CA-A.1.1

The purpose of this module is to set out the CBB's regulations for minimum capital requirements. This requirement is supported by Article 44(c) of the Central Bank of Bahrain and Financial Institutions Law (Decree No. 64 of 2006).

CA-A.1.2

Principle 9 of the Principles of Business requires that financing company licensees maintain adequate human, financial and other resources, sufficient to run their business in an orderly manner (see Section PB-1.9). In addition, Condition 5 of CBB's Authorised Conditions (Section AU-2.5) requires financing company licensees to maintain financial resources in excess of the minimum requirements specified in this Module.

CA-A.1.3

This Module sets out the minimum capital requirements which financing company licensees must meet as a condition of their licensing.

CA-A.1.4

The purpose of these requirements is to ensure that financing company licensees hold sufficient financial resources to provide some protection against unexpected losses.

CA-A.1.5

The CBB requires in particular that the relevant financing company maintain adequate capital in accordance with the requirements of this Module, against their risks.

CA-A.1.6

This module provides support for certain other parts of the Rulebook, mainly:

CA-A.1.7

This Module contains the CBB's Directive relating to the capital requirements and gearing of financing company licensees, and is issued under the powers available to the CBB under Article 38 of the CBB Law. The Directive in this Module is applicable to all financing company licensees.

CA-A.2.1

This Module was first issued in January 2013 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

CA-A.2.2

A list of recent changes made to this Module is provided below:

CA-A.2.3

Guidance on the implementation and transition to Volume 5 (Specialised Licensees) is given in Module ES (Executive Summary).

CA-1.1.1

A licensee must maintain a minimum paid-up capital of BD5,000,000. A greater amount of capital may be required by the CBB on a case-by-case basis. A licensee offering a limited scope of short-term instalment credit activity may be allowed, as determined by the CBB, to maintain a lower capital based on the nature, scale and size of operations.

CA-1.1.2

In addition to the requirements of Paragraph CA-1.1.1, the CBB may require that an acceptably worded letter of guarantee be provided in support of the application for a license. Where the application for the license is for an incorporated entity, the CBB may seek a letter of guarantee from the major shareholder in control of the licensee.

CA-1.1.3

All licensees must implement the requirements of Paragraphs CA-1.1.1 and CA-1.1.2, effective January 2013.

CA-1.1.4

In addition to the requirements outlined in Paragraphs CA-1.1.1 and CA-1.2.1., all licensees must maintain a minimum gearing ratio of 20%.

CA-1.1.5

For purposes of Paragraph CA-1.1.4, the gearing ratio is defined as the core capital divided by the total liabilities to be calculated on a consolidated basis.

CA-1.1.6

Core capital shall consist of the sum of items (a) to (e) below, less the sum of items (f) to (h) below:

LESS:

CA-1.1.7

Only interim profits which have been reviewed as per IAS 34 may be included as core capital.

CA-1.1.8

For purposes of Paragraph CA-1.1.5, liabilities are defined as the total amount of liabilities reported in the PIRF or PIRCC.

CA-1.1.9

Licensees must ensure that at all times they maintain the minimum gearing ratio outlined in Paragraph CA-1.1.4. In the event that the licensee does not comply with the minimum gearing ratio, it must notify the CBB by no later than the following business day of the actual level of the gearing ratio. When providing such notification, the licensee must:

CA-1.1.10

Licensees must note that the CBB considers the breach of the gearing ratio to be a very serious matter. Consequently, the CBB may (at its discretion) subject a licensee which breaches its gearing ratio to a formal licensing reappraisal. Such reappraisal may be effected either through the CBB's own inspection function or through the use of Reporting Accountants, as appropriate. Following such reappraisal, the CBB will provide a written notification to the licensee concerned outlining the CBB's conclusions with regard to the continued licensing.

CA-1.1.11

The CBB requires that the licensee's compliance officer supports and cooperates with the CBB in the monitoring and reporting of the capital level and the gearing ratio and other regulatory reporting matters.

CA-1.1.12

Compliance officers should ensure that the licensee has adequate internal systems and controls to comply with this Module.

CA-1.1.13

The licensee must report its capital level and gearing ratio to the CBB in accordance with the requirements outlined in Chapter BR-3.

BC-A.1.3

This Module contains the CBB's Directive (as amended from time to time) on business conduct by financing company licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 (CBB Law). The Directive in this Module is applicable to all financing company licensees.

BC-A.1.4

For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

BC-A.2.3

This Module supersedes the following provisions contained in circulars or other regulatory requirements:

BC-1.1.1

The purpose of this Section is to set out requirements pertaining to the promotion of financial products offered in/from Bahrain by licensees by means of incentives (herein referred to as 'promotional schemes').

BC-1.1.2

The CBB has no objection to the use of promotional schemes in general and, unless it otherwise specifically directs in any particular case, the CBB does not expect to be actively consulted/have its approval sought about the idea and/or substance of any promotional schemes. Any advertising of promotional schemes are subject to the requirements of Section BC-1.2.

BC-1.1.3

The CBB will monitor promotional schemes and, if thought appropriate in the interests of a licensee and its customers in particular and/or the financial sector in general, may issue specific guidance in certain cases. Licensees should feel free to consult the CBB at any time regarding any matters referred to in this Section.

BC-1.1.4

Licensees must take care to ensure that promotional schemes do not involve a breach of Bahrain law or any other relevant applicable law and regulation. In addition, promotional schemes should not in any way be detrimental to the public good or public morals.

BC-1.1.5

While there is to be no formal restriction on the types of incentive which may be used by institutions, care must be taken to ensure that promotional schemes do not negatively affect the integrity, reputation, good image and standing of Bahrain and/or its financial sector, and do not detrimentally affect Bahrain's economy.

BC-1.1.6

Bearing in mind the reputation of, and the requirement to develop, the financial sector in Bahrain, as well as the need to act at all times in the best interests of the customer, licensees need to take adequate care to ensure that promotional schemes do not unreasonably divert the attention of the public from other important considerations in choosing a financing company or a financial product.

BC-1.1.7

All documentation and other media communication (including websites, voice messaging, SMS, etc.) concerning promotional schemes must be in Arabic and English and, if relevant, any other language necessary for customers to fully understand and appreciate their terms and conditions. Such terms and conditions, including any related advertising, are required to be clear, concise, truthful, unambiguous and complete so as to enable customers to make a fully informed decision.

BC-1.1.8

Customers to whom promotional schemes are directed must enjoy equal opportunity in terms of access to, and treatment within, such schemes.

BC-1.1.9

All costs (including funding costs), charges or levies associated with promotional schemes must be disclosed to prospective customers.

BC-1.1.10

All material related to promotional schemes, particularly where raffles are concerned, must be maintained for a minimum period of 5 years (see Paragraph GR-1.3.4).

BC-1.1.11

Any raffles held as part of promotional schemes must be independently monitored (e.g. by the licensee's external auditor) and adequate systems put in place to ensure fair play and impartiality.

