• AU AU Ancillary Service Providers Authorisation Module

    • AU-A AU-A Introduction

      • AU-A.1 AU-A.1 Purpose

        • Executive Summary

          • AU-A.1.1

            The executive summary only provides an overview. For detailed rules, reference must be made to the individual Rules outlined in the remainder of this Module.

            April 2016

          • AU-A.1.2

            Module AU sets out the Central Bank of Bahrain's ('CBB's) approach to licensing providers of regulated ancillary services in the Kingdom of Bahrain. It also sets out CBB requirements for approving persons undertaking key functions in those providers.

            April 2016

          • AU-A.1.3

            Licensed providers of regulated ancillary services fall into the following categories: third party administrators, card processing services, operating a credit reference bureau, payment service providers, Shari'a advisory/review services, operating a crowdfunding platform, account information service providers and payment initiation service providers and carrying out services in accordance with the CBB Law. These licensees are referred to as financial sector support institutions under Article (1) of the CBB Law and its amendments.

            Amended: October 2019
            April 2016

          • AU-A.1.4

            Regulated ancillary services are defined in Paragraph AU-1.2.1.

            April 2016

          • AU-A.1.5

            Persons undertaking certain functions in relation to ancillary service provider licensees require prior CBB approval. These functions (called 'controlled functions') include members of the board of directors and members of senior management. The controlled functions regime supplements the licensing regime by ensuring that key persons involved in the running of ancillary service provider licensees are fit and proper. Those authorised by the CBB to undertake controlled functions are called approved persons.

            April 2016

        • Retaining Authorised Status

          • AU-A.1.6

            The requirements set out in Chapters AU-2 and AU-3 represent the minimum conditions that have to be met in each case, both at the point of authorisation and on an on-going basis thereafter, in order for authorised status to be retained.

            April 2016

        • Legal Basis

          • AU-A.1.7

            This Module contains the CBB's Directive incorporating the relevant Regulations and Resolutions (as amended from time to time) applicable to all ancillary service provider licensees (including their approved persons) regarding authorisation under CBB Rulebook Volume 5: Specialised Licensees and is issued under the powers available to the CBB under Articles 37 to 42, 44 to 48 and 180 of the Central Bank of Bahrain and Financial Institutions Law 2006 and its amendments ('CBB Law'). It includes:

            (a) the requirements (as amended from time to time) under Regulation No (1) of 2007 pertaining to the CBB's regulated services issued under Article 39 of the CBB Law and those requirements governing the conditions of granting a license for the provision of regulated services as prescribed under Resolution No (43) of 2011 and issued under the powers available to the CBB under Article 44(c);
            (b) the requirements under Resolution No. (16) for the year 2012 including the prohibition of marketing financial services pursuant to Article 42 of the CBB Law;
            (c) the prior approval requirements for approved persons under Resolution No (23) of 2015; and
            (d) the requirements (as amended from time to time) contained in Resolution No (1) of 2007 with respect to determining fees categories due for licenses and services provided by the CBB.
            Amended: October 2019
            Amended: December 2018
            April 2016

          • AU-A.1.8

            For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

            April 2016

          • AU-A.1.9

            Persons wishing to undertake regulated ancillary services are required to be licensed by the CBB as an ancillary service provider licensee.

            April 2016

        • Licensing Conditions

          • AU-A.1.10

            Ancillary service provider licensees are subject to 8 licensing conditions, mostly specified at a high-level in Module AU, and further expanded in underlying subject Modules (such as Module BR). These licensing conditions are broadly equivalent to the standards applied in other Volumes of the CBB Rulebook, to other license categories, and are consistent with international good practice.

            April 2016

        • Information Requirements and Processes

          • AU-A.1.11

            Chapter AU-3 specifies the processes and information requirements that have to be followed for applicants seeking an ancillary service provider license. It also covers the voluntary surrender of a license, or its cancellation by the CBB.

            April 2016

      • AU-A.2 AU-A.2 Module History

        • Evolution of Module

          • AU-A.2.1

            This Module was first issued in April 2016. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made. Chapter UG-3 provides further details on Rulebook maintenance and version control.

            April 2016

          • AU-A.2.2

            A list of recent changes made to this Module is provided below:

            Module Ref. Change Date Description of Changes
            AU-1.2.10A, AU-1.2.10B and AU-1.2.10C 04/2017 Added Paragraphs on issuance of pre-paid cards and PCI-DSS certification for Payment Service Providers.
            AU-1.2.11 04/2017 Amended Paragraph on the settlement.
            AU-2.3.2 04/2017 Amendment of reference.
            AU-4.1.12 04/2017 Specified bank guarantee amounts.
            AU-4.1.16 (l) 04/2017 Amended bank guarantee amount.
            AU-4.5 07/2017 Added new Section on Publication of the Decision to Grant, Cancel or Amend a License
            AU-1.2.1(ee) 10/2017 Added Crowdfunding Platform Operators under the definition of regulated services.
            AU-1.2.10A(b) 10/2017 Amended bank guarantee requirement.
            AU-1.2.14 – AU-1.2.20 10/2017 Added requirements on crowdfunding platform operators
            AU-2.5.6A 10/2017 Added Paragraph on minimum core capital for crowdfunding platform operators.
            AU-3.1.2 10/2017 Amended Paragraph.
            AU-3.2 10/2017 Added a new section for the Approved Persons Requirements.
            AU-4.1.12 10/2017 Amended bank guarantee amount for PSP and Card Processing Companies.
            AU-4.1.16(l) 10/2017 Amended bank guarantee requirement for PSP issuing any multipurpose, electronic or otherwise, prepaid cards.
            AU-4.3 10/2017 Deleted Approved Persons requirements from AU-4.3 and added to AU-3.2.
            AU-4.6 10/2017 Added new section on Additional Requirements for Licensing Crowdfunding Platform Operators.
            AU-4.1.1 04/2018 Amended Paragraph.
            AU-4.3.2 04/2018 Amended Paragraph.
            AU-1.2.1 12/2018 Added AISP and PISPs.
            AU-1.2.10A 10/2018 Amended Paragraph.
            AU-1.2.11A
            AU-1.2.11B
            10/2018 Added new Paragraphs on enabling PSPs to participate in EFTS
            AU-1.2.21 – AU1.2.25 12/2018 Added new Paragraphs on AISPs and PISPs.
            AU-2.5.6B
            AU-2.5.6C
            12/2018 Added new Paragraphs on Account Information Service Provider & Payment Initiation Services Provider.
            AU-1.2.8 (a) & (b) 01/2019 Amended sub-paragraphs on clients' money account services.
            AU-1.2.10 01/2019 Amended guidance on clients' money account.
            AU-1.2.10A 01/2019 Amended sub-paragraph (a) on maximum balance limit for a natural person.
            Added new sub-paragraph (bb) on maximum balance limit for a legal person.
            Amend sub-paragraph (f).
            AU-1.2.11 01/2019 Amended Paragraph.
            AU-1.2.12 01/2019 Added a new Paragraph on audit of clients' money account.
            AU-1.2.14 01/2019 Amended Paragraph to include B2B.
            AU-1.2.16 01/2019 Changed guidance to rule and amended deleting B2B.
            AU-1.2.24 01/2019 Amended Paragraph.
            AU-2.5.6A 01/2019 Amended Core Capital amount.
            AU-4.1.16(m) 01/2019 Amended sub-paragraph.
            AU-1.2.11A 04/2019 Added a new Paragraph CDMs/kiosks.
            AU-1.2.11B 04/2019 Added a new Paragraph CDMs/kiosks.
            AU-1.2.11C 04/2019 Added a new Paragraph CDMs/kiosks.
            AU-1.2.11D 04/2019 Added a new Paragraph CDMs/kiosks.
            AU-1.2.11E 04/2019 Added a new Paragraph CDMs/kiosks.
            AU-1.2.11F 04/2019 Added a new Paragraph CDMs/kiosks.
            AU-1.2.11G 04/2019 Added a new Paragraph CDMs/kiosks.
            AU-1.2.11H 04/2019 Added a new Paragraph CDMs/kiosks.
            AU-1.2.11I 04/2019 Added a new Paragraph CDMs/kiosks.
            AU-1.2.11J 04/2019 Amended Paragraph number.
            AU-1.2.11K 04/2019 Amended Paragraph number.
            AU-1.2.11L 04/2019 Amended Paragraph number.
            AU-4.1.1 07/2019 Amended Paragraph to remove references to hardcopy Form 1 submission to online submission.
            AU-A.1.3 10/2019 Amended Paragraph on licensed providers categories.
            AU-1.2.1 10/2019 Amended Subparagraphs (a), (c), (d) and (ee).
            AU-1.2.2 10/2019 Amended Paragraph.
            AU-1.2.5 10/2019 Amended Paragraph.
            AU-1.2.21 10/2019 Added full term of AISP.
            AU-1.2.23 10/2019 Added full term of PISP.
            AU-4.1.13 10/2019 Amended Guidance.
            AU-4.1.15 10/2019 Amended Guidance.
            AU-4.2.4 10/2019 Changed from Rule to Guidance.
            AU-4.5.1 10/2019 Changed from Rule to Guidance.
            AU-1.2.11L 07/2020 Paragraph moved to Module BR.
            AU-1.2.1A 10/2020 Added a new Paragraph on compliance with AAOIFI Shari’a Standards.
            AU-5.2.2 10/2020 Amended Paragraph on fixed annual licence fees.
            AU-3.2.13A 01/2021 Added a new Paragraph on compliance of approved persons with the fit and proper requirement.
            AU-5.2.2A 01/2021 Added a new guidance clarifying the applicable fees for licensees.

