Part One: Bahraini Bank Licensees
HC-B.2 Subsidiaries and Foreign Branches of Bahraini Islamic Bank Licensees
HC-B.2.1
Bahraini conventional bank licensees must ensure that, as a minimum, the same or equivalent provisions of this Module apply to their subsidiaries and overseas branches. In instances where local jurisdictional requirements are more stringent than those applicable in this Module, the local requirements are to be applied.
Added: April 2023
HC-B.2.2
Where a conventional bank licensee is unable to satisfy the CBB that its subsidiaries and overseas branches are subject to the same or equivalent arrangements, the CBB will assess the potential impact of risks to the licensee arising from inadequate high-level controls. In such instances, the CBB may impose certain restrictions on the licensee. Where weaknesses in controls are assessed by the CBB to pose a major threat to the financial soundness of the licensee and/or the financial stability in the Kingdom, then its license may be called into question.
Added: April 2023
HC-1 Board’s Overall Responsibilities
HC-1.1 Responsibilities of the Board
HC-1.1.1
The board of directors (“Board”) of the licensee must:
(a) Set the “tone at the top” and play a leading role in establishing the licensee’s corporate culture and values, and oversee management’s role in fostering and maintaining a sound corporate and risk culture;
(b) Ensure that no individual or group of directors dominates the Board’s decision-making and no individual or group has unfettered powers of decision.
(c) Approve and oversee the development of the licensee’s strategy, business plans and budget, and monitor their implementation. Bahraini conventional bank licensees must submit to the CBB for its review their proposed strategy and any major proposed changes to it;
(d) Actively engage in the affairs of the licensee, keep up with material changes in the licensee’s business and the external environment and act in a timely manner to protect the long-term interests of the licensee;
(e) Convene and prepare the agenda for shareholder meetings;
(f) Approve, and oversee the implementation of, the licensee’s governance framework, risk management framework and all policies, and review the relevant parts of these as well as review key controls in case a new business activity is considered, or in case of material changes to the licensee’s size, complexity, business strategy, markets or regulatory requirements, or the occurrence of a major failure of controls;
(g) Establish, along with senior management and the chief risk officer, the licensee’s risk appetite, considering the licensee’s strategy, competitive and regulatory landscape, the licensee’s long-term interests, risk exposure and ability to manage risk effectively, and oversee the licensee’s adherence to the risk appetite statement, risk policy and risk limits;
(h) Ensure that:
    i. Adequate systems, controls, processes and procedures are implemented by senior management in line with the Board approved policies;
    ii. The licensee has adequate processes to ensure full compliance with the requirements of the CBB Law, other relevant laws and the pertinent rulebooks;
    iii. The licensee has a robust finance function responsible for accounting and financial data;
    iv. The risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively; and
    v. Senior management maintains an effective and transparent relationship with the CBB;
(i) Approve the annual and interim financial statements;
(j) At minimum, approve the selection and oversee the performance of the chief executive officer (CEO), chief financial officer and heads of the risk management, compliance and internal audit functions;
(k) Actively oversee, with the assistance and advice of the Remuneration Committee, the remuneration system’s design and operation for approved persons and material risk-takers and monitor and review executive compensation and assess whether it is aligned with the licensee’s remuneration policy, risk culture and risk appetite; and
(l) Consider the legitimate interests of depositors, shareholders and other relevant stakeholders in their decision-making process.
Added: April 2023
HC-1.1.2
The Board may, where appropriate, delegate some of its functions, but not its responsibilities, to the Board committees.
Added: April 2023
HC-1.1.3
The members of the Board must exercise their fiduciary and other duties of care, candor and loyalty to the licensee in accordance with local laws and regulations.
Added: April 2023
HC-1.1.4
Each director must:
(a) Understand the Board’s role and responsibilities pursuant to the CBB Rulebook, the Commercial Companies Law and any other laws or regulations that may govern their responsibilities from time to time;
(b) Consider themselves as representing all shareholders and must act accordingly; and
(c) Ensure that they receive adequate and timely information before each meeting and must study it carefully.
Added: April 2023
HC-1.2 Corporate Culture and Values
HC-1.2.1
In order to promote a sound corporate culture, the Board must:
(a) Approve an appropriate code of conduct/ethics that must outline the acceptable practices that all Board members, senior management and other staff must follow in performing their duties, and the unacceptable practices/conduct that must be avoided;
(b) Set and adhere to corporate values that create expectations that the business must be conducted in a legal, professional and ethical manner, and oversee the adherence to such values by Board members, senior management and other employees;
(c) Promote risk awareness within a strong risk culture, convey the Board’s expectation that it does not support risk-taking beyond the risk appetite and risk limits set by the Board, and that all employees are responsible for ensuring that the licensee operates within the established risk appetite and risk limits;
(d) Ensure that the corporate values, professional standards and codes of conduct it sets, together with supporting policies, are adequately communicated throughout the licensee; and
(e) Ensure that all directors, senior management and other staff are aware that appropriate disciplinary or other actions will follow unacceptable behaviour, practices and transgressions.
Added: April 2023
HC-1.2.2
Employees must be encouraged and be able to communicate, confidentially and without the risk of reprisal, legitimate concerns about illegal, unethical or questionable practices. This must be facilitated through a well communicated and Board approved whistleblowing policy and adequate procedures and processes, consistent with applicable laws. This includes the escalation of material concerns to the CBB.
Added: April 2023
HC-1.2.3
The Board must:
(a) Have oversight of the whistleblowing policy mechanism and ensure that senior management addresses legitimate issues that are raised;
(b) Take responsibility for ensuring that staff who raise concerns are protected from detrimental treatment or reprisals, and that their rights are not undermined;
(c) Approve and oversee how and by whom legitimate material concerns shall be investigated and addressed such as by an objective and independent internal or external body, senior management and/or the Board itself; and
(d) Ensure that, after verifying the validity of the allegations, the person responsible for any misconduct is held accountable and is subjected to an appropriate disciplinary measure.
Added: April 2023
HC-1.2.4
The Board must establish a conflict of interest policy on identifying and managing potential conflicts of interest related to all approved persons. The policy must include:
(a) An approved person’s duty to:
    i. Avoid, to the extent possible, activities that could create conflicts of interest or the appearance of conflicts of interest. An approved person shall be considered to have a “personal interest” in a transaction with a company if they themselves, or a member of their family (i.e. spouse, father, mother, sons, daughters, brothers or sisters), or another company of which they are a director or controller, are a party to the transaction or have a material financial interest in the transaction or are expected to derive material personal benefit from the transaction (transactions and interests which are de minimis in value should not be included);
    ii. Promptly disclose any matter that may result, or has already resulted, in a conflict of interest;
    iii. Abstain from getting involved in or voting on any matter where they may have a conflict of interest or where their objectivity or ability to properly fulfil duties to the licensee may be otherwise compromised. Any decision to enter into a transaction in which an approved person appears to have a material conflict of interest must be formally and unanimously approved by the entire Board;
    iv. Act with honesty, integrity and care for the best interest of the licensee and its shareholders and other stakeholders;
    v. Not use properties of the licensee for their personal needs;
    vi. Not misuse or misappropriate the licensee’s assets or resources;
    vii. Not disclose confidential information of the licensee or use it for their personal profit or interest;
    viii. Make every practicable effort to arrange their personal and business affairs to avoid a conflict of interest with the licensee;
    ix. Not take business opportunities of the licensee for themselves; and
    x. Not compete in business with the licensee or serve the licensee’s interest in any transaction with a company in which they have a personal interest.
(b) Examples of where conflict of interest may arise when serving as an approved person;
(c) A rigorous review and approval process for approved persons to follow before they engage in certain activities (such as serving on another Board) so as to ensure that such activity will not create a conflict of interest;
(d) Adequate requirements that transactions with related parties must be made on an arm’s length basis;
(e) Sufficient restrictions on and/or a robust and transparent process for the employment of relatives of approved persons;
(f) Requirements for properly managing and disclosing conflict of interest that cannot be prevented;
(g) Requirements for all approved persons to annually declare in writing all their other interests in other enterprises or activities (whether as a shareholder of above 5% of the voting capital of a company, a manager or other form of significant participation) to the Board or a designated Board committee; and
(h) The way in which the Board will deal with any non-compliance with the policy.
