Back Custom print Link Text Only Rich Text Print

  • RM RM Microfinance Institutions Risk Management Module

    • RM-A RM-A Introduction

      • RM-A.1 RM-A.1 Purpose

        • RM-A.1.1

          This Module contains requirements relating to the management of risk by microfinance institution licensees.

          July 2014

        • RM-A.1.2

          This Module details the minimum key elements of a sound credit risk management system which the Central Bank of Bahrain ('CBB') requires its microfinance institutions licensees to observe. These minimum requirements reflect the unique environment within which microfinance institutions licensees operate and the range of products which they typically offer. However, the CBB, at its sole discretion, retains the right to impose more stringent requirements and guidelines upon one or more microfinance institution licensees should it consider such action to be in the best interest of the Bahrain financial system at any time.

          July 2014

        • RM-A.1.3

          This Module obliges microfinance institution licensees to identify and document the major risks that they face, and what action will be taken to manage those risks effectively. Effective compliance with this Module will require the risk management framework to be supported by adequate resources and the appropriate tools to identify, monitor and control all material risks.

          July 2014

        • RM-A.1.4

          This Module provides support for certain other parts of the Rulebook, mainly:

          (a) Principles of Business;
          (b) The CBB Reporting Requirements;
          (c) Auditors and Accounting Standards; and
          (d) High-level Controls.
          July 2014

        • Legal Basis

          • RM-A.1.5

            This Module contains the Central Bank of Bahrain's ('CBB') Directive (as amended from time to time) relating to the credit and operational risk management of microfinance institution licensees, and is issued under the powers available to the CBB under Article 38 of the CBB Law. The Directive in this Module is applicable to all microfinance institutions licensees.

            July 2014

          • RM-A.1.6

            For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

            July 2014

      • RM-A.2 RM-A.2 Module History

        • RM-A.2.1

          This Module was first issued in July 2014 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG 3 provides further details on Rulebook maintenance and version control.

          July 2014

        • Summary of Changes

          • RM-A.2.2

            The most recent changes made to this Module are detailed in the table below:

            Module Ref. Change Date Description of Changes
            RM-4.3.1 10/2017 Amended Paragraph.
            RM-4.4.3 10/2017 Amended Paragraph.
            RM-4.5.1(c) 10/2017 Amended sub-sub-Paragraph no. (2).
            RM-4.5.1(e) 10/2017 Amended sub-sub-Paragraph no. (3).
            RM-4.5.2 10/2017 Added a new paragraph for security measures related to cloud services.
            RM-4 07/2022 Replaced Chapter RM-4 with new Outsourcing Requirements.

        • Superseded Requirements

          • RM-A.2.3

            This Module supersedes the following provisions contained in circulars or other regulatory requirements:

            Document Ref. Document Subject
            Volumes 1 and 2 Modules CM and OM
               

    • RM-B RM-B Scope of Application

      • RM-B.1 RM-B.1 Scope

        • RM-B.1.1

          This Module applies to all microfinance institution licensees authorised in the Kingdom, thereafter referred to in this Module as licensees.

          July 2014

    • RM-1 RM-1 Risk Management

      • RM-1.1 RM-1.1 General Requirements

        • Board of Directors

          • RM-1.1.1

            The board of directors of licensees must take responsibility for the establishment of an adequate and effective framework for identifying, monitoring and managing risks across all its operations.

            July 2014

          • RM-1.1.2

            The CBB expects the board to be able to demonstrate that it provides suitable oversight and establishes, in relation to all the risks the licensee is exposed to, a risk management framework that includes approving and monitoring policies, systems, tools and controls.

            July 2014

          • RM-1.1.3

            Although authority for the management of a licensee's risks is likely to be delegated to some degree to individuals at all levels of the organisation, the overall responsibility for this activity should not be delegated from its governing body and relevant senior managers.

            July 2014

          • RM-1.1.4

            A licensee's failure to establish an adequate risk management framework to the satisfaction of the CBB will result in it being in breach of Condition 6 of the Licensing Conditions of Section AU-2.6. This failure may result in the CBB withdrawing the licence or imposing other restrictions on the licensee, or the licensee being required to inject more capital.