        • Superseded Requirements

          • AU-A.2.3

            This Module supersedes the following provisions contained in circulars or other regulatory instruments:

            Circular / other reference Subject
            Standard Conditions and Licensing Criteria for Providers of Ancillary Services to the Financial Sector Scope of license and licensing conditions.
            EDBS/KH/C/63/2018 Enabling PSPs to participate in EFTS.
            EDBS/KH/C/74/2018 Amendments to the Crowdfunding Requirements under the CBB Rulebook Volume 5 (Ancillary Service Providers).
            EDBS/KH/C/83/2018 Amendments in Authorization Module (AU) of Ancillary Service Providers
            Amended: January 2019
            Amended: October 2018
            April 2016

    • AU-B AU-B Scope of Application

      • AU-B.1 AU-B.1 Scope of Application

        • AU-B.1.1

          The content of this Module applies to all ancillary service provider licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees.

          April 2016

        • AU-B.1.2

          Two types of authorisation are prescribed:

          (a) Any person seeking to provide regulated ancillary services within or from the Kingdom of Bahrain must hold the appropriate CBB license (see Section AU-1.1); and
          (b) Natural persons wishing to perform a controlled function in a licensee also require prior CBB's approval, as an approved person (see Section AU-1.2).
          April 2016

        • AU-B.1.3

          The authorisation requirements in Chapter AU-1 have general applicability, in that they prevent any person from providing (or seeking to provide) regulated ancillary services within or from the Kingdom of Bahrain, unless they have been licensed as a an ancillary service provider by the CBB (see Rule AU-1.1.1).

          April 2016

        • AU-B.1.4

          The remaining requirements in Chapters AU-1 to AU-3 (besides those mentioned in Section AU-B.1 above) apply to all those licensed by the CBB as an ancillary service provider licensee, or which are in the process of seeking such a license. They apply to persons incorporated in the Kingdom of Bahrain, unless otherwise specified.

          April 2016

        • AU-B.1.5

          Chapter AU-2 applies to licensees (not just applicants), since licensing conditions have to be met on a continuous basis by licensees. Similarly, Chapter AU-3 applies to approved persons on a continuous basis; it also applies to licensees seeking an approved person authorisation. Chapter AU-4 contains requirements applicable to licensees, with respect to the starting up of their operations, as well as to licensees and approved persons, with respect to the amendment or cancellation of their authorised status. Finally, Section AU-5.2 imposes annual fees on licensees.

          April 2016

    • AU-1 AU-1 Authorisation Requirements

      • AU-1.1 AU-1.1 Ancillary Service Provider Licensees

        • General Prohibitions

          • AU-1.1.1

            No person may:

            (a) Undertake (or hold themselves out to undertake) regulated ancillary services, by way of business within or from the Kingdom of Bahrain unless duly licensed by the CBB;
            (b) Hold themselves out to be licensed by the CBB unless they have as a matter of fact been so licensed; or
            (c) Market any financial services in the Kingdom of Bahrain unless:
            (i) Allowed to do so by the terms of a license issued by the CBB;
            (ii) The activities come within the terms of an exemption granted by the CBB by way of a Directive; or
            (iii) Has obtained the express written permission of the CBB to offer financial services.
            April 2016

          • AU-1.1.2

            In accordance with Resolution No.(16) for the year 2012 and for the purpose of Subparagraph AU-1.1.1(c), the word 'market' refers to any promotion, offering, announcement, advertising, broadcast or any other means of communication made for the purpose of inducing recipients to purchase or otherwise acquire financial services in return for monetary payment or some other form of valuable consideration.

            April 2016

          • AU-1.1.3

            Persons in breach of Subparagraph AU-1.1.1(c) are considered in breach of Resolution No.(16) for the year 2012 and are subject to penalties under Articles 129 and 161 of the CBB Law (see also Section EN-9.3).

            April 2016

        • Licensing

          • AU-1.1.4

            Persons wishing to be licensed to undertake any of the regulated ancillary services within or from the Kingdom of Bahrain must apply in writing to the CBB. An application for a license must be in the form prescribed by the CBB as indicated in Chapter AU-4.

            April 2016

          • AU-1.1.5

            An application for a license must be in the form prescribed by the CBB (Form 1) and must contain:

            (a) A business plan specifying the type of business to be conducted;
            (b) Application forms (Form 2) for all controllers; and
            (c) Application forms (Form 3) for all controlled functions.
            April 2016

          • AU-1.1.6

            The CBB will review the application and duly advise the applicant in writing when it has:

            (a) Granted the application without conditions;
            (b) Granted the application subject to conditions specified by the CBB; or
            (c) Refused the application, stating the grounds on which the application has been refused and the process for appealing against that decision.
            April 2016

          • AU-1.1.7

            Detailed rules and guidance regarding information requirements and processes for license applications can be found in Section AU-4.1. As specified in Paragraph AU-4.1.14, the CBB will provide a formal decision on license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB.

            April 2016

          • AU-1.1.8

            In granting new licenses, the CBB will specify the specific categories of regulated ancillary service for which a license has been granted.

            April 2016

          • AU-1.1.9

            All applicants for ancillary service provider license must satisfy the CBB that they meet, by the date of their license, the minimum conditions for licensing, as specified in Chapter AU-2. Once licensed, licensees must be in compliance with these criteria on an on-going basis.

            April 2016

      • AU-1.2 AU-1.2 Definition of Regulated Ancillary Services

        • AU-1.2.1

          Regulated ancillary services are any of the following activities, carried on by way of business:

          (a) Permitted services undertaken by third party administrators (TPA);
          (b) Card processing;
          (c) Services undertaken by Credit reference bureau;
          (d) Permitted payment services provided by payment service provider (PSP);
          (e) Shari'a advisory/review services;
          (ee) Permitted activities of a crowdfunding platform operator;
          (f) Providing account information services;
          (g) Providing payment initiation services; and
          (h) Any other ancillary services that are related to the financial services industry.
          Amended: October 2019
          Amended: December 2018
          Amended: October 2017
          April 2016

        • AU-1.2.2 AU-1.2.2

          For the purposes of Paragraph AU-1.2.1, carrying on a regulated ancillary service by way of business means:

          (a) Undertaking any of the regulated ancillary service activities as defined in Section AU-1.2, for commercial gain; or
          (b) Holding oneself out as willing and able to engage in such activities.
          Amended: October 2019
          April 2016

          • AU-1.2.1A

            Where licensees are undertaking regulated activities in accordance with Shari'a, all transactions and contracts concluded by licensees must comply with Sharia standards issued by the Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI). The validity of the contract or transaction is not impacted, if at a later date, the relevant AAOIFI Sharia standards are amended.

            Added: October 2020

          • AU-1.2.3

            While Paragraph AU-1.2.1 covers different activities under regulated ancillary services, only the license itself will specify the list of activities the licensee has been authorised to carry out. For existing ancillary service providers at April 2016, no new license will be issued.

            April 2016

          • Third Party Administrators (TPAs)

            • AU-1.2.4

              TPA refers to processing claims in connection with insurance coverage offered by insurance firms.

              April 2016

            • AU-1.2.5

              Notwithstanding Paragraph AU-1.2.4, TPAs are also allowed to offer their services to self-funded schemes outside Bahrain.

              Amended: October 2019
              April 2016

            • AU-1.2.5A

              When TPAs process claims for insurance firms, the CBB regards this activity as an outsourced activity and insurance firms should refer to Chapter RM-7 Outsourcing Risk under Volume 3 (Insurance) of the CBB Rulebook.

              April 2016

          • Card Processing

            • AU-1.2.5

              Card processing includes:

              (a) The act of processing or transmitting debit/credit/prepaid card holder and transaction related data;
              (b) Integrating customer delivery channels to enterprises to enable data transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet);
              (c) Hosting and managing card program;
              (d) Approving and authenticating payment transactions as per financial institutions rules;
              (e) Providing technical service support for E-commerce and M-commerce transactions;
              (f) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks;
              (g) Reporting and customising reporting engine;
              (h) Call centre outsourcing services; and
              (i) Online and mobile portals for bank customers.
              April 2016

          • Credit Reference Bureau

            • AU-1.2.6

              A credit reference bureau is a company licensed by the CBB as an ancillary services provider that receives, stores, analyses and classifies the credit information of customers and issues credit reports and provides the members of the credit reference bureau with such reports upon their request.

              April 2016

            • AU-1.2.7

              For purposes of Paragraph AU-1.2.6, 'customers' refers to customers of the members of the credit reference bureau as defined under Article (68 bis) b) 3) of the CBB Law.

              April 2016

          • Payment Service Provider ("PSP")

            • AU-1.2.8

              Payment service providers, may act as an intermediary for the following services:

              (a) Services enabling cash to be placed in clients' money account and all of the operations required for operating the account;
              (b) Services enabling cash withdrawals from clients' money account and all of the operations required for operating the account;
              (c) The settlement of the direct debits of payment transactions;
              (d) Integrating customer delivery channels to enterprises to enable transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet); and
              (e) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks.
              Amended: January 2019
              Amended: April 2017
              April 2016

            • AU-1.2.9

              Payment service providers also facilitate the payment of high volume periodic/repetitive bills (e.g. utility bills, phone bills etc), and customer initiated payments.

              April 2016

            • AU-1.2.10

              For purposes of Paragraph AU-1.2.8, clients' money account is defined as an account held in a retail bank which is used for the execution of payment transactions. The CBB has the right to stop this clients' money account at any time.

