AU AU Ancillary Service Providers Authorisation Module
AU-A AU-A Introduction
AU-A.1 AU-A.1 Purpose
Executive Summary
AU-A.1.1
The executive summary only provides an overview. For detailed rules, reference must be made to the individual Rules outlined in the remainder of this Module.
April 2016AU-A.1.2
Module AU sets out the Central Bank of Bahrain's ('CBB's) approach to licensing providers of regulated ancillary services in the Kingdom of Bahrain. It also sets out CBB requirements for approving persons undertaking key functions in those providers.
April 2016AU-A.1.3
Licensed providers of regulated ancillary services fall into the following categories: third party administrators,
card processing services , operating a credit reference bureau, payment service providers, Shari'a advisory/review services, operating a crowdfunding platform,account information service providers andpayment initiation service providers and carrying out services in accordance with the CBB Law. These licensees are referred to as financial sector support institutions under Article (1) of the CBB Law and its amendments.Amended: October 2019
April 2016AU-A.1.4
Regulated ancillary services are defined in Paragraph AU-1.2.1.April 2016AU-A.1.5
Persons undertaking certain functions in relation to
ancillary service provider licensees require prior CBB approval. These functions (called 'controlled functions ') include members of the board of directors and members of senior management. Thecontrolled functions regime supplements the licensing regime by ensuring that key persons involved in the running ofancillary service provider licensees are fit and proper. Those authorised by the CBB to undertakecontrolled functions are calledapproved persons .April 2016Retaining Authorised Status
AU-A.1.6
The requirements set out in Chapters AU-2 and AU-3 represent the minimum conditions that have to be met in each case, both at the point of authorisation and on an on-going basis thereafter, in order for authorised status to be retained.
April 2016Legal Basis
AU-A.1.7
This Module contains the CBB's Directive incorporating the relevant Regulations and Resolutions (as amended from time to time) applicable to all
ancillary service provider licensees (including theirapproved persons ) regarding authorisation under CBB Rulebook Volume 5: Specialised Licensees and is issued under the powers available to the CBB under Articles 37 to 42, 44 to 48 and 180 of the Central Bank of Bahrain and Financial Institutions Law 2006 and its amendments ('CBB Law'). It includes:(a) the requirements (as amended from time to time) under Regulation No (1) of 2007 pertaining to the CBB's regulated services issued under Article 39 of the CBB Law and those requirements governing the conditions of granting a license for the provision of regulated services as prescribed under Resolution No (43) of 2011 and issued under the powers available to the CBB under Article 44(c);(b) the requirements under Resolution No. (16) for the year 2012 including the prohibition of marketing financial services pursuant to Article 42 of the CBB Law;(c) the prior approval requirements for approved persons under Resolution No (23) of 2015; and(d) the requirements (as amended from time to time) contained in Resolution No (1) of 2007 with respect to determining fees categories due for licenses and services provided by the CBB.Amended: October 2019
Amended: December 2018
April 2016AU-A.1.8
For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.
April 2016AU-A.1.9
Persons wishing to undertake regulated ancillary services are required to be licensed by the CBB as an
ancillary service provider licensee .April 2016Licensing Conditions
AU-A.1.10
Ancillary service provider licensees are subject to 8 licensing conditions, mostly specified at a high-level in Module AU, and further expanded in underlying subject Modules (such as Module BR). These licensing conditions are broadly equivalent to the standards applied in other Volumes of the CBB Rulebook, to other license categories, and are consistent with international good practice.April 2016Information Requirements and Processes
AU-A.1.11
Chapter AU-3 specifies the processes and information requirements that have to be followed for applicants seeking an
ancillary service provider license. It also covers the voluntary surrender of a license, or its cancellation by the CBB.April 2016AU-A.2 AU-A.2 Module History
Evolution of Module
AU-A.2.1
This Module was first issued in April 2016. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made. Chapter UG-3 provides further details on Rulebook maintenance and version control.
April 2016AU-A.2.2
A list of recent changes made to this Module is provided below:
Module Ref. Change Date Description of Changes AU-1.2.10A, AU-1.2.10B and AU-1.2.10C 04/2017 Added Paragraphs on issuance of pre-paid cards and PCI-DSS certification for Payment Service Providers. AU-1.2.11 04/2017 Amended Paragraph on the settlement. AU-2.3.2 04/2017 Amendment of reference. AU-4.1.12 04/2017 Specified bank guarantee amounts. AU-4.1.16 (l) 04/2017 Amended bank guarantee amount. AU-4.5 07/2017 Added new Section on Publication of the Decision to Grant, Cancel or Amend a License AU-1.2.1(ee) 10/2017 Added Crowdfunding Platform Operators under the definition of regulated services. AU-1.2.10A(b) 10/2017 Amended bank guarantee requirement. AU-1.2.14 – AU-1.2.20 10/2017 Added requirements on crowdfunding platform operators AU-2.5.6A 10/2017 Added Paragraph on minimum core capital for crowdfunding platform operators. AU-3.1.2 10/2017 Amended Paragraph. AU-3.2 10/2017 Added a new section for the Approved Persons Requirements. AU-4.1.12 10/2017 Amended bank guarantee amount for PSP and Card Processing Companies. AU-4.1.16(l) 10/2017 Amended bank guarantee requirement for PSP issuing any multipurpose, electronic or otherwise, prepaid cards. AU-4.3 10/2017 Deleted Approved Persons requirements from AU-4.3 and added to AU-3.2. AU-4.6 10/2017 Added new section on Additional Requirements for Licensing Crowdfunding Platform Operators. AU-4.1.1 04/2018 Amended Paragraph. AU-4.3.2 04/2018 Amended Paragraph. AU-1.2.1 12/2018 Added AISP and PISPs. AU-1.2.10A 10/2018 Amended Paragraph. AU-1.2.11A
AU-1.2.11B10/2018 Added new Paragraphs on enabling PSPs to participate in EFTS AU-1.2.21 – AU1.2.25 12/2018 Added new Paragraphs on AISPs and PISPs. AU-2.5.6B
AU-2.5.6C12/2018 Added new Paragraphs on Account Information Service Provider & Payment Initiation Services Provider. AU-1.2.8 (a) & (b) 01/2019 Amended sub-paragraphs on clients' money account services. AU-1.2.10 01/2019 Amended guidance on clients' money account. AU-1.2.10A 01/2019 Amended sub-paragraph (a) on maximum balance limit for a natural person.
Added new sub-paragraph (bb) on maximum balance limit for a legal person.