Added: April 2023
HC-1.2.5
Where there is a potential for conflict of interest, or there is a need for impartiality, the Board must assign a sufficient number of independent Board members capable of exercising independent judgement, to address the conflict.
Added: April 2023
HC-1.2.6
The CEO/General Manager of the licensee must disclose to the Board of directors on an annual basis those individuals who are occupying controlled functions and who are relatives of any approved persons within the licensee.
Added: April 2023
HC-1.3 Oversight of Senior Management
HC-1.3.1
The Board must exercise proper oversight of senior management against formal performance and remuneration standards consistent with the long-term strategic objectives and the financial soundness of the licensee. In doing so, the Board must:
(a) Meet regularly with senior management;
(b) Subject senior management to annual performance assessment and document such assessments;
(c) Ensure that approved persons’ collective knowledge and expertise remain appropriate given the licensee’s nature of business and risk profile;
(d) Ensure that senior management’s actions are in full compliance with applicable laws and regulations and consistent with the strategy, business plan and policies approved by the Board, including risk appetite;
(e) Question, challenge and critically review the explanations and information provided by senior management; and
(f) Ensure that appropriate succession plans are in place for all approved persons within senior management (provided that such plans are subject to review in case of any changes to approved persons within senior management).
Added: April 2023
HC-2 Board Formation
HC-2.1 Board Composition
HC-2.1.1
The Board must comprise of individuals with a balance of skills, diversity and expertise, who individually and collectively possess the necessary qualifications commensurate with the size, complexity and risk profile of the licensee. The Board must have a sufficient number of independent directors.
Added: April 2023
HC-2.1.2
In case of a Bahraini conventional bank licensee with a controller, at least one-third of the Board must be independent.
Added: April 2023
HC-2.1.3
If the Bahraini conventional bank licensee has a controller or a group of controllers acting in concert, such person(s) must recognise their specific responsibility to the minority shareholders as Board members have responsibilities to the licensee’s overall interests, regardless of who appoints them.
Added: April 2023
HC-2.1.4
At least half of a Bahraini conventional bank licensee’s Board should be non-executive directors and at least three of those persons should be independent directors.
Added: April 2023
HC-2.1.5
The CBB may call upon each independent director at its discretion to have a general discussion on the affairs of the Bahraini conventional bank licensee.
Added: April 2023
HC-2.2 Board Member Selection
HC-2.2.1
The Board must have a clear and rigorous process for identifying, assessing and selecting Board candidates. The Board, and not management, must nominate the candidates for shareholders’ approval.
Added: April 2023
HC-2.2.2
Board candidates must:
(a) Possess the knowledge, skills, experience and, particularly in the case of non-executive directors, independence of mind necessary to discharge their responsibilities on the Board in light of the licensee’s business and risk profile;
(b) Have a record of integrity and good repute;
(c) Have sufficient time to fully carry out their responsibilities;
(d) Not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from:
    i. Other approved persons, controllers or other connected parties;
    ii. Past or present positions held; or
    iii. Personal, professional or other economic relationships with other approved persons (or with other entities within the group); and
(e) Not have more than two directorships of Bahraini banks, bearing in mind that two directorships of licensees within the same license category (e.g. ‘Retail Bank’) are not permitted.
Added: April 2023
HC-2.2.3
Board candidates should not hold more than three directorships in public companies in Bahrain. In case such directorships exist, there must be no conflict of interest, and the Board must not propose the election or re-election of any director where such conflict of interest exists.
Added: April 2023
HC-2.2.4
Nominated directors of a Bahraini conventional bank licensee must possess the requisite experience and competencies specified in Module TC (Training and Competency).
Added: April 2023
HC-2.2.5
A CEO of a Bahraini conventional bank licensee who has resigned or retired, must not be appointed as an independent director of the same bank unless a period of three years has passed from the date of his/her resignation/retirement. Additionally, where a CEO is terminated from his/her position, he/she must not be appointed or retained as a Board member of the same bank.
Added: April 2023
HC-2.2.6
Each proposal by the Board to the shareholders for election or re-election of a director must be accompanied by a recommendation from the Board, a summary of the advice of the Nomination Committee and the following specific information:
(a) The term to be served, which may not exceed three years;
(b) Biographical details and professional qualifications;
(c) In the case of an independent director, a statement that the Board has determined that the applicable rules and criteria for independent director have been met;
(d) Any other directorships held;
(e) Particulars of other positions which involve significant time commitments; and
(f) Details of relationships (if any) between:
    i. the candidate and the conventional bank licensee, and
    ii. the candidate and other approved persons of the conventional bank licensee.
Added: April 2023
HC-2.2.7
Newly appointed non-executive directors must be made aware of their duties before their nomination, particularly as to the time commitment required.
Added: April 2023
HC-2.3 Board Members’ Appointment and Induction
Board Members’ Appointment
HC-2.3.1
The chairperson of the Board must confirm to shareholders when proposing re-election of a director that, following a formal performance evaluation, the person’s performance continues to be effective and they continue to demonstrate commitment to the role.
Added: April 2023
HC-2.3.2
Where an independent director has served three consecutive terms on the Board, such director will lose his independence status and must not be classified as an independent director if reappointed.
Added: April 2023
HC-2.3.3
Bahraini conventional bank licensees must have a written appointment agreement with each director which recites the directors’ powers, duties and responsibilities, accountability, term, the time commitment envisaged, the committee assignment (if any), remuneration, expense reimbursement entitlement and their access to independent legal or other professional advice at the expense of the bank when needed to discharge their responsibilities as directors.
Added: April 2023
Board Members’ Induction
HC-2.3.4
The Board must ensure that:
(a) Sufficient time, budget and other resources are allocated annually for the Board members’ induction programmes;
(b) Each new director receives a formal and tailored induction and has access to ongoing training on relevant issues which may involve internal or external resources to ensure their effective contribution to the Board from the beginning of their term; and
(c) The induction programmes include meetings with senior management, visits to the conventional bank licensee’s facilities, presentations regarding strategic plans, significant financial, accounting and risk management issues, compliance programs, and meetings with internal and external auditors and legal counsel.
Added: April 2023
HC-2.3.5
Board members must understand their oversight and corporate governance role and be able to exercise sound, objective judgment about the affairs of the licensee.
Added: April 2023
HC-2.3.6
All continuing directors must be invited to attend orientation meetings and all directors must continually educate themselves as to the conventional bank licensee’s business and corporate governance.
Added: April 2023
HC-3 Board’s Structure and Practices
HC-3.1 Organisation and Assessment of the Board
HC-3.1.1
The Board of a Bahraini conventional bank licensee must:
(a) Adopt a formal Board charter specifying matters which are reserved for it, which must include, but are not limited to, the specific requirements and responsibilities of directors stipulated in this Module and the Commercial Companies Law;
(b) Structure itself in terms of leadership, size and the use of committees so as to effectively carry out its oversight role and other responsibilities. This includes ensuring that the Board has the time and means to cover all necessary subjects in sufficient depth and have a robust discussion of key issues;
(c) Maintain and periodically update its governance structure, organisational rules, by-laws and other similar documents setting out its organisation, rights, responsibilities and key activities; and
(d) Carry out annual evaluation and assessments – alone or with the assistance of external experts – of the Board, its committees and individual Board members. This must include:
    i. Assessing how the Board operates in terms of the requirements of the CBB Rulebook and the Commercial Companies Law;
    ii. Evaluating the performance of each committee considering its specific purposes and responsibilities, which shall include review of the self-evaluations undertaken by each committee;
    iii. Reviewing each director's work, their attendance at Board and committee meetings, and their independence and constructive involvement in discussions and decision making;
    iv. Reviewing, based on the Nomination Committee’s advice and assessment, the Board’s current structure, size, composition as well as committees’ structures and composition in order to maintain an appropriate balance of skills, diversity and experience and for the purpose of planned and progressive refreshing of the Board; and
    v. Recommendations for new directors to replace long-standing members or those members whose contribution to the Board or its committees is not adequate.
