• RM Microfinance Institutions Risk Management Module

    • RM-A Introduction

      • RM-A.1 Purpose

        • RM-A.1.1

          This Module contains requirements relating to the management of risk by microfinance institution licensees.

          July 2014

        • RM-A.1.2

          This Module details the minimum key elements of a sound credit risk management system which the Central Bank of Bahrain ('CBB') requires its microfinance institution licensees to observe. These minimum requirements reflect the unique environment within which microfinance institution licensees operate and the range of products which they typically offer. However, the CBB, at its sole discretion, retains the right to impose more stringent requirements and guidelines upon one or more microfinance institution licensees should it consider such action to be in the best interest of the Bahrain financial system at any time.

          July 2014

        • RM-A.1.3

          This Module obliges microfinance institution licensees to identify and document the major risks that they face, and what action will be taken to manage those risks effectively. Effective compliance with this Module will require the risk management framework to be supported by adequate resources and the appropriate tools to identify, monitor and control all material risks.

          July 2014

        • RM-A.1.4

          This Module provides support for certain other parts of the Rulebook, mainly:

          (a) Principles of Business;
          (b) The CBB Reporting Requirements;
          (c) Auditors and Accounting Standards; and
          (d) High-level Controls.
          July 2014

        • Legal Basis

          • RM-A.1.5

            This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) relating to the credit and operational risk management of microfinance institution licensees, and is issued under the powers available to the CBB under Article 38 of the CBB Law. The Directive in this Module is applicable to all microfinance institution licensees.

            July 2014

          • RM-A.1.6

            For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

            July 2014

      • RM-A.2 Module History

        • RM-A.2.1

          This Module was first issued in July 2014 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made. Chapter UG 3 provides further details on Rulebook maintenance and version control.

          July 2014

        • Summary of Changes

          • RM-A.2.2

            The most recent changes made to this Module are detailed in the table below:

            Module Ref. | Change Date | Description of Changes
            RM-4.3.1 | 10/2017 | Amended Paragraph.
            RM-4.4.3 | 10/2017 | Amended Paragraph.
            RM-4.5.1(c) | 10/2017 | Amended sub-sub-Paragraph no. (2).
            RM-4.5.1(e) | 10/2017 | Amended sub-sub-Paragraph no. (3).
            RM-4.5.2 | 10/2017 | Added a new paragraph for security measures related to cloud services.

        • Superseded Requirements

          • RM-A.2.3

            This Module supersedes the following provisions contained in circulars or other regulatory requirements:

            Document Ref. | Document Subject
            Volumes 1 and 2 | Modules CM and OM

    • RM-B Scope of Application

      • RM-B.1 Scope

        • RM-B.1.1

          This Module applies to all microfinance institution licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

          July 2014

    • RM-1 Risk Management

      • RM-1.1 General Requirements

        • Board of Directors

          • RM-1.1.1

            The board of directors of licensees must take responsibility for the establishment of an adequate and effective framework for identifying, monitoring and managing risks across all its operations.

            July 2014

          • RM-1.1.2

            The CBB expects the board to be able to demonstrate that it provides suitable oversight and establishes, in relation to all the risks the licensee is exposed to, a risk management framework that includes approving and monitoring policies, systems, tools and controls.

            July 2014

          • RM-1.1.3

            Although authority for the management of a licensee's risks is likely to be delegated to some degree to individuals at all levels of the organisation, the overall responsibility for this activity should not be delegated from its governing body and relevant senior managers.

            July 2014

          • RM-1.1.4

            A licensee's failure to establish an adequate risk management framework to the satisfaction of the CBB will result in it being in breach of Condition 6 of the Licensing Conditions of Section AU-2.6. This failure may result in the CBB withdrawing the licence or imposing other restrictions on the licensee, or the licensee being required to inject more capital.

            July 2014

          • RM-1.1.5

            The board of directors must ensure that there is adequate documentation of the licensee's risk management framework, and that the documentation is reviewed at least annually to ensure the framework continues to meet the needs of the licensee and complies with CBB requirements.