Amend sub-paragraph (f).AU-1.2.11 01/2019 Amended Paragraph. AU-1.2.12 01/2019 Added a new Paragraph on audit of clients' money account. AU-1.2.14 01/2019 Amended Paragraph to include B2B. AU-1.2.16 01/2019 Changed guidance to rule and amended deleting B2B. AU-1.2.24 01/2019 Amended Paragraph. AU-2.5.6A 01/2019 Amended Core Capital amount. AU-4.1.16(m) 01/2019 Amended sub-paragraph. AU-1.2.11A 04/2019 Added a new Paragraph CDMs/kiosks. AU-1.2.11B 04/2019 Added a new Paragraph CDMs/kiosks. AU-1.2.11C 04/2019 Added a new Paragraph CDMs/kiosks. AU-1.2.11D 04/2019 Added a new Paragraph CDMs/kiosks. AU-1.2.11E 04/2019 Added a new Paragraph CDMs/kiosks. AU-1.2.11F 04/2019 Added a new Paragraph CDMs/kiosks. AU-1.2.11G 04/2019 Added a new Paragraph CDMs/kiosks. AU-1.2.11H 04/2019 Added a new Paragraph CDMs/kiosks. AU-1.2.11I 04/2019 Added a new Paragraph CDMs/kiosks. AU-1.2.11J 04/2019 Amended Paragraph number. AU-1.2.11K 04/2019 Amended Paragraph number. AU-1.2.11L 04/2019 Amended Paragraph number. AU-4.1.1 07/2019 Amended Paragraph to remove references to hardcopy Form 1 submission to online submission. AU-A.1.3 10/2019 Amended Paragraph on licensed providers categories. AU-1.2.1 10/2019 Amended Subparagraphs (a), (c), (d) and (ee). AU-1.2.2 10/2019 Amended Paragraph. AU-1.2.5 10/2019 Amended Paragraph. AU-1.2.21 10/2019 Added full term of AISP. AU-1.2.23 10/2019 Added full term of PISP. AU-4.1.13 10/2019 Amended Guidance. AU-4.1.15 10/2019 Amended Guidance. AU-4.2.4 10/2019 Changed from Rule to Guidance. AU-4.5.1 10/2019 Changed from Rule to Guidance. AU-1.2.11L 07/2020 Paragraph moved to Module BR. AU-1.2.1A 10/2020 Added a new Paragraph on compliance with AAOIFI Shari’a Standards. AU-5.2.2 10/2020 Amended Paragraph on fixed annual licence fees. AU-3.2.13A 01/2021 Added a new Paragraph on compliance of approved persons with the fit and proper requirement. AU-5.2.2A 01/2021 Added a new guidance clarifying the applicable fees for licensees. Superseded Requirements
AU-A.2.3
This Module supersedes the following provisions contained in circulars or other regulatory instruments:
Circular / other reference Subject Standard Conditions and Licensing Criteria for Providers of Ancillary Services to the Financial Sector Scope of license and licensing conditions. EDBS/KH/C/63/2018 Enabling PSPs to participate in EFTS. EDBS/KH/C/74/2018 Amendments to the Crowdfunding Requirements under the CBB Rulebook Volume 5 (Ancillary Service Providers). EDBS/KH/C/83/2018 Amendments in Authorization Module (AU) of Ancillary Service Providers Amended: January 2019
Amended: October 2018
April 2016AU-B AU-B Scope of Application
AU-B.1 AU-B.1 Scope of Application
AU-B.1.1
The content of this Module applies to all
ancillary service provider licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module aslicensees .April 2016AU-B.1.2
Two types of authorisation are prescribed:
(a) Any person seeking to provide regulated ancillary services within or from the Kingdom of Bahrain must hold the appropriate CBB license (see Section AU-1.1); and(b) Natural persons wishing to perform acontrolled function in alicensee also require prior CBB's approval, as anapproved person (see Section AU-1.2).April 2016AU-B.1.3
The authorisation requirements in Chapter AU-1 have general applicability, in that they prevent any person from providing (or seeking to provide) regulated ancillary services within or from the Kingdom of Bahrain, unless they have been licensed as a an
ancillary service provider by the CBB (see Rule AU-1.1.1).April 2016AU-B.1.4
The remaining requirements in Chapters AU-1 to AU-3 (besides those mentioned in Section AU-B.1 above) apply to all those licensed by the CBB as an
ancillary service provider licensee , or which are in the process of seeking such a license. They apply to persons incorporated in the Kingdom of Bahrain, unless otherwise specified.April 2016AU-B.1.5
Chapter AU-2 applies to
licensees (not just applicants), since licensing conditions have to be met on a continuous basis bylicensees . Similarly, Chapter AU-3 applies toapproved persons on a continuous basis; it also applies tolicensees seeking anapproved person authorisation. Chapter AU-4 contains requirements applicable tolicensees , with respect to the starting up of their operations, as well as tolicensees andapproved persons , with respect to the amendment or cancellation of their authorised status. Finally, Section AU-5.2 imposes annual fees onlicensees .April 2016AU-1 AU-1 Authorisation Requirements
AU-1.1 AU-1.1 Ancillary Service Provider Licensees
General Prohibitions
AU-1.1.1
No person may:
(a) Undertake (or hold themselves out to undertake) regulated ancillary services, by way of business within or from the Kingdom of Bahrain unless duly licensed by the CBB;(b) Hold themselves out to be licensed by the CBB unless they have as a matter of fact been so licensed; or(c) Market anyfinancial services in the Kingdom of Bahrain unless:(i) Allowed to do so by the terms of a license issued by the CBB;(ii) The activities come within the terms of an exemption granted by the CBB by way of a Directive; or(iii) Has obtained the express written permission of the CBB to offerfinancial services .April 2016AU-1.1.2
In accordance with Resolution No.(16) for the year 2012 and for the purpose of Subparagraph AU-1.1.1(c), the word 'market' refers to any promotion, offering, announcement, advertising, broadcast or any other means of communication made for the purpose of inducing recipients to purchase or otherwise acquire
financial services in return for monetary payment or some other form of valuable consideration.April 2016AU-1.1.3
Persons in breach of Subparagraph AU-1.1.1(c) are considered in breach of Resolution No.(16) for the year 2012 and are subject to penalties under Articles 129 and 161 of the CBB Law (see also Section EN-9.3).
April 2016Licensing
AU-1.1.4
Persons wishing to be licensed to undertake any of the regulated ancillary services within or from the Kingdom of Bahrain must apply in writing to the CBB. An application for a license must be in the form prescribed by the CBB as indicated in Chapter AU-4.
April 2016AU-1.1.5
An application for a license must be in the form prescribed by the CBB (Form 1) and must contain:
(a) A business plan specifying the type of business to be conducted;(b) Application forms (Form 2) for allcontrollers ; and(c) Application forms (Form 3) for allcontrolled functions .April 2016AU-1.1.6
The CBB will review the application and duly advise the applicant in writing when it has:
(a) Granted the application without conditions;(b) Granted the application subject to conditions specified by the CBB; or(c) Refused the application, stating the grounds on which the application has been refused and the process for appealing against that decision.April 2016AU-1.1.7
Detailed rules and guidance regarding information requirements and processes for license applications can be found in Section AU-4.1. As specified in Paragraph AU-4.1.14, the CBB will provide a formal decision on license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB.
April 2016AU-1.1.8
In granting new licenses, the CBB will specify the specific categories of regulated ancillary service for which a license has been granted.
April 2016AU-1.1.9
All applicants for
ancillary service provider license must satisfy the CBB that they meet, by the date of their license, the minimum conditions for licensing, as specified in Chapter AU-2. Once licensed,licensees must be in compliance with these criteria on an on-going basis.April 2016AU-1.2 AU-1.2 Definition of Regulated Ancillary Services
AU-1.2.1
Regulated ancillary services are any of the following activities, carried on by way of business:
(a) Permitted services undertaken by third party administrators (TPA);(b)Card processing ;(c) Services undertaken byCredit reference bureau ;(d) Permitted payment services provided by payment service provider (PSP);(e) Shari'a advisory/review services;(ee) Permitted activities of a crowdfunding platform operator;(f) Providing account information services;(g) Providing payment initiation services; and(h) Any other ancillary services that are related to the financial services industry.Amended: October 2019
Amended: December 2018
Amended: October 2017
April 2016AU-1.2.2 AU-1.2.2
For the purposes of Paragraph AU-1.2.1, carrying on a regulated ancillary service by way of business means:
(a) Undertaking any of the regulated ancillary service activities as defined in Section AU-1.2, for commercial gain; or(b) Holding oneself out as willing and able to engage in such activities.Amended: October 2019
April 2016AU-1.2.1A
Where licensees are undertaking regulated activities in accordance with Shari'a, all transactions and contracts concluded by licensees must comply with Sharia standards issued by the Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI). The validity of the contract or transaction is not impacted, if at a later date, the relevant AAOIFI Sharia standards are amended.
Added: October 2020AU-1.2.3
While Paragraph AU-1.2.1 covers different activities under regulated ancillary services, only the license itself will specify the list of activities the licensee has been authorised to carry out. For existing
ancillary service providers at April 2016, no new license will be issued.April 2016Third Party Administrators (TPAs)
AU-1.2.4
TPA refers to processing claims in connection with insurance coverage offered by insurance firms.
April 2016AU-1.2.5
Notwithstanding Paragraph AU-1.2.4, TPAs are also allowed to offer their services to self-funded schemes outside Bahrain.
Amended: October 2019
April 2016AU-1.2.5A
When TPAs process claims for insurance firms, the CBB regards this activity as an outsourced activity and insurance firms should refer to Chapter RM-7 Outsourcing Risk under Volume 3 (Insurance) of the CBB Rulebook.
April 2016Card Processing
AU-1.2.5
Card processing includes:(a) The act of processing or transmitting debit/credit/prepaid card holder and transaction related data;(b) Integrating customer delivery channels to enterprises to enable data transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet);(c) Hosting and managing card program;(d) Approving and authenticating payment transactions as per financial institutions rules;(e) Providing technical service support for E-commerce and M-commerce transactions;(f) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks;(g) Reporting and customising reporting engine;(h) Call centre outsourcing services; and(i) Online and mobile portals for bank customers.April 2016Credit Reference Bureau
AU-1.2.6
A
credit reference bureau is a company licensed by the CBB as an ancillary services provider that receives, stores, analyses and classifies thecredit information of customers and issuescredit reports and provides themembers of the credit reference bureau with such reports upon their request.April 2016AU-1.2.7
For purposes of Paragraph AU-1.2.6, 'customers' refers to customers of the
members of the credit reference bureau as defined under Article (68 bis) b) 3) of the CBB Law.April 2016Payment Service Provider ("PSP")
AU-1.2.8
Payment service providers, may act as an intermediary for the following services:
(a) Services enabling cash to be placed in clients' money account and all of the operations required for operating the account;(b) Services enabling cash withdrawals from clients' money account and all of the operations required for operating the account;(c) The settlement of the direct debits of payment transactions;(d) Integrating customer delivery channels to enterprises to enable transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet); and(e) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks.Amended: January 2019
Amended: April 2017
April 2016AU-1.2.9
Payment service providers also facilitate the payment of high volume periodic/repetitive bills (e.g. utility bills, phone bills etc), and customer initiated payments.
April 2016AU-1.2.10
For purposes of Paragraph AU-1.2.8, clients' money account is defined as an account held in a retail bank which is used for the execution of payment transactions. The CBB has the right to stop this clients' money account at any time.