              Amended: January 2019
              April 2016

            • AU-1.2.10A

              When issuing any multi-purpose, electronic or otherwise, pre-paid cards, payment service providers must comply with the following requirements:

              (a) The maximum balance limit under each natural person must not exceed BD1,000 and the maximum single transaction value limit must not exceed BD500;
              (bb) The maximum balance limit for each legal person must not exceed BD10,000 (Loading and transaction size).
              (b) The payment service provider must obtain a bank guarantee of BD100,000 from a retail bank licensed in the Kingdom of Bahrain; instead of the bank guarantee amount required under Paragraph AU-4.1.12.
              (c) Comply with all the requirements outlined under Module FC (Financial Crime) and Module CL (Client Money);
              (d) All pre-paid plastic cards must be EMV compliant (chip and PIN and online authentication);
              (e) Any pre-paid card which is inactive for a period of six months must be placed in a dormant list;
              (f) All transactions on pre-paid cards must be made through clients' money account with a retail bank in Bahrain.
              Amended: January 2019
              Amended: October 2018
              Amended: October 2017
              Added: April 2017

            • AU-1.2.10B

              In addition to the requirements listed under Paragraph AU 1.2.10A, Payment service providers must maintain up to date Payment Card Industry Data Security Standards (PCI-DSS) certification. The initial certification must be obtained by 31st December 2017.

              Added: April 2017

            • AU-1.2.10C

              In order to maintain up to date PCI-DSS certification, payment service providers will be periodically audited by PCI authorised companies for compliance. Licensees are asked to make certified copies of such documents available if requested by the CBB.

              Added: April 2017

            • AU-1.2.11

              When a customer load cash into the card through kiosk or company/bank counter, the payment service provider must update the amount into the card immediately, and must deposit the relevant cash amount into the clients' money account within 24 hours.

              Amended: January 2019
              Amended: April 2017
              April 2016

            • AU-1.2.11A

              When owning or operating Cash Dispensing Machines (CDM) or Kiosks, payment service providers must comply with the requirements stated in Paragraphs AU-1.2.11B to Paragraph AU-1.2.11I.

              Added: April 2019

            • AU-1.2.11B

              Payment service providers must obtain CBB's prior written approval for owning or operating any Cash Dispensing Machine (CDM) or Kiosk.

              Added: April 2019

            • AU-1.2.11C

              Payment service providers must submit a written application to the Supervisory Point of Contact (SPoC) at the CBB, detailing the type of CDM or Kiosk, the proposed location(s) and the proposed security measures.

              Added: April 2019

            • AU-1.2.11D

              The application referred to in Paragraph AU-1.2.11C will be assessed on its individual merits, and at the CBB's sole discretion, taking into account factors which the CBB considers relevant including, but not limited to:

              (a) The suitability of the location(s) in question;
              (b) The level of overall activities of the applicant in the market as well as the size and make-up of its customer base; and
              (c) The type and range of facilities which the applicant proposes to offer through the CDM or Kiosk at the proposed location(s).
              Added: April 2019

            • AU-1.2.11E

              In addition to the information required by the CBB, further information/clarification may be requested by the CBB before it takes a decision regarding the application. The CBB's decision in this regard will be communicated to the applicant payment service provider in writing.

              Added: April 2019

            • AU-1.2.11F

              CDMs or Kiosks may be owned individually or jointly by ancillary service providers.

              Added: April 2019

            • AU-1.2.11G

              Payment service providers must not charge their customers for cash withdrawal transactions. When a customer uses CDMs, Kiosks or ATMs belonging to other banks or PSPs, the acquiring PSP/ bank may apply a charge capped at 100 fils per transaction to the issuing PSP.

              Added: April 2019

            • AU-1.2.11H

              Payment service providers must obtain the CBB's prior written approval for the termination/suspension of any of its CDMs or Kiosks.

              Added: April 2019

            • AU-1.2.11I

              The CBB may, at its sole discretion, require a payment service provider to terminate/suspend a CDM or Kiosk at any time.

              Added: April 2019

            • AU-1.2.11J

              Payment service providers must ensure they have a robust internal technological infrastructure and direct technical access to the EFTS, on an uninterrupted basis (24 X 7 days and 365 days in the year), to send, authorise and receive Fawri+/Fawateer direct credits on a real-time basis.

              Amended: April 2019
              Added: October 2018

            • AU-1.2.11K

              Payment service providers must maintain a daily value limit of BD1,000 for the total Fawri+ and Fawateer transactions (with assured immediate finality, i.e. within 30 seconds) for each STV card/IBAN account per day.

              Amended: April 2019
              Added: October 2018

            • AU-1.2.11L

              [This Paragraph was moved to BR-1.1.6 in July 2020].

              Amended: July 2020
              Amended: April 2019
              Added: January 2019

          • Shari'a Advisory/Review Services

            • AU-1.2.12

              Shari'a advisory/review services refer to:

              (a) Regular assessment on Shari'a compliance in the activities and operations of Islamic financial institutions or any financial institution offering regulated Islamic financial services, by those qualified to offer Shari'a review services, with the objective of ensuring that the activities and operations carried out by these financial institutions do not contravene the Shari'a principles. The services include the examination and evaluation of the financial institutions' level of compliance to the Shari'a, remedial rectification measures to resolve non-compliance and control mechanism to avoid recurrences. The examination includes contracts, agreements, policies, products, transactions, memorandum and articles of association, financial statements and reports;
              (b) Issuance of Shari'a pronouncements on any aspect of the Islamic financial institution's activities or operations; and
              (c) Ad-hoc Shari'a advisory services for products and services governed by financial services.
              April 2016

            • AU-1.2.13

              In offering Shari'a advisory/review services, the licensee must not offer services to the same client where this may lead to a conflict of interest in terms of services offered. As an example, if the licensee has offered services under Subparagraph AU-1.2.12(b), no service can be offered under Subparagraph AU-1.2.12(a) in relation to the pronouncement.

              April 2016

          • Crowdfunding Platform Operator

            • AU-1.2.14

              Crowdfunding platform operator refers to a person licensed by the CBB to operate an e-platform which takes place on an online portal, on which people lend money to businesses (Person to Business-P2B), and businesses lend money to other businesses (Business to Business – B2B) for the purpose of gaining a financial return in the form of interest/profit payment and a repayment of credit over a pre-specified period of time (financing-based crowdfunding), and/or raising of capital by issuance of ordinary shares by closed, private, family companies, start-up and small and medium size companies, entities engaged in real estate projects (equity-based crowdfunding).

              Amended: January 2019
              Added: October 2017

            • AU-1.2.15

              The role of crowdfunding platform operator is restricted to arranging deals, bringing together borrowers and lenders, in case of financing-based crowdfunding, and investors and issuers, in case of equity-based crowdfunding. Crowdfunding platform operators are strictly prohibited to provide any advice on deals.

              Added: October 2017

            • AU-1.2.16

              Crowdfunding Platform Operator must not undertake Business to Person (B2P) or Person to Person (P2P) lending/investing.

              Amended: January 2019
              Added: October 2017

            • AU-1.2.17

              Crowdfunding platform operators may raise funds for borrowers/issuers based in the Kingdom of Bahrain or abroad.

              Added: October 2017

            • AU-1.2.18

              For Shari'a-compliant financing-based crowdfunding the term lender refers to the financier and the term borrower refers to the fundraiser

              Added: October 2017

            • AU-1.2.19

              For the purpose of financing-based crowdfunding, licensees must also comply with the requirements stipulated in General Requirements Module (Module GR) for Ancillary Service Providers-Volume 5.

              Added: October 2017

            • AU-1.2.20

              For the purpose of equity-based crowdfunding, licensees must also comply with the requirements stipulated in Markets and Exchanges Module (Module MAE) of Volume 6.

              Added: October 2017

          • Account Information Service Provider (AISP)

            • AU-1.2.21

              Account Information Services Provider (AISP) refers to a person licensed by the CBB to provide account information services using an online portal, mobile or smart phone application, device or other electronic media which a consenting customer can use to obtain aggregate or consolidated information about his account balances with licensed banks, financing companies and other licensees.

              Amended: October 2019
              Added: December 2018

            • AU-1.2.22

              The role of an AISP is restricted to providing the technology or other means in order to provide account information to the customer and the handling of communication or electronic documents between the customer and the licensees should the terms of the offer include such services. AISPs must not receive or otherwise handle customer funds in the course of providing account information services.

              Added: December 2018

          • Payment Initiation Service Provider (PISP)

            • AU-1.2.23

              Payment Initiation Service Provider (PISP) is restricted to providing the technology or other means in order to initiate a payment order and the handling of communication or electronic documents between the customer and the licensees should the terms of the offer include such services. PISPs must not receive or otherwise handle customer funds in the course of providing payment initiation services.

              Amended: October 2019
              Amended: January 2019
              Added: December 2018

            • AU-1.2.24

              The role of a PISP is restricted to providing the technology or other means in order to initiate a payment order and the handling of communication or electronic documents between the customer and the licensees should the terms of the offer include such services. PISPs must not receive or otherwise handle customer funds in the course of providing payment initiation information services.

              Added: December 2018

          • Insurance Cover

            • AU-1.2.25

              AISPs and PISPs must, at all times, hold an insurance cover against liabilities arising from cyber security breaches.

              Added: December 2018

      • AU-1.3 AU-1.3 Approved Persons

        • General Requirements

          • AU-1.3.1

            Licensees must obtain the CBB's prior written approval for any person wishing to undertake a controlled function at a licensee. The approval from the CBB must be obtained prior to their appointment.

            April 2016

          • AU-1.3.2

            Controlled functions are those occupied by board members and persons in executive positions and include:

            (a) Member of the Board of Directors;
            (b) Chief executive or general manager and their deputies;
            (c) Head of function;
            (d) Compliance officer; and
            (e) Money Laundering Reporting Officer (for PSPs).
            April 2016

          • AU-1.3.3

            Combination of the above controlled functions is subject to the requirements contained in Module HC.