            July 2014

        • Senior Management

          • RM-1.1.6

            The responsibilities of the senior management of the licensee must include:

            (a) Implementing the overall risk strategy approved by the Board of Directors;
            (b) Ensuring that the strategy is implemented consistently throughout the whole organisation;
            (c) Ensuring that all levels of staff understand their responsibilities with respect to risk management;
            (d) Ensuring that each member of staff has the requisite knowledge, skills, and understanding of the principles and practices of risk management to discharge their duties effectively; and
            (e) Developing and implementing policies, processes and procedures for managing risk in all of the licensee's products, activities, processes and systems.
            July 2014

        • Systems and Controls

          • RM-1.1.7

            The risk management framework of a licensee must describe the systems and controls which are appropriate to their business, so as to identify, measure, mitigate, and monitor risks to which the licensee may be exposed.

            July 2014

          • RM-1.1.8

            The board must ensure that the licensee undertakes a timely review and evaluation of all internal systems and control weaknesses identified by external and/or internal auditors, the risk management function and management, and that actions are implemented to effectively mitigate such control weaknesses.

            July 2014

          • RM-1.1.9

            Licensees must establish mechanisms to verify that controls, once established, are implemented effectively at all times.

            July 2014

        • The Role of Internal Audit

          • RM-1.1.10

            The internal audit function, which may be outsourced subject to the conditions outlined in Chapter RM-4, must, on an on-going basis, monitor, assess, and evaluate the system of internal controls.

            July 2014

    • RM-2 Credit Risk

      • RM-2.1 General Requirements

        • RM-2.1.1

          Credit risk is the likelihood that a counterparty of the licensee will not meet its obligations in accordance with the agreed terms. The magnitude of the specific credit risk depends on the likelihood of default by the counterparty, and on the potential value of the licensees' contracts with the customer at the time of default. Credit risk largely arises in assets shown on the balance sheet, but it can also show up off the balance sheet in a variety of contingent obligations.

          July 2014

        • RM-2.1.2

          Exposure to credit risk, notably in the form of traditional and Shari'a compliant financing, has historically been the most frequent source of risk.

          July 2014

        • RM-2.1.3

          The lack of continuous credit facility supervision and effective internal controls, and/or the failure to identify the application of effective controls and fraud are also sources of risk.

          July 2014

      • RM-2.2 Credit Analysis

        • RM-2.2.1

          All licensees which provide credit facilities to resident natural or legal persons in Bahrain must become members of the Credit Reference Bureau (CRB). All requests by residents of Bahrain for new credit facilities must be submitted to the CRB.

          July 2014

        • RM-2.2.2

          All CRB members must implement the requirements of Module BC (Business Conduct), in matters such as the protection of confidential customer data (see Section BC-1.7) and payment of enquiry fees.

          July 2014

      • RM-2.3 Credit Policy

        • RM-2.3.1

          Licensees must have a properly documented credit framework. The framework must include a board approved policy which is supported by appropriate procedures and practices designed to bring professional discipline to the credit granting activities and ensure that credit facilities are granted based on clear and relevant criteria.

          July 2014

        • RM-2.3.2

          It is prudent to review the credit policy regularly to ensure that once it is established, it remains flexible enough to be current and continues to accomplish its original purpose taking into consideration market developments.

          July 2014

        • RM-2.3.3

          A sound credit policy should consider which types of credit products and borrowers the licensee is prepared to accept and the underwriting standards the licensee will utilise.

          July 2014

        • RM-2.3.4

          A licensee's credit policy should address all credit matters of significance including:

          (a) Objectives of credit monitoring;
          (b) Organisation and reporting structure of the credit department;
          (c) The target economic sectors and products;
          (d) Establishment of a credit limit framework;
          (e) Guidelines for assessment of concentration;
          (f) Authorisation procedures for the advancement of credit;
          (g) Effective oversight and review of all credit facilities;
          (h) Establishment of desirable pricing levels and criteria; and
          (i) Problem credit identification, classification and administration.
          July 2014

      • RM-2.4 Credit Grading System

        • RM-2.4.1

          Licensees must have in place appropriate credit grading systems (sometimes referred to as credit classification systems) to help assess credit quality.