Amended: January 2019
April 2016AU-1.2.10A
When issuing any multi-purpose, electronic or otherwise, pre-paid cards, payment service providers must comply with the following requirements:
(a) The maximum balance limit under each natural person must not exceed BD1,000 and the maximum single transaction value limit must not exceed BD500;(bb) The maximum balance limit for each legal person must not exceed BD10,000 (Loading and transaction size).(b) The payment service provider must obtain a bank guarantee of BD100,000 from a retail bank licensed in the Kingdom of Bahrain; instead of the bank guarantee amount required under Paragraph AU-4.1.12.(c) Comply with all the requirements outlined under Module FC (Financial Crime) and Module CL (Client Money);(d) All pre-paid plastic cards must be EMV compliant (chip and PIN and online authentication);(e) Any pre-paid card which is inactive for a period of six months must be placed in a dormant list;(f) All transactions on pre-paid cards must be made through clients' money account with a retail bank in Bahrain.Amended: January 2019
Amended: October 2018
Amended: October 2017
Added: April 2017
AU-1.2.10B
In addition to the requirements listed under Paragraph AU 1.2.10A, Payment service providers must maintain up to date Payment Card Industry Data Security Standards (PCI-DSS) certification. The initial certification must be obtained by 31st December 2017.
Added: April 2017
AU-1.2.10C
In order to maintain up to date PCI-DSS certification, payment service providers will be periodically audited by PCI authorised companies for compliance.
Licensees are asked to make certified copies of such documents available if requested by the CBB.Added: April 2017
AU-1.2.11
When a customer load cash into the card through kiosk or company/bank counter, the payment service provider must update the amount into the card immediately, and must deposit the relevant cash amount into the clients' money account within 24 hours.
Amended: January 2019
Amended: April 2017
April 2016AU-1.2.11A
When owning or operating Cash Dispensing Machines (CDM) or Kiosks, payment service providers must comply with the requirements stated in Paragraphs AU-1.2.11B to Paragraph AU-1.2.11I.
Added: April 2019AU-1.2.11B
Payment service providers must obtain CBB's prior written approval for owning or operating any Cash Dispensing Machine (CDM) or Kiosk.
Added: April 2019AU-1.2.11C
Payment service providers must submit a written application to the Supervisory Point of Contact (SPoC) at the CBB, detailing the type of CDM or Kiosk, the proposed location(s) and the proposed security measures.
Added: April 2019AU-1.2.11D
The application referred to in Paragraph AU-1.2.11C will be assessed on its individual merits, and at the CBB's sole discretion, taking into account factors which the CBB considers relevant including, but not limited to:
(a) The suitability of the location(s) in question;(b) The level of overall activities of the applicant in the market as well as the size and make-up of its customer base; and(c) The type and range of facilities which the applicant proposes to offer through the CDM or Kiosk at the proposed location(s).Added: April 2019AU-1.2.11E
In addition to the information required by the CBB, further information/clarification may be requested by the CBB before it takes a decision regarding the application. The CBB's decision in this regard will be communicated to the applicant payment service provider in writing.
Added: April 2019AU-1.2.11F
CDMs or Kiosks may be owned individually or jointly by ancillary service providers.
Added: April 2019AU-1.2.11G
Payment service providers must not charge their customers for cash withdrawal transactions. When a customer uses CDMs, Kiosks or ATMs belonging to other banks or PSPs, the acquiring PSP/ bank may apply a charge capped at 100 fils per transaction to the issuing PSP.
Added: April 2019AU-1.2.11H
Payment service providers must obtain the CBB's prior written approval for the termination/suspension of any of its CDMs or Kiosks.
Added: April 2019AU-1.2.11I
The CBB may, at its sole discretion, require a payment service provider to terminate/suspend a CDM or Kiosk at any time.
Added: April 2019AU-1.2.11J
Payment service providers must ensure they have a robust internal technological infrastructure and direct technical access to the EFTS, on an uninterrupted basis (24 X 7 days and 365 days in the year), to send, authorise and receive Fawri+/Fawateer direct credits on a real-time basis.
Amended: April 2019
Added: October 2018AU-1.2.11K
Payment service providers must maintain a daily value limit of BD1,000 for the total Fawri+ and Fawateer transactions (with assured immediate finality, i.e. within 30 seconds) for each STV card/IBAN account per day.
Amended: April 2019
Added: October 2018AU-1.2.11L
[This Paragraph was moved to BR-1.1.6 in July 2020].
Amended: July 2020
Amended: April 2019
Added: January 2019Shari'a Advisory/Review Services
AU-1.2.12
Shari'a advisory/review services refer to:
(a) Regular assessment on Shari'a compliance in the activities and operations of Islamic financial institutions or any financial institution offering regulated Islamic financial services, by those qualified to offer Shari'a review services, with the objective of ensuring that the activities and operations carried out by these financial institutions do not contravene the Shari'a principles. The services include the examination and evaluation of the financial institutions' level of compliance to the Shari'a, remedial rectification measures to resolve non-compliance and control mechanism to avoid recurrences. The examination includes contracts, agreements, policies, products, transactions, memorandum and articles of association, financial statements and reports;(b) Issuance of Shari'a pronouncements on any aspect of the Islamic financial institution's activities or operations; and(c) Ad-hoc Shari'a advisory services for products and services governed by financial services.April 2016AU-1.2.13
In offering Shari'a advisory/review services, the
licensee must not offer services to the same client where this may lead to a conflict of interest in terms of services offered. As an example, if the licensee has offered services under Subparagraph AU-1.2.12(b), no service can be offered under Subparagraph AU-1.2.12(a) in relation to the pronouncement.April 2016Crowdfunding Platform Operator
AU-1.2.14
Crowdfunding platform operator refers to a person licensed by the CBB to operate an e-platform which takes place on an online portal, on which people lend money to businesses (Person to Business-P2B), and businesses lend money to other businesses (Business to Business – B2B) for the purpose of gaining a financial return in the form of interest/profit payment and a repayment of credit over a pre-specified period of time (financing-based crowdfunding), and/or raising of capital by issuance of ordinary shares by closed, private, family companies, start-up and small and medium size companies, entities engaged in real estate projects (equity-based crowdfunding).Amended: January 2019
Added: October 2017AU-1.2.15
The role of
crowdfunding platform operator is restricted to arranging deals, bringing together borrowers and lenders, in case of financing-based crowdfunding, and investors and issuers, in case of equity-based crowdfunding.Crowdfunding platform operators are strictly prohibited to provide any advice on deals.Added: October 2017AU-1.2.16
Crowdfunding Platform Operator must not undertake Business to Person (B2P) or Person to Person (P2P) lending/investing.Amended: January 2019
Added: October 2017AU-1.2.17
Crowdfunding platform operators may raise funds for borrowers/issuers based in the Kingdom of Bahrain or abroad.Added: October 2017AU-1.2.18
For Shari'a-compliant financing-based crowdfunding the term lender refers to the financier and the term borrower refers to the fundraiser
Added: October 2017AU-1.2.19
For the purpose of financing-based crowdfunding, licensees must also comply with the requirements stipulated in General Requirements Module (Module GR) for Ancillary Service Providers-Volume 5.
Added: October 2017AU-1.2.20
For the purpose of equity-based crowdfunding, licensees must also comply with the requirements stipulated in Markets and Exchanges Module (Module MAE) of Volume 6.
Added: October 2017Account Information Service Provider (AISP)
AU-1.2.21
Account Information Services Provider (AISP) refers to a person licensed by the CBB to provide account information services using an online portal, mobile or smart phone application, device or other electronic media which a consenting customer can use to obtain aggregate or consolidated information about his account balances with licensed banks, financing companies and other licensees.
Amended: October 2019
Added: December 2018AU-1.2.22
The role of an AISP is restricted to providing the technology or other means in order to provide account information to the customer and the handling of communication or electronic documents between the customer and the licensees should the terms of the offer include such services. AISPs must not receive or otherwise handle customer funds in the course of providing
account information services .Added: December 2018Payment Initiation Service Provider (PISP)
AU-1.2.23
Payment Initiation Service Provider (PISP) is restricted to providing the technology or other means in order to initiate a payment order and the handling of communication or electronic documents between the customer and the licensees should the terms of the offer include such services. PISPs must not receive or otherwise handle customer funds in the course of providing
payment initiation services .Amended: October 2019
Amended: January 2019
Added: December 2018AU-1.2.24
The role of a PISP is restricted to providing the technology or other means in order to initiate a payment order and the handling of communication or electronic documents between the customer and the licensees should the terms of the offer include such services. PISPs must not receive or otherwise handle customer funds in the course of providing
payment initiation information services .Added: December 2018Insurance Cover
AU-1.2.25
AISPs and PISPs must, at all times, hold an insurance cover against liabilities arising from cyber security breaches.
