Entire Section | Rulebook

Back

Custom print

Link

Text Only

Rich Text

Type 1: Type 1: Money Changers Licensees

Part A Part A

High Level Standards

AU AU Money Changers Authorisation Module

AU-A AU-A Introduction

AU-A.1 AU-A.1 Purpose

Executive Summary

AU-A.1.1
The Authorisation Module sets out the Central Bank of Bahrain's ('CBB') approach to licensing providers of regulated money changer services in the Kingdom of Bahrain. It also sets out CBB requirements for approving persons undertaking key functions in those providers.

Amended: January 2011
October 2010

AU-A.1.2
Persons undertaking certain functions in relation to licensees require prior CBB approval. These functions (called 'controlled functions') include Directors and members of senior management. The controlled functions regime supplements the licensing regime by ensuring that key persons involved in the running of licensees are fit and proper. Those authorised by the CBB to undertake controlled functions are called approved persons.

October 2010

Retaining Authorised Status

AU-A.1.3
The requirements set out in Chapters AU-2 and AU-3 represent the minimum conditions that have to be met in each case, both at the point of authorisation and on an on-going basis thereafter, in order for authorised status to be retained.

October 2010

Legal Basis

AU-A.1.4
This Module contains the CBB's Directive, Regulations and Resolutions (as amended from time to time) regarding authorisation under Volume 5 (Specialised Licensees) of the CBB Rulebook. It is applicable to all licensees (as well as to approved persons), and is issued under the powers available to the CBB under Articles 37 to 42, 44 to 48 and 180 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regarding regulated money changer services as per Article 39 (see Paragraph AU-1.1.8), licensing conditions as per Article 44 (see Chapter AU-2) and licensing fees as per Article 180 (see Chapter AU-5) are also included in Regulations and Resolutions and included in this Module. The Module also contains requirements governing the conditions of granting a license for the provision of regulated services as prescribed under Resolution No.(43) of 2011 and issued under the powers available to the CBB under Article 44(c). The Module contains requirements under Resolution No.(16) for the year 2012 including the prohibition of marketing financial services pursuant to Article 42 of the CBB Law. Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module. This Module contains the prior approval requirements for approved persons under Resolution No (23) of 2015.

Amended: July 2015
Amended: January 2013
Amended: April 2012
Amended: January 2011
October 2010

AU-A.1.5
Approved Persons are individuals holding certain specified positions at CBB licensees; they must be approved by the CBB prior to taking on those positions and must demonstrate that they are fit and proper. The list of positions subject to the CBB's Approved Persons regime vary according to the CBB license Category, but generally cover directors and senior management, as well as certain other positions. Approved Persons requirements are specified in the relevant Rulebook Volume for the license Category in question.

October 2010

AU-A.1.6
For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

October 2010

AU-A.2 AU-A.2 Module History

Evolution of Module

AU-A.2.1
This Module was first issued in October 2010. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made. UG-3 provides further details on Rulebook maintenance and version control

AU-A.2.2

A list of recent changes made to this Module is provided below:

Module Ref.	Change Date	Description of Changes
AU-A.1.4	01/2011	Clarified legal basis.
AU-4.1.4	01/2011	Removed the requirement for a letter of comfort to be provided with an application for license.
AU-4.1.15	01/2011	Corrected cross reference.
AU-4.1.4(a)	04/2011	Added cross reference.
AU-4.2	04/2011	Clarified Rules for authorisation of a branch and added Rules for authorisation of a subsidiary.
AU-4.3.7A	07/2011	Added a Rule dealing with notification to CBB when an approved person ceases to hold a controlled function.
AU-4.4.6	07/2011	Cross reference added to Rule.
AU-A.1.4	04/2012	Legal basis updated to reflect all Articles of the CBB Law covered by this Module as well as applicable Resolutions.
AU-4.4	04/2012	Clarified language on cancellation of a license to be in line with other Volumes of the CBB Rulebook.
AU-1.1.8A and AU-1.1.8B	10/2012	Rule and guidance added to address the activity of wholesale export and import of various currency bank notes in physical form.
AU-2.1.1	10/2012	Amended legal status.
AU-A.1.4	01/2013	Updated legal basis.
AU-1.1	01/2013	References added to requirements under Resolution No.(16) for the year 2012.
AU-1.2.3	01/2013	Clarified approval requirements for controlled functions for Bahrain operations.
AU-4.4.4A	01/2013	Corrected cross reference to CBB Law.
AU-5.2	07/2013	Amended due date and collection process for annual licensee fee.
AU-A.1.4	07/2015	Legal basis updated to reflect Resolution No (23) of 2015.
AU-4.3	07/2015	Amended to be in line with Resolution No (23) of 2015 on Prior Approval Requirements for Approved Persons.
AU-4.4.6	07/2015	Clarified interim arrangements for replacement of approved person.
AU-1.2	01/2016	Clarified general requirements for approved persons.
AU-3	01/2016	Amended to be in line with Resolution No (23) of 2015 on Prior Approval Requirements for Approved Persons.
AU-4.3	01/2016	Minor amendments to be aligned with other Volumes of the Rulebook.
AU-4.5	07/2017	Added new Section on Publication of the Decision to Grant, Cancel or Amend a License
AU-4.1.1	04/2018	Amended Paragraph.
AU-4.1.18	04/2018	Amended Paragraph.
AU-4.3.2	04/2018	Amended Paragraph.
AU-4.3.8AA	10/2018	Amended Paragraph number.
AU-4.4.6	10/2018	Amended reference Paragraph.
AU-4.1.1	07/2019	Amended Paragraph to remove references to hardcopy Form 1 submission to online submission.
AU-4.1.21	10/2019	Changed from Rule to Guidance.
AU-4.1.22	10/2019	Changed from Rule to Guidance.
AU-4.1.23	10/2019	Changed from Rule to Guidance.
AU-4.5.1	10/2019	Changed from Rule to Guidance.
AU-4.3.9A	01/2021	Added a new Paragraph on compliance of approved persons with the fit and proper requirement.

Superseded Requirements

AU-A.2.3

This Module supersedes the following provisions contained in circulars or other regulatory instruments:

Circular / other reference	Subject
Standard Conditions and Licensing Criteria: Money Changers	Scope of license and licensing conditions.
Circular BC/309/1994	Management Personnel
Circular BC/120/1995	Money Changers Permitted Business
Circular BC/11/98	Appointment and suitability of Directors and senior managers ('fit and proper').
Circular EDFIS/C/05/2007	CBB's New License Fees System

October 2010

AU-B AU-B Scope of Application

AU-B.1 AU-B.1 Scope of Application

AU-B.1.1
The content of this Module applies to all Money Changer licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

October 2010

AU-B.1.2
Two types of authorisation are prescribed:

(i) Any person seeking to provide a regulated money changer service within or from the Kingdom of Bahrain must hold the appropriate CBB license (see AU-1.1). Money Changer Licensees are thereafter referred to in this Module as licensees; and

(ii) Natural persons wishing to perform a controlled function in a licensee also require prior CBB approval, as an approved person (see AU-1.2).

October 2010

AU-B.2 AU-B.2 Authorised Persons

AU-B.2.1
Various requirements in Chapters AU-2 to AU-4 inclusive also apply to persons once they have been authorised by the CBB (whether as licensees or approved persons).

October 2010

AU-B.2.2
Chapter AU-2 applies to licensees (not just applicants), since licensing conditions have to be met on a continuous basis by licensees. Similarly, Chapter AU-3 applies to approved persons on a continuous basis; it also applies to licensees seeking an approved person authorisation. Chapter AU-4 contains requirements applicable to licensees, with respect to the starting up of their operations, as well as to licensees and approved persons, with respect to the amendment or cancellation of their authorised status. Finally, Section AU-5.2 imposes annual fees on licensees.

October 2010

AU-1 AU-1 Authorisation Requirements

AU-1.1 AU-1.1 Licensing

AU-1.1.1
No person may:

(a) Undertake (or hold themselves out to undertake) regulated money changer services, by way of business, within or from the Kingdom of Bahrain unless duly licensed by the CBB;

(b) Hold themselves out to be licensed by the CBB unless they have as a matter of fact been so licensed; or

(c) Market any financial services in the Kingdom of Bahrain unless:
(i) Allowed to do by the terms of a license issued by the CBB;

(ii) The activities come within the terms of an exemption granted by the CBB by way of a Directive; or

(iii) Has obtained the express written permission of the CBB to offer financial services.

Amended: January 2013
October 2010

AU-1.1.2
For the purposes of Rule AU-1.1.1, please refer to Rule AU-1.1.8 for the definition of 'regulated money changer services' and Rule AU-1.1.9 for 'by way of business'. Such activities will be deemed to be undertaken within or from the Kingdom of Bahrain if, for example, the person concerned:

(a) Is incorporated in the Kingdom of Bahrain; or

(b) Uses an address situated in the Kingdom of Bahrain for its correspondence.

October 2010

AU-1.1.2A
In accordance with Resolution No.(16) for the year 2012 and for the purpose of Subparagraph AU-1.1.1(c), the word 'market' refers to any promotion, offering, announcement, advertising, broadcast or any other means of communication made for the purpose of inducing recipients to purchase or otherwise acquire financial services in return for monetary payment or some other form of valuable consideration.

Added: January 2013

AU-1.1.2B
Persons in breach of Subparagraph AU-1.1.1(c) are considered in breach of Resolution No.(16) for the year 2012 and are subject to penalties under Articles 129 and 161 of the CBB Law (see also Section EN-9.3).

Added: January 2013

AU-1.1.3
Persons wishing to be licensed to undertake regulated money changer services within or from the Kingdom of Bahrain must apply in writing to the CBB.

October 2010

AU-1.1.4
An application for a license must be in the form prescribed by the CBB and must contain, inter alia:

(a) A business plan specifying the type of business to be conducted;

(b) Application forms for all controllers; and

(c) Application forms for all controlled functions.

October 2010

AU-1.1.5
The CBB will review the application and duly advise the applicant in writing when it has:

(a) Granted the application without conditions;

(b) Granted the application subject to conditions specified by the CBB; or

(c) Refused the application, stating the grounds on which the application has been refused and the process for appealing against that decision.

October 2010

AU-1.1.6
Detailed rules and guidance regarding information requirements and processes for licenses can be found in Section AU-4.1. As specified in Paragraph AU-4.1.12, the CBB will provide a formal decision on a license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB.

October 2010

AU-1.1.7
All applicants seeking a Money Changers license must satisfy the CBB that they meet, by the date of authorisation, the minimum criteria for licensing, as contained in Chapter AU-2. Once licensed, licensees must maintain these criteria on an on-going basis.

October 2010

Money Changer License Permitted Activities

AU-1.1.8
For the purposes of Volume 5 (Specialised Licensees), regulated money changer services mean all transactions including:

(a) The sale, purchase and exchange of foreign currencies;

(b) Currency transfer to/from Bahrain;

(c) Purchase and sale of travellers' cheques;

(d) The dealing in precious metals within the allowed limits; or

(e) Any other financial business related to Money Changers activities and approved by the CBB.

Amended: April 2011
October 2010

AU-1.1.8A
For purposes of Subparagraph AU-1.1.8(a), the sale, purchase and exchange of foreign currencies may include the wholesale export and import of various currency bank notes in physical form, for the purpose of distribution/collection to/from the local market or for transmission to a foreign jurisdiction. Only licensees whose license specifically allows for such activity to be undertaken are permitted to engage in this activity.

Added: October 2012

AU-1.1.8B
In assessing a request from a licensee to add the activity of export/import of bank notes to its permitted activities, the CBB will consider among other factors, the following:

(a) A satisfactory track record of not less than 5 years operating as a licensed regulated entity in the financial sector;

(b) The licensee's financial soundness, an acceptable level of capitalisation and financial resources and its ability to meet its obligations in a timely and satisfactory manner;

(c) The legal status and regulatory track record of the licensee including previous disciplinary measures taken against the licensee by the CBB or any other jurisdiction in which its group operates;

(d) The maintenance of an adequate insurance coverage to cater for any risk that may arise while importing/exporting the consignment;

(e) The application of prudent security measures when transporting the banknotes within the Kingdom of Bahrain, as required by Paragraphs GR-7.1.1 and GR-9.1.5A;

(f) The existence of prudent documented and approved internal procedures and controls within the licensee to govern the entire import/export activity starting from the origination of the consignment to its final destination. Such procedures must observe the requirements of any other Law or relevant competent authority in this regard, whether in the Kingdom of Bahrain or the jurisdiction to/from which the banknotes are being exported/imported;

(g) The existence of the necessary AML/CFT systems and controls in place as required by Module FC;

(h) The quality of management and corporate governance framework and oversight over the activities of the licensee; and

(i) The maintenance of proper books and records as required by Chapter GR-1.

Added: October 2012

AU-1.1.9
For the purposes of Volume 5 (Specialised Licensees), carrying on a regulated money changer services by way of business means:

(a) Undertaking one or more of the activities specified in Paragraph AU-1.1.8 for commercial gain;

(b) Holding oneself out as willing and able to engage in that activity; or

(c) Regularly soliciting other persons to engage in transactions constituting that activity.

October 2010

AU-1.1.10
Licensees are prohibited from conducting any other financial business other than that set out in Rule AU-1.1.8 above, and permitted by the license issued to them by the CBB.

October 2010

AU-1.1.11
A person does not carry on an activity constituting regulated money changer services if it is an organisation, commercial company or travel and tourism agency accepting foreign currencies and travellers' cheques in consideration for their sales. In addition, hotels do not undertake regulated money changer services when accepting foreign currencies and travellers' cheques in consideration for their services and/or as a service to their guests.

October 2010

Suitability

AU-1.1.12
Those seeking authorisation must satisfy the CBB as to their suitability to carry out the regulated money changer services for which they are seeking authorisation.

October 2010

AU-1.1.13
In assessing applications for a license, the CBB will assess whether an applicant satisfies the licensing conditions (as specified in Chapter AU-2) with respect to all the regulated services that the applicant proposes to undertake.

October 2010

AU-1.2 AU-1.2 Approved Persons

General Requirements

AU-1.2.1
Licensees must obtain the CBB's prior written approval for any person wishing to undertake a controlled function at a licensee. The approval from the CBB must be obtained prior to their appointment, subject to the variations contained in Paragraph AU-1.2.3.

Amended: January 2016
October 2010

AU-1.2.2
Controlled functions are those functions occupied by board members and persons in executive positions and include:

(a) Director;

(b) Chief Executive or General Manager;

(c) Head of function;

(d) Compliance Officer; and

(e) Money Laundering Reporting Officer (MLRO).

Amended: January 2016
October 2010

AU-1.2.3
Prior approval is required for all of the above controlled functions. Combination of the above controlled functions is subject to the requirements contained in Modules HC and RM. Controlled functions (b) to (e) are in relation to Bahrain operations.

Amended: January 2013
October 2010

Basis for Approval

AU-1.2.4
Approval under Paragraph AU-1.2.1 is only granted by the CBB, if it is satisfied that the person is 'fit and proper' to hold the particular position at the licensee concerned. 'Fit and proper' is determined by the CBB on a case-by-case basis. The definition of 'fit and proper' and associated guidance is provided in Sections AU-3.1 and AU-3.2 respectively.

October 2010

Definitions

AU-1.2.5
Director is any person who occupies the position of a Director, as defined in Article 173 of the Commercial Companies Law (Legislative Decree No. 21 of 2001).

October 2010

AU-1.2.6
The fact that a person may have 'Director' in their job title does not of itself make them a Director within the meaning of the definition noted in Paragraph AU-1.2.5. For example, a 'Director of IT', is not necessarily a member of the Board of Directors and therefore may not fall under the definition of Paragraph AU-1.2.5.

October 2010

AU-1.2.7
The Chief Executive or General Manager means a person who is responsible for the conduct of the licensee (regardless of actual title). The Chief Executive or General Manager must be resident in Bahrain. This person is responsible, for the conduct of the whole of the firm.

October 2010

AU-1.2.8
Head of function means a person who exercises major managerial responsibilities, is responsible for a significant business or operating unit, or has senior managerial responsibility for maintaining accounts or other records of the licensee.

October 2010

AU-1.2.9
Whether a person is a head of function will depend on the facts in each case and is not determined by the presence or absence of the word in their job title. Examples of head of function might include, depending on the scale, nature and complexity of the business, a deputy Chief Executive, heads of departments such as Risk Management, Compliance or Internal Audit, or the Chief Financial Officer.

October 2010

AU-1.2.10
Where a licensee is in doubt as to whether a function should be considered a controlled function it must discuss the case with the CBB.

October 2010

AU-2 AU-2 Licensing Conditions

AU-2.1 AU-2.1 Condition 1: Legal Status

AU-2.1.1
The legal status of a licensee must be:

(i) A Bahraini joint stock company (B.S.C.); or

(ii) A Bahraini company with limited liability (W.L.L.) and licensed to conduct money changer business prior to 1^st October 2012.

Amended: October 2012
October 2010

AU-2.1.2
For those licensees that do not meet the requirements of Rule AU-2.1.1, they should discuss their legal status with the CBB.

October 2010

AU-2.2 AU-2.2 Condition 2: Mind and Management

AU-2.2.1
Licensees with their Registered Office in the Kingdom of Bahrain must maintain their Head Office in the Kingdom and must conduct their business from their Head Office and approved branches only.

October 2010

AU-2.2.2
In assessing the location of a licensee's Head Office, the CBB will take into account the residency of its Directors and senior management. The CBB requires the majority of key decision makers in executive management — including the Chief Executive - to be resident in Bahrain.

October 2010

AU-2.3 AU-2.3 Condition 3: Controllers

AU-2.3.1
Licensees must satisfy the CBB that their controllers are suitable and pose no undue risks to the licensee.

October 2010

AU-2.4 AU-2.4 Condition 4: Board and Employees

AU-2.4.1
As per Article 65(a) of the CBB law, those nominated to carry out controlled functions must satisfy CBB's approved person's requirements.

October 2010

AU-2.4.2
The definition of controlled functions is contained in Paragraph AU-1.2, whilst Chapter AU-3 sets out CBB's approved persons requirements. Applications for approved person status must be submitted using the prescribed approved persons form.

October 2010

AU-2.4.3
The licensee's staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of the licensee in a sound and prudent manner. Licensees must ensure their employees meet any training and competency requirements specified by the CBB.

October 2010

AU-2.4.4
The CBB's training and competency requirements are contained in Module TC (Training and Competency).

October 2010

AU-2.5 AU-2.5 Condition 5: Financial Resources

AU-2.5.1
Licensees must maintain a level of financial resources, as agreed with the CBB, adequate for the level of business proposed. The level of financial resources held must exceed at all times the minimum requirements contained in Module CA (Capital Adequacy), as specified for the license held.

October 2010

AU-2.6 AU-2.6 Condition 6: Systems and Controls

AU-2.6.1
Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate for the scale and complexity of their activities. These systems and controls must meet the minimum requirements contained in Modules HC (High-level Controls) and RM (Risk Management), as specified for the license held.

October 2010

AU-2.6.2
Licensees must maintain adequate segregation of responsibilities in their staffing arrangements, to protect against the misuse of systems or errors. Such segregation should ensure that no single individual has control over all stages of a transaction.

October 2010

AU-2.6.3
Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate to address the risks of financial crime occurring in the licensee. These systems and controls must meet the minimum requirements contained in Module FC (Financial Crime), as specified for the license held.

October 2010

AU-2.6.4
As part of the licensing approval process, applicants must demonstrate in their business plan (together with any supporting documentation) what risks their business would be subject to and how they would manage those risks. Applicants may also be asked to provide an independent assessment of the appropriateness of their systems and controls to the CBB.

October 2010

AU-2.7 AU-2.7 Condition 7: External Auditors

AU-2.7.1
As per Article 61 of the CBB Law, licensees must appoint external auditors, subject to prior CBB approval. The minimum requirements regarding auditors contained in Module AA (Auditors and Accounting Standards) must be met.

October 2010

AU-2.7.2
Applicants must submit details of their proposed external auditor to the CBB as part of their license application.

October 2010

AU-2.8 AU-2.8 Condition 8: Other Requirements

Books and Records

AU-2.8.1
Licensees must maintain comprehensive books of accounts and other records, which must be available for inspection within the Kingdom of Bahrain by the CBB, or persons appointed by the CBB, at any time. Licensees must comply with the minimum record-keeping requirements contained in Module GR. Books of accounts must comply with IFRS standards.

October 2010

Provision of Information

AU-2.8.2
Licensees must act in an open and cooperative manner with the CBB. Licensees must meet the regulatory reporting and public disclosure requirements contained in Modules BR and PD respectively.

October 2010

General Conduct

AU-2.8.3
Licensees must conduct their activities in a professional and orderly manner, in keeping with good market practice standards. Licensees must comply with the general standards of business conduct contained in Module PB, as well as the standards relating to treatment of customers contained in Module BC.

October 2010

License Fees

AU-2.8.4
Licensees must comply with any license fee requirements applied by the CBB.

October 2010

AU-2.8.5
License fee requirements are contained in Chapter AU-5.

October 2010

Additional Conditions

AU-2.8.6
Licensees must comply with any other specific requirements or restrictions imposed by the CBB on the scope of their license.

October 2010

AU-2.8.7
When granting a license, the CBB specifies the regulated services that the licensee may undertake. Licensees must respect the scope of their license.

October 2010

AU-2.8.8
In addition, the CBB may vary existing requirements or impose additional restrictions or requirements, beyond those already specified in Volume 5 (Specialised Licensees), to address specific risks.

October 2010

AU-3 AU-3 Approved Persons Conditions

AU-3.1 AU-3.1 Condition 1: 'Fit and Proper'

AU-3.1.1
Licensees seeking an approved person authorisation for an individual, must satisfy the CBB that the individual concerned is 'fit and proper' to undertake the controlled function in question.

October 2010

AU-3.1.2
The authorisation requirement for persons nominated to carry out controlled functions is contained in Section AU-1.2. The authorisation process is described in Section AU-4.3.

October 2010

AU-3.1.3
Each applicant applying for approved person status and those individuals occupying approved person positions must comply with the following conditions:

(a) Has not previously been convicted of any felony or crime that relates to his/her honesty and/or integrity unless he/she has subsequently been restored to good standing;

(b) Has not been the subject of any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud;

(c) Has not been adjudged bankrupt by a court unless a period of 10 years has passed, during which the person has been able to meet all his/her obligations and has achieved economic accomplishments;

(d) Has not been disqualified by a court, regulator or other competent body, as a director or as a manager of a corporation;

(e) Has not failed to satisfy a judgement debt under a court order resulting from a business relationship;

(f) Must have personal integrity, good conduct and reputation;

(g) Has appropriate professional and other qualifications for the controlled function in question; and

(h) Has sufficient experience to perform the duties of the controlled function.

Amended: January 2016
October 2010

AU-3.1.4
In assessing the conditions prescribed in Rule AU-3.1.3, the CBB will take into account the criteria contained in Paragraph AU-3.1.5. The CBB reviews each application on a case-by-case basis, taking into account all relevant circumstances. A person may be considered 'fit and proper' to undertake one type of controlled function but not another, depending on the function's job size and required levels of experience and expertise. Similarly, a person approved to undertake a controlled function in one licensee may not be considered to have sufficient expertise and experience to undertake nominally the same controlled function but in a much bigger licensee.

Amended: January 2016
October 2010

AU-3.1.5
In assessing a person's fitness and propriety, the CBB will also consider previous professional and personal conduct (in Bahrain or elsewhere) including, but not limited to, the following:

(a) The propriety of a person's conduct, whether or not such conduct resulted in a criminal offence being committed, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;

(b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;

(c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;

(d) Whether the person, or any body corporate, partnership or unincorporated institution to which the applicant has, or has been associated with as a director, controller, manager or company secretary been the subject of any disciplinary proceeding, investigation or fines by any government authority, regulatory agency or professional body or association;

(e) The contravention of any financial services legislation;

(f) Whether the person has ever been refused a license, authorisation, registration or other authority;

(g) Dismissal or a request to resign from any office or employment;

(h) Whether the person has been a Director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners have been declared bankrupt whilst the person was connected with that partnership;

(i) The extent to which the person has been truthful and open with supervisors; and

(j) Whether the person has ever entered into any arrangement with creditors in relation to the inability to pay due debts.

Added: January 2016

AU-3.1.6
With respect to Paragraph AU-3.1.5, the CBB will take into account the length of time since any such event occurred, as well as the seriousness of the matter in question.

Added: January 2016

AU-3.1.7
Approved persons undertaking a controlled function must act prudently, and with honesty, integrity, care, skill and due diligence in the performance of their duties. They must avoid conflicts of interest arising whilst undertaking a controlled function.

Amended: January 2016
October 2010

AU-3.1.8
In determining where there may be a conflict of interest arising, factors that may be considered will include whether:

(a) A person has breached any fiduciary obligations to the company or terms of employment;

(b) A person has undertaken actions that would be difficult to defend, when looked at objectively, as being in the interest of the licensee; and

(c) A person has failed to declare a personal interest that has a material impact in terms of the person's relationship with the licensee.

Amended: January 2016
October 2010

AU-3.1.9
Further guidance on the process for assessing a person s fit and proper status is given in Module EN (Enforcement): see Chapter EN-8.

Added: January 2016

AU-3.2 AU-3.2 [This Section was deleted in January 2016]
Deleted: January 2016

AU-3.2.1
[This Paragraph was deleted in January 2016.]

Deleted: January 2016
October 2010

AU-3.2.2
[This Paragraph was deleted in January 2016.]

Deleted: January 2016
October 2010

AU-3.2.3
[This Paragraph was moved to Paragraph AU-3.1.9 in January 2016.]

Amended: January 2016
October 2010

AU-4 AU-4 Information Requirements and Processes

AU-4.1 AU-4.1 Licensing

Application Form and Documents

AU-4.1.1
Applicants for a license must fill in the Application Form 1 (Application for a License) online, available on the CBB website under E-services/online Forms. The applicant must upload scanned copies of supporting documents listed in Rule AU-4.1.4, unless otherwise directed by the CBB.

Amended: July 2019
Amended: April 2018
October 2010

AU-4.1.2
Articles 44 to 47 of the CBB Law govern the licensing process. This prescribes a single stage process, with the CBB required to take a decision within 60 calendar days of an application being deemed complete (i.e. containing all required information and documents). See below, for further details on the licensing process and time-lines.

October 2010

AU-4.1.3
References to applicant mean the proposed licensee seeking authorisation. An applicant may appoint a representative — such as a law firm or professional consultancy — to prepare and submit the application. However, the applicant retains full responsibility for the accuracy and completeness of the application, and is required to certify the application form accordingly. The CBB also expects to be able to liaise directly with the applicant during the authorisation process, when seeking clarification of any issues.

October 2010

AU-4.1.4
Unless otherwise directed by the CBB, the following documents must be provided in support of a Form 1:

(a) A duly completed Form 2 (Application for Authorisation of Controller) for each controller of the proposed licensee (refer to Chapter GR-5 for detailed requirements on controllers);

(b) A duly completed Form 3 (Application for Approved Person status), for each individual proposed to undertake controlled functions (as defined in Rule AU-1.2.2 ) in the proposed licensee;

(c) A comprehensive business plan for the application, addressing the matters described in AU-4.1.6;

(d) Where the applicant is an existing Bahraini company, a copy of the applicant's commercial registration certificate;

(e) A certified copy of a Board resolution of the applicant, confirming its decision to seek a CBB money changer license;

(f) In the case of applicants that are part of a group, copies of the audited financial statements of the applicant's group, for the three years immediately prior to the date of application;

(g) In the case of applicants not falling under (f) above, copies of the audited financial statements of the applicant's major shareholder (where a legal person), for the three years immediately prior to the date of application;

(h) In the case of applicants seeking to raise part of their capital through a private placement, a draft of the relevant private placement memorandum, together with a formal, independent legal opinion that the memorandum comply with all applicable capital markets laws and regulations; and

(i) A copy of the applicant's memorandum and articles of association (in draft form for applicants creating a new company) addressing the matters described in AU-4.1.8.

Amended: April 2011
Amended: January 2011
October 2010

AU-4.1.5
The CBB may require that an acceptably worded letter of guarantee be provided in support of the application for a license. Where the application for the license is for an incorporated entity, the CBB may seek a letter of guarantee from the major shareholder in control of the licensee.

October 2010

AU-4.1.6
The business plan submitted in support of an application must explain:

(a) An outline of the history of the applicant and its shareholders;

(b) The reasons for applying for a license, including the applicant's strategy and market objectives;

(c) The proposed Board and senior management of the applicant and the proposed organisational structure of the applicant;

(d) An assessment of the risks that may be faced by the applicant, together with the proposed systems and controls framework to be put in place for addressing those risks and to be used for the main business functions; and

(e) An opening balance sheet for the applicant, together with a three-year financial projection, with all assumptions clearly outlined, demonstrating that the applicant will be able to meet applicable capital adequacy requirements.

