• Central Bank of Bahrain Volume 5—Specialised Licensees

    Table of Contents
           
    Common Modules (Applicable to all Specialised Licensees)  
     Module TitleModule
    Code
    Date last
    changed
    Current Version PDFFuture Version PDFEffective Date
    IntroductionUser's GuideUGApr 20PDF Version  
    Executive SummaryES(to be issued)   
    High Level StandardsPrinciples of BusinessPBJan 11PDF Version  
    Auditors and Accounting StandardsAAOct 16PDF Version  
    Business StandardsFinancial CrimeFCJan 24PDF Version  
    Enforcement & RedressEnforcementENApr 21PDF Version  

     

    Specific Modules (By Type of Licensee)
    Type 1: Money Changers LicenseesType 2: Representative Office LicenseesType 3: Financing CompaniesType 4: AdministratorsType 5: Trust Service ProvidersType 6: Microfinance InstitutionsType 7: Ancillary Service Providers
    Authorisation Module (AU)

    PDF Version

    Updated: Jan 21
    Authorisation Module (AU)

    PDF Version

    Updated: Jan 21
    Authorisation Module (AU)

    PDF Version

    Updated: Jul 22
    Authorisation Module (AU)

    PDF Version

    Updated: Jan 21
     Authorisation Module (AU)

    PDF Version

    Updated: Jan 21
    Authorisation Module (AU)

    PDF Version

    Updated: Apr 23
          
    Business Conduct Module (BC)

    PDF Version

    Updated: Oct 20
     Business and Market Conduct Module (BC)

    PDF Version

    Updated: Jul 23
      Business and Market Conduct (BC)

    PDF Version

    Updated: Jan 22
     
       
    CBB Reporting Requirements Module (BR)

    PDF Version

    Updated: Jan 23
     CBB Reporting Requirements Module (BR)

    PDF Version

    Updated: Jan 23
    CBB Reporting Requirements Module (BR)

    PDF Version

    Updated: Jan 23
     CBB Reporting Requirements Module (BR)

    PDF Version

    Updated: Jan 23
    CBB Reporting Requirements Module (BR)

    PDF Version

    Updated: Sep 24
         
    Capital Adequacy Module (CA)

    PDF Version

    Updated: Jul 11
     Capital Adequacy Module (CA)

    PDF Version

    Updated: Jul 22
    Capital Adequacy Module (CA)

    PDF Version

    Updated: Jan 23
     Capital Adequacy and Liquidity Requirements Module (CA)

    PDF Version

    Updated: Apr 19
     
        
    General Requirements Module (GR)

    PDF Version

    Updated: Jan 22
    General Requirements Module (GR)

    PDF Version

    Updated: Jan 22
    General Requirements Module (GR)

    PDF Version

    Updated: Jul 22
    General Requirements Module (GR)

    PDF Version

    Updated: Jul 22
     General Requirements Module (GR)

    PDF Version

    Updated: Jan 22
    General Requirements Module (GR)

    PDF Version

    Updated: Jul 23
          
    High-level Control Module (HC)

    PDF Version

    Updated: Apr 20
     High-level Control Module (HC)

    PDF Version

    Updated: Jul 22
    High-level Control Module (HC)

    PDF Version

    Updated: Jan 13
     High-Level Controls Module (HC)

    PDF Version

    Updated: Apr 20
    High-Level Controls Module (HC)

    PDF Version

    Updated: Oct 20
         
    Risk Management Module (RM)

    PDF Version

    Updated: Jul 23
     Credit Risk Management Module (CM)

    (to be issued)
      Risk Management Module (RM)

    PDF Version

    Added: Jul 22
     
       
      Operational Risk Management (OM)

    PDF Version

    Updated: Jul 23
        
     
      Liquidity Risk Management Module (LM)

    PDF Version

    Updated: Jul 14
        
     
    Training and Competency Module (TC) [Deleted in August 2025]

    Deleted: Aug 25
     Training and Competency Module (TC) [Deleted in August 2025]

    Deleted: Aug 25
        
      
      Public Disclosure (PD)

    PDF Version

    Updated: Jul 23
      Public Disclosure Module (PD)

    PDF Version

    Updated: Jul 23
     
      
          Open Banking (OB)

    PDF Version

    Updated: Sep 24
     
          Crowdfunding Platform Operators (CFP)

    PDF Version

    Added: Jul 22
     
    Part B
    Glossary
    CBB Authorisation Forms
    CBB Reporting Forms
    Supplementary Information
    To be developed: pending the issuance of the remaining Modules for Volume 5, the standard conditions and licensing criteria applicable to specialised licensees can be accessed below:
    Leasing Companies (Conventional)PDF Version
    Leasing Companies (Islamic)PDF Version

    • Common Modules (Applicable to all Specialised Licensees)

      • Part A

        • Introduction

          • UG UG User's Guide

            • UG-A UG-A Introduction

              • UG-A.1 UG-A.1 Purpose

                • Executive Summary

                  • UG-A.1.1

                    The Central Bank of Bahrain ('the CBB'), in its capacity as the regulatory and supervisory authority for all financial institutions in Bahrain, issues regulatory instruments that licensees and other specified persons are legally obliged to comply with. These regulatory instruments are contained in the CBB Rulebook. Much of the Rulebook's substantive content was previously issued by the Bahrain Monetary Agency ('the BMA'), and was carried forward when the CBB replaced the BMA in September 2006.

                    October 2010

                  • UG-A.1.2

                    The Rulebook is divided into 7 Volumes, covering different areas of financial services activity. These Volumes are being progressively issued. Volumes 1 and 2, covering conventional bank licensees and Islamic bank licensees respectively, were issued in July 2004 and January 2005; Volume 3, covering insurance licensees, was issued in April 2005; Volume 4, covering investment firm licensees was issued in April 2006. This Volume, Volume 5 specialised licensees is issued in 2010. Volume 6 (capital markets) is gradually being issued. Volume 7 on collective investment undertakings (CIUs) was issued in May 2012.

                    Amended: October 2012
                    October 2010

                  • UG-A.1.3

                    This User's Guide provides guidance on (i) the status and application of the Rulebook, with specific reference to Volume 5 (Specialised licensees); (ii) the structure and design of the Rulebook; and (iii) its maintenance and version control.

                    October 2010

                  • UG-A.1.4

                    Volume 5 (Specialised Licensees) covers specialised licensees, i.e. those CBB licensees that undertake regulated specialised activities that do not fall under any other Volume (1-4,6, 7) of the CBB Rulebook. It contains prudential requirements (such as rules on minimum capital and risk management); and conduct of business requirements (such as rules on the giving of advice and the treatment of customer money). Collectively, these requirements are aimed at ensuring the safety and soundness of CBB-licensed companies, and providing an appropriate level of protection to the customers of such companies.

                    Amended: October 2012
                    October 2010

                • Legal Basis

                  • UG-A.1.6

                    This Module contains the CBB's Directive (as amended from time to time) regarding the User's Guide for Volume 5 of the CBB Rulebook, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all specialised licensees (including their approved persons).

                    Amended: January 2011
                    October 2010

                  • UG-A.1.7

                    For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                    October 2010

              • UG-A.2 UG-A.2 Module History

                • Evolution of Module

                  • UG-A.2.1

                    This Module was first issued in October 2010. Any material changes that are subsequently made to this Module are annotated with the calendar quarter date in which the change is made; Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    October 2010

                  • UG-A.2.2

                    A list of recent changes made to this Module is provided below:

                    Module Ref. Change Date Description of Changes
                    UG-A.1.6 01/2011 Clarified legal basis.
                    UG-2.1.2 01/2011 Amended defined term.
                    UG-A.1.2, UG-A.1.4, UG-1.2.1, UG-1.2.2, UG-1.2.7, UG-2.1.1, UG-2.1.2, UG-2.1.5 and UG-2.2.2 10/2012 Various minor corrections to reflect structure of Rulebook, including issuance of Volume 7.
                    UG-3.2 and Annex 01/2013 Amended as CBB Rulebook only now available on CBB Website.
                    UG-1.3.4 10/2016 Added a Paragraph to clarify reference to 'he' 'his' 'she' and 'her'.
                    UG-3.2.2. 04/2020 Amended Paragraph.

            • UG-1 UG-1 Rulebook Status and Application

              • UG-1.1 UG-1.1 Legal Basis

                • General

                  • UG-1.1.1

                    Volume 5 (Specialised Licensees) of the CBB Rulebook is issued by the CBB pursuant to the Central Bank of Bahrain and Financial Institutions Law 2006 ('the CBB Law'). The CBB Law provides for two formal rulemaking instruments: Regulations (made pursuant to Article 37) and Directives (made pursuant to Article 38). Other articles in the CBB Law also prescribe various specific requirements (for example, requirements relating to licensing (Articles 44 to 49), or the notification and approval of controllers of licensees (Articles 52 to 56)).

                    October 2010

                  • UG-1.1.2

                    The Purpose Section of each Module specifies in all cases the rulemaking instrument(s) used to issue the content of the Module in question, and the legal basis underpinning the Module's requirements.

                    October 2010

                • CBB’s Rulemaking Instruments

                  • UG-1.1.4

                    Regulations are made pursuant to Article 37 of the CBB Law. These instruments have general application throughout the Kingdom and bind all persons ordinarily affected by Bahraini legislative measures (i.e. residents and/or Bahraini persons wherever situated).

                    October 2010

                  • UG-1.1.5

                    Because Regulations have wide general application, they are subject to two important safeguards: (i) the CBB is under a duty to consult with interested parties and to review and consider their comments; and (ii) the finalised Regulations only become effective after they are published in the Official Gazette.

                    October 2010

                  • UG-1.1.6

                    Directives are made pursuant to Article 38 of the CBB Law. These instruments do not have general application in the Kingdom, but are rather addressed to specific licensees (or categories of licensees) or approved persons. Directives are binding on those to whom they are addressed.

                    October 2010

                  • UG-1.1.7

                    Unlike Regulations, there is no duty on the CBB to either consult with addressees or publicise a Directive by publishing it in the Official Gazette (save that an addressee must obviously have actual or constructive notice of a Directive). However, as a matter of general policy, the CBB also consults on Rulebook content issued by way of a Directive.

                    October 2010

                  • UG-1.1.8

                    All of the content of the CBB Rulebook has the legal status of at least a Directive, issued pursuant to Article 38 of the CBB Law. Certain of the requirements contained in the CBB Rulebook may also have the status of a Regulation, in which case they are also separately issued pursuant to Article 37 of the CBB Law and published in the Official Gazette. Where this is the case, then the Rulebook cross-refers to the Regulation in question and specifies the requirements concerned.

                    October 2010

                  • UG-1.1.9

                    In keeping with the nature of these regulatory instruments, Regulations are used to supplement the CBB Rulebook, either where explicitly required under the CBB Law, or where a particular requirement needs to have general applicability, in addition to being applied to licensees or approved persons.

                    October 2010

              • UG-1.2 UG-1.2 Status of Provisions

                • UG-1.2.1

                  The contents of the CBB Rulebook are categorised either as Rules or as Guidance. Rules have a binding effect. If a licensee breaches a Rule to which it is subject, it is liable to enforcement action by the CBB and, in certain cases, criminal proceedings by the Office of the Public Prosecutor.

                  Amended: October 2012
                  October 2010

                • UG-1.2.2

                  Guidance is not binding: rather, it is material that helps inform a particular Rule or set of Rules, or provides other general information. Where relevant, compliance with Guidance will generally lead the CBB to assess that the rule(s) to which the Guidance relates has been complied with. Conversely, failure to comply with Guidance will generally be viewed by the CBB as tending to suggest breach of a Rule.

                  Amended: October 2012
                  October 2010

                • UG-1.2.3

                  The status of each Paragraph within the Rulebook is identified by its text format, as follows:

                  •   Rules are in bold, font size 12. The Paragraph reference number is also highlighted in a coloured box.
                  •   Guidance is in normal type, font size 11.
                  October 2010

                • UG-1.2.4

                  Where there are differences of interpretation over the meaning of a Rule or Guidance, the CBB reserves the right to apply its own interpretation.

                  October 2010

                • UG-1.2.5

                  Rule UG-1.2.4 does not prejudice the rights of an authorised person to make a judicial appeal, should it believe that the CBB is acting unreasonably or beyond its legal powers.

                  October 2010

                • UG-1.2.6

                  All Rulebook content has the formal status of at least a Directive. Some Rulebook content may also have the status of Regulations. Rulebook content that is categorised as a Rule is therefore legally mandatory and must be complied with by those to whom the content is addressed.

                  October 2010

                • UG-1.2.7

                  [This Paragraph was deleted in October 2012].

                  Deleted: October 2012
                  October 2010

                • UG-1.2.8

                  The CBB's enforcement powers and processes are set out in Module EN.

                  October 2010

              • UG-1.3 UG-1.3 Application

                • UG-1.3.1

                  Volume 5 of the CBB Rulebook for the most part applies only to specialised licensees, and to individuals undertaking key functions in those licensees (so-called 'approved persons'). Most of the content of Volume 5 only has the formal status of a Directive.

                  October 2010

                • UG-1.3.2

                  A few Rules and Guidance have general applicability (and thus also have the formal status of a Regulation): for instance, no one may carry on specialised activities within or from Bahrain without the appropriate license, and controllers of specialised licensees are also subject to various requirements.

                  October 2010

                • UG-1.3.3

                  Each Module in Volume 5 (except those listed under the 'Introduction' and 'Sector Guides' headings) contains a Scope of Application Chapter, setting out which Rules and Guidance apply to which particular type of specialised licensee or person, for the Module concerned. In addition, each Rule (or Section containing a series of Rules) is drafted such that its application is clearly highlighted for the user. Finally, each Module, in its Purpose Section, specifies in all cases the rulemaking instrument(s) used to issue the content of the Module in question, and the legal basis underpinning the Module's requirements.

                  October 2010

                • UG-1.3.4

                  All references in this Module to 'he' or 'his' shall, unless the context otherwise requires, be construed as also being references to 'she' and 'her'.

                  Added: October 2016

              • UG-1.4 UG-1.4 Effective Date

                • UG-1.4.1

                  Volume 5 (Specialised Licensees) of the CBB Rulebook was first issued in October 2010. Its contents have immediate effect, subject to any specific transition arrangements that may be specified.

                  October 2010

            • UG-2 UG-2 Rulebook Structure and Format

              • UG-2.1 UG-2.1 Rulebook Structure

                • Rulebook Volumes

                  • UG-2.1.1

                    The Rulebook is divided into 7 Volumes, covering different areas of financial services activity, as follows:

                    Volume 1 Conventional Banks
                    Volume 2 Islamic Banks
                    Volume 3 Insurance
                    Volume 4 Investment Business
                    Volume 5 Specialised Licensees
                    Volume 6 Capital Markets
                    Volume 7 Collective Investment Undertakings
                    Amended: October 2012
                    October 2010

                  • UG-2.1.2

                    Volume 5 (Specialised Licensees), covers money changers; financing companies; representative offices; administrators; trust service providers, micro-finance institutions and ancillary services providers.

                    Amended: October 2012
                    Amended: January 2011
                    October 2010

                • Rulebook Contents (Overview)

                  • UG-2.1.3

                    The material in Volume 5 is divided into common modules and specific modules. It is further organised by the type of the specialised licensee concerned, as outlined in the chart in UG-2.1.5 below. The contents of the common modules apply to all specialised licensees, while the content of the specific modules apply to one specific type of licensee (e.g. Capital Adequacy Module for Money Changers).

                    October 2010

                  • UG-2.1.4

                    Each Volume has its own appendix Volume containing relevant reporting and authorisation forms; a glossary; and any supplementary information. In all cases, the main Volume is called 'Part A' and the appendix Volume is called 'Part B'.

                    October 2010

                  • UG-2.1.5:

                    Volume 5 Structure
                    Common Modules (Applicable to all Specialised Licensees)
                    User's Guide Module (UG)
                    Financial Crime Module (FC)
                    Auditors and Accounting Standards Module (AA)
                    Enforcement Module (EN)
                    Principles of Business Module (PB)
                    Specific Modules (By Type of Licensee)
                    Type 1: Money Changers Licensees Type 2: Representative Office Licensees Type 3: Financing Companies Type 4: Fund Administrators Type 5: Trust Service Providers Type 6: Micro-Finance Institutions Type 7: Ancillary Services Providers
                    Authorisation Module (AU) Authorisation Module (AU) Authorisation Module (AU) Authorisation Module (AU) To be developed
                    Business Conduct Module (BC)   Business Conduct Module (BC)  
                    CBB Reporting Requirements Module (BR)   CBB Reporting Requirements Module (BR) CBB Reporting Requirements Module (BR)
                    Capital Adequacy Module (CA)   Capital Adequacy Module (CA) Capital Adequacy Module (CA)
                    General Requirements Module (GR) General Requirements Module (GR) General Requirements Module (GR) General Requirements Module (GR)
                    High-level Control Module (HC)   High-level Control Module (HC) High-level Control Module (HC)
                    Risk Management Module (RM)   Risk Management Module (RM)  
                    Training and Competency Module (TC)   Training and Competency Module  
                        Liquidity Risk Management Module (LM)  
                    Amended: October 2012
                    October 2010

              • UG-2.2 UG-2.2 Volume Structure

                • Modules

                  • UG-2.2.1

                    Modules in Volume 5 are divided into Common and Specific Modules based on the nature of each specialised licensee. The contents of Common Modules apply to all specialised licensees, while the contents of Specific Modules apply to one specific type of licensee (e.g. Money Changers).

                    October 2010

                  • UG-2.2.2

                    Each Module in Volume 5 is referenced using a two-or three-letter code, which is usually a contraction or abbreviation of its title. For each Specific Module, in addition to the title, the type of licensee is mentioned. These codes are used for cross-referencing within the text.

                    Amended: October 2012
                    October 2010

                • Chapters

                  • UG-2.2.3

                    Each Module consists of Chapters, categorised into two types:

                    •   Standard introductory Chapters (referenced with a letter: e.g. UG-A); and
                    •   Chapters containing the substantive content of the Module (referenced with a number: e.g. CA-1, CA-2, etc.)
                    October 2010

                  • UG-2.2.4

                    The introductory Chapters summarise the purpose of the Module, its history (in terms of changes made to its contents) and, where relevant, lists previously issued circulars and regulations that were replaced by the Rulebook Module. A separate introductory Chapter also prescribes the scope of application of the Module's requirements.

                    October 2010

                • Sections and Paragraphs

                  • UG-2.2.5

                    Chapters are further sub-divided into Sections: these extend the Chapter numbering (e.g. FC-1.1, FC-1.2, FC-1.3 etc). In turn, Sections are sub-divided into Paragraphs; these extend the Chapter and Section numbering (e.g. FC-1.1.1, FC-1.1.2, FC-1.1.3 etc.). Where appropriate, sub-Section headings may be used, to guide the reader through a Section; sub-Section headings are italicised and unnumbered, and act purely as an indicator (without limitation) as to the contents of the Paragraphs that follow.

                    October 2010

                • Table of Contents

                  • UG-2.2.6

                    Each Volume's contents page lists all the Modules contained within it (Part A) and the information contained in the relevant appendix Volume (Part B).

                    October 2010

                  • UG-2.2.7

                    The contents page of each Module lists the Chapters and Sections it contains, and the latest version date of each Section in issue.

                    October 2010

              • UG-2.3 UG-2.3 Format and Page Layout

                • Headers

                  • UG-2.3.1

                    The top of each page in the Rulebook identifies the Volume, Common or Specific Module and Chapter in question. Each Module is a separate document. New Chapters start on a fresh page.

                    October 2010

                • Footers

                  • UG-2.3.2

                    The bottom of each page in the Rulebook (on the left hand side) identifies the Module in question, its Section and page number. Page numbering starts afresh for each Section: the total number of pages in each Section is shown as well as the individual page number. The bottom right hand side shows an end-calendar quarter issue date. The contents page for each Module, and each Section in a Module, are each given their own issue date. In addition, the Module contents page lists the latest issue date for each Section in that Module. The contents page thus acts as a summary checklist of the current issue date in force for each Section. Further explanation is provided in Section UG-3.1 below.

                    October 2010

                • Defined terms

                  • UG-2.3.3

                    Defined terms used in the Rulebook are underlined. Each Volume has its own glossary listing defined terms and giving their meaning. Definitions of terms used apply only to the Volume in question. It is possible for the same term to be used in a different Volume with a different meaning.

                    October 2010

                • Cross-references

                  • UG-2.3.4

                    Any cross-references given in a text state the Module code, followed (where appropriate) by the numbering convention for any particular Chapter, Section or Paragraph being referred to. For example, the cross-reference FC-1.2.3 refers to the third Paragraph in the second Section of the first Chapter of the Financial Crime Module. Many references will be quite general, referring simply to a particular Module, Chapter or Section, rather than a specific Paragraph.

                    October 2010

                • Text format

                  • UG-2.3.5

                    Each Paragraph is assigned a complete reference to the Module, Chapter, and Section, as well as its own Paragraph number, as explained in Paragraph UG-2.3.4 above. The format of the Paragraph reference and text indicates its status as either a Rule or Guidance, as explained in Paragraph UG-1.2.4 above.

                    October 2010

                  • UG-2.3.6

                    When cross-referring to specific Paragraphs, and it is important to make clear the status of the Paragraph in question as a Rule or Guidance, then the words 'Rule' or 'Guidance' may be used instead of 'Paragraph', followed by the reference number (e.g. 'As required by Rule FC-1.1.1, licensees must...').

                    October 2010

            • UG-3 UG-3 Rulebook Maintenance and Access

              • UG-3.1 UG-3.1 Rulebook Maintenance

                • Quarterly Updates

                  • UG-3.1.1

                    Any changes to the Rulebook are generally made on a quarterly cycle (the only exception being when changes are urgently required), in early January, April, July and October. When changes are made to a Module, the amended Sections are given a new version date, in the bottom right-hand page.

                    October 2010

                  • UG-3.1.2

                    The contents page for each amended Module is also updated: the table of contents is changed to show the new version date for each amended Section (in the 'Date Last Changed' column), and the contents page itself is also given its own new version date in the bottom right-hand corner. The Module contents pages thus act as a checklist for hard-copy users to verify which are the current version dates for each Section in that Module.

                    October 2010

                  • UG-3.1.3

                    A summary of any changes made to a Module is included in the Module History Section of each Module. The table summarises the nature of the change made, the date of the change, and the Module components and relevant pages affected. The Module History can thus be used to identify which pages were updated within individual Sections.

                    October 2010

                  • UG-3.1.4

                    Hard-copy users of the CBB Rulebook can check that they have the latest copy of each Module's contents pages, by referring to the overall table of contents for each Volume. The Volume table of contents lists the date each Module was last changed; users can use this table to check the date showing in the bottom right-hand corner of each Module's contents page.

                    October 2010

                  • UG-3.1.5

                    The website version of the Rulebook acts at all times as the definitive version of the Rulebook. Any changes are automatically posted to the CBB website, together with a summary of those changes. Licensees are in addition e-mailed every quarter, to notify them of any changes (if any). Hard-copy users are invited to print off the updated pages from the website to incorporate in their Rulebook in order to keep it current.

                    October 2010

                • Changes to Numbering

                  • UG-3.1.6

                    In order to limit the knock-on impact of inserting or deleting text on the numbering of text that follows the change, the following conventions apply:

                    (a) Where a new Paragraph is to be included in a Section, such that it would impact the numbering of existing text that would follow it, the Paragraph retains the numbering of the existing Paragraph immediately preceding it, but with the addition of an "A"; a second inserted Paragraph that follows immediately afterwards would be numbered with a "B", and so on.

                    For example, if a new Paragraph needs to be inserted after UG-3.1.6, it would be numbered UG-3.1.6A; a second new Paragraph would be numbered UG-3.1.6B, and so on. This convention avoids the need for renumbering existing text that follows an insertion. The same principle is applied where a new Section or a new Chapter needs to be inserted: for example, UG-3.1A (for a new Section), and UG-3A (for a new Chapter)
                    (b) Where a Paragraph is deleted, then the numbering of the old Paragraph is retained, and the following inserted in square brackets: '[This Paragraph was deleted in April 2006.]' (The date given being the actual end-calendar quarter date of the deletion.) The same principle is applied with respect to Sections and Chapters.
                    October 2010

                  • UG-3.1.7

                    Where many such changes have built up over time, then the CBB may reissue the whole Section, Paragraph, Chapter or even Module concerned, consolidating all these changes.

                    October 2010

              • UG-3.2 UG-3.2 Rulebook Access

                • Availability

                  • UG-3.2.1

                    The Rulebook is available on the CBB website.

                    Amended: January 2013
                    October 2010

                • Queries

                  • UG-3.2.2

                    Questions regarding the administration of the Rulebook (e.g. website availability, the updating of material etc) should be addressed to the Rulebook Section of the Regulatory Policy Unit:

                    Rulebook Section
                    Regulatory Policy Unit
                    Central Bank of Bahrain
                    P.O. Box 27
                    Manama
                    Kingdom of Bahrain

                    Tel: + 973 - 17 54 7413
                    E-mail: rulebook@cbb.gov.bh
                    Web: www.cbb.gov.bh

                    Questions regarding interpretation of the policy and requirements contained in the Rulebook should be addressed to the licensee's regular supervisory point of contact within the CBB.

                    Amended: April 2020
                    Amended: January 2013
                    Added: October 2010

            • CBB Rulebook Order Form [This form was deleted in January 2013]

              Deleted: January 2013

          • ES Executive Summary

        • High Level Standards

          • PB PB Principles of Business

            • PB-A PB-A Introduction

              • PB-A.1 PB-A.1 Purpose

                • Executive Summary

                  • PB-A.1.1

                    The Principles of Business are a general statement of the fundamental obligations of all Central Bank of Bahrain ('CBB') specialised licensees and approved persons. They serve as a basis for other material in Volume 5 (Specialised Licensees), and help address specific circumstances not covered elsewhere in the Rulebook.

                    October 2010

                  • PB-A.1.2

                    The Principles of Business have the status of Rules and apply alongside other Rules contained in Volume 5 (Specialised Licensees). However, these other Rules do not exhaust the fundamental obligations contained in the Principles. Compliance with all other Rules, therefore, does not necessarily guarantee compliance with the Principles of Business.

                    October 2010

                • Legal Basis

                  • PB-A.1.3

                    This Module contains the CBB's Directive (as amended from time to time) relating to Principles of Business and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all specialised licensees (including their approved persons) where applicable.

                    Amended: January 2011
                    October 2010

                  • PB-A.1.4

                    For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                    October 2010

              • PB-A.2 PB-A.2 Module History

                • Evolution of Module

                  • PB-A.2.1

                    This Module was first issued in October 2010. Any material changes that are subsequently made to this Module are annotated with the calendar quarter date in which the change is made; Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    October 2010

                  • PB-A.2.2

                    A list of recent changes made to this Module is provided below:

                    Module Ref. Change Date Description of Changes
                    PB-A.1.3 01/2011 Clarified legal basis.
                         
                         
                         
                         

            • PB-B PB-B Scope of Application

              • PB-B.1 PB-B.1 Scope of Application

                • PB-B.1.1

                  The 10 Principles of Business apply to all CBB specialised licensees, in accordance with Paragraph PB-B.1.2. Principles 1-8 also apply to all approved persons, in accordance with Paragraph PB-B.1.5.

                  October 2010

                • PB-B.1.2

                  These principles are addressed to all specialised licensees (where applicable).

                  October 2010

                • PB-B.1.3

                  Principles 1 to 10 apply to activities carried out by the specialised licensee, including activities carried out through overseas branches (if any).

                  October 2010

                • PB-B.1.4

                  The CBB expects specialised licensees to take into account any activities of other members of the group of which the specialised licensee is a member for Principles 9 and 10.

                  October 2010

                • PB-B.1.5

                  Principles 1 to 8 apply to approved persons in respect of the controlled function for which they have been approved.

                  October 2010

                • PB-B.1.6

                  Principles 1 to 8 do not apply to behaviour by an approved person with respect to any other functions or activities they may undertake. However, behaviour unconnected to their controlled function duties may nonetheless be relevant to an assessment of that person's fitness and propriety.

                  October 2010

                • PB-B.1.7

                  The CBB's requirements regarding approved persons and controlled functions are located in Module AU (Authorisation).

                  October 2010

              • PB-B.2 PB-B.2 Non-compliance

                • PB-B.2.1

                  Breaching a Principle of Business makes the specialised licensee or approved person concerned liable to enforcement action. In the case of a licensee, this may call into question whether they continue to meet the licensing conditions (see Chapter AU-2). In the case of an approved person, this may call into question whether they continue to meet the 'fit and proper' requirements for the function for which they have been approved (see Chapter AU-3).

                  October 2010

                • PB-B.2.2

                  Module EN (Enforcement) sets out the CBB's policy and procedures on enforcement action.

                  October 2010

            • PB-1 PB-1 The Principles

              • Principle 1 – Integrity

                • PB-1.1.1

                  Specialised licensees and approved persons must observe high standards of integrity and fair dealing. They must be honest and straightforward in their dealings with customers, and provide full disclosure of all relevant information to customers, as required by the CBB's Regulations and Directives.

                  October 2010

              • Principle 2 – Conflicts of Interest

                • PB-1.1.2

                  Specialised licensees and approved persons must take all reasonable steps to identify, and prevent or manage, conflicts of interest that could harm the interests of a customer.

                  October 2010

              • Principle 3 – Due Skill, Care and Diligence

                • PB-1.1.3

                  Specialised licensees and approved persons must act with due skill, care and diligence.

                  October 2010

              • Principle 4 – Confidentiality

                • PB-1.1.4

                  Specialised licensees and approved persons must observe in full any obligations of confidentiality, including with respect to customer information. This requirement does not over-ride lawful disclosures.

                  October 2010

              • Principle 5 – Market Conduct

                • PB-1.1.5

                  Specialised licensees and approved persons must observe proper standards of market conduct, and avoid action that would generally be viewed as improper.

                  October 2010

              • Principle 6 – Customer Assets

                • PB-1.1.6

                  Specialised licensees and approved persons must take reasonable care to safeguard the assets of customers for which they are responsible.

                  October 2010

              • Principle 7 – Customer Interests

                • PB-1.1.7

                  Specialised licensees and approved persons must pay due regard to the legitimate interests and information needs of their customers and communicate with them in a fair and transparent manner. Specialised licensees and approved persons, when dealing with customers who are entitled to rely on their advice or discretionary decisions, must take reasonable care to ensure the suitability of such advice or decisions.

                  October 2010

              • Principle 8 – Relations with Regulators/Supervisors

                • PB-1.1.8

                  Specialised licensees and approved persons must act in an open and co-operative manner with the CBB and other regulatory/supervisory bodies whose authority they come under. They must take reasonable care to ensure that their activities comply with all applicable laws and regulations.

                  October 2010

              • Principle 9 – Adequate Resources

                • PB-1.1.9

                  Specialised licensees must maintain adequate human, financial and other resources sufficient to run their business in an orderly manner.

                  October 2010

              • Principle 10 – Management, Systems & Controls

                • PB-1.1.10

                  Specialised licensees must take reasonable care to ensure that their affairs are managed effectively and responsibly, with appropriate systems and controls in relation to the size and complexity of their operations. Specialised licensees' systems and controls, as far as is reasonably practical, must be sufficient to manage the level of risk inherent in their business and ensure compliance with the CBB Rulebook.

                  October 2010

          • AA AA Auditors and Accounting Standards

            • AA-A AA-A Introduction

              • AA-A.1 AA-A.1 Purpose

                • Executive Summary

                  • AA-A.1.1

                    This Module presents requirements that have to be met by specialised licensees with respect to the appointment of external auditors. This Module also sets out certain obligations that external auditors have to comply with, as a condition of their appointment by specialised licensees.

                    October 2010

                  • AA-A.1.2

                    This Module is issued under the powers given to the Central Bank of Bahrain ('CBB') under Decree No. (64) of 2006 with respect to promulgating the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). It supplements Article 61 of the CBB Law, which requires licensees to appoint an external auditor acceptable to the CBB.

                    October 2010

                • Legal Basis

                  • AA-A.1.3

                    This Module contains the CBB's Directive (as amended from time to time) relating to auditors and accounting standards used by specialised licensees, and is issued under the powers available to the CBB under Article 38 of the CBB Law. The Directive in this Module is applicable to all specialised licensees (where applicable).

                    Amended: January 2011
                    October 2010

                  • AA-A.1.4

                    For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                    October 2010

              • AA-A.2 AA-A.2 Module History

                • Evolution of Module

                  • AA-A.2.1

                    This Module was first issued in October 2010. Any material changes that are subsequently made to this Module are annotated with the calendar quarter date in which the change is made; Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    October 2010

                  • AA-A.2.2

                    A list of recent changes made to this Module is provided below:

                    Module Ref. Change Date Description of Changes
                    AA-A.1.3 01/2011 Clarified legal basis.
                    AA-3.1.1 07/2011 Excluded money changers and administrators from Paragraph AA-3.1.1.
                    AA-5 04/2012 Chapter amended and content moved to Section BR-3.5 for money changers and administrators (or Module GR for rep offices) and retitled as Role of External Auditor as Appointed Expert.
                    AA-1.3.2 10/2012 Guidance Paragraph deleted as five year period varies depending on type of specialised licensee and when license was granted.
                    AA-1.5.4 and AA-1.5.5 10/2012 Clarified guidance by indicating what Law is being referred to.
                    AA-3.3 10/2012 Section deleted as report can now also be completed by approved consultancy from as per Section FC-4.3.
                    AA-3.2.2 and AA-3.2.3 04/2014 Added specific auditor reports applicable to financing companies.
                    AA-3.1 10/2016 Deleted Section on Review of QPR

            • AA-B AA-B Scope of Application

              • AA-B.1 AA-B.1 Specialised Licensees

                • AA-B.1.1

                  The contents of this Module – unless otherwise stated – apply to all specialised licensees. Representative Offices are exempted from this Module.

                  October 2010

                • AA-B.1.2

                  The contents of this Module apply to both Bahraini specialised licensees and overseas specialised licensees.

                  October 2010

              • AA-B.2 AA-B.2 Auditors

                • AA-B.2.1

                  Certain requirements in this Module indirectly extend to auditors, by virtue of their appointment by specialised licensees. Auditors appointed by specialised licensees must be independent (cf. Sections AA-1.4 and AA-1.5). Auditors who resign or are otherwise removed from office are required to inform the CBB in writing of the reasons for the termination of their appointment (cf. Sections AA-1.2). Other requirements are contained in Sections AA-1.3 (Audit partner rotation) and AA-3.1 (Auditor reports).

                  October 2010

            • AA-1 AA-1 Auditor Requirements

              • AA-1.1 AA-1.1 Appointment of Auditors

                • AA-1.1.1

                  Specialised licensees must obtain prior written approval from the CBB before appointing or re-appointing their auditor.

                  October 2010

                • AA-1.1.2

                  As the appointment of auditors normally takes place during the course of the firm's annual general meeting, specialised licensees should notify the CBB of the proposed agenda for the annual general meeting in advance of it being circulated to shareholders. The CBB's approval of the proposed auditors does not limit in any way shareholders' rights to subsequently reject the Board's choice.

                  October 2010

                • AA-1.1.3

                  The CBB, in considering the proposed (re-) appointment of an auditor, takes into account the expertise, resources and reputation of the audit firm, relative to the size and complexity of the licensee. The CBB will also take into account the track record of the audit firm in auditing specialised licensees within Bahrain; the degree to which it has generally demonstrated independence from management in its audits; and the extent to which it has identified and alerted relevant persons of significant matters. Finally, the CBB will also consider the audit firm's compliance with applicable laws and regulations (including legislative Decree No. 26 of 1996; the Ministry of Industry and Commerce's Ministerial Resolution No. 6 of 1998; and relevant Bahrain Stock Exchange regulations).

                  October 2010

                • AA-1.1.4

                  In the case of overseas specialised licensees, the CBB will also take into account who act as the auditors of the parent firm. As a general rule, the CBB does not favour different parts of a specialised licensee group having different auditors.

                  October 2010

              • AA-1.2 AA-1.2 Removal or Resignation of Auditors

                • AA-1.2.1

                  Specialised licensees must notify the CBB as soon as they intend to remove their external auditor, with an explanation of their decision, or as soon as their auditor resign.

                  October 2010

                • AA-1.2.2

                  Specialised licensees must ensure that a replacement auditor is appointed (subject to CBB approval as per Section AA-1.1), as soon as reasonably practicable after a vacancy occurs, but no later than three months.

                  October 2010

                • AA-1.2.3

                  The external auditor of specialised licensees must inform the CBB in writing, should it resign or its appointment as auditor be terminated, within 30 calendar days, of the event occurring, setting out the reasons for the resignation or termination.

                  October 2010

              • AA-1.3 AA-1.3 Audit Partner Rotation

                • AA-1.3.1

                  Unless otherwise exempted by the CBB, specialised licensees must ensure that the audit partner responsible for their audit does not undertake that function more than five years in succession.

                  October 2010

                • AA-1.3.2

                  [This Paragraph was deleted in October 2012].

                  Deleted: October 2012

                • AA-1.3.3

                  Specialised licensees must notify the CBB of any change in audit partner.

                  October 2010

              • AA-1.4 AA-1.4 Auditor Independence

                • AA-1.4.1

                  Article 61(d) of the CBB Law imposes conditions for the auditor to be considered independent. Before a specialised licensee appoints an auditor, it must take reasonable steps to ensure that the auditor has the required skill, resources and experience to carry out the audit properly, and is independent of the licensee.

                  October 2010

                • AA-1.4.2

                  For an auditor to be considered independent, it must, among things, comply with the restrictions in Section AA-1.5.

                  October 2010

                • AA-1.4.3

                  If a specialised licensee becomes aware at any time that its auditor is not independent, it must take reasonable steps to remedy the matter and notify the CBB of the fact.

                  October 2010

                • AA-1.4.4

                  If in the opinion of the CBB, independence has not been achieved within a reasonable timeframe, then the CBB may require the appointment of a new auditor.

                  October 2010

              • AA-1.5 AA-1.5 Licensee/Auditor Restrictions

                • Financial Transactions with Auditors

                  • AA-1.5.1

                    Specialised licensees must not provide regulated services to their auditor.

                    October 2010

                • Outsourcing to Auditors

                  • AA-1.5.2

                    Specialised licensees may not outsource their internal audit function to the same firm that acts as their (external) auditor.

                    October 2010

                • Other Relationships

                  • AA-1.5.3

                    Specialised licensees and their auditor must comply with the restrictions contained in Article 217 (c) of the Commercial Companies Law (Legislative Decree No. (21) of 2001), as well as in Article 61(d) of the CBB Law.

                    October 2010

                  • AA-1.5.4

                    Article 217(c) of the Commercial Companies Law prohibits an auditor from (i) being the chairman or a member of the Board of Directors of the licensee he/she audits; (ii) holding any managerial position in the licensee he/she audits; and (iii) acquiring any shares in the licensee he/she audits, or selling any such shares he/she may already own, during the period of his audit. Furthermore, the auditor must not be a relative (up to the second degree) of a person assuming management or accounting duties in the licensee.

                    Amended: October 2012
                    October 2010

                  • AA-1.5.5

                    Article 61(d) of the CBB Law prohibits an auditor from (i) being the chairman or a member of the Board of Directors of the licensee he/she audits; (ii) acting as a managing director, agent or representative of the licensee concerned; and (iii) taking up any administrative work in the licensee, or supervising its accounts, or having a next of kin in such a position.

                    Amended: October 2012
                    October 2010

                  • AA-1.5.6

                    The restriction in Paragraph AA-1.5.4 applies to overseas specialised licensees as well as Bahraini specialised licensees.

                    October 2010

                  • AA-1.5.7

                    A partner, Director or manager on the engagement team of auditing a specialised licensee may not serve on the Board or in a controlled function of the licensee, for two years following the end of their involvement in the audit, without prior authorisation of the CBB.

                    October 2010

                  • AA-1.5.8

                    Chapter AU-1.2 sets out the CBB's "controlled functions" requirements.

                    October 2010

                • Definition of 'Auditor'

                  • AA-1.5.9

                    For the purposes of Section AA-1.5, 'auditor' means the partners, Directors and managers on the engagement team responsible for the audit of the specialised licensee.

                    October 2010

            • AA-2 AA-2 Access

              • AA-2.1 AA-2.1 CBB Access to Auditors

                • AA-2.1.1

                  Specialised licensees must waive any duty of confidentiality on the part of their auditor, such that their auditor may report to the CBB any concerns held regarding material failures by the specialised licensee to comply with CBB requirements.

                  October 2010

                • AA-2.1.2

                  The CBB may, as part of its on-going supervision of specialised licensees, request meetings with a licensee's auditor. If necessary, the CBB may direct that the meeting be held without the presence of the licensee's management or Directors.

                  October 2010

              • AA-2.2 AA-2.2 Auditor Access to Outsourcing Providers

                • AA-2.2.1

                  Outsourcing agreements between specialised licensees and outsourcing providers must ensure that the licensee's internal and external auditors have timely access to any relevant information they may require to fulfil their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing provider, if required.

                  October 2010

                • AA-2.2.2

                  Further Rules and Guidance on outsourcing are contained in Module RM (Risk Management).

                  October 2010

            • AA-3 AA-3 Auditor Reports

              • AA-3.1 AA-3.1 This Section was deleted in October 2016.

                Deleted: October 2016

                • AA-3.1.1

                  [This paragraph was deleted in October 2016]

                  Deleted: October 2016
                  Amended: July 2011
                  October 2010

                • AA-3.1.2

                  [This paragraph was deleted in October 2016]

                  Deleted: October 2016
                  October 2010

              • AA-3.2 AA-3.2 Review of Financial Disclosures

                • AA-3.2.1

                  Specialised licensees that are required to publish financial disclosures in accordance with Module PD must arrange for their external auditor to review these prior to their publication, unless otherwise exempted in writing by the CBB.

                  Amended: April 2014
                  October 2010

                • AA-3.2.2

                  Financing companies must arrange for their external auditor to review the annual disclosures required in Module PD, Section PD-1.3 and Chapter PD-4, prior to their submission to the CBB or their publication. This review must be in the form of an agreed-upon procedures report (see also PD-A.2.4). The report must be submitted to the CBB within 3 months of the year end of the concerned financing company (see also Paragraph BR-1.1.2).

                  Added: April 2014

                • AA-3.2.3

                  Financing companies must arrange for their external auditor to review the disclosures in the half-yearly financial statements required by Module PD, Paragraph PD-2.1.6 prior to their submission to the CBB or their publication. This review must be in the form of an agreed-upon procedure report. This report must be submitted to the CBB within two months of the end of the half year reporting period of the concerned financing company (see also Section BR-1.2.4).

                  Added: April 2014

              • AA-3.3 AA-3.3 Report on Compliance with Financial Crime Rules [This Section was deleted in October 2012]

                • AA-3.3.1

                  [This Paragraph was deleted in October 2012].

                  Deleted: October 2012

                • AA-3.3.2

                  [This Paragraph was deleted in October 2012].

                  Deleted: October 2012

                • AA-3.3.3

                  [This Paragraph was deleted in October 2012].

                  Deleted: October 2012

            • AA-4 AA-4 Accounting Standards

              • AA-4.1 AA-4.1 General Requirements

                • AA-4.1.1

                  Specialised licensees must comply with International Financial Reporting Standards / International Accounting Standards and, to the extent that they undertake Shari'a compliant activities, relevant standards issued by the Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI).

                  October 2010

                • AA-4.1.2

                  Overseas specialised licensees that do not, at the parent licensee level, apply IFRS/IAS are still required under Paragraph AA-4.1.1 to produce pro-forma accounts for the Bahrain branch in conformity with these standards. Where this requirement is difficult to implement, the Bahraini specialised licensee should contact the CBB in order to agree to a solution.

                  October 2010

                • AA-4.1.3

                  Paragraph AA-4.1.1 requires specialised licensees that operate exclusively on a Shari'a compliant basis to apply relevant AAOIFI Financial Accounting Standards, depending on the type of Islamic finance contracts entered into. Specialised licensees that undertake both conventional finance and Shari'a compliant transactions are required by Paragraph AA-4.1.1 to apply AAOIFI Financial Accounting Standard 18, "Islamic Financial Services Offered by Conventional Financial Institutions".

                  October 2010

            • AA-5 AA-5 Role of External Auditor as Appointed Expert

              • AA-5.1 AA-5.1 General Requirements

                • AA-5.1.1

                  In accordance with Articles 114 and 121 of the CBB Law, the CBB may appoint appointed experts to undertake on-site examinations or report by way of investigations on specific aspects of a licensee's business. External auditors may be called upon to be appointed experts and should be aware of their role in that capacity by referring to Section BR-3.5 for money changers and administrators or Module GR for representative office licensees.

                  [The Rules and guidance in this Section were moved to Section BR-3.5 for money changers and administrators and Module GR for Representative offices in April 2012]

                  Amended: April 2012
                  October 2010

                • AA-5.1.2

                  The purpose of the contents of this chapter is to set out the roles and responsibilities of Appointed Experts when appointed pursuant to Article 114 or 121 of the CBB Law (see EN-7.1.1). These Articles empower the CBB to assign some of its officials or others to inspect or conduct investigations of licensees.

                  October 2010

                • AA-5.1.3

                  The CBB uses its own inspectors to undertake on-site examinations of licensees as an integral part of its regular supervisory efforts. In addition, the CBB may commission reports on matters relating to the business of licensees in order to help it assess their compliance with CBB requirements. Inspections may be carried out either by the CBB's own officials, by duly qualified "Appointed Experts" appointed for the purpose by the CBB, or a combination of the two.

                  October 2010

                • AA-5.1.4

                  Specialised licensees must provide all relevant information and assistance to the CBB inspectors and Appointed Experts on demand as required by Articles 111 and 114 of the CBB Law. Failure by licensees to cooperate fully with the CBB's inspectors or Appointed Experts, or to respond to their examination reports within the time limits specified, will be treated as demonstrating a material lack of cooperation with the CBB which will result in other enforcement measures being considered, as described elsewhere in Module EN. This rule is supported by Article 114(a) of the CBB Law.

                  October 2010

                • AA-5.1.5

                  Article 163 of the CBB Law provides for criminal sanctions where false or misleading statements are made to the CBB or any person /Appointed Expert appointed by the CBB to conduct an inspection or investigation on the business of the licensee or the listed licensee.

                  October 2010

                • AA-5.1.6

                  The CBB will not, as a matter of general policy, publicise the appointment of an Appointed Expert, although it reserves the right to do so where this would help achieve its supervisory objectives. Both the Appointed Expert and the CBB are bound to confidentiality provisions restricting the disclosure of confidential information with regards to any such information obtained in the course of the investigation.

                  October 2010

                • AA-5.1.7

                  Unless the CBB otherwise permits, Appointed Experts should not be the same firm appointed as external auditor of the specialised licensee.

                  October 2010

                • AA-5.1.8

                  Appointed Experts will be appointed in writing, through an appointment letter, by the CBB. In each case, the CBB will decide on the range, scope and frequency of work to be carried out by Appointed Experts.

                  October 2010

                • AA-5.1.9

                  Appointed Experts will report directly to and be responsible to the CBB in this context and will specify in their report any limitations placed on them in completing their work (for example due to the relevant specialised licensees' group structure). The report produced by the Appointed Experts is the property of the CBB (but is usually shared by the CBB with the firm concerned).

                  October 2010

                • AA-5.1.10

                  Compliance by Appointed Experts with the contents of this Chapter will not, of itself, constitute a breach of any other duty owed by them to a particular specialised licensee (i.e. create a conflict of interest).

                  October 2010

                • AA-5.1.11

                  The CBB may appoint one or more of its officials to work on the Appointed Experts' team for a particular specialised licensee.

                  October 2010

              • AA-5.2 AA-5.2 The Required Report

                [The Rules and guidance in this Section were moved to Section BR-3.5 for money changers and administrators and Module GR for Representative offices in April 2012]

                • AA-5.2.1

                  Commissioned Appointed Experts would normally be required to report on one or more of the following aspects of a specialised licensee's business:

                  (a) Accounting and other records;
                  (b) Internal control systems;
                  (c) Returns of information provided to the CBB;
                  (d) Operations of certain departments; and/or
                  (e) Other matters specified by the CBB.
                  October 2010

                • AA-5.2.2

                  Appointed Experts will be required to form an opinion on whether, during the period examined, the specialised licensee is in compliance with the relevant provisions of the CBB Law and the CBB's relevant requirements, as well as other requirements of Bahrain Law and, where relevant, industry best practice locally and/or internationally.

                  October 2010

                • AA-5.2.3

                  The Appointed Experts' report should follow the format set out in Appendix AA-1, in part B of the CBB Rulebook.

                  October 2010

                • AA-5.2.4

                  Unless otherwise directed by the CBB or unless the circumstances described in Section AA-5.3 apply, the report must be discussed with the Board of directors and/or senior management in advance of its being sent to the CBB.

                  October 2010

                • AA-5.2.5

                  Where the report is qualified by exception, the report must clearly set out the risks which the specialised licensee runs by not correcting the weakness, with an indication of the severity of the weakness should it not be corrected. Appointed Experts will be expected to report on the type, nature and extent of any weaknesses found during their work, as well as the implications of a failure to address and resolve such weaknesses.

                  October 2010

                • AA-5.2.6

                  If the Appointed Experts conclude, after discussing the matter with the specialised licensee, that they will give a negative opinion (as opposed to one qualified by exception) or that the issue of the report will be delayed, they must immediately inform the CBB in writing giving an explanation in this regard.

                  October 2010

                • AA-5.2.7

                  The report must be completed, dated and submitted, together with any comments by directors or management (including any proposed timeframe within which the specialised licensee has committed to resolving any issues highlighted by the report), to the CBB within the timeframe applicable.

                  October 2010

              • AA-5.3 AA-5.3 Other Notifications to the CBB

                [The Rules and guidance in this Section were moved to Section BR-3.5 for money changers and administrators and Module GR for Representative offices in April 2012]

                • AA-5.3.1

                  Appointed Experts must communicate to the CBB, during the conduct of their duties, any reasonable belief or concern they may have that any of the requirements of the CBB, including the criteria for licensing a specialised licensee (see Module AU), are not or have not been fulfilled, or that there has been a material loss or there exists a significant risk of material loss in the concerned specialised licensee, or that the interests of customers are at risk because of adverse changes in the financial position or in the management or other resources of a specialised licensee. Notwithstanding the above, it is primarily the specialised licensee's responsibility to report such matters to the CBB.

                  October 2010

                • AA-5.3.2

                  The CBB recognises that Appointed Experts cannot be expected to be aware of all circumstances which, had they known of them, would have led them to make a communication to the CBB as outlined above. It is only when Appointed Experts, in carrying out their duties, become aware of such a circumstance that they should make detailed inquiries with the above specific duty in mind.

                  October 2010

                • AA-5.3.3

                  If Appointed Experts decide to communicate directly with the CBB in the circumstances set out in Paragraph AA-5.3.1 above, they may wish to consider whether the matter should be reported at an appropriate senior level in the specialised licensee at the same time and whether an appropriate senior representative of the specialised licensee should be invited to attend the meeting with the CBB.

                  October 2010

              • AA-5.4 AA-5.4 Permitted Disclosure by the CBB

                [The Rules and guidance in this Section were moved to Section BR-3.5 for money changers and administrators and Module GR for Representative offices in April 2012]

                • AA-5.4.1

                  Information which is confidential and has been obtained under, or for the purposes of, this chapter or the CBB Law may only be disclosed by the CBB in the circumstances permitted under the Law. This will allow the CBB to disclose information to Appointed Experts to fulfil their duties. It should be noted, however, that Appointed Experts must keep this information confidential and not divulge it to a third party except with the CBB's permission and/or unless required by Bahrain Law.

                  October 2010

              • AA-5.5 AA-5.5 Trilateral Meeting

                [The Rules and guidance in this Section were moved to Section BR-3.5 for money changers and administrators and Module GR for Representative offices in April 2012]

                • AA-5.5.1

                  The CBB may, at its discretion, call for a trilateral meeting(s) to be held between the CBB and representatives of the relevant specialised licensee and the Appointed Experts. This meeting will provide an opportunity to discuss the Appointed Experts' examination of, and report on, the specialised licensee.

                  October 2010

        • Business Standards

          • FC FC Financial Crime

            • FC-A FC-A Introduction

              • FC-A.1 FC-A.1 Purpose

                • Executive Summary

                  • FC-A.1.1

                    This Module applies, to all specialised licensees, a comprehensive framework of Rules and Guidance aimed at combating money laundering and terrorist financing. In so doing, it helps implement the 40 Recommendations on money laundering and 9 Special Recommendations on terrorist financing, issued by the Financial Action Task Force (FATF), that are relevant to specialised licensees. (Further information on these can be found in Chapter FC-10.) The Module also contains measures relating to the combating of fraud.

                    October 2010

                  • FC-A.1.2

                    The Module requires specialised licensees to have effective anti-money laundering ('AML') policies and procedures, in addition to measures for combating the financing of terrorism ('CFT'). The Module contains detailed requirements relating to customer due diligence, reporting and the role and duties of the Money Laundering Reporting Officer (MLRO). Furthermore, examples of suspicious activity are provided, to assist licensees monitor transactions and fulfill their reporting obligations under Bahrain law.

                    October 2010

                  • FC-A.1.3

                    This Module also covers measures in place to combat fraud. Chapter FC-11 sets out basic requirements regarding measures to deter, detect and report instances of fraud and attempted fraud.

                    October 2010

                • Legal Basis

                  • FC-A.1.4

                    This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) regarding the combating money laundering and terrorism financing and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all specialised licensees.

                    Amended: January 2022
                    Amended: January 2011
                    October 2010

                  • FC-A.1.5

                    For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                    October 2010

              • FC-A.2 FC-A.2 Module History

                • Evolution of Module

                  • FC-A.2.1

                    This Module was first issued in October 2010. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    October 2010

                  • FC-A.2.2

                    A list of recent changes made to this Module is detailed in the table below:

                    Module Ref.Change DateDescription of Changes
                    FC-A.1.401/2011Clarified legal basis.
                    FC-B.1.107/2011Exempted administrators from specific sections of this Module.
                    FC-4.1.704/2012Clarified requirements for MLRO.
                    FC-4.304/2012Amended Section to allow for CBB-approved consultancy firm to do required sample testing and report under Paragraph FC-4.3.1.
                    FC-B.1.110/2012Amended the scope of application to have a limited scope for ancillary services providers and to expand the role of the general managers for those licensees allowed to follow only certain Chapters of Module FC.
                    FC-1.2.3(b)01/2013Clarified location of guidance under Part B Supplementary Information Appendix FC-(v).
                    FC-1.2.11(f) and FC-1.2.11A04/2013Provided additional details when dealing with employee benefit trusts and occupational savings schemes.
                    FC-1.10.104/2013Updated language to refer to licensed exchange.
                    FC-2.2.3A04/2013Guidance Paragraph added for trust service providers on automatic transaction monitoring.
                    FC-7.1.404/2013Reference made to the use of electronic records.
                    FC-5.2.310/2014Updated method of submitting STRs.
                    FC-5.310/2014Updated relevant authorities information.
                    FC-1.2.807/2016Change made for consistency across CBB Rulebook.
                    FC-1.5.407/2016Definition of PEPs is already included in Glossary so this guidance paragraph was deleted.
                    FC-5.2.307/2016Updated instructions for STR.
                    FC-1.2.9A01/2017Added guidance paragraph on CR printing
                    FC-8.2.1AA04/2017Added new Paragraph on Implementing and complying with the United Nations Security Council resolutions requirement.
                    FC-1.1.2A and FC-1.1.2B10/2017Added new paragraphs on CDD requirements.
                    FC-1.2.710/2017Amended paragraph.
                    FC-1.2.8A10/2017Added new paragraph on legal entities or legal arrangements CDD.
                    FC-2.2.10 – FC- 2.2.1110/2017Amended paragraphs on On-going CDD and Transaction Monitoring.
                    FC-4.1.4A10/2017Added paragraph on combining the MLRO or DMLRO position with any other position within the licensee.
                    FC-B.2.401/2018Added new paragraph on implementation of groupwide programmes against money laundering and terrorist financing.
                    FC-1.7.101/2018Amended paragraph.
                    FC-1.10.101/2018Deleted paragraph.
                    FC-5.2.601/2018Amended paragraph.
                    FC-8.1.301/2018Added new paragraph on due diligence measures (FATF).
                    FC-8.1.401/2018Added new guidance paragraph.
                    FC-8.2.201/2018Deleted paragraph.
                    FC-1.1.207/2018Deleted sub-paragraph (a).
                    FC-1.907/2018Amended Section title deleting the threshold.
                    FC-1.9.207/2018Amended Paragraph deleting the threshold.
                    FC-1.10.107/2018Deleted sub-paragraph (a).
                    FC-1.10.307/2018Deleted Paragraph.
                    FC-1.10.807/2018Deleted Paragraph.
                    FC-1.10.101/2019Amended reference.
                    FC-B.1.110/2019Amended Paragraph on scope of application.
                    FC-1.6.410/2019Amended Paragraph on societies and clubs fund transfers.
                    FC-1.8.210/2019Amended authority name.
                    FC-4.1.810/2019Amended authority name.
                    FC-4.2.110/2019Amended authority name.
                    FC-5.2.310/2019Amended authority name.
                    FC-5.3.210/2019Amended authority address.
                    FC-8.2.1AA10/2019Amended Paragraph on terrorist financing.
                    FC-1.1.101/2020Amended Paragraph on procedures approval.
                    FC-1.2.101/2020Added a new Sub-paragraph.
                    FC-4.3.501/2020Amended Paragraph on report submission date.
                    FC-4.3.701/2020Amended Paragraph references.
                    FC-2.1.3 & FC-2.1.404/2020Added new Paragraphs on KPIs compliance with AML/CFT requirements.
                    FC-1.1.5A01/2021Added a new Paragraph on onboarding of customers by financing companies.
                    FC-1.1.5B01/2021Added a new Paragraph on enhanced due diligence for high risk profiles.
                    FC-3.1.501/2021Added a new Paragraph on rejecting payment transactions.
                    FC-6.1.6A01/2021Added a new Paragraph on requirements to hire new employees.
                    FC-6.1.6A07/2021Amended Paragraph on requirements to hire new employees.
                    FC-A.1.401/2022Amended Paragraph to replace financial crime with money laundering and terrorism financing.
                    FC-B.1.101/2022Amended Paragraph by adding reference to Section FC-C.
                    FC-C01/2022New chapter on risk-based approach (RBA).
                    FC-1.101/2022Amended Section to introduce additional rules for non-resident customers, amendments to customers onboarded prior to full completion of customer due diligence, digital onboarding etc.
                    FC-1.201/2022Amended Section to include E-KYC and electronic documents law requirements.
                    FC-1.3.201/2022Added new guidance on enhanced due diligence requirements for customers identified as having higher risk profile.
                    FC-1.401/2022Amended Section to introduce detailed requirements for digital onboarding and related requirements.
                    FC-1.5.201/2022Amended Paragraph on onboarding non-Bahraini PEPs using digital ID applications.
                    FC-1.10.7A01/2022Added a new Paragraph on not applying simplified CDD in situations where the licensee has identified high ML/TF/PF risks.
                    FC-2.1.501/2022Added a new Paragraph on including remitting agents in programmes for monitoring.
                    FC-2.2.501/2022Amended Paragraph.
                    FC-3.1.6 – FC-3.1.801/2022Added new Paragraphs on Originating Financial Institutions.
                    FC-3.1.9 – FC-3.1.1201/2022Added new Paragraphs on Intermediary Financial Institution/Bank.
                    FC-3.1.13 - FC-3.1.1501/2022New Paragraphs on Beneficiary Financial Institutions.
                    FC-4.3.101/2022Amended Paragraph.
                    FC-4.3.201/2022Amended Paragraph.
                    FC-4.3.501/2022Amended Paragraph.
                    FC-4.3.601/2022Deleted Paragraph.
                    FC-4.3.701/2022Deleted Paragraph.
                    FC-6.1.6A01/2022Deleted Paragraph.
                    FC-C.2.301/2023Minor amendment to Paragraph.
                    FC-8.2.4(c)01/2023Added a new Sub-paragraph on reporting any frozen assets or actions taken.
                    FC-1.1.5A10/2023Deleted Paragraph.
                    FC-1.1.13A10/2023Amended Sub-Paragraph on the enhanced diligence for the non-resident accounts.
                    FC-1.1.13E10/2023Deleted Paragraph.
                    FC-1.1.13I10/2023Deleted Paragraph.
                    FC-1.1.1410/2023Added a new Paragraph on CDD and Customer onboarding requirements.
                    FC-1.1110/2023Added a new Section on reliance on third parties for customer due diligence.
                    FC-1.2.101/2024Amended Paragraph on customer due diligence.

                • Superseded Requirements

                  • FC-A.2.3

                    Prior to the introduction of this Module, the CBB (BMA then) had issued various regulatory instruments containing requirements covering different aspects of financial crime. These requirements were consolidated and updated into a comprehensive financial crime regulation, issued in January 2006 to all non-bank and non-insurance licensees. In turn, this new consolidated regulation was transposed, with no major changes, into the initial version of this Module. This Regulation and other instruments listed below replaced by this Module are listed below:

                    Document Ref. Date of Issue Module Ref. Document Subject
                    BC/17/97 10 Nov 1997 FC B-1 Money Laundering
                    OG/308/89 14 Oct 1989 FC B-1 Money Laundering
                    EDBC/6/01 14 Oct 2001 FC 1, FC 4 – FC
                    7
                    Re: Money Laundering Regulation
                    BC/1/02 27 Jan 2002 FC 3 FATF Special Recommendations on Terrorism Financing
                    BC/3/00 5 Mar 2000 FC 1.5 Re: Accounts for Charity Organisations
                    EDFIS/136/2005 19 June 2005   New draft Financial Crime Regulation and Guidance
                    FIS/C/001/2006 2 Jan 2006 FC-A to FC-10 New Financial Crime Regulation.
                           
                    October 2010

            • FC-B FC-B Scope of Application

              • FC-B.1 FC-B.1 Scope of Application

                • FC-B.1.1

                  This Module applies to all specialised licensees including branches of licensees incorporated outside of Bahrain, and Bahrain-incorporated subsidiaries of overseas groups. Certain parts of this Module may not be relevant to some licensees' business. Some transactions may not involve the opening of account relationships, however whenever a transaction takes place with another party or the licensee acts as an introducer or intermediary in a transaction or business relationship, then this Module becomes effective. Representative office licensees, administrators and ancillary services providers, except ancillary service providers carrying out the activities of payment service provider, crowdfunding platform operator and payment initiation service provider, are exempted from: FC-C, FC-2, FC-3, FC-4 and FC-6 because of the limited nature of their business; however, for these licensees, the Chief Executive Officer/General Manager of the licensee is responsible to comply with the remaining Chapters of Module FC. The scope provided for simplified customer due diligence requirements – as set out in Section FC-1.10 – will reduce the burden of customer due diligence for a number of specialised licensees.

                  Amended: January 2022
                  Amended: October 2019
                  Amended: October 2012
                  Amended: July 2011
                  October 2010

                • FC-B.1.2

                  The requirements of this Module are in addition to and supplement Decree Law No. (4) of 2001 with respect to the prevention and prohibition of the laundering of money; this Law was subsequently updated, with the issuance of Decree Law No. 54 of 2006 with respect to amending certain provisions of Decree No. 4 of 2001 (collectively, 'the AML Law'). The AML Law imposes obligations on persons generally in relation to the prevention of money laundering and the combating of the financing of terrorism, to all persons resident in Bahrain. All specialised licensees are therefore under the statutory obligations of that Law, in addition to the more specific requirements contained in this Module. Nothing in this Module is intended to restrict the application of the AML Law (a copy of which is contained in Part B of Volume 5 (Specialised licensees), under 'Supplementary Information'). Also included in Part B is a copy of Decree Law No. 58 of 2006 with respect to the protection of society from terrorism activities ('the anti-terrorism law).

                  October 2010

              • FC-B.2 FC-B.2 Overseas Subsidiaries and Branches

                • FC-B.2.1

                  Licensees must apply the requirements in this Module to all their branches and subsidiaries operating both in the Kingdom of Bahrain and in foreign jurisdictions. Where local standards differ, the higher standard must be followed. Licensees must pay particular attention to procedures in branches or subsidiaries in countries that do not or insufficiently apply the FATF Recommendations and Special Recommendations.

                  October 2010

                • FC-B.2.2

                  Where another jurisdiction's laws or regulations prevent a licensee (or any of its foreign branches or subsidiaries) from applying the same standards contained in this Module or higher, the licensee must immediately inform the CBB in writing.

                  October 2010

                • FC-B.2.3

                  In such instances, the CBB will review alternatives with the licensee. Should the CBB and the licensee be unable to reach agreement on the satisfactory implementation of this Module in a foreign subsidiary or branch, the licensee may be required by the CBB to cease the operations of the subsidiary or branch in the foreign jurisdiction in question.

                  October 2010

                • FC-B.2.4

                  Financial groups (e.g. a licensee with its subsidiaries) must implement groupwide programmes against money laundering and terrorist financing, including policies and procedures for sharing information within the group for AML/CFT purposes, which must also be applicable, and appropriate to, all branches and subsidiaries of the financial group. These must include:

                  (a) The development of internal policies, procedures and controls, including appropriate compliance management arrangements, and adequate screening procedures to ensure high standards when hiring employees;
                  (b) An ongoing employee training programme;
                  (c) An independent audit function to test the system;
                  (d) Policies and procedures for sharing information required for the purposes of CDD and money laundering and terrorist financing risk management;
                  (e) The provision at group-level compliance, audit, and/or AML/CFT functions of customer, account and transaction information from branches and subsidiaries when necessary for AML/CFT purposes; and
                  (f) Adequate safeguards on the confidentiality and use of information exchanged.
                  Added: January 2018

            • FC-C FC-C Risk Based Approach

              • FC-C.1 FC-C.1 Risk Based Approach

                • FC-C.1.1

                  Licensees must implement Risk Based Approach (RBA) in establishing an AML/CFT/CPF program and conduct ML/TF/PF risk assessments prior to and during the establishment of a business relationship and, on an ongoing basis, throughout the course of its relationship with the customer. The licensee must establish and implement policies, procedures, tools and systems commensurate with the size, nature and complexity of its business operations to support its RBA.

                  Added: January 2022

                • FC-C.1.2

                  Licensees must perform enhanced measures where higher ML/TF/PF risks are identified to effectively manage and mitigate those higher risks.

                  Added: January 2022

                • FC-C.1.3

                  Licensees must maintain and regularly review and update the documented risk assessment. The risk management and mitigation measures implemented by a licensee must be commensurate with the identified ML/TF/PF risks.

                  Added: January 2022

                • FC-C.1.4

                  A Licensees must allocate adequate financial, human and technical resources and expertise to effectively implement and take appropriate preventive measures to mitigate ML/TF/PF risks.

                  Added: January 2022

              • FC-C.2 FC-C.2 Risk Assessment

                • FC-C.2.1

                  A Licensee must ensure that it takes measures to identify, assess, monitor, manage and mitigate ML/TF/PF risks to which it is exposed and that the measures taken are commensurate with the nature, scale and complexities of its activities. The risk assessment must enable the licensee to understand how, and to what extent, it is vulnerable to ML/TF/PF.

                  Added: January 2022

                • FC-C.2.2

                  In the context of the risk assessment, “proliferation financing risk” refers to the potential breach, non-implementation or evasion of the targeted financial sanctions obligations referred to in FATF Recommendation 7.

                  Added: January 2022

                • FC-C.2.3

                  The risk assessment must be properly documented, regularly updated and communicated to the licensee’s senior management. Licensees must have in place policies, controls and procedures, which are approved by senior management, to enable them to manage and mitigate the risks that have been identified. In conducting its risk assessments, the licensee must consider quantitative and qualitative information obtained from the relevant internal and external sources to identify, manage and mitigate these risks. This must include consideration of the risk and threat assessments using, national risk assessments, sectorial risk assessments, crime statistics, typologies, risk indicators, red flags, guidance and advisories issued by inter-governmental organisations, national competent authorities and the FATF, and AML/CFT/CPF mutual evaluation and follow-up reports by the FATF or associated assessment bodies.

                  Amended: January 2023
                  Added: January 2022

                • FC-C.2.4

                  Licensees must assess country/geographic risk, customer risk, product/ service/transactions risk and distribution channel risk taking into consideration the appropriate factors in identifying and assessing the ML/TF/PF risks, including the following:

                  (a) The nature, scale, diversity and complexity of its business, products and target markets;
                  (b) Products, services and transactions that inherently provide more anonymity, ability to pool underlying customers/funds, cash-based, face-to-face, non face-to-face, domestic or cross-border;
                  (c) The volume and size of its transactions, nature of activity and the profile of its customers;
                  (d) The proportion of customers identified as high risk;
                  (e) Its target markets and the jurisdictions it is exposed to, either through its own activities or the activities of customers, especially jurisdictions with relatively higher levels of corruption or organised crime, and/or deficient AML/CFT/CPF controls and listed by FATF;
                  (f) The complexity of the transaction chain (e.g. complex layers of intermediaries and sub intermediaries or distribution channels that may anonymise or obscure the chain of transactions) and types of distributors or intermediaries;
                  (g) The distribution channels, including the extent to which the licensee deals directly with the customer and the extent to which it relies (or is allowed to rely) on third parties to conduct CDD and the use of technology; and
                  (h) Internal audit, external audit or regulatory inspection findings.
                  Added: January 2022

                • Country/Geographic risk

                  • FC-C.2.5

                    Country/geographic area risk, in conjunction with other risk factors, provides useful information as to potential ML/TF/PF risks. Factors that may be considered as indicators of higher risk include:

                    (a) Countries identified by credible sources, such as mutual evaluation or detailed assessment reports or published follow-up reports, as not having adequate AML/CFT/CPF systems;
                    (b) Countries or geographic areas identified by credible sources as providing funding or support for terrorist activities, or that have designated terrorist organisations operating within their country;
                    (c) Countries identified by credible sources as having significant levels of corruption or organized crime or other criminal activity, including source or transit countries for illegal drugs, human trafficking and smuggling and illegal gambling;
                    (d) Countries subject to sanctions, embargoes or similar measures issued by international organisations such as the United Nations Organisation; and
                    (e) Countries identified by credible sources as having weak governance, law enforcement, and regulatory regimes, including countries identified by the FATF statements as having weak AML/CFT/CPF regimes, and for which financial institutions should give special attention to business relationships and transactions.
                    Added: January 2022

                • Customer risk

                  • FC-C.2.6

                    Categories of customers which may indicate a higher risk include:

                    (a) The business relationship is conducted in unusual circumstances (e.g. significant unexplained geographic distance between the financial institution and the customer).
                    (b) Non-resident customers;
                    (c) Legal persons or arrangements that are personal asset-holding vehicles;
                    (d) Companies that have nominee shareholders or shares in bearer form;
                    (e) Businesses that are cash-intensive;
                    (f) The ownership structure of the company appears unusual or excessively complex given the nature of the company’s business;
                    (g) Customer is sanctioned by the relevant national competent authority for non-compliance with the applicable AML/CFT/CPF regime and is not engaging in remediation to improve its compliance;
                    (h) Customer is a PEP or customer’s family members, or close associates are PEPs (including where a beneficial owner of a customer is a PEP);
                    (i) Customer resides in or whose primary source of income originates from high-risk jurisdictions;
                    (j) Customer resides in countries considered to be uncooperative in providing beneficial ownership information; customer has been mentioned in negative news reports from credible media, particularly those related to predicate offences for AML/CFT/CPF or to financial crimes;
                    (k) Customer’s transactions indicate a potential connection with criminal involvement, typologies or red flags provided in reports produced by the FATF or national competent authorities;
                    (l) Customer is engaged in, or derives wealth or revenues from, a high-risk cash-intensive business;
                    (m) The number of STRs and their potential concentration on particular client groups;
                    (n) Customers who have sanction exposure; and
                    (o) Customer has a non-transparent ownership structure.
                    Added: January 2022

                • Product/Service/Transactions risk

                  • FC-C.2.7

                    An overall risk assessment should include determining the potential risks presented by product, service, transaction or the delivery channel of the licensee. A licensee should assess, using a RBA, the extent to which the offering of its product, service, transaction or the delivery channel presents potential vulnerabilities to placement, layering or integration of criminal proceeds into the financial system.

                    Added: January 2022

                  • FC-C.2.8

                    Determining the risks of product, service, transaction or the delivery channel offered to customers may include a consideration of their attributes, as well as any associated risk mitigation measures. Products and services that may indicate a higher risk include:

                    (a) Anonymous transactions (which may include cash);
                    (b) Non-face-to-face business relationships or transactions;
                    (c) Payment received from unknown or un-associated third parties;
                    (d) Products or services that may inherently favour anonymity or obscure information about underlying customer transactions;
                    (e) The geographical reach of the product or service offered, such as those emanating from higher risk jurisdictions;
                    (f) Products with unusual complexity or structure and with no obvious economic purpose;
                    (g) Products or services that permit the unrestricted or anonymous transfer of value (by payment or change of asset ownership) to an unrelated third party, particularly those residing in a higher risk jurisdiction; and
                    (h) Use of new technologies or payment methods not used in the normal course of business by the licensee.
                    Added: January 2022

                • Distribution Channel Risk

                  • FC-C.2.9

                    A customer may request transactions that pose an inherently higher risk to the licensee. Factors that may be considered as indicators of higher risk include:

                    (a) A request is made to transfer funds to a higher risk jurisdiction/country/region without a reasonable business purpose provided; and
                    (b) A transaction is requested to be executed, where the licensee is made aware that the transaction will be cleared/settled through an unregulated entity.
                    Added: January 2022

                  • FC-C.2.10

                    A licensee should analyse the specific risk factors, which arise from the use of intermediaries and their services. Intermediaries’ involvement may vary with respect to the activity they undertake and their relationship with the licensees. Licensee should understand who the intermediary is and perform a risk assessment on the intermediary prior to establishing a business relationship. Licensees and intermediaries should establish clearly their respective responsibilities for compliance with applicable regulation.

                    Added: January 2022

            • FC-1 FC-1 Customer Due Diligence Requirements

              • FC-1.1 FC-1.1 General Requirements

                • Verification of Identity and Source of Funds

                  • FC-1.1.1

                    Licensees must establish effective systematic internal procedures for establishing and verifying the identity of their customers and the source of their funds. Such procedures must be set out in writing and approved by the licensee's senior management. They must be strictly adhered to.

                    Amended: January 2020
                    Added: October 2010

                  • FC-1.1.2

                    Licensees must implement the customer due diligence measures outlined in Chapters 1, 2 and 3 when:

                    (a) [This Sub-paragraph was deleted in July 2018];
                    (b) Carrying out wire transfers (of the equivalent of US$1,000 or above) (particularly relevant for money changers);
                    (c) Establishing business relations with a new or existing customer;
                    (d) A change to the signatory or beneficiary of an existing account or business relationship is made;
                    (e) Customer documentation standards change substantially;
                    (f) The licensee has doubts about the veracity or adequacy of previously obtained customer due diligence information;
                    (g) A significant transaction takes place (see FC-2.2.3);
                    (h) There is a material change in the way that an account is operated or in the manner in which the business relationship is conducted; or
                    (i) There is a suspicion of money laundering or terrorist financing.
                    Amended: January 2021
                    Amended: July 2018
                    October 2010

                  • FC-1.1.2A

                    Licensees must understand, and as appropriate, obtain information on the purpose and intended nature of the business relationship.

                    Added: October 2017

                  • FC-1.1.2B

                    Licensees must conduct ongoing due diligence on the business relationship, including:

                    (a) Scrutinizing transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution's knowledge of the customer, their business and risk profile, including, where necessary, the source of funds; and
                    (b) Ensuring that documents, data or information collected under the CDD process is kept up-to-date and relevant, by undertaking reviews of existing records, particularly for higher risk categories of customers.
                    Added: October 2017

                  • FC-1.1.2C

                    Licensees must also review and update the customer’s risk profile based on their level of ML/TF/PF risk upon onboarding the customer and regularly throughout the life of the relationship. The risk management and mitigation measures implemented by a licensee must be commensurate with the risk profile of a particular customer or type of customer.

                    Added: January 2022

                  • FC-1.1.3

                    Representative office licensees are not allowed to undertake business directly with customers. However, they may be assigned by the Head Office to contact new or existing customers on their behalf, in this case they must pay regard to (c) – (f) and (h-i) customer due diligence measures listed under FC-1.1.2 above.

                    October 2010

                  • FC-1.1.4

                    For the purposes of this Module, "customer" includes counterparties such as financial markets counterparties, except where financial institutions are acting as principals where simplified due diligence measures may apply. These simplified measures are set out in Section FC 1.10. For the representative office licensees, 'customer' includes customers of the HO that the Representative office liaises with for general purposes. Examples might include general inquiries and inquiries regarding the accuracy of customer information.

                    October 2010

                  • FC-1.1.5

                    The CBB's specific minimum standards to be followed with respect to verifying customer identity and source of funds are contained in Section FC-1.2 and in the Guidance Notes (See Supplementary Information, FC-7 in Part B of the Rulebook). Enhanced requirements apply under certain high-risk situations: these requirements are contained in Sections FC-1.3 to FC-1.9 inclusive. Additional requirements apply where a licensee is relying on a professional intermediary to perform certain parts of the customer due diligence process: these are detailed in Section FC-1.7. Simplified customer due diligence measures may apply in defined circumstances: these are set out in Section FC-1.10.

                    October 2010

                  • FC-1.1.5A

                    [This Paragraph was deleted in October 2023].

                    Deleted: October 2023
                    Added: January 2021

                  • FC-1.1.5B

                    Money changers must not register persons identified as having high-risk profiles, including those whose CPR has expired, for the purposes of the use of online channels or applications, without conducting the enhanced due diligence requirements outlined in Section FC-1.3.

                    Added: January 2021

                • Verification of Third Parties

                  • FC-1.1.6

                    Licensees must obtain a signed statement, in hard copy or through digital means from all new customers confirming whether or not the customer is acting on his own behalf or not. This undertaking must be obtained prior to conducting any transactions with the customer concerned.

                    Amended: January 2022
                    October 2010

                  • FC-1.1.7

                    Where a customer is acting on behalf of a third party, the licensee must also obtain a signed statement from the third party, confirming they have given authority to the customer to act on their behalf. Where the third party is a legal person, the licensee must have sight of the original board resolution (or other applicable document) authorising the customer to act on the third party's behalf, and retain a certified copy. Representative office licensees must obtain a signed statement from all new customers confirming whether or not the customer is acting on their own behalf or not.

                    October 2010

                  • FC-1.1.8

                    Licensees must establish and verify the identity of the customer and (where applicable) the party/parties on whose behalf the customer is acting, including the Beneficial Owner of the funds. Verification must take place in accordance with the requirements specified in this Chapter.

                    October 2010

                  • FC-1.1.9

                    Where financial services are provided to a minor or other person lacking full legal capacity, the normal identification procedures as set out in this Chapter must be followed. In the case of minors, licensees must additionally verify the identity of the parent(s) or legal guardian(s). Where a third party on behalf of a person lacking full legal capacity wishes to open business relations, the licensee must establish the identity of that third party as well as the person conducting the business.

                    October 2010

                • Anonymous and Nominee Accounts

                  • FC-1.1.10

                    Licensees must not establish or keep anonymous accounts or accounts in fictitious names. Where licensees maintain a nominee account, which is controlled by or held for the benefit of another person, the identity of that person must be disclosed to the licensee and verified by it in accordance with the requirements specified in this Chapter.

                    October 2010

                • Timing of Verification

                  • FC-1.1.11

                    Licensees must not commence a business relationship or undertake a transaction with a customer before completion of the relevant customer due diligence measures specified in Chapters 1, 2 and 3. Licensees must also adopt risk management procedures with respect to the conditions under which a customer may utilise the business relationship prior to verification. However, verification may be completed after receipt of funds in the case of non-face-to-face business, or the subsequent submission of CDD documents by the customer after undertaking initial customer due diligence provided that no disbursement of funds takes place until after the requirements of this Chapter have been fully met.

                    Amended: January 2022
                    October 2010

                • Incomplete Customer Due Diligence

                  • FC-1.1.12

                    Where a licensee is unable to comply with the requirements specified in Chapters 1, 2 and 3, it must consider whether to terminate the relationship or not proceed with the transaction. If it proceeds with the transaction (to avoid tipping off the customer), it should additionally consider whether it should file a suspicious transaction report.

                    October 2010

                  • FC-1.1.13

                    See also Chapter FC-5, which covers the filing of suspicious transaction reports.

                    October 2010

                • Non-Resident Accounts

                  • FC-1.1.13A

                    Licensees that transact or deal with non-resident customers who are natural persons must have documented criteria for acceptance of business with such persons. For non-resident customers, licensees must ensure the following:

                    (a) Ensure there is a viable economic reason for the business relationship;
                    (b) Perform enhanced due diligence where required in accordance with Paragraph FC-1.1.14;
                    (c) Obtain and document the country of residence for tax purposes where relevant;
                    (d) Obtain evidence of banking relationships in the country of residence;
                    (e) Obtain the reasons for dealing with licensee in Bahrain;
                    (f) Obtain an indicative transaction volume and/or value of incoming funds; and
                    (g) Test that the persons are contactable without unreasonable delays.
                    Amended: October 2023
                    Added: January 2022

                  • FC-1.1.13B

                    Licensees that transact or deal with non-resident customers who are natural persons must have documented approved policies in place setting out the products and services which will be offered to non-resident customers. Such policy document must take into account a comprehensive risk assessment covering all risks associated with the products and services offered to non-residents. The licensee must also have detailed procedures to address the risks associated with the dealings with non-resident customers including procedures and processes relating to authentication, genuineness of transactions and their purpose.

                    Added: January 2022

                  • FC-1.1.13C

                    Licensees must not accept non-residents customers from high risk jurisdictions subject to a call for action by FATF.

                    Added: January 2022

                  • FC-1.1.13D

                    Licensees must take adequate precautions and risk mitigation measures before onboarding non-resident customers from high risk jurisdictions. The licensees must establish detailed assessments and criteria that take into consideration FATF mutual evaluations, FATF guidance, the country national risk assessments (NRAs) and other available guidance on onboarding and retaining non-resident customers from the following high risk jurisdictions:

                    (a) Jurisdictions under increased monitoring by FATF;
                    (b) Countries upon which United Nations sanctions have been imposed except those referred to in Paragraph FC-1.1.13B; and
                    (c) Countries that are the subject of any other sanctions.
                    Added: January 2022

                  • FC-1.1.13E

                    [This Paragraph has been deleted in October 2023].

                    Deleted: October 2023
                    Added: January 2022

                  • FC-1.1.13F

                    Licensees must establish systems and measures that are proportional to the risk relevant to each jurisdiction and this must be documented. Such a document must show the risks, mitigation measures for each jurisdiction and for each non-resident customer.

                    Added: January 2022

                  • FC-1.1.13G

                    Licensees must establish a comprehensive documented policy and procedures describing also the tools, methodology and systems that support the licensee’s processes for:

                    (a) The application of RBA;
                    (b) Customer due diligence;
                    (c) Ongoing transaction monitoring; and
                    (d) Reporting in relation to their transactions or dealings with non-resident customers.
                    Added: January 2022

                  • FC-1.1.13H

                    Licensees must ensure that only the official/government documents are accepted for the purpose of information in Subparagraphs FC-1.2.1 (a) to (f) in the case of non-resident customers.

                    Added: January 2022

                  • FC-1.1.13I

                    [This Paragraph has been deleted in October 2023].

                    Deleted: October 2023
                    Added: January 2022

                  • FC-1.1.14

                    Licensees must follow the below CDD and customer on-boarding requirements:

                      Enhanced Due Diligence Digital Onboarding
                    Bahrainis and GCC nationals (wherever they reside) and expatriates resident in Bahrain No Yes
                    Others Yes Yes
                    Added: October 2023

              • FC-1.2 FC-1.2 Face-to-face Business

                • Natural Persons

                  • FC-1.2.1

                    If the customer is a natural person, licensees must identify the person’s identity and obtain the following information before providing financial services as described in Paragraph FC-1.1.2:

                    (a) Full legal name and any other names used;
                    (b) Full permanent address (i.e. the residential address of the customer; a post office box is insufficient);
                    (c) Date of birth;
                    (d) Nationality;
                    (e) Passport number (if the customer is a passport holder);
                    (f) Current CPR or residence permit number (for residents of Bahrain or GCC states) or government issued national identification proof;
                    (g) Telephone/fax number and email address (where applicable);
                    (h) Occupation or public position held (where applicable);
                    (i) Employer's name and address (if self-employed, the nature of the self-employment);
                    (j) Type of account, and nature and volume of anticipated business dealings with the licensee;
                    (k) Signature of the customer(s);
                    (l) Source of funds;
                    (m) Reason for opening the account; and
                    (n) Place of birth.
                    Amended: January 2024
                    Amended: January 2022
                    Amended: January 2020
                    Added: October 2010

                  • FC-1.2.1A

                    Licensees obtaining the information and customer signature electronically using digital applications must comply with the applicable laws governing the onboarding/business relationship including but not limited to the Electronic Transactions Law (Law No. 54 of 2018) for the purposes of obtaining signatures as required in Subparagraph FC-1.2.1 (k) above.

                    Added: January 2022

                  • FC-1.2.2

                    See the Guidance Notes (filed under Supplementary Information in Part B of Volume 5) for further information on source of funds (FC-1.2.1 (1)) and CDD requirements for Bahrain residents (FC-1.2.1 (c) & (f)).

                    October 2010

                  • FC-1.2.3

                    Licensees must verify the information in Paragraph FC-1.2.1 (a) to (f), by the following methods below; at least one of the copies of the identification documents mentioned in (a) and (b) below must include a clear photograph of the customer:

                    (a) Confirmation of the date of birth and legal name, by use of the national E-KYC application and if this is not practical, obtaining a copy of a current valid official original identification document (e.g. birth certificate, passport, national identity card, CPR or Iqama);
                    (b) Confirmation of the permanent residential address by use of the national E-KYC application and if this is not practical, obtaining a copy of a recent utility bill, bank statement or similar statement from another licensee or financial institution, or some form of official correspondence or official documentation card, such as national identity card or CPR, from a public/governmental authority, or a tenancy agreement or record of home visit by an official of the licensee; and
                    (c) Where appropriate, direct contact with the customer by phone, letter or email to confirm relevant information, such as residential address information.
                    Amended: January 2022
                    Amended: January 2013
                    Amended: April 2012
                    October 2010

                  • FC-1.2.4

                    Any document copied or obtained for the purpose of identification verification in a face-to-face customer due diligence process must be an original. An authorised official of the licensee must certify the copy, by writing on it the words 'original sighted', together with the date and his signature. Equivalent measures must be taken for electronic copies.

                    Amended: January 2022
                    October 2010

                  • FC-1.2.5

                    Identity documents which are not obtained by an authorised official of the licensee in original form (e.g. due to a customer sending a copy by post following an initial meeting) must instead be certified (as per FC-1.2.4) by one of the following from a GCC or FATF member state:

                    (a) A lawyer;
                    (b) A notary;
                    (c) A chartered/certified accountant;
                    (d) An official of a government ministry;
                    (e) An official of an embassy or consulate; or
                    (f) An official of another licensed financial institution or of a licensed associate company of the licensee.
                    October 2010

                  • FC-1.2.6

                    The individual making the certification under FC-1.2.5 must give clear contact details (e.g. by attaching a business card or company stamp). The licensee must verify the identity of the person providing the certification through checking membership of a professional organisation (for lawyers or accountants), or through checking against databases/websites, or by direct phone or email contact.

                    October 2010

                • Legal Entities or Legal Arrangements (such as trusts)

                  • FC-1.2.7

                    If the customer is a legal entity or a legal arrangement such as a trust, the licensee must obtain and record the following information from original identification documents, databases or websites, in hard copy or electronic form, identify the customer and to take reasonable measures to verify its identity, legal existence and structure:

                    (a) The entity's full name and other trading names used;
                    (b) Registration number (or equivalent);
                    (c) Legal form and proof of existence;
                    (d) Registered address and trading address (where applicable);
                    (e) Type of business activity;
                    (f) Date and place of incorporation or establishment;
                    (g) Telephone, fax number and email address;
                    (h) Regulatory body or listing body (for regulated activities such as financial services and listed companies);
                    (hh) The names of the relevant persons having a senior management position in the legal entity or legal arrangement;
                    (i) Name of external auditor (where applicable);
                    (j) Type of account, and nature and volume of anticipated business dealings with the licensee; and
                    (k) Source of funds.
                    Amended: October 2017
                    October 2010

                  • FC-1.2.8

                    The information provided under Paragraph FC-1.2.7 must be verified by obtaining certified copies of the following documents, as applicable (depending on the legal form of the entity):

                    (a) Certificate of incorporation and/or certificate of commercial registration or trust deed;
                    (b) Memorandum of association;
                    (c) Articles of association;
                    (d) Partnership agreement;
                    (e) Board resolution seeking financial services (only necessary in the case of private or unlisted companies);
                    (f) Identification documentation of the authorised signatories of the account (certification not necessary for companies listed in a GCC/FATF state);
                    (g) Copy of the latest financial report and accounts, audited where possible (audited copies do not need to be certified); and
                    (h) List of persons authorised to do business on behalf of the company and in the case of the opening of an account, a board resolution (or other applicable document) authorising the named persons to operate the account (resolution only necessary for private or unlisted companies).
                    Amended: July 2016
                    October 2010

                  • FC-1.2.8A

                    For customers that are legal persons, Licensees must identify and take reasonable measures to verify the identity of beneficial owners through the following information:

                    (a) The identity of the natural person(s) who ultimately have a controlling ownership interest in a legal person, and
                    (b) To the extent that there is doubt under (a) as to whether the person(s) with the controlling ownership interest is the beneficial owner(s), or where no natural person exerts control of the legal person or arrangement through other means; and
                    (c) Where no natural person is identified under (a) or (b) above, the identity of the relevant natural person who holds the position of senior managing official.
                    Added: October 2017

                  • FC-1.2.9

                    Documents obtained to satisfy the requirements in Paragraph FC-1.2.8 above must be certified in the manner specified in Paragraphs FC-1.2.4 to FC-1.2.6.

                    October 2010

                  • FC-1.2.9A

                    For the purpose of Paragraph FC-1.2.8(a), the requirement to obtain a certified copy of the commercial registration, may be satisfied by obtaining a commercial registration abstract printed directly from the Ministry of Industry, Commerce and Tourism's website, through "SIJILAT Commercial Registration Portal".

                    Added: January 2017

                  • FC-1.2.10

                    The documentary requirements in Paragraph FC-1.2.8 above do not apply in the case of FATF/GCC listed companies: see Section FC-1.10 below. Also, the documents listed in Paragraph FC-1.2.8 above are not exhaustive: for customers from overseas jurisdictions, documents of an equivalent nature may be produced as satisfactory evidence of a customer's identity.

                    October 2010

                  • FC-1.2.11

                    Licensees must also obtain and document the following due diligence information. These due diligence requirements must be incorporated in the licensee's new business procedures:

                    (a) Enquire as to the structure of the legal entity or trust sufficient to determine and verify the identity of the ultimate beneficial owner of the funds, the ultimate provider of funds (if different), and the ultimate controller of the funds (if different);
                    (b) Ascertain whether the legal entity has been or is in the process of being wound up, dissolved, struck off or terminated;
                    (c) Obtain the names, country of residence and nationality of directors or partners (only necessary for private or unlisted companies);
                    (d) Require, through new customer documentation or other transparent means, updates on significant changes to corporate ownership and/or legal structure;
                    (e) Obtain and verify the identity of shareholders holding 20% or more of the issued capital (where applicable). The requirement to verify the identity of these shareholders does not apply in the case of FATF/GCC listed companies;
                    (f) In the case of trusts or similar arrangements (excluding employee benefit trusts and occupational savings schemes), establish the identity of the settlor(s), trustee(s), and beneficiaries (including making such reasonable enquiries as to ascertain the identity of any other potential beneficiary, in addition to the named beneficiaries of the trust); and
                    (g) Where a licensee has reasonable grounds for questioning the authenticity of the information supplied by a customer, conduct additional due diligence to confirm the above information.
                    Amended: April 2013
                    October 2010

                  • FC-1.2.11A

                    In the case of employee benefit trusts and occupational savings schemes, the licensee must establish the identity of the settlor and trustee as required in FC-1.2.11(f), but may rely upon the settlor to maintain the identity information of the beneficiaries, subject to written confirmation from the settlor that such information has been collected.

                    Added: April 2013

                  • FC-1.2.12

                    For the purposes of Paragraph FC-1.2.11, acceptable means of undertaking such due diligence might include taking bank references; visiting or contacting the company by telephone; undertaking a company search or other commercial enquiries; accessing public and private databases (such as stock exchange lists); making enquiries through a business information service or credit bureau; confirming a company's status with an appropriate legal or accounting firm; or undertaking other enquiries that are commercially reasonable.

                    October 2010

              • FC-1.3 FC-1.3 Enhanced Customer Due Diligence: General Requirements

                • FC-1.3.1

                  Enhanced customer due diligence must be performed on those customers identified as having a higher risk profile, and additional inquiries made or information obtained in respect of those customers.

                  October 2010

                • FC-1.3.2

                  Licensees should examine, as far as reasonably possible, the background and purpose of all complex, unusual large transactions, and all unusual patterns of transactions, which have no apparent economic or lawful purpose. Where the risks of money laundering or terrorist financing are higher, licensees should conduct enhanced CDD measures, consistent with the risks identified. In particular, they should increase the degree and nature of monitoring of the business relationship, in order to determine whether those transactions or activities appear unusual or suspicious. The additional inquiries or information referred to in Paragraph FC-1.3.1 include:

                  (a) Obtaining additional information on the customer (e.g. occupation, volume of assets, information available through public databases, internet, etc.) and updating more regularly the identification data of customer and beneficial owner;
                  (b) Obtaining additional information on the intended nature of the business relationship;
                  (c) Obtaining information on the source of funds or source of wealth of the customer;
                  (d) Obtaining information on the reasons for intended or performed transactions;
                  (e) Obtaining the approval of senior management to commence or continue the business relationship;
                  (f) Conducting enhanced monitoring of the business relationship, by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination;
                  (g) Taking specific measures to identify the source of the first payment in this account and applying RBA to ensure that there is a plausible explanation in any case where the first payment was not received from the same customer’s account;
                  (h) Obtaining evidence of a person's permanent address through the use of a credit reference agency search or through independent governmental database or by home visit;
                  (i) Obtaining a personal reference (e.g. by an existing customer of the licensee);
                  (j) Obtaining another licensed entity's reference and contact with the concerned licensee regarding the customer;
                  (k) Obtaining documentation outlining the customer's source of wealth;
                  (l) Obtaining additional documentation outlining the customer's source of income; and
                  (m) Obtaining additional independent verification of employment or public position held.
                  January 2022
                  October 2010

                • FC-1.3.3

                  In addition to the general rule contained in Paragraph FC-1.3.1 above, special care is required in the circumstances specified in Sections FC-1.4 to FC-1.9 inclusive.

                  October 2010

              • FC-1.4 FC-1.4 Enhanced Customer Due Diligence: Non face-to-face Business and New Technologies

                • FC-1.4.1

                  Licensees must establish specific procedures for verifying customer identity where no face-to-face contact takes place.

                  October 2010

                • FC-1.4.2

                  Where no face-to-face contact takes place, licensees must take additional measures (to those specified in Section FC-1.2), in order to mitigate the potentially higher risk associated with such business. In particular, licensees must take measures:

                  (a) To ensure that the customer is the person they claim to be; and
                  (b) To ensure that the address provided is genuinely the customer's.
                  October 2010

                • FC-1.4.3

                  There are a number of checks that can provide a licensee with a reasonable degree of assurance as to the authenticity of the applicant. They include:

                  (a) Telephone contact with the applicant on an independently verified home or business number;
                  (b) With the customer's consent, contacting an employer to confirm employment, via phone through a listed number or in writing;
                  (c) Salary details appearing on recent bank statements;
                  (d) Independent verification of employment (e.g.: through the use of a national E-KYC application, or public position held;
                  (e) Carrying out additional searches (e.g. internet searches using independent and open sources) to better inform the customer risk profile;
                  (f) Carrying out additional searches focused on financial crime risk indicator (i.e. negative news);
                  (g) Evaluating the information provided with regard to the destination of fund and the reasons for the transaction;
                  (h) Seeking and verifying additional information from the customer about the purpose and intended nature of the transaction or the business relationship; and
                  (i) Increasing the frequency and intensity of transaction monitoring.
                  Amended: January 2022
                  October 2010

                • FC-1.4.4

                  Financial services provided using digital channels or internet pose greater challenges for customer identification and AML/CFT purposes. Licensees must identify and assess the money laundering or terrorist financing risks relevant to any new technology or channel and establish procedures to prevent the misuse of technological developments in money laundering or terrorist financing schemes. The risk assessments must be consistent with the requirements in Section FC-C.2.

                  Amended: January 2022
                  October 2010

                • Enhanced Monitoring

                  • FC-1.4.5

                    Customers onboarded digitally must be subject to enhanced on-going account monitoring measures.

                    Added: January 2022

                  • FC-1.4.6

                    The CBB may require a licensee to share the details of the enhanced monitoring and the on-going monitoring process for non face-to-face customer relationships.

                    Added: January 2022

                • Licensee’s digital ID applications

                  • FC-1.4.7

                    Licensees may use its digital ID applications that use secure audio-visual real time (live video conferencing/live photo selfies) communication means to identify the natural person.

                    Added: January 2022

                  • FC-1.4.8

                    Licensees must maintain a document available upon request for the use of its digital ID applications that includes all the following information:

                    (a) A description of the nature of products and services for which the proprietary digital ID application is planned to be used with specific references to the rules in this Module for which it will be used;
                    (b) A description of the systems and IT infrastructure that are planned to be used;
                    (c) A description of the technology and applications that have the features for facial recognition or biometric recognition to authenticate independently and match the face and the customer identification information available with the licensee. The process and the features used in conjunction with video conferencing include, among others, face recognition, three-dimensional face matching techniques etc;
                    (d) “Liveness” checks created in the course of the identification process;
                    (e) A description of the governance arrangements related to this activity including the availability of specially trained personnel with sufficient level of seniority; and
                    (f) Record keeping arrangements for electronic records to be maintained and the relative audit.
                    Added: January 2022

                  • FC-1.4.9

                    Licensees that intend to use its digital ID application to identify the customer and verify identity information must meet the following additional requirements:

                    (a) The digital ID application must make use of secure audio visual real time (live video conferencing/live photo selfies) technology to (i) identify the customer, (ii) verify his/her identity, and also (iii) ensure the data and documents provided are authentic;
                    (b) The picture/sound quality must be adequate to facilitate unambiguous identification;
                    (c) The digital ID application must include or be combined with capability to read and decrypt the information stored in the identification document’s machine readable zone (MRZ) for authenticity checks from independent and reliable sources;
                    (d) Where the MRZ reader is with an outsourced provider, the licensee must ensure that such party is authorized to carry out such services and the information is current and up to date and readily available such that the licensee can check that the decrypted information matches the other information in the identification document;
                    (e) The digital ID application has the features for allowing facial recognition or biometric recognition that can authenticate and match the face and the customer identification documents independently;
                    (f) The digital ID solution has been tested by an independent expert covering the governance and control processes to ensure the integrity of the solution and underlying methodologies, technology and processes and risk mitigation. The report of the expert’s findings must be retained and available upon request;
                    (g) The digital ID application must enable an ongoing process of retrieving and updating the digital files, identity attributes, or data fields which are subject to documented access rights and authorities for updating and changes; and
                    (h) The digital ID application must have the geo-location features which must be used by the licensee to ensure that it is able to identify any suspicious locations and to make additional inquiries if the location from which a customer is completing the onboarding process does not match the location of the customer based on the information and documentation submitted.
                    Added: January 2022

                  • FC-1.4.10

                    A Licensee using its digital ID application must establish and implement an approved policy which lays down the governance, control mechanisms, systems and procedures for the CDD which include:

                    (a) A description of the nature of products and services for which customer due diligence may be conducted through video conferencing or equivalent electronic means;
                    (b) A description of the systems, controls and IT infrastructure planned to be used;
                    (c) Governance mechanism related to this activity;
                    (d) Specially trained personnel with sufficient level of seniority; and
                    (e) Record keeping arrangements for electronic records to be maintained and the relative audit trail.
                    Added: January 2022

                  • FC-1.4.11

                    Licensees must ensure that the information referred to in Paragraph FC-1.2.1 is collected in adherence to privacy laws and other applicable laws of the country of residence of the customer.

                    Added: January 2022

                  • FC-1.4.12

                    Licensees must ensure that the information referred to in Subparagraphs FC-1.2.1 (a) to (f) is obtained prior to commencing the digital verification such that:

                    (a) The licensee can perform its due diligence prior to the digital interaction/communication and can raise targeted questions at such interaction/communication session; and
                    (b) The licensee can verify the authenticity, validity and accuracy of such information through digital means (See Paragraph FC.1.4.14 below) or by use of the methods mentioned in Paragraph FC-1.2.3 and /or FC-1.4.3 as appropriate.
                    Added: January 2022

                  • FC-1.4.13

                    The licensee must also obtain the customer’s explicit consent to record the session and capture images as may be needed.

                    Added: January 2022

                  • FC-1.4.14

                    Licensees must verify the information in Paragraph FC-1.2.1 (a) to (f) by the following methods below:

                    (a) Confirmation of the date of birth and legal name by digital reading and authenticating current valid passport or other official original identification using machine readable zone (MRZ) or other technology which has been approved under paragraph FC-1.4.9, unless the information was verified using national E-KYC application;
                    (b) Performing real time video calls with the applicant to identify the person and match the person’s face and /other features through facial recognition or bio-metric means with the office documentation, (e.g. passport, CPR);
                    (c) Matching the official identification document, (e.g. passport, CPR) and related information provided with the document captured/displayed on the live video call; and
                    (d) Confirmation of the permanent residential address by, unless the information was verified using national E-KYC application capturing live, the recent utility bill, bank statement or similar statement from another licensee or financial institution, or some form of official correspondence or official documentation card, such as national identity card or CPR, from a public/governmental authority, or a tenancy agreement or record of home visit by an official of the licensee.
                    Added: January 2022

                  • FC-1.4.15

                    For the purposes of Paragraph FC-1.4.14, actions taken for obtaining and verifying customer identity could include:

                    (a) Collection: Present and collect identity attributes and evidence, either in person and/or online (e.g., by filling out an online form, sending a selfie photo, uploading photos of documents such as passport or driver’s license, etc.);
                    (b) Certification: Digital or physical inspection to ensure the document is authentic and its data or information is accurate (for example, checking physical security features, expiration dates, and verifying attributes via other services);
                    (c) De-duplication: Establish that the identity attributes and evidence relate to a unique person in the ID system (e.g., via duplicate record searches, biometric recognition and/or deduplication algorithms);
                    (d) Verification: Link the individual to the identity evidence provided (e.g., using biometric solutions like facial recognition and liveness detection); and
                    (e) Enrolment in identity account and binding: Create the identity account and issue and link one or more authenticators with the identity account (e.g., passwords, one-time code (OTC) generator on a smartphone, etc.). This process enables authentication.
                    Added: January 2022

                  • FC-1.4.16

                    Not all elements of a digital ID system are necessarily digital. Some elements of identity proofing and enrolment can be either digital or physical (documentary), or a combination, but binding and authentication must be digital.

                    Added: January 2022

                  • FC-1.4.17

                    Sufficient controls must be put in place to safeguard the data relating to customer information collected through the video conference and due regard must be paid to the requirements of the Personal Data Protection Law (PDPL). Additionally, controls must be put in place to minimize the increased impersonation fraud risk in such non face-to-face relationship where there is a chance that customer may not be who he claims he is.

                    Added: January 2022

                • Overseas branches

                  • FC-1.4.18

                    Where licensees intend to use a digital ID application in a foreign jurisdiction in which it operates, it must ensure that the digital ID application meets with the requirements under Paragraph FC-B.2.1.

                    Added: January 2022

              • FC-1.5 FC-1.5 Enhanced Customer Due Diligence: Politically Exposed Persons (“PEPs”)

                • FC-1.5.1

                  Licensees must have appropriate risk management systems to determine whether a customer is a Politically Exposed Person ('PEP'), both at the time of establishing business relations and thereafter on a periodic basis. Licensees must utilise publicly available databases and information to establish whether a customer is a PEP.

                  October 2010

                • FC-1.5.2

                  Licensees must establish a client acceptance policy with regard to PEPs, taking into account the reputational and other risks involved. Senior management approval must be obtained before a PEP is accepted as a customer. Licensees must not accept a non-Bahraini PEP as a customer based on customer due diligence undertaken using digital ID applications.

                  Amended: January 2022
                  October 2010

                • FC-1.5.3

                  Where an existing customer is a PEP, or subsequently becomes a PEP, enhanced monitoring and customer due diligence measures must include:

                  (a) Analysis of complex financial structures, including trusts, foundations or international business corporations;
                  (b) A written record in the customer file to establish that reasonable measures have been taken to establish both the source of wealth and the source of funds;
                  (c) Development of a profile of anticipated customer activity, to be used in on-going monitoring;
                  (d) Approval of senior management for allowing the customer relationship to continue; and
                  (e) Ongoing account monitoring of the PEP's account by senior management (such as the MLRO).
                  October 2010

                • FC-1.5.4

                  [This Paragraph was deleted in July 2016 as the definition is included under Part B in the Glossary.]

                  Deleted: July 2016
                  October 2010

              • FC-1.6 FC-1.6 Enhanced Due Diligence: Charities, Clubs and Other Societies

                • FC-1.6.1

                  Financial services must not be provided to charitable funds and religious, sporting, social, cooperative and professional societies, before an original certificate authenticated by the relevant Ministry confirming the identities of those purporting to act on their behalf (and authorising them to obtain the said service) has been obtained. Money changers are allowed to conduct business with charities without a certificate where payment is made by a cheque drawn on a bank licensed in Bahrain.

                  Amended: January 2021
                  October 2010

                • FC-1.6.2

                  Charities should be subject to enhanced transaction monitoring. Money changers should develop a profile of anticipated activity (in terms of payee countries and recipient organisations in particular).

                  Amended: January 2021
                  October 2010

                • FC-1.6.3

                  Money changers must provide a monthly report of all payments and transfers of BD3,000 (or equivalent in foreign currencies) and above performed on behalf of charities registered in Bahrain. The report must be submitted to the CBB's Compliance Directorate (see Section FC-5.3 for contact address), giving details of the amount transferred, name of charity, number and beneficiary name account and bank details. Licensees must ensure that such transfers are in accordance with the spending plans of the charity (in terms of amount, recipient and country).

                  Amended: January 2021
                  October 2010

                • FC-1.6.4

                  Article 20 of Decree Law No. 21 of 1989 (issuing the Law of Social and Cultural Societies and Clubs and Private Organizations Operating in the Area of Youth and Sport and Private Institutions) provides that money changer licensees and payment service providers must not accept or process any incoming or outgoing fund transfers in any form (wire transfer, drafts, etc.) from or to any foreign person or foreign association on behalf of societies and clubs licensed by the Ministry of Youth and Sport Affairs without prior written approval of the Ministry.

                  Amended: October 2019
                  October 2010

                • FC-1.6.5

                  The receipt of a Ministry letter mentioned in Paragraph FC-1.6.4 above does not exempt the concerned money changer from conducting normal CDD measures as outlined in other parts of this Module.

                  Amended: January 2021
                  October 2010

              • FC-1.7 FC-1.7 Introduced Business from Professional Intermediaries

                • FC-1.7.1

                  A licensee may only accept customers introduced to it by other financial institutions or intermediaries, if it has satisfied itself that the introducer concerned is subject to FATF-equivalent measures and customer due diligence measures. Where licensees delegate part of the customer due diligence measures to an introducer, the responsibility for meeting the requirements of Chapters 1 and 2 remains with the licensee, not the introducer.

                  Amended: January 2018
                  October 2010

                • FC-1.7.2

                  Licensees may only accept introduced business if all of the following conditions are satisfied:

                  (a) The customer due diligence measures applied by the introducer are consistent with those required by the FATF 40 + 9 Recommendations;
                  (b) A formal agreement is in place defining the respective roles of the licensee and the introducer in relation to customer due diligence measures. The agreement must specify that the customer due diligence measures of the introducer will comply with the FATF 40 + 9 Recommendations;
                  (c) The introducer is able to provide all relevant data pertaining to the customer's identity, the identity of the customer and beneficial owner of the funds and, where applicable, the party/parties on whose behalf the customer is acting; also, the introducer has confirmed that the licensee will be allowed to verify the customer due diligence measures undertaken by the introducer at any stage; and
                  (d) Written confirmation is provided by the introducer confirming that all customer due diligence measures required by the FATF 40 + 9 Recommendations have been followed and the customer's identity established and verified. In addition, the confirmation must state that any identification documents or other customer due diligence material can be accessed by the licensee and that these documents will be kept for at least five years after the business relationship has ended.
                  October 2010

                • FC-1.7.3

                  The licensee must perform periodic reviews ensuring that any introducer on which it relies is in compliance with the FATF 40 + 9 Recommendations. Where the introducer is resident in another jurisdiction, the licensee must also perform periodic reviews to verify whether the jurisdiction is in compliance with the FATF 40 + 9 Recommendations.

                  October 2010

                • FC-1.7.4

                  Should the licensee not be satisfied that the introducer is in compliance with the requirements of the FATF 40 + 9 Recommendations, the licensee must conduct its own customer due diligence on introduced business, or not accept further introductions, or discontinue the business relationship with the introducer.

                  October 2010

              • FC-1.8 FC-1.8 Shell Banks

                • FC-1.8.1

                  Licensees must not establish business relations with banks, which have no physical presence or "mind and management" in the jurisdiction in which they are licensed and which are unaffiliated with a regulated financial group ("shell banks"). Licensees must not knowingly establish relations with financial institutions that have relations with shell banks.

                  October 2010

                • FC-1.8.2

                  Licensees must make a suspicious transaction report to the Financial Intelligence Directorate and the Compliance Directorate if they are approached by a shell bank or an institution they suspect of being a shell bank.

                  Amended: October 2019
                  October 2010

              • FC-1.9 FC-1.9 Enhanced Due Diligence: Cross Border Cash Transactions by Courier

                • FC-1.9.1

                  The cross-border movement of cash funds warrants special attention under the FATF 40 Recommendations where transactions are large in value (Recommendation 6), in addition to the general requirement under Recommendation 19 to verify monitor, declare and keep records of all cross-border transfers of cash. Cash shipments are therefore subject to inspection and investigation procedures by the Customs Directorate of the Kingdom of Bahrain. There are also certain specific legal measures mentioned below which are relevant to cross-border cash shipments. Under Article 4 of Decree Law No. 4 of 2001, licensees of the CBB are required to comply with the CBB's Rules and Regulations concerning the prevention and prohibition of money laundering, which include regulations concerning the cross-border movement of cash. Also, licensees' attention is drawn to the disclosure provisions of Decree Law No 54 of 2006 and Ministerial Order No 6 of 2008 with respect to cross-border transportation of funds (see Part B of the Rulebook for Decree Law No 54). Licensees are also reminded of the rules of the unified customs arrangements of the Gulf Cooperation Council as laid out in Decree Law No 10 of 2002. With respect to the above Law No. 4 of 2001 and the concerned parts of other legislation mentioned above, all money changers must implement the enhanced measures below in respect of all cash received from foreign countries or sold/transferred to foreign countries.

                  Amended: January 2021
                  October 2010

                • FC-1.9.2

                  Cash coming into Bahrain via courier (whether a representative of a Bahrain money changer or a foreign institution) must be accompanied by original documentation stating the source of funds and identity of the originator of the funds. Furthermore, the documentation must state the full name and address of the beneficiary of the funds. This documentation must be signed in original by (a representative) of the originator of the cash. This means that where a courier is importing cash via any customs point of entry (e.g. via the Causeway or the Airport), the aforementioned courier must carry original documentation which clearly shows the source of funds and identity of the originator of the funds and the intended beneficiaries' names and address.

                  Amended: January 2021
                  Amended: July 2018
                  October 2010

                • FC-1.9.3

                  In the case of incoming cash, the courier must carry original documentation signed by the originator stating whether the cash shipment is for local use or for onward transmission.

                  October 2010

                • FC-1.9.4

                  If the imported cash is for onward transmission, the original documentation must provide the full name and address of the final beneficiaries, as well as the local recipient (e.g. the money changer).

                  Amended: January 2021
                  October 2010

                • FC-1.9.5

                  Failure to provide complete and detailed original signed documentation by the originator of the funds referred to in Paragraph FC-1.9.2 may cause the cash shipment to be blocked, whereupon the blocking costs will be borne by the concerned money changer in Bahrain. Licensees are also reminded of the penalties and enforcement measures in Law No. 4 of 2001, Decree Law No. 54 of 2006, Ministerial Order No. 7 of 2001 issued by the Minister of Finance and National Economy, the rules of the unified customs arrangements of the Gulf Cooperation Council as laid out in Decree Law No. 10 of 2002 and the CBB Law No. 64 of 2006.

                  Amended: January 2021
                  October 2010

              • FC-1.10 FC-1.10 Simplified Customer Due Diligence

                • FC-1.10.1

                  Licensees may apply simplified customer due diligence measures, as described in Paragraphs FC-1.10.2 to FC-1.10.7, if:

                  (a) [This Subparagraph was deleted in July 2018];
                  (b) The transaction is a wire transfer below the equivalent of US$1000;
                  (c) The customer is a company listed on a GCC or FATF member state stock exchange with equivalent disclosure standards to those of a licensed exchange;
                  (d) The customer is a financial institution whose entire operations are subject to AML/CFT requirements consistent with the FATF Recommendations / Special Recommendations and it is supervised by a financial services supervisor in a FATF or GCC member state for compliance with those requirements;
                  (e) The customer is a financial institution which is a subsidiary of a financial institution located in a FATF or GCC member state, and the AML/CFT requirements applied to its parent also apply to the subsidiary;
                  (f) The customer is the Central Bank of Bahrain ('CBB'), a licensed exchange or a licensee of the CBB; or
                  (g) The customer is a Ministry of a Gulf Cooperation Council ('GCC') or Financial Action Task Force ('FATF') member state government, a company in which a GCC government is a majority shareholder, or a company established by decree in the GCC.
                  Amended: January 2019
                  Amended: July 2018
                  Amended: January 2018
                  Amended: April 2013
                  October 2010

                • FC-1.10.2

                  For customers falling under categories (c) to (g) specified in Paragraph FC-1.10.1, the information required under Paragraph FC-1.2.1 (for natural persons) or FC-1.2.7 (for legal entities) must be obtained. However, the verification, certification and due diligence requirements in Paragraphs FC-1.2.3, FC-1.2.5, FC-1.2.8, FC-1.2.9 and FC-1.2.11, may be dispensed with.

                  October 2010

                • FC-1.10.3

                  [This Paragraph was deleted in July 2018].

                  Deleted: July 2018
                  October 2010

                • FC-1.10.4

                  Licensees wishing to apply simplified due diligence measures as allowed for under categories (c) to (g) of Paragraph FC-1.10.1 must retain documentary evidence supporting their categorisation of the customer.

                  October 2010

                • FC-1.10.5

                  Examples of such documentary evidence may include a printout from a regulator's website, confirming the licensed status of an institution, and internal papers attesting to a review of the AML/CFT measures applied in a jurisdiction.

                  October 2010

                • FC-1.10.6

                  Licensees may use authenticated SWIFT messages as a basis for confirmation of the identity of a financial institution under Subparagraphs FC-1.10.1 (d) and (e) where it is dealing as principal. For customers coming under Subparagraphs FC-1.10.1 (d) and (e), licensees must also obtain and retain a written statement from the parent institution of the subsidiary concerned, confirming that the subsidiary is subject to the same AML/CFT measures as its parent.

                  October 2010

                • FC-1.10.7

                  Simplified customer due diligence measures must not be applied where a licensee knows, suspects, or has reason to suspect, that the applicant is engaged in money laundering or terrorism financing or that the transaction is carried out on behalf of another person engaged in money laundering or terrorism financing.

                  October 2010

                • FC-1.10.7A

                  Simplified customer due diligence measures must not be applied in situations where the licensee has identified high ML/TF/PF risks.

                  Added: January 2022

                • FC-1.10.8

                  [This Paragraph was deleted in July 2018].

                  Deleted: July 2018
                  October 2010

              • FC-1.11 Reliance on Third Parties for Customer Due Diligence

                • FC-1.11.1

                  Licensees are permitted to rely on third parties to perform elements of CDD measures and recordkeeping requirements stipulated in Chapter FC-1 related to customer and beneficial owner identity, verification of their identity and information on the purpose and intended nature of the business relationship with the licensee, subject to complying with the below:

                  (a) Licensees remain ultimately responsible for CDD measures;
                  (b) Licensees immediately obtain the relevant CDD information from the third party upon onboarding clients;
                  (c) There is an agreement with the third party for the arrangement with clear contractual terms on the obligations of the third party;
                  (d) The third party without delay makes available the relevant documentation relating to the CDD requirements upon request;
                  (e) Licensees ensure that the third party is a financial institution that is regulated and supervised for, and has measures in place for compliance with, CDD and recordkeeping requirements in line with FATF Recommendations 10 and 11; and
                  (f) For third parties based abroad, licensees must consider the information available on the level of country risk.
                  Added: October 2023

                • FC-1.11.2

                  Where a licensee relies on a third-party that is part of the same financial group, the licensee can consider that:

                  (a) The requirements under Subparagraphs FC-1.11.1 (d) and (e) are complied with through its group programme, provided the group satisfies the following conditions:
                  (i) The group applies CDD and record keeping requirements consistent with FATF Recommendations 10, 11 and 12 and has in place internal controls in accordance with FATF Recommendation 18; and
                  (ii) The implementation of CDD, record keeping and AML/CFT measures are supervised at a group level by a financial services regulatory authority for compliance with AML/CFT requirements consistent with standards set by the FATF.
                  (b) The requirement under Subparagraph FC-1.11.1 (f) is complied with if the country risk is adequately mitigated by the group’s AML/CFT policies.
                  Added: October 2023

                • FC-1.11.3

                  This Section does not apply to outsourcing or agency arrangements in which the outsourced entity applies the CDD measures on behalf of the delegating licensee, in accordance with its procedures.

                  Added: October 2023

            • FC-2 FC-2 AML / CFT Systems and Controls

              • FC-2.1 FC-2.1 General Requirements

                • FC-2.1.1

                  Licensees must take reasonable care to establish and maintain appropriate systems and controls for compliance with the requirements of this Module and to limit their vulnerability to financial crime. These systems and controls must be documented, and approved and reviewed annually by the Board of the licensee. The documentation, and the Board's review and approval, must be made available upon request to the CBB.

                  October 2010

                • FC-2.1.2

                  The above systems and controls, and associated documented policies and procedures, should cover standards for customer acceptance, on-going monitoring of high-risk accounts, staff training and adequate screening procedures to ensure high standards when hiring employees.

                  October 2010

                • FC-2.1.3

                  Licensees must incorporate Key Performance Indicators (KPIs) to ensure compliance with AML/CFT requirements by all staff. The performance against the KPIs must be adequately reflected in their annual performance evaluation and in their remuneration (See also Paragraph HC-5.4.2 for Financing Companies and Microfinance Institutions, HC-5.2.4 for Ancillary Service Providers and HC-4.2.1 for Money Changers).

                  Amended: January 2021
                  Added: April 2020

                • FC-2.1.4

                  In implementing the policies, procedures and monitoring tools for ensuring compliance with Paragraph FC-2.1.3, licensees should consider the following:

                  (a) The business policies and practices should be designed to reduce incentives for staff to expose the licensee to AML/CFT compliance risk;
                  (b) The performance measures of departments/divisions/units and personnel should include measures to address AML/CFT compliance obligations;
                  (c) AML/CFT compliance breaches and deficiencies should be attributed to the relevant departments/divisions/units and personnel within the organisation as appropriate;
                  (d) Remuneration and bonuses should be adjusted for AML/CFT compliance breaches and deficiencies; and
                  (e) Both quantitative measures and human judgement should play a role in determining any adjustments to the remuneration and bonuses resulting from the above.
                  Added: April 2020

                • FC-2.1.5

                  Licensees that use remitting agents must include them in their AML/CFT programmes and monitor them for compliance with these programmes.”

                  Added: January 2022

              • FC-2.2 FC-2.2 Ongoing Customer Due Diligence and Transaction Monitoring

                • Risk Based Monitoring

                  • FC-2.2.1

                    Licensees must develop risk-based monitoring systems appropriate to the complexity of their business, their number of customers and types of transactions. These systems must be configured to identify significant or abnormal transactions or patterns of activity. Such systems must include limits on the number, types or size of transactions undertaken outside expected norms; and must include limits for cash and non-cash transactions.

                    October 2010

                  • FC-2.2.2

                    Licensees' risk-based monitoring systems should therefore be configured to help identify:

                    (a) Transactions which do not appear to have a clear purpose or which make no obvious economic sense;
                    (b) Significant or large transactions not consistent with the normal or expected behavior of a customer; and
                    (c) Unusual patterns of activity (relative to other customers of the same profile or of similar types of transactions, for instance because of differences in terms of volumes, transaction type, or flows to or from certain countries), or activity outside the expected or regular pattern of a customer's account activity.
                    October 2010

                • Automated Transaction Monitoring

                  • FC-2.2.3

                    Licensees must consider the need to include automated transaction monitoring as part of their risk-based monitoring systems to spot abnormal or unusual flows of funds. In the absence of automated transaction monitoring systems, all transactions above BD 6,000 must be viewed as "significant" and be captured in a daily transactions report for monitoring by the MLRO or a relevant delegated official, and records retained by the licensee for five years after the date of the transaction.

                    October 2010

                  • FC-2.2.3A

                    In the case of trust service providers (or any other licensee that does not handle customer funds) such licensees should monitor bank statements and other records to ensure that they are aware of "significant" transactions on a timely basis.

                    Added: April 2013

                  • FC-2.2.4

                    The CBB would expect larger licensees to include automated transaction monitoring as part of their risk-based monitoring systems. See also Chapters FC-4 and FC-7, regarding the responsibilities of the MLRO and record-keeping requirements.

                    October 2010

                • Unusual Transactions or Customer Behaviour

                  • FC-2.2.5

                    Where a licensee's risk-based monitoring systems identify significant or abnormal transactions (as defined in Paragraphs FC-2.2.2 and FC-2.2.3), it must verify the source of funds for those transactions, particularly where the transactions are above the transactions threshold of BD 6,000. Furthermore, licensees must examine the background and purpose to those transactions and document their findings. In the case of one-off transactions where there is no ongoing account relationship, the licensee must file an STR if it is unable to verify the source of funds to its satisfaction (see Chapter FC-5).

                    Amended: January 2022
                    October 2010

                  • FC-2.2.6

                    The investigations required under Paragraph FC-2.2.5 must be carried out by the MLRO (or relevant delegated official). The documents relating to these findings must be maintained for five years from the date when the transaction was completed (see also Subparagraph FC-7.1.1 (b)).

                    October 2010

                  • FC-2.2.7

                    Licensees must consider instances where there is a significant, unexpected or unexplained change in customer activity.

                    October 2010

                  • FC-2.2.8

                    When an existing customer closes one account and opens another, the licensee must review its customer identity information and update its records accordingly. Where the information available falls short of the requirements contained in Chapter FC-1, the missing or out of date information must be obtained and re-verified with the customer.

                    October 2010

                  • FC-2.2.9

                    Once identification procedures have been satisfactorily completed and, as long as records concerning the customer are maintained in line with Chapters FC-1 and FC-7, no further evidence of identity is needed when transactions are subsequently undertaken within the expected level and type of activity for that customer, provided reasonably regular contact has been maintained between the parties and no doubts have arisen as to the customer's identity.

                    October 2010

                • On-going Monitoring

                  • FC-2.2.10

                    Licensees must take reasonable steps to:

                    (a) Scrutinize transactions undertaken throughout the course of that relationship to ensure that transactions being conducted are consistent with the licensee's knowledge of the customer, their business risk and risk profile; and
                    (b) Ensure that they receive and maintain up-to-date and relevant copies of the identification documents specified in Chapter FC-1, by undertaking reviews of existing records, particularly for higher risk categories of customers. Licensees must require all customers to provide up-to-date identification documents in their standard terms and conditions of business.
                    Amended: October 2017
                    October 2010

                  • FC-2.2.11

                    Licensees must review and update their customer due diligence information at least every three years, particularly for higher risk categories of customers. If, upon performing such a review, copies of identification documents are more than 12 months out of date, the licensee must take steps to obtain updated copies as soon as possible.

                    Amended: October 2017
                    October 2010

            • FC-3 FC-3 Money Transfers and Alternative Remittances

              • FC-3.1 FC-3.1 Electronic Transfers

                • Outward Transfers

                  • FC-3.1.1

                    Licensees must include all required originator information details with the accompanying electronic transfers of funds they make on behalf of their customers. Non-routine transfers must not be batched, if batching increases the risks of money laundering or terrorist financing. This obligation does not apply where the transfer is made by a licensee acting as principal or acting on behalf of another licensee as principal such as in the case of payment of spot FX transactions.

                    October 2010

                  • FC-3.1.2

                    For the purposes of this Chapter, "Originator Information" means:

                    (a) The name of the payer;
                    (b) The address of the payer; and
                    (c) The unique customer or transaction or account number of the payer.
                    Amended: April 2012
                    October 2010

                  • FC-3.1.3

                    It is not necessary for the recipient institution to pass the originator information on to the payee. The obligation is discharged simply by notifying the recipient institution of the originator information at the time the transfer is made.

                    October 2010

                • Inward Transfers

                  • FC-3.1.4

                    Licensees must:

                    (a) Maintain records (in accordance with Chapter FC-7 of this Module) of all originator information received with an inward transfer (see Section FC-1.10 for simplified arrangements for transfers below US$1,000); and
                    (b) Carefully scrutinise inward transfers which do not contain originator information (i.e. full name, address and account number or a unique customer identification number – see Paragraph FC-1.9.1 for simplified arrangements). Licensees must presume that such transfers are "suspicious transactions" and pass them to the MLRO for review for determination as to possible filing of an STR, unless (a), the sending institution is able to promptly (i.e. within two business days) advise the licensee in writing of the originator information upon the licensee's request; or (b), the sending institution and the licensee are acting on their own behalf (as principals); or (c), the inward transfer is below US$1,000 or equivalent in other currencies.
                    Amended: April 2012
                    October 2010

                • Rejecting Payment Transactions

                  • FC-3.1.5

                    Licensees have the right to reject (i.e. reverse) any payment transaction/ money transfer where it has come to their knowledge that the relevant customer did not actually initiate the transaction instruction/ money transfer instruction. Licensees must file a Suspicious Transactions Report for such cases.

                    Added: January 2021

                • Originating Financial Institution

                  • FC-3.1.6

                    Licensees acting as originating financial institution must ensure that wire transfers contain required and accurate originator information, and the required beneficiary information.

                    Added: January 2022

                  • FC-3.1.7

                    Licensees acting as originating financial institution must maintain all originator and beneficiary information collected in accordance with Paragraph FC-7.1.1.

                    Added: January 2022

                  • FC-3.1.8

                    Licensees acting as originating financial institution must not execute the wire transfer if it does not comply with the requirements of Paragraphs FC-3.1.6 and FC-3.1.7.

                    Added: January 2022

                • Intermediary Financial Institution/Bank

                  • FC-3.1.9

                    For cross-border wire transfers, licensees processing an intermediary element of such chains of wire transfers must ensure that all originator and beneficiary information that accompanies a wire transfer is retained with it.

                    Added: January 2022

                  • FC-3.1.10

                    Where technical limitations prevent the required originator or beneficiary information accompanying a cross-border wire transfer from remaining with a related domestic wire transfer, a record must be kept, for at least five years, by the receiving intermediary licensees of all the information received from the originating financial institution or another intermediary financial institution/bank.

                    Added: January 2022

                  • FC-3.1.11

                    Licensees acting as an intermediary financial institution must take reasonable measures to identify cross border wire transfers that lack required originator information or required beneficiary information. Such measures must be consistent with straight through processing.

                    Added: January 2022

                  • FC-3.1.12

                    Licensees acting as an intermediary financial institution must have effective risk-based policies and procedures for determining:

                    (a) When to execute, reject, or suspend a wire transfer lacking required originator or required beneficiary information; and
                    (b) The appropriate follow-up action.
                    Added: January 2022

                • Beneficiary Financial Institution

                  • FC-3.1.13

                    A licensee acting as beneficiary financial institution must take reasonable measures to identify cross-border wire transfers that lack required originator or required beneficiary information. Such measures may include post-event monitoring or realtime monitoring where feasible.

                    Added: January 2022

                  • FC-3.1.14

                    For wire transfers, a licensee acting as a beneficiary financial institution must verify the identity of the beneficiary, if the identity has not been previously verified, and maintain this information in accordance with Paragraph FC-7.1.1.

                    Added: January 2022

                  • FC-3.1.15

                    A licensee acting as a beneficiary financial institution must have effective risk-based policies and procedures for determining:

                    (a) When to execute, reject, or suspend a wire transfer lacking required originator or required beneficiary information; and
                    (b) The appropriate follow-up action.
                    Added: January 2022

              • FC-3.2 FC-3.2 Remittances on Behalf of other Money Transferors

                • FC-3.2.1

                  Whenever a licensee uses the services of Authorised Money Transferors to effect the transfer of funds for a customer to a person or organisation in another country, that licensee must, in respect of the amount so transferred, maintain records of:

                  (a) The identity of its customer(s) in accordance with Chapters FC-1 and FC-7 of this Module; and
                  (b) The exact amount transferred for each such customer (particularly where a single transfer is effected for more than one customer).
                  Amended: April 2012
                  October 2010

                • FC-3.2.2

                  Licensees must be able to produce this information for inspection immediately upon request by the CBB.

                  October 2010

                • FC-3.2.3

                  Licensees must not transfer funds for customers to a person or organisation in another country by any means other than through an Authorised Money Transferor. Where a licensee is found to be in contravention of this rule, the CBB will not hesitate to impose sanctions upon that licensee (and in serious cases may revoke the license).

                  October 2010

            • FC-4 FC-4 Money Laundering Reporting Officer (MLRO)

              • FC-4.1 FC-4.1 Appointment of MLRO

                • FC-4.1.1

                  Licensees must appoint a Money Laundering reporting officer ("MLRO"). The MLRO must be approved by the CBB prior to his appointment. The position of MLRO is a controlled function and the MLRO is an approved person.

                  October 2010

                • FC-4.1.2

                  For details of CBB's requirements regarding controlled functions and approved persons, see Section AU-1.2. Amongst other things, approved persons require CBB approval before being appointed, which is granted only if they are assessed as 'fit and proper' for the function in question. A completed Form 3 must accompany any request for CBB approval.

                  October 2010

                • FC-4.1.3

                  The position of MLRO must not be combined with functions that create potential conflicts of interest, such as an internal auditor or business line head. The position of MLRO may not be outsourced.

                  October 2010

                • FC-4.1.4

                  Subject to Paragraph FC-4.1.2, however, the position of MLRO may otherwise be combined with other functions in the licensee, such as that of Compliance Officer, in cases where the volume and geographical spread of the business is limited and, therefore, the demands of the function are not likely to require a full time resource.

                  October 2010

                • FC-4.1.4A

                  For purposes of Paragraphs FC-4.1.3 and FC-4.1.4 above, licensees must clearly state in the Application for Approved Person Status — Form 3 — when combining the MLRO or DMLRO position with any other position within the licensee.

                  Added: October 2017

                • FC-4.1.5

                  Licensees must appoint a deputy MLRO to act for the MLRO in his absence. The deputy MLRO must be resident in Bahrain unless otherwise agreed with the CBB.

                  October 2010

                • FC-4.1.6

                  Licensees should note that although the MLRO may delegate some of his functions, either within the licensee or even possibly (in the case of larger groups) to individuals performing similar functions for other group entities, the responsibility for compliance with the requirements of this Module remains with the licensee and the designated MLRO. The deputy MLRO should be able to support the MLRO discharge his responsibilities and to deputise for him in his absence.

                  October 2010

                • FC-4.1.7

                  So that he can carry out his functions effectively, licensees must ensure that their MLRO:

                  (a) Is a member of senior management of the licensee;
                  (b) Has a sufficient level of seniority within the licensee, has the authority to act without interference from business line management and has direct access to the board and senior management (where necessary);
                  (c) Has sufficient resources, including sufficient time and (if necessary) support staff, and has designated a replacement to carry out the function should the MLRO be unable to perform his duties;
                  (d) Has unrestricted access to all transactional information relating to any financial services provided by the licensee to a customer, or any transactions conducted by the licensee on behalf of that customer;
                  (e) Is provided with timely information needed to identify, analyse and effectively monitor customer accounts;
                  (f) Has access to all customer due diligence information obtained by the licensee; and
                  (g) Is resident in Bahrain.
                  Amended: April 2012
                  October 2010

                • FC-4.1.8

                  In addition, licensees must ensure that their MLRO is able to:

                  (a) Monitor the day-to-day operation of its policies and procedures relevant to this Module; and
                  (b) Respond promptly to any reasonable request for information made by the Financial Intelligence Directorate or the CBB.
                  Amended: October 2019
                  October 2010

                • FC-4.1.9

                  If the position of MLRO falls vacant, the licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the licensee must make immediate interim arrangements (including the appointment of an acting MLRO) to ensure continuity in the MLRO function's performance. These interim arrangements must be approved by the CBB.

                  October 2010

              • FC-4.2 FC-4.2 Responsibilities of the MLRO

                • FC-4.2.1

                  The MLRO is responsible for:

                  (a) Establishing and maintaining the licensee's AML/CFT policies and procedures;
                  (b) Ensuring that the licensee complies with the AML Law and any other applicable AML/CFT legislation and this Module;
                  (c) Ensuring day-to-day compliance with the licensee's own internal AML/CFT policies and procedures;
                  (d) Acting as the licensee's main point of contact in respect of handling internal suspicious transactions reports from the licensee's staff (refer to Section FC-5.1) and as the main contact for the Financial Intelligence Directorate, the CBB and other concerned bodies regarding AML/CFT;
                  (e) Making external suspicious transactions reports to the Financial Intelligence Directorate and the Compliance Directorate (refer to Section FC-5.2);
                  (f) Taking reasonable steps to establish and maintain adequate arrangements for staff awareness and training on AML/CFT matters (whether internal or external), as per Chapter FC-6;
                  (g) Producing annual reports on the effectiveness of the licensee's AML / CFT controls, for consideration by senior management, as per Paragraph FC-4.3.3;
                  (h) On-going monitoring of what may, in his opinion, constitute high-risk customer accounts; and
                  (i) Maintaining all necessary CDD, transactions, STR and staff training records for the required periods (refer to Section FC-7.1).
                  Amended: October 2019
                  October 2010

              • FC-4.3 FC-4.3 Compliance Monitoring

                • Annual Compliance Review

                  • FC-4.3.1

                    A licensee must review the effectiveness of its AML/CFT procedures, systems and controls at least once each calendar year. The review must cover the licensee and its branches and subsidiaries both inside and outside the Kingdom of Bahrain. A licensee must monitor the implementation of those controls and enhance them if necessary. The scope of the review must include:

                    (a) A report, containing the number of internal reports made in accordance with Section FC-5.1, a breakdown of all the results of those internal reports and their outcomes for each segment of the licensee's business, and an analysis of whether controls or training need to be enhanced;
                    (b) A report, indicating the number of external reports made in accordance with Section FC-5.2 and, where a licensee has made an internal report but not made an external report, noting why no external report was made;
                    (c) A sample test of compliance with this Module's customer due diligence requirements; and
                    (d) A report as to the quality of the licensee's anti-money laundering procedures, systems and controls, and compliance with the AML Law and this Module.
                    Amended: January 2022
                    October 2010

                  • FC-4.3.2

                    The reports listed under Subparagraphs FC-4.3.1 (a) and (b) must be made by the MLRO. The sample testing and report required under Subparagraphs FC-4.3.1 (c) and (d) must be made by the licensee's external auditor or a consultancy firm approved by the CBB.

                    Amended: January 2022
                    Amended: April 2012
                    October 2010

                  • FC-4.3.2A

                    In order for a consultancy firm to be approved by the CBB for the purposes of Paragraph FC-4.3.2, such firm should provide the CBB's Compliance Directorate with:

                    (a) A sample AML/CFT report prepared for a financial institution;
                    (b) A list of other AML/CFT related work undertaken by the firm;
                    (c) A list of other audit/review assignments undertaken, specifying the nature of the work done, date and name of the licensee; and
                    (d) An outline of any assignment conducted for or in cooperation with an international audit firm.
                    Added: April 2012

                  • FC-4.3.2B

                    The firm should indicate which personnel (by name) will work on the report (including, where appropriate, which individual will be the team leader) and demonstrate that all such persons have appropriate qualifications in one of the following areas:

                    (a) Audit;
                    (b) Accounting;
                    (c) Law; or
                    (d) Banking/Finance.
                    Added: April 2012

                  • FC-4.3.2C

                    At least two persons working on the report (one of whom would normally expected to be the team leader) should have:

                    (a) A minimum of 5 years professional experience dealing with AML/CFT issues; and
                    (b) Formal AML/CFT training.
                    Added: April 2012

                  • FC-4.3.2D

                    Submission of a curriculum vitae for all personnel to be engaged on the report is encouraged for the purposes of evidencing the above requirements.

                    Added: April 2012

                  • FC-4.3.2E

                    Upon receipt of the above required information, the CBB Compliance Directorate will assess the firm and communicate to it whether it meets the criteria required to be approved by the CBB for this purpose. The CBB may also request any other information it considers necessary in order to conduct the assessment.

                    Added: April 2012

                  • FC-4.3.3

                    The reports listed under Paragraph FC-4.3.1 must be submitted to the licensee's Board, for it to review and commission any required remedial measures, and copied to the licensee's senior management.

                    October 2010

                  • FC-4.3.4

                    The purpose of the annual compliance review is to assist a licensee's Board and senior management to assess, amongst other things, whether internal and external reports are being made (as required under Chapter FC-5), and whether the overall number of such reports (which may otherwise appear satisfactory) does not conceal inadequate reporting in a particular segment of the licensee's business (or, where relevant, in particular branches or subsidiaries). Licensees should use their judgement as to how the reports listed under Subparagraphs FC-4.3.1 (a) and (b) should be broken down in order to achieve this aim (e.g. by branches, departments, product lines, etc).

                    October 2010

                  • FC-4.3.5

                    Licensees must instruct their appointed firm to produce the report referred to in Subparagraphs FC-4.3.1 (c) and (d). The report must be submitted to the CBB by the 30th of June of the following year. The findings of this review must be received and acted upon by the licensee.

                    Amended: January 2022
                    Amended: January 2020
                    Amended: April 2012
                    Added: October 2010

                  • FC-4.3.6

                    [This Paragraph has been deleted in January 2022].

                    Deleted: January 2022
                    Amended: April 2012
                    October 2010

                  • FC-4.3.7

                    [This Paragraph has been deleted in January 2022].

                    Deleted: January 2022
                    Amended: January 2020
                    Added: October 2010

            • FC-5 FC-5 Suspicious Transaction Reporting

              • FC-5.1 FC-5.1 Internal Reporting

                • FC-5.1.1

                  Licensees must implement procedures to ensure that staff who handle customer business (or are managerially responsible for such staff) make a report promptly to the MLRO if they know or suspect that a customer (or a person on whose behalf a customer may be acting) is engaged in money laundering or terrorism financing, or if the transaction or the customer's conduct otherwise appears unusual or suspicious. These procedures must include arrangements for disciplining any member of staff who fails, without reasonable excuse, to make such a report.

                  October 2010

                • FC-5.1.2

                  Where licensees' internal processes provide for staff to consult with their line managers before sending a report to the MLRO, such processes must not be used to prevent reports reaching the MLRO, where staff have stated that they have knowledge or suspicion that a transaction may involve money laundering or terrorist financing.

                  October 2010

              • FC-5.2 FC-5.2 External Reporting

                • FC-5.2.1

                  Licensees must take reasonable steps to ensure that all reports made under Section FC-5.1 are considered by the MLRO (or his duly authorised delegate). Having considered the report and any other relevant information the MLRO (or his duly authorised delegate), if he still suspects that a person has been engaged in money laundering or terrorism financing, or the activity concerned is otherwise still regarded as suspicious, must report the fact promptly to the relevant authorities. Where no report is made, the MLRO must document the reasons why.

                  October 2010

                • FC-5.2.2

                  To take reasonable steps, as required under Paragraph FC-5.2.1, licensees must:

                  (a) Require the MLRO to consider reports made under Section FC-5.1.1 in the light of all relevant information accessible to or reasonably obtainable by the MLRO;
                  (b) Permit the MLRO to have access to any information, including know your customer information, in the licensee's possession which could be relevant; and
                  (c) Ensure that where the MLRO, or his duly authorised delegate, suspects that a person has been engaged in money laundering or terrorist financing, a report is made by the MLRO which is not subject to the consent or approval of any other person.
                  October 2010

                • FC-5.2.3

                  Reports to the relevant authorities made under Paragraph FC-5.2.1 must be sent to the Financial Intelligence Directorate at the Ministry of Interior, and CBB's Compliance Directorate using the Suspicious Transaction Reporting Online System (Online STR system). STRs in paper format will not be accepted.

                  Amended: October 2019
                  Amended: July 2016
                  Amended: October 2014
                  October 2010

                • FC-5.2.4

                  Licensees must report all suspicious transactions or attempted transactions. This reporting requirement applies regardless of whether the transaction involves tax matters.

                  October 2010

                • FC-5.2.5

                  Licensees must retain all relevant details of STRs submitted to the relevant authorities, for at least five years.

                  Amended: October 2014
                  October 2010

                • FC-5.2.6

                  In accordance with the AML Law, licensees, their directors, officers and employees:

                  (a) Must not warn or inform ("tipping off") their customers, the beneficial owner or other subjects of the STR when information relating to them is being reported to the relevant authorities; and
                  (b) In cases where licensees form a suspicion that transactions relate to money laundering or terrorist financing, they must take into account the risk of tipping-off when performing the CDD process. If the licensee reasonably believes that performing the CDD process will tip-off the customer or potential customer, it may choose not to pursue that process, and must file an STR.
                  Amended: January 2018
                  October 2010

              • FC-5.3 FC-5.3 Contacting the Relevant Authorities

                • FC-5.3.1

                  Reports made by the MLRO or his duly authorised delegate under Section FC-5.2 must be sent electronically using the Suspicious Transaction Reporting Online System (Online STR system).

                  Amended: October 2014
                  October 2010

                • FC-5.3.2

                  The relevant authorities are:
                  Financial Intelligence Directorate (FID)
                  Ministry of Interior
                  P.O. Box 26698
                  Manama, Kingdom of Bahrain
                  Telephone: + 973 17 749397
                  Fax: + 973 17 715502
                  E-mail: bahrainfid@moipolice.bh

                  Director of Compliance Directorate
                  Central Bank of Bahrain
                  P.O. Box 27
                  Manama, Kingdom of Bahrain
                  Telephone: 17 547107
                  Fax: 17 535673
                  E-mail: Compliance@cbb.gov.bh

                  Amended: October 2019
                  Added: October 2014

            • FC-6 FC-6 Staff Training and Recruitment

              • FC-6.1 FC-6.1 General Requirements

                • FC-6.1.1

                  A licensee must take reasonable steps to provide periodic training and information to ensure that staff who handle customer transactions, or are managerially responsible for such transactions, are made aware of:

                  (a) Their responsibilities under the AML Law, this Module, and any other relevant AML/CFT laws and regulations;
                  (b) The identity and responsibilities of the MLRO and his deputy;
                  (c) The potential consequences, both individual and corporate, of any breach of the AML Law, this Module and any other relevant AML/CFT laws or regulations;
                  (d) The licensee's current AML/CFT policies and procedures;
                  (e) Money laundering and terrorist financing typologies and trends;
                  (f) The type of customer activity or transaction that may justify an internal report in accordance with Section FC-5.1;
                  (g) The licensee's procedures for making internal report in accordance with Section FC-5.1; and
                  (h) Customer due diligence measures with respect to establishing business relations with customers.
                  October 2010

                • FC-6.1.2

                  The information referred to in Paragraph FC-6.1.1 must be brought to the attention of relevant new employees of licensees, and must remain available for reference by staff during their period of employment.

                  October 2010

                • FC-6.1.3

                  Relevant new employees must be given AML/CFT training within three months of joining a licensee.

                  October 2010

                • FC-6.1.4

                  Licensees must ensure that their AML/CFT training for relevant staff remains up-to-date, and is appropriate given the licensee's activities and customer base.

                  October 2010

                • FC-6.1.5

                  The CBB would normally expect AML/CFT training to be provided to relevant staff at least once a year.

                  October 2010

                • FC-6.1.6

                  Licensees must develop adequate screening procedures to ensure high standards when hiring employees. These procedures must include controls to prevent criminals or their associates from being employed by licensees.

                  October 2010

                • FC-6.1.6A

                  [This Paragraph was deleted in January 2022].

                  Deleted: January 2022
                  Added: January 2021

            • FC-7 FC-7 Record Keeping

              • FC-7.1 FC-7.1 General Requirements

                • CDD and Transaction Records

                  • FC-7.1.1

                    Licensees must comply with the record keeping requirements contained in the AML Law and in the CBB Law. Licensees must therefore retain adequate records (including accounting and identification records), for the following minimum periods:

                    (a) For customers, in relation to evidence of identity and business relationship records (such as application forms and business correspondence), for at least five years after the customer relationship has ceased; and
                    (b) For transactions, in relation to documents enabling a reconstitution of the transaction concerned, for at least five years after the transaction was completed.
                    October 2010

                • Compliance Records

                  • FC-7.1.2

                    Licensees must retain copies of the reports produced for their annual compliance review, as specified in Paragraph FC-4.3.1, for at least five years. Licensees must also maintain for 5 years reports made to, or by, the MLRO made in accordance with Sections FC-5.1 and 5.2, and records showing how these reports were dealt with and what action, if any, was taken as a consequence of those reports.

                    October 2010

                • Training Records

                  • FC-7.1.3

                    Licensees must maintain for at least five years, records showing the dates when AML/CFT training was given, the nature of the training, and the names of the staff that received the training.

                    October 2010

                • Access

                  • FC-7.1.4

                    All records required to be kept under this Section must be made available available (in hard copy or electronic form, where the concerned law(s) allow electronic records to be kept) for prompt and swift access by the relevant authorities or other authorised persons.

                    Amended: October 2014
                    Amended: April 2013
                    October 2010

            • FC-8 FC-8 AML & CFT Measures

              • FC-8.1 FC-8.1 Special Measures for Non-Cooperative Countries or Territories ('NCCTs')

                • FC-8.1.1

                  Licensees must give special attention to any dealings they may have with entities or persons domiciled in countries or territories which are:

                  (a) Identified by the FATF as being "non-cooperative"; or
                  (b) Notified to licensees from time to time by the CBB.
                  October 2010

                • FC-8.1.2

                  Whenever transactions with such parties have no apparent economic or visible lawful purpose, their background and purpose must be reexamined and the findings documented. If suspicions remain about the transaction, these must be reported to the relevant authorities in accordance with Section FC-5.2.

                  October 2010

                • FC-8.1.3

                  Licensees must apply enhanced due diligence measures to business relationships and transactions with natural and legal persons, and financial institutions, from countries where such measures are called for by the FATF. The type of enhanced due diligence measures applied must be effective and proportionate to the risks.

                  Added: January 2018

                • FC-8.1.4

                  With regard to the jurisdictions identified as NCCTs or those which in the opinion of the CBB, do not have adequate AML/CFT systems, the CBB reserves the right to:

                  (a) Refuse the establishment of subsidiaries or branches or representative offices of financial institutions from such jurisdictions;
                  (b) Limit business relationships or financial transactions with such jurisdictions or persons in those jurisdictions;
                  (c) Prohibit financial institutions from relying on third parties located in such jurisdictions to conduct elements of the CDD process;
                  (d) Require financial institutions to review and amend, or if necessary terminate, correspondent relationships with financial institutions in such jurisdictions;
                  (e) Require increased supervisory examination and/or external audit requirements for branches and subsidiaries of financial institutions based in such jurisdictions; or
                  (f) Require increased external audit requirements for financial groups with respect to any of their branches and subsidiaries located in such jurisdictions.
                  Added: January 2018

              • FC-8.2 FC-8.2 Terrorist Financing

                • FC-8.2.1AA

                  Licensees must implement and comply with United Nations Security Council resolutions relating to the prevention and suppression of terrorism and terrorist financing. Licensees must freeze, without delay, the funds or other assets of, and to ensure that no funds or other assets are made available, directly or indirectly, to or for the benefit of, any person or entity either (i) designated by, or under the authority of, the United Nations Security Council under Chapter VII of the Charter of the United Nations, including in accordance with resolution 1267(1999) and its successor resolutions as well as Resolution 2178(2014) or (ii) designated as pursuant to Resolution 1373(2001).

                  Amended: October 2019
                  Added: April 2017

                • FC-8.2.1

                  Licensees must comply in full with the provisions of the UN Security Council Anti-terrorism Resolution No. 1373 of 2001 ('UNSCR 1373').

                  October 2010

                • FC-8.2.2

                  [This Paragraph was deleted in January 2018].

                  Deleted: January 2018
                  October 2010

                • FC-8.2.3

                  A copy of UNSCR 1373 is included in Part B of Volume 5 (Specialised Licensees), under 'Supplementary Information' on the CBB Website.

                  October 2010

                • FC-8.2.4

                  Licensees must report to the CBB details of:

                  (a) Funds or other financial assets or economic resources held with them which may be the subject of Article 1, paragraphs c) and d) of UNSCR 1373;
                  (b) All claims, whether actual or contingent, which the licensee has on persons and entities which may be the subject of Article 1, paragraphs c) and d) of UNSCR 1373; and
                  (c) All assets frozen or actions taken in compliance with the prohibition requirements of the relevant UNSCRs, including attempted transactions.
                  Amended: January 2023
                  October 2010

                • FC-8.2.5

                  For the purposes of Paragraph FC-8.2.4, 'funds or other financial resources' includes (but is not limited to) shares in any undertaking owned or controlled by the persons and entities referred to in Article 1, paragraph c) and d) of UNSCR 1373, and any associated dividends received by the licensee.

                  October 2010

                • FC-8.2.6

                  All reports or notifications under this Section must be made to the CBB's Compliance Directorate.

                  October 2010

                • FC-8.2.7

                  See Section FC-5.3 for the Compliance Directorate's contact details.

                  October 2010

              • FC-8.3 FC-8.3 Designated Persons and Entities

                • FC-8.3.1

                  Without prejudice to the general duty of all licensees to exercise the utmost care when dealing with persons or entities who might come under Article 1, paragraphs (c) and (d) of UNSCR 1373, licensees must not deal with any persons or entities designated by the CBB as potentially linked to terrorist activity.

                  October 2010

                • FC-8.3.2

                  The CBB from time to time issues to licensees lists of designated persons and entities believed linked to terrorism. Licensees are required to verify that they have no dealings with these designated persons and entities, and report back their findings to the CBB. Names designated by the CBB include persons and entities designated by the United Nations, under UN Security Council Resolution 1267 ("UNSCR 1267").

                  October 2010

                • FC-8.3.3

                  Licensees must report to the relevant authorities, using the procedures contained in Section FC-5.2, details of any accounts or other dealings with designated persons and entities, and comply with any subsequent directions issued by the relevant authorities.

                  October 2010

            • FC-9 FC-9 Enforcement Measures

              • FC-9.1 FC-9.1 Regulatory Penalties

                • FC-9.1.1

                  Without prejudice to any other penalty imposed by the CBB Law, the AML Law No. 4 or the Penal Code of the Kingdom of Bahrain, failure by a licensee to comply with this Module or any direction given hereunder shall result in the levying by the CBB, without need of a court order and at the CBB's discretion, of a fine of up to BD 20,000.

                  October 2010

                • FC-9.1.2

                  Module EN provides further information on the assessment of financial penalties and the criteria taken into account prior to imposing such fines (reference to Paragraph EN-5.1.4). Other enforcement measures may also be applied by the CBB in response to a failure by a licensee to comply with this Module; these other measures are also set out in Module EN.

                  October 2010

                • FC-9.1.3

                  The CBB will endeavor to assist licensees to interpret and apply the requirements of this Module. Licensees may seek clarification on any issue by contacting the Compliance Directorate (see Section FC-5.3 for contact details).

                  October 2010

                • FC-9.1.4

                  Without prejudice to the CBB's general powers under the law, the CBB may amend, clarify or issue further directions on any provision of this Module from time to time, by notice to its licensees.

                  October 2010

            • FC-10 FC-10 AML / CFT Guidance and Best Practice

              • FC-10.1 FC-10.1 Guidance Provided by International Bodies

                • FATF: 40 Recommendations and 9 Special Recommendations

                  • FC-10.1.1

                    The Forty Recommendations (see www.fatf-gafi.org) and Nine Special Recommendations (together with their associated interpretative notes and best practices papers) issued by the Financial Action Task Force (FATF), provide the basic framework for combating money laundering activities and the financing of terrorism. FATF Recommendations 4-6, 8-11, 13-15, 17 and 21-23 as well as Special Recommendations IV, V, VII and the AML/CFT Methodology are specifically relevant to the financial institutions.

                    October 2010

                  • FC-10.1.2

                    The relevant authorities in Bahrain believe that the principles established by these Recommendations and Special Recommendations should be followed by licensees in all material respects, as representing best practice and prudence in this area.

                    October 2010

                • Other Website References Relevant to AML/CFT

                  • FC-10.1.3

                    The following lists a selection of other websites relevant to AML/CFT:

                    (a) The Middle East North Africa Financial Action Task Force: www.menafatf.org;
                    (b) The Egmont Group: www.egmontgroup.org;
                    (c) The United Nations: www.un.org/terrorism;
                    (d) The UN Counter-Terrorism Committee: www.un.org/Docs/sc/committees/1373/;
                    (e) The UN list of designated individuals: www.un.org/Docs/sc/committees/1267/1267ListEng.htm ;
                    (f) The Wolfsberg Group: www.wolfsberg-principles.com; and
                    (g) The Association of Certified Anti-Money Laundering Specialists: www.acams.org.
                    October 2010

            • FC-11 FC-11 Fraud

              • FC-11.1 FC-11.1 General Requirements

                • FC-11.1.1

                  The requirements of this Chapter apply to all Specialised Licensees.

                  October 2010

                • FC-11.1.2

                  Licensees must ensure that they allocate appropriate resources and have in place systems and controls to deter, detect, and record instances of fraud or attempted fraud.

                  October 2010

                • FC-11.1.3

                  Fraud may arise from internal sources originating from changes or weaknesses to processes, products and internal systems and controls. Fraud can also arise from external sources, for instance through false invoicing or advance fee frauds.

                  October 2010

                • FC-11.1.4

                  Any actual or attempted fraud incident (however small) must be reported to the appropriate authorities (including the CBB) and followed up. Monitoring systems must be designed to measure fraud patterns that might reveal a series of related fraud incidents.

                  October 2010

                • FC-11.1.5

                  Licensees must ensure that a person, of sufficient seniority, is given overall responsibility for the prevention, detection and remedying of fraud within the organisation.

                  October 2010

                • FC-11.1.6

                  Licensees must ensure the effective segregation of functions and responsibilities, between different individuals and departments, such that the possibility of financial crime is reduced and that no single individual is able to initiate, process and control a transaction.

                  October 2010

                • FC-11.1.7

                  Licensees must provide regular training to their management and staff, to make them aware of potential fraud risks.

                  October 2010

        • Enforcement & Redress

          • EN EN Enforcement

            • EN-A EN-A Introduction

              • EN-A.1 EN-A.1 Purpose

                • Executive Summary

                  • EN-A.1.1

                    This Module sets out the Central Bank of Bahrain's ('CBB') approach to enforcement, and the measures used by the CBB to address failures by authorised persons to comply with its regulatory requirements (whether they be specialised licensees or approved persons). The purpose of such measures is to encourage a high standard of compliance by all those authorised by the CBB, thus reducing risk to customers and the financial system.

                    Amended: January 2011
                    October 2010

                • Legal Basis

                  • EN-A.1.2

                    This Module contains the CBB's Directive (as amended from time to time) relating to enforcement and penalties and administrative provisions under Articles 125 to 132 of Central Bank of Bahrain and Financial institutions Law 2006 and its amendments ('CBB Law') is issued under the powers available to the CBB under Article 38 of the CBB Law. The Directive in this Module is applicable to all specialised licensees (including their approved persons).

                    Amended: April 2016
                    Amended: January 2011
                    October 2010

                  • EN-A.1.3

                    For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                    October 2010

                  • EN-A.1.4

                    Specialised licensees who are also members of the Bahrain Stock Exchange ('BSE') are reminded that the BSE is also empowered to exercise its own enforcement powers by virtue of the Bahrain Stock Exchange Decree – Law No. 4 of 1987 (the 'BSE Law'). Article 14 of the BSE Law lays down a number of penalties which the disciplinary Board of the BSE may impose on persons who violate the BSE Law and/or the regulations made thereunder. In appropriate circumstances, the CBB may ask the BSE to consider the exercise of its powers under Article 14 in support of the enforcement objectives of the CBB.

                    October 2010

              • EN-A.2 EN-A.2 Module History

                • Evolution of Module

                  • EN-A.2.1

                    This Module was first issued in October 2010. Any material changes that are subsequently made to this Module are annotated with the calendar quarter date in which the change is made; Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    October 2010

                  • EN-A.2.2

                    A list of recent changes made to this Module is provided below:

                    Module Ref. Change Date Description of Changes
                    EN-A.1.2 01/2011 Clarified legal basis.
                    EN-2 04/2012 Chapter has been streamlined and repetitive information has been eliminated and reference is now made to Section BR-3.5 for money changers and administrators or Module GR for representative offices.
                    EN-B.4.5 10/2012 Guidance changed to Rule.
                    EN-4.1.1 10/2012 Corrected typo.
                    EN-5.1.1 10/2012 Amended guidance.
                    EN-5.3A 10/2012 New Section added on financial penalties for date sensitive requirements.
                    EN-8.2.4 10/2012 Inserted missing word.
                    EN-9.3.1A 01/2013 Paragraph added to refer to Article 161 of the CBB Law.
                    EN-5.2.7 01/2016 Paragraph deleted and replaced as it is a repetition of EN-5.2.6.
                    EN-A.1.2 04/2016 Reference added to amendments to the CBB Law.
                    EN-B.1.4 04/2016 New guidance Paragraph added to broaden the scope of the application of financial penalties to persons referred to in paragraph (b) of Article (68 bis 1) of the CBB Law.
                    EN-5 04/2016 Amended to be in line with amendments to Article 129 of the CBB Law.
                    EN-B.4.5 07/2016 Corrected typo.
                    EN-5.3A.3 04/2017 Adjustment to Financial Penalties for Date Sensitive Requirements.
                    EN-5.3A.1 and 5.3A.2 07/2017 Added the requirement of HC as part of date sensitive requirements for financing companies.
                    EN-4.3.3 04/2019 Moved guideline to Section EN-B.2.
                    EN-6 04/2019 Deleted Chapter.
                    EN-B.4.5 10/2019 Amended Paragraph adding reference to Module BR
                    EN-5.2.2 10/2019 Amended Paragraph adding reference to Module BR.
                    EN-5.3B 04/2021 Added a new Section on ‘Financial Penalties for Non-compliance with Blocking/Unblocking Requirements’.

                • Superseded Requirements

                  • EN-A.2.4

                    This Module replaces CBB Circular No. ODG/249/2004 (the "Enforcement Circular"), issued on 22 July 2004.

                    October 2010

            • EN-B EN-B Scope of Application

              • EN-B.1 EN-B.1 Scope

                • EN-B.1.1

                  The contents of this Module mostly consist of Guidance material, explaining the different measures that the CBB can employ to ensure compliance with Volume 5 (Specialised Licensees). Certain Rules, applicable to specialised licensees, are however contained in Paragraphs EN-B.3.1, EN-B.4.5, EN-2.2.4, EN-2.2.10, EN-5.2.2 and EN-8.2.4 and Sections EN-2.4 and EN-2.5.

                  October 2010

                • EN-B.1.2

                  Chapters EN-1 to EN-9 of this Module are generally relevant to specialised licensees. In the case of overseas specialised licensees, the CBB's enforcement powers apply only to the branch operating in the Kingdom of Bahrain.

                  October 2010

                • EN-B.1.3

                  In addition, Chapters EN-8 and EN-9 of this Module are relevant to approved persons.

                  October 2010

                • EN-B.1.4

                  Section EN-5 dealing with financial penalties is applicable to specialised licensees as well as to persons referred to in paragraph (b) of Article (68 bis 1) of the CBB Law.

                  April 2016

              • EN-B.2 EN-B.2 The CBB's Approach

                • EN-B.2.1

                  The CBB favours an open, pragmatic and collaborative relationship with authorised persons, within the boundaries set by the CBB Law and Rulebook. Whilst the CBB wishes to avoid a legalistic and confrontational style of supervision, it believes that effective supervision requires effective and timely enforcement of its requirements. Should authorised persons fail to cooperate, then the CBB will use the means described in this Module to achieve compliance.

                  October 2010

                • EN-B.2.2

                  In the CBB's view, it is generally neither practical nor effective to prescribe in detail the exact regulatory response for each and every potential contravention. There are a large number of potential contraventions. Moreover, individual circumstances are unlikely to be identical in all cases, and may warrant different responses.

                  October 2010

                • EN-B.2.3

                  In deciding any given supervisory response, the CBB will nonetheless consistently assess the individual circumstance of each contravention against the principles described in this Module. The CBB's overall approach is to take into account:

                  (a) The seriousness of the contravention concerned (including the risks posed to customers and other market participants);
                  (b) The compliance track record of the authorised person concerned (including the extent to which the contravention reflects systemic weaknesses or reckless behaviour); and
                  (c) Which measures are most likely to achieve the desired result of remedying the contravention.
                  October 2010

                • EN-B.2.4

                  Such an approach reduces the risk of inappropriate enforcement actions, by allowing regulatory measures to be tailored to individual circumstances. By taking into account an authorised person's compliance record and attitude, it also creates positive incentives and encourages an open and collaborative approach. By assessing individual cases against the same broad principles, the CBB also aims to achieve an overall consistency in its regulatory actions.

                  October 2010

                • EN-B.2.5

                  Underlying the CBB's approach outlined in Paragraph EN-B.2.3 is the fundamental principle of proportionality. The enforcement measures contained in this Module are of varying severity, and will be used accordingly in keeping with the CBB's assessment of the contravention. Thus, the CBB will reserve its most serious enforcement measures – such as cancellation of license or withdrawal of "fit and proper" status – for the most serious contraventions.

                  October 2010

                • EN-B.2.6

                  In keeping with the proportionality principle, and to the extent consistent with the CBB's enforcement approach in Paragraph EN-B.2.3, the CBB will usually opt for the least severe of appropriate enforcement measures. In most cases, the CBB expects to use a Formal Warning before resorting to more severe measures; the need for further measures will then usually be dependent on the response of the authorised person concerned.

                  October 2010

                • EN-B.2.7

                  Where a significant element of judgement is required to assess compliance with a requirement, the CBB will usually discuss the matter with the authorised person concerned, before using one of this Module's enforcement mechanisms. This is likely to be the case, for example, with respect to requirements for adequate systems and controls. Conversely, where there are clear-cut contraventions of CBB requirements, then the CBB will usually move immediately to one or more of the enforcement mechanisms outlined in this Module. This is more likely to occur in cases where quantitative requirements – such as those relating to capital and/or large exposures – are concerned. In most such cases, though, the CBB also expects to continue an active dialogue with the authorised person concerned, aimed at remedying the contravention.

                  October 2010

                • EN-B.2.8

                  Except in the limited circumstances outlined below, the CBB will usually only apply an enforcement measure after the authorised person concerned has been given a suitable opportunity to make representations. In the case of measures described in Chapters EN-6 and EN-7, certain procedures are set out in the CBB Law.

                  October 2010

                • EN-B.2.9

                  In extreme circumstances, where the CBB believes that immediate action is required to prevent real damage to Bahrain's financial markets, its users or to customers of the licensee concerned, it may amend or cancel a license, place a licensee under administration, or suspend a license (cf. Articles 48(g), 130(b) and 131 of the CBB Law).

                  Added: April 2019

              • EN-B.3 EN-B.3 Prohibition on Insurance

                • EN-B.3.1

                  To help the CBB achieve the purpose of this Module, specialised licensees may not enter into or make a claim under a contract of insurance that is intended to, or has the effect of, indemnifying them from the financial penalties provided for in this Module.

                  October 2010

              • EN-B.4 EN-B.4 Publicity

                • EN-B.4.1

                  The CBB will not as a matter of general policy publicise individual cases when it uses the measures described in Chapters EN-2 to EN-5, and EN-8. However, in such cases the CBB may inform (where relevant) an authorised person's external auditor and – in the case of licensees with overseas operations – relevant overseas regulators.

                  October 2010

                • EN-B.4.2

                  In exceptional circumstances, as allowed by Article 132 of the CBB Law, the CBB may decide to publicise individual cases when the measures set out in Chapters EN-2 to EN-5 and EN-8 are used, where there is a strong case that doing so would help achieve the CBB's supervisory objectives. In such instances, the CBB will usually allow the licensee or person concerned the opportunity to make representations to the CBB before a public statement is issued.

                  October 2010

                • EN-B.4.3

                  Without prejudice to the above policy, the CBB may from time to time publish aggregate information on its use of enforcement measures, without identifying the licensees or persons concerned, unless their identities have previously been disclosed as provided for in Paragraphs EN-B.4.1 or EN-B.4.2.

                  October 2010

                • EN-B.4.4

                  By their nature, the penalties in Chapters EN-6, EN-7 and EN-9 are public acts, once applied. The CBB will in these instances generally issue a public statement explaining the circumstances of the case.

                  October 2010

                • EN-B.4.5

                  If a financial penalty is imposed on a specialised licensee under the provision of Chapter EN-5, and it is subject to the requirements of Module PD (Public Disclosure) or Module BR (CBB Reporting Requirements), then the specialised licensee must disclose in the manner prescribed by Module PD or BR the amount of any financial penalties imposed by the CBB, together with a factual description of the reasons given by the CCB for the penalty.

                  Amended: October 2019
                  Amended: July 2016
                  Amended: October 2012
                  October 2010

                • EN-B.4.6

                  Specialised licensees subject to a CBB enforcement measure (with the exception of formal requests for information) must inform their external auditor of the fact.

                  October 2010

            • EN-1 EN-1 Formal Requests for Information

              • EN-1.1 EN-1.1 Legal Source

                • EN-1.1.1

                  As part of its on-going supervision, under Articles 111 and 123 of the CBB Law, the CBB may specifically request information or temporary reporting from a licensee or individual. Recipients of such requests are bound to respond to such requests under the terms of their license.

                  October 2010

              • EN-1.2 EN-1.2 Procedure

                • EN-1.2.1

                  To clearly identify formal information requests, these will always be made in writing, under signature of a Director or more senior official of the CBB. They will include the statement, "This is a formal request for information as defined in Chapter 1 of Module EN of Volume 5 of the CBB Rulebook"; and will state the deadline by which the information is to be communicated to the CBB.

                  October 2010

                • EN-1.2.2

                  Failure to respond to such formal requests within the deadline set will be viewed as a significant breach of regulatory requirements and may result in a formal warning or other enforcement measure, specified under Articles 163 and 170 of the CBB Law, as decided by the CBB depending on the circumstances of the case.

                  October 2010

                • EN-1.2.3

                  The deadline set in the request will vary depending on individual circumstances. A recipient may submit a case for an extension to the deadline; it should do so as soon as possible if it believes that an extension will be required, and in any event prior to the passing of the original deadline. Unless otherwise directed by the CBB, the original deadline remains valid pending consideration by the CBB of a request for an extension. The CBB will respond before the original deadline has passed; if it fails to do so, then the requested extension will apply. Whilst waiting for a reply, the recipient must assume that the original deadline will apply.

                  October 2010

                • EN-1.2.4

                  The above procedures do not prevent individual CBB supervisors from making oral requests for information as part of their day-to-day interaction with authorised persons. The CBB expects authorised persons to maintain their cooperative response to such requests; however, in the interests of clarity, the CBB will not view failures to respond to oral requests as a breach of regulatory requirements.

                  October 2010

            • EN-2 EN-2 Investigations

              • EN-2.1 EN-2.1 Legal Source

                • EN-2.1.1

                  Articles 121 to 123 of the CBB Law empowers the CBB to order investigations of licensees, in order to help it assess a licensee's compliance with the provisions of the CBB Law. Such investigations may be carried out either by its own officials or appointed experts. Articles 111 and 124 require licensees to make available to the CBB's inspectors and appointed experts their books and other records, and to provide all relevant information within the time limits deemed reasonable by the inspectors and/or appointed experts.

                  Amended: April 2012
                  October 2010

                • EN-2.1.2

                  Articles 163 and 170 of the CBB Law provide for criminal sanctions where false or misleading statements are made to the CBB, or an investigation by the CBB is otherwise obstructed (see Section EN-9.3).

                  October 2010

              • EN-2.2 EN-2.2 CBB Policy

                • EN-2.2.1

                  The CBB uses its own inspectors to undertake on-site examinations of licensees as an integral part of its regular supervisory efforts. In addition, the CBB may commission special investigations of licensees in order to help it assess their compliance with CBB requirements, as contained in Article 121 of the CBB Law. Such investigations may be carried out either by the CBB's own officials, by duly qualified experts appointed for the purpose by the CBB ('appointed experts'), or a combination of the two.

                  Amended: April 2012
                  October 2010

                • EN-2.2.2

                  Failure by licensees to cooperate fully with the CBB's inspectors, or its appointed experts or to respond to their examination reports within the time limits specified, will be treated as demonstrating a material lack of cooperation with the CBB which will result in other enforcement measures being considered, as described elsewhere in this Module. This guidance is supported by Article 114(a) of the CBB Law.

                  Amended: April 2012
                  October 2010

                • EN-2.2.3

                  The CBB may appoint an individual or a firm as an appointed expert. Examples of appointed experts are lawyers and expert witnesses. The appointment of appointed experts is not necessarily indicative of a contravention of CBB requirements or suspicion of such a contravention. For instance, an appointed expert may be commissioned to provide an expert opinion on a technical matter.

                  Amended: April 2012
                  October 2010

                • EN-2.2.4

                  Appointed experts report in a form and within a scope defined by the CBB, and are solely responsible to the CBB for the work they undertake in relation to the investigation concerned. The report produced by the appointed experts is the property of the CBB (but is usually shared by the CBB with the firm concerned). The cost of the appointed experts' work must be borne by the licensee concerned.

                  Amended: April 2012
                  October 2010

                • EN-2.2.5

                  In selecting an appointed expert, the CBB will take into account the level of fees proposed and aim to limit these to the lowest level consistent with an adequate review of the matters at hand, given the qualifications, track record and independence of the persons concerned. Because the costs of such investigations are met by the licensee, the CBB makes only selective use of appointed experts, when essential to supplement CBB's other supervisory tools and resources.

                  Amended: April 2012
                  October 2010

                • EN-2.2.6

                  [This Paragraph was moved to Section BR-3.5 for money changers and administrators and the module GR for representative offices in April 2012.]

                • EN-2.2.7

                  [This Paragraph was deleted in April 2012].

                  Deleted: April 2012
                  October 2010

                • EN-2.2.8

                  [This Paragraph was deleted in April 2012].

                  Deleted: April 2012
                  October 2010

                • EN-2.2.9

                  The CBB may commission reports, which require appointed experts to review information from another company within the reporting specialised licensee's group even when that other entity is not subject to any CBB requirements.

                  Amended: January 2012
                  October 2010

                • EN-2.2.10

                  In accordance with Articles 114 and 123 of the CBB Law, specialised licensees must provide all relevant information and assistance to appointed experts on demand.

                  Amended: April 2012
                  October 2010

                • EN-2.2.11

                  [This Paragraph was moved to Section BR-3.5 for money changers and administrators and the module GR for representative offices in April 2012.]

              • EN-2.3 EN-2.3 Procedure

                [The Rules and guidance in this Section were moved to Section BR-3.5 for money changers and administrators and Module GR for Representative offices in April 2012]

                • EN-2.3.1

                  All proposals for Appointed Experts require approval by an Executive Director or more senior official of the CBB. The appointment will be made in writing, and made directly with the experts concerned. A separate letter is sent to the licensee, notifying them of the appointment. At the CBB's discretion, a trilateral meeting may be held at any point, involving the CBB and representatives of the licensee and the Appointed Experts, to discuss any aspect of the investigation.

                  October 2010

                • EN-2.3.2

                  Following the completion of the investigation, the CBB will normally provide feedback on the findings of the investigation to the specialised licensee concerned.

                  October 2010

              • EN-2.4 EN-2.4 The Required Report

                [The Rules and guidance in this Section were moved to Section BR-3.5 for money changers and administrators and Module GR for Representative offices in April 2012]

                • EN-2.4.1

                  The scope of the required report will be determined and detailed by the CBB in the appointment letter. Commissioned Appointed Experts will normally be required to report on one or more of the following aspects of a licensee's business:

                  a) Accounting and other records;
                  b) Internal control systems;
                  c) Returns of information provided to the CBB;
                  d) Operations of certain departments; and/or
                  e) Other matters specified by the CBB.
                  October 2010

                • EN-2.4.2

                  Appointed Experts will be required to form an opinion on whether, during the period examined, the licensee is in compliance with the relevant provisions of the CBB Law and the CBB's relevant requirements, as well as other requirements of Bahrain Law and, where relevant, industry best practice locally and/or internationally.

                  October 2010

                • EN-2.4.3

                  The Appointed Experts report should follow the format set out in Appendix EN-1 in Part B of Rulebook Volume 4.

                  October 2010

                • EN-2.4.4

                  Unless otherwise directed by the CBB, the report must be discussed with the Board of Directors and/or senior management in advance of it being sent to the CBB.

                  October 2010

                • EN-2.4.5

                  Where the report is qualified by exception, the report must clearly set out the risks which the licensee runs by not correcting the weakness, with an indication of the severity of the weakness, should it not be corrected. Appointed Experts will be expected to report on the type, nature and extent of any weaknesses found during their work, as well as the implications of a failure to address and resolve such weaknesses.

                  October 2010

                • EN-2.4.6

                  If the Appointed Experts conclude, after discussing the matter with the licensee, that they will give a negative opinion (as opposed to one qualified by exception) or that the issue of the report will be delayed, they must immediately inform the CBB in writing giving an explanation in this regard.

                  October 2010

                • EN-2.4.7

                  The report must be completed, dated and submitted, together with any comments by Directors or management (including any proposed timeframe within which the licensee has committed to resolving any issues highlighted by the report), to the CBB within the timeframe applicable.

                  October 2010

              • EN-2.5 EN-2.5 Other Notifications to the CBB

                [The Rules and guidance in this Section were moved to Section BR-3.5 for money changers and administrators and Module GR for Representative offices in April 2012]

                • EN-2.5.1

                  Appointed Experts must communicate to the CBB, during the conduct of their duties, any reasonable belief or concern they may have that any of the requirements of the CBB, including the criteria for licensing a licensee (see Module AU), are not or have not been fulfilled, or that there has been a material loss or there exists a significant risk of material loss in the concerned licensee, or that the interests of clients are at risk because of adverse changes in the financial position or in the management or other resources of a licensee. Notwithstanding the above, it is primarily the licensee's responsibility to report such matters to the CBB.

                  October 2010

                • EN-2.5.2

                  The CBB recognises that Appointed Experts cannot be expected to be aware of all circumstances which, had they known of them, would have led them to make a communication to the CBB as outlined above. It is only when Appointed Experts, in carrying out their duties, become aware of such a circumstance that they should make detailed inquiries with the above specific duty in mind.

                  October 2010

                • EN-2.5.3

                  If Appointed Experts decide to communicate directly with the CBB in the circumstances set out in Paragraph EN-2.5.1 above, they may wish to consider whether the matter should be reported at an appropriate senior level in the licensee at the same time and whether an appropriate senior representative of the licensee should be invited to attend the meeting with the CBB.

                  October 2010

            • EN-3 EN-3 Formal Warnings

              • EN-3.1 EN-3.1 CBB Legal Source

                • EN-3.1.1

                  Article 38 of the CBB Law empowers the CBB to issue formal warnings to specialised licensees or authorised persons. The CBB will issue such warnings where it reasonably believes that these are required to achieve its statutory objectives.

                  October 2010

              • EN-3.2 EN-3.2 CBB Policy

                • EN-3.2.1

                  Formal warnings are clearly identified as such and represent the CBB's first level formal enforcement measure. They are intended to clearly set out the CBB's concerns to a licensee or individual regarding an issue, and should be viewed by the recipient with the appropriate degree of seriousness.

                  October 2010

                • EN-3.2.2

                  As indicated in Paragraph EN-B.2.7, the CBB will usually discuss concerns it may have prior to resorting to a formal enforcement measure, especially where a significant element of judgement is required in assessing compliance with a regulatory requirement.

                  October 2010

                • EN-3.2.3

                  Where such discussions fail to resolve matters to the CBB's satisfaction, then it may issue a formal warning. Failure to respond adequately to a formal warning will lead the CBB to consider more severe enforcement measures. However, more severe measures do not require the prior issuance of a formal warning – depending on its assessment of the circumstances, the CBB may decide to have immediate recourse to other measures. Similarly, there may be circumstances where the CBB issues a formal warning without prior discussion with the licensee or individual concerned: this would usually be the case where a clear-cut compliance failing has occurred.

                  October 2010

                • EN-3.2.4

                  When considering whether to issue a formal warning, the criteria taken into consideration by the CBB therefore include the following:

                  (a) The seriousness of the actual or potential contravention, in relation to the requirement(s) concerned and the risks posed to customers, market participants and other stakeholders;
                  (b) In the case of an actual contravention, its duration and/or frequency of the contravention; the extent to which it reflects more widespread weaknesses in controls and/or management; and the extent to which it was attributable to deliberate or reckless behaviour; and
                  (c) The extent to which the CBB's supervisory objectives would be better served by issuance of a formal warning as opposed to another type of regulatory action.
                  October 2010

              • EN-3.3 EN-3.3 Procedure for Issuing Formal Warnings

                • EN-3.3.1

                  Proposals to issue formal warnings are carefully considered against the criteria listed in Paragraph EN-3.2.4. They require approval of a Director or more senior CBB official, and include the statement "This is a formal warning as defined in Chapter EN-3 of Volume 5 of the CBB Rulebook".

                  October 2010

                • EN-3.3.2

                  Depending on the issue in question, recipients of a formal warning may be required to respond to the contents of the warning. Where a formal warning is served prior to imposing any penalties or administrative proceedings, Articles 125(c) and 126 of the CBB Law provide the recipients the right to object or challenge the formal warning.

                  October 2010

            • EN-4 EN-4 Directions

              • EN-4.1 EN-4.1 Legal Source

                • EN-4.1.1

                  Article 38 of the CBB Law empowers the CBB to issue Directions to specialised licensees or individuals. The powers conveyed allow the CBB to issue whatever Directions, it reasonably believes, are required to achieve its statutory objectives.

                  Amended: October 2012
                  October 2010

              • EN-4.2 EN-4.2 CBB Policy

                • EN-4.2.1

                  The types of Directions that the CBB may issue in practice vary and will depend on the individual circumstances of a case. Generally, however, Directions require a licensee or individual either to undertake or to stop specific actions in order to address or mitigate certain perceived risks. They may also include restrictions on a licensee's activities until those risks have been addressed – for instance, a ban on the acceptance of new customers.

                  October 2010

                • EN-4.2.2

                  The CBB is conscious of the powerful nature of a Direction and, in the case of a licensee, the fact that it subordinates the role of its Board and management on a specific issue. The CBB will carefully consider the need for a Direction, and whether alternative measures may not achieve the same end. Where feasible, the CBB will try to achieve the desired outcome through persuasion, rather than recourse to a Direction.

                  October 2010

                • EN-4.2.3

                  In considering whether to issue a Direction, the criteria taken into consideration by the CBB include the following:

                  (a) The seriousness of the actual or potential contravention, in relation to the requirement(s) concerned and the risks posed to customers, market participants and other stakeholders ;
                  (b) In the case of an actual contravention, its duration and/or frequency of the contravention; the extent to which it reflects more widespread weaknesses in controls and/or management; and the extent to which it was attributable to deliberate or reckless behaviour; and
                  (c) The extent to which the CBB's supervisory objectives would be better served by issuance of a Direction as opposed to another type of regulatory action.
                  October 2010

              • EN-4.3 EN-4.3 Procedure

                • EN-4.3.1

                  Proposals to issue Directions are carefully considered against the criteria listed in Paragraph EN-4.2.3. They require approval of an Executive Director or more senior official of the CBB, and include the statement "This is a formal Direction as defined in Chapter EN-4 of Volume 5 of the CBB Rulebook".

                  October 2010

                • EN-4.3.2

                  The subject of the Direction will normally be given 30 calendar days from the Direction's date of issuance in which to make representations to the CBB concerning the actions required. This must be done in writing, and addressed to the issuer of the original Direction. Should a representation be made, the CBB will make a final determination within 30 calendar days of the date of the representation, as specified in Articles 125(c) and 126 of the CBB Law.

                  October 2010

                • EN-4.3.3

                  [This Paragraph was moved to Section EN-B.2 in April 2019].

                  Deleted: April 2019
                  October 2010

            • EN-5 EN-5 Financial Penalties

              • EN-5.1 EN-5.1 Legal Source

                • EN-5.1.1

                  Article 129 of the CBB Law, provides the CBB the power to impose financial penalties on licensees or persons referred to in paragraph (b) of Article (68 bis 1) of the CBB Law.

                  Amended: April 2016
                  Amended: October 2012
                  October 2010

              • EN-5.2 EN-5.2 CBB Policy

                • EN-5.2.1

                  The level of financial penalty applied is determined by the nature of the contravention and the amount of additional supervisory attention and resources taken up by a licensee's or persons' referred to in paragraph (b) of Article (68 bis 1) of the CBB Law behaviour and by limits set in the CBB Law. The CBB intends that the impact of a penalty should derive more from its signalling effect than from the actual amount of money involved.

                  Amended: April 2016
                  October 2010

                • EN-5.2.2

                  As indicated in Paragraph EN-B.4.5, the CBB requires disclosure by licensees in accordance with Modules PD or BR of any financial penalties served on them, together with a factual description of the reasons given by the CBB for applying the penalty. In addition, the CBB may publicise the issuance of a financial penalty notice, where there is a strong case that doing so would help achieve the CBB's supervisory objectives, as mentioned in Article 132 of the CBB Law.

                  Amended: October 2019
                  October 2010

                • EN-5.2.3

                  In assessing whether to serve a financial written penalty notice, the CBB takes into account the following criteria:

                  (a) The seriousness of the contravention, in relation to the requirement(s) concerned;
                  (b) The duration and/or frequency of the contravention, and the extent to which it reflects more widespread weaknesses in controls and/or management;
                  (c) The extent to which the contravention was deliberate or reckless;
                  (d) The licensee's past compliance record and conduct following the contravention; and
                  (e) The scope of any other action taken by the CBB or other regulators against the licensee, in response to the compliance failures in question.
                  October 2010

                • EN-5.2.4

                  Part 11 of the CBB Law outlines instances where financial penalties may be imposed. Examples of the types of compliance failings that may lead to the serving of a financial penalty notice include (but are not limited to):

                  (a) Failures to address persistent delays and/or significant inaccuracies in regulatory reporting to the CBB;
                  (b) Repeated failures to respond to formal requests for information from the CBB, within the deadlines set;
                  (c) The submission of information to the CBB known to be false or misleading; and
                  (d) Major failures in maintaining adequate systems and controls in accordance with CBB's requirements, subjecting investors and other customers to significant risk of financial loss.
                  October 2010

                • EN-5.2.5

                  In accordance with Article 125 of the CBB Law, a written notice of a financial penalty must be issued before imposing any financial penalty. The written notice must contain the following information:

                  (a) The violations committed by the licensee with respect to the CBB Law; the CBB Rulebook; any Directions, Warnings or Formal Requests for Information; or violations of the terms and conditions of the license issued to the licensee;
                  (b) Evidence or proof to support the above;
                  (c) The level of financial penalty to be imposed; and
                  (d) The grace period to be allowed to the licensee for challenging the intended penalty (which will not be less than 30 calendar days).
                  October 2010

                • EN-5.2.6

                  The licensee may either pay the penalty or, pursuant to Article 126 of the CBB Law, may object within the period noted in Subparagraph EN-5.2.5(d). In accordance with Article 127 of the CBB Law, the CBB will consider any objection and make a formal resolution within 30 calendar days of receiving the objection. Thereafter, the resolution and any accompanying penalties are final and must be paid within 30 calendar days.

                  October 2010

                • EN-5.2.7

                  [This Paragraph was deleted in January 2016.]

                  Deleted: January 2016
                  October 2010

                • EN-5.2.8

                  The imposition of a financial penalty does not preclude the CBB from also using other enforcement measures to remedy the same violation (for instance, a Direction).

                  October 2010

              • EN-5.3 EN-5.3 Module FC (Financial Crime)

                • EN-5.3.1

                  In addition to the general circumstances set out in Section EN-5.2, a financial penalty of up to BD 100,000 may be applied by the CBB in cases where a licensee fails to comply with any of the requirements in Module FC (Financial Crime). The fine shall be multiplied by the number of violations.

                  Amended: April 2016
                  October 2010

                • EN-5.3.2

                  As with the imposition of financial penalties in response to breaches of other regulatory requirements, the CBB will apply financial penalties with respect to Module FC, based on the criteria set out in paragraph EN-5.2.3.

                  October 2010

                • EN-5.3.3

                  A failure to comply with Module FC (Financial Crime) that warrants a financial penalty would not trigger also a financial penalty under Section EN-5.2.

                  October 2010

                • EN-5.3.4

                  Any financial penalties applied by the CBB as regards the implementation of Module FC, are without prejudice to the criminal sanctions available to the Bahraini courts under the Decree – Law No. 4 of 2001, with respect to the prevention and prohibition of the laundering of money. As with other financial penalties, the imposition of a financial penalty with regards to breaches of Module FC does not prevent the CBB from also using other enforcement measures to remedy the same violation (for instance, a Direction).

                  October 2010

              • EN-5.3A EN-5.3A Financial Penalties for Date Sensitive Requirements

                • EN-5.3A.1

                  Modules AU, FC, BR, HC and PD contain specific requirements where specialised licensees must comply with, by a precise date. Where a specific due date is involved, the CBB's financial penalties are based on a per diem basis.

                  Amended: July 2017
                  Added: October 2012

                • EN-5.3A.2

                  This Section applies to date sensitive requirements for:

                  (a) Reporting requirements included in Module BR;
                  (b) Public disclosure requirements included in Module PD;
                  (c) The report of the external auditor or approved consultancy firm required as per Paragraph FC-4.3.1 (d);
                  (d) Annual licensing fees required as per Module AU, and
                  (e) Conduct of Shareholders' Meetings requirements included in Section HC-7.2 (for financing companies).
                  Amended: July 2017
                  Added: October 2012

                • EN-5.3A.3

                  Financial penalties related to late filing or other date sensitive requirements are calculated as per the following per diem basis:

                  (a) Where the financing company licensee's total consolidated assets are less than or equal to BD 50 million, the financial penalty for late filing is BD 100 per day;
                  (b) Where the financing company licensee's total consolidated assets are greater than BD 50 million but less than or equal to BD 250 million, the financial penalty for late filing is BD 200 per day;
                  (c) Where the financing company licensee's total consolidated assets are greater than BD 250 million, the financial penalty is BD 400 per day;
                  (e) For new financing company licensees who have yet to provide audited financial statements, the financial penalty is BD 100 per day;
                  (f) For all Volume 5 specialised licensees, other than financing company licensees, the financial penalty under this Section is BD 40 per day.
                  Amended: April 2017
                  Added: October 2012

                • EN-5.3A.4

                  In accordance with Article 129 of the CBB Law, the maximum financial penalty levied for failing to comply with date sensitive requirements is BD 100,000. The fine shall be multiplied by the number of violations. The CBB may opt to limit the amount of the financial penalty and use other enforcement measures as outlined in Module EN (Enforcement), such as imposing restrictions on a specialised license limiting the scope of operations.

                  Amended: April 2016
                  Added: October 2012

                • EN-5.3A.5

                  The various deadlines for submission of reports and annual fees referred to in Modules BR, FC, PD and AU are defined:

                  (a) In terms of a specified number of days or months following a given date, such as the last date of a calendar quarter;
                  (b) A specified number of days or months after the occurrence of a specific event; or
                  (c) A specific date.
                  Added: October 2012

                • EN-5.3A.6

                  In imposing financial penalties for date sensitive requirements, the following criteria apply:

                  (a) Where the due date falls on a holiday as designated by the CBB, the first business day following the holiday will be considered as being the due date;
                  (b) Where a due date is not complied with by the end of the day on which it is due, holidays and weekend days are included in the number of days the item is considered late;
                  (c) For returns and other filings, the date received is the date recorded by the CBB's systems in case of returns filed electronically;
                  (d) In the case of returns filed in hard copy, the CBB stamp is the date received;
                  (e) All returns are to be sent to the respective Supervision Directorate and the annual fees to the Accounts Directorate, on or before the due date, to be considered filed on time;
                  (f) A day ends at midnight in the case of returns that must be filed electronically, or at the close of CBB business day, in the case returns are filed in hard copy; and
                  (g) An incomplete return, where completeness is determined in relation to the requirements of the relevant instructions and Module BR, is considered 'not filed' until the CBB receives all necessary elements of the return.
                  Added: October 2012

                • EN-5.3A.7

                  The CBB does not require any particular method of delivery for returns and filings that are filed in hard copy. The use of the Bahrain postal services, private courier services or other methods of delivery is entirely at the discretion and risk of the licensee. For the payment of annual fees, licensees must follow the requirements of Form ALF, included under Part B of Volume 5.

                  Added: October 2012

                • EN-5.3A.8

                  A decision to impose a financial penalty for date sensitive requirements is unrelated to whether the CBB issues a reminder; it is the licensee's responsibility to file and disclose on time as per the requirements of Volume 5 (Specialised Licensees) Rulebook.

                  Added: October 2012

              • EN-5.3B EN-5.3B Financial Penalties for Non-compliance with Blocking / Unblocking Requirements

                • EN-5.3B.1

                  The financial penalty for late execution of blocking/unblocking orders issued by the Court/Public Prosecution is BD 10 per day per customer account/claim. Such financial penalties will be charged through billing on a weekly basis.

                  Added: April 2021

              • EN-5.4 EN-5.4 Procedure for Financial Penalties

                • EN-5.4.1

                  A written financial penalty notice will be addressed to the Chief Executive Officer or General Manager of the licensee or persons referred to in paragraph (b) of Article (68 bis 1) of the CBB Law concerned. This written notification will describe the contravention concerned, the CBB's evidence supporting a financial penalty, and the factors justifying the level of penalty proposed. Only an Executive Director or more senior member of the CBB's management may sign the notification.

                  Amended: April 2016
                  October 2010

                • EN-5.4.2

                  The licensee or persons referred to in paragraph (b) of Article (68 bis 1) of the CBB Law has 30 calendar days from the notification's date of issuance to submit any representations it wishes to make to the CBB, in writing and addressed to the issuer of the original notification. If the licensee or persons referred to in paragraph (b) of Article (68 bis 1) of the CBB Law decides not to submit representations, it has 30 calendar days from the notification's date of issuance in which to pay the penalty.

                  Amended: April 2016
                  October 2010

                • EN-5.4.3

                  Should the licensee or persons referred to in paragraph (b) of Article (68 bis 1) of the CBB Law make representations challenging the proposed penalty, the CBB has 30 calendar days from the issuance of those representations in which to re-examine the facts of the case and its conclusions. If the CBB confirms application of a penalty, payment is required within 30 calendar days of a final notice being issued.

                  Amended: April 2016
                  October 2010

                • EN-5.4.4

                  Failure to pay a penalty within the required deadlines will be considered a breach of CBB's regulatory requirements, and will also result in other measures being considered, as described elsewhere in this Module.

                  October 2010

              • EN-5.5 EN-5.5 Addressing a Compliance Failure

                • EN-5.5.1

                  Payment of a financial penalty does not by itself absolve a licensee or persons referred to in paragraph (b) of Article (68 bis 1) of the CBB Law from remedying the compliance failure concerned. The CBB will expect the licensee or persons referred to in paragraph (b) of Article (68 bis 1) of the CBB Law to address the contravention within a reasonable timescale, to be agreed on a case-by-case basis. Failure to do so will result in other measures being considered.

                  Amended: April 2016
                  October 2010

            • EN-6 EN-6 Administration

              • EN-6.1 EN-6.1 [This Section was deleted in April 2019]

                • EN-6.1.1

                  [This Paragraph was deleted in April 2019].

                  Deleted: April 2019
                  October 2010

                • EN-6.1.2

                  [This Paragraph was deleted in April 2019].

                  Deleted: April 2019
                  October 2010

                • EN-6.1.3

                  [This Paragraph was deleted in April 2019].

                  Deleted: April 2019
                  October 2010

              • EN-6.2 EN-6.2 [This Section was deleted in April 2019]

                • EN-6.2.1

                  [This Paragraph was deleted in April 2019].

                  Deleted: April 2019
                  October 2010

                • EN-6.2.2

                  [This Paragraph was deleted in April 2019].

                  Deleted: April 2019
                  October 2010

                • EN-6.2.3

                  [This Paragraph was deleted in April 2019].

                  Deleted: April 2019
                  October 2010

              • EN-6.3 EN-6.3 [This Section was deleted in April 2019]

                • EN-6.3.1

                  [This Paragraph was deleted in April 2019].

                  Deleted: April 2019
                  October 2010

                • EN-6.3.2

                  [This Paragraph was deleted in April 2019].

                  Deleted: April 2019
                  October 2010

                • EN-6.3.3

                  [This Paragraph was deleted in April 2019].

                  Deleted: April 2019
                  October 2010

            • EN-7 EN-7 Cancellation or Amendment of License

              • EN-7.1 EN-7.1 Legal Source

                • EN-7.1.1

                  Article 48 of the CBB Law empowers the CBB to cancel or amend a license under certain circumstances. These include cases where a licensee has:

                  (a) Failed to satisfy its license conditions;
                  (b) Violated the terms of the CBB Law, Regulations or Rulebook;
                  (c) Failed to start business within six months from the date of the license being issued;
                  (d) Ceased to carry out the licensed activities permitted; or
                  (e) Not acted in the legitimate interest of its customers or creditors.
                  October 2010

                • EN-7.1.2

                  Article 48(d) of the CBB Law requires the CBB to give the licensee concerned at least 30 calendar days in which to appeal any proposed cancellation or amendment of its license.

                  October 2010

              • EN-7.2 EN-7.2 CBB Policy

                • EN-7.2.1

                  When used as an enforcement tool, the CBB views cancelling a license as appropriate only in the most serious of circumstances, when faced with the gravest of contraventions or when left with no other reasonable means of successfully addressing the regulatory failings in question. Cancellation or amendment of a license, however, may also be required in circumstances outside of an enforcement context, for instance because of a change in the business profile of a licensee.

                  October 2010

                • EN-7.2.2

                  When used as an enforcement tool, the criteria used by the CBB in assessing whether to seek the cancellation or amendment of a license include:

                  (a) The extent to which the interests of the market, its users and those who have a claim on the licensee would be best served by the cancellation or amendment of the license;
                  (b) The extent to which other supervisory penalties could reasonably be expected to achieve the CBB's desired supervisory objectives;
                  (c) The extent to which the licensee has contravened the conditions of its license and/or the CBB Law, including the seriousness, duration and/or frequency of the contravention(s) concerned, and the extent to which the contraventions reflect more widespread or systemic weaknesses in controls and/or management;
                  (d) The extent to which the licensee has been involved in financial crime or other criminal conduct; and
                  (e) The licensee's past compliance record and conduct following the contravention (s).
                  October 2010

                • EN-7.2.3

                  When the CBB issues a notice of cancellation or amendment as an enforcement tool, it will only implement the actual change once it is satisfied that there are no longer any regulated activities for which it is necessary to keep the current authorisation in force. Until such time as these activities have been run off or moved to another licensee, the CBB will control these activities through other means (such as taking the licensee into administration or through issuing Directions).

                  October 2010

              • EN-7.3 EN-7.3 Procedure for Amendment or Cancellation of License

                • EN-7.3.1

                  All proposals for cancelling or amending a license as an enforcement tool are subject to a thorough review by the CBB of all relevant facts, assessed against the criteria outlined in Paragraphs EN-7.2.1 and EN-7.2.2. After being assessed at the Executive Director level, proposals are submitted to H.E. the Governor for approval.

                  October 2010

                • EN-7.3.2

                  Once approved within the CBB, a formal notice of cancellation or amendment is issued to the licensee concerned. The notice of cancellation or amendment will describe the factual circumstances of the contraventions concerned, and the CBB's rationale for the proposed cancellation or amendment, as measured against the criteria outlined in Paragraphs EN-7.2.1 and EN-7.2.2.

                  October 2010

                • EN-7.3.3

                  The licensee has 30 calendar days from the date of the notice in which to lodge an appeal. The appeal should be addressed to the Board of the CBB, and copied to H.E. the Governor of the CBB.

                  October 2010

                • EN-7.3.4

                  If an appeal is lodged, the Board of the CBB will make a final ruling within 60 calendar days of its date of issuance.

                  October 2010

                • EN-7.3.5

                  A licensee may appeal to a competent court within 60 days of the above final ruling for a decision. The court's decision will then be final.

                  October 2010

            • EN-8 EN-8 Cancellation of 'Fit and Proper' Approval

              • EN-8.1 EN-8.1 Legal Source

                • EN-8.1.1

                  Article 65 of the CBB Law allows the CBB to determine the level of qualifications, experience and training of a licensee's officers or employees. Article 65(c) of the CBB Law empowers the CBB the right to remove any official, being a Board member or in an executive position, that is unqualified or unsuitable for the assigned position.

                  October 2010

              • EN-8.2 EN-8.2 CBB Policy

                • EN-8.2.1

                  Chapter AU-3 of Module AU (Authorisation), specifies that approved persons must be assessed by the CBB as 'fit and proper' to hold such a position. The Chapter specifies various factors that the CBB takes into account when reaching such a decision.

                  October 2010

                • EN-8.2.2

                  The CBB is conscious of the impact that assessing someone as not 'fit and proper' may have on an individual approved person. Such assessments are carefully reviewed in the light of all relevant facts. The criteria used in reaching a decision include the following:

                  (a) The extent to which the factors set out in Chapter AU-3 have not been met;
                  (b) The extent to which the person has deliberately or recklessly breached requirements of the CBB Law or Volume 5 (Specialised Licensees);
                  (c) The person's past compliance record and conduct following any such breaches;
                  (d) The length of time since factors indicating a lack of fitness or propriety occurred; and
                  (e) The risk the person poses to licensees and their customers.
                  October 2010

                • EN-8.2.3

                  Amongst other matters, the CBB will normally consider as grounds for the revocation of approved person status the following events affecting the approved person:

                  (a) The conviction by a court, whether in Bahrain or elsewhere, for a crime affecting honesty;
                  (b) A declaration of bankruptcy by a court of law;
                  (c) A court ruling that the approved person's legal capacity is totally or partially impaired; or
                  (d) The sanction by a professional body of a fine, suspension, expulsion or censure.
                  October 2010

                • EN-8.2.4

                  Specialised licensees must inform the CBB immediately when they become aware of any of the events listed in Paragraph EN-8.2.3, affecting one of their approved persons.

                  Amended: October 2012
                  October 2010

                • EN-8.2.5

                  If the CBB has grounds for considering that an individual is no longer fit and proper to continue to hold their existing controlled function(s), it will revoke the approved person status granted to that individual. The individual will then be required to resign from each of the controlled functions to which this revocation applies. This revocation does not automatically preclude them from applying to hold other controlled functions in the future, but will be taken into account in considering new requests from specialised licensees that pertain to that individual.

                  October 2010

                • EN-8.2.6

                  Depending on the seriousness of the situation, the CBB may impose further measures, which may include disqualification from:

                  (a) Holding any controlled function;
                  (b) Performing any function in relation to any regulated activity carried out by a licensed firm; or
                  (c) Being a controller of any licensed firm.
                  October 2010

                • EN-8.2.7

                  In assessing evidence, the CBB applies a lower threshold than is applied in a criminal court of law, reflecting the administrative nature of the sanction. The CBB may also take into account the cumulative effect of factors which, when considered individually, may not in themselves be sufficient to justify an adverse 'fit and proper' finding.

                  October 2010

                • EN-8.2.8

                  The CBB may also take into account the particular function being undertaken in the licensee by the individual concerned, and the size and nature of the licensee itself, particularly when assessing the suitability of a person's experience or qualifications. Thus, the fact that a person was deemed 'fit and proper' for a particular position in a particular firm does not necessarily mean he would be suitable in a different position or in a different firm.

                  October 2010

              • EN-8.3 EN-8.3 Procedure for Issuing an Adverse Finding

                • EN-8.3.1

                  All proposals for issuing an adverse fit and proper' finding are subject to a thorough review by the CBB of all relevant facts, assessed against the criteria outlined in Paragraph EN-8.2.2. In some instances, it may be appropriate for the CBB to request the licensee or person concerned to provide further information, in order to help reach a decision.

                  October 2010

                • EN-8.3.2

                  All adverse findings have to be approved by an Executive Director of the CBB. Once approved, a notice of intent is issued to the person concerned and copied to the Board/senior management of the licensee, setting out the circumstances and the basis for the CBB's proposed adverse finding. The person has 30 calendar days from the date of the notice in which to make written representations, addressed to the Executive Director concerned, failing which a final notice is issued by the CBB.

                  October 2010

            • EN-9 EN-9 Criminal Sanctions

              • EN-9.1 EN-9.1 Overview

                • EN-9.1.1

                  The CBB Law provides for a number of criminal sanctions in cases where certain of its provisions are contravened. This Section provides a summary of those sanctions most relevant to licensees, their Directors and employees. What follows is not a complete list of all sanctions provided for in the CBB Law, nor is it a substitute for reading the Law and being fully aware of its provisions.

                  October 2010

                • EN-9.1.2

                  Licensees, their Directors and employees should also be aware of the criminal sanctions provided for under other relevant Bahraini laws, such as the Decree – Law No. 4 of 2001, with respect to the prevention and prohibition of the laundering of money.

                  October 2010

                • EN-9.1.3

                  In all cases to do with criminal sanctions, the CBB can only refer the matter to the Office of the Public Prosecutor. The CBB has no authority to apply such sanctions without recourse to the courts.

                  October 2010

              • EN-9.2 EN-9.2 CBB Policy

                • EN-9.2.1

                  Because of their criminal status, and their provision for custodial sentences, the sanctions provided for under the CBB Law are viewed by the CBB as very powerful measures, to be pursued sparingly. In most situations, the CBB will seek to address regulatory failures through administrative sanctions, as outlined in the preceding Chapters, rather than by pursuing the criminal sanctions outlined here.

                  October 2010

                • EN-9.2.2

                  Where, however, the nature of the offence is such that there is strong evidence of a reckless or intentional breach of the CBB Law relevant to the following Articles, then the CBB will refer the matter to the Office of the Public Prosecutor.

                  October 2010

              • EN-9.3 EN-9.3 Articles of CBB Law

                • Article 161

                  • EN-9.3.1A

                    Article 161 of the CBB Law provides for a penalty of up to BD 1 million, without prejudice to any other penalty prescribed in any other law, in case of any person who breaches the provisions of Resolution No.(16) for the year 2012 issued pursuant to Article 42 of the CBB Law. The Court may also confiscate the proceeds resulting from breaching the Resolution.

