• Business Standards

    • CA Capital Adequacy

      • CA-A Introduction

        • CA-A.1 Purpose

          • CA-A.1.1

            This Module presents requirements that have to be met by insurance licensees, with respect to the level of capital they must maintain. Condition 5 of the Central Bank of Bahrain ('the CBB') Licensing Conditions (cf. Chapter AU-2.5) requires insurance licensees to maintain adequate financial resources, in excess of the minimum requirements specified in Module CA (Capital Adequacy).

            Amended: January 2007

          • CA-A.1.2

            The requirements specified in this Module vary according to the Category of insurance licensee concerned, the volume of business undertaken and its inherent risk. The purpose of such requirements is to ensure that insurance licensees maintain levels of capital sufficient to absorb unexpected losses, within a reasonable confidence interval. The capital levels specified here, in other words, are not sufficient to absorb all unexpected losses. Insurance licensees are also required to make their own assessment of the prudent level of capital that they need to hold.

            Amended: January 2007

          • CA-A.1.3

            This Module covers requirements to be met by both conventional and Takaful insurers. Specific requirements for Takaful firms are given in Chapter CA-8.

            Amended: January 2007
            Amended: October 2008

          • Legal Basis

            • CA-A.1.4

              This Module contains the CBB's Directive (as amended from time to time) relating to the capital adequacy of insurance licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all insurance licensees.

              Amended: January 2011
              Adopted: January 2007

            • CA-A.1.5

              For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

              Adopted: January 2007

        • CA-A.2 Module History

          • CA-A.2.1

            This Module was first issued in April 2005 by the BMA, together with the rest of Volume 3 (Insurance). Any material changes to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

            Amended: January 2007

          • CA-A.2.2

            When the CBB replaced the BMA in September 2006, the provisions of this Module remained in force. Volume 3 was updated in January 2007 to reflect the switch to the CBB; however, new calendar quarter dates were only issued where the update necessitated changes to actual requirements.

            Amended: January 2007

          • CA-A.2.3

            A list of recent changes made to this Module is detailed in the table below:

            | Module Ref. | Change Date | Description of Changes |
            |---|---|---|
            | CA-1.2 | 01/07/05 | Changes made to the definitions of Tier 1 and Tier 2. |
            | CA-4.1 | 01/07/05 | Correction to cross-reference. |
            | CA-4.2 | 01/07/05 | Clarified valuation of amounts receivable. |
            | CA-7.1 | 01/07/05 | Minor correction to list. |
            | CA-8.2 | 01/07/05 | Minor correction. |
            | CA-8.3 | 01/07/05 | Minor correction. |
            | CA-8.4 | 01/07/05 | Minor correction. |
            | CA-8.5 | 01/07/05 | Minor correction. |
            | CA-1.2 | 01/10/05 | Amended requirement for minimum paid-in capital to minimum Tier 1 capital and related transition rules; clarified the definition of Tier 1 capital with respect to reserves and appropriations; clarified definition of Tier 2 in relation to the investment fair value reserve; amended determination of capital available chart in line with other changes in Section CA-1.2. |
            | CA-2.1 | 01/10/05 | Added class of short term medical for solvency calculation of premiums basis and claims basis. |
            | CA-4.2 | 01/10/05 | Clarified the treatment of unlisted equity shares and deleted the reference to managed funds. |
            | CA-7.1 | 01/10/05 | Corrected reference to Group Insurance Firm Return. |
            | CA-3.1 | 01/01/06 | Clarified that rule applies to related parties, as defined in Glossary. |
            | CA-2.1.14 | 01/04/06 | Clarified the calculation of the average gross claims incurred. |
            | CA-4.2.25 | 01/04/06 | Corrected that receivables from contracts of insurance are also included under general asset valuation regulations. |
            | CA-6.1.6 | 01/04/06 | Clarified the definitions of 'assets' and 'liabilities' for purposes of currency matching and localisation requirements. |
            | CA-1.2.8 and CA-1.2.21 | 01/07/06 | Added minority interest as part of the components of Tier 1 and clarified excess tier 2 capital. |
            | CA-2.1.14 | 01/07/06 | Clarified calculation of required solvency margin on the Claims basis. |
            | CA-4.3.2 | 01/07/06 | Clarified category limits for assets linked to long-term liabilities. |
            | CA-8.4.3 | 01/07/06 | Clarified definition of capital available for a takaful fund. |
            | CA-A.1.4 | 01/2007 | New Rule introduced, categorising this Module as a Directive. |
            | CA-1.2.8 and 1.2.21 | 01/2007 | Minority interest was deleted as part of Tier 1 capital as solvency test is performed on an unconsolidated basis. |
            | CA-1.2.21 | 01/2007 | Deleted reference to negative reserves as no discounting is permitted that would give rise to negative reserves. Clarified that there should be a deduction for solvency margin deduction required for branches in other jurisdictions. Added a deduction for assets pledged or provided as collateral. |
            | CA-2.1.8A | 01/2007 | The required solvency margin for pure reinsurers, other than for the reinsurance of linked business, is to be calculated in accordance with Paragraph CA-2.1.12. |
            | CA-2.1.15 | 01/2007 | The reference period for the calculation of average gross claims and met claims incurred is now limited to 3 years. The 7-year option has been deleted. |
            | CA-4.2.25 | 01/2007 | Clarified that all amounts due under contracts of insurance and reinsurance that have been due for more than 6 months must be valued at nil. |
            | CA-1.2.1 and 1.2.2 | 10/2007 | Minimum Tier 1 capital only applies to Bahraini insurance firms |
            | CA-4.2.25A | 10/2008 | Added a Paragraph to deal with the valuation of unearned reinsurance premiums. |
            | CA-8.4.6A | 10/2008 | Clarified treatment of income generated from the assets forming part of the free loan to the Takaful fund. |
            | CA-8.4.13 | 10/2008 | Introduced Rules for transition period for newly established Takaful funds. |
            | CA-6.1.1 | 04/2009 | Clarified non-application of localisation requirements to unit-linked products. |
            | CA-8.4.8 | 04/2009 | Paragraph 8.4.8 deleted on funding of deficit for Family Takaful funds |
            | CA-1.2.4 | 10/2009 | Paragraph amended to allow for the zillmer adjustment as outlined in Paragraph CA-5.1.24 |
            | CA-3.1 | 10/2009 | Section amended to reemphasize the need for separate accounting funds for different lines of business and different funds. |
            | CA-5.1 | 10/2009 | Various amendments in line with consultation document issued in July 2009. |
            | CA-A.1.4 | 01/2011 | Clarified legal basis |
            | CA-1.3.1 and CA-1.3.1A | 04/2012 | Updated capital requirements for insurance brokers. |
            | CA-1.2.3, CA-1.2.23, CA-4.2.25, CA-8.2, CA-8.3, CA-8.4, CA-8.4A, CA-8.5 | 04/2014 | Various amendments to reflect consultation undertaken on the enhanced operational and solvency framework. Some changes are applicable to all insurance firms and some only applicable to Takaful firms. |
            | CA-1.3.1B | 04/2023 | Added a new Paragraph on minimum capital and liquid funds required for insurance aggregators. |

          • CA-A.2.4

            Guidance on the implementation and transition to Volume 3 (Insurance) is given in Module ES (Executive Summary).

            Amended: January 2007

      • CA-B Scope of Application

        • CA-B.1 Bahraini Insurance Licensees and Overseas Insurance Licensees

          • CA-B.1.1

            This Module applies to both Bahraini insurance licensees and overseas insurance licensees.

          • CA-B.1.2

            While the solvency requirements for Bahraini insurance firms and for overseas insurance firms are identical (as per Chapter CA-2), the calculation of the capital available varies based on the legal structure of the licensee, i.e. whether it is a locally incorporated company or a branch operation.

            Amended: January 2007

          • CA-B.1.3

            Bahraini insurance firms must calculate their capital available based on the shareholder's equity of the licensee (and other allowable elements of regulatory capital, as specified in Chapter CA-1). Overseas insurance firms must calculate their capital available based on their audited net assets, determined in accordance with accounting standards that would be applicable if they were a joint stock company incorporated in Bahrain.

            Amended: January 2007

        • CA-B.2 Single Insurance Entity and Consolidated Insurance Entity

          • Single Insurance Entity (Unconsolidated)

            • CA-B.2.1

              Insurance licensees must apply the requirements of this Module as a single insurance entity, i.e. at the level of the unconsolidated company or branch. Any insurance activities of branches of Bahraini insurance licensees are included in the single insurance entity and are not subject to separate capital and solvency requirements.

              Amended: January 2007

          • Consolidated Insurance Entity

            • CA-B.2.2

              Overall capital and solvency requirements must be calculated for the consolidated Bahrain group (including the Bahrain insurance parent and subsidiaries). Bahraini insurance licensees must in addition apply the requirements of this Module at the consolidated level.

              Amended: January 2007

            • CA-B.2.3

              For purposes of Paragraph CA-B.2.1, where branches and subsidiaries are operating in jurisdictions outside of Bahrain, and are subject to capital requirements in these other jurisdictions that are equivalent or more stringent than the Bahrain requirements, these licensees will be considered to be in compliance with the requirements of this Module.

              Amended: January 2007

            • CA-B.2.4

              In instances where insurance licensees are uncertain as to the equivalency of the capital requirements of other jurisdictions where they operate, they should discuss these requirements with the CBB.

              Amended: January 2007

      • CA-1 Capital Requirements

        • CA-1.1 General Requirements

          • CA-1.1.1

            In accordance with Principle of Business 9, insurance licensees must maintain adequate human, financial and other resources sufficient to run their business in an orderly manner.

          • CA-1.1.2

            In the event that an insurance licensee fails to meet the capital and solvency margin requirements outlined in this Module, it must, on becoming aware that it has breached these Rules, notify the CBB immediately and within 25 calendar days submit a plan to the CBB demonstrating how its capital available will be restored and the timeframe for that restoration to occur.

            Amended: January 2007

          • CA-1.1.3

            Should the insurance licensee fail to meet the requirements of this Module, the CBB may impose enforcement measures outlined in Module EN.

            Amended: January 2007

          • CA-1.1.4

            Unless otherwise indicated, all insurance licensees must implement the requirements of Module CA, effective 31 December 2005 (Refer to ES-2.5.1).

            Amended: January 2007

        • CA-1.2 Calculation of Capital Available for Insurance Firms

          • CA-1.2.1

            A Bahraini insurance firm must maintain sufficient capital to enable it to meet at all times its insurance and other obligations. The minimum Tier 1 capital for Bahraini insurance firms is BD 5 million, except for those firms whose business is limited to reinsurance. Bahraini insurance firms whose business is limited to reinsurance must have minimum Tier 1 capital of BD 10 million. Overseas insurance firms and captive insurers are not subject to a minimum Tier 1 capital but must comply with the Required Solvency Margin and minimum fund, as defined in Chapter CA-2. In addition, all insurance firms must at all times maintain a capital available in excess of the greater of the Required Solvency Margin and the minimum fund, as defined in Chapter CA-2.

            Amended: January 2007
            Amended: October 2007

          • CA-1.2.2

            Bahraini insurance firms licensed prior to 1 April 2005 that do not meet the requirements of Paragraph CA-1.2.1, will be required to meet the requirements for minimum Tier 1 capital by 31 December 2007. In addition, the requirements to maintain a capital available in excess of the greater of the Required Solvency Margin and minimum fund must be met by insurance firms by 31 December 2005. Insurance firms who are in run-off and whose license is restricted from entering into new contracts of insurance as per Paragraph GR-8.1.8, are grandfathered and not required to apply the requirements of Paragraph CA-1.2.1 (refer to ES-2.6.2).

            Amended: January 2007
            Amended: October 2007

          • CA-1.2.3

            An insurance firm must ensure that at all times its capital available does not fall below the minimum fund. In the event that an insurance firm's capital available does fall below the minimum fund, the insurance firm must inject capital and must notify the CBB immediately. Further, the insurance firm must cease to effect any new contracts of insurance, including renewals of existing contracts unless explicitly permitted to do so by the CBB.

            Amended: April 2014
            Amended: October 2007
            Amended: January 2007

          • Limitation on Valuation of Capital Instruments

            • CA-1.2.4

              For the purposes of determining an insurance firm's capital available, no value is attributed to any other instrument or resource of an insurance firm other than those identified in Paragraphs CA-1.2.8, CA-1.2.12 and CA-5.1.24 without the consent in writing of the CBB. Without limiting the generality of this Rule, no value is attributed to any of the following:

              (a) Any implicit items (which relate to future profits, zillmerising and hidden reserves); and
              (b) The unpaid element of any issued shares some or all of which are not 'fully paid' shares.
              Amended: October 2009
              Amended: January 2007

          • Capital Available: Tier 1 and Tier 2

            • CA-1.2.5

              An insurance firm's capital available, for the purposes of this Module, comprises two tiers. Tier 1, or core capital, comprises the highest quality capital elements that fully meet all the essential characteristics of capital. Tier 2, or supplementary capital, comprises other instruments that, to varying degrees, fall short of the quality of Tier 1 capital but nonetheless contribute to the overall financial strength of the insurance firm. Insurance firms may hold Tier 2 capital in excess of the limits in Paragraph CA-1.2.7, but any such excess is not counted as capital available for the purposes of the requirements in this Module.

              Amended: January 2007

            • CA-1.2.6

              The capital available of an insurance firm comprises the sum of its Tier 1 and Tier 2 capital resources, subject to the limits in Paragraph CA-1.2.7.

              Amended: January 2007

            • CA-1.2.7

              Total Tier 2 capital cannot exceed 100% of total Tier 1 capital. Lower Tier 2 capital of the type identified in Paragraph CA-1.2.12 (f), (g) and (h) cannot exceed more than 50% of total Tier 1 capital.

              Amended: January 2007

          • Tier 1 Capital

            • CA-1.2.8

              Tier 1 capital comprises:

              (a) Paid-up ordinary shares (net of treasury shares);
              (b) Share premium reserve;
              (c) Perpetual non-cumulative preference shares;
              (d) All disclosed reserves brought forward, that are audited and approved by the shareholders, in the form of legal, general and other reserves created by appropriations of retained earnings, excluding fair value reserve;
              (e) Unappropriated retained earnings, excluding cumulative unrealised fair value gains, brought forward;
              (f) Audited current year's earnings net of unrealised fair value gains and before taxes; and
              (g) In the case of an overseas insurance firm, the audited net assets (excluding any unrealised fair value gains and the surplus assets of long-term funds), determined in accordance with accounting standards that would be applicable if it were a joint stock company incorporated in Bahrain.
              Amended: January 2007

            • CA-1.2.9

              Tier 1 capital elements included in Subparagraph CA-1.2.8 (a) to (c) can only be so included if:

              (a) It is issued by the insurance firm;
              (b) It is fully paid, and only that portion of the shares for which payment has been received is otherwise included; and
              (c) It:
                  (i) Cannot be redeemed at all or can only be redeemed on a winding up of the insurance firm; or
                  (ii) Is only redeemable at the option of the insurance firm and complies with any conditions applicable to joint stock companies in Bahrain;
              (d) Any coupon is non-cumulative;
              (e) It is able to absorb losses;
              (f) It ranks for repayment upon winding up no higher than a share of a company incorporated under the Joint Stock companies law of Bahrain;
              (g) Coupons on it can only be paid out of accumulated realised profits;
              (h) No coupon is payable at a time when the insurer is in breach of Paragraph CA-1.2.1 and no coupon is payable to the extent that, after paying it, the insurance firm would breach that Rule; and
              (i) The proceeds of issue are immediately and fully available to the insurance firm.
              Amended: January 2007

            • CA-1.2.10

              Tier 1 capital has the following characteristics:

              (a) It is able to absorb losses;
              (b) It is permanent;
              (c) It ranks for repayment upon winding up after all other debts and liabilities; and
              (d) It has no fixed costs, that is, there is no inescapable obligation to pay dividends or interest.
              Amended: January 2007

            • CA-1.2.11

              An insurance firm must not redeem any tier 1 instrument that it has included in its Tier 1 capital resources for the purpose of Chapter CA-1 unless it has notified the CBB of its intention at least one month before it does so.

              Amended: January 2007
              Amended: October 2007

          • Tier 2 Capital

            • CA-1.2.12

              Tier 2 capital includes the following liabilities of an insurance firm, to the extent permissible by Paragraph CA-1.2.7:

              (a) Interim net income, excluding 55% of any unrealised fair value gains arising from investments held to maturity as per IAS 39, reviewed by the external auditors in accordance with International Standards on Auditing (ISA);
              (b) Perpetual cumulative preference shares;
              (c) Mandatory convertible notes and similar capital instruments;
              (d) Perpetual subordinated debt;
              (e) Any other hybrid (debt/equity) capital instruments of a permanent nature;
              (f) Dated subordinated debt with an original term of at least 5 years;
              (g) Limited life redeemable preference shares with an original term of at least 5 years;
              (h) Any other similar limited life capital instruments with an original term of at least 5 years; and
              (i) Investment fair value reserve (IAS 39) on investments held available for sale, discounted to 45%.
              Amended: January 2007

            • CA-1.2.13

              Tier 2 capital includes forms of capital that do not meet the requirements for permanency and absence of fixed servicing costs that apply to Tier 1 capital. Tier 2 capital resources are split into upper and lower tiers, based on the permanency of the instruments. For example:

              (a) Capital which is perpetual (that is, has no fixed term) but cumulative (that is, servicing costs cannot be waived at the issuer's option, although they may be deferred — for example cumulative preference shares) may be included in upper Tier 2 capital; and
              (b) Capital which is dated, i.e. not perpetual (that is, it has a fixed term) and which may also have fixed servicing costs that cannot generally be either waived or deferred, such as subordinated debt, are included in lower Tier 2 capital. Such capital should normally be of a medium to long-term maturity (that is, an original maturity of at least five years).
              Amended: January 2007

            • CA-1.2.14

              Lower Tier 2 capital instruments (ref CA-1.2.12 (f) to (h)), must have a minimum fixed term to maturity in excess of 5 years. During the last 5 years to maturity, a cumulative discount (or amortisation) factor of 20% per year must be applied to reflect the diminishing value of these instruments as a continuing source of strength.

              Amended: January 2007

          • Tier 2: Hybrid Capital Instruments

            • CA-1.2.15

              Hybrid capital instruments are instruments that combine the features of debt and equity in that they are structured like debt, but exhibit some of the loss absorption and funding flexibility features of equity.

            • CA-1.2.16

              A hybrid capital instrument must meet the following conditions before it can be included in an insurance firm's upper Tier 2 capital resources:

              (a) It must meet the general conditions described in Paragraph CA-1.2.17;
              (b) It must have no fixed maturity date;
              (c) The contractual terms of the debt agreement must provide for the insurance firm to have the option to defer any interest payment on the debt; and
              (d) The contractual terms of the debt agreement must provide for the loss-absorption capacity of the debt and unpaid interest, whilst enabling the insurance firm to continue its business.
              Amended: January 2007

            • CA-1.2.17

              A hybrid capital instrument cannot form part of the capital resources of an insurance firm unless it meets the following conditions:

              (a) The claims of the creditors must rank behind those of all unsubordinated creditors;
              (b) No amounts due may be payable:
                  (i) At a time when the insurance firm is in breach of Paragraph CA-1.2.1; or
                  (ii) If the payment would mean that the insurance firm would be in breach of Paragraph CA-1.2.1;
              (c) The only events of default must be non-payment of any amount falling due under the terms of the instrument or the winding-up of the insurance firm;
              (d) The remedies available to the subordinated creditor in the event of non-payment or other breach of the written agreement or instrument must be limited to petitioning for the winding up of the insurance firm or proving the debt in a liquidation of the insurance firm;
              (e) Any events of default and any remedy described in (d) must not prejudice the matters in (a) and (b);
              (f) In addition to the requirements about repayment in (a) and (b), the debt must not become due and payable before its stated final maturity date (if any) except on an event of default complying with (c);
              (g) The debt agreement or terms of the instrument are governed by the laws of Bahrain;
              (h) To the fullest extent permitted under the laws of the relevant jurisdictions, creditors must waive their right to set off amounts they owe the insurance firm against subordinated amounts included in the insurance firm's capital resources owed to them by the insurance firm;
              (i) The terms of the instrument must be set out in a written agreement that contains terms that provide for the conditions set out in (a) to (h);
              (j) The debt must be unsecured and fully paid up; and
              (k) The insurance firm has obtained an external legal opinion stating that the requirements in (a) to (j) have been met.
              Amended: January 2007

            • CA-1.2.18

              Subparagraph CA-1.2.17 (g) does not apply if the insurance firm has obtained an external legal opinion confirming that a degree of subordination has been achieved under the law that governs the debt and the agreement that is equivalent to that which would have been provided under the laws of Bahrain.

              Amended: January 2007

            • CA-1.2.19

              An insurance firm must not amend the terms of the debt and the documents referred to in Subparagraph CA-1.2.17 (i) unless:

              (a) At least one month before the amendment is due to take effect, the insurance firm has given the CBB notice in writing of the proposed amendment; and
              (b) That notice includes confirmation that the legal opinion referred to in Subparagraph CA-1.2.17 (k) continues in full force and effect in relation to the terms of the debt and the documents as proposed to be so amended.
              Amended: January 2007

            • CA-1.2.20

              An insurance firm must notify the CBB of its intention to repay a hybrid capital instrument that is included in its capital resources before its contractual repayment date (if any) at least six months before the date of the proposed repayment, providing details of how it will meet its capital available requirement after such repayment.

              Amended: January 2007

          • Determination of Capital Available

            • CA-1.2.21

              Every insurance firm must determine its capital available in accordance with this Rule:

              Determination of Insurance Firm's Capital Available
                Tier 1 Capital
                Paid-up ordinary shares (net of treasury shares)
                Share premium reserve
                Perpetual non-cumulative preference shares
                All disclosed reserves brought forward, that are audited and approved by the shareholders, in the form of legal, general and other reserves created by appropriations of retained earnings, excluding fair value reserve
                Unappropriated retained earnings, excluding cumulative unrealised fair value gains, brought forward
                Audited current year's earnings net of unrealised fair value gains and before tax expenses
                Overseas Insurance Firms Only: audited net assets, excluding any unrealised fair value gains and surplus assets in long-term funds.
              (A) Total Tier 1 Capital
                Tier 2 Capital — Upper Level
                Interim net income, excluding any unrealised fair value gains, reviewed by the external auditors in accordance with International Standards on Auditing (ISA)
                Perpetual cumulative preference shares
                Mandatory convertible notes and similar capital instruments
                Perpetual subordinated debt
                Other hybrid (debt/equity) capital instruments of a permanent nature
                Investment fair value reserve (IAS 39) and any unrealised fair value gains included in retained earnings, both discounted to 45%.
              (B) Total Tier 2 Capital — Upper Level
                Tier 2 Capital — Lower Level
                Limited life redeemable preference shares with an original term of at least 5 years.
                Dated subordinated debt with an original term of at least 5 years.
                Any other similar limited life capital instruments with an original term of at least 5 years.
              (C) Total Tier 2 Capital — Lower Level: before excess deduction
              (D) Total Tier 2 Capital (B plus C)
              (E) Excess Tier 2 Capital — Lower Level = (C) − [(A) times 50%] (if negative, excess is 0)
              (F) = (D) − (E) Total Tier 2 Capital — Lower Tier adjusted
              (G) Excess Tier 2 Capital = (F) − [(A) times 100%] (if negative, excess is 0)
              (H) = (F) − (G) Total Tier 2 Capital
                Deductions from Capital
                Valuation asset differences
                Inadmissible assets by asset category
                Inadmissible assets in excess of counterparty limits
                Required margins of solvency for branches in other jurisdictions.
                Current year's losses, before any tax expenses
                Dividends paid and declared
                Assets pledged or provided as collateral where there is no offsetting liability.
                Tax expenses
                Other appropriations not included as charges to profit and loss statement (e.g. Directors' remuneration, donations)
                Other
              (I) Total Deductions from Capital
              (A)+(H)−(I) CAPITAL AVAILABLE
              Amended: January 2007

            • CA-1.2.22

              In Paragraph CA-1.2.21, under 'Deductions from Capital' the deductions for:

              (a) Inadmissible assets by asset type; and
              (b) Inadmissible assets in excess of counterparty limits

              only apply to those amounts in respect of assets, other than those assets from linked long-term insurance.

              Amended: January 2007

            • CA-1.2.23

              [This Paragraph was deleted in April 2014.]

              Deleted: April 2014
              Amended: January 2007

        • CA-1.3 Capital Requirements for Insurance Brokers

          • CA-1.3.1

            Bahrain insurance brokers must maintain at all times the greater of:

            (a) A minimum net assets value of BD 50,000;
            (b) 4% of fiduciary liabilities; and
            (c) 4% of annual income from global insurance broking activities.
            Amended: April 2012
            January 2007

          • CA-1.3.1A

            For semi-annual reporting under Form IBRS (see Section BR-1.4A), with regards to Subparagraph CA-1.3.1(c), the calculation of the annual income must be done on a moving average year basis. As an example, for the reporting period ending 30th June 2011, annual income from global insurance broking activities covers the period of 1st July 2010 to 30th June 2011.

            Added: April 2012

          • CA-1.3.1B

            Notwithstanding the requirements in Paragraph CA-1.3.1, Insurance aggregators are required to maintain at all times a minimum net assets value of BD 25,000 and adequate liquid funds representing 25% of operating expenses incurred in the preceding financial year at all times in the form of cash or liquid assets that can be converted to cash in the short-term to cover its operating expenses.

            Added: April 2023

          • CA-1.3.2

            There are no minimum capital and net asset requirements for overseas insurance brokers. However, for overseas insurance brokers, financial statements of the parent company must be submitted to the CBB for review, in order to assess the financial stability of the group on a global basis.

            Amended: January 2007

          • CA-1.3.3

            For purposes of Paragraph CA-1.3.1, global insurance broking activities refers to annual income of a Bahrain incorporated brokerage firm including any income being generated by any of the firm's brokerage subsidiaries and/or branches operating in other jurisdictions.

            Amended: January 2007

          • CA-1.3.4

            In respect of licensees who were carrying out activities that fall within the definition of the regulated activity of insurance broker prior to 1 April 2005, the requirements of Paragraph CA-1.3.1 will apply from 1 January 2007 (refer to ES-2.4.2 for transition rules).

            Amended: January 2007

          • CA-1.3.5

            For the purposes of this section, 'net assets' means the excess of assets over liabilities. The minimum net assets value is to be determined by excluding all intangible assets and in accordance with accounting principles generally accepted in Bahrain.

            Amended: January 2007

          • CA-1.3.6

            The value of debtors taken into account as assets available to support financial requirements must not exceed the amount which the insurance broker expects to receive net of any significant costs associated with making the recovery.

          • CA-1.3.7

            Insurance brokers must make adequate provisions for any debts which are unlikely to be received or recovered from the debtors.

        • CA-1.4 CA-1.4 Capital Requirements for Insurance Consultants and Insurance Managers

          • CA-1.4.1

            Insurance consultants and insurance managers must possess financial resources commensurate with the scale and nature of their insurance consultancy or management activities.

            Amended: January 2007

          • CA-1.4.2

            In determining the adequacy of the financial resources of insurance consultants and insurance managers, the CBB will consider, amongst other things:

            (a) The volume of business undertaken by the licensee;
            (b) The licensee's capacity to meet its financial obligations towards all clients in a timely and professional manner; and
            (c) The licensee's future business plans considering the capital available to meet all obligations and additional sources of capital when and if required.
            Amended: January 2007

          • CA-1.4.3

            There are no minimum capital and net assets requirements applicable to insurance consultants and insurance managers. However, Section AU-2.5 (Licensing Conditions: Financial Resources) requires all licensees to maintain adequate financial resources and to conduct their business in a prudent manner.

      • CA-2 CA-2 Solvency Margin Requirements

        • CA-2.1 CA-2.1 Solvency Margin Requirements

          • CA-2.1.1

            Every Bahraini insurance firm must calculate a required solvency margin in accordance with the requirements in this Chapter. The solvency margin must include the operations of all branches of the insurance firm, whether these undertake operations within Bahrain or in another jurisdiction.

            Amended: January 2007
            Amended: October 2007

          • CA-2.1.2

            Every overseas insurance firm, other than a pure reinsurer, must calculate a 'Bahrain Required Solvency Margin' in accordance with the requirements in this Chapter.

            Amended: October 2007

          • CA-2.1.3

            All overseas insurance firms, including pure reinsurers, must provide an equivalent or substantially equivalent solvency margin calculation, submitted to a supervisor in another jurisdiction for the company as a whole, in accordance with Chapter CA-7. In instances where pure reinsurers are not subject to supervisory requirements in another jurisdiction, they must calculate a Required Solvency Margin in accordance with this Chapter for the company as a whole.

            Amended: January 2007
            Amended: October 2007

          • CA-2.1.4

            For insurance firms licensed prior to 1 April 2005 and allowed to carry on both long-term insurance business and general insurance business (refer to Paragraph AU-1.1.15), the insurance firm must calculate a separate Required Solvency Margin or a Bahrain Required Solvency Margin in respect of the two different types of insurance business and maintain separate solvency margins.

            Amended: January 2007
            Amended: October 2007

          • Minimum Fund

            • CA-2.1.5

              For the purposes of this Module 'minimum fund' means for:

              (a) Category 1 Insurer: BD 300,000;
              (b) Category 2 Insurer: BD 500,000;
              (c) Category 3 Insurer: BD 400,000;
              (d) Category 4 Insurer: The relevant minimum fund for Category 1 or 2 (depending on the type of general business underwritten) PLUS the Category 3 minimum. These amounts are to be maintained separately by the insurance firm;
              (e) Category C1 Insurer: BD 75,000; and
              (f) Category C2 Insurer: BD 300,000.
              Amended: January 2007

            • CA-2.1.6

              For purposes of Paragraph CA-2.1.5, the following definitions apply:

              (a) Category 1 insurer: an insurance firm whose license is limited to any of the following types of insurance: fire; damage to property; and miscellaneous financial loss;
              (b) Category 2 insurer: an insurance firm whose license includes any of the following types of insurance: marine cargo and marine hull; aviation; motor; engineering; liability; and any other general insurance class not specifically mentioned. These may only be in addition to any Category 1 activities;
              (c) Category 3 insurer: an insurance firm whose license includes any of the following types of insurance: life insurance of all types; personal accident whose term is over 1 year; and savings fund accumulation insurance;
              (d) Category 4 insurer: an insurance firm, licensed prior to 1 April 2005 and whose license includes any of the types of insurance specified in Category 3 and in Category 1 or 2, or both;
              (e) Category C1 insurer: an insurance firm whose business is restricted to insuring only the insurance risks (other than liability risk) of its shareholder(s) or those of subsidiary or associated companies of its shareholder(s); and
              (f) Category C2 insurer: an insurance firm whose business is restricted to insuring only the risks of its shareholder(s) or of subsidiary or associated companies of its shareholder(s) and whose business may include liability risks, subject to the CBB being satisfied that the activity, capital structure and management provide sufficient protection to potential third party claimants.
              Amended: January 2007

          • Calculation of Solvency Margin

            • CA-2.1.7

              The Required Solvency Margin to be calculated by an insurance firm subject to any of the requirements in Paragraphs CA-2.1.1 to CA-2.1.4 must be determined:

              (a) As regards long-term insurance business, in accordance with Paragraph CA-2.1.9, and
              (b) As regards general insurance business, in accordance with Paragraph CA-2.1.12.
              Amended: January 2007

            • CA-2.1.8

              The Bahrain Required Solvency Margin for overseas insurance firms must be calculated by applying Paragraph CA-2.1.7, but only to business booked in the Bahrain overseas insurance firm.

              Amended: January 2007

            • CA-2.1.8A

              The Required Solvency Margin for companies whose business is limited to reinsurance, except for reinsurance of linked business, is to be calculated in accordance with Paragraph CA-2.1.12.

              Adopted: January 2007

          • Long-term Insurance Business

            • CA-2.1.9

              For long-term insurance business the solvency margin must be determined by taking the aggregate of the results arrived at by applying the calculations described in Paragraph CA-2.1.10 ('the mathematical reserves basis calculation') and Paragraph CA-2.1.11 ('the capital sum at risk basis calculation'). Where the aggregate falls below the minimum fund, it must be substituted by the amount of the minimum fund.

              Amended: January 2007

            • CA-2.1.10

              The mathematical reserves are defined as the provision made by an insurer to cover liabilities (excluding liabilities which have fallen due) arising under or in connection with long-term insurance business. The mathematical reserves basis calculation for:

              (a) Traditional long-term insurance business must be either 2% of mathematical reserves before deduction for reinsurance cessions or 4% of mathematical reserves after deduction for reinsurance cessions whichever produces the higher result;
              (b) The mathematical reserves basis calculation for linked long-term insurance business where the company bears an investment risk must be as in Subparagraph CA-2.1.10 (a); and
              (c) The mathematical reserves basis calculation for linked long-term insurance business where the company bears no investment risk must be either 0.5% of mathematical reserves before deduction for reinsurance cessions or 1% of mathematical reserves after deduction for reinsurance cessions whichever produces the higher result.

              No negative value can be used as the mathematical reserve under any policy.

              Amended: January 2007

            • CA-2.1.11

              The capital sum at risk is defined as the benefit amounts payable as a consequence of the happening of the contingency covered by the policy contract less the mathematical reserves in respect of the relevant contract. The capital sum at risk calculation is the greater of:

              (a) 0.15% of the capital sum at risk before deduction for reinsurance cessions; or
              (b) 0.30% of the capital sum at risk after deduction for reinsurance cessions.

              In either case no negative value can be used as the capital sum at risk under any policy.

              Amended: January 2007

          • General Insurance Business

            • CA-2.1.12

              For general insurance business, the solvency margin must be determined by taking the higher of the two results arrived at by applying the calculations described in Paragraph CA-2.1.13 ('the premium basis calculation') and Paragraph CA-2.1.14 ('the claim basis calculation'). Where the higher of the two results falls below the minimum fund, it must be substituted by the amount of the minimum fund.

              Amended: January 2007

            • CA-2.1.13

              The premium basis calculation for general insurance business is determined by applying the following formula:

              Gross Premium Written X Reinsurance Allowance X Risk Factor (for each class of business)

              Where:

              Gross Premium Written = Premium written in the financial year (or annualised where the financial year is other than 12 months)

              Reinsurance Allowance (Premium basis) (calculated on total business) = the higher of 0.5 or (Total Net Premium Written / Total Gross Premium Written)

              Risk Factor =

              Class of insurance | Risk Factor (general insurance) | Risk Factor (Category C1 captive) | Risk Factor (Category C2 captive)
              (a) Fire | 15% | 12% | 12%
              (b) Damage to property | 15% | 12% | 12%
              (c) Miscellaneous financial loss | 15% | 12% | 12%
              (d) Marine cargo, marine hull | 20% | 20% | 20%
              (e) Aviation | 20% | 20% | 20%
              (f) Motor | 20% | 20% | 20%
              (g) Engineering | 20% | 20% | 20%
              (h) Liability | 20% | 20% (Category C2) | 20%
              (i) Medical (short term ≤ 1 year) | 20% | 20% | 20%
              (j) Other | 20% | 20% | 20%
              Amended: January 2007

            • CA-2.1.14

              The claim basis calculation for general insurance business is determined by applying the following formula:

              Average Gross Claims Incurred in the reference period X Reinsurance Allowance X Risk Factor (for each class of business)

              Where:

              Average Gross Claims Incurred = Gross Claims Incurred in the reference period (see CA-2.1.15) divided by the number of years covered by the reference period (or annualised where any financial year in the reference period is other than 12 months)

              Reinsurance Allowance (Claim basis) (calculated on total business) = the higher of 0.5 or (Total Average Net Claims Incurred in the reference period / Total Average Gross Claims Incurred in the reference period)

              Risk Factor =

              (a) Fire 20%
              (b) Damage to property 20%
              (c) Miscellaneous financial loss 20%
              (d) Marine cargo, marine hull 25%
              (e) Aviation 25%
              (f) Motor 25%
              (g) Engineering 25%
              (h) Liability 25%
              (i) Medical (short term ≤ 1 year) 25%
              (j) Other 25%
              Amended: January 2007

            • CA-2.1.15

              For the purposes of Paragraph CA-2.1.14 the reference period for all classes of business must be the three most recent financial years up to and including the current financial year. In instances where the insurance firm has been in business for less than three years, the claims basis calculation shall be equal to 0.

      • CA-3 CA-3 Long-Term Insurance Business

        • CA-3.1 CA-3.1 Long-Term Insurance Business

          • CA-3.1.1

            Where an insurance firm carries on long-term insurance business, including traditional long-term insurance business or linked long-term insurance business or both:

            (a) It must maintain a separate account and separate books of accounts in respect of each kind of business and unit fund; and
            (b) The receipts of each kind of business must be entered in the account maintained for that business and must be carried to and form a separate long-term insurance fund with an appropriate name.
            Amended: October 2009
            Amended: October 2007
            Amended: January 2007

          • CA-3.1.1A

            Where the bonus policy of the with-profits business explicitly mentions that the profit (or bonuses) are determined by the performance of the life fund, separate accounting for such funds must be maintained.

            Adopted: October 2009

          • CA-3.1.1B

            The requirement in Paragraph CA-3.1.1A is to ensure that sources of profits arising from with-profits block of business will be distributed according to the agreed profit sharing mechanisms (which may include a proportion to the shareholders) and sources of profits arising purely from non-profits business will be allocated to shareholders.

            Adopted: October 2009

          • CA-3.1.2

            An insurance firm which carries on long-term insurance business or linked long-term insurance business must maintain such accounting and other records as are necessary for identifying:

            (a) The assets representing the fund maintained by it under Paragraph CA-3.1.1 above; and
            (b) The liabilities attributable to each kind of business which it carries on.
            Amended: January 2007

          • CA-3.1.3

            Other than the explicit exceptions included in Paragraphs CA-3.1.4 and CA-3.1.5 of this Module, an insurance firm's long-term insurance business assets must only be applied for the purposes of its long-term insurance business and must not be made available for any other purpose of the insurance firm. This does not however prevent the reimbursement of expenditure borne by other assets (in the same or the preceding financial year) in discharging liabilities wholly or partly attributable to the long-term insurance business.

            Amended: January 2007

          • CA-3.1.4

            Where an actuarial investigation shows that the value of the long-term insurance business assets exceeds the amount of the liabilities attributable to the long-term insurance business, the restriction does not apply to those assets that represent the excess.

            Amended: January 2007

          • CA-3.1.5

            Paragraph CA-3.1.3 above does not prevent an insurance firm from exchanging, at fair market value, long-term insurance business assets for other assets of the insurance firm.

            Amended: January 2007

          • CA-3.1.6

            A long-term insurance firm must not enter into a financial transaction, and must take reasonable steps to ensure that any subsidiary company or associate company does not enter into such a transaction, with any related party where the aggregate of the value of any assets and liabilities arising out of such transactions exceeds 5% of the total amount standing to the credit of the insurer's long-term insurance funds.

            Amended: January 2007

          • CA-3.1.7

            An insurance firm which carries on long-term insurance business in Bahrain must have adequate arrangements for securing that transactions affecting assets of the insurance firm (other than transactions outside of its control) do not operate unfairly between the long-term insurance fund or funds and the other assets of the insurance firm or, in a case where the insurance firm has more than one 'identified fund', between those funds.

            Amended: January 2007

          • CA-3.1.8

            An identified fund means assets representing the insurance firm's receipts from a particular part of its long-term insurance business that can be identified as such by virtue of accounting or other records maintained by the insurance firm.

            Amended: January 2007

          • CA-3.1.9

            Where the CBB imposes a financial penalty on an insurance firm or requires an insurance firm to compensate policyholders for any wrongful act of the insurance firm (including any wrongful act committed by an appointed representative of the insurance firm) it must not pay that compensation or financial penalty from any long-term insurance fund. Such penalties can only be paid out of the shareholder (or company) fund.

            Amended: January 2007

      • CA-4 CA-4 Valuation and Admissibility of Assets

        • CA-4.1 CA-4.1 General Requirements

          • CA-4.1.1

            The Asset Valuation Rules, being the Linked Asset Valuation Rules and/or General Asset Valuation Rules, as appropriate, relate to the determination of the value of all the assets of an insurance firm subject to this Chapter.

            Amended: January 2007

          • CA-4.1.2

            Assets not covered in this Chapter are deemed to be inadmissible assets for purposes of calculating the capital available required under Paragraph CA-1.2.21 and their admissible value is deemed to be nil.

            Amended: January 2007

          • CA-4.1.3

            Where an insurance firm has entered into any insurance contracts that are classified as a linked long term insurance business the value of the linked assets to the extent that they are held to match liabilities in respect of such business must be determined in accordance with the Linked Asset Valuation Rules (Paragraphs CA-4.3.1 to CA-4.3.4).

            Amended: January 2007

          • CA-4.1.4

            All other assets of an insurer subject to this Chapter must be valued in accordance with the General Asset Valuation Rules (Paragraphs CA-4.2.1 to CA-4.2.36).

