• GR Ancillary Service Providers General Requirements Module

    • GR-A Introduction

      • GR-A.1 Purpose

        • Executive Summary

          • GR-A.1.1

            Module GR presents a variety of requirements that are not extensive enough to warrant their own stand-alone Module but are, for the most part, generally applicable. These include general requirements on confidentiality, books and records, publication of documents, the distribution of dividends, controllers, close links and suspension of business. Specific requirements for TPAs and credit reference bureaus are also included. Each set of requirements is contained in its own Chapter.

            April 2016

        • Legal Basis

          • GR-A.1.2

            This Module contains the Central Bank of Bahrain ('CBB') Directive (as amended from time to time) regarding general requirements applicable to ancillary service provider licensees, and is issued under the powers available to the CBB under Article 38 of the Central Bank of Bahrain and Financial Institutions Law 2006 and its amendments ('CBB Law'). Requirements regarding controllers (see Chapter GR-7) are also included in Regulations, to be issued by the CBB.

            April 2016

          • GR-A.1.3

            For an explanation of the CBB's rule-making powers and different regulatory instruments, see section UG-1.1.

            April 2016

      • GR-A.2 Module History

        • Evolution of Module

          • GR-A.2.1

            This Module was first issued in April 2016 by the CBB. Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made. Chapter UG-3 provides further details on Rulebook maintenance and version control.

            April 2016

          • GR-A.2.2

            A list of recent changes made to this Module is detailed in the table below:

            | Module Ref. | Change Date | Description of Changes |
            | --- | --- | --- |
            | GR-9.1.8 | 10/2016 | Added a Rule in the Cessation of Business Section to be consistent with other Volumes of the CBB Rulebook. |
            | GR-4.3.8 | 01/2017 | Amended Paragraph reference. |
            | GR-7.1.6 | 01/2017 | Consistency of notification timeline rule on controllers with other Volumes of the CBB Rulebook. |
            | GR-2.2.1 | 07/2017 | Amended paragraph according to the Legislative Decree No. (28) of 2002. |
            | GR-2.2.2 | 07/2017 | Deleted paragraph. |
            | GR-5A.1 | 10/2017 | Added a chapter on "General Requirements for Financing-Based Crowdfunding Platform Operators". |
            | GR-5A.2 | 10/2017 | Additional requirements for "Shari'a-Compliant Financing-Based Crowdfunding Platform Operators". |
            | GR-6.1.3 | 10/2017 | Added additional requirement to submit when requesting no-objection letter for proposed dividends. |
            | GR-5A.1.4 | 10/2018 | Amended Paragraph to further clarify the scope of exemption. |
            | GR-10 | 11/2018 | Amended Paragraph to further clarify the scope of exemption. |
            | GR-11 | 11/2018 | Added new Section on Outsourcing. |
            | GR-5A.1.4 | 01/2019 | Amended Paragraph on maximum credit provided to each borrower under a crowdfunding agreement. |
            | GR-5A.1.5 | 01/2019 | Amended Paragraph. |
            | GR-5A.1.8 | 01/2019 | Amended Paragraph. |
            | GR-5A.1.11A | 01/2019 | Added a new Paragraph on the minimum time to withdraw a commitment. |
            | GR-5B.1 | 04/2019 | Added a Chapter on "Physical Security measures for Payment Service Providers owning or Operating Cash Dispensing Machines (CDMs) or Kiosks". |
            | GR-5B.2 | 04/2019 | Additional requirements for "CDM/Kiosk Security Measures: Hardware/Software". |
            | GR-7.1.1A | 04/2019 | Added a new Paragraph on exposure to controllers. |
            | GR-7.1.1B | 04/2019 | Added a new Paragraph on exposure to controllers. |
            | GR-5B.1.13 | 07/2019 | Added a new Paragraph on Europay, MasterCard and Visa (EMV) Compliance. |
            | GR-5B.1.14 & GR-5B.1.15 | 10/2019 | Added new Paragraphs on Contactless Payment Transactions. |
            | GR-2.2.1 | 01/2020 | Amended Paragraph. |
            | GR-9.1.8 | 04/2020 | Amended Paragraph. |
            | GR-10.3.14 | 04/2020 | Amended Paragraph adding reference to CBB consumer protection. |
            | GR-10.5.6 | 04/2020 | Amended Paragraph adding reference to CBB consumer protection. |
            | GR-10.7.1 - GR-10.7.3 | 04/2020 | Amended Paragraphs adding reference to CBB consumer protection. |
            | GR-5B.1.13A | 07/2020 | Added a new Paragraph on contactless payment. |
            | GR-C | 10/2020 | Added a new Chapter on Provision of Financial Services on a Non-discriminatory Basis. |
            | GR-12 | 01/2021 | Added a new Chapter on Information Security. |

    • GR-B Scope of Application

      • GR-B.1 Ancillary Service Provider Licensees

        • GR-B.1.1

          Unless otherwise indicated, the requirements in this Module apply to all ancillary service provider licensees, hereafter referred to in this Module as licensees.

          April 2016

    • GR-C Provision of Financial Services on a Non-discriminatory Basis

      • GR-C.1 Provision of Financial Services on a Non-discriminatory Basis

        • GR-C.1.1

          Ancillary service provider licensees must ensure that all regulated financial services are provided without any discrimination based on gender, nationality, origin, language, faith, religion, physical ability or social standing.

          Added: October 2020

    • GR-1 Confidentiality

      • GR-1.1 General Requirements

        • GR-1.1.1

          Licensees must ensure that any information in their control or custody is not used or disclosed unless:

          (a) They have the customer's or licensee's written consent;
          (b) Disclosure is made in accordance with the licensee's regulatory obligations; or
          (c) The licensee and members of the credit reference bureau are legally obliged to disclose the information in accordance with Article 117 of the CBB Law.
          April 2016

        • GR-1.1.2

          Ancillary service providers must take appropriate steps to ensure the security of any information handled for their customers or held on behalf of other CBB licensees.

          April 2016

    • GR-2 Books and Records

      • GR-2.1 General Requirements

        • GR-2.1.1

          In accordance with Article 59 of the CBB Law, all licensees must maintain books and records (whether in electronic or hard copy form) sufficient to produce financial statements and show a complete record of the business undertaken by a licensee. These records must be retained for at least ten years according to Article 60 of the CBB Law.

          April 2016

        • GR-2.1.2

          Paragraph GR-2.1.1 includes accounts, books, files and other records related to client information (e.g. trial balance, general ledger, reconciliations, list of counterparties, etc.). It also includes records that substantiate the value of the assets and liabilities.

          April 2016

        • GR-2.1.3

          Separately, Bahrain Law currently requires other transaction records to be retained for at least five years (see Ministerial Order No. 23 of 2002, Article 5(2), made pursuant to the Amiri Decree Law No. 4 of 2001).

          April 2016

        • GR-2.1.4

          Unless otherwise agreed to by the CBB in writing, records must be kept in either English or Arabic. Any records kept in languages other than English or Arabic must be accompanied by a certified English or Arabic translation. Records must be kept current. The records must be sufficient to allow an audit of the licensee's business or an on-site examination of the licensee by the CBB.

          April 2016

        • GR-2.1.5

          Translations produced in compliance with Rule GR-2.1.4 may be undertaken in-house, by an employee or contractor of the licensee, provided they are certified by an appropriate officer of the licensee.

          April 2016

        • GR-2.1.6

          Records must be accessible at any time from within the Kingdom of Bahrain, or as otherwise agreed with the CBB in writing.

          April 2016

        • GR-2.1.7

          Where older records have been archived, the CBB may accept that records be accessible within a reasonably short time frame (e.g. within 5 business days), instead of immediately. The CBB may also agree similar arrangements where elements of record retention and management have been centralised in another group company, whether inside or outside of Bahrain.

          April 2016

        • GR-2.1.8

          Paragraphs GR-2.1.1 to GR-2.1.7 apply to licensees, with respect to all business activities.

          April 2016

      • GR-2.2 Transaction Records

        • GR-2.2.1

          Licensees must keep completed transaction records for as long as they are relevant for the purposes for which they were made (with a minimum period in all cases of five years from the date when the transaction was terminated). Records of terminated transactions must be kept whether in hard copy or electronic format as per the Legislative Decree No. (54) of 2018 with respect to Electronic Transactions “The Electronic Communications and Transactions Law” and its amendments.

