AU-4 Information Requirements and Processes
AU-4.1 Licensing
Application Form and Documents
AU-4.1.1
Applicants for a license must fill in the Application Form 1 (Application for a License) online, available on the CBB website under Eservices/online Forms. The applicant must upload scanned copies of supporting documents listed in Paragraph AU-4.1.4, unless otherwise directed by the CBB.
Amended: July 2019
Amended: April 2018
April 2016
AU-4.1.2
Articles 44 to 47 of the CBB Law govern the licensing process. This prescribes a single stage process, with the CBB required to take a decision within 60 calendar days of an application being deemed complete (i.e. containing all required information and documents). See below, for further details on the licensing process and timelines.
April 2016
AU-4.1.3
References to applicant mean the proposed licensee seeking authorisation. An applicant may appoint a representative — such as a law firm or professional consultancy — to prepare and submit the application. However, the applicant retains full responsibility for the accuracy and completeness of the application, and is required to certify the application form accordingly. The CBB also expects to be able to liaise directly with the applicant during the authorisation process, when seeking clarification of any issues.
April 2016
AU-4.1.4
Unless otherwise directed by the CBB, the following documents must be provided together with the covering letter referred to in Paragraph AU-4.1.1 above in support of a license application:
(a) A duly completed Form 2 (Application for Authorisation of Controller) for each controller of the proposed licensee;
(b) A duly completed Form 3 (Application for Approved Person status), for each individual applying to undertake controlled functions of the proposed licensee;
(c) A comprehensive business plan for the application, addressing the matters described in AU-4.1.6;
(d) Where the applicant is an existing institution, a copy of the applicant's commercial registration;
(e) Where the applicant is a corporate body, a certified copy of a Board resolution of the applicant along with minutes of the concerned meeting, confirming the board's decision to seek a CBB ancillary service provider license;
(f) In the case of applicants that are part of a regulated group, a letter of non-objection to the proposed license application from the applicant's home supervisor, together with confirmation that the group is in good regulatory standing and is in compliance with applicable supervisory requirements, including those relating to capital adequacy and solvency requirements;
(g) Copies of the audited financial statements of the applicant's major shareholder and/or group (as directed by the CBB), for the three years immediately prior to the date of application;
(h) A draft copy of the applicant's (and parent's where applicable) memorandum and articles of association, addressing the matters described in AU-4.1.7;
(i) Evidence of competency and qualifications for the Shari'a advisor; and
(j) Information and documents required under Section AU-4.7 for PSP, AISP and PISP applicants.
Amended: July 2021
Added: April 2016
AU-4.1.5
The CBB may require that an acceptably worded letter of guarantee be provided in support of the application for a license. Where the application for the license is for an incorporated entity, the CBB may seek a letter of guarantee from controllers. Where the application is for an overseas licensee, the CBB may seek a letter of guarantee from the parent company.
April 2016
AU-4.1.6
The business plan submitted in support of an application should include:
(a) An outline of the history of the applicant and its shareholders;
(b) The reasons for applying for a license, including the applicant's strategy and market objectives;
(c) The proposed type of activities to be carried on by the applicant in/from the Kingdom of Bahrain;
(d) The proposed Board and senior management of the applicant and the proposed organisational structure of the applicant;
(e) An independent assessment of the risks that may be faced by the applicant, together with the proposed systems and controls framework to be put in place for addressing those risks and to be used for the main business functions. For card processing and payment services providers, IT security measures must be outlined in the plan;
(f) An opening balance sheet for the applicant, together with a three-year financial projection, with all assumptions clearly outlined, demonstrating that the applicant will be able to meet applicable leverage and liquidity requirements; and
(g) For TPAs, details setting forth the applicant's capability for providing a sufficient number of experienced and qualified personnel in the areas of claims processing and recordkeeping.
April 2016
AU-4.1.7
The applicant's (and where applicable, its parent's) memorandum and articles of association must explicitly provide for it to undertake the activities proposed in the license application, and must preclude the applicant from undertaking other commercial activities, unless these arise out of, or are incidental to, those activities.
April 2016
AU-4.1.8
All documentation provided to the CBB as part of an application for a license must be in either Arabic or English language. Any documentation in a language other than English or Arabic must be accompanied by a certified English or Arabic translation thereof.
April 2016
AU-4.1.9
Any material changes or proposed changes to the information provided to the CBB in support of an authorisation application that occurs prior to authorisation must be reported to the CBB.
April 2016
AU-4.1.10
Failure to inform the CBB of the changes specified in AU-4.1.9 is likely to be viewed as a failure to provide full and open disclosure of information, and thus a failure to meet licensing condition AU-2.8.2.
April 2016
Licensing Process and Timelines
AU-4.1.11
As part of the application process, the CBB will provide a formal decision on a license application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB, as specified in Article 44 (e) of the CBB Law. The applicant must submit all remaining requirements within 6 months of the application date; otherwise a new application must be submitted to the CBB. Applicants are encouraged to approach the CBB to discuss their application at an early stage, so that any specific questions can be dealt with prior to the finalisation of the application.
April 2016
AU-4.1.12
Before the final approval is granted to a licensee, confirmation from a retail bank addressed to the CBB that the licensee's capital (injected funds) — as specified in the business plan submitted under Rule AU-4.1.4 — has been paid in must be provided to the CBB. In addition, for payment services providers and card processing companies, a bank guarantee of BD50,000 must be provided.
Amended: October 2017
Amended: April 2017
April 2016
Granting or Refusal of a License
AU-4.1.13
To be granted a license, an applicant should demonstrate compliance with the applicable requirements of the CBB Law and this Module. Should a license be granted, the CBB will notify the applicant in writing of the fact; the CBB will also publish its decision to grant a license in the Official Gazette and in two local newspapers (one published in Arabic, the other in English). The license may be subject to such terms and conditions as the CBB deems necessary to ensure that any additional conditions are met.
Amended: October 2019
April 2016
AU-4.1.14
The CBB may refuse to grant a license if in its opinion:
(a) The requirements of the CBB Law or this Module are not met;
(b) False or misleading information has been provided to the CBB, or information which should have been provided to the CBB has not been so provided; or
(c) The CBB believes it necessary in order to safeguard the interests of potential customers.
April 2016
AU-4.1.15
Where the CBB proposes to refuse an application for a license, it will give the applicant a written notice to that effect. Applicants will be given a minimum of 30 calendar days from the date of the written notice to appeal the decision, as per the appeal procedures specified in the notice; these procedures will comply with the provisions contained in Article 46 of the CBB Law.
Amended: October 2019
April 2016
Starting Operations
AU-4.1.16
Within 6 months of the license being issued, the new licensee must provide to the CBB:
(a) A detailed action plan for establishing the operations and supporting infrastructure of the licensee, such as the completion of written policies and procedures, and recruitment of remaining employees (having regard to the time limit set by Article 48 (c) of the CBB Law);
(b) The registered office address and details of premises to be used to carry out the business of the proposed licensee;
(c) The address in the Kingdom of Bahrain where full business records will be kept;
(d) The licensee's contact details including telephone and fax number, e-mail address and website;
(e) A description of the business continuity plan;
(f) A description of the IT system that will be used, including details of how IT systems and other records will be backed up;
(g) A copy of the external auditor's acceptance to act as an external auditor for the applicant;
(h) A copy of the Ministry of Industry & Commerce commercial registration certificate in Arabic and English languages;
(i) A copy of the licensee's business card and any written communication (including stationery, website, e-mail, business documentation, etc.) including a statement that the ancillary service provider is licensed by the CBB;
(j) An updated organisation chart showing the reporting lines, committees (if any) and including the names of the persons undertaking the controlled functions;
(k) A copy of the licensee's professional indemnity insurance policy or confirmation that a deposit to an amount specified by the CBB has been placed in an escrow account with a retail bank licensed in the Kingdom of Bahrain;
(l) A bank guarantee of BD100,000 for payment service providers issuing any multi-purpose, electronic or otherwise, pre-paid cards, instead of the bank guarantee amount required under Paragraph AU-4.1.12. Such bank guarantee must be in the format approved by the CBB;
(m) Proof that the PSP has set up the clients' money account as required under Paragraph AU-1.2.8;
(n) A copy of the applicant's notarised memorandum and articles of association, addressing the matters described in Paragraph AU-4.1.6; and
(o) Other information as may be specified by the CBB.
Amended: January 2019
Amended: October 2017
Amended: April 2017
April 2016
AU-4.1.17
Applicants issued new licenses by the CBB must start operations within 6 months of the license being issued, as per Article 48 (c) of the CBB Law. Failure to comply with this rule may lead to enforcement action being taken against the licensee concerned, as specified in Article 128 of the CBB Law. A licensee must at all times keep an approved copy of the license displayed in a visible place on the licensee's premises in the Kingdom, as per Article 47 (b) of the CBB Law.
April 2016
AU-4.1.18
Applicants may not publicise in any way the application for a licence for, or formation of, an ancillary service provider before the formal decision referred to in Paragraph AU-4.1.11 is provided to the applicant or the concerned agent.
April 2016
AU-4.2 Variations to a License
AU-4.2.1
As per Article 48 of the CBB Law, licensees must seek prior CBB approval before undertaking new regulated ancillary services.
April 2016
AU-4.2.2
Failure to secure CBB approval prior to undertaking a new regulated activity may lead to enforcement action being taken against the concerned person in accordance with Article 40 of the CBB Law.
April 2016
AU-4.2.3
In addition to any other information requested by the CBB, and unless otherwise directed by the CBB, a licensee requesting CBB approval to undertake a new regulated ancillary service must provide the following information:
(a) A summary of the rationale for undertaking the proposed new activities;
(b) A description of how the new business will be managed and controlled;
(c) An analysis of the financial impact of the new activities; and
(d) A summary of the due diligence undertaken by the Board and management of the licensee on the proposed new activities.
April 2016
AU-4.2.4
The CBB may amend or revoke a licence in any of the following cases:
(a) If the licensee fails to satisfy any of the license conditions;
(b) If the licensee violates the terms of the CBB Rulebook;
(c) If the licensee fails to start business within six months from the date of the licence;
(d) If the licensee ceases to carry out the licensed activity in the Kingdom; or
(e) The legitimate interests of the customers or creditors of a licensee require such amendment or cancellation.
Amended: October 2019
April 2016
AU-4.2.5
The CBB's procedure for amending or revoking a license is outlined in detail in the Enforcement Module (EN).
April 2016
AU-4.3 [This section was moved to AU-3.2 in October 2017]
AU-4.3.1
[This Paragraph was moved to AU-3.2.1 in October 2017].
Moved: October 2017
April 2016
AU-4.3.2
[This Paragraph was moved to AU-3.2.2 in October 2017].
Moved: October 2017
April 2016
AU-4.3.3
[This Paragraph was moved to AU-3.2.3 in October 2017].
Moved: October 2017
April 2016
AU-4.3.4
[This Paragraph was moved to AU-3.2.4 in October 2017].
Moved: October 2017
April 2016
AU-4.3.5
[This Paragraph was moved to AU-3.2.5 in October 2017].
Moved: October 2017
April 2016
[This heading was moved to AU-3.2 in October 2017]
AU-4.3.6
[This Paragraph was moved to AU-3.2.6 in October 2017].
Moved: October 2017
April 2016
AU-4.3.7
[This Paragraph was moved to AU-3.2.7 in October 2017].
Moved: October 2017
April 2016
AU-4.3.8
[This Paragraph was moved to AU-3.2.8 in October 2017].
Moved: October 2017
April 2016
[This heading was moved to AU-3.2 in October 2017]
AU-4.3.9
[This Paragraph was moved to AU-3.2.9 in October 2017].
Moved: October 2017
April 2016
AU-4.3.10
[This Paragraph was moved to AU-3.2.10 in October 2017].
Moved: October 2017
April 2016
[This heading was moved to AU-3.2 in October 2017]
AU-4.3.11
[This Paragraph was moved to AU-3.2.11 in October 2017].
Moved: October 2017
April 2016
AU-4.3.12
[This Paragraph was moved to AU-3.2.12 in October 2017].
Moved: October 2017
April 2016
AU-4.3.13
[This Paragraph was moved to AU-3.2.13 in October 2017].
Moved: October 2017
April 2016
[This heading was moved to AU-3.2 in October 2017]
AU-4.3.14
[This Paragraph was moved to AU-3.2.14 in October 2017].
Moved: October 2017
April 2016
AU-4.3.15
[This Paragraph was moved to AU-3.2.15 in October 2017].
Moved: October 2017
April 2016
AU-4.4 Cancellation of Authorisation
Licenses
Voluntary Surrender
AU-4.4.1
According to Article 50 of the CBB Law, all requests for the voluntary surrender of a license are subject to CBB approval. Such requests must be made in writing and must set out in full the reasons for the request and how the voluntary surrender is to be carried out. Requests must be addressed to the concerned Executive Director at the CBB.
April 2016
AU-4.4.2
Licensees must satisfy the CBB that their customers' interests are to be safeguarded during and after the proposed voluntary surrender. The requirements contained in Chapter GR-9 regarding cessation of business must be satisfied.
April 2016
AU-4.4.3
Failure to comply with Rule AU-4.4.1 may constitute a breach of Article 50(a) of the CBB Law. The CBB will only approve a voluntary surrender where it has no outstanding regulatory concerns and any relevant customers' interests would not be prejudiced. A voluntary surrender will not be accepted where it is aimed at preempting supervisory actions by the CBB. Also, a voluntary surrender will only take effect once the licensee, in the opinion of the CBB, has discharged all its regulatory responsibilities to customers.
April 2016
AU-4.4.4
In accordance with Articles 50(a) and 51(a) of the CBB Law, a licensee wishing to cancel an authorisation for a service or a branch must obtain the CBB's prior written approval. The requirements contained in Chapter GR-9 regarding cessation of business must be satisfied.
April 2016
Cancellation
AU-4.4.5
As provided for under Article 48 of the CBB Law, the CBB may itself move to cancel a license, should the licensee fail to meet the conditions outlined in Paragraph AU-4.2.4.
April 2016
AU-4.4.6
Cancellation of a license requires the CBB to issue a formal notice of cancellation to the person concerned. The notice of cancellation describes the CBB's rationale for the proposed cancellation, as specified in Article 48(d) of the CBB Law.
April 2016
AU-4.4.7
The CBB generally views cancellation of a license as appropriate only in the most serious of circumstances, and generally tries to address supervisory concerns through other means beforehand. Further guidance is contained in Module EN (Enforcement), regarding CBB's approach to enforcement and on the process for issuing a notice of cancellation and the recipient's right to appeal the notice.
April 2016
AU-4.4.8
Normally, where cancellation of a license has been confirmed by the CBB, the CBB will only effect the cancellation once a licensee has discharged all its regulatory responsibilities to customers. Until such time, the CBB will retain all its regulatory powers with regards to the licensee, and will direct the licensee such that no new regulated activity may be undertaken whilst the licensee discharges its obligations to customers.
April 2016
Cancellation of Approved Person Status
AU-4.4.9
In accordance with Paragraph AU-4.3.11, licensees must promptly notify the CBB in writing when a person undertaking a controlled function will no longer be carrying out that function. If a controlled function falls vacant, the licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the licensee must make immediate interim arrangements to ensure continuity of the duties and responsibilities of the controlled function affected. These interim arrangements must be approved by the CBB.
April 2016
AU-4.4.10
The explanation given for any such changes should simply identify if the planned move was prompted by any concerns over the person concerned, or is due to a routine staff change, retirement or similar reason.
April 2016
AU-4.4.11
The CBB may also move to declare someone as not 'fit and proper', in response to significant compliance failures or other improper behaviour by that person: see Chapter EN-8 regarding the cancellation of 'fit and proper' approval.
April 2016
AU-4.5 Publication of the Decision to Grant, Cancel or Amend a License
AU-4.5.1
In accordance with Articles 47 and 49 of the CBB Law, the CBB will publish its decision to grant, cancel or amend a license in the Official Gazette and in two local newspapers, one in Arabic and the other in English.
Amended: October 2019
Added: July 2017
AU-4.5.2
For the purposes of Paragraph AU-4.5.1, the cost of publication must be borne by the Licensee.
Added: July 2017
AU-4.5.3
The CBB may also publish its decision on such cancellation or amendment using any other means it considers appropriate, including electronic means.
Added: July 2017
AU-4.6 Additional Requirements for Licensing of Crowdfunding Platform Operator
AU-4.6.1
This section sets out additional licensing requirements for crowdfunding platform operators, including conventional and Shari'a-compliant crowdfunding platform operators.
Added: October 2017
AU-4.6.2
The CBB may license a person as a crowdfunding platform operator provided that:
(a) [This Subparagraph was deleted in April 2022];
(b) The applicant is able to demonstrate that it will be able to operate an orderly, fair and transparent market in relation to the transactions offered through its electronic facilities;
(c) The applicant appoints at least two approved persons. One of the approved persons must be a Compliance Officer who can also handle the responsibilities of the MLRO, and the second person is the CEO of the crowdfunding platform operator;
(d) The business rules of the crowdfunding platform operator must make satisfactory provisions:
    (i) For the protection of investors/lenders and the public interest;
    (ii) To ensure proper functioning of the platform;
    (iii) To promote fairness and transparency;
    (iv) To manage any conflict of interest that may arise;
    (v) To promote fair treatment of its users or any person who subscribes for its services;
    (vi) To promote fair treatment of any person who is hosted, or applies to be hosted, on its platform;
    (vii) To ensure proper regulation and supervision of its users, or any person utilising or accessing its platform, including suspension and expulsion of such persons;
    (viii) To provide an avenue of appeal against the decisions of the licensed crowdfunding platform operator;
    (ix) To clarify the criteria for admission of lenders/investors and for their exclusion, suspension, expulsion and re-admission;
    (x) To describe the proposed technology, IT system and disaster recovery plan; and
    (xi) For the oversight and controls over outsourced activities, if any.
Amended: April 2022
Added: October 2017
AU-4.7 Additional Requirements for Payment Service Providers, PISPs and AISPs
Business plan
AU-4.7.1
The business plan must include an indication of and a description of the type and expected volume of the activities for the next three years. The business plan to be provided by the applicant must contain:
(a) a marketing plan consisting of:
    (i) an analysis of the company's competitive position;
    (ii) a description of account information service users in the account information market segment concerned, marketing materials and distribution channels;
(b) certified annual accounts for the previous three years, if available, or a summary of the financial situation for those applicants that have not yet produced annual accounts;
(c) a forecast budget for the first three financial years that demonstrates that the applicant is able to employ appropriate and proportionate systems, resources and procedures that allow the applicant to operate soundly; it must include:
    (i) an income statement and balance-sheet forecast, including target scenarios and stress scenarios as well as their base assumptions such as number of clients, pricing and expected increase in profitability threshold;
    (ii) explanations of the main lines of income and expenses, the financial debts and the capital assets;
    (iii) a diagram and detailed breakdown of the estimated cash flows for the next three years.
Added: December 2018
Programme of Operations
AU-4.7.2
The programme of operations to be provided by the applicant must contain the following information:
(a) a description of the services that are intended to be provided, including an explanation of how the applicant determined that the activity fits the definition of regulated ancillary services;
(b) a declaration of the applicant that they will not enter at any time into possession of client funds;
(c) a description of the service including:
    (i) draft contracts between all the parties involved, if applicable;
    (ii) terms and conditions of the provision of the services;
    (iii) processing times;
(d) the estimated number of different premises from which the applicant intends to provide the services, if applicable;
(e) a description of the proposed ancillary services;
(f) a declaration of whether or not the applicant intends to provide services in another country once licensed;
(g) a description of the relevant operational outsourcing arrangements consisting of:
    (i) the identity and geographical location of the outsourcing provider;
    (ii) the identities of the persons within the ancillary services provider that are responsible for each of the outsourced activities;
    (iii) a detailed description of the outsourced activities and their main characteristics; and
(h) a copy of draft outsourcing agreements.
Added: December 2018
Governance arrangements and internal control mechanisms
AU-4.7.3
The applicant must provide a description of the governance arrangement and the internal control mechanisms consisting of:
(a) a mapping of the risks identified by the applicant, including the type of risks and the procedures the applicant will put in place to assess and prevent such risks;
(b) the different procedures to carry out periodical and permanent controls including the frequency and the human resources allocated;
(c) the identity of the person(s) responsible for the internal control functions, including for periodic, permanent and compliance control, as well as an up-to-date curriculum vitae;
(d) the composition of the management body and, if applicable, of any other oversight body or committee;
(e) a description of the way outsourced functions are monitored and controlled so as to avoid an impairment in the quality of the applicant's internal controls;
(f) a description of the way any agents and branches are monitored and controlled within the framework of the applicant's internal controls;
(g) where the applicant is the subsidiary of a regulated entity in another country, a description of the group governance.
Added: December 2018
Business continuity arrangements
AU-4.7.4
The applicant should provide a description of the business continuity arrangements consisting of the following information:
(a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
(b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
(c) an explanation of how the applicant will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons;
(d) the frequency with which the applicant intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
Added: December 2018
Internal Control Mechanisms to comply with AML/CFT obligations
AU-4.7.5
The applicant must establish a description of the internal control mechanisms containing, where applicable, the following information:
(a) the applicant's assessment of the money laundering and terrorist financing risks associated with its business;
(b) the measures the applicant has or will put in place to mitigate the risks and comply with applicable anti-money laundering and counter terrorist financing obligations, including the applicant's risk assessment process, the policies and procedures to comply with customer due diligence requirements, and the policies and procedures to detect and report suspicious transactions or activities;
(c) arrangements the applicant has or will put in place to ensure that staff and agents are appropriately trained in anti-money laundering and counter terrorist financing matters;
(d) the identity of the person in charge of ensuring the applicant's compliance with anti-money laundering and counter-terrorism obligations, and evidence that their anti-money laundering and counter-terrorism expertise is sufficient to enable them to fulfil this role effectively;
(e) the systems and controls the applicant has or will put in place to ensure that its anti-money laundering and counter terrorist financing policies and procedures remain up to date, effective and relevant;
(f) the systems and controls the applicant has or will put in place to ensure that the agents do not expose the applicant to increased money laundering and terrorist financing risk; and
(g) the draft anti-money laundering and counter terrorism manual for the staff of the applicant (to be provided following receipt of in-principle approval from the CBB).
Added: December 2018
Procedure for monitoring, handling, and following up on security incidents and security-related customer complaints
AU-4.7.6
The applicant should provide a procedure for monitoring, handling and following up on security incidents and security-related customer complaints, containing, but not limited to, the following information:
(a) organisational measures and tools for the prevention of cyber events and fraud;
(b) details of the individual(s) and bodies responsible for assisting customers in cases of fraud, technical issues and/or claims;
(c) reporting lines in cases of fraud;
(d) the contact point for customers, including a name and email address;
(e) the procedures for the reporting of incidents, including the communication of these reports to internal or external bodies, including notification of major incidents to national competent authorities;
(f) the monitoring tools used and the follow-up measures and procedures in place to mitigate security risks.
Added: December 2018
Process for filing, monitoring, tracking and restricting access to sensitive payment data
AU-4.7.7
The PISP and PSP should provide a description of the process in place to file, monitor, track and restrict access to sensitive payment data consisting of, but not limited to, the following:
(a) a description of the flows of data classified as sensitive payment data in the context of the applicant's business model;
(b) the procedures in place to authorise access to sensitive payment data;
(c) a description of the monitoring tool;
(d) the access right policy, detailing access to all relevant infrastructure components and systems, including databases and back-up infrastructures;
(e) a description of how the collected data are encrypted such that the applicant will not be able to read or store it;
(f) the expected internal and/or external use of the collected data;
(g) the IT system and technical security measures that have been implemented including encryption and/or tokenisation;
(h) confirmation that access to sensitive customer data is not available to the applicant;
(i) an explanation of how breaches will be detected and addressed; and
(j) an annual internal control programme in relation to the safety of the IT systems.
Added: December 2018
Security policy documentation
AU-4.7.8
The applicant should provide a security policy document containing the following information:
(a) a detailed risk assessment of the service(s) the applicant intends to provide, which should include risks of fraud and the security control and mitigation measures taken to adequately protect service users against the risks identified;
(b) a description of the IT systems, which should include:
    (i) the architecture of the systems and their network elements;
    (ii) the business IT systems supporting the business activities provided, such as the applicant's website, wallets, the payment engine, the risk and fraud management engine, and customer accounting;
    (iii) the support IT systems used for the organisation and administration of the applicant, such as accounting, legal reporting systems, staff management, customer relationship management, e-mail servers and internal file servers;
    (iv) information on whether those systems are already used by the applicant or its group, and the estimated date of implementation, if applicable;
    (v) the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
    (vi) the logical security measures and mechanisms in place, specifying the control the applicant will have over such access as well as the nature and frequency of each control, such as technical versus organisational; preventative versus detective; and real-time monitoring versus regular reviews, such as the use of an active directory separate from the group, the opening/closing of communication lines, security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
(c) the logical security measures and mechanisms that govern the internal access to IT systems, which should include:
    (i) the technical and organisational nature and frequency of each measure, such as whether it is preventative or detective and whether or not it is carried out in real time;
    (ii) how the issue of client environment segregation is dealt with in cases where the applicant's IT resources are shared;
(d) the physical security measures and mechanisms of the premises and the data centre of the applicant, such as access controls and environmental security;
(e) the security of the payment processes, which should include:
    (i) the customer authentication procedure used for both consultative and transactional access, and for all underlying payment instruments;
    (ii) an explanation of how safe delivery to the legitimate payment service user and the integrity of authentication factors, such as hardware tokens and mobile applications, are ensured, at the time of both initial enrolment and renewal;
    (iii) a description of the systems and procedures that the applicant has in place for transaction analysis and the identification of suspicious or unusual transactions;
(f) a detailed risk assessment in relation to its payment services, including fraud, with a link to the control and mitigation measures explained in the application file, demonstrating that the risks are addressed;
(g) a list of the main written procedures in relation to the applicant's IT systems or, for procedures that have not yet been formalised, an estimated date for their finalisation.
Added: December 2018
AU-4.7.9
AISPs/PISPs must submit a report of an independent review undertaken by a third-party expert confirming compliance with the Bahrain Open Banking Framework prior to going live. The detailed scope and procedures for such review and the appointment of the third party expert must be approved by CBB.
Added: July 2021
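Paragraphs AU-4.7.7 and AU-4.7.8 above require applicants to describe how access to sensitive payment data is authorised, monitored and restricted, how the data are encrypted or tokenised so that the applicant itself cannot read them, and how breaches are detected. The following is an added illustration of the kind of control such a description would cover; it is not CBB text and not any applicant's documented system. The role names, permitted operations, sample card number and denial threshold are constructed for the example.

```python
"""Added illustration (not CBB text, nor any applicant's system): a minimal
tokenisation vault for sensitive payment data with an access-right policy,
an audit trail and a simple breach detector. Role names, operations and the
sample PAN used in the usage are constructed for this example."""
import hashlib
import hmac
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed access-right policy: role -> operations it is permitted to perform.
ACCESS_POLICY = {
    "payment-engine": {"tokenise", "match"},   # ingests PANs, matches them later
    "customer-support": {"mask"},              # may see only the last four digits
}


@dataclass
class AuditEvent:
    actor: str
    role: str
    operation: str
    token: Optional[str]   # the log records tokens, never the PAN itself
    allowed: bool


class AccessDenied(Exception):
    pass


class TokenVault:
    """Stores, per token, only a masked PAN and a keyed digest of the PAN, so
    the operator can match a presented PAN against a token but cannot read or
    reconstruct the clear value from what it holds."""

    def __init__(self) -> None:
        self._vault: Dict[str, Tuple[str, str]] = {}
        self.audit_log: List[AuditEvent] = []
        # Digest key; in a real deployment this would live in an HSM or KMS.
        self._mac_key = secrets.token_bytes(32)

    def _authorise(self, actor: str, role: str, op: str,
                   token: Optional[str] = None) -> None:
        """Check the access-right policy and record the attempt, allowed or not."""
        allowed = op in ACCESS_POLICY.get(role, set())
        self.audit_log.append(AuditEvent(actor, role, op, token, allowed))
        if not allowed:
            raise AccessDenied(f"role {role!r} is not permitted to {op}")

    def _digest(self, pan: str) -> str:
        return hmac.new(self._mac_key, pan.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def mask_pan(pan: str) -> str:
        return "*" * (len(pan) - 4) + pan[-4:]

    def tokenise(self, actor: str, role: str, pan: str) -> str:
        """Replace a PAN with an opaque token; the clear PAN is never stored."""
        self._authorise(actor, role, "tokenise")
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = (self.mask_pan(pan), self._digest(pan))
        return token

    def mask(self, actor: str, role: str, token: str) -> str:
        """Return the masked form, the only view a support role is granted."""
        self._authorise(actor, role, "mask", token)
        return self._vault[token][0]

    def match(self, actor: str, role: str, token: str, pan: str) -> bool:
        """Constant-time comparison of a presented PAN against the stored digest."""
        self._authorise(actor, role, "match", token)
        return hmac.compare_digest(self._vault[token][1], self._digest(pan))

    def suspicious_actors(self, threshold: int = 2) -> List[str]:
        """Breach detection over the audit trail: actors with repeated policy denials."""
        denials = Counter(e.actor for e in self.audit_log if not e.allowed)
        return sorted(a for a, n in denials.items() if n >= threshold)


if __name__ == "__main__":
    # Constructed usage: a test card number, not real cardholder data.
    vault = TokenVault()
    tok = vault.tokenise("svc-payments", "payment-engine", "4111111111111111")
    print(tok, vault.mask("agent-07", "customer-support", tok))
    try:
        vault.match("agent-07", "customer-support", tok, "4111111111111111")
    except AccessDenied as exc:
        print("denied:", exc)
    print("suspicious:", vault.suspicious_actors(threshold=1))
```

The vault holds only a masked value and a keyed digest per token, so a compromise of the store yields no clear card numbers, which is the property item (e) asks the applicant to describe; the audit trail records tokens rather than card numbers, and suspicious_actors gives a simple detective control over repeated policy denials of the kind item (i) expects to be explained.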