AU-1 Authorisation Requirements
AU-1.1 Ancillary Service Provider Licensees
General Prohibitions
AU-1.1.1
No person may:
(a) Undertake (or hold themselves out to undertake) regulated ancillary services, by way of business within or from the Kingdom of Bahrain unless duly licensed by the CBB;
(b) Hold themselves out to be licensed by the CBB unless they have as a matter of fact been so licensed; or
(c) Market any financial services in the Kingdom of Bahrain unless:
(i) Allowed to do so by the terms of a license issued by the CBB;
(ii) The activities come within the terms of an exemption granted by the CBB by way of a Directive; or
(iii) Has obtained the express written permission of the CBB to offer financial services.
April 2016
AU-1.1.2
In accordance with Resolution No.(16) for the year 2012 and for the purpose of Subparagraph AU-1.1.1(c), the word 'market' refers to any promotion, offering, announcement, advertising, broadcast or any other means of communication made for the purpose of inducing recipients to purchase or otherwise acquire financial services in return for monetary payment or some other form of valuable consideration.
April 2016
AU-1.1.3
Persons in breach of Subparagraph AU-1.1.1(c) are considered in breach of Resolution No.(16) for the year 2012 and are subject to penalties under Articles 129 and 161 of the CBB Law (see also Section EN-9.3).
April 2016
Licensing
AU-1.1.4
Persons wishing to be licensed to undertake any of the regulated ancillary services within or from the Kingdom of Bahrain must apply in writing to the CBB. An application for a license must be in the form prescribed by the CBB as indicated in Chapter AU-4.
April 2016
AU-1.1.5
An application for a license must be in the form prescribed by the CBB (Form 1) and must contain:
(a) A business plan specifying the type of business to be conducted;
(b) Application forms (Form 2) for all controllers; and
(c) Application forms (Form 3) for all controlled functions.
April 2016
AU-1.1.6
The CBB will review the application and duly advise the applicant in writing when it has:
(a) Granted the application without conditions;
(b) Granted the application subject to conditions specified by the CBB; or
(c) Refused the application, stating the grounds on which the application has been refused and the process for appealing against that decision.
April 2016
AU-1.1.7
Detailed rules and guidance regarding information requirements and processes for license applications can be found in Section AU-4.1. As specified in Paragraph AU-4.1.14, the CBB will provide a formal decision on license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB.
April 2016
AU-1.1.8
In granting new licenses, the CBB will specify the specific categories of regulated ancillary service for which a license has been granted.
April 2016
AU-1.1.9
All applicants for ancillary service provider license must satisfy the CBB that they meet, by the date of their license, the minimum conditions for licensing, as specified in Chapter AU-2. Once licensed, licensees must be in compliance with these criteria on an on-going basis.
April 2016
AU-1.2 Definition of Regulated Ancillary Services
AU-1.2.1
Regulated ancillary services are any of the following activities, carried on by way of business:
(a) Permitted services undertaken by third party administrators (TPA);
(b) Card processing;
(c) Services undertaken by Credit reference bureau;
(d) Permitted payment services provided by payment service provider (PSP);
(e) Shari'a advisory/review services;
(ee) Permitted activities of a crowdfunding platform operator;
(f) Providing account information services;
(g) Providing payment initiation services; and
(h) Any other ancillary services that are related to the financial services industry.
Amended: October 2019
Amended: December 2018
Amended: October 2017
April 2016
AU-1.2.2
For the purposes of Paragraph AU-1.2.1, carrying on a regulated ancillary service by way of business means:
(a) Undertaking any of the regulated ancillary service activities as defined in Section AU-1.2, for commercial gain; or
(b) Holding oneself out as willing and able to engage in such activities.
Amended: October 2019
April 2016
AU-1.2.1A
Where licensees are undertaking regulated activities in accordance with Shari'a, all transactions and contracts concluded by licensees must comply with Sharia standards issued by the Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI). The validity of the contract or transaction is not impacted, if at a later date, the relevant AAOIFI Sharia standards are amended.
Added: October 2020
AU-1.2.3
While Paragraph AU-1.2.1 covers different activities under regulated ancillary services, only the license itself will specify the list of activities the licensee has been authorised to carry out. For existing ancillary service providers at April 2016, no new license will be issued.
April 2016
Third Party Administrators (TPAs)
AU-1.2.4
TPA refers to processing claims in connection with insurance coverage offered by insurance firms.
April 2016
AU-1.2.5
Notwithstanding Paragraph AU-1.2.4, TPAs are also allowed to offer their services to self-funded schemes outside Bahrain.