Added: December 2018AU-1.3 AU-1.3 Approved Persons
General Requirements
AU-1.3.1
Licensees must obtain the CBB's prior written approval for any person wishing to undertake a
controlled function at alicensee . The approval from the CBB must be obtained prior to their appointment.April 2016AU-1.3.2
Controlled functions are those occupied by board members and persons in executive positions and include:(a) Member of the Board ofDirectors ;(b)Chief executive orgeneral manager and their deputies;(c)Head of function ;(d) Compliance officer; and(e) Money Laundering Reporting Officer (for PSPs).April 2016AU-1.3.3
Combination of the above
controlled functions is subject to the requirements contained in Module HC.April 2016Basis for Approval
AU-1.3.4
Approval under Paragraph AU-1.3.1 is only granted by the CBB, if it is satisfied that the person is fit and proper to hold the particular position in the
licensee concerned. 'Fit and proper' is determined by the CBB on a case-by-case basis. The definition of 'fit and proper' and associated guidance is provided in Section AU-3.1.April 2016AU-1.3.5
The
chief executive orgeneral manager means a person who is responsible for the conduct of thelicensee (regardless of actual title). Thechief executive orgeneral manager must be resident in Bahrain. This person is responsible for the conduct of the whole of the firm.April 2016AU-1.3.6
Head of function means a person who exercises major managerial responsibilities, is responsible for a significant business or operating unit, or has senior managerial responsibility for maintaining accounts or other records of thelicensee .April 2016AU-1.3.7
Whether a person is a
head of function will depend on the facts in each case and is not determined by the presence or absence of the word in their job title. Examples ofhead of function might include, depending on the scale, nature and complexity of the business, a deputychief executive ; heads of departments such as risk management, compliance or internal audit; the chief financial officer; head of business department, etc..April 2016AU-1.3.8
Where a
licensee is in doubt as to whether a function should be considered acontrolled function it must discuss the case with the CBB.April 2016AU-1.3.9
All
licensees must designate anemployee , of appropriate standing and resident in Bahrain, as compliance officer. The compliance officer must report to senior management and must have access to the board of directors. The duties of the compliance officer include:(a) Assistingsenior management/head of function to identify and assess the main compliance risks facing thelicensees and the plans to manage them;(b) Advisingsenior management/head of function on compliance with laws, rules and standards, including keeping them informed on developments in the area;(c) Assistingsenior management/head of function in educating staff on compliance issues, and acting as a contact point within thelicensee for compliance queries from staff members;(d) Establishing written guidance to staff on the appropriate implementation of compliance with laws, rules and standards through policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines;(e) On a pro-active basis, identifying, documenting and assessing the compliance risks associated with thelicensee's business activities, including the development of new products and business practices, the proposed establishment of new types of business or customer relationships, or material changes in the nature of such relationships;(f) Monitoring and testing compliance by performing sufficient and representative compliance testing; and(g) Reporting on a regular basis to the board of directors or the Audit committee of the board of directors.April 2016AU-2 AU-2 Licensing Conditions
AU-2.1 AU-2.1 Condition 1: Legal Status
AU-2.1.1
The legal status of a
licensee that is anancillary service provider licensee must be a legal form approved by the CBB.April 2016AU-2.2 AU-2.2 Condition 2: Mind and Management
AU-2.2.1
Licensees must maintain their head office and management in the Kingdom.April 2016AU-2.3 AU-2.3 Condition 3: Controllers
AU-2.3.1
Licensees must satisfy the CBB that theircontrollers are suitable and pose no undue risks to thelicensee .Licensees must also satisfy the CBB that their group structures do not prevent the effective supervision of thelicensee by the CBB and otherwise pose no undue risks to thelicensee .April 2016AU-2.3.2
Chapter GR-7 contains the CBB's requirements and definitions regarding
controllers .Amended: April 2017
April 2016AU-2.3.3
In summary,
controllers are persons who directly or indirectly are significant shareholders in alicensee , or who are otherwise able to exert significant influence on thelicensee . The CBB seeks to ensure thatcontrollers pose no significant risks to thelicensee . In general terms,controllers are assessed in terms of their financial standing, their judicial and regulatory record, and standards of business and (where relevant) personal probity.April 2016AU-2.3.4
As regards group structures, the CBB seeks to ensure that these do not prevent adequate consolidated supervision being applied to financial entities within the group, and that other group entities do not pose any material financial, reputational or other risks to the
licensee .April 2016AU-2.3.5
In all cases, when judging applications from existing groups, the CBB will have regard to the reputation and financial standing of the group as a whole. Where relevant, the CBB will also take into account the extent and quality of supervision applied to overseas members of the group and take into account any information provided by other supervisors in relation to any member of the group.
April 2016AU-2.4 AU-2.4 Condition 4: Board and Employees
AU-2.4.1
Those nominated to carry out
controlled functions must satisfy the CBB'sapproved persons requirements. This rule is supported by Article 65 of the CBB Law.April 2016AU-2.4.2
The definition of
controlled functions is contained in Paragraph AU-1.3.2, whilst Chapter AU-3 sets out CBB'sapproved persons requirements.April 2016AU-2.4.3
The
licensee's staff, taken together, must collectively provide a sufficient range of skills and experience to manage the affairs of thelicensee in a sound and prudent manner.Licensees must ensure their employees meet any training and competency requirements specified by the CBB.April 2016AU-2.5 AU-2.5 Condition 5: Financial Resources
Capital Funds
AU-2.5.1
Licensees must maintain a level of financial resources, as agreed with the CBB, adequate for the level of business proposed. A greater amount of capital than specified in this Section may be required by the CBB on a case-by-case basis.April 2016AU-2.5.2
Where a
licensee undertakes more than one activity outlined under Paragraph AU-1.2.1, the licensee must maintain the highest level of core capital required amongst all categories of activities which it provides.April 2016Third Party Administrators
AU-2.5.3
For third party administrators,
licensees must maintain a minimumcore capital of BD 100,000.April 2016Card Processing and Payment Service Providers
AU-2.5.4
For card processing and payment service providers,
licensees must maintain a minimumcore capital of BD 250,000.April 2016Credit Reference Bureau
AU-2.5.5
Licensees must maintain a minimumcore capital of BD 2 million.April 2016Shari'a Advisory/Review Services
AU-2.5.6
Licensees must maintain a minimumcore capital of BD 30,000.April 2016Crowdfunding Platform Operator
AU-2.5.6A
Licensees must maintain a minimumcore capital of BD 25,000.Amended: January 2019
Added: October 2017Account Information Services Provider
AU-2.5.6B
Licensees must maintain a minimum core capital of BD 25,000.
Added: January 2019Payment Initiation Services Provider
AU-2.5.6C
Licensees must maintain a minimum core capital of BD 30,000.
Added: January 2019Liquidity
AU-2.5.7
Licensees must maintain sufficient liquid assets to meet their obligations as they fall due in the normal course of their business.April 2016AU-2.6 AU-2.6 Condition 6: Systems and Controls
AU-2.6.1
Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate for the scale and complexity of their activities. These systems and controls must meet the minimum requirements contained in Modules HC and RM (to be issued at a later date).April 2016AU-2.6.2
Licensees must maintain systems and controls that are, in the opinion of the CBB, adequate to address the risks of financial crime occurring in thelicensee .April 2016AU-2.7 AU-2.7 Condition 7: External Auditor
AU-2.7.1
Article 61 of the CBB Law requires that
licensees appoint an external auditor, subject to the CBB's prior approval. The minimum requirements regarding auditors contained in Module AA (Auditors and Accounting Standards) must be met.April 2016AU-2.8 AU-2.8 Condition 8: Other Requirements
Books and Records
AU-2.8.1
Article 59 of the CBB Law requires that
licensees must maintain comprehensive books of accounts and other records, and satisfy the minimum record-keeping requirements contained in Article 60 of the pre-mentioned Law and Module GR. Books of accounts must comply with the financial accounting standards issued by the International Financial Reporting Standards (IFRS)/International Accounting Standards (IAS) or the applicable AAOIFI standards for Islamiclicensees .April 2016Provision of Information
AU-2.8.2
Articles 58, 111, 114 and 163 of the CBB Law require that
licensees and their staff must act in an open and cooperative manner with the CBB.Licensees must meet the regulatory reporting and disclosure requirements contained in Module BR. As per Article 62 of the CBB Law, audited financial statements must be submitted to the CBB within 3 months of thelicensee's financial year-end.April 2016General Conduct
AU-2.8.3
Licensees must conduct their activities in a professional and orderly manner, in keeping with good market practice.Licensees must comply with the general standards of business conduct contained in Modules PB and GR.April 2016Additional Conditions
AU-2.8.4
Licensees must comply with any other specific requirements or restrictions imposed by the CBB on the scope of their license.April 2016AU-2.8.5
Licensees are subject to the provisions of the CBB Law. These include the right of the CBB to impose such terms and conditions, as it may deem necessary when issuing a license, as specified in Article 45 of the CBB Law. Thus, when granting a license, the CBB specifies the regulated ancillary services that thelicensee may undertake.Licensees must respect the scope of their license.April 2016AU-2.8.6
In addition, the CBB may impose additional restrictions or requirements, beyond those already specified in Volume 5, to address specific risks. For instance, a license may be granted subject to strict limitations on intra-group transactions.