BC-1.1.12

An appropriate system must also exist for informing participants of the results of a raffle without delay. Licensees must note that raffles may be subject to rules and requirements (including prior authorisation/approval) laid down by the Ministry of Industry and Commerce.

BC-1.1.13

Licensees may use small 'gifts' as an inducement to members of the public to use its services, provided such gifts are offered on a general basis and have a low monetary value.

BC-1.1.14

Due note must be taken of the overriding provisions of Bahrain (and any other relevant) law in relation to licensees' duties to customers to the extent (if any) that promotional schemes might impact on such duties.

BC-3.1.3

A licensee must make available, at their premises, information leaflets containing information on the key products and services in respect of all credit agreements including:

BC-3.1.4

For the purpose of this Section, the following definitions apply:

BC-3.1.5

Where a customer has a credit agreement with a licensee, licensees must:

BC-3.1.6

Marketing of customer credit agreements, advertising and sales promoting credit agreements, irrespective of the media used (SMS, Internet, printed material, telephone solicitation) must be clear and understandable, must be true and not misleading and meet the basic customer information requirements as defined in this Module. Licensees are also asked to take special care to ensure that the content of any advertising material does not mislead or deceive the public in any way.

BC-3.1.7

The use of "small print" to make potentially important information less visible is not compatible with good business conduct, and should be avoided.

BC-3.1.8

Licensees must make:

BC-3.1.9

The following public disclosures must be made by conspicuous notice for all types of credit agreements:

BC-3.1.10

In addition to the requirements under Paragraph BC-3.1.9, licensees must publicly disclose by conspicuous notice for instalment financing facilities:

BC-3.1.11

The APR is a standard measure that allows customers to compare total charges for instalment financing facilities on a like-for-like basis. The APR allows the customer to compare the total charge for credit over differing periods (e.g. — two versus three years) or offered by different licensees with differing payment profiles and taking into account the payment of any other fees payable as a condition of the contract, such as administration fees or insurance premiums.

BC-3.1.12

Any advertising through any media means of instalment financing facilities, offered by the licensees must specify only the APR (including all fees and charges) and no other rates, i.e. nominal, base, flat or rates by any other names.

BC-3.1.13

For the purposes of Paragraph BC-3.1.10, the disclosures can be provided as one APR or a range of APRs for licensees that provide instalment financing to different segments and products. A licensee may have different customer segments with different risk profiles, for whom the APR offered on the same product may vary. However, the disclosures must comply with the scenarios outlined in Subparagraph BC-3.1.10 (a).

BC-3.1.14

In addition to the requirements under paragraph BC-3.1.9, licensees must publicly disclose by conspicuous notice for Credit Agreements other than instalment financing facilities:

BC-3.1.15

For credit agreements other than instalment financing facilities, any advertising through any media means must specify only the annual proft/interest rate and other fees and charges.

BC-3.1.16

For credit agreements other than instalment financing facilities, licensees are prohibited from using the term APR in any advertising.

BC-3.1.17

Licensees must make clear to potential customers, prior to entering into a credit agreement, all relevant key terms of the agreement in the credit application and 'key terms disclosure' document, in order for them to clearly understand the characteristics of the services and products on offer. Licensees must also comply with the disclosure requirements under the "Code of Best Practice on Consumer Credit and Charging" (see Appendix CM-1).

BC-3.1.18

The above "key terms disclosure" document must be summarised in plain English and Arabic. This document must be signed and dated by the customer(s) in duplicate as having been read and understood, prior to signing a credit agreement. One copy should be retained by the customer and the other must be retained by the licensee in their customer file.

BC-3.1.19

For credit agreements where a retailer extends credit to purchase goods or services by operating in agreement with licensees, all conditions of the credit agreement must be disclosed in the credit agreement application and 'key terms disclosure' document, including when interest will begin to accrue, along with information on any indirect charges.

BC-3.1.20

Credit agreements, referred to in Paragraph BC-3.1.19, must be finalised with an employee of the licensee, whether located at the premises of the retailer or at the premises of the licensee providing the credit. Profit/interest must in no event be charged before the disbursement of funds.

BC-3.1.21

Licensees must inform the customers on the nature of their contractual relationship with the retail outlet and the customers' rights arising as a result of this relationship.

BC-3.1.22

In addition to the initial disclosure of key terms noted in Paragraphs BC-3.1.17 to BC-3.1.21, the "key terms disclosure" document must, at the time of signing the credit agreement, amongst other things, make clear:

BC-3.1.23

Licensees are free to design the layout and wording to be used in their 'key terms disclosure' document, as they see fit, providing they contain the information specified in Paragraph BC-3.1.22. The CBB will monitor compliance with the spirit as well as the letter of the requirements in this Chapter.

BC-3.1.24

Licensees must, at the time of singing the credit agreement, give the clients information on the payment schedule of the credit agreement, including the breakdown of principal, profit/interest and other charges per month for the whole life of the facility. Information must be given, free of charge, at least on a semi-annual basis, unless the period of debt servicing is shorter or where there exists a prior agreement on a more frequent basis.

BC-3.1.25

In addition to the requirements under Paragraph BC-3.1.24, when credit is granted through credit cards, monthly statements must be provided and include information on minimum payment.

BC-3.1.25A

Licensees must, when billing their customers, reflect the card transactions without rounding off the amounts in Fils. Licensees must collaborate with acquirers and Visa/MasterCard network schemes to ensure that there is no rounding off in any transaction irrespective of the currency of the transaction.

BC-3.1.26

Licensees must disclose to the customer in advance, either collectively or individually, all relevant changes or variations to a credit agreement. The circumstances in which a customer must be provided with variation disclosures are:

BC-3.1.27

Any increase of the profit/interest rate or the amount of any fee or charge payable under a credit agreement, must be disclosed publicly, by conspicuous notice, at least thirty calendar days prior to the date the change takes effect by:

BC-3.1.28

Any deferral of profit/interest or principal announced by the licensee must also take account of the APR methodology as shown in Paragraphs BC-3.1.31 to BC-3.1.33, and the new APR must be given to the client or made public in advertisements.

BC-3.1.28A

All requests for early repayment of Shari'a compliant financing must satisfy the condition requiring the licensees to restrict the profit on the transaction to one month profit; i.e. the month in which the actual early repayment takes place. This is effective from 1st October 2011.

BC-3.1.29

The licensee must provide a reply to any request for disclosure within fifteen business days of receiving the request.

BC-3.1.30

Disclosures requested by the customer may include but are not limited to any or all of the following information about a credit agreement:

BC-3.1.31

The APR must be calculated using the following methodology:

BC-3.1.32

The meaning of letters and symbols used in the above formula are:

BC-3.1.33

For the purpose of this Chapter, the 'relevant date' is the earliest identifiable date on which the borrower is able to acquire anything which is the subject of the agreement (e.g. delivery of goods), or otherwise the 'relevant date' is the date on which the credit agreement is made.

BC-4.3.2

"How and where to complain" must be well publicised to customers and other interested parties, in both English and Arabic languages.