            April 2016

        • Basis for Approval

          • AU-1.3.4

            Approval under Paragraph AU-1.3.1 is only granted by the CBB, if it is satisfied that the person is fit and proper to hold the particular position in the licensee concerned. 'Fit and proper' is determined by the CBB on a case-by-case basis. The definition of 'fit and proper' and associated guidance is provided in Section AU-3.1.

            April 2016

          • AU-1.3.5

            The chief executive or general manager means a person who is responsible for the conduct of the licensee (regardless of actual title). The chief executive or general manager must be resident in Bahrain. This person is responsible for the conduct of the whole of the firm.

            April 2016

          • AU-1.3.6

            Head of function means a person who exercises major managerial responsibilities, is responsible for a significant business or operating unit, or has senior managerial responsibility for maintaining accounts or other records of the licensee.

            April 2016

          • AU-1.3.7

            Whether a person is a head of function will depend on the facts in each case and is not determined by the presence or absence of the word in their job title. Examples of head of function might include, depending on the scale, nature and complexity of the business, a deputy chief executive; heads of departments such as risk management, compliance or internal audit; the chief financial officer; head of business department, etc..

            April 2016

          • AU-1.3.8

            Where a licensee is in doubt as to whether a function should be considered a controlled function it must discuss the case with the CBB.

            April 2016

          • AU-1.3.9

            All licensees must designate an employee, of appropriate standing and resident in Bahrain, as compliance officer. The compliance officer must report to senior management and must have access to the board of directors. The duties of the compliance officer include:

            (a) Assisting senior management/head of function to identify and assess the main compliance risks facing the licensees and the plans to manage them;
            (b) Advising senior management/head of function on compliance with laws, rules and standards, including keeping them informed on developments in the area;
            (c) Assisting senior management/head of function in educating staff on compliance issues, and acting as a contact point within the licensee for compliance queries from staff members;
            (d) Establishing written guidance to staff on the appropriate implementation of compliance with laws, rules and standards through policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines;
            (e) On a pro-active basis, identifying, documenting and assessing the compliance risks associated with the licensee's business activities, including the development of new products and business practices, the proposed establishment of new types of business or customer relationships, or material changes in the nature of such relationships;
            (f) Monitoring and testing compliance by performing sufficient and representative compliance testing; and
            (g) Reporting on a regular basis to the board of directors or the Audit committee of the board of directors.
            April 2016

    • AU-2 AU-2 Licensing Conditions

      • AU-2.1 AU-2.1 Condition 1: Legal Status

        • AU-2.1.1

          The legal status of a licensee that is an ancillary service provider licensee must be a legal form approved by the CBB.

          April 2016

      • AU-2.2 AU-2.2 Condition 2: Mind and Management

        • AU-2.2.1

          Licensees must maintain their head office and management in the Kingdom.

          April 2016

      • AU-2.3 AU-2.3 Condition 3: Controllers

        • AU-2.3.1

          Licensees must satisfy the CBB that their controllers are suitable and pose no undue risks to the licensee. Licensees must also satisfy the CBB that their group structures do not prevent the effective supervision of the licensee by the CBB and otherwise pose no undue risks to the licensee.

          April 2016

        • AU-2.3.2

          Chapter GR-7 contains the CBB's requirements and definitions regarding controllers.

          Amended: April 2017
          April 2016

        • AU-2.3.3

          In summary, controllers are persons who directly or indirectly are significant shareholders in a licensee, or who are otherwise able to exert significant influence on the licensee. The CBB seeks to ensure that controllers pose no significant risks to the licensee. In general terms, controllers are assessed in terms of their financial standing, their judicial and regulatory record, and standards of business and (where relevant) personal probity.

          April 2016

        • AU-2.3.4

          As regards group structures, the CBB seeks to ensure that these do not prevent adequate consolidated supervision being applied to financial entities within the group, and that other group entities do not pose any material financial, reputational or other risks to the licensee.

          April 2016

        • AU-2.3.5

          In all cases, when judging applications from existing groups, the CBB will have regard to the reputation and financial standing of the group as a whole. Where relevant, the CBB will also take into account the extent and quality of supervision applied to overseas members of the group and take into account any information provided by other supervisors in relation to any member of the group.

          April 2016

      • AU-2.4 AU-2.4 Condition 4: Board and Employees

        • AU-2.4.1

          Those nominated to carry out controlled functions must satisfy the CBB's approved persons requirements. This rule is supported by Article 65 of the CBB Law.

          April 2016

        • AU-2.4.2

          The definition of controlled functions is contained in Paragraph AU-1.3.2, whilst Chapter AU-3 sets out CBB's approved persons requirements.

          April 2016

        • AU-2.4.3

          The licensee's staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of the licensee in a sound and prudent manner. Licensees must ensure their employees meet any training and competency requirements specified by the CBB.

          April 2016

      • AU-2.5 AU-2.5 Condition 5: Financial Resources

        • Capital Funds

          • AU-2.5.1

            Licensees must maintain a level of financial resources, as agreed with the CBB, adequate for the level of business proposed. A greater amount of capital than specified in this Section may be required by the CBB on a case-by-case basis.

            April 2016

          • AU-2.5.2

            Where a licensee undertakes more than one activity outlined under Paragraph AU-1.2.1, the licensee must maintain the highest level of core capital required amongst all categories of activities which it provides.

            April 2016

        • Third Party Administrators

          • AU-2.5.3

            For third party administrators, licensees must maintain a minimum core capital of BD 100,000.

            April 2016

        • Card Processing and Payment Service Providers

          • AU-2.5.4

            For card processing and payment service providers, licensees must maintain a minimum core capital of BD 250,000.

            April 2016

        • Credit Reference Bureau

          • AU-2.5.5

            Licensees must maintain a minimum core capital of BD 2 million.

            April 2016

        • Shari'a Advisory/Review Services

          • AU-2.5.6

            Licensees must maintain a minimum core capital of BD 30,000.

            April 2016

        • Crowdfunding Platform Operator

          • AU-2.5.6A

            Licensees must maintain a minimum core capital of BD 25,000.

            Amended: January 2019
            Added: October 2017

        • Account Information Services Provider

          • AU-2.5.6B

            Licensees must maintain a minimum core capital of BD 25,000.

            Added: January 2019

        • Payment Initiation Services Provider

          • AU-2.5.6C

            Licensees must maintain a minimum core capital of BD 30,000.

            Added: January 2019

        • Liquidity

          • AU-2.5.7

            Licensees must maintain sufficient liquid assets to meet their obligations as they fall due in the normal course of their business.

            April 2016

      • AU-2.6 AU-2.6 Condition 6: Systems and Controls

        • AU-2.6.1

          Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate for the scale and complexity of their activities. These systems and controls must meet the minimum requirements contained in Modules HC and RM (to be issued at a later date).

          April 2016

        • AU-2.6.2

          Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate to address the risks of financial crime occurring in the licensee.

          April 2016

      • AU-2.7 AU-2.7 Condition 7: External Auditor

        • AU-2.7.1

          Article 61 of the CBB Law requires that licensees appoint an external auditor, subject to the CBB's prior approval. The minimum requirements regarding auditors contained in Module AA (Auditors and Accounting Standards) must be met.

          April 2016

      • AU-2.8 AU-2.8 Condition 8: Other Requirements

        • Books and Records

          • AU-2.8.1

            Article 59 of the CBB Law requires that licensees must maintain comprehensive books of accounts and other records, and satisfy the minimum record-keeping requirements contained in Article 60 of the pre-mentioned Law and Module GR. Books of accounts must comply with the financial accounting standards issued by the International Financial Reporting Standards (IFRS)/International Accounting Standards (IAS) or the applicable AAOIFI standards for Islamic licensees.

            April 2016

        • Provision of Information

          • AU-2.8.2

            Articles 58, 111, 114 and 163 of the CBB Law require that licensees and their staff must act in an open and cooperative manner with the CBB. Licensees must meet the regulatory reporting and disclosure requirements contained in Module BR. As per Article 62 of the CBB Law, audited financial statements must be submitted to the CBB within 3 months of the licensee's financial year-end.

            April 2016

        • General Conduct

          • AU-2.8.3

            Licensees must conduct their activities in a professional and orderly manner, in keeping with good market practice. Licensees must comply with the general standards of business conduct contained in Modules PB and GR.

            April 2016

        • Additional Conditions

          • AU-2.8.4

            Licensees must comply with any other specific requirements or restrictions imposed by the CBB on the scope of their license.

            April 2016

          • AU-2.8.5

            Licensees are subject to the provisions of the CBB Law. These include the right of the CBB to impose such terms and conditions, as it may deem necessary when issuing a license, as specified in Article 45 of the CBB Law. Thus, when granting a license, the CBB specifies the regulated ancillary services that the licensee may undertake. Licensees must respect the scope of their license.

            April 2016

          • AU-2.8.6

            In addition, the CBB may impose additional restrictions or requirements, beyond those already specified in Volume 5, to address specific risks. For instance, a license may be granted subject to strict limitations on intra-group transactions.

            April 2016

    • AU-3 AU-3 Approved Persons

      • AU-3.1 AU-3.1 Approved Persons Conditions

        • AU-3.1.1

          Licensees seeking an approved person authorisation for an individual, must satisfy the CBB that the individual concerned is 'fit and proper' to undertake the controlled function in question.

          April 2016

        • AU-3.1.2

          The authorisation requirements for persons nominated to carry out controlled functions is contained in Section AU-1.3. The authorisation process is described in Section AU-3.2.

