Business Standards
CA Capital Adequacy
CA-A Introduction
CA-A.1 Purpose
CA-A.1.1
This Module presents requirements that have to be met by insurance licensees, with respect to the level of capital they must maintain. Condition 5 of the Central Bank of Bahrain ('the CBB') Licensing Conditions (cf. Chapter AU-2.5) requires insurance licensees to maintain adequate financial resources, in excess of the minimum requirements specified in Module CA (Capital Adequacy).
Amended: January 2007
CA-A.1.2
The requirements specified in this Module vary according to the Category of insurance licensee concerned, the volume of business undertaken and its inherent risk. The purpose of such requirements is to ensure that insurance licensees maintain levels of capital sufficient to absorb unexpected losses, within a reasonable confidence interval. The capital levels specified here, in other words, are not sufficient to absorb all unexpected losses. Insurance licensees are also required to make their own assessment of the prudent level of capital that they need to hold.
Amended: January 2007
CA-A.1.3
This Module covers requirements to be met by both conventional and Takaful insurers. Specific requirements for Takaful firms are given in Chapter CA-8.
Amended: January 2007
Amended: October 2008
Legal Basis
CA-A.1.4
This Module contains the CBB's Directive (as amended from time to time) relating to the capital adequacy of insurance licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all insurance licensees.
Amended: January 2011
Adopted: January 2007
CA-A.1.5
For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.
Adopted: January 2007
CA-A.2 Module History
CA-A.2.1
This Module was first issued in April 2005 by the BMA, together with the rest of Volume 3 (Insurance). Any material changes to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.
Amended: January 2007
CA-A.2.2
When the CBB replaced the BMA in September 2006, the provisions of this Module remained in force. Volume 3 was updated in January 2007 to reflect the switch to the CBB; however, new calendar quarter dates were only issued where the update necessitated changes to actual requirements.
Amended: January 2007
CA-A.2.3
A list of recent changes made to this Module is detailed in the table below:
| Module Ref. | Change Date | Description of Changes |
|---|---|---|
| CA-1.2 | 01/07/05 | Changes made to the definitions of Tier 1 and Tier 2. |
| CA-4.1 | 01/07/05 | Correction to cross-reference. |
| CA-4.2 | 01/07/05 | Clarified valuation of amounts receivable. |
| CA-7.1 | 01/07/05 | Minor correction to list. |
| CA-8.2 | 01/07/05 | Minor correction. |
| CA-8.3 | 01/07/05 | Minor correction. |
| CA-8.4 | 01/07/05 | Minor correction. |
| CA-8.5 | 01/07/05 | Minor correction. |
| CA-1.2 | 01/10/05 | Amended requirement for minimum paid-in capital to minimum Tier 1 capital and related transition rules; clarified the definition of Tier 1 capital with respect to reserves and appropriations; clarified definition of Tier 2 in relation to the investment fair value reserve; amended determination of capital available chart in line with other changes in Section CA-1.2. |
| CA-2.1 | 01/10/05 | Added class of short term medical for solvency calculation of premiums basis and claims basis. |
| CA-4.2 | 01/10/05 | Clarified the treatment of unlisted equity shares and deleted the reference to managed funds. |
| CA-7.1 | 01/10/05 | Corrected reference to Group Insurance Firm Return. |
| CA-3.1 | 01/01/06 | Clarified that rule applies to related parties, as defined in Glossary. |
| CA-2.1.14 | 01/04/06 | Clarified the calculation of the average gross claims incurred. |
| CA-4.2.25 | 01/04/06 | Corrected that receivables from contracts of insurance are also included under general asset valuation regulations. |
| CA-6.1.6 | 01/04/06 | Clarified the definitions of 'assets' and 'liabilities' for purposes of currency matching and localisation requirements. |
| CA-1.2.8 and CA-1.2.21 | 01/07/06 | Added minority interest as part of the components of Tier 1 and clarified excess tier 2 capital. |
| CA-2.1.14 | 01/07/06 | Clarified calculation of required solvency margin on the Claims basis. |
| CA-4.3.2 | 01/07/06 | Clarified category limits for assets linked to long-term liabilities. |
| CA-8.4.3 | 01/07/06 | Clarified definition of capital available for a takaful fund. |
| CA-A.1.4 | 01/2007 | New Rule introduced, categorising this Module as a Directive. |
| CA-1.2.8 and 1.2.21 | 01/2007 | Minority interest was deleted as part of Tier 1 capital as solvency test is performed on an unconsolidated basis. |
| CA-1.2.21 | 01/2007 | Deleted reference to negative reserves as no discounting is permitted that would give rise to negative reserves. Clarified that there should be a deduction for solvency margin deduction required for branches in other jurisdictions. Added a deduction for assets pledged or provided as collateral. |
| CA-2.1.8A | 01/2007 | The required solvency margin for pure reinsurers, other than for the reinsurance of linked business, is to be calculated in accordance with Paragraph CA-2.1.12. |
| CA-2.1.15 | 01/2007 | The reference period for the calculation of average gross claims and met claims incurred is now limited to 3 years. The 7-year option has been deleted. |
| CA-4.2.25 | 01/2007 | Clarified that all amounts due under contracts of insurance and reinsurance that have been due for more than 6 months must be valued at nil. |
| CA-1.2.1 and 1.2.2 | 10/2007 | Minimum Tier 1 capital only applies to Bahraini insurance firms. |
| CA-4.2.25A | 10/2008 | Added a Paragraph to deal with the valuation of unearned reinsurance premiums. |
| CA-8.4.6A | 10/2008 | Clarified treatment of income generated from the assets forming part of the free loan to the Takaful fund. |
| CA-8.4.13 | 10/2008 | Introduced Rules for transition period for newly established Takaful funds. |
| CA-6.1.1 | 04/2009 | Clarified non-application of localisation requirements to unit-linked products. |
| CA-8.4.8 | 04/2009 | Paragraph 8.4.8 deleted on funding of deficit for Family Takaful funds. |
| CA-1.2.4 | 10/2009 | Paragraph amended to allow for the zillmer adjustment as outlined in Paragraph CA-5.1.24. |
| CA-3.1 | 10/2009 | Section amended to reemphasize the need for separate accounting funds for different lines of business and different funds. |
| CA-5.1 | 10/2009 | Various amendments in line with consultation document issued in July 2009. |
| CA-A.1.4 | 01/2011 | Clarified legal basis. |
| CA-1.3.1 and CA-1.3.1A | 04/2012 | Updated capital requirements for insurance brokers. |
| CA-1.2.3, CA-1.2.23, CA-4.2.25, CA-8.2, CA-8.3, CA-8.4, CA-8.4A, CA-8.5 | 04/2014 | Various amendments to reflect consultation undertaken on the enhanced operational and solvency framework. Some changes are applicable to all insurance firms and some only applicable to Takaful firms. |
| CA-1.3.1B | 04/2023 | Added a new Paragraph on minimum capital and liquid funds required for insurance aggregators. |

CA-A.2.4
Guidance on the implementation and transition to Volume 3 (Insurance) is given in Module ES (Executive Summary).
Amended: January 2007
CA-B Scope of Application
CA-B.1 Bahraini Insurance Licensees and Overseas Insurance Licensees
CA-B.1.1
This Module applies to both Bahraini insurance licensees and overseas insurance licensees.
CA-B.1.2
While the solvency requirements for Bahraini insurance firms and for overseas insurance firms are identical (as per Chapter CA-2), the calculation of the capital available varies based on the legal structure of the licensee, i.e. whether it is a locally incorporated company or a branch operation.
Amended: January 2007
CA-B.1.3
Bahraini insurance firms must calculate their capital available based on the shareholder's equity of the licensee (and other allowable elements of regulatory capital, as specified in Chapter CA-1). Overseas insurance firms must calculate their capital available based on their audited net assets, determined in accordance with accounting standards that would be applicable if they were a joint stock company incorporated in Bahrain.
Amended: January 2007
CA-B.2 Single Insurance Entity and Consolidated Insurance Entity
Single Insurance Entity (Unconsolidated)
CA-B.2.1
Insurance licensees must apply the requirements of this Module as a single insurance entity, i.e. at the level of the unconsolidated company or branch. Any insurance activities of branches of Bahraini insurance licensees are included in the single insurance entity and are not subject to separate capital and solvency requirements.
Amended: January 2007
Consolidated Insurance Entity
CA-B.2.2
Overall capital and solvency requirements must be calculated for the consolidated Bahrain group (including the Bahrain insurance parent and subsidiaries). Bahraini insurance licensees must in addition apply the requirements of this Module at the consolidated level.
Amended: January 2007
CA-B.2.3
For purposes of Paragraph CA-B.2.1, where branches and subsidiaries are operating in jurisdictions outside of Bahrain, and are subject to capital requirements in these other jurisdictions that are equivalent or more stringent than the Bahrain requirements, these licensees will be considered to be in compliance with the requirements of this Module.
Amended: January 2007
CA-B.2.4
In instances where insurance licensees are uncertain as to the equivalency of the capital requirements of other jurisdictions where they operate, they should discuss these requirements with the CBB.
Amended: January 2007
CA-1 Capital Requirements
CA-1.1 General Requirements
CA-1.1.1
In accordance with Principle of Business 9, insurance licensees must maintain adequate human, financial and other resources sufficient to run their business in an orderly manner.
CA-1.1.2
In the event that an insurance licensee fails to meet the capital and solvency margin requirements outlined in this Module, it must, on becoming aware that it has breached these Rules, notify the CBB immediately and within 25 calendar days submit a plan to the CBB demonstrating how its capital available will be restored and the timeframe for that restoration to occur.
Amended: January 2007
CA-1.1.3
Should the insurance licensee fail to meet the requirements of this Module, the CBB may impose enforcement measures outlined in Module EN.
Amended: January 2007
CA-1.1.4
Unless otherwise indicated, all insurance licensees must implement the requirements of Module CA, effective 31 December 2005 (Refer to ES-2.5.1).
Amended: January 2007
CA-1.2 Calculation of Capital Available for Insurance Firms
CA-1.2.1
A Bahraini insurance firm must maintain sufficient capital to enable it to meet at all times its insurance and other obligations. The minimum Tier 1 capital for Bahraini insurance firms is BD 5 million, except for those firms whose business is limited to reinsurance. Bahraini insurance firms whose business is limited to reinsurance must have minimum Tier 1 capital of BD 10 million. Overseas insurance firms and captive insurers are not subject to a minimum Tier 1 capital but must comply with the Required Solvency Margin and minimum fund, as defined in Chapter CA-2. In addition, all insurance firms must at all times maintain a capital available in excess of the greater of the Required Solvency Margin and the minimum fund, as defined in Chapter CA-2.
Amended: January 2007
Amended: October 2007
CA-1.2.2
Bahraini insurance firms licensed prior to 1 April 2005 that do not meet the requirements of Paragraph CA-1.2.1, will be required to meet the requirements for minimum Tier 1 capital by 31 December 2007. In addition, the requirements to maintain a capital available in excess of the greater of the Required Solvency Margin and minimum fund must be met by insurance firms by 31 December 2005. Insurance firms who are in run-off and whose license is restricted from entering into new contracts of insurance as per Paragraph GR-8.1.8, are grandfathered and not required to apply the requirements of Paragraph CA-1.2.1 (refer to ES-2.6.2).
Amended: January 2007
Amended: October 2007
CA-1.2.3
An insurance firm must ensure that at all times its capital available does not fall below the minimum fund. In the event that an insurance firm's capital available does fall below the minimum fund, the insurance firm must inject capital and must notify the CBB immediately. Further, the insurance firm must cease to effect any new contracts of insurance, including renewals of existing contracts unless explicitly permitted to do so by the CBB.
Amended: April 2014
Amended: October 2007
Amended: January 2007
Limitation on Valuation of Capital Instruments
CA-1.2.4
For the purposes of determining an insurance firm's capital available, no value is attributed to any other instrument or resource of an insurance firm other than those identified in Paragraphs CA-1.2.8, CA-1.2.12 and CA-5.1.24 without the consent in writing of the CBB. Without limiting the generality of this Rule, no value is attributed to any of the following:
(a) Any implicit items (which relate to future profits, zillmerising and hidden reserves); and
(b) The unpaid element of any issued shares some or all of which are not 'fully paid' shares.
Amended: October 2009
Amended: January 2007
Capital Available: Tier 1 and Tier 2
CA-1.2.5
An insurance firm's capital available, for the purposes of this Module, comprises two tiers. Tier 1, or core capital, comprises the highest quality capital elements that fully meet all the essential characteristics of capital. Tier 2, or supplementary capital, comprises other instruments that, to varying degrees, fall short of the quality of Tier 1 capital but nonetheless contribute to the overall financial strength of the insurance firm. Insurance firms may hold Tier 2 capital in excess of the limits in Paragraph CA-1.2.7, but any such excess is not counted as capital available for the purposes of the requirements in this Module.
Amended: January 2007
CA-1.2.6
The capital available of an insurance firm comprises the sum of its Tier 1 and Tier 2 capital resources, subject to the limits in Paragraph CA-1.2.7.
Amended: January 2007
CA-1.2.7
Total Tier 2 capital cannot exceed 100% of total Tier 1 capital. Lower Tier 2 capital of the type identified in Paragraph CA-1.2.12 (f), (g) and (h) cannot exceed more than 50% of total Tier 1 capital.
Amended: January 2007
Tier 1 Capital
CA-1.2.8
Tier 1 capital comprises:
(a) Paid-up ordinary shares (net of treasury shares);
(b) Share premium reserve;
(c) Perpetual non-cumulative preference shares;
(d) All disclosed reserves brought forward, that are audited and approved by the shareholders, in the form of legal, general and other reserves created by appropriations of retained earnings, excluding fair value reserve;
(e) Unappropriated retained earnings, excluding cumulative unrealised fair value gains, brought forward;
(f) Audited current year's earnings net of unrealised fair value gains and before taxes; and
(g) In the case of an overseas insurance firm, the audited net assets (excluding any unrealised fair value gains and the surplus assets of long-term funds), determined in accordance with accounting standards that would be applicable if it were a joint stock company incorporated in Bahrain.
Amended: January 2007
CA-1.2.9
Tier 1 capital elements included in Subparagraph CA-1.2.8 (a) to (c) can only be so included if:
(a) It is issued by the insurance firm;
(b) It is fully paid, and only that portion of the shares for which payment has been received is otherwise included; and
(c) It:
(i) Cannot be redeemed at all or can only be redeemed on a winding up of the insurance firm; or
(ii) Is only redeemable at the option of the insurance firm and complies with any conditions applicable to joint stock companies in Bahrain;
(d) Any coupon is non-cumulative;
(e) It is able to absorb losses;
(f) It ranks for repayment upon winding up no higher than a share of a company incorporated under the Joint Stock companies law of Bahrain;
(g) Coupons on it can only be paid out of accumulated realised profits;
(h) No coupon is payable at a time when the insurer is in breach of Paragraph CA-1.2.1 and no coupon is payable to the extent that, after paying it, the insurance firm would breach that Rule; and
(i) The proceeds of issue are immediately and fully available to the insurance firm.
Amended: January 2007
CA-1.2.10
Tier 1 capital has the following characteristics:
(a) It is able to absorb losses;
(b) It is permanent;
(c) It ranks for repayment upon winding up after all other debts and liabilities; and
(d) It has no fixed costs, that is, there is no inescapable obligation to pay dividends or interest.
Amended: January 2007
CA-1.2.11
An insurance firm must not redeem any tier 1 instrument that it has included in its Tier 1 capital resources for the purpose of Chapter CA-1 unless it has notified the CBB of its intention at least one month before it does so.
Amended: January 2007
Amended: October 2007
Tier 2 Capital
CA-1.2.12
Tier 2 capital includes the following liabilities of an insurance firm, to the extent permissible by Paragraph CA-1.2.7:
(a) Interim net income, excluding 55% of any unrealised fair value gains arising from investments held to maturity as per IAS 39, reviewed by the external auditors in accordance with International Standards on Auditing (ISA);
(b) Perpetual cumulative preference shares;
(c) Mandatory convertible notes and similar capital instruments;
(d) Perpetual subordinated debt;
(e) Any other hybrid (debt/equity) capital instruments of a permanent nature;
(f) Dated subordinated debt with an original term of at least 5 years;
(g) Limited life redeemable preference shares with an original term of at least 5 years;
(h) Any other similar limited life capital instruments with an original term of at least 5 years; and
(i) Investment fair value reserve (IAS 39) on investments held available for sale, discounted to 45%.
Amended: January 2007
CA-1.2.13
Tier 2 capital includes forms of capital that do not meet the requirements for permanency and absence of fixed servicing costs that apply to Tier 1 capital. Tier 2 capital resources are split into upper and lower tiers, based on the permanency of the instruments. For example:
(a) Capital which is perpetual (that is, has no fixed term) but cumulative (that is, servicing costs cannot be waived at the issuer's option, although they may be deferred — for example cumulative preference shares) may be included in upper Tier 2 capital; and
(b) Capital which is dated, i.e. not perpetual (that is, it has a fixed term) and which may also have fixed servicing costs that cannot generally be either waived or deferred, such as subordinated debt, are included in lower Tier 2 capital. Such capital should normally be of a medium to long-term maturity (that is, an original maturity of at least five years).
Amended: January 2007
CA-1.2.14
Lower Tier 2 capital instruments (ref CA-1.2.12 (f) to (h)), must have a minimum fixed term to maturity in excess of 5 years. During the last 5 years to maturity, a cumulative discount (or amortisation) factor of 20% per year must be applied to reflect the diminishing value of these instruments as a continuing source of strength.
Amended: January 2007
Tier 2: Hybrid Capital Instruments
CA-1.2.15
Hybrid capital instruments are instruments that combine the features of debt and equity in that they are structured like debt, but exhibit some of the loss absorption and funding flexibility features of equity.
CA-1.2.16
A hybrid capital instrument must meet the following conditions before it can be included in an insurance firm's upper Tier 2 capital resources:
(a) It must meet the general conditions described in Paragraph CA-1.2.17;
(b) It must have no fixed maturity date;
(c) The contractual terms of the debt agreement must provide for the insurance firm to have the option to defer any interest payment on the debt; and
(d) The contractual terms of the debt agreement must provide for the loss-absorption capacity of the debt and unpaid interest, whilst enabling the insurance firm to continue its business.
Amended: January 2007
CA-1.2.17
A hybrid capital instrument cannot form part of the capital resources of an insurance firm unless it meets the following conditions:
(a) The claims of the creditors must rank behind those of all unsubordinated creditors;
(b) No amounts due may be payable:
(c) The only events of default must be non-payment of any amount falling due under the terms of the instrument or the winding-up of the insurance firm;
(d) The remedies available to the subordinated creditor in the event of non-payment or other breach of the written agreement or instrument must be limited to petitioning for the winding up of the insurance firm or proving the debt in a liquidation of the insurance firm;
(e) Any events of default and any remedy described in (d) must not prejudice the matters in (a) and (b);
(f) In addition to the requirements about repayment in (a) and (b), the debt must not become due and payable before its stated final maturity date (if any) except on an event of default complying with (c);
(g) The debt agreement or terms of the instrument are governed by the laws of Bahrain;
(h) To the fullest extent permitted under the laws of the relevant jurisdictions, creditors must waive their right to set off amounts they owe the insurance firm against subordinated amounts included in the insurance firm's capital resources owed to them by the insurance firm;
(i) The terms of the instrument must be set out in a written agreement that contains terms that provide for the conditions set out in (a) to (h);
(j) The debt must be unsecured and fully paid up; and
(k) The insurance firm has obtained an external legal opinion stating that the requirements in (a) to (j) have been met.
Amended: January 2007
CA-1.2.18
Subparagraph CA-1.2.17 (g) does not apply if the insurance firm has obtained an external legal opinion confirming that a degree of subordination has been achieved under the law that governs the debt and the agreement that is equivalent to that which would have been provided under the laws of Bahrain.
Amended: January 2007
CA-1.2.19
An insurance firm must not amend the terms of the debt and the documents referred to in Subparagraph CA-1.2.17 (i) unless:
(a) At least one month before the amendment is due to take effect, the insurance firm has given the CBB notice in writing of the proposed amendment; and
(b) That notice includes confirmation that the legal opinion referred to in Subparagraph CA-1.2.17 (k) continues in full force and effect in relation to the terms of the debt and the documents as proposed to be so amended.
Amended: January 2007
CA-1.2.20
An insurance firm must notify the CBB of its intention to repay a hybrid capital instrument that is included in its capital resources before its contractual repayment date (if any) at least six months before the date of the proposed repayment, providing details of how it will meet its capital available requirement after such repayment.
Amended: January 2007
Determination of Capital Available
CA-1.2.21
Every insurance firm must determine its capital available in accordance with this Rule:

Determination of Insurance Firm's Capital Available

Tier 1 Capital
Paid-up ordinary shares (net of treasury shares)
Share premium reserve
Perpetual non-cumulative preference shares
All disclosed reserves brought forward, that are audited and approved by the shareholders, in the form of legal, general and other reserves created by appropriations of retained earnings, excluding fair value reserve
Unappropriated retained earnings, excluding cumulative unrealised fair value gains, brought forward
Audited current year's earnings net of unrealised fair value gains and before tax expenses
Overseas Insurance Firms Only: audited net assets, excluding any unrealised fair value gains and surplus assets in long-term funds.
(A) Total Tier 1 Capital

Tier 2 Capital — Upper Level
Interim net income, excluding any unrealised fair value gains, reviewed by the external auditors in accordance with International Standards on Auditing (ISA)
Perpetual cumulative preference shares
Mandatory convertible notes and similar capital instruments
Perpetual subordinated debt
Other hybrid (debt/equity) capital instruments of a permanent nature
Investment fair value reserve (IAS 39) and any unrealised fair value gains included in retained earnings, both discounted to 45%.
(B) Total Tier 2 Capital — Upper Level

Tier 2 Capital — Lower Level
Limited life redeemable preference shares with an original term of at least 5 years.
Dated subordinated debt with an original term of at least 5 years.
Any other similar limited life capital instruments with an original term of at least 5 years.
(C) Total Tier 2 Capital — Lower Level: before excess deduction
(D) Total Tier 2 Capital (B plus C)
(E) Excess Tier 2 Capital — Lower Level = (C) − [(A) times 50%] (if negative, excess is 0)
(F) = (D) − (E) Total Tier 2 Capital — Lower Tier adjusted
(G) Excess Tier 2 Capital = (F) − [(A) times 100%] (if negative, excess is 0)
(H) = (F) − (G) Total Tier 2 Capital

Deductions from Capital
Valuation asset differences
Inadmissible assets by asset category
Inadmissible assets in excess of counterparty limits
Required margins of solvency for branches in other jurisdictions.
Current year's losses, before any tax expenses
Dividends paid and declared
Assets pledged or provided as collateral where there is no offsetting liability.
Tax expenses
Other appropriations not included as charges to profit and loss statement (e.g. Directors' remuneration, donations)
Other
(I) Total Deductions from Capital

(A)+(H)−(I) CAPITAL AVAILABLE

Amended: January 2007
CA-1.2.22
In Paragraph CA-1.2.21, under 'Deductions from Capital' the deductions for:
(a) Inadmissible assets by asset type; and
(b) Inadmissible assets in excess of counterparty limits
only apply to those amounts in respect of assets, other than those assets from linked long-term insurance.
Amended: January 2007
CA-1.2.23
[This Paragraph was deleted in April 2014.]
Deleted: April 2014
Amended: January 2007
CA-1.3 Capital Requirements for Insurance Brokers
CA-1.3.1
Bahrain insurance brokers must maintain at all times the greater of:
(a) A minimum net assets value of BD 50,000;
(b) 4% of fiduciary liabilities; and
(c) 4% of annual income from global insurance broking activities.
Amended: April 2012
January 2007
CA-1.3.1A
For semi-annual reporting under Form IBRS (see Section BR-1.4A), with regards to Subparagraph CA-1.3.1(c), the calculation of the annual income must be done on a moving average year basis. As an example, for the reporting period ending 30th June 2011, annual income from global insurance broking activities covers the period of 1st July 2010 to 30th June 2011.
Added: April 2012
CA-1.3.1B
Notwithstanding the requirements in Paragraph CA-1.3.1, insurance aggregators are required to maintain at all times a minimum net assets value of BD 25,000 and adequate liquid funds representing 25% of operating expenses incurred in the preceding financial year at all times in the form of cash or liquid assets that can be converted to cash in the short-term to cover its operating expenses.
Added: April 2023
CA-1.3.2
There are no minimum capital and net asset requirements for overseas insurance brokers. However, for overseas insurance brokers, financial statements of the parent company must be submitted to the CBB for review, in order to assess the financial stability of the group on a global basis.
Amended: January 2007
CA-1.3.3
For purposes of Paragraph CA-1.3.1, global insurance broking activities refers to annual income of a Bahrain incorporated brokerage firm including any income being generated by any of the firm's brokerage subsidiaries and/or branches operating in other jurisdictions.
Amended: January 2007
CA-1.3.4
In respect of licensees who were carrying out activities that fall within the definition of the regulated activity of insurance broker prior to 1 April 2005, the requirements of Paragraph CA-1.3.1 will apply from 1 January 2007 (refer to ES-2.4.2 for transition rules).
Amended: January 2007
CA-1.3.5
For the purposes of this section, 'net assets' means the excess of assets over liabilities. The minimum net assets value is to be determined by excluding all intangible assets and in accordance with accounting principles generally accepted in Bahrain.
Amended: January 2007
CA-1.3.6
The value of debtors taken into account as assets available to support financial requirements must not exceed the amount which the insurance broker expects to receive net of any significant costs associated with making the recovery.
CA-1.3.7
Insurance brokers must make adequate provisions for any debts which are unlikely to be received or recovered from the debtors.
CA-1.4 Capital Requirements for Insurance Consultants and Insurance Managers
CA-1.4.1
Insurance consultants and insurance managers must possess financial resources commensurate with the scale and nature of their insurance consultancy or management activities.
Amended: January 2007
CA-1.4.2
In determining the adequacy of the financial resources of insurance consultants and insurance managers, the CBB will consider, amongst other things:
(a) The volume of business undertaken by the licensee;
(b) The licensee's capacity to meet its financial obligations towards all clients in a timely and professional manner; and
(c) The licensee's future business plans considering the capital available to meet all obligations and additional sources of capital when and if required.
Amended: January 2007
CA-1.4.3
There are no minimum capital and net assets requirements applicable to insurance consultants and insurance managers. However, Section AU-2.5 (Licensing Conditions: Financial Resources) requires all licensees to maintain adequate financial resources and to conduct their business in a prudent manner.
CA-2 Solvency Margin Requirements
CA-2.1 Solvency Margin Requirements
CA-2.1.1
Every Bahraini insurance firm must calculate a required solvency margin in accordance with the requirements in this Chapter. The solvency margin must include the operations of all branches of the insurance firm, whether these undertake operations within Bahrain or in another jurisdiction.
Amended: January 2007
Amended: October 2007
CA-2.1.2
Every overseas insurance firm, other than a pure reinsurer, must calculate a 'Bahrain Required Solvency Margin' in accordance with the requirements in this Chapter.
Amended: October 2007
CA-2.1.3
All overseas insurance firms, including pure reinsurers, must provide an equivalent or substantially equivalent solvency margin calculation, submitted to a supervisor in another jurisdiction for the company as a whole, in accordance with Chapter CA-7. In instances where pure reinsurers are not subject to supervisory requirements in another jurisdiction, they must calculate a Required Solvency Margin in accordance with this Chapter for the company as a whole.
Amended: January 2007
Amended: October 2007
CA-2.1.4
For insurance firms licensed prior to 1 April 2005 and allowed to carry on both long-term insurance business and general insurance business (refer to Paragraph AU-1.1.15), the insurance firm must calculate a separate Required Solvency Margin or a Bahrain Required Solvency Margin in respect of the two different types of insurance business and maintain separate solvency margins.
Amended: January 2007
Amended: October 2007
Minimum Fund
CA-2.1.5
For the purposes of this Module 'minimum fund' means for:
(a) Category 1 Insurer: BD 300,000;
(b) Category 2 Insurer: BD 500,000;
(c) Category 3 Insurer: BD 400,000;
(d) Category 4 Insurer: The relevant minimum fund for Category 1 or 2 (depending on the type of general business underwritten) PLUS the Category 3 minimum. These amounts are to be maintained separately by the insurance firm;
(e) Category C1 Insurer: BD 75,000; and
(f) Category C2 Insurer: BD 300,000.
Amended: January 2007
CA-2.1.6
For purposes of Paragraph CA-2.1.5, the following definitions apply:
(a) Category 1 insurer: an insurance firm whose license is limited to any of the following types of insurance: fire; damage to property; and miscellaneous financial loss;
(b) Category 2 insurer: an insurance firm whose license includes any of the following types of insurance: marine cargo and marine hull; aviation; motor; engineering; liability; and any other general insurance class not specifically mentioned. These may only be in addition to any Category 1 activities;
(c) Category 3 insurer: an insurance firm whose license includes any of the following types of insurance: life insurance of all types; personal accident whose term is over 1 year; and savings fund accumulation insurance;
(d) Category 4 insurer: an insurance firm, licensed prior to 1 April 2005 and whose license includes any of the types of insurance specified in Category 3 and in Category 1 or 2, or both;
(e) Category C1 insurer: an insurance firm whose business is restricted to insuring only the insurance risks (other than liability risk) of its shareholder(s) or those of subsidiary or associated companies of its shareholder(s); and
(f) Category C2 insurer: an insurance firm whose business is restricted to insuring only the risks of its shareholder(s) or of subsidiary or associated companies of its shareholder(s) and whose business may include liability risks, subject to the CBB being satisfied that the activity, capital structure and management provide sufficient protection to potential third party claimants.
Amended: January 2007
Calculation of Solvency Margin
CA-2.1.7
The Required Solvency Margin to be calculated by an insurance firm subject to any of the requirements in Paragraphs CA-2.1.1 to CA-2.1.4 must be determined:
Amended: January 2007
CA-2.1.8
The Bahrain Required Solvency Margin for overseas insurance firms must be calculated by applying Paragraph CA-2.1.7, but only to business booked in the Bahrain overseas insurance firm.
Amended: January 2007
CA-2.1.8A
The Required Solvency Margin for companies whose business is limited to reinsurance, except for reinsurance of linked business, is to be calculated in accordance with Paragraph CA-2.1.12.
Adopted: January 2007
Long-term Insurance Business
CA-2.1.9
For long-term insurance business the solvency margin must be determined by taking the aggregate of the results arrived at by applying the calculations described in Paragraph CA-2.1.10 ('the mathematical reserves basis calculation') and Paragraph CA-2.1.11 ('the capital sum at risk basis calculation'). Where the aggregate falls below the minimum fund, it must be substituted by the amount of the minimum fund.
Amended: January 2007
CA-2.1.10
The mathematical reserves are defined as the provision made by an insurer to cover liabilities (excluding liabilities which have fallen due) arising under or in connection with long-term insurance business. The mathematical reserves basis calculation for:
(a) Traditional long-term insurance business must be either 2% of mathematical reserves before deduction for reinsurance cessions or 4% of mathematical reserves after deduction for reinsurance cessions, whichever produces the higher result;
(b) The mathematical reserves basis calculation for linked long-term insurance business where the company bears an investment risk must be as in Subparagraph CA-2.1.10 (a); and
(c) The mathematical reserves basis calculation for linked long-term insurance business where the company bears no investment risk must be either 0.5% of mathematical reserves before deduction for reinsurance cessions or 1% of mathematical reserves after deduction for reinsurance cessions, whichever produces the higher result.
No negative value can be used as the mathematical reserve under any policy.
Amended: January 2007
CA-2.1.11
The capital sum at risk is defined as the benefit amounts payable as a consequence of the happening of the contingency covered by the policy contract less the mathematical reserves in respect of the relevant contract. The capital sum at risk calculation is the greater of:
(a) 0.15% of the capital sum at risk before deduction for reinsurance cessions; or
(b) 0.30% of the capital sum at risk after deduction for reinsurance cessions.
In either case no negative value can be used as the capital sum at risk under any policy.
Amended: January 2007
General Insurance Business
CA-2.1.12
For general insurance business, the solvency margin must be determined by taking the higher of the two results arrived at by applying the calculations described in Paragraph CA-2.1.13 ('the premium basis calculation') and Paragraph CA-2.1.14 ('the claim basis calculation'). Where the higher of the two results falls below the minimum fund, it must be substituted by the amount of the minimum fund.
Amended: January 2007
CA-2.1.13
The premium basis calculation for general insurance business is determined by applying the following formula:
Gross Premium Written × Reinsurance Allowance × Risk Factor (for each class of business)
Where:
Gross Premium Written = Premium written in the financial year (or annualised where the financial year is other than 12 months)
Reinsurance Allowance (Premium basis) (calculated on total business) = the higher of 0.5 or (Total Net Premium Written / Total Gross Premium Written)
Risk Factor =

| Class of insurance | Risk Factor (general insurance) | Risk Factor (Category C1 captive) | Risk Factor (Category C2 captive) |
|---|---|---|---|
| (a) Fire | 15% | 12% | 12% |
| (b) Damage to property | 15% | 12% | 12% |
| (c) Miscellaneous financial loss | 15% | 12% | 12% |
| (d) Marine cargo, marine hull | 20% | 20% | 20% |
| (e) Aviation | 20% | 20% | 20% |
| (f) Motor | 20% | 20% | 20% |
| (g) Engineering | 20% | 20% | 20% |
| (h) Liability | 20% | 20% (Category C2) | 20% |
| (i) Medical (short term ≤ 1 year) | 20% | 20% | 20% |
| (j) Other | 20% | 20% | 20% |

Amended: January 2007
CA-2.1.14
The claim basis calculation for general insurance business is determined by applying the following formula:
Average Gross Claims Incurred in the reference period × Reinsurance Allowance × Risk Factor (for each class of business)
Where:
Average Gross Claims Incurred = Gross Claims Incurred in the reference period (see CA-2.1.15) divided by the number of years covered by the reference period (or annualised where any financial year in the reference period is other than 12 months)
Reinsurance Allowance (Claim basis) (calculated on total business) = the higher of 0.5 or (Total Average Net Claims Incurred in the reference period / Total Average Gross Claims Incurred in the reference period)
Risk Factor =

| Class of insurance | Risk Factor |
|---|---|
| (a) Fire | 20% |
| (b) Damage to property | 20% |
| (c) Miscellaneous financial loss | 20% |
| (d) Marine cargo, marine hull | 25% |
| (e) Aviation | 25% |
| (f) Motor | 25% |
| (g) Engineering | 25% |
| (h) Liability | 25% |
| (i) Medical (short term ≤ 1 year) | 25% |
| (j) Other | 25% |

