• RM-A Introduction

    • RM-A.1 Purpose

      • Executive Summary

        • RM-A.1.1

          This Module contains requirements relating to the management of risk by licensees. It expands on certain high-level requirements contained in other Modules. In particular, Section AU-2.6 of Module AU (Authorisation) specifies requirements regarding systems and controls that have to be met as a license condition; Principle 10 of the Principles of Business (ref. PB-1.10) requires licensees to have systems and controls sufficient to manage the level of risk inherent in their business; and Module HC (High-level Controls) specifies various requirements relating to the role and composition of Boards, and related high-level controls.

          October 2010

        • RM-A.1.2

          This Module obliges licensees to recognise the range of risks that they face and the need to manage these effectively. Their risk management framework is expected to have the resources and tools to identify, monitor and control all material risks. The adequacy of a licensee's risk management framework is subject to the scale and complexity of its operations, however. In demonstrating compliance with certain Rules, licensees with very simple operational structures and business activities may need to implement less extensive or sophisticated risk management systems, compared to licensees with a complex and/or extensive customer base or operations.

          October 2010

      • Legal Basis

        • RM-A.1.3

          This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) regarding Risk Management requirements applicable to licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). Requirements regarding Money Changer Licensees are also included in the Regulation Organising Money Changing Business, issued in 1994 and included in this Module.

          Amended: January 2011
          October 2010

        • RM-A.1.4

          For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

          October 2010

    • RM-A.2 Module History

      • Evolution of the Module

        • RM-A.2.1

          This Module was first issued in October 2010. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

        • RM-A.2.2

          A list of recent changes made to this Module is provided below:

          | Module Ref. | Change Date | Description of Changes |
          |---|---|---|
          | RM-A.1.3 | 01/2011 | Clarified legal basis. |
          | RM-2.1.2 | 10/2017 | Amended Paragraph to allow the utilization of cloud services. |
          | RM-2.1.4A | 10/2017 | Added a new Paragraph on outsourcing requirements. |
          | RM-2.1.7 | 10/2017 | Amended Paragraph. |
          | RM-2.1.9 | 10/2017 | Amended Paragraph. |
          | RM-2.1.11 | 10/2017 | Amended Paragraph. |
          | RM-2.1.13 | 10/2017 | Added a new Paragraph on outsourcing. |
          | RM-2.1.15 | 10/2017 | Amended Paragraph. |
          | RM-2.2.9 | 10/2017 | Amended Paragraph. |
          | RM-2.2.15 | 10/2017 | Amended Paragraph. |
          | RM-2.2.16 | 10/2017 | Added a new Paragraph on security measures related to cloud services. |
          | RM-2.3.2 | 10/2017 | Amended Paragraph. |
          | RM-1.5.5 | 01/2021 | Added a new Paragraph on electronic fraud. |
          | RM-1.5.6 | 01/2021 | Added a new Paragraph on electronic fraud awareness. |
          | RM-3 | 01/2022 | Added a new Chapter on Cyber Security Risk Management. |
          | RM-3.1.61 | 04/2022 | Deleted reference to BR. |
          | RM-3.1.58 | 04/2022 | Amended Paragraph on cyber security incident reporting. |
          | RM-3.1.59 | 04/2022 | Amended Paragraph on submission period of the cyber security incident report. |
          | RM-2 | 07/2022 | Replaced Chapter RM-2 with new Outsourcing Requirements. |
          | RM-3.1.22 | 10/2022 | Amended Paragraph on email domains requirements. |
          | RM-3.1.22A | 10/2022 | Added a new Paragraph on additional domains requirements. |
          | RM-1.5.7 – RM-1.5.9 | 07/2023 | Added new Rules on secured customer authentication requirements. |

      • Superseded Requirements

        • RM-A.2.3

          This Module does not replace any regulations or circulars in force prior to month year.

          | Document Ref. | Date of Issue | Module Ref. | Document Subject |
          |---|---|---|---|
          October 2010