          July 2014

        • RM-2.4.2

          Each licensee must have a credit grading system and provisioning requirements within its credit policy.

          July 2014

        • RM-2.4.3

          Credit facilities must be classified by licensees on an ongoing basis. The classification framework must, at a minimum, include the categories listed below, and licensees must apply provisions (sometimes referred to as "allowances") at or above the minimum levels specified in Paragraph RM-2.4.4. Licensees are free to classify a credit facility in a category which requires a higher level of provisioning if the licensee has information which gives doubt as to the collectability of the facility, even if the concerned credit facility is performing. These standards must also be applied in the case of the suspension of profit and the classification of other non-financing receivables (e.g. fees):

          (a) 'Standard facilities' are those which are 'performing' as the contract requires. These facilities are not past due and there is no reason to suspect that the customer's financial condition or the adequacy of collateral has deteriorated in any way;
          (b) 'Watch-list facilities' are those which show some weaknesses in the customer's (or counterparty's) financial condition or creditworthiness, requiring more than normal attention but not necessarily requiring the allocation of specific provisions (or impairment allowances). 'Watch' could include 'performing' facilities which are not regular in repayment or are regular but there is minor deterioration in the financial position of the customer or counterparty or the underlying collateral. 'Watch' must include any facilities which are less than 90 days overdue and which are not (yet) included in 'sub-standard', 'doubtful' or 'loss' (i.e. the facility can be regarded as overdue but not yet 'impaired' according to IFRS);
          (c) 'Sub-standard facilities' are those where interest/profit or principal is 90 days or more overdue (see Paragraph RM-2.4.4 for minimum required provisioning levels). 'Sub-standard facilities' also include those where full repayment (collectability) is in doubt due to inadequate protection by the impaired paying capacity of the customer or by impairment of the collateral pledged. Sub-standard facilities are characterised by the distinct possibility of loss if observed weaknesses are not corrected and may therefore be viewed as 'impaired' or non-performing. Sub-standard may therefore include facilities that are not yet overdue, or are less than 90 days overdue;
          (d) 'Doubtful facilities' are those where interest/profit or principal is 180 days or more overdue (see Paragraph RM-2.4.4 for minimum required provisioning levels). 'Doubtful facilities' have all the weaknesses inherent in a facility classified as 'substandard' with the added characteristic that observed weaknesses make full collection (or liquidation), on the basis of currently existing facts and valuations highly questionable or improbable. The probability of loss is extremely high, but total loss may not necessarily occur because some mitigating factors may strengthen the asset quality; and
          (e) 'Loss facilities' are those where interest/profit or principal is 360 days or more overdue (see Paragraph RM 2.5.6 for minimum required provisioning levels). 'Loss facilities' are considered uncollectible or of such little value that their continuance at any material value is not warranted. The category 'loss' means that it is not considered practical or desirable to give a positive valuation to this facility, even though partial recovery may be effected in the future.
          July 2014

        • RM-2.4.4

          The following categories of credit facilities are defined as 'Non-performing'. Licensees must apply the minimum specific provision levels outlined below:

          Substandard: 10% of the outstanding amount
          Doubtful: 30% of the outstanding amount
          Loss: 100% of the outstanding amount.
          July 2014

        • RM-2.4.5

          The minimum provisioning levels set out above must be taken on the net amount of the outstanding facility after deducting the eligible collateral. If a licensee has collateral but is unprepared to exercise it after a facility becomes non-performing, then the collateral is not providing protection to the licensee and therefore provisions must be taken on the full amount of the outstanding balance until either the facility is repaid, the collateral (or guarantees) exercised or the facility rescheduled or restructured.