Amended: January 2007
CA-2.1.15
For the purposes of Paragraph CA-2.1.14 the reference period for all classes of business must be the three most recent financial years up to and including the current financial year. In instances where the insurance firm has been in business for less than three years, the claims basis calculation shall be equal to 0.
CA-3 Long-Term Insurance Business
CA-3.1 Long-Term Insurance Business
CA-3.1.1
Where an insurance firm carries on long-term insurance business, including traditional long-term insurance business or linked long-term insurance business or both:
(a) It must maintain a separate account and separate books of accounts in respect of each kind of business and unit fund; and
(b) The receipts of each kind of business must be entered in the account maintained for that business and must be carried to and form a separate long-term insurance fund with an appropriate name.
Amended: October 2009
Amended: October 2007
Amended: January 2007
CA-3.1.1A
Where the bonus policy of the with-profits business explicitly mentions that the profit (or bonuses) are determined by the performance of the life fund, separate accounting for such funds must be maintained.
Adopted: October 2009
CA-3.1.1B
The requirement in Paragraph CA-3.1.1A is to ensure that sources of profits arising from the with-profits block of business will be distributed according to the agreed profit sharing mechanisms (which may include a proportion to the shareholders) and sources of profits arising purely from non-profits business will be allocated to shareholders.
Adopted: October 2009
CA-3.1.2
An insurance firm which carries on long-term insurance business or linked long-term insurance business must maintain such accounting and other records as are necessary for identifying:
(a) The assets representing the fund maintained by it under Paragraph CA-3.1.1 above; and
(b) The liabilities attributable to each kind of business which it carries on.
Amended: January 2007
CA-3.1.3
Other than the explicit exceptions included in Paragraphs CA-3.1.4 and CA-3.1.5 of this Module, an insurance firm's long-term insurance business assets must only be applied for the purposes of its long-term insurance business and must not be made available for any other purpose of the insurance firm. This does not however prevent the reimbursement of expenditure borne by other assets (in the same or the preceding financial year) in discharging liabilities wholly or partly attributable to the long-term insurance business.
Amended: January 2007
CA-3.1.4
Where an actuarial investigation shows that the value of the long-term insurance business assets exceeds the amount of the liabilities attributable to the long-term insurance business, the restriction does not apply to those assets that represent the excess.
Amended: January 2007
CA-3.1.5
Paragraph CA-3.1.3 above does not prevent an insurance firm from exchanging, at fair market value, long-term insurance business assets for other assets of the insurance firm.
Amended: January 2007
CA-3.1.6
A long-term insurance firm must not enter into a financial transaction, and must take reasonable steps to ensure that any subsidiary company or associate company does not enter into such a transaction, with any related party where the aggregate of the value of any assets and liabilities arising out of such transactions exceeds 5% of the total amount standing to the credit of the insurer's long-term insurance funds.
Amended: January 2007
CA-3.1.7
An insurance firm which carries on long-term insurance business in Bahrain must have adequate arrangements for securing that transactions affecting assets of the insurance firm (other than transactions outside of its control) do not operate unfairly between the long-term insurance fund or funds and the other assets of the insurance firm or, in a case where the insurance firm has more than one 'identified fund', between those funds.
Amended: January 2007
CA-3.1.8
An identified fund means assets representing the insurance firm's receipts from a particular part of its long-term insurance business that can be identified as such by virtue of accounting or other records maintained by the insurance firm.
Amended: January 2007
CA-3.1.9
Where the CBB imposes a financial penalty on an insurance firm or requires an insurance firm to compensate policyholders for any wrongful act of the insurance firm (including any wrongful act committed by an appointed representative of the insurance firm) it must not pay that compensation or financial penalty from any long-term insurance fund. Such penalties can only be paid out of the shareholder (or company) fund.
Amended: January 2007
CA-4 Valuation and Admissibility of Assets
CA-4.1 General Requirements
CA-4.1.1
The Asset Valuation Rules, being the Linked Asset Valuation Rules and/or General Asset Valuation Rules, as appropriate, relate to the determination of the value of all the assets of an insurance firm subject to this Chapter.
Amended: January 2007
CA-4.1.2
Assets not covered in this Chapter are deemed to be inadmissible assets for purposes of calculating the capital available required under Paragraph CA-1.2.21 and their admissible value is deemed to be nil.
Amended: January 2007
CA-4.1.3
Where an insurance firm has entered into any insurance contracts that are classified as a linked long term insurance business the value of the linked assets to the extent that they are held to match liabilities in respect of such business must be determined in accordance with the Linked Asset Valuation Rules (Paragraphs CA-4.3.1 to CA-4.3.4).
Amended: January 2007
CA-4.1.4
All other assets of an insurer subject to this Chapter must be valued in accordance with the General Asset Valuation Rules (Paragraphs CA-4.2.1 to CA-4.2.36).
Amended: January 2007
CA-4.1.5
Where in all the circumstances of the case, any asset is actually of a lesser value than the amount calculated in accordance with prescribed Rules (that is either assets subject to the General Asset Valuation Rules or the Linked Asset Valuation Rules) such lesser value must be taken to be the value of the asset.
Amended: January 2007
CA-4.1.6
The admissibility of assets for purposes of the General Asset Valuation Rules is determined based on the category of asset held and the counterparty.
Amended: January 2007
CA-4.1.7
An insurance firm must ensure that its liabilities under a contract of insurance, other than linked long-term business, are covered by assets of appropriate safety, yield and marketability having regard to the classes of business carried on by the insurance firm.
Amended: January 2007
CA-4.1.8
Without prejudice to Paragraph CA-4.1.7, an insurance firm must ensure that:
(a) Excessive reliance is not placed on reinsurance or any particular reinsurer; and
(b) That its investments are appropriately diversified, adequately spread and that excessive reliance is not placed on investments of any particular category, description, type or counterparty.
Amended: January 2007
CA-4.2 General Asset Valuation Rules
Asset Limits per Category of Assets
Investments in Non-Insurance Subsidiaries and Associates
CA-4.2.1
Investments in subsidiaries and associates that are not carrying out regulated insurance services as defined in Chapter AU-1.4, must be valued at an amount not exceeding the insurance firm's proportionate share of the subsidiary's or associate's net asset value, determined as if that subsidiary or associate applied these Rules in determining its net asset value.
Amended: January 2007
CA-4.2.2
The net asset value determined in Paragraph CA-4.2.1 must be reduced for any amounts that cannot be made available to the insurance firm in the ordinary course of business. This includes but is not limited to:
(a) Required solvency margins, base capital requirements or any other amounts required to be maintained in order to comply with regulatory requirements applicable to the subsidiary or associate in Bahrain or any other jurisdiction. This restriction applies to any subsidiary or associate (including banks and investment firms) subject to regulation in any jurisdiction;
(b) Assets subject to currency control restrictions; and
(c) Surplus assets in long-term insurance funds, as these assets belong to the long term policyholders.
Amended: January 2007
CA-4.2.3
Where a subsidiary or associate carries on a regulated activity either in Bahrain or any other jurisdiction, an insurance firm may, with the consent of the CBB, determine the net asset value of that subsidiary or associate (as specified in Paragraph CA-4.2.1) in accordance with the Rules applicable in the jurisdiction where that subsidiary or associate has both its head office and principal supervisor.
Amended: January 2007
CA-4.2.4
In determining the net asset value of a subsidiary or associate (as specified in Paragraph CA-4.2.1) where that subsidiary or associate is not carrying out regulated insurance services, if the value of any single asset under Paragraph CA-4.2.1 exceeds 5% of the insurance business amount, the admissible value of the said asset for the purpose of this Paragraph must be restricted to 5% of the insurance business amount.
Amended: January 2007
Real Estate Assets
CA-4.2.5
Real estate assets such as land and buildings must be valued at market value as assessed by an independent qualified valuer at a date no earlier than 3 years from the end of the financial year under consideration. An insurance firm may elect to use book value where that value is less than market value; however, where no proper valuation exists the value is deemed by this Module to be nil.
Amended: January 2007
CA-4.2.6
If the value of any single asset under Paragraph CA-4.2.5 exceeds 10% of the insurance business amount, the admissible value of the said asset for the purpose of this Paragraph must be restricted to 10% of the insurance business amount.
CA-4.2.7
The 10% admissibility test of Paragraph CA-4.2.6 is to be applied in total to both land and building, in instances where the realisable value of the asset is dependent on both the land and the building.
Debt Securities
CA-4.2.8
Debt securities (both fixed and variable interest securities) issued by, or guaranteed by, governments rated investment grade, or public authority with investment grade security must be valued at:
(a) In the case of listed securities, the closing market quotation or the latest available market quotation;
(b) In the case of securities which are not transferable, the amount payable on surrender or redemption of such securities as at the date the security is being valued; and
(c) In any other case, the amount which would reasonably be paid by way of consideration for an immediate transfer or assignment thereof.
Amended: January 2007
CA-4.2.9
There are no admissibility restrictions for fixed and variable interest securities meeting the requirements of Paragraph CA-4.2.8. However, admissibility restrictions pertaining to counterparties may apply (CA-4.2.33).
Amended: January 2007
CA-4.2.10
Debt securities (both fixed and variable interest securities) not covered by Paragraph CA-4.2.8 must be valued at:
(a) In the case of listed securities, the closing market quotation;
(b) In the case of securities which are not transferable, the amount payable on surrender or redemption of such securities as at the date the security is being valued; and
(c) In any other case, the amount which would reasonably be paid by way of consideration for an immediate transfer or assignment thereof.
Amended: January 2007
CA-4.2.11
If the value of debt securities, other than those to which Paragraph CA-4.2.8 relates, (both fixed and variable interest securities), which are listed securities, in any one company together with its associated companies exceeds 5% of the insurance business amount, the admissible value of the said assets for the purpose of this Chapter must be restricted to 5% of the insurance business amount.
Amended: January 2007
CA-4.2.12
For debt securities (both fixed and variable interest) which are not listed securities, if the value of those securities in any one company together with its associated companies exceeds 1.0% of the insurance business amount the admissible value of the said assets for the purpose of this Chapter must be restricted to 1.0% of the insurance business amount.
Amended: January 2007
Equity Shares
CA-4.2.13
Equity shares that are listed securities must be valued on the closing market quotation or the latest available market quotation.
Amended: January 2007
CA-4.2.14
If the value of equity shares, that are listed securities, in any one company together with its associated companies exceeds 5% of the insurance business amount the admissible value of the said assets for the purpose of this Chapter must be restricted to 5% of the insurance business amount.
Amended: January 2007
CA-4.2.15
Equity shares that are not listed securities must be valued at the lower of:
(a) The carrying value of these shares on the books of the insurance firm;
(b) 75% of the net asset value for each share owned by the insurance firm (based on the most recently available financial information); and
(c) The amount which would reasonably be paid by way of consideration for an immediate transfer or assignment of the investment.
Amended: January 2007
CA-4.2.16
If the value of equity shares, that are not listed securities, in any one company together with its associated companies exceeds 1.0% of the insurance business amount, the admissible value of the said assets for the purpose of this Chapter must be restricted to 1.0% of the insurance business amount.
Amended: January 2007
Unit Trust or Mutual Funds
CA-4.2.17
Where the issuer can be required to purchase the units or other beneficial interests from the holder upon the holder giving notice of one month or less and the value of the holdings or other beneficial interests in any one unit trust or mutual fund exceeds 5.0% of the insurance business amount, the admissible value of the said assets for the purpose of this Chapter must be restricted to 5.0% of the insurance business amount.
Amended: January 2007
CA-4.2.18
Where the issuer is not required to purchase the units or other beneficial interests from the holder upon the holder giving notice of one month or less and the value of the holdings or other beneficial interests in any one unit trust or mutual fund exceeds 1.0% of the insurance business amount, the admissible value of the said assets for the purpose of this Chapter must be restricted to 1.0% of the insurance business amount.
Amended: January 2007
Traded Derivative Contract
CA-4.2.19
A traded derivative contract that is a listed security, for a share or a debenture must be valued at the closing market quotation, and otherwise at the amount which would reasonably be paid by way of consideration for an immediate transfer or assignment thereof. If the value of the contracts in any one company or its connected companies exceeds 0.1% of the insurance business amount, the admissible value of the said assets for the purpose of this Chapter must be restricted to 0.1% of the insurance business amount.
Amended: January 2007
Loan
CA-4.2.20
A loan secured by a policy of insurance issued by the company must be valued as the amount of the loan but not exceeding the amount payable on a surrender of the policy as at the date the policy is being valued.
CA-4.2.21
A loan to an individual or an unincorporated body of persons shall be valued at the lower of the outstanding amount of the loan and the amount that would reasonably be paid by way of consideration for an immediate assignment of the loan together with the benefit of any security held in respect thereof.
CA-4.2.22
Where Paragraph CA-4.2.21 applies and the loan to any one individual or unincorporated body of persons is fully secured on assets whose value at least equals the amount of the loan and the loan exceeds 5% of the insurance business amount, the admissible value of the secured loan for the purpose of this Chapter must be restricted to 5% of the insurance business amount.
CA-4.2.23
Where Paragraph CA-4.2.21 applies and the loan to any one individual or unincorporated body of persons is not fully secured on assets whose value at least equals the amount of the loan and the loan exceeds 1% of the insurance business amount, the admissible value of the unsecured loan for the purpose of this Chapter must be restricted to 1% of the insurance business amount.
Other Assets
CA-4.2.24
Deposits and current account balances with approved financial institutions must be valued at their full face value. The admissible value of these assets is their face value.
CA-4.2.25
Amounts due under contracts of insurance and reinsurance (either ceded or accepted), including salvage and subrogation rights, must be valued at the amounts that can reasonably be expected to be recovered. The exceptions being:
(a) All debts (net of provisions) which have been due for more than 6 months, in which case they must be valued at nil;
(b) Advance commission paid to intermediaries which must be valued at nil; and
(c) Amounts that pertain to a subsidiary or associate of the insurance firm must be valued in accordance with Paragraph CA-4.2.4 above.
Amended: April 2014
Amended: October 2007
Amended: January 2007
CA-4.2.25A
The value of unearned reinsurance premiums is the value as determined in accordance with generally accepted accounting concepts, bases and policies or other generally accepted methods appropriate to insurance firms.
Inserted: October 2008
CA-4.2.26
In the case of general insurance business, the value of deferred acquisition costs is the value as determined in accordance with generally accepted accounting concepts, bases and policies or other generally accepted methods appropriate to insurance firms.
Amended: January 2007
CA-4.2.27
The admissible value of any cash holding is its face value.
CA-4.2.28
Office machinery, furniture, motor vehicles, computer and other equipment belonging to the company must be valued at an amount not greater than its book value. If the value of office machinery, furniture, motor vehicles, computer and other equipment exceeds 3% of the insurance business amount the admissible value of the said assets for the purpose of this Chapter must be restricted to 3% of the insurance business amount.
Amended: January 2007
CA-4.2.29
Life interests, reversionary interests and similar interests in property must be valued as the amount which would reasonably be paid by way of consideration for an immediate transfer or assignment thereof.
CA-4.2.30
Investments, except investments that are specifically covered above, must be valued in accordance with this Paragraph:
(a) If the investment is due, or will become due, within twelve months from the date at which the investment is being valued at (or would become so due if the company exercised some right), the amount which can reasonably be expected to be recovered in respect of the investment, taking due account of any security held in respect thereof;
(b) Otherwise, the amount that would reasonably be paid by way of consideration for an immediate assignment of the debt together with the benefit of any security held in respect thereof.
Amended: January 2007
CA-4.2.31
Where Paragraph CA-4.2.30 applies to an investment in any one individual or unincorporated body of persons and the aggregate value of those investments (for that individual or unincorporated body of persons valued in accordance with Paragraph CA-4.2.30) exceeds 1% of the insurance business amount, the admissible value of those investments for the purpose of this Chapter must be restricted to 1% of the insurance business amount.
Amended: January 2007
CA-4.2.32
Where Paragraph CA-4.2.30 applies to an investment in any one company and the aggregate value of those investments (for that company valued in accordance with Paragraph CA-4.2.30) exceeds 2.5% of the insurance business amount the admissible value of those investments for the purpose of this Chapter must be restricted to 2.5% of the insurance business amount.
Amended: January 2007
Counterparty Exposure Limits
CA-4.2.33
The admissible value for counterparty exposure limit is:
(a) Where the counterparty is an individual or an unincorporated body of persons, 5% of the insurance business amount;
(b) Where the counterparty is a government of a jurisdiction, other than a Zone A Country, GCC country, the Kingdom of Bahrain and any other jurisdiction approved by the CBB, the jurisdiction together with all the public bodies, local authorities or nationalised industries of that jurisdiction, 10% of the insurance business amount;
(c) Where the counterparty is a body corporate or group, and:
    (i) The counterparty is an approved financial institution, 25% of the insurance business amount or BD 1.5 million, whichever is the larger for all exposures including short term (3 months or less) deposits;
    (ii) The counterparty is an approved financial institution, 10% of the insurance business amount or such lower amount as the insurance firm may decide for all exposures other than short term deposits; and
    (iii) The counterparty is not an approved financial institution, 10% of the insurance business amount for all exposures to that counterparty.
Amended: April 2012
Amended: January 2007
CA-4.2.34
For the purposes of Section CA-4.2, 'insurance business amount' means 'general insurance business amount' or 'long-term insurance business amount' as follows:
(a) In terms of general insurance business, the general insurance business amount is the value of the insurance firm's assets (other than long-term insurance business assets) and excluding reinsurance recoveries as determined in accordance with Chapter CA-4; and
(b) In terms of long-term insurance business, the long-term insurance business amount is the value of the insurance firm's assets (other than those relating to general insurance business) and excluding reinsurance recoveries and assets required to match property-linked liabilities in accordance with Chapter CA-4.
Amended: January 2007
CA-4.2.35
For purposes of Paragraph CA-4.2.34, the value of an insurance firm's assets refers to the valuation assigned in this section, but does not refer to the admissible value of these assets, i.e. after adjusting for category limits and counterparty limits.
Amended: January 2007
Amended: October 2007
CA-4.3 Linked Asset Valuation Rules
CA-4.3.1
Assets to the extent that they are held to match liabilities in respect of linked long-term insurance must comprise of no other types of property of any description other than property meeting the descriptions set out in Paragraph CA-4.3.2 of this Module.
Amended: January 2007
CA-4.3.2
Assets used to match linked long-term insurance liabilities must fall in one of the following categories:
(a) Real estate assets such as land and buildings (including any interest in land and buildings) each piece individually not exceeding 5% of linked long-term assets and 20% in aggregate;
(b) Listed securities which are readily realisable, other than securities which are:
    (i) Loans or deposits of the kinds mentioned in (c) or (d); and
    (ii) Derivative contracts;
(c) Loans which are fully secured by mortgage or charge on land (or any interest in land) each loan individually not exceeding 5% of linked long-term assets and 20% in aggregate and in relation to which the rate of interest and the due dates for the payment of interest and the repayment of principal can be fully ascertained from the terms of any agreement relating to the loan;
(d) Loans to or deposits with an approved financial institution;
(e) Holdings or other beneficial interests in unit trusts or mutual/managed funds which satisfies the following conditions:
    (i) The property of the fund comprises property only consisting of the descriptions in this section;
    (ii) The units are readily realisable at a price which represents the net value per unit of the assets and liabilities of the fund; and
    (iii) The price at which the units may be bought and sold is published regularly;
(f) Cash; and
(g) Income due, or to become due, in respect of property of any of the descriptions in this section.
Amended: April 2012
Amended: January 2007
CA-4.3.3
All of the property described in Paragraph CA-4.3.2 must either be classified as 'Available for sale investments' and valued in accordance with International Accounting Standards or valued at their fair market value.
Amended: January 2007
CA-4.3.4
The fair market value of real estate assets held as linked long-term insurance assets must be the market value as assessed by an independent qualified valuer at a date no earlier than 12 months from the end of the most recent financial year.
Amended: January 2007
CA-5 Valuation of Liabilities
CA-5.1 Valuation of Liabilities
CA-5.1.1
The Valuation of Liabilities Rules apply with respect to the determination of the amount of liabilities of an insurance firm.
Amended: January 2007
CA-5.1.2
Subject to the specific provisions of this Chapter, the amount of liabilities of an insurance firm in respect of its long-term insurance business, general insurance business and any other activities directly arising from that business must be determined in accordance with generally accepted accounting and actuarial concepts, using generally accepted methods appropriate for insurance firms.
Amended: January 2007
CA-5.1.2A
Where an insurance licensee writes long term insurance with guaranteed level premiums, the reserving and solvency requirements must follow the requirements for long term insurance. However, where a life policy or an extension of a life policy has a policy term of less than or equal to one year, the valuation of these liabilities should follow the requirements of Paragraph CA-5.1.3 to CA-5.1.10.
Adopted: October 2009
General Insurance Business
CA-5.1.3
The amount of insurance liabilities that are general insurance business liabilities must be determined in accordance with International Accounting Standards applicable to insurance business or until such a standard or standards come into effect, with the provisions of Paragraphs CA-5.1.4 to CA-5.1.10.
Amended: January 2007
CA-5.1.4
Unearned premiums and unearned commission income in respect of the general insurance business must be calculated by a method which has due regard to the period of the policy and the incidence of risk throughout that period. Time apportionment of the premium over the period of policy cover is normally appropriate unless there is a marked unevenness in the incidence of risk over that period, in which case a basis which reflects the profile of risk must be used.
Amended: January 2007
CA-5.1.5
Where a time apportionment method is used that method must be at least as accurate as the '24ths basis' of premium income recognition, except for reinsurers for which transactions are only recorded every quarter where the method used must be at least as appropriate as the 1/8th basis. Where a time apportionment method is deemed inappropriate due to uncertainty in the period of insurance, such as for marine cargo, the method used must be disclosed in the actuarial report required as per Chapter AA-4.
Amended: October 2009
CA-5.1.6
Unearned reinsurance premiums ceded must be calculated on the basis of the principles specified in Paragraphs CA-5.1.4 and CA-5.1.5.
CA-5.1.7
Unexpired risk reserves (URR) should be calculated as the prospective estimate of expected future payments arising from future events insured under policies in force as at the valuation date and also include allowance for the insurance firm's expenses including overheads and cost of reinsurance, expected to be incurred during the unexpired period in administering these policies and settling the relevant claims, and must allow for any expected future premium refund. Where the unearned premium less unearned commission calculated in Paragraphs CA-5.1.4 to CA-5.1.6 above is less than the unexpired risk reserves, the company must set up a suitable additional provision for unexpired risks to cover this deficiency (premium deficiency). This premium deficiency provision must be calculated at a prudent level.
Amended: October 2009
Amended: January 2007
CA-5.1.7A
In calculating the URR as required under Paragraph CA-5.1.7, the actuary report must clearly disclose if the URR has been calculated on an individual class basis or on total company basis and must justify the approach taken in the adopted method.
Adopted: October 2009
CA-5.1.8
Provision must be made for the expected ultimate cost of settlement of all claims incurred in respect of events up to that date, whether reported or not, together with related claims handling expenses, less amounts already paid. This provision should be calculated at a prudent level. This should include a provision for claims reported, claims incurred but not reported (IBNR), claims incurred but not enough reserved (IBNER) and direct and indirect claims handling expenses such as investigation fees, loss adjustment fees, legal fees, labour charges and the expected internal costs that the insurer expects to incur when settling these claims. If a liability is known to exist but there is uncertainty as to its eventual amount, a provision should nevertheless be made.
Amended: October 2009
Amended: January 2007
CA-5.1.8A
The IBNR includes the IBNER. The distinction between IBNR and IBNER is made for a consistent approach to matching of income and expenses.
Adopted: October 2009
CA-5.1.9
The level of claims provisions must be set such that:
(a) No adverse run-off deviation is envisaged;
(b) The provision is determined having regard to the range of uncertainty as to the eventual outcome for the category of business in question; and
(c) In circumstances where there exists considerable uncertainty concerning future events, a degree of caution is exercised such that liabilities are not understated.
(d) If it is less than the aggregate case-by-case provision for claims reported set up by the claims manager, the insurance firm must disclose in writing to the CBB the justification for such a release of reserves.
Amended: October 2009
Amended: January 2007
CA-5.1.10
In determining the sufficiency of evidence and the ability to measure claims costs, an insurance firm must take all reasonable steps to ensure that it has appropriate information with regard to its claims exposures.
Long-term Insurance Business
CA-5.1.11
The amount of insurance liabilities which are long-term insurance business liabilities must be determined in accordance with International Accounting Standards applicable to insurance business or until such a standard or standards come into effect, with the provisions of Paragraphs CA-5.1.12 to CA-5.1.33 below.
Amended: January 2007
CA-5.1.12
The determination of the amount of long-term liabilities (other than liabilities which have fallen due for payment before the valuation date) must be made on actuarial principles with due regard to the reasonable expectations of policyholders and must make proper provision for all liabilities on prudent assumptions with appropriate margins for adverse deviation of the relevant factors.
Amended: January 2007
CA-5.1.13
The determination must take account of all prospective liabilities as determined by the policy conditions for each existing contract, taking due credit for premiums payable after the valuation date.
CA-5.1.14
The determination must take into account all guarantees including but not limited to:
(a) Guaranteed benefits;
(b) Guaranteed surrender values;
(c) Guaranteed annuities or annuity options; and
(d) Any other guarantees, commitments or options however described that the insurance firm has contracted to provide to a policyholder.
Amended: January 2007
CA-5.1.15
The determination must take into account all bonuses contractually added to each policy.
CA-5.1.16
The determination must take into account expenses including commission.
CA-5.1.17
Subject to Paragraphs CA-5.1.18, CA-5.1.19 and CA-5.1.20, the amount of the long-term liabilities must be determined separately for each contract by a prospective calculation.
CA-5.1.18
A retrospective calculation may be applied to determine the liabilities where a prospective method cannot be applied to a particular type of contract or benefit.
CA-5.1.19
Where necessary, additional amounts must be set aside on an aggregated basis for general risks that are not individualised.
CA-5.1.20
The method of calculation of the amount of liabilities and the assumptions used must not be subject to discontinuities from year to year arising from arbitrary changes and must be such as to recognise the distribution of profits in an appropriate way over the duration of each policy.
CA-5.1.21
The distribution of surplus as bonus to participating policies must consider the level of premiums under these contracts, the assets held in respect of these contracts and the custom and practice of the company in the manner and timing of the distribution of profits.
CA-5.1.22
The liability under a contract (other than a linked long-term contract) must be calculated using the net premium valuation method using rates of interest and rates of mortality or morbidity considered appropriate by the actuary appointed as per the requirements of Paragraph AA-4.1.1, at a prudent level.
Amended: October 2009
Amended: October 2007
Amended: January 2007
CA-5.1.22A
The value of unit liabilities and non unit liabilities must be calculated separately for a unit linked policy. The value of unit liabilities is taken as the net asset value of the units at the valuation date. Non-unit liabilities must be valued by projecting future cash flows to ensure that all future outgoes can be met without recourse to additional capital support at any future time during the duration of the unit linked contracts at a prudent level.
Adopted: October 2009
CA-5.1.23
Other suitable alternative methods may be employed where it can be demonstrated that the alternative methods employed result in reserves no less, in aggregate, than would result from the net premium valuation method.
CA-5.1.24
In order to take account of the acquisition expenses, the net premium to be valued for the purpose of Paragraph CA-5.1.22 above may be increased by an amount not greater than the equivalent, taken over the whole period of premium payments and calculated according to the rates of interest and rate of mortality and morbidity employed in valuing the contract, of 3.5 percent of the relevant capital sum under the contract.
Amended: January 2007
CA-5.1.25
The increased net premium as computed in Paragraph CA-5.1.24 must not exceed the premium actually payable by the policyholder under the contract.
Amended: January 2007
CA-5.1.26
For the purposes of Paragraph CA-5.1.24 'relevant capital sum' means:
(a) The sum assured at the date of valuation for whole life assurances;
(b) The sum payable at the end of the contract term for endowment assurance contracts;
(c) The capitalised value of the annuity at the vesting date (or cash option if greater) for deferred annuities;
(d) The sum assured or the value of the fund for linked long-term contracts whichever is less notwithstanding (a) to (c) above, where the value of the fund means the aggregate of the value allocated to the contract in the form of units or any other measure and the total amount of premiums remaining to be paid over the term of the contract;
excluding in all cases any vested reversionary bonus and any capital sums for temporary assurances.
Amended: January 2007
CA-5.1.27
The rate of interest employed for the valuation must be determined prudently with due regard to the yield on the existing assets attributable to the life business as well as the yields expected to be obtained on sums to be invested in the future.
CA-5.1.28
The amount of the liability in respect of any category of contracts must, where relevant, be determined on the basis of prudent rates of mortality and morbidity which in the opinion of the actuary are appropriate for that category.
Amended: January 2007
Amended: October 2007
CA-5.1.29
Provision of expenses whether implicit or explicit must not be less than the amount required, on prudent assumptions, to meet the total cost that would be incurred in fulfilling the existing contracts if the company were to cease to transact new business twelve months from the valuation date. This provision must consider the company's actual expenses in the last twelve months before the valuation date and the expected level of inflation on future expenses.
CA-5.1.30
Provision must be made on prudent assumptions to cover any increase in liabilities caused by policyholders exercising options under their contracts including options for guaranteed cash payments.
Amended: January 2007
CA-5.1.31
The liability under a contract for life business must not be less than zero.
CA-5.1.32
No allowance must be made in the valuation for the voluntary discontinuance of any contract if the amount of liability so determined is less than the corresponding amount without the allowance for voluntary discontinuance.
CA-5.1.33
The determination of the amount of long-term liabilities must take into account the nature and term of the assets representing those liabilities and the value placed upon them and must include prudent provision against the effects of possible future changes in the value of the assets on:
(a) The ability of the company to meet its obligations arising under contracts for long-term business as they arise, and
(b) The adequacy of the assets to meet the liabilities as determined by this Chapter.
Amended: January 2007
CA-6 CA-6 Currency Matching and Localisation Requirements
CA-6.1 CA-6.1 Currency Matching and Localisation Requirements
CA-6.1.1
The provisions of this Chapter do not apply to:
(a) Insurance business carried on by an insurance firm outside Bahrain;
(b) Reinsurance business (unless it is facultative reinsurance written by an insurer who also carries on insurance business that is not reinsurance business); or
(c) To unit-linked business.
Amended: January 2007
Amended: April 2009
CA-6.1.2
Where an insurance firm's 'liabilities' in any particular currency exceed 10% of its total 'liabilities', the insurance firm must hold sufficient 'assets in that currency' to cover at least 80% of its 'liabilities' in that currency.
CA-6.1.3
For the purposes of Paragraph CA-6.1.2 'assets in that currency' is extended to include the currency itself (Currency A) and any other currency (Currency B) where Currency A is officially linked to Currency B.
Amended: January 2007
CA-6.1.4
Where an insurance firm carries on both long term insurance business and general insurance business, the requirements of Paragraph CA-6.1.1 apply to the 'assets' and 'liabilities' of each kind of business separately.
Amended: January 2007
CA-6.1.5
Where a contract of insurance expresses any 'liability' in terms of a particular currency, that 'liability' must be regarded as a 'liability' in that currency.
CA-6.1.6
For the purposes of the Rules in this Chapter:
(a) Assets means admissible assets valued in accordance with Chapter CA-4 General Assets Valuation Rules;
(b) Liabilities means provision, net of reinsurance recoveries, made by an insurance firm to cover liabilities arising under (or in connection with) contracts of insurance, excluding those liabilities exempted by Paragraph CA-6.1.1;
(c) References to assets in a currency (or similar expressions) are construed as references to 'assets' expressed in or capable of being realised (without exchange risk) in that currency; and
(d) An 'asset' is capable of being realised (without exchange risk) in a currency if it is reasonably capable of being realised in that currency without risk that changes in exchange rates would reduce the cover of 'liabilities' in that currency.
Amended: January 2007
Amended: October 2007
CA-6.1.7
The currency of an insurance firm's general insurance business liabilities must, for the purposes of Paragraph CA-6.1.2 be determined as follows:
(a) Where the 'liabilities' are not expressed as 'liabilities' in terms of a particular currency, they must be treated as 'liabilities' in the currency of the country in which the risk is situated or, if the insurance firm on reasonable grounds so decides, in the currency in which the premium payable under the contract is expressed;
(b) Where a claim has been notified to an insurance firm and the insurance firm's 'liability' in respect of that claim is payable in a currency other than one which would result from the application of the above provisions, the insurance firm must regard its 'liability' as a 'liability' in the currency in which the insurance firm is actually obliged to pay it;
(c) Where a claim is assessed in a currency that is known to the insurance firm in advance but which is different from a currency that would result from the application of the above provisions, the insurance firm may regard its 'liability' as a 'liability' in that currency.
Amended: January 2007
CA-6.1.8
'Assets' held pursuant to Paragraph CA-6.1.2 above must be held:
(a) If they cover 'liabilities' in Bahrain Dinars, in Bahrain;
(b) If they cover 'liabilities' in any other currency, in Bahrain or in the country of that currency, unless they cover liabilities in Bahrain in which case they must be held in Bahrain.
Amended: January 2007
CA-7 CA-7 Whole Firm and Group Solvency
CA-7.1 CA-7.1 Whole Firm and Group Solvency
CA-7.1.1
In addition to the capital adequacy and solvency requirements imposed on Bahraini insurance firms and overseas insurance firms, the CBB may require whole firm and/or group solvency information. The requirements under this Chapter apply to the following categories:
(a) Overseas insurance firms;
(b) Bahraini insurance firms with subsidiaries and branches, operating within Bahrain and/or in other jurisdictions; and
(c) Bahraini insurance firms that are subsidiaries and whose parent companies may or may not be an insurance firm.
Amended: January 2007
CA-7.1.2
Captive insurers are exempted from the requirements to report on their group solvency position.
Amended: January 2007
CA-7.1.3
As part of the requirements of the Group Insurance Firm Return (Form GIFR) referred to in Section BR-1.3, the CBB may require an insurance firm to provide:
(a) A statement of the consolidated financial position of any group of which the insurance firm is either the holding company, a subsidiary or a branch of that group; and
(b) A statement of the solvency margin that would be determined by this Module if the group identified in part (a) of this Rule were a Bahrain authorised insurance firm.
Amended: January 2007
CA-7.1.4
In considering the application of Paragraph CA-7.1.3, the CBB will take into account where the balance of the insurance business is undertaken. Where a high level of the business undertaken by the group is done from Bahrain, the requirements of CA-7.1.3 may apply.
Amended: January 2007
CA-7.1.5
The consolidated financial position referred to in Paragraph CA-7.1.3 must be determined on the basis that the assets and liabilities of that group are valued in accordance with the requirements of this Module.
CA-7.1.6
An insurance licensee subject to the requirements of Paragraph CA-7.1.3 may, with the consent of the CBB, provide equivalent or substantially equivalent solvency margin information submitted to a supervisor in another jurisdiction.
Amended: January 2007
CA-7.1.7
In addition to consolidated information on the group, for Bahraini insurance firms, aggregate information detailing the solvency requirements of the major insurance subsidiaries in the group must also be submitted to the CBB as part of the Group Insurance Firm Return.
Amended: January 2007
CA-7.1.8
Where the licensee's group or parent reports its own solvency position to its regulatory authority (on a group or 'solo' basis) a copy of this calculation must be provided to the CBB within 30 calendar days from the due date to the other regulatory authority, in accordance with Paragraph RM-8.1.6.
Amended: January 2007
CA-8 CA-8 Takaful and Retakaful
CA-8.1 CA-8.1 General Capital Requirements
CA-8.1.1
This Chapter of CA applies only to those firms licensed to conduct the regulated activity of Takaful and Retakaful.
Amended: January 2007
Amended: October 2008
CA-8.1.2
The specific Rules and Guidance in this Chapter are additional to Chapters CA-B to CA-7. The Rules and Guidance in Chapters CA-B to CA-7 apply to Takaful firms unless those Rules have been specifically modified or waived by this Chapter.
Amended: January 2007
Amended: October 2008
CA-8.1.3
The CBB acknowledges that Takaful/Retakaful insurance is different in some respects from conventional insurance. The specific Rules and Guidance set out in this Chapter aim to allow Takaful firms to operate in Bahrain within the CBB's insurance regulatory regime on a basis consistent with that imposed on conventional insurers. That is, the CBB's regulatory regime does not favour one form of insurance over another, allowing for both types of structures, Takaful and conventional, to operate in a competitive environment.
Amended: January 2007
Amended: October 2008
CA-8.1.4
For the purposes of applying the rules in Chapters CA-B to CA-7 to Takaful firms, references to 'long-term insurance business' should be read as 'family Takaful business' and 'general insurance business' should be read as 'general Takaful business'.
Amended: January 2007
Amended: October 2008
CA-8.2 CA-8.2 Basis of Operating a Takaful Business
Amended: October 2008
CA-8.2.1
All Takaful firms licensed in Bahrain must organise and operate their business according to the al Wakala model. Specifically, in exchange for the provision of management services to participants' fund(s), the shareholders of the Takaful firm must receive a specific consideration (Wakala fee). For the insurance assets invested on behalf of participants' funds, the Takaful operator must use the al Mudaraba model, and must receive a set percentage of the profits generated from the investment portfolio. No performance/incentive fees are allowed to be paid to the shareholders/Takaful operator of the Takaful firm; the only fees that can be paid are the Wakala fees and the set percentage of the profits generated from the investment portfolio.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.2.2
The Wakala fee charged in respect of a Takaful contract must be directly proportional to the costs associated with establishing and maintaining that contract. Both the Wakala and Mudaraba fees must be clearly disclosed to the participants of the Takaful fund(s).
Amended: April 2014
Amended: October 2008
Amended: January 2007
Wakala Fee
CA-8.2.2A
The Wakala fee must be a fixed upfront fee, which may be expressed as a percentage of contributions. The Wakala fee, once fixed, must not be adjusted during the reporting period, and must be clearly stated in the Takaful contract and agreed to by the participant.
Added: April 2014
CA-8.2.2B
The Wakala fee must cover the total sum of the following components:
(a) The management expenses;
(b) The distribution expenses including intermediaries' remuneration, agents' commission and other expenses involved in making Takaful products available to the public; and
(c) A reasonable and appropriate margin of operational profit.
Added: April 2014
CA-8.2.2C
The Takaful operator must ensure that the management and distribution expenses referred to under Paragraph CA-8.2.2B are paid from the shareholders' fund and not from the participants' fund(s).
Added: April 2014
CA-8.2.2D
The Wakala fee must be certified by the Takaful firm's actuary (see Paragraph AA-4.3A.2) and must be considered and subsequently approved by the Shari'a Supervisory Board.
Added: April 2014
CA-8.2.3
The Takaful operators must establish an equitable basis for determining the consideration charged for managing Takaful business.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.2.3A
In the case of general Takaful contracts, it would normally be expected that the fee would be the same for all contracts of a particular duration, risk and type. In the case of family Takaful contracts that may be in force for several years, it would normally be the case that the consideration in the initial years would be relatively high due to the costs of establishing the contract but be substantially lower in later years reflecting only the costs of maintaining the contract.
Added: April 2014
Mudaraba Fee
CA-8.2.4
For the insurance assets invested on behalf of the participants' fund(s), the Takaful operator collects a Mudaraba fee based on a fixed percentage of the net investment income from the fund and approved by the Shari'a Supervisory Board.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.2.4A
Net investment income noted in Paragraph CA-8.2.4 refers to gross investment income less any investment expenses, but excluding any Mudaraba fee paid to the Takaful operator.
Added: April 2014
Managing Operating Costs
CA-8.2.5
The Takaful operator must establish effective policies and procedures to manage the costs of the Takaful operations. In addition, the board of directors must ensure that effective controls are in place in order that the actual management and distribution expenses are in line with the Wakala fee and do not affect the viability of the Takaful operator.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.2.6
Only direct expenses related to claims or investments can be paid out of participants' fund(s). The direct expenses related to claims and investments, charged to the participants' fund(s) must be approved by the Shari'a Supervisory Board and must be limited to the amount of expenses incurred.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.2.7
The Shari'a Supervisory Board (SSB) is not expected to approve each and every claims related and/or investment related expense. However, the policy established dealing with the direct expenses related to claims and investments, charged to the participants' fund(s), should be approved by the SSB.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.2.8
Paragraphs CA-8.2.5 to CA-8.2.7 are transitional provisions to enable existing Takaful firms to discharge their obligations under pre-existing contracts according to the basis of operating the Takaful funds at the time participants entered into those contracts. Whilst it would be simpler to require all pre-existing contracts to be maintained in separate Takaful funds to those established for contracts written after these Rules come into effect, the CBB considers this may not be in the best interests of participants. It is for this reason that the transitional rules enable Takaful firms to either establish subfunds for pre-existing contracts or offer participants the option of switching their policies to the al Wakala model. Whilst ultimately it would be at the discretion of the Courts to decide, the CBB would generally be prepared to support Court applications as outlined in Paragraph CA-8.2.6 where more than 75% of participants (by number and value) had indicated their preparedness to switch to the al Wakala model.
Amended: January 2007
Amended: October 2008
CA-8.3 CA-8.3 Segregation of Funds
CA-8.3.1
Where an insurer carries out Takaful business:
(a) In the case of family Takaful business, it must comply with Chapter CA-3 of the Capital Adequacy Module;
(b) It must maintain separate books of account in respect of each kind of business;
(c) It must maintain any additional books of account required by this Module for either its general Takaful or family Takaful business; and
(d) The transactions relating to each kind of business must be maintained separately for that business and must be carried to and form a separate fund or funds.
Amended: January 2007
Amended: October 2008
CA-8.3.2
A Takaful firm must maintain such accounting and other records as are necessary for:
(a) Identifying the assets representing the fund or funds maintained by it under Paragraph CA-8.3.1 above for each kind of business that it carries on;
(b) Identifying the liabilities attributable to fund or funds maintained by it under Paragraph CA-8.3.1 above for each kind of business that it carries on; and
(c) Complying with the accounting standards established by the 'Accounting and Auditing Organisation for Islamic Financial Institutions' ('AAOIFI').
Amended: January 2007
Amended: October 2008
CA-8.3.3
Other than the explicit exceptions included in Paragraphs CA-8.3.4 and CA-8.3.5, a Takaful firm's assets allocated to the participants' fund(s) must only be applied for the purposes of the fund to which it is attributed as required by Paragraph CA-8.3.2 and must not be made available for any other purpose of the Takaful firm. This does not however prevent the reimbursement of expenditures borne by the shareholders (in the same or the preceding financial year) in discharging liabilities wholly or partly attributable to a fund or funds.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.3.4
Paragraph CA-8.3.3 does not apply to the payment of management fees by the fund or funds to the Takaful manager even where the manager is the shareholder provided that the Shari'a Supervisory Board has approved those fees.
Amended: January 2007
Amended: October 2008
CA-8.3.5
Paragraph CA-8.3.3 does not prevent a Takaful firm from exchanging, at fair market value, insurance business assets of any fund for other assets of the insurer including assets held by another fund or the shareholder.
Amended: January 2007
Amended: October 2008
CA-8.3.6
A Takaful firm which carries on insurance business in Bahrain must have adequate arrangements for securing that transactions involving assets of the Takaful firm (other than transactions outside its control) do not operate unfairly between any of the participants' fund(s) and the shareholder assets of the Takaful firm or, in a case where the Takaful firm has more than one 'identified fund', between those funds.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.3.7
Where the CBB imposes a financial penalty on a Takaful firm or requires a Takaful firm to compensate participants for any wrongful act of the firm (including any wrongful act committed by an appointed representative of the firm), it must not pay that compensation or financial penalty from any participants' fund(s) and it must not seek to have that compensation or financial penalty reimbursed as part of its management fees.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.3.8
The Rules in this Chapter in respect of the segregation of funds by a Takaful firm are similar to the Rules set out in Chapter CA-3 relating to long-term insurance business. In the case of a family participants' fund(s) this similarity is most pronounced. However, the Rules set out in Chapter CA-3 still apply even if the participants' fund(s) is a family participants' fund(s), in particular the requirement to separate linked family Takaful business into a separate fund.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.4 CA-8.4 Capital Adequacy and Solvency
CA-8.4.1
All Takaful firms are subject to capital available and solvency requirements.
Amended: April 2014
Amended: October 2008
Amended: January 2007
Determination of Available Capital
CA-8.4.2
The determination of available capital eligible to meet the solvency requirements is the total of:
(a) The participants' fund(s) net admissible assets as defined under Paragraph CA-8.4.3 in all funds; and
(b) The capital available of the shareholder fund as determined under Section CA-1.2, excluding any assets of the participants' fund(s).
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.4.3
Every participants' fund must calculate its net admissible assets to meet the solvency requirements of the Takaful firm. The admissible assets are calculated in accordance with Chapter CA-4 and are reduced by any of the participants' fund(s) liabilities (including any Qard Hassan payable to the shareholder fund) and excluding 55% of any unrealised gains to arrive at the net admissible assets.
Amended: April 2014
Amended: October 2008
CA-8.4.4
For the purpose of calculating the admissible assets of the participants' fund(s) referred to under Paragraph CA-8.4.3, the insurance business amount referred to in Paragraph CA-4.2.34 means:
(a) In the case of general Takaful business, the general Takaful insurance business amount is the value of the general participants' fund(s)'s assets (other than family participants' fund(s) assets) and allocated earmarked assets to the insurance business amount (see Paragraphs AA-4.3A.6 to AA-4.3A.11 for actuarial requirements) from the shareholder fund and excluding any reinsurance/retakaful recoveries as determined in accordance with Chapter CA-4; and
(b) In the case of family Takaful business, the family Takaful insurance business amount is the value of the family participants' fund(s)'s assets (other than general participants' fund(s) assets) and allocated earmarked assets to the insurance business amount from the shareholder fund and excluding reinsurance/retakaful recoveries and assets required to match property-linked liabilities in accordance with Chapter CA-4.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.4.5
Any earmarked assets used under Paragraph CA-8.4.4 must be adjusted to account for any Qard Hassan that may be granted as outlined under Paragraph CA-8.4A.2.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.4.6
For purposes of Paragraph CA-8.4.4, earmarked assets must meet the following criteria:
(a) Availability: the asset is available and can be called on demand to meet any liquidity requirement where a Qard Hassan may be extended (see Section CA-8.4A);
(b) Permanency: the asset is not callable and cannot be withdrawn;
(c) Free of encumbrances: the asset is free of any encumbrances or mandatory payments; and
(d) Highly liquid: the asset must be readily convertible to cash equivalent to a minimum of 90% of its reported value on the shareholder's fund statement of financial condition.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.4.7
Earmarked assets must comply with the criteria outlined in Paragraph CA-8.4.6 and refer to the following allocated assets from the shareholder fund to each of the participants' funds:
(a) Cash and unencumbered current accounts with financial institutions;
(b) Placements with financial institutions which can be liquidated within one month;
(c) Readily marketable securities;
(d) GCC government securities;
(e) Other sovereign securities, other than in Paragraph CA-8.4.7(c) and Paragraph CA-8.4.7(d) above, up to one year maturity, carrying an S&P minimum rating of A (or equivalent); and
(f) Accounts receivable due within one month, excluding any past due accounts.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.4.8
Earmarked assets from the shareholder fund must be allocated for each participants' fund in the calculation of the insurance business amount of each participants' fund and as determined by the actuary under Paragraph AA-4.3A.7.
Added: April 2014
CA-8.4.6A
In cases where Paragraph CA-8.4.5 applies, any income generated from the assets forming part of the free loan, will be solely for the benefit of the Takaful fund, and should be recorded as investment income of the Takaful fund. The total investment income being generated by the Takaful fund will however be subject to a mudaraba fee as approved by the Shari'a Board.
Inserted: October 2008
Solvency Requirements
CA-8.4.9
The solvency requirements only apply to the insurance activities of the participants' fund(s) and are calculated in accordance with Chapter CA-2 for each of the participants' fund(s). The solvency required is the total of the solvency requirements for all participants' funds.
Amended: April 2014
Amended: April 2009
Amended: October 2008
Amended: January 2007
CA-8.4.10
Where the capital available as defined under Paragraph CA-8.4.2 does not meet the solvency requirements of Paragraph CA-8.4.9, a capital injection must be made by the shareholders to meet the solvency required.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.4.11
Should the Takaful firm fail to meet its required solvency margin, it will be restricted from writing any new Takaful business until such time as the Takaful firm is in compliance with the solvency margin requirements.
Amended: April 2014
Amended: October 2008
Amended: January 2007
Other Requirements
CA-8.4.12
In cases where a Qard Hassan has been granted to the participants' fund(s), any income generated from the assets forming part of the Qard Hassan (free loan), will be solely for the benefit of the participants' fund, and should be recorded as investment income of the participants' fund. The total investment income being generated by the participants' fund will however be subject to a Mudaraba fee as approved by the Shari'a Board (see Paragraph CA-8.2.4).
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.4.13
A participants' fund is prohibited from providing any form of credit by way of loan, guarantee or other instrument to another participants' fund or to any other party, including but not limited to:
(a) The Takaful operator (i.e. the shareholder fund);
(b) A person in a controlled function;
(c) A participant (policyholder) except as provided under Paragraph CA-8.4.14; and
(d) A controller or close link of the Takaful firm.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.4.14
In the case of Family Takaful, a participant credit facility (policyholder loan) may be granted should the contract of insurance allow for such event to take place and the contract outlines the various conditions attached to such credit.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.4.15
The Rule under Paragraph CA-8.4.13 does not restrict the participants' funds from providing any form of commitment associated with investment projects/funds.
Added: April 2014
CA-8.4.13A
Following the Takaful fund's first year of operation, the fund will be expected to meet the solvency margin requirements, but the calculation of its capital available (participants' equity) will still be subject to valuation rules but will not be subject to deductions resulting from inadmissible assets (by category or counterparty) as outlined in Section CA-4.2:
(a) For a period not exceeding 5 years from the start of the Takaful fund; or
(b) When the asset base of the fund reaches a minimum asset level of BD 5 million,
whichever of (a) or (b) occurs first.
Inserted: October 2008
CA-8.4.13B
Once a Takaful fund has reached conditions (a) or (b) stated in Paragraph CA-8.4.13A, it will be expected to calculate its capital available as per Paragraph CA-1.2.21, including all deductions related to inadmissible assets due to category or counterparty limits.
Inserted: October 2008
CA-8.4.13C
During the transition phase outlined in Paragraph CA-8.4.13A, while category and counterparty limits do not apply, proper diversification of the assets of the Takaful funds should be followed, focusing on low risk and income producing assets.
Inserted: October 2008
Qard Hassan Transition Rules
CA-8.4.16
Where a Qard Hassan has been granted for solvency purposes under the Rules in place at that time, the amount of Qard Hassan will be written off and/or repaid over a period not exceeding 5 years and disclosed as an off-balance sheet item (see Paragraph PD-1.1.13A) and not included as part of available capital for solvency purposes.
Added: April 2014
CA-8.4.17
Where Paragraph CA-8.4.16 applies, should the participants' fund for which the Qard Hassan was originally granted generate a surplus during the course of the write-off period, such surplus may be used to repay any part of the portion of the Qard Hassan that has not been written off, subject to the CBB's prior written approval.
Added: April 2014
CA-8.4A CA-8.4A Liquidity of Participants' Funds
CA-8.4A.1
Where a participants' fund(s) has a cash deficit which results in its inability to meet its day to day expenses and obligations, a Qard Hassan must be extended immediately by the shareholder fund. The cash being sought by the participants' fund must be physically transferred from the shareholder fund to cover the cash deficit of the participants' fund.
Added: April 2014
CA-8.4A.2
Where a Qard Hassan has been extended for liquidity purposes, the calculation of the earmarked assets allocated to the insurance business amount for the participants' fund(s) as outlined under Paragraph CA-8.4.4, must consider the impact of the reduction in earmarked assets.
Added: April 2014
CA-8.4A.3
Where the shareholders' fund of Takaful firms provides Qard Hassan (free loan) to the participants' fund as available for the purposes of meeting a participants' fund's liquidity needs and where the earmarked assets are to be reassessed as a result, the Takaful firm must notify the CBB immediately.
Added: April 2014
CA-8.4A.4
Where a Qard Hassan has been granted for liquidity purposes, the statement of financial position of the shareholders' fund must reflect the reduction in earmarked assets to fund the Qard Hassan as an asset and for the participants' fund(s), the amount of Qard Hassan must be shown as a liability. In addition, the CBB requires, as a minimum, that the Takaful firm include a specific note in the financial statements of the Takaful firm explaining the circumstances of the arrangement (Qard Hassan) and the implications for shareholders and participants.
Added: April 2014
CA-8.4A.5
Where a Qard Hassan has been extended, it must be repaid from future surpluses from the participants' fund(s).
Added: April 2014
CA-8.4A.6
The Takaful operator must have a clear written policy on the mechanism to rectify the cash deficit of the participants' fund(s), duly approved by the Board. The policy must address the manner in which Qard Hassan will be repaid and specify the Qard impairment testing mechanism. The Qard Hassan must be tested for impairment at least annually. Whenever there is a need for Qard Hassan, the Takaful operator must determine the time period for the repayment of Qard Hassan.
Added: April 2014
CA-8.5 CA-8.5 Determining and Allocating Surplus or Deficit
CA-8.5.1
Every Takaful firm must develop a policy for determining the surplus or deficit arising from Takaful operations, the basis of determining and allocating that surplus or deficit to the participants and the shareholders, and the method of transferring any surplus or deficit to the participants. The policy developed must consider all relevant AAOIFI standards including Financial Accounting Standard No. 13 'Disclosure of Bases for Determining and Allocating Surplus or Deficit in Islamic Insurance Companies'. The policy must be approved by the Shari'a Supervisory Board as well as the board of directors of the Takaful firm.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.5.2
More than one policy may be developed where the Takaful firm offers different types of insurance products. In any event, the company must have separate policies in respect of its general business and its long-term business and any surplus or deficit allocation must be in line with the policy developed under Paragraph CA-8.5.1.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.5.3
On an annual basis, every Takaful firm must determine any surplus or deficit arising on each separate participants' fund. The surplus distribution or remedial action for deficit reduction must be recommended by the actuary (see Paragraphs AA-4.3A.4 and AA-4.3A.5) and endorsed by the Shari'a Supervisory Board and the board of directors of the Takaful firm.
Amended: April 2014
Amended: October 2008
Amended: October 2007
Amended: January 2007
CA-8.5.4
The policy developed in accordance with Paragraph CA-8.5.1 must not be amended or changed without the approval of the Shari'a Supervisory Board.
Amended: April 2014
Amended: October 2008
Amended: January 2007
CA-8.5.4A
Distribution of surpluses from the Participants' fund(s) is subject to the CBB's prior written approval.
Added: April 2014
CA-8.5.5
No Takaful firm is permitted to make any distributions to participants if either the participants' fund(s) does not, or through the payment of the distribution, would not meet all the capital available and solvency requirements set out in Chapters 1 and 2 of the Capital Adequacy Module. In addition the surplus distribution must not cause adverse financial implications or a deficit in the participants' fund(s) and the Takaful operator must ensure that the participants' fund(s) is sufficiently liquid to cover any proposed surplus distribution.
Amended: April 2014
Amended: October 2008
Amended: January 2007
BC BC Business and Market Conduct
BC-A BC-A Introduction
BC-A.1 BC-A.1 Purpose
Executive Summary
BC-A.1.1
This Module presents requirements that have to be met by insurance licensees with regard to their dealings with customers. Reinsurance business is exempted from the scope of these requirements.
BC-A.1.2
The requirements contained in this Module aim to ensure that insurance licensees deal with their customers in a fair and open manner, and address their customers' information needs.
Amended: January 2007
BC-A.1.3
The requirements build upon several of the Principles of Business (see Module PB (Principles of Business)). Principle 1 (Integrity) requires insurance licensees to observe high standards of integrity and fair dealing, and to be honest and straightforward in their dealings with customers. Principle 7 (Customer Interests) requires insurance licensees to pay due regard to the legitimate interests and information needs of their customers, and to communicate with them in a fair and transparent manner.
Amended: January 2007
BC-A.1.4
The requirements contained in this Module are largely principles-based and focus on desired outputs rather than on prescribing detailed processes. This gives insurance licensees flexibility in how to implement the basic standards prescribed in this Module.
Amended: January 2007
Legal Basis
BC-A.1.5
This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) relating to business conduct and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to insurance licensees (including their approved persons).
Amended: January 2011
Added: January 2007
BC-A.1.6
For an explanation of the CBB’s rule-making powers and different regulatory instruments, see Section UG-1.1.
Added: January 2007
BC-A.2 BC-A.2 Module History
BC-A.2.1
This Module was first issued in April 2005 by the BMA, together with the rest of Volume 3 (Insurance). Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.
Amended: January 2007
BC-A.2.2
When the CBB replaced the BMA in September 2006, the provisions of this Module remained in force. Volume 3 was updated in January 2007 to reflect the switch to the CBB; however, new calendar quarter dates were only issued where the update necessitated changes to actual requirements.
Added: January 2007
BC-A.2.3
A list of recent changes made to this Module is detailed in the table below:
Module Ref. | Change Date | Description of Changes
BC-3.4 | 01/07/05 | Clarified language of takaful disclosure.
BC-A.1.5 | 01/2007 | New Rule introduced, categorising this Module as a Directive.
BC-A.1.5 | 01/2011 | Clarified legal basis
BC-2.11 and BC-4 | 10/2011 | Replaced Complaints Section BC-2.11 with new Chapter BC-4 Customer Complaints Procedures.
BC-4.2 and BC-4.3 | 01/2012 | Minor corrections to correct typos and clarify language.
BC-4.3.9 | 01/2012 | Paragraph deleted as it repeats what is in Paragraph BC-4.3.7.
BC-4.1.3A | 10/2012 | Added guidance on the appointment of the customer complaints officer.
BC-4.7 | 07/2013 | Additional details provided on reporting of complaints.
BC-2.9 | 04/2016 | Added requirements for insurance firms when dealing with medical insurance.
BC-4.3.16 | 04/2020 | Amended Paragraph adding reference to CBB consumer protection.
BC-4.5.6 | 04/2020 | Amended Paragraph adding reference to CBB consumer protection.
BC-4.7.1 - BC-4.7.3 | 04/2020 | Amended Paragraph adding reference to CBB consumer protection.
BC-C | 10/2020 | Added a new Chapter on Provision of Financial Services on a Non-discriminatory Basis.
BC-A.2.3 [Deleted]
Deleted: January 2007
BC-A.2.4
Guidance on the implementation and transition to Volume 3 (Insurance) is given in Module ES (Executive Summary).
Amended: January 2007
BC-B BC-B Scope of Application
BC-B.1 BC-B.1 Insurance Licensees
BC-B.1.1
Except as noted in this section, the requirements in this Module apply to all insurance licensees, with respect to their direct insurance activities carried on from the Kingdom of Bahrain with a person who is a resident of Bahrain ('domestic business').
Amended: October 2011
BC-B.1.2
The requirements of this Module therefore apply to insurance firms and insurance intermediaries who are selling, intermediating or advising on direct insurance contracts from their offices in Bahrain, with respect to customers who are resident of Bahrain. The requirements in this Module do not, therefore, apply to direct insurance activities carried on from overseas branches and subsidiaries of Bahraini insurance licensees, or to activities carried on with non-residents.
BC-B.1.3
Reinsurance business is exempted from the requirements of this Module because the reinsurance market is limited to dealings between insurance market professionals.
BC-B.1.4
The activities of insurance managers and operators of insurance exchanges do not fall within the scope of this Module. However, the CBB expects the insurance manager to consider the requirements of this Module in relation to the service provided, on behalf of the captive insurer or insurance firm, to its 'clients', namely insured members of the group.
Amended: January 2007
BC-B.1.5
Although the requirements of this Module apply in full to all direct insurance activities in relation to domestic business, the CBB recognises that customers' needs vary. For example, because a captive insurer is insuring the risks of its parent group, it would be acceptable for the level of sales documentation and written disclosure to be less than would be required for retail customers. Large corporate customers may also require less extensive written disclosures than retail customers. The requirements in this Module give insurance licensees the flexibility to adapt their processes to suit the different needs of different customer types.
Amended: January 2007
BC-C BC-C Provision of Financial Services on a Non-discriminatory Basis
BC-C.1 BC-C.1 Provision of Financial Services on a Non-discriminatory Basis
BC-C.1.1
Insurance licensees must ensure that all regulated financial services are provided without any discrimination based on gender, nationality, origin, language, faith, religion, physical ability or social standing.
Added: October 2020
BC-1 BC-1 General Requirements
BC-1.1 BC-1.1 General Rules
BC-1.1.1
This Module applies to the direct insurance activities of all licensees in relation to domestic business.
BC-1.1.2
This Module aims to encourage high standards of business conduct, which are broadly applicable to all licensees, all types of direct insurance business (i.e. excluding reinsurance), and all types of customers. However, it is recognized that some types of licensees or business (such as captive insurance or commercial insurance) may present lower regulatory risks in relation to business conduct. For these types of business, the CBB therefore accepts that less detailed arrangements are likely to be sufficient to implement the principles contained in this Module. The CBB will monitor the regulatory performance of the market, and may in due course allow for specific exemptions or relaxations for certain types of business or licensees (see also BC-1.1.11 and BC-1.1.12).
Amended: January 2007
BC-1.1.3
Where packaged investment products include insurance elements, this Module applies to the insurance elements.
BC-1.1.4
It is recognised that investment products represent different features and risks that require separate regulatory treatment. Specific rules applying to business conduct in relation to investment products will be developed over time.
Amended: January 2007
BC-1.1.5
All licensees must comply with the Insurance Code of Practice for business conduct with customers, which sets out the minimum standards of good practice for market conduct in relation to direct insurance activities.
BC-1.1.6
The Code comprises a number of overarching principles and a number of principles-based requirements rules in relation to the conduct of direct insurance business with customers. The structure of the Insurance Code of Practice for Business Conduct with customers reflects the key stages and activities over the lifetime of the customer relationship for insurance products and services (see Illustration 1).
Illustration 1: Structure of Insurance Code of Practice for Business Conduct
Amended: January 2007
BC-1.1.7
Licensees must maintain compliance with the Code throughout the lifetime of their relationships with all of their customers.
BC-1.1.8
The Code focuses on desired outcomes, rather than prescribing in detail measures required to achieve those outcomes. Licensees therefore have the flexibility to design arrangements that implement the Code, in a way that suits the particular nature of their business.
BC-1.1.9
Insurance licensees must take responsibility for compliance with the Code of all persons carrying out direct insurance activities on their behalf (including, but not limited to, appointed representatives and insurance managers).
Amended: October 2007
BC-1.1.10
Licensees must put in place appropriate measures across all their business operations and distribution channels to ensure compliance with the Code. Licensees must maintain adequate records to demonstrate compliance with the Code.
BC-1.1.11
The CBB will monitor compliance with the Code and standards of business conduct. If required, the CBB may develop more detailed rules and guidance to supplement the existing Code.
Amended: January 2007
BC-1.1.12
The CBB will apply these requirements in a way that allows them to be adapted to fit the circumstances of licensees' businesses, to be achieved through a pragmatic approach to supervision. However, in exceptional circumstances, it may be appropriate for the CBB to consider and grant waivers where strict compliance would be unduly burdensome or would not achieve the purpose for which the requirement was intended. Each application for waiver will be considered on its individual merits. The fact that a waiver has been granted to a particular licensee should not be regarded as an indication that similar waivers will be issued to any other licensee.
Amended: January 2007
BC-2 BC-2 The Insurance Code of Practice
BC-2.1 BC-2.1 Overarching Principles
BC-2.1.1
In the course of direct insurance activities, licensees must:
(a) Act with due skill, care and diligence in all dealings with customers;
(b) Act fairly and reasonably in all dealings with customers;
(c) Identify customers' specific requirements in relation to the products and services about which they are enquiring;
(d) Ensure that any advice to customers is aimed at the customers' interests and based on adequate standards of research and analysis;
(e) Provide sufficient information to enable customers to make informed decisions when purchasing insurance products and services offered to them;
(f) Provide sufficient and timely documentation to customers to confirm that their insurance arrangements are in place and provide all necessary information about their products, rights and responsibilities;
(g) Maintain fair treatment of customers through the lifetime of their insurance products and customer relationships, and ensure that customers are kept informed of important events;
(h) Handle claims fairly and promptly;
(i) Ensure that all information provided to customers is clear, fair and not misleading, and appropriate to customers' information needs; and
(j) Take appropriate measures to safeguard any money and property handled on behalf of customers and maintain confidentiality of customer information.
Amended: January 2007
Amended: October 2007
BC-2.2 BC-2.2 Marketing and Promotion
BC-2.2.1
Licensees must ensure that all advertising and promotional material is clear, fair and not misleading.
BC-2.3 BC-2.3 Initial Customer Information about Service
BC-2.3.1
At the initial point of contact, before any contract is concluded between the customer and the insurance licensee, licensees must advise customers of the nature of the service they can offer and their relationship with the customer, including:
(a) The types of services that can be provided;
(b) The choice of products and services that can be offered; and
(c) Whether the licensee acts on behalf of an insurer or insurers, or acts independently on behalf of the customer in arranging insurance.
Amended: January 2007
BC-2.4 BC-2.4 Identification of Customer Requirements
BC-2.4.1
Licensees must identify customers' requirements by seeking from customers such information about their circumstances and objectives as might reasonably be expected to be relevant in establishing their specific insurance needs in relation to the products and services about which they are enquiring.
BC-2.5 BC-2.5 Advice and Recommendations
BC-2.5.1
Any recommendations made must be appropriate to the customer's needs. The recommendation must include an explanation as to how the recommended product suits the customer's identified needs. Where more than one product is recommended as appropriate to the customer's needs, the recommendation must include an explanation of the differences in and relative costs in the alternative options.
Amended: January 2007
BC-2.5.2
In the case of compulsory insurance, such as third party motor liability insurance, the explanation of the product's suitability may be limited to a brief explanation of the obligation to hold such insurance, and the options available to satisfy the obligation.
BC-2.5.3
The objective of Paragraph BC-2.5.1 is to ensure that a customer is provided with sufficient information with which to make an informed decision. An insurance firm is able to rely on the customer's explanation of his insurance needs and is not otherwise required to verify the customer's own assessment of his needs. Given the customer's stated needs, the insurance firm must explain how the proposed contract(s) would meet those needs, and provide sufficient information regarding the different options so that the customer is able to make an informed decision.
Amended: January 2007
BC-2.6 BC-2.6 Customer Information before Commitment to the Contract
BC-2.6.1
Before customers make their final commitment to enter into a contract of insurance, licensees must provide to the customer sufficient information on the key features of the product being proposed to enable the customer to make an informed purchasing decision, including:
(a) The identity of the insurance licensee;
(b) All the important details of cover and benefits;
(c) Any significant or unusual restrictions or exclusions, conditions or obligations attaching to the customer; and
(d) The period of cover.
Amended: January 2007
Amended: October 2007
BC-2.6.2
Before customers make their final commitment to enter into a contract of insurance, licensees must provide to the customer full details of costs of the insurance products and services being offered, including:
(a) The level of insurance premiums, the periodicity of payment and any grace periods allowed for payment;
(b) The consequences of discontinuing the payment of any premium; and
(c) Any fees and charges other than the insurance premium.
Amended: January 2007
Amended: October 2007
BC-2.6.3
While an insurance broker may not approach every possible underwriter for each risk, he should make reasonable efforts to make his selection from a panel of insurance firms. An insurance broker's submission of quotations should incorporate the reasons for recommending or choosing an insurance firm.
BC-2.6.4
Except for clients with turnover exceeding BD 1 million per year, an insurance intermediary must draw the client's attention to the status of the insurance firm: i.e. whether or not the insurance firm is locally licensed (as a Bahraini insurance firm or overseas insurance firm) and, if not, the reasons for recommending or choosing that insurance firm. In respect of these clients, this advice must be delivered in writing.
Amended: January 2007
BC-2.6.5
An insurance intermediary should recommend, in the first instance, a policy from a CBB licensed insurer (which, for the avoidance of doubt, may be an overseas insurance firm) that he considers best suited to the needs of his client, and offering ease of client service, claims handling, etc. Paragraph BC-2.6.4 covers the situation where an insurance intermediary proposes use of an overseas insurer not licensed or incorporated in Bahrain, because of the lack of availability of local cover.