            Amended: January 2007

          • CA-4.1.5

            Where in all the circumstances of the case, any asset is actually of a lesser value than the amount calculated in accordance with prescribed Rules (that is either assets subject to the General Asset Valuation Rules or the Linked Asset Valuation Rules) such lesser value must be taken to be the value of the asset.

            Amended: January 2007

          • CA-4.1.6

            The admissibility of assets for purposes of the General Asset Valuation Rules is determined based on the category of asset held and the counterparty.

            Amended: January 2007

          • CA-4.1.7

            An insurance firm must ensure that its liabilities under a contract of insurance, other than linked long-term business, are covered by assets of appropriate safety, yield and marketability having regard to the classes of business carried on by the insurance firm.

            Amended: January 2007

          • CA-4.1.8

            Without prejudice to Paragraph CA-4.1.7, an insurance firm must ensure that:

            (a) Excessive reliance is not placed on reinsurance or any particular reinsurer; and
            (b) That its investments are appropriately diversified, adequately spread and that excessive reliance is not placed on investments of any particular category, description, type or counterparty.
            Amended: January 2007

        • CA-4.2 CA-4.2 General Asset Valuation Rules

          • Asset Limits per Category of Assets

            • Investments in Non-Insurance Subsidiaries and Associates

              • CA-4.2.1

                Investments in subsidiaries and associates that are not carrying out regulated insurance services as defined in Chapter AU-1.4, must be valued at an amount not exceeding the insurance firm's proportionate share of the subsidiary's or associate's net asset value, determined as if that subsidiary or associate applied these Rules in determining its net asset value.

                Amended: January 2007

              • CA-4.2.2

                The net asset value determined in Paragraph CA-4.2.1 must be reduced for any amounts that cannot be made available to the insurance firm in the ordinary course of business. This includes but is not limited to:

                (a) Required solvency margins, base capital requirements or any other amounts required to be maintained in order to comply with regulatory requirements applicable to the subsidiary or associate in Bahrain or any other jurisdiction. This restriction applies to any subsidiary or associate (including banks and investment firms) subject to regulation in any jurisdiction;
                (b) Assets subject to currency control restrictions; and
                (c) Surplus assets in long-term insurance funds, as these assets belong to the long term policyholders.
                Amended: January 2007

              • CA-4.2.3

                Where a subsidiary or associate carries on a regulated activity either in Bahrain or any other jurisdiction, an insurance firm may, with the consent of the CBB, determine the net asset value of that subsidiary or associate (as specified in Paragraph CA-4.2.1) in accordance with the Rules applicable in the jurisdiction where that subsidiary or associate has both its head office and principal supervisor.

                Amended: January 2007

              • CA-4.2.4

                In determining the net asset value of a subsidiary or associate (as specified in Paragraph CA-4.2.1) where that subsidiary or associate is not carrying out regulated insurance services, if the value of any single asset under Paragraph CA-4.2.1 exceeds 5% of the insurance business amount, the admissible value of the said asset for the purpose of this Paragraph must be restricted to 5% of the insurance business amount.

                Amended: January 2007

            • Real Estate Assets

              • CA-4.2.5

                Real estate assets such as land and buildings must be valued at market value as assessed by an independent qualified valuer at a date no earlier than 3 years from the end of the financial year under consideration. An insurance firm may elect to use book value where that value is less than market value; however, where no proper valuation exists, the value is deemed by this Module to be nil.

                Amended: January 2007

              • CA-4.2.6

                If the value of any single asset under Paragraph CA-4.2.5 exceeds 10% of the insurance business amount, the admissible value of the said asset for the purpose of this Paragraph must be restricted to 10% of the insurance business amount.

              • CA-4.2.7

                The 10% admissibility test of Paragraph CA-4.2.6 is to be applied in total to both land and building, in instances where the realisable value of the asset is dependent on both the land and the building.

            • Debt Securities

              • CA-4.2.8

                Debt securities (both fixed and variable interest securities) issued by, or guaranteed by, governments rated investment grade, or public authority with investment grade security must be valued at:

                (a) In the case of listed securities, the closing market quotation or the latest available market quotation;
                (b) In the case of securities which are not transferable, the amount payable on surrender or redemption of such securities as at the date the security is being valued; and
                (c) In any other case, the amount which would reasonably be paid by way of consideration for an immediate transfer or assignment thereof.
                Amended: January 2007

              • CA-4.2.9

                There are no admissibility restrictions for fixed and variable interest securities meeting the requirements of Paragraph CA-4.2.8. However, admissibility restrictions pertaining to counterparties may apply (CA-4.2.33).

                Amended: January 2007

              • CA-4.2.10

                Debt securities (both fixed and variable interest securities) not covered by Paragraph CA-4.2.8 must be valued at:

                (a) In the case of listed securities, the closing market quotation;
                (b) In the case of securities which are not transferable, the amount payable on surrender or redemption of such securities as at the date the security is being valued; and
                (c) In any other case, the amount which would reasonably be paid by way of consideration for an immediate transfer or assignment thereof.
                Amended: January 2007

              • CA-4.2.11

                If the value of debt securities, other than those to which Paragraph CA-4.2.8 relates, (both fixed and variable interest securities), which are listed securities, in any one company together with its associated companies exceeds 5% of the insurance business amount, the admissible value of the said assets for the purpose of this Chapter must be restricted to 5% of the insurance business amount.

                Amended: January 2007

              • CA-4.2.12

                For debt securities (both fixed and variable interest) which are not listed securities, if the value of those securities in any one company together with its associated companies exceeds 1.0% of the insurance business amount the admissible value of the said assets for the purpose of this Chapter must be restricted to 1.0% of the insurance business amount.

                Amended: January 2007

            • Equity Shares

              • CA-4.2.13

                Equity shares that are listed securities must be valued on the closing market quotation or the latest available market quotation.

                Amended: January 2007

              • CA-4.2.14

                If the value of equity shares, that are listed securities, in any one company together with its associated companies exceeds 5% of the insurance business amount the admissible value of the said assets for the purpose of this Chapter must be restricted to 5% of the insurance business amount.

                Amended: January 2007

              • CA-4.2.15

                Equity shares that are not listed securities must be valued at the lower of:

                (a) The carrying value of these shares on the books of the insurance firm;
                (b) 75% of the net asset value for each share owned by the insurance firm (based on the most recently available financial information); and
                (c) The amount which would reasonably be paid by way of consideration for an immediate transfer or assignment of the investment.
                Amended: January 2007

              • CA-4.2.16

                If the value of equity shares, that are not listed securities, in any one company together with its associated companies exceeds 1.0% of the insurance business amount, the admissible value of the said assets for the purpose of this Chapter must be restricted to 1.0% of the insurance business amount.

                Amended: January 2007

            • Unit Trust or Mutual Funds

              • CA-4.2.17

                Where the issuer can be required to purchase the units or other beneficial interests from the holder upon the holder giving notice of one month or less and the value of the holdings or other beneficial interests in any one unit trust or mutual fund exceeds 5.0% of the insurance business amount, the admissible value of the said assets for the purpose of this Chapter must be restricted to 5.0% of the insurance business amount.

                Amended: January 2007

              • CA-4.2.18

                Where the issuer is not required to purchase the units or other beneficial interests from the holder upon the holder giving notice of one month or less and the value of the holdings or other beneficial interests in any one unit trust or mutual fund exceeds 1.0% of the insurance business amount, the admissible value of the said assets for the purpose of this Chapter must be restricted to 1.0% of the insurance business amount.

                Amended: January 2007

            • Traded Derivative Contract

              • CA-4.2.19

                A traded derivative contract that is a listed security, for a share or a debenture must be valued at the closing market quotation, and otherwise at the amount which would reasonably be paid by way of consideration for an immediate transfer or assignment thereof. If the value of the contracts in any one company or its connected companies exceeds 0.1% of the insurance business amount, the admissible value of the said assets for the purpose of this Chapter must be restricted to 0.1% of the insurance business amount.

                Amended: January 2007

            • Loan

              • CA-4.2.20

                A loan secured by a policy of insurance issued by the company must be valued as the amount of the loan but not exceeding the amount payable on a surrender of the policy as at the date the policy is being valued.

              • CA-4.2.21

                A loan to an individual or an unincorporated body of persons shall be valued at the lower of the outstanding amount of the loan and the amount that would reasonably be paid by way of consideration for an immediate assignment of the loan together with the benefit of any security held in respect thereof.

              • CA-4.2.22

                Where Paragraph CA-4.2.21 applies and the loan to any one individual or unincorporated body of persons is fully secured on assets whose value at least equals the amount of the loan and the loan exceeds 5% of the insurance business amount, the admissible value of the secured loan for the purpose of this Chapter must be restricted to 5% of the insurance business amount.

              • CA-4.2.23

                Where Paragraph CA-4.2.21 applies and the loan to any one individual or unincorporated body of persons is not fully secured on assets whose value at least equals the amount of the loan and the loan exceeds 1% of the insurance business amount, the admissible value of the unsecured loan for the purpose of this Chapter must be restricted to 1% of the insurance business amount.

            • Other Assets

              • CA-4.2.24

                Deposits and current account balances with approved financial institutions must be valued at their full face value. The admissible value of these assets is their face value.

              • CA-4.2.25

                Amounts due under contracts of insurance and reinsurance (either ceded or accepted), including salvage and subrogation rights, must be valued at the amounts that can reasonably be expected to be recovered. The exceptions are:

                (a) All debts (net of provisions) which have been due for more than 6 months, in which case they must be valued at nil;
                (b) Advance commission paid to intermediaries which must be valued at nil; and
                (c) Amounts that pertain to a subsidiary or associate of the insurance firm must be valued in accordance with Paragraph CA-4.2.4 above.
                Amended: April 2014
                Amended: October 2007
                Amended: January 2007

              • CA-4.2.25A

                The value of unearned reinsurance premiums is the value as determined in accordance with generally accepted accounting concepts, bases and policies or other generally accepted methods appropriate to insurance firms.

                Inserted: October 2008

              • CA-4.2.26

                In the case of general insurance business, the value of deferred acquisition costs is the value as determined in accordance with generally accepted accounting concepts, bases and policies or other generally accepted methods appropriate to insurance firms.

                Amended: January 2007

              • CA-4.2.27

                The admissible value of any cash holding is its face value.

              • CA-4.2.28

                Office machinery, furniture, motor vehicles, computer and other equipment belonging to the company must be valued at an amount not greater than its book value. If the value of office machinery, furniture, motor vehicles, computer and other equipment exceeds 3% of the insurance business amount, the admissible value of the said assets for the purpose of this Chapter must be restricted to 3% of the insurance business amount.

                Amended: January 2007

              • CA-4.2.29

                Life interests, reversionary interests and similar interests in property must be valued as the amount which would reasonably be paid by way of consideration for an immediate transfer or assignment thereof.

              • CA-4.2.30

                Investments, except investments that are specifically covered above, must be valued in accordance with this Paragraph:

                (a) If the investment is due, or will become due, within twelve months from the date at which the investment is being valued (or would become so due if the company exercised some right), the amount which can reasonably be expected to be recovered in respect of the investment, taking due account of any security held in respect thereof;
                (b) Otherwise, the amount that would reasonably be paid by way of consideration for an immediate assignment of the debt together with the benefit of any security held in respect thereof.
                Amended: January 2007

              • CA-4.2.31

                Where Paragraph CA-4.2.30 applies to an investment in any one individual or unincorporated body of persons and the aggregate value of those investments (for that individual or unincorporated body of persons valued in accordance with Paragraph CA-4.2.30) exceeds 1% of the insurance business amount, the admissible value of those investments for the purpose of this Chapter must be restricted to 1% of the insurance business amount.

                Amended: January 2007

              • CA-4.2.32

                Where Paragraph CA-4.2.30 applies to an investment in any one company and the aggregate value of those investments (for that company valued in accordance with Paragraph CA-4.2.30) exceeds 2.5% of the insurance business amount, the admissible value of those investments for the purpose of this Chapter must be restricted to 2.5% of the insurance business amount.

                Amended: January 2007

            • Counterparty Exposure Limits

              • CA-4.2.33

                The admissible value for counterparty exposure limit is:

                (a) Where the counterparty is an individual or an unincorporated body of persons, 5% of the insurance business amount;
                (b) Where the counterparty is a government of a jurisdiction, other than a Zone A Country, GCC country, the Kingdom of Bahrain and any other jurisdiction approved by the CBB, the jurisdiction together with all the public bodies, local authorities or nationalised industries of that jurisdiction, 10% of the insurance business amount;
                (c) Where the counterparty is a body corporate or group, and:
                (i) The counterparty is an approved financial institution, 25% of the insurance business amount or BD 1.5 million, whichever is the larger for all exposures including short term (3 months or less) deposits;
                (ii) The counterparty is an approved financial institution, 10% of the insurance business amount or such lower amount as the insurance firm may decide for all exposures other than short term deposits; and
                (iii) The counterparty is not an approved financial institution, 10% of the insurance business amount for all exposures to that counterparty.
                Amended: April 2012
                Amended: January 2007

              • CA-4.2.34

                For the purposes of Section CA-4.2, 'insurance business amount' means 'general insurance business amount' or 'long-term insurance business amount' as follows:

                (a) In terms of general insurance business, the general insurance business amount is the value of the insurance firm's assets (other than long-term insurance business assets) and excluding reinsurance recoveries as determined in accordance with Chapter CA-4; and
                (b) In terms of long-term insurance business, the long-term insurance business amount is the value of the insurance firm's assets (other than those relating to general insurance business) and excluding reinsurance recoveries and assets required to match property-linked liabilities in accordance with Chapter CA-4.
                Amended: January 2007

              • CA-4.2.35

                For purposes of Paragraph CA-4.2.34, the value of an insurance firm's assets refers to the valuation assigned in this section, but does not refer to the admissible value of these assets, i.e. after adjusting for category limits and counterparty limits.

                Amended: January 2007
                Amended: October 2007

        • CA-4.3 CA-4.3 Linked Asset Valuation Rules

          • CA-4.3.1

            Assets to the extent that they are held to match liabilities in respect of linked long-term insurance must comprise no other types of property of any description other than property meeting the descriptions set out in Paragraph CA-4.3.2 of this Module.

            Amended: January 2007

          • CA-4.3.2

            Assets used to match linked long-term insurance liabilities must fall in one of the following categories:

            (a) Real estate assets such as land and buildings (including any interest in land and buildings) each piece individually not exceeding 5% of linked long-term assets and 20% in aggregate;
            (b) Listed securities which are readily realisable, other than securities which are:

            (i) Loans or deposits of the kinds mentioned in (c) or (d); and
            (ii) Derivative contracts;
            (c) Loans which are fully secured by mortgage or charge on land (or any interest in land) each loan individually not exceeding 5% of linked long-term assets and 20% in aggregate and in relation to which the rate of interest and the due dates for the payment of interest and the repayment of principal can be fully ascertained from the terms of any agreement relating to the loan;
            (d) Loans to or deposits with an approved financial institution;
            (e) Holdings or other beneficial interests in unit trusts or mutual/managed funds which satisfy the following conditions:

            (i) The property of the fund comprises property only consisting of the descriptions in this section;
            (ii) The units are readily realisable at a price which represents the net value per unit of the assets and liabilities of the fund; and
            (iii) The price at which the units may be bought and sold is published regularly;
            (f) Cash; and
            (g) Income due, or to become due, in respect of property of any of the descriptions in this section.
            Amended: April 2012
            Amended: January 2007

          • CA-4.3.3

            All of the property described in Paragraph CA-4.3.2 must either be classified as 'Available for sale investments' and valued in accordance with International Accounting Standards or valued at their fair market value.

            Amended: January 2007

          • CA-4.3.4

            The fair market value of real estate assets held as linked long-term insurance assets must be the market value as assessed by an independent qualified valuer at a date no earlier than 12 months from the end of the most recent financial year.

            Amended: January 2007

      • CA-5 CA-5 Valuation of Liabilities

        • CA-5.1 CA-5.1 Valuation of Liabilities

          • CA-5.1.1

            The Valuation of Liabilities Rules apply with respect to the determination of the amount of liabilities of an insurance firm.

            Amended: January 2007

          • CA-5.1.2

            Subject to the specific provisions of this Chapter, the amount of liabilities of an insurance firm in respect of its long-term insurance business, general insurance business and any other activities directly arising from that business must be determined in accordance with generally accepted accounting and actuarial concepts, using generally accepted methods appropriate for insurance firms.

            Amended: January 2007

          • CA-5.1.2A

            Where an insurance licensee writes long term insurance with guaranteed level premiums, the reserving and solvency requirements must follow the requirements for long term insurance. However, where a life policy or an extension of a life policy has a policy term of less than or equal to one year, the valuation of these liabilities should follow the requirements of Paragraph CA-5.1.3 to CA-5.1.10.

            Adopted: October 2009

          • General Insurance Business

            • CA-5.1.3

              The amount of insurance liabilities that are general insurance business liabilities must be determined in accordance with International Accounting Standards applicable to insurance business or until such a standard or standards come into effect, with the provisions of Paragraphs CA-5.1.4 to CA-5.1.10.

              Amended: January 2007

            • CA-5.1.4

              Unearned premiums and unearned commission income in respect of the general insurance business must be calculated by a method which has due regard to the period of the policy and the incidence of risk throughout that period. Time apportionment of the premium over the period of policy cover is normally appropriate unless there is a marked unevenness in the incidence of risk over that period, in which case a basis which reflects the profile of risk must be used.

              Amended: January 2007

            • CA-5.1.5

              Where a time apportionment method is used that method must be at least as accurate as the '24ths basis' of premium income recognition, except for reinsurers for which transactions are only recorded every quarter where the method used must be at least as appropriate as the 1/8th basis. Where a time apportionment method is deemed inappropriate due to uncertainty in the period of insurance, such as for marine cargo, the method used must be disclosed in the actuarial report required as per Chapter AA-4.

              Amended: October 2009

            • CA-5.1.6

              Unearned reinsurance premiums ceded must be calculated on the basis of the principles specified in Paragraphs CA-5.1.4 and CA-5.1.5.

            • CA-5.1.7

              Unexpired risk reserves (URR) should be calculated as the prospective estimate of expected future payments arising from future events insured under policies in force as at the valuation date and also include allowance for the insurance firm's expenses, including overheads and cost of reinsurance, expected to be incurred during the unexpired period in administering these policies and settling the relevant claims, and must allow for any expected future premium refund. Where the unearned premium less unearned commission calculated in Paragraphs CA-5.1.4 to CA-5.1.6 above is less than the unexpired risk reserves, the company must set up a suitable additional provision for unexpired risks to cover this deficiency (premium deficiency). This premium deficiency provision must be calculated at a prudent level.

              Amended: October 2009
              Amended: January 2007

            • CA-5.1.7A

              In calculating the URR as required under Paragraph CA-5.1.7, the actuary's report must clearly disclose if the URR has been calculated on an individual class basis or on a total company basis and must justify the approach taken in the adopted method.

              Adopted: October 2009

            • CA-5.1.8

              Provision must be made for the expected ultimate cost of settlement of all claims incurred in respect of events up to that date, whether reported or not, together with related claims handling expenses, less amounts already paid. This provision should be calculated at a prudent level. This should include a provision for claims reported, claims incurred but not reported (IBNR), claims incurred but not enough reserved (IBNER) and direct and indirect claims handling expenses such as investigation fees, loss adjustment fees, legal fees, labour charges and the expected internal costs that the insurer expects to incur when settling these claims. If a liability is known to exist but there is uncertainty as to its eventual amount, a provision should nevertheless be made.

              Amended: October 2009
              Amended: January 2007

            • CA-5.1.8A

              The IBNR includes the IBNER. The distinction between IBNR and IBNER is made for a consistent approach to matching of income and expenses.

              Adopted: October 2009

            • CA-5.1.9

              The level of claims provisions must be set such that:

              (a) No adverse run-off deviation is envisaged;
              (b) The provision is determined having regard to the range of uncertainty as to the eventual outcome for the category of business in question; and
              (c) In circumstances where there exists considerable uncertainty concerning future events, a degree of caution is exercised such that liabilities are not understated.
              (d) If it is less than the aggregate case-by-case provision for claims reported set up by the claims manager, the insurance firm must disclose in writing to the CBB the justification for such a release of reserves.
              Amended: October 2009
              Amended: January 2007

            • CA-5.1.10

              In determining the sufficiency of evidence and the ability to measure claims costs, an insurance firm must take all reasonable steps to ensure that it has appropriate information with regard to its claims exposures.

          • Long-term Insurance Business

            • CA-5.1.11

              The amount of insurance liabilities which are long-term insurance business liabilities must be determined in accordance with International Accounting Standards applicable to insurance business or until such a standard or standards come into effect, with the provisions of Paragraphs CA-5.1.12 to CA-5.1.33 below.

              Amended: January 2007

            • CA-5.1.12

              The determination of the amount of long-term liabilities (other than liabilities which have fallen due for payment before the valuation date) must be made on actuarial principles with due regard to the reasonable expectations of policyholders and must make proper provision for all liabilities on prudent assumptions with appropriate margins for adverse deviation of the relevant factors.

              Amended: January 2007

            • CA-5.1.13

              The determination must take account of all prospective liabilities as determined by the policy conditions for each existing contract, taking due credit for premiums payable after the valuation date.

            • CA-5.1.14

              The determination must take into account all guarantees including but not limited to:

              (a) Guaranteed benefits;
              (b) Guaranteed surrender values;
              (c) Guaranteed annuities or annuity options; and
              (d) Any other guarantees, commitments or options however described that the insurance firm has contracted to provide to a policyholder.
              Amended: January 2007

            • CA-5.1.15

              The determination must take into account all bonuses contractually added to each policy.

            • CA-5.1.16

              The determination must take into account expenses including commission.

            • CA-5.1.17

              Subject to Paragraphs CA-5.1.18, CA-5.1.19 and CA-5.1.20, the amount of the long-term liabilities must be determined separately for each contract by a prospective calculation.

            • CA-5.1.18

              A retrospective calculation may be applied to determine the liabilities where a prospective method cannot be applied to a particular type of contract or benefit.

            • CA-5.1.19

              Where necessary, additional amounts must be set aside on an aggregated basis for general risks that are not individualised.

            • CA-5.1.20

              The method of calculation of the amount of liabilities and the assumptions used must not be subject to discontinuities from year to year arising from arbitrary changes and must be such as to recognise the distribution of profits in an appropriate way over the duration of each policy.

            • CA-5.1.21

              The distribution of surplus as bonus to participating policies must consider the level of premiums under these contracts, the assets held in respect of these contracts and the custom and practice of the company in the manner and timing of the distribution of profits.

            • CA-5.1.22

              The liability under a contract (other than a linked long-term contract) must be calculated using the net premium valuation method using rates of interest and rates of mortality or morbidity considered appropriate by the actuary appointed as per the requirements of Paragraph AA-4.1.1, at a prudent level.

              Amended: October 2009
              Amended: October 2007
              Amended: January 2007

            • CA-5.1.22A

              The value of unit liabilities and non-unit liabilities must be calculated separately for a unit-linked policy. The value of unit liabilities is taken as the net asset value of the units at the valuation date. Non-unit liabilities must be valued by projecting future cash flows to ensure that all future outgoes can be met without recourse to additional capital support at any future time during the duration of the unit-linked contracts at a prudent level.

              Adopted: October 2009

            • CA-5.1.23

              Other suitable alternative methods may be employed where it can be demonstrated that the alternative methods employed result in reserves no less, in aggregate, than would result from the net premium valuation method.

            • CA-5.1.24

              In order to take account of the acquisition expenses, the net premium to be valued for the purpose of Paragraph CA-5.1.22 above may be increased by an amount not greater than the equivalent, taken over the whole period of premium payments and calculated according to the rates of interest and rate of mortality and morbidity employed in valuing the contract, of 3.5 percent of the relevant capital sum under the contract.

              Amended: January 2007

            • CA-5.1.25

              The increased net premium as computed in Paragraph CA-5.1.24 must not exceed the premium actually payable by the policyholder under the contract.

              Amended: January 2007

            • CA-5.1.26

              For the purposes of Paragraph CA-5.1.24 'relevant capital sum' means:

              (a) The sum assured at the date of valuation for whole life assurances;
              (b) The sum payable at the end of the contract term for endowment assurance contracts;
              (c) The capitalised value of the annuity at the vesting date (or cash option if greater) for deferred annuities;
              (d) The sum assured or the value of the fund for linked long-term contracts whichever is less notwithstanding (a) to (c) above, where the value of the fund means the aggregate of the value allocated to the contract in the form of units or any other measure and the total amount of premiums remaining to be paid over the term of the contract.

              excluding in all cases any vested reversionary bonus and any capital sums for temporary assurances.

              Amended: January 2007

            • CA-5.1.27

              The rate of interest employed for the valuation must be determined prudently with due regard to the yield on the existing assets attributable to the life business as well as the yields expected to be obtained on sums to be invested in the future.

            • CA-5.1.28

              The amount of the liability in respect of any category of contracts must, where relevant, be determined on the basis of prudent rates of mortality and morbidity which in the opinion of the actuary are appropriate for that category.

              Amended: January 2007
              Amended: October 2007

            • CA-5.1.29

              Provision of expenses whether implicit or explicit must not be less than the amount required, on prudent assumptions, to meet the total cost that would be incurred in fulfilling the existing contracts if the company were to cease to transact new business twelve months from the valuation date. This provision must consider the company's actual expenses in the last twelve months before the valuation date and the expected level of inflation on future expenses.

            • CA-5.1.30

              Provision must be made on prudent assumptions to cover any increase in liabilities caused by policyholders exercising options under their contracts including options for guaranteed cash payments.

              Amended: January 2007

            • CA-5.1.31

              The liability under a contract for life business must not be less than zero.

            • CA-5.1.32

              No allowance must be made in the valuation for the voluntary discontinuance of any contract if the amount of liability so determined is less than the corresponding amount without the allowance for voluntary discontinuance.

            • CA-5.1.33

              The determination of the amount of long-term liabilities must take into account the nature and term of the assets representing those liabilities and the value placed upon them and must include prudent provision against the effects of possible future changes in the value of the assets on:

              (a) The ability of the company to meet its obligations arising under contracts for long-term business as they arise, and
              (b) The adequacy of the assets to meet the liabilities as determined by this Chapter.
              Amended: January 2007

            • CA-5.1.34

              For a life policy or an extension to a life policy with a policy term of less than or equal to one year, the valuation of these liabilities must follow Paragraphs CA-5.1.3 to CA-5.1.10.

              Adopted: October 2009

      • CA-6 CA-6 Currency Matching and Localisation Requirements

        • CA-6.1 CA-6.1 Currency Matching and Localisation Requirements

          • CA-6.1.1

            The provisions of this Chapter do not apply to:

            (a) Insurance business carried on by an insurance firm outside Bahrain;
            (b) Reinsurance business (unless it is facultative reinsurance written by an insurer who also carries on insurance business that is not reinsurance business); or
            (c) Unit-linked business.
            Amended: January 2007
            Amended: April 2009

          • CA-6.1.2

            Where an insurance firm's 'liabilities' in any particular currency exceed 10% of its total 'liabilities', the insurance firm must hold sufficient 'assets in that currency' to cover at least 80% of its 'liabilities' in that currency.

          • CA-6.1.3

            For the purposes of Paragraph CA-6.1.2 'assets in that currency' is extended to include the currency itself (Currency A) and any other currency (Currency B) where Currency A is officially linked to Currency B.

            Amended: January 2007

          • CA-6.1.4

            Where an insurance firm carries on both long term insurance business and general insurance business, the requirements of Paragraph CA-6.1.1 apply to the 'assets' and 'liabilities' of each kind of business separately.

            Amended: January 2007

          • CA-6.1.5

            Where a contract of insurance expresses any 'liability' in terms of a particular currency, that 'liability' must be regarded as a 'liability' in that currency.

          • CA-6.1.6

            For the purposes of the Rules in this Chapter:

            (a) Assets means admissible assets valued in accordance with Chapter CA-4 General Assets Valuation Rules;
            (b) Liabilities means provision, net of reinsurance recoveries, made by an insurance firm to cover liabilities arising under (or in connection with) contracts of insurance, excluding those liabilities exempted by Paragraph CA-6.1.1;
            (c) References to assets in a currency (or similar expressions) are construed as references to 'assets' expressed in or capable of being realised (without exchange risk) in that currency; and
            (d) An 'asset' is capable of being realised (without exchange risk) in a currency if it is reasonably capable of being realised in that currency without risk that changes in exchange rates would reduce the cover of 'liabilities' in that currency.
            Amended: January 2007
            Amended: October 2007

          • CA-6.1.7

            The currency of an insurance firm's general insurance business liabilities must, for the purposes of Paragraph CA-6.1.2 be determined as follows:

            (a) Where the 'liabilities' are not expressed as 'liabilities' in terms of a particular currency, they must be treated as 'liabilities' in the currency of the country in which the risk is situated or, if the insurance firm on reasonable grounds so decides, in the currency in which the premium payable under the contract is expressed;
            (b) Where a claim has been notified to an insurance firm and the insurance firm's 'liability' in respect of that claim is payable in a currency other than one which would result from the application of the above provisions, the insurance firm must regard its 'liability' as a 'liability' in the currency in which the insurance firm is actually obliged to pay it;
            (c) Where a claim is assessed in a currency that is known to the insurance firm in advance but which is different from a currency that would result from the application of the above provisions, the insurance firm may regard its 'liability' as a 'liability' in that currency.
            Amended: January 2007

          • CA-6.1.8

            'Assets' held pursuant to Paragraph CA-6.1.2 above must be held:

            (a) If they cover 'liabilities' in Bahrain Dinars, in Bahrain;
            (b) If they cover 'liabilities' in any other currency, in Bahrain or in the country of that currency, unless they cover liabilities in Bahrain in which case they must be held in Bahrain.
            Amended: January 2007

      • CA-7 CA-7 Whole Firm and Group Solvency

        • CA-7.1 CA-7.1 Whole Firm and Group Solvency

          • CA-7.1.1

            In addition to the capital adequacy and solvency requirements imposed on Bahraini insurance firms and overseas insurance firms, the CBB may require whole firm and/or group solvency information. The requirements under this Chapter apply to the following categories:

            (a) Overseas insurance firms;
            (b) Bahraini insurance firms with subsidiaries and branches, operating within Bahrain and/or in other jurisdictions; and
            (c) Bahraini insurance firms that are subsidiaries and whose parent companies may or may not be an insurance firm.
            Amended: January 2007

          • CA-7.1.2

            Captive insurers are exempted from the requirements to report on their group solvency position.

            Amended: January 2007

          • CA-7.1.3

            As part of the requirements of the Group Insurance Firm Return (Form GIFR) referred to in Section BR-1.3, the CBB may require an insurance firm to provide:

            (a) A statement of the consolidated financial position of any group of which the insurance firm is either the holding company, a subsidiary or a branch of that group; and
            (b) A statement of the solvency margin that would be determined by this Module if the group identified in part (a) of this Rule were a Bahrain authorised insurance firm.
            Amended: January 2007

          • CA-7.1.4

            In considering the application of Paragraph CA-7.1.3, the CBB will take into account where the balance of the insurance business is undertaken. Where a high level of the business undertaken by the group is done from Bahrain, the requirements of CA-7.1.3 may apply.

            Amended: January 2007

          • CA-7.1.5

            The consolidated financial position referred to in Paragraph CA-7.1.3 must be determined on the basis that the assets and liabilities of that group are valued in accordance with the requirements of this Module.

          • CA-7.1.6

            An insurance licensee subject to the requirements of Paragraph CA-7.1.3 may, with the consent of the CBB, provide equivalent or substantially equivalent solvency margin information submitted to a supervisor in another jurisdiction.

            Amended: January 2007

          • CA-7.1.7

            In addition to consolidated information on the group, for Bahraini insurance firms, aggregate information detailing the solvency requirements of the major insurance subsidiaries in the group must also be submitted to the CBB as part of the Group Insurance Firm Return.

            Amended: January 2007

          • CA-7.1.8

            Where the licensee's group or parent reports its own solvency position to its regulatory authority (on a group or 'solo' basis) a copy of this calculation must be provided to the CBB within 30 calendar days from the due date to the other regulatory authority, in accordance with Paragraph RM-8.1.6.

            Amended: January 2007

      • CA-8 CA-8 Takaful and Retakaful

        • CA-8.1 CA-8.1 General Capital Requirements

          • CA-8.1.1

            This Chapter of CA applies only to those firms licensed to conduct the regulated activity of Takaful and Retakaful.

            Amended: January 2007
            Amended: October 2008

          • CA-8.1.2

            The specific Rules and Guidance in this Chapter are additional to Chapters CA-B to CA-7. The Rules and Guidance in Chapters CA-B to CA-7 apply to Takaful firms unless those Rules have been specifically modified or waived by this Chapter.

            Amended: January 2007
            Amended: October 2008

          • CA-8.1.3

            The CBB acknowledges that Takaful/Retakaful insurance is different in some respects from conventional insurance. The specific Rules and Guidance set out in this Chapter aim to allow Takaful firms to operate in Bahrain within the CBB's insurance regulatory regime on a basis consistent with that imposed on conventional insurers. That is, the CBB's regulatory regime does not favour one form of insurance over another, allowing for both types of structures, Takaful and conventional, to operate in a competitive environment.

            Amended: January 2007
            Amended: October 2008

          • CA-8.1.4

            For the purposes of applying the rules in Chapters CA-B to CA-7 to Takaful firms, references to 'long-term insurance business' should be read as 'family Takaful business' and 'general insurance business' should be read as 'general Takaful business'.

            Amended: January 2007
            Amended: October 2008

        • CA-8.2 Basis of Operating a Takaful Business

          Amended: October 2008

          • CA-8.2.1

            All Takaful firms licensed in Bahrain must organise and operate their business according to the al Wakala model. Specifically, in exchange for the provision of management services to participants' fund(s), the shareholders of the Takaful firm must receive a specific consideration (Wakala fee). For the insurance assets invested on behalf of participants' funds, the Takaful operator must use the al Mudaraba model, and must receive a set percentage of the profits generated from the investment portfolio. No performance/incentive fees are allowed to be paid to the shareholders/Takaful operator of the Takaful firm; the only fees that can be paid are the Wakala fees and the set percentage of the profits generated from the investment portfolio.

            Amended: April 2014
            Amended: October 2008
            Amended: January 2007

          • CA-8.2.2

            The Wakala fee charged in respect of a Takaful contract must be directly proportional to the costs associated with establishing and maintaining that contract. Both the Wakala and Mudaraba fees must be clearly disclosed to the participants of the Takaful fund(s).

            Amended: April 2014
            Amended: October 2008
            Amended: January 2007

          • Wakala Fee

            • CA-8.2.2A

              The Wakala fee must be a fixed upfront fee, which may be expressed as a percentage of contributions. The Wakala fee, once fixed, must not be adjusted during the reporting period, and must be clearly stated in the Takaful contract and agreed to by the participant.

              Added: April 2014

            • CA-8.2.2B

              The Wakala fee must cover the total sum of the following components:

              (a) The management expenses;
              (b) The distribution expenses including intermediaries' remuneration, agents' commission and other expenses involved in making Takaful products available to the public; and
              (c) A reasonable and appropriate margin of operational profit.

              Added: April 2014

            • CA-8.2.2C

              The Takaful operator must ensure that the management and distribution expenses referred to under Paragraph CA-8.2.2B are paid from the shareholders' fund and not from the participants' fund(s).

              Added: April 2014

            • CA-8.2.2D

              The Wakala fee must be certified by the Takaful firm's actuary (see Paragraph AA-4.3A.2) and must be considered and subsequently approved by the Shari'a Supervisory Board.

              Added: April 2014

            • CA-8.2.3

              The Takaful operators must establish an equitable basis for determining the consideration charged for managing Takaful business.

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.2.3A

              In the case of general Takaful contracts, it would normally be expected that the fee would be the same for all contracts of a particular duration, risk and type. In the case of family Takaful contracts, which may be in force for several years, it would normally be the case that the consideration in the initial years would be relatively high due to the costs of establishing the contract but substantially lower in later years, reflecting only the costs of maintaining the contract.

              Added: April 2014

          • Mudaraba Fee

            • CA-8.2.4

              For the insurance assets invested on behalf of the participants' fund(s), the Takaful operator collects a Mudaraba fee based on a fixed percentage of the net investment income from the fund and approved by the Shari'a Supervisory Board.

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.2.4A

              Net investment income noted in Paragraph CA-8.2.4 refers to gross investment income less any investment expenses, but excluding any Mudaraba fee paid to the Takaful operator.

              Added: April 2014

          • Managing Operating Costs

            • CA-8.2.5

              The Takaful operator must establish effective policies and procedures to manage the costs of the Takaful operations. In addition, the board of directors must ensure that effective controls are in place in order that the actual management and distribution expenses are in line with the Wakala fee and do not affect the viability of the Takaful operator.

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.2.6

              Only direct expenses related to claims or investments can be paid out of participants' fund(s). The direct expenses related to claims and investments, charged to the participants' fund(s) must be approved by the Shari'a Supervisory Board and must be limited to the amount of expenses incurred.

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.2.7

              The Shari'a Supervisory Board (SSB) is not expected to approve each and every claims-related and/or investment-related expense. However, the policy established dealing with the direct expenses related to claims and investments, charged to the participants' fund(s), should be approved by the SSB.

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.2.8

              Paragraphs CA-8.2.5 to CA-8.2.7 are transitional provisions to enable existing Takaful firms to discharge their obligations under pre-existing contracts according to the basis of operating the Takaful funds at the time participants entered into those contracts. Whilst it would be simpler to require all pre-existing contracts to be maintained in separate Takaful funds to those established for contracts written after these Rules come into effect, the CBB considers this may not be in the best interests of participants. It is for this reason that the transitional rules enable Takaful firms to either establish subfunds for pre-existing contracts or offer participants the option of switching their policies to the al Wakala model. Whilst ultimately it would be at the discretion of the Courts to decide, the CBB would generally be prepared to support Court applications as outlined in Paragraph CA-8.2.6 where more than 75% of participants (by number and value) had indicated their preparedness to switch to the al Wakala model.

              Amended: January 2007
              Amended: October 2008

        • CA-8.3 Segregation of Funds

          • CA-8.3.1

            Where an insurer carries out Takaful business:

            (a) In the case of family Takaful business, it must comply with Chapter CA-3 of the Capital Adequacy Module;
            (b) It must maintain separate books of account in respect of each kind of business;
            (c) It must maintain any additional books of account required by this Module for either its general Takaful or family Takaful business; and
            (d) The transactions relating to each kind of business must be maintained separately for that business and must be carried to and form a separate fund or funds.

            Amended: January 2007
            Amended: October 2008

          • CA-8.3.2

            A Takaful firm must maintain such accounting and other records as are necessary for:

            (a) Identifying the assets representing the fund or funds maintained by it under Paragraph CA-8.3.1 above for each kind of business that it carries on;
            (b) Identifying the liabilities attributable to fund or funds maintained by it under Paragraph CA-8.3.1 above for each kind of business that it carries on; and
            (c) Complying with the accounting standards established by the 'Accounting and Auditing Organisation for Islamic Financial Institutions' ('AAOIFI').

            Amended: January 2007
            Amended: October 2008

          • CA-8.3.3

            Other than the explicit exceptions included in Paragraphs CA-8.3.4 and CA-8.3.5, a Takaful firm's assets allocated to the participants' fund(s) must only be applied for the purposes of the fund to which it is attributed as required by Paragraph CA-8.3.2 and must not be made available for any other purpose of the Takaful firm. This does not however prevent the reimbursement of expenditures borne by the shareholders (in the same or the preceding financial year) in discharging liabilities wholly or partly attributable to a fund or funds.

            Amended: April 2014
            Amended: October 2008
            Amended: January 2007

          • CA-8.3.4

            Paragraph CA-8.3.3 does not apply to the payment of management fees by the fund or funds to the Takaful manager even where the manager is the shareholder provided that the Shari'a Supervisory Board has approved those fees.

            Amended: January 2007
            Amended: October 2008

          • CA-8.3.5

            Paragraph CA-8.3.3 does not prevent a Takaful firm from exchanging, at fair market value, insurance business assets of any fund for other assets of the insurer including assets held by another fund or the shareholder.

            Amended: January 2007
            Amended: October 2008

          • CA-8.3.6

            A Takaful firm which carries on insurance business in Bahrain must have adequate arrangements for securing that transactions involving assets of the Takaful firm (other than transactions outside its control) do not operate unfairly between any of the participants' fund(s) and the shareholder assets of the Takaful firm or, in a case where the Takaful firm has more than one 'identified fund', between those funds.

            Amended: April 2014
            Amended: October 2008
            Amended: January 2007

          • CA-8.3.7

            Where the CBB imposes a financial penalty on a Takaful firm or requires a Takaful firm to compensate participants for any wrongful act of the firm (including any wrongful act committed by an appointed representative of the firm), it must not pay that compensation or financial penalty from any participants' fund(s) and it must not seek to have that compensation or financial penalty reimbursed as part of its management fees.