Amended: October 2019
April 2016
AU-1.2.5A
When TPAs process claims for insurance firms, the CBB regards this activity as an outsourced activity and insurance firms should refer to Chapter RM-7 Outsourcing Risk under Volume 3 (Insurance) of the CBB Rulebook.
April 2016
Card Processing
AU-1.2.5
Card processing includes:
(a) The act of processing or transmitting debit/credit/prepaid card holder and transaction related data;
(b) Integrating customer delivery channels to enterprises to enable data transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet);
(c) Hosting and managing card program;
(d) Approving and authenticating payment transactions as per financial institutions rules;
(e) Providing technical service support for E-commerce and M-commerce transactions;
(f) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks;
(g) Reporting and customising reporting engine;
(h) Call centre outsourcing services; and
(i) Online and mobile portals for bank customers.
April 2016
Credit Reference Bureau
AU-1.2.6
A credit reference bureau is a company licensed by the CBB as an ancillary services provider that receives, stores, analyses and classifies the credit information of customers and issues credit reports and provides the members of the credit reference bureau with such reports upon their request.
April 2016
AU-1.2.7
For purposes of Paragraph AU-1.2.6, 'customers' refers to customers of the members of the credit reference bureau as defined under Article (68 bis) b) 3) of the CBB Law.
April 2016
Payment Service Provider ("PSP")
AU-1.2.8
Payment service providers may act as an intermediary for the following services:
(a) Services enabling cash to be placed in clients' money account and all of the operations required for operating the account;
(b) Services enabling cash withdrawals from clients' money account and all of the operations required for operating the account;
(c) The settlement of the direct debits of payment transactions;
(d) Integrating customer delivery channels to enterprises to enable transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet); and
(e) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks.
Amended: January 2019
Amended: April 2017
April 2016
AU-1.2.9
Payment service providers also facilitate the payment of high volume periodic/repetitive bills (e.g. utility bills, phone bills etc), and customer initiated payments.
April 2016
AU-1.2.10
For purposes of Paragraph AU-1.2.8, clients' money account is defined as an account held in a retail bank which is used for the execution of payment transactions. The CBB has the right to stop this clients' money account at any time.
Amended: January 2019
April 2016
AU-1.2.10A
When issuing any multi-purpose, electronic or otherwise, pre-paid cards, payment service providers must comply with the following requirements:
(a) The maximum balance limit under each natural person must not exceed BD2,500;
(bb) The maximum balance limit for each legal person must not exceed BD10,000 (Loading and transaction size).
(b) The payment service provider must obtain a bank guarantee of BD100,000 from a retail bank licensed in the Kingdom of Bahrain; instead of the bank guarantee amount required under Paragraph AU-4.1.12.
(c) Comply with all the requirements outlined under Module FC (Financial Crime);
(d) All pre-paid plastic cards must be EMV compliant (chip and PIN and online authentication);
(e) Any pre-paid card which is inactive for a period of six months must be placed in a dormant list; and
(f) All transactions on pre-paid cards must be made through the client money account with a retail bank in Bahrain (See also Chapter GR-15, Client Money Requirements).
Amended: April 2023
Amended: July 2022
Amended: January 2019
Amended: October 2018
Amended: October 2017
Added: April 2017
AU-1.2.10B
In addition to the requirements listed under Paragraph AU 1.2.10A, Payment service providers must maintain up to date Payment Card Industry Data Security Standards (PCI-DSS) certification. The initial certification must be obtained by 31st December 2017.
Added: April 2017
AU-1.2.10C
In order to maintain up to date PCI-DSS certification, payment service providers will be periodically audited by PCI authorised companies for compliance.
Licensees are asked to make certified copies of such documents available if requested by the CBB.
Added: April 2017
AU-1.2.11
When a customer loads cash into the card through kiosk or company/bank counter, the payment service provider must update the amount into the card immediately, and must deposit the relevant cash amount into the clients' money account within 24 hours.
Amended: January 2019
Amended: April 2017
April 2016
AU-1.2.11A
When owning or operating Cash Dispensing Machines (CDM) or Kiosks, payment service providers must comply with the requirements stated in Paragraphs AU-1.2.11B to Paragraph AU-1.2.11I.
Added: April 2019
AU-1.2.11B
Payment service providers must obtain CBB's prior written approval for owning or operating any Cash Dispensing Machine (CDM) or Kiosk.
Added: April 2019
AU-1.2.11C
Payment service providers must submit a written application to the Supervisory Point of Contact (SPoC) at the CBB, detailing the type of CDM or Kiosk, the proposed location(s) and the proposed security measures.