October 2010

AU-4.1.7
In the case of applicants seeking to raise capital (refer to AU-4.1.4(h)), the CBB's review is aimed at checking that the proposed private placement complies with applicable capital markets laws and regulations, and that the information contained in the private placement memorandum ('PPM') is consistent with the information provided in the license application. The CBB's review does not in any way constitute an approval or endorsement as to any claims made in the PPM regarding the future value of the company concerned. Note also that the CBB will not license applicants without a core group of sponsoring shareholders (who can demonstrate a strong business track record with relevant expertise), and where failure of the private placement to raise its targeted amount would leave the institution unable to comply with the CBB's minimum capital requirements. The CBB will normally expect core shareholders to account for at least 40% of the applicant's initial proposed total capital.

October 2010

AU-4.1.8
The applicant's memorandum and articles of association must explicitly provide for it to undertake the activities proposed in the license application, and must preclude the applicant from undertaking other regulated services, or commercial activities.

October 2010

AU-4.1.9
All documentation provided to the CBB as part of an application for a license must be in either the Arabic or English languages. Any documentation in a language other than English or Arabic must be accompanied by a certified English or Arabic translation thereof.

October 2010

AU-4.1.10
Any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs prior to authorisation must be reported to the CBB.

October 2010

AU-4.1.11
Failure to inform the CBB of the changes specified in Rule AU-4.1.10 is likely to be viewed as a failure to provide full and open disclosure of information, and thus a failure to meet licensing condition Rule AU-2.8.2.

October 2010

AU-4.1.12
Before the final approval is granted to a licensee, confirmation from a retail bank addressed to the CBB that the licensee's capital (injected funds) — as specified in the business plan submitted under Rule AU-4.1.4 — has been paid in, must be provided to the CBB.

October 2010

Licensing Process and Timelines

AU-4.1.13
By law, the 60 day time limit referred to in Paragraph AU-4.1.2 only applies once the application is complete and all required information (which may include any clarifications requested by the CBB) and documents have been provided. This means that all the items specified in Rule AU-4.1.4 have to be provided, before the CBB may issue a license.

October 2010

AU-4.1.14
The CBB recognises, however, that applicants may find it difficult to secure suitable senior management (refer AU-4.1.4(b) above) in the absence of preliminary assurances regarding the likelihood of obtaining a license.

October 2010

AU-4.1.15
Therefore, applicants may first submit an unsigned Form 1 in draft, together with as many as possible of the items specified in Rule AU-4.1.4. This draft application should contain at least items AU-4.1.4(a); AU-4.1.4(b), with respect to proposed Directors (but not necessarily senior management); AU-4.1.4(c); AU-4.1.4(d); and AU-4.1.4(f) to AU-4.1.4(i) inclusive.

Amended: January 2011
October 2010

AU-4.1.16
On the basis of the information specified in Paragraph AU-4.1.15, the CBB may provide an initial 'in principle' confirmation that the applicant appears likely to meet the CBB's licensing requirements, subject to the remaining information and documents being assessed as satisfactory. The 'in principle' confirmation will also list all outstanding documents required before an application can be considered complete and subject to formal consideration.

October 2010

AU-4.1.17
An 'in principle' confirmation does not constitute a license approval, nor does it commit the CBB to issuing a license. However, it provides sufficient assurance for an applicant to complete certain practical steps, such as securing suitable executive staff that satisfy CBB's 'fit and proper' requirements. Once this has been done, the applicant may finalise its application, by submitting the remaining documents required under Rule AU-4.1.4 and, once assessed as complete by the CBB, a signed and dated final version of Form 1. However, a Bahrain company proposing to undertake financial services activities would not be able to obtain a commercial registration from the Ministry of Industry and Commerce unless they receive the final approval from the CBB.

October 2010

AU-4.1.18
Regardless of whether an applicant submits a draft application or not, all potential applicants are strongly encouraged to contact the CBB at an early stage to discuss their plans and associated requirements. The Licensing Directorate would normally expect to hold at least one pre-application meeting with an applicant, prior to receiving an application (either in draft or in final form).

Amended: April 2018
October 2010

AU-4.1.19
Potential applicants should initiate pre-application meetings in writing, setting out a short summary of their proposed business and any issues or questions that they may have already identified, once they have a clear business proposition in mind and have undertaken their preliminary research. The CBB can then guide the applicant on the specific areas in the Rulebook that will apply to them and the relevant requirements that they must address in their application.

October 2010

AU-4.1.20
At no point should an applicant hold themselves out as having been licensed by the CBB, prior to receiving formal written notification of the fact in accordance with Rule AU-4.1.21 below. Failure to do so may constitute grounds for refusing an application and result in a contravention of Articles 40 and 41 of the CBB Law (which carries a maximum penalty of BD 1 million).

October 2010

Granting or Refusal of License

AU-4.1.21
To be granted a license, an applicant should demonstrate compliance with the applicable requirements of the CBB Law and this Module. Should a license be granted, the CBB will notify the applicant in writing of the fact; the CBB will also publish its decision to grant a license in the Official Gazette and in two local newspapers (one published in Arabic, the other in English). The license may be subject to such terms and conditions as the CBB deems necessary for the additional conditions being met.

Amended: October 2019
October 2010

AU-4.1.22
The CBB may refuse to grant a license if in its opinion:

(a) The requirements of the CBB Law or this Module are not met;

(b) False or misleading information has been provided to the CBB, or information which should have been provided to the CBB has not been so provided; or

(c) The CBB believes it necessary in order to safeguard the interests of potential customers.

Amended: October 2019
October 2010

AU-4.1.23
Where the CBB proposes to refuse an application for a license, it will give the applicant written notice to that effect. Applicants will be given a minimum of 30 calendar days from the date of the written notice to appeal the decision, as per the appeal procedures specified in the notice; these procedures will comply with the provisions contained in Article 46 of the CBB Law.

Amended: October 2019
October 2010

Starting Operations

AU-4.1.24

Within 6 months of the license being issued, the new licensee must provide to the CBB (if not previously submitted):

(a) The registered office address and details of premises to be used to carry out the business of the proposed licensee;

(b) The address in the Kingdom of Bahrain where full business records will be kept;

(c) The licensee's contact details including telephone and fax number, e-mail address and website;

(d) A copy of its business continuity plan;

(e) A description of the IT system that will be used, including details of how IT systems and other records will be backed up;

(f) A copy of the auditor's acceptance to act as auditor for the applicant;

(g) A copy of an auditor's opinion certifying that the licensee's capital — as specified in the business plan submitted under Rule AU-4.1.4 — has been paid in;

(h) A copy of the licensee's professional indemnity insurance policy (see Section GR-7.1);

(i) A copy of the applicant's notarized memorandum and articles of association, addressing the matters described in Paragraph AU-4.1.8;

(j) A copy of the Ministry of Industry and Commerce commercial registration certificate in Arabic and in English;

(k) A copy of the licensee's business card and any written communication (including stationery, website, e-mail, business documentation, etc.) including a statement that the money changer is licensed by the CBB; and

(l) Any other information as may be specified by the CBB.

AU-4.1.25

New licensees must start their operations within 6 months of being granted a license by the CBB, failing which the CBB may cancel the license, as per the powers and procedures set out in Article 48 of the CBB Law.

AU-4.1.26

The procedures for cancelling licenses are contained in Section AU-4.4.

AU-4.2 AU-4.2 Authorisation of a Branch or Subsidiary

AU-4.2.1
Licensees may open branches in the Kingdom of Bahrain after obtaining the CBB's prior written approval. Licensees are prohibited from opening branches in foreign jurisdictions but may open subsidiaries in such jurisdictions with the CBB prior approval.

Amended: April 2011
October 2010

Authorisation of a Branch

AU-4.2.2
Unless otherwise directed by the CBB, the following documents must be provided to the CBB in support of an application to open a branch:

(a) A business plan explaining:
1) The reasons for applying for a branch, including the applicant's strategy and market objectives; and

2) A minimum of three-year financial projection, with all assumptions clearly outlined, demonstrating that the branch will be able to meet all liabilities and obligations;

(b) The location of the proposed branch, including the full address;

(c) A confirmation that the branch will comply with the minimum security measures for money changer licensees as specified in Section GR-9.1;

(d) Confirmation from the external auditor that the licensee's capital adequacy is sufficient to support the operation of the branch, in addition to other existing branches (if applicable), at the time of filing the request; and

(e) Confirmation from the external auditor that additional capital requirement of BD30,000 (refer to Section CA-1.4), has been deposited in the licensee's bank account.

Amended: April 2011
October 2010

Starting Operations of a Branch

AU-4.2.3
Licensees should submit to the CBB confirmation that the authorised branch has commenced operations within 6 months of the authorisation letter.

Amended: April 2011
October 2010

AU-4.2.4
An application for authorisation of a new branch will not be considered by the CBB unless the written confirmation that the preceding branch is operational, as required in Rule AU-4.2.3 above, has been submitted.

October 2010

Authorisation of a Subsidiary

AU-4.2.5
Licensees wishing to establish or acquire a new subsidiary undertaking must submit to the CBB the following information as part of their request:

(a) Proposed name of subsidiary;

(b) Country of incorporation;

(c) Legal structure;

(d) Proposed issued capital;

(e) Proposed shareholding structure;

(f) Purpose of establishing or acquiring the subsidiary;

(g) Draft incorporation documents of the subsidiary;

(h) Board resolution approving the establishment or acquisition of the subsidiary; and

(i) Any other information or documentation requested by the CBB.

Added: April 2011

AU-4.2.6
Licensees should ensure adherence with Rules contained in Chapter CA-1 and in particular with the leverage and liquidity requirements contained in Section CA-1.5 when considering the impact of a subsidiary on capital requirements.

Added: April 2011

AU-4.3 AU-4.3 Approved Persons

Prior Approval Requirements and Process

AU-4.3.1
Licensees must obtain CBB's prior written approval before a person is formally appointed to a controlled function. The request for CBB approval must be made by submitting to the CBB a duly completed Form 3 (Application for Approved Person status) and Curriculum Vitae after verifying that all the information contained in the Form 3, including previous experience, is accurate. Form 3 is available under Volume 5 Part B Authorisation Forms of the CBB Rulebook.

Amended: January 2016
Amended: July 2015
October 2010

AU-4.3.2
When the request for approved person status forms part of a license application, the Form 3 must be marked for the attention of the Director, Licensing Directorate. When the submission to undertake a controlled function is in relation to an existing licensee, the Form 3, except if dealing with a MLRO, must be marked for the attention of the Director, Financial Institutions Supervision Directorate. In the case of the MLRO, Form 3 should be marked for the attention of the Director, Compliance Directorate.

Amended: April 2018
October 2010

AU-4.3.3
When submitting Form 3, licensees must ensure that the Form 3 is:

(a) Submitted to the CBB with a covering letter signed by an authorised representative of the licensee, seeking approval for the proposed controlled function;

(b) Submitted in original form;

(c) Submitted with a certified copy of the applicant's passport, original or certified copies of educational and professional qualification certificates (and translation if not in Arabic or English) and the Curriculum Vitae; and

(d) Signed by an authorised representative of the licensee and all pages stamped with the licensee's seal.

Amended: July 2015
October 2010

AU-4.3.3A
Licensees seeking to appoint Board Directors must seek CBB approval for all the candidates to be put forward for election/approval at a shareholders' meeting, in advance of the agenda being issued to shareholders. CBB approval of the candidates does not in any way limit shareholders' rights to refuse those put forward for election/approval.

Added: July 2015

AU-4.3.4
For existing licensees applying for the appointment of a Director or the Chief Executive/General Manager, the authorised representative should be the Chairman of the Board or a Director signing on behalf of the Board. For all other controlled functions, the authorised representative should be a Director or the Chief Executive/General Manager.

October 2010

AU-4.3.5
[This Paragraph was deleted in July 2015.]

Deleted: July 2015
October 2010

AU-4.3.6
[This Paragraph was moved to AU-4.3.3A in July 2015.]

Amended: July 2015
October 2010

Assessment of Application

AU-4.3.6A
The CBB shall review and assess the application for approved person status to ensure that it satisfies all the conditions required in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5.

Amended: January 2016
Added: July 2015

AU-4.3.6B
For purposes of Paragraph AU-4.3.6A, licensees should give the CBB a reasonable amount of notice in order for an application to be reviewed. The CBB shall respond within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, as well as verifying references.

Amended: January 2016
Added: July 2015

AU-4.3.6C
The CBB reserves the right to refuse an application for approved person status if it does not satisfy the conditions provided for in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5. A notice of such refusal is issued by registered mail to the licensee concerned, setting out the basis for the decision.

Amended: January 2016
Added: July 2015

AU-4.3.7
[This Paragraph was deleted in January 2016.]

Deleted: January 2016
Amended: July 2015
October 2010

Appeal Process

AU-4.3.7A
Licensees or the nominated approved persons may, within 30 calendar days of the notification, appeal against the CBB's decision to refuse the application for approved person status. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from submitting the appeal.

AU-4.3.7B
Where notification of the CBB's decision to grant a person approved person status is not issued within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, licensees or the nominated approved persons may appeal to the the Executive Director, Financial Institutions Supervision of the CBB provided that the appeal is justified with supporting documents. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from the date of submitting the appeal.

Amended: January 2016
Added: July 2015

Notification Requirements and Process

AU-4.3.8AA
Licensees must immediately notify the CBB when an approved person ceases to hold a controlled function together with an explanation as to the reasons why (see Paragraph AU-4.4.6). In such cases, their approved person status is automatically withdrawn by the CBB.

Amended: October 2018
Amended: July 2015
Added: July 2011

AU-4.3.8
Licensees must immediately notify the CBB in case of any material change to the information provided in a Form 3 submitted for an approved person.

October 2010

AU-4.3.9
Licensees must immediately notify the CBB when they become aware of any of the events listed in Paragraph EN-8.2.3, affecting one of their approved persons.

October 2010

AU-4.3.9A
Licensees must immediately notify the CBB should they become aware of information that could reasonably be viewed as calling into question an approved person’s compliance with CBB’s ‘fit and proper’ requirement (see AU3.1).

Added: January 2021

Change in Controlled Function

AU-4.3.10
Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee.

October 2010

AU-4.3.11
In such instances, a new Form 3 (Application for Approved Person status) should be completed and submitted to the CBB. Note that a person may be considered 'fit and proper' for one controlled function, but not for another, if for instance the new role requires a different set of skills and experience. Where an approved person is moving to a controlled function at another licensee, the first licensee should notify the CBB of that person's departure (see Rule AU-4.4.6), and the new licensee should submit a request for approval under Rule AU-1.2.1.

October 2010

AU-4.4 AU-4.4 Cancellation of Authorisation

Voluntary Surrender of a License or Closure of Branch

AU-4.4.1
In accordance with Article 50 of the CBB Law, licensees wishing to cancel their license or cease activities for a branch, must obtain the CBB's written approval, before ceasing their activities. All such requests must be made in writing to the Director, Financial Institutions Supervision, setting out in full the reasons for the request and how the business is to be wound up.

Amended: April 2012
October 2010

AU-4.4.2
Licensees must satisfy the CBB that their customers' interests are to be safeguarded during and after the proposed cancellation. The requirements contained in Chapter GR-6 regarding cessation of business must be satisfied.

October 2010

AU-4.4.3
Failure to comply with Rule AU-4.4.1 may constitute a breach of Article 50(a) of the CBB Law. The CBB will only approve such a request where it has no outstanding regulatory concerns and any relevant customer interests would not be prejudiced. A voluntary surrender of a license will not be accepted where it is aimed at preempting supervisory actions by the CBB. A voluntary surrender will only be allowed to take effect once the licensee, in the opinion of the CBB, has discharged all its regulatory responsibilities to customers.

October 2010

Cancellation of a License by the CBB

AU-4.4.4
As provided for under Article 48(c) of the CBB Law, the CBB may itself move to cancel a license, for instance if a licensee fails to satisfy any of its existing license conditions or protecting the legitimate interests of customers or creditors of the licensee require a cancellation. The CBB generally views the cancellation of a license as appropriate only in the most serious of circumstances, and generally tries to address supervisory concerns through other means beforehand. See also Chapter EN-7, regarding the cancellation or amendment of licenses, including the procedures used in such instances and the licensee's right to appeal the formal notice of cancellation issued by the CBB.

Amended: April 2012
October 2010

AU-4.4.4A
Cancellation of a license requires the CBB to issue a formal notice of cancellation to the licensee concerned. The notice of cancellation describes the CBB's rationale for the proposed cancellation, as specified in Article 48(d) of the CBB Law.

Amended: January 2013
Added: April 2012

AU-4.4.4B
Where the cancellation of a license has been confirmed by the CBB, the CBB will only effect the cancellation once a licensee has discharged all its regulatory responsibilities to clients. Until such time, the CBB will retain all its regulatory powers towards the licensee and will direct the licensee so that no new regulated money changer services may be undertaken whilst the licensee discharges its obligations to its clients.

Added: April 2012

AU-4.4.5
Licensees wishing to cancel an authorisation for a branch must obtain the CBB's written approval, before ceasing the activities of the branch.

October 2010

Cancellation of Approved Person Status

AU-4.4.6
In accordance with Paragraphs AU-4.3.8AA and BR-2.2.11, licensees must promptly notify the CBB in writing when a person undertaking a controlled function will no longer be carrying out that function. If a controlled function falls vacant, the licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the licensee must make immediate interim arrangements to ensure continuity of the duties and responsibilities of the controlled function affected, provided that such arrangements do not pose a conflict of duties. These interim arrangements must be approved by the CBB.

Amended: October 2018
Amended: July 2015
Amended: July 2011
October 2010

AU-4.4.7
The explanation given for any such changes should simply identify if the planned move was prompted by any concerns over the person concerned, or is due to a routine staff change, retirement or similar reason.

October 2010

AU-4.4.8
The CBB may also move to declare someone as not 'fit and proper', in response to significant compliance failures or other improper behaviour by that person: see Chapter EN-8 regarding the cancellation of 'fit and proper' approval.

October 2010

AU-4.5 AU-4.5 Publication of the Decision to Grant, Cancel or Amend a License

AU-4.5.1
In accordance with Articles 47 and 49 of the CBB Law, the CBB will publish its decision to grant, cancel or amend a license in the Official Gazette and in two local newspapers, one in Arabic and the other in English.

Amended: October 2019
Added: July 2017

AU-4.5.2
For the purposes of Paragraph AU-4.5.1, the cost of publication must be borne by the Licensee.

Added: July 2017

AU-4.5.3
The CBB may also publish its decision on such cancellation or amendment using any other means it considers appropriate, including electronic means.

Added: July 2017

AU-5 AU-5 License Fees

AU-5.1 AU-5.1 License Application Fees

AU-5.1.1
Applicants seeking a Money Changer license from the CBB must pay a non-refundable license application fee of BD 100 at the time of submitting their formal application to the CBB.

October 2010

AU-5.1.2
There are no application fees for those seeking approved person status.

October 2010

AU-5.2 AU-5.2 Annual License Fees

AU-5.2.1
Licensees must pay the relevant annual license fee to the CBB, on 1st December of the preceding year for which the fee is due.

Amended: July 2013
October 2010

AU-5.2.2
The relevant fees are specified in Rule AU-5.2.3 below. The fees due on 1st December are those due for the following calendar year, but are calculated on the basis of the firm's latest audited financial statements for the previous calendar year: i.e. the fee payable on 1st December 2013 for the 2014 year (for example), is calculated using the audited financial statements for 2012, assuming a 31st December year end. Where a licensee does not operate its accounts on a calendar-year basis, then the most recent audited financial statements available are used instead.

Amended: July 2013
October 2010

AU-5.2.3
The variable annual license fee payable by licensees is 0.25% of their relevant operating expenses, subject to a minimum ('floor') of BD 300 and a maximum ('cap') of BD 6,000.

Amended: July 2013
October 2010

AU-5.2.4
Relevant operating expenses are defined as the total operating expenses of the licensee concerned, as recorded in the most recent audited financial statements available, subject to the adjustments specified in Rule AU-5.2.5.

October 2010

AU-5.2.5
The adjustments to be made to relevant operating expenses are the exclusion of the following items from total operating expenses:

(a) Training costs;

(b) Charitable donations;

(c) CBB fees paid; and

(d) Non-executive Directors' remuneration.

October 2010

AU-5.2.6
For the avoidance of doubt, operating expenses for the purposes of this Section, do not include items such as depreciation, provisions, interest expense, and dividends.

October 2010

AU-5.2.7
The CBB would normally rely on the audited accounts of a licensee as representing a true and fair picture of its operating expenses. However, the CBB reserves the right to enquire about the accounting treatment of expenses, and/or policies on intra-group charging, if it believes that these are being used artificially to reduce a license fee.

October 2010

AU-5.2.8
Licensees must complete and submit Form ALF (Annual License Fee) to the CBB, no later than 15th October of the preceding year for which the fees are due.

Amended: July 2013
October 2010

AU-5.2.8A
All licensees are subject to direct debit for the payment of the annual fee and must complete and submit to the CBB a Direct Debit Authorisation Form by 15th September available under Part B of Volume 5 (Specialised Licensees) CBB Rulebook on the CBB Website.

Added: July 2013

AU-5.2.9
For new licensees, the first annual license fee is payable when the license is issued by the CBB. The amount payable is the floor amount of BD 300.

October 2010

AU-5.2.9A
For the first full year of operation for licensees, the licensee would calculate its fee as the floor amount. For future years, the licensee would submit a Form ALF by 15th October of the preceding year for which the fees are due and calculate its fee using its last audited financial statements (or alternative arrangements as agreed with CBB, should its first set of accounts cover an 18-month period).

Added: July 2013

AU-5.2.10
Where a license is cancelled (whether at the initiative of the firm or the CBB), no refund is paid for any months remaining in the calendar year in question.

October 2010

AU-5.2.11
Licensees failing to comply with this Section may be subject to financial penalties for date sensitive requirements as outlined in Section EN-5.3A or may have their licenses withdrawn by the CBB.

Added: July 2013

HC HC Money Changers High-Level Controls Module

HC-A HC-A Introduction

HC-A.1 HC-A.1 Purpose

Executive Summary

HC-A.1.1
This Module contains requirements that have to be met by licencees with respect to:

(a) The role and composition of their Boards and Board committees; and

(b) Related high-level controls and policies.

October 2010

HC-A.1.2
These requirements specify minimum good practice standards, with regards to the function and responsibilities of Boards, their composition and size, and required standards of attendance and frequency of meetings. It also specifies basic requirements with respect to establishing policies and procedures that address the segregation of duties, internal audit and compliance arrangements, and the licensee's approach to remuneration and corporate ethics.

October 2010

HC-A.1.3
This Module supplements various provisions relating to corporate governance contained in Legislative Decree No. 21 of 2001, with respect to promulgating the Commercial Companies Law ('Commercial Companies Law 2001'). In case of conflict, the Commercial Companies Law shall prevail. Compliance with this Module does not guarantee compliance with the Commercial Companies Law.

October 2010

Legal Basis

HC-A.1.4
This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) regarding High-level Control requirements applicable to licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regarding Money Changer licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

Amended: January 2011
October 2010

HC-A.1.5
For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

October 2010

HC-A.2 HC-A.2 Module History

Evolution of the Module

HC-A.2.1
This Module was first issued in October 2010. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

HC-A.2.2

A list of recent changes made to this Module is provided below:

Module Ref.	Change Date	Description of Changes
HC-A.1.4	01/2011	Clarified legal basis.
Module HC	04/2016	Module updated to be in line, where applicable, to other Volumes of the CBB Rulebook.
HC-2.3 and HC-2.4	07/2016	Clarified application of Rules for overseas licensees.
HC-1.1.5	01/2020	Amended Paragraph on policy and procedures approval.
HC-4.2	04/2020	Added a new Section on Standard for all Remuneration.
HC-4.2.1	04/2020	Added a new Paragraph on KPIs compliance with AML/CFT requirements.

Superseded Requirements

HC-A.2.3

This Module supersedes the following provisions contained in circulars or other regulatory requirements:

Document Ref.	Document Subject
BSD/D(111)3179	Regarding nomination of Senior Liaison Officer.
BC/11/98	Appointment of Approved Persons

October 2010

Monitoring and Enforcement of Module HC

HC-A.2.4
Disclosure and transparency are underlying principles of Module HC. Disclosure is crucial to allow outside monitoring of functions effectively. This Module looks to a combined monitoring system relying on the Board, the money changer licensee's shareholders and the CBB.

April 2016

HC-A.2.5
It is the Board's responsibility to see to the accuracy and completeness of the money changer licensee's corporate governance guidelines and compliance with Module HC. Failure to comply with this Module is subject to enforcement measures as outlined in Module EN (Enforcement).

April 2016

HC-B HC-B Scope of Application

HC-B.1 HC-B.1 Scope of Application

HC-B.1.1
The content of this Module applies to all Money Changer licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

October 2010

HC-1 HC-1 The Board

HC-1.1 HC-1.1 Functions and Responsibilities

General Requirements

HC-1.1.1
Licensees must have a Board of Directors ('the Board').

Amended: April 2016
October 2010

HC-1.1.1A
The directors are ultimately accountable and responsible both individually and collectively for performing these responsibilities and must have sufficient expertise as a Board to understand the important issues relating to operation and control of the licensee. Although the Board may delegate certain functions to committees or management, it may not delegate its ultimate responsibility to ensure that an adequate, effective, comprehensive and transparent corporate governance framework is in place. This statement must be clearly communicated to Board members and senior management.

April 2016

HC-1.1.2
To discharge its responsibility effectively, a Board typically delegates various functions and tasks, for instance to Board sub-committees, management and other employees. When it delegates, the Board nonetheless retains ultimate responsibility for the performance of those functions and tasks.

October 2010

HC-1.1.2A
The licensee should have a written appointment agreement with each director which recites the directors' powers and duties and other matters relating to his appointment including his term, the time commitment envisaged, the committee assignment if any, his remuneration and expense reimbursement entitlement, and his access to independent professional advice when that is needed.

April 2016

Specific Requirements

HC-1.1.3
The Board must establish and maintain a statement of its responsibilities, defining its functions and tasks and those delegated to Board sub-committees and senior management. This statement must be clearly communicated to Board members and senior management.

October 2010

HC-1.1.4
For the purposes of HC-1.1.3, the CBB expects licensees to maintain detailed mandates for Boards and sub-committees. These mandates should be reviewed periodically by the Board. Depending on the size and complexity of the licensee concerned, the CBB also expects the Board to operate appropriate sub-committees.

Amended: April 2016
October 2010

HC-1.1.5
The Board must approve and review at least annually the licensee's:

(a) Strategic plans;

(b) Management structure and responsibilities; and

(c) Systems and controls framework (including its policies).

Amended: January 2020
Added: October 2010

HC-1.1.6
The Board must also regularly review:

(a) The licensee's implementation of its strategy and operational performance;

(b) The performance of its executive management; and

(c) The level of risk.

October 2010

HC-1.1.7
The Board must set out clearly and review on a regular basis who has authority to commit the licensee to contractual obligations. The Board must set a materiality threshold so that contractual obligations above this set threshold are regularly reported to the Board. In setting the materiality threshold, the Board must consider the financial impact the contractual obligations may have in relation to its capital.

October 2010

HC-1.1.8
The Board must must establish and disseminate to employees policies and processes for the identification, reporting and prevention or management of potential conflicts of interest, including matters such as:

(a) Related party transactions;

(b) The misuse of the licensee's assets; and

(c) The use of privileged information for personal advantage ('insider trading').

Amended: April 2016
October 2010

HC-1.1.9
The Board and its members must act with honesty, integrity, due skill and care, and in the best interests of the licensee, its shareholders and customers.

October 2010

HC-1.1.10
In assessing compliance with Paragraph HC-1.1.9, the CBB will take into account all actions of the Board and its members. The interest of the licensee includes the licensee's continued compliance with all relevant rules and regulations, and the interests of employees, customers and other stakeholders. The interest of shareholders includes the current and future value of the licensee, its status as a going concern, transparency and disclosure of information to the market.

October 2010

HC-1.1.11
The Board must oversee the process of disclosure to all stakeholders. The Board must ensure that the licensee's communications are fair, transparent, comprehensive and timely.

October 2010

HC-1.1.12
The CBB expects the Board to have effective policies and processes in place for:

(a) Approving and reviewing at least annually the overall business performance and strategy for the licensee;

(b) Causing financial statements to be prepared which accurately disclose the licensee's financial position;

(c) Ensuring a formal and transparent Board nomination process;

(d) Convening and preparing the agenda for shareholder meetings;

(e) Monitoring conflicts of interest and preventing abusive related party transactions;

(f) Appointing senior managers, after assessing that they have the necessary integrity, technical and managerial competence, and experience;

(g) Overseeing succession planning, and minimizing undue reliance on key individuals;

(d) Reviewing key senior management and Board remuneration packages and ensuring such packages are consistent with the corporate values and strategy of the licensee and encourage prudent risk taking;

(e) Monitoring and evaluating management's performance in implementing agreed strategy and business plans, and ensuring appropriate resources are available; and

(f) Approving budgets and reviewing performance against those budgets.