            Amended: April 2014
            Amended: October 2008
            Amended: January 2007

          • CA-8.3.8

            The Rules in this Chapter in respect of the segregation of funds by a Takaful firm are similar to the Rules set out in Chapter CA-3 relating to long-term insurance business. In the case of a family participants' fund(s) this similarity is most pronounced. However, the Rules set out in Chapter CA-3 still apply even if the participants' fund(s) is a family participants' fund(s), in particular the requirement to separate linked family Takaful business into a separate fund.

            Amended: April 2014
            Amended: October 2008
            Amended: January 2007

        • CA-8.4 Capital Adequacy and Solvency

          • CA-8.4.1

            All Takaful firms are subject to capital available and solvency requirements.

            Amended: April 2014
            Amended: October 2008
            Amended: January 2007

          • Determination of Available Capital

            • CA-8.4.2

              The determination of available capital eligible to meet the solvency requirements is the total of:

              (a) The participants' fund(s) net admissible assets as defined under Paragraph CA-8.4.3 in all funds; and
              (b) The capital available of the shareholder fund as determined under Section CA-1.2, excluding any assets of the participants' fund(s).

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.4.3

              Every participants' fund must calculate its net admissible assets to meet the solvency requirements of the Takaful firm. The admissible assets are calculated in accordance with Chapter CA-4 and are reduced by any of the participants' fund(s) liabilities (including any Qard Hassan payable to the shareholder fund) and excluding 55% of any unrealised gains to arrive at the net admissible assets.

              Amended: April 2014
              Amended: October 2008

            • CA-8.4.4

              For the purpose of calculating the admissible assets of the participants' fund(s) referred to under Paragraph CA-8.4.3, the insurance business amount referred to in Paragraph CA-4.2.34 means:

              (a) In the case of general Takaful business, the general Takaful insurance business amount is the value of the general participants' fund(s)'s assets (other than family participants' fund(s) assets) and allocated earmarked assets to the insurance business amount (see Paragraphs AA-4.3A.6 to AA-4.3A.11 for actuarial requirements) from the shareholder fund and excluding any reinsurance/retakaful recoveries as determined in accordance with Chapter CA-4; and
              (b) In the case of family Takaful business, the family Takaful insurance business amount is the value of the family participants' fund(s)'s assets (other than general participants' fund(s) assets) and allocated earmarked assets to the insurance business amount from the shareholder fund and excluding reinsurance/retakaful recoveries and assets required to match property-linked liabilities in accordance with Chapter CA-4.

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.4.5

              Any earmarked assets used under Paragraph CA-8.4.4 must be adjusted to account for any Qard Hassan that may be granted as outlined under Paragraph CA-8.4A.2.

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.4.6

              For purposes of Paragraph CA-8.4.4, earmarked assets must meet the following criteria:

              (a) Availability: the asset is available and can be called on demand to meet any liquidity requirement where a Qard Hassan may be extended (see Section CA-8.4A);
              (b) Permanency: the asset is not callable and cannot be withdrawn;
              (c) Free of encumbrances: the asset is free of any encumbrances or mandatory payments; and
              (d) Highly liquid: the asset must be readily convertible to cash equivalent to a minimum of 90% of its reported value on the shareholder's fund statement of financial condition.

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.4.7

              Earmarked assets must comply with the criteria outlined in Paragraph CA-8.4.6 and refer to the following allocated assets from the shareholder fund to each of the participants' funds:

              (a) Cash and unencumbered current accounts with financial institutions;
              (b) Placements with financial institutions which can be liquidated within one month;
              (c) Readily marketable securities;
              (d) GCC government securities;
              (e) Other sovereign securities, other than in Paragraph CA-8.4.7(c) and Paragraph CA-8.4.7(d) above, up to one year maturity, carrying an S&P minimum rating of A (or equivalent); and
              (f) Accounts receivable due within one month, excluding any past due accounts.

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.4.8

              Earmarked assets from the shareholder fund must be allocated for each participants' fund in the calculation of the insurance business amount of each participants' fund and as determined by the actuary under Paragraph AA-4.3A.7.

              Added: April 2014

          • CA-8.4.6A

            In cases where Paragraph CA-8.4.5 applies, any income generated from the assets forming part of the free loan, will be solely for the benefit of the Takaful fund, and should be recorded as investment income of the Takaful fund. The total investment income being generated by the Takaful fund will however be subject to a mudaraba fee as approved by the Shari'a Board.

            Inserted: October 2008

          • Solvency Requirements

            • CA-8.4.9

              The solvency requirements only apply to the insurance activities of the participants' fund(s) and are calculated in accordance with Chapter CA-2 for each of the participants' fund(s). The solvency required is the total of the solvency requirements for all participants' funds.

              Amended: April 2014
              Amended: April 2009
              Amended: October 2008
              Amended: January 2007

            • CA-8.4.10

              Where the capital available as defined under Paragraph CA-8.4.2 does not meet the solvency requirements of Paragraph CA-8.4.9, a capital injection must be made by the shareholders to meet the solvency required.

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.4.11

              Should the Takaful firm fail to meet its required solvency margin, it will be restricted from writing any new Takaful business until such time as the Takaful firm is in compliance with the solvency margin requirements.

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

          • Other Requirements

            • CA-8.4.12

              In cases where a Qard Hassan has been granted to the participants' fund(s), any income generated from the assets forming part of the Qard Hassan (free loan), will be solely for the benefit of the participants' fund, and should be recorded as investment income of the participants' fund. The total investment income being generated by the participants' fund will however be subject to a Mudaraba fee as approved by the Shari'a Board (see Paragraph CA-8.2.4).

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.4.13

              A participants' fund is prohibited from providing any form of credit by way of loan, guarantee or other instrument to another participants' fund or to any other party, including but not limited to:

              (a) The Takaful operator (i.e. the shareholder fund);
              (b) A person in a controlled function;
              (c) A participant (policyholder) except as provided under Paragraph CA-8.4.14; and
              (d) A controller or close link of the Takaful firm.

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.4.14

              In the case of Family Takaful, a participant credit facility (policyholder loan) may be granted should the contract of insurance allow for such event to take place and the contract outlines the various conditions attached to such credit.

              Amended: April 2014
              Amended: October 2008
              Amended: January 2007

            • CA-8.4.15

              The Rule under Paragraph CA-8.4.13 does not restrict the participants' funds from providing any form of commitment associated with investment projects/funds.

              Added: April 2014

          • CA-8.4.13A

            Following the Takaful fund's first year of operation, the fund will be expected to meet the solvency margin requirements, but the calculation of its capital available (participants' equity) will still be subject to valuation rules but will not be subject to deductions resulting from inadmissible assets (by category or counterparty) as outlined in Section CA-4.2:

            (a) For a period not exceeding 5 years from the start of the Takaful fund; or
            (b) When the asset base of the fund reaches a minimum asset level of BD 5 million,

            whichever of (a) or (b) occurs first.

            Inserted: October 2008

          • CA-8.4.13B

            Once a Takaful fund has reached conditions (a) or (b) stated in Paragraph CA-8.4.13A, it will be expected to calculate its capital available as per Paragraph CA-1.2.21, including all deductions related to inadmissible assets due to category or counterparty limits.

            Inserted: October 2008

          • CA-8.4.13C

            During the transition phase outlined in Paragraph CA-8.4.13A, while category and counterparty limits do not apply, proper diversification of the assets of the Takaful funds should be followed, focusing on low risk and income producing assets.

            Inserted: October 2008

          • Qard Hassan Transition Rules

            • CA-8.4.16

              Where a Qard Hassan has been granted for solvency purposes under the Rules in place at that time, the amount of Qard Hassan will be written off and/or repaid over a period not exceeding 5 years and disclosed as an off-balance sheet item (see Paragraph PD-1.1.13A) and not included as part of available capital for solvency purposes.

              Added: April 2014

            • CA-8.4.17

              Where Paragraph CA-8.4.16 applies, should the participants' fund for which the Qard Hassan was originally granted generate a surplus during the course of the write-off period, such surplus may be used to repay any part of the portion of the Qard Hassan that has not been written off, subject to the CBB's prior written approval.

              Added: April 2014

        • CA-8.4A Liquidity of Participants' Funds

          • CA-8.4A.1

            Where a participants' fund(s) has a cash deficit which results in its inability to meet its day to day expenses and obligations, a Qard Hassan must be extended immediately by the shareholder fund. The cash being sought by the participants' fund must be physically transferred from the shareholder fund to cover the cash deficit of the participants' fund.

            Added: April 2014

          • CA-8.4A.2

            Where a Qard Hassan has been extended for liquidity purposes, the calculation of the earmarked assets allocated to the insurance business amount for the participants' fund(s) as outlined under Paragraph CA-8.4.4, must consider the impact of the reduction in earmarked assets.

            Added: April 2014

          • CA-8.4A.3

            Where the shareholders' fund of Takaful firms provides Qard Hassan (free loan) to the participants' fund as available for the purposes of meeting a participants' fund's liquidity needs and where the earmarked assets are to be reassessed as a result, the Takaful firm must notify the CBB immediately.

            Added: April 2014

          • CA-8.4A.4

            Where a Qard Hassan has been granted for liquidity purposes, the statement of financial position of the shareholders' fund must reflect the reduction in earmarked assets to fund the Qard Hassan as an asset and for the participants' fund(s), the amount of Qard Hassan must be shown as a liability. In addition, the CBB requires, as a minimum, that the Takaful firm include a specific note in the financial statements of the Takaful firm explaining the circumstances of the arrangement (Qard Hassan) and the implications for shareholders and participants.

            Added: April 2014

          • CA-8.4A.5

            Where a Qard Hassan has been extended, it must be repaid from future surpluses from the participants' fund(s).

            Added: April 2014

          • CA-8.4A.6

            The Takaful operator must have a clear written policy on the mechanism to rectify the cash deficit of the participants' fund(s), duly approved by the Board. The policy must address the manner in which Qard Hassan will be repaid and specify the Qard impairment testing mechanism. The Qard Hassan must be tested for impairment at least annually. Whenever there is a need for Qard Hassan, the Takaful operator must determine the time period for the repayment of Qard Hassan.

            Added: April 2014

        • CA-8.5 Determining and Allocating Surplus or Deficit

          • CA-8.5.1

            Every Takaful firm must develop a policy for determining the surplus or deficit arising from Takaful operations, the basis of determining and allocating that surplus or deficit to the participants and the shareholders, and the method of transferring any surplus or deficit to the participants. The policy developed must consider all relevant AAOIFI standards including Financial Accounting Standard No. 13 'Disclosure of Bases for Determining and Allocating Surplus or Deficit in Islamic Insurance Companies'. The policy must be approved by the Shari'a Supervisory Board as well as the board of directors of the Takaful firm.

            Amended: April 2014
            Amended: October 2008
            Amended: January 2007

          • CA-8.5.2

            More than one policy may be developed where the Takaful firm offers different types of insurance products. In any event, the company must have separate policies in respect of its general business and its long-term business and any surplus or deficit allocation must be in line with the policy developed under Paragraph CA-8.5.1.

            Amended: April 2014
            Amended: October 2008
            Amended: January 2007

          • CA-8.5.3

            On an annual basis, every Takaful firm must determine any surplus or deficit arising on each separate participants' fund. The surplus distribution or remedial action for deficit reduction must be recommended by the actuary (see Paragraphs AA-4.3A.4 and AA-4.3A.5) and endorsed by the Shari'a Supervisory Board and the board of directors of the Takaful firm.

            Amended: April 2014
            Amended: October 2008
            Amended: October 2007
            Amended: January 2007

          • CA-8.5.4

            The policy developed in accordance with Paragraph CA-8.5.1 must not be amended or changed without the approval of the Shari'a Supervisory Board.

            Amended: April 2014
            Amended: October 2008
            Amended: January 2007

          • CA-8.5.4A

            Distribution of surpluses from the Participants' fund(s) is subject to the CBB's prior written approval.

            Added: April 2014

          • CA-8.5.5

            No Takaful firm is permitted to make any distributions to participants if either the participants' fund(s) does not, or through the payment of the distribution, would not meet all the capital available and solvency requirements set out in Chapters 1 and 2 of the Capital Adequacy Module. In addition the surplus distribution must not cause adverse financial implications or a deficit in the participants' fund(s) and the Takaful operator must ensure that the participants' fund(s) is sufficiently liquid to cover any proposed surplus distribution.

            Amended: April 2014
            Amended: October 2008
            Amended: January 2007

    • BC Business and Market Conduct

      • BC-A Introduction

        • BC-A.1 Purpose

          • Executive Summary

            • BC-A.1.1

              This Module presents requirements that have to be met by insurance licensees with regard to their dealings with customers. Reinsurance business is exempted from the scope of these requirements.

            • BC-A.1.2

              The requirements contained in this Module aim to ensure that insurance licensees deal with their customers in a fair and open manner, and address their customers' information needs.

              Amended: January 2007

            • BC-A.1.3

              The requirements build upon several of the Principles of Business (see Module PB (Principles of Business)). Principle 1 (Integrity) requires insurance licensees to observe high standards of integrity and fair dealing, and to be honest and straightforward in their dealings with customers. Principle 7 (Customer Interests) requires insurance licensees to pay due regard to the legitimate interests and information needs of their customers, and to communicate with them in a fair and transparent manner.

              Amended: January 2007

            • BC-A.1.4

              The requirements contained in this Module are largely principles-based and focus on desired outputs rather than on prescribing detailed processes. This gives insurance licensees flexibility in how to implement the basic standards prescribed in this Module.

              Amended: January 2007

          • Legal Basis

            • BC-A.1.5

              This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) relating to business conduct and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to insurance licensees (including their approved persons).

              Amended: January 2011
              Added: January 2007

            • BC-A.1.6

              For an explanation of the CBB’s rule-making powers and different regulatory instruments, see Section UG-1.1.

              Added: January 2007

        • BC-A.2 Module History

          • BC-A.2.1

            This Module was first issued in April 2005 by the BMA, together with the rest of Volume 3 (Insurance). Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

            Amended: January 2007

          • BC-A.2.2

            When the CBB replaced the BMA in September 2006, the provisions of this Module remained in force. Volume 3 was updated in January 2007 to reflect the switch to the CBB; however, new calendar quarter dates were only issued where the update necessitated changes to actual requirements.

            Added: January 2007

          • BC-A.2.3

            A list of recent changes made to this Module is detailed in the table below:

            | Module Ref. | Change Date | Description of Changes |
            | --- | --- | --- |
            | BC-3.4 | 01/07/05 | Clarified language of takaful disclosure. |
            | BC-A.1.5 | 01/2007 | New Rule introduced, categorising this Module as a Directive. |
            | BC-A.1.5 | 01/2011 | Clarified legal basis |
            | BC-2.11 and BC-4 | 10/2011 | Replaced Complaints Section BC-2.11 with new Chapter BC-4 Customer Complaints Procedures. |
            | BC-4.2 and BC-4.3 | 01/2012 | Minor corrections to correct typos and clarify language. |
            | BC-4.3.9 | 01/2012 | Paragraph deleted as it repeats what is in Paragraph BC-4.3.7. |
            | BC-4.1.3A | 10/2012 | Added guidance on the appointment of the customer complaints officer. |
            | BC-4.7 | 07/2013 | Additional details provided on reporting of complaints. |
            | BC-2.9 | 04/2016 | Added requirements for insurance firms when dealing with medical insurance. |
            | BC-4.3.16 | 04/2020 | Amended Paragraph adding reference to CBB consumer protection. |
            | BC-4.5.6 | 04/2020 | Amended Paragraph adding reference to CBB consumer protection. |
            | BC-4.7.1 - BC-4.7.3 | 04/2020 | Amended Paragraph adding reference to CBB consumer protection. |
            | BC-C | 10/2020 | Added a new Chapter on Provision of Financial Services on a Non-discriminatory Basis. |

          • BC-A.2.3 [Deleted]

            Deleted: January 2007

          • BC-A.2.4

            Guidance on the implementation and transition to Volume 3 (Insurance) is given in Module ES (Executive Summary).

            Amended: January 2007

      • BC-B BC-B Scope of Application

        • BC-B.1 BC-B.1 Insurance Licensees

          • BC-B.1.1

            Except as noted in this section, the requirements in this Module apply to all insurance licensees, with respect to their direct insurance activities carried on from the Kingdom of Bahrain with a person who is a resident of Bahrain ('domestic business').

            Amended: October 2011

          • BC-B.1.2

            The requirements of this Module therefore apply to insurance firms and insurance intermediaries who are selling, intermediating or advising on direct insurance contracts from their offices in Bahrain, with respect to customers who are resident of Bahrain. The requirements in this Module do not, therefore, apply to direct insurance activities carried on from overseas branches and subsidiaries of Bahraini insurance licensees, or to activities carried on with non-residents.

          • BC-B.1.3

            Reinsurance business is exempted from the requirements of this Module because the reinsurance market is limited to dealings between insurance market professionals.

          • BC-B.1.4

            The activities of insurance managers and operators of insurance exchanges do not fall within the scope of this Module. However, the CBB expects the insurance manager to consider the requirements of this Module in relation to the service provided, on behalf of the captive insurer or insurance firm, to its 'clients', namely insured members of the group.

            Amended: January 2007

          • BC-B.1.5

            Although the requirements of this Module apply in full to all direct insurance activities in relation to domestic business, the CBB recognises that customers' needs vary. For example, because a captive insurer is insuring the risks of its parent group, it would be acceptable for the level of sales documentation and written disclosure to be less than would be required for retail customers. Large corporate customers may also require less extensive written disclosures than retail customers. The requirements in this Module give insurance licensees the flexibility to adapt their processes to suit the different needs of different customer types.

            Amended: January 2007

      • BC-C BC-C Provision of Financial Services on a Non-discriminatory Basis

        • BC-C.1 BC-C.1 Provision of Financial Services on a Non-discriminatory Basis

          • BC-C.1.1

            Insurance licensees must ensure that all regulated financial services are provided without any discrimination based on gender, nationality, origin, language, faith, religion, physical ability or social standing.

            Added: October 2020

      • BC-1 BC-1 General Requirements

        • BC-1.1 BC-1.1 General Rules

          • BC-1.1.1

            This Module applies to the direct insurance activities of all licensees in relation to domestic business.

          • BC-1.1.2

            This Module aims to encourage high standards of business conduct, which are broadly applicable to all licensees, all types of direct insurance business (i.e. excluding reinsurance), and all types of customers. However, it is recognized that some types of licensees or business (such as captive insurance or commercial insurance) may present lower regulatory risks in relation to business conduct. For these types of business, the CBB therefore accepts that less detailed arrangements are likely to be sufficient to implement the principles contained in this Module. The CBB will monitor the regulatory performance of the market, and may in due course allow for specific exemptions or relaxations for certain types of business or licensees (see also BC-1.1.11 and BC-1.1.12).

            Amended: January 2007

          • BC-1.1.3

            Where packaged investment products include insurance elements, this Module applies to the insurance elements.

          • BC-1.1.4

            It is recognised that investment products represent different features and risks that require separate regulatory treatment. Specific rules applying to business conduct in relation to investment products will be developed over time.

            Amended: January 2007

          • BC-1.1.5

            All licensees must comply with the Insurance Code of Practice for business conduct with customers, which sets out the minimum standards of good practice for market conduct in relation to direct insurance activities.

          • BC-1.1.6

            The Code comprises a number of overarching principles and a number of principles-based requirements rules in relation to the conduct of direct insurance business with customers. The structure of the Insurance Code of Practice for Business Conduct with customers reflects the key stages and activities over the lifetime of the customer relationship for insurance products and services (see Illustration 1).

            Illustration 1: Structure of Insurance Code of Practice for Business Conduct

            Amended: January 2007

          • BC-1.1.7

            Licensees must maintain compliance with the Code throughout the lifetime of their relationships with all of their customers.

          • BC-1.1.8

            The Code focuses on desired outcomes, rather than prescribing in detail measures required to achieve those outcomes. Licensees therefore have the flexibility to design arrangements that implement the Code, in a way that suits the particular nature of their business.

          • BC-1.1.9

            Insurance licensees must take responsibility for compliance with the Code of all persons carrying out direct insurance activities on their behalf (including, but not limited to, appointed representatives and insurance managers).

            Amended: October 2007

          • BC-1.1.10

            Licensees must put in place appropriate measures across all their business operations and distribution channels to ensure compliance with the Code. Licensees must maintain adequate records to demonstrate compliance with the Code.

          • BC-1.1.11

            The CBB will monitor compliance with the Code and standards of business conduct. If required, the CBB may develop more detailed rules and guidance to supplement the existing Code.

            Amended: January 2007

          • BC-1.1.12

            The CBB will apply these requirements in a way that allows them to be adapted to fit the circumstances of licensees' businesses, to be achieved through a pragmatic approach to supervision. However, in exceptional circumstances, it may be appropriate for the CBB to consider and grant waivers where strict compliance would be unduly burdensome or would not achieve the purpose for which the requirement was intended. Each application for waiver will be considered on its individual merits. The fact that a waiver has been granted to a particular licensee should not be regarded as an indication that similar waivers will be issued to any other licensee.

            Amended: January 2007

      • BC-2 BC-2 The Insurance Code of Practice

        • BC-2.1 BC-2.1 Overarching Principles

          • BC-2.1.1

            In the course of direct insurance activities, licensees must:

            (a) Act with due skill, care and diligence in all dealings with customers;
            (b) Act fairly and reasonably in all dealings with customers;
            (c) Identify customers' specific requirements in relation to the products and services about which they are enquiring;
            (d) Ensure that any advice to customers is aimed at the customers' interests and based on adequate standards of research and analysis;
            (e) Provide sufficient information to enable customers to make informed decisions when purchasing insurance products and services offered to them;
            (f) Provide sufficient and timely documentation to customers to confirm that their insurance arrangements are in place and provide all necessary information about their products, rights and responsibilities;
            (g) Maintain fair treatment of customers through the lifetime of their insurance products and customer relationships, and ensure that customers are kept informed of important events;
            (h) Handle claims fairly and promptly;
            (i) Ensure that all information provided to customers is clear, fair and not misleading, and appropriate to customers' information needs; and
            (j) Take appropriate measures to safeguard any money and property handled on behalf of customers and maintain confidentiality of customer information.
            Amended: January 2007
            Amended: October 2007

        • BC-2.2 BC-2.2 Marketing and Promotion

          • BC-2.2.1

            Licensees must ensure that all advertising and promotional material is clear, fair and not misleading.

        • BC-2.3 BC-2.3 Initial Customer Information about Service

          • BC-2.3.1

            At the initial point of contact, before any contract is concluded between the customer and the insurance licensee, licensees must advise customers of the nature of the service they can offer and their relationship with the customer, including:

            (a) The types of services that can be provided;
            (b) The choice of products and services that can be offered; and
            (c) Whether the licensee acts on behalf of an insurer or insurers, or acts independently on behalf of the customer in arranging insurance.
            Amended: January 2007

        • BC-2.4 BC-2.4 Identification of Customer Requirements

          • BC-2.4.1

            Licensees must identify customers' requirements by seeking from customers such information about their circumstances and objectives as might reasonably be expected to be relevant in establishing their specific insurance needs in relation to the products and services about which they are enquiring.

        • BC-2.5 BC-2.5 Advice and Recommendations

          • BC-2.5.1

            Any recommendations made must be appropriate to the customer's needs. The recommendation must include an explanation as to how the recommended product suits the customer's identified needs. Where more than one product is recommended as appropriate to the customer's needs, the recommendation must include an explanation of the differences between, and relative costs of, the alternative options.

            Amended: January 2007

          • BC-2.5.2

            In the case of compulsory insurance, such as third party motor liability insurance, the explanation of the product's suitability may be limited to a brief explanation of the obligation to hold such insurance, and the options available to satisfy the obligation.

          • BC-2.5.3

            The objective of Paragraph BC-2.5.1 is to ensure that a customer is provided with sufficient information with which to make an informed decision. An insurance firm is able to rely on the customer's explanation of his insurance needs and is not otherwise required to verify the customer's own assessment of his needs. Given the customer's stated needs, the insurance firm must explain how the proposed contract(s) would meet those needs, and provide sufficient information regarding the different options so that the customer is able to make an informed decision.

            Amended: January 2007

        • BC-2.6 BC-2.6 Customer Information before Commitment to the Contract

          • BC-2.6.1

            Before customers make their final commitment to enter into a contract of insurance, licensees must provide to the customer sufficient information on the key features of the product being proposed to enable the customer to make an informed purchasing decision, including:

            (a) The identity of the insurance licensee;
            (b) All the important details of cover and benefits;
            (c) Any significant or unusual restrictions or exclusions, conditions or obligations attaching to the customer; and
            (d) The period of cover.
            Amended: January 2007
            Amended: October 2007

          • BC-2.6.2

            Before customers make their final commitment to enter into a contract of insurance, licensees must provide to the customer full details of costs of the insurance products and services being offered, including:

            (a) The level of insurance premiums, the periodicity of payment and any grace periods allowed for payment;
            (b) The consequences of discontinuing the payment of any premium; and
            (c) Any fees and charges other than the insurance premium.
            Amended: January 2007
            Amended: October 2007

          • BC-2.6.3

            While an insurance broker may not approach every possible underwriter for each risk, he should make reasonable efforts to make his selection from a panel of insurance firms. An insurance broker's submission of quotations should incorporate the reasons for recommending or choosing an insurance firm.

          • BC-2.6.4

            Except for clients with turnover exceeding BD 1 million per year, an insurance intermediary must draw the client's attention to the status of the insurance firm: i.e. whether or not the insurance firm is locally licensed (as a Bahraini insurance firm or overseas insurance firm) and, if not, the reasons for recommending or choosing that insurance firm. In respect of these clients, this advice must be delivered in writing.

            Amended: January 2007

          • BC-2.6.5

            An insurance intermediary should recommend, in the first instance, a policy from a CBB licensed insurer (which, for the avoidance of doubt, may be an overseas insurance firm) that he considers best suited to the needs of his client, and offering ease of client service, claims handling, etc. Paragraph BC-2.6.4 covers the situation where an insurance intermediary proposes use of an overseas insurer not licensed or incorporated in Bahrain, because of the lack of availability of local cover.

            Amended: January 2007

          • BC-2.6.6

            Insurance intermediaries acting on behalf of customers in arranging their insurance must, on request, disclose the amount of commission payable to them from the insurance premium, and any other remuneration received for arranging the insurance contract.

          • BC-2.6.7

            Before customers make a final commitment to enter into a contract of insurance, licensees must inform the customer of their key obligations and rights with regard to the transaction, including:

            (a) The customer's duty of disclosure to the insurance licensee;
            (b) Cancellation rights and conditions;
            (c) The licensee's internal complaints procedure; and
            (d) The licensee's obligations in respect of this Code.
            Amended: January 2007
            Amended: October 2007

          • BC-2.6.8

            There are no specific requirements prescribing customers' cancellation rights or required standards of cancellation terms for insurance products and customers. It is expected that licensees will put in place cancellation terms that are fair, reasonable and appropriate with respect to their customers and the products provided, in line with the overarching principles requiring fair dealings with customers (see Paragraph BC-2.1.1). The CBB will monitor the regulatory performance of the market in this area, and may make amendments over time (see Paragraphs BC-1.1.11, BC-1.1.12).

            Amended: January 2007

        • BC-2.7 BC-2.7 Confirmation of Cover and Policy Documentation

          • BC-2.7.1

            On the conclusion of contracts, licensees must provide customers with prompt written confirmation and details of the insurance that has been effected, including:

            (a) The date when cover starts and the period of cover;
            (b) Any certificates or documents which the customer is required to have by law;
            (c) Details of how the customer can make a claim, and their responsibilities in relation to making claims;
            (d) The address of the insurer to which all communications in respect of the policy should be sent; and
            (e) Proof of payment where applicable.
            Amended: January 2007

          • BC-2.7.2

            Licensees must provide full policy documentation promptly following the conclusion of contracts, unless this has already been issued with the confirmation of cover.

        • BC-2.8 BC-2.8 Service after the Point of Sale

          • BC-2.8.1

            Licensees must respond to and administer customers' requests for amendments to their insurance policies in a timely manner. In particular, licensees must:

            (a) Provide written confirmation of any changes/amendments to the policy;
            (b) Provide full details of any additional premium or charges to be paid by or returned to the customer;
            (c) Provide any certificate or documentation which the customer is required to have by law;
            (d) Provide proof of payment of additional premium or charges where applicable; and
            (e) Remit any refunds of premiums or charges due to customers without undue delay.
            Amended: January 2007

        • BC-2.9 BC-2.9 Claims

          • BC-2.9.1

            In addition to the requirements under Paragraph BC-2.9.2, where licensees' insurance activities include the handling of claims, they must:

            (a) Respond promptly when claims are first notified, and provide customers with an explanation about how the claim will be handled and any actions required of the customer;
            (b) Provide reasonable guidance to customers in pursuing their claim;
            (c) Consider and handle claims fairly and promptly, and keep the customer informed of progress;
            (d) Inform customers in writing, with an explanation, if the licensee is unable to deal with all or any part of the claim; and
            (e) Forward settlement of claims without undue delay, once settlement has been agreed.
            Amended: April 2016
            Amended: October 2007
            January 2007

          • BC-2.9.2

            Where an insurance firm deals with medical insurance and handles all the claim processing activities directly, i.e. without using a TPA:

            (a) It must process and settle all medical claims with policyholders within 15 calendar days from the receipt of all necessary documents; and
            (b) It must process and settle claims from healthcare service providers within 30 calendar days from the receipt of all necessary documents from the healthcare service providers.
            April 2016

          • BC-2.9.3

            Insurance firms must comply with Paragraph BC-2.9.2 by 30th September 2016 at the latest.

            April 2016

        • BC-2.10 BC-2.10 Renewal, Expiry and Cancellation

          • BC-2.10.1

            Licensees must notify customers of the renewal or expiry of their policy in time to allow the customer to consider and rearrange any continuing cover they may need, including:

            (a) Details of the renewal terms, if offered; and
            (b) Details of any changes to the cover, service or insurance firm being offered.
            Amended: January 2007

          • BC-2.10.2

            On expiry or cancellation of insurance policies, at the request of the customer, licensees must make available all documentation and information to which the customer is entitled in a timely manner.

        • BC-2.11 BC-2.11 [This section was deleted in October 2011]

          • BC-2.11.1

            [This paragraph was deleted in October 2011]

            Deleted: October 2011

          • BC-2.11.2

            [This paragraph was deleted in October 2011]

            Deleted: October 2011
            Amended: January 2007

          • BC-2.11.3

            [This paragraph was deleted in October 2011]

            Deleted: October 2011
            Amended: January 2007

          • BC-2.11.4

            [This paragraph was deleted in October 2011]

            Deleted: October 2011
            Amended: January 2007

          • BC-2.11.5

            [This paragraph was deleted in October 2011]

            Deleted: October 2011
            Amended: October 2007
            Amended: January 2007

        • BC-2.12 BC-2.12 Information Conditions

          • BC-2.12.1

            Licensees must ensure that all information presented to customers in accordance with this Code shall be clear, fair and not misleading, and comprehensible to the customer having regard to the complexity of the products and services being offered and the customer's knowledge.

          • BC-2.12.2

            Licensees must ensure that customer information presented to customers in accordance with this Code is provided in an appropriate format with regard to the complexity of the product being discussed. In particular:

            (a) As a general rule, all information to be provided to the customer in accordance with this Code is to be in writing, on paper or other durable medium available and accessible to the customer. If the information is initially presented orally, supporting written information must be provided in addition;
            (b) In the case of telephone selling and other forms of selling where it is impractical to provide information to the customer in writing at the point of sale, information shall be provided to the customer in accordance with Subparagraph BC-2.12.2(a) immediately following conclusion of the contract; and
            (c) By way of derogation from Subparagraph BC-2.12.2(a), information may be provided orally without supporting written information where the customer requests it, or where immediate cover is necessary.
            Amended: January 2007

        • BC-2.13 BC-2.13 Fair Treatment and Conflicts of Interest

          • BC-2.13.1

            Licensees must avoid conflicts of interest, or if conflicts are unavoidable, must explain the position fully and manage the situation so as to avoid prejudice to any party. In particular, licensees who act on behalf of their customers must not put their own interests above their duty to any customers for whom they act.

          • BC-2.13.2

            Insurance intermediaries must disclose in writing to the client any relationship that he may have with an insurance firm that he is recommending to his client and which may result in a potential conflict of interest including, but not limited to, disclosure in writing of any association arising from common shareholder/controller/Director.

            Amended: January 2007

        • BC-2.14 BC-2.14 Confidentiality and Security of Customer Assets

          • BC-2.14.1

            Licensees must ensure that any information obtained from customers is not used or disclosed except in the normal course of negotiating, maintaining or renewing insurance for that customer, unless:

            (a) They have the customer's consent;
            (b) Disclosure is made in accordance with the licensee's regulatory obligations; or
            (c) The licensee is legally obliged to disclose the information.
            Amended: January 2007

          • BC-2.14.2

            Licensees must take appropriate steps to ensure the security of any money, documents, other property or information handled or held on behalf of customers.

      • BC-3 BC-3 Takaful Firms

        • BC-3.1 BC-3.1 General Requirements

          • BC-3.1.1

            This Chapter applies only to those insurance firms licensed to conduct insurance business under takaful principles.

            Amended: January 2007

          • BC-3.1.2

            The CBB acknowledges that the nature of takaful and the operation of a takaful business are not entirely equivalent to and in some respects different from a conventional insurance business. The specific requirements set out in this Chapter aim not only to allow takaful firms to operate in Bahrain within the CBB's insurance regulatory regime on a basis consistent with conventional insurers but also to recognise some of the differences in takaful that are relevant to the way in which takaful business is carried on.

            Amended: January 2007
            Amended: October 2007

          • BC-3.1.3

            The specific requirements in this Chapter are additional to Chapters BC-A to BC-2. The requirements in Chapters BC-A to BC-2 apply to takaful firms unless those requirements are specifically modified or waived by this Chapter.

            Amended: January 2007

        • BC-3.2 BC-3.2 Restriction on the Use of Terms

          • BC-3.2.1

            The terms 'takaful', 'retakaful', 'general takaful' and 'family takaful' may only be used to describe the products of insurance firms that are Islamic financial institutions within the meaning of the CBB Rulebook.

            Amended: January 2007
            Amended: October 2007

          • BC-3.2.2

            For the purposes of this Module, references to takaful shall be taken as including 'takaful', 'retakaful', 'general takaful' and 'family takaful'.

            Amended: January 2007
            Amended: October 2007

          • BC-3.2.3

            The term 'Islamic insurance' should be avoided and may never be used by a firm not licensed to conduct the regulated activity of takaful.

            Amended: January 2007
            Amended: October 2007

        • BC-3.3 BC-3.3 Marketing and Promotion

          • BC-3.3.1

            An insurance firm may only offer takaful products if it is licensed to do so. An insurance intermediary may offer both conventional insurance and takaful products but must provide clear information to enable consumers to make informed choices.

            Amended: October 2007

          • BC-3.3.2

            Any comparison between takaful and conventional insurance products must draw the customer's attention to the principal differences between these products. These differences may include:

            (a) Whether there is a contractual right to claims or benefits or whether these are discretionary on the part of the firm;
            (b) The basis on which benefits and surpluses are allocated to, and between, policyholders and participants; and
            (c) Whether there is any future liability of policyholders (or participants), individually or collectively, for deficits in the policyholders' (participants') funds.
            Amended: January 2007
            Amended: October 2007

        • BC-3.4 BC-3.4 Disclosure

          • BC-3.4.1

            Takaful firms must provide participants and shareholders with clear information about the performance of their business. This information must, as a minimum, comply with relevant AAOIFI standards, in particular Standard 13 (Disclosure of Bases for Determining and Allocating Surplus or Deficit in Islamic Insurance Companies) and 12 (General Presentation and Disclosure in the Financial Statements of Islamic Insurance Companies).

            Amended: January 2007

          • BC-3.4.2

            Takaful firms must clearly disclose to participants the calculation (percentage) and amount of wakala fee and mudaraba share of profits paid by the takaful fund to the takaful operator.

            Amended: January 2007

      • BC-4 BC-4 Customer Complaints Procedures

        • BC-4.1 BC-4.1 General Requirements

          • BC-4.1.1

            All insurance licensees must have appropriate customer complaints handling procedures and systems for effective handling of complaints made by customers by 31st March 2012.

            Added: October 2011

          • BC-4.1.2

            Customer complaints procedures must be documented appropriately and customers must be informed of their availability.

            Added: October 2011

          • BC-4.1.3

            All insurance licensees must appoint a customer complaints officer and publicise his/her contact details at all departments and branches. The customer complaints officer must be of a senior level at the insurance licensee and must be independent of the parties to the complaint to minimize any potential conflict of interest.

            Added: October 2011

          • BC-4.1.3A

            The position of customer complaints officer may be combined with that of compliance officer.

            Added: October 2012

          • BC-4.1.4

            In the case of an overseas insurance licensee, a local complaints officer must be present and must report all complaints to the head office complaints unit.

            Added: October 2011

        • BC-4.2 BC-4.2 Documenting Customer Complaints Handling Procedures

          • BC-4.2.1

            In order to make customer complaints handling procedures as transparent and accessible as possible, all insurance licensees must document their customer complaints handling procedures. These include setting out in writing:

            (a) The procedures and policies for:
            (i) Receiving and acknowledging complaints;
            (ii) Investigating complaints;
            (iii) Responding to complaints within appropriate time limits;
            (iv) Recording information about complaints; and
            (v) Identifying recurring system failure issues; and
            (b) The types of remedies available for resolving complaints; and
            (c) The organisational reporting structure for the complaints handling function.
            Amended: January 2012
            Added: October 2011

          • BC-4.2.2

            Insurance licensees must provide a copy of the procedures to all relevant staff, so that they may be able to inform customers. A simple and easy-to-use guide to the procedures must also be made available to all customers, on request, and when they want to make a complaint.

            Added: October 2011

          • BC-4.2.3

            Insurance licensees are required to ensure that claims forms and claim notification documents include a statement informing the customer of the availability of a simple and easy-to-use guide on customer complaints procedures in the event the customer is not satisfied with the services provided.

            Amended: January 2012
            Added: October 2011

        • BC-4.3 BC-4.3 Principles for Effective Handling of Complaints

          • BC-4.3.1

            Adherence to the following principles is required for effective handling of complaints:

            Added: October 2011

          • Visibility

            • BC-4.3.2

              "How and where to complain" must be well publicised to customers and other interested parties, in both English and Arabic languages.

              Added: October 2011

          • Accessibility

            • BC-4.3.3

              A complaints handling process must be easily accessible to all customers and must be free of charge.

              Added: October 2011

            • BC-4.3.4

              While an insurance licensee's website is considered an acceptable means for dealing with customer complaints, it should not be the only means available to customers, as not all customers have access to the internet.

              Amended: January 2012
              Added: October 2011

            • BC-4.3.5

              Process information must be readily accessible and must include flexibility in the method of making complaints.

              Added: October 2011

            • BC-4.3.6

              Support for customers in interpreting the complaints procedures must be provided, upon request.

              Added: October 2011

            • BC-4.3.7

              Information and assistance must be available on details of making and resolving a complaint.

              Added: October 2011

            • BC-4.3.8

              Supporting information must be easy to understand and use.

              Added: October 2011

            • BC-4.3.9

              [This Paragraph was deleted in January 2012].

              Deleted: January 2012

            • BC-4.3.10

              Insurance licensees should incorporate the complaints procedure as a clause within the insurance policies provided to their customers.

              Added: October 2011

          • Responsiveness

            • BC-4.3.11

              Receipt of complaints must be acknowledged in accordance with Section BC-4.5 "Response to Complaints".

              Added: October 2011

            • BC-4.3.12

              Complaints must be addressed promptly in accordance with their urgency.

              Added: October 2011

            • BC-4.3.13

              Customers must be treated with courtesy.

              Added: October 2011

            • BC-4.3.14

              Customers must be kept informed of the progress of their complaint.

              Added: October 2011

            • BC-4.3.15

              If a customer is not satisfied with an insurance licensee's response, the insurance licensee must advise the customer on how to take the complaint further within the organisation.

              Added: October 2011

            • BC-4.3.16

              In the event that they are unable to resolve a complaint, insurance licensees must outline the options that are open to that customer to pursue the matter further, including, where appropriate, referring the matter to the Consumer Protection Unit at the CBB.

              Amended: April 2020
              Added: October 2011

          • Objectivity and Efficiency

            • BC-4.3.17

              Complaints must be addressed in an equitable, objective, unbiased and efficient manner.