            July 2014

          • RM-1.1.5

            The board of directors must ensure that there is adequate documentation of the licensee's risk management framework, and that the documentation is reviewed at least annually to ensure the framework continues to meet the needs of the licensee and complies with CBB requirements.

            July 2014

        • Senior Management

          • RM-1.1.6

            The responsibilities of the senior management of the licensee must include:

            (a) Implementing the overall risk strategy approved by the Board of Directors;
            (b) Ensuring that the strategy is implemented consistently throughout the whole organisation;
            (c) Ensuring that all levels of staff understand their responsibilities with respect to risk management;
            (d) Ensuring that each member of staff has the requisite knowledge, skills, and understanding of the principles and practices of risk management to discharge their duties effectively; and
            (e) Developing and implementing policies, processes and procedures for managing risk in all of the licensee's products, activities, processes and systems.
            July 2014

        • Systems and Controls

          • RM-1.1.7

            The risk management framework of a licensee must describe the systems and controls which are appropriate to their business, so as to identify, measure, mitigate, and monitor risks to which the licensee may be exposed.

            July 2014

          • RM-1.1.8

            The board must ensure that the licensee undertakes a timely review and evaluation of all internal systems and control weaknesses identified by external and/or internal auditors, the risk management function and management, and that actions are implemented to effectively mitigate such control weaknesses.

            July 2014

          • RM-1.1.9

            Licensees must establish mechanisms to verify that controls, once established, are implemented effectively at all times.

            July 2014

        • The Role of Internal Audit

          • RM-1.1.10

            The internal audit function, which may be outsourced subject to the conditions outlined in Chapter RM-4 must, on an on-going basis, monitor, assess, and evaluate the system of internal controls.

            July 2014

    • RM-2 RM-2 Credit Risk

      • RM-2.1 RM-2.1 General Requirements

        • RM-2.1.1

          Credit risk is the likelihood that a counterparty of the licensee will not meet its obligations in accordance with the agreed terms. The magnitude of the specific credit risk depends on the likelihood of default by the counterparty, and on the potential value of the licensees' contracts with the customer at the time of default. Credit risk largely arises in assets shown on the balance sheet, but it can also show up off the balance sheet in a variety of contingent obligations.

          July 2014

        • RM-2.1.2

          Exposure to credit risk, notably in the form of traditional and Shari'a compliant financing has historically been the most frequent source of risk.

          July 2014

        • RM-2.1.3

          The lack of continuous credit facility supervision and effective internal controls, and/or the failure to identify the application of effective controls and fraud are also sources of risk.

          July 2014

      • RM-2.2 RM-2.2 Credit Analysis

        • RM-2.2.1

          All licensees which provide credit facilities to resident natural or legal persons in Bahrain must become members of the Credit Reference Bureau (CRB). All requests by residents of Bahrain for new credit facilities must be submitted to the CRB.

          July 2014

        • RM-2.2.2

          All CRB members must implement the requirements of Module BC (Business Conduct), in matters such as the protection of confidential customer data (see Section BC-1.7) and payment of enquiry fees.

          July 2014

      • RM-2.3 RM-2.3 Credit Policy

        • RM-2.3.1

          Licensees must have a properly documented credit framework. The framework must include a board approved policy which is supported by appropriate procedures and practices designed to bring professional discipline to the credit granting activities and ensure that credit facilities are granted based on clear and relevant criteria.

          July 2014

        • RM-2.3.2

          It is prudent to review the credit policy regularly to ensure that once it is established, it remains flexible enough to be current and continues to accomplish its original purpose taking into consideration market developments.

          July 2014

        • RM-2.3.3

          A sound credit policy should consider which types of credit products and borrowers the licensee is prepared to accept and the underwriting standards the licensee will utilise.