April 2016AU-3 AU-3 Approved Persons
AU-3.1 AU-3.1 Approved Persons Conditions
AU-3.1.1
Licensees seeking anapproved person authorisation for an individual, must satisfy the CBB that the individual concerned is 'fit and proper' to undertake thecontrolled function in question.April 2016AU-3.1.2
The authorisation requirements for persons nominated to carry out
controlled functions is contained in Section AU-1.3. The authorisation process is described in Section AU-3.2.Amended: October 2017
April 2016AU-3.1.3
Each applicant applying for
approved person status and those individuals occupyingapproved person positions must comply with the following conditions:(a) Has not previously been convicted of any felony or crime that relates to his/her honesty and/or integrity unless he/she has subsequently been restored to good standing;(b) Has not been the subject of any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud;(c) Has not been adjudged bankrupt by a court unless a period of 10 years has passed, during which the person has been able to meet all his/her obligations and has achieved economic accomplishments;(d) Has not been disqualified by a court, regulator or other competent body, as a director or as a manager of a corporation;(e) Has not failed to satisfy a judgement debt under a court order resulting from a business relationship;(f) Must have personal integrity, good conduct and reputation;(g) Has appropriate professional and other qualifications for thecontrolled function in question; and(h) Has sufficient experience to perform the duties of thecontrolled function .April 2016AU-3.1.4
In assessing the conditions prescribed in Rule AU-3.1.3, the CBB will take into account the criteria contained in Paragraph AU-3.1-5. The CBB reviews each application on a case-by-case basis, taking into account all relevant circumstances. A person may be considered 'fit and proper' to undertake one type of
controlled function but not another, depending on the function's job size and required levels of experience and expertise. Similarly, a person approved to undertake acontrolled function in onelicensee may not be considered to have sufficient expertise and experience to undertake nominally the samecontrolled function but in a much biggerlicensee .April 2016AU-3.1.5
In assessing a person's fitness and propriety, the CBB will also consider previous professional and personal conduct (in Bahrain or elsewhere) including, but not limited to, the following:
(a) The propriety of a person's conduct, whether or not such conduct resulted in a criminal offence being committed, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;(b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;(c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;(d) Whether the person, or any body corporate, partnership or unincorporated institution to which the applicant has, or has been associated with as a director, controller, manager or company secretary been the subject of any disciplinary proceeding, investigation or fines by any government authority, regulatory agency or professional body or association;(e) The contravention of any financial services legislation;(f) Whether the person has ever been refused a license, authorisation, registration or other authority;(g) Dismissal or a request to resign from any office or employment;(h) Whether the person has been a member of a board of directors, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners have been declared bankrupt whilst the person was connected with that partnership;(i) The extent to which the person has been truthful and open with supervisors; and(j) Whether the person has ever entered into any arrangement with creditors in relation to the inability to pay due debts.April 2016AU-3.1.6
With respect to Paragraph AU-3.1.5, the CBB will take into account the length of time since any such event occurred, as well as the seriousness of the matter in question.
April 2016AU-3.1.7
Approved persons undertaking acontrolled function must act prudently, and with honesty, integrity, care, skill and due diligence in the performance of their duties. They must avoid conflicts of interest arising whilst undertaking acontrolled function .April 2016AU-3.1.8
In determining where there may be a conflict of interest arising, factors that may be considered will include whether:
(a) A person has breached any fiduciary obligations to the company or terms of employment;(b) A person has undertaken actions that would be difficult to defend, when looked at objectively, as being in the interest of thelicensee ; and(c) A person has failed to declare a personal interest that has a material impact in terms of the person's relationship with thelicensee .April 2016AU-3.1.9
Further guidance on the process for assessing a person's 'fit and proper' status is given in Module EN (Enforcement): see Chapter EN-8.
April 2016AU-3.2 AU-3.2 Approved Persons Requirements
AU-3.2.1
Licensees must obtain CBB prior written approval before a person is formally appointed to acontrolled function . The request for CBB approval must be made by submitting to the CBB a duly completed Form 3 (Application for Approved Person status) and Curriculum Vitae after verifying that all the information contained in the Form 3, including previous experience, is accurate. Form 3 is available under Volume 5 Part B Authorisation Forms of the CBB Rulebook.Added: October 2017AU-3.2.2
When the request for
approved person status forms part of a license application, the Form 3 must be marked for the attention of the Director, Licensing Directorate. When the submission to undertake acontrolled function is in relation to an existinglicensee , the Form 3, except if dealing with a MLRO, must be marked for the attention of the concerned supervisory point of contact at the CBB. In the case of the MLRO, Form 3 should be marked for the attention of the Director, Compliance Directorate.Amended: April 2018
Added: October 2017AU-3.2.3
When submitting Form 3,
licensees must ensure that the Form 3 is:(a) Submitted to the CBB with a covering letter signed by an authorised representative of thelicensee , seeking approval for the proposedcontrolled function ;(b) Submitted in original form;(c) Submitted with a certified copy of the applicant's passport, original or certified copies of educational and professional qualification certificates (and translation if not in Arabic or English) and the Curriculum Vitae; and(d) Signed by an authorised representative of the licensee and all pages stamped with the licensee's seal.Added: October 2017AU-3.2.4
Licensees seeking to appoint members of the board of directors must seek CBB approval for all the candidates to be put forward for election/approval at a shareholders' meeting, in advance of the agenda being issued to shareholders. CBB approval of the candidates does not in any way limit shareholders' rights to refuse those put forward for election/approval.Added: October 2017AU-3.2.5
For existing
licensees applying for the appointment of anycontrolled functions , the authorised representative should be a duly authorised representative of thelicensee and must submit with Form 3: Application for Approved Person Status, internal documentary evidence supporting the appointment of the duly authorised representative of thelicensee .Added: October 2017Assessment of Application
AU-3.2.6
The CBB shall review and assess the application for
approved person status to ensure that it satisfies all the conditions required in Paragraph AU-3.1.3 and the criteria outlined in Paragraph AU-3.1.5Added: October 2017AU-3.2.7
For purposes of Paragraph AU-3.2.6,
licensees should give the CBB a reasonable amount of notice in order for an application to be reviewed. The CBB shall respond within 15 business days from the date of meeting all regulatory requirements, including but not limited to receiving the application complete with all the required information and documents, as well as verifying references.Added: October 2017AU-3.2.8
The CBB reserves the right to refuse an application for
approved person status if it does not satisfy the conditions provided for in Paragraph AU-3.1.3 and does not satisfy the CBB criteria in Paragraph AU-3.1.5. A notice of such refusal is issued by registered mail to thelicensee concerned, setting out the basis for the decision.Added: October 2017Appeal Process
AU-3.2.9
Licensees or the nominatedapproved persons may, within 30 calendar days of the notification, appeal against the CBB's decision to refuse the application forapproved person status. The CBB shall decide on the appeal and notify thelicensee of its decision within 30 calendar days from submitting the appeal.Added: October 2017AU-3.2.10
Where notification of the CBB's decision to grant a person
approved person status is not issued within 15 business days from the date of meeting all regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents,licensees or the nominatedapproved persons may appeal to the concerned Executive Director of the CBB provided that the appeal is justified with supporting documents. The CBB shall decide on the appeal and notify thelicensee of its decision within 30 calendar days from the date of submitting the appeal.Added: October 2017Notification Requirements and Process
AU-3.2.11
Licensees must immediately notify the CBB when anapproved person ceases to hold acontrolled function together with an explanation as to the reasons why (see Paragraph AU-4.4.9). In such cases, theirapproved person status is automatically withdrawn by the CBB.Added: October 2017AU-3.2.12
Licensees must immediately notify the CBB in case of any material change to the information provided in a Form 3 submitted for anapproved person .Added: October 2017AU-3.2.13
Licensees must immediately notify the CBB when they become aware of any of the events listed in Paragraph EN-8.2.3, affecting one of theirapproved persons .Added: October 2017AU-3.2.13A
Licensees must immediately notify the CBB should they become aware of information that could reasonably be viewed as calling into question an approved person’s compliance with CBB’s ‘fit and proper’ requirement (see AU3.1).Added: January 2021Change in Controlled Function
AU-3.2.14
Licensees must seek prior CBB approval before anapproved person may move from onecontrolled function to another within the samelicensee .Added: October 2017AU-3.2.15
In such instances, a new Form 3 (Application for Approved Person status) should be completed and submitted to the CBB. Note that a person may be considered 'fit and proper' for one
controlled function , but not for another, if for instance the new role requires a different set of skills and experience. Where anapproved person is moving to acontrolled function in anotherlicensee , the firstlicensee should notify the CBB of that person's departure (see Rule AU-4.4.9), and the newlicensee should submit a request for approval under Rule AU-1.3.1.Added: October 2017AU-4 AU-4 Information Requirements and Processes
AU-4.1 AU-4.1 Licensing
Applications Form and Documents
AU-4.1.1
Applicants for a license must fill in the Application Form 1 (Application for a License) online, available on the CBB website under Eservices/online Forms. The applicant must upload scanned copies of supporting documents listed in Paragraph AU-4.1.4, unless otherwise directed by the CBB.
Amended: July 2019
Amended: April 2018
April 2016AU-4.1.2
Articles 44 to 47 of the CBB Law govern the licensing process. This prescribes a single stage process, with the CBB required to take a decision within 60 calendar days of an application being deemed complete (i.e. containing all required information and documents). See below, for further details on the licensing process and timelines.