Amended: January 2007
BC-2.6.6
Insurance intermediaries acting on behalf of customers in arranging their insurance must, on request, disclose the amount of commission payable to them from the insurance premium, and any other remuneration received for arranging the insurance contract.
BC-2.6.7
Before customers make a final commitment to enter into a contract of insurance, licensees must inform the customer of their key obligations and rights with regard to the transaction, including:
(a) The customer's duty of disclosure to the insurance licensee;
(b) Cancellation rights and conditions;
(c) The licensee's internal complaints procedure; and
(d) The licensee's obligations in respect of this Code.
Amended: January 2007
Amended: October 2007
BC-2.6.8
There are no specific requirements prescribing customers' cancellation rights or required standards of cancellation terms for insurance products and customers. It is expected that licensees will put in place cancellation terms that are fair, reasonable and appropriate with respect to their customers and the products provided, in line with the overarching principles requiring fair dealings with customers (see Paragraph BC-2.1.1). The CBB will monitor the regulatory performance of the market in this area, and may make amendments over time (see Paragraphs BC-1.1.11, BC-1.1.12).
Amended: January 2007
BC-2.7 BC-2.7 Confirmation of Cover and Policy Documentation
BC-2.7.1
On the conclusion of contracts, licensees must provide customers with prompt written confirmation and details of the insurance that has been effected, including:
(a) The date when cover starts and the period of cover;
(b) Any certificates or documents which the customer is required to have by law;
(c) Details of how the customer can make a claim, and their responsibilities in relation to making claims;
(d) The address of the insurer to which all communications in respect of the policy should be sent; and
(e) Proof of payment where applicable.
Amended: January 2007
BC-2.7.2
Licensees must provide full policy documentation promptly following the conclusion of contracts, unless this has already been issued with the confirmation of cover.
BC-2.8 BC-2.8 Service after the Point of Sale
BC-2.8.1
Licensees must respond to and administer customers' requests for amendments to their insurance policies in a timely manner. In particular, licensees must:
(a) Provide written confirmation of any changes/amendments to the policy;
(b) Provide full details of any additional premium or charges to be paid by or returned to the customer;
(c) Provide any certificate or documentation which the customer is required to have by law;
(d) Provide proof of payment of additional premium or charges where applicable; and
(e) Remit any refunds of premiums or charges due to customers without undue delay.
Amended: January 2007
BC-2.9 BC-2.9 Claims
BC-2.9.1
In addition to the requirements under Paragraph BC-2.9.2, where licensees' insurance activities include the handling of claims, they must:
(a) Respond promptly when claims are first notified, and provide customers with an explanation about how the claim will be handled and any actions required of the customer;
(b) Provide reasonable guidance to customers in pursuing their claim;
(c) Consider and handle claims fairly and promptly, and keep the customer informed of progress;
(d) Inform customers in writing, with an explanation, if the licensee is unable to deal with all or any part of the claim; and
(e) Forward settlement of claims without undue delay, once settlement has been agreed.
Amended: April 2016
Amended: October 2007
January 2007
BC-2.9.2
Where an insurance firm deals with medical insurance and handles all the claim processing activities directly, i.e. without using a TPA:
(a) It must process and settle all medical claims with policyholders within 15 calendar days from the receipt of all necessary documents; and
(b) It must process and settle claims from healthcare service providers within 30 calendar days from the receipt of all necessary documents from the healthcare service providers.
April 2016
BC-2.9.3
Insurance firms must comply with Paragraph BC-2.9.2 by 30th September 2016 at the latest.
April 2016
BC-2.10 BC-2.10 Renewal, Expiry and Cancellation
BC-2.10.1
Licensees must notify customers of the renewal or expiry of their policy in time to allow the customer to consider and rearrange any continuing cover they may need, including:
(a) Details of the renewal terms, if offered; and
(b) Details of any changes to the cover, service or insurance firm being offered.
Amended: January 2007
BC-2.10.2
On expiry or cancellation of insurance policies, at the request of the customer, licensees must make available all documentation and information to which the customer is entitled in a timely manner.
BC-2.11 BC-2.11 [This section was deleted in October 2011]
BC-2.11.1
[This paragraph was deleted in October 2011]
Deleted: October 2011
BC-2.11.2
[This paragraph was deleted in October 2011]
Deleted: October 2011
Amended: January 2007
BC-2.11.3
[This paragraph was deleted in October 2011]
Deleted: October 2011
Amended: January 2007
BC-2.11.4
[This paragraph was deleted in October 2011]
Deleted: October 2011
Amended: January 2007
BC-2.11.5
[This paragraph was deleted in October 2011]
Deleted: October 2011
Amended: October 2007
Amended: January 2007
BC-2.12 BC-2.12 Information Conditions
BC-2.12.1
Licensees must ensure that all information presented to customers in accordance with this Code shall be clear, fair and not misleading, and comprehensible to the customer having regard to the complexity of the products and services being offered and the customer's knowledge.
BC-2.12.2
Licensees must ensure that customer information presented to customers in accordance with this Code is provided in an appropriate format with regard to the complexity of the product being discussed. In particular:
(a) As a general rule, all information to be provided to the customer in accordance with this Code is to be in writing, on paper or other durable medium available and accessible to the customer. If the information is initially presented orally, supporting written information must be provided in addition;
(b) In the case of telephone selling and other forms of selling where it is impractical to provide information to the customer in writing at the point of sale, information shall be provided to the customer in accordance with Subparagraph BC-2.12.2(a) immediately following conclusion of the contract; and
(c) By way of derogation from Subparagraph BC-2.12.2(a), information may be provided orally without supporting written information where the customer requests it, or where immediate cover is necessary.
Amended: January 2007
BC-2.13 BC-2.13 Fair Treatment and Conflicts of Interest
BC-2.13.1
Licensees must avoid conflicts of interest, or if conflicts are unavoidable, must explain the position fully and manage the situation so as to avoid prejudice to any party. In particular, licensees who act on behalf of their customers must not put their own interests above their duty to any customers for whom they act.
BC-2.13.2
Insurance intermediaries must disclose in writing to the client any relationship that he may have with an insurance firm that he is recommending to his client and which may result in a potential conflict of interest including, but not limited to, disclosure in writing any association arising from common shareholder/controller/Director.
Amended: January 2007
BC-2.14 Confidentiality and Security of Customer Assets
BC-2.14.1
Licensees must ensure that any information obtained from customers must not be used or disclosed except in the normal course of negotiating, maintaining or renewing insurance for that customer, unless:
(a) They have the customer's consent;
(b) Disclosure is made in accordance with the licensee's regulatory obligations; or
(c) The licensee is legally obliged to disclose the information.
Amended: January 2007
BC-2.14.2
Licensees must take appropriate steps to ensure the security of any money, documents, other property or information handled or held on behalf of customers.
BC-3 Takaful Firms
BC-3.1 General Requirements
BC-3.1.1
This Chapter applies only to those insurance firms licensed to conduct insurance business under takaful principles.
Amended: January 2007
BC-3.1.2
The CBB acknowledges that the nature of takaful and the operation of a takaful business are not entirely equivalent to and in some respects different from a conventional insurance business. The specific requirements set out in this Chapter aim not only to allow takaful firms to operate in Bahrain within the CBB's insurance regulatory regime on a basis consistent with conventional insurers but also to recognise some of the differences in takaful that are relevant to the way in which takaful business is carried on.
Amended: January 2007
Amended: October 2007
BC-3.2 Restriction on the Use of Terms
BC-3.2.1
The use of the terms 'takaful', 'retakaful', 'general takaful' and 'family takaful' may only be used to describe the products of insurance firms that are Islamic financial institutions within the meaning of the CBB Rulebook.
Amended: January 2007
Amended: October 2007
BC-3.2.2
For the purposes of this Module, references to takaful shall be taken as including 'takaful', 'retakaful', 'general takaful' and 'family takaful'.
Amended: January 2007
Amended: October 2007
BC-3.2.3
The use of the term 'Islamic insurance' should be avoided and may never be used by a firm not licensed to conduct the regulated activity of takaful.
Amended: January 2007
Amended: October 2007
BC-3.3 Marketing and Promotion
BC-3.3.1
An insurance firm may only offer takaful products if it is licensed to do so. An insurance intermediary may offer both conventional insurance and takaful products but must provide clear information to enable consumers to make informed choices.
Amended: October 2007
BC-3.3.2
Any comparison between takaful and conventional insurance products must draw the customer's attention to the principal differences between these products. These differences may include:
(a) Whether there is a contractual right to claims or benefits or whether these are discretionary on the part of the firm;
(b) The basis on which benefits and surpluses are allocated to, and between, policyholders and participants; and
(c) Whether there is any future liability of policyholders (or participants), individually or collectively, for deficits in the policyholders' (participants') funds.
Amended: January 2007
Amended: October 2007
BC-3.4 Disclosure
BC-3.4.1
Takaful firms must provide participants and shareholders with clear information about the performance of their business. This information must, as a minimum, comply with relevant AAOIFI standards, in particular Standard 13 (Disclosure of Bases for Determining and Allocating Surplus or Deficit in Islamic Insurance Companies) and 12 (General Presentation and Disclosure in the Financial Statements of Islamic Insurance Companies).
Amended: January 2007
BC-3.4.2
Takaful firms must clearly disclose to participants the calculation (percentage) and amount of wakala fee and mudaraba share of profits paid by the takaful fund to the takaful operator.
Amended: January 2007
BC-4 Customer Complaints Procedures
BC-4.1 General Requirements
BC-4.1.1
All insurance licensees must have appropriate customer complaints handling procedures and systems for effective handling of complaints made by customers by 31st March 2012.
Added: October 2011
BC-4.1.2
Customer complaints procedures must be documented appropriately and their customers must be informed of their availability.
Added: October 2011
BC-4.1.3
All insurance licensees must appoint a customer complaints officer and publicise his/her contact details at all departments and branches. The customer complaints officer must be of a senior level at the insurance licensee and must be independent of the parties to the complaint to minimize any potential conflict of interest.
Added: October 2011
BC-4.1.3A
The position of customer complaints officer may be combined with that of compliance officer.
Added: October 2012
BC-4.1.4
In the case of an overseas insurance licensee, a local complaints officer must be present and must report all complaints to the head office complaints unit.
Added: October 2011
BC-4.2 Documenting Customer Complaints Handling Procedures
BC-4.2.1
In order to make customer complaints handling procedures as transparent and accessible as possible, all insurance licensees must document their customer complaints handling procedures. These include setting out in writing:
(a) The procedures and policies for:
    (i) Receiving and acknowledging complaints;
    (ii) Investigating complaints;
    (iii) Responding to complaints within appropriate time limits;
    (iv) Recording information about complaints; and
    (v) Identifying recurring system failure issues; and
(b) The types of remedies available for resolving complaints; and
(c) The organisational reporting structure for the complaints handling function.
Amended: January 2012
Added: October 2011
BC-4.2.2
Insurance licensees must provide a copy of the procedures to all relevant staff, so that they may be able to inform customers. A simple and easy-to-use guide to the procedures must also be made available to all customers, on request, and when they want to make a complaint.
Added: October 2011
BC-4.2.3
Insurance licensees are required to ensure that claims forms and claim notification documents include a statement informing the customer of the availability of a simple and easy-to-use guide on customer complaints procedures in the event the customer is not satisfied with the services provided.
Amended: January 2012
Added: October 2011
BC-4.3 Principles for Effective Handling of Complaints
BC-4.3.1
Adherence to the following principles is required for effective handling of complaints:
Added: October 2011
Visibility
BC-4.3.2
"How and where to complain" must be well publicised to customers and other interested parties, in both English and Arabic languages.
Added: October 2011
Accessibility
BC-4.3.3
A complaints handling process must be easily accessible to all customers and must be free of charge.
Added: October 2011
BC-4.3.4
While an insurance licensee's website is considered an acceptable means for dealing with customer complaints, it should not be the only means available to customers as not all customers have access to the internet.
Amended: January 2012
Added: October 2011
BC-4.3.5
Process information must be readily accessible and must include flexibility in the method of making complaints.
Added: October 2011
BC-4.3.6
Support for customers in interpreting the complaints procedures must be provided, upon request.
Added: October 2011
BC-4.3.7
Information and assistance must be available on details of making and resolving a complaint.
Added: October 2011
BC-4.3.8
Supporting information must be easy to understand and use.
Added: October 2011
BC-4.3.9
[This Paragraph was deleted in January 2012].
Deleted: January 2012
BC-4.3.10
Insurance licensees should incorporate the complaints procedure as a clause within the insurance policies provided to their customers.
Added: October 2011
Responsiveness
BC-4.3.11
Receipt of complaints must be acknowledged in accordance with Section BC-4.5 "Response to Complaints".
Added: October 2011
BC-4.3.12
Complaints must be addressed promptly in accordance with their urgency.
Added: October 2011
BC-4.3.13
Customers must be treated with courtesy.
Added: October 2011
BC-4.3.14
Customers must be kept informed of the progress of their complaint.
Added: October 2011
BC-4.3.15
If a customer is not satisfied with an insurance licensee's response, the insurance licensee must advise the customer on how to take the complaint further within the organisation.
Added: October 2011
BC-4.3.16
In the event that they are unable to resolve a complaint, insurance licensees must outline the options that are open to that customer to pursue the matter further, including, where appropriate, referring the matter to the Consumer Protection Unit at the CBB.
Amended: April 2020
Added: October 2011
Objectivity and Efficiency
BC-4.3.17
Complaints must be addressed in an equitable, objective, unbiased and efficient manner.
Amended: January 2012
Added: October 2011
BC-4.3.18
General principles for objectivity in the complaints handling process include:
(a) Openness: The process must be clear and well publicised so that both staff and customers can understand.
(b) Impartiality:
    (i) Measures must be taken to protect the person the complaint is made against from bias;
    (ii) Emphasis must be placed on resolution of the complaint not blame; and
    (iii) The investigation must be carried out by a person independent of the person complained about.
(c) Accessibility:
    (i) The insurance licensee must allow customer access to the process at any reasonable point in time; and
    (ii) A joint response must be made when the complaint affects different participants.
(d) Completeness: The complaints officer must find the relevant facts, talk to both sides, establish common ground and verify explanations wherever possible;
(e) Equitability: Give equal treatment to all parties.
(f) Sensitivity: Each complaint must be treated on its merits and paying due care to individual circumstances.
(g) Objectivity for personnel — complaints handling procedures must ensure those complained about are treated fairly which implies:
    (i) Informing them immediately and completely on complaints about performance;
    (ii) Giving them an opportunity to explain and providing appropriate support;
    (iii) Keeping them informed of the progress and result of the complaint investigation;
    (iv) Full details of the complaint are given to those the complaint is made against prior to interview; and
    (v) Personnel must be assured they are supported by the process and should be encouraged to learn from the experience and develop a better understanding of the complaints process;
(h) Confidentiality:
    (i) In addition to customer confidentiality, the process must ensure confidentiality for staff who have a complaint made against them and the details must only be known to those directly concerned;
    (ii) Customer information must be protected and not disclosed, unless the customer consents otherwise; and
    (iii) Protect the customer and customer's identity as far as is reasonable to avoid deterring complaints due to fear of inconvenience or discrimination.
(i) Objectivity monitoring: Insurance licensees must monitor responses to customers to ensure objectivity which could include random monitoring of resolved complaints.
(j) Charges: The process must be free of charge to customers;
(k) Customer Focused Approach:
    (i) Insurance licensees must have a customer focused approach;
    (ii) Insurance licensees must be open to feedback; and
    (iii) Insurance licensees must show commitment to resolving problems.
(l) Accountability: Insurance licensees must ensure accountability for reporting actions and decisions with respect to complaints handling; and
(m) Continual improvement: Continual improvement of the complaints handling process and the quality of products and services must be a permanent objective of the insurance licensees.
Amended: January 2012
Added: October 2011
BC-4.4 Internal Complaint Handling Procedures
BC-4.4.1
An insurance licensee's internal complaint handling procedures must provide for:
(a) The receipt of written complaints;
(b) The appropriate investigation of complaints;
(c) An appropriate decision-making process in relation to the response to a customer complaint;
(d) Notification of the decision to the customer;
(e) The recording of complaints; and
(f) How to deal with complaints when a business continuity plan (BCP) is operative.
Added: October 2011
BC-4.4.2
An insurance licensee's internal complaint handling procedures must be designed to ensure that:
(a) All complaints are handled fairly, effectively and promptly;
(b) Recurring systems failures are identified, investigated and remedied;
(c) The number of unresolved complaints referred to the CBB is minimized;
(d) The employee responsible for the resolution of complaints has the necessary authority to resolve complaints or has ready access to an employee who has the necessary authority; and
(e) Relevant employees are aware of the insurance licensee's internal complaint handling procedures and comply with them and receive training periodically to be kept abreast of changes in procedures.
Added: October 2011
BC-4.5 Response to Complaints
BC-4.5.1
An insurance licensee must acknowledge in writing within the same day of receipt of customer written complaints for non-life insurance policies and within 5 business days of receipt of customer written complaints for life insurance policies.
Added: October 2011
BC-4.5.2
An insurance licensee must respond in writing to a customer's complaint within one week of receiving non-life insurance policies complaint and within 2 weeks of receiving life insurance policies complaint, explaining their position and how they propose to deal with the complaint.
Added: October 2011
Redress
BC-4.5.3
An insurance licensee should decide and communicate how it proposes (if at all) to provide the customer with redress. Where appropriate, the insurance licensee must explain the options open to the customer and the procedures necessary to obtain the redress.
Added: October 2011
BC-4.5.4
Where an insurance licensee decides that redress in the form of compensation is appropriate, the insurance licensee must provide the complainant with fair compensation and must comply with any offer of compensation made by it which the complainant accepts.
Added: October 2011
BC-4.5.5
Where an insurance licensee decides that redress in a form other than compensation is appropriate, it must provide the redress as soon as practicable.
Added: October 2011
BC-4.5.6
Should the customer that filed a complaint not be satisfied with the response received as per Paragraph BC-4.5.2, he can forward the complaint to the Consumer Protection Unit at the CBB within 30 calendar days from the date of receiving the letter from the insurance licensee.
Amended: April 2020
Added: October 2011
BC-4.6 Records of Complaints
BC-4.6.1
An insurance licensee must maintain a record of all customers' complaints. The record of each complaint must include:
(a) The identity of the complainant;
(b) The substance of the complaint;
(c) The status of the complaint, including whether resolved or not, and whether redress was provided; and
(d) All correspondence in relation to the complaint.
Such records must be retained by the insurance licensee for a period of 5 years from the date of receipt of the complaint.
Added: October 2011
BC-4.7 Reporting of Complaints
BC-4.7.1
An insurance licensee must submit to the CBB's Consumer Protection Unit a quarterly report summarising the following:
(a) The number of complaints received;
(b) The substance of the complaints;
(c) The number of days it took the insurance licensee to acknowledge and to respond to the complaints; and
(d) The status of the complaint, including whether resolved or not, and whether redress was provided.
Amended: April 2020
Added: October 2011
BC-4.7.2
The report referred to in Paragraph BC-4.7.1 must be sent electronically to Complaint@cbb.gov.bh.
Amended: April 2020
Added: July 2013
BC-4.7.3
Where no complaints have been received by the licensee within the quarter, a 'nil' report should be submitted to the CBB’s Consumer Protection Unit.
Amended: April 2020
Added: July 2013
BC-4.8 Monitoring and Enforcement
BC-4.8.1
Compliance with these requirements is subject to the ongoing supervision of the CBB as well as being part of any CBB inspection of a licensee. Failure to comply with these requirements is subject to enforcement measures as outlined in Module EN (Enforcement).
Added: October 2011
CL Client Money
CL-A Introduction
CL-A.1 Purpose
Executive Summary
CL-A.1.1
This Module presents requirements that have to be met by insurance brokers with regards to holding client money for which they are responsible.
Amended: July 2023
April 2012
CL-A.1.2
The Rules contained in this Module are aimed at ensuring proper protection of client money to minimise the risk of client money being used by insurance brokers and to prevent the commingling of client money with the insurance brokers' assets.
Amended: July 2023
April 2012
Legal Basis
CL-A.1.3
This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) on client money, with respect to insurance brokers, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to insurance brokers.
Amended: July 2023
April 2012
CL-A.1.4
For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.
April 2012
Effective Date
CL-A.1.5
All insurance brokers and where applicable, insurance firms, must comply with the requirements of this Module, effective 1st July 2012 (See ES-2.6AA2).
Amended: July 2023
April 2012
CL-A.2 Module History
Evolution of Module
CL-A.2.1
This Module was first issued in April 2012 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made. Chapter UG-3 provides further details on Rulebook maintenance and version control.
April 2012
Summary of Changes
CL-A.2.2
The most recent changes made to this Module are detailed in the table below:
Module Ref. | Change Date | Description of Changes
CL-2.3.4 and CL-2.3.4A | 07/2015 | Rules amended on insurance broker commissions where an insurance broker is dealing with an international insurance/reinsurance broker.
Full Module | 07/2023 | Deleted Appointed Representatives from Module.
CL-B Scope of Application
CL-B.1 Scope
CL-B.1.1
This Module, unless otherwise indicated, applies to all insurance brokers licensed by the CBB that undertake the broking of insurance contracts (see Rule AU-1.4.10) and hold client money.
Amended: July 2023
April 2012
CL-B.1.2
Client money is money of any currency that an insurance broker receives and holds for its client when carrying on insurance mediation. It can include premiums/contributions and premium/contribution refunds.
Amended: July 2023
April 2012
CL-B.1.3
Reference to insurance firms throughout this Module apply to Takaful firms as well.
April 2012
CL-B.1.4
Paragraph CL-2.3.4 applies as well to insurance firms.
April 2012
CL-B.1.5
[This Paragraph was deleted in July 2023].
Amended: July 2023
April 2012
CL-1 Client Money Protection
CL-1.1 Client Money Protection Rules
Keeping Separate Client Accounts
CL-1.1.1
Where an insurance broker receives payment from a client, it must maintain one or more premiums/contributions account that holds client money separate from its own money.
Amended: July 2023
April 2012
CL-1.1.2
Premiums/contributions collected in relation of a specific transaction must not be used to settle amounts due under another transaction.
April 2012
CL-1.1.3
Payment of premiums/contributions to insurance firms, or commissions (brokerage) to the insurance brokers' own accounts must not be effected until the premiums to which these payments relate have been duly received from that client and credited to the client account.
Amended: July 2023
April 2012
CL-1.1.4
In respect of premiums/contributions booked in Bahrain in relation to residents and non-residents of Bahrain, these accounts are to be maintained with a retail bank licensed to do business in Bahrain.
April 2012
CL-1.1.5
Insurance brokers must:
(a) Provide the CBB with a written confirmation from a retail bank(s) licensed to do business in Bahrain, as in what capacity they are holding such client money. This confirmation must be provided to the CBB at the time of opening the client money account and when there is a material change in the nature of the account; and
(b) Instruct the bank(s) not to combine the client money account(s) with any other account or to exercise any right or set-off or counterclaim against money in that account in respect of any sum owed to it on any other account of the insurance broker.
Amended: July 2023
April 2012
CL-1.1.6
[This Paragraph was deleted in July 2023].
Deleted: July 2023
April 2012
CL-1.1.7
Client money must, upon receipt, be paid into a specifically designated client money account no later than the immediate business day after receipt. The monies in this account must form part of the fiduciary assets of the insurance broker and must be held in custody for the client, where the insurance broker acts as an agent with the client retaining full legal ownership of the funds.
Amended: July 2023
April 2012
CL-1.1.8
The following guidance material provides examples of circumstances under which monies may be deposited into or withdrawn from a client account.
April 2012
CL-1.1.9
Amounts that may be deposited into a client account:
(a) Monies received from the client for the purpose of purchasing contracts of insurance; and
(b) Monies received on behalf of the client from (re)insurance firms, insurance intermediaries and any other third parties relating to the refund of premiums/contributions to clients.
April 2012
CL-1.1.10
Amounts that may be withdrawn from a client account:
(a) Premium monies required to be paid on behalf of the client to (re)insurance firms or other insurance intermediaries for the purchase of contracts of insurance;
(b) Monies drawn on a client's written authority in accordance with the insurance contract; or
(c) Monies which may by mistake or accident have been paid into the account.
April 2012
CL-1.1.11
While the (re)insurance broker may assist a policyholder or insurance firm in the claims settlement process, funds related to claims settlement must be remitted directly by the (re)insurance firm to the policyholder or insurance firm.
April 2012
CL-1.1.12
Every insurance broker must maintain at least one income and expenses account with a retail bank licensed to do business in Bahrain.
Amended: July 2023
April 2012
CL-1.1.13
Insurance brokers are prohibited from:
(a) Combining income and expenses account(s) with premiums/contributions; and
(b) Transferring income and expenses account(s) to premiums/contributions account(s).
Amended: July 2023
April 2012
CL-1.2 Record Keeping
CL-1.2.1
In accordance with Section GR-1.2, insurance brokers must ensure that proper records, sufficient to show and explain insurance brokers' transactions and commitments in respect of their client money, are maintained and demonstrate compliance with the provisions of this Module. These records must be retained for a period of a minimum of ten years after they are made, unless otherwise required by law.
Amended: July 2023
April 2012
CL-1.2.2
An insurance broker that holds client money must:
(a) Check its record-keeping and client money procedures regularly; and
(b) Subject its record-keeping and client money procedures to an appropriate independent review (see Rule CL-1.3.3).
Amended: July 2023
April 2012
CL-1.2.3
Records of the insurance broker must clearly show funds received and paid out allocated per client/transaction. For greater clarity, all client money and receivables from clients are to be shown on the balance sheet as fiduciary assets and there must be an offsetting fiduciary liability, representing the amounts payable by the insurance broker to the insurance firm (See Rule CL-1.3.4).
Amended: July 2023
April 2012
CL-1.3 CBB Reporting
CL-1.3.1
In accordance with Sections BR-1.2A and BR-1.4A, insurance brokers must prepare and submit to the CBB an Insurance Broker Return (IBR) semi-annually. The 31st December IBR must be submitted by 28th February at the latest. The 30th June IBR must be submitted by 30th July at the latest.
April 2012
Amended: April 2022
CL-1.3.2
Insurance brokers must provide the CBB, within 3 months of the financial year end, the audited financial statements and the management letter from the external auditor.
April 2012
CL-1.3.3
In accordance with Paragraph BR-1.5.4, insurance brokers must provide the CBB, within 3 months of the financial year end, the Agreed Upon Procedure Report produced by the external auditor, certifying that the insurance broker among other things, is complying with the Rules of the Module CL (Client Money).
April 2012
Reporting of Fiduciary Assets and Liabilities
CL-1.3.4
Unremitted insurance premiums held in the client money account, in accordance with Paragraph CL-2.2.4, and uncollected premiums from insureds must be recorded as fiduciary assets on the balance sheet of the insurance broker. Fiduciary assets must have an offsetting fiduciary liability representing the total remittances to be made to the insurance firm.
April 2012
CL-2 Holding of Client Money
CL-2.1 Systems and Controls
CL-2.1.1
Insurance brokers must establish and maintain effective systems and controls to ensure the fulfillment of their fiduciary responsibilities towards their clients particularly protecting client money.
Amended: July 2023
April 2012
CL-2.2 Arrangements to Hold Client Money
CL-2.2.1
Except as otherwise indicated, in order to ensure adequate protection of client money, insurance brokers must follow one of two approaches or a mix of both for holding client money:
(a) Transfer the risk from the insurance broker to the insurance firm(s); or
(b) Segregate client money into client money accounts that cannot be used to reimburse other creditors if an insurance broker fails.
Amended: July 2023
April 2012
CL-2.2.2
For purposes of Subparagraph CL-2.2.1 (a), funds paid directly to insurance firms must not be received by the insurance broker.
Amended: July 2023
April 2012
CL-2.2.3
For purposes of Subparagraph CL-2.2.1 (a), a written agreement must be in place between the insurance broker and the insurance firm stating that premiums/contributions — and if the insurance firm wishes, premium refunds — are held by the insurance firm.
Amended: July 2023
April 2012
CL-2.2.4
For purposes of Subparagraph CL-2.2.1 (b), any client money, an insurance broker that is a financial institution, receives and holds for an insurance firm must be held in a client money account, properly segregated from the insurance broker's own funds.
Amended: July 2023
April 2012
CL-2.2.5
[This Paragraph was deleted in July 2023].
Deleted: July 2023
April 2012
CL-2.3 Brokerage and Premiums/Contributions Collection
CL-2.3.1
In instances when Subparagraph CL-2.2.1(b) applies, the insurance broker is solely responsible for collecting premiums/contributions from clients and passing these to insurance firms. Any refund premiums/contributions due from insurance firms, the insurance broker shall pass these to clients immediately upon receipt from insurance firms.
Amended: July 2023
April 2012
CL-2.3.2
For life/family takaful participating with profit policies, the insurance broker is prohibited from collecting premiums/contributions from clients. Premiums/contributions must be paid directly by the policyholders/participants to insurance/takaful companies.
Amended: July 2023
April 2012
CL-2.3.3
Other than noted in Paragraph CL-1.1.6, insurance brokers must pay to insurance firms premiums/contributions received no later than (15) calendar days from the date of the receipt of such amounts.
Amended: July 2023
April 2012
CL-2.3.4
Except as permitted under Paragraph CL-2.3.4A, insurance brokers are prohibited from deducting their brokerage commission from the premiums/contributions account(s). Insurance brokers must be paid separately their brokerage commission from the insurance firms after transferring the amounts due (premiums/contributions) to insurance firms no later than (10) calendar days from the receipt of the premiums/contributions by insurance firms.
Amended: July 2023
Amended: July 2015
April 2012
CL-2.3.4A
In instances where international insurance business is involved, where an insurance broker is dealing with an international insurance/reinsurance broker, the insurance broker may choose to deduct its commission from the premium/contribution account.
Added: July 2015
CL-2.3.5
For brokerage activities, insurance brokers are prohibited from collecting additional charges (other than the quoted premiums/contributions) from clients.
Amended: July 2023
April 2012
CL-2.3.6
Insurance brokers can offer other services to the policyholder on behalf of the insurance firm, such as the issuance of policy documentation. Such other services should be dictated in a separate agreement between the insurance broker and the insurance firm; however, such charges should not result in any additional fees to the policyholder.
April 2012
CL-2.4 Premiums/Contributions Payments
CL-2.4.1
The insurance broker must immediately notify in writing the insurance firm/Takaful firm if the insurance broker fails to collect the amount due from the concerned clients within the agreed premiums/contributions payment terms dictated by the insurance firm.
April 2012
CL-2.4.2
Brokerage charged by insurance brokers cannot exceed 15% of the premiums/contributions quoted by insurance/Takaful firms for motor and medical classes of business of direct general insurance business.
April 2012
RM Risk Management
RM-A Introduction
RM-A.1 Purpose
Executive Summary
RM-A.1.1
This Module provides detailed Rules and Guidance on risk management systems and controls requirements for insurance licensees. It expands on certain high-level requirements contained in various High-Level Standards Modules. In particular, Section AU-2.6 of Module AU (Authorisation) outlines the systems and controls required as part of the licensing conditions and Principle 10 of the Principles of Business (ref. PB-1.10) requires insurance licensees to have systems and controls sufficient to manage the level of risk inherent in their business.
Amended: January 2007
RM-A.1.2
This Module obliges insurance licensees to recognise the range of risks that they face and the need to manage these effectively. Their risk management systems should monitor and control all material risks. The adequacy of a licensee's risk management is subject to the scale and complexity of its operations, however. In demonstrating compliance with certain Rules, smaller licensees with very simple operational structures and business activities may require to implement less extensive or sophisticated risk management systems, compared to licensees with a complex and/or extensive customer base or operations.
Legal Basis
RM-A.1.3
This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) relating to risk management and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to insurance licensees (including their approved persons).
Amended: January 2011
Amended: October 2007
Added: January 2007
RM-A.1.4
For an explanation of the CBB’s rule-making powers and different regulatory instruments, see Section UG-1.1.
Added: January 2007
RM-A.2 Module History
RM-A.2.1
This Module was first issued in April 2005 by the BMA together with the rest of Volume 3 (Insurance). Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: UG-3 provides further details on Rulebook maintenance and version control.
Amended: January 2007
RM-A.2.2
When the CBB replaced the BMA in September 2006, the provisions of this Module remained in force. Volume 3 was updated in January 2007 to reflect the switch to the CBB; however, new calendar quarter dates were only issued where the update necessitated changes to actual requirements.
Added: January 2007
Amended: October 2007
RM-A.2.3
A list of recent changes made to this module is detailed in the table below:
| Module Ref. | Change Date | Description of Changes |
|---|---|---|
| RM-1.1 | 01/07/05 | Correction to cross-reference. |
| RM-6.1 | 01/07/05 | Clarified wording of factors to consider for operational risks. |
| RM-2.1 | 01/10/05 | Clarified that the 25% notification for reinsurance exposure is to be applied based on a premium basis. |
| RM-8.1 | 01/10/05 | Corrected cross reference in RM-8.1.6. |
| RM-1.1 | 01/01/06 | Clarified CBB's requirements for insurance firms to carry out their own assessment of their capital needs. |
| RM-2.1 | 01/01/06 | Corrected cross-reference. |
| RM-6.1 | 01/07/06 | Added requirements for physical security measures and third party insurance to be put in place by insurance firms. |
| RM-A.1.3 | 01/2007 | New Rule introduced, categorising this Module as a Directive. |
| RM-7.5.3 | 04/2008 | Clarified that CBB prior approval is required for intra-group outsourcing. |
| RM-7.2.1, 7.2.2 and 7.3.6 | 07/2008 | Clarified that CBB prior approval is required for outsourcing arrangements. |
| RM-7.5.7 | 04/2010 | Added a Paragraph dealing with restrictions on intra-group outsourcing. |
| RM-A.1.3 | 01/2011 | Clarified legal basis |
| RM-7.6 | 04/2013 | Section amended on outsourcing of internal audit. |
| RM-1.1 | 04/2014 | Enhanced the requirements for the risk management function. |
| RM-7.1.3 | 10/2017 | Amended Paragraph to allow the utilization of cloud services. |
| RM-7.1.5A | 10/2017 | Added a new Paragraph on outsourcing requirements. |
| RM-7.2.1 | 10/2017 | Amended Paragraph. |
| RM-7.2.3 | 10/2017 | Amended Paragraph. |
| RM-7.2.6 | 10/2017 | Amended Paragraph. |
| RM-7.2.8 | 10/2017 | Added a new Paragraph on outsourcing. |
| RM-7.3.1 | 10/2017 | Amended Paragraph. |
| RM-7.3.2 | 10/2017 | Amended Paragraph. |
| RM-7.3.3 | 10/2017 | Amended Paragraph. |
| RM-7.3.6 | 10/2017 | Amended Paragraph. |
| RM-7.4.6 | 10/2017 | Amended Paragraph. |
| RM-7.4.13 | 10/2017 | Amended Paragraph. |
| RM-7.4.14 | 10/2017 | Amended Paragraph. |
| RM-7.4.20 | 10/2017 | Amended Paragraph. |
| RM-7.4.21 | 10/2017 | Added a new Paragraph on security measures related to cloud services. |
| RM-7.5.3 | 10/2017 | Amended Paragraph. |
| RM-7.5.4 | 10/2017 | Amended Paragraph. |
| RM-9 | 10/2019 | Added a new Section on Cyber Security. |
| RM-9 | 01/2022 | New revised Chapter on Cyber Security Risk Management. |
| RM-9.1.58 | 04/2022 | Amended Paragraph on cyber security reporting. |
| RM-9.1.59 | 04/2022 | Amended Paragraph on the submission of the cyber security report. |
| RM-7 | 07/2022 | Replaced Chapter RM-7 with new Outsourcing Requirements. |
| RM-9.1.22 | 10/2022 | Amended Paragraph on email domains requirements. |
| RM-9.1.22A | 10/2022 | Added a new Paragraph on additional domains requirements. |