          July 2014

        • RM-2.3.4

          A licensee's credit policy should address all credit matters of significance including:

          (a) Objectives of credit monitoring;
          (b) Organisation and reporting structure of the credit department;
          (c) The target economic sectors and products;
          (d) Establishment of a credit limit framework;
          (e) Guidelines for assessment of concentration;
          (f) Authorisation procedures for the advancement of credit;
          (g) Effective oversight and review of all credit facilities;
          (h) Establishment of desirable pricing levels and criteria; and
          (i) Problem credit identification, classification and administration.
          July 2014

      • RM-2.4 RM-2.4 Credit Grading System

        • RM-2.4.1

          Licensees must have in place appropriate credit grading systems (sometimes referred to as credit classification systems) to help assess credit quality.

          July 2014

        • RM-2.4.2

          Each licensee must have a credit grading system and provisioning requirements within its credit policy.

          July 2014

        • RM-2.4.3

          Credit facilities must be classified by licensees on an ongoing basis. The classification framework must, at a minimum, include the categories listed below, and licensees must apply provisions (sometimes referred to as "allowances") at or above the minimum levels specified in Paragraph RM-2.4.4. Licensees are free to classify a credit facility in a category which requires a higher level of provisioning if the licensee has information which gives doubt as to the collectability of the facility, even if the concerned credit facility is performing. These standards must also be applied in the case of the suspension of profit and the classification of other non-financing receivables (e.g. fees):

          (a) 'Standard facilities' are those, which are 'performing' as the contract requires. These facilities are not past due and there is no reason to suspect that the customer's financial condition or the adequacy of collateral has deteriorated in any way;
          (b) 'Watch-list facilities' are those which show some weaknesses in the customer's (or counterparty's) financial condition or creditworthiness, requiring more than normal attention but not necessarily requiring the allocation of specific provisions (or impairment allowances). 'Watch' could include 'performing' facilities which are not regular in repayment or are regular but there is minor deterioration in the financial position of the customer or counterparty or the underlying collateral. 'Watch' must include any facilities which are less than 90 days overdue and which are not (yet) included in 'sub-standard', 'doubtful' or 'loss' (i.e. the facility can be regarded as overdue but not yet 'impaired' according to IFRS);
          (c) 'Sub-standard facilities' are those where interest/profit or principal is 90 days or more overdue (see Paragraph RM-2.4.4 for minimum required provisioning levels). 'Sub-standard facilities' also include those where full repayment (collectability) is in doubt due to inadequate protection by the impaired paying capacity of the customer or by impairment of the collateral pledged. Sub-standard facilities are characterised by the distinct possibility of loss if observed weaknesses are not corrected and may therefore be viewed as 'impaired' or non-performing. Sub-standard may therefore include facilities that are not yet overdue, or are less than 90 days overdue;
          (d) 'Doubtful facilities' are those where interest/profit or principal is 180 days or more overdue (see Paragraph RM-2.4.4 for minimum required provisioning levels). 'Doubtful facilities' have all the weaknesses inherent in a facility classified as 'substandard' with the added characteristic that observed weaknesses make full collection (or liquidation), on the basis of currently existing facts and valuations highly questionable or improbable. The probability of loss is extremely high, but total loss may not necessarily occur because some mitigating factors may strengthen the asset quality; and
          (e) 'Loss facilities' are those where interest/profit or principal is 360 days or more overdue (see Paragraph RM 2.5.6 for minimum required provisioning levels). 'Loss facilities' are considered uncollectible or of such little value that their continuance at any material value is not warranted. The category 'loss' means that it is not considered practical or desirable to give a positive valuation to this facility, even though partial recovery may be effected in the future.
          July 2014

        • RM-2.4.4

          The following categories of credit facilities are defined as 'Non-performing'. Licensees must apply the minimum specific provision levels outlined below:

          Substandard : 10% of the outstanding amount
          Doubtful : 30% of the outstanding amount
          Loss : 100% of the outstanding amount.
          July 2014

        • RM-2.4.5

          The minimum provisioning levels set out above must be taken on the net amount of the outstanding facility after deducting the eligible collateral. If a licensee has collateral but is unprepared to exercise it after a facility becomes non-performing, then the collateral is not providing protection to the licensee and therefore provisions must be taken on the full amount of the outstanding balance until either the facility is repaid, the collateral (or guarantees) exercised or the facility rescheduled or restructured.