Amended: April 2016
October 2010

HC-1.1.13
In assessing the systems and controls framework (see Paragraph HC-1.1.5), the CBB would expect the Board to be able to demonstrate that the licensee's operations, individually and collectively:

(a) Are measured, monitored and controlled by appropriate, effective and prudent risk management systems commensurate with the scope of the licensee's activities. These should pro-actively identify as well as monitor risk. The systems should produce information on a timely basis, and in a form and quality appropriate to the needs of the different recipients;

(b) Are supported by an appropriate control environment. The risk management and financial reporting functions must be independent of business lines and must be run by individuals not involved with the day-to-day running of the various business areas; and

(c) Make effective use of the work of internal and external auditors. The internal audit function should be independent of the senior management, reporting to the Board. The Board should ensure that the external audit firm and its partners are truly independent of the licensee and have no financial or other relationship with the licensee. Audit findings should be used as an independent check on the information received from management about the licensee's operations and performance and the effectiveness of internal controls.

Amended: April 2016
October 2010

HC-1.2 HC-1.2 Composition

HC-1.2.1
The Memorandum and Articles of Association of licensees must adequately set out procedures for the appointment, removal and retirement of Directors.

October 2010

HC-1.2.2
These should, amongst other things, include procedures for removing Directors in case of non-attendance or other failure to discharge properly their responsibilities as company Directors.

October 2010

HC-1.2.2A
The Board should have a minimum of 3 members, as agreed with the CBB.

April 2016

HC-1.2.3
To fulfil its responsibilities outlined in Section HC-1.1, the Board of licensees must periodically assess its composition and size and, where appropriate, reconstitute itself and its committees by selecting new Directors to replace long-standing members or those members whose contributions to the licensee or its committees is not adequate.

October 2010

HC-1.2.4
The Board must ensure that collectively it has sufficient expertise to understand the important issues relating to the operation and control of its company.

October 2010

HC-1.2.5
It is not expected that every Board member is proficient in all areas, but collectively the Board is expected to have the required expertise. There should also be agreed upon procedures by the Board for Directors to take independent advice if necessary at the licensee's expense. CBB also expects Board members to undertake relevant training on a regular basis to help them fulfill their responsibilities as Directors.

October 2010

HC-1.2.6
The appointment of Board members is conditional on the approval of the CBB. (See Section AU-1.2).

October 2010

HC-1.2.7
A Board member may have a maximum of two Directorships of financial institutions inside Bahrain. However, two Directorships of licensees within the same type of licensees would not be permitted. Licensees may approach the CBB for exemption from this limit where the Directorships concern financial institutions within the same group.

Amended: April 2016
October 2010

HC-1.2.8
Unless otherwise agreed with the CBB, the chairman and/or deputy chairman must not be the same person as the CEO or general manager.

April 2016

HC-1.3 HC-1.3 Meetings and Attendance

HC-1.3.1
The Board must meet sufficiently often to enable it to discharge its responsibilities effectively, taking into account the licensee's scale and complexity.

October 2010

HC-1.3.2
The CBB expects that the scale and complexity of most licensees will require meetings to be held at least quarterly. For the larger, most complex licensees, more frequent Board meetings may be more appropriate.

October 2010

HC-1.3.2A
The Board must meet frequently but in no event less than four times a year. All directors must attend the meetings whenever possible and the directors must maintain informal communication between meetings.

April 2016

HC-1.3.2B

Individual board members must attend at least 75% of all Board meetings in a given financial year to enable the Board to discharge its responsibilities effectively (see table below). Voting and attendance proxies for board meetings are prohibited at all times.

Meetings per year	75% Attendance requirement
4	3
5	4
6	5
7	5
8	6
9	7
10	8

April 2016

HC-1.3.2C
The absence of Board members at Board and committee meetings must be noted in the meeting minutes. In addition, Board attendance percentage must be reported during any general assembly meeting when Board members stand for re-election (e.g. Board member XYZ attended 95% of scheduled meetings this year).

April 2016

HC-1.3.2D
In the event that a Board member has not attended at least 75% of Board meetings in any given financial year, the licensee must immediately notify the CBB indicating which member has failed to satisfy this requirement, his level of attendance and any mitigating circumstances affecting his non-attendance. The CBB shall then consider the matter and determine whether disciplinary action, including disqualification of that Board member pursuant to Article 65 of the CBB Law, is appropriate. Unless there are exceptional circumstances, it is likely that the CBB will take disciplinary action.

April 2016

HC-1.3.2E
Board members are reminded that non attendance at board meetings does not absolve them of their responsibilities as directors. It is important that each individual director should allocate adequate time and effort to discharge his responsibilities. All Directors are expected to contribute actively to the work of the Board in order to discharge their responsibilities and should make every effort to attend board meetings where major issues are to be discussed. In instances where telephonic or videoconference meetings are held, licensees are encouraged to amend their Articles of Association to provide for such meetings. Participation in board meetings by means of video or telephone conferencing is regarded as attendance and may be recorded as such.

April 2016

HC-1.3.3
Board rules must require members to step down if they are not actively participating in Board meetings.

October 2010

HC-1.3.4
The CBB expects Board members who fail to attend at least three-quarters of all Board meetings in any twelve-month period to step down, unless the Board is able to satisfy the CBB that there are valid reasons for the Director concerned to remain a Board member.

October 2010

HC-1.3.5
At least half the Board meetings of licensees in any twelve-month period must be held in the Kingdom of Bahrain.

October 2010

HC-1.3.5A
The chairman must ensure that all directors receive an agenda, minutes of prior meetings, and adequate background information in writing before each Board meeting and when necessary between meetings. All directors must receive the same Board information. At the same time, directors have a legal duty to inform themselves and they must ensure that they receive adequate and timely information and must study it carefully.

April 2016

HC-1.3.6
The Board must maintain adequate records of its meetings, such that key decisions and how they are arrived at can be traced.

Amended: April 2016
October 2010

HC-1.4 HC-1.4 Directors' Communication with Management

HC-1.4.1
The Board must encourage participation by management regarding matters the Board is considering, and also by management members who by reason of responsibilities or succession, the CEO or general manager (as the case may be) believes should have exposure to the directors.

April 2016

HC-2 HC-2 Approved Persons Loyalty

HC-2.1 HC-2.1 Personal Accountability

HC-2.1.1
The Board and its members must act with honesty, integrity, due skill and care, and in the best interests of the licensee, its shareholders and clients.

Amended: April 2016
October 2010

HC-2.1.2
In assessing compliance with Paragraph HC-2.2.1, the CBB will take into account all actions of the Board and its members. The interest of the licensee includes the licensee's continued compliance with all relevant rules and regulations, and the interests of employees, clients and other stakeholders. The interest of shareholders includes the current and future value of the licensee, its status as a going concern, transparency and disclosure of information to the market. The interest of clients includes ensuring that the licensee fulfils its obligations under its terms of business and treats all clients fairly and pays equal regard to the interests of all clients.

Amended: April 2016
October 2010

HC-2.1.3
Each member of the board must understand that under the Company Law he is personally accountable to the licensee and the shareholders if he violates his legal duty of loyalty to the licensee, and that he can be personally sued by the licensee or the shareholders for such violations.

Amended: April 2016
October 2010

HC-2.1.4
The duty of loyalty includes a duty not to use property of the licensee for his personal needs as though it was his own property, not to disclose confidential information of the licensee or use it for his personal profit, and to serve the licensee's interest in any transactions with the company in which he has a personal interest.

April 2016

HC-2.1.5
For purposes of Paragraph HC-2.1.4, an approved person is considered to have a "personal interest" in a transaction with the company if:

(a) He himself;

(b) A member of his family (i.e. spouse, father, mother, sons, daughters, brothers or sisters); or

(c) Another company of which he is a director or controller,

is a party to the transaction or has a material financial interest in the transaction. (Transactions and interests which are de minimis in value should not be included.)

April 2016

HC-2.1.6
A licensee's Board must establish and disseminate to all employees of the licensee a corporate code of conduct.

April 2016

HC-2.1.7
The code of conduct must establish standards by giving examples or expectations as regards:

(a) Honesty;

(b) Integrity;

(c) The avoidance or disclosure of conflicts of interest;

(d) Maintaining confidentiality;

(e) Professionalism;

(f) Commitment to the law and best practices; and

(g) Reliability.

April 2016

HC-2.1.8
A Board must ensure that policies and procedures are in place to ensure that necessary customer confidentiality is maintained.

April 2016

HC-2.2 HC-2.2 Segregation of Duties/Avoidance of Conflicts of Interest

HC-2.2.1
Licensees must maintain an organisational structure that segregates duties in order to minimise the risk of conflicts of interest arising.

Amended: April 2016
October 2010

HC-2.2.2
Each approved person must make every practicable effort to arrange his personal and business affairs to avoid a conflict of interest with the licensee.

Amended: April 2016
October 2010

HC-2.2.3
Board members must absent themselves from any discussion or decision-making that involves a subject where they are incapable of providing objective advice, or which involves a subject, transaction or proposed transaction where there is a potential conflict of interest.

Amended: April 2016
October 2010

HC-2.3 HC-2.3 Disclosure of Conflicts of Interest

HC-2.3.1
Each approved person must inform the entire Board of conflicts of interest as they arise. Board members must abstain from voting on the matter in accordance with the relevant provisions of the Company Law. This disclosure must include all material facts in the case of a contract or transaction involving the approved person. The approved persons must understand that any approval of a conflict transaction is effective only if all material facts are known to the authorising persons and the conflicted person did not participate in the decision.

Amended: April 2016
October 2010

HC-2.3.2
Board members must declare annually in writing all of their interests (and those of their family) in other enterprises or activities (whether as a Director, shareholder, senior executive or other form of participation) to the Board (or appropriate Board sub-Committee).

Amended: April 2016
October 2010

HC-2.3.3
Bahraini licensees must have in place a board approved policy on the employment of relatives of approved persons and a summary of such policy must be disclosed in the annual report of the Bahraini licensee.

Amended: July 2016
Amended: April 2016
October 2010

HC-2.3.4
Overseas licensees must have in place a policy on the employment of relatives of approved persons pertaining to their Bahrain operations.

Added: July 2016

HC-2.4 HC-2.4 Disclosure of Conflicts of Interest to Shareholders

HC-2.4.1
The licensee must disclose to its shareholders in the Annual Report any abstention from voting motivated by a conflict of interest and must disclose to its shareholders any authorisation of a conflict of interest contract or transaction in accordance with the Company Law.

Amended: April 2016
October 2010

HC-2.4.2
The chief executive/general manager of the Bahraini licensee must disclose to the board of directors on an annual basis those individuals who are occupying controlled functions and who are relatives of any approved persons within the Bahraini licensee.

Amended: July 2016
Amended: April 2016
October 2010

HC-2.4.3
The chief executive/general manager of the overseas licensees must disclose to a designated officer at its head office or regional manager on an annual basis those individuals who are occupying controlled functions and who are relatives of any approved persons within the overseas licensee.

Added: July 2016

HC-3 HC-3 Financial Statements Certification

HC-3.1 HC-3.1 Internal Control

HC-3.1.1
The Board must have rigorous controls for financial audit and reporting, internal control, and compliance with law.

April 2016

HC-3.1.2
To encourage management accountability for the financial statements required by the directors, the licensee's CEO or general manager and chief financial officer must state in writing to the Board as a whole that the licensee's interim and annual financial statements present a true and fair view, in all material respects, of the licensee's financial condition and results of operations in accordance with applicable accounting standards.

April 2016

HC-4 HC-4 Remuneration

Alignment of All Staff Remuneration with Compliance with AML/CFT Requirements

HC-4.2.1
The performance evaluation and remuneration of senior management and staff of the licensee must be based on the achievement of the Key Performance Indicators (KPIs) relevant to ensuring compliance with AML/CFT requirements as specified in Paragraphs FC-2.1.3 and FC-2.1.4.

Added: April 2020

HC-4.1 HC-4.1 Remuneration Policies

HC-4.1.1
The review of Directors' remuneration must be a standing item on the licensee's Annual General Meeting agenda, and must be considered by shareholders at every Annual General Meeting. Directors' remuneration (including pension and severance arrangements) and bonuses must be clearly disclosed in the annual financial statements.

April 2016

HC-4.1.2
Directors' remuneration should also comply with all applicable laws, such as Legislative Decree No. 21 of 2001 (and its amendments), with respect to promulgating the Commercial Companies Law.

April 2016

HC-4.2 Standard for all Remuneration

HC-5 HC-5 Management Structure

HC-5.1 HC-5.1 Establishment of Management Structure

HC-5.1.1
The Board must approve and review at least annually the licensee's management structure and responsibilities.

April 2016

HC-5.1.2
The Board must appoint senior management whose authority must include management and operation of current activities of the licensee, reporting to and under the direction of the Board. The senior managers must include at a minimum:

(a) A CEO or general manager;

(b) A chief financial officer;

(c) An internal auditor (see HC-5.4 and AU-1.2); and

(d) A compliance officer (see HC-5.5 and AU-1.2).

and must also include such other approved persons as the Board considers appropriate and as a minimum must include persons occupying controlled functions as outlined in Paragraph AU-1.2.2.

April 2016

HC-5.1.3
The licensee may appoint a corporate secretary. Whenever practical, the corporate secretary should be a person with legal or similar professional experience and training. The corporate secretary's duties include:

(a) Arranging, recording and following up on the actions, decisions and meetings of the Board and of the shareholders (both at annual and extraordinary meetings) in books to be kept for that purpose; and

(b) Reviewing the licensee's procedures and advising the Board directly on such matters.

April 2016

HC-5.2 HC-5.2 Titles, Authorities, Duties and Reporting Responsibilities

HC-5.2.1
Licensees must maintain clearly documented and communicated staff responsibilities and reporting lines.

April 2016

HC-5.2.2
For the purposes of Rule HC-5.2.1, licensees should maintain and document their delegated authority structure as well as written terms of reference for staff positions.

April 2016

HC-5.2.3
The Board must adopt by-laws prescribing each senior manager's title, authorities, duties and internal reporting responsibilities. This must be done in consultation with the CEO or general manager, to whom the other senior managers should normally report.

April 2016

HC-5.2.4
These provisions must include but should not be limited to the following:

(a) The CEO or general manager must have authority to act generally in the licensee's name, representing the licensee's interests in concluding transactions on the licensee's behalf and giving instructions to other senior managers and licensee employees;

(b) The chief financial officer must be responsible and accountable for:
(i) The complete, timely, reliable and accurate preparation of the licensee's financial statements, in accordance with the accounting standards and policies of the licensee (see HC-3.1.2); and

(ii) Presenting the Board with a balanced and understandable assessment of the licensee's financial situation;

(c) The internal auditor's (see HC-5.4) duties must include providing an independent and objective review of the efficiency of the licensee's operations. This would include a review of the accuracy and reliability of the licensee's accounting records and financial reports as well as a review of the adequacy and effectiveness of the licensee's risk management, control, and governance processes; and

(d) The compliance officer's (see HC-5.5) duties include maintaining effective systems and controls for compliance with applicable requirements in the Kingdom's legislation and those set by the CBB, and those established under any other statute or regulator to which they are subject.

April 2016

HC-5.2.5
The Board should also specify any limits which it wishes to set on the authority of the CEO or general manager or other senior managers, such as monetary maximums for transactions which they may authorize without separate Board approval.

April 2016

HC-5.2.6
At least annually the Board shall review and concur in a succession plan addressing the policies and principles for selecting a successor to the CEO or general manager, both in emergencies and in the normal course of business. The succession plan should include an assessment of the experience, performance, skills and planned career paths for possible successors to the CEO or general manager.

April 2016

HC-5.3 HC-5.3 Chief Executive/General Manager

HC-5.3.1
Licensees must appoint a person to undertake the function of Chief Executive or General Manager.

April 2016

HC-5.3.2
The Chief Executive or General Manager (as appropriate), is responsible for the executive management and performance of the licensee, within the framework of delegated authorities set by the Board. The function of Chief Executive or General Manager is a controlled function, and the person nominated to that post therefore requires prior CBB approval (see Module AU (Authorisation)).

April 2016

HC-5.3.3
Residency requirements apply to Chief Executives and General Managers (see Section AU-2.2.)

April 2016

HC-5.4 HC-5.4 Internal Audit

HC-5.4.1
Unless otherwise agreed with the CBB, licensees must establish an internal audit function to monitor the adequacy of their systems and controls.

April 2016

HC-5.4.2
The CBB would normally expect larger licensees to maintain the internal audit function within the organisation. The CBB will however consider allowing small licensees to outsource part or all of their internal audit function to third party providers.

April 2016

HC-5.4.3
Licensees may outsource part or all of their internal audit function, after obtaining the prior approval of the CBB. The outsourcing arrangements must provide for an adequate level of scrutiny of the licensee, and must comply with the requirements contained in Section RM-2.4. A licensee cannot outsource its internal audit function to its external auditor.

April 2016

HC-5.4.4
Prior approval from the CBB is required for significant outsourcing arrangements, including all outsourcing of internal audit. Note that in all such cases, the licensee retains ultimate responsibility for the adequacy of its outsourcing function, and is required to identify the person within the licensee responsible for internal audit: this person should be an approved person (see Section AU-1.2 and Chapter RM-2).

April 2016

HC-5.4.5
Internal audit functions must have terms of reference that clearly indicate:

(a) The scope and frequency of audits;

(b) Reporting lines; and

(c) The review and approval process applied to audits.

April 2016

HC-5.4.6
Paragraph HC-5.4.5 applies irrespective of whether the internal audit function is outsourced. Where it is outsourced, the CBB would expect to see these matters addressed in the contract with the outsourcing provider.

April 2016

HC-5.4.7
Internal audit functions must report directly to the Board. They must have unrestricted access to all the appropriate records of the licensee. They must have open and regular access to the Board, the Chief Executive or general manager, and the licensee's external auditor.

April 2016

HC-5.4.8
Internal audit functions must have adequate staff levels with appropriate skills and knowledge, such that they can act as an effective challenge to the business. Where the function is not outsourced, the head of function should be a senior and experienced employee. Internal audit functions must not perform other activities that compromise their independence.

April 2016

HC-5.4.9
The CBB would expect to see in place a formal audit plan that:

(a) Is reviewed and approved at least annually by the Board;

(b) Is risk-based, with an appropriate scoring system; and

(c) Covers all material areas of a licensee's operations over a reasonable timescale.

April 2016

HC-5.4.10
Internal Audit reports should also be:

(a) Clear and prioritised, with action points directed towards identified individuals;

(b) Timely; and

(c) Distributed to the Board and appropriate senior management.

April 2016

HC-5.4.11
Licensees should also have processes in place to deal with recommendations raised by internal audit to ensure that they are:

(a) Dealt with in a timely fashion;

(b) Monitored until they are settled; and

(c) Raised with senior management if they have not been adequately dealt with.

April 2016

HC-5.5 HC-5.5 Compliance

HC-5.5.1
Licensees must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements in the Kingdom's legislation and those set by the CBB, and those established under any other statute or regulator to which they are subject.

April 2016

HC-5.5.2
Depending on the nature, scale and complexity of its business, a licensee should consider having a separate compliance function. A compliance function should:

(a) Document its organisation and responsibilities;

(b) Be appropriately staffed with competent individuals;

(c) Have unrestricted access to the licensee's relevant records; and

(d) Have ultimate recourse to the Board.

April 2016

HC-5.5.3
Licensees must designate an employee, of appropriate standing and resident in Bahrain, as Compliance Officer. The duties of the Compliance Officer include:

(a) Having responsibility for oversight of the licensee's compliance with the requirements of the CBB; and

(b) Reporting to the licensee's Board in respect of that responsibility.

April 2016

HC-5.5.4
The Compliance Officer is a controlled function and the requirements relating to approved persons must be met (see Chapter AU-1.2). If the scale and nature of the licensee's operations are limited, then the individual who performs the function of Compliance Officer may also take on other responsibilities, providing this does not create a potential conflict of interest. The compliance function may not be combined with the internal audit function or any operational function as they are incompatible and may create a conflict of interest.

April 2016

GR GR Money Changers General Requirements Module

GR-A GR-A Introduction

GR-A.1 GR-A.1 Purpose

Executive Summary

GR-A.1.1
The General Requirements Module presents a variety of different requirements that are not extensive enough to warrant their own stand-alone Module, but for the most part are generally applicable. These include requirements on books and records; on the use of corporate and trade names; on controllers and close links, on security measures, counterfeit currency detection measures and loans extended to related parties.

October 2010

Legal Basis

GR-A.1.2
This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) regarding general requirements applicable to licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regarding controllers (see Chapter GR-5) also included in Regulations, to be issued by the CBB. Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

Amended: January 2011
October 2010

GR-A.1.3
For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

October 2010

GR-A.2 GR-A.2 Module History

Evolution of Module

GR-A.2.1
This Module was first issued in October 2010 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

GR-A.2.2

A list of recent changes made to this Module is detailed in the table below:

Module Ref.	Change Date	Description of Changes
GR-A.1.2	01/2011	Clarified legal basis.
GR-2.1.1	01/2011	Clarified Rule regarding money in transfer.
GR-7.1.2	01/2011	Clarified Guidance.
GR-5.3.1A	04/2011	New Rule added for suitability of controllers.
GR-9.1	07/2011	Several amendments made to be in line with other Volumes of the CBB Rulebook.
GR-5.3.1	04/2012	Amended to be in line with other Volumes of the CBB Rulebook.
GR-6	04/2012	Clarified language on cessation of business to be in line with other Volumes of the CBB Rulebook.
GR-11.1 and GR-11.1.1A	01/2013	Clarified Rules and added Guidance dealing with credit facilities extended to related parties.
GR-1.1.3	04/2013	Corrected reference to 'transaction' records.
GR-7.1.4	10/2014	Added due date for Insurance Coverage Form
GR-6.1.11	10/2016	Added an additional requirement for cessation of business to be consistent with other Volumes of the CBB Rulebook.
GR-5.1.4	01/2017	Consistency of notification timeline rule on controllers with other Volumes of the CBB Rulebook.
GR-1.2.1	07/2017	Amended paragraph according to the Legislative Decree No. (28) of 2002.
GR-1.2.2	07/2017	Deleted paragraph.
GR-4.1.3	10/2017	Added additional requirements to submit when requesting no-objection letter for proposed dividends.
GR-1.1.1	10/2018	Amended Paragraph to be consistent with other Volumes.
GR-5.1.1A	04/2019	Added a new Paragraph on exposure to controllers.
GR-5.1.1B	04/2019	Added a new Paragraph on exposure to controllers.
GR-1.2.1	01/2020	Amended Paragraph.
GR-6.1.6	04/2020	Amended Paragraph.
GR-6.1.11	04/2020	Amended Paragraph.
GR-3.1.1	01/2022	Amended Paragraph on change in licensee corporate and legal name.
GR-3.1.2	01/2022	Amended Paragraph on change to licensee legal name.

Superseded Requirements

GR-A.2.3

This Module supersedes the following provisions contained in circulars or other regulatory instruments:

Circular Ref.	Subject
BS/07/2004	Record-keeping requirements.
BC/24/1999	Accounts of Money Changers.
BS/08/2004	Controllers of, and holdings and transfers of significant ownership or controlling interests in, Agency licensees
OD/080/2007	Directives on Measures to Detect Counterfeit Currency
FIS/C/001/2005	Security Measures for Money Changers
ODG/118/2004	Review of Security Measures
BC/6/99	Requirement of Bank Guarantee

October 2010

GR-B GR-B Scope of Application

GR-B.1 GR-B.1 Scope of Application

GR-B.1.1
The scope of application of Module GR (General Requirements) applies to all Money Changer Licensees, thereafter referred to in this Module as licensees.

October 2010

GR-1 GR-1 Books and Records

GR-1.1 GR-1.1 General Requirements

GR-1.1.1
In accordance with Articles 59 and 60 of the CBB Law, all licensees must maintain books and records (whether in electronic or hard copy form) sufficient to produce financial statements and show a complete record of the business undertaken by a licensee. These records must be maintained for at least 10 years according to Article 60 of the CBB Law.

Amended: October 2018
October 2010

GR-1.1.2
GR-1.1.1 includes accounts, books, files and other records (e.g. trial balance, general ledger, nostro/vostro statements, reconciliations, list of counterparties). It also includes records that substantiate the value of the assets and liabilities activities of the licensee.

October 2010

GR-1.1.3
Bahrain Law currently requires other transaction records to be retained for at least 5 years (see Ministerial Order No. 23 of 2002, made pursuant to Amiri Decree Law No. 4 of 2001).

Amended: April 2013
October 2010

GR-1.1.4
Unless otherwise agreed to by the CBB in writing, records must be kept in either English or Arabic. Any records kept in languages other than English or Arabic must be accompanied by a certified English or Arabic translation. Records must be kept current. The records must be sufficient to allow an audit of the licensee's business or an on-site examination of the licensee by the CBB.

October 2010

GR-1.1.5
Translations produced in compliance with Rule GR-1.1.4 may be undertaken inhouse, by an employee or contractor of the licensee, provided they are certified by an appropriate officer of the licensee.

October 2010

GR-1.1.6
Records must be accessible at any time from within the Kingdom of Bahrain, or as otherwise agreed with the CBB in writing.

October 2010

GR-1.1.7
Where older records have been archived, the CBB may accept that records be accessible within a reasonably short time frame (e.g. within 5 business days), instead of immediately.

October 2010

GR-1.1.8
Paragraphs GR-1.1.1 to GR-1.1.6 apply to licensees, with respect to all their business activities.

October 2010

GR-1.2 GR-1.2 Transaction Records

GR-1.2.1
Licensees must keep completed transaction records for as long as they are relevant for the purposes for which they were made (with a minimum period in all cases of five years from the date when the transaction was terminated). Records of terminated transactions must be kept whether in hard copy or electronic format as per the Legislative Decree No. (54) of 2018 with respect to Electronic Transactions “The Electronic Communications and Transactions Law” and its amendments.

Amended: January 2020
Amended: July 2017
Added: October 2010

GR-1.2.2
[This Paragraph has been deleted in July 2017].

Deleted: July 2017
October 2010

GR-1.3 GR-1.3 Other Records

Corporate Records

GR-1.3.1
Licensees must maintain the following records in original form or in hard copy at their premises in Bahrain:

(a) Internal policies, procedures and operating manuals;

(b) Corporate records, including minutes of shareholders', Directors' and management meetings;

(c) Correspondence with the CBB and records relevant to monitoring compliance with CBB requirements;

(d) Reports prepared by the licensee's internal and external auditors; and

(e) Employee training manuals and records.

October 2010

Customer Records

GR-1.3.2
Record-keeping requirements with respect to customer records, including customer identification and due diligence records, are contained in Module FC (Financial Crime).

October 2010

GR-2 GR-2 Money in Transfer

GR-2.1 GR-2.1 Money in Transfer

GR-2.1.1
All remittances must be pre-funded. In instances where remittances are not pre-funded, they must be channelled through a designated customer account at a retail bank in the Kingdom of Bahrain. No claims by the licensee can be made against this account.

Amended: January 2011
October 2010

GR-3 GR-3 Corporate and Trade Names

GR-3.1 GR-3.1 Vetting of Names

GR-3.1.1
Licensees must obtain CBB’s prior written approval for any change in their legal name. Licensees must notify the CBB of any change in their corporate name at least one week prior to effecting the proposed change.

Amended: January 2022
Added: October 2010

GR-3.1.2
In approving a change to a legal name, the CBB seeks to ensure that it is sufficiently distinct as to reduce possible confusion with other unconnected businesses, particularly those operating in the financial services sector.

Amended: January 2022
Added: October 2010

GR-4 GR-4 Dividends

GR-4.1 GR-4.1 CBB Prior Approval

GR-4.1.1
Licensees must obtain the CBB's prior written approval to any dividend proposed to be distributed to the shareholders, before announcing the proposed dividend by way of press announcement or any other means of communication and prior to submitting a proposal for a distribution of profits to a shareholder vote.

October 2010

GR-4.1.2
The CBB will grant approval where it is satisfied that the level of dividend proposed is unlikely to leave the licensee vulnerable — for the foreseeable future — to breaching the CBB's financial resources requirements, taking into account (as appropriate) trends in the licensee's business volumes, expenses and performance.