Added: April 2019
AU-1.2.11D
The application referred to in Paragraph AU-1.2.11C will be assessed on its individual merits, and at the CBB's sole discretion, taking into account factors which the CBB considers relevant including, but not limited to:
(a) The suitability of the location(s) in question;
(b) The level of overall activities of the applicant in the market as well as the size and make-up of its customer base; and
(c) The type and range of facilities which the applicant proposes to offer through the CDM or Kiosk at the proposed location(s).
Added: April 2019
AU-1.2.11E
In addition to the information required by the CBB, further information/clarification may be requested by the CBB before it takes a decision regarding the application. The CBB's decision in this regard will be communicated to the applicant payment service provider in writing.
Added: April 2019
AU-1.2.11F
CDMs or Kiosks may be owned individually or jointly by ancillary service providers.
Added: April 2019
AU-1.2.11G
Payment service providers must not charge their customers for cash withdrawal transactions. When a customer uses CDMs, Kiosks or ATMs belonging to other banks or PSPs, the acquiring PSP/bank may apply a charge capped at 100 fils per transaction to the issuing PSP.
Added: April 2019
AU-1.2.11H
Payment service providers must obtain the CBB's prior written approval for the termination/suspension of any of its CDMs or Kiosks.
Added: April 2019
AU-1.2.11I
The CBB may, at its sole discretion, require a payment service provider to terminate/suspend a CDM or Kiosk at any time.
Added: April 2019
AU-1.2.11J
Payment service providers must ensure they have a robust internal technological infrastructure and direct technical access to the EFTS, on an uninterrupted basis (24 X 7 days and 365 days in the year), to send, authorise and receive Fawri+/Fawateer direct credits on a real-time basis.
Amended: April 2019
Added: October 2018
AU-1.2.11K
Payment service providers must maintain a daily value limit of BD1,000 for the total Fawri+ and Fawateer transactions (with assured immediate finality, i.e. within 30 seconds) for each STV card/IBAN account per day.
Amended: April 2019
Added: October 2018
AU-1.2.11L
[This Paragraph was moved to BR-1.1.6 in July 2020].
Amended: July 2020
Amended: April 2019
Added: January 2019
Shari'a Advisory/Review Services
AU-1.2.12
Shari'a advisory/review services refer to:
(a) Regular assessment on Shari'a compliance in the activities and operations of Islamic financial institutions or any financial institution offering regulated Islamic financial services, by those qualified to offer Shari'a review services, with the objective of ensuring that the activities and operations carried out by these financial institutions do not contravene the Shari'a principles. The services include the examination and evaluation of the financial institutions' level of compliance to the Shari'a, remedial rectification measures to resolve non-compliance and control mechanism to avoid recurrences. The examination includes contracts, agreements, policies, products, transactions, memorandum and articles of association, financial statements and reports;
(b) Issuance of Shari'a pronouncements on any aspect of the Islamic financial institution's activities or operations; and
(c) Ad-hoc Shari'a advisory services for products and services governed by financial services.
April 2016
AU-1.2.13
In offering Shari'a advisory/review services, the licensee must not offer services to the same client where this may lead to a conflict of interest in terms of services offered. As an example, if the licensee has offered services under Subparagraph AU-1.2.12(b), no service can be offered under Subparagraph AU-1.2.12(a) in relation to the pronouncement.
April 2016
Crowdfunding Platform Operator
AU-1.2.14
Crowdfunding platform operator refers to a person licensed by the CBB to operate an online portal or other electronic media through which people lend money to businesses (Person to Business-P2B), and businesses lend money to other businesses (Business to Business – B2B) for the purpose of gaining a financial return in the form of interest/profit payment and a repayment of credit over a pre-specified period of time (financing-based crowdfunding), and/or raising of capital by issuance of ordinary shares, or other equity instruments like preferred shares (equity-based crowdfunding).
Amended: April 2022
Amended: January 2019
Added: October 2017
AU-1.2.15
The role of crowdfunding platform operator is restricted to arranging deals, bringing together borrowers and lenders, in case of financing-based crowdfunding, and investors and issuers, in case of equity-based crowdfunding. Crowdfunding platform operators are strictly prohibited to provide any advice on deals.
Added: October 2017
AU-1.2.16
Crowdfunding Platform Operator must not undertake Business to Person (B2P) or Person to Person (P2P) lending/investing.
Amended: January 2019
Added: October 2017
AU-1.2.17
Crowdfunding platform operators may raise funds for borrowers/issuers based in the Kingdom of Bahrain or abroad.
Added: October 2017
AU-1.2.18
[This Paragraph was deleted in April 2022].
