• SIO-5.10 Outsourcing Arrangements

    • SIO-5.10.1

      This Section sets out the CBB’s approach to outsourcing by stablecoin issuers. It also sets out various requirements that stablecoin issuers must address when considering outsourcing an activity or function.

      Added: July 2025

    • SIO-5.10.2

      In the context of this Section, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a stablecoin issuer an activity which commonly would have been performed internally by the stablecoin issuer. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back office related activities.

      Added: July 2025

    • SIO-5.10.3

      In the case of a stablecoin issuer being part of a group entity, the CBB may consider a third-party outsourcing arrangement entered into by the stablecoin issuer’s head office/regional office or other offices of the group entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

      (i) The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; and
      (ii) The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.

      Added: July 2025

    • SIO-5.10.4

      A stablecoin issuer must not outsource the following functions:

      (i) Compliance;
      (ii) AML/CFT;
      (iii) Financial control;
      (iv) Risk management; and
      (v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).

      Added: July 2025

    • SIO-5.10.5

      For the purposes of Paragraph SIO-5.10.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centre, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph SIO-5.10.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the stablecoin issuer.

      Added: July 2025

    • SIO-5.10.6

      Stablecoin issuers who are part of a group may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph SIO-5.10.4(iv), subject to CBB’s prior approval.

      Added: July 2025

    • SIO-5.10.7

      Stablecoin issuers must comply with the following requirements:

      (i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The application request must:

          (a) include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and
          (b) be made at least 30 calendar days before the licensee intends to commit to the arrangement.
      (ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.
      (iii) Stablecoin issuers must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.
      (iv) Stablecoin issuers must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, and compliance function of the stablecoin issuer have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.
      (v) Stablecoin issuers must designate a senior manager to act as coordinator for monitoring and assessing the outsourced arrangement.
      (vi) Stablecoin issuers must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.
      (vii) Stablecoin issuers must inform their normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.

      Added: July 2025

    • SIO-5.10.8

      For the purpose of Subparagraph SIO-5.10.7(iv), stablecoin issuers as part of their assessments may use the following:

      (a) Independent third-party certifications on the outsourcing service provider’s security and other controls;
      (b) Third-party or internal audit reports of the outsourcing service provider; and
      (c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.

      When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.

      Added: July 2025

    • SIO-5.10.9

      For the purpose of Subparagraph SIO-5.10.7(i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.

      Added: July 2025