          Amended: January 2020
          Amended: July 2017
          Added: April 2016

        • GR-2.2.2

          [This Paragraph was deleted in July 2017].

          Deleted: July 2017
          April 2016

        • GR-2.2.3

          Rule GR-2.2.1 applies only to transactions relating to business booked in Bahrain by the licensee.

          April 2016

      • GR-2.3 Other Records

        • Corporate Records

          • GR-2.3.1

            Licensees must maintain the following records in original form or in hard copy at their premises in Bahrain:

            (a) Internal policies, procedures and operating manuals;
            (b) Corporate records, including minutes of shareholders', Directors' and management meetings;
            (c) Correspondence with the CBB and records relevant to monitoring compliance with CBB requirements;
            (d) Reports prepared by the licensee's internal and external auditors; and
            (e) Employee records.
            April 2016

        • Customer Records

          • GR-2.3.2

            Record-keeping requirements with respect to customer records, including customer identification and due diligence records, are contained in Module FC (Financial Crime).

            April 2016

    • GR-3 Publication of Documents by the Licensee

      • GR-3.1 General Requirements

        • GR-3.1.1

          Any written communication, including stationery, business cards or other business documentation published by the licensee, or used by its employees must include a statement that the licensee is regulated by the Central Bank of Bahrain, the type of license and the legal status.

          April 2016

    • GR-4 General Requirements for TPAs

      • GR-4.1 Compensation

        • GR-4.1.1

          A TPA's compensation may be determined:

          (a) As a percentage of the claims processed by the TPA; or
          (b) On another basis as specified in the written agreement.
          April 2016

      • GR-4.2 Code of Conduct

        • GR-4.2.1

          TPAs are allowed to enter into agreements with more than one:

          (a) Insurance firm; and/or
          (b) Self-funded scheme outside of Bahrain.
          April 2016

        • GR-4.2.2

          TPAs must not charge any kind of fees to the claimants/policyholders.

          April 2016

        • GR-4.2.3

          TPAs must not market or sell insurance nor own any part of a healthcare facility or company.

          April 2016

        • GR-4.2.4

          Where a TPA owns any part of a healthcare facility or company at the time this Module is issued, it will be permitted to retain its ownership in the company.

          April 2016

        • GR-4.2.5

          TPAs must act in the insurance firm's and/or self-funded scheme's (limited to outside Bahrain) best interests at all times and must fulfill their needs to the best of their ability.

          April 2016

        • GR-4.2.6

          TPAs must improve the skills of their employees and increase their knowledge through continuing education and training.

          April 2016

        • GR-4.2.7

          TPAs must disclose to the existing and prospective insurance firm and/or self-funded scheme (limited to outside Bahrain) any and all information that may affect the TPA's ability to provide services and/or advice to the clients.

          April 2016

        • GR-4.2.8

          TPAs must ensure that all client funds collected and/or held by the TPA are used for the express purpose for which the funds are collected and/or held as understood by the insurance firm and/or self-funded scheme (limited to outside Bahrain).

          April 2016

        • GR-4.2.9

          TPAs must fully disclose to each insurance firm and/or self-funded scheme (limited to outside Bahrain) the terms of engagement and the services to be rendered to that client.

          April 2016

      • GR-4.3 Segregation of Funds

        • GR-4.3.1

          All funds remitted to a TPA by an insurance firm and/or self-funded scheme (limited to outside Bahrain) must be held by the TPA in a separate account maintained in the name of the insurance firm and/or self-funded scheme (limited to outside Bahrain) or in a separate account maintained jointly in the names of the insurance firm and/or self-funded scheme (limited to outside Bahrain) and the TPA.

          April 2016

        • GR-4.3.2

          When funds are collected by a TPA from a healthcare provider on behalf of an insurance firm and/or self-funded scheme (limited to outside Bahrain), such funds must be promptly deposited in a separate account maintained in the name of the insurance firm and/or self-funded scheme (limited to outside Bahrain) or an account maintained jointly in the names of the insurance firm and/or self-funded scheme (limited to outside Bahrain) and the TPA, or remitted to the insurance firm and/or self-funded scheme (limited to outside Bahrain), as provided for in the agreement.

          April 2016

        • GR-4.3.3

          When an account is held jointly in the names of the insurance firm and/or self-funded scheme (limited to outside Bahrain) and the TPA, the TPA must provide the insurance firm and/or self-funded scheme (limited to outside Bahrain) on a monthly basis a record of all transactions in the joint account.

          April 2016

        • GR-4.3.4

          Funds must not be commingled with any other funds of the TPA nor with those of any other insurance firm and/or self-funded scheme (limited to outside Bahrain) of the TPA. Records of a TPA must clearly show funds received and paid out, allocated per insurance firm and/or self-funded scheme (limited to outside Bahrain), and must be made available to the insurance firm and/or self-funded scheme (limited to outside Bahrain) upon request.

          April 2016

        • GR-4.3.5

          An insurance firm and/or self-funded scheme (limited to outside Bahrain) shall have the responsibility to make available to the TPA funds necessary to enable the TPA to pay claims in a timely manner, as provided in the agreement.

          April 2016

        • GR-4.3.6

          TPAs must process and settle claims of the policyholder/claimant within 15 calendar days from the receipt of all necessary documents.

          April 2016

        • GR-4.3.7

          TPAs must process and settle claims from healthcare service providers within 30 calendar days from the receipt of all necessary documents from the healthcare service providers.

          April 2016

        • GR-4.3.8

          TPAs must comply with Paragraphs GR-4.3.6 and GR-4.3.7 by 30th September 2016 at the latest.

          Amended: January 2017
          April 2016

      • GR-4.4 Content of Written Agreement

        • GR-4.4.1

          A TPA must not conduct any business with an insurance firm and/or self-funded scheme (limited to outside Bahrain) in the absence of a written agreement between the TPA and the insurance firm and/or self-funded scheme (limited to outside Bahrain). The agreement must be retained as part of the official records of the TPA for the duration of the agreement.

          April 2016

        • GR-4.4.2

          The agreement referred to in Paragraph GR-4.4.1 must include at a minimum:

          (a) The services to be provided by the TPA on behalf of the insurance firm and/or self-funded scheme (limited to outside Bahrain);
          (b) Financial arrangements;
          (c) Provisions setting forth the respective liability of the insurance firm and/or self-funded scheme (limited to outside Bahrain) and the TPA for the accuracy and eligibility of submitted claims, and for the prompt submission of claims; and
          (d) The responsibilities of the TPA to the insurance firm and/or self-funded scheme (limited to outside Bahrain) with respect to the maintenance of appropriate back-up systems against the loss of records, and the maintenance of appropriate insurance coverage by the TPA against the risk of loss.
          April 2016

      • GR-4.5 Prohibition of Collection of Premiums/Contributions

        • GR-4.5.1

          TPAs are prohibited from collecting premiums/contributions from policyholders. Premiums/contributions must be paid directly by the policyholders to insurance firms.

          April 2016

    • GR-5 General Requirements for Credit Reference Bureaus

      • GR-5.1 Code of Practice

        • GR-5.1.1

          Credit reference bureaus must comply with the Code of Practice (Appendix CM-3 under Volumes 1 and 2 of the CBB Rulebook).

          April 2016

    • GR-5A General Requirements for Financing-Based Crowdfunding Platform Operators

      • GR-5A.1 General Requirements for Financing-Based Crowdfunding Platform Operators

        • GR-5A.1.1

          A crowdfunding platform operator must become a member of the Bahrain Credit Reference Bureau.

          Added: October 2017

        • GR-5A.1.2

          A crowdfunding platform operator must make arrangements with a local retail bank (which holds the appropriate CBB license) to facilitate transactions, whereby:

          i. Lenders must prefund the full committed amount by depositing it at the designated licensed retail bank in the Kingdom of Bahrain. The name of the retail bank must be disclosed to the CBB; and
          ii. The crowdfunding platform operator must designate an escrow account as an aggregate account for all borrowers. The crowdfunding platform operator must maintain within its records separate sub-accounts for each borrower. The name of the designated bank must be provided to the lenders.
          Added: October 2017

        • GR-5A.1.3

          Crowdfunding platform operators must make sure that the lending thresholds and the prescribed tenors for the loans, as prescribed in GR-5A.1.3 to GR-5A.1.6, are all met.