April 2016AU-4.1.3
References to applicant mean the proposed
licensee seeking authorisation. An applicant may appoint a representative — such as a law firm or professional consultancy — to prepare and submit the application. However, the applicant retains full responsibility for the accuracy and completeness of the application, and is required to certify the application form accordingly. The CBB also expects to be able to liaise directly with the applicant during the authorisation process, when seeking clarification of any issues.April 2016AU-4.1.4
Unless otherwise directed by the CBB, the following documents must be provided together with the covering letter referred in Paragraph AU-4.1.1 above in support of a license application:
(a) A duly completed Form 2 (Application for Authorisation of Controller) for each controller of the proposedlicensee ;(b) A duly completed Form 3 (Application for Approved Person status), for each individual applying to undertakecontrolled functions of the proposedlicensee ;(c) A comprehensive business plan for the application, addressing the matters described in AU-4.1.6;(d) Where the applicant is an existing institution, a copy of the applicant's commercial registration;(e) Where the applicant is a corporate body, a certified copy of a Board resolution of the applicant along with minutes of the concerned meeting, confirming the board's decision to seek a CBBancillary service provider license;(f) In the case of applicants that are part of a regulated group, a letter of non-objection to the proposed license application from the applicant'shome supervisor , together with confirmation that the group is in good regulatory standing and is in compliance with applicable supervisory requirements, including those relating to capital adequacy and solvency requirements;(g) Copies of the audited financial statements of the applicant's major shareholder and/or group (as directed by the CBB), for the three years immediately prior to the date of application;(h) A draft copy of the applicant's (and parent's where applicable) memorandum and articles of association, addressing the matters described in AU-4.1.7; and(i) Evidence of competency and qualifications for Shari'a advisor.April 2016AU-4.1.5
The CBB may require that an acceptably worded letter of guarantee be provided in support of the application for a license. Where the application for the license is for an incorporated entity, the CBB may seek a letter of guarantee from
controllers . Where the application is for anoverseas licensee , the CBB may seek a letter of guarantee from the parent company.April 2016AU-4.1.6
The business plan submitted in support of an application should include:
(a) An outline of the history of the applicant and its shareholders;(b) The reasons for applying for a license, including the applicant's strategy and market objectives;(c) The proposed type of activities to be carried on by the applicant in/from the Kingdom of Bahrain;(d) The proposed Board and senior management of the applicant and the proposed organisational structure of the applicant;(e) An independent assessment of the risks that may be faced by the applicant, together with the proposed systems and controls framework to be put in place for addressing those risks and to be used for the main business functions. For card processing and payment services providers, IT security measures must be outlined in the plan;(f) An opening balance sheet for the applicant, together with a three-year financial projection, with all assumptions clearly outlined, demonstrating that the applicant will be able to meet applicable leverage and liquidity requirements; and(g) For TPA's, details setting forth the applicant's capability for providing a sufficient number of experienced and qualified personnel in the areas of claims' processing and recordkeeping.April 2016AU-4.1.7
The applicant's (and where applicable, its parent's) memorandum and articles of association must explicitly provide for it to undertake the activities proposed in the licensed application, and must preclude the applicant from undertaking other commercial activities, unless these arise out of its activities or are incidental to those.
April 2016AU-4.1.8
All documentation provided to the CBB as part of an application for a license must be in either Arabic or English language. Any documentation in a language other than English or Arabic must be accompanied by a certified English or Arabic translation thereof.
April 2016AU-4.1.9
Any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs prior to authorisation must be reported to the CBB.
April 2016AU-4.1.10
Failure to inform the CBB of the changes specified in AU-4.1.9 is likely to be viewed as a failure to provide full and open disclosure of information, and thus a failure to meet licensing condition AU-2.8.2.
April 2016Licensing Process and Timelines
AU-4.1.11
As part of the application process, the CBB will provide a formal decision on a license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB, as specified in Article 44 (e) of the CBB Law. The applicant must submit within 6 months of the application date, all remaining requirements or otherwise has to submit a new application to the CBB. Applicants are encouraged to approach the CBB to discuss their application at an early stage, so that any specific questions can be dealt with prior to the finalisation of the application.
April 2016AU-4.1.12
Before the final approval is granted to a
licensee , confirmation from a retail bank addressed to the CBB that thelicensee's capital (injected funds) — as specified in the business plan submitted under Rule AU-4.1.4 — has been paid in must be provided to the CBB. In addition, for payment services providers and card processing companies, a bank guarantee of BD50,000 must be provided.Amended: October 2017
Amended: April 2017
April 2016Granting or Refusal of a License
AU-4.1.13
To be granted a license, an applicant should demonstrate compliance with the applicable requirements of the CBB Law and this Module. Should a license be granted, the CBB will notify the applicant in writing of the fact; the CBB will also publish its decision to grant a license in the Official Gazette and in two local newspapers (one published in Arabic, the other in English). The license may be subject to such terms and conditions as the CBB deems necessary for the additional conditions being met.
Amended: October 2019
April 2016AU-4.1.14
The CBB may refuse to grant a license if in its opinion:
(a) The requirements of the CBB Law or this Module are not met;(b) False or misleading information has been provided to the CBB, or information which should have been provided to the CBB has not been so provided; or(c) The CBB believes it necessary in order to safeguard the interests of potential customers.April 2016AU-4.1.15
Where the CBB proposes to refuse an application for a license, it will give the applicant a written notice to that effect. Applicants will be given a minimum of 30 calendar days from the date of the written notice to appeal the decision, as per the appeal procedures specified in the notice; these procedures will comply with the provisions contained in Article 46 of the CBB Law.
Amended: October 2019
April 2016Starting Operations
AU-4.1.16
Within 6 months of the license being issued, the new
licensee must provide to the CBB:(a) A detailed action plan for establishing the operations and supporting infrastructure of thelicensee , such as the completion of written policies and procedures, and recruitment of remaining employees (having regard to the time limit set by Article 48 (c) of the CBB Law);(b) The registered office address and details of premises to be used to carry out the business of the proposedlicensee ;(c) The address in the Kingdom of Bahrain where full business records will be kept;(d) Thelicensee's contact details including telephone and fax number, e-mail address and website;(e) A description of the business continuity plan;(f) A description of the IT system that will be used, including details of how IT systems and other records will be backed up;(g) A copy of the external auditor's acceptance to act as an external auditor for the applicant;(h) A copy of the Ministry of Industry & Commerce commercial registration certificate in Arabic and English languages;(i) A copy of the licensee's business card and any written communication (including stationery, website, e-mail, business documentation, etc.) including a statement that the ancillary service provider is licensed by the CBB;(j) An updated organisation chart showing the reporting lines, committees (if any) and including the names of the persons undertaking thecontrolled functions ;(k) A copy of thelicensee's professional indemnity insurance policy or confirmation that a deposit to an amount specified by the CBB has been placed in an escrow account with a retail bank licensed in the Kingdom of Bahrain;(l) A bank guarantee of BD100,000 for payment service providers issuing any multi-purpose, electronic or otherwise, pre-paid cards, instead of the bank guarantee amount required under Paragraph AU-4.1.12. Such bank guarantee must be in the format approved by the CBB;(m) Proof that the PSP has set up the clients' money account as required under Paragraph AU-1.2.8;(n) A copy of the applicant's notarised memorandum and articles of association, addressing the matters described in Paragraph AU-4.1.6; ando) Other information as may be specified by the CBB.Amended: January 2019
Amended: October 2017
Amended: April 2017
April 2016AU-4.1.17
Applicants issued new licenses by the CBB must start operations within 6 months of the license being issued, as per Article 48 (c) of the CBB Law. Failure to comply with this rule may lead to enforcement action being taken against the
licensee concerned, as specified in Article 128 of the CBB Law. Alicensee must at all times keep an approved copy of the license displayed in a visible place on thelicensee's premises in the Kingdom, as per Article 47 (b) of the CBB Law.April 2016AU-4.1.18
Applicants may not publicise in any way the application for a licence for, or formation of, an ancillary service provider before the formal decision referred to in Paragraph AU-4.1.11 is provided to the applicant or the concerned agent.
April 2016AU-4.2 AU-4.2 Variations to a License
AU-4.2.1
As per Article 48 of the CBB Law,
licensees must seek prior CBB approval before undertaking new regulated ancillary services.April 2016AU-4.2.2
Failure to secure CBB approval prior to undertaking a new regulated activity may lead to enforcement action being taken against the concerned person in accordance with Article 40 of the CBB Law.
April 2016AU-4.2.3
In addition to any other information requested by the CBB, and unless otherwise directed by the CBB, a
licensee requesting CBB approval to undertake a new regulated ancillary service must provide the following information:(a) A summary of the rationale for undertaking the proposed new activities;(b) A description of how the new business will be managed and controlled;(c) An analysis of the financial impact of the new activities; and(d) A summary of the due diligence undertaken by the Board and management of thelicensee on the proposed new activities.April 2016AU-4.2.4
The CBB may amend or revoke a licence in any of the following cases:
(a) If thelicensee fails to satisfy any of the license conditions;(b) If thelicensee violates the terms of the CBB Rulebook;(c) If thelicensee fails to start business within six months from the date of the licence;(d) If thelicensee ceases to carry out the licensed activity in the Kingdom; or(e) The legitimate interests of thecustomers or creditors of alicensee required such amendment or cancellation.Amended: October 2019
April 2016AU-4.2.5
The CBB's procedure for amending or revoking a license is outlined in detail in the Enforcement Module (EN).
