Business Standards
CA CA Money Changers Capital Adequacy Module
CA-A CA-A Introduction
CA-A.1 CA-A.1 Purpose
Executive Summary
CA-A.1.1
This Module lays down requirements that apply to all
licensees , with respect to the minimum level of capital they must maintain.October 2010CA-A.1.2
Principle 9 of the Principles of Business requires that
licensees maintain adequate human, financial and other resources, sufficient to run their business in an orderly manner (see Section PB-1.1.9).October 2010Legal Basis
CA-A.1.3
This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) relating to the capital adequacy of
licensees , and is issued under the powers available to the CBB under Article 38 of the CBB Law. The Directive in this Module is applicable to alllicensees . Requirements regardingMoney Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.Amended: January 2011
October 2010CA-A.1.4
For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.
October 2010CA-A.2 CA-A.2 Module History
Evolution of Module
CA-A.2.1
This Module was first issued in October 2010 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.
CA-A.2.2
A list of recent changes made to this Module is provided below:
Module Ref. Change Date Description of Changes CA-A.1.3 01/2011 Clarified legal basis. CA-1.2.2 and CA-1.2.3 01/2011 Clarified minimum capital requirements for licensees authorised prior to 1st January 2011. CA-1.4.1 01/2011 Added cross reference. CA-1.4.1 07/2011 Clarified Rule pertaining to capital required for any additional branch. Superseded Requirements
CA-A.2.3
This Module supersedes the following provisions contained in circulars or other regulatory instruments:
Document Ref. Document Subject Standard Conditions and Licensing Criteria: Money Changers Capital Funds BC/24/99 Accounts of Money Changers BC/6/99 Bank Guarantee October 2010CA-B CA-B Scope of Application
CA-B.1 CA-B.1 Scope of Application
CA-B.1.1
The content of this Module applies to all
Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module aslicensees .October 2010CA-1 CA-1 Capital Adequacy Requirements
CA-1.1 CA-1.1 General Requirements
Obligation to Maintain Adequate Capital
CA-1.1.1
In accordance with Principle of Business 9 (Section PB-1.1.9),
licensees must maintain adequate human, financial and other resources sufficient to run their business in an orderly manner.October 2010CA-1.1.2
Licensees are required to maintain, at all times, the minimum capital requirement specified in Section CA-1.2.October 2010CA-1.1.3
In addition to the minimum capital requirements specified in Section CA-1.2 onwards, the CBB may, at its discretion, require
licensees to hold additional capital, should this be necessary (in the CBB's view) to meet additional liquidity requirements. (refer to CA-1.5.2)October 2010CA-1.1.4
No funds may be withdrawn by shareholders from the
licensee without the necessary prior written approval of the CBB.October 2010CA-1.1.5
In the event that a
licensee fails to meet any of the requirements specified in this Module, it must, on becoming aware that it has breached these requirements, immediately notify the CBB in writing. Unless otherwise directed, thelicensee must in addition submit to the CBB, within 30 calendar days of its notification, a plan demonstrating how it will achieve compliance with these requirements.October 2010CA-1.1.6
Should a
licensee fail to comply with the requirements of this Module, the CBB may impose enforcement measures, as described in Module EN.October 2010CA-1.2 CA-1.2 Minimum Capital Requirements
Key Requirements
CA-1.2.1
Licensees must ensure that, at all times, their Minimum Capital meets the requirement stipulated in Rule CA-1.2.2 below.October 2010CA-1.2.2
Minimum Capital Requirements are:(a) Paid-up Capital of not less than BD500,000;(b) Additional Paid-up Capital of BD30,000 for each branch; and(c) A Bank Guarantee of not less than BD50,000.Amended: January 2011
October 2010CA-1.2.3
For those
licensees authorised prior to 1st January 2011, the minimum paid-up capital noted in Subparagraph CA-1.2.2 (a) must be not less than BD200,000. In addition, such licensees must comply with Subparagraphs CA-1.2.2 (b) and (c).January 2011CA-1.3 CA-1.3 Guarantee Requirements
CA-1.3.1
Licensees are required to provide the CBB with a guarantee in respect of their liabilities. The guarantee must be:a) In favor of and callable by the CBB at the CBB's sole discretion;b) Unconditional and irrevocable;c) Issued by a retail bank licensed by the CBB;d) Valid at all times for a period of one year; ande) Renewed at least one week before its expiry and submitted to the CBB.October 2010CA-1.3.2
If the guarantee is not renewed within the stipulated timeframe, the CBB may call the guarantee.
October 2010CA-1.4 CA-1.4 Capital Requirement for Branches
CA-1.4.1
In addition to the minimum paid-up capital required under Section CA-1.2,
licensees must inject capital in the amount of BD30, 000 in respect of any additional branch (see CA-1.2.2 for additional details).Amended: July 2011
Amended: January 2011
October 2010CA-1.4.2
Licensees must provide the CBB with evidence of the deposited amount of capital as part of the application for a branch outlined in Section 4.2 of the Module AU (Authorisation).October 2010CA-1.5 CA-1.5 Additional Requirements
CA-1.5.1
A
licensee 's liabilities should not exceed threefold its capital and reserves.October 2010CA-1.5.2
A
licensee 's liquid assets must be held in a form acceptable to the CBB, in a minimum amount of three months estimated expenditures including salaries, rent, general utilities and other operating costs.October 2010CA-1.5.3
Liquid assets comprise of cash, cash equivalents, and placements or deposits maturing within 30 days.
October 2010BC BC Money Changers Business Conduct Module
BC-A BC-A Introduction
BC-A.1 BC-A.1 Purpose
Executive Summary
BC-A.1.1
This Module contains requirements that have to be met by
licensees with regards to their dealings withcustomers .October 2010BC-A.1.2
The Rules contained in this Module aim to ensure that
licensees deal with theircustomers in a fair and open manner, and address theircustomers ' information needs.October 2010BC-A.1.3
The Rules build upon several of the Principles of Business (see Module PB (Principles of Business)). Principle 1 (Integrity) requires
licensees to observe high standards of integrity and fair dealing, and to be honest and straightforward in their dealings withcustomers . Principle 3 (Due skill, care and diligence) requireslicensees to act with due skill, care and diligence when acting on behalf of theircustomers . Principle 7 (Customer Interests) requireslicensees to pay due regard to the legitimate interests and information needs of theircustomers , and to communicate with them in a fair and transparent manner.October 2010BC-A.1.4
The Rules contained in this Module are largely principles-based and focus on desired outputs rather than on prescribing detailed processes. This gives
licensees flexibility in how to implement the basic standards prescribed in this Module.October 2010Legal Basis
BC-A.1.5
This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) on business conduct by
licensees , and is issued under the powers available to the CBB under Article 38 of the CBB Law. The directive in this Module is applicable to alllicensees . Requirements regardingMoney Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.Amended: January 2011
October 2010BC-A.1.6
For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.
October 2010BC-A.2 BC-A.2 Module History
Evolution of the Module
BC-A.2.1
This Module was first issued in October 2010 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.