          July 2014

      • RM-2.5 Treatment of Profit/Interest in Suspense and Provisioning

        • Non-accrual of Profit/Interest Income

          • RM-2.5.1

            Licensees are required to place on a non-accrual basis any facility where there is reasonable doubt about the collectability of the receivable irrespective of whether the facility is overdue or not. All accrued profit/interest, including related interest/profit earned but not collected and recognised as income in prior periods, for non-accrual assets identified in Paragraph RM-2.5.2 must be credited to an off-balance sheet special account in the licensee's records under the name 'profit/interest in suspense account' and not to the profit and loss account, i.e. it must not be recognised as income.

            July 2014

          • RM-2.5.2

            For the purpose of this Module, the following 'non-performing' categories of assets must be considered as non-accrual items:

            (a) Substandard;
            (b) Doubtful;
            (c) Loss; and
            (d) Any other credit facilities that are overdue for a period of less than 90 days but the licensee has doubts about their collectability.
            July 2014

        • Treatment of Restructured and Rescheduled Facilities and Facilities Which Cease to be Non-performing

          • RM-2.5.3

            Any facility where principal or profit/interest is 90 days or more overdue must be categorised as 'non-performing'. A facility becomes overdue from the first date that profit/interest or principal is not received.

            July 2014

          • RM-2.5.4

            For purposes of Paragraph RM-2.5.3, if an instalment is missed on 1st March 2010, but payment is made on 1st April 2010 (and the March instalment is still not paid), then the credit facility will become over 90 days overdue by 1st June 2010, even if the April and May instalments are paid on time and in full, and a provision must at least be taken in respect of the overdue amount (but not necessarily the full outstanding amount of the credit facility if other payments were made).

            July 2014

          • RM-2.5.5

            If a non-performing credit facility is formally rescheduled (by way of a written agreement), the rescheduled credit facility may be considered 'performing' again (as 'standard') after a period of one year from the date of rescheduling if all payments have been made on schedule and the concerned provisions and suspended profit/interest may be credited (back) to the profit & loss account.

            July 2014

          • RM-2.5.6

            If a facility ceases to be non-performing (due to full repayment of all arrears on profit/interest and principal) it may be categorised as performing after a period of one year and the concerned provisions and suspended profit/interest may be credited (back) to the profit & loss account.

            July 2014

      • RM-2.6 Collateral

        • RM-2.6.1

          The extension of credit is sometimes supported by collateral provided by the customer or third parties. In the case of a credit facility supported by a guarantee, an assessment of the guarantor must be made by the licensee on at least an annual basis.

          July 2014

      • RM-2.7 Developing a Sound Credit Culture

        • RM-2.7.1

          Credit culture is defined as the sum total of a licensee's approach to managing credit risk, including business strategy, credit policy, shared assumptions about credit, the effectiveness of communications, and the composition and quality of the resulting loan portfolio.

          July 2014

        • The Role of the Board of Directors

          • RM-2.7.2

            The board must review and reassess the credit policies of the licensee (including collateral, provisioning and concentration policies) on at least an annual basis. The board must also review overdue facilities in terms of performance on a quarterly basis.

            July 2014

        • The Role of Senior Management

          • RM-2.7.3

            Senior management must be involved in the credit review process of existing facilities, including visiting clients, assessing the financial status of the borrower and verifying the appropriateness of collateral.

            July 2014

        • Effective Internal Systems and Controls

          • RM-2.7.4

            Licensees must utilise internal grading systems (as outlined in Paragraph RM-2.4.3) to manage credit risk and to set adequate provisions on a timely basis.

            July 2014

          • RM-2.7.5

            Policies and procedures must include the requirement for a thorough understanding of the customer, the purpose of the credit facility and the source of repayment. This data must be reviewed as part of the risk management framework in any assessment of the customer for risk profiling purposes.