BC-4.3.3

A complaints handling process must be easily accessible to all customers and must be free of charge.

BC-4.3.4

While a licensee's website is considered an acceptable mean for dealing with customer complaints, it should not be the only means available to customers as not all customers have access to the internet.

BC-4.3.5

Process information must be readily accessible and must include flexibility in the method of making complaints.

BC-4.3.6

Support for customers in interpreting the complaints procedures must be provided, upon request.

BC-4.3.7

Information and assistance must be available on details of making and resolving a complaint.

BC-4.3.8

Supporting information must be easy to understand and use.

BC-4.3.9

Receipt of complaints must be acknowledged in accordance with Section BC-4.5 "Response to Complaints".

BC-4.3.10

Complaints must be addressed promptly in accordance with their urgency.

BC-4.3.11

Customers must be treated with courtesy.

BC-4.3.12

Customers must be kept informed of the progress of their complaint, in accordance with Section BC-4.5.

BC-4.3.13

If a customer is not satisfied with a licensee's response, the licensee must advise the customer on how to take the complaint further within the organisation.

BC-4.3.14

In the event that they are unable to resolve a complaint, licensees must outline the options that are open to that customer to pursue the matter further, including, where appropriate, referring the matter to the Consumer Protection Unit at the CBB.

BC-4.3.15

Complaints must be addressed in an equitable, objective, unbiased and efficient manner.

BC-4.3.16

General principles for objectivity in the complaints handling process include:

BC-4.5.3

A licensee should decide and communicate how it proposes (if at all) to provide the customer with redress. Where appropriate, the licensee must explain the options open to the customer and the procedures necessary to obtain the redress.

BC-4.5.4

Where a licensee decides that redress in the form of compensation is appropriate, the licensee must provide the complainant with fair compensation and must comply with any offer of compensation made by it which the complainant accepts.

BC-4.5.5

Where a licensee decides that redress in a form other than compensation is appropriate, it must provide the redress as soon as practicable.

BC-4.5.6

Should the customer that filed a complaint not be satisfied with the response received as per Paragraph BC-4.5.2, he can forward the complaint to the Consumer Protection Unit at the CBB within 30 calendar days from the date of receiving the letter.

OM-A.1.1

The Operational Risk Management Module sets out the Central Bank of Bahrain's ('CBB's') rules and guidance for financing company licensees operating in Bahrain on establishing parameters and control procedures to monitor and mitigate operational risks.

OM-A.1.2

This Module provides support for certain other parts of the Rulebook, mainly:

OM-A.1.3

This Module contains the CBB's Directive (as amended from time to time) relating to operational risk management and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all financing company licensees (including their approved persons).

OM-A.1.4

For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

OM-A.2.3

This Module supersedes the following provisions contained in circulars or other regulatory requirements:

OM-1.2.7

The board of directors must establish, approve and periodically review the framework. The board of directors must oversee senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.

OM-1.2.8

The board of directors must:

OM-1.2.9

Strong internal controls are a critical aspect of operational risk management, and the board of directors must establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment must provide appropriate independence/separation of duties between operational risk management functions, business lines and support functions

OM-1.2.10

A licensee's governance structure should be commensurate with the nature, size, complexity and risk profile of its activities. When designing the operational risk governance structure, a licensee must take the following into consideration:

OM-1.2.11

Sound industry practice for larger and more complex organisations with a central group function and separate business units is to utilise a board-created enterprise level risk committee for overseeing all risks, to which a management level operational risk committee reports. Depending on the nature, size and complexity of the licensee, the enterprise level risk committee may receive input from operational risk committees by country, business or functional area. Smaller and less complex organisations may utilise a flatter organisational structure that oversees operational risk directly within the board's risk management committee.

OM-1.2.12

Sound industry practice is for operational risk committees (or the risk committee in smaller licensees) to include a combination of members with expertise in business activities and financial, as well as independent risk management

OM-1.2.13

The board of directors must approve and review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of operational risk that the licensee is willing to assume.

OM-1.2.14

When approving and reviewing the risk appetite and tolerance statement, the board of directors must consider all relevant risks, the licensee's level of risk aversion, its current financial condition and the licensee's strategic direction. The board of directors must approve appropriate thresholds or limits for specific operational risks, and an overall operational risk appetite and tolerance.

OM-1.2.15

The risk appetite and tolerance statement should encapsulate the various operational risk appetites within a licensee and ensure that they are consistent.

OM-1.2.16

The board of directors must regularly review the appropriateness of limits and the overall operational risk appetite and tolerance statement. This review must consider changes in the external environment, material increases in business or activity volumes, the quality of the control environment, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume or nature of limit breaches. The board must monitor management adherence to the risk appetite and tolerance statement and provide for timely detection and remediation of breaches.

OM-1.2.17

The licensee must ensure that the internal pricing and performance measurement mechanisms appropriately take into account operational risk. Where operational risk is not considered, risk-taking incentives might not be appropriately aligned with the risk appetite and tolerance.

OM-1.2.18

The board of directors must establish a code of conduct or an ethics policy that sets clear expectations for integrity and ethical values of the highest standard and identify acceptable business practices and prohibited conflicts (See Section HC-2.2).

OM-1.2.19

Clear expectations and accountabilities ensure that staff understand their roles and responsibilities for risk, as well as their authority to act. Strong and consistent senior management support for risk management and ethical behaviour convincingly reinforces codes of conduct and ethics, compensation strategies, and training programmes.

OM-1.2.20

Compensation policies must be aligned to the licensee's statement of risk appetite and tolerance, long-term strategic direction, financial goals and overall safety and soundness. They must also appropriately balance risk and reward.

OM-1.2.21

Senior management should ensure that an appropriate level of operational risk training is available at all levels throughout the organisation. Training that is provided should reflect the seniority, role and responsibilities of the individuals for whom it is intended.

OM-1.2.22

Licensees must develop, implement and maintain a framework that is fully integrated into the licensee's overall risk management processes.

OM-1.2.23

The framework for operational risk management chosen by an individual licensee will depend on a range of factors, including its nature, size, complexity and risk profile.

OM-1.2.24

The board is responsible for establishing a management structure capable of implementing the licensee's operational risk management framework. Since a significant aspect of managing operational risk relates to the establishment of strong internal controls, it is particularly important that the board establishes clear lines of management responsibility, accountability and reporting. In addition, there should be separation of responsibilities and reporting lines between operational risk control functions, business lines and support functions in order to avoid conflicts of interest. The framework should also articulate the key processes the licensee needs to have in place to manage operational risk.

OM-1.2.25

The framework must be comprehensively and appropriately documented in board of directors approved policies and must include definitions of operational risk and operational loss.

OM-1.2.26

Licensees that do not adequately describe and classify operational risk and loss exposure may significantly reduce the effectiveness of their framework.