          Amended: October 2017
          April 2016

        • AU-3.1.3

          Each applicant applying for approved person status and those individuals occupying approved person positions must comply with the following conditions:

          (a) Has not previously been convicted of any felony or crime that relates to his/her honesty and/or integrity unless he/she has subsequently been restored to good standing;
          (b) Has not been the subject of any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud;
          (c) Has not been adjudged bankrupt by a court unless a period of 10 years has passed, during which the person has been able to meet all his/her obligations and has achieved economic accomplishments;
          (d) Has not been disqualified by a court, regulator or other competent body, as a director or as a manager of a corporation;
          (e) Has not failed to satisfy a judgement debt under a court order resulting from a business relationship;
          (f) Must have personal integrity, good conduct and reputation;
          (g) Has appropriate professional and other qualifications for the controlled function in question; and
          (h) Has sufficient experience to perform the duties of the controlled function.
          April 2016

        • AU-3.1.4

          In assessing the conditions prescribed in Rule AU-3.1.3, the CBB will take into account the criteria contained in Paragraph AU-3.1-5. The CBB reviews each application on a case-by-case basis, taking into account all relevant circumstances. A person may be considered 'fit and proper' to undertake one type of controlled function but not another, depending on the function's job size and required levels of experience and expertise. Similarly, a person approved to undertake a controlled function in one licensee may not be considered to have sufficient expertise and experience to undertake nominally the same controlled function but in a much bigger licensee.

          April 2016

        • AU-3.1.5

          In assessing a person's fitness and propriety, the CBB will also consider previous professional and personal conduct (in Bahrain or elsewhere) including, but not limited to, the following:

          (a) The propriety of a person's conduct, whether or not such conduct resulted in a criminal offence being committed, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
          (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
          (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
          (d) Whether the person, or any body corporate, partnership or unincorporated institution to which the applicant has, or has been associated with as a director, controller, manager or company secretary been the subject of any disciplinary proceeding, investigation or fines by any government authority, regulatory agency or professional body or association;
          (e) The contravention of any financial services legislation;
          (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
          (g) Dismissal or a request to resign from any office or employment;
          (h) Whether the person has been a member of a board of directors, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners have been declared bankrupt whilst the person was connected with that partnership;
          (i) The extent to which the person has been truthful and open with supervisors; and
          (j) Whether the person has ever entered into any arrangement with creditors in relation to the inability to pay due debts.
          April 2016

        • AU-3.1.6

          With respect to Paragraph AU-3.1.5, the CBB will take into account the length of time since any such event occurred, as well as the seriousness of the matter in question.

          April 2016

        • AU-3.1.7

          Approved persons undertaking a controlled function must act prudently, and with honesty, integrity, care, skill and due diligence in the performance of their duties. They must avoid conflicts of interest arising whilst undertaking a controlled function.

          April 2016

        • AU-3.1.8

          In determining where there may be a conflict of interest arising, factors that may be considered will include whether:

          (a) A person has breached any fiduciary obligations to the company or terms of employment;
          (b) A person has undertaken actions that would be difficult to defend, when looked at objectively, as being in the interest of the licensee; and
          (c) A person has failed to declare a personal interest that has a material impact in terms of the person's relationship with the licensee.
          April 2016

        • AU-3.1.9

          Further guidance on the process for assessing a person's 'fit and proper' status is given in Module EN (Enforcement): see Chapter EN-8.

          April 2016

      • AU-3.2 AU-3.2 Approved Persons Requirements

        • AU-3.2.1

          Licensees must obtain CBB prior written approval before a person is formally appointed to a controlled function. The request for CBB approval must be made by submitting to the CBB a duly completed Form 3 (Application for Approved Person status) and Curriculum Vitae after verifying that all the information contained in the Form 3, including previous experience, is accurate. Form 3 is available under Volume 5 Part B Authorisation Forms of the CBB Rulebook.

          Added: October 2017

        • AU-3.2.2

          When the request for approved person status forms part of a license application, the Form 3 must be marked for the attention of the Director, Licensing Directorate. When the submission to undertake a controlled function is in relation to an existing licensee, the Form 3, except if dealing with a MLRO, must be marked for the attention of the concerned supervisory point of contact at the CBB. In the case of the MLRO, Form 3 should be marked for the attention of the Director, Compliance Directorate.

          Amended: April 2018
          Added: October 2017

        • AU-3.2.3

          When submitting Form 3, licensees must ensure that the Form 3 is:

          (a) Submitted to the CBB with a covering letter signed by an authorised representative of the licensee, seeking approval for the proposed controlled function;
          (b) Submitted in original form;
          (c) Submitted with a certified copy of the applicant's passport, original or certified copies of educational and professional qualification certificates (and translation if not in Arabic or English) and the Curriculum Vitae; and
          (d) Signed by an authorised representative of the licensee and all pages stamped with the licensee's seal.
          Added: October 2017

        • AU-3.2.4

          Licensees seeking to appoint members of the board of directors must seek CBB approval for all the candidates to be put forward for election/approval at a shareholders' meeting, in advance of the agenda being issued to shareholders. CBB approval of the candidates does not in any way limit shareholders' rights to refuse those put forward for election/approval.

          Added: October 2017

        • AU-3.2.5

          For existing licensees applying for the appointment of any controlled functions, the authorised representative should be a duly authorised representative of the licensee and must submit with Form 3: Application for Approved Person Status, internal documentary evidence supporting the appointment of the duly authorised representative of the licensee.

          Added: October 2017

        • Assessment of Application

          • AU-3.2.6

            The CBB shall review and assess the application for approved person status to ensure that it satisfies all the conditions required in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5

            Added: October 2017

          • AU-3.2.7

            For purposes of Paragraph AU-3.2.6, licensees should give the CBB a reasonable amount of notice in order for an application to be reviewed. The CBB shall respond within 15 business days from the date of meeting all regulatory requirements, including but not limited to receiving the application complete with all the required information and documents, as well as verifying references.

            Added: October 2017

          • AU-3.2.8

            The CBB reserves the right to refuse an application for approved person status if it does not satisfy the conditions provided for in Paragraph AU-3.1.3 and does not satisfy the CBB criteria in Paragraph AU-3.1.5. A notice of such refusal is issued by registered mail to the licensee concerned, setting out the basis for the decision.

            Added: October 2017

        • Appeal Process

          • AU-3.2.9

            Licensees or the nominated approved persons may, within 30 calendar days of the notification, appeal against the CBB's decision to refuse the application for approved person status. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from submitting the appeal.

            Added: October 2017

          • AU-3.2.10

            Where notification of the CBB's decision to grant a person approved person status is not issued within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, licensees or the nominated approved personsmay appeal to the concerned Executive Director of the CBB provided that the appeal is justified with supporting documents. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from the date of submitting the appeal.

            Added: October 2017

        • Notification Requirements and Process

          • AU-3.2.11

            Licensees must immediately notify the CBB when an approved person ceases to hold a controlled function together with an explanation as to the reasons why (see Paragraph AU-4.4.9). In such cases, their approved person status is automatically withdrawn by the CBB.

            Added: October 2017

          • AU-3.2.12

            Licensees must immediately notify the CBB in case of any material change to the information provided in a Form 3 submitted for an approved person.

            Added: October 2017

          • AU-3.2.13

            Licensees must immediately notify the CBB when they become aware of any of the events listed in Paragraph EN-8.2.3, affecting one of their approved persons.

            Added: October 2017

          • AU-3.2.13A

            Licensees must immediately notify the CBB should they become aware of information that could reasonably be viewed as calling into question an approved person’s compliance with CBB’s ‘fit and proper’ requirement (see AU3.1).

            Added: January 2021

        • Change in Controlled Function

          • AU-3.2.14

            Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee.

            Added: October 2017

          • AU-3.2.15

            In such instances, a new Form 3 (Application for Approved Person status) should be completed and submitted to the CBB. Note that a person may be considered 'fit and proper' for one controlled function, but not for another, if for instance the new role requires a different set of skills and experience. Where an approved person is moving to a controlled function in another licensee, the first licensee should notify the CBB of that person's departure (see Rule AU-4.4.9), and the new licensee should submit a request for approval under Rule AU-1.3.1.

            Added: October 2017

    • AU-4 AU-4 Information Requirements and Processes

      • AU-4.1 AU-4.1 Licensing

        • Applications Form and Documents

          • AU-4.1.1

            Applicants for a license must fill in the Application Form 1 (Application for a License) online, available on the CBB website under Eservices/online Forms. The applicant must upload scanned copies of supporting documents listed in Paragraph AU-4.1.4, unless otherwise directed by the CBB.

            Amended: July 2019
            Amended: April 2018
            April 2016

          • AU-4.1.2

            Articles 44 to 47 of the CBB Law govern the licensing process. This prescribes a single stage process, with the CBB required to take a decision within 60 calendar days of an application being deemed complete (i.e. containing all required information and documents). See below, for further details on the licensing process and timelines.

            April 2016

          • AU-4.1.3

            References to applicant mean the proposed licensee seeking authorisation. An applicant may appoint a representative — such as a law firm or professional consultancy — to prepare and submit the application. However, the applicant retains full responsibility for the accuracy and completeness of the application, and is required to certify the application form accordingly. The CBB also expects to be able to liaise directly with the applicant during the authorisation process, when seeking clarification of any issues.