BC-A.2.2
A list of recent changes made to this Module is provided below:
Module Ref. Change Date Description of Changes BC-A.1.5 01/2011 Clarified legal basis. BC-2.5.2 07/2019 Amended the number of years for record keeping. BC-C 10/2020 Added a new Chapter on Provision of Financial Services on a Non-discriminatory Basis Superseded Requirements
BC-A.2.3
This Module supersedes the following provisions contained in circulars or other regulatory requirements:
Document Ref. Document Subject EDBC/73/96 Explanatory note on the promotion of banking and financial products offered in/from Bahrain by means of incentives. October 2010BC-B BC-B Scope of Application
BC-B.1 BC-B.1 Scope of Application
BC-B.1.1
The content of this Module applies to all
Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module aslicensees .October 2010BC-C BC-C Provision of Financial Services on a Non-discriminatory Basis
BC-C.1 BC-C.1 Provision of Financial Services on a Non-discriminatory Basis
BC-C.1.1
Money changer licensees must ensure that all regulated financial services are provided without any discrimination based on gender, nationality, origin, language, faith, religion, physical ability or social standing.Added: October 2020BC-1 BC-1 Base Requirements
BC-1.1 BC-1.1 General Rules
BC-1.1.1
This Module applies to all
licensees .October 2010BC-1.1.2
This Module aims to encourage high standards of business conduct, which are broadly applicable to all
licensees , all types ofregulated money changer services , and all types ofcustomers .October 2010BC-1.1.3
Licensees must comply with theMoney Changers' Business Code of Practice ('the Code' ), under Chapter 2 of this Module, throughout the lifetime of their relationship with acustomer .October 2010BC-1.1.4
Licensees must take responsibility for compliance with theCode by all persons carrying outregulated money changer services on their behalf.Licensees must put in place appropriate measures across all their business operations to ensure compliance with theCode .October 2010BC-1.1.5
The Business
Code of Practice comprises a number of overarching principles of business conduct, with respect to the conduct ofregulated money changer services bylicensees ; these cover the various stages of the life of acustomer relationship.October 2010BC-1.1.6
Licensees must maintain adequate records to demonstrate compliance with theCode .October 2010BC-1.1.7
The
Code focuses on desired outcomes, rather than prescribing detailed measures to achieve those outcomes.October 2010BC-1.1.8
The CBB will monitor compliance with the
Code and business conduct standards. If required, the CBB may develop more detailed rules and guidance to supplement the existingCode .October 2010BC-2 BC-2 The Business Code of Practice
BC-2.1 BC-2.1 Overarching Principles
BC-2.1.1
In the course of
regulated money changer services ,licensees must:(a) Act with due skill, care and diligence in all dealings withcustomers ;(b) Act fairly and reasonably in all dealings withcustomers ;(c) Identifycustomers ' specific requirements in relation to the services about which they are enquiring;(d) Provide sufficient information to enablecustomers to make informed decisions when purchasing services offered to them, as listed under Paragraph BC-2.5.2 of the Appendix;(e) Provide sufficient and timely documentation tocustomers to confirm that their transaction arrangements are in place and provide all necessary information about their rights and responsibilities, as listed under Paragraph BC-2.5.3 of the Appendix;(f) Maintain fair treatment ofcustomers through the lifetime of thecustomer relationships, and ensure thatcustomers are kept informed of important events;(g) Ensure complaints fromcustomers are dealt with fairly and promptly, in accordance with the Rules under Section BC-2.3;(h) Ensure that all information provided tocustomers is clear, fair and not misleading, and appropriate tocustomers ' information needs; and(i) Take appropriate measures to safeguard any money and precious metals handled on behalf ofcustomers and maintain confidentiality ofcustomer information.October 2010BC-2.2 BC-2.2 Marketing and Promotion
BC-2.2.1
Licensees must ensure that all advertising and promotional material is fair, clear and not misleading.October 2010BC-2.2.2
In ensuring that the description of the service in the promotional material is fair, clear and not misleading, the
licensee should send copies of the documentation relating to promotional schemes to the CBB at least 2 weeks prior to their launch and should, among other precautionary measures, ensure that:a) The purpose, and to the extent practicable, the content, of the information or communication are likely to be understood by the average member of the group to whom the communication is addressed;b) Key items contained in the information are given due prominence;c) The method of presentation in the information does not disguise, diminish, or obscure important risks, warnings or information; andd) The communication does not omit information that is material to ensure it is fair, clear and not misleading.October 2010BC-2.2.3
Licensees must ensure that the accuracy of all material statements of fact in promotional materials is supported by adequate evidence.October 2010BC-2.2.4
Licensees must not, in any form of communication with an individualcustomer , attempt to limit or avoid any duty or liability it may have towards the individualcustomer in relation toregulated money changing services. October 2010Content of Promotions
BC-2.2.5
Before a
licensee communicates any promotional material to acustomer or a potentialcustomer it must ensure the promotional material at the very least contains the information laid out in Paragraph BC-2.5.1 of the Appendix.BC-2.2.6
Licensees must not make use of the name of the CBB in any promotion in such a way that would indicate endorsement or approval of its services.BC-2.2.7
All documentation concerning promotional schemes must be in Arabic and English and, if relevant, any other language necessary for customers to fully understand and appreciate their terms and conditions. Such terms and conditions, including any related advertising, need to be clear, concise, truthful, unambiguous and complete so as to enable
customers to make a fully informed decision.BC-2.2.8
Customers to whom promotional schemes are directed should enjoy equal opportunity in terms of access to, and treatment within, such schemes.BC-2.2.9
No costs (including funding costs), charges or levies associated with promotional schemes should be concealed from prospective
customers .BC-2.2.10
Any raffles/lotteries etc. held as part of promotional schemes should be independently monitored (e.g. by the institution's external auditor) and adequate systems put in place to ensure fair play and impartiality.
BC-2.2.11
An appropriate system should also exist for informing participants of the results of a raffle/lottery without delay.
BC-2.2.12
Institutions should note that raffles/lotteries etc. may be subject to rules and requirements (including prior authorisation/approval) laid down by the Ministry of Industry and Commerce.
Records
BC-2.2.13
Licensees must maintain a record of all promotional materials issued by them or on their behalf, particularly where raffles/lotteries etc. are concerned.BC-2.3 BC-2.3 Complaints
BC-2.3.1
Licensees must disclose, maintain and operate effective procedures for handling complaints in a reasonable and timely manner. These procedures include:(a) Informingcustomers in writing of any out of court complaint and redress mechanism and methods for having access to it;(b) Paying compensation or other forms of redress tocustomers where thelicensee decides this is appropriate; and(c) Regularly verifying if complaints are effectively processed.October 2010BC-2.3.2
Upon receiving complaints from
customers (either orally or in writing),licensees must:(a) Acknowledge complaints promptly, within 5 business days, and providecustomers with an explanation about how the complaint will be handled and any actions required of thecustomer ;(b) Consider and handle complaints fairly and promptly, keepingcustomers informed of progress; and(c) Provide final responses tocustomers ' complaints without undue delay and within 20 business days.October 2010BC-2.3.3
In their final responses to
customers ' complaints,licensees must:(a) Accept (or partially accept) the complaint and where appropriate offer compensation or other forms of redress; or(b) Reject (or partially reject) the complaint, informingcustomers with a full explanation of thelicensee 's position.October 2010Records
BC-2.3.4
Licensees must maintain adequate records of all complaints received, and how they were dealt with, to a level of detail sufficient to demonstrate compliance with this Section and in accordance with the Rules under Section GR-1.October 2010BC-2.3.5
In recording complaints activity,
licensees should consider the types of data and reports that will enable them to demonstrate compliance with the above Rules for handling complaints, together with the overarching principles requiring fair dealings withcustomers .October 2010BC-2.4 BC-2.4 Confidentiality
BC-2.4.1
Licensees must ensure that any information obtained from theircustomers is not used or disclosed unless:(a) They have thecustomer's consent;(b) Disclosure is made in accordance with thelicensee's regulatory obligations; or(c) Thelicensee is legally obliged to disclose the information in accordance with Article 117 of the CBB Law.October 2010BC-2.4.2
Licensees must take appropriate steps to ensure the security of any information handled or held on behalf of theircustomers .October 2010BC-2.5 BC-2.5 Appendix
BC-2.5.1
The minimum information that should be contained in promotional material includes:
(a) The name of thelicensee communicating the promotional material;(b) Thelicensee's address;(c) A description of the main characteristics of the service offered;(d) Suitable warning regarding the risks of the service offered; and(e) A clear statement indicating that, if acustomer is in any doubt about the suitability of the agreement which is the subject of the promotion, he should consult thelicensee .October 2010BC-2.5.2
The minimum information that should be provided to
customers when purchasingregulated money changer services include:(a) The regulatory status of thelicensee ;(b) A statement that thelicensee is bound by the CBB's regulation and licensing conditions;(c) Thelicensee's name, address, e-mail and telephone number;(d) A statement of the services provided by thelicensee , as permitted by the CBB;(e) The total price to be paid by thecustomer to thelicensee for its services, or, where an exact price cannot be indicated, the basis for the calculation of the price enabling thecustomer to verify it;(f) A statement that clearly indicates the following:(i) Thecustomer's right to obtain copies of records relating to his business with thelicensee ;(ii) Thecustomer's record will be kept for 5 years or as otherwise required by Bahrain Law; and(g) The name and job title, address and telephone number of the person in thelicensee to whom any complaint should be addressed (in writing) by thecustomer .Amended: July 2019
October 2010BC-2.5.3
The minimum information that should be included in a transaction confirmation includes:
(a) Thelicensee's name and address;(b) Thecustomer's name or other identifier;(c) Whether the transaction was a sale or purchase;(d) The date and time of the transaction; and(e) The amount thelicensee charges in connection with the transaction, including commission charges.October 2010RM RM Money Changers Risk Management Module
RM-A RM-A Introduction
RM-A.1 RM-A.1 Purpose
Executive Summary
RM-A.1.1
This Module contains requirements relating to the management of risk by
licencees . It expands on certain high level requirements contained in other Modules. In particular, Section AU-2.6 of Module AU (Authorisation) specifies requirements regarding systems and controls that have to be met as a license condition; Principle 10 of the Principles of Business (ref. PB-1.10) requireslicencees to have systems and controls sufficient to manage the level of risk inherent in their business; and Module HC (High-level Controls) specifies various requirements relating to the role and composition of Boards, and related high-level controls.October 2010RM-A.1.2
This Module obliges
licensees to recognise the range of risks that they face and the need to manage these effectively. Their risk management framework is expected to have the resources and tools to identify, monitor and control all material risks. The adequacy of alicensee's risk management framework is subject to the scale and complexity of its operations, however. In demonstrating compliance with certain Rules,licensees with very simple operational structures and business activities may need to implement less extensive or sophisticated risk management systems, compared tolicensees with a complex and/or extensive customer base or operations.October 2010Legal Basis
RM-A.1.3
This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) regarding Risk Management requirements applicable to
licensees , and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regardingMoney Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.Amended: January 2011
October 2010RM-A.1.4
For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.
October 2010RM-A.2 RM-A.2 Module History
Evolution of the Module
RM-A.2.1
This Module was first issued in October 2010. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.
RM-A.2.2
A list of recent changes made to this Module is provided below:
Module Ref. Change Date Description of Changes RM-A.1.3 01/2011 Clarified legal basis. RM-2.1.2 10/2017 Amended Paragraph to allow the utilization of cloud services. RM-2.1.4A 10/2017 Added a new Paragraph on outsourcing requirements. RM-2.1.7 10/2017 Amended Paragraph. RM-2.1.9 10/2017 Amended Paragraph. RM-2.1.11 10/2017 Amended Paragraph. RM-2.1.13 10/2017 Added a new Paragraph on outsourcing. RM-2.1.15 10/2017 Amended Paragraph. RM-2.2.9 10/2017 Amended Paragraph. RM-2.2.15 10/2017 Amended Paragraph. RM-2.2.16 10/2017 Added a new Paragraph on security measures related to cloud services. RM-2.3.2 10/2017 Amended Paragraph. RM-1.5.5 01/2021 Added a new Paragraph on electronic fraud. RM-1.5.6 01/2021 Added a new Paragraph on electronic fraud awareness. RM-3 01/2022 Added a new Chapter on Cyber Security Risk Management. RM-3.1.61 04/2022 Deleted reference to BR. RM-3.1.58 04/2022 Amended Paragraph on cyber security incident reporting. RM-3.1.59 04/2022 Amended Paragraph on submission period of the cyber security incident report. RM-2 07/2022 Replaced Chapter RM-2 with new Outsourcing Requirements. RM-3.1.22 10/2022 Amended Paragraph on email domains requirements. RM-3.1.22A 10/2022 Added a new Paragraph on additional domains requirements. RM-1.5.7 – RM-1.5.9 07/2023 Added new Rules on secured customer authentication requirements. Superseded Requirements
RM-A.2.3
This Module does not replace any regulations or circulars in force prior to month year.
