• AU-4.7 Additional Requirements for Payment Service Providers, PISPs and AISPs

    • Business plan

      • AU-4.7.1

        The business plan must include an indication of and a description of the type and expected volume of the activities for the next three years. The business plan to be provided by the applicant must contain:

        (a) a marketing plan consisting of:
        (i) an analysis of the company's competitive position;
        (ii) a description of account information service users in the account information market segment concerned, marketing materials and distribution channels;
        (b) certified annual accounts for the previous three years, if available, or a summary of the financial situation for those applicants that have not yet produced annual accounts;
        (c) a forecast budget for the first three financial years that demonstrates that the applicant is able to employ appropriate and proportionate systems, resources and procedures that allow the applicant to operate soundly; it must include:
        (i) an income statement and balance-sheet forecast, including target scenarios and stress scenarios as well as their base assumptions such as number of clients, pricing and expected increase in profitability threshold;
        (ii) explanations of the main lines of income and expenses, the financial debts and the capital assets;
        (iii) a diagram and detailed breakdown of the estimated cash flows for the next three years.
        Added: December 2018

    • Programme of Operations

      • AU-4.7.2

        The programme of operations to be provided by the applicant must contain the following information:

        (a) a description of the services that are intended to be provided, including an explanation of how the applicant determined that the activity fits the definition of regulated ancillary services;
        (b) a declaration of the applicant that they will not enter at any time into possession of client funds;
        (c) a description of the service including:
        (i) draft contracts between all the parties involved, if applicable;
        (ii) terms and conditions of the provision of the services;
        (iii) processing times;
        (d) the estimated number of different premises from which the applicant intends to provide the services, if applicable;
        (e) a description of the proposed ancillary services;
        (f) a declaration of whether or not the applicant intends to provide services in another country once licensed;
        (g) a description of the relevant operational outsourcing arrangements consisting of:
        (i) the identity and geographical location of the outsourcing provider;
        (ii) the identities of the persons within the ancillary services provider that are responsible for each of the outsourced activities;
        (iii) a detailed description of the outsourced activities and their main characteristics; and
        (h) a copy of draft outsourcing agreements.
        Added: December 2018

    • Governance arrangements and internal control mechanisms

      • AU-4.7.3

        The applicant must provide a description of the governance arrangement and the internal control mechanisms consisting of:

        (a) a mapping of the risks identified by the applicant, including the type of risks and the procedures the applicant will put in place to assess and prevent such risks;
        (b) the different procedures to carry out periodical and permanent controls including the frequency and the human resources allocated;
        (c) the identity of the person(s) responsible for the internal control functions, including for periodic, permanent and compliance control, as well as an up-to-date curriculum vitae;
        (d) the composition of the management body and, if applicable, of any other oversight body or committee;
        (e) a description of the way outsourced functions are monitored and controlled so as to avoid an impairment in the quality of the applicant's internal controls;
        (f) a description of the way any agents and branches are monitored and controlled within the framework of the applicant's internal controls;
        (g) where the applicant is the subsidiary of a regulated entity in another country, a description of the group governance.
        Added: December 2018

    • Business continuity arrangements

      • AU-4.7.4

        The applicant should provide a description of the business continuity arrangements consisting of the following information:

        (a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
        (b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
        (c) an explanation of how the applicant will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons;
        (d) the frequency with which the applicant intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
        Added: December 2018

    • Internal Control Mechanisms to comply with AML/CFT obligations

      • AU-4.7.5

        The applicant must establish a description of the internal control mechanisms containing, where applicable, the following information:

        (a) the applicant's assessment of the money laundering and terrorist financing risks associated with its business;
        (b) the measures the applicant has or will put in place to mitigate the risks and comply with applicable anti-money laundering and counter terrorist financing obligations, including the applicant's risk assessment process, the policies and procedures to comply with customer due diligence requirements, and the policies and procedures to detect and report suspicious transactions or activities;
        (c) arrangements the applicant has or will put in place to ensure that staff and agents are appropriately trained in anti-money laundering and counter terrorist financing matters;
        (d) the identity of the person in charge of ensuring the applicant's compliance with anti-money laundering and counter-terrorism obligations, and evidence that their anti-money laundering and counter-terrorism expertise is sufficient to enable them to fulfil this role effectively;
        (e) the systems and controls the applicant has or will put in place to ensure that its anti-money laundering and counter terrorist financing policies and procedures remain up to date, effective and relevant;
        (f) the systems and controls the applicant has or will put in place to ensure that the agents do not expose the applicant to increased money laundering and terrorist financing risk; and
        (g) the draft anti-money laundering and counter terrorism manual for the staff of the applicant (to be provided following receipt of in-principle approval from the CBB).
        Added: December 2018