            April 2016

          • AU-4.1.4

            Unless otherwise directed by the CBB, the following documents must be provided together with the covering letter referred in Paragraph AU-4.1.1 above in support of a license application:

            (a) A duly completed Form 2 (Application for Authorisation of Controller) for each controller of the proposed licensee;
            (b) A duly completed Form 3 (Application for Approved Person status), for each individual applying to undertake controlled functions of the proposed licensee;
            (c) A comprehensive business plan for the application, addressing the matters described in AU-4.1.6;
            (d) Where the applicant is an existing institution, a copy of the applicant's commercial registration;
            (e) Where the applicant is a corporate body, a certified copy of a Board resolution of the applicant along with minutes of the concerned meeting, confirming the board's decision to seek a CBB ancillary service provider license;
            (f) In the case of applicants that are part of a regulated group, a letter of non-objection to the proposed license application from the applicant's home supervisor, together with confirmation that the group is in good regulatory standing and is in compliance with applicable supervisory requirements, including those relating to capital adequacy and solvency requirements;
            (g) Copies of the audited financial statements of the applicant's major shareholder and/or group (as directed by the CBB), for the three years immediately prior to the date of application;
            (h) A draft copy of the applicant's (and parent's where applicable) memorandum and articles of association, addressing the matters described in AU-4.1.7; and
            (i) Evidence of competency and qualifications for Shari'a advisor.
            April 2016

          • AU-4.1.5

            The CBB may require that an acceptably worded letter of guarantee be provided in support of the application for a license. Where the application for the license is for an incorporated entity, the CBB may seek a letter of guarantee from controllers. Where the application is for an overseas licensee, the CBB may seek a letter of guarantee from the parent company.

            April 2016

          • AU-4.1.6

            The business plan submitted in support of an application should include:

            (a) An outline of the history of the applicant and its shareholders;
            (b) The reasons for applying for a license, including the applicant's strategy and market objectives;
            (c) The proposed type of activities to be carried on by the applicant in/from the Kingdom of Bahrain;
            (d) The proposed Board and senior management of the applicant and the proposed organisational structure of the applicant;
            (e) An independent assessment of the risks that may be faced by the applicant, together with the proposed systems and controls framework to be put in place for addressing those risks and to be used for the main business functions. For card processing and payment services providers, IT security measures must be outlined in the plan;
            (f) An opening balance sheet for the applicant, together with a three-year financial projection, with all assumptions clearly outlined, demonstrating that the applicant will be able to meet applicable leverage and liquidity requirements; and
            (g) For TPA's, details setting forth the applicant's capability for providing a sufficient number of experienced and qualified personnel in the areas of claims' processing and recordkeeping.
            April 2016

          • AU-4.1.7

            The applicant's (and where applicable, its parent's) memorandum and articles of association must explicitly provide for it to undertake the activities proposed in the licensed application, and must preclude the applicant from undertaking other commercial activities, unless these arise out of its activities or are incidental to those.

            April 2016

          • AU-4.1.8

            All documentation provided to the CBB as part of an application for a license must be in either Arabic or English language. Any documentation in a language other than English or Arabic must be accompanied by a certified English or Arabic translation thereof.

            April 2016

          • AU-4.1.9

            Any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs prior to authorisation must be reported to the CBB.

            April 2016

          • AU-4.1.10

            Failure to inform the CBB of the changes specified in AU-4.1.9 is likely to be viewed as a failure to provide full and open disclosure of information, and thus a failure to meet licensing condition AU-2.8.2.

            April 2016

        • Licensing Process and Timelines

          • AU-4.1.11

            As part of the application process, the CBB will provide a formal decision on a license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB, as specified in Article 44 (e) of the CBB Law. The applicant must submit within 6 months of the application date, all remaining requirements or otherwise has to submit a new application to the CBB. Applicants are encouraged to approach the CBB to discuss their application at an early stage, so that any specific questions can be dealt with prior to the finalisation of the application.

            April 2016

          • AU-4.1.12

            Before the final approval is granted to a licensee, confirmation from a retail bank addressed to the CBB that the licensee's capital (injected funds) — as specified in the business plan submitted under Rule AU-4.1.4 — has been paid in must be provided to the CBB. In addition, for payment services providers and card processing companies, a bank guarantee of BD50,000 must be provided.

            Amended: October 2017
            Amended: April 2017
            April 2016

        • Granting or Refusal of a License

          • AU-4.1.13

            To be granted a license, an applicant should demonstrate compliance with the applicable requirements of the CBB Law and this Module. Should a license be granted, the CBB will notify the applicant in writing of the fact; the CBB will also publish its decision to grant a license in the Official Gazette and in two local newspapers (one published in Arabic, the other in English). The license may be subject to such terms and conditions as the CBB deems necessary for the additional conditions being met.

            Amended: October 2019
            April 2016

          • AU-4.1.14

            The CBB may refuse to grant a license if in its opinion:

            (a) The requirements of the CBB Law or this Module are not met;
            (b) False or misleading information has been provided to the CBB, or information which should have been provided to the CBB has not been so provided; or
            (c) The CBB believes it necessary in order to safeguard the interests of potential customers.
            April 2016

          • AU-4.1.15

            Where the CBB proposes to refuse an application for a license, it will give the applicant a written notice to that effect. Applicants will be given a minimum of 30 calendar days from the date of the written notice to appeal the decision, as per the appeal procedures specified in the notice; these procedures will comply with the provisions contained in Article 46 of the CBB Law.

            Amended: October 2019
            April 2016

        • Starting Operations

          • AU-4.1.16

            Within 6 months of the license being issued, the new licensee must provide to the CBB:

            (a) A detailed action plan for establishing the operations and supporting infrastructure of the licensee, such as the completion of written policies and procedures, and recruitment of remaining employees (having regard to the time limit set by Article 48 (c) of the CBB Law);
            (b) The registered office address and details of premises to be used to carry out the business of the proposed licensee;
            (c) The address in the Kingdom of Bahrain where full business records will be kept;
            (d) The licensee's contact details including telephone and fax number, e-mail address and website;
            (e) A description of the business continuity plan;
            (f) A description of the IT system that will be used, including details of how IT systems and other records will be backed up;
            (g) A copy of the external auditor's acceptance to act as an external auditor for the applicant;
            (h) A copy of the Ministry of Industry & Commerce commercial registration certificate in Arabic and English languages;
            (i) A copy of the licensee's business card and any written communication (including stationery, website, e-mail, business documentation, etc.) including a statement that the ancillary service provider is licensed by the CBB;
            (j) An updated organisation chart showing the reporting lines, committees (if any) and including the names of the persons undertaking the controlled functions;
            (k) A copy of the licensee's professional indemnity insurance policy or confirmation that a deposit to an amount specified by the CBB has been placed in an escrow account with a retail bank licensed in the Kingdom of Bahrain;
            (l) A bank guarantee of BD100,000 for payment service providers issuing any multi-purpose, electronic or otherwise, pre-paid cards, instead of the bank guarantee amount required under Paragraph AU-4.1.12. Such bank guarantee must be in the format approved by the CBB;
            (m) Proof that the PSP has set up the clients' money account as required under Paragraph AU-1.2.8;
            (n) A copy of the applicant's notarised memorandum and articles of association, addressing the matters described in Paragraph AU-4.1.6; and
            o) Other information as may be specified by the CBB.
            Amended: January 2019
            Amended: October 2017
            Amended: April 2017
            April 2016

          • AU-4.1.17

            Applicants issued new licenses by the CBB must start operations within 6 months of the license being issued, as per Article 48 (c) of the CBB Law. Failure to comply with this rule may lead to enforcement action being taken against the licensee concerned, as specified in Article 128 of the CBB Law. A licensee must at all times keep an approved copy of the license displayed in a visible place on the licensee's premises in the Kingdom, as per Article 47 (b) of the CBB Law.

            April 2016

          • AU-4.1.18

            Applicants may not publicise in any way the application for a licence for, or formation of, an ancillary service provider before the formal decision referred to in Paragraph AU-4.1.11 is provided to the applicant or the concerned agent.

            April 2016

      • AU-4.2 AU-4.2 Variations to a License

        • AU-4.2.1

          As per Article 48 of the CBB Law, licensees must seek prior CBB approval before undertaking new regulated ancillary services.

          April 2016

        • AU-4.2.2

          Failure to secure CBB approval prior to undertaking a new regulated activity may lead to enforcement action being taken against the concerned person in accordance with Article 40 of the CBB Law.

          April 2016

        • AU-4.2.3

          In addition to any other information requested by the CBB, and unless otherwise directed by the CBB, a licensee requesting CBB approval to undertake a new regulated ancillary service must provide the following information:

          (a) A summary of the rationale for undertaking the proposed new activities;
          (b) A description of how the new business will be managed and controlled;
          (c) An analysis of the financial impact of the new activities; and
          (d) A summary of the due diligence undertaken by the Board and management of the licensee on the proposed new activities.
          April 2016

        • AU-4.2.4

          The CBB may amend or revoke a licence in any of the following cases:

          (a) If the licensee fails to satisfy any of the license conditions;
          (b) If the licensee violates the terms of the CBB Rulebook;
          (c) If the licensee fails to start business within six months from the date of the licence;
          (d) If the licensee ceases to carry out the licensed activity in the Kingdom; or
          (e) The legitimate interests of the customers or creditors of a licensee required such amendment or cancellation.
          Amended: October 2019
          April 2016

        • AU-4.2.5

          The CBB's procedure for amending or revoking a license is outlined in detail in the Enforcement Module (EN).

          April 2016

      • AU-4.3 AU-4.3 [This section was moved to AU-3.2 in October 2017]

        • AU-4.3.1

          [This Paragraph was moved to AU-3.2.1 in October 2017].

          Moved: October 2017
          April 2016

        • AU-4.3.2

          [This Paragraph was moved to AU-3.2.2 in October 2017].

          Moved: October 2017
          April 2016

        • AU-4.3.3

          [This Paragraph was moved to AU-3.2.3 in October 2017].

          Moved: October 2017
          April 2016

        • AU-4.3.4

          [This Paragraph was moved to AU-3.2.4 in October 2017].

          Moved: October 2017
          April 2016

        • AU-4.3.5

          [This Paragraph was moved to AU-3.2.5 in October 2017].

          Moved: October 2017
          April 2016

        • [This heading was moved to AU-3.2 in October 2017]

          • AU-4.3.6

            [This Paragraph was moved to AU-3.2.6 in October 2017].