Document Ref. Date of Issue Module Ref. Document Subject October 2010RM-B RM-B Scope of Application
RM-B.1 RM-B.1 Scope of Application
RM-B.1.1
The content of this Module applies to all
Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module aslicensees .October 2010RM-1 RM-1 General Requirements
RM-1.1 RM-1.1 Risk Management
Board of Directors' Responsibility
RM-1.1.1
The Board of
Directors oflicensees must take responsibility for the establishment of an adequate and effective framework for identifying, monitoring and managing risks across all its operations.October 2010RM-1.1.2
The CBB expects the Board to be able to demonstrate that it provides suitable oversight and establishes, in relation to all the risks the
licencee is exposed to, a risk management framework that includes setting and monitoring policies, systems, tools and controls.October 2010RM-1.1.3
Although authority for the management of a firm's risks is likely to be delegated, to some degree, to individuals at all levels of the organisation, the overall responsibility for this activity should not be delegated from its governing body and relevant senior managers.
October 2010RM-1.1.4
A
licencees's failure to establish, in the opinion of the CBB, an adequate risk management framework will result in it being in breach of Condition 6 of the Licensing Conditions of Section AU-2.6. This failure may result in the CBB withdrawing or imposing restrictions on thelicensee , or thelicensee being required to inject more capital.October 2010RM-1.1.5
The Board of
Directors must also ensure that there is adequate documentation of thelicensee's risk management framework.October 2010Systems and Controls
RM-1.1.6
The risk management framework of
licensees must provide for the establishment and maintenance of effective systems and controls as are appropriate to their business, so as to identify, measure, monitor and manage risks.October 2010RM-1.1.7
An effective framework for risk management should include systems to identify, measure, monitor and control all major risks on an on-going basis. The risk management systems should be approved and periodically reviewed by the Board as outlined in HC-1.1.5.
October 2010RM-1.1.8
The systems and controls required by Paragraph RM-1.1.6 must be proportionate to the nature, scale and complexity of the firm's activities.
October 2010RM-1.1.9
The processes and systems required must enable the
licensee to identify the major sources of risk to its ability to meet its liabilities as they fall due, which include but are not limited to the following:(a) Counterparty Risk;(b) Liquidity Risk;(c) Market Risk; and(d) Operational Risk.October 2010RM-1.2 RM-1.2 Counterparty Risk
RM-1.2.1
Licensees must adequately document the necessary policies and procedures for identifying, measuring, monitoring and controlling counterparty risk. This policy must be approved and regularly reviewed by the Board ofDirectors of thelicensee .October 2010RM-1.2.2
Among other things, the
licensee's policies and procedures must identify the limits it applies to counterparties, how it monitors movements in counterparty risk and how it mitigates loss in the event of counterparty failure.October 2010RM-1.3 RM-1.3 Liquidity Risk
RM-1.3.1
Licensees must maintain a liquidity risk policy for the management of liquidity risk, which is appropriate to the nature, scale and complexity of its activities. This policy must be approved and regularly reviewed by the Board ofDirectors of thelicensee .October 2010RM-1.3.2
Among other things, the
licensee's liquidity risk policy must identify the limits it applies, how it monitors movements in risk and how it mitigates loss in the event of unexpected liquidity events.October 2010RM-1.4 RM-1.4 Market Risk
RM-1.4.1
Licensees must document their framework for the proactive management of market risk. This policy must be approved and regularly reviewed by the Board ofDirectors of thelicensee .October 2010RM-1.5 RM-1.5 Operational Risk
RM-1.5.1
Licensees must document their framework for the proactive management of operational risk. This policy must be approved and regularly reviewed by the Board ofDirectors of thelicensee .October 2010RM-1.5.2
Licensees must consider the impact of operational risks on their financial resources and solvency.October 2010RM-1.5.3
Licensees' business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on thelicensee and its business portfolio.October 2010RM-1.5.4
Business continuity management includes policies, standards, and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimise the operational, financial, legal, reputational and other material consequences arising from a disruption. Effective business continuity management concentrates on the impact, as opposed to the source, of the disruption, which affords financial industry participants and financial authorities greater flexibility to address a broad range of disruptions. At the same time, however,
licencees cannot ignore the nature of risks to which they are exposed.October 2010Electronic Frauds
RM-1.5.5
Licensees must implement enhanced fraud monitoring of movements in customers’ accounts to guard against electronic frauds using various tools and measures, such as limits in value, volume and velocity.Added: January 2021RM-1.5.6
Licensees must have in place customer awareness communications, pre and post registration process, using video calls, short videos or pop-up messages, to alert and warn natural persons using online channels or applications about the risk of electronic frauds, and emphasise the need to secure their personal credentials and not share them with anyone, online or offline.Added: January 2021Secure Authentication
RM-1.5.7
Licensees must take appropriate measures to authenticate the identity and authorisation of customers when the customer accesses the online or digital platform or when a transaction is initiated on the platform.Licensees must, at a minimum, establish adequate security features forcustomer authentication including the use of at least two different elements out of the following three elements:(a) Knowledge (something only the user knows), such as pin or password;(b) Possession (something only the user possesses) such as mobile phone, smart watch, smart card or a token; and(c) Inherence (something the user is), such as fingerprint, facial recognition, voice patterns, DNA signature and iris format.Added: July 2023RM-1.5.8
For the purpose of Paragraph RM-1.5.7,
licensees must ensure that the authentication elements are independent from each other, in that the breach of one does not compromise the reliability of the others and are sufficiently complex to prevent forgery.Added: July 2023RM-1.5.9
For the purposes of Subparagraph RM-1.5.7 (b), where a customer’s mobile device is registered/marked as ‘trusted’ using knowledge, biometric or other authentication methods through the
licensee’s application, the use of such mobile device would be considered as meeting the ‘possession’ element for authentication of future access or transactions using that device.Added: July 2023RM-2 RM-2 Outsourcing Requirements
RM-2.1 RM-2.1 Outsourcing Arrangements
RM-2.1.1
This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.
Amended: July 2022
October 2010RM-2.1.2
In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.
Amended: July 2022
October 2010RM-2.1.3
In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:
i. The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; andii. The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.Amended: July 2022
Amended: October 2017
October 2010RM-2.1.4
The
licensee must not outsource the following functions:(i) Compliance;(ii) AML/CFT;(iii) Financial control;(iv) Risk management; and(v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).Amended: July 2022
October 2010RM-2.1.5
For the purposes of Paragraph RM-2.1.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph RM-2.1.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.
Amended: July 2022
October 2010RM-2.1.6
Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph RM-2.1.4 (iv), subject to CBB’s prior approval.
Amended: July 2022
October 2010RM-2.1.7
Licensees must comply with the following requirements:(i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; andb. be made at least 30 calendar days before the licensee intends to commit to the arrangement.(ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.(iii)Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.(iv)Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of thelicensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.(v)Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement.(vi)Licensee must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.(vii)Licensee must inform its normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.Amended: July 2022
Amended: October 2017
October 2010RM-2.1.8
For the purpose of Subparagraph RM-2.1.7 (iv),
licensees as part of their assessments may use the following:a) Independent third-party certifications on the outsourcing service provider’s security and other controls;b) Third-party or internal audit reports of the outsourcing service provider; andc) Pooled audits organized by the outsourcing service provider, jointly with its other clients.When conducting on-site examinations,
licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.Amended: July 2022
October 2010RM-2.1.9
For the purpose of Subparagraph RM-2.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.
Amended: July 2022
Amended: October 2017
October 2010RM-2.2 [This Section was deleted in July 2022]
RM-2.3 [This Section was deleted in July 2022]
RM-2.4 [This Section was deleted in July 2022]
RM-3 RM-3 Cyber Security Risk Management
RM-3.1 RM-3.1 Cyber Security Risk Management
Role of the Board and Senior Management
RM-3.1.1
The Board of
money changer licensees must ensure that thelicensee has a robust cyber security risk management framework to comprehensively manage thelicensee ’s cyber security risk and vulnerabilities. The Board must establish clear ownership, decision-making and management accountability for risks associated with cyber-attacks and related risk management and recovery processes.Added: January 2022RM-3.1.2
Licensees must ensure that the cyber security risk management framework encompasses, at a minimum, the following components:a) Cyber security strategy;b) Cyber security policy; andc) Cyber security risk management approach, tools and methodology and, an organization-wide security awareness program.Added: January 2022RM-3.1.3
The cyber security risk management framework must be developed in accordance with the National Institute of Standards and Technology (NIST) Cyber security framework which is summarized in Appendix A – Cyber security Control Guidelines. At the broader level, the Cyber security framework should be consistent with the
licensee ’s risk management framework.Added: January 2022RM-3.1.4
Senior management, and where appropriate, the boards, should receive comprehensive reports covering cyber security issues such as the following:
a. Key Risk Indicators/Key Performance Indicators;b. Status reports on overall cyber security control maturity levels;c. Status of staff Information Security awareness;d. Updates on latest internal or relevant external cyber security incidents; ande. Results from penetration testing exercises.Added: January 2022RM-3.1.5
The Board must ensure that the cyber security risk management framework is evaluated for scope of coverage, adequacy and effectiveness every three years or when there are significant changes to the risk environment, taking into account emerging cyber threats and cyber security controls.