          Added: October 2017

        • GR-5A.1.4

          Under a crowdfunding agreement, the amount of credit provided must be less than or equal to BD 500,000 in aggregate, per borrower, in any given calendar year, except where, subject to the CBB's prior written approval, the funding raised is to be used for a Government of Bahrain-led initiative/project. Additionally, the tenor of loans must not exceed 5 years.

          Amended: January 2019
          Amended: October 2018
          Added: October 2017

        • GR-5A.1.5

          All lenders intending to participate in a crowdfunding platform must fill out the 'Self Declaration Form' declaring that they meet this requirement.

          Amended: January 2019
          Added: October 2017

        • GR-5A.1.6

          The minimum subscription to be received in a crowdfunding offer must not be less than 80% of the crowdfunding offer size. In the event that the borrower is unable to receive the minimum required loan subscription, all subscription monies received must be refunded to the lenders within 7 calendar days of the closing date of the crowdfunding offer.

          Added: October 2017

        • GR-5A.1.7

          In case of over-subscription, the crowdfunding platform operator must ensure that no funding is made to the borrower in excess of the original offer size. Also, the lenders must get a proportionate share of the crowdfunding offer size.

          Added: October 2017

        • GR-5A.1.8

          The lender in a crowdfunding agreement has to be an accredited investor or an expert investor (as defined in the CBB Rulebook, Volume 4).

          Amended: January 2019
          Added: October 2017

        • GR-5A.1.9

          Crowdfunding platform operators are responsible for checking that the 'Self-Declaration' form has been signed and submitted by the lenders, prior to investing in borrowings arranged through the platform.

          Added: October 2017

        • GR-5A.1.10

          The 'Self-Declaration Form' must include, amongst other things, a declaration that the lender will meet the lending thresholds imposed by the CBB and an acknowledgment that they may lose all or part of their funds invested.

          Added: October 2017

        • GR-5A.1.11

          Crowdfunding platform operators must demonstrate to the CBB that they have devised appropriate consumer protection standards.

          Added: October 2017

        • GR-5A.1.11A

          Crowdfunding platform operators must allow persons (whether natural or legal) who commit to a borrower on a crowdfunding platform, a minimum of 48 hours from the time the commitment is made, to withdraw the commitment. No fee or penalty must be charged to such persons if a commitment is withdrawn.

          Added: January 2019

        • GR-5A.1.12

          Crowdfunding platform operators must ensure that sufficient information is available to lenders on the profiles of the borrowers, by relying on the information disclosed by the borrowers in the 'Standard Forms for Borrowers' and the related required documents to be submitted by the borrowers, thus allowing lenders to make informed lending decisions. Moreover, the documentation must state the governing law for the financing transaction. The disclosure of such information shall be on standard CBB-prescribed templates. Additionally, such information must be provided to potential lenders before they agree to commit to lending. In cases where the borrower is not based in the Kingdom of Bahrain, adequate disclosure on the governing law and cross-border risks must be provided to the potential lenders.

          Added: October 2017

        • GR-5A.1.13

          It is the responsibility of the lenders to perform their own creditworthiness assessments on the borrowers and other related due diligence before making any commitment to lend.

          Added: October 2017

        • GR-5A.1.14

          Crowdfunding platform operators must comply with the Financial Crime Module of Rulebook Volume 5 under 'Common Modules' with respect to Anti-Money Laundering and Combating the Financing of Terrorism requirements.

          Added: October 2017

        • GR-5A.1.15

          Crowdfunding platform operators must establish effective systematic internal procedures for establishing and verifying the identity of lenders and the source of their funds. They must undertake lender due diligence ('KYC') by requiring lenders to fill out the 'Standard Lender Form', along with submitting the required related documents, including the FATCA report.

          Added: October 2017

        • GR-5A.1.16

          The "Standard Lender Form" referred to in Paragraph GR-5A.1.15 shall be provided by the CBB under Part B of Rulebook Volume 5 (Ancillary Service Providers).

          Added: October 2017

        • GR-5A.1.17

          Crowdfunding platform operators must establish a framework which sets out policies and procedures to effectively and efficiently manage conflicts of interest. Such conflicts must be managed in a timely manner.

          Added: October 2017

        • GR-5A.1.18

          Crowdfunding platform operators must have a fair dealing policy for excluding a borrower from using the crowdfunding platform if there is adequate reason to believe that the borrower, in relation to any loan arrangements, has:

          i. Engaged in a conduct that is misleading or deceptive or likely to mislead or deceive; or
          ii. Made a false or misleading representation; or
          iii. Made an unsubstantiated representation.
          Added: October 2017

        • GR-5A.1.19

          Crowdfunding platform operators are responsible for tracking the performance of the loan portfolios and are required to disclose this information to the lenders and the CBB on a quarterly basis as per the templates to be specified by the CBB. The information provided by the Crowdfunding Platform Operators must be clear, fair, relevant and not misleading.

          Added: October 2017

        • GR-5A.1.20

          Crowdfunding platform operators are responsible for having Business Continuity and Disaster Recovery plans in place, which must be approved by the CBB, to ensure that all existing outstanding loans will continue to be administered if the platform collapses or goes out of business.

          Added: October 2017

        • GR-5A.1.21

          The CBB has the right to impose additional requirements on Crowdfunding Platform Operators, as and when it deems necessary.

          Added: October 2017

        • GR-5A.1.22

          Crowdfunding platform operators must clearly and publicly disclose their fees, charges and commissions.

          Added: October 2017

        • GR-5A.1.23

          Crowdfunding platform operators must have adequate financial resources to run their business and take on the needed risks.

          Added: October 2017

        • GR-5A.1.24

          Crowdfunding platform operators must have adequate non-financial resources (e.g. efficient management with sufficient knowledge of the business and adequate experience, IT strategy, controls and systems, etc.) required to run the business.

          Added: October 2017

        • GR-5A.1.25

          Crowdfunding platform operators must ensure cyber-security at all times, including having an independent consultant conduct IT security penetration testing semiannually.

          Added: October 2017

        • GR-5A.1.26

          Crowdfunding platform operators must maintain relevant systems in place for mitigating and managing operational and other risks.

          Added: October 2017

        • GR-5A.1.27

          Crowdfunding platform operators are obliged to exert their best efforts in following up the repayment process (collection of installments) from the borrowers on behalf of the lenders.

          Added: October 2017

        • GR-5A.1.28

          A crowdfunding platform operator must ensure that its officers, employees and their family members do not carry out the following activities through the crowdfunding platform:

          (a) Lend money or provide finance to a borrower;
          (b) Borrow money from a lender; or
          (c) Hold any direct or indirect interest in the capital or voting rights of a borrower or lender.
          Added: October 2017

        • GR-5A.1.29

          A crowdfunding platform operator itself may lend money to borrowers who use the platform, subject to:

          i. Obtaining the required license from the CBB for carrying out financial services of providing credit; and
          ii. Adequate disclosure on their website of the conflicts of interest which will arise for each transaction.
          Added: October 2017

      • GR-5A.2 Additional Requirements for Shari'a-Compliant Financing-Based Crowdfunding Platform Operators

        • GR-5A.2.1

          In addition to the requirements stipulated in Section GR-5A.1, Shari'a-compliant crowdfunding platform operators must comply with the requirements in this section.

          Added: October 2017

        • GR-5A.2.2

          Financing transactions arranged and introduced through a Shari'a-compliant crowdfunding platform operator must be Shari'a-compliant in nature. This means that the financing must be done based on a Shari'a-compliant financing contract (such as Murabaha, Ijarah, Salam, Istisna'a, etc.).

          Added: October 2017

        • GR-5A.2.3

          Shari'a-compliant crowdfunding platform operators must make arrangements with a local Islamic retail bank (which holds the appropriate CBB license) to facilitate transactions.

          Added: October 2017

        • GR-5A.2.4

          Shari'a-compliant crowdfunding platform operators must make an arrangement with one independent Shari'a Scholar to monitor, review and verify that the crowdfunding transactions, including documentation, structuring, financing as well as other administrative, marketing and operational matters are in full compliance with Shari'a rules and principles. The Shari'a Scholar to be appointed must fulfill the eligibility criteria outlined in the CBB's Shari'a Governance module.

          Added: October 2017

        • GR-5A.2.5

          The name of the Shari'a Scholar appointed, along with his brief profile, must be disclosed to the public.

          Added: October 2017

        • GR-5A.2.6

          For the purpose of Paragraph GR-5A.2.5, the Shari'a-compliant crowdfunding platform operators may use the services of a third party Shari'a advisory firm on an outsourced basis. The name of the outsourced Shari'a advisory firm, along with its credentials, must be disclosed to the public.

