• OM-2.8 Outsourcing of Functions Containing Customer Information

    • OM-2.8.1

      Licensees must seek the CBB's prior written approval for third party and intragroup outsourcing of functions/services containing customer information including but not limited to payment services, debt collection, card and data processing, IT function including cloud services, internal audit and electronic/internet banking services but excluding legal services. Customer information must be encrypted and the encryption keys or similar forms of authentication codes must be securely kept under the licensee's control.

      Added: January 2020

    • OM-2.8.2

      Because of the critical importance of protecting customer information confidentiality, all proposals to outsource functions containing customer information should be considered material.

      Added: January 2020

    • OM-2.8.3

      For a third party outsourcing of functions/services containing customer information, other than debt collection, IT function, internal audit, card embossing, cheque personalization, data/documents storing and call centres, the outsourcing service providers must be licensed by the CBB and located in Bahrain. If the outsourced service is not available in Bahrain, licensees must submit to the CBB a written request. The request must provide details of the circumstances under which the extension of outsourcing activities is being requested.

      Added: January 2020

    • OM-2.8.4

      In case of an outsourcing arrangement that involves disclosure of confidential information to the outsourcing service provider, licensees must ensure that the contract with the outsourcing service provider clearly requires the latter to safeguard the confidentiality of the confidential information; provided always that the responsibility for disclosure of such confidential information must rest with the licensee. Due consideration must also be given to Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018 and the CBB Law.

      Added: January 2020

    • OM-2.8.5

      For outsourcing of functions/services containing customer information, the following conditions must also be met:

      (a) [This Subparagraph was deleted in January 2021].
      (b) The service level agreement must clearly state that the CBB inspectors and appointed experts have the legal right to conduct onsite examinations of the outsourcing service provider and such expenses are to be borne by the licensee; and
      (c) Any report by any other regulatory authority on the quality of controls of the outsourcing service provider must be submitted immediately by the licensee to the CBB.

      Amended: January 2021
      Added: January 2020

    • Cloud Services

      • OM-2.8.6

        For the purpose of outsourcing of cloud services, licensees must ensure that, at a minimum, the following security measures are in place and included in the outsourcing agreement:

        (a) Customer information must be encrypted and licensees must ensure that all encryption keys or similar forms of authentication are kept secure within the licensee's control;
        (b) A secure audit trail must be maintained for all actions performed at the cloud services outsourcing service provider;
        (c) A comprehensive change management procedure must be developed to account for future changes in technology with adequate testing of such changes;
        (d) The licensee's data must be logically segregated from other entities' data at the outsourcing service provider's platform;
        (e) The cloud service provider must provide information on measures taken at its platform to ensure adequate information security, data security and confidentiality, including but not limited to forms of protection available against unauthorized access and incident management process in cases of data breach or data loss; and
        (f) The right to release customer information/data in case of foreign government/court orders must be the sole responsibility of the licensee, based on the CBB Law and the Personal Data Protection Law (PDPL).

        Added: January 2020

      • OM-2.8.7

        The licensees should consider how the outsourced activity is impacted by the variety of risks associated with cloud adoption, for example:

        a) Vendor lock-in (cloud vendor using proprietary technology preventing migration);
        b) Vendor lock-out (cloud going out of business, preventing access to data);
        c) Data and application interoperability;
        d) Segregation of data in SaaS environments;
        e) Distributed denial of service (DDoS) prevention;
        f) Impact of regulatory enforcement processes;
        g) Safeguards for management of cryptographic keys;
        h) Unmonitored access to administrative zones by staff and third parties;
        i) Remote access to administrative zones without strong authentication and accountability;
        j) Single points of failure in connectivity to cloud environments.

        Added: January 2020

      • OM-2.8.8

        The licensees must ensure that cloud adoption does not result in data being stored in countries that are subject to United Nations sanctions.

        Added: January 2020