            July 2014

      • RM-2.8 The CBB's Approach to Microfinance Credit Facilities

        • RM-2.8.1

          Licensees must implement a sound internal controls framework, including an effective credit culture (see Section RM-2.7). Licensees must display and communicate charges and the APR clearly (see Section BC-1.4).

          July 2014

        • RM-2.8.2

          The CBB requires licensees to demonstrate transparency in their dealings with their customers, as regards the costs and terms of their lending.

          July 2014

        • RM-2.8.3

          The measures presented in this Chapter should be viewed as minimum standards, rather than best practice. They are aimed at encouraging prudent lending and full, frank and fair disclosures, rather than dictating comprehensively how licensees should engage in microfinance credit facilities.

          July 2014

      • RM-2.9 Refunds and Prepayments

        • Refund/Adjustment of Insurance Premium on Loan Prepayments and Top-Ups

          • RM-2.9.1

            Licensees must refund/adjust proportionately the insurance premium charged on individual loans/facilities when the borrower requests either a top-up or prepayment of the loan/facility, as per the prescribed formula below:

            Refund/Adjustment Amount = (Remaining Period to Maturity × Premium Paid) / Original Maturity
            July 2014

        • Early Repayment Fees/Charges

          • RM-2.9.2

            If early repayment charges are imposed by the licensee, the CBB imposes a ceiling on the early repayment charges on microfinance credit facilities as follows:

            (a) 1% of the outstanding credit facility amount or BD20, whichever is lower;
            (b) The ceilings on the charges have a retroactive effect i.e. covering existing and new credit facilities; and
            (c) Licensees must not charge any remaining interest/profit amount if prepayment is made.
            July 2014

    • RM-3 Operational Risk

      • RM-3.1 General Requirements

        • RM-3.1.1

          Licensees must document their framework for the proactive management of operational risk. This policy must be approved and reviewed at least annually by the board of directors of the licensee.

          July 2014

        • RM-3.1.2

          Operational risk is the risk to the licensee of loss resulting from inadequate or failed internal processes, people and systems, or from external events. In identifying the types of operational risk losses that it may be exposed to, licensees should consider, for instance, the following:

          (a) The nature of a licensee's customers, products and activities, including sources of business, distribution mechanisms, and the complexity and volumes of transactions;
          (b) The design, implementation, and operation of the processes and systems used in the end-to-end operating cycle for a licensee's products and activities;
          (c) The risk culture and human resource management practices at a licensee; and
          (d) The business operating environment, including political, legal, socio-demographic, technological, and economic factors as well as the competitive environment and market structure.
          July 2014

        • RM-3.1.3

          Licensees must assess and evaluate the impact of operational risks on their financial resources and solvency.

          July 2014

        • Business Continuity Planning

          • RM-3.1.4

            A licensee's business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the licensee and its business portfolio.

            July 2014

        • Record Keeping

          • RM-3.1.5

            Licensees must retain an appropriate record of their operational risk management activities.

            July 2014

      • RM-3.2 Identification, Measurement, Monitoring and Control

        • RM-3.2.1

          As part of an effective operational risk management system, licensees must:

          (a) Identify critical processes, resources and loss events; and
          (b) Develop policies, processes and procedures to control or mitigate operational risk.
          July 2014

      • RM-3.3 Succession Planning

        • RM-3.3.1

          Succession planning is an essential precautionary measure for a licensee if its leadership stability — and hence ultimately its financial stability — is to be protected. Succession planning is especially critical for smaller institutions, where management teams tend to be smaller and possibly reliant on a few key individuals.

          July 2014

      • RM-3.4 Business Continuity Requirements

        • Vital Records Management

          • RM-3.4.1

            A business continuity plan must clearly identify information deemed vital for the recovery of critical business and support functions in the event of a significant disruption to business, including an event considered as a disaster, as well as the relevant protection measures to be taken for protecting vital information, whether stored on electronic or non-electronic media.