    • Procedure for monitoring, handling, and following up on security incidents and security-related customer complaints

      • AU-4.7.6

        The applicant should provide a procedure for monitoring, handling and following up on security incidents and security-related customer complaints, containing, but not limited to, the following information:

        (a) organisational measures and tools for the prevention of cyber events and fraud;
        (b) details of the individual(s) and bodies responsible for assisting customers in cases of fraud, technical issues and/or claims;
        (c) reporting lines in cases of fraud;
        (d) the contact point for customers, including a name and email address;
        (e) the procedures for the reporting of incidents, including the communication of these reports to internal or external bodies, including notification of major incidents to national competent authorities;
        (f) the monitoring tools used and the follow-up measures and procedures in place to mitigate security risks.
        Added: December 2018

    • Process for filing, monitoring, tracking and restricting access to sensitive payment data

      • AU-4.7.7

        The PISP and PSP should provide a description of the process in place to file, monitor, track and restrict access to sensitive payment data consisting of, but not limited to, the following:

        (a) a description of the flows of data classified as sensitive payment data in the context of the applicant's business model;
        (b) the procedures in place to authorise access to sensitive payment data;
        (c) a description of the monitoring tool;
        (d) the access right policy, detailing access to all relevant infrastructure components and systems, including databases and back-up infrastructures;
        (e) a description of how the collected data are encrypted such that the applicant will not be able to read or store it;
        (f) the expected internal and/or external use of the collected data;
        (g) the IT system and technical security measures that have been implemented including encryption and/or tokenisation;
        (h) confirmation that access to sensitive customer data is not available to the applicant;
        (i) an explanation of how breaches will be detected and addressed; and
        (j) an annual internal control programme in relation to the safety of the IT systems.
        Added: December 2018

    • Security policy documentation

      • AU-4.7.8

        The applicant should provide a security policy document containing the following information:

        (a) a detailed risk assessment of the service(s) the applicant intends to provide, which should include risks of fraud and the security control and mitigation measures taken to adequately protect service users against the risks identified;
        (b) a description of the IT systems, which should include:
        (i) the architecture of the systems and their network elements;
        (ii) the business IT systems supporting the business activities provided, such as the applicant's website, wallets, the payment engine, the risk and fraud management engine, and customer accounting;
        (iii) the support IT systems used for the organisation and administration of the applicant, such as accounting, legal reporting systems, staff management, customer relationship management, e-mail servers and internal file servers;
        (iv) information on whether those systems are already used by the applicant or its group, and the estimated date of implementation, if applicable;
        (v) the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
        (vi) the logical security measures and mechanisms in place, specifying the control the applicant will have over such access as well as the nature and frequency of each control, such as technical versus organisational; preventative versus detective; and real-time monitoring versus regular reviews, such as the use of an active directory separate from the group, the opening/closing of communication lines, security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
        (c) the logical security measures and mechanisms that govern the internal access to IT systems, which should include:
        (i) the technical and organisational nature and frequency of each measure, such as whether it is preventative or detective and whether or not it is carried out in real time;
        (ii) how the issue of client environment segregation is dealt with in cases where the applicant's IT resources are shared;
        (d) the physical security measures and mechanisms of the premises and the data centre of the applicant, such as access controls and environmental security;
        (e) the security of the payment processes, which should include:
        (i) the customer authentication procedure used for both consultative and transactional access, and for all underlying payment instruments;
        (ii) an explanation of how safe delivery to the legitimate payment service user and the integrity of authentication factors, such as hardware tokens and mobile applications, are ensured, at the time of both initial enrolment and renewal;
        (iii) a description of the systems and procedures that the applicant has in place for transaction analysis and the identification of suspicious or unusual transactions;
        (f) a detailed risk assessment in relation to its payment services, including fraud, with a link to the control and mitigation measures explained in the application file, demonstrating that the risks are addressed;
        (g) a list of the main written procedures in relation to the applicant's IT systems or, for procedures that have not yet been formalised, an estimated date for their finalisation.
        Added: December 2018

      • AU-4.7.9

        AISPs/PISPs must submit a report of an independent review undertaken by a third-party expert confirming compliance with the Bahrain Open Banking Framework prior to going live. The detailed scope and procedures for such review and the appointment of the third-party expert must be approved by the CBB.

        Added: July 2021