            Moved: October 2017
            April 2016

          • AU-4.3.7

            [This Paragraph was moved to AU-3.2.7 in October 2017].

            Moved: October 2017
            April 2016

          • AU-4.3.8

            [This Paragraph was moved to AU-3.2.8 in October 2017].

            Moved: October 2017
            April 2016

        • [This heading was moved to AU-3.2 in October 2017]

          • AU-4.3.9

            [This Paragraph was moved to AU-3.2.9 in October 2017].

            Moved: October 2017
            April 2016

          • AU-4.3.10

            [This Paragraph was moved to AU-3.2.10 in October 2017].

            Moved: October 2017
            April 2016

        • [This heading was moved to AU-3.2 in October 2017]

          • AU-4.3.11

            [This Paragraph was moved to AU-3.2.11 in October 2017].

            Moved: October 2017
            April 2016

          • AU-4.3.12

            [This Paragraph was moved to AU-3.2.12 in October 2017].

            Moved: October 2017
            April 2016

          • AU-4.3.13

            [This Paragraph was moved to AU-3.2.13 in October 2017].

            Moved: October 2017
            April 2016

        • [This heading was moved to AU-3.2 in October 2017]

          • AU-4.3.14

            [This Paragraph was moved to AU-3.2.14 in October 2017].

            Moved: October 2017
            April 2016

          • AU-4.3.15

            [This Paragraph was moved to AU-3.2.15 in October 2017].

            Moved: October 2017
            April 2016

      • AU-4.4 AU-4.4 Cancellation of Authorisation

        • Licenses

          • Voluntary Surrender

            • AU-4.4.1 AU-4.4.1

              According to Article 50 of the CBB Law, all requests for the voluntary surrender of a license are subject to CBB approval. Such requests must be made in writing and must set out in full the reasons for the request and how the voluntary surrender is to be carried out. Requests must be addressed to the concerned Executive Director at the CBB.

              April 2016

              • AU-4.4.2 AU-4.4.2

                Licensees must satisfy the CBB that their customers' interests are to be safeguarded during and after the proposed voluntary surrender. The requirements contained in Chapter GR-9 regarding cessation of business must be satisfied.

                April 2016

                • AU-4.4.3 AU-4.4.3

                  Failure to comply with Rule AU-4.4.1 may constitute a breach of Article 50(a) of the CBB Law. The CBB will only approve a voluntary surrender where it has no outstanding regulatory concerns and any relevant customers' interests would not be prejudiced. A voluntary surrender will not be accepted where it is aimed at preempting supervisory actions by the CBB. Also, a voluntary surrender will only take effect once the licensee, in the opinion of the CBB, has discharged all its regulatory responsibilities to customers.

                  April 2016

                  • AU-4.4.4 AU-4.4.4

                    In accordance with Articles 50(a) and 51(a) of the CBB Law, a licensee wishing to cancel an authorisation for a service or a branch must obtain the CBB's prior written approval. The requirements contained in Chapter GR-9 regarding cessation of business must be satisfied.

                    April 2016

                    • Cancellation

                      • AU-4.4.5 AU-4.4.5

                        As provided for under Article 48 of the CBB Law, the CBB may itself move to cancel a license, should the licensee fail to meet the conditions outlined in Paragraph AU-4.2.4.

                        April 2016

                        • AU-4.4.6 AU-4.4.6

                          Cancellation of a license requires the CBB to issue a formal notice of cancellation to the person concerned. The notice of cancellation describes the CBB's rationale for the proposed cancellation, as specified in Article 48(d) of the CBB Law.

                          April 2016

                          • AU-4.4.7 AU-4.4.7

                            The CBB generally views cancellation of a license as appropriate only in the most serious of circumstances, and generally tries to address supervisory concerns through other means beforehand. Further guidance is contained in Module EN (Enforcement), regarding CBB's approach to enforcement and on the process for issuing a notice of cancellation and the recipient's right to appeal the notice.

                            April 2016

                            • AU-4.4.8 AU-4.4.8

                              Normally, where cancellation of a license has been confirmed by the CBB, the CBB will only effect the cancellation once a licensee has discharged all its regulatory responsibilities to customers. Until such time, the CBB will retain all its regulatory powers with regards to the licensee, and will direct the licensee such that no new regulated activity may be undertaken whilst the licensee discharges its obligations to customers.

                              April 2016

                              • Cancellation of Approved Person Status

                                • AU-4.4.9 AU-4.4.9

                                  In accordance with Paragraph AU-4.3.11, licensees must promptly notify the CBB in writing when a person undertaking a controlled function will no longer be carrying out that function. If a controlled function falls vacant, the licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the licensee must make immediate interim arrangements to ensure continuity of the duties and responsibilities of the controlled function affected. These interim arrangements must be approved by the CBB.

                                  April 2016

                                  • AU-4.4.10 AU-4.4.10

                                    The explanation given for any such changes should simply identify if the planned move was prompted by any concerns over the person concerned, or is due to a routine staff change, retirement or similar reason.

                                    April 2016

                                    • AU-4.4.11 AU-4.4.11

                                      The CBB may also move to declare someone as not 'fit and proper', in response to significant compliance failures or other improper behaviour by that person: see Chapter EN-8 regarding the cancellation of 'fit and proper' approval.

                                      April 2016

                                      • AU-4.5 AU-4.5 Publication of the Decision to Grant, Cancel or Amend a License

                                        • AU-4.5.1

                                          In accordance with Articles 47 and 49 of the CBB Law, the CBB will publish its decision to grant, cancel or amend a license in the Official Gazette and in two local newspapers, one in Arabic and the other in English.

                                          Amended: October 2019
                                          Added: July 2017

                                        • AU-4.5.2

                                          For the purposes of Paragraph AU-4.5.1, the cost of publication must be borne by the Licensee.

                                          Added: July 2017

                                        • AU-4.5.3

                                          The CBB may also publish its decision on such cancellation or amendment using any other means it considers appropriate, including electronic means.

                                          Added: July 2017

                                      • AU-4.6 AU-4.6 Additional Requirements for Licensing of Crowdfunding Platform Operator

                                        • AU-4.6.1

                                          This section sets out additional licensing requirements for crowdfunding platform operator, including conventional and Shari'a-compliant crowdfunding platform operators.

                                          Added: October 2017

                                        • AU-4.6.2

                                          The CBB may license a person as a crowdfunding platform operator provided that:

                                          (a) The applicant must be locally incorporated as a Joint Stock Company;
                                          (b) The applicant is able to demonstrate that will be able to operate an orderly, fair and transparent market in relation to the transactions offered through its electronic facilities;
                                          (c) The applicant appoints at least two approved persons. One of the approved persons must be a Compliance Officer who can also handle the responsibilities of the MLRO, and the second person is the CEO of the crowdfunding platform operator;
                                          (d) The business rules of the crowdfunding platform operator must make satisfactory provisions–
                                          (i) For the protection of investors/lenders and public interest;
                                          (ii) To ensure proper functioning of the platform;
                                          (iii) To promote fairness and transparency;
                                          (iv) To manage any conflict of interest that may arise;
                                          (v) To promote fair treatment of its users or any person who subscribe for its services;
                                          (vi) To promote fair treatment of any person who is hosted, or applies to be hosted, on its platform;
                                          (vii) To ensure proper regulation and supervision of its users, or any person utilising or accessing its platform, including suspension and expulsion of such persons;
                                          (viii) To provide an avenue of appeal against the decision of the licensed crowdfunding platform operator.
                                          (ix) To clarify the criteria for admission of lenders/investors and the exclusion, suspension, expulsion and re-admission of lenders/investors therefrom or thereto;
                                          (x) To describe the proposed technology, IT system and disaster recovery plan; and
                                          (xi) For the oversight and controls over outsourced activities, if any.
                                          Added: October 2017

                                      • AU-4.7 AU-4.7 Additional Requirements for Payment Service Providers, PISPs and AISPs

                                        • Business plan

                                          • AU-4.7.1

                                            The business plan must include an indication of and a description of the type and expected volume of the activities for the next three years. The business plan to be provided by the applicant must contain:

                                            (a) a marketing plan consisting of:
                                            (i) an analysis of the company's competitive position;
                                            (ii) a description of account information service users in the account information market segment concerned, marketing materials and distribution channels;
                                            (b) certified annual accounts for the previous three years, if available, or a summary of the financial situation for those applicants that have not yet produced annual accounts;
                                            (c) a forecast budget for the first three financial years that demonstrates that the applicant is able to employ appropriate and proportionate systems, resources and procedures that allow the applicant to operate soundly; it must include:
                                            (i) an income statement and balance-sheet forecast, including target scenarios and stress scenarios as well as their base assumptions such as number of clients, pricing and expected increase in profitability threshold;
                                            (ii) explanations of the main lines of income and expenses, the financial debts and the capital assets;
                                            (iii) a diagram and detailed breakdown of the estimated cash flows for the next three years.
                                            Added: December 2018

                                        • Programme of Operations

                                          • AU-4.7.2

                                            The programme of operations to be provided by the applicant must contain the following information:

                                            (a) a description of the services that are intended to be provided, including an explanation of how the applicant determined that the activity fits the definition of regulated ancillary services;
                                            (b) a declaration of the applicant that they will not enter at any time into possession of client funds;
                                            (c) a description of the service including:
                                            (i) draft contracts between all the parties involved, if applicable;
                                            (ii) terms and conditions of the provision of the services;
                                            (iii) processing times;
                                            (d) the estimated number of different premises from which the applicant intends to provide the services, if applicable;
                                            (e) a description of the proposed ancillary services;
                                            (f) a declaration of whether or not the applicant intends to provide services in another country once licensed;
                                            (g) a description of the relevant operational outsourcing arrangements consisting of:
                                            (i) the identity and geographical location of the outsourcing provider;
                                            (ii) the identities of the persons within the ancillary services provider that are responsible for each of the outsourced activities;
                                            (iii) a detailed description of the outsourced activities and its main characteristics; and
                                            (h) a copy of draft outsourcing agreements.
                                            Added: December 2018

