GR-7 Cessation of Business
GR-7.1 GR-7.1 CBB Approval
GR-7.1.1
As specified in Article 50 of CBB Law, an
Islamic bank licensee wishing to cease to provide or suspend any or all of the licensed regulated services, completely or at any of its branches must obtain prior written approval from the CBB, setting out how it proposes to do so and, in particular, how it will treat any Shari'a money placements/deposits, and investment accounts, that it holds.Amended: October 2011
October 07GR-7.1.2
[This Paragraph was deleted in October 2011].
Deleted: October 2011GR-7.1.3
If the
Islamic bank licensee wishes to liquidate its business, the CBB will revise its license to restrict the firm from entering into new business. The licensee must continue to comply with all applicable CBB requirements until such time as it is formally notified by the CBB that its obligations have been discharged and that it may surrender its license.October 07GR-7.1.4
In the case of a
Bahraini Islamic bank licensee , Chapter GR-7 applies both to its business booked in Bahrain and the licensee's overseas branches. In the case ofbranches of foreign bank licensees , Chapter GR-7 applies only to business booked in the licensee's Bahrain branch.Amended: April 2020
Adopted: October 2011GR-7.1.5
Licensees seeking to obtain the CBB's permission to cease business must apply to the CBB in writing, in the form of a formal request together with supporting documents. Unless otherwise directed by the CBB, the following information/documentation must be provided in support of the request:
(a) Full details of the business to be terminated;(b) The rationale for the cessation;(c) How theIslamic bank licensee proposes to cease business;(d) Notice of an extraordinary shareholder meeting setting out the agenda to discuss and approve the cessation, and inviting the CBB for such meeting;(e) Evidence that the proposed cessation has been duly authorised by theIslamic bank licensee (such as a certified copy of a Board resolution approving the cessation);(f) Formal request to the CBB for the appointment of a liquidator acceptable to the CBB;(g) A cut-off date by which theIslamic bank licensee will stop its operations;(h) If theIslamic bank licensee wishes to cease its whole business, confirmation that theIslamic bank licensee will not enter into new business with effect from the cut-off date;(i) If applicable, an assessment of the impact of the cessation on any customers directly affected by the cessation, and any mitigating factors or measures; and(j) If applicable, an assessment of the impact of the cessation on theIslamic bank licensee's remaining business and customers, and any mitigating factors or measures.Adopted: October 2011GR-7.1.6
Islamic bank licensees intending to apply to cease business are advised to contact the CBB at the earliest opportunity, prior to submitting a formal application, in order that the CBB may determine the nature and level of documentation to be provided and the need for an auditor or other expert opinion to be provided to support the application. The information/documentation specified in Paragraph GR-7.1.5 may be varied by the CBB, depending on the nature of the proposed cessation, such as the materiality of the business concerned and its impact on customers.Adopted: October 2011GR-7.1.7
Approval to cease business will generally be given where adequate arrangements have been made to offer alternative arrangements to any affected customers. The CBB's approval may be given subject to any conditions deemed appropriate by the CBB. In all cases where additional requirements are imposed, the CBB shall state the reasons for doing so.
Adopted: October 2011GR-7.1.8
An
Islamic bank licensee in liquidation must continue to meet its contractual and regulatory obligations to depositors, other clients and creditors.Amended: October 2011
October 07GR-7.1.9
[This Paragraph was deleted in October 2011].
Deleted: October 2011GR-7.1.10
[This Paragraph was deleted in October 2011].
Deleted: October 2011GR-7.1.11
[This Paragraph was deleted in October 2011].
Deleted: October 2011GR-7.1.12
Upon satisfactorily meeting the requirements set out in GR-7.1.4, the
Islamic bank licensee must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its commercial registration from the Ministry of Industry, Commerce and Tourism.Amended: April 2020
Added: October 2016GR-8 CBB Fees
[This Chapter has been transferred to Module LR.]
October 07GR-9 GR-9 Prepaid Cards
GR-9.1 GR-9.1 General Requirements
GR-9.1.1
Islamic retail bank licensees must place any prepaid card which is inactive for a period of six months on the “dormant” list.Added: January 2021