Added: April 2023
HC-3.1.2
Where the Board has serious reservations about the performance or integrity of a Board member, or he ceases to be qualified, the Board must take appropriate action and inform the CBB accordingly.
Added: April 2023
HC-3.1.3
The Board must report to the shareholders, at each annual shareholder meeting, that evaluations have been done and report its findings.
Added: April 2023
HC-3.1.4
Executive directors must provide the Board with all relevant business and financial information within their knowledge and must recognise that their role as a director is different from their role as a member of management.
Added: April 2023
HC-3.1.5
Non-executive directors must be fully independent of management and must constructively scrutinise and challenge management and executive directors.
Added: April 2023
HC-3.1.6
The Board must maintain appropriate records of meeting minutes, including key points of discussions held, recommendations made, decisions taken and dissenting opinions (if any).
Added: April 2023
HC-3.1.7
The Board must meet at least four times a year to enable it to discharge its responsibilities effectively, and half of all Board meetings in any financial year must be held in the Kingdom of Bahrain.
Added: April 2023
HC-3.1.8
Individual Board members must attend at least 75% of all Board meetings in a given financial year, whether in-person or virtually (if needed) so as to enable the Board to discharge its responsibilities effectively (see table below). Voting and attendance proxies for Board meetings are prohibited.
Meetings per year | 75% Attendance requirement
4 | 3
5 | 4
6 | 5
7 | 5
8 | 6
9 | 7
10 | 8
Added: April 2023
HC-3.1.9
The absence of Board members at Board and committee meetings must be noted in the relevant meeting minutes. In addition, Board attendance percentage must be reported during any general assembly meeting when Board members stand for re-election (e.g. Board member XYZ attended xx% of scheduled meetings this year).
Added: April 2023
HC-3.1.10
If a Board member has not attended at least 75% of Board meetings in any given financial year, the licensee must notify the CBB, within one month from its financial year-end, indicating which member has failed to satisfy this requirement, their level of attendance and the reason for non-attendance. The CBB shall then consider the matter and determine whether enforcement action pursuant to Article 65 of the CBB Law is appropriate.
Added: April 2023
HC-3.1.11
Board governance framework should require members to step down if they are not actively participating in Board meetings.
Added: April 2023
HC-3.1.12
Non-executive directors should have free access to the Bahraini conventional bank licensee’s management beyond that provided in Board meetings. Such access should be through the chairperson of the Audit Committee or the CEO. The Board should make this policy known to management to alleviate any management concerns about a director’s authority in this regard.
Added: April 2023
HC-3.2 Board Chairperson
HC-3.2.1
The Chairperson of the Board of the Bahraini conventional bank licensee must:
(a) Not be an executive director;
(b) Not be the same person as the CEO. This applies also to the deputy chairperson;
(c) Commit sufficient time to perform their role effectively;
(d) Play a critical role in promoting mutual trust, efficient functioning of the Board, open discussion, constructive dissent from decisions and constructive support for decisions after they have been made;
(e) Ensure that all directors receive an agenda, minutes of prior meetings and adequate background information on each agenda item in writing well before each Board meeting;
(f) Encourage and promote critical and objective discussion and ensure that dissenting views can be freely expressed, discussed and recorded in the minutes of the Board meeting; and
(g) Ensure that Board decisions are taken on sound and well-informed bases.
Added: April 2023
HC-3.2.2
The chairperson of a Bahraini conventional bank licensee should be an independent Board member.
Added: April 2023
HC-3.3 Board Committees
HC-3.3.1
The Board of the Bahraini conventional bank licensee must establish Audit, Risk, Remuneration and Nomination Committees described elsewhere in this Module.
Added: April 2023
HC-3.3.2
Objectivity and independence must be ensured by the selection of appropriate Board members in each committee.
Added: April 2023
HC-3.3.3
Committees may be combined provided that no conflict of interest arises between the duties of such committees, and subject to the CBB’s prior approval.
Added: April 2023
HC-3.3.4
Every committee must have a formal written charter or other instrument which sets out its roles and responsibilities, how the committee will report to the Board, what is expected of committee members and any tenure limits for serving on the committee.
Added: April 2023
HC-3.3.5
Each committee must have the resources and the authority necessary to discharge its duties and responsibilities, including the authority to select, retain, terminate and approve the fees of external legal, accounting or other advisors as it deems necessary.
Added: April 2023
HC-3.3.6
Each Board committee must maintain appropriate records of their deliberations and decisions in their meeting minutes, including key points of discussions held, recommendations made, decisions taken (and update on their subsequent implementation) and dissenting opinions (if any).
Added: April 2023
HC-3.3.7
Each committee must prepare and review with the Board an annual performance evaluation of the committee and its members and must recommend to the Board any improvements deemed necessary or desirable to the committee’s charter or composition. The report must be in the form of a written report presented at any regularly scheduled Board meeting.
Added: April 2023
HC-3.3.8
Members of each committee must exercise judgment free from any personal conflicts of interest or bias.
Added: April 2023
HC-3.3.9
The Board should consider occasional rotation of membership and chair of the Board committees provided that doing so does not impair the collective skills, experience and effectiveness of these committees.
Added: April 2023
HC-3.4 Audit Committee
HC-3.4.1
The audit committee of the Bahraini conventional bank licensee must have at least three directors of which the majority must be independent and have no conflict of interest with any other duties they have.
Added: April 2023
HC-3.4.2
The Chairperson of the audit committee must:
(a) Be independent;
(b) Not be the chairperson of the board, unless he is considered independent; and
(c) Not be the chairperson of any other Board committee.
Added: April 2023
HC-3.4.3
The CEO and other senior management of the Bahraini conventional bank licensee must not be members of the audit committee.
Added: April 2023
HC-3.4.4
The audit committee members must have sufficient experience in audit practices, financial reporting and accounting.
Added: April 2023
HC-3.4.5
The audit committee must meet:
(a) At least four times a year.
(b) At least twice a year with the external auditor.
(c) At least once a year in the absence of the CEO and any executive management, but in presence of the Head of Compliance, Internal Auditor and CRO.
Added: April 2023
HC-3.4.6
The audit committee must, at minimum:
(a) Ensure that the licensee has effective and adequate policies covering all its business activities, internal audit, financial reporting, compliance, risk management, prevention of frauds and cyber security breaches, etc.;
(b) Oversee the financial reporting process;
(c) Oversee and interact with the licensee’s internal and external auditors;
(d) Review the integrity of the conventional bank licensee’s financial statements;
(e) Recommend to the Board, based on a Board approved objective criteria, the appointment, remuneration, dismissal and rotation of external auditors;
(f) Review and approve the internal and external audit and compliance scope;
(g) Receive internal and external audit and compliance reports and ensure that senior management is taking necessary corrective actions in a timely manner to address any control weaknesses, non-compliance with policies, laws and regulations, and other problems identified by auditors, the head of compliance and other control functions;
(h) Assess once a year the extent to which the licensee is managing its compliance risk effectively;
(i) Ensure that the agenda for their meetings includes compliance and internal audit issues at least every quarter;
(j) Recommend the appointment and dismissal of the heads of internal audit and compliance functions. The licensee must also discuss the reasons for their dismissal with the CBB.
(k) Make a determination, at least once a year, of the external auditor’s independence;
(l) Commission every five years a quality review of the effectiveness and efficiency of the internal audit and compliance functions by a third-party consultant, other than the external auditor. The results of such independent review must be provided to the CBB by 30th September of the relevant year;
(m) Review and supervise the implementation and enforcement of the licensee's code of conduct, unless such mandate is delegated to another committee such as the Governance Committee; and
(n) Ensure that senior management establishes and maintains adequate and effective internal control systems, procedures and processes for the business of the licensee.
Added: April 2023
HC-3.4.7
In case the licensee has a different board committee overseeing and monitoring compliance issues, then all of the above compliance-related requirements in Paragraph HC-3.4.6 can be handled by such committee instead.