          July 2014

      • RM-2.5 RM-2.5 Treatment of Profit/Interest in Suspense and Provisioning

        • Non-accrual of Profit/Interest Income

          • RM-2.5.1

            Licensees are required to place on a non-accrual basis any facility where there is reasonable doubt about the collectability of the receivable irrespective of whether the facility is overdue or not. All accrued profit/interest, including related interest/profit earned but not collected and recognised as income in prior periods, for non-accrual assets identified in Paragraph RM-2.5.2 must be credited to an off-balance sheet special account in the licensee's records under the name 'profit/interest in suspense account' and not to the profit and loss account, i.e. it must not be recognised as income.

            July 2014

          • RM-2.5.2

            For the purpose of this Module, the following 'non-performing' categories of assets must be considered as non-accrual items:

            (a) Substandard;
            (b) Doubtful;
            (c) Loss; and
            (d) Any other credit facilities that are overdue for a period of less than 90 days but the licensee has doubts about their collectability.
            July 2014

        • Treatment of Restructured and Rescheduled Facilities and Facilities Which Cease to be Non-performing

          • RM-2.5.3

            Any facility where principal or profit/interest is 90 days or more overdue must be categorised as 'non-performing'. A facility becomes overdue from the first date that profit/interest or principal is not received.

            July 2014

          • RM-2.5.4

            For purposes of Paragraph RM-2.5.3, if an instalment is missed on 1st March 2010, but payment is made on 1st April 2010 (and the March instalment is still not paid), then the credit facility will become over 90 days overdue by 1st June 2010, even if the April and May instalments are paid on time and in full, and a provision must at least be taken in respect of the overdue amount (but not necessarily the full outstanding amount of the credit facility if other payments were made).

            July 2014

          • RM-2.5.5

            If a non-performing credit facility is formally rescheduled (by way of a written agreement), the rescheduled credit facility may be considered 'performing' again (as 'standard') after a period of one year from the date of rescheduling if all payments have been made on schedule and the concerned provisions and suspended profit/interest may be credited (back) to the profit & loss account.

            July 2014

          • RM-2.5.6

            If a facility ceases to be non-performing (due to full repayment of all arrears on profit/interest and principal) it may be categorised as performing after a period of one year and the concerned provisions and suspended profit/interest may be credited (back) to the profit & loss account.

            July 2014

      • RM-2.6 RM-2.6 Collateral

        • RM-2.6.1

          The extension of credit is sometime supported by collateral provided by the customer or third parties. In the case of a credit facility supported by a guarantee, an assessment of the guarantor must be made by the licensee on at least an annual basis.

          July 2014

      • RM-2.7 RM-2.7 Developing a Sound Credit Culture

        • RM-2.7.1

          Credit culture is defined as the sum total of a licensee's approach to managing credit risk, including business strategy, credit policy, shared assumptions about credit, the effectiveness of communications, and the composition and quality of the resulting loan portfolio.

          July 2014

        • The Role of the Board of Directors

          • RM-2.7.2

            The board must review and reassess the credit policies of the licensee (including collateral, provisioning and concentration policies) on at least an annual basis. The board must also review overdue facilities in terms of performance on a quarterly basis.

            July 2014

        • The Role of Senior Management

          • RM-2.7.3

            Senior management must be involved in the credit review process of existing facilities, including visiting clients, assessing the financial status of the borrower and verifying the appropriateness of collateral.

            July 2014

        • Effective Internal Systems and Controls

          • RM-2.7.4

            Licensees must utilise internal grading systems (as outlined in Paragraph RM-2.4.3) to manage credit risk and to set adequate provisions on a timely basis.

            July 2014

          • RM-2.7.5

            Policies and procedures must include the requirement for a thorough understanding of the customer, the purpose of the credit facility and the source of repayment. This data must be reviewed as part of the risk management framework in any assessment of the customer for risk profiling purposes.