Added: January 2022RM-3.1.6
Licensees must have in place arrangements to handle cyber security risk management responsibilities.Licensees may, commensurate with their size and risk profile, assign the responsibilities to a qualified Chief Information Security Officer (CISO) reporting to an independent risk management function or incorporate the responsibilities of cyber security risk into the risk management function.Overseas licensees must be governed under a framework of cyber security risk management policies which ensure that an adequate level of oversight is exercised by the regional office or head office.Added: January 2022RM-3.1.7
Licensees should ensure that appropriate resources are allocated to the cyber security risk management function for implementing the cyber security framework.Added: January 2022RM-3.1.8
Licensees must ensure that the cyber security risk management function is headed by suitably qualified Chief Information Security Officer (CISO), with appropriate authority to implement the Cyber Security strategy.Added: January 2022RM-3.1.9
Licensees may establish a cyber security committee that is headed by an independent senior manager from a control function (like CFO / CRO), with appropriate authority to approve policies and frameworks needed to implement the cyber security strategy, and act as a governance committee for the cyber security function. Membership of this committee should include senior management members from business functions, IT, Risk and Compliance.Added: January 2022RM-3.1.10
The
senior management must be responsible for the following activities:(a) Create the overall cyber security risk management framework and adequately oversee its implementation;(b) Formulate an organisation-wide cyber security strategy and cyber security policy;(c) Implement and consistently maintain an integrated, organisation-wide, cyber security risk management framework, and ensure sufficient resource allocation;(d) Monitor the effectiveness of the implementation of cyber security risk management practices and coordinate cyber security activities with internal and external risk management entities;(e) Ensure that internal management reporting caters to cyber threats and cyber security risk treatment;(f) Prepare quarterly or more frequent reports on all cyber incidents (internal and external) and their implications on thelicensee ; and(g) Ensure that processes for identifying the cyber security risk levels across thelicensee are in place and annually evaluated.Added: January 2022RM-3.1.11
The
senior management must ensure that:(a) Thelicensee has identified clear internal ownership and classification for all information assets and data;(b) Thelicensee has maintained an inventory of the information assets and data which is reviewed and updated regularly;(c) The cyber security staff are adequate to manage thelicensee ’s cyber security risks and facilitate the performance and continuous improvement of all relevant cyber security controls;(d) It provides and requires cyber security staff to attend regular cyber security update and training sessions (for example Security+, CEH, CISSP, CISA, CISM, CCSP) to stay abreast of changing cyber security threats and countermeasures.Added: January 2022RM-3.1.12
With respect to Subparagraph RM-3.1.11(a), data classification entails analyzing the data the
licensee retains, determining its importance and value, and then assigning it to a category. When classifying data, the following aspects of the policy should be determined:a) Who has access to the data;b) How the data is secured;c) How long the data is retained (this includes backups);d) What method should be used to dispose of the data;e) Whether the data needs to be encrypted; andf) What use of the data is appropriate.The general guideline for data classification is that the definition of the classification should be clear enough so that it is easy to determine how to classify the data. In other words, there should be little (if any) overlap in the classification definitions. The owner of data (i.e. the relevant business function) should be involved in such classification.
Added: January 2022Cyber Security Strategy
RM-3.1.13
An organisation-wide cyber security strategy must be defined and documented to include:
(a) The position and importance of cyber security at thelicensee ;(b) The primary cyber security threats and challenges facing thelicensee ;(c) Thelicensee ’s approach to cyber security risk management;(d) The key elements of the cyber security strategy including objectives, principles of operation and implementation approach;(e) Scope of risk identification and assessment, which must include the dependencies on third party service providers;(f) Approach to planning response and recovery activities; and(g) Approach to communication with internal and external stakeholders including sharing of information on identified threats and other intelligence among industry participants.Added: January 2022RM-3.1.14
The cyber security strategy should be communicated to the relevant stakeholders and it should be revised as necessary and, at least, once every three years. Appendix A provides cyber security control guidelines that can be used as reference to support the
licensee ’s cyber security strategy and cyber security policy.Added: January 2022Cyber Security Policy
RM-3.1.15
Licensees must implement a written cyber security policy setting forth its policies for the protection of its electronic systems and client data stored on those systems, which must be reviewed and approved by thelicensee’s senior management, as appropriate, at least annually. The cyber security policy areas including but not limited to the following must be addressed:(a) Definition of the key cyber security activities within thelicensee , the roles, responsibilities, delegated powers and accountability for these activities;(b) A statement of thelicensee ’s overall cyber risk tolerance as aligned with thelicensee ’s business strategy. The cyber risk tolerance statement should be developed through consideration of the various impacts of cyber threats including customer impact, service downtime, potential negative media publicity, potential regulatory penalties, financial loss, and others;(c) Definition of main cyber security processes and measures and the approach to control and assessment;(d) Policies and procedures (including process flow diagrams) for all relevant cyber security functions and controls including the following:(a) Asset management (Hardware and software);(b) Incident management (Detection and response);(c) Vulnerability management;(d) Configuration management;(e) Access management;(f) Third party management;(g) Secure application development;(h) Secure change management;(i) Cyber training and awareness;(j) Cyber resilience (business continuity and disaster planning); and(k) Secure network architecture.Added: January 2022Approach, Tools and Methodology
RM-3.1.16
Licensees must ensure that the cyber security policy is effectively implemented through a consistent risk-based approach using tools and methodologies that are commensurate with the size and risk profile of thelicensee . The approach, tools and methodologies must cover all cyber security functions and controls defined in the cyber security policy.Added: January 2022RM-3.1.17
Licensees should establish and maintain plans, policies, procedures, process and tools (“playbooks”) that provide well-defined, organised approaches for cyber incident response and recovery activities, including criteria for activating the measures set out in the plans and playbooks to expedite thelicensee’s response time. Plans and playbooks should be developed in consultation with business lines to ensure business recovery objectives are met and are approved by senior management before broadly shared across thelicensee . They should be reviewed and updated regularly to incorporate improvements and/or changes in thelicensee .Licensees may enlist external subject matter experts to review complex and technical content in the playbook, where appropriate. A number of plans and playbooks should be developed for specific purposes (e.g. response, recovery, contingency, communication) that align with the overall cyber security strategy.Added: January 2022Prevention Controls
RM-3.1.18
A
Licensee must develop and implement preventive measures across all relevant technologies to minimise thelicensee ’s exposure to cyber security risk. Such preventive measures must include, at a minimum, the following:(a) Deployment of End Point Protection (EPP) and Endpoint Detection and Response (EDR) including anti-virus software and anti-malware programs to detect, prevent, and isolate malicious code;(b) Use of firewalls for network segmentation including use of Web Application Firewalls (WAF) where relevant, for filtering and monitoring HTTP traffic between a web application and the Internet, and access control lists to limit unauthorized system access between network segments;(c) Rigorous security testing at software development stage as well as after deployment to limit the number of vulnerabilities;(d) Use of a secure email gateway to limit email based cyber attacks such as malware attachments, malicious links, and phishing scams (for example use of Microsoft Office 365 Advanced Threat Protection tools for emails);(e) Use of a Secure Web Gateway to limit browser based cyber-attacks, malicious websites and enforce organization policies;(f) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on the organization’s systems; and(g) Implementing Bring Your Own Device “BYOD” security policies to secure all mobile devices with any access tolicensee systems, applications, and networks through security measures such as encryption, remote wipe capabilities, and password enforcement.Added: January 2022RM-3.1.19
Licensees should also implement the following prevention controls in the following areas:(a) Data leakage prevention to detect and prevent confidential data from leaving the licensee’s technology environment;(b) Controls or solutions to secure, control, manage and monitor privileged access to critical assets, (e.g. Privileged Access Management (PAM);(c) Controls to secure physical network ports against connection to computers which are unauthorised to connect to thelicensee’s network or which do not meet the minimum-security requirements defined forlicensee computer systems (e.g. Network access control); and(d) Identity and access management controls to limit the exploitation and monitor the use of privileged and non-privileged accounts.Added: January 2022RM-3.1.20
Licensees must set up anti-spam and anti-spoofing measures to authenticate thelicensee ’s mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorized to send the email. Examples of such measures include:• SPF “Sender Policy Framework”;• DKIM “Domain Keys Identified Mail”; and• DMARC “Domain-based Message Authentication, Reporting and Conformance”.Added: January 2022RM-3.1.21
Licensees should subscribe to one of the Cyber Threat Intelligence services in order to stay abreast of emerging cyber threats, cybercrime actors and state of the art tools and security measures.Added: January 2022RM-3.1.22
Licensees must use a single unified private email domain or its subdomains for communication with customers to prevent abuse by third parties.Licensees must not utilise third-party email provider domains for communication with customers. The email domains must comply with the requirements with respect to SPF, DKIM and DMARC in this Module. With respect to URLs or other clickable links in communications with customers,licensees must comply with the following requirements:(a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of customer request or action. Examples of such customer actions include verification links for customer onboarding, payment links for customer-initiated transactions etc;(b) Refrain from using shortened links in communication with customers;(c) Implement one or more of the following measures for links sent to customers:i. ensure customers receive clear instructions in communications sent with the links;ii. prior notification to the customer such as through a phone call informing the customer to expect a link from thelicensee ;iii. provision of transaction details such as the transaction amount and merchant name in the message sent to the customer with the link;iv. use of other verification measures like password or biometric authentication; and(d) Create customer awareness campaigns to educate their customers on the risk of fraud related to links they receive in SMS, short messages and emails with clear instructions to customers thatlicensees will not send clickable links in SMS, emails and other short messages to request information or payments unless it is as a result of customer request or action.Amended: October 2022
Added: January 2022RM-3.1.22A
For the purpose of Paragraph RM-3.1.22, subject to CBB’s approval,
licensees may be allowed to use additional domains for email communications with customers under certain circumstances. Examples of such circumstances include emails sent to customers by:(a) Head/regional office of alicensee ; and(b) Third-party service providers subject to prior arrangements being made with customers. Examples of such third-party services include informational subscription services (e.g. Bloomberg) and document management services (e.g. DocuSign).Added: October 2022Cyber Risk Identification and Assessments
RM-3.1.23
Licensees must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing current cyber threats relevant to thelicensee , it should take into account the factors detailed below:(a) Cyber threat entities including cyber criminals, cyber activists, insider threats;(b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;(c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;(d) Dark web surveillance to identify any plot for cyber attacks;(e) Examples of cyber threats from past cyber attacks on thelicensee if available; and(f) Examples of cyber threats from recent cyber attacks on other organisations.Added: January 2022RM-3.1.24
Licensees must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. Cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood and probability of a successful attack.Added: January 2022RM-3.1.25
Licensees should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above thelicensee ’s risk tolerance levels.Added: January 2022RM-3.1.26
Licensees must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Assessments for external public facing services and systems must be more frequent.Added: January 2022RM-3.1.27
With respect to Paragraph RM-3.1.25, external technology refers to the
licensee ’s public facing technology such as websites, apps and external servers. Connections with third parties includes any API or other connections with fintech companies, technology providers, outsourcing service providers etc.Added: January 2022RM-3.1.28
Licensees must have in place vulnerability and patch management processes which include remediation processes to ensure that the vulnerabilities identified are addressed and that security patches are applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.Added: January 2022RM-3.1.29
All
licensees must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least once a year. However, licensees that provide services through digital channels must perform penetrating testing at least twice a year. These tests must be used to simulate real world cyber-attacks on the technology environment and must:(a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;(b) Include both Grey Box and Black Box testing in its scope;(c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;(d) Be performed by internal and external independent third parties which should be changed at least every two years; and(e) Be performed on either the production environment or on non-production exact replicas of the production environment.Added: January 2022RM-3.1.30
CBB may require additional third-party security reviews to be performed as needed.