Deleted: April 2022
Added: October 2017
AU-1.2.19
[This Paragraph was deleted in April 2022].
Deleted: April 2022
Added: October 2017
AU-1.2.20
[This Paragraph was deleted in April 2022].
Deleted: April 2022
Added: October 2017
Account Information Service Provider (AISP)
AU-1.2.21
Account Information Services Provider (AISP) refers to a person licensed by the CBB to provide account information services using an online portal, mobile or smart phone application, device or other electronic media which a consenting customer can use to obtain aggregate or consolidated information about his account balances with licensed banks, financing companies and other licensees.
Amended: October 2019
Added: December 2018
AU-1.2.22
The role of an AISP is restricted to providing the technology or other means in order to provide account information to the customer and the handling of communication or electronic documents between the customer and the licensees should the terms of the offer include such services. AISPs must not receive or otherwise handle customer funds in the course of providing account information services.
Added: December 2018
Payment Initiation Service Provider (PISP)
AU-1.2.23
Payment Initiation Service Provider (PISP) refers to a person licensed by the CBB to initiate payment or credit transfers for the customer from an account held with a licensed bank, financing company or PSP.
Amended: October 2019
Amended: January 2019
Added: December 2018
AU-1.2.24
The role of a PISP is restricted to providing the technology or other means in order to initiate a payment order and the handling of communication or electronic documents between the customer and the licensees should the terms of the offer include such services. PISPs must not receive or otherwise handle customer funds in the course of providing payment initiation information services.
Added: December 2018
Insurance Cover
AU-1.2.25
AISPs and PISPs must, at all times, hold an insurance cover against liabilities arising from cyber security breaches.
Added: December 2018
AU-1.3 Approved Persons
General Requirements
AU-1.3.1
Licensees must obtain the CBB's prior written approval for any person wishing to undertake a controlled function at a licensee. The approval from the CBB must be obtained prior to their appointment.
April 2016
AU-1.3.2
Controlled functions are those occupied by board members and persons in executive positions and include:
(a) Member of the Board of Directors;
(b) Chief executive or general manager and their deputies;
(c) Head of function;
(d) Compliance officer; and
(e) Money Laundering Reporting Officer (for PSPs).
April 2016
AU-1.3.3
Combination of the above controlled functions is subject to the requirements contained in Module HC.
April 2016
Basis for Approval
AU-1.3.4
Approval under Paragraph AU-1.3.1 is only granted by the CBB, if it is satisfied that the person is fit and proper to hold the particular position in the licensee concerned. 'Fit and proper' is determined by the CBB on a case-by-case basis. The definition of 'fit and proper' and associated guidance is provided in Section AU-3.1.
April 2016
AU-1.3.5
The chief executive or general manager means a person who is responsible for the conduct of the licensee (regardless of actual title). The chief executive or general manager must be resident in Bahrain. This person is responsible for the conduct of the whole of the firm.
April 2016
AU-1.3.6
Head of function means a person who exercises major managerial responsibilities, is responsible for a significant business or operating unit, or has senior managerial responsibility for maintaining accounts or other records of the licensee.
April 2016
AU-1.3.7
Whether a person is a head of function will depend on the facts in each case and is not determined by the presence or absence of the word in their job title. Examples of head of function might include, depending on the scale, nature and complexity of the business, a deputy chief executive; heads of departments such as risk management, compliance or internal audit; the chief financial officer; head of business department, etc.
April 2016
AU-1.3.8
Where a licensee is in doubt as to whether a function should be considered a controlled function it must discuss the case with the CBB.
April 2016
AU-1.3.9
All licensees must designate an employee, of appropriate standing and resident in Bahrain, as compliance officer. The compliance officer must report to senior management and must have access to the board of directors. The duties of the compliance officer include:
(a) Assisting senior management/head of function to identify and assess the main compliance risks facing the licensees and the plans to manage them;
(b) Advising senior management/head of function on compliance with laws, rules and standards, including keeping them informed on developments in the area;
(c) Assisting senior management/head of function in educating staff on compliance issues, and acting as a contact point within the licensee for compliance queries from staff members;
(d) Establishing written guidance to staff on the appropriate implementation of compliance with laws, rules and standards through policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines;
(e) On a pro-active basis, identifying, documenting and assessing the compliance risks associated with the licensee's business activities, including the development of new products and business practices, the proposed establishment of new types of business or customer relationships, or material changes in the nature of such relationships;
(f) Monitoring and testing compliance by performing sufficient and representative compliance testing; and
(g) Reporting on a regular basis to the board of directors or the Audit committee of the board of directors.
April 2016