              Amended: January 2012
              Added: October 2011

            • BC-4.3.18

              General principles for objectivity in the complaints handling process include:

              (a) Openness:
              The process must be clear and well publicised so that both staff and customers can understand.
              (b) Impartiality:
              (i) Measures must be taken to protect the person the complaint is made against from bias;
              (ii) Emphasis must be placed on resolution of the complaint not blame; and
              (iii) The investigation must be carried out by a person independent of the person complained about.
              (c) Accessibility:
              (i) The insurance licensee must allow customer access to the process at any reasonable point in time; and
              (ii) A joint response must be made when the complaint affects different participants.
              (d) Completeness:
              The complaints officer must find the relevant facts, talk to both sides, establish common ground and verify explanations wherever possible;
              (e) Equitability:
              Give equal treatment to all parties.
              (f) Sensitivity:
              Each complaint must be treated on its merits and paying due care to individual circumstances.
              (g) Objectivity for personnel — complaints handling procedures must ensure those complained about are treated fairly which implies:
              (i) Informing them immediately and completely on complaints about performance;
              (ii) Giving them an opportunity to explain and providing appropriate support;
              (iii) Keeping them informed of the progress and result of the complaint investigation;
              (iv) Full details of the complaint are given to those the complaint is made against prior to interview; and
              (v) Personnel must be assured they are supported by the process and should be encouraged to learn from the experience and develop a better understanding of the complaints process;
              (h) Confidentiality:
              (i) In addition to customer confidentiality, the process must ensure confidentiality for staff who have a complaint made against them and the details must only be known to those directly concerned;
              (ii) Customer information must be protected and not disclosed, unless the customer consents otherwise; and
              (iii) Protect the customer and customer's identity as far as is reasonable to avoid deterring complaints due to fear of inconvenience or discrimination.
              (i) Objectivity monitoring:
              Insurance licensees must monitor responses to customers to ensure objectivity, which could include random monitoring of resolved complaints.
              (j) Charges:
              The process must be free of charge to customers;
              (k) Customer Focused Approach:
              (i) Insurance licensees must have a customer focused approach;
              (ii) Insurance licensees must be open to feedback; and
              (iii) Insurance licensees must show commitment to resolving problems.
              (l) Accountability:
              Insurance licensees must ensure accountability for reporting actions and decisions with respect to complaints handling; and
              (m) Continual improvement:
              Continual improvement of the complaints handling process and the quality of products and services must be a permanent objective of the insurance licensees.
              Amended: January 2012
              Added: October 2011

        • BC-4.4 BC-4.4 Internal Complaint Handling Procedures

          • BC-4.4.1

            An insurance licensee's internal complaint handling procedures must provide for:

            (a) The receipt of written complaints;
            (b) The appropriate investigation of complaints;
            (c) An appropriate decision-making process in relation to the response to a customer complaint;
            (d) Notification of the decision to the customer;
            (e) The recording of complaints; and
            (f) How to deal with complaints when a business continuity plan (BCP) is operative.
            Added: October 2011

          • BC-4.4.2

            An insurance licensee's internal complaint handling procedures must be designed to ensure that:

            (a) All complaints are handled fairly, effectively and promptly;
            (b) Recurring systems failures are identified, investigated and remedied;
            (c) The number of unresolved complaints referred to the CBB is minimized;
            (d) The employee responsible for the resolution of complaints has the necessary authority to resolve complaints or has ready access to an employee who has the necessary authority; and
            (e) Relevant employees are aware of the insurance licensee's internal complaint handling procedures and comply with them and receive training periodically to be kept abreast of changes in procedures.
            Added: October 2011

        • BC-4.5 BC-4.5 Response to Complaints

          • BC-4.5.1

            An insurance licensee must acknowledge in writing within the same day of receipt of customer written complaints for non-life insurance policies and within 5 business days of receipt of customer written complaints for life insurance policies.

            Added: October 2011

          • BC-4.5.2

            An insurance licensee must respond in writing to a customer's complaint within one week of receiving a non-life insurance policy complaint and within 2 weeks of receiving a life insurance policy complaint, explaining their position and how they propose to deal with the complaint.

            Added: October 2011

          • Redress

            • BC-4.5.3

              An insurance licensee should decide and communicate how it proposes (if at all) to provide the customer with redress. Where appropriate, the insurance licensee must explain the options open to the customer and the procedures necessary to obtain the redress.

              Added: October 2011

            • BC-4.5.4

              Where an insurance licensee decides that redress in the form of compensation is appropriate, the insurance licensee must provide the complainant with fair compensation and must comply with any offer of compensation made by it which the complainant accepts.

              Added: October 2011

            • BC-4.5.5

              Where an insurance licensee decides that redress in a form other than compensation is appropriate, it must provide the redress as soon as practicable.

              Added: October 2011

            • BC-4.5.6

              Should the customer that filed a complaint not be satisfied with the response received as per Paragraph BC-4.5.2, he can forward the complaint to the Consumer Protection Unit at the CBB within 30 calendar days from the date of receiving the letter from the insurance licensee.

              Amended: April 2020
              Added: October 2011

        • BC-4.6 BC-4.6 Records of Complaints

          • BC-4.6.1

            An insurance licensee must maintain a record of all customers' complaints. The record of each complaint must include:

            (a) The identity of the complainant;
            (b) The substance of the complaint;
            (c) The status of the complaint, including whether resolved or not, and whether redress was provided; and
            (d) All correspondence in relation to the complaint.
            Such records must be retained by the insurance licensee for a period of 5 years from the date of receipt of the complaint.
            Added: October 2011

        • BC-4.7 BC-4.7 Reporting of Complaints

          • BC-4.7.1

            An insurance licensee must submit to the CBB's Consumer Protection Unit a quarterly report summarising the following:

            (a) The number of complaints received;
            (b) The substance of the complaints;
            (c) The number of days it took the insurance licensee to acknowledge and to respond to the complaints; and
            (d) The status of the complaint, including whether resolved or not, and whether redress was provided.
            Amended: April 2020
            Added: October 2011

          • BC-4.7.2

            The report referred to in Paragraph BC-4.7.1 must be sent electronically to Complaint@cbb.gov.bh.

            Amended: April 2020
            Added: July 2013

          • BC-4.7.3

            Where no complaints have been received by the licensee within the quarter, a 'nil' report should be submitted to the CBB’s Consumer Protection Unit.

            Amended: April 2020
            Added: July 2013

        • BC-4.8 BC-4.8 Monitoring and Enforcement

          • BC-4.8.1

            Compliance with these requirements is subject to the ongoing supervision of the CBB as well as being part of any CBB inspection of a licensee. Failure to comply with these requirements is subject to enforcement measures as outlined in Module EN (Enforcement).

            Added: October 2011

    • CL CL Client Money

      • CL-A CL-A Introduction

        • CL-A.1 CL-A.1 Purpose

          • Executive Summary

            • CL-A.1.1

              This Module presents requirements that have to be met by insurance brokers with regards to holding client money for which they are responsible.

              Amended: July 2023
              April 2012

            • CL-A.1.2

              The Rules contained in this Module are aimed at ensuring proper protection of client money to minimise the risk of client money being used by insurance brokers and to prevent the commingling of client money with the insurance brokers' assets.

              Amended: July 2023
              April 2012

          • Legal Basis

            • CL-A.1.3

              This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) on client money, with respect to insurance brokers, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to insurance brokers.

              Amended: July 2023
              April 2012

            • CL-A.1.4

              For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

              April 2012

          • Effective Date

            • CL-A.1.5

              All insurance brokers and where applicable, insurance firms, must comply with the requirements of this Module, effective 1st July 2012 (See ES-2.6AA2).

              Amended: July 2023
              April 2012

        • CL-A.2 CL-A.2 Module History

          • Evolution of Module

            • CL-A.2.1

              This Module was first issued in April 2012 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made. Chapter UG-3 provides further details on Rulebook maintenance and version control.

              April 2012

          • Summary of Changes

            • CL-A.2.2

              The most recent changes made to this Module are detailed in the table below:

              | Module Ref. | Change Date | Description of Changes |
              | --- | --- | --- |
              | CL-2.3.4 and CL-2.3.4A | 07/2015 | Rules amended on insurance broker commissions where an insurance broker is dealing with an international insurance/reinsurance broker. |
              | Full Module | 07/2023 | Deleted Appointed Representatives from Module. |

      • CL-B CL-B Scope of Application

        • CL-B.1 CL-B.1 Scope

          • CL-B.1.1

            This Module, unless otherwise indicated, applies to all insurance brokers licensed by the CBB that undertake the broking of insurance contracts (see Rule AU-1.4.10) and hold client money.

            Amended: July 2023
            April 2012

          • CL-B.1.2

            Client money is money of any currency that an insurance broker receives and holds for its client when carrying on insurance mediation. It can include premiums/contributions and premium/contribution refunds.

            Amended: July 2023
            April 2012

          • CL-B.1.3

            References to insurance firms throughout this Module apply to Takaful firms as well.

            April 2012

          • CL-B.1.4

            Paragraph CL-2.3.4 applies as well to insurance firms.

            April 2012

          • CL-B.1.5

            [This Paragraph was deleted in July 2023].

            Amended: July 2023
            April 2012

      • CL-1 CL-1 Client Money Protection

        • CL-1.1 CL-1.1 Client Money Protection Rules

          • Keeping Separate Client Accounts

            • CL-1.1.1

              Where an insurance broker receives payment from a client, it must maintain one or more premiums/contributions account that holds client money separate from its own money.

              Amended: July 2023
              April 2012

            • CL-1.1.2

              Premiums/contributions collected in relation to a specific transaction must not be used to settle amounts due under another transaction.

              April 2012

            • CL-1.1.3

              Payment of premiums/contributions to insurance firms, or commissions (brokerage) to the insurance brokers' own accounts must not be effected until the premiums to which these payments relate have been duly received from that client and credited to the client account.

              Amended: July 2023
              April 2012

            • CL-1.1.4

              In respect of premiums/contributions booked in Bahrain in relation to residents and non-residents of Bahrain, these accounts are to be maintained with a retail bank licensed to do business in Bahrain.

              April 2012

            • CL-1.1.5

              Insurance brokers must:

              (a) Provide the CBB with a written confirmation from a retail bank(s) licensed to do business in Bahrain, as to the capacity in which they are holding such client money. This confirmation must be provided to the CBB at the time of opening the client money account and when there is a material change in the nature of the account; and
              (b) Instruct the bank(s) not to combine the client money account(s) with any other account or to exercise any right of set-off or counterclaim against money in that account in respect of any sum owed to it on any other account of the insurance broker.
              Amended: July 2023
              April 2012

            • CL-1.1.6

              [This Paragraph was deleted in July 2023].

              Deleted: July 2023
              April 2012

            • CL-1.1.7

              Client money must, upon receipt, be paid into a specifically designated client money account no later than the immediate business day after receipt. The monies in this account must form part of the fiduciary assets of the insurance broker and must be held in custody for the client, where the insurance broker acts as an agent with the client retaining full legal ownership of the funds.

              Amended: July 2023
              April 2012

            • CL-1.1.8

              The following guidance material provides examples of circumstances under which monies may be deposited into or withdrawn from a client account.

              April 2012

            • CL-1.1.9

              Amounts that may be deposited into a client account:

              (a) Monies received from the client for the purpose of purchasing contracts of insurance; and
              (b) Monies received on behalf of the client from (re)insurance firms, insurance intermediaries and any other third parties relating to the refund of premiums/contributions to clients.
              April 2012

            • CL-1.1.10

              Amounts that may be withdrawn from a client account:

              (a) Premium monies required to be paid on behalf of the client to (re)insurance firms or other insurance intermediaries for the purchase of contracts of insurance;
              (b) Monies drawn on a client's written authority in accordance with the insurance contract; or
              (c) Monies which may by mistake or accident have been paid into the account.
              April 2012

            • CL-1.1.11

              While the (re)insurance broker may assist a policyholder or insurance firm in the claims settlement process, funds related to claims settlement must be remitted directly by the (re)insurance firm to the policyholder or insurance firm.

              April 2012

            • CL-1.1.12

              Every insurance broker must maintain at least one income and expenses account with a retail bank licensed to do business in Bahrain.

              Amended: July 2023
              April 2012

            • CL-1.1.13

              Insurance brokers are prohibited from:

              (a) Combining income and expenses account(s) with premiums/contributions; and
              (b) Transferring income and expenses account(s) to premiums/contributions account(s).
              Amended: July 2023
              April 2012

        • CL-1.2 CL-1.2 Record Keeping

          • CL-1.2.1

            In accordance with Section GR-1.2, insurance brokers must ensure that proper records, sufficient to show and explain insurance brokers' transactions and commitments in respect of their client money, are maintained and demonstrate compliance with the provisions of this Module. These records must be retained for a period of a minimum of ten years after they are made, unless otherwise required by law.

            Amended: July 2023
            April 2012

          • CL-1.2.2

            An insurance broker that holds client money must:

            (a) Check its record-keeping and client money procedures regularly; and
            (b) Subject its record-keeping and client money procedures to an appropriate independent review (see Rule CL-1.3.3).
            Amended: July 2023
            April 2012

          • CL-1.2.3

            Records of the insurance broker must clearly show funds received and paid out allocated per client/transaction. For greater clarity, all client money and receivables from clients are to be shown on the balance sheet as fiduciary assets and there must be an offsetting fiduciary liability, representing the amounts payable by the insurance broker to the insurance firm (See Rule CL-1.3.4).

            Amended: July 2023
            April 2012

        • CL-1.3 CL-1.3 CBB Reporting

          • CL-1.3.1

            In accordance with Sections BR-1.2A and BR-1.4A, insurance brokers must prepare and submit to the CBB an Insurance Broker Return (IBR) semi-annually. The 31st December IBR must be submitted by 28th February at the latest. The 30th June IBR must be submitted by 30th July at the latest.

            April 2012
            Amended: April 2022

          • CL-1.3.2

            Insurance brokers must provide the CBB, within 3 months of the financial year end, the audited financial statements and the management letter from the external auditor.

            April 2012

          • CL-1.3.3

            In accordance with Paragraph BR-1.5.4, insurance brokers must provide the CBB, within 3 months of the financial year end, the Agreed Upon Procedure Report produced by the external auditor, certifying that the insurance broker among other things, is complying with the Rules of the Module CL (Client Money).

            April 2012

          • Reporting of Fiduciary Assets and Liabilities

            • CL-1.3.4

              Unremitted insurance premiums held in the client money account, in accordance with Paragraph CL-2.2.4, and uncollected premiums from insureds must be recorded as fiduciary assets on the balance sheet of the insurance broker. Fiduciary assets must have an offsetting fiduciary liability representing the total remittances to be made to the insurance firm.

              April 2012

      • CL-2 CL-2 Holding of Client Money

        • CL-2.1 CL-2.1 Systems and Controls

          • CL-2.1.1

            Insurance brokers must establish and maintain effective systems and controls to ensure the fulfillment of their fiduciary responsibilities towards their clients particularly protecting client money.

            Amended: July 2023
            April 2012

        • CL-2.2 CL-2.2 Arrangements to Hold Client Money

          • CL-2.2.1

            Except as otherwise indicated, in order to ensure adequate protection of client money, insurance brokers must follow one of two approaches or a mix of both for holding client money:

            (a) Transfer the risk from the insurance broker to the insurance firm(s); or
            (b) Segregate client money into client money accounts that cannot be used to reimburse other creditors if an insurance broker fails.
            Amended: July 2023
            April 2012

          • CL-2.2.2

            For purposes of subparagraph CL-2.2.1 (a), funds paid directly to insurance firms must not be received by the insurance broker.

            Amended: July 2023
            April 2012

          • CL-2.2.3

            For purposes of Subparagraph CL-2.2.1 (a), a written agreement must be in place between the insurance broker and the insurance firm stating that premiums/contributions — and if the insurance firm wishes, premium refunds — are held by the insurance firm.

            Amended: July 2023
            April 2012

          • CL-2.2.4

            For purposes of Subparagraph CL-2.2.1 (b), any client money that an insurance broker that is a financial institution receives and holds for an insurance firm must be held in a client money account, properly segregated from the insurance broker's own funds.

            Amended: July 2023
            April 2012

          • CL-2.2.5

            [This Paragraph was deleted in July 2023].

            Deleted: July 2023
            April 2012

        • CL-2.3 CL-2.3 Brokerage and Premiums/Contributions Collection

          • CL-2.3.1

            In instances when Subparagraph CL-2.2.1(b) applies, the insurance broker is solely responsible for collecting premiums/contributions from clients and passing these to insurance firms. The insurance broker shall pass any refund premiums/contributions due from insurance firms to clients immediately upon receipt from insurance firms.

            Amended: July 2023
            April 2012

          • CL-2.3.2

            For life/family takaful participating with profit policies, insurance brokers are prohibited from collecting premiums/contributions from clients. Premiums/contributions must be paid directly by the policyholders/participants to insurance/takaful companies.

            Amended: July 2023
            April 2012

          • CL-2.3.3

            Other than noted in Paragraph CL-1.1.6, insurance brokers must pay to insurance firms premiums/contributions received no later than (15) calendar days from the date of the receipt of such amounts.

            Amended: July 2023
            April 2012

          • CL-2.3.4

            Except as permitted under Paragraph CL-2.3.4A, insurance brokers are prohibited from deducting their brokerage commission from the premiums/contributions account(s). Insurance brokers must be paid their brokerage commission separately by the insurance firms after transferring the amounts due (premiums/contributions) to insurance firms no later than (10) calendar days from the receipt of the premiums/contributions by insurance firms.

            Amended: July 2023
            Amended: July 2015
            April 2012

          • CL-2.3.4A

            In instances where international insurance business is involved, where an insurance broker is dealing with an international insurance/reinsurance broker, the insurance broker may choose to deduct its commission from the premium/contribution account.

            Added: July 2015

          • CL-2.3.5

            For brokerage activities, insurance brokers are prohibited from collecting additional charges (other than the quoted premiums/contributions) from clients.

            Amended: July 2023
            April 2012

          • CL-2.3.6

            Insurance brokers can offer other services to the policyholder on behalf of the insurance firm, such as the issuance of policy documentation. Such other services should be dictated in a separate agreement between the insurance broker and the insurance firm; however, such charges should not result in any additional fees to the policyholder.

            April 2012

        • CL-2.4 CL-2.4 Premiums/Contributions Payments

          • CL-2.4.1

            The insurance broker must immediately notify in writing the insurance firm/Takaful firm if the insurance broker fails to collect the amount due from the concerned clients within the agreed premiums/contributions payment terms dictated by the insurance firm.

            April 2012

          • CL-2.4.2

            Brokerage charged by insurance brokers cannot exceed 15% of the premiums/contributions quoted by insurance/Takaful firms for motor and medical classes of business of direct general insurance business.

            April 2012

    • RM RM Risk Management

      • RM-A RM-A Introduction

        • RM-A.1 RM-A.1 Purpose

          • Executive Summary

            • RM-A.1.1

              This Module provides detailed Rules and Guidance on risk management systems and controls requirements for insurance licensees. It expands on certain high-level requirements contained in various High-Level Standards Modules. In particular, Section AU-2.6 of Module AU (Authorisation) outlines the systems and controls required as part of the licensing conditions and Principle 10 of the Principles of Business (ref. PB-1.10) requires insurance licensees to have systems and controls sufficient to manage the level of risk inherent in their business.

              Amended: January 2007

            • RM-A.1.2

              This Module obliges insurance licensees to recognise the range of risks that they face and the need to manage these effectively. Their risk management systems should monitor and control all material risks. The adequacy of a licensee's risk management is subject to the scale and complexity of its operations, however. In demonstrating compliance with certain Rules, smaller licensees with very simple operational structures and business activities may need to implement less extensive or sophisticated risk management systems, compared to licensees with a complex and/or extensive customer base or operations.

          • Legal Basis

            • RM-A.1.3

              This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) relating to risk management and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to insurance licensees (including their approved persons).

              Amended: January 2011
              Amended: October 2007
              Added: January 2007

            • RM-A.1.4

              For an explanation of the CBB’s rule-making powers and different regulatory instruments, see Section UG-1.1.

              Added: January 2007

        • RM-A.2 RM-A.2 Module History

          • RM-A.2.1

            This Module was first issued in April 2005 by the BMA together with the rest of Volume 3 (Insurance). Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: UG-3 provides further details on Rulebook maintenance and version control.

            Amended: January 2007

          • RM-A.2.2

            When the CBB replaced the BMA in September 2006, the provisions of this Module remained in force. Volume 3 was updated in January 2007 to reflect the switch to the CBB; however, new calendar quarter dates were only issued where the update necessitated changes to actual requirements.

            Added: January 2007
            Amended: October 2007

          • RM-A.2.3

            A list of recent changes made to this module is detailed in the table below:

            | Module Ref. | Change Date | Description of Changes |
            | --- | --- | --- |
            | RM-1.1 | 01/07/05 | Correction to cross-reference. |
            | RM-6.1 | 01/07/05 | Clarified wording of factors to consider for operational risks. |
            | RM-2.1 | 01/10/05 | Clarified that the 25% notification for reinsurance exposure is to be applied based on a premium basis. |
            | RM-8.1 | 01/10/05 | Corrected cross reference in RM-8.1.6. |
            | RM-1.1 | 01/01/06 | Clarified CBB's requirements for insurance firms to carry out their own assessment of their capital needs. |
            | RM-2.1 | 01/01/06 | Corrected cross-reference. |
            | RM-6.1 | 01/07/06 | Added requirements for physical security measures and third party insurance to be put in place by insurance firms. |
            | RM-A.1.3 | 01/2007 | New Rule introduced, categorising this Module as a Directive. |
            | RM-7.5.3 | 04/2008 | Clarified that CBB prior approval is required for intra-group outsourcing. |
            | RM-7.2.1, 7.2.2 and 7.3.6 | 07/2008 | Clarified that CBB prior approval is required for outsourcing arrangements. |
            | RM-7.5.7 | 04/2010 | Added a Paragraph dealing with restrictions on intra-group outsourcing. |
            | RM-A.1.3 | 01/2011 | Clarified legal basis. |
            | RM-7.6 | 04/2013 | Section amended on outsourcing of internal audit. |
            | RM-1.1 | 04/2014 | Enhanced the requirements for the risk management function. |
            | RM-7.1.3 | 10/2017 | Amended Paragraph to allow the utilization of cloud services. |
            | RM-7.1.5A | 10/2017 | Added a new Paragraph on outsourcing requirements. |
            | RM-7.2.1 | 10/2017 | Amended Paragraph. |
            | RM-7.2.3 | 10/2017 | Amended Paragraph. |
            | RM-7.2.6 | 10/2017 | Amended Paragraph. |
            | RM-7.2.8 | 10/2017 | Added a new Paragraph on outsourcing. |
            | RM-7.3.1 | 10/2017 | Amended Paragraph. |
            | RM-7.3.2 | 10/2017 | Amended Paragraph. |
            | RM-7.3.3 | 10/2017 | Amended Paragraph. |
            | RM-7.3.6 | 10/2017 | Amended Paragraph. |
            | RM-7.4.6 | 10/2017 | Amended Paragraph. |
            | RM-7.4.13 | 10/2017 | Amended Paragraph. |
            | RM-7.4.14 | 10/2017 | Amended Paragraph. |
            | RM-7.4.20 | 10/2017 | Amended Paragraph. |
            | RM-7.4.21 | 10/2017 | Added a new Paragraph on security measures related to cloud services. |
            | RM-7.5.3 | 10/2017 | Amended Paragraph. |
            | RM-7.5.4 | 10/2017 | Amended Paragraph. |
            | RM-9 | 10/2019 | Added a new Section on Cyber Security. |
            | RM-9 | 01/2022 | New revised Chapter on Cyber Security Risk Management. |
            | RM-9.1.58 | 04/2022 | Amended Paragraph on cyber security reporting. |
            | RM-9.1.59 | 04/2022 | Amended Paragraph on the submission of the cyber security report. |
            | RM-7 | 07/2022 | Replaced Chapter RM-7 with new Outsourcing Requirements. |
            | RM-9.1.22 | 10/2022 | Amended Paragraph on email domains requirements. |
            | RM-9.1.22A | 10/2022 | Added a new Paragraph on additional domains requirements. |

          • RM-A.2.3 [Deleted]

            Deleted: January 2007

          • RM-A.2.4

            Guidance on the implementation and transition to Volume 3 (Insurance) is given in Module ES (Executive Summary).

            Amended: January 2007

      • RM-B RM-B Scope of Application

        • RM-B.1 RM-B.1 Scope

          • RM-B.1.1

            Unless otherwise stated in a Rule, or exempted in writing by the CBB, the contents of this Module apply to Bahraini insurance firms and Bahraini insurance brokers on a consolidated basis, and to overseas insurance firms and overseas insurance brokers with respect to their operations either booked in or undertaken from Bahrain.

            Amended: January 2007

          • RM-B.1.2

            Because of the nature of their activities, insurance brokers are not subject to Sections RM-4.1 (Market Risk) and RM-5.1 (Insurance Technical Risk).

            Amended: January 2007

          • RM-B.1.3

            The CBB will only consider granting an exemption to a Rule in this Module, where the insurance firm concerned can demonstrate that it has equivalent systems and controls applied at the group or parent entity level, that achieve the same objective as the CBB requirement concerned. The purpose of such an exemption is to allow entity-wide or group-wide systems and requirements to be applied, where these achieve the same outcome: exemptions are therefore only likely to be given with respect to overseas insurance licensees, and possibly Bahraini licensees that are part of an overseas group. Because of their general nature, exemptions will not be considered with regard to the requirements contained in Chapter RM-1 (Risk Management Systems and Controls).

            Amended: January 2007

          • RM-B.1.4

            For the purposes of Paragraph RM-B.1.1, 'consolidated basis' means including the branches and subsidiaries of the Bahraini insurance firm or Bahraini insurance broker, whether these are located inside or outside the Kingdom of Bahrain.

            Amended: January 2007

          • RM-B.1.5

            Unless otherwise stated in a Rule, or exempted in writing by the CBB, the contents of this Module apply to operators of insurance exchanges authorised to carry out insurance business in Bahrain.

            Amended: January 2007

          • RM-B.1.6

            The contents of this Module do not apply to insurance consultants, insurance managers and appointed representatives, because the nature of their activities only exposes policyholders to limited financial risk.

            Amended: January 2007

          • RM-B.1.7

            While the business of insurance managers is not subject to this Module, clients of insurance managers that are insurance firms, such as captive insurers, are subject to the requirements of this Module. The insurance manager, in fulfilling its obligations to its clients, therefore needs to manage the affairs of its clients in accordance with the requirements of the Rulebook, including this Module.

            Amended: October 2007

          • RM-B.1.8

            An insurance licensee's failure to establish, in the opinion of the CBB, adequate systems and controls will result in it being in breach of Condition 6 of the Licensing Conditions of Section AU-2.6 of Module AU (Authorisation). This failure may result in the CBB withdrawing or imposing restrictions on the license, or the licensee being required to inject more capital.

            Amended: January 2007

      • RM-1 RM-1 General Requirements

        • RM-1.1 RM-1.1 Risk Management Systems and Controls

          • RM-1.1.1

            A licensee must take reasonable care to establish and maintain effective systems and controls as are appropriate to its business to manage its risks. These policies must be documented and regularly reviewed.

          • RM-1.1.2

            The licensee's identification, assessment, management and reporting of risks must consider (but is not limited to) the management of credit, liquidity, market, technical, operational (including outsourcing) and group risks, as outlined in Chapters RM-2 to RM-8.

            Amended: January 2007

          • RM-1.1.3

            As noted in Paragraph CA-A.1.2, insurance firms must regularly carry out their own assessment of their capital needs, appropriate to their risk profile, and maintain a process for monitoring and maintaining their actual capital in line with their assessment.

          • RM-1.1.4

            For purposes of Paragraph RM-1.1.3, the CBB does not prescribe the detailed form of such assessment, in order to give insurance firms flexibility to develop their own approaches. Where a firm's assessment suggests that the level of capital that should be held is higher than the minimum required per Chapter CA-2, the CBB would expect firms to hold capital in line with their assessment.

            Amended: January 2007

          • RM-1.1.5

            The licensee must determine if any additional risk categories, other than those referred to in Paragraphs RM-1.1.2 and RM-1.1.3, are relevant to its business and therefore need to be addressed.

            Amended: January 2007

          • Risk Management

            • RM-1.1.6

              In the case of incorporated insurance firms and insurance brokers, the Board of Directors must take responsibility for the establishment and oversight of effective risk management systems and controls.

            • RM-1.1.7

              In the case of Bahraini insurance brokers that are unincorporated entities or single person companies, the General Manager must take responsibility for the establishment and oversight of effective risk management systems and controls.

              Amended: October 2007

            • RM-1.1.8

              Additional requirements relating to Boards and senior management in terms of risk management and controls are specified in Module HC (High-Level Controls). The Board may delegate various functions and tasks, but retains ultimate responsibility. However, the CBB will also take into account the responsibility of the Chief Executive Officer or General Manager of a licensee, within the framework of delegated authorities laid down by the Board.

              Amended: January 2007
              Amended: October 2007

            • RM-1.1.9

              In assessing the systems and controls framework, the CBB would expect the Board to be able to demonstrate that it provides suitable prudential oversight and establishes a risk management system that includes setting and monitoring policies so that all major risks are identified, measured, monitored and controlled on an on-going basis. The risk management systems should be approved and periodically reviewed by the Board as outlined in Paragraph HC-1.1.5.

              Amended: January 2007

          • Risk Management Function

            • RM-1.1.10

              The CBB requires that all insurance firms establish an independent risk management function, staffed by a head of risk management, duly approved by the CBB in accordance with Paragraph AU-1.2.1.

              Added: April 2014

            • RM-1.1.10A

              Depending on the scale and complexity of their operations, insurance brokers must consider establishing an independent risk management function.

              Amended: April 2014

            • RM-1.1.10B

              The risk management function must be independent of risk-taking units and must not have any conflict of interest with any other function. The risk management function must have direct access to the Board and must report to the Board and senior management.

              Added: April 2014

            • RM-1.1.11

              Where there is a risk management function, the licensee must document the process by which it manages risks, and how it directly reports to the Board of directors on these risks.

              Amended: April 2014

            • RM-1.1.12

              [This Paragraph was deleted in April 2014.]

              Deleted: April 2014

      • RM-2 RM-2 Credit Risk

        • RM-2.1 RM-2.1 Credit Risk

          • RM-2.1.1

            Section RM-2.1 applies only to insurance firms and insurance brokers.

          • RM-2.1.2

            Insurance licensees must identify and manage their credit risk across all their operations, and document their policies and procedures for achieving this in a credit risk policy. This policy must be regularly reviewed.

            Amended: January 2007
            Amended: October 2007

          • RM-2.1.3

            Amongst other things, a licensee's credit risk policy must identify the limits it applies to both individual counterparties and categories of counterparty, how it monitors movements in counterparty risk and how it mitigates loss in the event of counterparty failure.

            Amended: October 2007

          • RM-2.1.4

            Credit risk is the risk that a counterparty will not meet its obligations in accordance with agreed terms, causing a financial loss. In the case of an insurance firm, credit risk will normally occur with:

            (a) Reinsurance counterparties;
            (b) Assets (e.g. stock, loans);
            (c) Derivatives; and
            (d) Insurance debtors (premiums due from insured persons and intermediaries).

            Amended: January 2007
            Amended: October 2007

          • RM-2.1.5

            The licensee should consider these and other credit risk factors that may affect the licensee's solvency:

            (a) The credit-worthiness of its reinsurers;
            (b) The financial effect of non-performance of the reinsurance; and
            (c) The financial effect of non-payment of premiums, by debtors such as intermediaries and policyholders.

            Amended: January 2007

          • RM-2.1.6

            In addition to considering the failure of counterparties, the licensee should also consider scenarios such as increases in late payment and doubtful debt provisioning, and measures to mitigate credit risks, such as premium payment warranties (whereby policy coverage only becomes effective on payment of premiums).

            Amended: October 2007

          • RM-2.1.7

            An insurance firm must monitor its exposure, defined as sums insured, to an individual reinsurer and provide details of its reinsurance programme to the CBB. It must notify the CBB if its total aggregate exposure, on a premium basis, to one reinsurer (or group of related reinsurers) exceeds 25% of individual or aggregate risks, and explain why it considers that this exposure does not pose a credit risk for which a provision should be made.

            Amended: January 2007

          • RM-2.1.8

            Paragraph RM-2.1.7 does not constitute a prohibition on exceeding this amount as the CBB recognises that there may be situations and types of reinsurance arrangements where reinsurance in excess of this limit might be necessary. The CBB should however be notified of these cases, and the licensee should include an explanation of the reason why it believes that the excess exposure is an acceptable credit risk.

            Amended: January 2007
            Amended: October 2007

          • RM-2.1.9

            In addition to the requirements noted in Paragraph RM-2.1.7, insurance firms must evaluate the credit worthiness of individual reinsurers at the time of ceding business and on an on-going basis.

          • RM-2.1.10

            The credit worthiness of reinsurers may be established by referring to ratings provided by international rating agencies, such as Standard & Poor's or AM Best.

          • RM-2.1.11

            An insurance licensee must keep its exposure to individual assets or classes of assets within prudent levels, taking into account the relationship between counterparties, geographical and sectoral concentration, duration of exposures and the exposure to single loss events (e.g. regional economic downturns). Chapter CA-4 provides additional Rules in establishing limitations in the valuation of assets.

            Amended: January 2007

          • RM-2.1.12

            Specific counterparty limits are contained in Paragraph CA-4.2.33.

            Amended: January 2007
            Amended: October 2007

          • RM-2.1.13

            An insurance licensee must take into account the risk of default in the valuation of its assets.

      • RM-3 RM-3 Liquidity Risk

        • RM-3.1 RM-3.1 Liquidity Risk

          • RM-3.1.1

            Section RM-3.1 applies only to insurance firms and insurance brokers.

          • RM-3.1.2

            Insurance licensees must identify and manage their liquidity risk across all their operations, and document their policies and procedures for achieving this in a liquidity risk policy. This policy must be regularly reviewed.

            Amended: January 2007

          • RM-3.1.3

            Liquidity risk is the risk of not being able to meet liabilities when they fall due, even though a firm may still be solvent. Liquidity risk can result from claims falling due earlier than anticipated, higher than expected policy surrender or changes in mortality rates.

          • RM-3.1.4

            Liquidity risk in insurance licensees relates to the management of their cash flow and the risk to their meeting short-term liabilities due to liquidity problems. The risks of matching of assets and liabilities, currency risk etc. are considered as part of insurance risk and are the subject of specific limits in Section CA-6.1.

          • RM-3.1.5

            Insurance licensees must also carry out stress testing to assess the resilience of their financial resources to any identified areas of material liquidity risk. This stress testing may take into account the general characteristics, and licensee's experience, of the classes of business that it writes, any discounting of its claims provisions, and any mitigating factors that it considers relevant such as the ability to sell assets quickly and the options available to re-schedule the payments to policyholders and other counterparties.

          • RM-3.1.6

            Where the insurance licensee considers that the nature of its assets or liabilities and the matching of its liabilities result in no significant liquidity risk exposure, it will not be expected to carry out stress testing. The CBB will expect it to document the reasons for its decision and be prepared to discuss these during an on-site visit.

            Amended: January 2007

          • RM-3.1.7

            When assessing liquidity risk, the insurance licensee should consider the extent of mismatch between assets and liabilities and the amount of assets held in highly liquid, marketable forms should unexpected cash flows lead to a liquidity problem. The price concession of liquidating assets is a prime concern when assessing such liquidity risk and should be built into any assessment of capital adequacy.

            Amended: January 2007

          • RM-3.1.8

            Captive insurance firms are exempted from the specific requirement to undertake stress and scenario testing aimed at testing the resilience of their financial resources to specific areas of significant risk.

            Amended: January 2007

      • RM-4 RM-4 Market Risk

        • RM-4.1 RM-4.1 Market Risk

          • RM-4.1.1

            Section RM-4.1 applies only to insurance firms.

          • RM-4.1.2

            Insurance licensees must identify and manage their market risk across all their operations, and document their policies and procedures for achieving this in a market risk policy. This policy must be regularly reviewed.

            Amended: October 2007

          • RM-4.1.3

            Market risk relates to the exposure of the insurance licensee to fluctuations in the market value, currency or yield of an asset.

          • RM-4.1.4

            A licensee's market risk policy must identify its appetite for market risk, systems for identifying, reporting and documenting market risk and mitigation factors in place.

          • RM-4.1.5

            Insurance firms (other than captives) must carry out stress testing to assess the resilience of their financial resources to any identified areas of material market risk under reasonably foreseeable circumstances. This stress testing may take into account the rating and geographical spread of its assets, the duration of their maturity relative to the licensee's liabilities and the fluctuation of interest and currency rates.

          • RM-4.1.6

            The insurance licensee should consider potential market risk events that may affect its solvency. These include the following:

            (a) Reduced values of equities due to stock market falls, etc.;
            (b) Variation in interest rates and the effect on the market value of investments;
            (c) A lower level of investment income than planned;
            (d) Inadequate valuation of assets;
            (e) The direct impact on the portfolio of currency devaluation, as well as the effect on related markets and currencies; and
            (f) The extent of any mismatch of assets and liabilities.

            Amended: January 2007

          • RM-4.1.7

            Chapter CA-4 contains Rules and Guidance relating to the valuation of assets and counterparty limits. Chapter CA-6 contains Rules and Guidance relating to currency matching and localisation.

            Amended: January 2007

          • RM-4.1.8

            Where the insurance licensee considers that the nature of its assets and the matching of its liabilities result in no significant market risk exposure (e.g. its investments consist entirely of cash and bank deposits), it will not be expected to carry out stress testing. The CBB will expect it to document the reasons for its decision and be prepared to discuss these during an on-site visit.

            Amended: January 2007

      • RM-5 RM-5 Insurance Technical Risk

        • RM-5.1 RM-5.1 Insurance Technical Risk

          • RM-5.1.1

            Section RM-5.1 applies only to insurance firms.

          • RM-5.1.2

            An insurance firm licensee must identify and manage its insurance technical risk across all its operations, and document its underwriting and claims policies for achieving this in an underwriting policy.

            Amended: January 2007

          • RM-5.1.3

            Insurance technical risk is the normal trading risk, arising out of contracts of insurance, that the insurance licensee is exposed to in its day-to-day operations, and includes the technical and actuarial bases of calculation for premiums and technical provisions in both long-term and general insurance.

            Amended: January 2007
            Amended: October 2007

          • RM-5.1.4

            An insurance firm must document its underwriting and claims policies and review these at regular intervals.

          • RM-5.1.5

            The underwriting policy must be at a level of detail appropriate to the nature, magnitude and source of its business and must include (but is not limited to) a description of the following elements:

            (a) Classes and sources of business to be written (including limits on concentrations of class, location and counterparty);
            (b) Rating and pricing strategy and methodology;
            (c) The management of, and reserving for, claims;
            (d) Responsibilities and authority levels; and
            (e) Reinsurance protections, including any mismatch between the duration of the contracts and the underlying reinsurance protection.

            Amended: January 2007

          • RM-5.1.6

            The claims policy must be at a level of detail appropriate to the nature, magnitude and source of its business and must include (but is not limited to) a description of the following elements:

            (a) Reporting (e.g. evidence required, appointment of loss adjusters);
            (b) Scrutiny;
            (c) Authority levels;
            (d) Valuation;
            (e) Monitoring claims settlement, payments, reinsurance recoveries and subrogation; and
            (f) Provisioning of claims, including the bases and assumptions followed, authority levels, record-keeping and review.

            Amended: January 2007

          • RM-5.1.7

            Where necessary to demonstrate the adequacy of its financial resources under reasonably foreseeable deteriorations of its underwriting and claims positions, the insurance firm must conduct stress testing under a range of foreseeable adverse scenarios.

          • RM-5.1.8

            In assessing the outcome of adverse scenarios on the future solvency position, insurance firms must consider the impact of future further deterioration of claims reserves (or, in the case of long-term business, the inadequacy of mathematical reserves) and future loss ratios being higher than past claims patterns would suggest.

            Amended: January 2007

          • RM-5.1.9

            Factors that licensees may consider appropriate in assessing the levels of underwriting risk include:

            (a) The adequacy of the licensee's pricing structure;
            (b) The volatility of sales volumes (e.g. the risk of poor underwriting from over-rapid expansion);
            (c) The uncertainty of claims experience (and the length of the claims 'tail');
            (d) The share of premium paid to intermediaries;
            (e) The adequacy of the coverage of the reinsurance programme;
            (f) The impact of the licensee's inability to secure renewal of part of its reinsurance at acceptable terms or at all;
            (g) The risk of unintended risks claims being covered (or not excluded) by policy wordings; and
            (h) The risk of mis-selling, for example, the number of complaints or disputed claims.