Added: April 2023
HC-3.5 Risk Committee
HC-3.5.1
The risk committee of the Bahraini conventional bank licensee must have at least three directors of which the majority must be independent. In addition, the committee members must have experience in risk management issues and practices and have no conflict of interest with any other duties they may have.
Added: April 2023
HC-3.5.2
The chairperson of the risk committee must:
(a) Be independent;
(b) Not be the chairperson of the Board, unless he is considered independent; and
(c) Not be the chairperson of any other Board committee.
Added: April 2023
HC-3.5.3
The CEO and other senior management must not be members of the risk committee.
Added: April 2023HC-3.5.4
The
licensee must have a strong and appropriate risk governance framework which:(a) Includes a strong risk culture, and a well-developed risk appetite articulated through the risk appetite statement (RAS);(b) Outlines actions to be taken when the stated risk limits are breached, including disciplinary actions for excessive risk-taking, escalation procedures and notification to the Board; and(c) Includes well-defined organisational responsibilities for risk management.Added: April 2023HC-3.5.5
The
Bahraini conventional bank licensee ’s RAS must:(a) Include both quantitative and qualitative considerations;(b) Establish the individual and aggregate level and types of risks that the bank is willing to assume;(c) Define the boundaries and business considerations according to which the bank is expected to operate;(d) Be aligned with the bank’s strategic, capital and financial plans and compensation practices; and(e) Be communicated effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank on a timely and proactive basis.Added: April 2023HC-3.5.6
Conventional Bank licensees must avoid organisational silos that can impede effective sharing of risk information across the organisation and can result in decisions being taken in isolation from the rest of the bank. Accordingly, the Board, senior management and control functions must re-evaluate established practices in order to encourage greater communication.
Added: April 2023
HC-3.5.7
The risk committee must, at minimum:
(a) Recommend the appointment or removal of the Chief Risk Officer (CRO) or equivalent. The licensee must also discuss the reasons for removal with the CBB;
(b) Discuss all risk strategies on both an aggregated basis and by type of risk and make recommendations to the Board, and on the risk appetite;
(c) Ensure that:
  i. Risks are identified, measured, aggregated, controlled, mitigated, monitored and reported on an ongoing basis across all business lines, the licensee as a whole, its subsidiaries and overseas branches (if any);
  ii. Risk identification and measurement include both quantitative and qualitative elements;
  iii. Each key risk has a policy, process and controls;
  iv. The licensee has sufficient and robust management information system and policies, supported by appropriate control procedures and processes, designed to ensure that the licensee’s risk identification, measurement, aggregation, controlling, mitigation, monitoring and reporting capabilities are commensurate with the licensee’s size, complexity and risk profile. The sophistication of the licensee’s risk management information system and internal control infrastructure must keep pace with changes to the licensee’s risk profile, the external risk landscape and industry practices;
  v. The licensee’s risk management infrastructure, including a sufficiently robust data infrastructure, data governance and architecture and information technology infrastructure keeps pace with developments such as balance sheet and revenue growth, increasing complexity of the licensee’s business, risk configuration or operating structure, geographical expansion, mergers and acquisitions, or the introduction of new products or business lines;
  vi. Senior management has in place processes to promote the licensee’s adherence to the approved risk policies and risk appetite;
  vii. The licensee’s policies must determine the key management decisions that must be taken by more than one person;
  viii. The licensee has an adequate communication within the licensee about risk, both across the organisation and through reporting to the Board and senior management;
  ix. The licensee has a strong risk culture that promotes risk awareness and encourages open communication and challenge about risk-taking across the organisation as well as vertically to and from the Board and senior management; and
  x. The licensee has adequate escalation procedures on risks related matters.
(d) Advise the Board on the licensee’s risk appetite, overseeing senior management’s implementation of the RAS, reporting on the state of risk culture in the licensee, and interacting with and overseeing the CRO;
(e) Oversee the strategies for capital and liquidity management as well as for all relevant risks of the licensee, such as credit, market, operational, interest rate risk in the banking book and reputational risks, to ensure that they are consistent with the stated risk appetite;
(f) Commission every five years a quality review of the effectiveness and efficiency of the risk management framework and function by a third-party consultant, other than the external auditor. The results of such independent review must be provided to the CBB by 31st May of the relevant year. More specifically, a conventional bank licensee must undertake reviews referred to above with regards to the following individual areas that are relevant to the risk management framework:
  i. ICAAP Framework referred to in Module IC;
  ii. Capital adequacy requirements under Module CA;
  iii. Recovery and resolution planning (RRP) and related documents referred to in Module DS;
  iv. Credit risk management framework and compliance with Module CM;
  v. Operational risk management framework and compliance with Module OM;
  vi. Stress testing framework included in Module ST;
  vii. Liquidity risk management framework and compliance with Module LM; and
  viii. Compliance with Module RR.
(g) Receive regular reporting and communication from the CRO and other relevant functions about the licensee’s current risk profile, current state of the risk culture, utilisation against the established risk appetite and limits, limit breaches and mitigation plans.
Added: April 2023
HC-3.5.8
There must be effective communication and coordination between the audit committee and the risk committee to facilitate the exchange of information and effective coverage of all risks, including emerging risks, and any needed adjustments to the risk governance framework of the bank.
Added: April 2023
HC-3.6 Remuneration Committee
HC-3.6.1
The remuneration committee of the Bahraini conventional bank licensee must have at least three directors.
Added: April 2023
HC-3.6.2
Members of the remuneration committee must be independent of any risk-taking function or committee.
Added: April 2023
HC-3.6.3
The remuneration committee should include only independent directors or, alternatively, only non-executive directors of whom a majority are independent directors and the chairperson should be an independent director.
Added: April 2023
HC-3.6.4
The remuneration committee should meet at least twice a year.
Added: April 2023
HC-3.6.5
The remuneration committee must, at minimum:
(a) Recommend to the Board:
  i. An appropriate remuneration policy designed to reduce employees’ incentives to take excessive and undue risk, which must be approved by the shareholders; and
  ii. A fair and internally transparent remuneration system, which includes relevant performance measures and effective controls.
(b) Ensure on an annual basis that the remuneration policy and its implementation:
  i. Are in full compliance with CBB requirements;
  ii. Are consistent with the licensee’s strategy, culture, long-term business objectives, risk appetite, performance and control environment; and
  iii. Are creating the desired incentives for managing risk, capital and liquidity.
(c) Work closely with the risk committee in evaluating the incentives created by the remuneration system. The risk committee must, without prejudice to the tasks of the remuneration committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings;
(d) Approve the remuneration package and amounts for each approved person and material risk-taker, as well as the total variable remuneration to be distributed based on the results of the performance evaluation system and taking account of total remuneration including salaries, fees, expenses, bonuses and other employee benefits;
(e) Regularly review remuneration outcomes, risk measurements, and risk outcomes for consistency with Board’s approved risk appetite;
(f) Question payouts for income that cannot be realised or whose likelihood of realisation remains uncertain at the time of payout;
(g) Recommend Board member remuneration based on their attendance and in compliance with the Commercial Companies Law;
(h) Evaluate practices by which remuneration is paid for potential future revenues whose timing and likelihood remain uncertain by means of both quantitative and qualitative key indicators. It must demonstrate that its decisions are consistent with the assessment of the licensee’s financial condition and future prospects; and
(i) Obtain feedback on performance evaluation of the Chief Risk Officer, Chief Internal Auditor, Head of Compliance, Head of Internal Shari’a Audit, Shari’a Officer from the designated Board committee responsible for oversight of these functions.
Added: April 2023
HC-3.7 Nomination Committee
HC-3.7.1
The nomination committee of the Bahraini conventional bank licensee must have at least three independent directors, or alternatively, three non-executive directors of whom the majority must be independent directors including its chairperson.
Added: April 2023
HC-3.7.2
The committee should meet at least twice a year.