October 2010

GR-4.1.3
To facilitate the prior approval required under Paragraph GR-4.1.1, licensees subject to Paragraph GR-4.1.1 must provide the CBB with:

(a) The licensee's intended percentage and amount of proposed dividends for the coming year;

(b) A letter of no objection from the licensee's external auditor on such profit distribution; and

(c) A detailed analysis of the impact of the proposed dividend on the capital adequacy requirements outlined in Module CA (Capital Adequacy) and the liquidity position of the licensee.

Amended: October 2017
October 2010

GR-5 GR-5 Controllers

GR-5.1 GR-5.1 Key Provisions

GR-5.1.1
Licensees must obtain prior approval from the CBB for any of the following changes to their controllers (as defined in Section GR-5.2):

(a) A new controller;

(b) An existing controller increasing its holding from below 20% to above 20%;

(c) An existing controller increasing its holding from below 50% to above 50%; and

(d) An existing controller reducing its holding from above 50% to below 50%.

October 2010

GR-5.1.1A
Licensees must not incur or otherwise have an exposure (either directly or indirectly) to their controllers, including subsidiaries and associated companies of such controllers.

Added: April 2019

GR-5.1.1B
For the purpose of Paragraph GR-5.1.1A, licensees that already have an exposure to controllers must have an action plan agreed with the CBB's supervisory point of contact to address such exposures within a timeline agreed with the CBB.

Added: April 2019

GR-5.1.2
Articles 52 to 56 of the CBB Law require notification to the CBB of all controllers of licensees and of listed companies; it further gives the CBB the right to refuse approval of controllers if deemed damaging to the interests of the market, customers, or in contravention of the criteria set by the CBB.

October 2010

GR-5.1.3
Requests for approval under Paragraph GR-5.1.1 must be made by submitting a duly completed Form 2 (Application for Authorisation of Controller) to the CBB. Notification must be made by the controller or intended controller, and by the licensee where it is aware of the change.

October 2010

GR-5.1.4
If, as a result of circumstances outside the licensee's knowledge and/or control, one of the changes specified in Paragraph GR-5.1.1 is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB no later than 15 calendar days from the date on which those changes have occurred.

Amended: January 2017
October 2010

GR-5.1.5
For approval under Rule GR-5.1.1 to be granted, the applicant must satisfy the CBB that the proposed change in controller poses no undue risks to the licensee or its customers, and is not damaging to the interests of the market, as defined in the suitability criteria for controllers, contained in Section GR-5.3.

October 2010

GR-5.1.6
An approval of controller is valid for the period specified in the approval letter issued by the CBB. The CBB may impose any restrictions that it considers necessary to be observed when granting its approval.

October 2010

GR-5.1.7
The approval process is specified in Section GR-5.4.

October 2010

GR-5.2 GR-5.2 Definition of Controller

GR-5.2.1
A controller of a licensee is a natural or legal person who, either alone or with his associates:

(a) Holds 10% or more of the shares in the licensee ('L'), or is able to exercise (or control the exercise of) more than 10% of the voting power in L;

(b) Holds 10% or more of the shares in a parent undertaking ('P') of L, or is able to exercise (or control the exercise of) more than 10% of the voting power in P; or

(c) Is able to exercise significant influence over the management of L or P.

October 2010

GR-5.2.2
For the purposes of Paragraph GR-5.2.1, 'associate' includes:

(a) In the case of natural persons, a member of the controller's family;

(b) An undertaking of which a controller is a Director;

(c) A person who is an employee or partner of the controller; or

(d) If the controller is a corporate entity, a Director of the controller, a subsidiary of the controller, or a Director of any subsidiary undertaking of the controller.

October 2010

GR-5.2.3
Associate also includes any other person or undertaking with which the controller has entered into an agreement or arrangement as to the acquisition, holding or disposal of shares or other interests in the licensee, or under which they undertake to act together in exercising their voting power in relation to the licensee.

October 2010

GR-5.3 GR-5.3 Suitability of Controllers

GR-5.3.1
All new controllers or prospective controllers (as defined in Section GR-5.2) of a Bahraini specialised licensee must obtain the approval of the CBB. Any increases to existing controllers' holdings or voting control (as outlined under Paragraph GR-5.1.1) must also be approved by the CBB and are subject to the conditions outlined in this Section. Such changes in existing controllers (as defined in the Section GR-5.2) or new/prospective controllers of a licensee must satisfy the CBB of their suitability and appropriateness according to the criteria outlined in Paragraphs GR-5.3.2 to GR-5.3.5. The CBB will issue an approval notice or notice of refusal of a controller according to the approval process outlined in Section GR-5.4 and Paragraph GR-5.1.6.

Amended: April 2012
October 2010

GR-5.3.1A
For those licensees authorised after 1st January 2011, at least one controller must be a regulated financial institution owning or controlling 20% or more of the voting capital.

Added: April 2011

GR-5.3.2
In assessing the suitability of controllers who are natural persons, the CBB has regard to their professional and personal conduct, including, but not limited to, the following:

(a) The propriety of a person's conduct, whether or not such conduct resulted in conviction for a criminal offence, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;

(b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;

(c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;

(d) Whether the person has been the subject of any disciplinary proceeding by any government authority, regulatory agency or professional body or association;

(e) The contravention of any financial services legislation or regulation;

(f) Whether the person has ever been refused a license, authorisation, registration or other authority;

(g) Dismissal or a request to resign from any office or employment;

(h) Disqualification by a court, regulator or other competent body, as a Director or as a manager of a corporation;

(i) Whether the person has been a Director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners or managers have been declared bankrupt whilst the person was connected with that partnership or corporation;

(j) The extent to which the person, has been truthful and open with regulators;

(k) Whether the person has ever been adjudged bankrupt, entered into any arrangement with creditors in relation to the inability to pay due debts, or failed to satisfy a judgement debt under a court order or has defaulted on any debts;

(l) The financial resources of the person and the likely stability of their shareholding, and their track record as a controller or significant investor in financial institutions;

(m) Existing Directorships or ownership of more than 20% of the capital or voting rights of any financial institution in the Kingdom of Bahrain or elsewhere, and the potential for conflicts of interest that such Directorships or ownership may imply;

(n) The legitimate interests of customers, creditors and shareholders (including minority shareholders) of the licensee;

(o) Whether the approval of a controller is or could be detrimental to Bahrain's financial sector; and

(p) Whether the person is able to deal with existing shareholders and the Board in a constructive and cooperative manner.

October 2010

GR-5.3.3
Natural persons who intend to take a stake of 20% or more in a licensee are subject to enhanced scrutiny. The level of scrutiny and the expected compliance with the above standards become more onerous as the level of proposed ownership increases.

October 2010

GR-5.3.4
Legal persons who intend to take a stake of 20% or more in a licensee are subject to enhanced scrutiny, given the CBB's position as home supervisor of such licensees. The level of scrutiny and of expected compliance with the above standards becomes more onerous as the level of proposed ownership increases. Regulated legal persons will normally only be approved to take majority control where — in addition to the above conditions — the resulting group would be subject to effective consolidated supervision in accordance with relevant international standards; and the home supervisor of the parent entity has agreed to the proposed acquisition, as well as to the sharing of relevant prudential information for supervisory purposes (expressed, if necessary, through the signing of a Memorandum of Understanding between the CBB and the home supervisor, setting out their respective supervisory responsibilities).

October 2010

GR-5.3.5
In assessing the suitability of controllers who are legal persons, CBB has regard to their financial standing, judicial and regulatory record, and standards of business practice and reputation, including, but not limited to, the following:

(a) The financial strength of the controller, its parent(s) and other members of its group, its implications for the licensee and the likely stability of the controller's shareholding;

(b) Whether the controller or members of its group has ever entered into any arrangement with creditors in relation to the inability to pay due debts;

(c) The controller's jurisdiction of incorporation, location of Head Office, group structure, and the implications for the licensee as regards effective supervision of the licensee and potential conflicts of interest;

(d) The controller's (and other group members') propriety and general standards of business conduct, including the contravention of any laws or regulations, or the institution of disciplinary proceedings by a government authority, regulatory agency or professional body;

(e) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct;

(f) Any criminal actions instigated against the controller or other members of its group, whether or not this resulted in an adverse finding;

(g) The extent to which the controller or other members of its group have been truthful and open with regulators and supervisors;

(h) Whether the person has ever been refused a license, authorisation, registration or other authority;

(i) The person's track record as a controller or investor in financial institutions;

(j) The legitimate interests of customers, creditors and shareholders of the licensee;

(k) Whether their approval as a controller is or could be detrimental to Bahrain's financial sector; and

(l) Whether the person is able to deal with existing shareholders and the Board in a constructive manner.

October 2010

GR-5.3.6
The CBB may contact references and supervisory bodies in connection with any information provided to support an application for controller. The CBB may also ask for further information, in addition to that provided in the Form 2, if required to satisfy itself as to the suitability of the applicant.

October 2010

GR-5.4 GR-5.4 Approval Process

GR-5.4.1
Within 3 months of receipt of an approval request under Paragraph GR-5.1.1, the CBB will issue a written notice of approval (or of refusal, if it is not satisfied that the person concerned is suitable to become a controller of the licensee). The notice of refusal will specify the reasons for the objection and specify the applicant's right of appeal. Where an approval notice is given, it will specify the period for which it is valid and any conditions that may be applied.

October 2010

GR-5.4.2
Article 53 allows the CBB up to 3 months in which to respond to an application, although the CBB normally aims to respond within 30 calendar days. Notices of refusal have to be approved by an Executive Director of the CBB. The applicant has 30 calendar days from the date of a notice in which to appeal a decision to refuse the application or any conditions imposed as a condition of approval. The CBB then has 30 calendar days from the date of the appeal in which to consider any mitigating evidence submitted and make a final determination. See Module EN (Enforcement).

October 2010

GR-5.4.3
Where a person has become a controller by virtue of their shareholding in contravention of Paragraph GR-5.1.1, or a notice of refusal has been served on them under Paragraph GR-5.4.1 and the period of appeal has expired, the CBB may, by notice in writing served on the person concerned, instruct the person concerned to transfer such shares, or refrain from exercising voting rights in respect of such shares.

October 2010

GR-5.4.4
If the person concerned fails to take the action specified under Paragraph GR-5.4.3, then the CBB may seek a court order to take appropriate measures: these may include forcing the person to sell their shares.

October 2010

GR-5.4.5
The powers available to the CBB that are described in Paragraphs GR-5.4.3 and GR-5.4.4 are specified in Article 56 of the CBB Law.

October 2010

GR-5.4.6
In addition to the above requirements, licensees are encouraged to notify the CBB as soon as they become aware of events that are likely to lead to major changes in their controllers. Any supervisory implications of such changes can then be discussed prior to the filing of a formal approval request.

October 2010

GR-6 GR-6 Cessation of Business

GR-6.1 GR-6.1 CBB Approval

GR-6.1.1
As specified in Article 50 of the CBB Law, a licensee wishing to cease to provide or suspend all or any of its licensed regulated services, completely or at any of its branches, must obtain prior written approval from the CBB.

Amended: April 2012
October 2010

GR-6.1.2
Licensees seeking to obtain the CBB's permission to cease business must apply to the CBB in writing, in the form of a formal request together with supporting documents. Unless otherwise directed by the CBB, the following requirements must be provided in support of the request:

(a) Full details of the business to be terminated;

(b) The rationale for the cessation;

(c) How the licensee proposes to cease business;

(d) Notice of an Extraordinary Meeting setting out the agenda to discuss and approve the cessation, and inviting the CBB for such meeting;

(e) Evidence that the proposed cessation has been duly authorised by the licensee (such as a certified copy of a Board resolution approving the cessation);

(f) Formal request to the CBB for the appointment of a liquidator acceptable to the CBB;

(g) A cut-off date by which the licensee will stop its operations;

(h) If the licensee wishes to cease its whole business, confirmation that the licensee will not enter into new business with effect from the cut-off date;

(i) Once the CBB has given its approval to an application to cease business, the licensee must publish a notice of its intention to cease business in two local daily newspapers (one in Arabic, the other in English). Notices must also be displayed in the premises (including any branch offices) of the licensee concerned. These notices must be given not less than 30 calendar days before the cessation is to take effect, and must include such information as the CBB may specify;

(j) The audited accounts of the licensee as of the last date on which it stopped operations. The commencement of such accounts should be the beginning of the financial year of the licensee; and

(m) The final liquidator's report of the licensee.

October 2010

GR-6.1.3
Licensees intending to apply to cease business are advised to contact the CBB at the earliest possible opportunity, prior to submitting a formal application, in order that the CBB may determine the nature and level of documentation to be provided and the need for an auditor or other expert opinion to be provided to support the application. The documentation specified in Paragraph GR-6.1.2 may be varied by the CBB, depending on the nature of the proposed cessation, such as the materiality of the business concerned and its impact on customers.

October 2010

GR-6.1.4
Approval to cease business will generally be given where adequate arrangements have been made to offer alternative arrangements to any affected customers. The CBB's approval may be given subject to any conditions deemed appropriate by the CBB. In all cases where additional requirements are imposed, the CBB shall state the reasons for doing so.

October 2010

GR-6.1.5
The notice referred to in Subparagraph GR-6.1.2 (i) must include a statement that written representations concerning the liquidation may be submitted to the CBB before a specified day, which shall not be later than thirty calendar days after the day of the first publication of the notice. The CBB will not decide on the application until after considering any representations made to the CBB before the specified day.

Amended: April 2012
October 2010

GR-6.1.6
Upon satisfactorily meeting the requirements set out in GR-6.1.2, the licensee must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its Commercial Registration from the Ministry of Industry and Commerce.

Amended: April 2020
Added: October 2010

GR-6.1.7
Where the CBB has given its approval to cancel or amend a license, then it will also publish its decision in the Official Gazette, as well as in two local daily newspapers (one in Arabic, the other in English), once this decision has been implemented.

Amended: April 2012
October 2010

GR-6.1.7A
The publication cost of the notices referred to in Paragraph GR-6.1.7 is to be met by the licensee concerned.

Added: April 2012

GR-6.1.8
The licensee must continue to comply with all applicable CBB requirements until such time as it is formally notified by the CBB that its obligations have been discharged.

October 2010

GR-6.1.9
A licensee in liquidation must continue to meet its contractual and regulatory obligations to customers and creditors.

October 2010

GR-6.1.9A
If no objections to the liquidation are upheld by the CBB, the CBB may then issue a written notice of approval for the surrender of the license.

Added: April 2012

GR-6.1.10
If a licensee applies to the CBB for voluntary surrender of its authorisation, it must ensure that suitable arrangements are in place for insurance coverage, to continue in respect of any unreported claims arising from past transactions, in accordance with Rule GR-7.1.7.

October 2010

GR-6.1.11
Upon satisfactorily meeting the requirements set out in GR-6.1.2, the licensees must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its commercial registration from the Ministry of Industry, Commerce and Tourism.

Amended: April 2020
Added: October 2016

GR-7 GR-7 Insurance Coverage

GR-7.1 GR-7.1 Insurance Coverage Requirements

GR-7.1.1
Licensees are required to maintain the following insurance coverage at all times:

(a)Money in transit insurance;

(b)Fire, theft and other perils; and

(c)Fidelity.

October 2010

GR-7.1.2
A licensee is encouraged to assess its insurance needs, through professional advice, to ensure its adequacy to the level of business undertaken.

Amended: January 2011
October 2010

GR-7.1.3
The insurance coverage must be obtained from an insurance firm acceptable to the CBB and licensed in the Kingdom of Bahrain.

October 2010

GR-7.1.4
Licensees must submit an Insurance Coverage Return (Form ICR) on an annual basis, within 3 months of the end of the financial year. Additionally, they must provide, upon request, evidence to the CBB of the coverage in force.

Amended: October 2014
October 2010

GR-7.1.5
In accordance with Paragraph EN-B.3.1, licensees may not enter into or make a claim under a contract of insurance that is intended to, or has the effect of, indemnifying them from the financial penalties provided for in Module EN.

October 2010

GR-7.1.6
The requirement to maintain insurance coverage will normally be met by the licensee concerned obtaining an insurance policy from an insurance firm. The CBB may also accept an insurance policy issued at group level, e.g. issued with respect to the parent of the licensee, provided the terms of the policy explicitly provide coverage with respect to the licensee.

October 2010

GR-7.1.7
Unless otherwise agreed in writing with the CBB, the policy must contain a clause that it may not be cancelled or lapsed without the prior approval of the CBB. The policy must also contain a provision for an automatic extended reporting period in the event that the policy is cancelled or lapsed, such that claims relating to the period during which the policy was in force may subsequently still be reported.

October 2010

GR-7.1.8
As provided for in Module ES, insurance coverage requirements must be met by licensees which were licensed prior to the introduction of Volume 5 (Specialised Licensees) in October 2010, by June 2011. Licensees licensed after October 2010 are required to comply with the CBB's professional indemnity coverage requirements, from the point they are given a license.

October 2010

GR-8 GR-8 Display of License and Exchange Rates

GR-8.1 GR-8.1 Display of License and Exchange Rates

GR-8.1.1
Licensees must display the license granted to them by the CBB, and declare the exchange rates applied by them in a prominent position in their premises, including all of their branches.

October 2010

GR-9 GR-9 Security Measures

GR-9.1 GR-9.1 Security Measures for Money Changers

GR-9.1.1
Licensees must apply the following security measures as a minimum:

October 2010

GR-9.1.2
External Measures

(a) All offices must be located in heavy customer traffic areas, e.g. souqs. Not all malls may be considered heavy traffic areas. No branches should operate in isolated areas.

(b) Main entrance doors must be protected by a grill type steel rolling shutter during off hours.

(c) Branch alarm systems should have the following features:
(1) PIR Motion detectors;

(2) External audible siren or visible alarm. The choice of whether to use an audible alarm is left to the licensees concerned; and

(3) The intrusion detection system must be linked to the licensee's (i.e. head office) monitoring unit.

Amended: July 2011
October 2010

GR-9.1.3
Internal Measures

(a) Teller counters must be fully screened off from customers by glass screens. Cash should not be directly exchanged through screens. Special purpose trays (i.e. half-rounded trays) should be fitted for the exchange of cash;

(b) Access to teller areas must be restricted to authorised staff only;

(c) Front doors to teller areas must be eliminated as much as possible. When used, they must be full length, solid, secure and kept locked at all times; and

(d) Customers dealing with Branch Managers should not enter or pass through teller areas to get to the Branch Manager's office.

Amended: July 2011
October 2010

Teller Area

GR-9.1.4
Panic alarm systems for staff handling cash may be installed. The choice between silent or audible panic alarms is left to individual licensees. Kick bars and/or hold up buttons may be spread throughout the teller and customer service areas and the branch manager's office.

Amended: July 2011
October 2010

GR-9.1.5
Cash Safety

(a) Cash must be kept in safes up to international standards and preferably secured to a solid floor;

(b) All property in vaults and safes must be under the joint custody of two people;

(c) Safes should be located out of the sight of customers wherever possible; and

(d) Insurance coverage must be maintained in accordance with Section GR-7.1.

Amended: July 2011
October 2010

GR-9.1.5A
All cash movements between branches, or to and from banks should be performed by a special purpose vehicle.

Added: July 2011

GR-9.1.6
CCTV Network Systems

(a) All branches must have CCTV cameras in place. The following locations are recommended:
(1) Customer areas (hall, reception etc);

(2) Teller areas (cameras located at the rear of tellers); and

(3) Vault entrance/area; and

(b) Notices of CCTV cameras in operation must be put up for the attention of the public. CCTV records must be maintained for a minimum of 30 days. The CCTV system must be operational 24 hours per day.

Amended: July 2011
October 2010

GR-9.1.7
Formal Security Training

(a) Licensees must establish the position of security manager. For licensees with three or more branches, this position must be a formally identified position. For licensees with one or two branches, the responsibilities of this position may be added to the duties of a member of management. This person will be responsible for ensuring that all staff are given annual, comprehensive security training. Training should form part of the induction program for new staff. Training should be given to all staff when new security measures are introduced; and

(b) Licensees should produce a security manual or procedures for staff, especially those dealing directly with customers.

Amended: July 2011
October 2010

GR-9.1.8
Other Issues

(a) Opening and closing procedures must be put in place for those responsible for opening and closing the premises; and

(b) Rotation of tellers must be implemented on a regular basis.

Amended: July 2011
October 2010

GR-9.1.9
The security manager must maintain records on documented security related complaints by customers and take corrective action or make recommendations for action on a timely basis. Actions and recommendations must also be documented.

Added: July 2011

GR-9.1.10
Licensees must consider safety and security issues when selecting premises for new branches. Key security issues include prominence of location (i.e. is the branch on a main street or a back street?), accessibility for emergency services, and assessment of surrounding premises (in terms of their safety or vulnerability), and the number of entrances to the branch. All licensees are required to hold an insurance blanket bond (which includes theft of cash in its cover).

Added: July 2011

GR-10 GR-10 Measures to Detect Counterfeit Currency

GR-10.1 GR-10.1 Measures to Detect Counterfeit Currency

GR-10.1.1
Licensees are required to apply the measures in this Section to detect counterfeit currency:

October 2010

GR-10.1.2
Licensees must have in place counterfeit detection machines that comply with the following requirements:

(a) The detection machines must be used to verify the validity of all Bahraini currency submitted to licensees (including any branch);

(b) Licensees should have a suitable number of machines at each outlet to handle the volume of banknotes they ordinarily receive. Every outlet must have at least one such detection machine.

(c) A teller (or any other person who accepts cash from the public) must check the validity of all the banknotes he receives on a detection machine. Licensees should ensure that tellers have been given adequate training in receiving banknotes and are familiar with the security features of Bahraini notes; and

(d) Licensees should endeavour to have detection machines that employ state-of-the-art detection technology. What constitutes 'state-of-the-art detection technology' shall be left for the determination of licensees, but the management of such licensees must apply their judgement as to the suitability of the technology they are employing and be prepared to justify their choices to the CBB upon request.

October 2010

Reporting

GR-10.1.3
When a licensee discovers a counterfeit note (or what appears to be an item intended to be passed-off as a lawful banknote of the Kingdom) it should remit the same to the Currency Issue Directorate at the CBB, together with a report as required in Rules BR-1.5.14 and BR-1.5.15.

October 2010

GR-10.1.4
When a licensee discovers a counterfeit note of a foreign currency, it should remit the same to Director of the Compliance Directorate at the CBB and copied to the Director of the Financial Intelligence Unit at the Ministry of Interior, together with a report as required in Rules BR-1.5.14 and BR-1.5.15.

October 2010

GR-10.1.5
Licensees are reminded that inadvertent receipt of counterfeit currency remains their responsibility and their liability alone. The CBB has no obligation to give value for any counterfeit currency.

October 2010

GR-11 GR-11 Credit Facilities Extended to Related Parties

GR-11.1 GR-11.1 Credit Facilities Extended to Related Parties

GR-11.1.1
Licensees are prohibited from extending credit facilities to proprietors, partners and shareholders of the business.

Amended: January 2013
October 2010

GR-11.1.1A
Credit facilities include but are not limited to loans and shari'a compliant financing facilities.

Added: January 2013

GR-11.1.2
Credit facilities may be extended to employees of the licensee, other than proprietors, partners and shareholders of the business.

Amended: January 2013
October 2010

GR-11.1.3
Licensees must obtain the CBB's prior written approval for any credit facility in excess of BD15,000, extended to the employees of the business.

Amended: January 2013
October 2010

GR-11.1.4
Licensees must obtain the CBB's prior written approval before writing-off any credit facility extended to the employees of the business.

Amended: January 2013
October 2010

Business Standards

CA CA Money Changers Capital Adequacy Module

CA-A CA-A Introduction

CA-A.1 CA-A.1 Purpose

Executive Summary

CA-A.1.1
This Module lays down requirements that apply to all licensees, with respect to the minimum level of capital they must maintain.

October 2010

CA-A.1.2
Principle 9 of the Principles of Business requires that licensees maintain adequate human, financial and other resources, sufficient to run their business in an orderly manner (see Section PB-1.1.9).

October 2010

Legal Basis

CA-A.1.3
This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) relating to the capital adequacy of licensees, and is issued under the powers available to the CBB under Article 38 of the CBB Law. The Directive in this Module is applicable to all licensees. Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

Amended: January 2011
October 2010

CA-A.1.4
For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

October 2010

CA-A.2 CA-A.2 Module History

Evolution of Module

CA-A.2.1
This Module was first issued in October 2010 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

CA-A.2.2

A list of recent changes made to this Module is provided below:

Module Ref.	Change Date	Description of Changes
CA-A.1.3	01/2011	Clarified legal basis.
CA-1.2.2 and CA-1.2.3	01/2011	Clarified minimum capital requirements for licensees authorised prior to 1st January 2011.
CA-1.4.1	01/2011	Added cross reference.
CA-1.4.1	07/2011	Clarified Rule pertaining to capital required for any additional branch.

Superseded Requirements

CA-A.2.3

This Module supersedes the following provisions contained in circulars or other regulatory instruments:

Document Ref.	Document Subject
Standard Conditions and Licensing Criteria: Money Changers	Capital Funds
BC/24/99	Accounts of Money Changers
BC/6/99	Bank Guarantee

October 2010

CA-B CA-B Scope of Application

CA-B.1 CA-B.1 Scope of Application

CA-B.1.1
The content of this Module applies to all Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

October 2010

CA-1 CA-1 Capital Adequacy Requirements

CA-1.1 CA-1.1 General Requirements

Obligation to Maintain Adequate Capital

CA-1.1.1
In accordance with Principle of Business 9 (Section PB-1.1.9), licensees must maintain adequate human, financial and other resources sufficient to run their business in an orderly manner.

October 2010

CA-1.1.2
Licensees are required to maintain, at all times, the minimum capital requirement specified in Section CA-1.2.

October 2010

CA-1.1.3
In addition to the minimum capital requirements specified in Section CA-1.2 onwards, the CBB may, at its discretion, require licensees to hold additional capital, should this be necessary (in the CBB's view) to meet additional liquidity requirements. (refer to CA-1.5.2)

October 2010

CA-1.1.4
No funds may be withdrawn by shareholders from the licensee without the necessary prior written approval of the CBB.

October 2010

CA-1.1.5
In the event that a licensee fails to meet any of the requirements specified in this Module, it must, on becoming aware that it has breached these requirements, immediately notify the CBB in writing. Unless otherwise directed, the licensee must in addition submit to the CBB, within 30 calendar days of its notification, a plan demonstrating how it will achieve compliance with these requirements.

October 2010

CA-1.1.6
Should a licensee fail to comply with the requirements of this Module, the CBB may impose enforcement measures, as described in Module EN.

October 2010

CA-1.2 CA-1.2 Minimum Capital Requirements

Key Requirements

CA-1.2.1
Licensees must ensure that, at all times, their Minimum Capital meets the requirement stipulated in Rule CA-1.2.2 below.

October 2010

CA-1.2.2
Minimum Capital Requirements are:

(a) Paid-up Capital of not less than BD500,000;

(b) Additional Paid-up Capital of BD30,000 for each branch; and

(c) A Bank Guarantee of not less than BD50,000.

Amended: January 2011
October 2010

CA-1.2.3
For those licensees authorised prior to 1st January 2011, the minimum paid-up capital noted in Subparagraph CA-1.2.2 (a) must be not less than BD200,000. In addition, such licensees must comply with Subparagraphs CA-1.2.2 (b) and (c).

January 2011

CA-1.3 CA-1.3 Guarantee Requirements

CA-1.3.1
Licensees are required to provide the CBB with a guarantee in respect of their liabilities. The guarantee must be:

a) In favor of and callable by the CBB at the CBB's sole discretion;

b) Unconditional and irrevocable;

c) Issued by a retail bank licensed by the CBB;

d) Valid at all times for a period of one year; and

e) Renewed at least one week before its expiry and submitted to the CBB.

October 2010

CA-1.3.2
If the guarantee is not renewed within the stipulated timeframe, the CBB may call the guarantee.

October 2010

CA-1.4 CA-1.4 Capital Requirement for Branches

CA-1.4.1
In addition to the minimum paid-up capital required under Section CA-1.2, licensees must inject capital in the amount of BD30, 000 in respect of any additional branch (see CA-1.2.2 for additional details).

Amended: July 2011
Amended: January 2011
October 2010

CA-1.4.2
Licensees must provide the CBB with evidence of the deposited amount of capital as part of the application for a branch outlined in Section 4.2 of the Module AU (Authorisation).

October 2010

CA-1.5 CA-1.5 Additional Requirements

CA-1.5.1
A licensee's liabilities should not exceed threefold its capital and reserves.

October 2010

CA-1.5.2
A licensee's liquid assets must be held in a form acceptable to the CBB, in a minimum amount of three months estimated expenditures including salaries, rent, general utilities and other operating costs.

October 2010

CA-1.5.3
Liquid assets comprise of cash, cash equivalents, and placements or deposits maturing within 30 days.

October 2010

BC BC Money Changers Business Conduct Module

BC-A BC-A Introduction

BC-A.1 BC-A.1 Purpose

Executive Summary

BC-A.1.1
This Module contains requirements that have to be met by licensees with regards to their dealings with customers.