          Added: October 2017

        • GR-5A.2.7

          The Fatwa of the Shari'a Scholar/Shari'a Advisory firm, confirming that the crowdfunding transaction is in full compliance with Shari'a rules and principles, must be made available to financiers/investors before the crowdfunding transaction offer in order to enable them to make an informed decision.

          Added: October 2017

    • GR-5B Security Measures for Payment Service Providers Owning or Operating Cash Dispensing Machines (CDMs) or Kiosks

      • GR-5B.1 Physical Security Measures for Payment Service Providers Owning or Operating Cash Dispensing Machines (CDMs) or Kiosks

        • General Requirement

          • GR-5B.1.1

            Where CDMs/Kiosks are installed at an outdoor location, the Payment Service Providers (PSPs) must provide adequate shade covering the area above the customers and the machine.

            Added: April 2019

        • Record Keeping

          • GR-5B.1.2

            PSPs must record the details of the site risk assessments and retain such records for a period of five years from the date of the CDMs/Kiosks installation, or for any other period required by the Ministry of the Interior or the CBB from time to time, whichever is the longer.

            Added: April 2019

        • CDM/Kiosk Alarms

          • GR-5B.1.3

            In addition to alarming the premises, PSPs must alarm the CDM/Kiosk itself, in a way which activates audibly when the CDM/Kiosk is under attack. The system must be monitored by remote signaling to an appropriate local police response designated by the Ministry of Interior. PSPs must consider the following:

            (a) The design of the system must ensure that the CDMs/Kiosks have a panic alarm installed;
            (b) The design of the system must give an immediate, system-controlled warning of an attack on the CDMs/Kiosks, and all CDMs/Kiosks must be fitted with fully operational fraud detection and inhibiting devices;
            (c) A maintenance record must be kept for the alarm detection system and routine maintenance must be conducted in accordance with at least the manufacturer's recommendations. The minimum must be two planned maintenance visits and tests every 6 months; and
            (d) The alarm system must be monitored by the PSP's head office 24 hours daily. It must automatically generate an alarm signal if the telephone/internet line fails or is cut.
            Added: April 2019

        • Closed-circuit Television (CCTV)

          • GR-5B.1.4

            PSPs must ensure that the Cash Dispensing Machines (CDMs) and Kiosks owned and operated by them are equipped with closed-circuit television (CCTV). The location of camera installation must be carefully chosen to ensure that images of the CDM/Kiosk are recorded; however, keypad entry or the screen of the CDM/Kiosk must not be captured by the CCTV recording. The camera must support the detection of the attachment of alien devices to the fascia (external body) and possess the ability to generate an alarm for remote monitoring if the camera is blocked or otherwise disabled.

            Added: April 2019

          • GR-5B.1.5

            As a minimum, the CCTV activity must be recorded (preferably in digital format) and, where risk dictates, remotely monitored by the PSP's head office.

            Added: April 2019

          • GR-5B.1.6

            When a CDM or Kiosk is located in an area where a public CCTV system operates, the PSP must liaise with the authority responsible for the CCTV system to include the CDM/Kiosk site in any preset automatic camera settings and request regular sweeps of the site. The CCTV system must not be able to view the CDM/Kiosk keypad or screen, thereby preventing observation of PIN entry.

            Added: April 2019

          • GR-5B.1.7

            PSPs must ensure that the specifications of CCTV cameras meet the following minimum requirements:

            (a) Analogue Cameras:
            Resolution — Minimum 700 TVL
            Lens — Vari-focal lenses from 2.8 to 12mm
            Sensitivity — Minimum 0.5 Luminance (Lux) without Infrared (IR), 0 Lux with IR
            IR — At least 10 to 20 meters (Camera that detects motion); and
            (b) IP Cameras:
            Resolution — 2 MP — 1080 p
            Lens — Vari-focal lenses from 2.8 to 12mm
            Sensitivity — Minimum 0.5 Lux without IR, 0 Lux with IR
            IR — At least 10 to 20 meters.
            Added: April 2019

        • CCTV Network Systems

          • GR-5B.1.8

            Notices of CCTV cameras in operation must be put up for the attention of the public. CCTV records must be maintained for a minimum 45-day period. The transmission rate (in terms of the number of frames per second) must be high enough to make for effective monitoring. The CCTV system must be operational 24 hours per day.

            Added: April 2019

        • CDMs/Kiosks Lighting

          • GR-5B.1.9

            Banks must ensure that adequate and effective lighting is operational at all times within the CDMs/Kiosks environment. The standard of the proposed lighting must be agreed with the Ministry of the Interior and other relevant authorities, and tested at least once every three months to ensure that the lighting is in good working order.

            Added: April 2019

        • Fire Alarm

          • GR-5B.1.10

            PSPs must ensure that effective fire alarm and fire defense measures, such as a sprinkler, are installed and functioning for all CDMs/Kiosks. These alarms must be linked to the main offices of the PSP.

            Added: April 2019

        • Cash Replenishment

          • GR-5B.1.11

            All physical cash movements between PSP offices and offsite CDMs/Kiosks must be performed by specialized service providers.

            Added: April 2019

        • CDMs/Kiosks Service and Maintenance

          • GR-5B.1.12

            PSPs must maintain a list of all details on maintenance, replenishment and inspection visits by staff or other authorized parties.

            Added: April 2019

        • Europay, MasterCard and Visa (EMV) Compliance

          • GR-5B.1.13

            Prepaid cards issued by PSPs in the Kingdom of Bahrain must be EMV compliant. Moreover, all POSs, CDMs and Kiosks must be EMV compliant for accepting cards issued in the Kingdom of Bahrain. In this context, EMV compliant means using chip and online PIN authentication. However, contactless card payment transactions, where no PIN verification is required, are permitted for small amounts i.e. up to BD 20 per transaction, provided that licensees bear full responsibility in case of fraud occurrence.

            Added: July 2019

          • GR-5B.1.13A

            Where contactless payments use the Consumer Device Cardholder Verification Method (CDCVM) for payment authentication and approval, the authentication required for transactions above the BD 20 limit mentioned in Paragraph GR-5B.1.13 is not applicable, given that the customer has already been authenticated by his device using PIN, biometric or other authentication methods. This is only applicable where the debit/credit card of the customer has already been tokenized in the payment application.

            Added: July 2020

          • GR-5B.1.14

            Licensees must ensure, with effect from 1st October 2019, that any new POS terminals or devices support contactless payment using Near Field Communication "NFC" technology.

            Added: October 2019

          • GR-5B.1.15

            Licensees must ensure that any payment card issued or reissued on or after 12th October 2019 supports contactless payment using Near Field Communication "NFC" technology.

            Added: October 2019

      • GR-5B.2 GR-5B.2 CDM/Kiosk Security Measures: Hardware/ Software

        • GR-5B.2.1

          Entry to sensitive areas by the PSP staff or other authorized parties into the CDM/Kiosk environment/surroundings must be controlled, monitored and recorded. The names of the persons accessing the area; the date; and the time of access to and exit from the area must be recorded. CCTV cameras must be installed, and used to record all activities within the CDM/Kiosk environment.

          Added: April 2019

        • GR-5B.2.2

          The applicable standards relating to Payment Card Industry (PCI), PIN Transaction Security (PTS), and Point of Interaction (POI) requirements must, in all instances, be fully complied with.

          Added: April 2019

        • GR-5B-2.3

          PSPs must ensure that the integration of Secure Card Readers (SCRs) and, if applicable, any mechanism protecting the SCRs is properly implemented and fully complies with the guidelines provided by the device vendor. SCRs must be approved by and fully comply with all Payment Card Industry standards at all times.

          Added: April 2019

        • GR-5B-2.4

          PSPs must ensure that all CDMs/Kiosks are equipped with mechanisms which prevent skimming attacks. There must be no known or demonstrable way to disable or defeat the above-mentioned mechanisms, or to install an external or internal skimming device.

          Added: April 2019

    • GR-6 GR-6 Dividends

      • GR-6.1 GR-6.1 CBB Non-Objection

        • GR-6.1.1

          Licensees must obtain a letter of no-objection from the CBB to any dividend proposed, before announcing the proposed dividend by way of press announcement or any other means of communication and prior to submitting a proposal for a distribution of profits to a shareholder vote.