            July 2014

      • RM-2.8 RM-2.8 The CBB's Approach to Microfinance Credit Facilities

        • RM-2.8.1

          Licensees must implement a sound internal controls framework, including an effective credit culture (see Section RM-2.7). Licensees must display and communicate charges and the APR clearly (see Section BC-1.4).

          July 2014

        • RM-2.8.2

          The CBB requires licensees to demonstrate transparency in their dealings with their customers, as regards the costs and terms of their lending.

          July 2014

        • RM-2.8.3

          The measures presented in this Chapter should be viewed as minimum standards, rather than best practice. They are aimed at encouraging prudent lending and full, frank and fair disclosures, rather than dictating comprehensively how licensees should engage in microfinance credit facilities.

          July 2014

      • RM-2.9 RM-2.9 Refunds and Prepayments

        • Refund/Adjustment of Insurance Premium on Loan Prepayments and Top-Ups

          • RM-2.9.1

            Licensees must refund/adjust proportionately the insurance premium charged on individual loans/facilities when the borrower either requests for a top-up or prepayment of the loan/facility as per the prescribed formula below:

            Refund/Adjustment Amount = Remaining Period to Maturity X Premium Paid / Original Maturity
            July 2014

        • Early Repayment Fees/Charges

          • RM-2.9.2

            If early repayment charges are imposed by the licensee, the CBB imposes a ceiling on the early repayment charges on microfinance credit facilities as follows:

            (a) 1% of the outstanding credit facility amount or BD20 whichever is lower;
            (b) The ceilings on the charges have a retroactive effect i.e. covering existing and new credit facilities; and
            (c) Licensees must not charge any remaining interest/profit amount if prepayment is made.
            July 2014

    • RM-3 RM-3 Operational Risk

      • RM-3.1 RM-3.1 General Requirements

        • RM-3.1.1

          Licensees must document their framework for the proactive management of operational risk. This policy must be approved and reviewed at least annually by the board of directors of the licensee.

          July 2014

        • RM-3.1.2

          Operational risk is the risk to the licensee of loss resulting from inadequate or failed internal processes, people and systems, or from external events. In identifying the types of operational risk losses that it may be exposed to, licensees should consider, for instance, the following:

          (a) The nature of a licensee's customers, products and activities, including sources of business, distribution mechanisms, and the complexity and volumes of transactions;
          (b) The design, implementation, and operation of the processes and systems used in the end-to-end operating cycle for a licensee's products and activities;
          (c) The risk culture and human resource management practices at a licensee; and
          (d) The business operating environment, including political, legal, socio-demographic, technological, and economic factors as well as the competitive environment and market structure.
          July 2014

        • RM-3.1.3

          Licensees must assess and evaluate the impact of operational risks on their financial resources and solvency.

          July 2014

        • Business Continuity Planning

          • RM-3.1.4

            A licensee's business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the licensee and its business portfolio.

            July 2014

        • Record Keeping

          • RM-3.1.5

            Licensees must retain an appropriate record of their operational risk management activities.

            July 2014

      • RM-3.2 RM-3.2 Identification, Measurement, Monitoring and Control

        • RM-3.2.1

          As part of an effective operational risk management system, licensees must:

          (a) Identify critical processes, resources and loss events; and
          (b) Develop policies, processes and procedures to control or mitigate operational risk.
          July 2014

      • RM-3.3 RM-3.3 Succession Planning

        • RM-3.3.1

          Succession planning is an essential precautionary measure for a licensee if its leadership stability — and hence ultimately its financial stability — is to be protected. Succession planning is especially critical for smaller institutions, where management teams tend to be smaller and possibly reliant on a few key individuals.

          July 2014

      • RM-3.4 RM-3.4 Business Continuity Requirements

        • Vital Records Management

          • RM-3.4.1

            A business continuity plan must clearly identify information deemed vital for the recovery of critical business and support functions in the event of a significant disruption to business, including an event considered as a disaster, as well as the relevant protection measures to be taken for protecting vital information, whether stored on electronic or non-electronic media.