October 2010

BC-A.1.2
The Rules contained in this Module aim to ensure that licensees deal with their customers in a fair and open manner, and address their customers' information needs.

October 2010

BC-A.1.3
The Rules build upon several of the Principles of Business (see Module PB (Principles of Business)). Principle 1 (Integrity) requires licensees to observe high standards of integrity and fair dealing, and to be honest and straightforward in their dealings with customers. Principle 3 (Due skill, care and diligence) requires licensees to act with due skill, care and diligence when acting on behalf of their customers. Principle 7 (Customer Interests) requires licensees to pay due regard to the legitimate interests and information needs of their customers, and to communicate with them in a fair and transparent manner.

October 2010

BC-A.1.4
The Rules contained in this Module are largely principles-based and focus on desired outputs rather than on prescribing detailed processes. This gives licensees flexibility in how to implement the basic standards prescribed in this Module.

October 2010

Legal Basis

BC-A.1.5
This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) on business conduct by licensees, and is issued under the powers available to the CBB under Article 38 of the CBB Law. The directive in this Module is applicable to all licensees. Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

Amended: January 2011
October 2010

BC-A.1.6
For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

October 2010

BC-A.2 BC-A.2 Module History

Evolution of the Module

BC-A.2.1
This Module was first issued in October 2010 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

BC-A.2.2

A list of recent changes made to this Module is provided below:

Module Ref.	Change Date	Description of Changes
BC-A.1.5	01/2011	Clarified legal basis.
BC-2.5.2	07/2019	Amended the number of years for record keeping.
BC-C	10/2020	Added a new Chapter on Provision of Financial Services on a Non-discriminatory Basis

Superseded Requirements

BC-A.2.3

This Module supersedes the following provisions contained in circulars or other regulatory requirements:

Document Ref.	Document Subject
EDBC/73/96	Explanatory note on the promotion of banking and financial products offered in/from Bahrain by means of incentives.

October 2010

BC-B BC-B Scope of Application

BC-B.1 BC-B.1 Scope of Application

BC-B.1.1
The content of this Module applies to all Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

October 2010

BC-C BC-C Provision of Financial Services on a Non-discriminatory Basis

BC-C.1 BC-C.1 Provision of Financial Services on a Non-discriminatory Basis

BC-C.1.1
Money changer licensees must ensure that all regulated financial services are provided without any discrimination based on gender, nationality, origin, language, faith, religion, physical ability or social standing.

Added: October 2020

BC-1 BC-1 Base Requirements

BC-1.1 BC-1.1 General Rules

BC-1.1.1
This Module applies to all licensees.

October 2010

BC-1.1.2
This Module aims to encourage high standards of business conduct, which are broadly applicable to all licensees, all types of regulated money changer services, and all types of customers.

October 2010

BC-1.1.3
Licensees must comply with the Money Changers' Business Code of Practice ('the Code'), under Chapter 2 of this Module, throughout the lifetime of their relationship with a customer.

October 2010

BC-1.1.4
Licensees must take responsibility for compliance with the Code by all persons carrying out regulated money changer services on their behalf. Licensees must put in place appropriate measures across all their business operations to ensure compliance with the Code.

October 2010

BC-1.1.5
The Business Code of Practice comprises a number of overarching principles of business conduct, with respect to the conduct of regulated money changer services by licensees; these cover the various stages of the life of a customer relationship.

October 2010

BC-1.1.6
Licensees must maintain adequate records to demonstrate compliance with the Code.

October 2010

BC-1.1.7
The Code focuses on desired outcomes, rather than prescribing detailed measures to achieve those outcomes.

October 2010

BC-1.1.8
The CBB will monitor compliance with the Code and business conduct standards. If required, the CBB may develop more detailed rules and guidance to supplement the existing Code.

October 2010

BC-2 BC-2 The Business Code of Practice

BC-2.1 BC-2.1 Overarching Principles

BC-2.1.1
In the course of regulated money changer services, licensees must:

(a) Act with due skill, care and diligence in all dealings with customers;

(b) Act fairly and reasonably in all dealings with customers;

(c) Identify customers' specific requirements in relation to the services about which they are enquiring;

(d) Provide sufficient information to enable customers to make informed decisions when purchasing services offered to them, as listed under Paragraph BC-2.5.2 of the Appendix;

(e) Provide sufficient and timely documentation to customers to confirm that their transaction arrangements are in place and provide all necessary information about their rights and responsibilities, as listed under Paragraph BC-2.5.3 of the Appendix;

(f) Maintain fair treatment of customers through the lifetime of the customer relationships, and ensure that customers are kept informed of important events;

(g) Ensure complaints from customers are dealt with fairly and promptly, in accordance with the Rules under Section BC-2.3;

(h) Ensure that all information provided to customers is clear, fair and not misleading, and appropriate to customers' information needs; and

(i) Take appropriate measures to safeguard any money and precious metals handled on behalf of customers and maintain confidentiality of customer information.

October 2010

BC-2.2 BC-2.2 Marketing and Promotion

BC-2.2.1
Licensees must ensure that all advertising and promotional material is fair, clear and not misleading.

October 2010

BC-2.2.2
In ensuring that the description of the service in the promotional material is fair, clear and not misleading, the licensee should send copies of the documentation relating to promotional schemes to the CBB at least 2 weeks prior to their launch and should, among other precautionary measures, ensure that:

a) The purpose, and to the extent practicable, the content, of the information or communication are likely to be understood by the average member of the group to whom the communication is addressed;

b) Key items contained in the information are given due prominence;

c) The method of presentation in the information does not disguise, diminish, or obscure important risks, warnings or information; and

d) The communication does not omit information that is material to ensure it is fair, clear and not misleading.

October 2010

BC-2.2.3
Licensees must ensure that the accuracy of all material statements of fact in promotional materials is supported by adequate evidence.

October 2010

BC-2.2.4
Licensees must not, in any form of communication with an individual customer, attempt to limit or avoid any duty or liability it may have towards the individual customer in relation to regulated money changing services.

October 2010

Content of Promotions

BC-2.2.5

Before a licensee communicates any promotional material to a customer or a potential customer it must ensure the promotional material at the very least contains the information laid out in Paragraph BC-2.5.1 of the Appendix.

BC-2.2.6

Licensees must not make use of the name of the CBB in any promotion in such a way that would indicate endorsement or approval of its services.

BC-2.2.7

All documentation concerning promotional schemes must be in Arabic and English and, if relevant, any other language necessary for customers to fully understand and appreciate their terms and conditions. Such terms and conditions, including any related advertising, need to be clear, concise, truthful, unambiguous and complete so as to enable customers to make a fully informed decision.

BC-2.2.8

Customers to whom promotional schemes are directed should enjoy equal opportunity in terms of access to, and treatment within, such schemes.

BC-2.2.9

No costs (including funding costs), charges or levies associated with promotional schemes should be concealed from prospective customers.

BC-2.2.10

Any raffles/lotteries etc. held as part of promotional schemes should be independently monitored (e.g. by the institution's external auditor) and adequate systems put in place to ensure fair play and impartiality.

BC-2.2.11

An appropriate system should also exist for informing participants of the results of a raffle/lottery without delay.

BC-2.2.12

Institutions should note that raffles/lotteries etc. may be subject to rules and requirements (including prior authorisation/approval) laid down by the Ministry of Industry and Commerce.

Records

BC-2.2.13

Licensees must maintain a record of all promotional materials issued by them or on their behalf, particularly where raffles/lotteries etc. are concerned.

BC-2.3 BC-2.3 Complaints

BC-2.3.1
Licensees must disclose, maintain and operate effective procedures for handling complaints in a reasonable and timely manner. These procedures include:

(a) Informing customers in writing of any out of court complaint and redress mechanism and methods for having access to it;

(b) Paying compensation or other forms of redress to customers where the licensee decides this is appropriate; and

(c) Regularly verifying if complaints are effectively processed.

October 2010

BC-2.3.2
Upon receiving complaints from customers (either orally or in writing), licensees must:

(a) Acknowledge complaints promptly, within 5 business days, and provide customers with an explanation about how the complaint will be handled and any actions required of the customer;

(b) Consider and handle complaints fairly and promptly, keeping customers informed of progress; and

(c) Provide final responses to customers' complaints without undue delay and within 20 business days.

October 2010

BC-2.3.3
In their final responses to customers' complaints, licensees must:

(a) Accept (or partially accept) the complaint and where appropriate offer compensation or other forms of redress; or

(b) Reject (or partially reject) the complaint, informing customers with a full explanation of the licensee's position.

October 2010

Records

BC-2.3.4
Licensees must maintain adequate records of all complaints received, and how they were dealt with, to a level of detail sufficient to demonstrate compliance with this Section and in accordance with the Rules under Section GR-1.

October 2010

BC-2.3.5
In recording complaints activity, licensees should consider the types of data and reports that will enable them to demonstrate compliance with the above Rules for handling complaints, together with the overarching principles requiring fair dealings with customers.

October 2010

BC-2.4 BC-2.4 Confidentiality

BC-2.4.1
Licensees must ensure that any information obtained from their customers is not used or disclosed unless:

(a) They have the customer's consent;

(b) Disclosure is made in accordance with the licensee's regulatory obligations; or

(c) The licensee is legally obliged to disclose the information in accordance with Article 117 of the CBB Law.

October 2010

BC-2.4.2
Licensees must take appropriate steps to ensure the security of any information handled or held on behalf of their customers.

October 2010

BC-2.5 BC-2.5 Appendix

BC-2.5.1
The minimum information that should be contained in promotional material includes:

(a) The name of the licensee communicating the promotional material;

(b) The licensee's address;

(c) A description of the main characteristics of the service offered;

(d) Suitable warning regarding the risks of the service offered; and

(e) A clear statement indicating that, if a customer is in any doubt about the suitability of the agreement which is the subject of the promotion, he should consult the licensee.

October 2010

BC-2.5.2
The minimum information that should be provided to customers when purchasing regulated money changer services include:

(a) The regulatory status of the licensee;

(b) A statement that the licensee is bound by the CBB's regulation and licensing conditions;

(c) The licensee's name, address, e-mail and telephone number;

(d) A statement of the services provided by the licensee, as permitted by the CBB;

(e) The total price to be paid by the customer to the licensee for its services, or, where an exact price cannot be indicated, the basis for the calculation of the price enabling the customer to verify it;

(f) A statement that clearly indicates the following:
(i) The customer's right to obtain copies of records relating to his business with the licensee;

(ii) The customer's record will be kept for 5 years or as otherwise required by Bahrain Law; and

(g) The name and job title, address and telephone number of the person in the licensee to whom any complaint should be addressed (in writing) by the customer.

Amended: July 2019
October 2010

BC-2.5.3
The minimum information that should be included in a transaction confirmation includes:

(a) The licensee's name and address;

(b) The customer's name or other identifier;

(c) Whether the transaction was a sale or purchase;

(d) The date and time of the transaction; and

(e) The amount the licensee charges in connection with the transaction, including commission charges.

October 2010

RM RM Money Changers Risk Management Module

RM-A RM-A Introduction

RM-A.1 RM-A.1 Purpose

Executive Summary

RM-A.1.1
This Module contains requirements relating to the management of risk by licencees. It expands on certain high level requirements contained in other Modules. In particular, Section AU-2.6 of Module AU (Authorisation) specifies requirements regarding systems and controls that have to be met as a license condition; Principle 10 of the Principles of Business (ref. PB-1.10) requires licencees to have systems and controls sufficient to manage the level of risk inherent in their business; and Module HC (High-level Controls) specifies various requirements relating to the role and composition of Boards, and related high-level controls.

October 2010

RM-A.1.2
This Module obliges licensees to recognise the range of risks that they face and the need to manage these effectively. Their risk management framework is expected to have the resources and tools to identify, monitor and control all material risks. The adequacy of a licensee's risk management framework is subject to the scale and complexity of its operations, however. In demonstrating compliance with certain Rules, licensees with very simple operational structures and business activities may need to implement less extensive or sophisticated risk management systems, compared to licensees with a complex and/or extensive customer base or operations.

October 2010

Legal Basis

RM-A.1.3
This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) regarding Risk Management requirements applicable to licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

Amended: January 2011
October 2010

RM-A.1.4
For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

October 2010

RM-A.2 RM-A.2 Module History

Evolution of the Module

RM-A.2.1
This Module was first issued in October 2010. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

RM-A.2.2

A list of recent changes made to this Module is provided below:

Module Ref.	Change Date	Description of Changes
RM-A.1.3	01/2011	Clarified legal basis.
RM-2.1.2	10/2017	Amended Paragraph to allow the utilization of cloud services.
RM-2.1.4A	10/2017	Added a new Paragraph on outsourcing requirements.
RM-2.1.7	10/2017	Amended Paragraph.
RM-2.1.9	10/2017	Amended Paragraph.
RM-2.1.11	10/2017	Amended Paragraph.
RM-2.1.13	10/2017	Added a new Paragraph on outsourcing.
RM-2.1.15	10/2017	Amended Paragraph.
RM-2.2.9	10/2017	Amended Paragraph.
RM-2.2.15	10/2017	Amended Paragraph.
RM-2.2.16	10/2017	Added a new Paragraph on security measures related to cloud services.
RM-2.3.2	10/2017	Amended Paragraph.
RM-1.5.5	01/2021	Added a new Paragraph on electronic fraud.
RM-1.5.6	01/2021	Added a new Paragraph on electronic fraud awareness.
RM-3	01/2022	Added a new Chapter on Cyber Security Risk Management.
RM-3.1.61	04/2022	Deleted reference to BR.
RM-3.1.58	04/2022	Amended Paragraph on cyber security incident reporting.
RM-3.1.59	04/2022	Amended Paragraph on submission period of the cyber security incident report.
RM-2	07/2022	Replaced Chapter RM-2 with new Outsourcing Requirements.
RM-3.1.22	10/2022	Amended Paragraph on email domains requirements.
RM-3.1.22A	10/2022	Added a new Paragraph on additional domains requirements.
RM-1.5.7 – RM-1.5.9	07/2023	Added new Rules on secured customer authentication requirements.

Superseded Requirements

RM-A.2.3

This Module does not replace any regulations or circulars in force prior to month year.

Document Ref.	Date of Issue	Module Ref.	Document Subject

October 2010

RM-B RM-B Scope of Application

RM-B.1 RM-B.1 Scope of Application

RM-B.1.1
The content of this Module applies to all Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

October 2010

RM-1 RM-1 General Requirements

RM-1.1 RM-1.1 Risk Management

Board of Directors' Responsibility

RM-1.1.1
The Board of Directors of licensees must take responsibility for the establishment of an adequate and effective framework for identifying, monitoring and managing risks across all its operations.

October 2010

RM-1.1.2
The CBB expects the Board to be able to demonstrate that it provides suitable oversight and establishes, in relation to all the risks the licencee is exposed to, a risk management framework that includes setting and monitoring policies, systems, tools and controls.

October 2010

RM-1.1.3
Although authority for the management of a firm's risks is likely to be delegated, to some degree, to individuals at all levels of the organisation, the overall responsibility for this activity should not be delegated from its governing body and relevant senior managers.

October 2010

RM-1.1.4
A licencees's failure to establish, in the opinion of the CBB, an adequate risk management framework will result in it being in breach of Condition 6 of the Licensing Conditions of Section AU-2.6. This failure may result in the CBB withdrawing or imposing restrictions on the licensee, or the licensee being required to inject more capital.

October 2010

RM-1.1.5
The Board of Directors must also ensure that there is adequate documentation of the licensee's risk management framework.

October 2010

Systems and Controls

RM-1.1.6
The risk management framework of licensees must provide for the establishment and maintenance of effective systems and controls as are appropriate to their business, so as to identify, measure, monitor and manage risks.

October 2010

RM-1.1.7
An effective framework for risk management should include systems to identify, measure, monitor and control all major risks on an on-going basis. The risk management systems should be approved and periodically reviewed by the Board as outlined in HC-1.1.5.

October 2010

RM-1.1.8
The systems and controls required by Paragraph RM-1.1.6 must be proportionate to the nature, scale and complexity of the firm's activities.

October 2010

RM-1.1.9
The processes and systems required must enable the licensee to identify the major sources of risk to its ability to meet its liabilities as they fall due, which include but are not limited to the following:

(a) Counterparty Risk;

(b) Liquidity Risk;

(c) Market Risk; and

(d) Operational Risk.

October 2010

RM-1.2 RM-1.2 Counterparty Risk

RM-1.2.1
Licensees must adequately document the necessary policies and procedures for identifying, measuring, monitoring and controlling counterparty risk. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.

October 2010

RM-1.2.2
Among other things, the licensee's policies and procedures must identify the limits it applies to counterparties, how it monitors movements in counterparty risk and how it mitigates loss in the event of counterparty failure.

October 2010

RM-1.3 RM-1.3 Liquidity Risk

RM-1.3.1
Licensees must maintain a liquidity risk policy for the management of liquidity risk, which is appropriate to the nature, scale and complexity of its activities. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.

October 2010

RM-1.3.2
Among other things, the licensee's liquidity risk policy must identify the limits it applies, how it monitors movements in risk and how it mitigates loss in the event of unexpected liquidity events.

October 2010

RM-1.4 RM-1.4 Market Risk

RM-1.4.1
Licensees must document their framework for the proactive management of market risk. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.

October 2010

RM-1.5 RM-1.5 Operational Risk

RM-1.5.1
Licensees must document their framework for the proactive management of operational risk. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.

October 2010

RM-1.5.2
Licensees must consider the impact of operational risks on their financial resources and solvency.

October 2010

RM-1.5.3
Licensees' business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the licensee and its business portfolio.

October 2010

RM-1.5.4
Business continuity management includes policies, standards, and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimise the operational, financial, legal, reputational and other material consequences arising from a disruption. Effective business continuity management concentrates on the impact, as opposed to the source, of the disruption, which affords financial industry participants and financial authorities greater flexibility to address a broad range of disruptions. At the same time, however, licencees cannot ignore the nature of risks to which they are exposed.

October 2010

Electronic Frauds

RM-1.5.5
Licensees must implement enhanced fraud monitoring of movements in customers’ accounts to guard against electronic frauds using various tools and measures, such as limits in value, volume and velocity.

Added: January 2021

RM-1.5.6
Licensees must have in place customer awareness communications, pre and post registration process, using video calls, short videos or pop-up messages, to alert and warn natural persons using online channels or applications about the risk of electronic frauds, and emphasise the need to secure their personal credentials and not share them with anyone, online or offline.

Added: January 2021

Secure Authentication

RM-1.5.7
Licensees must take appropriate measures to authenticate the identity and authorisation of customers when the customer accesses the online or digital platform or when a transaction is initiated on the platform.

Licensees must, at a minimum, establish adequate security features for customer authentication including the use of at least two different elements out of the following three elements:

(a) Knowledge (something only the user knows), such as pin or password;

(b) Possession (something only the user possesses) such as mobile phone, smart watch, smart card or a token; and

(c) Inherence (something the user is), such as fingerprint, facial recognition, voice patterns, DNA signature and iris format.

Added: July 2023

RM-1.5.8
For the purpose of Paragraph RM-1.5.7, licensees must ensure that the authentication elements are independent from each other, in that the breach of one does not compromise the reliability of the others and are sufficiently complex to prevent forgery.

Added: July 2023

RM-1.5.9
For the purposes of Subparagraph RM-1.5.7 (b), where a customer’s mobile device is registered/marked as ‘trusted’ using knowledge, biometric or other authentication methods through the licensee’s application, the use of such mobile device would be considered as meeting the ‘possession’ element for authentication of future access or transactions using that device.

Added: July 2023

RM-2 RM-2 Outsourcing Requirements

RM-2.1 RM-2.1 Outsourcing Arrangements

RM-2.1.1
This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

Amended: July 2022
October 2010

RM-2.1.2
In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

Amended: July 2022
October 2010

RM-2.1.3
In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

i. The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; and

ii. The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.

Amended: July 2022
Amended: October 2017
October 2010

RM-2.1.4
The licensee must not outsource the following functions:

(i) Compliance;

(ii) AML/CFT;

(iii) Financial control;

(iv) Risk management; and

(v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).

Amended: July 2022
October 2010

RM-2.1.5
For the purposes of Paragraph RM-2.1.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph RM-2.1.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.

Amended: July 2022
October 2010

RM-2.1.6
Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph RM-2.1.4 (iv), subject to CBB’s prior approval.

Amended: July 2022
October 2010

RM-2.1.7
Licensees must comply with the following requirements:

(i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:
a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and

b. be made at least 30 calendar days before the licensee intends to commit to the arrangement.

(ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.

(iii) Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.

(iv) Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of the licensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.

(v) Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement.

(vi) Licensee must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.

(vii) Licensee must inform its normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.

Amended: July 2022
Amended: October 2017
October 2010

RM-2.1.8
For the purpose of Subparagraph RM-2.1.7 (iv), licensees as part of their assessments may use the following:

a) Independent third-party certifications on the outsourcing service provider’s security and other controls;

b) Third-party or internal audit reports of the outsourcing service provider; and

c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.

When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.

Amended: July 2022
October 2010

RM-2.1.9
For the purpose of Subparagraph RM-2.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.

Amended: July 2022
Amended: October 2017
October 2010

RM-2.2 [This Section was deleted in July 2022]

RM-2.3 [This Section was deleted in July 2022]

RM-2.4 [This Section was deleted in July 2022]

RM-3 RM-3 Cyber Security Risk Management

RM-3.1 RM-3.1 Cyber Security Risk Management

Role of the Board and Senior Management

RM-3.1.1
The Board of money changer licensees must ensure that the licensee has a robust cyber security risk management framework to comprehensively manage the licensee’s cyber security risk and vulnerabilities. The Board must establish clear ownership, decision-making and management accountability for risks associated with cyber-attacks and related risk management and recovery processes.

Added: January 2022

RM-3.1.2
Licensees must ensure that the cyber security risk management framework encompasses, at a minimum, the following components:

a) Cyber security strategy;

b) Cyber security policy; and

c) Cyber security risk management approach, tools and methodology and, an organization-wide security awareness program.

Added: January 2022

RM-3.1.3
The cyber security risk management framework must be developed in accordance with the National Institute of Standards and Technology (NIST) Cyber security framework which is summarized in Appendix A – Cyber security Control Guidelines. At the broader level, the Cyber security framework should be consistent with the licensee’s risk management framework.

Added: January 2022

RM-3.1.4
Senior management, and where appropriate, the boards, should receive comprehensive reports covering cyber security issues such as the following:

a. Key Risk Indicators/Key Performance Indicators;

b. Status reports on overall cyber security control maturity levels;

c. Status of staff Information Security awareness;

d. Updates on latest internal or relevant external cyber security incidents; and

e. Results from penetration testing exercises.

Added: January 2022

RM-3.1.5
The Board must ensure that the cyber security risk management framework is evaluated for scope of coverage, adequacy and effectiveness every three years or when there are significant changes to the risk environment, taking into account emerging cyber threats and cyber security controls.

Added: January 2022

RM-3.1.6
Licensees must have in place arrangements to handle cyber security risk management responsibilities. Licensees may, commensurate with their size and risk profile, assign the responsibilities to a qualified Chief Information Security Officer (CISO) reporting to an independent risk management function or incorporate the responsibilities of cyber security risk into the risk management function. Overseas licensees must be governed under a framework of cyber security risk management policies which ensure that an adequate level of oversight is exercised by the regional office or head office.

Added: January 2022

RM-3.1.7
Licensees should ensure that appropriate resources are allocated to the cyber security risk management function for implementing the cyber security framework.

Added: January 2022

RM-3.1.8
Licensees must ensure that the cyber security risk management function is headed by suitably qualified Chief Information Security Officer (CISO), with appropriate authority to implement the Cyber Security strategy.

Added: January 2022

RM-3.1.9
Licensees may establish a cyber security committee that is headed by an independent senior manager from a control function (like CFO / CRO), with appropriate authority to approve policies and frameworks needed to implement the cyber security strategy, and act as a governance committee for the cyber security function. Membership of this committee should include senior management members from business functions, IT, Risk and Compliance.

Added: January 2022

RM-3.1.10
The senior management must be responsible for the following activities:

(a) Create the overall cyber security risk management framework and adequately oversee its implementation;

(b) Formulate an organisation-wide cyber security strategy and cyber security policy;

(c) Implement and consistently maintain an integrated, organisation-wide, cyber security risk management framework, and ensure sufficient resource allocation;

(d) Monitor the effectiveness of the implementation of cyber security risk management practices and coordinate cyber security activities with internal and external risk management entities;

(e) Ensure that internal management reporting caters to cyber threats and cyber security risk treatment;

(f) Prepare quarterly or more frequent reports on all cyber incidents (internal and external) and their implications on the licensee; and

(g) Ensure that processes for identifying the cyber security risk levels across the licensee are in place and annually evaluated.

Added: January 2022

RM-3.1.11
The senior management must ensure that:

(a) The licensee has identified clear internal ownership and classification for all information assets and data;

(b) The licensee has maintained an inventory of the information assets and data which is reviewed and updated regularly;

(c) The cyber security staff are adequate to manage the licensee’s cyber security risks and facilitate the performance and continuous improvement of all relevant cyber security controls;

(d) It provides and requires cyber security staff to attend regular cyber security update and training sessions (for example Security+, CEH, CISSP, CISA, CISM, CCSP) to stay abreast of changing cyber security threats and countermeasures.

Added: January 2022

RM-3.1.12
With respect to Subparagraph RM-3.1.11(a), data classification entails analyzing the data the licensee retains, determining its importance and value, and then assigning it to a category. When classifying data, the following aspects of the policy should be determined:

a) Who has access to the data;

b) How the data is secured;

c) How long the data is retained (this includes backups);

d) What method should be used to dispose of the data;

e) Whether the data needs to be encrypted; and

f) What use of the data is appropriate.

The general guideline for data classification is that the definition of the classification should be clear enough so that it is easy to determine how to classify the data. In other words, there should be little (if any) overlap in the classification definitions. The owner of data (i.e. the relevant business function) should be involved in such classification.

Added: January 2022

Cyber Security Strategy

RM-3.1.13
An organisation-wide cyber security strategy must be defined and documented to include:

(a) The position and importance of cyber security at the licensee;

(b) The primary cyber security threats and challenges facing the licensee;

(c) The licensee’s approach to cyber security risk management;

(d) The key elements of the cyber security strategy including objectives, principles of operation and implementation approach;

(e) Scope of risk identification and assessment, which must include the dependencies on third party service providers;

(f) Approach to planning response and recovery activities; and

(g) Approach to communication with internal and external stakeholders including sharing of information on identified threats and other intelligence among industry participants.

Added: January 2022

RM-3.1.14
The cyber security strategy should be communicated to the relevant stakeholders and it should be revised as necessary and, at least, once every three years. Appendix A provides cyber security control guidelines that can be used as reference to support the licensee’s cyber security strategy and cyber security policy.

Added: January 2022

Cyber Security Policy

RM-3.1.15
Licensees must implement a written cyber security policy setting forth its policies for the protection of its electronic systems and client data stored on those systems, which must be reviewed and approved by the licensee’s senior management, as appropriate, at least annually. The cyber security policy areas including but not limited to the following must be addressed:

(a) Definition of the key cyber security activities within the licensee, the roles, responsibilities, delegated powers and accountability for these activities;

(b) A statement of the licensee’s overall cyber risk tolerance as aligned with the licensee’s business strategy. The cyber risk tolerance statement should be developed through consideration of the various impacts of cyber threats including customer impact, service downtime, potential negative media publicity, potential regulatory penalties, financial loss, and others;

(c) Definition of main cyber security processes and measures and the approach to control and assessment;

(d) Policies and procedures (including process flow diagrams) for all relevant cyber security functions and controls including the following:
(a) Asset management (Hardware and software);

(b) Incident management (Detection and response);

(c) Vulnerability management;

(d) Configuration management;

(e) Access management;

(f) Third party management;

(g) Secure application development;

(h) Secure change management;

(i) Cyber training and awareness;

(j) Cyber resilience (business continuity and disaster planning); and

(k) Secure network architecture.

Added: January 2022

Approach, Tools and Methodology

RM-3.1.16
Licensees must ensure that the cyber security policy is effectively implemented through a consistent risk-based approach using tools and methodologies that are commensurate with the size and risk profile of the licensee. The approach, tools and methodologies must cover all cyber security functions and controls defined in the cyber security policy.

Added: January 2022

RM-3.1.17
Licensees should establish and maintain plans, policies, procedures, process and tools (“playbooks”) that provide well-defined, organised approaches for cyber incident response and recovery activities, including criteria for activating the measures set out in the plans and playbooks to expedite the licensee’s response time. Plans and playbooks should be developed in consultation with business lines to ensure business recovery objectives are met and are approved by senior management before broadly shared across the licensee. They should be reviewed and updated regularly to incorporate improvements and/or changes in the licensee. Licensees may enlist external subject matter experts to review complex and technical content in the playbook, where appropriate. A number of plans and playbooks should be developed for specific purposes (e.g. response, recovery, contingency, communication) that align with the overall cyber security strategy.