          April 2016

        • GR-6.1.2

          The CBB will grant a no-objection letter where it is satisfied that the level of dividend proposed is unlikely to leave the licensee vulnerable — for the foreseeable future — to breaching the CBB's capital requirements, taking into account (as appropriate) the licensee's liquidity.

          April 2016

        • GR-6.1.3

          To facilitate the prior approval required under Paragraph GR-6.1.1, licensees must provide the CBB with:

          (a) The licensee's intended percentage and amount of proposed dividends for the year;
          (b) A letter of no objection from the licensee's external auditor on such profit distribution; and
          (c) A detailed analysis of the impact of the proposed dividend on the capital requirements outlined in Section AU-2.5 and liquidity position of the licensee.
          Amended: October 2017
          April 2016

    • GR-7 GR-7 Controllers

      • GR-7.1 GR-7.1 Key Provisions

        • GR-7.1.1

          Licensees must obtain prior written approval from the CBB for any changes to their controllers (as defined in Section GR-7.2).

          April 2016

        • GR-7.1.2

          Condition 3 of the CBB's licensing conditions specifies, among other things, that licensees must satisfy the CBB that their controllers are suitable and pose no undue risks to the licensee (See Paragraph AU-2.3.1). There are also certain procedures which are set out in Articles 52 to 56 of the CBB Law on controllers.

          April 2016

        • GR-7.1.3

          Applicants for a license must provide details of their controllers, by submitting a duly completed Form 2 (Application for Authorisation of Controller). (See sub-Paragraph AU-4.1.4(a)).

          April 2016

        • GR-7.1.4

          Where a controller is a legal person, the controller must notify the CBB of any change in its shareholding at the earlier of:

          (a) When the change takes effect; and
          (b) When the controller becomes aware of the proposed change.
          April 2016

        • GR-7.1.5

          For approval under Paragraph GR-7.1.1 to be granted, the CBB must be satisfied that the proposed controller or increase in control poses no undue risks to the licensee or the financial system. The CBB may impose any restrictions that it considers necessary to be observed where approval is given for a new or a change in controller. A duly completed Form 2 (Controllers) must be submitted as part of the request for a change in controllers. An approval of controller will specify the applicable period for effecting the proposed acquisition of shares.

          April 2016

        • GR-7.1.6

          If, as a result of circumstances outside the licensee's knowledge and/or control, a change in controller is triggered prior to CBB approval being sought or obtained, the licensee must notify the CBB no later than 15 calendar days after the date on which those changes have occurred.

          Amended: January 2017
          April 2016

        • GR-7.1.7

          The approval provisions outlined above do not apply to existing holdings or existing voting control by controllers already approved by the CBB. The approval provisions apply to new/prospective controllers or to increases in existing holdings/voting control.

          April 2016

        • GR-7.1.8

          Licensees are required to notify the CBB as soon as they become aware of events that are likely to lead to changes in their controllers.

          April 2016

        • GR-7.1.9

          The criteria by which the CBB assesses the suitability of controllers are set out in Section GR-7.3. The CBB aims to respond to requests for approval within 30 calendar days and is obliged to reply within 3 months to a request for approval. The CBB may contact references and supervisory bodies in connection with any information provided to support an application for controller. The CBB may also ask for further information, in addition to that provided in Form 2, if required to satisfy itself as to the suitability of the applicant.

          April 2016

        • GR-7.1.10

          Licensees must submit, within 3 months of their financial year-end, a report on their controllers (See Subparagraph BR-1.1.3(d)). This report must identify all controllers of the licensee, as defined in Section GR-7.2, the extent of their shareholding interests and any change in their legal status or any adverse information on the controllers.

          April 2016

        • GR-7.1.1A

          Licensees must not incur or otherwise have an exposure (either directly or indirectly) to their controllers, including subsidiaries and associated companies of such controllers.

          Added: April 2019

        • GR-7.1.1B

          For the purpose of Paragraph GR-7.1.1A, licensees that already have an exposure to controllers must have an action plan agreed with the CBB's supervisory point of contact to address such exposures within a timeline agreed with the CBB.

          Added: April 2019

      • GR-7.2 GR-7.2 Definition of Controller

        • GR-7.2.1

          A controller of a licensee is a natural or legal person who either alone, or with his associates:

          (a) Holds 10% or more of the shares in the licensee ("L"), or is able to exercise (or control the exercise of) 10% or more of the voting power in L;
          (b) Holds 10% or more of the shares in a parent undertaking ("P") of L, or is able to exercise (or control the exercise of) 10% or more of the voting power in P; or
          (c) Is able to exercise significant influence over the management of L or P.
          April 2016

        • GR-7.2.2

          For the purposes of Paragraph GR-7.2.1, "associate" includes:

          (a) The spouse, son(s) or daughter(s) of a controller;
          (b) An undertaking of which a controller is a director;
          (c) A person who is an employee or partner of the controller; and
          (d) If the controller is a corporate entity, a director of the controller, a subsidiary of the controller, or a director of any subsidiary undertaking of the controller.
          April 2016

        • GR-7.2.3

          Associate also includes any other person or undertaking with which the controller has entered into an agreement or arrangement as to the acquisition, holding or disposal of shares or other interests in the licensee, or under which they undertake to act together in exercising their voting power in relation to the licensee.

          April 2016

      • GR-7.3 GR-7.3 Suitability of Controllers

        • GR-7.3.1

          All new controllers or prospective controllers (as defined in Section GR-7.2) of a licensee must obtain the prior written approval of the CBB. Any increases to existing controllers' holdings or voting control must also have prior written approval from the CBB and are subject to the conditions outlined in this Section. Such changes in existing controllers (as defined in the Section GR-7.2) or new/prospective controllers of a licensee must satisfy the CBB of their suitability and appropriateness. The CBB will issue an approval notice or notice of refusal of a controller according to the approval process outlined in Section GR-7.4.

          April 2016

        • GR-7.3.2

          All controllers or prospective controllers (whether natural or legal persons) of all licensees are subject to the approval of the CBB. Persons who intend to take ownership stakes of 10% or above of the voting capital of a licensee are subject to enhanced scrutiny, given the CBB's position as home supervisor of such licensees. The level of scrutiny and the criteria for approval become more onerous as the level of proposed ownership increases.

          April 2016

        • GR-7.3.3

          In assessing the suitability and the appropriateness of new/prospective controllers (and existing controllers proposing to increase their shareholdings) who are natural persons, the CBB has regard to their professional and personal conduct, including, but not limited to, the following:

          (a) The propriety of a person's conduct, whether or not such conduct resulted in conviction for a criminal offence, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
          (b) A conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
          (c) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
          (d) Whether the person has been the subject of any disciplinary proceeding by any government authority, regulatory agency or professional body or association;
          (e) The contravention of any financial services legislation or regulation;
          (f) Whether the person has ever been refused a license, authorisation, registration or other authority;
          (g) Dismissal or a request to resign from any office or employment;
          (h) Disqualification by a court, regulator or other competent body, as a Director or as a manager of a corporation;
          (i) Whether the person has been a Director, partner or manager of a corporation or partnership which has gone into liquidation or administration or where one or more partners or managers have been declared bankrupt whilst the person was connected with that partnership or corporation;
          (j) The extent to which the person has been truthful and open with regulators;
          (k) Whether the person has ever been adjudged bankrupt, entered into any arrangement with creditors in relation to the inability to pay due debts, or failed to satisfy a judgement debt under a court order or has defaulted on any debts;
          (l) The person's track record as a controller of, or investor in financial institutions;
          (m) The financial resources of the person and the likely stability of their shareholding;
          (n) Existing Directorships or ownership of more than 20% of the capital or voting rights of any financial institution in the Kingdom of Bahrain or elsewhere, and the potential for conflicts of interest that such Directorships or ownership may imply;
          (o) The legitimate interests of creditors and minority shareholders of the licensee;
          (p) If the approval of a person as a controller is or could be detrimental to the subject licensee, Bahrain's banking and financial sector or the national interests of the Kingdom of Bahrain; and
          (q) Whether the person is able to deal with existing shareholders and the board in a constructive and co-operative manner.
          April 2016

        • GR-7.3.4

          In assessing the suitability and appropriateness of legal persons as controllers (wishing to increase their shareholding) or new/potential controllers, the CBB has regard to their financial standing, judicial and regulatory record, and standards of business practice and reputation, including, but not limited to, the following:

          (a) The financial strength of the person, its parent(s) and other members of its group, its implications for the licensee and the likely stability of the person's shareholding;
          (b) Whether the person or members of its group have ever entered into any arrangement with creditors in relation to the inability to pay due debts;
          (c) The person's jurisdiction of incorporation, location of head office, group structure and connected counterparties and the implications for the licensee as regards effective supervision of the licensee and potential conflicts of interest;
          (d) The person's (and other group members') propriety and general standards of business conduct, including the contravention of any laws or regulations including financial services legislation or regulations, or the institution of disciplinary proceedings by a government authority, regulatory agency or professional body;
          (e) Any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud, misfeasance or other misconduct;
          (f) Any criminal actions instigated against the person or other members of its group, whether or not this resulted in an adverse finding;
          (g) The extent to which the person or other members of its group have been truthful and open with regulators and supervisors;
          (h) Whether the person has ever been refused a licence, authorisation, registration or other authority;
          (i) The person's track record as a controller of, or investor in financial institutions;
          (j) The legitimate interests of creditors and shareholders of the licensee;
          (k) Whether the approval of a controller is or could be detrimental to the subject licensee, Bahrain's financial sector or the national interests of the Kingdom of Bahrain;
          (l) Whether the person is able to deal with existing shareholders and the board in a constructive manner; and
          (m) Existing Directorships or ownership of more than 20% of the capital or voting rights of any financial institution in the Kingdom of Bahrain or elsewhere, and the potential for conflicts of interest that such Directorships or ownership may imply.
          April 2016

      • GR-7.4 GR-7.4 Approval Process

        • GR-7.4.1

          Within 3 months of receipt of an approval request under Paragraph GR-7.1.1, the CBB will issue an approval notice (with or without restrictions) or a written notice of refusal if it is not satisfied that the person concerned is suitable to increase his shareholding in, or become a controller of the licensee. The notice of refusal or notice of approval with conditions will specify the reasons for the objection or restriction and specify the applicant's right of appeal in either case. Where an approval notice is given, it will specify the period for which it is valid and any conditions that attach. These conditions will include the maximum permitted limit of holding or voting control exercisable by the controller.

          April 2016

        • GR-7.4.2

          Notices of refusal have to be approved by an Executive Director of the CBB. The applicant has 30 calendar days from the date of the notice in which to make written representation as to why his application should not be refused. The CBB then has 30 calendar days from the date of receipt of those representations to reconsider the evidence submitted and make a final determination, pursuant to Article 53 of the Central Bank of Bahrain and Financial Institutions Law (Decree No. 64 of 2006) ("CBB Law") and Module EN (Enforcement).

          April 2016

        • GR-7.4.3

          Pursuant to Article 56 of the CBB Law, where a person has become a controller by virtue of his shareholding in contravention of Paragraph GR-7.1.1, or a notice of refusal has been served to him under Paragraph GR-7.4.1 and the period of appeal has expired, the CBB may, by notice in writing served on the person concerned, direct that his shareholding shall be transferred or that, until further notice, no voting right shall be exercisable in respect of those shares.

          April 2016

        • GR-7.4.4

          Article 56 of the CBB Law empowers the CBB to take appropriate precautionary measures, or sell such shares mentioned in Paragraph GR-7.4.3, if the licensee fails to carry out the order referred to in the preceding Paragraph.

          April 2016

    • GR-8 GR-8 Close Links

      • GR-8.1 GR-8.1 Key Provisions

        • GR-8.1.1

          Condition 3 of the CBB's licensing conditions specifies, amongst other things, that licensees must satisfy the CBB that their close links do not prevent the effective supervision of the licensee and otherwise pose no undue risks to the licensee. (See Paragraph AU-2.3.1).

          April 2016

        • GR-8.1.2

          Applicants for a license must provide details of their close links, as provided for under Form 1 (Application for a License). (See Paragraph AU-4.1.1).

          April 2016

        • GR-8.1.3

          Licensees must submit to the CBB, within 3 months of their financial year-end, a report on their close links (See Subparagraph BR-1.1.3(b)). The report must identify all undertakings closely linked to the licensee, as defined in Section GR-8.2.

          April 2016

        • GR-8.1.4

          Licensees may satisfy the requirement in Paragraph GR-8.1.3 by submitting a corporate structure chart, identifying all undertakings closely linked to the licensee.

          April 2016

        • GR-8.1.5

          Licensees must provide information on undertakings with which they are closely linked, as requested by the CBB.

          April 2016

      • GR-8.2 GR-8.2 Definition of Close Links

        • GR-8.2.1

          A licensee ('L') has close links with another undertaking ('U'), if:

          (a) U is a parent undertaking of L;
          (b) U is a subsidiary undertaking of L;
          (c) U is a subsidiary undertaking of a parent undertaking of L;
          (d) U, or any other subsidiary undertaking of its parent, owns or controls 20% or more of the voting rights or capital of L; or
          (e) L, any of its parent or subsidiary undertakings, or any of the subsidiary undertakings of its parent, owns or controls 20% or more of the voting rights or capital of U.
          April 2016

      • GR-8.3 GR-8.3 Assessment Criteria

        • GR-8.3.1

          In assessing whether a licensee's close links may prevent the effective supervision of the licensee, or otherwise pose no undue risks to the licensee, the CBB takes into account the following:

          (a) Whether the CBB will receive adequate information from the licensee, and those with whom the licensee has close links, to enable it to determine whether the licensee is complying with CBB requirements;
          (b) The structure and geographical spread of the licensee, its group and other undertakings with which it has close links, and whether this might hinder the provision of adequate and reliable flows of information to the CBB, for instance because of operations in territories which restrict the free flow of information for supervisory purposes; and
          (c) Whether it is possible to assess with confidence the overall financial position of the group at any particular time, and whether there are factors that might hinder this, such as group members having different financial year ends or auditors, or the corporate structure being unnecessarily complex and opaque.
          April 2016

    • GR-9 GR-9 Cessation of Business

      • GR-9.1 GR-9.1 CBB Approval

        • GR-9.1.1

          As specified in Article 50 of the CBB Law, a licensee wishing to cease to provide or suspend any or all of the licensed regulated services of its operations and/or liquidate its business must obtain the CBB's prior approval.

          April 2016

        • GR-9.1.2

          Licensees must notify the CBB in writing at least six months in advance of their intended suspension of any or all the licensed regulated services or cessation of business, setting out how they propose to do so and, in particular, how they will treat any of their liabilities.

          April 2016

        • GR-9.1.3

          If the licensee wishes to liquidate its business, the CBB will revise its license to restrict the firm from entering into new business. The licensee must continue to comply with all applicable CBB requirements until such time as it is formally notified by the CBB that its obligations have been discharged and that it may surrender its license.

          April 2016

        • GR-9.1.4

          A licensee in liquidation must continue to meet its contractual and regulatory obligations to its clients and creditors.

          April 2016

        • GR-9.1.5

          Once the licensee believes that it has discharged all its remaining contractual obligations to clients and creditors, it must publish a notice in two national newspapers in Bahrain approved by the CBB (one being in English and one in Arabic), stating that it has settled all its dues and wishes to leave the market. According to Article 50 of the CBB Law, such notice shall be given after receiving the approval of the CBB, not less than 30 days before the actual cessation is to take effect.

          April 2016

        • GR-9.1.6

          The notice referred to in Paragraph GR-9.1.5 must include a statement that written representations concerning the liquidation may be sent to the CBB before a specified day, which shall not be later than thirty days after the day of the first publication of the notice. The CBB will not decide on the application until after considering any representations made to the CBB before the specified day.

          April 2016

        • GR-9.1.7

          If no objections to the liquidation are upheld by the CBB, then the CBB may issue a written notice of approval for the surrender of the license.

          April 2016

        • GR-9.1.8

          Upon satisfactorily meeting the requirements set out in GR-9.1, the licensees must surrender the original license certificate issued by the Licensing Directorate at the time of establishment, and submit confirmation of the cancellation of its commercial registration from the Ministry of Industry, Commerce and Tourism.

          Amended: April 2020
          Added: October 2016

    • GR-10 GR-10 Customer Complaints Procedures

      • GR-10.1 GR-10.1 General Requirements

        • GR-10.1.1

          All licensees must have appropriate customer complaints handling procedures and systems for effective handling of complaints, whether received directly by the licensee or through other parties connected to the licensee.

          Added: December 2018

        • GR-10.1.2

          Customer complaints procedures must be documented appropriately and their customers must be informed of their availability.

          Added: December 2018

        • GR-10.1.3

          All licensees must appoint a customer complaints officer and publicise his/her contact details at all departments and branches and on the licensee's website. The customer complaints officer must be of a senior level at the licensee and must be independent of the parties to the complaint to minimise any potential conflict of interest.

          Added: December 2018

        • GR-10.1.4

          The position of customer complaints officer may be combined with that of compliance officer.

          Added: December 2018

      • GR-10.2 GR-10.2 Documenting Customer Complaints Handling Procedures

        • GR-10.2.1

          In order to make customer complaints handling procedures as transparent and accessible as possible, all licensees must document their customer complaints handling procedures. These include setting out in writing:

          (a) The procedures and policies for:
          (i) Receiving and acknowledging complaints;
          (ii) Investigating complaints;
          (iii) Responding to complaints within appropriate time limits;
          (iv) Recording information about complaints;
          (v) Identifying recurring system failure issues;
          (b) The types of remedies available for resolving complaints; and
          (c) The organisational reporting structure for the complaints handling function.
          Added: December 2018

        • GR-10.2.2

          Licensees must provide a copy of the procedures to all relevant staff, so that they may be able to inform customers. A simple and easy-to-use guide to the procedures must also be made available to all customers, on request, and when they want to make a complaint.

          Added: December 2018

        • GR-10.2.3

          Licensees are required to ensure that all financial services related documentation provided to the customer includes a statement informing the customer of the availability of a simple and easy-to-use guide on customer complaints procedures in the event the customer is not satisfied with the services provided.

          Added: December 2018

      • GR-10.3 GR-10.3 Principles for Effective Handling of Complaints

        • GR-10.3.1

          Adherence to the following principles is required for effective handling of complaints:

          Added: December 2018

        • Visibility

          • GR-10.3.2

            "How and where to complain" must be well publicised to customers and other interested parties, in both English and Arabic languages.

            Added: December 2018

        • Accessibility

          • GR-10.3.3

            A complaints handling process must be easily accessible to all customers and must be free of charge.

            Added: December 2018

          • GR-10.3.4

            While a licensee's website is considered an acceptable means for dealing with customer complaints, it should not be the only means available to customers as not all customers have access to the internet.

            Added: December 2018

          • GR-10.3.5

            Process information must be readily accessible and must include flexibility in the method of making complaints.

            Added: December 2018

          • GR-10.3.6

            Support for customers in interpreting the complaints procedures must be provided, upon request.

            Added: December 2018

          • GR-10.3.7

            Information and assistance must be available on details of making and resolving a complaint.

            Added: December 2018

          • GR-10.3.8

            Supporting information must be easy to understand and use.

            Added: December 2018

        • Responsiveness

          • GR-10.3.9

            Receipt of complaints must be acknowledged in accordance with Section GR-10.5 "Response to Complaints".

            Added: December 2018

          • GR-10.3.10

            Complaints must be addressed promptly in accordance with their urgency.

            Added: December 2018

          • GR-10.3.11

            Customers must be treated with courtesy.

            Added: December 2018

          • GR-10.3.12

            Customers must be kept informed of the progress of their complaint, in accordance with Section BC-10.5.

            Added: December 2018

          • GR-10.3.13

            If a customer is not satisfied with a licensee's response, the licensee must advise the customer on how to take the complaint further within the organisation.

            Added: December 2018

          • GR-10.3.14

            In the event that they are unable to resolve a complaint, licensees must outline the options that are open to that customer to pursue the matter further, including, where appropriate, referring the matter to the Consumer Protection Unit at the CBB.

            Amended: April 2020
            Added: December 2018

        • Objectivity and Efficiency

          • GR-10.3.15

            Complaints must be addressed in an equitable, objective, unbiased and efficient manner.

            Added: December 2018

          • GR-10.3.16

            General principles for objectivity in the complaints handling process include:

            (a) Openness:

            The process must be clear and well publicised so that both staff and customers can understand;
            (b) Impartiality:
            (i) Measures must be taken to protect the person the complaint is made against from bias;
            (ii) Emphasis must be placed on resolution of the complaint, not blame; and
            (iii) The investigation must be carried out by a person independent of the person complained about;
            (c) Accessibility:
            (i) The licensee must allow customer access to the process at any reasonable point in time; and
            (ii) A joint response must be made when the complaint affects different participants;
            (d) Completeness:

            The complaints officer must find relevant facts, talk to both sides, establish common ground and verify explanations wherever possible;
            (e) Equitability:

            Give equal treatment to all parties;
            (f) Sensitivity:

            Each complaint must be treated on its merits and paying due care to individual circumstances;
            (g) Objectivity for personnel — complaints handling procedures must ensure those complained about are treated fairly which implies:
            (i) Informing them immediately and completely on complaints about performance;
            (ii) Giving them an opportunity to explain and providing appropriate support;
            (iii) Keeping them informed of the progress and result of the complaint investigation;
            (iv) Full details of the complaint are given to those the complaint is made against prior to interview; and
            (v) Personnel must be assured they are supported by the process and should be encouraged to learn from the experience and develop a better understanding of the complaints process;
            (h) Confidentiality:
            (i) In addition to customer confidentiality, the process must ensure confidentiality for staff who have a complaint made against them and the details must only be known to those directly concerned;
            (ii) Customer information must be protected and not disclosed, unless the customer consents otherwise; and
            (iii) Protect the customer and customer's identity as far as is reasonable to avoid deterring complaints due to fear of inconvenience or discrimination;
            (i) Objectivity monitoring:

            Licensees must monitor responses to customers to ensure objectivity which could include random monitoring of resolved complaints;
            (j) Charges:

            The process must be free of charge to customers;
            (k) Customer Focused Approach:
            (i) Licensees must have a customer focused approach;
            (ii) Licensees must be open to feedback; and
            (iii) Licensees must show commitment to resolving problems;
            (l) Accountability:

            Licensees must ensure accountability for reporting actions and decisions with respect to complaints handling;
            (m) Continual improvement:

            Continual improvement of the complaints handling process and the quality of products and services must be a permanent objective of the licensee.
            Added: December 2018

      • GR-10.4 GR-10.4 Internal Complaint Handling Procedures

        • GR-10.4.1

          A licensee's internal complaint handling procedures must provide for:

          (a) The receipt of written complaints;
          (b) The appropriate investigation of complaints;
          (c) An appropriate decision-making process in relation to the response to a customer complaint;
          (d) Notification of the decision to the customer;
          (e) The recording of complaints; and
          (f) How to deal with complaints when a business continuity plan (BCP) is operative.
          Added: December 2018

        • GR-10.4.2

          A licensee's internal complaint handling procedures must be designed to ensure that:

          (a) All complaints are handled fairly, effectively and promptly;
          (b) Recurring systems failures are identified, investigated and remedied;
          (c) The number of unresolved complaints referred to the CBB is minimised;
          (d) The employee responsible for the resolution of complaints has the necessary authority to resolve complaints or has ready access to an employee who has the necessary authority; and
          (e) Relevant employees are aware of the licensee's internal complaint handling procedures and comply with them and receive training periodically to be kept abreast of changes in procedures.
          Added: December 2018

      • GR-10.5 GR-10.5 Response to Complaints

        • GR-10.5.1

          A licensee must acknowledge in writing customer written complaints within 5 working days of receipt.

          Added: December 2018

        • GR-10.5.2

          A licensee must respond in writing to a customer complaint within 4 weeks of receiving the complaint, explaining their position and how they propose to deal with the complaint.

          Added: December 2018

        • Redress

          • GR-10.5.3

            A licensee should decide and communicate how it proposes (if at all) to provide the customer with redress. Where appropriate, the licensee must explain the options open to the customer and the procedures necessary to obtain the redress.

            Added: December 2018

          • GR-10.5.4

            Where a licensee decides that redress in the form of compensation is appropriate, the licensee must provide the complainant with fair compensation and must comply with any offer of compensation made by it which the complainant accepts.

            Added: December 2018

          • GR-10.5.5

            Where a licensee decides that redress in a form other than compensation is appropriate, it must provide the redress as soon as practicable.

            Added: December 2018

          • GR-10.5.6

            Should the customer that filed a complaint not be satisfied with the response received as per Paragraph GR-10.5.2, he can forward the complaint to the Consumer Protection Unit at the CBB within 30 calendar days from the date of receiving the letter.