April 2016AU-4.3 AU-4.3 [This section was moved to AU-3.2 in October 2017]
AU-4.3.1
[This Paragraph was moved to AU-3.2.1 in October 2017].
Moved: October 2017
April 2016AU-4.3.2
[This Paragraph was moved to AU-3.2.2 in October 2017].
Moved: October 2017
April 2016AU-4.3.3
[This Paragraph was moved to AU-3.2.3 in October 2017].
Moved: October 2017
April 2016AU-4.3.4
[This Paragraph was moved to AU-3.2.4 in October 2017].
Moved: October 2017
April 2016AU-4.3.5
[This Paragraph was moved to AU-3.2.5 in October 2017].
Moved: October 2017
April 2016[This heading was moved to AU-3.2 in October 2017]
AU-4.3.6
[This Paragraph was moved to AU-3.2.6 in October 2017].
Moved: October 2017
April 2016AU-4.3.7
[This Paragraph was moved to AU-3.2.7 in October 2017].
Moved: October 2017
April 2016AU-4.3.8
[This Paragraph was moved to AU-3.2.8 in October 2017].
Moved: October 2017
April 2016[This heading was moved to AU-3.2 in October 2017]
AU-4.3.9
[This Paragraph was moved to AU-3.2.9 in October 2017].
Moved: October 2017
April 2016AU-4.3.10
[This Paragraph was moved to AU-3.2.10 in October 2017].
Moved: October 2017
April 2016[This heading was moved to AU-3.2 in October 2017]
AU-4.3.11
[This Paragraph was moved to AU-3.2.11 in October 2017].
Moved: October 2017
April 2016AU-4.3.12
[This Paragraph was moved to AU-3.2.12 in October 2017].
Moved: October 2017
April 2016AU-4.3.13
[This Paragraph was moved to AU-3.2.13 in October 2017].
Moved: October 2017
April 2016[This heading was moved to AU-3.2 in October 2017]
AU-4.3.14
[This Paragraph was moved to AU-3.2.14 in October 2017].
Moved: October 2017
April 2016AU-4.3.15
[This Paragraph was moved to AU-3.2.15 in October 2017].
Moved: October 2017
April 2016AU-4.4 AU-4.4 Cancellation of Authorisation
Licenses
Voluntary Surrender
AU-4.4.1 AU-4.4.1
According to Article 50 of the CBB Law, all requests for the voluntary surrender of a license are subject to CBB approval. Such requests must be made in writing and must set out in full the reasons for the request and how the voluntary surrender is to be carried out. Requests must be addressed to the concerned Executive Director at the CBB.
April 2016AU-4.4.2 AU-4.4.2
Licensees must satisfy the CBB that theircustomers ' interests are to be safeguarded during and after the proposed voluntary surrender. The requirements contained in Chapter GR-9 regarding cessation of business must be satisfied.April 2016AU-4.4.3 AU-4.4.3
Failure to comply with Rule AU-4.4.1 may constitute a breach of Article 50(a) of the CBB Law. The CBB will only approve a voluntary surrender where it has no outstanding regulatory concerns and any relevant
customers ' interests would not be prejudiced. A voluntary surrender will not be accepted where it is aimed at preempting supervisory actions by the CBB. Also, a voluntary surrender will only take effect once thelicensee , in the opinion of the CBB, has discharged all its regulatory responsibilities tocustomers .April 2016AU-4.4.4 AU-4.4.4
In accordance with Articles 50(a) and 51(a) of the CBB Law, a
licensee wishing to cancel an authorisation for a service or a branch must obtain the CBB's prior written approval. The requirements contained in Chapter GR-9 regarding cessation of business must be satisfied.April 2016Cancellation
AU-4.4.5 AU-4.4.5
As provided for under Article 48 of the CBB Law, the CBB may itself move to cancel a license, should the licensee fail to meet the conditions outlined in Paragraph AU-4.2.4.
April 2016AU-4.4.6 AU-4.4.6
Cancellation of a license requires the CBB to issue a formal notice of cancellation to the person concerned. The notice of cancellation describes the CBB's rationale for the proposed cancellation, as specified in Article 48(d) of the CBB Law.
April 2016AU-4.4.7 AU-4.4.7
The CBB generally views cancellation of a license as appropriate only in the most serious of circumstances, and generally tries to address supervisory concerns through other means beforehand. Further guidance is contained in Module EN (Enforcement), regarding CBB's approach to enforcement and on the process for issuing a notice of cancellation and the recipient's right to appeal the notice.
April 2016AU-4.4.8 AU-4.4.8
Normally, where cancellation of a license has been confirmed by the CBB, the CBB will only effect the cancellation once a
licensee has discharged all its regulatory responsibilities tocustomers . Until such time, the CBB will retain all its regulatory powers with regards to thelicensee , and will direct thelicensee such that no new regulated activity may be undertaken whilst thelicensee discharges its obligations tocustomers .April 2016Cancellation of Approved Person Status
AU-4.4.9 AU-4.4.9
In accordance with Paragraph AU-4.3.11,
licensees must promptly notify the CBB in writing when a person undertaking acontrolled function will no longer be carrying out that function. If acontrolled function falls vacant, thelicensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, thelicensee must make immediate interim arrangements to ensure continuity of the duties and responsibilities of thecontrolled function affected. These interim arrangements must be approved by the CBB.April 2016AU-4.4.10 AU-4.4.10
The explanation given for any such changes should simply identify if the planned move was prompted by any concerns over the person concerned, or is due to a routine staff change, retirement or similar reason.
April 2016AU-4.4.11 AU-4.4.11
The CBB may also move to declare someone as not 'fit and proper', in response to significant compliance failures or other improper behaviour by that person: see Chapter EN-8 regarding the cancellation of 'fit and proper' approval.
April 2016AU-4.5 AU-4.5 Publication of the Decision to Grant, Cancel or Amend a License
AU-4.5.1
In accordance with Articles 47 and 49 of the CBB Law, the CBB will publish its decision to grant, cancel or amend a license in the Official Gazette and in two local newspapers, one in Arabic and the other in English.
Amended: October 2019
Added: July 2017AU-4.5.2
For the purposes of Paragraph AU-4.5.1, the cost of publication must be borne by the Licensee.
Added: July 2017AU-4.5.3
The CBB may also publish its decision on such cancellation or amendment using any other means it considers appropriate, including electronic means.