Added: January 2022

Prevention Controls

RM-3.1.18
A Licensee must develop and implement preventive measures across all relevant technologies to minimise the licensee’s exposure to cyber security risk. Such preventive measures must include, at a minimum, the following:

(a) Deployment of End Point Protection (EPP) and Endpoint Detection and Response (EDR) including anti-virus software and anti-malware programs to detect, prevent, and isolate malicious code;

(b) Use of firewalls for network segmentation including use of Web Application Firewalls (WAF) where relevant, for filtering and monitoring HTTP traffic between a web application and the Internet, and access control lists to limit unauthorized system access between network segments;

(c) Rigorous security testing at software development stage as well as after deployment to limit the number of vulnerabilities;

(d) Use of a secure email gateway to limit email based cyber attacks such as malware attachments, malicious links, and phishing scams (for example use of Microsoft Office 365 Advanced Threat Protection tools for emails);

(e) Use of a Secure Web Gateway to limit browser based cyber-attacks, malicious websites and enforce organization policies;

(f) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on the organization’s systems; and

(g) Implementing Bring Your Own Device “BYOD” security policies to secure all mobile devices with any access to licensee systems, applications, and networks through security measures such as encryption, remote wipe capabilities, and password enforcement.

Added: January 2022

RM-3.1.19
Licensees should also implement the following prevention controls in the following areas:

(a) Data leakage prevention to detect and prevent confidential data from leaving the licensee’s technology environment;

(b) Controls or solutions to secure, control, manage and monitor privileged access to critical assets, (e.g. Privileged Access Management (PAM);

(c) Controls to secure physical network ports against connection to computers which are unauthorised to connect to the licensee’s network or which do not meet the minimum-security requirements defined for licensee computer systems (e.g. Network access control); and

(d) Identity and access management controls to limit the exploitation and monitor the use of privileged and non-privileged accounts.

Added: January 2022

RM-3.1.20
Licensees must set up anti-spam and anti-spoofing measures to authenticate the licensee’s mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorized to send the email. Examples of such measures include:

• SPF “Sender Policy Framework”;

• DKIM “Domain Keys Identified Mail”; and

• DMARC “Domain-based Message Authentication, Reporting and Conformance”.

Added: January 2022

RM-3.1.21
Licensees should subscribe to one of the Cyber Threat Intelligence services in order to stay abreast of emerging cyber threats, cybercrime actors and state of the art tools and security measures.

Added: January 2022

RM-3.1.22
Licensees must use a single unified private email domain or its subdomains for communication with customers to prevent abuse by third parties. Licensees must not utilise third-party email provider domains for communication with customers. The email domains must comply with the requirements with respect to SPF, DKIM and DMARC in this Module. With respect to URLs or other clickable links in communications with customers, licensees must comply with the following requirements:

(a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of customer request or action. Examples of such customer actions include verification links for customer onboarding, payment links for customer-initiated transactions etc;

(b) Refrain from using shortened links in communication with customers;

(c) Implement one or more of the following measures for links sent to customers:
i. ensure customers receive clear instructions in communications sent with the links;

ii. prior notification to the customer such as through a phone call informing the customer to expect a link from the licensee;

iii. provision of transaction details such as the transaction amount and merchant name in the message sent to the customer with the link;

iv. use of other verification measures like password or biometric authentication; and

(d) Create customer awareness campaigns to educate their customers on the risk of fraud related to links they receive in SMS, short messages and emails with clear instructions to customers that licensees will not send clickable links in SMS, emails and other short messages to request information or payments unless it is as a result of customer request or action.

Amended: October 2022
Added: January 2022

RM-3.1.22A
For the purpose of Paragraph RM-3.1.22, subject to CBB’s approval, licensees may be allowed to use additional domains for email communications with customers under certain circumstances. Examples of such circumstances include emails sent to customers by:

(a) Head/regional office of a licensee; and

(b) Third-party service providers subject to prior arrangements being made with customers. Examples of such third-party services include informational subscription services (e.g. Bloomberg) and document management services (e.g. DocuSign).

Added: October 2022

Cyber Risk Identification and Assessments

RM-3.1.23
Licensees must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing current cyber threats relevant to the licensee, it should take into account the factors detailed below:

(a) Cyber threat entities including cyber criminals, cyber activists, insider threats;

(b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;

(c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;

(d) Dark web surveillance to identify any plot for cyber attacks;

(e) Examples of cyber threats from past cyber attacks on the licensee if available; and

(f) Examples of cyber threats from recent cyber attacks on other organisations.

Added: January 2022

RM-3.1.24
Licensees must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. Cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood and probability of a successful attack.

Added: January 2022

RM-3.1.25
Licensees should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above the licensee’s risk tolerance levels.

Added: January 2022

RM-3.1.26
Licensees must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Assessments for external public facing services and systems must be more frequent.

Added: January 2022

RM-3.1.27
With respect to Paragraph RM-3.1.25, external technology refers to the licensee’s public facing technology such as websites, apps and external servers. Connections with third parties includes any API or other connections with fintech companies, technology providers, outsourcing service providers etc.

Added: January 2022

RM-3.1.28
Licensees must have in place vulnerability and patch management processes which include remediation processes to ensure that the vulnerabilities identified are addressed and that security patches are applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.

Added: January 2022

RM-3.1.29
All licensees must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least once a year. However, licensees that provide services through digital channels must perform penetrating testing at least twice a year. These tests must be used to simulate real world cyber-attacks on the technology environment and must:

(a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;

(b) Include both Grey Box and Black Box testing in its scope;

(c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;

(d) Be performed by internal and external independent third parties which should be changed at least every two years; and

(e) Be performed on either the production environment or on non-production exact replicas of the production environment.

Added: January 2022

RM-3.1.30
CBB may require additional third-party security reviews to be performed as needed.

Added: January 2022

RM-3.1.31
The tests referred to in Paragraph RM-3.1.59 must be conducted each year in June and December. Reports on penetration testing must be submitted to CBB before 30th September for the tests as at 30th June and 31st March for the tests as at 31st December. The penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests together with the steps taken to mitigate the risks identified.

Added: January 2022

Cyber Incident Detection and Management

RM-3.1.32
Licensees must implement cyber security incident management processes to ensure timely detection, response and recovery for cyber security incidents. This includes implementing a monitoring system for log correlation and anomaly detection.

Added: January 2022

RM-3.1.33
Licensees should receive data on a real time basis from all relevant systems, applications, and network devices including operational and business systems. The monitoring system should be capable of identifying indicators of cyber incidents and initiate alerts, reports, and response activities based on the defined cyber security incident management process.

Added: January 2022

RM-3.1.34
Licensees should retain the logs and other information from the monitoring system for detecting cyber incidents, including "low-and-slow" attacks, in order to facilitate incident investigations, for 12 months or longer.

Added: January 2022

RM-3.1.35
Once a cyber incident is detected, licensees should activate their containment measures, processes and technologies best suited to each type of cyber incident to prevent a cyber incident from inflicting further damage. This may involve, after considering the costs, business impact and operational risks, shutting down or isolating all or affected parts of their systems and networks as deemed necessary for containment and diagnosis.

Added: January 2022

RM-3.1.36
Licensees must define roles and responsibilities and assign adequate resources to detect, identify, investigate and respond to cyber incidents that could impact the licensee’s infrastructure, services and customers. Such responsibilities must include log correlation, anomaly detection and maintaining the licensee’s asset inventory and network diagrams.

Added: January 2022

RM-3.1.37
Licensees must regularly identify, test, review and update current cyber security risk scenarios and the corresponding response plan. This is to ensure that the scenarios and response plan remain relevant and effective, taking into account changes in the operating environment, systems or the emergence of new cyber security threats. If any gaps are identified, the monitoring system must be updated with new use cases and rule sets which are capable of detecting the current cyber incident scenarios.

Added: January 2022

RM-3.1.38
The cyber incident scenario tests should include high-impact-low-probability events and scenarios that may result in failure. Common cyber incident scenarios include distributed denial of service (DDoS) attacks, system intrusion, data exfiltration and system disruption. Licensees should regularly use threat intelligence to update the scenarios so that they remain current and relevant. Licensees should periodically review current cyber incident scenarios for the purpose of assessing the licensee’s ability to detect and respond to these scenarios if they were to occur.

Added: January 2022

RM-3.1.39
Licensees must ensure that critical cyber security incidents detected are escalated to an incident response team, management and the Board, in accordance with the licensee’s business continuity plan and crisis management plan, and that an appropriate response is implemented promptly. See also Paragraph RM-3.1.58 for the requirement to report to CBB.

Added: January 2022

RM-3.1.40
Licensees should clearly define the roles, responsibilities and accountabilities for cyber incident detection and response activities to one or more named individuals that meet the pre-requisite role requirements. Potential conflicts of interest are minimised by ensuring a separation of implementation and oversight roles where possible. The roles should include:

• Incident Owner: An individual that is responsible for handling the overall cyber incident detection and response activities according to the incident type and services affected. The Incident Owner is delegated appropriate authority to manage the mitigation or preferably, removal of all impacts due to the incident.

• Spokesperson: An individual, from External Communications Unit or another suitable department, that is responsible for managing the communications strategy by consolidating relevant information and views from subject matter experts and the licensee’s management to update the internal and external stakeholders with consistent information.

• Record Keeper: An individual that is responsible for maintaining an accurate record of the cyber incident throughout its different phases, as well as documenting actions and decisions taken during and after a cyber incident. The record serves as an accurate source of reference for after-action reviews to improve future cyber incident detection and response activities.

Added: January 2022

RM-3.1.41
For the purpose of managing a critical cyber incident, the licensee should operate a situation room, and should include in the incident management procedure a definition of the authorities and responsibilities of staff members, internal and external reporting lines, communication channels, tools and detailed working procedures. The situation room or a war room is a physical room or a virtual room where relevant members of the management gather to handle a crisis in the most efficient manner possible.

Added: January 2022

RM-3.1.42
Licensees should record and document in an orderly manner the incidents that have been handled and the actions that were taken by the relevant functions. In particular, the licensee should maintain an "incident log" in which all the notifications, decisions and actions taken, in relation to cyber incidents, are documented, as close as possible to the time of their occurrence. It should also include the status of the issue whether it is open or has been resolved and person in charge of resolving the issue/incident. The logs should be stored and preserved in a secure and legally admissible manner.

Added: January 2022

RM-3.1.43
Licensees should utilise pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions; and a pre-established severity assessment framework to help gauge the severity of the cyber incident. For example, taxonomies that can be used when describing cyber incidents:

(a) Describe the cause of the cyber incident (e.g. process failure, system failure, human error, external event, malicious action)

(b) Describe whether the cyber incident due to a third-party service provider

(c) Describe the attack vector (e.g. malware, virus, worm, malicious hyperlink)

(d) Describe the delivery channel used (e.g. e-mail, web browser, removable storage media)

(e) Describe the impact (e.g. service degradation/disruption, service downtime, potential impact to customers, data leakage, unavailability of data, data destruction/corruption, tarnishing of reputation)

(f) Describe the type of incident (e.g. zero-day attack, exploiting a known vulnerability, isolated incident)

(g) Describe the intent (e.g. malicious, theft, monetary gain, fraud, political, espionage, opportunistic)

(h) Describe the threat actor (e.g. script kiddies, amateur, criminal syndicate, hacktivist, nation state)

The cyber incident severity may be classified as:

(a) Severity 1 incident has or will cause a serious disruption or degradation of critical service(s) and there is potentially high impact on public confidence in the licensee.

(b) Severity 2 incident has or will cause some degradation of critical services and there is medium impact on public confidence in the licensee.

(c) Severity 3 incident has little or no impact to critical services and there is no visible impact on public confidence in the licensee.

Added: January 2022

RM-3.1.44
Licensees should determine the effects of the cyber incident on customers and to the wider financial system as a whole and report the results of such an assessment to CBB if it is determined that the cyber incident may have a systemic impact.

Added: January 2022

RM-3.1.45
Licensees should establish metrics to measure the impact of a cyber incident and to report to management the performance of response activities. Examples include:

1. Metrics to measure impact of a cyber incident
(a) Duration of unavailability of critical functions and services

(b) Number of stolen records or affected accounts

(c) Volume of customers impacted

(d) Amount of lost revenue due to business downtime, including both existing and future business opportunities

(e) Percentage of service level agreements breached

2. Performance metrics for incident management
(a) Volume of incidents detected and responded via automation

(b) Dwell time (i.e. the duration a threat actor has undetected access until completely removed)

(c) Recovery Point objectives (RPO) and recovery time objectives (RTO) satisfied

Added: January 2022

Recovery

RM-3.1.46
Licensees must identify the critical systems and services within its operating environment that must be recovered on a priority basis in order to provide certain minimum level of services during the downtime and determine how much time the licensee will require to return to full service and operations.

Added: January 2022

RM-3.1.47 RM-3.1.47
Critical incidents are defined as incidents that trigger the BCP and the crisis management plan. Critical systems and services are those whose failure can have material impact on any of the following elements:

a) Financial situation;

b) Reputation;

c) Regulatory, legal and contractual obligations; and

d) Operational aspects and delivery of key products and services.

Added: January 2022

RM-3.1.48
Licensees must define a program for recovery activities for timely restoration of any capabilities or services that were impaired due to a cyber security incident. Licensees must establish recovery time objectives (“RTOs”), i.e. the time in which the intended process is to be covered, and recovery point objectives (“RPOs”), i.e. point to which information used must be restored to enable the activity to operate on resumption”. Licensees must also consider the need for communication with third party service providers, customers and other relevant external stakeholders as may be necessary.

Added: January 2022

RM-3.1.49
Licensees must ensure that all critical systems are able to recover from a cyber security breach within the licensee’s defined RTO in order to provide important services or some level of minimum services for a temporary period of time.

Added: January 2022

RM-3.1.50
Licensees should validate that recovered assets are free of compromise, fully functional and meet the security requirements before returning the systems to normal business operations. This includes performing checks on data to ensure data integrity. In some cases licensees may need to use backup data kept in a disaster recovery site or plan for the reconstruction of data from external stakeholders such as business partners and customers.

Added: January 2022

RM-3.1.51
Licensees must define a program for exercising the various response mechanisms, taking into account the various types of exercises such as attack simulations, "war games" and "table top" exercises, and with reference to the relevant stakeholders such as technical staff, crisis management team, decision-makers and spokespersons.

Added: January 2022

RM-3.1.52
Licensees must define the mechanisms for ensuring accurate, timely and actionable communication of cyber incident response and recovery activities with the internal stakeholders, including to the board or designated committee of the board.

Added: January 2022

RM-3.1.53
Licensee must ensure its business continuity plan is comprehensive and includes a recovery plan for its systems, operations and services arising from a cyber security incident.

Added: January 2022

Cyber Security Insurance

Training and Awareness

RM-3.1.54 RM-3.1.54
Licensees must arrange to seek cyber risk insurance cover from a suitable insurer, following a risk-based assessment of cyber security risk is undertaken by the respective licensee and independently verified by the insurance company. The insurance policy may include some or all of the following types of coverage, depending on the risk assessment outcomes:

(a) Crisis management expenses, such as costs of notifying affected parties, costs of forensic investigation, costs incurred to determine the existence or cause of a breach, regulatory compliance costs, costs to analyse the insured’s legal response obligations;

(b) Claim expenses such as costs of defending lawsuits, judgments and settlements, and costs of responding to regulatory investigations; and

(c) Policy also provides coverage for a variety of torts, including invasion of privacy or copyright infringement. First-party coverages may include lost revenue due to interruption of data systems resulting from a cyber or denial of service attack and other costs associated with the loss of data collected by the insured.

Added: January 2022

RM-3.1.55
Licensees must evaluate improvement in the level of awareness and preparedness to deal with cyber security risk to ensure the effectiveness of the training programmes implemented.

Added: January 2022

RM-3.1.56
The licensee must ensure that all employees receive adequate training on a regular basis, in relation to cyber security and the threats they could encounter, such as through testing employee reactions to simulated cyber-attack scenarios. All relevant employees must be informed on the current cyber security breaches and threats. Additional training should be provided to ‘higher risk staff’.

Added: January 2022

RM-3.1.57
The licensees must ensure that role specific cyber security training is provided on a regular basis to relevant staff including:

(a) Executive board and senior management;

(b) Cyber security roles;

(c) IT staff; and

(d) Any high-risk staff as determined by the licensee.

Added: January 2022

Reporting to CBB

RM-3.1.58
Upon occurrence or detection of any cyber security incident, whether internal or external, that compromises customer information or disrupts critical services that affect operations, licensees must contact the CBB, immediately (within one hour), on 17547477 and submit Section A of the Cyber Security Incident Report (Appendix RM-1) to CBB’s cyber incident reporting email, incident.Moneychanger@cbb.gov.bh, within two hours.

Amended: April 2022
Added: January 2022

RM-3.1.59
Following the submission referred to in Paragraph RM-3.1.58, the licensee must submit to CBB Section B of the Cyber Security Incident Report (Appendix RM-1) within 10 calendar days of the occurrence of the cyber security incident. Licensees must include all relevant details in the report, including the full root cause analysis of the cyber security incident, its impact on the business operations and customers, and all measures taken by the licensee to stop the attack, mitigate its impact and to ensure that similar events do not recur. In addition, a weekly progress update must be submitted to CBB until the incident is fully resolved.

Amended: April 2022
Added: January 2022

RM-3.1.60
With regards to the submission requirement mentioned in Paragraph RM-3.1.59, the licensee should submit the report with as much information as possible even if all the details have not been obtained yet.

Added: January 2022

RM-3.1.61
The penetration testing report as per Paragraph RM-3.1.29, along with the steps taken to mitigate the risks must be maintained by the licensee for a five year period from the date of the report and must be provided to CBB within three months following the end of the month where the testing took place, i.e. for a June test, the report must be submitted at the latest by 30^th September and for a December test, by 31^st March.

Amended: April 2022
Added: January 2022

Appendix A – Cyber Security Control Guidelines
The Control Guidelines consists of five Core tasks which are defined below. These Functions are not intended to form a serial path or lead to a static desired end state. Rather, the Functions should be performed concurrently and continuously to form an operational culture that addresses the dynamic cyber security risk.

Identify – Develop an organisation-wide understanding to manage cyber security risk to systems, people, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Cyber Security Risk Management Framework. Understanding the business context, the resources that support critical functions, and the related cyber security risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cyber security incident.

Detect – Develop and implement appropriate activities to identify the occurrence of a cyber security incident. The Detect Function enables timely discovery of cyber security events.

Respond – Develop and implement appropriate activities to take action regarding a detected cyber security incident. The Respond Function supports the ability to contain the impact of a potential cyber security incident.

Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cyber security incident.

Below is a listing of the specific cyber security activities that are common across all critical infrastructure sectors:

IDENTIFY

Asset Management: The data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the licensee’s risk strategy.

1. Physical devices and systems within the licensee are inventoried.

2. Software platforms and applications within the licensee are inventoried.

3. Communication and data flows are mapped.

4. External information systems are catalogued.

5. Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.

6. Cyber security roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.

Business Environment: The licensee’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cyber security roles, responsibilities, and risk management decisions.

1. Priorities for the licensee’s mission, objectives, and activities are established and communicated.

2. Dependencies and critical functions for delivery of critical services are established.

3. Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations).

Governance: The policies, procedures, and processes to manage and monitor the licensee’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cyber security risk.

1. licensee’s cyber security policy is established and communicated.

2. Cyber security roles and responsibilities are coordinated and aligned with internal roles and external partners.

3. Legal and regulatory requirements regarding cyber security, including privacy and civil liberties obligations, are understood and managed.

4. Governance and risk management processes address cyber security risks.

Risk Assessment: The licensee understands the cyber security risk to licensee’s operations (including mission, functions, image, or reputation), licensee’s assets, and individuals.

1. Asset vulnerabilities are identified and documented.

2. Cyber threat intelligence is received from information sharing forums and sources.

3. Threats, both internal and external, are identified and documented.

4. Potential business impacts and likelihoods are identified.

5. Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.

6. Risk responses are identified and prioritized.

Risk Management Strategy: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

1. Risk management processes are established, managed, and agreed to by licensee’s stakeholders.

2. The licensee’s risk tolerance is determined and clearly expressed.

3. The licensee’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.

Third Party Risk Management: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing third party risk. The licensee has established and implemented the processes to identify, assess and manage supply chain risks.

1. Cyber third-party risk management processes are identified, established, assessed, managed, and agreed to by the licensee’s stakeholders.

2. Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber third-party risk assessment process.

3. Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of a licensee’s cyber security program.

4. Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.

5. Response and recovery planning and testing are conducted with suppliers and third-party providers.

PROTECT

Identity Management, Authentication and Access Control: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

1. Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.

2. Physical access to assets is managed and protected.

3. Remote access is managed.

4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

5. Network integrity is protected (e.g., network segregation, network segmentation).

6. Identities are proofed and bound to credentials and asserted in interactions

7. Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).

Awareness and Training: The licensee’s personnel and partners are provided cyber security awareness education and are trained to perform their cyber security-related duties and responsibilities consistent with related policies, procedures, and agreements.

1. All users are informed and trained on a regular basis.

2. Licensee’s security awareness programs are updated at least annually to address new technologies, threats, standards, and business requirements.

3. Privileged users understand their roles and responsibilities.

4. Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.

5. The Board and senior management understand their roles and responsibilities.

6. Physical and cyber security personnel understand their roles and responsibilities.

7. Software development personnel receive training in writing secure code for their specific development environment and responsibilities.

Data Security: Information and records (data) are managed consistent with the licensee’s risk strategy to protect the confidentiality, integrity, and availability of information.

1. Data-at-rest classified as critical or confidential is protected through strong encryption.

2. Data-in-transit classified as critical or confidential is protected through strong encryption.

3. Assets are formally managed throughout removal, transfers, and disposition

4. Adequate capacity to ensure availability is maintained.

5. Protections against data leaks are implemented.

6. Integrity checking mechanisms are used to verify software, firmware, and information integrity.

7. The development and testing environment(s) are separate from the production environment.

8. Integrity checking mechanisms are used to verify hardware integrity.

Information Protection Processes and Procedures: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational units), processes, and procedures are maintained and used to manage protection of information systems and assets.

1. A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).

2. A System Development Life Cycle to manage systems is implemented

3. Configuration change control processes are in place.

4. Backups of information are conducted, maintained, and tested.

5. Policy and regulations regarding the physical operating environment for licensee’s assets are met.

6. Data is destroyed according to policy.

7. Protection processes are improved.

8. Effectiveness of protection technologies is shared.

9. Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.

10. Response and recovery plans are tested.

11. Cyber security is included in human resources practices (e.g., deprovisioning, personnel screening).

12. A vulnerability management plan is developed and implemented.

Maintenance: Maintenance and repairs of information system components are performed consistent with policies and procedures.

1. Maintenance and repair of licensee’s assets are performed and logged, with approved and controlled tools.

2. Remote maintenance of licensee’s assets is approved, logged, and performed in a manner that prevents unauthorized access.

Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

1. Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.

2. Removable media is protected and its use restricted according to policy.

3. The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.

4. Communications and control networks are protected.

5. Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.

DETECT

Anomalies and Events: Anomalous activity is detected and the potential impact of events is understood.

1. A baseline of network operations and expected data flows for users and systems is established and managed.

2. Detected events are analyzed to understand attack targets and methods.

3. Event data are collected and correlated from multiple sources and sensors

4. Impact of events is determined.

5. Incident alert thresholds are established.

Security Continuous Monitoring: The information system and assets are monitored to identify cyber security events and verify the effectiveness of protective measures.

1. The network is monitored to detect potential cyber security events.

2. The physical environment is monitored to detect potential cyber security events

3. Personnel activity is monitored to detect potential cyber security events.

4. Malicious code is detected.

5. Unauthorized mobile code is detected.

6. External service provider activity is monitored to detect potential cyber security events.

7. Monitoring for unauthorized personnel, connections, devices, and software is performed.

8. Vulnerability scans are performed at least quarterly.

Detection Processes: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.

1. Roles and responsibilities for detection are well defined to ensure accountability.

2. Detection activities comply with all applicable requirements.

3. Detection processes are tested.

4. Event detection information is communicated.

5. Detection processes are continuously improved.

RESPOND

Response Planning: Response processes and procedures are executed and maintained, to ensure response to detected cyber security incidents. Response plan is executed during or after an incident.

Communications: Response activities are coordinated with internal and external stakeholders.

1. Personnel know their roles and order of operations when a response is needed.

2. Incidents are reported consistent with established criteria.

3. Information is shared consistent with response plans.

4. Coordination with internal and external stakeholders occurs consistent with response plans.

5. Voluntary information sharing occurs with external stakeholders to achieve broader cyber security situational awareness.

6. Incident response exercises and scenarios across departments are conducted at least annually.

Analysis: Analysis is conducted to ensure effective response and support recovery activities.

1. Notifications from detection systems are investigated.

2. The impact of the incident is understood.

3. Forensics are performed.

4. Incidents are categorized consistent with response plans.

5. Processes are established to receive, analyze and respond to vulnerabilities disclosed to the licensee from internal and external sources (e.g. internal testing, security bulletins, or security researchers).

Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.

1. Incidents are contained.

2. Incidents are mitigated.

3. Newly identified vulnerabilities are mitigated or documented as accepted risks.

Improvements: The response activities are improved by incorporating lessons learned from current and previous detection/response activities.

1. Response plans incorporate lessons learned.

2. Response strategies are updated.

RECOVER

Recovery Planning: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cyber security incidents. Recovery plan is executed during or after a cyber security incident.

Improvements: Recovery planning and processes are improved by incorporating lessons learned into future activities.

1. Recovery plans incorporate lessons learned.

2. Recovery strategies are updated.

Communications: Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).

1. Public relations are managed.

2. Reputation is repaired after an incident.

3. Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.

Added: January 2022

TC TC Money Changers Training and Competency Module

TC-A TC-A Introduction

TC-A.1 TC-A.1 Purpose

Executive Summary

TC-A.1.1
This Module presents requirements that have to be met by licensees with respect to training and competency of individuals undertaking controlled functions (i.e. approved persons).

October 2010

TC-A.1.2
Module TC provides Rules and Guidance to licensees to ensure satisfactory levels of competence, in terms of an individual's knowledge, skills, experience, and professional qualifications. Licensees are required to demonstrate that individuals undertaking controlled functions are sufficiently competent, and are able to undertake their respective roles and responsibilities.

October 2010

TC-A.1.3
The Rules build upon Principles 3 and 10 of the Principles of Business (see Module PB (Principles of Business)). Principle 3 (Due Skill, Care and Diligence) requires licensees to observe high standards of integrity and fair dealing, and to be honest and straightforward in its dealings with customers. Principle 9 (Adequate Resources) requires licensees to maintain adequate human, financial and other resources sufficient to run its business in an orderly manner.

October 2010

TC-A.1.4
Condition 4 of the Central Bank of Bahrain's ('CBB') Licensing Conditions (Chapter AU-2.4) and Condition 1 of the Approved Persons regime (Chapter AU-3.1) impose further requirements. To satisfy Condition 4 of the CBB's Licensing Conditions, a licensees' staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of the licensee in a sound and prudent manner (AU-2.4). This condition specifies that licensees must ensure their employees meet any training and competency requirements specified by the CBB. Condition 1 of the Approved Persons Conditions (AU-3.1) sets forth the 'fit and proper' requirements in relation to competence, experience and expertise required by approved persons.

Amended: January 2011
October 2010

Legal Basis

TC-A.1.5
This Module contains the CBB's Directive (as amended from time to time) relating to Training and Competency and is issued under the powers available to the CBB under Articles 38 and 65 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all licensees (including their approved persons). Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

Amended: January 2011
October 2010

TC-A.1.6
For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

October 2010

TC-A.2 TC-A.2 Module History

Evolution of the Module

TC-A.2.1
This Module was first issued in October 2010. Any material changes that are subsequently made to this Module are annotated with the calendar quarter date in which the change is made; Chapter UG-3 provides further details on Rulebook maintenance and version control.

TC-A.2.2

A list of recent changes made to this Module is provided below:

Module Ref.	Change Date	Description of Changes
TC-A.1.5	01/2011	Clarified legal basis.

Superseded Requirements

TC-A.2.3
This Module does not replace any regulations or circulars in force prior to October 2010.

October 2010

TC-B TC-B Scope of Application

TC-B.1 TC-B.1 Scope of Application

TC-B.1.1
This Module applies to all Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

October 2010

TC-B.1.2
Persons authorised by the CBB as approved persons prior to the issuance of Module TC need not reapply for authorisation.