RM-A.2.3 [Deleted]
Deleted: January 2007
RM-A.2.4
Guidance on the implementation and transition to Volume 3 (Insurance) is given in Module ES (Executive Summary).
Amended: January 2007
RM-B RM-B Scope of Application
RM-B.1 RM-B.1 Scope
RM-B.1.1
Unless otherwise stated in a Rule, or exempted in writing by the CBB, the contents of this Module apply to Bahraini insurance firms and Bahraini insurance brokers on a consolidated basis, and to overseas insurance firms and overseas insurance brokers with respect to their operations either booked in or undertaken from Bahrain.
Amended: January 2007
RM-B.1.2
Because of the nature of their activities, insurance brokers are not subject to Sections RM-4.1 (Market Risk) and RM-5.1 (Insurance Technical Risk).
Amended: January 2007
RM-B.1.3
The CBB will only consider granting an exemption to a Rule in this Module, where the insurance firm concerned can demonstrate that it has equivalent systems and controls applied at the group or parent entity level, that achieve the same objective as the CBB requirement concerned. The purpose of such an exemption is to allow entity-wide or group-wide systems and requirements to be applied, where these achieve the same outcome: exemptions are therefore only likely to be given with respect to overseas insurance licensees, and possibly Bahraini licensees that are part of an overseas group. Because of their general nature, exemptions will not be considered with regards to the requirements contained in Chapter RM-1 (Risk Management Systems and Controls).
Amended: January 2007
RM-B.1.4
For the purposes of Paragraph RM-B.1.1, 'consolidated basis' means including the branches and subsidiaries of the Bahraini insurance firm or Bahraini insurance broker, whether these are located inside or outside the Kingdom of Bahrain.
Amended: January 2007
RM-B.1.5
Unless otherwise stated in a Rule, or exempted in writing by the CBB, the contents of this Module apply to operators of insurance exchanges authorised to carry out insurance business in Bahrain.
Amended: January 2007
RM-B.1.6
The contents of this Module do not apply to insurance consultants, insurance managers and to appointed representatives, because the nature of their activities only exposes policyholders to limited financial risk.
Amended: January 2007
RM-B.1.7
While the business of insurance managers is not subject to this Module, clients of insurance managers that are insurance firms, such as captive insurers, are subject to the requirements of this Module. The insurance manager, in fulfilling its obligations to its clients, therefore needs to manage the affairs of its clients in accordance with the requirements of the Rulebook, including this Module.
Amended: October 2007
RM-B.1.8
An insurance licensee's failure to establish, in the opinion of the CBB, adequate systems and controls will result in it being in breach of Condition 6 of the Licensing Conditions of Section AU-2.6 of Module AU (Authorisation). This failure may result in the CBB withdrawing or imposing restrictions on the license, or the licensee being required to inject more capital.
Amended: January 2007
RM-1 RM-1 General Requirements
RM-1.1 RM-1.1 Risk Management Systems and Controls
RM-1.1.1
A licensee must take reasonable care to establish and maintain effective systems and controls as are appropriate to its business to manage its risks. These policies must be documented and regularly reviewed.
RM-1.1.2
The licensee's identification, assessment, management and reporting of risks must consider (but is not limited to) the management of credit, liquidity, market, technical, operational (including outsourcing) and group risks, as outlined in Chapters RM-2 to RM-8.
Amended: January 2007
RM-1.1.3
As noted in Paragraph CA-A.1.2, insurance firms must regularly carry out their own assessment of their capital needs, appropriate to their risk profile, and maintain a process for monitoring and maintaining their actual capital in line with their assessment.
RM-1.1.4
For purposes of Paragraph RM-1.1.3, the CBB does not prescribe the detailed form of such assessment, in order to give insurance firms flexibility to develop their own approaches. Where a firm's assessment suggests that a level of capital that should be held is higher than the minimum required per Chapter CA-2, the CBB would expect firms to hold capital in line with their assessment.
Amended: January 2007
RM-1.1.5
The licensee must determine if any additional risk categories, other than those referred to in Paragraph RM-1.1.2 and RM-1.1.3, are relevant to its business and therefore need to be addressed.
Amended: January 2007
Risk Management
RM-1.1.6
In the case of incorporated insurance firms and insurance brokers, the Board of Directors must take responsibility for the establishment and oversight of effective risk management systems and controls.
RM-1.1.7
In the case of Bahraini insurance brokers that are unincorporated entities or single person companies, the General Manager must take responsibility for the establishment and oversight of effective risk management systems and controls.
Amended: October 2007
RM-1.1.8
Additional requirements relating to Boards and senior management in terms of risk management and controls are specified in Module HC (High-Level Controls). The Board may delegate various functions and tasks, but retains ultimate responsibility. However, the CBB will also take into account the responsibility of the Chief Executive Officer or General Manager of a licensee, within the framework of delegated authorities laid down by the Board.
Amended: January 2007
Amended: October 2007
RM-1.1.9
In assessing the systems and controls framework, the CBB would expect the Board to be able to demonstrate that it provides suitable prudential oversight and establish a risk management system that includes setting and monitoring policies so that all major risks are identified, measured, monitored and controlled on an on-going basis. The risk management systems should be approved and periodically reviewed by the Board as outlined in Paragraph HC-1.1.5.
Amended: January 2007
Risk Management Function
RM-1.1.10
The CBB requires that all insurance firms establish an independent risk management function, staffed by a head of risk management, duly approved by the CBB in accordance with Paragraph AU-1.2.1.
Added: April 2014
RM-1.1.10A
Depending on the scale and complexity of their operations, insurance brokers must consider establishing an independent risk management function.
Amended: April 2014
RM-1.1.10B
The risk management function must be independent of risk-taking units and must not have any conflict of interest with any other function. The risk management function must have direct access to the Board and must report to the Board and senior management.
Added: April 2014
RM-1.1.11
Where there is a risk management function, the licensee must document the process by which it manages risks, and how it directly reports to the Board of directors on these risks.
Amended: April 2014
RM-1.1.12
[This Paragraph was deleted in April 2014.]
Deleted: April 2014
RM-2 RM-2 Credit Risk
RM-2.1 RM-2.1 Credit Risk
RM-2.1.1
Section RM-2.1 applies only to insurance firms and insurance brokers.
RM-2.1.2
Insurance licensees must identify and manage their credit risk across all their operations, and document their policies and procedures for achieving this in a credit risk policy. This policy must be regularly reviewed.
Amended: January 2007
Amended: October 2007
RM-2.1.3
Amongst other things, a licensee's credit risk policy must identify the limits it applies to both individual counterparties and categories of counterparty, how it monitors movements in counterparty risk and how it mitigates loss in the event of counterparty failure.
Amended: October 2007
RM-2.1.4
Credit risk is the risk that a counterparty will not meet its obligations in accordance with agreed terms, causing a financial loss. In the case of an insurance firm, credit risk will normally occur with:
(a) Reinsurance counterparties;
(b) Assets (e.g. stock, loans);
(c) Derivatives; and
(d) Insurance debtors (premiums due from insured persons and intermediaries).
Amended: January 2007
Amended: October 2007
RM-2.1.5
The licensee should consider these and other credit risk factors that may affect the licensee's solvency:
(a) The credit-worthiness of its reinsurers;
(b) The financial effect of non-performance of the reinsurance; and
(c) The financial effect of non-payment of premiums, by debtors such as intermediaries and policyholders.
Amended: January 2007
RM-2.1.6
In addition to considering the failure of counterparties, the licensee should also consider scenarios such as increases in late payment and doubtful debt provisioning, and measures to mitigate credit risks, such as premium payment warranties (whereby policy coverage only becomes effective on payment of premiums).
Amended: October 2007
RM-2.1.7
An insurance firm must monitor its exposure, defined as sums insured, to an individual reinsurer and provide details of its reinsurance programme to the CBB. It must notify the CBB if its total aggregate exposure, on a premium basis, to one reinsurer (or group of related reinsurers) exceeds 25% of individual or aggregate risks and why it considers that this exposure does not pose a credit risk for which a provision should be made.
Amended: January 2007
RM-2.1.8
Paragraph RM-2.1.7 does not constitute a prohibition on exceeding this amount as the CBB recognises that there may be situations and types of reinsurance arrangements where reinsurance in excess of this limit might be necessary. The CBB should however be notified of these cases, and the licensee should include an explanation of the reason why it believes that the excess exposure is an acceptable credit risk.
Amended: January 2007
Amended: October 2007
RM-2.1.9
In addition to the requirements noted in Paragraph RM-2.1.7, insurance firms must evaluate the credit worthiness of individual reinsurers at the time of ceding business and on an on-going basis.
RM-2.1.10
The credit worthiness of reinsurers may be established by referring to ratings provided by international rating agencies, such as Standard & Poor's or AM Best.
RM-2.1.11
An insurance licensee must keep its exposure to individual assets or classes of assets within prudent levels, taking into account the relationship between counterparties, geographical and sectoral concentration, duration of exposures and the exposure to single loss events (e.g. regional economic downturns). Chapter CA-4 provides additional Rules in establishing limitations in the valuation of assets.
Amended: January 2007
RM-2.1.12
Specific counterparty limits are contained in Paragraph CA-4.2.33.
Amended: January 2007
Amended: October 2007
RM-2.1.13
An insurance licensee must take into account the risk of default in the valuation of its assets.
RM-3 RM-3 Liquidity Risk
RM-3.1 RM-3.1 Liquidity Risk
RM-3.1.1
Section RM-3.1 applies only to insurance firms and insurance brokers.
RM-3.1.2
Insurance licensees must identify and manage their liquidity risk across all their operations, and document their policies and procedures for achieving this in a liquidity risk policy. This policy must be regularly reviewed.
Amended: January 2007
RM-3.1.3
Liquidity risk is the risk of not being able to meet liabilities when they fall due, even though a firm may still be solvent. Liquidity risk can result from claims falling due earlier than anticipated, higher than expected policy surrender or changes in mortality rates.
RM-3.1.4
Liquidity risk in insurance licensees relates to the management of their cash flow and the risk to their meeting short-term liabilities due to liquidity problems. The risks of matching of assets and liabilities, currency risk etc. are considered as part of insurance risk and are the subject of specific limits in Section CA-6.1.
RM-3.1.5
Insurance licensees must also carry out stress testing to assess the resilience of their financial resources to any identified areas of material liquidity risk. This stress testing may take into account the general characteristics, and licensee's experience, of the classes of business that it writes, any discounting of its claims provisions, and any mitigating factors that it considers relevant such as the ability to sell assets quickly and the options available to re-schedule the payments to policyholders and other counterparties.
RM-3.1.6
Where the insurance licensee considers that the nature of its assets or liabilities and the matching of its liabilities result in no significant liquidity risk exposure, it will not be expected to carry out stress testing. The CBB will expect it to document the reasons for its decision and be prepared to discuss these during an on-site visit.
Amended: January 2007
RM-3.1.7
When assessing liquidity risk, the insurance licensee should consider the extent of mismatch between assets and liabilities and the amount of assets held in highly liquid, marketable forms should unexpected cash flows lead to a liquidity problem. The price concession of liquidating assets is a prime concern when assessing such liquidity risk and should be built into any assessment of capital adequacy.
Amended: January 2007
RM-3.1.8
Captive insurance firms are exempted from the specific requirement to undertake stress and scenario testing aimed at testing the resilience of their financial resources to specific areas of significant risk.
Amended: January 2007
RM-4 RM-4 Market Risk
RM-4.1 RM-4.1 Market Risk
RM-4.1.1
Section RM-4.1 applies only to insurance firms.
RM-4.1.2
Insurance licensees must identify and manage their market risk across all their operations, and document their policies and procedures for achieving this in a market risk policy. This policy must be regularly reviewed.
Amended: October 2007
RM-4.1.3
Market risk relates to the exposure of the insurance licensee, to fluctuations in the market value, currency or yield of an asset.
RM-4.1.4
A licensee's market risk policy must identify its appetite for market risk, systems for identifying, reporting and documenting market risk and mitigation factors in place.
RM-4.1.5
Insurance firms (other than captives) must carry out stress testing to assess the resilience of their financial resources to any identified areas of material market risk under reasonably foreseeable circumstances. This stress testing may take into account the rating and geographical spread of its assets, the duration of their maturity relative to the licensee's liabilities and the fluctuation of interest and currency rates.
RM-4.1.6
The insurance licensee should consider potential market risk events that may affect its solvency. These include the following:
(a) Reduced values of equities due to stock market falls, etc;
(b) Variation in interest rates and the effect on the market value of investments;
(c) A lower level of investment income than planned;
(d) Inadequate valuation of assets;
(e) The direct impact on the portfolio of currency devaluation, as well as the effect on related markets and currencies; and
(f) The extent of any mismatch of assets and liabilities.
Amended: January 2007
RM-4.1.7
Chapter CA-4 contains Rules and Guidance relating to the valuation of assets and counterparty limits. Chapter CA-6 contains Rules and Guidance relating to currency matching and localisation.
Amended: January 2007
RM-4.1.8
Where the insurance licensee considers that the nature of its assets and the matching of its liabilities result in no significant market risk exposure (e.g. its investments consist entirely of cash and bank deposits), it will not be expected to carry out stress testing. The CBB will expect it to document the reasons for its decision and be prepared to discuss these during an on-site visit.
Amended: January 2007
RM-5 RM-5 Insurance Technical Risk
RM-5.1 RM-5.1 Insurance Technical Risk
RM-5.1.1
Section RM-5.1 applies only to insurance firms.
RM-5.1.2
An insurance firm licensee must identify and manage its insurance technical risk across all its operations, and document its underwriting and claims policies for achieving this in an underwriting policy.
Amended: January 2007
RM-5.1.3
Insurance technical risk is the normal trading risk, arising out of contracts of insurance, that the insurance licensee is exposed to in its day-to-day operations, and includes the technical and actuarial bases of calculation for premiums and technical provisions in both long-term and general insurance.
Amended: January 2007
Amended: October 2007
RM-5.1.4
An insurance firm must document its underwriting and claims policies and review these at regular intervals.
RM-5.1.5
The underwriting policy must be at a level of detail appropriate to the nature, magnitude and source of its business and must include (but is not limited to) a description of the following elements:
(a) Classes and sources of business to be written (including limits on concentrations of class, location and counterparty);
(b) Rating and pricing strategy and methodology;
(c) The management of, and reserving for, claims;
(d) Responsibilities and authority levels; and
(e) Reinsurance protections, including any mismatch between the duration of the contracts and the underlying reinsurance protection.
Amended: January 2007
RM-5.1.6
The claims policy must be at a level of detail appropriate to the nature, magnitude and source of its business and must include (but is not limited to) a description of the following elements:
(a) Reporting (e.g. evidence required, appointment of loss adjusters);
(b) Scrutiny;
(c) Authority levels;
(d) Valuation;
(e) Monitoring claims settlement, payments, reinsurance recoveries and subrogation; and
(f) Provisioning of claims, including the bases and assumptions followed, authority levels, record-keeping and review.
Amended: January 2007
RM-5.1.7
Where necessary to demonstrate the adequacy of its financial resources under reasonably foreseeable deteriorations of its underwriting and claims positions, the insurance firm must conduct stress testing under a range of foreseeable adverse scenarios.
RM-5.1.8
In assessing the outcome of adverse scenarios on the future solvency position, insurance firms must consider the impact of future further deterioration claims reserves (or, in the case of long-term business, the inadequacy of mathematical reserves) and future loss ratios being higher than past claims patterns would suggest.
Amended: January 2007
RM-5.1.9
Factors that licensees may consider appropriate in assessing the levels of underwriting risk include:
(a) The adequacy of the licensee's pricing structure;
(b) The volatility of sales volumes (e.g. the risk of poor underwriting from over-rapid expansion);
(c) The uncertainty of claims experience (and the length of the claims 'tail');
(d) The share of premium paid to intermediaries;
(e) The adequacy of the coverage of the reinsurance programme;
(f) The impact of the licensee's inability to secure renewal of part of its reinsurance at acceptable terms or at all;
(g) The risk of unintended risks claims being covered (or not excluded) by policy wordings; and
(h) The risk of mis-selling, for example, the number of complaints or disputed claims.
Amended: January 2007
Amended: October 2007
RM-5.1.10
Factors that insurance licensees may consider appropriate in assessing the levels of claims risk include:
(a) The frequency and size of large claims;
(b) Possible outcomes relating to any disputed claims, particularly where the outcome is subject to legal proceedings;
(c) The ability of the licensee to withstand catastrophic events, increases in unexpected exposures, latent claims or aggregation of claims;
(d) The possible exhaustion of reinsurance arrangements, both on a per-risk and per-event basis;
(e) The non-payment of outstanding claims due to the lack of coverage offered by the reinsurance purchased for underwritten risks (i.e. offsetting potential liabilities);
(f) Social changes regarding an increase in the propensity to claim and to sue;
(g) The impact of unanticipated legal judgements on claims and claims reserves;
(h) Other social, economic and technological changes; and
(i) The risk associated with dealing with a reinsurer, fronting 100% of the risks ceded.
Amended: January 2007
Amended: October 2007
RM-5.1.11
The CBB believes that insurance firms need to consider carefully dealing with reinsurers fronting 100% of the risks that are ceded to them. The concern is that the reinsurer ceding 100% of the risk to a retrocessionaire has little incentive to adhere to proper standards of underwriting, due to it receiving a fee, based on maximizing volume of premium, at the expense of underwriting soundness. Fronting arrangements can result in abrupt cancellation by the assuming reinsurer and sometimes refusal to pay claims because of the lack of observation of the understandings with regard to business quality that were agreed upon when the arrangement was negotiated. Consequently, insurers may have to assume risks that they believed they had covered through a proper reinsurance arrangement, should the reinsurer no longer honour the arrangement. The CBB will scrutinise carefully the management by firms of the risks associated with fronting, in the course of its supervision.
Amended: January 2007
RM-5.1.12
Additional factors that general insurers may consider appropriate in assessing the levels of claims risk include:
(a) The adequacy and uncertainty of the technical claims provisions, such as outstanding claims, IBNR and claims handling expense reserves;
(b) The adequacy of other underwriting provisions, such as the provisions for unearned premium and unexpired risk reserves;
(c) The appropriateness of catastrophe models and underlying assumptions used, such as possible maximum loss (PML) factors used; and
(d) The effects of inflation.
Amended: January 2007
RM-5.1.13
Additional factors that long-term insurers may consider appropriate in assessing the levels of claims risk include future variations in investment returns and in mortality and morbidity rates.
RM-6 RM-6 Operational Risk
RM-6.1 RM-6.1 Operational Risk
RM-6.1.1
Section RM-6.1 applies only to insurance firms and insurance brokers.
RM-6.1.2
An insurance licensee must identify and manage its operational risk across all its operations, and document its policies and procedures for achieving this in an operational risk policy.
RM-6.1.3
Operational risk is the risk to the insurance licensee of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
RM-6.1.4
Insurance licensees must consider the impact of operational risks on their financial resources and solvency. In so doing, insurance licensees must consider the factors listed under Paragraph RM-6.1.5, and any other factors relevant to their business.
Amended: January 2007
RM-6.1.5
In assessing potential operational risk, events that may affect the licensee's solvency include the following:
(a) Risks to the licensee's resources and reputation from employees and agents (due to fraud, negligence etc);
(b) Adequacy of management information;
(c) Failure of information technology through breakdown, incompatibility of legacy systems and poor scalability, poor security, etc.;
(d) Failure of processes and procedures;
(e) Internal and external fraud;
(f) Outsourcing risk (for more detail, see RM-7);
(g) Resourcing levels;
(h) Business continuity and disaster recovery; and
(i) Reputational risks and the risk to the licensee's business from an undermining of consumer confidence in particular market segments, e.g. savings products.
Amended: January 2007
RM-6.1.6
Human failure may arise either from the loss of one or more key individuals, lack of competence or failure of an individual to follow procedures or observe authority levels.
RM-6.1.7
The insurance licensee must identify those processes, systems and premises that are critical to its survival and continuing operations and must develop contingency plans ('business continuity planning') covering these areas. These plans must be regularly updated and tested.
Amended: January 2007
RM-6.1.8
An insurance licensee should have the means to ensure that its statutory and regulatory responsibilities are effectively carried out, especially where the group is subject to matrix management. More specifically, clear reporting lines and responsibilities need to be defined to minimize the risk that statutory and regulatory responsibilities are overlooked.
RM-6.1.9
Insurance licensees must ensure that there is adequate succession planning and that the risks arising from the loss of key individuals are thereby contained.
RM-6.1.10
The licensee's Board is responsible for ensuring the suitability and competence of employees for the assigned tasks, and for the adequacy of staffing levels. Depending on their size and scale of their activities, insurance licensees should consider having in place a formal appraisal process and a training plan for professional members of staff. For employees that are members of professional bodies it may also be appropriate for this to be integrated with requirements of those bodies for Continuing Professional Education (CPE).
RM-6.1.11
Insurance licensees must identify, manage and control the risks that arise from human failure, including employees and agents. These include inappropriate remuneration policies, health and safety and employment policies.
RM-6.1.12
The licensee's business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the firm and its business portfolio.
Physical Security Measures
RM-6.1.13
Insurance licensees that deal directly with the public and maintain cash on their premises must put in place security measures to minimise the risk of theft or fraud.
RM-6.1.14
Insurance licensees subject to Paragraph RM-6.1.13 must ensure that the maximum cash maintained at their premises at the end of each day is limited to BD10,000.
RM-6.1.15
Insurance licensees subject to Paragraph RM-6.1.13 are required to install an alarm system for those premises that maintain cash.
RM-6.1.16
Where appropriate, insurance licensees may consider the need to maintain a trained security guard at their premises.
Third Party Insurance
RM-6.1.17
Insurance licensees are required to have in place insurance coverage from an unrelated third party to cover potential losses arising from liability, theft, fire and other potential operational risk.
RM-7 RM-7 Outsourcing Requirements
RM-7.1 RM-7.1 Outsourcing Arrangements
RM-7.1.1
This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.
Amended: July 2022
RM-7.1.2
In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.
Amended: July 2022
RM-7.1.3
In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:
i. The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; and
ii. The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.
Amended: July 2022
Amended: October 2017
RM-7.1.4
The licensee must not outsource the following functions:
(i) Compliance;
(ii) AML/CFT;
(iii) Financial control;
(iv) Risk management; and
(v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).
Amended: July 2022
Amended: January 2007
RM-7.1.5
For the purposes of Paragraph RM-7.1.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph RM-7.1.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.
Amended: July 2022
Amended: January 2007
RM-7.1.6
Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph RM-7.1.4 (iv), subject to CBB’s prior approval.
Amended: July 2022
Added: October 2017
RM-7.1.7
Licensees must comply with the following requirements:
(i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:
    a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and
    b. be made at least 30 calendar days before the licensee intends to commit to the arrangement.
(ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.
(iii) Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.
(iv) Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities.
    The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of the licensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.
(v) Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement.
(vi) Licensees must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.
(vii) Licensees must inform their normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from the identification date.
Amended: July 2022
Amended: January 2007
RM-7.1.8
For the purpose of Subparagraph RM-7.1.7 (iv), licensees as part of their assessments may use the following:
a) Independent third-party certifications on the outsourcing service provider’s security and other controls;
b) Third-party or internal audit reports of the outsourcing service provider; and
c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.
When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.
Amended: July 2022
RM-7.1.9
For the purpose of Subparagraph RM-7.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.
Added: July 2022
RM-7.2 [This Section was deleted in July 2022]
RM-7.3 [This Section was deleted in July 2022]
RM-7.4 [This Section was deleted in July 2022]
RM-7.5 [This Section was deleted in July 2022]
RM-7.6 [This Section was deleted in July 2022]
RM-8 Group Risk
RM-8.1 Group Risk
RM-8.1.1
Section RM-8.1 applies only to Bahraini insurance firms and Bahraini insurance brokers.
Amended: October 2007
RM-8.1.2
An insurance licensee must identify, manage and control risks to its activities arising from the activities and financial position of other members of its group.
RM-8.1.3
The CBB may impose additional restrictions on the insurance licensee should it have reason to believe that other members of the group pose undue risk to the insurance licensee. These restrictions, for instance, may try to limit the risk of financial contagion, by restricting financial transactions between the licensee and group members.
Amended: January 2007
Amended: October 2007
RM-8.1.4
For purposes of Section RM-8.1, the term group refers to a person or firm who is:
(a) The parent of the licensee;
(b) A subsidiary of the licensee (including subsidiaries of subsidiaries); or
(c) A subsidiary of the licensee's parent.
Amended: January 2007
RM-8.1.5
The Board is expected to request sufficient information of its group members to allow it to address group risks.
RM-8.1.6
Where the licensee's group or parent reports its own solvency position to its regulatory authority (on a group or 'solo' basis), a copy of this calculation must be provided to the CBB within 30 calendar days from the due date to the other regulatory authority, in accordance with Paragraph CA-7.1.8.
Amended: January 2007
Amended: October 2007
RM-8.1.7
Where a licensee is part of a larger financial services group, it may rely on the systems and controls that the group (or its parent company) has put in place. The Board in these circumstances should establish what systems and controls are in place and should ensure that it is provided with sufficient and timely information on the solvency position of the group. This should be evidenced in the prudential records retained in Bahrain.
Amended: January 2007
Amended: October 2007
RM-8.1.8
In assessing group systems and controls, an insurance licensee must give consideration to:
(a) The likely impact of activities of the group on the compliance of the licensee with CBB requirements;
(b) The effectiveness of linkages between group central functions and the licensee;
(c) Potential conflicts of interest and methods of minimising them; and
(d) The risk of adverse events of other group entities on the licensee, in particular due to financial weakness, crime or fraudulent behaviour.
Amended: January 2007
Amended: October 2007
RM-8.1.9
An insurance licensee should not be subject to material influence by other entities of the group through informal or undocumented channels. The overall governance, high-level controls and reporting lines with the group should be clearly documented.
Amended: October 2007
RM-9 Cyber Security Risk Management
RM-9.1 Cyber Security Risk Management
Role of the Board and Senior Management
RM-9.1.1
The Board of insurance licensees must ensure that the licensee has a robust cyber security risk management framework to comprehensively manage the licensee’s cyber security risk and vulnerabilities. The Board must establish clear ownership, decision-making and management accountability for risks associated with cyber-attacks and related risk management and recovery processes.
Amended: January 2022
Added: October 2019
RM-9.1.2
Licensees must ensure that the cyber security risk management framework encompasses, at a minimum, the following components:
a) Cyber security strategy;
b) Cyber security policy; and
c) Cyber security risk management approach, tools and methodology and, an organization-wide security awareness program.
Amended: January 2022
Added: October 2019
RM-9.1.3
The cyber security risk management framework must be developed in accordance with the National Institute of Standards and Technology (NIST) Cyber security framework which is summarized in Appendix A – Cyber security Control Guidelines. At the broader level, the Cyber security framework should be consistent with the licensee’s risk management framework.
Amended: January 2022
Added: October 2019
RM-9.1.4
Senior management, and where appropriate, the boards, should receive comprehensive reports, covering cyber security issues such as the following:
a. Key Risk Indicators/Key Performance Indicators;
b. Status reports on overall cyber security control maturity levels;
c. Status of staff Information Security awareness;
d. Updates on latest internal or relevant external cyber security incidents; and
e. Results from penetration testing exercises.
Amended: January 2022
Added: October 2019
RM-9.1.5
The Board must ensure that the cyber security risk management framework is evaluated for scope of coverage, adequacy and effectiveness every three years or when there are significant changes to the risk environment, taking into account emerging cyber threats and cyber security controls.
Amended: January 2022
Added: October 2019
RM-9.1.6
Insurance firms must establish a cyber security risk function, independent of the information technology (IT) department, which must report to an independent risk management function or an equivalent function within the licensee. The cyber security risk management function must monitor and report on the status and maturity of relevant cyber security controls. Other insurance licensees may assign the responsibilities to a qualified Chief Information Security Officer (CISO) reporting to an independent risk management function or incorporate the responsibilities of cyber security risk into the risk management function.
Overseas insurance licensees must be governed under a framework of cyber security risk management policies which ensure that an adequate level of oversight is exercised by the regional office or head office.
Amended: January 2022
Added: October 2019
RM-9.1.7
Licensees should ensure that appropriate resources are allocated to the cyber security risk management function for implementing the cyber security framework.
Amended: January 2022
Added: October 2019
RM-9.1.8
Licensees must ensure that the cyber security risk management function is headed by a suitably qualified Chief Information Security Officer (CISO), with appropriate authority to implement the Cyber Security strategy.
Amended: January 2022
Added: October 2019
RM-9.1.9
Licensees may establish a cyber security committee that is headed by an independent senior manager from a control function (like CFO / CRO), with appropriate authority to approve policies and frameworks needed to implement the cyber security strategy, and act as a governance committee for the cyber security function. Membership of this committee should include senior management members from business functions, IT, Risk and Compliance.
Amended: January 2022
Added: October 2019
RM-9.1.10
The senior management must be responsible for the following activities:
(a) Create the overall cyber security risk management framework and adequately oversee its implementation;
(b) Formulate an organisation-wide cyber security strategy and cyber security policy;
(c) Implement and consistently maintain an integrated, organisation-wide, cyber security risk management framework, and ensure sufficient resource allocation;
(d) Monitor the effectiveness of the implementation of cyber security risk management practices and coordinate cyber security activities with internal and external risk management entities;
(e) Ensure that internal management reporting caters to cyber threats and cyber security risk treatment;
(f) Prepare quarterly or more frequent reports on all cyber incidents (internal and external) and their implications on the licensee; and
(g) Ensure that processes for identifying the cyber security risk levels across the licensee are in place and annually evaluated.
Amended: January 2022
Added: October 2019
RM-9.1.11
The senior management must ensure that:
(a) The licensee has identified clear internal ownership and classification for all information assets and data;
(b) The licensee has maintained an inventory of the information assets and data which is reviewed and updated regularly;
(c) The cyber security staff are adequate to manage the licensee’s cyber security risks and facilitate the performance and continuous improvement of all relevant cyber security controls;
(d) It provides and requires cyber security staff to attend regular cyber security update and training sessions (for example Security+, CEH, CISSP, CISA, CISM, CCSP) to stay abreast of changing cyber security threats and countermeasures.
Amended: January 2022
Added: October 2019
RM-9.1.12
With respect to Subparagraph RM-9.1.11(a), data classification entails analyzing the data the licensee retains, determining its importance and value, and then assigning it to a category. When classifying data, the following aspects of the policy should be determined:
a) Who has access to the data;
b) How the data is secured;
c) How long the data is retained (this includes backups);
d) What method should be used to dispose of the data;
e) Whether the data needs to be encrypted; and
f) What use of the data is appropriate.
The general guideline for data classification is that the definition of the classification should be clear enough so that it is easy to determine how to classify the data. In other words, there should be little (if any) overlap in the classification definitions. The owner of data (i.e. the relevant business function) should be involved in such classification.
Amended: January 2022
Added: October 2019
Cyber Security Strategy
RM-9.1.13
An organisation-wide cyber security strategy must be defined and documented to include:
(a) The position and importance of cyber security at the licensee;
(b) The primary cyber security threats and challenges facing the licensee;
(c) The licensee’s approach to cyber security risk management;
(d) The key elements of the cyber security strategy including objectives, principles of operation and implementation approach;
(e) Scope of risk identification and assessment, which must include the dependencies on third party service providers;
(f) Approach to planning response and recovery activities; and
(g) Approach to communication with internal and external stakeholders including sharing of information on identified threats and other intelligence among industry participants.
Amended: January 2022
Added: October 2019
RM-9.1.14
The cyber security strategy should be communicated to the relevant stakeholders and it should be revised as necessary and, at least, once every three years. Appendix A provides cyber security control guidelines that can be used as reference to support the licensee’s cyber security strategy and cyber security policy.
Amended: January 2022
Added: October 2019
Cyber Security Policy
RM-9.1.15
Licensees must implement a written cyber security policy setting forth its policies for the protection of its electronic systems and client data stored on those systems, which must be reviewed and approved by the licensee's senior management, as appropriate, at least annually. The cyber security policy areas including but not limited to the following must be addressed:
(a) Definition of the key cyber security activities within the licensee, the roles, responsibilities, delegated powers and accountability for these activities;
(b) A statement of the licensee’s overall cyber risk tolerance as aligned with the licensee’s business strategy. The cyber risk tolerance statement should be developed through consideration of the various impacts of cyber threats including customer impact, service downtime, potential negative media publicity, potential regulatory penalties, financial loss, and others;
(c) Definition of main cyber security processes and measures and the approach to control and assessment;
(d) Policies and procedures (including process flow diagrams) for all relevant cyber security functions and controls including the following:
    (a) Asset management (Hardware and software);
    (b) Incident management (Detection and response);
    (c) Vulnerability management;
    (d) Configuration management;
    (e) Access management;
    (f) Third party management;
    (g) Secure application development;
    (h) Secure change management;
    (i) Cyber training and awareness;
    (j) Cyber resilience (business continuity and disaster planning); and
    (k) Secure network architecture.
Amended: January 2022
Added: October 2019
Approach, Tools and Methodology
RM-9.1.16
Licensees must ensure that the cyber security policy is effectively implemented through a consistent risk-based approach using tools and methodologies that are commensurate with the size and risk profile of the licensee. The approach, tools and methodologies must cover all cyber security functions and controls defined in the cyber security policy.
Amended: January 2022
Added: October 2019
RM-9.1.17
Licensees should establish and maintain plans, policies, procedures, process and tools (“playbooks”) that provide well-defined, organised approaches for cyber incident response and recovery activities, including criteria for activating the measures set out in the plans and playbooks to expedite the licensee’s response time. Plans and playbooks should be developed in consultation with business lines to ensure business recovery objectives are met and are approved by senior management before broadly shared across the licensee. They should be reviewed and updated regularly to incorporate improvements and/or changes in the licensee. Licensees may enlist external subject matter experts to review complex and technical content in the playbook, where appropriate. A number of plans and playbooks should be developed for specific purposes (e.g. response, recovery, contingency, communication) that align with the overall cyber security strategy.
Added: January 2022
Prevention Controls
RM-9.1.18
A licensee must develop and implement preventive measures across all relevant technologies to minimise the licensee’s exposure to cyber security risk. Such preventive measures must include, at a minimum, the following:
(a) Deployment of End Point Protection (EPP) and Endpoint Detection and Response (EDR) including anti-virus software and anti-malware programs to detect, prevent, and isolate malicious code;
(b) Use of firewalls for network segmentation including use of Web Application Firewalls (WAF), where relevant, for filtering and monitoring HTTP traffic between a web application and the Internet, and access control lists to limit unauthorized system access between network segments;
(c) Rigorous security testing at software development stage as well as after deployment to limit the number of vulnerabilities;
(d) Use of a secure email gateway to limit email based cyber attacks such as malware attachments, malicious links, and phishing scams (for example use of Microsoft Office 365 Advanced Threat Protection tools for emails);
(e) Use of a Secure Web Gateway to limit browser based cyber-attacks, malicious websites and enforce organization policies;
(f) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on the organization’s systems; and
(g) Implementing Bring Your Own Device “BYOD” security policies to secure all mobile devices with any access to licensee systems, applications, and networks through security measures such as encryption, remote wipe capabilities, and password enforcement.
Added: January 2022
RM-9.1.19
Licensees should also implement the following prevention controls in the following areas:
(a) Data leakage prevention to detect and prevent confidential data from leaving the licensee’s technology environment;
(b) Controls or solutions to secure, control, manage and monitor privileged access to critical assets (e.g. Privileged Access Management (PAM));
(c) Controls to secure physical network ports against connection to computers which are unauthorised to connect to the licensee’s network or which do not meet the minimum-security requirements defined for licensee computer systems (e.g. Network access control); and
(d) Identity and access management controls to limit the exploitation and monitor the use of privileged and non-privileged accounts.
Added: January 2022
RM-9.1.20
Licensees must set up anti-spam and anti-spoofing measures to authenticate the licensee’s mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorized to send the email. Examples of such measures include:
• SPF “Sender Policy Framework”;
• DKIM “Domain Keys Identified Mail”; and
• DMARC “Domain-based Message Authentication, Reporting and Conformance”.
Added: January 2022
RM-9.1.21
Licensees should subscribe to one of the Cyber Threat Intelligence services in order to stay abreast of emerging cyber threats, cybercrime actors and state of the art tools and security measures.
Added: January 2022
RM-9.1.22
Licensees must use a single unified private email domain or its subdomains for communication with customers to prevent abuse by third parties. Licensees must not utilise third-party email provider domains for communication with customers. The email domains must comply with the requirements with respect to SPF, DKIM and DMARC in this Module. With respect to URLs or other clickable links in communications with customers, licensees must comply with the following requirements:
(a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of customer request or action. Examples of such customer actions include verification links for customer onboarding, payment links for customer-initiated transactions etc;
(b) Refrain from using shortened links in communication with customers;
(c) Implement one or more of the following measures for links sent to customers:
    i. ensure customers receive clear instructions in communications sent with the links;
    ii. prior notification to the customer such as through a phone call informing the customer to expect a link from the licensee;
    iii. provision of transaction details such as the transaction amount and merchant name in the message sent to the customer with the link;
    iv. use of other verification measures like password or biometric authentication; and
(d) Create customer awareness campaigns to educate their customers on the risk of fraud related to links they receive in SMS, short messages and emails with clear instructions to customers that licensees will not send clickable links in SMS, emails and other short messages to request information or payments unless it is as a result of customer request or action.
Amended: October 2022
Added: January 2022
RM-9.1.22A
For the purpose of Paragraph RM-9.1.22, subject to CBB’s approval, licensees may be allowed to use additional domains for email communications with customers under certain circumstances. Examples of such circumstances include emails sent to customers by:
(a) Head/regional office of a licensee; and
(b) Third-party service providers subject to prior arrangements being made with customers. Examples of such third-party services include informational subscription services (e.g. Bloomberg) and document management services (e.g. DocuSign).
Added: October 2022
Cyber Risk Identification and Assessments
RM-9.1.23
Licensees must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing current cyber threats relevant to the licensee, it should take into account the factors detailed below:
(a) Cyber threat entities including cyber criminals, cyber activists, insider threats;
(b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;
(c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;
(d) Dark web surveillance to identify any plot for cyber attacks;
(e) Examples of cyber threats from past cyber attacks on the licensee if available; and
(f) Examples of cyber threats from recent cyber attacks on other organisations.
Added: January 2022
RM-9.1.24
Licensees must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. Cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood and probability of a successful attack.
Added: January 2022
RM-9.1.25
Licensees should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above the licensee’s risk tolerance levels.
Added: January 2022
RM-9.1.26
Licensees must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Assessments for external public facing services and systems must be more frequent.
Added: January 2022
RM-9.1.27
With respect to Paragraph RM-9.1.25, external technology refers to the licensee’s public facing technology such as websites, apps and external servers. Connections with third parties includes any API or other connections with fintech companies, technology providers, outsourcing service providers etc.
Added: January 2022
RM-9.1.28
Licensees must have in place vulnerability and patch management processes which include remediation processes to ensure that the vulnerabilities identified are addressed and that security patches are applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.
Added: January 2022
RM-9.1.29
All licensees must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least once a year. These tests must be used to simulate real world cyber-attacks on the technology environment and must:
(a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
(b) Include both Grey Box and Black Box testing in its scope;
(c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
(d) Be performed by internal and external independent third parties who are rotated out at least every two years; and
(e) Be performed on either the production environment or on non-production exact replicas of the production environment.
Added: January 2022
RM-9.1.30
CBB may require additional third-party security reviews to be performed as needed.
Added: January 2022
RM-9.1.31
The tests referred to in Paragraph RM-9.1.29 must be conducted each year in June and the report on such testing must be submitted to the CBB before 30th September. The penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests together with the steps taken to mitigate the risks identified.
Added: January 2022
Cyber Incident Detection and Management
RM-9.1.32
Licensees must implement cyber security incident management processes to ensure timely detection, response and recovery for cyber security incidents. This includes implementing a monitoring system for log correlation and anomaly detection.
Added: January 2022
RM-9.1.33
Licensees should receive data on a real time basis from all relevant systems, applications, and network devices including operational and business systems. The monitoring system should be capable of identifying indicators of cyber incidents and initiate alerts, reports, and response activities based on the defined cyber security incident management process.
Added: January 2022
RM-9.1.34
Licensees should retain the logs and other information from the monitoring system for detecting cyber incidents, including "low-and-slow" attacks, in order to facilitate incident investigations, for 12 months or longer.
Added: January 2022
RM-9.1.35
Once a cyber incident is detected, licensees should activate their containment measures, processes and technologies best suited to each type of cyber incident to prevent a cyber incident from inflicting further damage. This may involve, after considering the costs, business impact and operational risks, shutting down or isolating all or affected parts of their systems and networks as deemed necessary for containment and diagnosis.
Added: January 2022
RM-9.1.36
Licensees must define roles and responsibilities and assign adequate resources to detect, identify, investigate and respond to cyber incidents that could impact the licensee’s infrastructure, services and customers. Such responsibilities must include log correlation, anomaly detection and maintaining the licensee’s asset inventory and network diagrams.
Added: January 2022
RM-9.1.37
Licensees must regularly identify, test, review and update current cyber security risk scenarios and the corresponding response plan. This is to ensure that the scenarios and response plan remain relevant and effective, taking into account changes in the operating environment, systems or the emergence of new cyber security threats. If any gaps are identified, the monitoring system must be updated with new use cases and rule sets which are capable of detecting the current cyber incident scenarios.
Added: January 2022
RM-9.1.38
The cyber incident scenario tests should include high-impact-low-probability events and scenarios that may result in failure. Common cyber incident scenarios include distributed denial of service (DDoS) attacks, system intrusion, data exfiltration and system disruption. Licensees should regularly use threat intelligence to update the scenarios so that they remain current and relevant. Licensees should periodically review current cyber incident scenarios for the purpose of assessing the licensee’s ability to detect and respond to these scenarios if they were to occur.
Added: January 2022
RM-9.1.39
Licensees must ensure that critical cyber security incidents detected are escalated to an incident response team, management and the Board, in accordance with the licensee’s business continuity plan and crisis management plan, and that an appropriate response is implemented promptly. See also Paragraph RM-9.1.58 for the requirement to report to CBB.
Added: January 2022
RM-9.1.40
Licensees should clearly define the roles, responsibilities and accountabilities for cyber incident detection and response activities to one or more named individuals that meet the pre-requisite role requirements. Potential conflicts of interest are minimised by ensuring a separation of implementation and oversight roles where possible. The roles should include:
• Incident Owner: An individual that is responsible for handling the overall cyber incident detection and response activities according to the incident type and services affected. The Incident Owner is delegated appropriate authority to manage the mitigation or preferably, removal of all impacts due to the incident.
• Spokesperson: An individual, from External Communications Unit or another suitable department, that is responsible for managing the communications strategy by consolidating relevant information and views from subject matter experts and the licensee’s management to update the internal and external stakeholders with consistent information.
• Record Keeper: An individual that is responsible for maintaining an accurate record of the cyber incident throughout its different phases, as well as documenting actions and decisions taken during and after a cyber incident. The record serves as an accurate source of reference for after-action reviews to improve future cyber incident detection and response activities.
Added: January 2022
RM-9.1.41
For the purpose of managing a critical cyber incident, the licensee should operate a situation room, and should include in the incident management procedure a definition of the authorities and responsibilities of staff members, internal and external reporting lines, communication channels, tools and detailed working procedures. The situation room or a war room is a physical room or a virtual room where relevant members of the management gather to handle a crisis in the most efficient manner possible.
Added: January 2022
RM-9.1.42
Licensees should record and document in an orderly manner the incidents that have been handled and the actions that were taken by the relevant functions. In particular, the licensee should maintain an "incident log" in which all the notifications, decisions and actions taken, in relation to cyber incidents, are documented, as close as possible to the time of their occurrence. It should also include the status of the issue (whether it is open or has been resolved) and the person in charge of resolving the issue/incident. The logs should be stored and preserved in a secure and legally admissible manner.
Added: January 2022
RM-9.1.43
Licensees should utilise a pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions; and a pre-established severity assessment framework to help gauge the severity of the cyber incident. For example, taxonomies that can be used when describing cyber incidents:
(a) Describe the cause of the cyber incident (e.g. process failure, system failure, human error, external event, malicious action)
(b) Describe whether the cyber incident is due to a third-party service provider
(c) Describe the attack vector (e.g. malware, virus, worm, malicious hyperlink)
(d) Describe the delivery channel used (e.g. e-mail, web browser, removable storage media)
(e) Describe the impact (e.g. service degradation/disruption, service downtime, potential impact to customers, data leakage, unavailability of data, data destruction/corruption, tarnishing of reputation)
(f) Describe the type of incident (e.g. zero-day attack, exploiting a known vulnerability, isolated incident)
(g) Describe the intent (e.g. malicious, theft, monetary gain, fraud, political, espionage, opportunistic)
(h) Describe the threat actor (e.g. script kiddies, amateur, criminal syndicate, hacktivist, nation state)
The cyber incident severity may be classified as:
(a) Severity 1 incident has or will cause a serious disruption or degradation of critical service(s) and there is potentially high impact on public confidence in the licensee.
(b) Severity 2 incident has or will cause some degradation of critical services and there is medium impact on public confidence in the licensee.
(c) Severity 3 incident has little or no impact to critical services and there is no visible impact on public confidence in the licensee.
Added: January 2022
RM-9.1.44
Licensees should determine the effects of the cyber incident on customers and to the wider financial system as a whole and report the results of such an assessment to CBB if it is determined that the cyber incident may have a systemic impact.
Added: January 2022
RM-9.1.45
Licensees should establish metrics to measure the impact of a cyber incident and to report to management the performance of response activities. Examples include:
1. Metrics to measure impact of a cyber incident
(a) Duration of unavailability of critical functions and services
(b) Number of stolen records or affected accounts
(c) Volume of customers impacted
(d) Amount of lost revenue due to business downtime, including both existing and future business opportunities
(e) Percentage of service level agreements breached
2. Performance metrics for incident management
(a) Volume of incidents detected and responded via automation
(b) Dwell time (i.e. the duration a threat actor has undetected access until completely removed)
(c) Recovery point objectives (RPO) and recovery time objectives (RTO) satisfied
Added: January 2022
Recovery
RM-9.1.46
Licensees must identify the critical systems and services within its operating environment that must be recovered on a priority basis in order to provide certain minimum level of services during the downtime and determine how much time the licensee will require to return to full service and operations.
Added: January 2022
RM-9.1.47
Critical incidents are defined as incidents that trigger the BCP and the crisis management plan. Critical systems and services are those whose failure can have material impact on any of the following elements:
a) Financial situation;
b) Reputation;
c) Regulatory, legal and contractual obligations; and
d) Operational aspects and delivery of key products and services.
Added: January 2022
RM-9.1.48
Licensees must define a program for recovery activities for timely restoration of any capabilities or services that were impaired due to a cyber security incident.
Licensees must establish recovery time objectives (“RTOs”), i.e. the time in which the intended process is to be covered, and recovery point objectives (“RPOs”), i.e. the point to which information used must be restored to enable the activity to operate on resumption.
Licensees must also consider the need for communication with third party service providers, customers and other relevant external stakeholders as may be necessary.
Added: January 2022
RM-9.1.49
Licensees must ensure that all critical systems are able to recover from a cyber security breach within the licensee’s defined RTO in order to provide important services or some level of minimum services for a temporary period of time.
Added: January 2022
RM-9.1.50
Licensees should validate that recovered assets are free of compromise, fully functional and meet the security requirements before returning the systems to normal business operations. This includes performing checks on data to ensure data integrity. In some cases, licensees may need to use backup data kept in a disaster recovery site or plan for the reconstruction of data from external stakeholders such as business partners and customers.
Added: January 2022
RM-9.1.51
Licensees must define a program for exercising the various response mechanisms, taking into account the various types of exercises such as attack simulations, "war games" and "table top" exercises, and with reference to the relevant stakeholders such as technical staff, crisis management team, decision-makers and spokespersons.
Added: January 2022
RM-9.1.52
Licensees must define the mechanisms for ensuring accurate, timely and actionable communication of cyber incident response and recovery activities with the internal stakeholders, including to the board or designated committee of the board.
Added: January 2022
RM-9.1.53
Licensee must ensure its business continuity plan is comprehensive and includes a recovery plan for its systems, operations and services arising from a cyber security incident.
Added: January 2022
Cyber Security Insurance
RM-9.1.54
Licensees must arrange to seek cyber risk insurance cover from a suitable insurer, following a risk-based assessment of cyber security risk undertaken by the respective licensee and independently verified by the insurance company. The insurance policy may include some or all of the following types of coverage, depending on the risk assessment outcomes:
a) Crisis management expenses, such as costs of notifying affected parties, costs of forensic investigation, costs incurred to determine the existence or cause of a breach, regulatory compliance costs, costs to analyse the insured’s legal response obligations;
b) Claim expenses such as costs of defending lawsuits, judgments and settlements, and costs of responding to regulatory investigations; and
c) Policy also provides coverage for a variety of torts, including invasion of privacy or copyright infringement. First-party coverages may include lost revenue due to interruption of data systems resulting from a cyber or denial of service attack and other costs associated with the loss of data collected by the insured.
Added: January 2022
Training and Awareness
RM-9.1.55
Licensees must evaluate improvement in the level of awareness and preparedness to deal with cyber security risk to ensure the effectiveness of the training programmes implemented.
Added: January 2022
RM-9.1.56
The licensee must ensure that all employees receive adequate training on a regular basis, in relation to cyber security and the threats they could encounter, such as through testing employee reactions to simulated cyber-attack scenarios. All relevant employees must be informed on the current cyber security breaches and threats. Additional training should be provided to ‘higher risk staff’.
Added: January 2022
RM-9.1.57
The licensees must ensure that role specific cyber security training is provided on a regular basis to relevant staff including:
• Executive board and senior management;
• Cyber security roles;
• IT staff; and
• Any high-risk staff as determined by the licensee.
Added: January 2022
Reporting to CBB
RM-9.1.58
Upon occurrence or detection of any cyber security incident, whether internal or external, that compromises customer information or disrupts critical services that affect operations, licensees must contact the CBB, immediately (within one hour), on 17547477 and submit Section A of the Cyber Security Incident Report (Appendix RM-1) to CBB’s cyber incident reporting email, incident.insurance@cbb.gov.bh, within two hours.
Added: January 2022
Amended: April 2022
RM-9.1.59
Following the submission referred to in Paragraph RM-9.1.58, the licensee must submit to CBB Section B of the Cyber Security Incident Report (Appendix RM-1) within 10 calendar days of the occurrence of the cyber security incident. Licensees must include all relevant details in the report, including the full root cause analysis of the cyber security incident, its impact on the business operations and customers, and all measures taken by the licensee to stop the attack, mitigate its impact and to ensure that similar events do not recur. In addition, a weekly progress update must be submitted to CBB until the incident is fully resolved.
Added: January 2022
Amended: April 2022
RM-9.1.60
With regards to the submission requirement mentioned in Paragraph RM-9.1.58, the licensee should submit the report with as much information as possible even if all the details have not been obtained yet.
Added: January 2022
RM-9.1.61
The penetration testing report as per Paragraph RM-9.1.29, along with the steps taken to mitigate the risks must be maintained by the licensee for a five-year period from the date of the report and must be provided to CBB
Added: January 2022
Appendix A – Cyber Security Control Guidelines
The Control Guidelines consist of five Core tasks, which are defined below. These Functions are not intended to form a serial path or lead to a static desired end state. Rather, the Functions should be performed concurrently and continuously to form an operational culture that addresses the dynamic cyber security risk.
Identify – Develop an organisation-wide understanding to manage cyber security risk to systems, people, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Cyber Security Risk Management Framework. Understanding the business context, the resources that support critical functions, and the related cyber security risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cyber security incident.
Detect – Develop and implement appropriate activities to identify the occurrence of a cyber security incident. The Detect Function enables timely discovery of cyber security events.
Respond – Develop and implement appropriate activities to take action regarding a detected cyber security incident. The Respond Function supports the ability to contain the impact of a potential cyber security incident.
Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cyber security incident.
Below is a listing of the specific cyber security activities that are common across all critical infrastructure sectors:
IDENTIFY
Asset Management: The data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the licensee’s risk strategy.
1. Physical devices and systems within the licensee are inventoried.
2. Software platforms and applications within the licensee are inventoried.
3. Communication and data flows are mapped.
4. External information systems are catalogued.
5. Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
6. Cyber security roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
Business Environment: The licensee’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cyber security roles, responsibilities, and risk management decisions.
1. Priorities for the licensee’s mission, objectives, and activities are established and communicated.
2. Dependencies and critical functions for delivery of critical services are established.
3. Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations).
Governance: The policies, procedures, and processes to manage and monitor the licensee’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cyber security risk.
1. The licensee’s cyber security policy is established and communicated.
2. Cyber security roles and responsibilities are coordinated and aligned with internal roles and external partners.
3. Legal and regulatory requirements regarding cyber security, including privacy and civil liberties obligations, are understood and managed.
4. Governance and risk management processes address cyber security risks.
Risk Assessment: The licensee understands the cyber security risk to licensee’s operations (including mission, functions, image, or reputation), licensee’s assets, and individuals.
1. Asset vulnerabilities are identified and documented.
2. Cyber threat intelligence is received from information sharing forums and sources.
3. Threats, both internal and external, are identified and documented.
4. Potential business impacts and likelihoods are identified.
5. Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
6. Risk responses are identified and prioritized.
Risk Management Strategy: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
1. Risk management processes are established, managed, and agreed to by licensee’s stakeholders.
2. The licensee’s risk tolerance is determined and clearly expressed.
3. The licensee’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.
Third Party Risk Management: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing third party risk. The licensee has established and implemented the processes to identify, assess and manage supply chain risks.
1. Cyber third-party risk management processes are identified, established, assessed, managed, and agreed to by the licensee’s stakeholders.
2. Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber third-party risk assessment process.
3. Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of a licensee’s cyber security program.
4. Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
5. Response and recovery planning and testing are conducted with suppliers and third-party providers.
PROTECT
Identity Management, Authentication and Access Control: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
1. Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.
2. Physical access to assets is managed and protected.
3. Remote access is managed.
4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
5. Network integrity is protected (e.g., network segregation, network segmentation).
6. Identities are proofed and bound to credentials and asserted in interactions.
7. Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).
Awareness and Training: The licensee’s personnel and partners are provided cyber security awareness education and are trained to perform their cyber security-related duties and responsibilities consistent with related policies, procedures, and agreements.
1. All users are informed and trained on a regular basis.
2. Licensee’s security awareness programs are updated at least annually to address new technologies, threats, standards, and business requirements.
3. Privileged users understand their roles and responsibilities.
4. Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
5. The Board and senior management understand their roles and responsibilities.
6. Physical and cyber security personnel understand their roles and responsibilities.
7. Software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Data Security: Information and records (data) are managed consistent with the licensee’s risk strategy to protect the confidentiality, integrity, and availability of information.
1. Data-at-rest classified as critical or confidential is protected through strong encryption.
2. Data-in-transit classified as critical or confidential is protected through strong encryption.
3. Assets are formally managed throughout removal, transfers, and disposition.
4. Adequate capacity to ensure availability is maintained.
5. Protections against data leaks are implemented.
6. Integrity checking mechanisms are used to verify software, firmware, and information integrity.
7. The development and testing environment(s) are separate from the production environment.
8. Integrity checking mechanisms are used to verify hardware integrity.
Information Protection Processes and Procedures: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational units), processes, and procedures are maintained and used to manage protection of information systems and assets.
1. A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).
2. A System Development Life Cycle to manage systems is implemented.
3. Configuration change control processes are in place.
4. Backups of information are conducted, maintained, and tested.
5. Policy and regulations regarding the physical operating environment for licensee’s assets are met.
6. Data is destroyed according to policy.
7. Protection processes are improved.
8. Effectiveness of protection technologies is shared.
9. Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
10. Response and recovery plans are tested.
11. Cyber security is included in human resources practices (e.g., deprovisioning, personnel screening).
12. A vulnerability management plan is developed and implemented.
Maintenance: Maintenance and repairs of information system components are performed consistent with policies and procedures.
1. Maintenance and repair of licensee’s assets are performed and logged, with approved and controlled tools.
2. Remote maintenance of licensee’s assets is approved, logged, and performed in a manner that prevents unauthorized access.
Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
1. Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
2. Removable media is protected and its use restricted according to policy.
3. The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
4. Communications and control networks are protected.
5. Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.
DETECT
Anomalies and Events: Anomalous activity is detected and the potential impact of events is understood.
1. A baseline of network operations and expected data flows for users and systems is established and managed.
2. Detected events are analyzed to understand attack targets and methods.
3. Event data are collected and correlated from multiple sources and sensors.
4. Impact of events is determined.
5. Incident alert thresholds are established.
Security Continuous Monitoring: The information system and assets are monitored to identify cyber security events and verify the effectiveness of protective measures.
1. The network is monitored to detect potential cyber security events.
2. The physical environment is monitored to detect potential cyber security events.
3. Personnel activity is monitored to detect potential cyber security events.
4. Malicious code is detected.
5. Unauthorized mobile code is detected.
6. External service provider activity is monitored to detect potential cyber security events.
7. Monitoring for unauthorized personnel, connections, devices, and software is performed.
8. Vulnerability scans are performed at least quarterly.
Detection Processes: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
1. Roles and responsibilities for detection are well defined to ensure accountability.
2. Detection activities comply with all applicable requirements.
3. Detection processes are tested.
4. Event detection information is communicated.
5. Detection processes are continuously improved.
RESPOND
Response Planning: Response processes and procedures are executed and maintained, to ensure response to detected cyber security incidents. Response plan is executed during or after an incident.
Communications: Response activities are coordinated with internal and external stakeholders.
1. Personnel know their roles and order of operations when a response is needed.
2. Incidents are reported consistent with established criteria.
3. Information is shared consistent with response plans.
4. Coordination with internal and external stakeholders occurs consistent with response plans.
5. Voluntary information sharing occurs with external stakeholders to achieve broader cyber security situational awareness.
6. Incident response exercises and scenarios across departments are conducted at least annually.
Analysis: Analysis is conducted to ensure effective response and support recovery activities.
1. Notifications from detection systems are investigated.
2. The impact of the incident is understood.
3. Forensics are performed.
4. Incidents are categorized consistent with response plans.
5. Processes are established to receive, analyze and respond to vulnerabilities disclosed to the licensee from internal and external sources (e.g. internal testing, security bulletins, or security researchers).
Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
1. Incidents are contained.
2. Incidents are mitigated.
3. Newly identified vulnerabilities are mitigated or documented as accepted risks.
Improvements: The response activities are improved by incorporating lessons learned from current and previous detection/response activities.
1. Response plans incorporate lessons learned.
2. Response strategies are updated.
RECOVER
Recovery Planning: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cyber security incidents. Recovery plan is executed during or after a cyber security incident.
Improvements: Recovery planning and processes are improved by incorporating lessons learned into future activities.
1. Recovery plans incorporate lessons learned.
2. Recovery strategies are updated.
Communications: Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
1. Public relations are managed.
2. Reputation is repaired after an incident.
3. Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.
Added: January 2022
FC Financial Crime
FC-A Introduction
FC-A.1 Purpose
Executive Summary
FC-A.1.1
This Module applies, to relevant insurance licensees, a comprehensive framework of Rules and Guidance aimed at combating money laundering and terrorist financing. In so doing, it helps implement the FATF Recommendations on combating money laundering and financing of terrorism and proliferation, issued by the Financial Action Task Force (FATF), that are relevant to insurance licensees; it also implements IAIS guidance in this area. (Further information on these can be found in Chapter FC-9.) The Module also contains measures relating to the combating of fraud in the insurance sector.
Amended: October 2015
Amended: January 2007
FC-A.1.2
The Module requires insurance firms and insurance brokers to have effective anti-money laundering ('AML') policies and procedures, in addition to measures for combating the financing of terrorism ('CFT'). The Module contains detailed requirements relating to customer due diligence, reporting and the role and duties of the Money Laundering Reporting Officer (MLRO). Furthermore, examples of suspicious activity are provided (see Part B, Supplementary Information, Appendix FC-(iv)), to assist licensees to monitor transactions and fulfil their reporting obligations under Bahrain law. Because they represent negligible money laundering/terrorism financing risk, these requirements do not apply to insurance consultants nor, in some circumstances, to insurance managers.
Amended: July 2007
FC-A.1.3
This Module also covers measures in place to combat fraud: these apply to all insurance licensees. Chapter FC-10 sets out basic requirements regarding measures to deter, detect and report instances of fraud and attempted fraud.
Legal Basis
FC-A.1.4
This Module contains the Central Bank of Bahrain's (the CBB) Directive (as amended from time to time) regarding the combating of money laundering and terrorism financing and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 (‘CBB Law’). The Directive in this Module is applicable to insurance licensees (including their approved persons).
Amended: January 2022
Amended: January 2011
Added: January 2007
FC-A.1.5
For an explanation of the CBB’s rule-making powers and different regulatory instruments, see Section UG-1.1.
Added: January 2007
FC-A.2 Module History
FC-A.2.1
This Module was first issued by the BMA in April 2005, together with the rest of Volume 3 (Insurance). Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.
Amended: January 2007
FC-A.2.2
When the CBB replaced the BMA in September 2006, the provisions of this Module remained in force. Volume 3 was updated in January 2007 to reflect the switch to the CBB; however, new calendar quarter dates were only issued where the update necessitated changes to actual requirements.
Added: January 2007
FC-A.2.3
A list of recent changes made to this Module is detailed in the table below:
Module Ref. Change Date Description of Changes FC-A.1;
FC-2;
FC-3;
FC-5;
FC-6.1;
FC-6.2;
FC-6.501/07/05 Inclusion of a revised and renamed Customer Due Diligence Chapter (including a new non-face-to-face business Section). Renamed Suspicious Transaction Reporting Chapter, with minor clarifications to the text. Changes to layout of FC-5 and clarifications to the text. Correction of minor typographical and cross-referencing errors. FC 01/10/05 New Chapter on Non-Cooperative Countries/Territories, and UN notifications. Section on charities removed, since not applicable to insurance licensees. Extensive drafting changes to remainder of text, to improve clarity and ensure consistency across different CBB Rulebooks; but no other changes of substance. FC-1.2 01/01/06 Clarified in FC-1.2.11 that the verification for item (a) applies to the identity of the ultimate provider of funds. FC-3.1.7 01/04/06 Clarified and added guidance Paragraph dealing with residency requirements of MLRO. FC-4.3.1 01/07/06 Updated contact information for Compliance Directorate. FC-A.1.4 01/2007 New Rule introduced, categorising this Module as a Directive FC-1.6.3 01/2007 Clarified simplified due diligence rules for transactions under BD6,000. FC-3.3.5A and FC-3.3.7 01/2007 Allowed for a transition period for the external auditor's report required under SubParagraph FC-3.3.1(d) and clarified when all reports are due. FC-4.3.1 01/2007 Updated new e-mail address for Compliance Directorate. FC-1.7.2(d) 10/2007 Clarified the record retention period for introduced business in line with Article 60 of the CBB Law FC-2.2.3,
FC-2.2.6,
FC-4.2.5,
FC-6.1.1,
FC-6.1.2,
FC-6.1.310/2007 Clarified the record retention period for various transactions to be in line with Article 60 of the CBB Law FC-3.3.2 10/2007 Clarified the appointment of external auditors for the purposes of the report required under Paragraph FC-3.3.1 (d) FC-10.1.11 10/2007 Added reference to new Guidance paper on fraud issued by the IAIS. FC-3.3.7 04/2008 Clarified to whom in the CBB should the reports required under Paragraph FC-3.3.1 be submitted to. FC-1.7.2,
FC-2.2.3,
FC-2.2.6,
FC-4.2.5,
FC-6.1.1,
FC-6.1.2,
FC-6.1.304/2008 Reduced retention requirements of records to five years to be consistent with AML Law and other Volumes of the CBB Rulebook Table of Contents 07/2008 Added Supplementary Documents to Part B. FC-1.1.3 07/2009 Provided guidance for insurance brokers on definition of 'customers'. FC-3.1.10,
FC-3.2.1,
FC-4.2.3,
FC-4.3.104/2010 Updated name and e-mail of relevant authority to Financial Intelligence Unit. FC-A.1.4 01/2011 Clarified legal basis FC-3.1.9 10/2011 Clarified requirements for MLRO. FC-3.3 10/2011 Amended Section to allow for CBB-approved consultancy firm to do required sample testing and report under Paragraph FC-3.3.1. FC-3.3.5 and FC-3.3.6 01/2012 Amended to reflect the addition of approved consultancy firm. FC-4.2.3 10/2014 Updated method of submitting STRs. FC-4.3 10/2014 Updated relevant authorities information. FC 10/2015 Updated to reflect February 2012 update to FATF Recommendations. FC-1.5.1 07/2016 Aligned definition of PEPs as per FATF Recommendations. FC-1.5.4 07/2016 Definition of PEPs is already included in Glossary so this guidance paragraph was deleted. FC-4.2.3 07/2016 Updated instructions for STR. FC-1.2.9A 01/2017 Added guidance paragraph on CR printing FC-7.2.1AA 04/2017 Implementing and complying with the United Nations Security Council resolutions requirement. FC-1.1.2B 10/2017 Amended paragraph on CDD requirements. FC-1.2.7 10/2017 Amended paragraph. FC-1.2.8A 10/2017 Added new paragraph on legal entities or legal arrangements CDD. FC-2.2.10 – FC-2.2.11 10/2017 Amended paragraphs on On-going CDD and Transaction Monitoring. FC-3.1.6A 10/2017 Added paragraph on combining the MLRO or DMLRO position with any other position within the licensee. FC-B.3.4 01/2018 Amended paragraph. FC-1.5.5 01/2018 Added new paragraph. FC-1.5.6 01/2018 Added new paragraph. FC-1.6.1 01/2018 Deleted sub-paragraph (f). FC-1.7.1 01/2018 Amended paragraph. FC-4.2.6 01/2018 Amended paragraph. FC-7.1.4 01/2018 Amended paragraph. FC-7.2.2 01/2018 Deleted paragraph. FC-1.1.2 07/2018 Deleted sub-paragraph (g). FC-1.2.1 07/2018 Amended guidance deleting the threshold. FC-1.6.3 07/2018 Deleted Paragraph. FC-1.6.9 07/2018 Deleted Paragraph. FC-1.6.10 07/2018 Deleted Paragraph. FC-1.6.1 01/2019 Amended references. FC-3.3.2 - FC-3.3.5 01/2019 Amended references. 
FC-3.3.5A 01/2019 Deleted paragraph.
FC-3.3.7 01/2019 Amended references.
FC-6.1.2 01/2019 Amended references.
FC-3.1.10 10/2019 Amended authority name.
FC-3.2.1 10/2019 Amended authority name.
FC-4.2.3 10/2019 Amended authority name.
FC-4.3.2 10/2019 Amended authority name.
FC-7.2.1AA 10/2019 Defined 'without delay'.
FC-1.1.1 01/2020 Amended Paragraph on procedures approval.
FC-1.2.1 01/2020 Added a new sub-Paragraph.
FC-3.3.5 01/2020 Amended Paragraph on report submission date.
FC-3.3.7 01/2020 Amended Paragraphs references.
FC-2.1.4 & FC-2.1.5 04/2020 Added new Paragraphs on KPIs compliance with AML/CFT requirements.
FC-5.1.6A 01/2021 Added a new Paragraph on requirements to hire new employees.
FC-A.1.4 01/2022 Amended Paragraph to replace financial crime with money laundering and terrorism financing.
FC-C 01/2022 New chapter on risk-based approach (RBA).
FC-1.1 01/2022 Amended Section to introduce additional rules for non-resident customers, amendments to customers onboarded prior to full completion of customer due diligence, digital onboarding etc.
FC-1.2 01/2022 Amended Section to include E-KYC and electronic documents law requirements.
FC-1.3 01/2022 Amended Section on enhanced due diligence requirements for customers identified as having higher risk profile.
FC-1.4 01/2022 Amended Section to introduce detailed requirements for digital onboarding and related requirements.
FC-1.5.2 01/2022 Amended Paragraph on onboarding non-Bahraini PEPs using digital ID applications.
FC-1.5A 01/2022 Added a new Section on Enhanced Due Diligence: Charities, Clubs and Other Societies
FC-1.6.8A 01/2022 Added a new Paragraph on not applying simplified CDD in situations where the licensee has identified high ML/TF/PF risks.
FC-2.2.5 01/2022 Amended Paragraph.
FC-3.3.1B 01/2022 Amended Paragraph.
FC-3.3.2 01/2022 Amended Paragraph.
FC-3.3.5 01/2022 Amended Paragraph.
FC-3.3.6 01/2022 Deleted Paragraph.
FC-3.3.7 01/2022 Deleted Paragraph.
FC-5.1.6A 01/2022 Deleted Paragraph.
FC-C.2.3 01/2023 Minor amendment to Paragraph.
FC-7.2.4(c) 01/2023 Added a new Sub-paragraph on reporting any frozen assets or actions taken.
FC-1.1.14A 10/2023 Amended Sub-Paragraph on the enhanced diligence for the non-resident accounts.
FC-1.1.14E 10/2023 Deleted Paragraph.
FC-1.1.14I 10/2023 Deleted Paragraph.
FC-1.1.17 10/2023 Added a new Paragraph on CDD and Customer onboarding requirements.
FC-1.8 10/2023 Added a new Section on reliance on third parties for customer due diligence.
FC-1.2.1 01/2024 Amended Paragraph on customer due diligence.
FC-A.2.3
[Deleted]
Deleted: January 2007
FC-A.2.4
Guidance on the implementation and transition to Volume 3 (Insurance) is given in Module ES (Executive Summary).
Amended: January 2007
FC-B Scope of Application
FC-B.1 License Categories
FC-B.1.1
Chapters FC-1 to FC-9 apply to all insurance firms and insurance brokers. These Chapters also apply to insurance managers where they manage a captive insurer. Chapters FC-1 to FC-9 do not apply to insurance consultants.
FC-B.1.2
Chapters FC-1 to FC-9 apply, as specified in Paragraph FC-B.1.1, to all insurance firms, insurance brokers and, where they manage a captive insurer, insurance managers, irrespective of whether they are a Bahraini insurance licensee or an overseas insurance licensee. Overseas insurance licensees, and Bahraini insurance licensees that are subsidiaries of an overseas group, may apply additional AML/CFT policies and procedures, provided they satisfy the minimum requirements contained in this Module.
Amended: January 2007
Amended: October 2007
FC-B.1.3
The Rules and Guidance in this Module are in addition to and supplement the requirements contained in Decree Law No. (4) of 2001 with respect to the prevention and prohibition of the laundering of money; this Law was subsequently updated, with the issuance of Decree Law No. 54 of 2006 with respect to amending certain provisions of Decree No. 4 of 2001 (collectively, 'the AML Law'). The AML Law imposes obligations generally in relation to the prevention of money laundering and the combating of the financing of terrorism, to all persons resident in Bahrain (including financial services firms such as insurance licensees). All insurance licensees are under the statutory obligations of that Law, in addition to the more specific requirements contained in this Module. Nothing in this Module is intended to restrict the application of the AML Law (a copy of which is contained in Part B of Volume 3 (Insurance), under 'Supplementary Information'). Also included in Part B is a copy of Decree Law No. 58 of 2006 with respect to the protection of society from terrorism activities ('the anti-terrorism law').
Amended: January 2007
FC-B.1.4
Chapter FC-10, dealing with insurance fraud, applies to all insurance licensees.
FC-B.2 Types of Insurance Business
FC-B.2.1
This Module applies to all types of insurance contracts, including general and long-term insurance, as well as to reinsurance and captive insurance business.
Amended: January 2007
Amended: October 2007
FC-B.2.2
International experience shows that all types of insurance (including general insurance and reinsurance) have been used as channels for illegal activities. However, the CBB also recognises that in the case of pure reinsurance transactions, these risks may exist to a lesser extent. Consequently, upon application by the licensee, the CBB will consider, on an individual basis, exemptions from specific requirements of this Module, in relation to the reinsurance activities of licensees. Normally, the CBB will consider granting such exemptions where the reinsurer concerned deals only with licensed insurance entities, that are subject to AML/CFT standards equivalent to those in this Module.
Amended: January 2007
Amended: October 2007
FC-B.3 Overseas Subsidiaries and Branches
FC-B.3.1
Insurance licensees must apply the requirements in this Module to all their branches and subsidiaries, including those operating in another jurisdiction. Where local standards differ, the higher standard must be followed. Insurance licensees must pay particular attention to procedures in branches and subsidiaries in countries that do not or insufficiently apply the FATF Recommendations and Special Recommendations and do not have adequate AML/CFT procedures, systems and controls (see also Section FC-7.1).
Amended: October 2015
Amended: January 2007
FC-B.3.2
Where another jurisdiction's laws or Regulations prevent an insurance licensee (or any of its foreign branches or subsidiaries) from applying the same standards contained in this Module or higher, the licensee must immediately inform the CBB in writing.
Amended: January 2007
FC-B.3.3
In such instances, the CBB will review alternatives with the insurance licensee. Should the CBB and the licensee be unable to reach agreement on the satisfactory implementation of this Module in a foreign subsidiary or branch, the insurance licensee may be required by the CBB to cease the operations of the subsidiary or branch in the foreign jurisdiction in question.
Amended: January 2007
FC-B.3.4
Financial groups (e.g. an insurance firm with its subsidiaries) must implement groupwide programmes against money laundering and terrorist financing, including policies and procedures for sharing information within the group for AML/CFT purposes, which must also be applicable, and appropriate to, all branches and subsidiaries of the financial group. These must include:
(a) The development of internal policies, procedures and controls, including appropriate compliance management arrangements, and adequate screening procedures to ensure high standards when hiring employees;
(b) An ongoing employee training programme;
(c) An independent audit function to test the system;
(d) Policies and procedures for sharing information required for the purposes of CDD and money laundering and terrorist financing risk management;
(e) The provision at group-level compliance, audit, and/or AML/CFT functions of customer, account and transaction information from branches and subsidiaries when necessary for AML/CFT purposes; and
(f) Adequate safeguards on the confidentiality and use of information exchanged.
Amended: January 2018
Added: October 2015
FC-C Risk Based Approach
FC-C.1 Risk Based Approach
FC-C.1.1
An insurance licensee must implement a Risk Based Approach (RBA) in establishing an AML/CFT/CPF program and conduct ML/TF/PF risk assessments prior to and during the establishment of a business relationship and, on an ongoing basis, throughout the course of its relationship with the customer. The licensee must establish and implement policies, procedures, tools and systems commensurate with the size, nature and complexity of its business operations to support its RBA.
Added: January 2022
FC-C.1.2
An insurance licensee must perform enhanced measures where higher ML/TF/PF risks are identified to effectively manage and mitigate those higher risks.
Added: January 2022
FC-C.1.3
An insurance licensee must maintain and regularly review and update the documented risk assessment. The risk management and mitigation measures implemented by a licensee must be commensurate with the identified ML/TF/PF risks.
Added: January 2022
FC-C.1.4
Insurance licensees must allocate adequate financial, human and technical resources and expertise to effectively implement and take appropriate preventive measures to mitigate ML/TF/PF risks.
Added: January 2022
FC-C.2 Risk Assessment
FC-C.2.1
An insurance licensee must ensure that it takes measures to identify, assess, monitor, manage and mitigate ML/TF/PF risks to which it is exposed and that the measures taken are commensurate with the nature, scale and complexities of its activities. The risk assessment must enable the licensee to understand how, and to what extent, it is vulnerable to ML/TF/PF.
Added: January 2022
FC-C.2.2
In the context of the risk assessment, “proliferation financing risk” refers to the potential breach, non-implementation or evasion of the targeted financial sanctions obligations referred to in FATF Recommendation 7.
Added: January 2022
FC-C.2.3
The risk assessment must be properly documented, regularly updated and communicated to the insurance licensee’s senior management. Licensees must have in place policies, controls and procedures, which are approved by senior management, to enable them to manage and mitigate the risks that have been identified. In conducting its risk assessments, the licensee must consider quantitative and qualitative information obtained from the relevant internal and external sources to identify, manage and mitigate these risks. This must include consideration of the risk and threat assessments using national risk assessments, sectorial risk assessments, crime statistics, typologies, risk indicators, red flags, guidance and advisories issued by inter-governmental organisations, national competent authorities and the FATF, and AML/CFT/CPF mutual evaluation and follow-up reports by the FATF or associated assessment bodies.
Amended: January 2023
Added: January 2022
FC-C.2.4
An insurance licensee must assess country/geographic risk, customer/investor risk, product/service/transactions risk and distribution channel risk taking into consideration the appropriate factors in identifying and assessing the ML/TF/PF risks, including the following:
(a) The nature, scale, diversity and complexity of its business, products and target markets;
(b) Products, services and transactions that inherently provide more anonymity, ability to pool underlying customers/funds, cash-based, face-to-face, non face-to-face, domestic or cross-border;
(c) The volume and size of its transactions, nature of activity and the profile of its customers;
(d) The proportion of customers identified as high risk;
(e) Its target markets and the jurisdictions it is exposed to, either through its own activities or the activities of customers, especially jurisdictions with relatively higher levels of corruption or organised crime, and/or deficient AML/CFT/CPF controls and listed by FATF;
(f) The complexity of the transaction chain (e.g. complex layers of intermediaries and sub intermediaries or distribution channels that may anonymise or obscure the chain of transactions) and types of distributors or intermediaries;
(g) The distribution channels, including the extent to which the licensee deals directly with the customer and the extent to which it relies (or is allowed to rely) on third parties to conduct CDD and the use of technology;
(h) Internal audit, external audit or regulatory inspection findings; and
(i) Beneficiary of a life insurance policy.
Added: January 2022
Country/Geographic risk
FC-C.2.5
Country/geographic area risk, in conjunction with other risk factors, provides useful information as to potential ML/TF/PF risks. Factors that may be considered as indicators of higher risk include:
(a) Countries identified by credible sources, such as mutual evaluation or detailed assessment reports or published follow-up reports, as not having adequate AML/CFT/CPF systems;
(b) Countries or geographic areas identified by credible sources as providing funding or support for terrorist activities, or that have designated terrorist organisations operating within their country;
(c) Countries identified by credible sources as having significant levels of corruption or organized crime or other criminal activity, including source or transit countries for illegal drugs, human trafficking and smuggling and illegal gambling;
(d) Countries subject to sanctions, embargoes or similar measures issued by international organisations such as the United Nations Organisation; and
(e) Countries identified by credible sources as having weak governance, law enforcement, and regulatory regimes, including countries identified by the FATF statements as having weak AML/CFT/CPF regimes, and for which financial institutions should give special attention to business relationships and transactions.
Added: January 2022
Customer/Investor risk
FC-C.2.6
Categories of customers which may indicate a higher risk include:
(a) The business relationship is conducted in unusual circumstances (e.g. significant unexplained geographic distance between the financial institution and the customer);
(b) Non-resident customers;
(c) Legal persons or arrangements that are personal asset-holding vehicles;
(d) Companies that have nominee shareholders or shares in bearer form;
(e) Businesses that are cash-intensive;
(f) The ownership structure of the company appears unusual or excessively complex given the nature of the company’s business;
(g) Customer is sanctioned by the relevant national competent authority for non-compliance with the applicable AML/CFT/CPF regime and is not engaging in remediation to improve its compliance;
(h) Customer is a PEP or customer’s family members, or close associates are PEPs (including where a beneficial owner of a customer is a PEP);
(i) Customer resides in or whose primary source of income originates from high-risk jurisdictions;
(j) Customer resides in countries considered to be uncooperative in providing beneficial ownership information; customer has been mentioned in negative news reports from credible media, particularly those related to predicate offences for AML/CFT/CPF or to financial crimes;
(k) Customer’s transactions indicate a potential connection with criminal involvement, typologies or red flags provided in reports produced by the FATF or national competent authorities;
(l) Customer is engaged in, or derives wealth or revenues from, a high-risk cash-intensive business;
(m) The number of STRs and their potential concentration on particular client groups;
(n) Customers who have sanction exposure; and
(o) Customer has a non-transparent ownership structure.
Added: January 2022
Product/Service/Transactions risk
FC-C.2.7
An overall risk assessment should include determining the potential risks presented by product, service, transaction or the delivery channel of the insurance licensee. A licensee should assess, using an RBA, the extent to which the offering of its product, service, transaction or the delivery channel presents potential vulnerabilities to placement, layering or integration of criminal proceeds into the financial system.
Added: January 2022
FC-C.2.8
Determining the risks of product, service, transaction or the delivery channel offered to customers may include a consideration of their attributes, as well as any associated risk mitigation measures. Products and services that may indicate a higher risk include:
(a) Anonymous transactions (which may include cash);
(b) Non-face-to-face business relationships or transactions;
(c) Payment received from unknown or un-associated third parties;
(d) Products or services that may inherently favour anonymity or obscure information about underlying customer transactions;
(e) The geographical reach of the product or service offered, such as those emanating from higher risk jurisdictions;
(f) Products with unusual complexity or structure and with no obvious economic purpose;
(g) Products or services that permit the unrestricted or anonymous transfer of value (by payment or change of asset ownership) to an unrelated third party, particularly those residing in a higher risk jurisdiction; and
(h) Use of new technologies or payment methods not used in the normal course of business by the insurance licensee.
Added: January 2022
Distribution channel risk
FC-C.2.9
A customer may request transactions that pose an inherently higher risk to the insurance licensee. Factors that may be considered as indicators of higher risk include:
(a) A request is made to transfer funds to a higher risk jurisdiction/country/region without a reasonable business purpose provided; and
(b) A transaction is requested to be executed, where the licensee is made aware that the transaction will be cleared/settled through an unregulated entity.
Added: January 2022
FC-C.2.10
An insurance licensee should analyse the specific risk factors, which arise from the use of intermediaries and their services. Intermediaries’ involvement may vary with respect to the activity they undertake and their relationship with the licensee. The licensee should understand who the intermediary is and perform a risk assessment on the intermediary prior to establishing a business relationship. Licensees and intermediaries should establish clearly their respective responsibilities for compliance with applicable regulation.
Added: January 2022
FC-1 Customer Due Diligence Requirements
FC-1.1 General Requirements
Verification of Identity and Source of Funds
FC-1.1.1
Insurance licensees must establish effective systematic internal procedures for establishing and verifying the identity of their customers and the source of their funds. Such procedures must be set out in writing and approved by the licensee’s senior management and must be strictly adhered to.
Amended: January 2020
Amended: October 2015
Amended: January 2007
FC-1.1.2
Insurance licensees must implement the customer due diligence measures outlined in this Chapter when:
(a) Establishing business relations with a new or existing customer;
(b) A change to the signatory or policyholder beneficiary is made;
(c) A significant transaction takes place;
(d) There is a material change in the terms of an insurance policy or in the manner in which the business relationship is conducted;
(e) Customer documentation standards change substantially;
(f) The insurance licensee has doubts about the veracity or adequacy of previously obtained customer due diligence information;
(g) [This Sub-paragraph was deleted in July 2018]; or
(h) There is a suspicion of money laundering or terrorist financing.
Amended: July 2018
Amended: January 2007
FC-1.1.2A
Insurance licensees must understand, and as appropriate, obtain information on the purpose and intended nature of the business relationship.
Added: October 2015
FC-1.1.2B
Insurance licensees must conduct ongoing due diligence on the business relationship, including:
(a) Scrutinizing of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution's knowledge of the customer, their business and risk profile, including, where necessary, the source of funds; and
(b) Ensuring that documents, data or information collected under the CDD process is kept up-to-date and relevant, by undertaking reviews of existing records, particularly for higher risk categories of customers.
Amended: October 2017
Added: October 2015
FC-1.1.2C
An insurance licensee must also review and update the customer’s risk profile based on their level of ML/TF/PF risk upon onboarding the customer and regularly throughout the life of the relationship. The risk management and mitigation measures implemented by a licensee must be commensurate with the risk profile of a particular customer or type of customer.
Added: January 2022
FC-1.1.3
For the purposes of this Module, 'customer' includes counterparties such as reinsurers and financial markets counterparties, as well as persons insured by the licensee. However, in the case of group insurance policies (such as group life or medical), the requirements in this Module need not be applied to all policyholders: see Paragraph FC-1.2.13. For insurance brokers, 'customer' refers to policyholders.
Amended: July 2009
Amended: January 2007
FC-1.1.4
The CBB's specific minimum standards to be followed with respect to verifying customer identity and source of funds are contained in Section FC-1.2. Enhanced requirements apply under certain high-risk situations: these requirements are contained in Sections FC-1.3 to FC-1.5 inclusive. Simplified customer due diligence measures may apply in defined circumstances: these are set out in Section FC-1.6.
Amended: January 2007
FC-1.1.5
Where an insurance licensee is dealing with an intermediary such as a broker, reliance may be placed on customer identification undertaken by the intermediary, if certain conditions are satisfied: please refer to Chapter FC-1.7.
Verification of Third Parties
FC-1.1.6
Insurance licensees must obtain a signed statement, in hard copy or through digital means, from all new customers confirming whether or not the customer is acting on his own behalf. This undertaking must be obtained prior to conducting any transactions with the customer concerned.
Amended: January 2022
Amended: January 2007
FC-1.1.7
Where a customer is acting on behalf of a third party, the insurance licensee must also obtain a signed statement from the third party, confirming they have given authority to the customer to act on their behalf. Where the third party is a legal person, the insurance licensee must have sight of the original Board resolution (or other applicable document) authorising the customer to act on the third party's behalf, and retain a certified copy.
Amended: January 2007
FC-1.1.8
Insurance licensees must establish and verify the identity of the customer and (where applicable) the party/parties on whose behalf the customer is acting. In the case of insurance policies, the identity of the beneficiaries must also be separately identified and verified, and the relationship between the insured party and the beneficiaries must be ascertained. Verification must take place in accordance with the requirements specified in this Chapter.
Amended: January 2007
FC-1.1.9
If claims, commissions, and other monies are to be paid to persons (including partnerships, companies, etc.) other than the policyholder, then the identity of the proposed recipient of these monies must also be verified in accordance with the requirements specified in this Chapter.
Amended: January 2007
FC-1.1.10
Where a policy is provided to a minor or other person lacking full legal capacity, the normal identification procedures as set out in this Chapter must be followed. In the case of minors, licensees must additionally verify the identity of the parent(s) or legal guardian(s). Where a third party on behalf of a person lacking full legal capacity subscribes to a policy, the licensee must establish the identity of that third party as well as the intended policyholder.
Amended: January 2007
Anonymous and Nominee Accounts
FC-1.1.11
Insurance licensees must not establish or keep anonymous policies or policies in fictitious names. Where insurance licensees maintain a nominee account, which is controlled by or held for the benefit of another person, the identity of that person must be disclosed to the insurance licensee and verified by it in accordance with the requirements specified in this Chapter.
Timing of Verification
FC-1.1.12
Insurance licensees must not commence a business relationship or undertake a transaction with a customer before completion of the relevant customer due diligence (‘CDD’) measures specified in this Chapter. Licensees must also adopt risk management procedures with respect to the conditions under which a customer may utilise the business relationship prior to verification. However, verification may be completed after receipt of funds in the case of non-face-to-face business, or the subsequent submission of CDD documents by the customer after undertaking initial customer due diligence provided that no disbursement of funds takes place until after the requirements of this Chapter have been fully met.
Amended: January 2022
Amended: January 2007
Incomplete Customer Due Diligence
FC-1.1.13
Where an insurance licensee is unable to comply with the requirements specified in this Chapter, it must consider whether to terminate the relationship or not proceed with the transaction. If funds have been received, these must be returned to the counterparty in the same method as originally received. If it proceeds with the transaction (to avoid tipping off the customer), it should additionally consider whether it should file a suspicious transaction report.
Amended: October 2015
Amended: January 2007
FC-1.1.14
See also Chapter FC-4, which covers the filing of suspicious transaction reports. Regarding the return of funds to the counterparty, if funds are received in cash, funds should be returned in cash. If funds are received by wire transfer, they should be returned by wire transfer.
Amended: October 2015
Non-Resident Accounts
FC-1.1.14A
Insurance licensees that transact or deal with non-resident customers who are natural persons must have documented criteria for acceptance of business with such persons. For non-resident customers, insurance licensees must ensure the following:
(a) Ensure there is a viable economic reason for the business relationship;
(b) Perform enhanced due diligence where required in accordance with Paragraph FC-1.1.17;
(c) Obtain and document the country of residence for tax purposes where relevant;
(d) Obtain evidence of banking relationships in the country of residence;
(e) Obtain the reasons for dealing with licensee in Bahrain; and
(f) Test that the persons are contactable without unreasonable delays.
Amended: October 2023
Added: January 2022
FC-1.1.14B
Insurance licensees that transact or deal with non-resident customers who are natural persons must have documented approved policies in place setting out the products and services which will be offered to non-resident customers. Such policy document must take into account a comprehensive risk assessment covering all risks associated with the products and services offered to non-residents. The licensee must also have detailed procedures to address the risks associated with the dealings with non-resident customers including procedures and processes relating to authentication, genuineness of transactions and their purpose.
Added: January 2022
FC-1.1.14C
Insurance licensees must not accept non-resident customers from high risk jurisdictions subject to a call for action by FATF.
Added: January 2022
FC-1.1.14D
Insurance licensees must take adequate precautions and risk mitigation measures before onboarding non-resident customers from high risk jurisdictions. The licensees must establish detailed assessments and criteria that take into consideration FATF mutual evaluations, FATF guidance, the country national risk assessments (NRAs) and other available guidance on onboarding and retaining non-resident customers from the following high risk jurisdictions:
(a) Jurisdictions under increased monitoring by FATF;
(b) Countries upon which United Nations sanctions have been imposed except those referred to in Paragraph FC-1.1.12B; and
(c) Countries that are the subject of any other sanctions.
Added: January 2022
FC-1.1.14E
[This Paragraph has been deleted in October 2023].
Deleted: October 2023
Added: January 2022
FC-1.1.14F
Insurance licensees must establish systems and measures that are proportional to the risk relevant to each jurisdiction and this must be documented. Such a document must show the risks, mitigation measures for each jurisdiction and for each non-resident customer.
Added: January 2022
FC-1.1.14G
Insurance licensees must establish a comprehensive documented policy and procedures describing also the tools, methodology and systems that support the licensee’s processes for:
(a) The application of RBA;
(b) Customer due diligence;
(c) Ongoing transaction monitoring; and
(d) Reporting in relation to their transactions or dealings with non-resident customers.
Added: January 2022
FC-1.1.14H
Insurance licensees must ensure that only the official/government documents are accepted for the purpose of information in Subparagraphs FC-1.2.1 (a) to (f) in the case of non-resident customers.
Added: January 2022
FC-1.1.14I
[This Paragraph has been deleted in October 2023]
Deleted: October 2023
Added: January 2022
Existing Customers
FC-1.1.15
[This Paragraph was deleted in October 2015.]
Deleted: October 2015
FC-1.1.16
[This Paragraph was deleted in October 2015.]
Deleted: October 2015
Amended: January 2007
FC-1.1.17
Insurance licensees must follow the below CDD and customer onboarding requirements:

| | Enhanced Due Diligence | Digital Onboarding |
|---|---|---|
| Bahrainis and GCC nationals (wherever they reside) and expatriates resident in Bahrain | No | Yes |
| Others | Yes | Yes |

Added: October 2023
FC-1.2 Face-to-face Business
Natural Persons
FC-1.2.1
If the customer is a natural person, the insurance licensee must identify the person’s identity and obtain the following information before providing financial services of any kind:
(a) Full legal name and any other names used;
(b) Full permanent address (i.e. the residential address of the customer; a post office box is insufficient);
(c) Date of birth;
(d) Nationality;
(e) Passport number (if the customer is a passport holder);
(f) Current CPR or Iqama number (for Bahraini or GCC residents only) or government issued national identification proof;
(g) Telephone/fax number and email address (where applicable);
(h) Occupation or public position held (where applicable);
(i) Employer's name and address (if self-employed, the nature of the self-employment);
(j) Type of policy, and nature and volume of anticipated business dealings with the insurance licensee;
(k) Signature of the customer(s);
(l) Source of funds for payment of premium;
(m) Reason for opening the account; and
(n) Place of birth.
Amended: January 2024
Amended: January 2022
Amended: January 2020
Amended: July 2018
Amended: January 2007
FC-1.2.1A
Insurance licensees obtaining the information and customer signature electronically using digital applications must comply with the applicable laws governing the onboarding/business relationship including but not limited to the Electronic Transactions Law (Law No. 54 of 2018) for the purposes of obtaining signatures as required in Subparagraph FC-1.2.1 (k) above.
Added: January 2022
FC-1.2.2
See Part B, Volume 3 (Insurance), for a Guidance Note on source of funds.
FC-1.2.3
The insurance licensee must verify the information in Paragraph FC-1.2.1 (a) to (f), by the following methods below; at least one of the copies of the identification documents mentioned in (a) and (b) below must include a clear photograph of the customer:
(a) Confirmation of the date of birth and legal name, by use of the national E-KYC application and if this is not practical, obtaining a copy of a current valid official original identification document (e.g. birth certificate, passport, national identity card, CPR or Iqama);
(b) Confirmation of the permanent residential address by use of the national E-KYC application and if this is not practical, obtaining a copy of a recent utility bill, bank statement or similar statement from another licensee or financial institution, or some form of official correspondence or official documentation card, such as national identity card or CPR, from a public/governmental authority, or a tenancy agreement or record of home visit by an official of the licensee; and
(c) Where appropriate, direct contact with the customer by phone, letter or email to confirm relevant information, such as residential address information.
Amended: January 2022
Amended: January 2007
FC-1.2.4
Any document copied or obtained for the purpose of identification verification in a face-to-face customer due diligence process must be an original. An authorised official of the licensee must certify the copy, by writing on it the words ‘original sighted’, together with the date and his signature. Equivalent measures must be taken for electronic copies.
Amended: January 2022
FC-1.2.5
Identity documents which are not obtained by an authorised official of the licensee in original form (e.g. due to a customer sending a copy by post following an initial meeting) must instead be certified (as per FC-1.2.4) by one of the following from a GCC or FATF member state:
(a) A lawyer;
(b) A notary;
(c) A chartered/certified accountant;
(d) An official of a government ministry;
(e) An official of an embassy or consulate; or
(f) An official of another licensed financial institution or of an associate company of the licensee.
Amended: January 2007
FC-1.2.6
The individual making the certification under FC-1.2.5 must give clear contact details (e.g. by attaching a business card or company stamp). The insurance licensee must verify the identity of the person providing the certification through checking membership of a professional organisation (for lawyers or accountants), or through checking against databases/websites, or by direct phone or email contact.
Amended: January 2007
Legal Entities or Legal Arrangements (such as trusts)
FC-1.2.7
If the customer is a legal entity or a legal arrangement such as a trust, the insurance licensee must obtain and record the following information from original identification documents, databases or websites, in hard copy or electronic form, to identify the customer and to take reasonable measures to verify its identity, legal existence and structure:
(a) The entity's full name and other trading names used;
(b) Registration number (or equivalent);
(c) Legal form and proof of existence;
(d) Registered address and trading address (where applicable);
(e) Type of business activity;
(f) Date and place of incorporation or establishment;
(g) Telephone, fax number and email address;
(h) Regulatory body or listing body (for regulated activities such as financial services and listed companies);
(hh) The names of the relevant persons having a senior management position in the legal entity or legal arrangement;
(i) Name of external auditor (where applicable);
(j) Type of policy, and nature and volume of anticipated business dealings with the insurance licensee; and
(k) Source of funds for payment of premium.
Amended: October 2017
Amended: January 2007
FC-1.2.8
The information provided under FC-1.2.7 must be verified by obtaining certified copies of the following documents, as applicable (depending on the legal form of the entity):
(a) Certificate of incorporation and/or certificate of commercial registration or trust deed;
(b) Memorandum of association;
(c) Articles of association;
(d) Partnership agreement;
(e) Board resolution seeking the insurance services (only necessary in the case of private or unlisted companies);
(f) Identification documentation of the authorised signatories of the insurance contract;
(g) Copy of the latest financial report and accounts, audited where possible (audited copies do not need to be certified); and
(h) List of authorised signatories of the company for the insurance contract and a Board resolution (or other applicable document) authorising the named signatories or their agent to receive any proceeds from the insurance contract or to modify the terms of the contract (resolution only necessary for private or unlisted companies).
Amended: January 2007
FC-1.2.8A
For customers that are legal persons, insurance licensees must identify and take reasonable measures to verify the identity of beneficial owners through the following information:
(a) The identity of the natural person(s) who ultimately have a controlling ownership interest in a legal person, and
(b) To the extent that there is doubt under (a) as to whether the person(s) with the controlling ownership interest is the beneficial owner(s), or where no natural person exerts control of the legal person or arrangement through other means; and
(c) Where no natural person is identified under (a) or (b) above, the identity of the relevant natural person who holds the position of senior managing official.
Amended: October 2017
Amended: January 2007
FC-1.2.9
Documents obtained to satisfy the requirements in FC-1.2.8 above must be certified in the manner specified in FC-1.2.4 to FC-1.2.6.
FC-1.2.9A
For the purpose of Paragraph FC-1.2.8(a), the requirement to obtain a certified copy of the commercial registration, may be satisfied by obtaining a commercial registration abstract printed directly from the Ministry of Industry, Commerce and Tourism's website, through "SIJILAT Commercial Registration Portal".
Added: January 2017
FC-1.2.10
The documentary requirements in FC-1.2.8 above do not apply in the case of FATF/GCC listed companies: see Section FC-1.6 below. Also, the documents listed in FC-1.2.8 above are not exhaustive: for customers from overseas jurisdictions, documents of an equivalent nature may be produced as satisfactory evidence of a customer's identity.
Amended: January 2007
FC-1.2.11
Insurance licensees must also obtain and document the following due diligence information. These due diligence requirements must be incorporated in the licensee's new business procedures:
(a) Enquire as to the structure of the legal entity or trust sufficient to determine and verify the identity of the ultimate provider of funds and ultimate controller of the funds (if different);
(b) Ascertain whether the legal entity has been or is in the process of being wound up, dissolved, struck off or terminated;
(c) Obtain the names, country of residence and nationality of Directors or partners (only necessary for private or unlisted companies, and for trustees in the case of trusts);
(d) Require, through new customer documentation or other transparent means, updates on significant changes to corporate ownership and/or legal structure;
(e) Obtain and verify the identity of shareholders holding 20% or more of the issued capital (where applicable). The requirement to verify the identity of these shareholders does not apply in the case of FATF/GCC listed companies;
(f) In the case of trusts or similar arrangements, establish the identity of the settlor(s), trustee(s), and beneficiaries (including making such reasonable enquiries as to ascertain the identity of any other potential beneficiary, in addition to the named beneficiaries of the trust); and
(g) Where a licensee has reasonable grounds for questioning the authenticity of the information supplied by a customer, conduct additional due diligence to confirm the above information.
Amended: January 2007
FC-1.2.12
For the purposes of Paragraph FC-1.2.11, acceptable means of undertaking such due diligence might include taking bank references; visiting or contacting the company by telephone; undertaking a company search or other commercial enquiries; accessing public and private databases (such as stock exchange lists); making enquiries through a business information service or credit bureau; confirming a company's status with an appropriate legal or accounting firm; or undertaking other enquiries that are commercially reasonable.
FC-1.2.13
In the case of group insurance policies (such as group life or medical insurance), customer identification may be limited to the principal shareholders and Directors of the contracting company.
Amended: January 2007
FC-1.3 Enhanced Customer Due Diligence: General Requirements
FC-1.3.1
Enhanced customer due diligence must be performed on those customers identified as having a higher risk profile, and additional inquiries made or information obtained in respect of those customers. If the insurance licensee determines that a beneficiary who is a legal person or a legal arrangement presents a higher risk, it must take enhanced measures which must include reasonable measures to identify and verify the identity of the beneficial owner of the beneficiary, at the time of payout.
Amended: January 2022
Amended: January 2007
FC-1.3.2
Licensees should examine, as far as reasonably possible, the background and purpose of all complex, unusual large transactions, and all unusual patterns of transactions, which have no apparent economic or lawful purpose. Where the risks of money laundering or terrorist financing are higher, licensees should conduct enhanced CDD measures, consistent with the risks identified. In particular, they should increase the degree and nature of monitoring of the business relationship, in order to determine whether those transactions or activities appear unusual or suspicious. The additional inquiries or information referred to in Paragraph FC-1.3.1 include:
(a) Obtaining additional information on the customer (e.g. occupation, volume of assets, information available through public databases, internet, etc.), and updating more regularly the identification data of customer and beneficial owner;
(b) Obtaining additional information on the intended nature of the business relationship;
(c) Obtaining information on the source of funds or source of wealth of the customer;
(d) Obtaining information on the reasons for intended or performed transactions;
(e) Obtaining the approval of senior management to commence or continue the business relationship;
(f) Conducting enhanced monitoring of the business relationship, by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination;
(g) Taking specific measures to identify the source of the first payment in this account and applying RBA to ensure that there is a plausible explanation in any case where the first payment was not received from the same customer’s account;
(h) Obtaining evidence of a person's permanent address through the use of a credit reference agency search, or through independent governmental database or by home visit;
(i) Obtaining a personal reference (e.g. by an existing customer of the insurance licensee);
(j) Obtaining another licensed entity’s reference and contact with the concerned licensee regarding the customer;
(k) Obtaining documentation outlining the customer’s source of wealth;
(l) Obtaining additional documentation outlining the customer’s source of income; and
(m) Obtaining additional independent verification of employment or public position held.
Amended: January 2022
Amended: January 2007
FC-1.4 Enhanced Customer Due Diligence: Non face-to-face Business and New Technologies
FC-1.4.1
Insurance licensees must establish specific procedures for verifying customer identity where no face-to-face contact takes place.
Amended: January 2007
FC-1.4.2
Where no face-to-face contact takes place, insurance licensees must take additional measures (to those specified in Section FC-1.2), in order to mitigate the potentially higher risk associated with such business. In particular, insurance licensees must take measures:
(a) To ensure that the customer is the person they claim to be; and
(b) To ensure that the address provided is genuinely the customer's.
Amended: January 2007
FC-1.4.3
There are a number of checks that can provide an insurance licensee with a reasonable degree of assurance as to the authenticity of the applicant. They include:
(a) Telephone contact with the applicant on an independently verified home or business number;
(b) With the customer’s consent, contacting an employer to confirm employment, via phone through a listed number or in writing;
(c) Requiring a premium payment to be made from an account in the customer’s name at a bank having equivalent CDD standards;
(d) Independent verification of employment (e.g. through the use of a national E-KYC application, or public position held;
(e) Carrying out additional searches (e.g. internet searches using independent and open sources) to better inform the customer risk profile;
(f) Carrying out additional searches focused on financial crime risk indicator (i.e. negative news);
(g) Evaluating the information provided with regard to the destination of fund and the reasons for the transaction;
(h) Seeking and verifying additional information from the customer about the purpose and intended nature of the transaction or the business relationship; and
(i) Increasing the frequency and intensity of transaction monitoring.
Amended: January 2022
Amended: January 2007
FC-1.4.4
Financial services provided using digital channels or internet pose greater challenges for customer identification and AML/CFT purposes. Insurance licensees must identify and assess the money laundering or terrorist financing risks relevant to any new technology or channel and establish procedures to prevent the misuse of technological developments in money laundering or terrorist financing schemes. The risk assessments must be consistent with the requirements in Section FC-C.2.
Amended: January 2022
Amended: January 2007
FC-1.4.5
Insurance licensees must identify and assess the money laundering or terrorist financing risks that may arise in relation to:
(a) The development of new products and new business practices, including new delivery mechanisms; and
(b) The use of new or developing technologies for both new and pre-existing products.
Added: October 2015
FC-1.4.6
For purposes of Paragraph FC-1.4.5, such a risk assessment consistent with the requirements in Section FC-C.2 and must take place prior to the launch of the new products, business practices or the use of new or developing technologies. Insurance licensees must take appropriate measures to manage and mitigate those risks.
Amended: January 2022
Added: October 2015
Enhanced Monitoring
FC-1.4.7
Customers onboarded digitally must be subject to enhanced on-going account monitoring measures.
Added: January 2022
FC-1.4.8
The CBB may require a licensee to share the details of the enhanced monitoring and the on-going monitoring process for non face-to-face customer relationships.
Added: January 2022
Licensee’s digital ID applications
FC-1.4.9
Insurance licensees may use its digital ID applications that use secure audio-visual real time (live video conferencing/live photo selfies) communication means to identify the natural person.
Added: January 2022
FC-1.4.10
Insurance licensees must maintain a document available upon request for the use of its digital ID applications that includes all the following information:
(a) A description of the nature of products and services for which the proprietary digital ID application is planned to be used with specific references to the rules in this Module for which it will be used;
(b) A description of the systems and IT infrastructure that are planned to be used;
(c) A description of the technology and applications that have the features for facial recognition or biometric recognition to authenticate independently and match the face and the customer identification information available with the licensee. The process and the features used in conjunction with video conferencing include, among others, face recognition, three-dimensional face matching techniques etc;
(d) “Liveness” checks created in the course of the identification process;
(e) A description of the governance arrangements related to this activity including the availability of specially trained personnel with sufficient level of seniority; and
(f) Record keeping arrangements for electronic records to be maintained and the relative audit.
Added: January 2022
FC-1.4.11
Insurance licensees that intend to use its digital ID application to identify the customer and verify identity information must meet the following additional requirements:
(a) The digital ID application must make use of secure audio visual real time (live video conferencing/live photo selfies) technology to (i) identify the customer, (ii) verify his/her identity, and also (iii) ensure the data and documents provided are authentic;
(b) The picture/sound quality must be adequate to facilitate unambiguous identification;
(c) The digital ID application must include or be combined with capability to read and decrypt the information stored in the identification document’s machine readable zone (MRZ) for authenticity checks from independent and reliable sources;
(d) Where the MRZ reader is with an outsourced provider, the licensee must ensure that such party is authorized to carry out such services and the information is current and up to date and readily available such that the licensee can check that the decrypted information matches the other information in the identification document;
(e) The digital ID application has the features for allowing facial recognition or biometric recognition that can authenticate and match the face and the customer identification documents independently;
(f) The digital ID solution has been tested by an independent expert covering the governance and control processes to ensure the integrity of the solution and underlying methodologies, technology and processes and risk mitigation. The report of the expert’s findings must be retained and available upon request;
(g) The digital ID application must enable an ongoing process of retrieving and updating the digital files, identity attributes, or data fields which are subject to documented access rights and authorities for updating and changes; and
(h) The digital ID application must have the geo-location features which must be used by the licensee to ensure that it is able to identify any suspicious locations and to make additional inquiries if the location from which a customer is completing the onboarding process does not match the location of the customer based on the information and documentation submitted.
Added: January 2022
FC-1.4.12
Insurance licensees using its digital ID application must establish and implement an approved policy which lays down the governance, control mechanisms, systems and procedures for the CDD which include:
(a) A description of the nature of products and services for which customer due diligence may be conducted through video conferencing or equivalent electronic means;
(b) A description of the systems, controls and IT infrastructure planned to be used;
(c) Governance mechanism related to this activity;
(d) Specially trained personnel with sufficient level of seniority; and
(e) Record keeping arrangements for electronic records to be maintained and the relative audit trail.
Added: January 2022
FC-1.4.13
Insurance licensees must ensure that the information referred to in Paragraph FC-1.2.1 is collected in adherence to privacy laws and other applicable laws of the country of residence of the customer.
Added: January 2022
FC-1.4.14
Insurance licensees must ensure that the information referred to in Subparagraphs FC-1.2.1 (a) to (f) is obtained prior to commencing the digital verification such that:
(a) The licensee can perform its due diligence prior to the digital interaction/communication and can raise targeted questions at such interaction/communication session; and
(b) The licensee can verify the authenticity, validity and accuracy of such information through digital means (See Paragraph FC-1.4.16 below) or by use of the methods mentioned in Paragraph FC-1.2.3 and/or FC-1.4.3 as appropriate.
Added: January 2022
FC-1.4.15
The licensee must also obtain the customer’s explicit consent to record the session and capture images as may be needed.
Added: January 2022
FC-1.4.16
Insurance licensees must verify the information in Paragraph FC-1.2.1 (a) to (f) by the following methods below:
(a) Confirmation of the date of birth and legal name by digital reading and authenticating current valid passport or other official original identification using machine readable zone (MRZ) or other technology which has been approved under paragraph FC-1.4.9, unless the information was verified using national E-KYC application;
(b) Performing real time video calls with the applicant to identify the person and match the person’s face and /other features through facial recognition or bio-metric means with the office documentation, (e.g. passport, CPR);
(c) Matching the official identification document, (e.g. passport, CPR) and related information provided with the document captured/displayed on the live video call; and
(d) Confirmation of the permanent residential address by, unless the information was verified using national E-KYC application capturing live, the recent utility bill, bank statement or similar statement from another licensee or financial institution, or some form of official correspondence or official documentation card, such as national identity card or CPR, from a public/governmental authority, or a tenancy agreement or record of home visit by an official of the insurance licensee.
Added: January 2022
FC-1.4.17
For the purposes of Paragraph FC-1.4.16, actions taken for obtaining and verifying customer identity could include:
(a) Collection: Present and collect identity attributes and evidence, either in person and/or online (e.g., by filling out an online form, sending a selfie photo, uploading photos of documents such as passport or driver’s license, etc.);
(b) Certification: Digital or physical inspection to ensure the document is authentic and its data or information is accurate (for example, checking physical security features, expiration dates, and verifying attributes via other services);
(c) De-duplication: Establish that the identity attributes and evidence relate to a unique person in the ID system (e.g., via duplicate record searches, biometric recognition and/or deduplication algorithms);
(d) Verification: Link the individual to the identity evidence provided (e.g., using biometric solutions like facial recognition and liveness detection); and
(e) Enrolment in identity account and binding: Create the identity account and issue and link one or more authenticators with the identity account (e.g., passwords, one-time code (OTC) generator on a smartphone, etc.). This process enables authentication.
Added: January 2022
FC-1.4.18
Not all elements of a digital ID system are necessarily digital. Some elements of identity proofing and enrolment can be either digital or physical (documentary), or a combination, but binding and authentication must be digital.
Added: January 2022
FC-1.4.19
Sufficient controls must be put in place to safeguard the data relating to customer information collected through the video conference and due regard must be paid to the requirements of the Personal Data Protection Law (PDPL). Additionally, controls must be put in place to minimize the increased impersonation fraud risk in such non face-to-face relationship where there is a chance that customer may not be who he claims he is.
Added: January 2022
Overseas branches
FC-1.4.20
Where insurance licensees intend to use a digital ID application in a foreign jurisdiction in which it operates, it must ensure that the digital ID application meets with the requirements under Paragraph FC-B.3.1.
Added: January 2022
FC-1.5 Enhanced Customer Due Diligence: Politically Exposed Persons ('PEPs')
FC-1.5.1
Insurance licensees must have appropriate risk management systems to determine whether a customer or beneficial owner is a Politically Exposed Person ('PEP'), both at the time of establishing business relations and thereafter on a periodic basis. Licensees must utilise publicly available databases and information to establish whether a customer is a PEP.
Amended: July 2016
Amended: October 2015
Amended: January 2007
Amended: October 2007
FC-1.5.2
Insurance licensees must establish a client acceptance policy with regard to PEPs, taking into account the reputational and other risks involved. Senior management approval must be obtained before a PEP is accepted as a customer. Licensees must not accept a non-Bahraini PEP as a customer based on customer due diligence undertaken using digital ID applications.
Amended: January 2022
Amended: January 2007
FC-1.5.3
Where an existing customer is a PEP, or subsequently becomes a PEP, enhanced monitoring and customer due diligence measures must include:
(a) Analysis of complex financial structures, including trusts, foundations or international business corporations;
(b) A written record in the customer file to establish that reasonable measures have been taken to establish both the source of wealth and the source of funds;
(c) Development of a profile of anticipated customer activity, to be used in on-going monitoring;
(d) Approval of senior management for allowing the customer relationship to continue; and
(e) On-going account monitoring of the PEP's account by senior management (such as the MLRO).
Amended: January 2007
FC-1.5.3A
In cases of higher risk business relationships with such persons, mentioned in Paragraph FC-1.5.1, insurance licensees must apply the measures referred to in Subparagraphs FC-1.5.3 (b), (d) and (e).
Added: October 2015
FC-1.5.3B
The requirements for all types of PEP must also apply to family or close associates of such PEPs.
Added: October 2015
FC-1.5.3C
For the purpose of Paragraph FC-1.5.3B, 'family' means spouse, father, mother, sons, daughters, sisters and brothers. 'Associates' are persons associated with a PEP whether such association is due to the person being an employee or partner of the PEP or of a firm represented or owned by the PEP, or family links or otherwise.
Added: October 2015
FC-1.5.4
[This Paragraph was deleted in July 2016 as definition is included under Part B in the Glossary.]
Deleted: July 2016
Amended: October 2015
Amended: January 2007
FC-1.5.5
In relation to life insurance policies, insurance licensees must take reasonable measures to determine whether the beneficiaries and/or, where required, the beneficial owner of the beneficiary, are PEPs. This must occur, at the latest, at the time of the payout.
Added: January 2018
FC-1.5.6
Where higher risks are identified, senior management must be informed before the payout of the policy proceeds, in order to conduct enhanced scrutiny on the whole business relationship with the policyholder, and to consider making a suspicious transaction report.
Added: January 2018
FC-1.5A Enhanced Due Diligence: Charities, Clubs and Other Societies
FC-1.5A.1
Financial services must not be provided to charitable funds and religious, sporting, social, cooperative and professional and other societies, until an original certificate authenticated by the relevant Ministry confirming the identities of those purporting to act on their behalf (and authorising them to obtain the said service) has been obtained. Charities should be subject to enhanced monitoring by insurance licensees.
Added: January 2022
FC-1.5A.2
For the purpose of Paragraph FC-1.5A.1, for clubs and societies registered with the Ministry of Youth and Sport Affairs, insurance licensees must contact the Ministry to clarify whether a policy may be issued in accordance with the rules of the Ministry. In addition, in the case of sport associations registered with the Bahrain Olympic Committee (BOC), insurance licensees must contact BOC to clarify whether the policy may be issued in accordance with the rules of BOC.
Added: January 2022
FC-1.6 Simplified Customer Due Diligence
FC-1.6.1
Insurance licensees may apply simplified customer due diligence measures, as described in Paragraphs FC-1.6.2 to FC-1.6.8, if:
(a) The customer is the Central Bank of Bahrain ('CBB'), the Bahrain Bourse ('BHB') or a licensee of the CBB;
(b) The customer is a Ministry of a Gulf Cooperation Council ('GCC') or Financial Action Task Force ('FATF') member state government, a company in which a GCC government is a majority shareholder, or a company established by decree in the GCC;
(c) The customer is a company listed on a GCC or FATF member state stock exchange with equivalent disclosure standards to those of the BHB;
(d) The customer is a financial institution whose entire operations are subject to AML/CFT requirements consistent with the FATF Recommendations and it is supervised by a financial services supervisor in a FATF or GCC member state for compliance with those requirements;
(e) The customer is a financial institution that is a subsidiary of a financial institution located in a FATF or GCC member state, and the AML/CFT requirements applied to its parent also apply to the subsidiary; or
(f) [This Subparagraph was deleted in January 2018].
(g) The transaction is a long-term insurance contract, either taken out in connection with a pension scheme relating to the customer's employment or occupation, or contains a no surrender clause and cannot be used as security for a loan.
Amended: January 2019
Amended: January 2018
Amended: October 2015
Amended: January 2007
FC-1.6.2
For customers falling under the categories (a) to (e) specified in Paragraph FC-1.6.1, the information required under Paragraph FC-1.2.1 (for natural persons) or FC-1.2.7 (for legal entities or legal arrangements such as trusts) must be obtained. However, the verification and certification requirements in Paragraphs FC-1.2.3 and FC-1.2.8, and the due diligence requirements in Paragraph FC-1.2.11, may be dispensed with.
Amended: January 2007
FC-1.6.3
[This Paragraph was deleted in July 2018].
Deleted: July 2018
Amended: January 2007
FC-1.6.4
Insurance licensees wishing to apply simplified due diligence measures as allowed for under Paragraph FC-1.6.1 must retain documentary evidence supporting their categorisation of the customer.
Amended: January 2007
FC-1.6.5
Examples of such documentary evidence may include a printout from a regulator's website, confirming the licensed status of an institution, and internal papers attesting to a review of the AML/CFT measures applied in a jurisdiction.
FC-1.6.6
For customers coming under Paragraph FC-1.6.1 (e), licensees must also obtain and retain a written statement from the parent institution of the subsidiary concerned, confirming that the subsidiary is subject to the same AML/CFT measures as its parent.
Amended: January 2007
FC-1.6.7
[This Paragraph was deleted in January 2007]
Deleted: January 2007
FC-1.6.8
Simplified customer due diligence measures must not be applied where a licensee knows, suspects, or has reason to suspect, that the applicant is engaged in money laundering or terrorism financing or that the transaction is carried out on behalf of another person engaged in money laundering or terrorism financing.
FC-1.6.8A
Simplified customer due diligence measures must not be applied in situations where the licensee has identified high ML/TF/PF risks.
Added: January 2022
FC-1.6.9
[This Paragraph was deleted in July 2018].
Deleted: July 2018
FC-1.6.10
[This Paragraph was deleted in July 2018].
Deleted: July 2018
Amended: January 2007
FC-1.7 Introduced Business from Professional Intermediaries
FC-1.7.1
Insurance licensees may only accept customers introduced to them by other financial institutions or intermediaries, if they have satisfied themselves that the financial institution or intermediary concerned is subject to FATF-equivalent measures and customer due diligence measures. Where an insurance licensee delegates part of the customer due diligence measures to another financial institution or intermediary, the responsibility for meeting the requirements of this Chapter remains with the insurance licensee, not the third party.
Amended: January 2018
Amended: January 2007
FC-1.7.2
Insurance licensees may only accept introduced business if all of the following conditions are satisfied:
(a) The customer due diligence measures applied by the introducer are consistent with those required by the FATF Recommendations;
(b) A formal agreement is in place defining the respective roles of the licensee and the introducer in relation to customer due diligence measures. The agreement must specify that the customer due diligence measures of the introducer will comply with the FATF Recommendations;
(c) The introducer is able to provide all relevant data pertaining to the customer's identity, the identity of the policyholder and beneficiary of the policy and, where applicable, the party/parties on whose behalf the customer is acting; also, the introducer has confirmed that the licensee will be allowed to verify the customer due diligence measures undertaken by the introducer at any stage; and
(d) Written confirmation is provided by the introducer confirming that all customer due diligence measures required by the FATF Recommendations have been followed and the customer's identity established and verified. In addition, the confirmation must state that any identification documents or other customer due diligence material can be accessed by the insurance licensee and that these documents will be kept for at least five years after the policy relationship has ended.
Amended: October 2015
Amended: January 2007
Amended: October 2007
Amended: April 2008
FC-1.7.3
The
insurance licensee must perform periodic reviews ensuring that any introducer on which it relies is in compliance with the FATF Recommendations. Where the introducer is resident in another jurisdiction, theinsurance licensee must also require the introducer to perform periodic reviews to verify whether the jurisdiction is in compliance with the FATF Recommendations.Amended: October 2015FC-1.7.4
Should the
insurance licensee not be satisfied that the introducer is in compliance with the requirements of the FATF Recommendations, the licensee must conduct its own customer due diligence or not accept or continue the business relationship.Amended: October 2015FC-1.8 Reliance on Third Parties for Customer Due Diligence
FC-1.8.1
Licensees are permitted to rely on third parties to perform elements of CDD measures and recordkeeping requirements stipulated in Chapter FC-1 related to customer and beneficial owner identity, verification of their identity and information on the purpose and intended nature of the business relationship with the licensee, subject to complying with the below:
(a) Licensees remain ultimately responsible for CDD measures;
(b) Licensees immediately obtain the relevant CDD information from the third party upon onboarding clients;
(c) There is an agreement with the third party for the arrangement with clear contractual terms on the obligations of the third party;
(d) The third party without delay makes available the relevant documentation relating to the CDD requirements upon request;
(e) Licensees ensure that the third party is a financial institution that is regulated and supervised for, and has measures in place for compliance with, CDD and recordkeeping requirements in line with FATF Recommendations 10 and 11; and
(f) For third parties based abroad, licensees must consider the information available on the level of country risk.
Added: October 2023
FC-1.8.2
Where a licensee relies on a third-party that is part of the same financial group, the licensee can consider that:
(a) The requirements under Subparagraphs FC-1.8.1 (d) and (e) are complied with through its group programme, provided the group satisfies the following conditions:
(i) The group applies CDD and record keeping requirements consistent with FATF Recommendations 10, 11 and 12 and has in place internal controls in accordance with FATF Recommendation 18; and
(ii) The implementation of CDD, record keeping and AML/CFT measures are supervised at a group level by a financial services regulatory authority for compliance with AML/CFT requirements consistent with standards set by the FATF.
(b) The requirement under Subparagraph FC-1.8.1 (f) is complied with if the country risk is adequately mitigated by the group’s AML/CFT policies.
Added: October 2023
FC-1.8.3
This Section does not apply to outsourcing or agency arrangements in which the outsourced entity applies the CDD measures on behalf of the delegating licensee, in accordance with its procedures.
Added: October 2023
FC-2 AML / CFT Systems and Controls
FC-2.1 General Requirements
FC-2.1.1
Insurance licensees must implement programmes against money laundering and terrorist financing which establish and maintain appropriate systems and controls for compliance with the requirements of this Module and which limit their vulnerability to financial crime. These systems and controls must be documented, and approved and reviewed annually by the Board of the licensee. The documentation, and the Board's review and approval, must be made available upon request to the CBB.
Amended: October 2015
Amended: January 2007
FC-2.1.2
Where the insurance licensee is an unincorporated entity, the annual review and approval should be undertaken by the most senior person with oversight responsibilities for the licensee, such as its General Manager or managing partner.
Amended: October 2007
FC-2.1.3
The above systems and controls, and associated documented policies and procedures, should cover standards for customer acceptance, on-going monitoring of high-risk accounts, staff training and adequate screening procedures to ensure high standards when hiring employees.
Amended: October 2007
FC-2.1.4
Insurance licensees must incorporate Key Performance Indicators (KPIs) to ensure compliance with AML/CFT requirements by all staff. The performance against the KPIs must be adequately reflected in their annual performance evaluation and in their remuneration (See also Paragraph HC-5.4.3).
Added: April 2020
FC-2.1.5
In implementing the policies, procedures and monitoring tools for ensuring compliance with Paragraph FC-2.1.4, insurance licensees should consider the following:
(a) The business policies and practices should be designed to reduce incentives for staff to expose the insurance licensee to AML/CFT compliance risk;
(b) The performance measures of departments/divisions/units and personnel should include measures to address AML/CFT compliance obligations;
(c) AML/CFT compliance breaches and deficiencies should be attributed to the relevant departments/divisions/units and personnel within the organisation as appropriate;
(d) Remuneration and bonuses should be adjusted for AML/CFT compliance breaches and deficiencies; and
(e) Both quantitative measures and human judgement should play a role in determining any adjustments to the remuneration and bonuses resulting from the above.
Added: April 2020
FC-2.2 On-going Customer Due Diligence and Transaction Monitoring
Risk-Based Monitoring
FC-2.2.1
Insurance licensees must develop risk-based monitoring systems appropriate to the complexity of their business, their number of clients and types of transactions. These systems must be configured to identify significant or abnormal transactions or patterns of activity. Such systems must include limits on the number, types or size of transactions undertaken outside expected norms; and must include limits for cash and non-cash transactions.
FC-2.2.2
Insurance licensees' risk-based monitoring systems should therefore be configured to help identify:
(a) Transactions which do not appear to have a clear purpose or which make no obvious economic sense;
(b) Significant or large transactions not consistent with the normal or expected behaviour of a customer; and
(c) Unusual patterns of activity (relative to other customers of the same profile or of similar types of transactions, for instance because of differences in terms of volumes, transaction type, or flows to or from certain countries), or activity outside the expected or regular pattern of a customer's account activity.
Amended: January 2007
Automated Transaction Monitoring
FC-2.2.3
Insurance licensees must consider the need to include automated transaction monitoring as part of their risk-based monitoring systems. In the absence of automated transaction monitoring systems, all transactions above BD 6,000 must be viewed as 'significant' and be captured in a daily transactions report for monitoring by the MLRO or a relevant delegated official, and records retained by the insurance licensee for five years after the date of the transaction.
Amended: January 2007
Amended: October 2007
Amended: April 2008
Unusual Transactions or Customer Behaviour
FC-2.2.5
In instances where an insurance licensee’s risk-based monitoring systems identify significant or abnormal transactions (as defined in FC-2.2.2 and FC-2.2.3), it must verify the source of funds for those transactions, particularly where the transactions are above the transactions threshold of BD 6,000. Furthermore, insurance licensees must examine the background and purpose to those transactions and document their findings.
Amended: January 2022
FC-2.2.6
The investigations required under FC-2.2.5 must be carried out by the MLRO (or relevant delegated official). The documents relating to these findings must be maintained for five years from the date when the transaction was completed (see also FC-6.1.1(b)).
Amended: October 2007
Amended: April 2008
FC-2.2.7
Insurance licensees must consider instances where there is a significant, unexpected or unexplained change in the behaviour of policyholders' account (e.g., early surrenders). Insurance licensees must be extra vigilant to the particular risks involved in the buying and selling of second hand endowment policies, as well as the use of single premium unit-linked policies. Insurance licensees must check any reinsurance or retrocession to ensure that monies are paid to bona fide reinsurance entities at rates commensurate with the risks underwritten.
Amended: January 2007
FC-2.2.8
When an existing customer cancels a policy and applies for another, the insurance licensee must review its customer identity information and update its records accordingly. Where the information available falls short of the requirements contained in Chapter FC-1, the missing or out of date information must be obtained and re-verified with the customer.
Amended: January 2007
FC-2.2.9
Once identification procedures have been satisfactorily completed and, as long as records concerning the customer are maintained in line with Chapters FC-1 and FC-6, no further evidence of identity is needed when transactions are subsequently undertaken within the expected level and type of activity for that customer, provided reasonably regular contact has been maintained between the parties and no doubts have arisen as to the customer's identity.
Amended: January 2007
On-going Monitoring
FC-2.2.10
Insurance licensees must take reasonable steps to:
(a) Scrutinize transactions undertaken throughout the course of that relationship to ensure that transactions being conducted are consistent with the insurance licensee's knowledge of the customer, their business risk and risk profile; and
(b) Ensure that they receive and maintain up-to-date and relevant copies of the identification documents specified in Chapter FC-1, by undertaking reviews of existing records, particularly for higher risk categories of customers.
Insurance licensees must require all customers to provide up-to-date identification documents in their standard terms and conditions of business.
Amended: October 2017
Amended: January 2007
FC-2.2.11
Insurance licensees must review and update their customer due diligence information at least every three years, particularly for higher risk categories of customers. If, upon performing such a review, copies of identification documents are more than 12 months out of date, the insurance licensee must take steps to obtain updated copies as soon as possible.
Amended: October 2017
FC-3 Money Laundering Reporting Officer
FC-3.1 Appointment of MLRO
FC-3.1.1
Insurance firms (except captive insurance firms managed by an insurance manager), insurance brokers and insurance managers (that manage a captive insurance firm) must appoint a Money Laundering Reporting Officer ('MLRO'). In the case of insurance managers that manage captive insurance firms, the insurance manager must appoint a MLRO for each of the captive insurance firms under its management.
Amended: January 2007
Amended: October 2007
FC-3.1.2
Insurance managers may nominate the same individual to act as MLRO for more than one captive insurance firm, providing this person can meet in full the responsibilities of MLRO for each captive insurance firm in question.
Amended: January 2007
FC-3.1.3
The position of MLRO is a controlled function and the MLRO is an approved person.
FC-3.1.4
For details of the CBB's requirements regarding controlled functions and approved persons, see Section AU-1.2. Amongst other things, approved persons require CBB approval before being appointed, which is granted only if they are assessed as 'fit and proper' for the function in question. A completed Form 3 must accompany any request for CBB approval.
Amended: January 2007
FC-3.1.5
The position of MLRO must not be combined with functions that create potential conflicts of interest, such as an internal auditor or business line head. The position of MLRO may not be outsourced.
FC-3.1.6
Subject to Paragraph FC-3.1.5, however, the position of MLRO may otherwise be combined with other functions in the insurance licensee, such as that of Compliance Officer, in cases where the volume and geographical spread of the business is limited and, therefore, the demands of the function are not likely to require a full time resource. Paragraph FC-3.1.9 requires that the MLRO is a Director or employee of the licensee, so the function may not be outsourced to a third party employee.
Amended: January 2007
Amended: October 2007
FC-3.1.6A
For purposes of Paragraphs FC-3.1.5 and FC-3.1.6 above, insurance licensees must clearly state in the Application for Approved Person Status — Form 3 — when combining the MLRO or DMLRO position with any other position within the insurance licensee.
Added: October 2017
FC-3.1.7
Insurance licensees must appoint at least one deputy MLRO (or more depending on the scale and complexity of the licensee's operations). The deputy MLRO(s) must be resident in Bahrain unless otherwise agreed with the CBB.
Amended: January 2007
FC-3.1.7A
The deputy MLRO should be able to support the MLRO in discharging his responsibilities and to deputise for him in his absence. In the case of insurance licensees undertaking significant overseas business, the CBB would normally expect to see one or more deputy MLRO(s) residing in the jurisdiction(s) where the bulk of the customer business is processed. In such cases, the CBB would normally agree to an application for an exemption from the residency requirement in Rule FC-3.1.7.
Amended: January 2007
FC-3.1.8
Insurance licensees should note that although the MLRO may delegate some of his functions, either to other employees of the licensee or even (in the case of larger groups) to individuals performing similar functions for other group entities, the responsibility for compliance with the requirements of this Module remains with the licensee and the designated MLRO.
Amended: January 2007
FC-3.1.9
So that he can carry out his controlled function effectively, insurance licensees must ensure that their MLRO:
(a) Is a member of senior management of the licensee;
(b) Has a sufficient level of seniority within the insurance licensee, has the authority to act without interference from business line management and has direct access to the Board and senior management (where necessary);