OM-1.2.27

Framework documentation must clearly:

OM-1.2.28

The board should review the framework regularly to ensure that the licensee is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems. This review process should also aim to assess industry best practice in operational risk management appropriate for the licensee's activities, systems and processes. If necessary, the board should ensure that the operational risk management framework is revised in light of this analysis, so that material operational risks are captured within the framework.

OM-1.2.29

The board of directors must ensure that the licensee's operational risk management framework is subject to effective and comprehensive independent review.

OM-1.2.30

The independent review functions are the internal audit and compliance functions and the staff occupying these functions must be competent and appropriately trained and not be involved in the development, implementation and operation of the operational risk framework.

OM-1.2.31

With reference to Paragraph OM-1.2.30, internal audit and compliance should not be involved with the setting of risk appetite or risk tolerance. Internal audit should be reviewing the robustness of the process of how these limits are set and why and how they are adjusted in response to changing circumstances. More details on the internal audit function and the role of the audit committee are included in Chapter HC-3.

OM-1.2.32

An independent review consists of the verification of the framework on a periodic basis and is typically performed by the licensee's internal and/or external audit, but may involve other suitably qualified independent parties from external sources. Verification activities test the effectiveness of the overall framework, consistent with policies approved by the board of directors, and also test validation processes to ensure that they are independent and implemented in a manner consistent with established policies of the licensee.

OM-1.2.33

Licensees should have in place adequate internal audit coverage to verify that operating policies and procedures have been implemented effectively. The board (either directly or indirectly through its audit committee) should ensure that the scope and frequency of the audit programme is appropriate to the risk exposures. Audit should periodically validate that the licensee's operational risk management framework is being implemented effectively across the licensee.

OM-1.2.34

The responsibilities of the senior management of the licensee must include:

OM-1.2.35

Senior management is responsible for establishing and maintaining robust challenge mechanisms and effective issue-resolution processes. These must include systems to report, track and, when necessary, escalate issues to ensure resolution. Licensees must be able to demonstrate that the three lines of defence approach is operating satisfactorily and to explain how the board and senior management ensure that this approach is implemented and operating in an appropriate and acceptable manner.

OM-1.2.36

Senior management must translate the operational risk strategy established by the board of directors into an operational risk management framework that refers to specific policies, processes and procedures that can be implemented and verified within the different business units.

OM-1.2.37

While each level of management is responsible for the appropriateness and effectiveness of policies, processes, procedures and controls within its purview, senior management should clearly assign authority, responsibility and reporting relationships to encourage and maintain this accountability.

OM-1.2.38

Senior management must ensure that the necessary resources are available to manage operational risk effectively. Moreover, senior management must assess the appropriateness of the management oversight process in light of the risks inherent in a business unit's activity.

OM-1.2.39

Senior management should ensure that the licensee's activities are conducted by qualified staff with the necessary experience, technical capabilities and access to resources. Staff responsible for monitoring and enforcing compliance with the institution's risk policy should have authority independent from the units they oversee.

OM-1.2.40

Senior management must ensure that staff responsible for managing operational risk coordinate and communicate effectively with staff responsible for managing credit, market, and other risks, as well as with those in the licensee who are responsible for the procurement of external services such as insurance purchasing and outsourcing agreements. Failure to do so could result in significant gaps or overlaps in a licensee's overall risk management programme.

OM-1.2.41

The managers of the corporate operational risk management function should be of sufficient stature within the licensee to perform their duties effectively, ideally evidenced by title commensurate with other risk management functions such as credit, market and liquidity risk.

OM-1.2.42

Particular attention should be given to the quality of documentation controls and to transaction-handling practices. Policies, processes and procedures related to advanced technologies supporting high transactions volumes, in particular, should be well documented and disseminated to all relevant personnel.

OM-1.2.43

The management information system of an organisation plays a key role in establishing and maintaining an effective operational risk management framework.

OM-1.2.44

Communication flow serves the purpose of establishing a consistent operational risk management culture across the licensee. Reporting flow enables:

OM-1.3.5

Senior management must ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.

OM-1.3.6

In general, a licensee's operational risk exposure is increased when a licensee engages in new activities or develops new products; enters unfamiliar markets; implements new business processes or technology systems; and/or engages in businesses that are geographically distant from the head office. Moreover, the level of risk may escalate when new products activities, processes, or systems transition from an introductory level to a level that represents material sources of revenue or business-critical operations. A licensee should ensure that its risk management control infrastructure is appropriate at inception and that it keeps pace with the rate of growth of, or changes to, products activities, processes and systems.

OM-1.3.7

A licensee must have policies and procedures that address the process for review and approval of new products, activities, processes and systems.

OM-1.3.8

The review and approval process referred to in Paragraph OM-1.3.7 should consider:

OM-1.3.9

The approval process should also ensure that appropriate investment has been made for human resources and technology infrastructure before new products are introduced. The implementation of new products, activities, processes and systems should be monitored in order to identify any material differences to the expected operational risk profile, and to manage any unexpected risks.

OM-4.2.1

A licensee's Board of Directors and senior management are collectively responsible for a licensee's business continuity. The Board must endorse the policies, standards and processes for a licensee's BCP, as established by its senior management. The Board and senior management must delegate adequate resources to develop the BCP, and for its maintenance and periodic testing.

OM-4.2.2

Licensees must establish a Crisis Management Team (CMT) to develop, maintain and test their BCP, as well as to respond to and manage the various stages of a crisis. The CMT must comprise members of senior management and heads of major support functions (e.g. building facilities, IT, corporate communications and human resources).

OM-4.2.3

Licensees must establish (and document as part of the BCP) individuals' responsibilities in helping prepare for and manage a crisis; and the process by which a disaster is declared and the BCP initiated (and later terminated).

OM-4.2.4

The CMT must submit regular reports to the Board and senior management on the results of the testing of the BCP (refer to section OM-4.8). Major changes must be developed by the CMT, reported to senior management, and endorsed by the Board.

OM-4.2.5

The Chief Executive of a licensee must sign a formal annual statement submitted to the Board on whether the recovery strategies adopted are still valid and whether the documented BCP is properly tested and maintained. The annual statement must be included in the BCP documentation and will be reviewed as part of the CBB's on-site examinations.

OM-4.3.1

Licensees' BCPs must be based on:

These analyses must be comprehensive, including all business functions and departments, not just IT or data processing.

OM-4.3.2

The key objective of a business impact analysis is to identify the different kinds of risk to business continuity and to quantify the operational and financial impact of disruptions on a licensee's ability to conduct its critical business processes.

OM-4.3.3

A typical business impact analysis is normally comprised of two stages. The first is to identify and prioritise the critical business processes that must be continued in the event of a disaster. The first stage should take account of the impact on customers and reputation, the legal implications and the financial cost associated with downtime. The second stage is a time-frame assessment. This aims to determine how quickly the licensee needs to resume critical business processes identified in stage one.

OM-4.3.4

Operational impact analysis focuses on the licensee's ability to maintain communications with customers and to retrieve key activity records. It identifies the organisational implications associated with the loss of access, loss of utility, or loss of a facility. It highlights which functions may be interrupted by an outage, and the consequences to the public and customer of such interruptions.