Added: April 2023
HC-3.7.3
The nomination committee must, at minimum:
(a) Assess and recommend to the Board from time to time the changes that the committee considers desirable to the size of the Board, any Board committee or management structure;
(b) Regularly review the time commitment required from each non-executive director and require them to inform the committee before accepting any Board appointments to another company;
(c) Recommend to the Board persons qualified to become members of the Board of directors or CEO and his deputies, chief financial officer, chief operating officer, chief investment officer, chief banking officer, corporate secretary and any equivalent or other senior management positions that the Board determines are subject to its approval. The exceptions are the appointments of the chief internal auditor, chief risk officer and head of compliance who must be recommended by other committees as prescribed in this module;
(d) Assess the role and responsibilities of a Board member, the knowledge, experience and competence which the role requires;
(e) Assess the Board’s and senior management’s effectiveness;
(f) Recommend to the Board appropriate succession plans of approved persons within senior management;
(g) Recommend to the Board, and oversee the implementation of, appropriate personnel or human resource policies; and
(h) Recommend to the Board the prescribed title, authority, duties, accountability and internal reporting responsibilities for each approved person within senior management.
Added: April 2023
HC-3.8 Corporate Governance Committee
HC-3.8.1
The Bahraini conventional bank licensee must assign to one of its senior management the role of a corporate governance officer who is responsible for the tasks of verifying the bank's compliance with corporate governance rules and regulations.
Added: April 2023
HC-3.8.2
The Board should establish a corporate governance committee for developing and recommending changes from time to time in the conventional bank licensee’s corporate governance policy framework. Such committee should have at least three directors of which the majority should be independent.
Added: April 2023
HC-3.8.3
The corporate governance committee should:
(a) Oversee and monitor the implementation of the governance policy framework by working with the management and the Audit Committee; and
(b) Provide the Board of directors with reports and recommendations based on its findings in the exercise of its functions.
Added: April 2023
HC-3.8.4
The responsibilities of the corporate governance officer may be assumed by the head of compliance and should include, at minimum:
(a) Coordinating and following up on the licensee’s compliance with corporate governance requirements;
(b) Ensuring that the corporate governance policies, their implementation and related internal controls are consistent with the regulatory and legal requirements;
(c) Working closely with the Board and/or the relevant Board committee to improve the governance framework of the licensee; and
(d) Reviewing the annual corporate governance disclosure to ensure that its contents are in conformity with the licensee’s internal policies and the CBB rulebook requirements.
Added: April 2023
HC-4 Shareholders’ Meetings
HC-4.1 Shareholders’ Meetings
HC-4.1.1
Bahraini conventional bank licensees must comply with the following with respect to any shareholders’ meeting:
(a) Provide the draft agenda to the CBB, for its review and comment, at least 5 working days prior to communicating with the shareholders or publishing in the press;
(b) Ensure that CBB’s prior approval has been obtained for any agenda items which require CBB’s approval under relevant regulations, prior to the meeting taking place;
(c) Invite a representative of the CBB to attend the meetings at least 5 working days prior to the meeting taking place; and
(d) Submit to the CBB a copy of the minutes of the meeting within 15 calendar days of the meeting.
Added: April 2023
HC-5 Group Structures
HC-5.1 Governance of Group Structures
HC-5.1.1
The Board of a Bahraini conventional bank licensee which acts as a parent must:
(a) Have the overall responsibility for the group and exercise adequate oversight over subsidiaries and overseas branches while respecting the independent legal and governance responsibilities that might apply to subsidiary Boards;
(b) Establish, subject to CBB’s approval, a group structure (including the legal entity and business structure) and a group corporate governance framework with clearly defined roles and responsibilities at both the parent bank’s and the subsidiaries’ level as may be appropriate based on the complexity, risks and significance of the subsidiaries;
(c) Set adequate and comprehensive criteria for composing Boards at subsidiaries’ level;
(d) Have a clear strategy and group policy for establishing new structures and legal entities, and ensure that they are consistent with the policies and interests of the group;
(e) Have sufficient resources at group and subsidiaries levels to monitor risks and compliance at the level of the group and its subsidiaries;
(f) Pay special attention and due care to any significant subsidiary based on its risk profile or systemic importance or due to its size relative to the parent bank;
(g) Assess and discuss material risks and issues that might affect the group and its subsidiaries and overseas branches;
(h) Establish effective group functions at the parent bank, including but not limited to, internal audit, compliance, risk management and financial controls to whom the relevant subsidiaries’ functions must report;
(i) Maintain an effective relationship, through the subsidiary Board or direct contact, with the regulators of all subsidiaries and overseas branches; and
(j) ensure that:
  i. The group has appropriate policies and controls to identify and address potential intragroup conflicts of interest, such as those arising from intragroup transactions;
  ii. The group is governed and operating under clear group strategies, business policies and specific set of group policies on risk management, internal audit, compliance and financial controls;
  iii. There are no barriers to exchanging information between the subsidiaries and the parent bank and that there are robust systems in place to facilitate the exchange of information to enable the parent bank to effectively supervise the group and manage its risks; and
  iv. Adequate authority is available to each subsidiary pursuant to local legislations.
Added: April 2023
Subsidiaries’ Boards
HC-5.1.2
Boards and senior management of subsidiaries of Bahraini conventional bank licensees must remain responsible for developing effective governance and risk management framework for their entities and must clearly understand the reporting obligations they have to the parent bank.
Added: April 2023
HC-5.1.3
The strategy, business plan, policies, risk governance framework, corporate values and corporate governance framework of each subsidiary must align with group strategy and policies, and the subsidiary Board must make necessary adjustments where a group policy conflicts with an applicable legal or regulatory provision or prudential rule or would be detrimental to the sound and prudent management of the subsidiary.
Added: April 2023
HC-5.1.4
Material risk-bearing subsidiaries and overseas branches must be captured by the bank-wide risk management system and must be part of the overall risk governance framework.
Added: April 2023
Complex or Opaque Structures
HC-5.1.5
The Board and senior management of the parent bank must be cognisant of the challenges arising from operating under complex or opaque structures, including special purpose vehicles, and must act to avoid or mitigate these by:
(a) Avoiding setting up complicated structures that lack economic substance or business purpose;
(b) Continually maintaining and reviewing appropriate policies, procedures and processes governing the approval and maintenance of those structures or activities, including fully vetting the purpose, the associated risks and the bank’s ability to manage those risks prior to setting up new structures and initiating associated activities;
(c) Having a centralised process for approving the creation of new legal entities and subsidiaries based on established criteria, including the ability to monitor and fulfil each entity’s regulatory, tax, financial reporting, governance and other requirements and for the dissolution of dormant subsidiaries;
(d) Establishing adequate policies, procedures and processes to identify and manage all material risks arising from these structures, including lack of management transparency, operational risks introduced by interconnected and complex funding structures, intragroup exposures, trapped collateral and counterparty risk, etc. The bank must only approve structures if the material risks can be properly identified, quantified, monitored and mitigated; and
(e) Ensuring that the activities, controls and structures are subject to periodic reviews by compliance, internal audit and risk management functions as well as external audit to ensure effectiveness and consistency with Board-approved strategy and policies.
Added: April 2023
HC-6 Remuneration of Approved Persons and Material Risk-Takers
HC-6.1 Remuneration of Approved Persons and Material Risk-Takers
HC-6.1.1
All approved persons and material risk-takers must be remunerated fairly and responsibly. More specifically, the remuneration must be sufficient to attract, retain and motivate persons.
Added: April 2023
HC-6.1.2
The performance evaluation and remuneration of senior management and staff of the conventional bank licensees must be based, among other factors, on their adherence to all relevant laws, regulations and CBB rulebook requirements, including but not limited to AML/CFT requirements in the FC module.
Added: April 2023
HC-6.1.3
For approved persons and material risk-takers whose total annual remuneration (including all benefits) is in excess of BD100,000:
(a) An appropriate ratio between the fixed and variable components of total remuneration must be set to ensure that fixed and variable components of total remuneration are appropriately balanced and paid on the basis of individual, business-unit and bank-wide measures that adequately measure performance; and
(b) The variable proportion of remuneration must increase significantly along with the level of seniority and/or responsibility. More specifically:
  i. at least 40% of the variable remuneration must be payable under deferral arrangements over a period of at least 3 years; and
  ii. for the CEO, his deputies and the other 5 most highly paid business line employees, at least 60% of the variable remuneration must be payable under deferral arrangements over a period of at least 3 years.