            July 2014

          • RM-3.4.2

            Copies of vital records must be stored off-site as soon as possible after creation. A back-up of all vital records must be readily accessible for emergency retrieval. Access to back-up vital records should be adequately controlled to ensure that they are reliable for business resumption purposes. For certain critical business operations or services, licensees should consider the need for instantaneous data back up to ensure prompt system and data recovery. There should be clear procedures indicating how and in what priority vital records are to be retrieved or recreated in the event that they are lost, damaged or destroyed.

            July 2014

      • RM-3.5 RM-3.5 Security Measures for Microfinance Institutions

        • RM-3.5.1

          Licensees that maintain cash on their premises must put in place security measures to minimize the risk of theft or fraud.

          July 2014

        • RM-3.5.2

          Licensees are required to install an alarm system for those premises where cash is held.

          July 2014

        • RM-3.5.3

          Where appropriate, licensees may consider the need to maintain a trained security guard on the premises.

          July 2014

        • RM-3.5.4

          All licensees are required to have in place insurance coverage to cover potential losses arising from liability, theft, fire and other potential operational risk.

          July 2014

    • RM-4 RM-4 Outsourcing Requirements

      • RM-4.1 RM-4.1 Outsourcing Arrangements

        • RM-4.1.1

          This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

          Amended: July 2022
          July 2014

        • RM-4.1.2

          In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

          Amended: July 2022
          July 2014

        • RM-4.1.3

          In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

          i. The head office/regional office declares its ultimate responsibility of ensuring that adequate control measures are in place; and
          ii. The head office/regional office is responsible to take adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.
          Added: July 2022

        • RM-4.1.4

          The licensee must not outsource the following functions:

          (i) Compliance;
          (ii) AML/CFT;
          (iii) Financial control;
          (iv) Risk management; and
          (v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).
          Added: July 2022

        • RM-4.1.5

          For the purposes of Paragraph RM-4.1.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph RM-4.1.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.

          Added: July 2022

        • RM-4.1.6

          Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph RM-4.1.4 (iv), subject to CBB’s prior approval

          Added: July 2022

        • RM-4.1.7

          Licensees must comply with the following requirements:

          (i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:
          a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and
          b. be made at least 30 calendar days before the licensee intends to commit to the arrangement.
          (ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.
          (iii) Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.
          (iv) Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of the licensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.
          (v) Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement.
          (vi) Licensee must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.
          (vii) Licensee must inform its normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.
          Added: July 2022

        • RM-4.1.8

          For the purpose of Subparagraph RM-4.1.7 (iv), licensees as part of their assessments may use the following:

          a) Independent third-party certifications on the outsourcing service provider’s security and other controls;
          b) Third-party or internal audit reports of the outsourcing service provider; and
          c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.

          When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.

          Added: July 2022

        • RM-4.1.9

          For the purpose of Subparagraph RM-4.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.

          Added: July 2022

      • RM-4.2 [This Section was deleted in July 2022]

      • RM-4.3 [This Section was deleted in July 2022]

      • RM-4.4 [This Section was deleted in July 2022]

      • RM-4.5 [This Section was deleted in July 2022]

    • RM-5 RM-5 Liquidity Risk

      • RM-5.1 RM-5.1 Liquidity Risk

        • RM-5.1.1

          Licensees must design and implement a liquidity risk policy for the management of liquidity risk of the licensee. The policy must be appropriate to the nature, scale and complexity of the activities of the licensee, and it must be approved and regularly reviewed by the board of directors of the licensee.

          July 2014

        • Risk Measurement and Monitoring

          • RM-5.1.2

            A licensee must establish and maintain a process for the measurement, monitoring and controlling of liquidity risk.

            July 2014

        • Contingency Planning

          • RM-5.1.3

            Licensees must maintain contingency funding plans for taking action to ensure, so far as they can, that they can access sufficient liquid financial resources to meet liabilities as they fall due.

            July 2014