OM-4.3.5

A financial impact analysis identifies the financial losses that (both immediate and also consequent to the event) arise out of an operational disruption.

OM-4.3.6

In developing a BCP, licensees must consider realistic threat scenarios that may (potentially) cause disruptions to their business processes.

OM-4.3.7

Business continuity plans must take into account different types of likely or plausible scenarios to which the licensee will be vulnerable. The following specific scenarios must at a minimum, be considered in the BCP:

OM-4.4.5

The BCP must contain a list of all key personnel. The list must include personal contact information on each key employee such as their home address, home telephone number, and cell phone so they may be contacted in case of a disaster or other emergency.

OM-4.4.6

The BCP must contain all the necessary process steps to complete each critical business operation or service. Each process must be explained in sufficient detail to allow another employee to perform the job in case of a disaster.

OM-4.4.7

Most business continuity efforts are dependent on the availability of an alternate site (i.e. recovery site) for successful execution. The alternate site may be either an external site available through an agreement with a commercial vendor or premises owned or under the control of the licensee. A useable, functional alternate site is an integral component of BCP.

OM-4.4.8

Licensees must examine the extent to which key business functions are concentrated in the same or adjacent locations and the proximity of the alternate sites to primary sites. Alternate sites must be sufficiently remote from, and do not depend upon the same physical infrastructure components as a licensee's primary business location. This minimises the risk of both sites being affected by the same disaster (e.g. they must be on separate or alternative power grids and telecommunication circuits).

OM-4.4.9

Licensees' alternate sites and alternate recovery mechanisms must be readily accessible and available for occupancy (i.e. 24 hours a day, 7 days a week) within the time requirement specified in their BCP. Should the BCP so require, the alternate sites must have pre-installed workstations, power, telephones and ventilation, and sufficient space. Appropriate physical access controls such as access control systems and security guards must be implemented in accordance with the licensee's security policy.

OM-4.4.10

Other than the establishment of alternate sites, licensees should also pay particular attention to the transportation logistics for relocation of operations to alternate sites. Consideration should be given to the impact a disaster may have on the transportation system (e.g. closures of roads). Some staff may have difficulty in commuting from their homes to the alternate sites. Other logistics, such as how to re-route internal and external mail to alternate sites should also be considered. Moreover, pre-arrangement with telecommunication companies for automated telephone call diversion from the primary work locations to the alternate sites should be considered.

OM-4.4.11

Alternate sites for technology recovery (i.e. back-up data centres), which may be separate from the primary business site, should have sufficient technical equipment (e.g. workstations, servers, printers, etc.) of appropriate model, size and capacity to meet recovery requirements as specified by licensees' BCPs. The sites should also have adequate telecommunication (including bandwidth) facilities and pre-installed network connections as specified by their BCP to handle the expected voice and data traffic volume.

OM-4.4.12

Licensees should avoid placing excessive reliance on external vendors in providing BCP support, particularly where a number of institutions are using the services of the same vendor (e.g. to provide back-up facilities or additional hardware). Licensees should satisfy themselves that such vendors do actually have the capacity to provide the services when needed and the contractual responsibilities of the vendors should be clearly specified. Licensees should recognise that outsourcing a business operation does not transfer the associated business continuity management responsibilities.

OM-4.4.13

The contractual terms should include the lead-time and capacity that vendors are committed to deliver in terms of back-up facilities, technical support or hardware. The vendor should be able to demonstrate its own recoverability including the specification of another recovery site in the event that the contracted site becomes unavailable.

OM-4.4.14

Certain licensees may rely on a reciprocal recovery arrangement with other institutions to provide recovery capability. Licensees should, however, note that such arrangements are often not appropriate for prolonged disruptions or an extended period of time. This arrangement could also make it difficult for licensees to adequately test their BCP. Any reciprocal recovery agreement should therefore be subject to proper risk assessment and documentation by licensees, and formal approval by the Board.

OM-4.5.2

A BCP must set out a Crisis Management Plan (CMP) that serves as a documented guidance to assist the CMT in dealing with a crisis situation to avoid spill over effects to the business as a whole. The overall CMP, at a minimum, must contain the following:

OM-4.5.3

If CMT members need to be evacuated from their primary business locations, the licensee should set up a command centre to provide the necessary workspace and facilities for the CMT. Command centres should be sufficiently distanced from the licensee's primary business locations to avoid being affected by the same disaster.

OM-4.5.4

Each relevant business and support function must assign at least one member to be a part of the CMT to carry out the business resumption process for the relevant business and supported function. Appropriate recovery personnel with the required knowledge and skills must be assigned to the team.

OM-4.5.5

Business resumption very often relies on the recovery of technology resources that include applications, hardware equipment and network infrastructure as well as electronic records. The technology requirements that are needed during recovery for individual business and support functions should be specified when the recovery strategies for the functions are determined.

OM-4.5.6

Licensees should pay attention to the resilience of critical technology equipment and facilities such as the uninterruptible power supply (UPS) and the computer cooling systems. Such equipment and facilities should be subject to continuous monitoring and periodic maintenance and testing.

OM-4.5.7

Appropriate personnel must be assigned with the responsibility for technology recovery. Alternative personnel need to be identified as back up for key technology recovery personnel in the case of the latter unavailability to perform the recovery process.

OM-4.7.1

Licensees must implement an awareness plan and business continuity training for employees to ensure that all employees are continually aware of their responsibilities and know how to remain in contact and what to do in the event of a crisis.

OM-4.7.2

Key employees should be involved in the business continuity development process, as well as periodic training exercises. Cross training should be utilised to anticipate restoring operations in the absence of key employees. Employee training should be regularly scheduled and updated to address changes to the BCP.

OM-4.7.3

Licensees must develop an awareness program and formulate a formal strategy for communication with key external parties (e.g. CBB and other regulators, investors, customers, business partners, service providers, the media and other stakeholders) and provide for the type of information to be communicated. The strategy needs to set out all the parties the licensee must communicate to in the event of a disaster. This will ensure that consistent and up-to-date messages are conveyed to the relevant parties. During a disaster, ongoing and clear communication is likely to assist in maintaining the confidence of customers as well as the public in general.

OM-4.7.4

The BCP must clearly indicate who may speak to the media and other key external parties, and have pre-arrangements for redirecting external communications to designated staff during a disaster. Important contact numbers and e-mail addresses of key external parties must be kept in a readily accessible manner (e.g. in wallet cards or licensees' intranet).

OM-4.7.5

Licensees may find it helpful to prepare draft press releases as part of their BCP. This will save the CMT time in determining the main messages to convey in a chaotic situation. Important conversations with external parties should be properly logged for future reference.

OM-4.7.6

As regards internal communication, the BCP should set out how the status of recovery can be promptly and consistently communicated to all staff, head office, branches and subsidiaries (where appropriate). This may entail the use of various communication channels (e.g. broadcasting of messages to mobile phones of staff, licensees websites, e-mails, intranet and instant messaging).