Added: April 2023
HC-6.1.4
As a minimum, 50% of total variable remuneration (including both the deferred and undeferred portions) must be awarded in shares or share-linked instruments or where appropriate, other non-cash instruments. The remaining portion of the deferred remuneration can be paid as cash remuneration vested over a minimum 3-year period.
Added: April 2023
HC-6.1.5
Remuneration, based on both quantitative measures and human judgement, must be adjusted for all types and magnitudes of risks, including intangible and other risks managed by the approved person and material risk-taker, and remuneration outcomes must be symmetric with risk outcomes.
Added: April 2023
HC-6.1.6
The mix of cash, equity and other forms of remuneration must be consistent with risk alignment. The mix will vary depending on the employee’s position and role and the licensee must document the rationale for its mix.
Added: April 2023
HC-6.1.7
Employees’ incentive payments must be linked to the contribution of the individual and business to such performance.
Added: April 2023
HC-6.1.8
Remuneration systems must link the size of the bonus pool to the overall performance of the licensee.
Added: April 2023
HC-6.1.9
Awards in shares or share-linked instruments must be subject to a minimum share retention policy of 6 months from the time the shares are awarded, unless the licensee’s policy requires a longer period.
Added: April 2023
HC-6.1.10
The only instance where deferred remuneration can be paid out before the end of the vesting period is in the case of the death of the employee where the beneficiaries would receive any unpaid deferred remuneration.
Added: April 2023
HC-6.1.11
Licensees must not provide any form of guaranteed variable remuneration as part of the overall remuneration package. Exceptional minimum variable remuneration must only occur in the context of hiring new staff and limited to the first year.
Added: April 2023
HC-6.1.12
For Bahraini conventional bank licensees, where fixed or variable remuneration include common shares, licensees must limit the shares awarded to an annual aggregate limit of 10% of the total issued shares outstanding of the licensee, at all times.
Added: April 2023
HC-6.1.13
For Bahraini conventional bank licensees, all share incentive plans must be approved by the shareholders.
Added: April 2023
HC-6.1.14
Approved persons and other staff of risk management, financial controls, internal audit, operations, internal Shari’a audit, Shari’a coordination and implementation, AML/CFT, compliance, human resources, information technology and legal functions must be remunerated based principally on the achievement of the objectives and targets of their functions. As such the mix of fixed and variable remuneration for these functions’ personnel must be skewed toward fixed remuneration.
Added: April 2023
HC-6.1.15
The size of the variable remuneration pool and its allocation within the licensee must not compromise the financial soundness of the licensee and must take into account the full range of current and potential risks, including:
(a) The cost and quantity of capital required to support the risks taken;
(b) The cost and quantity of the liquidity risk assumed in the conduct of business; and
(c) Consistency with the timing and likelihood of potential future revenues incorporated into current earnings.
Added: April 2023
HC-6.1.16
Existing contractual payments related to a termination of employment must be re-examined and kept in place only if there is a clear basis for concluding that they are aligned with long-term value creation and prudent risk-taking. Prospectively, any such payments must be related to performance achieved over time and designed in a way that does not reward failure.
Added: April 2023
HC-6.1.17
Licensees must have an appropriate compliance mechanism to ensure that their employees commit themselves not to use personal hedging strategies or remuneration- and liability-related insurance to undermine the risk alignment effects embedded in their remuneration arrangements.
Added: April 2023
HC-6.1.18
Bonuses must either be reduced or be deferred in the event of poor licensee, divisional or business unit performance. Subdued or negative financial performance of the licensee must lead to contraction of the licensee’s total variable remuneration, taking into account both current remuneration and reductions in payouts of amounts previously earned, including through malus and clawback arrangements. Recognition of staff who have achieved their targets or better, may take place by way of deferred compensation, which may be paid once the licensee’s performance improves.
Added: April 2023
HC-6.1.19
If the licensee and/or relevant line of business is incurring losses in any year during the vesting period, any unvested portions must be subject to malus. Accrual and deferral of variable remuneration does not oblige the licensee to pay the variable remuneration, particularly when the anticipated outcome has not materialised.
Added: April 2023
HC-6.1.20
Approved persons, including those appointed as members of the Board of special purpose vehicles or other operating companies, are not permitted to take any benefits (commission, fees, shares, consideration in kind, or other remuneration or incentives in respect of the performance of the project or investment) from any projects or investments which are managed by the conventional bank licensee or promoted to its customers or potential customers except for Board related remuneration linked to their fiduciary duties to the investors of the project/investment.
Added: April 2023
HC-6.1.21
Remuneration of non-executive directors must not include performance-related elements such as grants of shares, share options or other deferred stock-related incentive schemes, bonuses, or pension benefits.
Added: April 2023
HC-6.1.22
If a senior manager is also a director, his remuneration as a senior manager must take into account compensation received in his capacity as a director.
Added: April 2023
HC-7 Senior Management
HC-7.1 Senior Management
HC-7.1.1
The Board must establish an adequate organisational structure that promotes accountability and transparency and facilitates effective decision-making and good governance throughout the licensee. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CEO.
Added: April 2023
HC-7.1.2
Senior management must:
(a) Be selected through an appropriate promotion or recruitment process which considers the qualifications and competencies required for the position in question;
(b) Have the necessary experience, competencies, personal qualities and integrity to manage the businesses and employees under their supervision;
(c) Be subject to regular training to maintain and enhance their competencies and stay up to date on developments relevant to their areas of responsibility;
(d) Assess the training needs of staff across all levels throughout the organisation taking into account the existing skills and competencies and laws and regulations and ensure that such training is provided by competent and skilled personnel (whether internal or external);
(e) Act within the scope of their responsibilities which must be clearly defined;
(f) Independently assess and question the policies, processes and procedures of the licensee, with the intent to identify and initiate management action on issues requiring improvement;
(g) Not interfere in the independent duties of the risk management, compliance and internal audit functions;
(h) Carry out and manage the licensee’s activities in compliance with all laws and regulations, and in a manner consistent with the business strategy, risk appetite, business plans and remuneration and other policies approved by the Board;
(i) Have a robust governance framework for all management committees;
(j) Not primarily control the remuneration system in the licensee;
(k) Actively communicate and consult with the control functions on management’s major plans and activities so that the control functions can effectively discharge their responsibilities; and
(l) Provide the Board and its committees with timely, complete, accurate and understandable information and documents so that they are equipped for upholding their responsibilities, and keep them adequately informed and updated on a timely basis about material issues including:
  i. Changes in the implementation of business strategy, risk strategy and risk appetite;
  ii. The licensee’s performance and financial condition;
  iii. Breaches of risk limits or regulations;
  iv. Internal control failures, frauds and cyber-security incidents;
  v. Legal or regulatory concerns;
  vi. Customer complaints; and
  vii. Issues raised as a result of the licensee’s whistleblowing policy.
Added: April 2023
HC-7.1.3
Conventional bank licensee’s CEO and chief financial officer must state in writing to the audit committee and the Board that the conventional bank licensee’s interim and annual financial statements present a true and fair view, in all material respects, of the conventional bank licensee’s financial condition and results of operations in accordance with applicable accounting standards.
Added: April 2023
HC-8 Risk Management Function
HC-8.1 Risk Management Function
HC-8.1.1
Conventional bank licensees must have an effective and independent risk management function commensurate with the bank’s size, complexity and risk profile, under the direction of a chief risk officer (CRO) or equivalent, with sufficient stature, independence and skilled resources.
Added: April 2023
HC-8.1.2
Branches of foreign bank licensees have the choice of having an in-house risk management function in Bahrain, or subject to the CBB’s approval to outsource such role to their regional or head office.
Added: April 2023
HC-8.1.3
The risk management function must:
(a) Be sufficiently independent of the business units, thus ensuring that it is not involved in revenue generation;
(b) Be responsible for overseeing risk-taking activities across the licensee and must have authority within the organisation to do so;
(c) Have procedures in place to identify and assess the possible increased reputational risk to the licensee if it offers products or carries out activities outside Bahrain;
(d) Have access to all business lines that have the potential to generate risk to the licensee as well as to relevant risk-bearing subsidiaries, associated companies and overseas branches;
(e) Challenge business units effectively regarding all aspects of risk arising from the licensee’s activities; and
(f) Have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines, and are subject to regular training.
Added: April 2023
HC-8.1.4
Key activities of the risk management function must include:
(a) Implementing an enterprise-wide risk governance framework that includes appropriate policies, procedures and limits;
(b) Identifying material individual, aggregate and emerging risks, including risks arising from potential mergers and acquisitions and hard to quantify risks, such as reputational risk;
(c) Regularly and on an ad-hoc basis, evaluating the risks faced by the licensee and its overall risk profile. The risk assessment process must include ongoing analysis of existing risks as well as the identification of new or emerging risks. The results of such assessments must be reported to both the Risk Committee and senior management;
(d) Ongoing monitoring of the risk-taking activities and risk exposures in line with the Board-approved risk policies and appetite;
(e) Establishing an early warning or trigger system for breaches of the licensee’s risk appetite or limits;
(f) Using risk measurement and modelling techniques in addition to qualitative risk analysis and monitoring;
(g) Evaluating possible ways to mitigate risk exposures;
(h) Reporting regularly to the risk committee and senior management on risks, including but not limited to, material exemptions and risk-mitigating actions;
(i) Regularly comparing actual performance against risk estimates (i.e. Backtesting) to assist in judging the accuracy and effectiveness of the risk management process and making necessary adjustments; and
(j) Challenging decisions that give rise to material risk.
Added: April 2023
HC-8.1.5
Licensees must have adequate risk management and approval processes for new or expanded products or services, lines of business and markets, outsourcing arrangements as well as for large and complex transactions. If such processes are not in place, a new product, service, business line or third-party relationship or major transaction must be delayed. There must also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. The risk management function must provide input on risks as part of such processes and on the outsourcer’s ability to manage risks and comply with legal and regulatory obligations. Such processes must entail the following:(a) A full assessment of risks under a variety of scenarios as well as an assessment of potential shortcomings in the ability of thelicensee’s risk management and internal controls to effectively manage associated risks; and(b) An assessment of the extent to which thelicensee’s risk management, legal and regulatory compliance, information technology, internal control and business functions have adequate tools and the expertise necessary to measure and manage related risks.Added: April 2023HC-8.1.6
Licensees must appoint a chief risk officer (CRO) or equivalent with an overall responsibility for the licensee’s risk management function.
Added: April 2023
HC-8.1.7
The CRO must:
(a) Be actively engaged, together with management, in monitoring performance relative to risk-taking and risk limit adherence;
(b) Manage and participate in key decision-making processes (e.g. strategic planning, capital and liquidity planning, new products and services, compensation design and operation);
(c) Be independent and have duties distinct from other executive functions. This means that he must not have managerial or financial responsibility or approval authority related to any business lines or revenue-generating functions, and there must be no “dual hatting”, i.e. other approved persons within senior management must not serve as the CRO;
(d) Have access to any information necessary to perform his duties;
(e) Report directly to the risk committee without impediment, and administratively to the CEO;
(f) Have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the risk committee and senior management in a constructive dialogue on key risk issues;
(g) Meet regularly with the non-executive directors, the board or its risk committee without executive directors and the CEO being present;
(h) Keep the risk committee and senior management apprised of the assumptions used in and potential shortcomings of the licensee’s risk models and analyses;
(i) Consistently remind all staff, through a regular process, under the sponsorship of the CEO, of the risk management requirements to ensure a common understanding of these requirements across the licensee; and
(j) Ensure that:
    i. Risk reporting to the risk committee is carefully designed to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting must accurately communicate risk exposures and results of stress tests or scenario analyses and must provoke a robust discussion of, for example, the bank’s current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting must also include information about the external environment to identify market conditions and trends that may have an impact on the bank’s current or future risk profile;
    ii. Material risk-related ad-hoc information that requires immediate decisions or reactions is promptly presented to senior management and, as appropriate, the risk committee, the responsible officers and, where applicable, the heads of control functions so that suitable measures and activities can be initiated at an early stage; and
    iii. The licensee has accurate internal and external data to be able to identify, assess and mitigate risks.
Added: April 2023
HC-9 Compliance
HC-9.1 Compliance
HC-9.1.1
The Board must:
(a) Oversee the management of the licensee’s compliance risk;
(b) Establish an independent compliance function and approve an appropriate compliance framework for the licensee based on its size and complexity of its operations;
(c) Set priorities for the management of its compliance risk in a way that is consistent with its risk management strategy and structures;
(d) Not outsource the compliance function; and
(e) Approve the licensee’s compliance policy for identifying, assessing, monitoring, reporting and advising on compliance risk.
Added: April 2023
HC-9.1.2
The compliance function and the internal audit function must be separate.
Added: April 2023
HC-9.1.3
The Board, Audit Committee or the designated Board committee and senior management must:
(a) Ensure that, based on an agreed remedial action plan, all compliance findings are resolved within a reasonable period of time to be set based on level and magnitude of risk;
(b) Not restrict the compliance function from reporting any irregularities or breaches that are identified as a result of its work or investigations, and must ensure that such reporting can be done without fear of retaliation or disfavour from management, board members or other staff members;
(c) Ensure that the head of compliance and his staff are not placed in a position where there is a possible conflict of interest between their compliance responsibilities and any other responsibilities they may have;
(d) Not consider the compliance function as a cost center; instead it should be viewed as an activity that helps the licensee avoid enforcement action for non-compliance, enhances the licensee’s reputation and promotes the right environment for better financial performance; and
(e) Ensure the compliance function’s right to:
    i. Have unrestricted access to any records or files necessary to carry out its responsibilities, and the corresponding duty of licensee staff to co-operate in supplying this information;
    ii. Conduct investigations of possible breaches of the applicable laws, regulations and the compliance policy; and
    iii. Appoint, subject to audit committee’s approval, outside experts to perform a specific task, if appropriate.
Added: April 2023
HC-9.1.4
Licensees must appoint a head of compliance with overall responsibility for the licensee’s compliance function.
Added: April 2023
HC-9.1.5
In banking groups:
(a) The audit committee and senior management, with assistance of the group head of compliance, must ensure that adequate resources, commensurate with the scale and complexity of operations, are assigned for compliance activities at the head office, subsidiaries and overseas branches; and
(b) The group head of compliance must ensure that:
    i. Adequate reports and information are received from subsidiaries and overseas branches on compliance related issues and must report the same to the audit committee; and
    ii. It conducts annual compliance testing on subsidiaries and overseas branches whose total revenue represents 20% or more of the group’s total revenue and every two years for other overseas operations.
Added: April 2023
HC-9.1.6
Subject to the CBB’s approval, the role of head of compliance may be combined with the head of risk if the size and nature of the conventional bank licensee justify the same.
Added: April 2023
HC-9.1.7
The head of compliance must:
(a) Report to the Audit Committee or the designated Board committee and administratively to the CEO. In the case of branches of foreign bank licensees, the reporting must be to the Group or Regional Head of Compliance and administratively to the CEO/GM of the branch;
(b) Establish the operating compliance procedures and processes for identifying, assessing, monitoring, reporting and advising on compliance risk;
(c) Establish written guidance to the licensee’s staff on the appropriate implementation of laws and regulations;
(d) Conduct, under the sponsorship of the CEO, awareness sessions for the licensee’s staff on compliance policy requirements and issues; and
(e) Report to the Audit Committee:
    i. On a quarterly basis, the licensee’s management of its compliance risk, in such a manner as to assist committee members to make an informed judgment on whether the licensee is managing its compliance risk effectively; and
    ii. Immediately any material compliance failures as they arise (e.g. failures that may attract a significant risk of legal or regulatory sanctions, material financial loss, or loss of reputation).
Added: April 2023
HC-9.1.8
The compliance function must:
(a) Have a formal status with sufficient authority within the licensee;
(b) Carry out its responsibilities under a risk-based compliance programme that sets out its planned activities, such as the implementation and review of specific policies and procedures, compliance risk assessment and compliance testing;
(c) Assess in cooperation with the relevant functions, in case of new regulations, the appropriateness of the licensee’s relevant policies as well as the compliance policy and related procedures and processes. It must promptly follow up regarding any identified deficiencies, and, where necessary, formulate proposals for amendments in cooperation with the relevant functions;
(d) On a proactive basis, identify, measure, document and assess the compliance risks associated with the licensee’s business activities including the development of new products and business practices, proposed establishment of new types of business or customer relationships, or material changes in the nature of such relationships. If the licensee has a new products and services committee, the compliance function staff must be represented on the committee;
(e) Monitor and test compliance by performing sufficient and representative compliance testing. The results of such testing must be reported to the Audit Committee;
(f) Advise the audit committee and senior management on all relevant laws, regulations and standards in all jurisdictions in which the licensee conducts its business and inform them on developments on the subject;
(g) Provide to the CBB a compliance assessment report on every application/request for approval to the CBB confirming that all related legal and regulatory requirements pertaining to the request have been thoroughly checked, including the impact of such request on the licensee’s financial position and compliance status, and a reference must be made to any previously approved arrangements by the CBB. In cases where the requests have a potential financial impact on the licensee, a report from the financial control function in consultation with external auditors must also be submitted as part of the compliance assessment report, whereas in case of any legal implication of such a request a legal opinion on the matter must be submitted;
(h) Act as a contact point within the licensee for compliance queries from staff members; and
(i) Have sufficient and appropriate resources to carry out its functions effectively, commensurate with the size and complexity of the licensee.
Added: April 2023
HC-9.1.9
The compliance function staff must:
(a) Have the necessary qualifications, experience and professional and personal qualities to enable them to carry out their specific duties;
(b) Have a sound understanding of applicable laws, regulations and standards and their practical impact on the licensee’s business activities and operations; and
(c) Be subject to regular and systematic training to remain up-to-date with developments in laws, regulations and standards.
Added: April 2023
HC-9.1.10
The CBB may at its own discretion communicate directly with the Head of Compliance to discuss issues of material concerns related to compliance risk.
Added: April 2023
HC-10 Internal Audit
HC-10.1 Internal Audit
HC-10.1.1
Conventional bank licensees must establish an effective and independent internal audit function (IAF).
Added: April 2023
HC-10.1.2
The Audit Committee remains ultimately responsible for the IAF regardless of whether internal audit activities are outsourced.
Added: April 2023
HC-10.1.3
The Board, Audit Committee and senior management must:
(a) Promote a strong and robust internal control environment within the licensee;
(b) Provide the IAF staff full and unconditional access to all files, records, data, documents, systems, properties, subsidiaries and overseas branches of the licensee;
(c) Require that all internal audit findings and recommendations are resolved within a reasonable period of time to be set based on level and magnitude of risk;
(d) Allocate sufficient annual budget to support the IAF’s activities and plans; and
(e) Inform the IAF of new developments, initiatives, projects, products and operational changes.
Added: April 2023
HC-10.1.4
All Bahraini conventional bank licensees must have an internal audit charter which must be drawn up and reviewed annually by the head of internal audit and approved by the Board or Audit Committee. It must be available to all internal stakeholders, and to external stakeholders in case of a listed bank.
Added: April 2023
HC-10.1.5
The internal audit charter must establish, at a minimum:
(a) The IAF’s standing within the licensee, its authority, responsibilities and relations with other control functions in a manner that promotes the effectiveness of the function;
(b) The purpose and scope of the IAF;
(c) The obligation of the internal auditors to communicate the results of their engagements and a description of how and to whom this must be done (reporting line);
(d) The criteria for when and how the IAF may outsource some of its engagements to external experts;
(e) The terms and conditions according to which the IAF can be called upon to provide consulting or advisory services or to carry out other special tasks without creating a conflict with its core function;
(f) The responsibility and accountability of the head of internal audit;
(g) The requirement to comply with the international standard on internal audit issued by The Institute of Internal Auditors; and
(h) Procedures for the coordination of the IAF with the external auditor.
Added: April 2023
HC-10.1.6
The IAF must:
(a) Be independent of all functions;
(b) Have sufficient standing and authority within the licensee;
(c) Have sufficient skilled resources to be able to judge outcomes and make an impact at the highest level of the organization;
(d) Be able to perform its assignments on its own initiative in all areas and functions of the licensee based on the audit plan established by the head of the IAF and approved by the audit committee;
(e) Be free to report its findings and assessments internally;
(f) Independently review and evaluate the effectiveness and efficiency of all functions, internal controls, risk management, internal risk and finance models, governance framework, policies, procedures, systems and processes, including the licensee’s outsourced activities and its subsidiaries (including SPVs) and local and overseas branches, and must ensure adequate coverage of matters of regulatory interest within the audit plan;
(g) Develop an independent and informed view of the risks faced by the licensee based on its access to all licensee records and data, its enquiries and its professional competence;
(h) Discuss its views, findings and conclusions directly with the audit committee and, if necessary, with the board of directors at their routine quarterly meetings; and
(i) Not be involved in designing, selecting, implementing or operating specific internal control measures. However, the independence of the IAF must not prevent senior management from requesting input from the IAF on matters related to risk and internal controls. Nevertheless, the development and implementation of internal controls must remain the responsibility of management.
Added: April 2023
HC-10.1.7
Licensees must appoint a head of internal audit who shall:
(a) Report directly to the Audit Committee and administratively to the CEO;
(b) Demonstrate appropriate leadership and have the necessary personal characteristics and professional skills to fulfil his responsibility for maintaining the function’s independence and objectivity;
(c) Inform senior management of all significant findings so that timely corrective actions can be taken, and subsequently, he must follow up with senior management on the outcome of those corrective measures;
(d) Report quarterly to the Audit Committee the status of pending findings;
(e) Arrange appropriate ongoing training for the internal audit staff to meet the growing technical complexity of the conventional bank licensee’s activities and the increasing diversity of tasks that need to be undertaken as a result of the introduction of new products and processes and other developments in the financial sector;
(f) Establish an annual internal audit plan approved by the audit committee. The plan must be based on a robust risk assessment, including direct or indirect input from the board, audit committee and senior management;
(g) Develop and maintain appropriate tools to assess the quality of the IAF; and
(h) Define, in a banking group structure, the group’s internal audit strategy, determine the organisation of the internal audit function both at the parent’s and the subsidiary’s level (in consultation with these entities’ respective audit committees and in accordance with local laws) and formulate the internal audit principles, the audit methodology and quality assurance measures. He must also determine the audit scope for every internal audit exercise, by the parent’s internal audit function, for every subsidiary on an annual basis in compliance with local regulations and incorporate local knowledge and experience.
Added: April 2023
HC-10.1.8
The head of IAF should, whenever practicable and without jeopardising competence and expertise, periodically rotate internal audit staff within the internal audit function.
Added: April 2023
HC-10.1.9
The CBB may at its own discretion communicate directly with the head of the IAF to discuss issues of material concerns related to risks, compliance and internal controls.
Added: April 2023
HC-10.1.10
Internal audit reports must be provided to the audit committee without management filtering.
Added: April 2023
HC-10.1.11
All internal audit staff must:
(a) Apply the care and skills expected of a reasonably prudent and competent professional. Due professional care does not imply infallibility. Internal auditors having limited competence and experience in a particular area must be appropriately supervised by more experienced staff;
(b) Avoid conflicts of interest. Internal auditors appointed from within the licensee must not engage in auditing activities for which they have had previous responsibility before a one year “cooling off” period has elapsed;
(c) Act with integrity (being straightforward, honest and truthful);
(d) Be diligent in the protection of information acquired in the course of their duties and must not use it for personal gain or malicious action;
(e) Adhere to the code of ethics of the licensee, the Institute of Internal Auditors and any other relevant professional or standard setting body;
(f) Collectively be competent to examine all areas in which the licensee operates; and
(g) Adhere to international professional standards established by the Institute of Internal Auditors.
Added: April 2023