                    Added: January 2013

                • Article 163

                  • EN-9.3.1

                    Article 163 of the CBB Law provides for a term of imprisonment and/or a fine of up to BD 20,000, without prejudice to any other penalty prescribed in any other law, in case of conviction of a Director, manager, official, agent or representative of any licensee who:

                    (a) Conceals any records, information or documents requested by the CBB (or any person appointed by the CBB to conduct an investigation or inspection);
                    (b) Provides statements or information in bad faith which do not reflect the actual financial position of the Licensee;
                    (c) Conceals from an external auditor any records, information or documents necessary for auditing the accounts of the Licensee; or
                    (d) Provides in bad faith any misleading or inaccurate statements to an external auditor which do not reflect the actual financial position of the Licensee.
                    October 2010

                • Article 169

                  • EN-9.3.2

                    Article 169 provides for a term of imprisonment, and/or a fine of up to BD 20,000 for any Director, manager, official or employee, who acts or permits an act in violation of Article 134 of the CBB Law where he knows (or should have known) that the Licensee is insolvent.

                    October 2010

                • Article 170

                  • EN-9.3.3

                    Part 2 of Article 170 of the CBB Law provides for term of imprisonment and/or a fine not exceeding BD3,000 if any Director, manager, official or employee intentionally obstructs an investigation by the CBB or an Appointed Expert.

                    October 2010

                • Article 171

                  • EN-9.3.4

                    Article 171 of the CBB Law provides for a term of imprisonment and/or a fine not exceeding BD10, 000, if any Director, manager, official or employee discloses in bad faith any confidential information relating to a customer of the concerned of a licensee.

                    October 2010

    • Specific Modules (By Type of Licensee)

      • Type 1: Type 1: Money Changers Licensees

        • Part A Part A

          • High Level Standards

            • AU AU Money Changers Authorisation Module

              • AU-A AU-A Introduction

                • AU-A.1 AU-A.1 Purpose

                  • Executive Summary

                    • AU-A.1.1

                      The Authorisation Module sets out the Central Bank of Bahrain's ('CBB') approach to licensing providers of regulated money changer services in the Kingdom of Bahrain. It also sets out CBB requirements for approving persons undertaking key functions in those providers.

                      Amended: January 2011
                      October 2010

                    • AU-A.1.2

                      Persons undertaking certain functions in relation to licensees require prior CBB approval. These functions (called 'controlled functions') include Directors and members of senior management. The controlled functions regime supplements the licensing regime by ensuring that key persons involved in the running of licensees are fit and proper. Those authorised by the CBB to undertake controlled functions are called approved persons.

                      October 2010

                  • Retaining Authorised Status

                    • AU-A.1.3

                      The requirements set out in Chapters AU-2 and AU-3 represent the minimum conditions that have to be met in each case, both at the point of authorisation and on an on-going basis thereafter, in order for authorised status to be retained.

                      October 2010

                  • Legal Basis

                    • AU-A.1.4

                      This Module contains the CBB's Directive, Regulations and Resolutions (as amended from time to time) regarding authorisation under Volume 5 (Specialised Licensees) of the CBB Rulebook. It is applicable to all licensees (as well as to approved persons), and is issued under the powers available to the CBB under Articles 37 to 42, 44 to 48 and 180 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regarding regulated money changer services as per Article 39 (see Paragraph AU-1.1.8), licensing conditions as per Article 44 (see Chapter AU-2) and licensing fees as per Article 180 (see Chapter AU-5) are also included in Regulations and Resolutions and included in this Module. The Module also contains requirements governing the conditions of granting a license for the provision of regulated services as prescribed under Resolution No.(43) of 2011 and issued under the powers available to the CBB under Article 44(c). The Module contains requirements under Resolution No.(16) for the year 2012 including the prohibition of marketing financial services pursuant to Article 42 of the CBB Law. Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module. This Module contains the prior approval requirements for approved persons under Resolution No (23) of 2015.

                      Amended: July 2015
                      Amended: January 2013
                      Amended: April 2012
                      Amended: January 2011
                      October 2010

                    • AU-A.1.5

                      Approved Persons are individuals holding certain specified positions at CBB licensees; they must be approved by the CBB prior to taking on those positions and must demonstrate that they are fit and proper. The list of positions subject to the CBB's Approved Persons regime vary according to the CBB license Category, but generally cover directors and senior management, as well as certain other positions. Approved Persons requirements are specified in the relevant Rulebook Volume for the license Category in question.

                      October 2010

                    • AU-A.1.6

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      October 2010

                • AU-A.2 AU-A.2 Module History

                  • Evolution of Module

                    • AU-A.2.1

                      This Module was first issued in October 2010. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made. UG-3 provides further details on Rulebook maintenance and version control

                    • AU-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      AU-A.1.4 01/2011 Clarified legal basis.
                      AU-4.1.4 01/2011 Removed the requirement for a letter of comfort to be provided with an application for license.
                      AU-4.1.15 01/2011 Corrected cross reference.
                      AU-4.1.4(a) 04/2011 Added cross reference.
                      AU-4.2 04/2011 Clarified Rules for authorisation of a branch and added Rules for authorisation of a subsidiary.
                      AU-4.3.7A 07/2011 Added a Rule dealing with notification to CBB when an approved person ceases to hold a controlled function.
                      AU-4.4.6 07/2011 Cross reference added to Rule.
                      AU-A.1.4 04/2012 Legal basis updated to reflect all Articles of the CBB Law covered by this Module as well as applicable Resolutions.
                      AU-4.4 04/2012 Clarified language on cancellation of a license to be in line with other Volumes of the CBB Rulebook.
                      AU-1.1.8A and AU-1.1.8B 10/2012 Rule and guidance added to address the activity of wholesale export and import of various currency bank notes in physical form.
                      AU-2.1.1 10/2012 Amended legal status.
                      AU-A.1.4 01/2013 Updated legal basis.
                      AU-1.1 01/2013 References added to requirements under Resolution No.(16) for the year 2012.
                      AU-1.2.3 01/2013 Clarified approval requirements for controlled functions for Bahrain operations.
                      AU-4.4.4A 01/2013 Corrected cross reference to CBB Law.
                      AU-5.2 07/2013 Amended due date and collection process for annual licensee fee.
                      AU-A.1.4 07/2015 Legal basis updated to reflect Resolution No (23) of 2015.
                      AU-4.3 07/2015 Amended to be in line with Resolution No (23) of 2015 on Prior Approval Requirements for Approved Persons.
                      AU-4.4.6 07/2015 Clarified interim arrangements for replacement of approved person.
                      AU-1.2 01/2016 Clarified general requirements for approved persons.
                      AU-3 01/2016 Amended to be in line with Resolution No (23) of 2015 on Prior Approval Requirements for Approved Persons.
                      AU-4.3 01/2016 Minor amendments to be aligned with other Volumes of the Rulebook.
                      AU-4.5 07/2017 Added new Section on Publication of the Decision to Grant, Cancel or Amend a License
                      AU-4.1.1 04/2018 Amended Paragraph.
                      AU-4.1.18 04/2018 Amended Paragraph.
                      AU-4.3.2 04/2018 Amended Paragraph.
                      AU-4.3.8AA 10/2018 Amended Paragraph number.
                      AU-4.4.6 10/2018 Amended reference Paragraph.
                      AU-4.1.1 07/2019 Amended Paragraph to remove references to hardcopy Form 1 submission to online submission.
                      AU-4.1.21 10/2019 Changed from Rule to Guidance.
                      AU-4.1.22 10/2019 Changed from Rule to Guidance.
                      AU-4.1.23 10/2019 Changed from Rule to Guidance.
                      AU-4.5.1 10/2019 Changed from Rule to Guidance.
                      AU-4.3.9A 01/2021 Added a new Paragraph on compliance of approved persons with the fit and proper requirement.

                  • Superseded Requirements

                    • AU-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory instruments:

                      Circular / other reference Subject
                      Standard Conditions and Licensing Criteria: Money Changers Scope of license and licensing conditions.
                      Circular BC/309/1994 Management Personnel
                      Circular BC/120/1995 Money Changers Permitted Business
                      Circular BC/11/98 Appointment and suitability of Directors and senior managers ('fit and proper').
                      Circular EDFIS/C/05/2007 CBB's New License Fees System
                      October 2010

              • AU-B AU-B Scope of Application

                • AU-B.1 AU-B.1 Scope of Application

                  • AU-B.1.1

                    The content of this Module applies to all Money Changer licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

                    October 2010

                  • AU-B.1.2

                    Two types of authorisation are prescribed:

                    (i) Any person seeking to provide a regulated money changer service within or from the Kingdom of Bahrain must hold the appropriate CBB license (see AU-1.1). Money Changer Licensees are thereafter referred to in this Module as licensees; and
                    (ii) Natural persons wishing to perform a controlled function in a licensee also require prior CBB approval, as an approved person (see AU-1.2).
                    October 2010

                • AU-B.2 AU-B.2 Authorised Persons

                  • AU-B.2.1

                    Various requirements in Chapters AU-2 to AU-4 inclusive also apply to persons once they have been authorised by the CBB (whether as licensees or approved persons).

                    October 2010

                  • AU-B.2.2

                    Chapter AU-2 applies to licensees (not just applicants), since licensing conditions have to be met on a continuous basis by licensees. Similarly, Chapter AU-3 applies to approved persons on a continuous basis; it also applies to licensees seeking an approved person authorisation. Chapter AU-4 contains requirements applicable to licensees, with respect to the starting up of their operations, as well as to licensees and approved persons, with respect to the amendment or cancellation of their authorised status. Finally, Section AU-5.2 imposes annual fees on licensees.

                    October 2010

              • AU-1 AU-1 Authorisation Requirements

                • AU-1.1 AU-1.1 Licensing

                  • AU-1.1.1

                    No person may:

                    (a) Undertake (or hold themselves out to undertake) regulated money changer services, by way of business, within or from the Kingdom of Bahrain unless duly licensed by the CBB;
                    (b) Hold themselves out to be licensed by the CBB unless they have as a matter of fact been so licensed; or
                    (c) Market any financial services in the Kingdom of Bahrain unless:
                    (i) Allowed to do by the terms of a license issued by the CBB;
                    (ii) The activities come within the terms of an exemption granted by the CBB by way of a Directive; or
                    (iii) Has obtained the express written permission of the CBB to offer financial services.
                    Amended: January 2013
                    October 2010

                  • AU-1.1.2

                    For the purposes of Rule AU-1.1.1, please refer to Rule AU-1.1.8 for the definition of 'regulated money changer services' and Rule AU-1.1.9 for 'by way of business'. Such activities will be deemed to be undertaken within or from the Kingdom of Bahrain if, for example, the person concerned:

                    (a) Is incorporated in the Kingdom of Bahrain; or
                    (b) Uses an address situated in the Kingdom of Bahrain for its correspondence.
                    October 2010

                  • AU-1.1.2A

                    In accordance with Resolution No.(16) for the year 2012 and for the purpose of Subparagraph AU-1.1.1(c), the word 'market' refers to any promotion, offering, announcement, advertising, broadcast or any other means of communication made for the purpose of inducing recipients to purchase or otherwise acquire financial services in return for monetary payment or some other form of valuable consideration.

                    Added: January 2013

                  • AU-1.1.2B

                    Persons in breach of Subparagraph AU-1.1.1(c) are considered in breach of Resolution No.(16) for the year 2012 and are subject to penalties under Articles 129 and 161 of the CBB Law (see also Section EN-9.3).

                    Added: January 2013

                  • AU-1.1.3

                    Persons wishing to be licensed to undertake regulated money changer services within or from the Kingdom of Bahrain must apply in writing to the CBB.

                    October 2010

                  • AU-1.1.4

                    An application for a license must be in the form prescribed by the CBB and must contain, inter alia:

                    (a) A business plan specifying the type of business to be conducted;
                    (b) Application forms for all controllers; and
                    (c) Application forms for all controlled functions.
                    October 2010

                  • AU-1.1.5

                    The CBB will review the application and duly advise the applicant in writing when it has:

                    (a) Granted the application without conditions;
                    (b) Granted the application subject to conditions specified by the CBB; or
                    (c) Refused the application, stating the grounds on which the application has been refused and the process for appealing against that decision.
                    October 2010

                  • AU-1.1.6

                    Detailed rules and guidance regarding information requirements and processes for licenses can be found in Section AU-4.1. As specified in Paragraph AU-4.1.12, the CBB will provide a formal decision on a license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB.

                    October 2010

                  • AU-1.1.7

                    All applicants seeking a Money Changers license must satisfy the CBB that they meet, by the date of authorisation, the minimum criteria for licensing, as contained in Chapter AU-2. Once licensed, licensees must maintain these criteria on an on-going basis.

                    October 2010

                  • Money Changer License Permitted Activities

                    • AU-1.1.8

                      For the purposes of Volume 5 (Specialised Licensees), regulated money changer services mean all transactions including:

                      (a) The sale, purchase and exchange of foreign currencies;
                      (b) Currency transfer to/from Bahrain;
                      (c) Purchase and sale of travellers' cheques;
                      (d) The dealing in precious metals within the allowed limits; or
                      (e) Any other financial business related to Money Changers activities and approved by the CBB.
                      Amended: April 2011
                      October 2010

                    • AU-1.1.8A

                      For purposes of Subparagraph AU-1.1.8(a), the sale, purchase and exchange of foreign currencies may include the wholesale export and import of various currency bank notes in physical form, for the purpose of distribution/collection to/from the local market or for transmission to a foreign jurisdiction. Only licensees whose license specifically allows for such activity to be undertaken are permitted to engage in this activity.

                      Added: October 2012

                    • AU-1.1.8B

                      In assessing a request from a licensee to add the activity of export/import of bank notes to its permitted activities, the CBB will consider among other factors, the following:

                      (a) A satisfactory track record of not less than 5 years operating as a licensed regulated entity in the financial sector;
                      (b) The licensee's financial soundness, an acceptable level of capitalisation and financial resources and its ability to meet its obligations in a timely and satisfactory manner;
                      (c) The legal status and regulatory track record of the licensee including previous disciplinary measures taken against the licensee by the CBB or any other jurisdiction in which its group operates;
                      (d) The maintenance of an adequate insurance coverage to cater for any risk that may arise while importing/exporting the consignment;
                      (e) The application of prudent security measures when transporting the banknotes within the Kingdom of Bahrain, as required by Paragraphs GR-7.1.1 and GR-9.1.5A;
                      (f) The existence of prudent documented and approved internal procedures and controls within the licensee to govern the entire import/export activity starting from the origination of the consignment to its final destination. Such procedures must observe the requirements of any other Law or relevant competent authority in this regard, whether in the Kingdom of Bahrain or the jurisdiction to/from which the banknotes are being exported/imported;
                      (g) The existence of the necessary AML/CFT systems and controls in place as required by Module FC;
                      (h) The quality of management and corporate governance framework and oversight over the activities of the licensee; and
                      (i) The maintenance of proper books and records as required by Chapter GR-1.
                      Added: October 2012

                    • AU-1.1.9

                      For the purposes of Volume 5 (Specialised Licensees), carrying on a regulated money changer services by way of business means:

                      (a) Undertaking one or more of the activities specified in Paragraph AU-1.1.8 for commercial gain;
                      (b) Holding oneself out as willing and able to engage in that activity; or
                      (c) Regularly soliciting other persons to engage in transactions constituting that activity.
                      October 2010

                    • AU-1.1.10

                      Licensees are prohibited from conducting any other financial business other than that set out in Rule AU-1.1.8 above, and permitted by the license issued to them by the CBB.

                      October 2010

                    • AU-1.1.11

                      A person does not carry on an activity constituting regulated money changer services if it is an organisation, commercial company or travel and tourism agency accepting foreign currencies and travellers' cheques in consideration for their sales. In addition, hotels do not undertake regulated money changer services when accepting foreign currencies and travellers' cheques in consideration for their services and/or as a service to their guests.

                      October 2010

                  • Suitability

                    • AU-1.1.12

                      Those seeking authorisation must satisfy the CBB as to their suitability to carry out the regulated money changer services for which they are seeking authorisation.

                      October 2010

                    • AU-1.1.13

                      In assessing applications for a license, the CBB will assess whether an applicant satisfies the licensing conditions (as specified in Chapter AU-2) with respect to all the regulated services that the applicant proposes to undertake.

                      October 2010

                • AU-1.2 AU-1.2 Approved Persons

                  • General Requirements

                    • AU-1.2.1

                      Licensees must obtain the CBB's prior written approval for any person wishing to undertake a controlled function at a licensee. The approval from the CBB must be obtained prior to their appointment, subject to the variations contained in Paragraph AU-1.2.3.

                      Amended: January 2016
                      October 2010

                    • AU-1.2.2

                      Controlled functions are those functions occupied by board members and persons in executive positions and include:

                      (a) Director;
                      (b) Chief Executive or General Manager;
                      (c) Head of function;
                      (d) Compliance Officer; and
                      (e) Money Laundering Reporting Officer (MLRO).
                      Amended: January 2016
                      October 2010

                    • AU-1.2.3

                      Prior approval is required for all of the above controlled functions. Combination of the above controlled functions is subject to the requirements contained in Modules HC and RM. Controlled functions (b) to (e) are in relation to Bahrain operations.

                      Amended: January 2013
                      October 2010

                  • Basis for Approval

                    • AU-1.2.4

                      Approval under Paragraph AU-1.2.1 is only granted by the CBB, if it is satisfied that the person is 'fit and proper' to hold the particular position at the licensee concerned. 'Fit and proper' is determined by the CBB on a case-by-case basis. The definition of 'fit and proper' and associated guidance is provided in Sections AU-3.1 and AU-3.2 respectively.

                      October 2010

                  • Definitions

                    • AU-1.2.5

                      Director is any person who occupies the position of a Director, as defined in Article 173 of the Commercial Companies Law (Legislative Decree No. 21 of 2001).

                      October 2010

                    • AU-1.2.6

                      The fact that a person may have 'Director' in their job title does not of itself make them a Director within the meaning of the definition noted in Paragraph AU-1.2.5. For example, a 'Director of IT', is not necessarily a member of the Board of Directors and therefore may not fall under the definition of Paragraph AU-1.2.5.

                      October 2010

                    • AU-1.2.7

                      The Chief Executive or General Manager means a person who is responsible for the conduct of the licensee (regardless of actual title). The Chief Executive or General Manager must be resident in Bahrain. This person is responsible, for the conduct of the whole of the firm.

                      October 2010

                    • AU-1.2.8

                      Head of function means a person who exercises major managerial responsibilities, is responsible for a significant business or operating unit, or has senior managerial responsibility for maintaining accounts or other records of the licensee.

                      October 2010

                    • AU-1.2.9

                      Whether a person is a head of function will depend on the facts in each case and is not determined by the presence or absence of the word in their job title. Examples of head of function might include, depending on the scale, nature and complexity of the business, a deputy Chief Executive, heads of departments such as Risk Management, Compliance or Internal Audit, or the Chief Financial Officer.

                      October 2010

                    • AU-1.2.10

                      Where a licensee is in doubt as to whether a function should be considered a controlled function it must discuss the case with the CBB.

                      October 2010

              • AU-2 AU-2 Licensing Conditions

                • AU-2.1 AU-2.1 Condition 1: Legal Status

                  • AU-2.1.1

                    The legal status of a licensee must be:

                    (i) A Bahraini joint stock company (B.S.C.); or
                    (ii) A Bahraini company with limited liability (W.L.L.) and licensed to conduct money changer business prior to 1st October 2012.
                    Amended: October 2012
                    October 2010

                  • AU-2.1.2

                    For those licensees that do not meet the requirements of Rule AU-2.1.1, they should discuss their legal status with the CBB.

                    October 2010

                • AU-2.2 AU-2.2 Condition 2: Mind and Management

                  • AU-2.2.1

                    Licensees with their Registered Office in the Kingdom of Bahrain must maintain their Head Office in the Kingdom and must conduct their business from their Head Office and approved branches only.

                    October 2010

                  • AU-2.2.2

                    In assessing the location of a licensee's Head Office, the CBB will take into account the residency of its Directors and senior management. The CBB requires the majority of key decision makers in executive management — including the Chief Executive - to be resident in Bahrain.

                    October 2010

                • AU-2.3 AU-2.3 Condition 3: Controllers

                  • AU-2.3.1

                    Licensees must satisfy the CBB that their controllers are suitable and pose no undue risks to the licensee.

                    October 2010

                • AU-2.4 AU-2.4 Condition 4: Board and Employees

                  • AU-2.4.1

                    As per Article 65(a) of the CBB law, those nominated to carry out controlled functions must satisfy CBB's approved person's requirements.

                    October 2010

                  • AU-2.4.2

                    The definition of controlled functions is contained in Paragraph AU-1.2, whilst Chapter AU-3 sets out CBB's approved persons requirements. Applications for approved person status must be submitted using the prescribed approved persons form.

                    October 2010

                  • AU-2.4.3

                    The licensee's staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of the licensee in a sound and prudent manner. Licensees must ensure their employees meet any training and competency requirements specified by the CBB.

                    October 2010

                  • AU-2.4.4

                    The CBB's training and competency requirements are contained in Module TC (Training and Competency).

                    October 2010

                • AU-2.5 AU-2.5 Condition 5: Financial Resources

                  • AU-2.5.1

                    Licensees must maintain a level of financial resources, as agreed with the CBB, adequate for the level of business proposed. The level of financial resources held must exceed at all times the minimum requirements contained in Module CA (Capital Adequacy), as specified for the license held.

                    October 2010

                • AU-2.6 AU-2.6 Condition 6: Systems and Controls

                  • AU-2.6.1

                    Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate for the scale and complexity of their activities. These systems and controls must meet the minimum requirements contained in Modules HC (High-level Controls) and RM (Risk Management), as specified for the license held.

                    October 2010

                  • AU-2.6.2

                    Licensees must maintain adequate segregation of responsibilities in their staffing arrangements, to protect against the misuse of systems or errors. Such segregation should ensure that no single individual has control over all stages of a transaction.

                    October 2010

                  • AU-2.6.3

                    Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate to address the risks of financial crime occurring in the licensee. These systems and controls must meet the minimum requirements contained in Module FC (Financial Crime), as specified for the license held.

                    October 2010

                  • AU-2.6.4

                    As part of the licensing approval process, applicants must demonstrate in their business plan (together with any supporting documentation) what risks their business would be subject to and how they would manage those risks. Applicants may also be asked to provide an independent assessment of the appropriateness of their systems and controls to the CBB.

                    October 2010

                • AU-2.7 AU-2.7 Condition 7: External Auditors

                  • AU-2.7.1

                    As per Article 61 of the CBB Law, licensees must appoint external auditors, subject to prior CBB approval. The minimum requirements regarding auditors contained in Module AA (Auditors and Accounting Standards) must be met.

                    October 2010

                  • AU-2.7.2

                    Applicants must submit details of their proposed external auditor to the CBB as part of their license application.

                    October 2010

                • AU-2.8 AU-2.8 Condition 8: Other Requirements

                  • Books and Records

                    • AU-2.8.1

                      Licensees must maintain comprehensive books of accounts and other records, which must be available for inspection within the Kingdom of Bahrain by the CBB, or persons appointed by the CBB, at any time. Licensees must comply with the minimum record-keeping requirements contained in Module GR. Books of accounts must comply with IFRS standards.

                      October 2010

                  • Provision of Information

                    • AU-2.8.2

                      Licensees must act in an open and cooperative manner with the CBB. Licensees must meet the regulatory reporting and public disclosure requirements contained in Modules BR and PD respectively.

                      October 2010

                  • General Conduct

                    • AU-2.8.3

                      Licensees must conduct their activities in a professional and orderly manner, in keeping with good market practice standards. Licensees must comply with the general standards of business conduct contained in Module PB, as well as the standards relating to treatment of customers contained in Module BC.

                      October 2010

                  • License Fees

                    • AU-2.8.4

                      Licensees must comply with any license fee requirements applied by the CBB.

                      October 2010

                    • AU-2.8.5

                      License fee requirements are contained in Chapter AU-5.

                      October 2010

                  • Additional Conditions

                    • AU-2.8.6

                      Licensees must comply with any other specific requirements or restrictions imposed by the CBB on the scope of their license.

                      October 2010

                    • AU-2.8.7

                      When granting a license, the CBB specifies the regulated services that the licensee may undertake. Licensees must respect the scope of their license.

                      October 2010

                    • AU-2.8.8

                      In addition, the CBB may vary existing requirements or impose additional restrictions or requirements, beyond those already specified in Volume 5 (Specialised Licensees), to address specific risks.

                      October 2010

              • AU-3 AU-3 Approved Persons Conditions

                • AU-3.1 AU-3.1 Condition 1: 'Fit and Proper'

                  • AU-3.1.1

                    Licensees seeking an approved person authorisation for an individual, must satisfy the CBB that the individual concerned is 'fit and proper' to undertake the controlled function in question.

                    October 2010

                  • AU-3.1.2

                    The authorisation requirement for persons nominated to carry out controlled functions is contained in Section AU-1.2. The authorisation process is described in Section AU-4.3.

                    October 2010

                  • AU-3.1.3

                    Each applicant applying for approved person status and those individuals occupying approved person positions must comply with the following conditions:

                    (a) Has not previously been convicted of any felony or crime that relates to his/her honesty and/or integrity unless he/she has subsequently been restored to good standing;
                    (b) Has not been the subject of any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud;
                    (c) Has not been adjudged bankrupt by a court unless a period of 10 years has passed, during which the person has been able to meet all his/her obligations and has achieved economic accomplishments;
                    (d) Has not been disqualified by a court, regulator or other competent body, as a director or as a manager of a corporation;
                    (e) Has not failed to satisfy a judgement debt under a court order resulting from a business relationship;
                    (f) Must have personal integrity, good conduct and reputation;
                    (g) Has appropriate professional and other qualifications for the controlled function in question; and
                    (h) Has sufficient experience to perform the duties of the controlled function.
                    Amended: January 2016
                    October 2010

                  • AU-3.1.4

                    In assessing the conditions prescribed in Rule AU-3.1.3, the CBB will take into account the criteria contained in Paragraph AU-3.1.5. The CBB reviews each application on a case-by-case basis, taking into account all relevant circumstances. A person may be considered 'fit and proper' to undertake one type of controlled function but not another, depending on the function's job size and required levels of experience and expertise. Similarly, a person approved to undertake a controlled function in one licensee may not be considered to have sufficient expertise and experience to undertake nominally the same controlled function but in a much bigger licensee.

                    Amended: January 2016
                    October 2010

                  • AU-3.1.5

                    In assessing a person's fitness and propriety, the CBB will also consider previous professional and personal conduct (in Bahrain or elsewhere) including, but not limited to, the following:

                    (a) The propriety of a person's conduct, whether or not such conduct resulted in a criminal offence being committed, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
                    (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
                    (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
                    (d) Whether the person, or any body corporate, partnership or unincorporated institution to which the applicant has, or has been associated with as a director, controller, manager or company secretary been the subject of any disciplinary proceeding, investigation or fines by any government authority, regulatory agency or professional body or association;
                    (e) The contravention of any financial services legislation;
                    (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
                    (g) Dismissal or a request to resign from any office or employment;
                    (h) Whether the person has been a Director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners have been declared bankrupt whilst the person was connected with that partnership;
                    (i) The extent to which the person has been truthful and open with supervisors; and
                    (j) Whether the person has ever entered into any arrangement with creditors in relation to the inability to pay due debts.
                    Added: January 2016

                  • AU-3.1.6

                    With respect to Paragraph AU-3.1.5, the CBB will take into account the length of time since any such event occurred, as well as the seriousness of the matter in question.

                    Added: January 2016

                  • AU-3.1.7

                    Approved persons undertaking a controlled function must act prudently, and with honesty, integrity, care, skill and due diligence in the performance of their duties. They must avoid conflicts of interest arising whilst undertaking a controlled function.

                    Amended: January 2016
                    October 2010

                  • AU-3.1.8

                    In determining where there may be a conflict of interest arising, factors that may be considered will include whether:

                    (a) A person has breached any fiduciary obligations to the company or terms of employment;
                    (b) A person has undertaken actions that would be difficult to defend, when looked at objectively, as being in the interest of the licensee; and
                    (c) A person has failed to declare a personal interest that has a material impact in terms of the person's relationship with the licensee.
                    Amended: January 2016
                    October 2010

                  • AU-3.1.9

                    Further guidance on the process for assessing a person s fit and proper status is given in Module EN (Enforcement): see Chapter EN-8.

                    Added: January 2016

                • AU-3.2 AU-3.2 [This Section was deleted in January 2016]

                  Deleted: January 2016

                  • AU-3.2.1

                    [This Paragraph was deleted in January 2016.]

                    Deleted: January 2016
                    October 2010

                  • AU-3.2.2

                    [This Paragraph was deleted in January 2016.]

                    Deleted: January 2016
                    October 2010

                  • AU-3.2.3

                    [This Paragraph was moved to Paragraph AU-3.1.9 in January 2016.]

                    Amended: January 2016
                    October 2010

              • AU-4 AU-4 Information Requirements and Processes

                • AU-4.1 AU-4.1 Licensing

                  • Application Form and Documents

                    • AU-4.1.1

                      Applicants for a license must fill in the Application Form 1 (Application for a License) online, available on the CBB website under E-services/online Forms. The applicant must upload scanned copies of supporting documents listed in Rule AU-4.1.4, unless otherwise directed by the CBB.

                      Amended: July 2019
                      Amended: April 2018
                      October 2010

                    • AU-4.1.2

                      Articles 44 to 47 of the CBB Law govern the licensing process. This prescribes a single stage process, with the CBB required to take a decision within 60 calendar days of an application being deemed complete (i.e. containing all required information and documents). See below, for further details on the licensing process and time-lines.

                      October 2010

                    • AU-4.1.3

                      References to applicant mean the proposed licensee seeking authorisation. An applicant may appoint a representative — such as a law firm or professional consultancy — to prepare and submit the application. However, the applicant retains full responsibility for the accuracy and completeness of the application, and is required to certify the application form accordingly. The CBB also expects to be able to liaise directly with the applicant during the authorisation process, when seeking clarification of any issues.

                      October 2010

                    • AU-4.1.4

                      Unless otherwise directed by the CBB, the following documents must be provided in support of a Form 1:

                      (a) A duly completed Form 2 (Application for Authorisation of Controller) for each controller of the proposed licensee (refer to Chapter GR-5 for detailed requirements on controllers);
                      (b) A duly completed Form 3 (Application for Approved Person status), for each individual proposed to undertake controlled functions (as defined in Rule AU-1.2.2 ) in the proposed licensee;
                      (c) A comprehensive business plan for the application, addressing the matters described in AU-4.1.6;
                      (d) Where the applicant is an existing Bahraini company, a copy of the applicant's commercial registration certificate;
                      (e) A certified copy of a Board resolution of the applicant, confirming its decision to seek a CBB money changer license;
                      (f) In the case of applicants that are part of a group, copies of the audited financial statements of the applicant's group, for the three years immediately prior to the date of application;
                      (g) In the case of applicants not falling under (f) above, copies of the audited financial statements of the applicant's major shareholder (where a legal person), for the three years immediately prior to the date of application;
                      (h) In the case of applicants seeking to raise part of their capital through a private placement, a draft of the relevant private placement memorandum, together with a formal, independent legal opinion that the memorandum comply with all applicable capital markets laws and regulations; and
                      (i) A copy of the applicant's memorandum and articles of association (in draft form for applicants creating a new company) addressing the matters described in AU-4.1.8.
                      Amended: April 2011
                      Amended: January 2011
                      October 2010

                    • AU-4.1.5

                      The CBB may require that an acceptably worded letter of guarantee be provided in support of the application for a license. Where the application for the license is for an incorporated entity, the CBB may seek a letter of guarantee from the major shareholder in control of the licensee.

                      October 2010

                    • AU-4.1.6

                      The business plan submitted in support of an application must explain:

                      (a) An outline of the history of the applicant and its shareholders;
                      (b) The reasons for applying for a license, including the applicant's strategy and market objectives;
                      (c) The proposed Board and senior management of the applicant and the proposed organisational structure of the applicant;
                      (d) An assessment of the risks that may be faced by the applicant, together with the proposed systems and controls framework to be put in place for addressing those risks and to be used for the main business functions; and
                      (e) An opening balance sheet for the applicant, together with a three-year financial projection, with all assumptions clearly outlined, demonstrating that the applicant will be able to meet applicable capital adequacy requirements.
                      October 2010

                    • AU-4.1.7

                      In the case of applicants seeking to raise capital (refer to AU-4.1.4(h)), the CBB's review is aimed at checking that the proposed private placement complies with applicable capital markets laws and regulations, and that the information contained in the private placement memorandum ('PPM') is consistent with the information provided in the license application. The CBB's review does not in any way constitute an approval or endorsement as to any claims made in the PPM regarding the future value of the company concerned. Note also that the CBB will not license applicants without a core group of sponsoring shareholders (who can demonstrate a strong business track record with relevant expertise), and where failure of the private placement to raise its targeted amount would leave the institution unable to comply with the CBB's minimum capital requirements. The CBB will normally expect core shareholders to account for at least 40% of the applicant's initial proposed total capital.

                      October 2010

                    • AU-4.1.8

                      The applicant's memorandum and articles of association must explicitly provide for it to undertake the activities proposed in the license application, and must preclude the applicant from undertaking other regulated services, or commercial activities.

                      October 2010

                    • AU-4.1.9

                      All documentation provided to the CBB as part of an application for a license must be in either the Arabic or English languages. Any documentation in a language other than English or Arabic must be accompanied by a certified English or Arabic translation thereof.

                      October 2010

                    • AU-4.1.10

                      Any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs prior to authorisation must be reported to the CBB.

                      October 2010

                    • AU-4.1.11

                      Failure to inform the CBB of the changes specified in Rule AU-4.1.10 is likely to be viewed as a failure to provide full and open disclosure of information, and thus a failure to meet licensing condition Rule AU-2.8.2.

                      October 2010

                    • AU-4.1.12

                      Before the final approval is granted to a licensee, confirmation from a retail bank addressed to the CBB that the licensee's capital (injected funds) — as specified in the business plan submitted under Rule AU-4.1.4 — has been paid in, must be provided to the CBB.

                      October 2010

                  • Licensing Process and Timelines

                    • AU-4.1.13

                      By law, the 60 day time limit referred to in Paragraph AU-4.1.2 only applies once the application is complete and all required information (which may include any clarifications requested by the CBB) and documents have been provided. This means that all the items specified in Rule AU-4.1.4 have to be provided, before the CBB may issue a license.

                      October 2010

                    • AU-4.1.14

                      The CBB recognises, however, that applicants may find it difficult to secure suitable senior management (refer AU-4.1.4(b) above) in the absence of preliminary assurances regarding the likelihood of obtaining a license.

                      October 2010

                    • AU-4.1.15

                      Therefore, applicants may first submit an unsigned Form 1 in draft, together with as many as possible of the items specified in Rule AU-4.1.4. This draft application should contain at least items AU-4.1.4(a); AU-4.1.4(b), with respect to proposed Directors (but not necessarily senior management); AU-4.1.4(c); AU-4.1.4(d); and AU-4.1.4(f) to AU-4.1.4(i) inclusive.

                      Amended: January 2011
                      October 2010

                    • AU-4.1.16

                      On the basis of the information specified in Paragraph AU-4.1.15, the CBB may provide an initial 'in principle' confirmation that the applicant appears likely to meet the CBB's licensing requirements, subject to the remaining information and documents being assessed as satisfactory. The 'in principle' confirmation will also list all outstanding documents required before an application can be considered complete and subject to formal consideration.

                      October 2010

                    • AU-4.1.17

                      An 'in principle' confirmation does not constitute a license approval, nor does it commit the CBB to issuing a license. However, it provides sufficient assurance for an applicant to complete certain practical steps, such as securing suitable executive staff that satisfy CBB's 'fit and proper' requirements. Once this has been done, the applicant may finalise its application, by submitting the remaining documents required under Rule AU-4.1.4 and, once assessed as complete by the CBB, a signed and dated final version of Form 1. However, a Bahrain company proposing to undertake financial services activities would not be able to obtain a commercial registration from the Ministry of Industry and Commerce unless they receive the final approval from the CBB.

                      October 2010

                    • AU-4.1.18

                      Regardless of whether an applicant submits a draft application or not, all potential applicants are strongly encouraged to contact the CBB at an early stage to discuss their plans and associated requirements. The Licensing Directorate would normally expect to hold at least one pre-application meeting with an applicant, prior to receiving an application (either in draft or in final form).

                      Amended: April 2018
                      October 2010

                    • AU-4.1.19

                      Potential applicants should initiate pre-application meetings in writing, setting out a short summary of their proposed business and any issues or questions that they may have already identified, once they have a clear business proposition in mind and have undertaken their preliminary research. The CBB can then guide the applicant on the specific areas in the Rulebook that will apply to them and the relevant requirements that they must address in their application.

                      October 2010

                    • AU-4.1.20

                      At no point should an applicant hold themselves out as having been licensed by the CBB, prior to receiving formal written notification of the fact in accordance with Rule AU-4.1.21 below. Failure to do so may constitute grounds for refusing an application and result in a contravention of Articles 40 and 41 of the CBB Law (which carries a maximum penalty of BD 1 million).

                      October 2010

                  • Granting or Refusal of License

                    • AU-4.1.21

                      To be granted a license, an applicant should demonstrate compliance with the applicable requirements of the CBB Law and this Module. Should a license be granted, the CBB will notify the applicant in writing of the fact; the CBB will also publish its decision to grant a license in the Official Gazette and in two local newspapers (one published in Arabic, the other in English). The license may be subject to such terms and conditions as the CBB deems necessary for the additional conditions being met.

                      Amended: October 2019
                      October 2010

                    • AU-4.1.22

                      The CBB may refuse to grant a license if in its opinion:

                      (a) The requirements of the CBB Law or this Module are not met;
                      (b) False or misleading information has been provided to the CBB, or information which should have been provided to the CBB has not been so provided; or
                      (c) The CBB believes it necessary in order to safeguard the interests of potential customers.
                      Amended: October 2019
                      October 2010

                    • AU-4.1.23

                      Where the CBB proposes to refuse an application for a license, it will give the applicant written notice to that effect. Applicants will be given a minimum of 30 calendar days from the date of the written notice to appeal the decision, as per the appeal procedures specified in the notice; these procedures will comply with the provisions contained in Article 46 of the CBB Law.

                      Amended: October 2019
                      October 2010

                  • Starting Operations

                    • AU-4.1.24

                      Within 6 months of the license being issued, the new licensee must provide to the CBB (if not previously submitted):

                      (a) The registered office address and details of premises to be used to carry out the business of the proposed licensee;
                      (b) The address in the Kingdom of Bahrain where full business records will be kept;
                      (c) The licensee's contact details including telephone and fax number, e-mail address and website;
                      (d) A copy of its business continuity plan;
                      (e) A description of the IT system that will be used, including details of how IT systems and other records will be backed up;
                      (f) A copy of the auditor's acceptance to act as auditor for the applicant;
                      (g) A copy of an auditor's opinion certifying that the licensee's capital — as specified in the business plan submitted under Rule AU-4.1.4 — has been paid in;
                      (h) A copy of the licensee's professional indemnity insurance policy (see Section GR-7.1);
                      (i) A copy of the applicant's notarized memorandum and articles of association, addressing the matters described in Paragraph AU-4.1.8;
                      (j) A copy of the Ministry of Industry and Commerce commercial registration certificate in Arabic and in English;
                      (k) A copy of the licensee's business card and any written communication (including stationery, website, e-mail, business documentation, etc.) including a statement that the money changer is licensed by the CBB; and
                      (l) Any other information as may be specified by the CBB.

                    • AU-4.1.25

                      New licensees must start their operations within 6 months of being granted a license by the CBB, failing which the CBB may cancel the license, as per the powers and procedures set out in Article 48 of the CBB Law.

                    • AU-4.1.26

                      The procedures for cancelling licenses are contained in Section AU-4.4.

                • AU-4.2 AU-4.2 Authorisation of a Branch or Subsidiary

                  • AU-4.2.1

                    Licensees may open branches in the Kingdom of Bahrain after obtaining the CBB's prior written approval. Licensees are prohibited from opening branches in foreign jurisdictions but may open subsidiaries in such jurisdictions with the CBB prior approval.

                    Amended: April 2011
                    October 2010

                  • Authorisation of a Branch

                    • AU-4.2.2

                      Unless otherwise directed by the CBB, the following documents must be provided to the CBB in support of an application to open a branch:

                      (a) A business plan explaining:
                      1) The reasons for applying for a branch, including the applicant's strategy and market objectives; and
                      2) A minimum of three-year financial projection, with all assumptions clearly outlined, demonstrating that the branch will be able to meet all liabilities and obligations;
                      (b) The location of the proposed branch, including the full address;
                      (c) A confirmation that the branch will comply with the minimum security measures for money changer licensees as specified in Section GR-9.1;
                      (d) Confirmation from the external auditor that the licensee's capital adequacy is sufficient to support the operation of the branch, in addition to other existing branches (if applicable), at the time of filing the request; and
                      (e) Confirmation from the external auditor that additional capital requirement of BD30,000 (refer to Section CA-1.4), has been deposited in the licensee's bank account.
                      Amended: April 2011
                      October 2010

                  • Starting Operations of a Branch

                    • AU-4.2.3

                      Licensees should submit to the CBB confirmation that the authorised branch has commenced operations within 6 months of the authorisation letter.

                      Amended: April 2011
                      October 2010

                    • AU-4.2.4

                      An application for authorisation of a new branch will not be considered by the CBB unless the written confirmation that the preceding branch is operational, as required in Rule AU-4.2.3 above, has been submitted.

                      October 2010

                  • Authorisation of a Subsidiary

                    • AU-4.2.5

                      Licensees wishing to establish or acquire a new subsidiary undertaking must submit to the CBB the following information as part of their request:

                      (a) Proposed name of subsidiary;
                      (b) Country of incorporation;
                      (c) Legal structure;
                      (d) Proposed issued capital;
                      (e) Proposed shareholding structure;
                      (f) Purpose of establishing or acquiring the subsidiary;
                      (g) Draft incorporation documents of the subsidiary;
                      (h) Board resolution approving the establishment or acquisition of the subsidiary; and
                      (i) Any other information or documentation requested by the CBB.
                      Added: April 2011

                    • AU-4.2.6

                      Licensees should ensure adherence with Rules contained in Chapter CA-1 and in particular with the leverage and liquidity requirements contained in Section CA-1.5 when considering the impact of a subsidiary on capital requirements.

                      Added: April 2011

                • AU-4.3 AU-4.3 Approved Persons

                  • Prior Approval Requirements and Process

                    • AU-4.3.1

                      Licensees must obtain CBB's prior written approval before a person is formally appointed to a controlled function. The request for CBB approval must be made by submitting to the CBB a duly completed Form 3 (Application for Approved Person status) and Curriculum Vitae after verifying that all the information contained in the Form 3, including previous experience, is accurate. Form 3 is available under Volume 5 Part B Authorisation Forms of the CBB Rulebook.

                      Amended: January 2016
                      Amended: July 2015
                      October 2010

                    • AU-4.3.2

                      When the request for approved person status forms part of a license application, the Form 3 must be marked for the attention of the Director, Licensing Directorate. When the submission to undertake a controlled function is in relation to an existing licensee, the Form 3, except if dealing with a MLRO, must be marked for the attention of the Director, Financial Institutions Supervision Directorate. In the case of the MLRO, Form 3 should be marked for the attention of the Director, Compliance Directorate.

                      Amended: April 2018
                      October 2010

                    • AU-4.3.3

                      When submitting Form 3, licensees must ensure that the Form 3 is:

                      (a) Submitted to the CBB with a covering letter signed by an authorised representative of the licensee, seeking approval for the proposed controlled function;
                      (b) Submitted in original form;
                      (c) Submitted with a certified copy of the applicant's passport, original or certified copies of educational and professional qualification certificates (and translation if not in Arabic or English) and the Curriculum Vitae; and
                      (d) Signed by an authorised representative of the licensee and all pages stamped with the licensee's seal.
                      Amended: July 2015
                      October 2010

                    • AU-4.3.3A

                      Licensees seeking to appoint Board Directors must seek CBB approval for all the candidates to be put forward for election/approval at a shareholders' meeting, in advance of the agenda being issued to shareholders. CBB approval of the candidates does not in any way limit shareholders' rights to refuse those put forward for election/approval.

                      Added: July 2015

                    • AU-4.3.4

                      For existing licensees applying for the appointment of a Director or the Chief Executive/General Manager, the authorised representative should be the Chairman of the Board or a Director signing on behalf of the Board. For all other controlled functions, the authorised representative should be a Director or the Chief Executive/General Manager.

                      October 2010

                    • AU-4.3.5

                      [This Paragraph was deleted in July 2015.]

                      Deleted: July 2015
                      October 2010

                    • AU-4.3.6

                      [This Paragraph was moved to AU-4.3.3A in July 2015.]

                      Amended: July 2015
                      October 2010

                  • Assessment of Application

                    • AU-4.3.6A

                      The CBB shall review and assess the application for approved person status to ensure that it satisfies all the conditions required in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.3.6B

                      For purposes of Paragraph AU-4.3.6A, licensees should give the CBB a reasonable amount of notice in order for an application to be reviewed. The CBB shall respond within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, as well as verifying references.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.3.6C

                      The CBB reserves the right to refuse an application for approved person status if it does not satisfy the conditions provided for in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5. A notice of such refusal is issued by registered mail to the licensee concerned, setting out the basis for the decision.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.3.7

                      [This Paragraph was deleted in January 2016.]

                      Deleted: January 2016
                      Amended: July 2015
                      October 2010

                  • Appeal Process

                    • AU-4.3.7A

                      Licensees or the nominated approved persons may, within 30 calendar days of the notification, appeal against the CBB's decision to refuse the application for approved person status. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from submitting the appeal.

                    • AU-4.3.7B

                      Where notification of the CBB's decision to grant a person approved person status is not issued within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, licensees or the nominated approved persons may appeal to the the Executive Director, Financial Institutions Supervision of the CBB provided that the appeal is justified with supporting documents. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from the date of submitting the appeal.

                      Amended: January 2016
                      Added: July 2015

                  • Notification Requirements and Process

                    • AU-4.3.8AA

                      Licensees must immediately notify the CBB when an approved person ceases to hold a controlled function together with an explanation as to the reasons why (see Paragraph AU-4.4.6). In such cases, their approved person status is automatically withdrawn by the CBB.

                      Amended: October 2018
                      Amended: July 2015
                      Added: July 2011

                    • AU-4.3.8

                      Licensees must immediately notify the CBB in case of any material change to the information provided in a Form 3 submitted for an approved person.

                      October 2010

                    • AU-4.3.9

                      Licensees must immediately notify the CBB when they become aware of any of the events listed in Paragraph EN-8.2.3, affecting one of their approved persons.

                      October 2010

                    • AU-4.3.9A

                      Licensees must immediately notify the CBB should they become aware of information that could reasonably be viewed as calling into question an approved person’s compliance with CBB’s ‘fit and proper’ requirement (see AU3.1).

                      Added: January 2021

                  • Change in Controlled Function

                    • AU-4.3.10

                      Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee.

                      October 2010

                    • AU-4.3.11

                      In such instances, a new Form 3 (Application for Approved Person status) should be completed and submitted to the CBB. Note that a person may be considered 'fit and proper' for one controlled function, but not for another, if for instance the new role requires a different set of skills and experience. Where an approved person is moving to a controlled function at another licensee, the first licensee should notify the CBB of that person's departure (see Rule AU-4.4.6), and the new licensee should submit a request for approval under Rule AU-1.2.1.

                      October 2010

                • AU-4.4 AU-4.4 Cancellation of Authorisation

                  • Voluntary Surrender of a License or Closure of Branch

                    • AU-4.4.1

                      In accordance with Article 50 of the CBB Law, licensees wishing to cancel their license or cease activities for a branch, must obtain the CBB's written approval, before ceasing their activities. All such requests must be made in writing to the Director, Financial Institutions Supervision, setting out in full the reasons for the request and how the business is to be wound up.

                      Amended: April 2012
                      October 2010

                    • AU-4.4.2

                      Licensees must satisfy the CBB that their customers' interests are to be safeguarded during and after the proposed cancellation. The requirements contained in Chapter GR-6 regarding cessation of business must be satisfied.

                      October 2010

                    • AU-4.4.3

                      Failure to comply with Rule AU-4.4.1 may constitute a breach of Article 50(a) of the CBB Law. The CBB will only approve such a request where it has no outstanding regulatory concerns and any relevant customer interests would not be prejudiced. A voluntary surrender of a license will not be accepted where it is aimed at preempting supervisory actions by the CBB. A voluntary surrender will only be allowed to take effect once the licensee, in the opinion of the CBB, has discharged all its regulatory responsibilities to customers.

                      October 2010

                  • Cancellation of a License by the CBB

                    • AU-4.4.4

                      As provided for under Article 48(c) of the CBB Law, the CBB may itself move to cancel a license, for instance if a licensee fails to satisfy any of its existing license conditions or protecting the legitimate interests of customers or creditors of the licensee require a cancellation. The CBB generally views the cancellation of a license as appropriate only in the most serious of circumstances, and generally tries to address supervisory concerns through other means beforehand. See also Chapter EN-7, regarding the cancellation or amendment of licenses, including the procedures used in such instances and the licensee's right to appeal the formal notice of cancellation issued by the CBB.

                      Amended: April 2012
                      October 2010

                    • AU-4.4.4A

                      Cancellation of a license requires the CBB to issue a formal notice of cancellation to the licensee concerned. The notice of cancellation describes the CBB's rationale for the proposed cancellation, as specified in Article 48(d) of the CBB Law.

                      Amended: January 2013
                      Added: April 2012

                    • AU-4.4.4B

                      Where the cancellation of a license has been confirmed by the CBB, the CBB will only effect the cancellation once a licensee has discharged all its regulatory responsibilities to clients. Until such time, the CBB will retain all its regulatory powers towards the licensee and will direct the licensee so that no new regulated money changer services may be undertaken whilst the licensee discharges its obligations to its clients.

                      Added: April 2012

                    • AU-4.4.5

                      Licensees wishing to cancel an authorisation for a branch must obtain the CBB's written approval, before ceasing the activities of the branch.

                      October 2010

                  • Cancellation of Approved Person Status

                    • AU-4.4.6

                      In accordance with Paragraphs AU-4.3.8AA and BR-2.2.11, licensees must promptly notify the CBB in writing when a person undertaking a controlled function will no longer be carrying out that function. If a controlled function falls vacant, the licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the licensee must make immediate interim arrangements to ensure continuity of the duties and responsibilities of the controlled function affected, provided that such arrangements do not pose a conflict of duties. These interim arrangements must be approved by the CBB.

                      Amended: October 2018
                      Amended: July 2015
                      Amended: July 2011
                      October 2010

                    • AU-4.4.7

                      The explanation given for any such changes should simply identify if the planned move was prompted by any concerns over the person concerned, or is due to a routine staff change, retirement or similar reason.

                      October 2010

                    • AU-4.4.8

                      The CBB may also move to declare someone as not 'fit and proper', in response to significant compliance failures or other improper behaviour by that person: see Chapter EN-8 regarding the cancellation of 'fit and proper' approval.

                      October 2010

                • AU-4.5 AU-4.5 Publication of the Decision to Grant, Cancel or Amend a License

                  • AU-4.5.1

                    In accordance with Articles 47 and 49 of the CBB Law, the CBB will publish its decision to grant, cancel or amend a license in the Official Gazette and in two local newspapers, one in Arabic and the other in English.

                    Amended: October 2019
                    Added: July 2017

                  • AU-4.5.2

                    For the purposes of Paragraph AU-4.5.1, the cost of publication must be borne by the Licensee.

                    Added: July 2017

                  • AU-4.5.3

                    The CBB may also publish its decision on such cancellation or amendment using any other means it considers appropriate, including electronic means.

                    Added: July 2017

              • AU-5 AU-5 License Fees

                • AU-5.1 AU-5.1 License Application Fees

                  • AU-5.1.1

                    Applicants seeking a Money Changer license from the CBB must pay a non-refundable license application fee of BD 100 at the time of submitting their formal application to the CBB.

                    October 2010

                  • AU-5.1.2

                    There are no application fees for those seeking approved person status.

                    October 2010

                • AU-5.2 AU-5.2 Annual License Fees

                  • AU-5.2.1

                    Licensees must pay the relevant annual license fee to the CBB, on 1st December of the preceding year for which the fee is due.

                    Amended: July 2013
                    October 2010

                  • AU-5.2.2

                    The relevant fees are specified in Rule AU-5.2.3 below. The fees due on 1st December are those due for the following calendar year, but are calculated on the basis of the firm's latest audited financial statements for the previous calendar year: i.e. the fee payable on 1st December 2013 for the 2014 year (for example), is calculated using the audited financial statements for 2012, assuming a 31st December year end. Where a licensee does not operate its accounts on a calendar-year basis, then the most recent audited financial statements available are used instead.

                    Amended: July 2013
                    October 2010

                  • AU-5.2.3

                    The variable annual license fee payable by licensees is 0.25% of their relevant operating expenses, subject to a minimum ('floor') of BD 300 and a maximum ('cap') of BD 6,000.

                    Amended: July 2013
                    October 2010

                  • AU-5.2.4

                    Relevant operating expenses are defined as the total operating expenses of the licensee concerned, as recorded in the most recent audited financial statements available, subject to the adjustments specified in Rule AU-5.2.5.

                    October 2010

                  • AU-5.2.5

                    The adjustments to be made to relevant operating expenses are the exclusion of the following items from total operating expenses:

                    (a) Training costs;
                    (b) Charitable donations;
                    (c) CBB fees paid; and
                    (d) Non-executive Directors' remuneration.
                    October 2010

                  • AU-5.2.6

                    For the avoidance of doubt, operating expenses for the purposes of this Section, do not include items such as depreciation, provisions, interest expense, and dividends.

                    October 2010

                  • AU-5.2.7

                    The CBB would normally rely on the audited accounts of a licensee as representing a true and fair picture of its operating expenses. However, the CBB reserves the right to enquire about the accounting treatment of expenses, and/or policies on intra-group charging, if it believes that these are being used artificially to reduce a license fee.

                    October 2010

                  • AU-5.2.8

                    Licensees must complete and submit Form ALF (Annual License Fee) to the CBB, no later than 15th October of the preceding year for which the fees are due.

                    Amended: July 2013
                    October 2010

                  • AU-5.2.8A

                    All licensees are subject to direct debit for the payment of the annual fee and must complete and submit to the CBB a Direct Debit Authorisation Form by 15th September available under Part B of Volume 5 (Specialised Licensees) CBB Rulebook on the CBB Website.

                    Added: July 2013

                  • AU-5.2.9

                    For new licensees, the first annual license fee is payable when the license is issued by the CBB. The amount payable is the floor amount of BD 300.

                    October 2010

                  • AU-5.2.9A

                    For the first full year of operation for licensees, the licensee would calculate its fee as the floor amount. For future years, the licensee would submit a Form ALF by 15th October of the preceding year for which the fees are due and calculate its fee using its last audited financial statements (or alternative arrangements as agreed with CBB, should its first set of accounts cover an 18-month period).

                    Added: July 2013

                  • AU-5.2.10

                    Where a license is cancelled (whether at the initiative of the firm or the CBB), no refund is paid for any months remaining in the calendar year in question.

                    October 2010

                  • AU-5.2.11

                    Licensees failing to comply with this Section may be subject to financial penalties for date sensitive requirements as outlined in Section EN-5.3A or may have their licenses withdrawn by the CBB.

                    Added: July 2013

            • HC HC Money Changers High-Level Controls Module

              • HC-A HC-A Introduction

                • HC-A.1 HC-A.1 Purpose

                  • Executive Summary

                    • HC-A.1.1

                      This Module contains requirements that have to be met by licencees with respect to:

                      (a) The role and composition of their Boards and Board committees; and
                      (b) Related high-level controls and policies.
                      October 2010

                    • HC-A.1.2

                      These requirements specify minimum good practice standards, with regards to the function and responsibilities of Boards, their composition and size, and required standards of attendance and frequency of meetings. It also specifies basic requirements with respect to establishing policies and procedures that address the segregation of duties, internal audit and compliance arrangements, and the licensee's approach to remuneration and corporate ethics.

                      October 2010

                    • HC-A.1.3

                      This Module supplements various provisions relating to corporate governance contained in Legislative Decree No. 21 of 2001, with respect to promulgating the Commercial Companies Law ('Commercial Companies Law 2001'). In case of conflict, the Commercial Companies Law shall prevail. Compliance with this Module does not guarantee compliance with the Commercial Companies Law.

                      October 2010

                  • Legal Basis

                    • HC-A.1.4

                      This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) regarding High-level Control requirements applicable to licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regarding Money Changer licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

                      Amended: January 2011
                      October 2010

                    • HC-A.1.5

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

                      October 2010

                • HC-A.2 HC-A.2 Module History

                  • Evolution of the Module

                    • HC-A.2.1

                      This Module was first issued in October 2010. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    • HC-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      HC-A.1.4 01/2011 Clarified legal basis.
                      Module HC 04/2016 Module updated to be in line, where applicable, to other Volumes of the CBB Rulebook.
                      HC-2.3 and HC-2.4 07/2016 Clarified application of Rules for overseas licensees.
                      HC-1.1.5 01/2020 Amended Paragraph on policy and procedures approval.
                      HC-4.2 04/2020 Added a new Section on Standard for all Remuneration.
                      HC-4.2.1 04/2020 Added a new Paragraph on KPIs compliance with AML/CFT requirements.

                  • Superseded Requirements

                    • HC-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                      Document Ref. Document Subject
                      BSD/D(111)3179 Regarding nomination of Senior Liaison Officer.
                      BC/11/98 Appointment of Approved Persons
                      October 2010

                  • Monitoring and Enforcement of Module HC

                    • HC-A.2.4

                      Disclosure and transparency are underlying principles of Module HC. Disclosure is crucial to allow outside monitoring of functions effectively. This Module looks to a combined monitoring system relying on the Board, the money changer licensee's shareholders and the CBB.

                      April 2016

                    • HC-A.2.5

                      It is the Board's responsibility to see to the accuracy and completeness of the money changer licensee's corporate governance guidelines and compliance with Module HC. Failure to comply with this Module is subject to enforcement measures as outlined in Module EN (Enforcement).

                      April 2016

              • HC-B HC-B Scope of Application

                • HC-B.1 HC-B.1 Scope of Application

                  • HC-B.1.1

                    The content of this Module applies to all Money Changer licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

                    October 2010

              • HC-1 HC-1 The Board

                • HC-1.1 HC-1.1 Functions and Responsibilities

                  • General Requirements

                    • HC-1.1.1

                      Licensees must have a Board of Directors ('the Board').

                      Amended: April 2016
                      October 2010

                    • HC-1.1.1A

                      The directors are ultimately accountable and responsible both individually and collectively for performing these responsibilities and must have sufficient expertise as a Board to understand the important issues relating to operation and control of the licensee. Although the Board may delegate certain functions to committees or management, it may not delegate its ultimate responsibility to ensure that an adequate, effective, comprehensive and transparent corporate governance framework is in place. This statement must be clearly communicated to Board members and senior management.

                      April 2016

                    • HC-1.1.2

                      To discharge its responsibility effectively, a Board typically delegates various functions and tasks, for instance to Board sub-committees, management and other employees. When it delegates, the Board nonetheless retains ultimate responsibility for the performance of those functions and tasks.

                      October 2010

                    • HC-1.1.2A

                      The licensee should have a written appointment agreement with each director which recites the directors' powers and duties and other matters relating to his appointment including his term, the time commitment envisaged, the committee assignment if any, his remuneration and expense reimbursement entitlement, and his access to independent professional advice when that is needed.

                      April 2016

                  • Specific Requirements

                    • HC-1.1.3

                      The Board must establish and maintain a statement of its responsibilities, defining its functions and tasks and those delegated to Board sub-committees and senior management. This statement must be clearly communicated to Board members and senior management.

                      October 2010

                    • HC-1.1.4

                      For the purposes of HC-1.1.3, the CBB expects licensees to maintain detailed mandates for Boards and sub-committees. These mandates should be reviewed periodically by the Board. Depending on the size and complexity of the licensee concerned, the CBB also expects the Board to operate appropriate sub-committees.

                      Amended: April 2016
                      October 2010

                    • HC-1.1.5

                      The Board must approve and review at least annually the licensee's:

                      (a) Strategic plans;
                      (b) Management structure and responsibilities; and
                      (c) Systems and controls framework (including its policies).
                      Amended: January 2020
                      Added: October 2010

                    • HC-1.1.6

                      The Board must also regularly review:

                      (a) The licensee's implementation of its strategy and operational performance;
                      (b) The performance of its executive management; and
                      (c) The level of risk.
                      October 2010

                    • HC-1.1.7

                      The Board must set out clearly and review on a regular basis who has authority to commit the licensee to contractual obligations. The Board must set a materiality threshold so that contractual obligations above this set threshold are regularly reported to the Board. In setting the materiality threshold, the Board must consider the financial impact the contractual obligations may have in relation to its capital.

                      October 2010

                    • HC-1.1.8

                      The Board must must establish and disseminate to employees policies and processes for the identification, reporting and prevention or management of potential conflicts of interest, including matters such as:

                      (a) Related party transactions;
                      (b) The misuse of the licensee's assets; and
                      (c) The use of privileged information for personal advantage ('insider trading').
                      Amended: April 2016
                      October 2010

                    • HC-1.1.9

                      The Board and its members must act with honesty, integrity, due skill and care, and in the best interests of the licensee, its shareholders and customers.

                      October 2010

                    • HC-1.1.10

                      In assessing compliance with Paragraph HC-1.1.9, the CBB will take into account all actions of the Board and its members. The interest of the licensee includes the licensee's continued compliance with all relevant rules and regulations, and the interests of employees, customers and other stakeholders. The interest of shareholders includes the current and future value of the licensee, its status as a going concern, transparency and disclosure of information to the market.

                      October 2010

                    • HC-1.1.11

                      The Board must oversee the process of disclosure to all stakeholders. The Board must ensure that the licensee's communications are fair, transparent, comprehensive and timely.

                      October 2010

                    • HC-1.1.12

                      The CBB expects the Board to have effective policies and processes in place for:

                      (a) Approving and reviewing at least annually the overall business performance and strategy for the licensee;
                      (b) Causing financial statements to be prepared which accurately disclose the licensee's financial position;
                      (c) Ensuring a formal and transparent Board nomination process;
                      (d) Convening and preparing the agenda for shareholder meetings;
                      (e) Monitoring conflicts of interest and preventing abusive related party transactions;
                      (f) Appointing senior managers, after assessing that they have the necessary integrity, technical and managerial competence, and experience;
                      (g) Overseeing succession planning, and minimizing undue reliance on key individuals;
                      (d) Reviewing key senior management and Board remuneration packages and ensuring such packages are consistent with the corporate values and strategy of the licensee and encourage prudent risk taking;
                      (e) Monitoring and evaluating management's performance in implementing agreed strategy and business plans, and ensuring appropriate resources are available; and
                      (f) Approving budgets and reviewing performance against those budgets.
                      Amended: April 2016
                      October 2010

                    • HC-1.1.13

                      In assessing the systems and controls framework (see Paragraph HC-1.1.5), the CBB would expect the Board to be able to demonstrate that the licensee's operations, individually and collectively:

                      (a) Are measured, monitored and controlled by appropriate, effective and prudent risk management systems commensurate with the scope of the licensee's activities. These should pro-actively identify as well as monitor risk. The systems should produce information on a timely basis, and in a form and quality appropriate to the needs of the different recipients;
                      (b) Are supported by an appropriate control environment. The risk management and financial reporting functions must be independent of business lines and must be run by individuals not involved with the day-to-day running of the various business areas; and
                      (c) Make effective use of the work of internal and external auditors. The internal audit function should be independent of the senior management, reporting to the Board. The Board should ensure that the external audit firm and its partners are truly independent of the licensee and have no financial or other relationship with the licensee. Audit findings should be used as an independent check on the information received from management about the licensee's operations and performance and the effectiveness of internal controls.
                      Amended: April 2016
                      October 2010

                • HC-1.2 HC-1.2 Composition

                  • HC-1.2.1

                    The Memorandum and Articles of Association of licensees must adequately set out procedures for the appointment, removal and retirement of Directors.

                    October 2010

                  • HC-1.2.2

                    These should, amongst other things, include procedures for removing Directors in case of non-attendance or other failure to discharge properly their responsibilities as company Directors.

                    October 2010

                  • HC-1.2.2A

                    The Board should have a minimum of 3 members, as agreed with the CBB.

                    April 2016

                  • HC-1.2.3

                    To fulfil its responsibilities outlined in Section HC-1.1, the Board of licensees must periodically assess its composition and size and, where appropriate, reconstitute itself and its committees by selecting new Directors to replace long-standing members or those members whose contributions to the licensee or its committees is not adequate.

                    October 2010

                  • HC-1.2.4

                    The Board must ensure that collectively it has sufficient expertise to understand the important issues relating to the operation and control of its company.

                    October 2010

                  • HC-1.2.5

                    It is not expected that every Board member is proficient in all areas, but collectively the Board is expected to have the required expertise. There should also be agreed upon procedures by the Board for Directors to take independent advice if necessary at the licensee's expense. CBB also expects Board members to undertake relevant training on a regular basis to help them fulfill their responsibilities as Directors.

                    October 2010

                  • HC-1.2.6

                    The appointment of Board members is conditional on the approval of the CBB. (See Section AU-1.2).

                    October 2010

                  • HC-1.2.7

                    A Board member may have a maximum of two Directorships of financial institutions inside Bahrain. However, two Directorships of licensees within the same type of licensees would not be permitted. Licensees may approach the CBB for exemption from this limit where the Directorships concern financial institutions within the same group.

                    Amended: April 2016
                    October 2010

                  • HC-1.2.8

                    Unless otherwise agreed with the CBB, the chairman and/or deputy chairman must not be the same person as the CEO or general manager.

                    April 2016

                • HC-1.3 HC-1.3 Meetings and Attendance

                  • HC-1.3.1

                    The Board must meet sufficiently often to enable it to discharge its responsibilities effectively, taking into account the licensee's scale and complexity.

                    October 2010

                  • HC-1.3.2

                    The CBB expects that the scale and complexity of most licensees will require meetings to be held at least quarterly. For the larger, most complex licensees, more frequent Board meetings may be more appropriate.

                    October 2010

                  • HC-1.3.2A

                    The Board must meet frequently but in no event less than four times a year. All directors must attend the meetings whenever possible and the directors must maintain informal communication between meetings.

                    April 2016

                  • HC-1.3.2B

                    Individual board members must attend at least 75% of all Board meetings in a given financial year to enable the Board to discharge its responsibilities effectively (see table below). Voting and attendance proxies for board meetings are prohibited at all times.

                    Meetings per year 75% Attendance requirement
                    4 3
                    5 4
                    6 5
                    7 5
                    8 6
                    9 7
                    10 8
                    April 2016

                  • HC-1.3.2C

                    The absence of Board members at Board and committee meetings must be noted in the meeting minutes. In addition, Board attendance percentage must be reported during any general assembly meeting when Board members stand for re-election (e.g. Board member XYZ attended 95% of scheduled meetings this year).

                    April 2016

                  • HC-1.3.2D

                    In the event that a Board member has not attended at least 75% of Board meetings in any given financial year, the licensee must immediately notify the CBB indicating which member has failed to satisfy this requirement, his level of attendance and any mitigating circumstances affecting his non-attendance. The CBB shall then consider the matter and determine whether disciplinary action, including disqualification of that Board member pursuant to Article 65 of the CBB Law, is appropriate. Unless there are exceptional circumstances, it is likely that the CBB will take disciplinary action.

                    April 2016

                  • HC-1.3.2E

                    Board members are reminded that non attendance at board meetings does not absolve them of their responsibilities as directors. It is important that each individual director should allocate adequate time and effort to discharge his responsibilities. All Directors are expected to contribute actively to the work of the Board in order to discharge their responsibilities and should make every effort to attend board meetings where major issues are to be discussed. In instances where telephonic or videoconference meetings are held, licensees are encouraged to amend their Articles of Association to provide for such meetings. Participation in board meetings by means of video or telephone conferencing is regarded as attendance and may be recorded as such.

                    April 2016

                  • HC-1.3.3

                    Board rules must require members to step down if they are not actively participating in Board meetings.

                    October 2010

                  • HC-1.3.4

                    The CBB expects Board members who fail to attend at least three-quarters of all Board meetings in any twelve-month period to step down, unless the Board is able to satisfy the CBB that there are valid reasons for the Director concerned to remain a Board member.

                    October 2010

                  • HC-1.3.5

                    At least half the Board meetings of licensees in any twelve-month period must be held in the Kingdom of Bahrain.

                    October 2010

                  • HC-1.3.5A

                    The chairman must ensure that all directors receive an agenda, minutes of prior meetings, and adequate background information in writing before each Board meeting and when necessary between meetings. All directors must receive the same Board information. At the same time, directors have a legal duty to inform themselves and they must ensure that they receive adequate and timely information and must study it carefully.

                    April 2016

                  • HC-1.3.6

                    The Board must maintain adequate records of its meetings, such that key decisions and how they are arrived at can be traced.

                    Amended: April 2016
                    October 2010

                • HC-1.4 HC-1.4 Directors' Communication with Management

                  • HC-1.4.1

                    The Board must encourage participation by management regarding matters the Board is considering, and also by management members who by reason of responsibilities or succession, the CEO or general manager (as the case may be) believes should have exposure to the directors.

                    April 2016

              • HC-2 HC-2 Approved Persons Loyalty

                • HC-2.1 HC-2.1 Personal Accountability

                  • HC-2.1.1

                    The Board and its members must act with honesty, integrity, due skill and care, and in the best interests of the licensee, its shareholders and clients.

                    Amended: April 2016
                    October 2010

                  • HC-2.1.2

                    In assessing compliance with Paragraph HC-2.2.1, the CBB will take into account all actions of the Board and its members. The interest of the licensee includes the licensee's continued compliance with all relevant rules and regulations, and the interests of employees, clients and other stakeholders. The interest of shareholders includes the current and future value of the licensee, its status as a going concern, transparency and disclosure of information to the market. The interest of clients includes ensuring that the licensee fulfils its obligations under its terms of business and treats all clients fairly and pays equal regard to the interests of all clients.

                    Amended: April 2016
                    October 2010

                  • HC-2.1.3

                    Each member of the board must understand that under the Company Law he is personally accountable to the licensee and the shareholders if he violates his legal duty of loyalty to the licensee, and that he can be personally sued by the licensee or the shareholders for such violations.

                    Amended: April 2016
                    October 2010

                  • HC-2.1.4

                    The duty of loyalty includes a duty not to use property of the licensee for his personal needs as though it was his own property, not to disclose confidential information of the licensee or use it for his personal profit, and to serve the licensee's interest in any transactions with the company in which he has a personal interest.

                    April 2016

                  • HC-2.1.5

                    For purposes of Paragraph HC-2.1.4, an approved person is considered to have a "personal interest" in a transaction with the company if:

                    (a) He himself;
                    (b) A member of his family (i.e. spouse, father, mother, sons, daughters, brothers or sisters); or
                    (c) Another company of which he is a director or controller,

                    is a party to the transaction or has a material financial interest in the transaction. (Transactions and interests which are de minimis in value should not be included.)

                    April 2016

                  • HC-2.1.6

                    A licensee's Board must establish and disseminate to all employees of the licensee a corporate code of conduct.

                    April 2016

                  • HC-2.1.7

                    The code of conduct must establish standards by giving examples or expectations as regards:

                    (a) Honesty;
                    (b) Integrity;
                    (c) The avoidance or disclosure of conflicts of interest;
                    (d) Maintaining confidentiality;
                    (e) Professionalism;
                    (f) Commitment to the law and best practices; and
                    (g) Reliability.
                    April 2016

                  • HC-2.1.8

                    A Board must ensure that policies and procedures are in place to ensure that necessary customer confidentiality is maintained.

                    April 2016

                • HC-2.2 HC-2.2 Segregation of Duties/Avoidance of Conflicts of Interest

                  • HC-2.2.1

                    Licensees must maintain an organisational structure that segregates duties in order to minimise the risk of conflicts of interest arising.

                    Amended: April 2016
                    October 2010

                  • HC-2.2.2

                    Each approved person must make every practicable effort to arrange his personal and business affairs to avoid a conflict of interest with the licensee.

                    Amended: April 2016
                    October 2010

                  • HC-2.2.3

                    Board members must absent themselves from any discussion or decision-making that involves a subject where they are incapable of providing objective advice, or which involves a subject, transaction or proposed transaction where there is a potential conflict of interest.

                    Amended: April 2016
                    October 2010

                • HC-2.3 HC-2.3 Disclosure of Conflicts of Interest

                  • HC-2.3.1

                    Each approved person must inform the entire Board of conflicts of interest as they arise. Board members must abstain from voting on the matter in accordance with the relevant provisions of the Company Law. This disclosure must include all material facts in the case of a contract or transaction involving the approved person. The approved persons must understand that any approval of a conflict transaction is effective only if all material facts are known to the authorising persons and the conflicted person did not participate in the decision.

                    Amended: April 2016
                    October 2010

                  • HC-2.3.2

                    Board members must declare annually in writing all of their interests (and those of their family) in other enterprises or activities (whether as a Director, shareholder, senior executive or other form of participation) to the Board (or appropriate Board sub-Committee).

                    Amended: April 2016
                    October 2010

                  • HC-2.3.3

                    Bahraini licensees must have in place a board approved policy on the employment of relatives of approved persons and a summary of such policy must be disclosed in the annual report of the Bahraini licensee.

                    Amended: July 2016
                    Amended: April 2016
                    October 2010

                  • HC-2.3.4

                    Overseas licensees must have in place a policy on the employment of relatives of approved persons pertaining to their Bahrain operations.

                    Added: July 2016

                • HC-2.4 HC-2.4 Disclosure of Conflicts of Interest to Shareholders

                  • HC-2.4.1

                    The licensee must disclose to its shareholders in the Annual Report any abstention from voting motivated by a conflict of interest and must disclose to its shareholders any authorisation of a conflict of interest contract or transaction in accordance with the Company Law.

                    Amended: April 2016
                    October 2010

                  • HC-2.4.2

                    The chief executive/general manager of the Bahraini licensee must disclose to the board of directors on an annual basis those individuals who are occupying controlled functions and who are relatives of any approved persons within the Bahraini licensee.

                    Amended: July 2016
                    Amended: April 2016
                    October 2010

                  • HC-2.4.3

                    The chief executive/general manager of the overseas licensees must disclose to a designated officer at its head office or regional manager on an annual basis those individuals who are occupying controlled functions and who are relatives of any approved persons within the overseas licensee.

                    Added: July 2016

              • HC-3 HC-3 Financial Statements Certification

                • HC-3.1 HC-3.1 Internal Control

                  • HC-3.1.1

                    The Board must have rigorous controls for financial audit and reporting, internal control, and compliance with law.

                    April 2016

                  • HC-3.1.2

                    To encourage management accountability for the financial statements required by the directors, the licensee's CEO or general manager and chief financial officer must state in writing to the Board as a whole that the licensee's interim and annual financial statements present a true and fair view, in all material respects, of the licensee's financial condition and results of operations in accordance with applicable accounting standards.

                    April 2016

              • HC-4 HC-4 Remuneration

                • Alignment of All Staff Remuneration with Compliance with AML/CFT Requirements

                  • HC-4.2.1

                    The performance evaluation and remuneration of senior management and staff of the licensee must be based on the achievement of the Key Performance Indicators (KPIs) relevant to ensuring compliance with AML/CFT requirements as specified in Paragraphs FC-2.1.3 and FC-2.1.4.

                    Added: April 2020

                • HC-4.1 HC-4.1 Remuneration Policies

                  • HC-4.1.1

                    The review of Directors' remuneration must be a standing item on the licensee's Annual General Meeting agenda, and must be considered by shareholders at every Annual General Meeting. Directors' remuneration (including pension and severance arrangements) and bonuses must be clearly disclosed in the annual financial statements.

                    April 2016

                  • HC-4.1.2

                    Directors' remuneration should also comply with all applicable laws, such as Legislative Decree No. 21 of 2001 (and its amendments), with respect to promulgating the Commercial Companies Law.

                    April 2016

                • HC-4.2 Standard for all Remuneration

              • HC-5 HC-5 Management Structure

                • HC-5.1 HC-5.1 Establishment of Management Structure

                  • HC-5.1.1

                    The Board must approve and review at least annually the licensee's management structure and responsibilities.

                    April 2016

                  • HC-5.1.2

                    The Board must appoint senior management whose authority must include management and operation of current activities of the licensee, reporting to and under the direction of the Board. The senior managers must include at a minimum:

                    (a) A CEO or general manager;
                    (b) A chief financial officer;
                    (c) An internal auditor (see HC-5.4 and AU-1.2); and
                    (d) A compliance officer (see HC-5.5 and AU-1.2).

                    and must also include such other approved persons as the Board considers appropriate and as a minimum must include persons occupying controlled functions as outlined in Paragraph AU-1.2.2.

                    April 2016

                  • HC-5.1.3

                    The licensee may appoint a corporate secretary. Whenever practical, the corporate secretary should be a person with legal or similar professional experience and training. The corporate secretary's duties include:

                    (a) Arranging, recording and following up on the actions, decisions and meetings of the Board and of the shareholders (both at annual and extraordinary meetings) in books to be kept for that purpose; and
                    (b) Reviewing the licensee's procedures and advising the Board directly on such matters.
                    April 2016

                • HC-5.2 HC-5.2 Titles, Authorities, Duties and Reporting Responsibilities

                  • HC-5.2.1

                    Licensees must maintain clearly documented and communicated staff responsibilities and reporting lines.

                    April 2016

                  • HC-5.2.2

                    For the purposes of Rule HC-5.2.1, licensees should maintain and document their delegated authority structure as well as written terms of reference for staff positions.

                    April 2016

                  • HC-5.2.3

                    The Board must adopt by-laws prescribing each senior manager's title, authorities, duties and internal reporting responsibilities. This must be done in consultation with the CEO or general manager, to whom the other senior managers should normally report.

                    April 2016

                  • HC-5.2.4

                    These provisions must include but should not be limited to the following:

                    (a) The CEO or general manager must have authority to act generally in the licensee's name, representing the licensee's interests in concluding transactions on the licensee's behalf and giving instructions to other senior managers and licensee employees;
                    (b) The chief financial officer must be responsible and accountable for:
                    (i) The complete, timely, reliable and accurate preparation of the licensee's financial statements, in accordance with the accounting standards and policies of the licensee (see HC-3.1.2); and
                    (ii) Presenting the Board with a balanced and understandable assessment of the licensee's financial situation;
                    (c) The internal auditor's (see HC-5.4) duties must include providing an independent and objective review of the efficiency of the licensee's operations. This would include a review of the accuracy and reliability of the licensee's accounting records and financial reports as well as a review of the adequacy and effectiveness of the licensee's risk management, control, and governance processes; and
                    (d) The compliance officer's (see HC-5.5) duties include maintaining effective systems and controls for compliance with applicable requirements in the Kingdom's legislation and those set by the CBB, and those established under any other statute or regulator to which they are subject.
                    April 2016

                  • HC-5.2.5

                    The Board should also specify any limits which it wishes to set on the authority of the CEO or general manager or other senior managers, such as monetary maximums for transactions which they may authorize without separate Board approval.

                    April 2016

                  • HC-5.2.6

                    At least annually the Board shall review and concur in a succession plan addressing the policies and principles for selecting a successor to the CEO or general manager, both in emergencies and in the normal course of business. The succession plan should include an assessment of the experience, performance, skills and planned career paths for possible successors to the CEO or general manager.

                    April 2016

                • HC-5.3 HC-5.3 Chief Executive/General Manager

                  • HC-5.3.1

                    Licensees must appoint a person to undertake the function of Chief Executive or General Manager.

                    April 2016

                  • HC-5.3.2

                    The Chief Executive or General Manager (as appropriate), is responsible for the executive management and performance of the licensee, within the framework of delegated authorities set by the Board. The function of Chief Executive or General Manager is a controlled function, and the person nominated to that post therefore requires prior CBB approval (see Module AU (Authorisation)).

                    April 2016

                  • HC-5.3.3

                    Residency requirements apply to Chief Executives and General Managers (see Section AU-2.2.)

                    April 2016

                • HC-5.4 HC-5.4 Internal Audit

                  • HC-5.4.1

                    Unless otherwise agreed with the CBB, licensees must establish an internal audit function to monitor the adequacy of their systems and controls.

                    April 2016

                  • HC-5.4.2

                    The CBB would normally expect larger licensees to maintain the internal audit function within the organisation. The CBB will however consider allowing small licensees to outsource part or all of their internal audit function to third party providers.

                    April 2016

                  • HC-5.4.3

                    Licensees may outsource part or all of their internal audit function, after obtaining the prior approval of the CBB. The outsourcing arrangements must provide for an adequate level of scrutiny of the licensee, and must comply with the requirements contained in Section RM-2.4. A licensee cannot outsource its internal audit function to its external auditor.

                    April 2016

                  • HC-5.4.4

                    Prior approval from the CBB is required for significant outsourcing arrangements, including all outsourcing of internal audit. Note that in all such cases, the licensee retains ultimate responsibility for the adequacy of its outsourcing function, and is required to identify the person within the licensee responsible for internal audit: this person should be an approved person (see Section AU-1.2 and Chapter RM-2).

                    April 2016

                  • HC-5.4.5

                    Internal audit functions must have terms of reference that clearly indicate:

                    (a) The scope and frequency of audits;
                    (b) Reporting lines; and
                    (c) The review and approval process applied to audits.
                    April 2016

                  • HC-5.4.6

                    Paragraph HC-5.4.5 applies irrespective of whether the internal audit function is outsourced. Where it is outsourced, the CBB would expect to see these matters addressed in the contract with the outsourcing provider.

                    April 2016

                  • HC-5.4.7

                    Internal audit functions must report directly to the Board. They must have unrestricted access to all the appropriate records of the licensee. They must have open and regular access to the Board, the Chief Executive or general manager, and the licensee's external auditor.

                    April 2016

                  • HC-5.4.8

                    Internal audit functions must have adequate staff levels with appropriate skills and knowledge, such that they can act as an effective challenge to the business. Where the function is not outsourced, the head of function should be a senior and experienced employee. Internal audit functions must not perform other activities that compromise their independence.

                    April 2016

                  • HC-5.4.9

                    The CBB would expect to see in place a formal audit plan that:

                    (a) Is reviewed and approved at least annually by the Board;
                    (b) Is risk-based, with an appropriate scoring system; and
                    (c) Covers all material areas of a licensee's operations over a reasonable timescale.
                    April 2016

                  • HC-5.4.10

                    Internal Audit reports should also be:

                    (a) Clear and prioritised, with action points directed towards identified individuals;
                    (b) Timely; and
                    (c) Distributed to the Board and appropriate senior management.
                    April 2016

                  • HC-5.4.11

                    Licensees should also have processes in place to deal with recommendations raised by internal audit to ensure that they are:

                    (a) Dealt with in a timely fashion;
                    (b) Monitored until they are settled; and
                    (c) Raised with senior management if they have not been adequately dealt with.
                    April 2016

                • HC-5.5 HC-5.5 Compliance

                  • HC-5.5.1

                    Licensees must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements in the Kingdom's legislation and those set by the CBB, and those established under any other statute or regulator to which they are subject.

                    April 2016

                  • HC-5.5.2

                    Depending on the nature, scale and complexity of its business, a licensee should consider having a separate compliance function. A compliance function should:

                    (a) Document its organisation and responsibilities;
                    (b) Be appropriately staffed with competent individuals;
                    (c) Have unrestricted access to the licensee's relevant records; and
                    (d) Have ultimate recourse to the Board.
                    April 2016

                  • HC-5.5.3

                    Licensees must designate an employee, of appropriate standing and resident in Bahrain, as Compliance Officer. The duties of the Compliance Officer include:

                    (a) Having responsibility for oversight of the licensee's compliance with the requirements of the CBB; and
                    (b) Reporting to the licensee's Board in respect of that responsibility.
                    April 2016

                  • HC-5.5.4

                    The Compliance Officer is a controlled function and the requirements relating to approved persons must be met (see Chapter AU-1.2). If the scale and nature of the licensee's operations are limited, then the individual who performs the function of Compliance Officer may also take on other responsibilities, providing this does not create a potential conflict of interest. The compliance function may not be combined with the internal audit function or any operational function as they are incompatible and may create a conflict of interest.

                    April 2016

            • GR GR Money Changers General Requirements Module

              • GR-A GR-A Introduction

                • GR-A.1 GR-A.1 Purpose

                  • Executive Summary

                    • GR-A.1.1

                      The General Requirements Module presents a variety of different requirements that are not extensive enough to warrant their own stand-alone Module, but for the most part are generally applicable. These include requirements on books and records; on the use of corporate and trade names; on controllers and close links, on security measures, counterfeit currency detection measures and loans extended to related parties.

                      October 2010

                  • Legal Basis

                    • GR-A.1.2

                      This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) regarding general requirements applicable to licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regarding controllers (see Chapter GR-5) also included in Regulations, to be issued by the CBB. Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

                      Amended: January 2011
                      October 2010

                    • GR-A.1.3

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

                      October 2010

                • GR-A.2 GR-A.2 Module History

                  • Evolution of Module

                    • GR-A.2.1

                      This Module was first issued in October 2010 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    • GR-A.2.2

                      A list of recent changes made to this Module is detailed in the table below:

                      Module Ref. Change Date Description of Changes
                      GR-A.1.2 01/2011 Clarified legal basis.
                      GR-2.1.1 01/2011 Clarified Rule regarding money in transfer.
                      GR-7.1.2 01/2011 Clarified Guidance.
                      GR-5.3.1A 04/2011 New Rule added for suitability of controllers.
                      GR-9.1 07/2011 Several amendments made to be in line with other Volumes of the CBB Rulebook.
                      GR-5.3.1 04/2012 Amended to be in line with other Volumes of the CBB Rulebook.
                      GR-6 04/2012 Clarified language on cessation of business to be in line with other Volumes of the CBB Rulebook.
                      GR-11.1 and GR-11.1.1A 01/2013 Clarified Rules and added Guidance dealing with credit facilities extended to related parties.
                      GR-1.1.3 04/2013 Corrected reference to 'transaction' records.
                      GR-7.1.4 10/2014 Added due date for Insurance Coverage Form
                      GR-6.1.11 10/2016 Added an additional requirement for cessation of business to be consistent with other Volumes of the CBB Rulebook.
                      GR-5.1.4 01/2017 Consistency of notification timeline rule on controllers with other Volumes of the CBB Rulebook.
                      GR-1.2.1 07/2017 Amended paragraph according to the Legislative Decree No. (28) of 2002.
                      GR-1.2.2 07/2017 Deleted paragraph.
                      GR-4.1.3 10/2017 Added additional requirements to submit when requesting no-objection letter for proposed dividends.
                      GR-1.1.1 10/2018 Amended Paragraph to be consistent with other Volumes.
                      GR-5.1.1A 04/2019 Added a new Paragraph on exposure to controllers.
                      GR-5.1.1B 04/2019 Added a new Paragraph on exposure to controllers.
                      GR-1.2.1 01/2020 Amended Paragraph.
                      GR-6.1.6 04/2020 Amended Paragraph.
                      GR-6.1.11 04/2020 Amended Paragraph.
                      GR-3.1.1 01/2022 Amended Paragraph on change in licensee corporate and legal name.
                      GR-3.1.2 01/2022 Amended Paragraph on change to licensee legal name.

                  • Superseded Requirements

                    • GR-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory instruments:

                      Circular Ref. Subject
                      BS/07/2004 Record-keeping requirements.
                      BC/24/1999 Accounts of Money Changers.
                      BS/08/2004 Controllers of, and holdings and transfers of significant ownership or controlling interests in, Agency licensees
                      OD/080/2007 Directives on Measures to Detect Counterfeit Currency
                      FIS/C/001/2005 Security Measures for Money Changers
                      ODG/118/2004 Review of Security Measures
                      BC/6/99 Requirement of Bank Guarantee
                      October 2010

              • GR-B GR-B Scope of Application

                • GR-B.1 GR-B.1 Scope of Application

                  • GR-B.1.1

                    The scope of application of Module GR (General Requirements) applies to all Money Changer Licensees, thereafter referred to in this Module as licensees.

                    October 2010

              • GR-1 GR-1 Books and Records

                • GR-1.1 GR-1.1 General Requirements

                  • GR-1.1.1

                    In accordance with Articles 59 and 60 of the CBB Law, all licensees must maintain books and records (whether in electronic or hard copy form) sufficient to produce financial statements and show a complete record of the business undertaken by a licensee. These records must be maintained for at least 10 years according to Article 60 of the CBB Law.

                    Amended: October 2018
                    October 2010

                  • GR-1.1.2

                    GR-1.1.1 includes accounts, books, files and other records (e.g. trial balance, general ledger, nostro/vostro statements, reconciliations, list of counterparties). It also includes records that substantiate the value of the assets and liabilities activities of the licensee.

                    October 2010

                  • GR-1.1.3

                    Bahrain Law currently requires other transaction records to be retained for at least 5 years (see Ministerial Order No. 23 of 2002, made pursuant to Amiri Decree Law No. 4 of 2001).

                    Amended: April 2013
                    October 2010

                  • GR-1.1.4

                    Unless otherwise agreed to by the CBB in writing, records must be kept in either English or Arabic. Any records kept in languages other than English or Arabic must be accompanied by a certified English or Arabic translation. Records must be kept current. The records must be sufficient to allow an audit of the licensee's business or an on-site examination of the licensee by the CBB.

                    October 2010

                  • GR-1.1.5

                    Translations produced in compliance with Rule GR-1.1.4 may be undertaken inhouse, by an employee or contractor of the licensee, provided they are certified by an appropriate officer of the licensee.

                    October 2010

                  • GR-1.1.6

                    Records must be accessible at any time from within the Kingdom of Bahrain, or as otherwise agreed with the CBB in writing.

                    October 2010

                  • GR-1.1.7

                    Where older records have been archived, the CBB may accept that records be accessible within a reasonably short time frame (e.g. within 5 business days), instead of immediately.

                    October 2010

                  • GR-1.1.8

                    Paragraphs GR-1.1.1 to GR-1.1.6 apply to licensees, with respect to all their business activities.

                    October 2010

                • GR-1.2 GR-1.2 Transaction Records

                  • GR-1.2.1

                    Licensees must keep completed transaction records for as long as they are relevant for the purposes for which they were made (with a minimum period in all cases of five years from the date when the transaction was terminated). Records of terminated transactions must be kept whether in hard copy or electronic format as per the Legislative Decree No. (54) of 2018 with respect to Electronic Transactions “The Electronic Communications and Transactions Law” and its amendments.

                    Amended: January 2020
                    Amended: July 2017
                    Added: October 2010

                  • GR-1.2.2

                    [This Paragraph has been deleted in July 2017].

                    Deleted: July 2017
                    October 2010

                • GR-1.3 GR-1.3 Other Records

                  • Corporate Records

                    • GR-1.3.1

                      Licensees must maintain the following records in original form or in hard copy at their premises in Bahrain:

                      (a) Internal policies, procedures and operating manuals;
                      (b) Corporate records, including minutes of shareholders', Directors' and management meetings;
                      (c) Correspondence with the CBB and records relevant to monitoring compliance with CBB requirements;
                      (d) Reports prepared by the licensee's internal and external auditors; and
                      (e) Employee training manuals and records.
                      October 2010

                  • Customer Records

                    • GR-1.3.2

                      Record-keeping requirements with respect to customer records, including customer identification and due diligence records, are contained in Module FC (Financial Crime).

                      October 2010

              • GR-2 GR-2 Money in Transfer

                • GR-2.1 GR-2.1 Money in Transfer

                  • GR-2.1.1

                    All remittances must be pre-funded. In instances where remittances are not pre-funded, they must be channelled through a designated customer account at a retail bank in the Kingdom of Bahrain. No claims by the licensee can be made against this account.

                    Amended: January 2011
                    October 2010

              • GR-3 GR-3 Corporate and Trade Names

                • GR-3.1 GR-3.1 Vetting of Names

                  • GR-3.1.1

                    Licensees must obtain CBB’s prior written approval for any change in their legal name. Licensees must notify the CBB of any change in their corporate name at least one week prior to effecting the proposed change.

                    Amended: January 2022
                    Added: October 2010

                  • GR-3.1.2

                    In approving a change to a legal name, the CBB seeks to ensure that it is sufficiently distinct as to reduce possible confusion with other unconnected businesses, particularly those operating in the financial services sector.

                    Amended: January 2022
                    Added: October 2010

              • GR-4 GR-4 Dividends

                • GR-4.1 GR-4.1 CBB Prior Approval

                  • GR-4.1.1

                    Licensees must obtain the CBB's prior written approval to any dividend proposed to be distributed to the shareholders, before announcing the proposed dividend by way of press announcement or any other means of communication and prior to submitting a proposal for a distribution of profits to a shareholder vote.

                    October 2010

                  • GR-4.1.2

                    The CBB will grant approval where it is satisfied that the level of dividend proposed is unlikely to leave the licensee vulnerable — for the foreseeable future — to breaching the CBB's financial resources requirements, taking into account (as appropriate) trends in the licensee's business volumes, expenses and performance.

                    October 2010

                  • GR-4.1.3

                    To facilitate the prior approval required under Paragraph GR-4.1.1, licensees subject to Paragraph GR-4.1.1 must provide the CBB with:

                    (a) The licensee's intended percentage and amount of proposed dividends for the coming year;
                    (b) A letter of no objection from the licensee's external auditor on such profit distribution; and
                    (c) A detailed analysis of the impact of the proposed dividend on the capital adequacy requirements outlined in Module CA (Capital Adequacy) and the liquidity position of the licensee.
                    Amended: October 2017
                    October 2010

              • GR-5 GR-5 Controllers

                • GR-5.1 GR-5.1 Key Provisions

                  • GR-5.1.1

                    Licensees must obtain prior approval from the CBB for any of the following changes to their controllers (as defined in Section GR-5.2):

                    (a) A new controller;
                    (b) An existing controller increasing its holding from below 20% to above 20%;
                    (c) An existing controller increasing its holding from below 50% to above 50%; and
                    (d) An existing controller reducing its holding from above 50% to below 50%.
                    October 2010

                  • GR-5.1.1A

                    Licensees must not incur or otherwise have an exposure (either directly or indirectly) to their controllers, including subsidiaries and associated companies of such controllers.

                    Added: April 2019

                  • GR-5.1.1B

                    For the purpose of Paragraph GR-5.1.1A, licensees that already have an exposure to controllers must have an action plan agreed with the CBB's supervisory point of contact to address such exposures within a timeline agreed with the CBB.

                    Added: April 2019

                  • GR-5.1.2

                    Articles 52 to 56 of the CBB Law require notification to the CBB of all controllers of licensees and of listed companies; it further gives the CBB the right to refuse approval of controllers if deemed damaging to the interests of the market, customers, or in contravention of the criteria set by the CBB.

                    October 2010

                  • GR-5.1.3

                    Requests for approval under Paragraph GR-5.1.1 must be made by submitting a duly completed Form 2 (Application for Authorisation of Controller) to the CBB. Notification must be made by the controller or intended controller, and by the licensee where it is aware of the change.

                    October 2010

                  • GR-5.1.4

                    If, as a result of circumstances outside the licensee's knowledge and/or control, one of the changes specified in Paragraph GR-5.1.1 is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB no later than 15 calendar days from the date on which those changes have occurred.

                    Amended: January 2017
                    October 2010

                  • GR-5.1.5

                    For approval under Rule GR-5.1.1 to be granted, the applicant must satisfy the CBB that the proposed change in controller poses no undue risks to the licensee or its customers, and is not damaging to the interests of the market, as defined in the suitability criteria for controllers, contained in Section GR-5.3.

                    October 2010

                  • GR-5.1.6

                    An approval of controller is valid for the period specified in the approval letter issued by the CBB. The CBB may impose any restrictions that it considers necessary to be observed when granting its approval.

                    October 2010

                  • GR-5.1.7

                    The approval process is specified in Section GR-5.4.

                    October 2010

                • GR-5.2 GR-5.2 Definition of Controller

                  • GR-5.2.1

                    A controller of a licensee is a natural or legal person who, either alone or with his associates:

                    (a) Holds 10% or more of the shares in the licensee ('L'), or is able to exercise (or control the exercise of) more than 10% of the voting power in L;
                    (b) Holds 10% or more of the shares in a parent undertaking ('P') of L, or is able to exercise (or control the exercise of) more than 10% of the voting power in P; or
                    (c) Is able to exercise significant influence over the management of L or P.
                    October 2010

                  • GR-5.2.2

                    For the purposes of Paragraph GR-5.2.1, 'associate' includes:

                    (a) In the case of natural persons, a member of the controller's family;
                    (b) An undertaking of which a controller is a Director;
                    (c) A person who is an employee or partner of the controller; or
                    (d) If the controller is a corporate entity, a Director of the controller, a subsidiary of the controller, or a Director of any subsidiary undertaking of the controller.
                    October 2010

                  • GR-5.2.3

                    Associate also includes any other person or undertaking with which the controller has entered into an agreement or arrangement as to the acquisition, holding or disposal of shares or other interests in the licensee, or under which they undertake to act together in exercising their voting power in relation to the licensee.

                    October 2010

                • GR-5.3 GR-5.3 Suitability of Controllers

                  • GR-5.3.1

                    All new controllers or prospective controllers (as defined in Section GR-5.2) of a Bahraini specialised licensee must obtain the approval of the CBB. Any increases to existing controllers' holdings or voting control (as outlined under Paragraph GR-5.1.1) must also be approved by the CBB and are subject to the conditions outlined in this Section. Such changes in existing controllers (as defined in the Section GR-5.2) or new/prospective controllers of a licensee must satisfy the CBB of their suitability and appropriateness according to the criteria outlined in Paragraphs GR-5.3.2 to GR-5.3.5. The CBB will issue an approval notice or notice of refusal of a controller according to the approval process outlined in Section GR-5.4 and Paragraph GR-5.1.6.

                    Amended: April 2012
                    October 2010

                  • GR-5.3.1A

                    For those licensees authorised after 1st January 2011, at least one controller must be a regulated financial institution owning or controlling 20% or more of the voting capital.

                    Added: April 2011

                  • GR-5.3.2

                    In assessing the suitability of controllers who are natural persons, the CBB has regard to their professional and personal conduct, including, but not limited to, the following:

                    (a) The propriety of a person's conduct, whether or not such conduct resulted in conviction for a criminal offence, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
                    (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
                    (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
                    (d) Whether the person has been the subject of any disciplinary proceeding by any government authority, regulatory agency or professional body or association;
                    (e) The contravention of any financial services legislation or regulation;
                    (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
                    (g) Dismissal or a request to resign from any office or employment;
                    (h) Disqualification by a court, regulator or other competent body, as a Director or as a manager of a corporation;
                    (i) Whether the person has been a Director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners or managers have been declared bankrupt whilst the person was connected with that partnership or corporation;
                    (j) The extent to which the person, has been truthful and open with regulators;
                    (k) Whether the person has ever been adjudged bankrupt, entered into any arrangement with creditors in relation to the inability to pay due debts, or failed to satisfy a judgement debt under a court order or has defaulted on any debts;
                    (l) The financial resources of the person and the likely stability of their shareholding, and their track record as a controller or significant investor in financial institutions;
                    (m) Existing Directorships or ownership of more than 20% of the capital or voting rights of any financial institution in the Kingdom of Bahrain or elsewhere, and the potential for conflicts of interest that such Directorships or ownership may imply;
                    (n) The legitimate interests of customers, creditors and shareholders (including minority shareholders) of the licensee;
                    (o) Whether the approval of a controller is or could be detrimental to Bahrain's financial sector; and
                    (p) Whether the person is able to deal with existing shareholders and the Board in a constructive and cooperative manner.
                    October 2010

                  • GR-5.3.3

                    Natural persons who intend to take a stake of 20% or more in a licensee are subject to enhanced scrutiny. The level of scrutiny and the expected compliance with the above standards become more onerous as the level of proposed ownership increases.

                    October 2010

                  • GR-5.3.4

                    Legal persons who intend to take a stake of 20% or more in a licensee are subject to enhanced scrutiny, given the CBB's position as home supervisor of such licensees. The level of scrutiny and of expected compliance with the above standards becomes more onerous as the level of proposed ownership increases. Regulated legal persons will normally only be approved to take majority control where — in addition to the above conditions — the resulting group would be subject to effective consolidated supervision in accordance with relevant international standards; and the home supervisor of the parent entity has agreed to the proposed acquisition, as well as to the sharing of relevant prudential information for supervisory purposes (expressed, if necessary, through the signing of a Memorandum of Understanding between the CBB and the home supervisor, setting out their respective supervisory responsibilities).

                    October 2010

                  • GR-5.3.5

                    In assessing the suitability of controllers who are legal persons, CBB has regard to their financial standing, judicial and regulatory record, and standards of business practice and reputation, including, but not limited to, the following:

                    (a) The financial strength of the controller, its parent(s) and other members of its group, its implications for the licensee and the likely stability of the controller's shareholding;
                    (b) Whether the controller or members of its group has ever entered into any arrangement with creditors in relation to the inability to pay due debts;
                    (c) The controller's jurisdiction of incorporation, location of Head Office, group structure, and the implications for the licensee as regards effective supervision of the licensee and potential conflicts of interest;
                    (d) The controller's (and other group members') propriety and general standards of business conduct, including the contravention of any laws or regulations, or the institution of disciplinary proceedings by a government authority, regulatory agency or professional body;
                    (e) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct;
                    (f) Any criminal actions instigated against the controller or other members of its group, whether or not this resulted in an adverse finding;
                    (g) The extent to which the controller or other members of its group have been truthful and open with regulators and supervisors;
                    (h) Whether the person has ever been refused a license, authorisation, registration or other authority;
                    (i) The person's track record as a controller or investor in financial institutions;
                    (j) The legitimate interests of customers, creditors and shareholders of the licensee;
                    (k) Whether their approval as a controller is or could be detrimental to Bahrain's financial sector; and
                    (l) Whether the person is able to deal with existing shareholders and the Board in a constructive manner.
                    October 2010

                  • GR-5.3.6

                    The CBB may contact references and supervisory bodies in connection with any information provided to support an application for controller. The CBB may also ask for further information, in addition to that provided in the Form 2, if required to satisfy itself as to the suitability of the applicant.

                    October 2010

                • GR-5.4 GR-5.4 Approval Process

                  • GR-5.4.1

                    Within 3 months of receipt of an approval request under Paragraph GR-5.1.1, the CBB will issue a written notice of approval (or of refusal, if it is not satisfied that the person concerned is suitable to become a controller of the licensee). The notice of refusal will specify the reasons for the objection and specify the applicant's right of appeal. Where an approval notice is given, it will specify the period for which it is valid and any conditions that may be applied.

                    October 2010

                  • GR-5.4.2

                    Article 53 allows the CBB up to 3 months in which to respond to an application, although the CBB normally aims to respond within 30 calendar days. Notices of refusal have to be approved by an Executive Director of the CBB. The applicant has 30 calendar days from the date of a notice in which to appeal a decision to refuse the application or any conditions imposed as a condition of approval. The CBB then has 30 calendar days from the date of the appeal in which to consider any mitigating evidence submitted and make a final determination. See Module EN (Enforcement).

                    October 2010

                  • GR-5.4.3

                    Where a person has become a controller by virtue of their shareholding in contravention of Paragraph GR-5.1.1, or a notice of refusal has been served on them under Paragraph GR-5.4.1 and the period of appeal has expired, the CBB may, by notice in writing served on the person concerned, instruct the person concerned to transfer such shares, or refrain from exercising voting rights in respect of such shares.

                    October 2010

                  • GR-5.4.4

                    If the person concerned fails to take the action specified under Paragraph GR-5.4.3, then the CBB may seek a court order to take appropriate measures: these may include forcing the person to sell their shares.

                    October 2010

                  • GR-5.4.5

                    The powers available to the CBB that are described in Paragraphs GR-5.4.3 and GR-5.4.4 are specified in Article 56 of the CBB Law.

                    October 2010

                  • GR-5.4.6

                    In addition to the above requirements, licensees are encouraged to notify the CBB as soon as they become aware of events that are likely to lead to major changes in their controllers. Any supervisory implications of such changes can then be discussed prior to the filing of a formal approval request.

                    October 2010

              • GR-6 GR-6 Cessation of Business

                • GR-6.1 GR-6.1 CBB Approval

                  • GR-6.1.1

                    As specified in Article 50 of the CBB Law, a licensee wishing to cease to provide or suspend all or any of its licensed regulated services, completely or at any of its branches, must obtain prior written approval from the CBB.

                    Amended: April 2012
                    October 2010

                  • GR-6.1.2

                    Licensees seeking to obtain the CBB's permission to cease business must apply to the CBB in writing, in the form of a formal request together with supporting documents. Unless otherwise directed by the CBB, the following requirements must be provided in support of the request:

                    (a) Full details of the business to be terminated;
                    (b) The rationale for the cessation;
                    (c) How the licensee proposes to cease business;
                    (d) Notice of an Extraordinary Meeting setting out the agenda to discuss and approve the cessation, and inviting the CBB for such meeting;
                    (e) Evidence that the proposed cessation has been duly authorised by the licensee (such as a certified copy of a Board resolution approving the cessation);
                    (f) Formal request to the CBB for the appointment of a liquidator acceptable to the CBB;
                    (g) A cut-off date by which the licensee will stop its operations;
                    (h) If the licensee wishes to cease its whole business, confirmation that the licensee will not enter into new business with effect from the cut-off date;
                    (i) Once the CBB has given its approval to an application to cease business, the licensee must publish a notice of its intention to cease business in two local daily newspapers (one in Arabic, the other in English). Notices must also be displayed in the premises (including any branch offices) of the licensee concerned. These notices must be given not less than 30 calendar days before the cessation is to take effect, and must include such information as the CBB may specify;
                    (j) The audited accounts of the licensee as of the last date on which it stopped operations. The commencement of such accounts should be the beginning of the financial year of the licensee; and
                    (m) The final liquidator's report of the licensee.
                    October 2010

                  • GR-6.1.3

                    Licensees intending to apply to cease business are advised to contact the CBB at the earliest possible opportunity, prior to submitting a formal application, in order that the CBB may determine the nature and level of documentation to be provided and the need for an auditor or other expert opinion to be provided to support the application. The documentation specified in Paragraph GR-6.1.2 may be varied by the CBB, depending on the nature of the proposed cessation, such as the materiality of the business concerned and its impact on customers.

                    October 2010

                  • GR-6.1.4

                    Approval to cease business will generally be given where adequate arrangements have been made to offer alternative arrangements to any affected customers. The CBB's approval may be given subject to any conditions deemed appropriate by the CBB. In all cases where additional requirements are imposed, the CBB shall state the reasons for doing so.

                    October 2010

                  • GR-6.1.5

                    The notice referred to in Subparagraph GR-6.1.2 (i) must include a statement that written representations concerning the liquidation may be submitted to the CBB before a specified day, which shall not be later than thirty calendar days after the day of the first publication of the notice. The CBB will not decide on the application until after considering any representations made to the CBB before the specified day.

                    Amended: April 2012
                    October 2010

                  • GR-6.1.6

                    Upon satisfactorily meeting the requirements set out in GR-6.1.2, the licensee must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its Commercial Registration from the Ministry of Industry and Commerce.

                    Amended: April 2020
                    Added: October 2010

                  • GR-6.1.7

                    Where the CBB has given its approval to cancel or amend a license, then it will also publish its decision in the Official Gazette, as well as in two local daily newspapers (one in Arabic, the other in English), once this decision has been implemented.

                    Amended: April 2012
                    October 2010

                  • GR-6.1.7A

                    The publication cost of the notices referred to in Paragraph GR-6.1.7 is to be met by the licensee concerned.

                    Added: April 2012

                  • GR-6.1.8

                    The licensee must continue to comply with all applicable CBB requirements until such time as it is formally notified by the CBB that its obligations have been discharged.

                    October 2010

                  • GR-6.1.9

                    A licensee in liquidation must continue to meet its contractual and regulatory obligations to customers and creditors.

                    October 2010

                  • GR-6.1.9A

                    If no objections to the liquidation are upheld by the CBB, the CBB may then issue a written notice of approval for the surrender of the license.

                    Added: April 2012

                  • GR-6.1.10

                    If a licensee applies to the CBB for voluntary surrender of its authorisation, it must ensure that suitable arrangements are in place for insurance coverage, to continue in respect of any unreported claims arising from past transactions, in accordance with Rule GR-7.1.7.

                    October 2010

                  • GR-6.1.11

                    Upon satisfactorily meeting the requirements set out in GR-6.1.2, the licensees must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its commercial registration from the Ministry of Industry, Commerce and Tourism.

                    Amended: April 2020
                    Added: October 2016

              • GR-7 GR-7 Insurance Coverage

                • GR-7.1 GR-7.1 Insurance Coverage Requirements

                  • GR-7.1.1

                    Licensees are required to maintain the following insurance coverage at all times:

                    (a)Money in transit insurance;
                    (b)Fire, theft and other perils; and
                    (c)Fidelity.
                    October 2010

                  • GR-7.1.2

                    A licensee is encouraged to assess its insurance needs, through professional advice, to ensure its adequacy to the level of business undertaken.

                    Amended: January 2011
                    October 2010

                  • GR-7.1.3

                    The insurance coverage must be obtained from an insurance firm acceptable to the CBB and licensed in the Kingdom of Bahrain.

                    October 2010

                  • GR-7.1.4

                    Licensees must submit an Insurance Coverage Return (Form ICR) on an annual basis, within 3 months of the end of the financial year. Additionally, they must provide, upon request, evidence to the CBB of the coverage in force.

                    Amended: October 2014
                    October 2010

                  • GR-7.1.5

                    In accordance with Paragraph EN-B.3.1, licensees may not enter into or make a claim under a contract of insurance that is intended to, or has the effect of, indemnifying them from the financial penalties provided for in Module EN.

                    October 2010

                  • GR-7.1.6

                    The requirement to maintain insurance coverage will normally be met by the licensee concerned obtaining an insurance policy from an insurance firm. The CBB may also accept an insurance policy issued at group level, e.g. issued with respect to the parent of the licensee, provided the terms of the policy explicitly provide coverage with respect to the licensee.

                    October 2010

                  • GR-7.1.7

                    Unless otherwise agreed in writing with the CBB, the policy must contain a clause that it may not be cancelled or lapsed without the prior approval of the CBB. The policy must also contain a provision for an automatic extended reporting period in the event that the policy is cancelled or lapsed, such that claims relating to the period during which the policy was in force may subsequently still be reported.

                    October 2010

                  • GR-7.1.8

                    As provided for in Module ES, insurance coverage requirements must be met by licensees which were licensed prior to the introduction of Volume 5 (Specialised Licensees) in October 2010, by June 2011. Licensees licensed after October 2010 are required to comply with the CBB's professional indemnity coverage requirements, from the point they are given a license.

                    October 2010

              • GR-8 GR-8 Display of License and Exchange Rates

                • GR-8.1 GR-8.1 Display of License and Exchange Rates

                  • GR-8.1.1

                    Licensees must display the license granted to them by the CBB, and declare the exchange rates applied by them in a prominent position in their premises, including all of their branches.

                    October 2010

              • GR-9 GR-9 Security Measures

                • GR-9.1 GR-9.1 Security Measures for Money Changers

                  • GR-9.1.1

                    Licensees must apply the following security measures as a minimum:

                    October 2010

                  • GR-9.1.2

                    External Measures

                    (a) All offices must be located in heavy customer traffic areas, e.g. souqs. Not all malls may be considered heavy traffic areas. No branches should operate in isolated areas.
                    (b) Main entrance doors must be protected by a grill type steel rolling shutter during off hours.
                    (c) Branch alarm systems should have the following features:
                    (1) PIR Motion detectors;
                    (2) External audible siren or visible alarm. The choice of whether to use an audible alarm is left to the licensees concerned; and
                    (3) The intrusion detection system must be linked to the licensee's (i.e. head office) monitoring unit.
                    Amended: July 2011
                    October 2010

                  • GR-9.1.3

                    Internal Measures

                    (a) Teller counters must be fully screened off from customers by glass screens. Cash should not be directly exchanged through screens. Special purpose trays (i.e. half-rounded trays) should be fitted for the exchange of cash;
                    (b) Access to teller areas must be restricted to authorised staff only;
                    (c) Front doors to teller areas must be eliminated as much as possible. When used, they must be full length, solid, secure and kept locked at all times; and
                    (d) Customers dealing with Branch Managers should not enter or pass through teller areas to get to the Branch Manager's office.
                    Amended: July 2011
                    October 2010

                  • Teller Area

                    • GR-9.1.4

                      Panic alarm systems for staff handling cash may be installed. The choice between silent or audible panic alarms is left to individual licensees. Kick bars and/or hold up buttons may be spread throughout the teller and customer service areas and the branch manager's office.

                      Amended: July 2011
                      October 2010

                    • GR-9.1.5

                      Cash Safety

                      (a) Cash must be kept in safes up to international standards and preferably secured to a solid floor;
                      (b) All property in vaults and safes must be under the joint custody of two people;
                      (c) Safes should be located out of the sight of customers wherever possible; and
                      (d) Insurance coverage must be maintained in accordance with Section GR-7.1.
                      Amended: July 2011
                      October 2010

                    • GR-9.1.5A

                      All cash movements between branches, or to and from banks should be performed by a special purpose vehicle.

                      Added: July 2011

                    • GR-9.1.6

                      CCTV Network Systems

                      (a) All branches must have CCTV cameras in place. The following locations are recommended:
                      (1) Customer areas (hall, reception etc);
                      (2) Teller areas (cameras located at the rear of tellers); and
                      (3) Vault entrance/area; and
                      (b) Notices of CCTV cameras in operation must be put up for the attention of the public. CCTV records must be maintained for a minimum of 30 days. The CCTV system must be operational 24 hours per day.
                      Amended: July 2011
                      October 2010

                    • GR-9.1.7

                      Formal Security Training

                      (a) Licensees must establish the position of security manager. For licensees with three or more branches, this position must be a formally identified position. For licensees with one or two branches, the responsibilities of this position may be added to the duties of a member of management. This person will be responsible for ensuring that all staff are given annual, comprehensive security training. Training should form part of the induction program for new staff. Training should be given to all staff when new security measures are introduced; and
                      (b) Licensees should produce a security manual or procedures for staff, especially those dealing directly with customers.
                      Amended: July 2011
                      October 2010

                    • GR-9.1.8

                      Other Issues

                      (a) Opening and closing procedures must be put in place for those responsible for opening and closing the premises; and
                      (b) Rotation of tellers must be implemented on a regular basis.
                      Amended: July 2011
                      October 2010

                    • GR-9.1.9

                      The security manager must maintain records on documented security related complaints by customers and take corrective action or make recommendations for action on a timely basis. Actions and recommendations must also be documented.

                      Added: July 2011

                    • GR-9.1.10

                      Licensees must consider safety and security issues when selecting premises for new branches. Key security issues include prominence of location (i.e. is the branch on a main street or a back street?), accessibility for emergency services, and assessment of surrounding premises (in terms of their safety or vulnerability), and the number of entrances to the branch. All licensees are required to hold an insurance blanket bond (which includes theft of cash in its cover).

                      Added: July 2011

              • GR-10 GR-10 Measures to Detect Counterfeit Currency

                • GR-10.1 GR-10.1 Measures to Detect Counterfeit Currency

                  • GR-10.1.1

                    Licensees are required to apply the measures in this Section to detect counterfeit currency:

                    October 2010

                  • GR-10.1.2

                    Licensees must have in place counterfeit detection machines that comply with the following requirements:

                    (a) The detection machines must be used to verify the validity of all Bahraini currency submitted to licensees (including any branch);
                    (b) Licensees should have a suitable number of machines at each outlet to handle the volume of banknotes they ordinarily receive. Every outlet must have at least one such detection machine.
                    (c) A teller (or any other person who accepts cash from the public) must check the validity of all the banknotes he receives on a detection machine. Licensees should ensure that tellers have been given adequate training in receiving banknotes and are familiar with the security features of Bahraini notes; and
                    (d) Licensees should endeavour to have detection machines that employ state-of-the-art detection technology. What constitutes 'state-of-the-art detection technology' shall be left for the determination of licensees, but the management of such licensees must apply their judgement as to the suitability of the technology they are employing and be prepared to justify their choices to the CBB upon request.
                    October 2010

                  • Reporting

                    • GR-10.1.3

                      When a licensee discovers a counterfeit note (or what appears to be an item intended to be passed-off as a lawful banknote of the Kingdom) it should remit the same to the Currency Issue Directorate at the CBB, together with a report as required in Rules BR-1.5.14 and BR-1.5.15.

                      October 2010

                    • GR-10.1.4

                      When a licensee discovers a counterfeit note of a foreign currency, it should remit the same to Director of the Compliance Directorate at the CBB and copied to the Director of the Financial Intelligence Unit at the Ministry of Interior, together with a report as required in Rules BR-1.5.14 and BR-1.5.15.

                      October 2010

                    • GR-10.1.5

                      Licensees are reminded that inadvertent receipt of counterfeit currency remains their responsibility and their liability alone. The CBB has no obligation to give value for any counterfeit currency.

                      October 2010

              • GR-11 GR-11 Credit Facilities Extended to Related Parties

                • GR-11.1 GR-11.1 Credit Facilities Extended to Related Parties

                  • GR-11.1.1

                    Licensees are prohibited from extending credit facilities to proprietors, partners and shareholders of the business.

                    Amended: January 2013
                    October 2010

                  • GR-11.1.1A

                    Credit facilities include but are not limited to loans and shari'a compliant financing facilities.

                    Added: January 2013

                  • GR-11.1.2

                    Credit facilities may be extended to employees of the licensee, other than proprietors, partners and shareholders of the business.

                    Amended: January 2013
                    October 2010

                  • GR-11.1.3

                    Licensees must obtain the CBB's prior written approval for any credit facility in excess of BD15,000, extended to the employees of the business.

                    Amended: January 2013
                    October 2010

                  • GR-11.1.4

                    Licensees must obtain the CBB's prior written approval before writing-off any credit facility extended to the employees of the business.

                    Amended: January 2013
                    October 2010

          • Business Standards

            • CA CA Money Changers Capital Adequacy Module

              • CA-A CA-A Introduction

                • CA-A.1 CA-A.1 Purpose

                  • Executive Summary

                    • CA-A.1.1

                      This Module lays down requirements that apply to all licensees, with respect to the minimum level of capital they must maintain.

                      October 2010

                    • CA-A.1.2

                      Principle 9 of the Principles of Business requires that licensees maintain adequate human, financial and other resources, sufficient to run their business in an orderly manner (see Section PB-1.1.9).

                      October 2010

                  • Legal Basis

                    • CA-A.1.3

                      This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) relating to the capital adequacy of licensees, and is issued under the powers available to the CBB under Article 38 of the CBB Law. The Directive in this Module is applicable to all licensees. Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

                      Amended: January 2011
                      October 2010

                    • CA-A.1.4

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      October 2010

                • CA-A.2 CA-A.2 Module History

                  • Evolution of Module

                    • CA-A.2.1

                      This Module was first issued in October 2010 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    • CA-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      CA-A.1.3 01/2011 Clarified legal basis.
                      CA-1.2.2 and CA-1.2.3 01/2011 Clarified minimum capital requirements for licensees authorised prior to 1st January 2011.
                      CA-1.4.1 01/2011 Added cross reference.
                      CA-1.4.1 07/2011 Clarified Rule pertaining to capital required for any additional branch.
                           

                  • Superseded Requirements

                    • CA-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory instruments:

                      Document Ref. Document Subject
                      Standard Conditions and Licensing Criteria: Money Changers Capital Funds
                      BC/24/99 Accounts of Money Changers
                      BC/6/99 Bank Guarantee
                      October 2010

              • CA-B CA-B Scope of Application

                • CA-B.1 CA-B.1 Scope of Application

                  • CA-B.1.1

                    The content of this Module applies to all Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

                    October 2010

              • CA-1 CA-1 Capital Adequacy Requirements

                • CA-1.1 CA-1.1 General Requirements

                  • Obligation to Maintain Adequate Capital

                    • CA-1.1.1

                      In accordance with Principle of Business 9 (Section PB-1.1.9), licensees must maintain adequate human, financial and other resources sufficient to run their business in an orderly manner.

                      October 2010

                    • CA-1.1.2

                      Licensees are required to maintain, at all times, the minimum capital requirement specified in Section CA-1.2.

                      October 2010

                    • CA-1.1.3

                      In addition to the minimum capital requirements specified in Section CA-1.2 onwards, the CBB may, at its discretion, require licensees to hold additional capital, should this be necessary (in the CBB's view) to meet additional liquidity requirements. (refer to CA-1.5.2)

                      October 2010

                    • CA-1.1.4

                      No funds may be withdrawn by shareholders from the licensee without the necessary prior written approval of the CBB.

                      October 2010

                    • CA-1.1.5

                      In the event that a licensee fails to meet any of the requirements specified in this Module, it must, on becoming aware that it has breached these requirements, immediately notify the CBB in writing. Unless otherwise directed, the licensee must in addition submit to the CBB, within 30 calendar days of its notification, a plan demonstrating how it will achieve compliance with these requirements.

                      October 2010

                    • CA-1.1.6

                      Should a licensee fail to comply with the requirements of this Module, the CBB may impose enforcement measures, as described in Module EN.

                      October 2010

                • CA-1.2 CA-1.2 Minimum Capital Requirements

                  • Key Requirements

                    • CA-1.2.1

                      Licensees must ensure that, at all times, their Minimum Capital meets the requirement stipulated in Rule CA-1.2.2 below.

                      October 2010

                    • CA-1.2.2

                      Minimum Capital Requirements are:

                      (a) Paid-up Capital of not less than BD500,000;
                      (b) Additional Paid-up Capital of BD30,000 for each branch; and
                      (c) A Bank Guarantee of not less than BD50,000.
                      Amended: January 2011
                      October 2010

                    • CA-1.2.3

                      For those licensees authorised prior to 1st January 2011, the minimum paid-up capital noted in Subparagraph CA-1.2.2 (a) must be not less than BD200,000. In addition, such licensees must comply with Subparagraphs CA-1.2.2 (b) and (c).

                      January 2011

                • CA-1.3 CA-1.3 Guarantee Requirements

                  • CA-1.3.1

                    Licensees are required to provide the CBB with a guarantee in respect of their liabilities. The guarantee must be:

                    a) In favor of and callable by the CBB at the CBB's sole discretion;
                    b) Unconditional and irrevocable;
                    c) Issued by a retail bank licensed by the CBB;
                    d) Valid at all times for a period of one year; and
                    e) Renewed at least one week before its expiry and submitted to the CBB.
                    October 2010

                  • CA-1.3.2

                    If the guarantee is not renewed within the stipulated timeframe, the CBB may call the guarantee.

                    October 2010

                • CA-1.4 CA-1.4 Capital Requirement for Branches

                  • CA-1.4.1

                    In addition to the minimum paid-up capital required under Section CA-1.2, licensees must inject capital in the amount of BD30, 000 in respect of any additional branch (see CA-1.2.2 for additional details).

                    Amended: July 2011
                    Amended: January 2011
                    October 2010

                  • CA-1.4.2

                    Licensees must provide the CBB with evidence of the deposited amount of capital as part of the application for a branch outlined in Section 4.2 of the Module AU (Authorisation).

                    October 2010

                • CA-1.5 CA-1.5 Additional Requirements

                  • CA-1.5.1

                    A licensee's liabilities should not exceed threefold its capital and reserves.

                    October 2010

                  • CA-1.5.2

                    A licensee's liquid assets must be held in a form acceptable to the CBB, in a minimum amount of three months estimated expenditures including salaries, rent, general utilities and other operating costs.

                    October 2010

                  • CA-1.5.3

                    Liquid assets comprise of cash, cash equivalents, and placements or deposits maturing within 30 days.

                    October 2010

            • BC BC Money Changers Business Conduct Module

              • BC-A BC-A Introduction

                • BC-A.1 BC-A.1 Purpose

                  • Executive Summary

                    • BC-A.1.1

                      This Module contains requirements that have to be met by licensees with regards to their dealings with customers.

                      October 2010

                    • BC-A.1.2

                      The Rules contained in this Module aim to ensure that licensees deal with their customers in a fair and open manner, and address their customers' information needs.

                      October 2010

                    • BC-A.1.3

                      The Rules build upon several of the Principles of Business (see Module PB (Principles of Business)). Principle 1 (Integrity) requires licensees to observe high standards of integrity and fair dealing, and to be honest and straightforward in their dealings with customers. Principle 3 (Due skill, care and diligence) requires licensees to act with due skill, care and diligence when acting on behalf of their customers. Principle 7 (Customer Interests) requires licensees to pay due regard to the legitimate interests and information needs of their customers, and to communicate with them in a fair and transparent manner.

                      October 2010

                    • BC-A.1.4

                      The Rules contained in this Module are largely principles-based and focus on desired outputs rather than on prescribing detailed processes. This gives licensees flexibility in how to implement the basic standards prescribed in this Module.

                      October 2010

                  • Legal Basis

                    • BC-A.1.5

                      This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) on business conduct by licensees, and is issued under the powers available to the CBB under Article 38 of the CBB Law. The directive in this Module is applicable to all licensees. Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

                      Amended: January 2011
                      October 2010

                    • BC-A.1.6

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      October 2010

                • BC-A.2 BC-A.2 Module History

                  • Evolution of the Module

                    • BC-A.2.1

                      This Module was first issued in October 2010 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    • BC-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      BC-A.1.5 01/2011 Clarified legal basis.
                      BC-2.5.2 07/2019 Amended the number of years for record keeping.
                      BC-C 10/2020 Added a new Chapter on Provision of Financial Services on a Non-discriminatory Basis
                           
                           

                  • Superseded Requirements

                    • BC-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                      Document Ref. Document Subject
                      EDBC/73/96 Explanatory note on the promotion of banking and financial products offered in/from Bahrain by means of incentives.
                         
                      October 2010

              • BC-B BC-B Scope of Application

                • BC-B.1 BC-B.1 Scope of Application

                  • BC-B.1.1

                    The content of this Module applies to all Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

                    October 2010

              • BC-C BC-C Provision of Financial Services on a Non-discriminatory Basis

                • BC-C.1 BC-C.1 Provision of Financial Services on a Non-discriminatory Basis

                  • BC-C.1.1

                    Money changer licensees must ensure that all regulated financial services are provided without any discrimination based on gender, nationality, origin, language, faith, religion, physical ability or social standing.

                    Added: October 2020

              • BC-1 BC-1 Base Requirements

                • BC-1.1 BC-1.1 General Rules

                  • BC-1.1.1

                    This Module applies to all licensees.

                    October 2010

                  • BC-1.1.2

                    This Module aims to encourage high standards of business conduct, which are broadly applicable to all licensees, all types of regulated money changer services, and all types of customers.

                    October 2010

                  • BC-1.1.3

                    Licensees must comply with the Money Changers' Business Code of Practice ('the Code'), under Chapter 2 of this Module, throughout the lifetime of their relationship with a customer.

                    October 2010

                  • BC-1.1.4

                    Licensees must take responsibility for compliance with the Code by all persons carrying out regulated money changer services on their behalf. Licensees must put in place appropriate measures across all their business operations to ensure compliance with the Code.

                    October 2010

                  • BC-1.1.5

                    The Business Code of Practice comprises a number of overarching principles of business conduct, with respect to the conduct of regulated money changer services by licensees; these cover the various stages of the life of a customer relationship.

                    October 2010

                  • BC-1.1.6

                    Licensees must maintain adequate records to demonstrate compliance with the Code.

                    October 2010

                  • BC-1.1.7

                    The Code focuses on desired outcomes, rather than prescribing detailed measures to achieve those outcomes.

                    October 2010

                  • BC-1.1.8

                    The CBB will monitor compliance with the Code and business conduct standards. If required, the CBB may develop more detailed rules and guidance to supplement the existing Code.

                    October 2010

              • BC-2 BC-2 The Business Code of Practice

                • BC-2.1 BC-2.1 Overarching Principles

                  • BC-2.1.1

                    In the course of regulated money changer services, licensees must:

                    (a) Act with due skill, care and diligence in all dealings with customers;
                    (b) Act fairly and reasonably in all dealings with customers;
                    (c) Identify customers' specific requirements in relation to the services about which they are enquiring;
                    (d) Provide sufficient information to enable customers to make informed decisions when purchasing services offered to them, as listed under Paragraph BC-2.5.2 of the Appendix;
                    (e) Provide sufficient and timely documentation to customers to confirm that their transaction arrangements are in place and provide all necessary information about their rights and responsibilities, as listed under Paragraph BC-2.5.3 of the Appendix;
                    (f) Maintain fair treatment of customers through the lifetime of the customer relationships, and ensure that customers are kept informed of important events;
                    (g) Ensure complaints from customers are dealt with fairly and promptly, in accordance with the Rules under Section BC-2.3;
                    (h) Ensure that all information provided to customers is clear, fair and not misleading, and appropriate to customers' information needs; and
                    (i) Take appropriate measures to safeguard any money and precious metals handled on behalf of customers and maintain confidentiality of customer information.
                    October 2010

                • BC-2.2 BC-2.2 Marketing and Promotion

                  • BC-2.2.1

                    Licensees must ensure that all advertising and promotional material is fair, clear and not misleading.

                    October 2010

                  • BC-2.2.2

                    In ensuring that the description of the service in the promotional material is fair, clear and not misleading, the licensee should send copies of the documentation relating to promotional schemes to the CBB at least 2 weeks prior to their launch and should, among other precautionary measures, ensure that:

                    a) The purpose, and to the extent practicable, the content, of the information or communication are likely to be understood by the average member of the group to whom the communication is addressed;
                    b) Key items contained in the information are given due prominence;
                    c) The method of presentation in the information does not disguise, diminish, or obscure important risks, warnings or information; and
                    d) The communication does not omit information that is material to ensure it is fair, clear and not misleading.
                    October 2010

                  • BC-2.2.3

                    Licensees must ensure that the accuracy of all material statements of fact in promotional materials is supported by adequate evidence.

                    October 2010

                  • BC-2.2.4

                    Licensees must not, in any form of communication with an individual customer, attempt to limit or avoid any duty or liability it may have towards the individual customer in relation to regulated money changing services.

                    October 2010

                  • Content of Promotions

                    • BC-2.2.5

                      Before a licensee communicates any promotional material to a customer or a potential customer it must ensure the promotional material at the very least contains the information laid out in Paragraph BC-2.5.1 of the Appendix.

                    • BC-2.2.6

                      Licensees must not make use of the name of the CBB in any promotion in such a way that would indicate endorsement or approval of its services.

                    • BC-2.2.7

                      All documentation concerning promotional schemes must be in Arabic and English and, if relevant, any other language necessary for customers to fully understand and appreciate their terms and conditions. Such terms and conditions, including any related advertising, need to be clear, concise, truthful, unambiguous and complete so as to enable customers to make a fully informed decision.

                    • BC-2.2.8

                      Customers to whom promotional schemes are directed should enjoy equal opportunity in terms of access to, and treatment within, such schemes.

                    • BC-2.2.9

                      No costs (including funding costs), charges or levies associated with promotional schemes should be concealed from prospective customers.

                    • BC-2.2.10

                      Any raffles/lotteries etc. held as part of promotional schemes should be independently monitored (e.g. by the institution's external auditor) and adequate systems put in place to ensure fair play and impartiality.

                    • BC-2.2.11

                      An appropriate system should also exist for informing participants of the results of a raffle/lottery without delay.

                    • BC-2.2.12

                      Institutions should note that raffles/lotteries etc. may be subject to rules and requirements (including prior authorisation/approval) laid down by the Ministry of Industry and Commerce.

                  • Records

                    • BC-2.2.13

                      Licensees must maintain a record of all promotional materials issued by them or on their behalf, particularly where raffles/lotteries etc. are concerned.

                • BC-2.3 BC-2.3 Complaints

                  • BC-2.3.1

                    Licensees must disclose, maintain and operate effective procedures for handling complaints in a reasonable and timely manner. These procedures include:

                    (a) Informing customers in writing of any out of court complaint and redress mechanism and methods for having access to it;
                    (b) Paying compensation or other forms of redress to customers where the licensee decides this is appropriate; and
                    (c) Regularly verifying if complaints are effectively processed.
                    October 2010

                  • BC-2.3.2

                    Upon receiving complaints from customers (either orally or in writing), licensees must:

                    (a) Acknowledge complaints promptly, within 5 business days, and provide customers with an explanation about how the complaint will be handled and any actions required of the customer;
                    (b) Consider and handle complaints fairly and promptly, keeping customers informed of progress; and
                    (c) Provide final responses to customers' complaints without undue delay and within 20 business days.
                    October 2010

                  • BC-2.3.3

                    In their final responses to customers' complaints, licensees must:

                    (a) Accept (or partially accept) the complaint and where appropriate offer compensation or other forms of redress; or
                    (b) Reject (or partially reject) the complaint, informing customers with a full explanation of the licensee's position.
                    October 2010

                  • Records

                    • BC-2.3.4

                      Licensees must maintain adequate records of all complaints received, and how they were dealt with, to a level of detail sufficient to demonstrate compliance with this Section and in accordance with the Rules under Section GR-1.

                      October 2010

                    • BC-2.3.5

                      In recording complaints activity, licensees should consider the types of data and reports that will enable them to demonstrate compliance with the above Rules for handling complaints, together with the overarching principles requiring fair dealings with customers.

                      October 2010

                • BC-2.4 BC-2.4 Confidentiality

                  • BC-2.4.1

                    Licensees must ensure that any information obtained from their customers is not used or disclosed unless:

                    (a) They have the customer's consent;
                    (b) Disclosure is made in accordance with the licensee's regulatory obligations; or
                    (c) The licensee is legally obliged to disclose the information in accordance with Article 117 of the CBB Law.
                    October 2010

                  • BC-2.4.2

                    Licensees must take appropriate steps to ensure the security of any information handled or held on behalf of their customers.

                    October 2010

                • BC-2.5 BC-2.5 Appendix

                  • BC-2.5.1

                    The minimum information that should be contained in promotional material includes:

                    (a) The name of the licensee communicating the promotional material;
                    (b) The licensee's address;
                    (c) A description of the main characteristics of the service offered;
                    (d) Suitable warning regarding the risks of the service offered; and
                    (e) A clear statement indicating that, if a customer is in any doubt about the suitability of the agreement which is the subject of the promotion, he should consult the licensee.
                    October 2010

                  • BC-2.5.2

                    The minimum information that should be provided to customers when purchasing regulated money changer services include:

                    (a) The regulatory status of the licensee;
                    (b) A statement that the licensee is bound by the CBB's regulation and licensing conditions;
                    (c) The licensee's name, address, e-mail and telephone number;
                    (d) A statement of the services provided by the licensee, as permitted by the CBB;
                    (e) The total price to be paid by the customer to the licensee for its services, or, where an exact price cannot be indicated, the basis for the calculation of the price enabling the customer to verify it;
                    (f) A statement that clearly indicates the following:
                    (i) The customer's right to obtain copies of records relating to his business with the licensee;
                    (ii) The customer's record will be kept for 5 years or as otherwise required by Bahrain Law; and
                    (g) The name and job title, address and telephone number of the person in the licensee to whom any complaint should be addressed (in writing) by the customer.
                    Amended: July 2019
                    October 2010

                  • BC-2.5.3

                    The minimum information that should be included in a transaction confirmation includes:

                    (a) The licensee's name and address;
                    (b) The customer's name or other identifier;
                    (c) Whether the transaction was a sale or purchase;
                    (d) The date and time of the transaction; and
                    (e) The amount the licensee charges in connection with the transaction, including commission charges.
                    October 2010

            • RM RM Money Changers Risk Management Module

              • RM-A RM-A Introduction

                • RM-A.1 RM-A.1 Purpose

                  • Executive Summary

                    • RM-A.1.1

                      This Module contains requirements relating to the management of risk by licencees. It expands on certain high level requirements contained in other Modules. In particular, Section AU-2.6 of Module AU (Authorisation) specifies requirements regarding systems and controls that have to be met as a license condition; Principle 10 of the Principles of Business (ref. PB-1.10) requires licencees to have systems and controls sufficient to manage the level of risk inherent in their business; and Module HC (High-level Controls) specifies various requirements relating to the role and composition of Boards, and related high-level controls.

                      October 2010

                    • RM-A.1.2

                      This Module obliges licensees to recognise the range of risks that they face and the need to manage these effectively. Their risk management framework is expected to have the resources and tools to identify, monitor and control all material risks. The adequacy of a licensee's risk management framework is subject to the scale and complexity of its operations, however. In demonstrating compliance with certain Rules, licensees with very simple operational structures and business activities may need to implement less extensive or sophisticated risk management systems, compared to licensees with a complex and/or extensive customer base or operations.

                      October 2010

                  • Legal Basis

                    • RM-A.1.3

                      This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) regarding Risk Management requirements applicable to licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

                      Amended: January 2011
                      October 2010

                    • RM-A.1.4

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

                      October 2010

                • RM-A.2 RM-A.2 Module History

                  • Evolution of the Module

                    • RM-A.2.1

                      This Module was first issued in October 2010. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    • RM-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      RM-A.1.3 01/2011 Clarified legal basis.
                      RM-2.1.2 10/2017 Amended Paragraph to allow the utilization of cloud services.
                      RM-2.1.4A 10/2017 Added a new Paragraph on outsourcing requirements.
                      RM-2.1.7 10/2017 Amended Paragraph.
                      RM-2.1.9 10/2017 Amended Paragraph.
                      RM-2.1.11 10/2017 Amended Paragraph.
                      RM-2.1.13 10/2017 Added a new Paragraph on outsourcing.
                      RM-2.1.15 10/2017 Amended Paragraph.
                      RM-2.2.9 10/2017 Amended Paragraph.
                      RM-2.2.15 10/2017 Amended Paragraph.
                      RM-2.2.16 10/2017 Added a new Paragraph on security measures related to cloud services.
                      RM-2.3.2 10/2017 Amended Paragraph.
                      RM-1.5.5 01/2021 Added a new Paragraph on electronic fraud.
                      RM-1.5.6 01/2021 Added a new Paragraph on electronic fraud awareness.
                      RM-3 01/2022 Added a new Chapter on Cyber Security Risk Management.
                      RM-3.1.61 04/2022 Deleted reference to BR.
                      RM-3.1.58 04/2022 Amended Paragraph on cyber security incident reporting.
                      RM-3.1.59 04/2022 Amended Paragraph on submission period of the cyber security incident report.
                      RM-2 07/2022 Replaced Chapter RM-2 with new Outsourcing Requirements.
                      RM-3.1.22 10/2022 Amended Paragraph on email domains requirements.
                      RM-3.1.22A 10/2022 Added a new Paragraph on additional domains requirements.
                      RM-1.5.7 – RM-1.5.9 07/2023 Added new Rules on secured customer authentication requirements.

                  • Superseded Requirements

                    • RM-A.2.3

                      This Module does not replace any regulations or circulars in force prior to month year.

                      Document Ref. Date of Issue Module Ref. Document Subject
                             
                             
                      October 2010

              • RM-B RM-B Scope of Application

                • RM-B.1 RM-B.1 Scope of Application

                  • RM-B.1.1

                    The content of this Module applies to all Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

                    October 2010

              • RM-1 RM-1 General Requirements

                • RM-1.1 RM-1.1 Risk Management

                  • Board of Directors' Responsibility

                    • RM-1.1.1

                      The Board of Directors of licensees must take responsibility for the establishment of an adequate and effective framework for identifying, monitoring and managing risks across all its operations.

                      October 2010

                    • RM-1.1.2

                      The CBB expects the Board to be able to demonstrate that it provides suitable oversight and establishes, in relation to all the risks the licencee is exposed to, a risk management framework that includes setting and monitoring policies, systems, tools and controls.

                      October 2010

                    • RM-1.1.3

                      Although authority for the management of a firm's risks is likely to be delegated, to some degree, to individuals at all levels of the organisation, the overall responsibility for this activity should not be delegated from its governing body and relevant senior managers.

                      October 2010

                    • RM-1.1.4

                      A licencees's failure to establish, in the opinion of the CBB, an adequate risk management framework will result in it being in breach of Condition 6 of the Licensing Conditions of Section AU-2.6. This failure may result in the CBB withdrawing or imposing restrictions on the licensee, or the licensee being required to inject more capital.

                      October 2010

                    • RM-1.1.5

                      The Board of Directors must also ensure that there is adequate documentation of the licensee's risk management framework.

                      October 2010

                  • Systems and Controls

                    • RM-1.1.6

                      The risk management framework of licensees must provide for the establishment and maintenance of effective systems and controls as are appropriate to their business, so as to identify, measure, monitor and manage risks.

                      October 2010

                    • RM-1.1.7

                      An effective framework for risk management should include systems to identify, measure, monitor and control all major risks on an on-going basis. The risk management systems should be approved and periodically reviewed by the Board as outlined in HC-1.1.5.

                      October 2010

                    • RM-1.1.8

                      The systems and controls required by Paragraph RM-1.1.6 must be proportionate to the nature, scale and complexity of the firm's activities.

                      October 2010

                    • RM-1.1.9

                      The processes and systems required must enable the licensee to identify the major sources of risk to its ability to meet its liabilities as they fall due, which include but are not limited to the following:

                      (a) Counterparty Risk;
                      (b) Liquidity Risk;
                      (c) Market Risk; and
                      (d) Operational Risk.
                      October 2010

                • RM-1.2 RM-1.2 Counterparty Risk

                  • RM-1.2.1

                    Licensees must adequately document the necessary policies and procedures for identifying, measuring, monitoring and controlling counterparty risk. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.

                    October 2010

                  • RM-1.2.2

                    Among other things, the licensee's policies and procedures must identify the limits it applies to counterparties, how it monitors movements in counterparty risk and how it mitigates loss in the event of counterparty failure.

                    October 2010

                • RM-1.3 RM-1.3 Liquidity Risk

                  • RM-1.3.1

                    Licensees must maintain a liquidity risk policy for the management of liquidity risk, which is appropriate to the nature, scale and complexity of its activities. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.

                    October 2010

                  • RM-1.3.2

                    Among other things, the licensee's liquidity risk policy must identify the limits it applies, how it monitors movements in risk and how it mitigates loss in the event of unexpected liquidity events.

                    October 2010

                • RM-1.4 RM-1.4 Market Risk

                  • RM-1.4.1

                    Licensees must document their framework for the proactive management of market risk. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.

                    October 2010

                • RM-1.5 RM-1.5 Operational Risk

                  • RM-1.5.1

                    Licensees must document their framework for the proactive management of operational risk. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.

                    October 2010

                  • RM-1.5.2

                    Licensees must consider the impact of operational risks on their financial resources and solvency.

                    October 2010

                  • RM-1.5.3

                    Licensees' business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the licensee and its business portfolio.

                    October 2010

                  • RM-1.5.4

                    Business continuity management includes policies, standards, and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimise the operational, financial, legal, reputational and other material consequences arising from a disruption. Effective business continuity management concentrates on the impact, as opposed to the source, of the disruption, which affords financial industry participants and financial authorities greater flexibility to address a broad range of disruptions. At the same time, however, licencees cannot ignore the nature of risks to which they are exposed.

                    October 2010

                  • Electronic Frauds

                    • RM-1.5.5

                      Licensees must implement enhanced fraud monitoring of movements in customers’ accounts to guard against electronic frauds using various tools and measures, such as limits in value, volume and velocity.

                      Added: January 2021

                    • RM-1.5.6

                      Licensees must have in place customer awareness communications, pre and post registration process, using video calls, short videos or pop-up messages, to alert and warn natural persons using online channels or applications about the risk of electronic frauds, and emphasise the need to secure their personal credentials and not share them with anyone, online or offline.

                      Added: January 2021

                  • Secure Authentication

                    • RM-1.5.7

                      Licensees must take appropriate measures to authenticate the identity and authorisation of customers when the customer accesses the online or digital platform or when a transaction is initiated on the platform.

                      Licensees must, at a minimum, establish adequate security features for customer authentication including the use of at least two different elements out of the following three elements:

                      (a) Knowledge (something only the user knows), such as pin or password;
                      (b) Possession (something only the user possesses) such as mobile phone, smart watch, smart card or a token; and
                      (c) Inherence (something the user is), such as fingerprint, facial recognition, voice patterns, DNA signature and iris format.
                      Added: July 2023

                    • RM-1.5.8

                      For the purpose of Paragraph RM-1.5.7, licensees must ensure that the authentication elements are independent from each other, in that the breach of one does not compromise the reliability of the others and are sufficiently complex to prevent forgery.

                      Added: July 2023

                    • RM-1.5.9

                      For the purposes of Subparagraph RM-1.5.7 (b), where a customer’s mobile device is registered/marked as ‘trusted’ using knowledge, biometric or other authentication methods through the licensee’s application, the use of such mobile device would be considered as meeting the ‘possession’ element for authentication of future access or transactions using that device.

                      Added: July 2023

              • RM-2 RM-2 Outsourcing Requirements

                • RM-2.1 RM-2.1 Outsourcing Arrangements

                  • RM-2.1.1

                    This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

                    Amended: July 2022
                    October 2010

                  • RM-2.1.2

                    In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

                    Amended: July 2022
                    October 2010

                  • RM-2.1.3

                    In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

                    i. The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; and
                    ii. The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.
                    Amended: July 2022
                    Amended: October 2017
                    October 2010

                  • RM-2.1.4

                    The licensee must not outsource the following functions:

                    (i) Compliance;
                    (ii) AML/CFT;
                    (iii) Financial control;
                    (iv) Risk management; and
                    (v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).
                    Amended: July 2022
                    October 2010

                  • RM-2.1.5

                    For the purposes of Paragraph RM-2.1.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph RM-2.1.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.

                    Amended: July 2022
                    October 2010

                  • RM-2.1.6

                    Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph RM-2.1.4 (iv), subject to CBB’s prior approval.

                    Amended: July 2022
                    October 2010

                  • RM-2.1.7

                    Licensees must comply with the following requirements:

                    (i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:
                    a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and
                    b. be made at least 30 calendar days before the licensee intends to commit to the arrangement.
                    (ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.
                    (iii) Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.
                    (iv) Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of the licensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.
                    (v) Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement.
                    (vi) Licensee must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.
                    (vii) Licensee must inform its normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.
                    Amended: July 2022
                    Amended: October 2017
                    October 2010

                  • RM-2.1.8

                    For the purpose of Subparagraph RM-2.1.7 (iv), licensees as part of their assessments may use the following:

                    a) Independent third-party certifications on the outsourcing service provider’s security and other controls;
                    b) Third-party or internal audit reports of the outsourcing service provider; and
                    c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.

                    When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.

                    Amended: July 2022
                    October 2010

                  • RM-2.1.9

                    For the purpose of Subparagraph RM-2.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.

                    Amended: July 2022
                    Amended: October 2017
                    October 2010

                • RM-2.2 [This Section was deleted in July 2022]

                • RM-2.3 [This Section was deleted in July 2022]

                • RM-2.4 [This Section was deleted in July 2022]

              • RM-3 RM-3 Cyber Security Risk Management

                • RM-3.1 RM-3.1 Cyber Security Risk Management

                  • Role of the Board and Senior Management

                    • RM-3.1.1

                      The Board of money changer licensees must ensure that the licensee has a robust cyber security risk management framework to comprehensively manage the licensee’s cyber security risk and vulnerabilities. The Board must establish clear ownership, decision-making and management accountability for risks associated with cyber-attacks and related risk management and recovery processes.

                      Added: January 2022

                    • RM-3.1.2

                      Licensees must ensure that the cyber security risk management framework encompasses, at a minimum, the following components:

                      a) Cyber security strategy;
                      b) Cyber security policy; and
                      c) Cyber security risk management approach, tools and methodology and, an organization-wide security awareness program.
                      Added: January 2022

                    • RM-3.1.3

                      The cyber security risk management framework must be developed in accordance with the National Institute of Standards and Technology (NIST) Cyber security framework which is summarized in Appendix A – Cyber security Control Guidelines. At the broader level, the Cyber security framework should be consistent with the licensee’s risk management framework.

                      Added: January 2022

                    • RM-3.1.4

                      Senior management, and where appropriate, the boards, should receive comprehensive reports covering cyber security issues such as the following:

                      a. Key Risk Indicators/Key Performance Indicators;
                      b. Status reports on overall cyber security control maturity levels;
                      c. Status of staff Information Security awareness;
                      d. Updates on latest internal or relevant external cyber security incidents; and
                      e. Results from penetration testing exercises.
                      Added: January 2022

                    • RM-3.1.5

                      The Board must ensure that the cyber security risk management framework is evaluated for scope of coverage, adequacy and effectiveness every three years or when there are significant changes to the risk environment, taking into account emerging cyber threats and cyber security controls.

                      Added: January 2022

                    • RM-3.1.6

                      Licensees must have in place arrangements to handle cyber security risk management responsibilities. Licensees may, commensurate with their size and risk profile, assign the responsibilities to a qualified Chief Information Security Officer (CISO) reporting to an independent risk management function or incorporate the responsibilities of cyber security risk into the risk management function. Overseas licensees must be governed under a framework of cyber security risk management policies which ensure that an adequate level of oversight is exercised by the regional office or head office.

                      Added: January 2022

                    • RM-3.1.7

                      Licensees should ensure that appropriate resources are allocated to the cyber security risk management function for implementing the cyber security framework.

                      Added: January 2022

                    • RM-3.1.8

                      Licensees must ensure that the cyber security risk management function is headed by suitably qualified Chief Information Security Officer (CISO), with appropriate authority to implement the Cyber Security strategy.

                      Added: January 2022

                    • RM-3.1.9

                      Licensees may establish a cyber security committee that is headed by an independent senior manager from a control function (like CFO / CRO), with appropriate authority to approve policies and frameworks needed to implement the cyber security strategy, and act as a governance committee for the cyber security function. Membership of this committee should include senior management members from business functions, IT, Risk and Compliance.

                      Added: January 2022

                    • RM-3.1.10

                      The senior management must be responsible for the following activities:

                      (a) Create the overall cyber security risk management framework and adequately oversee its implementation;
                      (b) Formulate an organisation-wide cyber security strategy and cyber security policy;
                      (c) Implement and consistently maintain an integrated, organisation-wide, cyber security risk management framework, and ensure sufficient resource allocation;
                      (d) Monitor the effectiveness of the implementation of cyber security risk management practices and coordinate cyber security activities with internal and external risk management entities;
                      (e) Ensure that internal management reporting caters to cyber threats and cyber security risk treatment;
                      (f) Prepare quarterly or more frequent reports on all cyber incidents (internal and external) and their implications on the licensee; and
                      (g) Ensure that processes for identifying the cyber security risk levels across the licensee are in place and annually evaluated.
                      Added: January 2022

                    • RM-3.1.11

                      The senior management must ensure that:

                      (a) The licensee has identified clear internal ownership and classification for all information assets and data;
                      (b) The licensee has maintained an inventory of the information assets and data which is reviewed and updated regularly;
                      (c) The cyber security staff are adequate to manage the licensee’s cyber security risks and facilitate the performance and continuous improvement of all relevant cyber security controls;
                      (d) It provides and requires cyber security staff to attend regular cyber security update and training sessions (for example Security+, CEH, CISSP, CISA, CISM, CCSP) to stay abreast of changing cyber security threats and countermeasures.
                      Added: January 2022

                    • RM-3.1.12

                      With respect to Subparagraph RM-3.1.11(a), data classification entails analyzing the data the licensee retains, determining its importance and value, and then assigning it to a category. When classifying data, the following aspects of the policy should be determined:

                      a) Who has access to the data;
                      b) How the data is secured;
                      c) How long the data is retained (this includes backups);
                      d) What method should be used to dispose of the data;
                      e) Whether the data needs to be encrypted; and
                      f) What use of the data is appropriate.

                      The general guideline for data classification is that the definition of the classification should be clear enough so that it is easy to determine how to classify the data. In other words, there should be little (if any) overlap in the classification definitions. The owner of data (i.e. the relevant business function) should be involved in such classification.

                      Added: January 2022

                  • Cyber Security Strategy

                    • RM-3.1.13

                      An organisation-wide cyber security strategy must be defined and documented to include:

                      (a) The position and importance of cyber security at the licensee;
                      (b) The primary cyber security threats and challenges facing the licensee;
                      (c) The licensee’s approach to cyber security risk management;
                      (d) The key elements of the cyber security strategy including objectives, principles of operation and implementation approach;
                      (e) Scope of risk identification and assessment, which must include the dependencies on third party service providers;
                      (f) Approach to planning response and recovery activities; and
                      (g) Approach to communication with internal and external stakeholders including sharing of information on identified threats and other intelligence among industry participants.
                      Added: January 2022

                    • RM-3.1.14

                      The cyber security strategy should be communicated to the relevant stakeholders and it should be revised as necessary and, at least, once every three years. Appendix A provides cyber security control guidelines that can be used as reference to support the licensee’s cyber security strategy and cyber security policy.

                      Added: January 2022

                  • Cyber Security Policy

                    • RM-3.1.15

                      Licensees must implement a written cyber security policy setting forth its policies for the protection of its electronic systems and client data stored on those systems, which must be reviewed and approved by the licensee’s senior management, as appropriate, at least annually. The cyber security policy areas including but not limited to the following must be addressed:

                      (a) Definition of the key cyber security activities within the licensee, the roles, responsibilities, delegated powers and accountability for these activities;
                      (b) A statement of the licensee’s overall cyber risk tolerance as aligned with the licensee’s business strategy. The cyber risk tolerance statement should be developed through consideration of the various impacts of cyber threats including customer impact, service downtime, potential negative media publicity, potential regulatory penalties, financial loss, and others;
                      (c) Definition of main cyber security processes and measures and the approach to control and assessment;
                      (d) Policies and procedures (including process flow diagrams) for all relevant cyber security functions and controls including the following:
                      (a) Asset management (Hardware and software);
                      (b) Incident management (Detection and response);
                      (c) Vulnerability management;
                      (d) Configuration management;
                      (e) Access management;
                      (f) Third party management;
                      (g) Secure application development;
                      (h) Secure change management;
                      (i) Cyber training and awareness;
                      (j) Cyber resilience (business continuity and disaster planning); and
                      (k) Secure network architecture.
                      Added: January 2022

                  • Approach, Tools and Methodology

                    • RM-3.1.16

                      Licensees must ensure that the cyber security policy is effectively implemented through a consistent risk-based approach using tools and methodologies that are commensurate with the size and risk profile of the licensee. The approach, tools and methodologies must cover all cyber security functions and controls defined in the cyber security policy.

                      Added: January 2022

                    • RM-3.1.17

                      Licensees should establish and maintain plans, policies, procedures, process and tools (“playbooks”) that provide well-defined, organised approaches for cyber incident response and recovery activities, including criteria for activating the measures set out in the plans and playbooks to expedite the licensee’s response time. Plans and playbooks should be developed in consultation with business lines to ensure business recovery objectives are met and are approved by senior management before broadly shared across the licensee. They should be reviewed and updated regularly to incorporate improvements and/or changes in the licensee. Licensees may enlist external subject matter experts to review complex and technical content in the playbook, where appropriate. A number of plans and playbooks should be developed for specific purposes (e.g. response, recovery, contingency, communication) that align with the overall cyber security strategy.

                      Added: January 2022

                  • Prevention Controls

                    • RM-3.1.18

                      A Licensee must develop and implement preventive measures across all relevant technologies to minimise the licensee’s exposure to cyber security risk. Such preventive measures must include, at a minimum, the following:

                      (a) Deployment of End Point Protection (EPP) and Endpoint Detection and Response (EDR) including anti-virus software and anti-malware programs to detect, prevent, and isolate malicious code;
                      (b) Use of firewalls for network segmentation including use of Web Application Firewalls (WAF) where relevant, for filtering and monitoring HTTP traffic between a web application and the Internet, and access control lists to limit unauthorized system access between network segments;
                      (c) Rigorous security testing at software development stage as well as after deployment to limit the number of vulnerabilities;
                      (d) Use of a secure email gateway to limit email based cyber attacks such as malware attachments, malicious links, and phishing scams (for example use of Microsoft Office 365 Advanced Threat Protection tools for emails);
                      (e) Use of a Secure Web Gateway to limit browser based cyber-attacks, malicious websites and enforce organization policies;
                      (f) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on the organization’s systems; and
                      (g) Implementing Bring Your Own Device “BYOD” security policies to secure all mobile devices with any access to licensee systems, applications, and networks through security measures such as encryption, remote wipe capabilities, and password enforcement.
                      Added: January 2022

                    • RM-3.1.19

                      Licensees should also implement the following prevention controls in the following areas:

                      (a) Data leakage prevention to detect and prevent confidential data from leaving the licensee’s technology environment;
                      (b) Controls or solutions to secure, control, manage and monitor privileged access to critical assets, (e.g. Privileged Access Management (PAM);
                      (c) Controls to secure physical network ports against connection to computers which are unauthorised to connect to the licensee’s network or which do not meet the minimum-security requirements defined for licensee computer systems (e.g. Network access control); and
                      (d) Identity and access management controls to limit the exploitation and monitor the use of privileged and non-privileged accounts.
                      Added: January 2022

                    • RM-3.1.20

                      Licensees must set up anti-spam and anti-spoofing measures to authenticate the licensee’s mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorized to send the email. Examples of such measures include:

                      • SPF “Sender Policy Framework”;
                      • DKIM “Domain Keys Identified Mail”; and
                      • DMARC “Domain-based Message Authentication, Reporting and Conformance”.
                      Added: January 2022

                    • RM-3.1.21

                      Licensees should subscribe to one of the Cyber Threat Intelligence services in order to stay abreast of emerging cyber threats, cybercrime actors and state of the art tools and security measures.

                      Added: January 2022

                    • RM-3.1.22

                      Licensees must use a single unified private email domain or its subdomains for communication with customers to prevent abuse by third parties. Licensees must not utilise third-party email provider domains for communication with customers. The email domains must comply with the requirements with respect to SPF, DKIM and DMARC in this Module. With respect to URLs or other clickable links in communications with customers, licensees must comply with the following requirements:

                      (a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of customer request or action. Examples of such customer actions include verification links for customer onboarding, payment links for customer-initiated transactions etc;
                      (b) Refrain from using shortened links in communication with customers;
                      (c) Implement one or more of the following measures for links sent to customers:
                      i. ensure customers receive clear instructions in communications sent with the links;
                      ii. prior notification to the customer such as through a phone call informing the customer to expect a link from the licensee;
                      iii. provision of transaction details such as the transaction amount and merchant name in the message sent to the customer with the link;
                      iv. use of other verification measures like password or biometric authentication; and
                      (d) Create customer awareness campaigns to educate their customers on the risk of fraud related to links they receive in SMS, short messages and emails with clear instructions to customers that licensees will not send clickable links in SMS, emails and other short messages to request information or payments unless it is as a result of customer request or action.
                      Amended: October 2022
                      Added: January 2022

                    • RM-3.1.22A

                      For the purpose of Paragraph RM-3.1.22, subject to CBB’s approval, licensees may be allowed to use additional domains for email communications with customers under certain circumstances. Examples of such circumstances include emails sent to customers by:

                      (a) Head/regional office of a licensee; and
                      (b) Third-party service providers subject to prior arrangements being made with customers. Examples of such third-party services include informational subscription services (e.g. Bloomberg) and document management services (e.g. DocuSign).
                      Added: October 2022

                  • Cyber Risk Identification and Assessments

                    • RM-3.1.23

                      Licensees must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing current cyber threats relevant to the licensee, it should take into account the factors detailed below:

                      (a) Cyber threat entities including cyber criminals, cyber activists, insider threats;
                      (b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;
                      (c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;
                      (d) Dark web surveillance to identify any plot for cyber attacks;
                      (e) Examples of cyber threats from past cyber attacks on the licensee if available; and
                      (f) Examples of cyber threats from recent cyber attacks on other organisations.
                      Added: January 2022

                    • RM-3.1.24

                      Licensees must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. Cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood and probability of a successful attack.

                      Added: January 2022

                    • RM-3.1.25

                      Licensees should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above the licensee’s risk tolerance levels.

                      Added: January 2022

                    • RM-3.1.26

                      Licensees must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Assessments for external public facing services and systems must be more frequent.

                      Added: January 2022

                    • RM-3.1.27

                      With respect to Paragraph RM-3.1.25, external technology refers to the licensee’s public facing technology such as websites, apps and external servers. Connections with third parties includes any API or other connections with fintech companies, technology providers, outsourcing service providers etc.

                      Added: January 2022

                    • RM-3.1.28

                      Licensees must have in place vulnerability and patch management processes which include remediation processes to ensure that the vulnerabilities identified are addressed and that security patches are applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.

                      Added: January 2022

                    • RM-3.1.29

                      All licensees must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least once a year. However, licensees that provide services through digital channels must perform penetrating testing at least twice a year. These tests must be used to simulate real world cyber-attacks on the technology environment and must:

                      (a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
                      (b) Include both Grey Box and Black Box testing in its scope;
                      (c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
                      (d) Be performed by internal and external independent third parties which should be changed at least every two years; and
                      (e) Be performed on either the production environment or on non-production exact replicas of the production environment.
                      Added: January 2022

                    • RM-3.1.30

                      CBB may require additional third-party security reviews to be performed as needed.

                      Added: January 2022

                    • RM-3.1.31

                      The tests referred to in Paragraph RM-3.1.59 must be conducted each year in June and December. Reports on penetration testing must be submitted to CBB before 30th September for the tests as at 30th June and 31st March for the tests as at 31st December. The penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests together with the steps taken to mitigate the risks identified.

                      Added: January 2022

                  • Cyber Incident Detection and Management

                    • RM-3.1.32

                      Licensees must implement cyber security incident management processes to ensure timely detection, response and recovery for cyber security incidents. This includes implementing a monitoring system for log correlation and anomaly detection.

                      Added: January 2022

                    • RM-3.1.33

                      Licensees should receive data on a real time basis from all relevant systems, applications, and network devices including operational and business systems. The monitoring system should be capable of identifying indicators of cyber incidents and initiate alerts, reports, and response activities based on the defined cyber security incident management process.

                      Added: January 2022

                    • RM-3.1.34

                      Licensees should retain the logs and other information from the monitoring system for detecting cyber incidents, including "low-and-slow" attacks, in order to facilitate incident investigations, for 12 months or longer.

                      Added: January 2022

                    • RM-3.1.35

                      Once a cyber incident is detected, licensees should activate their containment measures, processes and technologies best suited to each type of cyber incident to prevent a cyber incident from inflicting further damage. This may involve, after considering the costs, business impact and operational risks, shutting down or isolating all or affected parts of their systems and networks as deemed necessary for containment and diagnosis.

                      Added: January 2022

                    • RM-3.1.36

                      Licensees must define roles and responsibilities and assign adequate resources to detect, identify, investigate and respond to cyber incidents that could impact the licensee’s infrastructure, services and customers. Such responsibilities must include log correlation, anomaly detection and maintaining the licensee’s asset inventory and network diagrams.

                      Added: January 2022

                    • RM-3.1.37

                      Licensees must regularly identify, test, review and update current cyber security risk scenarios and the corresponding response plan. This is to ensure that the scenarios and response plan remain relevant and effective, taking into account changes in the operating environment, systems or the emergence of new cyber security threats. If any gaps are identified, the monitoring system must be updated with new use cases and rule sets which are capable of detecting the current cyber incident scenarios.

                      Added: January 2022

                    • RM-3.1.38

                      The cyber incident scenario tests should include high-impact-low-probability events and scenarios that may result in failure. Common cyber incident scenarios include distributed denial of service (DDoS) attacks, system intrusion, data exfiltration and system disruption. Licensees should regularly use threat intelligence to update the scenarios so that they remain current and relevant. Licensees should periodically review current cyber incident scenarios for the purpose of assessing the licensee’s ability to detect and respond to these scenarios if they were to occur.

                      Added: January 2022

                    • RM-3.1.39

                      Licensees must ensure that critical cyber security incidents detected are escalated to an incident response team, management and the Board, in accordance with the licensee’s business continuity plan and crisis management plan, and that an appropriate response is implemented promptly. See also Paragraph RM-3.1.58 for the requirement to report to CBB.

                      Added: January 2022

                    • RM-3.1.40

                      Licensees should clearly define the roles, responsibilities and accountabilities for cyber incident detection and response activities to one or more named individuals that meet the pre-requisite role requirements. Potential conflicts of interest are minimised by ensuring a separation of implementation and oversight roles where possible. The roles should include:

                      Incident Owner: An individual that is responsible for handling the overall cyber incident detection and response activities according to the incident type and services affected. The Incident Owner is delegated appropriate authority to manage the mitigation or preferably, removal of all impacts due to the incident.
                      Spokesperson: An individual, from External Communications Unit or another suitable department, that is responsible for managing the communications strategy by consolidating relevant information and views from subject matter experts and the licensee’s management to update the internal and external stakeholders with consistent information.
                      Record Keeper: An individual that is responsible for maintaining an accurate record of the cyber incident throughout its different phases, as well as documenting actions and decisions taken during and after a cyber incident. The record serves as an accurate source of reference for after-action reviews to improve future cyber incident detection and response activities.
                      Added: January 2022

                    • RM-3.1.41

                      For the purpose of managing a critical cyber incident, the licensee should operate a situation room, and should include in the incident management procedure a definition of the authorities and responsibilities of staff members, internal and external reporting lines, communication channels, tools and detailed working procedures. The situation room or a war room is a physical room or a virtual room where relevant members of the management gather to handle a crisis in the most efficient manner possible.

                      Added: January 2022

                    • RM-3.1.42

                      Licensees should record and document in an orderly manner the incidents that have been handled and the actions that were taken by the relevant functions. In particular, the licensee should maintain an "incident log" in which all the notifications, decisions and actions taken, in relation to cyber incidents, are documented, as close as possible to the time of their occurrence. It should also include the status of the issue whether it is open or has been resolved and person in charge of resolving the issue/incident. The logs should be stored and preserved in a secure and legally admissible manner.

                      Added: January 2022

                    • RM-3.1.43

                      Licensees should utilise pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions; and a pre-established severity assessment framework to help gauge the severity of the cyber incident. For example, taxonomies that can be used when describing cyber incidents:

                      (a) Describe the cause of the cyber incident (e.g. process failure, system failure, human error, external event, malicious action)
                      (b) Describe whether the cyber incident due to a third-party service provider
                      (c) Describe the attack vector (e.g. malware, virus, worm, malicious hyperlink)
                      (d) Describe the delivery channel used (e.g. e-mail, web browser, removable storage media)
                      (e) Describe the impact (e.g. service degradation/disruption, service downtime, potential impact to customers, data leakage, unavailability of data, data destruction/corruption, tarnishing of reputation)
                      (f) Describe the type of incident (e.g. zero-day attack, exploiting a known vulnerability, isolated incident)
                      (g) Describe the intent (e.g. malicious, theft, monetary gain, fraud, political, espionage, opportunistic)
                      (h) Describe the threat actor (e.g. script kiddies, amateur, criminal syndicate, hacktivist, nation state)

                      The cyber incident severity may be classified as:

                      (a) Severity 1 incident has or will cause a serious disruption or degradation of critical service(s) and there is potentially high impact on public confidence in the licensee.
                      (b) Severity 2 incident has or will cause some degradation of critical services and there is medium impact on public confidence in the licensee.
                      (c) Severity 3 incident has little or no impact to critical services and there is no visible impact on public confidence in the licensee.
                      Added: January 2022

                    • RM-3.1.44

                      Licensees should determine the effects of the cyber incident on customers and to the wider financial system as a whole and report the results of such an assessment to CBB if it is determined that the cyber incident may have a systemic impact.

                      Added: January 2022

                    • RM-3.1.45

                      Licensees should establish metrics to measure the impact of a cyber incident and to report to management the performance of response activities. Examples include:

                      1. Metrics to measure impact of a cyber incident
                      (a) Duration of unavailability of critical functions and services
                      (b) Number of stolen records or affected accounts
                      (c) Volume of customers impacted
                      (d) Amount of lost revenue due to business downtime, including both existing and future business opportunities
                      (e) Percentage of service level agreements breached
                      2. Performance metrics for incident management
                      (a) Volume of incidents detected and responded via automation
                      (b) Dwell time (i.e. the duration a threat actor has undetected access until completely removed)
                      (c) Recovery Point objectives (RPO) and recovery time objectives (RTO) satisfied
                      Added: January 2022

                  • Recovery

                    • RM-3.1.46

                      Licensees must identify the critical systems and services within its operating environment that must be recovered on a priority basis in order to provide certain minimum level of services during the downtime and determine how much time the licensee will require to return to full service and operations.

                      Added: January 2022

                    • RM-3.1.47 RM-3.1.47

                      Critical incidents are defined as incidents that trigger the BCP and the crisis management plan. Critical systems and services are those whose failure can have material impact on any of the following elements:

                      a) Financial situation;
                      b) Reputation;
                      c) Regulatory, legal and contractual obligations; and
                      d) Operational aspects and delivery of key products and services.
                      Added: January 2022

                      • RM-3.1.48

                        Licensees must define a program for recovery activities for timely restoration of any capabilities or services that were impaired due to a cyber security incident. Licensees must establish recovery time objectives (“RTOs”), i.e. the time in which the intended process is to be covered, and recovery point objectives (“RPOs”), i.e. point to which information used must be restored to enable the activity to operate on resumption”. Licensees must also consider the need for communication with third party service providers, customers and other relevant external stakeholders as may be necessary.

                        Added: January 2022

                      • RM-3.1.49

                        Licensees must ensure that all critical systems are able to recover from a cyber security breach within the licensee’s defined RTO in order to provide important services or some level of minimum services for a temporary period of time.

                        Added: January 2022

                      • RM-3.1.50

                        Licensees should validate that recovered assets are free of compromise, fully functional and meet the security requirements before returning the systems to normal business operations. This includes performing checks on data to ensure data integrity. In some cases licensees may need to use backup data kept in a disaster recovery site or plan for the reconstruction of data from external stakeholders such as business partners and customers.

                        Added: January 2022

                      • RM-3.1.51

                        Licensees must define a program for exercising the various response mechanisms, taking into account the various types of exercises such as attack simulations, "war games" and "table top" exercises, and with reference to the relevant stakeholders such as technical staff, crisis management team, decision-makers and spokespersons.

                        Added: January 2022

                      • RM-3.1.52

                        Licensees must define the mechanisms for ensuring accurate, timely and actionable communication of cyber incident response and recovery activities with the internal stakeholders, including to the board or designated committee of the board.

                        Added: January 2022

                      • RM-3.1.53

                        Licensee must ensure its business continuity plan is comprehensive and includes a recovery plan for its systems, operations and services arising from a cyber security incident.

                        Added: January 2022

                  • Cyber Security Insurance

                    • Training and Awareness

                      • RM-3.1.54 RM-3.1.54

                        Licensees must arrange to seek cyber risk insurance cover from a suitable insurer, following a risk-based assessment of cyber security risk is undertaken by the respective licensee and independently verified by the insurance company. The insurance policy may include some or all of the following types of coverage, depending on the risk assessment outcomes:

                        (a) Crisis management expenses, such as costs of notifying affected parties, costs of forensic investigation, costs incurred to determine the existence or cause of a breach, regulatory compliance costs, costs to analyse the insured’s legal response obligations;
                        (b) Claim expenses such as costs of defending lawsuits, judgments and settlements, and costs of responding to regulatory investigations; and
                        (c) Policy also provides coverage for a variety of torts, including invasion of privacy or copyright infringement. First-party coverages may include lost revenue due to interruption of data systems resulting from a cyber or denial of service attack and other costs associated with the loss of data collected by the insured.
                        Added: January 2022

                        • RM-3.1.55

                          Licensees must evaluate improvement in the level of awareness and preparedness to deal with cyber security risk to ensure the effectiveness of the training programmes implemented.

                          Added: January 2022

                        • RM-3.1.56

                          The licensee must ensure that all employees receive adequate training on a regular basis, in relation to cyber security and the threats they could encounter, such as through testing employee reactions to simulated cyber-attack scenarios. All relevant employees must be informed on the current cyber security breaches and threats. Additional training should be provided to ‘higher risk staff’.

                          Added: January 2022

                        • RM-3.1.57

                          The licensees must ensure that role specific cyber security training is provided on a regular basis to relevant staff including:

                          (a) Executive board and senior management;
                          (b) Cyber security roles;
                          (c) IT staff; and
                          (d) Any high-risk staff as determined by the licensee.
                          Added: January 2022

                    • Reporting to CBB

                      • RM-3.1.58

                        Upon occurrence or detection of any cyber security incident, whether internal or external, that compromises customer information or disrupts critical services that affect operations, licensees must contact the CBB, immediately (within one hour), on 17547477 and submit Section A of the Cyber Security Incident Report (Appendix RM-1) to CBB’s cyber incident reporting email, incident.Moneychanger@cbb.gov.bh, within two hours.

                        Amended: April 2022
                        Added: January 2022

                      • RM-3.1.59

                        Following the submission referred to in Paragraph RM-3.1.58, the licensee must submit to CBB Section B of the Cyber Security Incident Report (Appendix RM-1) within 10 calendar days of the occurrence of the cyber security incident. Licensees must include all relevant details in the report, including the full root cause analysis of the cyber security incident, its impact on the business operations and customers, and all measures taken by the licensee to stop the attack, mitigate its impact and to ensure that similar events do not recur. In addition, a weekly progress update must be submitted to CBB until the incident is fully resolved.

                        Amended: April 2022
                        Added: January 2022

                      • RM-3.1.60

                        With regards to the submission requirement mentioned in Paragraph RM-3.1.59, the licensee should submit the report with as much information as possible even if all the details have not been obtained yet.

                        Added: January 2022

                      • RM-3.1.61

                        The penetration testing report as per Paragraph RM-3.1.29, along with the steps taken to mitigate the risks must be maintained by the licensee for a five year period from the date of the report and must be provided to CBB within three months following the end of the month where the testing took place, i.e. for a June test, the report must be submitted at the latest by 30th September and for a December test, by 31st March.

                        Amended: April 2022
                        Added: January 2022

              • Appendix A – Cyber Security Control Guidelines

                The Control Guidelines consists of five Core tasks which are defined below. These Functions are not intended to form a serial path or lead to a static desired end state. Rather, the Functions should be performed concurrently and continuously to form an operational culture that addresses the dynamic cyber security risk.

                Identify – Develop an organisation-wide understanding to manage cyber security risk to systems, people, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Cyber Security Risk Management Framework. Understanding the business context, the resources that support critical functions, and the related cyber security risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

                Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cyber security incident.

                Detect – Develop and implement appropriate activities to identify the occurrence of a cyber security incident. The Detect Function enables timely discovery of cyber security events.

                Respond – Develop and implement appropriate activities to take action regarding a detected cyber security incident. The Respond Function supports the ability to contain the impact of a potential cyber security incident.

                Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cyber security incident.

                Below is a listing of the specific cyber security activities that are common across all critical infrastructure sectors:

                IDENTIFY

                Asset Management: The data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the licensee’s risk strategy.

                1. Physical devices and systems within the licensee are inventoried.
                2. Software platforms and applications within the licensee are inventoried.
                3. Communication and data flows are mapped.
                4. External information systems are catalogued.
                5. Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
                6. Cyber security roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.

                Business Environment: The licensee’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cyber security roles, responsibilities, and risk management decisions.

                1. Priorities for the licensee’s mission, objectives, and activities are established and communicated.
                2. Dependencies and critical functions for delivery of critical services are established.
                3. Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations).

                Governance: The policies, procedures, and processes to manage and monitor the licensee’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cyber security risk.

                1. licensee’s cyber security policy is established and communicated.
                2. Cyber security roles and responsibilities are coordinated and aligned with internal roles and external partners.
                3. Legal and regulatory requirements regarding cyber security, including privacy and civil liberties obligations, are understood and managed.
                4. Governance and risk management processes address cyber security risks.

                Risk Assessment: The licensee understands the cyber security risk to licensee’s operations (including mission, functions, image, or reputation), licensee’s assets, and individuals.

                1. Asset vulnerabilities are identified and documented.
                2. Cyber threat intelligence is received from information sharing forums and sources.
                3. Threats, both internal and external, are identified and documented.
                4. Potential business impacts and likelihoods are identified.
                5. Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
                6. Risk responses are identified and prioritized.

                Risk Management Strategy: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

                1. Risk management processes are established, managed, and agreed to by licensee’s stakeholders.
                2. The licensee’s risk tolerance is determined and clearly expressed.
                3. The licensee’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.

                Third Party Risk Management: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing third party risk. The licensee has established and implemented the processes to identify, assess and manage supply chain risks.

                1. Cyber third-party risk management processes are identified, established, assessed, managed, and agreed to by the licensee’s stakeholders.
                2. Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber third-party risk assessment process.
                3. Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of a licensee’s cyber security program.
                4. Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
                5. Response and recovery planning and testing are conducted with suppliers and third-party providers.

                PROTECT

                Identity Management, Authentication and Access Control: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

                1. Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.
                2. Physical access to assets is managed and protected.
                3. Remote access is managed.
                4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
                5. Network integrity is protected (e.g., network segregation, network segmentation).
                6. Identities are proofed and bound to credentials and asserted in interactions
                7. Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).

                Awareness and Training: The licensee’s personnel and partners are provided cyber security awareness education and are trained to perform their cyber security-related duties and responsibilities consistent with related policies, procedures, and agreements.

                1. All users are informed and trained on a regular basis.
                2. Licensee’s security awareness programs are updated at least annually to address new technologies, threats, standards, and business requirements.
                3. Privileged users understand their roles and responsibilities.
                4. Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
                5. The Board and senior management understand their roles and responsibilities.
                6. Physical and cyber security personnel understand their roles and responsibilities.
                7. Software development personnel receive training in writing secure code for their specific development environment and responsibilities.

                Data Security: Information and records (data) are managed consistent with the licensee’s risk strategy to protect the confidentiality, integrity, and availability of information.

                1. Data-at-rest classified as critical or confidential is protected through strong encryption.
                2. Data-in-transit classified as critical or confidential is protected through strong encryption.
                3. Assets are formally managed throughout removal, transfers, and disposition
                4. Adequate capacity to ensure availability is maintained.
                5. Protections against data leaks are implemented.
                6. Integrity checking mechanisms are used to verify software, firmware, and information integrity.
                7. The development and testing environment(s) are separate from the production environment.
                8. Integrity checking mechanisms are used to verify hardware integrity.

                Information Protection Processes and Procedures: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational units), processes, and procedures are maintained and used to manage protection of information systems and assets.

                1. A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).
                2. A System Development Life Cycle to manage systems is implemented
                3. Configuration change control processes are in place.
                4. Backups of information are conducted, maintained, and tested.
                5. Policy and regulations regarding the physical operating environment for licensee’s assets are met.
                6. Data is destroyed according to policy.
                7. Protection processes are improved.
                8. Effectiveness of protection technologies is shared.
                9. Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
                10. Response and recovery plans are tested.
                11. Cyber security is included in human resources practices (e.g., deprovisioning, personnel screening).
                12. A vulnerability management plan is developed and implemented.

                Maintenance: Maintenance and repairs of information system components are performed consistent with policies and procedures.

                1. Maintenance and repair of licensee’s assets are performed and logged, with approved and controlled tools.
                2. Remote maintenance of licensee’s assets is approved, logged, and performed in a manner that prevents unauthorized access.

                Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

                1. Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
                2. Removable media is protected and its use restricted according to policy.
                3. The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
                4. Communications and control networks are protected.
                5. Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.

                DETECT

                Anomalies and Events: Anomalous activity is detected and the potential impact of events is understood.

                1. A baseline of network operations and expected data flows for users and systems is established and managed.
                2. Detected events are analyzed to understand attack targets and methods.
                3. Event data are collected and correlated from multiple sources and sensors
                4. Impact of events is determined.
                5. Incident alert thresholds are established.

                Security Continuous Monitoring: The information system and assets are monitored to identify cyber security events and verify the effectiveness of protective measures.

                1. The network is monitored to detect potential cyber security events.
                2. The physical environment is monitored to detect potential cyber security events
                3. Personnel activity is monitored to detect potential cyber security events.
                4. Malicious code is detected.
                5. Unauthorized mobile code is detected.
                6. External service provider activity is monitored to detect potential cyber security events.
                7. Monitoring for unauthorized personnel, connections, devices, and software is performed.
                8. Vulnerability scans are performed at least quarterly.

                Detection Processes: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.

                1. Roles and responsibilities for detection are well defined to ensure accountability.
                2. Detection activities comply with all applicable requirements.
                3. Detection processes are tested.
                4. Event detection information is communicated.
                5. Detection processes are continuously improved.

                RESPOND

                Response Planning: Response processes and procedures are executed and maintained, to ensure response to detected cyber security incidents. Response plan is executed during or after an incident.

                Communications: Response activities are coordinated with internal and external stakeholders.

                1. Personnel know their roles and order of operations when a response is needed.
                2. Incidents are reported consistent with established criteria.
                3. Information is shared consistent with response plans.
                4. Coordination with internal and external stakeholders occurs consistent with response plans.
                5. Voluntary information sharing occurs with external stakeholders to achieve broader cyber security situational awareness.
                6. Incident response exercises and scenarios across departments are conducted at least annually.

                Analysis: Analysis is conducted to ensure effective response and support recovery activities.

                1. Notifications from detection systems are investigated.
                2. The impact of the incident is understood.
                3. Forensics are performed.
                4. Incidents are categorized consistent with response plans.
                5. Processes are established to receive, analyze and respond to vulnerabilities disclosed to the licensee from internal and external sources (e.g. internal testing, security bulletins, or security researchers).

                Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.

                1. Incidents are contained.
                2. Incidents are mitigated.
                3. Newly identified vulnerabilities are mitigated or documented as accepted risks.

                Improvements: The response activities are improved by incorporating lessons learned from current and previous detection/response activities.

                1. Response plans incorporate lessons learned.
                2. Response strategies are updated.

                RECOVER

                Recovery Planning: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cyber security incidents. Recovery plan is executed during or after a cyber security incident.

                Improvements: Recovery planning and processes are improved by incorporating lessons learned into future activities.

                1. Recovery plans incorporate lessons learned.
                2. Recovery strategies are updated.

                Communications: Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).

                1. Public relations are managed.
                2. Reputation is repaired after an incident.
                3. Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.
                Added: January 2022

          • Reporting Requirements

            • BR BR Money Changers CBB Reporting Module

              • BR-A BR-A Introduction

                • BR-A.1 BR-A.1 Purpose

                  • Executive Summary

                    • BR-A.1.1

                      This Module sets out requirements applicable to licensees regarding reporting to the CBB. These include the provision of financial information to the CBB by way of prudential returns, as well as notification to the CBB of certain specified events, some of which require prior CBB approval. This Module also outlines the methods used by the CBB in gathering information required in the supervision of licensees.

                      October 2010

                    • BR-A.1.2

                      The requirements in this Module apply to all Money Changer licensees.

                      October 2010

                  • Legal Basis

                    • BR-A.1.3

                      This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) regarding CBB Reporting requirements applicable to licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

                      Amended: January 2011
                      October 2010

                    • BR-A.1.4

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

                      October 2010

                • BR-A.2 BR-A.2 Module History

                  • Evolution of Module

                    • BR-A.2.1

                      This Module was first issued in October 2010. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made: UG-3 provides further details on Rulebook maintenance and version control.

                    • BR-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      BR-A.1.3 01/2011 Clarified legal basis.
                      BR-1.5.20 and 1.5.21 01/2011 Added IIS reporting requirements.
                      BR-2.1.5 01/2011 Minor amendment to clarify reference of guidance.
                      BR-2.2.5 01/2011 Minor amendment to correct typo.
                      BR-2.2.6, BR-2.2.12 01/2011 Minor amendment.
                      BR-2.2.7 and BR-2.2.8 01/2011 Guidance Paragraphs deleted.
                      BR-2.3.1, BR-2.3.2 and BR-2.3.14 04/2011 Clarified prior approval requirements in relation to subsidiary undertakings.
                      BR-3.1.1A and BR-3.1.1B 04/2012 Added Paragraphs to clarify Rules on power to request information.
                      BR-3.3.1 and BR-3.4 04/2012 Minor corrections.
                      BR-3.5 04/2012 New Section added to include material transferred from common Chapters EN-2 and AA-5
                      BR-2.3.5A 10/2012 Added guidance to clarify requirements for change of address for branches.
                      BR-1.5.20 01/2013 Clarified deadline to update IIS.
                      BR-3.5.14 07/2013 Amended numbering of referred appendix.
                      BR-1.3.2A 10/2014 Added annual requirement to file the Insurance Coverage Return as required under Paragraph GR-7.1.4.
                      BR-1.6 04/2017 Added a new Section on Onsite Inspection Reporting.
                      BR-1.1.1 10/2018 Amended Paragraph.
                      BR-1.2.1 10/2018 Amended Paragraph.
                      BR-1.3.1 10/2018 Amended Paragraph.
                      BR-1.5.1A 10/2019 Added a new Paragraph on disclosure of financial penalties.
                      BR-2.3.13 01/2020 Amended Paragraph.
                      BR-1.2.2 01/2022 Amended Paragraph on submission of the Quarterly Prudential Returns.
                      BR-1.6.2 01/2022 Amended Paragraph on the submission of the written assessment of the observations/issues raised in the Inspection draft report.
                      BR-2.2.17 01/2023 Amended Paragraph deleting reference to RM.
                      BR-2.3.15 01/2023 Deleted Paragraph on CBB approval for outsourcing arrangements.

                  • Superseded Requirements

                    • BR-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory instruments:

                      Circular/ other reference Subject
                      EDBC/73/96 No objection for promotions
                      BC/9/99 Quarterly Information Report (QIR).
                      BC/24/99 Submission of audited Accounts and Management Letter/ Dividend Approval
                      BC/1/2000 Monthly Return
                      BC/505/2001 Computerized Information Reports
                      EDBO/WR/007/2004 Report on Counterfeiting Activity
                      BS/09/2005 Accounts for Charity Organizations
                      CI/27/2006 Report on Counterfeit Currency Detection Equipment
                      OG/080/2007 Directive on measures to detect counterfeit currency
                      October 2010

              • BR-B BR-B Scope of Application

                • BR-B.1 BR-B.1 Scope of Application

                  • BR-B.1.1

                    The content of this Module applies to all Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

                    October 2010

              • BR-1 BR-1 Prudential Reporting

                • BR-1.1 BR-1.1 Monthly Prudential Reporting

                  • Monthly Prudential Return

                    • BR-1.1.1

                      All licensees must prepare and submit to the CBB, through the Money Changers System (as required by the CBB), a Monthly Prudential Return (MC-MPR).

                      Amended: October 2018
                      October 2010

                    • BR-1.1.2

                      The Monthly Prudential Return must be submitted to the CBB within 20 calendar days of each month end.

                      October 2010

                  • Other Monthly Reports

                    • BR-1.1.3

                      All licensees must submit a report to the CBB at the end of each month, listing the name(s) and transaction details of customers whose transactions either singly or aggregately are equivalent to, or greater than, 5% of the total turnover of the licensee, during a month.

                      October 2010

                • BR-1.2 BR-1.2 Quarterly Prudential Reporting

                  • BR-1.2.1

                    All licensees must prepare and submit to the CBB, through the Money Changers System (as required by the CBB), a Quarterly Prudential Return (MC-QPR).

                    Amended: October 2018
                    October 2010

                  • BR-1.2.2

                    The Quarterly Prudential Return must be submitted to the CBB within 30 calendar days of each quarter end (as defined in Rule BR-1.2.4).

                    Amended: January 2022
                    Added: October 2010

                  • Valuation of Assets and Liabilities

                    • BR-1.2.3

                      Amounts included within the Quarterly Prudential Return must be determined in accordance with the recognition and measurement principles specified by International Financial Reporting Standards.

                      October 2010

                    • BR-1.2.4

                      For the purpose of reporting requirements under this Section, the quarter end of a licensee must be a 3-month period ending on 31 March, 30 June, 30 September or 31 December.

                      October 2010

                • BR-1.3 BR-1.3 Annual Prudential Reporting

                  • BR-1.3.1

                    All licensees must prepare and submit to the CBB, through the Money Changers System (as required by the CBB), an Annual Prudential Return (MC-APR).

                    Amended: October 2018
                    October 2010

                  • BR-1.3.2

                    The Annual Prudential Return must be submitted to the CBB within 3 months of the end of the financial year (as defined in Rule BR-1.3.4).

                    October 2010

                  • BR-1.3.2A

                    In accordance with Paragraph GR-7.1.4, licensees must submit the Insurance Coverage Return (Form ICR) on an annual basis, within 3 months of the end of the financial year.

                    Added: October 2014

                  • Valuation of Assets and Liabilities

                    • BR-1.3.3

                      Amounts included within the Annual Prudential Return must be determined in accordance with the recognition and measurement principles specified by International Financial Reporting Standards.

                    • BR-1.3.4

                      The financial year of a licensee must be a 12-month period ending on 31 December, except where the licensee has obtained the written consent from the CBB for either the period or the period end to be other than 12 months and 31 December respectively. In any event, the financial year can never be less than a 6-month period or greater than an 18-month period.

                • BR-1.4 BR-1.4 Public Disclosure

                  • BR-1.4.1

                    Submitted Forms Monthly, Quarterly and Annual Prudential Reports are not public documents and will not be disclosed to third parties by the CBB without the licensee's consent. However, the CBB may from time to time publish aggregate information derived from such Forms, relating to licensees or the Bahrain money changing sector as a whole.

                    October 2010

                  • BR-1.4.2

                    Whilst submitted Forms are not public documents, licensees are not prevented from providing complete copies to third parties.

                    October 2010

                • BR-1.5 BR-1.5 Other Reporting Requirements

                  • Audited Financial Statements

                    • BR-1.5.1

                      As specified in Article 62 of the CBB Law, a licensee must submit to the CBB its final audited financial statements within 3 months of the licensee's financial year-end.

                      October 2010

                    • BR-1.5.1A

                      In accordance with Paragraphs EN-B.4.5 and EN-5.2.2, licensees must disclose in their annual audited financial statements the amount of any financial penalties paid to the CBB, together with a factual description of the reason(s) given by the CBB for the penalty. Licensees which fail to comply with this requirement will be required to make the disclosure in the annual audited financial statements of the subsequent year and will be subject to an enforcement action for non-disclosure.

                      Added: October 2019

                    • BR-1.5.2

                      Audited accounts of a licensee should be prepared in accordance with the International Financial Accounting Standards (IFRS) and with the requirements outlined in Appendix 1 at the end of this Module.

                      October 2010

                    • BR-1.5.3

                      The Management Letter prepared by the external auditor must be submitted together with the final audited financial statements.

                      October 2010

                  • Charity Accounts

                    • BR-1.5.4

                      As per Rule FC-1.6.3 licensees must report at the end of every month, all payments and transfers of BD3,000 (or equivalent in foreign currencies) and above performed on behalf of charities registered in Bahrain. The report must be submitted to the CBB's Compliance Directorate, giving details of the amount transferred, name of charity, number and beneficiary name account and bank details.

                      October 2010

                  • Suspicious Transaction Reports (STR)

                    • BR-1.5.5

                      As per Rule FC-5.2.4, licensees must report all suspicious transactions or attempted transactions to the Financial Intelligence Unit at the Ministry of Interior and to the Compliance Directorate at the CBB.

                      October 2010

                    • BR-1.5.6

                      As per Rule FC-1.8.2 licensees must make a suspicious transaction report to the Compliance Directorate at the CBB and the Financial Intelligence Unit at the Ministry of Interior, if they are approached by a shell bank or an institution they suspect of being a shell bank.

                      October 2010

                    • BR-1.5.7

                      As per Rule FC-2.2.5, in the case of one-off transactions where there is no ongoing account relationship, the licensee must file an STR.

                      October 2010

                    • BR-1.5.8

                      As per Rule FC-5.2.3, if licensees suspect that a person has been engaged in money laundering or terrorism financing, or the activity concerned is regarded as suspicious, the licensee must report the fact promptly to the Financial Intelligence Unit at the Ministry of Interior and copy the Compliance Directorate at the CBB. The reports must be made using the STR Form and related instructions, included in Part B of Volume 5.

                      October 2010

                    • BR-1.5.9

                      As per Section FC-8.1, when dealing with entities or persons domiciled in countries or territories which are identified by the FATF as being non-cooperative or notified to licensees from time to time by the CBB, whenever the licensee has suspicions about the transaction, these must be reported to the Financial Intelligence Unit at the Ministry of Interior and the Compliance Directorate at the CBB.

                      October 2010

                    • BR-1.5.10

                      As per Rule FC-8.3.3, licensees must report to the Financial Intelligence Unit at the Ministry of Interior and the Compliance Directorate at the CBB, using the procedures contained in Section FC-5.2, details of any accounts or other dealings with persons and entities designated by the CBB as potentially linked to terrorist activity.

                      October 2010

                  • Reports Prepared by the MLRO

                    • BR-1.5.11

                      As per Rule FC-4.3.1(a) and (b), licensees must arrange for their MLRO to produce a report containing the number of internal reports made in accordance with Section FC-5.1, a breakdown of all the results of those internal reports and their outcomes for each segment of the licensee's business, and an analysis of whether controls or training need to be enhanced and a report, indicating the number of external reports made in accordance with Section FC-5.2 and, where a licensee has made an internal report but not made an external report, noting why no external report was made. These reports are to be submitted to the CBB by the 30th of April of the following year.

                      October 2010

                  • Report Prepared by the External Auditor

                    • BR-1.5.12

                      As per Rule FC-4.3.1(d), licensees must arrange for their external auditor to produce a report as to the quality of the licensee's anti-money laundering procedures, systems and controls, and compliance with the AML Law and Module FC (Financial Crime) to be submitted to the CBB by the 30th of April of the following year.

                      October 2010

                  • Terrorist Financing

                    • BR-1.5.13

                      As per Rule FC-8.2.4, licensees must report to the Compliance Directorate at the CBB, details of:

                      a) Funds or other financial assets or economic resources have with them which may be the subject of Article 1, paragraphs (c) and (d) of UNSCR 1373; and
                      b) All claims, whether actual or contingent, which the licensee has on persons and entities which may be the subject of Article 1, paragraphs (c) and (d) of UNSCR 1373.
                      October 2010

                  • Counterfeit Currency

                    • BR-1.5.14

                      In accordance with Rule GR-10.1.3, licensees must submit a report on any counterfeit currency discovered. The report should detail the name of the customer, the date of receipt of the notes(s), the name of the person who brought in the note(s), if different from the customer, and the action (if any) taken by the relevant licensee.

                      October 2010

                    • BR-1.5.15

                      In the case of counterfeit Bahraini Dinar currency, the report should be submitted to the Director of Currency Issue at the CBB, the Director of the Compliance Directorate at the CBB and copied to the Director of the Financial Intelligence Unit at the Ministry of Interior.

                      October 2010

                    • BR-1.5.16

                      In the case of all other foreign counterfeit currency, the report should be submitted to the Director of the Compliance Directorate at the CBB and copied to the Director of the Financial Intelligence Unit at the Ministry of Interior.

                      October 2010

                    • BR-1.5.17

                      Licensees must submit a report, in the form of a confirmation letter, detailing the use of counterfeit currency detection equipment at the premises, as per required under section GR-10.1. The report must be submitted annually and must provide the exact specifications of counterfeit currency detection devices installed at each licensees head office and branches. The report should be submitted to the Currency Issue Directorate at the CBB within one month following the end of every financial year.

                      October 2010

                  • Insurance Coverage Return

                    • BR-1.5.18

                      Licensees must submit an Insurance Coverage Return (Form ICR) on an annual basis. Additionally, they must provide, upon request, evidence to the CBB of the coverage in force.

                      October 2010

                  • Annual License Fee

                    • BR-1.5.19

                      Licensees must complete and submit Form ALF (Annual License Fee) to the CBB, no later than 30 April each year, together with the payment due under Rule AU-5.2.1.

                      October 2010

                  • Institutional Information System (IIS)

                    • BR-1.5.20

                      Licensees are required to complete online non-financial information related to their institution by accessing the CBB's institutional information system (IIS). Licensees must update the required information at least on a quarterly basis or when a significant change occurs in the non-financial information included in the IIS. If no information has changed during the quarter, the licensee must still access the IIS quarterly and confirm the information contained in the IIS. Licensees must ensure that they access the IIS within 20 calendar days from the end of the related quarter and either confirm or update the information contained in the IIS.

                      Amended: January 2013
                      January 2011

                    • BR-1.5.21

                      Licensees failing to comply with the requirements of Paragraph BR-1.5.20 or reporting inaccurate information are subject to financial penalties or other enforcement actions as outlined in Module (EN) Enforcement.

                      January 2011

                • BR-1.6 BR-1.6 Onsite Inspection Reporting

                  • BR-1.6.1

                    For the purpose of onsite inspection by the CBB, Licensees must submit requested inspection documents and completed questionnaires to the Inspection Directorate at the CBB three working days ahead of inspection team entry date.

                    Added: April 2017

                  • BR-1.6.2

                    Licensees must review the contents of the draft Inspection Report and submit to the Inspection Directorate at the CBB a written assessment of the observations/issues raised within fifteen working days of receipt of such report. Evidentiary documents supporting management’s comments must also be included in the response package.

                    Amended: January 2022
                    Added: April 2017

                  • BR-1.6.3

                    Licensees board are required to review the contents of the Inspection Report and submit within one month, of the report issue date, a final response to such report along with an action plan addressing the issues raised within the stipulated timeline.

                    Added: April 2017

                  • BR-1.6.4

                    Licensees failing to comply with the requirements of Paragraphs BR-1.6.1 and BR-1.6.2 are subject to date sensitive requirements and other enforcement actions as outlined in Module (EN) Enforcement.

                    Added: April 2017

              • BR-2 BR-2 Notifications and Approvals

                • BR-2.1 BR-2.1 Introduction

                  • BR-2.1.1

                    All notifications and approvals required in this Chapter are to be submitted by licensees in writing.

                    October 2010

                  • BR-2.1.2

                    In this Module, the term 'in writing' includes electronic communication capable of being reproduced in paper form.

                    October 2010

                  • BR-2.1.3

                    A licensee must make the notifications and approvals required in Chapter BR-2 immediately when it becomes aware, or has information which reasonably suggests, that any of the matters in Chapter BR-2 have occurred, may have occurred or may occur in the near future.

                    October 2010

                  • BR-2.1.4

                    The requirements imposed on licensees under this Chapter apply whether the event relates to a matter that has occurred in Bahrain or in any other jurisdiction.

                    October 2010

                  • BR-2.1.5

                    Licensees are required to provide the CBB with a range of information to enable it to monitor the licensee's compliance with Volume 5 (Specialised Licensees) of the CBB Rulebook. Some of this information is provided through regular reports, whereas others are in response to the occurrence of a particular event (such as a change in name or address). The following Sections list the commonly occurring reports for which a licensee will be required to notify the CBB or seek its approval.

                    Amended: January 2011
                    October 2010

                • BR-2.2 BR-2.2 Notification Requirements

                  • Matters Having a Serious Supervisory Impact

                    • BR-2.2.1

                      A licensee must notify the CBB if any of the following has occurred, may have occurred or may occur in the near future:

                      (a) The licensee failing to satisfy one or more of the Principles of Business referred to in Module PB;
                      (b) Any matter which could have a significant adverse impact on the licensee's reputation;
                      (c) Any matter which could affect the licensee's ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the licensee;
                      (d) Any matter in respect of the licensee that could result in material financial consequences to the financial system or to other licensees;
                      (e) A significant breach of any provision of the Rulebook (including a Principle);
                      (f) A breach of any requirement imposed by the relevant law or by regulations or an order made under any relevant law by the CBB; or
                      (g) If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way, it must notify the CBB immediately (ref. BR-3.3.2).
                      October 2010

                    • BR-2.2.2

                      The circumstances that may give rise to any of the events in Paragraph BR-2.2.1 are wide-ranging and the probability of any matter resulting in such an outcome, and the severity of the outcome, may be difficult to determine. However, the CBB expects licensees to consider properly all potential consequences of events.

                      October 2010

                    • BR-2.2.3

                      In determining whether an event that may occur in the near future should be notified to the CBB, a licensee should consider both the probability of the event happening and the severity of the outcome should it happen. Matters having a supervisory impact could also include matters relating to a controller that may indirectly have an effect on the licensee.

                      October 2010

                  • Legal, Professional, Administrative or other Proceedings Against a Licensee

                    • BR-2.2.4

                      A licensee must notify the CBB immediately of any legal, professional or administrative or other proceedings instituted against the licensee or controller of the licensee that is known to the licensee and is significant in relation to the licensee's financial resources or its reputation.

                      October 2010

                    • BR-2.2.5

                      A licensee must notify the CBB of the bringing of a prosecution for, or conviction of, any offence under any relevant law against the licensee that would prevent the licensee from meeting the Principles of Business (Module PB) or any of its Directors, officers or approved persons from meeting the fit and proper requirements of Module AU.

                      Amended: January 2011
                      October 2010

                  • Fraud, Errors and other Irregularities

                    • BR-2.2.6

                      A licensee must notify the CBB immediately if one of the following events arises:

                      (a) It becomes aware that an employee may have committed fraud against one of its customers;
                      (b) It becomes aware that a person, whether or not employed by it, is acting with intent to commit fraud against it;
                      (c) It identifies irregularities in its accounting or other records, whether or not there is evidence of fraud;
                      (d) It suspects that one of its employees may be guilty of serious misconduct concerning his honesty or integrity and which is connected with the licensee's regulated activities; or
                      (e) Any conflicts of interest.
                      Amended: January 2011
                      October 2010

                  • Insolvency, Bankruptcy and Winding Up

                    • BR-2.2.7

                      Except in instances where the CBB has initiated the following actions, a licensee must notify the CBB immediately of any of the following events:

                      (a) The calling of a meeting to consider a resolution for winding up the licensee or a controller of the licensee;
                      (b) An application to dissolve a controller of the licensee or to strike the licensee off the Register of Money Changing Companies;
                      (c) The presentation of a petition for the winding up of a controller of the licensee;
                      (d) The making of any proposals, or the making of, a composition or arrangement with any one or more of the licensee's creditors, for material amounts of debt;
                      (e) An application for the appointment of an administrator or trustee in bankruptcy to a controller of the licensee;
                      (f) The appointment of a receiver to a controller of the licensee (whether an administrative receiver or a receiver appointed over particular property); or
                      (g) An application for an interim order against the licensee, a controller of the licensee under the Bankruptcy and Composition Law of 1987 or similar legislation in another jurisdiction.
                      October 2010

                  • [Deleted January 2011]

                    Deleted: January 2011
                    October 2010

                    • BR-2.2.8

                      [This Paragraph was deleted in January 2011].

                    • BR-2.2.9

                      [This Paragraph was deleted in January 2011].

                  • External Auditor

                    • BR-2.2.10

                      A licensee must notify the CBB of the following:

                      (a) Removal or resignation of its external auditor (ref. AA-1.2.1); or
                      (b) Change in audit partner (ref. AA-1.3.3).
                      October 2010

                  • Approved Persons

                    • BR-2.2.11

                      A licensee must notify the CBB of the termination of employment of approved persons, including particulars of reasons for the termination and arrangements with regard to replacement (ref. AU-4.4.6).

                      October 2010

                    • BR-2.2.12

                      Licensees must immediately notify the CBB when they become aware of any of the events listed in Paragraph EN-8.2.3, affecting one of their approved persons.

                      Amended: January 2011
                      October 2010

                    • BR-2.2.13

                      Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee.

                      October 2010

                  • Capital Adequacy

                    • BR-2.2.14

                      In the event that a licensee fails to meet any of the requirements specified in Module CA (Capital Adequacy), it must, on becoming aware that it has breached the requirements, immediately notify the CBB in writing (ref. CA-1.1.5).

                      October 2010

                    • BR-2.2.15

                      As specified in Article 58 of the CBB Law, a licensee must notify the CBB immediately of any matter that may affect its financial position, currently or in the future, or limit its ability to meet its obligations.

                      October 2010

                  • Branches

                    • BR-2.2.16

                      An application for authorisation of a new branch will not be considered by the CBB unless the written confirmation that the preceding branch is operational, as required in Rule AU-4.2.4 above, has been submitted.

                      October 2010

                  • Outsourcing Arrangements

                    • BR-2.2.17

                      Licensees must immediately inform their normal supervisory contact at the CBB of any material problems or changes encountered with an outsourcing provider.

                      Amended: January 2023
                      October 2010

                    • BR-2.2.18

                      A licensee must nominate an approved person within the licensee to handle the responsibility of the day-to-day relationship with the outsourcing provider and to ensure that relevant risks are addressed. The CBB should be informed of the designated individual as part of the written prior approval required under Rule RM-2.1.7.

                      October 2010

                  • Controllers

                    • BR-2.2.19

                      If, as a result of circumstances outside the licensee's knowledge and/or control, one of the changes to their controllers specified in Paragraph GR-5.1.1 is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB as soon as it becomes aware of the fact and no later than 15 calendar days after the change occurs (ref. GR-5.1.4).

                      October 2010

                    • BR-2.2.20

                      As specified in Article 52 of the CBB Law, a licensee must notify the CBB of the following events:

                      (a) If effective control over a licensee takes place indirectly whether by way of inheritance or otherwise;
                      (b) Gaining control directly as a result of any action leading to it; or
                      (c)The intention to take any of the actions that would lead to control.
                      October 2010

                  • Promotional Schemes

                    • BR-2.2.21

                      Licensees must notify the CBB, and send copies of the documentation relating to promotional schemes, at least 2 weeks prior to their launch, after ensuring that such promotional schemes are in line with the Rules under Section BC-2.2.

                      October 2010

                • BR-2.3 BR-2.3 Approval Requirements

                  • Branches or Subsidiaries

                    • BR-2.3.1

                      In accordance with Rule AU-4.2.1, a licensee should seek prior written approval from the CBB for opening a branch or a subsidiary.

                      Amended: April 2011
                      October 2010

                    • BR-2.3.2

                      Licensees wishing to cancel an authorisation for a branch or subsidiary must obtain the CBB's written approval, before ceasing the activities of the branch or subsidiary.

                      Amended: April 2011
                      October 2010

                  • Change in Name

                    • BR-2.3.3

                      In accordance with Paragraph GR-3.1.1, a licensee must seek prior written approval from the CBB and give reasonable advance notice of a change in:

                      (a) The licensee's name (which is the registered name if the licensee is a body corporate); or
                      (b) The licensee's trade name.
                      October 2010

                    • BR-2.3.4

                      The request under Paragraph BR-2.3.3 must include the details of the proposed new name and the date on which the licensee intends to implement the change of name.

                      October 2010

                  • Change of Address

                    • BR-2.3.5

                      As specified in Article 51 of the CBB Law, a licensee must seek approval from the CBB and give reasonable advance notice of a change in the address of the licensee's principal place of business in Bahrain, and that of its branches.

                      October 2010

                    • BR-2.3.5A

                      For purposes of Paragraph BR-2.3.5, the relocation of a branch within the same geographical area constitutes a change of address. However, the relocation of a branch to a different geographical area in Bahrain warrants a request for authorisation to open a new branch (as per Section AU-4.2) and close the existing branch.

                      Added: October 2012

                    • BR-2.3.6

                      The request under Paragraph BR-2.3.5 must include the details of the proposed new address and the date on which the licensee intends to implement the change of address.

                      October 2010

                  • Change in Legal Status

                    • BR-2.3.7

                      A licensee must seek CBB approval and give reasonable advance notice of a change in its legal status that may, in any way, affect its relationship with or limit its liability to its customers.

                      October 2010

                  • Change in Paid-up or Issued Capital

                    • BR-2.3.8

                      As specified in Article 57(a)3. of the CBB Law, a licensee must seek CBB approval before making any modification to its issued or paid-up capital. In the case that a licensee has been granted approval to increase its paid-up capital, confirmation from the external auditor stating that the amount has been deposited in the licensee's bank account will subsequently be required.

                      October 2010

                  • Licensed Regulated Activities

                    • BR-2.3.9

                      Licensees wishing to cancel their license must obtain the CBB's written approval, before ceasing their activities. All such requests must be made in writing to the Director, Financial Institutions Supervision, setting out in full the reasons for the request and how the business is to be wound up.

                      October 2010

                    • BR-2.3.10

                      As specified in Article 50 of the CBB Law, a licensee wishing to cease to provide all or any of its licensed regulated services, completely or at any of its branches, must obtain prior written approval from the CBB.

                      October 2010

                    • BR-2.3.11

                      Licensees seeking to obtain the CBB's permission to cease business must submit to the CBB a formal request to the CBB for the appointment of a liquidator acceptable to the CBB.

                      October 2010

                  • Controllers

                    • BR-2.3.12

                      In accordance with Section GR-5.1, licensees must seek CBB approval and give reasonable advance notice of any of the following events concerning the licensee:

                      (a) A person acquiring control or ceasing to have control;
                      (b) An existing controller acquiring an additional type of control (such as ownership or significant influence) or ceasing to have a type of control;
                      (c) An existing controller increasing the percentage of shares or voting power beyond 10%, 20% or 50%; and
                      (d) An existing controller becoming or ceasing to be a parent undertaking.
                      October 2010

                  • Mergers, Acquisitions, Disposals and Establishment of New Subsidiaries

                    • BR-2.3.13

                      A licensee incorporated in Bahrain must seek CBB approval and give reasonable advance notice of its intention to enter into a:

                      (a) Merger with another undertaking; or
                      (b) Proposed acquisition, disposal or establishment of a new subsidiary undertaking.
                      Amended: January 2020
                      Added: October 2010

                    • BR-2.3.14

                      Licensees wishing to cancel an authorisation for a subsidiary undertaking must obtain the CBB's written approval, before ceasing the activities of the subsidiary.

                      Amended: April 2011
                      October 2010

                  • Outsourcing Arrangements

                    • BR-2.3.15

                      [This Paragraph was deleted in January 2023].

                      Deleted: January 2023
                      October 2010

                  • Matters Having a Supervisory Impact

                    • BR-2.3.16

                      A licensee must seek prior approval from the CBB for any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs after authorisation has been granted.

                      October 2010

                    • BR-2.3.17

                      Any licensee that wishes, intends or has been requested to do anything that might contravene, in its reasonable opinion, the provisions of UNSCR 1373 (and in particular Article 1, Paragraphs c) and d) of UNSCR 1373) must seek, in writing, the prior written opinion of the CBB on the matter (ref. FC-8.2.2).

                      October 2010

                    • BR-2.3.18

                      As specified in Article 57 of the CBB Law, a licensee wishing to modify its Memorandum or Articles of Association, must obtain prior written approval from the CBB.

                      October 2010

                    • BR-2.3.19

                      As specified in Article 57 of the CBB Law, a licensee wishing to transfer all or a major part of its assets or liabilities inside or outside the Kingdom, must obtain prior written approval from the CBB.

                      October 2010

                  • External Auditor

                    • BR-2.3.20

                      A licensee must seek prior approval from the CBB for the appointment or re-appointment of its external auditor (ref. AU-2.7.1 and AA-1.1.1).

                      October 2010

                  • Dividend Distribution

                    • BR-2.3.21

                      Licensees, must obtain the CBB's prior written approval to any dividend proposed to be distributed to the shareholders, in accordance with Chapter GR-4.

                      October 2010

                  • Approved Persons

                    • BR-2.3.22

                      A licensee must seek prior approval from the CBB for the appointment of persons undertaking a controlled function (ref. Article 65 of the CBB Law, AU-1.2 and AU-4.3).

                      October 2010

                    • BR-2.3.23

                      Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee (ref. AU-4.3.10).

                      October 2010

                    • BR-2.3.24

                      If a controlled function falls vacant, a licensee making immediate interim arrangements for the controlled function affected, must obtain approval from the CBB (ref. AU-4.4.6).

                      October 2010

                  • Loans Extended to Related Parties

                    • BR-2.3.25

                      In accordance with Section GR-11, Licensees must obtain the CBB's prior written approval for any loan in excess of BD 15,000, extended to the employees of the business.

                      October 2010

                    • BR-2.3.26

                      Licensees must obtain the CBB's prior written approval before writing-off any loan extended to the employees of the business.

                      October 2010

                  • Withdrawals

                    • BR-2.3.27

                      No funds may be withdrawn by shareholders from the licensee without the necessary prior written approval of the CBB.

                      October 2010

              • BR-3 BR-3 Information Gathering by the CBB

                • BR-3.1 BR-3.1 Power to Request Information

                  • BR-3.1.1

                    Licensees must provide all information that the CBB may reasonably request in order to discharge its regulatory obligations.

                    October 2010

                  • BR-3.1.1A

                    Licensees must provide all relevant information and assistance to the CBB inspectors and appointed experts on demand as required by Articles 111 and 114 of the CBB Law. Failure by licensees to cooperate fully with the CBB's inspectors or appointed experts, or to respond to their examination reports within the time limits specified, will be treated as demonstrating a material lack of cooperation with the CBB which will result in other enforcement measures being considered, as described elsewhere in Module EN. This rule is supported by Article 114(a) of the CBB Law.

                    Added: April 2012

                  • BR-3.1.1B

                    Article 163 of the CBB Law provides for criminal sanctions where false or misleading statements are made to the CBB or any person/appointed expert appointed by the CBB to conduct an inspection or investigation on the business of the licensee or the listed licensee.

                    Added: April 2012

                  • Information Requested on Behalf of other Supervisors

                    • BR-3.1.2

                      The CBB may ask a licensee to provide it with information at the request of or on behalf of other supervisors to enable them to discharge their functions properly. Those supervisors may include overseas supervisors or government agencies in Bahrain. The CBB may also, without notifying a licensee, pass on to those supervisors or agencies information that it already has in its possession.

                      October 2010

                • BR-3.2 BR-3.2 Access to Premises

                  • BR-3.2.1

                    A licensee must permit representatives of the CBB, or persons appointed for the purpose by the CBB to have access, with or without notice, during reasonable business hours to any of its business premises in relation to the discharge of the CBB's functions under the relevant law.

                    October 2010

                  • BR-3.2.2

                    A licensee must take reasonable steps to ensure that its agents and providers under outsourcing permit such access to their business premises, to the CBB.

                    October 2010

                  • BR-3.2.3

                    A licensee must take reasonable steps to ensure that each of its providers under material outsourcing arrangements deals in an open and cooperative way with the CBB in the discharge of its functions in relation to the licensee.

                    October 2010

                  • BR-3.2.4

                    The cooperation that licensees are expected to procure from such providers is similar to that expected of licensees themselves.

                    October 2010

                • BR-3.3 BR-3.3 Accuracy of Information

                  • BR-3.3.1

                    Licensees must take reasonable steps to ensure that all information they give to the CBB is:

                    (a) Factually accurate or, in the case of estimates and judgements, fairly and properly based after appropriate enquiries have been made by the licensee; and
                    (b) Complete, in that it should include everything which the CBB would reasonably and ordinarily expect to have.
                    Amended: April 2012
                    October 2010

                  • BR-3.3.2

                    If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way, it must notify the CBB immediately. The notification must include:

                    (a) Details of the information which is or may be false, misleading, incomplete or inaccurate, or has or may have changed;
                    (b) An explanation why such information was or may have been provided; and
                    (c) The correct information.
                    October 2010

                  • BR-3.3.3

                    If the information in Paragraph BR-3.3.2 cannot be submitted with the notification (because it is not immediately available), it must instead be submitted as soon as possible afterwards.

                    October 2010

                • BR-3.4 BR-3.4 Methods of Information Gathering

                  • BR-3.4.1

                    The CBB uses various methods of information gathering on its own initiative which require the cooperation of licensees:

                    (a) Representatives of the CBB may make onsite visits at the premises of the licensee. These visits may be made on a regular basis, or on a sample basis, for special purposes such as theme visits (looking at a particular issue across a range of licensees), or when the CBB has a particular reason for visiting a licensee;
                    (b) Appointees of the CBB may also make onsite visits at the premises of the licensee. Appointees of the CBB may include persons who are not CBB staff, but who have been appointed to undertake particular monitoring activities for the CBB, such as in the case of Appointed Experts (refer to Section BR-3.5).
                    (c) The CBB may request the licensee to attend meetings at the CBB's premises or elsewhere;
                    (d) The CBB may seek information or request documents by telephone, at meetings or in writing, including electronic communication;
                    (e) The CBB may require licensees to submit various documents or notifications, as per Chapter BR-2, in the ordinary course of their business such as financial reports or on the happening of a particular event in relation to the licensee such as a change in control.
                    Amended: April 2012
                    October 2010

                  • BR-3.4.2

                    When seeking meetings with a licensee or access to the licensee's premises, the CBB or the CBB appointee needs to have access to a licensee's documents and personnel. Such requests will be made during reasonable business hours and with proper notice. There may be instances where the CBB may seek access to the licensee's premises without prior notice. While such visits are not common, the prospect of unannounced visits is intended to encourage licensees to comply at all times with the requirements and standards imposed by the CBB as per legislation and Volume 5 of the CBB Rulebook.

                    Amended: April 2012
                    October 2010

                  • BR-3.4.3

                    The CBB considers that a licensee should:

                    (a) Make itself readily available for meetings with representatives or appointees of the CBB;
                    (b) Give representatives or appointees of the CBB reasonable access to any records, files, tapes or computer systems, which are within the licensee's possession or control, and provide any facilities which the representatives or appointees may reasonably request;
                    (c) Produce to representatives or appointees of the CBB specified documents, files, tapes, computer data or other material in the licensee's possession or control as may be reasonably requested;
                    (d) Print information in the licensee's possession or control which is held on computer or otherwise convert it into a readily legible document or any other record which the CBB may reasonably request;
                    (e) Permit representatives or appointees of the CBB to copy documents of other material on the premises of the licensee at the licensee's expense and to remove copies and hold them elsewhere, or provide any copies, as may be reasonably requested; and
                    (f) Answer truthfully, fully and promptly all questions which representatives or appointees of the CBB reasonably put to it.
                    Amended: April 2012
                    October 2010

                  • BR-3.4.4

                    The CBB considers that a licensee should take reasonable steps to ensure that the following persons act in the manner set out in Paragraph BR-3.4.3:

                    (a) Its employees; and
                    (b) Any other members of its group and their employees.
                    Amended: April 2012
                    October 2010

                  • BR-3.4.5

                    In gathering information to fulfill its supervisory duties, the CBB acts in a professional manner and with due regard to maintaining confidential information obtained during the course of its information gathering activities.

                    October 2010

                • BR-3.5 BR-3.5 The Role of the Appointed Expert

                  • Introduction

                    • BR-3.5.1

                      The content of this Chapter is applicable to all licensees and appointed experts.

                      Added: April 2012

                    • BR-3.5.2

                      The purpose of the contents of this Chapter is to set out the roles and responsibilities of appointed experts when appointed pursuant to Article 114 or 121 of the CBB Law (see EN-2.1.1). These Articles empower the CBB to assign some of its officials or others to inspect or conduct investigations of licensees.

                      Added: April 2012

                    • BR-3.5.3

                      The CBB uses its own inspectors to undertake on-site examinations of licensees as an integral part of its regular supervisory efforts. In addition, the CBB may commission reports on matters relating to the business of licensees in order to help it assess their compliance with CBB requirements. Inspections may be carried out either by the CBB's own officials, by duly qualified appointed experts appointed for the purpose by the CBB, or a combination of the two.

                      Added: April 2012

                    • BR-3.5.4

                      The CBB will not, as a matter of general policy, publicise the appointment of an appointed expert, although it reserves the right to do so where this would help achieve its supervisory objectives. Both the appointed expert and the CBB are bound to confidentiality provisions restricting the disclosure of confidential information with regards to any such information obtained in the course of the investigation.

                      Added: April 2012

                    • BR-3.5.5

                      Unless the CBB otherwise permits, appointed experts should not be the same firm appointed as external auditor of the licensee.

                      Added: April 2012

                    • BR-3.5.6

                      Appointed experts will be appointed in writing, through an appointment letter, by the CBB. In each case, the CBB will decide on the range, scope and frequency of work to be carried out by appointed experts.

                      Added: April 2012

                    • BR-3.5.7

                      All proposals to appoint appointed experts require approval by an Executive Director or more senior official of the CBB. The appointment will be made in writing, and made directly with the appointed experts concerned. A separate letter is sent to the licensee, notifying them of the appointment. At the CBB's discretion, a trilateral meeting may be held at any point, involving the CBB and representatives of the licensee and the appointed experts, to discuss any aspect of the investigation.

                      Added: April 2012

                    • BR-3.5.8

                      Following the completion of the investigation, the CBB will normally provide feedback on the findings of the investigation to the licensee.

                      Added: April 2012

                    • BR-3.5.9

                      Appointed experts will report directly to and be responsible to the CBB in this context and will specify in their report any limitations placed on them in completing their work (for example due to the licensee's group structure). The report produced by the appointed experts is the property of the CBB (but is usually shared by the CBB with the firm concerned).

                      Added: April 2012

                    • BR-3.5.10

                      Compliance by appointed experts with the contents of this Chapter will not, of itself, constitute a breach of any other duty owed by them to a particular licensee (i.e. create a conflict of interest).

                      Added: April 2012

                    • BR-3.5.11

                      The CBB may appoint one or more of its officials to work on the appointed experts' team for a particular licensee.

                      Added: April 2012

                  • The Required Report

                    • BR-3.5.12

                      The scope of the required report will be determined and detailed by the CBB in the appointment letter. Commissioned appointed experts would normally be required to report on one or more of the following aspects of a licensee's business:

                      (a) Accounting and other records;
                      (b) Internal control systems;
                      (c) Returns of information provided to the CBB;
                      (d) Operations of certain departments; and/or
                      (e) Other matters specified by the CBB.
                      Added: April 2012

                    • BR-3.5.13

                      Appointed experts will be required to form an opinion on whether, during the period examined, the licensee is in compliance with the relevant provisions of the CBB Law and the CBB's relevant requirements, as well as other requirements of Bahrain Law and, where relevant, industry best practice locally and/or internationally.

                      Added: April 2012

                    • BR-3.5.14

                      The appointed experts' report should follow the format set out in Appendix BR-10, in part B of the CBB Rulebook.

                      Amended: July 2013
                      Added: April 2012

                    • BR-3.5.15

                      Unless otherwise directed by the CBB or unless the circumstances described in Section BR-3.5.19 apply, the report must be discussed with the Board of directors and/or senior management in advance of it being sent to the CBB.

                      Added: April 2012

                    • BR-3.5.16

                      Where the report is qualified by exception, the report must clearly set out the risks which the licensee runs by not correcting the weakness, with an indication of the severity of the weakness should it not be corrected. Appointed experts will be expected to report on the type, nature and extent of any weaknesses found during their work, as well as the implications of a failure to address and resolve such weaknesses.

                      Added: April 2012

                    • BR-3.5.17

                      If the appointed experts conclude, after discussing the matter with the licensee, that they will give a negative opinion (as opposed to one qualified by exception) or that the issue of the report will be delayed, they must immediately inform the CBB in writing giving an explanation in this regard.

                      Added: April 2012

                    • BR-3.5.18

                      The report must be completed, dated and submitted, together with any comments by directors or management (including any proposed timeframe within which the licensee has committed to resolving any issues highlighted by the report), to the CBB within the timeframe applicable.

                      Added: April 2012

                  • Other Notifications to the CBB

                    • BR-3.5.19

                      Appointed experts must communicate to the CBB, during the conduct of their duties, any reasonable belief or concern they may have that any of the requirements of the CBB, including the criteria for licensing a licensee (see Module AU), are not or have not been fulfilled, or that there has been a material loss or there exists a significant risk of material loss in the concerned licensee, or that the interests of customers are at risk because of adverse changes in the financial position or in the management or other resources of a licensee. Notwithstanding the above, it is primarily the licensee's responsibility to report such matters to the CBB.

                      Added: April 2012

                    • BR-3.5.20

                      The CBB recognises that appointed expertscannot be expected to be aware of all circumstances which, had they known of them, would have led them to make a communication to the CBB as outlined above. It is only when appointed experts, in carrying out their duties, become aware of such a circumstance that they should make detailed inquiries with the above specific duty in mind.

                      Added: April 2012

                    • BR-3.5.21

                      If appointed experts decide to communicate directly with the CBB in the circumstances set out in Paragraph BR-3.5.19, they may wish to consider whether the matter should be reported at an appropriate senior level in the licensee at the same time and whether an appropriate senior representative of the licensee should be invited to attend the meeting with the CBB.

                      Added: April 2012

                  • Permitted Disclosure by the CBB

                    • BR-3.5.22

                      Information which is confidential and has been obtained under, or for the purposes of, this chapter or the CBB Law may only be disclosed by the CBB in the circumstances permitted under the Law. This will allow the CBB to disclose information to appointed experts to fulfil their duties. It should be noted, however, that appointed experts must keep this information confidential and not divulge it to a third party except with the CBB's permission and/or unless required by Bahrain Law.

                      Added: April 2012

                  • Trilateral Meeting

                    • BR-3.5.23

                      The CBB may, at its discretion, call for a trilateral meeting(s) to be held between the CBB and representatives of the relevant licensee and the appointed experts. This meeting will provide an opportunity to discuss the appointed experts' examination of, and report on, the licensee.

                      Added: April 2012

              • Appendices: Appendix 1

                • Format of Financial Reporting

                  1. The auditor's report on the accounts must state whether, in his opinion:
                  a) The business has maintained proper accounting records;
                  b) The accounts have been prepared in accordance with the International Financial Accounting Standards (IFRS) and with requirements below;
                  c) The financial statements present, truly and fairly, the financial position of the business as at 31st December, xxxx; and
                  d) The business has complied with the Rules within the Money Changers Modules and with the terms and conditions of its license; in specific in respect of maintaining net assets, valid bank guarantee and separate commercial registration.
                  2. The accounts should be drawn up in accordance with the following breakdown:
                  A- Assets:
                  1. Cash in hand
                  2. Balances with banks payable within 7 days
                  3. Other balances with banks
                  4. Drafts receivable
                  5. Due from travellers' cheque companies
                  6. Gold
                  7. Other precious metals
                  8. Due from money changers
                  9. Fixed Assets
                  10. Other Assets
                  B- Liabilities
                  1. Drafts payable
                  2. Due to travellers' cheque companies
                  3. Due to money changers
                  4. Borrowings from banks
                  5. Other liabilities
                  C- Shareholders' Equity:
                  1. Paid-up Capital
                  2. Statutory Reserve
                  3. General Reserve
                  4. Retained Earnings/Loss
                  D- Off-Balance Sheet Items:
                  1. Unsettled foreign exchange contracts
                  2. Unsettled dealing in gold and other precious metals
                  E- Income Statement:
                  1. From dealing in foreign currencies
                  2. From selling and buying drafts
                  3. From selling and cashing travellers' cheques
                  4. From dealing in gold and precious metals
                  5. Interest income
                  6. Other income
                  F- Expenses:
                  1. Staff expenses
                  2. Office rent
                  3. Interest expense
                  4. Depreciation
                  5. Provisions
                  6. General expenses
                  7. Other expenses
                  3. Any additional significant items in the accounts should be added in both the form and the notes to the accounts.
                  4. Additionally, the following guidelines should be observed:
                  (a) Item A1. A2 and A3 — a breakdown of each item into assets denominated in Bahraini Dinars and foreign currencies should be provided in the notes.
                  (b) A4 and A5 — these are drafts/travellers' cheques purchased from customers for which the value will be received after the balance sheet date.
                  (c) A10 — If the amount is equal to or more than 10% of total assets, a breakdown should be disclosed in the note. In any events, loans to employees should be stated in a separate note.
                  (d) B1 and B2 — these are the drafts/traveller's cheques sold out to customers for which the value will be given after the balance sheet date.
                  (e) B4 — a breakdown of the borrowings should be given in the note together with the types of collateral provided against such borrowings.
                  (f) B5 — if the amount is equal to or more than 10% of total liabilities, a breakdown should be disclosed in the note.
                  (g) E6 — if the amount is equal to or more than 10% of total income a breakdown should be disclosed in the note.
                  (h) F1 — total number of staff employed should be disclosed with a breakdown of Bahraini and non-Bahraini together with their respective costs.
                  (i) F7 — if the amount is equal to or more than 10% of total expenses a breakdown should be disclosed in the note.
                  Amended: April 2014
                  October 2010

      • Type 2: Type 2: Representative Office Licensees

        • Part A Part A

          • High Level Standards

            • AU AU Representative Offices Authorisation Module

              • AU-A AU-A Introduction

                • AU-A.1 AU-A.1 Purpose

                  • Executive Summary

                    • AU-A.1.1

                      The Authorisation Module sets out the CBB's approach to licensing representative offices in the Kingdom of Bahrain. It also sets out CBB requirements for approving persons undertaking key function in those licensees.

                      December 2010

                    • AU-A.1.2

                      The person undertaking the function of Representative Office Manager ('Rep Manager') in relation to a representative office licensee requires prior CBB approval. This function is referred to as a 'controlled function'. The controlled function regime supplements the licensing regime by ensuring that this key person responsible of the representative office is fit and proper. This person authorised by the CBB to undertake a controlled function in a representative office licensee is called an approved person.

                      December 2010

                  • Retaining Authorised Status

                    • AU-A.1.3

                      The requirements set out in Chapters AU-2 and AU-3 represent the minimum conditions that have to be met in each case, both at the point of authorisation and on an on-going basis thereafter, in order for authorised status to be retained.

                      December 2010

                  • Legal Basis

                    • AU-A.1.4

                      This Module contains the Central Bank of Bahrain ('CBB') Directive, Regulations and Resolutions (as amended from time to time) regarding authorisation under Volume 5 of the CBB Rulebook. It is applicable to all representative offices (as well as to approved persons), and is issued under the powers available to the CBB under Articles 37 to 42, 44 to 48 and 180 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Representative office licensees must also comply with Resolution No. 1 of the year 2007 'new license fees system' (as amended from time to time). The Module contains requirements under Resolution No.(16) for the year 2012 including the prohibition of marketing financial services pursuant to Article 42 of the CBB Law. The Module also contains requirements governing the conditions of granting a license for the provision of regulated services as prescribed under Resolution No (43) of 2011 and issued under the powers available to the CBB under Article 44(c). This Module contains the prior approval requirements for approved persons under Resolution No (23) of 2015.

                      Amended: July 2015
                      Amended: January 2013
                      December 2010

                    • AU-A.1.5

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      December 2010

                • AU-A.2 AU-A.2 Module History

                  • Evolution of Module

                    • AU-A.2.1

                      This Module was first issued in December 2010, as part of Volume 5 (Specialised licensees). Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      December 2010

                    • AU-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      AU-A.1.4 01/2013 Updated legal basis.
                      AU-1.1 01/2013 References added to requirements under Resolution No.(16) for the year 2012.
                      AU-4.4.4 01/2013 Corrected cross reference to CBB Law.
                      AU-5.2 07/2013 Amended due date and collection process for annual license fee.
                      AU-A.1.4 07/2015 Legal basis updated to reflect Resolution No (43) of 2011 and Resolution No (23) of 2015.
                      AU-4.2 07/2015 Amended to be in line with Resolution No (23) of 2015 on Prior Approval Requirements for Approved Persons.
                      AU-3 01/2016 Amended to be in line with Resolution No (23) of 2015 on Prior Approval Requirements for Approved Persons.
                      AU-4.2 01/2016 Minor amendments to be aligned with other Volumes of the Rulebook.
                      AU-4.5 07/2017 Added new Section on Publication of the Decision to Grant, Cancel or Amend a License.
                      AU-4.1.1 04/2018 Amended Paragraph.
                      AU-4.1.10 04/2018 Amended Paragraph.
                      AU-4.2.2 04/2018 Amended Paragraph.
                      AU-1.1.4 07/2019 Amended Paragraph to reflect online submission of Form 1.
                      AU-4.1.1 07/2019 Amended Paragraph to remove references to hardcopy Form 1 submission to online submission.
                      AU-4.1.13 10/2019 Changed from Rule to Guidance.
                      AU-4.1.14 10/2019 Changed from Rule to Guidance.
                      AU-4.1.15 10/2019 Changed from Rule to Guidance.
                      AU-4.5.1 10/2019 Changed from Rule to Guidance.
                      AU-4.2.8 01/2021 Added a new Paragraph on compliance of approved persons with the fit and proper requirement.

                  • Superseded Requirements

                    • AU-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory instruments:

                      Document reference Module Ref. Document Subject
                      Standard Conditions and Licensing Criteria for a representative office licensees AU-2 Scope of license and licensing conditions.
                      Circular EDFIS/C/011/2007 AU-5 CBB's New License Fees System
                      Circular BC/11/98 27/7/98 AU-3 Appointment and suitability of Directors and senior managers ('fit and proper').
                      December 2010

                    • AU-A.2.4

                      Further guidance on the implementation and transition to Volume 5 (Specialised Licensees) is given in Module ES (Executive Summary).

                      December 2010

              • AU-B AU-B Scope of Application

                • AU-B.1 AU-B.1 Scope

                  • AU-B.1.1

                    The Authorisation requirements in Chapter AU-1 are specifically applicable to financial institutions in highly reputable jurisdictions acceptable to the CBB. In addition, those applying for authorisation are also required to comply with the relevant requirements and procedures contained in this Module.

                    December 2010

                  • AU-B.1.2

                    Two types of authorisation are prescribed:

                    (a) Any financial institution seeking to operate as a representative office within or from the Kingdom of Bahrain must hold the appropriate CBB license (see AU-1.1); and
                    (b) Natural persons wishing to perform a controlled function in a representative office licensee also require prior CBB approval, as an approved person (see AU-1.2).
                    December 2010

                  • AU-B.1.3

                    Because of the general applicability of many of the requirements contained in this Module, they are supported by way of a Regulation (see Section UG-1.1 for an explanation of the CBB's rule-making powers and different regulatory instruments).

                    December 2010

                • AU-B.2 AU-B.2 Licensees and Approved Person

                  • AU-B.2.1

                    Various requirements in Chapters AU-2 to AU-4 inclusive also apply to persons once they have been authorised by the CBB (whether as licensees or approved person).

                    December 2010

                  • AU-B.2.2

                    Chapter AU-2 applies to representative office licensees (not just applicants), since licensing conditions have to be met on a continuous basis by licensees. Similarly, Chapter AU-3 applies to the approved person on a continuous basis; it also applies to representative office licensees seeking an approved person authorisation. Chapter AU-4 contains requirements applicable to licensees, with respect to their permitted activities, as well as to licensees and approved person, with respect to the amendment or cancellation of their authorised status. Finally, Section AU-5.2 imposes annual fees on licensees.

                    December 2010

              • AU-1 AU-1 Authorisation Requirements

                • AU-1.1 AU-1.1 Licensing

                  • AU-1.1.1

                    No person may:

                    (a) Operate as a representative office within or from the Kingdom of Bahrain unless duly licensed by the CBB;
                    (b) Hold themselves out to be licensed by the CBB unless they have as a matter of fact been so licensed; or
                    (c) Market any financial services in the Kingdom of Bahrain unless:
                    (i) Allowed to do by the terms of a license issued by the CBB;
                    (ii) The activities come within the terms of an exemption granted by the CBB by way of a Directive; or
                    (iii) Has obtained the express written permission of the CBB to offer financial services.
                    Amended: January 2013
                    December 2010

                  • AU-1.1.2

                    For the purposes of Rule AU-1.1.1(a), please refer to Section AU-1.3 for the definition of 'regulated representative office services'. Such activities will be deemed to be undertaken within or from the Kingdom of Bahrain if, for example, the person concerned:

                    (a) Uses an address situated in the Kingdom of Bahrain for its correspondence; or
                    (b) Directly contacts clients, who are resident within the Kingdom of Bahrain.
                    December 2010

                  • AU-1.1.2A

                    In accordance with Resolution No.(16) for the year 2012 and for the purpose of Subparagraph AU-1.1.1(c), the word 'market' refers to any promotion, offering, announcement, advertising, broadcast or any other means of communication made for the purpose of inducing recipients to purchase or otherwise acquire financial services in return for monetary payment or some other form of valuable consideration.

                    Added: January 2013

                  • AU-1.1.2B

                    Persons in breach of Subparagraph AU-1.1.1(c) are considered in breach of Resolution No.(16) for the year 2012 and are subject to penalties under Articles 129 and 161 of the CBB Law (see also Section EN-9.3).

                    Added: January 2013

                  • AU-1.1.3

                    Financial institutions wishing to be licensed as a representative office to undertake regulated representative office services within or from the Kingdom of Bahrain must apply in writing to the CBB.

                    December 2010

                  • AU-1.1.4

                    An application for a license must be in the form prescribed by the CBB and must contain, inter alia:

                    (a) Form 1 Application for a representative office license must be filled online. The Form is available on the CBB website under Eservices/online Forms; and
                    (b) Form 3 Application for Approved Person Status for the controlled function.
                    Amended: July 2019
                    December 2010

                  • AU-1.1.5

                    The CBB will review the application and duly advise the applicant in writing when it has:

                    (a) Granted the application without conditions;
                    (b) Granted the application subject to conditions specified by the CBB; or
                    (c) Refused the application, stating the grounds on which the application has been refused and the process for appealing against that decision.
                    December 2010

                  • AU-1.1.6

                    Detailed rules and guidance regarding information requirements and processes for licenses can be found in Section AU-4.1. As specified in Paragraph AU-4.1.12, the CBB will provide a formal decision on a license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB.

                    December 2010

                  • AU-1.1.7

                    All applicants seeking a representative office license must satisfy the CBB that they meet, by the date of authorisation, the minimum criteria for licensing, as contained in Chapter AU-2. Once licensed, licensees must maintain these criteria on an on-going basis.

                    December 2010

                  • Vetting of a Name

                    • AU-1.1.8

                      Representative offices must seek prior written approval from the CBB for their corporate name or changes then; the name of the foreign financial institution (Head Office) must only be used by the representative office in conjunction with the description "representative office". This may include the office sign, letterheads, advertising material and business cards (See also GR-2.1).

                      December 2010

                  • Suitability

                    • AU-1.1.9

                      Those seeking authorisation must satisfy the CBB as to their suitability to carry out the regulated representative office services for which they are seeking authorisation.

                      December 2010

                    • AU-1.1.10

                      In assessing applications for a license, the CBB will assess whether an applicant satisfies the licensing conditions (as specified in Chapter AU-2) with respect to the regulated representative office services that the applicant proposes undertaking.

                      December 2010

                    • AU-1.1.11

                      In addition to the licensing conditions specified in Chapter AU-2 the CBB, in considering an application shall also take into consideration the following:

                      (a) The reputation and financial standing (including financial standing on a consolidated basis) of the applicant,
                      (b) The consolidated supervisory arrangements, if any, for the applicant in any other jurisdiction and the opinion of the relevant supervisory authority therefore,
                      (c) The previous 3 years track-record, as a minimum, of the applicant, its owners and management, both as regards probity and in relation to the activities to be undertaken, and
                      (d) The suitability of the proposal and the effect on the financial sector in Bahrain of the applicant being granted a license.
                      December 2010

                • AU-1.2 AU-1.2 Approved Person

                  • General Requirement

                    • AU-1.2.1

                      Representative office licensees must appoint a person to undertake the function of representative office manager "Rep Manager". As mentioned in Paragraph AU-A.1.2, a person wishing to undertake a controlled function in a representative office licensee must be approved by the CBB prior to his/her appointment. Controlled function means in this case the Rep Manager. In the case of representative office licensees, the Rep Manager is considered the approved person.

                      December 2010

                  • Basis for Approval

                    • AU-1.2.2

                      Approval under Paragraph AU-1.2.1 is only granted by the CBB, if it is satisfied that the person is fit and proper to hold the particular position in the licensee concerned. 'Fit and proper' is determined by the CBB on a case-by-case basis. The definition of 'fit and proper' and associated guidance is provided in Sections AU-3.1 and AU-3.2 respectively.

                      December 2010

                  • Definitions

                    • AU-1.2.3

                      The representative office manager (or "Rep Manager") means a person who is responsible for the conduct of the licensee (regardless of actual title). The Rep Manager must be resident in Bahrain.

                      December 2010

                • AU-1.3 AU-1.3 Definition of Regulated Representative Office Services

                  • AU-1.3.1

                    Representative office licensees may undertake the following regulated representative office services:

                    (a) Conducting research and surveys for its parent company/head office on local Bahrain economy and international market;
                    (b) Liaising with customers on behalf of the head office, parent company or wholly owned subsidiary as approved by the CBB;
                    (c) Providing factual information, data and promotional material relating to the head office's products and services to customers; and
                    (d) Responding to general inquiries related to the head office.
                    December 2010

                  • AU-1.3.2

                    General Prohibitions:

                    (a) Representative office licensees may only undertake the regulated representative office services defined in AU-1.3.1 above. Representative office licensees must not undertake any other regulated financial services as set out in Regulation 1 of 2007;
                    (b) The representative office must not engage directly or on behalf of the head office in any financial transactions or business activities for profit inside Bahrain, except transactions which are necessary for and incidental to the maintenance of the representative office in Bahrain; and
                    (c) Any staff of the representative office must not also be an employee or director with day-to-day responsibilities of any financial institution operating in Bahrain. The representative office must not represent any institution other than its head office or parent company.
                    December 2010

              • AU-2 AU-2 Licensing Conditions

                • AU-2.1 AU-2.1 Condition 1: Legal Status

                • AU-2.2 AU-2.2 Condition 2: Mind and Management

                  • AU-2.2.1

                    Representative office licensees must maintain a resident Rep Manager and premises in the Kingdom appropriate to the nature and scale of their permitted activities.

                    December 2010

                • AU-2.3 AU-2.3 Condition 3: Controller

                  • AU-2.3.1

                    The head office or parent company is legally responsible for the representative office in Bahrain. The head office or parent company is considered a controller in this case; therefore it must fill in the information related to the head office in the Application Form "Form 1".

                    December 2010

                  • AU-2.3.2

                    In all cases, when judging applications from existing groups, the CBB will have regard to the reputation and financial standing of the group as a whole. Where relevant, the CBB will also take into account the extent and quality of supervision applied to overseas members of the group and take into account any information provided by other supervisors in relation to any member of the group.

                    December 2010

                • AU-2.4 AU-2.4 Condition 4: Approved Person

                  • AU-2.4.1

                    The resident Rep Manager nominated to carry out the controlled function in a representative office licensee must satisfy CBB's approved person's requirements.

                    December 2010

                  • AU-2.4.2

                    The definition of controlled function is contained in AU-1.2.1, whilst AU-3 sets out CBB's approved person requirements. Applications for approved person status must be submitted using the prescribed Form 3 Application for Approved Person Status.

                    December 2010

                • AU-2.5 AU-2.5 Condition 5: Financial Resources

                  • AU-2.5.1

                    Representative office licensees must maintain a level of financial resources, as agreed with the CBB, adequate for meeting their expenses.

                    December 2010

                  • AU-2.5.2

                    Representative office licensees must provide written confirmation from their head office that the head office will provide financial support to the representative office sufficient to enable it to meet its obligations as and when they fall due.

                    December 2010

                • AU-2.6 AU-2.6 Condition 6: Other Requirements

                  • Books and Records

                    • AU-2.6.1

                      Representative office licensees must comply with the minimum record-keeping requirements contained in Module GR and FC.

                      December 2010

                  • Provision of Information

                    • AU-2.6.2

                      Representative office licensees must act in an open and cooperative manner with the CBB. Representative office licensees must meet the regular reporting requirements contained in Module GR.

                      December 2010

                  • General Conduct

                    • AU-2.6.3

                      Representative office licensees must conduct their permitted activities in a professional and orderly manner. Representative office licensees must comply with the general standards of business conduct contained in Module PB.

                      December 2010

                  • License Fees

                    • AU-2.6.4

                      Representative office licensees must comply with Resolution No. 1 for the year 2007 (as amended from time to time), with regards to the license fee requirements applied by the CBB.

                      December 2010

                    • AU-2.6.5

                      License fee requirements are contained in Chapter AU-5.

                      December 2010

                  • Additional Conditions

                    • AU-2.6.6

                      Representative office licensees must comply with any other specific requirements or restrictions imposed by the CBB on the scope of their license.

                      December 2010

              • AU-3 AU-3 Approved Persons Conditions

                • AU-3.1 AU-3.1 Condition 1: 'Fit and Proper'

                  • AU-3.1.1

                    Licensees seeking an approved person authorisation for an individual, must satisfy the CBB that the individual concerned is 'fit and proper' to undertake the controlled function in question. In the case of representative office licensees, the Rep Manager is considered a controlled function.

                    December 2010

                  • AU-3.1.2

                    The authorisation requirement for the person nominated to carry out the controlled function is contained in Section AU-1.2. The authorisation process is described in Section AU-4.2.

                    December 2010

                  • AU-3.1.3

                    Each applicant applying for approved person status and those individuals occupying approved person positions must comply with the following conditions:

                    (a) Has not previously been convicted of any felony or crime that relates to his/her honesty and/or integrity unless he/she has subsequently been restored to good standing;
                    (b) Has not been the subject of any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud;
                    (c) Has not been adjudged bankrupt by a court unless a period of 10 years has passed, during which the person has been able to meet all his/her obligations and has achieved economic accomplishments;
                    (d) Has not been disqualified by a court, regulator or other competent body, as a director or as a manager of a corporation;
                    (e) Has not failed to satisfy a judgement debt under a court order resulting from a business relationship;
                    (f) Must have personal integrity, good conduct and reputation;
                    (g) Has appropriate professional and other qualifications for the controlled function in question; and
                    (h) Has sufficient experience to perform the duties of the controlled function.
                    Amended: January 2016
                    December 2010

                  • AU-3.1.4

                    In assessing the conditions prescribed in Rule AU-3.1.3, the CBB will take into account the criteria contained in Paragraph AU-3.1.5. The CBB reviews each application on a case-by-case basis, taking into account all relevant circumstances. A person may be considered 'fit and proper' to undertake one type of controlled function but not another, depending on the function's job size and required levels of experience and expertise.

                    Amended: January 2016
                    December 2010

                  • AU-3.1.5

                    In assessing a person s fitness and propriety, the CBB will also consider previous professional and personal conduct (in Bahrain or elsewhere) including, but not limited to, the following:

                    (a) The propriety of a person s conduct, whether or not such conduct resulted in a criminal offence being committed, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
                    (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
                    (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
                    (d) Whether the person, or any body corporate, partnership or unincorporated institution to which the applicant has, or has been associated with as a director, controller, manager or company secretary been the subject of any disciplinary proceeding, investigation or fines by any government authority, regulatory agency or professional body or association;
                    (e) The contravention of any financial services legislation;
                    (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
                    (g) Dismissal or a request to resign from any office or employment;
                    (h) Whether the person has been a Director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners have been declared bankrupt whilst the person was connected with that partnership;
                    (i) The extent to which the person has been truthful and open with supervisors; and
                    (j) Whether the person has ever entered into any arrangement with creditors in relation to the inability to pay due debts.
                    Added: January 2016

                  • AU-3.1.6

                    With respect to Paragraph AU-3.1.5, the CBB will take into account the length of time since any such event occurred, as well as the seriousness of the matter in question.

                    Added: January 2016

                  • AU-3.1.7

                    Approved persons undertaking a controlled function must act prudently, and with honesty, integrity, care, skill and due diligence in the performance of their duties. They must avoid conflicts of interest arising whilst undertaking a controlled function.

                    Amended: January 2016
                    December 2010

                  • AU-3.1.8

                    In determining where there may be a conflict of interest arising, factors that may be considered will include whether:

                    (a) A person has breached any fiduciary obligations to the company or terms of employment;
                    (b) A person has undertaken actions that would be difficult to defend, when looked at objectively, as being in the interest of the licensee; and
                    (c) A person has failed to declare a personal interest that has a material impact in terms of the person's relationship with the licensee.
                    Amended: January 2016
                    December 2010

                  • AU-3.1.9

                    Further guidance on the process for assessing a person's 'fit and proper' status is given in Module EN (Enforcement): see Chapter EN-8.

                    Added: January 2016

                • AU-3.2 AU-3.2 [This Section was deleted in January 2016]

                  • AU-3.2.1

                    [This Paragraph was deleted in January 2016.]
                    Deleted: January 2016

                  • AU-3.2.2

                    [This Paragraph was deleted in January 2016.]

                    Deleted: January 2016

                  • AU-3.2.3

                    [This Paragraph was moved to Paragraph AU-3.1.9 in January 2016.]

                    January 2016

              • AU-4 AU-4 Information Requirements and Processes

                • AU-4.1 AU-4.1 Licensing

                  • Application Form and Documents

                    • AU-4.1.1

                      Applicants for a license must fill in the Application Form 1 (Application for a License) online, available on the CBB website under Eservices/online Forms. The applicant must upload scanned copies of supporting documents listed in Paragraph AU-4.1.4, unless otherwise directed by the CBB.

                      Amended: July 2019
                      Amended: April 2018
                      December 2010

                    • AU-4.1.2

                      Articles 44 to 47 of the CBB Law govern the licensing process. This prescribes a single stage process, with the CBB required to take a decision within 60 calendar days of an application being deemed complete (i.e. containing all required information and documents). See below, for further details on the licensing process and time-lines.

                      December 2010

                    • AU-4.1.3

                      References to applicant mean the proposed licensee seeking authorisation. An applicant may appoint a representative — such as a law firm or professional consultancy — to prepare and submit the application. However, the applicant retains full responsibility for the accuracy and completeness of the application, and is required to certify the application form accordingly. The CBB also expects to be able to liaise directly with the applicant during the authorisation process, when seeking clarification of any issues.

                      December 2010

                    • AU-4.1.4

                      Unless otherwise directed by the CBB, the following documents must be provided in support of a Form 1:

                      (a) A duly completed Form 3 (Application for Approved Person status), for the individual proposed to undertake the controlled function (as defined in Rule AU-1.2.1 ) in the proposed licensee;
                      (b) The detailed application information, addressing the matters described in Paragraph AU-4.1.5;
                      (c) A copy of the company's current commercial registration or equivalent documentation;
                      (d) A certified copy of a Board resolution of the applicant, confirming its decision to seek a CBB representative office license;
                      (e) A letter of non-objection to the proposed license application from the applicant's home supervisor, together with confirmation that the group is in good regulatory standing and is in compliance with applicable supervisory requirements, including those relating to capital requirements;
                      (f) A copy of the certificate of license issued by the Regulated Authority of the head office/parent company; and
                      (g) Copies of the audited financial statements of the applicant (head office) for the three years immediately prior to the date of application.
                      December 2010

                    • AU-4.1.5

                      The Detailed Application Information submitted in support of an application must explain:

                      (a) An outline of the history of the applicant and its shareholders;
                      (b) The reasons for applying for a license, including the applicant's strategy and market objectives;
                      (c) The proposed type of activities to be carried on by the applicant in/from the Kingdom of Bahrain and an indication of the number of personnel to be assigned to the office;
                      (d) The name and position of the officer in the applicant's head office to whom the representative office manager will report and an outline of how the activities of the representative office are to be monitored to ensure that the CBB conditions are met on an on going basis; and
                      (e) Details of ownership of the applicant's head office in financial institutions located in Bahrain and an outline of the nature of the business carried on by those institutions.
                      December 2010

                    • AU-4.1.6

                      All documentation provided to the CBB as part of an application for a license must be in either the Arabic or English languages. Any documentation in a language other than English or Arabic must be accompanied by a certified English or Arabic translation thereof.

                      December 2010

                    • AU-4.1.7

                      Any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs prior to authorisation must be reported to the CBB.

                      December 2010

                    • AU-4.1.8

                      Failure to inform the CBB of the changes specified in Rule AU-4.1.7 is likely to be viewed as a failure to provide full and open disclosure of information, and thus a failure to meet licensing condition Rule AU-2.7.2.

                      December 2010

                  • Licensing Process and Timelines

                    • AU-4.1.9

                      By law, the 60-day time limit referred to in Paragraph AU-4.1.2 only applies once the application is complete and all required information (which may include any clarifications requested by the CBB) and documents have been provided. This means that all the items specified in Rule AU-4.1.4 have to be provided, before the CBB may issue a license.

                      December 2010

                    • AU-4.1.10

                      All potential applicants are strongly encouraged to contact the CBB at an early stage to discuss their plans, for guidance on the CBB's license categories and associated requirements. The Licensing Directorate would normally expect to hold at least one pre-application meeting with an applicant, prior to receiving an application (either in draft or in final).

                      Amended: April 2018
                      December 2010

                    • AU-4.1.11

                      Potential applicants should initiate pre-application meetings in writing, setting out a short summary of their proposed business and any issues or questions that they may have already identified, once they have a clear business proposition in mind and have undertaken their preliminary research. The CBB can then guide the applicant on the specific areas in the Rulebook that will apply to them and the relevant requirements that they must address in their application.

                      December 2010

                    • AU-4.1.12

                      At no point should an applicant hold themselves out as having been licensed by the CBB, prior to receiving formal written notification of the fact in accordance with Rule AU-4.1.13 below. Failure to do so may constitute grounds for refusing an application and result in a contravention of Articles 40 and 41 of the CBB Law (which carries a maximum penalty of BD 1 million).

                      December 2010

                  • Granting or Refusal of License

                    • AU-4.1.13

                      To be granted a license, an applicant should demonstrate compliance with the applicable requirements of the CBB Law and this Module. Should a license be granted, the CBB will notify the applicant in writing of the fact; the CBB will also publish its decision to grant a license in the Official Gazette and in two local newspapers (one published in Arabic, the other in English). The license may be subject to such terms and conditions as the CBB deems necessary for the additional conditions being met.

                      Amended: October 2019
                      December 2010

                    • AU-4.1.14

                      The CBB may refuse to grant a license if in its opinion:

                      (a) The requirements of the CBB Law or this Module are not met;
                      (b) False or misleading information has been provided to the CBB, or information which should have been provided to the CBB has not been so provided; or
                      (c) The CBB believes it necessary in order to safeguard the interests of potential customers.
                      Amended: October 2019
                      December 2010

                    • AU-4.1.15

                      Where the CBB proposes to refuse an application for a license, it will give the applicant a written notice to that effect. Applicants will be given a minimum of 30 calendar days from the date of the written notice to appeal the decision, as per the appeal procedures specified in the notice; these procedures will comply with the provisions contained in Article 46 of the CBB Law.

                      Amended: October 2019
                      December 2010

                  • Starting Operations

                    • AU-4.1.16

                      Within 6 months of the license being issued, the new licensee must provide to the CBB (if not previously submitted):

                      (a) The registered office address and details of premises to be used to carry out the activities of the proposed licensee;
                      (b) The address in the Kingdom of Bahrain where full business records will be kept;
                      (c) The licensee's contact details including telephone and fax number, e-mail address and website;
                      (d) A copy of the licensee's business card and correspondence material including letterhead, website, email indicating that the licensee is licensed by the CBB;
                      (e) A copy of the Ministry of Industry and Commerce commercial registration certificate in Arabic and in English; and
                      (f) Any other information as may be specified by the CBB.
                      December 2010

                    • AU-4.1.17

                      New licensees must start their operations within 6 months of being granted a license by the CBB, failing which the CBB may cancel the license, as per the powers and procedures set out in Article 48 of the CBB Law.

                      December 2010

                    • AU-4.1.18

                      The procedures for amending or cancelling licenses are contained in Sections AU-4.3 and AU-4.4 respectively.

                      December 2010

                • AU-4.2 AU-4.2 Approved Person

                  • Prior Approval Requirements and Process

                    • AU-4.2.1

                      Representative office licensees must obtain CBB's prior written approval before a person is formally appointed to a controlled function. The request for CBB approval must be made by submitting to the CBB a duly completed Form 3 (Application for Approved Person status) and Curriculum Vitae after verifying that all the information contained in the Form 3, including previous experience, is accurate. Form 3 is available under Volume 5 Part B Authorisation Forms of the CBB Rulebook.

                      Amended: January 2016
                      Amended: July 2015
                      December 2010

                    • AU-4.2.2

                      When the request for approved person status forms part of a license application, the Form 3 must be marked for the attention of the Director, Licensing Directorate. When the submission to undertake a controlled function is in relation to an existing licensee, the Form 3 must be marked for the attention of the concerned Supervision Director.

                      Amended: April 2018
                      Amended: July 2015
                      December 2010

                    • AU-4.2.2A

                      When submitting the Forms 3, licensees must ensure that the Form 3 is:

                      (a) Submitted to the CBB with a covering letter signed by an authorised representative of the administrator licensee, seeking approval for the proposed controlled function;
                      (b) Submitted in original form;
                      (c) Submitted with a certified copy of the applicant's passport, original or certified copies of educational and professional qualification certificates (and translation if not in Arabic or English) and the Curriculum Vitae; and
                      (d) Is signed by an authorised representative of the licensee and all pages stamped with the licensee's seal.
                      Added: July 2015

                    • AU-4.2.3

                      [This Paragraph was deleted in July 2015.]

                      Deleted: July 2015

                  • Assessment of Application

                    • AU-4.2.3A

                      The CBB shall review and assess the application for approved person status to ensure that it satisfies all the conditions required in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.2.3B

                      For purposes of Paragraph AU-4.2.3A, licensees should give the CBB a reasonable amount of notice in order for an application to be reviewed. The CBB shall respond within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, as well as verifying references.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.2.3C

                      The CBB reserves the right to refuse an application for approved person status if it does not satisfy the conditions provided for in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5. A notice of such refusal is issued by registered mail to the licensee concerned, setting out the basis for the decision.

                      Amended January 2016
                      Added: July 2015

                    • AU-4.2.4

                      [This Paragraph was deleted in January 2016.]

                      Deleted: January 2016

                  • Appeal Process

                    • AU-4.2.4A

                      Licensees or the nominated approved persons may, within 30 calendar days of the notification, appeal against the CBB's decision to refuse the application for approved person status. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from submitting the appeal.

                      Added: July 2015

                    • AU-4.2.4B

                      Where notification of the CBB's decision to grant a person approved person status is not issued within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, licensees or the nominated approved persons may appeal to the concerned Executive Director of the CBB provided that the appeal is justified with supporting documents. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from the date of submitting the appeal.

                      Added: July 2015

                  • Notification Requirements and Process

                    • AU-4.2.5

                      Representative office licensees must immediately notify the CBB when an approved person ceases to hold a controlled function together with an explanation as to the reasons why (see Paragraph AU-4.2.6). In such cases, their approved person status is automatically withdrawn by the CBB.

                      Amended: July 2015
                      December 2010

                    • AU-4.2.6

                      Representative office licensees must promptly notify the CBB in writing when a person undertaking a controlled function will no longer be carrying out that function. If a controlled function falls vacant, the representative office licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the representative office licensee must make immediate interim arrangements to ensure continuity of the duties and responsibilities of the controlled function affected. These interim arrangements must be approved by the CBB.

                      December 2010

                    • AU-4.2.7

                      The explanation given for any such changes should simply identify if the planned move was prompted by any concerns over the person concerned, or is due to a routine staff change, retirement or similar reason.

                      December 2010

                    • AU-4.2.8

                      Licensees must immediately notify the CBB should they become aware of information that could reasonably be viewed as calling into question an approved person’s compliance with CBB’s ‘fit and proper’ requirement (see AU3.1).

                      Added: January 2021

                • AU-4.3 AU-4.3 Amendment of Authorisation

                  • Licenses

                    • AU-4.3.1

                      Representative office licensees wishing to change their license must obtain the CBB's written approval, before effecting any such change.

                      December 2010

                    • AU-4.3.2

                      Failure to secure the CBB approval prior to effecting such changes is likely to be viewed as a serious breach of a licensee's regulatory obligations, and may constitute a breach of Article 40(a), as well as Article 50(a), of the CBB Law.

                      December 2010

                • AU-4.4 AU-4.4 Cancellation of Authorisation

                  • Cancellation of License

                    • AU-4.4.1

                      Representative office licensees wishing to cancel their license must obtain the CBB's written approval, before ceasing their activities. All such requests must be made in writing to the respective Supervision Director, at the CBB, setting out in full the reasons for the request and how the business is to be wound up.

                      December 2010

                    • AU-4.4.2

                      Representative office licensees must satisfy the CBB that their head office customers' interests are to be safeguarded during and after the proposed cancellation. The requirements contained in Module GR regarding cessation of business must be satisfied.

                      December 2010

                    • AU-4.4.3

                      Failure to comply with Rule AU-4.4.1 may constitute a breach of Article 50(a) of the CBB Law. The CBB will only approve such a request where it has no outstanding regulatory concerns and any relevant customer interests would not be prejudiced. A voluntary surrender of a license will not be accepted where it is aimed at preempting supervisory actions by the CBB. A voluntary surrender will only be allowed to take effect once the licensee, in the opinion of the CBB, has discharged all its regulatory responsibilities to customers.

                      December 2010

                    • AU-4.4.4

                      As provided for under Article 48(c) of the CBB Law, the CBB may itself move to cancel a license, for instance if a licensee fails to satisfy any of its existing license conditions or protecting the legitimate interests of customers or creditors of the licensee requires a cancellation. See also Chapter EN-7, regarding the cancellation or amendment of licenses, including the procedures used in such instances.

                      Amended: January 2013
                      December 2010

                  • Cancellation of Approved Person Status

                    • AU-4.4.5

                      The CBB may also move to declare someone as not 'fit and proper', in response to significant compliance failures or other improper behaviour by that person: see Chapter EN-8 regarding the cancellation of 'fit and proper' approval.

                      December 2010

                • AU-4.5 AU-4.5 Publication of the Decision to Grant, Cancel or Amend a License

                  • AU-4.5.1

                    In accordance with Articles 47 and 49 of the CBB Law, the CBB will publish its decision to grant, cancel or amend a license in the Official Gazette and in two local newspapers, one in Arabic and the other in English.

                    Amended: October 2019
                    Added: July 2017

                  • AU-4.5.2

                    For the purposes of Paragraph AU-4.5.1, the cost of publication must be borne by the Licensee.

                    Added: July 2017

                  • AU-4.5.3

                    The CBB may also publish its decision on such cancellation or amendment using any other means it considers appropriate, including electronic means.

                    Added: July 2017

              • AU-5 AU-5 License Fees

                • AU-5.1 AU-5.1 License Application Fees

                  • AU-5.1.1

                    Applicants seeking a representative office license from the CBB must pay a non-refundable license application fee of BD 100 at the time of submitting their formal application to the CBB.

                    December 2010

                  • AU-5.1.2

                    There are no application fees for those seeking approved person status.

                    December 2010

                • AU-5.2 AU-5.2 Annual License Fees

                  • AU-5.2.1

                    Representative office licensees must pay a fixed annual license fee of BD3,000 to the CBB, on 1st December of the preceding year for which the fees are due.

                    Amended: July 2013
                    December 2010

                  • AU-5.2.2

                    [This Paragraph was deleted in July 2013].

                    Deleted: July 2013
                    December 2010

                  • AU-5.2.3

                    [This Paragraph was deleted in July 2013].

                    Deleted: July 2013
                    December 2010

                  • AU-5.2.3A

                    All licensees are subject to direct debit for the payment of the annual fee and must complete and submit to the CBB a Direct Debit Authorisation Form by 15th September available under Part B of Volume 5 (Specialised Licensees) CBB Rulebook on the CBB Website.

                    Added: July 2013

                  • AU-5.2.4

                    For new representative office licensees, their first annual license fee is payable when their license is issued by the CBB. The annual fee due in relation to the first year in which the license has been granted, shall be BD3,000.

                    December 2010

                  • AU-5.2.5

                    Where a license is cancelled (whether at the initiative of the firm or the CBB), no refund is paid for any months remaining in the calendar year in question, should a fee have been paid for that year.

                    December 2010

                  • AU-5.2.6

                    Licensees failing to comply with this Section may be subject to financial penalties for date sensitive requirements as outlined in Section EN-5.3A or may have their licenses withdrawn by the CBB.

                    Added: July 2013

            • GR GR Representative Offices General Requirements Module

              • GR-A GR-A Introduction

                • GR-A.1 GR-A.1 Purpose

                  • GR-A.1.1

                    The General Requirements Module presents a variety of different requirements that do not warrant their own stand-alone Module, but for the most part are generally applicable to the representative offices. These include, amongst others, general requirements on books and records and on the use of corporate and trade names.

                    December 2010

                  • Legal Basis

                    • GR-A.1.2

                      This Module contains the Central Bank of Bahrain ('CBB') Directive (as amended from time to time) regarding general requirements applicable to licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law').

                      December 2010

                • GR-A.2 GR-A.2 Module History

                  • Evolution of Module

                    • GR-A.2.1

                      This Module was first issued in December 2010, as part of Volume 5 (Specialised Licensees). Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      December 2010

                    • GR-A.2.2

                      A list of recent changes made to this Module is detailed in the table below:

                      Module Ref. Change Date Description of Changes
                      GR-5.1 01/2011 Added a Section on IIS Reporting Requirements.
                      GR-5.1.2 04/2011 Corrected cross reference.
                      GR-3.1 04/2012 GR-3.1.3 deleted as it repeats what is included in GR-6.2.1 and Paragraph GR-4.1.1 moved to new Paragraph GR-3.1.1A.
                      GR-4.1.1 04/2012 This Paragraph was moved to Paragraph GR-3.1.1A.
                      GR-5.1 04/2012 Minor corrections.
                      GR-6 04/2012 New Chapter added to include material transferred from common Chapters EN-2 and AA-5 and include other Rules and Guidance on information gathering by the CBB.
                      GR-3.1.5 01/2013 Clarified due date for the annual confirmation letter.
                      GR-6.5.14 07/2013 Amended numbering of referred appendix.
                      GR-5.1.1 04/2014 Added requirement that licensees access the IIS within 20 calendar days from the end of the related quarter and either confirm or update the information contained in the IIS.
                      GR-6 10/2014 Amendments made to be consistent with other Volumes of the CBB Rulebook.
                      GR-4.1.8 10/2016 Added a Rule in the Cessation of Business Section to be consistent with other Volumes of the CBB Rulebook.
                      GR-1.1.1 10/2018 Amended Paragraph to be consistent with other Volumes.
                      GR-4.1.8 04/2020 Amended Paragraph.
                      GR-C 10/2020 Added a new Chapter on Provision of Financial Services on a Non-discriminatory Basis.
                      GR-2.1.1 01/2022 Amended Paragraph on change of Representative Offices’ corporate name.
                      GR-2.1.3 01/2022 Deleted Paragraph.

                  • Superseded Requirements

                    • GR-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory instruments:

                      Document reference Provision Document Subject
                      Standard Conditions and Licensing Criteria for a representative office license Licensing requirements Scope of license and licensing conditions.
                      Circular BC/3/2001 Notifications Regular Notification of Management Personnel
                      BS/07/2003 dated 9 September 2003 Notifications Notifications to BMA
                      December 2010

                    • GR-A.2.4

                      Further guidance on the implementation and transition to Volume 5 (Specialised Licensees) is given in Module ES (Executive Summary).

                      December 2010

              • GR-B GR-B Scope of Application

                • GR-B.1 GR-B.1 Representative Office licensees

                  • Scope of Application

                    • GR-B.1.1

                      The requirements in Module GR (General Requirements) apply to representative offices licensed by the CBB.

                      December 2010

              • GR-C GR-C Provision of Financial Services on a Non-discriminatory Basis

                • GR-C.1 GR-C.1 Provision of Financial Services on a Non-discriminatory Basis

                  • GR-C.1.1

                    Representative office licensees must ensure that all regulated financial services are provided without any discrimination based on gender, nationality, origin, language, faith, religion, physical ability or social standing.

                    Added: October 2020

              • GR-1 GR-1 Books and Records

                • GR-1.1 GR-1.1 General Requirements

                  • GR-1.1.1

                    Representative office licensees must maintain the following records for a 10-year period, in original form or in hard copy at their premises in Bahrain. These records must be retained for at least 10 years according to Article 60 of the CBB Law.

                    (a) A copy of all documents submitted to the CBB as part of the license application;
                    (b) Corporate records, including Head Office Annual Report, License Certificate (granted by the CBB), Commercial Registration Certificate, Memorandum and Articles of Association;
                    (c) Correspondence with the CBB and records relevant to monitoring compliance with CBB requirements;
                    (d) Reports prepared by the Representative Office to its Head Office and vice versa; and
                    (e) Any other documents deemed necessary by the CBB.
                    Amended: October 2018
                    December 2010

                  • GR-1.1.2

                    Representative office licensees should refer to Chapter FC-7 with reference to records pertaining to the requirements of Module FC.

                    December 2010

                  • GR-1.1.3

                    Unless otherwise agreed with the CBB in writing, records must be kept in either English or Arabic; or else accompanied by a certified English or Arabic translation. Records must be kept current.

                    December 2010

                  • GR-1.1.4

                    The requirements of Paragraph GR-1.1.3 are effective from the issusance date of this Module.

                    December 2010

                  • GR-1.1.5

                    Translations produced in compliance with Rule GR-1.1.3 may be undertaken in-house, by an employee or contractor of the licensee, providing they are certified by an appropriate officer of the licensee.

                    December 2010

                  • GR-1.1.6

                    Records must be accessible at any time from within the Kingdom of Bahrain, or as otherwise agreed with the CBB in writing.

                    December 2010

                  • Customer Records

                    • GR-1.1.7

                      Record-keeping requirements with respect to customer records, including customer inquiries, identification and due diligence records, are contained in the Common Module FC (Financial Crime). These requirements address specific requirements under the Amiri Decree Law No. 4 of 2001, the standards promulgated by the Financial Action Task Force

                      December 2010

                    • GR-1.1.8

                      Representative office licensees must maintain a record of all promotional/marketing materials issued by them to new or existing customers. They must also maintain a record of all their undertakings.

                      December 2010

              • GR-2 GR-2 Corporate and Trade Names

                • GR-2.1 GR-2.1 Vetting of Names

                  • GR-2.1.1

                    Representative offices must notify the CBB of any change in their corporate name at least one week prior to effecting the proposed change. The name of the foreign financial institution (Head Office) must only be used by the representative office in conjunction with the description "representative office". This may include the office sign, letterheads, advertising material and business cards.

                    Amended: January 2022
                    December 2010

                  • GR-2.1.2

                    Rule GR-2.1.1 refers to the requirements contained in Article 41 of the CBB Law.

                    December 2010

                  • GR-2.1.3

                    [This Paragraph was deleted in January 2022].

                    Deleted: January 2022
                    December 2010

              • GR-3 GR-3 General Requirements

                • GR-3.1 GR-3.1 General Requirements

                  • GR-3.1.1A

                    Representative office licensees must obtain the CBB's prior approval for all major intended changes. These might include but not limited to change of office location and change of the representative manager.

                    Added: April 2012

                  • Maintenance of Suitable Premises

                    • GR-3.1.2

                      Representative office licensees must maintain suitable premises in the Kingdom of Bahrain.

                      December 2010

                    • GR-3.1.3

                      [This Paragraph was deleted in April 2012].

                      Deleted: April 2012
                      December 2010

                  • Annual Reporting Requirements

                    • GR-3.1.4

                      Representative office licensees must submit to the CBB the annual report of the head office within 6 months of the financial year end and any other documents and information requested by the CBB from time to time related to its undertakings.

                      December 2010

                    • GR-3.1.5

                      Representative Office licensees must submit to the CBB on an annual basis, not later than 31st March, a confirmation letter that the representative office is in compliance with the permitted activities and meet all its expenditure commitments.

                      Amended: January 2013
                      December 2010

                  • Other Notifications

                    • GR-3.1.6

                      Representative office licensees must notify the CBB of any breaches of the CBB's requirements or any other applicable Laws.

                      December 2010

                    • GR-3.1.7

                      The representative office licensee must notify the CBB of any change in the arrangements of the head office's oversight of the representative office.

                      December 2010

                    • GR-3.1.8

                      The representative office licensee must notify the CBB of any significant developments affecting its head office's financial soundness, ownership structure and/or reputation globally.

                      December 2010

              • GR-4 GR-4 Cessation of Business

                • GR-4.1 GR-4.1 CBB Approval

                  • GR-4.1.1

                    [This Paragraph was moved to GR-3.1.1A].

                    Amended: April 2012
                    December 2010

                  • GR-4.1.2

                    As specified in Article 50 of the CBB Law, a representative office licensee wishing to cease its presence in the Kingdom of Bahrain, must obtain prior written approval from the CBB.

                    December 2010

                  • GR-4.1.3

                    Representative office licensees seeking to obtain the CBB's permission to cease business must apply to the CBB in writing, in the form of a covering letter together with any supporting attachments. Unless otherwise directed by the CBB, the application must provide:

                    (a) The rationale for the cessation; and
                    (b) Evidence that the proposed cessation has been duly authorised by the licensee head office/parent company.
                    December 2010

                  • GR-4.1.4

                    Licensees should ensure that all outstanding expenses are settled before cessation of business and should confirm it to the CBB.

                    December 2010

                  • GR-4.1.5

                    When the CBB has given its approval to an application to cease business, the representative office licensee must publish a notice of its intention to cease business in two local daily newspapers (one in Arabic, the other in English). Notices must also be displayed in the premises. These notices must be given not less than 30 calendar days before the cessation is to take effect, and must include such information as the CBB may specify.

                    December 2010

                  • GR-4.1.6

                    The CBB will normally require that the notices required under Rule GR-4.1.5 include a statement that written representations concerning the cessation of business may be submitted to the CBB.

                    December 2010

                  • GR-4.1.7

                    Where the CBB has given its approval to cancel or amend a license, then it will also publish its decision in the Official Gazette, as well as in two local daily newspapers (one in Arabic, the other in English), once this decision has been implemented. The publication cost of these notices is to be met by the licensee concerned.

                    December 2010

                  • GR-4.1.8

                    Upon satisfactorily meeting the requirements set out in GR-3.1, the representative office licensee must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its commercial registration from the Ministry of Industry, Commerce and Tourism.

                    Amended: April 2020
                    Added: October 2016

              • GR-5 GR-5 Reporting Requirements

                • GR-5.1 GR-5.1 IIS Reporting Requirements

                  • GR-5.1.1

                    Licensees are required to complete online non-financial information related to their institution by accessing the CBB's institutional information system (IIS). Licensees must update the required information at least on a quarterly basis or when a significant change occurs in the non-financial information included in the IIS. If no information has changed during the quarter, the licensee must still access the IIS quarterly and confirm that the information contained in the IIS is correct. Licensees must ensure that they access the IIS within 20 calendar days from the end of the related quarter and either confirm or update the information contained in the IIS.

                    Amended: April 2014
                    Amended: April 2012
                    January 2011

                  • GR-5.1.2

                    Licensees failing to comply with the requirements of Paragraph GR-5.1.1 or reporting inaccurate information may be subject to financial penalties or other enforcement actions as outlined in Module (EN) Enforcement.

                    Amended: April 2012
                    Amended: April 2011
                    January 2011

              • GR 6 GR 6 Information Gathering by the CBB

                • GR-6.1 GR-6.1 Power to Request Information

                  • GR-6.1.1

                    In accordance with Article 111 of the CBB Law, licensees must provide all information that the CBB may reasonably request in order to discharge its regulatory obligations.

                    Amended: October 2014
                    Added: April 2012

                  • GR-6.1.1A

                    Licensees must provide all relevant information and assistance to the CBB inspectors and appointed experts on demand as required by Articles 111 and 114 of the CBB Law. Failure by licensees to cooperate fully with the CBB's inspectors or appointed experts, or to respond to their examination reports within the time limits specified, will be treated as demonstrating a material lack of cooperation with the CBB which will result in other enforcement measures being considered, as described elsewhere in Module EN. This rule is supported by Article 114(a) of the CBB Law.

                    Added: October 2014

                  • GR-6.1.1B

                    Article 163 of the CBB Law provides for criminal sanctions where false or misleading statements are made to the CBB or any person/appointed expert appointed by the CBB to conduct an inspection or investigation on the business of the licensee or the listed licensee.

                    Added: October 2014

                  • Information Requested on Behalf of other Supervisors

                    • GR-6.1.2

                      The CBB may ask a licensee to provide it with information at the request of or on behalf of other supervisors to enable them to discharge their functions properly. Those supervisors may include overseas supervisors or government agencies in Bahrain. The CBB may also, without notifying a licensee pass on to those supervisors or agencies information that it already has in its possession.

                      Added: April 2012

                • GR-6.2 GR-6.2 Access to Premises

                  • GR-6.2.1

                    In accordance with Article 114 of the CBB Law, all licensees must permit representatives of the CBB, or appointed experts, access, with or without notice, to any of its business premises in relation to the discharge of the CBB's functions under the relevant law.

                    Amended: October 2014
                    Added: April 2012

                  • GR-6.2.2

                    A licensee must take reasonable steps to ensure that its agents, providers under outsourcing arrangements permit such access to their business premises, to the CBB.

                    Added: April 2012

                  • GR-6.2.3

                    A licensee must take reasonable steps to ensure that each of its providers under material outsourcing arrangements deals in an open and cooperative way with the CBB in the discharge of its functions in relation to the licensee.

                    Added: April 2012

                  • GR-6.2.4

                    The cooperation that licensees are expected to procure from such providers is similar to that expected of licensees themselves.

                    Added: April 2012

                • GR-6.3 GR-6.3 Accuracy of Information

                  • GR-6.3.1

                    Licensees must take reasonable steps to ensure that all information they give to the CBB is:

                    (a) Factually accurate or, in the case of estimates and judgements, fairly and properly based after appropriate enquiries have been made by the licensee; and
                    (b) Complete, in that it should include everything which the CBB would reasonably and ordinarily expect to have.
                    Added: April 2012

                  • GR-6.3.2

                    If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way, it must notify the CBB immediately. The notification must include:

                    (a) Details of the information which is or may be false, misleading, incomplete or inaccurate, or has or may have changed;
                    (b) An explanation why such information was or may have been provided; and
                    (c) The correct information.
                    Added: April 2012

                  • GR-6.3.3

                    If the information in Paragraph GR-6.3.2 cannot be submitted with the notification (because it is not immediately available), it must instead be submitted as soon as possible afterwards.

                    Added: April 2012

                • GR-6.4 GR-6.4 Methods of Information Gathering

                  • GR-6.4.1

                    The CBB uses various methods of information gathering on its own initiative which require the cooperation of licensees:

                    (a) Representatives of the CBB may make onsite visits at the premises of the licensee. These visits may be made on a regular basis, or on a sample basis, for special purposes such as theme visits (looking at a particular issue across a range of licensees), or when the CBB has a particular reason for visiting a licensee;
                    (b) Appointees of the CBB may also make onsite visits at the premises of the licensee. Appointees of the CBB may include persons who are not CBB staff, but who have been appointed to undertake particular monitoring activities for the CBB, such as in the case of appointed experts (refer to Section GR-6.5).
                    (c) The CBB may request the licensee to attend meetings at the CBB's premises or elsewhere;
                    (d) The CBB may seek information or request documents by telephone, at meetings or in writing, including electronic communication;
                    (e) The CBB may require licensees to submit various documents or notifications in the ordinary course of their business such as financial reports or on the happening of a particular event in relation to the licensee.
                    Added: April 2012

                  • GR-6.4.2

                    When seeking meetings with a licensee or access to the licensee's premises, the CBB or the CBB appointee needs to have access to a licensee's documents and personnel. Such requests will be made during reasonable business hours and with proper notice. There may be instances where the CBB may seek access to the licensee's premises without prior notice. While such visits are not common, the prospect of unannounced visits is intended to encourage licensees to comply at all times with the requirements and standards imposed by the CBB as per legislation and Volume 5 of the CBB Rulebook.

                    Added: April 2012

                  • GR-6.4.3

                    The CBB considers that a licensee should:

                    (a) Make itself readily available for meetings with representatives or appointees of the CBB;
                    (b) Give representatives or appointees of the CBB reasonable access to any records, files, tapes or computer systems, which are within the licensee's possession or control, and provide any facilities which the representatives or appointees may reasonably request;
                    (c) Produce to representatives or appointees of the CBB specified documents, files, tapes, computer data or other material in the licensee's possession or control as may be reasonably requested;
                    (d) Print information in the licensee's possession or control which is held on computer or otherwise convert it into a readily legible document or any other record which the CBB may reasonably request;
                    (e) Permit representatives or appointees of the CBB to copy documents of other material on the premises of the licensee at the licensee's expense and to remove copies and hold them elsewhere, or provide any copies, as may be reasonably requested; and
                    (f) Answer truthfully, fully and promptly all questions which representatives or appointees of the CBB reasonably put to it.
                    Added: April 2012

                  • GR-6.4.4

                    The CBB considers that a licensee should take reasonable steps to ensure that the following persons act in the manner set out in Paragraph GR-6.4.3:

                    (a) Its employees; and
                    (b) Any other members of its group and their employees.
                    Added: April 2012

                  • GR-6.4.5

                    In gathering information to fulfill its supervisory duties, the CBB acts in a professional manner and with due regard to maintaining confidential information obtained during the course of its information gathering activities.

                    Added: April 2012

                • GR-6.5 GR-6.5 Role of the Appointed Expert

                  • Introduction

                    • GR-6.5.1

                      The content of this Chapter is applicable to all licensees and appointed experts.

                      Added: April 2012

                    • GR-6.5.2

                      The purpose of the contents of this Chapter is to set out the roles and responsibilities of appointed experts when appointed pursuant to Article 114 or 121 of the CBB Law (see EN-2.1.1). These Articles empower the CBB to assign some of its officials or others to inspect or conduct investigations of licensees.

                      Added: April 2012

                    • GR-6.5.3

                      The CBB uses its own inspectors to undertake on-site examinations of licensees as an integral part of its regular supervisory efforts. In addition, the CBB may commission reports on matters relating to the business of licensees in order to help it assess their compliance with CBB requirements. Inspections may be carried out either by the CBB's own officials, by duly qualified appointed experts appointed for the purpose by the CBB, or a combination of the two.

                      Added: April 2012

                    • GR-6.5.4

                      The CBB will not, as a matter of general policy, publicise the appointment of an appointed expert, although it reserves the right to do so where this would help achieve its supervisory objectives.

                      Amended: October 2014
                      Added: April 2012

                    • GR-6.5.5

                      Unless the CBB otherwise permits, appointed experts should not be the same firm appointed as external auditor of the licensee.

                      Added: April 2012

                    • GR-6.5.6

                      Appointed experts will be appointed in writing, through an appointment letter, by the CBB. In each case, the CBB will decide on the range, scope and frequency of work to be carried out by appointed experts.

                      Added: April 2012

                    • GR-6.5.7

                      All proposals to appoint appointed experts require approval by an Executive Director or more senior official of the CBB. The appointment will be made in writing, and made directly with the appointed experts concerned. A separate letter is sent to the licensee, notifying them of the appointment. At the CBB's discretion, a trilateral meeting may be held at any point, involving the CBB and representatives of the licensee and the appointed experts, to discuss any aspect of the investigation.

                      Added: April 2012

                    • GR-6.5.8

                      Following the completion of the investigation, the CBB will normally provide feedback on the findings of the investigation to the licensee.

                      Added: April 2012

                    • GR-6.5.9

                      Appointed experts will report directly to and be responsible to the CBB in this context and will specify in their report any limitations placed on them in completing their work (for example due to the licensee'sgroup structure). The report produced by the appointed experts is the property of the CBB (but is usually shared by the CBB with the firm concerned).

                      Added: April 2012

                    • GR-6.5.10

                      Compliance by appointed experts with the contents of this Chapter will not, of itself, constitute a breach of any other duty owed by them to a particular investment firm licensee (i.e. create a conflict of interest).

                      Added: April 2012

                    • GR-6.5.11

                      The CBB may appoint one or more of its officials to work on the appointed experts' team for a particular licensee.

                      Added: April 2012

                  • The Required Report

                    • GR-6.5.12

                      The scope of the required report will be determined and detailed by the CBB in the appointment letter. Commissioned appointed experts would normally be required to report on one or more of the following aspects of a licensee's business:

                      (a) Accounting and other records;
                      (b) Internal control systems;
                      (c) Returns of information provided to the CBB;
                      (d) Operations of certain departments; and/or
                      (e) Other matters specified by the CBB.
                      Added: April 2012

                    • GR-6.5.13

                      Appointed experts will be required to form an opinion on whether, during the period examined, the licensee is in compliance with the relevant provisions of the CBB Law and the CBB's relevant requirements, as well as other requirements of Bahrain Law and, where relevant, industry best practice locally and/or internationally.

                      Added: April 2012

                    • GR-6.5.14

                      The appointed experts' report should follow the format set out in Appendix BR-10, in part B of the CBB Rulebook.

                      Amended: July 2013
                      Added: April 2012

                    • GR-6.5.15

                      Unless otherwise directed by the CBB or unless the circumstances described in Section GR-6.5.19 apply, the report must be discussed with the Board of directors and/or senior management in advance of it being sent to the CBB.

                      Added: April 2012

                    • GR-6.5.16

                      Where the report is qualified by exception, the report must clearly set out the risks which the licensee runs by not correcting the weakness, with an indication of the severity of the weakness should it not be corrected. Appointed experts will be expected to report on the type, nature and extent of any weaknesses found during their work, as well as the implications of a failure to address and resolve such weaknesses.

                      Added: April 2012

                    • GR-6.5.17

                      If the appointed experts conclude, after discussing the matter with the licensee, that they will give a negative opinion (as opposed to one qualified by exception) or that the issue of the report will be delayed, they must immediately inform the CBB in writing giving an explanation in this regard.

                      Added: April 2012

                    • GR-6.5.18

                      The report must be completed, dated and submitted, together with any comments by directors or management (including any proposed timeframe within which the licensee has committed to resolving any issues highlighted by the report), to the CBB within the timeframe applicable.

                      Added: April 2012

                  • Other Notifications to the CBB

                    • GR-6.5.19

                      Appointed experts must communicate to the CBB, during the conduct of their duties, any reasonable belief or concern they may have that any of the requirements of the CBB, including the criteria for licensing a licensee (see Module AU), are not or have not been fulfilled, or that there has been a material loss or there exists a significant risk of material loss in the concerned licensee, or that the interests of customers are at risk because of adverse changes in the financial position or in the management or other resources of a licensee. Notwithstanding the above, it is primarily the licensee's responsibility to report such matters to the CBB.

                      Added: April 2012

                    • GR-6.5.20

                      The CBB recognises that appointed experts cannot be expected to be aware of all circumstances which, had they known of them, would have led them to make a communication to the CBB as outlined above. It is only when appointed experts, in carrying out their duties, become aware of such a circumstance that they should make detailed inquiries with the above specific duty in mind.

                      Added: April 2012

                    • GR-6.5.21

                      If appointed experts decide to communicate directly with the CBB in the circumstances set out in Paragraph GR-6.5.19, they may wish to consider whether the matter should be reported at an appropriate senior level in the licensee at the same time and whether an appropriate senior representative of the licensee should be invited to attend the meeting with the CBB.

                      Added: April 2012

                  • Permitted Disclosure by the CBB

                    • GR-6.5.22

                      Information which is confidential and has been obtained under, or for the purposes of, this chapter or the CBB Law may only be disclosed by the CBB in the circumstances permitted under the Law. This will allow the CBB to disclose information to appointed experts to fulfil their duties. It should be noted, however, that appointed experts must keep this information confidential and not divulge it to a third party except with the CBB's permission and/or unless required by Bahrain Law.

                      Added: April 2012

                  • Trilateral Meeting

                    • GR-6.5.23

                      The CBB may, at its discretion, call for a trilateral meeting(s) to be held between the CBB and representatives of the relevant licensee and the appointed experts. This meeting will provide an opportunity to discuss the appointed experts' examination of, and report on, the licensee.

                      Added: April 2012

      • Type 3: Type 3: Financing Companies

        • Part A Part A

          • High Level Standards

            • AU AU Financing Companies Authorisation Module

              • AU-A AU-A Introduction

                • AU-A.1 AU-A.1 Purpose

                  • Executive Summary

                    • AU-A.1.1

                      The executive summary only provides an overview. For detailed rules, reference must be made to the individual Rules outlined in the remainder of this Module.

                      January 2013

                    • AU-A.1.2

                      Module AU (Authorisation) sets out the Central Bank of Bahrain's ('CBB's) approach to licensing providers of regulated financing company services in the Kingdom of Bahrain. It also sets out CBB requirements for approving persons undertaking key functions in those providers.

                      January 2013

                    • AU-A.1.3

                      Persons undertaking certain functions in relation to licensees require prior CBB approval. These functions (called controlled functions ) include Directors and members of senior management. The controlled functions regime supplements the licensing regime by ensuring that key persons involved in the running of licensees are fit and proper. Those authorised by the CBB to undertake controlled functions are called approved persons.

                      January 2013

                  • Retaining Authorised Status

                    • AU-A.1.4

                      The requirements set out in Chapters AU-2 and AU-3 represent the minimum conditions that have to be met in each case, both at the point of authorisation and on an on-going basis thereafter, in order for authorised status to be retained.

                      January 2013

                  • Legal Basis

                    • AU-A.1.5

                      This Module contains the CBB's Directive, Regulations and Resolutions (as amended from time to time) regarding authorisation under Volume 5 of the CBB Rulebook. It is applicable to all licensees (as well as to approved persons), and is issued under the powers available to the CBB under Articles 37 to 42, 44 to 48 and 180 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). It also includes the requirements contained in Resolution No (1) of 2007 with respect to determining fees categories due for licenses and services provided by the CBB. It contains requirements under Regulation No (1) of 2007 pertaining to the CBB's regulated services issued under Article 39 of the CBB Law and those conditions of granting a license for the provision of regulated services as prescribed under Resolution No (43) of 2011 and is issued under the powers available to the CBB under Article 44(c). The Module contains requirements under Resolution No.(16) for the year 2012 including the prohibition of marketing financial services pursuant to Article 42 of the CBB Law. This Module contains the prior approval requirements for approved persons under Resolution No (23) of 2015. The Directive, Resolutions and Regulations in this Module are applicable to all financing company licensees (including their approved persons).

                      Amended: July 2015
                      January 2013

                    • AU-A.1.6

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      January 2013

                    • AU-A.1.7

                      Persons wishing to undertake regulated financing company services are required to be licensed by the CBB as a financing company licensee.

                      January 2013

                  • Licensing Conditions

                    • AU-A.1.8

                      Financing company licensees are subject to 8 licensing conditions, mostly specified at a high-level in Module AU, and further expanded in underlying subject Modules (such as Module CA). These licensing conditions are broadly equivalent to the standards applied in other Volumes of the CBB Rulebook, to other license categories, and are consistent with international good practice.

                      January 2013

                  • Information Requirements and Processes

                    • AU-A.1.9

                      Chapter AU-3 specifies the processes and information requirements that have to be followed for applicants seeking a financing company license, as well as existing licensees seeking to vary the scope of their license, by adding new regulated activities. It also covers the voluntary surrender of a license, or its cancellation by the CBB.

                      January 2013

                • AU-A.2 AU-A.2 Module History

                  • Evolution of Module

                    • AU-A.2.1

                      This Module was first issued in January 2013. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made. UG-3 provides further details on Rulebook maintenance and version control.

                      January 2013

                    • AU-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      AU-5.2 07/2013 Amended due date and collection process for annual license fee.
                      AU-2.8.1 01/2014 Corrected reference to proper accounting standards.
                      AU-5.2.7B and AU-5.2.7C 01/2014 Added requirements for payment of annual fees for SPVs.
                      AU-1.2.2 04/2014 Updated controlled functions.
                      AU-A.1.5 07/2015 Legal basis updated to reflect Resolution No (23) of 2015.
                      AU-3.2.1 07/2015 Added cross reference to Module TC.
                      AU-4.3 07/2015 Amended to be in line with Resolution No (23) of 2015 on Prior Approval Requirements for Approved Persons.
                      AU-1.2 01/2016 Clarified general requirements for Approved Persons.
                      AU-3 01/2016 Amended to be in line with Resolution No (23) of 2015 on Prior Approval Requirements for Approved Persons.
                      AU-4.3 01/2016 Minor amendments to be aligned with other Volumes of the Rulebook.
                      AU-4.6 07/2017 Added new Section on Publication of the Decision to Grant, Cancel or Amend a License.
                      AU-1.1.9 07/2019 Amended Paragraph to reflect online submission of Form 1.
                      AU-4.1.22 10/2019 Changed from Rule to Guidance.
                      AU-4.1.24 10/2019 Changed from Rule to Guidance.
                      AU-4.6.1 10/2019 Changed from Rule to Guidance.
                      AU-1.3.1A 10/2020 Added a new Paragraph on compliance with AAOIFI Shari’a Standards.
                      AU-4.3.10A 01/2021 Added a new Paragraph on compliance of approved persons with the fit and proper requirement.
                      AU-1.3.1(d) 07/2022 Amended Subparagraph on means of payment.
                      AU-1.3.1B 07/2022 Added a new Paragraph on offering a limited range of financing activity.
                      AU-1.3.14 07/2022 Deleted Paragraph.
                      AU-2.5.2 07/2022 Amended Paragraph on financial resources.

                  • Superseded Requirements

                    • AU-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory instruments:

                      Circular/other reference Provision Subject
                      Standard Conditions and Licensing criteria for financing companies (conventional) All articles Scope of license and licensing conditions.
                      Standard Conditions and Licensing criteria for Islamic financing companies All articles Scope of license and licensing conditions.
                           
                           
                           
                      January 2013

              • AU-B AU-B Scope of Application

                • AU-B.1 AU-B.1 Scope of Application

                  • AU-B.1.1

                    The content of this Module applies to all financing company licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

                    January 2013

                  • AU-B.1.2

                    Two types of authorisation are prescribed:

                    (a) Any person seeking to provide a regulated financing company service within or from the Kingdom of Bahrain must hold the appropriate CBB license (see AU-1.1); and
                    (b) Natural persons wishing to perform a controlled function in a licensee also require prior CBB's approval, as an approved person (see AU-1.2).
                    January 2013

                  • AU-B.1.3

                    The Authorisation requirements in Chapter AU-1 have general applicability, in that they prevent any person from providing (or seeking to provide) regulated financing company services within or from the Kingdom of Bahrain, unless they have been licensed as a financing company (conventional or Islamic) by the CBB (see Rule AU-1.1.1).

                    January 2013

                  • AU-B.1.4

                    The remaining requirements in Chapters AU-1 to AU-3 (besides those mentioned in Section AU-B.2 above) apply to all those licensed by the CBB as a financing company licensee, or which are in the process of seeking such a license. They apply regardless of whether the person concerned is incorporated in the Kingdom of Bahrain, or in an overseas jurisdiction, unless otherwise specified.

                    January 2013

                  • AU-B.1.5

                    Chapter AU-2 applies to licensees (not just applicants), since licensing conditions have to be met on a continuous basis by licensees. Similarly, Chapter AU-3 applies to approved persons on a continuous basis; it also applies to licensees seeking an approved person authorisation. Chapter AU-4 contains requirements applicable to licensees, with respect to the starting up of their operations, as well as to licensees and approved persons, with respect to the amendment or cancellation of their authorised status. Finally, Section AU-5.2 imposes annual fees on licensees.

                    January 2013

              • AU-1 AU-1 Authorisation Requirements

                • AU-1.1 AU-1.1 Licensing

                  • General Prohibitions

                    • AU-1.1.1

                      No person may:

                      (a) Undertake (or hold themselves out to undertake) financing company services, by way of business within or from the Kingdom of Bahrain unless duly licensed by the CBB;
                      (b) Hold themselves out to be licensed by the CBB unless they have as a matter of fact been so licensed; or
                      (c) Market any financial services in the Kingdom of Bahrain unless:
                      (i) Allowed to do by the terms of a license issued by the CBB;
                      (ii) The activities come within the terms of an exemption granted by the CBB by way of a Directive; or
                      (iii) Has obtained the express written permission of the CBB to offer financial services.
                      January 2013

                    • AU-1.1.2

                      In accordance with Resolution No.(16) for the year 2012 and for the purpose of Subparagraph AU-1.1.1(c), the word 'market' refers to any promotion, offering, announcement, advertising, broadcast or any other means of communication made for the purpose of inducing recipients to purchase or otherwise acquire financial services in return for monetary payment or some other form of valuable consideration.

                      January 2013

                    • AU-1.1.3

                      Persons in breach of Subparagraph AU-1.1.1(c) are considered in breach of Resolution No.(16) for the year 2012 and are subject to penalties under Articles 129 and 161 of the CBB Law (see also Section EN-9.3).

                      January 2013

                    • AU-1.1.4

                      Licensees are prohibited from taking deposits or any similar liabilities and Shari'a compliant investment accounts.

                      January 2013

                    • AU-1.1.5

                      Only persons licensed to undertake regulated financing services (or regulated Islamic financing services), may use the term 'financing company' in their corporate or trading names, or otherwise hold themselves out to be a financing company.

                      January 2013

                    • AU-1.1.6

                      Licensees are not obliged to include the word 'financing company' in their corporate or trading names; however, they may be required to make clear their regulatory status in their letter heads, customer communications, website and so on (See Paragraph GR-2.2.1).

                      January 2013

                    • AU-1.1.7

                      For the purposes of Rule AU-1.1.2, persons will be considered in breach of this requirement if they attempt to operate as, or incorporate a financing company in Bahrain with a name containing the word "financing company" (or the equivalents in any language), without holding the appropriate CBB license or obtaining the prior approval of the CBB.

                      January 2013

                    • AU-1.1.8

                      Persons wishing to be licensed to undertake regulated financing company services within or from the Kingdom of Bahrain must apply in writing to the CBB.

                      January 2013

                    • AU-1.1.9

                      An application for a license must fill in the Application form (Form 1) online, available on the CBB website under E-services/online Forms and must contain:

                      (a) A business plan specifying the type of business to be conducted;
                      (b) Application forms (Form 2) for all controllers; and
                      (c) Application forms (Form 3) for all controlled functions.
                      Amended: July 2019
                      January 2013

                    • AU-1.1.10

                      The CBB will review the application and duly advise the applicant in writing when it has:

                      (a) Granted the application without conditions;
                      (b) Granted the application subject to conditions specified by the CBB; or
                      (c) Refused the application, stating the grounds on which the application has been refused and the process for appealing against that decision.
                      January 2013

                    • AU-1.1.11

                      Detailed rules and guidance regarding information requirements and processes for license applications can be found in Section AU-4.1. As specified in Paragraph AU-4.1.14, the CBB will provide a formal decision on license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB.

                      January 2013

                    • AU-1.1.12

                      In granting new licenses, the CBB will specify the specific types of regulated financing company service for which a license has been granted.

                      January 2013

                    • AU-1.1.13

                      All applicants for financing company licenses must satisfy the CBB that they meet, by the date of their license, the minimum conditions for licensing, as specified in Chapter AU-2. Once licensed, licensees must maintain these criteria on an on-going basis.

                      January 2013

                    • AU-1.1.14

                      Licensees must not carry on any commercial business in the Kingdom of Bahrain or elsewhere other than financing business and activities directly arising from or incidental to that business.

                      January 2013

                    • AU-1.1.15

                      Rule AU-1.1.14 is intended to restrict licensees from undertaking any material non-financial business activities. The Rule does not prevent a financing company undertaking commercial activities if these directly arise from their financing business: for instance, in the context of Islamic contracts, such as murabaha, ijara and musharaka, where the company may hold the physical assets being financed or leased. Nor does it restrict a licensee from undertaking commercial activities if, in the judgment of the CBB, they are incidental and do not detract from the financial nature of the financing companies operations.

                      January 2013

                    • AU-1.1.16

                      Rule AU-1.1.14 applies to the legal entity holding the financing company license. A licensee may thus own subsidiaries that undertake non-financial activities, although the CBB generally does not support the development of significant commercial activities within a licensee's group.

                      January 2013

                • AU-1.2 AU-1.2 Approved Persons

                  • General Requirement

                    • AU-1.2.1

                      Licensees must obtain the CBB's prior written approval for any person wishing to undertake a controlled function at a licensee. The approval from the CBB must be obtained prior to their appointment.

                      Amended: January 2016
                      January 2013

                    • AU-1.2.2

                      Controlled functions are those functions occupied by board members and persons in executive positions and include:

                      (a) Member of the Board of Directors;
                      (b) Chief Executive or General Manager and their Deputies;
                      (c) Head of function;
                      (d) Compliance Officer;
                      (e) Money Laundering Reporting Officer (MLRO); and
                      (f) Head of Shari'a review.
                      Amended: January 2016
                      Amended: April 2014
                      January 2013

                    • AU-1.2.3

                      Prior approval is required for controlled functions (a), (b), (c), (d) and (e). Controlled functions (d) and (e) may be combined, however (see also FC-4.1, regarding the MLRO function). Controlled function (f) does not require prior approval instead, notification only is required, once the person concerned has accepted to undertake that function.

                      January 2013

                  • Basis for Approval

                    • AU-1.2.4

                      Approval under Paragraph AU-1.2.1 is only granted by the CBB, if it is satisfied that the person is fit and proper to hold the particular position in the licensee concerned. 'Fit and proper' is determined by the CBB on a case-by-case basis. The definition of 'fit and proper' and associated guidance is provided in Sections AU-3.1 and AU-3.2 respectively.

                      Amended: January 2016
                      January 2013

                  • Definitions

                    • AU-1.2.5

                      Director is any person who occupies the position of a Director, as defined in Article 173 of the Commercial Companies Law (Legislative Decree No. 21 of 2001).

                      January 2013

                    • AU-1.2.6

                      The fact that a person may have 'Director' in their job title does not of itself make them a Director within the meaning of the definition noted in Paragraph AU-1.5.5. For example, a 'Director of IT', is not necessarily a member of the Board of Directors and therefore may not fall under the definition of Paragraph AU-1.5.5.

                      January 2013

                    • AU-1.2.7

                      The Chief Executive or General Manager means a person who is responsible for the conduct of the licensee (regardless of actual title). The Chief Executive or General Manager must be resident in Bahrain. This person is responsible for the conduct of the whole of the firm.

                      January 2013

                    • AU-1.2.8

                      Head of function means a person who exercises major managerial responsibilities, is responsible for a significant business or operating unit, or has senior managerial responsibility for maintaining accounts or other records of the licensee.

                      January 2013

                    • AU-1.2.9

                      Whether a person is a head of function will depend on the facts in each case and is not determined by the presence or absence of the word in their job title. Examples of head of function might include, depending on the scale, nature and complexity of the business, a deputy Chief Executive; heads of departments such as Risk Management, Compliance or Internal Audit; or any front office functions or the Chief Financial Officer.

                      January 2013

                    • AU-1.2.10

                      Where a licensee is in doubt as to whether a function should be considered a controlled function it must discuss the case with the CBB.

                      January 2013

                    • AU-1.2.11

                      The controlled function of compliance officer is defined in accordance with the compliance function under Section HC-6.4. The controlled functions of Money Laundering Reporting Officer is defined under Chapter FC-4.

                      January 2013

                    • AU-1.2.12

                      All licensees must designate an employee, of appropriate standing and resident in Bahrain, as compliance officer. The duties of the compliance officer include:

                      (a) Assisting senior management to identify and assess the main compliance risks facing the licensees and the plans to manage them;
                      (b) Advising senior management on compliance laws, rules and standards, including keeping them informed on developments in the area;
                      (c) Assisting senior management in educating staff on compliance issues, and acting as a contact point within the licensee for compliance queries from staff members;
                      (d) Establishing written guidance to staff on the appropriate implementation of compliance laws, rules and standards through policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines;
                      (e) On a pro-active basis, identifying, documenting and assessing the compliance risks associated with the licensee's business activities, including the development of new products and business practices, the proposed establishment of new types of business or customer relationships, or material changes in the nature of such relationships;
                      (f) Monitoring and testing compliance by performing sufficient and representative compliance testing; and
                      (g) Reporting on a regular basis to the board of directors or the audit committee of the board of directors.
                      January 2013

                • AU-1.3 AU-1.3 Definition of Regulated Financing Company Services

                  • AU-1.3.1

                    Regulated financing company services are any of the following activities, carried on by way of business:

                    (a) Offering instalment credit;
                    (b) Offering revolving credit facilities (such as credit cards);
                    (c) Offering Shari'a financing contracts; and
                    (d) Issuing/administering means of payment (charge or prepaid cards, whether physical or digital.
                    Amended: July 2022
                    January 2013

                  • AU-1.3.2 AU-1.3.2

                    Upon application, the CBB may exclude specific transactions from the definition of regulated financing company services.

                    January 2013

                    • AU-1.3.1A

                      Where licensees are undertaking regulated activities in accordance with Shari'a, all transactions and contracts concluded by regulated financing company services must comply with Sharia standards issued by the Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI). The validity of the contract or transaction is not impacted, if at a later date, the relevant AAOIFI Sharia standards are amended.

                      Added: October 2020

                    • AU-1.3.1B

                      A financing company licensee may choose to offer a limited range of financing activity as determined by its business plan provided that such activity includes short term instalment credits only.

                      Added: July 2022

                    • AU-1.3.3

                      For the purposes of Rule AU-1.3.1, carrying on a regulated financing company service by way of business means:

                      (a) Undertaking the regulated financing company service of (a), plus any of the activities (b) to (d), as defined in Section AU-1.3, for commercial gain;
                      (b) Holding oneself out as willing and able to engage in such activities; or
                      (c) Regularly soliciting other persons to engage in transactions constituting such activities.
                      January 2013

                    • AU-1.3.4

                      Licensees are allowed to transact with both residents and non-residents of the Kingdom of Bahrain, and in both Bahrain Dinar and foreign currencies.

                      January 2013

                    • AU-1.3.5

                      Licensees may undertake transactions with both Bahraini residents and non-residents.

                      January 2013

                    • AU-1.3.6

                      Licensees should note that the same legal entity cannot combine regulated financing company services with other regulated services, such as regulated insurance services and regulated ancillary services.

                      January 2013

                    • General Exclusions

                      • AU-1.3.7

                        A person does not carry on an activity constituting a regulated financing company service if the activity:

                        (a) Is carried on in the course of a business which does not ordinarily constitute the carrying on of financial services;
                        (b) May reasonably be regarded as a necessary part of any other services provided in the course of that business; and
                        (c) Is not remunerated separately from the other services.
                        January 2013

                      • AU-1.3.8

                        A person does not carry on an activity constituting a regulated financing company service if the person is a body corporate and carries on that activity solely with or for other bodies corporate that are members of the same group.

                        January 2013

                      • AU-1.3.9

                        A person does not carry on an activity constituting a regulated financing company service if such person carries on an activity with or for another person, and they are both members of the same family.

                        January 2013

                      • AU-1.3.10

                        A person does not carry on an activity constituting a regulated financing company service if the sole or main purpose for which the person enters into the transaction is to limit any identifiable risks arising in the conduct of his business, providing the business conducted does not itself constitute a regulated activity.

                        January 2013

                      • AU-1.3.11

                        A person does not carry on an activity constituting a regulated financing company service if that person is a government body charged with the management of financial instruments on behalf of a government or public body or an exempt person, as specified by Royal decree.

                        January 2013

                    • Providing Credit

                      • AU-1.3.12

                        Providing credit is defined as the provision of credit to a person in his capacity as borrower or potential borrower. This includes consumer and mortgage credit and providing credit by way of finance leases and factoring.

                        January 2013

                    • Offering Shari'a Financing Contracts

                      • AU-1.3.13

                        Offering Shari'a financing contracts is defined as entering into, or making arrangement for another person to enter into, a contract to provide finance in accordance with Shari'a principles, such as murabaha, bay muajjal, bay salam, ijara wa iktina and istisna'a contracts. etc...

                        January 2013

                    • Issuing Means of Payment

                      • AU-1.3.14

                        [This Paragraph was deleted in July 2022].

                        Deleted: July 2022
                        January 2013

                • AU-1.4 AU-1.4 Shari'a Compliant Transactions

                  • General Requirements for all Conventional Financing Companies

                    • AU-1.4.1

                      Conventional financing company licensees may not hold themselves out as an Islamic financing company. Conventional financing company licensees are allowed to enter into activities (a) to (c) listed in Rule AU-1.3.1 under the conditions outlined in the remainder of this Section, subject to conditions outlined in Section AU-1.2 (concerning facilities offered to Bahrain residents and facilities in Bahrain Dinar in particular).

                      January 2013

                    • AU-1.4.2

                      When offering any of the Shari'a compliant activities listed in Rule AU-1.3.1, conventional licensees must have staff trained in Shari'a compliant financing business. The licensee must also disclose in the notes to its Annual Report/Financial Statement all quantitative and qualitative disclosures on its Shari'a compliant business as required by AAOIFI accounting and auditing standards.

                      January 2013

                  • Additional Requirements for Conventional Financing Companies

                    • AU-1.4.3

                      Conventional licensees may provide Shari'a compliant activities (b) and (c) listed in Rule AU-1.3.1 in any amount and in any currency to Bahrain-resident individuals subject to the following conditions:

                      (a) Shari'a compliant financing transactions to be undertaken through a special counter or branch as deemed necessary by the licensee;
                      (b) The licensee must maintain separate books for Shari'a compliant financing activities to ensure no co-mingling of conventional and Islamic funds;
                      (c) The licensee must have a Shari'a Compliant Reviewer; and
                      (d) The licensee must establish a Shari'a Supervisory Committee with a minimum of three board members. The board may have global authority for all Shari'a compliant business or may have authority purely for Islamic business booked in Bahrain.
                      January 2013

              • AU-2 AU-2 Licensing Conditions

                • AU-2.1 AU-2.1 Condition 1: Legal Status

                  • AU-2.1.1

                    The legal status of a licensee must be a Bahraini joint stock company (BSC).

                    January 2013

                • AU-2.2 AU-2.2 Condition 2: Mind and Management

                  • AU-2.2.1

                    Licensees with their Registered Office in the Kingdom of Bahrain must maintain their Head Office in the Kingdom.

                    January 2013

                  • AU-2.2.2

                    The CBB requires that all approved persons occupying controlled functions outlined in Paragraph AU-1.2.2, except for Subparagraphs (a) member of the board of directors and (f) member of the Shari'a Supervisory Board, be resident in Bahrain.

                    January 2013

                  • AU-2.2.3

                    For regional groups, the CBB may consider other arrangements, subject to such arrangements meeting the CBB's supervisory objectives.

                    January 2013

                • AU-2.3 AU-2.3 Condition 3: Controllers

                  • AU-2.3.1

                    Licensees must satisfy the CBB that their controllers are suitable and pose no undue risks to the licensee. Licensees must also satisfy the CBB that their close links do not prevent the effective supervision of the licensee by the CBB and otherwise pose no undue risks to the licensee.

                    January 2013

                  • AU-2.3.2

                    Chapters GR-5 and GR-6 contain the CBB's requirements and definitions regarding controllers and close links.

                    January 2013

                  • AU-2.3.3

                    In summary, controllers are persons who directly or indirectly are significant shareholders in a licensee, or who are otherwise able to exert significant influence on the licensee. The CBB seeks to ensure that controllers pose no significant risks to the licensee. In general terms, controllers are assessed in terms of their financial standing, their judicial and regulatory record, and standards of business and (where relevant) personal probity.

                    January 2013

                  • AU-2.3.4

                    A licensee has close links with its subsidiaries, with its parent undertakings, and with subsidiaries of its parent undertakings. It also has close links with any entity in which the licensee, its subsidiaries, its parent undertakings, and the subsidiaries of its parent undertakings has an equity interest of more than 20% (either in terms of capital or voting rights). The CBB seeks to ensure that these closely linked entities do not prevent adequate consolidated supervision being applied to financial entities within the group, and that other group entities do not pose any material financial, reputational or other risks to the licensee.

                    January 2013

                  • AU-2.3.5

                    In all cases, when judging applications from existing groups, the CBB will have regard to the reputation and financial standing of the group as a whole. Where relevant, the CBB will also take into account the extent and quality of supervision applied to overseas members of the group and take into account any information provided by other supervisors in relation to any member of the group.

                    January 2013

                • AU-2.4 AU-2.4 Condition 4: Board and Employees

                  • AU-2.4.1

                    Those nominated to carry out controlled functions must satisfy the CBB's approved persons requirements. This rule is supported by Article 65 of the CBB Law.

                    January 2013

                  • AU-2.4.2

                    The definition of controlled functions is contained in Paragraph AU-1.5.2, whilst Chapter AU-3 sets out CBB's approved persons requirements.

                    January 2013

                  • AU-2.4.3

                    The licensee's staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of the licensee in a sound and prudent manner. Licensees must ensure their employees meet any training and competency requirements specified by the CBB.

                    January 2013

                • AU-2.5 AU-2.5 Condition 5: Financial Resources

                  • Capital Funds

                    • AU-2.5.1

                      Licensees must maintain a level of financial resources, as agreed with the CBB, adequate for the level of business proposed.

                      January 2013

                    • AU-2.5.2

                      Licensees must fully comply with the capital requirements contained in Module CA (Capital Adequacy).

                      Amended: July 2022
                      January 2013

                  • Liquidity

                    • AU-2.5.3

                      Licensees must maintain sufficient liquid assets to meet their obligations as they fall due in the normal course of their business, as required under Module LM. Licensees must agree a liquidity management policy with the CBB.

                      January 2013

                • AU-2.6 AU-2.6 Condition 6: Systems and Controls

                  • AU-2.6.1

                    Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate for the scale and complexity of their activities. These systems and controls must meet the minimum requirements contained in Modules HC, CM and OM.

                    January 2013

                  • AU-2.6.2

                    Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate to address the risks of financial crime occurring in the licensee. These systems and controls must meet the minimum requirements contained in Module FC, as specified for the license held.

                    January 2013

                • AU-2.7 AU-2.7 Condition 7: External Auditors

                  • AU-2.7.1

                    Article 61 of the CBB Law requires that licensees appoint an external auditor, subject to CBB's prior approval. The minimum requirements regarding auditors contained in Module AA (Auditors and Accounting Standards) must be met.

                    January 2013

                • AU-2.8 AU-2.8 Condition 8: Other Requirements

                  • Books and Records

                    • AU-2.8.1

                      Article 59 of the CBB Law requires licensees to maintain comprehensive books of accounts and other records, and satisfy the minimum record-keeping requirements contained in Article 60 of the pre-mentioned Law and Module OM. Books of accounts must comply with the financial accounting standards issued by the International Financial Reporting Standards (IFRS)/International Accounting Standards (IAS) or the applicable AAOIFI standards for Islamic licensees.

                      Amended: January 2014
                      January 2013

                  • Provision of Information

                    • AU-2.8.2

                      Articles 58, 111, 114 and 163 of the CBB Law require that licensees and their staff must act in an open and cooperative manner with the CBB. Licensees must meet the regulatory reporting and public disclosure requirements contained in Modules BR and PD respectively. As per Article 62 of the CBB Law, audited financial statements must be submitted to the CBB within 3 months of the licensee s financial year-end.

                      January 2013

                  • General Conduct

                    • AU-2.8.3

                      Licensees must conduct their activities in a professional and orderly manner, in keeping with good market practice. Licensees must comply with the general standards of business conduct contained in Module PB, as well as the standards relating to treatment of customers contained in Modules BC and CM.

                      January 2013

                  • Additional Conditions

                    • AU-2.8.4

                      Licensees must comply with any other specific requirements or restrictions imposed by the CBB on the scope of their license.

                      January 2013

                    • AU-2.8.5

                      Licensees are subject to the provisions of the CBB Law. These include the right of the CBB to impose such terms and conditions, as it may deem necessary when issuing a license, as specified in Article 45 of the CBB Law. Thus, when granting a license, the CBB specifies the regulated financing company services that the licensee may undertake. Licensees must respect the scope of their license.

                      January 2013

                    • AU-2.8.6

                      In addition, the CBB may impose additional restrictions or requirements, beyond those already specified in Volume 5, to address specific risks. For instance, a license may be granted subject to strict limitations on intra-group transactions.

                      January 2013

              • AU-3 AU-3 Approved Persons Conditions

                • AU-3.1 AU-3.1 Approved Persons Conditions

                  • Condition 1: 'Fit and Proper'

                    • AU-3.1.1

                      Licensees seeking an approved person authorisation for an individual, must satisfy the CBB that the individual concerned is 'fit and proper' to undertake the controlled function in question.

                      January 2013

                    • AU-3.1.2

                      The authorisation requirement for persons nominated to carry out controlled functions is contained in Section AU-1.5. The authorisation process is described in Section AU-4.3.

                      January 2013

                    • AU-3.1.3

                      Each applicant applying for approved person status and those individuals occupying approved person positions must comply with the following conditions:

                      (a) Has not previously been convicted of any felony or crime that relates to his/her honesty and/or integrity unless he/she has subsequently been restored to good standing;
                      (b) Has not been the subject of any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud;
                      (c) Has not been adjudged bankrupt by a court unless a period of 10 years has passed, during which the person has been able to meet all his/her obligations and has achieved economic accomplishments;
                      (d) Has not been disqualified by a court, regulator or other competent body, as a director or as a manager of a corporation;
                      (e) Has not failed to satisfy a judgement debt under a court order resulting from a business relationship;
                      (f) Must have personal integrity, good conduct and reputation;
                      (g) Has appropriate professional and other qualifications for the controlled function in question (see Appendix TC-1 in Module TC (Training and Competency)); and
                      (h) Has sufficient experience to perform the duties of the controlled function (see Appendix TC-1 in Module TC (Training and Competency)).
                      Amended: January 2016
                      January 2013

                    • AU-3.1.4

                      In assessing the conditions prescribed in Rule AU-3.1.3, the CBB will take into account the criteria contained in Paragraph AU-3.1.5. The CBB reviews each application on a case-by-case basis, taking into account all relevant circumstances. A person may be considered 'fit and proper' to undertake one type of controlled function but not another, depending on the function's job size and required levels of experience and expertise. Similarly, a person approved to undertake a controlled function in one licensee may not be considered to have sufficient expertise and experience to undertake nominally the same controlled function but in a much bigger licensee.

                      Amended: January 2016
                      January 2013

                    • AU-3.1.5

                      In assessing a person's fitness and propriety, the CBB will also consider previous professional and personal conduct (in Bahrain or elsewhere) including, but not limited to, the following:

                      (a) The propriety of a person's conduct, whether or not such conduct resulted in a criminal offence being committed, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
                      (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
                      (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
                      (d) Whether the person, or any body corporate, partnership or unincorporated institution to which the applicant has, or has been associated with as a director, controller, manager or company secretary been the subject of any disciplinary proceeding, investigation or fines by any government authority, regulatory agency or professional body or association;
                      (e) The contravention of any financial services legislation;
                      (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
                      (g) Dismissal or a request to resign from any office or employment;
                      (h) Whether the person has been a Director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners have been declared bankrupt whilst the person was connected with that partnership;
                      (i) The extent to which the person has been truthful and open with supervisors; and
                      (j) Whether the person has ever entered into any arrangement with creditors in relation to the inability to pay due debts.
                      Added: January 2016

                    • AU-3.1.6

                      With respect to Paragraph AU-3.1.5, the CBB will take into account the length of time since any such event occurred, as well as the seriousness of the matter in question.

                      Added: January 2016

                    • AU-3.1.7

                      Approved persons undertaking a controlled function must act prudently, and with honesty, integrity, care, skill and due diligence in the performance of their duties. They must avoid conflicts of interest arising whilst undertaking a controlled function.

                      Amended: January 2016
                      January 2013

                    • AU-3.1.8

                      In determining where there may be a conflict of interest arising, factors that may be considered will include whether:

                      (a) A person has breached any fiduciary obligations to the company or terms of employment;
                      (b) A person has undertaken actions that would be difficult to defend, when looked at objectively, as being in the interest of the licensee; and
                      (c) A person has failed to declare a personal interest that has a material impact in terms of the person's relationship with the licensee.
                      Amended: January 2016
                      January 2013

                    • AU-3.1.9

                      Further guidance on the process for assessing a person's 'fit and proper' status is given in Module EN (Enforcement): see Chapter EN-8.

                      Added: January 2016

                • AU-3.2 AU-3.2 [This Section was deleted in January 2016]

                  • AU-3.2.1

                    [This Paragraph was deleted in January 2016.]

                    Deleted: January 2016
                    Amended: July 2015
                    January 2013

                  • AU-3.2.2

                    [This Paragraph was deleted in January 2016.]

                    Deleted: January 2016
                    January 2013

                  • AU-3.2.3

                    [This Paragraph was moved to Paragraph AU-3.1.9 in January 2016.]

                    Amended: January 2016
                    January 2013

              • AU-4 AU-4 Information Requirements and Processes

                • AU-4.1 AU-4.1 Licensing

                  • Application Form and Documents

                    • AU-4.1.1

                      Applicants for a license must submit a duly completed Form 1 (Application for a License), under cover of a letter signed by an authorised signatory of the applicant marked for the attention of the Director, Licensing and Policy Directorate. The application letter must be accompanied by the documents listed in Paragraph AU-4.1.4, unless otherwise directed by the CBB.

                      January 2013

                    • AU-4.1.2

                      Articles 44 to 47 of the CBB Law govern the licensing process. This prescribes a single stage process, with the CBB required to take a decision within 60 calendar days of an application being deemed complete (i.e. containing all required information and documents). See below, for further details on the licensing process and time-lines.

                      January 2013

                    • AU-4.1.3

                      References to applicant mean the proposed licensee seeking authorisation. An applicant may appoint a representative — such as a law firm or professional consultancy — to prepare and submit the application. However, the applicant retains full responsibility for the accuracy and completeness of the application, and is required to certify the application form accordingly. The CBB also expects to be able to liaise directly with the applicant during the authorisation process, when seeking clarification of any issues.

                      January 2013

                    • AU-4.1.4

                      Unless otherwise directed by the CBB, the following documents must be provided together with the covering letter referred in Paragraph AU-4.1.1 above in support of a license application:

                      (a) A duly completed Form 2 (Application for Authorisation of Controller) for each controller of the proposed licensee;
                      (b) A duly completed Form 3 (Application for Approved Person status), for each individual proposed to undertake controlled functions (as defined in Rule AU-1.2.2) in the proposed licensee;
                      (c) A comprehensive business plan for the application, addressing the matters described in AU-4.1.6;
                      (d) Where the applicant is an existing institution, a copy of the applicant's commercial registration;
                      (e) Any relevant Private Placement Memoranda or public offering documents (if funds are to be raised by external shareholders);
                      (f) Where the applicant is a corporate body, a certified copy of a Board resolution of the applicant along with minutes of the concerned meeting, confirming the board's decision to seek a CBB financing company license;
                      (g) In the case of applicants that are part of a regulated group, a letter of non-objection to the proposed license application from the applicant's home supervisor, together with confirmation that the group is in good regulatory standing and is in compliance with applicable supervisory requirements, including those relating to capital adequacy and solvency requirements;
                      (h) Copies of the audited financial statements of the applicant's major shareholder and/or group (as directed by the CBB), for the three years immediately prior to the date of application; and
                      (i) A draft copy of the applicant's (and parent's where applicable) memorandum and articles of association, addressing the matters described in AU-4.1.7.
                      January 2013

                    • AU-4.1.5

                      The CBB may require that an acceptably worded letter of guarantee be provided in support of the application for a license. Where the application for the license is for an incorporated entity, the CBB may seek a letter of guarantee from the major shareholder in control of the licensee.

                      January 2013

                    • AU-4.1.6

                      The business plan submitted in support of an application should include:

                      (a) An outline of the history of the applicant and its shareholders;
                      (b) The reasons for applying for a license, including the applicant's strategy and market objectives;
                      (c) The proposed type of activities to be carried on by the applicant in/from the Kingdom of Bahrain;
                      (d) The proposed Board and senior management of the applicant and the proposed organisational structure of the applicant;
                      (e) An independent assessment of the risks that may be faced by the applicant, together with the proposed systems and controls framework to be put in place for addressing those risks and to be used for the main business functions; and
                      (f) An opening balance sheet for the applicant, together with a three-year financial projection, with all assumptions clearly outlined, demonstrating that the applicant will be able to meet applicable leverage and liquidity requirements.
                      January 2013

                    • AU-4.1.7

                      The applicant's (and where applicable, its parent's) memorandum and articles of association must explicitly provide for it to undertake the activities proposed in the licensed application, and must preclude the applicant from undertaking other commercial activities, unless these arise out of its financing activities or are incidental to those.

                      January 2013

                    • AU-4.1.8

                      Where a new financing company's capital is being financed by a private placement, the CBB will verify that the contents of the Private Placement Memorandum (PPM) are consistent with other information supplied to the CBB, notably the business plan, and otherwise meet any applicable regulatory requirements with respect to PPM documents. The CBB's review of the PPM does not in any way constitute an approval or endorsement as to any claims it may contain as to the future value of the proposed licensee.

                      January 2013

                    • AU-4.1.9

                      The CBB will not license applicants without a core group of sponsoring shareholders (who can demonstrate a strong business track record with relevant expertise), and where failure of the private placement to raise its targeted amount would leave the institution unable to comply with the CBB's minimum capital requirements. The CBB may, on a case-by-case basis, require that at least one shareholder is a regulated financial institution which holds 20% of the applicant's shares.

                      January 2013

                    • AU-4.1.10

                      All documentation provided to the CBB as part of an application for a license must be in either Arabic or English language. Any documentation in a language other than English or Arabic must be accompanied by a certified English or Arabic translation thereof.

                      January 2013

                    • AU-4.1.11

                      Before the final approval is granted to a licensee, confirmation from a retail bank addressed to the CBB that the licensee's capital (injected funds) — as specified in the business plan submitted under Rule AU-4.1.4 — has been paid in, must be provided to the CBB.

                      January 2013

                    • AU-4.1.12

                      Any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs prior to authorisation must be reported to the CBB.

                      January 2013

                    • AU-4.1.13

                      Failure to inform the CBB of the changes specified in AU-4.1.12 is likely to be viewed as a failure to provide full and open disclosure of information, and thus a failure to meet licensing condition AU-2.8.2.

                      January 2013

                  • Licensing Process and Timelines

                    • AU-4.1.14

                      By law, the 60-day time limit referred to in Paragraph AU-4.1.2 only applies once the application is complete and all required information (which may include any clarifications requested by the CBB) and documents have been provided. This means that all the items specified in Rule AU-4.1.4 have to be provided, before the CBB may issue a license.

                      January 2013

                    • AU-4.1.15

                      The CBB recognises, however, that applicants may find it difficult to secure suitable senior management (refer AU-4.1.4(b) above) in the absence of preliminary assurances regarding the likelihood of obtaining a license.

                      January 2013

                    • AU-4.1.16

                      Therefore, applicants may first submit an unsigned Form 1 in draft, together with as many as possible of the items specified in Rule AU-4.1.4. This draft application should contain at least items AU-4.1.4(a); AU-4.1.4(b), with respect to proposed Directors (but not necessarily senior management); AU-4.1.4(c); AU-4.1.4(d); and AU-4.1.4(f) to AU-4.1.4(i) inclusive.

                      January 2013

                    • AU-4.1.17

                      On the basis of the information specified in Paragraph AU-4.1.16, the CBB may provide an initial 'in principle' confirmation that the applicant appears likely to meet the CBB's licensing requirements, subject to the remaining information and documents being assessed as satisfactory. The 'in principle' confirmation will also list all outstanding documents required before an application can be considered complete and subject to formal consideration.

                      January 2013

                    • AU-4.1.18

                      An 'in principle' confirmation does not constitute a license approval, nor does it commit the CBB to issuing a license. However, it provides sufficient assurance for an applicant to complete certain practical steps, such as securing suitable executive staff that satisfy CBB's 'fit and proper' requirements. Once this has been done, the applicant may finalise its application, by submitting the remaining documents required under Rule AU-4.1.4 and, once assessed as complete by the CBB, a signed and dated final version of Form 1. However, a Bahrain company proposing to undertake financial services activities would not be able to obtain a commercial registration from the Ministry of Industry and Commerce unless they receive the final approval from the CBB.

                      January 2013

                    • AU-4.1.19

                      Regardless of whether an applicant submits a draft application or not, all potential applicants are strongly encouraged to contact the CBB at an early stage to discuss their plans and associated requirements. The Licensing & Policy Directorate would normally expect to hold at least one pre-application meeting with an applicant, prior to receiving an application (either in draft or in final form).

                      January 2013

                    • AU-4.1.20

                      Potential applicants should initiate pre-application meetings in writing, setting out a short summary of their proposed business and any issues or questions that they may have already identified, once they have a clear business proposition in mind and have undertaken their preliminary research. The CBB can then guide the applicant on the specific areas in the Rulebook that will apply to them and the relevant requirements that they must address in their application.

                      January 2013

                    • AU-4.1.21

                      At no point should an applicant hold themselves out as having been licensed by the CBB, prior to receiving formal written notification of the fact in accordance with Rule AU-4.1.22 below. Failure to do so may constitute grounds for refusing an application and result in a contravention of Articles 40 and 41 of the CBB Law (which carries a maximum penalty of BD 1 million).

                      January 2013

                  • Granting or Refusal of License

                    • AU-4.1.22

                      To be granted a license, an applicant should demonstrate compliance with the applicable requirements of the CBB Law and this Module. Should a license be granted, the CBB will notify the applicant in writing of the fact; the CBB will also publish its decision to grant a license in the Official Gazette and in two local newspapers (one published in Arabic, the other in English). The license may be subject to such terms and conditions as the CBB deems necessary for the additional conditions being met.

                      Amended: October 2019
                      January 2013

                    • AU-4.1.23

                      The CBB may refuse to grant a license if in its opinion:

                      (a) The requirements of the CBB Law or this Module are not met;
                      (b) False or misleading information has been provided to the CBB, or information which should have been provided to the CBB has not been so provided; or
                      (c) The CBB believes it necessary in order to safeguard the interests of potential customers.
                      January 2013

                    • AU-4.1.24

                      Where the CBB proposes to refuse an application for a license, it will give the applicant a written notice to that effect. Applicants will be given a minimum of 30 calendar days from the date of the written notice to appeal the decision, as per the appeal procedures specified in the notice; these procedures will comply with the provisions contained in Article 46 of the CBB Law.

                      Amended: October 2019
                      January 2013

                  • Starting Operations

                    • AU-4.1.25

                      Within 6 months of the license being issued, the new licensee must provide to the CBB:

                      (a) A detailed action plan for establishing the operations and supporting infrastructure of the licensee, such as the completion of written policies and procedures, and recruitment of remaining employees (having regard to the time limit set by Article 48 (c) of the CBB Law);
                      (b) The registered office address and details of premises to be used to carry out the business of the proposed licensee;
                      (c) The address in the Kingdom of Bahrain where full business records will be kept;
                      (d) The licensee's contact details including telephone and fax number, e-mail address and website;
                      (e) A description of the business continuity plan;
                      (f) A description of the IT system that will be used, including details of how IT systems and other records will be backed up;
                      (g) A copy of the external auditor's acceptance to act as an external auditor for the applicant;
                      (h) A copy of the applicant's notarised memorandum and articles of association, addressing the matters described in Paragraph AU-4.1.6;
                      (i) A copy of the Ministry of Industry & Commerce commercial registration certificate in Arabic and English languages;
                      (j) An updated organisation chart showing the reporting lines, committees (if any) and including the names of the persons undertaking the controlled functions;
                      (k) A copy of the licensee's business card and any written communication (including stationery, website, e-mail, business documentation, etc.) including a statement that the financing company is licensed by the CBB; and
                      (l) Any other information as may be specified by the CBB.
                      January 2013

                    • AU-4.1.26

                      New licensees must start their operations within 6 months of being granted a license by the CBB, failing which the CBB may cancel the license, as per the powers and procedures set out in Article 48 of the CBB Law.

                      January 2013

                    • AU-4.1.27

                      The procedures for cancelling licenses are contained in Section AU-4.3.

                      January 2013

                • AU-4.2 AU-4.2 Authorisation of a Branch or Subsidiary

                  • AU-4.2.1

                    Licensees may open branches or subsidiaries in the Kingdom of Bahrain or in foreign jurisdictions after obtaining the CBB's prior written approval.

                    January 2013

                  • Authorisation of a Branch

                    • AU-4.2.2

                      Unless otherwise directed by the CBB, the following documents must be provided to the CBB in support of an application to open a branch:

                      (a) A business plan explaining:
                      (i) The reasons for applying for a branch, including the applicant's strategy and market objectives; and
                      (ii) A minimum of three-year financial projection, with all assumptions clearly outlined, demonstrating that the branch will be able to meet all liabilities and obligations;
                      (b) The location of the proposed branch, including the full address; and
                      (c) Confirmation from the external auditor that the licensee's capital adequacy is sufficient to support the operation of the branch, in addition to other existing branches (if applicable), at the time of filing the request.
                      January 2013

                  • Starting Operations of a Branch

                    • AU-4.2.3

                      Licensees must submit to the CBB confirmation that the authorised branch has commenced operations within 6 months of the authorisation letter.

                      January 2013

                  • Authorisation of a Subsidiary

                    • AU-4.2.4

                      Licensees wishing to establish a new subsidiary undertaking must submit to the CBB the following information as part of their request:

                      (a) Proposed name of subsidiary;
                      (b) Country of incorporation;
                      (c) Legal structure;
                      (d) Proposed issued capital;
                      (e) Proposed shareholding structure;
                      (f) Purpose of establishing the subsidiary;
                      (g) Draft incorporation documents of the subsidiary;
                      (h) Board resolution approving the establishment of the subsidiary; and
                      (i) Any other information or documentation requested by the CBB.
                      January 2013

                    • AU-4.2.5

                      Licensees wishing to acquire a new subsidiary undertaking must submit to the CBB the following information as part of their request:

                      (a) Annual report, including audited financial statements of the subsidiary being acquired;
                      (b) Purpose of acquiring the subsidiary;
                      (c) Memorandum and Articles of Association of the subsidiary;
                      (d) Board resolution approving the acquisition of the subsidiary; and
                      (e) Any other information or documentation requested by the CBB.
                      January 2013

                    • AU-4.2.6

                      Licensees should ensure adherence with Rules contained in:

                      (a) Chapter CA-1 and in particular with the gearing ratio requirements contained in Paragraph CA-1.1.4;
                      (b) The minimum liquidity requirements outlined in Chapter LM-1; and
                      (c) The reporting requirements for close links contained in Paragraph GR-6.1.3

                      when considering the impact of a subsidiary on these requirements.

                      January 2013

                • AU-4.3 AU-4.3 Approved Persons

                  • AU-4.3.1

                    Licensees must obtain CBB's prior written approval before a person is formally appointed to a controlled function. The request for CBB approval must be made by submitting to the CBB a duly completed Form 3 (Application for Approved Person status) and Curriculum Vitae after verifying that all the information contained in the Form 3, including previous experience, is accurate. Form 3 is available under Volume 5 Part B Authorisation Forms of the CBB Rulebook.

                    Amended: January 2016
                    Amended: July 2015
                    January 2013

                  • AU-4.3.2

                    When the request for approved person status forms part of a license application, the Form 3 must be marked for the attention of the Director, Licensing and Policy Directorate. When the submission to undertake a controlled function is in relation to an existing licensee, the Form 3, except if dealing with a MLRO and the Deputy MLRO, must be marked for the attention of the applicable Director, Banking Supervision Directorate responsible for the supervision of the licensee. In the case of the MLRO and Deputy MLRO, Form 3 should be marked for the attention of the Director, Compliance Directorate.

                    January 2013

                  • AU-4.3.3

                    When submitting the Forms 3, licensees must ensure that the Form 3 is:

                    (a) Submitted to the CBB with a covering letter signed by an authorised representative of the licensee, seeking approval for the proposed controlled function;
                    (b) Submitted in original form;
                    (c) Submitted with a certified copy of the applicant's passport, original or certified copies of educational and professional qualification certificates (and translation if not in Arabic or English) and the Curriculum Vitae; and
                    (d) Is signed by an authorised representative of the licensee and all pages stamped with the licensee's seal.
                    Amended: July 2015
                    January 2013

                  • AU-4.3.3A

                    Licensees seeking to appoint Board Directors must seek CBB approval for all the candidates to be put forward for election/approval at a shareholders' meeting, in advance of the agenda being issued to shareholders. CBB approval of the candidates does not in any way limit shareholders' rights to refuse those put forward for election/approval.

                    Added: July 2015

                  • AU-4.3.4

                    For existing licensees applying for the appointment of a Director or the Chief Executive/General Manager, the authorised representative should be the Chairman of the Board or a Director signing on behalf of the Board. For all other controlled functions, the authorised representative should be a Director or the Chief Executive/General Manager.

                    Amended: July 2015
                    January 2013

                  • AU-4.3.5

                    [This Paragraph was deleted in July 2015.]

                    Deleted: July 2015

                  • AU-4.3.6

                    [This Paragraph was moved to Paragraph AU-4.3.3A in July 2015.]

                    Amended: July 2015
                    January 2013

                  • Assessment of Application

                    • AU-4.3.6A

                      The CBB shall review and assess the application for approved person status to ensure that it satisfies all the conditions required in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.3.6B

                      For purposes of Paragraph AU-4.3.6A, licensees should give the CBB a reasonable amount of notice in order for an application to be reviewed. The CBB shall respond within 15 business days from the date of meeting all regulatory requirements, including but not limited to receiving the application complete with all the required information and documents, as well as verifying references.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.3.6C

                      The CBB reserves the right to refuse an application for approved person status if it does not satisfy the conditions provided for in Paragraph AU-3.1.3 and does not satisfy the CBB criteria in Paragraph AU-3.1.5. A notice of such refusal is issued by registered mail to the licensee concerned, setting out the basis for the decision.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.3.7

                      [This Paragraph was deleted in January 2016.]

                      Deleted: January 2016
                      Amended: July 2015
                      January 2013

                  • Appeal Process

                    • AU-4.3.7A

                      Licensees or the nominated approved persons may, within 30 calendar days of the notification, appeal against the CBB's decision to refuse the application for approved person status. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from submitting the appeal.

                      Added: July 2015

                    • AU-4.3.7B

                      Where notification of the CBB's decision to grant a person approved person status is not issued within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, licensees or the nominated approved persons may appeal to the concerned Executive Director, Banking Supervision of the CBB provided that the appeal is justified with supporting documents. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from the date of submitting the appeal.

                      Amended: January 2016
                      Added: July 2015

                  • Notification Requirements and Process

                    • AU-4.3.8

                      Licensees must immediately notify the CBB when an approved person ceases to hold a controlled function together with an explanation as to the reasons why (see Paragraph AU-4.5.7). In such cases, their approved person status is automatically withdrawn by the CBB.

                      January 2013

                    • AU-4.3.9

                      Licensees must immediately notify the CBB in case of any material change to the information provided in a Form 3 submitted for an approved person.

                      January 2013

                    • AU-4.3.10

                      Licensees must immediately notify the CBB when they become aware of any of the events listed in Paragraph EN-8.2.3, affecting one of their approved persons.

                      January 2013

                    • AU-4.3.10A

                      Licensees must immediately notify the CBB should they become aware of information that could reasonably be viewed as calling into question an approved person’s compliance with CBB’s ‘fit and proper’ requirement (see AU3.1).

                      Added: January 2021

                  • Change in Controlled Function

                    • AU-4.3.11

                      Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee.

                      January 2013

                    • AU-4.3.12

                      In such instances, a new Form 3 (Application for Approved Person status) should be completed and submitted to the CBB. Note that a person may be considered 'fit and proper' for one controlled function, but not for another, if for instance the new role requires a different set of skills and experience. Where an approved person is moving to a controlled function in another licensee, the first licensee should notify the CBB of that person's departure (see Rule AU-4.5.7), and the new licensee should submit a request for approval under Rule AU-1.2.1.

                      January 2013

                • AU-4.4 AU-4.4 Variations to a License

                  • AU-4.4.1

                    As per Article 48 of the CBB Law, licensees must seek prior CBB approval before undertaking new regulated financing company services.

                    January 2013

                  • AU-4.4.2

                    Failure to secure CBB approval prior to undertaking a new regulated activity may lead to enforcement action being taken against the concerned person. This is supported by Article 40 of the CBB law.

                    January 2013

                  • AU-4.4.3

                    In addition to any other information requested by the CBB, and unless otherwise directed by the CBB, a licensee requesting CBB approval to undertake a new regulated financing company service must provide the following information:

                    (a) A summary of the rationale for undertaking the proposed new activities;
                    (b) A description of how the new business will be managed and controlled;
                    (c) An analysis of the financial impact of the new activities; and
                    (d) A summary of the due diligence undertaken by the Board and management of the licensee on the proposed new activities.
                    January 2013

                  • AU-4.4.4

                    The CBB may amend or revoke a licence in any of the following cases:

                    (a) If the licensee fails to satisfy any of the license conditions;
                    (b) If the licensee violates the terms of these rules or any of the Volume's directives;
                    (c) If the licensee fails to start business within six months from the date of the licence;
                    (d) If the licensee ceases to carry out the licensed activity in the Kingdom; or
                    (e) The legitimate interests of the customers or creditors of a licensee required such amendment or cancellation.
                    January 2013

                  • AU-4.4.5

                    The CBB's procedures for amending or revoking a license is outlined in detail in the Enforcement Module (EN).

                    January 2013

                • AU-4.5 AU-4.5 Withdrawal of a License or Closure of a Branch

                  • Licenses

                    • Voluntary Surrender of a License or Closure of a Branch

                      • AU-4.5.1

                        In Accordance with Article 50 of the CBB Law, all requests for the voluntary surrender of a license or closure of a branch are subject to CBB approval. Such requests must be made in writing to the Executive Director of Banking Supervision, setting out in full the reasons for the request and how the voluntary surrender or branch closure is to be carried out.

                        January 2013

                      • AU-4.5.2

                        Licensees must satisfy CBB that their customers' interests are to be safeguarded during and after the proposed voluntary surrender or closure of the branch.

                        January 2013

                      • AU-4.5.3

                        The CBB will only approve a voluntary surrender where it has no outstanding regulatory concerns and any relevant customers' interests would not be prejudiced. A voluntary surrender will not be accepted where it is aimed at pre-empting supervisory actions by the CBB. Also, a voluntary surrender will only take effect once the licensee, in the opinion of the CBB, has discharged all its regulatory responsibilities to customers.

                        January 2013

                    • Cancellation of a License by the CBB

                      • AU-4.5.4

                        As provided for under Article 48 (c) of the CBB Law, the CBB may itself move to cancel a license. The CBB generally views the cancellation of a license as appropriate only in the most serious of circumstances, and generally tries to address supervisory concerns through other means beforehand. See also Chapter EN-7, regarding the cancellation or amendment of licenses, including the procedures used in such instances and the licensee's right to appeal the formal notice of cancellation issued by the CBB.

                        January 2013

                      • AU-4.5.5

                        Cancellation of a license requires CBB to issue a formal notice of cancellation to the person concerned. The notice of cancellation must describe the CBB's rationale for the proposed cancellation, as specified in Article 48(d) of the CBB Law.

                        January 2013

                      • AU-4.5.6

                        Where cancellation of a license has been confirmed by CBB, the CBB will only effect the cancellation once a licensee has discharged all its regulatory responsibilities to customers. Until such time, CBB will retain all its regulatory powers with regards to the licensee, and will direct the licensee such that no new regulated financing activity may be undertaken whilst the licensee discharges its obligations to customers.

                        January 2013

                    • Cancellation of Approved Person Status

                      • AU-4.5.7

                        In accordance with Paragraph AU-4.3.8, licensees must promptly notify the CBB in writing, as soon as they become aware, when a person undertaking a controlled function will no longer be carrying out that function. If a controlled function falls vacant, the licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the licensee must make immediate interim arrangements to ensure continuity of the duties and responsibilities of the controlled function affected. These interim arrangements must be approved by the CBB.

                        January 2013

                      • AU-4.5.8

                        The explanation given for any such changes should simply identify if the planned move was prompted by any concerns over the person concerned, or is due to a routine staff change, retirement or similar reason.

                        January 2013

                      • AU-4.5.9

                        The CBB may also move to declare someone as not 'fit and proper', in response to significant compliance failures or other improper behaviour by that person: see Chapter EN-8 regarding the cancellation of 'fit and proper' approval.

                        January 2013

                • AU-4.6 AU-4.6 Publication of the Decision to Grant, Cancel or Amend a License

                  • AU-4.6.1

                    In accordance with Articles 47 and 49 of the CBB Law, the CBB will publish its decision to grant, cancel or amend a license in the Official Gazette and in two local newspapers, one in Arabic and the other in English.

                    Amended: October 2019
                    Added: July 2017

                  • AU-4.6.2

                    For the purposes of Paragraph AU-4.6.1, the cost of publication must be borne by the Licensee.

                    Added: July 2017

                  • AU-4.6.3

                    The CBB may also publish its decision on such cancellation or amendment using any other means it considers appropriate, including electronic means.

                    Added: July 2017

              • AU-5 AU-5 License Fees

                • AU-5.1 AU-5.1 License Application Fees

                  • AU-5.1.1

                    Applicants seeking a financing company license from the CBB must pay a non-refundable license application fee of BD 100 at the time of submitting their formal application to the CBB.

                    January 2013

                  • AU-5.1.2

                    There are no application fees for those seeking approved person status.

                    January 2013

                • AU-5.2 AU-5.2 Annual License Fees

                  • AU-5.2.1

                    Licensees must pay the relevant annual license fee to the CBB on 1st of December of the preceding year for which the fee is due.

                    Amended: July 2013
                    January 2013

                  • AU-5.2.2

                    Financing company licensees must pay a variable annual licensing fee based on 0.25% of their relevant operating expenses, subject to a floor of BD6,000 and a cap of BD24,000.

                    Amended: July 2013
                    January 2013

                  • AU-5.2.3

                    Relevant operating expenses are defined as the total operating expenses of the licensee concerned, as recorded in the most recent audited financial statements available, subject to the adjustments specified in Rule AU-5.2.4.

                    January 2013

                  • AU-5.2.4

                    The adjustments to be made to relevant operating expenses are the exclusion of the following items from total operating expenses:

                    (a) Training costs;
                    (b) Charitable donations; and
                    (c) Previous year's CBB fees paid.
                    January 2013

                  • AU-5.2.5

                    The CBB would normally rely on the audited accounts of a licensee as representing a true and fair picture of its operating expenses. However, the CBB reserves the right to enquire about the accounting treatment of expenses, and/or policies on intra-group charging, if it believes that these are being used artificially to reduce a license fee.

                    January 2013

                  • AU-5.2.6

                    Licensees must complete and submit Form ALF (Annual License Fee) to the CBB, no later than 15th October of the preceding year for which the fees are due.

                    Amended: July 2013
                    January 2013

                  • AU-5.2.6A

                    All licensees are subject to direct debit for the payment of the annual license fee and must complete and submit to the CBB a Direct Debit Authorisation Form by 15th September available under Part B of Volume 5 (Specialised Licensees) CBB Rulebook on the CBB Website.

                    Added: July 2013

                  • AU-5.2.7

                    For new licensees, their first annual license fee is payable when their license is issued by the CBB. The amount payable is the floor amount of BD6,000.

                    Amended: July 2013
                    January 2013

                  • AU-5.2.7A

                    For the first full year of operation for licensees, the licensee would submit a Form ALF by the 15th October of the previous year for which the fees are due, and calculate its fee as the floor amount. For future years, the licensee would submit a Form ALF by 15th October of the preceding year for which the fees are due and calculate its fee using its last audited financial statements (or alternative arrangements as agreed with CBB, should its first set of accounts cover an 18-month period).

                    Added: July 2013

                  • AU-5.2.7B

                    Licensees must pay a fixed annual fee of BD 1,000 for each locally incorporated SPV in Bahrain which is under the control of and/or providing an actual business function, service or activity (whether actively or passively) for the licensee and/or others at the licensee's direction or having been established under the licensee's direction for that purpose. The CBB approval for any new SPV will only be granted, once the annual fee has been paid. The full amount of the BD 1,000 annual fee is due in the year the SPV is set up and it is not prorated for the number of months remaining in the year.

                    Added: January 2014

                  • AU-5.2.7C

                    Paragraph AU-5.2.7C does not apply to SPVs of Bahrain domiciled CIUs. In the case of Bahrain domiciled CIUs, licensees should refer to the relevant Chapter in Module ARR of Volume 7, depending on the classification of the Bahrain domiciled CIU.

                    Added: January 2014

                  • AU-5.2.8

                    Where a license is cancelled (whether at the initiative of the firm or the CBB), no refund is paid for any months remaining in the calendar year in question, should a fee have been paid for that year.

                    January 2013

                  • AU-5.2.9

                    Licensees failing to comply with this Section may be subject to financial penalties for date sensitive requirements as outlined in Section EN-5.3A or may have their licenses withdrawn by the CBB.

                    Added: July 2013

            • HC HC Financing Companies High-level Controls Module

              • HC-A HC-A Introduction

                • HC-A.1 HC-A.1 Purpose

                  • Executive Summary

                    • HC-A.1.1

                      This Module presents requirements that have to be met by licensees with respect to:

                      (a) Corporate governance principles issued by the Ministry of Industry and Commerce as "The Corporate Governance Code"; and
                      (b) Related high-level controls and policies.
                      January 2013

                    • HC-A.1.2

                      The Principles referred to in this Module are in line with the Principles relating to the Corporate Governance Code issued by the Ministry of Industry and Commerce.

                      January 2013

                    • HC-A.1.3

                      The purpose of the Module is to establish best practice corporate governance principles in Bahrain, and to provide protection for investors and other licensee's stakeholders through compliance with those principles.

                      January 2013

                    • HC-A.1.4

                      Whilst the Module follows best practice, it is nevertheless considered as the minimum standard to be applied.

                      January 2013

                  • Structure of this Module

                    • HC-A.1.5

                      This Module follows the structure of the Corporate Governance Code and each Chapter deals with one of the nine Principles of corporate governance. The numbered directives included in the Code are Rules for purposes of this Module. Recommendations under the Code have been included as guidance.

                      January 2013

                    • HC-A.1.6

                      The Module also incorporates other high-level controls and policies that apply in particular to licensees.

                      January 2013

                    • HC-A.1.7

                      All references in this Module to 'he' or 'his' shall, unless the context otherwise requires, be construed as also being references to 'she' and 'her'.

                      January 2013

                  • The Comply or Explain Principle

                    • HC-A.1.8

                      This Module is issued as a Directive (as amended from time to time) in accordance with Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). In common with other Rulebook Modules, this Module contains a mixture of Rules and Guidance (See Module UG-1.2 for detailed explanation of Rules and Guidance). All Rulebook content that is categorised as a Rule must be complied with by those to whom the content is addressed. Other parts of this Module are Guidance; nonetheless every financing company licensee to whom Module HC applies, is expected to comply with recommendations made as Guidance in Module HC or explain its noncompliance in the Annual Report in accordance with Paragraph PD-1.3.5 and to the CBB (see Chapter HC-8).

                      January 2013

                  • Monitoring and Enforcement of Module HC

                    • HC-A.1.9

                      Disclosure and transparency are underlying principles of Module HC. Disclosure is crucial to allow outside monitoring to function effectively. This Module looks to a combined monitoring system relying on the board, the licensee's shareholders and the CBB.

                      January 2013

                    • HC-A.1.10

                      It is the board's responsibility to see to the accuracy and completeness of the licensee's corporate governance guidelines and compliance with Module HC. Failure to comply with this Module is subject to enforcement measures as outlined in Module EN (Enforcement).

                      January 2013

                  • Legal Basis

                    • HC-A.1.11

                      This Module contains the CBB's Directive (as amended from time to time) relating to high-level controls and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to financing companies licensees (including their approved persons).

                      January 2013

                    • HC-A.1.12

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      January 2013

                  • Effective Date

                    • HC-A.1.13

                      The contents in this Module are effective from January 2013.

                      January 2013

                • HC-A.2 HC-A.2 Module History

                  • HC-A.2.1

                    This Module was first issued in January 2013. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    January 2013

                  • HC-A.2.2

                    A list of recent changes made to this Module is provided below:

                    Module Ref. Change Date Description of Changes
                    HC-8.2 01/2014 Amended as a result of the issuance of Module PD.
                    Appendix D 01/2014 Requirements moved to Module PD.
                    HC-1.2.12,
                    HC-1.2.13
                    and HC-1.3.9
                    10/2014 Corrected cross reference.
                    HC-1.3.11 10/2014 Corrected typo.
                    HC-2.3.3 04/2016 Added a requirement for the licensee to have in place a board approved policy on the employment of relatives of approved persons.
                    HC-2.4.1A 04/2016 Added the requirement to disclose to the board on annual basis relatives of any approved persons occupying controlled functions.
                    HC-7.2 04/2016 Added requirements dealing with shareholders' meetings.
                    HC-7.2.3A 07/2017 Amended paragraph to be in line with Article (199) of the Commercial Companies law.
                    HC-1.4.12 01/2020 Added a new Paragraph on independent directors.
                    HC-1.4.13 01/2020 Added a new Paragraph on termination of Board membership of a retired, terminated CEO.
                    HC-2.3.2 01/2020 Amended Paragraph on policy and procedures approval.
                    HC-5.4.2 04/2020 Added a new Paragraph on KPIs compliance with AML/CFT requirements.
                    HC-1.8.1 07/2022 Amended Paragraph on the committees of the Board.
                    HC-6.2.1 07/2022 Amended Paragraph on the appointment of senior management.

                  • Superseded Requirements

                    • HC-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                      Document Ref. Document Subject
                      Volumes 1 and 2 Module HC
                         
                      January 2013

              • HC-B HC-B Scope of Application

                • HC-B.1 HC-B.1 Scope of Application

                  • HC-B.1.1

                    The contents of this Module — unless otherwise stated — apply to all financing companies licensees, thereafter referred to in this Module as licensees.

                    January 2013

                • HC-B.2 HC-B.2 Subsidiaries, Affiliates and Foreign Branches

                  • HC-B.2.1

                    Licensees must ensure that, as a minimum, the same or equivalent provisions of this Module apply to their foreign branches, located outside the Kingdom of Bahrain, such that these are also subject to effective high-level controls. In instances where local jurisdictional requirements are more stringent than those applicable in this Module, the local requirements are to be applied.

                    January 2013

                  • HC-B.2.2

                    Licensees must satisfy the CBB that financial services activities conducted in subsidiaries and other group members are subject to the same or equivalent arrangements for ensuring effective corporate governance over their activities.

                    January 2013

                  • HC-B.2.3

                    Where a licensee is unable to satisfy the CBB that its subsidiaries and other group members are subject to the same or equivalent arrangements, the CBB will assess the potential impact of risks — both financial and reputational — to the licensee arising from inadequate high-level controls in the rest of the group of which it is a member. In such instances, the CBB may impose restrictions on dealings between the licensee and other group members. Where weaknesses in controls are assessed by the CBB to pose a major threat to the stability of the licensee, then its authorisation may be called into question.

                    January 2013

              • HC-1 HC-1 The Board

                • HC-1.1 HC-1.1 Principle

                  • HC-1.1.1

                    All licensees must be headed by an effective, collegial and informed Board of Directors ('the Board').

                    January 2013

                • HC-1.2 HC-1.2 Role and Responsibilities

                  • HC-1.2.1

                    All directors must understand the board's role and responsibilities under the Commercial Companies Law and any other laws or regulations that may govern their responsibilities from time to time. In particular:

                    (a) The board's role as distinct from the role of the shareholders (who elect the board and whose interests the board serves) and the role of senior managers (whom the board appoints and oversees); and
                    (b) The board's fiduciary duties of care and loyalty to the licensee and the shareholders (see HC-2.1).
                    January 2013

                  • HC-1.2.2

                    The board's role and responsibilities include but are not limited to:

                    (a) The overall business performance and strategy for the licensee;
                    (b) Causing financial statements to be prepared which accurately disclose the licensee's financial position;
                    (c) Monitoring management performance;
                    (d) Convening and preparing the agenda for shareholders meetings;
                    (e) Monitoring conflicts of interest and preventing abusive related party transactions;
                    (f) Assuring equitable treatment of shareholders including minority shareholders; and
                    (g) Establishing the objectives of the licensee.
                    January 2013

                  • HC-1.2.3

                    The precise functions reserved for the Board, and those delegated to management and committees will vary, dependent upon the business of the institution, its size and ownership structure. However, as a minimum, the Board must establish and maintain a statement of its responsibilities for:

                    (a) The adoption and annual review of strategy;
                    (b) The adoption and review of management structure and responsibilities;
                    (c) The adoption and review of the systems and controls framework; and
                    (d) Monitoring the implementation of strategy by management.
                    January 2013

                  • HC-1.2.4

                    The directors are responsible both individually and collectively for performing the responsibilities outlined in Paragraph HC-1.2.1 to HC-1.2.3. Although the Board may delegate certain functions to committees or management, it may not delegate its ultimate responsibility to ensure that an adequate, effective, comprehensive and transparent corporate governance framework is in place.

                    January 2013

                  • HC-1.2.5

                    In its strategy review process under Paragraphs HC-1.2.3 a) and d), the Board must:

                    (a) Review the licensee's business plans and the inherent level of risk in these plans;
                    (b) Assess the adequacy of capital to support the business risks of the licensee;
                    (c) Set performance objectives; and
                    (d) Oversee major capital expenditures, divestitures and acquisitions.
                    January 2013

                  • HC-1.2.6

                    Licensees must notify the CBB in writing of all major proposed changes to the strategy and/or corporate plan of the licensee prior to implementation.

                    January 2013

                  • HC-1.2.7

                    The Board is expected to have effective policies and processes in place for:

                    (a) Approving budgets and reviewing performance against those budgets and key performance indicators; and
                    (b) The management of the licensee's compliance risk.
                    January 2013

                  • HC-1.2.8

                    When a new director is inducted, the chairman of the board, or by the licensee's legal counsel or compliance officer, or other individual delegated by the chairman of the board should review the board's role and duties with that person, particularly covering legal and regulatory requirements and Module HC (see also HC-4.5.1).

                    January 2013

                  • HC-1.2.9

                    The licensee must have a written appointment agreement with each director which recites the directors' powers, duties, responsibilities and accountabilities and other matters relating to his appointment including his term, the time commitment envisaged, the committee assignment if any, his remuneration and expense reimbursement entitlement, and his access to independent professional advice when that is needed.

                    January 2013

                  • Risk Recognition and Assessment

                    • HC-1.2.10

                      The Board is responsible for ensuring that the systems and controls framework, including the Board structure and organisational structure of the licensee, is appropriate for the business and associated risks (see Paragraph HC-1.2.3 (c)). The Board must ensure that collectively it has sufficient expertise to identify, understand and measure the significant risks to which the licensee is exposed in its business activities.

                      January 2013

                    • HC-1.2.11

                      The Board must regularly assess the systems and controls framework of the licensee. In its assessments, the Board must demonstrate to the CBB that:

                      (a) The licensee's operations, individually and collectively are measured, monitored and controlled by appropriate, effective and prudent risk management systems commensurate with the scope of its activities;
                      (b) The licensee's operations are supported by an appropriate control environment. The compliance, risk management and financial reporting functions must be adequately resourced, independent of business lines and must be run by individuals not involved with the day-to-day running of the various business areas. The Board must additionally ensure that management develops, implements and oversees the effectiveness of comprehensive know your customer standards, as well as on-going monitoring of accounts and transactions, in keeping with the requirements of relevant law, regulations and best practice (with particular regard to anti-money laundering measures). The control environment must maintain necessary client confidentiality and ensure that the privacy of the licensee is not violated, and ensure that clients' rights and assets are properly safeguarded; and
                      (c) Where the Board has identified any significant issues related to the licensee's adopted governance framework, appropriate and timely action is taken to address any identified adverse deviations from the requirements of this Module.
                      January 2013

                    • HC-1.2.12

                      The board must adopt a formal board charter or other statement specifying matters which are reserved to it, which should include but need not be limited to the specific requirements and responsibilities of directors. This charter must cover the points in Paragraphs HC-1.2.1 to HC-1.2.11.

                      Amended: October 2014
                      January 2013

                    • HC-1.2.13

                      Wherever possible, the documents referred to in Paragraphs HC-1.2.3 to HC-1.2.11 or a summary of responsibilities should be disclosed publicly, for example in the annual report, which must be submitted to the CBB in line with the requirements of Module BR.

                      Amended: October 2014
                      January 2013

                • HC-1.3 HC-1.3 Decision Making Process

                  • HC-1.3.1

                    The board must be collegial and deliberative, to gain the benefit of each individual director's judgment and experience.

                    January 2013

                  • HC-1.3.2

                    The chairman must take an active lead in promoting mutual trust, open discussion, constructive dissent and support for decisions after they have been made.

                    January 2013

                  • HC-1.3.3

                    The board must meet frequently to enable it to discharge its responsibilities effectively but in no event less than four times a year. All directors must attend the meetings whenever possible and the directors must maintain informal communication between meetings.

                    January 2013

                  • HC-1.3.4

                    Individual board members must attend at least 75% of all Board meetings in a given financial year to enable the Board to discharge its responsibilities effectively (see table below). Voting and attendance proxies for Board meetings are prohibited at all times.

                    Meetings per year 75% Attendance requirement
                    4 3
                    5 4
                    6 5
                    7 5
                    8 6
                    9 7
                    10 8
                    January 2013

                  • HC-1.3.5

                    The absence of Board members at Board and committee meetings must be noted in the meeting minutes. In addition, Board attendance percentage must be reported during any general assembly meeting when board members stand for re-election (e.g. Board member XYZ attended 95% of scheduled meetings this year).

                    January 2013

                  • HC-1.3.6

                    In the event that a Board member has not attended at least 75% of Board meetings in any given financial year, the licensee must immediately notify the CBB indicating which member has failed to satisfy this requirement, his level of attendance and any mitigating circumstances affecting his non-attendance. The CBB shall then consider the matter and determine whether disciplinary action, including disqualification of that Board member pursuant to Article 65 of the CBB Law, is appropriate. Unless there are exceptional circumstances, it is likely that the CBB will take disciplinary action.

                    January 2013

                  • HC-1.3.7

                    To meet its obligations under Rule HC-1.3.3 above, the full Board should meet once every quarter to address the Board's responsibilities for management oversight and performance monitoring. Furthermore, Board rules should require members to step down if they are not actively participating in Board meetings. Board members are reminded that non attendance at board meetings does not absolve them of their responsibilities as directors. It is important that each individual director should allocate adequate time and effort to discharge his responsibilities. All directors are expected to contribute actively to the work of the Board in order to discharge their responsibilities and should make every effort to attend board meetings where major issues are to be discussed. Licensees are encouraged to amend their articles of association to provide for telephonic and videoconference meetings. Participation in board meetings by means of video or telephone conferencing is regarded as attendance and may be recorded as such.

                    January 2013

                  • HC-1.3.8

                    At least half the Board meetings of Bahraini licensees in any twelve-month period must be held in the Kingdom of Bahrain.

                    January 2013

                  • HC-1.3.9

                    All licensees are required to submit, on an annual basis, as an attachment to the year-end quarterly PIR, a report recording the meetings during the year by their Board of Directors. For a sample report, refer to Appendix BR-5.

                    Amended: October 2014
                    January 2013

                  • HC-1.3.10

                    The Chairman is responsible for the leadership of the Board, and for the efficient functioning of the Board. The chairman must ensure that all directors receive an agenda, minutes of prior meetings, and adequate background information in writing before each board meeting and when necessary between meetings. Therefore it is vital that the Chairman commit sufficient time to perform his role effectively. All directors must receive the same board information. At the same time, directors have a legal duty to inform themselves and they must ensure that they receive adequate and timely information and must study it carefully (See also HC-7 for other duties of the Chairman).

                    January 2013

                  • HC-1.3.11

                    The board should have no more than 15 members, and should regularly review its size and composition to ensure that it is small enough for efficient decision making yet large enough to have members who can contribute from different specialties and viewpoints. The board should recommend changes in board size to the shareholders when a needed change requires amendment of the licensee's Memorandum of Association.

                    Amended: October 2014
                    January 2013

                  • HC-1.3.12

                    Potential non-executive directors should be made aware of their duties before their nomination, particularly as to the time commitment required. The Nominating Committee should regularly review the time commitment required from each non-executive director and should require each non-executive director to inform the Committee before he accepts any board appointments to another licensee.

                    January 2013

                  • HC-1.3.13

                    No Board member may have a directorship in two financing companies in Bahrain. Licensees may approach the CBB for exemption from this limit where the directorships concern licensees or financial institutions within the same group.

                    January 2013

                  • HC-1.3.14

                    One person should not hold more than three directorships in public companies in Bahrain with the provision that no conflict of interest may exist, and the Board should not propose the election or reelection of any director who does.

                    January 2013

                • HC-1.4 HC-1.4 Independence of Judgment

                  • HC-1.4.1

                    Every director must bring independent judgment to bear in decision making. No individual or group of directors must dominate the board's decision-making and no one individual should have unfettered powers of decision.

                    January 2013

                  • HC-1.4.2

                    Executive directors must provide the board with all relevant business and financial information within their cognizance, and must recognise that their role as a director is different from their role as a member of management (see HC-2.3.2).

                    January 2013

                  • HC-1.4.3

                    Non-executive directors must be fully independent of management and must constructively scrutinise and challenge management including the management performance of executive directors.

                    January 2013

                  • HC-1.4.4

                    Where there is the potential for conflict of interest, or there is a need for impartiality, the Board must assign a sufficient number of independent Board members capable of exercising independent judgment.

                    January 2013

                  • HC-1.4.5

                    At least half of a licensee's board should be non-executive directors and at least three of those persons should be independent directors. (Note the exception for controlled companies in Paragraph HC-1.5.2.)

                    January 2013

                  • HC-1.4.6

                    The chairman of the board should be an independent director, so that there will be an appropriate balance of power and greater capacity of the board for independent decision making.

                    January 2013

                  • HC-1.4.7

                    The Chairman and/or Deputy Chairman must not be the same person as the Chief Executive Officer.

                    January 2013

                  • HC-1.4.8

                    The Chairman must not be an Executive Director.

                    January 2013

                  • HC-1.4.9

                    Where the Chairmanship concerns licensees within the same group, licensees may approach the CBB for an exemption from Paragraph HC-1.4.8.

                    January 2013

                  • HC-1.4.10

                    The board should review the independence of each director at least annually in light of interests disclosed by them, and their conduct. Each independent director shall provide the board with all necessary and updated information for this purpose.

                    January 2013

                  • HC-1.4.11

                    To facilitate free and open communication among independent directors, each board meeting should be preceded or followed with a session at which only independent directors are present, except as may otherwise be determined by the independent directors themselves.

                    January 2013

                  • HC-1.4.12

                    Where an independent director has served three consecutive terms on the board, such director will lose his/her independence status and must not be classified as an independent director if reappointed.

                    Added: January 2020

                  • HC-1.4.13

                    Where a Chief Executive Officer of a licensee, who is also a Board member, no longer occupies the CEO position, whether due to resignation, retirement or termination, his/her Board Membership must also be immediately terminated.

                    Added: January 2020

                • HC-1.5 HC-1.5 Representation of all Shareholders

                  • HC-1.5.1

                    Each director must consider himself as representing all shareholders and must act accordingly. The board must avoid having representatives of specific groups or interests within its membership and must not allow itself to become a battleground of vested interests. If the licensee has controllers (as defined by Module GR-5.2) (or a group of controllers acting in concert), the latter must recognise its or their specific responsibility to the other shareholders, which is direct and is separate from that of the board of directors.

                    January 2013

                  • HC-1.5.2

                    In licensees with a controller, at least one-third of the board must be independent directors. Minority shareholders must generally look to independent directors' diligent regard for their interests, in preference to seeking specific representation on the board.

                    January 2013

                  • HC-1.5.3

                    In licensees with controllers, both controllers and other shareholders should be aware of controllers' specific responsibilities regarding their duty of loyalty to the licensee and conflicts of interest (see Chapter HC-2) and also of rights that minority shareholders may have to elect specific directors under the Company Law or if the licensee has adopted cumulative voting for directors. The chairman of the board or other individual delegated by the chairman of the board should take the lead in explaining this with the help of the licensee's lawyers.

                    January 2013

                • HC-1.6 HC-1.6 Directors' Access to Independent Advice

                  • HC-1.6.1

                    The board must ensure by way of formal procedures that individual directors have access to independent legal or other professional advice at the licensee's expense whenever they judge this necessary to discharge their responsibilities as directors and this must be in accordance with the licensee's policy approved by the board.

                    January 2013

                  • HC-1.6.2

                    Individual directors must also have access to the licensee's corporate secretary, who must have responsibility for reporting to the board on board procedures. Both the appointment and removal of the corporate secretary must be a matter for the board as a whole, not for the CEO or any other officer.

                    January 2013

                  • HC-1.6.3

                    Whenever a director has serious concerns which cannot be resolved concerning the running of the licensee or a proposed action, he should consider seeking independent advice and should ensure that the concerns are recorded in the board minutes and that any dissent from a board action is noted or delivered in writing.

                    January 2013

                  • HC-1.6.4

                    Upon resignation, a non-executive director should provide a written statement to the chairman, for circulation to the board, if he has any concerns such as those in Paragraph HC-1.6.3.

                    January 2013

                • HC-1.7 HC-1.7 Directors' Communication with Management

                  • HC-1.7.1

                    The board must encourage participation by management regarding matters the board is considering, and also by management members who by reason of responsibilities or succession, the CEO believes should have exposure to the directors.

                    January 2013

                  • HC-1.7.2

                    Non-executive directors should have free access to the licensee's management beyond that provided in board meetings. Such access should be through the Chairman of the Audit Committee or CEO. The board should make this policy known to management to alleviate any management concerns about a director's authority in this regard.

                    January 2013

                • HC-1.8 HC-1.8 Committees of the Board

                  • HC-1.8.1

                    The board must establish Audit, Remuneration and Nominating Committees described elsewhere in this Module. For financing company licensees offering limited scope of activities, an Audit Committee is required at minimum.

                    Amended: July 2022
                    January 2013

                  • HC-1.8.2

                    The board should establish a corporate governance committee of at least three independent members which should be responsible for developing and recommending changes from time to time in the licensee's corporate governance policy framework.

                    January 2013

                  • HC-1.8.3

                    The board or a committee may invite non-directors to participate in, but not vote at, a committee's meetings so that the committee may gain the benefit of their advice and expertise in financial or other areas.

                    January 2013

                  • HC-1.8.4

                    Committees must act only within their mandates and therefore the board must not allow any committee to dominate or effectively replace the whole board in its decision-making responsibility.

                    January 2013

                  • HC-1.8.5

                    Committees may be combined provided that no conflict of interest might arise between the duties of such committees, subject to CBB prior approval.

                    January 2013

                  • HC-1.8.6

                    Every committee must have a formal written charter similar in form to the model charters which are set forth in Appendices A, B and C of this Module for the Audit, Nominating and Remuneration Committees.

                    January 2013

                  • HC-1.8.7

                    Where committees are set up, they should keep full minutes of their activities and meet regularly to fulfill their mandates. For larger licensees that deal with the general public, committees can be a more efficient mechanism to assist the main Board in its monitoring and control of the activities of the licensee. The establishment of committees should not mean that the role of the Board is diminished, or that the Board becomes fragmented.

                    January 2013

                • HC-1.9 HC-1.9 Evaluation of the Board and Each Committee

                  • HC-1.9.1

                    At least annually the board must conduct an evaluation of its performance and the performance of each committee and each individual director.

                    January 2013

                  • HC-1.9.2

                    The evaluation process must include:

                    (a) Assessing how the board operates, especially in light of Chapter HC-1;
                    (b) Evaluating the performance of each committee in light of its specific purposes and responsibilities, which shall include review of the self-evaluations undertaken by each committee;
                    (c) Reviewing each director's work, his attendance at board and committee meetings, and his constructive involvement in discussions and decision making;
                    (d) Reviewing the board's current composition against its desired composition with a view toward maintaining an appropriate balance of skills and experience and a view toward planned and progressive refreshing of the board; and
                    (e) Recommendations for new directors to replace long-standing members or those members whose contribution to the board or its committees (such as the audit committee) is not adequate.
                    January 2013

                  • HC-1.9.3

                    While the evaluation is a responsibility of the entire board, it should be organised and assisted by an internal board committee and, when appropriate, with the help of external experts.

                    January 2013

                  • HC-1.9.4

                    The board should report to the shareholders, at each annual shareholder meeting, that evaluations have been done and report its findings.

                    January 2013

              • HC-2 HC-2 Approved Persons Loyalty

                • HC-2.1 HC-2.1 Principle

                  • HC-2.1.1

                    The approved persons must have full loyalty to the licensee.

                    January 2013

                • HC-2.2 HC-2.2 Personal Accountability

                  • HC-2.2.1

                    Licensees are subject to a wide variety of laws, regulations and codes of best practice that directly affect the conduct of business. Such laws involve the Rulebook of the licensed exchange, the Labour Law, the Commercial Companies Law, occupational health and safety, even environment and pollution laws, as well as the Law, codes of conduct and regulations of the CBB (as amended from time to time). The Board sets the 'tone at the top' of a licensee, and has a responsibility to oversee compliance with these various requirements. The Board should ensure that the staff conduct their affairs with a high degree of integrity, taking note of applicable laws, codes and regulations.

                    January 2013

                  • Corporate Ethics, Conflicts of Interest and Code of Conduct

                    • HC-2.2.2

                      Each member of the board must understand that under the Company Law he is personally accountable to the licensee and the shareholders if he violates his legal duty of loyalty to the licensee, and that he can be personally sued by the licensee or the shareholders for such violations.

                      January 2013

                    • HC-2.2.3

                      The Board must establish corporate standards for approved persons and employees. This requirement should be met by way of a documented and published code of conduct or similar document. These standards must be communicated throughout the licensee, so that the approved persons and staff understand the importance of conducting business based on good corporate governance values and understand their accountabilities to the various stakeholders of the licensee. The licensee's approved persons and staff must be informed of and be required to fulfill their fiduciary responsibilities to the licensee's stakeholders.

                      January 2013

                    • HC-2.2.4

                      An internal code of conduct is separate from the business strategy of a licensee. A code of conduct should outline the practices that approved persons and staff should follow in performing their duties. Licensees may wish to use procedures and policies to complement their codes of conduct. The suggested contents of a code of conduct are covered below:

                      (a) Commitment by the Board and management to the code. The code of conduct should be linked to the objectives of the licensee, and its responsibilities and undertakings to customers, shareholders, staff and the wider community (see HC-2.2.3 and HC-2.2.4). The code should give examples or expectations of honesty, integrity, leadership and professionalism;
                      (b) Commitment to the law and best practice standards. This commitment would include commitments to following accounting standards, industry best practice (such as ensuring that information to clients is clear, fair, and not misleading), transparency, and rules concerning potential conflicts of interest (see HC-2.3);
                      (c) Employment practices. This would include rules concerning health and safety of employees, training, policies on the acceptance and giving of business courtesies, prohibition on the offering and acceptance of bribes, and potential misuse of licensee's assets;
                      (d) How the licensee deals with disputes and complaints from clients and monitors compliance with the code; and
                      (e) Confidentiality. Disclosure of client or licensee information should be prohibited, except where disclosure is required by law (see HC-1.2.10 b).
                      January 2013

                    • HC-2.2.5

                      The Central Bank expects that the Board and its members individually and collectively:

                      (a) Act with honesty, integrity and in good faith, with due diligence and care, with a view to the best interest of the licensee and its shareholders and other stakeholders (see Paragraphs HC-2.2.2 to HC-2.2.4);
                      (b) Act within the scope of their responsibilities (which should be clearly defined — see HC-1.2.9 and HC-1.2.11 and not participate in the day-to-day management of the licensee;
                      (c) Have a proper understanding of, and competence to deal with the affairs and products of the licensee and devote sufficient time to their responsibilities; and
                      (d) To independently assess and question the policies, processes and procedures of the licensee, with the intent to identify and initiate management action on issues requiring improvement. (i.e. to act as checks and balances on management).
                      January 2013

                    • HC-2.2.6

                      The duty of loyalty (mentioned in Paragraph HC-2.2.2 above) includes a duty not to use property of the licensee for his personal needs as though it was his own property, not to disclose confidential information of the licensee or use it for his personal profit, not to take business opportunities of the licensee for himself, not to compete in business with the licensee, and to serve the licensee's interest in any transactions with a licensee in which he has a personal interest.

                      January 2013

                    • HC-2.2.7

                      For purposes of Paragraph HC-2.2.6, an approved person should be considered to have a "personal interest" in a transaction with a licensee if:

                      (a) He himself; or
                      (b) A member of his family (i.e. spouse, father, mother, sons, daughters, brothers or sisters); or
                      (c) Another licensee of which he is a director or controller,

                      is a party to the transaction or has a material financial interest in the transaction. (Transactions and interests which are de minimis in value should not be included.)

                      January 2013

                • HC-2.3 HC-2.3 Avoidance of Conflicts of Interest

                  • HC-2.3.1

                    Each approved person must make every practicable effort to arrange his personal and business affairs to avoid a conflict of interest with the licensee.

                    January 2013

                  • HC-2.3.2

                    The Board must establish and disseminate to its members and management, policies for the identification, reporting, disclosure, prevention, or strict limitation of potential conflicts of interest. It is senior management's responsibility to implement these policies. Rules concerning connected party transactions and potential conflicts of interest may be dealt with in the Code of Conduct (see HC-2.2.4). In particular, the CBB requires that any decisions to enter into transactions, under which approved persons would have conflicts of interest that are material, should be formally and unanimously approved by the full Board. Best practice would dictate that an approved person must:

                    (a) Not enter into competition with the licensee;
                    (b) Not demand or accept substantial gifts from the licensee for himself or connected persons;
                    (c) Not misuse the licensee's assets;
                    (d) Not use the licensee's privileged information or take advantage of business opportunities to which the licensee is entitled, for himself or his associates; and
                    (e) Absent themselves from any discussions or decision-making that involves a subject where they are incapable of providing objective advice, or which involves a subject or (proposed) transaction where a conflict of interest exists.
                    Amended: January 2020
                    Added: January 2013

                  • HC-2.3.3

                    Licensees must have in place a board approved policy on the employment of relatives of approved persons and a summary of such policy must be disclosed in the annual report of the licensee.

                    April 2016

                • HC-2.4 HC-2.4 Disclosure of Conflicts of Interest

                  • HC-2.4.1

                    Each approved person must inform the entire board of (potential) conflicts of interest in their activities with, and commitments to other organisations as they arise. Board members must abstain from voting on the matter in accordance with the relevant provisions of the Company Law. This disclosure must include all material facts in the case of a contract or transaction involving the approved person. The approved persons must understand that any approval of a conflicted transaction is effective only if all material facts are known to the authorising persons and the conflicted person did not participate in the decision. In any case, all approved persons must declare in writing all of their other interests in other enterprises or activities (whether as a shareholder of above 5% of the voting capital of a licensee, a manager, or other form of significant participation) to the Board (or the Nominations or Audit Committees) on an annual basis.

                    January 2013

                  • HC-2.4.1A

                    The chief executive/general manager of the licensee must disclose to the board of directors on an annual basis relatives of any approved persons occupying controlled functions within the licensee.

                    April 2016

                  • HC-2.4.2

                    The board should establish formal procedures for:

                    (a) Periodic disclosure and updating of information by each approved person on his actual and potential conflicts of interest; and
                    (b) Advance approval by directors or shareholders who do not have an interest in the transactions in which a licensee's approved person has a personal interest. The board should require such advance approval in every case.
                    January 2013

                • HC-2.5 HC-2.5 Disclosure of Conflicts of Interest to Shareholders

                  • HC-2.5.1

                    The licensee must disclose to its shareholders in the Annual Report any abstention from voting motivated by a conflict of interest and must disclose to its shareholders any authorisation of a conflict of interest contract or transaction in accordance with the Company Law.

                    January 2013

              • HC-3 HC-3 Audit Committee and Financial Statements Certification

                • HC-3.1 HC-3.1 Principle

                  • HC-3.1.1

                    The Board must have rigorous controls for financial audit and reporting, internal control, and compliance with law.

                    January 2013

                • HC-3.2 HC-3.2 Audit Committee

                  • HC-3.2.1

                    The board must establish an audit committee of at least three directors of which the majority must be independent including the Chairman. The committee must:

                    (a) Review the licensee's accounting and financial practices;
                    (b) Review the integrity of the licensee's financial and internal controls and financial statements (particularly with reference to information passed to the Board — see HC-1.2.10). The information needs of the Board to perform its monitoring responsibilities must be defined in writing, and regularly monitored by the Audit Committee;
                    (c) Review the licensee's compliance with legal requirements;
                    (d) Recommend the appointment, compensation and oversight of the licensee's external auditor; and
                    (e) Recommend the appointment of the internal auditor.
                    January 2013

                  • HC-3.2.2

                    In its review of the systems and controls framework in Paragraph HC-3.2.1, the audit committee must:

                    (a) Make effective use of the work of external and internal auditors. The audit committee must ensure the integrity of the licensee's accounting and financial reporting systems through regular independent review (by internal and external audit). Audit findings must be used as an independent check on the information received from management about the licensee's operations and performance and the effectiveness of internal controls;
                    (b) Make use of self-assessments, stress/scenario tests, and/or independent judgments made by external advisors. The Board should appoint supporting committees, and engage senior management to assist the audit committee in the oversight of risk management; and
                    (c) Ensure that senior management have put in place appropriate systems of control for the business of the licensee and the information needs of the Board; in particular, there must be appropriate systems and functions for identifying as well as for monitoring risk, the financial position of the licensee, and compliance with applicable laws, regulations and best practice standards. The systems must produce information on a timely basis.
                    January 2013

                  • HC-3.2.3

                    The licensee must set up an internal audit function, which reports directly to the Audit Committee and administratively to the CEO.

                    January 2013

                  • HC-3.2.4

                    The CEO must not be a member of the audit committee.

                    January 2013

                • HC-3.3 HC-3.3 Audit Committee Charter

                  • HC-3.3.1

                    The audit committee must adopt a written charter which shall, at a minimum, state the duties outlined in Paragraph HC-3.2.1 and the other matters included in Appendix A to this Module.

                    January 2013

                  • HC-3.3.2

                    A majority of the audit committee must have the financial literacy qualifications stated in Appendix A.

                    January 2013

                  • HC-3.3.3

                    The board should adopt a "whistleblower" program under which employees can confidentially raise concerns about possible improprieties in financial or legal matters. Under the program, concerns may be communicated directly to any audit committee member or, alternatively, to an identified officer or employee who will report directly to the Audit Committee on this point.

                    January 2013

                • HC-3.4 HC-3.4 CEO and CFO Certification of Financial Statements

                  • HC-3.4.1

                    To encourage management accountability for the financial statements required by the directors, the licensee's CEO and chief financial officer must state in writing to the audit committee and the board as a whole that the licensee's interim and annual financial statements present a true and fair view, in all material respects, of the licensee's financial condition and results of operations in accordance with applicable accounting standards.

                    January 2013

              • HC-4 HC-4 Appointment, Training and Evaluation of the Board

                • HC-4.1 HC-4.1 Principle

                  • HC-4.1.1

                    The licensee must have rigorous and transparent procedures for appointment, training and evaluation of the Board.

                    January 2013

                • HC-4.2 HC-4.2 Nominating Committee

                  • HC-4.2.1

                    The board must establish a Nominating Committee of at least three directors which must:

                    (a) Identify persons qualified to become members of the board of directors or Chief Executive Officer, Chief Financial Officer, Corporate Secretary and any other officers of the licensee considered appropriate by the Board, with the exception of the appointment of the internal auditor which shall be the responsibility of the Audit Committee in accordance with Paragraph HC-3.2.1 above; and
                    (b) Make recommendations to the whole board of directors including recommendations of candidates for board membership to be included by the board of directors on the agenda for the next annual shareholder meeting.
                    January 2013

                  • HC-4.2.2

                    The committee should include only independent directors or, alternatively, only non-executive directors of whom a majority should be independent directors and the chairman should be an independent director. This is consistent with international best practice and it recognises that the Nominating Committee should exercise judgment free from personal career conflicts of interest.

                    January 2013

                • HC-4.3 HC-4.3 Nominating Committee Charter

                  • HC-4.3.1

                    The Nominating Committee must adopt a formal written charter which must, at a minimum, state the duties outlined in Paragraph HC-4.2.1 and the other matters included in Appendix B to this Module.

                    January 2013

                • HC-4.4 HC-4.4 Board Nominations to Shareholders

                  • HC-4.4.1

                    Each proposal by the board to the shareholders for election or reelection of a director must be accompanied by a recommendation from the board, a summary of the advice of the Nominating Committee, as applicable, and the following specific information:

                    (a) The term to be served, which may not exceed three years (but there need not be a limit on reelection for further terms);
                    (b) Biographical details and professional qualifications;
                    (c) In the case of an independent director, a statement that the board has determined that the criteria of independent director have been met;
                    (d) Any other directorships held;
                    (e) Particulars of other positions which involve significant time commitments; and
                    (f) Details of relationships between:
                    (i) The candidate and the licensee; and
                    (ii) The candidate and other directors of the licensee.
                    January 2013

                  • HC-4.4.2

                    The chairman of the board should confirm to shareholders when proposing re-election of a director that, following a formal performance evaluation, the person's performance continues to be effective and continues to demonstrate commitment to the role. Any term beyond six years (e.g. two three-year terms) for a director should be subject to particularly rigorous review, and should take into account the need for progressive refreshing of the board. Serving more than six years is relevant to the determination of a non-executive director's independence.

                    January 2013

                • HC-4.5 HC-4.5 Induction and Training of Directors

                  • HC-4.5.1

                    The chairman of the board must ensure that each new director receives a formal and tailored induction to ensure his contribution to the board from the beginning of his term. The induction must include:

                    (a) Meetings with senior management, internal and external auditors and legal counsel;
                    (b) Visits to the licensee's facilities; and
                    (c) Presentations regarding strategic plans, significant financial, accounting and risk management issues and compliance programs.
                    January 2013

                  • HC-4.5.2

                    All continuing directors must be invited to attend orientation meetings and all directors must continually educate themselves as to the licensee's business and corporate governance.

                    January 2013

                  • HC-4.5.3

                    Management, in consultation with the chairman of the board, should hold programs and presentations to directors respecting the licensee's business and industry, which may include periodic attendance at conferences and management meetings. The Nominating Committee shall oversee directors' corporate governance educational activities.

                    January 2013

              • HC-5 HC-5 Remuneration of Approved Persons

                • HC-5.1 HC-5.1 Principle

                  • HC-5.1.1

                    The licensee must remunerate approved persons fairly and responsibly.

                    January 2013

                • HC-5.2 HC-5.2 Remuneration Committee

                  • HC-5.2.1

                    The Board must establish a remuneration committee of at least three directors which must:

                    (a) Review the licensee's remuneration policies for the approved persons, which must be approved by the shareholders and be consistent with the corporate values and strategy of the licensee;
                    (b) Make recommendations regarding remuneration policies and amounts for approved persons to the whole board, taking account of total remuneration including salaries, fees, expenses and employee benefits; and
                    (c) Recommend Board member remuneration based on their attendance and performance.
                    January 2013

                  • HC-5.2.2

                    The committee may be merged with the nominating committee.

                    January 2013

                • HC-5.3 HC-5.3 Remuneration Committee Charter

                  • HC-5.3.1

                    The committee must adopt a written charter which must, at a minimum, state the duties in Paragraph HC-5.2.1 and other matters in Appendix C of this Module.

                    January 2013

                  • HC-5.3.2

                    The committee should include only independent directors or, alternatively, only non-executive directors of whom a majority are independent directors and the chairman is an independent director. This is consistent with international best practice and it recognises that the remuneration committee must exercise judgment free from personal career conflicts of interest.

                    January 2013

                • HC-5.4 HC-5.4 Standard for all Remuneration

                  • HC-5.4.1

                    Remuneration of approved persons must be sufficient enough to attract, retain and motivate persons of the quality needed to run the licensee successfully, but the licensee must avoid paying more than is necessary for that purpose.

                    January 2013

                  • Alignment of All Staff Remuneration with Compliance with AML/CFT Requirements

                    • HC-5.4.2

                      The performance evaluation and remuneration of senior management and staff of the licensee must be based on the achievement of the Key Performance Indicators (KPIs) relevant to ensuring compliance with AML/CFT requirements as specified in Paragraphs FC-2.1.3 and FC-2.1.4.

                      Added: April 2020

                • HC-5.5 HC-5.5 Non-Executive Directors' Remuneration

                  • HC-5.5.1

                    Remuneration of independent directors and non-executive directors must not include performance-related elements such as grants of shares, share options or other deferred stock-related incentive schemes, bonuses, or pension benefits.

                    January 2013

                • HC-5.6 HC-5.6 Senior Management's Remuneration

                  • HC-5.6.1

                    Remuneration of senior management must be structured so that a portion of the total is linked to the licensee's and individual's performance and aligns their interests with the interests of the shareholders.

                    January 2013

                  • HC-5.6.2

                    Such rewards may include grants of shares, share options and other deferred stock-related incentive schemes, bonuses, and pension benefits which are not based on salary.

                    January 2013

                  • HC-5.6.3

                    If a senior manager is also a director, his remuneration as a senior manager must take into account compensation received in his capacity as a director.

                    January 2013

                  • HC-5.6.4

                    All share incentive plans must be approved by the shareholders.

                    January 2013

                  • HC-5.6.5

                    All performance-based incentives should be awarded under written objective performance standards which have been approved by the board and are designed to enhance shareholder and the licensee's value, and under which shares should not vest and options should not be exercisable within less than two years of the date of award of the incentive.

                    January 2013

                  • HC-5.6.6

                    All policies for performance-based incentives should be approved by the shareholders, but the approval should be only of the plan itself and not of the grant to specific individuals of benefits under the plan.

                    January 2013

              • HC-6 HC-6 Management Structure

                • HC-6.1 HC-6.1 Principle

                  • HC-6.1.1

                    The board must establish a clear and efficient management structure.

                    January 2013

                • HC-6.2 HC-6.2 Establishment of Management Structure

                  • HC-6.2.1

                    The board must appoint senior management whose authority must include management and operation of current activities of the licensee, reporting to and under the direction of the board. The senior management must include at a minimum:

                    (a) A CEO;
                    (b) A chief financial officer;
                    (c) A corporate secretary;
                    (d) An internal auditor; and
                    (e) Compliance Officer/MLRO.
                    Amended: July 2022
                    January 2013

                • HC-6.3 HC-6.3 Titles, Authorities, Duties and Reporting Responsibilities

                  • HC-6.3.1

                    The board must adopt by-laws prescribing each senior manager's title, authorities, duties, accountabilities and internal reporting responsibilities. This must be done with the advice of the Nominating Committee and in consultation with the CEO, to whom the other senior managers should normally report.

                    January 2013

                  • HC-6.3.2

                    These provisions must include but should not be limited to the following:

                    (a) The CEO must have authority to act generally in the licensee's name, representing the licensee's interests in concluding transactions on the licensee's behalf and giving instructions to other senior managers and licensee employees;
                    (b) The chief financial officer must be responsible and accountable for:
                    (i) The complete, timely, reliable and accurate preparation of the licensee's financial statements, in accordance with the accounting standards and policies of the licensee (see also HC-3.4.1); and
                    (ii) Presenting the board with a balanced and understandable assessment of the licensee's financial situation;
                    (c) The corporate secretary's duties must include arranging, recording and following up on the actions, decisions and meetings of the Board and of the shareholders (both at annual and extraordinary meetings) in books to be kept for that purpose; and
                    (d) The internal auditor's duties must include providing an independent and objective review of the efficiency of the licensee's operations. This would include a review of the accuracy and reliability of the licensee's accounting records and financial reports as well as a review of the adequacy and effectiveness of the licensee's risk management, control, and governance processes.
                    January 2013

                  • HC-6.3.3

                    The board should also specify any limits which it wishes to set on the authority of the CEO or other senior managers, such as monetary maximums for transactions which they may authorise without separate board approval.

                    January 2013

                  • HC-6.3.4

                    The corporate secretary should be given general responsibility for reviewing the licensee's procedures and advising the board directly on such matters (see Rule HC-6.3.2(c)). Whenever practical, the corporate secretary should be a person with legal or similar professional experience and training.

                    January 2013

                  • HC-6.3.5

                    At least annually the board shall review and concur in a succession plan addressing the policies and principles for selecting a successor to the CEO, both in emergencies and in the normal course of business. The succession plan should include an assessment of the experience, performance, skills and planned career paths for possible successors to the CEO.

                    January 2013

                • HC-6.4 HC-6.4 Compliance

                  • HC-6.4.1

                    The CBB expects licensees to carry out a review of their compliance with the principles in this Module on a regular basis.

                    January 2013

              • HC-7 HC-7 Communication between Board and Shareholders

                • HC-7.1 HC-7.1 Principle

                  • HC-7.1.1

                    The licensee must communicate with shareholders, encourage their participation, and respect their rights.

                    January 2013

                • HC-7.2 HC-7.2 Conduct of Shareholders' Meetings

                  • HC-7.2.1

                    The board must observe both the letter and the intent of the Company Law's requirements for shareholder meetings. Among other things:

                    (a) Notices of meetings must be honest, accurate and not misleading. They must clearly state and, where necessary, explain the nature of the business of the meeting;
                    (b) Meetings must be held during normal business hours and at a place convenient for the greatest number of shareholders to attend;
                    (c) Notices of meetings must encourage shareholders to attend shareholder meetings and, if not possible, to allow shareholders to participate by proxy and must refer to procedures for appointing a proxy and for directing the proxy how to vote on a particular resolution. The proxy agreement must list the agenda items and must specify the vote (such as "yes," "no" or "abstain);
                    (d) Notices must ensure that all material information and documentation is provided to shareholders on each agenda item for any shareholder meeting, including but not limited to any recommendations or dissents of directors;
                    (e) The board must propose a separate resolution at any meeting on each substantially separate issue, so that unrelated issues are not "bundled" together;
                    (f) In meetings where directors are to be elected or removed the board must ensure that each person is voted on separately, so that the shareholders can evaluate each person individually;
                    (g) The chairman of the meeting must encourage questions from shareholders, including questions regarding the licensee's corporate governance guidelines;
                    (h) The minutes of the meeting must be made available to shareholders upon their request as soon as possible but not later than 30 days after the meeting; and
                    (i) Disclosure of all material facts must be made to the shareholders by the Chairman prior to any vote by the shareholders.
                    January 2013

                  • HC-7.2.2

                    The licensee should require all directors to attend and be available to answer questions from shareholders at any shareholder meeting and, in particular, ensure that the chairs of the audit, remuneration and nominating committees are ready to answer appropriate questions regarding matters within their committee's responsibility (it being understood that confidential and proprietary business information may be kept confidential).

                    January 2013

                  • HC-7.2.3

                    The licensee should require its external auditor to attend the annual shareholders' meeting and be available to answer shareholders' questions concerning the conduct and conclusions of the audit.

                    January 2013

                  • HC-7.2.3A

                    Licensees must provide to the CBB, for its review and comment, at least 5 business days prior to communicating with the shareholders or publishing in the press, the draft agenda for any shareholders' meetings referred to in Paragraph HC-7.2.3C.

                    Amended: July 2017
                    April 2016

                  • HC-7.2.3B

                    Licensees must ensure that any agenda items to be discussed or presented during the course of meetings which require the CBB's prior approval, have received the necessary approval, prior to the meeting taking place.

                    April 2016

                  • HC-7.2.3C

                    The licensee must invite a representative of the CBB to attend any shareholders' meetings (i.e. ordinary and extraordinary general assembly) taking place. The invitation must be provided to the CBB at least 5 business days prior to the meeting taking place.

                    April 2016

                  • HC-7.2.3D

                    Within a maximum of 15 calendar days of any shareholders' meetings referred to in Paragraph HC-7.2.3C, the licensee must provide to the CBB a copy of the minutes of the meeting.

                    April 2016

                  • HC-7.2.4

                    A licensee should maintain a website. The licensee should dedicate a specific section of its website to describing shareholders' rights to participate and vote at each shareholders' meeting, and should post significant documents relating to meetings including the full text of notices and minutes. The licensee may also consider establishing an electronic means for shareholders' communications including appointment of proxies. For confidential information, the licensee should grant a controlled access to such information to its shareholders.

                    January 2013

                  • HC-7.2.5

                    In notices of meetings at which directors are to be elected or removed the licensee should ensure that:

                    (a) Where the number of candidates exceeds the number of available seats, the notice of the meeting should explain the voting method by which the successful candidates will be selected and the method to be used for counting of votes; and
                    (b) The notice of the meeting should present a factual and objective view of the candidates so that shareholders may make an informed decision on any appointment to the board.
                    January 2013

                • HC-7.3 HC-7.3 Direct Shareholder Communication

                  • HC-7.3.1

                    The chairman of the board (and other directors as appropriate) must maintain continuing personal contact with controllers to solicit their views and understand their concerns. The chairman must ensure that the views of shareholders are communicated to the board as a whole. The chairman must discuss governance and strategy with controllers. Given the importance of market monitoring to enforce the "comply or explain" approach of this Module, the board should encourage shareholders to help in evaluating the licensee's corporate governance (see also HC-1.2 and 1.3 for other duties of the Chairman).

                    January 2013

                • HC-7.4 HC-7.4 Controllers

                  • HC-7.4.1

                    In licensees with one or more controllers, the chairman and other directors must actively encourage the controllers to make a considered use of their position and to fully respect the rights of minority shareholders (see also HC-1.2 and 1.3 for other duties of the Chairman).

                    January 2013

              • HC-8 HC-8 Corporate Governance Disclosure

                • HC-8.1 HC-8.1 Principle

                  • HC-8.1.1

                    The licensee must disclose its corporate governance.

                    January 2013

                • HC-8.2 HC-8.2 Disclosure under the Company Law and CBB Requirements

                  • HC-8.2.1

                    In each licensee:

                    (a) The board must adopt written corporate governance guidelines covering the matters stated in this Module and Module PD and other corporate governance matters deemed appropriate by the board. Such guidelines must include or refer to the principles and rules of Module HC;
                    (b) The licensee must publish the guidelines on its website, if it has a website;
                    (c) At each annual shareholders' meeting the board must report on the licensee's compliance with its guidelines and Module HC, and explain the extent if any to which it has varied them or believes that any variance or noncompliance was justified; and
                    (d) At each annual shareholders' meeting the board must also report on further items listed in Module PD. Such information should be maintained on the licensee's website or held at the licensee's premises on behalf of the shareholders.
                    Amended: January 2014
                    January 2013

                  • HC-8.2.2

                    [This Paragraph was deleted in January 2014]

                    Deleted: January 2014

                  • Board's Responsibility for Disclosure

                    • HC-8.2.3

                      The Board must oversee the process of disclosure and communications with internal and external stakeholders. The Board must ensure that disclosures made by the licensee are fair, transparent, comprehensive and timely and reflect the character of the licensee and the nature, complexity and risks inherent in the licensee's business activities. Disclosure policies must be reviewed for compliance with the CBB's disclosure requirements (see Chapter PD-1).

                      January 2013

              • HC-9 HC-9 Shari'a Compliant Business

                • HC-9.1 HC-9.1 Principle

                  • HC-9.1.1

                    Companies which refer to themselves as "Islamic" must follow the principles of Islamic Shari'a.

                    January 2013

                • HC-9.2 HC-9.2 Governance and Disclosure per Shari'a Principles

                  • HC-9.2.1

                    Licensees which are guided by the principles of Islamic Shari'a have additional responsibilities to their stakeholders. Licensees which refer to themselves as "Islamic" are subject to additional governance requirements and disclosures to provide assurance to stakeholders that they are following Shari'a Principles. In ensuring compliance with Shari'a principles, each licensee must establish a Shari'a Supervisory Board consisting of at least three Shari'a scholars.

                    January 2013

                  • HC-9.2.2

                    In addition to its duties outlined in Chapter HC-3 and Appendix A, the Audit Committee shall communicate and co-ordinate with the licensee's Corporate Governance Committee and the Shari'a Supervisory Board ("SSB") (where applicable) to ensure that information on compliance with Islamic Shari'a rules and principles is reported in a timely manner.

                    January 2013

                  • HC-9.2.3

                    The Board shall set up a Corporate Governance Committee (see also Paragraph HC-1.8.2). In this case, the Committee shall comprise at least three members to coordinate and integrate the implementation of the governance policy framework.

                    January 2013

                  • HC-9.2.4

                    The Corporate Governance Committee established under Chapter HC-9 shall comprise at a minimum of:

                    (a) An independent director to chair the Corporate Governance Committee. The Chairman of the Corporate Governance Committee should not only possess the relevant skills, such as the ability to read and understand financial statements, but should also be able to coordinate and link the complementary roles and functions of the Corporate Governance Committee and the Audit Committee;
                    (b) A Shari'a scholar who is an SSB member for the purpose of leading the Corporate Governance Committee on Shari'a-related governance issues (if any), and also to coordinate and link the complementary roles and functions of the Corporate Governance Committee and the SSB; and
                    (c) An independent director who can offer different skills to the committee, such as legal expertise and business proficiency, which are considered particularly relevant by the Board of directors for cultivating a good corporate governance culture, and deemed "fit and proper" by the CBB.
                    January 2013

                  • HC-9.2.5

                    The Corporate Governance Committee shall be empowered to:

                    (a) Oversee and monitor the implementation of the governance policy framework by working together with the management, the Audit Committee and the SSB; and
                    (b) Provide the Board of directors with reports and recommendations based on its findings in the exercise of its functions.
                    January 2013

              • Appendix A Appendix A Audit Committee

                • Committee Duties

                  The Committee's duties shall include those stated in Paragraph HC-3.2.1.

                  January 2013

                • Committee Membership and Qualifications

                  The Committee shall have at least three members. Such members must have no conflict of interest with any other duties they have for the licensee.

                  A majority of the members of the committee including the Chairman shall be independent directors.

                  The CEO must not be a member of this committee.

                  The committee members must have sufficient technical expertise to enable the committee to perform its functions effectively. Technical expertise means that members must have recent and relevant financial ability and experience, which includes:

                  (a) An ability to read and understand corporate financial statements including a licensee's balance sheet, income statement and cash flow statement and changes in shareholders' equity;
                  (b) An understanding of the accounting principles which are applicable to the licensee's financial statements;
                  (c) Experience in evaluating financial statements that have a level of accounting complexity comparable to that which can be expected in the licensee's business;
                  (d) An understanding of internal controls and procedures for financial reporting; and
                  (e) An understanding of the audit committee's controls and procedures for financial reporting.
                  January 2013

                • Committee Duties and Responsibilities

                  In serving those duties, the Committee shall:

                  (a) Be responsible for the selection, appointment, remuneration, oversight and termination where appropriate of the external auditor, subject to ratification by the licensee's board and shareholders. The external auditor shall report directly to the committee;
                  (b) Make a determination at least once each year of the external auditor's independence, including:
                  (i) Determining whether its performance of any non-audit services compromised its independence (the committee may establish a formal policy specifying the types of non-audit services which are permissible) and;
                  (ii) Obtaining from the external auditor a written report listing any relationships between the external auditor and the licensee or with any other person or entity that may compromise the auditor's independence;
                  (c) Review and discuss with the external auditor the scope and results of its audit, any difficulties the auditor encountered including any restrictions on its access to requested information and any disagreements or difficulties encountered with management;
                  (d) Review and discuss with management and the external auditor each annual and each quarterly financial statements of the licensee including judgments made in connection with the financial statements;
                  (e) Review and discuss and make recommendations regarding the selection, appointment and termination where appropriate of the head of internal audit and head of compliance and the budget allocated to the internal audit and compliance function, and monitor the responsiveness of management to the committee's recommendations and findings;
                  (f) Review and discuss the activities, performance and adequacy of the licensee's internal auditing and compliance personnel and procedures and its internal controls and compliance procedures, risk management systems, and any changes in those;
                  (g) Oversee the licensee's compliance with legal and regulatory requirements, codes and business practices, and ensure that the licensee communicates with shareholders and relevant stakeholders (internal and external) openly and promptly, and with substance of compliance prevailing over form;
                  (h) Review and discuss possible improprieties in financial reporting or other matters, and ensure that arrangements are in place for independent investigation and follow-up regarding such matters;
                  (i) The committee must monitor rotation arrangements for audit engagement partners. The audit committee must monitor the performance of the external auditor and the non-audit services provided by the external auditor; and
                  (j) The review and supervision of the implementation of, enforcement of and adherence to the licensee's code of conduct.
                  January 2013

                • Committee Structure and Operations

                  The committee shall elect one member as its chair.

                  The committee shall meet at least four times a year. Its meetings may be scheduled in conjunction with regularly-scheduled meetings of the entire board.

                  The committee may meet without any other director or any officer of the licensee present. Only the committee may decide if a non-member of the committee should attend a particular meeting or a particular agenda item. Non-members who are not directors of the licensee may attend to provide their expertise, but may not vote. It is expected that the external auditor's lead representative will be invited to attend regularly but that this shall always be subject to the committee's decision.

                  The committee must meet with the external auditor at least twice per year, and at least once per year in the absence of any members of executive management.

                  The committee shall report regularly to the full board on its activities.

                  January 2013

                • Committee Resources and Authority

                  The committee shall have the resources and authority necessary for its duties and responsibilities, including the authority to select, retain, terminate and approve the fees of outside legal, accounting or other advisors as it deems necessary or appropriate, without seeking the approval of the board or management. The licensee shall provide appropriate funding for the compensation of any such persons.

                  January 2013

                • Committee Performance Evaluation

                  The committee shall prepare and review with the board an annual performance evaluation of the committee, which shall compare the committee's performance with the above requirements and shall recommend to the board any improvements deemed necessary or desirable to the committee's charter. The report must be in the form of a written report provided at any regularly scheduled board meeting.

                  January 2013

              • Appendix B Appendix B Nominating Committee

                • Committee Duties

                  The committee's duties shall include those stated in Paragraph HC-4.2.1.

                  January 2013

                • Committee Duties and Responsibilities

                  In serving those duties with respect to board membership:

                  (a) The committee shall make recommendations to the board from time to time as to changes the committee believes to be desirable to the size of the board or any committee of the board;
                  (b) Whenever a vacancy arises (including a vacancy resulting from an increase in board size), the committee shall recommend to the board a person to fill the vacancy either through appointment by the board or through shareholder election;
                  (c) In performing the above responsibilities, the committee shall consider any criteria approved by the board and such other factors as it deems appropriate. These may include judgment, specific skills, experience with other comparable businesses, the relation of a candidate's experience with that of other board members, and other factors;
                  (d) The committee shall also consider all candidates for board membership recommended by the shareholders and any candidates proposed by management;
                  (e) The committee shall identify board members qualified to fill vacancies on any committee of the board and recommend to the board that such person appoint the identified person(s) to such committee; and
                  (f) Assuring that plans are in place for orderly succession of senior management.

                  In serving those purposes with respect to officers the committee shall:

                  (a) Make recommendations to the board from time to time as to changes the committee believes to be desirable in the structure and job descriptions of the officers including the CEO, and prepare terms of reference for each vacancy stating the job responsibilities, qualifications needed and other relevant matters including integrity, technical and managerial competence, and experience;
                  (b) Overseeing succession planning and replacing key executives when necessary, and ensuring appropriate resources are available, and minimising reliance on key individuals;
                  (c) Design a plan for succession and replacement of officers including replacement in the event of an emergency or other unforeseeable vacancy; and
                  (d) If charged with responsibility with respect to licensee's corporate governance guidelines, the committee shall develop and recommend to the board corporate governance guidelines, and review those guidelines at least once a year.
                  January 2013

                • Committee Structure and Operations

                  The committee shall elect one member as its chair.

                  The committee shall meet at least twice a year. Its meetings may be scheduled in conjunction with regularly-scheduled meetings of the entire board.

                  January 2013

                • Committee Resources and Authority

                  The committee shall have the resources and authority necessary for its duties and responsibilities, including the authority to select, retain, terminate and approve the fees of outside legal, consulting or search firms used to identify candidates, without seeking the approval of the board or management. The licensee shall provide appropriate funding for the compensation of any such persons.

                  January 2013

                • Performance Evaluation

                  The committee shall preview and review with the board an annual performance evaluation of the committee, which shall compare the committee's performance with the above requirements and shall recommend to the board any improvements deemed necessary or desirable to the committee's charter. The report must be in the form of a written report provided at any regularly scheduled board meeting.

                  January 2013

              • Appendix C Appendix C Remuneration Committee

                • Committee Duties

                  The committee's duties shall include those stated in Paragraph HC-5.2.1.

                  January 2013

                • Committee Duties and Responsibilities

                  In serving those duties the committee shall consider, and make specific recommendations to the board on, both remuneration policy and individual remuneration packages for the CEO and other senior managers. This remuneration policy should cover at least:

                  (a) The following components:
                  (i) Salary;
                  (ii) The specific terms of performance-related plans including any stock compensation, stock options, or other deferred-benefit compensation;
                  (iii) Pension plans;
                  (iv) Fringe benefits such as non-salary perks; and
                  (v) Termination policies including any severance payment policies; and
                  (b) Policy guidelines to be used for determining remuneration in individual cases, including on:
                  (i) The relative importance of each component noted in a) above;
                  (ii) Specific criteria to be used in evaluating a senior manager's performance.

                  The committee shall evaluate the CEO's and senior management's performance in light of the licensee's corporate goals, agreed strategy, objectives and business plans and may consider the licensee's performance and shareholder return relative to comparable licensees, the value of awards to CEOs at comparable licensees, and awards to the CEO in past years.

                  The committee should also be responsible for retaining and overseeing outside consultants or firms for the purpose of determining approved persons' remuneration, administering remuneration plans, or related matters.

                  January 2013

                • Committee Structure and Operations

                  The committee shall elect one member as its chair.

                  The committee shall meet at least twice a year. Its meetings may be scheduled in conjunction with regularly-scheduled meetings of the entire board.

                  January 2013

                • Committee Resources and Authority

                  The committee shall have the resources and authority necessary for its duties and responsibilities, including the authority to select, retain, terminate and approve the fees of outside legal, consulting or compensation firms used to evaluate the compensation of directors, the CEO or other approved persons, without seeking the approval of the board or management. The licensee shall provide appropriate funding for the compensation of any such persons.

                  January 2013

                • Performance Evaluation

                  The committee shall preview and review with the board an annual performance evaluation of the committee, which shall compare the committee's performance with the above requirements and shall recommend to the board any improvements deemed necessary or desirable to the committee's charter. The report must be in the form of a written report provided at any regularly scheduled board meeting.

                  January 2013

              • Appendix D Corporate Governance Disclosure to Shareholders

                [The requirements of this Appendix were moved to Module PD in January 2014]

                Deleted: January 2014

            • GR GR Financing Companies General Requirements Module

              • GR-A GR-A Introduction

                • GR-A.1 GR-A.1 Purpose

                  • Executive Summary

                    • GR-A.1.1

                      The General Requirements Module presents a variety of different requirements that are not extensive enough to warrant their own stand-alone Module, but for the most part are generally applicable. These include general requirements on books and records, the use of corporate and trade names; on the distribution of dividends; on controllers; and on suspension of business. Each set of requirements is contained in its own Chapter.

                      January 2013

                  • Legal Basis

                    • GR-A.1.2

                      This Module contains the Central Bank of Bahrain ('CBB') Directive (as amended from time to time) regarding general requirements applicable to financing company licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Module also contains requirements prescribed under Resolution No.(43) of 2011 governing the conditions of granting a license for the provision of regulated services and is issued under the powers available to the CBB under Article 44(c). Requirements regarding controllers (see Chapter GR-5) are also included in Regulations, to be issued by the CBB.

                      January 2013

                    • GR-A.1.3

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

                      January 2013

                • GR-A.2 GR-A.2 Module History

                  • Evolution of Module

                    • GR-A.2.1

                      This Module was first issued in January 2013 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      January 2013

                    • GR-A.2.2

                      A list of recent changes made to this Module is detailed in the table below:

                      Module Ref. Change Date Description of Changes
                      GR-1.1.3 04/2013 Corrected reference to 'transaction' records.
                      GR-6.1.8 10/2016 Added an additional requirement for cessation of business to be consistent with other Volumes of the CBB Rulebook.
                      GR-4.1.7 01/2017 Consistency of notification timeline rule on controllers with other Volumes of the CBB Rulebook.
                      GR-1.2.1 07/2017 Amended paragraph according to the Legislative Decree No. (28) of 2002.
                      GR-1.2.2 07/2017 Deleted paragraph.
                      GR-3.1.3 10/2017 Amended paragraph and changed from Guidance to Rule.
                      GR-4.1.1A 04/2019 Added a new Paragraph on exposures to controllers.
                      GR-4.1.1B 04/2019 Added a new Paragraph on exposures to controllers.
                      GR-1.2.1 01/2020 Amended Paragraph.
                      GR-6.1.8 04/2020 Amended Paragraph.
                      GR-7 01/2021 Added a new Chapter on Prepaid Cards.
                      GR-2.1.1 01/2022 Amended Paragraph on change of licensee corporate and legal name.
                      GR-2.1.2 01/2022 Amended Paragraph to refer to change in legal name.
                      GR-4.3.3 – GR-4.3.4 07/2022 Amended Paragraphs on suitability and controllers.
                      GR-4.3.4A 07/2022 Added a new Paragraph on the exemption of licensees offering limited scope of activities from certain requirements.

              • GR-B GR-B Scope of Application

                • GR-B.1 GR-B.1 Financing Company Licensees

                  • GR-B.1.1

                    The requirements in Module GR (General Requirements) apply to all financing company licensees, thereafter referred to in this Module as licensees.

                    January 2013

              • GR-1 GR-1 Books and Records

                • GR-1.1 GR-1.1 General Requirements

                  • GR-1.1.1

                    In accordance with Article 59 of the CBB Law, all licensees must maintain books and records (whether in electronic or hard copy form) sufficient to produce financial statements and show a complete record of the business undertaken by a licensee. These records must be retained for at least ten years according to Article 60 of the CBB Law.

                    January 2013

                  • GR-1.1.2

                    GR-1.1.1 includes accounts, books, files and other records (e.g. trial balance, general ledger, nostro/vostro statements, reconciliations, list of counterparties). It also includes records that substantiate the value of the assets, liabilities and off-balance sheet activities of the licensee (e.g. client activity files and valuation documentation).

                    January 2013

                  • GR-1.1.3

                    Separately, Bahrain Law currently requires other transaction records to be retained for at least five years (see Ministerial Order No. 23 of 2002, Article 5(2), made pursuant to the Amiri Decree Law No. 4 of 2001).

                    Amended: April 2013
                    January 2013

                  • GR-1.1.4

                    Unless otherwise agreed to by the CBB in writing, records must be kept in either English or Arabic. Any records kept in languages other than English or Arabic must be accompanied by a certified English or Arabic translation. Records must be kept current. The records must be sufficient to allow an audit of the licensee's business or an on-site examination of the licensee by the CBB.

                    January 2013

                  • GR-1.1.5

                    Translations produced in compliance with Rule GR-1.1.4 may be undertaken in-house, by an employee or contractor of the licensee, provided they are certified by an appropriate officer of the licensee.

                    January 2013

                  • GR-1.1.6

                    Records must be accessible at any time from within the Kingdom of Bahrain, or as otherwise agreed with the CBB in writing.

                    January 2013

                  • GR-1.1.7

                    Where older records have been archived, the CBB may accept that records be accessible within a reasonably short time frame (e.g. within 5 business days), instead of immediately. The CBB may also agree similar arrangements where elements of record retention and management have been centralised in another group company, whether inside or outside of Bahrain.

                    January 2013

                  • GR-1.1.8

                    Paragraphs GR-1.1.1 to GR-1.1.7 apply to licensees, with respect to all business activities.

                    January 2013

                • GR-1.2 GR-1.2 Transaction Records

                  • GR-1.2.1

                    Licensees must keep completed transaction records for as long as they are relevant for the purposes for which they were made (with a minimum period in all cases of five years from the date when the transaction was terminated). Records of terminated transactions must be kept whether in hard copy or electronic format as per the Legislative Decree No. (54) of 2018 with respect to Electronic Transactions “The Electronic Communications and Transactions Law” and its amendments.

                    Amended: January 2020
                    Amended: July 2017
                    Added: January 2013

                  • GR-1.2.2

                    [This Paragraph has been deleted in July 2017].

                    Deleted: July 2017
                    January 2013

                  • GR-1.2.3

                    Rule GR-1.2.1 applies only to transactions relating to business booked in Bahrain by the licensee.

                    January 2013

                • GR-1.3 GR-1.3 Other Records

                  • Corporate Records

                    • GR-1.3.1

                      Licensees must maintain the following records in original form or in hard copy at their premises in Bahrain:

                      (a) Internal policies, procedures and operating manuals;
                      (b) Corporate records, including minutes of shareholders', Directors' and management meetings;
                      (c) Correspondence with the CBB and records relevant to monitoring compliance with CBB requirements;
                      (d) Reports prepared by the licensee's internal and external auditors; and
                      (e) Employee training manuals and records.
                      January 2013

                    • GR-1.3.2

                      [This Paragraph is intentionally left blank].

                      Added: April 2013

                  • Customer Records

                    • GR-1.3.3

                      Record-keeping requirements with respect to customer records, including customer identification and due diligence records, are contained in Module FC (Financial Crime).

                      January 2013

                  • Promotional Schemes

                    • GR-1.3.4

                      Licensees must maintain all materials related to promotional schemes as outlined in Section BC-1.1 for a minimum period of 5 years.

                      January 2013

              • GR-2 GR-2 Corporate and Trade Names

                • GR-2.1 GR-2.1 Vetting of Names

                  • GR-2.1.1

                    Licensees must obtain CBB’s prior written approval for any change in their legal name. Licensees must notify the CBB of any change in their corporate name at least one week prior to effecting the proposed change.

                    Amended: January 2022
                    Added: January 2013

                  • GR-2.1.2

                    In approving a change to a legal name, the CBB seeks to ensure that it is sufficiently distinct as to reduce possible confusion with other unconnected businesses, particularly those operating in the financial services sector. The CBB also seeks to ensure that names used by unregulated subsidiaries do not suggest those subsidiaries are in fact regulated.

                    Amended: January 2022
                    Added: January 2013

                • GR-2.2 GR-2.2 Publication of Documents by the Licensee

                  • GR-2.2.1

                    Any written communication, including stationery, business cards or other business documentation published by the licensee, or used by its employees must include a statement that the licensee is regulated by the Central Bank of Bahrain, the type of license and the legal status.

                    January 2013

              • GR-3 GR-3 Dividends

                • GR-3.1 GR-3.1 CBB Non-Objection

                  • GR-3.1.1

                    Licensees must obtain a letter of no-objection from the CBB to any dividend proposed, before announcing the proposed dividend by way of press announcement or any other means of communication and prior to submitting a proposal for a distribution of profits to a shareholder vote.

                    January 2013

                  • GR-3.1.2

                    The CBB will grant a no-objection letter where it is satisfied that the level of dividend proposed is unlikely to leave the licensee vulnerable — for the foreseeable future — to breaching the CBB's capital requirements, taking into account (as appropriate) the licensee's liquidity, the adequacy of provisions against impaired credit facilities or other assets and the level of realised gains in reported profits.

                    January 2013

                  • GR-3.1.3

                    To facilitate the prior approval required under Paragraph GR-3.1.1, licensees must provide the CBB with:

                    (a) The licensee's intended percentage and amount of proposed dividends for the coming year;
                    (b) A letter of no objection from the licensee's external auditor on such profit distribution; and
                    (c) A detailed analysis of the impact of the proposed dividend on the capital adequacy requirements outlined in Module CA (Capital Adequacy) and the liquidity position of the licensee.
                    Amended: October 2017
                    January 2013

              • GR-4 GR-4 Controllers

                • GR-4.1 GR-4.1 Key Provisions

                  • GR-4.1.1

                    Licensees must obtain prior approval from the CBB for any of the following changes to their controllers (as defined in Section GR-4.2 and subject to the limits as outlined in GR-4.3):

                    (a) A new controller;
                    (b) An existing controller increasing its holding from below 20% to 20%;
                    (c) An existing controller increasing its holding from above 20% to 30%;
                    (d) An existing controller increasing its holding above 30% to 40%; or
                    (e) An existing controller increasing its holding above 40%.
                    January 2013

                  • GR-4.1.1A

                    Licensees must not incur or otherwise have an exposure (either directly or indirectly) to their controllers, including subsidiaries and associated companies of such controllers.

                    Added: April 2019

                  • GR-4.1.1B

                    For the purpose of Paragraph GR-4.1.1A, licensees that already have an exposure to controllers must have an action plan agreed with the CBB's supervisory point of contact to address such exposures within a timeline agreed with the CBB.

                    Added: April 2019

                  • GR-4.1.2

                    Condition 3 of the CBB's licensing conditions specifies, among other things, that licensees must satisfy the CBB that their controllers are suitable and pose no undue risks to the licensee (See Paragraph AU-2.3.1). There are also certain procedures which are set out in Articles 52 to 56 of the CBB Law on controllers. Licensees and their controllers must also observe the CBB's Capital Markets requirements in respect of changes in holdings of shares of listed companies.

                    January 2013

                  • GR-4.1.3

                    Applicants for a license must provide details of their controllers, by submitting a duly completed Form 2 (Application for Authorisation of Controller). (See sub-Paragraph AU-4.1.4(a)).

                    January 2013

                  • GR-4.1.4

                    There are strict limits on changes in the holdings of shares held by controllers in licensees or the extent of voting control exercised by controllers in licensees. These limits are outlined in Section GR-4.3. Failure to observe these limits may lead to imposition of enforcement provisions of the Rulebook on the licensee and other penalties on the controller under the provisions of the CBB Law as outlined in Paragraph GR-4.1.2, including loss of voting power or transfer of shares.

                    January 2013

                  • GR-4.1.5

                    Where a controller is a legal person, any change in its shareholding must be notified to the CBB at the earlier of:

                    (a) When the change takes effect; and
                    (b) When the controller becomes aware of the proposed change.
                    January 2013

                  • GR-4.1.6

                    For approval under Paragraph GR-4.1.1 to be granted, the CBB must be satisfied that the proposed controller or increase in control poses no undue risks to the licensee. The CBB will therefore consider or reconsider the criteria outlined in Paragraphs GR-4.3.6 to GR-4.3.8 in any request for approval. The CBB may impose any restrictions that it considers necessary to be observed in case of its approval of a new controller, or any of the changes listed to existing controllers in Paragraph GR-4.1.1. These restrictions will include the applicable maximum allowed limit of holding or control (as outlined in Section GR-4.3). A duly completed Form 2 (Controllers) must be submitted as part of the request for a change in controllers. An approval of controller will specify the applicable period for effecting the proposed acquisition of shares.

                    January 2013

                  • GR-4.1.7

                    If, as a result of circumstances outside the licensee's knowledge and/or control, one of the changes specified in Paragraph GR-4.1.1 is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB no later than 15 calendar days from the date on which those changes have occurred.

                    Amended: January 2017
                    January 2013

                  • GR-4.1.8

                    The approval provisions outlined above do not apply to existing holdings or existing voting control by controllers already approved by the CBB. The approval provisions apply to new/prospective controllers or to increases in existing holdings/voting control as outlined in Paragraph GR-4.1.1.

                    January 2013

                  • GR-4.1.9

                    Licensees are required to notify the CBB as soon as they become aware of events that are likely to lead to changes in their controllers. The criteria by which the CBB assesses the suitability of controllers are set out in Section GR-4.3. The CBB aims to respond to requests for approval within 30 calendar days and is obliged to reply within 3 months to a request for approval. The CBB may contact references and supervisory bodies in connection with any information provided to support an application for controller. The CBB may also ask for further information, in addition to that provided in Form 2, if required to satisfy itself as to the suitability of the applicant.

                    January 2013

                  • GR-4.1.10

                    Licensees must submit, within 3 months of their financial year-end, a report on their controllers (See Subparagraph BR-1.1.2(f)). This report must identify all controllers of the licensee, as defined in Section GR-4.2 and the extent of their shareholding interests.

                    January 2013

                • GR-4.2 GR-4.2 Definition of Controller

                  • GR-4.2.1

                    A controller of a licensee is a natural or legal person who either alone, or with his associates:

                    (a) Holds 10% or more of the shares in the licensee ("L"), or is able to exercise (or control the exercise of) 10% or more of the voting power in L;
                    (b) Holds 10% or more of the shares in a parent undertaking ("P") of L, or is able to exercise (or control the exercise of ) 10% or more of the voting power in P; or
                    (c) Is able to exercise significant influence over the management of L or P.
                    January 2013

                  • GR-4.2.2

                    For the purposes of Paragraph GR-4.2.1, "associate" includes:

                    (a) The spouse, son(s) or daughter(s) of a controller;
                    (b) An undertaking of which a controller is a Director;
                    (c) A person who is an employee or partner of the controller; and
                    (d) If the controller is a corporate entity, a Director of the controller, a subsidiary of the controller, or a Director of any subsidiary undertaking of the controller.
                    January 2013

                  • GR-4.2.3

                    Associate also includes any other person or undertaking with which the controller has entered into an agreement or arrangement as to the acquisition, holding or disposal of shares or other interests in the licensee, or under which they undertake to act together in exercising their voting power in relation to the licensee.

                    January 2013

                • GR-4.3 GR-4.3 Suitability of Controllers

                  • GR-4.3.1

                    All new controllers or prospective controllers (as defined in Section GR-4.2) of a licensee must obtain the approval of the CBB. Any increases to existing controllers' holdings or voting control (as outlined under Paragraph GR-4.1.1) must also be approved by the CBB and are subject to the conditions outlined in this Section. Such changes in existing controllers (as defined in the Section GR-4.2) or new/prospective controllers of a licensee must satisfy the CBB of their suitability and appropriateness according to the criteria outlined in Paragraphs GR-4.3.6 to GR-4.3.8. The CBB will issue an approval notice or notice of refusal of a controller according to the approval process outlined in Section GR-4.4 and Paragraph GR-4.1.5.

                    January 2013

                  • GR-4.3.2

                    All controllers or prospective controllers (whether natural or legal persons) of all licensees are subject to the approval of the CBB. Persons who intend to take ownership stakes of 10% or above of the voting capital of a licensee are subject to enhanced scrutiny, given the CBB's position as home supervisor of such licensees. The level of scrutiny and the criteria for approval become more onerous as the level of proposed ownership increases. Existing and prospective controllers should therefore take particular note of the requirements of Paragraphs GR-4.3.3 to GR-4.3.8 if they wish to take more substantial holdings or control.

                    As a matter of policy, the CBB distinguishes between regulated legal persons (i.e. financial institutions) and unregulated legal persons and natural persons as controllers. Unregulated legal persons and natural persons are subject to greater due diligence and therefore have more stringent conditions to satisfy. Regulated legal persons must satisfy home country prudential requirements. The CBB may also contact their home regulators for information on their "fit & proper" status.

                    January 2013

                  • GR-4.3.3

                    A natural person must not own or control more than 15% of the voting capital of a licensee. Such person must satisfy the conditions in Paragraph GR-4.3.6 below.

                    Amended: July 2022
                    January 2013

                  • GR-4.3.4

                    An unregulated legal person (including companies, trusts, partnerships) must not own or control more than 20% of the voting capital of a licensee. All such persons must satisfy the conditions in Paragraph GR-4.3.7 below.

                    Amended: July 2022
                    January 2013

                  • GR-4.3.4A

                    Financing company licensees offering limited scope of activities may be exempted from the requirements of GR-4.3.3 and GR-4.3.4.

                    Added: July 2022

                  • GR-4.3.5

                    The CBB will only permit financial institutions which are subject to effective consolidated supervision under a regulatory framework consistent with the Basel Core Principles, the IOSCO Principles or the IAIS Principles to become controllers with a holding of more than 20% of the voting capital of a licensee. Furthermore, the concerned regulated financial institution must satisfy the conditions in Paragraph GR-4.3.7 and also the specific conditions in Paragraph GR-4.3.8 below. A regulated financial institution will not be approved as a controller of a locally listed licensee if it wishes to acquire more than 40% of the voting capital. Subject to the discretion of the CBB, regulated financial institutions from reputable jurisdictions may be allowed to own or control holdings of voting capital of unlisted locally incorporated licensees in excess of the above mentioned 40% level.

                    January 2013

                  • GR-4.3.6

                    In assessing the suitability and the appropriateness of new/prospective controllers (and existing controllers proposing to increase their shareholdings) who are natural persons, CBB has regard to their professional and personal conduct, including, but not limited to, the following:

                    (a) The propriety of a person's conduct, whether or not such conduct resulted in conviction for a criminal offence, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
                    (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
                    (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
                    (d) Whether the person has been the subject of any disciplinary proceeding by any government authority, regulatory agency or professional body or association;
                    (e) The contravention of any financial services legislation or regulation;
                    (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
                    (g) Dismissal or a request to resign from any office or employment;
                    (h) Disqualification by a court, regulator or other competent body, as a Director or as a manager of a corporation;
                    (i) Whether the person has been a Director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners or managers have been declared bankrupt whilst the person was connected with that partnership or corporation;
                    (j) The extent to which the person has been truthful and open with regulators;
                    (k) Whether the person has ever been adjudged bankrupt, entered into any arrangement with creditors in relation to the inability to pay due debts, or failed to satisfy a judgement debt under a court order or has defaulted on any debts;
                    (l) The person's track record as a controller of, or investor in financial institutions.
                    (m) The financial resources of the person and the likely stability of their shareholding;
                    (n) Existing Directorships or ownership of more than 20% of the capital or voting rights of any financial institution in the Kingdom of Bahrain or elsewhere, and the potential for conflicts of interest that such Directorships or ownership may imply;
                    (o) The legitimate interests of creditors and minority shareholders of the licensee;
                    (p) If the approval of a person as a controller is or could be detrimental to the subject licensee, Bahrain's financial sector or the national interests of the Kingdom of Bahrain; and
                    (q) Whether the person is able to deal with existing shareholders and the board in a constructive and co-operative manner.
                    January 2013

                  • GR-4.3.7

                    In assessing the suitability and appropriateness of legal persons as controllers (wishing to increase their shareholding) or new/potential controllers, the CBB has regard to their financial standing, judicial and regulatory record, and standards of business practice and reputation, including, but not limited to, the following:

                    (a) The financial strength of the person, its parent(s) and other members of its group, its implications for the licensee and the likely stability of the person's shareholding;
                    (b) Whether the person or members of its group have ever entered into any arrangement with creditors in relation to the inability to pay due debts;
                    (c) The person's jurisdiction of incorporation, location of Head Office, group structure and connected counterparties and the implications for the licensee as regards effective supervision of the licensee and potential conflicts of interest;
                    (d) The person's (and other group members') propriety and general standards of business conduct, including the contravention of any laws or regulations including financial services legislation on regulations, or the institution of disciplinary proceedings by a government authority, regulatory agency or professional body;
                    (e) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct;
                    (f) Any criminal actions instigated against the person or other members of its group, whether or not this resulted in an adverse finding;
                    (g) The extent to which the person or other members of its group have been truthful and open with regulators and supervisors;
                    (h) Whether the person has ever been refused a licence, authorisation, registration or other authority;
                    (i) The person's track record as a controller of, or investor in financial institutions;
                    (j) The legitimate interests of creditors and shareholders of the licensee;
                    (k) Whether the approval of a controller is or could be detrimental to the subject licensee, Bahrain's financial sector or the national interests of the Kingdom of Bahrain;
                    (l) Whether the person is able to deal with existing shareholders and the board in a constructive manner; and
                    (m) Existing Directorships or ownership of more than 20% of the capital or voting rights of any financial institution in the Kingdom of Bahrain or elsewhere, and the potential for conflicts of interest that such Directorships or ownership may imply.
                    January 2013

                  • GR-4.3.8

                    Regulated financial institutions wishing to acquire more than 20% of the voting capital of a licensee must observe the following additional conditions:

                    (a) The person must be subject to effective consolidated supervision by a supervisory authority which effectively implements the Basel Core Principles, the IOSCO Principles or the IAIS Principles as well as the FATF 40+9 Recommendations on Money Laundering and Terrorist Financing;
                    (b) The home supervisor of the person must give its formal written prior approval for (or otherwise raise no objection to) the proposed acquisition of the licensee;
                    (c) The home supervisor of the person must confirm to the CBB that it will require the person to consolidate the activities of the concerned licensee for regulatory and accounting purposes if the case so requires;
                    (d) The home supervisor of the person must formally agree to the exchange of customer information between the person and its prospective Bahraini subsidiary/acquisition for AML/CFT purposes and for large exposures monitoring purposes;
                    (e) The home supervisor of the person and the CBB must (if not already in place) conclude a Memorandum of Understanding in respect of supervisory responsibilities, exchange of information and mutual inspection visits;
                    (f) The person must provide an acceptably worded letter of guarantee to the CBB in respect of its obligation to support the licensee; and
                    (g) The licensee will be subject to the provisions of Chapter CM-5 in respect of exposures to its controller.
                    January 2013

                • GR-4.4 GR-4.4 Approval Process

                  • GR-4.4.1

                    Within 3 months of receipt of an approval request under Paragraph GR-4.1.1, the CBB will issue an approval notice (with or without restrictions) or a written notice of refusal if it is not satisfied that the person concerned is suitable to increase his shareholding in, or become a controller of the licensee. The notice of refusal or notice of approval with conditions will specify the reasons for the objection or restriction and specify the applicant's right of appeal in either case. Where an approval notice is given, it will specify the period for which it is valid and any conditions that attach (see Paragraph GR-4.1.5). These conditions will include the maximum permitted limit of holding or voting control exercisable by the controller.

                    January 2013

                  • GR-4.4.2

                    Notices of refusal have to be approved by an Executive Director of the CBB. The applicant has 30 calendar days from the date of the notice in which to make written representation as to why his application should not be refused. The CBB then has 30 calendar days from the date of receipt of those representations to reconsider the evidence submitted and make a final determination, pursuant to Article 53 of the Central Bank of Bahrain and Financial Institutions Law (Decree No. 64 of 2006) ("CBB Law") and Module EN (Enforcement).

                    January 2013

                  • GR-4.4.3

                    Pursuant to Article 56 of the CBB Law, where a person has become a controller by virtue of his shareholding in contravention of Paragraph GR-4.1.1, or a notice of refusal has been served to him under Paragraph GR-4.4.1 and the period of appeal has expired, the CBB may, by notice in writing served on the person concerned, direct that his shareholding shall be transferred or until further notice, no voting right shall be exercisable in respect of those shares.

                    January 2013

                  • GR-4.4.4

                    Article 56 of the CBB Law empowers the CBB to take appropriate precautionary measures, or sell such shares mentioned in Paragraph GR-4.4.3, if the licensee fails to carry out the order referred to in the preceding Paragraph.

                    January 2013

              • GR-5 GR-5 Close Links

                • GR-5.1 GR-5.1 Key Provisions

                  • GR-5.1.1

                    Condition 3 of the CBB's licensing conditions specifies, amongst other things, that licensees must satisfy the CBB that their close links do not prevent the effective supervision of the licensee and otherwise pose no undue risks to the licensee. (See Paragraph AU-2.3.1).

                    January 2013

                  • GR-5.1.2

                    Applicants for a license must provide details of their close links, as provided for under Form 1 (Application for a License). (See Paragraph AU-4.1.1).

                    January 2013

                  • GR-5.1.3

                    Licensees must submit to the CBB, within 3 months of their financial year-end, a report on their close links (See Subparagraph BR-1.1.2(g)). The report must identify all undertakings closely linked to the licensee, as defined in Section GR-5.2.

                    January 2013

                  • GR-5.1.4

                    Licensees may satisfy the requirement in Paragraph GR-5.1.3 by submitting a corporate structure chart, identifying all undertakings closely linked to the licensee.

                    January 2013

                  • GR-5.1.5

                    Licensees must provide information on undertakings with which they are closely linked, as requested by the CBB.

                    January 2013

                • GR-5.2 GR-5.2 Definition of Close Links

                  • GR-5.2.1

                    A licensee ('L') has close links with another undertaking ('U'), if:

                    (a) U is a parent undertaking of L;
                    (b) U is a subsidiary undertaking of L;
                    (c) U is a subsidiary undertaking of a parent undertaking of L;
                    (d) U, or any other subsidiary undertaking of its parent, owns or controls 20% or more of the voting rights or capital of L; or
                    (e) L, any of its parent or subsidiary undertakings, or any of the subsidiary undertakings of its parent, owns or controls 20% or more of the voting rights or capital of U.
                    January 2013

                • GR-5.3 GR-5.3 Assessment Criteria

                  • GR-5.3.1

                    In assessing whether a licensee's close links may prevent the effective supervision of the licensee, or otherwise poses no undue risks to the licensee, the CBB takes into account the following:

                    (a) Whether the CBB will receive adequate information from the licensee, and those with whom the licensee has close links, to enable it to determine whether the licensee is complying with CBB requirements;
                    (b) The structure and geographical spread of the licensee, its group and other undertakings with which it has close links, and whether this might hinder the provision of adequate and reliable flows of information to the CBB, for instance because of operations in territories which restrict the free flow of information for supervisory purposes; and
                    (c) Whether it is possible to assess with confidence the overall financial position of the group at any particular time, and whether there are factors that might hinder this, such as group members having different financial year ends or auditors, or the corporate structure being unnecessarily complex and opaque.
                    January 2013

              • GR-6 GR-6 Cessation of Business

                • GR-6.1 GR-6.1 CBB Approval

                  • GR-6.1.1

                    As specified in Article 50 of the CBB Law, a licensee wishing to cease to provide or suspend any or all of the licensed regulated services of its operations and/or liquidate its business must obtain the CBB's prior approval.

                    January 2013

                  • GR-6.1.2

                    Licensees must notify the CBB in writing at least six months in advance of their intended suspension of any or all the licensed regulated services or cessation of business, setting out how they propose to do so and, in particular, how they will treat any of their liabilities.

                    January 2013

                  • GR-6.1.3

                    If the licensee wishes to liquidate its business, the CBB will revise its license to restrict the firm from entering into new business. The licensee must continue to comply with all applicable CBB requirements until such time as it is formally notified by the CBB that its obligations have been discharged and that it may surrender its license.

                    January 2013

                  • GR-6.1.4

                    A licensee in liquidation must continue to meet its contractual and regulatory obligations to its clients and creditors.

                    January 2013

                  • GR-6.1.5

                    Once the licensee believes that it has discharged all its remaining contractual obligations to clients and creditors, it must publish a notice in two national newspapers in Bahrain approved by the CBB (one being in English and one in Arabic), stating that it has settled all its dues and wishes to leave the market. According to Article 50 of the CBB Law, such notice shall be given after receiving the approval of the CBB, not less than 30 days before the actual cessation is to take effect.

                    January 2013

                  • GR-6.1.6

                    The notice referred to in Paragraph GR-6.1.5 must include a statement that written representations concerning the liquidation may be sent to the CBB before a specified day, which shall not be later than thirty days after the day of the first publication of the notice. The CBB will not decide on the application until after considering any representations made to the CBB before the specified day.

                    January 2013

                  • GR-6.1.7

                    If no objections to the liquidation are upheld by the CBB, then the CBB may issue a written notice of approval for the surrender of the license.

                    January 2013

                  • GR-6.1.8

                    Upon satisfactorily meeting the requirements set out in GR-6.1., the licensees must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its commercial registration from the Ministry of Industry, Commerce and Tourism.

                    Amended: April 2020
                    Added: October 2016

              • GR-7 Prepaid Cards

                • GR-7.1 GR-7.1 General Requirements

                  • GR-7.1.1

                    Licensees must place any prepaid card which is inactive for a period of six months on the “dormant” list.

                    Added: January 2021

          • Business Standards

            • CA CA Financing Companies Capital Adequacy Module

              • CA-A CA-A Introduction

                • CA-A.1 CA-A.1 Purpose

                  • Executive Summary

                    • CA-A.1.1

                      The purpose of this module is to set out the CBB's regulations for minimum capital requirements. This requirement is supported by Article 44(c) of the Central Bank of Bahrain and Financial Institutions Law (Decree No. 64 of 2006).

                      January 2013

                    • CA-A.1.2

                      Principle 9 of the Principles of Business requires that financing company licensees maintain adequate human, financial and other resources, sufficient to run their business in an orderly manner (see Section PB-1.9). In addition, Condition 5 of CBB's Authorised Conditions (Section AU-2.5) requires financing company licensees to maintain financial resources in excess of the minimum requirements specified in this Module.

                      January 2013

                    • CA-A.1.3

                      This Module sets out the minimum capital requirements which financing company licensees must meet as a condition of their licensing.

                      January 2013

                    • CA-A.1.4

                      The purpose of these requirements is to ensure that financing company licensees hold sufficient financial resources to provide some protection against unexpected losses.

                      January 2013

                    • CA-A.1.5

                      The CBB requires in particular that the relevant financing company maintain adequate capital in accordance with the requirements of this Module, against their risks.

                      January 2013

                    • CA-A.1.6

                      This module provides support for certain other parts of the Rulebook, mainly:

                      (a) Prudential Consolidation and Deduction Requirements;
                      (b) Licensing and Authorisation Requirements;
                      (c) CBB Reporting Requirements;
                      (d) Credit Risk Management;
                      (e) Operational Risk Management;
                      (f) High Level Controls:
                      (g) Relationship with Audit Firms; and
                      (i) Penalties and Fines.
                      January 2013

                  • Legal Basis

                    • CA-A.1.7

                      This Module contains the CBB's Directive relating to the capital requirements and gearing of financing company licensees, and is issued under the powers available to the CBB under Article 38 of the CBB Law. The Directive in this Module is applicable to all financing company licensees.

                      January 2013

                • CA-A.2 CA-A.2 Module History

                  • Evolution of Module

                    • CA-A.2.1

                      This Module was first issued in January 2013 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      January 2013

                    • CA-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      CA-1.1.5 10/2014 Clarified that gearing ratio is to be calculated on a consolidated basis.
                      CA-1.1.6 10/2014 Amended definition of core capital.
                      CA-1.1.1 07/2022 Amended Paragraph on the minimum capital requirement for licensees offering a limited scope of short-term instalment credit activity.
                           
                           

                    • CA-A.2.3

                      Guidance on the implementation and transition to Volume 5 (Specialised Licensees) is given in Module ES (Executive Summary).

                      January 2013

              • CA-B CA-B Scope of Application

                • CA-B.1 CA-B.1 Scope of Application

                  • CA-B.1.1

                    This Module is applicable to all financing company licensees (authorised in the Kingdom, thereafter referred to in this Module as licensees).

                    January 2013

              • CA-1 CA-1 Regulatory Capital

                • CA-1.1 CA-1.1 General Requirements

                  • Minimum Capital Requirement

                    • CA-1.1.1

                      A licensee must maintain a minimum paid-up capital of BD5,000,000. A greater amount of capital may be required by the CBB on a case-by-case basis. A licensee offering a limited scope of short-term instalment credit activity may be allowed, as determined by the CBB, to maintain a lower capital based on the nature, scale and size of operations.

                      Amended: July 2022
                      January 2013

                    • CA-1.1.2

                      In addition to the requirements of Paragraph CA-1.1.1, the CBB may require that an acceptably worded letter of guarantee be provided in support of the application for a license. Where the application for the license is for an incorporated entity, the CBB may seek a letter of guarantee from the major shareholder in control of the licensee.

                      January 2013

                    • CA-1.1.3

                      All licensees must implement the requirements of Paragraphs CA-1.1.1 and CA-1.1.2, effective January 2013.

                      January 2013

                  • Gearing Ratio

                    • CA-1.1.4

                      In addition to the requirements outlined in Paragraphs CA-1.1.1 and CA-1.2.1., all licensees must maintain a minimum gearing ratio of 20%.

                      January 2013

                    • CA-1.1.5

                      For purposes of Paragraph CA-1.1.4, the gearing ratio is defined as the core capital divided by the total liabilities to be calculated on a consolidated basis.

                      Amended: October 2014
                      January 2013

                  • Core Capital

                    • CA-1.1.6

                      Core capital shall consist of the sum of items (a) to (e) below, less the sum of items (f) to (h) below:

                      (a) Issued and fully paid ordinary shares (net of treasury shares);
                      (b) Share premium reserve;
                      (c) Preference shares;
                      (d) All disclosed reserves brought forward, that are audited and approved by the shareholders, in the form of legal, general and other reserves created by appropriations of retained earnings; and
                      (e) Retained earnings (losses) brought forward, including reviewed interim profits;

                      LESS:

                      (f) Goodwill;
                      (g) Current interim cumulative net losses; and
                      (h) Other deductions, as specified by the CBB.
                      Amended: October 2014
                      January 2013

                    • CA-1.1.7

                      Only interim profits which have been reviewed as per IAS 34 may be included as core capital.

                      Amended: October 2014
                      January 2013

                  • Liabilities

                    • CA-1.1.8

                      For purposes of Paragraph CA-1.1.5, liabilities are defined as the total amount of liabilities reported in the PIRF or PIRCC.

                      January 2013

                    • CA-1.1.9

                      Licensees must ensure that at all times they maintain the minimum gearing ratio outlined in Paragraph CA-1.1.4. In the event that the licensee does not comply with the minimum gearing ratio, it must notify the CBB by no later than the following business day of the actual level of the gearing ratio. When providing such notification, the licensee must:

                      (a) Provide to the CBB, within one week of the non-compliance, a written action plan setting out how the licensee proposes to restore its gearing ratio to the required minimum level and describe the systems and controls that have been put in place to prevent any future non-compliance of the minimum gearing ratio; and
                      (b) Report to the CBB on a monthly basis or on another timely basis as required by the CBB, the licensee's gearing ratio until such time as the gearing ratio has reached 22% or other target level as specified by the CBB.
                      January 2013

                    • CA-1.1.10

                      Licensees must note that the CBB considers the breach of the gearing ratio to be a very serious matter. Consequently, the CBB may (at its discretion) subject a licensee which breaches its gearing ratio to a formal licensing reappraisal. Such reappraisal may be effected either through the CBB's own inspection function or through the use of Reporting Accountants, as appropriate. Following such reappraisal, the CBB will provide a written notification to the licensee concerned outlining the CBB's conclusions with regard to the continued licensing.

                      January 2013

                  • Compliance Officer

                    • CA-1.1.11

                      The CBB requires that the licensee's compliance officer supports and cooperates with the CBB in the monitoring and reporting of the capital level and the gearing ratio and other regulatory reporting matters.

                      January 2013

                    • CA-1.1.12

                      Compliance officers should ensure that the licensee has adequate internal systems and controls to comply with this Module.

                      January 2013

                  • Reporting Requirements

                    • CA-1.1.13

                      The licensee must report its capital level and gearing ratio to the CBB in accordance with the requirements outlined in Chapter BR-3.

                      January 2013

            • BC BC Financing Companies Business And Market Conduct Module

              • BC-A BC-A Introduction

                • BC-A.1 BC-A.1 Purpose

                  • BC-A.1.1

                    This Module contains requirements that have to be met by financing company licensees with regards to their dealings with customers. The Rules contained in this Module aim to ensure that financing company licensees deal with their clients in a fair and open manner, and address their customers' information needs.

                    January 2014

                  • BC-A.1.2

                    The Rules build upon several of the Principles of Business (see Module PB (Principles of Business)). Principle 1 (Integrity) requires financing company licensees to observe high standards of integrity and fair dealing, and to be honest and straightforward in their dealings with customers. Principle 3 (Due skill, care and diligence) requires financing company licensees to act with due skill, care and diligence when acting on behalf of their customers. Principle 7 (Client Interests) requires financing company licensees to pay due regard to the legitimate interests and information needs of their customers, and to communicate with them in a fair and transparent manner.

                    January 2014

                  • Legal Basis

                    • BC-A.1.3

                      This Module contains the CBB's Directive (as amended from time to time) on business conduct by financing company licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 (CBB Law). The Directive in this Module is applicable to all financing company licensees.

                      January 2014

                    • BC-A.1.4

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      January 2014

                • BC-A.2 BC-A.2 Module History

                  • BC-A.2.1

                    This Module was first issued in January 2014 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    January 2014

                  • BC-A.2.2

                    A list of recent changes made to this Module is provided below:

                    Module Ref. Change Date Description of Changes
                    BC-3.5 10/2015 Added new Section on credit check reports.
                    BC-3.6 07/2016 Added new Section on transaction advice.
                    BC-5 01/2017 Added new Section on Cheques
                    BC-3.7 04/2018 Added new Section on Fees and Charges for Services Provided to Individuals.
                    BC-3.1.28A 07/2018 Added new Paragraph on existing "Early Repayment" requirements.
                    BC-3.1.22 01/2019 Amended Paragraph on initial disclosure of charges by licensees.
                    BC-3.1.24 01/2019 Amended Paragraph on disclosure to individual customers.
                    BC-3.1.25A 01/2019 Added a new Paragraph on Rounding off in Transactions.
                    BC-3.8 07/2019 Added a new Section on Interest on Credit Card Transactions.
                    BC-4.3.14 04/2020 Amended Paragraph adding reference to CBB consumer protection.
                    BC-4.5.6 04/2020 Amended Paragraph adding reference to CBB consumer protection.
                    BC-4.7.1 - BC-4.7.3 04/2020 Amended Paragraphs adding reference to CBB consumer protection.
                    BC-C 10/2020 Added a new Chapter on Provision of Financial Services on a Non-discriminatory Basis.
                    BC-3.9 10/2020 Added a new Section on Fund Transfers by Customers of Payment Service Providers (PSP).
                    BC-3.10 04/2021 Added a new Section on Merchant Fees on Payments to Zakat and Charity Fund.
                    BC-1.2.1 07/2021 Deleted Paragraph.
                    BC-1.2.2 07/2021 Deleted Paragraph.
                    BC-3.1.6 07/2021 Amended Paragraph.
                    BC-4.7.1 01/2022 Amended Paragraph on submission of quarterly report on complaints.
                    BC-1.1.2 04/2022 Amended Paragraph on promotional schemes.
                    BC-3.2.1 07/2023 Amended Paragraph on notification to the CBB of any new products or services with added cost.

                  • Superseded Requirements

                    • BC-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                      Document Ref. Document Subject
                      Volumes 1 and 2 Module BC
                      EDBS/KH/C/73/2018 Rounding off in Transactions
                      Amended: January 2019
                      January 2014

              • BC-B BC-B Scope of Application

                • BC-B.1 BC-B.1 Scope

                  • BC-B.1.1

                    This Module applies to all financing company licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

                    January 2014

              • BC-C BC-C Provision of Financial Services on a Non-discriminatory Basis

                • BC-C.1 BC-C.1 Provision of Financial Services on a Non-discriminatory Basis

                  • BC-C.1.1

                    Financing company licensees must ensure that all regulated financial services are provided without any discrimination based on gender, nationality, origin, language, faith, religion, physical ability or social standing.

                    Added: October 2020

              • BC-1 BC-1 Promotion of Financial Products and Services

                • BC-1.1 BC-1.1 Promotion of Financial Products and Services Offered in/from Bahrain by Means of Incentives

                  • Introduction

                    • BC-1.1.1

                      The purpose of this Section is to set out requirements pertaining to the promotion of financial products offered in/from Bahrain by licensees by means of incentives (herein referred to as 'promotional schemes').

                      January 2014

                    • BC-1.1.2

                      The CBB has no objection to the use of promotional schemes in general and, unless it otherwise specifically directs in any particular case, the CBB does not expect to be actively consulted/have its approval sought about the idea and/or substance of any promotional schemes. Any advertising of promotional schemes are subject to the requirements of Section BC-1.2.

                      Amended: April 2022
                      January 2014

                    • BC-1.1.3

                      The CBB will monitor promotional schemes and, if thought appropriate in the interests of a licensee and its customers in particular and/or the financial sector in general, may issue specific guidance in certain cases. Licensees should feel free to consult the CBB at any time regarding any matters referred to in this Section.

                      January 2014

                  • General Requirements

                    • BC-1.1.4

                      Licensees must take care to ensure that promotional schemes do not involve a breach of Bahrain law or any other relevant applicable law and regulation. In addition, promotional schemes should not in any way be detrimental to the public good or public morals.

                      January 2014

                    • BC-1.1.5

                      While there is to be no formal restriction on the types of incentive which may be used by institutions, care must be taken to ensure that promotional schemes do not negatively affect the integrity, reputation, good image and standing of Bahrain and/or its financial sector, and do not detrimentally affect Bahrain's economy.

                      January 2014

                    • BC-1.1.6

                      Bearing in mind the reputation of, and the requirement to develop, the financial sector in Bahrain, as well as the need to act at all times in the best interests of the customer, licensees need to take adequate care to ensure that promotional schemes do not unreasonably divert the attention of the public from other important considerations in choosing a financing company or a financial product.

                      January 2014

                    • BC-1.1.7

                      All documentation and other media communication (including websites, voice messaging, SMS, etc.) concerning promotional schemes must be in Arabic and English and, if relevant, any other language necessary for customers to fully understand and appreciate their terms and conditions. Such terms and conditions, including any related advertising, are required to be clear, concise, truthful, unambiguous and complete so as to enable customers to make a fully informed decision.

                      January 2014

                    • BC-1.1.8

                      Customers to whom promotional schemes are directed must enjoy equal opportunity in terms of access to, and treatment within, such schemes.

                      January 2014

                    • BC-1.1.9

                      All costs (including funding costs), charges or levies associated with promotional schemes must be disclosed to prospective customers.

                      January 2014

                    • BC-1.1.10

                      All material related to promotional schemes, particularly where raffles are concerned, must be maintained for a minimum period of 5 years (see Paragraph GR-1.3.4).

                      January 2014

                    • BC-1.1.11

                      Any raffles held as part of promotional schemes must be independently monitored (e.g. by the licensee's external auditor) and adequate systems put in place to ensure fair play and impartiality.

                      January 2014

                    • BC-1.1.12

                      An appropriate system must also exist for informing participants of the results of a raffle without delay. Licensees must note that raffles may be subject to rules and requirements (including prior authorisation/approval) laid down by the Ministry of Industry and Commerce.

                      January 2014

                    • BC-1.1.13

                      Licensees may use small 'gifts' as an inducement to members of the public to use its services, provided such gifts are offered on a general basis and have a low monetary value.

                      January 2014

                    • BC-1.1.14

                      Due note must be taken of the overriding provisions of Bahrain (and any other relevant) law in relation to licensees' duties to customers to the extent (if any) that promotional schemes might impact on such duties.

                      January 2014

                • BC-1.2 BC-1.2 Advertisements for Financial Products and Services

                  • BC-1.2.1

                    [This Paragraph was deleted in July 2021].

                    Deleted: July 2021
                    January 2014

                  • BC-1.2.2

                    [This Paragraph was deleted in July 2021].

                    Deleted: July 2021
                    January 2014

              • BC-2 BC-2 Client Confidentiality

                • BC-2.1 BC-2.1 Disclosure of Information about Individual Accounts

                  • BC-2.1.1

                    In accordance with Article 117 of the CBB Law, licensees must not publish or release information to third parties concerning the accounts or activities of their individual customers, unless:

                    (a) Such information is requested by an authorised official from the CBB or by an order from the Courts;
                    (b) The release of such information is approved by the customer concerned; or
                    (c) It is in compliance with the provision of the law or any international agreements to which the Kingdom is a signatory.
                    January 2014

              • BC-3 BC-3 Customer Account Services and Charges

                • BC-3.1 BC-3.1 Disclosure of Charges by Licensees

                  • BC-3.1.1

                    In order to improve customer awareness and enhance transparency of licensees' charging structures, all licensees must display in a prominent position, in Arabic and in English, by notice in their banking halls (both head offices and branches), a list of all applicable charges.

                    January 2014

                  • BC-3.1.2

                    Licensees must also ensure that each customer is in receipt of their current list of charges, by enclosing such a list with statements and displaying such charges on their websites. The list must specify standard charges and commissions that will be applied by the licensee to individual services and transactions and to specific areas of business.

                    January 2014

                  • Credit Agreements

                    • BC-3.1.3

                      A licensee must make available, at their premises, information leaflets containing information on the key products and services in respect of all credit agreements including:

                      (a) The Annual Percentage Rate (APR) as defined in BC-3.1.10, for instalment financing facilities only; and
                      (b) The annual profit/interest rate on credit facilities (as referred to in paragraph BC-3.1.14), commission, fees, one-off charges, expenses on behalf of third parties, exchange rates applied and any other charges.
                      January 2014

                    • BC-3.1.4

                      For the purpose of this Section, the following definitions apply:

                      (a) Credit agreement — Means all instalment financing agreements and lease agreements, as well as credit cards, revolving and other types of credit offered to customers;
                      (b) Customer — Means both the debtor and the guarantor (if any) and/or any potential debtor or guarantor;
                      (c) Conspicuous notice — Means a written statement in both Arabic and English languages which is easily visible and legible and displayed in all licensees' premises open to the public (head offices and branches), and via means such as websites, newspapers and other press notices;
                      (d) Nominal annual rate — Means the interest rate charged to the customer, calculated by dividing the amount of the total interest by the amount of the funds provided to the customer and excluding any other charges, the results of which is divided by the number of years of the term of the credit agreement;
                      (e) Outstanding credit amount — Means the amount outstanding under a credit agreement representing the amount of funds provided to the customer and any other charges that are included as part of the principal amount to be repaid by the customer over the duration of the agreement less any repayment made related to the principal amount at a specified date; and
                      (f) Principal — Means the amount of credit received plus any other charges, the total of which is subject to interest.
                      January 2014

                  • General Rules

                    • BC-3.1.5

                      Where a customer has a credit agreement with a licensee, licensees must:

                      (a) Duly inform their customers in accordance with this Module about the nature and the characteristics (including relevant risks) of the credit agreements and services offered by them, and about the terms and conditions governing such agreements;
                      (b) Periodically inform, in writing, their customers on the evolution and the terms of any credit agreement signed, throughout the duration of the contract (refer to Paragraphs BC-3.1.24 and BC-3.1.25);
                      (c) Respond in due time, to customers' requests for the provision of information and clarifications regarding the application of contractual terms (refer to Paragraphs BC-3.1.29 and BC-3.1.30);
                      (d) Appoint a customer complaints officer and publicise his/ her contact details (refer to Chapter BC-4 on Customer Complaints Procedures);
                      (e) Ensure the proper training of employees involved in interfacing and providing specific information to customers;
                      (f) Disclose information required in this Module in the credit agreement in both Arabic & English languages;
                      (g) Show clearly the APR for instalment facilities and the annual rate of interest for other credit facilities on the credit agreement application and 'key terms disclosure' document; and
                      (h) Disclose all information in a clear and readable form (refer to Paragraph BC-3.1.6).
                      January 2014

                    • BC-3.1.6

                      Marketing of customer credit agreements, advertising and sales promoting credit agreements, irrespective of the media used (SMS, Internet, printed material, telephone solicitation) must be clear and understandable, must be true and not misleading and meet the basic customer information requirements as defined in this Module. Licensees are also asked to take special care to ensure that the content of any advertising material does not mislead or deceive the public in any way.

                      Amended: July 2021
                      January 2014

                    • BC-3.1.7

                      The use of "small print" to make potentially important information less visible is not compatible with good business conduct, and should be avoided.

                      January 2014

                  • Minimum Disclosure Requirements

                    • BC-3.1.8

                      Licensees must make:

                      (a) Public disclosure regarding credit agreements; and
                      (b) Disclosures to individual customer(s), whether these be during the course of the initial negotiation of the credit agreement or during the term of the facility being offered.
                      January 2014

                  • Public Disclosure Requirements for all Credit agreements

                    • BC-3.1.9

                      The following public disclosures must be made by conspicuous notice for all types of credit agreements:

                      (a) Any late payment charges;
                      (b) The level of fees for any special services rendered, or one-off expenses, as well as any amount collected by licensees on behalf of third parties;
                      (c) Any fees or charges payable under any linked or mandatory contract entered into as a condition for the granting of the credit agreement, such as payment protection insurance; and
                      (d) Any other charges not included above.
                      January 2014

                  • Additional Public Disclosure for Instalment Financing Facilities

                    • BC-3.1.10

                      In addition to the requirements under Paragraph BC-3.1.9, licensees must publicly disclose by conspicuous notice for instalment financing facilities:

                      (a) The current Annual Percentage Rate (APR) as calculated using the APR methodology in BC-3.1.31. The APR displayed must be calculated based on the following scenarios. In case of consumer finance, amount borrowed is BD10,000 for a 7-year term and for housing facilities, BD100,000 for 25 years;
                      (b) The Annual Percentage Rate (APR), must be broken down as follows:
                      (i) The annual nominal interest/profit rate payable on the instalment financing;
                      (ii) Administration/handling fees;
                      (iii) In the case of finance lease contracts/ijara or deferred purchase contracts, any fees for purchasing the asset; and
                      (iv) Any other mandatory charges (contingent costs are excluded); and
                      (c) The terms and conditions for early repayment, partial or full, of the credit agreement, or for any change in the terms and covenants of the credit agreement, as well as any relevant charges (where permitted) and the way in which these are calculated.
                      January 2014

                    • BC-3.1.11

                      The APR is a standard measure that allows customers to compare total charges for instalment financing facilities on a like-for-like basis. The APR allows the customer to compare the total charge for credit over differing periods (e.g. — two versus three years) or offered by different licensees with differing payment profiles and taking into account the payment of any other fees payable as a condition of the contract, such as administration fees or insurance premiums.

                      January 2014

                    • BC-3.1.12

                      Any advertising through any media means of instalment financing facilities, offered by the licensees must specify only the APR (including all fees and charges) and no other rates, i.e. nominal, base, flat or rates by any other names.

                      January 2014

                    • BC-3.1.13

                      For the purposes of Paragraph BC-3.1.10, the disclosures can be provided as one APR or a range of APRs for licensees that provide instalment financing to different segments and products. A licensee may have different customer segments with different risk profiles, for whom the APR offered on the same product may vary. However, the disclosures must comply with the scenarios outlined in Subparagraph BC-3.1.10 (a).

                      January 2014

                  • Additional Public Disclosure for Credit Agreements other than Instalment Financing Facilities

                    • BC-3.1.14

                      In addition to the requirements under paragraph BC-3.1.9, licensees must publicly disclose by conspicuous notice for Credit Agreements other than instalment financing facilities:

                      (a) For credit cards, the monthly and the annual rate of profit/interest plus other fees and charges;
                      (b) For floating-rate credit agreements, the profit/interest rate clearly defined on the basis of the relevant base rate, the periods during which this rate would apply, as well as information on key factors that could affect the total cost of the credit agreement; and
                      (c) For instances where the customer exceeds contractual credit lines, the terms and any relevant charges.
                      January 2014

                    • BC-3.1.15

                      For credit agreements other than instalment financing facilities, any advertising through any media means must specify only the annual proft/interest rate and other fees and charges.

                      January 2014

                    • BC-3.1.16

                      For credit agreements other than instalment financing facilities, licensees are prohibited from using the term APR in any advertising.

                      January 2014

                  • Disclosure to Individual Customers: Initial Disclosure Requirements of Key Terms

                    • BC-3.1.17

                      Licensees must make clear to potential customers, prior to entering into a credit agreement, all relevant key terms of the agreement in the credit application and 'key terms disclosure' document, in order for them to clearly understand the characteristics of the services and products on offer. Licensees must also comply with the disclosure requirements under the "Code of Best Practice on Consumer Credit and Charging" (see Appendix CM-1).

                      January 2014

                    • BC-3.1.18

                      The above "key terms disclosure" document must be summarised in plain English and Arabic. This document must be signed and dated by the customer(s) in duplicate as having been read and understood, prior to signing a credit agreement. One copy should be retained by the customer and the other must be retained by the licensee in their customer file.

                      January 2014

                    • BC-3.1.19

                      For credit agreements where a retailer extends credit to purchase goods or services by operating in agreement with licensees, all conditions of the credit agreement must be disclosed in the credit agreement application and 'key terms disclosure' document, including when interest will begin to accrue, along with information on any indirect charges.

                      January 2014

                    • BC-3.1.20

                      Credit agreements, referred to in Paragraph BC-3.1.19, must be finalised with an employee of the licensee, whether located at the premises of the retailer or at the premises of the licensee providing the credit. Profit/interest must in no event be charged before the disbursement of funds.

                      January 2014

                    • BC-3.1.21

                      Licensees must inform the customers on the nature of their contractual relationship with the retail outlet and the customers' rights arising as a result of this relationship.

                      January 2014

                    • BC-3.1.22

                      In addition to the initial disclosure of key terms noted in Paragraphs BC-3.1.17 to BC-3.1.21, the "key terms disclosure" document must, at the time of signing the credit agreement, amongst other things, make clear:

                      (a) The detailed breakdown of the payments:
                      (i) The principal amount being borrowed, the profit/interest per month and the maturity of the credit agreement;
                      (ii) The net amount provided to the customer after deducting or applying any upfront or other charges;
                      (iii) The total profit/interest payments and principal repayment for the term of the credit agreement; and
                      (iv) The total administration/handling fees and all details of any other fees and charges spread over the term of the credit agreement;
                      (b) The APR and annual nominal rate as defined in Paragraphs BC-3.1.10 and BC-3.1.4(d) respectively;
                      (c) Whether the rate of profit/interest is fixed or can be varied, and under what circumstances;
                      (d) The basis on which profit/interest is charged (e.g. actual reducing balance) and applied to the account (e.g. monthly or quarterly compounding) and whether principal repayments are taken into account in the calculation, together with an illustration of the calculation method;
                      (e) The detailed costs associated with "top-ups" of credit agreements or other alternative arrangements for extending additional credit or early repayments, whether partial or full, of amounts due including the treatment of remaining profit/interest and the payment of premium for insurance;
                      (f) Any late payment charges;
                      (g) The annual profit/interest rate and credit limit being offered for credit agreements such as credit cards; and
                      (h) Any other charges related to the credit agreement not included above all details of which must be provided to the customer.
                      Amended: January 2019
                      January 2014

                    • BC-3.1.23

                      Licensees are free to design the layout and wording to be used in their 'key terms disclosure' document, as they see fit, providing they contain the information specified in Paragraph BC-3.1.22. The CBB will monitor compliance with the spirit as well as the letter of the requirements in this Chapter.

                      January 2014

                  • Disclosure to Individual Customers: During the Term of the Credit Agreement

                    • BC-3.1.24

                      Licensees must, at the time of singing the credit agreement, give the clients information on the payment schedule of the credit agreement, including the breakdown of principal, profit/interest and other charges per month for the whole life of the facility. Information must be given, free of charge, at least on a semi-annual basis, unless the period of debt servicing is shorter or where there exists a prior agreement on a more frequent basis.

                      Amended: January 2019
                      January 2014

                    • BC-3.1.25

                      In addition to the requirements under Paragraph BC-3.1.24, when credit is granted through credit cards, monthly statements must be provided and include information on minimum payment.

                      January 2014

                    • BC-3.1.25A

                      Licensees must, when billing their customers, reflect the card transactions without rounding off the amounts in Fils. Licensees must collaborate with acquirers and Visa/MasterCard network schemes to ensure that there is no rounding off in any transaction irrespective of the currency of the transaction.

                      Added: January 2019

                  • Variation Disclosures Requirements

                    • BC-3.1.26

                      Licensees must disclose to the customer in advance, either collectively or individually, all relevant changes or variations to a credit agreement. The circumstances in which a customer must be provided with variation disclosures are:

                      (a) If both the licensee and customer agree to change the credit agreement; in this case, the customer must be provided in writing with full particulars of the change, at least seven calendar days before it takes effect; and
                      (b) If the credit agreement gives the licensee power to vary fees or charges, the amount or timing of payments, the profit/interest rate or the way profit/interest is calculated, and the licensee decides to exercise that power, the customer must be provided with full particulars of the change, including an updated schedule of the total interest payments and principal repayment for the remaining term of the credit agreement, at least thirty calendar days prior to the date the change takes effect. Such notice is to enable the customer to decide whether to accept the new terms or terminate the agreement by settling the outstanding credit amount, in accordance with relevant provisions therein, which must have been stated in a clear and understandable manner.
                      January 2014

                    • BC-3.1.27

                      Any increase of the profit/interest rate or the amount of any fee or charge payable under a credit agreement, must be disclosed publicly, by conspicuous notice, at least thirty calendar days prior to the date the change takes effect by:

                      (a) Displaying the information prominently at the licensee's place of business; and
                      (b) Posting the information on the licensee's website.
                      January 2014

                    • BC-3.1.28

                      Any deferral of profit/interest or principal announced by the licensee must also take account of the APR methodology as shown in Paragraphs BC-3.1.31 to BC-3.1.33, and the new APR must be given to the client or made public in advertisements.

                      January 2014

                  • Early Repayment

                    • BC-3.1.28A

                      All requests for early repayment of Shari'a compliant financing must satisfy the condition requiring the licensees to restrict the profit on the transaction to one month profit; i.e. the month in which the actual early repayment takes place. This is effective from 1st October 2011.

                      Added: July 2018

                  • Request Disclosure

                    • BC-3.1.29

                      The licensee must provide a reply to any request for disclosure within fifteen business days of receiving the request.

                      January 2014

                    • BC-3.1.30

                      Disclosures requested by the customer may include but are not limited to any or all of the following information about a credit agreement:

                      (a) The effect of part prepayment on the customer's obligations;
                      (b) Full particulars of any changes to the agreement since it was made;
                      (c) The amount of any fee payable on part prepayment and how the fee will be calculated;
                      (d) The amount required for full prepayment on a specified date and how the amount will be calculated;
                      (e) The outstanding credit amount, including any outstanding profit/interest charge (calculated at the date the disclosure statement is prepared);
                      (f) The amount of payments made or to be made or the method of calculating the amount of those payments;
                      (g) The number of payments made or to be made (if ascertainable);
                      (h) How often payments are to be made;
                      (i) The total amount of payments to be made under the agreement, if ascertainable; and
                      (j) A copy of any disclosure statement that was or should have been provided before the request was made.
                      January 2014

                    • BC-3.1.31

                      The APR must be calculated using the following methodology:

                      K=m K'=m'
                      Σ   Ak
                      (1 + i) tk =  
                      Σ   A'k'
                      (1 + i) tk'  
                      K=1 K'=1
                      January 2014

                    • BC-3.1.32

                      The meaning of letters and symbols used in the above formula are:

                      K is the number identifying a particular advance of credit;
                      K' is the number identifying a particular instalment;
                      Ak is the amount of advance K;
                      A'k' is the amount of instalment K;
                      Σ represents the sum of all the terms indicated;
                      m is the number of advances of credit;
                      m' is the total number of instalments;
                      tk is the interval, expressed in years between the relevant date and the date of advance K;
                      tk' is the interval expressed in years between the relevant date and the date of instalment K';
                      i is the APR, expressed as a decimal.
                      January 2014

                    • BC-3.1.33

                      For the purpose of this Chapter, the 'relevant date' is the earliest identifiable date on which the borrower is able to acquire anything which is the subject of the agreement (e.g. delivery of goods), or otherwise the 'relevant date' is the date on which the credit agreement is made.

                      January 2014

                • BC-3.2 BC-3.2 Notification to the CBB on Introduction of New or Expanded Customer Products and Facilities

                  • BC-3.2.1

                    All licensees are required to notify the CBB before the introduction of any new products or services or any changes in existing product/service that will have an additional financial cost to the customers. The CBB will respond to the concerned licensee within one week of receipt of the notification if it has any observations on the new application.

                    Amended: July 2023
                    January 2014

                • BC-3.3 BC-3.3 Dealing with Inheritance Claims

                  • BC-3.3.1

                    Licensees must ensure that no transfer of legal ownership of financial assets is made until they have sight of documentation (which must be duly copied for their records) from the Ministry of Justice and Islamic Affairs confirming the entitlement of a person or persons to inherit from the deceased. Such documentation must be complied with precisely. Particular care must be taken where minors (children) or other people lacking full legal capacity are named as inheritors.

                    January 2014

                  • BC-3.3.2

                    Without prejudice to Paragraph BC-3.3.1, financial assets may be distributed to the order of an individual provided that individual is named in a mandate, duly certified by the Ministry of Justice and Islamic Affairs, as having the permission to act on behalf of all of the inheritors.

                    January 2014

                • BC-3.4 BC-3.4 Compliance with the Code of Best Practice on Consumer Credit and Charging

                  • BC-3.4.1

                    Licensees must comply with the Code of Best Practice on Consumer Credit and Charging as included in Appendix CM-1 throughout the lifetime of their relationship with a customer.

                    January 2014

                  • BC-3.4.2

                    Licensees must take responsibility for compliance with the above requirements by all persons carrying out regulated financing company services on their behalf. Licensees must put in place appropriate measures across all their business operations and distribution channels to ensure compliance with the requirements of the Code of Best Practice on Consumer Credit and Charging where relevant.

                    January 2014

                • BC-3.5 BC-3.5 Credit Check Reports

                  • BC-3.5.1

                    Where a pensioner has been requested to produce a credit report by the Social Insurance Organization (SIO) to establish his/her credit standing, licensees must not levy any administrative charges.

                    Added: October 2015

                • BC-3.6 BC-3.6 Transaction Advice

                  • BC-3.6.1

                    All licensees must provide at no charge, a transaction advice service for its customers. This service information must be communicated on all credit card transactions through short message service (SMS) for all types of local and international financial transactions, including POS, ATM and internet.

                • BC-3.7 BC-3.7 Fees and Charges for Services Provided to Individuals

                  • BC-3.7.1

                    Financing company licensees must comply with the caps on fees and charges for standard services provided to individuals effective from 1st May 2018 as per the table in Appendix BC-2 in Part B of the CBB Rulebook Volume 5 for Financing Companies.

                    Added: April 2018

                • BC-3.8 BC-3.8 Interest on Credit Card Transactions

                  • BC-3.8.1

                    Financing company licensees must comply with the following requirements with regards to charging interest on credit card statement dues:

                    (a) Interest must not be charged if the customer pays the full amount billed and due before or on the due date specified in the monthly credit card statement except for cash withdrawal transactions;
                    (b) Interest must not be charged on partial payments made by the customer on or before the due date specified in the monthly credit card statement against credit card amount billed and due;
                    (c) Interest on cash withdrawal transactions must be computed from the date of the transaction ("transaction date");
                    (d) Interest on credit card amounts billed but unpaid on or before the due date must be computed from the posting date of the transaction; and
                    (e) Interest must not be charged on outstanding interest amounts, fees and charges due from the customer.
                    Added: July 2019

                  • BC-3.8.2

                    For the purpose of charging interest on credit card dues, financing company licensees must only calculate interest charges using 365-days a year basis.

                    Added: July 2019

                • BC-3.9 BC-3.9 Fund Transfers by Customers of Payment Service Providers (PSP)

                  • BC-3.9.1

                    Financing company licensees that act as acquirers or payment gateways for PSPs, must not charge more than 100 fils in line with the Electronic Fund Transfer System (EFTS) requirements to the customers of PSPs for normal fund transfers made electronically.

                    Added: October 2020

                • BC-3.10 BC-3.10 Merchant Fees on Payments to Zakat and Charity Fund

                  • BC-3.10.1

                    Financing company licensees that act as acquirers must exempt the Zakat and Charity Fund (“the Fund”) of the Ministry of Justice, Islamic Affairs and Awqaf from merchant fees for payments made to the Fund.

                    Added: April 2021

              • BC-4 BC-4 Customer Complaints Procedures

                • BC-4.1 BC-4.1 General Requirements

                  • BC-4.1.1

                    All licensees must have appropriate customer complaints handling procedures and systems for effective handling of complaints.

                    January 2014

                  • BC-4.1.2

                    Customer complaints procedures must be documented appropriately and their customers must be informed of their availability.

                    January 2014

                  • BC-4.1.3

                    All licensees must appoint a customer complaints officer and publicise his/ her contact details at all departments and branches and on the licensee's website. The customer complaints officer must be of a senior level at the licensee and must be independent of the parties to the complaint to minimise any potential conflict of interest.

                    January 2014

                  • BC-4.1.4

                    The position of customer complaints officer may be combined with that of compliance officer.

                    January 2014

                • BC-4.2 BC-4.2 Documenting Customer Complaints Handling Procedures

                  • BC-4.2.1

                    In order to make customer complaints handling procedures as transparent and accessible as possible, all licensees must document their customer complaints handling procedures. These include setting out in writing:

                    (a) The procedures and policies for:
                    (i) Receiving and acknowledging complaints;
                    (ii) Investigating complaints;
                    (iii) Responding to complaints within appropriate time limits;
                    (iv) Recording information about complaints;
                    (v) Identifying recurring system failure issues;
                    (b) The types of remedies available for resolving complaints; and
                    (c) The organisational reporting structure for the complaints handling function.
                    January 2014

                  • BC-4.2.2

                    Licensees must provide a copy of the procedures to all relevant staff, so that they may be able to inform customers. A simple and easy-to-use guide to the procedures must also be made available to all customers, on request, and when they want to make a complaint.

                    January 2014

                  • BC-4.2.3

                    Licensees are required to ensure that all financial services related documentation (such as credit facility documentation) provided to the customer includes a statement informing the customer of the availability of a simple and easy-to-use guide on customer complaints procedures in the event the customer is not satisfied with the services provided.

                    January 2014

                • BC-4.3 BC-4.3 Principles for Effective Handling of Complaints

                  • BC-4.3.1

                    Adherence to the following principles is required for effective handling of complaints:

                    January 2014

                  • Visibility

                    • BC-4.3.2

                      "How and where to complain" must be well publicised to customers and other interested parties, in both English and Arabic languages.

                      January 2014

                  • Accessibility

                    • BC-4.3.3

                      A complaints handling process must be easily accessible to all customers and must be free of charge.

                      January 2014

                    • BC-4.3.4

                      While a licensee's website is considered an acceptable mean for dealing with customer complaints, it should not be the only means available to customers as not all customers have access to the internet.

                      January 2014

                    • BC-4.3.5

                      Process information must be readily accessible and must include flexibility in the method of making complaints.

                      January 2014

                    • BC-4.3.6

                      Support for customers in interpreting the complaints procedures must be provided, upon request.

                      January 2014

                    • BC-4.3.7

                      Information and assistance must be available on details of making and resolving a complaint.

                      January 2014

                    • BC-4.3.8

                      Supporting information must be easy to understand and use.

                      January 2014

                  • Responsiveness

                    • BC-4.3.9

                      Receipt of complaints must be acknowledged in accordance with Section BC-4.5 "Response to Complaints".

                      January 2014

                    • BC-4.3.10

                      Complaints must be addressed promptly in accordance with their urgency.

                      January 2014

                    • BC-4.3.11

                      Customers must be treated with courtesy.

                      January 2014

                    • BC-4.3.12

                      Customers must be kept informed of the progress of their complaint, in accordance with Section BC-4.5.

                      January 2014

                    • BC-4.3.13

                      If a customer is not satisfied with a licensee's response, the licensee must advise the customer on how to take the complaint further within the organisation.

                      January 2014

                    • BC-4.3.14

                      In the event that they are unable to resolve a complaint, licensees must outline the options that are open to that customer to pursue the matter further, including, where appropriate, referring the matter to the Consumer Protection Unit at the CBB.

                      Amended: April 2020
                      Added: January 2014

                  • Objectivity and Efficiency

                    • BC-4.3.15

                      Complaints must be addressed in an equitable, objective, unbiased and efficient manner.

                      January 2014

                    • BC-4.3.16

                      General principles for objectivity in the complaints handling process include:

                      (a) Openness:

                      The process must be clear and well publicised so that both staff and customers can understand;
                      (b) Impartiality:
                      (i) Measures must be taken to protect the person the complaint is made against from bias;
                      (ii) Emphasis must be placed on resolution of the complaint not blame; and
                      (iii) The investigation must be carried out by a person independent of the person complained about;
                      (c) Accessibility:
                      (i) The bank must allow customer access to the process at any reasonable point in time; and
                      (ii) A joint response must be made when the complaint affects different participants;
                      (d) Completeness:

                      The complaints officer must find relevant facts, talk to both sides, establish common ground and verify explanations wherever possible;
                      (e) Equitability:

                      Give equal treatment to all parties;
                      (f) Sensitivity:

                      Each complaint must be treated on its merits and paying due care to individual circumstances;
                      (g) Objectivity for personnel — complaints handling procedures must ensure those complained about are treated fairly which implies:
                      (i) Informing them immediately and completely on complaints about performance;
                      (ii) Giving them an opportunity to explain and providing appropriate support;
                      (iii) Keeping them informed of the progress and result of the complaint investigation;
                      (iv) Full details of the complaint are given to those the complaint is made against prior to interview; and
                      (v) Personnel must be assured they are supported by the process and should be encouraged to learn from the experience and develop a better understanding of the complaints process;
                      (h) Confidentiality:
                      (i) In addition to customer confidentiality, the process must ensure confidentiality for staff who have a complaint made against them and the details must only be known to those directly concerned;
                      (ii) Customer information must be protected and not disclosed, unless the customer consents otherwise; and
                      (iii) Protect the customer and customer's identity as far as is reasonable to avoid deterring complaints due to fear of inconvenience or discrimination;
                      (i) Objectivity monitoring:

                      Licensees must monitor responses to customers to ensure objectivity which could include random monitoring of resolved complaints;
                      (j) Charges:

                      The process must be free of charge to customers;
                      (k) Customer Focused Approach:
                      (i) Licensees must have a customer focused approach;
                      (ii) Licensees must be open to feedback; and
                      (iii) Licensees must show commitment to resolving problems;
                      (l) Accountability:

                      Licensees must ensure accountability for reporting actions and decisions with respect to complaints handling;
                      (m) Continual improvement:

                      Continual improvement of the complaints handling process and the quality of products and services must be a permanent objective of the licensee.
                      January 2014

                • BC-4.4 BC-4.4 Internal Complaint Handling Procedures

                  • BC-4.4.1

                    A licensee's internal complaint handling procedures must provide for:

                    (a) The receipt of written complaints;
                    (b) The appropriate investigation of complaints;
                    (c) An appropriate decision-making process in relation to the response to a customer complaint;
                    (d) Notification of the decision to the customer;
                    (e) The recording of complaints; and
                    (f) How to deal with complaints when a business continuity plan (BCP) is operative.
                    January 2014

                  • BC-4.4.2

                    A licensee's internal complaint handling procedures must be designed to ensure that:

                    (a) All complaints are handled fairly, effectively and promptly;
                    (b) Recurring systems failures are identified, investigated and remedied;
                    (c) The number of unresolved complaints referred to the CBB is minimised;
                    (d) The employee responsible for the resolution of complaints has the necessary authority to resolve complaints or has ready access to an employee who has the necessary authority; and
                    (e) Relevant employees are aware of the licensee's internal complaint handling procedures and comply with them and receive training periodically to be kept abreast of changes in procedures.
                    January 2014

                • BC-4.5 BC-4.5 Response to Complaints

                  • BC-4.5.1

                    A licensee must acknowledge in writing customer written complaints within 5 working days of receipt.

                    January 2014

                  • BC-4.5.2

                    A licensee must respond in writing to a customer complaint within 4 weeks of receiving the complaint, explaining their position and how they propose to deal with the complaint.

                    January 2014

                  • Redress

                    • BC-4.5.3

                      A licensee should decide and communicate how it proposes (if at all) to provide the customer with redress. Where appropriate, the licensee must explain the options open to the customer and the procedures necessary to obtain the redress.

                      January 2014

                    • BC-4.5.4

                      Where a licensee decides that redress in the form of compensation is appropriate, the licensee must provide the complainant with fair compensation and must comply with any offer of compensation made by it which the complainant accepts.

                      January 2014

                    • BC-4.5.5

                      Where a licensee decides that redress in a form other than compensation is appropriate, it must provide the redress as soon as practicable.

                      January 2014

                    • BC-4.5.6

                      Should the customer that filed a complaint not be satisfied with the response received as per Paragraph BC-4.5.2, he can forward the complaint to the Consumer Protection Unit at the CBB within 30 calendar days from the date of receiving the letter.

                      Amended: April 2020
                      Added: January 2014

                • BC-4.6 BC-4.6 Records of Complaints

                  • BC-4.6.1

                    A licensee must maintain a record of all customers' complaints. The record of each complaint must include:

                    (a) The identity of the complainant;
                    (b) The substance of the complaint;
                    (c) The status of the complaint, including whether resolved or not, and whether redress was provided; and
                    (d) All correspondence in relation to the complaint. Such records must be retained by the licensees for a period of 5 years from the date of receipt of the complaint.
                    January 2014

                • BC-4.7 BC-4.7 Reporting of Complaints

                  • BC-4.7.1

                    A licensee must submit to the CBB’s Consumer Protection Unit, 30 days after the end of the quarter, a quarterly report summarising the following:

                    (a) The number of complaints received;
                    (b) The substance of the complaints;
                    (c) The number of days it took the licensee to acknowledge and to respond to the complaints; and
                    (d) The status of the complaint, including whether resolved or not, and whether redress was provided.
                    Amended: January 2022
                    Amended: April 2020
                    Added: January 2014

                  • BC-4.7.2

                    The report referred to in Paragraph BC-4.7.1 must be sent electronically to complaint@cbb.gov.bh.

                    Amended: April 2020
                    Added: January 2014

                  • BC-4.7.3

                    Where no complaints have been received by the licensee within the quarter, a 'nil' report should be submitted to the CBB's Consumer Protection Unit.

                    Amended: April 2020
                    Added: January 2014

                • BC-4.8 BC-4.8 Monitoring and Enforcement

                  • BC-4.8.1

                    Compliance with these requirements is subject to the ongoing supervision of the CBB as well as being part of any CBB inspection of a licensee. Failure to comply with these requirements is subject to enforcement measures as outlined in Module EN (Enforcement).

                    January 2014

              • BC-5 BC-5 Cheques

                • BC-5.1 BC-5.1 Return Policy - Post-Dated Cheques

                  • BC-5.1.1

                    When a customer fully repays his/her credit outstanding amount in full or settles in part pursuant to a settlement agreement, the subject financing company licensee must immediately return all holding of the customer's post-dated cheques taken as collateral or destroy such cheques and inform the customer in writing.

                    Added: January 2017

            • OM OM Financing Companies Operational Risk Management Module

              • OM-A OM-A Introduction

                • OM-A.1 OM-A.1 Purpose

                  • Executive Summary

                    • OM-A.1.1

                      The Operational Risk Management Module sets out the Central Bank of Bahrain's ('CBB's') rules and guidance for financing company licensees operating in Bahrain on establishing parameters and control procedures to monitor and mitigate operational risks.

                      January 2014

                    • OM-A.1.2

                      This Module provides support for certain other parts of the Rulebook, mainly:

                      (a) Principles of Business; and
                      (b) High-level Controls.
                      January 2014

                  • Legal Basis

                    • OM-A.1.3

                      This Module contains the CBB's Directive (as amended from time to time) relating to operational risk management and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all financing company licensees (including their approved persons).

                      January 2014

                    • OM-A.1.4

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      January 2014

                • OM-A.2 OM-A.2 Module History

                  • OM-A.2.1

                    This Module was first issued in January 2014 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG 3 provides further details on Rulebook maintenance and version control.

                    January 2014

                  • OM-A.2.2

                    The most recent changes made to this Module are detailed in the table below:

                    Summary of Changes

                    Module Ref. Change Date Description of Changes
                    OM-2.9 07/2016 Added new Section dealing with outsourcing of functions containing customer information.
                    OM-4.9 10/2016 Added new Section on Cyber Security Risk Management
                    OM-5.3 10/2016 Added new Section on Cyber Security Measures
                    OM-2.9.2 01/2017 Amended Paragraph on customer information
                    OM-5.1.19 & OM-5.1.19A 01/2017 Added Paragraphs on PCI-DSS certification.
                    OM-5.1.20 04/2017 Added a Paragraph on Geolocation Limitation
                    OM-5.1.20A 07/2017 Added new paragraph on Prohibition of Double Swiping.
                    OM-5.1.20B 07/2017 Added new paragraph on Prohibition of Double Swiping.
                    OM-5.1.20C 07/2017 Added new paragraph on Prohibition of Double Swiping.
                    OM-5.1.20D 07/2017 Added new paragraph on Prohibition of Double Swiping.
                    OM-5.1.20E 07/2017 Added new paragraph on Prohibition of Double Swiping.
                    OM-2.1.2 10/2017 Amended Paragraph on outsourcing, to allow the utilization of cloud services and customer call centres.
                    OM-2.1.4 10/2017 Added a new Paragraph on outsourcing.
                    OM-2.1.5 10/2017 Added a new Paragraph on outsourcing.
                    OM-2.3.1 10/2017 Amended Paragraph.
                    OM-2.3.6 10/2017 Amended Paragraph.
                    OM-2.3.7 10/2017 Amended Paragraph.
                    OM-2.4.2 10/2017 Amended Paragraph.
                    OM-2.4.3 10/2017 Deleted Paragraph.
                    OM-2.4.5 10/2017 Amended Paragraph.
                    OM-2.5.1(a) 10/2017 Amended sub-sub-paragraph no. (5).
                    OM-2.5.1(c) 10/2017 Amended sub-sub-paragraphs no. (2) and (3).
                    OM-2.5.1(e) 10/2017 Amended sub-sub-paragraph no. (3).
                    OM-2.8.3 10/2017 Amended Paragraph.
                    OM-2.9.1 10/2017 Amended Paragraph.
                    OM-2.9.4(b) 10/2017 Amended sub-paragraph.
                    OM-2.9.4(c) 10/2017 Amended sub-paragraph.
                    OM-2.9.4(d) 10/2017 Deleted sub-paragraph.
                    OM-2.9.5 10/2017 Deleted paragraph.
                    OM-2.9.6 10/2017 Added a new paragraph for security measures related to cloud services.
                    OM-5.1.20AA 04/2018 Added a new Paragraph on card (EMV) compliance.
                    OM-5.1.20BB 04/2018 Added a new Paragraph on provision of cash withdrawal and payment services through various channels.
                    OM-2.9.2 07/2018 Amended Paragraph to include call centres.
                    OM-2.9.2A 07/2018 Added new Paragraph on customer notification.
                    OM-5.1.21 & OM-5.1.22 10/2019 Added new Paragraphs on Contactless Payment Transactions.
                    OM-5.1.20AAA 07/2020 Added a new Paragraph on contactless payment.
                    OM-2.9.4 01/2021 Deleted sub-paragraph (a).
                    OM-3.1.7 01/2021 Added a new Paragraph on electronic fraud.
                    OM-3.1.8 01/2021 Added a new Paragraph on electronic fraud awareness.
                    OM-1.5.7(g) 04/2022 Amended Subparagraph on vacation policy.
                    OM-2 07/2022 Replaced Chapter OM-2 with new Outsourcing Requirements.
                    OM-3.2 07/2023 Added a new Section on secured customer authentication requirements.

                  • Superseded Requirements

                    • OM-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                      Document Ref. Document Subject
                      Volumes 1 and 2 Module OM
                      EDBS/KH/C/33/2018 Amendments to the Operational Risk Management Module
                      Amended: July 2018
                      January 2014

              • OM-B OM-B Scope of Application

                • OM-B.1 OM-B.1 Scope

                  • OM-B.1.1

                    This Module applies to all financing company licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

                    January 2014

              • OM-1 OM-1 General Requirements

                • OM-1.1 OM-1.1 Overview

                  • OM-1.1.1

                    This Module provides guidance and rules for operational risk and sets out requirements for an appropriate risk management environment, including outsourcing, electronic financing activities, business continuity and security measures.

                    January 2014

                  • OM-1.1.2

                    Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk1, but excludes strategic and reputational risk.


                    1 Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.

                    January 2014

                  • OM-1.1.3

                    Operational risk is inherent in all types of licensees' transactions and activities, processes and systems, and the effective management of operational risk must be a fundamental element of a licensee's risk management programme. Sound operational risk governance relies upon three lines of defence:

                    (a) Business line management;
                    (b) An independent operational risk management function; and
                    (c) Independent review functions
                    January 2014

                • OM-1.2 OM-1.2 Developing an Appropriate Risk Management Environment

                  • OM-1.2.1

                    Licensee's management must implement policies and procedures to manage risks arising out of a licensee's activities. The licensee must maintain written policies and procedures that identify the risk tolerances approved by the Board of Directors and must clearly delineate lines of authority and responsibility for managing the risks. Licensees' employees and credit officers in particular must be fully aware of all policies and procedures that relate to their specific duties.

                    January 2014

                  • OM-1.2.2

                    The board of directors must take the lead in establishing a strong risk management culture. The board of directors and senior management must establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. In this regard, it is the responsibility of the board of directors to ensure that a strong operational risk management culture exists throughout the whole organisation.

                    January 2014

                  • OM-1.2.3

                    The operational risk management function must be functionally independent of the risk generating business lines and will be responsible for the design, maintenance and ongoing development of the operational risk framework within the licensee.

                    January 2014

                  • OM-1.2.4

                    For the purpose of Paragraph OM-1.2.3, 'functionally independent' means that the risk management function cannot report hierarchically and/or functionally to any person or function that is directly responsible for risk generation.

                    January 2014

                  • OM-1.2.5

                    The operational risk management function should include the operational risk measurement and reporting processes, risk committees and responsibility for board reporting. A key function of the operational risk management function is to challenge the business lines' inputs to, and outputs from, the licensee's risk management, risk measurement and reporting systems. The operational risk management function should have a sufficient number of personnel skilled in the management of operational risk to effectively address its many responsibilities.

                    January 2014

                  • OM-1.2.6

                    Both the board and senior management are responsible for creating an organisational culture that places high priority on effective operational risk management and adherence to sound operating controls. Operational risk management is most effective where a licensee's culture emphasises high standards of ethical behaviour at all levels of the licensee. The board and senior management should promote an organisational culture which establishes through both actions and words the expectations of integrity for all employees in conducting the business of the licensee.

                    January 2014

                  • The Board of Directors

                    • OM-1.2.7

                      The board of directors must establish, approve and periodically review the framework. The board of directors must oversee senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.

                      January 2014

                    • OM-1.2.8

                      The board of directors must:

                      (a) Establish a management culture, and supporting processes, to understand the nature and scope of the operational risk inherent in the licensee's strategies and activities, and develop comprehensive, dynamic oversight and control environments that are fully integrated into or coordinated with the overall framework for managing all risks across the enterprise;
                      (b) Provide senior management with clear guidance and direction regarding the principles underlying the framework and approve the corresponding policies developed by senior management;
                      (c) Regularly review the framework to ensure that the licensee has identified and is managing the operational risk arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities, processes or systems, including changes in risk profiles and priorities (e.g. changing business volumes);
                      (d) Ensure that the licensee's framework is subject to effective independent review by audit or other appropriately trained parties such as the compliance function; and
                      (e) Ensure that as best practice evolves, management is availing themselves of these advances.
                      January 2014

                    • OM-1.2.9

                      Strong internal controls are a critical aspect of operational risk management, and the board of directors must establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment must provide appropriate independence/separation of duties between operational risk management functions, business lines and support functions

                      January 2014

                  • The Role of Committees

                    • OM-1.2.10

                      A licensee's governance structure should be commensurate with the nature, size, complexity and risk profile of its activities. When designing the operational risk governance structure, a licensee must take the following into consideration:

                      (a) Committee structure;
                      (b) Committee composition; and
                      (c) Committee operation.
                      January 2014

                    • OM-1.2.11

                      Sound industry practice for larger and more complex organisations with a central group function and separate business units is to utilise a board-created enterprise level risk committee for overseeing all risks, to which a management level operational risk committee reports. Depending on the nature, size and complexity of the licensee, the enterprise level risk committee may receive input from operational risk committees by country, business or functional area. Smaller and less complex organisations may utilise a flatter organisational structure that oversees operational risk directly within the board's risk management committee.

                      January 2014

                    • OM-1.2.12

                      Sound industry practice is for operational risk committees (or the risk committee in smaller licensees) to include a combination of members with expertise in business activities and financial, as well as independent risk management

                      January 2014

                  • Risk Appetite and Tolerance

                    • OM-1.2.13

                      The board of directors must approve and review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of operational risk that the licensee is willing to assume.

                      January 2014

                    • OM-1.2.14

                      When approving and reviewing the risk appetite and tolerance statement, the board of directors must consider all relevant risks, the licensee's level of risk aversion, its current financial condition and the licensee's strategic direction. The board of directors must approve appropriate thresholds or limits for specific operational risks, and an overall operational risk appetite and tolerance.

                      January 2014

                    • OM-1.2.15

                      The risk appetite and tolerance statement should encapsulate the various operational risk appetites within a licensee and ensure that they are consistent.

                      January 2014

                    • OM-1.2.16

                      The board of directors must regularly review the appropriateness of limits and the overall operational risk appetite and tolerance statement. This review must consider changes in the external environment, material increases in business or activity volumes, the quality of the control environment, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume or nature of limit breaches. The board must monitor management adherence to the risk appetite and tolerance statement and provide for timely detection and remediation of breaches.

                      January 2014

                    • OM-1.2.17

                      The licensee must ensure that the internal pricing and performance measurement mechanisms appropriately take into account operational risk. Where operational risk is not considered, risk-taking incentives might not be appropriately aligned with the risk appetite and tolerance.

                      January 2014

                  • Ethics Policy

                    • OM-1.2.18

                      The board of directors must establish a code of conduct or an ethics policy that sets clear expectations for integrity and ethical values of the highest standard and identify acceptable business practices and prohibited conflicts (See Section HC-2.2).

                      January 2014

                    • OM-1.2.19

                      Clear expectations and accountabilities ensure that staff understand their roles and responsibilities for risk, as well as their authority to act. Strong and consistent senior management support for risk management and ethical behaviour convincingly reinforces codes of conduct and ethics, compensation strategies, and training programmes.

                      January 2014

                  • Compensation Policies

                    • OM-1.2.20

                      Compensation policies must be aligned to the licensee's statement of risk appetite and tolerance, long-term strategic direction, financial goals and overall safety and soundness. They must also appropriately balance risk and reward.

                      January 2014

                  • Operational Risk Training

                    • OM-1.2.21

                      Senior management should ensure that an appropriate level of operational risk training is available at all levels throughout the organisation. Training that is provided should reflect the seniority, role and responsibilities of the individuals for whom it is intended.

                      January 2014

                  • Risk Management Framework

                    • OM-1.2.22

                      Licensees must develop, implement and maintain a framework that is fully integrated into the licensee's overall risk management processes.

                      January 2014

                    • OM-1.2.23

                      The framework for operational risk management chosen by an individual licensee will depend on a range of factors, including its nature, size, complexity and risk profile.

                      January 2014

                    • OM-1.2.24

                      The board is responsible for establishing a management structure capable of implementing the licensee's operational risk management framework. Since a significant aspect of managing operational risk relates to the establishment of strong internal controls, it is particularly important that the board establishes clear lines of management responsibility, accountability and reporting. In addition, there should be separation of responsibilities and reporting lines between operational risk control functions, business lines and support functions in order to avoid conflicts of interest. The framework should also articulate the key processes the licensee needs to have in place to manage operational risk.

                      January 2014

                    • OM-1.2.25

                      The framework must be comprehensively and appropriately documented in board of directors approved policies and must include definitions of operational risk and operational loss.

                      January 2014

                    • OM-1.2.26

                      Licensees that do not adequately describe and classify operational risk and loss exposure may significantly reduce the effectiveness of their framework.

                      January 2014

                    • OM-1.2.27

                      Framework documentation must clearly:

                      (a) Identify the governance structures used to manage operational risk, including reporting lines and accountabilities;
                      (b) Describe the risk assessment tools and how they are used;
                      (c) Describe the licensee's accepted operational risk appetite and tolerance, as well as thresholds or limits for inherent and residual risk, and approved risk mitigation strategies and instruments;
                      (d) Describe the licensee's approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure;
                      (e) Establish risk reporting and Management Information Systems (MIS);
                      (f) Provide for a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives;
                      (g) Provide for appropriate independent review and assessment of operational risk; and
                      (h) Require the policies to be reviewed whenever a material change in the operational risk profile of the licensee occurs, and revised as appropriate.
                      January 2014

                    • OM-1.2.28

                      The board should review the framework regularly to ensure that the licensee is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems. This review process should also aim to assess industry best practice in operational risk management appropriate for the licensee's activities, systems and processes. If necessary, the board should ensure that the operational risk management framework is revised in light of this analysis, so that material operational risks are captured within the framework.

                      January 2014

                  • Independent Review of Operational Risk

                    • OM-1.2.29

                      The board of directors must ensure that the licensee's operational risk management framework is subject to effective and comprehensive independent review.

                      January 2014

                    • OM-1.2.30

                      The independent review functions are the internal audit and compliance functions and the staff occupying these functions must be competent and appropriately trained and not be involved in the development, implementation and operation of the operational risk framework.

                      January 2014

                    • OM-1.2.31

                      With reference to Paragraph OM-1.2.30, internal audit and compliance should not be involved with the setting of risk appetite or risk tolerance. Internal audit should be reviewing the robustness of the process of how these limits are set and why and how they are adjusted in response to changing circumstances. More details on the internal audit function and the role of the audit committee are included in Chapter HC-3.

                      January 2014

                    • OM-1.2.32

                      An independent review consists of the verification of the framework on a periodic basis and is typically performed by the licensee's internal and/or external audit, but may involve other suitably qualified independent parties from external sources. Verification activities test the effectiveness of the overall framework, consistent with policies approved by the board of directors, and also test validation processes to ensure that they are independent and implemented in a manner consistent with established policies of the licensee.

                      January 2014

                    • OM-1.2.33

                      Licensees should have in place adequate internal audit coverage to verify that operating policies and procedures have been implemented effectively. The board (either directly or indirectly through its audit committee) should ensure that the scope and frequency of the audit programme is appropriate to the risk exposures. Audit should periodically validate that the licensee's operational risk management framework is being implemented effectively across the licensee.

                      January 2014

                  • Senior Management

                    • OM-1.2.34

                      The responsibilities of the senior management of the licensee must include:

                      (a) Developing for approval by the board of directors a clear, effective and robust governance structure with well defined, transparent and consistent lines of responsibility;
                      (b) Implementing the operational risk strategy approved by the Board of Directors;
                      (c) Ensuring that the strategy is implemented consistently throughout the whole organisation;
                      (d) Ensuring that all levels of staff understand their responsibilities with respect to operational risk management;
                      (e) Developing, maintaining and implementing policies, processes and procedures for managing operational risk in all of the licensee's products, activities, processes and systems consistent with the risk appetite and tolerance;
                      (f) Developing succession plans for senior staff; and
                      (g) Developing business continuity plans for the licensee.
                      January 2014

                    • OM-1.2.35

                      Senior management is responsible for establishing and maintaining robust challenge mechanisms and effective issue-resolution processes. These must include systems to report, track and, when necessary, escalate issues to ensure resolution. Licensees must be able to demonstrate that the three lines of defence approach is operating satisfactorily and to explain how the board and senior management ensure that this approach is implemented and operating in an appropriate and acceptable manner.

                      January 2014

                    • OM-1.2.36

                      Senior management must translate the operational risk strategy established by the board of directors into an operational risk management framework that refers to specific policies, processes and procedures that can be implemented and verified within the different business units.

                      January 2014

                    • OM-1.2.37

                      While each level of management is responsible for the appropriateness and effectiveness of policies, processes, procedures and controls within its purview, senior management should clearly assign authority, responsibility and reporting relationships to encourage and maintain this accountability.

                      January 2014

                    • OM-1.2.38

                      Senior management must ensure that the necessary resources are available to manage operational risk effectively. Moreover, senior management must assess the appropriateness of the management oversight process in light of the risks inherent in a business unit's activity.

                      January 2014

                    • OM-1.2.39

                      Senior management should ensure that the licensee's activities are conducted by qualified staff with the necessary experience, technical capabilities and access to resources. Staff responsible for monitoring and enforcing compliance with the institution's risk policy should have authority independent from the units they oversee.

                      January 2014

                    • OM-1.2.40

                      Senior management must ensure that staff responsible for managing operational risk coordinate and communicate effectively with staff responsible for managing credit, market, and other risks, as well as with those in the licensee who are responsible for the procurement of external services such as insurance purchasing and outsourcing agreements. Failure to do so could result in significant gaps or overlaps in a licensee's overall risk management programme.

                      January 2014

                    • OM-1.2.41

                      The managers of the corporate operational risk management function should be of sufficient stature within the licensee to perform their duties effectively, ideally evidenced by title commensurate with other risk management functions such as credit, market and liquidity risk.

                      January 2014

                    • OM-1.2.42

                      Particular attention should be given to the quality of documentation controls and to transaction-handling practices. Policies, processes and procedures related to advanced technologies supporting high transactions volumes, in particular, should be well documented and disseminated to all relevant personnel.

                      January 2014

                  • Management Information System

                    • OM-1.2.43

                      The management information system of an organisation plays a key role in establishing and maintaining an effective operational risk management framework.

                      January 2014

                    • OM-1.2.44

                      Communication flow serves the purpose of establishing a consistent operational risk management culture across the licensee. Reporting flow enables:

                      (a) Senior management to monitor the effectiveness of the risk management system for operational risk; and
                      (b) The Board of Directors to oversee senior management performance.
                      January 2014

                • OM-1.3 OM-1.3 Identification and Assessment

                  • OM-1.3.1

                    Licensees must identify and assess the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood. Licensees must also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures.

                    January 2014

                  • OM-1.3.2

                    Risk identification and assessment are fundamental characteristics of an effective operational risk management system. Effective risk identification considers both internal factors (such as the licensee's structure, the nature of the licensee's activities, the quality of the licensee's human resources, organisational changes and employee turnover) and external factors (such as changes in the broader environment and the industry and technological advances) that could adversely affect the achievement of the licensee's objectives.

                    January 2014

                  • OM-1.3.3

                    In addition to identifying the most potentially adverse risks, licensees should assess their vulnerability to these risks. Sound risk assessment allows the licensee to better understand its risk profile and most effectively target risk management resources.

                    January 2014

                  • OM-1.3.4

                    Amongst the possible tools used by licensees for identifying and assessing operational risk are:

                    (a) Self- or Risk Assessment: a licensee assesses its operations and activities against a menu of potential operational risk vulnerabilities. This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment. Scorecards, for example, provide a means of translating qualitative assessments into quantitative metrics that give a relative ranking of different types of operational risk exposures. Some scores may relate to risks unique to a specific business line while others may rank risks that cut across business lines. Scores may address inherent risks, as well as the controls to mitigate them;
                    (b) Risk Mapping: in this process, various business units, organisational functions or process flows are mapped by risk type. This exercise can reveal areas of weakness and help prioritise subsequent management action;
                    (c) Risk Indicators: risk indicators are statistics and/or metrics, often financial, which can provide insight into a licensee's risk position. These indicators tend to be reviewed on a periodic basis (such as monthly or quarterly) to alert licensees to changes that may be indicative of risk concerns. Such indicators may include the number of failed trades, staff turnover rates and the frequency and/or severity of errors and omissions; and
                    (d) Measurement: some licensees have begun to quantify their exposure to operational risk using a variety of approaches. For example, data on a licensee's historical loss experience could provide meaningful information for assessing the licensee's exposure to operational risk and developing a policy to mitigate/control the risk. An effective way of making good use of this information is to establish a framework for systematically tracking and recording the frequency, severity and other relevant information on individual loss events. Some licensees have also combined internal loss data with external loss data, scenario analyses, and risk assessment factors.
                    January 2014

                  • Approval Process

                    • OM-1.3.5

                      Senior management must ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.

                      January 2014

                    • OM-1.3.6

                      In general, a licensee's operational risk exposure is increased when a licensee engages in new activities or develops new products; enters unfamiliar markets; implements new business processes or technology systems; and/or engages in businesses that are geographically distant from the head office. Moreover, the level of risk may escalate when new products activities, processes, or systems transition from an introductory level to a level that represents material sources of revenue or business-critical operations. A licensee should ensure that its risk management control infrastructure is appropriate at inception and that it keeps pace with the rate of growth of, or changes to, products activities, processes and systems.

                      January 2014

                    • OM-1.3.7

                      A licensee must have policies and procedures that address the process for review and approval of new products, activities, processes and systems.

                      January 2014

                    • OM-1.3.8

                      The review and approval process referred to in Paragraph OM-1.3.7 should consider:

                      (a) Inherent risks in the new product, service, or activity;
                      (b) Changes to the licensee's operational risk profile and appetite and tolerance, including the risk of existing products or activities;
                      (c) The necessary controls, risk management processes, and risk mitigation strategies;
                      (d) The residual risk;
                      (e) Changes to relevant risk thresholds or limits; and
                      (f) The procedures and metrics to measure, monitor, and manage the risk of the new product or activity.
                      January 2014

                    • OM-1.3.9

                      The approval process should also ensure that appropriate investment has been made for human resources and technology infrastructure before new products are introduced. The implementation of new products, activities, processes and systems should be monitored in order to identify any material differences to the expected operational risk profile, and to manage any unexpected risks.

                      January 2014

                • OM-1.4 OM-1.4 Monitoring

                  • OM-1.4.1

                    Licensees must implement a process to regularly monitor operational risk profiles and material exposures to losses. There must be regular reporting of pertinent information at the board, senior management and business levels that supports the proactive management of operational risk.

                    January 2014

                  • OM-1.4.2

                    Licensees are encouraged to continuously improve the quality of operational risk reporting. A licensee should ensure that its reports are comprehensive, accurate, consistent and actionable across business lines and products. Reports should be manageable in scope and volume; effective decision-making is impeded by both excessive amounts and paucity of data.

                    January 2014

                  • OM-1.4.3

                    Reporting should be timely and a licensee should be able to produce reports in both normal and stressed market conditions. The frequency of monitoring should reflect the risks involved and the frequency and nature of changes in the operating environment. Monitoring should be an integrated part of a licensee's activities. The results of these monitoring activities should be included in regular management and board reports, as should compliance reviews performed by the internal audit and/or risk management functions. Reports generated by (and/or for) supervisory authorities may also inform this monitoring and should likewise be reported internally to senior management and the board, where appropriate.

                    January 2014

                  • OM-1.4.4

                    Operational risk reports may contain internal financial, operational, and compliance indicators, as well as external market or environmental information about events and conditions that are relevant to decision making. Operational risk reports should include:

                    (a) Breaches of the licensee's risk appetite and tolerance statement, as well as thresholds or limits;
                    (b) Details of recent significant internal operational risk events and losses; and
                    (c) Relevant external events and any potential impact on the licensee.
                    January 2014

                  • OM-1.4.5

                    Data capture and risk reporting processes should be analysed periodically with a view to continuously enhancing risk management performance as well as advancing risk management policies, procedures and practices.

                    January 2014

                • OM-1.5 OM-1.5 Control and Mitigation

                  • OM-1.5.1

                    Licensees must have a strong control environment that utilises:

                    (a) Policies, processes and systems;
                    (b) Appropriate internal controls; and
                    (c) Appropriate risk mitigation and/or transfer strategies.
                    January 2014

                  • OM-1.5.2

                    Internal controls must be designed to provide assurance that a licensee will:

                    (a) Have efficient and effective operations;
                    (b) Safeguard its assets;
                    (c) Produce reliable financial reports; and
                    (d) Comply with applicable laws and regulations.
                    January 2014

                  • OM-1.5.3

                    Control activities are designed to address the operational risks that a licensee has identified. For all material operational risks that have been identified, the licensee should decide whether to use appropriate procedures to control and/or mitigate the risks, or bear the risks. For those risks that cannot be controlled, the licensee should decide whether to accept these risks, reduce the level of business activity involved, or withdraw from this activity completely.

                    January 2014

                  • OM-1.5.4

                    Control processes and procedures should be established and licensees should have a system in place for ensuring compliance with a documented set of internal policies concerning the risk management system. Principal elements of this could include, for example:

                    (a) Top-level reviews of the licensee's progress towards the stated objectives;
                    (b) Verifying compliance with management controls;
                    (c) Policies, processes and procedures concerning the review, treatment and resolution of non-compliance issues;
                    (d) Evaluation of required approvals and authorisations to ensure accountability to an appropriate level of management; and
                    (e) Tracking reports for approved exceptions to thresholds or limits, management overrides and other deviations from policy.
                    January 2014

                  • OM-1.5.5

                    Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture that promotes sound risk management practices. Both the board of directors and senior management are responsible for establishing a strong internal control culture in which control activities are an integral part of the regular activities of a licensee. Controls that are an integral part of the regular activities enable quick responses to changing conditions and avoid unnecessary costs.

                    January 2014

                  • OM-1.5.6

                    An effective internal control system also requires that there be appropriate segregation of duties and that personnel are not assigned responsibilities which may create a conflict of interest. Assigning such conflicting duties to individuals, or a team, may enable them to conceal losses, errors or inappropriate actions. Therefore, areas of potential conflicts of interest should be identified, minimised, and subject to careful independent monitoring and review.

                    January 2014

                  • OM-1.5.7

                    In addition to segregation of duties, licensees should ensure that other internal practices are in place as appropriate to control operational risk. Examples of these include:

                    (a) Clearly established authorities and/or processes for approval;
                    (b) Close monitoring of adherence to assigned risk limits or thresholds;
                    (c) Maintaining safeguards for access to, and use of, licensee assets and records;
                    (d) Appropriate staffing level and training to maintain expertise;
                    (e) Ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations;
                    (f) Regular verification and reconciliation of transactions and accounts; and
                    (g) A vacation policy in line with Bahrain Labour Law.
                    Amended: April 2022
                    January 2014

                  • OM-1.5.8

                    Some significant operational risks have low probabilities but potentially very large financial impact. Moreover, not all risk events can be controlled (e.g., natural disasters). Risk mitigation tools or programmes can be used to reduce the exposure to, or frequency and/or severity of, such events. For example, insurance policies, particularly those with prompt and certain pay-out features, can be used to externalise the risk of "low frequency, high severity" losses which may occur as a result of events such as third-party claims resulting from errors and omissions, physical loss of securities, employee or third-party fraud, and natural disasters.

                    January 2014

                  • OM-1.5.9

                    Licensees should view risk mitigation tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly recognise and rectify legitimate operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, or transfer the risk to another business sector or area, or even create a new risk (e.g. legal or counterparty risk).

                    January 2014

                  • OM-1.5.10

                    Investments in appropriate processing technology and information technology security are also important for risk mitigation. However, licensees should be aware that increased automation could transform high-frequency, low-severity losses into low frequency, high-severity losses. The latter may be associated with loss or extended disruption of services caused by internal factors or by factors beyond the licensee's immediate control (e.g., external events). Such problems may cause serious difficulties for licensees and could jeopardise an institution's ability to conduct key business activities.

                    January 2014

                  • OM-1.5.11

                    In some instances, licensees may decide to either retain a certain level of operational risk or self-insure against that risk. Where this is the case and the risk is material, the decision to retain or self-insure the risk should be transparent within the organisation and should be consistent with the licensee's overall business strategy and appetite for risk.

                    January 2014

                  • OM-1.5.12

                    Licensees should assess the costs and benefits of alternative risk limitation and control strategies and should adjust their operational risk exposure using appropriate strategies, in light of their overall risk profile.

                    January 2014

                • OM-1.6 OM-1.6 Succession Planning

                  • OM-1.6.1

                    Succession planning is an essential precautionary measure for a licensee if its leadership stability – and hence ultimately its financial stability – is to be protected. Succession planning is especially critical for smaller institutions, where management teams tend to be smaller and possibly reliant on a few key individuals.

                    January 2014

                  • OM-1.6.2

                    The CBB requires licensees to document succession plans for their senior management team and have these ready at any time for onsite inspection by CBB staff. Licensees must summarise who is covered by their succession plan and confirm that the plan has been reviewed and endorsed at Board level.

                    January 2014

                • OM-1.7 OM-1.7 Disclosure

                  • OM-1.7.1

                    A licensee's public disclosures must allow stakeholders to assess its approach to operational risk management.

                    January 2014

                  • OM-1.7.2

                    A licensee's public disclosure of relevant operational risk management information can lead to transparency and the development of better industry practice through market discipline. The amount and type of disclosure should be commensurate with the size, risk profile and complexity of a licensee's operations, and evolving industry practice. See Section PD-1.3 on disclosure requirements.

                    January 2014

                  • OM-1.7.3

                    A licensee should disclose its operational risk management framework in a manner that will allow stakeholders to determine whether the licensee identifies, assesses, monitors and controls/mitigates operational risk effectively.

                    January 2014

                  • OM-1.7.4

                    A licensee's disclosures should be consistent with how senior management and the board of directors assess and manage the operational risk of the licensee.

                    January 2014

                  • OM-1.7.5

                    A licensee must have a formal disclosure policy approved by the board of directors that addresses the licensee's approach for determining what operational risk disclosures it will make and the internal controls over the disclosure process. In addition, licensees must implement a process for assessing the appropriateness of their disclosures, including the verification and frequency of them.

                    January 2014

              • OM-2 OM-2 Outsourcing Requirements

                • OM-2.1 OM-2.1 Outsourcing Arrangements

                  • OM-2.1.1

                    This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

                    Amended: July 2022
                    January 2014

                  • OM-2.1.2

                    In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

                    Amended: July 2022
                    Amended: October 2017
                    January 2014

                  • OM-2.1.3

                    In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

                    i. The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; and
                    ii. The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.
                    Amended: July 2022
                    January 2014

                  • OM-2.1.4

                    The licensee must not outsource the following functions:

                    (i) Compliance;
                    (ii) AML/CFT;
                    (iii) Financial control;
                    (iv) Risk management; and
                    (v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).
                    Amended: July 2022
                    Added: October 2017

                  • OM-2.1.5

                    For the purposes of Paragraph OM-2.1.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph OM-2.1.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.

                    Amended: July 2022
                    Added: October 2017

                  • OM-2.1.6

                    Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph OM-2.1.4 (iv), subject to CBB’s prior approval.

                    Added: July 2022

                  • OM-2.1.7

                    Licensees must comply with the following requirements:

                    (i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:
                    a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and
                    b. be made at least 30 calendar days before the licensee intends to commit to the arrangement.
                    (ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.
                    (iii) Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.
                    (iv) Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of the licensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.
                    (v) Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement.
                    (vi) Licensee must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.
                    (vii) Licensee must inform its normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.
                    Added: July 2022

                  • OM-2.1.8

                    For the purpose of Subparagraph OM-2.1.7 (iv), licensees as part of their assessments may use the following:

                    a) Independent third-party certifications on the outsourcing service provider’s security and other controls;
                    b) Third-party or internal audit reports of the outsourcing service provider; and
                    c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.

                    When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.

                    Added: July 2022

                  • OM-2.1.9

                    For the purpose of Subparagraph OM-2.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.

                    Added: July 2022

                • OM-2.2 [This Section was deleted in July 2022]

                • OM-2.3 [This Section was deleted in July 2022]

                • OM-2.4 [This Section was deleted in July 2022]

                • OM-2.5 [This Section was deleted in July 2022]

                • OM-2.6 [This Section was deleted in July 2022]

                • OM-2.7 [This Section was deleted in July 2022]

                • OM-2.8 [This Section was deleted in July 2022]

                • OM-2.9 [This Section was deleted in July 2022]

              • OM-3 OM-3 Electronic Financing Activities

                • OM-3.1 OM-3.1 Electronic Financial Services

                  • OM-3.1.1

                    As the Board of Directors and senior management should take an explicit, informed and documented strategic decision as to whether and how the licensee is to provide electronic financial services. The initial decision should include the specific accountabilities, policies and controls to address risks, including those arising in a cross-border context.

                    January 2014

                  • OM-3.1.2

                    Effective management oversight should include the review and approval of the key aspects of the licensee's security control process, such as the development and maintenance of a security control infrastructure that properly safeguards the electronic financial systems and data from both internal and external threats. The review should also include a comprehensive process for managing risks associated with increased complexity of and increasing reliance on outsourcing relationships and third-party dependencies to perform electronic financing functions.

                    January 2014

                  • OM-3.1.3

                    Senior management should ensure that appropriate security control processes are in place for electronic financing. Such processes should include establishing appropriate authorisation privileges and authentication measures, logical and physical access controls, adequate infrastructure security to maintain appropriate boundaries and restrictions on both internal and external user activities and data integrity of transactions, records and information.

                    January 2014

                  • OM-3.1.4

                    The existence of clear audit trails for all electronic financing transactions should be ensured and measures to preserve confidentiality of key electronic financing information should be appropriate with the sensitivity of such information.

                    January 2014

                  • OM-3.1.5

                    To protect licensees against business, legal and reputation risk, electronic financial services should be delivered on a consistent and timely basis in accordance with high customer expectations for constant and rapid availability and potentially high transaction demand. Licensees should have the ability to deliver electronic financing services to all end-users and be able to maintain such availability in all circumstances.

                    January 2014

                  • OM-3.1.6

                    Licensees should develop appropriate incident response plans, including communication strategies that ensure business continuity, control reputation risk and limit liability associated with disruptions in their electronic financing services.

                    January 2014

                  • OM-3.1.7

                    Licensees must implement enhanced fraud monitoring of movements in customers’ accounts to guard against electronic frauds using various tools and measures, such as limits in value, volume and velocity.

                    Added: January 2021

                  • OM-3.1.8

                    Licensees must have in place customer awareness communications, pre and post onboarding process, using video calls, short videos or pop-up messages, to alert and warn natural persons using online channels or applications about the risk of electronic frauds, and emphasise the need to secure their personal credentials and not share them with anyone, online or offline.

                    Added: January 2021

                • OM-3.2 Secure Authentication

                  • OM-3.2.1

                    Licensees must take appropriate measures to authenticate the identity and authorisation of customers when the customer accesses the online or digital platform or when a transaction is initiated on the platform. Licensees must, at a minimum, establish adequate security features for customer authentication including the use of at least two different elements out of the following three elements:

                    (a) Knowledge (something only the user knows), such as PIN or password;
                    (b) Possession (something only the user possesses) such as mobile phone, smart watch, smart card or a token; and
                    (c) Inherence (something the user is), such as fingerprint, facial recognition, voice patterns, DNA signature and iris format.
                    Added: July 2023

                  • OM-3.2.2

                    For the purpose of Paragraph OM-3.2.1, licensees must ensure that the authentication elements are independent from each other, in that the breach of one does not compromise the reliability of the others and are sufficiently complex to prevent forgery.

                    Added: July 2023

                  • OM-3.2.3

                    For the purposes of Subparagraph OM-3.2.1 (b), where a customer’s mobile device is registered/marked as ‘trusted’ using knowledge, biometric or other authentication methods through the licensee’s application, the use of such mobile device would be considered as meeting the ‘possession’ element for authentication of future access or transactions using that device.

                    Added: July 2023

              • OM-4 OM-4 Business Continuity Planning

                • OM-4.1 OM-4.1 General Requirements

                  • OM-4.1.1

                    To ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption, all licensees must maintain contingency and business continuity plan (BCP) to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption. A BCP must address the following key areas:

                    (a) Data back up and recovery (hard copy and electronic);
                    (b) Continuation of all critical systems, activities, and counterparty impact;
                    (c) Financial and operational assessments;
                    (d) Alternate communication arrangements between the licensee and its customers and its employees;
                    (e) Alternate physical location of employees; and
                    (f) Communications with and reporting to the CBB and any other relevant regulators.
                    January 2014

                  • OM-4.1.2

                    For reasons that may be beyond a licensee's control, a severe event may result in the inability of the licensee to fulfil some or all of its business obligations, particularly where the licensee's physical, telecommunication, or information technology infrastructures have been damaged or made inaccessible. This can, in turn, result in significant financial losses to the licensee. This potential event requires that licensees establish disaster recovery and business continuity plans that take into account different types of plausible scenarios to which the licensee may be vulnerable, commensurate with the size and complexity of the licensee's operations.

                    January 2014

                  • OM-4.1.3

                    Licensees should identify critical business processes, including those where there is dependence on external vendors or other third parties, for which rapid resumption of service would be most essential. For these processes, licensees should identify alternative mechanisms for resuming service in the event of an outage. Particular attention should be paid to the ability to restore electronic or physical records that are necessary for business resumption. Where such records are backed-up at an off-site facility, or where a licensee's operations must be relocated to a new site, care should be taken that these sites are at an adequate distance from the impacted operations to minimise the risk that both primary and back-up records and facilities will be unavailable simultaneously.

                    January 2014

                  • OM-4.1.4

                    Licensees should periodically review their disaster recovery and business continuity plans so that they are consistent with the licensee's current operations and business strategies. Moreover, these plans should be tested periodically to ensure that the licensee would be able to execute the plans in the unlikely event of a severe business disruption.

                    January 2014

                  • OM-4.1.5

                    Effective BCPs must be comprehensive, limited not just to disruption of business premises and information technology facilities, but covering all other critical areas, which affect the continuity of critical business operations or services (e.g. liquidity, human resources and others).

                    January 2014

                  • OM-4.1.6

                    Licensees must notify the CBB promptly if their BCP is activated. They must also provide regular progress reports – as agreed with the CBB – until the BCP is deactivated.

                    January 2014

                • OM-4.2 OM-4.2 Board and Senior Management Responsibilities

                  • Establishment of Policy, Processes & Responsibilities

                    • OM-4.2.1

                      A licensee's Board of Directors and senior management are collectively responsible for a licensee's business continuity. The Board must endorse the policies, standards and processes for a licensee's BCP, as established by its senior management. The Board and senior management must delegate adequate resources to develop the BCP, and for its maintenance and periodic testing.

                      January 2014

                    • OM-4.2.2

                      Licensees must establish a Crisis Management Team (CMT) to develop, maintain and test their BCP, as well as to respond to and manage the various stages of a crisis. The CMT must comprise members of senior management and heads of major support functions (e.g. building facilities, IT, corporate communications and human resources).

                      January 2014

                    • OM-4.2.3

                      Licensees must establish (and document as part of the BCP) individuals' responsibilities in helping prepare for and manage a crisis; and the process by which a disaster is declared and the BCP initiated (and later terminated).

                      January 2014

                  • Monitoring and Reporting

                    • OM-4.2.4

                      The CMT must submit regular reports to the Board and senior management on the results of the testing of the BCP (refer to section OM-4.8). Major changes must be developed by the CMT, reported to senior management, and endorsed by the Board.

                      January 2014

                    • OM-4.2.5

                      The Chief Executive of a licensee must sign a formal annual statement submitted to the Board on whether the recovery strategies adopted are still valid and whether the documented BCP is properly tested and maintained. The annual statement must be included in the BCP documentation and will be reviewed as part of the CBB's on-site examinations.

                      January 2014

                • OM-4.3 OM-4.3 Developing a Business Continuity Plan

                  • Impact Analysis

                    • OM-4.3.1

                      Licensees' BCPs must be based on:

                      (a) A business impact analysis;
                      (b) An operational impact analysis; and
                      (c) A financial impact analysis.

                      These analyses must be comprehensive, including all business functions and departments, not just IT or data processing.

                      January 2014

                    • OM-4.3.2

                      The key objective of a business impact analysis is to identify the different kinds of risk to business continuity and to quantify the operational and financial impact of disruptions on a licensee's ability to conduct its critical business processes.

                      January 2014

                    • OM-4.3.3

                      A typical business impact analysis is normally comprised of two stages. The first is to identify and prioritise the critical business processes that must be continued in the event of a disaster. The first stage should take account of the impact on customers and reputation, the legal implications and the financial cost associated with downtime. The second stage is a time-frame assessment. This aims to determine how quickly the licensee needs to resume critical business processes identified in stage one.

                      January 2014

                    • OM-4.3.4

                      Operational impact analysis focuses on the licensee's ability to maintain communications with customers and to retrieve key activity records. It identifies the organisational implications associated with the loss of access, loss of utility, or loss of a facility. It highlights which functions may be interrupted by an outage, and the consequences to the public and customer of such interruptions.

                      January 2014

                    • OM-4.3.5

                      A financial impact analysis identifies the financial losses that (both immediate and also consequent to the event) arise out of an operational disruption.

                      January 2014

                  • Risk Assessment

                    • OM-4.3.6

                      In developing a BCP, licensees must consider realistic threat scenarios that may (potentially) cause disruptions to their business processes.

                      January 2014

                    • OM-4.3.7

                      Business continuity plans must take into account different types of likely or plausible scenarios to which the licensee will be vulnerable. The following specific scenarios must at a minimum, be considered in the BCP:

                      (a) Utilities are not available (power, telecommunications);
                      (b) Critical buildings are not available or specific facilities are not accessible;
                      (c) Software and live data are not available or are corrupted;
                      (d) Vendor assistance or (outsourced) service providers are not available;
                      (e) Critical documents or records are not available;
                      (f) Critical personnel are not available; and
                      (g) Significant equipment malfunctions (hardware or telecom).
                      January 2014

                • OM-4.4 OM-4.4 BCP – Recovery Levels & Objectives

                  • OM-4.4.1

                    The BCP must document strategies and procedures to maintain, resume and recover critical business operations or services. The plan must differentiate between critical and non-critical functions. The BCP must clearly describe the types of events that would lead up to the formal declaration of a business disruption and the process for activating the BCP.

                    January 2014

                  • OM-4.4.2

                    The BCP must clearly identify alternate sites for different operations, the total number of recovery personnel, workspace requirements, and applications and technology requirements. Office facilities and records requirements must also be identified.

                    January 2014

                  • OM-4.4.3

                    Licensees should take note that they might need to cater for processing volumes that exceed those under normal circumstances. The interdependency among critical services is another major consideration in determining the recovery strategies and priority.

                    January 2014

                  • OM-4.4.4

                    Individual critical business and support functions must establish the minimum BCP recovery objectives for recovering essential business operations and supporting systems to a specified level of service ("recovery level") within a defined period following a disruption ("recovery time"). These recovery levels and recovery times must be approved by the senior management prior to proceeding to the development of the BCP.

                    January 2014

                  • List of Contacts and Responsibilities

                    • OM-4.4.5

                      The BCP must contain a list of all key personnel. The list must include personal contact information on each key employee such as their home address, home telephone number, and cell phone so they may be contacted in case of a disaster or other emergency.

                      January 2014

                    • OM-4.4.6

                      The BCP must contain all the necessary process steps to complete each critical business operation or service. Each process must be explained in sufficient detail to allow another employee to perform the job in case of a disaster.

                      January 2014

                  • Alternate Sites for Business and Technology Recovery

                    • OM-4.4.7

                      Most business continuity efforts are dependent on the availability of an alternate site (i.e. recovery site) for successful execution. The alternate site may be either an external site available through an agreement with a commercial vendor or premises owned or under the control of the licensee. A useable, functional alternate site is an integral component of BCP.

                      January 2014

                    • OM-4.4.8

                      Licensees must examine the extent to which key business functions are concentrated in the same or adjacent locations and the proximity of the alternate sites to primary sites. Alternate sites must be sufficiently remote from, and do not depend upon the same physical infrastructure components as a licensee's primary business location. This minimises the risk of both sites being affected by the same disaster (e.g. they must be on separate or alternative power grids and telecommunication circuits).

                      January 2014

                    • OM-4.4.9

                      Licensees' alternate sites and alternate recovery mechanisms must be readily accessible and available for occupancy (i.e. 24 hours a day, 7 days a week) within the time requirement specified in their BCP. Should the BCP so require, the alternate sites must have pre-installed workstations, power, telephones and ventilation, and sufficient space. Appropriate physical access controls such as access control systems and security guards must be implemented in accordance with the licensee's security policy.

                      January 2014

                    • OM-4.4.10

                      Other than the establishment of alternate sites, licensees should also pay particular attention to the transportation logistics for relocation of operations to alternate sites. Consideration should be given to the impact a disaster may have on the transportation system (e.g. closures of roads). Some staff may have difficulty in commuting from their homes to the alternate sites. Other logistics, such as how to re-route internal and external mail to alternate sites should also be considered. Moreover, pre-arrangement with telecommunication companies for automated telephone call diversion from the primary work locations to the alternate sites should be considered.

                      January 2014

                    • OM-4.4.11

                      Alternate sites for technology recovery (i.e. back-up data centres), which may be separate from the primary business site, should have sufficient technical equipment (e.g. workstations, servers, printers, etc.) of appropriate model, size and capacity to meet recovery requirements as specified by licensees' BCPs. The sites should also have adequate telecommunication (including bandwidth) facilities and pre-installed network connections as specified by their BCP to handle the expected voice and data traffic volume.

                      January 2014

                    • OM-4.4.12

                      Licensees should avoid placing excessive reliance on external vendors in providing BCP support, particularly where a number of institutions are using the services of the same vendor (e.g. to provide back-up facilities or additional hardware). Licensees should satisfy themselves that such vendors do actually have the capacity to provide the services when needed and the contractual responsibilities of the vendors should be clearly specified. Licensees should recognise that outsourcing a business operation does not transfer the associated business continuity management responsibilities.

                      January 2014

                    • OM-4.4.13

                      The contractual terms should include the lead-time and capacity that vendors are committed to deliver in terms of back-up facilities, technical support or hardware. The vendor should be able to demonstrate its own recoverability including the specification of another recovery site in the event that the contracted site becomes unavailable.

                      January 2014

                    • OM-4.4.14

                      Certain licensees may rely on a reciprocal recovery arrangement with other institutions to provide recovery capability. Licensees should, however, note that such arrangements are often not appropriate for prolonged disruptions or an extended period of time. This arrangement could also make it difficult for licensees to adequately test their BCP. Any reciprocal recovery agreement should therefore be subject to proper risk assessment and documentation by licensees, and formal approval by the Board.

                      January 2014

                • OM-4.5 OM-4.5 Detailed Procedures for the BCP

                  • OM-4.5.1

                    Once the recovery levels and recovery objectives for individual business lines and support functions are determined, the development of the detailed BCP should commence. The objective of the detailed BCP is to provide detailed guidance and procedures in a crisis situation, of how to recover critical business operations or services identified in the business impact analysis stage, and to ultimately return to operations as usual.

                    January 2014

                  • Crisis Management Process

                    • OM-4.5.2

                      A BCP must set out a Crisis Management Plan (CMP) that serves as a documented guidance to assist the CMT in dealing with a crisis situation to avoid spill over effects to the business as a whole. The overall CMP, at a minimum, must contain the following:

                      (a) A process for ensuring early detection of an emergency or a disaster situation and prompt notification to the CMT about the incident;
                      (b) A process for the CMT to assess the overall impact of the crisis situation on the licensee and to make quick decisions on the appropriate responses for action (i.e. staff safety, incident containment and specific crisis management procedures);
                      (c) Arrangements for safe evacuation from business locations (e.g. directing staff to a pre-arranged emergency assembly area, taking attendance of all employees and visitors at the time and tracking missing people through different means immediately after the disaster);
                      (d) Clear criteria for activation of the BCP and/or alternate sites;
                      (e) A process for gathering updated status information for the CMT (e.g. ensuring that regular conference calls are held among key staff from relevant business and support functions to report on the status of the recovery process);
                      (f) A process for timely internal and external communications; and
                      (g) A process for overseeing the recovery and restoration efforts of the affected facilities and the business services.
                      January 2014

                    • OM-4.5.3

                      If CMT members need to be evacuated from their primary business locations, the licensee should set up a command centre to provide the necessary workspace and facilities for the CMT. Command centres should be sufficiently distanced from the licensee's primary business locations to avoid being affected by the same disaster.

                      January 2014

                  • Business Resumption

                    • OM-4.5.4

                      Each relevant business and support function must assign at least one member to be a part of the CMT to carry out the business resumption process for the relevant business and supported function. Appropriate recovery personnel with the required knowledge and skills must be assigned to the team.

                      January 2014

                  • Technology Recovery

                    • OM-4.5.5

                      Business resumption very often relies on the recovery of technology resources that include applications, hardware equipment and network infrastructure as well as electronic records. The technology requirements that are needed during recovery for individual business and support functions should be specified when the recovery strategies for the functions are determined.

                      January 2014

                    • OM-4.5.6

                      Licensees should pay attention to the resilience of critical technology equipment and facilities such as the uninterruptible power supply (UPS) and the computer cooling systems. Such equipment and facilities should be subject to continuous monitoring and periodic maintenance and testing.

                      January 2014

                    • OM-4.5.7

                      Appropriate personnel must be assigned with the responsibility for technology recovery. Alternative personnel need to be identified as back up for key technology recovery personnel in the case of the latter unavailability to perform the recovery process.

                      January 2014

                • OM-4.6 OM-4.6 Vital Records Management

                  • OM-4.6.1

                    Each BCP must clearly identify information deemed vital for the recovery of critical business and support functions in the event of a disaster as well as the relevant protection measures to be taken for protecting vital information. Licensees must refer to Chapter GR-1 when identifying vital information for business continuity. Vital information includes information stored on both electronic and non-electronic media.

                    January 2014

                  • OM-4.6.2

                    Copies of vital records must be stored off-site as soon as possible after creation. Back-up vital records must be readily accessible for emergency retrieval. Access to back-up vital records must be adequately controlled to ensure that they are reliable for business resumption purposes. For certain critical business operations or services, licensees must consider the need for instantaneous data back up to ensure prompt system and data recovery. There must be clear procedures indicating how and in what priority vital records are to be retrieved or recreated in the event that they are lost, damaged or destroyed.

                    January 2014

                • OM-4.7 OM-4.7 Other Policies Standards, and Processes

                  • Employee Awareness and Training Plan

                    • OM-4.7.1

                      Licensees must implement an awareness plan and business continuity training for employees to ensure that all employees are continually aware of their responsibilities and know how to remain in contact and what to do in the event of a crisis.

                      January 2014

                    • OM-4.7.2

                      Key employees should be involved in the business continuity development process, as well as periodic training exercises. Cross training should be utilised to anticipate restoring operations in the absence of key employees. Employee training should be regularly scheduled and updated to address changes to the BCP.

                      January 2014

                  • Public Relations & Communication Planning

                    • OM-4.7.3

                      Licensees must develop an awareness program and formulate a formal strategy for communication with key external parties (e.g. CBB and other regulators, investors, customers, business partners, service providers, the media and other stakeholders) and provide for the type of information to be communicated. The strategy needs to set out all the parties the licensee must communicate to in the event of a disaster. This will ensure that consistent and up-to-date messages are conveyed to the relevant parties. During a disaster, ongoing and clear communication is likely to assist in maintaining the confidence of customers as well as the public in general.

                      January 2014

                    • OM-4.7.4

                      The BCP must clearly indicate who may speak to the media and other key external parties, and have pre-arrangements for redirecting external communications to designated staff during a disaster. Important contact numbers and e-mail addresses of key external parties must be kept in a readily accessible manner (e.g. in wallet cards or licensees' intranet).

                      January 2014

                    • OM-4.7.5

                      Licensees may find it helpful to prepare draft press releases as part of their BCP. This will save the CMT time in determining the main messages to convey in a chaotic situation. Important conversations with external parties should be properly logged for future reference.

                      January 2014

                    • OM-4.7.6

                      As regards internal communication, the BCP should set out how the status of recovery can be promptly and consistently communicated to all staff, head office, branches and subsidiaries (where appropriate). This may entail the use of various communication channels (e.g. broadcasting of messages to mobile phones of staff, licensees websites, e-mails, intranet and instant messaging).

                      January 2014

                  • Disclosure Requirements

                    • OM-4.7.7

                      Licensees must disclose how their BCP addresses the possibility of a future significant business disruption and how the licensee will respond to events of varying scope. Licensees must also state whether they plan to continue business during disruptions and the planned recovery time. The licensees might make these disclosures on their website, or through mailing to key external parties upon request. In all cases, BCP disclosures must be reviewed and updated to address changes to the BCP.

                      January 2014

                • OM-4.8 OM-4.8 Maintenance, Testing and Review

                  • Testing & Rehearsal

                    • OM-4.8.1

                      Licensees must test their BCPs at least annually. Senior management must participate in the annual testing, and demonstrate their awareness of what they are required to do in the event of the BCP being involved. Also, the recovery and alternate personnel must participate in testing rehearsals to familiarise themselves with their responsibilities and the back-up facilities and remote sites (where applicable).

                      January 2014

                    • OM-4.8.2

                      All of the BCP's related risks and assumptions must be reviewed for relevancy and appropriateness as part of the annual planning of testing. The scope of testing must be comprehensive enough to cover the major components of the BCP as well as coordination and interfaces among important parties. A testing of particular components of the BCP or a fully integrated testing must be decided depending on the situation. The following points must be included in the annual testing:

                      (a) Staff evacuation and communication arrangements (e.g. call-out trees) must be validated;
                      (b) The alternate sites for business and technology recovery must be activated;
                      (c) Important recovery services provided by vendors or counterparties must form part of the testing scope;
                      (d) Licensees must consider testing the linkage of their back up IT systems with the primary and back up systems of service providers;
                      (e) If back up facilities are shared with other parties (e.g. subsidiaries of the licensee), the licensee needs to verify whether all parties can be accommodated concurrently; and
                      (f) Recovery of vital records must be performed as part of the testing.
                      January 2014

                    • OM-4.8.3

                      Formal testing reviews of the BCP must be performed to assess the thoroughness and effectiveness of the testing. Specifically, a post-mortem review report must be prepared at the completion of the testing stage for formal sign-off by licensees' senior management. If the testing results indicate weaknesses or gaps in the BCP, the plan and recovery strategies must be updated to remedy the situation.

                      January 2014

                  • Periodic Maintenance and Updating of a BCP

                    • OM-4.8.4

                      Licensees must have formal procedures to keep their BCP updated with respect to any changes to their business. In the event of a plan having been activated, a review process must be carried out once normal operations are restored to identify areas for improvement. If vendors are needed to provide vital recovery services, there must be formal processes for regular (say, annual) reviews of the appropriateness of the relevant service level agreement.

                      January 2014

                    • OM-4.8.5

                      Individual business and support functions, with the assistance of the CMT, must review their business impact analysis and recovery strategy on an annual basis. This aims to confirm the validity of, or whether updates are needed to, the BCP requirements (including the technical specifications of equipment of the alternate sites) for the changing business and operating environment.

                      January 2014

                    • OM-4.8.6

                      The contact information for key staff, counterparties, customers and service providers must be updated as soon as possible when notification of changes is received.

                      January 2014

                    • OM-4.8.7

                      Significant internal changes (e.g. merger or acquisitions, business re-organisation or departure of key personnel) must be reflected in the plan immediately and reported to senior management.

                      January 2014

                    • OM-4.8.8

                      Copies of the BCP document must be stored at locations separate from the primary site. A summary of key steps to be taken in an emergency situation must be made available to senior management and other key personnel.

                      January 2014

                  • Audit and Independent Review

                    • OM-4.8.9

                      The internal audit function of a licensee or its external auditor must conduct periodic reviews of the BCP to determine whether the plan remains realistic and relevant, and whether it adheres to the policies and standards of the licensee. This review must include assessing:

                      (a) The adequacy of business process identification;
                      (b) Threat scenario development;
                      (c) Business impact analysis and risk assessments;
                      (d) The written plan;
                      (e) Testing scenarios and schedules; and
                      (f) Communication of test results and recommendations to the Board.
                      January 2014

                    • OM-4.8.10

                      Significant findings must be brought to the attention of the Board and senior management within three months of the completion of the review. Furthermore, senior management and the Board must ensure that any gaps or shortcomings reported to them are addressed in an appropriate and timely manner.

                      January 2014

                • OM-4.9 OM-4.9 Cyber Security Risk Management

                  • OM-4.9.1

                    To prepare for the eventuality of cyber attacks, licensees must have a cyber attack response mechanism in place. The BCP of the licensee must also be properly enhanced to account for all CBB requirements and must be regularly tested to assure that the licensee is capable of dealing with cyber attacks.

                    Added: October 2016

              • OM-5 OM-5 Security Measures for Financing Companies

                • OM-5.1 OM-5.1 Physical Security Measures

                  • External Measures

                    • OM-5.1.1

                      Public entrances to head offices and branches must be protected by measures such as steel rolling shutters, or the external doors must be of solid steel or a similar solid material of equivalent strength and resistance to fire.

                      January 2014

                    • OM-5.1.2

                      Other external entrances must have steel doors or be protected by steel rolling shutters. Preferably, all other external entrances should have the following security measures:

                      (a) Magic eye;
                      (b) Locking device (key externally and handle internally);
                      (c) Door closing mechanism;
                      (d) Contact sensor with alarm for prolonged opening time; and
                      (e) Combination access control system (e.g. access card and key slot or swipe card and password).
                      January 2014

                    • OM-5.1.3

                      If additional security measures to those mentioned in Paragraph OM-5.1.2 such as security cameras, motion detectors or intruder alarms are installed, the requirement for steel external doors or protection by steel rolling shutters is waived.

                      January 2014

                    • OM-5.1.4

                      External windows must have security measures such as anti blast films and movement detectors. For ground floor windows, licensees may also wish to add steel grills fastened into the wall.

                      January 2014

                    • OM-5.1.5

                      Alarm systems should have the following features:

                      (a) PIR motion detectors;
                      (b) Door sensors;
                      (c) Anti vibration/movement sensors on vaults;
                      (d) External siren; and
                      (e) The intrusion detection system must be linked to the licensee's (i.e. head office) monitoring unit.
                      January 2014

                  • Internal Measures

                    • OM-5.1.6

                      All areas where cash is handled must be screened off from customers and other staff areas.

                      January 2014

                    • OM-5.1.7

                      Access to areas where cash is handled must be restricted to authorised staff only. The design of the teller area should not allow customers to pass through it.

                      January 2014

                    • OM-5.1.8

                      Panic alarm systems for staff handling cash may be installed. The choice between silent or audible panic alarms is left to individual licensees. Kick bars and/or hold up buttons may be spread throughout the teller and customer service areas and the branch manager's office.

                      January 2014

                  • Cash Safety

                    • OM-5.1.9

                      Cash and bearer instruments must be kept in fireproof cabinets/safes. Preferably, these cabinets/safes should be located in strong rooms.

                      January 2014

                    • OM-5.1.10

                      Strong rooms must be made of reinforced solid concrete, or reinforced block work. Doors to strong rooms must be steel and preferably also have a steel shutter fitted. Dual locking devices must be installed in strong room doors. Strong room doors must be located out of the sight of customers.

                      January 2014

                    • OM-5.1.11

                      Strong rooms must not contain any other openings except the entry door and where necessary, an air conditioning outlet. The air conditioning outlet must be protected with a steel grill.

                      January 2014

                    • OM-5.1.12

                      Licensees must maintain a list of all maintenance, replenishment and inspection visits by staff or other authorised parties.

                      January 2014

                  • CCTV Network Systems

                    • OM-5.1.13

                      All head offices and branches must have a CCTV network which is connected to a central monitoring unit located in the head office.

                      January 2014

                    • OM-5.1.14

                      The location and type of CCTV cameras is left to the discretion of the licensee. At a minimum, CCTV cameras must cover the following areas:

                      (a) Main entrance;
                      (b) Other external doors;
                      (c) Any other access points (e.g. ground floor windows); and
                      (d) The service's hall.
                      January 2014

                    • OM-5.1.15

                      Notices of CCTV cameras in operation must be put up for the attention of the public. CCTV records must be maintained for a minimum 45-day period. The transmission rate (in terms of the number of frames per second) should be high enough to make for effective monitoring. Delayed transmission of pictures to the central monitoring unit is not acceptable. The CCTV system must be operational 24 hours per day.

                      January 2014

                  • Training and Other Measures

                    • OM-5.1.16

                      Licensees must establish the formal position of security manager. This person will be responsible for ensuring all licensee staff are given annual, comprehensive security training. Licensees must produce a security manual or procedures for staff, especially those dealing directly with customers. For licensees with three or more branches, this position must be a formally identified position. For licensees with one or two branches, the responsibilities of this position may be added to the duties of a member of management.

                      January 2014

                    • OM-5.1.17

                      The security manager must maintain records on documented security related complaints by customers and take corrective action or make recommendations for action on a timely basis. Actions and recommendations must also be documented.

                      January 2014

                    • OM-5.1.18

                      Licensees must consider safety and security issues when selecting premises for new branches. Key security issues include prominence of location (i.e. is the branch on a main street or a back street?), accessibility for emergency services, and assessment of surrounding premises (in terms of their safety or vulnerability), and the number of entrances to the branch. All licensees are required to hold an insurance blanket bond (which includes theft of cash in its cover).

                      January 2014

                  • General Requirement

                    • OM-5.1.19

                      Licensees must maintain up to date Payment Card Industry Data Security Standards (PCI-DSS) certification. The initial certification must be obtained by 31st December 2017. Failure to comply with this requirement will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

                      Added: January 2017

                    • OM-5.1.19A

                      In order to maintain up to date PCI-DSS certification, licensees will be periodically audited by PCI authorised companies for compliance. Licensees are asked to make certified copies of such documents available if requested by the CBB.

                      Added: January 2017

                  • Geolocation Limitations

                    • OM-5.1.20

                      All financing companies issuing prepaid and/or credit cards must ensure that all Bahrain issued cards enable each customer to maintain a list of 'approved' countries for card ATM/Point of Sale (POS) transactions. Customers must be allowed to determine those countries in which their card must not be accepted as well as countries or merchant categories in which a card transaction would require a further level of authorisation, (for example, 2-way SMS). This requirement must be complied with by 28th February 2018.

                      Added: April 2017

                  • Europay, MasterCard and Visa (EMV) Compliance

                    • OM-5.1.20AA

                      All cards (credit, charge, prepaid, etc.) issued by licensees in the Kingdom of Bahrain must be EMV compliant. Moreover, all POS must be EMV compliant for accepting cards issued in the Kingdom of Bahrain. In this context, EMV compliant means using chip and online PIN authentication. However, contactless card payment transactions, where no PIN verification is required, are permitted for small amounts i.e. up to BD 20 per transaction, provided that licensees bear full responsibility in case of fraud occurrence.

                      Added: April 2018

                    • OM-5.1.20AAA

                      Where contactless payments use Consumer Device Cardholder Method (CDCVM) for payment authentication and approval, then the authentication required for transactions above BD20 limit mentioned in Paragraph OM-5.1.20AA is not applicable given that the customer has already been authenticated by his device using PIN, biometric or other authentication methods. This is only applicable where the debit/credit card of the customer has already been tokenized in the payment application.

                      Added: July 2020

                  • Provision of Cash Withdrawal and Payment Services through Various Channels

                    • OM-5.1.20BB

                      Licensees are allowed to provide payment services using various channels, including but not limited to, contactless, cardless, QR code, e-wallets, biometrics (iris recognition, facial recognition, fingerprint, voiceprint, etc.), subject to enrolling customers through registration process wherein customers' acceptance of products/services terms and conditions are documented and customers are properly authenticated.

                      Added: April 2018

                  • Prohibition of Double Swiping

                    • OM-5.1.20A

                      All card acquirer licensees must communicate to the concerned merchants that the CBB has directed to stop the practice of double swiping of payment cards by merchants at the merchant's POS terminals/ECR, with effect from 15th June, 2017.

                      Added: July 2017

                    • OM-5.1.20B

                      For the purpose of Paragraph OM-5.1.20A, card acquirer licensee means a CBB licensee that enters into a contractual relationship with a merchant and the payment card issuer, under a card payment scheme, for accepting and processing payment card transactions. Card acquirers include three-party payment card network operators, who have outsourced their acquiring services to third party service providers.

                      Added: July 2017

                    • OM-5.1.20C

                      For the purpose of Paragraph OM-5.1.20A, double swiping means swiping of a payment card by a merchant at the POS terminal/ECR for the second time, resulting in capturing and storing of payment cardholder data and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response.

                      Added: July 2017

                    • OM-5.1.20D

                      All card acquirer licensees must include the following clause into the merchant agreements entered into with all their merchants and bring into force the said clause on or before 15th June, 2017: "Pursuant to the CBB directions and instructions, the merchant shall stop double swiping of a payment card at a merchant's point-of-sale (POS) terminal/electronic cash register (ECR) to capture or store cardholder and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response. The merchant asserts its full compliance with the obligation contained in this clause and understands that any breach of this clause will expose the merchant to mandatory contractual and/or legal disciplinary actions by the relevant regulator and/or concerned Ministry."

                      Added: July 2017

                    • OM-5.1.20E

                      All card acquirer licensees must:

                      (i) Educate the concerned merchants on the regulatory requirement and continue to follow up the progress of the implementation to comply within the period stipulated in Paragraph OM-5.1.20A; and
                      (ii) Educate and facilitate, where necessary, any merchant that has a valid business need to have cardholder data or non-sensitive information, to transmit such data/information through an integration option.
                      Added: July 2017

                    • OM-5.1.21

                      Licensees must ensure, with effect from 1st October 2019, that any new POS terminals or devices support contactless payment using Near Filed Communication "NFC" technology.

                      Added: October 2019

                    • OM-5.1.22

                      Licensees must ensure, that any payment card issued or reissued (credit, debit, prepaid and charge cards) on or after 12th October 2019 supports contactless payment using Near Field Communications "NFC" technology.

                      Added: October 2019

                • OM-5.2 OM-5.2 Internet Security

                  • OM-5.2.1

                    Licensees providing internet financial services must regularly test their systems against security breaches and verify the robustness of the security controls in place. These tests must be conducted by security professionals, such as ethical hackers, that provide penetration testing services and a vulnerability assessment of the system.

                    January 2014

                  • OM-5.2.2

                    The penetration testing referred to in Paragraph OM-5.2.1, must be conducted each year in June and December.

                    January 2014

                  • OM-5.2.3

                    The vulnerability assessment report, along with the steps taken to mitigate the risks must be maintained by the licensee for a 5-year period from the date of testing and must be provided to the CBB within two months following the end of the month where the testing took place, i.e. for the June test, the report must be submitted at the latest by 31st August and for the December test, by 28th February (see Section BR-1.6).

                    January 2014

                • OM-5.3 OM-5.3 Cyber Security Measures

                  • OM-5.3.1

                    Clear ownership and management accountability of the risks associated with cyber attacks and related risk management must be established, which cover not only the IT function but also all relevant business lines. Cyber security must be made part of the licensees IT security policy.

                    Added: October 2016

                  • OM-5.3.2

                    The Board and senior management must ensure that the cyber security controls are periodically evaluated for adequacy, taking into account emerging cyber threats and establishing a credible benchmark of cyber security controls endorsed by the Board and senior management. Should material gaps be identified, the Board and senior management must ensure that corrective action is taken immediately.

                    Added: October 2016

                  • OM-5.3.3

                    Licensees must report to the CBB within one week, any instances of cyber attacks, whether internal or external, that compromise customer information or disrupt critical services that affect their operations. When reporting such instances, the licensee must provide the root cause analysis of the cyber attack and measures taken by them to ensure that similar events do not recur.

                    Added: October 2016

            • LM LM Financing Companies Liquidity Risk Management Module

              • LM-A LM-A Introduction

                • LM-A.1 LM-A.1 Purpose

                  • Executive Summary

                    • LM-A.1.1

                      This Module provides detailed Rules and Guidance on risk management systems and controls required for minimum liquidity requirements for financing company licensees.

                      January 2014

                    • LM-A.1.2

                      This Module expands on certain high-level requirements contained in various High-Level Standards Modules. In particular, Condition 5 of the Licensing Conditions (see Section AU-2.5) notes that financing company licensees must maintain sufficient liquid assets to meet their obligations as they fall due in the normal course of business. In addition, Principle 9 of the Principles of Business (see Paragraph PB-1.1.9) refers to the requirement to maintain adequate resources for financing company licensees to run their business in an orderly manner. Principle 10 of the Principles of Business (see Paragraph PB-1.1.10) also notes the requirement for licensees to maintain systems and controls to manage the level of risk inherent in their business and ensure compliance with the CBB Rulebook.

                      January 2014

                    • LM-A.1.3

                      This Module sets out the minimum stock liquidity ratio and maturity mismatch ratios which financing company licensees must meet as a condition of their licensing. In addition, it outlines the need for proper systems and controls to ensure the prudent management of liquidity and the liquidity reporting and other requirements.

                      January 2014

                    • LM-A.1.4

                      Liquidity risk is the risk of not being able to meet liabilities when they fall due, even though a firm may still be solvent. Liquidity risk in financing company licensees relates to the management of their cash flow and the risk to their meeting short-term liabilities due to liquidity problems. The purpose of these requirements is to ensure that financing company licensees hold sufficient liquid assets to meet their obligations as they fall due.

                      January 2014

                  • Legal Basis

                    • LM-A.1.5

                      This Module contains the Central Bank of Bahrain's ('CBB') Directive relating to the liquidity risk management of financing company licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all financing company licensees.

                      January 2014

                • LM-A.2 LM-A.2 Module History

                  • Evolution of Module

                    • LM-A.2.1

                      This Module was first issued in January 2014 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      January 2014

                    • LM-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      LM-1.2.1 07/2014 Clarified the requirement for the minimum stock liquidity ratio.
                           
                           
                           
                           

              • LM-B LM-B Scope of Application

                • LM-B.1 LM-B.1 Scope of Application

                  • LM-B.1.1

                    This Module is applicable to all financing company licensees authorised in the Kingdom of Bahrain (thereafter referred to in this Module as licensees).

                    January 2014

              • LM-1 LM-1 Minimum Liquidity Requirements

                • LM-1.1 LM-1.1 General Requirements

                  • LM-1.1.1

                    Licensees must maintain on a continuing basis an appropriate mix of high quality liquid assets in order to meet their obligations when they fall due and to address any liquidity needs and unexpected cash flow required for funding needs.

                    January 2014

                  • LM-1.1.2

                    To address the requirements of Paragraph LM-1.1.1, a minimum amount of liquid assets must be maintained by the licensee. The minimum level of liquid assets is determined by the minimum stock liquidity ratio (See Section LM-1.2) and maturity mismatch ratios (See Section LM-1.3) that must be complied with by the licensee.

                    January 2014

                  • LM-1.1.3

                    Licensees must ensure that at all times they maintain the minimum stock liquidity ratio and maturity mismatch ratios outlined in Paragraph LM-1.1.2. In the event that the licensee does not comply with these ratios, it must notify the CBB by no later than the following business day of the actual level of the ratios. When providing such notification, the licensee must:

                    (a) Provide to the CBB, within one week of the non-compliance, a written action plan setting out how the licensee proposes to restore its ratios to the required minimum level and describe the systems and controls that have been put in place to prevent any future non-compliance of the minimum ratios;
                    (b) Report to the CBB, on a weekly basis or on another timely basis as required by the CBB, the average stock liquidity ratio until such time as it reaches 30%; and
                    (c) Report to the CBB on a monthly basis or on another timely basis as required by the CBB, the negative cumulative maturity mismatch ratios until such time as the 3-month maturity does not exceed 15% and the 6-month maturity band does not exceed 20%.
                    January 2014

                • LM-1.2 LM-1.2 Stock Liquidity Ratio

                  • LM-1.2.1

                    Licensees must maintain a minimum stock liquidity ratio of 25% on a monthly basis. Such ratio is to be calculated for Bahrain operations only.

                    Amended: July 2014
                    January 2014

                  • LM-1.2.2

                    The CBB may require licensees to maintain an average stock liquidity ratio in excess of the 25% minimum required under Paragraph LM-1.2.1, should it have concerns regarding the licensee's liquidity and/or financial position.

                    January 2014

                  • LM-1.2.3

                    The stock liquidity ratio, expressed as a percentage, must be calculated on each business day and is the ratio of the sum of the licensee's liquid assets, net of deductions required under Paragraph LM-1.2.6, divided by the sum of qualifying liabilities.

                    January 2014

                  • LM-1.2.4

                    The average stock liquidity ratio for a calendar month is calculated by dividing the sum of the daily stock liquidity ratio calculated in accordance with Paragraph LM-1.2.3 at the close of business on each working day during a month by the number of business days during that month.

                    January 2014

                  • Liquid Assets

                    • LM-1.2.5

                      For purposes of Paragraph LM-1.2.3, liquid assets are defined as:

                      (a) Cash and unencumbered current accounts with financial institutions;
                      (b) Placements with financial institutions maturing within one month;
                      (c) Exchange traded financial instruments;
                      (d) GCC government securities;
                      (e) Other sovereign bonds and bills up to one year maturity, carrying a minimum rating of AA-; and
                      (f) Accounts receivable due within one month.
                      January 2014

                    • LM-1.2.6

                      The liquid assets noted under Paragraph LM-1.2.5 must also meet the following requirements to be included in the calculation of the stock liquidity ratio. They must be:

                      (a) Free from encumbrances; and
                      (b) Freely available and payable.
                      January 2014

                  • Qualifying Liabilities

                    • LM-1.2.7

                      For purposes of Paragraph LM-1.2.3, qualifying liabilities are defined as:

                      (a) Liabilities due within one month; and
                      (b) Irrevocable commitments to provide funds within one month.
                      January 2014

                    • LM-1.2.8

                      For purposes of Subparagraph LM-1.2.7 (b), irrevocable commitments include facilities:

                      (a) With a known date of drawdown within one month; and
                      (b) Without a known date of drawdown but carrying a notice period of within one month (including where the drawdown is on demand, i.e. requiring no notice period) except where conditions attached to the drawdown cannot be met in practice within one month.
                      January 2014

                    • LM-1.2.9

                      Potential commitments relating to credit card facilities, which may be cancelled at any time are excluded from qualifying liabilities.

                      January 2014

                • LM-1.3 LM-1.3 Maturity Mismatch Ratios

                  • LM-1.3.1

                    Licensees must maintain positive cumulative maturity mismatch ratios for 3-month and 6-month maturity bands. Where negative cumulative maturity mismatch ratios occur, the negative cumulative maturity mismatch ratios, as a percentage of total liabilities, must not exceed 20% for a 3-month maturity band and 25% for a 6-month maturity band. These ratios are to be calculated on a unconsolidated basis.

                    January 2014

                  • LM-1.3.2

                    A mismatch occurs when differences exist between the receipts from cash inflows (assets) and cash outflows (liabilities). A positive mismatch is one where the expected cash inflow, generated by revenues and assets, exceeds the expected cash outflow, from the payment of expenses and liabilities. A negative mismatch occurs when the expected inflow of cash is less than the expected outflow of funds. The amount of the mismatch is measured in cash.

                    January 2014

                  • LM-1.3.3

                    In measuring maturity bands, cash inflows from assets and cash outflows from liabilities are slotted into time bands. The maturities used are based on a worst case scenario. Specifically, cash inflows are included based on their latest maturity and cash outflows are based on their earliest maturity.

                    January 2014

                  • LM-1.3.4

                    A net mismatch figure is obtained by subtracting cash outflows from cash inflows for each time band. Mismatches are then calculated on a net cumulative basis.

                    January 2014

                  • LM-1.3.5

                    The maturity mismatch ratio is calculated using the net cumulative mismatch figure obtained under Paragraph LM-1.3.4 as a percentage of total liabilities.

                    January 2014

              • LM-2 LM-2 Systems and Controls

                • LM-2.1 LM-2.1 Liquidity Policy

                  • LM-2.1.1

                    Prudent liquidity management is the primary responsibility of senior management based on the authority and limits approved by the licensee's Board of Directors. Senior management must continuously review information on the liquidity developments and report to the board of directors on a quarterly basis.

                    January 2014

                  • LM-2.1.2

                    Licensees must ensure that they have in place systems and controls to ensure the prudent management of liquidity. Licensees must identify and manage their liquidity risk across all their operations, and document their policies and procedures for achieving this in a liquidity risk policy.

                    January 2014

                  • LM-2.1.3

                    On annual basis, a licensee's board of directors must review and approve the structure, strategy, policies and practices related to liquidity management (including contingency planning) and must also ensure that senior management manages and monitors liquidity risk effectively.

                    January 2014

                  • LM-2.1.4

                    Licensees must formulate a statement of their liquidity management policies that is to be reviewed and discussed with the CBB. The objective of this review is to agree to minimum liquidity standards for the licensees. The policy statement must be properly documented, reviewed annually and approved by the Board of Directors to ensure that it remains valid under changing circumstances. While specific details of the policy statement will differ, at a minimum, it must refer to the liquidity management strategy, responsibilities, systems and contingency planning.

                    January 2014

                  • Stress Testing

                    • LM-2.1.5

                      Licensees are encouraged to carry out stress testing to assess the resilience of their financial resources to any identified areas of material liquidity risk. This stress testing may take into account the general characteristics, and licensee's experience, and any mitigating factors that it considers relevant such as the ability to sell assets quickly and the options available to re-schedule the payment of liabilities.

                      January 2014

                    • LM-2.1.6

                      Where the licensee considers that the nature of its assets or liabilities and the matching of its liabilities result in no significant liquidity risk exposure, it will not be expected to carry out stress testing. The CBB will expect it to document the reasons for its decision and be prepared to discuss these during an on-site visit.

                      January 2014

                    • LM-2.1.7

                      When assessing liquidity risk, the licensee should consider the extent of mismatch between assets and liabilities and the amount of assets held in highly liquid, marketable forms should unexpected cash flows lead to a liquidity problem. The price concession of liquidating assets is a prime concern when assessing such liquidity risk and should be built into any assessment of liquidity risk management.

                      January 2014

              • LM-3 LM-3 Other Requirements

                • LM-3.1 LM-3.1 Contingency Planning

                  • LM-3.1.1

                    Licensees must have in place a formal contingency plan that clearly sets out their strategies for addressing liquidity shortfalls in emergency situations. The results of stress tests should also play a key role in shaping the licensee's contingency planning and in determining the strategy and tactics to deal with events of liquidity stress.

                    January 2014

                • LM-3.2 LM-3.2 Liquidity Reporting Requirements

                  • LM-3.2.1

                    Licensees must report their stock liquidity ratio and maturity mismatch ratios on a quarterly basis to the CBB, in accordance with the requirements outlined in Chapter BR-1.3.

                    January 2014

                • LM-3.3 LM-3.3 Bonds Issued by Licensee

                  • LM-3.3.1

                    In accordance with Article 141 of the Bahrain Commercial Companies Law, licensees must comply with the statutory requirement whereby the total value of existing bonds issued by the licensee must not exceed the issued and fully paid up capital and the undistributed reserves according to the latest balance sheet approved at the annual general meeting. This statutory requirement does not apply to bonds guaranteed by the state or by one of the public entities and bonds issued by financial institutions regulated by the CBB, and with the approval of the CBB.

                    January 2014

          • Reporting Requirements

            • BR BR Financing Companies CBB Reporting Module

              • BR-A BR-A Introduction

                • BR-A.1 BR-A.1 Purpose

                  • Executive Summary

                    • BR-A.1.1

                      This Module sets out requirements applicable to financing company licensees regarding reporting to the CBB. These include the provision of financial information to the CBB by way of prudential returns, as well as notification to the CBB of certain specified events, some of which require prior CBB approval. This Module also outlines the methods used by the CBB in gathering information required in the supervision of financing company licensees.

                      January 2013

                    • BR-A.1.2

                      This Module provides support for certain other parts of the Rulebook, mainly:

                      (a) Principles of Business;
                      (b) Public Disclosure;
                      (c) Risk Management;
                      (d) Financial Crime;
                      (e) Capital Adequacy;
                      (f) High-Level Controls;
                      (g) Business Conduct; and
                      (h) Auditors and Accounting Standards.
                      January 2013

                    • BR-A.1.3

                      Unless otherwise stated, all reports referred to in this Module should be addressed to the Director of relevant supervision directorate of the CBB.

                      January 2013

                  • Legal Basis

                    • BR-A.1.4

                      This Module contains the CBB's Directive relating to reporting requirements applicable to financing company licensees and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ("CBB Law').

                      January 2013

                    • BR-A.1.5

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      January 2013

                • BR-A.2 BR-A.2 Module History

                  • Evolution of Module

                    • BR-A.2.1

                      This Module was first issued in January 2013. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made: UG-3 provides further details on Rulebook maintenance and version control.

                      January 2013

                    • BR-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      BR-1.5.1 04/2013 Clarified deadline to update IIS.
                      BR-2.3.9 04/2013 Corrected cross reference.
                      BR-2.3.10 04/2013 Aligned with requirements of Article 57 of the CBB Law.
                      BR-1.1.2 and BR-3.5.11 07/2013 Amended numbering of referred appendix.
                      BR-1.2.2 01/2014 Clarified format of interim financial statements.
                      BR-1.3.5 01/2014 Added liquidity reporting requirements.
                      BR-1.6 01/2014 Added new Section on Internet Security Measures.
                      BR-1.1.2 and BR1.2.4- 04/2014 Added requirement for agreed upon procedures report for annual and semi-annual disclosures.
                      BR-1.1.2 and BR-1.1.2A 10/2014 To align and update requirements dealing with new Appendix BR-5, Board and Committee meetings with the requirements under Paragraph HC-1.3.9.
                      BR-1.3 10/2014 Updated to reflect new reporting form PIRFM.
                      BR-1.2 10/2015 Added new reporting requirements dealing with draft interim financial statements and financial review report.
                      BR-2.3.12 01/2016 Corrected cross references.
                      BR-2.2.16 04/2016 Corrected cross reference.
                      BR-1.1.2 04/2017 Added sub-paragraph (k) on CPD requirements.
                      BR-1.7 04/2017 Added a new Section on Onsite Inspection Reporting.
                      BR-2.3.10 01/2020 Amended Paragraph.
                      BR-1.1.2A 01/2022 Amended Paragraph on the submission of the Board and Committee annual meetings report.
                      BR-1.1.4 01/2022 Amended Paragraph on submission of annual report.
                      BR-1.3.2 01/2022 Amended Paragraph on the submission of the PIRFM forms.
                      BR-1.7.2 01/2022 Amended Paragraph on the submission of the written assessment of the observations/issues raised in the Inspection draft report.
                      BR-2.2.15 01/2023 Amended Paragraph removing reference to OM.
                      BR-2.3.12 01/2023 Deleted Paragraph on CBB approval for outsourcing arrangements.

              • BR-B BR-B Scope of Application

                • BR-B.1 BR-B.1 Scope of Application

                  • BR-B.1.1

                    The content of this Module applies to all financing company licensees authorised in the Kingdom (thereafter referred to in this Module as licensees).

                    January 2013

              • BR-1 BR-1 Prudential Reporting

                • BR-1.1 BR-1.1 Annual Requirements

                  • BR-1.1.1

                    All licensees are required to submit to the CBB their annual audited financial statements within 3 months of their financial year end.

                    January 2013

                  • BR-1.1.2

                    In addition to the statements required in Paragraph BR-1.1.1, licensees are required to submit to the CBB the following information within 3 months of their financial year end:

                    (a) The external auditor's management letter;
                    (b) Audited financial statements of all subsidiaries (whether or not consolidated) along with their management letters;
                    (c) The financing company's group structure and the internal organisation chart;
                    (d) A list of non-performing and rescheduled credit facilities (including name of customer, country, amount outstanding, net interest income/ profit for the year attributed to profit & loss and the reasons for attributing interest/ profit to income);
                    (e) A reconciliation statement between the audited financial statements and the relevant prudential returns;
                    (f) The report on controllers as required under Paragraph GR-4.1.10;
                    (g) A report on the licensee's close links as required under Paragraph GR-5.1.3;
                    (h) [This Sub Paragraph was deleted in October 2014];
                    (i) Any supplementary information as required by the CBB; and
                    (j) An agreed upon procedures report concerning the completeness of disclosures required by Module PD, Section PD-1.3 and Chapter PD-4 (see also AA-3.2.2).
                    (k) Report on the number of hours completed during the previous year in Continuous Professional Development (CPD) via CPD Form in Appendix BR-22 by the approved persons specifically board of directors and management as required under Paragraph TC-1.2.1.
                    Amended: April 2017
                    Amended: October 2014
                    Amended: April 2014
                    Amended: July 2013
                    Added: January 2013

                  • BR-1.1.2A

                    In accordance with Paragraph HC-1.3.9, licensees must submit annually a report recording the board meetings held during the year. Such report must be submitted to the CBB, within 30 calendar days of the financial year end, as an attachment to the year-end quarterly PIRFM. Reference should be made to Appendix BR-5, Board and Committee Meetings, under part B/Reporting Forms of Volume 5 for a sample of such report.

                    Amended: January 2022
                    Added: October 2014

                  • BR-1.1.3

                    In accordance with the provisions of Section AA-4.1, the audited financial statements and the annual reports of the licensees must be in full compliance with:

                    (a) The International Financial Reporting Standards (IFRS); or
                    (b) AAOIFI Financial Accounting Standards for Sharia Compliant Financing Companies and for products and activities not covered by AAOIFI, International Financial Reporting Standards (IFRS)/International Accounting Standards (IAS) must be followed; and
                    (c) The disclosure requirements set out under Sections PD-1.2, PD-1.3 and PD-1.4.
                    January 2013

                  • Annual Report

                    • BR-1.1.4

                      Licensees must submit a soft copy (electronic) of their full annual report to the CBB within 4 months of the end of their financial year (SeePD-1.2.6).

                      Amended: January 2022
                      January 2013

                • BR-1.2 BR-1.2 Interim Financial Statements

                  • BR-1.2.1

                    Licensees that are listed companies are required to submit to the CBB reviewed (unaudited) quarterly financial statements in accordance with the requirements outlined in Volume 6 (Capital Markets).

                    January 2013

                  • BR-1.2.2

                    Licensees that are non-listed companies are required to submit to the CBB reviewed (unaudited) semi-annual financial statements on a semi-annual basis, within two months of the date of these statements. The semi-annual financial statements are to be presented in accordance with IFRS and/or AAOIFI (for sharia-compliant licensees).

                    Amended: January 2014
                    January 2013

                  • BR-1.2.3

                    The statements mentioned under Paragraphs BR-1.2.1 and BR-1.2.2 must be in compliance with the requirements set out under Section PD-2.1.

                    January 2013

                  • Additional Reporting Requirements for Semi Annual Disclosures

                    • BR-1.2.4

                      Licensees are required to submit to the CBB within two months of the end of the half year an agreed upon procedures report concerning the completeness of disclosures required by Paragraph PD-2.1.6.

                      Added: April 2014

                  • Requirement to Submit Draft Interim and Year-end Financial Statements

                    • BR-1.2.5

                      In addition to the interim financial statements requirements under Paragraphs BR-1.2.1 and BR-1.2.2, licensees must submit their draft interim and year-end financial statements to the CBB at least one week before their board meets to discuss the interim and year-end financial statements.

                      Added: October 2015

                    • BR-1.2.6

                      Licensees that are listed companies must comply with Paragraph BR-1.2.5 on a quarterly basis, while non-listed licensees must comply on a semi-annual basis.

                      Added: October 2015

                  • Requirement to Submit Financial Review Report

                    • BR-1.2.7

                      When submitting the draft interim and year-end financial statements required under Paragraph BR-1.2.5, licensees must also submit the prescribed financial review report. The prescribed format of the report for conventional licensees is Appendix BR-11 while Islamic licensees must submit Appendix BR-12. Both appendices are included under Part B of Volume 5.

                      Added: October 2015

                • BR-1.3 BR-1.3 Quarterly Prudential Requirements

                  • PIRFM

                    • BR-1.3.1

                      All licensees must complete the PIRFM form (see Appendix BR-1 under Part B of Volume 5 for financing companies). This form is intended to be a financial report of the licensee on a consolidated basis.

                      Amended: October 2014
                      January 2013

                    • BR-1.3.2

                      The PIRFM form referred to under Paragraph BR-1.3.1 must be submitted to the CBB on a quarterly basis within 30 calendar days of the end of the reporting date.

                      Amended: January 2022
                      Amended: October 2014
                      January 2013

                    • BR-1.3.3

                      The CBB requires all licensees to request their external auditor to conduct a review of the prudential return on a quarterly basis. The results of such review (in the form of an Agreed Upon Procedures report as shown in Appendix BR-6) must be submitted to the CBB's relevant supervision Directorate no later than 2 months from the end of the subject quarter. A licensee may apply for an exemption from this requirement provided that it meets the criteria set out under Paragraph BR-1.3.4.

                      January 2013

                    • BR-1.3.4

                      Licensees which demonstrate to the satisfaction of the CBB that they have fulfilled all of the CBB's requirements with regard to Prudential Returns for at least two consecutive quarters may apply (in writing) to the CBB for an exemption from the review procedure set out in Paragraph BR-1.3.3. Such exemption may be withdrawn by the CBB at any time, should errors be detected.

                      January 2013

                  • Liquidity Reporting Requirements

                    • BR-1.3.5

                      In accordance with Paragraph LM-3.2.1, licensees must report their stock liquidity and maturity mismatch ratios. The reporting of these ratios is included as part of the PIRFM return required under Paragraph BR-1.3.1. Licensees must note however that the liquidity requirements are only applicable to Bahrain operations as outlined in Paragraph LM-1.2.1.

                      Amended: October 2014
                      Added: January 2014

                • BR-1.4 BR-1.4 Monthly Requirements

                  • BR-1.4.1

                    All licensees which are listed on a licensed exchange in Bahrain must comply with the requirements of Volume 6 of the CBB Rulebook.

                    January 2013

                  • Connected Counterparty Exposures

                    • BR-1.4.2

                      All licensees are required to submit to the CBB their exposures to connected parties on a monthly basis on the fourth working day of the month.

                      January 2013

                    • BR-1.4.3

                      For instructions relating to the reporting required as per Paragraph BR-1.4.2, reference should be made to Appendix BR-8 and for the concerned reporting forms refer to Appendix BR-7, found under Part B of Volume 5.

                      January 2013

                • BR-1.5 BR-1.5 IIS Reporting Requirements

                  • Institutional Information System (IIS)

                    • BR-1.5.1

                      All licensees are required to complete online non-financial information related to their institution by accessing the CBB's institutional information system (IIS). Licensees must update the required information at least on a quarterly basis or when a significant change occurs in the non-financial information included in the IIS. If no information has changed during the quarter, the licensee must still access the IIS quarterly and confirm that the information contained in the IIS is correct. Licensees must ensure that they access the IIS within 20 calendar days from the end of the related quarter and either confirm or update the information contained in the IIS.

                      Amended: April 2013
                      January 2013

                    • BR-1.5.2

                      Licensees failing to comply with the requirements of Paragraph BR-1.5.1 or reporting inaccurate information may be subject to financial penalties or other enforcement action as outlined in Module (EN) Enforcement.

                      January 2013

                • BR-1.6 BR-1.6 Internet Security Measures

                  • BR-1.6.1

                    In accordance with Section OM-5.2, licensees providing internet financial services must regularly test their systems against security breaches and submit the vulnerability assessment report to the CBB.

                    Added: January 2014

                  • BR-1.6.2

                    The report referred to under Paragraph BR-1.6.1 must be conducted in accordance with Section OM-5.2 and submitted to the CBB twice a year, within two months following the end of the month where the testing took place, i.e. for the June test, the report must be submitted at the latest by 31st August and for the December test, by 28th February.

                    Added: January 2014

                • BR-1.7 BR-1.7 Onsite Inspection Reporting

                  • BR-1.7.1

                    For the purpose of onsite inspection by the CBB, licensees must submit requested documents and completed questionnaires to the Inspection Directorate at the CBB three working days ahead of inspection team entry date.

                    Added: April 2017

                  • BR-1.7.2

                    Licensees must review the contents of the draft Inspection Report and submit to the Inspection Directorate at the CBB a written assessment of the observations/issues raised within fifteen working days of receipt of such report. Evidentiary documents supporting management’s comments must also be included in the response package.

                    Amended: January 2022
                    Added: April 2017

                  • BR-1.7.3

                    Licensees' board are required to review the contents of the Inspection Report and submit within one month, of the report issue date, a final response to such report along with an action plan addressing the issues raised within the stipulated timeline.

                    Added: April 2017

                  • BR-1.7.4

                    Licensees failing to comply with the requirements of Paragraphs BR-1.7.1 and BR-1.7.2 are subject to date sensitive requirements and other enforcement actions as outlined in Module (EN) Enforcement.

                    Added: April 2017

              • BR-2 BR-2 Notifications and Approvals

                • BR-2.1 BR-2.1 Introduction

                  • BR-2.1.1

                    All notifications and requests for approvals required in this Chapter are to be submitted by licensees in writing.

                    January 2013

                  • BR-2.1.2

                    In this Chapter, the term 'in writing' includes electronic communications capable of being reproduced in paper form.

                    January 2013

                  • BR-2.1.3

                    Licensees are required to provide the CBB with a range of information to enable it to monitor the licensee's compliance with Volume 5 of the CBB Rulebook. Some of this information is provided through regular reports, whereas others are in response to the occurrence of a particular event (such as a change in name or address). The following Sections list the commonly occurring reports for which a licensee will be required to notify the CBB or seek its approval.

                    January 2013

                • BR-2.2 BR-2.2 Notification Requirements

                  • Matters Having a Serious Supervisory Impact

                    • BR-2.2.1

                      A licensee must notify the CBB if any of the following has occurred, may have occurred or may occur in the near future:

                      (a) The licensee failing to satisfy one or more of the Principles of Business referred to in Module PB;
                      (b) Any matter which could have a significant adverse impact on the licensee's reputation;
                      (c) Any matter which could affect the licensee's ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the licensee;
                      (d) Any matter in respect of the licensee that could result in material financial consequences to the financial system or to other licensees;
                      (e) A significant breach of any provision of the Rulebook (including a Principle);
                      (f) A breach of any requirement imposed by law, regulation, directive or any other instruction issued by the CBB;
                      (g) If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way, it must notify the CBB immediately (ref. BR-3.3.2); or
                      (h) If the licensee intends to suspend any or all the licensed regulated services or ceases business, setting out how it proposes to do so and, in particular, how it will treat any of its liabilities (ref GR-7.1.2).
                      January 2013

                    • BR-2.2.2

                      The circumstances that may give rise to any of the events in Paragraph BR-2.2.1 are wide-ranging and the probability of any matter resulting in such an outcome, and the severity of the outcome, may be difficult to determine. However, the CBB expects licensees to properly consider all potential events and consequences that may arise from them.

                      January 2013

                    • BR-2.2.3

                      In determining whether an event that may occur in the near future should be notified to the CBB, a licensee should consider both the probability of the event happening and the severity of the outcome should it happen. Matters having a supervisory impact could also include matters relating to a controller that may directly or indirectly have an effect on the licensee.

                      January 2013

                  • Legal, Professional, Administrative or other Proceedings against a Licensee

                    • BR-2.2.4

                      A licensee must notify the CBB immediately of any legal, professional or administrative or other proceedings instituted against the licensee, controller or a close link of the licensee that is known to the licensee and is significant in relation to the licensee's financial resources or its reputation.

                      January 2013

                    • BR-2.2.5

                      A licensee must notify the CBB of the bringing of a prosecution for, or conviction of, any offence under any relevant law against the licensee or any of its approved persons.

                      January 2013

                  • Fraud, Errors and other Irregularities

                    • BR-2.2.6

                      A licensee must notify the CBB immediately if one of the following events arises and the event is significant:

                      (a) It becomes aware that an employee may have committed a fraud against one of its customers;
                      (b) It becomes aware that a person, whether or not employed by it, is acting with intent to commit fraud against it;
                      (c) It identifies irregularities in its accounting or other records, whether or not there is evidence of fraud;
                      (d) It suspects that one of its employees may be guilty of serious misconduct concerning his honesty or integrity and which is connected with the licensee's regulated activities; or
                      (e) Significant conflicts of interest.
                      January 2013

                  • Meaning of the Term "significant"

                    • BR-2.2.7

                      For the purposes of this chapter, in determining whether a matter is significant, a licensee should have regard to:

                      (a) The size of any monetary loss or potential monetary loss to itself or its customers (either in terms of a single incident or group of similar or related incidents);
                      (b) The risk of reputational loss to the licensee; and
                      (c) Whether the incident or a pattern of incidents reflects weaknesses in the licensee's internal controls.
                      January 2013

                    • BR-2.2.8

                      In addition, if the licensee may have suffered significant financial losses as a result of the incident, or may suffer reputational loss, the CBB will wish to consider this and whether the incident is indicative of weaknesses in the licensee's internal controls.

                      January 2013

                  • Insolvency, Bankruptcy and Winding Up

                    • BR-2.2.9

                      Except in instances where the CBB has initiated the following actions, a licensee must notify the CBB immediately of any of the following events:

                      (a) The calling of a meeting to consider a resolution for winding up the licensee, a controller or close link of the licensee;
                      (b) An application to dissolve a controller or close link of the licensee:
                      (c) The presentation of a petition for the winding up of a controller or close link of the licensee;
                      (d) The making of any proposals, or the making of, a composition or arrangement with any one or more of the licensee's creditors, for material amounts of debt;
                      (e) An application for the appointment of an administrator or trustee in bankruptcy to a controller or close link of the licensee;
                      (f) The appointment of a receiver to the licensee or to a controller or close link of the licensee (whether an administrative receiver or a receiver appointed over particular property); or
                      (g) An application against the licensee, a controller or close link of the licensee under Part 10 of the CBB Law or the Bankruptcy and Composition Law of 1987 or similar legislation in another jurisdiction.
                      January 2013

                  • External Auditor

                    • BR-2.2.10

                      A licensee must notify the CBB of the following:

                      (a) Removal or resignation of its external auditor (ref. AA-1.2.1); or
                      (b) A change in the partner in charge of conducting the external audit. (Ref. AA-1.3.3).
                      January 2013

                  • Approved Persons

                    • BR-2.2.11

                      A licensee must notify the CBB of the termination of employment of any approved persons, including reasons for their termination and arrangements for replacing them (ref. AU-4.3.8 and AU-4.5.7).

                      January 2013

                  • Authorised Signatories

                    • BR-2.2.12

                      At the time of authorisation (when the license is granted) or whenever a change occurs, in order to maintain an up-to-date record of authorised signatories of respective financial institutions, the CBB requires all licensees to submit to the licensee's CBB supervisory point of contact a list of specimen signatures of the officials authorised to sign on behalf of the concerned institution, together with, where appropriate, details of what they are authorised to sign for.

                      January 2013

                  • Capital Adequacy Liquidity Requirements

                    • BR-2.2.13

                      In the event that a licensee fails to meet any of the requirements specified in Module CA (Capital Adequacy) or Module LM (Liquidity Risk Management), it must, on becoming aware that it has breached the requirements, immediately notify the CBB in writing (ref. CA-1.1.9 and LM-1.1.3).

                      January 2013

                    • BR-2.2.14

                      As specified in Article 58 of the CBB Law, a licensee must notify the CBB immediately of any matter that may affect its financial position, currently or in the future, or limit its ability to meet its obligations.

                      January 2013

                  • Outsourcing Arrangements

                    • BR-2.2.15

                      Licensees must immediately inform their normal supervisory contact at the CBB of any material problems or changes encountered with an outsourcing provider.

                      Amended: January 2023
                      January 2013

                  • Controllers

                    • BR-2.2.16

                      If, as a result of circumstances outside the licensee's knowledge and/or control, one of the changes to their controllers specified in Paragraph GR-4.1.1 is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB on the earlier of:

                      (a) The moment the change takes effect; or
                      (b) The moment the controller becomes aware of the proposed change (ref. GR-4.1.7).
                      Amended: April 2016
                      January 2013

                    • BR-2.2.17

                      A licensee must notify the CBB of any event as specified under Article 52 of the CBB Law.

                      January 2013

                  • Promotional Schemes

                    • BR-2.2.18

                      Licensees must notify the CBB, and send copies of the documentation relating to promotional schemes, at least ten business days prior to their launch, after ensuring that such promotional schemes are in line with the Rules under Section BC-1.

                      January 2013

                  • Introduction of New or Expanded Customer Products and Facilities

                    • BR-2.2.19

                      All licensees should notify the CBB of information relating to any new or expanded customer products and facilities in accordance with the requirements set out under Section BC-3.2.

                      January 2013

                  • Write-offs

                    • BR-2.2.20

                      All licensees must notify the CBB of any write-off of a credit facility of an amount in excess of BD100,000 or its equivalent in foreign currency.

                      January 2013

                • BR-2.3 BR-2.3 Approval Requirements

                  • Branches or Subsidiaries

                    • BR-2.3.1

                      In accordance with Rule AU-4.2.1, a licensee must seek prior written approval from the CBB for opening a branch or a subsidiary.

                      January 2013

                    • BR-2.3.2

                      Licensees wishing to cancel an authorisation for a branch or subsidiary must obtain the CBB's written approval before ceasing the activities of the branch or subsidiary.

                      January 2013

                  • Change in Name

                    • BR-2.3.3

                      In accordance with Paragraph GR-2.1.1, a licensee must seek prior written approval from the CBB and give reasonable advance notice of a change in:

                      (a) The licensee's name (being its registered name if the licensee is a body corporate); and/or
                      (b) The licensee's trade name.
                      January 2013

                    • BR-2.3.4

                      The request under Paragraph BR-2.3.3 must include the details of the proposed new name and the date on which the licensee intends to use the new name.

                      January 2013

                  • Change of Address

                    • BR-2.3.5

                      As specified in Article 51 of the CBB Law, a licensee must seek approval from the CBB and give reasonable advance notice of a change in the address of the licensee's principal place of business in Bahrain, and that of its branches.

                      January 2013

                    • BR-2.3.6

                      The request under Paragraph BR-2.3.5 must include the details of the proposed new address and the date on which the licensee intends to use the new address.

                      January 2013

                  • Change in Legal Status

                    • BR-2.3.7

                      A licensee must seek CBB approval and give reasonable advance notice of a change in its legal status that may, in any way, affect its relationship with or limit its liability to its customers.

                      January 2013

                  • Change in Paid-up or Issued Capital

                    • BR-2.3.8

                      As specified in Article 57(3) of the CBB Law, a licensee must seek CBB prior approval before making any modification to its issued or paid-up capital.

                      January 2013

                  • Controllers

                    • BR-2.3.9

                      In accordance with Section GR-4.1, licensees must seek CBB prior approval and give reasonable advance notice of any of the following events:

                      (a) A person acquiring control or ceasing to have control of the licensee;
                      (b) An existing controller acquiring an additional type of control (such as ownership or significant influence) or ceasing to have a type of control of the licensee;
                      (c) An existing controller increasing the percentage of shares or voting power beyond 10%, 20% or 40% of the licensee; and
                      (d) An existing controller becoming or ceasing to be a parent undertaking of the licensee.
                      Amended: April 2013
                      January 2013

                  • Mergers, Acquisitions, Disposals and Establishment of New Subsidiaries

                    • BR-2.3.10

                      A licensee incorporated in Bahrain must seek CBB prior approval and give reasonable advance notice of its intention to enter into a:

                      (a) Merger with another undertaking; or
                      (b) Proposed acquisition, disposal or establishment of a new subsidiary undertaking; or
                      (c) Modify its memorandum or articles of association.
                      Amended: January 2020
                      Amended: April 2013
                      Added: January 2013

                  • Write-offs

                    • BR-2.3.11

                      Licensees should obtain the CBB's prior written approval before writing off any of the following exposures:

                      (a) To any present or former director of the licensee;
                      (b) Which are guaranteed by a director of the licensee;
                      (c) To any business entity for which the licensee or any of its directors is an agent;
                      (d) To any officer or employee of the licensee, or any other person who receives remuneration from the licensee;
                      (e) To any business entity in which the licensee (or any of its directors, officers or other persons receiving remuneration from the licensee) has a material interest as a shareholder (i.e. 5% or more), or as a director, manager, agent or guarantor; and
                      (f) To any person who is a director, manager or officer of another licensee of the CBB.
                      January 2013

                  • Outsourcing Arrangements

                    • BR-2.3.12

                      [This Paragraph was deleted in January 2023].

                      Deleted: January 2023
                      Amended: January 2016
                      January 2013

                  • Matters Having a Supervisory Impact

                    • BR-2.3.13

                      A licensee must seek prior approval from the CBB for any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs after authorisation has been granted.

                      January 2013

                    • BR-2.3.14

                      Any licensee that wishes, intends or has been requested to do anything that might contravene, in its reasonable opinion, the provisions of UNSCR 1373 (and in particular Article 1, Paragraphs c) and d) of UNSCR 1373) must seek, in writing, the prior written opinion of the CBB on the matter (ref. FC-8.2.2).

                      January 2013

                    • BR-2.3.15

                      As specified in Article 57 of the CBB Law, a licensee wishing to modify its Memorandum or Articles of Association, must obtain prior written approval from the CBB.

                      January 2013

                    • BR-2.3.16

                      As specified in Article 57 of the CBB Law, a licensee wishing to transfer all or a major part of its assets or liabilities inside or outside the Kingdom, must obtain prior written approval from the CBB.

                      January 2013

                  • External Auditor

                    • BR-2.3.17

                      A licensee must seek prior approval from the CBB for the appointment or re-appointment of its external auditor (ref. AU-2.7.1 and AA-1.1.1)

                      January 2013

                  • Dividend Distribution

                    • BR-2.3.18

                      Licensees, must obtain the CBB's prior written approval to any dividend proposed to be distributed to the shareholders, in accordance with Chapter GR-4.

                      January 2013

                  • Approved Persons

                    • BR-2.3.19

                      A licensee must seek prior approval from the CBB for the appointment of persons undertaking a controlled function (ref. Article 65 of the CBB Law, AU-1.2 and AU-4.3.1).

                      January 2013

                    • BR-2.3.20

                      Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee (ref. AU-4.3.11).

                      January 2013

                    • BR-2.3.21

                      If a controlled function falls vacant, a licensee making immediate interim arrangements for the controlled function affected, must obtain approval from the CBB (ref. AU-4.4.5).

                      January 2013

                  • Cessation of Business

                    • BR-2.3.22

                      In accordance with Paragraph GR-7.1.1 and Article 50 of the CBB Law, licensees must seek the CBB's prior approval should they wish to cease to provide or suspend any or all of the licensed regulated services of their operations and/or liquidate their business.

                      January 2013

              • BR-3 BR-3 Information Gathering by the CBB

                • BR-3.1 BR-3.1 Power to Request Information

                  • BR-3.1.1

                    In accordance with Article 111 of the CBB Law, licensees must provide all information that the CBB may reasonably request in order to discharge its regulatory obligations.

                    January 2013

                  • BR-3.1.2

                    Licensees must provide all relevant information and assistance to the CBB inspectors and appointed experts on demand as required by Articles 111 and 114 of the CBB Law. Failure by licensees to cooperate fully with the CBB's inspectors or appointed experts, or to respond to their examination reports within the time limits specified, will be treated as demonstrating a material lack of cooperation with the CBB which will result in other enforcement measures being considered, as described elsewhere in Module EN. This rule is supported by Article 114(a) of the CBB Law.

                    January 2013

                  • BR-3.1.3

                    Article 163 of the CBB Law provides for criminal sanctions where false or misleading statements are made to the CBB or any person /appointed expert appointed by the CBB to conduct an inspection or investigation on the business of the licensee or the listed licensee.

                    January 2013

                  • Information Requested on Behalf of other Supervisors

                    • BR-3.1.4

                      The CBB may ask licensees to provide it with information at the request of or on behalf of other supervisors to enable them to discharge their functions properly. Those supervisors may include overseas supervisors or government agencies in Bahrain. The CBB may also, without notifying a licensee, pass on to those supervisors or agencies information that it already has in its possession.

                      January 2013

                • BR-3.2 BR-3.2 Access to Premises

                  • BR-3.2.1

                    In accordance with Article 114 of the CBB Law, a licensee must permit representatives of the CBB, or persons appointed for the purpose by the CBB to have access, with or without notice, during reasonable business hours to any of its business premises in relation to the discharge of the CBB's functions under the relevant law.

                    January 2013

                  • BR-3.2.2

                    A licensee must take reasonable steps to ensure that its agents and providers under outsourcing arrangements permit such access to their business premises, to the CBB.

                    January 2013

                  • BR-3.2.3

                    A licensee must take reasonable steps to ensure that each of its providers under material outsourcing arrangements deals in an open and cooperative way with the CBB in the discharge of its functions in relation to the licensee.

                    January 2013

                  • BR-3.2.4

                    The cooperation that licensees are expected to procure from such providers is similar to that expected of licensees themselves.

                    January 2013

                • BR-3.3 BR-3.3 Accuracy of Information

                  • BR-3.3.1

                    Licensees must take reasonable steps to ensure that all information they give to the CBB is:

                    (a) Factually accurate or, in the case of estimates and judgements, fairly and properly based after appropriate enquiries have been made by the licensee; and
                    (b) Complete, in that it should include everything which the CBB would reasonably and ordinarily expect to have.
                    January 2013

                  • BR-3.3.2

                    If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way, it must notify the CBB immediately. The notification must include:

                    (a) Details of the information which is or may be false, misleading, incomplete or inaccurate, or has or may have changed;
                    (b) An explanation why such information was or may have been provided; and
                    (c) The correct information.
                    January 2013

                  • BR-3.3.3

                    If the information in Paragraph BR-3.3.2 cannot be submitted with the notification (because it is not immediately available), it must instead be submitted as soon as possible afterwards.

                    January 2013

                • BR-3.4 BR-3.4 Methods of Information Gathering

                  • BR-3.4.1

                    The CBB uses various methods of information gathering on its own initiative which require the cooperation of licensees:

                    (a) Representatives of the CBB may make onsite visits at the premises of the licensee. These visits may be made on a regular basis, or on a sample basis, for special purposes such as theme visits (looking at a particular issue across a range of licensees), or when the CBB has a particular reason for visiting a licensee;
                    (b) Appointees of the CBB may also make onsite visits at the premises of the licensee. Appointees of the CBB may include persons who are not CBB staff, but who have been appointed to undertake particular monitoring activities for the CBB, such as in the case of Appointed Experts (refer to Chapter EN-2);
                    (c) The CBB may request the licensee to attend meetings at the CBB's premises or elsewhere;
                    (d) The CBB may seek information or request documents by telephone, at meetings or in writing, including electronic communication; or
                    (e) The CBB may require licensees to submit various documents or notifications, as per Chapter BR-2, in the ordinary course of their business such as financial reports or on the happening of a particular event in relation to the licensee such as a change in control.
                    January 2013

                  • BR-3.4.2

                    When seeking meetings with a licensee or access to the licensee's premises, the CBB or the CBB appointee needs to have access to a licensee's documents and personnel. Such requests will be made during reasonable business hours and with proper notice. There may be instances where the CBB may seek access to the licensee's premises without prior notice. While such visits are not common, the prospect of unannounced visits is intended to encourage licensees to comply at all times with the requirements and standards imposed by the CBB as per legislation and Volume 5 of the CBB Rulebook.

                    January 2013

                  • BR-3.4.3

                    The CBB considers that a licensee should:

                    (a) Make itself readily available for meetings with representatives or appointees of the CBB;
                    (b) Give representatives or appointees of the CBB reasonable access to any records, files, tapes or computer systems, which are within the licensee's possession or control, and provide any facilities which the representatives or appointees may reasonably request;
                    (c) Produce to representatives or appointees of the CBB specified documents, files, tapes, computer data or other material in the licensee's possession or control as may be reasonably requested;
                    (d) Print information in the licensee's possession or control which is held on computer or otherwise convert it into a readily legible document or any other record which the CBB may reasonably request;
                    (e) Permit representatives or appointees of the CBB to copy documents of other material on the premises of the licensee at the licensee's expense and to remove copies and hold them elsewhere, or provide any copies, as may be reasonably requested; and
                    (f) Answer truthfully, fully and promptly all questions which representatives or appointees of the CBB reasonably put to it.
                    January 2013

                  • BR-3.4.4

                    The CBB considers that a licensee should take reasonable steps to ensure that the following persons act in the manner set out in Paragraph BR-3.4.3:

                    (a) Its employees; and
                    (b) Any other members of its group and their employees.
                    January 2013

                  • BR-3.4.5

                    In gathering information to fulfill its supervisory duties, the CBB acts in a professional manner and with due regard to maintaining confidential information obtained during the course of its information gathering activities.

                    January 2013

                • BR-3.5 BR-3.5 The Role of the Appointed Expert

                  • Introduction

                    • BR-3.5.1

                      The content of this Chapter is applicable to all licensees and appointed experts.

                      January 2013

                    • BR-3.5.2

                      The purpose of the contents of this Chapter is to set out the roles and responsibilities of appointed experts when appointed pursuant to Article 114 or 121 of the CBB Law (see EN-2.1.1). These Articles empower the CBB to assign some of its officials or others to inspect or conduct investigations of licensees.

                      January 2013

                    • BR-3.5.3

                      The CBB uses its own inspectors to undertake on-site examinations of licensees as an integral part of its regular supervisory efforts. In addition, the CBB may commission reports on matters relating to the business of licensees in order to help it assess their compliance with CBB requirements. Inspections may be carried out either by the CBB's own officials, by duly qualified appointed experts appointed for the purpose by the CBB, or a combination of the two.

                      January 2013

                    • BR-3.5.4

                      The CBB will not, as a matter of general policy, publicise the appointment of an appointed expert, although it reserves the right to do so where this would help achieve its supervisory objectives. Both the appointed expert and the CBB are bound to confidentiality provisions restricting the disclosure of confidential information with regards to any such information obtained in the course of the investigation.

                      January 2013

                    • BR-3.5.5

                      Unless the CBB otherwise permits, appointed experts should not be the same firm appointed as external auditor of the licensee.

                      January 2013

                    • BR-3.5.6

                      Appointed experts will report directly to and be responsible to the CBB in this context and will specify in their report any limitations placed on them in completing their work (for example due to the licensee's group structure). The report produced by the appointed experts is the property of the CBB (but is usually shared by the CBB with the firm concerned).

                      January 2013

                    • BR-3.5.7

                      Compliance by appointed experts with the contents of this Chapter will not, of itself, constitute a breach of any other duty owed by them to a particular licensee (i.e. create a conflict of interest.

                      January 2013

                    • BR-3.5.8

                      The CBB may appoint one or more of its officials to work on the appointed experts' team for a particular licensee.

                      January 2013

                  • The Required Report

                    • BR-3.5.9

                      The scope of the required report will be determined and detailed by the CBB in the appointment letter. Commissioned appointed experts would normally be required to report on one or more of the following aspects of a licensee's business:

                      (a) Accounting and other records;
                      (b) Internal control systems;
                      (c) Returns of information provided to the CBB;
                      (d) Operations of certain departments; and/or
                      (e) Other matters specified by the CBB.
                      January 2013

                    • BR-3.5.10

                      Appointed experts will be required to form an opinion on whether, during the period examined, the licensee is in compliance with the relevant provisions of the CBB Law and the CBB's relevant requirements, as well as other requirements of Bahrain Law and, where relevant, industry best practice locally and/or internationally.

                      January 2013

                    • BR-3.5.11

                      The appointed experts' report should follow the format set out in Appendix BR-10, in part B of the CBB Rulebook.

                      Amended: July 2013
                      January 2013

                    • BR-3.5.12

                      Unless otherwise directed by the CBB or unless the circumstances described in Paragraph BR-3.5.16 apply, the report must be discussed with the Board of directors and/or senior management in advance of it being sent to the CBB.

                      January 2013

                    • BR-3.5.13

                      Where the report is qualified by exception, the report must clearly set out the risks which the licensee runs by not correcting the weakness, with an indication of the severity of the weakness should it not be corrected. Appointed experts will be expected to report on the type, nature and extent of any weaknesses found during their work, as well as the implications of a failure to address and resolve such weaknesses.

                      January 2013

                    • BR-3.5.14

                      If the appointed experts conclude, after discussing the matter with the licensee, that they will give a negative opinion (as opposed to one qualified by exception) or that the issue of the report will be delayed, they must immediately inform the CBB in writing giving an explanation in this regard.

                      January 2013

                    • BR-3.5.15

                      The report must be completed, dated and submitted, together with any comments by directors or management (including any proposed timeframe within which the licensee has committed to resolving any issues highlighted by the report), to the CBB within the timeframe applicable.

                      January 2013

                  • Other Notifications to the CBB

                    • BR-3.5.16

                      Appointed experts must communicate to the CBB, during the conduct of their duties, any reasonable belief or concern they may have that any of the requirements of the CBB, including the criteria for licensing a licensee (see Module AU), are not or have not been fulfilled, or that there has been a material loss or there exists a significant risk of material loss in the concerned licensee, or that the interests of customers are at risk because of adverse changes in the financial position or in the management or other resources of a licensee. Notwithstanding the above, it is primarily the licensee's responsibility to report such matters to the CBB.

                      January 2013

                    • BR-3.5.17

                      The CBB recognises that appointed experts cannot be expected to be aware of all circumstances which, had they known of them, would have led them to make a communication to the CBB as outlined above. It is only when appointed experts, in carrying out their duties, become aware of such a circumstance that they should make detailed inquiries with the above specific duty in mind.

                      January 2013

                    • BR-3.5.18

                      If appointed experts decide to communicate directly with the CBB in the circumstances set out in Paragraph BR-3.5.16, they may wish to consider whether the matter should be reported at an appropriate senior level in the licensee at the same time and whether an appropriate senior representative of the licensee should be invited to attend the meeting with the CBB.

                      January 2013

                  • Permitted Disclosure by the CBB

                    • BR-3.5.19

                      Information which is confidential and has been obtained under, or for the purposes of, this chapter or the CBB Law may only be disclosed by the CBB in the circumstances permitted under the Law. This will allow the CBB to disclose information to appointed experts to fulfil their duties. It should be noted, however, that appointed experts must keep this information confidential and not divulge it to a third party except with the CBB's permission and/or unless required by Bahrain Law.

                      January 2013

                  • Trilateral Meeting

                    • BR-3.5.20

                      The CBB may, at its discretion, call for a trilateral meeting(s) to be held between the CBB and representatives of the relevant licensee and the appointed experts. This meeting will provide an opportunity to discuss the appointed experts' examination of, and report on, the licensee.

                      January 2013

            • PD PD Financing Companies Public Disclosure Module

              • PD-A PD-A Introduction

                • PD-A.1 PD-A.1 Purpose

                  • PD-A.1.1

                    The purpose of this Module is to set out the detailed qualitative and quantitative public disclosure requirements that financing companies should adhere to in order to enhance corporate governance and financial transparency through better public disclosure. Such disclosures also help to protect customers and facilitate market discipline.

                    January 2014

                  • PD-A.1.2

                    This Module provides support for certain other parts of the Rulebook, namely:

                    (a) Prudential Consolidation and Deduction Requirements;
                    (b) Licensing and Authorisation Requirements;
                    (c) CBB Reporting Requirements;
                    (d) Credit Risk Management;
                    (e) Operational Risk Management;
                    (f) High Level Controls;
                    (g) Relationship with Audit Firms; and
                    (h) Penalties and Fines.
                    January 2014

                  • PD-A.1.3

                    This Module also provides support for certain aspects relating to disclosure requirements stipulated in the Central Bank of Bahrain and Financial Institutions Law (Decree No. 64 of 2006) and the Bahrain Commercial Companies Law (as amended).

                    January 2014

                  • Legal Basis

                    • PD-A.1.4

                      This Module contains the Central Bank of Bahrain's ('the CBB') Directive (as amended from time to time) relating to public disclosure and disclosure to shareholders and is issued pursuant to the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). It also incorporates the requirements of Article 62 of the CBB Law with respect to the publication of financial statements. The Directive in this Module is applicable to all financing company licensees.

                      January 2014

                    • PD-A.1.5

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      January 2014

                • PD-A.2 PD-A.2 General Requirements

                  • PD-A.2.1

                    All financing companies must have a formal disclosure policy as part of their overall communications strategy, supported by documented procedures and approved by the Board of Directors that addresses the disclosures that the company makes and the internal controls over the disclosure process. In addition, all financing companies must carry out a regular review of the validity of their disclosures (in terms of scope and accuracy) as outlined in Modules BR and AA.

                    January 2014

                  • PD-A.2.2

                    All financing companies are required to publish their annual audited, and reviewed quarterly financial statements per the rules set out in this Module and Article 62 of the CBB Law, the Bahrain Commercial Companies Law (as amended), the Rulebook of the licensed exchange and Volume 6 (Capital Markets), where applicable. Such financial statements must be prepared in accordance with International Financial Reporting Standards (IFRS) in the case of conventional financing companies and Financial Accounting Standards (FAS) issued by the Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI) in the case of Shari'a compliant financing companies.

                    January 2014

                  • PD-A.2.3

                    The CBB requires that each financing company maintain an up-to-date checklist of all applicable IFRS/AAOIFI standards and also the disclosure requirements set out in this Module for full compliance purposes. Such checklists should be part of the financing company's public disclosure procedures.

                    January 2014

                  • PD-A.2.4

                    The disclosures specified in this Module, which are in addition to those required by applicable accounting standards, must be reviewed by the financing company's external auditor based on agreed upon procedures (unless IFRS/ AAOIFI require that the concerned disclosures are audited).

                    January 2014

                  • PD-A.2.5

                    The disclosures in this Module may be presented as an accompanying document or appendices to the Annual Report or in the Notes to the Financial Statements at the discretion of the concerned financing company.

                    January 2014

                  • PD-A.2.6

                    The external auditor's review must also check other statements in the Annual Report such as the Chairman's report to ensure that such statements are consistent with the audited financial statements and the disclosures required by this Module. All qualitative or descriptive disclosures in the Annual Report must be based upon and reflective of facts and actual practice by the financing company (and be subject to the above review by the company's external auditor).

                    January 2014

                  • PD-A.2.7

                    If situations arise where disclosures required in this Module are in conflict with those required under IFRS/AAOIFI and/or any listing requirements issued by the CBB or a licensed exchange, listed financing companies should first follow the CBB's requirements as contained in Volume 6 (Capital Markets). In such situations, financing companies should explain any material differences between the accounting or other disclosures and the disclosure required in this Module. This explanation does not have to take the form of a line-by-line reconciliation, but should provide stakeholders with sufficient detail to make an objective assessment of the financing company's financial and operational health. Moreover, a formal notification to the CBB is required in such a situation.

                    January 2014

                  • PD-A.2.8

                    A financing company should decide which disclosures are relevant for it based on materiality and subject to the concurrence of the financing company's external auditor. For the financing companies' guidance, information would be regarded as material if its omission or misstatement could change or influence the assessment or decision of a user relying on that information for the purpose of making economic decisions.

                    January 2014

                  • PD-A.2.9

                    Non-compliance with these disclosure requirements is likely to lead to enforcement actions, such as a fine, as outlined in Module EN (Enforcement) .

                    January 2014

                • PD-A.3 PD-A.3 Proprietary and Confidential Information

                  • PD-A.3.1

                    Proprietary information encompasses information (for example on products or systems), that if shared with competitors would render a financing company's investment in these products/systems less valuable, and hence would undermine its competitive position. Information about customers is often confidential, in that it is provided under the terms of a legal agreement or counterparty relationship. This has an impact on what financing companies should reveal in terms of information about their customer base, as well as details on their internal commercial arrangements, for instance methodologies used, parameter estimates, data etc.

                    January 2014

                  • PD-A.3.2

                    If a financing company considers that disclosure of certain information required in Section PD-1.3 may prejudice seriously its position by making public information that is either proprietary or confidential in nature, it need not disclose those specific items, subject to the prior approval of the CBB. In such situations, the CBB may require the disclosure of more general information about the subject matter of the requirement, together with the fact that, and the reason why, the specific items of information have not been disclosed. This limited exemption is not intended to conflict with the disclosure requirements under IFRS and AAOIFI, as applicable.

                    January 2014

                • PD-A.4 PD-A.4 Module History

                  • Evolution of Module

                    • PD-A.4.1

                      This Module was first issued in January 2014 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      January 2014

                    • PD-A.4.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      PD-2.1.2 04/2014 Deleted requirement for non-listed licensees to publish semi-annual financial statements.
                      PD-1.3.18 10/2019 Amended Paragraph on disclosure of financial penalties.
                      PD-1.2.6 01/2022 Amended Paragraph on submission of annual report.
                      PD-1.2.5 & PD-2.1.5 07/2023 Amended Paragraphs on submission of newspaper extracts of financial statements.
                           

                  • Superseded Requirements

                    • PD-A.4.3

                      This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                      Document Ref. Document Subject
                      Volumes 1 and 2 Module PD
                         
                      January 2014

              • PD-B PD-B Scope of Application

                • PD-B.1 PD-B.1 Scope

                  • PD-B.1.1

                    This Module applies to all financing company licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

                    January 2014

              • PD-1 PD-1 Annual Disclosure Requirements

                • PD-1.1 PD-1.1 Introduction

                  • PD-1.1.1

                    The purpose of this Chapter is to set out the CBB's requirements relating to the disclosure of information in the annual audited financial statements and the Annual Report of all licensees. This Chapter also refers to the Bahrain Commercial Companies Law (as amended) and the Rulebook of the licensed exchange relating to public disclosure and reporting requirements.

                    January 2014

                  • PD-1.1.2

                    For the purpose of this Module, the following definitions apply:

                    (a) 'Interest in the shares' includes, but is not be limited to, direct and/or indirect ownership of such shares, the right of voting associated with such shares, the right to receive dividends payable on such shares, and/or any right, regardless of the form thereof, to purchase (or otherwise acquire an interest in) such shares at any time;
                    (b) 'Audited financial statements' refers to the financial statements required under International Financial Reporting Standards (IFRS) and/or Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI); and
                    (c) 'Annual Report' refers to the document which contains the full audited financial statements and accompanying notes as well as any accompanying commentary by the senior officials of the company.
                    January 2014

                • PD-1.2 PD-1.2 Requirements for Annual Audited Financial Statements and Annual Report

                  • Submission of Annual Audited Financial Statements

                    • PD-1.2.1

                      All licensees must submit their annual audited financial statements to the CBB within 3 months of the end of the licensee's financial year (as required by Article 62 of the CBB Law). Licensees' annual audited financial statements must be audited by their external auditor.

                      January 2014

                    • PD-1.2.2

                      Licensees are also required to publish the annual audited financial statements on their website (see also PD-1.3.5(g)) within one week of submission to the CBB.

                      January 2014

                  • Publication of Annual Audited Financial Statements

                    • PD-1.2.3

                      Licensees must publish extracts from their audited annual financial statements in one Arabic and one English daily newspaper within 2 months of the end of the financial year. The newspaper disclosures may be edited, but must include at a minimum the balance sheet, the statements of income, cash flow, changes in equity and, where applicable, the statement of comprehensive income. The newspaper disclosures must also be published on the licensee's website within one week of publication.

                      January 2014

                    • PD-1.2.4

                      The newspaper disclosures must include a reference to the fact that the published figures 'have been extracted from financial statements audited by XYZ auditor, who expressed an unqualified opinion on (dated report)'. Licensees must disclose in full any audit qualifications or matter of emphasis paragraphs contained within the auditor's opinion. The auditor's opinion must be made in accordance with the International Standards on Auditing as established by the International Federation of Accountants and AAOIFI's Standards on Auditing, where applicable.

                      January 2014

                    • PD-1.2.5

                      Licensees must submit a copy of the newspaper extracts from their annual audited financial statements to the CBB within two business days of publication in the concerned newspapers clearly showing on which date and in which publications the statements were published.

                      Amended: July 2023
                      January 2014

                  • Submission of Annual Report

                    • PD-1.2.6

                      All licensees must submit a soft copy (electronic) of their full annual report to the CBB, including the full disclosures prescribed in this Chapter within 4 months of the end of the licensee's financial year.

                      Amended: January 2022
                      Added: January 2014

                    • PD-1.2.7

                      Licensees are also required to place the annual report on their website (see also PD-1.3.5(g)) within one week of submission to the CBB.

                      January 2014

                • PD-1.3 PD-1.3 Disclosures in the Annual Report

                  • Introduction

                    • PD-1.3.1

                      Licensees should provide timely information which facilitates market participants' assessment of them. The disclosure requirements set out in this Section must be included in the Annual Report either as an appendix or in the notes to the audited financial statements at the discretion of the concerned licensee. The disclosures should be addressed in clear terms and with appropriate details to help achieve a satisfactory level of transparency.

                      January 2014

                    • PD-1.3.2

                      If a licensee is unable to achieve full compliance with the requirements stated in this Chapter, a meeting should be held with the relevant Banking Supervision Director at the CBB in the presence of the concerned external auditor to discuss the reasons for such non-compliance prior to the finalisation of the Annual Report. It is the responsibility of the licensee to call for such meetings.

                      January 2014

                  • Scope of Application — Qualitative Disclosures

                    • PD-1.3.3

                      The following information must be disclosed in relation to the licensee, its subsidiaries and associates:

                      (a) The full legal name of the top corporate entity in the group to which the disclosure requirements apply; and
                      (b) An outline of the differences in the basis of consolidation for accounting and regulatory purposes.
                      January 2014

                  • Financial Performance and Position

                    • PD-1.3.4

                      The following information should be included:

                      (a) Discussion of the main factors that influenced the licensee's financial performance for the year, explaining any differences in performance between the current year and previous years and the reasons for such differences, and discussing factors that will have a significant influence on the licensee's future financial performance;
                      (b) Basic quantitative indicators of financial performance (e.g. ROAE, ROAA, NIM, cost-to-income ratios) for the past 5 years;
                      (c) A discussion of the impact of acquisitions of new businesses and discontinued business and unusual items; and
                      (d) A discussion of any changes in the capital structure and their possible impact on earnings and dividends.
                      January 2014

                  • Corporate Governance and Transparency

                    • PD-1.3.5

                      The following information relating to corporate governance must be disclosed in the Annual Report:

                      (a) Information about the Board structure (e.g. the size of the Board, Board committees, function of committees and membership showing executive, non-executive and independent members) and the basic organisational structure (lines of business structure and legal entity structure);
                      (b) Information about the profession, business title, and experience in years of each Board member and the qualifications and experience in years of all senior managers;
                      (c) Descriptive information on the managerial structure, including:
                      (i) Committees;
                      (ii) Segregation of duties;
                      (iii) Reporting lines; and
                      (iv) Responsibilities;
                      (d) Descriptive information on the performance-linked incentive structure for the Chief Executive, the General Manager, Managers, Shari'a Board and the Board of directors (remuneration policies, executive compensation, stock options, etc.);
                      (e) Nature and extent of transactions with related parties (as defined by IFRS and AAOIFI as appropriate — see also PD-1.3.11(d));
                      (f) Approval process for related party transactions;
                      (g) Information about any changes in the structures (as mentioned in Subparagraphs PD-1.3.5(a) to PD-1.3.5(c)) from prior periods;
                      (h) The communications strategy approved by the Board (including the use of the licensee's website) which should undertake to perform at least the following:
                      (i) The disclosure of all relevant information to stakeholders on a periodic basis in a timely manner; and
                      (ii) The provision of at least the last three years of financial data on the licensee's website;
                      (i) Distribution of ownership of shares by nationality;
                      (j) Directors' and senior managers' trading of the licensee's shares during the year, on an individual basis;
                      (k) Distribution of ownership of shares by directors and senior managers, on an individual basis;
                      (l) Distribution of ownership of shares by size of shareholder;
                      (m) Ownership of shares by government;
                      (n) The Board's functions — rather than a general statement (which could be disclosed simply as the Board's legal obligations under various laws) the 'mandate' of the Board should be set out;
                      (o) The types of material transactions that require Board approval;
                      (p) Number and names of independent board members;
                      (q) Board terms and start date for each term for each director;
                      (r) What the board does to induct, educate and orient new directors;
                      (s) Election system of directors and any termination arrangements;
                      (t) Meeting dates (number of meetings during the year);
                      (u) Attendance of directors at each meeting;
                      (v) Whether the board has adopted a written code of ethical business conduct, and if so the text of that code and a statement of how the board monitors compliance;
                      (w) Minimum number of Board committee meetings per year, the actual number of board meetings, attendance of committees' members and the work of committees and any significant issues arising during the period;
                      (x) Reference to Module HC and any amendments subsequently made by the CBB, including explanation and nature of any non-compliance with Module HC in accordance with Paragraph HC-A.1.8;
                      (y) Review of internal control processes and procedures;
                      (z) Directors responsibility with regard to the preparation of financial statements;
                      (aa) Board of Directors — whether or not the board, its committees and individual directors are regularly assessed with respect to their effectiveness and contribution;
                      (bb) Licensees must maintain a website;
                      (cc) Aggregate remuneration paid to board members;
                      (dd) Remuneration policy of the licensee for board members and senior management; and
                      (ee) Aggregate remuneration paid to senior management.
                      January 2014

                    • PD-1.3.5A

                      With regards to corporate governance, licensees are subject to additional disclosure requirements on corporate governance, whereby such disclosure are for the benefit of shareholders (See Chapter PD-4).

                      January 2014

                  • Capital Structure — Qualitative Disclosures

                    • PD-1.3.6

                      All licensees must disclose summary information of the terms and conditions of the main features of all capital instruments listed in Paragraph PD-1.3.7 including innovative, complex or hybrid capital instruments.

                      January 2014

                  • Capital Structure — Quantitative Disclosures

                    • PD-1.3.7

                      All licensees must disclose the amount of core capital with separate disclosures of:

                      (a) Authorised capital;
                      (b) Paid-up share capital/common stock;
                      (c) Breakdown of reserves and retained earnings;
                      (d) Minority interests in the equity of subsidiaries;
                      (e) Other capital instruments such as subordinated debt or hybrid capital instruments; and
                      (f) Regulatory deductions from core capital (see Paragraph CA-1.1.6 for more guidance).
                      January 2014

                  • Capital Adequacy

                    • PD-1.3.8

                      All licensees must present a summary of the licensee's approach to assessing the adequacy of capital and adherence to the gearing requirements to support current and future activities.

                      January 2014

                  • General Qualitative Disclosure Requirements

                    • PD-1.3.9

                      All licensees must describe their risk management objectives and policies for each separate risk area below and provide information on whether or not strategies used have been effective throughout the reporting period. The strategies, processes and internal controls (including internal audit) must be described for each area below including the structure and organisation of the relevant risk management function, and the scope and nature of risk reporting systems and policies for hedging/mitigating risk and strategies for monitoring the continuing effectiveness of hedges/mitigants. There are also certain specific disclosures for each of these areas in addition to the general qualitative disclosures required by this Paragraph:

                      (a) Credit risk (see also PD-1.3.10 – PD-1.3.12);
                      (b) Securitisations (see also PD-1.3.13 – PD-1.3.14); and
                      (c) Operational Risk (see also PD-1.3.15 – PD-1.3.16).
                      January 2014

                  • Credit Risk — Qualitative Disclosures

                    • PD-1.3.10

                      All licensees must make the general qualitative disclosures outlined in Paragraph PD-1.3.9, as well as those below:

                      (a) Definition of past due and impaired credit facilities (for accounting purposes); and
                      (b) Description of the approaches for specific and collective impairment provisions and statistical methods used (where applicable).
                      January 2014

                  • Credit Risk — Quantitative Disclosures

                    • PD-1.3.11

                      All licensees must disclose the following:

                      (a) Total gross credit exposures (gross outstanding before any risk mitigation) plus average gross exposures over the period broken down by major types of credit exposure (as outlined under IFRS) into funded and unfunded exposures. Where the period end position is representative of the risk positions of the company during the period, average gross exposures need not be disclosed. Licensees must state that average gross exposures have not been disclosed for this reason. Where average amounts are disclosed in accordance with an accounting standard or other requirement which specifies the calculation method to be used, that method should be followed. Otherwise, the average exposures should be calculated using the most frequent interval that an entity's systems generate for management, regulatory or other reasons, provided that the resulting averages are representative of the licensee's operations. The basis used for calculating averages needs to be stated;
                      (b) Geographic distribution of exposures, broken down into significant areas by major types of credit exposure. Geographical areas may be individual countries, or groups of countries. Licensees may define the geographical area according to how they manage the concerned areas internally. The criteria used to allocate exposures to particular geographical areas should be specified;
                      (c) Distribution of exposures by industry or counterparty type, broken down by major types of credit exposure, broken down by funded and unfunded exposure;
                      (d) Intra-group transactions including exposures to related parties, and whether such transactions have been made on an arm's length basis;
                      (e) By major industry or counterparty type:
                      (i) Amount of impaired loans/facilities and past due loans/facilities (see PD-1.3.12);
                      (ii) Specific and collective impairment provisions (see PD-1.3.12);
                      (iii) Charges for specific impairment provisions and charge-offs (write-offs) during the period; and
                      (iv) Reconciliation of changes in provisions for loan impairment;
                      (f) Amount of past due credit facilities, separately broken down by significant geographic areas, including the amounts of specific and collective impairment provisions related to each geographical area (see PD-1.3.11(b) for definition of geographical area);
                      (g) Aggregate quantitative information about all outstanding credit facilities at year end not included in (f) above that have been restructured (according to the definition in the PIR instructions) during the period including:
                      (i) The balance of any restructured credit facilities ;
                      (ii) The magnitude of any restructuring activity;
                      (iii) The impact of restructured credit facilities on provisions and present and future earnings; and
                      (iv) The basic nature of concessions on all credit relationships that are restructured.
                      If full repayment is expected, the restructured credit need not be disclosed in this section after satisfactory performance for a period of six months in accordance with the modified terms; and
                      (h) Quantitative information concerning obligations with respect to recourse transactions (i.e. where the asset has been sold, but the company retains responsibility for repayment if the original counterparty defaults or fails to fulfil their obligations). Information must include the amount of assets sold and any expected losses.
                      January 2014

                    • PD-1.3.12

                      For Paragraph PD-1.3.11, the following notes are provided for interpretative guidance:

                      (a) Licensees must follow the residual maturity groupings currently followed under IFRS 7, but they must also extend the periods to include 5-10 years, 10-20 years, and 20 years and over (where the licensees have exposures or liabilities of such maturity);
                      (b) In PD-1.3.11(e), licensees must provide an ageing of past due credit facilities on the following basis:
                      (i) Ageing schedule (over 3 months, over 1 year and over 3 years) of past due credit facilities and other assets; and
                      (ii) Breakdown by relevant counterparty type and geographic area;
                      (c) For specific, collective and other impairment provisions, the portion of collective impairment provisions not allocated to specific geographical areas should be shown separately; and
                      (d) The reconciliation of changes in provisions should show specific and collective impairment provisions separately.
                      January 2014

                  • Securitisation — Qualitative Disclosure Requirements

                    • PD-1.3.13

                      All licensees must disclose the following with respect to securitisation activities:

                      (a) The general qualitative disclosure requirement (PD-1.3.9) with respect to securitisation, including a summary of:
                      (i) The licensee's objectives in relation to its securitisation activities, including the extent to which these activities transfer credit risk of the underlying securitised exposures away from the licensee to other parties; and
                      (ii) The roles played by the licensee in the securitisation process (for example, is the licensee the originator of the underlying risks, is it an investor, is it a servicer, is it a provider of credit enhancement, is it a sponsor of an asset-backed commercial paper facility, is it a liquidity provider, or is it a swap provider?) and an indication of the licensee's involvement in each of them;
                      (b) A summary of the licensee's accounting policies for securitisation activities, including:
                      (i) Whether transactions are treated as sales or financing;
                      (ii) Recognition of gain on sale;
                      (iii) Key assumptions for valuing retained interests, including any changes since the last report and the impact of such changes; and
                      (iv) Treatment of synthetic securitisations if not covered by other accounting policies (e.g. derivatives); and
                      (c) The names of External Credit Assessment Institutions (ECAIs) used for securitisations and the type of securitisation exposure for which each agency is used.
                      January 2014

                  • Securitisation — Quantitative Disclosure Requirements

                    • PD-1.3.14

                      Licensees must disclose the following quantitative information with respect to securitisation activities:

                      (a) The total outstanding exposures securitised by the licensee and subject to the securitisation framework (broken down into traditional and synthetic), by exposure type. These should be categorised under bands such as credit cards, home equity, etc. Also licensees must separately report any securitisation transactions for the year of inception where they do not retain any exposure. Licensees should also clearly identify securitisations where they are acting purely as sponsors;
                      (b) Securitisations broken down by exposure type showing:
                      (i) The amount of impaired or past due assets securitised; and
                      (ii) Losses recognised by the company during the current period;
                      (c) The aggregate amount of securitisation exposures retained or purchased, broken down by exposure type; and
                      (d) Summary of current year's securitisation activity, including the amount of exposures securitised (by exposure type) and recognised gain or loss on sale by asset type.
                      January 2014

                  • Operational Risk Disclosures

                    • PD-1.3.15

                      All licensees must disclose the general qualitative disclosures (PD-1.3.9) and also the approach for operational risk which the licensee employs to control such risk, and disclosures of any issues considered to be individually significant.

                      January 2014

                    • PD-1.3.16

                      All licensees must disclose quantitative information on any material legal contingencies including pending legal actions, and a discussion and estimate of the potential liabilities, in addition to qualitative statements about how licensees manage and control such risks.

                      January 2014

                  • Compliance

                    • PD-1.3.17

                      The annual report must include a declaration by the external auditor that it did not come across any violations of the requirements below during the course of its audit work that would have any material negative impact on the financial position of the licensee:

                      (a) The Bahrain Commercial Companies Law;
                      (b) The CBB Law where a violation might have had a material negative effect on the business of the licensee or on its financial position;
                      (c) The Regulations and Directives issued by the CBB, including Volume 6 (Capital Markets); and
                      (d) The Rulebook of the licensed exchange and associated Resolutions, Rules and Procedures.
                      January 2014

                    • PD-1.3.18

                      The annual report must disclose the amount of any penalties paid to the CBB during the period of the report together with a factual description of the reason(s) given by the CBB for the penalty (see Module EN). Licensees which fail to comply with this requirement will be required to make the disclosure in the annual audited financial statements of the subsequent year and will be subject to enforcement action for non-disclosure.

                      Amended: October 2019
                      January 2014

                • PD-1.4 PD-1.4 Additional Disclosure in the Annual Audited Financial Statements of Licensees Listed on a Licensed Exchange

                  • PD-1.4.1

                    The content of this Section is applicable only to licensees listed on a licensed exchange.

                    January 2014

                  • PD-1.4.2

                    The disclosure requirements set out in this Section for listed licensees referred to under Paragraph PD-1.4.1 are in addition to those set out in Section PD-1.3.

                    January 2014

                  • Interests of Approved Persons

                    • PD-1.4.3

                      Without prejudice to any other requirement of Bahrain law (or any other direction of the CBB), the Directors' Report Section of the annual audited financial statements of listed licensees should contain details of the interests of approved persons in the shares of such licensees. Such details should include:

                      (a) Total interests in the shares of listed licensees by approved persons; and
                      (b) Changes in such interests from the previous financial year to the current financial year.
                      January 2014

                    • PD-1.4.4

                      For the purpose of the disclosure required under Paragraph PD-1.4.3, any interests in the shares of a listed licensee held by the connected person(s) of an approved person, or any other person the control of whose interests in such shares lies ultimately with the approved person, shall be deemed to be the interests of the relevant approved person. For a definition of 'interest in the shares', see Paragraph PD-1.1.2(a).

                      January 2014

                • PD-1.5 PD-1.5 Press Release on Annual Results

                  • PD-1.5.1

                    Where a licensee chooses to issue a narrative press release in conjunction with or in relation to the publication of its audited annual financial statements as required under Paragraph PD-1.2.3, the press release must indicate the net income for the last quarter.

                    January 2014

              • PD-2 PD-2 Quarterly Disclosure Requirements

                • PD-2.1 PD-2.1 Publication of Reviewed (Unaudited) Quarterly/Semi-Annual Financial Statements for Licensees

                  • PD-2.1.1

                    Licensees that are listed companies must prepare reviewed (unaudited) quarterly financial statements in accordance with IFRS and/or AAOIFI (for sharia-compliant licensees) for the first three quarters of their financial year.

                    January 2014

                  • PD-2.1.2

                    [This Paragraph was deleted in April 2014.]

                    Deleted: April 2014
                    January 2014

                  • PD-2.1.3

                    Licensees' unaudited financial statements must be reviewed by their external auditor who must also make a statement regarding the results of such review. Such review and statement should be made in accordance with the applicable International Standard on Review Engagements.

                    January 2014

                  • PD-2.1.4

                    Extracts from the reviewed financial statements (including at a minimum the balance sheet, the statements of income, the cash flow, changes in equity and where applicable, the statement of comprehensive income) must be published in one Arabic and one English daily newspaper widely available in Bahrain and on the licensee's website within forty-five calendar days of the end of the period to which such statements relate.

                    January 2014

                  • PD-2.1.5

                    Licensees must submit a newspaper copy of the statements (referred to under Paragraph PD-2.1.4) to the CBB within two business days of publication clearly showing on which date and in which publication(s) the statements were published.

                    Amended: July 2023
                    January 2014

                  • Additional Requirements for Semi Annual Disclosures

                    • PD-2.1.6

                      In addition to the requirements of Paragraphs PD-2.1.1 to PD-2.1.5 above, licensees must make all the quantitative disclosures required by Section PD-1.3 with their half-yearly financial statements on their website.

                      January 2014

                • PD-2.2 PD-2.2 Special Arrangements for Newly-Established Licensees

                  • PD-2.2.1

                    Newly-established licensees are not required to follow the publication requirements of Section PD-2.1 for the first three quarters of their operation or until the commencement of their second financial year of operation (whichever period is the longer).

                    January 2014

                  • PD-2.2.2

                    After the above period has expired, all newly-established locally incorporated licensees must follow the publication requirements of Section PD-2.1. Newly-established licensees must follow the requirements for annual reporting.

                    January 2014

              • PD-3 PD-3 Other Public Disclosure Requirements

                • PD-3.1 PD-3.1 Press Releases Concerning Financial Statements

                  • PD-3.1.1

                    Licensees must obtain the CBB's prior approval before issuing any press releases regarding interim or annual financial statements. Licensees must not publish or cause to be published, any media statements until such times as CBB approval has been granted.

                    January 2014

                  • PD-3.1.2

                    In implementing Rule PD-3.1.1, the CBB will provide the licensee with a written decision within two business days of the receipt of request for approval.

                    January 2014

              • PD-4 PD-4 Corporate Governance Disclosure to Shareholders

                • PD-4.1 PD-4.1 General Requirements

                  • PD-4.1.1

                    In addition to the corporate governance disclosure required under Paragraph PD-1.3.5, licensees must also disclose to their shareholders the following information:

                    (a) Names of shareholders owning 5% or more and, if they act in concert, a description of the voting, shareholders' or other agreements among them relating to acting in concert, and of any other direct and indirect relationships among them or with the bank licensee or other shareholders;
                    (b) Information on the directorships held by the directors on other boards;
                    (c) Audit fees charged by the external auditor;
                    (d) Non-audit services provided by the external auditor and fees;
                    (e) Reasons for any switching of auditors and reappointing of auditors; and
                    (f) Conflict of Interest — any issues arising must be reported and, in addition describe any steps the board has taken or will take to ensure directors exercise independent judgment in considering transactions and agreements in respect of which a director or executive officer has a material interest.
                    January 2014

      • Type 4: Type 4: Administrators

        • Part A

          • High Level Standards

            • AU AU Administrators Authorisation Module

              • AU-A AU-A Introduction

                • AU-A.1 AU-A.1 Purpose

                  • Executive Summary

                    • AU-A.1.1

                      The Authorisation Module sets out the CBB's approach to licensing providers of regulated administration services in the Kingdom of Bahrain. It also sets out CBB requirements for approving persons undertaking key functions in those providers.

                      May 2011

                    • AU-A.1.2

                      Licensed providers of regulated administration services are called fund administrators and registrars.

                      May 2011

                    • AU-A.1.3

                      Regulated administration services are defined in Paragraphs AU-1.1.11 and AU-1.1.12.

                      May 2011

                    • AU-A.1.4

                      Persons undertaking certain functions in relation to licensees require prior CBB approval. These functions (called 'controlled functions') include Directors and members of senior management. The controlled functions regime supplements the licensing regime by ensuring that key persons involved in the running of licensees are fit and proper. Those authorised by the CBB to undertake controlled functions are called approved persons.

                      May 2011

                  • Retaining Authorised Status

                    • AU-A.1.5

                      The requirements set out in Chapters AU-2 and AU-3 represent the minimum conditions that have to be met in each case, both at the point of authorisation and on an on-going basis thereafter, in order for authorised status to be retained.

                      May 2011

                  • Legal Basis

                    • AU-A.1.6

                      This Module contains the Central Bank of Bahrain ('CBB') Directive, Regulations and Resolutions (as amended from time to time) regarding authorisation under Volume 5 of the CBB Rulebook. It is applicable to all licensees (as well as to approved persons), and is issued under the powers available to the CBB under Articles 37 to 42, 44 to 48 and 180 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). CBB-licensed fund administrators and registrars must also comply with Resolution No. 1 of the year 2007 'new license fees system' (as amended from time to time). The Module also contains requirements governing the conditions of granting a license for the provision of regulated services as prescribed under Resolution No.(43) of 2011 and issued under the powers available to the CBB under Article 44(c). The Module contains requirements under Resolution No.(16) for the year 2012 including the prohibition of marketing financial services pursuant to Article 42 of the CBB Law. This Module contains the prior approval requirements for approved persons under Resolution No (23) of 2015.

                      Amended: July 2015
                      Amended: January 2013
                      Amended: April 2012
                      May 2011

                    • AU-A.1.7

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      May 2011

                • AU-A.2 AU-A.2 Module History

                  • Evolution of Module

                    • AU-A.2.1

                      This Module was first issued in May 2011. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      May 2011

                    • AU-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      AU-A.1.6 04/2012 Legal basis updated to reflect all Articles of the CBB Law covered by this Module as well as applicable Resolutions.
                      AU-1.1.4 and AU-1.1.5 04/2012 Clarified licensing requirements for those licensees already licensed under another Volume of the CBB Rulebook.
                      AU-4.3 04/2012 Clarified language on cancellation of a license to be in line with other Volumes of the CBB Rulebook.
                      AU-A.1.6 01/2013 Updated legal basis.
                      AU-1.1 01/2013 References added to requirements under Resolution No.(16) for the year 2012.
                      AU-1.2.3 01/2013 Clarified approval requirements for controlled functions for Bahrain operations.
                      AU-4.3.4A 01/2013 Corrected cross reference to CBB Law.
                      AU-5.2 07/2013 Amended due date and collection process for annual license fee.
                      AU-A.1.6 07/2015 Legal basis updated to reflect Resolution No (23) of 2015.
                      AU-4.2 07/2015 Amended to be in line with Resolution No (23) of 2015 on Prior Approval Requirements for Approved Persons.
                      AU-4.3.5 07/2015 Clarified interim arrangements for replacement of approved persons.
                      AU-1.2 01/2016 Clarified general requirements for approved persons.
                      AU-2.4.4 01/2016 Paragraph deleted as it is not applicable for this Module.
                      AU-3 01/2016 Amended to be in line with Resolution No (23) of 2015 on Prior Approval Requirements for Approved Persons.
                      AU-4.2 01/2016 Minor amendments to be aligned with other Volumes of the Rulebook.
                      AU-4.4 07/2017 Added new Section on Publication of the Decision to Grant, Cancel or Amend a License.
                      AU-4.1.1 04/2018 Amended Paragraph.
                      AU-4.1.17 04/2018 Amended Paragraph.
                      AU-4.2.2 04/2018 Amended Paragraph.
                      AU-4.1.1 07/2019 Amended Paragraph to remove references to hardcopy Form 1 submission to online submission.
                      AU-4.1.20 10/2019 Changed from Rule to Guidance.
                      AU-4.1.21 10/2019 Changed from Rule to Guidance.
                      AU-4.1.22 10/2019 Changed from Rule to Guidance.
                      AU-4.4.1 10/2019 Changed from Rule to Guidance.
                      AU-4.2.10A 01/2021 Added a new Paragraph on compliance of approved persons with the fit and proper requirement.

              • AU-B AU-B Scope of Application

                • AU-B.1 AU-B.1 Scope of Application

                  • AU-B.1.1

                    The content of this Module applies to all administrators licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

                    May 2011

                  • AU-B.1.2

                    Two types of authorisation are prescribed:

                    (i) Any person seeking to provide a regulated administration service within or from the Kingdom of Bahrain must hold the appropriate CBB license (see AU-1.1); and
                    (ii) Natural persons wishing to perform a controlled function in administrators licensee also require prior CBB approval, as an approved person (see AU-1.2).
                    May 2011

                • AU-B.2 AU-B.2 Authorised Persons

                  • AU-B.2.1

                    Various requirements in Chapters AU-2 to AU-3 inclusive also apply to persons once they have been authorised by the CBB (whether as licensees or approved persons).

                    May 2011

                  • AU-B.2.2

                    Chapter AU-2 applies to licensees (not just applicants), since licensing conditions have to be met on a continuous basis by licensees. Similarly, Chapter AU-3 applies to approved persons on a continuous basis; it also applies to licensees seeking an approved person authorisation. Chapter AU-4 contains requirements applicable to licensees, with respect to the starting up of their operations, as well as to licensees and approved persons, with respect to the amendment or cancellation of their authorised status. Finally, Section AU-5.2 imposes annual fees on licensees.

                    May 2011

              • AU-1 AU-1 Authorisation Requirements

                • AU-1.1 AU-1.1 Licensing

                  • AU-1.1.1

                    No person may:

                    (a) Undertake (or hold themselves out to undertake) regulated administration services (as defined under Paragraph AU-1.1.11), by way of business, within or from the Kingdom of Bahrain unless duly licensed by the CBB;
                    (b) Hold themselves out to be licensed by the CBB unless they have as a matter of fact been so licensed; or
                    (c) Market any financial services in the Kingdom of Bahrain unless:
                    (i) Allowed to do by the terms of a license issued by the CBB;
                    (ii) The activities come within the terms of an exemption granted by the CBB by way of a Directive; or
                    (iii) Has obtained the express written permission of the CBB to offer financial services.
                    Amended: January 2013
                    May 2011

                  • AU-1.1.2

                    For the purposes of Rule AU-1.1.1(a), please refer to Paragraphs AU-1.1.11 and AU-1.1.12 for the definition of 'regulated administration services' and Paragraph AU-1.1.13 for the definition of 'by way of business'. Such activities will be deemed to be undertaken within or from the Kingdom of Bahrain if, for example, the person concerned:

                    (a) Is incorporated in the Kingdom of Bahrain;
                    (b) Uses an address situated in the Kingdom of Bahrain for its correspondence; or
                    (c) Directly solicits clients, who are resident within the Kingdom of Bahrain.
                    May 2011

                  • AU-1.1.3

                    For the purposes of Rule AU-1.1.1(b), persons would be considered in breach of this requirement if they were to trade as, or incorporate a company in Bahrain with a name containing the words (or the equivalents in any language) 'fund administration', without holding the appropriate CBB license or the prior approval of the CBB.

                    May 2011

                  • AU-1.1.3A

                    In accordance with Resolution No.(16) for the year 2012 and for the purpose of Subparagraph AU-1.1.1(c), the word market refers to any promotion, offering, announcement, advertising, broadcast or any other means of communication made for the purpose of inducing recipients to purchase or otherwise acquire financial services in return for monetary payment or some other form of valuable consideration.

                    Added: January 2013

                  • AU-1.1.3B

                    Persons in breach of Subparagraph AU-1.1.1(c) are considered in breach of Resolution No.(16) for the year 2012 and are subject to penalties under Articles 129 and 161 of the CBB Law (see also Section EN-9.3).

                    Added: January 2013

                  • AU-1.1.4

                    Where a person is licensed under Volumes 1 or 2, i.e. as a bank, or under Volume 4 as a Category 1 or Category 2 investment firm licensee, then a separate license under Volume 5 is not required in order to undertake activities of the kind specified under Paragraph AU-1.1.11, subject to the licensee meeting all the requirements of Volumes 1, 2 or 4.

                    Amended: April 2012
                    May 2011

                  • AU-1.1.5

                    Persons licensed by the CBB may also undertake the specific activities covered by the definition of regulated administration services, since these specific activities also form part of the definition of regulated banking services (or regulated Islamic banking services in the case of Islamic banks) or regulated investment services. In such cases, licensees are not required to hold a separate administrators license.

                    Amended: April 2012
                    May 2011

                  • AU-1.1.6

                    Persons wishing to be licensed to undertake regulated administration services within or from the Kingdom of Bahrain must apply in writing to the CBB.

                    May 2011

                  • AU-1.1.7

                    An application for a license must be in the form prescribed by the CBB and must contain, inter alia:

                    (a) A business plan specifying the type of business to be conducted;
                    (b) Application forms for all controllers; and
                    (c) Application forms for all controlled functions.
                    May 2011

                  • AU-1.1.8

                    The CBB will review the application and duly advise the applicant in writing when it has:

                    (a) Granted the application without conditions;
                    (b) Granted the application subject to conditions specified by the CBB; or
                    (c) Refused the application, stating the grounds on which the application has been refused and the process for appealing against that decision.
                    May 2011

                  • AU-1.1.9

                    Detailed rules and guidance regarding information requirements and processes for licenses can be found in Section AU-5.1. As specified in Paragraph AU-5.1.12, the CBB will provide a formal decision on a license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB.

                    May 2011

                  • AU-1.1.10

                    All applicants seeking an administrator license must satisfy the CBB that they meet, by the date of authorisation, the minimum criteria for licensing, as contained in Chapter AU-2. Once licensed, fund administration licensees must maintain these criteria on an on-going basis.

                    May 2011

                  • AU-1.1.11

                    For the purposes of Volume 5 (Specialised Licensees), regulated administration services, in relation to financial instruments administered by the fund administrator, include:

                    (a) Fund management accounting services;
                    (b) Client enquiries;
                    (c) Valuation and pricing (including tax returns);
                    (d) Regulatory compliance monitoring;
                    (e) Maintenance of unit-holder/fund instruments register;
                    (f) Distribution of income;
                    (g) Unit issues and redemption of units in CIU and other financial instruments;
                    (h) Contracts settlements (including certificate dispatch); and
                    (i) General record-keeping.
                    May 2011

                  • AU-1.1.12

                    For the purposes of Volume 5 (Specialised Licensees), regulated administration services, in relation to a registrar, include:

                    (a) Client enquiries;
                    (b) Maintenance of unit-holder/fund instruments register;
                    (c) Distribution of income;
                    (d) Certificate dispatch; and
                    (e) General record-keeping
                    May 2011

                  • AU-1.1.13

                    For the purposes of Volume 5 (Specialised Licensees), carrying on a regulated administration services by way of business means:

                    (a) Undertaking one or more of the activities specified in Paragraphs AU-1.1.11 and AU-1.1.12 for commercial gain;
                    (b) Holding oneself out as willing and able to engage in that activity; or
                    (c) Regularly soliciting other persons to engage in transactions constituting that activity.
                    May 2011

                • AU-1.2 AU-1.2 Approved Persons

                  • General Requirement

                    • AU-1.2.1

                      Licensees must obtain the CBB's prior written approval for any person wishing to undertake a controlled function in a licensee. The approval from the CBB must be obtained prior to their appointment, subject to the variations contained in Paragraph AU-1.2.3.

                      Amended: January 2016
                      May 2011

                    • AU-1.2.2

                      Controlled functions are those functions occupied by board members and persons in executive positions and include:

                      (a) Director;
                      (b) Chief Executive or General Manager;
                      (c) Head of function;
                      (d) Compliance officer;
                      (e) Money Laundering Reporting Officer (MLRO); and
                      (f) Deputy Money Laundering Reporting Officer (if any).
                      Amended: January 2016
                      May 2011

                    • AU-1.2.3

                      Combination of the above controlled functions is subject to the CBB's approval. Controlled functions (b) to (f) are in relation to Bahrain operations.

                      Amended: January 2013
                      May 2011

                  • Basis for Approval

                    • AU-1.2.4

                      Approval under Paragraph AU-1.2.1 is only granted by the CBB, if it is satisfied that the person is fit and proper to hold the particular position in the licensee concerned. 'Fit and proper' is determined by the CBB on a case-by-case basis. The definition of 'fit and proper' and associated guidance is provided in Sections AU-3.1 and AU-3.2 respectively.

                      May 2011

                  • Definitions

                    • AU-1.2.5

                      Director is any person who occupies the position of a Director, as defined in Article 173 of the Commercial Companies Law (Legislative Decree No. 21 of 2001).

                      May 2011

                    • AU-1.2.6

                      The fact that a person may have 'Director' in their job title does not of itself make them a Director within the meaning of the definition noted in Paragraph AU-1.2.5. For example, a 'Director of Marketing', is not necessarily a member of the Board of Directors and therefore may not fall under the definition of Paragraph AU-1.2.5.

                      May 2011

                    • AU-1.2.7

                      The Chief Executive or General Manager means a person who is responsible for the conduct of the licensee (regardless of actual title). The Chief Executive or General Manager must be resident in Bahrain.

                      May 2011

                    • AU-1.2.8

                      Head of function means a person who exercises major managerial responsibilities, is responsible for a significant business or operating unit, or has senior managerial responsibility for maintaining accounts or other records of the licensee.

                      May 2011

                    • AU-1.2.9

                      Whether a person is a head of function will depend on the facts in each case and is not determined by the presence or absence of the word in their job title. Examples of head of function might include, depending on the scale, nature and complexity of the business, a deputy Chief Executive; heads of departments such as Compliance or Internal Audit; or the Chief Financial Officer.

                      May 2011

                    • AU-1.2.10

                      Where a firm is in doubt as to whether a function should be considered a controlled function it must discuss the case with the CBB.

                      May 2011

                    • AU-1.2.11

                      The controlled functions of Money Laundering Reporting Officer/Deputy Money Laundering Reporting Officer are defined under Chapter FC-4.

                      May 2011

              • AU-2 AU-2 Licensing Conditions

                • AU-2.1 AU-2.1 Condition 1: Legal Status

                  • AU-2.1.1

                    The legal status of a licensee must be:

                    (i) A Bahraini joint stock company (B.S.C.); or
                    (ii) A Bahraini Company with Limited Liability (W.L.L.)
                    May 2011

                • AU-2.2 AU-2.2 Condition 2: Mind and Management

                  • AU-2.2.1

                    Licensees with their Registered Office in the Kingdom of Bahrain must maintain their Head Office in the Kingdom and must conduct their business from their Head Office.

                    May 2011

                  • AU-2.2.2

                    In assessing the location of a licensee's Head Office, the CBB will take into account the residency of its Directors and senior management. The CBB requires the majority of key decision makers in executive management — including the Chief Executive - to be resident in Bahrain.

                    May 2011

                • AU-2.3 AU-2.3 Condition 3: Controllers and Close Links

                  • AU-2.3.1

                    Licensees must satisfy the CBB that their controllers are suitable and pose no undue risks to the licensee. Licensees must also satisfy the CBB that their close links do not prevent the effective supervision of the licensee by the CBB and otherwise pose no undue risks to the licensee.

                    May 2011

                • AU-2.4 AU-2.4 Condition 4: Board and Employees

                  • AU-2.4.1

                    In accordance with Article 65(a) of the CBB law, those nominated to carry out controlled functions must satisfy CBB's approved person's requirements.

                    May 2011

                  • AU-2.4.2

                    The definition of controlled functions is contained in Paragraph AU-1.2.2, whilst Chapter AU-3 sets out CBB's approved persons requirements. Applications for approved person status must be submitted using the prescribed approved persons form.

                    May 2011

                  • AU-2.4.3

                    The licensee's staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of the licensee in a sound and prudent manner. Licensees must ensure their employees meet any training and competency requirements specified by the CBB.

                    May 2011

                  • AU-2.4.4

                    [This Paragraph was deleted in January 2016.]

                    Deleted: January 2016
                    May 2011

                • AU-2.5 AU-2.5 Condition 5: Financial Resources

                  • AU-2.5.1

                    Licensees must maintain a level of financial resources, as agreed with the CBB, adequate for the level of business proposed. The level of financial resources held must exceed at all times the minimum requirements contained in Module CA (Capital Adequacy).

                    May 2011

                • AU-2.6 AU-2.6 Condition 6: Systems and Controls

                  • AU-2.6.1

                    Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate for the scale and complexity of their activities.

                    May 2011

                  • AU-2.6.2

                    Licensees must maintain adequate segregation of responsibilities in their staffing arrangements, to protect against the misuse of systems or errors. Such segregation should ensure that no single individual has control over all stages of a transaction.

                    May 2011

                  • AU-2.6.3

                    Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate to address the risks of financial crime occurring in the licensee. These systems and controls must meet the minimum requirements contained in Module FC (Financial Crime), as specified for the license held.

                    May 2011

                  • AU-2.6.4

                    As part of the licensing approval process, applicants must demonstrate in their business plan (together with any supporting documentation) what risks their business would be subject to and how they would manage those risks. Applicants may also be asked to provide an independent assessment of the appropriateness of their systems and controls to the CBB.

                    May 2011

                • AU-2.7 AU-2.7 Condition 7: External Auditor

                  • AU-2.7.1

                    Licensees must appoint an external auditor, subject to prior CBB approval. The minimum requirements regarding external auditors contained in Module AA (Auditors and Accounting Standards) must be met.

                    May 2011

                • AU-2.8 AU-2.8 Condition 8: Other Requirements

                  • Books and Records

                    • AU-2.8.1

                      Licensees must maintain comprehensive books of accounts and other records, which must be available for inspection within the Kingdom of Bahrain by the CBB, or persons appointed by the CBB, at any time. Licensees must comply with the minimum record-keeping requirements contained in Module GR. Books of accounts must comply with IFRS standards.

                      May 2011

                  • Provision of Information

                    • AU-2.8.2

                      Licensees must act in an open and cooperative manner with the CBB. Licensees must meet the regulatory reporting and public disclosure requirements contained in Modules BR and PD respectively.

                      May 2011

                  • General Conduct

                    • AU-2.8.3

                      Licensees must conduct their activities in a professional and orderly manner, in keeping with good market practice standards. Licensees must comply with the general standards of business conduct contained in Module PB, as well as the standards relating to treatment of customers contained in Module BC.

                      May 2011

                  • License Fees

                    • AU-2.8.4

                      Licensees must comply with any license fee requirements applied by the CBB.

                      May 2011

                    • AU-2.8.5

                      License fee requirements are contained in Chapter AU-5.

                      May 2011

                  • Additional Conditions

                    • AU-2.8.6

                      Licensees must comply with any other specific requirements or restrictions imposed by the CBB on the scope of their license.

                      May 2011

                    • AU-2.8.7

                      When granting a license, the CBB specifies the regulated administration services that the licensee may undertake. Licensees must respect the scope of their license.

                      May 2011

                    • AU-2.8.8

                      In addition, the CBB may vary existing requirements or impose additional restrictions or requirements, beyond those already specified in Volume 5, to address specific risks.

                      May 2011

              • AU-3 AU-3 Approved Persons Conditions

                • AU-3.1 AU-3.1 Condition 1: 'Fit and Proper'

                  • AU-3.1.1

                    Licensees seeking an approved person authorisation for an individual, must satisfy the CBB that the individual concerned is 'fit and proper' to undertake the controlled function in question.

                    May 2011

                  • AU-3.1.2

                    The authorisation requirement for persons nominated to carry out controlled functions is contained in Section AU-1.2. The authorisation process is described in Section AU-4.2.

                    May 2011

                  • AU-3.1.3

                    Each applicant applying for approved person status and those individuals occupying approved person positions must comply with the following conditions:

                    (a) Has not previously been convicted of any felony or crime that relates to his/her honesty and/or integrity unless he/she has subsequently been restored to good standing;
                    (b) Has not been the subject of any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud;
                    (c) Has not been adjudged bankrupt by a court unless a period of 10 years has passed, during which the person has been able to meet all his/her obligations and has achieved economic accomplishments;
                    (d) Has not been disqualified by a court, regulator or other competent body, as a director or as a manager of a corporation;
                    (e) Has not failed to satisfy a judgement debt under a court order resulting from a business relationship;
                    (f) Must have personal integrity, good conduct and reputation;
                    (g) Has appropriate professional and other qualifications for the controlled function in question; and
                    (h) Has sufficient experience to perform the duties of the controlled function.
                    Amended: January 2016
                    May 2011

                  • AU-3.1.4

                    In assessing the conditions prescribed in Rule AU-3.1.3, the CBB will take into account the criteria contained in Paragraph AU-3.1.5. The CBB reviews each application on a case-by-case basis, taking into account all relevant circumstances. A person may be considered 'fit and proper' to undertake one type of controlled function but not another, depending on the function's job size and required levels of experience and expertise. Similarly, a person approved to undertake a controlled function in one licensee may not be considered to have sufficient expertise and experience to undertake nominally the same controlled function but in a much bigger licensee.

                    Amended: January 2016
                    May 2011

                  • AU-3.1.5

                    In assessing a person's fitness and propriety, the CBB will also consider previous professional and personal conduct (in Bahrain or elsewhere) including, but not limited to, the following:

                    (a) The propriety of a person's conduct, whether or not such conduct resulted in a criminal offence being committed, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
                    (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
                    (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
                    (d) Whether the person, or any body corporate, partnership or unincorporated institution to which the applicant has, or has been associated with as a director, controller, manager or company secretary been the subject of any disciplinary proceeding, investigation or fines by any government authority, regulatory agency or professional body or association;
                    (e) The contravention of any financial services legislation;
                    (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
                    (g) Dismissal or a request to resign from any office or employment;
                    (h) Whether the person has been a Director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners have been declared bankrupt whilst the person was connected with that partnership;
                    (i) The extent to which the person has been truthful and open with supervisors; and
                    (j) Whether the person has ever entered into any arrangement with creditors in relation to the inability to pay due debts.
                    Added: January 2016

                  • AU-3.1.6

                    With respect to Paragraph AU-3.1.5, the CBB will take into account the length of time since any such event occurred, as well as the seriousness of the matter in question.

                    Added: January 2016

                  • AU-3.1.7

                    Approved persons undertaking a controlled function must act prudently, and with honesty, integrity, care, skill and due diligence in the performance of their duties. They must avoid conflicts of interest arising whilst undertaking a controlled function.

                    Amended: January 2016
                    May 2011

                  • AU-3.1.8

                    In determining where there may be a conflict of interest arising, factors that may be considered will include whether:

                    (a) A person has breached any fiduciary obligations to the company or terms of employment;
                    (b) A person has undertaken actions that would be difficult to defend, when looked at objectively, as being in the interest of the licensee; and
                    (c) A person has failed to declare a personal interest that has a material impact in terms of the person's relationship with the licensee.
                    Amended: January 2016
                    May 2011

                  • AU-3.1.9

                    Further guidance on the process for assessing a person's 'fit and proper' status is given in Module EN (Enforcement): see Chapter EN-8.

                    Added: January 2016

                • AU-3.2 AU-3.2 [This Section was deleted in January 2016]

                  • AU-3.2.1

                    [This Paragraph was deleted in January 2016.]

                    Deleted: January 2016
                    May 2011

                  • AU-3.2.2

                    [This Paragraph was deleted in January 2016.]

                    Deleted: January 2016
                    May 2011

                  • AU-3.2.3

                    [This Paragraph was moved to Paragraph AU-3.1.9 in January 2016.]

              • AU-4 AU-4 Information Requirements and Processes

                • AU-4.1 AU-4.1 Licensing

                  • Application Form and Documents

                    • AU-4.1.1

                      Applicants for a license must fill in the Application Form 1 (Application for a License) online, available on the CBB website under E-services/online Forms. The applicant must upload scanned copies of supporting documents listed in Rule AU-4.1.4, unless otherwise directed by the CBB.

                      Amended: July 2019
                      Amended: April 2018
                      May 2011

                    • AU-4.1.2

                      Articles 44 to 47 of the CBB Law govern the licensing process. This prescribes a single stage process, with the CBB required to take a decision within 60 calendar days of an application being deemed complete (i.e. containing all required information and documents). See below, for further details on the licensing process and time-lines.

                      May 2011

                    • AU-4.1.3

                      References to applicant mean the proposed licensee seeking authorisation. An applicant may appoint a representative — such as a law firm or professional consultancy — to prepare and submit the application. However, the applicant retains full responsibility for the accuracy and completeness of the application, and is required to certify the application form accordingly. The CBB also expects to be able to liaise directly with the applicant during the authorisation process, when seeking clarification of any issues.

                      May 2011

                    • AU-4.1.4

                      Unless otherwise directed by the CBB, the following documents must be provided in support of a Form 1:

                      (a) A duly completed Form 2 (Application for Authorisation of Controller) for each controller of the proposed licensee;
                      (b) A duly completed Form 3 (Application for Approved Person status), for each individual proposed to undertake controlled functions (as defined in Rule AU-1.2.2 ) in the proposed licensee;
                      (c) A comprehensive business plan for the application, addressing the matters described in AU-4.1.6;
                      (d) Where the applicant is an existing Bahraini company, a copy of the applicant's commercial registration certificate;
                      (e) A certified copy of a Board resolution of the applicant, confirming its decision to seek a CBB administration license;
                      (f) In the case of applicants that are part of a regulated group, a letter of non-objection to the proposed license application from the applicant's lead supervisor, together with confirmation that the group is in good regulatory standing and is in compliance with applicable supervisory requirements, including those relating to capital requirements;
                      (g) In the case of applicants that are part of a group, copies of the audited financial statements of the applicant's group, for the three years immediately prior to the date of application;
                      (h) In the case of applicants not falling under either (i) above, copies of the audited financial statements of the applicant's major shareholder (where they are a legal person), for the three years immediately prior to the date of application; and
                      (i) A copy of the applicant's memorandum and articles of association (in draft form for applicants creating a new company) addressing the matters described in AU-5.1.8.
                      May 2011

                    • AU-4.1.5

                      The CBB may require that an acceptably worded letter of guarantee be provided in support of the application for a license. Where the application for the license is for an incorporated entity, the CBB may seek a letter of guarantee from the major shareholder in control of the licensee.

                      May 2011

                    • AU-4.1.6

                      The business plan submitted in support of an application must include:

                      (a) An outline of the history of the applicant and its shareholders;
                      (b) The reasons for applying for a license, including the applicant's strategy and market objectives;
                      (c) The proposed type of activities to be carried on by the applicant in/from the Kingdom of Bahrain;
                      (d) The proposed Board and senior management of the applicant and the proposed organisational structure of the applicant;
                      (e) An independent assessment of the risks that may be faced by the applicant, together with the proposed systems and controls framework to be put in place for addressing those risks and to be used for the main business functions; and
                      (f) An opening balance sheet for the applicant, together with a three-year financial projection, with all assumptions clearly outlined, demonstrating that the applicant will be able to meet applicable capital adequacy requirements.
                      May 2011

                    • AU-4.1.7

                      The applicant's memorandum and articles of association must explicitly provide for it to undertake the activities proposed in the license application.

                      May 2011

                    • AU-4.1.8

                      All documentation provided to the CBB as part of an application for a license must be in either the Arabic or English languages. Any documentation in a language other than English or Arabic must be accompanied by a certified English or Arabic translation thereof.

                      May 2011

                    • AU-4.1.9

                      Before the final approval is granted to a licensee, confirmation from a retail bank addressed to the CBB that the licensee's capital (injected funds) — as specified in the business plan submitted under Rule AU-4.1.4 — has been paid in, must be provided to the CBB.

                      May 2011

                    • AU-4.1.10

                      Any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs prior to authorisation must be reported to the CBB.

                      May 2011

                    • AU-4.1.11

                      Failure to inform the CBB of the changes specified in Rule AU-4.1.10 is likely to be viewed as a failure to provide full and open disclosure of information, and thus a failure to meet licensing condition Rule AU-2.8.2.

                      May 2011

                  • Licensing Process and Timelines

                    • AU-4.1.12

                      By law, the 60 day time limit referred to in Paragraph AU-4.1.2 only applies once the application is complete and all required information (which may include any clarifications requested by the CBB) and documents have been provided. This means that all the items specified in Rule AU-4.1.4 have to be provided, before the CBB may issue a license.

                      May 2011

                    • AU-4.1.13

                      The CBB recognises, however, that applicants may find it difficult to secure suitable senior management (refer AU-4.1.4(b) above) in the absence of preliminary assurances regarding the likelihood of obtaining a license.

                      May 2011

                    • AU-4.1.14

                      Therefore, applicants may first submit an unsigned Form 1 in draft, together with as many as possible of the items specified in Rule AU-4.1.4. This draft application should contain at least items AU-4.1.4(a); AU-4.1.4(b), with respect to proposed Directors (but not necessarily senior management); AU-4.1.4(c); AU-4.1.4(d); and AU-4.1.4(g) to AU-4.1.4(i) inclusive.

                      May 2011

                    • AU-4.1.15

                      On the basis of the information specified in Paragraph AU-4.1.14, the CBB may provide an initial 'in principle' confirmation that the applicant appears likely to meet the CBB's licensing requirements, subject to the remaining information and documents being assessed as satisfactory. The 'in principle' confirmation will also list all outstanding documents required before an application can be considered complete and subject to formal consideration.

                      May 2011

                    • AU-4.1.16

                      An 'in principle' confirmation does not constitute a license approval, nor does it commit the CBB to issuing a license. However, it provides sufficient assurance for an applicant to complete certain practical steps, such as securing suitable executive staff that satisfy CBB's 'fit and proper' requirements. Once this has been done, the applicant may finalise its application, by submitting the remaining documents required under Rule AU-4.1.1 and, once assessed as complete by the CBB, a signed and dated final version of Form 1. However, a Bahraini company proposing to undertake financial services activities would not be eligible to obtain a Commercial Registration from the Ministry of Industry and Commerce unless it receives the final approval from the CBB.

                      May 2011

                    • AU-4.1.17

                      Regardless of whether an applicant submits a draft application or not, all potential applicants are strongly encouraged to contact the CBB at an early stage to discuss their plans, for guidance on the CBB's license categories and associated requirements. The Licensing Directorate would normally expect to hold at least one pre-application meeting with an applicant, prior to receiving an application (either in draft or in final).

                      Amended: April 2018
                      May 2011

                    • AU-4.1.18

                      Potential applicants should initiate pre-application meetings in writing, setting out a short summary of their proposed business and any issues or questions that they may have already identified, once they have a clear business proposition in mind and have undertaken their preliminary research. The CBB can then guide the applicant on the specific areas in the Rulebook that will apply to them and the relevant requirements that they must address in their application.

                      May 2011

                    • AU-4.1.19

                      At no point should an applicant hold themselves out as having been licensed by the CBB, prior to receiving formal written notification of the fact in accordance with Rule AU-4.1.20 below. Failure to do so may constitute grounds for refusing an application and result in a contravention of Articles 40 and 41 of the CBB Law (which carries a maximum penalty of BD 1 million).

                      May 2011

                  • Granting or Refusal of License

                    • AU-4.1.20

                      To be granted a license, an applicant should demonstrate compliance with the applicable requirements of the CBB Law and this Module. Should a license be granted, the CBB will notify the applicant in writing of the fact; the CBB will also publish its decision to grant a license in the Official Gazette and in two local newspapers (one published in Arabic, the other in English). The license may be subject to such terms and conditions as the CBB deems necessary for the additional conditions being met.

                      Amended: October 2019
                      May 2011

                    • AU-4.1.21

                      The CBB may refuse to grant a license if in its opinion:

                      (a) The requirements of the CBB Law or this Module are not met;
                      (b) False or misleading information has been provided to the CBB, or information which should have been provided to the CBB has not been so provided; or
                      (c) The CBB believes it necessary in order to safeguard the interests of potential customers.
                      Amended: October 2019
                      May 2011

                    • AU-4.1.22

                      Where the CBB proposes to refuse an application for a license, it will give the applicant a written notice to that effect. Applicants will be given a minimum of 30 calendar days from the date of the written notice to appeal the decision, as per the appeal procedures specified in the notice; these procedures comply with the provisions contained in Article 46 of the CBB Law.

                      Amended: October 2019
                      May 2011

                  • Starting Operations

                    • AU-4.1.23

                      Within 6 months of the license being issued, the new licensee must provide to the CBB (if not previously submitted):

                      (a) The registered office address and details of premises to be used to carry out the business of the proposed licensee;
                      (b) The address in the Kingdom of Bahrain where full business records will be kept;
                      (c) The licensee's contact details including telephone and fax number, e-mail address and website;
                      (d) A copy of its business continuity plan;
                      (e) A description of the IT system that will be used, including details of how IT systems and other records will be backed up;
                      (f) A copy of the auditor's acceptance to act as auditor for the applicant;
                      (g) A copy of the applicant's notarized memorandum and articles of association, addressing the matters described in Paragraph AU-4.1.7;
                      (h) A copy of the Ministry of Industry and Commerce commercial registration certificate in Arabic and in English; and
                      (i) An updated organisation chart showing the reporting lines, committees (if any) and including the names of the persons undertaking the controlled functions;
                      (j) A copy of the licensee's business card and any written communication (including stationery, website, e-mail, business documentation, etc.) including a statement that the administrator is licensed by the CBB; and
                      (k) Any other information as may be specified by the CBB.
                      May 2011

                    • AU-4.1.24

                      New licensees must start their operations within 6 months of being granted a license by the CBB, failing which the CBB may cancel the license, as per the powers and procedures set out in Article 48 of the CBB Law.

                      May 2011

                    • AU-4.1.25

                      The procedures for cancelling licenses are contained in Section AU-4.3.

                      May 2011

                • AU-4.2 AU-4.2 Approved Persons

                  • Prior Approval Requirements and Process

                    • AU-4.2.1

                      Licensees must obtain CBB's prior written approval before a person is formally appointed to a controlled function. The request for CBB approval must be made by submitting to the CBB a duly completed Form 3 (Application for Approved Person status) and Curriculum Vitae after verifying that all the information contained in the Form 3, including previous experience, is accurate. Form 3 is available under Volume 5 Part B Authorisation Forms of the CBB Rulebook.

                      Amended: January 2016
                      Amended: July 2015
                      May 2011

                    • AU-4.2.2

                      When the request for approved person status forms part of a license application, the Form 3 must be marked for the attention of the Director, Licensing Directorate. When the submission to undertake a controlled function is in relation to an existing licensee, the Form 3, except if dealing with a MLRO, must be marked for the attention of the Director, Financial Institutions Supervision Directorate. In the case of the MLRO, Form 3 should be marked for the attention of the Director, Compliance Directorate.

                      Amended: April 2018
                      May 2011

                    • AU-4.2.3

                      When submitting the Forms 3, licensees must ensure that the Form 3 is:

                      (a) Submitted to the CBB with a covering letter signed by an authorised representative of the administrator licensee, seeking approval for the proposed controlled function;
                      (b) Submitted in original form;
                      (c) Submitted with a certified copy of the applicant's passport, original or certified copies of educational and professional qualification certificates (and translation if not in Arabic or English) and the Curriculum Vitae; and
                      (d) Signed by an authorised representative of the licensee and all pages stamped with the licensee's seal.
                      Amended: July 2015
                      May 2011

                    • AU-4.2.3A

                      Licensees seeking to appoint Board Directors must seek CBB approval for all the candidates to be put forward for election/approval at a shareholders' meeting, in advance of the agenda being issued to shareholders. CBB approval of the candidates does not in any way limit shareholders' rights to refuse those put forward for election/approval.

                      Added: July 2015

                    • AU-4.2.4

                      For existing licensees applying for the appointment of a Director or the Chief Executive/General Manager, the authorised representative should be the Chairman of the Board or a Director signing on behalf of the Board. For all other controlled functions, the authorised representative should be the Chief Executive/General Manager.

                      Amended: July 2015
                      May 2011

                    • AU-4.2.5

                      [This Paragraph was deleted in July 2015.]

                      Deleted: July 2015

                    • AU-4.2.6

                      [This Paragraph was moved to Paragraph AU-4.2.3A in July 2015.]

                      Amended: July 2015
                      May 2011

                  • Assessment of Application

                    • AU-4.2.6A

                      The CBB shall review and assess the application for approved person status to ensure that it satisfies all the conditions required in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.2.6B

                      For purposes of Paragraph AU-4.2.6A, licensees should give the CBB a reasonable amount of notice in order for an application to be reviewed. The CBB shall respond within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, as well as verifying references.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.2.6C

                      The CBB reserves the right to refuse an application for approved person status if it does not satisfy the conditions provided for in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5. A notice of such refusal is issued by registered mail to the licensee concerned, setting out the basis for the decision.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.2.7

                      [This Paragraph was deleted in January 2016.]

                      Deleted: January 2016
                      Amended: July 2015
                      May 2011

                  • Appeal Process

                    • AU-4.2.7A

                      Licensees or the nominated approved persons may, within 30 calendar days of the notification, appeal against the CBB's decision to refuse the application for approved person status. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from submitting the appeal.

                      Added: July 2015

                    • AU-4.2.7B

                      Where notification of the CBB's decision to grant a person approved person status is not issued within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, licensees or the nominated approved persons may appeal to the concerned Executive Director, Financial Institutions Supervision of the CBB provided that the appeal is justified with supporting documents. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from the date of submitting the appeal.

                      Amended: January 2016
                      Added: July 2015

                  • Notification Requirements and Process

                    • AU-4.2.8

                      Licensees must immediately notify the CBB when an approved person ceases to hold a controlled function together with an explanation as to the reasons why (see Paragraph AU-4.3.5). In such cases, their approved person status is automatically withdrawn by the CBB.

                      May 2011

                    • AU-4.2.9

                      Licensees must immediately notify the CBB in case of any material change to the information provided in a Form 3 submitted for an approved person.

                      May 2011

                    • AU-4.2.10

                      Licensees must immediately notify the CBB when they become aware of any of the events listed in Paragraph EN-8.2.3, affecting one of their approved persons.

                      May 2011

                    • AU-4.2.10A

                      Licensees must immediately notify the CBB should they become aware of information that could reasonably be viewed as calling into question an approved person’s compliance with CBB’s ‘fit and proper’ requirement (see AU3.1).

                      Added: January 2021

                  • Change in Controlled Function

                    • AU-4.2.11

                      Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee.

                      May 2011

                    • AU-4.2.12

                      In such instances, a new Form 3 (Application for Approved Person status) should be completed and submitted to the CBB. Note that a person may be considered 'fit and proper' for one controlled function, but not for another, if for instance the new role requires a different set of skills and experience. Where an approved person is moving to a controlled function in another licensee, the first licensee should notify the CBB of that person's departure (see Rule AU-4.3.5), and the new licensee should submit a request for approval under Rule AU-1.2.1.

                      May 2011

                • AU-4.3 AU-4.3 Cancellation of Authorisation

                  • Voluntary Surrender of a License or Closure of a Branch

                    • AU-4.3.1

                      In accordance with Article 50 of the CBB Law, licensees wishing to cancel their license or cease activities for a branch must obtain the CBB's written approval, before ceasing their activities. All such requests must be made in writing to the Director, Financial Institutions Supervision, setting out in full the reasons for the request and how the business is to be wound up.

                      Amended: April 2012
                      May 2011

                    • AU-4.3.2

                      Licensees must satisfy the CBB that their customers' interests are to be safeguarded during and after the proposed cancellation. The requirements contained in Chapter GR-7 regarding cessation of business must be satisfied.

                      Amended: April 2012
                      May 2011

                    • AU-4.3.3

                      Failure to comply with Rule AU-4.3.1 constitutes a breach of Article 50(a) of the CBB Law. The CBB will only approve such a request where it has no outstanding regulatory concerns and any relevant customer interests would not be prejudiced. A voluntary surrender of a license will not be accepted where it is aimed at preempting supervisory actions by the CBB. A voluntary surrender will only be allowed to take effect once the licensee, in the opinion of the CBB, has discharged all its regulatory responsibilities to customers.

                      May 2011

                  • Cancellation of a License by the CBB

                    • AU-4.3.4

                      As provided for under Article 48 (c) of the CBB Law, the CBB may itself move to cancel a license, for instance if a licensee fails to satisfy any of its existing license conditions or protecting the legitimate interests of customers or creditors of the licensee requires a cancellation. The CBB generally views the cancellation of a license as appropriate only in the most serious of circumstances, and generally tries to address supervisory concerns through other means beforehand. See also Chapter EN-7, regarding the cancellation or amendment of licenses, including the procedures used in such instances and the licensee's right to appeal the formal notice of cancellation issued by the CBB.

                      Amended: April 2012
                      May 2011

                    • AU-4.3.4A

                      Cancellation of a license requires the CBB to issue a formal notice of cancellation to the licensee concerned. The notice of cancellation describes the CBB's rationale for the proposed cancellation, as specified in Article 48(d) of the CBB Law.

                      Amended: January 2013
                      Added: April 2012

                    • AU-4.3.4B

                      Where the cancellation of a license has been confirmed by the CBB, the CBB will only effect the cancellation once a licensee has discharged all its regulatory responsibilities to clients. Until such time, the CBB will retain all its regulatory powers towards the licensee and will direct the licensee so that no new regulated administration services may be undertaken whilst the licensee discharges its obligations to its clients.

                      Added: April 2012

                  • Cancellation of Approved Person Status

                    • AU-4.3.5

                      In accordance with Paragraph AU-4.2.8, licensees must promptly notify the CBB in writing when a person undertaking a controlled function will no longer be carrying out that function. If a controlled function falls vacant, the licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the licensee must make immediate interim arrangements to ensure continuity of the duties and responsibilities of the controlled function affected, provided that such arrangements do not pose a conflict of duties. These interim arrangements must be approved by the CBB.

                      Amended: July 2015
                      May 2011

                    • AU-4.3.6

                      The explanation given for any such changes should simply identify if the planned move was prompted by any concerns over the person concerned, or is due to a routine staff change, retirement or similar reason.

                      May 2011

                    • AU-4.3.7

                      The CBB may also move to declare someone as not 'fit and proper', in response to significant compliance failures or other improper behaviour by that person: see Chapter EN-8 regarding the cancellation of 'fit and proper' approval.

                      May 2011

                • AU-4.4 AU-4.4 Publication of the Decision to Grant, Cancel or Amend a License

                  • AU-4.4.1

                    In accordance with Articles 47 and 49 of the CBB Law, the CBB will publish its decision to grant, cancel or amend a license in the Official Gazette and in two local newspapers, one in Arabic and the other in English.

                    Amended: October 2019
                    Added: July 2017

                  • AU-4.4.2

                    For the purposes of Paragraph AU-4.4.1, the cost of publication must be borne by the Licensee.

                    Added: July 2017

                  • AU-4.4.3

                    The CBB may also publish its decision on such cancellation or amendment using any other means it considers appropriate, including electronic means.

                    Added: July 2017

              • AU-5 AU-5 License Fees

                • AU-5.1 AU-5.1 License Application Fees

                  • AU-5.1.1

                    Applicants seeking an administrator license from the CBB must pay a non-refundable license application fee of BD 100 at the time of submitting their formal application to the CBB.

                    May 2011

                  • AU-5.1.2

                    There are no application fees for those seeking approved person status.

                    May 2011

                • AU-5.2 AU-5.2 Annual License Fees

                  • AU-5.2.1

                    Licensees must pay a flat annual license fee of BD500 to the CBB, on 1st December of the preceding year for which the fee is due.

                    Amended: July 2013
                    May 2011

                  • AU-5.2.2

                    For new licensees, their first annual license fee is payable when their license is issued by the CBB. The amount payable is the flat amount specified for their type of license.

                    May 2011

                  • AU-5.2.3

                    Where a license is cancelled (whether at the initiative of the firm or the CBB), no refund is paid for any months remaining in the calendar year in question.

                    May 2011

                  • AU-5.2.4

                    [This Paragraph was deleted in July 2013].

                    Deleted: July 2013
                    May 2011

                  • AU-5.2.5

                    All licensees are subject to direct debit for the payment of the annual fee and must complete and submit to the CBB a Direct Debit Authorisation Form by 15th September available under Part B of Volume 5 (Specialised Licensees) CBB Rulebook on the CBB Website.

                    Added: July 2013

                  • AU-5.2.6

                    Licensees failing to comply with this Section may be subject to financial penalties for date sensitive requirements as outlined in Section EN-5.3A or may have their licenses withdrawn by the CBB.

                    Added: July 2013

            • HC HC Administrators High-level Controls Module

              • HC-A HC-A Introduction

                • HC-A.1 HC-A.1 Purpose

                  • Executive Summary

                    • HC-A.1.1

                      This Module presents requirements that have to be met by administrators licensees with respect to:

                      (a) Corporate governance principles issued by the Ministry of Industry and Commerce as The Corporate Governance Code; and
                      (b) Related high-level controls and policies.
                      May 2011

                    • HC-A.1.2

                      The Principles referred to in this Module are in line with the Principles relating to the Corporate Governance Code issued by the Ministry of Industry and Commerce.

                      May 2011

                    • HC-A.1.3

                      The purpose of the Module is to establish best practice corporate principles in Bahrain, and to provide protection for investors and other company stakeholders through compliance with those principles.

                      May 2011

                    • HC-A.1.4

                      Whilst the Module follows best practice, it is nevertheless considered as the minimum standard to be applied.

                      May 2011

                  • Structure of this Module

                    • HC-A.1.5

                      This Module follows the structure of the Corporate Governance Code and each Chapter deals with fundamental Principles of corporate governance. The numbered directives included in the Code are Rules for purposes of this Module. Recommendations under the Code have been included as guidance.

                      May 2011

                    • HC-A.1.6

                      All references in this Module to 'he' or 'his' shall, unless the context otherwise requires, be construed as also being references to 'she' and 'her'.

                      May 2011

                  • The Comply or Explain Principle

                    • HC-A.1.7

                      This Module is issued as a Directive in accordance with Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). In common with other Rulebook Modules, this Module contains a mixture of Rules and Guidance (See Module UG-1.2 for a detailed explanation of Rules and Guidance). All Rulebook content that is categorised as a Rule must be complied with by those to whom the content is addressed. Other parts of this Module are Guidance; nonetheless, every administrator licensee to whom Module HC applies, is expected to comply with recommendations made as Guidance in Module HC or explain its noncompliance by way of an annual report to its shareholders and to the CBB.

                      May 2011

                  • Monitoring and Enforcement of Module HC

                    • HC-A.1.8

                      Disclosure and transparency are underlying principles of Module HC. Disclosure is crucial to allow outside monitoring to function effectively. This Module looks to a combined monitoring system relying on the Board, the administrator licensee's shareholders and the CBB.

                      May 2011

                    • HC-A.1.9

                      It is the Board's responsibility to see to the accuracy and completeness of the administrator licensee's corporate governance guidelines and compliance with Module HC. Failure to comply with this Module is subject to enforcement measures as outlined in Module EN (Enforcement).

                      May 2011

                  • Legal Basis

                    • HC-A.1.10

                      This Module contains the CBB's Directive (as amended from time to time) relating to high-level controls and is issued under the powers available to the CBB under Article 38 of the CBB Law. The Directive in this Module is applicable to administrator licensees (including their approved persons).

                      May 2011

                    • HC-A.1.11

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      May 2011

                • HC-A.2 HC-A.2 Module History

                  • Evolution of the Module

                    • HC-A.2.1

                      This Module was first issued in May 2011. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      May 2011

                    • HC-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      HC-2.2.1 and HC-2.4.1 01/2013 Clarified scope of application for Rules.
                           
                           
                           
                           

              • HC-B HC-B Scope of Application

                • HC-B.1 HC-B.1 Scope of Application

                  • HC-B.1.1

                    The content of this Module applies to all administrator licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

                    May 2011

              • HC-1 HC-1 The Board

                • HC-1.1 HC-1.1 Principle

                  • HC-1.1.1

                    All licensees must be headed by an effective, collegial and informed Board of Directors ('the Board').

                    May 2011

                • HC-1.2 HC-1.2 Role and Responsibilities

                  • HC-1.2.1

                    All directors must understand the Board's role and responsibilities under the Commercial Companies Law and any other laws or regulations that may govern their responsibilities from time to time. In particular:

                    (a) The Board's role as distinct from the role of the shareholders (who elect the Board and whose interests the Board serves) and the role of officers (whom the Board appoints and oversees); and
                    (b) The Board's fiduciary duties of care and loyalty to the licensee and the shareholders (see HC-10.2).
                    May 2011

                  • HC-1.2.2

                    The Board's role and responsibilities include but are not limited to:

                    (a) The overall business performance and strategy for the licensee;
                    (b) Causing financial statements to be prepared which accurately disclose the licensee's financial position;
                    (c) Monitoring management performance;
                    (d) Convening and preparing the agenda for shareholder meetings; and
                    (e) Monitoring conflicts of interest and preventing abusive related party transactions.
                    May 2011

                  • HC-1.2.3

                    When a new director is inducted, the chairman of the Board, assisted by company legal counsel or compliance officer, should review the Board's role and duties with that person, particularly covering legal and regulatory requirements and Module HC.

                    May 2011

                  • HC-1.2.4

                    The licensee should have a written appointment agreement with each director which recites the directors' powers and duties and other matters relating to his appointment including his term, the time commitment envisaged, the committee assignment if any, his remuneration and expense reimbursement entitlement, and his access to independent professional advice when that is needed.

                    May 2011

                  • HC-1.2.5

                    The Board should adopt a formal Board charter or other statement specifying matters which are reserved to it, which should include but need not be limited to the specific requirements and responsibilities of directors.

                    May 2011

                • HC-1.3 HC-1.3 Composition

                  • HC-1.3.1

                    The Board should have no more than 15 members, and should regularly review its size and composition to assure that it is small enough for efficient decision-making yet large enough to have members who can contribute from different specialties and viewpoints. The Board should recommend changes in Board size to the shareholders when a needed change requires amendment of the licensee's Memorandum of Association.

                    May 2011

                  • HC-1.3.2

                    Potential non-executive directors should be made aware of their duties before their nomination, particularly as to the time commitment required. The Board should regularly review the time commitment required from each non-executive director and should require each non-executive director to inform the Board before he accepts any Board appointments to another company. One person should not hold more than three directorships in public companies in Bahrain with the provision that no conflict of interest may exist, and the Board should not propose the election or reelection of any director who does.

                    May 2011

                • HC-1.4 HC-1.4 Decision Making Process

                  • HC-1.4.1

                    The Board should be collegial and deliberative, to gain the benefit of each individual director's judgment and experience.

                    May 2011

                  • HC-1.4.2

                    The chairman should take an active lead in promoting mutual trust, open discussion, constructive dissent and support for decisions after they have been made.

                    May 2011

                  • HC-1.4.3

                    The Board must meet frequently but in no event less than four times a year. All directors must attend the meetings whenever possible and the directors must maintain informal communication between meetings.

                    May 2011

                  • HC-1.4.4

                    Individual board members must attend at least 75% of all Board meetings in a given financial year to enable the Board to discharge its responsibilities effectively (see table below). Voting and attendance proxies for Board meetings are prohibited at all times.

                    Meetings per year 75% Attendance requirement
                    4 3
                    5 4
                    6 5
                    7 5
                    May 2011

                  • HC-1.4.5

                    The absence of Board members at Board and committee meetings must be noted in the meeting minutes. In addition, Board attendance percentage must be reported during any general assembly meeting when board members stand for re-election (e.g. Board member XYZ attended 95% of scheduled meetings this year).

                    May 2011

                  • HC-1.4.6

                    In the event that a Board member has not attended at least 75% of Board meetings in any given financial year, the licensee must immediately notify the CBB indicating which member has failed to satisfy this requirement, his level of attendance and any mitigating circumstances affecting his non-attendance. The CBB shall then consider the matter and determine whether disciplinary action, including disqualification of that Board member pursuant to Article 65 of the CBB Law, is appropriate. Unless there are exceptional circumstances, it is likely that the CBB will take disciplinary action.

                    May 2011

                  • HC-1.4.7

                    The chairman should ensure that all directors receive an agenda, minutes of prior meetings, and adequate background information in writing before each Board meeting and when necessary between meetings. All directors should receive the same Board information. At the same time, directors have a legal duty to inform themselves and they should ensure that they receive adequate and timely information and should study it carefully.

                    May 2011

                • HC-1.5 HC-1.5 Directors' Communication with Management

                  • HC-1.5.1

                    The Board should encourage participation by management regarding matters the Board is considering, and also by management members who by reason of responsibilities or succession, the CEO believes should have exposure to the directors.

                    May 2011

                  • HC-1.5.2

                    Non-executive directors should have free access to the licensee's management beyond that provided in Board meetings. Such access should be through the Chairman of the Audit Committee or CEO. The Board should make this policy known to management to alleviate any management concerns about a director's authority in this regard.

                    May 2011

              • HC-2 HC-2 Approved Persons Loyalty

                • HC-2.1 HC-2.1 Principle

                  • HC-2.1.1

                    The approved persons must have full loyalty to the licensee.

                    May 2011

                • HC-2.2 HC-2.2 Personal Accountability

                  • HC-2.2.1

                    Each member of the board should understand that under the Company Law he is personally accountable to the licensee and the shareholders if he violates his legal duty of loyalty to the licensee, and that he can be personally sued by the licensee or the shareholders for such violations.

                    Amended: January 2013
                    May 2011

                  • HC-2.2.2

                    The duty of loyalty includes a duty not to use property of the licensee for his personal needs as though it was his own property, not to disclose confidential information of the licensee or use it for his personal profit, not to take business opportunities of the licensee for himself, not to compete in business with the licensee, and to serve the licensee's interest in any transactions with the company in which he has a personal interest.

                    May 2011

                  • HC-2.2.3

                    For purposes of Paragraph HC-2.2.2, an approved person is considered to have a "personal interest" in a transaction with the company if:

                    (a) He himself;
                    (b) A member of his family (i.e. spouse, father, mother, sons, daughters, brothers or sisters); or
                    (c) Another company of which he is a director or controller,

                    is a party to the transaction or has a material financial interest in the transaction. (Transactions and interests which are de minimis in value should not be included.)

                    May 2011

                • HC-2.3 HC-2.3 Avoidance of Conflicts of Interest

                  • HC-2.3.1

                    Each approved person should make every practicable effort to arrange his personal and business affairs to avoid a conflict of interest with the licensee.

                    May 2011

                • HC-2.4 HC-2.4 Disclosure of Conflicts of Interest

                  • HC-2.4.1

                    Each approved person must inform the entire Board of conflicts of interest as they arise. Board members must abstain from voting on the matter in accordance with the relevant provisions of the Company Law. This disclosure must include all material facts in the case of a contract or transaction involving the approved person. The approved persons should understand that any approval of a conflict transaction is effective only if all material facts are known to the authorising persons and the conflicted person did not participate in the decision.

                    Amended: January 2013
                    May 2011

                  • HC-2.4.2

                    The Board must establish formal procedures for:

                    (a) Periodic disclosure and updating of information by each approved person on his actual and potential conflicts of interest; and
                    (b) Advance approval by directors or shareholders who do not have an interest in the transactions in which a licensee's approved person has a personal interest. The Board should require such advance approval in every case.
                    May 2011

              • HC-3 HC-3 Financial Statement Certification

                • HC-3.1 HC-3.1 Principle

                  • HC-3.1.1.

                    The Board must have rigorous controls for financial audit and reporting, internal control, and compliance with law.

                    May 2011

                • HC-3.2 HC-3.2 CEO and CFO Certification of Financial Statements

                  • HC-3.2.1

                    To encourage management accountability for the financial statements required by the directors, the licensee's CEO and chief financial officer must state in writing to the Board that the licensee's interim and annual financial statements present a true and fair view, in all material respects, of the licensee's financial condition and results of operations in accordance with applicable accounting standards.

                    May 2011

              • HC-4 HC-4 Appointment, Training and Evaluation of the Board

                • HC-4.1 HC-4.1 Principle

                  • HC-4.1.1.

                    The licensee should have rigorous procedures for appointment, training and evaluation of the Board.

                    May 2011

                • HC-4.2 HC-4.2 Induction and Training of Directors

                  • HC-4.2.1

                    The chairman of the Board should ensure that each new director receives a formal and tailored induction to ensure his contribution to the Board from the beginning of his term. The induction should include meetings with senior management, visits to company facilities, presentations regarding strategic plans, significant financial, accounting and risk management issues, compliance programs, its internal and external auditors and legal counsel.

                    May 2011

                  • HC-4.2.2

                    All continuing directors should be invited to attend orientation meetings and all directors should continually educate themselves as to the licensee's business and corporate governance.

                    May 2011

                  • HC-4.2.3

                    Management, in consultation with the chairman of the Board, should hold programs and presentations to directors respecting the licensee's business and industry, which may include periodic attendance at conferences and management meetings. The Board shall oversee directors' corporate governance educational activities.

                    May 2011

              • HC-5 HC-5 Management Structure

                • HC-5.1 HC-5.1 Principle

                  • HC-5.1.1

                    The Board should establish a clear and efficient management structure.

                    May 2011

                • HC-5.2 HC-5.2 Establishment of Management Structure

                  • HC-5.2.1

                    The Board should appoint senior management whose authority must include management and operation of current activities of the licensee, reporting to and under the direction of the Board. The senior managers should include at a minimum:

                    (a) A CEO;
                    (b) A chief financial officer;
                    (c) A corporate secretary; and
                    (d) An internal auditor.

                    and should also include such other approved persons as the Board considers appropriate and as a minimum must include persons occupying controlled functions as outlined in Paragraph AU-1.2.2.

                    May 2011

                • HC-5.3 HC-5.3 Titles, Authorities, Duties and Reporting Responsibilities

                  • HC-5.3.1

                    The Board should adopt by-laws prescribing each senior manager's title, authorities, duties and internal reporting responsibilities. This should be done in consultation with the CEO, to whom the other senior managers should normally report.

                    May 2011

                  • HC-5.3.2

                    These provisions should include but should not be limited to the following:

                    (a) The CEO should have authority to act generally in the licensee's name, representing the licensee's interests in concluding transactions on the licensee's behalf and giving instructions to other senior managers and licensee employees;
                    (b) The chief financial officer should be responsible and accountable for:
                    (i) The complete, timely, reliable and accurate preparation of the licensee's financial statements, in accordance with the accounting standards and policies of the licensee (see HC-3.2.1); and
                    (ii) Presenting the Board with a balanced and understandable assessment of the licensee's financial situation;
                    (c) The corporate secretary's duties should include arranging, recording and following up on the actions, decisions and meetings of the Board and of the shareholders (both at annual and extraordinary meetings) in books to be kept for that purpose; and
                    (d) The internal auditor's duties should include providing an independent and objective review of the efficiency of the licensee's operations. This would include a review of the accuracy and reliability of the licensee's accounting records and financial reports as well as a review of the adequacy and effectiveness of the licensee's risk management, control, and governance processes.
                    May 2011

                  • HC-5.3.3

                    The Board should also specify any limits which it wishes to set on the authority of the CEO or other senior managers, such as monetary maximums for transactions which they may authorise without separate Board approval.

                    May 2011

                  • HC-5.3.4

                    The corporate secretary should be given general responsibility for reviewing the licensee's procedures and advising the Board directly on such matters. Whenever practical, the corporate secretary should be a person with legal or similar professional experience and training

                    May 2011

                  • HC-5.3.5

                    At least annually the Board shall review and concur in a succession plan addressing the policies and principles for selecting a successor to the CEO, both in emergencies and in the normal course of business. The succession plan should include an assessment of the experience, performance, skills and planned career paths for possible successors to the CEO.

                    May 2011

            • GR GR Administrators General Requirements Module

              • GR-A GR-A Introduction

                • GR-A.1 GR-A.1 Purpose

                  • Executive Summary

                    • GR-A.1.1

                      The General Requirements Module presents a variety of different requirements that are not extensive enough to warrant their own stand-alone Module, but for the most part are generally applicable. These include requirements on books and records; on the use of corporate and trade names; and on controllers and close links. Each set of requirements is contained in its own Chapter.

                      Amended: July 2011
                      May 2011

                  • Legal Basis

                    • GR-A.1.2

                      This Module contains the Central Bank of Bahrain ('CBB') Directive (as amended from time to time) regarding general requirements applicable to administrators licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regarding transfers of business (see Chapter GR-4) and controllers (see Chapter GR-5) are also included in Regulations, to be issued by the CBB.

                      May 2011

                    • GR-A.1.3

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

                      May 2011

                • GR-A.2 GR-A.2 Module History

                  • Evolution of Module

                    • GR-A.2.1

                      This Module was first issued in May 2011 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      May 2011

                    • GR-A.2.2

                      A list of recent changes made to this Module is detailed in the table below:

                      Module Ref. Change Date Description of Changes
                      GR-A.1.1 07/2011 Minor correction made to Guidance.
                      GR-5.3 04/2012 Amended to be in line with other Volumes of the CBB rulebook and to reflect the issuance of Resolution No.(43) of 2011.
                      GR-7 04/2012 Clarified language on cessation of business to be in line with other Volumes of the CBB Rulebook.
                      GR-1.1.4 04/2013 Corrected reference to 'transaction' records.
                      GR-7.1.12 10/2016 Added an additional requirement for cessation of business to be consistent with other Volumes of the CBB Rulebook.
                      GR-5.1.4 01/2017 Consistency of notification timeline rule on controllers with other Volumes of the CBB Rulebook.
                      GR-1.2.1 07/2017 Amended paragraph according to the Legislative Decree No. (28) of 2002.
                      GR-1.2.2 07/2017 Deleted paragraph.
                      GR-3.1.3 10/2017 Added additional requirement to submit when requesting no-objection letter for proposed dividend.
                      GR-9.1.2 10/2017 Amended Paragraph on outsourcing, to allow the utilization of cloud services.
                      GR-9.1.3A 10/2017 Added a new Paragraph on outsourcing.
                      GR-9.1.6 10/2017 Amended Paragraph.
                      GR-9.1.9 10/2017 Amended Paragraph.
                      GR-9.1.11 10/2017 Amended Paragraph.
                      GR-9.1.11A 10/2017 Added a new Paragraph on outsourcing.
                      GR-9.1.16 10/2017 Amended Paragraph.
                      GR-9.1.17 10/2017 Amended Paragraph.
                      GR-9.2.1 10/2017 Amended Paragraph.
                      GR-9.2.2 10/2017 Amended Paragraph.
                      GR-9.2.4 10/2017 Amended Paragraph.
                      GR-9.2.11 10/2017 Amended Paragraph.
                      GR-9.2.12 10/2017 Amended Paragraph.
                      GR-9.2.13 10/2017 Amended Paragraph.
                      GR-9.2.18 10/2017 Amended Paragraph.
                      GR-9.2.19 10/2017 Added a new paragraph for security measures related to cloud services.
                      GR-9.3.3 10/2017 Amended Paragraph.
                      GR-9.3.4 10/2017 Amended Paragraph.
                      GR-5.1.1A 04/2019 Added a new Paragraph on exposures to controllers.
                      GR-5.1.1B 04/2019 Added a new Paragraph on exposures to controllers.
                      GR-1.2.1 01/2020 Amended Paragraph.
                      GR-7.1.7 04/2020 Amended Paragraph.
                      GR-7.1.12 04/2020 Amended Paragraph.
                      GR-C 10/2020 Added a new Chapter on Provision of Financial Services on a Non-discriminatory Basis.
                      GR-2.1.1 01/2022 Amended Paragraph on change in licensee corporate and legal name.
                      GR-2.1.2 01/2022 Amended Paragraph on change in licensee legal name.
                      GR-9 07/2022 Replaced Chapter GR-9 with new Outsourcing Requirements.

              • GR-B GR-B Scope of Application

                • GR-B.1 GR-B.1 Scope of Application

                  • GR-B.1.1

                    The requirements in Module GR (General Requirements) apply to all administrators licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

                    May 2011

              • GR-C GR-C Provision of Financial Services on a Non-discriminatory Basis

                • GR-C.1 GR-C.1 Provision of Financial Services on a Non-discriminatory Basis

                  • GR-C.1.1

                    Administrators licensees must ensure that all regulated financial services are provided without any discrimination based on gender, nationality, origin, language, faith, religion, physical ability or social standing.

                    Added: October 2020

              • GR-1 GR-1 Books and Records

                • GR-1.1 GR-1.1 General Requirements

                  • GR-1.1.1

                    In accordance with Articles 59 of the CBB Law, all licensees must maintain books and records (whether in electronic or hard copy form) sufficient to produce financial statements and show a complete record of the business undertaken by a licensee. These records must be retained for at least ten years according to Article 60 of the CBB Law.

                    May 2011

                  • GR-1.1.2

                    GR-1.1.1 includes accounts, books, files and other records (e.g. trial balance, general ledger, nostro/vostro statements, reconciliations, list of counterparties). It also includes records that substantiate the value of the assets, liabilities and off-balance sheet activities of the licensee (e.g. client activity files and valuation documentation).

                    May 2011

                  • Corporate Records

                    • GR-1.1.3

                      Licensees must maintain at all times the following records in original form or in hard copy at their premises in Bahrain:

                      (a) Internal policies, procedures and operating manuals;
                      (b) Corporate records, including minutes of shareholders', Directors' and management meetings;
                      (c) Correspondence with the CBB and records relevant to monitoring compliance with CBB requirements;
                      (d) Reports prepared by the licensee's internal and external auditors; and
                      (e) Employee training manuals and records.
                      May 2011

                    • GR-1.1.4

                      Separately, Bahrain Law currently requires other transaction records to be retained for at least five years (see Ministerial Order No. 23 of 2002, Article 5(2), made pursuant to the Amiri Decree Law No. 4 of 2001).

                      Amended: April 2013
                      May 2011

                  • Language of Records

                    • GR-1.1.5

                      Unless otherwise agreed to by the CBB in writing, records must be kept in either English or Arabic. Any records kept in languages other than English or Arabic must be accompanied by a certified English or Arabic translation. Records must be kept current. The records must be sufficient to allow an audit of the licensee's business or an on-site examination of the licensee by the CBB.

                      May 2011

                    • GR-1.1.6

                      Translations produced in compliance with Rule GR-1.1.4 may be undertaken in-house, by an employee or contractor of the licensee, providing they are certified by an appropriate officer of the licensee.

                      May 2011

                  • Location of Records

                    • GR-1.1.6

                      Records must be accessible at any time from within the Kingdom of Bahrain, or as otherwise agreed with the CBB in writing.

                      May 2011

                    • GR-1.1.7

                      Where older records have been archived, the CBB may accept that records be accessible within a reasonably short time frame (e.g. within 5 business days), instead of immediately. The CBB may also agree similar arrangements where elements of record retention and management have been centralised in another group company, whether inside or outside of Bahrain.

                      May 2011

                • GR-1.2 GR-1.2 Transaction and Customer Records

                  • Transaction Records

                    • GR-1.2.1

                      Licensees must keep completed transaction records for as long as they are relevant for the purposes for which they were made (with a minimum period in all cases of five years from the date when the transaction was terminated). Records of terminated transactions must be kept whether in hard copy or electronic format as per the Legislative Decree No. (54) of 2018 with respect to Electronic Transactions “The Electronic Communications and Transactions Law” and its amendments.

                      Amended: January 2020
                      Amended: July 2017
                      May 2011

                    • GR-1.2.2

                      [This Paragraph has been deleted in July 2017].

                      Deleted: July 2017
                      May 2011

                  • Customer Records

                    • GR-1.2.3

                      Record-keeping requirements with respect to customer records, including customer identification and due diligence records, are contained in Module FC (Financial Crime).

                      May 2011

              • GR 2 GR 2 Corporate and Trade Names

                • GR-2.1 GR-2.1 Vetting of Names

                  • GR-2.1.1

                    Licensees must obtain CBB’s prior written approval for any change in their legal name. Licensees must notify the CBB of any change in their corporate name at least one week prior to effecting the proposed change.

                    Amended: January 2022
                    Added: May 2011

                  • GR-2.1.2

                    In approving a change in a legal name, the CBB seeks to ensure that it is sufficiently distinct as to reduce possible confusion with other unconnected businesses, particularly those operating in the financial services sector.

                    Amended: January 2022
                    Added: May 2011

                • GR-2.2 GR-2.2 Publication of Documents by the Licensee

                  • GR-2.2.1

                    Any written communication, including stationery, business cards or other business documentation published by the licensee, or used by its employees (agents, representatives, financial advisers or introducers) must include a statement that the licensee is regulated by the CBB and the type of license (administrator).

                    May 2011

              • GR-3 GR-3 Dividends

                • GR-3.1 GR-3.1 CBB Non-Objection

                  • GR-3.1.1

                    Licensees must obtain a letter of no-objection from the CBB to any dividend proposed and prior to submitting a proposal for a distribution of profits to a shareholder vote.

                    May 2011

                  • GR-3.1.2

                    The CBB will grant a no-objection letter where it is satisfied that the level of dividend proposed is unlikely to leave the licensee vulnerable — for the foreseeable future — to breaching the CBB's financial resources requirements, taking into account (as appropriate) trends in the licensee's business volumes, expenses, trend performance and investment environment.

                    May 2011

                  • GR-3.1.3

                    To facilitate the prior approval required under Paragraph GR-3.1.1, licensees subject to Paragraph GR-3.1.1 must provide the CBB with:

                    (a) The licensee's intended percentage and amount of proposed dividends for the coming year;
                    (b) A letter of no objection from the licensee's external auditor on such profit distribution; and
                    (c) A detailed analysis of the impact of the proposed dividend on the capital adequacy requirements outlined in Module CA (Capital Adequacy) and the liquidity position of the licensee.
                    Amended: October 2017
                    May 2011

              • GR-4 GR-4 Business Transfers

                • GR-4.1 GR-4.1 CBB Approval

                  • GR-4.1.1

                    Licensee must seek prior written approval from the CBB before transferring any of its business to a third party.

                    May 2011

                  • GR-4.1.2

                    Rule GR-4.1.1 is intended to apply to circumstances where a licensee wishes to sell all or part of its business to a third party. It does not apply where a licensee is simply transferring client assets to a third party, on instruction from the client concerned.

                    May 2011

                  • GR-4.1.3

                    In all cases, CBB approval to transfer business will only be given where:

                    (a) The transfer of business will not damage or otherwise prejudice the legitimate interests of the licensee's customers;
                    (b) The transferee is duly licensed to undertake the business which it is to receive; and
                    (c) The CBB is satisfied that the transfer will not breach any applicable laws or regulations, and would not create any supervisory concerns.
                    May 2011

                  • GR-4.1.4

                    In assessing the criteria outlined in Paragraph GR-4.1.3, the CBB will, amongst other factors, take into account the financial strength of the transferee; its capacity to manage the business being transferred; its track record in complying with applicable regulatory requirements; and (where applicable) its track record in treating customers fairly. The CBB will also take into account the impact of the transfer on the transferor, and any consequences this may have for the transferor‟s remaining customers.

                    May 2011

                  • GR-4.1.5

                    Licensees seeking to obtain the CBB's permission to transfer business must apply to the CBB in writing, in the form of a covering letter together with supporting attachments. Unless otherwise directed by the CBB, the application must provide:

                    (a) Full details of the business to be transferred;
                    (b) The rationale for the proposed transfer;
                    (c) If applicable, an assessment of the impact of the transfer on any customers directly affected by the transfer, and any mitigating factors or measures;
                    (d) If applicable, an assessment of the impact of the transfer on the transferor's remaining business and customers, and any mitigating factors or measures; and
                    (e) Evidence that the proposed transfer has been duly authorised by the transferor (such as a certified copy of a Board resolution approving the transfer).
                    May 2011

                  • GR-4.1.6

                    Licensees intending to apply to transfer business are advised to contact the CBB at the earliest possible opportunity, prior to submitting a formal application, in order that the CBB may determine the nature and level of documentation to be provided and the need for an auditor or other expert opinion to be provided to support the application. The documentation specified in Paragraph GR-4.1.6 may be varied by the CBB, depending on the nature of the proposed transfer, such as the materiality of the business concerned and its impact on customers.

                    May 2011

                  • GR-4.1.7

                    The CBB's approval may be given subject to any conditions deemed appropriate by the CBB. In all cases where additional requirements are imposed, the CBB shall state the reasons for doing so.

                    May 2011

                  • GR-4.1.8

                    At its discretion, the CBB may require that a notice of proposed transfer of business be published in the Official Gazette, and/or in at least two local daily newspapers (one in Arabic, the other in English), in order to give affected customers the right to comment on the proposed transfer. Where such a requirement has been imposed, the CBB's decision on the application will also be published in the Official Gazette and in at least two local daily newspapers. In all such cases, the costs of publication must be met by the transferor.

                    May 2011

                  • GR-4.1.9

                    Publication under paragraph GR-4.1.8 will generally only be required where a proposed transfer involves a large number of customers or is otherwise deemed necessary in order to protect customer interests.

                    May 2011

                  • GR-4.1.10

                    The requirements in this Chapter are based on the powers available to the CBB in Article 68 of the CBB Law.

                    May 2011

              • GR-5 GR-5 Controllers

                • GR-5.1 GR-5.1 Key Provisions

                  • GR-5.1.1

                    Whenever they are aware of such cases, licensees must obtain prior approval from the CBB, as required under Paragraph BR-2.3.8, for any changes in the percentage holding of a controller or a new controller (as defined in Section GR-5.2).

                    May 2011

                  • GR-5.1.1A

                    Licensees must not incur or otherwise have an exposure (either directly or indirectly) to their controllers, including subsidiaries and associated companies of such controllers.

                    Added: April 2019

                  • GR-5.1.1B

                    For the purpose of Paragraph GR-5.1.1A, licensees that already have an exposure to controllers must have an action plan agreed with the CBB's supervisory point of contact to address such exposures within a timeline agreed with the CBB.

                    Added: April 2019

                  • GR-5.1.2

                    Articles 52 to 56 of the CBB Law require notification to the CBB of all controllers of licensees and of listed companies; it further gives the CBB the right to refuse approval of controllers if deemed damaging to the interests of the market, customers, or in contravention of the criteria set by the CBB.

                    May 2011

                  • GR-5.1.3

                    Requests for approval under Paragraph GR-5.1.1 must be made by submitting a duly completed Form 2 (Application for Authorisation of Controller) to the CBB. Notification must be made by the controller or intended controller, and by the licensee where it is aware of the change.

                    May 2011

                  • GR-5.1.4

                    If, as a result of circumstances outside the licensee's knowledge and/or control, changes specified in Paragraph GR-5.1.1 are triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB no later than 15 calendar days on which those changes have occurred.

                    Amended: January 2017
                    May 2011

                  • GR-5.1.5

                    For approval under Rule GR-5.1.1 to be granted, the applicant must satisfy the CBB that the proposed change in controller poses no undue risks to the licensee or its customers, and is not damaging to the interests of the market, as defined in the suitability criteria for controllers, contained in Section GR-5.3.

                    May 2011

                  • GR-5.1.6

                    An approval of controller is valid for the period specified in the approval letter issued by the CBB. The CBB may impose any restrictions that it considers necessary to be observed when granting its approval.

                    May 2011

                  • GR-5.1.7

                    The approval process is specified in Section GR-5.4.

                    May 2011

                  • GR-5.1.8

                    Licensees must submit, within 3 months of their financial year-end, a report on their controllers. This report must identify all controllers of the licensee, as defined in Section GR-5.2.

                    May 2011

                • GR-5.2 GR-5.2 Definition of Controller

                  • GR-5.2.1

                    A controller of a licensee is a natural or legal person who, either alone or with his associates:

                    (a) Holds 10% or more of the shares in the licensee ('L'), or is able to exercise (or control the exercise of) more than 10% of the voting power in L; or
                    (b) Holds 10% or more of the shares in a parent undertaking ('P') of L, or is able to exercise (or control the exercise of) more than 10% of the voting power in P; or
                    (c) Is able to exercise significant influence over the management of L or P.
                    May 2011

                  • GR-5.2.2

                    For the purposes of Paragraph GR-5.2.1, 'associate' includes:

                    (a) In the case of natural persons, the spouse or child of the controller;
                    (b) An undertaking of which a controller is a Director;
                    (c) A person who is an employee or partner of the controller; and
                    (d) If the controller is a corporate entity, a Director of the controller, a subsidiary of the controller, or a Director of any subsidiary undertaking of the controller.
                    May 2011

                  • GR-5.2.3

                    Associate also includes any other person or undertaking with which the controller has entered into an agreement or arrangement as to the acquisition, holding or disposal of shares or other interests in the licensee, or under which they undertake to act together in exercising their voting power in relation to the licensee.

                    May 2011

                • GR-5.3 GR-5.3 Suitability of Controllers

                  • GR-5.3.1

                    All new controllers or prospective controllers (as defined in Section GR-5.2) of a Bahraini specialised licensee must obtain the approval of the CBB. Any increases to existing controllers' holdings or voting control (as outlined under Paragraph BR-2.3.8) must also be approved by the CBB and are subject to the conditions outlined in this Section. Such changes in existing controllers (as defined in the Section GR-5.2) or new/prospective controllers of a licensee must satisfy the CBB of their suitability and appropriateness according to the criteria outlined in Paragraphs GR-5.3.2 to GR-5.3.5. The CBB will issue an approval notice or notice of refusal of a controller according to the approval process outlined in Section GR-5.4 and Paragraph GR-5.1.6.

                    Amended: April 2012
                    May 2011

                  • GR-5.3.1A

                    In line with Resolution No.(43) of 2011, the CBB may require, on a case-by-case basis, and at its sole discretion that at least one of the controllers is a regulated financial institution holding at least 20% of the licensee's shares.

                    Added: April 2012

                  • GR-5.3.2

                    In assessing the suitability of controllers who are natural persons, the CBB has regard to their professional and personal conduct, including, but not limited to, the following:

                    (a) The propriety of a person's conduct, whether or not such conduct resulted in conviction for a criminal offence, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
                    (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
                    (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
                    (d) Whether the person has been the subject of any disciplinary proceeding by any government authority, regulatory agency or professional body or association;
                    (e) The contravention of any financial services legislation or regulation;
                    (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
                    (g) Dismissal or a request to resign from any office or employment;
                    (h) Disqualification by a court, regulator or other competent body, as a Director or as a manager of a corporation;
                    (i) Whether the person has been a Director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners or managers have been declared bankrupt whilst the person was connected with that partnership or corporation;
                    (j) The extent to which the person, has been truthful and open with regulators;
                    (k) Whether the person has ever been adjudged bankrupt, entered into any arrangement with creditors in relation to the inability to pay due debts, or failed to satisfy a judgement debt under a court order or has defaulted on any debts;
                    (l) The financial resources of the person and the likely stability of their shareholding, and their track record as a controller or significant investor in financial institutions;
                    (m) Existing Directorships or ownership of more than 20% of the capital or voting rights of any financial institution in the Kingdom of Bahrain or elsewhere, and the potential for conflicts of interest that such Directorships or ownership may imply;
                    (n) The legitimate interests of investors, creditors and shareholders (including minority shareholders) of the licensee;
                    (o) Whether the approval of a controller is or could be detrimental to Bahrain's financial sector; and
                    (p) Whether the person is able to deal with existing shareholders and the Board in a constructive and co-operative manner.
                    May 2011

                  • GR-5.3.3

                    Natural persons who intend to take a stake of 20% or more in a licensee are subject to enhanced scrutiny, given the CBB's position as home supervisor of such licensees. The level of scrutiny and the expected compliance with the above standards become more onerous as the level of proposed ownership increases. Natural persons will not normally be approved to take majority control (i.e. a stake of 50% or more of either the capital or voting rights) of a licensee.

                    Amended: April 2012
                    May 2011

                  • GR-5.3.4

                    In assessing the suitability of controllers who are legal persons, CBB has regard to their financial standing, judicial and regulatory record, and standards of business practice and reputation, including, but not limited to, the following:

                    (a) The financial strength of the controller, its parent(s) and other members of its group, its implications for the licensee and the likely stability of the controller's shareholding;
                    (b) Whether the controller or members of its group has ever entered into any arrangement with creditors in relation to the inability to pay due debts;
                    (c) The controller's jurisdiction of incorporation, location of Head Office, group structure and close links, and the implications for the licensee as regards effective supervision of the licensee and potential conflicts of interest;
                    (d) The controller's (and other group members') propriety and general standards of business conduct, including the contravention of any laws or regulations, or the institution of disciplinary proceedings by a government authority, regulatory agency or professional body;
                    (e) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct;
                    (f) Any criminal actions instigated against the controller or other members of its group, whether or not this resulted in an adverse finding;
                    (g) The extent to which the controller or other members of its group have been truthful and open with regulators and supervisors;
                    (h) Whether the person has ever been refused a license, authorisation, registration or other authority;
                    (i) The person's track record as a controller or investor in financial institutions;
                    (j) The legitimate interests of investors, creditors and shareholders of the licensee;
                    (k) Whether their approval as a controller is or could be detrimental to Bahrain's financial sector; and
                    (l) Whether the person is able to deal with existing shareholders and the Board in a constructive manner.
                    May 2011

                  • GR-5.3.5

                    Legal persons who intend to take a stake of 20% or more in a licensee are subject to enhanced scrutiny, given the CBB's position as home supervisor of such licensees. The level of scrutiny and of expected compliance with the above standards becomes more onerous as the level of proposed ownership increases. In particular, unregulated legal persons will not normally be approved to take majority control (i.e. a stake of 50% or more of either the capital or voting rights of a licensee, unless the proposed parent is a well-established business (that satisfies the above conditions), and its ownership would not pose undue conflicts of interest. Regulated legal persons will normally only be approved to take majority control where — in addition to the above conditions — the resulting group would be subject to effective consolidated supervision in accordance with relevant international standards; and the home supervisor of the parent entity has agreed to the proposed acquisition, as well as to the sharing of relevant prudential information for supervisory purposes (expressed, if necessary, through the signing of a Memorandum of Understanding between the CBB and the home supervisor, setting out their respective supervisory responsibilities).

                    Amended: April 2012
                    May 2011

                  • GR-5.3.6

                    The CBB may contact references and supervisory bodies in connection with any information provided to support an application for controller. The CBB may also ask for further information, in addition to that provided in the Form 2, if required to satisfy itself as to the suitability of the applicant.

                    May 2011

                • GR-5.4 GR-5.4 Approval Process

                  • GR-5.4.1

                    Within 3 months of receipt of an approval request under Paragraph GR-5.1.1, the CBB will issue a written notice of approval (or of refusal, if it is not satisfied that the person concerned is suitable to become a controller of the licensee). The notice of refusal will specify the reasons for the objection and specify the applicant's right of appeal. Where an approval notice is given, it will specify the period for which it is valid and any conditions that may be applied.

                    May 2011

                  • GR-5.4.2

                    Article 53 allows the CBB up to 3 months in which to respond to an application, although the CBB normally aims to respond within 30 calendar days. Notices of refusal have to be approved by an Executive Director of the CBB. The applicant has 30 calendar days from the date of a notice in which to appeal a decision to refuse the application or any conditions imposed as a condition of approval. The CBB then has 30 calendar days from the date of the appeal in which to consider any mitigating evidence submitted and make a final determination. See Module EN (Enforcement).

                    May 2011

                  • GR-5.4.3

                    Where a person has become a controller by virtue of their shareholding in contravention of Paragraph GR-5.1.1, or a notice of refusal has been served on them under Paragraph GR-5.4.1 and the period of appeal has expired, the CBB may, by notice in writing served on the person concerned, instruct the person concerned to transfer such shares, or refrain from exercising voting rights in respect of such shares.

                    May 2011

                  • GR-5.4.4

                    If the person concerned fails to take the action specified under Paragraph GR-5.4.3, then the CBB may seek a court order to take appropriate measures: these may include forcing the person to sell their shares.

                    May 2011

                  • GR-5.4.5

                    The powers available to the CBB that are described in Paragraphs GR-5.4.3 and GR-5.4.4 are specified in Article 56 of the CBB Law.

                    May 2011

                  • GR-5.4.6

                    In addition to the above requirements, licensees are encouraged to notify the CBB as soon as they become aware of events that are likely to lead to major changes in their controllers. Any supervisory implications of such changes can then be discussed prior to the filing of a formal approval request.

                    May 2011

              • GR-6 GR-6 Close Links

                • GR-6.1 GR-6.1 Key Provisions

                  • GR-6.1.1

                    Condition 3 of the CBB‟s licensing conditions specifies, amongst other things, that licensees must satisfy the CBB that their close links do not prevent the effective supervision of the licensee and otherwise pose no undue risks to the licensee. (See Paragraph AU-2.3.1).

                    May 2011

                  • GR-6.1.2

                    Applicants for a license must provide details of their close links, as provided for under Form 1 (Application for a License). (See Paragraph AU-5.1.1).

                    May 2011

                  • GR-6.1.3

                    Licensees must submit to the CBB, within 3 months of their financial year-end, a report on their close links. The report must identify all undertakings closely linked to the licensee, as defined in Section GR-6.2.

                    May 2011

                • GR-6.2 GR-6.2 Definition of Close Links

                  • GR-6.2.1

                    A licensee ('L') has close links with another undertaking ('U'), if:

                    (a) U is a parent undertaking of L;
                    (b) U is a subsidiary undertaking of L;
                    (c) U is a subsidiary undertaking of a parent undertaking of L;
                    (d) U, or any other subsidiary undertaking of its parent, owns or controls 20% or more of the voting rights or capital of L; or
                    (e) L, any of its parent or subsidiary undertakings, or any of the subsidiary undertakings of its parent, owns or controls 20% or more of the voting rights or capital of U.
                    May 2011

                • GR-6.3 GR-6.3 Assessment Criteria

                  • GR-6.3.1

                    In assessing whether a licensee's close links may prevent the effective supervision of the firm, or otherwise poses no undue risks to the licensee, the CBB takes into account the following:

                    (a) Whether the CBB will receive adequate information from the licensee, and those with whom the licensee has close links, to enable it to determine whether the licensee is complying with CBB requirements;
                    (b) The structure and geographical spread of the licensee, its group and other undertakings with which it has close links, and whether this might hinder the provision of adequate and reliable flows of information to the CBB, for instance because of operations in territories which restrict the free flow of information for supervisory purposes; and
                    (c) Whether it is possible to assess with confidence the overall financial position of the group at any particular time, and whether there are factors that might hinder this, such as group members having different financial year ends or auditors, or the corporate structure being unnecessarily complex and opaque.
                    May 2011

              • GR-7 GR-7 Cessation of Business

                • GR-7.1 GR-7.1 CBB Approval

                  • GR-7.1.1

                    As specified in Article 50 of the CBB Law, a licensee wishing to cease to provide or suspend all or any of its licensed regulated services, completely or at any of its branches, must obtain prior written approval from the CBB.

                    Amended: April 2012
                    May 2011

                  • GR-7.1.2

                    If the licensee wishes to transfer client assets to a third party, it must also comply with the requirements contained in Chapter GR-4.

                    Amended: April 2012
                    May 2011

                  • GR-7.1.2A

                    If the licensee wishes to liquidate its business, the CBB will revise its license to restrict the firm from entering into new business. The licensee must continue to comply with all applicable CBB requirements until such time as it is formally notified by the CBB that its obligations have been discharged and that it may surrender its license.

                    Added: April 2012

                  • GR-7.1.3

                    Licensees seeking to obtain the CBB's permission to cease business must apply to the CBB in writing, in the form of a formal request together with supporting documents. Unless otherwise directed by the CBB, the following requirements must be provided in support of the request:

                    (a) Full details of the business to be terminated;
                    (b) The rationale for the cessation;
                    (c) How the licensee proposes to cease business;
                    (d) Notice of an Extraordinary Meeting setting out the agenda to discuss and approve the cessation, and inviting the CBB for such meeting;
                    (e) Evidence that the proposed cessation has been duly authorised by the licensee (such as a certified copy of a Board resolution approving the cessation);
                    (f) Formal request to the CBB for the appointment of a liquidator acceptable to the CBB;
                    (g) A cut-off date by which the licensee will stop its operations;
                    (h) If the licensee wishes to cease its whole business, confirmation that the licensee will not enter into new business with effect from the cut-off date;
                    (i) Once the CBB has given its approval to an application to cease business, the licensee must publish a notice of its intention to cease business in two local daily newspapers (one in Arabic, the other in English). Notices must also be displayed in the premises (including any branch offices) of the licensee concerned. These notices must be given not less than 30 calendar days before the cessation is to take effect, and must include such information as the CBB may specify;
                    (j) The audited accounts of the licensee as of the last date on which it stopped operations. The commencement of such accounts should be the beginning of the financial year of the licensee;
                    (k) If applicable, an assessment of the impact of the cessation on any customers directly affected by the cessation, and any mitigating factors or measures;
                    (l) If applicable, an assessment of the impact of the cessation on the licensee's remaining business and customers, and any mitigating factors or measures; and
                    (m) The final liquidator's report of the licensee.
                    Amended: April 2012
                    May 2011

                  • GR-7.1.4

                    Licensees intending to apply to cease business are advised to contact the CBB at the earliest possible opportunity, prior to submitting a formal application, in order that the CBB may determine the nature and level of documentation to be provided and the need for an auditor or other expert opinion to be provided to support the application. The documentation specified in Paragraph GR-7.1.3 may be varied by the CBB, depending on the nature of the proposed cessation, such as the materiality of the business concerned and its impact on customers.

                    May 2011

                  • GR-7.1.5

                    Approval to cease business will generally be given where adequate arrangements have been made to offer alternative arrangements to any affected customers. The CBB's approval may be given subject to any conditions deemed appropriate by the CBB. In all cases where additional requirements are imposed, the CBB shall state the reasons for doing so.

                    May 2011

                  • GR-7.1.6

                    The notice referred to in Subparagraph GR-7.1.3 (i) must include a statement that written representations concerning the liquidation may be submitted to the CBB before a specified day, which shall not be later than thirty calendar days after the day of the first publication of the notice. The CBB will not decide on the application until after considering any representations made to the CBB before the specified day.

                    Amended: April 2012
                    May 2011

                  • GR-7.1.7

                    Upon satisfactorily meeting the requirements set out in GR-7.1.3, the licensee must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its Commercial Registration from the Ministry of Industry and Commerce.

                    Amended: April 2020
                    Added: May 2011

                  • GR-7.1.8

                    Where the CBB has given its approval to cancel or amend a license, then it will also publish its decision in the Official Gazette, as well as in two local daily newspapers (one in Arabic, the other in English), once this decision has been implemented.

                    Amended: April 2012
                    May 2011

                  • GR-7.1.8A

                    The publication cost of the notices referred to in Paragraph GR-7.1.8 is to be met by the licensee concerned.

                    Added: April 2012

                  • GR-7.1.9

                    The licensee must continue to comply with all applicable CBB requirements, until such time as it is formally notified by the CBB that its obligations have been discharged.

                    May 2011

                  • GR-7.1.10

                    A licensee in liquidation must continue to meet its contractual and regulatory obligations to customers and creditors.

                    May 2011

                  • GR-7.1.11

                    If no objections to the liquidation are upheld by the CBB, the CBB may then issue a written notice of approval for the surrender of the license.

                    Added: April 2012

                  • GR-7.1.12

                    Upon satisfactorily meeting the requirements set out in GR-7.1.3, the licensees must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its commercial registration from the Ministry of Industry, Commerce and Tourism.

                    Amended: April 2020
                    Added: October 2016

              • GR-8 GR-8 Professional Indemnity Coverage

                • GR-8.1 GR-8.1 Key Provisions

                  • GR-8.1.1

                    Licensees must maintain professional indemnity coverage. The professional indemnity coverage must be obtained from an insurance firm acceptable to the CBB and licensed in the Kingdom of Bahrain.

                    May 2011

                  • GR-8.1.2

                    Upon request, licensees must provide to the CBB evidence of the coverage in force required under Paragraph GR-8.1.1.

                    May 2011

                  • GR-8.1.3

                    A licensee is encouraged to assess its insurance needs, through professional advice, to ensure its adequacy to the level of business undertaken, notwithstanding the minimum limit of indemnity.

                    May 2011

                  • GR-8.1.4

                    The minimum limit of indemnity is BD 75,000.

                    May 2011

                  • GR-8.1.5

                    The maximum excess or deductible allowable under the policy shall be BD 15,000.

                    May 2011

                  • GR-8.1.6

                    In accordance with Paragraph EN-B.3.1, licensees may not enter into or make a claim under a contract of insurance that is intended to, or has the effect of, indemnifying them from the financial penalties provided for in Module EN.

                    May 2011

                  • GR-8.1.7

                    The requirement to maintain insurance coverage will normally be met by the licensee concerned obtaining an insurance policy from an insurance firm. The CBB may also accept an insurance policy issued at group level, e.g. issued with respect to the parent of the licensee, provided the terms of the policy explicitly provide coverage with respect to the licensee.

                    May 2011

                  • GR-8.1.8

                    Unless otherwise agreed in writing with the CBB, the policy must contain a clause that it may not be cancelled or lapsed without the prior approval of the CBB. The policy must also contain a provision for an automatic extended reporting period in the event that the policy is cancelled or lapsed, such that claims relating to the period during which the policy was in force may subsequently still be reported.

                    May 2011

              • GR-9 GR-9 Outsourcing Requirements

                • GR-9.1 GR-9.1 Outsourcing Arrangements

                  • GR-9.1.1

                    This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

                    Amended: July 2022
                    May 2011

                  • GR-9.1.2

                    In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

                    Amended: July 2022
                    Amended: October 2017
                    May 2011

                  • GR-9.1.3

                    In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

                    i. The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; and
                    ii. The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.
                    Amended: July 2022
                    May 2011

                  • GR-9.1.4

                    The licensee must not outsource the following functions:

                    (i) Compliance;
                    (ii) AML/CFT;
                    (iii) Financial control;
                    (iv) Risk management; and
                    (v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).
                    Amended: July 2022
                    May 2011

                  • GR-9.1.5

                    For the purposes of Paragraph GR-9.1.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph GR-9.1.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.

                    Amended: July 2022
                    May 2011

                  • GR-9.1.6

                    Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph GR-9.1.4 (iv), subject to CBB’s prior approval.

                    Amended: July 2022
                    Amended: October 2017
                    May 2011

                  • GR-9.1.7

                    Licensees must comply with the following requirements:

                    (i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:
                    a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and
                    b. be made at least 30 calendar days before the licensee intends to commit to the arrangement.
                    (ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.
                    (iii) Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.
                    (iv) Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of the licensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.
                    (v) Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement.
                    (vi) Licensee must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.
                    (vii) Licensee must inform its normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.
                    Amended: July 2022
                    May 2011

                  • GR-9.1.8

                    For the purpose of Subparagraph GR-9.1.7 (iv), licensees as part of their assessments may use the following:

                    a) Independent third-party certifications on the outsourcing service provider’s security and other controls;
                    b) Third-party or internal audit reports of the outsourcing service provider; and
                    c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.

                    When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.

                    Amended: July 2022
                    May 2011

                  • GR-9.1.9

                    For the purpose of Subparagraph GR-9.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.

                    Amended: July 2022
                    Amended: October 2017
                    May 2011

                • GR-9.2 [This Section was deleted in July 2022]

                • GR-9.3 [This Section was deleted in July 2022]

                • GR-9.4 [This Section was deleted in July 2022]

          • Business Standards

            • CA CA Administrators Capital Adequacy and Liquidity Module

              • CA-A CA-A Introduction

                • CA-A.1 CA-A.1 Purpose

                  • Executive Summary

                    • CA-A.1.1

                      This Module lays down requirements that apply to all administrators licensees, with respect to the minimum level of capital and liquidity they must maintain.

                      May 2011

                    • CA-A.1.2

                      Principle 9 of the Principles of Business requires that licensees maintain adequate human, financial and other resources, sufficient to run their business in an orderly manner (see Section PB-1.1.9).

                      May 2011

                  • Legal Basis

                    • CA-A.1.3

                      This Module contains the Central Bank of Bahrain ('CBB') Directive (as amended from time to time) relating to the capital adequacy and liquidity requirements of administrators licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law').

                      May 2011

                    • CA-A.1.4

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      May 2011

                • CA-A.2 CA-A.2 Module History

                  • Evolution of Module

                    • CA-A.2.1

                      This Module was first issued in May 2011 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      May 2011

                    • CA-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      CA-1.2.5 01/2023 Amended Paragraph on liquidity requirements.
                      CA-1.2.6 01/2023 Deleted Paragraph.
                      CA-1.2.7 01/2023 Deleted Paragraph.
                      CA-1.2.8 01/2023 Deleted Paragraph.
                           
                           

              • CA-B CA-B Scope of Application

                • CA-B.1 CA-B.1 Scope of Application

                  • CA-B.1.1

                    The content of this Module applies to all administrators licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

                    May 2011

              • CA-1 CA-1 Capital Adequacy and Liquidity Requirements

                • CA-1.1 CA-1.1 General Requirements

                  • Obligation to Maintain Adequate Capital and Liquidity

                    • CA-1.1.1

                      In accordance with Principle of Business 9 (Section PB-1.1.9), licensees must maintain adequate human, financial and other resources sufficient to run their business in an orderly manner.

                      May 2011

                    • CA-1.1.2

                      In addition to the minimum capital and liquidity requirements specified in Section CA-1.2, the CBB may, at its discretion, require licensees to hold additional capital and/or liquidity, should this be necessary in the CBB's view.

                      May 2011

                    • CA-1.1.3

                      Licensees are required to maintain, at all times, the minimum capital and liquidity requirements specified in Section CA-1.2.

                      May 2011

                    • CA-1.1.4

                      No funds may be withdrawn by shareholders from the licensee without the necessary prior written approval of the CBB.

                      May 2011

                    • CA-1.1.5

                      In the event that a licensee fails to meet any of the requirements specified in this Module, it must, on becoming aware that it has breached these requirements, immediately notify the CBB in writing. Unless otherwise directed, the licensee must in addition submit to the CBB, within 30 calendar days of its notification, a plan demonstrating how it will achieve compliance with these requirements.

                      May 2011

                    • CA-1.1.6

                      Should a licensee fail to comply with the requirements of this Module, the CBB may impose enforcement measures, as described in Module EN.

                      May 2011

                • CA-1.2 CA-1.2 Minimum Capital and Liquidity Requirements

                  • Key Requirements

                    • CA-1.2.1

                      Licensees must ensure that, at all times, their minimum capital and liquidity meet the requirements stipulated in this Section.

                      May 2011

                  • Capital Requirements

                    • CA-1.2.2

                      For those licensees whose regulated administration services are those outlined for fund administrators in Paragraph AU-1.1.11, the minimum paid up capital is BD 40,000.

                      May 2011

                    • CA-1.2.3

                      For those licensees whose regulated administration services are those outlined for registrars in Paragraph AU-1.1.12, the minimum paid up capital is BD 20,000.

                      May 2011

                    • CA-1.2.4

                      A licensee's liabilities should not exceed threefold the total of:

                      (a) Paid up capital;
                      (b) Statutory reserve;
                      (c) General reserves; and
                      (d) Retained Earnings.
                      May 2011

                  • Liquidity Requirements

                    • CA-1.2.5

                      Licensees whose regulated administration services are those outlined for fund administrators and registrars in Paragraphs AU-1.1.11 and AU-1.1.12 respectively, must maintain adequate liquid funds representing 25% of operating expenses incurred in the preceding financial year at all times in the form of cash or liquid assets that can be converted to cash in the short-term to cover its operating expenses.

                      Amended: January 2023
                      May 2011

                    • CA-1.2.6

                      [This Paragraph was deleted on January 2023].

                      Deleted: January 2023
                      May 2011

                    • CA-1.2.7

                      [This Paragraph was deleted on January 2023].

                      Deleted: January 2023
                      May 2011

                    • CA-1.2.8

                      [This Paragraph was deleted on January 2023].

                      Deleted: January 2023
                      May 2011

          • Reporting Requirements

            • BR BR Administrators CBB Reporting Module

              • BR-A BR-A Introduction

                • BR-A.1 BR-A.1 Purpose

                  • Executive Summary

                    • BR-A.1.1

                      This Module sets out requirements applicable to administrators licensees regarding reporting to the Central Bank of Bahrain ('CBB'). These include the provision of financial information to the CBB, as well as notification to the CBB of certain specified events, some of which require prior CBB approval. This Module also outlines the methods used by the CBB in gathering information required in the supervision of administrators licensees.

                      May 2011

                  • Legal Basis

                    • BR-A.1.2

                      This Module contains the Central Bank of Bahrain ('CBB') Directive (as amended from time to time) regarding CBB Reporting requirements applicable to administrators licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law').

                      May 2011

                    • BR-A.1.3

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

                      May 2011

                • BR-A.2 BR-A.2 Module History

                  • Evolution of Module

                    • BR-A.2.1

                      This Module was first issued in May 2011. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made: UG-3 provides further details on Rulebook maintenance and version control.

                      May 2011

                    • BR-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      BR-3.1.1A and BR-3.1.1B 04/2012 Added Paragraphs to clarify Rules on power to request information.
                      BR-3.3.1 and BR-3.4 04/2012 Minor corrections.
                      BR-3.5 04/2012 New Section added to include material transferred from common Chapters EN-2 and AA-5
                      BR-1.1.9 and BR-2.2.18 10/2012 Updated reference to CBB Rulebook Volume 7 (CIU).
                      BR-1.1.13 01/2013 Clarified deadline to update IIS.
                      BR-1.1.15 and BR-1.1.16 04/2013 Added new Paragraphs to include reporting requirements on controllers and close links as per Rules contained under Module GR.
                      BR-3.5.14 07/2013 Amended numbering of referred appendix.
                      BR-1.1.1A 10/2019 Added a new Paragraph on disclosure of financial penalties.
                      BR-2.3.10 01/2020 Amended Paragraph.
                      BR-2.3.11 01/2020 Amended Paragraph.
                      BR-2.3.14 01/2023 Deleted Paragraph on CBB approval for outsourcing of functions.

              • BR-B BR-B Scope of Application

                • BR-B.1 BR-B.1 Scope of Application

                  • BR-B.1.1

                    The content of this Module applies to all administrators licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

                    May 2011

              • BR-1 BR-1 Reporting Requirements

                • BR-1.1 BR-1.1 General Requirements

                  • Audited Financial Statements

                    • BR-1.1.1

                      As specified in Article 62 of the CBB Law, a licensee must submit to the CBB its final audited financial statements within 3 months of the licensee's financial year-end

                      May 2011

                    • BR-1.1.1A

                      In accordance with Paragraphs EN-B.4.5 and EN-5.2.2, licensees must disclose in their annual audited financial statements the amount of any financial penalties paid to the CBB, together with a factual description of the reason(s) given by the CBB for the penalty. Licensees which fail to comply with this requirement will be required to make the disclosure in the annual audited financial statements of the subsequent year and will be subject to an enforcement action for non-disclosure.

                      Added: October 2019

                  • Suspicious Transaction Reports (STR)

                    • BR-1.1.2

                      As per Rule FC-5.2.4, licensees must report all suspicious transactions or attempted transactions to the Financial Intelligence Unit at the Ministry of Interior and to the Compliance Directorate at the CBB.

                      May 2011

                    • BR-1.1.3

                      As per Rule FC-1.8.2 licensees must make a suspicious transaction report to the Compliance Directorate at the CBB and the Financial Intelligence Unit at the Ministry of Interior, if they are approached by a shell bank or an institution they suspect of being a shell bank.

                      May 2011

                    • BR-1.1.4

                      As per Rule FC-5.2.3, if licensees suspect that a person has been engaged in money laundering or terrorism financing, or the activity concerned is regarded as suspicious, the licensee must report the fact promptly to the Financial Intelligence Unit at the Ministry of Interior and copy the Compliance Directorate at the CBB. The reports must be made using the STR Form and related instructions, included in Part B of Volume 5.

                      May 2011

                    • BR-1.1.5

                      As per Section FC-8.1, when dealing with entities or persons domiciled in countries or territories which are identified by the FATF as being non-cooperative or notified to licensees from time to time by the CBB, whenever the licensee has suspicions about the transaction, these must be reported to the Financial Intelligence Unit at the Ministry of Interior and the Compliance Directorate at the CBB.

                      May 2011

                    • BR-1.1.6

                      As per Rule FC-8.3.3, licensees must report to the Financial Intelligence Unit at the Ministry of Interior and the Compliance Directorate at the CBB, using the procedures contained in Section FC-5.2, details of any accounts or other dealings with persons and entities designated by the CBB as potentially linked to terrorist activity.

                      May 2011

                  • Reports Prepared by the MLRO

                    • BR-1.1.7

                      As per Rule FC-4.3.1(a) and (b), licensees must arrange for their MLRO to produce a report containing the number of internal reports made in accordance with Section FC-5.1, a breakdown of all the results of those internal reports and their outcomes for each segment of the licensee's business, and an analysis of whether controls or training need to be enhanced and a report, indicating the number of external reports made in accordance with Section FC-5.2 and, where a licensee has made an internal report but not made an external report, noting why no external report was made. These reports are to be submitted to the CBB by the 30th of April of the following year.

                      May 2011

                  • Report of Fraud or Attempted Fraud

                    • BR-1.1.8

                      Licensees must report any actual or attempted fraud incident (however small) to the appropriate authorities (including the CBB) (ref. FC-11.1).

                      May 2011

                  • Reports Required as per Volume 7 (CIU)

                    • BR-1.1.9

                      Licensees must comply with any reporting requirements applicable to them as stipulated in CBB Rulebook Volume 7 (CIU).

                      Amended: October 2012
                      May 2011

                  • Reports Prepared by the External Auditor

                    • BR-1.1.10

                      As per Rule FC-4.3.1(d), licensees must arrange for their external auditor to produce a report as to the quality of the licensee's anti-money laundering procedures, systems and controls, and compliance with the AML Law and Module FC (Financial Crime) to be submitted to the CBB by the 30th of April of the following year.

                      May 2011

                  • Terrorist Financing

                    • BR-1.1.11

                      As per Rule FC-8.2.4, licensees must report to the Compliance Directorate at the CBB, details of:

                      (a) Funds or other financial assets or economic resources they have with them which may be the subject of Article 1, paragraphs (c) and (d) of UNSCR 1373; and
                      (b) All claims, whether actual or contingent, which the licensee has on persons and entities which may be the subject of Article 1, paragraphs (c) and (d) of UNSCR 1373.
                      May 2011

                  • Annual License Fee

                    • BR-1.1.12

                      Licensees must complete and submit Form ALF (Annual License Fee) to the CBB, no later than 30 April each year, together with the payment due under Rule AU-5.2.1.

                      May 2011

                  • Institutional Information System (IIS)

                    • BR-1.1.13

                      Licensees are required to complete online non-financial information related to their institution by accessing the CBB's institutional information system (IIS). Licensees must update the required information at least on a quarterly basis or when a significant change occurs in the non-financial information included in the IIS. If no information has changed during the quarter, the licensee must still access the IIS quarterly and confirm the information contained in the IIS. Licensees must ensure that they access the IIS within 20 calendar days from the end of the related quarter and either confirm or update the information contained in the IIS.

                      Amended: January 2013
                      May 2011

                    • BR-1.1.14

                      Licensees failing to comply with the requirements of Paragraph BR-1.1.13 or reporting inaccurate information are subject to financial penalties or other enforcement actions as outlined in Module (EN) Enforcement

                      May 2011

                  • Report on Controllers

                    • BR-1.1.15

                      In accordance with Paragraph GR-5.1.8, licensees must submit, within 3 months of their financial year-end, a report on their controllers which must identify all controllers of the licensee, as defined under Section GR-5.2.

                      Added: April 2013

                  • Report on Close Links

                    • BR-1.1.16

                      In accordance with Paragraph GR-6.1.3, licensees must submit within 3 months of their financial year-end, a report on their close links which must identify all undertakings closely linked to the licensee, as defined under Section GR-6.2.

                      Added: April 2013

              • BR-2 BR-2 Notifications and Approvals

                • BR-2.1 BR-2.1 Introduction

                  • BR-2.1.1

                    All notifications and approvals required in this Chapter are to be submitted by licensees in writing.

                    May 2011

                  • BR-2.1.2

                    In this Module, the term 'in writing' includes electronic communication capable of being reproduced in paper form.

                    May 2011

                  • BR-2.1.3

                    A licensee must make the notifications and approvals required in Chapter BR-2 immediately it becomes aware, or has information which reasonably suggests, that any of the matters in Chapter BR-2 have occurred, may have occurred or may occur in the near future.

                    May 2011

                  • BR-2.1.4

                    Licensees are required to provide the CBB with a range of information to enable it to monitor the licensee's compliance with Volume 5 of the CBB Rulebook. Some of this information is provided through regular reports, whereas others are in response to the occurrence of a particular event (such as a change in name or address). The following sections list the commonly occurring reports for which a licensee will be required to notify the CBB or seek its approval.

                    May 2011

                • BR-2.2 BR-2.2 Notification Requirements

                  • Matters Having a Serious Supervisory Impact

                    • BR-2.2.1

                      A licensee must notify the CBB if any of the following has occurred, may have occurred or may occur in the near future:

                      (a) The licensee failing to satisfy one or more of the Principles of Business referred to in Module PB;
                      (b) Any matter which could have a significant adverse impact on the licensee's reputation;
                      (c) Any matter which could affect the licensee's ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the licensee;
                      (d) Any matter in respect of the licensee that could result in material financial consequences to the financial system or to other licensees;
                      (e) Any breach of any provision of the Rulebook (including a Principle);
                      (f) A breach of any requirement imposed by the relevant law or by regulations or an order made under any relevant law by the CBB; or
                      (g) If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way, it must notify the CBB immediately (ref. BR-3.3.2).
                      May 2011

                    • BR-2.2.2

                      The circumstances that may give rise to any of the events in Paragraph BR-2.2.1 are wide-ranging and the probability of any matter resulting in such an outcome, and the severity of the outcome, may be difficult to determine. However, the CBB expects licensees to consider properly all potential consequences of events.

                      May 2011

                    • BR-2.2.3

                      In determining whether an event that may occur in the near future should be notified to the CBB, a licensee should consider both the probability of the event happening and the severity of the outcome should it happen. Matters having a supervisory impact could also include matters relating to a parent undertaking or controller that may indirectly have an effect on the licensee.

                      May 2011

                  • Legal, Professional, Administrative or other Proceedings Against a Fund Administration Licensee

                    • BR-2.2.4

                      A licensee must notify the CBB immediately of any legal, professional or administrative or other proceedings instituted against the licensee, controller or a close link including a parent undertaking of the licensee that is known to the licensee and is significant in relation to the licensee's financial resources or its reputation.

                      May 2011

                    • BR-2.2.5

                      A licensee must notify the CBB of the bringing of a prosecution for, or conviction of, any offence under any relevant law against the licensee that would prevent the licensee from meeting the Principles of Business (Module PB) or any of its Directors, officers or approved persons from meeting the fit and proper requirements of Module AU.

                      May 2011

                  • Fraud, Errors and other Irregularities

                    • BR-2.2.6

                      A licensee must notify the CBB immediately if one of the following events arises and the event is significant:

                      (a) It becomes aware that an employee may have committed a fraud against one of its customers;
                      (b) It becomes aware that a person, whether or not employed by it, is acting with intent to commit fraud against it;
                      (c) It identifies irregularities in its accounting or other records, whether or not there is evidence of fraud;
                      (d) It suspects that one of its employees may be guilty of serious misconduct concerning his honesty or integrity and which is connected with the licensee's regulated or ancillary activities; or
                      (e) Any conflicts of interest.
                      May 2011

                  • Insolvency, Bankruptcy and Winding Up

                    • BR-2.2.7

                      Except in instances where the CBB has initiated the following actions, a licensee must notify the CBB immediately of any of the following events:

                      (a) The calling of a meeting to consider a resolution for winding up the licensee, a controller or close link, including a parent undertaking of the licensee;
                      (b) An application to dissolve a controller or close link, including a parent undertaking of the licensee or to strike the licensee off the Register of Fund Administrators;
                      (c) The presentation of a petition for the winding up of a controller or close link, including a parent undertaking of the licensee;
                      (d) The making of any proposals, or the making of, a composition or arrangement with any one or more of the licensee's creditors, for material amounts of debt;
                      (e) An application for the appointment of an administrator or trustee in bankruptcy to a controller or close link, including a parent undertaking of the licensee;
                      (f) The appointment of a receiver to a controller or close link, including a parent undertaking of the licensee (whether an administrative receiver or a receiver appointed over particular property); or
                      (g) An application for an interim order against the licensee, a controller or close link, including a parent undertaking of the licensee under the Bankruptcy and Composition Law of 1987 or similar legislation in another jurisdiction.
                      May 2011

                  • Other Supervisors

                    • BR-2.2.8

                      A licensee must notify the CBB immediately if it becomes subject to or ceases to be subject to the supervision of any overseas supervisor (including a home supervisor).

                      May 2011

                    • BR-2.2.9

                      The supervisory regime and any legislative or foreign provisions to which that licensee, is subject, influence the CBB's approach to the supervision of the licensee.

                      May 2011

                  • External Auditor

                    • BR-2.2.10

                      A licensee must notify the CBB of the following:

                      (a) Removal or resignation of auditor (ref. AA-1.2.1); or
                      (b) Change in audit partner (ref. AA-1.3.3).
                      May 2011

                  • Approved Persons

                    • BR-2.2.11

                      A licensee must notify the CBB of the termination of employment of approved persons, including particulars of reasons for the termination and arrangements with regard to replacement (ref. AU-4.3.5).

                      May 2011

                    • BR-2.2.12

                      Licensees must immediately notify the CBB when they become aware of any of the events listed in Paragraph EN-8.2.3, affecting one of their approved persons.

                      May 2011

                  • Capital Adequacy

                    • BR-2.2.13

                      In the event that a licensee fails to meet any of the requirements specified in Module CA (Capital Adequacy), it must, on becoming aware that it has breached the requirements, immediately notify the CBB in writing (ref. CA-1.1.5).

                      May 2011

                    • BR-2.2.14

                      As specified in Article 58 of the CBB Law, a licensee must notify the CBB immediately of any matter that may affect its financial position, currently or in the future, or limit its ability to meet its obligations.

                      May 2011

                  • Outsourcing Arrangements

                    • BR-2.2.15

                      Licensees must immediately inform their direct supervisory contact at the CBB of any material problems encountered with an outsourcing provider.

                      May 2011

                  • Controllers

                    • BR-2.2.16

                      If, as a result of circumstances outside the licensee's knowledge and/or control, one of the changes to their controllers specified in Paragraph GR-5.1.1 is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB as soon as it becomes aware of the fact and no later than 15 calendar days after the change occurs (ref. GR-5.1.4).

                      May 2011

                    • BR-2.2.17

                      As specified in Article 52 of the CBB Law, a licensee must notify the CBB of the following events:

                      (a) If effective control over a licensee takes place indirectly whether by way of inheritance or otherwise.
                      (b) Gaining control directly as a result of any action leading to it; or
                      (c) The intention to take any of the actions that would lead to control.
                      May 2011

                  • Other Notification Requirements

                    • BR-2.2.18

                      Licensees must comply with any notification requirements applicable to them as stipulated in CBB Rulebook Volume 7 (CIU).

                      Amended: October 2012
                      May 2011

                • BR-2.3 BR-2.3 Approval Requirements

                  • Change in Name

                    • BR-2.3.1

                      In accordance with Paragraph GR-2.1.1, a licensee must seek prior written approval from the CBB and give reasonable advance notice of a change in:

                      (a) The licensee's name (which is the registered name if the licensee is a body corporate); or
                      (b) The licensee's trade name.
                      May 2011

                    • BR-2.3.2

                      The request under Paragraph BR-2.3.1 must include the details of the proposed new name and the date on which the licensee intends to implement the change of name.

                      May 2011

                  • Change of Address

                    • BR-2.3.3

                      As specified in Article 51 of the CBB Law, a licensee must seek approval from the CBB and give reasonable advance notice of a change in the address of the licensee's principal place of business in Bahrain.

                      May 2011

                    • BR-2.3.4

                      The request under Paragraph BR-2.3.3 must include the details of the proposed new address and the date on which the licensee intends to implement the change of address.

                      May 2011

                    • BR-2.3.5

                      As specified in Article 51 of the CBB Law, a licensee must seek approval from the CBB for its intention to carry on its business from new premises in Bahrain. This requirement applies whether or not the premises are to be used for the purposes of transacting business with customers, administration of the business or as the head office in Bahrain of the licensee.

                      May 2011

                  • Change in Legal Status

                    • BR-2.3.6

                      A licensee must seek CBB approval and give reasonable advance notice of a change in its legal status that may, in any way, affect its relationship with or limit its liability to its customers.

                      May 2011

                  • Change in Authorised or Paid-up Capital

                    • BR-2.3.7

                      As specified in Article 57(3) of the CBB Law, a licensee must seek CBB approval before making any modification to its authorised or paid-up capital. In the case that a licensee has been granted approval to increase its paid-up capital, confirmation from the external auditor stating that the amount has been deposited in the licensee's bank account will subsequently be required.

                      May 2011

                  • Controllers and Close Links

                    • BR-2.3.8

                      In accordance with Section GR-5.1, licensees must seek CBB approval and give reasonable advance notice of any of the following events concerning the licensee:

                      (a) A person acquiring control or ceasing to have control;
                      (b) An existing controller acquiring an additional type of control (such as ownership or significant influence) or ceasing to have a type of control;
                      (c) An existing controller increasing the percentage of shares or voting power beyond 10%, 20% or 50%; and
                      (d) An existing controller becoming or ceasing to be a parent undertaking.
                      May 2011

                    • BR-2.3.9

                      Every licensee authorised in Bahrain is required to submit an annual report on its controllers, as per Paragraph GR-5.1.8, and close links as set out in Paragraph GR-6.1.3.

                      May 2011

                  • Carrying out Business in Another Jurisdiction

                    • BR-2.3.10

                      A licensee must seek CBB approval and give three months' notice of its intention to undertake fund administration activities in a jurisdiction other than Bahrain, prior to commencing that business and where the effect of commencing that business may have a significant impact on:

                      (a) The licensee's business in Bahrain; or
                      (b) The capital resources of the licensee.
                      Amended: January 2020
                      Added: May 2011

                  • Mergers, Acquisitions, Disposals and Establishment of New Subsidiaries

                    • BR-2.3.11

                      A licensee incorporated in Bahrain must seek CBB approval and give reasonable advance notice of its intention to enter into a:

                      (a) Merger with another undertaking; or
                      (b) Proposed acquisition, disposal or establishment of a new subsidiary undertaking.
                      Amended: January 2020
                      Added: May 2011

                    • BR-2.3.12

                      Licensees will also need to consider the implications of a merger, acquisition, disposal or establishment of a new subsidiary undertaking in the context of the controllers and close links rules set out in Module GR.

                      May 2011

                  • Share Option Schemes

                    • BR-2.3.13

                      A licensee must seek prior approval from the CBB for any share option schemes it proposes to offer to its employees.

                      May 2011

                  • Outsourcing Arrangements

                    • BR-2.3.14

                      [This Paragraph was deleted in January 2023].

                      Deleted: January 2023
                      May 2011

                  • Matters Having a Serious Supervisory Impact

                    • BR-2.3.15

                      A licensee must seek prior approval from the CBB for any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs after authorisation has been granted.

                      May 2011

                    • BR-2.3.16

                      Any licensee that wishes, intends or has been requested to do anything that might contravene, in its reasonable opinion, the provisions of UNSCR 1373 (and in particular Article 1, Paragraphs c) and d) of UNSCR 1373) must seek, in writing, the prior written opinion of the CBB on the matter (ref. FC-7.2.2).

                      May 2011

                    • BR-2.3.17

                      As specified in Article 57 of the CBB Law, a licensee wishing to modify its Memorandum or Articles of Association, must obtain prior written approval from the CBB.

                      May 2011

                    • BR-2.3.18

                      In accordance with Paragraph GR-4.1.1, a licensee must seek prior written approval from the CBB before transferring any of its business to a third party.

                      May 2011

                  • Dividends

                    • BR-2.3.19

                      Licensees, must obtain a letter of no-objection from the CBB to any dividend proposed, before submitting a proposal for a distribution of profits to a shareholder vote (ref. GR-3.1.1).

                      May 2011

                  • External Auditor

                    • BR-2.3.20

                      A licensee must seek prior approval from the CBB for the appointment or re-appointment of its external auditor (ref. AU-2.7.1 and AA-1.1.1).

                      May 2011

                  • Approved Persons

                    • BR-2.3.21

                      A licensee must seek prior approval from the CBB for the appointment of persons undertaking a controlled function in a licensee (ref. Article 65 of the CBB Law, AU-1.2 and AU-4.2.1).

                      May 2011

                    • BR-2.3.22

                      Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee (ref. AU-4.2.11).

                      May 2011

                    • BR-2.3.23

                      If a controlled function falls vacant, the licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. A licensee making immediate interim arrangements for the controlled function affected, must obtain approval from the CBB for such arrangement (ref. AU-4.3.5).

                      May 2011

              • BR-3 BR-3 Information Gathering by the CBB

                • BR-3.1 BR-3.1 Power to Request Information

                  • BR-3.1.1

                    Licensees must provide all information that the CBB may reasonably request in order to discharge its regulatory obligations.

                    May 2011

                  • BR-3.1.1A

                    Licensees must provide all relevant information and assistance to the CBB inspectors and appointed experts on demand as required by Articles 111 and 114 of the CBB Law. Failure by licensees to cooperate fully with the CBB's inspectors or appointed experts, or to respond to their examination reports within the time limits specified, will be treated as demonstrating a material lack of cooperation with the CBB which will result in other enforcement measures being considered, as described elsewhere in Module EN. This rule is supported by Article 114(a) of the CBB Law.

                    Added: April 2012

                  • BR-3.1.1B

                    Article 163 of the CBB Law provides for criminal sanctions where false or misleading statements are made to the CBB or any person/appointed expert appointed by the CBB to conduct an inspection or investigation on the business of the licensee or the listed licensee.

                    Added: April 2012

                  • Information Requested on Behalf of other Supervisors

                    • BR-3.1.2

                      The CBB may ask a licensee to provide it with information at the request of or on behalf of other supervisors to enable them to discharge their functions properly. Those supervisors may include overseas supervisors or government agencies in Bahrain. The CBB may also, without notifying a licensee, pass on to those supervisors or agencies information that it already has in its possession.

                      May 2011

                • BR-3.2 BR-3.2 Access to Premises

                  • BR-3.2.1

                    A licensee must permit representatives of the CBB, or persons appointed for the purpose by the CBB to have access, with or without notice, during reasonable business hours to any of its business premises in relation to the discharge of the CBB's functions under the relevant law.

                    May 2011

                  • BR-3.2.2

                    A licensee must take reasonable steps to ensure that each of its providers under material outsourcing arrangements deals in an open and cooperative way with the CBB in the discharge of its functions in relation to the licensee.

                    May 2011

                  • BR-3.2.3

                    The cooperation that licensees are expected to procure from such providers is similar to that expected of licensees themselves.

                    May 2011

                • BR-3.3 BR-3.3 Accuracy of Information

                  • BR-3.3.1

                    Licensees must take reasonable steps to ensure that all information they give to the CBB is:

                    (a) Factually accurate or, in the case of estimates and judgements, fairly and properly based after appropriate enquiries have been made by the licensee; and
                    (b) Complete, in that it should include everything which the CBB would reasonably and ordinarily expect to have.
                    Amended: April 2012
                    May 2011

                  • BR-3.3.2

                    If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way, it must notify the CBB immediately. The notification must include:

                    (a) Details of the information which is or may be false, misleading, incomplete or inaccurate, or has or may have changed;
                    (b) An explanation why such information was or may have been provided; and
                    (c) The correct information.
                    May 2011

                  • BR-3.3.3

                    If the information in Paragraph BR-3.3.2 cannot be submitted with the notification (because it is not immediately available), it must instead be submitted as soon as possible afterwards.

                    May 2011

                • BR-3.4 BR-3.4 Methods of Information Gathering

                  • BR-3.4.1

                    The CBB uses various methods of information gathering on its own initiative which require the cooperation of licensees:

                    (a) Representatives of the CBB may make onsite visits at the premises of the licensee. These visits may be made on a regular basis, or on a sample basis, for special purposes such as theme visits (looking at a particular issue across a range of licensees), or when the CBB has a particular reason for visiting a licensee;
                    (b) Appointees of the CBB may also make onsite visits at the premises of the licensee. Appointees of the CBB may include persons who are not CBB staff, but who have been appointed to undertake particular monitoring activities for the CBB, such as in the case of Appointed Experts (refer to Section BR-3.5).
                    (c) The CBB may request the licensee to attend meetings at the CBB's premises or elsewhere;
                    (d) The CBB may seek information or request documents by telephone, at meetings or in writing, including electronic communication; and
                    (e) The CBB may require licensees to submit various documents or notifications, as per Chapter BR-2, in the ordinary course of their business such as financial reports or on the happening of a particular event in relation to the licensee such as a change in control.
                    Amended: April 2012
                    May 2011

                  • BR-3.4.2

                    When seeking meetings with a licensee or access to the licensee's premises, the CBB or the CBB appointee needs to have access to a licensee's documents and personnel. Such requests will be made during reasonable business hours and with proper notice. There may be instances where the CBB may seek access to the licensee's premises without prior notice. While such visits are not common, the prospect of unannounced visits is intended to encourage licensees to comply at all times with the requirements and standards imposed by the CBB as per legislation and Volume 4 of the CBB Rulebook.

                    Amended: April 2012
                    May 2011

                  • BR-3.4.3

                    The CBB considers that a licensee should:

                    (a) Make itself readily available for meetings with representatives or appointees of the CBB;
                    (b) Give representatives or appointees of the CBB reasonable access to any records, files, tapes or computer systems, which are within the licensee's possession or control, and provide any facilities which the representatives or appointees may reasonably request;
                    (c) Produce to representatives or appointees of the CBB specified documents, files, tapes, computer data or other material in the licensee's possession or control as may be reasonably requested;
                    (d) Print information in the licensee's possession or control which is held on computer or otherwise convert it into a readily legible document or any other record which the CBB may reasonably request;
                    (e) Permit representatives or appointees of the CBB to copy documents of other material on the premises of the licensee at the licensee's expense and to remove copies and hold them elsewhere, or provide any copies, as may be reasonably requested; and
                    (f) Answer truthfully, fully and promptly all questions which representatives or appointees of the CBB reasonably put to it.
                    Amended: April 2012
                    May 2011

                  • BR-3.4.4

                    The CBB considers that a licensee should take reasonable steps to ensure that the following persons act in the manner set out in Paragraph BR-3.4.3:

                    (a) Its employees; and
                    (b) Any other members of its group and their employees.
                    Amended: April 2012
                    May 2011

                  • BR-3.4.5

                    In gathering information to fulfill its supervisory duties, the CBB acts in a professional manner and with due regard to maintaining confidential information obtained during the course of its information gathering activities.

                    May 2011

                • BR-3.5 BR-3.5 The Role of the Appointed Expert

                  • Introduction

                    • BR-3.5.1

                      The content of this Chapter is applicable to all licensees and appointed experts.

                      Added: April 2012

                    • BR-3.5.2

                      The purpose of the contents of this Chapter is to set out the roles and responsibilities of appointed experts when appointed pursuant to Article 114 or 121 of the CBB Law (see EN-2.1.1). These Articles empower the CBB to assign some of its officials or others to inspect or conduct investigations of licensees.

                      Added: April 2012

                    • BR-3.5.3

                      The CBB uses its own inspectors to undertake on-site examinations of licensees as an integral part of its regular supervisory efforts. In addition, the CBB may commission reports on matters relating to the business of licensees in order to help it assess their compliance with CBB requirements. Inspections may be carried out either by the CBB's own officials, by duly qualified appointed experts appointed for the purpose by the CBB, or a combination of the two.

                      Added: April 2012

                    • BR-3.5.4

                      The CBB will not, as a matter of general policy, publicise the appointment of an appointed expert, although it reserves the right to do so where this would help achieve its supervisory objectives. Both the appointed expert and the CBB are bound to confidentiality provisions restricting the disclosure of confidential information with regards to any such information obtained in the course of the investigation.

                      Added: April 2012

                    • BR-3.5.5

                      Unless the CBB otherwise permits, appointed experts should not be the same firm appointed as external auditor of the licensee.

                      Added: April 2012

                    • BR-3.5.6

                      Appointed experts will be appointed in writing, through an appointment letter, by the CBB. In each case, the CBB will decide on the range, scope and frequency of work to be carried out by appointed experts.

                      Added: April 2012

                    • BR-3.5.7

                      All proposals to appoint appointed experts require approval by an Executive Director or more senior official of the CBB. The appointment will be made in writing, and made directly with the appointed experts concerned. A separate letter is sent to the licensee, notifying them of the appointment. At the CBB's discretion, a trilateral meeting may be held at any point, involving the CBB and representatives of the licensee and the appointed experts, to discuss any aspect of the investigation.

                      Added: April 2012

                    • BR-3.5.8

                      Following the completion of the investigation, the CBB will normally provide feedback on the findings of the investigation to the licensee.

                      Added: April 2012

                    • BR-3.5.9

                      Appointed experts will report directly to and be responsible to the CBB in this context and will specify in their report any limitations placed on them in completing their work (for example due to the licensee's group structure). The report produced by the appointed experts is the property of the CBB (but is usually shared by the CBB with the firm concerned).

                      Added: April 2012

                    • BR-3.5.10

                      Compliance by appointed experts with the contents of this Chapter will not, of itself, constitute a breach of any other duty owed by them to a particular licensee (i.e. create a conflict of interest).

                      Added: April 2012

                    • BR-3.5.11

                      The CBB may appoint one or more of its officials to work on the appointed experts' team for a particular licensee.

                      Added: April 2012

                  • The Required Report

                    • BR-3.5.12

                      The scope of the required report will be determined and detailed by the CBB in the appointment letter. Commissioned appointed experts would normally be required to report on one or more of the following aspects of a licensee's business:

                      (a) Accounting and other records;
                      (b) Internal control systems;
                      (c) Returns of information provided to the CBB;
                      (d) Operations of certain departments; and/or
                      (e) Other matters specified by the CBB.
                      Added: April 2012

                    • BR-3.5.13

                      Appointed experts will be required to form an opinion on whether, during the period examined, the licensee is in compliance with the relevant provisions of the CBB Law and the CBB's relevant requirements, as well as other requirements of Bahrain Law and, where relevant, industry best practice locally and/or internationally.

                      Added: April 2012

                    • BR-3.5.14

                      The appointed experts report should follow the format set out in Appendix BR-10, in part B of the CBB Rulebook.

                      Amended: July 2013
                      Added: April 2012

                    • BR-3.5.15

                      Unless otherwise directed by the CBB or unless the circumstances described in Section BR-3.5.19 apply, the report must be discussed with the Board of directors and/or senior management in advance of it being sent to the CBB.

                      Added: April 2012

                    • BR-3.5.16

                      Where the report is qualified by exception, the report must clearly set out the risks which the licensee runs by not correcting the weakness, with an indication of the severity of the weakness should it not be corrected. Appointed experts will be expected to report on the type, nature and extent of any weaknesses found during their work, as well as the implications of a failure to address and resolve such weaknesses.

                      Added: April 2012

                    • BR-3.5.17

                      If the appointed experts conclude, after discussing the matter with the licensee, that they will give a negative opinion (as opposed to one qualified by exception) or that the issue of the report will be delayed, they must immediately inform the CBB in writing giving an explanation in this regard.

                      Added: April 2012

                    • BR-3.5.18

                      The report must be completed, dated and submitted, together with any comments by directors or management (including any proposed timeframe within which the licensee has committed to resolving any issues highlighted by the report), to the CBB within the timeframe applicable.

                      Added: April 2012

                  • Other Notifications to the CBB

                    • BR-3.5.19

                      Appointed experts must communicate to the CBB, during the conduct of their duties, any reasonable belief or concern they may have that any of the requirements of the CBB, including the criteria for licensing a licensee (see Module AU), are not or have not been fulfilled, or that there has been a material loss or there exists a significant risk of material loss in the concerned licensee, or that the interests of customers are at risk because of adverse changes in the financial position or in the management or other resources of a licensee. Notwithstanding the above, it is primarily the licensee's responsibility to report such matters to the CBB.

                      Added: April 2012

                    • BR-3.5.20

                      The CBB recognises that appointed experts cannot be expected to be aware of all circumstances which, had they known of them, would have led them to make a communication to the CBB as outlined above. It is only when appointed experts, in carrying out their duties, become aware of such a circumstance that they should make detailed inquiries with the above specific duty in mind.

                      Added: April 2012

                    • BR-3.5.21

                      If appointed experts decide to communicate directly with the CBB in the circumstances set out in Paragraph BR-3.5.19, they may wish to consider whether the matter should be reported at an appropriate senior level in the licensee at the same time and whether an appropriate senior representative of the licensee should be invited to attend the meeting with the CBB.

                      Added: April 2012

                  • Permitted Disclosure by the CBB

                    • BR-3.5.22

                      Information which is confidential and has been obtained under, or for the purposes of, this chapter or the CBB Law may only be disclosed by the CBB in the circumstances permitted under the Law. This will allow the CBB to disclose information to appointed experts to fulfil their duties. It should be noted, however, that appointed experts must keep this information confidential and not divulge it to a third party except with the CBB's permission and/or unless required by Bahrain Law.

                      Added: April 2012

                  • Trilateral Meeting

                    • BR-3.5.23

                      The CBB may, at its discretion, call for a trilateral meeting(s) to be held between the CBB and representatives of the relevant licensee and the appointed experts. This meeting will provide an opportunity to discuss the appointed experts' examination of, and report on, the licensee.

                      Added: April 2012

      • Type 5: Trust Service Providers

      • Type 6: Type 6: Microfinance Institutions

        • Part A

          • High Level Standards

            • AU AU Microfinance Institutions Authorisation Module

              • AU-A AU-A Introduction

                • AU-A.1 AU-A.1 Purpose

                  • Executive Summary

                    • AU-A.1.1

                      The executive summary only provides an overview. For detailed rules, reference must be made to the individual rules outlined in the remainder of this Module.

                      January 2014

                    • AU-A.1.2

                      The Authorisation Module sets out the Central Bank of Bahrain's ('CBB's) approach to licensing providers of regulated microfinance services in the Kingdom of Bahrain. It also sets out CBB requirements for approving persons undertaking key functions in those providers.

                      January 2014

                    • AU-A.1.3

                      Persons undertaking certain functions in relation to licensees require prior CBB approval. These functions (called 'controlled functions') include members of the Board of directors and members of senior management. The controlled functions regime supplements the licensing regime by ensuring that key persons involved in the running of licensees are fit and proper. Those authorised by the CBB to undertake controlled functions are called approved persons.

                      January 2014

                  • Retaining Authorised Status

                    • AU-A.1.4

                      The requirements set out in Chapters AU-2 and AU-3 represent the minimum conditions that have to be met in each case, both at the point of authorisation and on an on-going basis thereafter, in order for authorised status to be retained.

                      January 2014

                  • Legal Basis

                    • AU-A.1.5

                      This Module contains the CBB's Directive, Resolution and Regulations (as amended from time to time) regarding authorisation under Volume 5 of the CBB Rulebook. It is applicable to all microfinance institutions licensees (as well as to approved persons), and is issued under the powers available to the CBB under Articles 37 to 42, 44 to 48 and 180 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). It also includes the requirements contained in Resolution No (1) of 2007 (as amended from time to time) with respect to determining fees categories due for licenses and services provided by the CBB. It contains requirements under Regulation No (1) of 2007 pertaining to the CBB's regulated services issued under Article 39 of the CBB Law and governing the conditions of granting a license for the provision of regulated services as prescribed under Resolution No (43) of 2011 and is issued under the powers available to the CBB under Article 44(c). The Module contains requirements under Resolution No.(16) for the year 2012 including the prohibition of marketing financial services pursuant to Article 42 of the CBB Law. This Module contains the prior approval requirements for approved persons under Resolution No (23) of 2015.

                      Amended: July 2015
                      January 2014

                    • AU-A.1.6

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      January 2014

                    • AU-A.1.7

                      Persons wishing to undertake regulated microfinance services are required to be licensed by the CBB as a microfinance institution licensee.

                      January 2014

                  • Licensing Conditions

                    • AU-A.1.8

                      Microfinance institution licensees are subject to 8 licensing conditions, mostly specified at a high-level in Module AU, and further expanded in underlying subject Modules. These licensing conditions are broadly equivalent to the standards applied in other Volumes of the CBB Rulebook, to other license categories, and are consistent with international good practice.

                      January 2014

                  • Information Requirements and Processes

                    • AU-A.1.9

                      Chapter AU-3 specifies the processes and information requirements that have to be followed for applicants seeking a microfinance institution license. It also covers the voluntary surrender of a license, or its cancellation by the CBB.

                      January 2014

                • AU-A.2 AU-A.2 Module History

                  • Evolution of Module

                    • AU-A.2.1

                      This Module was first issued in January 2014. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made. Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      January 2014

                    • AU-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      AU-1.1.3 04/2014 Corrected cross reference.
                      AU-5.2.1 04/2014 Corrected due date of CBB annual license fees.
                      AU-1.3.1 10/2014 Corrected cross reference.
                      AU-A.1.5 07/2015 Legal basis updated to reflect Resolution No (23) of 2015.
                      AU-4.2 07/2015 Amended to be in line with Resolution No (23) of 2015 on Prior Approval Requirements for Approved Persons.
                      AU-1.4 01/2016 Clarified general requirements for approved persons.
                      AU-3 01/2016 Amended to be in line with Resolution No (23) of 2015 on Prior Approval Requirements for Approved Persons.
                      AU-4.2 01/2016 Minor amendments to be aligned with other Volumes of the Rulebook.
                      AU-4.4 07/2017 Added new Section on Publication of the Decision to Grant, Cancel or Amend a License.
                      AU-4.1.1 04/2018 Amended Paragraph.
                      AU-4.2.2 04/2018 Amended Paragraph.
                      AU-1.2.2 04/2019 Amended conventional microfinance limit per eligible beneficiary.
                      AU-1.2.3 04/2019 Amended Shari'a compliant microfinance contracts limit per eligible beneficiary.
                      AU-2.5.2 04/2019 Amended minimum required capital.
                      AU-4.1.1 07/2019 Amended Paragraph to remove references to hardcopy Form 1 submission to online submission.
                      AU-4.4.1 10/2019 Changed from Rule to Guidance.
                      AU-1.2.1A 10/2020 Added a new Paragraph on compliance with AAOIFI Shari’a Standards.
                      AU-4.2.10A 01/2021 Added a new Paragraph on compliance of approved persons with the fit and proper requirement.

                  • Superseded Requirements

                    • AU-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                      Document Ref. Document Subject
                      Volumes 1 and 2 Module LR
                         
                      January 2014

              • AU-B AU-B Scope of Application

                • AU-B.1 AU-B.1 Scope of Application

                  • AU-B.1.1

                    The content of this Module applies to all microfinance institution licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

                    January 2014

                  • AU-B.1.2

                    Two types of authorisation are prescribed:

                    (a) Any person seeking to provide regulated microfinance services within or from the Kingdom of Bahrain must hold the appropriate CBB license (see Section AU-1.1); and
                    (b) Natural persons wishing to perform a controlled function in a licensee also require prior CBB's approval, as an approved person (see AU-1.2).
                    January 2014

                  • AU-B.1.3

                    The authorisation requirements in Chapter AU-1 have general applicability, in that they prevent any person from providing (or seeking to provide) regulated microfinance services within or from the Kingdom of Bahrain, unless they have been licensed as a microfinance institution (conventional or Islamic) by the CBB or marketing any financial services unless specifically allowed to do so by the CBB (see Rule AU-1.1.1).

                    January 2014

                  • AU-B.1.4

                    The remaining requirements in Chapters AU-1 to AU-3 (besides those mentioned in Section AU-B.1) apply to all those licensed by the CBB as a microfinance institution licensee, or which are in the process of seeking such a license. They apply regardless of whether the person concerned is incorporated in the Kingdom of Bahrain, or in an overseas jurisdiction, unless otherwise specified.

                    January 2014

                  • AU-B.1.5

                    Chapter AU-2 applies to licensees (not just applicants), since licensing conditions have to be met on a continuous basis by licensees. Similarly, Chapter AU-3 applies to approved persons on a continuous basis; it also applies to licensees seeking an approved person authorisation. Chapter AU-4 contains requirements applicable to licensees, with respect to the starting up of their operations, as well as to licensees and approved persons, with respect to the amendment or cancellation of their authorised status. Finally, Section AU-5.2 imposes annual fees on licensees.

                    January 2014

              • AU-1 AU-1 Authorisation Requirements

                • AU-1.1 AU-1.1 Microfinance Institutions Licensees

                  • General Prohibitions

                    • AU-1.1.1

                      No person may:

                      (a) Undertake (or hold themselves out to undertake) microfinance services, by way of business within or from the Kingdom of Bahrain unless duly licensed by the CBB;
                      (b) Hold themselves out to be licensed by the CBB unless they have as a matter of fact been so licensed: or
                      (c) Market any financial services in the Kingdom of Bahrain unless:
                      (i) Allowed to do by the terms of a license issued by the CBB;
                      (ii) The activities come within the terms of an exemption granted by the CBB by way of a Directive; or
                      (iii) Has obtained the express written permission of the CBB to offer financial services.
                      January 2014

                    • AU-1.1.2

                      In accordance with Resolution No.(16) for the year 2012 and for the purpose of Subparagraph AU-1.1.1(c), the word 'market' refers to any promotion, offering, announcement, advertising, broadcast or any other means of communication made for the purpose of inducing recipients to purchase or otherwise acquire financial services in return for monetary payment or some other form of valuable consideration.

                      January 2014

                    • AU-1.1.3

                      Persons in breach of Subparagraph AU-1.1.1(c) are considered in breach of Resolution No.(16) for the year 2012 and are subject to penalties under Articles 129 and 161 of the CBB Law (see also Section EN-10.3).

                      Amended: April 2014
                      January 2014

                    • AU-1.1.4

                      Licensees are prohibited from taking deposits.

                      January 2014

                    • AU-1.1.5

                      Only persons licensed to undertake regulated microfinance services can use the term 'microfinance' in their corporate or trading names, or otherwise hold themselves out to be a microfinance institution. Licensees are not allowed to transact with non-residents of the Kingdom of Bahrain, and in foreign currencies. To qualify as a microfinance institution, the person concerned must undertake (as a minimum), the activities of providing credit to eligible beneficiaries.

                      January 2014

                    • AU-1.1.6

                      Licensees are obliged to include the word 'microfinance' in their corporate or trading names and are required to make clear their regulatory status in their letter heads, customer communications, website and other communication as required under Section GR-2.2.

                      January 2014

                    • AU-1.1.7

                      For the purposes of Rule AU-1.1.5, persons will be considered in breach of this requirement if they attempt to operate as, or incorporate a microfinance institution in Bahrain with or without a name containing the word "microfinance" (or the equivalent in any language), without holding the appropriate CBB license or obtaining the prior approval of the CBB.

                      January 2014

                  • Licensing

                    • AU-1.1.8

                      Persons wishing to be licensed to undertake regulated microfinance services within or from the Kingdom of Bahrain must apply in writing to the CBB. An application for a license must be in the form prescribed by the CBB as indicated in Chapter AU-4.

                      January 2014

                    • AU-1.1.9

                      The CBB will review the application and duly advise the applicant in writing when it has:

                      (a) Granted the application without conditions;
                      (b) Granted the application subject to conditions specified by the CBB; or
                      (c) Refused the application, stating the grounds on which the application has been refused and the process for appealing against that decision
                      January 2014

                    • AU-1.1.10

                      Detailed rules and guidance regarding information requirements and processes for license applications can be found in Section AU-4.1. As specified in Paragraph AU-4.1.14, the CBB will provide a formal decision on license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB.

                      January 2014

                    • AU-1.1.11

                      All applicants for microfinance institution licenses must satisfy the CBB that they meet, by the date of their license, the minimum conditions for licensing, as specified in Chapter AU-2. Once licensed, licensees must maintain these criteria on an on-going basis.

                      January 2014

                    • AU-1.1.12

                      Licensees must not carry on any other business in the Kingdom of Bahrain or elsewhere other than microfinance business and activities directly arising from or incidental to that business.

                      January 2014

                    • AU-1.1.13

                      Rule AU-1.1.12 is intended to restrict licensees from undertaking any material non-financial business activities. The Rule does not prevent a licensee undertaking commercial activities if these directly arise from their financial business: for instance, in the context of Islamic contracts, such as murabaha, ijara and musharaka, where the company may hold the physical assets being financed or leased. Nor does it restrict a licensee from undertaking commercial activities if, in the judgment of the CBB, they are incidental and do not detract from the financial nature of the licensees.

                      January 2014

                • AU-1.2 AU-1.2 Definition of Regulated Microfinance Services

                  • AU-1.2.1

                    Regulated microfinance services are any of the following activities, carried on by way of business:

                    (a) Providing conventional or Shari'a compliant microfinance to eligible beneficiaries; and
                    (b) Providing consultancy and information services to its eligible beneficiaries and prospective eligible beneficiaries.
                    January 2014

                  • AU-1.2.1A

                    Where licensees are undertaking regulated activities in accordance with Shari'a, all transactions and contracts concluded by regulated microfinance services must comply with Sharia standards issued by the Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI). The validity of the contract or transaction is not impacted, if at a later date, the relevant AAOIFI Sharia standards are amended.

                    Added: October 2020

                  • Providing Conventional Microfinance

                    • AU-1.2.2

                      Providing conventional microfinance to an eligible beneficiary is defined as the provision of credit to a person in his capacity as borrower or potential borrower. The maximum amount provided under the microfinance shall not exceed BD 7,000 in aggregate per eligible beneficiary. The repayment period must not exceed 3 years.

                      Amended: April 2019
                      January 2014

                  • Offering Shari'a Compliant Microfinance Contracts

                    • AU-1.2.3

                      Offering Shari'a compliant microfinance contracts is defined as entering into, or making arrangement for an eligible beneficiary to enter into, a contract to provide finance in accordance with Shari'a principles. The maximum amount provided under the microfinance contracts shall not exceed BD 7,000 in aggregate per eligible beneficiary. The repayment period must not exceed 3 years.

                      Amended: April 2019
                      January 2014

                    • AU-1.2.4

                      For the purpose of this Section, eligible beneficiary(ies) means: Low income individuals and small businesses, who are not eligible to secure financing facilities through the banking system that intend to get a credit facility to engage in small economic activities (examples: small farmers, fishermen, related activities etc.).

                      January 2014

                    • AU-1.2.5

                      For the purposes of Rule AU-1.2.1, carrying on a regulated microfinance service by way of business means:

                      (a) Undertaking the regulated microfinance service of (a) and (b), as defined in Section AU-1.2, for commercial gain;
                      (b) Holding oneself out as willing and able to engage in such activities; or
                      (c) Regularly soliciting other persons to engage in transactions constituting such activities.
                      January 2014

                  • General Exclusions

                    • AU-1.2.6

                      A person does not carry on an activity constituting a regulated microfinance service if the activity:

                      (a) Is carried on in the course of a business which does not ordinarily constitute the carrying on of microfinance services;
                      (b) May reasonably be regarded as a necessary part of any other services provided in the course of that business;
                      (c) Is not remunerated separately from the other services; and
                      (d) Is carried out by a government entity in Bahrain authorised to provide such activity by Royal Decree or relevant legislation or a non-government organisation (NGO) registered with the Ministry of Social Development for that purpose.
                      January 2014

                • AU-1.3 AU-1.3 Shari'a Compliant Transactions Offered by Conventional Licensees

                  • General Requirements for all Conventional Microfinance Institutions

                    • AU-1.3.1

                      Conventional licensees may not hold themselves out as an Islamic microfinance institution. Conventional licensees are allowed to enter into activities listed in Rule AU-1.2.1 under the conditions outlined in the remainder of this section.

                      Amended: October 2014
                      January 2014

                    • AU-1.3.2

                      When offering any of the Shari'a compliant activities listed in Rule AU-1.2.1, conventional licensees must have staff trained in Shari'a compliant financing business. The licensee must also disclose in the notes to its Annual Report/Financial Statements all quantitative and qualitative disclosures on its Shari'a compliant business as required by AAOIFI accounting and auditing standards.

                      January 2014

                  • Additional Requirements

                    • AU-1.3.3

                      Conventional licensees may provide Shari'a compliant activities listed in Rule AU-1.2.1, subject to the limits under Paragraph AU-1.2.3 in Bahraini dinars to Bahraini resident individuals subject to the following conditions:

                      (a) Shari'a compliant financing transactions to be undertaken through a special counter or branch as deemed necessary by the licensee;
                      (b) The licensee must maintain separate books for Shari'a compliant financing activities to ensure no co-mingling of conventional and Islamic funds;
                      (c) The licensee must have a Shari'a Compliant Reviewer;
                      (d) The licensee must appoint a minimum of one Shari'a Scholar who has authority for all Shari'a compliant business; and
                      (e) The total Islamic assets of the conventional licensee must not exceed 20% of the total assets of the licensee.
                      January 2014

                • AU-1.4 AU-1.4 Approved Persons

                  • General Requirement

                    • AU-1.4.1

                      Licensees must obtain the CBB's prior written approval for any person wishing to undertake a controlled function at a licensee. The approval from the CBB must be obtained prior to their appointment.

                      Amended: January 2016
                      January 2014

                    • AU-1.4.2

                      Controlled functions are those functions occupied by board members and persons in executive positions and include:

                      (a) Director;
                      (b) Chief executive or general manager and their deputies;
                      (c) Head of function; and
                      (d) Compliance officer/Money Laundering Reporting Officer (MLRO).
                      Amended: January 2016
                      January 2014

                    • AU-1.4.3

                      Combination of the above controlled functions is subject to the requirements contained in Modules HC and RM.

                      January 2014

                  • Basis for Approval

                    • AU-1.4.4

                      Approval under Paragraph AU-1.4.1 is only granted by the CBB, if it is satisfied that the person is fit and proper to hold the particular position in the licensee concerned. 'Fit and proper' is determined by the CBB on a case-by-case basis. The definition of 'fit and proper' and associated guidance is provided in Sections AU-3.1 and AU-3.2 respectively.

                      January 2014

                    • AU-1.4.5

                      The chief executive or general manager means a person who is responsible for the conduct of the licensee (regardless of actual title). The chief executive or general manager must be resident in Bahrain. This person is responsible for the conduct of the whole of the firm.

                      January 2014

                    • AU-1.4.6

                      Head of function means a person who, under the immediate authority of a director or the chief executive or general manager exercises major managerial responsibilities, is responsible for a significant business or operating unit, or has senior managerial responsibility for maintaining accounts or other records of the licensee.

                      January 2014

                    • AU-1.4.7

                      Whether a person is a head of function will depend on the facts in each case and is not determined by the presence or absence of the word in their job title. Examples of head of function might include, depending on the scale, nature and complexity of the business, a deputy chief executive; heads of departments such as Risk Management, Compliance or Internal Audit; or the Chief Financial Officer.

                      January 2014

                    • AU-1.4.8

                      Where a licensee is in doubt as to whether a function should be considered a controlled function it must discuss the case with the CBB.

                      January 2014

              • AU-2 AU-2 Licensing Conditions

                • AU-2.1 AU-2.1 Condition 1: Legal Status

                  • AU-2.1.1

                    The legal status of a licensee must be a Bahraini joint stock company (BSC).

                    January 2014

                • AU-2.2 AU-2.2 Condition 2: Mind and Management

                  • AU-2.2.1

                    Licensees with their Registered Office in the Kingdom of Bahrain must maintain their Head Office in the Kingdom.

                    January 2014

                  • AU-2.2.2

                    In assessing the location of a licensee's Head Office, the CBB will take into account the residency of its Directors and senior management. The CBB requires the majority of key decision makers in executive management — including the Chief Executive Officer — to be resident in Bahrain.

                    January 2014

                • AU-2.3 AU-2.3 Condition 3: Controllers

                  • AU-2.3.1

                    Licensees must satisfy the CBB that their controllers are suitable and pose no undue risks to the licensee. Licensees must also satisfy the CBB that their close links does not prevent the effective supervision of the licensee by the CBB and otherwise pose no undue risks to the licensee.

                    January 2014

                  • AU-2.3.2

                    Chapter GR-4 contains the CBB's requirements and definitions regarding controllers.

                    January 2014

                  • AU-2.3.3

                    In summary, controllers are persons who directly or indirectly are significant shareholders in a licensee, or who are otherwise able to exert significant influence on the licensee. The CBB seeks to ensure that controllers pose no significant risks to the licensee. In general terms, controllers are assessed in terms of their financial standing, their judicial and regulatory record, and standards of business and (where relevant) personal probity.

                    January 2014

                  • AU-2.3.4

                    As regards group structures, the CBB seeks to ensure that these do not prevent adequate consolidated supervision being applied to financial entities within the group, and that other group entities do not pose any material financial, reputational or other risks to the licensee.

                    January 2014

                  • AU-2.3.5

                    In all cases, when judging applications from existing groups, the CBB will have regard to the reputation and financial standing of the group as a whole. Where relevant, the CBB will also take into account the extent and quality of supervision applied to overseas members of the group and take into account any information provided by other supervisors in relation to any member of the group.

                    January 2014

                • AU-2.4 AU-2.4 Condition 4: Board and Employees

                  • AU-2.4.1

                    Those nominated to carry out controlled functions must satisfy the CBB's approved persons requirements. This Rule is supported by Article 65 of the CBB Law.

                    January 2014

                  • AU-2.4.2

                    The definition of controlled functions is contained in Paragraph AU-1.4.2, whilst Chapter AU-3 sets out CBB's approved persons requirements.

                    January 2014

                  • AU-2.4.3

                    The licensee's staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of the licensee in a sound and prudent manner. Licensees must ensure their employees meet any training and competency requirements specified by the CBB.

                    January 2014

                • AU-2.5 AU-2.5 Condition 5: Financial Resources

                  • Capital Funds

                    • AU-2.5.1

                      Licensees must maintain a level of financial resources, as agreed with the CBB, adequate for the level of business proposed.

                      January 2014

                    • AU-2.5.2

                      Licensees must maintain a minimum level of paid-up capital of BD 2 million which has been provided by the shareholders/promoters and/or grants and donations received by the microfinance institution. A greater amount of capital may be required by the CBB on a case-by-case basis.

                      Amended: April 2019
                      January 2014

                  • Other Sources of Funds

                    • AU-2.5.3

                      Licensees may obtain funds through borrowings, issuance of fixed-income securities and grants and donations received on an on-going basis.

                      January 2014

                  • Liquidity

                    • AU-2.5.4

                      Licensees must maintain sufficient liquid assets to meet their obligations as they fall due in the normal course of their business, as required under Section CA-1.2. Licensees must agree a liquidity management policy with the CBB.

                      January 2014

                • AU-2.6 AU-2.6 Condition 6: Systems and Controls

                  • AU-2.6.1

                    Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate for the scale and complexity of their activities. These systems and controls must meet the minimum requirements contained in Modules HC and RM.

                    January 2014

                  • AU-2.6.2

                    Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate to address the risks of financial crime occurring in the licensee. These systems and controls must meet the minimum requirements contained in Module FC, as specified for the license held.

                    January 2014

                • AU-2.7 AU-2.7 Condition 7: External Auditors

                  • AU-2.7.1

                    Article 61 of the CBB Law requires that licensees appoint an external auditor, subject to the CBB's prior approval. The minimum requirements regarding auditors contained in Module AA (Auditors and Accounting Standards) must be met.

                    January 2014

                • AU-2.8 AU-2.8 Condition 8: Other Requirements

                  • Books and Records

                    • AU-2.8.1

                      Article 59 of the CBB Law requires that licensees to maintain comprehensive books of accounts and other records, and satisfy the minimum record-keeping requirements contained in Article 60 of the pre-mentioned Law and Module RM. Books of accounts must comply with IFRS and AAOIFI, where applicable.

                      January 2014

                  • Provision of Information

                    • AU-2.8.2

                      Articles 58, 111, 114 and 163 of the CBB Law require that licensees and their staff act in an open and cooperative manner with the CBB. Licensees must meet the regulatory reporting and public disclosure requirements contained in Modules BR and PD respectively. As per Article 62 of the CBB Law, audited financial statements must be submitted to the CBB within 3 months of the licensee's financial year-end.

                      January 2014

                  • General Conduct

                    • AU-2.8.3

                      Licensees must conduct their activities in a professional and orderly manner, in keeping with good market practice. Licensees must comply with the general standards of business conduct contained in Module PB, as well as the standards relating to treatment of customers contained in Modules BC and RM.

                      January 2014

                  • Additional Conditions

                    • AU-2.8.4

                      Licensees must comply with any other specific requirements or restrictions imposed by the CBB on the scope of their license.

                      January 2014

                    • AU-2.8.5

                      Islamic licensees must appoint a minimum of one Shari'a scholar (see Paragraph HC-9.2.1).

                      January 2014

                    • AU-2.8.6

                      Licensees are subject to the provisions of the CBB Law. These include the right of the CBB to impose such terms and conditions, as it may deem necessary when issuing a license, as specified in Article 45 of the CBB Law.

                      January 2014

                    • AU-2.8.7

                      In addition, the CBB may impose additional restrictions or requirements, beyond those already specified in Volume 5, to address specific risks. For instance, a license may be granted subject to strict limitations on intra-group transactions.

                      January 2014

              • AU-3 AU-3 Approved Persons Conditions

                • AU-3.1 AU-3.1 Approved Persons Conditions

                  • AU-3.1.1

                    Licensees seeking an approved person authorisation for an individual, must satisfy the CBB that the individual concerned is 'fit and proper' to undertake the controlled function in question.

                    January 2014

                  • AU-3.1.2

                    The authorisation requirements for persons nominated to carry out controlled functions is contained in Section AU-1.4. The authorisation process is described in Section AU-4.3.

                    January 2014

                  • AU-3.1.3

                    Each applicant applying for approved person status and those individuals occupying approved person positions must comply with the following conditions:

                    (a) Has not previously been convicted of any felony or crime that relates to his/her honesty and/or integrity unless he/she has subsequently been restored to good standing;
                    (b) Has not been the subject of any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud;
                    (c) Has not been adjudged bankrupt by a court unless a period of 10 years has passed, during which the person has been able to meet all his/her obligations and has achieved economic accomplishments;
                    (d) Has not been disqualified by a court, regulator or other competent body, as a director or as a manager of a corporation;
                    (e) Has not failed to satisfy a judgement debt under a court order resulting from a business relationship;
                    (f) Must have personal integrity, good conduct and reputation;
                    (g) Has appropriate professional and other qualifications for the controlled function in question; and
                    (h) Has sufficient experience to perform the duties of the controlled function.
                    Amended: January 2016
                    January 2014

                  • AU-3.1.4

                    In assessing the conditions prescribed in Rule AU-3.1.3, the CBB will take into account the criteria contained in Paragraph AU-3.1.5. The CBB reviews each application on a case-by-case basis, taking into account all relevant circumstances. A person may be considered 'fit and proper' to undertake one type of controlled function but not another, depending on the function's job size and required levels of experience and expertise. Similarly, a person approved to undertake a controlled function in one licensee may not be considered to have sufficient expertise and experience to undertake nominally the same controlled function but in a much bigger licensee.

                    Amended: January 2016
                    January 2014

                  • AU-3.1.5

                    In assessing a person's fitness and propriety, the CBB will also consider previous professional and personal conduct (in Bahrain or elsewhere) including, but not limited to, the following:

                    (a) The propriety of a person's conduct, whether or not such conduct resulted in a criminal offence being committed, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
                    (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
                    (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
                    (d) Whether the person, or any body corporate, partnership or unincorporated institution to which the applicant has, or has been associated with as a director, controller, manager or company secretary been the subject of any disciplinary proceeding, investigation or fines by any government authority, regulatory agency or professional body or association;
                    (e) The contravention of any financial services legislation;
                    (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
                    (g) Dismissal or a request to resign from any office or employment;
                    (h) Whether the person has been a Director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners have been declared bankrupt whilst the person was connected with that partnership;
                    (i) The extent to which the person has been truthful and open with supervisors; and
                    (j) Whether the person has ever entered into any arrangement with creditors in relation to the inability to pay due debts.
                    Added: January 2016

                  • AU-3.1.6

                    With respect to Paragraph AU-3.1.5, the CBB will take into account the length of time since any such event occurred, as well as the seriousness of the matter in question.

                    Added: January 2016

                  • AU-3.1.7

                    Approved persons undertaking a controlled function must act prudently, and with honesty, integrity, care, skill and due diligence in the performance of their duties. They must avoid conflicts of interest arising whilst undertaking a controlled function.

                    Amended: January 2016
                    January 2014

                  • AU-3.1.8

                    In determining where there may be a conflict of interest arising, factors that may be considered will include whether:

                    (a) A person has breached any fiduciary obligations to the company or terms of employment;
                    (b) A person has undertaken actions that would be difficult to defend, when looked at objectively, as being in the interest of the licensee; and
                    (c) A person has failed to declare a personal interest that has a material impact in terms of the person's relationship with the licensee.
                    Amended: January 2016
                    January 2014

                  • AU-3.1.9

                    Further guidance on the process for assessing a person's 'fit and proper' status is given in Module EN (Enforcement): see Chapter EN-8.

                    Added: January 2016

                • AU-3.2 AU-3.2 [This Section was deleted in January 2016]

                  Deleted: January 2016

                  • AU-3.2.1

                    [This Paragraph was deleted in January 2016.]

                    Deleted: January 2016
                    January 2014

                  • AU-3.2.2

                    [This Paragraph was deleted in January 2016.]

                    Deleted: January 2016
                    January 2014

                  • AU-3.2.3

                    [This Paragraph was moved to Paragraph AU-3.1.9 in January 2016.]

                    Amended: January 2016
                    January 2014

              • AU-4 AU-4 Information Requirements and Processes

                • AU-4.1 AU-4.1 Licensing

                  • Application Form and Documents

                    • AU-4.1.1

                      Applicants for a license must fill in the Application Form 1 (Application for a License) online, available on the CBB website under E-services/online Forms. The applicant must upload scanned copies of supporting documents listed in Paragraph AU-4.1.4, unless otherwise directed by the CBB.

                      Amended: July 2019
                      Amended: April 2018
                      January 2014

                    • AU-4.1.2

                      Articles 44 to 47 of the CBB Law govern the licensing process. This prescribes a single stage process, with the CBB required to take a decision within 60 calendar days of an application being deemed complete (i.e. containing all required information and documents). See below, for further details on the licensing process and timelines.

                      January 2014

                    • AU-4.1.3

                      References to applicant mean the proposed licensee seeking authorisation. An applicant may appoint a representative — such as a law firm or professional consultancy — to prepare and submit the application. However, the applicant retains full responsibility for the accuracy and completeness of the application, and is required to certify the application form accordingly. The CBB also expects to be able to liaise directly with the applicant during the authorisation process, when seeking clarification of any issues.

                      January 2014

                    • AU-4.1.4

                      Unless otherwise directed by the CBB, the following documents must be provided together with the covering letter referred in Paragraph AU-4.1.1 in support of a license application:

                      (a) A duly completed Form 2 (Application for Authorisation of Controller) for each controller of the proposed licensee;
                      (b) A duly completed Form 3 (Application for Approved Person status), for each individual applying to undertake controlled functions of the proposed licensee;
                      (c) A comprehensive business plan for the application, addressing the matters described in AU-4.1.6;
                      (d) Where the applicant is an existing institution, a copy of the applicant's commercial registration;
                      (e) Where the applicant is a corporate body, a certified copy of a Board resolution of the applicant along with minutes of the concerned meeting, confirming the board's decision to seek a CBB microfinance institution license;
                      (f) Details of the proposed licensee's close links, if any, as defined under Chapter GR-5;
                      (g) In the case of applicants that are part of a regulated group, a letter of non-objection to the proposed license application from the applicant's home supervisor, together with confirmation that the group is in good regulatory standing and is in compliance with applicable supervisory requirements, including those relating to capital adequacy requirements;
                      (h) Copies of the audited financial statements of the applicant's major shareholder and/or group (as directed by the CBB), for the three years immediately prior to the date of application; and
                      (i) A draft copy of the applicant's (and parent's where applicable) memorandum and articles of association, addressing the matters described in AU-4.1.6.
                      January 2014

                    • AU-4.1.5

                      The CBB may require that an acceptably worded letter of guarantee be provided in support of the application for a license. Where the application for the license is for an incorporated entity, the CBB may seek a letter of guarantee from controllers. Where the application is for an overseas licensee, the CBB may seek a letter of guarantee from the parent company.

                      January 2014

                    • AU-4.1.6

                      The business plan submitted in support of an application should include:

                      (a) An outline of the history of the applicant and its shareholders;
                      (b) The reasons for applying for a license, including the applicant's strategy and market objectives;
                      (c) The proposed type of activities to be carried on by the applicant in/from the Kingdom of Bahrain;
                      (d) The proposed Board and senior management of the applicant and the proposed organisational structure of the applicant;
                      (e) An independent assessment of the risks that may be faced by the applicant, together with the proposed systems and controls framework to be put in place for addressing those risks and to be used for the main business functions; and
                      (f) An opening balance sheet for the applicant, together with a three-year financial projection, with all assumptions clearly outlined, demonstrating that the applicant will be able to meet applicable leverage and liquidity requirements.
                      January 2014

                    • AU-4.1.7

                      The applicant's (and where applicable, its parent's) memorandum and articles of association must explicitly provide for it to undertake the activities proposed in the application, and must preclude the applicant from undertaking other commercial activities, unless these arise out of its microfinance activities or are incidental to those.

                      January 2014

                    • AU-4.1.8

                      All documentation provided to the CBB as part of an application for a license must be in either Arabic or English language. Any documentation in a language other than English or Arabic must be accompanied by a certified English or Arabic translation thereof.

                      January 2014

                    • AU-4.1.9

                      Any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs prior to authorisation must be reported to the CBB.

                      January 2014

                    • AU-4.1.10

                      Failure to inform the CBB of the changes specified in Paragraph AU-4.1.10 is likely to be viewed as a failure to provide full and open disclosure of information, and thus a failure to meet licensing condition in Paragraph AU-2.8.2.

                      January 2014

                  • Licensing Process and Timelines

                    • AU-4.1.11

                      As part of the application process, the CBB will provide a formal decision on a license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB, as specified in Article 44 (e) of the CBB Law. The applicant must submit within 6 months of the application date, all remaining requirements or otherwise has to submit a new application to the CBB. Applicants are encouraged to approach the CBB to discuss their application at an early stage, so that any specific questions can be dealt with prior to the finalisation of the application.

                      January 2014

                    • AU-4.1.12

                      Before the final approval is granted to a licensee, confirmation from a retail bank addressed to the CBB that the licensee's capital (injected funds) – as specified in the business plan submitted under Rule AU-4.1.4 – has been paid in must be provided to the CBB.

                      January 2014

                  • Starting Operations

                    • AU-4.1.13

                      Within 6 months of the license being issued, the licensee must provide to the CBB:

                      (a) A detailed action plan for establishing the operations and supporting infrastructure of the licensee, such as the completion of written policies and procedures, and recruitment of remaining employees (having regard to the time limit set by Article 48 (c) of the CBB Law);
                      (b) The registered office address and details of premises to be used to carry out the business of the proposed licensee;
                      (c) The address in the Kingdom of Bahrain where full business records will be kept;
                      (d) The licensee's contact details including telephone and fax number, e-mail address and website;
                      (e) A description of the business continuity plan;
                      (f) A description of the IT system that will be used, including details of how IT systems and other records will be backed up;
                      (g) A copy of the external auditor's acceptance to act as an external auditor for the applicant;
                      (h) A copy of the Ministry of Industry & Commerce commercial registration certificate in Arabic and English languages;
                      (i) A copy of the licensee's business card and any written communication (including stationery, website, e-mail, business documentation, etc.) including a statement that the microfinance institution is licensed by the CBB;
                      (j) An updated organisation chart showing the reporting lines, committees (if any) and including the names of the persons undertaking the controlled functions;
                      (k) A copy of the applicant's notarised memorandum and articles of association, addressing the matters described in Paragraph AU-4.1.7; and
                      (l) Other information as may be specified by the CBB.
                      January 2014

                    • AU-4.1.14

                      Applicants issued new licenses by the CBB must start operations within 6 months of the license being issued, as per Article 48 (c) of the CBB Law. Failure to comply with this rule may lead to enforcement action being taken against the licensee concerned, as specified in Article 128 of the CBB Law.

                      January 2014

                    • AU-4.1.15

                      A licensee must at all times keep an approved copy of the license displayed in a visible place on the licensee's premises in the Kingdom, as per Article 47 (b) of the CBB Law.

                      January 2014

                    • AU-4.1.16

                      Applicants who are refused a license have a right of appeal under the provisions contained in Article 46 of the CBB Law, which shall not be less than thirty days from the date of the decision. The CBB will decide on the appeal made by the applicant and notify him of its decision within thirty calendar days from the date of submission of the appeal.

                      January 2014

                    • AU-4.1.17

                      Applicants may not publicise in any way the application for a licence for, or formation of, a microfinance institution before the formal decision referred to in Paragraph AU-4.1.11 is provided to the applicant or the concerned agent.

                      January 2014

                • AU-4.2 AU-4.2 Approved Persons

                  • AU-4.2.1

                    Licensees must obtain the CBB's prior written approval before a person is formally appointed to a controlled function. The request for CBB approval must be made by submitting to the CBB a duly completed Form 3 (Application for Approved Person status) and Curriculum Vitae after verifying that all the information contained in the Form 3, including previous experience, is accurate. Form 3 is available under Volume 5 Part B Authorisation Forms of the CBB Rulebook.

                    Amended: January 2016
                    Amended: July 2015
                    January 2014

                  • AU-4.2.2

                    When the request for approved person status forms part of a license application, the Form 3 must be marked for the attention of the Director, Licensing Directorate. When the submission to undertake a controlled function is in relation to an existing licensee, the Form 3, except if dealing with a MLRO, must be marked for the attention of the applicable Banking Supervision Director. In the case of the MLRO, Form 3 should be marked for the attention of the Director, Compliance Directorate.

                    Amended: April 2018
                    January 2014

                  • AU-4.2.3

                    When submitting Form 3, licensees must ensure that the Form 3 is:

                    (a) Submitted to the CBB with a covering letter signed by an authorised representative of the licensee, seeking approval for the proposed controlled function;
                    (b) Submitted in original form;
                    (c) Submitted with a certified copy of the applicant's passport, original or certified copies of educational and professional qualification certificates (and translation if not in Arabic or English) and the Curriculum Vitae; and
                    (d) Is signed by an authorised representative of the licensee and all pages stamped with the licensee's seal.
                    Amended: July 2015
                    January 2014

                  • AU-4.2.4

                    For existing licensees applying for the appointment of a Director or the Chief Executive/General Manager, the authorised representative should be the Chairman of the Board or a Director signing on behalf of the Board. For all other controlled functions, the authorised representative should be a Director or the Chief Executive/General Manager.

                    Amended: July 2015
                    January 2014

                  • AU-4.2.5

                    [This Paragraph was deleted in July 2015.]

                    Deleted: July 2015

                  • AU-4.2.6

                    Licensees seeking to appoint Board Directors must seek CBB approval for all the candidates to be put forward for election/approval at a shareholder meeting, in advance of the agenda being issued to shareholders. CBB approval of the candidates does not in any way limit shareholders' rights to refuse those put forward for election/approval.

                    January 2014

                  • Assessment of Application

                    • AU-4.2.6A

                      The CBB shall review and assess the application for approved person status to ensure that it satisfies all the conditions required in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.2.6B

                      For purposes of Paragraph AU-4.2.6A, licensees should give the CBB a reasonable amount of notice in order for an application to be reviewed. The CBB shall respond within 15 business days from the date of meeting all regulatory requirements, including but not limited to receiving the application complete with all the required information and documents, as well as verifying references.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.2.6C

                      The CBB reserves the right to refuse an application for approved person status if it does not satisfy the conditions provided for in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5. A notice of such refusal is issued by registered mail to the licensee concerned, setting out the basis for the decision.

                      Amended: January 2016
                      Added: July 2015

                    • AU-4.2.7

                      [This Paragraph was deleted in January 2016.]

                      Deleted: January 2016
                      Amended: July 2015
                      January 2014

                  • Appeal Process

                    • AU-4.2.7A

                      Licensees or the nominated approved persons may, within 30 calendar days of the notification, appeal against the CBB's decision to refuse the application for approved person status. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from submitting the appeal.

                      Added: July 2015

                    • AU-4.2.7B

                      Where notification of the CBB's decision to grant a person approved person status is not issued within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, licensees or the nominated approved persons may appeal to the Executive Director, Banking Supervision of the CBB provided that the appeal is justified with supporting documents. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from the date of submitting the appeal.

                      Amended: January 2016
                      Added: July 2015

                  • Notification Requirements and Process

                    • AU-4.2.8

                      Licensees must immediately notify the CBB when an approved person ceases to hold a controlled function together with an explanation as to the reasons why (see Paragraphs AU-4.3.8 and AU-4.3.9). In such cases, their approved person status is automatically withdrawn by the CBB.

                      January 2014

                    • AU-4.2.9

                      Licensees must immediately notify the CBB in case of any material change to the information provided in a Form 3 submitted for an approved person.

                      January 2014

                    • AU-4.2.10

                      Licensees must immediately notify the CBB when they become aware of any of the events listed in Paragraph EN-8.2.3, affecting one of their approved persons.

                      January 2014

                    • AU-4.2.10A

                      Licensees must immediately notify the CBB should they become aware of information that could reasonably be viewed as calling into question an approved person’s compliance with CBB’s ‘fit and proper’ requirement (see AU3.1).

                      Added: January 2021

                  • Change in Controlled Function

                    • AU-4.2.11

                      Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee.

                      January 2014

                    • AU-4.2.12

                      In such instances, a new Form 3 (Application for Approved Person status) should be completed and submitted to the CBB. Note that a person may be considered 'fit and proper' for one controlled function, but not for another, if for instance the new role requires a different set of skills and experience. Where an approved person is moving to a controlled function in another licensee, the first licensee should notify the CBB of that person's departure (see Rule AU-4.2.8), and the new licensee should submit a request for approval under Rule AU-1.4.1.

                      January 2014

                • AU-4.3 AU-4.3 Cancellation of Authorisation

                  • Licenses

                    • Voluntary Surrender of a License or Closure of a Branch

                      • AU-4.3.1

                        In accordance with Article 50 of the CBB Law, all requests for the voluntary surrender of a license or closure of a branch are subject to CBB's prior written approval, before ceasing such activities. Such requests must be made in writing to the relevant Banking Supervision Director, setting out in full the reasons for the request and how the voluntary surrender of the license or branch closure is to be carried out.

                        January 2014

                      • AU-4.3.2

                        Licensees must satisfy the CBB that their customers' interests are to be safeguarded during and after the proposed voluntary surrender or closure of the branch. The requirements contained in Chapter GR-6 regarding cessation of business must be satisfied.

                        January 2014

                      • AU-4.3.3

                        The CBB will only approve a voluntary surrender where it has no outstanding regulatory concerns and any relevant customers' interests would not be prejudiced. A voluntary surrender will not be accepted where it is aimed at pre-empting supervisory actions by the CBB. Also, a voluntary surrender will only take effect once the licensee, in the opinion of the CBB, has discharged all its regulatory responsibilities to customers.

                        January 2014

                    • Cancellation

                      • AU-4.3.4

                        As provided for under Article 48 of the CBB Law, the CBB may amend or revoke a licence in any of the following cases:

                        (a) If the licensee fails to satisfy any of the license conditions;
                        (b) If the licensee violates the terms of these Rules or any of the CBB's directives;
                        (c) If the licensee fails to start business within six months from the date of the licence;
                        (d) If the licensee ceases to carry out the licensed activity in the Kingdom; or
                        (e) The legitimate interests of the customers or creditors of a licensee required such amendment or cancellation.
                        January 2014

                      • AU-4.3.5

                        Cancellation of a license requires the CBB to issue a formal notice of cancellation to the person concerned. The notice of cancellation describes the CBB's rationale for the proposed cancellation, as specified in Article 48 (d) of the CBB Law.

                        January 2014

                      • AU-4.3.6

                        The CBB generally views cancellation of a license as appropriate only in the most serious of circumstances, and generally tries to address supervisory concerns through other means beforehand. Further guidance is contained in Module EN (Enforcement), regarding CBB's approach to enforcement and on the process for issuing a notice of cancellation and the recipient's right to appeal the notice.

                        January 2014

                      • AU-4.3.7

                        Normally, where cancellation of a license has been confirmed by the CBB, the CBB will only effect the cancellation once a licensee has discharged all its regulatory responsibilities to customers. Until such time, the CBB will retain all its regulatory powers with regards to the licensee, and will direct the licensee such that no new regulated microfinance services may be undertaken whilst the licensee discharges its obligations to customers.

                        January 2014

                    • Cancellation of Approved Person Status

                      • AU-4.3.8

                        In accordance with Paragraph BR-2.2.11, licensees must promptly notify the CBB in writing when a person undertaking a controlled function will no longer be carrying out that function. If a controlled function falls vacant, the licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the licensee must make immediate interim arrangements to ensure continuity of the duties and responsibilities of the controlled function affected. These interim arrangements must be approved by the CBB.

                        January 2014

                      • AU-4.3.9

                        The explanation given for any such changes should simply identify if the planned move was prompted by any concerns over the person concerned, or is due to a routine staff change, retirement or similar reason.

                        January 2014

                      • AU-4.3.10

                        The CBB may also move to declare someone as not 'fit and proper', in response to significant compliance failures or other improper behaviour by that person: see Chapter EN-8 regarding the cancellation of 'fit and proper' approval.

                        January 2014

                • AU-4.4 AU-4.4 Publication of the Decision to Grant, Cancel or Amend a License

                  • AU-4.4.1

                    In accordance with Articles 47 and 49 of the CBB Law, the CBB will publish its decision to grant, cancel or amend a license in the Official Gazette and in two local newspapers, one in Arabic and the other in English.

                    Amended: October 2019
                    Added: July 2017

                  • AU-4.4.2

                    For the purposes of Paragraph AU-4.4.1, the cost of publication must be borne by the Licensee.

                    Added: July 2017

                  • AU-4.4.3

                    The CBB may also publish its decision on such cancellation or amendment using any other means it considers appropriate, including electronic means.

                    Added: July 2017

              • AU-5 AU-5 License Fees

                • AU-5.1 AU-5.1 License Application Fees

                  • AU-5.1.1

                    Applicants seeking a microfinance institution license from the CBB must pay a non-refundable license application fee of BD 100 at the time of submitting their formal application to the CBB.

                    January 2014

                  • AU-5.1.2

                    There are no application fees for those seeking approved persons status.

                    January 2014

                • AU-5.2 AU-5.2 Annual License Fees

                  • AU-5.2.1

                    Licensees must pay the relevant annual license fee to the CBB on 1st of December of the preceding year for which the fee is due.

                    Amended: April 2014
                    January 2014

                  • AU-5.2.2

                    Licensees must pay an annual license fee of BD1,000.

                    January 2014

                  • AU-5.2.3

                    All annual fees are collected by direct debit and all licensees must ensure that they submit to the CBB the completed Direct Debit Authorisation Form (available under Part B of Volume 5) by 15th October prior to the year for which the fees are due.

                    January 2014

                  • AU-5.2.4

                    For new licensees, their first annual license fee of BD1,000 is payable when their license is issued by the CBB.

                    January 2014

                  • AU-5.2.5

                    Where a license is cancelled (whether at the initiative of the firm or the CBB), no refund is paid for any months remaining in the calendar year in question, should a fee have been paid for that year.

                    January 2014

            • HC HC Microfinance Institutions High-Level Controls Module

              • HC-A HC-A Introduction

                • HC-A.1 HC-A.1 Purpose

                  • Executive Summary

                    • HC-A.1.1

                      This Module presents requirements that have to be met by microfinance institution licensees with respect to:

                      (a) Corporate governance principles issued by the Ministry of Industry and Commerce as "The Corporate Governance Code";
                      (b) International best practice corporate governance standards set by bodies such as the Basel Committee on Banking Supervision; and
                      (c) Related high-level controls and policies.
                      January 2014

                    • HC-A.1.2

                      The Principles referred to in this Module are in line with the Principles relating to the Corporate Governance Code issued by the Ministry of Industry and Commerce.

                      January 2014

                    • HC-A.1.3

                      The purpose of the Module is to establish best practice corporate governance principles in Bahrain, and to provide protection for customers and other microfinance institution licensee's stakeholders through compliance with those principles.

                      January 2014

                    • HC-A.1.4

                      Whilst the Module follows best practice, it is nevertheless considered as the minimum standard to be applied.

                      January 2014

                  • Structure of this Module

                    • HC-A.1.5

                      This Module follows the structure of the Corporate Governance Code and each Chapter deals with one of the nine Principles of corporate governance. The numbered directives included in the Code are Rules for purposes of this Module. Recommendations under the Code have been included as guidance.

                      January 2014

                    • HC-A.1.6

                      The Module also incorporates other high-level controls and policies that apply in particular to microfinance institution licensees.

                      January 2014

                    • HC-A.1.7

                      All references in this Module to 'he' or 'his' shall, unless the context otherwise requires, be construed as also being references to 'she' and 'her'.

                      January 2014

                  • The Comply or Explain Principle

                    • HC-A.1.8

                      This Module is issued as a Directive (as amended from time to time) in accordance with Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). In common with other Rulebook Modules, this Module contains a mixture of Rules and Guidance (See Module UG-1.2 for detailed explanation of Rules and Guidance). All Rulebook content that is categorised as a Rule must be complied with by those to whom the content is addressed. Other parts of this Module are Guidance; nonetheless every microfinance institution licensee to whom Module HC applies, is expected to comply with recommendations made as Guidance in Module HC or explain its noncompliance by way of an annual report to its shareholders and to the CBB (see Chapter HC-8).

                      January 2014

                  • Monitoring and Enforcement of Module HC

                    • HC-A.1.9

                      Disclosure and transparency are underlying principles of Module HC. Disclosure is crucial to allow outside monitoring to function effectively. This Module looks to a combined monitoring system relying on the board, the microfinance institution licensee's shareholders and the CBB.

                      January 2014

                    • HC-A.1.10

                      It is the board's responsibility to see to the accuracy and completeness of the microfinance institution licensee's corporate governance guidelines and compliance with Module HC. Failure to comply with this Module is subject to enforcement measures as outlined in Module EN (Enforcement).

                      January 2014

                  • Legal Basis

                    • HC-A.1.11

                      This Module contains the CBB's Directive (as amended from time to time) relating to high-level controls and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 (‛CBB Law'). The Directive in this Module is applicable to microfinance institution licensees (including their approved persons).

                      January 2014

                    • HC-A.1.12

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      January 2014

                  • Effective Date

                    • HC-A.1.13

                      All microfinance institution licensees to which Module HC applies must be in full compliance by the financial year end 2014. At every microfinance institution licensee's annual shareholder meeting held after December 2013, corporate governance must be an item on the agenda for information and any questions from shareholders regarding the microfinance institution licensee's governance. The microfinance institution licensee must also have corporate governance guidelines in place at that time and must have a "comply or explain" report as described in Paragraph HC-A.1.8.

                      January 2014

                • HC-A.2 HC-A.2 Module History

                  • HC-A.2.1

                    This Module was first issued in January 2014. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    January 2014

                  • HC-A.2.2

                    A list of recent changes made to this Module is provided below:

                    Module Ref. Change Date Description of Changes
                    HC-1.3.8 10/2014 Updated cross reference.
                    HC-1.4.11 01/2020 Added a new Paragraph on independent directors.
                    HC-1.4.12 01/2020 Added a new Paragraph on termination of Board membership of a retired, terminated CEO.
                    HC-5.4.2 04/2020 Added a new Paragraph on KPIs compliance with AML/CFT requirements.
                         

                  • Superseded Requirements

                    • HC-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                      Document Ref. Document Subject
                      Volumes 1 and 2 Module HC
                         
                      January 2014

              • HC-B HC-B Scope of Application

                • HC-B.1 HC-B.1 Scope of Application

                  • HC-B.1.1

                    The content of this Module applies to all microfinance institution licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

                    January 2014

                  • HC-B.1.2

                    Overseas licensees must satisfy the CBB that equivalent arrangements are in place at the parent entity level, and that these arrangements provide for effective high-level controls over activities conducted under the Bahrain license.

                    January 2014

              • HC-1 HC-1 The Board

                • HC-1.1 HC-1.1 Principle

                  • HC-1.1.1

                    All licensees must be headed by an effective, collegial and informed board of directors ('the board').

                    January 2014

                • HC-1.2 HC-1.2 Role and Responsibilities

                  • HC-1.2.1

                    All directors must understand the board's role and responsibilities under the Commercial Companies Law and any other laws or regulations that may govern their responsibilities from time to time. In particular:

                    (a) The board's role as distinct from the role of the shareholders (who elect the board and whose interests the board serves) and the role of senior managers (whom the board appoints and oversees); and
                    (b) The board's fiduciary duties of care and loyalty to the licensee and the shareholders (see Section HC-2.1).
                    January 2014

                  • HC-1.2.2

                    The board's role and responsibilities include but are not limited to:

                    (a) The overall business performance and strategy for the licensee;
                    (b) Causing financial statements to be prepared which accurately disclose the licensee's financial position;
                    (c) Monitoring management performance;
                    (d) Convening and preparing the agenda for shareholder meetings;
                    (e) Monitoring conflicts of interest and preventing abusive related party transactions;
                    (f) Assuring equitable treatment of shareholders including minority shareholders; and
                    (g) Establishing the objectives of the licensee.
                    January 2014

                  • HC-1.2.3

                    The precise functions reserved for the board, and those delegated to management and committees will vary, dependent upon the business of the licensee, its size and ownership structure. However, as a minimum, the board must establish and maintain a statement of its responsibilities for:

                    (a) The adoption and annual review of strategy;
                    (b) The adoption and review of management structure and responsibilities;
                    (c) The adoption and review of the systems and controls framework; and
                    (d) Monitoring the implementation of strategy by management.
                    January 2014

                  • HC-1.2.4

                    The directors are responsible both individually and collectively for performing the responsibilities outlined in Paragraph HC-1.2.1 to HC-1.2.3. Although the board may delegate certain functions to committees or management, it may not delegate its ultimate responsibility to ensure that an adequate, effective, comprehensive and transparent corporate governance framework is in place.

                    January 2014

                  • HC-1.2.5

                    In its strategy review process under Paragraphs HC-1.2.3 a) and d), the board must:

                    (a) Review the licensee's business plans and the inherent level of risk in these plans;
                    (b) Assess the adequacy of capital to support the business risks of the licensee;
                    (c) Set performance objectives; and
                    (d) Oversee major capital expenditures and divestitures.
                    January 2014

                  • HC-1.2.6

                    Licensees must notify the CBB in writing of all major proposed changes to the strategy of the licensee prior to implementation.

                    January 2014

                  • HC-1.2.7

                    The board is expected to have effective policies and processes in place for:

                    (a) Approving budgets and reviewing performance against those budgets and key performance indicators; and
                    (b) The management of the licensee's compliance risk.
                    January 2014

                  • HC-1.2.8

                    When a new director is inducted, the chairman of the board, assisted by the licensee's legal counsel or compliance officer, should review the board's role and duties with that person, particularly covering legal and regulatory requirements and Module HC (see also HC-4.5.1).

                    January 2014

                  • HC-1.2.9

                    The licensee must have a written appointment agreement with each director which recites the directors' powers, duties, responsibilities and accountabilities and other matters relating to his appointment including his term, the time commitment envisaged, the committee assignment if any, his remuneration and expense reimbursement entitlement, and his access to independent professional advice when that is needed.

                    January 2014

                  • Risk Recognition and Assessment

                    • HC-1.2.10

                      The board is responsible for ensuring that the systems and controls framework, including the board structure and organisational structure of the licensee, is appropriate for the business and associated risks (see Paragraph HC-1.2.3 (c)). The board must ensure that collectively it has sufficient expertise to identify, understand and measure the significant risks to which the licensee is exposed in its business activities.

                      The board must regularly assess the systems and controls framework of the licensee. In its assessments, the board must demonstrate to the CBB that:

                      (a) The licensee's operations, individually and collectively are measured, monitored and controlled by appropriate, effective and prudent risk management systems commensurate with the scope of its activities;
                      (b) The licensee's operations are supported by an appropriate control environment. The compliance, internal audit, risk management and financial reporting functions must be adequately resourced, independent of business lines and must be run by individuals not involved with the day-to-day running of the various business areas. The board must additionally ensure that management develops, implements and oversees the effectiveness of comprehensive know your customer standards, as well as on-going monitoring of accounts and transactions, in keeping with the requirements of relevant law, regulations and best practice (with particular regard to anti-money laundering measures). The control environment must maintain necessary client confidentiality and ensure that the privacy of the licensee is not violated, and ensure that clients' rights and assets are properly safeguarded; and
                      (c) Where the board has identified any significant issues related to the licensee's adopted governance framework, appropriate and timely action is taken to address any identified adverse deviations from the requirements of this Module.
                      January 2014

                    • HC-1.2.11

                      The board must adopt a formal board charter or other statement specifying matters which are reserved to it, which should include but need not be limited to the specific requirements and responsibilities of directors. This charter must cover the points in Paragraphs HC-1.2.1 to HC-1.2.10.

                      January 2014

                • HC-1.3 HC-1.3 Decision Making Process

                  • HC-1.3.1

                    The board must be collegial and deliberative, to gain the benefit of each individual director's judgment and experience.

                    January 2014

                  • HC-1.3.2

                    The chairman must take an active lead in promoting mutual trust, open discussion, constructive dissent and support for decisions after they have been made.

                    January 2014

                  • HC-1.3.3

                    The board must meet frequently to enable it to discharge its responsibilities effectively but in no event less than four times a year. All directors must attend the meetings whenever possible and the directors must maintain informal communication between meetings.

                    January 2014

                  • HC-1.3.4

                    Individual board members must attend at least 75% of all board meetings in a given financial year to enable the board to discharge its responsibilities effectively (see table below). Voting and attendance proxies for board meetings are prohibited at all times.

                    Meetings per year 75% Attendance requirement
                    4 3
                    5 4
                    6 5
                    7 5
                    8 6
                    9 7
                    10 8
                    January 2014

                  • HC-1.3.5

                    The absence of board members at board and committee meetings must be noted in the meeting minutes. In addition, board attendance percentage must be reported during any general assembly meeting when board members stand for re-election (e.g. board member XYZ attended 95% of scheduled meetings this year).

                    January 2014

                  • HC-1.3.6

                    In the event that a board member has not attended at least 75% of board meetings in any given financial year, the licensee must immediately notify the CBB indicating which member has failed to satisfy this requirement, his level of attendance and any mitigating circumstances affecting his non-attendance. The CBB shall then consider the matter and determine whether disciplinary action, including disqualification of that board member pursuant to Article 65 of the CBB Law, is appropriate. Unless there are exceptional circumstances, it is likely that the CBB will take disciplinary action.

                    January 2014

                  • HC-1.3.7

                    To meet its obligations under Rule HC-1.3.3 above, the full board should meet once every quarter to address the board's responsibilities for management oversight and performance monitoring. Furthermore, board rules should require members to step down if they are not actively participating in board meetings. Board members are reminded that non attendance at board meetings does not absolve them of their responsibilities as directors. It is important that each individual director should allocate adequate time and effort to discharge his responsibilities. All directors are expected to contribute actively to the work of the board in order to discharge their responsibilities and should make every effort to attend board meetings where major issues are to be discussed. Licensees are encouraged to amend their articles of association to provide for telephonic and videoconference meetings. Participation in board meetings by means of video or telephone conferencing is regarded as attendance and may be recorded as such.

                    January 2014

                  • HC-1.3.7A

                    At least half the Board meetings of Bahraini licensees in any twelve-month period must be held in the Kingdom of Bahrain.

                    January 2014

                  • HC-1.3.8

                    All licensees are required to submit, on an annual basis, as an attachment to the year-end quarterly PIR, a report recording the meetings during the year by their board of directors. For a sample report, refer to Appendix BR-5.

                    Amended: October 2014
                    January 2014

                  • HC-1.3.9

                    The chairman is responsible for the leadership of the board, and for the efficient functioning of the board. The chairman must ensure that all directors receive an agenda, minutes of prior meetings, and adequate background information in writing before each board meeting and when necessary between meetings. Therefore it is vital that the chairman commit sufficient time to perform his role effectively. All directors must receive the same board information. At the same time, directors have a legal duty to inform themselves and they must ensure that they receive adequate and timely information and must study it carefully (See also Chapter HC-7 for other duties of the chairman).

                    January 2014

                  • HC-1.3.10

                    The board should have no more than 15 members, and should regularly review its size and composition to ensure that it is small enough for efficient decision making yet large enough to have members who can contribute from different specialties and viewpoints. The board should recommend changes in board size to the shareholders when a needed change requires amendment of the licensee's Memorandum of Association.

                    January 2014

                  • HC-1.3.11

                    Potential non-executive directors should be made aware of their duties before their nomination, particularly as to the time commitment required. Where there is a nominating committee, it should regularly review the time commitment required from each non-executive director and should require each non-executive director to inform the committee before he accepts any board appointments to another licensee.

                    January 2014

                  • HC-1.3.12

                    One person should not hold more than three directorships in public companies in Bahrain with the provision that no conflict of interest may exist, and the board should not propose the election or reelection of any director who does.

                    January 2014

                • HC-1.4 HC-1.4 Independence of Judgment

                  • HC-1.4.1

                    Every director must bring independent judgment to bear in decision-making. No individual or group of directors must dominate the board's decision-making and no one individual should have unfettered powers of decision.

                    January 2014

                  • HC-1.4.2

                    Executive directors must provide the board with all relevant business and financial information within their cognizance, and must recognise that their role as a director is different from their role as a member of management (see HC-2.3.2).

                    January 2014

                  • HC-1.4.3

                    Non-executive directors must be fully independent of management and must constructively scrutinise and challenge management including the management performance of executive directors.

                    January 2014

                  • HC-1.4.4

                    Where there is the potential for conflict of interest, or there is a need for impartiality, the Board must assign a sufficient number of independent board members capable of exercising independent judgement.

                    January 2014

                  • HC-1.4.5

                    At least half of a licensee's board should be non-executive directors and at least three of those persons should be independent directors. (Note the exception for controlled companies in Paragraph HC-1.5.2.). Due to the nature of the business carried out by licensees, and government participation in such entities, government representatives are considered independent for the purpose of this Module.

                    January 2014

                  • HC-1.4.6

                    The chairman of the board should be an independent director, so that there will be an appropriate balance of power and greater capacity of the board for independent decision making.

                    January 2014

                  • HC-1.4.7

                    The chairman and/or deputy chairman must not be the same person as the chief executive officer (CEO).

                    January 2014

                  • HC-1.4.8

                    The chairman must not be an executive director.

                    January 2014

                  • HC-1.4.9

                    The board should review the independence of each director at least annually in light of interests disclosed by them, and their conduct. Each independent director shall provide the board with all necessary and updated information for this purpose.

                    January 2014

                  • HC-1.4.10

                    To facilitate free and open communication among independent directors, each board meeting should be preceded or followed with a session at which only independent directors are present, except as may otherwise be determined by the independent directors themselves.

                    January 2014

                  • HC-1.4.11

                    Where an independent director has served three consecutive terms on the board, such director will lose his/her independence status and must not be classified as an independent director if reappointed.

                    Added: January 2020

                  • HC-1.4.12

                    Where a Chief Executive Officer of a microfinance institution licensee, who is also a Board member, no longer occupies the CEO position, whether due to resignation, retirement or termination, his/her Board Membership must also be immediately terminated.

                    Added: January 2020

                • HC-1.5 HC-1.5 Representation of all Shareholders

                  • HC-1.5.1

                    Each director must consider himself as representing all shareholders and must act accordingly. The board must avoid having representatives of specific groups or interests within its membership and must not allow itself to become a battleground of vested interests. If the licensee has controllers (as defined by Section GR-4.2) (or a group of controllers acting in concert), the latter must recognise its or their specific responsibility to the other shareholders, which is direct and is separate from that of the board of directors.

                    January 2014

                  • HC-1.5.2

                    In licensees with a controller, at least one-third of the board must be independent directors. Minority shareholders must generally look to independent directors' diligent regard for their interests, in preference to seeking specific representation on the board.

                    January 2014

                  • HC-1.5.3

                    In licensees with controllers, both controllers and other shareholders should be aware of controllers' specific responsibilities regarding their duty of loyalty to the licensee and conflicts of interest (see Chapter HC-2) and also of rights that minority shareholders may have to elect specific directors under the Company Law or if the licensee has adopted cumulative voting for directors. The chairman of the board should take the lead in explaining this with the help of the licensee's lawyers.

                    January 2014

                • HC-1.6 HC-1.6 Directors' Access to Independent Advice

                  • HC-1.6.1

                    The board must ensure by way of formal procedures that individual directors have access to independent legal or other professional advice at the licensee's expense whenever they judge this necessary to discharge their responsibilities as directors and this must be in accordance with the licensee's policy approved by the board.

                    January 2014

                  • HC-1.6.2

                    Individual directors must also have access to the licensee's corporate secretary, who must have responsibility for reporting to the board on board procedures. Both the appointment and removal of the corporate secretary must be a matter for the board as a whole, not for the CEO or any other officer.

                    January 2014

                  • HC-1.6.3

                    Whenever a director has serious concerns which cannot be resolved concerning the running of the licensee or a proposed action, he should consider seeking independent advice and should ensure that the concerns are recorded in the board minutes and that any dissent from a board action is noted or delivered in writing.

                    January 2014

                  • HC-1.6.4

                    Upon resignation, a non-executive director should provide a written statement to the chairman, for circulation to the board, if he has any concerns such as those in Paragraph HC-1.6.3.

                    January 2014

                • HC-1.7 HC-1.7 Directors' Communication with Management

                  • HC-1.7.1

                    The board must encourage participation by management regarding matters the board is considering, and also by management members who by reason of responsibilities or succession, the CEO believes should have exposure to the directors.

                    January 2014

                  • HC-1.7.2

                    Non-executive directors should have free access to the licensee's management beyond that provided in board meetings. Such access should be through the chairman of the audit committee or CEO. The board should make this policy known to management to alleviate any management concerns about a director's authority in this regard.

                    January 2014

                • HC-1.8 HC-1.8 Committees of the Board

                  • HC-1.8.1

                    The board must create specialised committees when and as such committees are needed.

                    January 2014

                  • HC-1.8.2

                    In addition to the audit, remuneration and nominating committees described elsewhere in this Module, specialised committees may include an executive committee to review and make recommendations to the whole board on the licensee's actions, or a risk committee to identify and minimize specific risks of the licensee's business.

                    January 2014

                  • HC-1.8.3

                    The board shall establish a corporate governance committee of at least three independent members which shall be responsible for developing and recommending changes from time to time in the licensee's corporate governance policy framework.

                    January 2014

                  • HC-1.8.4

                    The board or a committee may invite non-directors to participate in, but not vote at, a committee's meetings so that the committee may gain the benefit of their advice and expertise in financial or other areas.

                    January 2014

                  • HC-1.8.5

                    Committees must act only within their mandates and therefore the board must not allow any committee to dominate or effectively replace the whole board in its decision-making responsibility.

                    January 2014

                  • HC-1.8.6

                    Committees may be combined provided that no conflict of interest might arise between the duties of such committees, subject to CBB prior approval.

                    January 2014

                  • HC-1.8.7

                    Every committee must have a formal written charter similar in form to the model charters which are set forth in Appendices A, B and C of this Module for the audit, nominating and remuneration committees.

                    January 2014

                  • HC-1.8.8

                    Where committees are set up, they must keep full minutes of their activities and meet regularly to fulfill their mandates.

                    January 2014

                • HC-1.9 HC-1.9 Evaluation of the Board and Each Committee

                  • HC-1.9.1

                    At least annually the board must conduct an evaluation of its performance and the performance of each committee and each individual director.

                    January 2014

                  • HC-1.9.2

                    The evaluation process must include:

                    (a) Assessing how the board operates, especially in light of Chapter HC-1;
                    (b) Evaluating the performance of each committee in light of its specific purposes and responsibilities, which shall include review of the self-evaluations undertaken by each committee;
                    (c) Reviewing each director's work, his attendance at board and committee meetings, and his constructive involvement in discussions and decision making;
                    (d) Reviewing the board's current composition against its desired composition with a view toward maintaining an appropriate balance of skills and experience and a view toward planned and progressive refreshing of the board; and
                    (e) Recommendations for new directors to replace long-standing members or those members whose contribution to the board or its committees (such as the audit committee) is not adequate.
                    January 2014

                  • HC-1.9.3

                    While the evaluation is a responsibility of the entire board, it should be organised and assisted by an internal board committee and, when appropriate, with the help of external experts.

                    January 2014

                  • HC-1.9.4

                    The board should report to the shareholders, at each annual shareholder meeting, that evaluations have been done and report its findings.

                    January 2014

              • HC-2 HC-2 Approved Persons Loyalty

                • HC-2.1 HC-2.1 Principle

                  • HC-2.1.1

                    The approved persons must have full loyalty to the licensee.

                    January 2014

                • HC-2.2 HC-2.2 Personal Accountability

                  • HC-2.2.1

                    Licensees are subject to a wide variety of laws, regulations and codes of best practice that directly affect the conduct of business. Such laws involve the Rulebook of the licensed exchange, the Labour Law, the Commercial Companies Law, occupational health and safety, even environment and pollution laws, as well as the Law, codes of conduct and regulations of the CBB (as amended from time to time). The board sets the 'tone at the top' of a licensee, and has a responsibility to oversee compliance with these various requirements. The board should ensure that the staff conduct their affairs with a high degree of integrity, taking note of applicable laws, codes and regulations.

                    January 2014

                  • Corporate Ethics, Conflicts of Interest and Code of Conduct

                    • HC-2.2.2

                      Each member of the board must understand that under the Company Law he is personally accountable to the licensee and the shareholders if he violates his legal duty of loyalty to the licensee, and that he can be personally sued by the licensee or the shareholders for such violations.

                      January 2014

                    • HC-2.2.3

                      The board must establish corporate standards for approved persons and employees. This requirement should be met by way of a documented and published code of conduct or similar document. These standards must be communicated throughout the licensee, so that the approved persons and staff understand the importance of conducting business based on good corporate governance values and understand their accountabilities to the various stakeholders of the licensee. Licensee's approved persons and staff must be informed of and be required to fulfil their responsibilities to the stakeholders.

                      January 2014

                    • HC-2.2.4

                      An internal code of conduct is separate from the business strategy of a licensee. A code of conduct should outline the practices that approved persons and staff should follow in performing their duties. Licensees may wish to use procedures and policies to complement their codes of conduct. The suggested contents of a code of conduct are covered below:

                      (a) Commitment by the board and management to the code. The code of conduct should be linked to the objectives of the licensee, and its responsibilities and undertakings to customers, shareholders, staff and the wider community (see HC-2.2.3 and HC-2.2.4). The code should give examples or expectations of honesty, integrity, leadership and professionalism;
                      (b) Commitment to the law and best practice standards. This commitment would include commitments to following accounting standards, industry best practice (such as ensuring that information to clients is clear, fair, and not misleading), transparency, and rules concerning potential conflicts of interest (see HC-2.3);
                      (c) Employment practices. This would include rules concerning health and safety of employees, training, policies on the acceptance and giving of business courtesies, prohibition on the offering and acceptance of bribes, and potential misuse of licensee's assets;
                      (d) How the licensee deals with disputes and complaints (see Chapter BC-2) from clients and monitors compliance with the code; and
                      (e) Confidentiality. Disclosure of client or licensee information should be prohibited, except where disclosure is required by law (see HC-1.2.10 b).
                      January 2014

                    • HC-2.2.5

                      The CBB expects that the board and its members individually and collectively:

                      (a) Act with honesty, integrity and in good faith, with due diligence and care, with a view to the best interest of the licensee and its shareholders and other stakeholders (see Paragraphs HC-2.2.2 to HC-2.2.4);
                      (b) Act within the scope of their responsibilities (which should be clearly defined – see HC-1.2.9 and HC-1.2.11) and not participate in the day-to-day management of the licensee;
                      (c) Have a proper understanding of, and competence to deal with the affairs and products of the licensee and devote sufficient time to their responsibilities; and
                      (d) To independently assess and question the policies, processes and procedures of the licensee, with the intent to identify and initiate management action on issues requiring improvement. (i.e. to act as checks and balances on management).
                      January 2014

                    • HC-2.2.6

                      The duty of loyalty (mentioned in Paragraph HC-2.2.2) includes a duty not to use property of the licensee for his personal needs as though it was his own property, not to disclose confidential information of the licensee or use it for his personal profit, not to take business opportunities of the licensee for himself, not to compete in business with the licensee, and to serve the licensee's interest in any transactions with a licensee in which he has a personal interest.

                      January 2014

                    • HC-2.2.7

                      For purposes of Paragraph HC-2.2.6, an approved person should be considered to have a "personal interest" in a transaction with a licensee if:

                      (a) He himself; or
                      (b) A member of his family (i.e. spouse, father, mother, sons, daughters, brothers or sisters); or
                      (c) Another licensee of which he is a director or controller,

                      is a party to the transaction or has a material financial interest in the transaction. (Transactions and interests which are de minimis in value should not be included.)

                      January 2014

                • HC-2.3 HC-2.3 Avoidance of Conflicts of Interest

                  • HC-2.3.1

                    Each approved person must make every practicable effort to arrange his personal and business affairs to avoid a conflict of interest with the licensee.

                    January 2014

                  • HC-2.3.2

                    The board must establish and disseminate to its members and management, policies and procedures for the identification, reporting, disclosure, prevention, or strict limitation of potential conflicts of interest. It is senior management's responsibility to implement these policies. Rules concerning connected party transactions and potential conflicts of interest may be dealt with in the Code of Conduct (see HC-2.2.4). In particular, the CBB requires that any decisions to enter into transactions, under which approved persons would have conflicts of interest that are material, should be formally and unanimously approved by the full board. Best practice would dictate that an approved person must:

                    (a) Not enter into competition with the licensee;
                    (b) Not demand or accept substantial gifts from the licensee for himself or connected persons;
                    (c) Not misuse the licensee's assets;
                    (d) Not use the licensee's privileged information or take advantage of business opportunities to which the licensee is entitled, for himself or his associates; and
                    (e) Absent himself from any discussions or decision-making that involves a subject where they are incapable of providing objective advice, or which involves a subject or a proposed transaction where a conflict of interest exists.
                    January 2014

                • HC-2.4 HC-2.4 Disclosure of Conflicts of Interest

                  • HC-2.4.1

                    Each approved person must inform the entire board of potential conflicts of interest in their activities with, and commitments to other organisations as they arise. Board members must abstain from voting on the matter in accordance with the relevant provisions of the Company Law. This disclosure must include all material facts in the case of a contract or transaction involving the approved person. The approved persons must understand that any approval of a conflicted transaction is effective only if all material facts are known to the authorising persons and the conflicted person did not participate in the decision. In any case, all approved persons must declare in writing all of their other interests in other enterprises or activities (whether as a shareholder of above 5% of the voting capital of a licensee, a manager, or other form of significant participation) to the board (or the nominations or audit committees) on an annual basis.

                    January 2014

                  • HC-2.4.2

                    The board should establish formal procedures for:

                    (a) Periodic disclosure and updating of information by each approved person on his actual and potential conflicts of interest; and
                    (b) Advance approval by directors or shareholders who do not have an interest in the transactions in which a licensee's approved person has a personal interest. The board should require such advance approval in every case.
                    January 2014

                • HC-2.5 HC-2.5 Disclosure of Conflicts of Interest to Shareholders

                  • HC-2.5.1

                    The licensee must disclose to its shareholders in the notes to the audited financial statements any abstention from voting motivated by a conflict of interest and must disclose to its shareholders any authorisation of a conflict of interest contract or transaction in accordance with the Company Law.

                    January 2014

              • HC-3 HC-3 Audit Committee and Financial Statements Certification

                • HC-3.1 HC-3.1 Principle

                  • HC-3.1.1

                    The board must have rigorous controls for financial audit and reporting, internal control, and compliance with law.

                    January 2014

                • HC-3.2 HC-3.2 Audit Committee

                  • HC-3.2.1

                    The board must establish an audit committee of at least three directors of which the majority must be independent including the chairman. The committee must:

                    (a) Review the licensee's accounting and financial policies and practices;
                    (b) Review the integrity of the licensee's financial and internal controls and financial statements (particularly with reference to information passed to the board - see Paragraph HC-1.2.10). The information needs of the board to perform its monitoring responsibilities must be defined in writing, and regularly monitored by the audit committee;
                    (c) Review the licensee's compliance with legal requirements;
                    (d) Recommend the appointment, compensation and oversight of the licensee's external auditor; and
                    (e) Recommend the appointment of the internal auditor.
                    January 2014

                  • HC-3.2.2

                    In its review of the systems and controls framework in Paragraph HC-3.2.1, the audit committee must:

                    (a) Make effective use of the work of external and internal auditors. The audit committee must ensure the integrity of the licensee's accounting and financial reporting systems through regular independent review (by internal and external audit). Audit findings must be used as an independent check on the information received from management about the licensee's operations and performance and the effectiveness of internal controls;
                    (b) Make use of self-assessments, stress tests, and/or independent judgements made by external advisors. The board should appoint supporting committees, and engage senior management to assist the audit committee in the oversight of risk management; and
                    (c) Ensure that senior management have put in place appropriate systems of control for the business of the licensee and the information needs of the board; in particular, there must be appropriate systems and functions for identifying as well as for monitoring risk, the financial position of the licensee, and compliance with applicable laws, regulations and best practice standards. The systems must produce information on a timely basis.
                    January 2014

                  • HC-3.2.3

                    The licensee must set up an internal audit function, which reports directly to the audit committee and administratively to the CEO.

                    January 2014

                  • HC-3.2.4

                    The CEO must not be a member of the audit committee.

                    January 2014

                • HC-3.3 HC-3.3 Audit Committee Charter

                  • HC-3.3.1

                    The audit committee must adopt a written charter which shall, at a minimum, state the duties outlined in Paragraph HC-3.2.1 and the other matters included in Appendix A to this Module.

                    January 2014

                  • HC-3.3.2

                    A majority of the audit committee members must have the financial literacy qualifications stated in Appendix A.

                    January 2014

                  • Whistleblower Program

                    • HC-3.3.3

                      The board must adopt a "whistleblower" program under which employees can confidentially raise concerns about possible improprieties in financial or legal matters. Under the program, concerns may be communicated directly to any audit committee member or, alternatively, to an identified officer or employee who will report directly to the audit committee on this point.

                      January 2014

                • HC-3.4 HC-3.4 CEO and CFO Certification of Financial Statements

                  • HC-3.4.1

                    To encourage management accountability for the financial statements required by the directors, the licensee's CEO and chief financial officer (CFO) must state in writing to the audit committee and the board as a whole that the licensee's interim and annual financial statements present a true and fair view, in all material respects, of the licensee's financial condition and results of operations in accordance with applicable accounting standards.

                    January 2014

              • HC-4 HC-4 Appointment, Training and Evaluation of the Board

                • HC-4.1 HC-4.1 Principle

                  • HC-4.1.1

                    The licensee must have rigorous and transparent procedures for appointment, training and evaluation of the board.

                    January 2014

                • HC-4.2 HC-4.2 Nominating Committee

                  • HC-4.2.1

                    The board should establish a nominating committee of at least three directors which should:

                    (a) Identify persons qualified to become members of the board of directors or CEO, CFO, Corporate Secretary and any other officers of the licensee considered appropriate by the board, with the exception of the appointment of the internal auditor which is the responsibility of the audit committee in accordance with Paragraph HC-3.2.1; and
                    (b) Make recommendations to the whole board of directors including recommendations of candidates for board membership to be included by the board of directors on the agenda for the next annual shareholder meeting.
                    January 2014

                  • HC-4.2.2

                    The committee should include only independent directors or, alternatively, only non-executive directors of whom a majority should be independent directors and the chairman should be an independent director. This is consistent with international best practice and it recognises that the nominating committee should exercise judgment free from personal career conflicts of interest.

                    January 2014

                • HC-4.3 HC-4.3 Nominating Committee Charter

                  • HC-4.3.1

                    The nominating committee should adopt a formal written charter which should, at a minimum, state the duties outlined in Paragraph HC-4.2.1 and the other matters included in Appendix B to this Module.

                    January 2014

                • HC-4.4 HC-4.4 Board Nominations to Shareholders

                  • HC-4.4.1

                    Each proposal by the board to the shareholders for election or reelection of a director must be accompanied by a recommendation from the board, a summary of the advice of the nominating committee, as applicable, and the following specific information:

                    (a) The term to be served, which may not exceed three years (but there need not be a limit on reelection for further terms);
                    (b) Biographical details and professional qualifications;
                    (c) In the case of an independent director, a statement that the board has determined that the criteria of independent director have been met;
                    (d) Any other directorships held;
                    (e) Particulars of other positions which involve significant time commitments, and
                    (f) Details of relationships between:
                    (i) The candidate and the licensee, and
                    (ii) The candidate and other directors of the licensee.
                    January 2014

                  • HC-4.4.2

                    The chairman of the board should confirm to shareholders when proposing re-election of a director that, following a formal performance evaluation, the person's performance continues to be effective and continues to demonstrate commitment to the role. Any term beyond six years (e.g. two three-year terms) for a director should be subject to particularly rigorous review, and should take into account the need for progressive refreshing of the board. Serving more than six years is relevant to the determination of a non-executive director's independence.

                    January 2014

                • HC-4.5 HC-4.5 Induction and Training of Directors

                  • HC-4.5.1

                    The chairman of the board must ensure that each new director receives a formal and tailored induction to ensure his contribution to the board from the beginning of his term. The induction must include:

                    (a) Meetings with senior management, internal and external auditors and legal counsel;
                    (b) Visits to the licensee's facilities; and
                    (c) Presentations regarding strategic plans, significant financial, accounting and risk management issues and compliance programs.
                    January 2014

                  • HC-4.5.2

                    The tailored induction for new directors may be provided by the licensee's compliance officer.

                    January 2014

                  • HC-4.5.3

                    All continuing directors must be invited to attend orientation meetings and all directors must continually educate themselves as to the licensee's business and corporate governance.

                    January 2014

                  • HC-4.5.4

                    Management, in consultation with the chairman of the board, should hold programs and presentations to the directors respecting the licensee's business and industry, which may include periodic attendance at conferences and management meetings. The nominating committee shall oversee directors' corporate governance educational activities.

                    January 2014

              • HC-5 HC-5 Remuneration of Approved Persons

                • HC-5.1 HC-5.1 Principle

                  • HC-5.1.1

                    The licensee must remunerate approved persons fairly and responsibly.

                    January 2014

                • HC-5.2 HC-5.2 Remuneration Committee

                  • HC-5.2.1

                    The board should establish a remuneration committee of at least three directors which should:

                    (a) Review the licensee's remuneration policies for the approved persons, which should be approved by the shareholders and be consistent with the corporate values and strategy of the licensee;
                    (b) Make recommendations regarding remuneration policies and amounts for approved persons to the whole board, taking account of total remuneration including salaries, fees, expenses and employee benefits; and
                    (c) Recommend board member remuneration based on their attendance and performance.
                    January 2014

                  • HC-5.2.2

                    The committee may be merged with the nominating committee.

                    January 2014

                • HC-5.3 HC-5.3 Remuneration Committee Charter

                  • HC-5.3.1

                    The committee should adopt a written charter which should, at a minimum, state the duties in Paragraph HC-5.2.1 and other matters in Appendix C of this Module.

                    January 2014

                  • HC-5.3.2

                    The committee should include only independent directors or, alternatively, only non-executive directors of whom a majority are independent directors and the chairman is an independent director. This is consistent with international best practice and it recognises that the remuneration committee must exercise judgment free from personal career conflicts of interest.

                    January 2014

                • HC-5.4 HC-5.4 Standard for all Remuneration

                  • HC-5.4.1

                    Remuneration of approved persons must be sufficient enough to attract, retain and motivate persons of the quality needed to run the licensee successfully, but the licensee must avoid paying more than is necessary for that purpose.

                    January 2014

                  • Alignment of All Staff Remuneration with Compliance with AML/CFT Requirements

                    • HC-5.4.2

                      The performance evaluation and remuneration of senior management and staff of the licensee must be based on the achievement of the Key Performance Indicators (KPIs) relevant to ensuring compliance with AML/CFT requirements as specified in Paragraphs FC-2.1.3 and FC-2.1.4.

                      Added: April 2020

                • HC-5.5 HC-5.5 Non-Executive Directors' Remuneration

                  • HC-5.5.1

                    Remuneration of independent directors and non-executive directors must not include performance-related elements such as grants of shares, share options or other deferred stock-related incentive schemes, bonuses, or pension benefits.

                    January 2014

                • HC-5.6 HC-5.6 Senior Management's Remuneration

                  • HC-5.6.1

                    Remuneration of senior management must be structured so that a portion of the total is linked to the licensee's and individual's performance and aligns their interests with the interests of the shareholders.

                    January 2014

                  • HC-5.6.2

                    Such rewards may include grants of shares, share options and other deferred stock-related incentive schemes, bonuses, and pension benefits which are not based on salary.

                    January 2014

                  • HC-5.6.3

                    If a senior manager is also a director, his remuneration as a senior manager must take into account compensation received in his capacity as a director.

                    January 2014

                  • HC-5.6.4

                    All share incentive plans must be approved by the shareholders.

                    January 2014

                  • HC-5.6.5

                    All performance-based incentives should be awarded under written objective performance standards which have been approved by the board and are designed to enhance shareholder and the licensee's value, and under which shares should not vest and options should not be exercisable within less than two years of the date of award of the incentive.

                    January 2014

                  • HC-5.6.6

                    All plans for performance-based incentives should be approved by the shareholders, but the approval should be only of the plan itself and not of the grant to specific individuals of benefits under the plan.

                    January 2014

              • HC-6 HC-6 Management Structure

                • HC-6.1 HC-6.1 Principle

                  • HC-6.1.1

                    The board must establish a clear and efficient management structure.

                    January 2014

                • HC-6.2 HC-6.2 Establishment of Management Structure

                  • HC-6.2.1

                    The board must appoint senior management whose authority must include management and operation of current activities of the licensee, reporting to and under the direction of the board. The senior management must include at a minimum:

                    (a) A CEO;
                    (b) A CFO;
                    (c) A corporate secretary; and
                    (d) An internal auditor,

                    and must also include such other approved persons as the board considers appropriate.

                    January 2014

                • HC-6.3 HC-6.3 Titles, Authorities, Duties and Reporting Responsibilities

                  • HC-6.3.1

                    The board must adopt by-laws and issue formal letters of appointment prescribing each senior manager's title, authorities, duties, accountabilities and internal reporting responsibilities. This must be done in consultation with the CEO, to whom the other senior managers should normally report.

                    January 2014

                  • HC-6.3.2

                    These provisions must include but should not be limited to the following:

                    (a) The CEO must have authority to act generally in the licensee's name, representing the licensee's interests in concluding transactions on the licensee's behalf and giving instructions to other senior managers and licensee employees;
                    (b) The CFO must be responsible and accountable for:
                    (i) The complete, timely, reliable and accurate preparation of the licensee's financial statements, in accordance with the accounting standards and policies of the licensee (see also Paragraph HC-3.4.1); and
                    (ii) Presenting the board with a balanced and understandable assessment of the licensee's financial situation;
                    (c) The corporate secretary's duties must include arranging, recording and following up on the actions, decisions and meetings of the board and of the shareholders (both at annual and extraordinary meetings) in books to be kept for that purpose; and
                    (d) The internal auditor's duties must include providing an independent and objective review of the efficiency of the licensee's operations. This would include a review of the accuracy and reliability of the licensee's accounting records and financial reports as well as a review of the adequacy and effectiveness of the licensee's risk management, control, and governance processes.
                    January 2014

                  • HC-6.3.3

                    The board should also specify any limits which it wishes to set on the authority of the CEO or other senior managers, such as monetary maximums for transactions which they may authorise without separate board approval.

                    January 2014

                  • HC-6.3.4

                    The corporate secretary should be given general responsibility for reviewing the licensee's procedures and advising the board directly on such matters (see Rule HC-6.3.2(c)). Whenever practical, the corporate secretary should be a person with legal or similar professional experience and training.

                    January 2014

                  • HC-6.3.5

                    At least annually the board shall review and concur in a succession plan addressing the policies and principles for selecting a successor to the CEO, both in emergencies and in the normal course of business. The succession plan should include an assessment of the experience, performance, skills and planned career paths for possible successors to the CEO.

                    January 2014

                • HC-6.4 HC-6.4 Compliance

                  • HC-6.4.1

                    The CBB expects licensees to carry out a review of their compliance with the principles in this Module on a regular basis (either by way of a self-assessment or by way of a review by the internal audit function).

                    January 2014

              • HC-7 HC-7 Communication between Board and Shareholders

                • HC-7.1 HC-7.1 Principle

                  • HC-7.1.1

                    The licensee must communicate with shareholders, encourage their participation, and respect their rights.

                    January 2014

                • HC-7.2 HC-7.2 Conduct of Shareholders' Meetings

                  • HC-7.2.1

                    The board must observe both the letter and the intent of the Company Law's requirements for shareholder meetings. Among other things:

                    (a) Notices of meetings must be honest, accurate and not misleading. They must clearly state and, where necessary, explain the nature of the business of the meeting;
                    (b) Meetings must be held during normal business hours and at a place convenient for the greatest number of shareholders to attend;
                    (c) Notices of meetings must encourage shareholders to attend shareholder meetings and, if not possible, to allow shareholders to participate by proxy and must refer to procedures for appointing a proxy and for directing the proxy how to vote on a particular resolution. The proxy agreement must list the agenda items and must specify the vote (such as "yes," "no" or "abstain);
                    (d) Notices must ensure that all material information and documentation is provided to shareholders on each agenda item for any shareholder meeting, including but not limited to any recommendations or dissents of directors;
                    (e) The board must propose a separate resolution at any meeting on each substantially separate issue, so that unrelated issues are not "bundled" together;
                    (f) In meetings where directors are to be elected or removed the board must ensure that each person is voted on separately, so that the shareholders can evaluate each person individually;
                    (g) The chairman of the meeting must encourage questions from shareholders, including questions regarding the licensee's corporate governance guidelines;
                    (h) The minutes of the meeting must be made available to shareholders upon their request as soon as possible but not later than 30 days after the meeting; and
                    (i) Disclosure of all material facts must be made to the shareholders by the Chairman prior to any vote by the shareholders.
                    January 2014

                  • HC-7.2.2

                    The licensee should require all directors to attend and be available to answer questions from shareholders at any shareholder meeting and, in particular, ensure that the chairs of the audit, remuneration and nomination committees, where applicable, are ready to answer appropriate questions regarding matters within their committee's responsibility (being understood that confidential and proprietary business information may be kept confidential).

                    January 2014

                  • HC-7.2.3

                    The licensee should require its external auditor to attend the annual shareholders' meeting and be available to answer shareholders' questions concerning the conduct and conclusions of the audit.

                    January 2014

                  • HC-7.2.4

                    A licensee should maintain a website. The licensee should dedicate a specific section of its website to describing shareholders' rights to participate and vote at each shareholders' meeting, and should post significant documents relating to meetings including the full text of notices and minutes. The licensee may also consider establishing an electronic means for shareholders' communications including appointment of proxies. For confidential information, the licensee should grant a controlled access to such information to its shareholders.

                    January 2014

                  • HC-7.2.5

                    In notices of meetings at which directors are to be elected or removed the licensee should ensure that:

                    (a) Where the number of candidates exceeds the number of available seats, the notice of the meeting should explain the voting method by which the successful candidates will be selected and the method to be used for counting of votes; and
                    (b) The notice of the meeting should present a factual and objective view of the candidates so that shareholders may make an informed decision on any appointment to the board.
                    January 2014

                • HC-7.3 HC-7.3 Direct Shareholder Communication

                  • HC-7.3.1

                    The chairman of the board (and other directors as appropriate) must maintain continuing personal contact with controllers to solicit their views and understand their concerns. The chairman must ensure that the views of shareholders are communicated to the board as a whole. The chairman must discuss governance and strategy with controllers. Given the importance of market monitoring to enforce the "comply or explain" approach of this Module, the board must encourage shareholders to help in evaluating the licensee's corporate governance (see also Sections HC-1.2 and 1.3 for other duties of the chairman).

                    January 2014

                • HC-7.4 HC-7.4 Controllers

                  • HC-7.4.1

                    In licensees with one or more controllers, the chairman and other directors must actively encourage the controllers to make a considered use of their position and to fully respect the rights of minority shareholders (see also Sections HC-1.2 and 1.3 for other duties of the chairman).

                    January 2014

              • HC-8 HC-8 Corporate Governance Disclosure

                • HC-8.1 HC-8.1 Principle

                  • HC-8.1.1

                    The licensee must disclose its corporate governance.

                    January 2014

                • HC-8.2 HC-8.2 Disclosure under the Company Law and CBB Requirements

                  • HC-8.2.1

                    In each licensee:

                    (a) The board must adopt written corporate governance guidelines covering the matters stated in this Module and other corporate governance matters deemed appropriate by the board. Such guidelines must include or refer to the principles and rules of Module HC;
                    (b) The licensee must publish the guidelines on its website, if it has a website;
                    (c) At each annual shareholders' meeting the board must report on the licensee's compliance with its guidelines and Module HC, and explain the extent if any to which it has varied them or believes that any variance or noncompliance was justified; and
                    (d) At each annual shareholders' meeting the board must also report on further items listed in Appendix D. Such information should be maintained on the licensee's website or held at the licensee's premises on behalf of the shareholders.
                    January 2014

                  • Board's Responsibility for Disclosure

                    • HC-8.2.2

                      The board must oversee the process of disclosure and communications with internal and external stakeholders. The board must ensure that disclosures made by the licensee are fair, transparent, comprehensive and timely and reflect the character of the licensee and the nature, complexity and risks inherent in the licensee's business activities. Disclosure policies must be reviewed for compliance with the CBB's disclosure requirements (see Chapter PD-1).

                      January 2014

              • HC-9 HC-9 Shari'a Compliant Business

                • HC-9.1 HC-9.1 Principle

                  • HC-9.1.1

                    Companies which refer to themselves as "Islamic" must follow the principles of Islamic Shari'a.

                    January 2014

                • HC-9.2 HC-9.2 Governance and Disclosure per Shari'a Principles

                  • HC-9.2.1

                    Licensees which are guided by the principles of Islamic Shari'a have additional responsibilities to their stakeholders. Licensees which refer to themselves as "Islamic" are subject to additional governance requirements and disclosures to provide assurance to stakeholders that they are following Shari'a principles. In ensuring compliance with Shari'a principles, each licensee must appoint a minimum of one Shari'a scholar.

                    January 2014

                  • HC-9.2.2

                    In addition to its duties outlined in Chapter HC-3 and Appendix A, the audit committee shall communicate and co-ordinate with the licensee's corporate governance committee and the appointed Shari'a scholar to ensure that information on compliance with Islamic Shari'a rules and principles is reported in a timely manner.

                    January 2014

                  • HC-9.2.3

                    The Board shall set up a corporate governance committee (see also Paragraph HC-1.8.2). In this case, the committee shall comprise at least three members to coordinate and integrate the implementation of the governance policy framework.

                    January 2014

                  • HC-9.2.4

                    The corporate governance committee established under Chapter HC-9 shall comprise at a minimum of:

                    (a) An independent director to chair the corporate governance committee. The chairman of the corporate governance committee should not only possess the relevant skills, such as the ability to read and understand financial statements, but should also be able to coordinate and link the complementary roles and functions of the corporate governance committee and the audit committee;
                    (b) A Shari'a scholar for the purpose of leading the corporate governance committee on Shari'a-related governance issues (if any); and
                    (c) An independent director who can offer different skills to the committee, such as legal expertise and business proficiency, which are considered particularly relevant by the board of directors for cultivating a good corporate governance culture, and deemed "fit and proper" by the CBB.
                    January 2014

                  • HC-9.2.5

                    The corporate governance committee shall be empowered to:

                    (a) Oversee and monitor the implementation of the governance policy framework by working together with the management, the audit committee and the Appointed Shari'a scholar; and
                    (b) Provide the board of directors with reports and recommendations based on its findings in the exercise of its functions.
                    January 2014

              • Appendix A Appendix A Audit Committee

                • Committee Duties

                  The committee's duties shall include those stated in Paragraph HC-3.2.1.

                  January 2014

                • Committee Membership and Qualifications

                  The committee shall have at least three members. Such members must have no conflict of interest with any other duties they have for the licensee.

                  A majority of the members of the committee including the chairman shall be independent directors. Where a government representative is a board member, such representative can be considered as a member of the audit committee and the majority rule will not apply (refer to Paragraph HC-1.4.5)

                  The CEO must not be a member of this committee.

                  The committee members must have sufficient technical expertise to enable the committee to perform its functions effectively. Technical expertise means that members must have recent and relevant financial ability and experience, which includes:

                  (a) An ability to read and understand corporate financial statements including a licensee's balance sheet, income statement and cash flow statement and changes in shareholders' equity;
                  (b) An understanding of the accounting principles which are applicable to the licensee's financial statements;
                  (c) Experience in evaluating financial statements that have a level of accounting complexity comparable to that which can be expected in the licensee's business;
                  (d) An understanding of internal controls and procedures for financial reporting; and
                  (e) An understanding of the audit committee's controls and procedures for financial reporting.
                  January 2014

                • Committee Duties and Responsibilities

                  In serving those duties, the committee shall:

                  (a) Be responsible for the selection, appointment, remuneration, oversight and termination where appropriate of the external auditor, subject to ratification by the licensee's board and shareholders. The external auditor shall report directly to the committee;
                  (b) Make a determination at least once each year of the external auditor's independence, including:
                  (i) Determining whether its performance of any non-audit services compromised its independence (the committee may establish a formal policy specifying the types of non-audit services which are permissible) and;
                  (ii) Obtaining from the external auditor a written report listing any relationships between the external auditor and the licensee or with any other person or entity that may compromise the auditor's independence;
                  (c) Review and discuss with the external auditor the scope and results of its audit, any difficulties the auditor encountered including any restrictions on its access to requested information and any disagreements or difficulties encountered with management;
                  (d) Review and discuss with management and the external auditor each annual and each quarterly financial statements of the licensee including judgments made in connection with the financial statements;
                  (e) Review and discuss and make recommendations regarding the selection, appointment and termination where appropriate of the head of internal audit and the head of compliance and the budget allocated to the internal audit and compliance function, and monitor the responsiveness of management to the committee's recommendations and findings;
                  (f) Review and discuss the activities, performance and adequacy of the licensee's internal auditing and compliance personnel and procedures and its internal controls and compliance procedures, and any risk management systems, and any changes in those;
                  (g) Oversee the licensee's compliance with legal and regulatory requirements, codes and business practices, and ensure that the licensee communicates with shareholders and relevant stakeholders (internal and external) openly and promptly, and with substance of compliance prevailing over form;
                  (h) Review and discuss possible improprieties in financial reporting or other matters, and ensure that arrangements are in place for independent investigation and follow-up regarding such matters;
                  (i) The committee must monitor rotation arrangements for audit engagement partners. The audit committee must monitor the performance of the external auditor and the non-audit services provided by the external auditor; and
                  (j) The review and supervision of the implementation of, enforcement of and adherence to the bank's code of conduct.
                  January 2014

                • Committee Structure and Operations

                  The committee shall elect one member as its chair.

                  The committee shall meet at least four times a year. Its meetings may be scheduled in conjunction with regularly-scheduled meetings of the entire board.

                  The committee may meet without any other director or any officer of the licensee present. Only the committee may decide if a non-member of the committee should attend a particular meeting or a particular agenda item. Non-members who are not directors of the licensee may attend to provide their expertise, but may not vote. It is expected that the external auditor's lead representative will be invited to attend regularly but that this shall always be subject to the committee's decision.

                  The committee must meet with the external auditor at least twice per year, and at least once per year in the absence of any members of executive management.

                  The committee shall report regularly to the full board on its activities.

                  January 2014

                • Committee Resources and Authority

                  The committee shall have the resources and authority necessary for its duties and responsibilities, including the authority to select, retain, terminate and approve the fees of outside legal, accounting or other advisors as it deems necessary or appropriate, without seeking the approval of the board or management. The licensee shall provide appropriate funding for the compensation of any such persons.

                  January 2014

                • Committee Performance Evaluation

                  The committee shall prepare and review with the board an annual performance evaluation of the committee, which shall compare the committee's performance with its requirements and shall recommend to the board any improvements deemed necessary or desirable to the committee's charter. The report must be in the form of a written report made at any regularly scheduled board meeting.

                  January 2014

              • Appendix B Appendix B Nominating Committee

                • Committee Duties

                  The committee's duties shall include those stated in Paragraph HC-4.2.1.

                  January 2014

                • Committee Duties and Responsibilities

                  In serving those duties with respect to board membership:

                  (a) The committee shall make recommendations to the board from time to time as to changes the committee believes to be desirable to the size of the board or any committee of the board;
                  (b) Whenever a vacancy arises (including a vacancy resulting from an increase in board size), the committee shall recommend to the board a person to fill the vacancy either through appointment by the board or through shareholder election;
                  (c) In performing the above responsibilities, the committee shall consider any criteria approved by the board and such other factors as it deems appropriate. These may include judgment, specific skills, experience with other comparable businesses, the relation of a candidate's experience with that of other board members, and other factors;
                  (d) The committee shall also consider all candidates for board membership recommended by the shareholders and any candidates proposed by management;
                  (e) The committee shall identify board members qualified to fill vacancies on any committee of the board and recommend to the board that such person appoint the identified person(s) to such committee; and
                  (f) Assuring that plans are in place for orderly succession of senior management.

                  In serving those purposes with respect to officers the committee shall:

                  (a) Make recommendations to the board from time to time as to changes the committee believes to be desirable in the structure and job descriptions of the officers including the CEO, and prepare terms of reference for each vacancy stating the job responsibilities, qualifications needed and other relevant matters including integrity, technical and managerial competence, and experience;
                  (b) Overseeing succession planning and replacing key executives when necessary, and ensuring appropriate resources are available, and minimising reliance on key individuals;
                  (c) Design a plan for succession and replacement of officers including replacement in the event of an emergency or other unforeseeable vacancy; and
                  (d) If charged with responsibility with respect to licensee's corporate governance guidelines, the committee shall develop and recommend to the board corporate governance guidelines, and review those guidelines at least once a year.
                  January 2014

                • Committee Structure and Operations

                  The committee shall elect one member as its chair.

                  The committee shall meet at least twice a year. Its meetings may be scheduled in conjunction with regularly-scheduled meetings of the entire board.

                  January 2014

                • Committee Resources and Authority

                  The committee shall have the resources and authority necessary for its duties and responsibilities, including the authority to select, retain, terminate and approve the fees of outside legal, consulting or search firms used to identify candidates, without seeking the approval of the board or management. The licensee shall provide appropriate funding for the compensation of any such persons.

                  January 2014

                • Performance Evaluation

                  The committee shall preview and review with the board an annual performance evaluation of the committee, which shall compare the committee's performance with its requirements and shall recommend to the board any improvements deemed necessary or desirable to the committee's charter. The report must be in the form of a written report made at any regularly scheduled board meeting.

                  January 2014

              • Appendix C Appendix C Remuneration Committee

                • Committee Duties

                  The committee's duties shall include those stated in Paragraph HC-5.2.1.

                  January 2014

                • Committee Duties and Responsibilities

                  In serving those duties the committee shall consider, and make specific recommendations to the board on, both remuneration policy and individual remuneration packages for the CEO and other senior managers. This remuneration policy should cover at least:

                  (a) The following components:
                  (i) Salary;
                  (ii) The specific terms of performance-related plans including any stock compensation, stock options, or other deferred-benefit compensation;
                  (iii) Pension plans;
                  (iv) Fringe benefits such as non-salary perks; and
                  (v) Termination policies including any severance payment policies; and
                  (b) Policy guidelines to be used for determining remuneration in individual cases, including on:
                  (i) The relative importance of each component noted in a) above;
                  (ii) Specific criteria to be used in evaluating a senior manager's performance.

                  The committee shall evaluate the CEO's and senior management's performance in light of the licensee's corporate goals, agreed strategy, objectives and business plans and may consider the licensee's performance and shareholder return relative to comparable licensees, the value of awards to CEOs at comparable licensees, and awards to the CEO in past years.

                  The committee should also be responsible for retaining and overseeing outside consultants or firms for the purpose of determining approved persons' remuneration, administering remuneration plans, or related matters.

                  January 2014

                • Committee Structure and Operations

                  The committee shall elect one member as its chair.

                  The committee shall meet at least twice a year. Its meetings may be scheduled in conjunction with regularly-scheduled meetings of the entire board.

                  January 2014

                • Committee Resources and Authority

                  The committee shall have the resources and authority necessary for its duties and responsibilities, including the authority to select, retain, terminate and approve the fees of outside legal, consulting or compensation firms used to evaluate the compensation of directors, the CEO or other approved persons, without seeking the approval of the board or management. The licensee shall provide appropriate funding for the compensation of any such persons.

                  January 2014

                • Performance Evaluation

                  The committee shall preview and review with the board an annual performance evaluation of the committee, which shall compare the committee's performance with its requirements and shall recommend to the board any improvements deemed necessary or desirable to the committee's charter. The report must be in the form of a written report made at any regularly scheduled board meeting.

                  January 2014

              • Appendix D Corporate Governance Disclosure to Shareholders

                The licensee shall disclose the following items to the shareholders, in addition to any disclosures required as per Module PD:

                Ownership of Shares

                1. Distribution of ownership by nationality
                2. Distribution of ownership by size of shareholder
                3. Ownership by Government
                4. Names of shareholders owning 5% or more and, if they act in concert, a description of the voting, shareholders' or other agreements among them relating to acting in concert, and of any other direct and indirect relationships among them or with the licensee or other shareholders.

                Board, Board Members and Management

                1. Board's functions – rather than a general statement (which could be disclosed simply as the board's legal obligations under the law) the 'mandate' of the board should be set out
                2. The types of material transactions that require board approval
                3. Names, their capacity of representation and detailed information about the directors, including directorships of other boards, positions, qualifications and experience (should describe each director as executive or non-executive)
                4. Number and names of independent members
                5. Board terms and the start date of each term
                6. What the board does to induct/educate/orient new directors
                7. Director's ownership of shares
                8. Election system of directors and any termination arrangements
                9. Director's trading of licensee's shares during the year
                10. Meeting dates (number of meetings during the year)
                11. Attendance of directors at each meeting
                12. Remuneration policy for board members and senior management
                13. Aggregate remuneration paid to board members
                14. List of senior managers and profile of each
                15. Shareholding by senior managers
                16. Aggregate remuneration paid to senior management
                17. Details of stock options and performance-linked incentives available to executives
                18. Whether the board has adopted a written code of ethical business conduct, and if so the text of that code and a statement of how the board monitors compliance.

                Committees

                1. Names of the board committees
                2. Functions of each committee
                3. Members of each committee divided into independent and non-independent
                4. Minimum number of meetings per year
                5. Actual number of meetings
                6. Attendance of committees' members
                7. Aggregate remuneration paid to each committee
                8. Work of committees and any significant issues arising during the period

                Corporate Governance

                1. Reference to Module HC and its principles
                2. Changes in Module HC that took place during the year

                Auditors

                1. The charters and a list of members of the audit (including external and internal; financial and non-financial experts), nominating and remuneration committees of the board.
                2. Audit fees
                3. Non-audit services provided by the external auditor and fees
                4. Reasons for any switching of auditors and reappointing of auditors

                Other

                1. Related party transactions
                2. Approval process for related party transactions
                3. Means of communication with shareholders and investors
                4. Review of internal control processes and procedures
                5. Announcements of the results in the press should include at least the followings:
                (a) Balance sheet, income statement, cash flow statement, statement of comprehensive income and changes in shareholders' equity
                (b) Auditor
                (c) Auditor's signature date
                (d) Board approval date

                Set out directors responsibility with regard to the preparation of financial statements

                Conflict of Interest – any issues arising must be reported, in addition describe any steps the board takes to ensure directors exercise independent judgment in considering transactions and agreements in respect of which a director or executive officer has a material interest.

                Board of directors – whether or not the board, its committees and individual directors are regularly assessed with respect to their effectiveness and contribution.

                January 2014

            • GR GR Microfinance Institutions General Requirements Module

              • GR-A GR-A Introduction

                • GR-A.1 GR-A.1 Purpose

                  • Executive Summary

                    • GR-A.1.1

                      This Module presents a variety of different requirements that are not extensive enough to warrant their own stand-alone Module, but for the most part are generally applicable. These include general requirements on books and records, the use of corporate and trade names, the distribution of dividends, controllers, close links and cessation of business. Each set of requirements is contained in its own Chapter.

                      January 2014

                  • Legal Basis

                    • GR-A.1.2

                      This Module contains the Central Bank of Bahrain ('CBB') Directive (as amended from time to time) regarding general requirements applicable to microfinance institution licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regarding controllers (see Chapter GR-5) are also included in Regulations, to be issued by the CBB.

                      January 2014

                    • GR-A.1.3

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

                      January 2014

                • GR-A.2 GR-A.2 Module History

                  • Evolution of Module

                    • GR-A.2.1

                      This Module was first issued in January 2014 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made. Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      January 2014

                    • GR-A.2.2

                      A list of recent changes made to this Module is detailed in the table below:

                      Module Ref. Change Date Description of Changes
                      GR-6.1 10/2016 Added additional requirement for cessation of business to be consistent with other Volumes of the CBB Rulebook.
                      GR-4.1.8 01/2017 Consistency of notification timeline rule on controllers with other Volumes of the CBB Rulebook.
                      GR-1.2.1 07/2017 Amended paragraph according to the Legislative Decree No. (28) of 2002.
                      GR-1.2.2 07/2017 Deleted paragraph.
                      GR-3.1.3 10/2017 Amended paragraph and changed from Guidance to Rule.
                      GR-4.1.1A 04/2019 Added a new Paragraph on exposure to controllers.
                      GR-4.1.1B 04/2019 Added a new Paragraph on exposure to controllers.
                      GR-1.2.1 01/2020 Amended Paragraph.
                      GR-6.1.8 04/2020 Amended Paragraph.
                      GR-2.1.1 01/2022 Amended Paragraph on change of licensee corporate and legal name.
                      GR-2.1.3 01/2022 Amended Paragraph to refer to change in legal name.

                  • Superseded Requirements

                    • GR-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                      Document Ref. Document Subject
                      Volumes 1 and 2 Module GR
                         
                      January 2014

              • GR-B GR-B Scope of Application

                • GR-B.1 GR-B.1 Microfinance Institution Licensees

                  • GR-B.1.1

                    This Module is applicable to all microfinance institution licensees, authorised in the Kingdom, thereafter referred to in this Module as licensees.

                    January 2014

              • GR-1 GR-1 Books and Records

                • GR-1.1 GR-1.1 General Requirements

                  • GR-1.1.1

                    In accordance with Article 59 of the CBB Law, all licensees must maintain books and records (whether in electronic or hard copy form) sufficient to produce financial statements and show a complete record of the business undertaken by a licensee. These records must be retained for at least ten years according to Article 60 of the CBB Law.

                    January 2014

                  • GR-1.1.2

                    Paragraph GR-1.1.1 includes accounts, books, files and other records (e.g. trial balance, general ledger, nostro/vostro statements, reconciliations, list of counterparties, etc.). It also includes records that substantiate the value of the assets, liabilities and off-balance sheet activities of the licensee (e.g. client activity files and valuation documentation).

                    January 2014

                  • GR-1.1.3

                    Separately, Bahrain Law currently requires other corporate records to be retained for at least five years (see Ministerial Order No. 23 of 2002, Article 5(2), made pursuant to the Amiri Decree Law No. 4 of 2001).

                    January 2014

                  • GR-1.1.4

                    Unless otherwise agreed to by the CBB in writing, records must be kept in either English or Arabic. Any records kept in languages other than English or Arabic must be accompanied by a certified English or Arabic translation. Records must be kept current. The records must be sufficient to allow an audit of the licensee's business or an on-site examination of the licensee by the CBB.

                    January 2014

                  • GR-1.1.5

                    Translations produced in compliance with Rule GR-1.1.4 may be undertaken in-house, by an employee or contractor of the licensee, providing they are certified by an appropriate officer of the licensee.

                    January 2014

                  • GR-1.1.6

                    Records must be accessible at any time from within the Kingdom of Bahrain, or as otherwise agreed with the CBB in writing.

                    January 2014

                  • GR-1.1.7

                    Where older records have been archived, the CBB may accept that records be accessible within a reasonably short time frame (e.g. within 5 business days), instead of immediately. The CBB may also agree similar arrangements where elements of record retention and management have been centralised in another group company, whether inside or outside of Bahrain.

                    January 2014

                  • GR-1.1.8

                    Paragraphs GR-1.1.1 to GR-1.1.7 apply to licensees, with respect to all business activities.

                    January 2014

                • GR-1.2 GR-1.2 Transaction Records

                  • GR-1.2.1

                    Licensees must keep completed transaction records for as long as they are relevant for the purposes for which they were made (with a minimum period in all cases of five years from the date when the transaction was terminated). Records of terminated transactions must be kept whether in hard copy or electronic format as per the Legislative Decree No. (54) of 2018 with respect to Electronic Transactions “The Electronic Communications and Transactions Law” and its amendments.

                    Amended: January 2020
                    Amended: July 2017
                    Added: January 2014

                  • GR-1.2.2

                    [This Paragraph has been deleted in July 2017].

                    Deleted: July 2017
                    January 2014

                  • GR-1.2.3

                    Rule GR-1.2.1 applies only to transactions relating to business booked in Bahrain by the licensee.

                    January 2014

                • GR-1.3 GR-1.3 Other Records

                  • Corporate Records

                    • GR-1.3.1

                      Licensees must maintain the following records in original form or in hard copy at their premises in Bahrain:

                      (a) Internal policies, procedures and operating manuals;
                      (b) Corporate records, including minutes of shareholders', Directors' and management meetings;
                      (c) Correspondence with the CBB and records relevant to monitoring compliance with CBB requirements;
                      (d) Reports prepared by the licensee's internal and external auditors; and
                      (e) Employee training manuals and records.
                      January 2014

                  • Customer Records

                    • GR-1.3.2

                      Record-keeping requirements with respect to customer records, including customer identification and due diligence records, are contained in Module FC (Financial Crime).

                      January 2014

              • GR-2 GR-2 Corporate and Trade Names

                • GR-2.1 GR-2.1 Vetting of Names

                  • GR-2.1.1

                    Licensees must obtain CBB’s prior written approval for any change in their legal name. Licensees must notify the CBB of any change in their corporate name at least one week prior to effecting the proposed change.

                    Amended: January 2022
                    Added: January 2014

                  • GR-2.1.2

                    Licensees must ensure that the words 'microfinance institution' appears in their corporate and trade name.

                    January 2014

                  • GR-2.1.3

                    In approving a change in a legal name, the CBB seeks to ensure that it is sufficiently distinct as to reduce possible confusion with other unconnected businesses, particularly those operating in the financial services sector. The CBB also seeks to ensure that names used by unregulated subsidiaries do not suggest those subsidiaries are in fact regulated.

                    Amended: January 2022
                    Added: January 2014

                • GR-2.2 GR-2.2 Publication of Documents by the Licensee

                  • GR-2.2.1

                    Any written communication, including stationery, business cards or other business documentation published by the licensee, or used by its employees must include a statement that the licensee is regulated by the Central Bank of Bahrain, the type of license and the legal status.

                    January 2014

              • GR-3 GR-3 Dividends

                • GR-3.1 GR-3.1 CBB Non-Objection

                  • GR-3.1.1

                    Licensees must obtain a letter of no-objection from the CBB to any dividend proposed, before announcing the proposed dividend by way of press announcement or any other means of communication and prior to submitting a proposal for a distribution of profits to a shareholder vote.

                    January 2014

                  • GR-3.1.2

                    The CBB will grant a no-objection letter where it is satisfied that the level of dividend proposed is unlikely to leave the licensee vulnerable – for the foreseeable future – to breaching the CBB's capital requirements, taking into account (as appropriate) trends in the licensee's business volumes, expenses, overall performance and the adequacy of provisions against impaired loans or other assets.

                    January 2014

                  • GR-3.1.3

                    To facilitate the prior approval required under Paragraph GR-3.1.1, licensees must provide the CBB with:

                    (a) The licensee's intended percentage and amount of proposed dividends for the coming year;
                    (b) A letter of no objection from the licensee's external auditor on such profit distribution; and
                    (c) A detailed analysis of the impact of the proposed dividend on the capital adequacy requirements outlined in Module CA (Capital Adequacy) and liquidity position of the licensee.
                    Amended: October 2017
                    January 2014

              • GR-4 GR-4 Controllers

                • GR-4.1 GR-4.1 Key Provisions

                  • GR-4.1.1

                    Licensees must obtain prior approval from the CBB for any of the following changes to their controllers (as defined in Section GR-4.2 and subject to the limits as outlined in GR-4.3):

                    (a) A new controller;
                    (b) An existing controller increasing its holding from below 20% to above 20% of issued and paid up share capital;
                    (c) An existing controller increasing its holding from below 50% to above 50% of issued and paid up share capital; or
                    (d) An existing controller reducing its holding from above 50% to below 50% of issued and paid up share capital.
                    January 2014

                  • GR-4.1.1A

                    Licensees must not incur or otherwise have an exposure (either directly or indirectly) to their controllers, including subsidiaries and associated companies of such controllers.

                    Added: April 2019

                  • GR-4.1.1B

                    For the purpose of Paragraph GR-4.1.1A, licensees that already have an exposure to controllers must have an action plan agreed with the CBB's supervisory point of contact to address such exposures within a timeline agreed with the CBB.

                    Added: April 2019

                  • GR-4.1.2

                    Condition 3 of the CBB's licensing conditions specifies, among other things, that licensees must satisfy the CBB that their controllers are suitable and pose no undue risks to the licensee (See Paragraph AU-2.3.1). There are also certain procedures which are set out in Articles 52 to 56 of the CBB Law on controllers. Licensees and their controllers must also observe the CBB's Capital Markets requirements in respect of changes in holdings of shares of listed companies.

                    January 2014

                  • GR-4.1.3

                    Applicants for a license must provide details of their controllers, by submitting a duly completed Form 2 (Application for Authorisation of Controller). (See sub-Paragraph AU-4.1.4(a)).

                    January 2014

                  • GR-4.1.4

                    There are strict limits on changes in the holdings of shares held by controllers in licensees or the extent of voting control exercised by controllers in licensees. These limits are outlined in Section GR-4.3.

                    January 2014

                  • GR-4.1.5

                    Failure to observe the limits outlined in this Section or to comply with an order issued by the CBB in relation to violating the share acquisition rules may lead to imposition of enforcement provisions of the Rulebook on the licensee and other penalties on the controller under the provisions of the CBB Law as outlined in Paragraph GR-4.1.2, including loss of voting power or transfer of shares.

                    January 2014

                  • GR-4.1.6

                    Where a controller is a legal person, any change in its shareholding must be notified to the CBB at the earlier of:

                    (a) When the change takes effect; and
                    (b) When the controller becomes aware of the proposed change.
                    January 2014

                  • GR-4.1.7

                    For approval under Paragraph GR-4.1.1 to be granted, the CBB must be satisfied that the proposed controller or increase in control poses no undue risks to the licensee. The CBB will therefore consider or reconsider the criteria outlined in Paragraphs GR-4.3.6 to GR-4.3.8 in any request for approval. The CBB may impose any restrictions that it considers necessary to be observed in case of its approval of a new controller, or any of the changes listed to existing controllers in Paragraph GR-4.1.1. These restrictions will include the applicable maximum allowed limit of holding or control (as outlined in Section GR-4.3). A duly completed Form 2 (Controllers) must be submitted as part of the request for a change in controllers. An approval of controller will specify the applicable period for effecting the proposed acquisition of shares.

                    January 2014

                  • GR-4.1.8

                    If, as a result of circumstances outside the licensee's knowledge and/or control, one of the changes specified in Paragraph GR-4.1.1 is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB no later than 15 calendar days on which those changes have occurred.

                    Amended: January 2017
                    January 2014

                  • GR-4.1.9

                    The approval provisions outlined above do not apply to existing holdings or existing voting control by controllers already approved by the CBB. The approval provisions apply to new/prospective controllers or to increases in existing holdings/voting control as outlined in Paragraph GR-4.1.1.

                    January 2014

                  • GR-4.1.10

                    Licensees are required to notify the CBB as soon as they become aware of events that are likely to lead to changes in their controllers. The criteria by which the CBB assesses the suitability of controllers are set out in Section GR-4.3. The CBB aims to respond to requests for approval within 30 calendar days and is obliged to reply within 3 months to a request for approval. The CBB may contact references and supervisory bodies in connection with any information provided to support an application for controller. The CBB may also ask for further information, in addition to that provided in Form 2, if required to satisfy itself as to the suitability of the applicant.

                    January 2014

                  • GR-4.1.11

                    Licensees must submit, within 3 months of their financial year-end, a report on their controllers (See Subparagraph BR-1.1.2(f)). This report must identify all controllers of the licensee, as defined in Section GR-4.2 and the extent of their shareholding interests.

                    January 2014

                • GR-4.2 GR-4.2 Definition of Controller

                  • GR-4.2.1

                    A controller of a licensee is a natural or legal person who either alone, or with his associates:

                    (a) Holds 10% or more of the issued and paid up share capital in the licensee ("L"), or is able to exercise (or control the exercise of) 10% or more of the voting power in L;
                    (b) Holds 10% or more of the issued and paid up share capital in a parent undertaking ("P") of L, or is able to exercise (or control the exercise of ) 10% or more of the voting power in P; or
                    (c) Is able to exercise significant influence over the management of L or P.
                    January 2014

                  • GR-4.2.2

                    For the purposes of Paragraph GR-4.2.1, "associate" includes:

                    (a) The spouse, son(s) or daughter(s) of a controller;
                    (b) An undertaking of which a controller is a director;
                    (c) A person who is an employee or partner of the controller; and
                    (d) If the controller is a legal person, a director of the controller, a subsidiary of the controller, or a director of any subsidiary undertaking of the controller.
                    January 2014

                  • GR-4.2.3

                    Associate also includes any other person or undertaking with which the controller has entered into an agreement or arrangement as to the acquisition, holding or disposal of shares or other interests in the licensee, or under which they undertake to act together in exercising their voting power in relation to the licensee.

                    January 2014

                • GR-4.3 GR-4.3 Suitability of Controllers

                  • GR-4.3.1

                    All new controllers or prospective controllers (as defined in Section GR-4.2) of a licensee must obtain the approval of the CBB. Any increases to existing controllers' holdings or voting control (as outlined under Paragraph GR-4.1.1) must also be approved by the CBB and are subject to the conditions outlined in this Section. Such changes in existing controllers or new/prospective controllers of a licensee must satisfy the CBB of their suitability and appropriateness according to the criteria outlined in Paragraphs GR-4.3.6 to GR-4.3.8. The CBB will issue an approval notice or notice of refusal of a controller according to the approval process outlined in Section GR-4.4 and Paragraph GR-4.1.6.

                    January 2014

                  • GR-4.3.2

                    All controllers or prospective controllers (whether natural or legal persons) of all licensees are subject to the approval of the CBB. Persons who intend to take ownership stakes of 10% or above of the voting capital of a licensee are subject to enhanced scrutiny, given the CBB's position as home supervisor of such licensees. The level of scrutiny and the criteria for approval become more onerous as the level of proposed ownership increases. Existing and prospective controllers should therefore take particular note of the requirements of Paragraphs GR-4.3.3 to GR-4.3.8 if they wish to take more substantial holdings or control.

                    As a matter of policy, the CBB distinguishes between regulated legal persons (i.e. financial institutions) and unregulated legal persons and natural persons as controllers. Regulated legal persons must satisfy home country prudential requirements. As a regulated legal person can own a greater percentage of issued and pid up share capital, it is subject to additional conditions as outlined in Paragraph GR-4.3.8. The CBB may also contact their home regulators for information on their "fit & proper" status.

                    January 2014

                  • GR-4.3.3

                    A natural person will not be allowed to own or control more than 15% of the issued and paid up capital of a licensee. Such person must satisfy the conditions in Paragraph GR-4.3.6 below.

                    January 2014

                  • GR-4.3.4

                    An unregulated legal person (including companies, trusts, partnerships) will not be allowed to own or control more than 50% of the issued and paid up capital of a licensee. All such persons must satisfy the conditions in Paragraph GR-4.3.7 below.

                    January 2014

                  • GR-4.3.5

                    The CBB will only permit financial institutions which are subject to effective consolidated supervision under a regulatory framework consistent with the Basel Core Principles, the IOSCO Principles or the IAIS Principles to become controllers with a holding of 100% of the issued and paid up capital of a licensee. Furthermore, the concerned regulated financial institution must satisfy the conditions in Paragraph GR-4.3.7 and also the specific conditions in Paragraph GR-4.3.8.

                    January 2014

                  • GR-4.3.6

                    In assessing the suitability and the appropriateness of new/prospective controllers (and existing controllers proposing to increase their shareholdings) who are natural persons, the CBB considers their professional and personal conduct, including, but not limited to, the following:

                    (a) The propriety of a person's conduct, whether or not such conduct resulted in conviction for a criminal offence, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
                    (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
                    (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
                    (d) Whether the person has been the subject of any disciplinary proceeding by any government authority, regulatory agency or professional body or association;
                    (e) The contravention of any financial services legislation or regulation;
                    (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
                    (g) Dismissal or a request to resign from any office or employment;
                    (h) Disqualification by a court, regulator or other competent body, as a director or as a manager of a corporation;
                    (i) Whether the person has been a director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners or managers have been declared bankrupt whilst the person was connected with that partnership or corporation;
                    (j) The extent to which the person has been truthful and open with regulators;
                    (k) Whether the person has ever been adjudged bankrupt, entered into any arrangement with creditors in relation to the inability to pay due debts, or failed to satisfy a judgement debt under a court order or has defaulted on any debts;
                    (l) The person's track record as a controller of, or investor in financial institutions;
                    (m) The financial resources of the person and the likely stability of their shareholding;
                    (n) Existing directorships or ownership of more than 20% of the capital or voting rights of any financial institution in the Kingdom of Bahrain or elsewhere, and the potential for conflicts of interest that such directorships or ownership may imply;
                    (o) The legitimate interests of creditors and minority shareholders of the licensee;
                    (p) If the approval of a person as a controller is or could be detrimental to the subject licensee, Bahrain's banking and financial sector or the national interests of the Kingdom of Bahrain; and
                    (q) Whether the person is able to deal with existing shareholders and the board in a constructive and co-operative manner.
                    January 2014

                  • GR-4.3.7

                    In assessing the suitability and appropriateness of legal persons as controllers (wishing to increase their shareholding) or new/potential controllers, the CBB has regard to their financial standing, judicial and regulatory record, and standards of business practice and reputation, including, but not limited to, the following:

                    (a) The financial strength of the person, its parent(s) and other members of its group, its implications for the licensee and the likely stability of the person's shareholding;
                    (b) Whether the person or members of its group have ever entered into any arrangement with creditors in relation to the inability to pay due debts;
                    (c) The person's jurisdiction of incorporation, location of Head Office, group structure and close links and the implications for the licensee as regards effective supervision of the licensee and potential conflicts of interest;
                    (d) The person's (and other group members') propriety and general standards of business conduct, including the contravention of any laws or regulations including financial services legislation on regulations, or the institution of disciplinary proceedings by a government authority, regulatory agency or professional body;
                    (e) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct;
                    (f) Any criminal actions instigated against the person or other members of its group, whether or not this resulted in an adverse finding;
                    (g) The extent to which the person or other members of its group have been truthful and open with regulators and supervisor;
                    (h) Whether the person has ever been refused a licence, authorisation, registration or other authority;
                    (i) The person's track record as a controller of, or investor in financial institutions;
                    (j) The legitimate interests of creditors and shareholders of the licensee;
                    (k) Whether the approval of a controller is or could be detrimental to the subject licensee, Bahrain's financial sector or the national interests of the Kingdom of Bahrain;
                    (l) Whether the person is able to deal with existing shareholders and the board in a constructive manner; and
                    (m) Existing directorships or ownership of more than 20% of the capital or voting rights of any financial institution in the Kingdom of Bahrain or elsewhere, and the potential for conflicts of interest that such directorships or ownership may imply.
                    January 2014

                  • GR-4.3.8

                    Regulated financial institutions wishing to acquire more than 50% of the voting capital of a licensee must observe the following additional conditions:

                    (a) The person must be subject to effective consolidated supervision by a supervisory authority which effectively implements the Basel Core Principles, the IOSCO Principles or the IAIS Principles as well as the FATF Recommendations on Combating Money Laundering and the Financing of Terrorism and Proliferation;
                    (b) The home supervisor of the person must give its formal written prior approval for (or otherwise raise no objection to) the proposed acquisition of the licensee;
                    (c) The home supervisor of the person must confirm to the CBB that it will require the person to consolidate the activities of the concerned licensee for regulatory and accounting purposes if the case so requires;
                    (d) The home supervisor of the person must formally agree to the exchange of customer information between the person and its prospective Bahraini subsidiary/acquisition for AML/CFT purposes and for large exposures monitoring purposes;
                    (e) The home supervisor of the person and the CBB must (if not already in place) conclude a Memorandum of Understanding in respect of supervisory responsibilities, exchange of information and mutual inspection visits; and
                    (f) The person must provide an acceptably worded letter of guarantee to the CBB in respect of its obligation to support the licensee.
                    January 2014

                • GR-4.4 GR-4.4 Approval Process

                  • GR-4.4.1

                    Within 3 months of receipt of an approval request under Paragraph GR-4.1.1, the CBB will issue an approval notice (with or without restrictions) or a written notice of refusal if it is not satisfied that the person concerned is suitable to increase his shareholding in, or become a controller of the licensee. The notice of refusal or notice of approval with conditions will specify the reasons for the objection or restriction and specify the applicant's right of appeal in either case. Where an approval notice is given, it will specify the period for which it is valid and any conditions that attach (see Paragraph GR-4.1.6). These conditions will include the maximum permitted limit of holding or voting control exercisable by the controller.

                    January 2014

                  • GR-4.4.2

                    Notices of refusal have to be approved by an executive director of the CBB. The applicant has 30 calendar days from the date of the notice in which to make written representation as to why his application should not be refused. The CBB then has 30 calendar days from the date of receipt of those representations to reconsider the evidence submitted and make a final determination, pursuant to Article 53 of the CBB Law and Module EN (Enforcement).

                    January 2014

                  • GR-4.4.3

                    Pursuant to Article 56 of the CBB Law, where a person has become a controller by virtue of his shareholding in contravention of Paragraph GR-4.1.1, or a notice of refusal has been served to him under Paragraph GR-4.4.1 and the period of appeal has expired, the CBB may, by notice in writing served on the person concerned, direct that his shareholding shall be transferred or until further notice, no voting right shall be exercisable in respect of those shares.

                    January 2014

                  • GR-4.4.4

                    Article 56 of the CBB Law empowers the CBB to request a court of law to take appropriate precautionary measures, or sell such shares mentioned in Paragraph GR-4.4.3, if the licensee fails to carry out the order referred to in the preceding Paragraph.

                    January 2014

              • GR-5 GR-5 Close Links

                • GR-5.1 GR-5.1 Key Provisions

                  • GR-5.1.1

                    Condition 3 of the CBB's licensing conditions specifies, amongst other things, that licensees must satisfy the CBB that their close links do not prevent the effective supervision of the licensee and otherwise pose no undue risks to the licensee. (See Paragraph AU-2.3.1).

                    January 2014

                  • GR-5.1.2

                    Applicants for a license must provide details of their close links, as provided for under Form 1 (Application for a License). (See Paragraphs AU-4.1.1 and AU-4.1.4 (f)).

                    January 2014

                  • GR-5.1.3

                    Licensees must submit to the CBB, within 3 months of their financial year-end, a report on their close links (See Subparagraph BR-1.1.3(g)). The report must identify all undertakings closely linked to the licensee, as defined in Section GR-5.2.

                    January 2014

                  • GR-5.1.4

                    Licensees may satisfy the requirement in Paragraph GR-5.1.3 by submitting a corporate structure chart, identifying all undertakings closely linked to the licensee.

                    January 2014

                  • GR-5.1.5

                    Licensees must provide information on undertakings with which they are closely linked, as requested by the CBB.

                    January 2014

                • GR-5.2 GR-5.2 Definition of Close Links

                  • GR-5.2.1

                    A licensee ('L') has close links with another undertaking ('U'), if:

                    (a) U is a parent undertaking of L;
                    (b) U is a subsidiary undertaking of L;
                    (c) U is a subsidiary undertaking of a parent undertaking of L;
                    (d) U, or any other subsidiary undertaking of its parent, owns or controls 20% or more of the voting rights or capital of L; or
                    (e) L, any of its parent or subsidiary undertakings, or any of the subsidiary undertakings of its parent, owns or controls 20% or more of the voting rights or capital of U.
                    January 2014

                • GR-5.3 GR-5.3 Assessment Criteria

                  • GR-5.3.1

                    In assessing whether a licensee's close links may prevent the effective supervision of the firm, or otherwise poses no undue risks to the licensee, the CBB takes into account the following:

                    (a) Whether the CBB will receive adequate information from the licensee, and those with whom the licensee has close links, to enable it to determine whether the licensee is complying with CBB requirements;
                    (b) The structure and geographical spread of the licensee, its group and other undertakings with which it has close links, and whether this might hinder the provision of adequate and reliable flows of information to the CBB, for instance because of operations in territories which restrict the free flow of information for supervisory purposes; and
                    (c) Whether it is possible to assess with confidence the overall financial position of the group at any particular time, and whether there are factors that might hinder this, such as group members having different financial year ends or auditors, or the corporate structure being unnecessarily complex and opaque.
                    January 2014

              • GR-6 GR-6 Cessation of Business

                • GR-6.1 GR-6.1 CBB Approval

                  • GR-6.1.1

                    As specified in Article 50 of the CBB Law, a licensee wishing to cease to provide or suspend any or all of the licensed regulated services of its operations and/or liquidate its business must obtain the CBB's prior approval.

                    January 2014

                  • GR-6.1.2

                    Licensees must notify the CBB in writing at least six months in advance of their intended suspension of any or all the licensed regulated services or cessation of business, setting out how they propose to do so and, in particular, how they will treat any of their liabilities.

                    January 2014

                  • GR-6.1.3

                    If the licensee wishes to liquidate its business, the CBB will revise its license to restrict the firm from entering into new business. The licensee must continue to comply with all applicable CBB requirements until such time as it is formally notified by the CBB that its obligations have been discharged and that it may surrender its license.

                    January 2014

                  • GR-6.1.4

                    A licensee in liquidation must continue to meet its contractual and regulatory obligations to its clients and creditors.

                    January 2014

                  • GR-6.1.5

                    Once the licensee believes that it has discharged substantially all its remaining contractual obligations to clients and creditors, it must publish a notice in two national newspapers in Bahrain approved by the CBB (one being in English and one in Arabic), stating that it has settled all its dues and wishes to leave the market. According to Article 50 of the CBB Law, such notice shall be given after receiving the approval of the CBB, not less than 30 days before the actual cessation is to take effect.

                    January 2014

                  • GR-6.1.6

                    The notice referred to in Paragraph GR-6.1.5 must include a statement that written representations concerning the liquidation may be sent to the CBB before a specified day, which shall not be later than thirty days after the day of the first publication of the notice. The CBB will not decide on the application until after considering any representations made to the CBB before the specified day.

                    January 2014

                  • GR-6.1.7

                    If no objections to the liquidation are upheld by the CBB, then the CBB may issue a written notice of approval for the surrender of the license.

                    January 2014

                  • GR-6.1.8

                    Upon satisfactorily meeting the requirements set out in GR-6.1., the licensees must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its commercial registration from the Ministry of Industry, Commerce and Tourism.

                    Amended: April 2020
                    Added: October 2016

          • Business Standards

            • CA CA Microfinance Institutions Capital Adequacy and Liquidity Requirements Module

              • CA-A CA-A Introduction

                • CA-A.1 CA-A.1 Purpose

                  • Executive Summary

                    • CA-A.1.1

                      The purpose of this module is to set out the CBB's regulations for minimum capital requirements. This requirement is supported by Article 44(c) of the Central Bank of Bahrain and Financial Institutions Law 2006 (CBB Law).

                      January 2014

                    • CA-A.1.2

                      Principle 9 of the Principles of Business requires that microfinance institution licensees maintain adequate human, financial and other resources, sufficient to run their business in an orderly manner (see Section PB-1.9). In addition, Condition 5 of the CBB's Authorised Conditions (Section AU-2.5) requires microfinance institution licensees to maintain financial resources in excess of the minimum requirements specified in this Module.

                      January 2014

                    • CA-A.1.3

                      This Module sets out the minimum capital requirements which microfinance institution licensees must meet as a condition of their licensing.

                      January 2014

                    • CA-A.1.4

                      The purpose of these requirements is to ensure that microfinance institution licensees hold sufficient financial resources to provide some protection against unexpected losses.

                      January 2014

                    • CA-A.1.5

                      The CBB requires that microfinance institution licensees maintain adequate capital in accordance with the requirements of this Module, against their risks.

                      January 2014

                  • Legal Basis

                    • CA-A.1.6

                      This Module contains the CBB's Directive relating to the capital requirements and gearing of microfinance institution licensees, and is issued under the powers available to the CBB under Article 38 of the CBB Law. The Directive in this Module is applicable to all microfinance institution licensees.

                      January 2014

                • CA-A.2 CA-A.2 Module History

                  • Evolution of Module

                    • CA-A.2.1

                      This Module was first issued in January 2014 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made. Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      January 2014

                    • CA-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      CA-1.1.4 and CA-1.1.5 10/2014 Updated capital requirements to be aligned with the term and definition of 'core capital'.
                      CA-1.1.3 01/2019 Amended minimum Capital Adequacy ratio.
                      CA-1.1.4 01/2019 Amended Paragraph defining Capital Adequacy ratio.
                      CA-1.1.5A 01/2019 Added a new Paragraph on risk weighted asset items.
                      CB-1.1.5B 01/2019 Added a new Paragraph on claims on banks.
                      CB-1.1.5C 01/2019 Added a new Paragraph on short-term claims.
                      CA-1.1.6 01/2019 Amended Paragraph on maintaining minimum CAR.
                      CA-1.1.7 01/2019 Amended Paragraph.
                      CA-1.1.8 01/2019 Amended guidance and changed to Rule.
                      CA-1.1.9 01/2019 Amended Paragraph.
                      CA-1.1.1 04/2019 Amended the minimum capital required.

              • CA-B CA-B Scope of Application

                • CA-B.1 CA-B.1 Scope of Application

                  • CA-B.1.1

                    This Module is applicable to all microfinance institution licensees (authorised in the Kingdom, thereafter referred to in this Module as licensees).

                    January 2014

              • CA-1 CA-1 Regulatory Capital and Liquidity

                • CA-1.1 CA-1.1 Capital Requirements

                  • Minimum Capital Requirement

                    • CA-1.1.1

                      A licensee must maintain at all times a minimum paid-up capital of BD 2 million provided by the shareholders/promoters and/or through grants and donations. A greater amount of capital may be required by the CBB on a case-by-case basis.

                      Amended: April 2019
                      January 2014

                    • CA-1.1.2

                      In addition to the requirements of Paragraph CA-1.1.1, the CBB may require that an acceptably worded letter of guarantee be provided. The CBB may seek a letter of guarantee from controllers.

                      January 2014

                  • Capital Adequacy Ratio (CAR)

                    • CA-1.1.3

                      In addition to the requirements outlined in Paragraphs CA-1.1.1 and CA-1.2.1, all licensees must maintain a minimum Capital Adequacy Ratio of 12%.

                      Amended: January 2019
                      January 2014

                    • CA-1.1.4

                      For purposes of Paragraph CA-1.1.3, the capital adequacy ratio is defined as the total core capital divided by the risk weighted assets.

                      Amended: January 2019
                      Amended: October 2014
                      January 2014

                    • CA-1.1.5

                      For purposes of Paragraph CA-1.1.4, total core capital refers to:

                      (a) Issued and fully paid ordinary shares (net of treasury shares);
                      (b) Retained earnings (losses) brought forward, including interim profits/losses; and
                      (c) All disclosed reserves brought forward, that are audited and approved by the shareholders, in the form of legal, general and other reserves created by appropriations of retained earnings;
                      LESS:
                      (d) Other deductions, as specified by the CBB.
                      Amended: October 2014
                      January 2014

                    • CA-1.1.5A

                      For the purpose of Paragraph CA-1.1.4, the asset items must be risk weighted as follows:

                      (a) Cash and treasury bills in BD or in US$: 0%;
                      (b) Claims on banks (See CA-1.1.5B);
                      (c) Microfinance credit facilities: 75%;
                      (d) Investments: 100%; and
                      (e) Other assets: 100%.
                      Added: January 2019

                  • Claims on Banks

                    • CA-1.1.5B

                      Claims on banks must be risk weighted as given in the following table. No claim on an unrated bank may receive a risk weight lower than that applied to claims on its sovereign of incorporation.

                      Banks Credit Quality Grades AAA to AA- A+ to A- BBB+ to BBB- BB+ to B- Below B- Un-rated
                      ECAI 1 ECAI 2 ECAI 3 ECAI 4 ECAI 5 -
                      Standard risk weights 20% 50% 50% 100% 150% 50%
                      Added: January 2019

                    • CA-1.1.5C

                      Short-term claims on locally incorporated banks may be assigned a risk weighting of 20% where such claims on the banks are of an original maturity of 3 months or less denominated and funded in either BD or US dollar.

                      Added: January 2019

                    • CA-1.1.6

                      Licensees must ensure that at all times they maintain the minimum CAR outlined in Paragraph CA-1.1.3. In the event that the licensee does not comply with the minimum CAR requirement, it must notify the CBB by no later than the following business day of the actual level of the CAR. When providing such notification, the licensee must:

                      (a) Provide to the CBB, within one week of the non-compliance, a written action plan setting out how the licensee proposes to restore its CAR to the required minimum level and describe the systems and controls that have been put in place to prevent any future non-compliance of the minimum CAR; and
                      (b) Report to the CBB on a monthly basis or on another timely basis as required by the CBB, the licensee's CAR until such time as the CAR has reached 12.5% or other target level as specified by the CBB.
                      Amended: January 2019
                      January 2014

                    • CA-1.1.7

                      Licensees should note that the CBB considers the breach of the minimum CAR requirement to be a very serious matter. Consequently, the CBB may (at its discretion) subject a licensee which breaches its minimum CAR requirement to a formal enforcement action.

                      Amended: January 2019
                      January 2014

                  • Deleted

                  • Compliance Officer

                    • CA-1.1.8

                      Compliance officers must ensure that the licensee has adequate internal systems and controls to comply with this Module.

                      Amended: January 2019
                      January 2014

                  • Reporting Requirements

                    • CA-1.1.9

                      The licensee must report its capital level and CAR to the CBB in accordance with the requirements outlined in Chapter BR-1.

                      Amended: January 2019
                      January 2014

                • CA-1.2 CA-1.2 Liquidity Requirements

                  • CA-1.2.1

                    A licensee's net liquid assets must be held in a form acceptable to the CBB, in a minimum amount of three months estimated expenditures including salaries, rent, general utilities and other operating costs.

                    January 2014

                  • CA-1.2.2

                    For purposes of Paragraph CA-1.2.1, net liquid assets comprise of unencumbered cash, cash equivalents, treasury bills, and placements and balances with banks maturing within 30 days less any liabilities due within 30 days.

                    January 2014

            • BC BC Microfinance Institutions Business and Market Conduct Module

              • BC-A BC-A Introduction

                • BC-A.1 BC-A.1 Purpose

                  • BC-A.1.1

                    This Module contains requirements that have to be met by microfinance institution licensees with regards to their dealings with customers. The Rules contained in this Module aim to ensure that microfinance institution licensees deal with their customers in a fair and open manner, and address their customers' information needs.

                    January 2014

                  • BC-A.1.2

                    The Rules build upon several of the Principles of Business (see Module PB (Principles of Business)). Principle 1 (Integrity) requires microfinance institution licensees to observe high standards of integrity and fair dealing, and to be honest and straightforward in their dealings with customers. Principle 3 (Due skill, care and diligence) requires microfinance institution licensees to act with due skill, care and diligence when acting on behalf of their customers. Principle 7 (Client Interests) requires microfinance institution licensees to pay due regard to the legitimate interests and information needs of their customers, and to communicate with them in a fair and transparent manner.

                    January 2014

                  • Legal Basis

                    • BC-A.1.3

                      This Module contains the CBB's Directive (as amended from time to time) on business conduct by microfinance institution licensees, and is issued under the powers available to the CBB under Article 38 of the CBB Law. The Directive in this Module is applicable to all microfinance institution licensees.

                      January 2014

                    • BC-A.1.4

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      January 2014

                • BC-A.2 BC-A.2 Module History

                  • BC-A.2.1

                    This Module was first issued in January 2014 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    January 2014

                  • BC-A.2.2

                    A list of recent changes made to this Module is provided below:

                    Module Ref. Change Date Description of Changes
                    BC-2.3.14 04/2020 Amended Paragraph adding reference to CBB consumer protection.
                    BC-2.5.6 04/2020 Amended Paragraph adding reference to CBB consumer protection.
                    BC-2.7.1 -
                    BC-2.7.3
                    04/2020 Amended Paragraphs adding reference to CBB consumer protection.
                    BC-C 10/2020 Added a new Chapter on Provision of Financial Services on a Non-discriminatory Basis.
                    BC-1.4.6 07/2021 Amended Paragraph.
                    BC-1.8.1 07/2021 Deleted Paragraph.
                    BC-1.8.2 07/2021 Deleted Paragraph.
                    BC-2.7.1 01/2022 Amended Paragraph on submission of quarterly report on complaints.

                  • Superseded Requirements

                    • BC-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                      Document Ref. Document Subject
                      Volumes 1 and 2 Module BC
                         
                      January 2014

              • BC-B BC-B Scope of Application

                • BC-B.1 BC-B.1 Scope

                  • BC-B.1.1

                    This Module applies to all microfinance institution licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

                    January 2014

              • BC-C BC-C Provision of Financial Services on a Non-discriminatory Basis

                • BC-C.1 BC-C.1 Provision of Financial Services on a Non-discriminatory Basis

                  • BC-C.1.1

                    Microfinance institution licensees must ensure that all regulated financial services are provided without any discrimination based on gender, nationality, origin, language, faith, religion, physical ability or social standing.

                    Added: October 2020

              • BC-1 BC-1 Best Practices for Microfinance Institutions

                • BC-1.1 BC-1.1 General Rules

                  • BC-1.1.1

                    Licensees must comply with the best practices throughout the lifetime of their relationship with a customer. Chapter BC-1 sets out the minimum standards for microfinance institutions to follow when providing micro-credit and other services on which fees and/or interest (profit margin in case of Shari'a compliant micro-finance) are payable by customers in the Kingdom of Bahrain.

                    January 2014

                  • BC-1.1.2

                    This Chapter applies where any licensee provides to a borrower any type of financial product creating a creditor relationship (including Shari'a compliant credit facilities of all types).

                    January 2014

                  • BC-1.1.3

                    Licensees must put in place appropriate measures across all their business operations and distribution channels to ensure compliance with the requirements of this Chapter, where relevant. Licensees must maintain adequate records to demonstrate compliance with this Chapter.

                    January 2014

                  • BC-1.1.4

                    The CBB may, from time to time, ask the compliance officer to report on the licensee's record of adherence to the requirements of Module BC.

                    January 2014

                  • BC-1.1.5

                    Licensees should implement the requirements of Module BC and ensure that their staff is fully familiar with these.

                    January 2014

                • BC-1.2 BC-1.2 Overarching Principles

                  • BC-1.2.1

                    The six overarching principal commitments are:

                    (a) Licensees must act fairly and reasonably in all dealings with customers;
                    (b) Licensees must make sure that all advertising and promotional material relating to microfinance facilities, credit and charging is clear and not misleading in any way;
                    (c) Licensees must give clear information and provide clear documentation about products and services they offer, including the application procedures, terms & conditions, interest/profit rates and breakdown of charges that apply;
                    (d) Licensees must provide their customers with regular statements;
                    (e) Licensees must inform their customers about any changes to the terms and conditions of the contract prior to the change taking place. It is the duty of the customer to inform the licensee of changes in contact address immediately; and
                    (f) Licensees must deal sympathetically with cases of genuine financial difficulty and treat all customer personal information as private and confidential.
                    January 2014

                • BC-1.3 BC-1.3 Identification of Customer Requirements

                  • BC-1.3.1

                    For each new (or potentially new) customer, licensees should:

                    (a) Give transparent and factual information on the key features and benefits of the credit facility the customer is interested in;
                    (b) Advise customers on the various delivery channels of products (e.g. through the internet, over the phone, in different branches, etc.) and tell customers how they can find out more about such products; and
                    (c) Prior to granting the credit facility, the licensee will inform the customer of applicable details and the criteria for provision of a credit facility.
                    January 2014

                • BC-1.4 BC-1.4 Disclosure of Charges

                  • BC-1.4.1

                    In order to improve customer awareness and enhance transparency of licensee's charging structures, licensees must display in a prominent position, in Arabic and in English, by notice in their offices (both head office and branches), a list of all current charges.

                    January 2014

                  • BC-1.4.2

                    Licensees must also ensure that each customer is in receipt of their current list of charges and must display these on their websites. The list must specify standard charges that will be applied by the licensee to individual services and transactions.

                    January 2014

                  • Credit Agreements

                    • BC-1.4.3

                      A licensee must make available, at their premises, information leaflets containing information in respect of all credit agreements including the Annual Percentage Rate (APR) as defined in Paragraph BC-1.4.10.

                      January 2014

                    • BC-1.4.4

                      For the purpose of this Section, the following definitions apply:

                      (a) Conspicuous notice – Means a written statement in both Arabic and English languages which is easily visible and legible and displayed in all licensees' premises open to the public (head offices and branches), and via means such as websites, newspapers and other press notices;
                      (b) Nominal annual rate – Means the interest/profit rate charged to the customer, calculated by dividing the amount of the total interest/profit by the amount of the funds provided to the customer and excluding any other charges, the results of which is divided by the number of years or part thereof, of the term of the credit agreement;
                      (c) Outstanding credit amount – Means the amount outstanding under a credit agreement representing the amount of funds provided to the customer and any other charges that are included as part of the principal amount to be repaid by the customer over the duration of the agreement less any repayment made related to the principal amount at a specified date; and
                      (d) Principal – Means the amount of credit received plus any other charges, the total of which is subject to interest/profit.
                      January 2014

                  • General Rules

                    • BC-1.4.5

                      Where a customer has a credit agreement with a licensee, licensees must:

                      (a) Duly inform their customers in accordance with this Module about the nature and the characteristics (including relevant risks) of the credit agreements and services offered by them, and about the terms and conditions governing such agreements;
                      (b) Periodically inform, in writing, their customers on the evolution and the terms of any credit agreement signed, throughout the duration of the contract (refer to Paragraph BC-1.4.17);
                      (c) Respond in due time, to customers' requests for the provision of information and clarifications regarding the application of contractual terms (refer to Paragraphs BC-1.4.21 and BC-1.4.22);
                      (d) Appoint a customer complaints officer and publicise his/her contact details (refer to Chapter BC-2 on Customer Complaints Procedures);
                      (e) Ensure the proper training of employees involved in interfacing and providing specific information to customers;
                      (f) Disclose information required in this Module the credit agreement in both Arabic & English languages;
                      (g) Show clearly the APR on the credit agreement application and 'key terms disclosure' document; and
                      (h) Disclose all information in a clear and readable form (refer to Paragraph BC-1.4.6).
                      January 2014

                    • BC-1.4.6

                      Marketing of customer credit agreements, advertising and sales promoting credit agreements, irrespective of the media used (SMS, Internet, printed material, telephone solicitation) must be clear and understandable, must be true and not misleading and meet the basic customer information requirements as defined in this Module. Licensees are also asked to take special care to ensure that the content of any advertising material does not mislead or deceive the public in any way.

                      Amended: July 2021
                      January 2014

                    • BC-1.4.7

                      The use of "small print" to make potentially important information less visible is not compatible with good business conduct, and should be avoided.

                      January 2014

                  • Minimum Disclosure Requirements

                    • BC-1.4.8

                      Licensees must make:

                      (a) Public disclosure regarding credit agreements; and
                      (b) Disclosures to customers, whether these be during the course of the initial negotiation of the credit agreement or during the term of the facility being offered.
                      January 2014

                  • Public Disclosure Requirements for all Credit Agreements

                    • BC-1.4.9

                      The following public disclosures must be made by conspicuous notice for all types of credit agreements:

                      (a) Any obligation on the part of the customer to open a deposit account with a retail bank as a condition of granting the credit agreement;
                      (b) Administration fees;
                      (c) Pre-payment charges;
                      (d) Late payment fees;
                      (e) Insurance; and
                      (f) Any other charges not included above.
                      January 2014

                  • Additional Public Disclosure for Credit Facilities

                    • BC-1.4.10

                      In addition to the requirements under Paragraph BC-1.4.9, licensees must publicly disclose by conspicuous notice for credit facilities:

                      (a) The current Annual Percentage Rate (APR) as calculated using the APR methodology in Paragraph BC-1.4.23. The APR displayed must be calculated based on the following scenarios. Amount borrowed is BD3,000 for a 1-year term;
                      (b) The Annual Percentage Rate (APR), must be broken down as follows:
                      (i) The annual nominal interest/profit rate payable;
                      (ii) Administration/handling fees;
                      (iii) In the case of finance lease contracts/ijara or deferred purchase contracts, any fees for purchasing the asset; and
                      (iv) Any other mandatory charges (contingent costs are excluded); and
                      (c) The terms and conditions for early repayment, partial or full, of the credit agreement, or for any change in the terms and covenants of the credit agreement, as well as any relevant charges (where permitted) and the way in which these are calculated
                      January 2014

                    • BC-1.4.11

                      The APR is a standard measure that allows customers to compare total charges for instalment financing facilities on a like-for-like basis. The APR allows the customer to compare the total charge for credit over differing periods (e.g. – two versus three years) or offered by different retail banks with differing payment profiles and taking into account the payment of any other fees payable as a condition of the contract, such as administration fees or insurance premiums.

                      January 2014

                    • BC-1.4.12

                      Any advertising through any media means of credit facilities, offered by the licensees must specify only the APR (including all fees and charges) and no other rates, i.e. nominal, base, flat or rates by any other names.

                      January 2014

                  • Disclosure to Customers: Initial Disclosure Requirements of Key Terms

                    • BC-1.4.13

                      Licensees must make clear to potential customers, prior to entering into a credit agreement, all relevant key terms of the agreement in the credit application and 'key terms disclosure' document, in order for them to clearly understand the characteristics of the services and products on offer.

                      January 2014

                    • BC-1.4.14

                      The above 'key terms disclosure' document must be summarised in plain English and Arabic. This document must be signed and dated by the customer(s) in duplicate as having been read and understood, prior to signing a credit agreement. One copy should be retained by the customer and the other must be retained by the licensee in their customer file.

                      January 2014

                    • BC-1.4.15

                      In addition to the initial disclosure of key terms noted in Paragraphs BC-1.4.13 and BC-1.4.14, the "key terms disclosure" document must, amongst other things, make clear:

                      (a) The detailed breakdown of the payments:
                      (i) The principal amount being borrowed and the maturity of the credit agreement;
                      (ii) The net amount provided to the customer after deducting or applying any upfront or other charges;
                      (iii) The total interest/profit payments and principal repayment for the term of the credit agreement; and
                      (iv) The total administration/handling fees and all details of any other fees and charges spread over the term of the credit agreement;
                      (b) The APR and the nominal annual rate as defined in Paragraphs BC-1.4.10 and BC-1.4.4(b) respectively;
                      (c) Whether the rate of interest/profit is fixed or can be varied, and under what circumstances;
                      (d) The basis on which interest/profit is charged (e.g. actual reducing balance) and applied to the account (e.g. monthly or quarterly compounding) and whether principal repayments are taken into account in the calculation, together with an illustration of the calculation method;
                      (e) The detailed costs associated with "top-ups" of credit agreements or other alternative arrangements for extending additional credit or early repayments, whether partial or full, of amounts due including the treatment of remaining interest/profit and the payment of premium for insurance;
                      (f) Any late payment charges; and
                      (g) Any other charges related to the credit agreement not included above, all details of which must be provided to the customer.
                      January 2014

                    • BC-1.4.16

                      Licensees are free to design the layout and wording to be used in their 'key terms disclosure' document, as they see fit, providing they contain the information specified in Paragraph BC-1.4.15. The CBB will monitor compliance with the spirit as well as the letter of the requirements in this Chapter.

                      January 2014

                  • Disclosure to Customers: During the Term of the Credit Agreement

                    • BC-1.4.17

                      Licensees must give information on the payment schedule of the credit agreement, including interest/profit and other charges. Information must be given, free of charge, at least every three months.

                      January 2014

                  • Variation Disclosures Requirements

                    • BC-1.4.18

                      Licensees must disclose to the customer in advance, either collectively or individually, all relevant changes or variations to a credit agreement. The circumstances in which a customer must be provided with variation disclosures are:

                      (a) If both the licensee and customer agree to change the credit agreement; in this case, the customer must be provided in writing with full particulars of the change, at least seven calendar days before it takes effect; and
                      (b) If the credit agreement gives the licensee power to vary fees or charges, the amount or timing of payments, the interest/profit rate or the way interest/profit is calculated, and the licensee decides to exercise that power, the customer must be provided with full particulars of the change, including an updated schedule of the total interest/profit payments and principal repayment for the remaining term of the credit agreement, at least thirty calendar days prior to the date the change takes effect. Such notice is to enable the customer to decide whether to accept the new terms or terminate the agreement by settling the outstanding credit amount, in accordance with relevant provisions therein, which must have been stated in a clear and understandable manner.
                      January 2014

                    • BC-1.4.19

                      Any increase of the interest/profit rate or the amount of any fee or charge payable under a credit agreement, must be disclosed publicly, by conspicuous notice, at least thirty calendar days prior to the date the change takes effect by:

                      (a) Displaying the information prominently at the licensee's place of business; and
                      (b) Posting the information on the licensee's website.
                      January 2014

                    • BC-1.4.20

                      Any deferral of interest/profit or principal announced by the licensee must also take account of the APR methodology as shown in Paragraphs BC-1.4.23 to BC-1.4.25, and the new APR must be given to the customer or made public in advertisements.

                      January 2014

                  • Request Disclosure

                    • BC-1.4.21

                      The licensee must provide a reply to any request for disclosure within fifteen business days of receiving the request.

                      January 2014

                    • BC-1.4.22

                      Disclosures requested by the customer may include but are not limited to any or all of the following information about a credit agreement:

                      (a) The effect of part prepayment on the customer's obligations;
                      (b) Full particulars of any changes to the agreement since it was made;
                      (c) The amount of any fee payable on part prepayment and how the fee will be calculated;
                      (d) The amount required for full prepayment on a specified date and how the amount will be calculated;
                      (e) The outstanding credit amount, including any outstanding interest/profit charge (calculated at the date the disclosure statement is prepared);
                      (f) The amount of payments made or to be made or the method of calculating the amount of those payments;
                      (g) The number of payments made or to be made (if ascertainable);
                      (h) How often payments are to be made;
                      (i) The total amount of payments to be made under the agreement, if ascertainable; and
                      (j) A copy of any disclosure statement that was or should have been provided before the request was made.
                      January 2014

                    • BC-1.4.23

                      The APR must be calculated using the following methodology:

                      January 2014

                    • BC-1.4.24

                      The meaning of letters and symbols used in the above formula are:

                      K is the number identifying a particular advance of credit;
                      K' is the number identifying a particular instalment;
                      Ak is the amount of advance K;
                      A'k' is the amount of instalment K;
                      Σ represents the sum of all the terms indicated;
                      m is the number of advances of credit;
                      m' is the total number of instalments;
                      tk is the interval, expressed in years between the relevant date and the date of advance K;
                      tk' is the interval expressed in years between the relevant date and the date of instalment K';
                      i is the APR, expressed as a decimal.
                      January 2014

                    • BC-1.4.25

                      For the purpose of this Chapter, the 'relevant date' is the earliest identifiable date on which the borrower is able to acquire anything which is the subject of the agreement (e.g. delivery of goods), or otherwise the 'relevant date' is the date on which the credit agreement is made.

                      January 2014

                • BC-1.5 BC-1.5 Repayment Assessment

                  • BC-1.5.1

                    Before a licensee provides a credit facility, it must assess whether the customer will be able to repay, given its knowledge of the customer's current circumstances.

                    January 2014

                • BC-1.6 BC-1.6 Financial Difficulties

                  • BC-1.6.1

                    Licensees should deal sympathetically with cases of genuine financial difficulty and treat all customer personal information as private and confidential.

                    January 2014

                  • BC-1.6.2

                    Licensees should always endeavour to discuss financial difficulties with their customers before taking any legal measures.

                    January 2014

                  • BC-1.6.3

                    Where possible, licensees should consider alternative arrangements to enable customers to overcome their repayment difficulties.

                    January 2014

                  • BC-1.6.4

                    Licensees should provide customers with a minimal level of counseling on debt problems.

                    January 2014

                • BC-1.7 BC-1.7 Disclosure of Information about Individual Accounts

                  • BC-1.7.1

                    In accordance with Article 117 of the CBB Law, licensees must not publish or release information to third parties concerning the accounts or activities of their individual customers, unless:

                    (a) Such information is requested by an authorised official from the CBB or by an order from the Courts;
                    (b) The release of such information is approved by the customer concerned; or
                    (c) It is in compliance with the provision of the law or any international agreements to which the Kingdom is a signatory.
                    January 2014

                • BC-1.8 BC-1.8 Advertisements for Microfinance Products and Services

                  • BC-1.8.1

                    [This Paragraph was deleted in July 2021].

                    Deleted: July 2021
                    January 2014

                  • BC-1.8.2

                    [This Paragraph was deleted in July 2021].

                    Deleted: July 2021
                    January 2014

              • BC-2 BC-2 Customer Complaints Procedures

                • BC-2.1 BC-2.1 General Requirements

                  • BC-2.1.1

                    All licensees must have appropriate customer complaints handling procedures and systems for effective handling of complaints made by customers.

                    January 2014

                  • BC-2.1.2

                    Customer complaints procedures must be documented appropriately and their customers must be informed of their availability.

                    January 2014

                  • BC-2.1.3

                    All licensees must appoint a customer complaints officer and publicise his/her contact details at all departments and branches and on the licensee's website. The customer complaints officer must be of a senior level at the licensee and must be independent of the parties to the complaint to minimise any potential conflict of interest.

                    January 2014

                • BC-2.2 BC-2.2 Documenting Customer Complaints Handling Procedures

                  • BC-2.2.1

                    In order to make customer complaints' handling procedures as transparent and accessible as possible, all licensees must document their customer complaints handling procedures. These include setting out in writing:

                    (a) The procedures and policies for:
                    (i) Receiving and acknowledging complaints;
                    (ii) Investigating complaints;
                    (iii) Responding to complaints within appropriate time limits;
                    (iv) Recording information about complaints;
                    (v) Identifying recurring system failure issues;
                    (b) The types of remedies available for resolving complaints; and
                    (c) The organisational reporting structure for the complaints handling function.
                    January 2014

                  • BC-2.2.2

                    Licensees must provide a copy of the procedures to all relevant staff, so that they may be able to inform customers. A simple and easy-to-use guide to the procedures must also be made available to all customers, on request, and when they want to make a complaint.

                    January 2014

                  • BC-2.2.3

                    Licensees are required to ensure that all financial services related documentation (such as credit facility documentation) provided to the customer includes a statement informing the customer of the availability of a simple and easy-to-use guide on customer complaints procedures in the event the customer is not satisfied with the services provided.

                    January 2014

                • BC-2.3 BC-2.3 Principles for Effective Handling of Complaints

                  • BC-2.3.1

                    Adherence to the following principles is required for effective handling of complaints:

                    January 2014

                  • Visibility

                    • BC-2.3.2

                      "How and where to complain" must be well publicised to customers and other interested parties, in both English and Arabic languages.

                      January 2014

                  • Accessibility

                    • BC-2.3.3

                      A complaints handling process must be easily accessible to all customers and must be free of charge.

                      January 2014

                    • BC-2.3.4

                      While a licensee's website is considered an acceptable mean for dealing with customer complaints, it should not be the only means available to customers as not all customers have access to the internet.

                      January 2014

                    • BC-2.3.5

                      Process information must be readily accessible and must include flexibility in the method of making complaints.

                      January 2014

                    • BC-2.3.6

                      Support for customers in interpreting the complaints procedures must be provided, upon request.

                      January 2014

                    • BC-2.3.7

                      Information and assistance must be available on details of making and resolving a complaint.

                      January 2014

                    • BC-2.3.8

                      Supporting information must be easy to understand and use.

                      January 2014

                  • Responsiveness

                    • BC-2.3.9

                      Receipt of complaints must be acknowledged in accordance with Section BC-2.5 "Response to Complaints".

                      January 2014

                    • BC-2.3.10

                      Complaints must be addressed promptly in accordance with their urgency.

                      January 2014

                    • BC-2.3.11

                      Customers must be treated with courtesy.

                      January 2014

                    • BC-2.3.12

                      Customers must be kept informed of the progress of their complaint, in accordance with Section BC-2.5.

                      January 2014

                    • BC-2.3.13

                      If a customer is not satisfied with a licensee's response, the licensee must advise the customer on how to take the complaint further within the organisation.

                      January 2014

                    • BC-2.3.14

                      In the event that they are unable to resolve a complaint, licensees must outline the options that are open to that customer to pursue the matter further, including, where appropriate, referring the matter to the Consumer Protection Unit at the CBB.

                      Amended: April 2020
                      Added: January 2014

                  • Objectivity and Efficiency

                    • BC-2.3.15

                      Complaints must be addressed in an equitable, objective, unbiased and efficient manner.

                      January 2014

                    • BC-2.3.16

                      General principles for objectivity in the complaints handling process include:

                      (a) Openness:
                      The process must be clear and well publicised so that both staff and customers can understand;
                      (b) Impartiality:
                      (i) Measures must be taken to protect the person the complaint is made against from bias;
                      (ii) Emphasis must be placed on resolution of the complaint not blame; and
                      (iii) The investigation must be carried out by a person independent of the person complained about;
                      (c) Accessibility:
                      (i) The licensee must allow customer access to the process at any reasonable point in time; and
                      (ii) A joint response must be made when the complaint affects different participants;
                      (d) Completeness:
                      The complaints officer must find relevant facts, talk to both sides, establish common ground and verify explanations wherever possible;
                      (e) Equitability:
                      Give equal treatment to all parties;
                      (f) Sensitivity:
                      Each complaint must be treated on its merits and paying due care to individual circumstances;
                      (g) Objectivity for personnel – complaints handling procedures must ensure those complained about are treated fairly which implies:
                      (i) Informing them immediately and completely on complaints about performance;
                      (ii) Giving them an opportunity to explain and providing appropriate support;
                      (iii) Keeping them informed of the progress and result of the complaint investigation;
                      (iv) Full details of the complaint are given to those the complaint is made against prior to interview; and
                      (v) Personnel must be assured they are supported by the process and should be encouraged to learn from the experience and develop a better understanding of the complaints process;
                      (h) Confidentiality:
                      (i) In addition to customer confidentiality, the process must ensure confidentiality for staff who have a complaint made against them and the details must only be known to those directly concerned;
                      (ii) Customer information must be protected and not disclosed, unless the customer consents otherwise; and
                      (iii) Protect the customer and customer's identity as far as is reasonable to avoid deterring complaints due to fear of inconvenience or discrimination;
                      (i) Objectivity monitoring:
                      Licensees must monitor responses to customers to ensure objectivity which could include random monitoring of resolved complaints;
                      (j) Charges:
                      The process must be free of charge to customers;
                      (k) Customer Focused Approach:
                      (i) Licensees must have a customer focused approach;
                      (ii) Licensees must be open to feedback; and
                      (iii) Licensees must show commitment to resolving problems;
                      (l) Accountability:
                      Licensees must ensure accountability for reporting actions and decisions with respect to complaints handling; and
                      (m) Continual improvement:
                      Continual improvement of the complaints handling process and the quality of products and services must be a permanent objective of the licensee.
                      January 2014

                • BC-2.4 BC-2.4 Internal Complaints Handling Procedures

                  • BC-2.4.1

                    Licensees' internal complaints handling procedures must provide for:

                    (a) The receipt of written complaints;
                    (b) The appropriate investigation of complaints;
                    (c) An appropriate decision-making process in relation to the response to a customer complaint;
                    (d) Notification of the decision to the customer; and
                    (e) The recording of complaints.
                    January 2014

                  • BC-2.4.2

                    Licensees' internal complaints handling procedures must be designed to ensure that:

                    (a) All complaints are handled fairly, effectively and promptly;
                    (b) Recurring systems failures are identified, investigated and remedied;
                    (c) The number of unresolved complaints referred to the CBB is minimised;
                    (d) The employee responsible for the resolution of complaints has the necessary authority to resolve complaints or has ready access to an employee who has the necessary authority; and
                    (e) Relevant employees are aware of the licensee's internal complaint handling procedures and comply with them and receive training periodically to be kept abreast of changes in procedures.
                    January 2014

                • BC-2.5 BC-2.5 Response to Complaints

                  • BC-2.5.1

                    Licensees must acknowledge in writing customer written complaints within 5 working days of receipt.

                    January 2014

                  • BC-2.5.2

                    Licensees must respond in writing to a customer complaint within 4 weeks of receiving the complaint, explaining their position and how they propose to deal with the complaint.

                    January 2014

                  • Redress

                    • BC-2.5.3

                      Licensees should decide and communicate how they propose (if at all) to provide the customer with redress. Where appropriate, the licensee must explain the options open to the customer and the procedures necessary to obtain the redress.

                      January 2014

                    • BC-2.5.4

                      Where a licensee decides that redress in the form of compensation is appropriate, the licensee must provide the complainant with fair compensation and must comply with any offer of compensation made by it which the complainant accepts.

                      January 2014

                    • BC-2.5.5

                      Where a licensee decides that redress in a form other than compensation is appropriate, it must provide the redress as soon as practicable.

                      January 2014

                    • BC-2.5.6

                      Should the customer that filed a complaint not be satisfied with the response received as per Paragraph BC-2.5.2, he can forward the complaint to the Consumer Protection Unit at the CBB within 30 calendar days from the date of receiving the letter.

                      Amended: April 2020
                      Added: January 2014

                • BC-2.6 BC-2.6 Records of Complaints

                  • BC-2.6.1

                    Licensees must maintain a record of all customers' complaints. The record of each complaint must include:

                    (a) The identity of the complainant;
                    (b) The substance of the complaint;
                    (c) The status of the complaint, including whether resolved or not, and whether redress was provided; and
                    (d) All correspondence in relation to the complaint. Such records must be retained by licensees for a period of 5 years from the date of receipt of the complaint.
                    January 2014

                • BC-2.7 BC-2.7 Reporting of Complaints

                  • BC-2.7.1

                    Licensees must submit to the CBB's Consumer Protection Unit, 30 days after the end of the quarter, a quarterly report summarising the following:

                    (a) The number of complaints received;
                    (b) The substance of the complaints;
                    (c) The number of days it took the licensee to acknowledge and to respond to the complaints; and
                    (d) The status of the complaint, including whether resolved or not, and whether redress was provided.
                    Amended: January 2022
                    Amended: April 2020
                    Added: January 2014

                  • BC-2.7.2

                    The report referred to in Paragraph BC-2.7.1 must be sent electronically to complaint@cbb.gov.bh.

                    Amended: April 2020
                    Added: January 2014

                  • BC-2.7.3

                    Where no complaints have been received by the licensee within the quarter, a "nil" report should be submitted to the CBB's Consumer Protection Unit.

                    Amended: April 2020
                    Added: January 2014

                • BC-2.8 BC-2.8 Monitoring and Enforcement

                  • BC-2.8.1

                    Compliance with these requirements is subject to the ongoing supervision of the CBB as well as being part of any CBB inspection of a licensee. Failure to comply with these requirements is subject to enforcement measures as outlined in Module EN (Enforcement).

                    January 2014

            • RM RM Microfinance Institutions Risk Management Module

              • RM-A RM-A Introduction

                • RM-A.1 RM-A.1 Purpose

                  • RM-A.1.1

                    This Module contains requirements relating to the management of risk by microfinance institution licensees.

                    July 2014

                  • RM-A.1.2

                    This Module details the minimum key elements of a sound credit risk management system which the Central Bank of Bahrain ('CBB') requires its microfinance institutions licensees to observe. These minimum requirements reflect the unique environment within which microfinance institutions licensees operate and the range of products which they typically offer. However, the CBB, at its sole discretion, retains the right to impose more stringent requirements and guidelines upon one or more microfinance institution licensees should it consider such action to be in the best interest of the Bahrain financial system at any time.

                    July 2014

                  • RM-A.1.3

                    This Module obliges microfinance institution licensees to identify and document the major risks that they face, and what action will be taken to manage those risks effectively. Effective compliance with this Module will require the risk management framework to be supported by adequate resources and the appropriate tools to identify, monitor and control all material risks.

                    July 2014

                  • RM-A.1.4

                    This Module provides support for certain other parts of the Rulebook, mainly:

                    (a) Principles of Business;
                    (b) The CBB Reporting Requirements;
                    (c) Auditors and Accounting Standards; and
                    (d) High-level Controls.
                    July 2014

                  • Legal Basis

                    • RM-A.1.5

                      This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) relating to the credit and operational risk management of microfinance institution licensees, and is issued under the powers available to the CBB under Article 38 of the CBB Law. The Directive in this Module is applicable to all microfinance institutions licensees.

                      July 2014

                    • RM-A.1.6

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      July 2014

                • RM-A.2 RM-A.2 Module History

                  • RM-A.2.1

                    This Module was first issued in July 2014 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG 3 provides further details on Rulebook maintenance and version control.

                    July 2014

                  • Summary of Changes

                    • RM-A.2.2

                      The most recent changes made to this Module are detailed in the table below:

                      Module Ref. Change Date Description of Changes
                      RM-4.3.1 10/2017 Amended Paragraph.
                      RM-4.4.3 10/2017 Amended Paragraph.
                      RM-4.5.1(c) 10/2017 Amended sub-sub-Paragraph no. (2).
                      RM-4.5.1(e) 10/2017 Amended sub-sub-Paragraph no. (3).
                      RM-4.5.2 10/2017 Added a new paragraph for security measures related to cloud services.
                      RM-4 07/2022 Replaced Chapter RM-4 with new Outsourcing Requirements.

                  • Superseded Requirements

                    • RM-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                      Document Ref. Document Subject
                      Volumes 1 and 2 Modules CM and OM
                         

              • RM-B RM-B Scope of Application

                • RM-B.1 RM-B.1 Scope

                  • RM-B.1.1

                    This Module applies to all microfinance institution licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

                    July 2014

              • RM-1 RM-1 Risk Management

                • RM-1.1 RM-1.1 General Requirements

                  • Board of Directors

                    • RM-1.1.1

                      The board of directors of licensees must take responsibility for the establishment of an adequate and effective framework for identifying, monitoring and managing risks across all its operations.

                      July 2014

                    • RM-1.1.2

                      The CBB expects the board to be able to demonstrate that it provides suitable oversight and establishes, in relation to all the risks the licensee is exposed to, a risk management framework that includes approving and monitoring policies, systems, tools and controls.

                      July 2014

                    • RM-1.1.3

                      Although authority for the management of a licensee's risks is likely to be delegated to some degree to individuals at all levels of the organisation, the overall responsibility for this activity should not be delegated from its governing body and relevant senior managers.

                      July 2014

                    • RM-1.1.4

                      A licensee's failure to establish an adequate risk management framework to the satisfaction of the CBB will result in it being in breach of Condition 6 of the Licensing Conditions of Section AU-2.6. This failure may result in the CBB withdrawing the licence or imposing other restrictions on the licensee, or the licensee being required to inject more capital.

                      July 2014

                    • RM-1.1.5

                      The board of directors must ensure that there is adequate documentation of the licensee's risk management framework, and that the documentation is reviewed at least annually to ensure the framework continues to meet the needs of the licensee and complies with CBB requirements.

                      July 2014

                  • Senior Management

                    • RM-1.1.6

                      The responsibilities of the senior management of the licensee must include:

                      (a) Implementing the overall risk strategy approved by the Board of Directors;
                      (b) Ensuring that the strategy is implemented consistently throughout the whole organisation;
                      (c) Ensuring that all levels of staff understand their responsibilities with respect to risk management;
                      (d) Ensuring that each member of staff has the requisite knowledge, skills, and understanding of the principles and practices of risk management to discharge their duties effectively; and
                      (e) Developing and implementing policies, processes and procedures for managing risk in all of the licensee's products, activities, processes and systems.
                      July 2014

                  • Systems and Controls

                    • RM-1.1.7

                      The risk management framework of a licensee must describe the systems and controls which are appropriate to their business, so as to identify, measure, mitigate, and monitor risks to which the licensee may be exposed.

                      July 2014

                    • RM-1.1.8

                      The board must ensure that the licensee undertakes a timely review and evaluation of all internal systems and control weaknesses identified by external and/or internal auditors, the risk management function and management, and that actions are implemented to effectively mitigate such control weaknesses.

                      July 2014

                    • RM-1.1.9

                      Licensees must establish mechanisms to verify that controls, once established, are implemented effectively at all times.

                      July 2014

                  • The Role of Internal Audit

                    • RM-1.1.10

                      The internal audit function, which may be outsourced subject to the conditions outlined in Chapter RM-4 must, on an on-going basis, monitor, assess, and evaluate the system of internal controls.

                      July 2014

              • RM-2 RM-2 Credit Risk

                • RM-2.1 RM-2.1 General Requirements

                  • RM-2.1.1

                    Credit risk is the likelihood that a counterparty of the licensee will not meet its obligations in accordance with the agreed terms. The magnitude of the specific credit risk depends on the likelihood of default by the counterparty, and on the potential value of the licensees' contracts with the customer at the time of default. Credit risk largely arises in assets shown on the balance sheet, but it can also show up off the balance sheet in a variety of contingent obligations.

                    July 2014

                  • RM-2.1.2

                    Exposure to credit risk, notably in the form of traditional and Shari'a compliant financing has historically been the most frequent source of risk.

                    July 2014

                  • RM-2.1.3

                    The lack of continuous credit facility supervision and effective internal controls, and/or the failure to identify the application of effective controls and fraud are also sources of risk.

                    July 2014

                • RM-2.2 RM-2.2 Credit Analysis

                  • RM-2.2.1

                    All licensees which provide credit facilities to resident natural or legal persons in Bahrain must become members of the Credit Reference Bureau (CRB). All requests by residents of Bahrain for new credit facilities must be submitted to the CRB.

                    July 2014

                  • RM-2.2.2

                    All CRB members must implement the requirements of Module BC (Business Conduct), in matters such as the protection of confidential customer data (see Section BC-1.7) and payment of enquiry fees.

                    July 2014

                • RM-2.3 RM-2.3 Credit Policy

                  • RM-2.3.1

                    Licensees must have a properly documented credit framework. The framework must include a board approved policy which is supported by appropriate procedures and practices designed to bring professional discipline to the credit granting activities and ensure that credit facilities are granted based on clear and relevant criteria.

                    July 2014

                  • RM-2.3.2

                    It is prudent to review the credit policy regularly to ensure that once it is established, it remains flexible enough to be current and continues to accomplish its original purpose taking into consideration market developments.

                    July 2014

                  • RM-2.3.3

                    A sound credit policy should consider which types of credit products and borrowers the licensee is prepared to accept and the underwriting standards the licensee will utilise.

                    July 2014

                  • RM-2.3.4

                    A licensee's credit policy should address all credit matters of significance including:

                    (a) Objectives of credit monitoring;
                    (b) Organisation and reporting structure of the credit department;
                    (c) The target economic sectors and products;
                    (d) Establishment of a credit limit framework;
                    (e) Guidelines for assessment of concentration;
                    (f) Authorisation procedures for the advancement of credit;
                    (g) Effective oversight and review of all credit facilities;
                    (h) Establishment of desirable pricing levels and criteria; and
                    (i) Problem credit identification, classification and administration.
                    July 2014

                • RM-2.4 RM-2.4 Credit Grading System

                  • RM-2.4.1

                    Licensees must have in place appropriate credit grading systems (sometimes referred to as credit classification systems) to help assess credit quality.

                    July 2014

                  • RM-2.4.2

                    Each licensee must have a credit grading system and provisioning requirements within its credit policy.

                    July 2014

                  • RM-2.4.3

                    Credit facilities must be classified by licensees on an ongoing basis. The classification framework must, at a minimum, include the categories listed below, and licensees must apply provisions (sometimes referred to as "allowances") at or above the minimum levels specified in Paragraph RM-2.4.4. Licensees are free to classify a credit facility in a category which requires a higher level of provisioning if the licensee has information which gives doubt as to the collectability of the facility, even if the concerned credit facility is performing. These standards must also be applied in the case of the suspension of profit and the classification of other non-financing receivables (e.g. fees):

                    (a) 'Standard facilities' are those, which are 'performing' as the contract requires. These facilities are not past due and there is no reason to suspect that the customer's financial condition or the adequacy of collateral has deteriorated in any way;
                    (b) 'Watch-list facilities' are those which show some weaknesses in the customer's (or counterparty's) financial condition or creditworthiness, requiring more than normal attention but not necessarily requiring the allocation of specific provisions (or impairment allowances). 'Watch' could include 'performing' facilities which are not regular in repayment or are regular but there is minor deterioration in the financial position of the customer or counterparty or the underlying collateral. 'Watch' must include any facilities which are less than 90 days overdue and which are not (yet) included in 'sub-standard', 'doubtful' or 'loss' (i.e. the facility can be regarded as overdue but not yet 'impaired' according to IFRS);
                    (c) 'Sub-standard facilities' are those where interest/profit or principal is 90 days or more overdue (see Paragraph RM-2.4.4 for minimum required provisioning levels). 'Sub-standard facilities' also include those where full repayment (collectability) is in doubt due to inadequate protection by the impaired paying capacity of the customer or by impairment of the collateral pledged. Sub-standard facilities are characterised by the distinct possibility of loss if observed weaknesses are not corrected and may therefore be viewed as 'impaired' or non-performing. Sub-standard may therefore include facilities that are not yet overdue, or are less than 90 days overdue;
                    (d) 'Doubtful facilities' are those where interest/profit or principal is 180 days or more overdue (see Paragraph RM-2.4.4 for minimum required provisioning levels). 'Doubtful facilities' have all the weaknesses inherent in a facility classified as 'substandard' with the added characteristic that observed weaknesses make full collection (or liquidation), on the basis of currently existing facts and valuations highly questionable or improbable. The probability of loss is extremely high, but total loss may not necessarily occur because some mitigating factors may strengthen the asset quality; and
                    (e) 'Loss facilities' are those where interest/profit or principal is 360 days or more overdue (see Paragraph RM 2.5.6 for minimum required provisioning levels). 'Loss facilities' are considered uncollectible or of such little value that their continuance at any material value is not warranted. The category 'loss' means that it is not considered practical or desirable to give a positive valuation to this facility, even though partial recovery may be effected in the future.
                    July 2014

                  • RM-2.4.4

                    The following categories of credit facilities are defined as 'Non-performing'. Licensees must apply the minimum specific provision levels outlined below:

                    Substandard : 10% of the outstanding amount
                    Doubtful : 30% of the outstanding amount
                    Loss : 100% of the outstanding amount.
                    July 2014

                  • RM-2.4.5

                    The minimum provisioning levels set out above must be taken on the net amount of the outstanding facility after deducting the eligible collateral. If a licensee has collateral but is unprepared to exercise it after a facility becomes non-performing, then the collateral is not providing protection to the licensee and therefore provisions must be taken on the full amount of the outstanding balance until either the facility is repaid, the collateral (or guarantees) exercised or the facility rescheduled or restructured.

                    July 2014

                • RM-2.5 RM-2.5 Treatment of Profit/Interest in Suspense and Provisioning

                  • Non-accrual of Profit/Interest Income

                    • RM-2.5.1

                      Licensees are required to place on a non-accrual basis any facility where there is reasonable doubt about the collectability of the receivable irrespective of whether the facility is overdue or not. All accrued profit/interest, including related interest/profit earned but not collected and recognised as income in prior periods, for non-accrual assets identified in Paragraph RM-2.5.2 must be credited to an off-balance sheet special account in the licensee's records under the name 'profit/interest in suspense account' and not to the profit and loss account, i.e. it must not be recognised as income.

                      July 2014

                    • RM-2.5.2

                      For the purpose of this Module, the following 'non-performing' categories of assets must be considered as non-accrual items:

                      (a) Substandard;
                      (b) Doubtful;
                      (c) Loss; and
                      (d) Any other credit facilities that are overdue for a period of less than 90 days but the licensee has doubts about their collectability.
                      July 2014

                  • Treatment of Restructured and Rescheduled Facilities and Facilities Which Cease to be Non-performing

                    • RM-2.5.3

                      Any facility where principal or profit/interest is 90 days or more overdue must be categorised as 'non-performing'. A facility becomes overdue from the first date that profit/interest or principal is not received.

                      July 2014

                    • RM-2.5.4

                      For purposes of Paragraph RM-2.5.3, if an instalment is missed on 1st March 2010, but payment is made on 1st April 2010 (and the March instalment is still not paid), then the credit facility will become over 90 days overdue by 1st June 2010, even if the April and May instalments are paid on time and in full, and a provision must at least be taken in respect of the overdue amount (but not necessarily the full outstanding amount of the credit facility if other payments were made).

                      July 2014

                    • RM-2.5.5

                      If a non-performing credit facility is formally rescheduled (by way of a written agreement), the rescheduled credit facility may be considered 'performing' again (as 'standard') after a period of one year from the date of rescheduling if all payments have been made on schedule and the concerned provisions and suspended profit/interest may be credited (back) to the profit & loss account.

                      July 2014

                    • RM-2.5.6

                      If a facility ceases to be non-performing (due to full repayment of all arrears on profit/interest and principal) it may be categorised as performing after a period of one year and the concerned provisions and suspended profit/interest may be credited (back) to the profit & loss account.

                      July 2014

                • RM-2.6 RM-2.6 Collateral

                  • RM-2.6.1

                    The extension of credit is sometime supported by collateral provided by the customer or third parties. In the case of a credit facility supported by a guarantee, an assessment of the guarantor must be made by the licensee on at least an annual basis.

                    July 2014

                • RM-2.7 RM-2.7 Developing a Sound Credit Culture

                  • RM-2.7.1

                    Credit culture is defined as the sum total of a licensee's approach to managing credit risk, including business strategy, credit policy, shared assumptions about credit, the effectiveness of communications, and the composition and quality of the resulting loan portfolio.

                    July 2014

                  • The Role of the Board of Directors

                    • RM-2.7.2

                      The board must review and reassess the credit policies of the licensee (including collateral, provisioning and concentration policies) on at least an annual basis. The board must also review overdue facilities in terms of performance on a quarterly basis.

                      July 2014

                  • The Role of Senior Management

                    • RM-2.7.3

                      Senior management must be involved in the credit review process of existing facilities, including visiting clients, assessing the financial status of the borrower and verifying the appropriateness of collateral.

                      July 2014

                  • Effective Internal Systems and Controls

                    • RM-2.7.4

                      Licensees must utilise internal grading systems (as outlined in Paragraph RM-2.4.3) to manage credit risk and to set adequate provisions on a timely basis.

                      July 2014

                    • RM-2.7.5

                      Policies and procedures must include the requirement for a thorough understanding of the customer, the purpose of the credit facility and the source of repayment. This data must be reviewed as part of the risk management framework in any assessment of the customer for risk profiling purposes.

                      July 2014

                • RM-2.8 RM-2.8 The CBB's Approach to Microfinance Credit Facilities

                  • RM-2.8.1

                    Licensees must implement a sound internal controls framework, including an effective credit culture (see Section RM-2.7). Licensees must display and communicate charges and the APR clearly (see Section BC-1.4).

                    July 2014

                  • RM-2.8.2

                    The CBB requires licensees to demonstrate transparency in their dealings with their customers, as regards the costs and terms of their lending.

                    July 2014

                  • RM-2.8.3

                    The measures presented in this Chapter should be viewed as minimum standards, rather than best practice. They are aimed at encouraging prudent lending and full, frank and fair disclosures, rather than dictating comprehensively how licensees should engage in microfinance credit facilities.

                    July 2014

                • RM-2.9 RM-2.9 Refunds and Prepayments

                  • Refund/Adjustment of Insurance Premium on Loan Prepayments and Top-Ups

                    • RM-2.9.1

                      Licensees must refund/adjust proportionately the insurance premium charged on individual loans/facilities when the borrower either requests for a top-up or prepayment of the loan/facility as per the prescribed formula below:

                      Refund/Adjustment Amount = Remaining Period to Maturity X Premium Paid / Original Maturity
                      July 2014

                  • Early Repayment Fees/Charges

                    • RM-2.9.2

                      If early repayment charges are imposed by the licensee, the CBB imposes a ceiling on the early repayment charges on microfinance credit facilities as follows:

                      (a) 1% of the outstanding credit facility amount or BD20 whichever is lower;
                      (b) The ceilings on the charges have a retroactive effect i.e. covering existing and new credit facilities; and
                      (c) Licensees must not charge any remaining interest/profit amount if prepayment is made.
                      July 2014

              • RM-3 RM-3 Operational Risk

                • RM-3.1 RM-3.1 General Requirements

                  • RM-3.1.1

                    Licensees must document their framework for the proactive management of operational risk. This policy must be approved and reviewed at least annually by the board of directors of the licensee.

                    July 2014

                  • RM-3.1.2

                    Operational risk is the risk to the licensee of loss resulting from inadequate or failed internal processes, people and systems, or from external events. In identifying the types of operational risk losses that it may be exposed to, licensees should consider, for instance, the following:

                    (a) The nature of a licensee's customers, products and activities, including sources of business, distribution mechanisms, and the complexity and volumes of transactions;
                    (b) The design, implementation, and operation of the processes and systems used in the end-to-end operating cycle for a licensee's products and activities;
                    (c) The risk culture and human resource management practices at a licensee; and
                    (d) The business operating environment, including political, legal, socio-demographic, technological, and economic factors as well as the competitive environment and market structure.
                    July 2014

                  • RM-3.1.3

                    Licensees must assess and evaluate the impact of operational risks on their financial resources and solvency.

                    July 2014

                  • Business Continuity Planning

                    • RM-3.1.4

                      A licensee's business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the licensee and its business portfolio.

                      July 2014

                  • Record Keeping

                    • RM-3.1.5

                      Licensees must retain an appropriate record of their operational risk management activities.

                      July 2014

                • RM-3.2 RM-3.2 Identification, Measurement, Monitoring and Control

                  • RM-3.2.1

                    As part of an effective operational risk management system, licensees must:

                    (a) Identify critical processes, resources and loss events; and
                    (b) Develop policies, processes and procedures to control or mitigate operational risk.
                    July 2014

                • RM-3.3 RM-3.3 Succession Planning

                  • RM-3.3.1

                    Succession planning is an essential precautionary measure for a licensee if its leadership stability — and hence ultimately its financial stability — is to be protected. Succession planning is especially critical for smaller institutions, where management teams tend to be smaller and possibly reliant on a few key individuals.

                    July 2014

                • RM-3.4 RM-3.4 Business Continuity Requirements

                  • Vital Records Management

                    • RM-3.4.1

                      A business continuity plan must clearly identify information deemed vital for the recovery of critical business and support functions in the event of a significant disruption to business, including an event considered as a disaster, as well as the relevant protection measures to be taken for protecting vital information, whether stored on electronic or non-electronic media.

                      July 2014

                    • RM-3.4.2

                      Copies of vital records must be stored off-site as soon as possible after creation. A back-up of all vital records must be readily accessible for emergency retrieval. Access to back-up vital records should be adequately controlled to ensure that they are reliable for business resumption purposes. For certain critical business operations or services, licensees should consider the need for instantaneous data back up to ensure prompt system and data recovery. There should be clear procedures indicating how and in what priority vital records are to be retrieved or recreated in the event that they are lost, damaged or destroyed.

                      July 2014

                • RM-3.5 RM-3.5 Security Measures for Microfinance Institutions

                  • RM-3.5.1

                    Licensees that maintain cash on their premises must put in place security measures to minimize the risk of theft or fraud.

                    July 2014

                  • RM-3.5.2

                    Licensees are required to install an alarm system for those premises where cash is held.

                    July 2014

                  • RM-3.5.3

                    Where appropriate, licensees may consider the need to maintain a trained security guard on the premises.

                    July 2014

                  • RM-3.5.4

                    All licensees are required to have in place insurance coverage to cover potential losses arising from liability, theft, fire and other potential operational risk.

                    July 2014

              • RM-4 RM-4 Outsourcing Requirements

                • RM-4.1 RM-4.1 Outsourcing Arrangements

                  • RM-4.1.1

                    This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

                    Amended: July 2022
                    July 2014

                  • RM-4.1.2

                    In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

                    Amended: July 2022
                    July 2014

                  • RM-4.1.3

                    In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

                    i. The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; and
                    ii. The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.
                    Added: July 2022

                  • RM-4.1.4

                    The licensee must not outsource the following functions:

                    (i) Compliance;
                    (ii) AML/CFT;
                    (iii) Financial control;
                    (iv) Risk management; and
                    (v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).
                    Added: July 2022

                  • RM-4.1.5

                    For the purposes of Paragraph RM-4.1.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph RM-4.1.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.

                    Added: July 2022

                  • RM-4.1.6

                    Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph RM-4.1.4 (iv), subject to CBB’s prior approval

                    Added: July 2022

                  • RM-4.1.7

                    Licensees must comply with the following requirements:

                    (i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:
                    a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and
                    b. be made at least 30 calendar days before the licensee intends to commit to the arrangement.
                    (ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.
                    (iii) Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.
                    (iv) Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of the licensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.
                    (v) Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement.
                    (vi) Licensee must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.
                    (vii) Licensee must inform its normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.
                    Added: July 2022

                  • RM-4.1.8

                    For the purpose of Subparagraph RM-4.1.7 (iv), licensees as part of their assessments may use the following:

                    a) Independent third-party certifications on the outsourcing service provider’s security and other controls;
                    b) Third-party or internal audit reports of the outsourcing service provider; and
                    c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.

                    When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.

                    Added: July 2022

                  • RM-4.1.9

                    For the purpose of Subparagraph RM-4.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.

                    Added: July 2022

                • RM-4.2 [This Section was deleted in July 2022]

                • RM-4.3 [This Section was deleted in July 2022]

                • RM-4.4 [This Section was deleted in July 2022]

                • RM-4.5 [This Section was deleted in July 2022]

              • RM-5 RM-5 Liquidity Risk

                • RM-5.1 RM-5.1 Liquidity Risk

                  • RM-5.1.1

                    Licensees must design and implement a liquidity risk policy for the management of liquidity risk of the licensee. The policy must be appropriate to the nature, scale and complexity of the activities of the licensee, and it must be approved and regularly reviewed by the board of directors of the licensee.

                    July 2014

                  • Risk Measurement and Monitoring

                    • RM-5.1.2

                      A licensee must establish and maintain a process for the measurement, monitoring and controlling of liquidity risk.

                      July 2014

                  • Contingency Planning

                    • RM-5.1.3

                      Licensees must maintain contingency funding plans for taking action to ensure, so far as they can, that they can access sufficient liquid financial resources to meet liabilities as they fall due.

                      July 2014

          • Reporting Requirements

            • BR BR Microfinance Institutions CBB Reporting Requirements Module

              • BR-A BR-A Introduction

                • BR-A.1 BR-A.1 Purpose

                  • Executive Summary

                    • BR-A.1.1

                      This Module sets out requirements applicable to microfinance institutions licensees regarding reporting to the CBB. These include the provision of financial information to the CBB by way of prudential returns, as well as notification to the CBB of certain specified events, some of which require prior CBB approval. This Module also outlines the methods used by the CBB in gathering information required in the supervision of microfinance institutions licensees.

                      January 2014

                    • BR-A.1.2

                      This Module provides support for certain other parts of the Rulebook, mainly:

                      (a) Principles of Business;
                      (b) Public Disclosure;
                      (c) Risk Management;
                      (d) Financial Crime;
                      (e) Capital Adequacy;
                      (f) High-Level Controls;
                      (g) Business Conduct; and
                      (h) Auditors and Accounting Standards.
                      January 2014

                    • BR-A.1.3

                      Unless otherwise stated, all reports referred to in this Module should be addressed to the director of the relevant supervision directorate of the CBB.

                      January 2014

                  • Legal Basis

                    • BR-A.1.4

                      This Module contains the CBB's Directive relating to reporting requirements applicable to microfinance institutions licensees and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law').

                      January 2014

                    • BR-A.1.5

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      January 2014

                • BR-A.2 BR-A.2 Module History

                  • Evolution of Module

                    • BR-A.2.1

                      This Module was first issued in January 2014 by the CBB. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made. Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      January 2014

                    • BR-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      BR-1.2.5 04/2014 Deleted semi-annual reporting requirements.
                      BR-1.5 04/2017 Added a new Section on Onsite Inspection Reporting.
                      BR-1.1.3 07/2017 Amended timeframe for the annual reporting requirements.
                      BR-1.2.1 01/2020 Amended Paragraph.
                      BR-2.3.10 01/2020 Amended Paragraph.
                      BR-1.1.4 01/2022 Amended Paragraph on the submission of the Board and Committee annual meetings report.
                      BR-1.2.2 01/2022 Amended Paragraph on the submission of the PIRMF form.
                      BR-2.2.14 01/2023 Amended Paragraph removing reference to RM.
                      BR-2.3.12 01/2023 Deleted Paragraph on CBB approval for outsourcing arrangements.

              • BR-B BR-B Scope of Application

                • BR-B.1 BR-B.1 Scope of Application

                  • BR-B.1.1

                    The content of this Module applies to all microfinance institutions licensees authorised in the Kingdom (thereafter referred to in this Module as licensees).

                    January 2014

              • BR-1 BR-1 Prudential Reporting

                • BR-1.1 BR-1.1 Annual Requirements

                  • BR-1.1.1

                    All licensees are required to submit to the CBB their annual audited financial statements within 3 months of the financial year end.

                    January 2014

                  • BR-1.1.2

                    In accordance with the provisions of Section AA-4.1, the audited financial statements and the annual reports of the licensees must be in full compliance with:

                    (a) The International Financial Reporting Standards (IFRS); or
                    (b) AAOIFI Financial Accounting Standards for Sharia Compliant licensees and for products and activities not covered by AAOIFI, International Financial Reporting Standards (IFRS)/International Accounting Standards (IAS) must be followed; and
                    (c) The disclosure requirements set out under Section PD-1.3.
                    January 2014

                  • BR-1.1.3

                    In addition to the statements required in Paragraph BR-1.1.1, licensees are required to submit to the CBB the following information within 4 months of the financial year end:

                    (a) The external auditor's management letter;
                    (b) Audited financial statements of all subsidiaries along with their management letters;
                    (c) The licensee's group structure and the internal organisation chart;
                    (d) A list of non-performing and rescheduled credit facilities (including name of customer, country, amount outstanding, net interest income for the year attributed to profit & loss and the reasons for attributing interest/profit to income);
                    (e) A reconciliation statement between the audited financial statements and the relevant prudential returns;
                    (f) The report on controllers as required under Paragraph GR-4.1.10;
                    (g) A report on the licensee's close links as required under Paragraph GR-5.1.3; and
                    (h) Any supplementary information as required by the CBB.
                    Amended: July 2017
                    January 2014

                  • BR-1.1.4

                    In accordance with Paragraph HC-1.3.8, licensees must submit annually a report recording the board meetings held during the year. Such report must be submitted to the CBB, within 30 calendar days of the end of the reporting date, as an attachment to the year-end quarterly PIRMF. Reference should be made to Appendix BR-5, Board and Committee Meetings, under part B/Reporting Forms of Volume 5 for a sample of such report.

                    Amended: January 2022
                    Added: January 2014

                • BR-1.2 BR-1.2 Quarterly Requirements

                  • BR-1.2.1

                    All licensees must complete the PIRMF form (see Appendix BR-1 under Part B of Volume 5 for microfinance institutions). This form is intended to be a financial report of the licensee on a consolidated basis. Licensees must include all assets and liabilities of their head office and their branches in Bahrain (if any) and abroad (and subsidiaries, where applicable).

                    Amended: January 2020
                    Added: January 2014

                  • BR-1.2.2

                    The PIRMF forms referred to under Paragraph BR-1.2.1 must be submitted to the CBB on a quarterly basis within 30 calendar days of the end of the reporting date.

                    Amended: January 2022
                    Added: January 2014

                  • BR-1.2.3

                    The CBB requires all licensees to request their external auditor to conduct a review of the prudential return on a quarterly basis. The results of such review (in the form of an Agreed Upon Procedures report as shown in Appendix BR-3) must be submitted to the CBB's relevant supervision Directorate no later than 2 months from the end of the subject quarter. A licensee may apply for exemption from this requirement provided that it meets the criteria set out under Paragraph BR-1.2.4.

                    January 2014

                  • BR-1.2.4

                    Licensees which demonstrate to the satisfaction of the CBB that they have fulfilled all of the CBB's requirements with regard to Prudential Returns for at least two consecutive quarters may apply (in writing) to the CBB for an exemption from the review procedure set out in Paragraph BR-1.2.3.

                    January 2014

                  • BR-1.2.5

                    [This Paragraph was deleted in April 2014.]

                    Deleted: April 2014
                    January 2014

                • BR-1.3 BR-1.3 Monthly Requirements

                  • BR-1.3.1

                    All licensees which are listed on a licensed exchange in Bahrain must comply with the requirements of Volume 6 of the CBB Rulebook.

                    January 2014

                • BR-1.4 BR-1.4 IIS Reporting Requirements

                  • Institutional Information System (IIS)

                    • BR-1.4.1

                      All licensees are required to complete online non-financial information related to their institution by accessing the CBB's institutional information system (IIS). Licensees must update the required information at least on a quarterly basis or when a significant change occurs in the non-financial information included in the IIS. If no information has changed during the quarter, the licensee must still access the IIS quarterly and confirm the information contained in the IIS.

                      January 2014

                    • BR-1.4.2

                      Licensees failing to comply with the requirements of Paragraph BR-1.4.1 or reporting inaccurate information are subject to financial penalties or other enforcement actions as outlined in Module (EN) Enforcement.

                      January 2014

                • BR-1.5 BR-1.5 Onsite Inspection Reporting

                  • BR-1.5.1

                    For the purpose of onsite inspection by the CBB, licensees must submit requested documents and completed questionnaires to the Inspection Directorate at the CBB three working days ahead of inspection team entry date.

                    Added: April 2017

                  • BR-1.5.2

                    Licensees must review the contents of the draft Inspection Report and submit to the Inspection Directorate at the CBB a written assessment of the observations/issues raised within ten working days of receipt of such report. Evidentiary documents supporting management's comments must also be included in the response package.

                    Added: April 2017

                  • BR-1.5.3

                    Licensees' board are required to review the contents of the Inspection Report and submit within one month, of the report issue date, a final response to such report along with an action plan addressing the issues raised within the stipulated timeline.

                    Added: April 2017

                  • BR-1.5.4

                    Licensees failing to comply with the requirements of Paragraphs BR-1.5.1 and BR-1.5.2 are subject to date sensitive requirements and other enforcement actions as outlined in Module (EN) Enforcement.

                    Added: April 2017

              • BR-2 BR-2 Notifications and Approvals

                • BR-2.1 BR-2.1 Introduction

                  • BR-2.1.1

                    All notifications and requests for approvals required in this Chapter are to be submitted by licensees in writing.

                    January 2014

                  • BR-2.1.2

                    In this Chapter, the term 'in writing' includes electronic communications capable of being reproduced in paper form.

                    January 2014

                  • BR-2.1.3

                    Licensees are required to provide the CBB with a range of information to enable it to monitor the licensee's compliance with Volume 5 of the CBB Rulebook. Some of this information is provided through regular reports, whereas others are in response to the occurrence of a particular event (such as a change in name or address). The following Sections list the commonly occurring reports for which a licensee will be required to notify the CBB or seek its approval.

                    January 2014

                • BR-2.2 BR-2.2 Notification Requirements

                  • Matters Having a Serious Supervisory Impact

                    • BR-2.2.1

                      A licensee must notify the CBB if any of the following has occurred, may have occurred or may occur in the near future:

                      (a) The licensee failing to satisfy one or more of the Principles of Business referred to in Module PB;
                      (b) Any matter which could have a significant adverse impact on the licensee's reputation;
                      (c) Any matter which could affect the licensee's ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the licensee;
                      (d) Any matter in respect of the licensee that could result in material financial consequences to the financial system or to other licensees;
                      (e) A breach of any provision of the Rulebook (including a Principle);
                      (f) A breach of any requirement imposed by the relevant law or by regulations or an order made under any relevant law by the CBB;
                      (g) If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way, it must notify the CBB immediately (ref. BR-3.3.2); or
                      (h) If the licensee intends to suspend any or all the licensed regulated services or ceases business, setting out how it proposes to do so and, in particular, how it will treat any of its liabilities (ref GR-6.1.2).
                      January 2014

                    • BR-2.2.2

                      The circumstances that may give rise to any of the events in Paragraph BR-2.2.1 are wide-ranging and the probability of any matter resulting in such an outcome, and the severity of the outcome, may be difficult to determine. However, the CBB expects licensees to consider properly all potential consequences of events.

                      January 2014

                    • BR-2.2.3

                      In determining whether an event that may occur in the near future should be notified to the CBB, a licensee should consider both the probability of the event happening and the severity of the outcome should it happen. Matters having a supervisory impact could also include matters relating to a controller that may indirectly have an effect on the licensee.

                      January 2014

                  • Legal, Professional, Administrative or other Proceedings against a Licensee

                    • BR-2.2.4

                      A licensee must notify the CBB immediately of any legal, professional or administrative or other proceedings instituted against the licensee, controller or a close link of the licensee that is known to the licensee and is significant in relation to the licensee's financial resources or its reputation.

                      January 2014

                    • BR-2.2.5

                      A licensee must notify the CBB of the bringing of a prosecution for, or conviction of, any offence under any relevant law against the licensee that would prevent the licensee from meeting the Principles of Business (Module PB) or any of its approved persons from meeting the fit and proper requirements of Module AU.

                      January 2014

                  • Fraud, Errors and other Irregularities

                    • BR-2.2.6

                      A licensee must notify the CBB immediately if one of the following events arises:

                      (a) It becomes aware that an employee may have committed a fraud against one of its customers;
                      (b) It becomes aware that a person, whether or not employed by it, is acting with intent to commit fraud against it;
                      (c) It identifies irregularities in its accounting or other records, whether or not there is evidence of fraud;
                      (d) It suspects that one of its employees may be guilty of serious misconduct concerning his honesty or integrity and which is connected with the licensee's regulated activities; or
                      (e) Conflicts of interest.
                      January 2014

                  • Insolvency, Bankruptcy and Winding Up

                    • BR-2.2.7

                      Except in instances where the CBB has initiated the following actions, a licensee must notify the CBB immediately of any of the following events:

                      (a) The calling of a meeting to consider a resolution for winding up the licensee, a controller or close link of the licensee;
                      (b) An application to dissolve a controller or close link of the licensee or to strike the licensee off the register of microfinance institutions;
                      (c) The presentation of a petition for the winding up of a controller or close link of the licensee;
                      (d) The making of any proposals, or the making of, a composition or arrangement with any one or more of the licensee's creditors, for material amounts of debt;
                      (e) An application for the appointment of an administrator or trustee in bankruptcy to a controller or close link of the licensee;
                      (f) The appointment of a receiver to a controller or close link of the licensee (whether an administrative receiver or a receiver appointed over particular property); or
                      (g) An application for an interim order against the licensee, a controller or close link of the licensee under the Bankruptcy and Composition Law, Decree Law No(11), 1987 or similar legislation in another jurisdiction.
                      January 2014

                  • External Auditor

                    • BR-2.2.8

                      A licensee must notify the CBB of the following and the reason for the change:

                      (a) Removal or resignation of auditor (ref. AA-1.2.1); or
                      (b) Change in audit partner (ref. AA-1.3.3).
                      January 2014

                  • Approved Persons

                    • BR-2.2.9

                      A licensee must notify the CBB of the termination of employment of approved persons, including particulars of reasons for the termination and arrangements with regard to replacement (ref. AU-4.3.8 and AU-4.4.8).

                      January 2014

                  • Authorised Signatories

                    • BR-2.2.10

                      At the time of authorisation (when the license is granted) or whenever a change occurs, in order to maintain an up-to-date record of authorised signatories of respective financial institutions, the CBB requires all licensees to submit to it a list of specimen signatures of the officials authorised to sign on behalf of the concerned institution.

                      January 2014

                  • Current Management and Changes thereto

                    • BR-2.2.11

                      At the time of authorisation (when the license is granted) or whenever a change occurs, all licensees must keep the CBB informed, in writing, of the controlled functions held by approved persons. Such notification must include the following information:

                      (a) Full name (and identity card for Bahrain resident management);
                      (b) Contact details including address and emergency phone number;
                      (c) Date of birth;
                      (d) Place of birth (including town etc.);
                      (e) Nationality;
                      (f) Professional qualifications (by educational establishment and dates); and
                      (g) Career details over the last ten years (with your institution or elsewhere).
                      January 2014

                  • Breach of Capital Adequacy Requirements

                    • BR-2.2.12

                      In the event that a licensee fails to meet any of the requirements specified in Module CA (Capital Adequacy) it must, on becoming aware that it has breached the requirements, immediately notify the CBB in writing (ref. CA-1.1.9).

                      January 2014

                    • BR-2.2.13

                      As specified in Article 58 of the CBB Law, a licensee must notify the CBB immediately of any matter that may affect its financial position, currently or in the future, or limit its ability to meet its obligations.

                      January 2014

                  • Outsourcing Arrangements

                    • BR-2.2.14

                      Licensees must immediately inform their relevant supervisory contact at the CBB of any material problems or changes encountered with an outsourcing provider.

                      Amended: January 2023
                      January 2014

                  • Controllers

                    • BR-2.2.15

                      If, as a result of circumstances outside the licensee's knowledge and/or control, one of the changes to their controllers specified in Paragraph GR-4.1.1 is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB the earlier of:

                      (a) When the change takes effect; and
                      (b) When the controller becomes aware of the proposed change (ref. GR-4.1.7).
                      January 2014

                    • BR-2.2.16

                      As specified in Article 52 of the CBB Law, a licensee must notify the CBB of the following events:

                      (a) If effective control over a licensee takes place indirectly whether by way of inheritance or otherwise;
                      (b) Gaining control directly as a result of any action leading to it; or
                      (c) The intention to take any of the actions that would lead to control.
                      January 2014

                • BR-2.3 BR-2.3 Approval Requirements

                  • Branches or Subsidiaries

                    • BR-2.3.1

                      In accordance with Rule AU-4.2.1, a licensee should seek prior written approval from the CBB for opening a branch or a subsidiary.

                      January 2014

                    • BR-2.3.2

                      Licensees wishing to cancel an authorisation for a branch or subsidiary must obtain the CBB's written approval, before ceasing the activities of the branch or subsidiary.

                      January 2014

                  • Change in Name

                    • BR-2.3.3

                      In accordance with Paragraph GR-2.1.1, a licensee must seek prior written approval from the CBB and give reasonable advance notice of a change in:

                      (a) The licensee's name (which is the registered name if the licensee is a corporate body; or
                      (b) The licensee's trade name.
                      January 2014

                    • BR-2.3.4

                      The request under Paragraph BR-2.3.3 must include the details of the proposed new name and the date on which the licensee intends to implement the change of name.

                      January 2014

                  • Change of Address

                    • BR-2.3.5

                      As specified in Article 51 of the CBB Law, a licensee must seek prior written approval from the CBB and give reasonable advance notice of a change in the address of the licensee's principal place of business in Bahrain, and that of its branches.

                      January 2014

                    • BR-2.3.6

                      The request under Paragraph BR-2.3.5 must include the details of the proposed new address and the date on which the licensee intends to implement the change of address.

                      January 2014

                  • Change in Legal Status

                    • BR-2.3.7

                      A licensee must seek CBB prior written approval and give reasonable advance notice of a change in its legal status that may, in any way, affect its relationship with or limit its liability to its customers.

                      January 2014

                  • Change in Paid-up or Issued Capital

                    • BR-2.3.8

                      As specified in Article 57(3) of the CBB Law, a licensee must seek CBB prior written approval before making any modification to its issued or paid-up capital.

                      January 2014

                  • Controllers

                    • BR-2.3.9

                      In accordance with Section GR-4.1, licensees must seek CBB prior written approval and give reasonable advance notice of any of the following events concerning the licensee:

                      (a) A person acquiring control or ceasing to have control;
                      (b) An existing controller acquiring an additional type of control (such as ownership or significant influence) or ceasing to have a type of control;
                      (c) An existing controller increasing the percentage of shares or voting power beyond 10%, 20% or 40%; and
                      (d) An existing controller becoming or ceasing to be a parent undertaking.
                      January 2014

                  • Mergers, Acquisitions, Disposals and Establishment of New Subsidiaries

                    • BR-2.3.10

                      A licensee incorporated in Bahrain must seek CBB prior written approval and give reasonable advance notice of its intention to enter into a:

                      (a) Merger with another undertaking; or
                      (b) Proposed acquisition, disposal or establishment of a new subsidiary undertaking.
                      Amended: January 2020
                      Added: January 2014

                  • Write-offs

                    • BR-2.3.11

                      Licensees must obtain the CBB's prior written approval before writing off any of the following exposures:

                      (a) To any present or former director of the licensee;
                      (b) Which are guaranteed by a director of the licensee;
                      (c) To any business entity for which the licensee or any of its directors is an agent;
                      (d) To any officer or employee of the licensee, or any other person who receives remuneration from the licensee;
                      (e) To any business entity in which the licensee (or any of its directors, officers or other persons receiving remuneration from the licensee) has a material interest as a shareholder (i.e., 5% or more), or as a director, manager, agent or guarantor; and
                      (f) To any person who is a director, manager or officer of another licensee of the CBB.
                      January 2014

                  • Outsourcing Arrangements

                    • BR-2.3.12

                      [This Paragraph was deleted in January 2023].

                      Deleted: January 2023
                      January 2014

                  • Matters Having a Supervisory Impact

                    • BR-2.3.13

                      A licensee must seek prior approval from the CBB for any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs after authorisation has been granted.

                      January 2014

                    • BR-2.3.14

                      Any licensee that wishes, intends or has been requested to do anything that might contravene, in its reasonable opinion, the provisions of United Nations Security Council Resolution (UNSCR) 1373 (and in particular Article 1, Paragraphs c) and d) of UNSCR 1373) must seek, in writing, the prior written opinion of the CBB on the matter (ref. FC-8.2.2).

                      January 2014

                    • BR-2.3.15

                      As specified in Article 57 of the CBB Law, a licensee wishing to modify its Memorandum or Articles of Association, must obtain prior written approval from the CBB.

                      January 2014

                    • BR-2.3.16

                      As specified in Article 57 of the CBB Law, a licensee wishing to transfer all or a major part of its assets or liabilities inside or outside the Kingdom, must obtain prior written approval from the CBB.

                      January 2014

                  • External Auditor

                    • BR-2.3.17

                      A licensee must seek prior written approval from the CBB for the appointment or re-appointment of its external auditor (ref. AU-2.7.1 and AA-1.1.1)

                      January 2014

                  • Dividend Distribution

                    • BR-2.3.18

                      Licensees, must obtain the CBB's prior written approval to any dividend proposed to be distributed to the shareholders, before announcing the proposed dividend by way of press announcement or any other means of communication, in accordance with Chapter GR-3.

                      January 2014

                  • Approved Persons

                    • BR-2.3.19

                      A licensee must seek prior approval from the CBB for the appointment of persons undertaking a controlled function (ref. Article 65 of the CBB Law, AU-1.4 and AU-4.3.1).

                      January 2014

                    • BR-2.3.20

                      Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee (ref. AU-4.3.11).

                      January 2014

                    • BR-2.3.21

                      If a controlled function falls vacant, a licensee making immediate interim arrangements for the controlled function affected, must obtain approval from the CBB (ref. AU-4.4.9).

                      January 2014

                  • Cessation of Business

                    • BR-2.3.22

                      In accordance with Paragraph GR-6.1.1 and Article 50 of the CBB Law, licensees must seek the CBB's prior approval should they wish to cease to provide or suspend any or all of the licensed regulated services of their operations and/or liquidate their business.

                      January 2014

              • BR-3 BR-3 Information Gathering by the CBB

                • BR-3.1 BR-3.1 Power to Request Information

                  • BR-3.1.1

                    In accordance with Article 111 of the CBB Law, licensees must provide all information that the CBB may reasonably request in order to discharge its regulatory obligations.

                    January 2014

                  • Information Requested on Behalf of other Supervisors

                    • BR-3.1.2

                      The CBB may ask licensees to provide it with information at the request of or on behalf of other supervisors to enable them to discharge their functions properly. Those supervisors may include overseas supervisors or government agencies in Bahrain. The CBB may also, without notifying a licensee, pass on to those supervisors or agencies information that it already has in its possession.

                      January 2014

                • BR-3.2 BR-3.2 Access to Premises

                  • BR-3.2.1

                    In accordance with Article 114 of the CBB Law, a licensee must permit representatives of the CBB, or appointed experts for the purpose by the CBB to have access, with or without notice, during reasonable business hours to any of its business premises in relation to the discharge of the CBB's functions under the relevant law.

                    January 2014

                  • BR-3.2.2

                    A licensee must take reasonable steps to ensure that its agents and providers under outsourcing arrangements permit such access to their business premises, to the CBB.

                    January 2014

                  • BR-3.2.3

                    A licensee must take reasonable steps to ensure that each of its providers under material outsourcing arrangements deals in an open and cooperative way with the CBB in the discharge of its functions in relation to the licensee.

                    January 2014

                  • BR-3.2.4

                    The cooperation that licensees are expected to procure from such providers is similar to that expected of licensees themselves.

                    January 2014

                • BR-3.3 BR-3.3 Accuracy of Information

                  • BR-3.3.1

                    Licensees must take reasonable steps to ensure that all information they give the CBB is:

                    (a) Factually accurate or, in the case of estimates and judgements, fairly and properly based after appropriate enquiries have been made by the licensee; and
                    (b) Complete, in that it should include anything of which the CBB would reasonably expect notice.
                    January 2014

                  • BR-3.3.2

                    If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way, it must notify the CBB immediately. The notification must include:

                    (a) Details of the information which is or may be false, misleading, incomplete or inaccurate, or has or may have changed;
                    (b) An explanation why such information was or may have been provided; and
                    (c) The correct information.
                    January 2014

                  • BR-3.3.3

                    If the information in Paragraph BR-3.3.2 cannot be submitted with the notification (because it is not immediately available), it must instead be submitted as soon as possible afterwards.

                    January 2014

                • BR-3.4 BR-3.4 Methods of Information Gathering

                  • BR-3.4.1

                    The CBB uses various methods of information gathering on its own initiative which require the cooperation of licensees:

                    (a) Representatives of the CBB may make onsite visits at the premises of the licensee. These visits may be made on a regular basis, on a sample basis, for special purposes such as theme visits (looking at a particular issue across a range of licensees), or when the CBB has a particular reason for visiting a licensee;
                    (b) Appointees of the CBB may also make onsite visits at the premises of the licensee. Appointees of the CBB may include persons who are not CBB staff, but who have been appointed to undertake particular monitoring activities for the CBB, such as in the case of Appointed Experts (refer to Chapter EN-2);
                    (c) The CBB may request the licensee to attend meetings at the CBB's premises or elsewhere;
                    (d) The CBB may seek information or request documents by telephone, at meetings or in writing, including electronic communication; and
                    (e) The CBB may require licensees to submit various documents or notifications, as per Chapter BR-2, in the ordinary course of their business such as financial reports or on the happening of a particular event in relation to the licensee such as a change in control.
                    January 2014

                  • BR-3.4.2

                    When seeking meetings with a licensee or access to the licensee's premises, the CBB or the CBB appointee needs to have access to a licensee's documents and personnel. Such requests will be made during reasonable business hours and with proper notice. There may be instances where the CBB may seek access to the licensee's premises without prior notice. While such visits are not customary, the prospect of unannounced visits is intended to encourage licensees to comply at all times with the requirements and standards imposed by the CBB as per legislation and Volume 5 of the CBB Rulebook.

                    January 2014

                  • BR-3.4.3

                    The CBB considers that a licensee should:

                    (a) Make itself readily available for meetings with representatives or appointees of the CBB;
                    (b) Give representatives or appointees of the CBB reasonable access to any records, files, tapes or computer systems, which are within the licensee's possession or control, and provide any facilities which the representatives or appointees may reasonably request;
                    (c) Produce to representatives or appointees of the CBB specified documents, files, tapes, computer data or other material in the licensee's possession or control as reasonably requested;
                    (d) Print information in the licensee's possession or control which is held on computer or otherwise convert it into a readily legible document or any other record which the CBB may reasonably request;
                    (e) Permit representatives or appointees of the CBB to copy documents of other material on the premises of the licensee at the licensee's expense and to remove copies and hold them elsewhere, or provide any copies, as reasonably requested; and
                    (f) Answer truthfully, fully and promptly all questions which representatives or appointees of the CBB reasonably put to it.
                    January 2014

                  • BR-3.4.4

                    The CBB considers that a licensee should take reasonable steps to ensure that the following persons act in the manner set out in Paragraph BR-3.4.3:

                    (a) Its employees; and
                    (b) Any other members of its group, and their employees.
                    January 2014

                  • BR-3.4.5

                    In gathering information to fulfill its supervisory duties, the CBB acts in a professional manner and with due regard to maintaining confidential information obtained during the course of its information gathering activities.

                    January 2014

                • BR-3.5 BR-3.5 Role of the Appointed Expert

                  • Introduction

                    • BR-3.5.1

                      The content of this Chapter is applicable to all licensees and appointed experts.

                      January 2014

                    • BR-3.5.2

                      The purpose of the contents of this Chapter is to set out the roles and responsibilities of appointed experts when appointed pursuant to Article 114 or 121 of the CBB Law (see EN-2.1.1). These Articles empower the CBB to assign some of its officials or others to inspect or conduct investigations of licensees.

                      January 2014

                    • BR-3.5.3

                      The CBB uses its own inspectors to undertake on-site examinations of licensees as an integral part of its regular supervisory efforts. In addition, the CBB may commission reports on matters relating to the business of licensees in order to help it assess their compliance with CBB requirements. Inspections may be carried out either by the CBB's own officials, by duly qualified appointed experts appointed for the purpose by the CBB, or a combination of the two.

                      January 2014

                    • BR-3.5.4

                      The CBB will not, as a matter of general policy, publicise the appointment of an appointed expert, although it reserves the right to do so where this would help achieve its supervisory objectives. Both the appointed expert and the CBB are bound to confidentiality provisions restricting the disclosure of confidential information with regards to any such information obtained in the course of the investigation.

                      January 2014

                    • BR-3.5.5

                      Unless the CBB otherwise permits, appointed experts should not be the same firm appointed as external auditor of the licensee.

                      January 2014

                    • BR-3.5.6

                      Appointed experts will be appointed in writing, through an appointment letter, by the CBB. In each case, the CBB will decide on the range, scope and frequency of work to be carried out by appointed experts.

                      January 2014

                    • BR-3.5.7

                      All proposals to appoint appointed experts require approval by an Executive Director or more senior official of the CBB. The appointment will be made in writing, and made directly with the appointed experts concerned. A separate letter is sent to the licensee, notifying them of the appointment. At the CBB's discretion, a trilateral meeting may be held at any point, involving the CBB and representatives of the licensee and the appointed experts, to discuss any aspect of the investigation.

                      January 2014

                    • BR-3.5.8

                      Following the completion of the investigation, the CBB will normally provide feedback on the findings of the investigation to the licensee.

                      January 2014

                    • BR-3.5.9

                      Appointed experts will report directly to and be responsible to the CBB in this context and will specify in their report any limitations placed on them in completing their work (for example due to the licensee's group structure). The report produced by the appointed experts is the property of the CBB (but is usually shared by the CBB with the licensee concerned).

                      January 2014

                    • BR-3.5.10

                      Compliance by appointed experts with the contents of this Chapter will not, of itself, constitute a breach of any other duty owed by them to a particular licensee (i.e. create a conflict of interest).

                      January 2014

                    • BR-3.5.11

                      The CBB may appoint one or more of its officials to work on the appointed experts' team for a particular licensee.

                      January 2014

                  • The Required Report

                    • BR-3.5.12

                      The scope of the required report will be determined and detailed by the CBB in the appointment letter. Commissioned appointed experts would normally be required to report on one or more of the following aspects of a licensee's business:

                      (a) Accounting and other records;
                      (b) Internal control systems;
                      (c) Returns of information provided to the CBB;
                      (d) Operations of certain departments; and/or
                      (e) Other matters specified by the CBB.
                      January 2014

                    • BR-3.5.13

                      Appointed experts will be required to form an opinion on whether, during the period examined, the licensee is in compliance with the relevant provisions of the CBB Law and the CBB's relevant requirements, as well as other requirements of Bahrain Law and, where relevant, industry best practice locally and/or internationally.

                      January 2014

                    • BR-3.5.14

                      The appointed experts' report should follow the format set out in Appendix BR-10, in part B of the CBB Rulebook.

                      January 2014

                    • BR-3.5.15

                      Unless otherwise directed by the CBB or unless the circumstances described in Section BR-3.5.19 apply, the report must be discussed with the board of directors and/or senior management in advance of it being sent to the CBB.

                      January 2014

                    • BR-3.5.16

                      Where the report is qualified by exception, the report must clearly set out the risks which the licensee runs by not correcting the weakness, with an indication of the severity of the weakness should it not be corrected. Appointed experts will be expected to report on the type, nature and extent of any weaknesses found during their work, as well as the implications of a failure to address and resolve such weaknesses.

                      January 2014

                    • BR-3.5.17

                      If the appointed experts conclude, after discussing the matter with the licensee, that they will give a negative opinion (as opposed to one qualified by exception) or that the issue of the report will be delayed, they must immediately inform the CBB in writing giving an explanation in this regard.

                      January 2014

                    • BR-3.5.18

                      The report must be completed, dated and submitted, together with any comments by directors or management (including any proposed timeframe within which the licensee has committed to resolving any issues highlighted by the report), to the CBB within the timeframe applicable.

                      January 2014

                  • Other Notifications to the CBB

                    • BR-3.5.19

                      Appointed experts must communicate to the CBB, during the conduct of their duties, any reasonable belief or concern they may have that any of the requirements of the CBB, including the criteria for licensing a licensee (see Module AU), are not or have not been fulfilled, or that there has been a material loss or there exists a significant risk of material loss in the concerned licensee, or that the interests of customers are at risk because of adverse changes in the financial position or in the management or other resources of a licensee. Notwithstanding the above, it is primarily the licensee's responsibility to report such matters to the CBB.

                      January 2014

                    • BR-3.5.20

                      The CBB recognises that appointed experts cannot be expected to be aware of all circumstances which, had they known of them, would have led them to make a communication to the CBB as outlined above. It is only when appointed experts, in carrying out their duties, become aware of such a circumstance that they should make detailed inquiries with the above specific duty in mind.

                      January 2014

                    • BR-3.5.21

                      If appointed experts decide to communicate directly with the CBB in the circumstances set out in Paragraph BR-3.5.19, they may wish to consider whether the matter should be reported at an appropriate senior level in the licensee at the same time and whether an appropriate senior representative of the licensee should be invited to attend the meeting with the CBB.

                      January 2014

                  • Permitted Disclosure by the CBB

                    • BR-3.5.22

                      Information which is confidential and has been obtained under, or for the purposes of, this chapter or the CBB Law may only be disclosed by the CBB in the circumstances permitted under the Law. This will allow the CBB to disclose information to appointed experts to fulfil their duties. It should be noted, however, that appointed experts must keep this information confidential and not divulge it to a third party except with the CBB's permission and/or unless required by Bahrain Law.

                      January 2014

                  • Trilateral Meeting

                    • BR-3.5.23

                      The CBB may, at its discretion, call for a trilateral meeting(s) to be held between the CBB and representatives of the relevant licensee and the appointed experts. This meeting will provide an opportunity to discuss the appointed experts' examination of, and report on, the licensee.

                      January 2014

            • PD PD Microfinance Institutions Public Disclosure Module

              • PD-A PD-A Introduction

                • PD-A.1 PD-A.1 Purpose

                  • PD-A.1.1

                    The purpose of this Module is to set out the detailed qualitative and quantitative public disclosure requirements that the microfinance institutions should adhere to in order to enhance corporate governance and financial transparency through better public disclosure. Such disclosures also help to protect customers and facilitate market discipline.

                    January 2014

                  • PD-A.1.2

                    ThisModule provides support for certain other parts of the Rulebook, namely:

                    (a) Licensing and Authorisation Requirements;
                    (b) CBB Reporting Requirements;
                    (c) Risk Management;
                    (d) High Level Controls;
                    (e) Relationship with Audit Firms; and
                    (f) Enforcement actions.
                    January 2014

                  • PD-A.1.3

                    This Module also provides support for certain aspects relating to disclosure requirements stipulated in the Central Bank of Bahrain and Financial Institutions Law (Decree No. 64 of 2006) and the Bahrain Commercial Companies Law (as amended).

                    January 2014

                  • Legal Basis

                    • PD-A.1.4

                      This Module contains the Central Bank of Bahrain's ('the CBB') Directive (as amended from time to time) relating to public disclosure and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). It also incorporates the requirements of Article 62 (as amended from time to time) of the CBB Law with respect to the publication of financial statements. The Directive in this Module is applicable to all microfinance institution licensees.

                      January 2014

                    • PD-A.1.5

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      January 2014

                • PD-A.2 PD-A.2 General Requirements

                  • PD-A.2.1

                    All microfinance institutions must have a formal disclosure policy as part of their overall communications strategy approved by the Board of Directors (and supported by documented procedures) that addresses the disclosures that the microfinance institution makes and the internal controls over the disclosure process. In addition, all microfinance institutions must carry out an annual review of the validity of their disclosures (in terms of scope and accuracy) as outlined in Modules BR and Paragraph AA-3.2.1.

                    January 2014

                  • PD-A.2.2

                    All microfinance institutions are required to publish their annual audited financial statements per the rules set out in this Module and Article 62 of the CBB Law and the Bahrain Commercial Companies Law (as amended), where applicable. Such financial statements must be prepared in accordance with International Financial Reporting Standards (IFRS) in the case of conventional microfinance institutions or Financial Accounting Standards (FAS) issued by the Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI) for Shari'a compliant licensees and for products and activities not covered by AAOIFI, by IFRS and IAS.

                    January 2014

                  • PD-A.2.3

                    The CBB requires that each microfinance institution maintain an up-to-date checklist of all applicable accounting standards and also the disclosure requirements set out in this Module for full compliance purposes. Such checklists should be part of the microfinance institution's public disclosures procedures.

                    January 2014

                  • PD-A.2.4

                    [This Paragraph was deleted in April 2014].

                    Deleted: April 2014

                  • PD-A.2.5

                    The disclosures in this Module may be presented as an accompanying document or appendices to the Annual Report or in the Notes to the Financial Statements at the discretion of the concerned microfinance institution.

                    January 2014

                  • PD-A.2.6

                    A microfinance institution should decide which disclosures are relevant for it based on the materiality concept and subject to the concurrence of the microfinance institution's external auditor. For the microfinance institutions' guidance, information would be regarded as material if its omission or misstatement could change or influence the assessment or decision of a user relying on that information for the purpose of making economic decisions.

                    January 2014

                  • PD-A.2.7

                    Non-compliance with these disclosure requirements is likely to lead to enforcement actions as outlined in Module EN (Enforcement) such as a fine imposed by the CBB.

                    January 2014

                • PD-A.3 PD-A.3 Module History

                  • Evolution of Module

                    • PD-A.3.1

                      This Module was first issued in January 2014 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made. Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      January 2014

                    • PD-A.3.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      PD-A.2.4 04/2014 Deleted requirement for review by external auditor based on agreed upon procedures of disclosures specified under Module PD.
                      PD-1.2.3 07/2018 Amended Paragraph on 'Publication of Annual Audited Financial Statements' time frame.
                      PD-1.2.5 07/2023 Amended Paragraph on submission of newspaper extracts of financial statements.
                           
                           

                  • Superseded Requirements

                    • PD-A.3.3

                      This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                      Document Ref. Document Subject
                      Volumes 1 and 2 Module PD
                      EDBS/KH/C/37/2018 Amendments to the Public Disclosure Module (PD)
                      Amended: July 2018
                      January 2014

              • PD-B PD-B Scope of Application

                • PD-B.1 PD-B.1 Scope

                  • PD-B.1.1

                    This Module applies to all microfinance institution licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

                    January 2014

              • PD-1 PD-1 Annual Disclosure Requirements

                • PD-1.1 PD-1.1 Introduction

                  • PD-1.1.1

                    The purpose of this Chapter is to set out the CBB's requirements relating to the disclosure of information in the annual audited financial statements of all licensees. This Chapter also refers to the Bahrain Commercial Companies Law (as amended).

                    January 2014

                  • PD-1.1.2

                    For the purpose of this Module, 'audited financial statements' refers to the financial statements required under International Financial Reporting Standards (IFRS) and/or Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI).

                    January 2014

                • PD-1.2 PD-1.2 Requirements for Annual Audited Financial Statements

                  • Submission of Annual Audited Financial Statements

                    • PD-1.2.1

                      All licensees must submit their annual audited financial statements to the CBB within 3 months of the end of the licensee's financial year (as required by Article 62 of the CBB Law). Licensees' annual audited financial statements must be audited by their external auditor.

                      January 2014

                    • PD-1.2.2

                      Licensees are also required to publish the annual audited financial statements on their website (see also PD-1.3.8(h)) within seven days of submission to the CBB.

                      January 2014

                  • Publication of Annual Audited Financial Statements

                    • PD-1.2.3

                      Licensees must publish extracts from their audited annual financial statements in one Arabic and one English daily newspaper within 3 months of the end of the financial year. The newspaper disclosures must include at a minimum the balance sheet, the statements of income, the cash flow and changes in equity. The newspaper disclosures must also be published on the licensee's website within seven days of publication.

                      Amended: July 2018
                      January 2014

                    • PD-1.2.4

                      The newspaper disclosures should include a reference to the fact that the published figures 'have been extracted from financial statements audited by XYZ auditor, who expressed an unqualified opinion on (dated report)'. Licensees must disclose in full any audit qualifications or matter of emphasis paragraphs contained within the auditor's opinion. The auditor's opinion must be made in accordance with the International Standards on Auditing as established by the International Federation of Accountants or AAOIFI's Standards on Auditing, whichever is applicable.

                      January 2014

                    • PD-1.2.5

                      Licensees must submit a copy of the newspaper extracts from their annual audited financial statements to the CBB within two business days of publication in the concerned newspapers clearly showing on which date and in which publications the statements were published.

                      Amended: July 2023
                      January 2014

                • PD-1.3 PD-1.3 Disclosures in the Annual Audited Financial Statements

                  • Introduction

                    • PD-1.3.1

                      In addition to the disclosures required under the International Financial Reporting Standards (IFRS) and/or Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI), licensees must provide timely information which facilitates market participants' assessment of them. The disclosure requirements set out in this Section must be included in the annual audited financial statements either as an Appendix or in the notes, at the discretion of the concerned licensee. The disclosures must be addressed in clear terms and with appropriate details to help achieve a satisfactory level of transparency.

                      January 2014

                    • PD-1.3.2

                      If a licensee is unable to achieve full compliance with the requirements stated in this Chapter, a meeting should be held with the relevant Supervision Director at the CBB in the presence of the concerned external auditor to discuss the reasons for such non-compliance prior to the finalisation of the annual audited financial statements. It is the responsibility of the licensee to call for such meetings.

                      January 2014

                  • Financial Performance and Position

                    • PD-1.3.3

                      The audited financial statements must include a discussion of the main factors that influenced the licensee's financial performance for the year, explaining any differences in performance between the current year and previous years and the reasons for such differences, and discussing factors that will have a significant influence on the licensee's future financial performance.

                      January 2014

                  • Corporate Governance and Transparency

                    • PD-1.3.4

                      The following information relating to corporate governance must be disclosed in the audited financial statements:

                      (a) Information about the Board structure (e.g. the size of the Board, Board committees) and the basic organisational structure (lines of business structure and legal entity structure);
                      (b) Information about the profession, business title, and experience in years of each Board member and the qualifications and experience in years of all heads of function;
                      (c) Descriptive information on the managerial structure, including:
                      (i) Committees;
                      (ii) Segregation of duties;
                      (iii) Reporting lines; and
                      (iv) Responsibilities;
                      (d) Nature and extent of transactions with related parties (as defined by IFRS and AAOIFI as appropriate);
                      (e) Information about any changes in the structures (as mentioned in Subparagraphs PD-1.3.4(a) to PD-1.3.4(c)) from prior periods;
                      (f) The communications strategy approved by the Board (including the use of the licensee's website) which should undertake to perform at least the following:
                      (i) The disclosure of all relevant information to stakeholders on a periodic basis in a timely manner; and
                      (ii) The provision of at least the last three years of financial data on the licensee's website;
                      (g) Names of shareholders owning 5% or more and, if they act in concert, a description of the voting, shareholders' or other agreements among them relating to acting in concert, and of any other direct and indirect relationships among them or with the licensee or other shareholders; and
                      (h) Information on the directorships held by the directors on other boards.
                      January 2014

                    • PD-1.3.5

                      Licensees are required to maintain a website.

                      January 2014

                  • Capital Structure – Qualitative Disclosures

                    • PD-1.3.6

                      All licensees must disclose summary information of the terms and conditions of the main features of all capital instruments listed in Paragraph PD-1.3.7.

                      January 2014

                  • Capital Structure – Quantitative Disclosures

                    • PD-1.3.7

                      All licensees must disclose the amount of capital with separate disclosures of:

                      (a) Authorised capital;
                      (b) Paid-up share capital/common stock; and
                      (c) Breakdown of reserves and retained earnings.
                      January 2014

                  • Capital Adequacy

                    • PD-1.3.8

                      All licensees must present a summary of the licensee's approach to assessing the adequacy of capital and adherence to the gearing requirements to support current and future activities.

                      January 2014

                  • Credit Risk – Quantitative Disclosures

                    • PD-1.3.9

                      All licensees must disclose the distribution of exposures by industry and provide for each major industry:

                      (a) Amount of impaired loans/facilities and past due loans/facilities, based on an aging schedule;
                      (b) Specific and collective impairment provisions and write-offs for the period, shown separately;
                      (c) Charges for specific impairment provisions and write-offs during the period; and
                      (d) Reconciliation of changes in provisions for impairment.
                      January 2014

                  • Operational Risk Disclosures

                    • PD-1.3.10

                      All licensees must disclose quantitative information on any material legal contingencies including pending legal actions, and a discussion and estimate of the potential liabilities, in addition to qualitative statements about how licensees manage and control such risks.

                      January 2014

                  • Compliance

                    • PD-1.3.11

                      The audited financial statements must include a declaration by the external auditor that it did not come across any violations of the requirements below during the course of its audit work that would have any material negative impact on the financial position of the licensee:

                      (a) The Bahrain Commercial Companies Law (as amended); and
                      (b) The CBB Law and any related Regulations, Resolutions and Directives issued by the CBB (as amended from time to time) where a violation might have had a material negative effect on the business of the licensee or on its financial position.
                      January 2014

                    • PD-1.3.12

                      The notes to the audited financial statements must disclose the amount of any penalties paid to the CBB during the period of the report together with a factual description of the reason(s) given by the CBB for the penalty (see Module EN).

                      January 2014

              • PD-2 PD-2 Other Public Disclosure Requirements

                • PD-2.1 PD-2.1 Disclosure of Fees, Commissions and other Charges on Loans/Facilities and other Forms of Financing

                  • Display of Rates by Conspicuous Notice

                    • PD-2.1.1

                      Licensees must display a list of current charges including any standard charges and commissions that will be applied by the licensee to individual services and transactions. See Module BC for further details.

                      January 2014

                  • Advertising of Microfinance Credit Facilities

                    • PD-2.1.2

                      Licensees are also asked to take special care to ensure that the content of any advertising material does not mislead or deceive the public in any way. All advertising is subject to CBB prior approval in accordance with Section BC-1.8.

                      January 2014

      • Type 7: Type 7: Ancillary Service Providers

        • Part A Part A

          • High Level Standards

            • AU AU Ancillary Service Providers Authorisation Module

              • AU-A AU-A Introduction

                • AU-A.1 AU-A.1 Purpose

                  • Executive Summary

                    • AU-A.1.1

                      The executive summary only provides an overview. For detailed rules, reference must be made to the individual Rules outlined in the remainder of this Module.

                      April 2016

                    • AU-A.1.2

                      Module AU sets out the Central Bank of Bahrain's ('CBB's) approach to licensing providers of regulated ancillary services in the Kingdom of Bahrain. It also sets out CBB requirements for approving persons undertaking key functions in those providers.

                      April 2016

                    • AU-A.1.3

                      Licensed providers of regulated ancillary services fall into the following categories: third party administrators, card processing services, operating a credit reference bureau, payment service providers, Shari'a advisory/review services, operating a crowdfunding platform, account information service providers and payment initiation service providers and carrying out services in accordance with the CBB Law. These licensees are referred to as financial sector support institutions under Article (1) of the CBB Law and its amendments.

                      Amended: October 2019
                      April 2016

                    • AU-A.1.4

                      Regulated ancillary services are defined in Paragraph AU-1.2.1.

                      April 2016

                    • AU-A.1.5

                      Persons undertaking certain functions in relation to ancillary service provider licensees require prior CBB approval. These functions (called 'controlled functions') include members of the board of directors and members of senior management. The controlled functions regime supplements the licensing regime by ensuring that key persons involved in the running of ancillary service provider licensees are fit and proper. Those authorised by the CBB to undertake controlled functions are called approved persons.

                      April 2016

                  • Retaining Authorised Status

                    • AU-A.1.6

                      The requirements set out in Chapters AU-2 and AU-3 represent the minimum conditions that have to be met in each case, both at the point of authorisation and on an on-going basis thereafter, in order for authorised status to be retained.

                      April 2016

                  • Legal Basis

                    • AU-A.1.7

                      This Module contains the CBB's Directive incorporating the relevant Regulations and Resolutions (as amended from time to time) applicable to all ancillary service provider licensees (including their approved persons) regarding authorisation under CBB Rulebook Volume 5: Specialised Licensees and is issued under the powers available to the CBB under Articles 37 to 42, 44 to 48 and 180 of the Central Bank of Bahrain and Financial Institutions Law 2006 and its amendments ('CBB Law'). It includes:

                      (a) the requirements (as amended from time to time) under Regulation No (1) of 2007 pertaining to the CBB's regulated services issued under Article 39 of the CBB Law and those requirements governing the conditions of granting a license for the provision of regulated services as prescribed under Resolution No (43) of 2011 and issued under the powers available to the CBB under Article 44(c);
                      (b) the requirements under Resolution No. (16) for the year 2012 including the prohibition of marketing financial services pursuant to Article 42 of the CBB Law;
                      (c) the prior approval requirements for approved persons under Resolution No (23) of 2015; and
                      (d) the requirements (as amended from time to time) contained in Resolution No (1) of 2007 with respect to determining fees categories due for licenses and services provided by the CBB.
                      Amended: October 2019
                      Amended: December 2018
                      April 2016

                    • AU-A.1.8

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      April 2016

                    • AU-A.1.9

                      Persons wishing to undertake regulated ancillary services are required to be licensed by the CBB as an ancillary service provider licensee.

                      April 2016

                  • Licensing Conditions

                    • AU-A.1.10

                      Ancillary service provider licensees are subject to 8 licensing conditions, mostly specified at a high-level in Module AU, and further expanded in underlying subject Modules (such as Module BR). These licensing conditions are broadly equivalent to the standards applied in other Volumes of the CBB Rulebook, to other license categories, and are consistent with international good practice.

                      April 2016

                  • Information Requirements and Processes

                    • AU-A.1.11

                      Chapter AU-3 specifies the processes and information requirements that have to be followed for applicants seeking an ancillary service provider license. It also covers the voluntary surrender of a license, or its cancellation by the CBB.

                      April 2016

                • AU-A.2 AU-A.2 Module History

                  • Evolution of Module

                    • AU-A.2.1

                      This Module was first issued in April 2016. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made. Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      April 2016

                    • AU-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      AU-1.2.10A, AU-1.2.10B and AU-1.2.10C 04/2017 Added Paragraphs on issuance of pre-paid cards and PCI-DSS certification for Payment Service Providers.
                      AU-1.2.11 04/2017 Amended Paragraph on the settlement.
                      AU-2.3.2 04/2017 Amendment of reference.
                      AU-4.1.12 04/2017 Specified bank guarantee amounts.
                      AU-4.1.16 (l) 04/2017 Amended bank guarantee amount.
                      AU-4.5 07/2017 Added new Section on Publication of the Decision to Grant, Cancel or Amend a License
                      AU-1.2.1(ee) 10/2017 Added Crowdfunding Platform Operators under the definition of regulated services.
                      AU-1.2.10A(b) 10/2017 Amended bank guarantee requirement.
                      AU-1.2.14 – AU-1.2.20 10/2017 Added requirements on crowdfunding platform operators
                      AU-2.5.6A 10/2017 Added Paragraph on minimum core capital for crowdfunding platform operators.
                      AU-3.1.2 10/2017 Amended Paragraph.
                      AU-3.2 10/2017 Added a new section for the Approved Persons Requirements.
                      AU-4.1.12 10/2017 Amended bank guarantee amount for PSP and Card Processing Companies.
                      AU-4.1.16(l) 10/2017 Amended bank guarantee requirement for PSP issuing any multipurpose, electronic or otherwise, prepaid cards.
                      AU-4.3 10/2017 Deleted Approved Persons requirements from AU-4.3 and added to AU-3.2.
                      AU-4.6 10/2017 Added new section on Additional Requirements for Licensing Crowdfunding Platform Operators.
                      AU-4.1.1 04/2018 Amended Paragraph.
                      AU-4.3.2 04/2018 Amended Paragraph.
                      AU-1.2.1 12/2018 Added AISP and PISPs.
                      AU-1.2.10A 10/2018 Amended Paragraph.
                      AU-1.2.11A
                      AU-1.2.11B
                      10/2018 Added new Paragraphs on enabling PSPs to participate in EFTS
                      AU-1.2.21 – AU1.2.25 12/2018 Added new Paragraphs on AISPs and PISPs.
                      AU-2.5.6B
                      AU-2.5.6C
                      12/2018 Added new Paragraphs on Account Information Service Provider & Payment Initiation Services Provider.
                      AU-1.2.8 (a) & (b) 01/2019 Amended sub-paragraphs on clients' money account services.
                      AU-1.2.10 01/2019 Amended guidance on clients' money account.
                      AU-1.2.10A 01/2019 Amended sub-paragraph (a) on maximum balance limit for a natural person.
                      Added new sub-paragraph (bb) on maximum balance limit for a legal person.
                      Amend sub-paragraph (f).
                      AU-1.2.11 01/2019 Amended Paragraph.
                      AU-1.2.12 01/2019 Added a new Paragraph on audit of clients' money account.
                      AU-1.2.14 01/2019 Amended Paragraph to include B2B.
                      AU-1.2.16 01/2019 Changed guidance to rule and amended deleting B2B.
                      AU-1.2.24 01/2019 Amended Paragraph.
                      AU-2.5.6A 01/2019 Amended Core Capital amount.
                      AU-4.1.16(m) 01/2019 Amended sub-paragraph.
                      AU-1.2.11A 04/2019 Added a new Paragraph CDMs/kiosks.
                      AU-1.2.11B 04/2019 Added a new Paragraph CDMs/kiosks.
                      AU-1.2.11C 04/2019 Added a new Paragraph CDMs/kiosks.
                      AU-1.2.11D 04/2019 Added a new Paragraph CDMs/kiosks.
                      AU-1.2.11E 04/2019 Added a new Paragraph CDMs/kiosks.
                      AU-1.2.11F 04/2019 Added a new Paragraph CDMs/kiosks.
                      AU-1.2.11G 04/2019 Added a new Paragraph CDMs/kiosks.
                      AU-1.2.11H 04/2019 Added a new Paragraph CDMs/kiosks.
                      AU-1.2.11I 04/2019 Added a new Paragraph CDMs/kiosks.
                      AU-1.2.11J 04/2019 Amended Paragraph number.
                      AU-1.2.11K 04/2019 Amended Paragraph number.
                      AU-1.2.11L 04/2019 Amended Paragraph number.
                      AU-4.1.1 07/2019 Amended Paragraph to remove references to hardcopy Form 1 submission to online submission.
                      AU-A.1.3 10/2019 Amended Paragraph on licensed providers categories.
                      AU-1.2.1 10/2019 Amended Subparagraphs (a), (c), (d) and (ee).
                      AU-1.2.2 10/2019 Amended Paragraph.
                      AU-1.2.5 10/2019 Amended Paragraph.
                      AU-1.2.21 10/2019 Added full term of AISP.
                      AU-1.2.23 10/2019 Added full term of PISP.
                      AU-4.1.13 10/2019 Amended Guidance.
                      AU-4.1.15 10/2019 Amended Guidance.
                      AU-4.2.4 10/2019 Changed from Rule to Guidance.
                      AU-4.5.1 10/2019 Changed from Rule to Guidance.
                      AU-1.2.11L 07/2020 Paragraph moved to Module BR.
                      AU-1.2.1A 10/2020 Added a new Paragraph on compliance with AAOIFI Shari’a Standards.
                      AU-5.2.2 10/2020 Amended Paragraph on fixed annual licence fees.
                      AU-3.2.13A 01/2021 Added a new Paragraph on compliance of approved persons with the fit and proper requirement.
                      AU-5.2.2A 01/2021 Added a new guidance clarifying the applicable fees for licensees.
                      AU-4.1.4 07/2021 Amended Paragraph on the submission of licensing forms and applications.
                      AU-4.7.9 07/2021 Added a new Paragraph on additional requirements for PISPs and AISPs.
                      AU-1.2.14 04/2022 Amended Paragraph on crowdfunding platform operator definition.
                      AU-1.2.18 - AU-1.2.20 04/2022 Deleted Paragraphs.
                      AU-4.6.2 04/2022 Deleted Subparagraph (a).
                      AU-1.2.10A 07/2022 Amended Subparagraph (a) on maximum balance in any digital wallet.
                      AU-1.2.10A 04/2023 Amended Paragraph on payment from client money account.
                      AU-2.5.3 04/2023 Amended Paragraph on minimum core capital and liquid funds for TPAs.

                  • Superseded Requirements

                    • AU-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory instruments:

                      Circular / other reference Subject
                      Standard Conditions and Licensing Criteria for Providers of Ancillary Services to the Financial Sector Scope of license and licensing conditions.
                      EDBS/KH/C/63/2018 Enabling PSPs to participate in EFTS.
                      EDBS/KH/C/74/2018 Amendments to the Crowdfunding Requirements under the CBB Rulebook Volume 5 (Ancillary Service Providers).
                      EDBS/KH/C/83/2018 Amendments in Authorization Module (AU) of Ancillary Service Providers
                      Amended: January 2019
                      Amended: October 2018
                      April 2016

              • AU-B AU-B Scope of Application

                • AU-B.1 AU-B.1 Scope of Application

                  • AU-B.1.1

                    The content of this Module applies to all ancillary service provider licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

                    April 2016

                  • AU-B.1.2

                    Two types of authorisation are prescribed:

                    (a) Any person seeking to provide regulated ancillary services within or from the Kingdom of Bahrain must hold the appropriate CBB license (see Section AU-1.1); and
                    (b) Natural persons wishing to perform a controlled function in a licensee also require prior CBB's approval, as an approved person (see Section AU-1.2).
                    April 2016

                  • AU-B.1.3

                    The authorisation requirements in Chapter AU-1 have general applicability, in that they prevent any person from providing (or seeking to provide) regulated ancillary services within or from the Kingdom of Bahrain, unless they have been licensed as a an ancillary service provider by the CBB (see Rule AU-1.1.1).

                    April 2016

                  • AU-B.1.4

                    The remaining requirements in Chapters AU-1 to AU-3 (besides those mentioned in Section AU-B.1 above) apply to all those licensed by the CBB as an ancillary service provider licensee, or which are in the process of seeking such a license. They apply to persons incorporated in the Kingdom of Bahrain, unless otherwise specified.

                    April 2016

                  • AU-B.1.5

                    Chapter AU-2 applies to licensees (not just applicants), since licensing conditions have to be met on a continuous basis by licensees. Similarly, Chapter AU-3 applies to approved persons on a continuous basis; it also applies to licensees seeking an approved person authorisation. Chapter AU-4 contains requirements applicable to licensees, with respect to the starting up of their operations, as well as to licensees and approved persons, with respect to the amendment or cancellation of their authorised status. Finally, Section AU-5.2 imposes annual fees on licensees.

                    April 2016

              • AU-1 AU-1 Authorisation Requirements

                • AU-1.1 AU-1.1 Ancillary Service Provider Licensees

                  • General Prohibitions

                    • AU-1.1.1

                      No person may:

                      (a) Undertake (or hold themselves out to undertake) regulated ancillary services, by way of business within or from the Kingdom of Bahrain unless duly licensed by the CBB;
                      (b) Hold themselves out to be licensed by the CBB unless they have as a matter of fact been so licensed; or
                      (c) Market any financial services in the Kingdom of Bahrain unless:
                      (i) Allowed to do so by the terms of a license issued by the CBB;
                      (ii) The activities come within the terms of an exemption granted by the CBB by way of a Directive; or
                      (iii) Has obtained the express written permission of the CBB to offer financial services.
                      April 2016

                    • AU-1.1.2

                      In accordance with Resolution No.(16) for the year 2012 and for the purpose of Subparagraph AU-1.1.1(c), the word 'market' refers to any promotion, offering, announcement, advertising, broadcast or any other means of communication made for the purpose of inducing recipients to purchase or otherwise acquire financial services in return for monetary payment or some other form of valuable consideration.

                      April 2016

                    • AU-1.1.3

                      Persons in breach of Subparagraph AU-1.1.1(c) are considered in breach of Resolution No.(16) for the year 2012 and are subject to penalties under Articles 129 and 161 of the CBB Law (see also Section EN-9.3).

                      April 2016

                  • Licensing

                    • AU-1.1.4

                      Persons wishing to be licensed to undertake any of the regulated ancillary services within or from the Kingdom of Bahrain must apply in writing to the CBB. An application for a license must be in the form prescribed by the CBB as indicated in Chapter AU-4.

                      April 2016

                    • AU-1.1.5

                      An application for a license must be in the form prescribed by the CBB (Form 1) and must contain:

                      (a) A business plan specifying the type of business to be conducted;
                      (b) Application forms (Form 2) for all controllers; and
                      (c) Application forms (Form 3) for all controlled functions.
                      April 2016

                    • AU-1.1.6

                      The CBB will review the application and duly advise the applicant in writing when it has:

                      (a) Granted the application without conditions;
                      (b) Granted the application subject to conditions specified by the CBB; or
                      (c) Refused the application, stating the grounds on which the application has been refused and the process for appealing against that decision.
                      April 2016

                    • AU-1.1.7

                      Detailed rules and guidance regarding information requirements and processes for license applications can be found in Section AU-4.1. As specified in Paragraph AU-4.1.14, the CBB will provide a formal decision on license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB.

                      April 2016

                    • AU-1.1.8

                      In granting new licenses, the CBB will specify the specific categories of regulated ancillary service for which a license has been granted.

                      April 2016

                    • AU-1.1.9

                      All applicants for ancillary service provider license must satisfy the CBB that they meet, by the date of their license, the minimum conditions for licensing, as specified in Chapter AU-2. Once licensed, licensees must be in compliance with these criteria on an on-going basis.

                      April 2016

                • AU-1.2 AU-1.2 Definition of Regulated Ancillary Services

                  • AU-1.2.1

                    Regulated ancillary services are any of the following activities, carried on by way of business:

                    (a) Permitted services undertaken by third party administrators (TPA);
                    (b) Card processing;
                    (c) Services undertaken by Credit reference bureau;
                    (d) Permitted payment services provided by payment service provider (PSP);
                    (e) Shari'a advisory/review services;
                    (ee) Permitted activities of a crowdfunding platform operator;
                    (f) Providing account information services;
                    (g) Providing payment initiation services; and
                    (h) Any other ancillary services that are related to the financial services industry.
                    Amended: October 2019
                    Amended: December 2018
                    Amended: October 2017
                    April 2016

                  • AU-1.2.2 AU-1.2.2

                    For the purposes of Paragraph AU-1.2.1, carrying on a regulated ancillary service by way of business means:

                    (a) Undertaking any of the regulated ancillary service activities as defined in Section AU-1.2, for commercial gain; or
                    (b) Holding oneself out as willing and able to engage in such activities.
                    Amended: October 2019
                    April 2016

                    • AU-1.2.1A

                      Where licensees are undertaking regulated activities in accordance with Shari'a, all transactions and contracts concluded by licensees must comply with Sharia standards issued by the Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI). The validity of the contract or transaction is not impacted, if at a later date, the relevant AAOIFI Sharia standards are amended.

                      Added: October 2020

                    • AU-1.2.3

                      While Paragraph AU-1.2.1 covers different activities under regulated ancillary services, only the license itself will specify the list of activities the licensee has been authorised to carry out. For existing ancillary service providers at April 2016, no new license will be issued.

                      April 2016

                    • Third Party Administrators (TPAs)

                      • AU-1.2.4

                        TPA refers to processing claims in connection with insurance coverage offered by insurance firms.

                        April 2016

                      • AU-1.2.5

                        Notwithstanding Paragraph AU-1.2.4, TPAs are also allowed to offer their services to self-funded schemes outside Bahrain.

                        Amended: October 2019
                        April 2016

                      • AU-1.2.5A

                        When TPAs process claims for insurance firms, the CBB regards this activity as an outsourced activity and insurance firms should refer to Chapter RM-7 Outsourcing Risk under Volume 3 (Insurance) of the CBB Rulebook.

                        April 2016

                    • Card Processing

                      • AU-1.2.5B

                        Card processing includes:

                        (a) The act of processing or transmitting debit/credit/prepaid card holder and transaction related data;
                        (b) Integrating customer delivery channels to enterprises to enable data transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet);
                        (c) Hosting and managing card program;
                        (d) Approving and authenticating payment transactions as per financial institutions rules;
                        (e) Providing technical service support for E-commerce and M-commerce transactions;
                        (f) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks;
                        (g) Reporting and customising reporting engine;
                        (h) Call centre outsourcing services; and
                        (i) Online and mobile portals for bank customers.
                        Amended: April 2023
                        April 2016

                    • Credit Reference Bureau

                      • AU-1.2.6

                        A credit reference bureau is a company licensed by the CBB as an ancillary services provider that receives, stores, analyses and classifies the credit information of customers and issues credit reports and provides the members of the credit reference bureau with such reports upon their request.

                        April 2016

                      • AU-1.2.7

                        For purposes of Paragraph AU-1.2.6, 'customers' refers to customers of the members of the credit reference bureau as defined under Article (68 bis) b) 3) of the CBB Law.

                        April 2016

                    • Payment Service Provider ("PSP")

                      • AU-1.2.8

                        Payment service providers, may act as an intermediary for the following services:

                        (a) Services enabling cash to be placed in clients' money account and all of the operations required for operating the account;
                        (b) Services enabling cash withdrawals from clients' money account and all of the operations required for operating the account;
                        (c) The settlement of the direct debits of payment transactions;
                        (d) Integrating customer delivery channels to enterprises to enable transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet); and
                        (e) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks.
                        Amended: January 2019
                        Amended: April 2017
                        April 2016

                      • AU-1.2.9

                        Payment service providers also facilitate the payment of high volume periodic/repetitive bills (e.g. utility bills, phone bills etc), and customer initiated payments.

                        April 2016

                      • AU-1.2.10

                        For purposes of Paragraph AU-1.2.8, clients' money account is defined as an account held in a retail bank which is used for the execution of payment transactions. The CBB has the right to stop this clients' money account at any time.

                        Amended: January 2019
                        April 2016

                      • AU-1.2.10A

                        When issuing any multi-purpose, electronic or otherwise, pre-paid cards, payment service providers must comply with the following requirements:

                        (a) The maximum balance limit under each natural person must not exceed BD2,500;
                        (bb) The maximum balance limit for each legal person must not exceed BD10,000 (Loading and transaction size).
                        (b) The payment service provider must obtain a bank guarantee of BD100,000 from a retail bank licensed in the Kingdom of Bahrain; instead of the bank guarantee amount required under Paragraph AU-4.1.12.
                        (c) Comply with all the requirements outlined under Module FC (Financial Crime);
                        (d) All pre-paid plastic cards must be EMV compliant (chip and PIN and online authentication);
                        (e) Any pre-paid card which is inactive for a period of six months must be placed in a dormant list; and
                        (f) All transactions on pre-paid cards must be made through the client money account with a retail bank in Bahrain (See also Chapter GR-15, Client Money Requirements).
                        Amended: April 2023
                        Amended: July 2022
                        Amended: January 2019
                        Amended: October 2018
                        Amended: October 2017
                        Added: April 2017

                      • AU-1.2.10B

                        In addition to the requirements listed under Paragraph AU 1.2.10A, Payment service providers must maintain up to date Payment Card Industry Data Security Standards (PCI-DSS) certification. The initial certification must be obtained by 31st December 2017.

                        Added: April 2017

                      • AU-1.2.10C

                        In order to maintain up to date PCI-DSS certification, payment service providers will be periodically audited by PCI authorised companies for compliance. Licensees are asked to make certified copies of such documents available if requested by the CBB.

                        Added: April 2017

                      • AU-1.2.11

                        When a customer load cash into the card through kiosk or company/bank counter, the payment service provider must update the amount into the card immediately, and must deposit the relevant cash amount into the clients' money account within 24 hours.

                        Amended: January 2019
                        Amended: April 2017
                        April 2016

                      • AU-1.2.11A

                        When owning or operating Cash Dispensing Machines (CDM) or Kiosks, payment service providers must comply with the requirements stated in Paragraphs AU-1.2.11B to Paragraph AU-1.2.11I.

                        Added: April 2019

                      • AU-1.2.11B

                        Payment service providers must obtain CBB's prior written approval for owning or operating any Cash Dispensing Machine (CDM) or Kiosk.

                        Added: April 2019

                      • AU-1.2.11C

                        Payment service providers must submit a written application to the Supervisory Point of Contact (SPoC) at the CBB, detailing the type of CDM or Kiosk, the proposed location(s) and the proposed security measures.

                        Added: April 2019

                      • AU-1.2.11D

                        The application referred to in Paragraph AU-1.2.11C will be assessed on its individual merits, and at the CBB's sole discretion, taking into account factors which the CBB considers relevant including, but not limited to:

                        (a) The suitability of the location(s) in question;
                        (b) The level of overall activities of the applicant in the market as well as the size and make-up of its customer base; and
                        (c) The type and range of facilities which the applicant proposes to offer through the CDM or Kiosk at the proposed location(s).
                        Added: April 2019

                      • AU-1.2.11E

                        In addition to the information required by the CBB, further information/clarification may be requested by the CBB before it takes a decision regarding the application. The CBB's decision in this regard will be communicated to the applicant payment service provider in writing.

                        Added: April 2019

                      • AU-1.2.11F

                        CDMs or Kiosks may be owned individually or jointly by ancillary service providers.

                        Added: April 2019

                      • AU-1.2.11G

                        Payment service providers must not charge their customers for cash withdrawal transactions. When a customer uses CDMs, Kiosks or ATMs belonging to other banks or PSPs, the acquiring PSP/ bank may apply a charge capped at 100 fils per transaction to the issuing PSP.

                        Added: April 2019

                      • AU-1.2.11H

                        Payment service providers must obtain the CBB's prior written approval for the termination/suspension of any of its CDMs or Kiosks.

                        Added: April 2019

                      • AU-1.2.11I

                        The CBB may, at its sole discretion, require a payment service provider to terminate/suspend a CDM or Kiosk at any time.

                        Added: April 2019

                      • AU-1.2.11J

                        Payment service providers must ensure they have a robust internal technological infrastructure and direct technical access to the EFTS, on an uninterrupted basis (24 X 7 days and 365 days in the year), to send, authorise and receive Fawri+/Fawateer direct credits on a real-time basis.

                        Amended: April 2019
                        Added: October 2018

                      • AU-1.2.11K

                        Payment service providers must maintain a daily value limit of BD1,000 for the total Fawri+ and Fawateer transactions (with assured immediate finality, i.e. within 30 seconds) for each STV card/IBAN account per day.

                        Amended: April 2019
                        Added: October 2018

                      • AU-1.2.11L

                        [This Paragraph was moved to BR-1.1.6 in July 2020].

                        Amended: July 2020
                        Amended: April 2019
                        Added: January 2019

                    • Shari'a Advisory/Review Services

                      • AU-1.2.12

                        Shari'a advisory/review services refer to:

                        (a) Regular assessment on Shari'a compliance in the activities and operations of Islamic financial institutions or any financial institution offering regulated Islamic financial services, by those qualified to offer Shari'a review services, with the objective of ensuring that the activities and operations carried out by these financial institutions do not contravene the Shari'a principles. The services include the examination and evaluation of the financial institutions' level of compliance to the Shari'a, remedial rectification measures to resolve non-compliance and control mechanism to avoid recurrences. The examination includes contracts, agreements, policies, products, transactions, memorandum and articles of association, financial statements and reports;
                        (b) Issuance of Shari'a pronouncements on any aspect of the Islamic financial institution's activities or operations; and
                        (c) Ad-hoc Shari'a advisory services for products and services governed by financial services.
                        April 2016

                      • AU-1.2.13

                        In offering Shari'a advisory/review services, the licensee must not offer services to the same client where this may lead to a conflict of interest in terms of services offered. As an example, if the licensee has offered services under Subparagraph AU-1.2.12(b), no service can be offered under Subparagraph AU-1.2.12(a) in relation to the pronouncement.

                        April 2016

                    • Crowdfunding Platform Operator

                      • AU-1.2.14

                        Crowdfunding platform operator refers to a person licensed by the CBB to operate an online portal or other electronic media through which people lend money to businesses (Person to Business-P2B), and businesses lend money to other businesses (Business to Business – B2B) for the purpose of gaining a financial return in the form of interest/profit payment and a repayment of credit over a pre-specified period of time (financing-based crowdfunding), and/or raising of capital by issuance of ordinary shares, or other equity instruments like preferred shares (equity-based crowdfunding).

                        Amended: April 2022
                        Amended: January 2019
                        Added: October 2017

                      • AU-1.2.15

                        The role of crowdfunding platform operator is restricted to arranging deals, bringing together borrowers and lenders, in case of financing-based crowdfunding, and investors and issuers, in case of equity-based crowdfunding. Crowdfunding platform operators are strictly prohibited to provide any advice on deals.

                        Added: October 2017

                      • AU-1.2.16

                        Crowdfunding Platform Operator must not undertake Business to Person (B2P) or Person to Person (P2P) lending/investing.

                        Amended: January 2019
                        Added: October 2017

                      • AU-1.2.17

                        Crowdfunding platform operators may raise funds for borrowers/issuers based in the Kingdom of Bahrain or abroad.

                        Added: October 2017

                      • AU-1.2.18

                        [This Paragraph was deleted in April 2022].

                        Deleted: April 2022
                        Added: October 2017

                      • AU-1.2.19

                        [This Paragraph was deleted in April 2022].

                        Deleted: April 2022
                        Added: October 2017

                      • AU-1.2.20

                        [This Paragraph was deleted in April 2022].

                        Deleted: April 2022
                        Added: October 2017

                    • Account Information Service Provider (AISP)

                      • AU-1.2.21

                        Account Information Services Provider (AISP) refers to a person licensed by the CBB to provide account information services using an online portal, mobile or smart phone application, device or other electronic media which a consenting customer can use to obtain aggregate or consolidated information about his account balances with licensed banks, financing companies and other licensees.

                        Amended: October 2019
                        Added: December 2018

                      • AU-1.2.22

                        The role of an AISP is restricted to providing the technology or other means in order to provide account information to the customer and the handling of communication or electronic documents between the customer and the licensees should the terms of the offer include such services. AISPs must not receive or otherwise handle customer funds in the course of providing account information services.

                        Added: December 2018

                    • Payment Initiation Service Provider (PISP)

                      • AU-1.2.23

                        Payment Initiation Service Provider (PISP) refers to a person licensed by the CBB to initiate payment or credit transfers for the customer from an account held with a licensed bank, financing company or PSP.

                        Amended: October 2019
                        Amended: January 2019
                        Added: December 2018

                      • AU-1.2.24

                        The role of a PISP is restricted to providing the technology or other means in order to initiate a payment order and the handling of communication or electronic documents between the customer and the licensees should the terms of the offer include such services. PISPs must not receive or otherwise handle customer funds in the course of providing payment initiation information services.

                        Added: December 2018

                    • Insurance Cover

                      • AU-1.2.25

                        AISPs and PISPs must, at all times, hold an insurance cover against liabilities arising from cyber security breaches.

                        Added: December 2018

                • AU-1.3 AU-1.3 Approved Persons

                  • General Requirements

                    • AU-1.3.1

                      Licensees must obtain the CBB's prior written approval for any person wishing to undertake a controlled function at a licensee. The approval from the CBB must be obtained prior to their appointment.

                      April 2016

                    • AU-1.3.2

                      Controlled functions are those occupied by board members and persons in executive positions and include:

                      (a) Member of the Board of Directors;
                      (b) Chief executive or general manager and their deputies;
                      (c) Head of function;
                      (d) Compliance officer; and
                      (e) Money Laundering Reporting Officer (for PSPs).
                      April 2016

                    • AU-1.3.3

                      Combination of the above controlled functions is subject to the requirements contained in Module HC.

                      April 2016

                  • Basis for Approval

                    • AU-1.3.4

                      Approval under Paragraph AU-1.3.1 is only granted by the CBB, if it is satisfied that the person is fit and proper to hold the particular position in the licensee concerned. 'Fit and proper' is determined by the CBB on a case-by-case basis. The definition of 'fit and proper' and associated guidance is provided in Section AU-3.1.

                      April 2016

                    • AU-1.3.5

                      The chief executive or general manager means a person who is responsible for the conduct of the licensee (regardless of actual title). The chief executive or general manager must be resident in Bahrain. This person is responsible for the conduct of the whole of the firm.

                      April 2016

                    • AU-1.3.6

                      Head of function means a person who exercises major managerial responsibilities, is responsible for a significant business or operating unit, or has senior managerial responsibility for maintaining accounts or other records of the licensee.

                      April 2016

                    • AU-1.3.7

                      Whether a person is a head of function will depend on the facts in each case and is not determined by the presence or absence of the word in their job title. Examples of head of function might include, depending on the scale, nature and complexity of the business, a deputy chief executive; heads of departments such as risk management, compliance or internal audit; the chief financial officer; head of business department, etc..

                      April 2016

                    • AU-1.3.8

                      Where a licensee is in doubt as to whether a function should be considered a controlled function it must discuss the case with the CBB.

                      April 2016

                    • AU-1.3.9

                      All licensees must designate an employee, of appropriate standing and resident in Bahrain, as compliance officer. The compliance officer must report to senior management and must have access to the board of directors. The duties of the compliance officer include:

                      (a) Assisting senior management/head of function to identify and assess the main compliance risks facing the licensees and the plans to manage them;
                      (b) Advising senior management/head of function on compliance with laws, rules and standards, including keeping them informed on developments in the area;
                      (c) Assisting senior management/head of function in educating staff on compliance issues, and acting as a contact point within the licensee for compliance queries from staff members;
                      (d) Establishing written guidance to staff on the appropriate implementation of compliance with laws, rules and standards through policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines;
                      (e) On a pro-active basis, identifying, documenting and assessing the compliance risks associated with the licensee's business activities, including the development of new products and business practices, the proposed establishment of new types of business or customer relationships, or material changes in the nature of such relationships;
                      (f) Monitoring and testing compliance by performing sufficient and representative compliance testing; and
                      (g) Reporting on a regular basis to the board of directors or the Audit committee of the board of directors.
                      April 2016

              • AU-2 AU-2 Licensing Conditions

                • AU-2.1 AU-2.1 Condition 1: Legal Status

                  • AU-2.1.1

                    The legal status of a licensee that is an ancillary service provider licensee must be a legal form approved by the CBB.

                    April 2016

                • AU-2.2 AU-2.2 Condition 2: Mind and Management

                  • AU-2.2.1

                    Licensees must maintain their head office and management in the Kingdom.

                    April 2016

                • AU-2.3 AU-2.3 Condition 3: Controllers

                  • AU-2.3.1

                    Licensees must satisfy the CBB that their controllers are suitable and pose no undue risks to the licensee. Licensees must also satisfy the CBB that their group structures do not prevent the effective supervision of the licensee by the CBB and otherwise pose no undue risks to the licensee.

                    April 2016

                  • AU-2.3.2

                    Chapter GR-7 contains the CBB's requirements and definitions regarding controllers.

                    Amended: April 2017
                    April 2016

                  • AU-2.3.3

                    In summary, controllers are persons who directly or indirectly are significant shareholders in a licensee, or who are otherwise able to exert significant influence on the licensee. The CBB seeks to ensure that controllers pose no significant risks to the licensee. In general terms, controllers are assessed in terms of their financial standing, their judicial and regulatory record, and standards of business and (where relevant) personal probity.

                    April 2016

                  • AU-2.3.4

                    As regards group structures, the CBB seeks to ensure that these do not prevent adequate consolidated supervision being applied to financial entities within the group, and that other group entities do not pose any material financial, reputational or other risks to the licensee.

                    April 2016

                  • AU-2.3.5

                    In all cases, when judging applications from existing groups, the CBB will have regard to the reputation and financial standing of the group as a whole. Where relevant, the CBB will also take into account the extent and quality of supervision applied to overseas members of the group and take into account any information provided by other supervisors in relation to any member of the group.

                    April 2016

                • AU-2.4 AU-2.4 Condition 4: Board and Employees

                  • AU-2.4.1

                    Those nominated to carry out controlled functions must satisfy the CBB's approved persons requirements. This rule is supported by Article 65 of the CBB Law.

                    April 2016

                  • AU-2.4.2

                    The definition of controlled functions is contained in Paragraph AU-1.3.2, whilst Chapter AU-3 sets out CBB's approved persons requirements.

                    April 2016

                  • AU-2.4.3

                    The licensee's staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of the licensee in a sound and prudent manner. Licensees must ensure their employees meet any training and competency requirements specified by the CBB.

                    April 2016

                • AU-2.5 AU-2.5 Condition 5: Financial Resources

                  • Capital Funds

                    • AU-2.5.1

                      Licensees must maintain a level of financial resources, as agreed with the CBB, adequate for the level of business proposed. A greater amount of capital than specified in this Section may be required by the CBB on a case-by-case basis.

                      April 2016

                    • AU-2.5.2

                      Where a licensee undertakes more than one activity outlined under Paragraph AU-1.2.1, the licensee must maintain the highest level of core capital required amongst all categories of activities which it provides.

                      April 2016

                  • Third Party Administrators

                    • AU-2.5.3

                      For third party administrators, licensees must maintain a minimum core capital of BD25,000 and adequate liquid funds representing 25% of operating expenses incurred in the preceding financial year at all times in the form of cash or liquid assets that can be converted to cash in the short-term to cover its operating expenses.

                      Amended: April 2023
                      April 2016

                  • Card Processing and Payment Service Providers

                    • AU-2.5.4

                      For card processing and payment service providers, licensees must maintain a minimum core capital of BD 250,000.

                      April 2016

                  • Credit Reference Bureau

                    • AU-2.5.5

                      Licensees must maintain a minimum core capital of BD 2 million.

                      April 2016

                  • Shari'a Advisory/Review Services

                    • AU-2.5.6

                      Licensees must maintain a minimum core capital of BD 30,000.

                      April 2016

                  • Crowdfunding Platform Operator

                    • AU-2.5.6A

                      Licensees must maintain a minimum core capital of BD 25,000.

                      Amended: January 2019
                      Added: October 2017

                  • Account Information Services Provider

                    • AU-2.5.6B

                      Licensees must maintain a minimum core capital of BD 25,000.

                      Added: January 2019

                  • Payment Initiation Services Provider

                    • AU-2.5.6C

                      Licensees must maintain a minimum core capital of BD 30,000.

                      Added: January 2019

                  • Liquidity

                    • AU-2.5.7

                      Licensees must maintain sufficient liquid assets to meet their obligations as they fall due in the normal course of their business.

                      April 2016

                • AU-2.6 AU-2.6 Condition 6: Systems and Controls

                  • AU-2.6.1

                    Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate for the scale and complexity of their activities. These systems and controls must meet the minimum requirements contained in Modules HC and RM (to be issued at a later date).

                    April 2016

                  • AU-2.6.2

                    Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate to address the risks of financial crime occurring in the licensee.

                    April 2016

                • AU-2.7 AU-2.7 Condition 7: External Auditor

                  • AU-2.7.1

                    Article 61 of the CBB Law requires that licensees appoint an external auditor, subject to the CBB's prior approval. The minimum requirements regarding auditors contained in Module AA (Auditors and Accounting Standards) must be met.

                    April 2016

                • AU-2.8 AU-2.8 Condition 8: Other Requirements

                  • Books and Records

                    • AU-2.8.1

                      Article 59 of the CBB Law requires that licensees must maintain comprehensive books of accounts and other records, and satisfy the minimum record-keeping requirements contained in Article 60 of the pre-mentioned Law and Module GR. Books of accounts must comply with the financial accounting standards issued by the International Financial Reporting Standards (IFRS)/International Accounting Standards (IAS) or the applicable AAOIFI standards for Islamic licensees.

                      April 2016

                  • Provision of Information

                    • AU-2.8.2

                      Articles 58, 111, 114 and 163 of the CBB Law require that licensees and their staff must act in an open and cooperative manner with the CBB. Licensees must meet the regulatory reporting and disclosure requirements contained in Module BR. As per Article 62 of the CBB Law, audited financial statements must be submitted to the CBB within 3 months of the licensee's financial year-end.

                      April 2016

                  • General Conduct

                    • AU-2.8.3

                      Licensees must conduct their activities in a professional and orderly manner, in keeping with good market practice. Licensees must comply with the general standards of business conduct contained in Modules PB and GR.

                      April 2016

                  • Additional Conditions

                    • AU-2.8.4

                      Licensees must comply with any other specific requirements or restrictions imposed by the CBB on the scope of their license.

                      April 2016

                    • AU-2.8.5

                      Licensees are subject to the provisions of the CBB Law. These include the right of the CBB to impose such terms and conditions, as it may deem necessary when issuing a license, as specified in Article 45 of the CBB Law. Thus, when granting a license, the CBB specifies the regulated ancillary services that the licensee may undertake. Licensees must respect the scope of their license.

                      April 2016

                    • AU-2.8.6

                      In addition, the CBB may impose additional restrictions or requirements, beyond those already specified in Volume 5, to address specific risks. For instance, a license may be granted subject to strict limitations on intra-group transactions.

                      April 2016

              • AU-3 AU-3 Approved Persons

                • AU-3.1 AU-3.1 Approved Persons Conditions

                  • AU-3.1.1

                    Licensees seeking an approved person authorisation for an individual, must satisfy the CBB that the individual concerned is 'fit and proper' to undertake the controlled function in question.

                    April 2016

                  • AU-3.1.2

                    The authorisation requirements for persons nominated to carry out controlled functions is contained in Section AU-1.3. The authorisation process is described in Section AU-3.2.

                    Amended: October 2017
                    April 2016

                  • AU-3.1.3

                    Each applicant applying for approved person status and those individuals occupying approved person positions must comply with the following conditions:

                    (a) Has not previously been convicted of any felony or crime that relates to his/her honesty and/or integrity unless he/she has subsequently been restored to good standing;
                    (b) Has not been the subject of any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud;
                    (c) Has not been adjudged bankrupt by a court unless a period of 10 years has passed, during which the person has been able to meet all his/her obligations and has achieved economic accomplishments;
                    (d) Has not been disqualified by a court, regulator or other competent body, as a director or as a manager of a corporation;
                    (e) Has not failed to satisfy a judgement debt under a court order resulting from a business relationship;
                    (f) Must have personal integrity, good conduct and reputation;
                    (g) Has appropriate professional and other qualifications for the controlled function in question; and
                    (h) Has sufficient experience to perform the duties of the controlled function.
                    April 2016

                  • AU-3.1.4

                    In assessing the conditions prescribed in Rule AU-3.1.3, the CBB will take into account the criteria contained in Paragraph AU-3.1-5. The CBB reviews each application on a case-by-case basis, taking into account all relevant circumstances. A person may be considered 'fit and proper' to undertake one type of controlled function but not another, depending on the function's job size and required levels of experience and expertise. Similarly, a person approved to undertake a controlled function in one licensee may not be considered to have sufficient expertise and experience to undertake nominally the same controlled function but in a much bigger licensee.

                    April 2016

                  • AU-3.1.5

                    In assessing a person's fitness and propriety, the CBB will also consider previous professional and personal conduct (in Bahrain or elsewhere) including, but not limited to, the following:

                    (a) The propriety of a person's conduct, whether or not such conduct resulted in a criminal offence being committed, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
                    (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
                    (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
                    (d) Whether the person, or any body corporate, partnership or unincorporated institution to which the applicant has, or has been associated with as a director, controller, manager or company secretary been the subject of any disciplinary proceeding, investigation or fines by any government authority, regulatory agency or professional body or association;
                    (e) The contravention of any financial services legislation;
                    (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
                    (g) Dismissal or a request to resign from any office or employment;
                    (h) Whether the person has been a member of a board of directors, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners have been declared bankrupt whilst the person was connected with that partnership;
                    (i) The extent to which the person has been truthful and open with supervisors; and
                    (j) Whether the person has ever entered into any arrangement with creditors in relation to the inability to pay due debts.
                    April 2016

                  • AU-3.1.6

                    With respect to Paragraph AU-3.1.5, the CBB will take into account the length of time since any such event occurred, as well as the seriousness of the matter in question.

                    April 2016

                  • AU-3.1.7

                    Approved persons undertaking a controlled function must act prudently, and with honesty, integrity, care, skill and due diligence in the performance of their duties. They must avoid conflicts of interest arising whilst undertaking a controlled function.

                    April 2016

                  • AU-3.1.8

                    In determining where there may be a conflict of interest arising, factors that may be considered will include whether:

                    (a) A person has breached any fiduciary obligations to the company or terms of employment;
                    (b) A person has undertaken actions that would be difficult to defend, when looked at objectively, as being in the interest of the licensee; and
                    (c) A person has failed to declare a personal interest that has a material impact in terms of the person's relationship with the licensee.
                    April 2016

                  • AU-3.1.9

                    Further guidance on the process for assessing a person's 'fit and proper' status is given in Module EN (Enforcement): see Chapter EN-8.

                    April 2016

                • AU-3.2 AU-3.2 Approved Persons Requirements

                  • AU-3.2.1

                    Licensees must obtain CBB prior written approval before a person is formally appointed to a controlled function. The request for CBB approval must be made by submitting to the CBB a duly completed Form 3 (Application for Approved Person status) and Curriculum Vitae after verifying that all the information contained in the Form 3, including previous experience, is accurate. Form 3 is available under Volume 5 Part B Authorisation Forms of the CBB Rulebook.

                    Added: October 2017

                  • AU-3.2.2

                    When the request for approved person status forms part of a license application, the Form 3 must be marked for the attention of the Director, Licensing Directorate. When the submission to undertake a controlled function is in relation to an existing licensee, the Form 3, except if dealing with a MLRO, must be marked for the attention of the concerned supervisory point of contact at the CBB. In the case of the MLRO, Form 3 should be marked for the attention of the Director, Compliance Directorate.

                    Amended: April 2018
                    Added: October 2017

                  • AU-3.2.3

                    When submitting Form 3, licensees must ensure that the Form 3 is:

                    (a) Submitted to the CBB with a covering letter signed by an authorised representative of the licensee, seeking approval for the proposed controlled function;
                    (b) Submitted in original form;
                    (c) Submitted with a certified copy of the applicant's passport, original or certified copies of educational and professional qualification certificates (and translation if not in Arabic or English) and the Curriculum Vitae; and
                    (d) Signed by an authorised representative of the licensee and all pages stamped with the licensee's seal.
                    Added: October 2017

                  • AU-3.2.4

                    Licensees seeking to appoint members of the board of directors must seek CBB approval for all the candidates to be put forward for election/approval at a shareholders' meeting, in advance of the agenda being issued to shareholders. CBB approval of the candidates does not in any way limit shareholders' rights to refuse those put forward for election/approval.

                    Added: October 2017

                  • AU-3.2.5

                    For existing licensees applying for the appointment of any controlled functions, the authorised representative should be a duly authorised representative of the licensee and must submit with Form 3: Application for Approved Person Status, internal documentary evidence supporting the appointment of the duly authorised representative of the licensee.

                    Added: October 2017

                  • Assessment of Application

                    • AU-3.2.6

                      The CBB shall review and assess the application for approved person status to ensure that it satisfies all the conditions required in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5

                      Added: October 2017

                    • AU-3.2.7

                      For purposes of Paragraph AU-3.2.6, licensees should give the CBB a reasonable amount of notice in order for an application to be reviewed. The CBB shall respond within 15 business days from the date of meeting all regulatory requirements, including but not limited to receiving the application complete with all the required information and documents, as well as verifying references.

                      Added: October 2017

                    • AU-3.2.8

                      The CBB reserves the right to refuse an application for approved person status if it does not satisfy the conditions provided for in Paragraph AU-3.1.3 and does not satisfy the CBB criteria in Paragraph AU-3.1.5. A notice of such refusal is issued by registered mail to the licensee concerned, setting out the basis for the decision.

                      Added: October 2017

                  • Appeal Process

                    • AU-3.2.9

                      Licensees or the nominated approved persons may, within 30 calendar days of the notification, appeal against the CBB's decision to refuse the application for approved person status. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from submitting the appeal.

                      Added: October 2017

                    • AU-3.2.10

                      Where notification of the CBB's decision to grant a person approved person status is not issued within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, licensees or the nominated approved personsmay appeal to the concerned Executive Director of the CBB provided that the appeal is justified with supporting documents. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from the date of submitting the appeal.

                      Added: October 2017

                  • Notification Requirements and Process

                    • AU-3.2.11

                      Licensees must immediately notify the CBB when an approved person ceases to hold a controlled function together with an explanation as to the reasons why (see Paragraph AU-4.4.9). In such cases, their approved person status is automatically withdrawn by the CBB.

                      Added: October 2017

                    • AU-3.2.12

                      Licensees must immediately notify the CBB in case of any material change to the information provided in a Form 3 submitted for an approved person.

                      Added: October 2017

                    • AU-3.2.13

                      Licensees must immediately notify the CBB when they become aware of any of the events listed in Paragraph EN-8.2.3, affecting one of their approved persons.

                      Added: October 2017

                    • AU-3.2.13A

                      Licensees must immediately notify the CBB should they become aware of information that could reasonably be viewed as calling into question an approved person’s compliance with CBB’s ‘fit and proper’ requirement (see AU3.1).

                      Added: January 2021

                  • Change in Controlled Function

                    • AU-3.2.14

                      Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee.

                      Added: October 2017

                    • AU-3.2.15

                      In such instances, a new Form 3 (Application for Approved Person status) should be completed and submitted to the CBB. Note that a person may be considered 'fit and proper' for one controlled function, but not for another, if for instance the new role requires a different set of skills and experience. Where an approved person is moving to a controlled function in another licensee, the first licensee should notify the CBB of that person's departure (see Rule AU-4.4.9), and the new licensee should submit a request for approval under Rule AU-1.3.1.

                      Added: October 2017

              • AU-4 AU-4 Information Requirements and Processes

                • AU-4.1 AU-4.1 Licensing

                  • Applications Form and Documents

                    • AU-4.1.1

                      Applicants for a license must fill in the Application Form 1 (Application for a License) online, available on the CBB website under Eservices/online Forms. The applicant must upload scanned copies of supporting documents listed in Paragraph AU-4.1.4, unless otherwise directed by the CBB.

                      Amended: July 2019
                      Amended: April 2018
                      April 2016

                    • AU-4.1.2

                      Articles 44 to 47 of the CBB Law govern the licensing process. This prescribes a single stage process, with the CBB required to take a decision within 60 calendar days of an application being deemed complete (i.e. containing all required information and documents). See below, for further details on the licensing process and timelines.

                      April 2016

                    • AU-4.1.3

                      References to applicant mean the proposed licensee seeking authorisation. An applicant may appoint a representative — such as a law firm or professional consultancy — to prepare and submit the application. However, the applicant retains full responsibility for the accuracy and completeness of the application, and is required to certify the application form accordingly. The CBB also expects to be able to liaise directly with the applicant during the authorisation process, when seeking clarification of any issues.

                      April 2016

                    • AU-4.1.4

                      Unless otherwise directed by the CBB, the following documents must be provided together with the covering letter referred in Paragraph AU-4.1.1 above in support of a license application:

                      (a) A duly completed Form 2 (Application for Authorisation of Controller) for each controller of the proposed licensee;
                      (b) A duly completed Form 3 (Application for Approved Person status), for each individual applying to undertake controlled functions of the proposed licensee;
                      (c) A comprehensive business plan for the application, addressing the matters described in AU-4.1.6;
                      (d) Where the applicant is an existing institution, a copy of the applicant's commercial registration;
                      (e) Where the applicant is a corporate body, a certified copy of a Board resolution of the applicant along with minutes of the concerned meeting, confirming the board's decision to seek a CBB ancillary service provider license;
                      (f) In the case of applicants that are part of a regulated group, a letter of non-objection to the proposed license application from the applicant's home supervisor, together with confirmation that the group is in good regulatory standing and is in compliance with applicable supervisory requirements, including those relating to capital adequacy and solvency requirements;
                      (g) Copies of the audited financial statements of the applicant's major shareholder and/or group (as directed by the CBB), for the three years immediately prior to the date of application;
                      (h) A draft copy of the applicant's (and parent's where applicable) memorandum and articles of association, addressing the matters described in AU-4.1.7;
                      (i) Evidence of competency and qualifications for Shari'a advisor; and
                      (j) Information and documents required under Section AU-4.7 for PSP, AISP and PSIP applicants.
                      Amended: July 2021
                      Added: April 2016

                    • AU-4.1.5

                      The CBB may require that an acceptably worded letter of guarantee be provided in support of the application for a license. Where the application for the license is for an incorporated entity, the CBB may seek a letter of guarantee from controllers. Where the application is for an overseas licensee, the CBB may seek a letter of guarantee from the parent company.

                      April 2016

                    • AU-4.1.6

                      The business plan submitted in support of an application should include:

                      (a) An outline of the history of the applicant and its shareholders;
                      (b) The reasons for applying for a license, including the applicant's strategy and market objectives;
                      (c) The proposed type of activities to be carried on by the applicant in/from the Kingdom of Bahrain;
                      (d) The proposed Board and senior management of the applicant and the proposed organisational structure of the applicant;
                      (e) An independent assessment of the risks that may be faced by the applicant, together with the proposed systems and controls framework to be put in place for addressing those risks and to be used for the main business functions. For card processing and payment services providers, IT security measures must be outlined in the plan;
                      (f) An opening balance sheet for the applicant, together with a three-year financial projection, with all assumptions clearly outlined, demonstrating that the applicant will be able to meet applicable leverage and liquidity requirements; and
                      (g) For TPA's, details setting forth the applicant's capability for providing a sufficient number of experienced and qualified personnel in the areas of claims' processing and recordkeeping.
                      April 2016

                    • AU-4.1.7

                      The applicant's (and where applicable, its parent's) memorandum and articles of association must explicitly provide for it to undertake the activities proposed in the licensed application, and must preclude the applicant from undertaking other commercial activities, unless these arise out of its activities or are incidental to those.

                      April 2016

                    • AU-4.1.8

                      All documentation provided to the CBB as part of an application for a license must be in either Arabic or English language. Any documentation in a language other than English or Arabic must be accompanied by a certified English or Arabic translation thereof.

                      April 2016

                    • AU-4.1.9

                      Any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs prior to authorisation must be reported to the CBB.

                      April 2016

                    • AU-4.1.10

                      Failure to inform the CBB of the changes specified in AU-4.1.9 is likely to be viewed as a failure to provide full and open disclosure of information, and thus a failure to meet licensing condition AU-2.8.2.

                      April 2016

                  • Licensing Process and Timelines

                    • AU-4.1.11

                      As part of the application process, the CBB will provide a formal decision on a license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB, as specified in Article 44 (e) of the CBB Law. The applicant must submit within 6 months of the application date, all remaining requirements or otherwise has to submit a new application to the CBB. Applicants are encouraged to approach the CBB to discuss their application at an early stage, so that any specific questions can be dealt with prior to the finalisation of the application.

                      April 2016

                    • AU-4.1.12

                      Before the final approval is granted to a licensee, confirmation from a retail bank addressed to the CBB that the licensee's capital (injected funds) — as specified in the business plan submitted under Rule AU-4.1.4 — has been paid in must be provided to the CBB. In addition, for payment services providers and card processing companies, a bank guarantee of BD50,000 must be provided.

                      Amended: October 2017
                      Amended: April 2017
                      April 2016

                  • Granting or Refusal of a License

                    • AU-4.1.13

                      To be granted a license, an applicant should demonstrate compliance with the applicable requirements of the CBB Law and this Module. Should a license be granted, the CBB will notify the applicant in writing of the fact; the CBB will also publish its decision to grant a license in the Official Gazette and in two local newspapers (one published in Arabic, the other in English). The license may be subject to such terms and conditions as the CBB deems necessary for the additional conditions being met.

                      Amended: October 2019
                      April 2016

                    • AU-4.1.14

                      The CBB may refuse to grant a license if in its opinion:

                      (a) The requirements of the CBB Law or this Module are not met;
                      (b) False or misleading information has been provided to the CBB, or information which should have been provided to the CBB has not been so provided; or
                      (c) The CBB believes it necessary in order to safeguard the interests of potential customers.
                      April 2016

                    • AU-4.1.15

                      Where the CBB proposes to refuse an application for a license, it will give the applicant a written notice to that effect. Applicants will be given a minimum of 30 calendar days from the date of the written notice to appeal the decision, as per the appeal procedures specified in the notice; these procedures will comply with the provisions contained in Article 46 of the CBB Law.

                      Amended: October 2019
                      April 2016

                  • Starting Operations

                    • AU-4.1.16

                      Within 6 months of the license being issued, the new licensee must provide to the CBB:

                      (a) A detailed action plan for establishing the operations and supporting infrastructure of the licensee, such as the completion of written policies and procedures, and recruitment of remaining employees (having regard to the time limit set by Article 48 (c) of the CBB Law);
                      (b) The registered office address and details of premises to be used to carry out the business of the proposed licensee;
                      (c) The address in the Kingdom of Bahrain where full business records will be kept;
                      (d) The licensee's contact details including telephone and fax number, e-mail address and website;
                      (e) A description of the business continuity plan;
                      (f) A description of the IT system that will be used, including details of how IT systems and other records will be backed up;
                      (g) A copy of the external auditor's acceptance to act as an external auditor for the applicant;
                      (h) A copy of the Ministry of Industry & Commerce commercial registration certificate in Arabic and English languages;
                      (i) A copy of the licensee's business card and any written communication (including stationery, website, e-mail, business documentation, etc.) including a statement that the ancillary service provider is licensed by the CBB;
                      (j) An updated organisation chart showing the reporting lines, committees (if any) and including the names of the persons undertaking the controlled functions;
                      (k) A copy of the licensee's professional indemnity insurance policy or confirmation that a deposit to an amount specified by the CBB has been placed in an escrow account with a retail bank licensed in the Kingdom of Bahrain;
                      (l) A bank guarantee of BD100,000 for payment service providers issuing any multi-purpose, electronic or otherwise, pre-paid cards, instead of the bank guarantee amount required under Paragraph AU-4.1.12. Such bank guarantee must be in the format approved by the CBB;
                      (m) Proof that the PSP has set up the clients' money account as required under Paragraph AU-1.2.8;
                      (n) A copy of the applicant's notarised memorandum and articles of association, addressing the matters described in Paragraph AU-4.1.6; and
                      o) Other information as may be specified by the CBB.
                      Amended: January 2019
                      Amended: October 2017
                      Amended: April 2017
                      April 2016

                    • AU-4.1.17

                      Applicants issued new licenses by the CBB must start operations within 6 months of the license being issued, as per Article 48 (c) of the CBB Law. Failure to comply with this rule may lead to enforcement action being taken against the licensee concerned, as specified in Article 128 of the CBB Law. A licensee must at all times keep an approved copy of the license displayed in a visible place on the licensee's premises in the Kingdom, as per Article 47 (b) of the CBB Law.

                      April 2016

                    • AU-4.1.18

                      Applicants may not publicise in any way the application for a licence for, or formation of, an ancillary service provider before the formal decision referred to in Paragraph AU-4.1.11 is provided to the applicant or the concerned agent.

                      April 2016

                • AU-4.2 AU-4.2 Variations to a License

                  • AU-4.2.1

                    As per Article 48 of the CBB Law, licensees must seek prior CBB approval before undertaking new regulated ancillary services.

                    April 2016

                  • AU-4.2.2

                    Failure to secure CBB approval prior to undertaking a new regulated activity may lead to enforcement action being taken against the concerned person in accordance with Article 40 of the CBB Law.

                    April 2016

                  • AU-4.2.3

                    In addition to any other information requested by the CBB, and unless otherwise directed by the CBB, a licensee requesting CBB approval to undertake a new regulated ancillary service must provide the following information:

                    (a) A summary of the rationale for undertaking the proposed new activities;
                    (b) A description of how the new business will be managed and controlled;
                    (c) An analysis of the financial impact of the new activities; and
                    (d) A summary of the due diligence undertaken by the Board and management of the licensee on the proposed new activities.
                    April 2016

                  • AU-4.2.4

                    The CBB may amend or revoke a licence in any of the following cases:

                    (a) If the licensee fails to satisfy any of the license conditions;
                    (b) If the licensee violates the terms of the CBB Rulebook;
                    (c) If the licensee fails to start business within six months from the date of the licence;
                    (d) If the licensee ceases to carry out the licensed activity in the Kingdom; or
                    (e) The legitimate interests of the customers or creditors of a licensee required such amendment or cancellation.
                    Amended: October 2019
                    April 2016

                  • AU-4.2.5

                    The CBB's procedure for amending or revoking a license is outlined in detail in the Enforcement Module (EN).

                    April 2016

                • AU-4.3 AU-4.3 [This section was moved to AU-3.2 in October 2017]

                  • AU-4.3.1

                    [This Paragraph was moved to AU-3.2.1 in October 2017].

                    Moved: October 2017
                    April 2016

                  • AU-4.3.2

                    [This Paragraph was moved to AU-3.2.2 in October 2017].

                    Moved: October 2017
                    April 2016

                  • AU-4.3.3

                    [This Paragraph was moved to AU-3.2.3 in October 2017].

                    Moved: October 2017
                    April 2016

                  • AU-4.3.4

                    [This Paragraph was moved to AU-3.2.4 in October 2017].

                    Moved: October 2017
                    April 2016

                  • AU-4.3.5

                    [This Paragraph was moved to AU-3.2.5 in October 2017].

                    Moved: October 2017
                    April 2016

                  • [This heading was moved to AU-3.2 in October 2017]

                    • AU-4.3.6

                      [This Paragraph was moved to AU-3.2.6 in October 2017].

                      Moved: October 2017
                      April 2016

                    • AU-4.3.7

                      [This Paragraph was moved to AU-3.2.7 in October 2017].

                      Moved: October 2017
                      April 2016

                    • AU-4.3.8

                      [This Paragraph was moved to AU-3.2.8 in October 2017].

                      Moved: October 2017
                      April 2016

                  • [This heading was moved to AU-3.2 in October 2017]

                    • AU-4.3.9

                      [This Paragraph was moved to AU-3.2.9 in October 2017].

                      Moved: October 2017
                      April 2016

                    • AU-4.3.10

                      [This Paragraph was moved to AU-3.2.10 in October 2017].

                      Moved: October 2017
                      April 2016

                  • [This heading was moved to AU-3.2 in October 2017]

                    • AU-4.3.11

                      [This Paragraph was moved to AU-3.2.11 in October 2017].

                      Moved: October 2017
                      April 2016

                    • AU-4.3.12

                      [This Paragraph was moved to AU-3.2.12 in October 2017].

                      Moved: October 2017
                      April 2016

                    • AU-4.3.13

                      [This Paragraph was moved to AU-3.2.13 in October 2017].

                      Moved: October 2017
                      April 2016

                  • [This heading was moved to AU-3.2 in October 2017]

                    • AU-4.3.14

                      [This Paragraph was moved to AU-3.2.14 in October 2017].

                      Moved: October 2017
                      April 2016

                    • AU-4.3.15

                      [This Paragraph was moved to AU-3.2.15 in October 2017].

                      Moved: October 2017
                      April 2016

                • AU-4.4 AU-4.4 Cancellation of Authorisation

                  • Licenses

                    • Voluntary Surrender

                      • AU-4.4.1

                        According to Article 50 of the CBB Law, all requests for the voluntary surrender of a license are subject to CBB approval. Such requests must be made in writing and must set out in full the reasons for the request and how the voluntary surrender is to be carried out. Requests must be addressed to the concerned Executive Director at the CBB.

                        April 2016

                      • AU-4.4.2

                        Licensees must satisfy the CBB that their customers' interests are to be safeguarded during and after the proposed voluntary surrender. The requirements contained in Chapter GR-9 regarding cessation of business must be satisfied.

                        April 2016

                      • AU-4.4.3

                        Failure to comply with Rule AU-4.4.1 may constitute a breach of Article 50(a) of the CBB Law. The CBB will only approve a voluntary surrender where it has no outstanding regulatory concerns and any relevant customers' interests would not be prejudiced. A voluntary surrender will not be accepted where it is aimed at preempting supervisory actions by the CBB. Also, a voluntary surrender will only take effect once the licensee, in the opinion of the CBB, has discharged all its regulatory responsibilities to customers.

                        April 2016

                      • AU-4.4.4

                        In accordance with Articles 50(a) and 51(a) of the CBB Law, a licensee wishing to cancel an authorisation for a service or a branch must obtain the CBB's prior written approval. The requirements contained in Chapter GR-9 regarding cessation of business must be satisfied.

                        April 2016

                    • Cancellation

                      • AU-4.4.5

                        As provided for under Article 48 of the CBB Law, the CBB may itself move to cancel a license, should the licensee fail to meet the conditions outlined in Paragraph AU-4.2.4.

                        April 2016

                      • AU-4.4.6

                        Cancellation of a license requires the CBB to issue a formal notice of cancellation to the person concerned. The notice of cancellation describes the CBB's rationale for the proposed cancellation, as specified in Article 48(d) of the CBB Law.

                        April 2016

                      • AU-4.4.7

                        The CBB generally views cancellation of a license as appropriate only in the most serious of circumstances, and generally tries to address supervisory concerns through other means beforehand. Further guidance is contained in Module EN (Enforcement), regarding CBB's approach to enforcement and on the process for issuing a notice of cancellation and the recipient's right to appeal the notice.

                        April 2016

                      • AU-4.4.8

                        Normally, where cancellation of a license has been confirmed by the CBB, the CBB will only effect the cancellation once a licensee has discharged all its regulatory responsibilities to customers. Until such time, the CBB will retain all its regulatory powers with regards to the licensee, and will direct the licensee such that no new regulated activity may be undertaken whilst the licensee discharges its obligations to customers.

                        April 2016

                    • Cancellation of Approved Person Status

                      • AU-4.4.9

                        In accordance with Paragraph AU-4.3.11, licensees must promptly notify the CBB in writing when a person undertaking a controlled function will no longer be carrying out that function. If a controlled function falls vacant, the licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the licensee must make immediate interim arrangements to ensure continuity of the duties and responsibilities of the controlled function affected. These interim arrangements must be approved by the CBB.

                        April 2016

                      • AU-4.4.10

                        The explanation given for any such changes should simply identify if the planned move was prompted by any concerns over the person concerned, or is due to a routine staff change, retirement or similar reason.

                        April 2016

                      • AU-4.4.11

                        The CBB may also move to declare someone as not 'fit and proper', in response to significant compliance failures or other improper behaviour by that person: see Chapter EN-8 regarding the cancellation of 'fit and proper' approval.

                        April 2016

                • AU-4.5 AU-4.5 Publication of the Decision to Grant, Cancel or Amend a License

                  • AU-4.5.1

                    In accordance with Articles 47 and 49 of the CBB Law, the CBB will publish its decision to grant, cancel or amend a license in the Official Gazette and in two local newspapers, one in Arabic and the other in English.

                    Amended: October 2019
                    Added: July 2017

                  • AU-4.5.2

                    For the purposes of Paragraph AU-4.5.1, the cost of publication must be borne by the Licensee.

                    Added: July 2017

                  • AU-4.5.3

                    The CBB may also publish its decision on such cancellation or amendment using any other means it considers appropriate, including electronic means.

                    Added: July 2017

                • AU-4.6 AU-4.6 Additional Requirements for Licensing of Crowdfunding Platform Operator

                  • AU-4.6.1

                    This section sets out additional licensing requirements for crowdfunding platform operator, including conventional and Shari'a-compliant crowdfunding platform operators.

                    Added: October 2017

                  • AU-4.6.2

                    The CBB may license a person as a crowdfunding platform operator provided that:

                    (a) [This Subparagraph was deleted in April 2022];
                    (b) The applicant is able to demonstrate that will be able to operate an orderly, fair and transparent market in relation to the transactions offered through its electronic facilities;
                    (c) The applicant appoints at least two approved persons. One of the approved persons must be a Compliance Officer who can also handle the responsibilities of the MLRO, and the second person is the CEO of the crowdfunding platform operator;
                    (d) The business rules of the crowdfunding platform operator must make satisfactory provisions–
                    (i) For the protection of investors/lenders and public interest;
                    (ii) To ensure proper functioning of the platform;
                    (iii) To promote fairness and transparency;
                    (iv) To manage any conflict of interest that may arise;
                    (v) To promote fair treatment of its users or any person who subscribe for its services;
                    (vi) To promote fair treatment of any person who is hosted, or applies to be hosted, on its platform;
                    (vii) To ensure proper regulation and supervision of its users, or any person utilising or accessing its platform, including suspension and expulsion of such persons;
                    (viii) To provide an avenue of appeal against the decision of the licensed crowdfunding platform operator.
                    (ix) To clarify the criteria for admission of lenders/investors and the exclusion, suspension, expulsion and re-admission of lenders/investors therefrom or thereto;
                    (x) To describe the proposed technology, IT system and disaster recovery plan; and
                    (xi) For the oversight and controls over outsourced activities, if any.
                    Amended: April 2022
                    Added: October 2017

                • AU-4.7 AU-4.7 Additional Requirements for Payment Service Providers, PISPs and AISPs

                  • Business plan

                    • AU-4.7.1

                      The business plan must include an indication of and a description of the type and expected volume of the activities for the next three years. The business plan to be provided by the applicant must contain:

                      (a) a marketing plan consisting of:
                      (i) an analysis of the company's competitive position;
                      (ii) a description of account information service users in the account information market segment concerned, marketing materials and distribution channels;
                      (b) certified annual accounts for the previous three years, if available, or a summary of the financial situation for those applicants that have not yet produced annual accounts;
                      (c) a forecast budget for the first three financial years that demonstrates that the applicant is able to employ appropriate and proportionate systems, resources and procedures that allow the applicant to operate soundly; it must include:
                      (i) an income statement and balance-sheet forecast, including target scenarios and stress scenarios as well as their base assumptions such as number of clients, pricing and expected increase in profitability threshold;
                      (ii) explanations of the main lines of income and expenses, the financial debts and the capital assets;
                      (iii) a diagram and detailed breakdown of the estimated cash flows for the next three years.
                      Added: December 2018

                  • Programme of Operations

                    • AU-4.7.2

                      The programme of operations to be provided by the applicant must contain the following information:

                      (a) a description of the services that are intended to be provided, including an explanation of how the applicant determined that the activity fits the definition of regulated ancillary services;
                      (b) a declaration of the applicant that they will not enter at any time into possession of client funds;
                      (c) a description of the service including:
                      (i) draft contracts between all the parties involved, if applicable;
                      (ii) terms and conditions of the provision of the services;
                      (iii) processing times;
                      (d) the estimated number of different premises from which the applicant intends to provide the services, if applicable;
                      (e) a description of the proposed ancillary services;
                      (f) a declaration of whether or not the applicant intends to provide services in another country once licensed;
                      (g) a description of the relevant operational outsourcing arrangements consisting of:
                      (i) the identity and geographical location of the outsourcing provider;
                      (ii) the identities of the persons within the ancillary services provider that are responsible for each of the outsourced activities;
                      (iii) a detailed description of the outsourced activities and its main characteristics; and
                      (h) a copy of draft outsourcing agreements.
                      Added: December 2018

                  • Governance arrangements and internal control mechanisms

                    • AU-4.7.3

                      The applicant must provide a description of the governance arrangement and the internal control mechanisms consisting of:

                      (a) a mapping of the risks identified by the applicant, including the type of risks and the procedures the applicant will put in place to assess and prevent such risks;
                      (b) the different procedures to carry out periodical and permanent controls including the frequency and the human resources allocated;
                      (c) the identity of the person(s) responsible for the internal control functions, including for periodic, permanent and compliance control, as well as an up-to-date curriculum vitae;
                      (d) the composition of the management body and, if applicable, of any other oversight body or committee;
                      (e) a description of the way outsourced functions are monitored and controlled so as to avoid an impairment in the quality of the applicant's internal controls;
                      (f) a description of the way any agents and branches are monitored and controlled within the framework of the applicant's internal controls;
                      (g) where the applicant is the subsidiary of a regulated entity in another country, a description of the group governance.
                      Added: December 2018

                  • Business continuity arrangements

                    • Governance arrangements and internal control mechanisms

                      • AU-4.7.4

                        The applicant should provide a description of the business continuity arrangements consisting of the following information:

                        (a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
                        (b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
                        (c) an explanation of how the applicant will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons;
                        (d) the frequency with which the applicant intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
                        Added: December 2018

                  • Internal Control Mechanisms to comply with AML/CFT obligations

                    • AU-4.7.5

                      The applicant must establish a description of the internal control mechanisms containing, where applicable, the following information:

                      (a) the applicant's assessment of the money laundering and terrorist financing risks associated with its business;
                      (b) the measures the applicant has or will put in place to mitigate the risks and comply with applicable anti-money laundering and counter terrorist financing obligations, including the applicant's risk assessment process, the policies and procedures to comply with customer due diligence requirements, and the policies and procedures to detect and report suspicious transactions or activities;
                      (c) arrangements the applicant has or will put in place to ensure that staff and agents are appropriately trained in anti-money laundering and counter terrorist financing matters;
                      (d) the identity of the person in charge of ensuring the applicant's compliance with anti-money laundering and counter-terrorism obligations, and evidence that their anti-money laundering and counter-terrorism expertise is sufficient to enable them to fulfil this role effectively;
                      (e) the systems and controls the applicant has or will put in place to ensure that its anti-money laundering and counter terrorist financing policies and procedures remain up to date, effective and relevant;
                      (f) the systems and controls the applicant has or will put in place to ensure that the agents do not expose the applicant to increased money laundering and terrorist financing risk; and
                      (g) the draft anti-money laundering and counter terrorism manual for the staff of the applicant (to be provided following receipt of in-principle approval from the CBB).
                      Added: December 2018

                  • Procedure for monitoring, handling, and following up on security incidents and security-related customer complaints

                    • AU-4.7.6

                      The applicant should provide a procedure for monitoring, handling and following up on security incidents and security-related customer complaints, containing, but not limited to, the following information:

                      (a) organisational measures and tools for the prevention of cyber events and fraud;
                      (b) details of the individual(s) and bodies responsible for assisting customers in cases of fraud, technical issues and/or claim;
                      (c) reporting lines in cases of fraud;
                      (d) the contact point for customers, including a name and email address;
                      (e) the procedures for the reporting of incidents, including the communication of these reports to internal or external bodies, including notification of major incidents to national competent authorities;
                      (f) the monitoring tools used and the follow-up measures and procedures in place to mitigate security risks.
                      Added: December 2018

                  • Process for filing, monitoring, tracking and restricting access to sensitive payment data

                    • AU-4.7.7

                      The PISP and PSP should provide a description of the process in place to file, monitor, track and restrict access to sensitive payment data consisting of, but not limited to, the following:

                      (a) a description of the flows of data classified as sensitive payment data in the context of the applicant's business model;
                      (b) the procedures in place to authorise access to sensitive payment data;
                      (c) a description of the monitoring tool;
                      (d) the access right policy, detailing access to all relevant infrastructure components and systems, including databases and back-up infrastructures;
                      (e) a description of how the collected data are encrypted such that the applicant will not be able to read or store it;
                      (f) the expected internal and/or external use of the collected data;
                      (g) the IT system and technical security measures that have been implemented including encryption and/or tokenisation;
                      (h) confirmation that access to sensitive customer data is not available to the applicant;
                      (i) an explanation of how breaches will be detected and addressed; and
                      (j) an annual internal control programme in relation to the safety of the IT systems.
                      Added: December 2018

                  • Security policy documentation

                    • AU-4.7.8

                      The applicant should provide a security policy document containing the following information:

                      (a) A detailed risk assessment of the service(s) the applicant intends to provide, which should include risks of fraud and the security control and mitigation measures taken to adequately protect service users against the risks identified;
                      (b) a description of the IT systems, which should include:
                      (i) the architecture of the systems and their network elements;
                      (ii) the business IT systems supporting the business activities provided, such as the applicant's website, wallets, the payment engine, the risk and fraud management engine, and customer accounting;
                      (iii) the support IT systems used for the organisation and administration of the applicant, such as accounting, legal reporting systems, staff management, customer relationship management, e-mail servers and internal file servers;
                      (iv) information on whether those systems are already used by the applicant or its group, and the estimated date of implementation, if applicable;
                      (v) the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
                      (vi) the logical security measures and mechanisms in place, specifying the control the applicant will have over such access as well as the nature and frequency of each control, such as technical versus organisational; preventative versus detective; and real-time monitoring versus regular reviews, such as the use of an active directory separate from the group, the opening/closing of communication lines, security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
                      (c) the logical security measures and mechanisms that govern the internal access to IT systems, which should include:
                      (i) the technical and organisational nature and frequency of each measure, such as whether it is preventative or detective and whether or not it is carried out in real time;
                      (ii) how the issue of client environment segregation is dealt with in cases where the applicant's IT resources are shared;
                      (d) the physical security measures and mechanisms of the premises and the data centre of the applicant, such as access controls and environmental security;
                      (e) the security of the payment processes, which should include:
                      (i) the customer authentication procedure used for both consultative and transactional access, and for all underlying payment instruments;
                      (ii) an explanation of how safe delivery to the legitimate payment service user and the integrity of authentication factors, such as hardware tokens and mobile applications, are ensured, at the time of both initial enrolment and renewal;
                      (iii) a description of the systems and procedures that the applicant has in place for transaction analysis and the identification of suspicious or unusual transactions;
                      (f) a detailed risk assessment in relation to its payment services, including fraud, with a link to the control and mitigation measures explained in the application file, demonstrating that the risks are addressed;
                      (g) a list of the main written procedures in relation to the applicant's IT systems or, for procedures that have not yet been formalised, an estimated date for their finalisation.
                      Added: December 2018

                    • AU-4.7.9

                      AISPs/PISPs must submit a report of an independent review undertaken by a third-party expert confirming compliance with the Bahrain Open Banking Framework prior to going live. The detailed scope and procedures for such review and the appointment of the third party expert must be approved by CBB.

                      Added: July 2021

              • AU-5 AU-5 License Fees

                • AU-5.1 AU-5.1 License Application Fees

                  • AU-5.1.1

                    Applicants seeking an ancillary service provider license from the CBB AU-5.1.1 must pay a non-refundable license application fee of BD 100 at the time of submitting their formal application to the CBB.

                    April 2016

                  • AU-5.1.2

                    There are no application fees for those seeking approved persons status.

                    April 2016

                • AU-5.2 AU-5.2 Annual License Fees

                  • AU-5.2.1

                    Licensees must pay the relevant annual license fee to the CBB on 1st December of the preceding year for which the fee is due.

                    April 2016

                  • AU-5.2.2

                    The applicable fixed annual license fees are as follows:

                    (a) Third party administrators - BD 2,000;
                    (b) Card processing services - BD 1,000;
                    (c) Operating a credit reference bureau - BD 100,000;
                    (d) Payment service providers - BD 2,000;
                    (e) Shari’a advisory/review services - BD 500;
                    (f) Operating a crowdfunding platform - BD 200;
                    (g) Account information service providers - BD 1,000;
                    (h) Payment initiation service providers - BD 1,000;
                    (i) Any other ancillary services that are related to the financial services industry - BD 500.
                    Amended: October 2020
                    Added: April 2016

                  • AU-5.2.2A

                    Licensees providing multiple regulated ancillary services are required to pay the annual license fees applicable for each activity in accordance with Paragraph AU-5.2.2.

                    Added: January 2021

                  • AU-5.2.3

                    For new licensees, their first annual license fee is the amount stated in Paragraph AU-5.2.2 and is payable when their license is issued by the CBB.

                    April 2016

                  • AU-5.2.4

                    Where a license is cancelled (whether at the initiative of the firm or the CBB), no refund is paid for any months remaining in the calendar year in question, should a fee have been paid for that year.

                    April 2016

                  • AU-5.2.5

                    All licensees are subject to direct debit for the payment of the annual fee and must complete and submit to the CBB a Direct Debit Authorisation Form by 15th September available under Part B of Volume 5 (Specialised Licensees) CBB Rulebook on the CBB Website.

                    April 2016

                  • AU-5.2.6

                    Licensees failing to comply with this Section may be subject to financial penalties for date sensitive requirements as outlined in Section EN-5.3A or may have their licenses withdrawn by the CBB.

                    April 2016

            • HC HC High-Level Controls

              • HC-A HC-A Introduction

                • HC-A.1 HC-A.1 Purpose

                  • Executive Summary

                    • HC-A.1.1

                      The purpose of the Module is to establish best practice corporate governance principles in the Kingdom of Bahrain, and to provide protection for shareholders and other company stakeholders through compliance with those principles.

                      October 2019

                    • HC-A.1.2

                      All references in this Module to 'he' or 'his' shall, unless the context otherwise requires, be construed as also being references to 'she' and 'her'.

                      October 2019

                  • The Comply or Explain Principle for Guidance Paragraphs

                    • HC-A.1.3

                      All ancillary service provider licensees must comply with the Guidance in Module HC or explain their noncompliance by way of a report to the CBB.

                      October 2019

                  • Monitoring and Enforcement of Module HC

                    • HC-A.1.4

                      It is the Board's responsibility to see to the accuracy and completeness of the ancillary service provider licensee's corporate governance framework in compliance with this Module.

                      October 2019

                  • Legal Basis

                    • HC-A.1.5

                      This Module contains the CBB's Directive (as amended from time to time) relating to high-level controls and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'), as amended. The Directive in this Module is applicable to ancillary service provider licensees (including their approved persons).

                      October 2019

                    • HC-A.1.6

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      October 2019

                  • Effective Date

                    • HC-A.1.7

                      All ancillary service provider licensees to which Module HC applies should be in full compliance by 31st December 2020. Where possible, the ancillary service provider licensee should also have corporate governance guidelines in place at that time and should have a "comply or explain" report as described in Paragraph HC-A.1.3.

                      Amended: October 2020
                      Added: October 2019

                • HC-A.2 HC-A.2 Module History

                  • HC-A.2.1

                    This Module was first issued in April 2019. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    October 2019

                  • HC-A.2.2

                    A list of recent changes made to this Module is detailed in the table below:

                    Module Ref. Change Date Description of Changes
                    HC-1.2.2 & HC-2.2.8 01/2020 Amended Paragraphs on policy and procedures approval.
                    HC-1.5.8 01/2020 Added a new Paragraph on independent directors.
                    HC-1.5.9 01/2020 Added a new Paragraph on termination of Board membership of a retired, terminated CEO.
                    HC-1.8.5 04/2020 Amended Paragraph.
                    HC-3.3.1 04/2020 Amended Paragraph.
                    HC-3.3.2 04/2020 Amended Paragraph.
                    HC-5.2.4 04/2020 Added a new Paragraph on KPIs compliance with AML/CFT requirements.
                    HC-A.1.7 10/2020 Amended Paragraph reference.
                         
                         

                  • Superseded Requirements

                    • HC-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                      Document Ref. Subject
                         
                      Standard Conditions and Licensing Criteria for providers of ancillary services to the financial sector. Board, Management and Staffing
                      October 2019

              • HC-B HC-B Scope of Application

                • HC-B.1 HC-B.1 Scope of Application

                  • HC-B.1.1

                    The contents of Chapters HC-1 to HC-7 of this Module, unless otherwise stated, apply to card processing services, payment service providers and credit reference bureaus.

                    October 2019

                  • HC-B.1.2

                    The guidance in Chapter HC-8 of this Module apply to TPAs, Shari'a advisory/review services, Crowdfunding Platform Operators and other Ancillary Service Providers. The "comply or explain" principle (see Paragraph HC-A.1.3) applies to the contents of Chapter HC-8.

                    October 2019

              • HC-1 HC-1 The Board

                • HC-1.1 HC-1.1 Principle

                  • HC-1.1.1

                    All licensees must be headed by an effective, collegial and informed Board of Directors ('the Board').

                    October 2019

                • HC-1.2 HC-1.2 Role and Responsibilities

                  • HC-1.2.1

                    All directors must understand the Board's role and responsibilities under the Bahrain Commercial Companies Law (2001), as amended and any other laws or regulations that may govern their responsibilities from time to time. In particular:

                    (a) The Board's role as distinct from the role of the shareholders (who elect the Board and whose interests the Board serves) and the role of officers (whom the Board appoints and oversees); and
                    (b) The Board's fiduciary duties of care and loyalty to the licensee and the shareholders (see HC-2.1).
                    October 2019

                  • HC-1.2.2

                    The Board's role and responsibilities include but are not limited to:

                    (a) Approving and reviewing at least annually the overall business performance and strategy for the licensee;
                    (b) Reviewing regularly the implementation of the strategy and operational performance;
                    (c) Causing financial statements to be prepared which accurately disclose the licensee's financial position;
                    (d) Monitoring management performance;
                    (e) Reviewing regularly the level of risk;
                    (f) Approving and reviewing at least annually systems and controls framework (including policies);
                    (g) Approving the agenda for shareholders' meetings;
                    (h) Monitoring conflicts of interest and preventing abusive related party transactions;
                    (i) Assuring equitable treatment of shareholders including minority shareholders; and
                    (j) Setting out clearly and reviewing on a regular basis who has authority to enter the licensee into contractual obligations.
                    Amended: January 2020
                    Added: October 2019

                  • HC-1.2.3

                    With respect to Subparagraph HC-1.2.2(j), the Board should set a materiality threshold so that contractual obligations above this set threshold are regularly reported to the Board. In setting the materiality threshold, the Board will consider the financial impact the contractual obligation may have in relation to its capital.

                    October 2019

                  • HC-1.2.4

                    The members of the board of directors are responsible both individually and collectively for performing the responsibilities outlined in Paragraph HC-1.2.2 and must have sufficient expertise as a Board to understand the important issues relating to operation and control of the licensee. Although the Board may delegate certain functions to committees or management, it may not delegate its ultimate responsibility to ensure that an adequate, effective, comprehensive and transparent corporate governance framework is in place. This statement must be clearly communicated to Board members and senior management.

                    October 2019

                  • HC-1.2.5

                    When a member of the board of directors is inducted, the chairman of the Board, or the licensee's legal counsel or compliance officer, or other individual delegated by the chairman of the board, should review the Board's role and duties with that person, particularly covering legal and regulatory requirements and Module HC (see also HC-4.3.1).

                    October 2019

                  • HC-1.2.6

                    The licensee should have a written appointment agreement with each director which recites the directors' powers and duties and other matters relating to his appointment including his term, the time commitment envisaged, the committee assignment if any, his remuneration and expense reimbursement entitlement, and his access to independent professional advice when that is needed.

                    October 2019

                  • HC-1.2.7

                    The Board should adopt a formal Board charter or other statement specifying matters which are reserved to it, which should include but need not be limited to the specific requirements and responsibilities of board directors.

                    October 2019

                  • Additional Guidance

                    • HC-1.2.8

                      In assessing the licensee's strategic plans (see Paragraph HC-1.2.2), the CBB would expect the Board to address the licensee's current and future aspirations with respect to its position in the market place, its size, products, value and other key aspirations that would be considered important by investors. Furthermore, the Board should demonstrate that it is able to identify proactively and understand the significant risks that the licensee faces in achieving its business objectives. A description of the licensee's strategy should be included in the annual financial statements.

                      October 2019

                    • HC-1.2.9

                      The Board must have effective policies and processes in place for:

                      (a) Ensuring a formal and transparent Board nomination process;
                      (b) Appointing senior managers, and ensuring that they have the necessary integrity, technical and managerial competence, and experience;
                      (c) Overseeing succession planning, and minimising undue reliance on key individuals;
                      (d) Reviewing key senior management and Board remuneration packages and ensuring such packages are consistent with the corporate values and strategy of the licensee and encourage prudent risk taking;
                      (e) Monitoring and evaluating management's performance in implementing agreed strategy and business plans, and ensuring appropriate resources are available; and
                      (f) Approving budgets and reviewing performance against those budgets.
                      October 2019

                    • HC-1.2.10

                      The Board must be able to demonstrate that the licensee's operations, individually and collectively:

                      (a) Are measured, monitored and controlled by appropriate, effective and prudent risk management systems commensurate with the scope of the licensee's activities. The systems must produce information on a timely basis, and in a form and quality appropriate to the needs of the different recipients;
                      (b) Are supported by an appropriate control environment. The risk management and financial reporting functions must be independent of business lines and must be run by individuals not involved with the day-to-day running of the various business areas; and
                      (c) Make effective use of the work of internal and external auditors.
                      October 2019

                • HC-1.3 HC-1.3 Composition

                  • HC-1.3.1

                    The Memorandum and Articles of Association of licensees must adequately set out procedures for the appointment, removal and retirement of directors.

                    October 2019

                  • HC-1.3.2

                    The Board should have a minimum of 3 members and no more than 5 members, and should regularly review its size and composition to ensure that it is small enough for efficient decision-making yet large enough to have members who can contribute from different specialties and viewpoints. The Board should recommend changes in Board size to the shareholders when a needed change requires amendment of the licensee's Memorandum of Association.

                    October 2019

                  • HC-1.3.3

                    It is not expected that every Board member is proficient in all areas, but collectively the Board is expected to have the required expertise. The CBB expects Board members to undertake relevant training on a regular basis to help them fulfill their responsibilities as board members.

                    October 2019

                  • HC-1.3.4

                    Potential non-executive directors should be made aware of their duties before their nomination, particularly as to the time commitment required. Where applicable, the Nominating Committee should regularly review the time commitment required from each non-executive director and should require each non-executive director to inform the Committee before he accepts any Board appointments to another company. One person should not hold more than three directorships in public companies in Bahrain with the provision that no conflict of interest may exist, and the Board should not propose the election or reelection of any director who does.

                    October 2019

                  • HC-1.3.5

                    To fulfil its responsibilities outlined in Section HC-1.2, the Board of licensees must periodically assess its composition and size and, where appropriate, reconstitute itself and its committees by selecting new directors to replace long-standing members or those members whose contributions to the licensee or its committees is not adequate.

                    October 2019

                  • HC-1.3.6

                    To demonstrate compliance with Rule HC-1.3.5, the Board should be able to demonstrate that it regularly considers (e.g. every one or two years) the mix of executive, non-executive and independent non-executive Directors, and skills and experience, that it requires. See also Paragraph HC-1.3.2.

                    October 2019

                  • HC-1.3.7

                    A Board member must not serve in two or more competing licensees.

                    October 2019

                  • HC-1.3.8

                    The appointment of Board members is conditional on the approval of the CBB (See Section AU-1.2).

                    October 2019

                • HC-1.4 HC-1.4 Decision Making Process

                  • HC-1.4.1

                    The Board must be collegial and deliberative, to gain the benefit of each individual director's judgment and experience.

                    October 2019

                  • HC-1.4.2

                    The Board must meet frequently but in no event less than four times a year. All directors must attend the meetings whenever possible and the directors must maintain informal communication between meetings.

                    October 2019

                  • HC-1.4.3

                    Individual board members must attend at least 75% of all Board meetings in a given financial year to enable the Board to discharge its responsibilities effectively (see table below). Voting and attendance by proxies for board meetings are prohibited at all times.

                    Meetings per year 75% Attendance requirement
                    4 3
                    5 4
                    6 5
                    7 5
                    8 6
                    9 7
                    10 8
                    October 2019

                  • HC-1.4.4

                    The absence of Board members at Board and committee meetings must be noted in the meeting minutes. In addition, Board attendance percentage must be reported during any general assembly meeting when Board members stand for re-election (e.g. Board member XYZ attended 95% of scheduled meetings this year).

                    October 2019

                  • HC-1.4.5

                    The chairman should take an active lead in promoting mutual trust, open discussion, constructive dissent and support for decisions after they have been made.

                    October 2019

                  • HC-1.4.6

                    In the event that a Board member has not attended at least 75% of Board meetings in any given financial year, the licensee must immediately notify the CBB indicating which member has failed to satisfy this requirement, his level of attendance and any mitigating circumstances affecting his non-attendance. The CBB shall then consider the matter and determine whether disciplinary action, including disqualification of that Board member pursuant to Article 65 of the CBB Law, is appropriate. Unless there are exceptional circumstances, it is likely that the CBB will take disciplinary action.

                    October 2019

                  • HC-1.4.7

                    To meet its obligations under Rule HC-1.4.3 above, the Board should meet preferably no less than four times per year. The CBB recommends that meetings should take place once every quarter to address the Board's responsibilities for management oversight and performance monitoring. Furthermore, Board rules should require members to step down if they are not actively participating in Board meetings. Board members are reminded that non-attendance at board meetings does not absolve them of their responsibilities as directors. It is important that each individual director should allocate adequate time and effort to discharge his responsibilities. All Directors are expected to contribute actively to the work of the Board in order to discharge their responsibilities and should make every effort to attend board meetings where major issues are to be discussed. Licensees are encouraged to amend their Articles of Association to provide for telephonic and videoconference meetings. Participation in board meetings by means of video or telephone conferencing is regarded as attendance and may be recorded as such.

                    October 2019

                  • HC-1.4.8

                    The chairman must ensure that all directors receive an agenda, minutes of prior meetings, and adequate background information in writing before each Board meeting and when necessary between meetings. All directors must receive the same Board information. At the same time, directors have a legal duty to inform themselves and they must ensure that they receive adequate and timely information and must study it carefully.

                    October 2019

                  • HC-1.4.9

                    The Board must maintain adequate records of its meetings, such that key decisions and how they are arrived at can be traced.

                    October 2019

                • HC-1.5 HC-1.5 Independence of Judgment

                  • HC-1.5.1

                    The Board must ensure that it has at least one independent director, in order to provide sufficient independent scrutiny of management.

                    October 2019

                  • HC-1.5.2

                    Every director must bring independent judgment to bear in decision-making. No individual or group of directors must dominate the Board's decision-making and no one individual must have unfettered powers of decision.

                    October 2019

                  • HC-1.5.3

                    Executive directors must provide the Board with all relevant business and financial information within their cognizance, and must recognise that their role as a director is different from their role as an officer.

                    October 2019

                  • HC-1.5.4

                    Non-executive directors must be fully independent of management and must constructively scrutinise and challenge management including the management performance of executive directors.

                    October 2019

                  • HC-1.5.5

                    The chairman of the Board should be an independent director so that there will be an appropriate balance of power and greater capacity of the Board for independent decision making.

                    October 2019

                  • HC-1.5.6

                    The chairman and/or deputy chairman must not be the same person as the CEO.

                    October 2019

                  • HC-1.5.7

                    The Board should review the independence of each director at least annually in light of interests disclosed by them. Each independent director shall provide the Board with all necessary and updated information for this purpose.

                    October 2019

                  • HC-1.5.8

                    Where an independent director has served three consecutive terms on the board, such director will lose his/her independence status and must not be classified as an independent director if reappointed.

                    Added: January 2020

                  • HC-1.5.9

                    Where a Chief Executive Officer of an ancillary service provider licensee, who is also a Board member, no longer occupies the CEO position, whether due to resignation, retirement or termination, his/her Board Membership must also be immediately terminated.

                    Added: January 2020

                • HC-1.6 HC-1.6 Directors' Access to Independent Advice

                  • HC-1.6.1

                    The Board should ensure that individual directors have access to independent legal or other professional advice at the licensee's expense whenever they judge this necessary to discharge their responsibilities as directors and this must be in accordance with the licensee's policy approved by the Board.

                    October 2019

                  • HC-1.6.2

                    Whenever a director has serious concerns which cannot be resolved concerning the running of the licensee or a proposed action, he should consider seeking independent advice and should ensure that the concerns are recorded in the Board minutes and that any dissent from a Board action is noted or delivered in writing.

                    October 2019

                  • HC-1.6.3

                    Upon resignation, a non-executive director should provide a written statement to the chairman, for circulation to the Board, if he has any concerns such as those in Paragraph HC-1.6.3.

                    October 2019

                • HC-1.7 HC-1.7 Directors' Communication with Management

                  • HC-1.7.1

                    The Board should encourage participation by management regarding matters the Board is considering, and also by management members who by reason of responsibilities or succession, the CEO believes should have exposure to the directors.

                    October 2019

                • HC-1.8 HC-1.8 Committees of the Board

                  • HC-1.8.1

                    While the evaluation is a responsibility of the entire board, it should be organised and assisted by an internal board committee and, when appropriate, with the help of external experts.

                    October 2019

                  • HC-1.8.2

                    The Board or a committee may invite non-directors to participate in, but not vote at committee meetings so that the committee may gain the benefit of their advice and expertise in financial or other areas.

                    October 2019

                  • HC-1.8.3

                    Committees should act only within their mandates and therefore the Board must not allow any committee to dominate or effectively replace the whole Board in its decision-making responsibility.

                    October 2019

                  • HC-1.8.4

                    Committees may be combined provided that no conflict of interest might arise between the duties of such committees.

                    October 2019

                  • HC-1.8.5

                    Every committee should have a formal written charter similar in form to the model charter.

                    Amended: April 2020
                    Added: October 2019

              • HC-2 HC-2 Approved Persons Loyalty

                • HC-2.1 HC-2.1 Principle

                  • HC-2.1.1

                    The approved persons must have full loyalty to the licensee.

                    October 2019

                • HC-2.2 HC-2.2 Personal Accountability

                  • HC-2.2.1

                    The Board and its members must act with honesty, integrity, due skill and care, and in the best interests of the licensee, its shareholders and clients.

                    October 2019

                  • HC-2.2.2

                    In assessing compliance with Paragraph HC-2.2.1, the CBB will take into account all actions of the Board and its members. The interest of the licensee includes the licensee's continued compliance with all relevant rules and regulations, and the interests of employees, clients and other stakeholders. The interest of shareholders includes the current and future value of the licensee, its status as a going concern, transparency and disclosure of information to the market. The interest of clients includes ensuring that the licensee fulfils its obligations under its terms of business and treats all clients fairly and pays equal regard to the interests of all clients.

                    October 2019

                  • HC-2.2.3

                    Each member of the board must understand that under the Commercial Companies Law 2001, as amended, he is personally accountable to the licensee and the shareholders if he violates his legal duty of loyalty to the licensee, and that he can be personally sued by the licensee or the shareholders for such violations.

                    October 2019

                  • HC-2.2.4

                    A licensee's Board must establish and disseminate to all employees of the licensee a corporate code of conduct.

                    October 2019

                  • HC-2.2.5

                    The code of conduct must establish standards by giving examples or expectations as regards:

                    (a) Honesty;
                    (b) Integrity;
                    (c) The avoidance or disclosure of conflicts of interest;
                    (d) Maintaining confidentiality;
                    (e) Professionalism;
                    (f) Commitment to the law and best practices; and
                    (g) Reliability.
                    October 2019

                  • HC-2.2.6

                    The Board must establish and disseminate to employees policies and processes for the identification, reporting and prevention or management of potential conflicts of interest, including matters such as:

                    (a) Related party transactions;
                    (b) The misuse of the licensee's assets; and
                    (c) The use of privileged information for personal advantage ('insider trading').
                    October 2019

                  • HC-2.2.7

                    Any transaction in which Board members or any member of management have potential conflicts of interest should either be proscribed or require formal documented approval by the Board, with measures taken to manage those conflicts (see also Paragraph HC-2.4.1).

                    October 2019

                  • HC-2.2.8

                    The Board must ensure that policies are in place to ensure that necessary customer confidentiality is maintained.

                    Amended: January 2020
                    Added: October 2019

                  • HC-2.2.9

                    The duty of loyalty includes a duty not to use property of the licensee for his personal needs as though it was his own property, not to disclose confidential information of the licensee or use it for his personal profit, not to take business opportunities of the licensee for himself, not to compete in business with the licensee, and to serve the licensee's interest in any transactions with the company in which he has a personal interest.

                    October 2019

                  • HC-2.2.10

                    For purposes of Paragraph HC-2.2.9, an approved person must be considered to have a "personal interest" in a transaction with the company if:

                    (a) He himself;
                    (b) A member of his family (i.e. spouse, father, mother, sons, daughters, brothers or sisters); or
                    (c) Another company of which he is a director or controller, is a party to the transaction or has a material financial interest in the transaction.
                    October 2019

                • HC-2.3 HC-2.3 Avoidance of Conflicts of Interest

                  • HC-2.3.1

                    Licensees must maintain an organisational structure that minimises the risk of conflicts of interest arising.

                    October 2019

                  • HC-2.3.2

                    For the purposes of Rule HC-2.3.1, the CBB would expect licensees to separate front and back office functions.

                    October 2019

                  • HC-2.3.3

                    Each approved person must make every practicable effort to arrange his personal and business affairs to avoid a conflict of interest with the licensee.

                    October 2019

                  • HC-2.3.4

                    Board members must absent themselves from any discussion or decision-making that involves a subject where they are incapable of providing objective advice, or which involves a subject, transaction or proposed transaction where there is a potential conflict of interest.

                    October 2019

                • HC-2.4 HC-2.4 Disclosure of Conflicts of Interest

                  • HC-2.4.1

                    Each approved person of licensees must inform the entire Board of conflicts of interest as they arise. Board members must abstain from voting on the matter in accordance with the relevant provisions of the Commercial Companies Law 2001, as amended. This disclosure must include all material facts in the case of a contract or transaction involving the approved person. The approved persons must understand that any approval of a conflict transaction is effective only if all material facts are known to the authorising persons and the conflicted person did not participate in the decision.

                    October 2019

                  • HC-2.4.2

                    Board members must declare annually in writing all of their interests (and those of their family) in other enterprises or activities (whether as a Director, shareholder, senior executive or other form of participation) to the Board (or appropriate Board sub-Committee).

                    October 2019

                  • HC-2.4.3

                    The Board should establish formal procedures for:

                    (a) Periodic disclosure and updating of information by each approved person on his actual and potential conflicts of interest; and
                    (b) Advance approval by directors or shareholders who do not have an interest in the transactions in which a card processing services', credit reference bureaus', and payment service providers' approved person has a personal interest. The Board should require such advance approval in every case.
                    October 2019

                • HC-2.5 HC-2.5 Disclosure of Conflicts of Interest to Shareholders

                  • HC-2.5.1

                    The licensee must disclose to its shareholders through Annual General Meetings any abstention from voting motivated by a conflict of interest and must disclose to its shareholders any authorisation of a conflict of interest contract or transaction in accordance with the Commercial Companies Law 2001, as amended.

                    October 2019

              • HC-3 HC-3 Audit Committee and Financial Statements Certification

                • HC-3.1 HC-3.1 Principle

                  • HC-3.1.1

                    The Board of all licensees must have rigorous controls for financial audit and reporting, internal control, and compliance with law.

                    October 2019

                • HC-3.2 HC-3.2 Audit Committee

                  • HC-3.2.1

                    The Board of licensees should establish an audit committee commensurate with the size, complexity and nature of its business. The audit committee should consider having at least three directors.

                    October 2019

                  • HC-3.2.2

                    The majority of the directors should be independent including the Chairman.

                    October 2019

                  • HC-3.2.3

                    Where there is an audit committee, it must:

                    (a) Review the company's accounting and financial practices;
                    (b) Review the integrity of the licensees' financial and internal controls and financial statements;
                    (c) Review the licensees' compliance with legal requirements;
                    (d) Recommend the appointment, compensation and oversight of the licensees' external auditor; and
                    (e) Recommend the appointment of the internal auditor (whether in-house or outsourced).
                    October 2019

                  • HC-3.2.4

                    The Board or Audit Committee must ensure that the external audit firm and its partners are truly independent of the licensee and have no financial or other relationship with the licensee. Audit findings must be used as an independent check on the information received from management about the licensees' operations and performance and the effectiveness of internal controls.

                    October 2019

                • HC-3.3 HC-3.3 Audit Committee Charter

                  • HC-3.3.1

                    The audit committee should adopt a written charter which shall, at a minimum, state the duties outlined in Paragraph HC-3.2.4.

                    Amended: April 2020
                    Added: October 2019

                  • HC-3.3.2

                    A majority of the audit committee should have the financial literacy and information technology qualifications.

                    Amended: April 2020
                    Added: October 2019

                  • HC-3.3.3

                    The Board should adopt a "whistleblower" program under which employees can confidentially raise concerns about possible improprieties in financial or legal matters. Under the program, concerns may be communicated directly to any audit committee member or, alternatively, to an identified officer or employee who will report directly to the Audit Committee on this point.

                    October 2019

                • HC-3.4 HC-3.4 CEO and CFO Certification of Financial Reporting

                  • HC-3.4.1

                    The licensee's CEO and chief financial officer must state in writing to the audit committee and the Board as a whole the licensee's annual and, where applicable, interim financial statements present a true and fair view, in all material respects, of the licensee's financial condition and results of operations in accordance with applicable accounting standards.

                    October 2019

              • HC-4 HC-4 Appointment, Training and Evaluation of the Board

                • HC-4.1 HC-4.1 Principle

                  • HC-4.1.1

                    Licensees must have rigorous procedures for appointment, training and evaluation of the Board.

                    October 2019

                • HC-4.2 HC-4.2 Board Nominations to Shareholders

                  • HC-4.2.1

                    Each proposal by the Board to the shareholders for election or reelection of a director must be accompanied by a recommendation from the Board, and the following specific information:

                    (a) The term to be served, which may not exceed three years (but there need not be a limit on reelection for further terms);
                    (b) Biographical details and professional qualifications;
                    (c) In the case of an independent director, a statement that the Board has determined that the criteria of independent director have been met;
                    (d) Any other directorships held;
                    (e) Particulars of other positions which involve significant time commitments, and
                    (f) Details of relationships between:
                    (i) The candidate and the licensee, and
                    (ii) The candidate and other directors of the licensee.
                    October 2019

                  • HC-4.2.2

                    The chairman of the Board should confirm to shareholders when proposing re-election of a director that, following a formal performance evaluation, the person's performance continues to be effective and continues to demonstrate commitment to the role. Any term beyond six years (e.g. two three-year terms) for a director should be subject to particularly rigorous review, and should take into account the need for progressive refreshing of the Board.

                    October 2019

                • HC-4.3 HC-4.3 Induction and Training of Directors

                  • HC-4.3.1

                    The chairman of the Board of licensees must ensure that each new director receives a formal and tailored induction to ensure his contribution to the Board from the beginning of his term. The induction must include meetings with senior management, visits to company facilities, presentations regarding strategic plans, significant financial, accounting and risk management issues, compliance programs, its internal and external auditors and legal counsel.

                    October 2019

                  • HC-4.3.2

                    All continuing directors must be invited to attend orientation meetings and all directors must continually educate themselves as to the licensee's business and corporate governance.

                    October 2019

                  • HC-4.3.3

                    Management, in consultation with the chairman of the Board, should hold programs and presentations to directors respecting the licensees' business and industry, which may include periodic attendance at conferences and management meetings.

                    October 2019

              • HC-5 HC-5 Remuneration of Approved Persons

                • HC-5.1 HC-5.1 Principle

                  • HC-5.1.1

                    The licensee must remunerate approved persons fairly and responsibly.

                    October 2019

                • HC-5.2 HC-5.2 Remuneration Structure

                  • HC-5.2.1

                    The Board of Directors must:

                    (a) Review the licensee's remuneration policies and amounts for approved persons taking into account total remuneration including salaries, fees, expenses and employee benefits which must be approved by the shareholders; and
                    (b) Recommend Board members remuneration based on their attendance and performance.
                    October 2019

                  • HC-5.2.2

                    Remuneration (including incentives, bonuses and other rewards) of approved persons must be sufficient enough to attract, retain and motivate persons of the quality needed to run the licensee successfully, but the licensee must avoid paying more than is necessary for that purpose.

                    October 2019

                  • HC-5.2.3

                    Where remuneration is structured so as to link rewards to corporate and individual performance, criteria should avoid excessive focus on short-term profitability measures, without due regard to the longer-term consequences of actions taken.

                    October 2019

                  • Alignment of All Staff Remuneration with Compliance with AML/CFT Requirements

                    • HC-5.2.4

                      The performance evaluation and remuneration of senior management and staff of the licensee must be based on the achievement of the Key Performance Indicators (KPIs) relevant to ensuring compliance with AML/CFT requirements as specified in Paragraphs FC-2.1.3 and FC-2.1.4.

                      Added: April 2020

                • HC-5.3 HC-5.3 Directors' Remuneration

                  • HC-5.3.1

                    The review of Directors' remuneration must be a standing item on the licensee's Annual General Meeting agenda, and must be considered by shareholders at every Annual General Meeting. Directors' remuneration and bonuses to executive directors must be clearly disclosed in the annual financial statements.

                    October 2019

                  • HC-5.3.2

                    Directors' remuneration should also comply with all applicable laws, such as Legislative Decree No. 21 of 2001, with respect to promulgating the Commercial Companies Law.

                    October 2019

                  • HC-5.3.3

                    Remuneration of non-executive directors must not include performance-related elements such as grants of shares, share options or other deferred stock-related incentive schemes, bonuses, or pension benefits.

                    October 2019

                • HC-5.4 HC-5.4 Senior Management Remuneration

                  • HC-5.4.1

                    Remuneration of senior management must be structured so that a portion of the total is linked to licensee and individual performance and aligns their interests with the interests of the shareholders.

                    October 2019

                  • HC-5.4.2

                    Such rewards may include grants of shares, share options and other deferred stock-related incentive schemes, bonuses, and pension benefits which are not based on salary.

                    October 2019

                  • HC-5.4.3

                    If a senior manager is also a director, his remuneration as a senior manager must take into account compensation received in his capacity as a director.

                    October 2019

                  • HC-5.4.4

                    All share incentive plans must be approved by the shareholders.

                    October 2019

                  • HC-5.4.5

                    All performance-based incentives should be awarded under written objective performance standards which have been approved by the Board and are designed to enhance shareholder and company value, and under which shares should not vest and options should not be exercisable within less than two years of the date of award of the incentive.

                    October 2019

                  • HC-5.4.6

                    All policies for performance-based incentives should be approved by the shareholders, but the approval should be only of the plan itself and not of the grant to specific individuals of benefits under the plan.

                    October 2019

              • HC-6 HC-6 Management Structure

                • HC-6.1 HC-6.1 Principle

                  • HC-6.1.1

                    The Board of licensees must establish a clear and efficient management structure.

                    October 2019

                • HC-6.2 HC-6.2 Establishment of Management Structure

                  • HC-6.2.1

                    The Board must approve and review at least annually the licensees' management structure, responsibilities and authorities.

                    October 2019

                  • HC-6.2.2

                    The Board must appoint senior management whose authority must include management and operation of current activities of the licensees, reporting to and under the direction of the Board. The senior managers must include at a minimum:

                    (a) A CEO;
                    (b) A chief financial officer;
                    (c) An internal auditor;
                    (d) A compliance officer/MLRO (see HC-6.5 and AU-1.3); and
                    (e) must also include such other approved persons as the Board considers appropriate and as a minimum must include persons occupying controlled functions as outlined in Paragraph AU-1.3.2.
                    October 2019

                  • HC-6.2.3

                    For purposes of HC-6.2.2 given the nature, scale and complexity of its business, licensees may appoint a part-time or a seconded internal auditor.

                    October 2019

                • HC-6.3 HC-6.3 Titles, Authorities, Duties and Reporting Responsibilities

                  • HC-6.3.1

                    Licensees must maintain clearly documented and communicated staff responsibilities and reporting lines.

                    October 2019

                  • HC-6.3.2

                    For the purposes of Rule HC-6.3.1, licensees should maintain and document their delegated authority structure as well as written terms of reference for staff positions.

                    October 2019

                  • HC-6.3.3

                    For the purpose of Paragraph HC-6.3.1, the responsibilities and reporting lines must among other matters include the following:

                    (a) The CEO must have authority to act generally in the licensee's name, representing the licensee's interests in concluding transactions on the licensee's behalf and giving instructions to other approved persons and licensee employees;
                    (b) The chief financial officer must be responsible and accountable for:
                    (i) The complete, timely, reliable and accurate preparation of the licensee's financial statements, in accordance with the accounting standards and policies of the licensee (see HC-3.4.1); and
                    (ii) Presenting the Board with a balanced and understandable assessment of the licensee's financial situation;
                    (c) The internal auditor's (see HC-6.4) duties must include providing an independent and objective review of the efficiency of the licensee's operations. This would include a review of the accuracy and reliability of the licensee's accounting records and financial reports as well as a review of the adequacy and effectiveness of the licensee's risk management, control, and governance processes; and
                    (d) The compliance officer's (see HC-6.5) duties include maintaining effective systems and MLRO controls for compliance with applicable requirements in the Kingdom's legislation and those set by the CBB, and those established under any other statute or regulator to which they are subject.
                    October 2019

                  • HC-6.3.4

                    The Board must also specify any limits which it wishes to set on the authority of the CEO or other senior managers, such as monetary maximums for transactions which they may authorize without separate Board approval.

                    October 2019

                • HC-6.4 HC-6.4 Internal Audit

                  • HC-6.4.1

                    Licensees must consider establishing an internal audit function commensurate with the size, complexity and nature of its business to monitor the adequacy of their systems and controls.

                    October 2019

                  • HC-6.4.2

                    The internal audit function must be independent of the senior management, reporting either to the Board or its Audit committee. The internal audit function must not be combined with any other function.

                    October 2019

                  • HC-6.4.3

                    Where licensees outsource part or all of their internal audit function, the outsourcing arrangements must provide for an adequate level of scrutiny of the licensees. A licensee cannot outsource its internal audit function to its external auditor.

                    October 2019

                  • HC-6.4.4

                    Prior approval from the CBB is required for material outsourcing arrangements, including all outsourcing of internal audit. Note that in all such cases, the licensee retains ultimate responsibility for the adequacy of its outsourcing function, and is required to identify the person within the licensee responsible for internal audit: this person should be an approved person (see Section AU-1.2).

                    October 2019

                  • HC-6.4.5

                    Internal audit functions must have terms of reference that clearly indicate:

                    (a) The scope and frequency of audits;
                    (b) Reporting lines; and
                    (c) The review and approval process applied to audits.
                    October 2019

                  • HC-6.4.6

                    Internal audit function must report directly to the Board/Audit committee. They must have unrestricted access to all the appropriate records of the licensees. They must have open and regular access to the Audit Committee, the Board, the Chief Executive, and the licensees' external auditor.

                    October 2019

                • HC-6.5 HC-6.5 Compliance/MLRO

                  • HC-6.5.1

                    Licensees must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements in the Kingdom's legislation and those set by the CBB, and those established under any other statute or regulator to which they are subject.

                    October 2019

                  • HC-6.5.2

                    Depending on the nature, scale and complexity of its business, licensees should consider having a separate compliance function. A compliance function should:

                    (a) Document its organisation and responsibilities;
                    (b) Be appropriately staffed with competent individuals;
                    (c) Have unrestricted access to the licensees' relevant records; and
                    (d) Have ultimate recourse to the Board.
                    October 2019

                  • HC-6.5.3

                    The compliance function/MLRO must not be combined with the internal audit function or any other operational function as such combination may lead to a conflict of interest.

                    October 2019

              • HC-7 HC-7 Communication between Board and Shareholders

                • HC-7.1 HC-7.1 Principle

                  • HC-7.1.1

                    The licensees must communicate with shareholders, encourage their participation, and respect their rights.

                    October 2019

                • HC-7.2 HC-7.2 Conduct of Shareholders' Meetings

                  • HC-7.2.1

                    The Board must observe both the letter and the intent of the Company Law's requirements for shareholder meetings. Among other things:

                    (a) Notices of meetings must be honest, accurate and not misleading. They must clearly state and, where necessary, explain the nature of the business of the meeting;
                    (b) Meetings must be held during normal business hours and at a place convenient for the greatest number of shareholders to attend;
                    (c) Notices of meetings must encourage shareholders to participate by proxy and must refer to procedures for appointing a proxy and for directing the proxy how to vote on a particular resolution. The proxy agreement must list the agenda items and must specify the vote (such as "yes," "no" or "abstain");
                    (d) Notices must ensure that all material information and documentation is provided to shareholders on each agenda item for any shareholder meeting, including but not limited to any recommendations or dissents of directors;
                    (e) The Board must propose a separate resolution at any meeting on each substantially separate issue, so that unrelated issues are not "bundled" together;
                    (f) In meetings where directors are to be elected or removed the Board must ensure that each person is voted on separately, so that the shareholders can evaluate each person individually;
                    (g) The chairman of the meeting must encourage questions from shareholders, including questions regarding licensees' corporate governance guidelines;
                    (h) The minutes of the meeting must be made available to shareholders upon their request within 30 days from the date of receipt of the request and must be endorsed at the next general assembly; and
                    (i) Disclosure of all material facts must be made to the shareholders.
                    October 2019

                  • HC-7.2.2

                    The licensee must require its external auditor to attend the annual shareholders' meeting and be available to answer shareholders' questions concerning the conduct and conclusions of the audit.

                    October 2019

              • HC-8 HC-8 TPAs, Shari'a Advisory/Review Services, Crowdfunding Platform Operators and Other Ancillary Service Providers

                • HC-8.1 HC-8.1 The Board

                  • HC-8.1.1

                    Licensees should be headed by an effective, collegial and informed Board of Directors ('the Board').

                    October 2019

                  • Role and Responsibilities

                    • HC-8.1.2

                      All members of the board of directors should understand the Board's role and responsibilities under the Bahrain Commercial Companies Law (2001) and its amendments and any other laws or regulations that may govern their responsibilities from time to time. In particular:

                      (a) The Board's role as distinct from the role of the shareholders (who elect the Board and whose interests the Board serves) and the role of officers (whom the Board appoints and oversees); and
                      (b) The Board's fiduciary duties of care and loyalty to the licensee and the shareholders (see HC-8.2).
                      October 2019

                    • HC-8.1.3

                      The Board's role and responsibilities include but are not limited to:

                      (a) The overall business performance and strategy for the licensee;
                      (b) Causing financial statements to be prepared which accurately disclose the licensee's financial position;
                      (c) Monitoring management performance;
                      (d) Approving the agenda for shareholders' meetings;
                      (e) Monitoring conflicts of interest and preventing abusive related party transactions; and
                      (e) Assuring equitable treatment of shareholders including minority shareholders.
                      October 2019

                    • HC-8.1.4

                      The members of the board of directors are responsible both individually and collectively for performing the responsibilities outlined in Paragraph HC-8.1.3. Although the Board may delegate certain functions to committees or management, it may not delegate its ultimate responsibility to ensure that an adequate, effective, comprehensive and transparent corporate governance framework is in place.

                      October 2019

                    • HC-8.1.5

                      When a member of the board of directors is inducted, the chairman of the Board, assisted by company legal counsel or compliance officer, should review the Board's role and duties with that person, particularly covering legal and regulatory requirements and Module HC.

                      October 2019

                    • HC-8.1.6

                      The licensee should have a written appointment agreement with each director which recites the directors' powers and duties and other matters relating to his appointment including his term, the time commitment envisaged, the committee assignment if any, his remuneration and expense reimbursement entitlement, and his access to independent professional advice when that is needed.

                      October 2019

                    • HC-8.1.7

                      The Board should adopt a formal Board charter or other statement specifying matters which are reserved to it, which should include but need not be limited to the specific requirements and responsibilities of board directors.

                      October 2019

                  • Composition

                    • HC-8.1.8

                      The Board should have no more than 15 members, and should regularly review its size and composition to ensure that it is small enough for efficient decision-making yet large enough to have members who can contribute from different specialties and viewpoints. The Board should recommend changes in Board size to the shareholders when a needed change requires amendment of the licensee's Memorandum of Association.

                      October 2019

                    • HC-8.1.9

                      Potential non-executive directors should be made aware of their duties before their nomination, particularly as to the time commitment required. The Board should regularly review the time commitment required from each non-executive director and should require each non-executive_director to inform the Board before he accepts any Board appointments to another company. One person should not hold more than three directorships in public companies in Bahrain with the provision that no conflict of interest may exist, and the Board should not propose the election or reelection of any director who does.

                      October 2019

                  • Decision Making Process

                    • HC-8.1.10

                      The Board should be collegial and deliberative, to gain the benefit of each individual director's judgment and experience.

                      October 2019

                    • HC-8.1.11

                      The chairman should take an active lead in promoting mutual trust, open discussion, constructive dissent and support for decisions after they have been made.

                      October 2019

                    • HC-8.1.12

                      The Board should meet frequently but in no event less than four times a year. All directors should attend the meetings whenever possible and the directors should maintain informal communication between meetings.

                      October 2019

                    • HC-8.1.13

                      The chairman should ensure that all directors receive an agenda, minutes of prior meetings, and adequate background information in writing before each Board meeting and when necessary between meetings. All directors should receive the same Board information. At the same time, directors have a legal duty to inform themselves and they should ensure that they receive adequate and timely information and should study it carefully.

                      October 2019

                  • Directors' Communication with Management

                    • HC-8.1.14

                      The Board should encourage participation by management regarding matters the Board is considering, and also by management members who by reason of responsibilities or succession, the CEO believes should have exposure to the directors.

                      October 2019

                    • HC-8.1.15

                      Non-executive directors should have free access to the licensee's management beyond that provided in Board meetings. Such access should be through the Chairman of the Audit Committee or CEO. The Board should make this policy known to management to alleviate any management concerns about a director's authority in this regard.

                      October 2019

                • HC-8.2 HC-8.2 Approved Persons Loyalty

                  • HC-8.2.1

                    The Board should establish formal procedures for:

                    (a) Periodic disclosure and updating of information by each approved person on his actual and potential conflicts of interest; and
                    (b) Advance approval by directors or shareholders who do not have an interest in the transactions in which a licensee's 'approved person' has a personal interest. The Board should require such advance approval in every case.
                    October 2019

                  • Disclosure of Conflicts of Interests to Shareholders

                    • HC-8.2.2

                      The licensee should disclose to its shareholders in the Annual Report any abstention from voting motivated by a conflict of interest and should disclose to its shareholders any authorisation of a conflict of interest contract or transaction in accordance with the Company Law.

                      October 2019

                • HC-8.3 HC-8.3 Financial Statements Certification

                  • HC-8.3.1

                    The Board should have rigorous controls for financial audit and reporting, internal control, and compliance with law.

                    October 2019

                  • CEO and CFO Certification of Financial Statements

                    • HC-8.3.2

                      To encourage management accountability for the financial statements required by the directors, the licensee's CEO and chief financial officer should state in writing to the audit committee and the Board as a whole that the licensee's interim and annual financial statements present a true and fair view, in all material respects, of the licensee's financial condition and results of operations in accordance with applicable accounting standards.

                      October 2019

                • HC-8.4 HC-8.4 Appointment, Training and Evaluation of the Board

                  • HC-8.4.1

                    The licensee should have rigorous procedures for appointment, training and evaluation of the Board.

                    October 2019

                  • Induction and Training of Directors

                    • HC-8.4.2

                      The chairman of the Board should ensure that each new director receives a formal and tailored induction to ensure his contribution to the Board from the beginning of his term. The induction should include meetings with senior management, visits to company facilities, presentations regarding strategic plans, significant financial, accounting and risk management issues, compliance programs, its internal and external auditors and legal counsel.

                      October 2019

                    • HC-8.4.3

                      All continuing directors should be invited to attend orientation meetings and all directors should continually educate themselves as to the licensee's business and corporate governance.

                      October 2019

                    • HC-8.4.4

                      Management, in consultation with the chairman of the Board, should hold programs and presentations to directors respecting the licensee's business and industry, which may include periodic attendance at conferences and management meetings. The Board should oversee directors' corporate governance educational activities.

                      October 2019

                • HC-8.5 HC-8.5 Remuneration of Approved Persons

                  • HC-8.5.1

                    Licensees should remunerate approved persons fairly and responsibly.

                    October 2019

                  • HC-8.5.2

                    Remuneration of approved persons should be sufficient enough to attract, retain and motivate persons of the quality needed to run the operations of the licensee successfully, but the licensee should avoid paying more than is necessary for that purpose.

                    October 2019

                • HC-8.6 HC-8.6 Management Structure

                  • HC-8.6.1

                    The Board of the licensee should establish a clear and efficient management structure.

                    October 2019

                  • Establishment of Management Structure

                    • HC-8.6.2

                      The Board should appoint senior management whose authority should include management and operation of current activities of the licensee, reporting to and under the direction of the Board. The senior managers should include at a minimum:

                      (a) A CEO/General Manager;
                      (b) A chief financial officer and/or Financial Controller;
                      (c) Compliance Officer/MLRO

                      and should also include such other approved persons as the Board considers appropriate and as a minimum should include persons occupying controlled functions as outlined in Paragraph AU-1.2.2.

                      October 2019

                    • HC-8.6.3

                      For purposes of HC-8.6.2 (c) given the nature, scale and complexity of its business, licensees may appoint a part-time or a seconded corporate secretary.

                      October 2019

                  • Titles, Authorities, Duties and Reporting Responsibilities

                    • HC-8.6.4

                      The Board should adopt by-laws prescribing each senior manager's title, authorities, duties and internal reporting responsibilities. This should be done in consultation with the CEO, to whom the other senior managers should normally report.

                      October 2019

                    • HC-8.6.5

                      These provisions should include but should not be limited to the following:

                      (a) The CEO should have authority to act generally in the licensee's name, representing its interests in concluding transactions on its behalf and giving instructions to other senior managers and employees;
                      (b) The chief financial officer should be responsible and accountable for:
                      (i) The complete, timely, reliable and accurate preparation of the licensee's financial statements, in accordance with the accounting standards and board approved policies; and
                      (ii) Presenting the Board with a balanced and understandable assessment of the licensee's financial situation;
                      (c) The corporate secretary's duties should include arranging, recording and following up on the actions, decisions and meetings of the Board and of the shareholders (both at annual and extraordinary meetings) in books to be kept for that purpose; and
                      (d) The internal auditor's duties should include providing an independent and objective review of the efficiency of the licensee's operations. This would include a review of the accuracy and reliability of the licensee's accounting records and financial reports as well as a review of the adequacy and effectiveness of the risk management, control, and governance processes.
                      October 2019

                  • Titles, Authorities, Duties and Reporting Responsibilities

                    • HC-8.6.6

                      The Board should also specify any limits which it wishes to set on the authority of the CEO or other senior managers, such as monetary maximums for transactions which they may authorise without separate Board approval.

                      October 2019

                    • HC-8.6.7

                      The corporate secretary should be given general responsibility for reviewing the licensee's procedures and advising the Board directly on such matters. Whenever practical, the corporate secretary should be a person with legal or similar professional experience and training.

                      October 2019

                    • HC-8.6.8

                      At least annually, the Board should review and concur in a succession plan addressing the policies and principles for selecting a successor to the CEO, both in emergencies and in the normal course of business. The succession plan should include an assessment of the experience, performance, skills and planned career paths for possible successors to the CEO.

                      October 2019

                • HC-8.7 HC-8.7 Communication between Board and Shareholders

                  • HC-8.7.1

                    Licensees should communicate with shareholders, encourage their participation, and respect their rights.

                    October 2019

                  • Conduct of Shareholders' Meetings

                    • HC-8.7.2

                      The Board should observe both the letter and the intent of the Company Law's requirements for shareholder meetings. Among other things:

                      (a) Notices of meetings should be honest, accurate and not misleading. They should clearly state and, where necessary, explain the nature of the business of the meeting;
                      (b) Meetings should be held during normal business hours and at a place convenient for the greatest number of shareholders to attend;
                      (c) Notices of meetings should encourage shareholders to participate by proxy and should refer to procedures for appointing a proxy and for directing the proxy how to vote on a particular resolution. The proxy agreement should list the agenda items and should specify the vote (such as "yes," "no" or "abstain");
                      (d) Notices should ensure that all material information and documentation is provided to shareholders on each agenda item for any shareholder meeting, including but not limited to any recommendations or dissents of directors;
                      (e) The Board should propose a separate resolution at any meeting on each substantially separate issue, so that unrelated issues are not "bundled" together;
                      (f) In meetings where directors are to be elected or removed the Board should ensure that each person is voted on separately, so that the shareholders can evaluate each person individually;
                      (g) The chairman of the meeting should encourage questions from shareholders, including questions regarding the licensee's corporate governance guidelines;
                      (h) The minutes of the meeting should be made available to shareholders upon their request as soon as possible but not later than 30 days after the meeting; and
                      (i) Disclosure of all material facts should be made to the shareholders.
                      October 2019

                    • HC-8.7.3

                      Licensees should require all directors to attend and be available to answer questions from shareholders at any shareholder meeting and, in particular, ensure that the chairs of the audit, remuneration and nominating committees are ready to answer appropriate questions regarding matters within their committee's responsibility (it being understood that confidential and proprietary business information may be kept confidential).

                      October 2019

                    • HC-8.7.4

                      Licensees should require its external auditor to attend the annual shareholders' meeting and be available to answer shareholders' questions concerning the conduct and conclusions of the audit.

                      October 2019

                    • HC-8.7.5

                      Licensees should maintain a company website. Licensees should dedicate a specific section of its website to describing shareholders' rights to participate and vote at each shareholders' meeting, and should post significant documents relating to meetings including the full text of notices and minutes. Licensees may also consider establishing an electronic means for shareholders' communications including appointment of proxies. For confidential information, licensees should grant a controlled access to such information to its shareholders.

                      October 2019

                    • HC-8.7.6

                      In notices of meetings at which directors are to be elected or removed licensees should ensure that:

                      (a) Where the number of candidates exceeds the number of available seats, the notice of the meeting should explain the voting method by which the successful candidates will be selected and the method to be used for counting of votes; and
                      (b) The notice of the meeting should present a factual and objective view of the candidates so that shareholders may make an informed decision on any appointment to the board.
                      October 2019

            • GR GR Ancillary Service Providers General Requirements Module

              • GR-A GR-A Introduction

                • GR-A.1 GR-A.1 Purpose

                  • Executive Summary

                    • GR-A.1.1

                      Module GR presents a variety of different requirements that are not extensive enough to warrant their own stand-alone Module, but for the most part are generally applicable. These include general requirements on confidentiality, books and records, publication of documents, the distribution of dividends, controllers; close links and on suspension of business. There are also included specific requirements for TPAs and credit reference bureaus. Each set of requirements is contained in its own Chapter.

                      April 2016

                  • Legal Basis

                    • GR-A.1.2

                      This Module contains the Central Bank of Bahrain ('CBB') Directive (as amended from time to time) regarding general requirements applicable to ancillary service provider licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 and its amendments ('CBB Law'). Requirements regarding controllers (see Chapter GR-7) are also included in Regulations, to be issued by the CBB.

                      April 2016

                    • GR-A.1.3

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

                      April 2016

                • GR-A.2 GR-A.2 Module History

                  • Evolution of Module

                    • GR-A.2.1

                      This Module was first issued in April 2016 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      April 2016

                    • GR-A.2.2

                      A list of recent changes made to this Module is detailed in the table below:

                      Module Ref. Change Date Description of Changes
                      GR-9.1.8 10/2016 Added a Rule in the Cessation of Business Section to be consistent with other Volumes of the CBB Rulebook.
                      GR-4.3.8 01/2017 Amended Paragraph reference.
                      GR-7.1.6 01/2017 Consistency of notification timeline rule on controllers with other Volumes of the CBB Rulebook.
                      GR-2.2.1 07/2017 Amended paragraph according to the Legislative Decree No. (28) of 2002.
                      GR-2.2.2 07/2017 Deleted paragraph.
                      GR-5A.1 10/2017 Added a chapter on "General Requirements for Financing-Based Crowdfunding Platform Operators".
                      GR-5A.2 10/2017 Additional requirements for “Shari'a — Compliant Financing — Based Crowdfunding Platform Operators".
                      GR-6.1.3 10/2017 Added additional requirement to submit when requesting no-objection letter for proposed dividends.
                      GR-5A.1.4 10/2018 Amended Paragraph to further clarify the scope of exemption.
                      GR-10 11/2018 Amended Paragraph to further clarify the scope of exemption.
                      GR-11 11/2018 Added new Section on Outsourcing
                      GR-5A.1.4 01/2019 Amended Paragraph on maximum credit provided to each borrower under a crowdfunding agreement.
                      GR-5A.1.5 01/2019 Amended Paragraph.
                      GR-5A.1.8 01/2019 Amended Paragraph.
                      GR-5A.1.11A 01/2019 Added a new Paragraph on the minimum time to withdraw a commitment.
                      GR-5B.1 04/2019 Added a Chapter on "Physical Security measures for Payment Service Providers owning or Operating Cash Dispensing Machines (CDMs) or Kiosks".
                      GR-5B.2 04/2019 Additional requirements for "CDM/Kiosk Security Measures: Hardware/Software".
                      GR-7.1.1A 04/2019 Added a new Paragraph on exposure to controllers.
                      GR-7.1.1B 04/2019 Added a new Paragraph on exposure to controllers.
                      GR-5B.1.13 07/2019 Added a new Paragraph on Europay, MasterCard and Visa (EMV) Compliance.
                      GR-5B.1.14 & GR-5B.1.15 10/2019 Added new Paragraphs on Contactless Payment Transactions.
                      GR-2.2.1 01/2020 Amended Paragraph.
                      GR-9.1.8 04/2020 Amended Paragraph.
                      GR-10.3.14 04/2020 Amended Paragraph adding reference to CBB consumer protection.
                      GR-10.5.6 04/2020 Amended Paragraph adding reference to CBB consumer protection.
                      GR-10.7.1 -  GR-10.7.3 04/2020 Amended Paragraphs adding reference to CBB consumer protection.
                      GR-5B.1.13A 07/2020 Added a new Paragraph on contactless payment.
                      GR-C 10/2020 Added a new Chapter on Provision of Financial Services on a Non-discriminatory Basis.
                      GR-12 01/2021 Added a new Chapter on Information Security.
                      GR-13 04/2021 Added a new Chapter on Fees and Charges.
                      GR-12.2 07/2021 Added a new Section on Cyber Security.
                      GR-12.2 01/2022 Enhanced Section on Cyber Security Risk Management.
                      GR-5A 04/2022 Deleted Chapter and replaced with Module CFP requirements.
                      GR-12.2.59 04/2022 Amended Paragraph on cyber security incident reporting.
                      GR-12.2.60 04/2022 Amended Paragraph on submission period of the cyber security incident report.
                      GR-11 07/2022 Replaced Chapter with new Outsourcing Requirements.
                      GR-12.2.26 10/2022 Amended Paragraph on email domains requirements.
                      GR-12.2.26A 10/2022 Added a new Paragraph on additional domains requirements.
                      GR-14 10/2022 Added a new Chapter on marketing of financial services including requirements for arrangements relating to regulated services provided.
                      GR-15 04/2023 Added a new Chapter on Client Money.
                      GR-12.1.3 – GR-12.1.5 07/2023 Added new Rules on Secured customer Authentication requirements.

              • GR-B GR-B Scope of Application

                • GR-B.1 GR-B.1 Ancillary Service Provider Licensees

                  • GR-B.1.1

                    Unless otherwise indicated, the requirements in this Module apply to all ancillary service provider licensees, thereafter referred to in this Module as licensees.

                    April 2016

              • GR-C GR-C Provision of Financial Services on a Non-discriminatory Basis

                • GR-C.1 GR-C.1 Provision of Financial Services on a Non-discriminatory Basis

                  • GR-C.1.1

                    Ancillary service provider licensees must ensure that all regulated financial services are provided without any discrimination based on gender, nationality, origin, language, faith, religion, physical ability or social standing.

                    Added: October 2020

              • GR-1 GR-1 Confidentiality

                • GR-1.1 GR-1.1 General Requirements

                  • GR-1.1.1

                    Licensees must ensure that any information in their control or custody is not used or disclosed unless:

                    (a) They have the customer's or licensee's written consent;
                    (b) Disclosure is made in accordance with the licensee's regulatory obligations; or
                    (c) The licensee and members of the credit reference bureau are legally obliged to disclose the information in accordance with Article 117 of the CBB Law.
                    April 2016

                  • GR-1.1.2

                    Ancillary service providers must take appropriate steps to ensure the security of any information handled for its customers or held on behalf of other CBB licensees.

                    April 2016

              • GR-2 GR-2 Books and Records

                • GR-2.1 GR-2.1 General Requirements

                  • GR-2.1.1

                    In accordance with Article 59 of the CBB Law, all licensees must maintain books and records (whether in electronic or hard copy form) sufficient to produce financial statements and show a complete record of the business undertaken by a licensee. These records must be retained for at least ten years according to Article 60 of the CBB Law.

                    April 2016

                  • GR-2.1.2

                    Paragraph GR-2.1.1 includes accounts, books, files and other records related to client information (e.g. trial balance, general ledger, reconciliations, list of counterparties, etc.). It also includes records that substantiate the value of the assets and liabilities.

                    April 2016

                  • GR-2.1.3

                    Separately, Bahrain Law currently requires other transaction records to be retained for at least five years (see Ministerial Order No. 23 of 2002, Article 5(2), made pursuant to the Amiri Decree Law No. 4 of 2001).

                    April 2016

                  • GR-2.1.4

                    Unless otherwise agreed to by the CBB in writing, records must be kept in either English or Arabic. Any records kept in languages other than English or Arabic must be accompanied by a certified English or Arabic translation. Records must be kept current. The records must be sufficient to allow an audit of the licensee's business or an on-site examination of the licensee by the CBB.

                    April 2016

                  • GR-2.1.5

                    Translations produced in compliance with Rule GR-2.1.4 may be undertaken in-house, by an employee or contractor of the licensee, provided they are certified by an appropriate officer of the licensee.

                    April 2016

                  • GR-2.1.6

                    Records must be accessible at any time from within the Kingdom of Bahrain, or as otherwise agreed with the CBB in writing.

                    April 2016

                  • GR-2.1.7

                    Where older records have been archived, the CBB may accept that records be accessible within a reasonably short time frame (e.g. within 5 business days), instead of immediately. The CBB may also agree similar arrangements where elements of record retention and management have been centralised in another group company, whether inside or outside of Bahrain.

                    April 2016

                  • GR-2.1.8

                    Paragraphs GR-2.1.1 to GR-2.1.7 apply to licensees, with respect to all business activities.

                    April 2016

                • GR-2.2 GR-2.2 Transaction Records

                  • GR-2.2.1

                    Licensees must keep completed transaction records for as long as they are relevant for the purposes for which they were made (with a minimum period in all cases of five years from the date when the transaction was terminated). Records of terminated transactions must be kept whether in hard copy or electronic format as per the Legislative Decree No. (54) of 2018 with respect to Electronic Transactions “The Electronic Communications and Transactions Law” and its amendments.

                    Amended: January 2020
                    Amended: July 2017
                    Added: April 2016

                  • GR-2.2.2

                    [This Paragraph has been deleted in July 2017].

                    Deleted: July 2017
                    April 2016

                  • GR-2.2.3

                    Rule GR-2.2.1 applies only to transactions relating to business booked in Bahrain by the licensee.

                    April 2016

                • GR-2.3 GR-2.3 Other Records

                  • Corporate Records

                    • GR-2.3.1

                      Licensees must maintain the following records in original form or in hard copy at their premises in Bahrain:

                      (a) Internal policies, procedures and operating manuals;
                      (b) Corporate records, including minutes of shareholders', Directors' and management meetings;
                      (c) Correspondence with the CBB and records relevant to monitoring compliance with CBB requirements;
                      (d) Reports prepared by the licensee's internal and external auditors; and
                      (e) Employee records.
                      April 2016

                  • Customer Records

                    • GR-2.3.2

                      Record-keeping requirements with respect to customer records, including customer identification and due diligence records, are contained in Module FC (Financial Crime).

                      April 2016

              • GR-3 GR-3 Publication of Documents by the Licensee

                • GR-3.1 GR-3.1 General Requirements

                  • GR-3.1.1

                    Any written communication, including stationery, business cards or other business documentation published by the licensee, or used by its employees must include a statement that the licensee is regulated by the Central Bank of Bahrain, the type of license and the legal status.

                    April 2016

              • GR-4 GR-4 General Requirements for TPAs

                • GR-4.1 GR-4.1 Compensation

                  • GR-4.1.1

                    A TPA's compensation may be determined:

                    (a) As a percentage of the claims processed by the TPA; or
                    (b) On another basis as specified in the written agreement.
                    April 2016

                • GR-4.2 GR-4.2 Code of Conduct

                  • GR-4.2.1

                    TPAs are allowed to enter into agreement with more than one:

                    (a) Insurance firm; and/or
                    (b) A self-funded scheme outside of Bahrain.
                    April 2016

                  • GR-4.2.2

                    TPAs must not charge any kind of fees to the claimants/policyholders.

                    April 2016

                  • GR-4.2.3

                    TPAs must not market or sell insurance nor own any part of a healthcare facility or company.

                    April 2016

                  • GR-4.2.4

                    Where a TPA owns any part of a healthcare facility or company at the time this Module is issued, it will be permitted to retain its ownership in the company.

                    April 2016

                  • GR-4.2.5

                    TPAs must act in the insurance firm's and/or self-funded scheme's (limited to outside Bahrain) best interests at all times and must fulfill their needs to the best of their ability.

                    April 2016

                  • GR-4.2.6

                    TPAs must improve the skills of their employees and increase their knowledge through continuing education and training.

                    April 2016

                  • GR-4.2.7

                    TPAs must disclose to the existing and prospective insurance firm and/or self-funded scheme (limited to outside Bahrain) any and all information that may affect the TPA's ability to provide services and/or advice to the clients.

                    April 2016

                  • GR-4.2.8

                    TPAs must ensure that all client funds collected and/or held by the TPA are used for the express purpose for which the funds are collected and/or held as understood by the insurance firm and/or self-funded scheme (limited to outside Bahrain).

                    April 2016

                  • GR-4.2.9

                    TPAs must fully disclose to each insurance firm and/or self-funded scheme (limited to outside Bahrain) the terms of engagement and the services to be rendered to that client.

                    April 2016

                • GR-4.3 GR-4.3 Segregation of Funds

                  • GR-4.3.1

                    All funds remitted to a TPA by an insurance firm and/or self-funded scheme (limited to outside Bahrain) must be held by the TPA in a separate account maintained in the name of the insurance firm and/or self-funded scheme (limited to outside Bahrain) or in a separate account maintained jointly in the names of the insurance firm and/or self-funded scheme (limited to outside Bahrain) and the TPA.

                    April 2016

                  • GR-4.3.2

                    When funds are collected by a TPA from a healthcare provider on behalf of an insurance firm and/or self-funded scheme (limited to outside Bahrain), such funds must be promptly deposited in a separate account maintained in the name of the insurance firm and/or self-funded scheme (limited to outside Bahrain) or an account maintained jointly in the names of the insurance firm and/or self-funded scheme (limited to outside Bahrain) and the TPA, or remitted to the insurance firm and/or self-funded scheme (limited to outside Bahrain), as provided for in the agreement.

                    April 2016

                  • GR-4.3.3

                    When an account is held jointly in the names of the insurance firm and/or self-funded scheme (limited to outside Bahrain) and the TPA, the TPA must provide the insurance firm and/or self-funded scheme (limited to outside Bahrain) on a monthly basis a record of all transactions in the joint account.

                    April 2016

                  • GR-4.3.4

                    Funds must not be commingled with any other funds of the TPA nor other insurance firm and/or self-funded scheme (limited to outside Bahrain) of the TPA. Records of a TPA must clearly show funds received and paid out allocated per insurance firm and/or self-funded scheme (limited to outside Bahrain) and must be made available to the insurance firm and/or self-funded scheme (limited to outside Bahrain) upon request.

                    April 2016

                  • GR-4.3.5

                    An insurance firm and/or self-funded scheme (limited to outside Bahrain) shall have the responsibility to make available to the TPA funds necessary to enable the TPA to pay claims in a timely manner, as provided in the agreement.

                    April 2016

                  • GR-4.3.6

                    TPAs must process and settle claims of the policyholder/claimant within 15 calendar days from the receipt of all necessary documents.

                    April 2016

                  • GR-4.3.7

                    TPAs must process and settle claims from healthcare service providers within 30 calendar days from the receipt of all necessary documents from the healthcare service providers.

                    April 2016

                  • GR-4.3.8

                    TPAs must comply with Paragraphs GR-4.3.6 and GR-4.3.7 by 30th September 2016 at the latest.

                    Amended: January 2017
                    April 2016

                • GR-4.4 GR-4.4 Content of Written Agreement

                  • GR-4.4.1

                    A TPA must not conduct any business with an insurance firm and/or self-funded scheme (limited to outside Bahrain) in the absence of a written agreement between the TPA and the insurance firm and/or self-funded scheme (limited to outside Bahrain). The agreement must be retained as part of the official records of the TPA for the duration of the agreement.

                    April 2016

                  • GR-4.4.2

                    The agreement referred to in Paragraph GR-4.4.1 must include at a minimum:

                    (a) The services to be provided by the TPA on behalf of the insurance firm and/or self-funded scheme (limited to outside Bahrain);
                    (b) Financial arrangements;
                    (c) Provisions setting forth the respective liability of the insurance firm and/or self-funded scheme (limited to outside Bahrain) and the TPA for the accuracy and eligibility of submitted claims, and for the prompt submission of claims; and
                    (d) The responsibilities of the TPA to the insurance firm and/or self-funded scheme (limited to outside Bahrain) with respect to the maintenance of appropriate back-up systems against the loss of records, and the maintenance of appropriate insurance coverage by the TPA against the risk of loss.
                    April 2016

                • GR-4.5 GR-4.5 Prohibition of Collection of Premiums/Contributions

                  • GR-4.5.1

                    TPAs are prohibited from collecting premiums/contributions from policyholders. Premiums/contributions must be paid directly by the policyholders to insurance firms.

                    April 2016

              • GR-5 GR-5 General Requirements for Credit Reference Bureaus

                • GR-5.1 GR-5.1 Code of Practice

                  • GR-5.1.1

                    Credit reference bureaus must comply with the Code of Practice (Appendix CM-3 under Volumes 1 and 2 of the CBB Rulebook).

                    April 2016

              • GR-5A GR-5A [This Chapter was deleted in April 2022 and replaced with Module CFP]

                • GR-5A.1 GR-5A.1 [This Section was deleted in April 2022 and replaced with Module CFP]

                  • GR-5A.1.1

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.2

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.3

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.4

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Amended: January 2019
                    Amended: October 2018
                    Added: October 2017

                  • GR-5A.1.5

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Amended: January 2019
                    Added: October 2017

                  • GR-5A.1.6

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.7

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.8

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Amended: January 2019
                    Added: October 2017

                  • GR-5A.1.9

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.10

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.11

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.11A

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: January 2019

                  • GR-5A.1.12

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.13

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.14

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.15

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.16

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.17

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.18

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.19

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.20

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.21

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.22

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.23

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.24

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.25

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.26

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.27

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.28

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.1.29

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                • GR-5A.2 GR-5A.2 [This Section was deleted in April 2022 and replaced with Module CFP]

                  • GR-5A.2.1

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.2.2

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.2.3

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.2.4

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.2.5

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.2.6

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

                  • GR-5A.2.7

                    [This Paragraph was deleted in April 2022].

                    Deleted: April 2022
                    Added: October 2017

              • GR-5B GR-5B Security Measures for Payment Service Providers Owning or Operating Cash Dispensing Machines (CDMs) or Kiosks

                • GR-5B.1 GR-5B.1 Physical Security Measures for Payment Service Providers Owning or Operating Cash Dispensing Machines (CDMs) or Kiosks

                  • General Requirement

                    • GR-5B.1.1

                      Where CDMs/Kiosks are installed at an outdoor location, the Payment Service Providers (PSPs) must provide adequate shade covering the area above the customers and the machine.

                      Added: April 2019

                  • Record Keeping

                    • GR-5B.1.2

                      PSPs must record the details of the site risk assessments and retain such records for a period of five years from the date of the CDMs/Kiosks installation, or for any other period required by the Ministry of the Interior or the CBB from time to time, whichever is the longer.

                      Added: April 2019

                  • CDM/ Kiosk Alarms

                    • GR-5B.1.3

                      In addition to alarming the premises, PSPs must alarm the CDM/Kiosk itself, in a way which activates audibly when the CDM/Kiosk is under attack. The system must be monitored by remote signaling to an appropriate local police response designated by the Ministry of Interior. PSPs must consider the following:

                      (a) The design of the system must ensure that the CDMs/Kiosks have a panic alarm installed;
                      (b) The design of the system must give an immediate, system controlled warning of an attack on the CDMs/Kiosks, and all CDMs/ Kiosks must be fitted with fully operational fraud detection and inhibiting devices;
                      (c) A maintenance record must be kept for the alarm detection system and routine maintenance must be conducted in accordance with at least the manufacturer's recommendations. The minimum must be two planned maintenance visits and tests every 6 months; and
                      (d) The alarm system must be monitored by the PSP's head office 24 hours daily. It must automatically generate an alarm signal if the telephone/internet line fails or is cut.
                      Added: April 2019

                  • Closed-circuit Television (CCTV)

                    • GR-5B.1.4

                      PSPs must ensure that the Cash Dispensing Machines (CDMs) and Kiosks owned and operated by them are equipped with closed-circuit television (CCTV). The location of camera installation must be carefully chosen to ensure that images of the CDM/Kiosk are recorded, however keypad entry or the screen of the CDM/Kiosk must not be captured by the CCTV recording. The camera must support the detection of the attachment of alien devices to the fascia (external body) and possess the ability to generate an alarm for remote monitoring if the camera is blocked or otherwise disabled.

                      Added: April 2019

                    • GR-5B.1.5

                      As a minimum, the CCTV activity must be recorded (preferably in digital format) and, where risk dictates, remotely monitored by the PSP's head office.

                      Added: April 2019

                    • GR-5B.1.6

                      When a CDM or Kiosk is located in an area where a public CCTV system operates, the PSP must liaise with the authority responsible for the CCTV system to include the CDM/Kiosk site in any preset automatic camera settings and request regular sweeps of the site. The CCTV system must not be able to view the CDM/Kiosk keypad or screen, thereby preventing observation of PIN entry.

                      Added: April 2019

                    • GR-5B.1.7

                      PSPs must ensure that the specifications of CCTV cameras meet the following minimum requirements:

                      (a) Analogue Cameras:
                      Resolution — Minimum 700 TVL
                      Lens — Vari-focal lenses from 2.8 to 12mm
                      Sensitivity — Minimum 0.5 Luminance
                      (Lux) without Infrared (IR), 0 Lux with IR
                      IR — At least 10 to 20 meters (Camera that detects motion); and
                      (b) IP Cameras:
                      Resolution — 2 MP — 1080 p
                      Lens — Vari-focal lenses from 2.8 to 12mm
                      Sensitivity — Minimum 0.5 Lux without IR, 0 Lux with IR
                      IR — At least 10 to 20 meters.
                      Added: April 2019

                  • CCTV Network Systems

                    • GR-5B.1.8

                      Notices of CCTV cameras in operation must be put up for the attention of the public. CCTV records must be maintained for a minimum 45-day period. The transmission rate (in terms of the number of frames per second) must be high enough to make for effective monitoring. The CCTV system must be operational 24 hours per day.

                      Added: April 2019

                  • CDMs/Kiosks Lighting

                    • GR-5B.1.9

                      Banks must ensure that adequate and effective lighting is operational at all times within the CDMs/Kiosks environment. The standard of the proposed lighting must be agreed with the Ministry of the Interior and other relevant authorities, and tested at least once every three months to ensure that the lighting is in good working order.

                      Added: April 2019

                  • Fire Alarm

                    • GR-5B.1.10

                      PSPs must ensure that effective fire alarm and fire defense measures, such as a sprinkler, are installed and functioning for all CDMs/Kiosks. These alarms must be linked to the main offices of the PSP.

                      Added: April 2019

                  • Cash Replenishment

                    • GR-5B.1.11

                      All physical cash movements between PSP offices and offsite CDMs/Kiosks must be performed by specialized service providers.

                      Added: April 2019

                  • CDMs/Kiosks Service and Maintenance

                    • GR-5B.1.12

                      PSPs must maintain a list of all details on maintenance, replenishment and inspection visits by staff or other authorized parties.

                      Added: April 2019

                  • Europay, MasterCard and Visa (EMV) Compliance

                    • GR-5B.1.13

                      Prepaid cards issued by PSPs in the Kingdom of Bahrain must be EMV compliant. Moreover, all POSs, CDMs and Kiosks must be EMV compliant for accepting cards issued in the Kingdom of Bahrain. In this context, EMV compliant means using chip and online PIN authentication. However, contactless card payment transactions, where no PIN verification is required, are permitted for small amounts i.e. up to BD 20 per transaction, provided that licensees bear full responsibility in case of fraud occurrence.

                      Added: July 2019

                    • GR-5B.1.13A

                      Where contactless payments use Consumer Device Cardholder Method (CDCVM) for payment authentication and approval, then the authentication required for transactions above BD20 limit mentioned in Paragraph GR-5B.1.13 is not applicable given that the customer has already been authenticated by his device using PIN, biometric or other authentication methods. This is only applicable where the debit/credit card of the customer has already been tokenized in the payment application.

                      Added: July 2020

                    • GR-5B.1.14

                      Licensees must ensure, with effect from 1st October 2019, that any new POS terminals or devices support contactless payment using Near Filed Communication "NFC" technology.

                      Added: October 2019

                    • GR-5B.1.15

                      Licenseesmust ensure, that any payment card issued or reissued on or after 12th October 2019 supports contactless payment using Near Field Communications "NFC" technology.

                      Added: October 2019

                • GR-5B.2 GR-5B.2 CDM/Kiosk Security Measures: Hardware/ Software

                  • GR-5B.2.1

                    Entry to sensitive areas by the PSP staff or other authorized parties into the CDM/Kiosk environment/surroundings must be controlled, monitored and recorded. The names of the persons accessing the area; the date; and the time of access to and exit from the area must be recorded. CCTV cameras must be installed, and used to record all activities within the CDM/Kiosk environment.

                    Added: April 2019

                  • GR-5B.2.2

                    The applicable standards relating to Payment Card Industry (PCI), PIN Transaction Security (PTS), and Point of Interaction (POI) requirements must, in all instances, be fully complied with.

                    Added: April 2019

                  • GR-5B-2.3

                    PSPs must ensure that the integration of Secure Card Readers, (SCRs) and, if applicable, any mechanism protecting the SCRs are properly implemented and fully comply with the guidelines provided by the device vendor. SCRs must be approved by and fully comply with all Payment Card Industry standards at all times.

                    Added: April 2019

                  • GR-5B-2.4

                    PSPs must ensure that all CDMs/Kiosks are equipped with mechanisms which prevent skimming attacks. There must be no known or demonstrable way to disable or defeat the above-mentioned mechanisms, or to install an external or internal skimming device.

                    Added: April 2019

              • GR-6 GR-6 Dividends

                • GR-6.1 GR-6.1 CBB Non-Objection

                  • GR-6.1.1

                    Licensees must obtain a letter of no-objection from the CBB to any dividend proposed, before announcing the proposed dividend by way of press announcement or any other means of communication and prior to submitting a proposal for a distribution of profits to a shareholder vote.

                    April 2016

                  • GR-6.1.2

                    The CBB will grant a no-objection letter where it is satisfied that the level of dividend proposed is unlikely to leave the licensee vulnerable — for the foreseeable future — to breaching the CBB's capital requirements, taking into account (as appropriate) the licensee's liquidity.

                    April 2016

                  • GR-6.1.3

                    To facilitate the prior approval required under Paragraph GR-6.1.1, licensees must provide the CBB with:

                    (a) The licensee's intended percentage and amount of proposed dividends for the year;
                    (b) A letter of no objection from the licensee's external auditor on such profit distribution; and
                    (c) A detailed analysis of the impact of the proposed dividend on the capital requirements outlined in Section AU-2.5 and liquidity position of the licensee.
                    Amended: October 2017
                    April 2016

              • GR-7 GR-7 Controllers

                • GR-7.1 GR-7.1 Key Provisions

                  • GR-7.1.1

                    Licensees must obtain prior written approval from the CBB for any changes to their controllers (as defined in Section GR-7.2):

                    April 2016

                  • GR-7.1.2

                    Condition 3 of the CBB's licensing conditions specifies, among other things, that licensees must satisfy the CBB that their controllers are suitable and pose no undue risks to the licensee (See Paragraph AU-2.3.1). There are also certain procedures which are set out in Articles 52 to 56 of the CBB Law on controllers.

                    April 2016

                  • GR-7.1.3

                    Applicants for a license must provide details of their controllers, by submitting a duly completed Form 2 (Application for Authorisation of Controller). (See sub-Paragraph AU-4.1.4(a)).

                    April 2016

                  • GR-7.1.4

                    Where a controller is a legal person, the controller must notify the CBB of any change in its shareholding at the earlier of:

                    (a) When the change takes effect; and
                    (b) When the controller becomes aware of the proposed change.
                    April 2016

                  • GR-7.1.5

                    For approval under Paragraph GR-7.1.1 to be granted, the CBB must be satisfied that the proposed controller or increase in control poses no undue risks to the licensee or the financial system. The CBB may impose any restrictions that it considers necessary to be observed where approval is given for a new or a change in controller. A duly completed Form 2 (Controllers) must be submitted as part of the request for a change in controllers. An approval of controller will specify the applicable period for effecting the proposed acquisition of shares.

                    April 2016

                  • GR-7.1.6

                    If, as a result of circumstances outside the licensee's knowledge and/or control, a change in controller is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB no later than 15 calendar days on which those changes have occurred.

                    Amended: January 2017
                    April 2016

                  • GR-7.1.7

                    The approval provisions outlined above do not apply to existing holdings or existing voting control by controllers already approved by the CBB. The approval provisions apply to new/prospective controllers or to increases in existing holdings/voting control.

                    April 2016

                  • GR-7.1.8

                    Licensees are required to notify the CBB as soon as they become aware of events that are likely to lead to changes in their controllers.

                    April 2016

                  • GR-7.1.9

                    The criteria by which the CBB assesses the suitability of controllers are set out in Section GR-7.3. The CBB aims to respond to requests for approval within 30 calendar days and is obliged to reply within 3 months to a request for approval. The CBB may contact references and supervisory bodies in connection with any information provided to support an application for controller. The CBB may also ask for further information, in addition to that provided in Form 2, if required to satisfy itself as to the suitability of the applicant.

                    April 2016

                  • GR-7.1.10

                    Licensees must submit, within 3 months of their financial year-end, a report on their controllers (See Subparagraph BR-1.1.3(d)). This report must identify all controllers of the licensee, as defined in Section GR-7.2, the extent of their shareholding interests and any change in their legal status or any adverse information on the controllers.

                    April 2016

                  • GR-7.1.1A

                    Licensees must not incur or otherwise have an exposure (either directly or indirectly) to their controllers, including subsidiaries and associated companies of such controllers.

                    Added: April 2019

                  • GR-7.1.1B

                    For the purpose of Paragraph GR-7.1.1A, licensees that already have an exposure to controllers must have an action plan agreed with the CBB's supervisory point of contact to address such exposures within a timeline agreed with the CBB.

                    Added: April 2019

                • GR-7.2 GR-7.2 Definition of Controller

                  • GR-7.2.1

                    A controller of a licensee is a natural or legal person who either alone, or with his associates:

                    (a) Holds 10% or more of the shares in the licensee ("L"), or is able to exercise (or control the exercise of) 10% or more of the voting power in L;
                    (b) Holds 10% or more of the shares in a parent undertaking ("P") of L, or is able to exercise (or control the exercise of ) 10% or more of the voting power in P; or
                    (c) Is able to exercise significant influence over the management of L or P.
                    April 2016

                  • GR-7.2.2

                    For the purposes of Paragraph GR-7.2.1, "associate" includes:

                    (a) The spouse, son(s) or daughter(s) of a controller;
                    (b) An undertaking of which a controller is a director;
                    (c) A person who is an employee or partner of the controller; and
                    (d) If the controller is a corporate entity, a director of the controller, a subsidiary of the controller, or a director of any subsidiary undertaking of the controller.
                    April 2016

                  • GR-7.2.3

                    Associate also includes any other person or undertaking with which the controller has entered into an agreement or arrangement as to the acquisition, holding or disposal of shares or other interests in the licensee, or under which they undertake to act together in exercising their voting power in relation to the licensee.

                    April 2016

                • GR-7.3 GR-7.3 Suitability of Controllers

                  • GR-7.3.1

                    All new controllers or prospective controllers (as defined in Section GR-7.2) of a licensee must obtain the prior written approval of the CBB. Any increases to existing controllers' holdings or voting control must also have prior written approval from the CBB and are subject to the conditions outlined in this Section. Such changes in existing controllers (as defined in the Section GR-7.2) or new/prospective controllers of a licensee must satisfy the CBB of their suitability and appropriateness. The CBB will issue an approval notice or notice of refusal of a controller according to the approval process outlined in Section GR-7.4.

                    April 2016

                  • GR-7.3.2

                    All controllers or prospective controllers (whether natural or legal persons) of all licensees are subject to the approval of the CBB. Persons who intend to take ownership stakes of 10% or above of the voting capital of a licensee are subject to enhanced scrutiny, given the CBB's position as home supervisor of such licensees. The level of scrutiny and the criteria for approval become more onerous as the level of proposed ownership increases.

                    April 2016

                  • GR-7.3.3

                    In assessing the suitability and the appropriateness of new/prospective controllers (and existing controllers proposing to increase their shareholdings) who are natural persons, the CBB has regard to their professional and personal conduct, including, but not limited to, the following:

                    (a) The propriety of a person's conduct, whether or not such conduct resulted in conviction for a criminal offence, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
                    (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
                    (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
                    (d) Whether the person has been the subject of any disciplinary proceeding by any government authority, regulatory agency or professional body or association;
                    (e) The contravention of any financial services legislation or regulation;
                    (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
                    (g) Dismissal or a request to resign from any office or employment;
                    (h) Disqualification by a court, regulator or other competent body, as a Director or as a manager of a corporation;
                    (i) Whether the person has been a Director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners or managers have been declared bankrupt whilst the person was connected with that partnership or corporation;
                    (j) The extent to which the person has been truthful and open with regulators;
                    (k) Whether the person has ever been adjudged bankrupt, entered into any arrangement with creditors in relation to the inability to pay due debts, or failed to satisfy a judgement debt under a court order or has defaulted on any debts;
                    (l) The person's track record as a controller of, or investor in financial institutions;
                    (m) The financial resources of the person and the likely stability of their shareholding;
                    (n) Existing Directorships or ownership of more than 20% of the capital or voting rights of any financial institution in the Kingdom of Bahrain or elsewhere, and the potential for conflicts of interest that such Directorships or ownership may imply;
                    (o) The legitimate interests of creditors and minority shareholders of the licensee;
                    (p) If the approval of a person as a controller is or could be detrimental to the subject licensee, Bahrain's banking and financial sector or the national interests of the Kingdom of Bahrain; and
                    (q) Whether the person is able to deal with existing shareholders and the board in a constructive and co-operative manner.
                    April 2016

                  • GR-7.3.4

                    In assessing the suitability and appropriateness of legal persons as controllers (wishing to increase their shareholding) or new/potential controllers, the CBB has regard to their financial standing, judicial and regulatory record, and standards of business practice and reputation, including, but not limited to, the following:

                    (a) The financial strength of the person, its parent(s) and other members of its group, its implications for the licensee and the likely stability of the person's shareholding;
                    (b) Whether the person or members of its group have ever entered into any arrangement with creditors in relation to the inability to pay due debts;
                    (c) The person's jurisdiction of incorporation, location of head office, group structure and connected counterparties and the implications for the licensee as regards effective supervision of the licensee and potential conflicts of interest;
                    (d) The person's (and other group members') propriety and general standards of business conduct, including the contravention of any laws or regulations including financial services legislation on regulations, or the institution of disciplinary proceedings by a government authority, regulatory agency or professional body;
                    (e) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct;
                    (f) Any criminal actions instigated against the person or other members of its group, whether or not this resulted in an adverse finding;
                    (g) The extent to which the person or other members of its group have been truthful and open with regulators and supervisors;
                    (h) Whether the person has ever been refused a licence, authorisation, registration or other authority;
                    (i) The person's track record as a controller of, or investor in financial institutions;
                    (j) The legitimate interests of creditors and shareholders of the licensee;
                    (k) Whether the approval of a controller is or could be detrimental to the subject licensee, Bahrain's financial sector or the national interests of the Kingdom of Bahrain;
                    (l) Whether the person is able to deal with existing shareholders and the board in a constructive manner; and
                    (m) Existing Directorships or ownership of more than 20% of the capital or voting rights of any financial institution in the Kingdom of Bahrain or elsewhere, and the potential for conflicts of interest that such Directorships or ownership may imply.
                    April 2016

                • GR-7.4 GR-7.4 Approval Process

                  • GR-7.4.1

                    Within 3 months of receipt of an approval request under Paragraph GR-7.1.1, the CBB will issue an approval notice (with or without restrictions) or a written notice of refusal if it is not satisfied that the person concerned is suitable to increase his shareholding in, or become a controller of the licensee. The notice of refusal or notice of approval with conditions will specify the reasons for the objection or restriction and specify the applicant's right of appeal in either case. Where an approval notice is given, it will specify the period for which it is valid and any conditions that attach. These conditions will include the maximum permitted limit of holding or voting control exercisable by the controller.

                    April 2016

                  • GR-7.4.2

                    Notices of refusal have to be approved by an Executive Director of the CBB. The applicant has 30 calendar days from the date of the notice in which to make written representation as to why his application should not be refused. The CBB then has 30 calendar days from the date of receipt of those representations to reconsider the evidence submitted and make a final determination, pursuant to Article 53 of the Central Bank of Bahrain and Financial Institutions Law (Decree No. 64 of 2006) ("CBB Law") and Module EN (Enforcement).

                    April 2016

                  • GR-7.4.3

                    Pursuant to Article 56 of the CBB Law, where a person has become a controller by virtue of his shareholding in contravention of Paragraph GR-7.1.1, or a notice of refusal has been served to him under Paragraph GR-7.4.1 and the period of appeal has expired, the CBB may, by notice in writing served on the person concerned, direct that his shareholding shall be transferred or until further notice, no voting right shall be exercisable in respect of those shares.

                    April 2016

                  • GR-7.4.4

                    Article 56 of the CBB Law empowers the CBB to take appropriate precautionary measures, or sell such shares mentioned in Paragraph GR-7.4.3, if the licensee fails to carry out the order referred to in the preceding Paragraph.

                    April 2016

              • GR-8 GR-8 Close Links

                • GR-8.1 GR-8.1 Key Provisions

                  • GR-8.1.1

                    Condition 3 of the CBB's licensing conditions specifies, amongst other things, that licensees must satisfy the CBB that their close links do not prevent the effective supervision of the licensee and otherwise pose no undue risks to the licensee. (See Paragraph AU-2.3.1).

                    April 2016

                  • GR-8.1.2

                    Applicants for a license must provide details of their close links, as provided for under Form 1 (Application for a License). (See Paragraph AU-4.1.1).

                    April 2016

                  • GR-8.1.3

                    Licensees must submit to the CBB, within 3 months of their financial year-end, a report on their close links (See Subparagraph BR-1.1.3(b)). The report must identify all undertakings closely linked to the licensee, as defined in Section GR-8.2.

                    April 2016

                  • GR-8.1.4

                    Licensees may satisfy the requirement in Paragraph GR-8.1.3 by submitting a corporate structure chart, identifying all undertakings closely linked to the licensee.

                    April 2016

                  • GR-8.1.5

                    Licensees must provide information on undertakings with which they are closely linked, as requested by the CBB.

                    April 2016

                • GR-8.2 GR-8.2 Definition of Close Links

                  • GR-8.2.1

                    A licensee ('L') has close links with another undertaking ('U'), if:

                    (a) U is a parent undertaking of L;
                    (b) U is a subsidiary undertaking of L;
                    (c) U is a subsidiary undertaking of a parent undertaking of L;
                    (d) U, or any other subsidiary undertaking of its parent, owns or controls 20% or more of the voting rights or capital of L; or
                    (e) L, any of its parent or subsidiary undertakings, or any of the subsidiary undertakings of its parent, owns or controls 20% or more of the voting rights or capital of U.
                    April 2016

                • GR-8.3 GR-8.3 Assessment Criteria

                  • GR-8.3.1

                    In assessing whether a licensee's close links may prevent the effective supervision of the licensee, or otherwise poses no undue risks to the licensee, the CBB takes into account the following:

                    (a) Whether the CBB will receive adequate information from the licensee, and those with whom the licensee has close links, to enable it to determine whether the licensee is complying with CBB requirements;
                    (b) The structure and geographical spread of the licensee, its group and other undertakings with which it has close links, and whether this might hinder the provision of adequate and reliable flows of information to the CBB, for instance because of operations in territories which restrict the free flow of information for supervisory purposes; and
                    (c) Whether it is possible to assess with confidence the overall financial position of the group at any particular time, and whether there are factors that might hinder this, such as group members having different financial year ends or auditors, or the corporate structure being unnecessarily complex and opaque.
                    April 2016

              • GR-9 GR-9 Cessation of Business

                • GR-9.1 GR-9.1 CBB Approval

                  • GR-9.1.1

                    As specified in Article 50 of the CBB Law, a licensee wishing to cease to provide or suspend any or all of the licensed regulated services of its operations and/or liquidate its business must obtain the CBB's prior approval.

                    April 2016

                  • GR-9.1.2

                    Licensees must notify the CBB in writing at least six months in advance of their intended suspension of any or all the licensed regulated services or cessation of business, setting out how they propose to do so and, in particular, how they will treat any of their liabilities.

                    April 2016

                  • GR-9.1.3

                    If the licensee wishes to liquidate its business, the CBB will revise its license to restrict the firm from entering into new business. The licensee must continue to comply with all applicable CBB requirements until such time as it is formally notified by the CBB that its obligations have been discharged and that it may surrender its license.

                    April 2016

                  • GR-9.1.4

                    A licensee in liquidation must continue to meet its contractual and regulatory obligations to its clients and creditors.

                    April 2016

                  • GR-9.1.5

                    Once the licensee believes that it has discharged all its remaining contractual obligations to clients and creditors, it must publish a notice in two national newspapers in Bahrain approved by the CBB (one being in English and one in Arabic), stating that it has settled all its dues and wishes to leave the market. According to Article 50 of the CBB Law, such notice shall be given after receiving the approval of the CBB, not less than 30 days before the actual cessation is to take effect.

                    April 2016

                  • GR-9.1.6

                    The notice referred to in Paragraph GR-9.1.5 must include a statement that written representations concerning the liquidation may be sent to the CBB before a specified day, which shall not be later than thirty days after the day of the first publication of the notice. The CBB will not decide on the application until after considering any representations made to the CBB before the specified day.

                    April 2016

                  • GR-9.1.7

                    If no objections to the liquidation are upheld by the CBB, then the CBB may issue a written notice of approval for the surrender of the license.

                    April 2016

                  • GR-9.1.8

                    Upon satisfactorily meeting the requirements set out in GR-9.1, the licensees must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its commercial registration from the Ministry of Industry, Commerce and Tourism.

                    Amended: April 2020
                    Added: October 2016

              • GR-10 GR-10 Customer Complaints Procedures

                • GR-10.1 GR-10.1 General Requirements

                  • GR-10.1.1

                    All licensees must have appropriate customer complaints handling procedures and systems for effective handling of complaints, whether received directly by the licensee or through other parties connected to the licensee.

                    Added: December 2018

                  • GR-10.1.2

                    Customer complaints procedures must be documented appropriately and their customers must be informed of their availability.

                    Added: December 2018

                  • GR-10.1.3

                    All licensees must appoint a customer complaints officer and publicise his/ her contact details at all departments and branches and on the licensee's website. The customer complaints officer must be of a senior level at the licensee and must be independent of the parties to the complaint to minimise any potential conflict of interest.

                    Added: December 2018

                  • GR-10.1.4

                    The position of customer complaints officer may be combined with that of compliance officer.

                    Added: December 2018

                • GR-10.2 GR-10.2 Documenting Customer Complaints Handling Procedures

                  • GR-10.2.1

                    In order to make customer complaints handling procedures as transparent and accessible as possible, all licensees must document their customer complaints handling procedures. These include setting out in writing:

                    (a) The procedures and policies for:
                    (i) Receiving and acknowledging complaints;
                    (ii) Investigating complaints;
                    (iii) Responding to complaints within appropriate time limits;
                    (iv) Recording information about complaints;
                    (v) Identifying recurring system failure issues;
                    (b) The types of remedies available for resolving complaints; and
                    (c) The organisational reporting structure for the complaints handling function.
                    Added: December 2018

                  • GR-10.2.2

                    Licensees must provide a copy of the procedures to all relevant staff, so that they may be able to inform customers. A simple and easy-to-use guide to the procedures must also be made available to all customers, on request, and when they want to make a complaint.

                    Added: December 2018

                  • GR-10.2.3

                    Licensees are required to ensure that all financial services related documentation provided to the customer includes a statement informing the customer of the availability of a simple and easy-to-use guide on customer complaints procedures in the event the customer is not satisfied with the services provided.

                    Added: December 2018

                • GR-10.3 GR-10.3 Principles for Effective Handling of Complaints

                  • GR-10.3.1

                    Adherence to the following principles is required for effective handling of complaints:

                    Added: December 2018

                  • Visibility

                    • GR-10.3.2

                      "How and where to complain" must be well publicised to customers and other interested parties, in both English and Arabic languages.

                      Added: December 2018

                  • Accessibility

                    • GR-10.3.3

                      A complaints handling process must be easily accessible to all customers and must be free of charge.

                      Added: December 2018

                    • GR-10.3.4

                      While a licensee's website is considered an acceptable mean for dealing with customer complaints, it should not be the only means available to customers as not all customers have access to the internet.

                      Added: December 2018

                    • GR-10.3.5

                      Process information must be readily accessible and must include flexibility in the method of making complaints.

                      Added: December 2018

                    • GR-10.3.6

                      Support for customers in interpreting the complaints procedures must be provided, upon request.

                      Added: December 2018

                    • GR-10.3.7

                      Information and assistance must be available on details of making and resolving a complaint.

                      Added: December 2018

                    • GR-10.3.8

                      Supporting information must be easy to understand and use.

                      Added: December 2018

                  • Responsiveness

                    • GR-10.3.9

                      Receipt of complaints must be acknowledged in accordance with Section GR-10.5 "Response to Complaints".

                      Added: December 2018

                    • GR-10.3.10

                      Complaints must be addressed promptly in accordance with their urgency.

                      Added: December 2018

                    • GR-10.3.11

                      Customers must be treated with courtesy.

                      Added: December 2018

                    • GR-10.3.12

                      Customers must be kept informed of the progress of their complaint, in accordance with Section BC-10.5.

                      Added: December 2018

                    • GR-10.3.13

                      If a customer is not satisfied with a licensee's response, the licensee must advise the customer on how to take the complaint further within the organisation.

                      Added: December 2018

                    • GR-10.3.14

                      In the event that they are unable to resolve a complaint, licensees must outline the options that are open to that customer to pursue the matter further, including, where appropriate, referring the matter to the Consumer Protection Unit at the CBB.

                      Amended: April 2020
                      Added: December 2018

                  • Objectivity and Efficiency

                    • GR-10.3.15

                      Complaints must be addressed in an equitable, objective, unbiased and efficient manner.

                      Added: December 2018

                    • GR-10.3.16

                      General principles for objectivity in the complaints handling process include:

                      (a) Openness:

                      The process must be clear and well publicised so that both staff and customers can understand;
                      (b) Impartiality:
                      (i) Measures must be taken to protect the person the complaint is made against from bias;
                      (ii) Emphasis must be placed on resolution of the complaint not blame; and
                      (iii) The investigation must be carried out by a person independent of the person complained about;
                      (c) Accessibility:
                      (i) The licensee must allow customer access to the process at any reasonable point in time; and
                      (ii) A joint response must be made when the complaint affects different participants;
                      (d) Completeness:

                      The complaints officer must find relevant facts, talk to both sides, establish common ground and verify explanations wherever possible;
                      (e) Equitability:

                      Give equal treatment to all parties;
                      (f) Sensitivity:

                      Each complaint must be treated on its merits and paying due care to individual circumstances;
                      (g) Objectivity for personnel — complaints handling procedures must ensure those complained about are treated fairly which implies:
                      (i) Informing them immediately and completely on complaints about performance;
                      (ii) Giving them an opportunity to explain and providing appropriate support;
                      (iii) Keeping them informed of the progress and result of the complaint investigation;
                      (iv) Full details of the complaint are given to those the complaint is made against prior to interview; and
                      (v) Personnel must be assured they are supported by the process and should be encouraged to learn from the experience and develop a better understanding of the complaints process;
                      (h) Confidentiality:
                      (i) In addition to customer confidentiality, the process must ensure confidentiality for staff who have a complaint made against them and the details must only be known to those directly concerned;
                      (ii) Customer information must be protected and not disclosed, unless the customer consents otherwise; and
                      (iii) Protect the customer and customer's identity as far as is reasonable to avoid deterring complaints due to fear of inconvenience or discrimination;
                      (i) Objectivity monitoring:

                      Licensees must monitor responses to customers to ensure objectivity which could include random monitoring of resolved complaints;
                      (j) Charges:

                      The process must be free of charge to customers;
                      (k) Customer Focused Approach:
                      (i) Licensees must have a customer focused approach;
                      (ii) Licensees must be open to feedback; and
                      (iii) Licensees must show commitment to resolving problems;
                      (l) Accountability:

                      Licensees must ensure accountability for reporting actions and decisions with respect to complaints handling;
                      (m) Continual improvement:

                      Continual improvement of the complaints handling process and the quality of products and services must be a permanent objective of the licensee.
                      Added: December 2018

                • GR-10.4 GR-10.4 Internal Complaint Handling Procedures

                  • GR-10.4.1

                    A licensee's internal complaint handling procedures must provide for:

                    (a) The receipt of written complaints;
                    (b) The appropriate investigation of complaints;
                    (c) An appropriate decision-making process in relation to the response to a customer complaint;
                    (d) Notification of the decision to the customer;
                    (e) The recording of complaints; and
                    (f) How to deal with complaints when a business continuity plan (BCP) is operative.
                    Added: December 2018

                  • GR-10.4.2

                    A licensee's internal complaint handling procedures must be designed to ensure that:

                    (a) All complaints are handled fairly, effectively and promptly;
                    (b) Recurring systems failures are identified, investigated and remedied;
                    (c) The number of unresolved complaints referred to the CBB is minimised;
                    (d) NThe employee responsible for the resolution of complaints has the necessary authority to resolve complaints or has ready access to an employee who has the necessary authority; and
                    (e) Relevant employees are aware of the licensee's internal complaint handling procedures and comply with them and receive training periodically to be kept abreast of changes in procedures.
                    Added: December 2018

                • GR-10.5 GR-10.5 Response to Complaints

                  • GR-10.5.1

                    A licensee must acknowledge in writing customer written complaints within 5 working days of receipt.

                    Added: December 2018

                  • GR-10.5.2

                    A licensee must respond in writing to a customer complaint within 4 weeks of receiving the complaint, explaining their position and how they propose to deal with the complaint.

                    Added: December 2018

                  • Redress

                    • GR-10.5.3

                      A licensee should decide and communicate how it proposes (if at all) to provide the customer with redress. Where appropriate, the licensee must explain the options open to the customer and the procedures necessary to obtain the redress.

                      Added: December 2018

                    • GR-10.5.4

                      Where a licensee decides that redress in the form of compensation is appropriate, the licensee must provide the complainant with fair compensation and must comply with any offer of compensation made by it which the complainant accepts.

                      Added: December 2018

                    • GR-10.5.5

                      Where a licensee decides that redress in a form other than compensation is appropriate, it must provide the redress as soon as practicable.

                      Added: December 2018

                    • GR-10.5.6

                      Should the customer that filed a complaint not be satisfied with the response received as per Paragraph GR-10.5.2, he can forward the complaint to the Consumer Protection Unit at the CBB within 30 calendar days from the date of receiving the letter.

                      Amended: April 2020
                      Added: December 2018

                • GR-10.6 GR-10.6 Records of Complaints

                  • GR-10.6.1

                    A licensee must maintain a record of all customers' complaints. The record of each complaint must include:

                    (a) The identity of the complainant;
                    (b) The substance of the complaint;
                    (c) The status of the complaint, including whether resolved or not, and whether redress was provided; and
                    (d) All correspondence in relation to the complaint. Such records must be retained by the licensees for a period of 5 years from the date of receipt of the complaint.
                    Added: December 2018

                • GR-10.7 GR-10.7 Reporting of Complaints

                  • GR-10.7.1

                    A licensee must submit to the CBB's Consumer Protection Unit, 20 days after the end of the quarter, a quarterly report summarising the following:

                    (a) The number of complaints received;
                    (b) The substance of the complaints;
                    (c) The number of days it took the licensee to acknowledge and to respond to the complaints; and
                    (d) The status of the complaint, including whether resolved or not, and whether redress was provided.
                    Amended: April 2020
                    Added: December 2018

                  • GR-10.7.2

                    The report referred to in Paragraph GR-10.7.1 must be sent electronically to complaint@cbb.gov.bh.

                    Amended: April 2020
                    Added: December 2018

                  • GR-10.7.3

                    Where no complaints have been received by the licensee within the quarter, a 'nil' report should be submitted to the CBB's Consumer Protection Unit.

                    Amended: April 2020
                    Added: December 2018

                • GR-10.8 GR-10.8 Monitoring and Enforcement

                  • GR-10.8.1

                    Compliance with these requirements is subject to the ongoing supervision of the CBB as well as being part of any CBB inspection of a licensee. Failure to comply with these requirements is subject to enforcement measures as outlined in Module EN (Enforcement).

                    Added: December 2018

              • GR-11 GR-11 Outsourcing Requirements

                • GR-11.1 GR-11.1 Outsourcing Arrangements

                  • GR-11.1.1

                    This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

                    Amended: July 2022
                    Added: December 2018

                  • GR-11.1.2

                    In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

                    Amended: July 2022
                    Added: December 2018

                  • GR-11.1.3

                    In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

                    i. The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; and
                    ii. The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.
                    Amended: July 2022
                    Added: December 2018

                  • GR-11.1.4

                    The licensee must not outsource the following functions:

                    (i) Compliance;
                    (ii) AML/CFT;
                    (iii) Financial control;
                    (iv) Risk management; and
                    (v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).
                    Amended: July 2022
                    Added: December 2018

                  • GR-11.1.5

                    For the purposes of Paragraph GR-11.1.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph GR-11.1.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.

                    Amended: July 2022
                    Added: December 2018

                  • GR-11.1.6

                    Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph GR-11.1.4 (iv), subject to CBB’s prior approval.

                    Amended: July 2022
                    Added: December 2018

                  • GR-11.1.7

                    Licensees must comply with the following requirements:

                    (i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:
                    a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and
                    b. be made at least 30 calendar days before the licensee intends to commit to the arrangement.
                    (ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.
                    (iii) Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.
                    (iv) Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of the licensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.
                    (v) Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement.
                    (vi) Licensee must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.
                    (vii) Licensee must inform its normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.
                    Amended: July 2022
                    Added: December 2018

                  • GR-11.1.8

                    For the purpose of Subparagraph GR-11.1.7 (iv), licensees as part of their assessments may use the following:

                    a) Independent third-party certifications on the outsourcing service provider’s security and other controls;
                    b) Third-party or internal audit reports of the outsourcing service provider; and
                    c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.

                    When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.

                    Amended: July 2022
                    Added: December 2018

                  • GR-11.1.9

                    For the purpose of Subparagraph GR-11.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.

                    Amended: July 2022
                    Added: December 2018

              • GR-12 GR-12 Information Security

                • GR-12.1 GR-12.1 Electronic Frauds

                  • GR-12.1.1

                    PSPs must implement enhanced fraud monitoring of movements in customers’ accounts to guard against electronic frauds using various tools and measures, such as limits in value, volume and velocity.

                    Added: January 2021

                  • GR-12.1.2

                    PSPs must have in place customer awareness communications, pre and post onboarding process, using video calls, short videos or pop-up messages, to alert and warn natural persons using online channels or applications about the risk of electronic frauds, and emphasise the need to secure their personal credentials and not share them with anyone, online or offline.

                    Added: January 2021

                  • Secure Authentication

                    • GR-12.1.3

                      PSPs and crowdfunding platform operators must take appropriate measures to authenticate the identity and authorisation of customers when the customer accesses the online or digital platform or when a transaction is initiated on the platform. Licensees must, at a minimum, establish adequate security features for customer authentication including the use of at least two different elements out of the following three elements:

                      (a) Knowledge (something only the user knows), such as PIN or password;
                      (b) Possession (something only the user possesses) such as mobile phone, smart watch, smart card or a token; and
                      (c) Inherence (something the user is), such as fingerprint, facial recognition, voice patterns, DNA signature and iris format.
                      Added: July 2023

                    • GR-12.1.4

                      For the purpose of Paragraph GR-12.1.3, licensees must ensure that the authentication elements are independent from each other, in that the breach of one does not compromise the reliability of the others and are sufficiently complex to prevent forgery.

                      Added: July 2023

                    • GR-12.1.5

                      For the purposes of Subparagraph GR-12.1.3 (b), where a customer’s mobile device is registered/marked as ‘trusted’ using knowledge, biometric or other authentication methods through the licensee’s application, the use of such mobile device would be considered as meeting the ‘possession’ element for authentication of future access or transactions using that device.

                      Added: July 2023

                • GR-12.2 GR-12.2 Cyber Security Risk Management

                  • GR-12.2.1

                    This Section applies to ancillary service provider licensees that provide services through digital channels.

                    Amended: January 2022
                    Added: July 2021

                  • GR-12.2.2

                    All licensees must have in place vulnerability and patch management processes, including remediation processes to ensure that the vulnerabilities identified are addressed. Security patches must be applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.

                    Amended: January 2022
                    Added: July 2021

                  • GR-12.2.3

                    PSPs, AISPs, and PISPs must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least twice a year and all other licensees offering services through digital means must perform such tests at least once a year. The tests must be conducted simulating real world cyber-attacks on the technology environment and must:

                    (a) Follow a risk-based approach based on an internationally recognised methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
                    (b) Include both Grey Box and Black Box testing in its scope;
                    (c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
                    (d) Be performed by external, independent third parties which must be changed at least every two years; and
                    (e) Be performed on either the production environment or on non-production exact replicas of the production environment.
                    Amended: January 2022
                    Added: July 2021

                  • GR-12.2.4

                    The tests referred to in Paragraph GR-12.2.3 must be conducted each year in June and December by licensees required to perform the tests twice a year and in June for licensees required to perform the tests at least once a year. Reports on penetration testing must be submitted to CBB before 30th September for the tests as at 30th June and 31st March for the tests as at 31st December. The penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests together with the steps taken to mitigate the risks identified.

                    Amended: January 2022
                    Added: July 2021

                  • Role of the Board and Senior Management

                    • GR-12.2.5

                      The Board of licensees must ensure that the licensee has a robust cyber security risk management framework to comprehensively manage the licensee’s cyber security risk and vulnerabilities. The Board must establish clear ownership, decision-making and management accountability for risks associated with cyber-attacks and related risk management and recovery processes.

                      Added: January 2022

                    • GR-12.2.6

                      Licensees must ensure that the cyber security risk management framework encompasses, at a minimum, the following components:

                      a) Cyber security strategy;
                      b) Cyber security policy; and
                      c) Cyber security risk management approach, tools and methodology and, an organization-wide security awareness program.
                      Added: January 2022

                    • GR-12.2.7

                      The cyber security risk management framework must be developed in accordance with the National Institute of Standards and Technology (NIST) Cyber security framework which is summarized in Appendix A – Cyber security Control Guidelines. At the broader level, the Cyber security framework should be consistent with the licensee’s risk management framework.

                      Added: January 2022

                    • GR-12.2.8

                      Senior management, and where appropriate, the boards, should receive comprehensive reports, covering cyber security issues such as the following:

                      a. Key Risk Indicators/ Key Performance Indicators;
                      b. Status reports on overall cyber security control maturity levels;
                      c. Status of staff Information Security awareness;
                      d. Updates on latest internal or relevant external cyber security incidents; and
                      e. Results from penetration testing exercises.
                      Added: January 2022

                    • GR-12.2.9

                      The Board must ensure that the cyber security risk management framework is evaluated for scope of coverage, adequacy and effectiveness every three years or when there are significant changes to the risk environment, taking into account emerging cyber threats and cyber security controls.

                      Added: January 2022

                    • GR-12.2.10

                      Licensees must have in place arrangements to handle cyber security risk management responsibilities. Licensees may, commensurate with their size and risk profile, assign the responsibilities to a qualified Chief Information Security Officer (CISO) reporting to an independent risk management function or incorporate the responsibilities of cyber security risk into the risk management function. Overseas licensees must be governed under a framework of cyber security risk management policies which ensure that an adequate level of oversight is exercised by the regional office or head office.

                      Added: January 2022

                    • GR-12.2.11

                      Licensees should ensure that appropriate resources are allocated to the cyber security risk management function for implementing the cyber security framework.

                      Added: January 2022

                    • GR-12.2.12

                      Licensees must ensure that the cyber security risk management function is headed by suitably qualified Chief Information Security Officer (CISO), with appropriate authority to implement the Cyber Security strategy.

                      Added: January 2022

                    • GR-12.2.13

                      Licensees may establish a cyber security committee that is headed by an independent senior manager from a control function (like CFO / CRO), with appropriate authority to approve policies and frameworks needed to implement the cyber security strategy, and act as a governance committee for the cyber security function. Membership of this committee should include senior management members from business functions, IT, Risk and Compliance.

                      Added: January 2022

                    • GR-12.2.14

                      The senior management must be responsible for the following activities:

                      (a) Create the overall cyber security risk management framework and adequately oversee its implementation;
                      (b) Formulate an organisation-wide cyber security strategy and cyber security policy;
                      (c) Implement and consistently maintain an integrated, organisation-wide, cyber security risk management framework, and ensure sufficient resource allocation;
                      (d) Monitor the effectiveness of the implementation of cyber security risk management practices and coordinate cyber security activities with internal and external risk management entities;
                      (e) Ensure that internal management reporting caters to cyber threats and cyber security risk treatment;
                      (f) Prepare quarterly or more frequent reports on all cyber incidents (internal and external) and their implications on the licensee; and
                      (g) Ensure that processes for identifying the cyber security risk levels across the licensee are in place and annually evaluated.
                      Added: January 2022

                    • GR-12.2.15

                      The senior management must ensure that:

                      (a) The licensee has identified clear internal ownership and classification for all information assets and data;
                      (b) The licensee has maintained an inventory of the information assets and data which is reviewed and updated regularly;
                      (c) The cyber security staff are adequate to manage the licensee’s cyber security risks and facilitate the performance and continuous improvement of all relevant cyber security controls;
                      (d) It provides and requires cyber security staff to attend regular cyber security update and training sessions (for example Security+, CEH, CISSP, CISA, CISM, CCSP) to stay abreast of changing cyber security threats and countermeasures.
                      Added: January 2022

                    • GR-12.2.16

                      With respect to Subparagraph GR-12.2.15(a), data classification entails analyzing the data the licensee retains, determining its importance and value, and then assigning it to a category. When classifying data, the following aspects of the policy should be determined:

                      a) Who has access to the data;
                      b) How the data is secured;
                      c) How long the data is retained (this includes backups);
                      d) What method should be used to dispose of the data;
                      e) Whether the data needs to be encrypted; and
                      f) What use of the data is appropriate.

                      The general guideline for data classification is that the definition of the classification should be clear enough so that it is easy to determine how to classify the data. In other words, there should be little (if any) overlap in the classification definitions. The owner of data (i.e. the relevant business function) should be involved in such classification.

                      Added: January 2022

                  • Cyber Security Strategy

                    • GR-12.2.17

                      An organisation-wide cyber security strategy must be defined and documented to include:

                      (a) The position and importance of cyber security at the licensee;
                      (b) The primary cyber security threats and challenges facing the licensee;
                      (c) The licensee’s approach to cyber security risk management;
                      (d) The key elements of the cyber security strategy including objectives, principles of operation and implementation approach;
                      (e) Scope of risk identification and assessment, which must include the dependencies on third party service providers;
                      (f) Approach to planning response and recovery activities; and
                      (g) Approach to communication with internal and external stakeholders including sharing of information on identified threats and other intelligence among industry participants.
                      Added: January 2022

                    • GR-12.2.18

                      The cyber security strategy should be communicated to the relevant stakeholders and it should be revised as necessary and, at least, once every three years. Appendix A provides cyber security control guidelines that can be used as reference to support the licensee’s cyber security strategy and cyber security policy.

                      Added: January 2022

                  • Cyber Security Policy

                    • GR-12.2.19

                      Licensees must implement a written cyber security policy setting forth its policies for the protection of its electronic systems and client data stored on those systems, which must be reviewed and approved by the licensee’s senior management, as appropriate, at least annually. The cyber security policy areas including but not limited to the following must be addressed:

                      (a) Definition of the key cyber security activities within the licensee, the roles, responsibilities, delegated powers and accountability for these activities;
                      (b) A statement of the licensee’s overall cyber risk tolerance as aligned with the licensee’s business strategy. The cyber risk tolerance statement should be developed through consideration of the various impacts of cyber threats including customer impact, service downtime, potential negative media publicity, potential regulatory penalties, financial loss, and others;
                      (c) Definition of main cyber security processes and measures and the approach to control and assessment;
                      (d) Policies and procedures (including process flow diagrams) for all relevant cyber security functions and controls including the following:
                      (a) Asset management (Hardware and software);
                      (b) Incident management (Detection and response);
                      (c) Vulnerability management;
                      (d) Configuration management;
                      (e) Access management;
                      (f) Third party management;
                      (g) Secure application development;
                      (h) Secure change management;
                      (i) Cyber training and awareness;
                      (j) Cyber resilience (business continuity and disaster planning); and
                      (k) Secure network architecture.
                      Added: January 2022

                  • Approach, Tools and Methodology

                    • GR-12.2.20

                      Licensees must ensure that the cyber security policy is effectively implemented through a consistent risk-based approach using tools and methodologies that are commensurate with the size and risk profile of the licensee. The approach, tools and methodologies must cover all cyber security functions and controls defined in the cyber security policy.

                      Added: January 2022

                    • GR-12.2.21

                      Licensees should establish and maintain plans, policies, procedures, process and tools (“playbooks”) that provide well-defined, organised approaches for cyber incident response and recovery activities, including criteria for activating the measures set out in the plans and playbooks to expedite the licensee’s response time. Plans and playbooks should be developed in consultation with business lines to ensure business recovery objectives are met and are approved by senior management before broadly shared across the licensee. They should be reviewed and updated regularly to incorporate improvements and/or changes in the licensee. Licensees may enlist external subject matter experts to review complex and technical content in the playbook, where appropriate. A number of plans and playbooks should be developed for specific purposes (e.g. response, recovery, contingency, communication) that align with the overall cyber security strategy.

                      Added: January 2022

                  • Prevention Controls

                    • GR-12.2.22

                      A Licensee must develop and implement preventive measures across all relevant technologies to minimise the licensee’s exposure to cyber security risk. Such preventive measures must include, at a minimum, the following:

                      (a) Deployment of End Point Protection (EPP) and Endpoint Detection and Response (EDR) including anti-virus software and anti-malware programs to detect, prevent, and isolate malicious code;
                      (b) Use of firewalls for network segmentation including use of Web Application Firewalls (WAF) where relevant, for filtering and monitoring HTTP traffic between a web application and the Internet, and access control lists to limit unauthorized system access between network segments;
                      (c) Rigorous security testing at software development stage as well as after deployment to limit the number of vulnerabilities;
                      (d) Use of a secure email gateway to limit email based cyber attacks such as malware attachments, malicious links, and phishing scams (for example use of Microsoft Office 365 Advanced Threat Protection tools for emails);
                      (e) Use of a Secure Web Gateway to limit browser based cyber-attacks, malicious websites and enforce organization policies;
                      (f) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on the organization’s systems; and
                      (g) Implementing Bring Your Own Device “BYOD” security policies to secure all mobile devices with any access to licensee systems, applications, and networks through security measures such as encryption, remote wipe capabilities, and password enforcement.
                      Added: January 2022

                    • GR-12.2.23

                      Licensees should also implement the following prevention controls in the following areas:

                      (a) Data leakage prevention to detect and prevent confidential data from leaving the licensee’s technology environment;
                      (b) to Controls or solutions to secure, control, manage and monitor privileged access to critical assets, (e.g. Privileged Access Management (PAM);
                      (c) Controls to secure physical network ports against connection to computers which are unauthorised to connect to the licensee’s network or which do not meet the minimum-security requirements defined for licensee computer systems (e.g. Network access control); and
                      (d) Identity and access management controls to limit the exploitation and monitor the use of privileged and non-privileged accounts.
                      Added: January 2022

                    • GR-12.2.24

                      Licensees must set up anti-spam and anti-spoofing measures to authenticate the licensee’s mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorized to send the email. Examples of such measures include:

                      • SPF “Sender Policy Framework”;
                      • DKIM “Domain Keys Identified Mail”; and
                      • DMARC “Domain-based Message Authentication, Reporting and Conformance”.
                      Added: January 2022

                    • GR-12.2.25

                      Licensees should subscribe to one of the Cyber Threat Intelligence services in order to stay abreast of emerging cyber threats, cybercrime actors and state of the art tools and security measures.

                      Added: January 2022

                    • GR-12.2.26

                      Licensees must use a single unified private email domain or its subdomains for communication with customers to prevent abuse by third parties. Licensees must not utilise third-party email provider domains for communication with customers. The email domains must comply with the requirements with respect to SPF, DKIM and DMARC in this Module. With respect to URLs or other clickable links in communications with customers, licensees must comply with the following requirements:

                      (a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of customer request or action. Examples of such customer actions include verification links for customer onboarding, payment links for customer-initiated transactions etc;
                      (b) Refrain from using shortened links in communication with customers;
                      (c) Implement one or more of the following measures for links sent to customers:
                      i. ensure customers receive clear instructions in communications sent with the links;
                      ii. prior notification to the customer such as through a phone call informing the customer to expect a link from the licensee;
                      iii. provision of transaction details such as the transaction amount and merchant name in the message sent to the customer with the link;
                      iv. use of other verification measures like password or biometric authentication; and
                      (d) Create customer awareness campaigns to educate their customers on the risk of fraud related to links they receive in SMS, short messages and emails with clear instructions to customers that licensees will not send clickable links in SMS, emails and other short messages to request information or payments unless it is as a result of customer request or action.
                      Amended: October 2022
                      Added: January 2022

                    • GR-12.2.26A

                      For the purpose of Paragraph GR-12.2.26, subject to CBB’s approval, licensees may be allowed to use additional domains for email communications with customers under certain circumstances. Examples of such circumstances include emails sent to customers by:

                      (a) Head/regional office of a licensee; and
                      (b) Third-party service providers subject to prior arrangements being made with customers. Examples of such third-party services include informational subscription services (e.g. Bloomberg) and document management services (e.g. DocuSign).
                      Added: October 2022

                  • Cyber Risk Identification and Assessments

                    • GR-12.2.27

                      Licensees must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing current cyber threats relevant to the licensee, it should take into account the factors detailed below:

                      (a) Cyber threat entities including cyber criminals, cyber activists, insider threats;
                      (b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;
                      (c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;
                      (d) Dark web surveillance to identify any plot for cyber attacks;
                      (e) Examples of cyber threats from past cyber attacks on the licensee if available; and
                      (f) Examples of cyber threats from recent cyber attacks on other organisations.
                      Added: January 2022

                    • GR-12.2.28

                      Licensees must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. Cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood and probability of a successful attack.

                      Added: January 2022

                    • GR-12.2.29

                      Licensees should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above the licensee’s risk tolerance levels.

                      Added: January 2022

                    • GR-12.2.30

                      Licensees must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Assessments for external public facing services and systems must be more frequent.

                      Added: January 2022

                    • GR-12.2.31

                      With respect to Paragraph GR-12.2.30, external technology refers to the licensee’s public facing technology such as websites, apps and external servers. Connections with third parties includes any API or other connections with fintech companies, technology providers, outsourcing service providers etc.

                      Added: January 2022

                    • GR-12.2.32

                      CBB may require additional third-party security reviews to be performed as needed.

                      Added: January 2022

                  • Cyber Incident Detection and Management

                    • GR-12.2.33

                      Licensees must implement cyber security incident management processes to ensure timely detection, response and recovery for cyber security incidents. This includes implementing a monitoring system for log correlation and anomaly detection.

                      Added: January 2022

                    • GR-12.2.34

                      Licensees should receive data on a real time basis from all relevant systems, applications, and network devices including operational and business systems. The monitoring system should be capable of identifying indicators of cyber incidents and initiate alerts, reports, and response activities based on the defined cyber security incident management process.

                      Added: January 2022

                    • GR-12.2.35

                      Licensees should retain the logs and other information from the monitoring system for detecting cyber incidents, including "low-and-slow" attacks, in order to facilitate incident investigations, for 12 months or longer.

                      Added: January 2022

                    • GR-12.2.36

                      Once a cyber incident is detected, licensees should activate their containment measures, processes and technologies best suited to each type of cyber incident to prevent a cyber incident from inflicting further damage. This may involve, after considering the costs, business impact and operational risks, shutting down or isolating all or affected parts of their systems and networks as deemed necessary for containment and diagnosis.

                      Added: January 2022

                    • GR-12.2.37

                      Licensees must define roles and responsibilities and assign adequate resources to detect, identify, investigate and respond to cyber incidents that could impact the licensee’s infrastructure, services and customers. Such responsibilities must include log correlation, anomaly detection and maintaining the licensee’s asset inventory and network diagrams.

                      Added: January 2022

                    • GR-12.2.38

                      Licensees must regularly identify, test, review and update current cyber security risk scenarios and the corresponding response plan. This is to ensure that the scenarios and response plan remain relevant and effective taking into account changes in the operating environment, systems or the emergence of new cyber security threats. If any gaps are identified, the monitoring system must be updated with new use cases and rule sets which are capable of detecting the current cyber incident scenarios.

                      Added: January 2022

                    • GR-12.2.39

                      The cyber incident scenario tests should include high-impact-low-probability events and scenarios that may result in failure. Common cyber incident scenarios include distributed denial of service (DDoS) attacks, system intrusion, data exfiltration and system disruption. Licensees should regularly use threat intelligence to update the scenarios so that they remain current and relevant. Licensees should periodically review current cyber incident scenarios for the purpose of assessing the licensee’s ability to detect and respond to these scenarios if they were to occur.

                      Added: January 2022

                    • GR-12.2.40

                      Licensees must ensure that critical cyber security incidents detected are escalated to an incident response team, management and the Board, in accordance with the licensee’s business continuity plan and crisis management plan, and that an appropriate response is implemented promptly. See also Paragraph GR-12.2.59 for the requirement to report to CBB.

                      Added: January 2022

                    • GR-12.2.41

                      Licensees should clearly define the roles, responsibilities and accountabilities for cyber incident detection and response activities to one or more named individuals that meet the pre-requisite role requirements. Potential conflicts of interest are minimised by ensuring a separation of implementation and oversight roles where possible. The roles should include:

                      Incident Owner: An individual that is responsible for handling the overall cyber incident detection and response activities according to the incident type and services affected. The Incident Owner is delegated appropriate authority to manage the mitigation or preferably, removal of all impacts due to the incident.
                      Spokesperson: An individual, from External Communications Unit or another suitable department, that is responsible for managing the communications strategy by consolidating relevant information and views from subject matter experts and the licensee’s management to update the internal and external stakeholders with consistent information.
                      Record Keeper: An individual that is responsible for maintaining an accurate record of the cyber incident throughout its different phases, as well as documenting actions and decisions taken during and after a cyber incident. The record serves as an accurate source of reference for after-action reviews to improve future cyber incident detection and response activities.
                      Added: January 2022

                    • GR-12.2.42

                      For the purpose of managing a critical cyber incident, the licensee should operate a situation room, and should include in the incident management procedure a definition of the authorities and responsibilities of staff members, internal and external reporting lines, communication channels, tools and detailed working procedures. The situation room or a war room is a physical room or a virtual room where relevant members of the management gather to handle a crisis in the most efficient manner possible.

                      Added: January 2022

                    • GR-12.2.43

                      Licensees should record and document in an orderly manner the incidents that have been handled and the actions that were taken by the relevant functions. In particular, the licensee should maintain an "incident log" in which all the notifications, decisions and actions taken, in relation to cyber incidents, are documented, as close as possible to the time of their occurrence. It should also include the status of the issue whether it is open or has been resolved and person in charge of resolving the issue/incident. The logs should be stored and preserved in a secure and legally admissible manner.

                      Added: January 2022

                    • GR-12.2.44

                      Licensees should utilise pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions; and a pre-established severity assessment framework to help gauge the severity of the cyber incident. For example, taxonomies that can be used when describing cyber incidents:

                      (a) Describe the cause of the cyber incident (e.g. process failure, system failure, human error, external event, malicious action)
                      (b) Describe whether the cyber incident due to a third-party service provider
                      (c) Describe the attack vector (e.g. malware, virus, worm, malicious hyperlink)
                      (d) Describe the delivery channel used (e.g. e-mail, web browser, removable storage media)
                      (e) Describe the impact (e.g. service degradation/disruption, service downtime, potential impact to customers, data leakage, unavailability of data, data destruction/corruption, tarnishing of reputation)
                      (f) Describe the type of incident (e.g. zero-day attack, exploiting a known vulnerability, isolated incident)
                      (g) Describe the intent (e.g. malicious, theft, monetary gain, fraud, political, espionage, opportunistic)
                      (h) Describe the threat actor (e.g. script kiddies, amateur, criminal syndicate, hacktivist, nation state)

                      The cyber incident severity may be classified as:

                      (a) Severity 1 incident has or will cause a serious disruption or degradation of critical service(s) and there is potentially high impact on public confidence in the licensee.
                      (b) Severity 2 incident has or will cause some degradation of critical services and there is medium impact on public confidence in the licensee.
                      (c) Severity 3 incident has little or no impact to critical services and there is no visible impact on public confidence in the licensee.
                      Added: January 2022

                    • GR-12.2.45

                      Licensees should determine the effects of the cyber incident on customers and to the wider financial system as a whole and report the results of such an assessment to CBB if it is determined that the cyber incident may have a systemic impact.

                      Added: January 2022

                    • GR-12.2.46

                      Licensees should establish metrics to measure the impact of a cyber incident and to report to management the performance of response activities. Examples include:

                      1. Metrics to measure impact of a cyber incident
                      (a) Duration of unavailability of critical functions and services
                      (b) Number of stolen records or affected accounts
                      (c) Volume of customers impacted
                      (d) Amount of lost revenue due to business downtime, including both existing and future business opportunities
                      (e) Percentage of service level agreements breached
                      2. Performance metrics for incident management
                      (a) Volume of incidents detected and responded via automation
                      (b) Dwell time (i.e. the duration a threat actor has undetected access until completely removed)
                      (c) Recovery Point objectives (RPO) and recovery time objectives (RTO) satisfied
                      Added: January 2022

                  • Recovery

                    • GR-12.2.47

                      Licensees must identify the critical systems and services within its operating environment that must be recovered on a priority basis in order to provide certain minimum level of services during the downtime and determine how much time the licensee will require to return to full service and operations.

                      Added: January 2022

                    • GR-12.2.48

                      Critical incidents are defined as incidents that trigger the BCP and the crisis management plan. Critical systems and services are those whose failure can have material impact on any of the following elements:

                      a) Financial situation;
                      b) Reputation;
                      c) Regulatory, legal and contractual obligations; and
                      d) Operational aspects and delivery of key products and services.
                      Added: January 2022

                    • GR-12.2.49

                      Licensees must define a program for recovery activities for timely restoration of any capabilities or services that were impaired due to a cyber security incident. Licensees must establish recovery time objectives (“RTOs”), i.e. the time in which the intended process is to be covered, and recovery point objectives (“RPOs”), i.e. point to which information used must be restored to enable the activity to operate on resumption”. Licensees must also consider the need for communication with third party service providers, customers and other relevant external stakeholders as may be necessary.

                      Added: January 2022

                    • GR-12.2.50

                      Licensees must ensure that all critical systems are able to recover from a cyber security breach within the licensee’s defined RTO in order to provide important services or some level of minimum services for a temporary period of time.

                      Added: January 2022

                    • GR-12.2.51

                      Licensees should validate that recovered assets are free of compromise, fully functional and meet the security requirements before returning the systems to normal business operations. This includes performing checks on data to ensure data integrity. In some cases, licensees may need to use backup data kept in a disaster recovery site or plan for the reconstruction of data from external stakeholders such as business partners and customers.

                      Added: January 2022

                    • GR-12.2.52

                      Licensees must define a program for exercising the various response mechanisms, taking into account the various types of exercises such as attack simulations, "war games" and "table top" exercises, and with reference to the relevant stakeholders such as technical staff, crisis management team, decision-makers and spokespersons.

                      Added: January 2022

                    • GR-12.2.53

                      Licensees must define the mechanisms for ensuring accurate, timely and actionable communication of cyber incident response and recovery activities with the internal stakeholders, including to the board or designated committee of the board.

                      Added: January 2022

                    • GR-12.2.54

                      Licensee must ensure its business continuity plan is comprehensive and includes a recovery plan for its systems, operations and services arising from a cyber security incident.

                      Added: January 2022

                  • Cyber Security Insurance

                    • GR-12.2.55

                      Licensees must arrange to seek cyber risk insurance cover from a suitable insurer, following a risk-based assessment of cyber security risk is undertaken by the respective licensee and independently verified by the insurance company. The insurance policy may include some or all of the following types of coverage, depending on the risk assessment outcomes:

                      (a) Crisis management expenses, such as costs of notifying affected parties, costs of forensic investigation, costs incurred to determine the existence or cause of a breach, regulatory compliance costs, costs to analyse the insured’s legal response obligations;
                      (b) Claim expenses such as costs of defending lawsuits, judgments and settlements, and costs of responding to regulatory investigations; and
                      (c) Policy also provides coverage for a variety of torts, including invasion of privacy or copyright infringement. First-party coverages may include lost revenue due to interruption of data systems resulting from a cyber or denial of service attack and other costs associated with the loss of data collected by the insured.
                      Added: January 2022

                  • Training and Awareness

                    • GR-12.2.56

                      Licensees must evaluate improvement in the level of awareness and preparedness to deal with cyber security risk to ensure the effectiveness of the training programmes implemented.

                      Added: January 2022

                    • GR-12.2.57

                      The licensee must ensure that all employees receive adequate training on a regular basis, in relation to cyber security and the threats they could encounter, such as through testing employee reactions to simulated cyber-attack scenarios. All relevant employees must be informed on the current cyber security breaches and threats. Additional training should be provided to ‘higher risk staff’.

                      Added: January 2022

                    • GR-12.2.58

                      The licensees must ensure that role specific cyber security training is provided on a regular basis to relevant staff including:

                      (a) Executive board and senior management;
                      (b) Cyber security roles;
                      (c) IT staff; and
                      (d) Any high-risk staff as determined by the licensee.
                      Added: January 2022

                  • Incident Reporting to CBB

                    • GR-12.2.59

                      Upon occurrence or detection of any cyber security incident, whether internal or external, that compromises customer information or disrupts critical services that affect operations, licensees must contact the CBB, immediately (within one hour), on 17547477 and submit Section A of the Cyber Security Incident Report (Appendix RM-1) to CBB’s cyber incident reporting email, incident.ancillary@cbb.gov.bh (for Ancillary Service Providers) or incident.tpa@cbb.gov.bh (for TPAs), within two hours.

                      Amended: April 2022
                      Added: January 2022

                    • GR-12.2.60

                      Following the submission referred to in Paragraph GR-12.2.59, the licensee must submit to CBB Section B of the Cyber Security Incident Report (Appendix RM-1) within 10 calendar days of the occurrence of the cyber security incident. Licensees must include all relevant details in the report, including the full root cause analysis of the cyber security incident, its impact on the business operations and customers, and all measures taken by the licensee to stop the attack, mitigate its impact and to ensure that similar events do not recur. In addition, a weekly progress update must be submitted to CBB until the incident is fully resolved.

                      Amended: April 2022
                      Added: January 2022

                    • GR-12.2.61

                      With regards to the submission requirement mentioned in Paragraph GR-12.2.60, the licensee should submit the report with as much information as possible even if all the details have not been obtained yet.

                      Added: January 2022

              • GR-12 GR-13 Fees and Charges

                • GR-13.1 GR-13.1 Merchant Fees on Payments to Zakat and Charity Fund

                  • GR-13.1.1

                    PSPs must exempt the Zakat and Charity Fund (“the Fund”) of the Ministry of Justice, Islamic Affairs and Awqaf from merchant fees for payments made to the Fund.

                    Added: April 2021

              • GR-14 GR-14 Marketing of Financial Services

                • GR-14.1 GR-14.1 Arrangements relating to Regulated Services provided by PSPs

                  • GR-14.1.1

                    Pursuant to Article 3(b) of Resolution No. (16) of 2012 relating to marketing financial services in the Kingdom of Bahrain, and in relation to regulated services provided by PSPs:

                    (a) Where a PSP has entered into an arrangement with a third party offering, as part of its services, marketing services relevant to the regulated services, the said third party may market the regulated services, subject to the following conditions:
                    (i) The arrangement between the PSP and third party must be subject to a contract that governs all aspects of the relationship including, but not limited to, the marketing of the regulated services and all rights, responsibilities and obligations of both the PSP and the third party; and
                    (ii) The arrangement must be in full compliance with the CBB Law, its regulations, resolutions and directives (including the CBB Rulebook) and all other applicable laws and regulations;
                    (b) The PSP shall remain fully responsible for the regulated services provided in connection with the arrangement and for any violations of the CBB Law, its regulations, resolutions and directives (including the CBB Rulebook) that arise out of, or in connection with, the said arrangement;
                    (c) Any arrangement involving the provision of regulated services by the aforementioned third party shall be illegal and be subject to the relevant penal provisions in the CBB law.
                    Added: October 2022

              • GR-15 GR-15 Marketing of Financial Services

                • GR-15.1 GR-15.1 Client Money Requirements

                  • GR-15.1.1

                    This Chapter applies to all PSPs that are allowed to hold client money.

                    Added: April 2023

                  • GR-15.1.2

                    Licensees must receive client money into a client money account with a retail bank in Bahrain and make clear in the title of the bank account that the funds in the account belong to one or more customers of the licensee and not to the licensee.

                    Added: April 2023

                  • GR-15.1.3

                    Licensees must ensure that it has established and implemented adequate policies, procedures and systems, including those related to fraud risk and that the client money is:

                    (a) Held in a segregated client money account;
                    (b) Used only for the purposes for which the licensee received it from its customers;
                    (c) Not used for licensee’s own use or given as collateral for any purpose to a third party or be subject to any restrictions; and
                    (d) Reported as a separate balance sheet item in the licensee’s financial statements specifying also the nature and purpose for which such funds are held on behalf of its customers.
                    Added: April 2023

                  • GR-15.1.4

                    Licensees must perform reconciliations of client money accounts with related client customer accounts in their accounting records. These reconciliations must be carried out on a monthly basis as at the last business day of each calendar month. The licensee must ensure that the reconciliations are completed within 10 business days of the month end so that any unresolved differences, shortfalls and excess balances can be investigated, and corrective action initiated.

                    Added: April 2023

                  • GR-15.1.5

                    Licensees holding client money in the course of carrying out payment services must appoint independent auditors to perform an audit of client money every 6 months and submit the report to the CBB as required in Paragraph BR-1.1.6.

                    Added: April 2023

              • Appendix A – Cyber Security Control Guidelines

                The Control Guidelines consists of five Core tasks which are defined below. These Functions are not intended to form a serial path or lead to a static desired end state. Rather, the Functions should be performed concurrently and continuously to form an operational culture that addresses the dynamic cyber security risk.

                Identify – Develop an organisation-wide understanding to manage cyber security risk to systems, people, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Cyber Security Risk Management Framework. Understanding the business context, the resources that support critical functions, and the related cyber security risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

                Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cyber security incident.

                Detect – Develop and implement appropriate activities to identify the occurrence of a cyber security incident. The Detect Function enables timely discovery of cyber security events.

                Respond – Develop and implement appropriate activities to take action regarding a detected cyber security incident. The Respond Function supports the ability to contain the impact of a potential cyber security incident.

                Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cyber security incident.

                Below is a listing of the specific cyber security activities that are common across all critical infrastructure sectors:

                IDENTIFY

                Asset Management: The data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the licensee’s risk strategy.

                1. Physical devices and systems within the licensee are inventoried.
                2. Software platforms and applications within the licensee are inventoried.
                3. Communication and data flows are mapped.
                4. External information systems are catalogued.
                5. Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
                6. Cyber security roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.

                Business Environment: The licensee’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cyber security roles, responsibilities, and risk management decisions.

                1. Priorities for the licensee’s mission, objectives, and activities are established and communicated.
                2. Dependencies and critical functions for delivery of critical services are established.
                3. Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations).

                Governance: The policies, procedures, and processes to manage and monitor the licensee’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cyber security risk.

                1. licensee’s cyber security policy is established and communicated.
                2. Cyber security roles and responsibilities are coordinated and aligned with internal roles and external partners.
                3. Legal and regulatory requirements regarding cyber security, including privacy and civil liberties obligations, are understood and managed.
                4. Governance and risk management processes address cyber security risks.

                Risk Assessment: The licensee understands the cyber security risk to licensee’s operations (including mission, functions, image, or reputation), licensee’s assets, and individuals.

                1. Asset vulnerabilities are identified and documented.
                2. Cyber threat intelligence is received from information sharing forums and sources.
                3. Threats, both internal and external, are identified and documented.
                4. Potential business impacts and likelihoods are identified.
                5. Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
                6. Risk responses are identified and prioritized.

                Risk Management Strategy: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

                1. Risk management processes are established, managed, and agreed to by licensee’s stakeholders.
                2. The licensee’s risk tolerance is determined and clearly expressed.
                3. The licensee’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.

                Third Party Risk Management: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing third party risk. The licensee has established and implemented the processes to identify, assess and manage supply chain risks.

                1. Cyber third-party risk management processes are identified, established, assessed, managed, and agreed to by the licensee’s stakeholders.
                2. Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber third party risk assessment process.
                3. Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of a licensee’s cyber security program.
                4. Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
                5. Response and recovery planning and testing are conducted with suppliers and third-party providers.

                PROTECT

                Identity Management, Authentication and Access Control: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

                1. Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.
                2. Physical access to assets is managed and protected.
                3. Remote access is managed.
                4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
                5. Network integrity is protected (e.g., network segregation, network segmentation).
                6. Identities are proofed and bound to credentials and asserted in interactions
                7. Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).

                Awareness and Training: The licensee’s personnel and partners are provided cyber security awareness education and are trained to perform their cyber security-related duties and responsibilities consistent with related policies, procedures, and agreements.

                1. All users are informed and trained on a regular basis.
                2. Licensee’s security awareness programs are updated at least annually to address new technologies, threats, standards, and business requirements.
                3. Privileged users understand their roles and responsibilities.
                4. Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
                5. The Board and senior management understand their roles and responsibilities.
                6. Physical and cyber security personnel understand their roles and responsibilities.
                7. Software development personnel receive training in writing secure code for their specific development environment and responsibilities.

                Data Security: Information and records (data) are managed consistent with the licensee’s risk strategy to protect the confidentiality, integrity, and availability of information.

                1. Data-at-rest classified as critical or confidential is protected through strong encryption.
                2. Data-in-transit classified as critical or confidential is protected through strong encryption.
                3. Assets are formally managed throughout removal, transfers, and disposition
                4. Adequate capacity to ensure availability is maintained.
                5. Protections against data leaks are implemented.
                6. Integrity checking mechanisms are used to verify software, firmware, and information integrity.
                7. The development and testing environment(s) are separate from the production environment.
                8. Integrity checking mechanisms are used to verify hardware integrity.

                Information Protection Processes and Procedures: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational units), processes, and procedures are maintained and used to manage protection of information systems and assets.

                1. A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).
                2. A System Development Life Cycle to manage systems is implemented
                3. Configuration change control processes are in place.
                4. Backups of information are conducted, maintained, and tested.
                5. Policy and regulations regarding the physical operating environment for licensee’s assets are met.
                6. Data is destroyed according to policy.
                7. Protection processes are improved.
                8. Effectiveness of protection technologies is shared.
                9. Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
                10. Response and recovery plans are tested.
                11. Cyber security is included in human resources practices (e.g., deprovisioning, personnel screening).
                12. A vulnerability management plan is developed and implemented.

                Maintenance: Maintenance and repairs of information system components are performed consistent with policies and procedures.

                1. Maintenance and repair of licensee’s assets are performed and logged, with approved and controlled tools.
                2. Remote maintenance of licensee’s assets is approved, logged, and performed in a manner that prevents unauthorized access.

                Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

                1. Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
                2. Removable media is protected and its use restricted according to policy.
                3. The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
                4. Communications and control networks are protected.
                5. Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.

                DETECT

                Anomalies and Events: Anomalous activity is detected and the potential impact of events is understood.

                1. A baseline of network operations and expected data flows for users and systems is established and managed.
                2. Detected events are analyzed to understand attack targets and methods.
                3. Event data are collected and correlated from multiple sources and sensors
                4. Impact of events is determined.
                5. Incident alert thresholds are established.

                Security Continuous Monitoring: The information system and assets are monitored to identify cyber security events and verify the effectiveness of protective measures.

                1. The network is monitored to detect potential cyber security events.
                2. The physical environment is monitored to detect potential cyber security events
                3. Personnel activity is monitored to detect potential cyber security events.
                4. Malicious code is detected.
                5. Unauthorized mobile code is detected.
                6. External service provider activity is monitored to detect potential cyber security events.
                7. Monitoring for unauthorized personnel, connections, devices, and software is performed.
                8. Vulnerability scans are performed at least quarterly.

                Detection Processes: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.

                1. Roles and responsibilities for detection are well defined to ensure accountability.
                2. Detection activities comply with all applicable requirements.
                3. Detection processes are tested.
                4. Event detection information is communicated.
                5. Detection processes are continuously improved.

                RESPOND

                Response Planning: Response processes and procedures are executed and maintained, to ensure response to detected cyber security incidents. Response plan is executed during or after an incident.

                Communications: Response activities are coordinated with internal and external stakeholders.

                1. Personnel know their roles and order of operations when a response is needed.
                2. Incidents are reported consistent with established criteria.
                3. Information is shared consistent with response plans.
                4. Coordination with internal and external stakeholders occurs consistent with response plans.
                5. Voluntary information sharing occurs with external stakeholders to achieve broader cyber security situational awareness.
                6. Incident response exercises and scenarios across departments are conducted at least annually.

                Analysis: Analysis is conducted to ensure effective response and support recovery activities.

                1. Notifications from detection systems are investigated.
                2. The impact of the incident is understood.
                3. Forensics are performed.
                4. Incidents are categorized consistent with response plans.
                5. Processes are established to receive, analyze and respond to vulnerabilities disclosed to the licensee from internal and external sources (e.g. internal testing, security bulletins, or security researchers).

                Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.

                1. Incidents are contained.
                2. Incidents are mitigated.
                3. Newly identified vulnerabilities are mitigated or documented as accepted risks.

                Improvements: The response activities are improved by incorporating lessons learned from current and previous detection/response activities.

                1. Response plans incorporate lessons learned.
                2. Response strategies are updated.

                RECOVER

                Recovery Planning: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cyber security incidents. Recovery plan is executed during or after a cyber security incident.

                Improvements: Recovery planning and processes are improved by incorporating lessons learned into future activities.

                1. Recovery plans incorporate lessons learned.
                2. Recovery strategies are updated.

                Communications: Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).

                1. Public relations are managed.
                2. Reputation is repaired after an incident.
                3. Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.
                Added: January 2022

          • Business Standards

            • OB OB Open Banking Module

              • OB-A OB-A Introduction

                • OB-A.1 OB-A.1 Purpose

                  • OB-A.1.1

                    This Module sets out the Central Bank of Bahrain's (CBB's) Directive relevant to ancillary service providers providing either or both of the following regulated services defined in the Ancillary Services Authorisation Module of the CBB Rulebook Volume 5 in the Kingdom of Bahrain:

                    (a) the provision of account information services; or
                    (b) the provision of payment initiation services.
                    Added: December 2018

                  • OB-A.1.2

                    This Module should be read in conjunction with the requirements in other parts of the CBB Rulebook, Volume 5, applicable to specialised licensees particularly:

                    (c) Ancillary Service Providers Authorisation Module;
                    (d) Principles of Business Module;
                    (e) General Requirements Module;
                    (f) CBB Reporting Requirements Module
                    (g) Auditors and Accounting Standards Module;
                    (h) Financial Crime Module; and
                    (i) Enforcement Module.
                    Added: December 2018

                  • Legal Basis

                    • OB-A.1.3

                      This Module contains the CBB's Directive (as amended from time to time) applicable to ancillary services providers undertaking account information services or payment initiation services, and is issued under the powers available to the CBB under Article 38 of the CBB Law.

                      Added: December 2018

                    • OB-A.1.4

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      Added: December 2018

                • OB-A.2 OB-A.2 Module History

                  • OB-A.2.1

                    This Module was first issued in November 2018. It is numbered as version 01. All subsequent changes to this Module are annotated with a sequential version number. UG-3 provides further details on Rulebook maintenance and version control.

                    Added: December 2018

                  • OB-A.2.2

                    A list of recent changes made to this Module is provided below:

                    Module Ref.Change DateDescription of Changes
                    OB-1.1.1207/2021Amended Paragraph on PISPs procedures..
                    OB-1.1.1307/2021Amended Paragraph on AISPs procedures..
                    OB-2.1.107/2021Amended Paragraph on AISPs and PISPs framework contract.
                    OB-2.1.507/2021Added a new Paragraph on customer consent.
                    OB-2.1.607/2021Added A new Paragraph on data access.
                    OB-2.2.107/2021Amended Paragraph on authentication.
                    OB-2.2.207/2021Deleted Paragraph.
                    OB-2.2.307/2021Deleted Paragraph.
                    OB-2.2.407/2021Deleted Paragraph.
                    OB-2.2.507/2021Deleted Paragraph.
                    OB-2.2.607/2021Deleted Paragraph.
                    OB-2.3.807/2021Amended Paragraph on fees and charges.
                    OB-2.4.107/2021Amended Paragraph on adherence to guidelines.
                    OB-2.4.207/2021Amended Paragraph on compliance.
                    OB-2.4.307/2021Added a new Paragraph on technology solutions provided.
                    OB-2.4.301/2024Amended Paragraph on technology solutions provided.
                    OB-B.1.105/2024Amended introduction Paragraph.
                    OB-2.4.105/2024Amended Paragraph on technology related requirements.

              • OB-B OB-B Scope of Application

                • OB-B.1 OB-B.1 Introduction

                  • OB-B.1.1

                    The provision of account information services and payment initiation services entails obtaining access to customer accounts (the term ‘customer’ refers to both natural and legal persons) through 'application program interfaces' (APIs) with licensees maintaining customer accounts include conventional retail bank licenseesIslamic retail bank licensees financing companies and PSPs operating electronic wallets, (referred to in this Module as "licensees maintaining customer accounts"). Given the nature of risks inherent in online activities, the ancillary service providers undertaking such activities will be subject to strict regulatory standards to ensure the integrity and safety of customer data, the APIs, customer on boarding process, authentication process, communication sessions, process for tracking of security incidents and associated standards of dealing with the customers while undertaking this activity.

                    Amended: September 2024
                    Added: December 2018

              • OB-1 OB-1 Risks, Systems and Controls

                • OB-1.1 OB-1.1 Risks, Systems and Controls

                  • Internal Controls

                    • OB-1.1.1

                      The Board of Directors or equivalent authority must take responsibility for the establishment and oversight of effective risk management and internal controls.

                      Added: December 2018

                    • OB-1.1.2

                      Account information service providers (AISPs) and payment initiation service providers (PISPs) must use technology solutions which are capable of interfacing with software and systems used by licensees maintaining customer accounts with no material modifications to their systems.

                      Added: December 2018

                    • OB-1.1.3

                      Consistent with Module PB: Principles of Business, Paragraph, PB-1.1.10, AISPs and PISPs must establish adequate internal controls to safeguard the business, its customers and licensees to which they have online access to.

                      Added: December 2018

                    • OB-1.1.4

                      The internal controls must include, but not be limited to, those relating to the following:

                      (a) The development and or acquisition of the technology solutions to conduct the activity;
                      (b) Testing of the solutions and application program interfaces;
                      (c) Standards of communication and access and security of communication sessions;
                      (d) Safe authentication of the users;
                      (e) Processes and measures that protect customer data confidentiality and personalised security credentials consistent with Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018;
                      (f) Tools and measures to prevent frauds and errors;
                      (g) Security policy;
                      (h) Information security testing including web applications testing, configuration reviews, penetration testing and smart device application testing
                      (i) Risk management controls;
                      (j) Prevention of anti-money laundering (AML) and combating terrorist financing (CTF);
                      (k) Record keeping and audit trails; and
                      (l) Operational and financial controls.
                      Added: December 2018

                  • Operational Risks

                    • OB-1.1.5

                      AISPs and PISPs must document the process by which they identify, prioritise and manage their operational risks.

                      Added: December 2018

                    • OB-1.1.6

                      Operational risk in AISPs' and PISPs' activities include the risk of loss of confidential customer data, financial loss or reputational loss resulting from inadequate or failed internal processes, people, technology and systems, or from external events including risks of internal and external frauds and cyber threats. In assessing potential operational risk, the following are some of the factors that may affect the licensee's risk exposure:

                      (a) Lack of governance, board and management oversight;
                      (b) Inadequate internal controls;
                      (c) Insufficient transaction monitoring;
                      (d) Failure of information technology through breakdown, incompatibility of legacy systems and poor scalability, poor security, etc.;
                      (e) Failure or insufficient cyber and information security controls;
                      (f) Failure of processes and procedures;
                      (g) Internal and external fraud;
                      (h) Legal risks;
                      (i) Outsourcing risk;
                      (j) Business continuity and disaster recovery; and
                      (k) Reputational risks.
                      Added: December 2018

                    • OB-1.1.7

                      AISPs and PISPs must establish comprehensive procedures for monitoring, handling and following up on security and fraud incidents and related customer complaints including but not limited to the following:

                      a) organisational measures and tools for the prevention of such incidents;
                      b) details of the individual(s) and bodies responsible for assisting customers in cases of the incidents and technical issues and/or claim management;
                      c) reporting lines in cases of such incidents;
                      d) the contact point for customers, including a name and email address;
                      e) the procedures for the reporting of incidents, including the communication of these reports to internal or external bodies, including notification of major incidents to national competent authorities; and
                      f) the monitoring tools used and the follow-up measures and procedures in place to mitigate security and fraud risks.
                      Added: December 2018

                    • OB-1.1.8

                      AISPs and PISPs must maintain an up to date security policy document containing the following information:

                      a) A detailed documentation of the technology architecture and of the systems and the network elements providing:
                      i. a description of the business IT systems supporting the business activities;
                      ii. the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
                      iii. for each of the connections, the logical security measures and mechanisms in place, specifying the control the licensee will have over such access as well as the nature and frequency of each control,
                      iv. process for the opening/closing of communication lines, and description of security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
                      b) the logical security measures and mechanisms that govern the internal access to IT systems;
                      c) the physical security measures and mechanisms of the premises and the data centre of the licensee, such as access controls and environmental security;
                      d) the security of the account information and payment initiation processes, which should include:
                      i. the customer authentication procedures used for both consultative and transactional access, and for all underlying payment instruments;
                      ii. an explanation of how safe delivery of tokens to the legitimate customer; and
                      iii. a description of the integrity of authentication factors, tokens and online and mobile applications at the time of both initial enrolment and renewal.
                      Added: December 2018

                    • OB-1.1.9

                      AISPs and PISPs must ensure they have an up to date business continuity plan and arrangements consisting of the following information:

                      a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
                      b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
                      c) an explanation of how the licensee will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons; and
                      d) the frequency with which the licensee intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
                      Added: December 2018

                    • OB-1.1.10

                      AISPs and PISPs must appoint a third party specialist to conduct vulnerability assessments against cyber-attacks and penetration testing on the specific API security standards every 6 months. The specialist's report must be submitted to the CBB, along with the licensee's related action plan to resolve any issues identified. All relevant threat profiles referenced in the security standards including the risk of social engineering must be considered for the reviews.

                      Added: December 2018

                    • OB-1.1.11

                      AISPs and PISPs must ensure that their overall systems and controls including but not limited to the business continuity, disaster recovery, information security testing, web-applications testing, smart device application testing, and cyber resilience are evaluated and independently tested by an external consultant:

                      a) initially upon implementation of this Module;
                      b) when there are any material changes to the systems and controls; and
                      c) at least once every 3 years.
                      Added: December 2018

                    • OB-1.1.12

                      A PISP must establish procedures to ensure:

                      (a) that it will not store a customer's personalised security credentials, such as customer’s KYC and biometric information and that such data are:
                      i. not accessible to other parties, with the exception of the issuer of the credentials; and
                      ii. transmitted through safe and efficient channels;
                      (b) that any other information about a customer is not provided to any person except a payee, and is provided to the payee only with the customer's explicit consent;
                      (c) that each time a PISP initiates a payment order on behalf of its customer, the PISP identifies itself to the licensee with whom the customer maintains the account in a secure way;
                      (d) [This Sub-paragraph was deleted in July 2021];
                      (e) that it will not access, use or store any information for any purpose except for the provision of a payment initiation service explicitly requested by a payer, however, it may store payment details initiated by the customer such as payment amounts, payment accounts, payment reference number, payment execution dates, time and payee’s IBAN number;
                      (f) that it cannot and does not change the amount, the payee or any other feature of a transaction notified to it by the customer.
                      (g) that any data accessed and stored is encrypted in transit and at rest and, must not be accessible to any unauthorised person within the licensee’s organisation.
                      Amended: July 2021
                      Added: December 2018

                    • OB-1.1.13

                      An AISP must establish procedures to ensure:

                      (a) it does not provide account information services without the customer's explicit consent;
                      (b) that it will not store the customer's personalised security credentials such as customer’s KYC and biometric information and that such data are:
                      i. not accessible to other parties, with the exception of the issuer of the credentials; and
                      ii. transmitted through safe and efficient channels;
                      (c) for each communication session, communicate securely with licensee and the customer in accordance with the regulatory requirements of this Module;
                      (d) that it does not access any information other than information from designated accounts;
                      (e) it will not access, use or store any information for any purpose except for the provision of the account information service explicitly requested by the customer;
                      (f) that any data accessed and stored is encrypted in transit and at rest and, must not be accessible to any unauthorised person within the licensee’s organisation; and
                      (g) that customer information accessed must not be stored in a form which permits identification of customer once the customer consent is withdrawn.
                      Amended: July 2021
                      Added: December 2018

              • OB-2 OB-2 Operating Rules

                • OB-2.1 OB-2.1 Framework Contracts

                  • Legal arrangement and transparency

                    • OB-2.1.1

                      AISPs and PISPs must establish a framework contract (a legal arrangement) with the customer prior to providing AIS or PIS services. The framework contract must provide the information set forth below that are relevant to the services they provide:

                      (a) The following information about the service and the provider:
                      i. the name, address and contact details of the PISP or AISP as the case may be;
                      ii. a description of the main characteristics of the service to be provided;
                      iii. the information or unique identifier that must be provided by the customer in order for a payment order to be properly initiated or executed;
                      (b) the form and procedures for giving consent to provide account information service, the initiation of a payment order and for the withdrawal of consent;
                      (c) provisions regarding the time of receipt of a payment order and the cut-off time, if any, established by the licensee and the maximum execution time for the payment services to be provided;
                      (d) whether spending limits for the use of a payment instrument may be agreed;
                      (e) the detail of all fees and charges payable by the customer to the PISP/AISP, including those connected to the manner in and frequency with which information is provided or made available and, where applicable, a breakdown of the amounts of any charges;
                      (f) the means of communication agreed between the parties for the transmission of information or notifications under this Module including, where relevant, any technical requirements for the customer's equipment and software for receipt of the information or notifications;
                      (g) The terms under which the customer may opt out from the use of the payment instrument;
                      (h) explicit consents required for generic marketing promotions by the PISP/AISP; and
                      (i) the terms of the framework contract and information.
                      (j) The following information about safeguards and corrective measures in compliance with PDPL:
                      i. where relevant, a description of the steps that the customer is to take in order to keep safe a payment instrument and how to notify the PISP/AISP for the purposes of obligations of the customer in relation to loss, theft, misappropriation, unauthorised use of the payment instruments and personalised security credentials;
                      ii. the secure procedures, by which the PISP/AISP will contact the customer in the event of suspected or actual fraud or security threats;
                      iii. the conditions under which the PISP/AISP stops or prevents the use of a payment instrument;
                      iv. the customer's liability, (payer or payee's liability for unauthorized payment transactions), including details of any limits on such liability;
                      v. how and within what period of time the customer is to notify the licensee maintaining customer account of any unauthorised or incorrectly initiated or executed payment transaction, and liability, if any for unauthorised payment transactions falling on the licensee maintaining customer account for execution of unauthorised payment transactions);
                      vi. liability, if any, in the event of initiation or execution or non-execution or defective or late execution of payment transactions;
                      vii. liability of parties in the event of a cyber-attack and loss of sensitive data; and
                      viii. the conditions for any refunds for payment transactions initiated by or through a payee.
                      (k) The following information about changes to and termination of the framework contract:
                      i. the time given to the customer to review and accept any proposed changes; which under no circumstances, shall be less than 10 calendar days;
                      ii. the proposed terms under which the customer will be deemed to have accepted changes to the framework contract in accordance, unless they notify the service provider that they do not accept such changes before the proposed date of their entry into force;
                      iii. the duration of the framework contract;
                      iv. where relevant, the right of the customer to terminate the framework contract and any agreements relating to.
                      (l) The following information about redress:
                      i. any contractual clause on the law applicable to the framework contract;
                      ii. the customer complaint procedures and the availability of alternative dispute resolution procedures for the customer and the methods for having access to them; and
                      iii. the name/title and contact number of the person designated to handle any queries or complaints.
                      Amended: July 2021
                      Added: December 2018

                    • OB-2.1.2

                      The information specified in Paragraph OB-2.1.1 must be provided to the customer free of charge before initiation of service.

                      Added: December 2018

                    • OB-2.1.3

                      (a) A framework contract may provide for the PISP to have the right to stop the use of a payment instrument on reasonable ground relating to: the security of the payment instrument; or
                      (b) the suspected unauthorised or fraudulent use of the payment instrument.
                      Added: December 2018

                    • OB-2.1.4

                      AISPs and PISPs must agree the basis, the time period and the manner in which the information on its intention to stop the use of the payment instrument will be provided to the customer and to the relevant licensees maintaining customer accounts.

                      Added: December 2018

                    • OB-2.1.5

                      AISPs must allow customers to provide consent for accessing their account information for a duration of up to 12 months.

                      Added: July 2021

                    • OB-2.1.6

                      AISPs must allow their customers to choose the nature and type of data to be collected or accessed and used by the AISP for the purpose of providing the services.

                      Added: July 2021

                • OB-2.2 OB-2.2 Standards for Authentication and Communication

                  • Secure authentication

                    • OB-2.2.1

                      AISPs and PISPs must have in place a 2-factor authentication process to prevent unauthorised access.

                      (a) [This sub-paragraph was deleted in July 2021];
                      (b) [This sub-paragraph was deleted in July 2021];
                      (c) [This sub-paragraph was deleted in July 2021].
                      Amended: July 2021
                      Added: December 2018

                    • OB-2.2.2

                      [This Paragraph was deleted in July 2021].

                      Deleted: July 2021
                      Added: December 2018

                    • OB-2.2.3

                      [This Paragraph was deleted in July 2021].

                      (a) [This sub-paragraph was deleted in July 2021];
                      (b) [This sub-paragraph was deleted in July 2021];
                      (c) [This sub-paragraph was deleted in July 2021];
                      (d) [This sub-paragraph was deleted in July 2021].
                      Deleted: July 2021
                      Added: December 2018

                  • Independence of elements of strong authentication

                    • OB-2.2.4

                      [This Paragraph was deleted in July 2021].

                      (a) [This sub-paragraph was deleted in July 2021];
                      (b) [This sub-paragraph was deleted in July 2021];
                      (c) [This sub-paragraph was deleted in July 2021].
                      Deleted: July 2021
                      Added: December 2018

                    • OB-2.2.5

                      [This Paragraph was deleted in July 2021].

                      Deleted: July 2021
                      Added: December 2018

                    • OB-2.2.6

                      [This Paragraph was deleted in July 2021].

                      (a) [This sub-paragraph was deleted in July 2021];
                      (b) [This sub-paragraph was deleted in July 2021].
                      Deleted: July 2021
                      Added: December 2018

                  • Confidentiality and Integrity of Personalised Security Credentials

                    • OB-2.2.7

                      AISPs and PISPs must ensure that the creation of personalised security credentials is performed in a secure environment. AISPs and PISPs must mitigate the risks of unauthorised use of the personalised security credentials and of the authentication devices and software due to their loss, theft or copying before their delivery to the payer.

                      Added: December 2018

                    • OB-2.2.8

                      AISPs and PISPs must ensure the confidentiality and integrity of the personalised security credentials of the customer, including authentication codes, during all phases of authentication including display and transmission.

                      Added: December 2018

                    • OB-2.2.9

                      For the purpose of Paragraph OB-2.2.8, AISPs and PISPs must ensure that each of the following requirements are met:

                      (a) personalised security credentials are masked when displayed and not readable in their full extent when input by the customer during the authentication;
                      (b) personalised security credentials in data format, as well as cryptographic materials related to the encryption of the personalised security credentials are not stored in plaintext;
                      (c) secret cryptographic material is protected from unauthorised disclosure.
                      Added: December 2018

                    • OB-2.2.10

                      PISPs and AISPs must ensure that only the customer is associated with the personalised security credentials, with the authentication devices and the software in a secure manner.

                      Added: December 2018

                  • Security of Communication Sessions

                    • OB-2.2.11

                      AISPs and PISPs must ensure that any communication session established with the customer, and other entities, including merchants, relies on each of the following:

                      (a) a unique identifier of the session;
                      (b) security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data; and
                      (c) timestamps which shall be based on a unified time-reference system and which shall be synchronised according to an official time signal.
                      Added: December 2018

                    • OB-2.2.12

                      AISPs and PISPs must rely on qualified certificates for electronic seals for identification of the different parties for communication between parties.

                      Added: December 2018

                    • OB-2.2.13

                      AISPs and PISPs must ensure that the risks against misdirection of communication to unauthorised parties in mobile applications and other customers' interfaces offering electronic payment services are effectively mitigated.

                      Added: December 2018

                    • OB-2.2.14

                      AISPs and PISPs must ensure that, when exchanging data via the internet, secure encryption, using strong and widely recognised encryption techniques, is applied between the communicating parties throughout the respective communication session in order to safeguard the confidentiality and the integrity of the data, using strong and widely recognised encryption techniques.

                      Added: December 2018

                    • OB-2.2.15

                      AISPs and PISPs must keep the access sessions offered by the licensee maintaining customer account, as short as possible and they shall actively terminate the session with the relevant licensee maintaining customer account as soon as the requested action has been completed.

                      Added: December 2018

                    • OB-2.2.16

                      When maintaining parallel network sessions with the bank licensees, AISPs and PISPs must ensure that those sessions are securely linked to relevant sessions established in order to prevent the possibility that any message or information communicated between them could be misrouted.

                      Added: December 2018

                    • OB-2.2.17

                      AISPs and PISPs, with the licensee maintaining customer accounts must include unambiguous reference to each of the following items:

                      (a) the customer or users and the corresponding communication session in order to distinguish several requests from the same customer or users;
                      (b) for payment initiation services, the uniquely identified payment transaction initiated;
                      (c) For confirmation on the availability of funds, the uniquely identified request related to the amount necessary for the execution of transaction.
                      Added: December 2018

                    • OB-2.2.18

                      AISPs and PISPs must ensure that where they communicate personalised security credentials and authentication codes, these are not readable by any staff at any time. In case of loss of confidentiality of personalised security credentials under their sphere of competence, PISPs and AISPs must inform without undue delay the customer associated with them and the issuer of the personalised security credentials.

                      Added: December 2018

                    • OB-2.2.19

                      AISPs must have in place suitable and effective mechanisms that prevent access to information other than from designated payment accounts and associated payment transactions, in accordance with the customer's explicit consent.

                      Added: December 2018

                    • OB-2.2.20

                      PISPs must provide the licensees maintaining customer accounts with the same information requested from the customer when initiating the payment transaction directly, unless the collection of additional information for the purposes of the provision of the payment initiation service is agreed otherwise between PISP, payer, and the licensee maintaining customer accounts.

                      Added: December 2018

                • OB-2.3 OB-2.3 Payment Transactions

                  • Consent to Initiate Payment Transactions

                    • OB-2.3.1

                      A payment transaction is to be regarded as having been authorised by the payer for the purposes of this Module only if the payer has given its consent to:

                      (a) the execution of the payment transaction; or
                      (b) the execution of a series of payment transactions of which that payment transaction forms part.
                      Added: December 2018

                    • OB-2.3.2

                      For the purpose of Paragraph OB-2.3.1, such consent must be given in the form, and in accordance with the procedure, agreed between the licensee maintaining the customer account, the payer and the PISP and may be given via the payee or a PISP.

                      Added: December 2018

                    • OB-2.3.3

                      PISP must ensure that the payer can withdraw its consent to a payment transaction at any time before the point at which the payment order can no longer be revoked under the terms of the framework contract with the customer.

                      Added: December 2018

                    • OB-2.3.4

                      The customer may withdraw its consent to the execution of a series of payment transactions at any time with the effect that any future payment transactions are not regarded as authorised for the purposes of this section.

                      Added: December 2018

                  • Limits on Payment Transactions

                    • OB-2.3.5

                      The PISP may agree on payment transaction limits based on its own discretion or on account of the following limitations:

                      (a) limits imposed by the CBB from time to time;
                      (b) limits imposed by any of the licensees; and/or
                      (c) limits imposed based on customer request.
                      Added: December 2018

                    • OB-2.3.6

                      Subject to the framework contract, a PISP has the right to stop the use of a payment instrument on reasonable ground relating to:

                      (a) the security of the payment instrument; or
                      (b) the suspected unauthorised or fraudulent use of the payment instrument.
                      Added: December 2018

                    • OB-2.3.7

                      PISPs must ensure that a customer to whom a payment instrument has been issued must keep safe the personalised security credentials and must:

                      (a) use it in accordance with the terms and conditions governing such use; and
                      (b) notify the PISP in an agreed manner and without undue delay on becoming aware of the loss, theft, misappropriation or unauthorised use of the payment instrument.
                      Added: December 2018

                  • Fees and charges

                    • OB-2.3.8

                      The AISPs and PISPs may charge fees and charges which reasonably corresponds to the AISP’s or PISP’s costs, as the case may be, which must be explicitly agreed in the framework contract.

                      Amended: July 2021
                      Added: December 2018

                • OB-2.4 OB-2.4 Technology Related Requirements

                  • OB-2.4.1

                    AISPs and PIPSs must adhere to the Operational Guidelines, Security Standards and Guidelines, Open Banking Application Program Interface (API) Specifications and Customer Journey Guidelines included in Bahrain Open Banking Framework “BOBF” (See CBB website) for the use cases defined in the BOBF. Where licensees have arrangements to obtain access to customer account information or initiate payments for use cases not defined in BOBF, they must develop API Specifications, Customer Journeys and Operational Guidelines consistent with the Security Standards and Guidelines in BOBF.

                    Amended: September 2024
                    Amended: July 2021
                    Added: December 2018

                  • OB-2.4.2

                    AISPs, PISPs must ensure that compliance with standards and guidelines specified in Paragraph OB-2.4.1 is subject to independent review and tests, including testing in a test environment, by an independent consultant upon implementation.

                    Amended: July 2021
                    Added: December 2018

                  • OB-2.4.3

                    AISPs and PISPs that offer services directly to end user customers must ensure that the technology solution provided to their customers is easily accessible (e.g. website, IOS/Android/Microsoft Windows standalone application or other platform).

                    Amended: January 2024
                    Added: July 2021

            • CFP CFP Crowdfunding Platform Operators Module

              • CFP-A CFP-A Introduction

                • CFP-A.1 CFP-A.1 Purpose and Scope

                  • CFP-A.1.1

                    This Module sets out the Central Bank of Bahrain’s (CBB) regulations applicable to financing-based and equity-based offers on crowdfunding platforms and to crowdfunding platform operators. Reward-based or donation-based crowdfunding models are excluded from the scope of this Module. The authorisation requirements for crowdfunding platform operators undertaking regulated ancillary services in the Kingdom of Bahrain are stipulated in the Authorisation Module (Module AU) of CBB Rulebook - Volume 5. Crowdfunding platform operators are also subject to ongoing provisions contained in this Module and the following modules of CBB Rulebook Volume 5:

                    (a) Common Modules: Principles of Business Module, Auditors and Accounting Standards Module, Financial Crime Module, Enforcement Module (Modules PB, AA, FC and EN)
                    (b) CBB Reporting Requirements Module (Module BR);
                    (c) General Requirements Module (Module GR); and
                    (d) High-Level Controls Module (Module HC).
                    Added: April 2022

                  • CFP-A.1.2

                    Crowdfunding platform operator refers to a person licensed by the CBB to operate a platform through an online portal, on which funding to businesses (Person to Business – P2B) and (Business to Business – B2B) are allowed. Licensees may also host income producing real estate on the platform which can include both residential and commercial properties.

                    Added: April 2022

                  • CFP-A.1.3

                    Crowdfunding generally involves the raising of funds usually through an online portal or other electronic media from a large number of people who make relatively small financial contributions to the fund raising. The CBB recognises both conventional and sharia complaint crowdfunding business models. The crowdfunding platform operator may operate either one or both of the following models:

                    1. Financing-based crowdfunding: people or businesses (lenders) lend money to businesses (borrowers) hosted on the platform in return for interest/profit and repayment of principal over a pre-specified period.
                    2. Equity-based crowdfunding: businesses (issuers) raise capital through issuance of ordinary shares, or other equity instruments like preferred shares, and people or business (investors) invest in these instruments in return for dividends, capital appreciation etc.
                    Added: April 2022

                  • CFP-A.1.4

                    For the purposes of this Module, equity crowdfunding offers exclude financial instruments such as SAFE agreements (Simple Agreement for Future Equity) or similar products which has conversion features contingent on certain pre-determined conditions being met.

                    Added: April 2022

                  • Legal Basis

                    • CFP-A.1.5

                      This Module contains the CBB’s Directive, Regulation and Resolutions (as amended from time to time) applicable to crowdfunding platform operators under Volume 5 of the CBB Rulebook. It is issued under the powers available to the CBB under Articles 37 to 42, 44 to 48 and 180 of the Central Bank of Bahrain and Financial Institutions Law 2006 (‘CBB Law’).

                      Added: April 2022

                • CFP-A.2 CFP-A.2 Module History

                  • Evolution of Module

                    • CFP-A.2.1

                      This Module was first issued in xx 2022 as part of Volume 5 (Specialised Licensees). Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      Added: April 2022

                    • CFP-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      CFP-1.3.2(d) 07/2022 Deleted Subparagraph.

              • CFP-1 CFP-1 Operating Requirements

                • CFP-1.1 CFP-1.1 Platform Offers & Disclosures

                  • CFP-1.1.1

                    Crowdfunding platform operators must prominently display on their website the following:

                    (a) A general risk warning;
                    (b) Details of how and by whom the operator is remunerated for the service it provides, including fees and charges it imposes on lenders/investors and borrowers/issuers;
                    (c) For financing-based crowdfunding: the actual default rates as a percentage of loans entered into on the platform and the number and aggregate value of loans in default; and
                    (d) For equity-based crowdfunding: the actual failure rate of issuers who use the platform.
                    (e) The offering statement for each crowdfunding offer which must disclose any conflicts of interest (as required by Chapter 2); and
                    (f) Information on rights of clients relating to participation in crowdfunding offer, including right to withdraw commitments, lodging complaints and any voting rights.
                    Added: April 2022

                  • CFP-1.1.2

                    A crowdfunding offer is open from the time when it is first published on the platform and must be closed on the closing date or at the earliest of the following:

                    (a) Three months after the offer is made, unless a specific approval has obtained from the CBB;
                    (b) When the offer is fully subscribed (unless over-subscription is allowed); and
                    (c) When the borrower/issuer making the offer withdraws the offer;
                    Added: April 2022

                  • CFP-1.1.3

                    A crowdfunding offer must be withdrawn by the crowdfunding platform operator if it has material concerns regarding the crowdfunding borrower/issuer or it becomes aware of any information that indicates the offer is misleading, fraudulent, deceptive.

                    Added: April 2022

                  • CFP-1.1.4

                    A crowdfunding borrower/issuer is subject to the following limits in respect of crowdfunding:

                    (a) Financing-based crowdfunding offers must be less than or equal to BD 500,000 in aggregate, per borrower, within a 12-month period, except where the funding raised is to be used for a Government of Bahrain led initiative/project. Additionally, the tenor of loans must not exceed 5 years; and
                    (b) Equity-based crowdfunding offers must be less than or equal to BD 250,000, per issuer, (or BD 500,000 in respect of equity crowdfunding issuers who qualify as entities engaged in real estate projects) within a 12-month period.
                    Added: April 2022

                  • CFP-1.1.5

                    The minimum subscription to be received in a crowdfunding offer must not be less than 80% of the crowdfunding offer size.

                    Added: April 2022

                  • CFP-1.1.6

                    Crowdfunding platform operators must provide users the following information upon on-boarding:

                    (a) The process for the offering of loans or equity through the platform and the risks associated with lending or investing in crowdfunding offers;
                    (b) The limits on raising funds applicable on borrowers/issuers;
                    (c) The right of retail clients to withdraw their commitments within 5 working days from the time the commitment is made;
                    (d) The existence or non-existence of a secondary market;
                    (e) The due-diligence process of the platform for hosting a borrower/issuer; and
                    (f) Whether there will be an ongoing relationship between the platform and the borrower/issuer following the closing of an offer.
                    Added: April 2022

                  • CFP-1.1.7

                    Crowdfunding platform operators must additionally display on their website key information on how their platform operates, including:

                    (a) The eligibility criteria for borrowers/lenders and issuers/investors that use the platform;
                    (b) Arrangements and safeguards for client money held or controlled by the operator, including details of any legal arrangements (such as nominee accounts) that may be used to hold client money;
                    (c) What will happen if loans sought by a borrower or funds sought by an issuer either fail to meet, or exceed, the target level;
                    (d) Steps the operator will take and the rights of the relevant parties if there is a material change in a borrower’s or an issuer’s circumstances;
                    (e) How the operator will deal with overdue payments or a default by a borrower or failure of an issuer; and
                    (f) Which jurisdiction’s laws will govern the financing agreement.
                    Added: April 2022

                  • CFP-1.1.8

                    Crowdfunding platform operators must provide on their platform a user-friendly facility to allow investors/lenders to make their bid to crowdfunding offers. Such bids may only be made during the period a crowdfunding offer is available for investment/lending. Licensees must also provide on their platform a facility for communication among the investors/lenders, borrowers/issuers and the crowdfunding platform operator (e.g. an online forum).

                    Added: April 2022

                  • CFP-1.1.9

                    Crowdfunding platform operators must allot/allocate shares, in accordance with the allotment basis stipulated in the equity crowdfunding offering statement, within 7 working days from closing date.

                    Added: April 2022

                  • CFP-1.1.10

                    Crowdfunding platform operators must not advertise a specific crowdfunding offer hosted on its platform or make any public statements that are reasonably likely to induce people to fund a particular crowdfunding offer. This requirement does not prevent an operator from generally promoting its platform to potential clients, provided it does not advertise a specific offer.

                    Added: April 2022

                  • CFP-1.1.11

                    Crowdfunding platform operators must have in place effective and transparent procedures for the prompt, fair and consistent handling of complaints received from clients in accordance with Section GR-10 of GR Module and publish the procedures on their websites.

                    Added: April 2022

                  • CFP-1.1.12

                    For the purposes of this module, commercial entities incorporated in the Kingdom of Bahrain or incorporated in an overseas jurisdiction that is not a UN sanctioned, non-cooperative or high-risk jurisdiction are eligible to be hosted on crowdfunding platform operator, except the following:

                    (a) Financial institutions;
                    (b) Public-listed companies; and
                    (c) Holding company structures and non-operative special purposes vehicles (SPVs).
                    Added: April 2022

                  • Offers to Retail Clients

                    • CFP-1.1.13

                      Crowdfunding platform operators, upon onboarding retail clients, must undertake a suitability and appropriateness assessment to gauge the client’s knowledge, experience, financial situation (including the client’s ability to bear losses) and the client’s understanding of risks associated with crowdfunding by seeking information from the lender/investor.

                      Added: April 2022

                    • CFP-1.1.14

                      Crowdfunding platform operators must ensure that each retail client completes a self-declaration form before the client is allowed to use the platform which must include the following acknowledgements:

                      (a) that the client understands the risks involved in crowdfunding;
                      (b) that the client will only commit money that the client can afford to lose;
                      (c) that the client understands the potential to lose part or all of his investment made on the platform;
                      (d) that the client may face difficulties in exiting his investments made on the platform; and
                      (e) that the client is aware that the crowdfunding offer has neither been reviewed nor approved by the CBB.
                      Added: April 2022

                    • CFP-1.1.15

                      Crowdfunding platform operators must provide retail clients unconditional right to withdraw their commitment to lend or invest in a crowdfunding offer within 5 working days from the time the commitment is made. No fee or penalty must be charged to such persons if a commitment is withdrawn.

                      Added: April 2022

                • CFP-1.2 CFP-1.2 Managing Conflicts of Interest

                  • CFP-1.2.1

                    Crowdfunding platform operators must not participate in any crowdfunding offer hosted on their platform.

                    Added: April 2022

                  • CFP-1.2.2

                    Crowdfunding platform operators must maintain and operate effective internal rules to prevent conflicts of interest. Licensees must take appropriate steps to prevent, identify, and manage conflicts of interest between their shareholders, their managers or employees, or any natural or legal person linked to them by control and their clients, or between one client and another client. Licensees must disclose to their clients the general nature and sources of conflicts of interest and the steps taken to mitigate them.

                    Added: April 2022

                  • CFP-1.2.3

                    Crowdfunding platform operators must not accept the following persons as borrowers/issuers on their crowdfunding platform:

                    (a) Shareholders that hold 20% or more of share capital or voting rights of the platform;
                    (b) Managers or employees of the platform; and
                    (c) Any natural or legal persons linked to those shareholders, managers or employees by control.
                    Added: April 2022

                  • CFP-1.2.4

                    Crowdfunding platform operators that accept as investors/lenders any of the persons referred to in Subparagraphs CFP-1.2.3 (a), (b) and (c) in their crowdfunding offers must fully disclose on their website the fact that they accept such persons as investors/lenders and information on the specific crowdfunding projects invested in. Licensees must ensure that such crowdfunding offers are funded under the same conditions as those of other investors/lenders and that persons under (a), (b) and (c) do not enjoy any preferential treatment or privileged access to information.

                    Added: April 2022

                  • CFP-1.2.5

                    Crowdfunding platform operators must not provide direct or indirect financial assistance to lenders/investors to lend or invest in a crowdfunding borrower/issuer hosted on its platform.

                    Added: April 2022

                  • CFP-1.2.6

                    Crowdfunding platform operators must not provide advice on the crowdfunding offers hosted on their platform. The existence of filtering tools on the platform is not regarded as advice if such tools provide information to clients in an objective and neutral manner that does not constitute a recommendation. Such tools include those that display results based on criteria relating to purely objective product features. Objective product features in this context could be pre-defined project criteria such as the economic sector, the instrument used and the interest rate, or the risk category where sufficient information regarding the calculation method is disclosed. Similarly, key financial figures calculated without any scope for discretion are also considered to be objective criteria.

                    Added: April 2022

                • CFP-1.3 CFP-1.3 Due-diligence of crowdfunding borrowers/issuers

                  • CFP-1.3.1

                    Crowdfunding platform operators must conduct due-diligence of crowdfunding borrowers/issuers which includes at minimum procedures to confirm the following:

                    (a) The identity of the company through its commercial registration (or Legal Entity Identifier where relevant) and its registered office and principal place of business;
                    (b) The identity and place of domicile of the company’s owners and key management personnel;
                    (c) That the borrower/issuer and its key personnel have no criminal record in respect of local laws in the fields of commercial law, insolvency law, financial services law, anti-money laundering law, fraud law or professional liability obligations;
                    (d) That the borrower/issuer is not established in a UN sanctioned or non-cooperative jurisdiction or in a high-risk country;
                    (e) The borrower/issuer’s current state and past performance, credit history and business valuation (where relevant);
                    (f) That the business is being operated in accordance with applicable laws (in the case of overseas crowdfunding borrowers/issuers a confirmation that the overseas jurisdiction allows hosting of businesses on crowdfunding platforms of other jurisdictions); and
                    (g) That the crowdfunding offering statement provided by the borrower/issuer is complete and not misleading.
                    Added: April 2022

                  • CFP-1.3.2

                    Crowdfunding platform operators that allow real estate crowdfunding on their platforms must undertake the following due-diligence prior to hosting a real estate crowdfunding offer:

                    (a) Confirm that the offer is for an income producing property and not a new development or construction project;
                    (b) Confirm the identity of the seller, including, if it is a body corporate, details of its incorporation and business registration;
                    (c) Ensure that the seller holds valid legal title to the property; and
                    (d) This Subparagraph was deleted in July 2022;
                    (e) Obtain a valuation report from the crowdfunding borrower/issuer provided by an independent, professional and reputable valuer.
                    Amended: July 2022
                    Added: April 2022

                • CFP-1.4 CFP-1.4 Client Money

                  • CFP-1.4.1

                    Crowdfunding platform operators must hold client money, securities or other client assets, separate from its own and are not subject to any lien or other restrictions. Client money must be kept in a client bank account with a retail bank in the Kingdom of Bahrain. Licensees must designate a separate bank account (or sub-account) for each crowdfunding offer. Licensees must establish systems and controls for handling of securities, money or other assets, including maintaining up-to-date records of client assets held.

                    Added: April 2022

                  • CFP-1.4.2

                    Crowdfunding platform operators must appoint their external auditors or independent third-party audit firm to perform an audit on client assets and the licensee’s procedures for handling client assets. The objectives of the audit must include:

                    (a) Ensuring that client assets are properly segregated and not comingled with the licensee’s own assets (as per Paragraph CFP-1.4.1);
                    (b) The licensee has established and implemented adequate internal control procedures and systems to ensure client assets are always segregated;
                    (c) Client assets are not used for purposes other than for crowdfunding arrangements; and
                    (d) Fraud risks are adequately controlled and mitigated.
                    Added: April 2022

                  • CFP-1.4.3

                    Funds raised must be released to the issuer within one business day of registering the shares in the share register. In case of financing-based crowdfunding, the money must be released to the borrower within one business day of the completion of fund raising. In all cases, client money may only be released if the criteria for raising the funds has been met i.e. the minimum amount required in the offering statements has been met and there has not been any material adverse change to the crowdfunding offer.

                    Added: April 2022

                  • CFP-1.4.4

                    Crowdfunding platform operators must have mechanisms in place to refund the money to lenders/investors within 7 working days if:

                    (a) due to any reason the crowdfunding offer is withdrawn by the platform;
                    (b) the subscription amount is less than the minimum required in accordance with the offering statement; or
                    (c) the offer is oversubscribed, and the platform does not allow oversubscription.
                    Added: April 2022

                • CFP-1.5 CFP-1.5 Secondary Market

                  • CFP-1.5.1

                    Crowdfunding platform operators that operate a secondary over-the-counter market to facilitate transfers of client’s holdings of financings/shares must ensure that only crowdfunding offers hosted and successfully funded through their platforms are permitted to be hosted on the secondary market.

                    Added: April 2022

                  • CFP-1.5.2

                    The secondary market must not consist of an internal matching system which executes client orders on a multilateral basis unless the licensee has obtained approval from the CBB.

                    Added: April 2022

                  • CFP-1.5.3

                    Crowdfunding platform operators that operate a secondary market must ensure that financings or equity securities hosted on the secondary market include all the information that was required to be disclosed in the initial crowdfunding offer and include up to date information on the performance of the borrowers and issuers.

                    Added: April 2022

                  • CFP-1.5.4

                    Crowdfunding platform operators must have in place mechanisms to transfer ownership of issuer shares in a timely manner through the use of third-party registrars where relevant.

                    Added: April 2022

                • CFP-1.6 CFP-1.6 Other Operating Requirements

                  • CFP-1.6.1

                    A financing-based crowdfunding platform operator must become a member of the Bahrain Credit Reference Bureau.

                    Added: April 2022

                  • CFP-1.6.2

                    Crowdfunding platform operators must ensure that the terms and conditions for the arrangements between the relevant parties to the crowdfunding offer are legally enforceable. Such terms must include the following details:

                    (a) For financing-based crowdfunding offers, details of the borrowing, tenor, terms of repayment, the nature and frequency of reporting of performance by the borrower to the lender;
                    (b) For equity-based crowdfunding offers, the amount of shares offered, the nature of the shares, and the price;
                    (c) The duties, rights and obligations of the crowdfunding platform operator, borrower/issuer and lender/investor, including legal remedies.
                    Added: April 2022

                  • CFP-1.6.3

                    A financing-based crowdfunding platform operator that hosts sharia-compliant financing offers, must ensure that such facilities are based on Sharia-compliant financing contracts such as Murabaha, Ijarah, Salam, Istisna’a, etc. Licensees hosting sharia-compliant facilities must make an arrangement with one independent Sharia Scholar to monitor, review and verify that the crowdfunding transactions, including documentation and structuring are in full compliance with Sharia rules and principles. The Sharia Scholar to be appointed must fulfil the eligibility criteria outlined in the CBB’s Sharia Governance Module of Volume 2.

                    Added: April 2022

                  • CFP-1.6.4

                    Crowdfunding platform operators must not host a crowdfunding borrower/issuer that is concurrently hosted on other crowdfunding platforms.

                    Added: April 2022

              • CFP-2 CFP-2 Obligations of the borrower/issuer

                • CFP-2.1 CFP-2.1 General Requirements

                  • CFP-2.1.1

                    Crowdfunding borrowers and issuers must provide the minimum information required in this Section in their crowdfunding offer statements and disclosures provided on the platform. The information must be worded and presented in a ‘clear, concise and effective’ manner and must not be misleading or deceptive.

                    Added: April 2022

                  • CFP-2.1.2

                    The minimum information required in crowdfunding offer statement, includes:

                    (a) General risk warning about crowdfunding:
                    1. crowdfunding is risky, companies using this facility include new or rapidly growing ventures and lending or investment in these types of ventures is speculative and carries high risks;
                    2. you may lose your entire investment, and you should be in a position to bear this risk without undue hardship; and
                    3. for equity crowdfunding offers: the value of your investment and any return on the investment could be reduced if the company issues more shares. Your investment is unlikely to be liquid which means you are unlikely to be able to sell your shares quickly or at all.
                    (b) Information about the company (i.e. the borrower or issuer):
                    1. company details: identity and legal form;
                    2. business nature and organisational structure;
                    3. main risks associated with the business, products, industry/sector/geography, legal/regulatory concerns;
                    4. ownership capital structure;
                    5. financial statements (audited statements for existing companies required to conduct audit as per local laws, and projected financial statements);
                    6. key financial ratios;
                    7. directors and senior managers;
                    8. contact details; and
                    9. details of convictions, penalties or administrative actions against the company and its directors or senior managers.
                    (a) Information about the offer:
                    1. details of the financing facility, interest/profit rates, maturity, payment terms, guarantee/collateral etc. (for financing crowdfunding offers);
                    2. the rights associated with the shares on offer (e.g. voting and dividends), their custody and registration arrangements and buyback commitments (for equity crowdfunding offers);
                    3. the offer period, the offer size, the maximum subscription under the offer and the basis for allotment;
                    4. how the funds raised will be used;
                    5. Any situations of actual or potential conflict of interest involving the direct and indirect interest of a director, substantial shareholder etc.
                    (b) Information about investor rights:
                    1. the right of retail clients to withdraw commitments;
                    2. the availability of a communication facility on the platform and other methods to contact the company; and
                    3. the applicable reporting and corporate governance obligations in accordance with the law.
                    Added: April 2022

                  • CFP-2.1.3

                    Crowdfunding borrowers and issuers must also inform the lenders/investors, where relevant, about the use of an SPV for raising the funds and any impact on the lenders/investors rights.

                    Added: April 2022

                  • CFP-2.1.4

                    For real estate crowdfunding offers, the following additional information must be disclosed:

                    (a) details about the property, including its location and condition, and whether it is currently rented;
                    (b) details about the seller’s legal title to the property such as whether it is freehold, leasehold and whether the seller is able to sell the property free of any encumbrance;
                    (c) whether the property requires renovation or other work before it can be let;
                    (d) the independent valuation report on the property;
                    (e) the estimated annual charges and expenses relating to the property; and
                    (f) the estimated annual rental income on the property.
                    Added: April 2022

                  • CFP-2.1.5

                    The crowdfunding offers must clearly state that the borrowers/issuers and the information provided have not been reviewed or approved by the CBB.

                    Added: April 2022

                  • CFP-2.1.6

                    The crowdfunding borrowers and issuers must not advertise their crowdfunding offers outside the platform. This requirement does not prevent the borrowers/issuers to refer people to the home page of the platform.

                    Added: April 2022

                  • CFP-2.1.7

                    A crowdfunding issuer that has successfully completed its fundraising exercise on the crowdfunding platform must ensure that there is effective, transparent and regular communication with its crowdfunding participants including providing regular updates on the progress of the business of the issuer and the issuer’s financial position.

                    Added: April 2022

          • Reporting Requirements

            • BR BR Ancillary Service Providers CBB Reporting Requirements Module

              • BR-A BR-A Introduction

                • BR-A.1 BR-A.1 Purpose

                  • Executive Summary

                    • BR-A.1.1

                      This Module sets out requirements applicable to ancillary service provider licensees regarding reporting to the CBB. These include the provision of financial information to the CBB by way of prudential returns, as well as notification to the CBB of certain specified events, some of which require prior CBB approval. This Module also outlines the methods used by the CBB in gathering information required in the supervision of ancillary service provider licensees.

                      April 2016

                    • BR-A.1.2

                      This Module provides support for certain other parts of the Rulebook, mainly:

                      (a) Principles of Business;
                      (c) Risk Management (to be issued);
                      (d) Financial Crime;
                      (e) High-Level Controls (to be issued); and
                      (f) Auditors and Accounting Standards.
                      April 2016

                    • BR-A.1.3

                      Unless otherwise stated, all reports referred to in this Module should be addressed to the Director of relevant supervision directorate of the CBB.

                      April 2016

                  • Legal Basis

                    • BR-A.1.4

                      This Module contains the CBB's Directive relating to reporting requirements applicable to ancillary service provider licensees and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 and its amendments ('CBB Law').

                      April 2016

                    • BR-A.1.5

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      April 2016

                • BR-A.2 BR-A.2 Module History

                  • Evolution of Module

                    • BR-A.2.1

                      This Module was first issued in April 2016. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made: UG-3 provides further details on Rulebook maintenance and version control.

                      April 2016

                    • BR-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref.Change DateDescription of Changes
                      BR-1.404/2017Added a new Section on Onsite Inspection Reporting.
                      BR-2.2.612/2018Amended sub-paragraphs (a) & (b).
                      BR-1.1.1A10/2019Added a new Paragraph on disclosure of financial penalties.
                      BR-2.3.601/2020Amended Paragraph.
                      BR-1.1.607/2020Added a new Paragraph on audited clients money report.
                      BR-1.1.601/2021Amended Paragraph on audited clients money report.
                      BR-1.1.701/2021Added a new Paragraph on audited clients money.
                      BR-1.4.201/2022Amended Paragraph on the submission of the written assessment of the observations/issues raised in the Inspection draft report.
                      BR-1.504/2022Added a new Section on other reporting requirements.
                      BR-2.3.701/2023Amended Paragraph based on the new outsourcing requirements.
                      BR-1.1.604/2023Amended Paragraph on client money requirements.
                      BR-1.1.704/2023Moved Paragraph to GR-15.1.5.
                      BR-2.2.1707/2023Amended Paragraph on notification to the CBB of any new products or services with added cost.
                      BR-1.5.205/2024Added a new Paragraph on report submission requirements of AISPs and PISPs.

                  • Superseded Requirements

                    • BR-A.2.3

                      This Module supersedes the following provisions contained in circulars or other regulatory instruments:

                      Circular / other reference Subject
                      Standard Conditions and Licensing Criteria for Providers of Ancillary Services to the Financial Sector Scope of license and licensing conditions.
                      April 2016

              • BR-B BR-B Scope of Application

                • BR-B.1 BR-B.1 Scope of Application

                  • BR-B.1.1

                    The content of this Module applies to all ancillary service provider licensees authorised in the Kingdom (thereafter referred to in this Module as licensees).

                    April 2016

              • BR-1 BR-1 Prudential Reporting

                • BR-1.1 BR-1.1 Annual Requirements

                  • BR-1.1.1

                    All licensees are required to submit to the CBB their annual audited financial statements within 3 months of their financial year end.

                    April 2016

                  • BR-1.1.1A

                    In accordance with Paragraphs EN-B.4.5 and EN-5.2.2, licensees must disclose in their annual audited financial statements the amount of any financial penalties paid to the CBB, together with a factual description of the reason(s) given by the CBB for the penalty. Licensees which fail to comply with this requirement will be required to make the disclosure in the annual audited financial statements of the subsequent year and will be subject to an enforcement action for non-disclosure.

                    Added: October 2019

                  • TPAs and PSPs

                    • BR-1.1.2

                      The notes to the financial statements must:

                      (a) For TPAs, contain complete names and addresses of all insurance companies or self-funded schemes outside Bahrain with which the TPA had a contract in effect during the preceding calendar year; and
                      (b) For PSPs, refer to the breakdown of clients' money and own funds.
                      April 2016

                    • BR-1.1.3

                      In addition to the statements required in Paragraph BR-1.1.1, licensees are required to submit to the CBB the following information within 3 months of their financial year end:

                      (a) The external auditor's management letter;
                      (b) A report on the licensee's close links as required under Paragraph GR-8.1.3;
                      (c) The licensee's group structure and the internal organisation chart;
                      (d) The report on controllers as required under Paragraph GR-7.1.10; and
                      (e) Any supplementary information as required by the CBB.
                      April 2016

                    • BR-1.1.4

                      TPAs must also submit to the CBB a breakdown of their sources of revenue within 3 months following the year end in accordance with Appendix BR-10, included under Part B Volume 5 of the CBB Rulebook.

                      April 2016

                    • BR-1.1.5

                      In accordance with the provisions of Section AA-4.1, the audited financial statements of the licensees must comply with the International Financial Reporting Standards (IFRS), and where applicable with the Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI).

                      April 2016

                    • BR-1.1.6

                      Payment Service Providers holding client money in the course of carrying out payment services must appoint independent auditors to perform an audit of client money every 6 months and submit the report to the CBB by 30th September for the 30th June report and 31st March for the 31st December report. The audit must be performed by the licensee’s external auditor or an independent third-party audit firm acceptable to the CBB. Such audit must be conducted to ensure full compliance with the requirements of Chapter GR-15, Client Money Requirements. Any non-compliance matters will be subject to an enforcement action, and in the case of recurring violations, revocation of license may be pursued.

                      Amended: April 2023
                      Amended: January 2021
                      Added: July 2020

                    • BR-1.1.7

                      [This Paragraph has been moved to Paragraph GR-15.1.5].

                      Amended: April 2023
                      Added: January 2021

                • BR-1.2 BR-1.2 Periodical Financial Statements

                  • BR-1.2.1

                    PSPs are required to submit to the CBB reviewed (unaudited) semi-annual financial statements (in the same format as their annual audited accounts) on a semi-annual basis, within two months of the date of these statements. Such statements must provide the breakdown of clients' money and own funds.

                    April 2016

                • BR-1.3 BR-1.3 IIS Reporting Requirements

                  • Institutional Information System (IIS)

                    • BR-1.3.1

                      All licensees are required to complete online non-financial information related to their institution by accessing the CBB's institutional information system (IIS). Licensees must update the required information at least on a quarterly basis or when a significant change occurs in the non-financial information included in the IIS. If no information has changed during the quarter, the licensee must still access the IIS quarterly and confirm that the information contained in the IIS is correct. Licensees must ensure that they access the IIS within 20 calendar days from the end of the related quarter and either confirm or update the information contained in the IIS.

                      April 2016

                    • BR-1.3.2

                      Licensees failing to comply with the requirements of Paragraph BR-1.3.1 or reporting inaccurate information may be subject to financial penalties or other enforcement action as outlined in Module (EN) Enforcement.

                      April 2016

                • BR-1.4 BR-1.4 Onsite Inspection Reporting

                  • BR.1.4.1

                    For the purpose of onsite inspection by the CBB, licensees must submit requested documents and completed questionnaires to the Inspection Directorate at the CBB three working days ahead of inspection team entry date.

                    Added: April 2017

                  • BR-1.4.2

                    Licensees must review the contents of the draft Inspection Report and submit to the Inspection Directorate at the CBB a written assessment of the observations/issues raised within fifteen working days of receipt of such report. Evidentiary documents supporting management’s comments must also be included in the response package.

                    Amended: January 2022
                    Added: April 2017

                  • BR-1.4.3

                    Licensees' board are required to review the contents of the Inspection Report and submit within one month, of the report issue date, a final response to such report along with an action plan addressing the issues raised within the stipulated timeline.

                    Added: April 2017

                  • BR-1.4.4

                    Licensees failing to comply with the requirements of Paragraphs BR-1.4.1 and BR-1.4.2 are subject to date sensitive requirements and other enforcement actions as outlined in Module (EN) Enforcement.

                    Added: April 2017

                • BR-1.5 BR-1.5 Other Reporting Requirements

                  • BR-1.5.1

                    Crowdfunding platform operators must provide the following information for each type of crowdfunding offer (i.e.financing-based or equity-based) within 30 days of each quarter end:

                    (a) The aggregate amount of offers as at the quarter end;
                    (b) The number of investors/lenders by client type (i.e. retail or accredited) as at the quarter end;
                    (c) The aggregate amount funds raised during the quarter;
                    (d) Successfully completed crowdfunding offers as at the quarter end;
                    (e) Unsuccessful crowdfunding offers as at the quarter end; and
                    (f) Total client money and assets held as at the quarter end.
                    Added: April 2022

                  • BR-1.5.2

                    AISPs/PISPs must submit the information required under Appendix OB-1 to the CBB within 2 weeks of each month end.

                    Added: September 2024

              • BR-2 BR-2 Notifications and Approvals

                • BR-2.1 BR-2.1 Introduction

                  • BR-2.1.1

                    All notifications and requests for approvals required in this Chapter are to be submitted by licensees in writing and signed by an authorised officer in accordance with Paragraph BR-2.2.11.

                    April 2016

                  • BR-2.1.2

                    Licensees are required to provide the CBB with a range of information to enable it to monitor the licensee's compliance with Volume 5 of the CBB Rulebook. Some of this information is provided through regular reports, whereas others are in response to the occurrence of a particular event (such as a change in name or address). The following Sections list the commonly occurring reports for which a licensee will be required to notify the CBB or seek its approval.

                    April 2016

                • BR-2.2 BR-2.2 Notification Requirements

                  • Matters Having a Serious Supervisory Impact

                    • BR-2.2.1

                      A licensee must notify the CBB if any of the following has occurred, may have occurred or may occur in the near future:

                      (a) The licensee failing to satisfy one or more of the Principles of Business referred to in Module PB;
                      (b) Any matter which could have a significant adverse impact on the licensee's reputation;
                      (c) Any matter which could affect the licensee's ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the licensee;
                      (d) Any matter in respect of the licensee that could result in material financial consequences to the financial system or to other licensees;
                      (e) A breach of any requirement imposed by law, regulation, directive or any other instruction issued by the CBB;
                      (f) If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way; or
                      (g) If the licensee intends to suspend any or all the licensed regulated services or ceases business, setting out how it proposes to do so and, in particular, how it will treat any of its liabilities (ref GR-9.1.2).
                      April 2016

                    • BR-2.2.2

                      The circumstances that may give rise to any of the events in Paragraph BR-2.2.1 are wide-ranging and the probability of any matter resulting in such an outcome, and the severity of the outcome, may be difficult to determine. However, the CBB expects licensees to properly consider all potential events and consequences that may arise from them.

                      April 2016

                    • BR-2.2.3

                      In determining whether an event that may occur in the near future should be notified to the CBB, a licensee should consider both the probability of the event happening and the severity of the outcome should it happen. Matters having a supervisory impact could also include matters relating to a controller that may directly or indirectly have an effect on the licensee.

                      April 2016

                  • Legal, Professional, Administrative or other Proceedings against a Licensee

                    • BR-2.2.4

                      A licensee must notify the CBB immediately of any legal, professional or administrative or other proceedings instituted against the licensee, controller of the licensee that is known to the licensee and is significant in relation to the licensee's financial resources or its reputation.

                      April 2016

                    • BR-2.2.5

                      A licensee must notify the CBB of the bringing of a prosecution for, or conviction of, any offence under any relevant law against the licensee or any of its approved persons.

                      April 2016

                  • Fraud, Errors and other Irregularities

                    • BR-2.2.6

                      A licensee must notify the CBB immediately if one of the following events arises:

                      (a) It becomes aware that a person, whether or not employed by it may have committed, or is acting with intent to commit fraud against its customers or itself;
                      (b) A major operational or security incident where the incident has or may have a major negative impact on the financial interests of its customers or other licensees, or itself;
                      (c) It identifies irregularities in its accounting or other records, whether or not there is evidence of fraud;
                      (d) It suspects that one of its employees may be guilty of serious misconduct concerning his honesty or integrity and which is connected with the licensee's regulated activities; or
                      (e) Conflicts of interest that may affect the operation of the licensee.
                      Amended: December 2018
                      April 2016

                    • BR-2.2.7

                      If the licensee may have suffered material financial losses as a result of the incident, or may suffer reputational loss, the CBB will wish to consider this and whether the incident is indicative of weaknesses in the licensee's internal controls.

                      April 2016

                  • Insolvency, Bankruptcy and Winding Up

                    • BR-2.2.8

                      Except in instances where the CBB has initiated the following actions, a licensee must notify the CBB immediately of any of the following events:

                      (a) The calling of a meeting to consider a resolution for winding up the licensee or a controller of the licensee;
                      (b) An application to dissolve a controller of the licensee;
                      (c) The presentation of a petition for the winding up of a controller of the licensee;
                      (d) The making of any proposals, or the making of, a composition or arrangement with any one or more of the licensee's creditors, for material amounts of debt;
                      (e) An application for the appointment of an administrator or trustee in bankruptcy to a controller of the licensee;
                      (f) The appointment of a receiver to the licensee or to a controller of the licensee (whether an administrative receiver or a receiver appointed over particular property); or
                      (g) An application against the licensee, a controller of the licensee under Part 10 of the CBB Law or the Bankruptcy and Composition Law of 1987 or similar legislation in another jurisdiction.
                      April 2016

                  • External Auditor

                    • BR-2.2.9

                      A licensee must notify the CBB of the following:

                      (a) Removal or resignation of its external auditor (ref. AA-1.2.1); or
                      (b) A change in the partner in charge of conducting the external audit. (Ref. AA-1.3.3).
                      April 2016

                  • Approved Persons

                    • BR-2.2.10

                      A licensee must notify the CBB of the termination of employment of any approved persons, including reasons for their termination and arrangements for replacing them (ref. AU-4.4.9).

                      April 2016

                  • Authorised Signatories

                    • BR-2.2.11

                      At the time of authorisation (when the license is granted) or whenever a change occurs, in order to maintain an up-to-date record of authorised signatories of respective ancillary service providers, the CBB requires all licensees to submit to the licensee's CBB supervisory point of contact a list of specimen signatures of the officials authorised to sign on behalf of the concerned licensee, together with, where appropriate, details of what they are authorised to sign for.

                      April 2016

                  • Capital Adequacy Requirements

                    • BR-2.2.12

                      In the event that a licensee fails to meet any of the requirements specified in Section AU-2.5 it must, on becoming aware that it has breached the requirements, immediately notify the CBB in writing.

                      April 2016

                    • BR-2.2.13

                      As specified in Article 58 of the CBB Law, a licensee must notify the CBB immediately of any matter that may affect its financial position, currently or in the future, or limit its ability to meet its obligations.

                      April 2016

                  • Outsourcing Arrangements

                    • BR-2.2.14

                      Licensees must immediately inform their normal supervisory contact at the CBB of any material problems or changes encountered with an outsourcing provider.

                      April 2016

                  • Controllers

                    • BR-2.2.15

                      If, as a result of circumstances outside the licensee's knowledge and/or control, a change in controllers is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB on the earlier of:

                      (a) The moment the change takes effect; or
                      (b) The moment the licensee becomes aware of the proposed change (ref. GR-7.1.6).
                      April 2016

                    • BR-2.2.16

                      A licensee must notify the CBB of any event as specified under Article 52 of the CBB Law.

                      April 2016

                  • Introduction of New or Expanded Customer Products and Facilities

                    • BR-2.2.17

                      All licensees are required to notify the CBB before the introduction of any new products or services or any changes in existing product/service that will have an additional financial cost to the customers. The CBB will respond to the concerned licensee within one week of receipt of the notification if it has any observations on the new application.

                      Amended: July 2023
                      April 2016

                • BR-2.3 BR-2.3 Approval Requirements

                  • Change of Address

                    • BR-2.3.1

                      As specified in Article 51 of the CBB Law, a licensee must seek approval from the CBB and give reasonable advance notice of a change in the address of the licensee's principal place of business in Bahrain.

                      April 2016

                    • BR-2.3.2

                      The request under Paragraph BR-2.3.1 must include the details of the proposed new address and the date on which the licensee intends to use the new address.

                      April 2016

                  • Change in Legal Status

                    • BR-2.3.3

                      A licensee must seek CBB approval and give reasonable advance notice of a change in its legal status that may, in any way, affect its relationship with or limit its liability to its customers.

                      April 2016

                  • Change in Paid-up and/or Issued Capital

                    • BR-2.3.4

                      As specified in Article 57(3) of the CBB Law, a licensee must seek CBB prior approval before making any modification to its issued and/or paid-up capital.

                      April 2016

                  • Controllers

                    • BR-2.3.5

                      In accordance with Section GR-7.1, licensees must seek CBB prior approval and give reasonable advance notice of any of the following events:

                      (a) A person acquiring control or ceasing to have control of the licensee;
                      (b) An existing controller acquiring an additional type of control (such as ownership or significant influence) or ceasing to have a type of control of the licensee;
                      (c) An existing controller increasing the percentage of shares or voting power of the licensee; and
                      (d) An existing controller becoming or ceasing to be a parent undertaking of the licensee.
                      April 2016

                  • Mergers, Acquisitions and Disposals of Assets and Liabilities

                    • BR-2.3.6

                      A licensee incorporated in Bahrain must seek CBB prior approval and give reasonable advance notice of its intention to enter into a:

                      (a) Merger with another undertaking;
                      (b) Proposed acquisition or disposal of all or a major part of assets and liabilities, inside or outside the Kingdom; or
                      (c) Modify its memorandum or articles of association.
                      Amended: January 2020
                      Added: April 2016

                  • Outsourcing Arrangements

                    • BR-2.3.7

                      [This Paragraph was deleted in January 2023].

                      Deleted: January 2023
                      April 2016

                  • Other Matters Having a Supervisory Impact

                    • BR-2.3.8

                      A licensee must seek prior approval from the CBB for any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs after authorisation has been granted.

                      April 2016

                  • External Auditor

                    • BR-2.3.9

                      A licensee must seek prior approval from the CBB for the appointment or re-appointment of its external auditor (ref. AU-2.7.1 and AA-1.1.1).

                      April 2016

                  • Dividend Distribution

                    • BR-2.3.10

                      Licensees, must obtain the CBB's prior written approval to any dividend proposed to be distributed to the shareholders, in accordance with Chapter GR-6.

                      April 2016

                  • Approved Persons

                    • BR-2.3.11

                      A licensee must seek prior approval from the CBB for the appointment of persons undertaking a controlled function (ref. Article 65 of the CBB Law, AU-1.3 and AU-4.3.1).

                      April 2016

                    • BR-2.3.12

                      Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee (ref. AU-4.3.11).

                      April 2016

                    • BR-2.3.13

                      If a controlled function falls vacant, a licensee making immediate interim arrangements for the controlled function affected, must obtain approval from the CBB (ref. AU-4.4.9).

                      April 2016

                  • Cessation of Business

                    • BR-2.3.14

                      In accordance with Paragraph GR-9.1.1 and Article 50 of the CBB Law, licensees must seek the CBB's prior approval should they wish to cease to provide or suspend any or all of the licensed regulated services of their operations and/or liquidate their business.

                      April 2016

              • BR-3 BR-3 Information Gathering by the CBB

                • BR-3.1 BR-3.1 Power to Request Information

                  • BR-3.1.1

                    In accordance with Article 111 of the CBB Law, licensees must provide all information that the CBB may reasonably request in order to discharge its regulatory obligations.

                    April 2016

                  • BR-3.1.2

                    Licensees must provide all relevant information and assistance to the CBB inspectors and appointed experts on demand as required by Articles 111 and 114 of the CBB Law. Failure by licensees to cooperate fully with the CBB's inspectors or appointed experts, or to respond to their examination reports within the time limits specified, will be treated as demonstrating a material lack of cooperation with the CBB which will result in other enforcement measures being considered, as described elsewhere in Module EN. This rule is supported by Article 114(a) of the CBB Law.

                    April 2016

                  • BR-3.1.3

                    Article 163 of the CBB Law provides for criminal sanctions where false or misleading statements are made to the CBB or any person /appointed expert appointed by the CBB to conduct an inspection or investigation on the business of the licensee or the listed licensee.

                    April 2016

                  • Information Requested on Behalf of other Supervisors

                    • BR-3.1.4

                      The CBB may ask licensees to provide it with information at the request of or on behalf of other supervisors to enable them to discharge their functions properly. Those supervisors may include overseas supervisors or government agencies in Bahrain.

                      April 2016

                • BR-3.2 BR-3.2 Access to Premises

                  • BR-3.2.1

                    In accordance with Article 114 of the CBB Law, a licensee must permit representatives of the CBB, or persons appointed for the purpose by the CBB to have access, with or without notice, during reasonable business hours to any of its business premises in relation to the discharge of the CBB's functions under the relevant law.

                    April 2016

                  • BR-3.2.2

                    A licensee must take reasonable steps to ensure that its agents and providers under outsourcing arrangements permit such access to their business premises, to the CBB.

                    April 2016

                  • BR-3.2.3

                    A licensee must take reasonable steps to ensure that each of its providers under material outsourcing arrangements deals in an open and cooperative way with the CBB in the discharge of its functions in relation to the licensee.

                    April 2016

                  • BR-3.2.4

                    The cooperation that licensees are expected to procure from such providers is similar to that expected of licensees themselves.

                    April 2016

                • BR-3.3 BR-3.3 Accuracy of Information

                  • BR-3.3.1

                    Licensees must take reasonable steps to ensure that all information they give to the CBB is:

                    (a) Factually accurate or, in the case of estimates and judgements, fairly and properly based after appropriate enquiries have been made by the licensee; and
                    (b) Complete, in that it should include everything which the CBB would reasonably and ordinarily expect to have.
                    April 2016

                  • BR-3.3.2

                    If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way, it must notify the CBB immediately. The notification must include:

                    (a) Details of the information which is or may be false, misleading, incomplete or inaccurate, or has or may have changed;
                    (b) An explanation why such information was or may have been provided; and
                    (c) The correct information.
                    April 2016

                  • BR-3.3.3

                    If the information in Paragraph BR-3.3.2 cannot be submitted with the notification (because it is not immediately available), it must instead be submitted as soon as possible afterwards.

                    April 2016

                • BR-3.4 BR-3.4 Methods of Information Gathering

                  • BR-3.4.1

                    The CBB uses various methods of information gathering on its own initiative which require the cooperation of licensees:

                    (a) Representatives of the CBB may make onsite visits at the premises of the licensee. These visits may be made on a regular basis, or on a sample basis, for special purposes such as theme visits (looking at a particular issue across a range of licensees), or when the CBB has a particular reason for visiting a licensee;
                    (b) Appointees of the CBB may also make onsite visits at the premises of the licensee. Appointees of the CBB may include persons who are not CBB staff, but who have been appointed to undertake particular monitoring activities for the CBB, such as in the case of appointed experts (refer to Chapter EN-2);
                    (c) The CBB may request the licensee to attend meetings at the CBB's premises or elsewhere;
                    (d) The CBB may seek information or request documents by telephone, at meetings or in writing, including electronic communication; or
                    (e) The CBB may require licensees to submit various documents or notifications, as per Chapter BR-2, in the ordinary course of their business such as financial reports or on the happening of a particular event in relation to the licensee such as a change in control.
                    April 2016

                  • BR-3.4.2

                    When seeking meetings with a licensee or access to the licensee's premises, the CBB or the CBB appointee needs to have access to a licensee's documents and personnel. Such requests will be made during reasonable business hours and with proper notice. There may be instances where the CBB may seek access to the licensee's premises without prior notice. While such visits are not common, the prospect of unannounced visits is intended to encourage licensees to comply at all times with the requirements and standards imposed by the CBB as per legislation and Volume 5 of the CBB Rulebook.

                    April 2016

                  • BR-3.4.3

                    The CBB considers that a licensee should:

                    (a) Make itself readily available for meetings with representatives or appointees of the CBB;
                    (b) Give representatives or appointees of the CBB reasonable access to any records, files, tapes or computer systems, which are within the licensee's possession or control, and provide any facilities which the representatives or appointees may reasonably request;
                    (c) Produce to representatives or appointees of the CBB specified documents, files, tapes, computer data or other material in the licensee's possession or control as may be reasonably requested;
                    (d) Print information in the licensee's possession or control which is held on computer or otherwise convert it into a readily legible document or any other record which the CBB may reasonably request;
                    (e) Permit representatives or appointees of the CBB to copy documents of other material on the premises of the licensee at the licensee's expense and to remove copies and hold them elsewhere, or provide any copies, as may be reasonably requested; and
                    (f) Answer truthfully, fully and promptly all questions which representatives or appointees of the CBB reasonably put to it.
                    April 2016

                  • BR-3.4.4

                    The CBB considers that a licensee should take reasonable steps to ensure that its employees act in the manner set out in Paragraph BR-3.4.3.

                    April 2016

                  • BR-3.4.5

                    In gathering information to fulfill its supervisory duties, the CBB acts in a professional manner and with due regard to maintaining confidential information obtained during the course of its information gathering activities.

                    April 2016

                • BR-3.5 BR-3.5 Role of the Appointed Expert

                  • Introduction

                    • BR-3.5.1

                      The content of this Chapter is applicable to all licensees and appointed experts.

                      April 2016

                    • BR-3.5.2

                      The purpose of the contents of this Chapter is to set out the roles and responsibilities of appointed experts when appointed pursuant to Article 114 or 121 of the CBB Law (see EN-2.1.1). These Articles empower the CBB to assign some of its officials or others to inspect or conduct investigations of licensees.

                      April 2016

                    • BR-3.5.3

                      The CBB uses its own inspectors to undertake on-site examinations of licensees as an integral part of its regular supervisory efforts. In addition, the CBB may commission reports on matters relating to the business of licensees in order to help it assess their compliance with CBB requirements. Inspections may be carried out either by the CBB's own officials, by duly qualified appointed experts appointed for the purpose by the CBB, or a combination of the two.

                      April 2016

                    • BR-3.5.4

                      The CBB will not, as a matter of general policy, publicise the appointment of an appointed expert, although it reserves the right to do so where this would help achieve its supervisory objectives. Both the appointed expert and the CBB are bound to confidentiality provisions restricting the disclosure of confidential information with regards to any such information obtained in the course of the investigation.

                      April 2016

                    • BR-3.5.5

                      Unless the CBB otherwise permits, appointed experts should not be the same firm appointed as external auditor of the licensee.

                      April 2016

                    • BR-3.5.6

                      Appointed experts will be appointed in writing, through an appointment letter, by the CBB. In each case, the CBB will decide on the range, scope and frequency of work to be carried out by appointed experts.

                      April 2016

                    • BR-3.5.7

                      All proposals to appoint appointed experts require approval by an Executive Director or more senior official of the CBB. The appointment will be made in writing, and made directly with the appointed experts concerned. A separate letter is sent to the licensee, notifying them of the appointment. At the CBB's discretion, a trilateral meeting may be held at any point, involving the CBB and representatives of the licensee and the appointed experts, to discuss any aspect of the investigation.

                      April 2016

                    • BR-3.5.8

                      Following the completion of the investigation, the CBB will normally provide feedback on the findings of the investigation to the licensee.

                      April 2016

                    • BR-3.5.9

                      Appointed experts will report directly to and be responsible to the CBB in this context and will specify in their report any limitations placed on them in completing their work (for example due to the licensee's group structure). The report produced by the appointed experts is the property of the CBB (but is usually shared by the CBB with the firm concerned).

                      April 2016

                    • BR-3.5.10

                      Compliance by appointed experts with the contents of this Chapter will not, of itself, constitute a breach of any other duty owed by them to a particular licensee (i.e. create a conflict of interest).

                      April 2016

                    • BR-3.5.11

                      The CBB may appoint one or more of its officials to work on the appointed experts' team for a particular licensee.

                      April 2016

                  • The Required Report

                    • BR-3.5.12

                      The scope of the required report will be determined and detailed by the CBB in the appointment letter. Commissioned appointed experts would normally be required to report on one or more of the following aspects of a licensee's business:

                      (a) Accounting and other records;
                      (b) Internal control systems;
                      (c) Returns of information provided to the CBB;
                      (d) Operations of certain departments; and/or
                      (e) Other matters specified by the CBB.
                      April 2016

                    • BR-3.5.13

                      Appointed experts will be required to form an opinion on whether, during the period examined, the licensee is in compliance with the relevant provisions of the CBB Law and the CBB's relevant requirements, as well as other requirements of Bahrain Law and, where relevant, industry best practice locally and/or internationally.

                      April 2016

                    • BR-3.5.14

                      The appointed experts' report should follow the format set out in Appendix BR-1, in part B of the CBB Rulebook.

                      April 2016

                    • BR-3.5.15

                      Unless otherwise directed by the CBB or unless the circumstances described in Section BR-3.5.19 apply, the report must be discussed with the Board of directors and/or senior management in advance of it being sent to the CBB.

                      April 2016

                    • BR-3.5.16

                      Where the report is qualified by exception, the report must clearly set out the risks which the licensee runs by not correcting the weakness, with an indication of the severity of the weakness should it not be corrected. Appointed experts will be expected to report on the type, nature and extent of any weaknesses found during their work, as well as the implications of a failure to address and resolve such weaknesses.

                      April 2016

                    • BR-3.5.17

                      If the appointed experts conclude, after discussing the matter with the licensee, that they will give a negative opinion (as opposed to one qualified by exception) or that the issue of the report will be delayed, they must immediately inform the CBB in writing giving an explanation in this regard.

                      April 2016

                    • BR-3.5.18

                      The report must be completed, dated and submitted, together with any comments by directors or management (including any proposed timeframe within which the licensee has committed to resolving any issues highlighted by the report), to the CBB within the timeframe applicable.

                      April 2016

                  • Other Notifications to the CBB

                    • BR-3.5.19

                      Appointed experts must communicate to the CBB, during the conduct of their duties, any reasonable belief or concern they may have that any of the requirements of the CBB, including the criteria for licensing a licensee (see Module AU), are not or have not been fulfilled, or that there has been a material loss or there exists a significant risk of material loss in the concerned licensee, or that the interests of customers are at risk because of adverse changes in the financial position or in the management or other resources of a licensee. Notwithstanding the above, it is primarily the licensee's responsibility to report such matters to the CBB.

                      April 2016

                    • BR-3.5.20

                      The CBB recognises that appointed experts cannot be expected to be aware of all circumstances which, had they known of them, would have led them to make a communication to the CBB as outlined above. It is only when appointed experts, in carrying out their duties, become aware of such a circumstance that they should make detailed inquiries with the above specific duty in mind.

                      April 2016

                    • BR-3.5.21

                      If appointed experts decide to communicate directly with the CBB in the circumstances set out in Paragraph BR-3.5.19, they may wish to consider whether the matter should be reported at an appropriate senior level in the licensee at the same time and whether an appropriate senior representative of the licensee should be invited to attend the meeting with the CBB.

                      April 2016

                  • Permitted Disclosure by the CBB

                    • BR-3.5.22

                      Information which is confidential and has been obtained under, or for the purposes of, this chapter or the CBB Law may only be disclosed by the CBB in the circumstances permitted under the Law. This will allow the CBB to disclose information to appointed experts to fulfil their duties. It should be noted, however, that appointed experts must keep this information confidential and not divulge it to a third party except with the CBB's permission and/or unless required by Bahrain Law.

                      April 2016

                  • Trilateral Meeting

                    • BR-3.5.23

                      The CBB may, at its discretion, call for a trilateral meeting(s) to be held between the CBB and representatives of the relevant licensee and the appointed experts. This meeting will provide an opportunity to discuss the appointed experts' examination of, and report on, the licensee.

                      April 2016

    • Part B

       

      Table of Contents
       Current Issue Date 
      Glossary of Defined Terms06/2025PDF Version
      CBB Authorisation FormsForm 1Application for a License10/2019PDF Version
      Form 2Application for Authorisation of Controller04/2020PDF Version
      Form 3Application for Approved Person status01/2022PDF Version
       Trust Registration or Amendment Form10/2017PDF Version
      CBB ReportingSTR[This was deleted in July 2016]07/2016 
      ALFAnnual License Fee01/2014PDF Version
      Direct Debit Authorisation Form10/2014PDF Version
      RM-1Cyber-Security Incident Report01/2022PDF Version
      Financing Companies and Microfinance Institutions
      Appendix BR-1PIRFM — Prudential Information Report for Financing and Microfinance Institutions01/2019Excel Version
      Appendix BR-3Guidelines for Completion of PIRFM10/2014PDF Version
      Appendix BR-5Board and Committee Meetings10/2014PDF Version
      Appendix BR-6Agreed Upon Procedures10/2014PDF Version
      Financing Companies
      Appendix BR-7Connected Counterparty Exposures Report01/2013Excel Version
      Appendix BR-8Guidelines for completion of Exposures to Connected Counterparties01/2013PDF Version
      Appendix BR-9[This was replaced with Appendix BR-5 in October 2014]10/2014 
      Appendix BR-11Information Required for Annual and Interim Financial Review01/2019Excel Version
      Appendix BR-12Financial Review (Islamic)10/2015Excel Version
      Appendix BR-14Guidelines for Completion of Supplementary Information Form01/2019PDF Version
      Appendix BR-22Continuous Professional Development Form (CPD)04/2017PDF Version
      Third Party Administrators (TPAs)
      Appendix BR-13Sources of Revenue04/2016PDF Version
      Money Changers
      FCRInsurance Coverage Return10/2014Excel Version
      Supplementary InformationBCBusiness Conduct
      BC-1 Examples of APR Calculations01/2014PDF Version
      BC-2 Financing Companies Standard Service Charges04/2018PDF Version
      BC-3 Microfinance Institutions Standard Service Charges04/2022PDF Version
      CMCredit Risk Management
      CM-1 Code of Best Practice on Consumer Credit and Charging (to be issued)
      CM-2 Bahrain Credit Reference Bureau Code of Practice (to be issued)
      CM-3 Example of APR Calculation (to be issued)
      BRCBB Reporting
      BR-10 Appointed Experts' Report07/2013PDF Version
      FCFinancial Crime
      FC- (i) Amiri Decree Law No. 4 (2001)01/2011PDF Version
      FC-(i)(a) Decree Law No. 54 (2006)01/2011PDF Version
      FC-(i)(b) Decree Law No. 58 (2006)01/2011PDF Version
      FC- (ii) UN Security Council Resolution 1373 (2001)01/2011PDF Version
      FC- (iii) UN Security Council Resolution 1267 (1999)01/2011PDF Version
      FC- (iv) Examples of Suspicious Transactions01/2011PDF Version
      FC- (v) Guidance Notes01/2011PDF Version
      FC- (vi) Agreed Upon Procedures10/2019PDF Version
      OBOpen Banking
      OB-1 Reporting by AISP/PISP05/2024PDF Version
      OB-2 B2B and B2C Business Models05/2024PDF Version
      PDPublic Disclosure
      PD-1 Instructions for Publication of Press Releases01/2020PDF Version

       

      • Glossary

        • Glossary of Defined Terms

          • Glossary History

            Version DateDescription of Changes
            October 2010Initial Launch
            December 2010Added definition of home supervisor, representative office manager or "Rep Manager"; regulated representative office services; amended definition of controlled function; director(s), representative office or representative office licensee(s)
            January 2011Added definition of administrator(s) licensee(s)/license, client assets, close links, executive director, lead supervisor, non-executive director(s), registrar, regulated administration services, remuneration, subsidiary undertaking;
            Amended definition of appointed expert(s), controller(s), fund administrator, money changer, outsourcing, qualified by exception, regulated services, representative office manager, shareholders.
            April 2011Amended definition of executive director
            April 2012Added definition of licensed exchange(s), market, regulated investment services, reputational risk, service level agreement(s), succession plan.
            Amended definition of executive director, overseas licensee(s), subsidiary or subsidiary undertaking.
            January 2013Added definition for financial services, person.
            Added definition of branch(es), connected person(s), family, financial instrument(s), financing company licensee(s), independent director, regulated financing company service(s) and regulated insurance services.
            Added definition of core capital, gearing ratio and liabilities.
            Added definition for regulated ancillary services.
            Added definition for Collective investment undertakings.
            January 2014Added definition for associate(d), Bahrain domiciled CIU(s), base rate, conspicuous notice, eligible beneficiary(ies), framework, intra-group outsourcing, leverage ratio, liquid assets, maturity mismatch ratio, NIM, option(s), principal, qualifying liabilities, ROAE, ROAA, regulated microfinance service, small business(es) (SMEs), stock liquidity ratio.
            Amended definition for director(s), head of function, microfinance institution(s) or microfinance institution licensee(s), parent undertaking or parent.
            October 2014Corrected cross reference to relevant authorities.
            April 2016Added definition for ancillary service provider(s) or ancillary service provider licensee(s), card processing or card processing service(s), core capital (for ancillary service providers), credit information, credit reference bureau, credit report, members of the credit reference bureau.
            Amended definition for approved persons, Chief Executive, Chief Executive Officer or CEO, close links, general manager, head of function.
            July 2016Amended definition of Politically Exposed Persons (PEPs).
            October 2017Added a definition for Beneficial Owner.
            October 2017Added a definition for Crowdfunding Platform Operator.
            December 2018Added new definitions for terms relevant to 'open banking' including, Account Information Service, Account Information Services Provider, Payment Initiation Service, Payment Initiation Services Provider, Payment Instrument and Licensee Maintaining Customer Accounts.
            December 2018Added definition of Accredited Investor and Expert Investor.
            January 2019Added definition of Originator Information.
            October 2019Amended the definition of 'Regulated ancillary services'.
            October 2019Added definition of 'without delay'.
            July 2020Amended definition of ‘Independent director’.
            October 2020Added point (f) in definition of ‘Independent director’.
            July 2021Amended definition of ‘Payment Instrument(s)’.
            April 2023Added definition of client money.
            April 2023Added definition of client money account.
            June 2025Amended definition of Beneficial Owner.
            June 2025Amended definition of Politically Exposed Persons (PEPs).

          • A A

            • Account Information Service

              An 'account information service' is an online service which provides consolidated information to a customer on one or more accounts held by that customer with licensees maintaining customer accounts.

              Added: December 2018

            • Account Information Service Provider or AISP (s)

              A person licensed by the CBB to undertake the activity of providing account information services online.

              Added: December 2018

            • Accredited Investor(s)

              Accredited investors are defined as investors meeting the following criteria:

              (a) Individuals who have a minimum net worth (or joint net worth with their spouse) of USD 1,000,000, excluding that person’s principal place of residence;
              (b) Companies, partnerships, trusts or other commercial undertakings, which have financial assets available for investment of not less than USD 1,000,000; or
              (c) Governments, supranational organisations, central banks or other national monetary authorities, and state organisations whose main activity is to invest in financial instruments (such as state pension funds).

              Individuals and commercial undertakings may elect in writing to be treated as accredited investors subject to meeting at least two of the following conditions:

              (a) The investor has carried out trading/investing transactions, in significant size (i.e. value of transactions aggregating USD 200,000) over the last 12-month period;
              (b) The size of the investor's financial assets portfolio including cash deposits and financial instruments is USD 500,000 or more; and/or
              (c) The investor works or has worked in the financial sector for at least one year in a professional position, which requires knowledge of the transactions or services envisaged (i.e. the position was professional in nature and held in a field that allowed the client to acquire knowledge of transactions or services that have comparable features and a comparable level of complexity to the transactions or services envisaged).
              Amended: July 2022
              Added: December 2018

            • Administrator(s) licensee(s)/license

              A person licensed under Volume 5_Administrator of the CBB Rulebook to undertake regulated administration services as defined in Paragraph AU-1.1.11 or AU-1.1.12.

              Added: January 2011

            • Ancillary Service Provider(s) or Ancillary Service Provider Licensee(s)

              A person licensed under Volume 5 of the CBB Rulebook to undertake regulated ancillary services. These licensees are referred to as 'financial sector support institutions' under Article 1 of the CBB Law.

              Added: April 2016

            • Appointed Expert(s)

              A duly qualified individual or firm appointed by the CBB to carry out inspections in accordance with Article 114 of the CBB Law or special investigations of licensees in accordance with Article 121 of the CBB Law. Appointed Experts are appointed in addition to the CBB's own officials. Examples of Appointed Experts are reporting accountants, lawyers, expert witnesses and independent actuaries.

              Amended: January 2011

            • Approved Person(s)

              Persons undertaking certain functions in relation to CBB specialised licensees require prior CBB approval. These functions (called "controlled functions") include directors and members of senior management. The controlled functions regime supplements the licensing regime by ensuring that key persons involved in the running of specialised licensees are fit and proper. Those authorised by the CBB to undertake controlled functions are called approved persons (see Paragraph AU-A.1.2; Section AU-1.3 for ancillary service providers).

              Amended: April 2016

            • Associate(d)

              A company or other enterprise, which is not a subsidiary or joint venture, over which the licensee has significant influence. Significant influence means the power to participate in financial and operating policy decisions. Such influence is presumed to exist if the licensee owns more than 20 percent of the associate.

              Added: January 2014

            • Authorised person(s)

              A person authorised either as a CBB licensee or an Approved Person.

          • B B

            • Bahrain domiciled CIU(s)

              Bahrain domiciled CIUs are undertakings where:

              (a) The legal form of the CIU is established under the laws of the Kingdom of Bahrain; and
              (b) The CIU documents and contractual agreements are governed by the Laws of the Kingdom of Bahrain.
              Added: January 2014

            • Bahraini specialised licensees/ Bahraini licensees

              A specialised licensee that is incorporated in the Kingdom of Bahrain.

              Amended: July 2016

            • Base Rate

              The interest rate that underpins lending to customers.

              Added: January 2014

            • Beneficial Owner

              (a) In the context of legal persons, beneficial owner refers to the natural person(s) who ultimately owns or controls a customer, and/or the natural person on whose behalf a transaction is being conducted. It also includes those natural persons who exercise ultimate effective control over a legal person. Only a natural person can be an ultimate beneficial owner, and more than one natural person can be the ultimate beneficial owner of a given legal person.
              (b) In the context of legal arrangements, beneficial owner includes: (i) the settlor(s); (ii) the trustee(s); (iii) the protector(s) (if any); (iv) each beneficiary, or where applicable, the class of beneficiaries and objects of a power; and (v) any other natural person(s) exercising ultimate effective control over the arrangement. In the case of a legal arrangement similar to an express trust, beneficial owner refers to the natural person(s) holding an equivalent position to those referred above. When the trustee and any other party to the legal arrangement is a legal person, the beneficial owner of that legal person should be identified.
              (c) Reference to “ultimately owns or controls” and “ultimate effective control” refer to situations in which ownership/control is exercised through a chain of ownership or by means of control other than direct control.
              (d) Reference to “ultimate effective control” over trusts or similar legal arrangements includes situations in which ownership/control is exercised through a chain of ownership/control.
              Added: October 2017
              Amended: June 2025

            • Branch(es)

              A place of business which forms a legally dependent part of a licensee and which carries out directly all or some of the transactions inherent in the business of the relevant licensee.

              Added: January 2013

          • C C

            • CBB licensees

              Any person licensed by the CBB under any of the Volumes of the CBB Rulebook.

            • Card Processing or Card Processing Service(s)

              Ancillary service provider activity as defined under Paragraph AU-1.2.5 of Module AU_Ancillary Service Provider.

              Added: April 2016

            • Chief Executive, Chief Executive Officer or CEO

              A person responsible under the immediate authority of the Board of Directors for the conduct of the firm (regardless of actual title): cf. AU-1.2.9; AU-1.3.5 for ancillary service providers).

              Amended: April 2016

            • Client Assets

              Money or financial instruments belonging to clients of a licensee that are held or controlled by the licensee in connection with the conduct of regulated administration services.

              Added: January 2011

            • Client money

              Client money comprises any money that a licensee receives and holds on a fiduciary basis, as intermediary in the course of carrying on regulated services, towards the execution of transactions on behalf of its customers.

              Added: April 2023

            • Client money account

              A segregated bank account held by PSPs with a retail bank in order to hold client money.

              Added: April 2023

            • Close link (as defined under Paragraph GR-6.2.1 of Module GR_Administrators; GR-5.2.1 for financing companies; GR-8.2.1 for ancillary service providers)

              A licensee ("L") has close links with another undertaking ("U"), if:

              (a) U is a parent undertaking of L;
              (b) U is a subsidiary undertaking of L;
              (c) U is a parent undertaking of a subsidiary undertaking of L;
              (d) U is a subsidiary undertaking of a parent undertaking of L;
              (e) U owns or controls 20% or more of the voting rights or capital of L; or
              (f) L, any of its parent or subsidiary undertakings, or any of the subsidiary undertakings of its parent, owns or controls 20% or more of the voting rights or capital of U.
              Amended: April 2016
              Amended: January 2013
              Added: January 2011

            • Collective Investment Undertaking(s) ('CIUs')

              Collective investment undertakings ('CIUs') are undertakings:

              (i) The sole object of which is the collective investment of capital raised from the public or through private placement, including investment seeded by the operator, in financial instruments and other assets and which operates on the basis of risk-spreading as appropriate; and
              (ii) The holdings of which may be re-purchased or redeemed out of those undertakings. assets, as appropriate.
              Added: January 2013

            • Compliance Officer

              An employee of appropriate standing designated by licensees having responsibility for oversight of the licensee's compliance with the requirements of the CBB and reporting to the licensee's Board in respect of that responsibility. The compliance officer is an approved person occupying a controlled function.

            • Conflict of interest

              A situation when a person or an entity has competing professional or personal obligations to other parties in a financial transaction (e.g. underwriting a securities transaction and simultaneously advising clients whether to buy the security or not) or in ongoing financial relationships (e.g. when a specialised licensee has a director or one of its major customers on its board), or personal or financial interests that would make it difficult to fulfil his duties fairly.

            • Connected person(s)

              (a) The individual's spouse and his/her son, adopted son, stepson, daughter, adopted daughter, step-daughter, father, step-father, mother, step-mother, brother, step-brother, sister or step-sister, under his/her guardianship or control;
              (b) A firm or corporation in which the individual or any persons mentioned in (a) has control of not less than 10% of the voting power in the firm or corporation, whether such control is exercised individually or jointly; or
              (c) Connected persons in relation to a firm or corporation means another firm or corporation in which the first-mentioned firm or corporation has control of not less than 10% of the voting power in that other firm or corporation.
              Added: January 2013

            • Conspicuous notice

              Means a written statement in both Arabic and English languages which is easily visible and legible and displayed in all credit institutions' premises open to the public (head offices and branches), and via means such as websites, newspapers and other press notices.

              Added: January 2014

            • Controller's family

              (to be defined at a later date)

            • Controlled function

              A function carried on by an approved person in relation to a licensee that requires prior CBB approval: cf. AU-1.2.

              Amended: December 2010

            • Controller

              As defined under Paragraph GR-5.2.1 for administrators, [GR-4.2.1 for financing companies; GR-7.2.1 for ancillary service providers], a controller is a natural or legal person who, either alone or with his associates:

              (a) Holds 10% or more of the shares in the licensee ("L"), or is able to exercise (or control the exercise) of more than 10% of the voting power in L; or
              (b) Holds 10% or more of the shares in a parent undertaking ("P") of L, or is able to exercise (or control the exercise) of more than 10% of the voting power in P; or
              (c) Is able to exercise significant influence over the management of L or P.
              Amended: April 2016
              Amended: January 2013
              Amended: January 2011

            • Conventional bank licensees

              A bank licensed by CBB under Volume 1 of the CBB Rulebook, and generally operating according to conventional finance principles (as opposed to operating in accordance with Islamic finance principles).

            • Conventional retail bank licensee(s)

              Banks which undertake the regulated banking services of (a) to (o) in Paragraph LR-1.3.1 for both residents and non-residents of the Kingdom of Bahrain.

              Added: December 2018

            • Core Capital (as defined in CA-1.1.6_Financing Companies)

              Core capital shall consist of the sum of items (a) to (e) below, less the sum of items (f) to (i) below:

              (a) Issued and fully paid ordinary shares (net of treasury shares);
              (b) Share premium reserve;
              (c) Perpetual non-cumulative preference shares;
              (d) All disclosed reserves brought forward, that are audited and approved by the shareholders, in the form of legal, general and other reserves created by appropriations of retained earnings, excluding fair value reserve1;and
              (e) Retained profit brought forward;

              LESS:

              (f) Goodwill;
              (g) Current interim cumulative net losses;
              (h) Unrealised gross losses arising from fair valuing equity securities2; and
              (i) Other deductions, as specified by the CBB.

              1 This refers to unrealised fair value gains reported directly in equity.

              2 This refers to both 'net losses taken through P&L'. and 'gross losses reported directly in equity'.

              Added: January 2013

            • Core Capital (for Ancillary Service Providers)

              Core capital refers to:

              (a) Issued and fully paid ordinary shares (net of treasury shares);
              (b) Share premium reserve;
              (c) All disclosed reserves brought forward, that are audited and approved by the shareholders, in the form of legal, general and other reserves created by appropriations of retained earnings, excluding fair value reserve;
              (d) Retained profit brought forward;

              Less:

              (e) Current interim cumulative net losses; and
              (f) Other deductions, as specified by the CBB.

              Interim profits which have been reviewed as per IAS 34 may be included as core capital.

              Added: April 2016

            • CPD

              Continuous professional development as referred to in Module TC (Training and Competency).

            • Credit Information

              As defined under Article (68 bis) b) 1) of the CBB Law, means any information and data related to financial obligations of customers of members of a credit reference bureau. This includes information and data related to all of the customer's debts (liabilities), credit facilities, sale on credit arrangements, sale by instalments, and any other claims due from the customer, along with their due dates, terms and conditions, and guarantees related to such claims, repayment, and the extent of the customers' commitments as well as the data and information related to government claims against the customer in the form of fees, instalments and fines, and any other claims due to government bodies. For this definition, customer means any of the customers of a credit reference bureau whom the credit reference bureau holds credit information as defined under Article (68 bis) b) 3) of the CBB Law.

              Added: April 2016

            • Credit Reference Bureau

              A credit reference bureau is a company licensed by the CBB as an ancillary services provider that receives, stores, analyses and classifies the credit information of customers and issues credit reports and provides the members of the credit reference bureau with such reports upon their request (see Paragraph AU-1.2.6 of Module AU_Ancillary Service Provider). For this definition, customer means any of the customers of a credit reference bureau whom the credit reference bureau holds credit information as defined under Article (68 bis) b) 3) of the CBB Law.

              Added: April 2016

            • Credit Report

              As defined under Article (68 bis) b) 4) of the CBB Law, means any report issued by any of the credit reference bureaus based upon a request by a customer or any of the members of the credit reference bureau and which includes credit information indicating the credit worthiness of the customer.

              Added: April 2016

            • Crowdfunding Platform Operator

              A person licensed by the CBB under the CBB Rulebook Volume 5 in respect of operating a crowdfunding platform.

              Added: October 2017

            • Customer

              A customer refers to a person or persons who have a business relationship with the licensee—those who receive and use or are directly affected by the products and services of the licensee.

              Amended: January 2011

          • D D

            • Director(s)

              A person who acts in the capacity of director of a firm (whether appointed or not, or whether titled director or not). In the case of a sole trader, unincorporated body or partnership, a person directing its affairs, or a partner (of a partnership). Where relevant for CBB licensees, directors are a controlled function: see AU-1.2.2; AU-1.4.2 for microfinance institutions; and AU-1.3.2 for ancillary service providers.

              Amended: April 2016
              Amended: January 2014
              Amended: December 2010

          • E E

            • Eligible Beneficiary(ies) (For Purposes of Module AU_Microfinance Institutions)

              Low income individuals and small businesses, who are not eligible to secure financing facilities through the banking system that intend to get a credit facility to engage in small economic activities (examples: small farmers, fishermen, related activities, etc.).

              Added: January 2014

            • Employees

              An individual: a) who is employed or appointed by a person in connection with that person's business, whether under a contract of service or otherwise; or b) whose services, under an arrangement between that person and a third party, are placed at the disposal and under the control of that person.

              Amended: January 2011

            • Executive Director

              Means a director who is an officer or employee, or is otherwise involved in day-to-day management, of either:

              (a) The licensee;
              (b) Another company which is a controller of the licensee;
              (c) Another company of which the licensee is a controller; or
              (d) Another company which is controlled by a controller of the licensee.

              In this definition, the word "company" which is a controller of the licensee excludes sovereigns such as government owned entities and government ministries.

              Amended: April 2012
              Amended: April 2011
              Added: January 2011

            • Expert Investor

              Expert investors are:

              (a) Individuals who have a minimum net worth (or joint net worth with their spouse) of USD 100,000, excluding that person's principal place of residence;
              (b) Companies, partnerships, trusts or other commercial undertakings, which have financial assets available for investment of not less than USD 100,000; or
              (c) Governments, supranational organisations, central banks or other national monetary authorities, local authorities and state organisations.
              Added: December 2018

          • F F

            • Family

              For purposes of Module AU, the term 'family' refers to father, mother, husband, wife, grandfather, grandmother, grandson and granddaughter.

              Added: January 2013

            • Financial instrument(s)

              Any of the following instruments:

              (a) Transferable securities;
              (b) Islamic financial instruments;
              (c) Money market instruments;
              (d) Units in collective investment undertakings;
              (e) Derivative contracts other than commodity derivatives;
              (f) Derivative contracts relating to commodities settled in cash;
              (g) Derivative contracts relating to commodities;
              (h) Credit derivatives;
              (i) Financial contracts for differences;
              (j) Other derivative contracts;
              (k) Interests in real estate property;
              (l) Certificates representing certain securities; and
              (m) Rights or Interests in Financial Instruments.
              Added: January 2013

            • Financing companies or financing company licensee(s)

              A person licensed under Volume 5 of the CBB Rulebook to undertake regulated financing company services.

              Amended: January 2013

            • Financial services (as used in Module AU)

              For the purpose of Module AU, financial services means:

              (a) Any dealings in any instrument defined as a financial instrument in any Volume of the CBB Rulebook;
              (b) Any arrangement where money, goods or services are made available to a person in exchange for his promise to pay at a later date and that arrangement is of a type habitually provided by another person for commercial gain;
              (c) Any arrangement in which money is solicited from the public in return for a promise of financial gain on, or safekeeping of, that money; or
              (d) Any product or other financial services in the area of regulated services (regulated by the CBB) marketed in the Kingdom of Bahrain.
              Added: January 2013

            • Framework (as used in Module OM_Financing Companies)

              Framework refers to the operational risk framework of a licensee. An operational risk framework refers to the internal control systems of the licensee and contains five inter-related elements:

              (a) Establishing the control culture within the licensee and ensuring regular oversight by the Board and the Management of the licensee;
              (b) Risk recognition and assessment;
              (c) Control activities and segregation of duties;
              (d) Information and communication; and
              (e) Monitoring activities and correcting deficiencies.
              Added: January 2014

            • Fund administrators

              A person licensed under Volume 5 of the CBB Rulebook to undertake regulated administration services as defined in Paragraph AU-1.1.11.

              Amended: January 2011

          • G G

            • Gearing Ratio

              For purposes of Module CA for financing companies, the gearing ratio is defined as the core capital divided by the total liabilities.

              Amended: January 2013

            • General Manager

              The General Manager (of a firm whether incorporated in Bahrain or not) means a person who (regardless of actual title) is responsible, alone or jointly, for the conduct of the whole of the firm, or in the case of an overseas licensee, for all the activities of the branch. Equivalent to Chief Executive in the case of firms incorporated in Bahrain (cf. Rule AU-1.2.9; AU-1.3.5 for ancillary service providers).

              Amended: April 2016

          • H H

            • Head of Function

              A person who, under the immediate authority of the chief executive or general manager, exercises one or more major managerial functions or is responsible for maintaining accounts or other records of the firm (cf. Rule AU-1.2; AU-1.4 for microfinance institutions; AU-1.3.6 for ancillary service providers).

              Amended: April 2016
              Amended: January 2014
              Amended: January 2013

            • Home supervisor

              The competent authority in which the parent licensee is incorporated, or in which the head office of a branch is incorporated.

              Added: December 2010

          • I I

            • Independent director

              Determination by the Board. Under Module HC an 'independent director' is a director whom the board has specifically determined has no material relationship which could affect his independence of judgment, taking into account all known facts. The board should consider that, although a particular director meets the formal requirements, he may not be independent owing to specific circumstances of the person or the licensee, ownership structure of the licensee, or for any other reason. The board's determination should be a good faith finding after diligent review and full discussion.

              Formal Requirements. 'Independent director' means a director of the licensee who, or whose family shareholders either separately or together with him or each other, does not have any material pecuniary relationships or transactions with the licensee (not counting director's remuneration for this purpose) and in particular who, during the one year preceding the time in question met all the following conditions:

              (a) Was not an employee of the licensee;
              (b) Did not:
              (i) Make to, or receive from, the licensee payments of more than 31,000 BD or equivalent (not counting director's remuneration);
              (ii) Own more than a 10% share or other ownership interest, directly or indirectly, in an entity that made to or received from the licensee payments of more than such amount;
              (iii) Act as a general partner, manager, director or officer of a partnership or company that made to or received from the licensee payments of more than such amount;
              (iv) Have any significant contractual or business relationship with the licensee which could be seen to materially interfere with the person's capacity to act in an independent manner,
              (c) Did not own directly or indirectly (including for this purpose ownership by any family member or related person) 5% or more of the shares of any type or class of the licensee;
              (d) Was not engaged directly or indirectly as an auditor or professional advisor for the licensee;
              (e) Was not an associate of a Director or a member of senior management of the licensee; and
              (f) Was not an associate of a Director, member of senior management or board member of the licensee’s controller.

              For purposes of this definition, the 'payments' referred to in paragraph (b)(i), (b)(ii) and (b)(iii) do not include monies received from dividends and credit facilities arising from the licensee's normal business activities, but instead ordinarily refer to monies received (and/or payable during the period in question) for services rendered to the licensee by the director or company concerned, or paid (or payable) by the concerned director or company to the licensee for services provided by the licensee. The CBB may in its absolute discretion vary any such requirement (and /or restrictive effect thereof) in writing on a case-by-case basis. Dividends and credit facilities are to be considered under item (b)(iv) of this definition.

              For the purpose of the definition of "independent director":

              (a) Where the term "family" or "family member or related persons" is used reference is made to: spouse, father, mother, son(s) or daughter(s); and
              (b) Where the term "associate" is used reference is made to:
              (i) Spouse, father, mother, son(s) or daughter(s); or
              (ii) A person who is an employee or partner of the Director or of the firm represented or owned by the Director.
              Amended: October 2020
              Amended: July 2020
              Added: January 2013

            • Insurance licensees

              An insurance firm, insurance broker, insurance consultant, insurance manager or an insurance exchange operator who has been granted a licence by the CBB to undertake regulated insurance services as defined in Section AU-1.4 of Volume 3 (Insurance).

            • Intra-group outsourcing

              Intra-group outsourcing is an arrangement in which one company within a group of companies provides services for another company within the same group that could also be or usually have been provided in-house.

              Added: January 2014

            • Investment firm licensee(s)

              A person licensed under Volume 4 of the CBB Rulebook to undertake regulated investment business services.

            • Islamic bank licensees

              A bank licensed by CBB under Volume 2 of the CBB Rulebook, and generally operating according to Islamic finance principles (as opposed to operating in accordance with conventional finance principles).

            • Islamic retail banks licensee(s)

              Banks which undertake the regulated banking services of (a) to (n) in Paragraph LR-1.3.1 for both residents and non-residents of the Kingdom of Bahrain.

              Added: December 2018

          • J

            [This page is currently blank.]

          • K

            [This page is currently blank.]

          • L L

            • Lead Supervisor

              In the context of groups containing regulated financial companies, the principal regulator supervising those financial companies on a consolidated basis.

              Added: January 2011

            • Leverage ratio (For Purposes of Module CA_Microfinance Institutions)

              Defined under Paragraph CA-1.1.5 as the total equity divided by the total assets, where total equity is defined under Paragraph CA-1.1.6.

              Added: January 2014

            • Liabilities

              For purposes of Module CA for financing companies, liabilities are defined as the total amount of liabilities reported in the PIRF or PIRCC.

              Added: January 2013

            • Licensed exchange(s)

              "Licensed exchange" means an exchange licensed in respect of the operation of its market in and from the Kingdom of Bahrain.

              Added: April 2012

            • Licensees

              Any person licensed by the CBB under any of the Volumes of the CBB Rulebook.

            • Licensees maintaining customer account (s)

              Banks, financing companies and, or as the case may be, credit card or PSPs operating digital wallets, who allow AISPs and PISPs access to customer accounts with the explicit customer consent.

              Added: December 2018

            • Liquid assets (for financing companies)

              For purposes of Paragraph LM-1.2.5, liquid assets are defined as:

              (a) Cash and unencumbered current accounts with financial institutions;
              (b) Placements with financial institutions maturing within one month;
              (c) Exchange traded financial instruments;
              (d) GCC government securities;
              (e) Other sovereign bonds and bills up to one year maturity, carrying a minimum rating of AA-; and
              (f) Accounts receivable due within one month.
              Added: January 2014

          • M M

            • Market (as referred to in the definition of licensed exchange)

              "Market" means a place at which, or a facility (whether electronic or otherwise) by means of which, offers or invitations to sell, purchase or exchange securities or futures contracts (including options and derivatives) regularly made on a centralised basis, being offers or invitations that are intended or may reasonably be expected to result, whether directly or indirectly, in the acceptance or making, respectively, of offers to sell, purchase or exchange securities or futures contracts (whether through that place or facility or otherwise).

              Added: April 2012

            • Maturity mismatch ratio (for financing companies)

              The maturity mismatch ratio is calculated using the net cumulative mismatch figure obtained under Paragraph LM-1.3.4 as a percentage of total liabilities.

              Added: January 2014

            • Members of the credit reference bureau

              As defined under Article (68 bis) b) 2) of the CBB Law, means CBB licensees as designated by the CBB, government bodies as specified by the Bahrain Cabinet of Ministers resolution and any other person as specified by the CBB resolution issued in coordination with the concerned regulatory body of such person.

              Added: April 2016

            • Microfinance institution(s) or microfinance institution licensee(s)

              A person licensed under Volume 5 of the CBB Rulebook to undertake regulated microfinance services.

              Amended: January 2014

            • Money changer or money changer licensee(s)

              A person who has been granted a licence by the CBB to undertake regulated money changer services as defined in Paragraph AU-1.1.8 of Module AU (Authorisation) for Money changers.

              Amended: January 2013
              Amended: January 2011

            • Money Changers' Business Code of Practice ('the Code')

              Business conduct code included in Chapter 2 of Module BC (Business Conduct) for Money changers.

          • N N

            [This page is currently blank.]

            • NIM

              Net Interest Margin.

              Added: January 2014

            • Non-executive Director

              Means any director who is not an executive director

              Amended: January 2011

          • O O

            • Option(s)

              An option is a contract giving the buyer the right, but not the obligation, to buy or sell any of the following at a specific price on or before a certain date:

              (a) Currency of the Kingdom of Bahrain or any other country or territory;
              (b) Palladium, platinum, gold or silver; or other commodity;
              (c) Option to acquire or dispose of a financial instrument of the kind specified by this definition by virtue of the above.
              Added: January 2014

            • Originator Information

              a) The name of the payer.
              b) The address of the payer.
              c) The account number of the payer (where funds are being remitted from an account with your bank).
              Added: January 2019

            • Outsourcing

              The use of a person to provide customised services to a licensee other than by a director or employee of the licensee.

              Amended: January 2011

            • Outsourcing provider

              The person providing the customised services as described in the definition of "outsourcing".

            • Overseas specialised licensee(s)/Overseas licensee(s)

              A specialised licensee which is incorporated in an overseas jurisdiction and operates in the Kingdom of Bahrain through a branch licensed by the CBB.

              Amended: April 2012

          • P P

            • Parent Undertaking or Parent

              An undertaking or individual ('P'), which has the following relationship to another undertaking ('S'):

              (i) P holds (alone or, under an agreement with other shareholders) a majority of the voting rights in S;
              (ii) P (alone or in conjunction with its other subsidiary undertakings), has the right to appoint or remove a majority of its board of directors;
              (iii) P has the right to exercise a dominant influence over S, either through provisions contained in S's memorandum or articles, or a control contract; or
              (iv) P is a parent undertaking of a parent undertaking of S.
              Amended: January 2014

            • Payment Initiation Service

              A 'payment initiation service' is an online service to initiate a payment order at the request of a customer from a payment account held at a licensee maintaining customer accounts with the customer's explicit consent and authentication.

              Added: December 2018

            • Payment Initiation Service Provider (s) or PISP(s)

              A person licensed by the CBB to undertake payment initiation services.

              Added: December 2018

            • Payment Instrument (s)

              Payment instrument means a personalised device and/or a software application that the customer uses in order to initiate a payment.

              Amended: July 2021
              Added: December 2018

            • Person

              Unless the context requires otherwise, a natural or corporate person.

              Added: January 2013

            • Politically Exposed Person or ('PEP')

              Foreign PEPs are individuals who are or have been entrusted with prominent public functions by a foreign country, for example Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state owned corporations, important political party officials.

              Domestic PEPs are individuals who are or have been entrusted domestically with prominent public functions, for example Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state owned corporations, important political party officials.

              Persons who are or have been entrusted with a prominent function by an international organisation refers to members of senior management, i.e. directors, deputy directors and members of the board or equivalent functions.

              The definition of PEPs is not intended to cover middle ranking or more junior individuals in the foregoing categories.

              Amended: July 2016
              Amended: June 2025

            • Principal

              Means the amount of credit received plus any other potential other charges, the total of which is subject to interest/profit.

              Added: January 2014

          • Q Q

            • Qualified by Exception

              A report issued by an appointed expert that is qualified and indicates that certain areas or issues remain unresolved or are unverifiable due to certain limitations imposed on the appointed expert's work. The report will clearly indicate the type and reason for exception and the action that would have been taken by the appointed experts had the mentioned limitation not been placed on their work.

              Amended: January 2011

            • Qualifying liabilities (for financing companies)

              For purposes of Paragraph LM-1.2.3, qualifying liabilities are defined as:

              (a) Liabilities due within one month; and
              (b) Irrevocable commitments to provide funds within one month.
              Added: January 2014

          • R R

            • ROAA

              Return on Average Assets.

              Added: January 2014

            • ROAE

              Return on Average Equity.

              Added: January 2014

            • Registrar

              A person licensed under Volume 5 of the CBB Rulebook to undertake regulated administration services as defined in Paragraph AU-1.1.12.

              Added: January 2011

            • Regulated administration services

              Any of the regulated activities permitted to be undertaken by a fund administrator or registrar outlined in Module AU_Administrators Paragraphs AU-1.1.11 and AU-1.1.12.

              Added: January 2011

            • Regulated ancillary services

              Refer to any of the following categories:

              (a) Permitted services undertaken by third party administrators (TPA);
              (b) Card Processing;
              (c) Services undertaken by Credit reference bureau;
              (d) Permitted payment services provided by payment service provider (PSP);
              (e) Shari'a advisory/review services;
              (ee) Permitted activities of a crowdfunding platform operator;
              (f) Providing account information services;
              (g) Providing payment initiation services; and
              (h) Any other ancillary services that are related to the financial services industry.
              Amended: October 2019
              Added: January 2013

            • Regulated financing company service(s)

              Any of the regulated activities permitted to be undertaken by a financing company licensee outlined in Module AU_Financing Companies Paragraph AU-1.3.1.

              Added: January 2013

            • Regulated insurance services

              Any of the regulated activities permitted to be undertaken by an insurance licensee as outlined in Section AU-1.4 for Volume 3 (Insurance) of the CBB Rulebook.

              Added: January 2013

            • Regulated investment services

              Any of the following, as further defined in Volume 4 (Investment Business) Section AU-1.4:

              (a) Dealing in financial instruments as principal;
              (b) Dealing in financial instruments as agent;
              (c) Arranging deals in financial instruments;
              (d) Managing financial instruments;
              (e) Safeguarding financial instruments (i.e. custodian);
              (f) Advising on financial instruments; and
              (g) Operating a collective investment undertaking (i.e. an operator).
              Added: April 2012

            • Regulated (Islamic) banking services

              Any of the regulated activities permitted to be undertaken by a conventional bank or Islamic bank licensee as outlined in Paragraph LR-1.3.1 for Volumes 1 and 2 of the CBB Rulebook.

              Added: January 2011

            • Regulated microfinance service

              Any of the regulated activities to be undertaken by a microfinance institution licensee as outlined in Module AU_Microfinance Institutions Paragraph AU-1.2.1.

              Added: January 2014

            • Regulated money changer services

              Any of the regulated activities permitted to be undertaken by a money changer licensee as outlined in Module AU_Money Changers Paragraph AU-1.1.8.

            • Regulated representative office services

              Any of the regulated activities permitted to be undertaken by a representative office licensee as outlined in Module AU_Representative Offices Paragraph AU-1.3.1.

              Added: December 2010

            • Regulated services

              Means those financial services regulated by the CBB and more particularly defined in Regulation No 1 of 2007.

              Added: January 2011

            • Regulated specialised activities

              Any of regulated activities permitted to be undertaken by specialised licensed as outlined in their specific Module AU.

            • Relevant Authorities

              For the purposes of Module FC, relevant authority refers to the authorities listed in Rule FC-5.3.2.

              Amended: October 2014

            • Relevant Operating Expenses

              For the purposes of calculating a licensee's annual CBB license fee, relevant operating expenses are defined as the total operating expenses of the licensee concerned, as recorded in the most recent audited financial statements available, excluding the following items:

              (a) Training costs;
              (b) Charitable donations;
              (c) CBB fees paid; and
              (d) Non-executive Directors' remuneration.

            • Remuneration

              Means all types of compensation including but not limited to salary, fee and non-cash benefits such as grants of stock, stock options or pension benefits.

              Added: January 2011

            • Representative office or Representative office licensee(s)

              A person who has been granted a licence by the CBB to undertake regulated representative office services as defined in Section AU-1.3.

              Amended: December 2010

            • Representative office manager or "Rep Manager"

              A person who is responsible for the conduct of a representative office.

              Amended: January 2011
              Added: December 2010

            • Reputational risk

              Reputational risk is the potential that negative publicity regarding an institution's business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions.

              Added: April 2012

            • Retail bank

              A bank licensed in accordance with Volumes 1 or 2 of the CBB Rulebook.

          • S S

            • Senior Manager/Management

              Refers to individuals occupying the position of CEO or head of function.

            • Service level agreement(s)

              An agreement forming part of the Outsourcing Agreement between the outsourcing service provider and the licensee that outlines the standards of service to be provided by the outsourcing service provider.

              Added: April 2012

            • Shareholders

              Persons who own shares in a company.

              Amended: January 2011

            • Significant transaction

              For purposes of Module FC, in the absence of automated transaction monitoring systems, all transactions above BD 6,000 must be viewed as "significant".

            • Specialised Licensee(s)

              A person licensed under Volume 5 of the CBB Rulebook.

            • Stock liquidity ratio (for Financing companies)

              Expressed as a percentage, must be calculated on each business day and is the ratio of the sum of the licensee's liquid assets, net of deductions required under Paragraph LM-1.2.6, divided by the sum of qualifying liabilities.

              Added: January 2014

            • Subsidiary or subsidiary undertaking

              A company or other enterprise controlled by another company or enterprise (the parent or the holding company), including any other legal entity or other forms such as contractual agreements, where the licensee exercises a majority shareholding or has majority voting control by virtue of direct ownership or by proxy/nominee arrangements.

              Amended: April 2012
              Added: January 2011

            • Succession plan

              A plan developed by a licensee that would lay down the licensee's strategy with respect to succession of various senior management or board positions within the licensee.

              Added: April 2012

            • Small business(es) (SMEs)

              Corporate entities, being an unlisted or unincorporated enterprise where the reported annual sales for the consolidated group of which the firm is a part is less than BD 2 million.

              Added: January 2014

          • T T

            • Trilateral Meeting

              A meeting between a licensee, appointed expert and the CBB.

            • Trust service providers

              (to be defined at a later stage)

          • U

          • V

          • W W

            • Without delay

              The phrase without delay means, ideally, within a matter of hours of a designation by the United Nations Security Council or its relevant Sanctions Committee (e.g. the 1267 Committee, the 1988 Committee, the 1718 Sanctions Committee or the 1737 Sanctions Committee). For the purposes of S/RES/1373(2001), the phrase without delay means upon having reasonable grounds, or a reasonable basis, to suspect or believe that a person or entity is a terrorist, one who finances terrorism or a terrorist organisation. In both cases, the phrase without delay should be interpreted in the context of the need to prevent the flight or dissipation of funds or other assets which are linked to terrorists, terrorist organisations, those who finance terrorism, and to the financing of proliferation of weapons of mass destruction, and the need for global, concerted action to interdict and disrupt their flow swiftly.

              Added: October 2019

          • X

          • Y

          • Z

      • CBB Authorisation Forms

        • Form 1 Application for a License

          Click here to download the Form in PDF format.

        • Form 2 Application for Authorisation of Controller

          Click here to download the Form in PDF format.

        • Form 3 Application for Approved Person Status

          Click here to download the Form in PDF format.

        • Trust Registration or Amendment Form

          Click here to download the Form in PDF format.

      • CBB Reporting Forms

        • STR Suspicious Transaction Report

          [Deleted in July 2016]

          Deleted: July 2016
          Amended: July 2016
          Amended: October 2014
          October 2010

        • ALF Annual License Fee

          Click here to download the Form in PDF format.

        • Appendix RM-1 Cyber Security Incident Report

          Click here to download the Form in PDF format.

        • Direct Debit Authorisation Form

          Click here to download the Form in PDF format.

        • Financing Companies

          • Appendix BR-1 PIRFM — Prudential Information Return for Financing and Microfinance Institutions

            Click here to download the Appendix in Excel format.

          • Appendix BR-2 [This was deleted in October 2014]

          • Appendix BR-3 Guidelines for Completion of PIRFM

            Click here to download the Appendix in PDF format.

          • Appendix BR-4 [This was deleted in October 2014]

          • Appendix BR-5 Board and Committee Meetings

            Click here to download the Appendix in PDF format.

          • Appendix BR-6 Agreed Upon Procedures

            Click here to download the Appendix in PDF format.

          • Appendix BR-7 Connected Counterparty Exposures Report

            Click here to download the Appendix in Excel format.

          • Appendix BR-8 Guidelines for completion of Exposures to Connected Counterparties

            Click here to download the Appendix in PDF format.

          • Appendix BR-9 Report — Corporate Governance Framework

            Click here to download the Appendix in PDF format.

          • Appendix BR-11 Information Required for Annual and Interim Financial Review

            Click here to download the Appendix in Excel format.

          • Appendix BR-12 Financial Review (Islamic)

            Click here to download the Appendix in Excel format.

          • Appendix BR-14 Guidelines for Completion of Supplementary Information Form

            Click here to download the Appendix in PDF format.

          • Appendix BR-22 Continuous Professional Development Form (CPD)

            Click here to download the Appendix in PDF format.

        • [This was deleted in October 2014]

          • Appendix BR-1 [This was deleted in October 2014]

          • Appendix BR-2 [This was deleted in October 2014]

          • Appendix BR-3 [This was deleted in October 2014]

          • Appendix BR-6 [This was replaced with Appendix BR-5 in October 2014]

        • Third Party Administrators (TPAs)

          • Appendix BR-13 Sources of Revenue

            Click here to download the Appendix in PDF format.

        • Money Changers

          • FCR Insurance Coverage Return

            Click here to download the Appendix in Excel format.

      • Supplementary Information

        • BR BR CBB Reporting

          • BR-10 Appointed Experts' Report

            Click here to download the Appendix in PDF format.

        • FC FC Financial Crime

          • FC- (i) Amiri Decree Law No. 4 (2001)

            Click here to download the Appendix in PDF format.

          • FC-(i)(a) Decree Law No. 54 (2006)

            Click here to download the Appendix in PDF format.

          • FC-(i)(b) Decree Law No. 58 (2006)

            Click here to download the Appendix in PDF format.

          • FC- (ii) UN Security Council Resolution 1373 (2001)

            Click here to download the Appendix in PDF format.

          • FC- (iii) UN Security Council Resolution 1267 (1999)

            Click here to download the Appendix in PDF format.

          • FC- (iv) Examples of Suspicious Transactions

            Click here to download the Appendix in PDF format.

          • FC- (v) Guidance Notes

            Click here to download the Appendix in PDF format.

          • FC- (vi) Agreed Upon Procedures

            Click here to download the Appendix in PDF format.

        • BC BC Business Conduct

          • BC-1 Examples of APR Calculations

            Click here to download the Appendix in PDF format.

          • BC-2 Financing Companies Standard Service Charges

            Click here to download the Appendix in PDF format.

          • BC-3 Microfinance Institutions Standard Service Charges

            Click here to download the Appendix in PDF format.

        • OB Open Banking

          • Appendix OB-1 Reporting by AISP/PISP

            Please download the Appendix in PDF format.

          • Appendix OB-2 B2B and B2C Business Models

            Please download the Appendix in PDF format.

        • PD Public Disclosure

          • Appendix PD-1 Instructions for Publication of Press Releases

            Please download the Appendix in PDF format.

    • Ad-hoc Communications

      • Implementation of Ministerial Resolution No. (43) of 2024 with respect to Payments related to Commercial Transactions for Commercial Establishments_24 July 2025

        Click here to download the Letter in PDF format.

      • Cyber Security Requirements_17 July 2025

        Click here to download the Letter in PDF format.

        Click here to download the NCSC Protect Your Organization in PDF format.

      • GCC Fund Passporting Regime_4 May 2025

        Click here to download the Letter in PDF format.

        Click here to download the English Regulation in PDF format.

        Click here to download the Arabic Regulation in PDF format.

        Click here to download the English Regulatory Framework in PDF format.

        Click here to download the Arabic Regulatory Framework in PDF format.

        Click here to download the Volume 7 CIU Module in PDF format.

        Click here to download the Volume 7 GCC Module in PDF format.

      • Appointment of Data Protection Guardian_24 March 2025

        Click here to download the Letter in PDF format.

        Click here to download the English Order in PDF format.

        Click here to download the Arabic Resolution in PDF format.

      • Remote Visual Notarisation Service_13 March 2025

        Click here to download the Letter in PDF format.

        Click here to download the Arabic in PDF format.

      • New Identity Card Launch_10 March 2025

        Click here to download the Letter in PDF format.

      • New Fit and Proper Requirements Module_3 March 2025

        Click here to download the Letter in PDF format.

        Click here to download the Common Vol FP in PDF format.

      • National e-KYC_17 February 2025

        Click here to download the Letter in PDF format.

      • Implementation of Jaywan within GCCNET SWITCH Transactions_4 February 2025

        Click here to download the Letter in PDF format.

      • GCC Funds Passporting Regime_2 January 2025

        Click here to download the Letter in PDF format.

        Click here to download the Funds Passporting Framework in PDF format.

        Click here to download the Regulation for Funds Registration in PDF format.

      • Resolution No. (43) of 2024 Regarding the Conditions and Licensing Procedures of Undertaking Trustee Services_19 November 2024

        Click here to download the Letter in PDF format.

        Click here to download the English Resolution in PDF format.

        Click here to download the Arabic Resolution in PDF format.

      • Tax on Multinational Enterprises (MNEs)_16 September 2024

        Click here to download the Letter in PDF format.

      • Amendment to the Central Bank of Bahrain's Market Making Framework & Introduction of an Alternative Market Making Mechanism by Bahrain Bourse_12 August 2024

        Click here to download the Letter in PDF format.

      • Dealing with Accounts of Expatriates whose Work Permits have been Cancelled_3 July 2024

        Click here to download the Letter in PDF format.

      • WPS Reengineering Project_26 June 2024

        Click here to download the Letter in PDF format.

      • Open Banking_26 May 2024

        Click here to download the Letter in PDF format.

        Click here to download the Volume 5 BR Module in PDF format.

        Click here to download the Volume 5 OB Module in PDF format.

        Click here to download the Appendix OB-1 in PDF format.

        Click here to download the Appendix OB-2 in PDF format.

        Click here to download the BOBF Amendments in PDF format.

      • Amendments to Customer Due Diligence (CDD) Requirements_7 January 2024

        Click here to download the Letter in PDF format.

        Click here to download the Volume 5 FC Module in PDF format.

      • Point of Sales Transactions in Bahrain_19 November 2023

        Click here to download the Letter in PDF format.

      • Environmental, Social and Governance Requirements Module_5 November 2023

        Click here to download the Letter in PDF format.

        Click here to download the Common Volume ESG Module in PDF format.

      • Resolution No. (54) of 2023 with Respect to issuing a Regulation on the Rules and Procedures of Mergers and Acquisitions of Shares of Companies Listed on Exchanges Licensed by the Central Bank of Bahrain_1 November 2023

        Click here to download the Letter in PDF format.

        Click here to download the Arabic version of Resolution No. (54) for the year 2023 in PDF format.

      • Reliance on Third Parties for Customer Due Diligence_16 October 2023

        Click here to download the Letter in PDF format.

        Click here to download the Volume 5 FC Module in PDF format.

      • Issuance of the Family Office Services Module_14 Septerber 2023

        Click here to download the Letter in PDF format.

        Click here to download the Volume 5 FO Module in PDF format.

      • Amendments to Customer Due Dillgence (CDD) and Customer Onboarding Requirements_14 September 2023

        Click here to download the Letter in PDF format.

        Click here to download the Volume 5 FC Module in PDF format.

      • Two-Factor Authentication Requirements for Volume 5 – Specialised Licensees (Crowdfunding Platform Operators & PSPs)_24 July 2023

        Click here to download the Letter in PDF format.

        Click here to download the Volume 5 GR Module in PDF format.

      • Two-Factor Authentication Requirements for Volume 5 – Specialised Licensees (Financing Companies)_24 July 2023

        Click here to download the Letter in PDF format.

        Click here to download the Volume 5 OM Module in PDF format.

      • Two-Factor Authentication Requirements for Volume 5 – Specialised Licensees_24 July 2023

        Click here to download the Letter in PDF format.

        Click here to download the Volume 5 RM Module in PDF format.

      • Sub: Submission of CIUs Application_22 June 2023

        Click here to download the Letter in PDF format.

      • Government Employee Certificates issued through the National Electronic Portal_30 March 2023

        Click here to download the Letter in PDF format.

        Click here to download the User Guide in Arabic.

      • Amendments to the Credit Risk Management (CM) Module_23 February 2023

        Click here to download the Letter in PDF format.

        Click here to download the Volume 1 CM Module in PDF format.

        Click here to download the Volume 2 CM Module in PDF format.

      • Trade based Money Laundering – Guidance for all Financial Institutions_16 February 2023

        Click here to download the Letter in PDF format.

        Click here to download the Letter in Guidance Paper.

      • Amendments to the Financial Crime Module (Module FC) and Anti-Money Laundering and Combating Financial Crime Module (Module AML)_17 January 2023

        Click here to download the Letter in PDF format.

        Click here to download the FC Module in PDF format.

      • Client Money Requirements_22 November 2022

        Click here to download the Letter in PDF format.

        Click here to download the Attachment in PDF format.

      • Re: Judicial Banking Orders System (JBOS)_06 November 2022

        Click here to download the Letter in PDF format.

        Click here to download the Users Manual in PDF format.

      • Arab International Cybersecurity Summit_1 November 2022

        Click here to download the EDBS in PDF format.

        Click here to download the EDFIS in PDF format.

      • Re: Directive on Arrangements relating to Regulated Services provided by Payment Service Providers (PSPs)_25 Aug 2022

        Click here to download the Letter in PDF format.

      • Amendments to Cybersecurity Requirements_18 August 2022

        Click here to download the Letter in PDF format.

        Click here to download the Attachment in PDF format.

      • Amendments to Outsourcing Requirements

        Click here to download the Outsourcing Requirements July 21, 2022 Letter in PDF format.

        Click here to download the Outsourcing Requirements July 25, 2022 Letter in PDF format.

        Click here to download the Attachment in PDF format.

      • Reporting of Financial Impact of Covid-19_9 May 2022

        Click here to download the Letter in PDF format.

      • Issuance of new Crowdfunding Platform Operators' Regulations_28 April 2022

        Click here to download the Letter in PDF format.

        Click here to download the AU Module.

        Click here to download the BR Module.

        Click here to download the CFP.

      • Subject: Replacement of the Traditional Hard-Copy Residency Permits with Digital Residency Permits_31 March 2022

        Click here to download the Letter in PDF format.

        • Subject: Discrepancies in BCRB Reporting_11 April 2022

          Click here to download the Letter in PDF format.

        • Amendments to Requirements on Reporting Cyber Security Incidents Ancillary Service Providers_28 March 2022

          Click here to download the Letter in PDF format.

        • Amendments to Requirements on Reporting Cyber Security Incidents Money Changer Licensees_28 March 2022

          Click here to download the Letter in PDF format.

        • Issuance of the new Collective Investment Undertakings Module_24 March 2022

          Click here to download the Letter in PDF format.

          Click here to download the CIU Module.

          Click here to download the Glossary.

        • Re: Climate-Related Risks_14 March 2022

          Click here to download the Letter in PDF format.

          Click here to download the Guidance Note for CBB Licensees.

        • Re: Caps on Fees and Charges for Standard Services applicable to Microfinance Institutions_9 March 2022

          Click here to download the Letter in PDF format.

          Click here to download the Appendix BC-3 in PDF format.

        • Requirements to Enhance Representation of Payment Transactions_23 February 2022

          Click here to download the Letter in PDF format.

        • Amendments to the CBB Rulebook Volume 5 (Type 3: Financing Companies)_7 February 2022

          Click here to download the Letter in PDF format.

          Click here to download the Financing Companies Amendments in PDF format.

        • Amendments to Take-overs, Mergers and Acquisitions (TMA) Module_19 January 2022

          Click here to download the Letter in PDF format.

          Click here to download the TMA Module.

        • Subject: Climate-Related Risks_8 November 2021

          Click here to download the Letter in PDF format.

        • Enhancements to Cyber Security Requirements-Vol.5 Ancillary Services Providers_1 Nov 2021

          Click here to download the Letter in PDF format.

          Click here to download the Ancillary Service Providers GR Module.

        • Enhancements to Cyber Security Requirements-Vol.5 Money Changers_1 Nov 2021

          Click here to download the Letter in PDF format.

          Click here to download the Money Changers RM Module.

        • Amendments to the Financial Crime Module (Module FC - Vol 5)_28 Oct 2021

          Click here to download the Letter in PDF format.

          Click here to download the FC Module.

        • Issuance of Amendments to Open Banking Regulations_7 July 2021

          Click here to download the Letter in PDF format.

          Click here to download the Module Ancillary AU.

          Click here to download the Module Ancillary GR.

          Click here to download the Module Ancillary OB.

          Click here to download the Glossary.

        • WPS Project Implementation_17 June 2021

          Click here to download the Letter in PDF format.

        • Subject: Extension of Credit Instalments Deferral_27 May 2021

          Click here to download the Letter in PDF format.

        • Draft Executive Resolutions issued by the Personal Data Protection Authority_26 April 2021

          Click here to download the Letter in PDF format.

        • Merchant Fees_20 April 2021

          Click here to download the Letter in PDF format.

        • Merchant Fees on Payments to Zakat and Charity Fund_6 April 2021

          Click here to download the Letter in PDF format.

        • Re: Requirements to Enhance Representation of Paymnet Transaction Data_1 April 2021

          Click here to download the Letter in PDF format.

        • Mandating the Use of Purpose Codes for SWIFT Cross-Border Payments_17 March 2021

          Click here to download the Letter in PDF format.

          Click here to download the Purpose Codes in Arabic in PDF format.

        • Agreed-Upon Procedures of the Financial Crime ("FC") Module_3 March 2021

          Click here to download the Letter in PDF format.

        • Agreed-Upon Procedures of the Financial Crime ("FC") Module_28 February 2021

          Click here to download the Letter in PDF format.

        • Upcoming Annual General Meetings_14 February 2021

          Click here to download the Letter in PDF format.

        • Prepaid Cards_12 January 2021

          Click here to download the Letter in PDF format.

        • Mandating the Use of Purpose Codes for SWIFT Cross-Border Payments_4 January 2021

          Click here to download the Letter in PDF format.

          Click here to download the Purpose Code Logic - Internal Use in PDF format.

          Click here to download the Purpose codes - Disclosure Document in PDF format.

          Click here to download the Purpose Codes, Explanatory Notes and Examples - Internal Use in PDF format.

          Click here to download the Subscription steps for a participant to BHD service in PDF format.

        • Re: CBB Rules on Blocking/Unblocking of Customer Accounts_23 December 2020

          Click here to download the Letter in PDF format.

        • Amendments to Authorisation (AU) Module - Volume 5 Type 7: Ancillary Service Providers_21 December 2020

          Click here to download the Letter in PDF format.

        • Re: Virtual Assets - Red Flags and Indicators_30 November 2020

          Click here to download the Letter in PDF format.

          Click here to download the Guidance Paper in PDF format.

        • Re: Combating the Financing of Terrorism - Guidance for All Financial Institutions_17 November 2020

          Click here to download the Letter in PDF format.

          Click here to download the Guidance Paper in PDF format.

        • Subject: Cyber Security Risks and Threats Workshop by Visa_3 November 2020

          Click here to download the Letter in PDF format.

        • Re: Audit of Client Money and Compliance with Authorisation Module_8 October 2020

          Click here to download the Letter in PDF format.

        • Re: Fund Transfers by Customers of Payment Service Providers_8 October 2020

          Click here to download the Letter in PDF format.

        • Re: Proof of Residency Permit__29 September 2020

          Click here to download the Letter in PDF format.

          Click here to download the Proof of Residency Permit Attachment in PDF format.

        • Resolution No. (123) with respect to the Regulations and Implenting Procedures for Selling Mortgaged Properties in Public Auction_29 September 2020

          Click here to download the Letter in PDF format.

        • Re: Issuance of Contactless Payment Cards_8 Sept 2020

          Click here to download the Letter in PDF format.

        • Re: Provision of Financial Services on a Non-discriminatory Basis_26 Aug 2020

          Click here to download the Letter in PDF format.

        • Re: Exemptions from Submission of Agreed upon Procedures on PIR/PIRI/PIRFM_24 August 2020

          Click here to download the Letter in PDF format.

        • Transition from LIBOR_29 July 2020

          Click here to download the Letter in PDF format.

        • Reporting of Financial Impact of COVID-19_14 July 2020

          Click here to download the Letter in PDF format.

        • Re: Money Laundering & Terrorist Financing Risks & Practices during Covid-19_27 May 2020

          Click here to download the Letter in PDF format.

          Click here to download the Guidance Paper for Money Laundering & Terrorist Financing Risks & Practices during Covid-19 in PDF format.

        • Amendment to Operational Risk Management (OM) Module - Volume 5 Type 3: Financing Companies_18 May 2020

          Click here to download the Letter in PDF format.

        • Amendment to General Requirements (GR) Module - Volume 5 Type 7: Ancillary Service Providers_18 May 2020

          Click here to download the Letter in PDF format.

        • Amendments To The Financial Crime (FC) And High-Level Controls (HC) Modules_7 May 2020

          Click here to download the Letter in PDF format.

        • Amendments to the Financial Crime (FC) and High-Level Controls (HC) Modules_7 May 2020

          Click here to download the Letter in PDF format.

        • Amendments to the Financial Crime (FC) and High-Level Controls (HC) Modules_7 May 2020

          Click here to download the Letter in PDF format.

        • Amendments to the Financial Crime (FC) and High-Level Controls (HC) Modules_7 May 2020

          Click here to download the Letter in PDF format.

        • Financial Impact Assessment of the Six Months Instalment Deferral_26 April 2020

          Click here to download the Letter in PDF format.

          Click here to download the Spreadsheet in Excel format.

        • Directive Automatic Exchange of Information ("AEOI") - Common Reporting Standard ("CRS") and Foreign Account Tax Compliance Act ("FATCA") Reporting Window_16 April 2020

          Click here to download the Letter in PDF format.

        • Webinar on Principles and Practices of Real Estate Valuation in the Financial Services Sector_13 April 2020

          Click here to download the Letter in PDF format.

        • Webinar on Principles and Practices of Real Estate Valuation in the Financial Services Sector_13 April 2020

          Click here to download the Letter in PDF format.

        • Additional COVID-19 Precautionary Measures_8 April 2020

          Click here to download the Letter in PDF format.

        • Date Sensitive Reporting Requirements Extensions/ Exemptions under Rulebook (Volume 5)_2 April 2020

          Click here to download the Letter in PDF format.

        • Date Sensitive Reporting Requirements Extensions/ Exemptions under Rulebook (Volume 5)_2 April 2020

          Click here to download the Letter in PDF format.

        • Agreed Upon Procedures for Financial Crime Module_1 April 2020

          Click here to download the Letter in PDF format.

        • Agreed Upon Procedures for Financial Crime Module_1 April 2020

          Click here to download the Letter in PDF format.

        • Implementation Guidelines Regarding the 6 Months Deferral_24 March 2020

          Click here to download the Letter in PDF format.

        • Implementation Guidelines Regarding the 6 Months Deferral_23 March 2020

          Click here to download the Letter in PDF format.

        • Real Estate Valuation Requirements_19 March 2020

          Click here to download the Letter in PDF format.

        • Upcoming General Meetings_19 March 2020

          Click here to download the Letter in PDF format.

        • Regulatory Measures to Contain the Financial Repercussions of the Covid-19_17 March 2020

          Click here to download the Letter in PDF format.

          • Real Estate Valuation Requirements_16 March 2020

            Click here to download the Letter in PDF format.

          • Disinfection Instructions_11 March 2020

            Click here to download the Letter in PDF format.

            Click here to download the Disinfection of Public Places Guidelines in PDF format.

            Click here to download the Guidelines for Quarantine Facilities and Disinfection in PDF format.

            Click here to download the Home Quarantine and Disinfection Guidelines in PDF format.

          • Measures to Mitigate the Impact of Coronavirus on Customers_8 March 2020

            Click here to download the Letter in PDF format.

          • Sharing of Data on Financing to Small and Medium Enterprises_8 March 2020

            Click here to download the Letter in PDF format.

          • Concessionary Measures To Mitigate The Impact of Coronavirus_5 March 2020

            Click here to download the Letter in PDF format.

          • Caps on Fees for Credit Facilities Provided to Individuals_27 February 2020

            Click here to download the Letter in PDF format.

          • Removal of Prior Approval Requirement in Business and Market Conduct Module (Module BC) for Advertisements on Financial Products and Services_26 February 2020

            Click here to download the Letter in PDF format.

          • Wage Protection Scheme_13 February 2020

            Click here to download the Letter in PDF format.

          • Instructions for Publication of Press Releases Concerning Financial Results_15 January 2020

            Click here to download the Letter in PDF format.

          • Instructions for Publication of Press Releases Concerning Financial Results_14 January 2020

            Click here to download the Letter in PDF format.

          • Transition from LIBOR_14 January 2020

            Click here to download the Letter in PDF format.

          • Financial Reporting for VAT purposes_13 January 2020

            Click here to download the Letter in PDF format.

          • EDBS_e-KYC Project Implementation_12 January 2020

            Click here to download the Letter in PDF format.

          • EDBS_KH_New Requirements in HC Module_29 December 2019

            Click here to download the Letter in PDF format.

          • Local Tokenization Project for Local Debit Cards_24 October 2019

            Click here to download the Letter in PDF format.

            Click here to download the Spreadsheet in Excel format.

          • Issuance of the Amended Module TMA -Volume 6_2 October 2019

            Click here to download the Letter in PDF format.

          • Use of Monthly Flat Rate of Interest/Profit for Credit Facilities_24 September 2019

            Click here to download the Letter in PDF format.

          • SMS on Failed ATM/Point of Sale ("POS") Transactions_24 September 2019

            Click here to download the Letter in PDF format.

          • Interest charge computation on credit cards_4 September 2019

            Click here to download the Letter in PDF format.

          • EDFIS/C/73/2019 Amendments to Module FC Volume 5_29 August 2019

            Click here to download the Letter in PDF format.

          • EDBS/KH/69/2019 Amendments to Module FC Volume 5_29 August 2019

            Click here to download the Letter in PDF format.

          • Interest charge computation on credit cards_27 August 2019

            Click here to download the Letter in PDF format.

          • Issuance of the new High-Level Controls Module for Ancillary Service Providers_21 August 2019

            Click here to download the Letter in PDF format.

            Click here to download the Letter in PDF format.

            Click here to download the High-Level Controls Module in PDF format.

          • Contactless Payment Transactions_18 August 2019

            Click here to download the Letter in PDF format.

          • Proposed Requirements on Point of Sale (POS) Infrastructure_8 August 2019

            Click here to download the Letter in PDF format.

          • Wage Protection Scheme ("WPS")_22 July 2019

            Click here to download the Letter in PDF format.

          • Supplementary Information Appendix FC-(vi) Agreed-upon Procedures for fulfilling the reporting requirements in Compliance with FC Module (Financial Crime)_21 July 2019

            Click here to download the Letter in PDF format.

          • Agreed Upon Procedures for Financial Crime (FC) Module_21 July 2019

            Click here to download the Letter in PDF format.

          • Practices for charging interest on credit cards_13 June 2019

            Click here to download the Letter in PDF format.

          • Re: Open Banking - Additional Implementation Guidance_24 April 2019

            Click here to download the Letter in PDF format.

          • Exposure to controllers_25 March 2019

            Click here to download the Letter in PDF format.

          • Exposure to controllers_24 March 2019

            Click here to download the Letter in PDF format.

          • e-KYC Project Implementation_7 March 2019

            Click here to download the Letter in PDF format.

          • Amendment to Appendices BR-11 and BR-12 and the addition of a new Appendix BR-14 under CBB Rulebook Volume 5_24 February 2019

            Click here to download the letter in PDF format.

          • Regulations relating to 'Crypto-Assets'_21 February 2019

            Click here to download the Letter in PDF format.

            Click here to download the Crypto-Assets Module in PDF format.

            Click here to download the Definitions Module in PDF format.

          • Revised Form "Prudential Information Report" (PIFRM) for Financing Companies & Microfinance Institutions_21 January 2019

            Click here to download the Letter in PDF format.

            Click here to download the Appendix in Excel format.

          • Deleted

            This communication letter has been deleted as of 11th February 2019.

          • Revised Module CA: Capital Adequacy and Liquidity Requirements_20_January_2019

            Click here to download the Letter in PDF format.

            Click here to download the Module in PDF format.

          • Agreed Upon Procedures for Financial Crime (FC) Module_16 January 2019

            Click here to download the Letter in PDF format.

            Click here to download the Appendix in PDF format.

          • Agreed Upon Procedures for Module FC_15 January 2019

            Click here to download the Letter in PDF format.

            Click here to download the Appendix in PDF format.

          • Failed ATM/POS Terminal Transactions Resulting in Un-claimed Cash Resting with Licensees_30 December 2018

            Click here to download the Letter in PDF format.

          • VAT and Financial Services_25 December 2018

            Click here to download the Letter in PDF format.

          • Disclosure of information in credit card statements_24 December 2018

            Click here to download the Letter in PDF format.

          • Ad-hoc Volume 5 Ancillary AU_18 December 2018

            Click here to download the Letter in PDF format.

          • Amendments in Authorization Module (AU) of Ancillary Service Providers_18 December 2018

            Click here to download the Letter in PDF format.

          • Amendments to Payment Service Provider (PSP) requirements under Module AU Volume 5_12 December 2018

            Click here to download the Letter in PDF format.

          • Regulations relating to 'Open Banking'_6 December 2018

            Click here to download the Letter in PDF format.

          • Circular Card Rounding off Transactions_22 November 2018

            Click here to download the Letter in PDF format.

          • Amendments to the Crowdfunding Requirements under CBB Rulebook Volume 5 (Ancillary Providers)_21 November 2018

            Click here to download the Letter in PDF format.

            Click here to download the Attachment in PDF format.

            Click here to download the Attachment in PDF format.

            Click here to download the Attachment in PDF format.

          • Enabling PSPs to participate in EFTS_16 September 2018

            Click here to download the Letter in PDF format.

          • BD-USD Exchange Rate on Cards_30 August 2018

            Click here to download the Letter in PDF format.

          • Use of Rule 78 on Early Repayment of Installment Financing Facilities_30 August 2018

            Click here to download the Letter in PDF format.

          • ATM Alert_15 August 2018

            Click here to download the Letter in PDF format.

          • Interest/profit charges on credit cards_15 August 2018

            Click here to download the Letter in PDF format.

          • Failed ATM/POS Terminal Transactions Resulting in Un-Claimed Cash Resting with Licensees_31 May 2018

            Click here to download the Circular in PDF format.

          • Circular - Amendments to the Public Disclosure Module (PD)_17 May 2018

            Click here to download the Letter in PDF format.

          • Failed ATM/PoS Terminal Transactions Resulting in Un-claimed Cash Resting with Licensees_7 May 2018

            Click here to download the Letter in PDF format.

          • Amendments to the Operational Risk Management Module_29_April_2018

            Click here to download the Letter in PDF format.

          • Failed ATM/PoS Terminal Transactions Resulting in Un-claimed Cash Resting with Licensees_23 April 2018

            Please click here to download the Letter in PDF format.

          • Re: Financial Penalties_15 April 2018

            Click here to download the Letter in PDF format.

          • Implementation of Wage Protection System (WPS)_15 March 2018

            Click here to download the Letter in PDF format.

          • New Requirements in the Operational Risk Management Module (OM)_13 February 2018

            Click here to download the Letter in PDF format.

          • Failed ATM/POS Terminal Transactions Resulting in Un-claimed Cash Resting with Licensees_11 January 2018

            Please click here to download the Letter in PDF format.

          • Wage Protection System Solution — Request for Proposal_25 September 2017

            Click here to download the Letter in PDF format.

          • Incorporating of Financing and Equity Based Crowdfunding Directives into the CBB Rulebook_14 September 2017

            Click here to download the Letter in PDF format.

            Click here to download the Attachment in PDF format.

            Click here to download the Attachment in PDF format.

            Click here to download the Attachment in PDF format.

          • Amendment to the Regulatory Sandbox Framework_28 August 2017

            Click here to download the Letter in PDF format.

          • Amendments in Authorisation Module (AU) of Ancillary Service Providers_16 August 2017

            Click here to download the Letter in PDF format.

          • Conventional Financing-Based Crowdfunding Directives_8 August 2017 and Shari'a-compliant Financing-Based Crowdfunding Directives_8 August 2017

            Click here to download the Letter in PDF format.

            Click here to download the Conventional Financing-Based Crowdfunding Directives in PDF format.

            Click here to download the Shari'a-compliant Financing-Based Crowdfunding Directives in PDF format.

          • Registration of Expatriate Staff with the Labour Market Regulatory Authority (LMRA)_27 July 2017

            Click here to download the Letter in PDF format.

          • Registration of Expatriate Staff with the Labour Market Regulatory Authority_27 July 2017

            Click here to download the Letter in PDF format.

          • Protected Cell Companies_22 June 2017

            Click here to download the Letter in PDF format.

          • Investment Limited Partnerships_22 June 2017

            Click here to download the Letter in PDF format.

          • Trust Registration and Amendment Form_22 June 2017

            Click here to download the Letter in PDF format.

          • Insurance Charges and Costs for Credit Facilities and Debit/Credit Cards_21 May 2017

            Click here to download the Letter in PDF format.

          • Cyber Security Forum & Expo_25 April 2017

            Click here to download the Letter in PDF format.

          • Issuance of amended Authorisation Module of Ancillary Service Providers_8 February 2017

            Click here to download the Letter in PDF format.

          • Directive Common Reporting Standards (CRS)_30 January 2017

            Click here to download the Letter in PDF format.

          • Implementation of Resolution No. (59) of 2011 — Registration of Pledges and Liens on Securities — and its amendment Resolution No. (30) of 2015_11 January 2017

            Click here to download the Letter in PDF format.

          • Onsite Inspection Process_10 January 2017

            Click here to download the Letter in PDF format.

          • Guidelines for IFRS9 ECL Implementation by Banks and Financing Companies_28 December 2016

            Click here to download the Letter in PDF format.

          • Electronic System for Commercial Licenses launched by the Ministry of Industry Commerce & Tourism ("MOICT")_16 November 2016

            Click here to download the Letter in PDF format.

          • Newly Issued Laws — Protected Cell Companies and Investment Limited Partnerships_6 November 2016

            Click here to download the Letter in PDF format.

          • Trust Law_6 November 2016

            Click here to download the Letter in PDF format.

          • Specialized Workshop on Cyber Security in Banks & Fintech_25 October 2016

            Click here to download the Letter in PDF format.

          • New Appointment Notification_7 September 2016

            Click here to download the Letter in PDF format.

          • Implementation of Bahrain Credit Reference Bureau Code of Practice and Rules_22 August 2016

            Click here to download the Letter in PDF format.

          • US Dollar Parity Rate_4 July 2016

            Click here to download the Letter in PDF format.

          • Issuance of CRB Code of Practice_9 June 2016

            Click here to download the Letter in PDF format (Arabic).

          • Outsourcing of Functions Containing Customer Information_9 June 2016

            Click here to download the Letter in PDF format.

          • Cyber Security Risk Management_1 June 2016

            Click here to download the Letter in PDF format.

          • Cyber Attacks on Critical IT Systems and Infrastructure_11 May 2016

            Click here to download the Letter in PDF format.

          • Outsourcing of Services Containing Customers' Information_10 May 2016

            Click here to download the Letter in PDF format.

          • CBB Rulebook: Amendments to Volume 5 Related to TPAs_19 April 2016

            Click here to download the Letter in PDF format.

          • EDFIS — CBB Rulebook: Publication of Volume 5 (Specialised Licensees: Ancillary Service Providers)_15 March 2016

            Click here to download the Initial Launch Letter in PDF format.

            Click here to download Volume 5 Ancillary Service Providers Module AU in PDF format.

            Click here to download Volume 5 Ancillary Service Providers Module BR in PDF format.

            Click here to download Volume 5 Ancillary Service Providers Module GR in PDF format.

            Click here to download Volume 5 Ancillary Service Providers Glossary in PDF format.

            Click here to download Volume 5 Ancillary Service Providers Appendix BR-13 in PDF format.

          • EDBS — CBB Rulebook: Publication of Volume 5 (Specialised Licensees: Ancillary Service Providers)_15 March 2016

            Click here to download the Initial Launch Letter in PDF format.

            Click here to download Volume 5 Ancillary Service Providers Module AU in PDF format.

            Click here to download Volume 5 Ancillary Service Providers Module BR in PDF format.

            Click here to download Volume 5 Ancillary Service Providers Module GR in PDF format.

            Click here to download Volume 5 Ancillary Service Providers Glossary in PDF format.

          • CBB Volume 5 Rulebook (Specialised Licensees) Amendment to Module EN_14 March 2016

            Click here to download the Letter in PDF format.

          • CBB Volume 5 Rulebook (Specialised Licensees) Amendment to Module EN_9 March 2016

            Click here to download the Letter in PDF format.

            Click here to download the Attachment to the Letter in PDF format.

          • Amendments to the Central Bank and Financial Institutions Law No. (64) of the year 2006_29 December 2015

            Click here to download the Letter in PDF format.

          • Amendments to the Central Bank and Financial Institutions Law No. (64) of the year 2006_27 December 2015

            Click here to download the Letter in PDF format.

          • IFRS Quantitative Impact Assessment (QIA)_15 November 2015

            Click here to download the Letter in PDF format.

          • Annual Financial Statements and Interim Financial Statements — Directive Encompassing New Arrangements (Conventional)_8 September 2015

            Click here to download the Letter in PDF format.

            Click here to download Appendix BR-11 in Excel format.

          • Annual Financial Statements and Interim Financial Statements — Directive Encompassing New Arrangements (Islamic)_8 September 2015

            Click here to download the Letter in PDF format.

            Click here to download Appendix BR-12 in Excel format.

          • Credit Check Reports Requested by Pensioners_27 August 2015

            Click here to download the Letter in PDF format.

          • Adoption of an Electronic Establishment of Registration Certificate By the Ministry of Industry & Commerce_6 May 2015

            Click here to download the Letter in PDF format.

          • Women in the Financial and Banking Sector 2015_31 March 2015

            Click here to download the Letter in PDF format.

          • Women in the Financial and Banking Sector_15 March 2015

            Click here to download the Letter in PDF format.

          • Court Actions Taken Against Customers_16 February 2015

            Click here to download the Letter in PDF format.

          • Court Actions Taken Against Customers_16 February 2015

            Click here to download the Letter in PDF format.

          • Publication of Close-Out Netting Regulation_30 December 2014

            Click here to download the Letter in PDF format.

          • Changes in the Current Smart ID Cards_27 November 2014

            Click here to download the Letter in PDF format.

          • Changes in the Current Smart ID Cards_20 November 2014

            Click here to download the Letter in PDF format.

          • Upgrade of ATMS and application software that run on Windows XP_28 April 2014

            Click here to download the Letter in PDF format.

          • Training Course — Islamic Financing Instruments_22 April 2014

            Click here to download the Letter in PDF format.

          • Treatment of Interest or Profit in Suspense in the PIR and Published Financial Statements_17 April 2014

            Click here to download the Letter in PDF format.

          • Discriminatory Service Treatment Not Allowed_11 March 2014

            Click here to download the Letter in PDF format.

          • Questionnaire for significant IT Outsourcing_9 March 2014

            Click here to download the Letter in PDF format.

          • CBB Rulebook: Volume 5 Specialised Licensees (Microfinance Institutions)_21 January 2014

            Click here to download the Letter in PDF format.

          • Compliance with Resolution No. (16) 2012_26 December 2013

            Click here to download the Letter in PDF format.

            Click here to download the Resolution in PDF format.

          • Skimming Frauds at ATMs_11 December 2013

            Click here to download the Letter in PDF format.

          • (EDFIS) Foreign Account Tax Compliance Act (FATCA)_29 August 2013

            Click here to download the Letter in PDF format.

          • (EDBS) Foreign Account Tax Compliance Act (FATCA)_29 August 2013

            Click here to download the Letter in PDF format.

          • Change to the Due date and Collection Process for the Payment of Annual License Fee _ Microfinance Institutions_28 July 2013

            Click here to download the Letter in PDF format.

          • Change to the Due date and Collection Process for the Payment of Annual License Fee _ Ancillary Service Providers (Banks)_28 July 2013

            Click here to download the Letter in PDF format.

          • Change to the Due date and Collection Process for the Payment of the Annual License Fee (Trust Service Providers)_25 July 2013

            Click here to download the Letter in PDF format.

          • Change to the Due date and Collection Process for the Payment of the Annual License Fee (Ancillary Service Providers)_25 July 2013

            Click here to download the Letter in PDF format.

          • Recent cases of fraud in auto finance_24 July 2013

            Click here to download the Letter in PDF format.

          • Promotion of and participation in educational scholarships and bursaries by licensees of the CBB_3 July 2013

            Click here to download the Letter in PDF format.

          • Suspicious Transaction Reports Online System (STRs)_25 June 2013

            Click here to download the Letter in PDF format.

          • Extension of Bahrain Credit Reference Bureau ("BCRB") Services to Cover Corporates_13 June 2013

            Click here to download the Letter in PDF format.

          • Written Communications with the Banking Supervision Staff at the Central Bank of Bahrain — Use of Electronic Files_30 May 2013

            Click here to download the Letter in PDF format.

          • Electronic Submission of Returns and Analysis of Data (ESRAD)_20 May 2013

            Click here to download the Letter in PDF format.

          • CBB Rulebook: Launch of Volume 5 Common Modules for Trust Service Providers_30 April 2013

            Click here to download the Letter in PDF format.

          • The official adoption of the GCC States Identity Card_27 March 2013

            Click here to download the Letter in PDF format.

          • The official adoption of the GCC States Identity Card_24 March 2013

            Click here to download the Letter in PDF format.

          • Foreign Account Tax Compliance Act (FACTA)_19 February 2013

            Click here to download the Letter in PDF format.

          • Volume 5 CBB Rulebook: Initial Launch Specialised Licensees (Financing Companies)_12 February 2013

            Click here to download the Letter in PDF format.

          • Change in Due Date and Payment for CBB Annual License Fees_4 December 2012

            Click here to download the Letter in PDF format.

          • Change in Due Date and Payment for CBB Annual License Fees_2 December 2012

            Click here to download the Letter in PDF format.

          • Submission of Audited Financial Statements_1 November 2012

            Click here to download the Letter in PDF format.

          • Money Changers February 2012

            Click here to download the Letter in PDF format.

          • Delivery of Date Sensitive Documents at the CBB

            Click here to download the Letter in PDF format.

          • CBB Rulebook: Publication of Volume 5 (Specialised Licensees: Administrators)

            Click here to download the Letter in PDF format.

          • CBB Rulebook: Volume 5 (Specialised Licensees: Money Changers)

            Click here to download the Letter in PDF format.

          • Volume 5 CBB Rulebook: Initial Launch Specialised Licensees: Representative Office Licensees

            Click here to download the Launch Letter in PDF format.

          • Volume 5 CBB Rulebook: Initial Launch Specialised Licensees: Representative Office Licensees

            Click here to download the Launch Letter in PDF format.

          • Volume 5 Initial Launch Specialised Licensees: Money Changers

            Click here to download the Launch Letter in PDF format.

    • Archive

      • Money Changers Licensees

        • Part A

          • High Level Standards

            • HC HC Money Changers High-Level Controls Module [Version from 1 October 2010 to 31 March 2016]

              • HC-2.3.4 [Version from 1 October 2010 to 31 March 2016]

                Prior approval from the CBB is required for significant outsourcing arrangements, including all outsourcing of internal audit. Note that in all such cases, the licensee retains ultimate responsibility for the adequacy of its outsourcing function, and is required to identify the person within the licensee responsible for internal audit: this person should be an approved person (see Section AU-1.2 and Chapter RM-2).

                October 2010

              • HC-2.3.5 [Version from 1 October 2010 to 31 March 2016]

                Internal audit functions must have terms of reference that clearly indicate:

                (a)The scope and frequency of audits;
                (b)Reporting lines; and
                (c)The review and approval process applied to audits.
                October 2010

              • HC-2.3.6 [Version from 1 October 2010 to 31 March 2016]

                Paragraph HC-2.3.5 applies irrespective of whether the internal audit function is outsourced. Where it is outsourced, the CBB would expect to see these matters addressed in the contract with the outsourcing provider.

                October 2010

              • HC-2.3.7 [Version from 1 October 2010 to 31 March 2016]

                Internal audit functions must report directly to the Audit Committee or, where none exists, to the Board. They must have unrestricted access to all the appropriate records of the licensee. They must have open and regular access to the Audit Committee, the Board, the Chief Executive, and the licensee's external auditor.

                October 2010

              • HC-2.3.8 [Version from 1 October 2010 to 31 March 2016]

                Internal audit functions must have adequate staff levels with appropriate skills and knowledge, such that they can act as an effective challenge to the business. Where the function is not outsourced, the head of the function should be a senior and experienced employee. Internal audit functions must not perform other activities that compromise their independence.

                October 2010

              • HC-2.3.9 [Version from 1 October 2010 to 31 March 2016]

                The CBB would expect to see in place a formal audit plan that:

                (a) Is reviewed and approved at least annually by the Audit Committee or, where none exists, the Board;
                (b) Is risk-based, with an appropriate scoring system; and
                (c) Covers all material areas of a licensee's operations over a reasonable timescale.
                October 2010

              • HC-2.3.10 [Version from 1 October 2010 to 31 March 2016]

                Internal Audit reports should also be:

                (a) Clear and prioritised, with action points directed towards identified individuals;
                (b) Timely; and
                (c) Distributed to the Audit Committee or Board and appropriate senior management.
                October 2010

              • HC-2.3.11 [Version from 1 October 2010 to 31 March 2016]

                Licensees should also have processes in place to deal with recommendations raised by internal audit to ensure that they are:

                (a) Dealt with in a timely fashion;
                (b) Monitored until they are settled; and
                (c) Raised with senior management if they have not been adequately dealt with.
                October 2010

              • HC-2.4.3 [Version from 1 October 2010 to 31 March 2016]

                Licensees must designate an employee, of appropriate standing and resident in Bahrain, as Compliance Officer. The duties of the Compliance Officer include:

                (a) Having responsibility for oversight of the licensee's compliance with the requirements of the CBB; and
                (b) Reporting to the licensee's Board in respect of that responsibility.
                October 2010

              • HC-2.4.4 [Version from 1 October 2010 to 31 March 2016]

                The Compliance Officer is a controlled function and the requirements relating to approved persons must be met (see Chapter AU-1.2). If the scale and nature of the licensee's operations are limited, then the individual who performs the function of Compliance Officer may also take on other responsibilities, providing this does not create a potential conflict of interest. The compliance function may not be combined with the internal audit function or any operational function as they are incompatible and may create a conflict of interest.

                October 2010

              • HC-2.5 HC-2.5 Remuneration Policies [Version from 1 October 2010 to 31 March 2016]

                • HC-2.5.1 [Version from 1 October 2010 to 31 March 2016]

                  The review of Directors' remuneration must be a standing item on the licensee's Annual General Meeting agenda, and must be considered by shareholders at every Annual General Meeting. Directors' remuneration (including pension and severance arrangements) and bonuses must be clearly disclosed in the annual financial statements.

                  October 2010

                • HC-2.5.2 [Version from 1 October 2010 to 31 March 2016]

                  Directors' remuneration should also comply with all applicable laws, such as Legislative Decree No. 21 of 2001, with respect to promulgating the Commercial Companies Law.

                  October 2010

              • HC-2.6 HC-2.6 Corporate Ethics [Version from 1 October 2010 to 31 March 2016]

                • HC-2.6.1 [Version from 1 October 2010 to 31 March 2016]

                  A licensee's Board must establish and disseminate to all employees of the licensee a corporate code of conduct.

                  October 2010

                • HC-2.6.2 [Version from 1 October 2010 to 31 March 2016]

                  The code of conduct must establish standards by giving examples or expectations as regards:

                  (a) Honesty;
                  (b) Integrity;
                  (c) The avoidance or disclosure of conflicts of interest;
                  (d) Maintaining confidentiality;
                  (e) Professionalism;
                  (f) Commitment to the law and best practises; and
                  (g) Reliability.
                  October 2010

                • HC-2.6.3 [Version from 1 October 2010 to 31 March 2016]

                  The Board must ensure that policies and procedures are in place to ensure that necessary customer confidentiality is maintained.

                  October 2010

          • Business Standards

            • TC TC Money Changers Training and Competency Module

              • TC-A TC-A Introduction

                • TC-A.1 TC-A.1 Purpose

                  • Executive Summary

                    • TC-A.1.1

                      This Module presents requirements that have to be met by licensees with respect to training and competency of individuals undertaking controlled functions (i.e. approved persons).

                      October 2010

                    • TC-A.1.2

                      Module TC provides Rules and Guidance to licensees to ensure satisfactory levels of competence, in terms of an individual's knowledge, skills, experience, and professional qualifications. Licensees are required to demonstrate that individuals undertaking controlled functions are sufficiently competent, and are able to undertake their respective roles and responsibilities.

                      October 2010

                    • TC-A.1.3

                      The Rules build upon Principles 3 and 10 of the Principles of Business (see Module PB (Principles of Business)). Principle 3 (Due Skill, Care and Diligence) requires licensees to observe high standards of integrity and fair dealing, and to be honest and straightforward in its dealings with customers. Principle 9 (Adequate Resources) requires licensees to maintain adequate human, financial and other resources sufficient to run its business in an orderly manner.

                      October 2010

                    • TC-A.1.4

                      Condition 4 of the Central Bank of Bahrain's ('CBB') Licensing Conditions (Chapter AU-2.4) and Condition 1 of the Approved Persons regime (Chapter AU-3.1) impose further requirements. To satisfy Condition 4 of the CBB's Licensing Conditions, a licensees' staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of the licensee in a sound and prudent manner (AU-2.4). This condition specifies that licensees must ensure their employees meet any training and competency requirements specified by the CBB. Condition 1 of the Approved Persons Conditions (AU-3.1) sets forth the 'fit and proper' requirements in relation to competence, experience and expertise required by approved persons.

                      Amended: January 2011
                      October 2010

                  • Legal Basis

                    • TC-A.1.5

                      This Module contains the CBB's Directive (as amended from time to time) relating to Training and Competency and is issued under the powers available to the CBB under Articles 38 and 65 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all licensees (including their approved persons). Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

                      Amended: January 2011
                      October 2010

                    • TC-A.1.6

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      October 2010

                • TC-A.2 TC-A.2 Module History

                  • Evolution of the Module

                    • TC-A.2.1

                      This Module was first issued in October 2010. Any material changes that are subsequently made to this Module are annotated with the calendar quarter date in which the change is made; Chapter UG-3 provides further details on Rulebook maintenance and version control.

                    • TC-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      TC-A.1.5 01/2011 Clarified legal basis.
                           
                           
                           
                           

                  • Superseded Requirements

                    • TC-A.2.3

                      This Module does not replace any regulations or circulars in force prior to October 2010.

                      October 2010

              • TC-B TC-B Scope of Application

                • TC-B.1 TC-B.1 Scope of Application

                  • TC-B.1.1

                    This Module applies to all Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

                    October 2010

                  • TC-B.1.2

                    Persons authorised by the CBB as approved persons prior to the issuance of Module TC need not reapply for authorisation.

                    October 2010

                  • TC-B.1.3

                    The requirements of this Module apply to approved persons holding controlled functions:

                    (a) Who are employed or appointed by the licensees in connection with the licensees' regulated activities, whether under a contract of service or for services or otherwise; or
                    (b)Whose services, under an arrangement between the licensee and a third party, are placed at the disposal and under the control of the licensee.
                    October 2010

                  • TC-B.1.4

                    Licensees must satisfy the CBB that individuals performing a controlled function for it or on its behalf are suitable and competent to carry out that controlled function.

                    October 2010

                  • TC-B.1.5

                    In implementing this Module, licensees must ensure that:

                    (a) Individuals recruited by the licensees to perform a controlled function hold suitable qualifications and experience appropriate to the nature of the business;
                    (b)Individuals performing a controlled function remain competent for the work they do; and
                    (c) Individuals performing a controlled function are appropriately supervised.
                    October 2010

              • TC-1 TC-1 Recruitment and Assessing Competence

                • TC-1.1 TC-1.1 Recruitment and Appointments

                  • TC-1.1.1

                    If a licensee recruits an individual to undertake a controlled function, it must satisfy itself, where appropriate, of such individual's relevant qualifications and experience.

                    October 2010

                  • TC-1.1.2

                    A licensee proposing to recruit an individual has to satisfy itself, of his/her relevant qualifications and experience. The licensee should:

                    (a) Take into account the knowledge and skills required for the role, in addition to the nature and the level of complexity of the controlled function; and
                    (b) Take reasonable steps to obtain sufficient information about the individual's background, experience, training and qualifications.
                    October 2010

                  • TC-1.1.3

                    Individuals occupying the following controlled functions (refer to Paragraphs AU-1.2.5 to AU-1.2.10) at a licensee must be qualified and suitably experienced for their specific roles and responsibilities:

                    (a) Director;
                    (b)Chief Executive or General Manager;
                    (c) Head of function;
                    (d)Compliance officer; and
                    (e) Money Laundering Reporting Officer ('MLRO').
                    October 2010

                  • TC-1.1.4

                    A licensee must take reasonable steps to ensure that individuals holding controlled functions are sufficiently knowledgeable about their respective fields of work to be able to guide and supervise operations that fall under their responsibilities. Competence must be assessed on the basis of experience and relevant qualifications described in Appendix TC-1 as a minimum. However, the CBB reserves the right to impose a higher level of qualifications as it deems necessary.

                    October 2010

                  • Director

                    • TC-1.1.5

                      As individuals, directors of a licensee must hold professional qualifications and/or have relevant experience outlined in Appendix TC-1 as a minimum.

                      October 2010

                    • TC-1.1.6

                      The role of the director is to be accountable and responsible for the management and performance of the licensee, and is outlined in more details in Section HC-1.1.

                      October 2010

                    • TC-1.1.7

                      When taken as a whole, the board of directors of a licencee must be able to demonstrate that it has the necessary expertise, as outlined in Paragraphs HC-1.2.4 and HC-1.2.5.

                      October 2010

                  • Chief Executive or General Manager

                    • TC-1.1.8

                      Individuals holding the position of chief executive officer or equivalent at a licensee must hold relevant qualifications and relevant experience as outlined in Appendix TC-1 as a minimum.

                      October 2010

                    • TC-1.1.9

                      The chief executive officer or general manager (as appropriate) is responsible for the executive management and performance of the licensee within the framework or delegated authorities set by the Board.

                      October 2010

                  • Head of Function

                    • TC-1.1.10

                      Individuals holding the position of head of function at a licensee must hold relevant professional qualifications and experience as outlined in Appendix TC-1 as a minimum.

                      October 2010

                    • TC-1.1.11

                      Heads of functions are responsible for tracking specific functional performance goals in addition to identifying, managing, and reporting critical organisational issues upstream.

                      October 2010

                  • Compliance Officer

                    • TC-1.1.12

                      Individuals holding the position of compliance officer at a licensee must hold relevant experience and qualifications as outlined in Appendix TC-1 as a minimum.

                      October 2010

                    • TC-1.1.13

                      In accordance with Paragraph HC-2.4.3, an employee of appropriate standing must be designated by licensees for the position of compliance officer. The duties of the compliance officer include:

                      (a)Having responsibility for oversight of the licensee's compliance with the requirements of the CBB; and
                      (b)Reporting to the licensee's Board in respect of that responsibility.
                      October 2010

                  • Money Laundering Reporting Officer (MLRO)

                    • TC-1.1.14

                      Individuals holding the position of MLRO at a licensee, whose attributes and responsibilities are described more fully in Paragraphs FC-4.1.7 and FC-4.2.1, must hold relevant qualifications as outlined in Appendix TC-1 as a minimum.

                      October 2010

                • TC-1.2 TC-1.2 Assessing Competence

                  • TC-1.2.1

                    Licensees must not allow an individual to undertake or supervise controlled functions unless that individual has been assessed by the licensee as competent in accordance with this Section.

                    October 2010

                  • TC-1.2.2

                    In the case of new personnel, the licensees should ensure that they work under proper supervision. Where a person is working towards attaining a level of competence, they should be supervised by a competent person until they can demonstrate the appropriate level of competence. It is the licensees's responsibility to ensure that such arrangements are in place and working successfully.

                    October 2010

                  • TC-1.2.3

                    In determining an individual's competence, licensees may assess if the person is fit and proper in accordance with Chapter AU-3.

                    October 2010

                  • TC-1.2.4

                    Licensees will assess individuals as competent when they have demonstrated the ability to apply the knowledge and skills required to perform a specific controlled function without supervision.

                    October 2010

                  • TC-1.2.5

                    The assessment of competence will be dependent on the nature and the level of complexity of the controlled function. Such assessment of competence of new personnel may take into account the fact that an individual has been previously assessed as competent in a similar controlled function with another licensee.

                    October 2010

                  • TC-1.2.6

                    If a licensee assesses an individual as competent in accordance with TC-1.2.4 to perform a specific controlled function it does not necessarily mean that the individual is competent to undertake other controlled functions.

                    October 2010

                  • TC-1.2.7

                    A firm should use methods of assessment that are appropriate to the controlled function and to the individual's role.

                    October 2010

              • TC-2 TC-2 Training and Maintaining Competence

                • TC-2.1 TC-2.1 Training and Supervision

                  • TC-2.1.1

                    A licensee must annually determine the training needs of individuals undertaking controlled functions. It must develop a training plan to address these needs and ensure that training is planned, appropriately structured and evaluated.

                    October 2010

                  • TC-2.1.2

                    The assessment and training plan described in Paragraph TC-2.1.1 should be aimed at ensuring that the relevant approved person maintains competence in the controlled function. Training does not necessarily just imply attendance of courses. An individual can develop skills and gain experience in a variety of ways. These could include on the job learning, individual study, and other methods. In almost every situation, and for most individuals, it is likely that competence will be developed most effectively by a mixture of training methods.

                    October 2010

                  • TC-2.1.3

                    The training plan of licensees must include a programme for continuous professional development training ("CPD") for their personnel.

                    October 2010

                  • TC-2.1.4

                    Approved persons may choose to fulfil their CPD requirements by attending courses and seminars at local or foreign training institutions.

                    October 2010

                  • TC-2.1.5

                    The annual training needs assessment required under Paragraph TC-2.1.1 must also consider quarterly updates, if any, to the CBB Volume 5 (Specialised Licensees) Rulebook, in areas relevant to each controlled function.

                    October 2010

                  • TC-2.1.6

                    Individuals holding the controlled functions of compliance officer and MLRO at a licensee must undergo a minimum of 15 hours of CPD per annum.

                    October 2010

                  • TC-2.1.7

                    A licensee should ensure that an approved person undertaking a controlled function undergoes appropriate review and assessment of performance.

                    October 2010

                  • TC-2.1.8

                    The level of review and assessment should be proportionate to the level of competence demonstrated by the approved person. Review and assessment should take place on a regular basis and include coaching and assessing performance against the competencies necessary for the role.

                    October 2010

                  • TC-2.1.9

                    Assessors of approved persons should have technical knowledge and relevant skills, e.g. coaching and assessment skills.

                    October 2010

                • TC-2.2 TC-2.2 Maintaining Competence

                  • TC-2.2.1

                    A licensee must make appropriate arrangements to ensure that approved persons maintain competence.

                    October 2010

                  • TC-2.2.2

                    A licensee should ensure that maintaining competence for an approved person takes into account:

                    (a) Application of technical knowledge;
                    (b) Application and development of skills; and
                    (c) Any market changes and changes to products, legislation and regulation.
                    October 2010

                  • TC-2.2.3

                    A licensee may utilise the CPD schemes of relevant professional bodies to demonstrate compliance with TC-2.2.1. In-house training, seminars, conferences, further qualifications, product presentations, computer-based training and one-to-one tuition may also be considered to demonstrate compliance with TC-2.2.1.

                    October 2010

              • TC-3 TC-3 Record Keeping

                • TC-3.1 TC-3.1 Record Keeping

                  • TC-3.1.1

                    A licensee must make and retain records of its recruitment procedures. Such procedures should be designed to adequately take into account proof of the candidates' knowledge and skills and their previous activities and training.

                    October 2010

                  • TC-3.1.2

                    The recruitment record keeping procedure should include, but is not limited to, the following:

                    (a) Results of the initial screening;
                    (b) Results of any employment tests;
                    (c) Results and details of any interviews conducted;
                    (d) Background and references checks; and
                    (e) Details of any professional qualifications.
                    October 2010

                  • TC-3.1.3

                    A licensee should make and retain updated records of:

                    (a)The criteria applied in assessing the ongoing and continuing competence;
                    (b)How and when the competence decision was arrived at;
                    (c)The annual assessment of competence; and
                    (d)Record of CPD hours undertaken by each approved person.
                    October 2010

                  • TC-3.1.4

                    A licensee should make and retain records of:

                    (a)The annual training plan for all controlled functions;
                    (b)Materials used to conduct in-house training courses;
                    (c)List of participants attending such in-house training courses; and
                    (d)Results of evaluations conducted at the end of such training courses.
                    October 2010

                  • TC-3.1.5

                    Licensees should maintain appropriate training records for each individual. Licensees should note how the relevant training relates to and supports the individual's role. Training records may be reviewed during supervisory visits to assess the licensee's systems and to review how the licensee ensures that its staff are competent and remain competent for their roles.

                    October 2010

              • TC-4 TC-4 Transitional Provisions

                • TC-4.1 TC-4.1 Transitional Period

                  • TC-4.1.1

                    The requirements of Module TC for licensees are effective 31st December 2010.

                    October 2010

                  • TC-4.1.2

                    Where approved persons holding controlled functions are occupying positions within the licensee and do not meet the qualifications and core competencies outlined in Appendix TC-1 at the time of the issuance of Module TC, the licensee must ensure that such individuals will meet the requirements of Module TC by 31st December 2011 at the latest.

                    October 2010

              • Appendices: Appendix TC-1

                • Qualifications and Core Competencies of Controlled Functions

                  Role Core Competencies How can competence be demonstrated?
                  Director Directors should have:
                  (a) Experience to demonstrate sound business decision-making; and
                  (b) A good understanding of the industry and its regulatory environment.
                  This person should be experienced in the industry. Competence could be demonstrated by:
                  (a) Holding a relevant professional qualification; or
                  (b) A minimum length of service (at least 5 years at director or senior management level) in the financial industry.
                  Chief Executive or General Manager These roles require:
                  (a) A clear understanding of the role and responsibilities associated with this position;
                  (b) A good understanding of the licensee's business, the broader industry and its regulatory environment; and
                  (c) The relevant experience and qualifications associated with any executive responsibilities.
                  This person should be experienced in the industry. Competence could be demonstrated by:
                  (a) Holding a relevant professional qualification; or
                  (b) A minimum length of service (at least 5 years at a relatively senior position) in the financial industry.
                  Head of Function This role requires:
                  (a) A clear understanding of the role and responsibilities associated with the relevant function;
                  (b) A good understanding of the licensee's business, the broader industry and its regulatory environment; and
                  (c) The relevant experience and qualifications to fulfill their responsibilities.
                  A senior manager responsible for a specialist function should demonstrate the competencies required for that role.
                  (a) The person must have area specific experience/qualifications as required for head of function. These include accounting qualifications for financial managers, Bachelors degree in banking or finance, MBA, etc. and/or
                  (b) The head of function should have at least 5 years of experience in the industry and will typically hold, or be working towards, a relevant professional qualification as appropriate to the controlled function.
                  Compliance Officer A Compliance Officer should:
                  (a) Have the ability and experience to take responsibility for implementing and maintaining compliance policies;
                  (b) Have the appropriate level of experience to demonstrate independence from other functions within the licensee; and
                  (c) Have a thorough understanding of the industry and the applicable regulatory framework.
                  The level of required competence varies based on the scope, magnitude and complexity of the licensee.
                  The person should have a minimum of 2 years of relevant experience in a compliance function of a financial institution.

                  Additional relevant certifications may include:
                  (a) Diploma in International Compliance offered by the International Compliance Association; and/or
                  (b) Other relevant professional qualification.
                  Money
                  Laundering
                  Reporting
                  Officer
                  (MLRO)
                  The MLRO should:
                  (a) Understand the business and how the Anti Money Laundering framework applies thereto; and
                  (b) Have the appropriate level of experience to demonstrate independence from staff of the licensee dealing directly with customers.
                  An MLRO will typically hold a relevant professional qualification and / or a qualification related to the financial activities. These may include:
                  (a) Certified Anti-Money Laundering Specialist Examination (ACAMS);
                  (b) Other relevant MLRO programs; and/or
                  (c) Diploma in International Compliance offered by the International Compliance Association.
                  Additionally, he must have undergone training in anti money laundering, in a recognized institute. The initial training must be for a period of 35 hours or more.

                  MLROs should have thorough knowledge of the financial institutions industry and be familiar with relevant international standards and applicable domestic regulatory requirements.
                  October 2010

      • Financing Companies

        • Part A

          • Business Standards

            • TC TC Financing Companies Training and Competency Module

              • TC-A TC-A Introduction

                • TC-A.1 TC-A.1 Purpose

                  • Executive Summary

                    • TC-A.1.1

                      This Module presents requirements that have to be met by financing company licensees with respect to training and competency of individuals undertaking controlled functions (i.e. approved persons) (as defined in Paragraph AU-1.2.2)

                      January 2014

                    • TC-A.1.2

                      Module TC provides Rules and Guidance to financing company licencees to ensure satisfactory levels of competence, in terms of an individual's knowledge, skills, experience, and professional qualifications. Financing company licencees must maintain the competence to provide regulated financing company services as outlined in Section AU-1.3. Individuals occupying controlled functions, as outlined in Paragraph AU-1.2.2, must therefore meet minimum levels of training and experience related to their functions.

                      January 2014

                    • TC-A.1.3

                      The Rules build upon Principles 3 and 9 of the Principles of Business (see Module PB (Principles of Business)). Principle 3 (Due Skill, Care and Diligence) requires financing company licensees to observe high standards of integrity and fair dealing, and to be honest and straightforward in its dealings with customers. Principle 9 (Adequate Resources) requires financing company licensees to maintain adequate human, financial and other resources sufficient to run its business in an orderly manner.

                      January 2014

                    • TC-A.1.4

                      Condition 4 of CBB's Licensing Conditions (Chapter AU-2.4) and Condition 1 of the Approved Persons regime (Chapter AU-3.1) impose further requirements. To satisfy Condition 4 of the CBB's Licensing Conditions, a financing company licensee's staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of the financing company licensee in a sound and prudent manner (AU-2.4). This condition specifies that financing company licensees must ensure their employees meet any training and competency requirements specified by the CBB. Condition 1 of the Approved Persons Conditions (AU-3.1) sets forth the 'fit and proper' requirements in relation to competence, experience and expertise required by approved persons.

                      January 2014

                  • Legal Basis

                    • TC-A.1.5

                      This Module contains the CBB's Directive relating to Training and Competency and is issued under the powers available to the CBB under Articles 38 and 65(b) of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all financing company licensees (including their approved persons).

                      January 2014

                    • TC-A.1.6

                      For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                      January 2014

                • TC-A.2 TC-A.2 Module History

                  • Evolution of the Module

                    • TC-A.2.1

                      This Module was first issued in January 2014. Any material changes that are subsequently made to this Module will be annotated with the calendar quarter date in which the change is made; Chapter UG-3 provides further details on Rulebook maintenance and version control.

                      January 2014

                    • TC-A.2.2

                      A list of recent changes made to this Module is provided below:

                      Module Ref. Change Date Description of Changes
                      TC-B.1.3 07/2014 Clarified scope of application.
                      TC-2.3.3 04/2017 Amended Paragraph on exception to the grandfathering Rule.
                           
                           
                           

                  • Superseded Requirements

                    • TC-A.2.3

                      This Module does not replace any regulations or circulars in force prior to January 2014.

                      January 2014

              • TC-B TC-B Scope of Application

                • TC-B.1 TC-B.1 Scope

                  • TC-B.1.1

                    This Module applies to all financing company licensees authorised in the Kingdom, thereafter referred to in this Module as licensees. It covers the training and competency requirements for staff occupying controlled functions (See Chapter TC-1).

                    January 2014

                  • TC-B.1.2

                    Persons authorised by the CBB as approved persons prior to the issuance of Module TC need not reapply for authorisation.

                    January 2014

                  • TC-B.1.3

                    The requirements of this Module apply to approved persons holding controlled functions, including board members, in connection with the licensee's regulated financing company services, or under a contract of service.

                    Amended: July 2014
                    January 2014

                  • TC-B.1.4

                    In the case of outsourcing arrangements, the licensee should refer to the competency requirements, outlined in Appendix TC-1 for controlled functions, for assessing the suitability of the outsourcing provider.

                    January 2014

                  • TC-B.1.5

                    Licensees must satisfy the CBB that individuals performing a controlled function for it or on its behalf are suitable and competent to carry on that controlled function.

                    January 2014

                  • TC-B.1.6

                    In implementing this Module, licensees must ensure that individuals recruited to perform controlled functions:

                    (a) Hold suitable qualifications and experience appropriate to the nature of the business;
                    (b) Remain competent for the work they do; and
                    (c) Are appropriately supervised.
                    January 2014

              • TC-1 TC-1 Requirements for Controlled Functions

                • TC-1.1 TC-1.1 Controlled Functions

                  • TC-1.1.1

                    Individuals occupying controlled functions (refer to Section AU-1.2) in a licensee must be qualified and suitably experienced for their specific roles and responsibilities. The controlled functions are those of:

                    (a) Board Member;
                    (b) Chief Executive or General Manager;
                    (c) Head of function;
                    (d) Compliance Officer;
                    (e) Money Laundering Reporting Officer ('MLRO'); and
                    (f) Head of Shari'a Review
                    January 2014

                  • TC-1.1.2

                    A licensee must take reasonable steps to ensure that individuals holding controlled functions are sufficiently knowledgeable about their respective fields of work to be able to guide and supervise operations that fall under their responsibilities.

                    January 2014

                  • TC-1.1.3

                    Competence is assessed by the CBB on the basis of experience and relevant qualifications described in Appendix TC-1 as a minimum. However, the CBB reserves the right to impose a higher level of qualifications as it deems necessary.

                    January 2014

                  • Board Member

                    • TC-1.1.4

                      Board Members collectively are responsible for the business performance and strategy of the licensee, as outlined in more details in Section HC-1.2.

                      January 2014

                    • TC-1.1.5

                      When taken as a whole, the board of directors of a licensee must be able to demonstrate that it has the necessary skills and expertise, as outlined in Paragraph HC-1.2.10.

                      January 2014

                  • Chief Executive or General Manager

                    • TC-1.1.6

                      The chief executive or general manager (as appropriate) are responsible for the executive management and performance of the licensee within the framework or delegated authorities set by the Board. The scope of authority of the CEO is outlined in more detail in Paragraph HC-6.3.2 (a).

                      January 2014

                  • Head of Function

                    • TC-1.1.7

                      Heads of function, where risk acquisition or control is involved, are responsible for tracking specific functional performance goals in addition to identifying, managing, and reporting critical organisational issues upstream. Certain functions require dealing directly with clients while others do not. Both categories of functions, however, require specific qualifications and experience to meet the objectives as well as compliance requirements of the financing company licensee.

                      January 2014

                    • TC-1.1.8

                      For purposes of Paragraph TC-1.1.7, licensees should contact the CBB should they require further clarification on whether a specific position falls under the definition of "Heads of Function".

                      January 2014

                  • Compliance Officer

                    • TC-1.1.9

                      In accordance with Paragraph AU-1.2.12, an employee of appropriate standing must be designated by the licensee for the position of compliance officer. The duties of the compliance officer include:

                      (a) Having responsibility for oversight of the licensee s compliance with the requirements of the CBB and other applicable laws and regulations;
                      (b) Raising awareness and providing training for the licensee s staff on compliance issues; and
                      (c) Reporting to the licensee s Board in respect of that responsibility.
                      January 2014

                  • Money Laundering Reporting Officer (MLRO)

                    • TC-1.1.10

                      The attributes and responsibilities of the MLRO are described more fully in Paragraphs FC-4.1.7 and FC-4.2.1.

                      January 2014

                  • Head of Shari'a Review

                    • TC-1.1.11

                      The head of Shari'a review in a licensee, dealing with Islamic products and services, is responsible for the examination of the extent of a licensee's compliance, in all its activities, with the Shari'a. This examination includes contracts, agreements, policies, products, transactions memorandum and articles of association, financial statements, reports (especially internal audit and central bank inspection), circulars, etc. The objective of the Shari'a review is to ensure that the activities carried out by a licensee do not contravene the Shari'a.

                      January 2014

                • TC-1.2 TC-1.2 Continuous Professional Development Training ("CPD")

                  • CPD

                    • TC-1.2.1

                      All individuals holding controlled functions in a licensee must undergo a minimum of 15 hours of CPD per annum.

                      January 2014

                    • TC-1.2.2

                      A licensee must ensure that an approved person undertaking a controlled function undergoes appropriate annual review and assessment of performance.

                      January 2014

                    • TC-1.2.3

                      The level of supervision should be proportionate to the level of competence demonstrated by the approved person. Supervision will include, as appropriate:

                      (a) Reviewing and assessing work on a regular basis; and
                      (b) Coaching and assessing performance against the competencies necessary for the role.
                      January 2014

                    • TC-1.2.4

                      Supervisors of approved persons should have technical knowledge and relevant managerial skills.

                      January 2014

                  • Record Keeping

                    • TC-1.2.5

                      A licensee should, for a minimum period of five years, retain records of:

                      (a) The annual training plan for each controlled function;
                      (b) Materials used to conduct in-house training courses;
                      (c) List of participants attending such in-house training courses; and
                      (d) Results of evaluations conducted at the end of such training courses.
                      January 2014

              • TC-2 TC-2 General Requirements

                • TC-2.1 TC-2.1 Recruitment and Assessing Competence

                  • Recruitment and Appointment

                    • TC-2.1.1

                      If a licensee recruits or promotes an individual to undertake a controlled function, it must first file Form 3 (Approved Persons) with the CBB and obtain the express written approval of the CBB for that person to occupy the desired position. In its application, the licensee must demonstrate to the CBB that full consideration has been given to the qualifications and core competencies for controlled functions in Appendix TC-1. (See Article 65(b) of the CBB Law and Paragraph AU-2.3.1).

                      January 2014

                    • TC-2.1.2

                      Licensees should refer to Module AU (Authorisation) providing detailed requirements on the appointment of individuals occupying controlled functions (approved persons).

                      January 2014

                    • TC-2.1.3

                      A licensee proposing to recruit an individual has to satisfy itself, of his/her relevant qualifications and experience. The licensee should:

                      (a) Take into account the knowledge and skills required for the role, in addition to the nature and the level of complexity of the controlled function; and
                      (b) Take reasonable steps to obtain sufficient information about the individual's background, experience, training and qualifications.
                      January 2014

                    • TC-2.1.4

                      The licensee must retain the recruitment records of controlled functions for a minimum period of five years following termination of their services or employment with the licensee. Such records must include, but are not limited to, the following:

                      (a) Results of the initial screening;
                      (b) Results of any employment tests;
                      (c) Results and details of any interviews conducted;
                      (d) Background and references checks; and
                      (e) Details of any professional qualifications.
                      January 2014

                  • Assessing Competence

                    • TC-2.1.5

                      Licensees must not allow an individual to undertake or supervise controlled functions unless that individual has been assessed by the licensee as competent in accordance with this Section.

                      January 2014

                    • TC-2.1.6

                      In the case of new personnel, the licensee should ensure that they work under proper supervision. Where a person is working towards attaining a level of competence, they should be supervised by a competent person until they can demonstrate the appropriate level of competence. It is the licensee's responsibility to ensure that such arrangements are in place and working successfully.

                      January 2014

                    • TC-2.1.7

                      In determining an individual's competence, licensees may assess if the person is fit and proper in accordance with Chapter AU-3.

                      January 2014

                    • TC-2.1.8

                      Licensees must assess individuals as competent when they have demonstrated the ability to apply the knowledge and skills required to perform a specific controlled function.

                      January 2014

                    • TC-2.1.9

                      The assessment of competence will be dependent on the nature and the level of complexity of the controlled function. Such assessment of competence of new personnel may take into account the fact that an individual has been previously assessed as competent in a similar controlled function with another licensee.

                      January 2014

                    • TC-2.1.10

                      If a licensee assesses an individual as competent in accordance with Paragraph TC-2.1.8 to perform a specific controlled function, it does not necessarily mean that the individual is competent to undertake other controlled functions.

                      January 2014

                    • TC-2.1.11

                      A financing company should use methods of assessment that are appropriate to the controlled function and to the individual's role.

                      January 2014

                  • Record Keeping

                    • TC-2.1.12

                      A licensee must, for a minimum period of five years, make and retain updated records of:

                      (a) Its recruitment procedures;
                      (b) The criteria applied in assessing competence; and
                      (c) How and when the competence decision was arrived at.
                      January 2014

                    • TC-2.1.13

                      For purposes of Paragraph TC-2.1.12, the record keeping requirements apply to both current employees as well as to employees following termination of their services or employment with the company, for a minimum period of five years.

                      January 2014

                    • TC-2.1.14

                      The recruitement procedures referred to in Subparagraph TC-2.1.12(a) should be designed to adequately take into account proof of the candidates' knowledge and skills and their previous activities and training.

                      January 2014

                • TC-2.2 TC-2.2 Training and Maintaining Competence

                  • TC-2.2.1

                    A licensee must annually determine the training needs of individuals undertaking controlled functions. It must develop a training plan to address these needs and ensure that training is planned, appropriately structured and evaluated.

                    January 2014

                  • TC-2.2.2

                    The assessment and training plan described in Paragraph TC-2.2.1 should be aimed at ensuring that the relevant approved person maintains competence in the controlled function. An individual can develop skills and gain experience in a variety of ways. These could include on-the-job learning, individual study, and other methods. In almost every situation, and for most individuals, it is likely that competence will be developed most effectively by a mixture of training methods.

                    January 2014

                  • TC-2.2.3

                    The training plan of licensees must include a programme for continuous professional development training ('CPD') for their staff.

                    January 2014

                  • TC-2.2.4

                    Approved persons may choose to fulfil their CPD requirements by attending courses, workshops, conferences and seminars at local or foreign training institutions.

                    January 2014

                  • TC-2.2.5

                    The annual training required under Paragraph TC-2.2.1 must also include the quarterly updates, if any, to the CBB Volume 5 (Financing Companies) Rulebook, in areas relevant to each controlled function.

                    January 2014

                  • TC-2.2.6

                    Licensees should maintain appropriate training records for each individual. Licensees should note how the relevant training relates to and supports the individual's role. Training records may be reviewed during supervisory visits to assess the licensee's systems and to review how the licensee ensures that its staff are competent and remain competent for their roles.

                    January 2014

                  • Maintaining Competence

                    • TC-2.2.7

                      A licensee must make appropriate arrangements to ensure that approved persons maintain competence.

                      January 2014

                    • TC-2.2.8

                      A licensee should ensure that maintaining competence for an approved person takes into account:

                      (a) Application of technical knowledge;
                      (b) Application and development of skills; and
                      (c) Any market changes and changes to products, legislation and regulation.
                      January 2014

                    • TC-2.2.9

                      A licensee may utilise the CPD schemes of relevant professional bodies to demonstrate compliance with Paragraph TC-2.2.1. In-house training, seminars, conferences, further qualifications, product presentations, computer-based training and one-to-one tuition may also be considered to demonstrate compliance with Paragraph TC-2.2.1.

                      January 2014

                  • Record Keeping

                    • TC-2.2.10

                      A licensee must, for a minimum period of five years, make and retain records of:

                      (a) The criteria applied in assessing continuing competence;
                      (b) The annual assessment of competence; and
                      (c) Record of CPD hours undertaken by each approved person.
                      January 2014

                • TC-2.3 TC-2.3 Transitional Period

                  • TC-2.3.1

                    The requirements of this Module for licensees are effective from the issuance date of this Module.

                    January 2014

                  • TC-2.3.2

                    New applications for approved persons are subject to the requirements of this Module (See Paragraph TC-B.1.3).

                    January 2014

                  • TC-2.3.3

                    Approved persons occupying controlled functions at the time this Module is issued will be grandfathered and not subject to the requirements of this Module, with the exception of CPD requirements in Paragraph TC-1.2.1 and Paragraph BR-1.1.2(k). However, should the approved person move to another controlled function, Paragraph TC-2.3.4 will apply.

                    Amended: April 2017
                    January 2014

                  • TC-2.3.4

                    In instances, where an approved person in one licensee moves to another licensee and occupies the same function, the CBB will exercise its discretion on whether to grandfather such approved person from the required qualifications and competencies outlined in Appendix TC-1 into the new licensee. The grandfathering criteria used by the CBB will include a comparison of the scope and size of both positions. This will also apply in instances where an approved person in one licensee moves from one department to another within the same licensee.

                    January 2014

              • Appendix TC-1

                • Appendix TC-1 Qualifications and Core Competencies of Controlled Functions

                  Role Core Competencies How can competence be demonstrated?
                  Board Member Board Members must have:
                  (a) Sufficient experience to demonstrate sound business decision-making; and
                  (b) A good understanding of the industry and its regulatory environment.
                  Competence is demonstrated by:
                  (a)
                  (i) Holding a Bachelor's Degree; and
                  (ii) A minimum experience of 7 years in business or government of which at least 4 years at a senior management level;

                  OR
                  (b) A minimum experience of 10 years in business
                  Chief Executive or General Manager These roles require:
                  (a) A clear understanding of the role and responsibilities associated with this position;
                  (b) A good understanding of the licensee's business, the wider industry and its regulatory environment;
                  (c) Relevant experience and qualifications associated with such executive responsibilities; and
                  (d) The necessary professional and leadership capabilities which qualify him for this position.
                  This person should have a minimum experience of 10 years in the financial sector of which at least 7 years at a senior management level in a bank or finance company. He/she should hold a relevant academic/professional qualification, preferably MBA, Masters in finance/accounting/economics or masters in any other subject, or preferably other qualification related to banking, accounting or finance.
                  Head of Function This role requires:
                  (a) A clear understanding of the role and responsibilities associated with the relevant function;
                  (b) A good understanding of the licensee's business, the broader industry and its regulatory environment; and
                  (c) The relevant experience and qualifications to fulfill their responsibilities.
                  A senior manager responsible for a specialist function should have a minimum experience of 7 years in the banking/financial industry of which at least 5 years of experience in the same function that he/she will be heading. He/she should:
                  (a) Hold a relevant academic/professional qualification, preferably MBA, Masters in finance/accounting/economics or masters in any other subject, and preferably other qualification related to banking/accounting; and
                  (b) Have other relevant certification(s) specific to this role. Such certifications may, depending on the function being fulfilled, include but are not limited to:
                  (a) Chartered Financial Analyst (CFA);
                  (b) Certificate in Securities and Financial Derivatives;
                  (c) Certificate in Investment Management;
                  (d) Professional Certification in Accounting; and/or
                  (e) Equivalent certificates or qualifications; and/or
                  (f) Advanced Diploma in Banking/ Islamic Finance or Financial Advisory Program from the BIBF or other institutions.
                  Compliance Officer A Compliance Officer should:
                  (a) Have the ability and experience to take responsibility for implementing and maintaining compliance policies;
                  (b) Have the appropriate level of experience to demonstrate independence from other functions within the licensee; and
                  (c) Have a thorough understanding of the industry and the applicable regulatory framework.
                  The level of required competence varies based on the scope, magnitude and complexity of the licensee.
                  The Compliance Officer should have a minimum of 3 years relevant experience in a bank, financial institution or financial regulator. He/she should:
                  (a) Hold a degree from a university at bachelor level or higher or a relevant professional qualification in compliance; and
                  (b) Have relevant certification(s) specific to this role. Such certifications may include but are not limited to:
                  (i) International Diploma in Compliance offered by the International Compliance Association; and/or
                  (ii) International Advanced Certificate in Compliance and Financial Crime offered by the International Compliance Association; and/or
                  (iii) Any other relevant professional qualification deemed suitable by the CBB. These may include qualifications in areas related to the license.
                  Money Laundering Reporting Officer (MLRO) The MLRO should:
                  (a) Understand the business and how the Anti-Money Laundering framework applies thereto;
                  (b) Have the appropriate level of experience to demonstrate independence from staff of the licensee dealing directly with customers; and
                  (c) Have a thorough knowledge of the financial industry and be familiar with relevant FATF and applicable domestic regulatory requirements.
                  An MLRO should have a minimum experience of 3 years in anti-money laundering or anti-money laundering related role. The MLRO should:
                  (a) Hold a degree from a university at bachelor level or higher or a relevant professional qualification; and
                  (b) Have relevant certification(s) specific to this role. Such certifications may include but are not limited to:
                  (i) Certified Anti-Money Laundering Specialist Examination (ACAMS); and/ or
                  (ii) Diploma in Anti-Money Laundering offered by the International Compliance Association; and/ or
                  (iii) International Diploma in Financial Crime Prevention offered by International Compliance Association; and/or
                  (iv) International Advanced Certificate in Compliance and Financial Crime offered by the International Compliance Association.
                  Head of Shari'a Review A Head of Shari'a Review should:
                  (a) Have appropriate level of knowledge in Islamic Finance and Shari'a principles;
                  (b) Have a good understanding of the banking/financial industry and possess good knowledge of economics and finance; and
                  (c) Understand how to interpret financial statements.
                  The Head of Shari'a Review should have a minimum of 5 years relevant experience in a bank or financial institution dealing with Islamic products and services. He/she should:
                  (a) Hold a bachelor's degree in Shari'a, which includes study in Usul Fiqh (the origin of Islamic law) and/or Fiqh Muamalat (Islamic jurisprudence) or;
                  (b) Hold a university degree in banking and finance together with a qualification in Shari'a review.
                  January 2014

      • Representative Offices [April 2008]

        Click here for a copy of the Application for a Representative Office License in PDF format.