OM-4.7.7

Licensees must disclose how their BCP addresses the possibility of a future significant business disruption and how the licensee will respond to events of varying scope. Licensees must also state whether they plan to continue business during disruptions and the planned recovery time. The licensees might make these disclosures on their website, or through mailing to key external parties upon request. In all cases, BCP disclosures must be reviewed and updated to address changes to the BCP.

OM-4.8.1

Licensees must test their BCPs at least annually. Senior management must participate in the annual testing, and demonstrate their awareness of what they are required to do in the event of the BCP being involved. Also, the recovery and alternate personnel must participate in testing rehearsals to familiarise themselves with their responsibilities and the back-up facilities and remote sites (where applicable).

OM-4.8.2

All of the BCP's related risks and assumptions must be reviewed for relevancy and appropriateness as part of the annual planning of testing. The scope of testing must be comprehensive enough to cover the major components of the BCP as well as coordination and interfaces among important parties. A testing of particular components of the BCP or a fully integrated testing must be decided depending on the situation. The following points must be included in the annual testing:

OM-4.8.3

Formal testing reviews of the BCP must be performed to assess the thoroughness and effectiveness of the testing. Specifically, a post-mortem review report must be prepared at the completion of the testing stage for formal sign-off by licensees' senior management. If the testing results indicate weaknesses or gaps in the BCP, the plan and recovery strategies must be updated to remedy the situation.

OM-4.8.4

Licensees must have formal procedures to keep their BCP updated with respect to any changes to their business. In the event of a plan having been activated, a review process must be carried out once normal operations are restored to identify areas for improvement. If vendors are needed to provide vital recovery services, there must be formal processes for regular (say, annual) reviews of the appropriateness of the relevant service level agreement.

OM-4.8.5

Individual business and support functions, with the assistance of the CMT, must review their business impact analysis and recovery strategy on an annual basis. This aims to confirm the validity of, or whether updates are needed to, the BCP requirements (including the technical specifications of equipment of the alternate sites) for the changing business and operating environment.

OM-4.8.6

The contact information for key staff, counterparties, customers and service providers must be updated as soon as possible when notification of changes is received.

OM-4.8.7

Significant internal changes (e.g. merger or acquisitions, business re-organisation or departure of key personnel) must be reflected in the plan immediately and reported to senior management.

OM-4.8.8

Copies of the BCP document must be stored at locations separate from the primary site. A summary of key steps to be taken in an emergency situation must be made available to senior management and other key personnel.

OM-4.8.9

The internal audit function of a licensee or its external auditor must conduct periodic reviews of the BCP to determine whether the plan remains realistic and relevant, and whether it adheres to the policies and standards of the licensee. This review must include assessing:

OM-4.8.10

Significant findings must be brought to the attention of the Board and senior management within three months of the completion of the review. Furthermore, senior management and the Board must ensure that any gaps or shortcomings reported to them are addressed in an appropriate and timely manner.

OM-5.1.1

Public entrances to head offices and branches must be protected by measures such as steel rolling shutters, or the external doors must be of solid steel or a similar solid material of equivalent strength and resistance to fire.

OM-5.1.2

Other external entrances must have steel doors or be protected by steel rolling shutters. Preferably, all other external entrances should have the following security measures:

OM-5.1.3

If additional security measures to those mentioned in Paragraph OM-5.1.2 such as security cameras, motion detectors or intruder alarms are installed, the requirement for steel external doors or protection by steel rolling shutters is waived.

OM-5.1.4

External windows must have security measures such as anti blast films and movement detectors. For ground floor windows, licensees may also wish to add steel grills fastened into the wall.

OM-5.1.5

Alarm systems should have the following features:

OM-5.1.6

All areas where cash is handled must be screened off from customers and other staff areas.

OM-5.1.7

Access to areas where cash is handled must be restricted to authorised staff only. The design of the teller area should not allow customers to pass through it.

OM-5.1.8

Panic alarm systems for staff handling cash may be installed. The choice between silent or audible panic alarms is left to individual licensees. Kick bars and/or hold up buttons may be spread throughout the teller and customer service areas and the branch manager's office.

OM-5.1.9

Cash and bearer instruments must be kept in fireproof cabinets/safes. Preferably, these cabinets/safes should be located in strong rooms.

OM-5.1.10

Strong rooms must be made of reinforced solid concrete, or reinforced block work. Doors to strong rooms must be steel and preferably also have a steel shutter fitted. Dual locking devices must be installed in strong room doors. Strong room doors must be located out of the sight of customers.

OM-5.1.11

Strong rooms must not contain any other openings except the entry door and where necessary, an air conditioning outlet. The air conditioning outlet must be protected with a steel grill.

OM-5.1.12

Licensees must maintain a list of all maintenance, replenishment and inspection visits by staff or other authorised parties.

OM-5.1.13

All head offices and branches must have a CCTV network which is connected to a central monitoring unit located in the head office.

OM-5.1.14

The location and type of CCTV cameras is left to the discretion of the licensee. At a minimum, CCTV cameras must cover the following areas:

OM-5.1.15

Notices of CCTV cameras in operation must be put up for the attention of the public. CCTV records must be maintained for a minimum 45-day period. The transmission rate (in terms of the number of frames per second) should be high enough to make for effective monitoring. Delayed transmission of pictures to the central monitoring unit is not acceptable. The CCTV system must be operational 24 hours per day.

OM-5.1.16

Licensees must establish the formal position of security manager. This person will be responsible for ensuring all licensee staff are given annual, comprehensive security training. Licensees must produce a security manual or procedures for staff, especially those dealing directly with customers. For licensees with three or more branches, this position must be a formally identified position. For licensees with one or two branches, the responsibilities of this position may be added to the duties of a member of management.

OM-5.1.17

The security manager must maintain records on documented security related complaints by customers and take corrective action or make recommendations for action on a timely basis. Actions and recommendations must also be documented.

OM-5.1.18

Licensees must consider safety and security issues when selecting premises for new branches. Key security issues include prominence of location (i.e. is the branch on a main street or a back street?), accessibility for emergency services, and assessment of surrounding premises (in terms of their safety or vulnerability), and the number of entrances to the branch. All licensees are required to hold an insurance blanket bond (which includes theft of cash in its cover).

OM-5.1.19

Licensees must maintain up to date Payment Card Industry Data Security Standards (PCI-DSS) certification. The initial certification must be obtained by 31st December 2017. Failure to comply with this requirement will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

OM-5.1.19A

In order to maintain up to date PCI-DSS certification, licensees will be periodically audited by PCI authorised companies for compliance. Licensees are asked to make certified copies of such documents available if requested by the CBB.

OM-5.1.20

All financing companies issuing prepaid and/or credit cards must ensure that all Bahrain issued cards enable each customer to maintain a list of 'approved' countries for card ATM/Point of Sale (POS) transactions. Customers must be allowed to determine those countries in which their card must not be accepted as well as countries or merchant categories in which a card transaction would require a further level of authorisation, (for example, 2-way SMS). This requirement must be complied with by 28^th February 2018.