October 2010

TC-B.1.3
The requirements of this Module apply to approved persons holding controlled functions:

(a) Who are employed or appointed by the licensees in connection with the licensees' regulated activities, whether under a contract of service or for services or otherwise; or

(b)Whose services, under an arrangement between the licensee and a third party, are placed at the disposal and under the control of the licensee.

October 2010

TC-B.1.4
Licensees must satisfy the CBB that individuals performing a controlled function for it or on its behalf are suitable and competent to carry out that controlled function.

October 2010

TC-B.1.5
In implementing this Module, licensees must ensure that:

(a) Individuals recruited by the licensees to perform a controlled function hold suitable qualifications and experience appropriate to the nature of the business;

(b)Individuals performing a controlled function remain competent for the work they do; and

(c) Individuals performing a controlled function are appropriately supervised.

October 2010

TC-1 TC-1 Recruitment and Assessing Competence

TC-1.1 TC-1.1 Recruitment and Appointments

TC-1.1.1
If a licensee recruits an individual to undertake a controlled function, it must satisfy itself, where appropriate, of such individual's relevant qualifications and experience.

October 2010

TC-1.1.2
A licensee proposing to recruit an individual has to satisfy itself, of his/her relevant qualifications and experience. The licensee should:

(a) Take into account the knowledge and skills required for the role, in addition to the nature and the level of complexity of the controlled function; and

(b) Take reasonable steps to obtain sufficient information about the individual's background, experience, training and qualifications.

October 2010

TC-1.1.3
Individuals occupying the following controlled functions (refer to Paragraphs AU-1.2.5 to AU-1.2.10) at a licensee must be qualified and suitably experienced for their specific roles and responsibilities:

(a) Director;

(b)Chief Executive or General Manager;

(c) Head of function;

(d)Compliance officer; and

(e) Money Laundering Reporting Officer ('MLRO').

October 2010

TC-1.1.4
A licensee must take reasonable steps to ensure that individuals holding controlled functions are sufficiently knowledgeable about their respective fields of work to be able to guide and supervise operations that fall under their responsibilities. Competence must be assessed on the basis of experience and relevant qualifications described in Appendix TC-1 as a minimum. However, the CBB reserves the right to impose a higher level of qualifications as it deems necessary.

October 2010

Director

TC-1.1.5
As individuals, directors of a licensee must hold professional qualifications and/or have relevant experience outlined in Appendix TC-1 as a minimum.

October 2010

TC-1.1.6
The role of the director is to be accountable and responsible for the management and performance of the licensee, and is outlined in more details in Section HC-1.1.

October 2010

TC-1.1.7
When taken as a whole, the board of directors of a licencee must be able to demonstrate that it has the necessary expertise, as outlined in Paragraphs HC-1.2.4 and HC-1.2.5.

October 2010

Chief Executive or General Manager

TC-1.1.8
Individuals holding the position of chief executive officer or equivalent at a licensee must hold relevant qualifications and relevant experience as outlined in Appendix TC-1 as a minimum.

October 2010

TC-1.1.9
The chief executive officer or general manager (as appropriate) is responsible for the executive management and performance of the licensee within the framework or delegated authorities set by the Board.

October 2010

Head of Function

TC-1.1.10
Individuals holding the position of head of function at a licensee must hold relevant professional qualifications and experience as outlined in Appendix TC-1 as a minimum.

October 2010

TC-1.1.11
Heads of functions are responsible for tracking specific functional performance goals in addition to identifying, managing, and reporting critical organisational issues upstream.

October 2010

Compliance Officer

TC-1.1.12
Individuals holding the position of compliance officer at a licensee must hold relevant experience and qualifications as outlined in Appendix TC-1 as a minimum.

October 2010

TC-1.1.13
In accordance with Paragraph HC-2.4.3, an employee of appropriate standing must be designated by licensees for the position of compliance officer. The duties of the compliance officer include:

(a)Having responsibility for oversight of the licensee's compliance with the requirements of the CBB; and

(b)Reporting to the licensee's Board in respect of that responsibility.

October 2010

Money Laundering Reporting Officer (MLRO)

TC-1.1.14
Individuals holding the position of MLRO at a licensee, whose attributes and responsibilities are described more fully in Paragraphs FC-4.1.7 and FC-4.2.1, must hold relevant qualifications as outlined in Appendix TC-1 as a minimum.

October 2010

TC-1.2 TC-1.2 Assessing Competence

TC-1.2.1
Licensees must not allow an individual to undertake or supervise controlled functions unless that individual has been assessed by the licensee as competent in accordance with this Section.

October 2010

TC-1.2.2
In the case of new personnel, the licensees should ensure that they work under proper supervision. Where a person is working towards attaining a level of competence, they should be supervised by a competent person until they can demonstrate the appropriate level of competence. It is the licensees's responsibility to ensure that such arrangements are in place and working successfully.

October 2010

TC-1.2.3
In determining an individual's competence, licensees may assess if the person is fit and proper in accordance with Chapter AU-3.

October 2010

TC-1.2.4
Licensees will assess individuals as competent when they have demonstrated the ability to apply the knowledge and skills required to perform a specific controlled function without supervision.

October 2010

TC-1.2.5
The assessment of competence will be dependent on the nature and the level of complexity of the controlled function. Such assessment of competence of new personnel may take into account the fact that an individual has been previously assessed as competent in a similar controlled function with another licensee.

October 2010

TC-1.2.6
If a licensee assesses an individual as competent in accordance with TC-1.2.4 to perform a specific controlled function it does not necessarily mean that the individual is competent to undertake other controlled functions.

October 2010

TC-1.2.7
A firm should use methods of assessment that are appropriate to the controlled function and to the individual's role.

October 2010

TC-2 TC-2 Training and Maintaining Competence

TC-2.1 TC-2.1 Training and Supervision

TC-2.1.1
A licensee must annually determine the training needs of individuals undertaking controlled functions. It must develop a training plan to address these needs and ensure that training is planned, appropriately structured and evaluated.

October 2010

TC-2.1.2
The assessment and training plan described in Paragraph TC-2.1.1 should be aimed at ensuring that the relevant approved person maintains competence in the controlled function. Training does not necessarily just imply attendance of courses. An individual can develop skills and gain experience in a variety of ways. These could include on the job learning, individual study, and other methods. In almost every situation, and for most individuals, it is likely that competence will be developed most effectively by a mixture of training methods.

October 2010

TC-2.1.3
The training plan of licensees must include a programme for continuous professional development training ("CPD") for their personnel.

October 2010

TC-2.1.4
Approved persons may choose to fulfil their CPD requirements by attending courses and seminars at local or foreign training institutions.

October 2010

TC-2.1.5
The annual training needs assessment required under Paragraph TC-2.1.1 must also consider quarterly updates, if any, to the CBB Volume 5 (Specialised Licensees) Rulebook, in areas relevant to each controlled function.

October 2010

TC-2.1.6
Individuals holding the controlled functions of compliance officer and MLRO at a licensee must undergo a minimum of 15 hours of CPD per annum.

October 2010

TC-2.1.7
A licensee should ensure that an approved person undertaking a controlled function undergoes appropriate review and assessment of performance.

October 2010

TC-2.1.8
The level of review and assessment should be proportionate to the level of competence demonstrated by the approved person. Review and assessment should take place on a regular basis and include coaching and assessing performance against the competencies necessary for the role.

October 2010

TC-2.1.9
Assessors of approved persons should have technical knowledge and relevant skills, e.g. coaching and assessment skills.

October 2010

TC-2.2 TC-2.2 Maintaining Competence

TC-2.2.1
A licensee must make appropriate arrangements to ensure that approved persons maintain competence.

October 2010

TC-2.2.2
A licensee should ensure that maintaining competence for an approved person takes into account:

(a) Application of technical knowledge;

(b) Application and development of skills; and

(c) Any market changes and changes to products, legislation and regulation.

October 2010

TC-2.2.3
A licensee may utilise the CPD schemes of relevant professional bodies to demonstrate compliance with TC-2.2.1. In-house training, seminars, conferences, further qualifications, product presentations, computer-based training and one-to-one tuition may also be considered to demonstrate compliance with TC-2.2.1.

October 2010

TC-3 TC-3 Record Keeping

TC-3.1 TC-3.1 Record Keeping

TC-3.1.1
A licensee must make and retain records of its recruitment procedures. Such procedures should be designed to adequately take into account proof of the candidates' knowledge and skills and their previous activities and training.

October 2010

TC-3.1.2
The recruitment record keeping procedure should include, but is not limited to, the following:

(a) Results of the initial screening;

(b) Results of any employment tests;

(c) Results and details of any interviews conducted;

(d) Background and references checks; and

(e) Details of any professional qualifications.

October 2010

TC-3.1.3
A licensee should make and retain updated records of:

(a)The criteria applied in assessing the ongoing and continuing competence;

(b)How and when the competence decision was arrived at;

(c)The annual assessment of competence; and

(d)Record of CPD hours undertaken by each approved person.

October 2010

TC-3.1.4
A licensee should make and retain records of:

(a)The annual training plan for all controlled functions;

(b)Materials used to conduct in-house training courses;

(c)List of participants attending such in-house training courses; and

(d)Results of evaluations conducted at the end of such training courses.

October 2010

TC-3.1.5
Licensees should maintain appropriate training records for each individual. Licensees should note how the relevant training relates to and supports the individual's role. Training records may be reviewed during supervisory visits to assess the licensee's systems and to review how the licensee ensures that its staff are competent and remain competent for their roles.

October 2010

TC-4 TC-4 Transitional Provisions

TC-4.1 TC-4.1 Transitional Period

TC-4.1.1
The requirements of Module TC for licensees are effective 31^st December 2010.

October 2010

TC-4.1.2
Where approved persons holding controlled functions are occupying positions within the licensee and do not meet the qualifications and core competencies outlined in Appendix TC-1 at the time of the issuance of Module TC, the licensee must ensure that such individuals will meet the requirements of Module TC by 31^st December 2011 at the latest.

October 2010

Appendices: Appendix TC-1

Qualifications and Core Competencies of Controlled Functions

Role	Core Competencies	How can competence be demonstrated?
Director	Directors should have: (a) Experience to demonstrate sound business decision-making; and (b) A good understanding of the industry and its regulatory environment.	This person should be experienced in the industry. Competence could be demonstrated by: (a) Holding a relevant professional qualification; or (b) A minimum length of service (at least 5 years at director or senior management level) in the financial industry.
Chief Executive or General Manager	These roles require: (a) A clear understanding of the role and responsibilities associated with this position; (b) A good understanding of the licensee's business, the broader industry and its regulatory environment; and (c) The relevant experience and qualifications associated with any executive responsibilities.	This person should be experienced in the industry. Competence could be demonstrated by: (a) Holding a relevant professional qualification; or (b) A minimum length of service (at least 5 years at a relatively senior position) in the financial industry.
Head of Function	This role requires: (a) A clear understanding of the role and responsibilities associated with the relevant function; (b) A good understanding of the licensee's business, the broader industry and its regulatory environment; and (c) The relevant experience and qualifications to fulfill their responsibilities.	A senior manager responsible for a specialist function should demonstrate the competencies required for that role. (a) The person must have area specific experience/qualifications as required for head of function. These include accounting qualifications for financial managers, Bachelors degree in banking or finance, MBA, etc. and/or (b) The head of function should have at least 5 years of experience in the industry and will typically hold, or be working towards, a relevant professional qualification as appropriate to the controlled function.
Compliance Officer	A Compliance Officer should: (a) Have the ability and experience to take responsibility for implementing and maintaining compliance policies; (b) Have the appropriate level of experience to demonstrate independence from other functions within the licensee; and (c) Have a thorough understanding of the industry and the applicable regulatory framework. The level of required competence varies based on the scope, magnitude and complexity of the licensee.	The person should have a minimum of 2 years of relevant experience in a compliance function of a financial institution. Additional relevant certifications may include: (a) Diploma in International Compliance offered by the International Compliance Association; and/or (b) Other relevant professional qualification.
Money Laundering Reporting Officer (MLRO)	The MLRO should: (a) Understand the business and how the Anti Money Laundering framework applies thereto; and (b) Have the appropriate level of experience to demonstrate independence from staff of the licensee dealing directly with customers.	An MLRO will typically hold a relevant professional qualification and / or a qualification related to the financial activities. These may include: (a) Certified Anti-Money Laundering Specialist Examination (ACAMS); (b) Other relevant MLRO programs; and/or (c) Diploma in International Compliance offered by the International Compliance Association. Additionally, he must have undergone training in anti money laundering, in a recognized institute. The initial training must be for a period of 35 hours or more. MLROs should have thorough knowledge of the financial institutions industry and be familiar with relevant international standards and applicable domestic regulatory requirements.

October 2010

Reporting Requirements

BR BR Money Changers CBB Reporting Module

BR-A BR-A Introduction

BR-A.1 BR-A.1 Purpose

Executive Summary

BR-A.1.1
This Module sets out requirements applicable to licensees regarding reporting to the CBB. These include the provision of financial information to the CBB by way of prudential returns, as well as notification to the CBB of certain specified events, some of which require prior CBB approval. This Module also outlines the methods used by the CBB in gathering information required in the supervision of licensees.

October 2010

BR-A.1.2
The requirements in this Module apply to all Money Changer licensees.

October 2010

Legal Basis

BR-A.1.3
This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) regarding CBB Reporting requirements applicable to licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

Amended: January 2011
October 2010

BR-A.1.4
For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

October 2010

BR-A.2 BR-A.2 Module History

Evolution of Module

BR-A.2.1
This Module was first issued in October 2010. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made: UG-3 provides further details on Rulebook maintenance and version control.

BR-A.2.2

A list of recent changes made to this Module is provided below:

Module Ref.	Change Date	Description of Changes
BR-A.1.3	01/2011	Clarified legal basis.
BR-1.5.20 and 1.5.21	01/2011	Added IIS reporting requirements.
BR-2.1.5	01/2011	Minor amendment to clarify reference of guidance.
BR-2.2.5	01/2011	Minor amendment to correct typo.
BR-2.2.6, BR-2.2.12	01/2011	Minor amendment.
BR-2.2.7 and BR-2.2.8	01/2011	Guidance Paragraphs deleted.
BR-2.3.1, BR-2.3.2 and BR-2.3.14	04/2011	Clarified prior approval requirements in relation to subsidiary undertakings.
BR-3.1.1A and BR-3.1.1B	04/2012	Added Paragraphs to clarify Rules on power to request information.
BR-3.3.1 and BR-3.4	04/2012	Minor corrections.
BR-3.5	04/2012	New Section added to include material transferred from common Chapters EN-2 and AA-5
BR-2.3.5A	10/2012	Added guidance to clarify requirements for change of address for branches.
BR-1.5.20	01/2013	Clarified deadline to update IIS.
BR-3.5.14	07/2013	Amended numbering of referred appendix.
BR-1.3.2A	10/2014	Added annual requirement to file the Insurance Coverage Return as required under Paragraph GR-7.1.4.
BR-1.6	04/2017	Added a new Section on Onsite Inspection Reporting.
BR-1.1.1	10/2018	Amended Paragraph.
BR-1.2.1	10/2018	Amended Paragraph.
BR-1.3.1	10/2018	Amended Paragraph.
BR-1.5.1A	10/2019	Added a new Paragraph on disclosure of financial penalties.
BR-2.3.13	01/2020	Amended Paragraph.
BR-1.2.2	01/2022	Amended Paragraph on submission of the Quarterly Prudential Returns.
BR-1.6.2	01/2022	Amended Paragraph on the submission of the written assessment of the observations/issues raised in the Inspection draft report.
BR-2.2.17	01/2023	Amended Paragraph deleting reference to RM.
BR-2.3.15	01/2023	Deleted Paragraph on CBB approval for outsourcing arrangements.

Superseded Requirements

BR-A.2.3

This Module supersedes the following provisions contained in circulars or other regulatory instruments:

Circular/ other reference	Subject
EDBC/73/96	No objection for promotions
BC/9/99	Quarterly Information Report (QIR).
BC/24/99	Submission of audited Accounts and Management Letter/ Dividend Approval
BC/1/2000	Monthly Return
BC/505/2001	Computerized Information Reports
EDBO/WR/007/2004	Report on Counterfeiting Activity
BS/09/2005	Accounts for Charity Organizations
CI/27/2006	Report on Counterfeit Currency Detection Equipment
OG/080/2007	Directive on measures to detect counterfeit currency

October 2010

BR-B BR-B Scope of Application

BR-B.1 BR-B.1 Scope of Application

BR-B.1.1
The content of this Module applies to all Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

October 2010

BR-1 BR-1 Prudential Reporting

BR-1.1 BR-1.1 Monthly Prudential Reporting

Monthly Prudential Return

BR-1.1.1
All licensees must prepare and submit to the CBB, through the Money Changers System (as required by the CBB), a Monthly Prudential Return (MC-MPR).

Amended: October 2018
October 2010

BR-1.1.2
The Monthly Prudential Return must be submitted to the CBB within 20 calendar days of each month end.

October 2010

Other Monthly Reports

BR-1.1.3
All licensees must submit a report to the CBB at the end of each month, listing the name(s) and transaction details of customers whose transactions either singly or aggregately are equivalent to, or greater than, 5% of the total turnover of the licensee, during a month.

October 2010

BR-1.2 BR-1.2 Quarterly Prudential Reporting

BR-1.2.1
All licensees must prepare and submit to the CBB, through the Money Changers System (as required by the CBB), a Quarterly Prudential Return (MC-QPR).

Amended: October 2018
October 2010

BR-1.2.2
The Quarterly Prudential Return must be submitted to the CBB within 30 calendar days of each quarter end (as defined in Rule BR-1.2.4).

Amended: January 2022
Added: October 2010

Valuation of Assets and Liabilities

BR-1.2.3
Amounts included within the Quarterly Prudential Return must be determined in accordance with the recognition and measurement principles specified by International Financial Reporting Standards.

October 2010

BR-1.2.4
For the purpose of reporting requirements under this Section, the quarter end of a licensee must be a 3-month period ending on 31 March, 30 June, 30 September or 31 December.

October 2010

BR-1.3 BR-1.3 Annual Prudential Reporting

BR-1.3.1
All licensees must prepare and submit to the CBB, through the Money Changers System (as required by the CBB), an Annual Prudential Return (MC-APR).

Amended: October 2018
October 2010

BR-1.3.2
The Annual Prudential Return must be submitted to the CBB within 3 months of the end of the financial year (as defined in Rule BR-1.3.4).

October 2010

BR-1.3.2A
In accordance with Paragraph GR-7.1.4, licensees must submit the Insurance Coverage Return (Form ICR) on an annual basis, within 3 months of the end of the financial year.

Added: October 2014

Valuation of Assets and Liabilities

BR-1.3.3

Amounts included within the Annual Prudential Return must be determined in accordance with the recognition and measurement principles specified by International Financial Reporting Standards.

BR-1.3.4

The financial year of a licensee must be a 12-month period ending on 31 December, except where the licensee has obtained the written consent from the CBB for either the period or the period end to be other than 12 months and 31 December respectively. In any event, the financial year can never be less than a 6-month period or greater than an 18-month period.

BR-1.4 BR-1.4 Public Disclosure

BR-1.4.1
Submitted Forms Monthly, Quarterly and Annual Prudential Reports are not public documents and will not be disclosed to third parties by the CBB without the licensee's consent. However, the CBB may from time to time publish aggregate information derived from such Forms, relating to licensees or the Bahrain money changing sector as a whole.

October 2010

BR-1.4.2
Whilst submitted Forms are not public documents, licensees are not prevented from providing complete copies to third parties.

October 2010

BR-1.5 BR-1.5 Other Reporting Requirements

Audited Financial Statements

BR-1.5.1
As specified in Article 62 of the CBB Law, a licensee must submit to the CBB its final audited financial statements within 3 months of the licensee's financial year-end.

October 2010

BR-1.5.1A
In accordance with Paragraphs EN-B.4.5 and EN-5.2.2, licensees must disclose in their annual audited financial statements the amount of any financial penalties paid to the CBB, together with a factual description of the reason(s) given by the CBB for the penalty. Licensees which fail to comply with this requirement will be required to make the disclosure in the annual audited financial statements of the subsequent year and will be subject to an enforcement action for non-disclosure.

Added: October 2019

BR-1.5.2
Audited accounts of a licensee should be prepared in accordance with the International Financial Accounting Standards (IFRS) and with the requirements outlined in Appendix 1 at the end of this Module.

October 2010

BR-1.5.3
The Management Letter prepared by the external auditor must be submitted together with the final audited financial statements.

October 2010

Charity Accounts

BR-1.5.4
As per Rule FC-1.6.3 licensees must report at the end of every month, all payments and transfers of BD3,000 (or equivalent in foreign currencies) and above performed on behalf of charities registered in Bahrain. The report must be submitted to the CBB's Compliance Directorate, giving details of the amount transferred, name of charity, number and beneficiary name account and bank details.

October 2010

Suspicious Transaction Reports (STR)

BR-1.5.5
As per Rule FC-5.2.4, licensees must report all suspicious transactions or attempted transactions to the Financial Intelligence Unit at the Ministry of Interior and to the Compliance Directorate at the CBB.

October 2010

BR-1.5.6
As per Rule FC-1.8.2 licensees must make a suspicious transaction report to the Compliance Directorate at the CBB and the Financial Intelligence Unit at the Ministry of Interior, if they are approached by a shell bank or an institution they suspect of being a shell bank.

October 2010

BR-1.5.7
As per Rule FC-2.2.5, in the case of one-off transactions where there is no ongoing account relationship, the licensee must file an STR.

October 2010

BR-1.5.8
As per Rule FC-5.2.3, if licensees suspect that a person has been engaged in money laundering or terrorism financing, or the activity concerned is regarded as suspicious, the licensee must report the fact promptly to the Financial Intelligence Unit at the Ministry of Interior and copy the Compliance Directorate at the CBB. The reports must be made using the STR Form and related instructions, included in Part B of Volume 5.

October 2010

BR-1.5.9
As per Section FC-8.1, when dealing with entities or persons domiciled in countries or territories which are identified by the FATF as being non-cooperative or notified to licensees from time to time by the CBB, whenever the licensee has suspicions about the transaction, these must be reported to the Financial Intelligence Unit at the Ministry of Interior and the Compliance Directorate at the CBB.

October 2010

BR-1.5.10
As per Rule FC-8.3.3, licensees must report to the Financial Intelligence Unit at the Ministry of Interior and the Compliance Directorate at the CBB, using the procedures contained in Section FC-5.2, details of any accounts or other dealings with persons and entities designated by the CBB as potentially linked to terrorist activity.

October 2010

Reports Prepared by the MLRO

BR-1.5.11
As per Rule FC-4.3.1(a) and (b), licensees must arrange for their MLRO to produce a report containing the number of internal reports made in accordance with Section FC-5.1, a breakdown of all the results of those internal reports and their outcomes for each segment of the licensee's business, and an analysis of whether controls or training need to be enhanced and a report, indicating the number of external reports made in accordance with Section FC-5.2 and, where a licensee has made an internal report but not made an external report, noting why no external report was made. These reports are to be submitted to the CBB by the 30th of April of the following year.

October 2010

Report Prepared by the External Auditor

BR-1.5.12
As per Rule FC-4.3.1(d), licensees must arrange for their external auditor to produce a report as to the quality of the licensee's anti-money laundering procedures, systems and controls, and compliance with the AML Law and Module FC (Financial Crime) to be submitted to the CBB by the 30th of April of the following year.

October 2010

Terrorist Financing

BR-1.5.13
As per Rule FC-8.2.4, licensees must report to the Compliance Directorate at the CBB, details of:

a) Funds or other financial assets or economic resources have with them which may be the subject of Article 1, paragraphs (c) and (d) of UNSCR 1373; and

b) All claims, whether actual or contingent, which the licensee has on persons and entities which may be the subject of Article 1, paragraphs (c) and (d) of UNSCR 1373.

October 2010

Counterfeit Currency

BR-1.5.14
In accordance with Rule GR-10.1.3, licensees must submit a report on any counterfeit currency discovered. The report should detail the name of the customer, the date of receipt of the notes(s), the name of the person who brought in the note(s), if different from the customer, and the action (if any) taken by the relevant licensee.

October 2010

BR-1.5.15
In the case of counterfeit Bahraini Dinar currency, the report should be submitted to the Director of Currency Issue at the CBB, the Director of the Compliance Directorate at the CBB and copied to the Director of the Financial Intelligence Unit at the Ministry of Interior.

October 2010

BR-1.5.16
In the case of all other foreign counterfeit currency, the report should be submitted to the Director of the Compliance Directorate at the CBB and copied to the Director of the Financial Intelligence Unit at the Ministry of Interior.

October 2010

BR-1.5.17
Licensees must submit a report, in the form of a confirmation letter, detailing the use of counterfeit currency detection equipment at the premises, as per required under section GR-10.1. The report must be submitted annually and must provide the exact specifications of counterfeit currency detection devices installed at each licensees head office and branches. The report should be submitted to the Currency Issue Directorate at the CBB within one month following the end of every financial year.

October 2010

Insurance Coverage Return

BR-1.5.18
Licensees must submit an Insurance Coverage Return (Form ICR) on an annual basis. Additionally, they must provide, upon request, evidence to the CBB of the coverage in force.

October 2010

Annual License Fee

BR-1.5.19
Licensees must complete and submit Form ALF (Annual License Fee) to the CBB, no later than 30 April each year, together with the payment due under Rule AU-5.2.1.

October 2010

Institutional Information System (IIS)

BR-1.5.20
Licensees are required to complete online non-financial information related to their institution by accessing the CBB's institutional information system (IIS). Licensees must update the required information at least on a quarterly basis or when a significant change occurs in the non-financial information included in the IIS. If no information has changed during the quarter, the licensee must still access the IIS quarterly and confirm the information contained in the IIS. Licensees must ensure that they access the IIS within 20 calendar days from the end of the related quarter and either confirm or update the information contained in the IIS.

Amended: January 2013
January 2011

BR-1.5.21
Licensees failing to comply with the requirements of Paragraph BR-1.5.20 or reporting inaccurate information are subject to financial penalties or other enforcement actions as outlined in Module (EN) Enforcement.

January 2011

BR-1.6 BR-1.6 Onsite Inspection Reporting

BR-1.6.1
For the purpose of onsite inspection by the CBB, Licensees must submit requested inspection documents and completed questionnaires to the Inspection Directorate at the CBB three working days ahead of inspection team entry date.

Added: April 2017

BR-1.6.2
Licensees must review the contents of the draft Inspection Report and submit to the Inspection Directorate at the CBB a written assessment of the observations/issues raised within fifteen working days of receipt of such report. Evidentiary documents supporting management’s comments must also be included in the response package.

Amended: January 2022
Added: April 2017

BR-1.6.3
Licensees board are required to review the contents of the Inspection Report and submit within one month, of the report issue date, a final response to such report along with an action plan addressing the issues raised within the stipulated timeline.

Added: April 2017

BR-1.6.4
Licensees failing to comply with the requirements of Paragraphs BR-1.6.1 and BR-1.6.2 are subject to date sensitive requirements and other enforcement actions as outlined in Module (EN) Enforcement.

Added: April 2017

BR-2 BR-2 Notifications and Approvals

BR-2.1 BR-2.1 Introduction

BR-2.1.1
All notifications and approvals required in this Chapter are to be submitted by licensees in writing.

October 2010

BR-2.1.2
In this Module, the term 'in writing' includes electronic communication capable of being reproduced in paper form.

October 2010

BR-2.1.3
A licensee must make the notifications and approvals required in Chapter BR-2 immediately when it becomes aware, or has information which reasonably suggests, that any of the matters in Chapter BR-2 have occurred, may have occurred or may occur in the near future.

October 2010

BR-2.1.4
The requirements imposed on licensees under this Chapter apply whether the event relates to a matter that has occurred in Bahrain or in any other jurisdiction.

October 2010

BR-2.1.5
Licensees are required to provide the CBB with a range of information to enable it to monitor the licensee's compliance with Volume 5 (Specialised Licensees) of the CBB Rulebook. Some of this information is provided through regular reports, whereas others are in response to the occurrence of a particular event (such as a change in name or address). The following Sections list the commonly occurring reports for which a licensee will be required to notify the CBB or seek its approval.

Amended: January 2011
October 2010

BR-2.2 BR-2.2 Notification Requirements

Matters Having a Serious Supervisory Impact

BR-2.2.1
A licensee must notify the CBB if any of the following has occurred, may have occurred or may occur in the near future:

(a) The licensee failing to satisfy one or more of the Principles of Business referred to in Module PB;

(b) Any matter which could have a significant adverse impact on the licensee's reputation;

(c) Any matter which could affect the licensee's ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the licensee;

(d) Any matter in respect of the licensee that could result in material financial consequences to the financial system or to other licensees;

(e) A significant breach of any provision of the Rulebook (including a Principle);

(f) A breach of any requirement imposed by the relevant law or by regulations or an order made under any relevant law by the CBB; or

(g) If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way, it must notify the CBB immediately (ref. BR-3.3.2).

October 2010

BR-2.2.2
The circumstances that may give rise to any of the events in Paragraph BR-2.2.1 are wide-ranging and the probability of any matter resulting in such an outcome, and the severity of the outcome, may be difficult to determine. However, the CBB expects licensees to consider properly all potential consequences of events.

October 2010

BR-2.2.3
In determining whether an event that may occur in the near future should be notified to the CBB, a licensee should consider both the probability of the event happening and the severity of the outcome should it happen. Matters having a supervisory impact could also include matters relating to a controller that may indirectly have an effect on the licensee.

October 2010

Legal, Professional, Administrative or other Proceedings Against a Licensee

BR-2.2.4
A licensee must notify the CBB immediately of any legal, professional or administrative or other proceedings instituted against the licensee or controller of the licensee that is known to the licensee and is significant in relation to the licensee's financial resources or its reputation.

October 2010

BR-2.2.5
A licensee must notify the CBB of the bringing of a prosecution for, or conviction of, any offence under any relevant law against the licensee that would prevent the licensee from meeting the Principles of Business (Module PB) or any of its Directors, officers or approved persons from meeting the fit and proper requirements of Module AU.

Amended: January 2011
October 2010

Fraud, Errors and other Irregularities

BR-2.2.6
A licensee must notify the CBB immediately if one of the following events arises:

(a) It becomes aware that an employee may have committed fraud against one of its customers;

(b) It becomes aware that a person, whether or not employed by it, is acting with intent to commit fraud against it;

(c) It identifies irregularities in its accounting or other records, whether or not there is evidence of fraud;

(d) It suspects that one of its employees may be guilty of serious misconduct concerning his honesty or integrity and which is connected with the licensee's regulated activities; or

(e) Any conflicts of interest.

Amended: January 2011
October 2010

Insolvency, Bankruptcy and Winding Up

BR-2.2.7
Except in instances where the CBB has initiated the following actions, a licensee must notify the CBB immediately of any of the following events:

(a) The calling of a meeting to consider a resolution for winding up the licensee or a controller of the licensee;

(b) An application to dissolve a controller of the licensee or to strike the licensee off the Register of Money Changing Companies;

(c) The presentation of a petition for the winding up of a controller of the licensee;

(d) The making of any proposals, or the making of, a composition or arrangement with any one or more of the licensee's creditors, for material amounts of debt;

(e) An application for the appointment of an administrator or trustee in bankruptcy to a controller of the licensee;

(f) The appointment of a receiver to a controller of the licensee (whether an administrative receiver or a receiver appointed over particular property); or

(g) An application for an interim order against the licensee, a controller of the licensee under the Bankruptcy and Composition Law of 1987 or similar legislation in another jurisdiction.

October 2010

[Deleted January 2011]
Deleted: January 2011
October 2010

BR-2.2.8
[This Paragraph was deleted in January 2011].

BR-2.2.9
[This Paragraph was deleted in January 2011].

External Auditor

BR-2.2.10
A licensee must notify the CBB of the following:

(a) Removal or resignation of its external auditor (ref. AA-1.2.1); or

(b) Change in audit partner (ref. AA-1.3.3).

October 2010

Approved Persons

BR-2.2.11
A licensee must notify the CBB of the termination of employment of approved persons, including particulars of reasons for the termination and arrangements with regard to replacement (ref. AU-4.4.6).

October 2010

BR-2.2.12
Licensees must immediately notify the CBB when they become aware of any of the events listed in Paragraph EN-8.2.3, affecting one of their approved persons.

Amended: January 2011
October 2010

BR-2.2.13
Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee.

October 2010

Capital Adequacy

BR-2.2.14
In the event that a licensee fails to meet any of the requirements specified in Module CA (Capital Adequacy), it must, on becoming aware that it has breached the requirements, immediately notify the CBB in writing (ref. CA-1.1.5).

October 2010

BR-2.2.15
As specified in Article 58 of the CBB Law, a licensee must notify the CBB immediately of any matter that may affect its financial position, currently or in the future, or limit its ability to meet its obligations.

October 2010

Branches

BR-2.2.16
An application for authorisation of a new branch will not be considered by the CBB unless the written confirmation that the preceding branch is operational, as required in Rule AU-4.2.4 above, has been submitted.

October 2010

Outsourcing Arrangements

BR-2.2.17
Licensees must immediately inform their normal supervisory contact at the CBB of any material problems or changes encountered with an outsourcing provider.

Amended: January 2023
October 2010

BR-2.2.18
A licensee must nominate an approved person within the licensee to handle the responsibility of the day-to-day relationship with the outsourcing provider and to ensure that relevant risks are addressed. The CBB should be informed of the designated individual as part of the written prior approval required under Rule RM-2.1.7.

October 2010

Controllers

BR-2.2.19
If, as a result of circumstances outside the licensee's knowledge and/or control, one of the changes to their controllers specified in Paragraph GR-5.1.1 is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB as soon as it becomes aware of the fact and no later than 15 calendar days after the change occurs (ref. GR-5.1.4).

October 2010

BR-2.2.20
As specified in Article 52 of the CBB Law, a licensee must notify the CBB of the following events:

(a) If effective control over a licensee takes place indirectly whether by way of inheritance or otherwise;

(b) Gaining control directly as a result of any action leading to it; or

(c)The intention to take any of the actions that would lead to control.

October 2010

Promotional Schemes

BR-2.2.21
Licensees must notify the CBB, and send copies of the documentation relating to promotional schemes, at least 2 weeks prior to their launch, after ensuring that such promotional schemes are in line with the Rules under Section BC-2.2.

October 2010

BR-2.3 BR-2.3 Approval Requirements

Branches or Subsidiaries

BR-2.3.1
In accordance with Rule AU-4.2.1, a licensee should seek prior written approval from the CBB for opening a branch or a subsidiary.

Amended: April 2011
October 2010

BR-2.3.2
Licensees wishing to cancel an authorisation for a branch or subsidiary must obtain the CBB's written approval, before ceasing the activities of the branch or subsidiary.

Amended: April 2011
October 2010

Change in Name

BR-2.3.3
In accordance with Paragraph GR-3.1.1, a licensee must seek prior written approval from the CBB and give reasonable advance notice of a change in:

(a) The licensee's name (which is the registered name if the licensee is a body corporate); or

(b) The licensee's trade name.

October 2010

BR-2.3.4
The request under Paragraph BR-2.3.3 must include the details of the proposed new name and the date on which the licensee intends to implement the change of name.

October 2010

Change of Address

BR-2.3.5
As specified in Article 51 of the CBB Law, a licensee must seek approval from the CBB and give reasonable advance notice of a change in the address of the licensee's principal place of business in Bahrain, and that of its branches.

October 2010

BR-2.3.5A
For purposes of Paragraph BR-2.3.5, the relocation of a branch within the same geographical area constitutes a change of address. However, the relocation of a branch to a different geographical area in Bahrain warrants a request for authorisation to open a new branch (as per Section AU-4.2) and close the existing branch.

Added: October 2012

BR-2.3.6
The request under Paragraph BR-2.3.5 must include the details of the proposed new address and the date on which the licensee intends to implement the change of address.

October 2010

Change in Legal Status

BR-2.3.7
A licensee must seek CBB approval and give reasonable advance notice of a change in its legal status that may, in any way, affect its relationship with or limit its liability to its customers.

October 2010

Change in Paid-up or Issued Capital

BR-2.3.8
As specified in Article 57(a)3. of the CBB Law, a licensee must seek CBB approval before making any modification to its issued or paid-up capital. In the case that a licensee has been granted approval to increase its paid-up capital, confirmation from the external auditor stating that the amount has been deposited in the licensee's bank account will subsequently be required.

October 2010

Licensed Regulated Activities

BR-2.3.9
Licensees wishing to cancel their license must obtain the CBB's written approval, before ceasing their activities. All such requests must be made in writing to the Director, Financial Institutions Supervision, setting out in full the reasons for the request and how the business is to be wound up.

October 2010

BR-2.3.10
As specified in Article 50 of the CBB Law, a licensee wishing to cease to provide all or any of its licensed regulated services, completely or at any of its branches, must obtain prior written approval from the CBB.

October 2010

BR-2.3.11
Licensees seeking to obtain the CBB's permission to cease business must submit to the CBB a formal request to the CBB for the appointment of a liquidator acceptable to the CBB.

October 2010

Controllers

BR-2.3.12
In accordance with Section GR-5.1, licensees must seek CBB approval and give reasonable advance notice of any of the following events concerning the licensee:

(a) A person acquiring control or ceasing to have control;

(b) An existing controller acquiring an additional type of control (such as ownership or significant influence) or ceasing to have a type of control;

(c) An existing controller increasing the percentage of shares or voting power beyond 10%, 20% or 50%; and

(d) An existing controller becoming or ceasing to be a parent undertaking.

October 2010

Mergers, Acquisitions, Disposals and Establishment of New Subsidiaries

BR-2.3.13
A licensee incorporated in Bahrain must seek CBB approval and give reasonable advance notice of its intention to enter into a:

(a) Merger with another undertaking; or

(b) Proposed acquisition, disposal or establishment of a new subsidiary undertaking.

Amended: January 2020
Added: October 2010

BR-2.3.14
Licensees wishing to cancel an authorisation for a subsidiary undertaking must obtain the CBB's written approval, before ceasing the activities of the subsidiary.

Amended: April 2011
October 2010

Outsourcing Arrangements

BR-2.3.15
[This Paragraph was deleted in January 2023].

Deleted: January 2023
October 2010

Matters Having a Supervisory Impact

BR-2.3.16
A licensee must seek prior approval from the CBB for any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs after authorisation has been granted.

October 2010

BR-2.3.17
Any licensee that wishes, intends or has been requested to do anything that might contravene, in its reasonable opinion, the provisions of UNSCR 1373 (and in particular Article 1, Paragraphs c) and d) of UNSCR 1373) must seek, in writing, the prior written opinion of the CBB on the matter (ref. FC-8.2.2).

October 2010

BR-2.3.18
As specified in Article 57 of the CBB Law, a licensee wishing to modify its Memorandum or Articles of Association, must obtain prior written approval from the CBB.

October 2010

BR-2.3.19
As specified in Article 57 of the CBB Law, a licensee wishing to transfer all or a major part of its assets or liabilities inside or outside the Kingdom, must obtain prior written approval from the CBB.

October 2010

External Auditor

BR-2.3.20
A licensee must seek prior approval from the CBB for the appointment or re-appointment of its external auditor (ref. AU-2.7.1 and AA-1.1.1).

October 2010

Dividend Distribution

BR-2.3.21
Licensees, must obtain the CBB's prior written approval to any dividend proposed to be distributed to the shareholders, in accordance with Chapter GR-4.

October 2010

Approved Persons

BR-2.3.22
A licensee must seek prior approval from the CBB for the appointment of persons undertaking a controlled function (ref. Article 65 of the CBB Law, AU-1.2 and AU-4.3).

October 2010

BR-2.3.23
Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee (ref. AU-4.3.10).

October 2010

BR-2.3.24
If a controlled function falls vacant, a licensee making immediate interim arrangements for the controlled function affected, must obtain approval from the CBB (ref. AU-4.4.6).

October 2010

Loans Extended to Related Parties

BR-2.3.25
In accordance with Section GR-11, Licensees must obtain the CBB's prior written approval for any loan in excess of BD 15,000, extended to the employees of the business.

October 2010

BR-2.3.26
Licensees must obtain the CBB's prior written approval before writing-off any loan extended to the employees of the business.

October 2010

Withdrawals

BR-2.3.27
No funds may be withdrawn by shareholders from the licensee without the necessary prior written approval of the CBB.

October 2010

BR-3 BR-3 Information Gathering by the CBB

BR-3.1 BR-3.1 Power to Request Information

BR-3.1.1
Licensees must provide all information that the CBB may reasonably request in order to discharge its regulatory obligations.

October 2010

BR-3.1.1A
Licensees must provide all relevant information and assistance to the CBB inspectors and appointed experts on demand as required by Articles 111 and 114 of the CBB Law. Failure by licensees to cooperate fully with the CBB's inspectors or appointed experts, or to respond to their examination reports within the time limits specified, will be treated as demonstrating a material lack of cooperation with the CBB which will result in other enforcement measures being considered, as described elsewhere in Module EN. This rule is supported by Article 114(a) of the CBB Law.

Added: April 2012

BR-3.1.1B
Article 163 of the CBB Law provides for criminal sanctions where false or misleading statements are made to the CBB or any person/appointed expert appointed by the CBB to conduct an inspection or investigation on the business of the licensee or the listed licensee.

Added: April 2012

Information Requested on Behalf of other Supervisors

BR-3.1.2
The CBB may ask a licensee to provide it with information at the request of or on behalf of other supervisors to enable them to discharge their functions properly. Those supervisors may include overseas supervisors or government agencies in Bahrain. The CBB may also, without notifying a licensee, pass on to those supervisors or agencies information that it already has in its possession.

October 2010

BR-3.2 BR-3.2 Access to Premises

BR-3.2.1
A licensee must permit representatives of the CBB, or persons appointed for the purpose by the CBB to have access, with or without notice, during reasonable business hours to any of its business premises in relation to the discharge of the CBB's functions under the relevant law.

October 2010

BR-3.2.2
A licensee must take reasonable steps to ensure that its agents and providers under outsourcing permit such access to their business premises, to the CBB.

October 2010

BR-3.2.3
A licensee must take reasonable steps to ensure that each of its providers under material outsourcing arrangements deals in an open and cooperative way with the CBB in the discharge of its functions in relation to the licensee.

October 2010

BR-3.2.4
The cooperation that licensees are expected to procure from such providers is similar to that expected of licensees themselves.

October 2010

BR-3.3 BR-3.3 Accuracy of Information

BR-3.3.1
Licensees must take reasonable steps to ensure that all information they give to the CBB is:

(a) Factually accurate or, in the case of estimates and judgements, fairly and properly based after appropriate enquiries have been made by the licensee; and

(b) Complete, in that it should include everything which the CBB would reasonably and ordinarily expect to have.

Amended: April 2012
October 2010

BR-3.3.2
If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way, it must notify the CBB immediately. The notification must include:

(a) Details of the information which is or may be false, misleading, incomplete or inaccurate, or has or may have changed;

(b) An explanation why such information was or may have been provided; and

(c) The correct information.

October 2010

BR-3.3.3
If the information in Paragraph BR-3.3.2 cannot be submitted with the notification (because it is not immediately available), it must instead be submitted as soon as possible afterwards.

October 2010

BR-3.4 BR-3.4 Methods of Information Gathering

BR-3.4.1
The CBB uses various methods of information gathering on its own initiative which require the cooperation of licensees:

(a) Representatives of the CBB may make onsite visits at the premises of the licensee. These visits may be made on a regular basis, or on a sample basis, for special purposes such as theme visits (looking at a particular issue across a range of licensees), or when the CBB has a particular reason for visiting a licensee;

(b) Appointees of the CBB may also make onsite visits at the premises of the licensee. Appointees of the CBB may include persons who are not CBB staff, but who have been appointed to undertake particular monitoring activities for the CBB, such as in the case of Appointed Experts (refer to Section BR-3.5).

(c) The CBB may request the licensee to attend meetings at the CBB's premises or elsewhere;

(d) The CBB may seek information or request documents by telephone, at meetings or in writing, including electronic communication;

(e) The CBB may require licensees to submit various documents or notifications, as per Chapter BR-2, in the ordinary course of their business such as financial reports or on the happening of a particular event in relation to the licensee such as a change in control.

Amended: April 2012
October 2010

BR-3.4.2
When seeking meetings with a licensee or access to the licensee's premises, the CBB or the CBB appointee needs to have access to a licensee's documents and personnel. Such requests will be made during reasonable business hours and with proper notice. There may be instances where the CBB may seek access to the licensee's premises without prior notice. While such visits are not common, the prospect of unannounced visits is intended to encourage licensees to comply at all times with the requirements and standards imposed by the CBB as per legislation and Volume 5 of the CBB Rulebook.

Amended: April 2012
October 2010

BR-3.4.3
The CBB considers that a licensee should:

(a) Make itself readily available for meetings with representatives or appointees of the CBB;

(b) Give representatives or appointees of the CBB reasonable access to any records, files, tapes or computer systems, which are within the licensee's possession or control, and provide any facilities which the representatives or appointees may reasonably request;

(c) Produce to representatives or appointees of the CBB specified documents, files, tapes, computer data or other material in the licensee's possession or control as may be reasonably requested;

(d) Print information in the licensee's possession or control which is held on computer or otherwise convert it into a readily legible document or any other record which the CBB may reasonably request;

(e) Permit representatives or appointees of the CBB to copy documents of other material on the premises of the licensee at the licensee's expense and to remove copies and hold them elsewhere, or provide any copies, as may be reasonably requested; and

(f) Answer truthfully, fully and promptly all questions which representatives or appointees of the CBB reasonably put to it.

Amended: April 2012
October 2010

BR-3.4.4
The CBB considers that a licensee should take reasonable steps to ensure that the following persons act in the manner set out in Paragraph BR-3.4.3:

(a) Its employees; and

(b) Any other members of its group and their employees.

Amended: April 2012
October 2010

BR-3.4.5
In gathering information to fulfill its supervisory duties, the CBB acts in a professional manner and with due regard to maintaining confidential information obtained during the course of its information gathering activities.

October 2010

BR-3.5 BR-3.5 The Role of the Appointed Expert

Introduction

BR-3.5.1
The content of this Chapter is applicable to all licensees and appointed experts.

Added: April 2012

BR-3.5.2
The purpose of the contents of this Chapter is to set out the roles and responsibilities of appointed experts when appointed pursuant to Article 114 or 121 of the CBB Law (see EN-2.1.1). These Articles empower the CBB to assign some of its officials or others to inspect or conduct investigations of licensees.

Added: April 2012

BR-3.5.3
The CBB uses its own inspectors to undertake on-site examinations of licensees as an integral part of its regular supervisory efforts. In addition, the CBB may commission reports on matters relating to the business of licensees in order to help it assess their compliance with CBB requirements. Inspections may be carried out either by the CBB's own officials, by duly qualified appointed experts appointed for the purpose by the CBB, or a combination of the two.

Added: April 2012

BR-3.5.4
The CBB will not, as a matter of general policy, publicise the appointment of an appointed expert, although it reserves the right to do so where this would help achieve its supervisory objectives. Both the appointed expert and the CBB are bound to confidentiality provisions restricting the disclosure of confidential information with regards to any such information obtained in the course of the investigation.

Added: April 2012

BR-3.5.5
Unless the CBB otherwise permits, appointed experts should not be the same firm appointed as external auditor of the licensee.

Added: April 2012

BR-3.5.6
Appointed experts will be appointed in writing, through an appointment letter, by the CBB. In each case, the CBB will decide on the range, scope and frequency of work to be carried out by appointed experts.

Added: April 2012

BR-3.5.7
All proposals to appoint appointed experts require approval by an Executive Director or more senior official of the CBB. The appointment will be made in writing, and made directly with the appointed experts concerned. A separate letter is sent to the licensee, notifying them of the appointment. At the CBB's discretion, a trilateral meeting may be held at any point, involving the CBB and representatives of the licensee and the appointed experts, to discuss any aspect of the investigation.

Added: April 2012

BR-3.5.8
Following the completion of the investigation, the CBB will normally provide feedback on the findings of the investigation to the licensee.

Added: April 2012

BR-3.5.9
Appointed experts will report directly to and be responsible to the CBB in this context and will specify in their report any limitations placed on them in completing their work (for example due to the licensee's group structure). The report produced by the appointed experts is the property of the CBB (but is usually shared by the CBB with the firm concerned).

Added: April 2012

BR-3.5.10
Compliance by appointed experts with the contents of this Chapter will not, of itself, constitute a breach of any other duty owed by them to a particular licensee (i.e. create a conflict of interest).

Added: April 2012

BR-3.5.11
The CBB may appoint one or more of its officials to work on the appointed experts' team for a particular licensee.

Added: April 2012

The Required Report

BR-3.5.12
The scope of the required report will be determined and detailed by the CBB in the appointment letter. Commissioned appointed experts would normally be required to report on one or more of the following aspects of a licensee's business:

(a) Accounting and other records;

(b) Internal control systems;

(c) Returns of information provided to the CBB;

(d) Operations of certain departments; and/or

(e) Other matters specified by the CBB.

Added: April 2012

BR-3.5.13
Appointed experts will be required to form an opinion on whether, during the period examined, the licensee is in compliance with the relevant provisions of the CBB Law and the CBB's relevant requirements, as well as other requirements of Bahrain Law and, where relevant, industry best practice locally and/or internationally.

Added: April 2012

BR-3.5.14
The appointed experts' report should follow the format set out in Appendix BR-10, in part B of the CBB Rulebook.

Amended: July 2013
Added: April 2012

BR-3.5.15
Unless otherwise directed by the CBB or unless the circumstances described in Section BR-3.5.19 apply, the report must be discussed with the Board of directors and/or senior management in advance of it being sent to the CBB.

Added: April 2012

BR-3.5.16
Where the report is qualified by exception, the report must clearly set out the risks which the licensee runs by not correcting the weakness, with an indication of the severity of the weakness should it not be corrected. Appointed experts will be expected to report on the type, nature and extent of any weaknesses found during their work, as well as the implications of a failure to address and resolve such weaknesses.

Added: April 2012

BR-3.5.17
If the appointed experts conclude, after discussing the matter with the licensee, that they will give a negative opinion (as opposed to one qualified by exception) or that the issue of the report will be delayed, they must immediately inform the CBB in writing giving an explanation in this regard.

Added: April 2012

BR-3.5.18
The report must be completed, dated and submitted, together with any comments by directors or management (including any proposed timeframe within which the licensee has committed to resolving any issues highlighted by the report), to the CBB within the timeframe applicable.

Added: April 2012

Other Notifications to the CBB

BR-3.5.19
Appointed experts must communicate to the CBB, during the conduct of their duties, any reasonable belief or concern they may have that any of the requirements of the CBB, including the criteria for licensing a licensee (see Module AU), are not or have not been fulfilled, or that there has been a material loss or there exists a significant risk of material loss in the concerned licensee, or that the interests of customers are at risk because of adverse changes in the financial position or in the management or other resources of a licensee. Notwithstanding the above, it is primarily the licensee's responsibility to report such matters to the CBB.

Added: April 2012

BR-3.5.20
The CBB recognises that appointed expertscannot be expected to be aware of all circumstances which, had they known of them, would have led them to make a communication to the CBB as outlined above. It is only when appointed experts, in carrying out their duties, become aware of such a circumstance that they should make detailed inquiries with the above specific duty in mind.

Added: April 2012

BR-3.5.21
If appointed experts decide to communicate directly with the CBB in the circumstances set out in Paragraph BR-3.5.19, they may wish to consider whether the matter should be reported at an appropriate senior level in the licensee at the same time and whether an appropriate senior representative of the licensee should be invited to attend the meeting with the CBB.

Added: April 2012

Permitted Disclosure by the CBB

BR-3.5.22
Information which is confidential and has been obtained under, or for the purposes of, this chapter or the CBB Law may only be disclosed by the CBB in the circumstances permitted under the Law. This will allow the CBB to disclose information to appointed experts to fulfil their duties. It should be noted, however, that appointed experts must keep this information confidential and not divulge it to a third party except with the CBB's permission and/or unless required by Bahrain Law.

Added: April 2012

Trilateral Meeting

BR-3.5.23
The CBB may, at its discretion, call for a trilateral meeting(s) to be held between the CBB and representatives of the relevant licensee and the appointed experts. This meeting will provide an opportunity to discuss the appointed experts' examination of, and report on, the licensee.

Added: April 2012

Appendices: Appendix 1

Format of Financial Reporting
1. The auditor's report on the accounts must state whether, in his opinion:
a) The business has maintained proper accounting records;

b) The accounts have been prepared in accordance with the International Financial Accounting Standards (IFRS) and with requirements below;

c) The financial statements present, truly and fairly, the financial position of the business as at 31st December, xxxx; and

d) The business has complied with the Rules within the Money Changers Modules and with the terms and conditions of its license; in specific in respect of maintaining net assets, valid bank guarantee and separate commercial registration.

2. The accounts should be drawn up in accordance with the following breakdown:
A- Assets:
1. Cash in hand

2. Balances with banks payable within 7 days

3. Other balances with banks

4. Drafts receivable

5. Due from travellers' cheque companies

6. Gold

7. Other precious metals

8. Due from money changers

9. Fixed Assets

10. Other Assets

B- Liabilities
1. Drafts payable

2. Due to travellers' cheque companies

3. Due to money changers

4. Borrowings from banks

5. Other liabilities

C- Shareholders' Equity:
1. Paid-up Capital

2. Statutory Reserve

3. General Reserve

4. Retained Earnings/Loss

D- Off-Balance Sheet Items:
1. Unsettled foreign exchange contracts

2. Unsettled dealing in gold and other precious metals

E- Income Statement:
1. From dealing in foreign currencies

2. From selling and buying drafts

3. From selling and cashing travellers' cheques

4. From dealing in gold and precious metals

5. Interest income

6. Other income

F- Expenses:
1. Staff expenses

2. Office rent

3. Interest expense

4. Depreciation

5. Provisions

6. General expenses

7. Other expenses

3. Any additional significant items in the accounts should be added in both the form and the notes to the accounts.

4. Additionally, the following guidelines should be observed:
(a) Item A1. A2 and A3 — a breakdown of each item into assets denominated in Bahraini Dinars and foreign currencies should be provided in the notes.

(b) A4 and A5 — these are drafts/travellers' cheques purchased from customers for which the value will be received after the balance sheet date.

(c) A10 — If the amount is equal to or more than 10% of total assets, a breakdown should be disclosed in the note. In any events, loans to employees should be stated in a separate note.

(d) B1 and B2 — these are the drafts/traveller's cheques sold out to customers for which the value will be given after the balance sheet date.

(e) B4 — a breakdown of the borrowings should be given in the note together with the types of collateral provided against such borrowings.

(f) B5 — if the amount is equal to or more than 10% of total liabilities, a breakdown should be disclosed in the note.

(g) E6 — if the amount is equal to or more than 10% of total income a breakdown should be disclosed in the note.

(h) F1 — total number of staff employed should be disclosed with a breakdown of Bahraini and non-Bahraini together with their respective costs.

(i) F7 — if the amount is equal to or more than 10% of total expenses a breakdown should be disclosed in the note.

Amended: April 2014
October 2010

Location:

Type 1: Type 1: Money Changers Licensees

Part A Part A

High Level Standards

AU AU Money Changers Authorisation Module

AU-A AU-A Introduction

AU-A.1 AU-A.1 Purpose

Executive Summary

AU-A.1.1

AU-A.1.2

Retaining Authorised Status

AU-A.1.3

Legal Basis

AU-A.1.4

AU-A.1.5

AU-A.1.6

AU-A.2 AU-A.2 Module History

Evolution of Module

AU-A.2.1

AU-A.2.2

Superseded Requirements

AU-A.2.3

AU-B AU-B Scope of Application

AU-B.1 AU-B.1 Scope of Application

AU-B.1.1

AU-B.1.2

AU-B.2 AU-B.2 Authorised Persons

AU-B.2.1

AU-B.2.2

AU-1 AU-1 Authorisation Requirements

AU-1.1 AU-1.1 Licensing

AU-1.1.1

AU-1.1.2

AU-1.1.2A

AU-1.1.2B

AU-1.1.3

AU-1.1.4

AU-1.1.5

AU-1.1.6

AU-1.1.7

Money Changer License Permitted Activities

AU-1.1.8

AU-1.1.8A

AU-1.1.8B

AU-1.1.9

AU-1.1.10

AU-1.1.11

Suitability

AU-1.1.12

AU-1.1.13

AU-1.2 AU-1.2 Approved Persons

General Requirements

AU-1.2.1

AU-1.2.2

AU-1.2.3

Basis for Approval

AU-1.2.4

Definitions

AU-1.2.5

AU-1.2.6

AU-1.2.7

AU-1.2.8

AU-1.2.9

AU-1.2.10

AU-2 AU-2 Licensing Conditions

AU-2.1 AU-2.1 Condition 1: Legal Status

AU-2.1.1

AU-2.1.2

AU-2.2 AU-2.2 Condition 2: Mind and Management

AU-2.2.1

AU-2.2.2

AU-2.3 AU-2.3 Condition 3: Controllers

AU-2.3.1

AU-2.4 AU-2.4 Condition 4: Board and Employees

AU-2.4.1

AU-2.4.2

AU-2.4.3

AU-2.4.4

AU-2.5 AU-2.5 Condition 5: Financial Resources

AU-2.5.1