Added: July 2017AU-4.6 AU-4.6 Additional Requirements for Licensing of Crowdfunding Platform Operator
AU-4.6.1
This section sets out additional licensing requirements for
crowdfunding platform operator , including conventional and Shari'a-compliantcrowdfunding platform operators .Added: October 2017AU-4.6.2
The CBB may license a
person as acrowdfunding platform operator provided that:(a) The applicant must be locally incorporated as a Joint Stock Company;(b) The applicant is able to demonstrate that will be able to operate an orderly, fair and transparent market in relation to the transactions offered through its electronic facilities;(c) The applicant appoints at least two approved persons. One of the approved persons must be a Compliance Officer who can also handle the responsibilities of the MLRO, and the second person is the CEO of thecrowdfunding platform operator ;(d) The business rules of thecrowdfunding platform operator must make satisfactory provisions–(i) For the protection of investors/lenders and public interest;(ii) To ensure proper functioning of the platform;(iii) To promote fairness and transparency;(iv) To manage any conflict of interest that may arise;(v) To promote fair treatment of its users or any person who subscribe for its services;(vi) To promote fair treatment of any person who is hosted, or applies to be hosted, on its platform;(vii) To ensure proper regulation and supervision of its users, or any person utilising or accessing its platform, including suspension and expulsion of such persons;(viii) To provide an avenue of appeal against the decision of the licensed crowdfunding platform operator.(ix) To clarify the criteria for admission of lenders/investors and the exclusion, suspension, expulsion and re-admission of lenders/investors therefrom or thereto;(x) To describe the proposed technology, IT system and disaster recovery plan; and(xi) For the oversight and controls over outsourced activities, if any.Added: October 2017AU-4.7 AU-4.7 Additional Requirements for Payment Service Providers, PISPs and AISPs
Business plan
AU-4.7.1
The business plan must include an indication of and a description of the type and expected volume of the activities for the next three years. The business plan to be provided by the applicant must contain:
(a) a marketing plan consisting of:(i) an analysis of the company's competitive position;(ii) a description of account information service users in the account information market segment concerned, marketing materials and distribution channels;(b) certified annual accounts for the previous three years, if available, or a summary of the financial situation for those applicants that have not yet produced annual accounts;(c) a forecast budget for the first three financial years that demonstrates that the applicant is able to employ appropriate and proportionate systems, resources and procedures that allow the applicant to operate soundly; it must include:(i) an income statement and balance-sheet forecast, including target scenarios and stress scenarios as well as their base assumptions such as number of clients, pricing and expected increase in profitability threshold;(ii) explanations of the main lines of income and expenses, the financial debts and the capital assets;(iii) a diagram and detailed breakdown of the estimated cash flows for the next three years.Added: December 2018Programme of Operations
AU-4.7.2
The programme of operations to be provided by the applicant must contain the following information:
(a) a description of the services that are intended to be provided, including an explanation of how the applicant determined that the activity fits the definition of regulated ancillary services;(b) a declaration of the applicant that they will not enter at any time into possession of client funds;(c) a description of the service including:(i) draft contracts between all the parties involved, if applicable;(ii) terms and conditions of the provision of the services;(iii) processing times;(d) the estimated number of different premises from which the applicant intends to provide the services, if applicable;(e) a description of the proposed ancillary services;(f) a declaration of whether or not the applicant intends to provide services in another country once licensed;(g) a description of the relevant operational outsourcing arrangements consisting of:(i) the identity and geographical location of the outsourcing provider;(ii) the identities of the persons within the ancillary services provider that are responsible for each of the outsourced activities;(iii) a detailed description of the outsourced activities and its main characteristics; and(h) a copy of draft outsourcing agreements.Added: December 2018Governance arrangements and internal control mechanisms
AU-4.7.3
The applicant must provide a description of the governance arrangement and the internal control mechanisms consisting of:
(a) a mapping of the risks identified by the applicant, including the type of risks and the procedures the applicant will put in place to assess and prevent such risks;(b) the different procedures to carry out periodical and permanent controls including the frequency and the human resources allocated;(c) the identity of the person(s) responsible for the internal control functions, including for periodic, permanent and compliance control, as well as an up-to-date curriculum vitae;(d) the composition of the management body and, if applicable, of any other oversight body or committee;(e) a description of the way outsourced functions are monitored and controlled so as to avoid an impairment in the quality of the applicant's internal controls;(f) a description of the way any agents and branches are monitored and controlled within the framework of the applicant's internal controls;(g) where the applicant is the subsidiary of a regulated entity in another country, a description of the group governance.Added: December 2018Business continuity arrangements
Governance arrangements and internal control mechanisms
AU-4.7.4 AU-4.7.4
The applicant should provide a description of the business continuity arrangements consisting of the following information:
(a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;(b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;(c) an explanation of how the applicant will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons;(d) the frequency with which the applicant intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.Added: December 2018Internal Control Mechanisms to comply with AML/CFT obligations
AU-4.7.5
The applicant must establish a description of the internal control mechanisms containing, where applicable, the following information:
(a) the applicant's assessment of the money laundering and terrorist financing risks associated with its business;(b) the measures the applicant has or will put in place to mitigate the risks and comply with applicable anti-money laundering and counter terrorist financing obligations, including the applicant's risk assessment process, the policies and procedures to comply with customer due diligence requirements, and the policies and procedures to detect and report suspicious transactions or activities;(c) arrangements the applicant has or will put in place to ensure that staff and agents are appropriately trained in anti-money laundering and counter terrorist financing matters;(d) the identity of the person in charge of ensuring the applicant's compliance with anti-money laundering and counter-terrorism obligations, and evidence that their anti-money laundering and counter-terrorism expertise is sufficient to enable them to fulfil this role effectively;(e) the systems and controls the applicant has or will put in place to ensure that its anti-money laundering and counter terrorist financing policies and procedures remain up to date, effective and relevant;(f) the systems and controls the applicant has or will put in place to ensure that the agents do not expose the applicant to increased money laundering and terrorist financing risk; and(g) the draft anti-money laundering and counter terrorism manual for the staff of the applicant (to be provided following receipt of in-principle approval from the CBB).Added: December 2018Procedure for monitoring, handling, and following up on security incidents and security-related customer complaints
AU-4.7.6
The applicant should provide a procedure for monitoring, handling and following up on security incidents and security-related customer complaints, containing, but not limited to, the following information:
(a) organisational measures and tools for the prevention of cyber events and fraud;(b) details of the individual(s) and bodies responsible for assisting customers in cases of fraud, technical issues and/or claim;(c) reporting lines in cases of fraud;(d) the contact point for customers, including a name and email address;(e) the procedures for the reporting of incidents, including the communication of these reports to internal or external bodies, including notification of major incidents to national competent authorities;(f) the monitoring tools used and the follow-up measures and procedures in place to mitigate security risks.Added: December 2018Process for filing, monitoring, tracking and restricting access to sensitive payment data
AU-4.7.7
The PISP and PSP should provide a description of the process in place to file, monitor, track and restrict access to sensitive payment data consisting of, but not limited to, the following:
(a) a description of the flows of data classified as sensitive payment data in the context of the applicant's business model;(b) the procedures in place to authorise access to sensitive payment data;(c) a description of the monitoring tool;(d) the access right policy, detailing access to all relevant infrastructure components and systems, including databases and back-up infrastructures;(e) a description of how the collected data are encrypted such that the applicant will not be able to read or store it;(f) the expected internal and/or external use of the collected data;(g) the IT system and technical security measures that have been implemented including encryption and/or tokenisation;(h) confirmation that access to sensitive customer data is not available to the applicant;(i) an explanation of how breaches will be detected and addressed; and(j) an annual internal control programme in relation to the safety of the IT systems.Added: December 2018Security policy documentation
AU-4.7.8
The applicant should provide a security policy document containing the following information:
(a) A detailed risk assessment of the service(s) the applicant intends to provide, which should include risks of fraud and the security control and mitigation measures taken to adequately protect service users against the risks identified;(b) a description of the IT systems, which should include:(i) the architecture of the systems and their network elements;(ii) the business IT systems supporting the business activities provided, such as the applicant's website, wallets, the payment engine, the risk and fraud management engine, and customer accounting;(iii) the support IT systems used for the organisation and administration of the applicant, such as accounting, legal reporting systems, staff management, customer relationship management, e-mail servers and internal file servers;(iv) information on whether those systems are already used by the applicant or its group, and the estimated date of implementation, if applicable;(v) the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;(vi) the logical security measures and mechanisms in place, specifying the control the applicant will have over such access as well as the nature and frequency of each control, such as technical versus organisational; preventative versus detective; and real-time monitoring versus regular reviews, such as the use of an active directory separate from the group, the opening/closing of communication lines, security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;(c) the logical security measures and mechanisms that govern the internal access to IT systems, which should include:(i) the technical and organisational nature and frequency of each measure, such as whether it is preventative or detective and whether or not it is carried out in real time;(ii) how the issue of client environment segregation is dealt with in cases where the applicant's IT resources are shared;(d) the physical security measures and mechanisms of the premises and the data centre of the applicant, such as access controls and environmental security;(e) the security of the payment processes, which should include:(i) the customer authentication procedure used for both consultative and transactional access, and for all underlying payment instruments;(ii) an explanation of how safe delivery to the legitimate payment service user and the integrity of authentication factors, such as hardware tokens and mobile applications, are ensured, at the time of both initial enrolment and renewal;(iii) a description of the systems and procedures that the applicant has in place for transaction analysis and the identification of suspicious or unusual transactions;(f) a detailed risk assessment in relation to its payment services, including fraud, with a link to the control and mitigation measures explained in the application file, demonstrating that the risks are addressed;(g) a list of the main written procedures in relation to the applicant's IT systems or, for procedures that have not yet been formalised, an estimated date for their finalisation.Added: December 2018AU-5 AU-5 License Fees
AU-5.1 AU-5.1 License Application Fees
AU-5.1.1
Applicants seeking an
ancillary service provider license from the CBB AU-5.1.1 must pay a non-refundable license application fee of BD 100 at the time of submitting their formal application to the CBB.April 2016AU-5.1.2
There are no application fees for those seeking
approved persons status.April 2016AU-5.2 AU-5.2 Annual License Fees
AU-5.2.1
Licensees must pay the relevant annual license fee to the CBB on 1st December of the preceding year for which the fee is due.April 2016AU-5.2.2
The applicable fixed annual license fees are as follows:
(a) Third party administrators - BD 2,000;(b)Card processing services - BD 1,000;(c) Operating acredit reference bureau - BD 100,000;(d) Payment service providers - BD 2,000;(e) Shari’a advisory/review services - BD 500;(f) Operating acrowdfunding platform - BD 200;(g)Account information service providers - BD 1,000;(h)Payment initiation service providers - BD 1,000;(i) Any other ancillary services that are related to the financial services industry - BD 500.Amended: October 2020
Added: April 2016AU-5.2.2A
Licensees providing multipleregulated ancillary services are required to pay the annual license fees applicable for each activity in accordance with Paragraph AU-5.2.2.Added: January 2021AU-5.2.3
For new
licensees , their first annual license fee is the amount stated in Paragraph AU-5.2.2 and is payable when their license is issued by the CBB.April 2016AU-5.2.4
Where a license is cancelled (whether at the initiative of the firm or the CBB), no refund is paid for any months remaining in the calendar year in question, should a fee have been paid for that year.
April 2016AU-5.2.5
All
licensees are subject to direct debit for the payment of the annual fee and must complete and submit to the CBB a Direct Debit Authorisation Form by 15th September available under Part B of Volume 5 (Specialised Licensees) CBB Rulebook on the CBB Website.April 2016AU-5.2.6
Licensees failing to comply with this Section may be subject to financial penalties for date sensitive requirements as outlined in Section EN-5.3A or may have their licenses withdrawn by the CBB.April 2016