OM-5.1.20AA

All cards (credit, charge, prepaid, etc.) issued by licensees in the Kingdom of Bahrain must be EMV compliant. Moreover, all POS must be EMV compliant for accepting cards issued in the Kingdom of Bahrain. In this context, EMV compliant means using chip and online PIN authentication. However, contactless card payment transactions, where no PIN verification is required, are permitted for small amounts i.e. up to BD 20 per transaction, provided that licensees bear full responsibility in case of fraud occurrence.

OM-5.1.20AAA

Where contactless payments use Consumer Device Cardholder Method (CDCVM) for payment authentication and approval, then the authentication required for transactions above BD20 limit mentioned in Paragraph OM-5.1.20AA is not applicable given that the customer has already been authenticated by his device using PIN, biometric or other authentication methods. This is only applicable where the debit/credit card of the customer has already been tokenized in the payment application.

OM-5.1.20BB

Licensees are allowed to provide payment services using various channels, including but not limited to, contactless, cardless, QR code, e-wallets, biometrics (iris recognition, facial recognition, fingerprint, voiceprint, etc.), subject to enrolling customers through registration process wherein customers' acceptance of products/services terms and conditions are documented and customers are properly authenticated.

OM-5.1.20A

All card acquirer licensees must communicate to the concerned merchants that the CBB has directed to stop the practice of double swiping of payment cards by merchants at the merchant's POS terminals/ECR, with effect from 15th June, 2017.

OM-5.1.20B

For the purpose of Paragraph OM-5.1.20A, card acquirer licensee means a CBB licensee that enters into a contractual relationship with a merchant and the payment card issuer, under a card payment scheme, for accepting and processing payment card transactions. Card acquirers include three-party payment card network operators, who have outsourced their acquiring services to third party service providers.

OM-5.1.20C

For the purpose of Paragraph OM-5.1.20A, double swiping means swiping of a payment card by a merchant at the POS terminal/ECR for the second time, resulting in capturing and storing of payment cardholder data and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response.

OM-5.1.20D

All card acquirer licensees must include the following clause into the merchant agreements entered into with all their merchants and bring into force the said clause on or before 15th June, 2017: "Pursuant to the CBB directions and instructions, the merchant shall stop double swiping of a payment card at a merchant's point-of-sale (POS) terminal/electronic cash register (ECR) to capture or store cardholder and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response. The merchant asserts its full compliance with the obligation contained in this clause and understands that any breach of this clause will expose the merchant to mandatory contractual and/or legal disciplinary actions by the relevant regulator and/or concerned Ministry."

OM-5.1.20E

All card acquirer licensees must:

OM-5.1.21

Licensees must ensure, with effect from 1^st October 2019, that any new POS terminals or devices support contactless payment using Near Filed Communication "NFC" technology.

OM-5.1.22

Licensees must ensure, that any payment card issued or reissued (credit, debit, prepaid and charge cards) on or after 12^th October 2019 supports contactless payment using Near Field Communications "NFC" technology.

LM-A.1.1

This Module provides detailed Rules and Guidance on risk management systems and controls required for minimum liquidity requirements for financing company licensees.

LM-A.1.2

This Module expands on certain high-level requirements contained in various High-Level Standards Modules. In particular, Condition 5 of the Licensing Conditions (see Section AU-2.5) notes that financing company licensees must maintain sufficient liquid assets to meet their obligations as they fall due in the normal course of business. In addition, Principle 9 of the Principles of Business (see Paragraph PB-1.1.9) refers to the requirement to maintain adequate resources for financing company licensees to run their business in an orderly manner. Principle 10 of the Principles of Business (see Paragraph PB-1.1.10) also notes the requirement for licensees to maintain systems and controls to manage the level of risk inherent in their business and ensure compliance with the CBB Rulebook.

LM-A.1.3

This Module sets out the minimum stock liquidity ratio and maturity mismatch ratios which financing company licensees must meet as a condition of their licensing. In addition, it outlines the need for proper systems and controls to ensure the prudent management of liquidity and the liquidity reporting and other requirements.

LM-A.1.4

Liquidity risk is the risk of not being able to meet liabilities when they fall due, even though a firm may still be solvent. Liquidity risk in financing company licensees relates to the management of their cash flow and the risk to their meeting short-term liabilities due to liquidity problems. The purpose of these requirements is to ensure that financing company licensees hold sufficient liquid assets to meet their obligations as they fall due.

LM-A.1.5

This Module contains the Central Bank of Bahrain's ('CBB') Directive relating to the liquidity risk management of financing company licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all financing company licensees.

LM-A.2.1

This Module was first issued in January 2014 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

LM-A.2.2

A list of recent changes made to this Module is provided below:

LM-1.2.5

For purposes of Paragraph LM-1.2.3, liquid assets are defined as:

LM-1.2.6

The liquid assets noted under Paragraph LM-1.2.5 must also meet the following requirements to be included in the calculation of the stock liquidity ratio. They must be:

LM-1.2.7

For purposes of Paragraph LM-1.2.3, qualifying liabilities are defined as:

LM-1.2.8

For purposes of Subparagraph LM-1.2.7 (b), irrevocable commitments include facilities:

LM-1.2.9

Potential commitments relating to credit card facilities, which may be cancelled at any time are excluded from qualifying liabilities.

LM-2.1.5

Licensees are encouraged to carry out stress testing to assess the resilience of their financial resources to any identified areas of material liquidity risk. This stress testing may take into account the general characteristics, and licensee's experience, and any mitigating factors that it considers relevant such as the ability to sell assets quickly and the options available to re-schedule the payment of liabilities.

LM-2.1.6

Where the licensee considers that the nature of its assets or liabilities and the matching of its liabilities result in no significant liquidity risk exposure, it will not be expected to carry out stress testing. The CBB will expect it to document the reasons for its decision and be prepared to discuss these during an on-site visit.

LM-2.1.7

When assessing liquidity risk, the licensee should consider the extent of mismatch between assets and liabilities and the amount of assets held in highly liquid, marketable forms should unexpected cash flows lead to a liquidity problem. The price concession of liquidating assets is a prime concern when assessing such liquidity risk and should be built into any assessment of liquidity risk management.

TC-A.1.1

This Module presents requirements that have to be met by financing company licensees with respect to training and competency of individuals undertaking controlled functions (i.e. approved persons) (as defined in Paragraph AU-1.2.2)

TC-A.1.2

Module TC provides Rules and Guidance to financing company licencees to ensure satisfactory levels of competence, in terms of an individual's knowledge, skills, experience, and professional qualifications. Financing company licencees must maintain the competence to provide regulated financing company services as outlined in Section AU-1.3. Individuals occupying controlled functions, as outlined in Paragraph AU-1.2.2, must therefore meet minimum levels of training and experience related to their functions.