            Amended: January 2007
            Amended: October 2007

          • RM-5.1.10

            Factors that insurance licensees may consider appropriate in assessing the levels of claims risk include:

            (a) The frequency and size of large claims;
            (b) Possible outcomes relating to any disputed claims, particularly where the outcome is subject to legal proceedings;
            (c) The ability of the licensee to withstand catastrophic events, increases in unexpected exposures, latent claims or aggregation of claims;
            (d) The possible exhaustion of reinsurance arrangements, both on a per-risk and per-event basis;
            (e) The non-payment of outstanding claims due to the lack of coverage offered by the reinsurance purchased for underwritten risks (i.e. offsetting potential liabilities);
            (f) Social changes regarding an increase in the propensity to claim and to sue;
            (g) The impact of unanticipated legal judgements on claims and claims reserves;
            (h) Other social, economic and technological changes; and
            (i) The risk associated with dealing with a reinsurer, fronting 100% of the risks ceded.

            Amended: January 2007
            Amended: October 2007

          • RM-5.1.11

            The CBB believes that insurance firms need to consider carefully dealing with reinsurers fronting 100% of the risks that are ceded to them. The concern is that the reinsurer ceding 100% of the risk to a retrocessionaire has little incentive to adhere to proper standards of underwriting, due to it receiving a fee, based on maximizing volume of premium, at the expense of underwriting soundness. Fronting arrangements can result in abrupt cancellation by the assuming reinsurer and sometimes refusal to pay claims because of the lack of observation of the understandings with regard to business quality that were agreed upon when the arrangement was negotiated. Consequently, insurers may have to assume risks that they believed they had covered through a proper reinsurance arrangement, should the reinsurer no longer honour the arrangement. The CBB will scrutinise carefully the management by firms of the risks associated with fronting, in the course of its supervision.

            Amended: January 2007

          • RM-5.1.12

            Additional factors that general insurers may consider appropriate in assessing the levels of claims risk include:

            (a) The adequacy and uncertainty of the technical claims provisions, such as outstanding claims, IBNR and claims handling expense reserves;
            (b) The adequacy of other underwriting provisions, such as the provisions for unearned premium and unexpired risk reserves;
            (c) The appropriateness of catastrophe models and underlying assumptions used, such as possible maximum loss (PML) factors used; and
            (d) The effects of inflation.

            Amended: January 2007

          • RM-5.1.13

            Additional factors that long-term insurers may consider appropriate in assessing the levels of claims risk include future variations in investment returns and in mortality and morbidity rates.

      • RM-6 RM-6 Operational Risk

        • RM-6.1 RM-6.1 Operational Risk

          • RM-6.1.1

            Section RM-6.1 applies only to insurance firms and insurance brokers.

          • RM-6.1.2

            An insurance licensee must identify and manage its operational risk across all its operations, and document its policies and procedures for achieving this in an operational risk policy.

          • RM-6.1.3

            Operational risk is the risk to the insurance licensee of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

          • RM-6.1.4

            Insurance licensees must consider the impact of operational risks on their financial resources and solvency. In so doing, insurance licensees must consider the factors listed under Paragraph RM-6.1.5, and any other factors relevant to their business.

            Amended: January 2007

          • RM-6.1.5

            In assessing potential operational risk, events that may affect the licensee's solvency include the following:

            (a) Risks to the licensee's resources and reputation from employees and agents (due to fraud, negligence, etc.);
            (b) Adequacy of management information;
            (c) Failure of information technology through breakdown, incompatibility of legacy systems and poor scalability, poor security, etc.;
            (d) Failure of processes and procedures;
            (e) Internal and external fraud;
            (f) Outsourcing risk (for more detail, see RM-7);
            (g) Resourcing levels;
            (h) Business continuity and disaster recovery; and
            (i) Reputational risks and the risk to the licensee's business from an undermining of consumer confidence in particular market segments, e.g. savings products.

            Amended: January 2007

          • RM-6.1.6

            Human failure may arise either from the loss of one or more key individuals, lack of competence or failure of an individual to follow procedures or observe authority levels.

          • RM-6.1.7

            The insurance licensee must identify those processes, systems and premises that are critical to its survival and continuing operations and must develop contingency plans ('business continuity planning') covering these areas. These plans must be regularly updated and tested.

            Amended: January 2007

          • RM-6.1.8

            An insurance licensee should have the means to ensure that its statutory and regulatory responsibilities are effectively carried out, especially where the group is subject to matrix management. More specifically, clear reporting lines and responsibilities need to be defined to minimize the risk that statutory and regulatory responsibilities are overlooked.

          • RM-6.1.9

            Insurance licensees must ensure that there is adequate succession planning and that the risks arising from the loss of key individuals are thereby contained.

          • RM-6.1.10

            The licensee's Board is responsible for ensuring the suitability and competence of employees for the assigned tasks, and for the adequacy of staffing levels. Depending on their size and scale of their activities, insurance licensees should consider having in place a formal appraisal process and a training plan for professional members of staff. For employees that are members of professional bodies it may also be appropriate for this to be integrated with requirements of those bodies for Continuing Professional Education (CPE).

          • RM-6.1.11

            Insurance licensees must identify, manage and control the risks that arise from human failure, including employees and agents. These include inappropriate remuneration policies, health and safety and employment policies.

          • RM-6.1.12

            The licensee's business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the firm and its business portfolio.

          • Physical Security Measures

            • RM-6.1.13

              Insurance licensees that deal directly with the public and maintain cash on their premises must put in place security measures to minimise the risk of theft or fraud.

            • RM-6.1.14

              Insurance licensees subject to Paragraph RM-6.1.13 must ensure that the maximum cash maintained at their premises at the end of each day is limited to BD10,000.

            • RM-6.1.15

              Insurance licensees subject to Paragraph RM-6.1.13 are required to install an alarm system for those premises that maintain cash.

            • RM-6.1.16

              Where appropriate, insurance licensees may consider the need to maintain a trained security guard at their premises.

          • Third Party Insurance

            • RM-6.1.17

              Insurance licensees are required to have in place insurance coverage from an unrelated third party to cover potential losses arising from liability, theft, fire and other potential operational risk.

            • RM-6.1.18

              Insurance licensees are required to comply with Paragraphs RM-6.1.13 to RM-6.1.17 by 31st December 2006 (refer to ES-2.6A.1).

              Amended: October 2007
              Amended: April 2008

      • RM-7 Outsourcing Requirements

        • RM-7.1 Outsourcing Arrangements

          • RM-7.1.1

            This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

            Amended: July 2022

          • RM-7.1.2

            In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

            Amended: July 2022

          • RM-7.1.3

            In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

            i. The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; and
            ii. The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.
            Amended: July 2022
            Amended: October 2017

          • RM-7.1.4

            The licensee must not outsource the following functions:

            (i) Compliance;
            (ii) AML/CFT;
            (iii) Financial control;
            (iv) Risk management; and
            (v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).
            Amended: July 2022
            Amended: January 2007

          • RM-7.1.5

            For the purposes of Paragraph RM-7.1.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph RM-7.1.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.

            Amended: July 2022
            Amended: January 2007

          • RM-7.1.6

            Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph RM-7.1.4 (iv), subject to CBB’s prior approval.

            Amended: July 2022
            Added: October 2017

          • RM-7.1.7

            Licensees must comply with the following requirements:

            (i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:
            a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and
            b. be made at least 30 calendar days before the licensee intends to commit to the arrangement.
            (ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.
            (iii) Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risk issues in relation to outsourcing.
            (iv) Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of the licensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.
            (v) Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement.
            (vi) Licensees must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.
            (vii) Licensees must inform their normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from their identification date.
            Amended: July 2022
            Amended: January 2007

          • RM-7.1.8

            For the purpose of Subparagraph RM-7.1.7 (iv), licensees as part of their assessments may use the following:

            a) Independent third-party certifications on the outsourcing service provider’s security and other controls;
            b) Third-party or internal audit reports of the outsourcing service provider; and
            c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.

            When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.

            Amended: July 2022

          • RM-7.1.9

            For the purpose of Subparagraph RM-7.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.

            Added: July 2022

        • RM-7.2 [This Section was deleted in July 2022]

        • RM-7.3 [This Section was deleted in July 2022]

        • RM-7.4 [This Section was deleted in July 2022]

        • RM-7.5 [This Section was deleted in July 2022]

        • RM-7.6 [This Section was deleted in July 2022]

      • RM-8 Group Risk

        • RM-8.1 Group Risk

          • RM-8.1.1

            Section RM-8.1 applies only to Bahraini insurance firms and Bahraini insurance brokers.

            Amended: October 2007

          • RM-8.1.2

            An insurance licensee must identify, manage and control risks to its activities arising from the activities and financial position of other members of its group.

          • RM-8.1.3

            The CBB may impose additional restrictions on the insurance licensee should it have reason to believe that other members of the group pose undue risk to the insurance licensee. These restrictions, for instance, may try to limit the risk of financial contagion, by restricting financial transactions between the licensee and group members.

            Amended: January 2007
            Amended: October 2007

          • RM-8.1.4

            For purposes of Section RM-8.1, the term group refers to a person or firm who is:

            (a) The parent of the licensee;
            (b) A subsidiary of the licensee (including subsidiaries of subsidiaries); or
            (c) A subsidiary of the licensee's parent.
            Amended: January 2007

          • RM-8.1.5

            The Board is expected to request sufficient information of its group members to allow it to address group risks.

          • RM-8.1.6

            Where the licensee's group or parent reports its own solvency position to its regulatory authority (on a group or 'solo' basis), a copy of this calculation must be provided to the CBB within 30 calendar days from the due date to the other regulatory authority, in accordance with Paragraph CA-7.1.8.

            Amended: January 2007
            Amended: October 2007

          • RM-8.1.7

            Where a licensee is part of a larger financial services group, it may rely on the systems and controls that the group (or its parent company) has put in place. The Board in these circumstances should establish what systems and controls are in place and should ensure that it is provided with sufficient and timely information on the solvency position of the group. This should be evidenced in the prudential records retained in Bahrain.

            Amended: January 2007
            Amended: October 2007

          • RM-8.1.8

            In assessing group systems and controls, an insurance licensee must give consideration to:

            (a) The likely impact of activities of the group on the compliance of the licensee with CBB requirements;
            (b) The effectiveness of linkages between group central functions and the licensee;
            (c) Potential conflicts of interest and methods of minimising them; and
            (d) The risk of adverse events of other group entities on the licensee, in particular due to financial weakness, crime or fraudulent behaviour.
            Amended: January 2007
            Amended: October 2007

          • RM-8.1.9

            An insurance licensee should not be subject to material influence by other entities of the group through informal or undocumented channels. The overall governance, high-level controls and reporting lines with the group should be clearly documented.

            Amended: October 2007

      • RM-9 Cyber Security Risk Management

        • RM-9.1 Cyber Security Risk Management

          • Role of the Board and Senior Management

            • RM-9.1.1

              The Board of insurance licensees must ensure that the licensee has a robust cyber security risk management framework to comprehensively manage the licensee’s cyber security risk and vulnerabilities. The Board must establish clear ownership, decision-making and management accountability for risks associated with cyber-attacks and related risk management and recovery processes.

              Amended: January 2022
              Added: October 2019

              • RM-9.1.2

                Licensees must ensure that the cyber security risk management framework encompasses, at a minimum, the following components:

                a) Cyber security strategy;
                b) Cyber security policy; and
                c) Cyber security risk management approach, tools and methodology, and an organization-wide security awareness program.
                Amended: January 2022
                Added: October 2019

                • RM-9.1.3

                  The cyber security risk management framework must be developed in accordance with the National Institute of Standards and Technology (NIST) Cyber security framework which is summarized in Appendix A – Cyber security Control Guidelines. At the broader level, the Cyber security framework should be consistent with the licensee’s risk management framework.

                  Amended: January 2022
                  Added: October 2019

                • RM-9.1.4

                  Senior management, and where appropriate, the boards, should receive comprehensive reports, covering cyber security issues such as the following:

                  a. Key Risk Indicators/ Key Performance Indicators;
                  b. Status reports on overall cyber security control maturity levels;
                  c. Status of staff Information Security awareness;
                  d. Updates on latest internal or relevant external cyber security incidents; and
                  e. Results from penetration testing exercises.
                  Amended: January 2022
                  Added: October 2019

                • RM-9.1.5

                  The Board must ensure that the cyber security risk management framework is evaluated for scope of coverage, adequacy and effectiveness every three years or when there are significant changes to the risk environment, taking into account emerging cyber threats and cyber security controls.

                  Amended: January 2022
                  Added: October 2019

                • RM-9.1.6

                  Insurance firms must establish a cyber security risk function, independent of the information technology (IT) department, which must report to an independent risk management function or an equivalent function within the licensee. The cyber security risk management function must monitor and report on the status and maturity of relevant cyber security controls. Other insurance licensees may assign the responsibilities to a qualified Chief Information Security Officer (CISO) reporting to an independent risk management function or incorporate the responsibilities of cyber security risk into the risk management function. Overseas insurance licensees must be governed under a framework of cyber security risk management policies which ensure that an adequate level of oversight is exercised by the regional office or head office.

                  Amended: January 2022
                  Added: October 2019

                • RM-9.1.7

                  Licensees should ensure that appropriate resources are allocated to the cyber security risk management function for implementing the cyber security framework.

                  Amended: January 2022
                  Added: October 2019

                • RM-9.1.8

                  Licensees must ensure that the cyber security risk management function is headed by a suitably qualified Chief Information Security Officer (CISO), with appropriate authority to implement the Cyber Security strategy.

                  Amended: January 2022
                  Added: October 2019

                • RM-9.1.9

                  Licensees may establish a cyber security committee that is headed by an independent senior manager from a control function (like CFO / CRO), with appropriate authority to approve policies and frameworks needed to implement the cyber security strategy, and act as a governance committee for the cyber security function. Membership of this committee should include senior management members from business functions, IT, Risk and Compliance.

                  Amended: January 2022
                  Added: October 2019

                • RM-9.1.10

                  The senior management must be responsible for the following activities:

                  (a) Create the overall cyber security risk management framework and adequately oversee its implementation;
                  (b) Formulate an organisation-wide cyber security strategy and cyber security policy;
                  (c) Implement and consistently maintain an integrated, organisation-wide, cyber security risk management framework, and ensure sufficient resource allocation;
                  (d) Monitor the effectiveness of the implementation of cyber security risk management practices and coordinate cyber security activities with internal and external risk management entities;
                  (e) Ensure that internal management reporting caters to cyber threats and cyber security risk treatment;
                  (f) Prepare quarterly or more frequent reports on all cyber incidents (internal and external) and their implications on the licensee; and
                  (g) Ensure that processes for identifying the cyber security risk levels across the licensee are in place and annually evaluated.
                  Amended: January 2022
                  Added: October 2019

                • RM-9.1.11

                  The senior management must ensure that:

                  (a) The licensee has identified clear internal ownership and classification for all information assets and data;
                  (b) The licensee has maintained an inventory of the information assets and data which is reviewed and updated regularly;
                  (c) The cyber security staff are adequate to manage the licensee’s cyber security risks and facilitate the performance and continuous improvement of all relevant cyber security controls;
                  (d) It provides and requires cyber security staff to attend regular cyber security update and training sessions (for example Security+, CEH, CISSP, CISA, CISM, CCSP) to stay abreast of changing cyber security threats and countermeasures.
                  Amended: January 2022
                  Added: October 2019

                • RM-9.1.12

                  With respect to Subparagraph RM-9.1.11(a), data classification entails analyzing the data the licensee retains, determining its importance and value, and then assigning it to a category. When classifying data, the following aspects of the policy should be determined:

                  a) Who has access to the data;
                  b) How the data is secured;
                  c) How long the data is retained (this includes backups);
                  d) What method should be used to dispose of the data;
                  e) Whether the data needs to be encrypted; and
                  f) What use of the data is appropriate.

                  The general guideline for data classification is that the definition of the classification should be clear enough so that it is easy to determine how to classify the data. In other words, there should be little (if any) overlap in the classification definitions. The owner of data (i.e. the relevant business function) should be involved in such classification.

                  Amended: January 2022
                  Added: October 2019

          • Cyber Security Strategy

            • RM-9.1.13

              An organisation-wide cyber security strategy must be defined and documented to include:

              (a) The position and importance of cyber security at the licensee;
              (b) The primary cyber security threats and challenges facing the licensee;
              (c) The licensee’s approach to cyber security risk management;
              (d) The key elements of the cyber security strategy including objectives, principles of operation and implementation approach;
              (e) Scope of risk identification and assessment, which must include the dependencies on third party service providers;
              (f) Approach to planning response and recovery activities; and
              (g) Approach to communication with internal and external stakeholders including sharing of information on identified threats and other intelligence among industry participants.
              Amended: January 2022
              Added: October 2019

            • RM-9.1.14

              The cyber security strategy should be communicated to the relevant stakeholders and it should be revised as necessary and, at least, once every three years. Appendix A provides cyber security control guidelines that can be used as reference to support the licensee’s cyber security strategy and cyber security policy.

              Amended: January 2022
              Added: October 2019

          • Cyber Security Policy

            • RM-9.1.15

              Licensees must implement a written cyber security policy setting forth its policies for the protection of its electronic systems and client data stored on those systems, which must be reviewed and approved by the licensee's senior management, as appropriate, at least annually. The cyber security policy must address areas including, but not limited to, the following:

              (a) Definition of the key cyber security activities within the licensee, the roles, responsibilities, delegated powers and accountability for these activities;
              (b) A statement of the licensee’s overall cyber risk tolerance as aligned with the licensee’s business strategy. The cyber risk tolerance statement should be developed through consideration of the various impacts of cyber threats including customer impact, service downtime, potential negative media publicity, potential regulatory penalties, financial loss, and others;
              (c) Definition of main cyber security processes and measures and the approach to control and assessment;
              (d) Policies and procedures (including process flow diagrams) for all relevant cyber security functions and controls including the following:
                (a) Asset management (Hardware and software);
                (b) Incident management (Detection and response);
                (c) Vulnerability management;
                (d) Configuration management;
                (e) Access management;
                (f) Third party management;
                (g) Secure application development;
                (h) Secure change management;
                (i) Cyber training and awareness;
                (j) Cyber resilience (business continuity and disaster planning); and
                (k) Secure network architecture.

              Amended: January 2022
              Added: October 2019

          • Approach, Tools and Methodology

            • RM-9.1.16

              Licensees must ensure that the cyber security policy is effectively implemented through a consistent risk-based approach using tools and methodologies that are commensurate with the size and risk profile of the licensee. The approach, tools and methodologies must cover all cyber security functions and controls defined in the cyber security policy.

              Amended: January 2022
              Added: October 2019

              • RM-9.1.17

                Licensees should establish and maintain plans, policies, procedures, processes and tools (“playbooks”) that provide well-defined, organised approaches for cyber incident response and recovery activities, including criteria for activating the measures set out in the plans and playbooks to expedite the licensee’s response time. Plans and playbooks should be developed in consultation with business lines to ensure business recovery objectives are met and should be approved by senior management before being broadly shared across the licensee. They should be reviewed and updated regularly to incorporate improvements and/or changes in the licensee. Licensees may enlist external subject matter experts to review complex and technical content in the playbook, where appropriate. A number of plans and playbooks should be developed for specific purposes (e.g. response, recovery, contingency, communication) that align with the overall cyber security strategy.

                Added: January 2022

          • Prevention Controls

            • RM-9.1.18

              A Licensee must develop and implement preventive measures across all relevant technologies to minimise the licensee’s exposure to cyber security risk. Such preventive measures must include, at a minimum, the following:

              (a) Deployment of End Point Protection (EPP) and Endpoint Detection and Response (EDR) including anti-virus software and anti-malware programs to detect, prevent, and isolate malicious code;
              (b) Use of firewalls for network segmentation including use of Web Application Firewalls (WAF), where relevant, for filtering and monitoring HTTP traffic between a web application and the Internet, and access control lists to limit unauthorized system access between network segments;
              (c) Rigorous security testing at software development stage as well as after deployment to limit the number of vulnerabilities;
              (d) Use of a secure email gateway to limit email based cyber attacks such as malware attachments, malicious links, and phishing scams (for example use of Microsoft Office 365 Advanced Threat Protection tools for emails);
              (e) Use of a Secure Web Gateway to limit browser based cyber-attacks, malicious websites and enforce organization policies;
              (f) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on the organization’s systems; and
              (g) Implementing Bring Your Own Device “BYOD” security policies to secure all mobile devices with any access to licensee systems, applications, and networks through security measures such as encryption, remote wipe capabilities, and password enforcement.

              Added: January 2022

            • RM-9.1.19

              Licensees should also implement prevention controls in the following areas:

              (a) Data leakage prevention to detect and prevent confidential data from leaving the licensee’s technology environment;
              (b) Controls or solutions to secure, control, manage and monitor privileged access to critical assets (e.g. Privileged Access Management (PAM));
              (c) Controls to secure physical network ports against connection to computers which are unauthorised to connect to the licensee’s network or which do not meet the minimum-security requirements defined for licensee computer systems (e.g. Network access control); and
              (d) Identity and access management controls to limit the exploitation and monitor the use of privileged and non-privileged accounts.

              Added: January 2022

            • RM-9.1.20

              Licensees must set up anti-spam and anti-spoofing measures to authenticate the licensee’s mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorized to send the email. Examples of such measures include:

              • SPF “Sender Policy Framework”;
              • DKIM “DomainKeys Identified Mail”; and
              • DMARC “Domain-based Message Authentication, Reporting and Conformance”.

              Added: January 2022

            • RM-9.1.21

              Licensees should subscribe to one of the Cyber Threat Intelligence services in order to stay abreast of emerging cyber threats, cybercrime actors and state of the art tools and security measures.

              Added: January 2022

            • RM-9.1.22

              Licensees must use a single unified private email domain or its subdomains for communication with customers to prevent abuse by third parties. Licensees must not utilise third-party email provider domains for communication with customers. The email domains must comply with the requirements with respect to SPF, DKIM and DMARC in this Module. With respect to URLs or other clickable links in communications with customers, licensees must comply with the following requirements:

              (a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of customer request or action. Examples of such customer actions include verification links for customer onboarding, payment links for customer-initiated transactions etc;
              (b) Refrain from using shortened links in communication with customers;
              (c) Implement one or more of the following measures for links sent to customers:
              i. ensure customers receive clear instructions in communications sent with the links;
              ii. prior notification to the customer such as through a phone call informing the customer to expect a link from the licensee;
              iii. provision of transaction details such as the transaction amount and merchant name in the message sent to the customer with the link;
              iv. use of other verification measures like password or biometric authentication; and
              (d) Create customer awareness campaigns to educate their customers on the risk of fraud related to links they receive in SMS, short messages and emails with clear instructions to customers that licensees will not send clickable links in SMS, emails and other short messages to request information or payments unless it is as a result of customer request or action.
              Amended: October 2022
              Added: January 2022

            • RM-9.1.22A

              For the purpose of Paragraph RM-9.1.22, subject to CBB’s approval, licensees may be allowed to use additional domains for email communications with customers under certain circumstances. Examples of such circumstances include emails sent to customers by:

              (a) Head/regional office of a licensee; and
              (b) Third-party service providers subject to prior arrangements being made with customers. Examples of such third-party services include informational subscription services (e.g. Bloomberg) and document management services (e.g. DocuSign).
              Added: October 2022

          • Cyber Risk Identification and Assessments

            • RM-9.1.23

              Licensees must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing current cyber threats relevant to the licensee, it should take into account the factors detailed below:

              (a) Cyber threat entities including cyber criminals, cyber activists, insider threats;
              (b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;
              (c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;
              (d) Dark web surveillance to identify any plot for cyber attacks;
              (e) Examples of cyber threats from past cyber attacks on the licensee if available; and
              (f) Examples of cyber threats from recent cyber attacks on other organisations.

              Added: January 2022

            • RM-9.1.24

              Licensees must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. Cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood and probability of a successful attack.

              Added: January 2022

            • RM-9.1.25

              Licensees should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above the licensee’s risk tolerance levels.

              Added: January 2022

            • RM-9.1.26

              Licensees must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Assessments for external public facing services and systems must be more frequent.

               

              Added: January 2022

            • RM-9.1.27

              With respect to Paragraph RM-9.1.25, external technology refers to the licensee’s public facing technology such as websites, apps and external servers. Connections with third parties include any API or other connections with fintech companies, technology providers, outsourcing service providers etc.

               

              Added: January 2022

            • RM-9.1.28

              Licensees must have in place vulnerability and patch management processes which include remediation processes to ensure that the vulnerabilities identified are addressed and that security patches are applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.

               

              Added: January 2022

            • RM-9.1.29

              All licensees must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least once a year. These tests must be used to simulate real world cyber-attacks on the technology environment and must:

              (a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
              (b) Include both Grey Box and Black Box testing in its scope;
              (c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
              (d) Be performed by internal and external independent third parties who are rotated out at least every two years; and
              (e) Be performed on either the production environment or on non-production exact replicas of the production environment.

               

              Added: January 2022

            • RM-9.1.30

              CBB may require additional third-party security reviews to be performed as needed.

               

              Added: January 2022

            • RM-9.1.31

              The tests referred to in Paragraph RM-9.1.29 must be conducted each year in June and the report on such testing must be submitted to the CBB before 30th September. The penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests together with the steps taken to mitigate the risks identified.

               

              Added: January 2022

          • Cyber Incident Detection and Management

            • RM-9.1.32

              Licensees must implement cyber security incident management processes to ensure timely detection, response and recovery for cyber security incidents. This includes implementing a monitoring system for log correlation and anomaly detection.

               

              Added: January 2022

            • RM-9.1.33

              Licensees should receive data on a real time basis from all relevant systems, applications, and network devices including operational and business systems. The monitoring system should be capable of identifying indicators of cyber incidents and initiate alerts, reports, and response activities based on the defined cyber security incident management process.

               

              Added: January 2022

            • RM-9.1.34

              Licensees should retain the logs and other information from the monitoring system for detecting cyber incidents, including "low-and-slow" attacks, in order to facilitate incident investigations, for 12 months or longer.

               

              Added: January 2022

            • RM-9.1.35

              Once a cyber incident is detected, licensees should activate their containment measures, processes and technologies best suited to each type of cyber incident to prevent a cyber incident from inflicting further damage. This may involve, after considering the costs, business impact and operational risks, shutting down or isolating all or affected parts of their systems and networks as deemed necessary for containment and diagnosis.

               

              Added: January 2022

            • RM-9.1.36

              Licensees must define roles and responsibilities and assign adequate resources to detect, identify, investigate and respond to cyber incidents that could impact the licensee’s infrastructure, services and customers. Such responsibilities must include log correlation, anomaly detection and maintaining the licensee’s asset inventory and network diagrams.

               

              Added: January 2022

            • RM-9.1.37

              Licensees must regularly identify, test, review and update current cyber security risk scenarios and the corresponding response plan. This is to ensure that the scenarios and response plan remain relevant and effective, taking into account changes in the operating environment, systems or the emergence of new cyber security threats. If any gaps are identified, the monitoring system must be updated with new use cases and rule sets which are capable of detecting the current cyber incident scenarios.

               

              Added: January 2022

            • RM-9.1.38

              The cyber incident scenario tests should include high-impact-low-probability events and scenarios that may result in failure. Common cyber incident scenarios include distributed denial of service (DDoS) attacks, system intrusion, data exfiltration and system disruption. Licensees should regularly use threat intelligence to update the scenarios so that they remain current and relevant. Licensees should periodically review current cyber incident scenarios for the purpose of assessing the licensee’s ability to detect and respond to these scenarios if they were to occur.

               

              Added: January 2022

            • RM-9.1.39

              Licensees must ensure that critical cyber security incidents detected are escalated to an incident response team, management and the Board, in accordance with the licensee’s business continuity plan and crisis management plan, and that an appropriate response is implemented promptly. See also Paragraph RM-9.1.58 for the requirement to report to CBB.

               

              Added: January 2022

            • RM-9.1.40

              Licensees should clearly define the roles, responsibilities and accountabilities for cyber incident detection and response activities to one or more named individuals that meet the pre-requisite role requirements. Potential conflicts of interest are minimised by ensuring a separation of implementation and oversight roles where possible. The roles should include:

              • Incident Owner: An individual that is responsible for handling the overall cyber incident detection and response activities according to the incident type and services affected. The Incident Owner is delegated appropriate authority to manage the mitigation or preferably, removal of all impacts due to the incident.
              • Spokesperson: An individual, from External Communications Unit or another suitable department, that is responsible for managing the communications strategy by consolidating relevant information and views from subject matter experts and the licensee’s management to update the internal and external stakeholders with consistent information.
              • Record Keeper: An individual that is responsible for maintaining an accurate record of the cyber incident throughout its different phases, as well as documenting actions and decisions taken during and after a cyber incident. The record serves as an accurate source of reference for after-action reviews to improve future cyber incident detection and response activities.

               

              Added: January 2022

            • RM-9.1.41

              For the purpose of managing a critical cyber incident, the licensee should operate a situation room, and should include in the incident management procedure a definition of the authorities and responsibilities of staff members, internal and external reporting lines, communication channels, tools and detailed working procedures. The situation room or a war room is a physical room or a virtual room where relevant members of the management gather to handle a crisis in the most efficient manner possible.

               

              Added: January 2022

            • RM-9.1.42

              Licensees should record and document in an orderly manner the incidents that have been handled and the actions that were taken by the relevant functions. In particular, the licensee should maintain an "incident log" in which all the notifications, decisions and actions taken, in relation to cyber incidents, are documented, as close as possible to the time of their occurrence. It should also include the status of the issue (whether it is open or has been resolved) and the person in charge of resolving the issue/incident. The logs should be stored and preserved in a secure and legally admissible manner.

               

              Added: January 2022

            • RM-9.1.43

              Licensees should utilise a pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions; and a pre-established severity assessment framework to help gauge the severity of the cyber incident. Examples of taxonomies that can be used when describing cyber incidents:

              (a) Describe the cause of the cyber incident (e.g. process failure, system failure, human error, external event, malicious action)
              (b) Describe whether the cyber incident is due to a third-party service provider
              (c) Describe the attack vector (e.g. malware, virus, worm, malicious hyperlink)
              (d) Describe the delivery channel used (e.g. e-mail, web browser, removable storage media)
              (e) Describe the impact (e.g. service degradation/disruption, service downtime, potential impact to customers, data leakage, unavailability of data, data destruction/corruption, tarnishing of reputation)
              (f) Describe the type of incident (e.g. zero-day attack, exploiting a known vulnerability, isolated incident)
              (g) Describe the intent (e.g. malicious, theft, monetary gain, fraud, political, espionage, opportunistic)
              (h) Describe the threat actor (e.g. script kiddies, amateur, criminal syndicate, hacktivist, nation state)

              The cyber incident severity may be classified as:

              (a) Severity 1 incident has or will cause a serious disruption or degradation of critical service(s) and there is potentially high impact on public confidence in the licensee.
              (b) Severity 2 incident has or will cause some degradation of critical services and there is medium impact on public confidence in the licensee.
              (c) Severity 3 incident has little or no impact to critical services and there is no visible impact on public confidence in the licensee.

               

              Added: January 2022

            • RM-9.1.44

              Licensees should determine the effects of the cyber incident on customers and to the wider financial system as a whole and report the results of such an assessment to CBB if it is determined that the cyber incident may have a systemic impact.

               

              Added: January 2022

            • RM-9.1.45

              Licensees should establish metrics to measure the impact of a cyber incident and to report to management the performance of response activities. Examples include:

              1. Metrics to measure impact of a cyber incident
              (a) Duration of unavailability of critical functions and services
              (b) Number of stolen records or affected accounts
              (c) Volume of customers impacted
              (d) Amount of lost revenue due to business downtime, including both existing and future business opportunities
              (e) Percentage of service level agreements breached
              2. Performance metrics for incident management
              (a) Volume of incidents detected and responded via automation
              (b) Dwell time (i.e. the duration a threat actor has undetected access until completely removed)
              (c) Recovery point objectives (RPO) and recovery time objectives (RTO) satisfied

               

              Added: January 2022

          • Recovery

            • RM-9.1.46

              Licensees must identify the critical systems and services within their operating environment that must be recovered on a priority basis in order to provide a certain minimum level of services during the downtime and determine how much time the licensee will require to return to full service and operations.

               

              Added: January 2022

            • RM-9.1.47

              Critical incidents are defined as incidents that trigger the BCP and the crisis management plan. Critical systems and services are those whose failure can have material impact on any of the following elements:

              a) Financial situation;
              b) Reputation;
              c) Regulatory, legal and contractual obligations; and
              d) Operational aspects and delivery of key products and services.

               

              Added: January 2022

            • RM-9.1.48

              Licensees must define a program for recovery activities for timely restoration of any capabilities or services that were impaired due to a cyber security incident. Licensees must establish recovery time objectives (“RTOs”), i.e. the time in which the intended process is to be covered, and recovery point objectives (“RPOs”), i.e. the point to which information used must be restored to enable the activity to operate on resumption. Licensees must also consider the need for communication with third party service providers, customers and other relevant external stakeholders as may be necessary.

               

              Added: January 2022

            • RM-9.1.49

              Licensees must ensure that all critical systems are able to recover from a cyber security breach within the licensee’s defined RTO in order to provide important services or some level of minimum services for a temporary period of time.

               

              Added: January 2022

            • RM-9.1.50

              Licensees should validate that recovered assets are free of compromise, fully functional and meet the security requirements before returning the systems to normal business operations. This includes performing checks on data to ensure data integrity. In some cases, licensees may need to use backup data kept in a disaster recovery site or plan for the reconstruction of data from external stakeholders such as business partners and customers.

               

              Added: January 2022

            • RM-9.1.51

              Licensees must define a program for exercising the various response mechanisms, taking into account the various types of exercises such as attack simulations, "war games" and "table top" exercises, and with reference to the relevant stakeholders such as technical staff, crisis management team, decision-makers and spokespersons.

               

              Added: January 2022

            • RM-9.1.52

              Licensees must define the mechanisms for ensuring accurate, timely and actionable communication of cyber incident response and recovery activities with the internal stakeholders, including to the board or designated committee of the board.

               

              Added: January 2022

            • RM-9.1.53

              The licensee must ensure its business continuity plan is comprehensive and includes a recovery plan for its systems, operations and services arising from a cyber security incident.

               

              Added: January 2022

          • Cyber Security Insurance

            • RM-9.1.54

              Licensees must arrange to seek cyber risk insurance cover from a suitable insurer, following a risk-based assessment of cyber security risk undertaken by the respective licensee and independently verified by the insurance company. The insurance policy may include some or all of the following types of coverage, depending on the risk assessment outcomes:

              a) Crisis management expenses, such as costs of notifying affected parties, costs of forensic investigation, costs incurred to determine the existence or cause of a breach, regulatory compliance costs, costs to analyse the insured’s legal response obligations;
              b) Claim expenses such as costs of defending lawsuits, judgments and settlements, and costs of responding to regulatory investigations; and
              c) Policy also provides coverage for a variety of torts, including invasion of privacy or copyright infringement. First-party coverages may include lost revenue due to interruption of data systems resulting from a cyber or denial of service attack and other costs associated with the loss of data collected by the insured.

               

              Added: January 2022

          • Training and Awareness

            • RM-9.1.55

              Licensees must evaluate improvement in the level of awareness and preparedness to deal with cyber security risk to ensure the effectiveness of the training programmes implemented.

               

              Added: January 2022

            • RM-9.1.56

              The licensee must ensure that all employees receive adequate training on a regular basis, in relation to cyber security and the threats they could encounter, such as through testing employee reactions to simulated cyber-attack scenarios. All relevant employees must be informed on the current cyber security breaches and threats. Additional training should be provided to ‘higher risk staff’.

               

              Added: January 2022

            • RM-9.1.57

              Licensees must ensure that role specific cyber security training is provided on a regular basis to relevant staff including:

              Executive board and senior management;
              Cyber security roles;
              IT staff; and
              Any high-risk staff as determined by the licensee.

               

              Added: January 2022

          • Reporting to CBB

            • RM-9.1.58

              Upon occurrence or detection of any cyber security incident, whether internal or external, that compromises customer information or disrupts critical services that affect operations, licensees must contact the CBB, immediately (within one hour), on 17547477 and submit Section A of the Cyber Security Incident Report (Appendix RM-1) to CBB’s cyber incident reporting email, incident.insurance@cbb.gov.bh, within two hours.

              Added: January 2022
              Amended: April 2022

            • RM-9.1.59

              Following the submission referred to in Paragraph RM-9.1.58, the licensee must submit to CBB Section B of the Cyber Security Incident Report (Appendix RM-1) within 10 calendar days of the occurrence of the cyber security incident. Licensees must include all relevant details in the report, including the full root cause analysis of the cyber security incident, its impact on the business operations and customers, and all measures taken by the licensee to stop the attack, mitigate its impact and to ensure that similar events do not recur. In addition, a weekly progress update must be submitted to CBB until the incident is fully resolved.

               

              Added: January 2022
              Amended: April 2022

            • RM-9.1.60

              With regards to the submission requirement mentioned in Paragraph RM-9.1.58, the licensee should submit the report with as much information as possible even if all the details have not been obtained yet.

               

              Added: January 2022

            • RM-9.1.61

              The penetration testing report as per Paragraph RM-9.1.29, along with the steps taken to mitigate the risks must be maintained by the licensee for a five-year period from the date of the report and must be provided to CBB

               

              Added: January 2022

          • Appendix A – Cyber Security Control Guidelines

            The Control Guidelines consist of five Core tasks which are defined below. These Functions are not intended to form a serial path or lead to a static desired end state. Rather, the Functions should be performed concurrently and continuously to form an operational culture that addresses the dynamic cyber security risk.

            Identify – Develop an organisation-wide understanding to manage cyber security risk to systems, people, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Cyber Security Risk Management Framework. Understanding the business context, the resources that support critical functions, and the related cyber security risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

            Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cyber security incident.

            Detect – Develop and implement appropriate activities to identify the occurrence of a cyber security incident. The Detect Function enables timely discovery of cyber security events.

            Respond – Develop and implement appropriate activities to take action regarding a detected cyber security incident. The Respond Function supports the ability to contain the impact of a potential cyber security incident.

            Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cyber security incident.

            Below is a listing of the specific cyber security activities that are common across all critical infrastructure sectors:

            IDENTIFY

            Asset Management: The data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the licensee’s risk strategy.

            1. Physical devices and systems within the licensee are inventoried.
            2. Software platforms and applications within the licensee are inventoried.
            3. Communication and data flows are mapped.
            4. External information systems are catalogued.
            5. Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
            6. Cyber security roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.

            Business Environment: The licensee’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cyber security roles, responsibilities, and risk management decisions.

            1. Priorities for the licensee’s mission, objectives, and activities are established and communicated.
            2. Dependencies and critical functions for delivery of critical services are established.
            3. Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations).

            Governance: The policies, procedures, and processes to manage and monitor the licensee’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cyber security risk.

            1. The licensee’s cyber security policy is established and communicated.
            2. Cyber security roles and responsibilities are coordinated and aligned with internal roles and external partners.
            3. Legal and regulatory requirements regarding cyber security, including privacy and civil liberties obligations, are understood and managed.
            4. Governance and risk management processes address cyber security risks.

            Risk Assessment: The licensee understands the cyber security risk to licensee’s operations (including mission, functions, image, or reputation), licensee’s assets, and individuals.

            1. Asset vulnerabilities are identified and documented.
            2. Cyber threat intelligence is received from information sharing forums and sources.
            3. Threats, both internal and external, are identified and documented.
            4. Potential business impacts and likelihoods are identified.
            5. Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
            6. Risk responses are identified and prioritized.

            Risk Management Strategy: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

            1. Risk management processes are established, managed, and agreed to by licensee’s stakeholders.
            2. The licensee’s risk tolerance is determined and clearly expressed.
            3. The licensee’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.

            Third Party Risk Management: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing third party risk. The licensee has established and implemented the processes to identify, assess and manage supply chain risks.

            1. Cyber third-party risk management processes are identified, established, assessed, managed, and agreed to by the licensee’s stakeholders.
            2. Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber third-party risk assessment process.
            3. Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of a licensee’s cyber security program.
            4. Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
            5. Response and recovery planning and testing are conducted with suppliers and third-party providers.

            PROTECT

            Identity Management, Authentication and Access Control: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

            1. Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.
            2. Physical access to assets is managed and protected.
            3. Remote access is managed.
            4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
            5. Network integrity is protected (e.g., network segregation, network segmentation).
            6. Identities are proofed and bound to credentials and asserted in interactions.
            7. Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).

            Awareness and Training: The licensee’s personnel and partners are provided cyber security awareness education and are trained to perform their cyber security-related duties and responsibilities consistent with related policies, procedures, and agreements.

            1. All users are informed and trained on a regular basis.
            2. Licensee’s security awareness programs are updated at least annually to address new technologies, threats, standards, and business requirements.
            3. Privileged users understand their roles and responsibilities.
            4. Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
            5. The Board and senior management understand their roles and responsibilities.
            6. Physical and cyber security personnel understand their roles and responsibilities.
            7. Software development personnel receive training in writing secure code for their specific development environment and responsibilities.

            Data Security: Information and records (data) are managed consistent with the licensee’s risk strategy to protect the confidentiality, integrity, and availability of information.

            1. Data-at-rest classified as critical or confidential is protected through strong encryption.
            2. Data-in-transit classified as critical or confidential is protected through strong encryption.
            3. Assets are formally managed throughout removal, transfers, and disposition.
            4. Adequate capacity to ensure availability is maintained.
            5. Protections against data leaks are implemented.
            6. Integrity checking mechanisms are used to verify software, firmware, and information integrity.
            7. The development and testing environment(s) are separate from the production environment.
            8. Integrity checking mechanisms are used to verify hardware integrity.

            Information Protection Processes and Procedures: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational units), processes, and procedures are maintained and used to manage protection of information systems and assets.

            1. A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).
            2. A System Development Life Cycle to manage systems is implemented.
            3. Configuration change control processes are in place.
            4. Backups of information are conducted, maintained, and tested.
            5. Policy and regulations regarding the physical operating environment for licensee’s assets are met.
            6. Data is destroyed according to policy.
            7. Protection processes are improved.
            8. Effectiveness of protection technologies is shared.
            9. Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
            10. Response and recovery plans are tested.
            11. Cyber security is included in human resources practices (e.g., deprovisioning, personnel screening).
            12. A vulnerability management plan is developed and implemented.

            Maintenance: Maintenance and repairs of information system components are performed consistent with policies and procedures.

            1. Maintenance and repair of licensee’s assets are performed and logged, with approved and controlled tools.
            2. Remote maintenance of licensee’s assets is approved, logged, and performed in a manner that prevents unauthorized access.

            Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

            1. Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
            2. Removable media is protected and its use restricted according to policy.
            3. The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
            4. Communications and control networks are protected.
            5. Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.

            DETECT

            Anomalies and Events: Anomalous activity is detected and the potential impact of events is understood.

            1. A baseline of network operations and expected data flows for users and systems is established and managed.
            2. Detected events are analyzed to understand attack targets and methods.
            3. Event data are collected and correlated from multiple sources and sensors.
            4. Impact of events is determined.
            5. Incident alert thresholds are established.

            Security Continuous Monitoring: The information system and assets are monitored to identify cyber security events and verify the effectiveness of protective measures.

            1. The network is monitored to detect potential cyber security events.
            2. The physical environment is monitored to detect potential cyber security events.
            3. Personnel activity is monitored to detect potential cyber security events.
            4. Malicious code is detected.
            5. Unauthorized mobile code is detected.
            6. External service provider activity is monitored to detect potential cyber security events.
            7. Monitoring for unauthorized personnel, connections, devices, and software is performed.
            8. Vulnerability scans are performed at least quarterly.

            Detection Processes: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.

            1. Roles and responsibilities for detection are well defined to ensure accountability.
            2. Detection activities comply with all applicable requirements.
            3. Detection processes are tested.
            4. Event detection information is communicated.
            5. Detection processes are continuously improved.

            RESPOND

            Response Planning: Response processes and procedures are executed and maintained, to ensure response to detected cyber security incidents. Response plan is executed during or after an incident.

            Communications: Response activities are coordinated with internal and external stakeholders.

            1. Personnel know their roles and order of operations when a response is needed.
            2. Incidents are reported consistent with established criteria.
            3. Information is shared consistent with response plans.
            4. Coordination with internal and external stakeholders occurs consistent with response plans.
            5. Voluntary information sharing occurs with external stakeholders to achieve broader cyber security situational awareness.
            6. Incident response exercises and scenarios across departments are conducted at least annually.

            Analysis: Analysis is conducted to ensure effective response and support recovery activities.

            1. Notifications from detection systems are investigated.
            2. The impact of the incident is understood.
            3. Forensics are performed.
            4. Incidents are categorized consistent with response plans.
            5. Processes are established to receive, analyze and respond to vulnerabilities disclosed to the licensee from internal and external sources (e.g. internal testing, security bulletins, or security researchers).

            Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.

            1. Incidents are contained.
            2. Incidents are mitigated.
            3. Newly identified vulnerabilities are mitigated or documented as accepted risks.

            Improvements: The response activities are improved by incorporating lessons learned from current and previous detection/response activities.

            1. Response plans incorporate lessons learned.
            2. Response strategies are updated.

            RECOVER

            Recovery Planning: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cyber security incidents. Recovery plan is executed during or after a cyber security incident.

            Improvements: Recovery planning and processes are improved by incorporating lessons learned into future activities.

            1. Recovery plans incorporate lessons learned.
            2. Recovery strategies are updated.

            Communications: Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).

            1. Public relations are managed.
            2. Reputation is repaired after an incident.
            3. Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.
            Added: January 2022

    • FC FC Financial Crime

      • FC-A FC-A Introduction

        • FC-A.1 FC-A.1 Purpose

          • Executive Summary

            • FC-A.1.1

              This Module applies, to relevant insurance licensees, a comprehensive framework of Rules and Guidance aimed at combating money laundering and terrorist financing. In so doing, it helps implement the FATF Recommendations on combating money laundering and financing of terrorism and proliferation, issued by the Financial Action Task Force (FATF), that are relevant to insurance licensees; it also implements IAIS guidance in this area. (Further information on these can be found in Chapter FC-9.) The Module also contains measures relating to the combating of fraud in the insurance sector.

              Amended: October 2015
              Amended: January 2007

            • FC-A.1.2

              The Module requires insurance firms and insurance brokers to have effective anti-money laundering ('AML') policies and procedures, in addition to measures for combating the financing of terrorism ('CFT'). The Module contains detailed requirements relating to customer due diligence, reporting and the role and duties of the Money Laundering Reporting Officer (MLRO). Furthermore, examples of suspicious activity are provided (see Part B, Supplementary Information, Appendix FC-(iv)), to assist licensees to monitor transactions and fulfil their reporting obligations under Bahrain law. Because they represent negligible money laundering/terrorism financing risk, these requirements do not apply to insurance consultants nor, in some circumstances, to insurance managers.

              Amended: July 2007

            • FC-A.1.3

              This Module also covers measures in place to combat fraud: these apply to all insurance licensees. Chapter FC-10 sets out basic requirements regarding measures to deter, detect and report instances of fraud and attempted fraud.

          • Legal Basis

            • FC-A.1.4

              This Module contains the Central Bank of Bahrain's (the CBB) Directive (as amended from time to time) regarding the combating of money laundering and terrorism financing and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to insurance licensees (including their approved persons).

              Amended: January 2022
              Amended: January 2011
              Added: January 2007

            • FC-A.1.5

              For an explanation of the CBB’s rule-making powers and different regulatory instruments, see Section UG-1.1.

              Added: January 2007

        • FC-A.2 FC-A.2 Module History

          • FC-A.2.1

            This Module was first issued by the BMA in April 2005, together with the rest of Volume 3 (Insurance). Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

            Amended: January 2007

          • FC-A.2.2

            When the CBB replaced the BMA in September 2006, the provisions of this Module remained in force. Volume 3 was updated in January 2007 to reflect the switch to the CBB; however, new calendar quarter dates were only issued where the update necessitated changes to actual requirements.

            Added: January 2007

          • FC-A.2.3

            A list of recent changes made to this Module is detailed in the table below:

            | Module Ref. | Change Date | Description of Changes |
            | --- | --- | --- |
            | FC-A.1; FC-2; FC-3; FC-5; FC-6.1; FC-6.2; FC-6.5 | 01/07/05 | Inclusion of a revised and renamed Customer Due Diligence Chapter (including a new non-face-to-face business Section). Renamed Suspicious Transaction Reporting Chapter, with minor clarifications to the text. Changes to layout of FC-5 and clarifications to the text. Correction of minor typographical and cross-referencing errors. |
            | FC | 01/10/05 | New Chapter on Non-Cooperative Countries/Territories, and UN notifications. Section on charities removed, since not applicable to insurance licensees. Extensive drafting changes to remainder of text, to improve clarity and ensure consistency across different CBB Rulebooks; but no other changes of substance. |
            | FC-1.2 | 01/01/06 | Clarified in FC-1.2.11 that the verification for item (a) applies to the identity of the ultimate provider of funds. |
            | FC-3.1.7 | 01/04/06 | Clarified and added guidance Paragraph dealing with residency requirements of MLRO. |
            | FC-4.3.1 | 01/07/06 | Updated contact information for Compliance Directorate. |
            | FC-A.1.4 | 01/2007 | New Rule introduced, categorising this Module as a Directive |
            | FC-1.6.3 | 01/2007 | Clarified simplified due diligence rules for transactions under BD6,000. |
            | FC-3.3.5A and FC-3.3.7 | 01/2007 | Allowed for a transition period for the external auditor's report required under SubParagraph FC-3.3.1(d) and clarified when all reports are due. |
            | FC-4.3.1 | 01/2007 | Updated new e-mail address for Compliance Directorate. |
            | FC-1.7.2(d) | 10/2007 | Clarified the record retention period for introduced business in line with Article 60 of the CBB Law |
            | FC-2.2.3, FC-2.2.6, FC-4.2.5, FC-6.1.1, FC-6.1.2, FC-6.1.3 | 10/2007 | Clarified the record retention period for various transactions to be in line with Article 60 of the CBB Law |
            | FC-3.3.2 | 10/2007 | Clarified the appointment of external auditors for the purposes of the report required under Paragraph FC-3.3.1 (d) |
            | FC-10.1.11 | 10/2007 | Added reference to new Guidance paper on fraud issued by the IAIS. |
            | FC-3.3.7 | 04/2008 | Clarified to whom in the CBB should the reports required under Paragraph FC-3.3.1 be submitted to. |
            | FC-1.7.2, FC-2.2.3, FC-2.2.6, FC-4.2.5, FC-6.1.1, FC-6.1.2, FC-6.1.3 | 04/2008 | Reduced retention requirements of records to five years to be consistent with AML Law and other Volumes of the CBB Rulebook |
            | Table of Contents | 07/2008 | Added Supplementary Documents to Part B. |
            | FC-1.1.3 | 07/2009 | Provided guidance for insurance brokers on definition of 'customers'. |
            | FC-3.1.10, FC-3.2.1, FC-4.2.3, FC-4.3.1 | 04/2010 | Updated name and e-mail of relevant authority to Financial Intelligence Unit. |
            | FC-A.1.4 | 01/2011 | Clarified legal basis |
            | FC-3.1.9 | 10/2011 | Clarified requirements for MLRO. |
            | FC-3.3 | 10/2011 | Amended Section to allow for CBB-approved consultancy firm to do required sample testing and report under Paragraph FC-3.3.1. |
            | FC-3.3.5 and FC-3.3.6 | 01/2012 | Amended to reflect the addition of approved consultancy firm. |
            | FC-4.2.3 | 10/2014 | Updated method of submitting STRs. |
            | FC-4.3 | 10/2014 | Updated relevant authorities information. |
            | FC | 10/2015 | Updated to reflect February 2012 update to FATF Recommendations. |
            | FC-1.5.1 | 07/2016 | Aligned definition of PEPs as per FATF Recommendations. |
            | FC-1.5.4 | 07/2016 | Definition of PEPs is already included in Glossary so this guidance paragraph was deleted. |
            | FC-4.2.3 | 07/2016 | Updated instructions for STR. |
            | FC-1.2.9A | 01/2017 | Added guidance paragraph on CR printing |
            | FC-7.2.1AA | 04/2017 | Implementing and complying with the United Nations Security Council resolutions requirement. |
            | FC-1.1.2B | 10/2017 | Amended paragraph on CDD requirements. |
            | FC-1.2.7 | 10/2017 | Amended paragraph. |
            | FC-1.2.8A | 10/2017 | Added new paragraph on legal entities or legal arrangements CDD. |
            | FC-2.2.10 – FC-2.2.11 | 10/2017 | Amended paragraphs on On-going CDD and Transaction Monitoring. |
            | FC-3.1.6A | 10/2017 | Added paragraph on combining the MLRO or DMLRO position with any other position within the licensee. |
            | FC-B.3.4 | 01/2018 | Amended paragraph. |
            | FC-1.5.5 | 01/2018 | Added new paragraph. |
            | FC-1.5.6 | 01/2018 | Added new paragraph. |
            | FC-1.6.1 | 01/2018 | Deleted sub-paragraph (f). |
            | FC-1.7.1 | 01/2018 | Amended paragraph. |
            | FC-4.2.6 | 01/2018 | Amended paragraph. |
            | FC-7.1.4 | 01/2018 | Amended paragraph. |
            | FC-7.2.2 | 01/2018 | Deleted paragraph. |
            | FC-1.1.2 | 07/2018 | Deleted sub-paragraph (g). |
            | FC-1.2.1 | 07/2018 | Amended guidance deleting the threshold. |
            | FC-1.6.3 | 07/2018 | Deleted Paragraph. |
            | FC-1.6.9 | 07/2018 | Deleted Paragraph. |
            | FC-1.6.10 | 07/2018 | Deleted Paragraph. |
            | FC-1.6.1 | 01/2019 | Amended references. |
            | FC-3.3.2 - FC-3.3.5 | 01/2019 | Amended references. |
            | FC-3.3.5A | 01/2019 | Deleted paragraph. |
            | FC-3.3.7 | 01/2019 | Amended references. |
            | FC-6.1.2 | 01/2019 | Amended references. |
            | FC-3.1.10 | 10/2019 | Amended authority name. |
            | FC-3.2.1 | 10/2019 | Amended authority name. |
            | FC-4.2.3 | 10/2019 | Amended authority name. |
            | FC-4.3.2 | 10/2019 | Amended authority name. |
            | FC-7.2.1AA | 10/2019 | Defined 'without delay'. |
            | FC-1.1.1 | 01/2020 | Amended Paragraph on procedures approval. |
            | FC-1.2.1 | 01/2020 | Added a new sub-Paragraph. |
            | FC-3.3.5 | 01/2020 | Amended Paragraph on report submission date. |
            | FC-3.3.7 | 01/2020 | Amended Paragraphs references. |
            | FC-2.1.4 & FC-2.1.5 | 04/2020 | Added new Paragraphs on KPIs compliance with AML/CFT requirements. |
            | FC-5.1.6A | 01/2021 | Added a new Paragraph on requirements to hire new employees. |
            | FC-A.1.4 | 01/2022 | Amended Paragraph to replace financial crime with money laundering and terrorism financing. |
            | FC-C | 01/2022 | New chapter on risk-based approach (RBA). |
            | FC-1.1 | 01/2022 | Amended Section to introduce additional rules for non-resident customers, amendments to customers onboarded prior to full completion of customer due diligence, digital onboarding etc. |
            | FC-1.2 | 01/2022 | Amended Section to include E-KYC and electronic documents law requirements. |
            | FC-1.3 | 01/2022 | Amended Section on enhanced due diligence requirements for customers identified as having higher risk profile. |
            | FC-1.4 | 01/2022 | Amended Section to introduce detailed requirements for digital onboarding and related requirements. |
            | FC-1.5.2 | 01/2022 | Amended Paragraph on onboarding non-Bahraini PEPs using digital ID applications. |
            | FC-1.5A | 01/2022 | Added a new Section on Enhanced Due Diligence: Charities, Clubs and Other Societies |
            | FC-1.6.8A | 01/2022 | Added a new Paragraph on not applying simplified CDD in situations where the licensee has identified high ML/TF/PF risks. |
            | FC-2.2.5 | 01/2022 | Amended Paragraph. |
            | FC-3.3.1B | 01/2022 | Amended Paragraph. |
            | FC-3.3.2 | 01/2022 | Amended Paragraph. |
            | FC-3.3.5 | 01/2022 | Amended Paragraph. |
            | FC-3.3.6 | 01/2022 | Deleted Paragraph. |
            | FC-3.3.7 | 01/2022 | Deleted Paragraph. |
            | FC-5.1.6A | 01/2022 | Deleted Paragraph. |
            | FC-C.2.3 | 01/2023 | Minor amendment to Paragraph. |
            | FC-7.2.4(c) | 01/2023 | Added a new Sub-paragraph on reporting any frozen assets or actions taken. |
            | FC-1.1.14A | 10/2023 | Amended Sub-Paragraph on the enhanced diligence for the non-resident accounts. |
            | FC-1.1.14E | 10/2023 | Deleted Paragraph. |
            | FC-1.1.14I | 10/2023 | Deleted Paragraph. |
            | FC-1.1.17 | 10/2023 | Added a new Paragraph on CDD and Customer onboarding requirements. |
            | FC-1.8 | 10/2023 | Added a new Section on reliance on third parties for customer due diligence. |
            | FC-1.2.1 | 01/2024 | Amended Paragraph on customer due diligence. |

          • FC-A.2.3 [Deleted]

            Deleted: January 2007

          • FC-A.2.4

            Guidance on the implementation and transition to Volume 3 (Insurance) is given in Module ES (Executive Summary).

            Amended: January 2007

      • FC-B FC-B Scope of Application

        • FC-B.1 FC-B.1 License Categories

          • FC-B.1.1

            Chapters FC-1 to FC-9 apply to all insurance firms and insurance brokers. These Chapters also apply to insurance managers where they manage a captive insurer. Chapters FC-1 to FC-9 do not apply to insurance consultants.

          • FC-B.1.2

            Chapters FC-1 to FC-9 apply, as specified in Paragraph FC-B.1.1, to all insurance firms, insurance brokers and, where they manage a captive insurer, insurance managers, irrespective of whether they are a Bahraini insurance licensee or an overseas insurance licensee. Overseas insurance licensees, and Bahraini insurance licensees that are subsidiaries of an overseas group, may apply additional AML/CFT policies and procedures, provided they satisfy the minimum requirements contained in this Module.

            Amended: January 2007
            Amended: October 2007

          • FC-B.1.3

            The Rules and Guidance in this Module are in addition to and supplement the requirements contained in Decree Law No. (4) of 2001 with respect to the prevention and prohibition of the laundering of money; this Law was subsequently updated, with the issuance of Decree Law No. 54 of 2006 with respect to amending certain provisions of Decree No. 4 of 2001 (collectively, 'the AML Law'). The AML Law imposes obligations generally in relation to the prevention of money laundering and the combating of the financing of terrorism, to all persons resident in Bahrain (including financial services firms such as insurance licensees). All insurance licensees are under the statutory obligations of that Law, in addition to the more specific requirements contained in this Module. Nothing in this Module is intended to restrict the application of the AML Law (a copy of which is contained in Part B of Volume 3 (Insurance), under 'Supplementary Information'). Also included in Part B is a copy of Decree Law No. 58 of 2006 with respect to the protection of society from terrorism activities ('the anti-terrorism law').

            Amended: January 2007

          • FC-B.1.4

            Chapter FC-10, dealing with insurance fraud, applies to all insurance licensees.

        • FC-B.2 FC-B.2 Types of Insurance Business

          • FC-B.2.1

            This Module applies to all types of insurance contracts, including general and long-term insurance, as well as to reinsurance and captive insurance business.

            Amended: January 2007
            Amended: October 2007

          • FC-B.2.2

            International experience shows that all types of insurance (including general insurance and reinsurance) have been used as channels for illegal activities. However, the CBB also recognises that in the case of pure reinsurance transactions, these risks may exist to a lesser extent. Consequently, upon application by the licensee, the CBB will consider, on an individual basis, exemptions from specific requirements of this Module, in relation to the reinsurance activities of licensees. Normally, the CBB will consider granting such exemptions where the reinsurer concerned deals only with licensed insurance entities, that are subject to AML / CFT standards equivalent to those in this Module.

            Amended: January 2007
            Amended: October 2007

        • FC-B.3 FC-B.3 Overseas Subsidiaries and Branches

          • FC-B.3.1

            Insurance licensees must apply the requirements in this Module to all their branches and subsidiaries, including those operating in another jurisdiction. Where local standards differ, the higher standard must be followed. Insurance licensees must pay particular attention to procedures in branches and subsidiaries in countries that do not or insufficiently apply the FATF Recommendations and Special Recommendations and do not have adequate AML/CFT procedures, systems and controls (see also Section FC-7.1).

            Amended: October 2015
            Amended: January 2007

          • FC-B.3.2

            Where another jurisdiction's laws or Regulations prevent an insurance licensee (or any of its foreign branches or subsidiaries) from applying the same standards contained in this Module or higher, the licensee must immediately inform the CBB in writing.

            Amended: January 2007

          • FC-B.3.3

            In such instances, the CBB will review alternatives with the insurance licensee. Should the CBB and the licensee be unable to reach agreement on the satisfactory implementation of this Module in a foreign subsidiary or branch, the insurance licensee may be required by the CBB to cease the operations of the subsidiary or branch in the foreign jurisdiction in question.

            Amended: January 2007

          • FC-B.3.4

            Financial groups (e.g. an insurance firm with its subsidiaries) must implement groupwide programmes against money laundering and terrorist financing, including policies and procedures for sharing information within the group for AML/CFT purposes, which must also be applicable, and appropriate to, all branches and subsidiaries of the financial group. These must include:

            (a) The development of internal policies, procedures and controls, including appropriate compliance management arrangements, and adequate screening procedures to ensure high standards when hiring employees;
            (b) An ongoing employee training programme;
            (c) An independent audit function to test the system;
            (d) Policies and procedures for sharing information required for the purposes of CDD and money laundering and terrorist financing risk management;
            (e) The provision at group-level compliance, audit, and/or AML/CFT functions of customer, account and transaction information from branches and subsidiaries when necessary for AML/CFT purposes; and
            (f) Adequate safeguards on the confidentiality and use of information exchanged.
            Amended: January 2018
            Added: October 2015

      • FC-C FC-C Risk Based Approach

        • FC-C.1 FC-C.1 Risk Based Approach

          • FC-C.1.1

            An insurance licensee must implement a Risk Based Approach (RBA) in establishing an AML/CFT/CPF program and conduct ML/TF/PF risk assessments prior to and during the establishment of a business relationship and, on an ongoing basis, throughout the course of its relationship with the customer. The licensee must establish and implement policies, procedures, tools and systems commensurate with the size, nature and complexity of its business operations to support its RBA.

            Added: January 2022

          • FC-C.1.2

            An insurance licensee must perform enhanced measures where higher ML/TF/PF risks are identified to effectively manage and mitigate those higher risks.

            Added: January 2022

          • FC-C.1.3

            An insurance licensee must maintain and regularly review and update the documented risk assessment. The risk management and mitigation measures implemented by a licensee must be commensurate with the identified ML/TF/PF risks.

            Added: January 2022

          • FC-C.1.4

            Insurance licensees must allocate adequate financial, human and technical resources and expertise to effectively implement and take appropriate preventive measures to mitigate ML/TF/PF risks.

            Added: January 2022

        • FC-C.2 FC-C.2 Risk Assessment

          • FC-C.2.1

            An insurance licensee must ensure that it takes measures to identify, assess, monitor, manage and mitigate ML/TF/PF risks to which it is exposed and that the measures taken are commensurate with the nature, scale and complexities of its activities. The risk assessment must enable the licensee to understand how, and to what extent, it is vulnerable to ML/TF/PF.

            Added: January 2022

          • FC-C.2.2

            In the context of the risk assessment, “proliferation financing risk” refers to the potential breach, non-implementation or evasion of the targeted financial sanctions obligations referred to in FATF Recommendation 7.

            Added: January 2022

          • FC-C.2.3

            The risk assessment must be properly documented, regularly updated and communicated to the insurance licensee’s senior management. Licensees must have in place policies, controls and procedures, which are approved by senior management, to enable them to manage and mitigate the risks that have been identified. In conducting its risk assessments, the licensee must consider quantitative and qualitative information obtained from the relevant internal and external sources to identify, manage and mitigate these risks. This must include consideration of the risk and threat assessments using national risk assessments, sectorial risk assessments, crime statistics, typologies, risk indicators, red flags, guidance and advisories issued by inter-governmental organisations, national competent authorities and the FATF, and AML/CFT/CPF mutual evaluation and follow-up reports by the FATF or associated assessment bodies.

            Amended: January 2023
            Added: January 2022

          • FC-C.2.4

            An insurance licensee must assess country/geographic risk, customer/investor risk, product/ service/ transactions risk and distribution channel risk taking into consideration the appropriate factors in identifying and assessing the ML/TF/PF risks, including the following:

            (a) The nature, scale, diversity and complexity of its business, products and target markets;
            (b) Products, services and transactions that inherently provide more anonymity, ability to pool underlying customers/funds, cash-based, face-to-face, non face-to-face, domestic or cross-border;
            (c) The volume and size of its transactions, nature of activity and the profile of its customers;
            (d) The proportion of customers identified as high risk;
            (e) Its target markets and the jurisdictions it is exposed to, either through its own activities or the activities of customers, especially jurisdictions with relatively higher levels of corruption or organised crime, and/or deficient AML/CFT/CPF controls and listed by FATF;
            (f) The complexity of the transaction chain (e.g. complex layers of intermediaries and sub intermediaries or distribution channels that may anonymise or obscure the chain of transactions) and types of distributors or intermediaries;
            (g) The distribution channels, including the extent to which the licensee deals directly with the customer and the extent to which it relies (or is allowed to rely) on third parties to conduct CDD and the use of technology;
            (h) Internal audit, external audit or regulatory inspection findings; and
            (i) Beneficiary of a life insurance policy.
            Added: January 2022

          • Country/Geographic risk

            • FC-C.2.5

              Country/geographic area risk, in conjunction with other risk factors, provides useful information as to potential ML/TF/PF risks. Factors that may be considered as indicators of higher risk include:

              (a) Countries identified by credible sources, such as mutual evaluation or detailed assessment reports or published follow-up reports, as not having adequate AML/CFT/CPF systems;
              (b) Countries or geographic areas identified by credible sources as providing funding or support for terrorist activities, or that have designated terrorist organisations operating within their country;
              (c) Countries identified by credible sources as having significant levels of corruption or organized crime or other criminal activity, including source or transit countries for illegal drugs, human trafficking and smuggling and illegal gambling;
              (d) Countries subject to sanctions, embargoes or similar measures issued by international organisations such as the United Nations Organisation; and
              (e) Countries identified by credible sources as having weak governance, law enforcement, and regulatory regimes, including countries identified by the FATF statements as having weak AML/CFT/CPF regimes, and for which financial institutions should give special attention to business relationships and transactions.
              Added: January 2022

          • Customer/Investor risk

            • FC-C.2.6

              Categories of customers which may indicate a higher risk include:

              (a) The business relationship is conducted in unusual circumstances (e.g. significant unexplained geographic distance between the financial institution and the customer);
              (b) Non-resident customers;
              (c) Legal persons or arrangements that are personal asset-holding vehicles;
              (d) Companies that have nominee shareholders or shares in bearer form;
              (e) Businesses that are cash-intensive;
              (f) The ownership structure of the company appears unusual or excessively complex given the nature of the company’s business;
              (g) Customer is sanctioned by the relevant national competent authority for non-compliance with the applicable AML/CFT/CPF regime and is not engaging in remediation to improve its compliance;
              (h) Customer is a PEP or customer’s family members, or close associates are PEPs (including where a beneficial owner of a customer is a PEP);
              (i) Customer resides in or whose primary source of income originates from high-risk jurisdictions;
              (j) Customer resides in countries considered to be uncooperative in providing beneficial ownership information; customer has been mentioned in negative news reports from credible media, particularly those related to predicate offences for AML/CFT/CPF or to financial crimes;
              (k) Customer’s transactions indicate a potential connection with criminal involvement, typologies or red flags provided in reports produced by the FATF or national competent authorities;
              (l) Customer is engaged in, or derives wealth or revenues from, a high-risk cash-intensive business;
              (m) The number of STRs and their potential concentration on particular client groups;
              (n) Customers who have sanction exposure; and
              (o) Customer has a non-transparent ownership structure.
              Added: January 2022

          • Product/Service/Transactions risk

            • FC-C.2.7

              An overall risk assessment should include determining the potential risks presented by product, service, transaction or the delivery channel of the insurance licensee. A licensee should assess, using a RBA, the extent to which the offering of its product, service, transaction or the delivery channel presents potential vulnerabilities to placement, layering or integration of criminal proceeds into the financial system.

              Added: January 2022

            • FC-C.2.8

              Determining the risks of product, service, transaction or the delivery channel offered to customers may include a consideration of their attributes, as well as any associated risk mitigation measures. Products and services that may indicate a higher risk include:

              (a) Anonymous transactions (which may include cash);
              (b) Non-face-to-face business relationships or transactions;
              (c) Payment received from unknown or un-associated third parties;
              (d) Products or services that may inherently favour anonymity or obscure information about underlying customer transactions;
              (e) The geographical reach of the product or service offered, such as those emanating from higher risk jurisdictions;
              (f) Products with unusual complexity or structure and with no obvious economic purpose;
              (g) Products or services that permit the unrestricted or anonymous transfer of value (by payment or change of asset ownership) to an unrelated third party, particularly those residing in a higher risk jurisdiction; and
              (h) Use of new technologies or payment methods not used in the normal course of business by the insurance licensee.
              Added: January 2022

          • Distribution channel risk

            • FC-C.2.9

              A customer may request transactions that pose an inherently higher risk to the insurance licensee. Factors that may be considered as indicators of higher risk include:

              (a) A request is made to transfer funds to a higher risk jurisdiction/country/region without a reasonable business purpose provided; and
              (b) A transaction is requested to be executed, where the licensee is made aware that the transaction will be cleared/settled through an unregulated entity.
              Added: January 2022

            • FC-C.2.10

              An insurance licensee should analyse the specific risk factors which arise from the use of intermediaries and their services. Intermediaries’ involvement may vary with respect to the activity they undertake and their relationship with the licensee. A licensee should understand who the intermediary is and perform a risk assessment on the intermediary prior to establishing a business relationship. Licensees and intermediaries should establish clearly their respective responsibilities for compliance with applicable regulation.

              Added: January 2022

      • FC-1 FC-1 Customer Due Diligence Requirements

        • FC-1.1 FC-1.1 General Requirements

          • Verification of Identity and Source of Funds

            • FC-1.1.1

              Insurance licensees must establish effective systematic internal procedures for establishing and verifying the identity of their customers and the source of their funds. Such procedures must be set out in writing and approved by the licensee’s senior management and must be strictly adhered to.

              Amended: January 2020
              Amended: October 2015
              Amended: January 2007

            • FC-1.1.2

              Insurance licensees must implement the customer due diligence measures outlined in this Chapter when:

              (a) Establishing business relations with a new or existing customer;
              (b) A change to the signatory or policyholder beneficiary is made;
              (c) A significant transaction takes place;
              (d) There is a material change in the terms of an insurance policy or in the manner in which the business relationship is conducted;
              (e) Customer documentation standards change substantially;
              (f) The insurance licensee has doubts about the veracity or adequacy of previously obtained customer due diligence information;
              (g) [This Sub-paragraph was deleted in July 2018]; or
              (h) There is a suspicion of money laundering or terrorist financing.
              Amended: July 2018
              Amended: January 2007

            • FC-1.1.2A

              Insurance licensees must understand, and as appropriate, obtain information on the purpose and intended nature of the business relationship.

              Added: October 2015

            • FC-1.1.2B

              Insurance licensees must conduct ongoing due diligence on the business relationship, including:

              (a) Scrutinizing of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution's knowledge of the customer, their business and risk profile, including, where necessary, the source of funds; and
              (b) Ensuring that documents, data or information collected under the CDD process is kept up-to-date and relevant, by undertaking reviews of existing records, particularly for higher risk categories of customers.
              Amended: October 2017
              Added: October 2015

            • FC-1.1.2C

              An insurance licensee must also review and update the customer’s risk profile based on their level of ML/TF/PF risk upon onboarding the customer and regularly throughout the life of the relationship. The risk management and mitigation measures implemented by a licensee must be commensurate with the risk profile of a particular customer or type of customer.

              Added: January 2022

            • FC-1.1.3

              For the purposes of this Module, 'customer' includes counterparties such as reinsurers and financial markets counterparties, as well as persons insured by the licensee. However, in the case of group insurance policies (such as group life or medical), the requirements in this Module need not be applied to all policyholders: see Paragraph FC-1.2.13. For insurance brokers, 'customer' refers to policyholders.

              Amended: July 2009
              Amended: January 2007

            • FC-1.1.4

              The CBB's specific minimum standards to be followed with respect to verifying customer identity and source of funds are contained in Section FC-1.2. Enhanced requirements apply under certain high-risk situations: these requirements are contained in Sections FC-1.3 to FC-1.5 inclusive. Simplified customer due diligence measures may apply in defined circumstances: these are set out in Section FC-1.6.

              Amended: January 2007

            • FC-1.1.5

              Where an insurance licensee is dealing with an intermediary such as a broker, reliance may be placed on customer identification undertaken by the intermediary, if certain conditions are satisfied: please refer to Chapter FC-1.7.

          • Verification of Third Parties

            • FC-1.1.6

              Insurance licensees must obtain a signed statement, in hard copy or through digital means, from all new customers confirming whether or not the customer is acting on his own behalf. This undertaking must be obtained prior to conducting any transactions with the customer concerned.

              Amended: January 2022
              Amended: January 2007

            • FC-1.1.7

              Where a customer is acting on behalf of a third party, the insurance licensee must also obtain a signed statement from the third party, confirming they have given authority to the customer to act on their behalf. Where the third party is a legal person, the insurance licensee must have sight of the original Board resolution (or other applicable document) authorising the customer to act on the third party's behalf, and retain a certified copy.

              Amended: January 2007

            • FC-1.1.8

              Insurance licensees must establish and verify the identity of the customer and (where applicable) the party/parties on whose behalf the customer is acting. In the case of insurance policies, the identity of the beneficiaries must also be separately identified and verified, and the relationship between the insured party and the beneficiaries must be ascertained. Verification must take place in accordance with the requirements specified in this Chapter.

              Amended: January 2007

            • FC-1.1.9

              If claims, commissions, and other monies are to be paid to persons (including partnerships, companies, etc.) other than the policyholder, then the identity of the proposed recipient of these monies must also be verified in accordance with the requirements specified in this Chapter.

              Amended: January 2007

            • FC-1.1.10

              Where a policy is provided to a minor or other person lacking full legal capacity, the normal identification procedures as set out in this Chapter must be followed. In the case of minors, licensees must additionally verify the identity of the parent(s) or legal guardian(s). Where a third party on behalf of a person lacking full legal capacity subscribes to a policy, the licensee must establish the identity of that third party as well as the intended policyholder.

              Amended: January 2007

          • Anonymous and Nominee Accounts

            • FC-1.1.11

              Insurance licensees must not establish or keep anonymous policies or policies in fictitious names. Where insurance licensees maintain a nominee account, which is controlled by or held for the benefit of another person, the identity of that person must be disclosed to the insurance licensee and verified by it in accordance with the requirements specified in this Chapter.

          • Timing of Verification

            • FC-1.1.12

              Insurance licensees must not commence a business relationship or undertake a transaction with a customer before completion of the relevant customer due diligence (‘CDD’) measures specified in this Chapter. Licensees must also adopt risk management procedures with respect to the conditions under which a customer may utilise the business relationship prior to verification. However, verification may be completed after receipt of funds in the case of non-face-to-face business, or the subsequent submission of CDD documents by the customer after undertaking initial customer due diligence provided that no disbursement of funds takes place until after the requirements of this Chapter have been fully met.

              Amended: January 2022
              Amended: January 2007

          • Incomplete Customer Due Diligence

            • FC-1.1.13

              Where an insurance licensee is unable to comply with the requirements specified in this Chapter, it must consider whether to terminate the relationship or not proceed with the transaction. If funds have been received, these must be returned to the counterparty in the same method as originally received. If it proceeds with the transaction (to avoid tipping off the customer), it should additionally consider whether it should file a suspicious transaction report.

              Amended: October 2015
              Amended: January 2007

            • FC-1.1.14

              See also Chapter FC-4, which covers the filing of suspicious transaction reports. Regarding the return of funds to the counterparty, if funds are received in cash, funds should be returned in cash. If funds are received by wire transfer, they should be returned by wire transfer.

              Amended: October 2015

          • Non-Resident Accounts

            • FC-1.1.14A

              Insurance licensees that transact or deal with non-resident customers who are natural persons must have documented criteria for acceptance of business with such persons. For non-resident customers, insurance licensees must ensure the following:

              (a) Ensure there is a viable economic reason for the business relationship;
              (b) Perform enhanced due diligence where required in accordance with Paragraph FC-1.1.17;
              (c) Obtain and document the country of residence for tax purposes where relevant;
              (d) Obtain evidence of banking relationships in the country of residence;
              (e) Obtain the reasons for dealing with licensee in Bahrain; and
              (f) Test that the persons are contactable without unreasonable delays.
              Amended: October 2023
              Added: January 2022

            • FC-1.1.14B

              Insurance licensees that transact or deal with non-resident customers who are natural persons must have documented approved policies in place setting out the products and services which will be offered to non-resident customers. Such policy document must take into account a comprehensive risk assessment covering all risks associated with the products and services offered to non-residents. The licensee must also have detailed procedures to address the risks associated with the dealings with non-resident customers including procedures and processes relating to authentication, genuineness of transactions and their purpose.

              Added: January 2022

            • FC-1.1.14C

              Insurance licensees must not accept non-resident customers from high risk jurisdictions subject to a call for action by FATF.

              Added: January 2022

            • FC-1.1.14D

              Insurance licensees must take adequate precautions and risk mitigation measures before onboarding non-resident customers from high risk jurisdictions. The licensees must establish detailed assessments and criteria that take into consideration FATF mutual evaluations, FATF guidance, the country national risk assessments (NRAs) and other available guidance on onboarding and retaining non-resident customers from the following high risk jurisdictions:

              (a) Jurisdictions under increased monitoring by FATF;
              (b) Countries upon which United Nations sanctions have been imposed except those referred to in Paragraph FC-1.1.12B; and
              (c) Countries that are the subject of any other sanctions.
              Added: January 2022

            • FC-1.1.14E

              [This Paragraph has been deleted in October 2023].

              Deleted: October 2023
              Added: January 2022

            • FC-1.1.14F

              Insurance licensees must establish systems and measures that are proportional to the risk relevant to each jurisdiction and this must be documented. Such a document must show the risks, mitigation measures for each jurisdiction and for each non-resident customer.

              Added: January 2022

            • FC-1.1.14G

              Insurance licensees must establish a comprehensive documented policy and procedures describing also the tools, methodology and systems that support the licensee’s processes for:

              (a) The application of RBA;
              (b) Customer due diligence;
              (c) Ongoing transaction monitoring; and
              (d) Reporting in relation to their transactions or dealings with non-resident customers.
              Added: January 2022

            • FC-1.1.14H

              Insurance licensees must ensure that only the official/government documents are accepted for the purpose of information in Subparagraphs FC-1.2.1 (a) to (f) in the case of non-resident customers.

              Added: January 2022

            • FC-1.1.14I

              [This Paragraph has been deleted in October 2023]

              Deleted: October 2023
              Added: January 2022

          • Existing Customers

            • FC-1.1.15

              [This Paragraph was deleted in October 2015.]

              Deleted: October 2015

            • FC-1.1.16

              [This Paragraph was deleted in October 2015.]

              Deleted: October 2015
              Amended: January 2007

            • FC-1.1.17

              Insurance licensees must follow the below CDD and customer onboarding requirements:

              | | Enhanced Due Diligence | Digital Onboarding |
              | --- | --- | --- |
              | Bahrainis and GCC nationals (wherever they reside) and expatriates resident in Bahrain | No | Yes |
              | Others | Yes | Yes |
              Added: October 2023

        • FC-1.2 FC-1.2 Face-to-face Business

          • Natural Persons

            • FC-1.2.1

              If the customer is a natural person, the insurance licensee must identify the person’s identity and obtain the following information before providing financial services of any kind:

              (a) Full legal name and any other names used;
              (b) Full permanent address (i.e. the residential address of the customer; a post office box is insufficient);
              (c) Date of birth;
              (d) Nationality;
              (e) Passport number (if the customer is a passport holder);
              (f) Current CPR or Iqama number (for Bahraini or GCC residents only) or government issued national identification proof;
              (g) Telephone/fax number and email address (where applicable);
              (h) Occupation or public position held (where applicable);
              (i) Employer's name and address (if self-employed, the nature of the self-employment);
              (j) Type of policy, and nature and volume of anticipated business dealings with the insurance licensee;
              (k) Signature of the customer(s);
              (l) Source of funds for payment of premium;
              (m) Reason for opening the account; and
              (n) Place of birth.
              Amended: January 2024
              Amended: January 2022
              Amended: January 2020
              Amended: July 2018
              Amended: January 2007

            • FC-1.2.1A

              Insurance licensees obtaining the information and customer signature electronically using digital applications must comply with the applicable laws governing the onboarding/business relationship including but not limited to the Electronic Transactions Law (Law No. 54 of 2018) for the purposes of obtaining signatures as required in Subparagraph FC-1.2.1 (k) above.

              Added: January 2022

            • FC-1.2.2

              See Part B, Volume 3 (Insurance), for a Guidance Note on source of funds.

            • FC-1.2.3

              The insurance licensee must verify the information in Paragraph FC-1.2.1 (a) to (f), by the following methods below; at least one of the copies of the identification documents mentioned in (a) and (b) below must include a clear photograph of the customer:

              (a) Confirmation of the date of birth and legal name, by use of the national E-KYC application and if this is not practical, obtaining a copy of a current valid official original identification document (e.g. birth certificate, passport, national identity card, CPR or Iqama);
              (b) Confirmation of the permanent residential address by use of the national E-KYC application and if this is not practical, obtaining a copy of a recent utility bill, bank statement or similar statement from another licensee or financial institution, or some form of official correspondence or official documentation card, such as national identity card or CPR, from a public/governmental authority, or a tenancy agreement or record of home visit by an official of the licensee; and
              (c) Where appropriate, direct contact with the customer by phone, letter or email to confirm relevant information, such as residential address information.
              Amended: January 2022
              Amended: January 2007

            • FC-1.2.4

              Any document copied or obtained for the purpose of identification verification in a face-to-face customer due diligence process must be an original. An authorised official of the licensee must certify the copy, by writing on it the words ‘original sighted’, together with the date and his signature. Equivalent measures must be taken for electronic copies.

              Amended: January 2022

            • FC-1.2.5

              Identity documents which are not obtained by an authorised official of the licensee in original form (e.g. due to a customer sending a copy by post following an initial meeting) must instead be certified (as per FC-1.2.4) by one of the following from a GCC or FATF member state:

              (a) A lawyer;
              (b) A notary;
              (c) A chartered/certified accountant;
              (d) An official of a government ministry;
              (e) An official of an embassy or consulate; or
              (f) An official of another licensed financial institution or of an associate company of the licensee.
              Amended: January 2007

            • FC-1.2.6

              The individual making the certification under FC-1.2.5 must give clear contact details (e.g. by attaching a business card or company stamp). The insurance licensee must verify the identity of the person providing the certification through checking membership of a professional organisation (for lawyers or accountants), or through checking against databases/websites, or by direct phone or email contact.

              Amended: January 2007

          • Legal Entities or Legal Arrangements (such as trusts)

            • FC-1.2.7

              If the customer is a legal entity or a legal arrangement such as a trust, the insurance licensee must obtain and record the following information from original identification documents, databases or websites, in hard copy or electronic form, to identify the customer and to take reasonable measures to verify its identity, legal existence and structure:

              (a) The entity's full name and other trading names used;
              (b) Registration number (or equivalent);
              (c) Legal form and proof of existence;
              (d) Registered address and trading address (where applicable);
              (e) Type of business activity;
              (f) Date and place of incorporation or establishment;
              (g) Telephone, fax number and email address;
              (h) Regulatory body or listing body (for regulated activities such as financial services and listed companies);
              (hh) The names of the relevant persons having a senior management position in the legal entity or legal arrangement;
              (i) Name of external auditor (where applicable);
              (j) Type of policy, and nature and volume of anticipated business dealings with the insurance licensee; and
              (k) Source of funds for payment of premium.
              Amended: October 2017
              Amended: January 2007

            • FC-1.2.8

              The information provided under FC-1.2.7 must be verified by obtaining certified copies of the following documents, as applicable (depending on the legal form of the entity):

              (a) Certificate of incorporation and/or certificate of commercial registration or trust deed;
              (b) Memorandum of association;
              (c) Articles of association;
              (d) Partnership agreement;
              (e) Board resolution seeking the insurance services (only necessary in the case of private or unlisted companies);
              (f) Identification documentation of the authorised signatories of the insurance contract;
              (g) Copy of the latest financial report and accounts, audited where possible (audited copies do not need to be certified); and
              (h) List of authorised signatories of the company for the insurance contract and a Board resolution (or other applicable document) authorising the named signatories or their agent to receive any proceeds from the insurance contract or to modify the terms of the contract (resolution only necessary for private or unlisted companies).
              Amended: January 2007

            • FC-1.2.8A

              For customers that are legal persons, insurance licensees must identify and take reasonable measures to verify the identity of beneficial owners through the following information:

              (a) The identity of the natural person(s) who ultimately have a controlling ownership interest in a legal person, and
              (b) To the extent that there is doubt under (a) as to whether the person(s) with the controlling ownership interest is the beneficial owner(s), or where no natural person exerts control of the legal person or arrangement through other means; and
              (c) Where no natural person is identified under (a) or (b) above, the identity of the relevant natural person who holds the position of senior managing official.
              Amended: October 2017
              Amended: January 2007

            • FC-1.2.9

              Documents obtained to satisfy the requirements in FC-1.2.8 above must be certified in the manner specified in FC-1.2.4 to FC-1.2.6.

            • FC-1.2.9A

              For the purpose of Paragraph FC-1.2.8(a), the requirement to obtain a certified copy of the commercial registration may be satisfied by obtaining a commercial registration abstract printed directly from the Ministry of Industry, Commerce and Tourism's website, through "SIJILAT Commercial Registration Portal".

              Added: January 2017

            • FC-1.2.10

              The documentary requirements in FC-1.2.8 above do not apply in the case of FATF/GCC listed companies: see Section FC-1.6 below. Also, the documents listed in FC-1.2.8 above are not exhaustive: for customers from overseas jurisdictions, documents of an equivalent nature may be produced as satisfactory evidence of a customer's identity.

              Amended: January 2007

            • FC-1.2.11

              Insurance licensees must also obtain and document the following due diligence information. These due diligence requirements must be incorporated in the licensee's new business procedures:

              (a) Enquire as to the structure of the legal entity or trust sufficient to determine and verify the identity of the ultimate provider of funds and ultimate controller of the funds (if different);
              (b) Ascertain whether the legal entity has been or is in the process of being wound up, dissolved, struck off or terminated;
              (c) Obtain the names, country of residence and nationality of Directors or partners (only necessary for private or unlisted companies, and for trustees in the case of trusts);
              (d) Require, through new customer documentation or other transparent means, updates on significant changes to corporate ownership and/or legal structure;
              (e) Obtain and verify the identity of shareholders holding 20% or more of the issued capital (where applicable). The requirement to verify the identity of these shareholders does not apply in the case of FATF/GCC listed companies;
              (f) In the case of trusts or similar arrangements, establish the identity of the settlor(s), trustee(s), and beneficiaries (including making such reasonable enquiries as to ascertain the identity of any other potential beneficiary, in addition to the named beneficiaries of the trust); and
              (g) Where a licensee has reasonable grounds for questioning the authenticity of the information supplied by a customer, conduct additional due diligence to confirm the above information.
              Amended: January 2007

            • FC-1.2.12

              For the purposes of Paragraph FC-1.2.11, acceptable means of undertaking such due diligence might include taking bank references; visiting or contacting the company by telephone; undertaking a company search or other commercial enquiries; accessing public and private databases (such as stock exchange lists); making enquiries through a business information service or credit bureau; confirming a company's status with an appropriate legal or accounting firm; or undertaking other enquiries that are commercially reasonable.

            • FC-1.2.13

              In the case of group insurance policies (such as group life or medical insurance), customer identification may be limited to the principal shareholders and Directors of the contracting company.

              Amended: January 2007

        • FC-1.3 FC-1.3 Enhanced Customer Due Diligence: General Requirements

          • FC-1.3.1

            Enhanced customer due diligence must be performed on those customers identified as having a higher risk profile, and additional inquiries made or information obtained in respect of those customers. If the insurance licensee determines that a beneficiary who is a legal person or a legal arrangement presents a higher risk, it must take enhanced measures which must include reasonable measures to identify and verify the identity of the beneficial owner of the beneficiary, at the time of payout.

            Amended: January 2022
            Amended: January 2007

          • FC-1.3.2

            Licensees should examine, as far as reasonably possible, the background and purpose of all complex, unusual large transactions, and all unusual patterns of transactions, which have no apparent economic or lawful purpose. Where the risks of money laundering or terrorist financing are higher, licensees should conduct enhanced CDD measures, consistent with the risks identified. In particular, they should increase the degree and nature of monitoring of the business relationship, in order to determine whether those transactions or activities appear unusual or suspicious. The additional inquiries or information referred to in Paragraph FC-1.3.1 include:

            (a) Obtaining additional information on the customer (e.g. occupation, volume of assets, information available through public databases, internet, etc.), and updating more regularly the identification data of customer and beneficial owner;
            (b) Obtaining additional information on the intended nature of the business relationship;
            (c) Obtaining information on the source of funds or source of wealth of the customer;
            (d) Obtaining information on the reasons for intended or performed transactions;
            (e) Obtaining the approval of senior management to commence or continue the business relationship;
            (f) Conducting enhanced monitoring of the business relationship, by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination;
            (g) Taking specific measures to identify the source of the first payment in this account and applying RBA to ensure that there is a plausible explanation in any case where the first payment was not received from the same customer’s account;
            (h) Obtaining evidence of a person's permanent address through the use of a credit reference agency search, or through independent governmental database or by home visit;
            (i) Obtaining a personal reference (e.g. by an existing customer of the insurance licensee);
            (j) Obtaining another licensed entity’s reference and contact with the concerned licensee regarding the customer;
            (k) Obtaining documentation outlining the customer’s source of wealth;
            (l) Obtaining additional documentation outlining the customer’s source of income; and
            (m) Obtaining additional independent verification of employment or public position held.
            Amended: January 2022
            Amended: January 2007

          • FC-1.3.3

            In addition to the general Rule contained in Paragraph FC-1.3.1 above, special care is required in the circumstances specified in Sections FC-1.4 to FC-1.5 inclusive.

            Amended: January 2007

        • FC-1.4 Enhanced Customer Due Diligence: Non face-to-face Business and New Technologies

          • FC-1.4.1

            Insurance licensees must establish specific procedures for verifying customer identity where no face-to-face contact takes place.

            Amended: January 2007

          • FC-1.4.2

            Where no face-to-face contact takes place, insurance licensees must take additional measures (to those specified in Section FC-1.2), in order to mitigate the potentially higher risk associated with such business. In particular, insurance licensees must take measures:

            (a) To ensure that the customer is the person they claim to be; and
            (b) To ensure that the address provided is genuinely the customer's.
            Amended: January 2007

          • FC-1.4.3

            There are a number of checks that can provide an insurance licensee with a reasonable degree of assurance as to the authenticity of the applicant. They include:

            (a) Telephone contact with the applicant on an independently verified home or business number;
            (b) With the customer’s consent, contacting an employer to confirm employment, via phone through a listed number or in writing;
            (c) Requiring a premium payment to be made from an account in the customer’s name at a bank having equivalent CDD standards;
            (d) Independent verification of employment (e.g. through the use of a national E-KYC application), or public position held;
            (e) Carrying out additional searches (e.g. internet searches using independent and open sources) to better inform the customer risk profile;
            (f) Carrying out additional searches focused on financial crime risk indicators (i.e. negative news);
            (g) Evaluating the information provided with regard to the destination of funds and the reasons for the transaction;
            (h) Seeking and verifying additional information from the customer about the purpose and intended nature of the transaction or the business relationship; and
            (i) Increasing the frequency and intensity of transaction monitoring.
            Amended: January 2022
            Amended: January 2007

          • FC-1.4.4

            Financial services provided using digital channels or internet pose greater challenges for customer identification and AML/CFT purposes. Insurance licensees must identify and assess the money laundering or terrorist financing risks relevant to any new technology or channel and establish procedures to prevent the misuse of technological developments in money laundering or terrorist financing schemes. The risk assessments must be consistent with the requirements in Section FC-C.2.

            Amended: January 2022
            Amended: January 2007

          • FC-1.4.5

            Insurance licensees must identify and assess the money laundering or terrorist financing risks that may arise in relation to:

            (a) The development of new products and new business practices, including new delivery mechanisms; and
            (b) The use of new or developing technologies for both new and pre-existing products.
            Added: October 2015

          • FC-1.4.6

            For purposes of Paragraph FC-1.4.5, such a risk assessment must be consistent with the requirements in Section FC-C.2 and must take place prior to the launch of the new products, business practices or the use of new or developing technologies. Insurance licensees must take appropriate measures to manage and mitigate those risks.

            Amended: January 2022
            Added: October 2015

          • Enhanced Monitoring

            • FC-1.4.7

              Customers onboarded digitally must be subject to enhanced on-going account monitoring measures.

              Added: January 2022

            • FC-1.4.8

              The CBB may require a licensee to share the details of the enhanced monitoring and the on-going monitoring process for non face-to-face customer relationships.

              Added: January 2022

          • Licensee’s digital ID applications

            • FC-1.4.9

              Insurance licensees may use their digital ID applications that use secure audio-visual real time (live video conferencing/live photo selfies) communication means to identify the natural person.

              Added: January 2022

            • FC-1.4.10

              Insurance licensees must maintain a document available upon request for the use of their digital ID applications that includes all the following information:

              (a) A description of the nature of products and services for which the proprietary digital ID application is planned to be used with specific references to the rules in this Module for which it will be used;
              (b) A description of the systems and IT infrastructure that are planned to be used;
              (c) A description of the technology and applications that have the features for facial recognition or biometric recognition to authenticate independently and match the face and the customer identification information available with the licensee. The process and the features used in conjunction with video conferencing include, among others, face recognition, three-dimensional face matching techniques etc;
              (d) “Liveness” checks created in the course of the identification process;
              (e) A description of the governance arrangements related to this activity including the availability of specially trained personnel with sufficient level of seniority; and
              (f) Record keeping arrangements for electronic records to be maintained and the relative audit.
              Added: January 2022

            • FC-1.4.11

              Insurance licensees that intend to use their digital ID application to identify the customer and verify identity information must meet the following additional requirements:

              (a) The digital ID application must make use of secure audio-visual real time (live video conferencing/live photo selfies) technology to (i) identify the customer, (ii) verify his/her identity, and also (iii) ensure the data and documents provided are authentic;
              (b) The picture/sound quality must be adequate to facilitate unambiguous identification;
              (c) The digital ID application must include or be combined with capability to read and decrypt the information stored in the identification document’s machine readable zone (MRZ) for authenticity checks from independent and reliable sources;
              (d) Where the MRZ reader is with an outsourced provider, the licensee must ensure that such party is authorized to carry out such services and the information is current and up to date and readily available such that the licensee can check that the decrypted information matches the other information in the identification document;
              (e) The digital ID application has the features for allowing facial recognition or biometric recognition that can authenticate and match the face and the customer identification documents independently;
              (f) The digital ID solution has been tested by an independent expert covering the governance and control processes to ensure the integrity of the solution and underlying methodologies, technology and processes and risk mitigation. The report of the expert’s findings must be retained and available upon request;
              (g) The digital ID application must enable an ongoing process of retrieving and updating the digital files, identity attributes, or data fields which are subject to documented access rights and authorities for updating and changes; and
              (h) The digital ID application must have the geo-location features which must be used by the licensee to ensure that it is able to identify any suspicious locations and to make additional inquiries if the location from which a customer is completing the onboarding process does not match the location of the customer based on the information and documentation submitted.
              Added: January 2022

            • FC-1.4.12

              Insurance licensees using their digital ID application must establish and implement an approved policy which lays down the governance, control mechanisms, systems and procedures for the CDD which include:

              (a) A description of the nature of products and services for which customer due diligence may be conducted through video conferencing or equivalent electronic means;
              (b) A description of the systems, controls and IT infrastructure planned to be used;
              (c) Governance mechanism related to this activity;
              (d) Specially trained personnel with sufficient level of seniority; and
              (e) Record keeping arrangements for electronic records to be maintained and the relative audit trail.
              Added: January 2022

            • FC-1.4.13

              Insurance licensees must ensure that the information referred to in Paragraph FC-1.2.1 is collected in adherence to privacy laws and other applicable laws of the country of residence of the customer.

              Added: January 2022

            • FC-1.4.14

              Insurance licensees must ensure that the information referred to in Subparagraphs FC-1.2.1 (a) to (f) is obtained prior to commencing the digital verification such that:

              (a) The licensee can perform its due diligence prior to the digital interaction/communication and can raise targeted questions at such interaction/communication session; and
              (b) The licensee can verify the authenticity, validity and accuracy of such information through digital means (See Paragraph FC-1.4.16 below) or by use of the methods mentioned in Paragraph FC-1.2.3 and/or FC-1.4.3 as appropriate.
              Added: January 2022

            • FC-1.4.15

              The licensee must also obtain the customer’s explicit consent to record the session and capture images as may be needed.

              Added: January 2022

            • FC-1.4.16

              Insurance licensees must verify the information in Paragraph FC-1.2.1 (a) to (f) by the following methods:

              (a) Confirmation of the date of birth and legal name by digital reading and authenticating current valid passport or other official original identification using machine readable zone (MRZ) or other technology which has been approved under Paragraph FC-1.4.9, unless the information was verified using national E-KYC application;
              (b) Performing real time video calls with the applicant to identify the person and match the person’s face and/or other features through facial recognition or bio-metric means with the official documentation, (e.g. passport, CPR);
              (c) Matching the official identification document, (e.g. passport, CPR) and related information provided with the document captured/displayed on the live video call; and
              (d) Confirmation of the permanent residential address, unless the information was verified using national E-KYC application, by capturing live the recent utility bill, bank statement or similar statement from another licensee or financial institution, or some form of official correspondence or official documentation card, such as national identity card or CPR, from a public/governmental authority, or a tenancy agreement or record of home visit by an official of the insurance licensee.
              Added: January 2022

            • FC-1.4.17

              For the purposes of Paragraph FC-1.4.16, actions taken for obtaining and verifying customer identity could include:

              (a) Collection: Present and collect identity attributes and evidence, either in person and/or online (e.g., by filling out an online form, sending a selfie photo, uploading photos of documents such as passport or driver’s license, etc.);
              (b) Certification: Digital or physical inspection to ensure the document is authentic and its data or information is accurate (for example, checking physical security features, expiration dates, and verifying attributes via other services);
              (c) De-duplication: Establish that the identity attributes and evidence relate to a unique person in the ID system (e.g., via duplicate record searches, biometric recognition and/or deduplication algorithms);
              (d) Verification: Link the individual to the identity evidence provided (e.g., using biometric solutions like facial recognition and liveness detection); and
              (e) Enrolment in identity account and binding: Create the identity account and issue and link one or more authenticators with the identity account (e.g., passwords, one-time code (OTC) generator on a smartphone, etc.). This process enables authentication.
              Added: January 2022

            • FC-1.4.18

              Not all elements of a digital ID system are necessarily digital. Some elements of identity proofing and enrolment can be either digital or physical (documentary), or a combination, but binding and authentication must be digital.

              Added: January 2022

            • FC-1.4.19

              Sufficient controls must be put in place to safeguard the data relating to customer information collected through the video conference and due regard must be paid to the requirements of the Personal Data Protection Law (PDPL). Additionally, controls must be put in place to minimize the increased impersonation fraud risk in such non face-to-face relationship where there is a chance that customer may not be who he claims he is.

              Added: January 2022

          • Overseas branches

            • FC-1.4.20

              Where an insurance licensee intends to use a digital ID application in a foreign jurisdiction in which it operates, it must ensure that the digital ID application meets the requirements under Paragraph FC-B.3.1.

              Added: January 2022

        • FC-1.5 Enhanced Customer Due Diligence: Politically Exposed Persons ('PEPs')

          • FC-1.5.1

            Insurance licensees must have appropriate risk management systems to determine whether a customer or beneficial owner is a Politically Exposed Person ('PEP'), both at the time of establishing business relations and thereafter on a periodic basis. Licensees must utilise publicly available databases and information to establish whether a customer is a PEP.

            Amended: July 2016
            Amended: October 2015
            Amended: January 2007
            Amended: October 2007

          • FC-1.5.2

            Insurance licensees must establish a client acceptance policy with regard to PEPs, taking into account the reputational and other risks involved. Senior management approval must be obtained before a PEP is accepted as a customer. Licensees must not accept a non-Bahraini PEP as a customer based on customer due diligence undertaken using digital ID applications.

            Amended: January 2022
            Amended: January 2007

          • FC-1.5.3

            Where an existing customer is a PEP, or subsequently becomes a PEP, enhanced monitoring and customer due diligence measures must include:

            (a) Analysis of complex financial structures, including trusts, foundations or international business corporations;
            (b) A written record in the customer file to establish that reasonable measures have been taken to establish both the source of wealth and the source of funds;
            (c) Development of a profile of anticipated customer activity, to be used in on-going monitoring;
            (d) Approval of senior management for allowing the customer relationship to continue; and
            (e) On-going account monitoring of the PEP's account by senior management (such as the MLRO).
            Amended: January 2007

          • FC-1.5.3A

            In cases of higher risk business relationships with such persons, mentioned in Paragraph FC-1.5.1, insurance licensees must apply the measures referred to in Subparagraphs FC-1.5.3 (b), (d) and (e).

            Added: October 2015

          • FC-1.5.3B

            The requirements for all types of PEP must also apply to family or close associates of such PEPs.

            Added: October 2015

          • FC-1.5.3C

            For the purpose of Paragraph FC-1.5.3B, 'family' means spouse, father, mother, sons, daughters, sisters and brothers. 'Associates' are persons associated with a PEP whether such association is due to the person being an employee or partner of the PEP or of a firm represented or owned by the PEP, or family links or otherwise.

            Added: October 2015

          • FC-1.5.4

            [This Paragraph was deleted in July 2016 as definition is included under Part B in the Glossary.]

            Deleted: July 2016
            Amended: October 2015
            Amended: January 2007

          • FC-1.5.5

            In relation to life insurance policies, insurance licensees must take reasonable measures to determine whether the beneficiaries and/or, where required, the beneficial owner of the beneficiary, are PEPs. This must occur, at the latest, at the time of the payout.

            Added: January 2018

          • FC-1.5.6

            Where higher risks are identified, senior management must be informed before the payout of the policy proceeds, in order to conduct enhanced scrutiny on the whole business relationship with the policyholder, and to consider making a suspicious transaction report.

            Added: January 2018

        • FC-1.5A Enhanced Due Diligence: Charities, Clubs and Other Societies

          • FC-1.5A.1

            Financial services must not be provided to charitable funds and religious, sporting, social, cooperative and professional and other societies, until an original certificate authenticated by the relevant Ministry confirming the identities of those purporting to act on their behalf (and authorising them to obtain the said service) has been obtained. Charities should be subject to enhanced monitoring by insurance licensees.

            Added: January 2022

          • FC-1.5A.2

            For the purpose of Paragraph FC-1.5A.1, for clubs and societies registered with the Ministry of Youth and Sport Affairs, insurance licensees must contact the Ministry to clarify whether a policy may be issued in accordance with the rules of the Ministry. In addition, in the case of sport associations registered with the Bahrain Olympic Committee (BOC), insurance licensees must contact BOC to clarify whether the policy may be issued in accordance with the rules of BOC.

            Added: January 2022

        • FC-1.6 Simplified Customer Due Diligence

          • FC-1.6.1

            Insurance licensees may apply simplified customer due diligence measures, as described in Paragraphs FC-1.6.2 to FC-1.6.8, if:

            (a) The customer is the Central Bank of Bahrain ('CBB'), the Bahrain Bourse ('BHB') or a licensee of the CBB;
            (b) The customer is a Ministry of a Gulf Cooperation Council ('GCC') or Financial Action Task Force ('FATF') member state government, a company in which a GCC government is a majority shareholder, or a company established by decree in the GCC;
            (c) The customer is a company listed on a GCC or FATF member state stock exchange with equivalent disclosure standards to those of the BHB;
            (d) The customer is a financial institution whose entire operations are subject to AML/CFT requirements consistent with the FATF Recommendations and it is supervised by a financial services supervisor in a FATF or GCC member state for compliance with those requirements;
            (e) The customer is a financial institution that is a subsidiary of a financial institution located in a FATF or GCC member state, and the AML/CFT requirements applied to its parent also apply to the subsidiary; or
            (f) [This Subparagraph was deleted in January 2018].
            (g) The transaction is a long-term insurance contract, either taken out in connection with a pension scheme relating to the customer's employment or occupation, or contains a no surrender clause and cannot be used as security for a loan.
            Amended: January 2019
            Amended: January 2018
            Amended: October 2015
            Amended: January 2007

          • FC-1.6.2

            For customers falling under the categories (a) to (e) specified in Paragraph FC-1.6.1, the information required under Paragraph FC-1.2.1 (for natural persons) or FC-1.2.7 (for legal entities or legal arrangements such as trusts) must be obtained. However, the verification and certification requirements in Paragraphs FC-1.2.3 and FC-1.2.8, and the due diligence requirements in Paragraph FC-1.2.11, may be dispensed with.

            Amended: January 2007

          • FC-1.6.3

            [This Paragraph was deleted in July 2018].

            Deleted: July 2018
            Amended: January 2007

          • FC-1.6.4

            Insurance licensees wishing to apply simplified due diligence measures as allowed for under Paragraph FC-1.6.1 must retain documentary evidence supporting their categorisation of the customer.

            Amended: January 2007

          • FC-1.6.5

            Examples of such documentary evidence may include a printout from a regulator's website, confirming the licensed status of an institution, and internal papers attesting to a review of the AML/CFT measures applied in a jurisdiction.

          • FC-1.6.6

            For customers coming under Paragraph FC-1.6.1 (e), licensees must also obtain and retain a written statement from the parent institution of the subsidiary concerned, confirming that the subsidiary is subject to the same AML/CFT measures as its parent.

            Amended: January 2007

          • FC-1.6.7

            [This Paragraph was deleted in January 2007]

            Deleted: January 2007

          • FC-1.6.8

            Simplified customer due diligence measures must not be applied where a licensee knows, suspects, or has reason to suspect, that the applicant is engaged in money laundering or terrorism financing or that the transaction is carried out on behalf of another person engaged in money laundering or terrorism financing.

          • FC-1.6.8A

            Simplified customer due diligence measures must not be applied in situations where the licensee has identified high ML/TF/PF risks.

            Added: January 2022

          • FC-1.6.9

            [This Paragraph was deleted in July 2018].

            Deleted: July 2018

          • FC-1.6.10

            [This Paragraph was deleted in July 2018].

            Deleted: July 2018
            Amended: January 2007

        • FC-1.7 Introduced Business from Professional Intermediaries

          • FC-1.7.1

            Insurance licensees may only accept customers introduced to them by other financial institutions or intermediaries, if they have satisfied themselves that the financial institution or intermediary concerned is subject to FATF-equivalent measures and customer due diligence measures. Where an insurance licensee delegates part of the customer due diligence measures to another financial institution or intermediary, the responsibility for meeting the requirements of this Chapter remains with the insurance licensee, not the third party.

            Amended: January 2018
            Amended: January 2007

          • FC-1.7.2

            Insurance licensees may only accept introduced business if all of the following conditions are satisfied:

            (a) The customer due diligence measures applied by the introducer are consistent with those required by the FATF Recommendations;
            (b) A formal agreement is in place defining the respective roles of the licensee and the introducer in relation to customer due diligence measures. The agreement must specify that the customer due diligence measures of the introducer will comply with the FATF Recommendations;
            (c) The introducer is able to provide all relevant data pertaining to the customer's identity, the identity of the policyholder and beneficiary of the policy and, where applicable, the party/parties on whose behalf the customer is acting; also, the introducer has confirmed that the licensee will be allowed to verify the customer due diligence measures undertaken by the introducer at any stage; and
            (d) Written confirmation is provided by the introducer confirming that all customer due diligence measures required by the FATF Recommendations have been followed and the customer's identity established and verified. In addition, the confirmation must state that any identification documents or other customer due diligence material can be accessed by the insurance licensee and that these documents will be kept for at least five years after the policy relationship has ended.
            Amended: October 2015
            Amended: January 2007
            Amended: October 2007
            Amended: April 2008

          • FC-1.7.3

            The insurance licensee must perform periodic reviews ensuring that any introducer on which it relies is in compliance with the FATF Recommendations. Where the introducer is resident in another jurisdiction, the insurance licensee must also require the introducer to perform periodic reviews to verify whether the jurisdiction is in compliance with the FATF Recommendations.

            Amended: October 2015

          • FC-1.7.4

            Should the insurance licensee not be satisfied that the introducer is in compliance with the requirements of the FATF Recommendations, the licensee must conduct its own customer due diligence or not accept or continue the business relationship.

            Amended: October 2015

        • FC-1.8 Reliance on Third Parties for Customer Due Diligence

          • FC-1.8.1

            Licensees are permitted to rely on third parties to perform elements of CDD measures and recordkeeping requirements stipulated in Chapter FC-1 related to customer and beneficial owner identity, verification of their identity and information on the purpose and intended nature of the business relationship with the licensee, subject to complying with the below:

            (a) Licensees remain ultimately responsible for CDD measures;
            (b) Licensees immediately obtain the relevant CDD information from the third party upon onboarding clients;
            (c) There is an agreement with the third party for the arrangement with clear contractual terms on the obligations of the third party;
            (d) The third party without delay makes available the relevant documentation relating to the CDD requirements upon request;
            (e) Licensees ensure that the third party is a financial institution that is regulated and supervised for, and has measures in place for compliance with, CDD and recordkeeping requirements in line with FATF Recommendations 10 and 11; and
            (f) For third parties based abroad, licensees must consider the information available on the level of country risk.
            Added: October 2023

          • FC-1.8.2

            Where a licensee relies on a third-party that is part of the same financial group, the licensee can consider that:

            (a) The requirements under Subparagraphs FC-1.8.1 (d) and (e) are complied with through its group programme, provided the group satisfies the following conditions:
            (i) The group applies CDD and record keeping requirements consistent with FATF Recommendations 10, 11 and 12 and has in place internal controls in accordance with FATF Recommendation 18; and
            (ii) The implementation of CDD, record keeping and AML/CFT measures is supervised at a group level by a financial services regulatory authority for compliance with AML/CFT requirements consistent with standards set by the FATF.
            (b) The requirement under Subparagraph FC-1.8.1 (f) is complied with if the country risk is adequately mitigated by the group’s AML/CFT policies.
            Added: October 2023

          • FC-1.8.3

            This Section does not apply to outsourcing or agency arrangements in which the outsourced entity applies the CDD measures on behalf of the delegating licensee, in accordance with its procedures.

            Added: October 2023

      • FC-2 AML / CFT Systems and Controls

        • FC-2.1 General Requirements

          • FC-2.1.1

            Insurance licensees must implement programmes against money laundering and terrorist financing which establish and maintain appropriate systems and controls for compliance with the requirements of this Module and which limit their vulnerability to financial crime. These systems and controls must be documented, and approved and reviewed annually by the Board of the licensee. The documentation, and the Board's review and approval, must be made available upon request to the CBB.

            Amended: October 2015
            Amended: January 2007

          • FC-2.1.2

            Where the insurance licensee is an unincorporated entity, the annual review and approval should be undertaken by the most senior person with oversight responsibilities for the licensee, such as its General Manager or managing partner.

            Amended: October 2007

          • FC-2.1.3

            The above systems and controls, and associated documented policies and procedures, should cover standards for customer acceptance, on-going monitoring of high-risk accounts, staff training and adequate screening procedures to ensure high standards when hiring employees.

            Amended: October 2007

          • FC-2.1.4

            Insurance licensees must incorporate Key Performance Indicators (KPIs) to ensure compliance with AML/CFT requirements by all staff. The performance against the KPIs must be adequately reflected in their annual performance evaluation and in their remuneration (See also Paragraph HC-5.4.3).

            Added: April 2020

          • FC-2.1.5

            In implementing the policies, procedures and monitoring tools for ensuring compliance with Paragraph FC-2.1.4, insurance licensees should consider the following:

            (a) The business policies and practices should be designed to reduce incentives for staff to expose the insurance licensee to AML/CFT compliance risk;
            (b) The performance measures of departments/divisions/units and personnel should include measures to address AML/CFT compliance obligations;
            (c) AML/CFT compliance breaches and deficiencies should be attributed to the relevant departments/divisions/units and personnel within the organisation as appropriate;
            (d) Remuneration and bonuses should be adjusted for AML/CFT compliance breaches and deficiencies; and
            (e) Both quantitative measures and human judgement should play a role in determining any adjustments to the remuneration and bonuses resulting from the above.
            Added: April 2020

        • FC-2.2 On-going Customer Due Diligence and Transaction Monitoring

          • Risk-Based Monitoring

            • FC-2.2.1

              Insurance licensees must develop risk-based monitoring systems appropriate to the complexity of their business, their number of clients and types of transactions. These systems must be configured to identify significant or abnormal transactions or patterns of activity. Such systems must include limits on the number, types or size of transactions undertaken outside expected norms; and must include limits for cash and non-cash transactions.

            • FC-2.2.2

              Insurance licensees' risk-based monitoring systems should therefore be configured to help identify:

              (a) Transactions which do not appear to have a clear purpose or which make no obvious economic sense;
              (b) Significant or large transactions not consistent with the normal or expected behaviour of a customer; and
              (c) Unusual patterns of activity (relative to other customers of the same profile or of similar types of transactions, for instance because of differences in terms of volumes, transaction type, or flows to or from certain countries), or activity outside the expected or regular pattern of a customer's account activity.
              Amended: January 2007

          • Automated Transaction Monitoring

            • FC-2.2.3

              Insurance licensees must consider the need to include automated transaction monitoring as part of their risk-based monitoring systems. In the absence of automated transaction monitoring systems, all transactions above BD 6,000 must be viewed as 'significant' and be captured in a daily transactions report for monitoring by the MLRO or a relevant delegated official, and records retained by the insurance licensee for five years after the date of the transaction.

              Amended: January 2007
              Amended: October 2007
              Amended: April 2008

            • FC-2.2.4

              The CBB would expect larger insurance licensees to include automated transaction monitoring as part of their risk-based monitoring systems. See also Chapters FC-3 and FC-6, regarding the responsibilities of the MLRO and record-keeping requirements.

              Amended: January 2007

          • Unusual Transactions or Customer Behaviour

            • FC-2.2.5

              In instances where an insurance licensee’s risk-based monitoring systems identify significant or abnormal transactions (as defined in FC-2.2.2 and FC-2.2.3), it must verify the source of funds for those transactions, particularly where the transactions are above the transactions threshold of BD 6,000. Furthermore, insurance licensees must examine the background and purpose to those transactions and document their findings.

              Amended: January 2022

            • FC-2.2.6

              The investigations required under FC-2.2.5 must be carried out by the MLRO (or relevant delegated official). The documents relating to these findings must be maintained for five years from the date when the transaction was completed (see also FC-6.1.1(b)).

              Amended: October 2007
              Amended: April 2008

            • FC-2.2.7

              Insurance licensees must consider instances where there is a significant, unexpected or unexplained change in the behaviour of policyholders' account (e.g., early surrenders). Insurance licensees must be extra vigilant to the particular risks involved in the buying and selling of second hand endowment policies, as well as the use of single premium unit-linked policies. Insurance licensees must check any reinsurance or retrocession to ensure that monies are paid to bona fide reinsurance entities at rates commensurate with the risks underwritten.

              Amended: January 2007

            • FC-2.2.8

              When an existing customer cancels a policy and applies for another, the insurance licensee must review its customer identity information and update its records accordingly. Where the information available falls short of the requirements contained in Chapter FC-1, the missing or out of date information must be obtained and re-verified with the customer.

              Amended: January 2007

            • FC-2.2.9

              Once identification procedures have been satisfactorily completed and, as long as records concerning the customer are maintained in line with Chapters FC-1 and FC-6, no further evidence of identity is needed when transactions are subsequently undertaken within the expected level and type of activity for that customer, provided reasonably regular contact has been maintained between the parties and no doubts have arisen as to the customer's identity.

              Amended: January 2007

          • On-going Monitoring

            • FC-2.2.10

              Insurance licensees must take reasonable steps to:

              (a) Scrutinize transactions undertaken throughout the course of that relationship to ensure that transactions being conducted are consistent with the insurance licensee's knowledge of the customer, their business risk and risk profile; and
              (b) Ensure that they receive and maintain up-to-date and relevant copies of the identification documents specified in Chapter FC-1, by undertaking reviews of existing records, particularly for higher risk categories of customers. Insurance licensees must require all customers to provide up-to-date identification documents in their standard terms and conditions of business.
              Amended: October 2017
              Amended: January 2007

            • FC-2.2.11

              Insurance licensees must review and update their customer due diligence information at least every three years, particularly for higher risk categories of customers. If, upon performing such a review, copies of identification documents are more than 12 months out of date, the insurance licensee must take steps to obtain updated copies as soon as possible.

              Amended: October 2017

      • FC-3 Money Laundering Reporting Officer

        • FC-3.1 Appointment of MLRO

          • FC-3.1.1

            Insurance firms (except captive insurance firms managed by an insurance manager), insurance brokers and insurance managers (that manage a captive insurance firm) must appoint a Money Laundering Reporting Officer ('MLRO'). In the case of insurance managers that manage captive insurance firms, the insurance manager must appoint a MLRO for each of the captive insurance firms under its management.

            Amended: January 2007
            Amended: October 2007

          • FC-3.1.2

            Insurance managers may nominate the same individual to act as MLRO for more than one captive insurance firm, providing this person can meet in full the responsibilities of MLRO for each captive insurance firm in question.

            Amended: January 2007

          • FC-3.1.3

            The position of MLRO is a controlled function and the MLRO is an approved person.

          • FC-3.1.4

            For details of the CBB's requirements regarding controlled functions and approved persons, see Section AU-1.2. Amongst other things, approved persons require CBB approval before being appointed, which is granted only if they are assessed as 'fit and proper' for the function in question. A completed Form 3 must accompany any request for CBB approval.

            Amended: January 2007

          • FC-3.1.5

            The position of MLRO must not be combined with functions that create potential conflicts of interest, such as an internal auditor or business line head. The position of MLRO may not be outsourced.

          • FC-3.1.6

            Subject to Paragraph FC-3.1.5, however, the position of MLRO may otherwise be combined with other functions in the insurance licensee, such as that of Compliance Officer, in cases where the volume and geographical spread of the business is limited and, therefore, the demands of the function are not likely to require a full time resource. Paragraph FC-3.1.9 requires that the MLRO is a Director or employee of the licensee, so the function may not be outsourced to a third party employee.

            Amended: January 2007
            Amended: October 2007

          • FC-3.1.6A

            For purposes of Paragraphs FC-3.1.5 and FC-3.1.6 above, insurance licensees must clearly state in the Application for Approved Person Status — Form 3 — when combining the MLRO or DMLRO position with any other position within the insurance licensee.

            Added: October 2017

          • FC-3.1.7

            Insurance licensees must appoint at least one deputy MLRO (or more depending on the scale and complexity of the licensee's operations). The deputy MLRO(s) must be resident in Bahrain unless otherwise agreed with the CBB.

            Amended: January 2007

          • FC-3.1.7A

            The deputy MLRO should be able to support the MLRO in discharging his responsibilities and to deputise for him in his absence. In the case of insurance licensees undertaking significant overseas business, the CBB would normally expect to see one or more deputy MLRO(s) residing in the jurisdiction(s) where the bulk of the customer business is processed. In such cases, the CBB would normally agree to an application for an exemption from the residency requirement in Rule FC-3.1.7.

            Amended: January 2007

          • FC-3.1.8

            Insurance licensees should note that although the MLRO may delegate some of his functions, either to other employees of the licensee or even (in the case of larger groups) to individuals performing similar functions for other group entities, the responsibility for compliance with the requirements of this Module remains with the licensee and the designated MLRO.

            Amended: January 2007

          • FC-3.1.9

            So that he can carry out his controlled function effectively, insurance licensees must ensure that their MLRO:

            (a) Is a member of senior management of the licensee;
            (b) Has a sufficient level of seniority within the insurance licensee, has the authority to act without interference from business line management and has direct access to the Board and senior management (where necessary);
            (c) Has sufficient resources, including sufficient time and (if necessary) support staff, and has designated a replacement to carry out the function should the MLRO be unable to perform his duties;
            (d) Has unrestricted access to all transactional information relating to any financial services provided by the insurance licensee to a customer, or any transactions conducted by the insurance licensee on behalf of that customer;
            (e) Is provided with timely information needed to identify, analyse and effectively monitor customer accounts;
            (f) Has access to all customer due diligence information obtained by the insurance licensee; and
            (g) Is resident in Bahrain.
            Amended: October 2011
            Amended: January 2007
            Amended: October 2007

          • FC-3.1.10

            In addition, insurance licensees must ensure that their MLRO is able to:

            (a) Monitor the day-to-day operation of their policies and procedures relevant to this Module; and
            (b) Respond promptly to any reasonable request for information made by the Financial Intelligence Directorate or the CBB.
            Amended: October 2019
            Amended: April 2010
            Amended: October 2007
            Amended: January 2007

          • FC-3.1.11

            If the position of MLRO falls vacant, the insurance licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the licensee must make immediate interim arrangements (including the appointment of an acting MLRO) to ensure continuity in the MLRO function's performance. These interim arrangements must be approved by the CBB.

            Amended: January 2007

        • FC-3.2 Responsibilities of the MLRO

          • FC-3.2.1

            The MLRO is responsible for:

            (a) Establishing and maintaining the insurance licensee's AML/CFT policies and procedures;
            (b) Ensuring that the licensee complies with the AML Law and any other applicable AML/CFT legislation and this Module;
            (c) Ensuring day-to-day compliance with the licensee's own internal AML/CFT policies and procedures;
            (d) Acting as the insurance licensee's main point of contact in respect of handling internal suspicious transactions reports from the licensee's staff (refer to Section FC-4.1) and as the main contact for the Financial Intelligence Directorate, the CBB and other concerned bodies regarding AML/CFT;
            (e) Making external suspicious transactions reports to the Financial Intelligence Directorate and the Compliance Directorate (refer to Section FC-4.2);
            (f) Taking reasonable steps to establish and maintain adequate arrangements for staff awareness and training on AML/CFT matters (whether internal or external), as per Chapter FC-5;
            (g) Producing annual reports on the effectiveness of the licensee's AML/CFT controls, for consideration by senior management, as per Paragraph FC-3.3.3;
            (h) On-going monitoring of what may, in his opinion, constitute high-risk customer accounts; and
            (i) Ensuring that the insurance licensee maintains all necessary CDD, transactions, STR and staff training records for the required periods (refer to Section FC-6.1).
            Amended: October 2019
            Amended: October 2015
            Amended: April 2010
            Amended: January 2007

        • FC-3.3 Compliance Monitoring

          • Annual Compliance Review

            • FC-3.3.1

              Insurance licensees must take appropriate steps to identify and assess their money laundering and terrorist financing risks (for customers, countries or geographic areas; and products, services, transactions or delivery channels). They must document those assessments in order to be able to demonstrate their basis, keep these assessments up to date, and have appropriate mechanisms to provide risk assessment information to the CBB. The nature and extent of any assessment of money laundering and terrorist financing risks must be appropriate to the nature and size of the business.

              Added: October 2015

            • FC-3.3.1A

              Insurance licensees should always understand their money laundering and terrorist financing risks, but the CBB may determine that individual documented risk assessments are not required, if the specific risks inherent to the sector are clearly identified and understood.

              Added: October 2015

            • FC-3.3.1B

              An insurance licensee must review the effectiveness of its AML/CFT procedures, systems and controls at least once each calendar year. The review must cover the licensee and its branches and subsidiaries both inside and outside the Kingdom of Bahrain. An insurance licensee must monitor the implementation of those controls and enhance them if necessary. The scope of the review must include:

              (a) A report, containing the number of internal reports made in accordance with Section FC-4.1, a breakdown of all the results of those internal reports and their outcomes for each segment of the licensee's business, and an analysis of whether controls or training need to be enhanced;
              (b) A report, indicating the number of external reports made in accordance with Section FC-4.2 and, where an insurance licensee has made an internal report but not made an external report, noting why no external report was made;
              (c) A sample test of compliance with this Module's customer due diligence requirements; and
              (d) A report as to the quality of the licensee's anti-money laundering procedures, systems and controls, and compliance with the AML Law and this Module.
              Amended: January 2022
              Amended: October 2015
              Amended: January 2007
              Amended: October 2007

            • FC-3.3.2

              The reports listed under Paragraph FC-3.3.1B (a) and (b) must be made by the MLRO. The sample testing and report required under Paragraph FC-3.3.1B (c) and (d) must be made by the licensee’s external auditor or a consultancy firm approved by the CBB.

              Amended: January 2022
              Amended: January 2019
              Amended: October 2011
              Amended: January 2007
              Amended: October 2007

            • FC-3.3.2A

              In order for a consultancy firm to be approved by the CBB for the purposes of Paragraph FC-3.3.2, such firm should provide the CBB's Compliance Directorate with:

              (a) A sample AML/CFT report prepared for a financial institution;
              (b) A list of other AML/CFT related work undertaken by the firm;
              (c) A list of other audit/review assignments undertaken, specifying the nature of the work done, date and name of the licensee; and
              (d) An outline of any assignment conducted for or in cooperation with an international audit firm.
              Added: October 2011

            • FC-3.3.2B

              The firm should indicate which personnel (by name) will work on the report (including, where appropriate, which individual will be the team leader) and demonstrate that all such persons have appropriate qualifications in one of the following areas:

              (a) Audit;
              (b) Accounting;
              (c) Law; or
              (d) Banking/Finance.
              Added: October 2011

            • FC-3.3.2C

              At least two persons working on the report (one of whom would normally be expected to be the team leader) should have:

              (a) A minimum of 5 years professional experience dealing with AML/CFT issues; and
              (b) Formal AML/CFT training.
              Added: October 2011

            • FC-3.3.2D

              Submission of a curriculum vitae for all personnel to be engaged on the report is encouraged for the purposes of evidencing the above requirements.

              Added: October 2011

            • FC-3.3.2E

              Upon receipt of the above required information, the CBB Compliance Directorate will assess the firm and communicate to it whether it meets the criteria required to be approved by the CBB for this purpose. The CBB may also request any other information it considers necessary in order to conduct the assessment.

              Added: October 2011

            • FC-3.3.3

              The items listed under Paragraph FC-3.3.1B must be submitted to the licensee's Board, for it to review and commission any required remedial measures, and copied to the licensee's senior management.

              Amended: January 2019

            • FC-3.3.4

              The purpose of the annual compliance review is to assist a licensee's Board and senior management to assess, amongst other things, whether internal and external reports are being made (as required under Chapter FC-4), and whether the overall number of such reports (which may otherwise appear satisfactory) does not conceal inadequate reporting in a particular segment of the licensee's business (or, where relevant, in particular branches or subsidiaries). Licensees should use their judgement as to how the reports listed under Paragraph FC-3.3.1B (a) and (b) should be broken down in order to achieve this aim (e.g. by branches, departments and product lines).

              Amended: January 2019
              Amended: January 2007

            • FC-3.3.5

              Insurance licensees must instruct their appointed firm to produce the report referred to in Paragraph FC-3.3.1B (c) and (d). The report must be submitted to the CBB by the 30th of June of the following year. The findings of this review must be received and acted upon by the licensee.

              Amended: January 2022
              Amended: January 2020
              Amended: January 2019
              Amended: January 2012
              Amended: October 2007
              Amended: January 2007

            • FC-3.3.5A

              [This Paragraph was deleted in January 2019].

              Deleted: January 2019
              Added: January 2007

            • FC-3.3.6

              [This Paragraph was deleted in January 2022].

              Deleted: January 2022
              Amended: January 2012
              Amended: October 2007

            • FC-3.3.7

              [This Paragraph was deleted in January 2022].

              Deleted: January 2022
              Amended: January 2020
              Added: January 2007
              Amended: April 2008
              Amended: January 2019

      • FC-4 Suspicious Transaction Reporting

        • FC-4.1 Internal Reporting

          • FC-4.1.1

            Insurance licensees must implement procedures to ensure that staff who handle customer business (or are managerially responsible for such staff) make a report promptly to the MLRO if they know or suspect that a customer (or a person on whose behalf a customer may be acting) is engaged in money laundering or terrorism financing, or if the transaction or customer's conduct otherwise appears unusual or suspicious. These procedures must include arrangements for disciplining any member of staff who fails, without reasonable excuse, to make such a report.

            Amended: January 2007

          • FC-4.1.2

            Suspicious transaction or conduct may include a claim made in suspicious circumstances, a policy surrendered soon after inception or in circumstances that would otherwise appear contrary to the interests of a reasonable policyholder. If a prospective policyholder does not pursue an application, this may be considered suspicious in itself. Item FC (iv) in Part B of Volume 3 (Insurance) provides further examples of transactions that may be suspicious or unusual.

            Amended: January 2007

          • FC-4.1.3

            Where insurance licensees' internal processes provide for staff to consult with their line managers before sending a report to the MLRO, such processes must not be used to prevent reports reaching the MLRO, where staff have stated that they have knowledge or suspicion that a transaction may involve money laundering or terrorist financing.

        • FC-4.2 External Reporting

          • FC-4.2.1

            Insurance licensees must take reasonable steps to ensure that all reports made under Section FC-4.1 are considered by the MLRO (or his duly authorised delegate). Having considered the report and any other relevant information, if the MLRO (or his duly authorised delegate) still suspects that a person has been engaged in money laundering or terrorism financing, or the activity concerned is otherwise still regarded as suspicious, he must report the fact promptly to the relevant authorities. Where no report is made, the MLRO must document the reasons why.

            Amended: January 2007

          • FC-4.2.2

            To take reasonable steps, as required under Paragraph FC-4.2.1, insurance licensees must:

            (a) Require the MLRO to consider reports made under Section FC-4.1 in the light of all relevant information accessible to or reasonably obtainable by the MLRO;
            (b) Permit the MLRO to have access to any information, including know your customer information, in the insurance licensee's possession which could be relevant; and
            (c) Ensure that where the MLRO, or his duly authorised delegate, suspects that a person has been engaged in money laundering or terrorist financing, a report is made by the MLRO which is not subject to the consent or approval of any other person.
            Amended: January 2007

          • FC-4.2.3

            Reports to the relevant authorities made under Paragraph FC-4.2.1 must be sent to the Financial Intelligence Directorate at the Ministry of Interior and the CBB's Compliance Directorate using the Suspicious Transaction Reporting Online System (Online STR system). STRs in paper format will not be accepted.

            Amended: October 2019
            Amended: July 2016
            Amended: October 2014
            Amended: April 2010
            Amended: January 2007

          • FC-4.2.4

            Insurance licensees must report all suspicious transactions or attempted transactions. This reporting requirement applies regardless of whether the transaction involves tax matters.

          • FC-4.2.5

            Insurance licensees must retain all relevant details of STRs submitted to the relevant authorities, for at least five years.

            Amended: October 2014
            Amended: October 2007
            Amended: April 2008

          • FC-4.2.6

            In accordance with the AML Law, insurance licensees, their Directors, officers and employees:

            (a) Must not warn or inform ('tipping off') the policyholder, beneficiary or other subjects of the STR when information relating to them is being reported to the relevant authorities; and
            (b) In cases where insurance licensees form a suspicion that transactions relate to money laundering or terrorist financing, they must take into account the risk of tipping-off when performing the CDD process. If the insurance licensee reasonably believes that performing the CDD process will tip-off the customer or potential customer, it may choose not to pursue that process, and must file an STR.
            Amended: January 2018
            Amended: January 2007
            Amended: October 2007

        • FC-4.3 Contacting the Relevant Authorities

          • FC-4.3.1

            Reports made by the MLRO or his duly authorised delegate under Section FC-4.2 must be sent electronically using the Suspicious Transaction Reporting Online System (Online STR system).

            Amended: October 2014
            Amended: April 2010
            Amended: January 2007

          • FC-4.3.2

            The relevant authorities are:

            Financial Intelligence Directorate (FID)
            Ministry of Interior
            P.O. Box 26698
            Manama, Kingdom of Bahrain
            Telephone: + 973 17 749397
            Fax: + 973 17 715502
            E-mail: bahrainfid@moipolice.bh

            Director of the Compliance Directorate
            Central Bank of Bahrain
            P.O. Box 27
            Manama, Kingdom of Bahrain
            Telephone: 17 547107
            Fax: 17 535673
            E-mail: Compliance@cbb.gov.bh

            Amended: October 2019
            Added: October 2014

      • FC-5 Staff Training and Recruitment

        • FC-5.1 General Requirements

          • FC-5.1.1

            An insurance licensee must take reasonable steps to provide periodic training and information to ensure that staff who handle customer transactions, or are managerially responsible for such transactions, are made aware of:

            (a) Their responsibilities under the AML Law, this Module, and any other relevant AML/CFT laws and Regulations;
            (b) The identity and responsibilities of the MLRO and his deputy;
            (c) The potential consequences, both individual and corporate, of any breach of the AML Law, this Module and any other relevant AML/CFT laws or Regulations;
            (d) The insurance licensee's current AML/CFT policies and procedures;
            (e) Money laundering and terrorist financing typologies and trends;
            (f) The type of customer activity or transaction that may justify an internal STR;
            (g) The insurance licensee's procedures for making internal STRs; and
            (h) Customer due diligence measures with respect to establishing business relations with customers.
            Amended: January 2007

          • FC-5.1.2

            The information referred to in Paragraph FC-5.1.1 must be brought to the attention of relevant new employees of insurance licensees, and must remain available for reference by staff during their period of employment and by the CBB.

            Amended: January 2007

          • FC-5.1.3

            Relevant new employees must be given AML/CFT training within three months of joining an insurance licensee.

            Amended: January 2007

          • FC-5.1.4

            Insurance licensees must ensure that their AML/CFT training for relevant staff remains up-to-date, and is appropriate given the licensee's activities and customer base.

            Amended: January 2007

          • FC-5.1.5

            The CBB would normally expect AML/CFT training to be provided to relevant staff at least once a year.

            Amended: January 2007

          • FC-5.1.6

            Insurance licensees must develop adequate screening procedures to ensure high standards when hiring employees. These procedures must include controls to prevent criminals or their associates from being employed by licensees.

            Amended: January 2007

          • FC-5.1.6A

            [This Paragraph was deleted in January 2022].

            Deleted: January 2022
            Added: January 2021

      • FC-6 Record-keeping Arrangements

        • FC-6.1 General Requirements

          • Policyholder/Transaction Records

            • FC-6.1.1

              Insurance licensees must comply with the record-keeping requirements contained in the AML Law and the CBB Law. Insurance licensees must therefore retain adequate records (including accounting and identification records), for the following minimum periods:

              (a) For customers, in relation to evidence of identity and business relationship records (such as application forms, account files and business correspondence, including the results of any analysis undertaken (e.g. enquiries to establish background and purpose of complex, unusual large transactions)), for at least five years after the customer relationship has ceased; and
              (b) For transactions, in relation to documents enabling a reconstitution of the transaction concerned, for at least ten years after the transaction was completed.
              Amended: October 2015
              Amended: January 2007
              Amended: October 2007
              Amended: April 2008

          • Compliance Records

            • FC-6.1.2

              Insurance licensees must retain copies of the reports produced for their annual compliance review, as specified in Paragraph FC-3.3.1B, for at least five years. Licensees must also maintain for five years reports made to, or by, the MLRO in accordance with Sections FC-4.1 and FC-4.2, and records showing how these reports were dealt with and what action, if any, was taken as a consequence of those reports.

              Amended: January 2007
              Amended: October 2007
              Amended: April 2008
              Amended: January 2019

          • Training Records

            • FC-6.1.3

              Insurance licensees must maintain for at least five years, records showing the dates when AML/CFT training was given, the nature of the training, and the names of the staff that received the training.

              Amended: January 2007
              Amended: October 2007
              Amended: April 2008

          • Access

            • FC-6.1.4

              All records required to be kept under this Section must be made available for prompt and swift access by the relevant authorities or other authorised persons.

            • FC-6.1.5

              Insurance licensees are also reminded of the requirements contained in Chapter GR-1 (Books and Records).

      • FC-7 NCCT Measures and Terrorist Financing

        • FC-7.1 Special Measures for Non-Cooperative Countries or Territories ('NCCTs')

          • FC-7.1.1

            Insurance licensees must give special attention to any dealings they may have with entities or persons domiciled in countries or territories which are:

            (a) Identified by the FATF as being 'non-cooperative'; or
            (b) Notified to insurance licensees from time to time by the CBB.
            Amended: January 2007

          • FC-7.1.2

            Whenever transactions with such parties have no apparent economic or visible lawful purpose, their background and purpose must be re-examined and the findings documented. If suspicions remain about the transaction, these must be reported to the relevant authorities in accordance with Section FC-4.2.

          • FC-7.1.3

            Insurance licensees must apply enhanced due diligence measures to business relationships and transactions with natural and legal persons, and financial institutions, from countries where such measures are called for by the FATF. The type of enhanced due diligence measures applied must be effective and proportionate to the risks.

            Added: October 2015

          • FC-7.1.4

            With regard to jurisdictions identified as NCCTs or those which, in the opinion of the CBB, do not have adequate AML/CFT systems, the CBB reserves the right to:

            (a) Refuse the establishment of subsidiaries or branches or representative offices of financial institutions from such jurisdictions;
            (b) Limit business relationships or financial transactions with such jurisdictions or persons in those jurisdictions;
            (c) Prohibit financial institutions from relying on third parties located in such jurisdictions to conduct elements of the CDD process;
            (d) Require financial institutions to review and amend, or if necessary terminate, correspondent relationships with financial institutions in such jurisdictions;
            (e) Require increased supervisory examination and/or external audit requirements for branches and subsidiaries of financial institutions based in such jurisdictions; or
            (f) Require increased external audit requirements for financial groups with respect to any of their branches and subsidiaries located in such jurisdictions.
            Amended: January 2018
            Added: October 2015

        • FC-7.2 Terrorist Financing

          • FC-7.2.1AA

            Insurance licensees must implement and comply with United Nations Security Council resolutions relating to the prevention and suppression of terrorism and terrorist financing. Insurance licensees must freeze, without delay, the funds or other assets of, and ensure that no funds or other assets are made available, directly or indirectly, to or for the benefit of, any person or entity either (i) designated by, or under the authority of, the United Nations Security Council under Chapter VII of the Charter of the United Nations, including in accordance with Resolution 1267(1999) and its successor resolutions as well as Resolution 2178(2014) or (ii) designated pursuant to Resolution 1373(2001).

            Amended: October 2019
            Added: April 2017

          • FC-7.2.1

            Insurance licensees must comply in full with the provisions of the UN Security Council Anti-terrorism Resolution No. 1373 of 2001 ('UNSCR 1373').

          • FC-7.2.2

            [This Paragraph was deleted in January 2018].

            Deleted: January 2018
            Amended: January 2007

          • FC-7.2.3

            A copy of UNSCR 1373 is included in Part B of Volume 3 (Insurance), under 'Supplementary Information'.

          • FC-7.2.4

            Insurance licensees must report to the CBB details of:

            (a) Funds or other financial assets or economic resources held with them which may be the subject of Article 1, Paragraphs (c) and (d) of UNSCR 1373;
            (b) All claims, whether actual or contingent, which the insurance licensee has on persons and entities which may be the subject of Article 1, Paragraphs (c) and (d) of UNSCR 1373; and
            (c) All assets frozen or actions taken in compliance with the prohibition requirements of the relevant UNSCRs, including attempted transactions.
            Amended: January 2023
            Amended: January 2007

          • FC-7.2.5

            For the purposes of Paragraph FC-7.2.4, 'funds or other financial resources' includes (but is not limited to) shares in any undertaking owned or controlled by the persons and entities referred to in Article 1, Paragraphs (c) and (d) of UNSCR 1373, and any associated dividends received by the licensee.

            Amended: January 2007

          • FC-7.2.6

            All reports or notifications under this Section must be made to the CBB's Compliance Directorate.

            Amended: January 2007

          • FC-7.2.7

            See Section FC-4.3 for the Compliance Directorate's contact details.

            Amended: January 2007

        • FC-7.3 Designated Persons and Entities

          • FC-7.3.1

            Without prejudice to the general duty of all insurance licensees to exercise the utmost care when dealing with persons or entities who might come under Article 1, Paragraphs (c) and (d) of UNSCR 1373, insurance licensees must not deal with any persons or entities designated by the CBB as potentially linked to terrorist activity.

            Amended: January 2007

          • FC-7.3.2

            The CBB from time to time issues to licensees lists of designated persons and entities believed linked to terrorism. Licensees are required to verify that they have no dealings with these designated persons and entities, and report back their findings to the CBB. Names designated by the CBB include persons and entities designated by the United Nations, under UN Security Council Resolution 1267 ("UNSCR 1267").

            Amended: January 2007

          • FC-7.3.3

            Insurance licensees must report to the relevant authorities, using the procedures contained in Section FC-4.2, details of any accounts or other dealings with designated persons and entities, and comply with any subsequent directions issued by the relevant authorities.

      • FC-8 Enforcement Measures

        • FC-8.1 Regulatory Penalties

          • FC-8.1.1

            The requirements in this Module are legally binding. Without prejudice to any other penalty imposed by the CBB Law, the Decree Law No. 4 or the Penal Code of the Kingdom of Bahrain, failure by a licensee to comply with this Module or any direction given hereunder shall result in the levying by the CBB, without need of a court order and at the CBB's discretion, of a fine of up to BD 20,000.

            Amended: January 2007

          • FC-8.1.2

            Module EN provides further information on the assessment of financial penalties and the criteria taken into account prior to imposing such fines (reference to Paragraph EN-5.2.3). Other enforcement measures may also be applied by the CBB in response to a failure by a licensee to comply with this Module; these other measures are also set out in Module EN.

            Amended: January 2007
            Amended: October 2007

          • FC-8.1.3

            The CBB will endeavour to assist insurance licensees to interpret and apply the requirements of this Module. Insurance licensees may seek clarification on any issue by contacting the Compliance Directorate (see Section FC-4.3 for contact details).

            Amended: January 2007

          • FC-8.1.4

            Without prejudice to the CBB's general powers under the law, the CBB may amend, clarify or issue further directions on any provision of this Module from time to time, by notice to its licensees.

            Amended: January 2007

      • FC-9 AML / CFT Guidance and Best Practice

        • FC-9.1 Guidance Provided by International Bodies

          • FATF Recommendations

            • FC-9.1.1

              The Financial Action Task Force (FATF) Recommendations (see www.fatf-gafi.org) (together with their associated interpretative notes and best practices papers) provide the basic framework for combating money laundering activities and the financing of terrorism. FATF Recommendations 9-12, 15-17, 18-21, 26-27, 33-35, 37 and 40 and the AML/CFT Methodology are specifically relevant to the insurance sector.

              Amended: October 2015
              Amended: January 2007

            • FC-9.1.2

              The relevant authorities in Bahrain believe that the principles established by these Recommendations should be followed by licensees in all material respects, as representing best practice and prudence in this area.

              Amended: October 2015

          • IAIS: Guidance Paper on Anti-Money Laundering and Combating the Financing of Terrorism

            • FC-9.1.3

              In January 2002, the International Association of Insurance Supervisors (IAIS) issued Anti-Money Laundering Guidance Notes for Insurance Supervisors and Insurance Entities. This document was updated in October 2004 and was reissued as Guidance Paper No. 5: Guidance Paper on Anti-Money Laundering and Combating the Financing of Terrorism (see www.iaisweb.org/publication). The Guidance Paper includes a set of measures and procedures, including elements of customer due diligence (CDD), reporting of suspicious transactions and measures affecting the organisation and staff of insurance licensees.

            • FC-9.1.4

              The CBB supports the above papers and the desirability of all insurance licensees adhering to their requirements and guidance.

              Amended: January 2007

      • FC-10 Fraud

        • FC-10.1 General Requirements

          • FC-10.1.1

            Insurance licensees must ensure that they allocate appropriate resources and have in place systems and controls to deter, detect, and record instances of fraud or attempted fraud.

          • FC-10.1.2

            Fraud may arise from internal sources originating from changes or weaknesses to processes, products and internal systems and controls. Fraud can also arise from external sources, such as claims fraud.

          • FC-10.1.3

            Any actual or attempted fraud incident (however small) must be reported to the appropriate authorities (including the CBB) and followed up. Monitoring systems must be designed to measure fraud patterns that might reveal a series of related fraud incidents.

            Amended: January 2007

          • FC-10.1.4

            Insurance licensees must ensure that a person is given overall responsibility for the prevention, detection and remedy of fraud, at a senior level of the organisation.

          • FC-10.1.5

            Insurance licensees must ensure the effective segregation of functions and responsibilities, between different individuals and departments, such that the possibility of financial crime is reduced and that no single individual is able to initiate, process and control a transaction.

          • FC-10.1.6

            Insurance licensees must provide regular training to their management and staff, to make them aware of potential fraud risks.

          • Advance Fee Fraud

            • FC-10.1.7

              In a number of jurisdictions, there have been a number of recent incidents in which insurance entities have either been the victims of, or have inadvertently provided assistance to, advance fee frauds. Advance fee fraud consists of setting up a fraudulent and almost certainly non-existent financial or banking transaction, the aim of which is to defraud an innocent third party of an up-front payment or deposit which is intended by the third party to be consideration for their involvement in that financial transaction, the receipt of a low interest or interest free loan or the receipt of some other financial benefit. The types of transactions used as the façade for the frauds vary in detail; some of the most common are investment in financial instruments, self-liquidating loans and loans or other financial benefits. Although these transactions are generally based around banking or securities transactions, it is occasionally the case that the transaction will purport to be guaranteed by insurers.

            • FC-10.1.8

              The most common type of advance fee fraud is for a fraudster to approach a company or sovereign state which has a poor credit rating or which is in some financial difficulty and offer to obtain funding at beneficial rates. Likewise, a potential investor may be approached and offered the opportunity to invest in a transaction with a very high rate of return. In each instance, the borrower or investor will be asked to provide some funds up front to cover the costs of setting up the transaction or by way of a deposit or down payment on fees. Once the fee has been paid, the fraudster will disappear and the transaction will, on further investigation, prove to be fictitious.

            • FC-10.1.9

              Insurance licensees are encouraged to promote the exchange of information amongst themselves with respect to fraud and those committing fraud including, as appropriate, through the use of databases. Licensees should also consider the need to exchange information with the police and other external bodies.

            • FC-10.1.10

              Insurance claims fraud is an offence punishable under the provision of Section 391 of the Penal Code, Decree Act No. (15), of 1976 of the Kingdom of Bahrain.

          • Guidance Provided by the IAIS

            • FC-10.1.11

              In October 2006, the International Association of Insurance Supervisors (IAIS) issued Guidance Paper on Preventing, Detecting and Remedying Fraud in Insurance (see www.iaisweb.org/publication). The Guidance Paper has been developed to help the insurance sector prevent and detect cases of fraud. Insurance licensees should assess their own vulnerability and implement effective and efficient policies, procedures and controls to address the risk of fraud.

              Adopted: October 2007

    • IA Insurance Aggregators

      • IA-A Introduction

        • IA-A.1 Purpose

          • IA-A.1.1

            This Module sets out the Central Bank of Bahrain's (CBB's) Directive relevant to insurance aggregators who are intermediaries with an insurance broker's license providing insurance aggregator services, as defined in the Authorisation Module of the CBB Rulebook Volume 3, in the Kingdom of Bahrain.

            October 2019

          • IA-A.1.2

            This Module should be read in conjunction with the requirements in other parts of the CBB Rulebook, Volume 3, applicable to insurance brokers, particularly:

            (a) Authorisation Module;
            (b) Principles of Business Module;
            (c) High Level Controls Module;
            (d) General Requirements Module;
            (e) Risk Management Module;
            (f) Capital Adequacy Module;
            (g) CBB Reporting Requirements Module;
            (h) Auditors and Accounting Standards Module;
            (i) Financial Crime Module; and
            (j) Enforcement Module.
            October 2019

          • Legal Basis

            • IA-A.1.3

              This Module contains the CBB's Directive (as amended from time to time) applicable to insurance brokers undertaking insurance aggregator activities by operating an online platform for this purpose, and is issued under the powers available to the CBB under Article 38 of the CBB Law.

              October 2019

            • IA-A.1.4

              For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

              October 2019

        • IA-A.2 Module History

          • IA-A.2.1

            This Module was first issued in August 2019. All subsequent changes to this Module are annotated with a sequential version number. UG-3 provides further details on Rulebook maintenance and version control.

            October 2019

          • IA-A.2.2

            A list of recent changes made to this Module is provided below:

            Module Ref. | Change Date | Description of Changes

      • IA-B Scope of Application

        • IA-B.1 Introduction

          • IA-B.1.1

            Insurance aggregators, as defined in Module AU-1.1.8A, provide information aggregation services to clients by comparing the different insurance products for their customers. Insurance aggregators are licensed as insurance brokers and may provide all or some of the services that insurance brokers are authorised to provide only through an online platform.

            October 2019

          • IA-B.1.2

            The word aggregator simply means an organisation that collects information from other businesses and then places it on one website. This may be used by a number of industries as an effective way of increasing client proposals and referrals. In the insurance industry, a customer is able to find insurance quotes under a single electronic platform instead of trawling through multiple insurer websites for quotes individually.

            October 2019

          • IA-B.1.3

            Insurance aggregators who handle client money should have policies and procedures in place to safeguard client money, and comply with the requirements under Module CL.

            October 2019

          • IA-B.1.4

            Additionally, there are confidentiality and data privacy implications if the insurance aggregator uses the cloud for the analytics. If client data is processed by the tool using the cloud, there must be safeguards to avoid non-compliance with applicable laws.

            October 2019

      • IA-1 Systems and Controls

        • IA-1.1 Systems and Controls

          • Role of Board and Senior Management

            • IA-1.1.1

              The Board of Directors must establish adequate internal controls and maintain effective oversight and governance of the insurance aggregator process and the client interface including establishing sound policies, procedures, systems, methodologies and controls. Such policies must be comprehensive and cover the following:

              (a) Controls over technology solutions;
              (b) Platform operations and performance;
              (c) Tools and measures to prevent frauds and errors;
              (d) Risk management controls;
              (e) Prevention of anti-money laundering (AML) and combating terrorist financing (CTF);
              (f) Record keeping and audit trails;
              (g) Safeguarding client moneys; and
              (h) Financial controls.
              October 2019

            • IA-1.1.2

              The Board of Directors must take responsibility for the establishment and oversight of effective risk management and internal controls.

              October 2019

            • IA-1.1.3

              Consistent with Module PB: Principles of Business, Paragraph PB-1.1.1, the Board of the insurance aggregator must establish adequate internal controls to safeguard the business, its customers and licensees to which they have online access.

              October 2019

          • Technology governance

            • IA-1.1.4

              Insurance aggregators must use technology solutions which are capable of interfacing with software and systems used by insurance licensees and different applications used by customers.

              October 2019

            • IA-1.1.4A

              With respect to Paragraph IA-1.1.4, if an insurance licensee does not have technology systems capable of interfacing with the insurance aggregator, it may utilize other means to display the said licensee's quote such as a quoting engine based on the criteria of the insurance firm.

              October 2019

            • IA-1.1.5

              The internal controls mentioned in Paragraph IA-1.1.3 must include, but not be limited to, the following:

              (a) The development and/or acquisition of the technology solutions to conduct the activity;
              (b) Testing of the solutions and application program interfaces;
              (c) Standards of communication and access and related security controls;
              (d) Safe authentication of the users; and
              (e) Tools and measures to prevent frauds and errors.
              October 2019

            • IA-1.1.6

              Insurance aggregators must maintain an up-to-date security policy document containing the following information:

              a) detailed documentation of the technology architecture and of the systems and the network elements providing:
                i. a description of the business IT systems supporting the business activities;
                ii. the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
                iii. for each of the connections, the logical security measures and mechanisms in place, specifying the control the licensee will have over such access as well as the nature and frequency of each control;
                iv. the process for the opening/closing of communication lines, and a description of security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
              b) the logical security measures and mechanisms that govern the internal access to IT systems;
              c) the physical security measures and mechanisms of the premises and the data centre of the licensee, such as access controls and environmental security;
              d) the security of the customer payment processes; and
              e) ensure that the information systems (both hardware and software), including the aggregation website(s)/portals, Proposal Management System and the Data Centers hosting the website(s)/Portal(s)/Proposal Management System, are in compliance with the Cyber Security rules stipulated in Section RM-9.
              October 2019

          • Business continuity

            • IA-1.1.9

              Insurance aggregators must ensure they have an up-to-date business continuity plan and arrangements consisting of the following information:

              a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
              b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
              c) an explanation of how the licensee will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons; and
              d) the frequency with which the licensee intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
              October 2019

            • IA-1.1.10

              Insurance aggregators must ensure that there are documented measures to protect confidentiality of client data consistent with Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018.

              October 2019

            • IA-1.1.11

              Insurance aggregators must ensure that the requirements relating to enhanced due diligence as required under Module FC are met when the client is assessed as higher risk and also where the client relationship (whether at the time of on-boarding or otherwise) is on a non-face-to-face basis.

              October 2019

      • IA-2 Operating Framework

        • IA-2.1 Client Agreements

          • IA-2.1.1

            Insurance aggregators must agree in writing the terms of business with their clients (i.e. insurance firms) and ensure that the following are stipulated:

            a) the full scope of the insurance aggregator services;
            b) the basis for providing advice (if any) including but not limited to methodologies used for such advice;
            c) the fees, charges or commissions relevant to the services being offered;
            d) the dispute resolution processes available to the clients if they wish to make a complaint.
            October 2019

          • IA-2.1.2

            Insurance aggregators must disclose in writing the full particulars of any actual or potential conflicts of interest arising from any connection or association with a product provider, including any commissions or fees and any material information or facts that may compromise their objectivity or independence.

            October 2019

        • IA-2.2 Arrangements with Insurance Firms

          • IA-2.2.1

            No arrangements must be made by the insurance aggregators with the insurance firms which are against the interests of policyholders.

            October 2019

          • IA-2.2.2

            An insurance aggregator desirous of transmitting proposals to an insurance firm must enter into an "agreement" with the insurance firm which must include at least the following details:

            a) Timeframe and mode of transmission of proposals to be shared;
            b) Onus of complying with regulatory and other legal requirements on both the parties to the agreement;
            c) Identifying the different data elements to be shared such as name of prospective client/client/visitor of the web site, contact details etc.;
            d) The timeframe for providing the premium and feature tables of the agreed products to the insurance aggregator after concluding the agreement and keeping them up to date.
            October 2019

          • IA-2.2.3

            The insurance aggregator must keep the agreement ready for inspection as and when desired by the CBB's on-site supervision team.

            October 2019

          • IA-2.2.4

            The insurance aggregator must ensure the following:

            a) While entering into such arrangements, an insurance aggregator must not promise, and an insurance firm must not compel the insurance aggregator, to distribute the products of only a particular insurance firm;
            b) The arrangements must have provisions to include duties and responsibilities of insurance aggregators towards the policyholders, duties and responsibilities of insurance firms and insurance aggregators, terms and conditions for termination of arrangements;
            c) In case an insurance aggregator wishes to terminate an arrangement with any insurance firm, it may do so after informing the insurance firm of the reasons for termination of the arrangement. In such cases, the insurance aggregator must service any policies solicited but not yet issued by the concerned insurance firm until the issuance of the said policies;
            d) No insurance firm must pay and no insurance aggregator must receive any signing fee or any other charges by whatever name called, except those permitted by the CBB under relevant regulations, for becoming its insurance aggregator.
            October 2019

          • IA-2.2.5

            The CBB may, at any point in time, direct any insurance firm or insurance aggregator to terminate the distribution arrangements.

            October 2019

        • IA-2.3 Product Comparisons

          • Policy for comparison and distribution of insurance products

            • IA-2.3.1

              Insurance aggregators must have a Board approved policy on the approach to be followed by the insurance aggregator in having multiple tie-ups, type of products sold, grievance redress mechanism, reporting requirements and any other item. The Board of the insurance aggregator must review the same at least once in three years.

              October 2019

          • Display of product comparisons on the insurance aggregator website

            • IA-2.3.2

              The insurance aggregator must adhere to the following conditions relating to display of product comparison on its website:

              a) Disclose prominently on the home page a notice that:
                i. the prospective client's/visitor's particulars could be shared with insurance firms;
                ii. the information displayed on the insurance aggregator's website is of the insurance firms with whom the insurance aggregator has an agreement;
              b) Product information displayed by the insurance aggregator must be authentic and be based solely on information received from insurance firms;
              c) Insurance aggregators must not display customer ratings, rankings, endorsements or bestsellers of insurance products on their website;
              d) The content of the website of the insurance aggregator must be unbiased and factual in nature;
              e) Basic features of products may be compared, such as:
                i. Eligibility criteria
                ii. Policy term
                iii. Premium
                iv. Inbuilt benefits/riders
                v. Premiums for different age groups
                vi. Benefits such as survival benefits/maturity benefits/death benefits etc.
                vii. Any other additional information/special product features relating to the products
              f) Product comparisons that are displayed must be up-to-date and reflect the true picture of the products;
              g) The product comparison must highlight whether a particular policy is a sharia compliant Takaful policy or a conventional insurance policy.
              October 2019

            • IA-2.3.3

              Insurance aggregators must not operate multiple websites or tie up with other un-registered websites for comparison of products.

              October 2019

        • IA-2.4 Disclosures and Management of Proposals

          • IA-2.4.1

            Insurance aggregators must adhere to the following requirements with respect to their platform:

            a) Insurance aggregators must disclose prominently on the home page or similar page of the relevant application that the prospective client's/visitor's particulars could be shared with insurance firms if the arrangements with the insurance firms warrant such a disclosure;
            b) Insurance aggregators must provide an option for the visitor to select multiple insurance firms, to whom the proposal must be transmitted simultaneously;
            c) Insurance aggregators must provide an option to select or choose between conventional insurance and Takaful products;
            d) Insurance aggregators must not transmit the proposal containing data of a client to insurance firm(s) other than the one(s) preferred by the client. However, if the client shows interest in buying insurance but does not prefer any insurance firm, the insurance aggregator may transmit the proposal to several insurance firms in the same class of insurance business based on the need analysis of the client;
            e) Ensure that the proposals and other data are transmitted to the insurance firms and others using secured data encryption technologies;
            f) Disclose in all its correspondences with all stakeholders its name followed by "licensed as an Insurance Broker — Insurance Aggregator by the Central Bank of Bahrain".
            October 2019

          • IA-2.4.2

            Insurance aggregators must not provide customers with any cash discounts on their own account, such as in the form of discount codes, cash backs and promotional codes etc.

            October 2019

        • IA-2.5 IA-2.5 Professional Indemnity Insurance

          • IA-2.5.1

            Every insurance aggregator must take out and continue to maintain a professional indemnity insurance cover from a licensed insurance firm in the Kingdom of Bahrain. (See Section GR-10.1)

            October 2019

          • IA-2.5.2

            An insurance aggregator must ensure that the insurance cover indemnifies against the following:

            a) any error or omission or negligence;
            b) any loss of money or other property for which the insurance aggregator is legally liable in consequence of any financial or fraudulent act or omission;
            c) any loss of documents and costs and expenses incurred in replacing or restoring such documents; and
            d) dishonest or fraudulent acts or omissions by insurance aggregator employees.
            October 2019

          • IA-2.5.3

            The indemnity cover should not contain any terms to the effect that payments of claims depend upon the insurance aggregator having first met the liability.

            October 2019

          • IA-2.5.4

            The cover should indemnify in respect of all claims made during the period of the insurance regardless of the time at which the event giving rise to the claim may have occurred.

            October 2019

          • IA-2.5.5

            The professional indemnity insurance cover must not be cancelled without the CBB's prior written approval.

            October 2019

      • IA-3 IA-3 Other Controls

        • IA-3.1 IA-3.1 Remuneration

          • IA-3.1.1

            Remuneration in any form paid to insurance aggregators by insurance firms must be in compliance with the following provisions:

            a) No fee can be charged to the insurance firm for listing its products;
            b) Proposals which are converted into sale of insurance policies will entitle the insurance aggregator to earn commission as applicable to insurance brokers;
            c) Insurance aggregators can provide other services to insurance firms in respect of policies procured through them. In such instances, the insurance firm may pay the insurance aggregators reasonable service charges at mutually agreed rates in the service agreements with the insurance aggregators.
            October 2019

          • IA-3.1.2

            The insurance aggregator, if requested by a prospective client, must disclose the amount of remuneration it receives as a result of effecting insurance for that client.

            October 2019

        • IA-3.2 IA-3.2 Complaints Handling

          • IA-3.2.1

            The insurance aggregator must:

            a) Have in place a system for recording and monitoring complaints;
            b) Ensure that the website contains details of complaints handling procedures and provides a facility to the customer to log complaints online;
            c) Ensure that communications from clients in any form (written, phone, email, messaging etc.) are acknowledged promptly in accordance with the requirements stated in Paragraph BC-4.5.1;
            d) Ensure that the grievance is resolved to the fullest satisfaction of the client;
            e) Ensure that responses are sent to the customer on the resolution of the grievance, and the customer is informed of the further redress procedure available to him; and
            f) Ensure that complaints are attended to at senior management level.
            October 2019

          • IA-3.2.2

            The insurance aggregator must disclose on its website that if a member of the public wishes to make a complaint or requires the assistance of the CBB in resolving a dispute, he may write to the CBB.

            October 2019

        • IA-3.3 IA-3.3 Training and Independent Assessments

          • Training

            • IA-3.3.1

              The insurance aggregator must:

              a) Ensure that its staff are aware of and adhere to the standards expected of them by this Module;
              b) Ensure that staff are competent, suitable and have been given adequate training; and
              c) Ensure that there is a system in place to monitor the quality of services of its staff.
              October 2019

          • Independent assessments

            • IA-3.3.2

              Insurance aggregators must ensure that their overall control framework is evaluated and independently tested by an independent external consultant other than the external auditors:

              a) initially upon implementation of this Module and prior to launching of business;
              b) when there are any material changes to the systems and controls; and
              c) at least once every 3 years.
              October 2019

            • IA-3.3.3

              Insurance aggregators must ensure that the report of the evaluation referred to in Paragraph IA-3.3.2(b) is provided to the CBB within 2 weeks of completion of the report. The report required under IA-3.3.2(c) must be submitted within 3 months of the year-end in which the evaluation was conducted. In addition, the report required under IA-3.3.2(a) should be submitted to the CBB for the CBB's review and no-objection prior to launching the business.

              October 2019