Added: January 2022RM-3.1.31
The tests referred to in Paragraph RM-3.1.59 must be conducted each year in June and December. Reports on penetration testing must be submitted to CBB before 30th September for the tests as at 30th June and 31st March for the tests as at 31st December. The penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests together with the steps taken to mitigate the risks identified.
Added: January 2022Cyber Incident Detection and Management
RM-3.1.32
Licensees must implement cyber security incident management processes to ensure timely detection, response and recovery for cyber security incidents. This includes implementing a monitoring system for log correlation and anomaly detection.Added: January 2022RM-3.1.33
Licensees should receive data on a real time basis from all relevant systems, applications, and network devices including operational and business systems. The monitoring system should be capable of identifying indicators of cyber incidents and initiate alerts, reports, and response activities based on the defined cyber security incident management process.Added: January 2022RM-3.1.34
Licensees should retain the logs and other information from the monitoring system for detecting cyber incidents, including "low-and-slow" attacks, in order to facilitate incident investigations, for 12 months or longer.Added: January 2022RM-3.1.35
Once a cyber incident is detected,
licensees should activate their containment measures, processes and technologies best suited to each type of cyber incident to prevent a cyber incident from inflicting further damage. This may involve, after considering the costs, business impact and operational risks, shutting down or isolating all or affected parts of their systems and networks as deemed necessary for containment and diagnosis.Added: January 2022RM-3.1.36
Licensees must define roles and responsibilities and assign adequate resources to detect, identify, investigate and respond to cyber incidents that could impact the licensee’s infrastructure, services and customers. Such responsibilities must include log correlation, anomaly detection and maintaining thelicensee ’s asset inventory and network diagrams.Added: January 2022RM-3.1.37
Licensees must regularly identify, test, review and update current cyber security risk scenarios and the corresponding response plan. This is to ensure that the scenarios and response plan remain relevant and effective, taking into account changes in the operating environment, systems or the emergence of new cyber security threats. If any gaps are identified, the monitoring system must be updated with new use cases and rule sets which are capable of detecting the current cyber incident scenarios.Added: January 2022RM-3.1.38
The cyber incident scenario tests should include high-impact-low-probability events and scenarios that may result in failure. Common cyber incident scenarios include distributed denial of service (DDoS) attacks, system intrusion, data exfiltration and system disruption.
Licensees should regularly use threat intelligence to update the scenarios so that they remain current and relevant.Licensees should periodically review current cyber incident scenarios for the purpose of assessing the licensee’s ability to detect and respond to these scenarios if they were to occur.Added: January 2022RM-3.1.39
Licensees must ensure that critical cyber security incidents detected are escalated to an incident response team, management and the Board, in accordance with thelicensee ’s business continuity plan and crisis management plan, and that an appropriate response is implemented promptly. See also Paragraph RM-3.1.58 for the requirement to report to CBB.Added: January 2022RM-3.1.40
Licensees should clearly define the roles, responsibilities and accountabilities for cyber incident detection and response activities to one or more named individuals that meet the pre-requisite role requirements. Potential conflicts of interest are minimised by ensuring a separation of implementation and oversight roles where possible. The roles should include:• Incident Owner: An individual that is responsible for handling the overall cyber incident detection and response activities according to the incident type and services affected. The Incident Owner is delegated appropriate authority to manage the mitigation or preferably, removal of all impacts due to the incident.• Spokesperson: An individual, from External Communications Unit or another suitable department, that is responsible for managing the communications strategy by consolidating relevant information and views from subject matter experts and thelicensee’s management to update the internal and external stakeholders with consistent information.• Record Keeper: An individual that is responsible for maintaining an accurate record of the cyber incident throughout its different phases, as well as documenting actions and decisions taken during and after a cyber incident. The record serves as an accurate source of reference for after-action reviews to improve future cyber incident detection and response activities.Added: January 2022RM-3.1.41
For the purpose of managing a critical cyber incident, the licensee should operate a situation room, and should include in the incident management procedure a definition of the authorities and responsibilities of staff members, internal and external reporting lines, communication channels, tools and detailed working procedures. The situation room or a war room is a physical room or a virtual room where relevant members of the management gather to handle a crisis in the most efficient manner possible.