TC-A.1.3

The Rules build upon Principles 3 and 9 of the Principles of Business (see Module PB (Principles of Business)). Principle 3 (Due Skill, Care and Diligence) requires financing company licensees to observe high standards of integrity and fair dealing, and to be honest and straightforward in its dealings with customers. Principle 9 (Adequate Resources) requires financing company licensees to maintain adequate human, financial and other resources sufficient to run its business in an orderly manner.

TC-A.1.4

Condition 4 of CBB's Licensing Conditions (Chapter AU-2.4) and Condition 1 of the Approved Persons regime (Chapter AU-3.1) impose further requirements. To satisfy Condition 4 of the CBB's Licensing Conditions, a financing company licensee's staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of the financing company licensee in a sound and prudent manner (AU-2.4). This condition specifies that financing company licensees must ensure their employees meet any training and competency requirements specified by the CBB. Condition 1 of the Approved Persons Conditions (AU-3.1) sets forth the 'fit and proper' requirements in relation to competence, experience and expertise required by approved persons.

TC-A.1.5

This Module contains the CBB's Directive relating to Training and Competency and is issued under the powers available to the CBB under Articles 38 and 65(b) of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'). The Directive in this Module is applicable to all financing company licensees (including their approved persons).

TC-A.1.6

For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

TC-A.2.1

This Module was first issued in January 2014. Any material changes that are subsequently made to this Module will be annotated with the calendar quarter date in which the change is made; Chapter UG-3 provides further details on Rulebook maintenance and version control.

TC-A.2.2

A list of recent changes made to this Module is provided below:

TC-A.2.3

This Module does not replace any regulations or circulars in force prior to January 2014.

TC-1.1.4

Board Members collectively are responsible for the business performance and strategy of the licensee, as outlined in more details in Section HC-1.2.

TC-1.1.5

When taken as a whole, the board of directors of a licensee must be able to demonstrate that it has the necessary skills and expertise, as outlined in Paragraph HC-1.2.10.

TC-1.1.6

The chief executive or general manager (as appropriate) are responsible for the executive management and performance of the licensee within the framework or delegated authorities set by the Board. The scope of authority of the CEO is outlined in more detail in Paragraph HC-6.3.2 (a).

TC-1.1.7

Heads of function, where risk acquisition or control is involved, are responsible for tracking specific functional performance goals in addition to identifying, managing, and reporting critical organisational issues upstream. Certain functions require dealing directly with clients while others do not. Both categories of functions, however, require specific qualifications and experience to meet the objectives as well as compliance requirements of the financing company licensee.

TC-1.1.8

For purposes of Paragraph TC-1.1.7, licensees should contact the CBB should they require further clarification on whether a specific position falls under the definition of "Heads of Function".

TC-1.1.9

In accordance with Paragraph AU-1.2.12, an employee of appropriate standing must be designated by the licensee for the position of compliance officer. The duties of the compliance officer include:

TC-1.1.10

The attributes and responsibilities of the MLRO are described more fully in Paragraphs FC-4.1.7 and FC-4.2.1.

TC-1.1.11

The head of Shari'a review in a licensee, dealing with Islamic products and services, is responsible for the examination of the extent of a licensee's compliance, in all its activities, with the Shari'a. This examination includes contracts, agreements, policies, products, transactions memorandum and articles of association, financial statements, reports (especially internal audit and central bank inspection), circulars, etc. The objective of the Shari'a review is to ensure that the activities carried out by a licensee do not contravene the Shari'a.

TC-1.2.1

All individuals holding controlled functions in a licensee must undergo a minimum of 15 hours of CPD per annum.

TC-1.2.2

A licensee must ensure that an approved person undertaking a controlled function undergoes appropriate annual review and assessment of performance.

TC-1.2.3

The level of supervision should be proportionate to the level of competence demonstrated by the approved person. Supervision will include, as appropriate:

TC-1.2.4

Supervisors of approved persons should have technical knowledge and relevant managerial skills.

TC-1.2.5

A licensee should, for a minimum period of five years, retain records of:

TC-2.1.1

If a licensee recruits or promotes an individual to undertake a controlled function, it must first file Form 3 (Approved Persons) with the CBB and obtain the express written approval of the CBB for that person to occupy the desired position. In its application, the licensee must demonstrate to the CBB that full consideration has been given to the qualifications and core competencies for controlled functions in Appendix TC-1. (See Article 65(b) of the CBB Law and Paragraph AU-2.3.1).

TC-2.1.2

Licensees should refer to Module AU (Authorisation) providing detailed requirements on the appointment of individuals occupying controlled functions (approved persons).

TC-2.1.3

A licensee proposing to recruit an individual has to satisfy itself, of his/her relevant qualifications and experience. The licensee should:

TC-2.1.4

The licensee must retain the recruitment records of controlled functions for a minimum period of five years following termination of their services or employment with the licensee. Such records must include, but are not limited to, the following:

TC-2.1.5

Licensees must not allow an individual to undertake or supervise controlled functions unless that individual has been assessed by the licensee as competent in accordance with this Section.

TC-2.1.6

In the case of new personnel, the licensee should ensure that they work under proper supervision. Where a person is working towards attaining a level of competence, they should be supervised by a competent person until they can demonstrate the appropriate level of competence. It is the licensee's responsibility to ensure that such arrangements are in place and working successfully.

TC-2.1.7

In determining an individual's competence, licensees may assess if the person is fit and proper in accordance with Chapter AU-3.

TC-2.1.8

Licensees must assess individuals as competent when they have demonstrated the ability to apply the knowledge and skills required to perform a specific controlled function.

TC-2.1.9

The assessment of competence will be dependent on the nature and the level of complexity of the controlled function. Such assessment of competence of new personnel may take into account the fact that an individual has been previously assessed as competent in a similar controlled function with another licensee.

TC-2.1.10

If a licensee assesses an individual as competent in accordance with Paragraph TC-2.1.8 to perform a specific controlled function, it does not necessarily mean that the individual is competent to undertake other controlled functions.

TC-2.1.11

A financing company should use methods of assessment that are appropriate to the controlled function and to the individual's role.

TC-2.1.12

A licensee must, for a minimum period of five years, make and retain updated records of:

TC-2.1.13

For purposes of Paragraph TC-2.1.12, the record keeping requirements apply to both current employees as well as to employees following termination of their services or employment with the company, for a minimum period of five years.

TC-2.1.14

The recruitement procedures referred to in Subparagraph TC-2.1.12(a) should be designed to adequately take into account proof of the candidates' knowledge and skills and their previous activities and training.

TC-2.2.7

A licensee must make appropriate arrangements to ensure that approved persons maintain competence.

TC-2.2.8

A licensee should ensure that maintaining competence for an approved person takes into account:

TC-2.2.9

A licensee may utilise the CPD schemes of relevant professional bodies to demonstrate compliance with Paragraph TC-2.2.1. In-house training, seminars, conferences, further qualifications, product presentations, computer-based training and one-to-one tuition may also be considered to demonstrate compliance with Paragraph TC-2.2.1.

TC-2.2.10

A licensee must, for a minimum period of five years, make and retain records of: