• OM-2 Outsourcing Requirements

    • OM-2.1 Outsourcing Arrangements

      • OM-2.1.1

        This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

        Amended: July 2022
        Added: January 2020

      • OM-2.1.2

        In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

        Amended: July 2022
        Added: January 2020

      • OM-2.1.3

        In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

        i. The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; and
        ii. The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.

        Amended: July 2022
        Added: January 2020

      • OM-2.1.4

        The licensee must not outsource the following functions:

        (i) Compliance;
        (ii) AML/CFT;
        (iii) Financial control;
        (iv) Risk management; and
        (v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).

        Amended: July 2022
        Added: January 2020

      • OM-2.1.5

        For the purposes of Paragraph OM-2.1.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph OM-2.1.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.

        Amended: July 2022
        Added: January 2020

      • OM-2.1.6

        Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph OM-2.1.4 (iv), subject to CBB’s prior approval.

        Amended: July 2022
        Added: January 2020

      • OM-2.1.7

        Licensees must comply with the following requirements:

        (i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:
            a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and
            b. be made at least 30 calendar days before the licensee intends to commit to the arrangement.
        (ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.
        (iii) Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.
        (iv) Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of the licensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.
        (v) Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement to ensure compliance with the licensee’s internal policies and applicable laws and regulations.
        (vi) Licensee must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.
        (vii) Licensee must inform its normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.
        (viii) Where the internal audit function is fully or partially outsourced, licensees must ensure that:
            i. The use of external experts does not compromise the independence and objectivity of the internal audit function;
            ii. The outsourcing service provider has not been previously engaged in a consulting or external audit engagement with the licensee unless a one year “cooling-off” period has elapsed;
            iii. The outsourcing service provider must not provide consulting services to the licensee during the engagement period; and
            iv. Adequate oversight is maintained over the outsourcing service provider to ensure that it complies with the licensee’s internal audit charter, policy and applicable laws and regulations.

        Amended: April 2023
        Amended: July 2022
        Added: January 2020

      • OM-2.1.8

        For the purpose of Subparagraph OM-2.1.7 (iv), licensees as part of their assessments may use the following:

        a) Independent third-party certifications on the outsourcing service provider’s security and other controls;
        b) Third-party or internal audit reports of the outsourcing service provider; and
        c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.

        When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.

        Added: July 2022

      • OM-2.1.9

        For the purpose of Subparagraph OM-2.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.

        Added: July 2022

    • OM-2.2 [This Section was deleted in July 2022]

    • OM-2.3 [This Section was deleted in July 2022]

    • OM-2.4 [This Section was deleted in July 2022]

    • OM-2.5 [This Section was deleted in July 2022]

    • OM-2.6 [This Section was deleted in July 2022]

    • OM-2.7 [This Section was deleted in July 2022]

    • OM-2.8 [This Section was deleted in July 2022]