                                        • Governance arrangements and internal control mechanisms

                                          • AU-4.7.3

                                            The applicant must provide a description of the governance arrangement and the internal control mechanisms consisting of:

                                            (a) a mapping of the risks identified by the applicant, including the type of risks and the procedures the applicant will put in place to assess and prevent such risks;
                                            (b) the different procedures to carry out periodical and permanent controls including the frequency and the human resources allocated;
                                            (c) the identity of the person(s) responsible for the internal control functions, including for periodic, permanent and compliance control, as well as an up-to-date curriculum vitae;
                                            (d) the composition of the management body and, if applicable, of any other oversight body or committee;
                                            (e) a description of the way outsourced functions are monitored and controlled so as to avoid an impairment in the quality of the applicant's internal controls;
                                            (f) a description of the way any agents and branches are monitored and controlled within the framework of the applicant's internal controls;
                                            (g) where the applicant is the subsidiary of a regulated entity in another country, a description of the group governance.
                                            Added: December 2018

                                        • Business continuity arrangements

                                          • Governance arrangements and internal control mechanisms

                                            • AU-4.7.4 AU-4.7.4

                                              The applicant should provide a description of the business continuity arrangements consisting of the following information:

                                              (a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
                                              (b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
                                              (c) an explanation of how the applicant will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons;
                                              (d) the frequency with which the applicant intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
                                              Added: December 2018

                                              • Internal Control Mechanisms to comply with AML/CFT obligations

                                                • AU-4.7.5

                                                  The applicant must establish a description of the internal control mechanisms containing, where applicable, the following information:

                                                  (a) the applicant's assessment of the money laundering and terrorist financing risks associated with its business;
                                                  (b) the measures the applicant has or will put in place to mitigate the risks and comply with applicable anti-money laundering and counter terrorist financing obligations, including the applicant's risk assessment process, the policies and procedures to comply with customer due diligence requirements, and the policies and procedures to detect and report suspicious transactions or activities;
                                                  (c) arrangements the applicant has or will put in place to ensure that staff and agents are appropriately trained in anti-money laundering and counter terrorist financing matters;
                                                  (d) the identity of the person in charge of ensuring the applicant's compliance with anti-money laundering and counter-terrorism obligations, and evidence that their anti-money laundering and counter-terrorism expertise is sufficient to enable them to fulfil this role effectively;
                                                  (e) the systems and controls the applicant has or will put in place to ensure that its anti-money laundering and counter terrorist financing policies and procedures remain up to date, effective and relevant;
                                                  (f) the systems and controls the applicant has or will put in place to ensure that the agents do not expose the applicant to increased money laundering and terrorist financing risk; and
                                                  (g) the draft anti-money laundering and counter terrorism manual for the staff of the applicant (to be provided following receipt of in-principle approval from the CBB).
                                                  Added: December 2018

                                              • Procedure for monitoring, handling, and following up on security incidents and security-related customer complaints

                                                • AU-4.7.6

                                                  The applicant should provide a procedure for monitoring, handling and following up on security incidents and security-related customer complaints, containing, but not limited to, the following information:

                                                  (a) organisational measures and tools for the prevention of cyber events and fraud;
                                                  (b) details of the individual(s) and bodies responsible for assisting customers in cases of fraud, technical issues and/or claim;
                                                  (c) reporting lines in cases of fraud;
                                                  (d) the contact point for customers, including a name and email address;
                                                  (e) the procedures for the reporting of incidents, including the communication of these reports to internal or external bodies, including notification of major incidents to national competent authorities;
                                                  (f) the monitoring tools used and the follow-up measures and procedures in place to mitigate security risks.
                                                  Added: December 2018

                                              • Process for filing, monitoring, tracking and restricting access to sensitive payment data

                                                • AU-4.7.7

                                                  The PISP and PSP should provide a description of the process in place to file, monitor, track and restrict access to sensitive payment data consisting of, but not limited to, the following:

                                                  (a) a description of the flows of data classified as sensitive payment data in the context of the applicant's business model;
                                                  (b) the procedures in place to authorise access to sensitive payment data;
                                                  (c) a description of the monitoring tool;
                                                  (d) the access right policy, detailing access to all relevant infrastructure components and systems, including databases and back-up infrastructures;
                                                  (e) a description of how the collected data are encrypted such that the applicant will not be able to read or store it;
                                                  (f) the expected internal and/or external use of the collected data;
                                                  (g) the IT system and technical security measures that have been implemented including encryption and/or tokenisation;
                                                  (h) confirmation that access to sensitive customer data is not available to the applicant;
                                                  (i) an explanation of how breaches will be detected and addressed; and
                                                  (j) an annual internal control programme in relation to the safety of the IT systems.
                                                  Added: December 2018

                                              • Security policy documentation

                                                • AU-4.7.8

                                                  The applicant should provide a security policy document containing the following information:

                                                  (a) A detailed risk assessment of the service(s) the applicant intends to provide, which should include risks of fraud and the security control and mitigation measures taken to adequately protect service users against the risks identified;
                                                  (b) a description of the IT systems, which should include:
                                                  (i) the architecture of the systems and their network elements;
                                                  (ii) the business IT systems supporting the business activities provided, such as the applicant's website, wallets, the payment engine, the risk and fraud management engine, and customer accounting;
                                                  (iii) the support IT systems used for the organisation and administration of the applicant, such as accounting, legal reporting systems, staff management, customer relationship management, e-mail servers and internal file servers;
                                                  (iv) information on whether those systems are already used by the applicant or its group, and the estimated date of implementation, if applicable;
                                                  (v) the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
                                                  (vi) the logical security measures and mechanisms in place, specifying the control the applicant will have over such access as well as the nature and frequency of each control, such as technical versus organisational; preventative versus detective; and real-time monitoring versus regular reviews, such as the use of an active directory separate from the group, the opening/closing of communication lines, security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
                                                  (c) the logical security measures and mechanisms that govern the internal access to IT systems, which should include:
                                                  (i) the technical and organisational nature and frequency of each measure, such as whether it is preventative or detective and whether or not it is carried out in real time;
                                                  (ii) how the issue of client environment segregation is dealt with in cases where the applicant's IT resources are shared;
                                                  (d) the physical security measures and mechanisms of the premises and the data centre of the applicant, such as access controls and environmental security;
                                                  (e) the security of the payment processes, which should include:
                                                  (i) the customer authentication procedure used for both consultative and transactional access, and for all underlying payment instruments;
                                                  (ii) an explanation of how safe delivery to the legitimate payment service user and the integrity of authentication factors, such as hardware tokens and mobile applications, are ensured, at the time of both initial enrolment and renewal;
                                                  (iii) a description of the systems and procedures that the applicant has in place for transaction analysis and the identification of suspicious or unusual transactions;
                                                  (f) a detailed risk assessment in relation to its payment services, including fraud, with a link to the control and mitigation measures explained in the application file, demonstrating that the risks are addressed;
                                                  (g) a list of the main written procedures in relation to the applicant's IT systems or, for procedures that have not yet been formalised, an estimated date for their finalisation.
                                                  Added: December 2018

    • AU-5 AU-5 License Fees

      • AU-5.1 AU-5.1 License Application Fees

        • AU-5.1.1

          Applicants seeking an ancillary service provider license from the CBB AU-5.1.1 must pay a non-refundable license application fee of BD 100 at the time of submitting their formal application to the CBB.

          April 2016

        • AU-5.1.2

          There are no application fees for those seeking approved persons status.

          April 2016

      • AU-5.2 AU-5.2 Annual License Fees

        • AU-5.2.1

          Licensees must pay the relevant annual license fee to the CBB on 1st December of the preceding year for which the fee is due.

          April 2016

        • AU-5.2.2

          The applicable fixed annual license fees are as follows:

          (a) Third party administrators - BD 2,000;
          (b) Card processing services - BD 1,000;
          (c) Operating a credit reference bureau - BD 100,000;
          (d) Payment service providers - BD 2,000;
          (e) Shari’a advisory/review services - BD 500;
          (f) Operating a crowdfunding platform - BD 200;
          (g) Account information service providers - BD 1,000;
          (h) Payment initiation service providers - BD 1,000;
          (i) Any other ancillary services that are related to the financial services industry - BD 500.
          Amended: October 2020
          Added: April 2016

        • AU-5.2.2A

          Licensees providing multiple regulated ancillary services are required to pay the annual license fees applicable for each activity in accordance with Paragraph AU-5.2.2.

          Added: January 2021

        • AU-5.2.3

          For new licensees, their first annual license fee is the amount stated in Paragraph AU-5.2.2 and is payable when their license is issued by the CBB.

          April 2016

        • AU-5.2.4

          Where a license is cancelled (whether at the initiative of the firm or the CBB), no refund is paid for any months remaining in the calendar year in question, should a fee have been paid for that year.

          April 2016

        • AU-5.2.5

          All licensees are subject to direct debit for the payment of the annual fee and must complete and submit to the CBB a Direct Debit Authorisation Form by 15th September available under Part B of Volume 5 (Specialised Licensees) CBB Rulebook on the CBB Website.

          April 2016

        • AU-5.2.6

          Licensees failing to comply with this Section may be subject to financial penalties for date sensitive requirements as outlined in Section EN-5.3A or may have their licenses withdrawn by the CBB.

          April 2016