• Part A

    • High Level Standards

      • AU Ancillary Service Providers Authorisation Module

        • AU-A Introduction

          • AU-A.1 Purpose

            • Executive Summary

              • AU-A.1.1

                The executive summary only provides an overview. For detailed rules, reference must be made to the individual Rules outlined in the remainder of this Module.

                April 2016

              • AU-A.1.2

                Module AU sets out the Central Bank of Bahrain's ('CBB's') approach to licensing providers of regulated ancillary services in the Kingdom of Bahrain. It also sets out CBB requirements for approving persons undertaking key functions in those providers.

                April 2016

              • AU-A.1.3

                Licensed providers of regulated ancillary services fall into the following categories: third party administrators, card processing services, operating a credit reference bureau, payment service providers, Shari'a advisory/review services, operating a crowdfunding platform, account information service providers and payment initiation service providers and carrying out services in accordance with the CBB Law. These licensees are referred to as financial sector support institutions under Article (1) of the CBB Law and its amendments.

                Amended: October 2019
                April 2016

              • AU-A.1.4

                Regulated ancillary services are defined in Paragraph AU-1.2.1.

                April 2016

              • AU-A.1.5

                Persons undertaking certain functions in relation to ancillary service provider licensees require prior CBB approval. These functions (called 'controlled functions') include members of the board of directors and members of senior management. The controlled functions regime supplements the licensing regime by ensuring that key persons involved in the running of ancillary service provider licensees are fit and proper. Those authorised by the CBB to undertake controlled functions are called approved persons.

                April 2016

            • Retaining Authorised Status

              • AU-A.1.6

                The requirements set out in Chapters AU-2 and AU-3 represent the minimum conditions that have to be met in each case, both at the point of authorisation and on an on-going basis thereafter, in order for authorised status to be retained.

                April 2016

            • Legal Basis

              • AU-A.1.7

                This Module contains the CBB's Directive incorporating the relevant Regulations and Resolutions (as amended from time to time) applicable to all ancillary service provider licensees (including their approved persons) regarding authorisation under CBB Rulebook Volume 5: Specialised Licensees and is issued under the powers available to the CBB under Articles 37 to 42, 44 to 48 and 180 of the Central Bank of Bahrain and Financial Institutions Law 2006 and its amendments ('CBB Law'). It includes:

                (a) the requirements (as amended from time to time) under Regulation No (1) of 2007 pertaining to the CBB's regulated services issued under Article 39 of the CBB Law and those requirements governing the conditions of granting a license for the provision of regulated services as prescribed under Resolution No (43) of 2011 and issued under the powers available to the CBB under Article 44(c);
                (b) the requirements under Resolution No. (16) for the year 2012 including the prohibition of marketing financial services pursuant to Article 42 of the CBB Law;
                (c) the prior approval requirements for approved persons under Resolution No (23) of 2015; and
                (d) the requirements (as amended from time to time) contained in Resolution No (1) of 2007 with respect to determining fees categories due for licenses and services provided by the CBB.
                Amended: October 2019
                Amended: December 2018
                April 2016

              • AU-A.1.8

                For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                April 2016

              • AU-A.1.9

                Persons wishing to undertake regulated ancillary services are required to be licensed by the CBB as an ancillary service provider licensee.

                April 2016

            • Licensing Conditions

              • AU-A.1.10

                Ancillary service provider licensees are subject to 8 licensing conditions, mostly specified at a high-level in Module AU, and further expanded in underlying subject Modules (such as Module BR). These licensing conditions are broadly equivalent to the standards applied in other Volumes of the CBB Rulebook, to other license categories, and are consistent with international good practice.

                April 2016

            • Information Requirements and Processes

              • AU-A.1.11

                Chapter AU-3 specifies the processes and information requirements that have to be followed for applicants seeking an ancillary service provider license. It also covers the voluntary surrender of a license, or its cancellation by the CBB.

                April 2016

          • AU-A.2 Module History

            • Evolution of Module

              • AU-A.2.1

                This Module was first issued in April 2016. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made. Chapter UG-3 provides further details on Rulebook maintenance and version control.

                April 2016

              • AU-A.2.2

                A list of recent changes made to this Module is provided below:

                | Module Ref. | Change Date | Description of Changes |
                |---|---|---|
                | AU-1.2.10A, AU-1.2.10B and AU-1.2.10C | 04/2017 | Added Paragraphs on issuance of pre-paid cards and PCI-DSS certification for Payment Service Providers. |
                | AU-1.2.11 | 04/2017 | Amended Paragraph on the settlement. |
                | AU-2.3.2 | 04/2017 | Amendment of reference. |
                | AU-4.1.12 | 04/2017 | Specified bank guarantee amounts. |
                | AU-4.1.16 (l) | 04/2017 | Amended bank guarantee amount. |
                | AU-4.5 | 07/2017 | Added new Section on Publication of the Decision to Grant, Cancel or Amend a License |
                | AU-1.2.1(ee) | 10/2017 | Added Crowdfunding Platform Operators under the definition of regulated services. |
                | AU-1.2.10A(b) | 10/2017 | Amended bank guarantee requirement. |
                | AU-1.2.14 – AU-1.2.20 | 10/2017 | Added requirements on crowdfunding platform operators |
                | AU-2.5.6A | 10/2017 | Added Paragraph on minimum core capital for crowdfunding platform operators. |
                | AU-3.1.2 | 10/2017 | Amended Paragraph. |
                | AU-3.2 | 10/2017 | Added a new section for the Approved Persons Requirements. |
                | AU-4.1.12 | 10/2017 | Amended bank guarantee amount for PSP and Card Processing Companies. |
                | AU-4.1.16(l) | 10/2017 | Amended bank guarantee requirement for PSP issuing any multipurpose, electronic or otherwise, prepaid cards. |
                | AU-4.3 | 10/2017 | Deleted Approved Persons requirements from AU-4.3 and added to AU-3.2. |
                | AU-4.6 | 10/2017 | Added new section on Additional Requirements for Licensing Crowdfunding Platform Operators. |
                | AU-4.1.1 | 04/2018 | Amended Paragraph. |
                | AU-4.3.2 | 04/2018 | Amended Paragraph. |
                | AU-1.2.1 | 12/2018 | Added AISP and PISPs. |
                | AU-1.2.10A | 10/2018 | Amended Paragraph. |
                | AU-1.2.11A, AU-1.2.11B | 10/2018 | Added new Paragraphs on enabling PSPs to participate in EFTS |
                | AU-1.2.21 – AU-1.2.25 | 12/2018 | Added new Paragraphs on AISPs and PISPs. |
                | AU-2.5.6B, AU-2.5.6C | 12/2018 | Added new Paragraphs on Account Information Service Provider & Payment Initiation Services Provider. |
                | AU-1.2.8 (a) & (b) | 01/2019 | Amended sub-paragraphs on clients' money account services. |
                | AU-1.2.10 | 01/2019 | Amended guidance on clients' money account. |
                | AU-1.2.10A | 01/2019 | Amended sub-paragraph (a) on maximum balance limit for a natural person. Added new sub-paragraph (bb) on maximum balance limit for a legal person. Amended sub-paragraph (f). |
                | AU-1.2.11 | 01/2019 | Amended Paragraph. |
                | AU-1.2.12 | 01/2019 | Added a new Paragraph on audit of clients' money account. |
                | AU-1.2.14 | 01/2019 | Amended Paragraph to include B2B. |
                | AU-1.2.16 | 01/2019 | Changed guidance to rule and amended deleting B2B. |
                | AU-1.2.24 | 01/2019 | Amended Paragraph. |
                | AU-2.5.6A | 01/2019 | Amended Core Capital amount. |
                | AU-4.1.16(m) | 01/2019 | Amended sub-paragraph. |
                | AU-1.2.11A | 04/2019 | Added a new Paragraph CDMs/kiosks. |
                | AU-1.2.11B | 04/2019 | Added a new Paragraph CDMs/kiosks. |
                | AU-1.2.11C | 04/2019 | Added a new Paragraph CDMs/kiosks. |
                | AU-1.2.11D | 04/2019 | Added a new Paragraph CDMs/kiosks. |
                | AU-1.2.11E | 04/2019 | Added a new Paragraph CDMs/kiosks. |
                | AU-1.2.11F | 04/2019 | Added a new Paragraph CDMs/kiosks. |
                | AU-1.2.11G | 04/2019 | Added a new Paragraph CDMs/kiosks. |
                | AU-1.2.11H | 04/2019 | Added a new Paragraph CDMs/kiosks. |
                | AU-1.2.11I | 04/2019 | Added a new Paragraph CDMs/kiosks. |
                | AU-1.2.11J | 04/2019 | Amended Paragraph number. |
                | AU-1.2.11K | 04/2019 | Amended Paragraph number. |
                | AU-1.2.11L | 04/2019 | Amended Paragraph number. |
                | AU-4.1.1 | 07/2019 | Amended Paragraph to remove references to hardcopy Form 1 submission to online submission. |
                | AU-A.1.3 | 10/2019 | Amended Paragraph on licensed providers categories. |
                | AU-1.2.1 | 10/2019 | Amended Subparagraphs (a), (c), (d) and (ee). |
                | AU-1.2.2 | 10/2019 | Amended Paragraph. |
                | AU-1.2.5 | 10/2019 | Amended Paragraph. |
                | AU-1.2.21 | 10/2019 | Added full term of AISP. |
                | AU-1.2.23 | 10/2019 | Added full term of PISP. |
                | AU-4.1.13 | 10/2019 | Amended Guidance. |
                | AU-4.1.15 | 10/2019 | Amended Guidance. |
                | AU-4.2.4 | 10/2019 | Changed from Rule to Guidance. |
                | AU-4.5.1 | 10/2019 | Changed from Rule to Guidance. |
                | AU-1.2.11L | 07/2020 | Paragraph moved to Module BR. |
                | AU-1.2.1A | 10/2020 | Added a new Paragraph on compliance with AAOIFI Shari’a Standards. |
                | AU-5.2.2 | 10/2020 | Amended Paragraph on fixed annual licence fees. |
                | AU-3.2.13A | 01/2021 | Added a new Paragraph on compliance of approved persons with the fit and proper requirement. |
                | AU-5.2.2A | 01/2021 | Added a new guidance clarifying the applicable fees for licensees. |
                | AU-4.1.4 | 07/2021 | Amended Paragraph on the submission of licensing forms and applications. |
                | AU-4.7.9 | 07/2021 | Added a new Paragraph on additional requirements for PISPs and AISPs. |

            • Superseded Requirements

              • AU-A.2.3

                This Module supersedes the following provisions contained in circulars or other regulatory instruments:

                | Circular / other reference | Subject |
                |---|---|
                | Standard Conditions and Licensing Criteria for Providers of Ancillary Services to the Financial Sector | Scope of license and licensing conditions. |
                | EDBS/KH/C/63/2018 | Enabling PSPs to participate in EFTS. |
                | EDBS/KH/C/74/2018 | Amendments to the Crowdfunding Requirements under the CBB Rulebook Volume 5 (Ancillary Service Providers). |
                | EDBS/KH/C/83/2018 | Amendments in Authorization Module (AU) of Ancillary Service Providers |
                Amended: January 2019
                Amended: October 2018
                April 2016

        • AU-B Scope of Application

          • AU-B.1 Scope of Application

            • AU-B.1.1

              The content of this Module applies to all ancillary service provider licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

              April 2016

            • AU-B.1.2

              Two types of authorisation are prescribed:

              (a) Any person seeking to provide regulated ancillary services within or from the Kingdom of Bahrain must hold the appropriate CBB license (see Section AU-1.1); and
              (b) Natural persons wishing to perform a controlled function in a licensee also require the CBB's prior approval, as an approved person (see Section AU-1.2).
              April 2016

            • AU-B.1.3

              The authorisation requirements in Chapter AU-1 have general applicability, in that they prevent any person from providing (or seeking to provide) regulated ancillary services within or from the Kingdom of Bahrain, unless they have been licensed as an ancillary service provider by the CBB (see Rule AU-1.1.1).

              April 2016

            • AU-B.1.4

              The remaining requirements in Chapters AU-1 to AU-3 (besides those mentioned in Section AU-B.1 above) apply to all those licensed by the CBB as an ancillary service provider licensee, or which are in the process of seeking such a license. They apply to persons incorporated in the Kingdom of Bahrain, unless otherwise specified.

              April 2016

            • AU-B.1.5

              Chapter AU-2 applies to licensees (not just applicants), since licensing conditions have to be met on a continuous basis by licensees. Similarly, Chapter AU-3 applies to approved persons on a continuous basis; it also applies to licensees seeking an approved person authorisation. Chapter AU-4 contains requirements applicable to licensees, with respect to the starting up of their operations, as well as to licensees and approved persons, with respect to the amendment or cancellation of their authorised status. Finally, Section AU-5.2 imposes annual fees on licensees.

              April 2016

        • AU-1 Authorisation Requirements

          • AU-1.1 Ancillary Service Provider Licensees

            • General Prohibitions

              • AU-1.1.1

                No person may:

                (a) Undertake (or hold themselves out to undertake) regulated ancillary services, by way of business within or from the Kingdom of Bahrain unless duly licensed by the CBB;
                (b) Hold themselves out to be licensed by the CBB unless they have as a matter of fact been so licensed; or
                (c) Market any financial services in the Kingdom of Bahrain unless:
                (i) Allowed to do so by the terms of a license issued by the CBB;
                (ii) The activities come within the terms of an exemption granted by the CBB by way of a Directive; or
                (iii) Has obtained the express written permission of the CBB to offer financial services.
                April 2016

              • AU-1.1.2

                In accordance with Resolution No.(16) for the year 2012 and for the purpose of Subparagraph AU-1.1.1(c), the word 'market' refers to any promotion, offering, announcement, advertising, broadcast or any other means of communication made for the purpose of inducing recipients to purchase or otherwise acquire financial services in return for monetary payment or some other form of valuable consideration.

                April 2016

              • AU-1.1.3

                Persons in breach of Subparagraph AU-1.1.1(c) are considered in breach of Resolution No.(16) for the year 2012 and are subject to penalties under Articles 129 and 161 of the CBB Law (see also Section EN-9.3).

                April 2016

            • Licensing

              • AU-1.1.4

                Persons wishing to be licensed to undertake any of the regulated ancillary services within or from the Kingdom of Bahrain must apply in writing to the CBB. An application for a license must be in the form prescribed by the CBB as indicated in Chapter AU-4.

                April 2016

              • AU-1.1.5

                An application for a license must be in the form prescribed by the CBB (Form 1) and must contain:

                (a) A business plan specifying the type of business to be conducted;
                (b) Application forms (Form 2) for all controllers; and
                (c) Application forms (Form 3) for all controlled functions.
                April 2016

              • AU-1.1.6

                The CBB will review the application and duly advise the applicant in writing when it has:

                (a) Granted the application without conditions;
                (b) Granted the application subject to conditions specified by the CBB; or
                (c) Refused the application, stating the grounds on which the application has been refused and the process for appealing against that decision.
                April 2016

              • AU-1.1.7

                Detailed rules and guidance regarding information requirements and processes for license applications can be found in Section AU-4.1. As specified in Paragraph AU-4.1.14, the CBB will provide a formal decision on license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB.

                April 2016

              • AU-1.1.8

                In granting new licenses, the CBB will specify the specific categories of regulated ancillary service for which a license has been granted.

                April 2016

              • AU-1.1.9

                All applicants for ancillary service provider license must satisfy the CBB that they meet, by the date of their license, the minimum conditions for licensing, as specified in Chapter AU-2. Once licensed, licensees must be in compliance with these criteria on an on-going basis.

                April 2016

          • AU-1.2 Definition of Regulated Ancillary Services

            • AU-1.2.1

              Regulated ancillary services are any of the following activities, carried on by way of business:

              (a) Permitted services undertaken by third party administrators (TPA);
              (b) Card processing;
              (c) Services undertaken by Credit reference bureau;
              (d) Permitted payment services provided by payment service provider (PSP);
              (e) Shari'a advisory/review services;
              (ee) Permitted activities of a crowdfunding platform operator;
              (f) Providing account information services;
              (g) Providing payment initiation services; and
              (h) Any other ancillary services that are related to the financial services industry.
              Amended: October 2019
              Amended: December 2018
              Amended: October 2017
              April 2016

            • AU-1.2.2

              For the purposes of Paragraph AU-1.2.1, carrying on a regulated ancillary service by way of business means:

              (a) Undertaking any of the regulated ancillary service activities as defined in Section AU-1.2, for commercial gain; or
              (b) Holding oneself out as willing and able to engage in such activities.
              Amended: October 2019
              April 2016

              • AU-1.2.1A

                Where licensees are undertaking regulated activities in accordance with Shari'a, all transactions and contracts concluded by licensees must comply with Shari'a standards issued by the Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI). The validity of the contract or transaction is not impacted if, at a later date, the relevant AAOIFI Shari'a standards are amended.

                Added: October 2020

              • AU-1.2.3

                While Paragraph AU-1.2.1 covers different activities under regulated ancillary services, only the license itself will specify the list of activities the licensee has been authorised to carry out. For existing ancillary service providers at April 2016, no new license will be issued.

                April 2016

              • Third Party Administrators (TPAs)

                • AU-1.2.4

                  TPA refers to processing claims in connection with insurance coverage offered by insurance firms.

                  April 2016

                • AU-1.2.5

                  Notwithstanding Paragraph AU-1.2.4, TPAs are also allowed to offer their services to self-funded schemes outside Bahrain.

                  Amended: October 2019
                  April 2016

                • AU-1.2.5A

                  When TPAs process claims for insurance firms, the CBB regards this activity as an outsourced activity and insurance firms should refer to Chapter RM-7 Outsourcing Risk under Volume 3 (Insurance) of the CBB Rulebook.

                  April 2016

              • Card Processing

                • AU-1.2.5

                  Card processing includes:

                  (a) The act of processing or transmitting debit/credit/prepaid card holder and transaction related data;
                  (b) Integrating customer delivery channels to enterprises to enable data transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet);
                  (c) Hosting and managing card program;
                  (d) Approving and authenticating payment transactions as per financial institutions rules;
                  (e) Providing technical service support for E-commerce and M-commerce transactions;
                  (f) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks;
                  (g) Reporting and customising reporting engine;
                  (h) Call centre outsourcing services; and
                  (i) Online and mobile portals for bank customers.
                  April 2016

              • Credit Reference Bureau

                • AU-1.2.6

                  A credit reference bureau is a company licensed by the CBB as an ancillary services provider that receives, stores, analyses and classifies the credit information of customers and issues credit reports and provides the members of the credit reference bureau with such reports upon their request.

                  April 2016

                • AU-1.2.7

                  For purposes of Paragraph AU-1.2.6, 'customers' refers to customers of the members of the credit reference bureau as defined under Article (68 bis) b) 3) of the CBB Law.

                  April 2016

              • Payment Service Provider ("PSP")

                • AU-1.2.8

                  Payment service providers may act as an intermediary for the following services:

                  (a) Services enabling cash to be placed in clients' money account and all of the operations required for operating the account;
                  (b) Services enabling cash withdrawals from clients' money account and all of the operations required for operating the account;
                  (c) The settlement of the direct debits of payment transactions;
                  (d) Integrating customer delivery channels to enterprises to enable transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet); and
                  (e) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks.
                  Amended: January 2019
                  Amended: April 2017
                  April 2016

                • AU-1.2.9

                  Payment service providers also facilitate the payment of high volume periodic/repetitive bills (e.g. utility bills, phone bills etc), and customer initiated payments.

                  April 2016

                • AU-1.2.10

                  For purposes of Paragraph AU-1.2.8, clients' money account is defined as an account held in a retail bank which is used for the execution of payment transactions. The CBB has the right to stop this clients' money account at any time.

                  Amended: January 2019
                  April 2016

                • AU-1.2.10A

                  When issuing any multi-purpose, electronic or otherwise, pre-paid cards, payment service providers must comply with the following requirements:

                  (a) The maximum balance limit under each natural person must not exceed BD1,000 and the maximum single transaction value limit must not exceed BD500;
                  (bb) The maximum balance limit for each legal person must not exceed BD10,000 (Loading and transaction size).
                  (b) The payment service provider must obtain a bank guarantee of BD100,000 from a retail bank licensed in the Kingdom of Bahrain, instead of the bank guarantee amount required under Paragraph AU-4.1.12.
                  (c) Comply with all the requirements outlined under Module FC (Financial Crime) and Module CL (Client Money);
                  (d) All pre-paid plastic cards must be EMV compliant (chip and PIN and online authentication);
                  (e) Any pre-paid card which is inactive for a period of six months must be placed in a dormant list;
                  (f) All transactions on pre-paid cards must be made through clients' money account with a retail bank in Bahrain.
                  Amended: January 2019
                  Amended: October 2018
                  Amended: October 2017
                  Added: April 2017

                • AU-1.2.10B

                  In addition to the requirements listed under Paragraph AU-1.2.10A, payment service providers must maintain up-to-date Payment Card Industry Data Security Standards (PCI-DSS) certification. The initial certification must be obtained by 31st December 2017.

                  Added: April 2017

                • AU-1.2.10C

                  In order to maintain up to date PCI-DSS certification, payment service providers will be periodically audited by PCI authorised companies for compliance. Licensees are asked to make certified copies of such documents available if requested by the CBB.

                  Added: April 2017

                • AU-1.2.11

                  When a customer loads cash into the card through a kiosk or company/bank counter, the payment service provider must update the amount into the card immediately, and must deposit the relevant cash amount into the clients' money account within 24 hours.

                  Amended: January 2019
                  Amended: April 2017
                  April 2016

                • AU-1.2.11A

                  When owning or operating Cash Dispensing Machines (CDM) or Kiosks, payment service providers must comply with the requirements stated in Paragraphs AU-1.2.11B to Paragraph AU-1.2.11I.

                  Added: April 2019

                • AU-1.2.11B

                  Payment service providers must obtain CBB's prior written approval for owning or operating any Cash Dispensing Machine (CDM) or Kiosk.

                  Added: April 2019

                • AU-1.2.11C

                  Payment service providers must submit a written application to the Supervisory Point of Contact (SPoC) at the CBB, detailing the type of CDM or Kiosk, the proposed location(s) and the proposed security measures.

                  Added: April 2019

                • AU-1.2.11D

                  The application referred to in Paragraph AU-1.2.11C will be assessed on its individual merits, and at the CBB's sole discretion, taking into account factors which the CBB considers relevant including, but not limited to:

                  (a) The suitability of the location(s) in question;
                  (b) The level of overall activities of the applicant in the market as well as the size and make-up of its customer base; and
                  (c) The type and range of facilities which the applicant proposes to offer through the CDM or Kiosk at the proposed location(s).
                  Added: April 2019

                • AU-1.2.11E

                  In addition to the information required by the CBB, further information/clarification may be requested by the CBB before it takes a decision regarding the application. The CBB's decision in this regard will be communicated to the applicant payment service provider in writing.

                  Added: April 2019

                • AU-1.2.11F

                  CDMs or Kiosks may be owned individually or jointly by ancillary service providers.

                  Added: April 2019

                • AU-1.2.11G

                  Payment service providers must not charge their customers for cash withdrawal transactions. When a customer uses CDMs, Kiosks or ATMs belonging to other banks or PSPs, the acquiring PSP/ bank may apply a charge capped at 100 fils per transaction to the issuing PSP.

                  Added: April 2019

                • AU-1.2.11H

                  Payment service providers must obtain the CBB's prior written approval for the termination/suspension of any of its CDMs or Kiosks.

                  Added: April 2019

                • AU-1.2.11I

                  The CBB may, at its sole discretion, require a payment service provider to terminate/suspend a CDM or Kiosk at any time.

                  Added: April 2019

                • AU-1.2.11J

                  Payment service providers must ensure they have a robust internal technological infrastructure and direct technical access to the EFTS, on an uninterrupted basis (24 X 7 days and 365 days in the year), to send, authorise and receive Fawri+/Fawateer direct credits on a real-time basis.

                  Amended: April 2019
                  Added: October 2018

                • AU-1.2.11K

                  Payment service providers must maintain a daily value limit of BD1,000 for the total Fawri+ and Fawateer transactions (with assured immediate finality, i.e. within 30 seconds) for each STV card/IBAN account per day.

                  Amended: April 2019
                  Added: October 2018

                • AU-1.2.11L

                  [This Paragraph was moved to BR-1.1.6 in July 2020].

                  Amended: July 2020
                  Amended: April 2019
                  Added: January 2019

              • Shari'a Advisory/Review Services

                • AU-1.2.12

                  Shari'a advisory/review services refer to:

                  (a) Regular assessment on Shari'a compliance in the activities and operations of Islamic financial institutions or any financial institution offering regulated Islamic financial services, by those qualified to offer Shari'a review services, with the objective of ensuring that the activities and operations carried out by these financial institutions do not contravene the Shari'a principles. The services include the examination and evaluation of the financial institutions' level of compliance to the Shari'a, remedial rectification measures to resolve non-compliance and control mechanism to avoid recurrences. The examination includes contracts, agreements, policies, products, transactions, memorandum and articles of association, financial statements and reports;
                  (b) Issuance of Shari'a pronouncements on any aspect of the Islamic financial institution's activities or operations; and
                  (c) Ad-hoc Shari'a advisory services for products and services governed by financial services.
                  April 2016

                • AU-1.2.13

                  In offering Shari'a advisory/review services, the licensee must not offer services to the same client where this may lead to a conflict of interest in terms of services offered. As an example, if the licensee has offered services under Subparagraph AU-1.2.12(b), no service can be offered under Subparagraph AU-1.2.12(a) in relation to the pronouncement.

                  April 2016

              • Crowdfunding Platform Operator

                • AU-1.2.14

                  Crowdfunding platform operator refers to a person licensed by the CBB to operate an e-platform which takes place on an online portal, on which people lend money to businesses (Person to Business – P2B), and businesses lend money to other businesses (Business to Business – B2B) for the purpose of gaining a financial return in the form of interest/profit payment and a repayment of credit over a pre-specified period of time (financing-based crowdfunding), and/or raising of capital by issuance of ordinary shares by closed, private, family companies, start-up and small and medium size companies, entities engaged in real estate projects (equity-based crowdfunding).

                  Amended: January 2019
                  Added: October 2017

                • AU-1.2.15

                  The role of crowdfunding platform operator is restricted to arranging deals, bringing together borrowers and lenders, in case of financing-based crowdfunding, and investors and issuers, in case of equity-based crowdfunding. Crowdfunding platform operators are strictly prohibited from providing any advice on deals.

                  Added: October 2017

                • AU-1.2.16

                  Crowdfunding platform operators must not undertake Business to Person (B2P) or Person to Person (P2P) lending/investing.

                  Amended: January 2019
                  Added: October 2017

                • AU-1.2.17

                  Crowdfunding platform operators may raise funds for borrowers/issuers based in the Kingdom of Bahrain or abroad.

                  Added: October 2017

                • AU-1.2.18

                  For Shari'a-compliant financing-based crowdfunding, the term lender refers to the financier and the term borrower refers to the fundraiser.

                  Added: October 2017

                • AU-1.2.19

                  For the purpose of financing-based crowdfunding, licensees must also comply with the requirements stipulated in General Requirements Module (Module GR) for Ancillary Service Providers-Volume 5.

                  Added: October 2017

                • AU-1.2.20

                  For the purpose of equity-based crowdfunding, licensees must also comply with the requirements stipulated in Markets and Exchanges Module (Module MAE) of Volume 6.

                  Added: October 2017

              • Account Information Service Provider (AISP)

                • AU-1.2.21

                  Account Information Services Provider (AISP) refers to a person licensed by the CBB to provide account information services using an online portal, mobile or smart phone application, device or other electronic media which a consenting customer can use to obtain aggregate or consolidated information about his account balances with licensed banks, financing companies and other licensees.

                  Amended: October 2019
                  Added: December 2018

                • AU-1.2.22

                  The role of an AISP is restricted to providing the technology or other means in order to provide account information to the customer and the handling of communication or electronic documents between the customer and the licensees should the terms of the offer include such services. AISPs must not receive or otherwise handle customer funds in the course of providing account information services.

                  Added: December 2018

              • Payment Initiation Service Provider (PISP)

                • AU-1.2.23

                  Payment Initiation Service Provider (PISP) refers to a person licensed by the CBB to initiate payment or credit transfers for the customer from an account held with a licensed bank, financing company or PSP.

                  Amended: October 2019
                  Amended: January 2019
                  Added: December 2018

                • AU-1.2.24

                  The role of a PISP is restricted to providing the technology or other means in order to initiate a payment order and the handling of communication or electronic documents between the customer and the licensees should the terms of the offer include such services. PISPs must not receive or otherwise handle customer funds in the course of providing payment initiation information services.

                  Added: December 2018

              • Insurance Cover

                • AU-1.2.25

                  AISPs and PISPs must, at all times, hold an insurance cover against liabilities arising from cyber security breaches.

                  Added: December 2018

          • AU-1.3 Approved Persons

            • General Requirements

              • AU-1.3.1

                Licensees must obtain the CBB's prior written approval for any person wishing to undertake a controlled function at a licensee. The approval from the CBB must be obtained prior to their appointment.

                April 2016

              • AU-1.3.2

                Controlled functions are those occupied by board members and persons in executive positions and include:

                (a) Member of the Board of Directors;
                (b) Chief executive or general manager and their deputies;
                (c) Head of function;
                (d) Compliance officer; and
                (e) Money Laundering Reporting Officer (for PSPs).
                April 2016

              • AU-1.3.3

                Combination of the above controlled functions is subject to the requirements contained in Module HC.

                April 2016

            • Basis for Approval

              • AU-1.3.4

                Approval under Paragraph AU-1.3.1 is only granted by the CBB, if it is satisfied that the person is fit and proper to hold the particular position in the licensee concerned. 'Fit and proper' is determined by the CBB on a case-by-case basis. The definition of 'fit and proper' and associated guidance is provided in Section AU-3.1.

                April 2016

              • AU-1.3.5

                The chief executive or general manager means a person who is responsible for the conduct of the licensee (regardless of actual title). The chief executive or general manager must be resident in Bahrain. This person is responsible for the conduct of the whole of the firm.

                April 2016

              • AU-1.3.6

                Head of function means a person who exercises major managerial responsibilities, is responsible for a significant business or operating unit, or has senior managerial responsibility for maintaining accounts or other records of the licensee.

                April 2016

              • AU-1.3.7

                Whether a person is a head of function will depend on the facts in each case and is not determined by the presence or absence of the word in their job title. Examples of head of function might include, depending on the scale, nature and complexity of the business, a deputy chief executive; heads of departments such as risk management, compliance or internal audit; the chief financial officer; head of business department, etc.

                April 2016

              • AU-1.3.8

                Where a licensee is in doubt as to whether a function should be considered a controlled function it must discuss the case with the CBB.

                April 2016

              • AU-1.3.9

                All licensees must designate an employee, of appropriate standing and resident in Bahrain, as compliance officer. The compliance officer must report to senior management and must have access to the board of directors. The duties of the compliance officer include:

                (a) Assisting senior management/head of function to identify and assess the main compliance risks facing the licensees and the plans to manage them;
                (b) Advising senior management/head of function on compliance with laws, rules and standards, including keeping them informed on developments in the area;
                (c) Assisting senior management/head of function in educating staff on compliance issues, and acting as a contact point within the licensee for compliance queries from staff members;
                (d) Establishing written guidance to staff on the appropriate implementation of compliance with laws, rules and standards through policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines;
                (e) On a pro-active basis, identifying, documenting and assessing the compliance risks associated with the licensee's business activities, including the development of new products and business practices, the proposed establishment of new types of business or customer relationships, or material changes in the nature of such relationships;
                (f) Monitoring and testing compliance by performing sufficient and representative compliance testing; and
                (g) Reporting on a regular basis to the board of directors or the Audit committee of the board of directors.
                April 2016

        • AU-2 Licensing Conditions

          • AU-2.1 Condition 1: Legal Status

            • AU-2.1.1

              The legal status of a licensee that is an ancillary service provider licensee must be a legal form approved by the CBB.

              April 2016

          • AU-2.2 Condition 2: Mind and Management

            • AU-2.2.1

              Licensees must maintain their head office and management in the Kingdom.

              April 2016

          • AU-2.3 Condition 3: Controllers

            • AU-2.3.1

              Licensees must satisfy the CBB that their controllers are suitable and pose no undue risks to the licensee. Licensees must also satisfy the CBB that their group structures do not prevent the effective supervision of the licensee by the CBB and otherwise pose no undue risks to the licensee.

              April 2016

            • AU-2.3.2

              Chapter GR-7 contains the CBB's requirements and definitions regarding controllers.

              Amended: April 2017
              April 2016

            • AU-2.3.3

              In summary, controllers are persons who directly or indirectly are significant shareholders in a licensee, or who are otherwise able to exert significant influence on the licensee. The CBB seeks to ensure that controllers pose no significant risks to the licensee. In general terms, controllers are assessed in terms of their financial standing, their judicial and regulatory record, and standards of business and (where relevant) personal probity.

              April 2016

            • AU-2.3.4

              As regards group structures, the CBB seeks to ensure that these do not prevent adequate consolidated supervision being applied to financial entities within the group, and that other group entities do not pose any material financial, reputational or other risks to the licensee.

              April 2016

            • AU-2.3.5

              In all cases, when judging applications from existing groups, the CBB will have regard to the reputation and financial standing of the group as a whole. Where relevant, the CBB will also take into account the extent and quality of supervision applied to overseas members of the group and take into account any information provided by other supervisors in relation to any member of the group.

              April 2016

          • AU-2.4 Condition 4: Board and Employees

            • AU-2.4.1

              Those nominated to carry out controlled functions must satisfy the CBB's approved persons requirements. This rule is supported by Article 65 of the CBB Law.

              April 2016

            • AU-2.4.2

              The definition of controlled functions is contained in Paragraph AU-1.3.2, whilst Chapter AU-3 sets out CBB's approved persons requirements.

              April 2016

            • AU-2.4.3

              The licensee's staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of the licensee in a sound and prudent manner. Licensees must ensure their employees meet any training and competency requirements specified by the CBB.

              April 2016

          • AU-2.5 Condition 5: Financial Resources

            • Capital Funds

              • AU-2.5.1

                Licensees must maintain a level of financial resources, as agreed with the CBB, adequate for the level of business proposed. A greater amount of capital than specified in this Section may be required by the CBB on a case-by-case basis.

                April 2016

              • AU-2.5.2

                Where a licensee undertakes more than one activity outlined under Paragraph AU-1.2.1, the licensee must maintain the highest level of core capital required amongst all categories of activities which it provides.

                April 2016

            • Third Party Administrators

              • AU-2.5.3

                For third party administrators, licensees must maintain a minimum core capital of BD 100,000.

                April 2016

            • Card Processing and Payment Service Providers

              • AU-2.5.4

                For card processing and payment service providers, licensees must maintain a minimum core capital of BD 250,000.

                April 2016

            • Credit Reference Bureau

              • AU-2.5.5

                Licensees must maintain a minimum core capital of BD 2 million.

                April 2016

            • Shari'a Advisory/Review Services

              • AU-2.5.6

                Licensees must maintain a minimum core capital of BD 30,000.

                April 2016

            • Crowdfunding Platform Operator

              • AU-2.5.6A

                Licensees must maintain a minimum core capital of BD 25,000.

                Amended: January 2019
                Added: October 2017

            • Account Information Services Provider

              • AU-2.5.6B

                Licensees must maintain a minimum core capital of BD 25,000.

                Added: January 2019

            • Payment Initiation Services Provider

              • AU-2.5.6C

                Licensees must maintain a minimum core capital of BD 30,000.

                Added: January 2019

            • Liquidity

              • AU-2.5.7

                Licensees must maintain sufficient liquid assets to meet their obligations as they fall due in the normal course of their business.

                April 2016

          • AU-2.6 Condition 6: Systems and Controls

            • AU-2.6.1

              Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate for the scale and complexity of their activities. These systems and controls must meet the minimum requirements contained in Modules HC and RM (to be issued at a later date).

              April 2016

            • AU-2.6.2

              Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate to address the risks of financial crime occurring in the licensee.

              April 2016

          • AU-2.7 Condition 7: External Auditor

            • AU-2.7.1

              Article 61 of the CBB Law requires that licensees appoint an external auditor, subject to the CBB's prior approval. The minimum requirements regarding auditors contained in Module AA (Auditors and Accounting Standards) must be met.

              April 2016

          • AU-2.8 Condition 8: Other Requirements

            • Books and Records

              • AU-2.8.1

                Article 59 of the CBB Law requires that licensees must maintain comprehensive books of accounts and other records, and satisfy the minimum record-keeping requirements contained in Article 60 of the pre-mentioned Law and Module GR. Books of accounts must comply with the financial accounting standards issued by the International Financial Reporting Standards (IFRS)/International Accounting Standards (IAS) or the applicable AAOIFI standards for Islamic licensees.

                April 2016

            • Provision of Information

              • AU-2.8.2

                Articles 58, 111, 114 and 163 of the CBB Law require that licensees and their staff must act in an open and cooperative manner with the CBB. Licensees must meet the regulatory reporting and disclosure requirements contained in Module BR. As per Article 62 of the CBB Law, audited financial statements must be submitted to the CBB within 3 months of the licensee's financial year-end.

                April 2016

            • General Conduct

              • AU-2.8.3

                Licensees must conduct their activities in a professional and orderly manner, in keeping with good market practice. Licensees must comply with the general standards of business conduct contained in Modules PB and GR.

                April 2016

            • Additional Conditions

              • AU-2.8.4

                Licensees must comply with any other specific requirements or restrictions imposed by the CBB on the scope of their license.

                April 2016

              • AU-2.8.5

                Licensees are subject to the provisions of the CBB Law. These include the right of the CBB to impose such terms and conditions, as it may deem necessary when issuing a license, as specified in Article 45 of the CBB Law. Thus, when granting a license, the CBB specifies the regulated ancillary services that the licensee may undertake. Licensees must respect the scope of their license.

                April 2016

              • AU-2.8.6

                In addition, the CBB may impose additional restrictions or requirements, beyond those already specified in Volume 5, to address specific risks. For instance, a license may be granted subject to strict limitations on intra-group transactions.

                April 2016

        • AU-3 Approved Persons

          • AU-3.1 Approved Persons Conditions

            • AU-3.1.1

              Licensees seeking an approved person authorisation for an individual, must satisfy the CBB that the individual concerned is 'fit and proper' to undertake the controlled function in question.

              April 2016

            • AU-3.1.2

              The authorisation requirements for persons nominated to carry out controlled functions are contained in Section AU-1.3. The authorisation process is described in Section AU-3.2.

              Amended: October 2017
              April 2016

            • AU-3.1.3

              Each applicant applying for approved person status and those individuals occupying approved person positions must comply with the following conditions:

              (a) Has not previously been convicted of any felony or crime that relates to his/her honesty and/or integrity unless he/she has subsequently been restored to good standing;
              (b) Has not been the subject of any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud;
              (c) Has not been adjudged bankrupt by a court unless a period of 10 years has passed, during which the person has been able to meet all his/her obligations and has achieved economic accomplishments;
              (d) Has not been disqualified by a court, regulator or other competent body, as a director or as a manager of a corporation;
              (e) Has not failed to satisfy a judgement debt under a court order resulting from a business relationship;
              (f) Must have personal integrity, good conduct and reputation;
              (g) Has appropriate professional and other qualifications for the controlled function in question; and
              (h) Has sufficient experience to perform the duties of the controlled function.
              April 2016

            • AU-3.1.4

              In assessing the conditions prescribed in Rule AU-3.1.3, the CBB will take into account the criteria contained in Paragraph AU-3.1.5. The CBB reviews each application on a case-by-case basis, taking into account all relevant circumstances. A person may be considered 'fit and proper' to undertake one type of controlled function but not another, depending on the function's job size and required levels of experience and expertise. Similarly, a person approved to undertake a controlled function in one licensee may not be considered to have sufficient expertise and experience to undertake nominally the same controlled function but in a much bigger licensee.

              April 2016

            • AU-3.1.5

              In assessing a person's fitness and propriety, the CBB will also consider previous professional and personal conduct (in Bahrain or elsewhere) including, but not limited to, the following:

              (a) The propriety of a person's conduct, whether or not such conduct resulted in a criminal offence being committed, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
              (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
              (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
              (d) Whether the person, or any body corporate, partnership or unincorporated institution with which the applicant is, or has been, associated as a director, controller, manager or company secretary, has been the subject of any disciplinary proceeding, investigation or fines by any government authority, regulatory agency or professional body or association;
              (e) The contravention of any financial services legislation;
              (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
              (g) Dismissal or a request to resign from any office or employment;
              (h) Whether the person has been a member of a board of directors, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners have been declared bankrupt whilst the person was connected with that partnership;
              (i) The extent to which the person has been truthful and open with supervisors; and
              (j) Whether the person has ever entered into any arrangement with creditors in relation to the inability to pay due debts.
              April 2016

            • AU-3.1.6

              With respect to Paragraph AU-3.1.5, the CBB will take into account the length of time since any such event occurred, as well as the seriousness of the matter in question.

              April 2016

            • AU-3.1.7

              Approved persons undertaking a controlled function must act prudently, and with honesty, integrity, care, skill and due diligence in the performance of their duties. They must avoid conflicts of interest arising whilst undertaking a controlled function.

              April 2016

            • AU-3.1.8

              In determining where there may be a conflict of interest arising, factors that may be considered will include whether:

              (a) A person has breached any fiduciary obligations to the company or terms of employment;
              (b) A person has undertaken actions that would be difficult to defend, when looked at objectively, as being in the interest of the licensee; and
              (c) A person has failed to declare a personal interest that has a material impact in terms of the person's relationship with the licensee.
              April 2016

            • AU-3.1.9

              Further guidance on the process for assessing a person's 'fit and proper' status is given in Module EN (Enforcement): see Chapter EN-8.

              April 2016

          • AU-3.2 Approved Persons Requirements

            • AU-3.2.1

              Licensees must obtain CBB prior written approval before a person is formally appointed to a controlled function. The request for CBB approval must be made by submitting to the CBB a duly completed Form 3 (Application for Approved Person status) and Curriculum Vitae after verifying that all the information contained in the Form 3, including previous experience, is accurate. Form 3 is available under Volume 5 Part B Authorisation Forms of the CBB Rulebook.

              Added: October 2017

            • AU-3.2.2

              When the request for approved person status forms part of a license application, the Form 3 must be marked for the attention of the Director, Licensing Directorate. When the submission to undertake a controlled function is in relation to an existing licensee, the Form 3, except if dealing with a MLRO, must be marked for the attention of the concerned supervisory point of contact at the CBB. In the case of the MLRO, Form 3 should be marked for the attention of the Director, Compliance Directorate.

              Amended: April 2018
              Added: October 2017

            • AU-3.2.3

              When submitting Form 3, licensees must ensure that the Form 3 is:

              (a) Submitted to the CBB with a covering letter signed by an authorised representative of the licensee, seeking approval for the proposed controlled function;
              (b) Submitted in original form;
              (c) Submitted with a certified copy of the applicant's passport, original or certified copies of educational and professional qualification certificates (and translation if not in Arabic or English) and the Curriculum Vitae; and
              (d) Signed by an authorised representative of the licensee and all pages stamped with the licensee's seal.
              Added: October 2017

            • AU-3.2.4

              Licensees seeking to appoint members of the board of directors must seek CBB approval for all the candidates to be put forward for election/approval at a shareholders' meeting, in advance of the agenda being issued to shareholders. CBB approval of the candidates does not in any way limit shareholders' rights to refuse those put forward for election/approval.

              Added: October 2017

            • AU-3.2.5

              For existing licensees applying for the appointment of any controlled functions, the authorised representative should be a duly authorised representative of the licensee and must submit with Form 3: Application for Approved Person Status, internal documentary evidence supporting the appointment of the duly authorised representative of the licensee.

              Added: October 2017

            • Assessment of Application

              • AU-3.2.6

                The CBB shall review and assess the application for approved person status to ensure that it satisfies all the conditions required in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5.

                Added: October 2017

              • AU-3.2.7

                For purposes of Paragraph AU-3.2.6, licensees should give the CBB a reasonable amount of notice in order for an application to be reviewed. The CBB shall respond within 15 business days from the date of meeting all regulatory requirements, including but not limited to receiving the application complete with all the required information and documents, as well as verifying references.

                Added: October 2017

              • AU-3.2.8

                The CBB reserves the right to refuse an application for approved person status if it does not satisfy the conditions provided for in Paragraph AU-3.1.3 and does not satisfy the CBB criteria in Paragraph AU-3.1.5. A notice of such refusal is issued by registered mail to the licensee concerned, setting out the basis for the decision.

                Added: October 2017

            • Appeal Process

              • AU-3.2.9

                Licensees or the nominated approved persons may, within 30 calendar days of the notification, appeal against the CBB's decision to refuse the application for approved person status. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from submitting the appeal.

                Added: October 2017

              • AU-3.2.10

                Where notification of the CBB's decision to grant a person approved person status is not issued within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, licensees or the nominated approved persons may appeal to the concerned Executive Director of the CBB provided that the appeal is justified with supporting documents. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from the date of submitting the appeal.

                Added: October 2017

            • Notification Requirements and Process

              • AU-3.2.11

                Licensees must immediately notify the CBB when an approved person ceases to hold a controlled function together with an explanation as to the reasons why (see Paragraph AU-4.4.9). In such cases, their approved person status is automatically withdrawn by the CBB.

                Added: October 2017

              • AU-3.2.12

                Licensees must immediately notify the CBB in case of any material change to the information provided in a Form 3 submitted for an approved person.

                Added: October 2017

              • AU-3.2.13

                Licensees must immediately notify the CBB when they become aware of any of the events listed in Paragraph EN-8.2.3, affecting one of their approved persons.

                Added: October 2017

              • AU-3.2.13A

                Licensees must immediately notify the CBB should they become aware of information that could reasonably be viewed as calling into question an approved person’s compliance with CBB’s ‘fit and proper’ requirement (see AU-3.1).

                Added: January 2021

            • Change in Controlled Function

              • AU-3.2.14

                Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee.

                Added: October 2017

              • AU-3.2.15

                In such instances, a new Form 3 (Application for Approved Person status) should be completed and submitted to the CBB. Note that a person may be considered 'fit and proper' for one controlled function, but not for another, if for instance the new role requires a different set of skills and experience. Where an approved person is moving to a controlled function in another licensee, the first licensee should notify the CBB of that person's departure (see Rule AU-4.4.9), and the new licensee should submit a request for approval under Rule AU-1.3.1.

                Added: October 2017

        • AU-4 Information Requirements and Processes

          • AU-4.1 Licensing

            • Applications Form and Documents

              • AU-4.1.1

                Applicants for a license must fill in the Application Form 1 (Application for a License) online, available on the CBB website under Eservices/online Forms. The applicant must upload scanned copies of supporting documents listed in Paragraph AU-4.1.4, unless otherwise directed by the CBB.

                Amended: July 2019
                Amended: April 2018
                April 2016

              • AU-4.1.2

                Articles 44 to 47 of the CBB Law govern the licensing process. This prescribes a single stage process, with the CBB required to take a decision within 60 calendar days of an application being deemed complete (i.e. containing all required information and documents). See below, for further details on the licensing process and timelines.

                April 2016

              • AU-4.1.3

                References to applicant mean the proposed licensee seeking authorisation. An applicant may appoint a representative — such as a law firm or professional consultancy — to prepare and submit the application. However, the applicant retains full responsibility for the accuracy and completeness of the application, and is required to certify the application form accordingly. The CBB also expects to be able to liaise directly with the applicant during the authorisation process, when seeking clarification of any issues.

                April 2016

              • AU-4.1.4

                Unless otherwise directed by the CBB, the following documents must be provided together with the covering letter referred to in Paragraph AU-4.1.1 above in support of a license application:

                (a) A duly completed Form 2 (Application for Authorisation of Controller) for each controller of the proposed licensee;
                (b) A duly completed Form 3 (Application for Approved Person status), for each individual applying to undertake controlled functions of the proposed licensee;
                (c) A comprehensive business plan for the application, addressing the matters described in AU-4.1.6;
                (d) Where the applicant is an existing institution, a copy of the applicant's commercial registration;
                (e) Where the applicant is a corporate body, a certified copy of a Board resolution of the applicant along with minutes of the concerned meeting, confirming the board's decision to seek a CBB ancillary service provider license;
                (f) In the case of applicants that are part of a regulated group, a letter of non-objection to the proposed license application from the applicant's home supervisor, together with confirmation that the group is in good regulatory standing and is in compliance with applicable supervisory requirements, including those relating to capital adequacy and solvency requirements;
                (g) Copies of the audited financial statements of the applicant's major shareholder and/or group (as directed by the CBB), for the three years immediately prior to the date of application;
                (h) A draft copy of the applicant's (and parent's where applicable) memorandum and articles of association, addressing the matters described in AU-4.1.7;
                (i) Evidence of competency and qualifications for Shari'a advisor; and
                (j) Information and documents required under Section AU-4.7 for PSP, AISP and PISP applicants.
                Amended: July 2021
                Added: April 2016

              • AU-4.1.5

                The CBB may require that an acceptably worded letter of guarantee be provided in support of the application for a license. Where the application for the license is for an incorporated entity, the CBB may seek a letter of guarantee from controllers. Where the application is for an overseas licensee, the CBB may seek a letter of guarantee from the parent company.

                April 2016

              • AU-4.1.6

                The business plan submitted in support of an application should include:

                (a) An outline of the history of the applicant and its shareholders;
                (b) The reasons for applying for a license, including the applicant's strategy and market objectives;
                (c) The proposed type of activities to be carried on by the applicant in/from the Kingdom of Bahrain;
                (d) The proposed Board and senior management of the applicant and the proposed organisational structure of the applicant;
                (e) An independent assessment of the risks that may be faced by the applicant, together with the proposed systems and controls framework to be put in place for addressing those risks and to be used for the main business functions. For card processing and payment services providers, IT security measures must be outlined in the plan;
                (f) An opening balance sheet for the applicant, together with a three-year financial projection, with all assumptions clearly outlined, demonstrating that the applicant will be able to meet applicable leverage and liquidity requirements; and
                (g) For TPAs, details setting forth the applicant's capability for providing a sufficient number of experienced and qualified personnel in the areas of claims processing and recordkeeping.
                April 2016

              • AU-4.1.7

                The applicant's (and where applicable, its parent's) memorandum and articles of association must explicitly provide for it to undertake the activities proposed in the license application, and must preclude the applicant from undertaking other commercial activities, unless these arise out of its activities or are incidental to those.

                April 2016

              • AU-4.1.8

                All documentation provided to the CBB as part of an application for a license must be in either Arabic or English language. Any documentation in a language other than English or Arabic must be accompanied by a certified English or Arabic translation thereof.

                April 2016

              • AU-4.1.9

                Any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occur prior to authorisation must be reported to the CBB.

                April 2016

              • AU-4.1.10

                Failure to inform the CBB of the changes specified in AU-4.1.9 is likely to be viewed as a failure to provide full and open disclosure of information, and thus a failure to meet licensing condition AU-2.8.2.

                April 2016

            • Licensing Process and Timelines

              • AU-4.1.11

                As part of the application process, the CBB will provide a formal decision on a license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB, as specified in Article 44 (e) of the CBB Law. The applicant must submit all remaining requirements within 6 months of the application date; otherwise, the applicant has to submit a new application to the CBB. Applicants are encouraged to approach the CBB to discuss their application at an early stage, so that any specific questions can be dealt with prior to the finalisation of the application.

                April 2016

              • AU-4.1.12

                Before the final approval is granted to a licensee, confirmation from a retail bank addressed to the CBB that the licensee's capital (injected funds) — as specified in the business plan submitted under Rule AU-4.1.4 — has been paid in must be provided to the CBB. In addition, for payment services providers and card processing companies, a bank guarantee of BD50,000 must be provided.

                Amended: October 2017
                Amended: April 2017
                April 2016

            • Granting or Refusal of a License

              • AU-4.1.13

                To be granted a license, an applicant should demonstrate compliance with the applicable requirements of the CBB Law and this Module. Should a license be granted, the CBB will notify the applicant in writing of the fact; the CBB will also publish its decision to grant a license in the Official Gazette and in two local newspapers (one published in Arabic, the other in English). The license may be subject to such terms and conditions as the CBB deems necessary for the additional conditions being met.

                Amended: October 2019
                April 2016

              • AU-4.1.14

                The CBB may refuse to grant a license if in its opinion:

                (a) The requirements of the CBB Law or this Module are not met;
                (b) False or misleading information has been provided to the CBB, or information which should have been provided to the CBB has not been so provided; or
                (c) The CBB believes it necessary in order to safeguard the interests of potential customers.
                April 2016

              • AU-4.1.15

                Where the CBB proposes to refuse an application for a license, it will give the applicant a written notice to that effect. Applicants will be given a minimum of 30 calendar days from the date of the written notice to appeal the decision, as per the appeal procedures specified in the notice; these procedures will comply with the provisions contained in Article 46 of the CBB Law.

                Amended: October 2019
                April 2016

            • Starting Operations

              • AU-4.1.16

                Within 6 months of the license being issued, the new licensee must provide to the CBB:

                (a) A detailed action plan for establishing the operations and supporting infrastructure of the licensee, such as the completion of written policies and procedures, and recruitment of remaining employees (having regard to the time limit set by Article 48 (c) of the CBB Law);
                (b) The registered office address and details of premises to be used to carry out the business of the proposed licensee;
                (c) The address in the Kingdom of Bahrain where full business records will be kept;
                (d) The licensee's contact details including telephone and fax number, e-mail address and website;
                (e) A description of the business continuity plan;
                (f) A description of the IT system that will be used, including details of how IT systems and other records will be backed up;
                (g) A copy of the external auditor's acceptance to act as an external auditor for the applicant;
                (h) A copy of the Ministry of Industry & Commerce commercial registration certificate in Arabic and English languages;
                (i) A copy of the licensee's business card and any written communication (including stationery, website, e-mail, business documentation, etc.) including a statement that the ancillary service provider is licensed by the CBB;
                (j) An updated organisation chart showing the reporting lines, committees (if any) and including the names of the persons undertaking the controlled functions;
                (k) A copy of the licensee's professional indemnity insurance policy or confirmation that a deposit to an amount specified by the CBB has been placed in an escrow account with a retail bank licensed in the Kingdom of Bahrain;
                (l) A bank guarantee of BD100,000 for payment service providers issuing any multi-purpose, electronic or otherwise, pre-paid cards, instead of the bank guarantee amount required under Paragraph AU-4.1.12. Such bank guarantee must be in the format approved by the CBB;
                (m) Proof that the PSP has set up the clients' money account as required under Paragraph AU-1.2.8;
                (n) A copy of the applicant's notarised memorandum and articles of association, addressing the matters described in Paragraph AU-4.1.6; and
                (o) Other information as may be specified by the CBB.
                Amended: January 2019
                Amended: October 2017
                Amended: April 2017
                April 2016

              • AU-4.1.17

                Applicants issued new licenses by the CBB must start operations within 6 months of the license being issued, as per Article 48 (c) of the CBB Law. Failure to comply with this rule may lead to enforcement action being taken against the licensee concerned, as specified in Article 128 of the CBB Law. A licensee must at all times keep an approved copy of the license displayed in a visible place on the licensee's premises in the Kingdom, as per Article 47 (b) of the CBB Law.

                April 2016

              • AU-4.1.18

                Applicants may not publicise in any way the application for a licence for, or formation of, an ancillary service provider before the formal decision referred to in Paragraph AU-4.1.11 is provided to the applicant or the concerned agent.

                April 2016

          • AU-4.2 Variations to a License

            • AU-4.2.1

              As per Article 48 of the CBB Law, licensees must seek prior CBB approval before undertaking new regulated ancillary services.

              April 2016

            • AU-4.2.2

              Failure to secure CBB approval prior to undertaking a new regulated activity may lead to enforcement action being taken against the concerned person in accordance with Article 40 of the CBB Law.

              April 2016

            • AU-4.2.3

              In addition to any other information requested by the CBB, and unless otherwise directed by the CBB, a licensee requesting CBB approval to undertake a new regulated ancillary service must provide the following information:

              (a) A summary of the rationale for undertaking the proposed new activities;
              (b) A description of how the new business will be managed and controlled;
              (c) An analysis of the financial impact of the new activities; and
              (d) A summary of the due diligence undertaken by the Board and management of the licensee on the proposed new activities.
              April 2016

            • AU-4.2.4

              The CBB may amend or revoke a licence in any of the following cases:

              (a) If the licensee fails to satisfy any of the license conditions;
              (b) If the licensee violates the terms of the CBB Rulebook;
              (c) If the licensee fails to start business within six months from the date of the licence;
              (d) If the licensee ceases to carry out the licensed activity in the Kingdom; or
              (e) If the legitimate interests of the customers or creditors of a licensee require such amendment or cancellation.
              Amended: October 2019
              April 2016

            • AU-4.2.5

              The CBB's procedure for amending or revoking a license is outlined in detail in the Enforcement Module (EN).

              April 2016

          • AU-4.3 [This section was moved to AU-3.2 in October 2017]

            • AU-4.3.1

              [This Paragraph was moved to AU-3.2.1 in October 2017].

              Moved: October 2017
              April 2016

            • AU-4.3.2

              [This Paragraph was moved to AU-3.2.2 in October 2017].

              Moved: October 2017
              April 2016

            • AU-4.3.3

              [This Paragraph was moved to AU-3.2.3 in October 2017].

              Moved: October 2017
              April 2016

            • AU-4.3.4

              [This Paragraph was moved to AU-3.2.4 in October 2017].

              Moved: October 2017
              April 2016

            • AU-4.3.5

              [This Paragraph was moved to AU-3.2.5 in October 2017].

              Moved: October 2017
              April 2016

            • [This heading was moved to AU-3.2 in October 2017]

              • AU-4.3.6

                [This Paragraph was moved to AU-3.2.6 in October 2017].

                Moved: October 2017
                April 2016

              • AU-4.3.7

                [This Paragraph was moved to AU-3.2.7 in October 2017].

                Moved: October 2017
                April 2016

              • AU-4.3.8

                [This Paragraph was moved to AU-3.2.8 in October 2017].

                Moved: October 2017
                April 2016

            • [This heading was moved to AU-3.2 in October 2017]

              • AU-4.3.9

                [This Paragraph was moved to AU-3.2.9 in October 2017].

                Moved: October 2017
                April 2016

              • AU-4.3.10

                [This Paragraph was moved to AU-3.2.10 in October 2017].

                Moved: October 2017
                April 2016

            • [This heading was moved to AU-3.2 in October 2017]

              • AU-4.3.11

                [This Paragraph was moved to AU-3.2.11 in October 2017].

                Moved: October 2017
                April 2016

              • AU-4.3.12

                [This Paragraph was moved to AU-3.2.12 in October 2017].

                Moved: October 2017
                April 2016

              • AU-4.3.13

                [This Paragraph was moved to AU-3.2.13 in October 2017].

                Moved: October 2017
                April 2016

            • [This heading was moved to AU-3.2 in October 2017]

              • AU-4.3.14

                [This Paragraph was moved to AU-3.2.14 in October 2017].

                Moved: October 2017
                April 2016

              • AU-4.3.15

                [This Paragraph was moved to AU-3.2.15 in October 2017].

                Moved: October 2017
                April 2016

          • AU-4.4 Cancellation of Authorisation

            • Licenses

              • Voluntary Surrender

                • AU-4.4.1

                  According to Article 50 of the CBB Law, all requests for the voluntary surrender of a license are subject to CBB approval. Such requests must be made in writing and must set out in full the reasons for the request and how the voluntary surrender is to be carried out. Requests must be addressed to the concerned Executive Director at the CBB.

                  April 2016

                  • AU-4.4.2

                    Licensees must satisfy the CBB that their customers' interests are to be safeguarded during and after the proposed voluntary surrender. The requirements contained in Chapter GR-9 regarding cessation of business must be satisfied.

                    April 2016

                    • AU-4.4.3

                      Failure to comply with Rule AU-4.4.1 may constitute a breach of Article 50(a) of the CBB Law. The CBB will only approve a voluntary surrender where it has no outstanding regulatory concerns and any relevant customers' interests would not be prejudiced. A voluntary surrender will not be accepted where it is aimed at preempting supervisory actions by the CBB. Also, a voluntary surrender will only take effect once the licensee, in the opinion of the CBB, has discharged all its regulatory responsibilities to customers.

                      April 2016

                      • AU-4.4.4

                        In accordance with Articles 50(a) and 51(a) of the CBB Law, a licensee wishing to cancel an authorisation for a service or a branch must obtain the CBB's prior written approval. The requirements contained in Chapter GR-9 regarding cessation of business must be satisfied.

                        April 2016

                        • Cancellation

                          • AU-4.4.5

                            As provided for under Article 48 of the CBB Law, the CBB may itself move to cancel a license, should the licensee fail to meet the conditions outlined in Paragraph AU-4.2.4.

                            April 2016

                            • AU-4.4.6

                              Cancellation of a license requires the CBB to issue a formal notice of cancellation to the person concerned. The notice of cancellation describes the CBB's rationale for the proposed cancellation, as specified in Article 48(d) of the CBB Law.

                              April 2016

                              • AU-4.4.7

                                The CBB generally views cancellation of a license as appropriate only in the most serious of circumstances, and generally tries to address supervisory concerns through other means beforehand. Further guidance is contained in Module EN (Enforcement), regarding CBB's approach to enforcement and on the process for issuing a notice of cancellation and the recipient's right to appeal the notice.

                                April 2016

                                • AU-4.4.8

                                  Normally, where cancellation of a license has been confirmed by the CBB, the CBB will only effect the cancellation once a licensee has discharged all its regulatory responsibilities to customers. Until such time, the CBB will retain all its regulatory powers with regard to the licensee, and will direct the licensee such that no new regulated activity may be undertaken whilst the licensee discharges its obligations to customers.

                                  April 2016

                                  • Cancellation of Approved Person Status

                                    • AU-4.4.9

                                      In accordance with Paragraph AU-4.3.11, licensees must promptly notify the CBB in writing when a person undertaking a controlled function will no longer be carrying out that function. If a controlled function falls vacant, the licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the licensee must make immediate interim arrangements to ensure continuity of the duties and responsibilities of the controlled function affected. These interim arrangements must be approved by the CBB.

                                      April 2016

                                      • AU-4.4.10

                                        The explanation given for any such changes should simply identify if the planned move was prompted by any concerns over the person concerned, or is due to a routine staff change, retirement or similar reason.

                                        April 2016

                                        • AU-4.4.11

                                          The CBB may also move to declare someone as not 'fit and proper', in response to significant compliance failures or other improper behaviour by that person: see Chapter EN-8 regarding the cancellation of 'fit and proper' approval.

                                          April 2016

                                          • AU-4.5 Publication of the Decision to Grant, Cancel or Amend a License

                                            • AU-4.5.1

                                              In accordance with Articles 47 and 49 of the CBB Law, the CBB will publish its decision to grant, cancel or amend a license in the Official Gazette and in two local newspapers, one in Arabic and the other in English.

                                              Amended: October 2019
                                              Added: July 2017

                                            • AU-4.5.2

                                              For the purposes of Paragraph AU-4.5.1, the cost of publication must be borne by the Licensee.

                                              Added: July 2017

                                            • AU-4.5.3

                                              The CBB may also publish its decision on such cancellation or amendment using any other means it considers appropriate, including electronic means.

                                              Added: July 2017

                                          • AU-4.6 Additional Requirements for Licensing of Crowdfunding Platform Operator

                                            • AU-4.6.1

                                              This section sets out additional licensing requirements for crowdfunding platform operators, including conventional and Shari'a-compliant crowdfunding platform operators.

                                              Added: October 2017

                                            • AU-4.6.2

                                              The CBB may license a person as a crowdfunding platform operator provided that:

                                              (a) The applicant must be locally incorporated as a Joint Stock Company;
                                              (b) The applicant is able to demonstrate that it will be able to operate an orderly, fair and transparent market in relation to the transactions offered through its electronic facilities;
                                              (c) The applicant appoints at least two approved persons. One of the approved persons must be a Compliance Officer who can also handle the responsibilities of the MLRO, and the second person is the CEO of the crowdfunding platform operator;
                                              (d) The business rules of the crowdfunding platform operator must make satisfactory provisions–
                                              (i) For the protection of investors/lenders and public interest;
                                              (ii) To ensure proper functioning of the platform;
                                              (iii) To promote fairness and transparency;
                                              (iv) To manage any conflict of interest that may arise;
                                              (v) To promote fair treatment of its users or any person who subscribes for its services;
                                              (vi) To promote fair treatment of any person who is hosted, or applies to be hosted, on its platform;
                                              (vii) To ensure proper regulation and supervision of its users, or any person utilising or accessing its platform, including suspension and expulsion of such persons;
                                              (viii) To provide an avenue of appeal against the decision of the licensed crowdfunding platform operator;
                                              (ix) To clarify the criteria for admission of lenders/investors and the exclusion, suspension, expulsion and re-admission of lenders/investors therefrom or thereto;
                                              (x) To describe the proposed technology, IT system and disaster recovery plan; and
                                              (xi) For the oversight and controls over outsourced activities, if any.
                                              Added: October 2017

                                          • AU-4.7 Additional Requirements for Payment Service Providers, PISPs and AISPs

                                            • Business plan

                                              • AU-4.7.1

                                                The business plan must include an indication of and a description of the type and expected volume of the activities for the next three years. The business plan to be provided by the applicant must contain:

                                                (a) a marketing plan consisting of:
                                                (i) an analysis of the company's competitive position;
                                                (ii) a description of account information service users in the account information market segment concerned, marketing materials and distribution channels;
                                                (b) certified annual accounts for the previous three years, if available, or a summary of the financial situation for those applicants that have not yet produced annual accounts;
                                                (c) a forecast budget for the first three financial years that demonstrates that the applicant is able to employ appropriate and proportionate systems, resources and procedures that allow the applicant to operate soundly; it must include:
                                                (i) an income statement and balance-sheet forecast, including target scenarios and stress scenarios as well as their base assumptions such as number of clients, pricing and expected increase in profitability threshold;
                                                (ii) explanations of the main lines of income and expenses, the financial debts and the capital assets;
                                                (iii) a diagram and detailed breakdown of the estimated cash flows for the next three years.
                                                Added: December 2018

                                            • Programme of Operations

                                              • AU-4.7.2

                                                The programme of operations to be provided by the applicant must contain the following information:

                                                (a) a description of the services that are intended to be provided, including an explanation of how the applicant determined that the activity fits the definition of regulated ancillary services;
                                                (b) a declaration of the applicant that they will not enter at any time into possession of client funds;
                                                (c) a description of the service including:
                                                (i) draft contracts between all the parties involved, if applicable;
                                                (ii) terms and conditions of the provision of the services;
                                                (iii) processing times;
                                                (d) the estimated number of different premises from which the applicant intends to provide the services, if applicable;
                                                (e) a description of the proposed ancillary services;
                                                (f) a declaration of whether or not the applicant intends to provide services in another country once licensed;
                                                (g) a description of the relevant operational outsourcing arrangements consisting of:
                                                (i) the identity and geographical location of the outsourcing provider;
                                                (ii) the identities of the persons within the ancillary services provider that are responsible for each of the outsourced activities;
                                                (iii) a detailed description of the outsourced activities and their main characteristics; and
                                                (h) a copy of draft outsourcing agreements.
                                                Added: December 2018

                                            • Governance arrangements and internal control mechanisms

                                              • AU-4.7.3

                                                The applicant must provide a description of the governance arrangement and the internal control mechanisms consisting of:

                                                (a) a mapping of the risks identified by the applicant, including the type of risks and the procedures the applicant will put in place to assess and prevent such risks;
                                                (b) the different procedures to carry out periodical and permanent controls including the frequency and the human resources allocated;
                                                (c) the identity of the person(s) responsible for the internal control functions, including for periodic, permanent and compliance control, as well as an up-to-date curriculum vitae;
                                                (d) the composition of the management body and, if applicable, of any other oversight body or committee;
                                                (e) a description of the way outsourced functions are monitored and controlled so as to avoid an impairment in the quality of the applicant's internal controls;
                                                (f) a description of the way any agents and branches are monitored and controlled within the framework of the applicant's internal controls;
                                                (g) where the applicant is the subsidiary of a regulated entity in another country, a description of the group governance.
                                                Added: December 2018

                                            • Business continuity arrangements

                                                • AU-4.7.4

                                                  The applicant should provide a description of the business continuity arrangements consisting of the following information:

                                                  (a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
                                                  (b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
                                                  (c) an explanation of how the applicant will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons;
                                                  (d) the frequency with which the applicant intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
                                                  Added: December 2018

                                                  • Internal Control Mechanisms to comply with AML/CFT obligations

                                                    • AU-4.7.5

                                                      The applicant must establish a description of the internal control mechanisms containing, where applicable, the following information:

                                                      (a) the applicant's assessment of the money laundering and terrorist financing risks associated with its business;
                                                      (b) the measures the applicant has or will put in place to mitigate the risks and comply with applicable anti-money laundering and counter terrorist financing obligations, including the applicant's risk assessment process, the policies and procedures to comply with customer due diligence requirements, and the policies and procedures to detect and report suspicious transactions or activities;
                                                      (c) arrangements the applicant has or will put in place to ensure that staff and agents are appropriately trained in anti-money laundering and counter terrorist financing matters;
                                                      (d) the identity of the person in charge of ensuring the applicant's compliance with anti-money laundering and counter-terrorism obligations, and evidence that their anti-money laundering and counter-terrorism expertise is sufficient to enable them to fulfil this role effectively;
                                                      (e) the systems and controls the applicant has or will put in place to ensure that its anti-money laundering and counter terrorist financing policies and procedures remain up to date, effective and relevant;
                                                      (f) the systems and controls the applicant has or will put in place to ensure that the agents do not expose the applicant to increased money laundering and terrorist financing risk; and
                                                      (g) the draft anti-money laundering and counter terrorism manual for the staff of the applicant (to be provided following receipt of in-principle approval from the CBB).
                                                      Added: December 2018

                                                  • Procedure for monitoring, handling, and following up on security incidents and security-related customer complaints

                                                    • AU-4.7.6

                                                      The applicant should provide a procedure for monitoring, handling and following up on security incidents and security-related customer complaints, containing, but not limited to, the following information:

                                                      (a) organisational measures and tools for the prevention of cyber events and fraud;
                                                      (b) details of the individual(s) and bodies responsible for assisting customers in cases of fraud, technical issues and/or claims;
                                                      (c) reporting lines in cases of fraud;
                                                      (d) the contact point for customers, including a name and email address;
                                                      (e) the procedures for the reporting of incidents, including the communication of these reports to internal or external bodies, including notification of major incidents to national competent authorities;
                                                      (f) the monitoring tools used and the follow-up measures and procedures in place to mitigate security risks.
                                                      Added: December 2018

                                                  • Process for filing, monitoring, tracking and restricting access to sensitive payment data

                                                    • AU-4.7.7

                                                      The PISP and PSP should provide a description of the process in place to file, monitor, track and restrict access to sensitive payment data consisting of, but not limited to, the following:

                                                      (a) a description of the flows of data classified as sensitive payment data in the context of the applicant's business model;
                                                      (b) the procedures in place to authorise access to sensitive payment data;
                                                      (c) a description of the monitoring tool;
                                                      (d) the access right policy, detailing access to all relevant infrastructure components and systems, including databases and back-up infrastructures;
                                                      (e) a description of how the collected data are encrypted such that the applicant will not be able to read or store it;
                                                      (f) the expected internal and/or external use of the collected data;
                                                      (g) the IT system and technical security measures that have been implemented including encryption and/or tokenisation;
                                                      (h) confirmation that access to sensitive customer data is not available to the applicant;
                                                      (i) an explanation of how breaches will be detected and addressed; and
                                                      (j) an annual internal control programme in relation to the safety of the IT systems.
                                                      Added: December 2018

                                                  • Security policy documentation

                                                    • AU-4.7.8

                                                      The applicant should provide a security policy document containing the following information:

                                                      (a) A detailed risk assessment of the service(s) the applicant intends to provide, which should include risks of fraud and the security control and mitigation measures taken to adequately protect service users against the risks identified;
                                                      (b) a description of the IT systems, which should include:
                                                      (i) the architecture of the systems and their network elements;
                                                      (ii) the business IT systems supporting the business activities provided, such as the applicant's website, wallets, the payment engine, the risk and fraud management engine, and customer accounting;
                                                      (iii) the support IT systems used for the organisation and administration of the applicant, such as accounting, legal reporting systems, staff management, customer relationship management, e-mail servers and internal file servers;
                                                      (iv) information on whether those systems are already used by the applicant or its group, and the estimated date of implementation, if applicable;
                                                      (v) the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
                                                      (vi) the logical security measures and mechanisms in place, specifying the control the applicant will have over such access as well as the nature and frequency of each control, such as technical versus organisational; preventative versus detective; and real-time monitoring versus regular reviews, such as the use of an active directory separate from the group, the opening/closing of communication lines, security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
                                                      (c) the logical security measures and mechanisms that govern the internal access to IT systems, which should include:
                                                      (i) the technical and organisational nature and frequency of each measure, such as whether it is preventative or detective and whether or not it is carried out in real time;
                                                      (ii) how the issue of client environment segregation is dealt with in cases where the applicant's IT resources are shared;
                                                      (d) the physical security measures and mechanisms of the premises and the data centre of the applicant, such as access controls and environmental security;
                                                      (e) the security of the payment processes, which should include:
                                                      (i) the customer authentication procedure used for both consultative and transactional access, and for all underlying payment instruments;
                                                      (ii) an explanation of how safe delivery to the legitimate payment service user and the integrity of authentication factors, such as hardware tokens and mobile applications, are ensured, at the time of both initial enrolment and renewal;
                                                      (iii) a description of the systems and procedures that the applicant has in place for transaction analysis and the identification of suspicious or unusual transactions;
                                                      (f) a detailed risk assessment in relation to its payment services, including fraud, with a link to the control and mitigation measures explained in the application file, demonstrating that the risks are addressed;
                                                      (g) a list of the main written procedures in relation to the applicant's IT systems or, for procedures that have not yet been formalised, an estimated date for their finalisation.
                                                      Added: December 2018

                                                    • AU-4.7.9

                                                      AISPs/PISPs must submit a report of an independent review undertaken by a third-party expert confirming compliance with the Bahrain Open Banking Framework prior to going live. The detailed scope and procedures for such review and the appointment of the third party expert must be approved by CBB.

                                                      Added: July 2021

        • AU-5 License Fees

          • AU-5.1 License Application Fees

            • AU-5.1.1

              Applicants seeking an ancillary service provider license from the CBB must pay a non-refundable license application fee of BD 100 at the time of submitting their formal application to the CBB.

              April 2016

            • AU-5.1.2

              There are no application fees for those seeking approved persons status.

              April 2016

          • AU-5.2 Annual License Fees

            • AU-5.2.1

              Licensees must pay the relevant annual license fee to the CBB on 1st December of the preceding year for which the fee is due.

              April 2016

            • AU-5.2.2

              The applicable fixed annual license fees are as follows:

              (a) Third party administrators - BD 2,000;
              (b) Card processing services - BD 1,000;
              (c) Operating a credit reference bureau - BD 100,000;
              (d) Payment service providers - BD 2,000;
              (e) Shari’a advisory/review services - BD 500;
              (f) Operating a crowdfunding platform - BD 200;
              (g) Account information service providers - BD 1,000;
              (h) Payment initiation service providers - BD 1,000;
              (i) Any other ancillary services that are related to the financial services industry - BD 500.
              Amended: October 2020
              Added: April 2016

            • AU-5.2.2A

              Licensees providing multiple regulated ancillary services are required to pay the annual license fees applicable for each activity in accordance with Paragraph AU-5.2.2.

              Added: January 2021

            • AU-5.2.3

              For new licensees, their first annual license fee is the amount stated in Paragraph AU-5.2.2 and is payable when their license is issued by the CBB.

              April 2016

            • AU-5.2.4

              Where a license is cancelled (whether at the initiative of the firm or the CBB), no refund is paid for any months remaining in the calendar year in question, should a fee have been paid for that year.

              April 2016

            • AU-5.2.5

              All licensees are subject to direct debit for the payment of the annual fee and must complete and submit to the CBB a Direct Debit Authorisation Form by 15th September available under Part B of Volume 5 (Specialised Licensees) CBB Rulebook on the CBB Website.

              April 2016

            • AU-5.2.6

              Licensees failing to comply with this Section may be subject to financial penalties for date sensitive requirements as outlined in Section EN-5.3A or may have their licenses withdrawn by the CBB.

              April 2016

      • HC High-Level Controls

        • HC-A Introduction

          • HC-A.1 Purpose

            • Executive Summary

              • HC-A.1.1

                The purpose of the Module is to establish best practice corporate governance principles in the Kingdom of Bahrain, and to provide protection for shareholders and other company stakeholders through compliance with those principles.

                October 2019

              • HC-A.1.2

                All references in this Module to 'he' or 'his' shall, unless the context otherwise requires, be construed as also being references to 'she' and 'her'.

                October 2019

            • The Comply or Explain Principle for Guidance Paragraphs

              • HC-A.1.3

                All ancillary service provider licensees must comply with the Guidance in Module HC or explain their noncompliance by way of a report to the CBB.

                October 2019

            • Monitoring and Enforcement of Module HC

              • HC-A.1.4

                It is the Board's responsibility to see to the accuracy and completeness of the ancillary service provider licensee's corporate governance framework in compliance with this Module.

                October 2019

            • Legal Basis

              • HC-A.1.5

                This Module contains the CBB's Directive (as amended from time to time) relating to high-level controls and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 ('CBB Law'), as amended. The Directive in this Module is applicable to ancillary service provider licensees (including their approved persons).

                October 2019

              • HC-A.1.6

                For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                October 2019

            • Effective Date

              • HC-A.1.7

                All ancillary service provider licensees to which Module HC applies should be in full compliance by 31st December 2020. Where possible, the ancillary service provider licensee should also have corporate governance guidelines in place at that time and should have a "comply or explain" report as described in Paragraph HC-A.1.3.

                Amended: October 2020
                Added: October 2019

          • HC-A.2 Module History

            • HC-A.2.1

              This Module was first issued in April 2019. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

              October 2019

            • HC-A.2.2

              A list of recent changes made to this Module is detailed in the table below:

              | Module Ref. | Change Date | Description of Changes |
              |---|---|---|
              | HC-1.2.2 & HC-2.2.8 | 01/2020 | Amended Paragraphs on policy and procedures approval. |
              | HC-1.5.8 | 01/2020 | Added a new Paragraph on independent directors. |
              | HC-1.5.9 | 01/2020 | Added a new Paragraph on termination of Board membership of a retired, terminated CEO. |
              | HC-1.8.5 | 04/2020 | Amended Paragraph. |
              | HC-3.3.1 | 04/2020 | Amended Paragraph. |
              | HC-3.3.2 | 04/2020 | Amended Paragraph. |
              | HC-5.2.4 | 04/2020 | Added a new Paragraph on KPIs compliance with AML/CFT requirements. |
              | HC-A.1.7 | 10/2020 | Amended Paragraph reference. |

            • Superseded Requirements

              • HC-A.2.3

                This Module supersedes the following provisions contained in circulars or other regulatory requirements:

                | Document Ref. | Subject |
                |---|---|
                | Standard Conditions and Licensing Criteria for providers of ancillary services to the financial sector. | Board, Management and Staffing |
                October 2019

        • HC-B Scope of Application

          • HC-B.1 Scope of Application

            • HC-B.1.1

              The contents of Chapters HC-1 to HC-7 of this Module, unless otherwise stated, apply to card processing services, payment service providers and credit reference bureaus.

              October 2019

            • HC-B.1.2

              The guidance in Chapter HC-8 of this Module applies to TPAs, Shari'a advisory/review services, Crowdfunding Platform Operators and other Ancillary Service Providers. The "comply or explain" principle (see Paragraph HC-A.1.3) applies to the contents of Chapter HC-8.

              October 2019

        • HC-1 The Board

          • HC-1.1 Principle

            • HC-1.1.1

              All licensees must be headed by an effective, collegial and informed Board of Directors ('the Board').

              October 2019

          • HC-1.2 Role and Responsibilities

            • HC-1.2.1

              All directors must understand the Board's role and responsibilities under the Bahrain Commercial Companies Law (2001), as amended and any other laws or regulations that may govern their responsibilities from time to time. In particular:

              (a) The Board's role as distinct from the role of the shareholders (who elect the Board and whose interests the Board serves) and the role of officers (whom the Board appoints and oversees); and
              (b) The Board's fiduciary duties of care and loyalty to the licensee and the shareholders (see HC-2.1).
              October 2019

            • HC-1.2.2

              The Board's role and responsibilities include but are not limited to:

              (a) Approving and reviewing at least annually the overall business performance and strategy for the licensee;
              (b) Reviewing regularly the implementation of the strategy and operational performance;
              (c) Causing financial statements to be prepared which accurately disclose the licensee's financial position;
              (d) Monitoring management performance;
              (e) Reviewing regularly the level of risk;
              (f) Approving and reviewing at least annually systems and controls framework (including policies);
              (g) Approving the agenda for shareholders' meetings;
              (h) Monitoring conflicts of interest and preventing abusive related party transactions;
              (i) Assuring equitable treatment of shareholders including minority shareholders; and
              (j) Setting out clearly and reviewing on a regular basis who has authority to enter the licensee into contractual obligations.
              Amended: January 2020
              Added: October 2019

            • HC-1.2.3

              With respect to Subparagraph HC-1.2.2(j), the Board should set a materiality threshold so that contractual obligations above this set threshold are regularly reported to the Board. In setting the materiality threshold, the Board will consider the financial impact the contractual obligation may have in relation to its capital.

              October 2019

            • HC-1.2.4

              The members of the board of directors are responsible both individually and collectively for performing the responsibilities outlined in Paragraph HC-1.2.2 and must have sufficient expertise as a Board to understand the important issues relating to operation and control of the licensee. Although the Board may delegate certain functions to committees or management, it may not delegate its ultimate responsibility to ensure that an adequate, effective, comprehensive and transparent corporate governance framework is in place. This statement must be clearly communicated to Board members and senior management.

              October 2019

            • HC-1.2.5

              When a member of the board of directors is inducted, the chairman of the Board, or the licensee's legal counsel or compliance officer, or other individual delegated by the chairman of the board, should review the Board's role and duties with that person, particularly covering legal and regulatory requirements and Module HC (see also HC-4.3.1).

              October 2019

            • HC-1.2.6

              The licensee should have a written appointment agreement with each director which recites the directors' powers and duties and other matters relating to his appointment including his term, the time commitment envisaged, the committee assignment if any, his remuneration and expense reimbursement entitlement, and his access to independent professional advice when that is needed.

              October 2019

            • HC-1.2.7

              The Board should adopt a formal Board charter or other statement specifying matters which are reserved to it, which should include but need not be limited to the specific requirements and responsibilities of board directors.

              October 2019

            • Additional Guidance

              • HC-1.2.8

                In assessing the licensee's strategic plans (see Paragraph HC-1.2.2), the CBB would expect the Board to address the licensee's current and future aspirations with respect to its position in the market place, its size, products, value and other key aspirations that would be considered important by investors. Furthermore, the Board should demonstrate that it is able to identify proactively and understand the significant risks that the licensee faces in achieving its business objectives. A description of the licensee's strategy should be included in the annual financial statements.

                October 2019

              • HC-1.2.9

                The Board must have effective policies and processes in place for:

                (a) Ensuring a formal and transparent Board nomination process;
                (b) Appointing senior managers, and ensuring that they have the necessary integrity, technical and managerial competence, and experience;
                (c) Overseeing succession planning, and minimising undue reliance on key individuals;
                (d) Reviewing key senior management and Board remuneration packages and ensuring such packages are consistent with the corporate values and strategy of the licensee and encourage prudent risk taking;
                (e) Monitoring and evaluating management's performance in implementing agreed strategy and business plans, and ensuring appropriate resources are available; and
                (f) Approving budgets and reviewing performance against those budgets.
                October 2019

              • HC-1.2.10

                The Board must be able to demonstrate that the licensee's operations, individually and collectively:

                (a) Are measured, monitored and controlled by appropriate, effective and prudent risk management systems commensurate with the scope of the licensee's activities. The systems must produce information on a timely basis, and in a form and quality appropriate to the needs of the different recipients;
                (b) Are supported by an appropriate control environment. The risk management and financial reporting functions must be independent of business lines and must be run by individuals not involved with the day-to-day running of the various business areas; and
                (c) Make effective use of the work of internal and external auditors.
                October 2019

          • HC-1.3 Composition

            • HC-1.3.1

              The Memorandum and Articles of Association of licensees must adequately set out procedures for the appointment, removal and retirement of directors.

              October 2019

            • HC-1.3.2

              The Board should have a minimum of 3 members and no more than 5 members, and should regularly review its size and composition to ensure that it is small enough for efficient decision-making yet large enough to have members who can contribute from different specialties and viewpoints. The Board should recommend changes in Board size to the shareholders when a needed change requires amendment of the licensee's Memorandum of Association.

              October 2019

            • HC-1.3.3

              It is not expected that every Board member is proficient in all areas, but collectively the Board is expected to have the required expertise. The CBB expects Board members to undertake relevant training on a regular basis to help them fulfill their responsibilities as board members.

              October 2019

            • HC-1.3.4

              Potential non-executive directors should be made aware of their duties before their nomination, particularly as to the time commitment required. Where applicable, the Nominating Committee should regularly review the time commitment required from each non-executive director and should require each non-executive director to inform the Committee before he accepts any Board appointments to another company. One person should not hold more than three directorships in public companies in Bahrain with the provision that no conflict of interest may exist, and the Board should not propose the election or reelection of any director who does.

              October 2019

            • HC-1.3.5

              To fulfil its responsibilities outlined in Section HC-1.2, the Board of licensees must periodically assess its composition and size and, where appropriate, reconstitute itself and its committees by selecting new directors to replace long-standing members or those members whose contributions to the licensee or its committees are not adequate.

              October 2019

            • HC-1.3.6

              To demonstrate compliance with Rule HC-1.3.5, the Board should be able to demonstrate that it regularly considers (e.g. every one or two years) the mix of executive, non-executive and independent non-executive Directors, and skills and experience, that it requires. See also Paragraph HC-1.3.2.

              October 2019

            • HC-1.3.7

              A Board member must not serve in two or more competing licensees.

              October 2019

            • HC-1.3.8

              The appointment of Board members is conditional on the approval of the CBB (See Section AU-1.2).

              October 2019

          • HC-1.4 Decision Making Process

            • HC-1.4.1

              The Board must be collegial and deliberative, to gain the benefit of each individual director's judgment and experience.

              October 2019

            • HC-1.4.2

              The Board must meet frequently but in no event less than four times a year. All directors must attend the meetings whenever possible and the directors must maintain informal communication between meetings.

              October 2019

            • HC-1.4.3

              Individual board members must attend at least 75% of all Board meetings in a given financial year to enable the Board to discharge its responsibilities effectively (see table below). Voting and attendance by proxies for board meetings are prohibited at all times.

              | Meetings per year | 75% Attendance requirement |
              |---|---|
              | 4 | 3 |
              | 5 | 4 |
              | 6 | 5 |
              | 7 | 5 |
              | 8 | 6 |
              | 9 | 7 |
              | 10 | 8 |
              October 2019

            • HC-1.4.4

              The absence of Board members at Board and committee meetings must be noted in the meeting minutes. In addition, Board attendance percentage must be reported during any general assembly meeting when Board members stand for re-election (e.g. Board member XYZ attended 95% of scheduled meetings this year).

              October 2019

            • HC-1.4.5

              The chairman should take an active lead in promoting mutual trust, open discussion, constructive dissent and support for decisions after they have been made.

              October 2019

            • HC-1.4.6

              In the event that a Board member has not attended at least 75% of Board meetings in any given financial year, the licensee must immediately notify the CBB indicating which member has failed to satisfy this requirement, his level of attendance and any mitigating circumstances affecting his non-attendance. The CBB shall then consider the matter and determine whether disciplinary action, including disqualification of that Board member pursuant to Article 65 of the CBB Law, is appropriate. Unless there are exceptional circumstances, it is likely that the CBB will take disciplinary action.

              October 2019

            • HC-1.4.7

              To meet its obligations under Rule HC-1.4.3 above, the Board should meet preferably no less than four times per year. The CBB recommends that meetings should take place once every quarter to address the Board's responsibilities for management oversight and performance monitoring. Furthermore, Board rules should require members to step down if they are not actively participating in Board meetings. Board members are reminded that non-attendance at board meetings does not absolve them of their responsibilities as directors. It is important that each individual director should allocate adequate time and effort to discharge his responsibilities. All Directors are expected to contribute actively to the work of the Board in order to discharge their responsibilities and should make every effort to attend board meetings where major issues are to be discussed. Licensees are encouraged to amend their Articles of Association to provide for telephonic and videoconference meetings. Participation in board meetings by means of video or telephone conferencing is regarded as attendance and may be recorded as such.

              October 2019

            • HC-1.4.8

              The chairman must ensure that all directors receive an agenda, minutes of prior meetings, and adequate background information in writing before each Board meeting and when necessary between meetings. All directors must receive the same Board information. At the same time, directors have a legal duty to inform themselves and they must ensure that they receive adequate and timely information and must study it carefully.

              October 2019

            • HC-1.4.9

              The Board must maintain adequate records of its meetings, such that key decisions and how they are arrived at can be traced.

              October 2019

          • HC-1.5 HC-1.5 Independence of Judgment

            • HC-1.5.1

              The Board must ensure that it has at least one independent director, in order to provide sufficient independent scrutiny of management.

              October 2019

            • HC-1.5.2

              Every director must bring independent judgment to bear in decision-making. No individual or group of directors must dominate the Board's decision-making and no one individual must have unfettered powers of decision.

              October 2019

            • HC-1.5.3

              Executive directors must provide the Board with all relevant business and financial information within their cognizance, and must recognise that their role as a director is different from their role as an officer.

              October 2019

            • HC-1.5.4

              Non-executive directors must be fully independent of management and must constructively scrutinise and challenge management including the management performance of executive directors.

              October 2019

            • HC-1.5.5

              The chairman of the Board should be an independent director so that there will be an appropriate balance of power and greater capacity of the Board for independent decision making.

              October 2019

            • HC-1.5.6

              The chairman and/or deputy chairman must not be the same person as the CEO.

              October 2019

            • HC-1.5.7

              The Board should review the independence of each director at least annually in light of interests disclosed by them. Each independent director shall provide the Board with all necessary and updated information for this purpose.

              October 2019

            • HC-1.5.8

              Where an independent director has served three consecutive terms on the board, such director will lose his/her independence status and must not be classified as an independent director if reappointed.

              Added: January 2020

            • HC-1.5.9

              Where a Chief Executive Officer of an ancillary service provider licensee, who is also a Board member, no longer occupies the CEO position, whether due to resignation, retirement or termination, his/her Board Membership must also be immediately terminated.

              Added: January 2020

          • HC-1.6 HC-1.6 Directors' Access to Independent Advice

            • HC-1.6.1

              The Board should ensure that individual directors have access to independent legal or other professional advice at the licensee's expense whenever they judge this necessary to discharge their responsibilities as directors and this must be in accordance with the licensee's policy approved by the Board.

              October 2019

            • HC-1.6.2

              Whenever a director has serious concerns which cannot be resolved concerning the running of the licensee or a proposed action, he should consider seeking independent advice and should ensure that the concerns are recorded in the Board minutes and that any dissent from a Board action is noted or delivered in writing.

              October 2019

            • HC-1.6.3

              Upon resignation, a non-executive director should provide a written statement to the chairman, for circulation to the Board, if he has any concerns such as those in Paragraph HC-1.6.3.

              October 2019

          • HC-1.7 HC-1.7 Directors' Communication with Management

            • HC-1.7.1

              The Board should encourage participation by management regarding matters the Board is considering, and also by management members who, by reason of responsibilities or succession, the CEO believes should have exposure to the directors.

              October 2019

          • HC-1.8 HC-1.8 Committees of the Board

            • HC-1.8.1

              While the evaluation is a responsibility of the entire board, it should be organised and assisted by an internal board committee and, when appropriate, with the help of external experts.

              October 2019

            • HC-1.8.2

              The Board or a committee may invite non-directors to participate in, but not vote at committee meetings so that the committee may gain the benefit of their advice and expertise in financial or other areas.

              October 2019

            • HC-1.8.3

              Committees should act only within their mandates and therefore the Board must not allow any committee to dominate or effectively replace the whole Board in its decision-making responsibility.

              October 2019

            • HC-1.8.4

              Committees may be combined provided that no conflict of interest might arise between the duties of such committees.

              October 2019

            • HC-1.8.5

              Every committee should have a formal written charter similar in form to the model charter.

              Amended: April 2020
              Added: October 2019

        • HC-2 HC-2 Approved Persons Loyalty

          • HC-2.1 HC-2.1 Principle

            • HC-2.1.1

              The approved persons must have full loyalty to the licensee.

              October 2019

          • HC-2.2 HC-2.2 Personal Accountability

            • HC-2.2.1

              The Board and its members must act with honesty, integrity, due skill and care, and in the best interests of the licensee, its shareholders and clients.

              October 2019

            • HC-2.2.2

              In assessing compliance with Paragraph HC-2.2.1, the CBB will take into account all actions of the Board and its members. The interest of the licensee includes the licensee's continued compliance with all relevant rules and regulations, and the interests of employees, clients and other stakeholders. The interest of shareholders includes the current and future value of the licensee, its status as a going concern, transparency and disclosure of information to the market. The interest of clients includes ensuring that the licensee fulfils its obligations under its terms of business and treats all clients fairly and pays equal regard to the interests of all clients.

              October 2019

            • HC-2.2.3

              Each member of the board must understand that under the Commercial Companies Law 2001, as amended, he is personally accountable to the licensee and the shareholders if he violates his legal duty of loyalty to the licensee, and that he can be personally sued by the licensee or the shareholders for such violations.

              October 2019

            • HC-2.2.4

              A licensee's Board must establish and disseminate to all employees of the licensee a corporate code of conduct.

              October 2019

            • HC-2.2.5

              The code of conduct must establish standards by giving examples or expectations as regards:

              (a) Honesty;
              (b) Integrity;
              (c) The avoidance or disclosure of conflicts of interest;
              (d) Maintaining confidentiality;
              (e) Professionalism;
              (f) Commitment to the law and best practices; and
              (g) Reliability.

              October 2019

            • HC-2.2.6

              The Board must establish and disseminate to employees policies and processes for the identification, reporting and prevention or management of potential conflicts of interest, including matters such as:

              (a) Related party transactions;
              (b) The misuse of the licensee's assets; and
              (c) The use of privileged information for personal advantage ('insider trading').

              October 2019

            • HC-2.2.7

              Any transaction in which Board members or any member of management have potential conflicts of interest should either be proscribed or require formal documented approval by the Board, with measures taken to manage those conflicts (see also Paragraph HC-2.4.1).

              October 2019

            • HC-2.2.8

              The Board must ensure that policies are in place to ensure that necessary customer confidentiality is maintained.

              Amended: January 2020
              Added: October 2019

            • HC-2.2.9

              The duty of loyalty includes a duty not to use property of the licensee for his personal needs as though it was his own property, not to disclose confidential information of the licensee or use it for his personal profit, not to take business opportunities of the licensee for himself, not to compete in business with the licensee, and to serve the licensee's interest in any transactions with the company in which he has a personal interest.

              October 2019

            • HC-2.2.10

              For purposes of Paragraph HC-2.2.9, an approved person must be considered to have a "personal interest" in a transaction with the company if:

              (a) He himself;
              (b) A member of his family (i.e. spouse, father, mother, sons, daughters, brothers or sisters); or
              (c) Another company of which he is a director or controller,
              is a party to the transaction or has a material financial interest in the transaction.

              October 2019

          • HC-2.3 HC-2.3 Avoidance of Conflicts of Interest

            • HC-2.3.1

              Licensees must maintain an organisational structure that minimises the risk of conflicts of interest arising.

              October 2019

            • HC-2.3.2

              For the purposes of Rule HC-2.3.1, the CBB would expect licensees to separate front and back office functions.

              October 2019

            • HC-2.3.3

              Each approved person must make every practicable effort to arrange his personal and business affairs to avoid a conflict of interest with the licensee.

              October 2019

            • HC-2.3.4

              Board members must absent themselves from any discussion or decision-making that involves a subject where they are incapable of providing objective advice, or which involves a subject, transaction or proposed transaction where there is a potential conflict of interest.

              October 2019

          • HC-2.4 HC-2.4 Disclosure of Conflicts of Interest

            • HC-2.4.1

              Each approved person of licensees must inform the entire Board of conflicts of interest as they arise. Board members must abstain from voting on the matter in accordance with the relevant provisions of the Commercial Companies Law 2001, as amended. This disclosure must include all material facts in the case of a contract or transaction involving the approved person. The approved persons must understand that any approval of a conflict transaction is effective only if all material facts are known to the authorising persons and the conflicted person did not participate in the decision.

              October 2019

            • HC-2.4.2

              Board members must declare annually in writing all of their interests (and those of their family) in other enterprises or activities (whether as a Director, shareholder, senior executive or other form of participation) to the Board (or appropriate Board sub-Committee).

              October 2019

            • HC-2.4.3

              The Board should establish formal procedures for:

              (a) Periodic disclosure and updating of information by each approved person on his actual and potential conflicts of interest; and
              (b) Advance approval by directors or shareholders who do not have an interest in the transactions in which a card processing services', credit reference bureaus', and payment service providers' approved person has a personal interest. The Board should require such advance approval in every case.

              October 2019

          • HC-2.5 HC-2.5 Disclosure of Conflicts of Interest to Shareholders

            • HC-2.5.1

              The licensee must disclose to its shareholders through Annual General Meetings any abstention from voting motivated by a conflict of interest and must disclose to its shareholders any authorisation of a conflict of interest contract or transaction in accordance with the Commercial Companies Law 2001, as amended.

              October 2019

        • HC-3 HC-3 Audit Committee and Financial Statements Certification

          • HC-3.1 HC-3.1 Principle

            • HC-3.1.1

              The Board of all licensees must have rigorous controls for financial audit and reporting, internal control, and compliance with law.

              October 2019

          • HC-3.2 HC-3.2 Audit Committee

            • HC-3.2.1

              The Board of licensees should establish an audit committee commensurate with the size, complexity and nature of its business. The audit committee should consider having at least three directors.

              October 2019

            • HC-3.2.2

              The majority of the directors should be independent including the Chairman.

              October 2019

            • HC-3.2.3

              Where there is an audit committee, it must:

              (a) Review the company's accounting and financial practices;
              (b) Review the integrity of the licensees' financial and internal controls and financial statements;
              (c) Review the licensees' compliance with legal requirements;
              (d) Recommend the appointment, compensation and oversight of the licensees' external auditor; and
              (e) Recommend the appointment of the internal auditor (whether in-house or outsourced).

              October 2019

            • HC-3.2.4

              The Board or Audit Committee must ensure that the external audit firm and its partners are truly independent of the licensee and have no financial or other relationship with the licensee. Audit findings must be used as an independent check on the information received from management about the licensees' operations and performance and the effectiveness of internal controls.

              October 2019

          • HC-3.3 HC-3.3 Audit Committee Charter

            • HC-3.3.1

              The audit committee should adopt a written charter which shall, at a minimum, state the duties outlined in Paragraph HC-3.2.4.

              Amended: April 2020
              Added: October 2019

            • HC-3.3.2

              A majority of the audit committee should have financial literacy and information technology qualifications.

              Amended: April 2020
              Added: October 2019

            • HC-3.3.3

              The Board should adopt a "whistleblower" program under which employees can confidentially raise concerns about possible improprieties in financial or legal matters. Under the program, concerns may be communicated directly to any audit committee member or, alternatively, to an identified officer or employee who will report directly to the Audit Committee on this point.

              October 2019

          • HC-3.4 HC-3.4 CEO and CFO Certification of Financial Reporting

            • HC-3.4.1

              The licensee's CEO and chief financial officer must state in writing to the audit committee and the Board as a whole that the licensee's annual and, where applicable, interim financial statements present a true and fair view, in all material respects, of the licensee's financial condition and results of operations in accordance with applicable accounting standards.

              October 2019

        • HC-4 HC-4 Appointment, Training and Evaluation of the Board

          • HC-4.1 HC-4.1 Principle

            • HC-4.1.1

              Licensees must have rigorous procedures for appointment, training and evaluation of the Board.

              October 2019

          • HC-4.2 HC-4.2 Board Nominations to Shareholders

            • HC-4.2.1

              Each proposal by the Board to the shareholders for election or reelection of a director must be accompanied by a recommendation from the Board, and the following specific information:

              (a) The term to be served, which may not exceed three years (but there need not be a limit on reelection for further terms);
              (b) Biographical details and professional qualifications;
              (c) In the case of an independent director, a statement that the Board has determined that the criteria of independent director have been met;
              (d) Any other directorships held;
              (e) Particulars of other positions which involve significant time commitments, and
              (f) Details of relationships between:
                  (i) The candidate and the licensee, and
                  (ii) The candidate and other directors of the licensee.

              October 2019

            • HC-4.2.2

              The chairman of the Board should confirm to shareholders when proposing re-election of a director that, following a formal performance evaluation, the person's performance continues to be effective and continues to demonstrate commitment to the role. Any term beyond six years (e.g. two three-year terms) for a director should be subject to particularly rigorous review, and should take into account the need for progressive refreshing of the Board.

              October 2019

          • HC-4.3 HC-4.3 Induction and Training of Directors

            • HC-4.3.1

              The chairman of the Board of licensees must ensure that each new director receives a formal and tailored induction to ensure his contribution to the Board from the beginning of his term. The induction must include meetings with senior management, visits to company facilities, presentations regarding strategic plans, significant financial, accounting and risk management issues, compliance programs, its internal and external auditors and legal counsel.

              October 2019

            • HC-4.3.2

              All continuing directors must be invited to attend orientation meetings and all directors must continually educate themselves as to the licensee's business and corporate governance.

              October 2019

            • HC-4.3.3

              Management, in consultation with the chairman of the Board, should hold programs and presentations to directors respecting the licensees' business and industry, which may include periodic attendance at conferences and management meetings.

              October 2019

        • HC-5 HC-5 Remuneration of Approved Persons

          • HC-5.1 HC-5.1 Principle

            • HC-5.1.1

              The licensee must remunerate approved persons fairly and responsibly.

              October 2019

          • HC-5.2 HC-5.2 Remuneration Structure

            • HC-5.2.1

              The Board of Directors must:

              (a) Review the licensee's remuneration policies and amounts for approved persons taking into account total remuneration including salaries, fees, expenses and employee benefits which must be approved by the shareholders; and
              (b) Recommend Board members' remuneration based on their attendance and performance.

              October 2019

            • HC-5.2.2

              Remuneration (including incentives, bonuses and other rewards) of approved persons must be sufficient to attract, retain and motivate persons of the quality needed to run the licensee successfully, but the licensee must avoid paying more than is necessary for that purpose.

              October 2019

            • HC-5.2.3

              Where remuneration is structured so as to link rewards to corporate and individual performance, criteria should avoid excessive focus on short-term profitability measures, without due regard to the longer-term consequences of actions taken.

              October 2019

            • Alignment of All Staff Remuneration with Compliance with AML/CFT Requirements

              • HC-5.2.4

                The performance evaluation and remuneration of senior management and staff of the licensee must be based on the achievement of the Key Performance Indicators (KPIs) relevant to ensuring compliance with AML/CFT requirements as specified in Paragraphs FC-2.1.3 and FC-2.1.4.

                Added: April 2020

          • HC-5.3 HC-5.3 Directors' Remuneration

            • HC-5.3.1

              The review of Directors' remuneration must be a standing item on the licensee's Annual General Meeting agenda, and must be considered by shareholders at every Annual General Meeting. Directors' remuneration and bonuses to executive directors must be clearly disclosed in the annual financial statements.

              October 2019

            • HC-5.3.2

              Directors' remuneration should also comply with all applicable laws, such as Legislative Decree No. 21 of 2001, with respect to promulgating the Commercial Companies Law.

              October 2019

            • HC-5.3.3

              Remuneration of non-executive directors must not include performance-related elements such as grants of shares, share options or other deferred stock-related incentive schemes, bonuses, or pension benefits.

              October 2019

          • HC-5.4 HC-5.4 Senior Management Remuneration

            • HC-5.4.1

              Remuneration of senior management must be structured so that a portion of the total is linked to licensee and individual performance and aligns their interests with the interests of the shareholders.

              October 2019

            • HC-5.4.2

              Such rewards may include grants of shares, share options and other deferred stock-related incentive schemes, bonuses, and pension benefits which are not based on salary.

              October 2019

            • HC-5.4.3

              If a senior manager is also a director, his remuneration as a senior manager must take into account compensation received in his capacity as a director.

              October 2019

            • HC-5.4.4

              All share incentive plans must be approved by the shareholders.

              October 2019

            • HC-5.4.5

              All performance-based incentives should be awarded under written objective performance standards which have been approved by the Board and are designed to enhance shareholder and company value, and under which shares should not vest and options should not be exercisable within less than two years of the date of award of the incentive.

              October 2019

            • HC-5.4.6

              All policies for performance-based incentives should be approved by the shareholders, but the approval should be only of the plan itself and not of the grant to specific individuals of benefits under the plan.

              October 2019

        • HC-6 HC-6 Management Structure

          • HC-6.1 HC-6.1 Principle

            • HC-6.1.1

              The Board of licensees must establish a clear and efficient management structure.

              October 2019

          • HC-6.2 HC-6.2 Establishment of Management Structure

            • HC-6.2.1

              The Board must approve and review at least annually the licensees' management structure, responsibilities and authorities.

              October 2019

            • HC-6.2.2

              The Board must appoint senior management whose authority must include management and operation of current activities of the licensees, reporting to and under the direction of the Board. The senior managers must include at a minimum:

              (a) A CEO;
              (b) A chief financial officer;
              (c) An internal auditor;
              (d) A compliance officer/MLRO (see HC-6.5 and AU-1.3); and
              (e) must also include such other approved persons as the Board considers appropriate and as a minimum must include persons occupying controlled functions as outlined in Paragraph AU-1.3.2.

              October 2019

            • HC-6.2.3

              For purposes of HC-6.2.2, given the nature, scale and complexity of its business, licensees may appoint a part-time or a seconded internal auditor.

              October 2019

          • HC-6.3 HC-6.3 Titles, Authorities, Duties and Reporting Responsibilities

            • HC-6.3.1

              Licensees must maintain clearly documented and communicated staff responsibilities and reporting lines.

              October 2019

            • HC-6.3.2

              For the purposes of Rule HC-6.3.1, licensees should maintain and document their delegated authority structure as well as written terms of reference for staff positions.

              October 2019

            • HC-6.3.3

              For the purpose of Paragraph HC-6.3.1, the responsibilities and reporting lines must among other matters include the following:

              (a) The CEO must have authority to act generally in the licensee's name, representing the licensee's interests in concluding transactions on the licensee's behalf and giving instructions to other approved persons and licensee employees;
              (b) The chief financial officer must be responsible and accountable for:
                  (i) The complete, timely, reliable and accurate preparation of the licensee's financial statements, in accordance with the accounting standards and policies of the licensee (see HC-3.4.1); and
                  (ii) Presenting the Board with a balanced and understandable assessment of the licensee's financial situation;
              (c) The internal auditor's (see HC-6.4) duties must include providing an independent and objective review of the efficiency of the licensee's operations. This would include a review of the accuracy and reliability of the licensee's accounting records and financial reports as well as a review of the adequacy and effectiveness of the licensee's risk management, control, and governance processes; and
              (d) The compliance officer's (see HC-6.5) duties include maintaining effective systems and MLRO controls for compliance with applicable requirements in the Kingdom's legislation and those set by the CBB, and those established under any other statute or regulator to which they are subject.

              October 2019

            • HC-6.3.4

              The Board must also specify any limits which it wishes to set on the authority of the CEO or other senior managers, such as monetary maximums for transactions which they may authorize without separate Board approval.

              October 2019

          • HC-6.4 HC-6.4 Internal Audit

            • HC-6.4.1

              Licensees must consider establishing an internal audit function commensurate with the size, complexity and nature of its business to monitor the adequacy of their systems and controls.

              October 2019

            • HC-6.4.2

              The internal audit function must be independent of the senior management, reporting either to the Board or its Audit committee. The internal audit function must not be combined with any other function.

              October 2019

            • HC-6.4.3

              Where licensees outsource part or all of their internal audit function, the outsourcing arrangements must provide for an adequate level of scrutiny of the licensees. A licensee cannot outsource its internal audit function to its external auditor.

              October 2019

            • HC-6.4.4

              Prior approval from the CBB is required for material outsourcing arrangements, including all outsourcing of internal audit. Note that in all such cases, the licensee retains ultimate responsibility for the adequacy of its outsourcing function, and is required to identify the person within the licensee responsible for internal audit: this person should be an approved person (see Section AU-1.2).

              October 2019

            • HC-6.4.5

              Internal audit functions must have terms of reference that clearly indicate:

              (a) The scope and frequency of audits;
              (b) Reporting lines; and
              (c) The review and approval process applied to audits.

              October 2019

            • HC-6.4.6

              The internal audit function must report directly to the Board/Audit committee. It must have unrestricted access to all the appropriate records of the licensees. It must have open and regular access to the Audit Committee, the Board, the Chief Executive, and the licensees' external auditor.

              October 2019

          • HC-6.5 HC-6.5 Compliance/MLRO

            • HC-6.5.1

              Licensees must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements in the Kingdom's legislation and those set by the CBB, and those established under any other statute or regulator to which they are subject.

              October 2019

            • HC-6.5.2

              Depending on the nature, scale and complexity of its business, licensees should consider having a separate compliance function. A compliance function should:

              (a) Document its organisation and responsibilities;
              (b) Be appropriately staffed with competent individuals;
              (c) Have unrestricted access to the licensees' relevant records; and
              (d) Have ultimate recourse to the Board.

              October 2019

            • HC-6.5.3

              The compliance function/MLRO must not be combined with the internal audit function or any other operational function as such combination may lead to a conflict of interest.

              October 2019

        • HC-7 HC-7 Communication between Board and Shareholders

          • HC-7.1 HC-7.1 Principle

            • HC-7.1.1

              The licensees must communicate with shareholders, encourage their participation, and respect their rights.

              October 2019

          • HC-7.2 HC-7.2 Conduct of Shareholders' Meetings

            • HC-7.2.1

              The Board must observe both the letter and the intent of the Company Law's requirements for shareholder meetings. Among other things:

              (a) Notices of meetings must be honest, accurate and not misleading. They must clearly state and, where necessary, explain the nature of the business of the meeting;
              (b) Meetings must be held during normal business hours and at a place convenient for the greatest number of shareholders to attend;
              (c) Notices of meetings must encourage shareholders to participate by proxy and must refer to procedures for appointing a proxy and for directing the proxy how to vote on a particular resolution. The proxy agreement must list the agenda items and must specify the vote (such as "yes," "no" or "abstain");
              (d) Notices must ensure that all material information and documentation is provided to shareholders on each agenda item for any shareholder meeting, including but not limited to any recommendations or dissents of directors;
              (e) The Board must propose a separate resolution at any meeting on each substantially separate issue, so that unrelated issues are not "bundled" together;
              (f) In meetings where directors are to be elected or removed the Board must ensure that each person is voted on separately, so that the shareholders can evaluate each person individually;
              (g) The chairman of the meeting must encourage questions from shareholders, including questions regarding licensees' corporate governance guidelines;
              (h) The minutes of the meeting must be made available to shareholders upon their request within 30 days from the date of receipt of the request and must be endorsed at the next general assembly; and
              (i) Disclosure of all material facts must be made to the shareholders.
              October 2019

            • HC-7.2.2

              The licensee must require its external auditor to attend the annual shareholders' meeting and be available to answer shareholders' questions concerning the conduct and conclusions of the audit.

              October 2019

        • HC-8 HC-8 TPAs, Shari'a Advisory/Review Services, Crowdfunding Platform Operators and Other Ancillary Service Providers

          • HC-8.1 HC-8.1 The Board

            • HC-8.1.1

              Licensees should be headed by an effective, collegial and informed Board of Directors ('the Board').

              October 2019

            • Role and Responsibilities

              • HC-8.1.2

                All members of the board of directors should understand the Board's role and responsibilities under the Bahrain Commercial Companies Law (2001) and its amendments and any other laws or regulations that may govern their responsibilities from time to time. In particular:

                (a) The Board's role as distinct from the role of the shareholders (who elect the Board and whose interests the Board serves) and the role of officers (whom the Board appoints and oversees); and
                (b) The Board's fiduciary duties of care and loyalty to the licensee and the shareholders (see HC-8.2).
                October 2019

              • HC-8.1.3

                The Board's role and responsibilities include but are not limited to:

                (a) The overall business performance and strategy for the licensee;
                (b) Causing financial statements to be prepared which accurately disclose the licensee's financial position;
                (c) Monitoring management performance;
                (d) Approving the agenda for shareholders' meetings;
                (e) Monitoring conflicts of interest and preventing abusive related party transactions; and
                (f) Assuring equitable treatment of shareholders including minority shareholders.
                October 2019

              • HC-8.1.4

                The members of the board of directors are responsible both individually and collectively for performing the responsibilities outlined in Paragraph HC-8.1.3. Although the Board may delegate certain functions to committees or management, it may not delegate its ultimate responsibility to ensure that an adequate, effective, comprehensive and transparent corporate governance framework is in place.

                October 2019

              • HC-8.1.5

                When a member of the board of directors is inducted, the chairman of the Board, assisted by company legal counsel or compliance officer, should review the Board's role and duties with that person, particularly covering legal and regulatory requirements and Module HC.

                October 2019

              • HC-8.1.6

                The licensee should have a written appointment agreement with each director which recites the directors' powers and duties and other matters relating to his appointment including his term, the time commitment envisaged, the committee assignment if any, his remuneration and expense reimbursement entitlement, and his access to independent professional advice when that is needed.

                October 2019

              • HC-8.1.7

                The Board should adopt a formal Board charter or other statement specifying matters which are reserved to it, which should include but need not be limited to the specific requirements and responsibilities of board directors.

                October 2019

            • Composition

              • HC-8.1.8

                The Board should have no more than 15 members, and should regularly review its size and composition to ensure that it is small enough for efficient decision-making yet large enough to have members who can contribute from different specialties and viewpoints. The Board should recommend changes in Board size to the shareholders when a needed change requires amendment of the licensee's Memorandum of Association.

                October 2019

              • HC-8.1.9

                Potential non-executive directors should be made aware of their duties before their nomination, particularly as to the time commitment required. The Board should regularly review the time commitment required from each non-executive director and should require each non-executive director to inform the Board before he accepts any Board appointments to another company. One person should not hold more than three directorships in public companies in Bahrain with the provision that no conflict of interest may exist, and the Board should not propose the election or reelection of any director who does.

                October 2019

            • Decision Making Process

              • HC-8.1.10

                The Board should be collegial and deliberative, to gain the benefit of each individual director's judgment and experience.

                October 2019

              • HC-8.1.11

                The chairman should take an active lead in promoting mutual trust, open discussion, constructive dissent and support for decisions after they have been made.

                October 2019

              • HC-8.1.12

                The Board should meet frequently but in no event less than four times a year. All directors should attend the meetings whenever possible and the directors should maintain informal communication between meetings.

                October 2019

              • HC-8.1.13

                The chairman should ensure that all directors receive an agenda, minutes of prior meetings, and adequate background information in writing before each Board meeting and when necessary between meetings. All directors should receive the same Board information. At the same time, directors have a legal duty to inform themselves and they should ensure that they receive adequate and timely information and should study it carefully.

                October 2019

            • Directors' Communication with Management

              • HC-8.1.14

                The Board should encourage participation by management regarding matters the Board is considering, and also by management members who, by reason of responsibilities or succession, the CEO believes should have exposure to the directors.

                October 2019

              • HC-8.1.15

                Non-executive directors should have free access to the licensee's management beyond that provided in Board meetings. Such access should be through the Chairman of the Audit Committee or CEO. The Board should make this policy known to management to alleviate any management concerns about a director's authority in this regard.

                October 2019

          • HC-8.2 HC-8.2 Approved Persons Loyalty

            • HC-8.2.1

              The Board should establish formal procedures for:

              (a) Periodic disclosure and updating of information by each approved person on his actual and potential conflicts of interest; and
              (b) Advance approval by directors or shareholders who do not have an interest in the transactions in which a licensee's 'approved person' has a personal interest. The Board should require such advance approval in every case.
              October 2019

            • Disclosure of Conflicts of Interests to Shareholders

              • HC-8.2.2

                The licensee should disclose to its shareholders in the Annual Report any abstention from voting motivated by a conflict of interest and should disclose to its shareholders any authorisation of a conflict of interest contract or transaction in accordance with the Company Law.

                October 2019

          • HC-8.3 HC-8.3 Financial Statements Certification

            • HC-8.3.1

              The Board should have rigorous controls for financial audit and reporting, internal control, and compliance with law.

              October 2019

            • CEO and CFO Certification of Financial Statements

              • HC-8.3.2

                To encourage management accountability for the financial statements required by the directors, the licensee's CEO and chief financial officer should state in writing to the audit committee and the Board as a whole that the licensee's interim and annual financial statements present a true and fair view, in all material respects, of the licensee's financial condition and results of operations in accordance with applicable accounting standards.

                October 2019

          • HC-8.4 HC-8.4 Appointment, Training and Evaluation of the Board

            • HC-8.4.1

              The licensee should have rigorous procedures for appointment, training and evaluation of the Board.

              October 2019

            • Induction and Training of Directors

              • HC-8.4.2

                The chairman of the Board should ensure that each new director receives a formal and tailored induction to ensure his contribution to the Board from the beginning of his term. The induction should include meetings with senior management, visits to company facilities, presentations regarding strategic plans, significant financial, accounting and risk management issues, compliance programs, its internal and external auditors and legal counsel.

                October 2019

              • HC-8.4.3

                All continuing directors should be invited to attend orientation meetings and all directors should continually educate themselves as to the licensee's business and corporate governance.

                October 2019

              • HC-8.4.4

                Management, in consultation with the chairman of the Board, should hold programs and presentations to directors respecting the licensee's business and industry, which may include periodic attendance at conferences and management meetings. The Board should oversee directors' corporate governance educational activities.

                October 2019

          • HC-8.5 HC-8.5 Remuneration of Approved Persons

            • HC-8.5.1

              Licensees should remunerate approved persons fairly and responsibly.

              October 2019

            • HC-8.5.2

              Remuneration of approved persons should be sufficient enough to attract, retain and motivate persons of the quality needed to run the operations of the licensee successfully, but the licensee should avoid paying more than is necessary for that purpose.

              October 2019

          • HC-8.6 HC-8.6 Management Structure

            • HC-8.6.1

              The Board of the licensee should establish a clear and efficient management structure.

              October 2019

            • Establishment of Management Structure

              • HC-8.6.2

                The Board should appoint senior management whose authority should include management and operation of current activities of the licensee, reporting to and under the direction of the Board. The senior managers should include at a minimum:

                (a) A CEO/General Manager;
                (b) A chief financial officer and/or Financial Controller;
                (c) Compliance Officer/MLRO

                and should also include such other approved persons as the Board considers appropriate and as a minimum should include persons occupying controlled functions as outlined in Paragraph AU-1.2.2.

                October 2019

              • HC-8.6.3

                For purposes of HC-8.6.2 (c) given the nature, scale and complexity of its business, licensees may appoint a part-time or a seconded corporate secretary.

                October 2019

            • Titles, Authorities, Duties and Reporting Responsibilities

              • HC-8.6.4

                The Board should adopt by-laws prescribing each senior manager's title, authorities, duties and internal reporting responsibilities. This should be done in consultation with the CEO, to whom the other senior managers should normally report.

                October 2019

              • HC-8.6.5

                These provisions should include but should not be limited to the following:

                (a) The CEO should have authority to act generally in the licensee's name, representing its interests in concluding transactions on its behalf and giving instructions to other senior managers and employees;
                (b) The chief financial officer should be responsible and accountable for:
                (i) The complete, timely, reliable and accurate preparation of the licensee's financial statements, in accordance with the accounting standards and board approved policies; and
                (ii) Presenting the Board with a balanced and understandable assessment of the licensee's financial situation;
                (c) The corporate secretary's duties should include arranging, recording and following up on the actions, decisions and meetings of the Board and of the shareholders (both at annual and extraordinary meetings) in books to be kept for that purpose; and
                (d) The internal auditor's duties should include providing an independent and objective review of the efficiency of the licensee's operations. This would include a review of the accuracy and reliability of the licensee's accounting records and financial reports as well as a review of the adequacy and effectiveness of the risk management, control, and governance processes.
                October 2019

              • HC-8.6.6

                The Board should also specify any limits which it wishes to set on the authority of the CEO or other senior managers, such as monetary maximums for transactions which they may authorise without separate Board approval.

                October 2019

              • HC-8.6.7

                The corporate secretary should be given general responsibility for reviewing the licensee's procedures and advising the Board directly on such matters. Whenever practical, the corporate secretary should be a person with legal or similar professional experience and training.

                October 2019

              • HC-8.6.8

                At least annually, the Board should review and concur in a succession plan addressing the policies and principles for selecting a successor to the CEO, both in emergencies and in the normal course of business. The succession plan should include an assessment of the experience, performance, skills and planned career paths for possible successors to the CEO.

                October 2019

          • HC-8.7 HC-8.7 Communication between Board and Shareholders

            • HC-8.7.1

              Licensees should communicate with shareholders, encourage their participation, and respect their rights.

              October 2019

            • Conduct of Shareholders' Meetings

              • HC-8.7.2

                The Board should observe both the letter and the intent of the Company Law's requirements for shareholder meetings. Among other things:

                (a) Notices of meetings should be honest, accurate and not misleading. They should clearly state and, where necessary, explain the nature of the business of the meeting;
                (b) Meetings should be held during normal business hours and at a place convenient for the greatest number of shareholders to attend;
                (c) Notices of meetings should encourage shareholders to participate by proxy and should refer to procedures for appointing a proxy and for directing the proxy how to vote on a particular resolution. The proxy agreement should list the agenda items and should specify the vote (such as "yes," "no" or "abstain");
                (d) Notices should ensure that all material information and documentation is provided to shareholders on each agenda item for any shareholder meeting, including but not limited to any recommendations or dissents of directors;
                (e) The Board should propose a separate resolution at any meeting on each substantially separate issue, so that unrelated issues are not "bundled" together;
                (f) In meetings where directors are to be elected or removed the Board should ensure that each person is voted on separately, so that the shareholders can evaluate each person individually;
                (g) The chairman of the meeting should encourage questions from shareholders, including questions regarding the licensee's corporate governance guidelines;
                (h) The minutes of the meeting should be made available to shareholders upon their request as soon as possible but not later than 30 days after the meeting; and
                (i) Disclosure of all material facts should be made to the shareholders.
                October 2019

              • HC-8.7.3

                Licensees should require all directors to attend and be available to answer questions from shareholders at any shareholder meeting and, in particular, ensure that the chairs of the audit, remuneration and nominating committees are ready to answer appropriate questions regarding matters within their committee's responsibility (it being understood that confidential and proprietary business information may be kept confidential).

                October 2019

              • HC-8.7.4

                Licensees should require their external auditor to attend the annual shareholders' meeting and be available to answer shareholders' questions concerning the conduct and conclusions of the audit.

                October 2019

              • HC-8.7.5

                Licensees should maintain a company website. Licensees should dedicate a specific section of their website to describing shareholders' rights to participate and vote at each shareholders' meeting, and should post significant documents relating to meetings including the full text of notices and minutes. Licensees may also consider establishing an electronic means for shareholders' communications including appointment of proxies. For confidential information, licensees should grant their shareholders controlled access to such information.

                October 2019

              • HC-8.7.6

                In notices of meetings at which directors are to be elected or removed licensees should ensure that:

                (a) Where the number of candidates exceeds the number of available seats, the notice of the meeting should explain the voting method by which the successful candidates will be selected and the method to be used for counting of votes; and
                (b) The notice of the meeting should present a factual and objective view of the candidates so that shareholders may make an informed decision on any appointment to the board.
                October 2019

      • GR GR Ancillary Service Providers General Requirements Module

        • GR-A GR-A Introduction

          • GR-A.1 GR-A.1 Purpose

            • Executive Summary

              • GR-A.1.1

                Module GR presents a variety of different requirements that are not extensive enough to warrant their own stand-alone Module, but for the most part are generally applicable. These include general requirements on confidentiality, books and records, publication of documents, the distribution of dividends, controllers, close links and suspension of business. Specific requirements for TPAs and credit reference bureaus are also included. Each set of requirements is contained in its own Chapter.

                April 2016

            • Legal Basis

              • GR-A.1.2

                This Module contains the Central Bank of Bahrain ('CBB') Directive (as amended from time to time) regarding general requirements applicable to ancillary service provider licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 and its amendments ('CBB Law'). Requirements regarding controllers (see Chapter GR-7) are also included in Regulations, to be issued by the CBB.

                April 2016

              • GR-A.1.3

                For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

                April 2016

          • GR-A.2 GR-A.2 Module History

            • Evolution of Module

              • GR-A.2.1

                This Module was first issued in April 2016 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

                April 2016

              • GR-A.2.2

                A list of recent changes made to this Module is detailed in the table below:

                | Module Ref. | Change Date | Description of Changes |
                |---|---|---|
                | GR-9.1.8 | 10/2016 | Added a Rule in the Cessation of Business Section to be consistent with other Volumes of the CBB Rulebook. |
                | GR-4.3.8 | 01/2017 | Amended Paragraph reference. |
                | GR-7.1.6 | 01/2017 | Consistency of notification timeline rule on controllers with other Volumes of the CBB Rulebook. |
                | GR-2.2.1 | 07/2017 | Amended paragraph according to the Legislative Decree No. (28) of 2002. |
                | GR-2.2.2 | 07/2017 | Deleted paragraph. |
                | GR-5A.1 | 10/2017 | Added a chapter on "General Requirements for Financing-Based Crowdfunding Platform Operators". |
                | GR-5A.2 | 10/2017 | Additional requirements for "Shari'a-Compliant Financing-Based Crowdfunding Platform Operators". |
                | GR-6.1.3 | 10/2017 | Added additional requirement to submit when requesting no-objection letter for proposed dividends. |
                | GR-5A.1.4 | 10/2018 | Amended Paragraph to further clarify the scope of exemption. |
                | GR-10 | 11/2018 | Amended Paragraph to further clarify the scope of exemption. |
                | GR-11 | 11/2018 | Added new Section on Outsourcing |
                | GR-5A.1.4 | 01/2019 | Amended Paragraph on maximum credit provided to each borrower under a crowdfunding agreement. |
                | GR-5A.1.5 | 01/2019 | Amended Paragraph. |
                | GR-5A.1.8 | 01/2019 | Amended Paragraph. |
                | GR-5A.1.11A | 01/2019 | Added a new Paragraph on the minimum time to withdraw a commitment. |
                | GR-5B.1 | 04/2019 | Added a Chapter on "Physical Security measures for Payment Service Providers owning or Operating Cash Dispensing Machines (CDMs) or Kiosks". |
                | GR-5B.2 | 04/2019 | Additional requirements for "CDM/Kiosk Security Measures: Hardware/Software". |
                | GR-7.1.1A | 04/2019 | Added a new Paragraph on exposure to controllers. |
                | GR-7.1.1B | 04/2019 | Added a new Paragraph on exposure to controllers. |
                | GR-5B.1.13 | 07/2019 | Added a new Paragraph on Europay, MasterCard and Visa (EMV) Compliance. |
                | GR-5B.1.14 & GR-5B.1.15 | 10/2019 | Added new Paragraphs on Contactless Payment Transactions. |
                | GR-2.2.1 | 01/2020 | Amended Paragraph. |
                | GR-9.1.8 | 04/2020 | Amended Paragraph. |
                | GR-10.3.14 | 04/2020 | Amended Paragraph adding reference to CBB consumer protection. |
                | GR-10.5.6 | 04/2020 | Amended Paragraph adding reference to CBB consumer protection. |
                | GR-10.7.1 - GR-10.7.3 | 04/2020 | Amended Paragraphs adding reference to CBB consumer protection. |
                | GR-5B.1.13A | 07/2020 | Added a new Paragraph on contactless payment. |
                | GR-C | 10/2020 | Added a new Chapter on Provision of Financial Services on a Non-discriminatory Basis. |
                | GR-12 | 01/2021 | Added a new Chapter on Information Security. |
                | GR-13 | 04/2021 | Added a new Chapter on Fees and Charges. |
                | GR-12.2 | 07/2021 | Added a new Section on Cyber Security. |

        • GR-B GR-B Scope of Application

          • GR-B.1 GR-B.1 Ancillary Service Provider Licensees

            • GR-B.1.1

              Unless otherwise indicated, the requirements in this Module apply to all ancillary service provider licensees, hereafter referred to in this Module as licensees.

              April 2016

        • GR-C GR-C Provision of Financial Services on a Non-discriminatory Basis

          • GR-C.1 GR-C.1 Provision of Financial Services on a Non-discriminatory Basis

            • GR-C.1.1

              Ancillary service provider licensees must ensure that all regulated financial services are provided without any discrimination based on gender, nationality, origin, language, faith, religion, physical ability or social standing.

              Added: October 2020

        • GR-1 GR-1 Confidentiality

          • GR-1.1 GR-1.1 General Requirements

            • GR-1.1.1

              Licensees must ensure that any information in their control or custody is not used or disclosed unless:

              (a) They have the customer's or licensee's written consent;
              (b) Disclosure is made in accordance with the licensee's regulatory obligations; or
              (c) The licensee and members of the credit reference bureau are legally obliged to disclose the information in accordance with Article 117 of the CBB Law.
              April 2016

            • GR-1.1.2

              Ancillary service providers must take appropriate steps to ensure the security of any information handled for their customers or held on behalf of other CBB licensees.

              April 2016

        • GR-2 GR-2 Books and Records

          • GR-2.1 GR-2.1 General Requirements

            • GR-2.1.1

              In accordance with Article 59 of the CBB Law, all licensees must maintain books and records (whether in electronic or hard copy form) sufficient to produce financial statements and show a complete record of the business undertaken by a licensee. These records must be retained for at least ten years according to Article 60 of the CBB Law.

              April 2016

            • GR-2.1.2

              Paragraph GR-2.1.1 includes accounts, books, files and other records related to client information (e.g. trial balance, general ledger, reconciliations, list of counterparties, etc.). It also includes records that substantiate the value of the assets and liabilities.

              April 2016

            • GR-2.1.3

              Separately, Bahrain Law currently requires other transaction records to be retained for at least five years (see Ministerial Order No. 23 of 2002, Article 5(2), made pursuant to the Amiri Decree Law No. 4 of 2001).

              April 2016

            • GR-2.1.4

              Unless otherwise agreed to by the CBB in writing, records must be kept in either English or Arabic. Any records kept in languages other than English or Arabic must be accompanied by a certified English or Arabic translation. Records must be kept current. The records must be sufficient to allow an audit of the licensee's business or an on-site examination of the licensee by the CBB.

              April 2016

            • GR-2.1.5

              Translations produced in compliance with Rule GR-2.1.4 may be undertaken in-house, by an employee or contractor of the licensee, provided they are certified by an appropriate officer of the licensee.

              April 2016

            • GR-2.1.6

              Records must be accessible at any time from within the Kingdom of Bahrain, or as otherwise agreed with the CBB in writing.

              April 2016

            • GR-2.1.7

              Where older records have been archived, the CBB may accept that records be accessible within a reasonably short time frame (e.g. within 5 business days), instead of immediately. The CBB may also agree similar arrangements where elements of record retention and management have been centralised in another group company, whether inside or outside of Bahrain.

              April 2016

            • GR-2.1.8

              Paragraphs GR-2.1.1 to GR-2.1.7 apply to licensees, with respect to all business activities.

              April 2016

          • GR-2.2 GR-2.2 Transaction Records

            • GR-2.2.1

              Licensees must keep completed transaction records for as long as they are relevant for the purposes for which they were made (with a minimum period in all cases of five years from the date when the transaction was terminated). Records of terminated transactions must be kept whether in hard copy or electronic format as per the Legislative Decree No. (54) of 2018 with respect to Electronic Transactions “The Electronic Communications and Transactions Law” and its amendments.

              Amended: January 2020
              Amended: July 2017
              Added: April 2016

            • GR-2.2.2

              [This Paragraph has been deleted in July 2017].

              Deleted: July 2017
              April 2016

            • GR-2.2.3

              Rule GR-2.2.1 applies only to transactions relating to business booked in Bahrain by the licensee.

              April 2016

          • GR-2.3 GR-2.3 Other Records

            • Corporate Records

              • GR-2.3.1

                Licensees must maintain the following records in original form or in hard copy at their premises in Bahrain:

                (a) Internal policies, procedures and operating manuals;
                (b) Corporate records, including minutes of shareholders', Directors' and management meetings;
                (c) Correspondence with the CBB and records relevant to monitoring compliance with CBB requirements;
                (d) Reports prepared by the licensee's internal and external auditors; and
                (e) Employee records.
                April 2016

            • Customer Records

              • GR-2.3.2

                Record-keeping requirements with respect to customer records, including customer identification and due diligence records, are contained in Module FC (Financial Crime).

                April 2016

        • GR-3 GR-3 Publication of Documents by the Licensee

          • GR-3.1 GR-3.1 General Requirements

            • GR-3.1.1

              Any written communication, including stationery, business cards or other business documentation published by the licensee, or used by its employees must include a statement that the licensee is regulated by the Central Bank of Bahrain, the type of license and the legal status.

              April 2016

        • GR-4 GR-4 General Requirements for TPAs

          • GR-4.1 GR-4.1 Compensation

            • GR-4.1.1

              A TPA's compensation may be determined:

              (a) As a percentage of the claims processed by the TPA; or
              (b) On another basis as specified in the written agreement.
              April 2016

          • GR-4.2 GR-4.2 Code of Conduct

            • GR-4.2.1

              TPAs are allowed to enter into agreement with more than one:

              (a) Insurance firm; and/or
              (b) A self-funded scheme outside of Bahrain.
              April 2016

            • GR-4.2.2

              TPAs must not charge any kind of fees to the claimants/policyholders.

              April 2016

            • GR-4.2.3

              TPAs must not market or sell insurance nor own any part of a healthcare facility or company.

              April 2016

            • GR-4.2.4

              Where a TPA owns any part of a healthcare facility or company at the time this Module is issued, it will be permitted to retain its ownership in the company.

              April 2016

            • GR-4.2.5

              TPAs must act in the insurance firm's and/or self-funded scheme's (limited to outside Bahrain) best interests at all times and must fulfill their needs to the best of their ability.

              April 2016

            • GR-4.2.6

              TPAs must improve the skills of their employees and increase their knowledge through continuing education and training.

              April 2016

            • GR-4.2.7

              TPAs must disclose to the existing and prospective insurance firm and/or self-funded scheme (limited to outside Bahrain) any and all information that may affect the TPA's ability to provide services and/or advice to the clients.

              April 2016

            • GR-4.2.8

              TPAs must ensure that all client funds collected and/or held by the TPA are used for the express purpose for which the funds are collected and/or held as understood by the insurance firm and/or self-funded scheme (limited to outside Bahrain).

              April 2016

            • GR-4.2.9

              TPAs must fully disclose to each insurance firm and/or self-funded scheme (limited to outside Bahrain) the terms of engagement and the services to be rendered to that client.

              April 2016

          • GR-4.3 GR-4.3 Segregation of Funds

            • GR-4.3.1

              All funds remitted to a TPA by an insurance firm and/or self-funded scheme (limited to outside Bahrain) must be held by the TPA in a separate account maintained in the name of the insurance firm and/or self-funded scheme (limited to outside Bahrain) or in a separate account maintained jointly in the names of the insurance firm and/or self-funded scheme (limited to outside Bahrain) and the TPA.

              April 2016

            • GR-4.3.2

              When funds are collected by a TPA from a healthcare provider on behalf of an insurance firm and/or self-funded scheme (limited to outside Bahrain), such funds must be promptly deposited in a separate account maintained in the name of the insurance firm and/or self-funded scheme (limited to outside Bahrain) or an account maintained jointly in the names of the insurance firm and/or self-funded scheme (limited to outside Bahrain) and the TPA, or remitted to the insurance firm and/or self-funded scheme (limited to outside Bahrain), as provided for in the agreement.

              April 2016

            • GR-4.3.3

              When an account is held jointly in the names of the insurance firm and/or self-funded scheme (limited to outside Bahrain) and the TPA, the TPA must provide the insurance firm and/or self-funded scheme (limited to outside Bahrain) on a monthly basis a record of all transactions in the joint account.

              April 2016

            • GR-4.3.4

              Funds must not be commingled with any other funds of the TPA nor other insurance firm and/or self-funded scheme (limited to outside Bahrain) of the TPA. Records of a TPA must clearly show funds received and paid out allocated per insurance firm and/or self-funded scheme (limited to outside Bahrain) and must be made available to the insurance firm and/or self-funded scheme (limited to outside Bahrain) upon request.

              April 2016

            • GR-4.3.5

              An insurance firm and/or self-funded scheme (limited to outside Bahrain) shall have the responsibility to make available to the TPA funds necessary to enable the TPA to pay claims in a timely manner, as provided in the agreement.

              April 2016

            • GR-4.3.6

              TPAs must process and settle claims of the policyholder/claimant within 15 calendar days from the receipt of all necessary documents.

              April 2016

            • GR-4.3.7

              TPAs must process and settle claims from healthcare service providers within 30 calendar days from the receipt of all necessary documents from the healthcare service providers.

              April 2016

            • GR-4.3.8

              TPAs must comply with Paragraphs GR-4.3.6 and GR-4.3.7 by 30th September 2016 at the latest.

              Amended: January 2017
              April 2016

          • GR-4.4 GR-4.4 Content of Written Agreement

            • GR-4.4.1

              A TPA must not conduct any business with an insurance firm and/or self-funded scheme (limited to outside Bahrain) in the absence of a written agreement between the TPA and the insurance firm and/or self-funded scheme (limited to outside Bahrain). The agreement must be retained as part of the official records of the TPA for the duration of the agreement.

              April 2016

            • GR-4.4.2

              The agreement referred to in Paragraph GR-4.4.1 must include at a minimum:

              (a) The services to be provided by the TPA on behalf of the insurance firm and/or self-funded scheme (limited to outside Bahrain);
              (b) Financial arrangements;
              (c) Provisions setting forth the respective liability of the insurance firm and/or self-funded scheme (limited to outside Bahrain) and the TPA for the accuracy and eligibility of submitted claims, and for the prompt submission of claims; and
              (d) The responsibilities of the TPA to the insurance firm and/or self-funded scheme (limited to outside Bahrain) with respect to the maintenance of appropriate back-up systems against the loss of records, and the maintenance of appropriate insurance coverage by the TPA against the risk of loss.
              April 2016

          • GR-4.5 GR-4.5 Prohibition of Collection of Premiums/Contributions

            • GR-4.5.1

              TPAs are prohibited from collecting premiums/contributions from policyholders. Premiums/contributions must be paid directly by the policyholders to insurance firms.

              April 2016

        • GR-5 GR-5 General Requirements for Credit Reference Bureaus

          • GR-5.1 GR-5.1 Code of Practice

            • GR-5.1.1

              Credit reference bureaus must comply with the Code of Practice (Appendix CM-3 under Volumes 1 and 2 of the CBB Rulebook).

              April 2016

        • GR-5A GR-5A General Requirements for Financing-Based Crowdfunding Platform Operators

          • GR-5A.1 GR-5A.1 General Requirements for Financing-Based Crowdfunding Platform Operators

            • GR-5A.1.1

              A crowdfunding platform operator must become a member of the Bahrain Credit Reference Bureau.

              Added: October 2017

            • GR-5A.1.2

              A crowdfunding platform operator must make arrangements with a local retail bank (which holds the appropriate CBB license) to facilitate transactions, whereby:

              i. Lenders must prefund the full committed amount by depositing it at the designated licensed retail bank in the Kingdom of Bahrain. The name of the retail bank must be disclosed to the CBB; and
              ii. The crowdfunding platform operator must designate an escrow account as an aggregate account for all borrowers. The crowdfunding platform operator must maintain within its records separate sub-accounts for each borrower. The name of the designated bank must be provided to the lenders.
              Added: October 2017

            • GR-5A.1.3

              Crowdfunding platform operators must make sure that the lending thresholds and the prescribed tenors for the loans, as prescribed in GR-5A.1.3 to GR-5A.1.6, are all met.

              Added: October 2017

            • GR-5A.1.4

              Under a crowdfunding agreement, the amount of credit provided must be less than or equal to BD 500,000 in aggregate, per borrower, in any given calendar year, except where, subject to the CBB's prior written approval, the funding raised is to be used for a Government of Bahrain-led initiative/project. Additionally, the tenor of loans must not exceed 5 years.

              Amended: January 2019
              Amended: October 2018
              Added: October 2017

            • GR-5A.1.5

              All lenders intending to participate in a crowdfunding platform must fill out the 'Self Declaration Form' declaring that they meet this requirement.

              Amended: January 2019
              Added: October 2017

            • GR-5A.1.6

              The minimum subscription to be received in a crowdfunding offer must not be less than 80% of the crowdfunding offer size. In the event that the borrower is unable to receive the minimum required loan subscription, all subscription monies received must be refunded to the lenders no later than 7 calendar days after the closing date of the crowdfunding offer.

              Added: October 2017

            • GR-5A.1.7

              In case of over-subscription, the crowdfunding platform operator must ensure that no funding shall be made to the borrower in excess of the original offer size. Also, the lenders must get a proportionate share of the crowdfunding offer size.

              Added: October 2017

            • GR-5A.1.8

              The lender in a crowdfunding agreement has to be an accredited investor or an expert investor (as defined in the CBB Rulebook, Volume 4).

              Amended: January 2019
              Added: October 2017

            • GR-5A.1.9

              Crowdfunding platform operators are responsible for checking that the 'Self-Declaration' form has been signed and submitted by the lenders, prior to investing in borrowings arranged through the platform.

              Added: October 2017

            • GR-5A.1.10

              The 'Self-Declaration Form' must include, amongst other things, a declaration that the lender will meet the lending thresholds imposed by the CBB and an acknowledgment that they may lose all or part of their funds invested.

              Added: October 2017

            • GR-5A.1.11

              Crowdfunding platform operators must demonstrate to the CBB that they have devised appropriate consumer protection standards.

              Added: October 2017

            • GR-5A.1.11A

              Crowdfunding platform operators must allow persons (whether natural or legal) who commit to a borrower on a crowdfunding platform, a minimum of 48 hours from the time the commitment is made, to withdraw the commitment. No fee or penalty must be charged to such persons if a commitment is withdrawn.

              Added: January 2019

            • GR-5A.1.12

              Crowdfunding platform operators must ensure that sufficient information is available to lenders on the profiles of the borrowers, by relying on the information disclosed by the borrowers in the 'Standard Forms for Borrowers' and the related required documents to be submitted by the borrowers, thus allowing lenders to make informed lending decisions. Moreover, the documentation must state the governing law for the financing transaction. The disclosure of such information shall be on standard CBB-prescribed templates. Additionally, such information must be provided to potential lenders before they agree to commit to lending. In cases where the borrower is not based in the Kingdom of Bahrain, adequate disclosure on the governing law and cross-border risks must be provided to the potential lenders.

              Added: October 2017

            • GR-5A.1.13

              It is the responsibility of the lenders to perform their own creditworthiness assessments on the borrowers and other related due diligence before making any commitment to lend.

              Added: October 2017

            • GR-5A.1.14

              Crowdfunding platform operators must comply with the Financial Crime Module of Rulebook Volume 5 under 'Common Modules' with respect to Anti-Money Laundering and Combating the Financing of Terrorism requirements.

              Added: October 2017

            • GR-5A.1.15

              Crowdfunding platform operators must establish effective systematic internal procedures for establishing and verifying the identity of lenders and the source of their funds. They must undertake lender due diligence ('KYC') by requiring them to fill out the 'Standard Lender Form', along with submitting the required related documents, including the FATCA report.

              Added: October 2017

            • GR-5A.1.16

              The "Standard Lender Form" referred to in Paragraph GR-5A.1.15 shall be provided by the CBB under Part B of Rulebook Volume 5 (Ancillary Service Providers).

              Added: October 2017

            • GR-5A.1.17

              Crowdfunding platform operators must establish a framework which sets out policies and procedures to effectively and efficiently manage conflicts of interest. Such conflicts must be managed in a timely manner.

              Added: October 2017

            • GR-5A.1.18

              Crowdfunding platform operators must have a fair dealing policy for excluding a borrower from using the crowdfunding platform if there is adequate reason to believe that the borrower, in relation to any loan arrangements, has:

              i. Engaged in a conduct that is misleading or deceptive or likely to mislead or deceive; or
              ii. Made a false or misleading representation; or
              iii. Made an unsubstantiated representation.
              Added: October 2017

            • GR-5A.1.19

              Crowdfunding platform operators are responsible for tracking the performance of the loan portfolios and are required to disclose this information to the lenders and the CBB on a quarterly basis as per the templates to be specified by the CBB. The information provided by the Crowdfunding Platform Operators must be clear, fair, relevant and not misleading.

              Added: October 2017

            • GR-5A.1.20

              Crowdfunding platform operators are responsible for having Business Continuity and Disaster Recovery plans in place, which must be approved by the CBB, to ensure that all existing outstanding loans will continue to be administered if the platform collapses or goes out of business.

              Added: October 2017

            • GR-5A.1.21

              The CBB has the right to impose additional requirements on Crowdfunding Platform Operators, as and when it deems necessary.

              Added: October 2017

            • GR-5A.1.22

              Crowdfunding platform operators must clearly and publicly disclose their fees, charges and commissions.

              Added: October 2017

            • GR-5A.1.23

              Crowdfunding platform operators must have adequate financial resources to run their business and take on the needed risks.

              Added: October 2017

            • GR-5A.1.24

              Crowdfunding platform operators must have adequate non-financial resources (e.g. efficient management with sufficient knowledge of the business and adequate experience, IT strategy, controls and systems, etc.) required to run the business.

              Added: October 2017

            • GR-5A.1.25

              Crowdfunding platform operators must ensure cyber-security at all times including conducting IT security penetration testing semiannually by an independent consultant.

              Added: October 2017

            • GR-5A.1.26

              Crowdfunding platform operators must maintain relevant systems in place for mitigating and managing operational and other risks.

              Added: October 2017

            • GR-5A.1.27

              Crowdfunding platform operators are obliged to exert their best efforts in following up the repayment process (collection of installments) from the borrowers on behalf of the lenders.

              Added: October 2017

            • GR-5A.1.28

              A crowdfunding platform operator must ensure that its officers, employees and their family members do not carry out the following activities through the crowdfunding platform:

              (a) Lend money or provide finance to a borrower;
              (b) Borrow money from a lender; or
              (c) Hold any direct or indirect interest in the capital or voting rights of a borrower or lender.
              Added: October 2017

            • GR-5A.1.29

              A crowdfunding platform operator itself may lend money to borrowers who use the platform, subject to:

              i. Obtaining the required license from the CBB for carrying out the financial service of providing credit; and
              ii. Adequate disclosure of the conflicts of interest which will arise for each transaction on their website.
              Added: October 2017

          • GR-5A.2 GR-5A.2 Additional Requirements for Shari'a-Compliant Financing-Based Crowdfunding Platform Operators

            • GR-5A.2.1

              In addition to the requirements stipulated in Section GR-5A.1, Shari'a-compliant crowdfunding platform operators must comply with the requirements in this section.

              Added: October 2017

            • GR-5A.2.2

              Financing transactions arranged and introduced through a Shari'a-compliant crowdfunding platform operator must be Shari'a-compliant in nature. This means that the financing must be done based on a Shari'a-compliant financing contract (such as Murabaha, Ijarah, Salam, Istisna'a, etc.).

              Added: October 2017

            • GR-5A.2.3

              Shari'a-compliant crowdfunding platform operators must make arrangements with a local Islamic retail bank (which holds the appropriate CBB license) to facilitate transactions.

              Added: October 2017

            • GR-5A.2.4

              Shari'a-compliant crowdfunding platform operators must make an arrangement with one independent Shari'a Scholar to monitor, review and verify that the crowdfunding transactions, including documentation, structuring, financing as well as other administrative, marketing and operational matters are in full compliance with Shari'a rules and principles. The Shari'a Scholar to be appointed must fulfill the eligibility criteria outlined in the CBB's Shari'a Governance module.

              Added: October 2017

            • GR-5A.2.5

              The name of the Shari'a Scholar appointed, along with his brief profile, must be disclosed to the public.

              Added: October 2017

            • GR-5A.2.6

              For the purpose of Paragraph GR-5A.2.5, the Shari'a-compliant crowdfunding platform operators may use the services of a third party Shari'a advisory firm on an outsourced basis. The name of the outsourced Shari'a advisory firm, along with its credentials, must be disclosed to the public.

              Added: October 2017

            • GR-5A.2.7

              The Fatwa of the Shari'a Scholar/Shari'a Advisory firm, confirming that the crowdfunding transaction is in full compliance with Shari'a rules and principles, must be made available to financiers/investors before the crowdfunding transaction offer in order to enable them to make an informed decision.

              Added: October 2017

        • GR-5B GR-5B Security Measures for Payment Service Providers Owning or Operating Cash Dispensing Machines (CDMs) or Kiosks

          • GR-5B.1 GR-5B.1 Physical Security Measures for Payment Service Providers Owning or Operating Cash Dispensing Machines (CDMs) or Kiosks

            • General Requirement

              • GR-5B.1.1

                Where CDMs/Kiosks are installed at an outdoor location, the Payment Service Providers (PSPs) must provide adequate shade covering the area above the customers and the machine.

                Added: April 2019

            • Record Keeping

              • GR-5B.1.2

                PSPs must record the details of the site risk assessments and retain such records for a period of five years from the date of the CDMs/Kiosks installation, or for any other period required by the Ministry of the Interior or the CBB from time to time, whichever is the longer.

                Added: April 2019

            • CDM/Kiosk Alarms

              • GR-5B.1.3

                In addition to alarming the premises, PSPs must alarm the CDM/Kiosk itself, in a way which activates audibly when the CDM/Kiosk is under attack. The system must be monitored by remote signaling to an appropriate local police response designated by the Ministry of Interior. PSPs must consider the following:

                (a) The design of the system must ensure that the CDMs/Kiosks have a panic alarm installed;
                (b) The design of the system must give an immediate, system-controlled warning of an attack on the CDMs/Kiosks, and all CDMs/Kiosks must be fitted with fully operational fraud detection and inhibiting devices;
                (c) A maintenance record must be kept for the alarm detection system and routine maintenance must be conducted in accordance with at least the manufacturer's recommendations. The minimum must be two planned maintenance visits and tests every 6 months; and
                (d) The alarm system must be monitored by the PSP's head office 24 hours daily. It must automatically generate an alarm signal if the telephone/internet line fails or is cut.
                Added: April 2019

            • Closed-circuit Television (CCTV)

              • GR-5B.1.4

                PSPs must ensure that the Cash Dispensing Machines (CDMs) and Kiosks owned and operated by them are equipped with closed-circuit television (CCTV). The location of camera installation must be carefully chosen to ensure that images of the CDM/Kiosk are recorded; however, keypad entry or the screen of the CDM/Kiosk must not be captured by the CCTV recording. The camera must support the detection of the attachment of alien devices to the fascia (external body) and possess the ability to generate an alarm for remote monitoring if the camera is blocked or otherwise disabled.

                Added: April 2019

              • GR-5B.1.5

                As a minimum, the CCTV activity must be recorded (preferably in digital format) and, where risk dictates, remotely monitored by the PSP's head office.

                Added: April 2019

              • GR-5B.1.6

                When a CDM or Kiosk is located in an area where a public CCTV system operates, the PSP must liaise with the authority responsible for the CCTV system to include the CDM/Kiosk site in any preset automatic camera settings and request regular sweeps of the site. The CCTV system must not be able to view the CDM/Kiosk keypad or screen, thereby preventing observation of PIN entry.

                Added: April 2019

              • GR-5B.1.7

                PSPs must ensure that the specifications of CCTV cameras meet the following minimum requirements:

                (a) Analogue Cameras:
                Resolution — Minimum 700 TVL
                Lens — Vari-focal lenses from 2.8 to 12mm
                Sensitivity — Minimum 0.5 Luminance (Lux) without Infrared (IR), 0 Lux with IR
                IR — At least 10 to 20 meters (Camera that detects motion); and
                (b) IP Cameras:
                Resolution — 2 MP — 1080 p
                Lens — Vari-focal lenses from 2.8 to 12mm
                Sensitivity — Minimum 0.5 Lux without IR, 0 Lux with IR
                IR — At least 10 to 20 meters.
                Added: April 2019

            • CCTV Network Systems

              • GR-5B.1.8

                Notices of CCTV cameras in operation must be put up for the attention of the public. CCTV records must be maintained for a minimum 45-day period. The transmission rate (in terms of the number of frames per second) must be high enough to make for effective monitoring. The CCTV system must be operational 24 hours per day.

                Added: April 2019

            • CDMs/Kiosks Lighting

              • GR-5B.1.9

                Banks must ensure that adequate and effective lighting is operational at all times within the CDMs/Kiosks environment. The standard of the proposed lighting must be agreed with the Ministry of the Interior and other relevant authorities, and tested at least once every three months to ensure that the lighting is in good working order.

                Added: April 2019

            • Fire Alarm

              • GR-5B.1.10

                PSPs must ensure that effective fire alarm and fire defense measures, such as a sprinkler, are installed and functioning for all CDMs/Kiosks. These alarms must be linked to the main offices of the PSP.

                Added: April 2019

            • Cash Replenishment

              • GR-5B.1.11

                All physical cash movements between PSP offices and offsite CDMs/Kiosks must be performed by specialized service providers.

                Added: April 2019

            • CDMs/Kiosks Service and Maintenance

              • GR-5B.1.12

                PSPs must maintain a list of all details on maintenance, replenishment and inspection visits by staff or other authorized parties.

                Added: April 2019

            • Europay, MasterCard and Visa (EMV) Compliance

              • GR-5B.1.13

                Prepaid cards issued by PSPs in the Kingdom of Bahrain must be EMV compliant. Moreover, all POSs, CDMs and Kiosks must be EMV compliant for accepting cards issued in the Kingdom of Bahrain. In this context, EMV compliant means using chip and online PIN authentication. However, contactless card payment transactions, where no PIN verification is required, are permitted for small amounts i.e. up to BD 20 per transaction, provided that licensees bear full responsibility in case of fraud occurrence.

                Added: July 2019

              • GR-5B.1.13A

                Where contactless payments use Consumer Device Cardholder Verification Method (CDCVM) for payment authentication and approval, then the authentication required for transactions above the BD 20 limit mentioned in Paragraph GR-5B.1.13 is not applicable given that the customer has already been authenticated by his device using PIN, biometric or other authentication methods. This is only applicable where the debit/credit card of the customer has already been tokenized in the payment application.

                Added: July 2020

              • GR-5B.1.14

                Licensees must ensure, with effect from 1st October 2019, that any new POS terminals or devices support contactless payment using Near Field Communication "NFC" technology.

                Added: October 2019

              • GR-5B.1.15

                Licensees must ensure that any payment card issued or reissued on or after 12th October 2019 supports contactless payment using Near Field Communications "NFC" technology.

                Added: October 2019

          • GR-5B.2 GR-5B.2 CDM/Kiosk Security Measures: Hardware/Software

            • GR-5B.2.1

              Entry to sensitive areas by the PSP staff or other authorized parties into the CDM/Kiosk environment/surroundings must be controlled, monitored and recorded. The names of the persons accessing the area; the date; and the time of access to and exit from the area must be recorded. CCTV cameras must be installed, and used to record all activities within the CDM/Kiosk environment.

              Added: April 2019

            • GR-5B.2.2

              The applicable standards relating to Payment Card Industry (PCI), PIN Transaction Security (PTS), and Point of Interaction (POI) requirements must, in all instances, be fully complied with.

              Added: April 2019

            • GR-5B.2.3

              PSPs must ensure that the integration of Secure Card Readers (SCRs) and, if applicable, any mechanism protecting the SCRs are properly implemented and fully comply with the guidelines provided by the device vendor. SCRs must be approved by and fully comply with all Payment Card Industry standards at all times.

              Added: April 2019

            • GR-5B.2.4

              PSPs must ensure that all CDMs/Kiosks are equipped with mechanisms which prevent skimming attacks. There must be no known or demonstrable way to disable or defeat the above-mentioned mechanisms, or to install an external or internal skimming device.

              Added: April 2019

        • GR-6 GR-6 Dividends

          • GR-6.1 GR-6.1 CBB Non-Objection

            • GR-6.1.1

              Licensees must obtain a letter of no-objection from the CBB to any dividend proposed, before announcing the proposed dividend by way of press announcement or any other means of communication and prior to submitting a proposal for a distribution of profits to a shareholder vote.

              April 2016

            • GR-6.1.2

              The CBB will grant a no-objection letter where it is satisfied that the level of dividend proposed is unlikely to leave the licensee vulnerable — for the foreseeable future — to breaching the CBB's capital requirements, taking into account (as appropriate) the licensee's liquidity.

              April 2016

            • GR-6.1.3

              To facilitate the prior approval required under Paragraph GR-6.1.1, licensees must provide the CBB with:

              (a) The licensee's intended percentage and amount of proposed dividends for the year;
              (b) A letter of no objection from the licensee's external auditor on such profit distribution; and
              (c) A detailed analysis of the impact of the proposed dividend on the capital requirements outlined in Section AU-2.5 and liquidity position of the licensee.
              Amended: October 2017
              April 2016

        • GR-7 GR-7 Controllers

          • GR-7.1 GR-7.1 Key Provisions

            • GR-7.1.1

              Licensees must obtain prior written approval from the CBB for any changes to their controllers (as defined in Section GR-7.2):

              April 2016

            • GR-7.1.2

              Condition 3 of the CBB's licensing conditions specifies, among other things, that licensees must satisfy the CBB that their controllers are suitable and pose no undue risks to the licensee (See Paragraph AU-2.3.1). There are also certain procedures which are set out in Articles 52 to 56 of the CBB Law on controllers.

              April 2016

            • GR-7.1.3

              Applicants for a license must provide details of their controllers, by submitting a duly completed Form 2 (Application for Authorisation of Controller). (See sub-Paragraph AU-4.1.4(a)).

              April 2016

            • GR-7.1.4

              Where a controller is a legal person, the controller must notify the CBB of any change in its shareholding at the earlier of:

              (a) When the change takes effect; and
              (b) When the controller becomes aware of the proposed change.
              April 2016

            • GR-7.1.5

              For approval under Paragraph GR-7.1.1 to be granted, the CBB must be satisfied that the proposed controller or increase in control poses no undue risks to the licensee or the financial system. The CBB may impose any restrictions that it considers necessary to be observed where approval is given for a new or a change in controller. A duly completed Form 2 (Controllers) must be submitted as part of the request for a change in controllers. An approval of controller will specify the applicable period for effecting the proposed acquisition of shares.

              April 2016

            • GR-7.1.6

              If, as a result of circumstances outside the licensee's knowledge and/or control, a change in controller is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB no later than 15 calendar days from the date on which those changes have occurred.

              Amended: January 2017
              April 2016

            • GR-7.1.7

              The approval provisions outlined above do not apply to existing holdings or existing voting control by controllers already approved by the CBB. The approval provisions apply to new/prospective controllers or to increases in existing holdings/voting control.

              April 2016

            • GR-7.1.8

              Licensees are required to notify the CBB as soon as they become aware of events that are likely to lead to changes in their controllers.

              April 2016

            • GR-7.1.9

              The criteria by which the CBB assesses the suitability of controllers are set out in Section GR-7.3. The CBB aims to respond to requests for approval within 30 calendar days and is obliged to reply within 3 months to a request for approval. The CBB may contact references and supervisory bodies in connection with any information provided to support an application for controller. The CBB may also ask for further information, in addition to that provided in Form 2, if required to satisfy itself as to the suitability of the applicant.

              April 2016

            • GR-7.1.10

              Licensees must submit, within 3 months of their financial year-end, a report on their controllers (See Subparagraph BR-1.1.3(d)). This report must identify all controllers of the licensee, as defined in Section GR-7.2, the extent of their shareholding interests and any change in their legal status or any adverse information on the controllers.

              April 2016

            • GR-7.1.1A

              Licensees must not incur or otherwise have an exposure (either directly or indirectly) to their controllers, including subsidiaries and associated companies of such controllers.

              Added: April 2019

            • GR-7.1.1B

              For the purpose of Paragraph GR-7.1.1A, licensees that already have an exposure to controllers must have an action plan agreed with the CBB's supervisory point of contact to address such exposures within a timeline agreed with the CBB.

              Added: April 2019

          • GR-7.2 GR-7.2 Definition of Controller

            • GR-7.2.1

              A controller of a licensee is a natural or legal person who either alone, or with his associates:

              (a) Holds 10% or more of the shares in the licensee ("L"), or is able to exercise (or control the exercise of) 10% or more of the voting power in L;
              (b) Holds 10% or more of the shares in a parent undertaking ("P") of L, or is able to exercise (or control the exercise of) 10% or more of the voting power in P; or
              (c) Is able to exercise significant influence over the management of L or P.
              April 2016

            • GR-7.2.2

              For the purposes of Paragraph GR-7.2.1, "associate" includes:

              (a) The spouse, son(s) or daughter(s) of a controller;
              (b) An undertaking of which a controller is a director;
              (c) A person who is an employee or partner of the controller; and
              (d) If the controller is a corporate entity, a director of the controller, a subsidiary of the controller, or a director of any subsidiary undertaking of the controller.
              April 2016

            • GR-7.2.3

              Associate also includes any other person or undertaking with which the controller has entered into an agreement or arrangement as to the acquisition, holding or disposal of shares or other interests in the licensee, or under which they undertake to act together in exercising their voting power in relation to the licensee.

              April 2016

          • GR-7.3 GR-7.3 Suitability of Controllers

            • GR-7.3.1

              All new controllers or prospective controllers (as defined in Section GR-7.2) of a licensee must obtain the prior written approval of the CBB. Any increases to existing controllers' holdings or voting control must also have prior written approval from the CBB and are subject to the conditions outlined in this Section. Such changes in existing controllers (as defined in Section GR-7.2) or new/prospective controllers of a licensee must satisfy the CBB of their suitability and appropriateness. The CBB will issue an approval notice or notice of refusal of a controller according to the approval process outlined in Section GR-7.4.

              April 2016

            • GR-7.3.2

              All controllers or prospective controllers (whether natural or legal persons) of all licensees are subject to the approval of the CBB. Persons who intend to take ownership stakes of 10% or above of the voting capital of a licensee are subject to enhanced scrutiny, given the CBB's position as home supervisor of such licensees. The level of scrutiny and the criteria for approval become more onerous as the level of proposed ownership increases.

              April 2016

            • GR-7.3.3

              In assessing the suitability and the appropriateness of new/prospective controllers (and existing controllers proposing to increase their shareholdings) who are natural persons, the CBB has regard to their professional and personal conduct, including, but not limited to, the following:

              (a) The propriety of a person's conduct, whether or not such conduct resulted in conviction for a criminal offence, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
              (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
              (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
              (d) Whether the person has been the subject of any disciplinary proceeding by any government authority, regulatory agency or professional body or association;
              (e) The contravention of any financial services legislation or regulation;
              (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
              (g) Dismissal or a request to resign from any office or employment;
              (h) Disqualification by a court, regulator or other competent body, as a Director or as a manager of a corporation;
              (i) Whether the person has been a Director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners or managers have been declared bankrupt whilst the person was connected with that partnership or corporation;
              (j) The extent to which the person has been truthful and open with regulators;
              (k) Whether the person has ever been adjudged bankrupt, entered into any arrangement with creditors in relation to the inability to pay due debts, or failed to satisfy a judgement debt under a court order or has defaulted on any debts;
              (l) The person's track record as a controller of, or investor in financial institutions;
              (m) The financial resources of the person and the likely stability of their shareholding;
              (n) Existing Directorships or ownership of more than 20% of the capital or voting rights of any financial institution in the Kingdom of Bahrain or elsewhere, and the potential for conflicts of interest that such Directorships or ownership may imply;
              (o) The legitimate interests of creditors and minority shareholders of the licensee;
              (p) If the approval of a person as a controller is or could be detrimental to the subject licensee, Bahrain's banking and financial sector or the national interests of the Kingdom of Bahrain; and
              (q) Whether the person is able to deal with existing shareholders and the board in a constructive and co-operative manner.
              April 2016

            • GR-7.3.4

              In assessing the suitability and appropriateness of legal persons as controllers (wishing to increase their shareholding) or new/potential controllers, the CBB has regard to their financial standing, judicial and regulatory record, and standards of business practice and reputation, including, but not limited to, the following:

              (a) The financial strength of the person, its parent(s) and other members of its group, its implications for the licensee and the likely stability of the person's shareholding;
              (b) Whether the person or members of its group have ever entered into any arrangement with creditors in relation to the inability to pay due debts;
              (c) The person's jurisdiction of incorporation, location of head office, group structure and connected counterparties and the implications for the licensee as regards effective supervision of the licensee and potential conflicts of interest;
              (d) The person's (and other group members') propriety and general standards of business conduct, including the contravention of any laws or regulations including financial services legislation or regulations, or the institution of disciplinary proceedings by a government authority, regulatory agency or professional body;
              (e) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct;
              (f) Any criminal actions instigated against the person or other members of its group, whether or not this resulted in an adverse finding;
              (g) The extent to which the person or other members of its group have been truthful and open with regulators and supervisors;
              (h) Whether the person has ever been refused a licence, authorisation, registration or other authority;
              (i) The person's track record as a controller of, or investor in financial institutions;
              (j) The legitimate interests of creditors and shareholders of the licensee;
              (k) Whether the approval of a controller is or could be detrimental to the subject licensee, Bahrain's financial sector or the national interests of the Kingdom of Bahrain;
              (l) Whether the person is able to deal with existing shareholders and the board in a constructive manner; and
              (m) Existing Directorships or ownership of more than 20% of the capital or voting rights of any financial institution in the Kingdom of Bahrain or elsewhere, and the potential for conflicts of interest that such Directorships or ownership may imply.
              April 2016

          • GR-7.4 GR-7.4 Approval Process

            • GR-7.4.1

              Within 3 months of receipt of an approval request under Paragraph GR-7.1.1, the CBB will issue an approval notice (with or without restrictions) or a written notice of refusal if it is not satisfied that the person concerned is suitable to increase his shareholding in, or become a controller of the licensee. The notice of refusal or notice of approval with conditions will specify the reasons for the objection or restriction and specify the applicant's right of appeal in either case. Where an approval notice is given, it will specify the period for which it is valid and any conditions that attach. These conditions will include the maximum permitted limit of holding or voting control exercisable by the controller.

              April 2016

            • GR-7.4.2

              Notices of refusal have to be approved by an Executive Director of the CBB. The applicant has 30 calendar days from the date of the notice in which to make written representation as to why his application should not be refused. The CBB then has 30 calendar days from the date of receipt of those representations to reconsider the evidence submitted and make a final determination, pursuant to Article 53 of the Central Bank of Bahrain and Financial Institutions Law (Decree No. 64 of 2006) ("CBB Law") and Module EN (Enforcement).

              April 2016

            • GR-7.4.3

              Pursuant to Article 56 of the CBB Law, where a person has become a controller by virtue of his shareholding in contravention of Paragraph GR-7.1.1, or a notice of refusal has been served to him under Paragraph GR-7.4.1 and the period of appeal has expired, the CBB may, by notice in writing served on the person concerned, direct that his shareholding shall be transferred or that, until further notice, no voting right shall be exercisable in respect of those shares.

              April 2016

            • GR-7.4.4

              Article 56 of the CBB Law empowers the CBB to take appropriate precautionary measures, or sell such shares mentioned in Paragraph GR-7.4.3, if the licensee fails to carry out the order referred to in the preceding Paragraph.

              April 2016

        • GR-8 GR-8 Close Links

          • GR-8.1 GR-8.1 Key Provisions

            • GR-8.1.1

              Condition 3 of the CBB's licensing conditions specifies, amongst other things, that licensees must satisfy the CBB that their close links do not prevent the effective supervision of the licensee and otherwise pose no undue risks to the licensee. (See Paragraph AU-2.3.1).

              April 2016

            • GR-8.1.2

              Applicants for a license must provide details of their close links, as provided for under Form 1 (Application for a License). (See Paragraph AU-4.1.1).

              April 2016

            • GR-8.1.3

              Licensees must submit to the CBB, within 3 months of their financial year-end, a report on their close links (See Subparagraph BR-1.1.3(b)). The report must identify all undertakings closely linked to the licensee, as defined in Section GR-8.2.

              April 2016

            • GR-8.1.4

              Licensees may satisfy the requirement in Paragraph GR-8.1.3 by submitting a corporate structure chart, identifying all undertakings closely linked to the licensee.

              April 2016

            • GR-8.1.5

              Licensees must provide information on undertakings with which they are closely linked, as requested by the CBB.

              April 2016

          • GR-8.2 GR-8.2 Definition of Close Links

            • GR-8.2.1

              A licensee ('L') has close links with another undertaking ('U'), if:

              (a) U is a parent undertaking of L;
              (b) U is a subsidiary undertaking of L;
              (c) U is a subsidiary undertaking of a parent undertaking of L;
              (d) U, or any other subsidiary undertaking of its parent, owns or controls 20% or more of the voting rights or capital of L; or
              (e) L, any of its parent or subsidiary undertakings, or any of the subsidiary undertakings of its parent, owns or controls 20% or more of the voting rights or capital of U.
              April 2016

          • GR-8.3 GR-8.3 Assessment Criteria

            • GR-8.3.1

              In assessing whether a licensee's close links may prevent the effective supervision of the licensee, or otherwise pose no undue risks to the licensee, the CBB takes into account the following:

              (a) Whether the CBB will receive adequate information from the licensee, and those with whom the licensee has close links, to enable it to determine whether the licensee is complying with CBB requirements;
              (b) The structure and geographical spread of the licensee, its group and other undertakings with which it has close links, and whether this might hinder the provision of adequate and reliable flows of information to the CBB, for instance because of operations in territories which restrict the free flow of information for supervisory purposes; and
              (c) Whether it is possible to assess with confidence the overall financial position of the group at any particular time, and whether there are factors that might hinder this, such as group members having different financial year ends or auditors, or the corporate structure being unnecessarily complex and opaque.
              April 2016

        • GR-9 GR-9 Cessation of Business

          • GR-9.1 GR-9.1 CBB Approval

            • GR-9.1.1

              As specified in Article 50 of the CBB Law, a licensee wishing to cease to provide or suspend any or all of the licensed regulated services of its operations and/or liquidate its business must obtain the CBB's prior approval.

              April 2016

            • GR-9.1.2

              Licensees must notify the CBB in writing at least six months in advance of their intended suspension of any or all the licensed regulated services or cessation of business, setting out how they propose to do so and, in particular, how they will treat any of their liabilities.

              April 2016

            • GR-9.1.3

              If the licensee wishes to liquidate its business, the CBB will revise its license to restrict the firm from entering into new business. The licensee must continue to comply with all applicable CBB requirements until such time as it is formally notified by the CBB that its obligations have been discharged and that it may surrender its license.

              April 2016

            • GR-9.1.4

              A licensee in liquidation must continue to meet its contractual and regulatory obligations to its clients and creditors.

              April 2016

            • GR-9.1.5

              Once the licensee believes that it has discharged all its remaining contractual obligations to clients and creditors, it must publish a notice in two national newspapers in Bahrain approved by the CBB (one being in English and one in Arabic), stating that it has settled all its dues and wishes to leave the market. According to Article 50 of the CBB Law, such notice shall be given after receiving the approval of the CBB, not less than 30 days before the actual cessation is to take effect.

              April 2016

            • GR-9.1.6

              The notice referred to in Paragraph GR-9.1.5 must include a statement that written representations concerning the liquidation may be sent to the CBB before a specified day, which shall not be later than thirty days after the day of the first publication of the notice. The CBB will not decide on the application until after considering any representations made to the CBB before the specified day.

              April 2016

            • GR-9.1.7

              If no objections to the liquidation are upheld by the CBB, then the CBB may issue a written notice of approval for the surrender of the license.

              April 2016

            • GR-9.1.8

              Upon satisfactorily meeting the requirements set out in GR-9.1, the licensee must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its commercial registration from the Ministry of Industry, Commerce and Tourism.

              Amended: April 2020
              Added: October 2016

        • GR-10 GR-10 Customer Complaints Procedures

          • GR-10.1 GR-10.1 General Requirements

            • GR-10.1.1

              All licensees must have appropriate customer complaints handling procedures and systems for effective handling of complaints, whether received directly by the licensee or through other parties connected to the licensee.

              Added: December 2018

            • GR-10.1.2

              Customer complaints procedures must be documented appropriately and their customers must be informed of their availability.

              Added: December 2018

            • GR-10.1.3

              All licensees must appoint a customer complaints officer and publicise his/her contact details at all departments and branches and on the licensee's website. The customer complaints officer must be of a senior level at the licensee and must be independent of the parties to the complaint to minimise any potential conflict of interest.

              Added: December 2018

            • GR-10.1.4

              The position of customer complaints officer may be combined with that of compliance officer.

              Added: December 2018

          • GR-10.2 GR-10.2 Documenting Customer Complaints Handling Procedures

            • GR-10.2.1

              In order to make customer complaints handling procedures as transparent and accessible as possible, all licensees must document their customer complaints handling procedures. These include setting out in writing:

              (a) The procedures and policies for:
              (i) Receiving and acknowledging complaints;
              (ii) Investigating complaints;
              (iii) Responding to complaints within appropriate time limits;
              (iv) Recording information about complaints;
              (v) Identifying recurring system failure issues;
              (b) The types of remedies available for resolving complaints; and
              (c) The organisational reporting structure for the complaints handling function.
              Added: December 2018

            • GR-10.2.2

              Licensees must provide a copy of the procedures to all relevant staff, so that they may be able to inform customers. A simple and easy-to-use guide to the procedures must also be made available to all customers, on request, and when they want to make a complaint.

              Added: December 2018

            • GR-10.2.3

              Licensees are required to ensure that all financial services related documentation provided to the customer includes a statement informing the customer of the availability of a simple and easy-to-use guide on customer complaints procedures in the event the customer is not satisfied with the services provided.

              Added: December 2018

          • GR-10.3 GR-10.3 Principles for Effective Handling of Complaints

            • GR-10.3.1

              Adherence to the following principles is required for effective handling of complaints:

              Added: December 2018

            • Visibility

              • GR-10.3.2

                "How and where to complain" must be well publicised to customers and other interested parties, in both English and Arabic languages.

                Added: December 2018

            • Accessibility

              • GR-10.3.3

                A complaints handling process must be easily accessible to all customers and must be free of charge.

                Added: December 2018

              • GR-10.3.4

                While a licensee's website is considered an acceptable means for dealing with customer complaints, it should not be the only means available to customers as not all customers have access to the internet.

                Added: December 2018

              • GR-10.3.5

                Process information must be readily accessible and must include flexibility in the method of making complaints.

                Added: December 2018

              • GR-10.3.6

                Support for customers in interpreting the complaints procedures must be provided, upon request.

                Added: December 2018

              • GR-10.3.7

                Information and assistance must be available on details of making and resolving a complaint.

                Added: December 2018

              • GR-10.3.8

                Supporting information must be easy to understand and use.

                Added: December 2018

            • Responsiveness

              • GR-10.3.9

                Receipt of complaints must be acknowledged in accordance with Section GR-10.5 "Response to Complaints".

                Added: December 2018

              • GR-10.3.10

                Complaints must be addressed promptly in accordance with their urgency.

                Added: December 2018

              • GR-10.3.11

                Customers must be treated with courtesy.

                Added: December 2018

              • GR-10.3.12

                Customers must be kept informed of the progress of their complaint, in accordance with Section BC-10.5.

                Added: December 2018

              • GR-10.3.13

                If a customer is not satisfied with a licensee's response, the licensee must advise the customer on how to take the complaint further within the organisation.

                Added: December 2018

              • GR-10.3.14

                In the event that they are unable to resolve a complaint, licensees must outline the options that are open to that customer to pursue the matter further, including, where appropriate, referring the matter to the Consumer Protection Unit at the CBB.

                Amended: April 2020
                Added: December 2018

            • Objectivity and Efficiency

              • GR-10.3.15

                Complaints must be addressed in an equitable, objective, unbiased and efficient manner.

                Added: December 2018

              • GR-10.3.16

                General principles for objectivity in the complaints handling process include:

                (a) Openness:
                The process must be clear and well publicised so that both staff and customers can understand it;
                (b) Impartiality:
                (i) Measures must be taken to protect the person the complaint is made against from bias;
                (ii) Emphasis must be placed on resolution of the complaint, not blame; and
                (iii) The investigation must be carried out by a person independent of the person complained about;
                (c) Accessibility:
                (i) The licensee must allow customer access to the process at any reasonable point in time; and
                (ii) A joint response must be made when the complaint affects different participants;
                (d) Completeness:
                The complaints officer must find relevant facts, talk to both sides, establish common ground and verify explanations wherever possible;
                (e) Equitability:
                Give equal treatment to all parties;
                (f) Sensitivity:
                Each complaint must be treated on its merits, with due care paid to individual circumstances;
                (g) Objectivity for personnel — complaints handling procedures must ensure those complained about are treated fairly which implies:
                (i) Informing them immediately and completely on complaints about performance;
                (ii) Giving them an opportunity to explain and providing appropriate support;
                (iii) Keeping them informed of the progress and result of the complaint investigation;
                (iv) Full details of the complaint are given to those the complaint is made against prior to interview; and
                (v) Personnel must be assured they are supported by the process and should be encouraged to learn from the experience and develop a better understanding of the complaints process;
                (h) Confidentiality:
                (i) In addition to customer confidentiality, the process must ensure confidentiality for staff who have a complaint made against them and the details must only be known to those directly concerned;
                (ii) Customer information must be protected and not disclosed, unless the customer consents otherwise; and
                (iii) Protect the customer and customer's identity as far as is reasonable to avoid deterring complaints due to fear of inconvenience or discrimination;
                (i) Objectivity monitoring:
                Licensees must monitor responses to customers to ensure objectivity which could include random monitoring of resolved complaints;
                (j) Charges:
                The process must be free of charge to customers;
                (k) Customer Focused Approach:
                (i) Licensees must have a customer focused approach;
                (ii) Licensees must be open to feedback; and
                (iii) Licensees must show commitment to resolving problems;
                (l) Accountability:
                Licensees must ensure accountability for reporting actions and decisions with respect to complaints handling;
                (m) Continual improvement:
                Continual improvement of the complaints handling process and the quality of products and services must be a permanent objective of the licensee.
                Added: December 2018

          • GR-10.4 GR-10.4 Internal Complaint Handling Procedures

            • GR-10.4.1

              A licensee's internal complaint handling procedures must provide for:

              (a) The receipt of written complaints;
              (b) The appropriate investigation of complaints;
              (c) An appropriate decision-making process in relation to the response to a customer complaint;
              (d) Notification of the decision to the customer;
              (e) The recording of complaints; and
              (f) How to deal with complaints when a business continuity plan (BCP) is operative.
              Added: December 2018

            • GR-10.4.2

              A licensee's internal complaint handling procedures must be designed to ensure that:

              (a) All complaints are handled fairly, effectively and promptly;
              (b) Recurring systems failures are identified, investigated and remedied;
              (c) The number of unresolved complaints referred to the CBB is minimised;
              (d) The employee responsible for the resolution of complaints has the necessary authority to resolve complaints or has ready access to an employee who has the necessary authority; and
              (e) Relevant employees are aware of the licensee's internal complaint handling procedures and comply with them and receive training periodically to be kept abreast of changes in procedures.
              Added: December 2018

          • GR-10.5 GR-10.5 Response to Complaints

            • GR-10.5.1

              A licensee must acknowledge in writing customer written complaints within 5 working days of receipt.

              Added: December 2018

            • GR-10.5.2

              A licensee must respond in writing to a customer complaint within 4 weeks of receiving the complaint, explaining their position and how they propose to deal with the complaint.

              Added: December 2018

            • Redress

              • GR-10.5.3

                A licensee should decide and communicate how it proposes (if at all) to provide the customer with redress. Where appropriate, the licensee must explain the options open to the customer and the procedures necessary to obtain the redress.

                Added: December 2018

              • GR-10.5.4

                Where a licensee decides that redress in the form of compensation is appropriate, the licensee must provide the complainant with fair compensation and must comply with any offer of compensation made by it which the complainant accepts.

                Added: December 2018

              • GR-10.5.5

                Where a licensee decides that redress in a form other than compensation is appropriate, it must provide the redress as soon as practicable.

                Added: December 2018

              • GR-10.5.6

                Should the customer that filed a complaint not be satisfied with the response received as per Paragraph GR-10.5.2, he can forward the complaint to the Consumer Protection Unit at the CBB within 30 calendar days from the date of receiving the letter.

                Amended: April 2020
                Added: December 2018

          • GR-10.6 GR-10.6 Records of Complaints

            • GR-10.6.1

              A licensee must maintain a record of all customers' complaints. The record of each complaint must include:

              (a) The identity of the complainant;
              (b) The substance of the complaint;
              (c) The status of the complaint, including whether resolved or not, and whether redress was provided; and
              (d) All correspondence in relation to the complaint.

              Such records must be retained by the licensees for a period of 5 years from the date of receipt of the complaint.
              Added: December 2018

          • GR-10.7 GR-10.7 Reporting of Complaints

            • GR-10.7.1

              A licensee must submit to the CBB's Consumer Protection Unit, 20 days after the end of the quarter, a quarterly report summarising the following:

              (a) The number of complaints received;
              (b) The substance of the complaints;
              (c) The number of days it took the licensee to acknowledge and to respond to the complaints; and
              (d) The status of the complaint, including whether resolved or not, and whether redress was provided.
              Amended: April 2020
              Added: December 2018

            • GR-10.7.2

              The report referred to in Paragraph GR-10.7.1 must be sent electronically to complaint@cbb.gov.bh.

              Amended: April 2020
              Added: December 2018

            • GR-10.7.3

              Where no complaints have been received by the licensee within the quarter, a 'nil' report should be submitted to the CBB's Consumer Protection Unit.

              Amended: April 2020
              Added: December 2018

          • GR-10.8 GR-10.8 Monitoring and Enforcement

            • GR-10.8.1

              Compliance with these requirements is subject to the ongoing supervision of the CBB as well as being part of any CBB inspection of a licensee. Failure to comply with these requirements is subject to enforcement measures as outlined in Module EN (Enforcement).

              Added: December 2018

        • GR-11 GR-11 Outsourcing

          • GR-11.1 GR-11.1 Outsourcing

            • GR-11.1.1

              Ancillary service providers must undertake a thorough risk assessment of an outsourcing proposal, before formally submitting the request for approval to the CBB and committing themselves to an agreement.

              Added: December 2018

            • GR-11.1.2

              The risk assessment should — amongst other things — include an analysis of (i) the business case; (ii) the suitability of the outsourcing provider including but not limited to the outsourcing provider's financial soundness, its technical competence, its commitment to the arrangement, its reputation, its adherence to international standards, and the associated country risk; and (iii) the impact of the outsourcing on the licensee's overall risk profile and its systems and controls framework.

              Added: December 2018

            • GR-11.1.3

              Outsourcing means an arrangement whereby a third party performs on behalf of a licensee an activity that was previously undertaken by the licensee itself (or in the case of a new activity, one which ordinarily would have been performed internally by the licensee). Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

              Added: December 2018

            • GR-11.1.4

              Ancillary service providers must seek the CBB's prior written approval before committing to a new material outsourcing arrangement and/or when the terms or conditions of the outsourcing arrangement are altered.

              The prior approval request must:

              (a) Be made in writing to the licensee's normal supervisory contact;
              (b) Contain sufficient detail to demonstrate that relevant risks are satisfactorily addressed; and
              (c) Be made at least 6 weeks before the licensee intends to commit to the arrangement.
              Added: December 2018

            • GR-11.1.5

              Ancillary service providers must retain ultimate responsibility for functions or activities that are outsourced. In particular, licensees must ensure that they continue to meet all their regulatory obligations with respect to outsourced activities.

              Added: December 2018

            • GR-11.1.6

              Once an activity has been outsourced, ancillary service providers must continue to monitor the associated risks and the effectiveness of their mitigating controls. Ancillary service providers must inform their normal supervisory contact at the CBB if material problems are encountered with the outsourcing provider. The CBB may direct the ancillary service providers to make alternative arrangements for the outsourced activity.

              Added: December 2018

            • GR-11.1.7

              Ancillary service providers must maintain and regularly review contingency plans to enable them to set up alternative arrangements — with minimum disruption to business — should the outsourcing contract be suddenly terminated or the outsourcing provider fail.

              Added: December 2018

            • GR-11.1.8

              Ancillary service providers must nominate a relevant approved person with day-to-day responsibility for handling the relationship with the outsourcing provider and ensuring that relevant risks are addressed.

              Added: December 2018

            • GR-11.1.9

              A legally enforceable contract document must be available for any material outsourcing arrangement. Where the outsourcing provider interacts directly with a licensee's customers, the contract must — where relevant — reflect the licensee's own standards regarding customer care.

              Added: December 2018

            • GR-11.1.10

              Mechanisms for the regular monitoring by licensees of performance against service level agreement and other targets, and for implementing remedies in case of any shortfalls, must also form part of the agreement. Such reviews must take place at least every year.

              Added: December 2018

            • GR-11.1.11

              Outsourcing agreements must ensure that the licensee's internal and external auditors have timely access to any relevant information they may require to fulfil their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing provider, if required.

              Added: December 2018

            • GR-11.1.12

              Ancillary service providers must also ensure that the CBB inspectors and appointed experts have timely access to any relevant information they may reasonably require to fulfil their responsibilities under the law. Such access must allow the CBB to conduct on-site examinations of the outsourcing provider, if required.

              Added: December 2018

            • GR-11.1.13

              Where the outsourcing provider is based overseas, the outsourcing provider must confirm in the outsourcing agreement that there are no regulatory or legal impediments to either the licensee's internal and external auditors, or the CBB inspectors and appointed experts, as appropriate.

              Added: December 2018

            • GR-11.1.14

              The outsourcing provider must commit itself, in the outsourcing agreement, to informing the licensee of any developments that may have a material impact on its ability to meet its obligations. These may include, for example, relevant control weaknesses identified by the outsourcing provider's internal or external auditors, and material adverse developments in the financial performance of the outsourcing provider.

              Added: December 2018

            • GR-11.1.15

              Termination under any other circumstances allowed under the outsourcing agreement must give licensees a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.

              Added: December 2018

            • GR-11.1.16

              In the event of termination, for whatever reason, the agreement must provide for the return of all customer data — where required by licensees — or destruction of the records.

              Added: December 2018

          • Customer Data Confidentiality

            • GR-11.1.17

              Licensees must ensure that outsourcing agreements comply with the CBB Law and the Personal Data Protection Law, issued on 19th July 2018.

              Added: December 2018

            • GR-11.1.18

              Licensees must ensure that the outsourcing provider implements adequate safeguards and procedures.

              Added: December 2018

            • GR-11.1.19

              The implementation of adequate safeguards and procedures would include the proper segregation of customer data from those belonging to other clients of the outsourcing provider. Ancillary service providers should have contractual rights to take action against the service provider in the event of a breach of confidentiality.

              Added: December 2018

            • GR-11.1.20

              Ancillary service provider licensees must ensure that they retain title under any outsourcing agreements for data, information and records that form part of the prudential records of the firm.

              Added: December 2018

          • Use of Cloud

            • GR-11.1.21

              In case the licensees use cloud services, they must seek the CBB's prior approval and ensure that, at a minimum, the following security measures are in place:

              (a) Customer information must be encrypted, and all encryption keys or similar forms of authentication must be kept secure within the licensee's control;
              (b) A secure audit trail must be maintained for all actions performed at the cloud services outsourcing provider;
              (c) A comprehensive change management procedure must be developed to account for future changes to technology with adequate testing of such changes;
              (d) The licensee's data must be logically segregated from other entities' data at the outsourcing service provider's platform;
              (e) The cloud service provider must provide information on measures taken at its platform to ensure adequate information security, data security and confidentiality, including but not limited to forms of protection available against unauthorized access and incident management process in cases of data breach or data loss; and
              (f) The right to release customer information/data in case of foreign government/court orders must be the sole responsibility of the licensee, subject to the CBB Law.
              Added: December 2018

        • GR-12 GR-12 Information Security

          • GR-12.1 GR-12.1 Electronic Frauds

            • GR-12.1.1

              PSPs must implement enhanced fraud monitoring of movements in customers’ accounts to guard against electronic frauds using various tools and measures, such as limits in value, volume and velocity.

              Added: January 2021
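
The following is an added illustration, not part of the CBB Rulebook, of how the value, volume and velocity limits named in GR-12.1.1 can be applied to account movements. The threshold figures, alert names, class names and sample transactions are all assumptions constructed for the example; the Rulebook prescribes none of them.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Limits:
    """Hypothetical thresholds; a PSP would set these per its own risk policy."""
    max_single_value: Decimal    # value: cap on one movement
    max_daily_value: Decimal     # value: cumulative cap over a rolling 24 hours
    max_daily_count: int         # volume: number of movements per rolling 24 hours
    velocity_window: timedelta   # velocity: length of the burst window
    max_in_window: int           # velocity: movements allowed inside that window


@dataclass(frozen=True)
class Txn:
    account: str
    amount: Decimal
    at: datetime


class FraudMonitor:
    """Flags movements that breach value, volume or velocity limits.

    Assumes movements arrive in time order per account. Every observed
    movement is recorded, flagged or not, so repeated attempts keep
    counting towards the volume and velocity limits.
    """

    def __init__(self, limits):
        self.limits = limits
        self._history = defaultdict(deque)  # account -> movements in last 24h

    def check(self, txn):
        """Record txn and return the list of limits it breaches (empty = none)."""
        lim = self.limits
        hist = self._history[txn.account]

        # Expire movements that fell out of the rolling 24-hour window.
        day_ago = txn.at - timedelta(hours=24)
        while hist and hist[0].at <= day_ago:
            hist.popleft()
        hist.append(txn)

        alerts = []
        if txn.amount > lim.max_single_value:
            alerts.append("VALUE_SINGLE")
        if sum(t.amount for t in hist) > lim.max_daily_value:
            alerts.append("VALUE_DAILY")
        if len(hist) > lim.max_daily_count:
            alerts.append("VOLUME_DAILY")

        # Velocity: count movements inside the short burst window.
        burst_start = txn.at - lim.velocity_window
        if sum(1 for t in hist if t.at > burst_start) > lim.max_in_window:
            alerts.append("VELOCITY")
        return alerts


def run_sample():
    """Run the monitor over constructed sample movements."""
    limits = Limits(
        max_single_value=Decimal("500"),
        max_daily_value=Decimal("1000"),
        max_daily_count=5,
        velocity_window=timedelta(seconds=60),
        max_in_window=3,
    )
    monitor = FraudMonitor(limits)
    t0 = datetime(2021, 1, 10, 9, 0, 0)
    sample = [  # constructed data, not real account activity
        Txn("ACC-1", Decimal("120"), t0),
        Txn("ACC-1", Decimal("650"), t0 + timedelta(hours=1)),
        Txn("ACC-2", Decimal("50"), t0),
        Txn("ACC-2", Decimal("50"), t0 + timedelta(seconds=10)),
        Txn("ACC-2", Decimal("50"), t0 + timedelta(seconds=20)),
        Txn("ACC-2", Decimal("50"), t0 + timedelta(seconds=30)),
        Txn("ACC-1", Decimal("300"), t0 + timedelta(hours=2)),
        Txn("ACC-1", Decimal("10"), t0 + timedelta(hours=27)),
    ]
    return [(t.account, str(t.amount), monitor.check(t)) for t in sample]


if __name__ == "__main__":
    for account, amount, alerts in run_sample():
        print(account, amount, alerts or "ok")
```
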

            • GR-12.1.2

              PSPs must have in place customer awareness communications, pre and post onboarding process, using video calls, short videos or pop-up messages, to alert and warn natural persons using online channels or applications about the risk of electronic frauds, and emphasise the need to secure their personal credentials and not share them with anyone, online or offline.

              Added: January 2021

          • GR-12.2 GR-12.2 Cyber Security

            • GR-12.2.1

              This Section applies to licensees that provide services through digital channels.

              Added: July 2021

            • GR-12.2.2

              All licensees must have in place vulnerability and patch management processes, including remediation processes to ensure that the vulnerabilities identified are addressed. Security patches must be applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability. The licensees must ensure that their systems are subject to Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

              Added: July 2021

            • GR-12.2.3

              All licensees must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least twice a year. These tests must be conducted each year in June and December simulating real world cyber attacks on the technology environment and must:

              (a) Follow a risk-based approach based on an internationally recognised methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
              (b) Include both Grey Box and Black Box testing in its scope;
              (c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
              (d) Be performed by external, independent third parties which must be changed at least every two years; and
              (e) Be performed on either the production environment or on non-production exact replicas of the production environment.
              Added: July 2021

            • GR-12.2.4

              Reports on penetration testing referred to in Paragraph GR-12.2.3 must be submitted to CBB before 30th September for the tests as at 30th June and 31st March for the tests as at 31st December. The penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests together with the steps taken to mitigate the risks identified.

              Added: July 2021

        • GR-13 GR-13 Fees and Charges

          • GR-13.1 GR-13.1 Merchant Fees on Payments to Zakat and Charity Fund

            • GR-13.1.1

              PSPs must exempt the Zakat and Charity Fund (“the Fund”) of the Ministry of Justice, Islamic Affairs and Awqaf from merchant fees for payments made to the Fund.

              Added: April 2021

    • Business Standards

      • OB OB Open Banking Module

        • OB-A OB-A Introduction

          • OB-A.1 OB-A.1 Purpose

            • OB-A.1.1

              This Module sets out the Central Bank of Bahrain's (CBB's) Directive relevant to ancillary service providers providing either or both of the following regulated services defined in the Ancillary Services Authorisation Module of the CBB Rulebook Volume 5 in the Kingdom of Bahrain:

              (a) the provision of account information services; or
              (b) the provision of payment initiation services.
              Added: December 2018

            • OB-A.1.2

              This Module should be read in conjunction with the requirements in other parts of the CBB Rulebook, Volume 5, applicable to specialised licensees particularly:

              (c) Ancillary Service Providers Authorisation Module;
              (d) Principles of Business Module;
              (e) General Requirements Module;
              (f) CBB Reporting Requirements Module;
              (g) Auditors and Accounting Standards Module;
              (h) Financial Crime Module; and
              (i) Enforcement Module.
              Added: December 2018

            • Legal Basis

              • OB-A.1.3

                This Module contains the CBB's Directive (as amended from time to time) applicable to ancillary services providers undertaking account information services or payment initiation services, and is issued under the powers available to the CBB under Article 38 of the CBB Law.

                Added: December 2018

              • OB-A.1.4

                For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                Added: December 2018

          • OB-A.2 OB-A.2 Module History

            • OB-A.2.1

              This Module was first issued in November 2018. It is numbered as version 01. All subsequent changes to this Module are annotated with a sequential version number. UG-3 provides further details on Rulebook maintenance and version control.

              Added: December 2018

            • OB-A.2.2

              A list of recent changes made to this Module is provided below:

              | Module Ref. | Change Date | Description of Changes |
              |---|---|---|
              | OB-1.1.12 | 07/2021 | Amended Paragraph on PISPs procedures. |
              | OB-1.1.13 | 07/2021 | Amended Paragraph on AISPs procedures. |
              | OB-2.1.1 | 07/2021 | Amended Paragraph on AISPs and PISPs framework contract. |
              | OB-2.1.5 | 07/2021 | Added a new Paragraph on customer consent. |
              | OB-2.1.6 | 07/2021 | Added a new Paragraph on data access. |
              | OB-2.2.1 | 07/2021 | Amended Paragraph on authentication. |
              | OB-2.2.2 | 07/2021 | Deleted Paragraph. |
              | OB-2.2.3 | 07/2021 | Deleted Paragraph. |
              | OB-2.2.4 | 07/2021 | Deleted Paragraph. |
              | OB-2.2.5 | 07/2021 | Deleted Paragraph. |
              | OB-2.2.6 | 07/2021 | Deleted Paragraph. |
              | OB-2.3.8 | 07/2021 | Amended Paragraph on fees and charges. |
              | OB-2.4.1 | 07/2021 | Amended Paragraph on adherence to guidelines. |
              | OB-2.4.2 | 07/2021 | Amended Paragraph on compliance. |
              | OB-2.4.3 | 07/2021 | Added a new Paragraph on technology solutions provided. |

        • OB-B OB-B Scope of Application

          • OB-B.1 OB-B.1 Introduction

            • OB-B.1.1

              The provision of account information services and payment initiation services entails obtaining access to customer accounts through 'application program interfaces' (APIs) with licensees maintaining customer accounts, which include conventional retail bank licensees, Islamic retail bank licensees, financing companies and PSPs operating electronic wallets (referred to in this Module as "licensees maintaining customer accounts"). Given the nature of risks inherent in online activities, the ancillary service providers undertaking such activities will be subject to strict regulatory standards to ensure the integrity and safety of customer data, the APIs, customer onboarding process, authentication process, communication sessions, process for tracking of security incidents and associated standards of dealing with the customers while undertaking this activity.

              Added: December 2018

        • OB-1 OB-1 Risks, Systems and Controls

          • OB-1.1 OB-1.1 Risks, Systems and Controls

            • Internal Controls

              • OB-1.1.1

                The Board of Directors or equivalent authority must take responsibility for the establishment and oversight of effective risk management and internal controls.

                Added: December 2018

              • OB-1.1.2

                Account information service providers (AISPs) and payment initiation service providers (PISPs) must use technology solutions which are capable of interfacing with software and systems used by licensees maintaining customer accounts with no material modifications to their systems.

                Added: December 2018

              • OB-1.1.3

                Consistent with Module PB: Principles of Business, Paragraph PB-1.1.10, AISPs and PISPs must establish adequate internal controls to safeguard the business, its customers and licensees to which they have online access.

                Added: December 2018

              • OB-1.1.4

                The internal controls must include, but not be limited to, those relating to the following:

                (a) The development and/or acquisition of the technology solutions to conduct the activity;
                (b) Testing of the solutions and application program interfaces;
                (c) Standards of communication and access and security of communication sessions;
                (d) Safe authentication of the users;
                (e) Processes and measures that protect customer data confidentiality and personalised security credentials consistent with Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018;
                (f) Tools and measures to prevent frauds and errors;
                (g) Security policy;
                (h) Information security testing including web applications testing, configuration reviews, penetration testing and smart device application testing;
                (i) Risk management controls;
                (j) Prevention of anti-money laundering (AML) and combating terrorist financing (CTF);
                (k) Record keeping and audit trails; and
                (l) Operational and financial controls.
                Added: December 2018

            • Operational Risks

              • OB-1.1.5

                AISPs and PISPs must document the process by which they identify, prioritise and manage their operational risks.

                Added: December 2018

              • OB-1.1.6

                Operational risk in AISPs' and PISPs' activities includes the risk of loss of confidential customer data, financial loss or reputational loss resulting from inadequate or failed internal processes, people, technology and systems, or from external events including risks of internal and external frauds and cyber threats. In assessing potential operational risk, the following are some of the factors that may affect the licensee's risk exposure:

                (a) Lack of governance, board and management oversight;
                (b) Inadequate internal controls;
                (c) Insufficient transaction monitoring;
                (d) Failure of information technology through breakdown, incompatibility of legacy systems and poor scalability, poor security, etc.;
                (e) Failure or insufficient cyber and information security controls;
                (f) Failure of processes and procedures;
                (g) Internal and external fraud;
                (h) Legal risks;
                (i) Outsourcing risk;
                (j) Business continuity and disaster recovery; and
                (k) Reputational risks.
                Added: December 2018

              • OB-1.1.7

                AISPs and PISPs must establish comprehensive procedures for monitoring, handling and following up on security and fraud incidents and related customer complaints including but not limited to the following:

                a) organisational measures and tools for the prevention of such incidents;
                b) details of the individual(s) and bodies responsible for assisting customers in cases of the incidents and technical issues and/or claim management;
                c) reporting lines in cases of such incidents;
                d) the contact point for customers, including a name and email address;
                e) the procedures for the reporting of incidents, including the communication of these reports to internal or external bodies, including notification of major incidents to national competent authorities; and
                f) the monitoring tools used and the follow-up measures and procedures in place to mitigate security and fraud risks.
                Added: December 2018

              • OB-1.1.8

                AISPs and PISPs must maintain an up to date security policy document containing the following information:

                a) A detailed documentation of the technology architecture and of the systems and the network elements providing:
                i. a description of the business IT systems supporting the business activities;
                ii. the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
                iii. for each of the connections, the logical security measures and mechanisms in place, specifying the control the licensee will have over such access as well as the nature and frequency of each control,
                iv. process for the opening/closing of communication lines, and description of security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
                b) the logical security measures and mechanisms that govern the internal access to IT systems;
                c) the physical security measures and mechanisms of the premises and the data centre of the licensee, such as access controls and environmental security;
                d) the security of the account information and payment initiation processes, which should include:
                i. the customer authentication procedures used for both consultative and transactional access, and for all underlying payment instruments;
                ii. an explanation of how safe delivery of tokens to the legitimate customer is ensured; and
                iii. a description of the integrity of authentication factors, tokens and online and mobile applications at the time of both initial enrolment and renewal.
                Added: December 2018

              • OB-1.1.9

                AISPs and PISPs must ensure they have an up to date business continuity plan and arrangements consisting of the following information:

                a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
                b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
                c) an explanation of how the licensee will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons; and
                d) the frequency with which the licensee intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
                Added: December 2018

              • OB-1.1.10

                AISPs and PISPs must appoint a third party specialist to conduct vulnerability assessments against cyber-attacks and penetration testing on the specific API security standards every 6 months. The specialist's report must be submitted to the CBB, along with the licensee's related action plan to resolve any issues identified. All relevant threat profiles referenced in the security standards including the risk of social engineering must be considered for the reviews.

                Added: December 2018

              • OB-1.1.11

                AISPs and PISPs must ensure that their overall systems and controls including but not limited to the business continuity, disaster recovery, information security testing, web-applications testing, smart device application testing, and cyber resilience are evaluated and independently tested by an external consultant:

                a) initially upon implementation of this Module;
                b) when there are any material changes to the systems and controls; and
                c) at least once every 3 years.
                Added: December 2018

              • OB-1.1.12

                A PISP must establish procedures to ensure:

                (a) that it will not store a customer's personalised security credentials, such as customer’s KYC and biometric information and that such data are:
                i. not accessible to other parties, with the exception of the issuer of the credentials; and
                ii. transmitted through safe and efficient channels;
                (b) that any other information about a customer is not provided to any person except a payee, and is provided to the payee only with the customer's explicit consent;
                (c) that each time a PISP initiates a payment order on behalf of its customer, the PISP identifies itself to the licensee with whom the customer maintains the account in a secure way;
                (d) [This Sub-paragraph was deleted in July 2021];
                (e) that it will not access, use or store any information for any purpose except for the provision of a payment initiation service explicitly requested by a payer, however, it may store payment details initiated by the customer such as payment amounts, payment accounts, payment reference number, payment execution dates, time and payee’s IBAN number;
                (f) that it cannot and does not change the amount, the payee or any other feature of a transaction notified to it by the customer; and
                (g) that any data accessed and stored is encrypted in transit and at rest, and must not be accessible to any unauthorised person within the licensee’s organisation.
                Amended: July 2021
                Added: December 2018

              • OB-1.1.13

                An AISP must establish procedures to ensure:

                (a) it does not provide account information services without the customer's explicit consent;
                (b) that it will not store the customer's personalised security credentials such as customer’s KYC and biometric information and that such data are:
                i. not accessible to other parties, with the exception of the issuer of the credentials; and
                ii. transmitted through safe and efficient channels;
                (c) that, for each communication session, it communicates securely with the licensee and the customer in accordance with the regulatory requirements of this Module;
                (d) that it does not access any information other than information from designated accounts;
                (e) it will not access, use or store any information for any purpose except for the provision of the account information service explicitly requested by the customer;
                (f) that any data accessed and stored is encrypted in transit and at rest, and must not be accessible to any unauthorised person within the licensee’s organisation; and
                (g) that customer information accessed must not be stored in a form which permits identification of customer once the customer consent is withdrawn.
                Amended: July 2021
                Added: December 2018

        • OB-2 OB-2 Operating Rules

          • OB-2.1 OB-2.1 Framework Contracts

            • Legal arrangement and transparency

              • OB-2.1.1

                AISPs and PISPs must establish a framework contract (a legal arrangement) with the customer prior to providing AIS or PIS services. The framework contract must provide the information set forth below that is relevant to the services they provide:

                (a) The following information about the service and the provider:
                i. the name, address and contact details of the PISP or AISP as the case may be;
                ii. a description of the main characteristics of the service to be provided;
                iii. the information or unique identifier that must be provided by the customer in order for a payment order to be properly initiated or executed;
                (b) the form and procedures for giving consent to provide account information service, the initiation of a payment order and for the withdrawal of consent;
                (c) provisions regarding the time of receipt of a payment order and the cut-off time, if any, established by the licensee and the maximum execution time for the payment services to be provided;
                (d) whether spending limits for the use of a payment instrument may be agreed;
                (e) the detail of all fees and charges payable by the customer to the PISP/AISP, including those connected to the manner in and frequency with which information is provided or made available and, where applicable, a breakdown of the amounts of any charges;
                (f) the means of communication agreed between the parties for the transmission of information or notifications under this Module including, where relevant, any technical requirements for the customer's equipment and software for receipt of the information or notifications;
                (g) The terms under which the customer may opt out from the use of the payment instrument;
                (h) explicit consents required for generic marketing promotions by the PISP/AISP; and
                (i) the terms of the framework contract and information.
                (j) The following information about safeguards and corrective measures in compliance with PDPL:
                i. where relevant, a description of the steps that the customer is to take in order to keep safe a payment instrument and how to notify the PISP/AISP for the purposes of obligations of the customer in relation to loss, theft, misappropriation, unauthorised use of the payment instruments and personalised security credentials;
                ii. the secure procedures, by which the PISP/AISP will contact the customer in the event of suspected or actual fraud or security threats;
                iii. the conditions under which the PISP/AISP stops or prevents the use of a payment instrument;
                iv. the customer's liability (payer or payee's liability for unauthorized payment transactions), including details of any limits on such liability;
                v. how and within what period of time the customer is to notify the licensee maintaining customer account of any unauthorised or incorrectly initiated or executed payment transaction, and liability, if any, for unauthorised payment transactions falling on the licensee maintaining customer account for execution of unauthorised payment transactions;
                vi. liability, if any, in the event of initiation or execution or non-execution or defective or late execution of payment transactions;
                vii. liability of parties in the event of a cyber-attack and loss of sensitive data; and
                viii. the conditions for any refunds for payment transactions initiated by or through a payee.
                (k) The following information about changes to and termination of the framework contract:
                i. the time given to the customer to review and accept any proposed changes, which under no circumstances shall be less than 10 calendar days;
                ii. the proposed terms under which the customer will be deemed to have accepted changes to the framework contract in accordance, unless they notify the service provider that they do not accept such changes before the proposed date of their entry into force;
                iii. the duration of the framework contract;
                iv. where relevant, the right of the customer to terminate the framework contract and any agreements relating to.
                (l) The following information about redress:
                i. any contractual clause on the law applicable to the framework contract;
                ii. the customer complaint procedures and the availability of alternative dispute resolution procedures for the customer and the methods for having access to them; and
                iii. the name/title and contact number of the person designated to handle any queries or complaints.
                Amended: July 2021
                Added: December 2018

              • OB-2.1.2

                The information specified in Paragraph OB-2.1.1 must be provided to the customer free of charge before initiation of service.

                Added: December 2018

              • OB-2.1.3

                A framework contract may provide for the PISP to have the right to stop the use of a payment instrument on reasonable grounds relating to:

                (a) the security of the payment instrument; or
                (b) the suspected unauthorised or fraudulent use of the payment instrument.
                Added: December 2018

              • OB-2.1.4

                AISPs and PISPs must agree the basis, the time period and the manner in which the information on its intention to stop the use of the payment instrument will be provided to the customer and to the relevant licensees maintaining customer accounts.

                Added: December 2018

              • OB-2.1.5

                AISPs must allow customers to provide consent for accessing their account information for a duration of up to 12 months.

                Added: July 2021

              • OB-2.1.6

                AISPs must allow their customers to choose the nature and type of data to be collected or accessed and used by the AISP for the purpose of providing the services.

                Added: July 2021

          • OB-2.2 Standards for Authentication and Communication

            • Secure authentication

              • OB-2.2.1

                AISPs and PISPs must have in place a 2-factor authentication process to prevent unauthorised access.

                (a) [This sub-paragraph was deleted in July 2021];
                (b) [This sub-paragraph was deleted in July 2021];
                (c) [This sub-paragraph was deleted in July 2021].
                Amended: July 2021
                Added: December 2018

              • OB-2.2.2

                [This Paragraph was deleted in July 2021].

                Deleted: July 2021
                Added: December 2018

              • OB-2.2.3

                [This Paragraph was deleted in July 2021].

                (a) [This sub-paragraph was deleted in July 2021];
                (b) [This sub-paragraph was deleted in July 2021];
                (c) [This sub-paragraph was deleted in July 2021];
                (d) [This sub-paragraph was deleted in July 2021].
                Deleted: July 2021
                Added: December 2018

            • Independence of elements of strong authentication

              • OB-2.2.4

                [This Paragraph was deleted in July 2021].

                (a) [This sub-paragraph was deleted in July 2021];
                (b) [This sub-paragraph was deleted in July 2021];
                (c) [This sub-paragraph was deleted in July 2021].
                Deleted: July 2021
                Added: December 2018

              • OB-2.2.5

                [This Paragraph was deleted in July 2021].

                Deleted: July 2021
                Added: December 2018

              • OB-2.2.6

                [This Paragraph was deleted in July 2021].

                (a) [This sub-paragraph was deleted in July 2021];
                (b) [This sub-paragraph was deleted in July 2021].
                Deleted: July 2021
                Added: December 2018

            • Confidentiality and Integrity of Personalised Security Credentials

              • OB-2.2.7

                AISPs and PISPs must ensure that the creation of personalised security credentials is performed in a secure environment. AISPs and PISPs must mitigate the risks of unauthorised use of the personalised security credentials and of the authentication devices and software due to their loss, theft or copying before their delivery to the payer.

                Added: December 2018

              • OB-2.2.8

                AISPs and PISPs must ensure the confidentiality and integrity of the personalised security credentials of the customer, including authentication codes, during all phases of authentication including display and transmission.

                Added: December 2018

              • OB-2.2.9

                For the purpose of Paragraph OB-2.2.8, AISPs and PISPs must ensure that each of the following requirements is met:

                (a) personalised security credentials are masked when displayed and not readable in their full extent when input by the customer during the authentication;
                (b) personalised security credentials in data format, as well as cryptographic materials related to the encryption of the personalised security credentials are not stored in plaintext;
                (c) secret cryptographic material is protected from unauthorised disclosure.
                Added: December 2018

              • OB-2.2.10

                PISPs and AISPs must ensure that only the customer is associated with the personalised security credentials, with the authentication devices and the software in a secure manner.

                Added: December 2018

            • Security of Communication Sessions

              • OB-2.2.11

                AISPs and PISPs must ensure that any communication session established with the customer, and other entities, including merchants, relies on each of the following:

                (a) a unique identifier of the session;
                (b) security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data; and
                (c) timestamps which shall be based on a unified time-reference system and which shall be synchronised according to an official time signal.
                Added: December 2018

              • OB-2.2.12

                AISPs and PISPs must rely on qualified certificates for electronic seals for identification of the different parties for communication between parties.

                Added: December 2018

              • OB-2.2.13

                AISPs and PISPs must ensure that the risks against misdirection of communication to unauthorised parties in mobile applications and other customers' interfaces offering electronic payment services are effectively mitigated.

                Added: December 2018

              • OB-2.2.14

                AISPs and PISPs must ensure that, when exchanging data via the internet, secure encryption, using strong and widely recognised encryption techniques, is applied between the communicating parties throughout the respective communication session in order to safeguard the confidentiality and the integrity of the data.

                Added: December 2018

              • OB-2.2.15

                AISPs and PISPs must keep the access sessions offered by the licensee maintaining customer account as short as possible and they shall actively terminate the session with the relevant licensee maintaining customer account as soon as the requested action has been completed.

                Added: December 2018

              • OB-2.2.16

                When maintaining parallel network sessions with the bank licensees, AISPs and PISPs must ensure that those sessions are securely linked to relevant sessions established in order to prevent the possibility that any message or information communicated between them could be misrouted.

                Added: December 2018

              • OB-2.2.17

                AISPs and PISPs, with the licensee maintaining customer accounts, must include unambiguous reference to each of the following items:

                (a) the customer or users and the corresponding communication session in order to distinguish several requests from the same customer or users;
                (b) for payment initiation services, the uniquely identified payment transaction initiated;
                (c) for confirmation on the availability of funds, the uniquely identified request related to the amount necessary for the execution of transaction.
                Added: December 2018
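
The session rules in Paragraphs OB-2.2.11 and OB-2.2.15 to OB-2.2.17 can be read together as one session object. The sketch below is an added example, not code from the CBB or from the Bahrain Open Banking Framework API specifications; the class, function and field names (`BankSession`, `request_id`, `kind` and so on) are hypothetical, the sample messages are constructed, and clock synchronisation to an official time signal is assumed to be handled by the host.

```python
import secrets
from contextlib import contextmanager
from datetime import datetime, timezone


def utc_now():
    # Assumption: the host clock is synchronised (e.g. NTP) to an official time
    # source; the code only guarantees that every entry uses the same UTC reference.
    return datetime.now(timezone.utc)


class MisroutedMessage(Exception):
    """A reply did not match the session and request it claims to answer."""


class BankSession:
    """One access session with a licensee maintaining the customer account."""

    def __init__(self, customer_id, log, clock=utc_now):
        self.session_id = secrets.token_urlsafe(24)  # unique, unguessable session identifier
        self.customer_id = customer_id
        self.open = True
        self._log, self._clock, self._pending = log, clock, {}
        self._record("session_opened")

    def _record(self, event, **data):
        # Every log entry carries the timestamp plus the session and customer reference.
        self._log.append({"ts": self._clock().isoformat(), "session_id": self.session_id,
                          "customer_id": self.customer_id, "event": event, **data})

    def new_request(self, kind, **fields):
        """Build an outgoing message that names customer, session and request unambiguously."""
        if not self.open:
            raise RuntimeError("session already terminated")
        request_id = secrets.token_hex(8)  # unique per payment initiation / funds check
        self._pending[request_id] = kind
        self._record("request_sent", request_id=request_id, kind=kind, **fields)
        return {"session_id": self.session_id, "customer_id": self.customer_id,
                "request_id": request_id, "kind": kind, **fields}

    def accept_reply(self, reply):
        """Accept a reply only if it answers a pending request of this very session."""
        request_id = reply.get("request_id")
        matches = (self.open
                   and request_id in self._pending
                   and reply.get("session_id") == self.session_id
                   and reply.get("customer_id") == self.customer_id)
        if not matches:
            self._record("reply_rejected", request_id=request_id)
            raise MisroutedMessage("reply does not belong to this session")
        del self._pending[request_id]  # a reply is consumed once; replays are rejected
        self._record("reply_accepted", request_id=request_id)
        return reply

    def terminate(self):
        if self.open:
            self.open = False
            self._pending.clear()
            self._record("session_terminated")


@contextmanager
def bank_session(customer_id, log, clock=utc_now):
    """Open a session and terminate it as soon as the block finishes, even on error."""
    session = BankSession(customer_id, log, clock)
    try:
        yield session
    finally:
        session.terminate()


def demo():
    """Constructed run: one matching reply, one reply carrying another session's identifier."""
    log, fixed = [], datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    with bank_session("cust-001", log, clock=lambda: fixed) as s:
        req = s.new_request("payment_initiation", amount="10.000", currency="BHD")
        s.accept_reply({**req, "status": "accepted"})
        req2 = s.new_request("funds_confirmation", amount="10.000", currency="BHD")
        try:
            s.accept_reply({**req2, "session_id": "some-other-session", "status": "yes"})
            rejected = False
        except MisroutedMessage:
            rejected = True
    return {"rejected": rejected, "open_after": s.open,
            "events": [entry["event"] for entry in log], "log": log}
```
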

              • OB-2.2.18

                AISPs and PISPs must ensure that where they communicate personalised security credentials and authentication codes, these are not readable by any staff at any time. In case of loss of confidentiality of personalised security credentials under their sphere of competence, PISPs and AISPs must inform without undue delay the customer associated with them and the issuer of the personalised security credentials.

                Added: December 2018

              • OB-2.2.19

                AISPs must have in place suitable and effective mechanisms that prevent access to information other than from designated payment accounts and associated payment transactions, in accordance with the customer's explicit consent.

                Added: December 2018
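
The consent rules for AISPs (explicit consent and designated accounts in Paragraph OB-1.1.13, the 12-month ceiling in OB-2.1.5, customer-chosen data types in OB-2.1.6 and the access restriction in OB-2.2.19) reduce to a deny-by-default check in front of every data access. The following is an added example, not CBB or Bahrain Open Banking Framework code; all names are hypothetical, the sample data is constructed, "12 months" is modelled as 365 days, and purging rows on withdrawal is one assumed way of meeting OB-1.1.13(g).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: the "up to 12 months" ceiling of OB-2.1.5 is modelled as 365 days.
MAX_CONSENT = timedelta(days=365)


class ConsentError(ValueError):
    """The consent request itself is not acceptable."""


@dataclass
class Consent:
    customer_id: str
    accounts: frozenset       # designated accounts only
    data_types: frozenset     # nature and type of data the customer chose
    expires_at: datetime
    withdrawn_at: Optional[datetime] = None


def grant(customer_id, accounts, data_types, duration, now):
    """Record explicit consent; refuse empty scopes and durations above the ceiling."""
    if not accounts or not data_types:
        raise ConsentError("consent must name at least one account and one data type")
    if not timedelta(0) < duration <= MAX_CONSENT:
        raise ConsentError("duration must be positive and at most 12 months")
    return Consent(customer_id, frozenset(accounts), frozenset(data_types), now + duration)


def authorise(consent, customer_id, account, data_type, now):
    """Deny by default; return (allowed, reason) so every refusal can be logged."""
    if consent is None or consent.customer_id != customer_id:
        return False, "no_consent"
    if consent.withdrawn_at is not None:
        return False, "withdrawn"
    if now >= consent.expires_at:
        return False, "expired"
    if account not in consent.accounts:
        return False, "account_not_designated"
    if data_type not in consent.data_types:
        return False, "data_type_not_consented"
    return True, "ok"


class AccountDataStore:
    """Holds fetched account data; every write passes through authorise()."""

    def __init__(self):
        self._rows = []

    def save(self, consent, customer_id, account, data_type, payload, now):
        allowed, reason = authorise(consent, customer_id, account, data_type, now)
        if not allowed:
            raise PermissionError(reason)
        self._rows.append({"customer_id": customer_id, "account": account,
                           "data_type": data_type, "payload": payload})

    def withdraw(self, consent, now):
        """Mark the consent withdrawn and purge the rows that identify the customer."""
        consent.withdrawn_at = now
        kept = [r for r in self._rows if r["customer_id"] != consent.customer_id]
        purged = len(self._rows) - len(kept)
        self._rows = kept
        return purged

    def rows_for(self, customer_id):
        return [r for r in self._rows if r["customer_id"] == customer_id]


def demo():
    """Constructed scenario: 90-day consent for one account and one data type."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    consent = grant("cust-001", {"ACC-1"}, {"balances"}, timedelta(days=90), now)
    store = AccountDataStore()
    store.save(consent, "cust-001", "ACC-1", "balances", {"balance": "120.500"}, now)
    out = {
        "in_scope": authorise(consent, "cust-001", "ACC-1", "balances", now),
        "other_account": authorise(consent, "cust-001", "ACC-2", "balances", now),
        "other_data": authorise(consent, "cust-001", "ACC-1", "transactions", now),
        "after_expiry": authorise(consent, "cust-001", "ACC-1", "balances",
                                  now + timedelta(days=90)),
    }
    out["purged"] = store.withdraw(consent, now + timedelta(days=10))
    out["after_withdrawal"] = authorise(consent, "cust-001", "ACC-1", "balances",
                                        now + timedelta(days=11))
    out["rows_left"] = len(store.rows_for("cust-001"))
    return out
```
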

              • OB-2.2.20

                PISPs must provide the licensees maintaining customer accounts with the same information requested from the customer when initiating the payment transaction directly, unless the collection of additional information for the purposes of the provision of the payment initiation service is agreed otherwise between PISP, payer, and the licensee maintaining customer accounts.

                Added: December 2018

          • OB-2.3 Payment Transactions

            • Consent to Initiate Payment Transactions

              • OB-2.3.1

                A payment transaction is to be regarded as having been authorised by the payer for the purposes of this Module only if the payer has given its consent to:

                (a) the execution of the payment transaction; or
                (b) the execution of a series of payment transactions of which that payment transaction forms part.
                Added: December 2018

              • OB-2.3.2

                For the purpose of Paragraph OB-2.3.1, such consent must be given in the form, and in accordance with the procedure, agreed between the licensee maintaining the customer account, the payer and the PISP and may be given via the payee or a PISP.

                Added: December 2018

              • OB-2.3.3

                PISPs must ensure that the payer can withdraw its consent to a payment transaction at any time before the point at which the payment order can no longer be revoked under the terms of the framework contract with the customer.

                Added: December 2018

              • OB-2.3.4

                The customer may withdraw its consent to the execution of a series of payment transactions at any time with the effect that any future payment transactions are not regarded as authorised for the purposes of this section.

                Added: December 2018

            • Limits on Payment Transactions

              • OB-2.3.5

                The PISP may agree on payment transaction limits based on its own discretion or on account of the following limitations:

                (a) limits imposed by the CBB from time to time;
                (b) limits imposed by any of the licensees; and/or
                (c) limits imposed based on customer request.
                Added: December 2018

              • OB-2.3.6

                Subject to the framework contract, a PISP has the right to stop the use of a payment instrument on reasonable grounds relating to:

                (a) the security of the payment instrument; or
                (b) the suspected unauthorised or fraudulent use of the payment instrument.
                Added: December 2018

              • OB-2.3.7

                PISPs must ensure that a customer to whom a payment instrument has been issued must keep safe the personalised security credentials and must:

                (a) use it in accordance with the terms and conditions governing such use; and
                (b) notify the PISP in an agreed manner and without undue delay on becoming aware of the loss, theft, misappropriation or unauthorised use of the payment instrument.
                Added: December 2018

            • Fees and charges

              • OB-2.3.8

                The AISPs and PISPs may charge fees and charges which reasonably correspond to the AISP’s or PISP’s costs, as the case may be, which must be explicitly agreed in the framework contract.

                Amended: July 2021
                Added: December 2018

          • OB-2.4 Technology Related Requirements

            • OB-2.4.1

              AISPs and PISPs must adhere to the Operational Guidelines, Security Standards and Guidelines, Open Banking Application Program Interface (API) Specifications and Customer Journey Guidelines included in the Bahrain Open Banking Framework (see CBB website).

              Amended: July 2021
              Added: December 2018

            • OB-2.4.2

              AISPs and PISPs must ensure that compliance with standards and guidelines specified in Paragraph OB-2.4.1 is subject to independent review and tests, including testing in a test environment, by an independent consultant upon implementation.

              Amended: July 2021
              Added: December 2018

            • OB-2.4.3

              AISPs and PISPs must ensure that the technology solution provided to their customers is easily accessible and can be downloaded as a standalone application (e.g. iOS/Android/Microsoft Windows etc.).

              Added: July 2021

    • Reporting Requirements

      • BR Ancillary Service Providers CBB Reporting Requirements Module

        • BR-A Introduction

          • BR-A.1 Purpose

            • Executive Summary

              • BR-A.1.1

                This Module sets out requirements applicable to ancillary service provider licensees regarding reporting to the CBB. These include the provision of financial information to the CBB by way of prudential returns, as well as notification to the CBB of certain specified events, some of which require prior CBB approval. This Module also outlines the methods used by the CBB in gathering information required in the supervision of ancillary service provider licensees.

                April 2016

              • BR-A.1.2

                This Module provides support for certain other parts of the Rulebook, mainly:

                (a) Principles of Business;
                (c) Risk Management (to be issued);
                (d) Financial Crime;
                (e) High-Level Controls (to be issued); and
                (f) Auditors and Accounting Standards.
                April 2016

              • BR-A.1.3

                Unless otherwise stated, all reports referred to in this Module should be addressed to the Director of the relevant supervision directorate of the CBB.

                April 2016

            • Legal Basis

              • BR-A.1.4

                This Module contains the CBB's Directive relating to reporting requirements applicable to ancillary service provider licensees and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 and its amendments ('CBB Law').

                April 2016

              • BR-A.1.5

                For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

                April 2016

          • BR-A.2 Module History

            • Evolution of Module

              • BR-A.2.1

                This Module was first issued in April 2016. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made: UG-3 provides further details on Rulebook maintenance and version control.

                April 2016

              • BR-A.2.2

                A list of recent changes made to this Module is provided below:

                | Module Ref. | Change Date | Description of Changes |
                |---|---|---|
                | BR-1.4 | 04/2017 | Added a new Section on Onsite Inspection Reporting. |
                | BR-2.2.6 | 12/2018 | Amended sub-paragraphs (a) & (b). |
                | BR-1.1.1A | 10/2019 | Added a new Paragraph on disclosure of financial penalties. |
                | BR-2.3.6 | 01/2020 | Amended Paragraph. |
                | BR-1.1.6 | 07/2020 | Added a new Paragraph on audited clients money report. |
                | BR-1.1.6 | 01/2021 | Amended Paragraph on audited clients money report. |
                | BR-1.1.7 | 01/2021 | Added a new Paragraph on audited clients money. |

            • Superseded Requirements

              • BR-A.2.3

                This Module supersedes the following provisions contained in circulars or other regulatory instruments:

                | Circular / other reference | Subject |
                |---|---|
                | Standard Conditions and Licensing Criteria for Providers of Ancillary Services to the Financial Sector | Scope of license and licensing conditions. |
                April 2016

        • BR-B Scope of Application

          • BR-B.1 Scope of Application

            • BR-B.1.1

              The content of this Module applies to all ancillary service provider licensees authorised in the Kingdom (thereafter referred to in this Module as licensees).

              April 2016

        • BR-1 Prudential Reporting

          • BR-1.1 Annual Requirements

            • BR-1.1.1

              All licensees are required to submit to the CBB their annual audited financial statements within 3 months of their financial year end.

              April 2016

            • BR-1.1.1A

              In accordance with Paragraphs EN-B.4.5 and EN-5.2.2, licensees must disclose in their annual audited financial statements the amount of any financial penalties paid to the CBB, together with a factual description of the reason(s) given by the CBB for the penalty. Licensees which fail to comply with this requirement will be required to make the disclosure in the annual audited financial statements of the subsequent year and will be subject to an enforcement action for non-disclosure.

              Added: October 2019

            • TPAs and PSPs

              • BR-1.1.2

                The notes to the financial statements must:

                (a) For TPAs, contain complete names and addresses of all insurance companies or self-funded schemes outside Bahrain with which the TPA had a contract in effect during the preceding calendar year; and
                (b) For PSPs, refer to the breakdown of clients' money and own funds.
                April 2016

              • BR-1.1.3

                In addition to the statements required in Paragraph BR-1.1.1, licensees are required to submit to the CBB the following information within 3 months of their financial year end:

                (a) The external auditor's management letter;
                (b) A report on the licensee's close links as required under Paragraph GR-8.1.3;
                (c) The licensee's group structure and the internal organisation chart;
                (d) The report on controllers as required under Paragraph GR-7.1.10; and
                (e) Any supplementary information as required by the CBB.
                April 2016

              • BR-1.1.4

                TPAs must also submit to the CBB a breakdown of their sources of revenue within 3 months following the year end in accordance with Appendix BR-10, included under Part B Volume 5 of the CBB Rulebook.

                April 2016

              • BR-1.1.5

                In accordance with the provisions of Section AA-4.1, the audited financial statements of the licensees must comply with the International Financial Reporting Standards (IFRS), and where applicable with the Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI).

                April 2016

              • BR-1.1.6

                Payment Service Providers must appoint independent auditors to perform an in-depth audit on clients’ money account (i.e. client money received and its usage, accounting records, internal controls etc.) every 6 months and submit the report to the CBB after two months of period end, i.e. 31st August for the June report and end of February for the December report. The audit must be performed by the licensee’s external auditor or an independent third-party audit firm acceptable to the CBB.

                Amended: January 2021
                Added: July 2020

              • BR-1.1.7

                The overarching objectives of the audit, required under Paragraph BR-1.1.6, must be:

                (a) Ensuring that client money is properly segregated and not commingled with the licensee’s own funds;
                (b) The licensee has established and implemented adequate internal control procedures and systems to ensure client money is always segregated;
                (c) Client money is not used for purposes other than for client transactions as stipulated in the terms of products/services with its customers;
                (d) The balances are maintained with a retail bank licensee in Bahrain and such balances are not subject to any lien or other restrictions; and
                (e) Fraud risks are adequately controlled and mitigated.
                Added: January 2021

          • BR-1.2 Periodical Financial Statements

            • BR-1.2.1

              PSPs are required to submit to the CBB reviewed (unaudited) semi-annual financial statements (in the same format as their annual audited accounts) on a semi-annual basis, within two months of the date of these statements. Such statements must provide the breakdown of clients' money and own funds.

              April 2016

          • BR-1.3 IIS Reporting Requirements

            • Institutional Information System (IIS)

              • BR-1.3.1

                All licensees are required to complete online non-financial information related to their institution by accessing the CBB's institutional information system (IIS). Licensees must update the required information at least on a quarterly basis or when a significant change occurs in the non-financial information included in the IIS. If no information has changed during the quarter, the licensee must still access the IIS quarterly and confirm that the information contained in the IIS is correct. Licensees must ensure that they access the IIS within 20 calendar days from the end of the related quarter and either confirm or update the information contained in the IIS.

                April 2016

              • BR-1.3.2

                Licensees failing to comply with the requirements of Paragraph BR-1.3.1 or reporting inaccurate information may be subject to financial penalties or other enforcement action as outlined in Module (EN) Enforcement.

                April 2016

          • BR-1.4 Onsite Inspection Reporting

            • BR-1.4.1

              For the purpose of onsite inspection by the CBB, licensees must submit requested documents and completed questionnaires to the Inspection Directorate at the CBB three working days ahead of inspection team entry date.

              Added: April 2017

            • BR-1.4.2

              Licensees must review the contents of the draft Inspection Report and submit to the Inspection Directorate at the CBB a written assessment of the observations/issues raised within ten working days of receipt of such report. Evidentiary documents supporting management's comments must also be included in the response package.

              Added: April 2017

            • BR-1.4.3

              Licensees' boards are required to review the contents of the Inspection Report and submit, within one month of the report issue date, a final response to such report along with an action plan addressing the issues raised within the stipulated timeline.

              Added: April 2017

            • BR-1.4.4

              Licensees failing to comply with the requirements of Paragraphs BR-1.4.1 and BR-1.4.2 are subject to date sensitive requirements and other enforcement actions as outlined in Module (EN) Enforcement.

              Added: April 2017

        • BR-2 Notifications and Approvals

          • BR-2.1 Introduction

            • BR-2.1.1

              All notifications and requests for approvals required in this Chapter are to be submitted by licensees in writing and signed by an authorised officer in accordance with Paragraph BR-2.2.11.

              April 2016

            • BR-2.1.2

              Licensees are required to provide the CBB with a range of information to enable it to monitor the licensee's compliance with Volume 5 of the CBB Rulebook. Some of this information is provided through regular reports, whereas others are in response to the occurrence of a particular event (such as a change in name or address). The following Sections list the commonly occurring reports for which a licensee will be required to notify the CBB or seek its approval.

              April 2016

          • BR-2.2 Notification Requirements

            • Matters Having a Serious Supervisory Impact

              • BR-2.2.1

                A licensee must notify the CBB if any of the following has occurred, may have occurred or may occur in the near future:

                (a) The licensee failing to satisfy one or more of the Principles of Business referred to in Module PB;
                (b) Any matter which could have a significant adverse impact on the licensee's reputation;
                (c) Any matter which could affect the licensee's ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the licensee;
                (d) Any matter in respect of the licensee that could result in material financial consequences to the financial system or to other licensees;
                (e) A breach of any requirement imposed by law, regulation, directive or any other instruction issued by the CBB;
                (f) If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way; or
                (g) If the licensee intends to suspend any or all the licensed regulated services or ceases business, setting out how it proposes to do so and, in particular, how it will treat any of its liabilities (ref GR-9.1.2).
                April 2016

              • BR-2.2.2

                The circumstances that may give rise to any of the events in Paragraph BR-2.2.1 are wide-ranging and the probability of any matter resulting in such an outcome, and the severity of the outcome, may be difficult to determine. However, the CBB expects licensees to properly consider all potential events and consequences that may arise from them.

                April 2016

              • BR-2.2.3

                In determining whether an event that may occur in the near future should be notified to the CBB, a licensee should consider both the probability of the event happening and the severity of the outcome should it happen. Matters having a supervisory impact could also include matters relating to a controller that may directly or indirectly have an effect on the licensee.

                April 2016

            • Legal, Professional, Administrative or other Proceedings against a Licensee

              • BR-2.2.4

                A licensee must notify the CBB immediately of any legal, professional, administrative or other proceedings instituted against the licensee or a controller of the licensee that is known to the licensee and is significant in relation to the licensee's financial resources or its reputation.

                April 2016

              • BR-2.2.5

                A licensee must notify the CBB of the bringing of a prosecution for, or conviction of, any offence under any relevant law against the licensee or any of its approved persons.

                April 2016

            • Fraud, Errors and other Irregularities

              • BR-2.2.6

                A licensee must notify the CBB immediately if one of the following events arises:

                (a) It becomes aware that a person, whether or not employed by it, may have committed, or is acting with intent to commit, fraud against its customers or itself;
                (b) A major operational or security incident where the incident has or may have a major negative impact on the financial interests of its customers or other licensees, or itself;
                (c) It identifies irregularities in its accounting or other records, whether or not there is evidence of fraud;
                (d) It suspects that one of its employees may be guilty of serious misconduct concerning his honesty or integrity and which is connected with the licensee's regulated activities; or
                (e) Conflicts of interest that may affect the operation of the licensee.
                Amended: December 2018
                April 2016

              • BR-2.2.7

                If the licensee may have suffered material financial losses as a result of the incident, or may suffer reputational loss, the CBB will wish to consider this and whether the incident is indicative of weaknesses in the licensee's internal controls.

                April 2016

            • Insolvency, Bankruptcy and Winding Up

              • BR-2.2.8

                Except in instances where the CBB has initiated the following actions, a licensee must notify the CBB immediately of any of the following events:

                (a) The calling of a meeting to consider a resolution for winding up the licensee or a controller of the licensee;
                (b) An application to dissolve a controller of the licensee;
                (c) The presentation of a petition for the winding up of a controller of the licensee;
                (d) The making of any proposals, or the making of, a composition or arrangement with any one or more of the licensee's creditors, for material amounts of debt;
                (e) An application for the appointment of an administrator or trustee in bankruptcy to a controller of the licensee;
                (f) The appointment of a receiver to the licensee or to a controller of the licensee (whether an administrative receiver or a receiver appointed over particular property); or
                (g) An application against the licensee or a controller of the licensee under Part 10 of the CBB Law or the Bankruptcy and Composition Law of 1987 or similar legislation in another jurisdiction.
                April 2016

            • External Auditor

              • BR-2.2.9

                A licensee must notify the CBB of the following:

                (a) Removal or resignation of its external auditor (ref. AA-1.2.1); or
                (b) A change in the partner in charge of conducting the external audit (ref. AA-1.3.3).
                April 2016

            • Approved Persons

              • BR-2.2.10

                A licensee must notify the CBB of the termination of employment of any approved persons, including reasons for their termination and arrangements for replacing them (ref. AU-4.4.9).

                April 2016

            • Authorised Signatories

              • BR-2.2.11

                At the time of authorisation (when the license is granted) or whenever a change occurs, in order to maintain an up-to-date record of authorised signatories of respective ancillary service providers, the CBB requires all licensees to submit to the licensee's CBB supervisory point of contact a list of specimen signatures of the officials authorised to sign on behalf of the concerned licensee, together with, where appropriate, details of what they are authorised to sign for.

                April 2016

            • Capital Adequacy Requirements

              • BR-2.2.12

                In the event that a licensee fails to meet any of the requirements specified in Section AU-2.5 it must, on becoming aware that it has breached the requirements, immediately notify the CBB in writing.

                April 2016

              • BR-2.2.13

                As specified in Article 58 of the CBB Law, a licensee must notify the CBB immediately of any matter that may affect its financial position, currently or in the future, or limit its ability to meet its obligations.

                April 2016

            • Outsourcing Arrangements

              • BR-2.2.14

                Licensees must immediately inform their normal supervisory contact at the CBB of any material problems or changes encountered with an outsourcing provider.

                April 2016

            • Controllers

              • BR-2.2.15

                If, as a result of circumstances outside the licensee's knowledge and/or control, a change in controllers is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB on the earlier of:

                (a) The moment the change takes effect; or
                (b) The moment the licensee becomes aware of the proposed change (ref. GR-7.1.6).
                April 2016

              • BR-2.2.16

                A licensee must notify the CBB of any event as specified under Article 52 of the CBB Law.

                April 2016

            • Introduction of New or Expanded Customer Products and Facilities

              • BR-2.2.17

                All licensees should notify the CBB of information relating to any new or expanded customer products and services.

                April 2016

          • BR-2.3 BR-2.3 Approval Requirements

            • Change of Address

              • BR-2.3.1

                As specified in Article 51 of the CBB Law, a licensee must seek approval from the CBB and give reasonable advance notice of a change in the address of the licensee's principal place of business in Bahrain.

                April 2016

              • BR-2.3.2

                The request under Paragraph BR-2.3.1 must include the details of the proposed new address and the date on which the licensee intends to use the new address.

                April 2016

            • Change in Legal Status

              • BR-2.3.3

                A licensee must seek CBB approval and give reasonable advance notice of a change in its legal status that may, in any way, affect its relationship with or limit its liability to its customers.

                April 2016

            • Change in Paid-up and/or Issued Capital

              • BR-2.3.4

                As specified in Article 57(3) of the CBB Law, a licensee must seek CBB prior approval before making any modification to its issued and/or paid-up capital.

                April 2016

            • Controllers

              • BR-2.3.5

                In accordance with Section GR-7.1, licensees must seek CBB prior approval and give reasonable advance notice of any of the following events:

                (a) A person acquiring control or ceasing to have control of the licensee;
                (b) An existing controller acquiring an additional type of control (such as ownership or significant influence) or ceasing to have a type of control of the licensee;
                (c) An existing controller increasing the percentage of shares or voting power of the licensee; and
                (d) An existing controller becoming or ceasing to be a parent undertaking of the licensee.
                April 2016

            • Mergers, Acquisitions and Disposals of Assets and Liabilities

              • BR-2.3.6

                A licensee incorporated in Bahrain must seek CBB prior approval and give reasonable advance notice of its intention to:

                (a) Enter into a merger with another undertaking;
                (b) Enter into a proposed acquisition or disposal of all or a major part of assets and liabilities, inside or outside the Kingdom; or
                (c) Modify its memorandum or articles of association.
                Amended: January 2020
                Added: April 2016

            • Outsourcing Arrangements

              • BR-2.3.7

                A licensee must seek prior approval from the CBB for outsourcing of its internal audit function.

                April 2016

            • Other Matters Having a Supervisory Impact

              • BR-2.3.8

                A licensee must seek prior approval from the CBB for any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs after authorisation has been granted.

                April 2016

            • External Auditor

              • BR-2.3.9

                A licensee must seek prior approval from the CBB for the appointment or re-appointment of its external auditor (ref. AU-2.7.1 and AA-1.1.1).

                April 2016

            • Dividend Distribution

              • BR-2.3.10

                Licensees must obtain the CBB's prior written approval to any dividend proposed to be distributed to the shareholders, in accordance with Chapter GR-6.

                April 2016

            • Approved Persons

              • BR-2.3.11

                A licensee must seek prior approval from the CBB for the appointment of persons undertaking a controlled function (ref. Article 65 of the CBB Law, AU-1.3 and AU-4.3.1).

                April 2016

              • BR-2.3.12

                Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee (ref. AU-4.3.11).

                April 2016

              • BR-2.3.13

                If a controlled function falls vacant, a licensee making immediate interim arrangements for the controlled function affected must obtain approval from the CBB (ref. AU-4.4.9).

                April 2016

            • Cessation of Business

              • BR-2.3.14

                In accordance with Paragraph GR-9.1.1 and Article 50 of the CBB Law, licensees must seek the CBB's prior approval should they wish to cease to provide or suspend any or all of the licensed regulated services of their operations and/or liquidate their business.

                April 2016

        • BR-3 BR-3 Information Gathering by the CBB

          • BR-3.1 BR-3.1 Power to Request Information

            • BR-3.1.1

              In accordance with Article 111 of the CBB Law, licensees must provide all information that the CBB may reasonably request in order to discharge its regulatory obligations.

              April 2016

            • BR-3.1.2

              Licensees must provide all relevant information and assistance to the CBB inspectors and appointed experts on demand as required by Articles 111 and 114 of the CBB Law. Failure by licensees to cooperate fully with the CBB's inspectors or appointed experts, or to respond to their examination reports within the time limits specified, will be treated as demonstrating a material lack of cooperation with the CBB which will result in other enforcement measures being considered, as described elsewhere in Module EN. This rule is supported by Article 114(a) of the CBB Law.

              April 2016

            • BR-3.1.3

              Article 163 of the CBB Law provides for criminal sanctions where false or misleading statements are made to the CBB or any person/appointed expert appointed by the CBB to conduct an inspection or investigation on the business of the licensee or the listed licensee.

              April 2016

            • Information Requested on Behalf of other Supervisors

              • BR-3.1.4

                The CBB may ask licensees to provide it with information at the request of or on behalf of other supervisors to enable them to discharge their functions properly. Those supervisors may include overseas supervisors or government agencies in Bahrain.

                April 2016

          • BR-3.2 BR-3.2 Access to Premises

            • BR-3.2.1

              In accordance with Article 114 of the CBB Law, a licensee must permit representatives of the CBB, or persons appointed for the purpose by the CBB to have access, with or without notice, during reasonable business hours to any of its business premises in relation to the discharge of the CBB's functions under the relevant law.

              April 2016

            • BR-3.2.2

              A licensee must take reasonable steps to ensure that its agents and providers under outsourcing arrangements permit the CBB such access to their business premises.

              April 2016

            • BR-3.2.3

              A licensee must take reasonable steps to ensure that each of its providers under material outsourcing arrangements deals in an open and cooperative way with the CBB in the discharge of its functions in relation to the licensee.

              April 2016

            • BR-3.2.4

              The cooperation that licensees are expected to procure from such providers is similar to that expected of licensees themselves.

              April 2016

          • BR-3.3 BR-3.3 Accuracy of Information

            • BR-3.3.1

              Licensees must take reasonable steps to ensure that all information they give to the CBB is:

              (a) Factually accurate or, in the case of estimates and judgements, fairly and properly based after appropriate enquiries have been made by the licensee; and
              (b) Complete, in that it should include everything which the CBB would reasonably and ordinarily expect to have.
              April 2016

            • BR-3.3.2

              If a licensee becomes aware, or has information that reasonably suggests that it has or may have provided the CBB with information that was or may have been false, misleading, incomplete or inaccurate, or has or may have changed in a material way, it must notify the CBB immediately. The notification must include:

              (a) Details of the information which is or may be false, misleading, incomplete or inaccurate, or has or may have changed;
              (b) An explanation why such information was or may have been provided; and
              (c) The correct information.
              April 2016

            • BR-3.3.3

              If the information in Paragraph BR-3.3.2 cannot be submitted with the notification (because it is not immediately available), it must instead be submitted as soon as possible afterwards.

              April 2016

          • BR-3.4 BR-3.4 Methods of Information Gathering

            • BR-3.4.1

              The CBB uses various methods of information gathering on its own initiative which require the cooperation of licensees:

              (a) Representatives of the CBB may make onsite visits at the premises of the licensee. These visits may be made on a regular basis, or on a sample basis, for special purposes such as theme visits (looking at a particular issue across a range of licensees), or when the CBB has a particular reason for visiting a licensee;
              (b) Appointees of the CBB may also make onsite visits at the premises of the licensee. Appointees of the CBB may include persons who are not CBB staff, but who have been appointed to undertake particular monitoring activities for the CBB, such as in the case of appointed experts (refer to Chapter EN-2);
              (c) The CBB may request the licensee to attend meetings at the CBB's premises or elsewhere;
              (d) The CBB may seek information or request documents by telephone, at meetings or in writing, including electronic communication; or
              (e) The CBB may require licensees to submit various documents or notifications, as per Chapter BR-2, in the ordinary course of their business such as financial reports or on the happening of a particular event in relation to the licensee such as a change in control.
              April 2016

            • BR-3.4.2

              When seeking meetings with a licensee or access to the licensee's premises, the CBB or the CBB appointee needs to have access to a licensee's documents and personnel. Such requests will be made during reasonable business hours and with proper notice. There may be instances where the CBB may seek access to the licensee's premises without prior notice. While such visits are not common, the prospect of unannounced visits is intended to encourage licensees to comply at all times with the requirements and standards imposed by the CBB as per legislation and Volume 5 of the CBB Rulebook.

              April 2016

            • BR-3.4.3

              The CBB considers that a licensee should:

              (a) Make itself readily available for meetings with representatives or appointees of the CBB;
              (b) Give representatives or appointees of the CBB reasonable access to any records, files, tapes or computer systems, which are within the licensee's possession or control, and provide any facilities which the representatives or appointees may reasonably request;
              (c) Produce to representatives or appointees of the CBB specified documents, files, tapes, computer data or other material in the licensee's possession or control as may be reasonably requested;
              (d) Print information in the licensee's possession or control which is held on computer or otherwise convert it into a readily legible document or any other record which the CBB may reasonably request;
              (e) Permit representatives or appointees of the CBB to copy documents or other material on the premises of the licensee at the licensee's expense and to remove copies and hold them elsewhere, or provide any copies, as may be reasonably requested; and
              (f) Answer truthfully, fully and promptly all questions which representatives or appointees of the CBB reasonably put to it.
              April 2016

            • BR-3.4.4

              The CBB considers that a licensee should take reasonable steps to ensure that its employees act in the manner set out in Paragraph BR-3.4.3.

              April 2016

            • BR-3.4.5

              In gathering information to fulfill its supervisory duties, the CBB acts in a professional manner and with due regard to maintaining confidential information obtained during the course of its information gathering activities.

              April 2016

          • BR-3.5 BR-3.5 Role of the Appointed Expert

            • Introduction

              • BR-3.5.1

                The content of this Chapter is applicable to all licensees and appointed experts.

                April 2016

              • BR-3.5.2

                The purpose of the contents of this Chapter is to set out the roles and responsibilities of appointed experts when appointed pursuant to Article 114 or 121 of the CBB Law (see EN-2.1.1). These Articles empower the CBB to assign some of its officials or others to inspect or conduct investigations of licensees.

                April 2016

              • BR-3.5.3

                The CBB uses its own inspectors to undertake on-site examinations of licensees as an integral part of its regular supervisory efforts. In addition, the CBB may commission reports on matters relating to the business of licensees in order to help it assess their compliance with CBB requirements. Inspections may be carried out either by the CBB's own officials, by duly qualified appointed experts appointed for the purpose by the CBB, or a combination of the two.

                April 2016

              • BR-3.5.4

                The CBB will not, as a matter of general policy, publicise the appointment of an appointed expert, although it reserves the right to do so where this would help achieve its supervisory objectives. Both the appointed expert and the CBB are bound by confidentiality provisions restricting the disclosure of confidential information with regard to any such information obtained in the course of the investigation.

                April 2016

              • BR-3.5.5

                Unless the CBB otherwise permits, appointed experts should not be the same firm appointed as external auditor of the licensee.

                April 2016

              • BR-3.5.6

                Appointed experts will be appointed in writing, through an appointment letter, by the CBB. In each case, the CBB will decide on the range, scope and frequency of work to be carried out by appointed experts.

                April 2016

              • BR-3.5.7

                All proposals to appoint appointed experts require approval by an Executive Director or more senior official of the CBB. The appointment will be made in writing, and made directly with the appointed experts concerned. A separate letter is sent to the licensee, notifying them of the appointment. At the CBB's discretion, a trilateral meeting may be held at any point, involving the CBB and representatives of the licensee and the appointed experts, to discuss any aspect of the investigation.

                April 2016

              • BR-3.5.8

                Following the completion of the investigation, the CBB will normally provide feedback on the findings of the investigation to the licensee.

                April 2016

              • BR-3.5.9

                Appointed experts will report directly to and be responsible to the CBB in this context and will specify in their report any limitations placed on them in completing their work (for example due to the licensee's group structure). The report produced by the appointed experts is the property of the CBB (but is usually shared by the CBB with the firm concerned).

                April 2016

              • BR-3.5.10

                Compliance by appointed experts with the contents of this Chapter will not, of itself, constitute a breach of any other duty owed by them to a particular licensee (i.e. create a conflict of interest).

                April 2016

              • BR-3.5.11

                The CBB may appoint one or more of its officials to work on the appointed experts' team for a particular licensee.

                April 2016

            • The Required Report

              • BR-3.5.12

                The scope of the required report will be determined and detailed by the CBB in the appointment letter. Commissioned appointed experts would normally be required to report on one or more of the following aspects of a licensee's business:

                (a) Accounting and other records;
                (b) Internal control systems;
                (c) Returns of information provided to the CBB;
                (d) Operations of certain departments; and/or
                (e) Other matters specified by the CBB.
                April 2016

              • BR-3.5.13

                Appointed experts will be required to form an opinion on whether, during the period examined, the licensee is in compliance with the relevant provisions of the CBB Law and the CBB's relevant requirements, as well as other requirements of Bahrain Law and, where relevant, industry best practice locally and/or internationally.

                April 2016

              • BR-3.5.14

                The appointed experts' report should follow the format set out in Appendix BR-1, in part B of the CBB Rulebook.

                April 2016

              • BR-3.5.15

                Unless otherwise directed by the CBB or unless the circumstances described in Section BR-3.5.19 apply, the report must be discussed with the Board of directors and/or senior management in advance of it being sent to the CBB.

                April 2016

              • BR-3.5.16

                Where the report is qualified by exception, the report must clearly set out the risks which the licensee runs by not correcting the weakness, with an indication of the severity of the weakness should it not be corrected. Appointed experts will be expected to report on the type, nature and extent of any weaknesses found during their work, as well as the implications of a failure to address and resolve such weaknesses.

                April 2016

              • BR-3.5.17

                If the appointed experts conclude, after discussing the matter with the licensee, that they will give a negative opinion (as opposed to one qualified by exception) or that the issue of the report will be delayed, they must immediately inform the CBB in writing giving an explanation in this regard.

                April 2016

              • BR-3.5.18

                The report must be completed, dated and submitted, together with any comments by directors or management (including any proposed timeframe within which the licensee has committed to resolving any issues highlighted by the report), to the CBB within the timeframe applicable.

                April 2016

            • Other Notifications to the CBB

              • BR-3.5.19

                Appointed experts must communicate to the CBB, during the conduct of their duties, any reasonable belief or concern they may have that any of the requirements of the CBB, including the criteria for licensing a licensee (see Module AU), are not or have not been fulfilled, or that there has been a material loss or there exists a significant risk of material loss in the concerned licensee, or that the interests of customers are at risk because of adverse changes in the financial position or in the management or other resources of a licensee. Notwithstanding the above, it is primarily the licensee's responsibility to report such matters to the CBB.

                April 2016

              • BR-3.5.20

                The CBB recognises that appointed experts cannot be expected to be aware of all circumstances which, had they known of them, would have led them to make a communication to the CBB as outlined above. It is only when appointed experts, in carrying out their duties, become aware of such a circumstance that they should make detailed inquiries with the above specific duty in mind.

                April 2016

              • BR-3.5.21

                If appointed experts decide to communicate directly with the CBB in the circumstances set out in Paragraph BR-3.5.19, they may wish to consider whether the matter should be reported at an appropriate senior level in the licensee at the same time and whether an appropriate senior representative of the licensee should be invited to attend the meeting with the CBB.

                April 2016

            • Permitted Disclosure by the CBB

              • BR-3.5.22

                Information which is confidential and has been obtained under, or for the purposes of, this chapter or the CBB Law may only be disclosed by the CBB in the circumstances permitted under the Law. This will allow the CBB to disclose information to appointed experts to fulfil their duties. It should be noted, however, that appointed experts must keep this information confidential and not divulge it to a third party except with the CBB's permission and/or unless required by Bahrain Law.

                April 2016

            • Trilateral Meeting

              • BR-3.5.23

                The CBB may, at its discretion, call for a trilateral meeting(s) to be held between the CBB and representatives of the relevant licensee and the appointed experts. This meeting will provide an opportunity to discuss the appointed experts' examination of, and report on, the licensee.

                April 2016