Added: January 2022RM-3.1.42
Licensees should record and document in an orderly manner the incidents that have been handled and the actions that were taken by the relevant functions. In particular, thelicensee should maintain an "incident log" in which all the notifications, decisions and actions taken, in relation to cyber incidents, are documented, as close as possible to the time of their occurrence. It should also include the status of the issue whether it is open or has been resolved and person in charge of resolving the issue/incident. The logs should be stored and preserved in a secure and legally admissible manner.Added: January 2022RM-3.1.43
Licensees should utilise pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions; and a pre-established severity assessment framework to help gauge the severity of the cyber incident. For example, taxonomies that can be used when describing cyber incidents:(a) Describe the cause of the cyber incident (e.g. process failure, system failure, human error, external event, malicious action)(b) Describe whether the cyber incident due to a third-party service provider(c) Describe the attack vector (e.g. malware, virus, worm, malicious hyperlink)(d) Describe the delivery channel used (e.g. e-mail, web browser, removable storage media)(e) Describe the impact (e.g. service degradation/disruption, service downtime, potential impact to customers, data leakage, unavailability of data, data destruction/corruption, tarnishing of reputation)(f) Describe the type of incident (e.g. zero-day attack, exploiting a known vulnerability, isolated incident)(g) Describe the intent (e.g. malicious, theft, monetary gain, fraud, political, espionage, opportunistic)(h) Describe the threat actor (e.g. script kiddies, amateur, criminal syndicate, hacktivist, nation state)The cyber incident severity may be classified as:
(a) Severity 1 incident has or will cause a serious disruption or degradation of critical service(s) and there is potentially high impact on public confidence in thelicensee .(b) Severity 2 incident has or will cause some degradation of critical services and there is medium impact on public confidence in thelicensee .(c) Severity 3 incident has little or no impact to critical services and there is no visible impact on public confidence in thelicensee .Added: January 2022RM-3.1.44
Licensees should determine the effects of the cyber incident on customers and to the wider financial system as a whole and report the results of such an assessment to CBB if it is determined that the cyber incident may have a systemic impact.Added: January 2022RM-3.1.45
Licensees should establish metrics to measure the impact of a cyber incident and to report to management the performance of response activities. Examples include:1. Metrics to measure impact of a cyber incident(a) Duration of unavailability of critical functions and services(b) Number of stolen records or affected accounts(c) Volume of customers impacted(d) Amount of lost revenue due to business downtime, including both existing and future business opportunities(e) Percentage of service level agreements breached2. Performance metrics for incident management(a) Volume of incidents detected and responded via automation(b) Dwell time (i.e. the duration a threat actor has undetected access until completely removed)(c) Recovery Point objectives (RPO) and recovery time objectives (RTO) satisfiedAdded: January 2022Recovery
RM-3.1.46
Licensees must identify the critical systems and services within its operating environment that must be recovered on a priority basis in order to provide certain minimum level of services during the downtime and determine how much time thelicensee will require to return to full service and operations.Added: January 2022RM-3.1.47 RM-3.1.47
Critical incidents are defined as incidents that trigger the BCP and the crisis management plan. Critical systems and services are those whose failure can have material impact on any of the following elements:
a) Financial situation;b) Reputation;c) Regulatory, legal and contractual obligations; andd) Operational aspects and delivery of key products and services.Added: January 2022RM-3.1.48
Licensees must define a program for recovery activities for timely restoration of any capabilities or services that were impaired due to a cyber security incident.Licensees must establish recovery time objectives (“RTOs”), i.e. the time in which the intended process is to be covered, and recovery point objectives (“RPOs”), i.e. point to which information used must be restored to enable the activity to operate on resumption”.Licensees must also consider the need for communication with third party service providers, customers and other relevant external stakeholders as may be necessary.Added: January 2022RM-3.1.49
Licensees must ensure that all critical systems are able to recover from a cyber security breach within thelicensee ’s defined RTO in order to provide important services or some level of minimum services for a temporary period of time.Added: January 2022RM-3.1.50
Licensees should validate that recovered assets are free of compromise, fully functional and meet the security requirements before returning the systems to normal business operations. This includes performing checks on data to ensure data integrity. In some caseslicensees may need to use backup data kept in a disaster recovery site or plan for the reconstruction of data from external stakeholders such as business partners and customers.Added: January 2022RM-3.1.51
Licensees must define a program for exercising the various response mechanisms, taking into account the various types of exercises such as attack simulations, "war games" and "table top" exercises, and with reference to the relevant stakeholders such as technical staff, crisis management team, decision-makers and spokespersons.Added: January 2022RM-3.1.52
Licensees must define the mechanisms for ensuring accurate, timely and actionable communication of cyber incident response and recovery activities with the internal stakeholders, including to the board or designated committee of the board.Added: January 2022RM-3.1.53
Licensee must ensure its business continuity plan is comprehensive and includes a recovery plan for its systems, operations and services arising from a cyber security incident.Added: January 2022Cyber Security Insurance
Training and Awareness
RM-3.1.54 RM-3.1.54
Licensees must arrange to seek cyber risk insurance cover from a suitable insurer, following a risk-based assessment of cyber security risk is undertaken by the respectivelicensee and independently verified by the insurance company. The insurance policy may include some or all of the following types of coverage, depending on the risk assessment outcomes:(a) Crisis management expenses, such as costs of notifying affected parties, costs of forensic investigation, costs incurred to determine the existence or cause of a breach, regulatory compliance costs, costs to analyse the insured’s legal response obligations;(b) Claim expenses such as costs of defending lawsuits, judgments and settlements, and costs of responding to regulatory investigations; and(c) Policy also provides coverage for a variety of torts, including invasion of privacy or copyright infringement. First-party coverages may include lost revenue due to interruption of data systems resulting from a cyber or denial of service attack and other costs associated with the loss of data collected by the insured.Added: January 2022RM-3.1.55
Licensees must evaluate improvement in the level of awareness and preparedness to deal with cyber security risk to ensure the effectiveness of the training programmes implemented.Added: January 2022RM-3.1.56
The
licensee must ensure that all employees receive adequate training on a regular basis, in relation to cyber security and the threats they could encounter, such as through testing employee reactions to simulated cyber-attack scenarios. All relevant employees must be informed on the current cyber security breaches and threats. Additional training should be provided to ‘higher risk staff’.Added: January 2022RM-3.1.57
The
licensees must ensure that role specific cyber security training is provided on a regular basis to relevant staff including:(a) Executive board and senior management;(b) Cyber security roles;(c) IT staff; and(d) Any high-risk staff as determined by thelicensee .Added: January 2022Reporting to CBB
RM-3.1.58
Upon occurrence or detection of any cyber security incident, whether internal or external, that compromises customer information or disrupts critical services that affect operations,
licensees must contact the CBB, immediately (within one hour), on 17547477 and submit Section A of the Cyber Security Incident Report (Appendix RM-1) to CBB’s cyber incident reporting email, incident.Moneychanger@cbb.gov.bh, within two hours.Amended: April 2022
Added: January 2022RM-3.1.59
Following the submission referred to in Paragraph RM-3.1.58, the
licensee must submit to CBB Section B of the Cyber Security Incident Report (Appendix RM-1) within 10 calendar days of the occurrence of the cyber security incident.Licensees must include all relevant details in the report, including the full root cause analysis of the cyber security incident, its impact on the business operations and customers, and all measures taken by the licensee to stop the attack, mitigate its impact and to ensure that similar events do not recur. In addition, a weekly progress update must be submitted to CBB until the incident is fully resolved.Amended: April 2022
Added: January 2022RM-3.1.60
With regards to the submission requirement mentioned in Paragraph RM-3.1.59, the licensee should submit the report with as much information as possible even if all the details have not been obtained yet.
Added: January 2022RM-3.1.61
The penetration testing report as per Paragraph RM-3.1.29, along with the steps taken to mitigate the risks must be maintained by the
licensee for a five year period from the date of the report and must be provided to CBB within three months following the end of the month where the testing took place, i.e. for a June test, the report must be submitted at the latest by 30th September and for a December test, by 31st March.Amended: April 2022
Added: January 2022Appendix A – Cyber Security Control Guidelines
The Control Guidelines consists of five Core tasks which are defined below. These Functions are not intended to form a serial path or lead to a static desired end state. Rather, the Functions should be performed concurrently and continuously to form an operational culture that addresses the dynamic cyber security risk.
Identify – Develop an organisation-wide understanding to manage cyber security risk to systems, people, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Cyber Security Risk Management Framework. Understanding the business context, the resources that support critical functions, and the related cyber security risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cyber security incident.
Detect – Develop and implement appropriate activities to identify the occurrence of a cyber security incident. The Detect Function enables timely discovery of cyber security events.
Respond – Develop and implement appropriate activities to take action regarding a detected cyber security incident. The Respond Function supports the ability to contain the impact of a potential cyber security incident.
Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cyber security incident.
Below is a listing of the specific cyber security activities that are common across all critical infrastructure sectors:
IDENTIFY
Asset Management: The data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the licensee’s risk strategy.
1. Physical devices and systems within the licensee are inventoried.2. Software platforms and applications within the licensee are inventoried.3. Communication and data flows are mapped.4. External information systems are catalogued.5. Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.6. Cyber security roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.Business Environment: The licensee’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cyber security roles, responsibilities, and risk management decisions.
1. Priorities for the licensee’s mission, objectives, and activities are established and communicated.2. Dependencies and critical functions for delivery of critical services are established.3. Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations).Governance: The policies, procedures, and processes to manage and monitor the licensee’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cyber security risk.
1. licensee’s cyber security policy is established and communicated.2. Cyber security roles and responsibilities are coordinated and aligned with internal roles and external partners.3. Legal and regulatory requirements regarding cyber security, including privacy and civil liberties obligations, are understood and managed.4. Governance and risk management processes address cyber security risks.Risk Assessment: The licensee understands the cyber security risk to licensee’s operations (including mission, functions, image, or reputation), licensee’s assets, and individuals.
1. Asset vulnerabilities are identified and documented.2. Cyber threat intelligence is received from information sharing forums and sources.3. Threats, both internal and external, are identified and documented.4. Potential business impacts and likelihoods are identified.5. Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.6. Risk responses are identified and prioritized.Risk Management Strategy: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
1. Risk management processes are established, managed, and agreed to by licensee’s stakeholders.2. The licensee’s risk tolerance is determined and clearly expressed.3. The licensee’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.Third Party Risk Management: The licensee’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing third party risk. The licensee has established and implemented the processes to identify, assess and manage supply chain risks.
1. Cyber third-party risk management processes are identified, established, assessed, managed, and agreed to by the licensee’s stakeholders.2. Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber third-party risk assessment process.3. Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of a licensee’s cyber security program.4. Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.5. Response and recovery planning and testing are conducted with suppliers and third-party providers.PROTECT
Identity Management, Authentication and Access Control: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
1. Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.2. Physical access to assets is managed and protected.3. Remote access is managed.4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties5. Network integrity is protected (e.g., network segregation, network segmentation).6. Identities are proofed and bound to credentials and asserted in interactions7. Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).Awareness and Training: The licensee’s personnel and partners are provided cyber security awareness education and are trained to perform their cyber security-related duties and responsibilities consistent with related policies, procedures, and agreements.
1. All users are informed and trained on a regular basis.2. Licensee’s security awareness programs are updated at least annually to address new technologies, threats, standards, and business requirements.3. Privileged users understand their roles and responsibilities.4. Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.5. The Board and senior management understand their roles and responsibilities.6. Physical and cyber security personnel understand their roles and responsibilities.7. Software development personnel receive training in writing secure code for their specific development environment and responsibilities.Data Security: Information and records (data) are managed consistent with the licensee’s risk strategy to protect the confidentiality, integrity, and availability of information.
1. Data-at-rest classified as critical or confidential is protected through strong encryption.2. Data-in-transit classified as critical or confidential is protected through strong encryption.3. Assets are formally managed throughout removal, transfers, and disposition4. Adequate capacity to ensure availability is maintained.5. Protections against data leaks are implemented.6. Integrity checking mechanisms are used to verify software, firmware, and information integrity.7. The development and testing environment(s) are separate from the production environment.8. Integrity checking mechanisms are used to verify hardware integrity.Information Protection Processes and Procedures: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational units), processes, and procedures are maintained and used to manage protection of information systems and assets.
1. A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).2. A System Development Life Cycle to manage systems is implemented3. Configuration change control processes are in place.4. Backups of information are conducted, maintained, and tested.5. Policy and regulations regarding the physical operating environment for licensee’s assets are met.6. Data is destroyed according to policy.7. Protection processes are improved.8. Effectiveness of protection technologies is shared.9. Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.10. Response and recovery plans are tested.11. Cyber security is included in human resources practices (e.g., deprovisioning, personnel screening).12. A vulnerability management plan is developed and implemented.Maintenance: Maintenance and repairs of information system components are performed consistent with policies and procedures.
1. Maintenance and repair of licensee’s assets are performed and logged, with approved and controlled tools.2. Remote maintenance of licensee’s assets is approved, logged, and performed in a manner that prevents unauthorized access.Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
1. Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.2. Removable media is protected and its use restricted according to policy.3. The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.4. Communications and control networks are protected.5. Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.DETECT
Anomalies and Events: Anomalous activity is detected and the potential impact of events is understood.
1. A baseline of network operations and expected data flows for users and systems is established and managed.2. Detected events are analyzed to understand attack targets and methods.3. Event data are collected and correlated from multiple sources and sensors4. Impact of events is determined.5. Incident alert thresholds are established.Security Continuous Monitoring: The information system and assets are monitored to identify cyber security events and verify the effectiveness of protective measures.
1. The network is monitored to detect potential cyber security events.2. The physical environment is monitored to detect potential cyber security events3. Personnel activity is monitored to detect potential cyber security events.4. Malicious code is detected.5. Unauthorized mobile code is detected.6. External service provider activity is monitored to detect potential cyber security events.7. Monitoring for unauthorized personnel, connections, devices, and software is performed.8. Vulnerability scans are performed at least quarterly.Detection Processes: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
1. Roles and responsibilities for detection are well defined to ensure accountability.2. Detection activities comply with all applicable requirements.3. Detection processes are tested.4. Event detection information is communicated.5. Detection processes are continuously improved.RESPOND
Response Planning: Response processes and procedures are executed and maintained, to ensure response to detected cyber security incidents. Response plan is executed during or after an incident.
Communications: Response activities are coordinated with internal and external stakeholders.
1. Personnel know their roles and order of operations when a response is needed.2. Incidents are reported consistent with established criteria.3. Information is shared consistent with response plans.4. Coordination with internal and external stakeholders occurs consistent with response plans.5. Voluntary information sharing occurs with external stakeholders to achieve broader cyber security situational awareness.6. Incident response exercises and scenarios across departments are conducted at least annually.Analysis: Analysis is conducted to ensure effective response and support recovery activities.
1. Notifications from detection systems are investigated.2. The impact of the incident is understood.3. Forensics are performed.4. Incidents are categorized consistent with response plans.5. Processes are established to receive, analyze and respond to vulnerabilities disclosed to the licensee from internal and external sources (e.g. internal testing, security bulletins, or security researchers).Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
1. Incidents are contained.2. Incidents are mitigated.3. Newly identified vulnerabilities are mitigated or documented as accepted risks.Improvements: The response activities are improved by incorporating lessons learned from current and previous detection/response activities.
1. Response plans incorporate lessons learned.2. Response strategies are updated.RECOVER
Recovery Planning: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cyber security incidents. Recovery plan is executed during or after a cyber security incident.
Improvements: Recovery planning and processes are improved by incorporating lessons learned into future activities.
1. Recovery plans incorporate lessons learned.2. Recovery strategies are updated.Communications: Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
1. Public relations are managed.2. Reputation is repaired after an incident.3. Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.Added: January 2022TC TC Money Changers Training and Competency Module
TC-A TC-A Introduction
TC-A.1 TC-A.1 Purpose
Executive Summary
TC-A.1.1
This Module presents requirements that have to be met by
licensees with respect to training and competency of individuals undertakingcontrolled functions (i.e.approved persons ).October 2010TC-A.1.2
Module TC provides Rules and Guidance to
licensees to ensure satisfactory levels of competence, in terms of an individual's knowledge, skills, experience, and professional qualifications.Licensees are required to demonstrate that individuals undertakingcontrolled functions are sufficiently competent, and are able to undertake their respective roles and responsibilities.October 2010TC-A.1.3
The Rules build upon Principles 3 and 10 of the Principles of Business (see Module PB (Principles of Business)). Principle 3 (Due Skill, Care and Diligence) requires
licensees to observe high standards of integrity and fair dealing, and to be honest and straightforward in its dealings with customers. Principle 9 (Adequate Resources) requireslicensees to maintain adequate human, financial and other resources sufficient to run its business in an orderly manner.October 2010TC-A.1.4
Condition 4 of the Central Bank of Bahrain's ('CBB') Licensing Conditions (Chapter AU-2.4) and Condition 1 of the Approved Persons regime (Chapter AU-3.1) impose further requirements. To satisfy Condition 4 of the CBB's Licensing Conditions, a
licensees' staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of thelicensee in a sound and prudent manner (AU-2.4). This condition specifies thatlicensees must ensure their employees meet any training and competency requirements specified by the CBB. Condition 1 of the Approved Persons Conditions (AU-3.1) sets forth the 'fit and proper' requirements in relation to competence, experience and expertise required byapproved persons .Amended: January 2011
October 2010Legal Basis
TC-A.1.5
This Module contains the CBB's Directive (as amended from time to time) relating to Training and Competency and is issued under the powers available to the CBB under Articles 38 and 65 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all
licensees (including theirapproved persons ). Requirements regardingMoney Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.Amended: January 2011
October 2010TC-A.1.6
For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.
October 2010TC-A.2 TC-A.2 Module History
Evolution of the Module
TC-A.2.1
This Module was first issued in October 2010. Any material changes that are subsequently made to this Module are annotated with the calendar quarter date in which the change is made; Chapter UG-3 provides further details on Rulebook maintenance and version control.
TC-A.2.2
A list of recent changes made to this Module is provided below:
Module Ref. Change Date Description of Changes TC-A.1.5 01/2011 Clarified legal basis. Superseded Requirements
TC-A.2.3
This Module does not replace any regulations or circulars in force prior to October 2010.
October 2010TC-B TC-B Scope of Application
TC-B.1 TC-B.1 Scope of Application
TC-B.1.1
This Module applies to all
Money Changer licensees authorised in the Kingdom, thereafter referred to in this Module aslicensees .October 2010TC-B.1.2
Persons authorised by the CBB as
approved persons prior to the issuance of Module TC need not reapply for authorisation.October 2010TC-B.1.3
The requirements of this Module apply to
approved persons holdingcontrolled functions :(a) Who are employed or appointed by thelicensees in connection with thelicensees' regulated activities, whether under a contract of service or for services or otherwise; or(b)Whose services, under an arrangement between thelicensee and a third party, are placed at the disposal and under the control of thelicensee. October 2010TC-B.1.4
Licensees must satisfy the CBB that individuals performing acontrolled function for it or on its behalf are suitable and competent to carry out thatcontrolled function .October 2010TC-B.1.5
In implementing this Module,
licensees must ensure that:(a) Individuals recruited by thelicensees to perform acontrolled function hold suitable qualifications and experience appropriate to the nature of the business;(b)Individuals performing acontrolled function remain competent for the work they do; and(c) Individuals performing acontrolled function are appropriately supervised.October 2010TC-1 TC-1 Recruitment and Assessing Competence
TC-1.1 TC-1.1 Recruitment and Appointments
TC-1.1.1
If a
licensee recruits an individual to undertake acontrolled function, it must satisfy itself, where appropriate, of such individual's relevant qualifications and experience.October 2010TC-1.1.2
A
licensee proposing to recruit an individual has to satisfy itself, of his/her relevant qualifications and experience. Thelicensee should:(a) Take into account the knowledge and skills required for the role, in addition to the nature and the level of complexity of thecontrolled function ; and(b) Take reasonable steps to obtain sufficient information about the individual's background, experience, training and qualifications.October 2010TC-1.1.3
Individuals occupying the following
controlled functions (refer to Paragraphs AU-1.2.5 to AU-1.2.10) at alicensee must be qualified and suitably experienced for their specific roles and responsibilities:(a)Director ;(b)Chief Executive orGeneral Manager ;(c)Head of function ;(d)Compliance officer ; and(e)Money Laundering Reporting Officer ('MLRO').October 2010TC-1.1.4
A
licensee must take reasonable steps to ensure that individuals holdingcontrolled functions are sufficiently knowledgeable about their respective fields of work to be able to guide and supervise operations that fall under their responsibilities. Competence must be assessed on the basis of experience and relevant qualifications described in Appendix TC-1 as a minimum. However, the CBB reserves the right to impose a higher level of qualifications as it deems necessary.October 2010Director
TC-1.1.5
As individuals,
directors of alicensee must hold professional qualifications and/or have relevant experience outlined in Appendix TC-1 as a minimum.October 2010TC-1.1.6
The role of the
director is to be accountable and responsible for the management and performance of thelicensee , and is outlined in more details in Section HC-1.1.October 2010TC-1.1.7
When taken as a whole, the board of
directors of alicencee must be able to demonstrate that it has the necessary expertise, as outlined in Paragraphs HC-1.2.4 and HC-1.2.5.October 2010Chief Executive or General Manager
TC-1.1.8
Individuals holding the position of
chief executive officer or equivalent at alicensee must hold relevant qualifications and relevant experience as outlined in Appendix TC-1 as a minimum.October 2010TC-1.1.9
The
chief executive officer orgeneral manager (as appropriate) is responsible for the executive management and performance of thelicensee within the framework or delegated authorities set by the Board.October 2010Head of Function
TC-1.1.10
Individuals holding the position of
head of function at alicensee must hold relevant professional qualifications and experience as outlined in Appendix TC-1 as a minimum.October 2010TC-1.1.11
Heads of functions are responsible for tracking specific functional performance goals in addition to identifying, managing, and reporting critical organisational issues upstream.October 2010Compliance Officer
TC-1.1.12
Individuals holding the position of
compliance officer at alicensee must hold relevant experience and qualifications as outlined in Appendix TC-1 as a minimum.October 2010TC-1.1.13
In accordance with Paragraph HC-2.4.3, an employee of appropriate standing must be designated by
licensees for the position ofcompliance officer . The duties of thecompliance officer include:(a)Having responsibility for oversight of thelicensee's compliance with the requirements of the CBB; and(b)Reporting to thelicensee's Board in respect of that responsibility.October 2010Money Laundering Reporting Officer (MLRO)
TC-1.1.14
Individuals holding the position of MLRO at a
licensee , whose attributes and responsibilities are described more fully in Paragraphs FC-4.1.7 and FC-4.2.1, must hold relevant qualifications as outlined in Appendix TC-1 as a minimum.October 2010TC-1.2 TC-1.2 Assessing Competence
TC-1.2.1
Licensees must not allow an individual to undertake or supervisecontrolled functions unless that individual has been assessed by thelicensee as competent in accordance with this Section.October 2010TC-1.2.2
In the case of new personnel, the
licensees should ensure that they work under proper supervision. Where a person is working towards attaining a level of competence, they should be supervised by a competent person until they can demonstrate the appropriate level of competence. It is thelicensees's responsibility to ensure that such arrangements are in place and working successfully.October 2010TC-1.2.3
In determining an individual's competence,
licensees may assess if the person is fit and proper in accordance with Chapter AU-3.October 2010TC-1.2.4
Licensees will assess individuals as competent when they have demonstrated the ability to apply the knowledge and skills required to perform a specificcontrolled function without supervision.October 2010TC-1.2.5
The assessment of competence will be dependent on the nature and the level of complexity of the
controlled function . Such assessment of competence of new personnel may take into account the fact that an individual has been previously assessed as competent in a similarcontrolled function with anotherlicensee .October 2010TC-1.2.6
If a
licensee assesses an individual as competent in accordance with TC-1.2.4 to perform a specificcontrolled function it does not necessarily mean that the individual is competent to undertake othercontrolled functions .October 2010TC-1.2.7
A firm should use methods of assessment that are appropriate to the
controlled function and to the individual's role.October 2010TC-2 TC-2 Training and Maintaining Competence
TC-2.1 TC-2.1 Training and Supervision
TC-2.1.1
A
licensee must annually determine the training needs of individuals undertakingcontrolled functions . It must develop a training plan to address these needs and ensure that training is planned, appropriately structured and evaluated.October 2010TC-2.1.2
The assessment and training plan described in Paragraph TC-2.1.1 should be aimed at ensuring that the relevant
approved person maintains competence in thecontrolled function . Training does not necessarily just imply attendance of courses. An individual can develop skills and gain experience in a variety of ways. These could include on the job learning, individual study, and other methods. In almost every situation, and for most individuals, it is likely that competence will be developed most effectively by a mixture of training methods.October 2010TC-2.1.3
The training plan of
licensees must include a programme for continuous professional development training ("CPD ") for their personnel.October 2010TC-2.1.4
Approved persons may choose to fulfil theirCPD requirements by attending courses and seminars at local or foreign training institutions.October 2010TC-2.1.5
The annual training needs assessment required under Paragraph TC-2.1.1 must also consider quarterly updates, if any, to the CBB Volume 5 (Specialised Licensees) Rulebook, in areas relevant to each
controlled function .October 2010TC-2.1.6
Individuals holding the
controlled functions ofcompliance officer and MLRO at alicensee must undergo a minimum of 15 hours ofCPD per annum.October 2010TC-2.1.7
A
licensee should ensure that anapproved person undertaking acontrolled function undergoes appropriate review and assessment of performance.October 2010TC-2.1.8
The level of review and assessment should be proportionate to the level of competence demonstrated by the
approved person . Review and assessment should take place on a regular basis and include coaching and assessing performance against the competencies necessary for the role.October 2010TC-2.1.9
Assessors of
approved persons should have technical knowledge and relevant skills, e.g. coaching and assessment skills.October 2010TC-2.2 TC-2.2 Maintaining Competence
TC-2.2.1
A
licensee must make appropriate arrangements to ensure thatapproved persons maintain competence.October 2010TC-2.2.2
A
licensee should ensure that maintaining competence for anapproved person takes into account:(a) Application of technical knowledge;(b) Application and development of skills; and(c) Any market changes and changes to products, legislation and regulation.October 2010TC-2.2.3
A
licensee may utilise theCPD schemes of relevant professional bodies to demonstrate compliance with TC-2.2.1. In-house training, seminars, conferences, further qualifications, product presentations, computer-based training and one-to-one tuition may also be considered to demonstrate compliance with TC-2.2.1.October 2010TC-3 TC-3 Record Keeping
TC-3.1 TC-3.1 Record Keeping
TC-3.1.1
A
licensee must make and retain records of its recruitment procedures. Such procedures should be designed to adequately take into account proof of the candidates' knowledge and skills and their previous activities and training.October 2010TC-3.1.2
The recruitment record keeping procedure should include, but is not limited to, the following:
(a) Results of the initial screening;(b) Results of any employment tests;(c) Results and details of any interviews conducted;(d) Background and references checks; and(e) Details of any professional qualifications.October 2010TC-3.1.3
A
licensee should make and retain updated records of:(a)The criteria applied in assessing the ongoing and continuing competence;(b)How and when the competence decision was arrived at;(c)The annual assessment of competence; and(d)Record ofCPD hours undertaken by eachapproved person .October 2010TC-3.1.4
A
licensee should make and retain records of:(a)The annual training plan for allcontrolled functions ;(b)Materials used to conduct in-house training courses;(c)List of participants attending such in-house training courses; and(d)Results of evaluations conducted at the end of such training courses.October 2010TC-3.1.5
Licensees should maintain appropriate training records for each individual.Licensees should note how the relevant training relates to and supports the individual's role. Training records may be reviewed during supervisory visits to assess thelicensee's systems and to review how thelicensee ensures that its staff are competent and remain competent for their roles.October 2010TC-4 TC-4 Transitional Provisions
TC-4.1 TC-4.1 Transitional Period
TC-4.1.1
The requirements of Module TC for
licensees are effective 31st December 2010.October 2010TC-4.1.2
Where
approved persons holdingcontrolled functions are occupying positions within thelicensee and do not meet the qualifications and core competencies outlined in Appendix TC-1 at the time of the issuance of Module TC, thelicensee must ensure that such individuals will meet the requirements of Module TC by 31st December 2011 at the latest.October 2010Appendices: Appendix TC-1
Qualifications and Core Competencies of Controlled Functions
Role Core Competencies How can competence be demonstrated? Director Directors should have: (a) Experience to demonstrate sound business decision-making; and(b) A good understanding of the industry and its regulatory environment.This person should be experienced in the industry. Competence could be demonstrated by: (a) Holding a relevant professional qualification; or(b) A minimum length of service (at least 5 years at director or senior management level) in the financial industry.Chief Executive or General Manager These roles require: (a) A clear understanding of the role and responsibilities associated with this position;(b) A good understanding of thelicensee 's business, the broader industry and its regulatory environment; and(c) The relevant experience and qualifications associated with any executive responsibilities.This person should be experienced in the industry. Competence could be demonstrated by: (a) Holding a relevant professional qualification; or(b) A minimum length of service (at least 5 years at a relatively senior position) in the financial industry.Head of Function This role requires: (a) A clear understanding of the role and responsibilities associated with the relevant function;(b) A good understanding of thelicensee 's business, the broader industry and its regulatory environment; and(c) The relevant experience and qualifications to fulfill their responsibilities.A senior manager responsible for a specialist function should demonstrate the competencies required for that role. (a) The person must have area specific experience/qualifications as required for head of function. These include accounting qualifications for financial managers, Bachelors degree in banking or finance, MBA, etc. and/or(b) The head of function should have at least 5 years of experience in the industry and will typically hold, or be working towards, a relevant professional qualification as appropriate to the controlled function.Compliance Officer A Compliance Officer should: (a) Have the ability and experience to take responsibility for implementing and maintaining compliance policies;(b) Have the appropriate level of experience to demonstrate independence from other functions within thelicensee ; and(c) Have a thorough understanding of the industry and the applicable regulatory framework.The level of required competence varies based on the scope, magnitude and complexity of thelicensee .The person should have a minimum of 2 years of relevant experience in a compliance function of a financial institution.
Additional relevant certifications may include:(a) Diploma in International Compliance offered by the International Compliance Association; and/or(b) Other relevant professional qualification.Money
Laundering
Reporting
Officer
(MLRO)The MLRO should: (a) Understand the business and how the Anti Money Laundering framework applies thereto; and(b) Have the appropriate level of experience to demonstrate independence from staff of thelicensee dealing directly withcustomers .An MLRO will typically hold a relevant professional qualification and / or a qualification related to the financial activities. These may include: (a) Certified Anti-Money Laundering Specialist Examination (ACAMS);(b) Other relevant MLRO programs; and/or(c) Diploma in International Compliance offered by the International Compliance Association.Additionally, he must have undergone training in anti money laundering, in a recognized institute. The initial training must be for a period of 35 hours or more.
MLROs should have thorough knowledge of the financial institutions industry and be familiar with relevant international standards and applicable domestic regulatory requirements.October 2010