            Amended: April 2020
            Added: December 2018

      • GR-10.6 GR-10.6 Records of Complaints

        • GR-10.6.1

          A licensee must maintain a record of all customers' complaints. The record of each complaint must include:

          (a) The identity of the complainant;
          (b) The substance of the complaint;
          (c) The status of the complaint, including whether resolved or not, and whether redress was provided; and
          (d) All correspondence in relation to the complaint.
          Such records must be retained by the licensees for a period of 5 years from the date of receipt of the complaint.
          Added: December 2018

      • GR-10.7 GR-10.7 Reporting of Complaints

        • GR-10.7.1

          A licensee must submit to the CBB's Consumer Protection Unit, 20 days after the end of the quarter, a quarterly report summarising the following:

          (a) The number of complaints received;
          (b) The substance of the complaints;
          (c) The number of days it took the licensee to acknowledge and to respond to the complaints; and
          (d) The status of the complaint, including whether resolved or not, and whether redress was provided.
          Amended: April 2020
          Added: December 2018

        • GR-10.7.2

          The report referred to in Paragraph GR-10.7.1 must be sent electronically to complaint@cbb.gov.bh.

          Amended: April 2020
          Added: December 2018

        • GR-10.7.3

          Where no complaints have been received by the licensee within the quarter, a 'nil' report should be submitted to the CBB's Consumer Protection Unit.

          Amended: April 2020
          Added: December 2018

      • GR-10.8 GR-10.8 Monitoring and Enforcement

        • GR-10.8.1

          Compliance with these requirements is subject to the ongoing supervision of the CBB as well as being part of any CBB inspection of a licensee. Failure to comply with these requirements is subject to enforcement measures as outlined in Module EN (Enforcement).

          Added: December 2018

    • GR-11 GR-11 Outsourcing

      • GR-11.1 GR-11.1 Outsourcing

        • GR-11.1.1

          Ancillary service providers must undertake a thorough risk assessment of an outsourcing proposal, before formally submitting the request for approval to the CBB and committing themselves to an agreement.

          Added: December 2018

        • GR-11.1.2

          The risk assessment should — amongst other things — include an analysis of (i) the business case; (ii) the suitability of the outsourcing provider including but not limited to the outsourcing provider's financial soundness, its technical competence, its commitment to the arrangement, its reputation, its adherence to international standards, and the associated country risk; and (iii) the impact of the outsourcing on the licensee's overall risk profile and its systems and controls framework.

          Added: December 2018

        • GR-11.1.3

          Outsourcing means an arrangement whereby a third party performs on behalf of a licensee an activity that was previously undertaken by the licensee itself (or in the case of a new activity, one which ordinarily would have been performed internally by the licensee). Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

          Added: December 2018

        • GR-11.1.4

          Ancillary service providers must seek the CBB's prior written approval before committing to a new material outsourcing arrangement and/or when the terms or conditions of the outsourcing arrangement are altered.

          The prior approval request must:

          (a) Be made in writing to the licensee's normal supervisory contact;
          (b) Contain sufficient detail to demonstrate that relevant risks are satisfactorily addressed; and
          (c) Be made at least 6 weeks before the licensee intends to commit to the arrangement.
          Added: December 2018

        • GR-11.1.5

          Ancillary service providers must retain ultimate responsibility for functions or activities that are outsourced. In particular, licensees must ensure that they continue to meet all their regulatory obligations with respect to outsourced activities.

          Added: December 2018

        • GR-11.1.6

          Once an activity has been outsourced, ancillary service providers must continue to monitor the associated risks and the effectiveness of their mitigating controls. Ancillary service providers must inform their normal supervisory contact at the CBB if material problems are encountered with the outsourcing provider. The CBB may direct the ancillary service providers to make alternative arrangements for the outsourced activity.

          Added: December 2018

        • GR-11.1.7

          Ancillary service providers must maintain and regularly review contingency plans to enable them to set up alternative arrangements — with minimum disruption to business — should the outsourcing contract be suddenly terminated or the outsourcing provider fail.

          Added: December 2018

        • GR-11.1.8

          Ancillary service providers must nominate a relevant approved person with day-to-day responsibility for handling the relationship with the outsourcing provider and ensuring that relevant risks are addressed.

          Added: December 2018

        • GR-11.1.9

          A legally enforceable contract document must be available for any material outsourcing arrangement. Where the outsourcing provider interacts directly with a licensee's customers, the contract must — where relevant — reflect the licensee's own standards regarding customer care.

          Added: December 2018

        • GR-11.1.10

          Mechanisms for the regular monitoring by licensees of performance against service level agreement and other targets, and for implementing remedies in case of any shortfalls, must also form part of the agreement. Such reviews must take place at least every year.

          Added: December 2018

        • GR-11.1.11

          Outsourcing agreements must ensure that the licensee's internal and external auditors have timely access to any relevant information they may require to fulfil their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing provider, if required.

          Added: December 2018

        • GR-11.1.12

          Ancillary service providers must also ensure that the CBB inspectors and appointed experts have timely access to any relevant information they may reasonably require to fulfil its responsibilities under the law. Such access must allow the CBB to conduct on-site examinations of the outsourcing provider, if required.

          Added: December 2018

        • GR-11.1.13

          Where the outsourcing provider is based overseas, the outsourcing provider must confirm in the outsourcing agreement that there are no regulatory or legal impediments to either the licensee's internal and external auditors, or the CBB inspectors and appointed experts, as appropriate.

          Added: December 2018

        • GR-11.1.14

          The outsourcing provider must commit itself, in the outsourcing agreement, to informing the licensee of any developments that may have a material impact on its ability to meet its obligations. These may include, for example, relevant control weaknesses identified by the outsourcing provider's internal or external auditors, and material adverse developments in the financial performance of the outsourcing provider.

          Added: December 2018

        • GR-11.1.15

          Termination under any other circumstances allowed under the outsourcing agreement must give licensees a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.

          Added: December 2018

        • GR-11.1.16

          In the event of termination, for whatever reason, the agreement must provide for the return of all customer data — where required by licensees — or destruction of the records.

          Added: December 2018

      • Customer Data Confidentiality

        • GR-11.1.17

          Licensees must ensure that outsourcing agreements comply with the CBB Law and the Personal Data Protection Law, issued on 19th July 2018.

          Added: December 2018

        • GR-11.1.18

          Licensees must ensure that the outsourcing provider implements adequate safeguards and procedures.

          Added: December 2018

        • GR-11.1.19

          The implementation of adequate safeguards and procedures would include the proper segregation of customer data from those belonging to other clients of the outsourcing provider. Ancillary service providers should have contractual rights to take action against the service provider in the event of a breach of confidentiality.

          Added: December 2018

        • GR-11.1.20

          Ancillary service provider licensees must ensure that they retain title under any outsourcing agreements for data, information and records that form part of the prudential records of the firm.

          Added: December 2018

      • Use of Cloud

        • GR-11.1.21

          In case the licensees use cloud services, they must seek the CBB's prior approval and ensure that, at a minimum, the following security measures are in place:

          (a) Customer information must be encrypted and all encryption keys or similar forms of authentication must be kept secure within the licensee's control;
          (b) A secure audit trail must be maintained for all actions performed at the cloud services outsourcing provider;
          (c) A comprehensive change management procedure must be developed to account for future changes to technology with adequate testing of such changes;
          (d) The licensee's data must be logically segregated from other entities' data at the outsourcing service provider's platform;
          (e) The cloud service provider must provide information on measures taken at its platform to ensure adequate information security, data security and confidentiality, including but not limited to forms of protection available against unauthorized access and the incident management process in cases of data breach or data loss; and
          (f) The right to release customer information/data in case of foreign government/court orders must be the sole responsibility of the licensee, subject to the CBB Law.
          Added: December 2018

    • GR-12 GR-12 Information Security

      • GR-12.1 GR-12.1 Electronic Frauds

        • GR-12.1.1

          PSPs must implement enhanced fraud monitoring of movements in customers’ accounts to guard against electronic frauds using various tools and measures, such as limits in value, volume and velocity.

          Added: January 2021

        • GR-12.1.2

          PSPs must have in place customer awareness communications, both before and after the onboarding process, using video calls, short videos or pop-up messages, to alert and warn natural persons using online channels or applications about the risk of electronic frauds, and emphasise the need to secure their personal credentials and not share them with anyone, online or offline.

          Added: January 2021