            July 2014

          • RM-3.4.2

            Copies of vital records must be stored off-site as soon as possible after creation. A back-up of all vital records must be readily accessible for emergency retrieval. Access to back-up vital records should be adequately controlled to ensure that they are reliable for business resumption purposes. For certain critical business operations or services, licensees should consider the need for instantaneous data back up to ensure prompt system and data recovery. There should be clear procedures indicating how and in what priority vital records are to be retrieved or recreated in the event that they are lost, damaged or destroyed.

            July 2014

      • RM-3.5 Security Measures for Microfinance Institutions

        • RM-3.5.1

          Licensees that maintain cash on their premises must put in place security measures to minimize the risk of theft or fraud.

          July 2014

        • RM-3.5.2

          Licensees are required to install an alarm system for those premises where cash is held.

          July 2014

        • RM-3.5.3

          Where appropriate, licensees may consider the need to maintain a trained security guard on the premises.

          July 2014

        • RM-3.5.4

          All licensees are required to have in place insurance coverage to cover potential losses arising from liability, theft, fire and other potential operational risk.

          July 2014

    • RM-4 Outsourcing Risk

      • RM-4.1 Introduction

        • RM-4.1.1

          Licensees must apply in writing to the CBB for approval to outsource any of their activities. The prior written approval of the CBB is required before any outsourcing is entered into by the licensee.

          July 2014

        • RM-4.1.2

          Licensees must not outsource 'core functions' which are defined as the offering of regulated microfinance services, customer due diligence and approval of customers.

          July 2014

      • RM-4.2 Supervisory Approach

        • RM-4.2.1

          Once an outsourcing arrangement has been implemented, the CBB requires a licensee to continue to monitor the associated risks and the effectiveness of its mitigating controls. The CBB requires access to the outsourced activity, which it may occasionally want to examine itself, through management meetings or on-site examinations.

          July 2014

        • RM-4.2.2

          The board and management of the licensee may not abdicate their responsibility for a licensee's business and the way its customers are treated. The board and management remain ultimately responsible for the effectiveness of systems and controls in outsourced activities.

          July 2014

      • RM-4.3 Prior Approval Requirements

        • RM-4.3.1

          Where an activity has been outsourced, a licensee must immediately inform its supervisory point of contact at the CBB of any material problems encountered with the outsourcing provider. The CBB reserves the right to direct a licensee to make alternative arrangements for the outsourced activity.

          Amended: October 2017
          July 2014

      • RM-4.4 Risk Assessment

        • RM-4.4.1

          Licensees must undertake a thorough risk assessment of an outsourcing proposal before formally submitting a request for prior written approval to the CBB and committing themselves to an agreement.

          July 2014

        • RM-4.4.2

          Once an outsourcing agreement has been entered into, licensees must regularly review the suitability of the outsourcing provider and the ongoing impact of the agreement on their risk profile and systems and controls framework. Such reviews should take place on at least an annual basis.

          July 2014

        • RM-4.4.3

          A licensee must nominate a relevant approved person with day-to-day responsibility for handling the relationship with the outsourcing provider and ensuring that relevant risks are addressed. The name of this person must be communicated to the CBB as part of the prior approval process required under Section RM-4.3 or if any change occurs thereafter. Any subsequent replacement of such person must also be notified to the CBB.

          Amended: October 2017
          July 2014

      • RM-4.5 Outsourcing Agreement

        • RM-4.5.1

          The activities to be outsourced and respective contractual liabilities and obligations of the outsourcing provider and licensee must be clearly specified in an outsourcing agreement. This agreement must, amongst other things, address the following points:

          (a) Control over outsourced activities:
              (i) The board and management of licensees are held ultimately responsible by the CBB for the adequacy of systems and controls over the outsourced activities. Licensees must therefore ensure that they have adequate mechanisms for monitoring the performance of, and managing the relationship with, the outsourcing provider;
              (ii) A service level agreement ('SLA') - setting out the standards of service to be provided - must form part of the outsourcing agreement;
              (iii) Mechanisms for the regular monitoring by licensees of performance against the SLA and other targets, and for implementing remedies in case of any shortfalls, must also form part of the agreement;
              (iv) Clear reporting and escalation mechanisms must be specified in the agreement; and
              (v) Where an outsourcing provider in turn decides to subcontract to other providers, the original provider must remain contractually liable to the licensee for the quality and level of service agreed, and its obligations to the licensee must remain unchanged.
          (b) Customer data confidentiality:
              (i) Licensees must ensure that outsourcing agreements comply with all applicable legal requirements regarding customer confidentiality; and
              (ii) Licensees must ensure that the outsourcing provider implements adequate safeguards and procedures. Amongst other things, customer data should be properly segregated from those belonging to other clients the outsourcing provider may have. Outsourcing providers must give suitable undertakings that the company and its staff will comply with all applicable confidentiality rules. Licensees must have contractual rights to take action against the service provider in the event of a breach of confidentiality.
          (c) Access to information:
              (i) Outsourcing agreements must ensure that the licensee's internal and external auditors have timely access to any relevant information they may require to fulfill their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing provider, if required;
              (ii) Licensees must also ensure that the CBB inspectors and appointed experts have timely access to any relevant information they may reasonably require under the law and the regulatory framework. Such access must allow the CBB to conduct on-site examinations of the outsourcing provider at the sole discretion of the CBB; and
              (iii) The outsourcing provider must commit itself, in the outsourcing agreement, to informing the licensee of any developments that may have a material impact on its ability to meet its obligations. These may include, for example, relevant control weaknesses identified by the outsourcing provider's internal or external auditors, and material adverse developments in the financial and/or operational performance of the outsourcing provider.
          (d) Business continuity:
              (i) Licensees must ensure that service providers maintain, regularly review and test plans to ensure continuity in the provision of the outsourced service;
          (e) Termination:
              (i) Licensees must have the right to terminate the agreement should the outsourcing provider undergo a change of ownership (whether direct or indirect) that poses a potential conflict of interest, becomes insolvent, or goes into liquidation or administration;
              (ii) Termination under any other circumstances allowed under the agreement must give licensees a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house; and
              (iii) In the event of termination, for whatever reason, the agreement should provide for the return of all customer data — where required by licensees — or destruction of the records under the supervision of and certified by the licensee.
          Amended: October 2017
          July 2014

        • Cloud services

          • RM-4.5.2

            For the purpose of outsourcing of cloud services, licensees must ensure that, at a minimum, the following security measures are in place:

            (a) Customer information must be encrypted and licensees must ensure that all encryption keys or similar forms of authentication are kept secure within the licensee's control;
            (b) A secure audit trail must be maintained for all actions performed at the cloud services outsourcing provider;
            (c) A comprehensive change management procedure must be developed to account for future changes to technology with adequate testing of such changes;
            (d) The licensee's data must be logically segregated from other entities' data at the outsourcing service provider's platform;
            (e) The cloud service provider must provide information on measures taken at its platform to ensure adequate information security, data security and confidentiality, including but not limited to forms of protection available against unauthorized access and incident management process in cases of data breach or data loss; and
            (f) The right to release customer information/data in case of foreign government/court orders must be the sole responsibility of the licensee, subject to the CBB Law.
            Added: October 2017

    • RM-5 Liquidity Risk

      • RM-5.1 Liquidity Risk

        • RM-5.1.1

          Licensees must design and implement a liquidity risk policy for the management of liquidity risk of the licensee. The policy must be appropriate to the nature, scale and complexity of the activities of the licensee, and it must be approved and regularly reviewed by the board of directors of the licensee.

          July 2014

        • Risk Measurement and Monitoring

          • RM-5.1.2

            A licensee must establish and maintain a process for the measurement, monitoring and controlling of liquidity risk.

            July 2014

        • Contingency Planning

          • RM-5.1.3

            Licensees must maintain contingency funding plans for taking action to ensure, so far as they can, that they can access sufficient liquid financial resources to meet liabilities as they fall due.

            July 2014