SIO-5 Business Standards & Ongoing Obligations
SIO-5.1 General Obligations
SIO-5.1.1
In the course of undertaking regulated stablecoin offering service, a stablecoin issuer must:
Added: July 2025Dealing with clients and other stakeholders
(a) Ensure that the regulated activities are undertaken in a fair, orderly and transparent manner;(b) Stablecoin issuers must act honestly, fairly and professionally and communicate with their clients and prospective clients in a fair, clear and not misleading manner; and(c) Act with due skill, care and diligence in all dealings with clients;(d) Provide sufficient information to enable clients to make informed decisions when availing services offered to them;(e) Provide sufficient and timely documentation to clients to confirm that their transaction arrangements are in place and provide all necessary information about their rights and responsibilities;(f) Maintain fair treatment of clients through the lifetime of the client relationships, and ensure that clients are kept informed of important events and are not misled;(g) Ensure complaints from clients are dealt with fairly and promptly;(h) Not act contrary to the interests of its clients;(i) Stablecoin issuers must act in the best interests of their clients and treat them equally;(j) Take appropriate measures to safeguard any money and approved stablecoin handled on behalf of clients and maintain confidentiality of client information;Added: July 2025Risk management
(k) Manage any risks associated with its business and operations prudently;Added: July 2025Internal operating policies and procedures
(l) Have an operating manual and internal policies;Added: July 2025Compliance
(m) Maintain proper arrangements to enforce compliance with the CBB Law, Rules and Regulations and develop, implement, and adhere to a “compliance policy”, tailored to meet specific requirements associated with regulated stablecoin offering services. The compliance policy must reflect a clear comprehension and understanding of compliance responsibilities with respect to approved stablecoins;Added: July 2025Training and skills
(n) Ensure that all the employees are provided with the required education, qualifications and experience and they fully understand the rules and regulations of the CBB;Added: July 2025Record keeping
(o) Ensure that there are sufficient and appropriate records, books and systems in place to record all transactions and maintain an audit trail;Added: July 2025Shareholder meetings
(p) Provide to the CBB, for its review and comment, the draft agenda at least 5 business days prior to, the shareholders’ meetings (i.e. ordinary and extraordinary general assembly);(q) Ensure that any agenda items to be discussed or presented during the course of meetings which requires the CBB’s prior approval, have received the necessary approval, prior to the meeting taking place;(r) Invite a representative of the CBB to attend any shareholders’ meeting that will take place. The invitation must be provided to the CBB at least 5 business days prior to the meeting taking place;(s) Within one month of any shareholders meetings referred to in Paragraph SIO-5.1.1(o), provide to the CBB a copy of the minutes of the meeting.Added: July 2025SIO-5.1.2
A stablecoin issuer must establish and document keyman risk management measures that include arrangements in place should individuals holding encryption keys or passcodes to stored assets, including wallets, or information be unavailable unexpectedly due to death, disability or other unforeseen circumstances.
Added: July 2025SIO-5.1.3
A stablecoin issuer must ensure that it maintains no encrypted accounts that cannot be retrieved in the future for any reason. It must also advise its clients who maintain wallets with custodian firms outside of Bahrain (not licensed by the CBB) about any associated risks.
Added: July 2025SIO-5.1.4
Where a stablecoin issuer holds their own approved stablecoins, either due to redemption or due to minting, such approved stablecoins must be fully backed by reserve assets.
Added: July 2025SIO-5.2 Auditors and Accounting Standards
SIO-5.2.1
Stablecoin issuers must appoint an independent external auditor for its accounts for every financial year. While appointing an auditor, stablecoin issuers must exercise due skill, care and diligence in the selection and appointment of the auditor and must take into consideration the auditor’s experience and track record of auditing stablecoin and/or crypto-asset related businesses.
Added: July 2025SIO-5.2.2
In accordance with Article 61(b) of the CBB Law, if a stablecoin issuer fails to appoint an auditor within four months from the beginning of its financial year, the CBB shall appoint an auditor on behalf of the stablecoin issuer.
Added: July 2025SIO-5.2.3
A stablecoin issuer must pay the fees of the auditor regardless of the manner in which the auditor is appointed.
Added: July 2025SIO-5.2.4
An auditor must not be the chairman or a director in the stablecoin issuer’s board or a managing director, agent, representative or taking up any administrative work therein, or supervising its accounts, or a next of kin to someone who is responsible for the administration or accounts of the stablecoin issuer or having an extraordinary interest in the stablecoin issuer.
Added: July 2025SIO-5.2.5
If any of the circumstances referred to in rule Paragraph SIO-5.2.4 occurs after the appointment of the auditor, the stablecoin issuer must appoint another external auditor.
Added: July 2025SIO-5.2.6
Stablecoin issuers must provide the external auditor with all information and assistance necessary for carrying out his duties.
Added: July 2025SIO-5.2.7
The duties of the external auditor must include the preparation of a report on the final accounts. The report must contain a statement on whether the stablecoin issuer’s accounts are correct and reflect the actual state of affairs of the licensee according to the auditing standards prescribed by the CBB, and whether the stablecoin issuer has provided the auditor with all required information and clarifications.
Added: July 2025SIO-5.2.8
The final audited accounts must be presented to the general meeting of the licensed stablecoin issuer together with the auditor’s report. A copy of these documents must be sent to the CBB at least 15 days before the date of the general meeting.
Added: July 2025SIO-5.2.9
Audited financial statements of a stablecoin issuer must be prepared in accordance with the International Financial Accounting Standards (IFRS) or AAOIFI standards as appropriate.
Added: July 2025Annual Audited Financial statements
SIO-5.2.10
Stablecoin issuers must submit to the CBB their annual audited financial statements no later than 3 months from the end of the licensee’s financial year. The financial statements must include the statement of financial position (balance sheet), the statements of income, cash flow and changes in equity and where applicable, the statement of comprehensive income.
Added: July 2025Annual Report
SIO-5.2.11
Stablecoin issuers must submit a soft copy (electronic) of their full annual report to the CBB within 4 months of the end of their financial year.
Added: July 2025Reviewed (Unaudited) Quarterly Financial Statements
SIO-5.2.12
Stablecoin issuers must submit to the CBB unaudited quarterly financial statements (in the same format as their Annual Audited Accounts), reviewed by the licensee’s external auditor, on a quarterly basis within 45 calendar days from the end of each of the first 3 quarters of their financial year.
Added: July 2025SIO-5.3 Governance Requirements
SIO-5.3.1
A stablecoin issuer must have robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks to which they are or might be exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures.
Added: July 2025SIO-5.3.2
Stablecoin issuers must adopt policies and procedures that are sufficiently effective to ensure compliance with the requirements of this Module and other applicable Modules. Stablecoin issuer must establish, maintain and implement, in particular, policies and procedures on:
(b) the custody of the reserve assets, including the segregation of assets, as specified in Section SIO-6.4;(c) the rights granted to the holders of approved stablecoins, as specified in Section SIO-6.5;(d) the mechanism through which approved stablecoins are issued and redeemed;(e) the protocols for validating transactions in approved stablecoins;(f) the functioning of the stablecoin issuer’s proprietary distributed ledger technology, where the approved stablecoins are issued, transferred and stored using such distributed ledger technology or similar technology that is operated by the stablecoin issuer or a third party acting on their behalf;(g) the mechanisms to ensure the liquidity of approved stablecoins, including the liquidity management policy and procedures for issuers of significant stablecoins referred to in Section SIO-8.2.3(b);(h) arrangements with third-party entities for managing the reserve assets, and for the investment of the reserve assets, the custody of the reserve assets and, where applicable, the distribution of the approved stablecoins to the public;(i) the written consent of the stablecoin issuer given to third parties that might offer or seek the admission to trading of the approved stablecoin;(j) complaints-handling, as specified in Section SIO-5.7;(k) conflicts of interest, as specified in Section SIO-5.8;Added: July 2025SIO-5.3.3
For the purposes of Paragraph SIO-5.3.2(h), stablecoin issuers must enter into a written contact with the third party. The contractual arrangements must set out the roles, responsibilities, rights and obligations both of the licensee and of the third party. Any contractual arrangement with cross jurisdictional implications must provide for an unambiguous choice of applicable law.
Added: July 2025SIO-5.3.4
Unless a stablecoin issuer initiates a redemption plan referred to in Chapter 11 of this Module, the stablecoin issuer must employ appropriate and proportionate systems, resources and procedures to ensure the continued and regular performance of their services and activities. To this end, stablecoin issuers must maintain all of their systems and security access protocols in conformity with necessary and appropriate standards.
Added: July 2025SIO-5.3.5
Where a stablecoin issuer decides to discontinue the provision of its regulated stablecoin offering services and activities, including by discontinuing the offering of a particular approved stablecoin, it must submit a plan to the CBB for approval of such discontinuation.
Added: July 2025SIO-5.3.6
Stablecoin issuers must identify sources of operational risk and minimise those risks through the development of appropriate systems, controls and procedures.
Added: July 2025SIO-5.3.7
Stablecoin issuers must establish a business continuity management policy to ensure, in the case of an interruption of their Information Technology systems and procedures, the preservation of essential data and functions and the maintenance of their activities or, where that is not possible, the timely recovery of such data and functions and the timely resumption of their activities.
Added: July 2025SIO-5.3.8
Stablecoin issuers must have in place internal control mechanisms and effective procedures for risk management, including effective control and safeguard arrangements for managing IT systems. Further, stablecoin issuers must monitor and evaluate on a regular basis the adequacy and effectiveness of the internal control mechanisms and procedures for risk assessment and take appropriate measures to address any deficiencies in that respect.
Added: July 2025SIO-5.3.9
Stablecoin issuers must have systems and procedures in place that are adequate to safeguard the availability, authenticity, integrity and confidentiality of data as required under Personal Data Protection Law. Those systems must record, and safeguard relevant data and information collected and produced in the course of the stablecoin issuer’s activities.
Added: July 2025Responsibility of the Board of Directors
SIO-5.3.10
The Board of a stablecoin issuer is responsible for overseeing the implementation of sound governance arrangements that ensure effective and prudent management of the licensee and the interest of its clients including the segregation of duties and the identification, prevention and management of conflicts of interest.
Added: July 2025SIO-5.3.11
The Board must establish and approve:
(a) the overall business strategy and the key policies of the stablecoin issuer taking into account the licensee’s long-term financial interests and solvency and interest of the clients;(b) the policies required under Paragraph SIO-5.3.2 and such policies must be consistent with the risk appetite the stablecoin issuer;(c) the organisation structure of the stablecoin issuer;(d) the overall risk strategy, the stablecoin issuer’s risk appetite and its risk management framework;(e) an effective internal control framework to ensure compliance with applicable regulatory requirements including with regard to the management of reserve assets;(f) in accordance with the requirement of Paragraph SIO-8.2.3(a), a remuneration policy applicable upon classification of an approved stablecoin as significant stablecoin;(g) the policies and procedures to identify, prevent, manage and disclose conflicts of interest, in line with Section SIO-5.8;(h) arrangements that aim to ensure the integrity of the accounting and financial reporting systems, including financial and operational controls and compliance with the law and relevant standards.Added: July 2025Responsibility of Senior Management
SIO-5.3.13
The senior management is responsible for the implementation of the strategies and policies set out by the Board and must regularly discuss the implementation and appropriateness of these strategies and policies with the Board.
Added: July 2025SIO-5.3.14
The senior management must:
(a) actively engage in the business of the stablecoin issuer and must take decisions on a sound and well-informed basis.(b) monitor that the risk culture of the licensee is implemented consistently;(c) oversee the implementation of policies and procedures to identify, prevent, manage and disclose conflicts of interest, in accordance with Section SIO-5.8 of this Module;(d) oversee the integrity of financial information and reporting, and the internal control framework, including an effective and sound risk management framework;(e) ensure that the heads of internal control functions are able to act independently and, regardless of the responsibility to report to other business lines or units, can raise concerns and warn the management body in its supervisory function directly, where necessary, when adverse risk developments affect or may affect the stablecoin issuer; and(f) set and monitor the implementation of the internal audit plan.Added: July 2025SIO-5.4 Compliance Function
SIO-5.4.1
Stablecoin issuers must establish a permanent and effective compliance function to manage compliance risk and appoint a competent person as compliance officer.
Added: July 2025SIO-5.4.2
Stablecoin issuers may combine the position of compliance officer with the money laundering reporting officer provided there is no conflict of interest between the tasks performed and the size, internal organisation, business model, and nature, scale and complexity of the licensee’s activities is such that the licensee can effectively meet the regulatory requirements.
Added: July 2025SIO-5.4.3
Stablecoin issuers must seek the CBB’s prior written before combining the positions of head of compliance and money laundering reporting officer functions referred to in Paragraph SIO-5.4.2.
Added: July 2025SIO-5.4.4
Employees within the compliance function must possess sufficient knowledge, skills and experience in relation to compliance and relevant procedures and should undergo regular training.
Added: July 2025SIO-5.4.5
Stablecoin issuers must have a well-documented compliance policy, and the senior management must oversee the implementation of the compliance policy. Stablecoin issuers must set up a process to regularly assess changes in the law and regulations applicable to its business activities.
Added: July 2025SIO-5.4.6
The compliance function should advise the board and senior management body on measures to be taken to ensure compliance with applicable laws, rules, regulations and standards, and should assess the possible impact of any changes in the legal or regulatory environment on the stablecoin issuer’s activities and compliance framework.
Added: July 2025SIO-5.5 Internal Audit Function
SIO-5.5.1
The internal audit function must be independent and have sufficient authority and resources. In particular, stablecoin issuers must ensure that the qualification of the internal audit staff members and the internal audit resources, in particular its auditing tools and risk analysis methods, are adequate for the nature, scale and complexity of the risks associated with the licensed stablecoin issuer’s business model, activities, and risk appetite.
Added: July 2025SIO-5.5.2
The internal audit function must follow a risk-based approach, independently review and provide objective assurance of the compliance of all activities undertaken by the stablecoin issuer, including the use of third-party entities, with the licensee’s policies and procedures and with the regulatory requirements.
Added: July 2025SIO-5.5.3
The internal audit function must not be involved in designing, selecting, establishing, or implementing specific internal control policies, mechanisms, procedures or risk limits. However, this should not prevent the Board and the senior management from requesting input from the internal audit function on matters relating to risk, internal controls and compliance with applicable rules.
Added: July 2025SIO-5.5.4
The internal audit function must review the adequateness of the processes for the development of stablecoin whitepaper, its approval and the processes followed for issuance of the approved stablecoin and how the approved stablecoin is offered to the public.
Added: July 2025SIO-5.5.5
Internal audit work should be performed regularly in accordance with an audit plan and a detailed audit programme following a risk-based approach.
Added: July 2025SIO-5.5.6
Stablecoin issuers must, at least once a year, draw up an internal audit plan on the basis of the annual internal audit control objectives. The internal audit plan must be approved by the board or relevant board committee.
Added: July 2025SIO-5.6 Marketing & Promotion
SIO-5.6.1
Stablecoin issuers must not advertise its products, services, or activities in the Kingdom of Bahrain without including the name of the licensee and a statement that the licensee is “Licensed by the CBB as a Stablecoin issuer”.
Added: July 2025SIO-5.6.2
Stablecoin issuers must not make use of the name of the CBB in any promotion in such a way that would indicate endorsement or approval of its products or services.
Added: July 2025SIO-5.6.3
Stablecoin issuers must ensure that all advertising and marketing materials adhere to the principles of fair competition. While comparative advertisement in product or service promotion is acceptable, the intent and connotation of comparative advertisement should be to inform and never to discredit or unfairly target competitors, competing products or services.
Added: July 2025SIO-5.6.4
Any marketing communication relating to an offer to the public of an approved stablecoin, must comply with all of the following requirements:
(a) the marketing communications are clearly identifiable;(b) the information in the marketing communications is fair, clear and not misleading;(c) the information in the marketing communications is consistent with the information in the stablecoin whitepaper;(d) the marketing communications clearly states that a stablecoin whitepaper has been published and clearly indicates the address of the website of the stablecoin issuer, as well as a telephone number and an email address to contact the stablecoin issuer.Added: July 2025SIO-5.6.5
Marketing communications must contain a clear and unambiguous statement that clients have a direct right of redemption at par value at any time.
Added: July 2025SIO-5.6.6
Marketing communications and any modifications thereto must be published on the stablecoin issuer’s website.
Added: July 2025SIO-5.6.7
No marketing communications shall be disseminated prior to the publication of the stablecoin white paper. Such a restriction does not affect the ability of the stablecoin issuer to conduct market soundings.
Added: July 2025SIO-5.6.8
Stablecoin issuers, at a minimum, must make the following information available on its website:
(a) The services being offered;(b) The rights and obligations of the stablecoin issuer and the client;(c) The relevant material information, including providing clients with access to up-to-date stablecoin white paper or information, and providing clients with material information as soon as reasonably practicable to enable clients to appraise the position of their investments (for example, any major events or any other material information);(d) Circumstances under which the stablecoin issuer may disclose the client’s confidential information to third parties, including regulators;(e) Applicable rules, policies, terms and conditions for which any amendment shall require prior notification to clients;(f) Dispute resolution mechanisms, including complaints procedures; and(g) System upgrades and maintenance procedures and schedules.Added: July 2025SIO-5.7 Complaints
SIO-5.7.1
Stablecoin issuers must establish and maintain written policies and procedures to resolve complaints in a fair and timely manner.
Added: July 2025SIO-5.7.2
Stablecoin issuers must provide, in a clear and conspicuous manner on their website and in all physical locations the following disclosures:
(a) The licensee’s contact information for the receipt of complaints which may include mailing address, telephone numbers etc. but must include an email address; and(b) The CBB’s mailing address, website, and telephone number.Added: July 2025SIO-5.7.3
Stablecoin issuers must notify the CBB any change in their complaint policies or procedures within seven days prior to the implementation of the new complaint policy.
Added: July 2025SIO-5.7.4
The complaint handling procedures of a stablecoin issuer must provide for:
(a) The receipt of written complaints;(b) The appropriate investigation of complaints;(c) An appropriate decision-making process in relation to the response to a client complaint;(d) Notification of the decision to the client;(e) The recording of complaints; and(f) How to deal with complaints when a business continuity plan (BCP) is operative.Added: July 2025SIO-5.7.5
A stablecoin issuer’s internal complaint handling procedures must be designed to ensure that:
(a) All complaints are handled fairly, effectively and promptly;(b) The number of unresolved complaints referred to the CBB is minimized;(c) The employee responsible for the resolution of complaints has the necessary authority to resolve complaints or has ready access to an employee who has the necessary authority;(d) Relevant employees are aware of the licensee’s internal complaint handling procedures that they comply with them and receive training periodically to be kept abreast of changes in procedures; and(e) Complaints are investigated by an employee of sufficient competence who, where appropriate, was not directly involved in the matter which is the subject of a complaint.Added: July 2025Response of Complaints
SIO-5.7.6
Stablecoin issuer must acknowledge in writing clients written complaints within 5 working days of receipt.
Added: July 2025SIO-5.7.7
A stablecoin issuer must respond to a client complaint promptly and within a period of 4 weeks of receiving the complaint or provide the complainant with an appropriate explanation as to why the licensee is not, at that time, in a position to respond and must indicate by when the licensee will respond.
Added: July 2025Redress
SIO-5.7.8
A stablecoin issuer must decide and communicate how it proposes to provide the customer with redress. Where appropriate, the licensee must explain the options open to the customer and the procedures necessary to obtain the redress.
Added: July 2025SIO-5.7.9
Where a stablecoin issuer decides that redress in the form of compensation is appropriate, the licensee must provide the complainant with fair compensation and must comply with any offer of compensation made by it which the complainant accepts.
Added: July 2025SIO-5.7.10
Where a stablecoin issuer decides that redress in a form other than compensation is appropriate, it must provide the redress as soon as practicable.
Added: July 2025SIO-5.7.11
Stablecoin issuers must inform the clients who have filed a complaint with the licensee and are not satisfied with the response received as per Paragraph SIO-5.7.7, about their right to forward the complaint to the Consumer Protection Unit at the CBB within 30 calendar days from the date of receiving the letter from the licensee.
Added: July 2025Reporting of Complaints
SIO-5.7.12
Stablecoin issuers must submit to the Consumer Protection Unit at the CBB, a quarterly report summarising the following:
(a) The number of complaints received during the quarter;(b) The substance of the complaints;(c) The number of days it took the licensee to acknowledge and to respond to the complaints; and(d) The status of the complaint, including whether resolved or not, and whether redress was provided.Added: July 2025SIO-5.7.13
Where no complaints have been received by the stablecoin issuer within the quarter, a ‘nil’ report must be submitted to the Consumer Protection Unit at the CBB.
Added: July 2025Record of Complaints
SIO-5.7.14
Stablecoin issuers must maintain a record of all the client complaints received. The record of each complaint must include:
(a) The identity of the complainant;(b) The substance of the complaint;(c) The status of the complaint, including whether resolved or not, and whether redress was provided; and(d) All correspondence in relation to the complaint.Such records must be retained by stablecoin issuers for a period of 5 years from the date of receipt of the complaint.
Added: July 2025SIO-5.8 Conflict of Interest
SIO-5.8.1
Stablecoin issuers must implement and maintain effective policies and procedures to identify, prevent, manage and disclose conflicts of interest between themselves and:
(a) their shareholders;(b) their senior management & employees;(c) their clients; or(d) any third-party providing custody and management of reserve assets.Added: July 2025SIO-5.8.2
The conflict of interest policies referred to in Paragraph SIO-5.8.1 must address all such situations which may influence or affect, or which may be perceived to influence or affect, the stablecoin issuer’s ability or the ability of any person connected to the licensee such as its shareholders, board of directors, senior management, employees etc., to take impartial and objective decisions. In particular, the conflict of interest policies and procedures must specifically cover:
(a) conflicts that may impede the ability of the senior management to take objective and impartial decisions that aim to be in the best interest of the stablecoin issuer without prejudice to the consideration of interests of the clients;(b) potential conflict of interest situation that may arise from the management and investment of reserve assets.Added: July 2025SIO-5.8.3
The conflict of interest policies and procedures must, at a minimum include:
(a) a description of the circumstances which may give rise to a conflict of interest situation particularly with reference to the scenarios referred to in Paragraph SIO-5.8.4 and Paragraph SIO-5.8.6;(b) the policies and procedures to be adopted in order to prevent or manage, and disclose, such conflicts. The policies and procedures should differentiate between conflicts of interest that persist and need to be managed permanently and conflicts of interest that occur with regard to a single event for which a one-off measure can be appropriate.Added: July 2025Conflict of interest potentially detrimental to the clients
SIO-5.8.4
For the purposes of identifying the types of conflicts of interest that arise in the course of issuing, processing and redeeming approved stablecoins or of investing or managing the reserve assets and whose existence may damage the interests of the clients, stablecoin issuers should take into account, whether the licensee, shareholders, board of directors, senior management, employees and third parties providing custody and management of reserve asset service is in any of the following situations:
(a) is likely to make a financial gain, avoid a financial loss, or receive another kind of benefit, at the expense of the clients;(b) it has an interest in the outcome of an activity carried out to the benefit of the client, including the redemption of the approved stablecoin, which is distinct from the interest of the client.Added: July 2025SIO-5.8.5
For the purposes of identifying the types of conflicts of interest that arises in the course of managing the reserve assets, the stablecoin issuer shall assess whether it receives or will receive an inducement in relation to that activity in the form of monetary or non-monetary benefits or services in a way that may damage the interest of the client.
Added: July 2025Conflicts of interest potentially detrimental to the stablecoin issuers
SIO-5.8.6
For the purpose of identifying the persons, bodies or entities with conflicting interests, stablecoin issuers should take into account whether that person, body or entity is in any of the following situations:
(a) it is likely to make a financial gain, or avoid a financial loss, at the expense of the licensee;(b) it has an interest in the outcome an activity carried out or a decision taken by the stablecoin issuer, which is distinct from the licensee’s interest in that outcome;(c) it carries out the same business as the stablecoin issuer or is a client, consultant, service providers or other supplier of the licensee.Added: July 2025SIO-5.8.7
For the purposes of Paragraph SIO-5.8.6, stablecoin issuers should take into account the following situations or relationships where a shareholder, board of director, senior management, employee and third-party providing custody and management of reserve asset:
(a) holds shares, tokens (including governance tokens), other ownership rights or membership in that person, body or entity;(b) holds debt instruments of or has other debt arrangements with that person, body or entity;(c) has any form of contractual arrangements, such as management contracts, service contracts, delegation or outsourcing contract or intellectual property licenses, with that person, body or entity.Added: July 2025Remuneration procedures, policies and arrangements
SIO-5.8.8
Stablecoin issuers must within their policies and procedures ensure that remuneration procedures, policies and arrangements:
(a) do not create a conflict of interest or provide for incentives in the short, medium or long term that may lead the employees or members of the senior management to favour their own interests or the stablecoin issuer’s interests to the potential detriment of any client or shareholders of the licensee.(b) identify and appropriately mitigate conflicts of interest potentially caused by the award of variable remuneration, underlying key performance indicators and risk alignment mechanisms, including the pay out of instruments to employees or senior management as part of the variable or fixed remuneration.Added: July 2025SIO-5.9 Anti Money Laundering and Combating the Financing of Terrorism
SIO-5.9.1
Stablecoin issuers must have adequate and appropriate systems and controls, in accordance with the requirements of Anti Money Laundering and Combating of Financial Crime (AML) Module, CBB Rulebook Volume 6, to prevent, detect and combat money laundering and terror financing.
Added: July 2025SIO-5.9.2
The AML/CFT systems and controls referred to in Paragraph SIO-5.9.1 must include but not be limited to (i) customer due diligence in relation to the offering and redemption of the approved stablecoin, (ii) transaction monitoring and (iii) crypto asset transfer (travel rule) and wire transfer rules as provided for in AML-2A of the Anti-Money Laundering and Combating of Financial Crime (AML) Module, CBB Rulebook Volume 6.
Added: July 2025SIO-5.9.3
For avoidance of doubt, stablecoin issuers must ensure that clients making redemption requests are compliant with the customer due diligence requirements prior to processing of the redemption request.
Added: July 2025Origin and Destination of Approved stablecoins
SIO-5.9.4
Stablecoin issuers must consider using technology solutions and other systems to adequately meet anti-money laundering, financial crime and know-your-customer requirements.
Added: July 2025SIO-5.9.5
Stablecoin issuers must develop, implement and maintain effective transaction monitoring systems to determine the origin of an approved stablecoin, to monitor its destination and to apply strong “know your transaction” measures which enable the licensed stablecoin issuer to have complete granular data centric information about the transactions conducted by a client.
Added: July 2025SIO-5.10 Outsourcing Arrangements
SIO-5.10.1
This Section sets out the CBB’s approach to outsourcing by stablecoin issuers. It also sets out various requirements that stablecoin issuers must address when considering outsourcing an activity or function.
Added: July 2025SIO-5.10.2
In the context of this Section, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a stablecoin issuer an activity which commonly would have been performed internally by the stablecoin issuer. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back office related activities.
Added: July 2025SIO-5.10.3
In the case of a stablecoin issuer being part of a group entity, the CBB may consider a third-party outsourcing arrangement entered into by the stablecoin issuer’s head office/regional office or other offices of the group entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions: (i) The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; and (ii) The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.
Added: July 2025SIO-5.10.4
A stablecoin issuer must not outsource the following functions:
(i) Compliance;(ii) AML/CFT;(iii) Financial control;(iv) Risk management; and(v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services)Added: July 2025SIO-5.10.5
For the purposes of Paragraph SIO-5.10.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centre, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph SIO-5.10.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the stablecoin issuer.
Added: July 2025SIO-5.10.6
Stablecoin issuers who are part of a group may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph SIO-5.10.4(iv), subject to CBB’s prior approval.
Added: July 2025SIO-5.10.7
Stablecoin issuers must comply with the following requirements:
(i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The application request must:
(a) include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and(b) be made at least 30 calendar days before the licensee intends to commit to the arrangement.(ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.(iii) Stablecoin issuers must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.(iv) Stablecoin issuers must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, and compliance function of the stablecoin issuer have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.(v) Stablecoin issuers must designate a senior manager to act as coordinator for monitoring and assessing the outsourced arrangement.(vi) Stablecoin issuers must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.(vii) Stablecoin issuers must inform their normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.Added: July 2025SIO-5.10.8
For the purpose of Subparagraph SIO-5.10.7(iv), stablecoin issuers as part of their assessments may use the following:
(a) Independent third-party certifications on the outsourcing service provider’s security and other controls;(b) Third-party or internal audit reports of the outsourcing service provider; and(c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.
Added: July 2025SIO-5.10.9
For the purpose of Subparagraph SIO-5.10.7(i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.
Added: July 2025