(c) Has sufficient resources, including sufficient time and (if necessary) support staff, and has designated a replacement to carry out the function should the MLRO be unable to perform his duties;
(d) Has unrestricted access to all transactional information relating to any financial services provided by the insurance licensee to a customer, or any transactions conducted by the insurance licensee on behalf of that customer;
(e) Is provided with timely information needed to identify, analyse and effectively monitor customer accounts;
(f) Has access to all customer due diligence information obtained by the insurance licensee; and
(g) Is resident in Bahrain.
Amended: October 2011
Amended: January 2007
Amended: October 2007
FC-3.1.10
In addition, insurance licensees must ensure that their MLRO is able to:
(a) Monitor the day-to-day operation of their policies and procedures relevant to this Module; and
(b) Respond promptly to any reasonable request for information made by the Financial Intelligence Directorate or the CBB.
Amended: October 2019
Amended: April 2010
Amended: October 2007
Amended: January 2007
FC-3.1.11
If the position of MLRO falls vacant, the insurance licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the licensee must make immediate interim arrangements (including the appointment of an acting MLRO) to ensure continuity in the MLRO function's performance. These interim arrangements must be approved by the CBB.
Amended: January 2007
FC-3.2 Responsibilities of the MLRO
FC-3.2.1
The MLRO is responsible for:
(a) Establishing and maintaining the insurance licensee's AML/CFT policies and procedures;
(b) Ensuring that the licensee complies with the AML Law and any other applicable AML/CFT legislation and this Module;
(c) Ensuring day-to-day compliance with the licensee's own internal AML/CFT policies and procedures;
(d) Acting as the insurance licensee's main point of contact in respect of handling internal suspicious transactions reports from the licensee's staff (refer to Section FC-4.1) and as the main contact for the Financial Intelligence Directorate, the CBB and other concerned bodies regarding AML/CFT;
(e) Making external suspicious transactions reports to the Financial Intelligence Directorate and the Compliance Directorate (refer to Section FC-4.2);
(f) Taking reasonable steps to establish and maintain adequate arrangements for staff awareness and training on AML/CFT matters (whether internal or external), as per Chapter FC-5;
(g) Producing annual reports on the effectiveness of the licensee's AML/CFT controls, for consideration by senior management, as per Paragraph FC-3.3.3;
(h) On-going monitoring of what may, in his opinion, constitute high-risk customer accounts; and
(i) Ensuring that the insurance licensee maintains all necessary CDD, transactions, STR and staff training records for the required periods (refer to Section FC-6.1).
Amended: October 2019
Amended: October 2015
Amended: April 2010
Amended: January 2007
FC-3.3 Compliance Monitoring
Annual Compliance Review
FC-3.3.1
Insurance licensees must take appropriate steps to identify and assess their money laundering and terrorist financing risks (for customers, countries or geographic areas; and products, services, transactions or delivery channels). They must document those assessments in order to be able to demonstrate their basis, keep these assessments up to date, and have appropriate mechanisms to provide risk assessment information to the CBB. The nature and extent of any assessment of money laundering and terrorist financing risks must be appropriate to the nature and size of the business.
Added: October 2015
FC-3.3.1A
Insurance licensees should always understand their money laundering and terrorist financing risks, but the CBB may determine that individual documented risk assessments are not required, if the specific risks inherent to the sector are clearly identified and understood.
Added: October 2015
FC-3.3.1B
An insurance licensee must review the effectiveness of its AML/CFT procedures, systems and controls at least once each calendar year. The review must cover the licensee and its branches and subsidiaries both inside and outside the Kingdom of Bahrain. An insurance licensee must monitor the implementation of those controls and enhance them if necessary. The scope of the review must include:
(a) A report, containing the number of internal reports made in accordance with Section FC-4.1, a breakdown of all the results of those internal reports and their outcomes for each segment of the licensee's business, and an analysis of whether controls or training need to be enhanced;
(b) A report, indicating the number of external reports made in accordance with Section FC-4.2 and, where an insurance licensee has made an internal report but not made an external report, noting why no external report was made;
(c) A sample test of compliance with this Module's customer due diligence requirements; and
(d) A report as to the quality of the licensee's anti-money laundering procedures, systems and controls, and compliance with the AML Law and this Module.
Amended: January 2022
Amended: October 2015
Amended: January 2007
Amended: October 2007
FC-3.3.2
The reports listed under Paragraph FC-3.3.1B (a) and (b) must be made by the MLRO. The sample testing and report required under Paragraph FC-3.3.1B (c) and (d) must be made by the licensee’s external auditor or a consultancy firm approved by the CBB.
Amended: January 2022
Amended: January 2019
Amended: October 2011
Amended: January 2007
Amended: October 2007
FC-3.3.2A
In order for a consultancy firm to be approved by the CBB for the purposes of Paragraph FC-3.3.2, such firm should provide the CBB's Compliance Directorate with:
(a) A sample AML/CFT report prepared for a financial institution;
(b) A list of other AML/CFT related work undertaken by the firm;
(c) A list of other audit/review assignments undertaken, specifying the nature of the work done, date and name of the licensee; and
(d) An outline of any assignment conducted for or in cooperation with an international audit firm.
Added: October 2011
FC-3.3.2B
The firm should indicate which personnel (by name) will work on the report (including, where appropriate, which individual will be the team leader) and demonstrate that all such persons have appropriate qualifications in one of the following areas:
(a) Audit;
(b) Accounting;
(c) Law; or
(d) Banking/Finance.
Added: October 2011
FC-3.3.2C
At least two persons working on the report (one of whom would normally be expected to be the team leader) should have:
(a) A minimum of 5 years professional experience dealing with AML/CFT issues; and
(b) Formal AML/CFT training.
Added: October 2011
FC-3.3.2D
Submission of a curriculum vitae for all personnel to be engaged on the report is encouraged for the purposes of evidencing the above requirements.
Added: October 2011
FC-3.3.2E
Upon receipt of the above required information, the CBB Compliance Directorate will assess the firm and communicate to it whether it meets the criteria required to be approved by the CBB for this purpose. The CBB may also request any other information it considers necessary in order to conduct the assessment.
Added: October 2011
FC-3.3.3
The items listed under Paragraph FC-3.3.1B must be submitted to the licensee's Board, for it to review and commission any required remedial measures, and copied to the licensee's senior management.
Amended: January 2019
FC-3.3.4
The purpose of the annual compliance review is to assist a licensee's Board and senior management to assess, amongst other things, whether internal and external reports are being made (as required under Chapter FC-4), and whether the overall number of such reports (which may otherwise appear satisfactory) does not conceal inadequate reporting in a particular segment of the licensee's business (or, where relevant, in particular branches or subsidiaries). Licensees should use their judgement as to how the reports listed under Paragraph FC-3.3.1B (a) and (b) should be broken down in order to achieve this aim (e.g. by branches, departments and product lines).
Amended: January 2019
Amended: January 2007
FC-3.3.5
Insurance licensees must instruct their appointed firm to produce the report referred to in Paragraph FC-3.3.1B (c) and (d). The report must be submitted to the CBB by the 30th of June of the following year. The findings of this review must be received and acted upon by the licensee.
Amended: January 2022
Amended: January 2020
Amended: January 2019
Amended: January 2012
Amended: October 2007
Amended: January 2007
FC-3.3.5A
[This Paragraph was deleted in January 2019].
Deleted: January 2019
Added: January 2007
FC-3.3.6
[This Paragraph was deleted in January 2022].
Deleted: January 2022
Amended: January 2012
Amended: October 2007
FC-3.3.7
[This Paragraph was deleted in January 2022].
Deleted: January 2022
Amended: January 2020
Added: January 2007
Amended: April 2008
Amended: January 2019
FC-4 Suspicious Transaction Reporting
FC-4.1 Internal Reporting
FC-4.1.1
Insurance licensees must implement procedures to ensure that staff who handle customer business (or are managerially responsible for such staff) make a report promptly to the MLRO if they know or suspect that a customer (or a person on whose behalf a customer may be acting) is engaged in money laundering or terrorism financing, or if the transaction or customer's conduct otherwise appears unusual or suspicious. These procedures must include arrangements for disciplining any member of staff who fails, without reasonable excuse, to make such a report.
Amended: January 2007
FC-4.1.2
Suspicious transaction or conduct may include a claim made in suspicious circumstances, a policy surrendered soon after inception or in circumstances that would otherwise appear contrary to the interests of a reasonable policyholder. If a prospective policyholder does not pursue an application, this may be considered suspicious in itself. Item FC (iv) in Part B of Volume 3 (Insurance) provides further examples of transactions that may be suspicious or unusual.
Amended: January 2007
FC-4.1.3
Where insurance licensees' internal processes provide for staff to consult with their line managers before sending a report to the MLRO, such processes must not be used to prevent reports reaching the MLRO, where staff have stated that they have knowledge or suspicion that a transaction may involve money laundering or terrorist financing.
FC-4.2 External Reporting
FC-4.2.1
Insurance licensees must take reasonable steps to ensure that all reports made under Section FC-4.1 are considered by the MLRO (or his duly authorised delegate). Having considered the report and any other relevant information, if the MLRO (or his duly authorised delegate) still suspects that a person has been engaged in money laundering or terrorism financing, or the activity concerned is otherwise still regarded as suspicious, he must report the fact promptly to the relevant authorities. Where no report is made, the MLRO must document the reasons why.
Amended: January 2007
FC-4.2.2
To take reasonable steps, as required under Paragraph FC-4.2.1, insurance licensees must:
(a) Require the MLRO to consider reports made under Section FC-4.1 in the light of all relevant information accessible to or reasonably obtainable by the MLRO;
(b) Permit the MLRO to have access to any information, including know your customer information, in the insurance licensee's possession which could be relevant; and
(c) Ensure that where the MLRO, or his duly authorised delegate, suspects that a person has been engaged in money laundering or terrorist financing, a report is made by the MLRO which is not subject to the consent or approval of any other person.
Amended: January 2007
FC-4.2.3
Reports to the relevant authorities made under Paragraph FC-4.2.1 must be sent to the Financial Intelligence Directorate at the Ministry of Interior and the CBB's Compliance Directorate using the Suspicious Transaction Reporting Online System (Online STR system). STRs in paper format will not be accepted.
Amended: October 2019
Amended: July 2016
Amended: October 2014
Amended: April 2010
Amended: January 2007
FC-4.2.4
Insurance licensees must report all suspicious transactions or attempted transactions. This reporting requirement applies regardless of whether the transaction involves tax matters.
FC-4.2.5
Insurance licensees must retain all relevant details of STRs submitted to the relevant authorities, for at least five years.
Amended: October 2014
Amended: October 2007
Amended: April 2008
FC-4.2.6
In accordance with the AML Law, insurance licensees, their Directors, officers and employees:
(a) Must not warn or inform ('tipping off') the policyholder, beneficiary or other subjects of the STR when information relating to them is being reported to the relevant authorities; and
(b) In cases where insurance licensees form a suspicion that transactions relate to money laundering or terrorist financing, they must take into account the risk of tipping-off when performing the CDD process. If the insurance licensee reasonably believes that performing the CDD process will tip-off the customer or potential customer, it may choose not to pursue that process, and must file an STR.
Amended: January 2018
Amended: January 2007
Amended: October 2007
FC-4.3 Contacting the Relevant Authorities
FC-4.3.1
Reports made by the MLRO or his duly authorised delegate under Section FC-4.2 must be sent electronically using the Suspicious Transaction Reporting Online System (Online STR system).
Amended: October 2014
Amended: April 2010
Amended: January 2007
FC-4.3.2
The relevant authorities are:
Financial Intelligence Directorate (FID)
Ministry of Interior
P.O. Box 26698
Manama, Kingdom of Bahrain
Telephone: + 973 17 749397
Fax: + 973 17 715502
E-mail: bahrainfid@moipolice.bh
Director of the Compliance Directorate
Central Bank of Bahrain
P.O. Box 27
Manama, Kingdom of Bahrain
Telephone: 17 547107
Fax: 17 535673
E-mail: Compliance@cbb.gov.bh
Amended: October 2019
Added: October 2014
FC-5 Staff Training and Recruitment
FC-5.1 General Requirements
FC-5.1.1
An insurance licensee must take reasonable steps to provide periodic training and information to ensure that staff who handle customer transactions, or are managerially responsible for such transactions, are made aware of:
(a) Their responsibilities under the AML Law, this Module, and any other relevant AML/CFT laws and Regulations;
(b) The identity and responsibilities of the MLRO and his deputy;
(c) The potential consequences, both individual and corporate, of any breach of the AML Law, this Module and any other relevant AML/CFT laws or Regulations;
(d) The insurance licensee's current AML/CFT policies and procedures;
(e) Money laundering and terrorist financing typologies and trends;
(f) The type of customer activity or transaction that may justify an internal STR;
(g) The insurance licensee's procedures for making internal STRs; and
(h) Customer due diligence measures with respect to establishing business relations with customers.
Amended: January 2007
FC-5.1.2
The information referred to in Paragraph FC-5.1.1 must be brought to the attention of relevant new employees of insurance licensees, and must remain available for reference by staff during their period of employment and by the CBB.
Amended: January 2007
FC-5.1.3
Relevant new employees must be given AML/CFT training within three months of joining an insurance licensee.
Amended: January 2007
FC-5.1.4
Insurance licensees must ensure that their AML/CFT training for relevant staff remains up-to-date, and is appropriate given the licensee's activities and customer base.
Amended: January 2007
FC-5.1.5
The CBB would normally expect AML/CFT training to be provided to relevant staff at least once a year.
Amended: January 2007
FC-5.1.6
Insurance licensees must develop adequate screening procedures to ensure high standards when hiring employees. These procedures must include controls to prevent criminals or their associates from being employed by licensees.
Amended: January 2007
FC-5.1.6A
[This Paragraph was deleted in January 2022].
Deleted: January 2022
Added: January 2021
FC-6 Record-keeping Arrangements
FC-6.1 General Requirements
Policyholder/Transaction Records
FC-6.1.1
Insurance licensees must comply with the record-keeping requirements contained in the AML Law and the CBB Law. Insurance licensees must therefore retain adequate records (including accounting and identification records), for the following minimum periods:
(a) For customers, in relation to evidence of identity and business relationship records (such as application forms, account files and business correspondence, including the results of any analysis undertaken (e.g. enquiries to establish background and purpose of complex, unusual large transactions)), for at least five years after the customer relationship has ceased; and
(b) For transactions, in relation to documents enabling a reconstitution of the transaction concerned, for at least ten years after the transaction was completed.
Amended: October 2015
Amended: January 2007
Amended: October 2007
Amended: April 2008
Compliance Records
FC-6.1.2
Insurance licensees must retain copies of the reports produced for their annual compliance review, as specified in Paragraph FC-3.3.1B, for at least five years. Licensees must also maintain for five years reports made to, or by, the MLRO made in accordance with Sections FC-4.1 and FC-4.2, and records showing how these reports were dealt with and what action, if any, was taken as a consequence of those reports.
Amended: January 2007
Amended: October 2007
Amended: April 2008
Amended: January 2019
Training Records
FC-6.1.3
Insurance licensees must maintain for at least five years, records showing the dates when AML/CFT training was given, the nature of the training, and the names of the staff that received the training.
Amended: January 2007
Amended: October 2007
Amended: April 2008
Access
FC-6.1.4
All records required to be kept under this Section must be made available for prompt and swift access by the relevant authorities or other authorised persons.
FC-6.1.5
Insurance licensees are also reminded of the requirements contained in Chapter GR-1 (Books and Records).
FC-7 FC-7 NCCT Measures and Terrorist Financing
FC-7.1 FC-7.1 Special Measures for Non-Cooperative Countries or Territories ('NCCTs')
FC-7.1.1
Insurance licensees must give special attention to any dealings they may have with entities or persons domiciled in countries or territories which are:
(a) Identified by the FATF as being 'non-cooperative'; or
(b) Notified to insurance licensees from time to time by the CBB.
Amended: January 2007
FC-7.1.2
Whenever transactions with such parties have no apparent economic or visible lawful purpose, their background and purpose must be re-examined and the findings documented. If suspicions remain about the transaction, these must be reported to the relevant authorities in accordance with Section FC-4.2.
FC-7.1.3
Insurance licensees must apply enhanced due diligence measures to business relationships and transactions with natural and legal persons, and financial institutions, from countries where such measures are called for by the FATF. The type of enhanced due diligence measures applied must be effective and proportionate to the risks.
Added: October 2015
FC-7.1.4
With regard to jurisdictions identified as NCCTs or those which in the opinion of the CBB, do not have adequate AML/CFT systems, the CBB reserves the right to:
(a) Refuse the establishment of subsidiaries or branches or representative offices of financial institutions from such jurisdictions;
(b) Limit business relationships or financial transactions with such jurisdictions or persons in those jurisdictions;
(c) Prohibit financial institutions from relying on third parties located in such jurisdictions to conduct elements of the CDD process;
(d) Require financial institutions to review and amend, or if necessary terminate, correspondent relationships with financial institutions in such jurisdictions;
(e) Require increased supervisory examination and/or external audit requirements for branches and subsidiaries of financial institutions based in such jurisdictions; or
(f) Require increased external audit requirements for financial groups with respect to any of their branches and subsidiaries located in such jurisdictions.
Amended: January 2018
Added: October 2015
FC-7.2 FC-7.2 Terrorist Financing
FC-7.2.1AA
Insurance licensees must implement and comply with United Nations Security Council resolutions relating to the prevention and suppression of terrorism and terrorist financing. Insurance licensees must freeze, without delay, the funds or other assets of, and to ensure that no funds or other assets are made available, directly or indirectly, to or for the benefit of, any person or entity either (i) designated by, or under the authority of, the United Nations Security Council under Chapter VII of the Charter of the United Nations, including in accordance with resolution 1267(1999) and its successor resolutions as well as Resolution 2178(2014) or (ii) designated as pursuant to Resolution 1373(2001).
Amended: October 2019
Added: April 2017
FC-7.2.1
Insurance licensees must comply in full with the provisions of the UN Security Council Anti-terrorism Resolution No. 1373 of 2001 ('UNSCR 1373').
FC-7.2.2
[This Paragraph was deleted in January 2018].
Deleted: January 2018
Amended: January 2007
FC-7.2.3
A copy of UNSCR 1373 is included in Part B of Volume 3 (Insurance), under 'Supplementary Information'.
FC-7.2.4
Insurance licensees must report to the CBB details of:
(a) Funds or other financial assets or economic resources held with them which may be the subject of Article 1, Paragraphs (c) and (d) of UNSCR 1373;
(b) All claims, whether actual or contingent, which the insurance licensee has on persons and entities which may be the subject of Article 1, Paragraphs (c) and (d) of UNSCR 1373; and
(c) All assets frozen or actions taken in compliance with the prohibition requirements of the relevant UNSCRs, including attempted transactions.
Amended: January 2023
Amended: January 2007
FC-7.2.5
For the purposes of Paragraph FC-7.2.4, 'funds or other financial resources' includes (but is not limited to) shares in any undertaking owned or controlled by the persons and entities referred to in Article 1, Paragraph (c) and (d) of UNSCR 1373, and any associated dividends received by the licensee.
Amended: January 2007
FC-7.2.6
All reports or notifications under this Section must be made to the CBB's Compliance Directorate.
Amended: January 2007
FC-7.2.7
See Section FC-4.3 for the Compliance Directorate's contact details.
Amended: January 2007
FC-7.3 FC-7.3 Designated Persons and Entities
FC-7.3.1
Without prejudice to the general duty of all insurance licensees to exercise the utmost care when dealing with persons or entities who might come under Article 1, Paragraphs (c) and (d) of UNSCR 1373, insurance licensees must not deal with any persons or entities designated by the CBB as potentially linked to terrorist activity.
Amended: January 2007
FC-7.3.2
The CBB from time to time issues to licensees lists of designated persons and entities believed linked to terrorism. Licensees are required to verify that they have no dealings with these designated persons and entities, and report back their findings to the CBB. Names designated by the CBB include persons and entities designated by the United Nations, under UN Security Council Resolution 1267 ("UNSCR 1267").
Amended: January 2007
FC-7.3.3
Insurance licensees must report to the relevant authorities, using the procedures contained in Section FC-4.2, details of any accounts or other dealings with designated persons and entities, and comply with any subsequent directions issued by the relevant authorities.
FC-8 FC-8 Enforcement Measures
FC-8.1 FC-8.1 Regulatory Penalties
FC-8.1.1
The requirements in this Module are legally binding. Without prejudice to any other penalty imposed by the CBB Law, the Decree Law No. 4 or the Penal Code of the Kingdom of Bahrain, failure by a licensee to comply with this Module or any direction given hereunder shall result in the levying by the CBB, without need of a court order and at the CBB's discretion, of a fine of up to BD 20,000.
Amended: January 2007
FC-8.1.2
Module EN provides further information on the assessment of financial penalties and the criteria taken into account prior to imposing such fines (reference to Paragraph EN-5.2.3). Other enforcement measures may also be applied by the CBB in response to a failure by a licensee to comply with this Module; these other measures are also set out in Module EN.
Amended: January 2007
Amended: October 2007
FC-8.1.3
The CBB will endeavour to assist insurance licensees to interpret and apply the requirements of this Module. Insurance licensees may seek clarification on any issue by contacting the Compliance Directorate (see Section FC-4.3 for contact details).
Amended: January 2007
FC-8.1.4
Without prejudice to the CBB's general powers under the law, the CBB may amend, clarify or issue further directions on any provision of this Module from time to time, by notice to its licensees.
Amended: January 2007
FC-9 FC-9 AML / CFT Guidance and Best Practice
FC-9.1 FC-9.1 Guidance Provided by International Bodies
FATF Recommendations
FC-9.1.1
The Financial Action Task Force (FATF) Recommendations (see www.fatf-gafi.org) (together with their associated interpretative notes and best practices papers) provide the basic framework for combating money laundering activities and the financing of terrorism. FATF Recommendations 9-12, 15-17, 18-21, 26-27, 33-35, 37 and 40 and the AML/CFT Methodology are specifically relevant to the insurance sector.
Amended: October 2015
Amended: January 2007
FC-9.1.2
The relevant authorities in Bahrain believe that the principles established by these Recommendations should be followed by licensees in all material respects, as representing best practice and prudence in this area.
Amended: October 2015
IAIS: Guidance Paper on Anti-Money Laundering and Combating the Financing of Terrorism
FC-9.1.3
In January 2002, the International Association of Insurance Supervisors (IAIS) issued Anti-Money Laundering Guidance Notes for Insurance Supervisors and Insurance Entities. This document was updated in October 2004 and was reissued as Guidance Paper No. 5: Guidance Paper on Anti-Money Laundering and Combating the Financing of Terrorism (see www.iaisweb.org/publication). The Guidance Paper includes a set of measures and procedures, including elements of customer due diligence (CDD), reporting of suspicious transactions and measures affecting the organisation and staff of insurance licensees.
FC-9.1.4
The CBB supports the above papers and the desirability of all insurance licensees adhering to their requirements and guidance.
Amended: January 2007
Other Website References Relevant to AML/CFT
FC-9.1.5
The following lists a selection of other websites relevant to AML/CFT:
(a) The Middle East North Africa Financial Action Task Force: www.menafatf.org;
(b) The Egmont Group: www.egmontgroup.org;
(c) The United Nations: www.un.org/terrorism;
(d) The UN Counter-Terrorism Committee: www.un.org/Docs/sc/committees/1373/;
(e) The UN list of designated individuals: www.un.org/Docs/sc/committees/1267/1267ListEng.htm;
(f) The Wolfsberg Group: www.wolfsberg-principles.com; and
(g) The Association of Certified Anti-Money Laundering Specialists: www.acams.org.
Amended: January 2007
FC-10 FC-10 Fraud
FC-10.1 FC-10.1 General Requirements
FC-10.1.1
Insurance licensees must ensure that they allocate appropriate resources and have in place systems and controls to deter, detect, and record instances of fraud or attempted fraud.
FC-10.1.2
Fraud may arise from internal sources originating from changes or weaknesses to processes, products and internal systems and controls. Fraud can also arise from external sources, such as claims fraud.
FC-10.1.3
Any actual or attempted fraud incident (however small) must be reported to the appropriate authorities (including the CBB) and followed up. Monitoring systems must be designed to measure fraud patterns that might reveal a series of related fraud incidents.
Amended: January 2007
FC-10.1.4
Insurance licensees must ensure that a person is given overall responsibility for the prevention, detection and remedy of fraud, at a senior level of the organisation.
FC-10.1.5
Insurance licensees must ensure the effective segregation of functions and responsibilities, between different individuals and departments, such that the possibility of financial crime is reduced and that no single individual is able to initiate, process and control a transaction.
FC-10.1.6
Insurance licensees must provide regular training to their management and staff, to make them aware of potential fraud risks.
Advance Fee Fraud
FC-10.1.7
In a number of jurisdictions, there have been a number of recent incidents whereby insurance entities have either been the victims of, or have inadvertently provided assistance to, advance fee frauds. Advance fee fraud consists of setting up a fraudulent and almost certainly non-existent financial or banking transaction, the aim of which is to defraud an innocent third party of an up-front payment or deposit which is intended by the third party to be consideration for their involvement in that financial transaction, the receipt of a low interest or interest-free loan or the receipt of some other financial benefit. The types of transactions used as the façade for the frauds vary in detail; some of the most common are investment in financial instruments, self-liquidating loans and loans or other financial benefits. Although these transactions are generally based around banking or securities transactions, it is occasionally the case that the transaction will purport to be guaranteed by insurers.
FC-10.1.8
The most common type of advance fee fraud is for a fraudster to approach a company or sovereign state which has a poor credit rating or which is in some financial difficulty and offer to obtain funding at beneficial rates. Likewise, a potential investor may be approached and offered the opportunity to invest in a transaction with a very high rate of return. In each instance, the borrower or investor will be asked to provide some funds up front to cover the costs of setting up the transaction or by way of a deposit or down payment on fees. Once the fee has been paid, the fraudster will disappear and the transaction will, on further investigation, prove to be fictitious.
FC-10.1.9
Insurance licensees are encouraged to promote the exchange of information amongst themselves with respect to fraud and those committing fraud including, as appropriate, through the use of databases. Licensees should also consider the need to exchange information with the police and other external bodies.
FC-10.1.10
Insurance claims fraud is an offence punishable under the provision of Section 391 of the Penal Code, Decree Act No. (15), of 1976 of the Kingdom of Bahrain.
Guidance Provided by the IAIS
FC-10.1.11
In October 2006, the International Association of Insurance Supervisors (IAIS) issued Guidance Paper on Preventing, Detecting and Remedying Fraud in Insurance (see www.iaisweb.org/publication). The Guidance Paper has been developed to help the insurance sector prevent and detect cases of fraud. Insurance licensees should assess their own vulnerability and implement effective and efficient policies, procedures and controls to address the risk of fraud.
Adopted: October 2007
IA IA Insurance Aggregators
IA-A IA-A Introduction
IA-A.1 IA-A.1 Purpose
IA-A.1.1
This Module sets out the Central Bank of Bahrain's (CBB's) Directive relevant to insurance aggregators who are intermediaries with an insurance broker's license providing insurance aggregator services, as defined in the Authorisation Module of the CBB Rulebook Volume 3, in the Kingdom of Bahrain.
October 2019
IA-A.1.2
This Module should be read in conjunction with the requirements in other parts of the CBB Rulebook, Volume 3, applicable to insurance brokers particularly:
(a) Authorisation Module;
(b) Principles of Business Module;
(c) High Level Controls Module;
(d) General Requirements Module;
(e) Risk Management Module;
(f) Capital Adequacy Module;
(g) CBB Reporting Requirements Module;
(h) Auditors and Accounting Standards Module;
(i) Financial Crime Module; and
(j) Enforcement Module.
October 2019
Legal Basis
IA-A.1.3
This Module contains the CBB's Directive (as amended from time to time) applicable to insurance brokers undertaking insurance aggregator activities by operating an online platform for this purpose, and is issued under the powers available to the CBB under Article 38 of the CBB Law.
October 2019
IA-A.1.4
For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.
October 2019
IA-A.2 IA-A.2 Module History
IA-A.2.1
This Module was first issued in August 2019. All subsequent changes to this Module are annotated with a sequential version number. UG-3 provides further details on Rulebook maintenance and version control.
October 2019
IA-A.2.2
A list of recent changes made to this Module is provided below:
Module Ref. Change Date Description of Changes
IA-B IA-B Scope of Application
IA-B.1 IA-B.1 Introduction
IA-B.1.1
Insurance aggregators as defined in Module AU-1.1.8A provide information aggregation services to clients by comparing the different insurance products for their customers. Insurance aggregators are licensed as insurance brokers and may provide all or some of the services that insurance brokers are authorised to provide only through an online platform.
October 2019
IA-B.1.2
The word aggregator simply means an organisation that collects information from other businesses and then places it on one website. This may be used by a number of industries as an effective way of increasing client proposals and referrals. In the insurance industry, a customer is able to find insurance quotes under a single electronic platform instead of trawling through multiple insurer websites for quotes individually.
October 2019
IA-B.1.3
Insurance aggregators who handle client money should have policies and procedures in place to safeguard client money, and comply with the requirements under Module CL.
October 2019
IA-B.1.4
Additionally, there are confidentiality and data privacy implications if the insurance aggregator uses the cloud for the analytics. If client data is processed by the tool using the cloud, there must be safeguards to avoid noncompliance with applicable laws.
October 2019
IA-1 IA-1 Systems and Controls
IA-1.1 IA-1.1 Systems and Controls
Role of Board and Senior Management
IA-1.1.1
The Board of Directors must establish adequate internal controls and maintain effective oversight and governance of the insurance aggregator process and the client interface including establishing sound policies, procedures, systems, methodologies and controls. Such policies must be comprehensive and cover the following:
(a) Controls over technology solutions;
(b) Platform operations and performance;
(c) Tools and measures to prevent frauds and errors;
(d) Risk management controls;
(e) Prevention of anti-money laundering (AML) and combating terrorist financing (CTF);
(f) Record keeping and audit trails;
(g) Safeguarding client moneys; and
(h) Financial controls.
October 2019
IA-1.1.2
The Board of Directors must take responsibility for the establishment and oversight of effective risk management and internal controls.
October 2019
Technology governance
IA-1.1.4
Insurance aggregators must use technology solutions which are capable of interfacing with software and systems used by insurance licensees and different applications used by customers.
October 2019
IA-1.1.4A
With respect to Paragraph IA-1.1.4, if an insurance licensee does not have technology systems capable of interfacing with the insurance aggregator, it may utilize other means to display the said licensee's quote such as a quoting engine based on the criteria of the insurance firm.
October 2019
IA-1.1.5
The internal controls mentioned in Paragraph IA-1.1.3 must include, but not be limited to, the following:
(a) The development and or acquisition of the technology solutions to conduct the activity;
(b) Testing of the solutions and application program interfaces;
(c) Standards of communication and access and related security controls;
(d) Safe authentication of the users; and
(e) Tools and measures to prevent frauds and errors.
October 2019
IA-1.1.6
Insurance aggregators must maintain an up-to-date security policy document containing the following information:
a) a detailed documentation of the technology architecture and of the systems and the network elements providing:
    i. description of the business IT systems supporting the business activities;
    ii. the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
    iii. for each of the connections, the logical security measures and mechanisms in place, specifying the control the licensee will have over such access as well as the nature and frequency of each control;
    iv. process for the opening/closing of communication lines, and description of security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
b) the logical security measures and mechanisms that govern the internal access to IT systems;
c) the physical security measures and mechanisms of the premises and the data centre of the licensee, such as access controls and environmental security;
d) the security of the customer payment processes; and
e) ensure that the information systems, (both hardware and software) including the aggregation website(s)/portals, Proposal Management System and the Data Centers hosting the website(s)/Portal(s)/Proposal Management System are in compliance with the Cyber Security rules stipulated in Section RM-9.
October 2019
Business continuity
IA-1.1.9
Insurance aggregators must ensure they have an up-to-date business continuity plan and arrangements consisting of the following information:
a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
c) an explanation of how the licensee will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons; and
d) the frequency with which the licensee intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
October 2019
IA-1.1.10
Insurance aggregators must ensure that there are documented measures to protect confidentiality of client data consistent with Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018.
October 2019
IA-1.1.11
Insurance aggregators must ensure that the requirements relating to enhanced due diligence as required under Module FC are met when the client is assessed as higher risk and also where the client relationship (whether at the time of on-boarding or otherwise) is on a non-face-to-face basis.
October 2019
IA-2 IA-2 Operating Framework
IA-2.1 IA-2.1 Client Agreements
IA-2.1.1
Insurance aggregators must agree in writing the terms of business with their clients (i.e. insurance firms) and ensure that the following are stipulated:
a) the full scope of the insurance aggregator services;
b) the basis for providing advice (if any) including but not limited to methodologies used for such advice;
c) the fees, charges or commissions relevant to the services being offered;
d) the dispute resolution processes are available to the clients if they wish to make a complaint.
October 2019
IA-2.1.2
Insurance aggregators must disclose in writing the full particulars of any actual or potential conflicts of interest arising from any connection or association with product provider, including any commissions or fees and any material information or facts that may compromise its objectivity or independence.
October 2019
IA-2.2 IA-2.2 Arrangements with Insurance Firms
IA-2.2.1
No arrangements must be made by the insurance aggregators with the insurance firms which are against the interests of policyholders.
October 2019
IA-2.2.2
An insurance aggregator desirous of transmitting proposals to an insurance firm must enter into an "agreement" with the insurance firm which must include at least the following details:
a) Timeframe and mode of transmission of proposals to be shared;
b) Onus of complying with regulatory and other legal requirements on both the parties to the agreement;
c) Identifying the different data elements to be shared such as name of prospective client/client/visitor of the web site, contact details etc.;
d) The timeframe for providing the premium and feature tables of the agreed products to the insurance aggregator after concluding the agreement and keeping them up to date.
October 2019
IA-2.2.3
The insurance aggregator must keep the agreement ready for inspection as and when desired by the CBB's on-site supervision team.
October 2019
IA-2.2.4
The insurance aggregator must ensure the following:
a) While entering into such arrangements, no insurance aggregator must promise nor any insurance firm must compel the insurance aggregator to distribute the products of only a particular insurance firm;
b) The arrangements must have provisions to include duties and responsibilities of insurance aggregators towards the policyholders, duties and responsibilities of insurance firms and insurance aggregators, terms and conditions for termination of arrangements;
c) In case an insurance aggregator wishes to terminate arrangement with any insurance firm, they may do so after informing the insurance firm, the reasons for termination of arrangement. In such cases, the insurance aggregator must service any policies solicited but not yet issued by the concerned insurance firm until the issuance of the said policies;
d) No insurance firm must pay and no insurance aggregator must receive any signing fee or any other charges by whatever name called, except those permitted by the CBB under relevant regulations, for becoming its insurance aggregator.
October 2019
IA-2.2.5
The CBB may, at any point in time, direct any insurance firm or insurance aggregator to terminate the distribution arrangements.
October 2019
IA-2.3 IA-2.3 Product Comparisons
Policy for comparison and distribution of insurance products
IA-2.3.1
Insurance aggregators must have a Board approved policy on the approach to be followed by the insurance aggregator in having multiple tie-ups, type of products sold, grievance redress mechanism, reporting requirements and any other item. The Board of the insurance aggregator must review the same at least once in three years.
October 2019
Display of product comparisons on the insurance aggregator website
IA-2.3.2
The insurance aggregator must adhere to the following conditions relating to display of product comparison on its website:
a) Disclose prominently on the home page, a notice that
    i. the prospective client's/visitor's particulars could be shared with insurance firms;
    ii. the information displayed on the insurance aggregator's website is of the insurance firms with whom the insurance aggregator has an agreement;
b) Product information displayed by the insurance aggregator must be authentic and be based solely on information received from insurance firms;
c) Insurance aggregators must not display customer ratings, rankings, endorsements or bestsellers of insurance products on its website;
d) The content of the website of the insurance aggregator must be unbiased and factual in nature;
e) Basic features of products may be compared, such as:
    i. Eligibility criteria
    ii. Policy term
    iii. Premium
    iv. Inbuilt benefits/riders
    v. Premiums for different age groups
    vi. Benefits such as survival benefits/maturity benefits/death benefits etc.
    vii. Any other additional information/special product features relating to the products
f) Product comparisons that are displayed must be up-to-date and reflect the true picture of the products.
g) The product comparison must highlight whether a particular policy is a sharia compliant Takaful policy or a conventional insurance policy.
October 2019
IA-2.3.3
Insurance aggregators must not operate multiple websites or tie up with other un-registered websites for comparison of products.
October 2019
IA-2.4 IA-2.4 Disclosures and Management of Proposals
IA-2.4.1
Insurance aggregators must adhere to the following requirements with respect to their platform:
a) Insurance aggregators must disclose prominently on the home page or similar page of the relevant application that the prospective client's/visitor's particulars could be shared with insurance firms if the arrangements with the insurance firms warrant such a disclosure;
b) Insurance aggregator must provide an option to select multiple insurance firms by the visitor, to whom the proposal must be transmitted simultaneously;
c) Insurance aggregators must provide an option to select or choose between conventional insurance and Takaful products;
d) Insurance aggregators must not transmit the proposal containing data of a client to insurance firm(s) other than the one(s) preferred by the client. However, if the client shows interest in buying insurance but does not prefer any insurance firm, the insurance aggregator may transmit the proposal to several insurance firms in the same class of insurance business based on the need analysis of the client;
e) Ensure that the proposals and other data are transmitted to the insurance firms and others using secured data encryption technologies;
f) Disclose in all its correspondences with all stakeholders its name followed by "licensed as an Insurance Broker — Insurance Aggregator by the Central Bank of Bahrain".
October 2019
IA-2.4.2
Insurance aggregators must not provide customers with any cash discounts on their own account, such as in the form of discount codes, cash backs and promotional codes etc.
October 2019
IA-2.5 IA-2.5 Professional Indemnity Insurance
IA-2.5.1
Every insurance aggregator must take out and continue to maintain a professional indemnity insurance cover from a licensed insurance firm in the Kingdom of Bahrain. (See Section GR-10.1)
October 2019
IA-2.5.2
An insurance aggregator must ensure that the insurance cover indemnifies against the following:
a) any error or omission or negligence;
b) any loss of money or other property for which the insurance aggregator is legally liable in consequence of any financial or fraudulent act or omission;
c) any loss of documents and costs and expenses incurred in replacing or restoring such documents; and
d) dishonest or fraudulent acts or omissions by insurance aggregator employees.
October 2019
IA-2.5.3
The indemnity cover should not contain any terms to the effect that payments of claims depend upon the insurance aggregator having first met the liability.
October 2019
IA-2.5.4
The cover should indemnify in respect of all claims made during the period of the insurance regardless of the time at which the event giving rise to the claim may have occurred.
October 2019
IA-2.5.5
The professional indemnity insurance cover must not be cancelled without the CBB's prior written approval.
October 2019
IA-3 IA-3 Other Controls
IA-3.1 IA-3.1 Remuneration
IA-3.1.1
Remuneration in any form paid to insurance aggregators by insurance firms must be in compliance with the following provisions:
a) No fee can be charged to the insurance firm for listing its products;
b) Proposals which are converted into sale of insurance policies will entitle the insurance aggregator to earn commission as applicable to insurance brokers;
c) Insurance aggregator can provide other services to insurance firms in respect of policies procured through them. In such instances, the insurance firm may pay the insurance aggregators reasonable service charges at mutually agreed rates in the service agreements with the insurance aggregators.
October 2019
IA-3.1.2
The insurance aggregator, if requested by a prospective client, must disclose the amount of remuneration it receives as a result of effecting insurance for that client.
October 2019
IA-3.2 IA-3.2 Complaints Handling
IA-3.2.1
The insurance aggregator must:
a) Have in place a system for recording and monitoring complaints;
b) Ensure that the website contains details of complaints handling procedures and provides a facility to the customer to log complaints online;
c) Ensure that communication of clients in any form, written/phone/email/messaging etc. are acknowledged promptly in accordance with the requirements stated in Paragraph BC-4.5.1;
d) Ensure that the grievance is resolved to the fullest satisfaction of the client;
e) Ensure that responses are sent to the customer on the resolution of the grievance, and the customer is informed of the further redress procedure available to him; and
f) Ensure that complaints are attended to at senior management level.
October 2019
IA-3.2.2
The insurance aggregator must disclose on its website that if a member of the public wishes to make a complaint or requires the assistance of the CBB in resolving a dispute, he may write to the CBB.
October 2019
IA-3.3 IA-3.3 Training and Independent Assessments
Training
IA-3.3.1
The insurance aggregator must:
a) Ensure that its staff are aware of and adhere to the standards expected of them by this Module;
b) Ensure that staff is competent, suitable and have been given adequate training; and
c) Ensure that there is a system in place to monitor the quality of services of its staff.
October 2019
Independent assessments
IA-3.3.2
Insurance aggregators must ensure that their overall control framework is evaluated and independently tested by an independent external consultant other than the external auditors:
a) initially upon implementation of this Module and prior to launching of business;
b) when there are any material changes to the systems and controls; and
c) at least once every 3 years.
October 2019
IA-3.3.3
Insurance aggregators must ensure that the report of the evaluation referred to in Paragraph IA-3.3.2(b) is provided to the CBB within 2 weeks of completion of the report. The report required under IA-3.3.2(c) must be submitted within 3 months of the year-end in which the evaluation was conducted. In addition, the report required under IA-3.3.2(a) should be submitted to the CBB for the CBB's review and no-objection prior to launching the business.
October 2019