• Business Standards

    • OB Open Banking Module

      • OB-A Introduction

        • OB-A.1 Purpose

          • OB-A.1.1

            This Module sets out the Central Bank of Bahrain's (CBB's) Directive relevant to ancillary service providers providing either or both of the following regulated services defined in the Ancillary Services Authorisation Module of the CBB Rulebook Volume 5 in the Kingdom of Bahrain:

            (a) the provision of account information services; or
            (b) the provision of payment initiation services.
            Added: December 2018

          • OB-A.1.2

            This Module should be read in conjunction with the requirements in other parts of the CBB Rulebook, Volume 5, applicable to specialised licensees particularly:

            (c) Ancillary Service Providers Authorisation Module;
            (d) Principles of Business Module;
            (e) General Requirements Module;
            (f) CBB Reporting Requirements Module;
            (g) Auditors and Accounting Standards Module;
            (h) Financial Crime Module; and
            (i) Enforcement Module.
            Added: December 2018

          • Legal Basis

            • OB-A.1.3

              This Module contains the CBB's Directive (as amended from time to time) applicable to ancillary services providers undertaking account information services or payment initiation services, and is issued under the powers available to the CBB under Article 38 of the CBB Law.

              Added: December 2018

            • OB-A.1.4

              For an explanation of the CBB's rule-making powers and different regulatory instruments, see Section UG-1.1.

              Added: December 2018

        • OB-A.2 Module History

          • OB-A.2.1

            This Module was first issued in November 2018. It is numbered as version 01. All subsequent changes to this Module are annotated with a sequential version number. UG-3 provides further details on Rulebook maintenance and version control.

            Added: December 2018

          • OB-A.2.2

            A list of recent changes made to this Module is provided below:

            Module Ref.   Change Date   Description of Changes
            OB-1.1.12     07/2021       Amended Paragraph on PISPs procedures.
            OB-1.1.13     07/2021       Amended Paragraph on AISPs procedures.
            OB-2.1.1      07/2021       Amended Paragraph on AISPs and PISPs framework contract.
            OB-2.1.5      07/2021       Added a new Paragraph on customer consent.
            OB-2.1.6      07/2021       Added a new Paragraph on data access.
            OB-2.2.1      07/2021       Amended Paragraph on authentication.
            OB-2.2.2      07/2021       Deleted Paragraph.
            OB-2.2.3      07/2021       Deleted Paragraph.
            OB-2.2.4      07/2021       Deleted Paragraph.
            OB-2.2.5      07/2021       Deleted Paragraph.
            OB-2.2.6      07/2021       Deleted Paragraph.
            OB-2.3.8      07/2021       Amended Paragraph on fees and charges.
            OB-2.4.1      07/2021       Amended Paragraph on adherence to guidelines.
            OB-2.4.2      07/2021       Amended Paragraph on compliance.
            OB-2.4.3      07/2021       Added a new Paragraph on technology solutions provided.
            OB-2.4.3      01/2024       Amended Paragraph on technology solutions provided.
            OB-B.1.1      05/2024       Amended introduction Paragraph.
            OB-2.4.1      05/2024       Amended Paragraph on technology related requirements.

      • OB-B Scope of Application

        • OB-B.1 Introduction

          • OB-B.1.1

            The provision of account information services and payment initiation services entails obtaining access to customer accounts (the term ‘customer’ refers to both natural and legal persons) through 'application program interfaces' (APIs) with licensees maintaining customer accounts, which include conventional retail bank licensees, Islamic retail bank licensees, financing companies and PSPs operating electronic wallets (referred to in this Module as "licensees maintaining customer accounts"). Given the nature of risks inherent in online activities, the ancillary service providers undertaking such activities will be subject to strict regulatory standards to ensure the integrity and safety of customer data, the APIs, the customer onboarding process, the authentication process, communication sessions, the process for tracking security incidents and the associated standards of dealing with customers while undertaking this activity.

            Amended: September 2024
            Added: December 2018

      • OB-1 Risks, Systems and Controls

        • OB-1.1 Risks, Systems and Controls

          • Internal Controls

            • OB-1.1.1

              The Board of Directors or equivalent authority must take responsibility for the establishment and oversight of effective risk management and internal controls.

              Added: December 2018

            • OB-1.1.2

              Account information service providers (AISPs) and payment initiation service providers (PISPs) must use technology solutions which are capable of interfacing with software and systems used by licensees maintaining customer accounts with no material modifications to their systems.

              Added: December 2018

            • OB-1.1.3

              Consistent with Module PB: Principles of Business, Paragraph PB-1.1.10, AISPs and PISPs must establish adequate internal controls to safeguard the business, its customers and the licensees to which they have online access.

              Added: December 2018

            • OB-1.1.4

              The internal controls must include, but not be limited to, those relating to the following:

              (a) The development and/or acquisition of the technology solutions to conduct the activity;
              (b) Testing of the solutions and application program interfaces;
              (c) Standards of communication and access and security of communication sessions;
              (d) Safe authentication of the users;
              (e) Processes and measures that protect customer data confidentiality and personalised security credentials consistent with Law No. 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018;
              (f) Tools and measures to prevent frauds and errors;
              (g) Security policy;
              (h) Information security testing including web applications testing, configuration reviews, penetration testing and smart device application testing;
              (i) Risk management controls;
              (j) Anti-money laundering (AML) and combating terrorist financing (CTF) measures;
              (k) Record keeping and audit trails; and
              (l) Operational and financial controls.
              Added: December 2018

          • Operational Risks

            • OB-1.1.5

              AISPs and PISPs must document the process by which they identify, prioritise and manage their operational risks.

              Added: December 2018

            • OB-1.1.6

              Operational risk in AISPs' and PISPs' activities includes the risk of loss of confidential customer data, financial loss or reputational loss resulting from inadequate or failed internal processes, people, technology and systems, or from external events, including the risks of internal and external fraud and cyber threats. In assessing potential operational risk, the following are some of the factors that may affect the licensee's risk exposure:

              (a) Lack of governance, board and management oversight;
              (b) Inadequate internal controls;
              (c) Insufficient transaction monitoring;
              (d) Failure of information technology through breakdown, incompatibility of legacy systems and poor scalability, poor security, etc.;
              (e) Failure or insufficient cyber and information security controls;
              (f) Failure of processes and procedures;
              (g) Internal and external fraud;
              (h) Legal risks;
              (i) Outsourcing risk;
              (j) Business continuity and disaster recovery; and
              (k) Reputational risks.
              Added: December 2018

            • OB-1.1.7

              AISPs and PISPs must establish comprehensive procedures for monitoring, handling and following up on security and fraud incidents and related customer complaints including but not limited to the following:

              a) organisational measures and tools for the prevention of such incidents;
              b) details of the individual(s) and bodies responsible for assisting customers in cases of the incidents and technical issues and/or claim management;
              c) reporting lines in cases of such incidents;
              d) the contact point for customers, including a name and email address;
              e) the procedures for the reporting of incidents, including the communication of these reports to internal or external bodies, including notification of major incidents to national competent authorities; and
              f) the monitoring tools used and the follow-up measures and procedures in place to mitigate security and fraud risks.
              Added: December 2018

            • OB-1.1.8

              AISPs and PISPs must maintain an up to date security policy document containing the following information:

              a) detailed documentation of the technology architecture and of the systems and the network elements providing:
              i. a description of the business IT systems supporting the business activities;
              ii. the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
              iii. for each of the connections, the logical security measures and mechanisms in place, specifying the control the licensee will have over such access as well as the nature and frequency of each control;
              iv. process for the opening/closing of communication lines, and description of security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
              b) the logical security measures and mechanisms that govern the internal access to IT systems;
              c) the physical security measures and mechanisms of the premises and the data centre of the licensee, such as access controls and environmental security;
              d) the security of the account information and payment initiation processes, which should include:
              i. the customer authentication procedures used for both consultative and transactional access, and for all underlying payment instruments;
              ii. an explanation of how the safe delivery of tokens to the legitimate customer is ensured; and
              iii. a description of the integrity of authentication factors, tokens and online and mobile applications at the time of both initial enrolment and renewal.
              Added: December 2018

            • OB-1.1.9

              AISPs and PISPs must ensure they have an up to date business continuity plan and arrangements consisting of the following information:

              a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
              b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
              c) an explanation of how the licensee will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons; and
              d) the frequency with which the licensee intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
              Added: December 2018

            • OB-1.1.10

              AISPs and PISPs must appoint a third party specialist to conduct vulnerability assessments against cyber-attacks and penetration testing on the specific API security standards every 6 months. The specialist's report must be submitted to the CBB, along with the licensee's related action plan to resolve any issues identified. All relevant threat profiles referenced in the security standards including the risk of social engineering must be considered for the reviews.

              Added: December 2018

            • OB-1.1.11

              AISPs and PISPs must ensure that their overall systems and controls including but not limited to the business continuity, disaster recovery, information security testing, web-applications testing, smart device application testing, and cyber resilience are evaluated and independently tested by an external consultant:

              a) initially upon implementation of this Module;
              b) when there are any material changes to the systems and controls; and
              c) at least once every 3 years.
              Added: December 2018

            • OB-1.1.12

              A PISP must establish procedures to ensure:

              (a) that it will not store a customer's personalised security credentials, such as customer’s KYC and biometric information and that such data are:
              i. not accessible to other parties, with the exception of the issuer of the credentials; and
              ii. transmitted through safe and efficient channels;
              (b) that any other information about a customer is not provided to any person except a payee, and is provided to the payee only with the customer's explicit consent;
              (c) that each time a PISP initiates a payment order on behalf of its customer, the PISP identifies itself to the licensee with whom the customer maintains the account in a secure way;
              (d) [This Sub-paragraph was deleted in July 2021];
              (e) that it will not access, use or store any information for any purpose except for the provision of a payment initiation service explicitly requested by a payer, however, it may store payment details initiated by the customer such as payment amounts, payment accounts, payment reference number, payment execution dates, time and payee’s IBAN number;
              (f) that it cannot and does not change the amount, the payee or any other feature of a transaction notified to it by the customer; and
              (g) that any data accessed and stored is encrypted in transit and at rest and must not be accessible to any unauthorised person within the licensee’s organisation.
              Amended: July 2021
              Added: December 2018

            • OB-1.1.13

              An AISP must establish procedures to ensure:

              (a) it does not provide account information services without the customer's explicit consent;
              (b) that it will not store the customer's personalised security credentials such as customer’s KYC and biometric information and that such data are:
              i. not accessible to other parties, with the exception of the issuer of the credentials; and
              ii. transmitted through safe and efficient channels;
              (c) that, for each communication session, it communicates securely with the licensee and the customer in accordance with the regulatory requirements of this Module;
              (d) that it does not access any information other than information from designated accounts;
              (e) it will not access, use or store any information for any purpose except for the provision of the account information service explicitly requested by the customer;
              (f) that any data accessed and stored is encrypted in transit and at rest and must not be accessible to any unauthorised person within the licensee’s organisation; and
              (g) that customer information accessed is not stored in a form which permits identification of the customer once the customer's consent is withdrawn.
              Amended: July 2021
              Added: December 2018

      • OB-2 Operating Rules

        • OB-2.1 Framework Contracts

          • Legal arrangement and transparency

            • OB-2.1.1

              AISPs and PISPs must establish a framework contract (a legal arrangement) with the customer prior to providing AIS or PIS services. The framework contract must provide the information set forth below that is relevant to the services they provide:

              (a) The following information about the service and the provider:
              i. the name, address and contact details of the PISP or AISP as the case may be;
              ii. a description of the main characteristics of the service to be provided;
              iii. the information or unique identifier that must be provided by the customer in order for a payment order to be properly initiated or executed;
              (b) the form and procedures for giving consent to provide account information service, the initiation of a payment order and for the withdrawal of consent;
              (c) provisions regarding the time of receipt of a payment order and the cut-off time, if any, established by the licensee and the maximum execution time for the payment services to be provided;
              (d) whether spending limits for the use of a payment instrument may be agreed;
              (e) the detail of all fees and charges payable by the customer to the PISP/AISP, including those connected to the manner in and frequency with which information is provided or made available and, where applicable, a breakdown of the amounts of any charges;
              (f) the means of communication agreed between the parties for the transmission of information or notifications under this Module including, where relevant, any technical requirements for the customer's equipment and software for receipt of the information or notifications;
              (g) the terms under which the customer may opt out from the use of the payment instrument;
              (h) explicit consents required for generic marketing promotions by the PISP/AISP; and
              (i) the terms of the framework contract and information.
              (j) The following information about safeguards and corrective measures in compliance with PDPL:
              i. where relevant, a description of the steps that the customer is to take in order to keep safe a payment instrument and how to notify the PISP/AISP for the purposes of obligations of the customer in relation to loss, theft, misappropriation, unauthorised use of the payment instruments and personalised security credentials;
              ii. the secure procedures, by which the PISP/AISP will contact the customer in the event of suspected or actual fraud or security threats;
              iii. the conditions under which the PISP/AISP stops or prevents the use of a payment instrument;
              iv. the customer's liability, (payer or payee's liability for unauthorized payment transactions), including details of any limits on such liability;
              v. how and within what period of time the customer is to notify the licensee maintaining the customer account of any unauthorised or incorrectly initiated or executed payment transaction, and the liability, if any, for unauthorised payment transactions falling on the licensee maintaining the customer account for execution of unauthorised payment transactions;
              vi. liability, if any, in the event of initiation or execution or non-execution or defective or late execution of payment transactions;
              vii. liability of parties in the event of a cyber-attack and loss of sensitive data; and
              viii. the conditions for any refunds for payment transactions initiated by or through a payee.
              (k) The following information about changes to and termination of the framework contract:
              i. the time given to the customer to review and accept any proposed changes; which under no circumstances, shall be less than 10 calendar days;
              ii. the proposed terms under which the customer will be deemed to have accepted changes to the framework contract, unless they notify the service provider that they do not accept such changes before the proposed date of their entry into force;
              iii. the duration of the framework contract;
              iv. where relevant, the right of the customer to terminate the framework contract and any agreements relating to it.
              (l) The following information about redress:
              i. any contractual clause on the law applicable to the framework contract;
              ii. the customer complaint procedures and the availability of alternative dispute resolution procedures for the customer and the methods for having access to them; and
              iii. the name/title and contact number of the person designated to handle any queries or complaints.
              Amended: July 2021
              Added: December 2018

            • OB-2.1.2

              The information specified in Paragraph OB-2.1.1 must be provided to the customer free of charge before initiation of service.

              Added: December 2018

            • OB-2.1.3

              A framework contract may provide for the PISP to have the right to stop the use of a payment instrument on reasonable grounds relating to:

              (a) the security of the payment instrument; or
              (b) the suspected unauthorised or fraudulent use of the payment instrument.
              Added: December 2018

            • OB-2.1.4

              AISPs and PISPs must agree the basis, the time period and the manner in which the information on their intention to stop the use of the payment instrument will be provided to the customer and to the relevant licensees maintaining customer accounts.

              Added: December 2018

            • OB-2.1.5

              AISPs must allow customers to provide consent for accessing their account information for a duration of up to 12 months.

              Added: July 2021

            • OB-2.1.6

              AISPs must allow their customers to choose the nature and type of data to be collected or accessed and used by the AISP for the purpose of providing the services.

              Added: July 2021

        • OB-2.2 Standards for Authentication and Communication

          • Secure authentication

            • OB-2.2.1

              AISPs and PISPs must have in place a 2-factor authentication process to prevent unauthorised access.

              (a) [This sub-paragraph was deleted in July 2021];
              (b) [This sub-paragraph was deleted in July 2021];
              (c) [This sub-paragraph was deleted in July 2021].
              Amended: July 2021
              Added: December 2018

            • OB-2.2.2

              [This Paragraph was deleted in July 2021].

              Deleted: July 2021
              Added: December 2018

            • OB-2.2.3

              [This Paragraph was deleted in July 2021].

              (a) [This sub-paragraph was deleted in July 2021];
              (b) [This sub-paragraph was deleted in July 2021];
              (c) [This sub-paragraph was deleted in July 2021];
              (d) [This sub-paragraph was deleted in July 2021].
              Deleted: July 2021
              Added: December 2018

          • Independence of elements of strong authentication

            • OB-2.2.4

              [This Paragraph was deleted in July 2021].

              (a) [This sub-paragraph was deleted in July 2021];
              (b) [This sub-paragraph was deleted in July 2021];
              (c) [This sub-paragraph was deleted in July 2021].
              Deleted: July 2021
              Added: December 2018

            • OB-2.2.5

              [This Paragraph was deleted in July 2021].

              Deleted: July 2021
              Added: December 2018

            • OB-2.2.6

              [This Paragraph was deleted in July 2021].

              (a) [This sub-paragraph was deleted in July 2021];
              (b) [This sub-paragraph was deleted in July 2021].
              Deleted: July 2021
              Added: December 2018

          • Confidentiality and Integrity of Personalised Security Credentials

            • OB-2.2.7

              AISPs and PISPs must ensure that the creation of personalised security credentials is performed in a secure environment. AISPs and PISPs must mitigate the risks of unauthorised use of the personalised security credentials and of the authentication devices and software due to their loss, theft or copying before their delivery to the payer.

              Added: December 2018

            • OB-2.2.8

              AISPs and PISPs must ensure the confidentiality and integrity of the personalised security credentials of the customer, including authentication codes, during all phases of authentication including display and transmission.

              Added: December 2018

            • OB-2.2.9

              For the purpose of Paragraph OB-2.2.8, AISPs and PISPs must ensure that each of the following requirements is met:

              (a) personalised security credentials are masked when displayed and not readable in their full extent when input by the customer during the authentication;
              (b) personalised security credentials in data format, as well as cryptographic materials related to the encryption of the personalised security credentials, are not stored in plaintext; and
              (c) secret cryptographic material is protected from unauthorised disclosure.
              Added: December 2018

            • OB-2.2.10

              PISPs and AISPs must ensure that only the customer is associated with the personalised security credentials, with the authentication devices and the software in a secure manner.

              Added: December 2018

          • Security of Communication Sessions

            • OB-2.2.11

              AISPs and PISPs must ensure that any communication session established with the customer, and other entities, including merchants, relies on each of the following:

              (a) a unique identifier of the session;
              (b) security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data; and
              (c) timestamps which shall be based on a unified time-reference system and which shall be synchronised according to an official time signal.
              Added: December 2018

            • OB-2.2.12

              AISPs and PISPs must rely on qualified certificates for electronic seals for identification of the different parties for communication between parties.

              Added: December 2018

            • OB-2.2.13

              AISPs and PISPs must ensure that the risks against misdirection of communication to unauthorised parties in mobile applications and other customers' interfaces offering electronic payment services are effectively mitigated.

              Added: December 2018

            • OB-2.2.14

              AISPs and PISPs must ensure that, when exchanging data via the internet, secure encryption, using strong and widely recognised encryption techniques, is applied between the communicating parties throughout the respective communication session in order to safeguard the confidentiality and the integrity of the data.

              Added: December 2018

            • OB-2.2.15

              AISPs and PISPs must keep the access sessions offered by the licensee maintaining the customer account as short as possible, and they shall actively terminate the session with the relevant licensee maintaining the customer account as soon as the requested action has been completed.

              Added: December 2018

            • OB-2.2.16

              When maintaining parallel network sessions with the bank licensees, AISPs and PISPs must ensure that those sessions are securely linked to relevant sessions established in order to prevent the possibility that any message or information communicated between them could be misrouted.

              Added: December 2018

            • OB-2.2.17

              Communication between AISPs and PISPs and the licensee maintaining customer accounts must include an unambiguous reference to each of the following items:

              (a) the customer or users and the corresponding communication session in order to distinguish several requests from the same customer or users;
              (b) for payment initiation services, the uniquely identified payment transaction initiated;
              (c) for confirmation on the availability of funds, the uniquely identified request related to the amount necessary for the execution of the transaction.
              Added: December 2018

            • OB-2.2.18

              AISPs and PISPs must ensure that where they communicate personalised security credentials and authentication codes, these are not readable by any staff at any time. In case of loss of confidentiality of personalised security credentials under their sphere of competence, PISPs and AISPs must inform without undue delay the customer associated with them and the issuer of the personalised security credentials.

              Added: December 2018

            • OB-2.2.19

              AISPs must have in place suitable and effective mechanisms that prevent access to information other than from designated payment accounts and associated payment transactions, in accordance with the customer's explicit consent.

              Added: December 2018
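              The consent controls in OB-2.1.5 (consent for up to 12 months), OB-2.1.6 (customer-chosen data types), OB-1.1.13(d) and (g) and OB-2.2.19 (access only to designated accounts; de-identification once consent is withdrawn) combine into a single access check. The following Python is an added example of one way to implement it; it is not the CBB's or the BOBF's code, and the scope names, account identifiers, payload fields and records are constructed for illustration.

```python
"""Consent-scoped account-data access for an AISP (added example; not CBB or
BOBF code). It models OB-2.1.5 (consent for up to 12 months), OB-2.1.6 (the
customer chooses the data types collected), OB-1.1.13(d)/OB-2.2.19 (access only
to designated accounts) and OB-1.1.13(g) (records kept after consent withdrawal
must no longer identify the customer). Scope names, field names and sample
records are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import secrets

MAX_CONSENT = timedelta(days=365)                              # OB-2.1.5: up to 12 months
DATA_TYPES = {"balances", "transactions", "account_details"}   # constructed scope names
IDENTIFYING_FIELDS = {"narrative", "counterparty_name"}        # constructed payload keys


class ConsentError(Exception):
    """Raised when a consent request breaches the Module's limits."""

@dataclass
class Consent:
    consent_id: str
    customer_id: str
    accounts: frozenset             # designated account identifiers
    data_types: frozenset           # customer-chosen subset of DATA_TYPES
    expires_at: datetime
    withdrawn_at: Optional[datetime] = None

@dataclass
class StoredRecord:
    customer_ref: str               # real customer id while consent is live
    account_ref: str
    data_type: str
    payload: dict

def grant_consent(customer_id, accounts, data_types, duration, now):
    """Create a consent, rejecting durations over 12 months, undefined data
    types, and requests that designate no account or no data type."""
    if not timedelta(0) < duration <= MAX_CONSENT:
        raise ConsentError("duration must be positive and at most 12 months (OB-2.1.5)")
    if not accounts or not data_types:
        raise ConsentError("at least one designated account and one data type required")
    unknown = set(data_types) - DATA_TYPES
    if unknown:
        raise ConsentError(f"undefined data types: {sorted(unknown)}")
    return Consent(secrets.token_hex(16), customer_id, frozenset(accounts),
                   frozenset(data_types), now + duration)

def authorise_access(consent, account_id, data_type, now):
    """Allow a request only if live consent covers exactly this account and type."""
    if consent.withdrawn_at is not None or now >= consent.expires_at:
        return False                                # withdrawn or expired
    if account_id not in consent.accounts:
        return False                                # OB-1.1.13(d), OB-2.2.19
    return data_type in consent.data_types          # OB-2.1.6

def withdraw_consent(consent, records, now):
    """Mark the consent withdrawn and de-identify the records kept under it
    (OB-1.1.13(g)). Customer and account ids become keyed one-way pseudonyms;
    the key is random per withdrawal and never stored, so records stay linkable
    to each other for aggregates but not to the customer. Free-text payload
    fields that could name the customer are dropped outright."""
    consent.withdrawn_at = now
    key = secrets.token_bytes(32)                   # discarded when this returns

    def pseudonym(value):
        return hashlib.sha256(key + value.encode()).hexdigest()[:16]
    for rec in records:
        rec.customer_ref = pseudonym(rec.customer_ref)
        rec.account_ref = pseudonym(rec.account_ref)
        rec.payload = {k: v for k, v in rec.payload.items() if k not in IDENTIFYING_FIELDS}
    return records

def demo():
    """Grant, scoped access, expiry and withdrawal on constructed data; returns
    the outcome of each check so it can be asserted on."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    c = grant_consent("cust-001", {"BH00-ACC-1"}, {"balances"}, 180 * day, t0)
    try:
        grant_consent("cust-001", {"BH00-ACC-1"}, {"balances"}, 400 * day, t0)
        too_long_rejected = False
    except ConsentError:
        too_long_rejected = True
    rec = StoredRecord("cust-001", "BH00-ACC-1", "balances",
                       {"amount": 1250.0, "narrative": "salary from ACME"})
    out = {
        "too_long_rejected": too_long_rejected,
        "in_scope": authorise_access(c, "BH00-ACC-1", "balances", t0 + 30 * day),
        "other_account": authorise_access(c, "BH00-ACC-2", "balances", t0 + 30 * day),
        "other_type": authorise_access(c, "BH00-ACC-1", "transactions", t0 + 30 * day),
        "after_expiry": authorise_access(c, "BH00-ACC-1", "balances", t0 + 181 * day),
    }
    withdraw_consent(c, [rec], t0 + 60 * day)
    out["after_withdrawal"] = authorise_access(c, "BH00-ACC-1", "balances", t0 + 61 * day)
    out["deidentified"] = rec.customer_ref != "cust-001" and "narrative" not in rec.payload
    return out
```

In a real AISP the consent would also carry the unique session and request references required by OB-2.2.11 and OB-2.2.17, and the decision would be written to the audit trail required by OB-1.1.4(k).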

            • OB-2.2.20

              PISPs must provide the licensees maintaining customer accounts with the same information requested from the customer when initiating the payment transaction directly, unless the collection of additional information for the purposes of the provision of the payment initiation service is agreed otherwise between PISP, payer, and the licensee maintaining customer accounts.

              Added: December 2018

        • OB-2.3 Payment Transactions

          • Consent to Initiate Payment Transactions

            • OB-2.3.1

              A payment transaction is to be regarded as having been authorised by the payer for the purposes of this Module only if the payer has given its consent to:

              (a) the execution of the payment transaction; or
              (b) the execution of a series of payment transactions of which that payment transaction forms part.
              Added: December 2018

            • OB-2.3.2

              For the purpose of Paragraph OB-2.3.1, such consent must be given in the form, and in accordance with the procedure, agreed between the licensee maintaining the customer account, the payer and the PISP and may be given via the payee or a PISP.

              Added: December 2018

            • OB-2.3.3

              PISPs must ensure that the payer can withdraw its consent to a payment transaction at any time before the point at which the payment order can no longer be revoked under the terms of the framework contract with the customer.

              Added: December 2018

            • OB-2.3.4

              The customer may withdraw its consent to the execution of a series of payment transactions at any time with the effect that any future payment transactions are not regarded as authorised for the purposes of this section.

              Added: December 2018

          • Limits on Payment Transactions

            • OB-2.3.5

              The PISP may agree on payment transaction limits based on its own discretion or on account of the following limitations:

              (a) limits imposed by the CBB from time to time;
              (b) limits imposed by any of the licensees; and/or
              (c) limits imposed based on customer request.
              Added: December 2018

            • OB-2.3.6

              Subject to the framework contract, a PISP has the right to stop the use of a payment instrument on reasonable grounds relating to:

              (a) the security of the payment instrument; or
              (b) the suspected unauthorised or fraudulent use of the payment instrument.
              Added: December 2018

            • OB-2.3.7

              PISPs must ensure that a customer to whom a payment instrument has been issued keeps the personalised security credentials safe and:

              (a) uses the payment instrument in accordance with the terms and conditions governing such use; and
              (b) notifies the PISP in an agreed manner and without undue delay on becoming aware of the loss, theft, misappropriation or unauthorised use of the payment instrument.
              Added: December 2018

          • Fees and charges

            • OB-2.3.8

              AISPs and PISPs may charge fees and charges which reasonably correspond to the AISP’s or PISP’s costs, as the case may be, and which must be explicitly agreed in the framework contract.

              Amended: July 2021
              Added: December 2018

        • OB-2.4 OB-2.4 Technology Related Requirements

          • OB-2.4.1

            AISPs and PISPs must adhere to the Operational Guidelines, Security Standards and Guidelines, Open Banking Application Program Interface (API) Specifications and Customer Journey Guidelines included in the Bahrain Open Banking Framework (“BOBF”) (see the CBB website) for the use cases defined in the BOBF. Where licensees have arrangements to obtain access to customer account information or initiate payments for use cases not defined in the BOBF, they must develop API Specifications, Customer Journeys and Operational Guidelines consistent with the Security Standards and Guidelines in the BOBF.

            Amended: September 2024
            Amended: July 2021
            Added: December 2018

          • OB-2.4.2

            AISPs and PISPs must ensure that compliance with the standards and guidelines specified in Paragraph OB-2.4.1 is subject to independent review and tests, including testing in a test environment, by an independent consultant upon implementation.

            Amended: July 2021
            Added: December 2018

          • OB-2.4.3

            AISPs and PISPs that offer services directly to end user customers must ensure that the technology solution provided to their customers is easily accessible (e.g. website, iOS/Android/Microsoft Windows standalone application or other platform).

            Amended: January 2024
            Added: July 2021

    • CFP CFP Crowdfunding Platform Operators Module

      • CFP-A CFP-A Introduction

        • CFP-A.1 CFP-A.1 Purpose and Scope

          • CFP-A.1.1

            This Module sets out the Central Bank of Bahrain’s (CBB) regulations applicable to financing-based and equity-based offers on crowdfunding platforms and to crowdfunding platform operators. Reward-based or donation-based crowdfunding models are excluded from the scope of this Module. The authorisation requirements for crowdfunding platform operators undertaking regulated ancillary services in the Kingdom of Bahrain are stipulated in the Authorisation Module (Module AU) of CBB Rulebook - Volume 5. Crowdfunding platform operators are also subject to ongoing provisions contained in this Module and the following modules of CBB Rulebook Volume 5:

            (a) Common Modules: Principles of Business Module, Auditors and Accounting Standards Module, Financial Crime Module, Enforcement Module (Modules PB, AA, FC and EN)
            (b) CBB Reporting Requirements Module (Module BR);
            (c) General Requirements Module (Module GR); and
            (d) High-Level Controls Module (Module HC).
            Added: April 2022

          • CFP-A.1.2

            Crowdfunding platform operator refers to a person licensed by the CBB to operate a platform through an online portal, on which funding to businesses (Person to Business – P2B, and Business to Business – B2B) is allowed. Licensees may also host income producing real estate on the platform, which can include both residential and commercial properties.

            Added: April 2022

          • CFP-A.1.3

            Crowdfunding generally involves the raising of funds, usually through an online portal or other electronic media, from a large number of people who make relatively small financial contributions to the fundraising. The CBB recognises both conventional and Sharia-compliant crowdfunding business models. The crowdfunding platform operator may operate either one or both of the following models:

            1. Financing-based crowdfunding: people or businesses (lenders) lend money to businesses (borrowers) hosted on the platform in return for interest/profit and repayment of principal over a pre-specified period.
            2. Equity-based crowdfunding: businesses (issuers) raise capital through the issuance of ordinary shares, or other equity instruments like preferred shares, and people or businesses (investors) invest in these instruments in return for dividends, capital appreciation etc.
            Added: April 2022

          • CFP-A.1.4

            For the purposes of this Module, equity crowdfunding offers exclude financial instruments such as SAFE agreements (Simple Agreement for Future Equity) or similar products which have conversion features contingent on certain pre-determined conditions being met.

            Added: April 2022

          • Legal Basis

            • CFP-A.1.5

              This Module contains the CBB’s Directive, Regulation and Resolutions (as amended from time to time) applicable to crowdfunding platform operators under Volume 5 of the CBB Rulebook. It is issued under the powers available to the CBB under Articles 37 to 42, 44 to 48 and 180 of the Central Bank of Bahrain and Financial Institutions Law 2006 (‘CBB Law’).

              Added: April 2022

        • CFP-A.2 CFP-A.2 Module History

          • Evolution of Module

            • CFP-A.2.1

              This Module was first issued in xx 2022 as part of Volume 5 (Specialised Licensees). Any material changes that have subsequently been made to this Module are annotated with the calendar quarter date in which the change was made: Chapter UG-3 provides further details on Rulebook maintenance and version control.

              Added: April 2022

            • CFP-A.2.2

              A list of recent changes made to this Module is provided below:

              Module Ref.     Change Date   Description of Changes
              CFP-1.3.2(d)    07/2022       Deleted Subparagraph.

      • CFP-1 CFP-1 Operating Requirements

        • CFP-1.1 CFP-1.1 Platform Offers & Disclosures

          • CFP-1.1.1

            Crowdfunding platform operators must prominently display on their website the following:

            (a) A general risk warning;
            (b) Details of how and by whom the operator is remunerated for the service it provides, including fees and charges it imposes on lenders/investors and borrowers/issuers;
            (c) For financing-based crowdfunding: the actual default rates as a percentage of loans entered into on the platform and the number and aggregate value of loans in default;
            (d) For equity-based crowdfunding: the actual failure rate of issuers who use the platform;
            (e) The offering statement for each crowdfunding offer, which must disclose any conflicts of interest (as required by Chapter 2); and
            (f) Information on the rights of clients relating to participation in a crowdfunding offer, including the right to withdraw commitments, lodging complaints and any voting rights.
            Added: April 2022

          • CFP-1.1.2

            A crowdfunding offer is open from the time when it is first published on the platform and must be closed on the closing date or at the earliest of the following:

            (a) Three months after the offer is made, unless a specific approval has been obtained from the CBB;
            (b) When the offer is fully subscribed (unless over-subscription is allowed); and
            (c) When the borrower/issuer making the offer withdraws the offer.
            Added: April 2022

          • CFP-1.1.3

            A crowdfunding offer must be withdrawn by the crowdfunding platform operator if it has material concerns regarding the crowdfunding borrower/issuer or it becomes aware of any information that indicates the offer is misleading, fraudulent or deceptive.

            Added: April 2022

          • CFP-1.1.4

            A crowdfunding borrower/issuer is subject to the following limits in respect of crowdfunding:

            (a) Financing-based crowdfunding offers must be less than or equal to BD 500,000 in aggregate, per borrower, within a 12-month period, except where the funding raised is to be used for a Government of Bahrain led initiative/project. Additionally, the tenor of loans must not exceed 5 years; and
            (b) Equity-based crowdfunding offers must be less than or equal to BD 250,000, per issuer, (or BD 500,000 in respect of equity crowdfunding issuers who qualify as entities engaged in real estate projects) within a 12-month period.
            Added: April 2022

          • CFP-1.1.5

            The minimum subscription to be received in a crowdfunding offer must not be less than 80% of the crowdfunding offer size.

            Added: April 2022

          • CFP-1.1.6

            Crowdfunding platform operators must provide users with the following information upon onboarding:

            (a) The process for the offering of loans or equity through the platform and the risks associated with lending or investing in crowdfunding offers;
            (b) The limits on raising funds applicable on borrowers/issuers;
            (c) The right of retail clients to withdraw their commitments within 5 working days from the time the commitment is made;
            (d) The existence or non-existence of a secondary market;
            (e) The due-diligence process of the platform for hosting a borrower/issuer; and
            (f) Whether there will be an ongoing relationship between the platform and the borrower/issuer following the closing of an offer.
            Added: April 2022

          • CFP-1.1.7

            Crowdfunding platform operators must additionally display on their website key information on how their platform operates, including:

            (a) The eligibility criteria for borrowers/lenders and issuers/investors that use the platform;
            (b) Arrangements and safeguards for client money held or controlled by the operator, including details of any legal arrangements (such as nominee accounts) that may be used to hold client money;
            (c) What will happen if loans sought by a borrower or funds sought by an issuer either fail to meet, or exceed, the target level;
            (d) Steps the operator will take and the rights of the relevant parties if there is a material change in a borrower’s or an issuer’s circumstances;
            (e) How the operator will deal with overdue payments or a default by a borrower or failure of an issuer; and
            (f) Which jurisdiction’s laws will govern the financing agreement.
            Added: April 2022

          • CFP-1.1.8

            Crowdfunding platform operators must provide on their platform a user-friendly facility to allow investors/lenders to make their bid to crowdfunding offers. Such bids may only be made during the period a crowdfunding offer is available for investment/lending. Licensees must also provide on their platform a facility for communication among the investors/lenders, borrowers/issuers and the crowdfunding platform operator (e.g. an online forum).

            Added: April 2022

          • CFP-1.1.9

            Crowdfunding platform operators must allot/allocate shares, in accordance with the allotment basis stipulated in the equity crowdfunding offering statement, within 7 working days from closing date.

            Added: April 2022

          • CFP-1.1.10

            Crowdfunding platform operators must not advertise a specific crowdfunding offer hosted on their platform or make any public statements that are reasonably likely to induce people to fund a particular crowdfunding offer. This requirement does not prevent an operator from generally promoting its platform to potential clients, provided it does not advertise a specific offer.

            Added: April 2022

          • CFP-1.1.11

            Crowdfunding platform operators must have in place effective and transparent procedures for the prompt, fair and consistent handling of complaints received from clients in accordance with Section GR-10 of GR Module and publish the procedures on their websites.

            Added: April 2022

          • CFP-1.1.12

            For the purposes of this Module, commercial entities incorporated in the Kingdom of Bahrain, or incorporated in an overseas jurisdiction that is not a UN sanctioned, non-cooperative or high-risk jurisdiction, are eligible to be hosted by a crowdfunding platform operator, except the following:

            (a) Financial institutions;
            (b) Public-listed companies; and
            (c) Holding company structures and non-operative special purpose vehicles (SPVs).
            Added: April 2022

          • Offers to Retail Clients

            • CFP-1.1.13

              Crowdfunding platform operators, upon onboarding retail clients, must undertake a suitability and appropriateness assessment to gauge the client’s knowledge, experience, financial situation (including the client’s ability to bear losses) and the client’s understanding of risks associated with crowdfunding by seeking information from the lender/investor.

              Added: April 2022

            • CFP-1.1.14

              Crowdfunding platform operators must ensure that each retail client completes a self-declaration form before the client is allowed to use the platform which must include the following acknowledgements:

              (a) that the client understands the risks involved in crowdfunding;
              (b) that the client will only commit money that the client can afford to lose;
              (c) that the client understands the potential to lose part or all of his investment made on the platform;
              (d) that the client may face difficulties in exiting his investments made on the platform; and
              (e) that the client is aware that the crowdfunding offer has neither been reviewed nor approved by the CBB.
              Added: April 2022

            • CFP-1.1.15

              Crowdfunding platform operators must provide retail clients with an unconditional right to withdraw their commitment to lend or invest in a crowdfunding offer within 5 working days from the time the commitment is made. No fee or penalty must be charged to such persons if a commitment is withdrawn.

              Added: April 2022

        • CFP-1.2 CFP-1.2 Managing Conflicts of Interest

          • CFP-1.2.1

            Crowdfunding platform operators must not participate in any crowdfunding offer hosted on their platform.

            Added: April 2022

          • CFP-1.2.2

            Crowdfunding platform operators must maintain and operate effective internal rules to prevent conflicts of interest. Licensees must take appropriate steps to prevent, identify, and manage conflicts of interest between their shareholders, their managers or employees, or any natural or legal person linked to them by control and their clients, or between one client and another client. Licensees must disclose to their clients the general nature and sources of conflicts of interest and the steps taken to mitigate them.

            Added: April 2022

          • CFP-1.2.3

            Crowdfunding platform operators must not accept the following persons as borrowers/issuers on their crowdfunding platform:

            (a) Shareholders that hold 20% or more of share capital or voting rights of the platform;
            (b) Managers or employees of the platform; and
            (c) Any natural or legal persons linked to those shareholders, managers or employees by control.
            Added: April 2022

          • CFP-1.2.4

            Crowdfunding platform operators that accept as investors/lenders any of the persons referred to in Subparagraphs CFP-1.2.3 (a), (b) and (c) in their crowdfunding offers must fully disclose on their website the fact that they accept such persons as investors/lenders and information on the specific crowdfunding projects invested in. Licensees must ensure that such crowdfunding offers are funded under the same conditions as those of other investors/lenders and that persons under (a), (b) and (c) do not enjoy any preferential treatment or privileged access to information.

            Added: April 2022

          • CFP-1.2.5

            Crowdfunding platform operators must not provide direct or indirect financial assistance to lenders/investors to lend or invest in a crowdfunding borrower/issuer hosted on their platform.

            Added: April 2022

          • CFP-1.2.6

            Crowdfunding platform operators must not provide advice on the crowdfunding offers hosted on their platform. The existence of filtering tools on the platform is not regarded as advice if such tools provide information to clients in an objective and neutral manner that does not constitute a recommendation. Such tools include those that display results based on criteria relating to purely objective product features. Objective product features in this context could be pre-defined project criteria such as the economic sector, the instrument used and the interest rate, or the risk category where sufficient information regarding the calculation method is disclosed. Similarly, key financial figures calculated without any scope for discretion are also considered to be objective criteria.

            Added: April 2022

        • CFP-1.3 CFP-1.3 Due-diligence of crowdfunding borrowers/issuers

          • CFP-1.3.1

            Crowdfunding platform operators must conduct due-diligence of crowdfunding borrowers/issuers which includes at minimum procedures to confirm the following:

            (a) The identity of the company through its commercial registration (or Legal Entity Identifier where relevant) and its registered office and principal place of business;
            (b) The identity and place of domicile of the company’s owners and key management personnel;
            (c) That the borrower/issuer and its key personnel have no criminal record in respect of local laws in the fields of commercial law, insolvency law, financial services law, anti-money laundering law, fraud law or professional liability obligations;
            (d) That the borrower/issuer is not established in a UN sanctioned or non-cooperative jurisdiction or in a high-risk country;
            (e) The borrower/issuer’s current state and past performance, credit history and business valuation (where relevant);
            (f) That the business is being operated in accordance with applicable laws (in the case of overseas crowdfunding borrowers/issuers a confirmation that the overseas jurisdiction allows hosting of businesses on crowdfunding platforms of other jurisdictions); and
            (g) That the crowdfunding offering statement provided by the borrower/issuer is complete and not misleading.
            Added: April 2022

          • CFP-1.3.2

            Crowdfunding platform operators that allow real estate crowdfunding on their platforms must undertake the following due-diligence prior to hosting a real estate crowdfunding offer:

            (a) Confirm that the offer is for an income producing property and not a new development or construction project;
            (b) Confirm the identity of the seller, including, if it is a body corporate, details of its incorporation and business registration;
            (c) Ensure that the seller holds valid legal title to the property; and
            (d) This Subparagraph was deleted in July 2022;
            (e) Obtain a valuation report from the crowdfunding borrower/issuer provided by an independent, professional and reputable valuer.
            Amended: July 2022
            Added: April 2022

        • CFP-1.4 CFP-1.4 Client Money

          • CFP-1.4.1

            Crowdfunding platform operators must hold client money, securities or other client assets separate from their own, and such assets must not be subject to any lien or other restrictions. Client money must be kept in a client bank account with a retail bank in the Kingdom of Bahrain. Licensees must designate a separate bank account (or sub-account) for each crowdfunding offer. Licensees must establish systems and controls for the handling of securities, money or other assets, including maintaining up-to-date records of client assets held.

            Added: April 2022

          • CFP-1.4.2

            Crowdfunding platform operators must appoint their external auditors or an independent third-party audit firm to perform an audit on client assets and the licensee’s procedures for handling client assets. The objectives of the audit must include ensuring that:

            (a) Client assets are properly segregated and not commingled with the licensee’s own assets (as per Paragraph CFP-1.4.1);
            (b) The licensee has established and implemented adequate internal control procedures and systems to ensure client assets are always segregated;
            (c) Client assets are not used for purposes other than for crowdfunding arrangements; and
            (d) Fraud risks are adequately controlled and mitigated.
            Added: April 2022

          • CFP-1.4.3

            Funds raised must be released to the issuer within one business day of registering the shares in the share register. In the case of financing-based crowdfunding, the money must be released to the borrower within one business day of the completion of fundraising. In all cases, client money may only be released if the criteria for raising the funds have been met, i.e. the minimum amount required in the offering statement has been met and there has not been any material adverse change to the crowdfunding offer.

            Added: April 2022

          • CFP-1.4.4

            Crowdfunding platform operators must have mechanisms in place to refund the money to lenders/investors within 7 working days if:

            (a) due to any reason the crowdfunding offer is withdrawn by the platform;
            (b) the subscription amount is less than the minimum required in accordance with the offering statement; or
            (c) the offer is oversubscribed, and the platform does not allow oversubscription.
            Added: April 2022

        • CFP-1.5 CFP-1.5 Secondary Market

          • CFP-1.5.1

            Crowdfunding platform operators that operate a secondary over-the-counter market to facilitate transfers of clients’ holdings of financings/shares must ensure that only crowdfunding offers hosted and successfully funded through their platforms are permitted to be hosted on the secondary market.

            Added: April 2022

          • CFP-1.5.2

            The secondary market must not consist of an internal matching system which executes client orders on a multilateral basis unless the licensee has obtained approval from the CBB.

            Added: April 2022

          • CFP-1.5.3

            Crowdfunding platform operators that operate a secondary market must ensure that financings or equity securities hosted on the secondary market include all the information that was required to be disclosed in the initial crowdfunding offer and include up-to-date information on the performance of the borrowers and issuers.

            Added: April 2022

          • CFP-1.5.4

            Crowdfunding platform operators must have in place mechanisms to transfer ownership of issuer shares in a timely manner through the use of third-party registrars where relevant.

            Added: April 2022

        • CFP-1.6 CFP-1.6 Other Operating Requirements

          • CFP-1.6.1

            A financing-based crowdfunding platform operator must become a member of the Bahrain Credit Reference Bureau.

            Added: April 2022

          • CFP-1.6.2

            Crowdfunding platform operators must ensure that the terms and conditions for the arrangements between the relevant parties to the crowdfunding offer are legally enforceable. Such terms must include the following details:

            (a) For financing-based crowdfunding offers, details of the borrowing, tenor, terms of repayment, and the nature and frequency of reporting of performance by the borrower to the lender;
            (b) For equity-based crowdfunding offers, the amount of shares offered, the nature of the shares, and the price; and
            (c) The duties, rights and obligations of the crowdfunding platform operator, borrower/issuer and lender/investor, including legal remedies.
            Added: April 2022

          • CFP-1.6.3

            A financing-based crowdfunding platform operator that hosts Sharia-compliant financing offers must ensure that such facilities are based on Sharia-compliant financing contracts such as Murabaha, Ijarah, Salam, Istisna’a, etc. Licensees hosting Sharia-compliant facilities must make an arrangement with one independent Sharia Scholar to monitor, review and verify that the crowdfunding transactions, including documentation and structuring, are in full compliance with Sharia rules and principles. The Sharia Scholar to be appointed must fulfil the eligibility criteria outlined in the CBB’s Sharia Governance Module of Volume 2.

            Added: April 2022

          • CFP-1.6.4

            Crowdfunding platform operators must not host a crowdfunding borrower/issuer that is concurrently hosted on other crowdfunding platforms.

            Added: April 2022

      • CFP-2 CFP-2 Obligations of the borrower/issuer

        • CFP-2.1 CFP-2.1 General Requirements

          • CFP-2.1.1

            Crowdfunding borrowers and issuers must provide the minimum information required in this Section in their crowdfunding offer statements and disclosures provided on the platform. The information must be worded and presented in a ‘clear, concise and effective’ manner and must not be misleading or deceptive.

            Added: April 2022

          • CFP-2.1.2

            The minimum information required in a crowdfunding offer statement includes:

            (a) General risk warning about crowdfunding:
            1. crowdfunding is risky, companies using this facility include new or rapidly growing ventures and lending or investment in these types of ventures is speculative and carries high risks;
            2. you may lose your entire investment, and you should be in a position to bear this risk without undue hardship; and
            3. for equity crowdfunding offers: the value of your investment and any return on the investment could be reduced if the company issues more shares. Your investment is unlikely to be liquid which means you are unlikely to be able to sell your shares quickly or at all.
            (b) Information about the company (i.e. the borrower or issuer):
            1. company details: identity and legal form;
            2. business nature and organisational structure;
            3. main risks associated with the business, products, industry/sector/geography, legal/regulatory concerns;
            4. ownership capital structure;
            5. financial statements (audited statements for existing companies required to conduct audit as per local laws, and projected financial statements);
            6. key financial ratios;
            7. directors and senior managers;
            8. contact details; and
            9. details of convictions, penalties or administrative actions against the company and its directors or senior managers.
            (c) Information about the offer:
            1. details of the financing facility, interest/profit rates, maturity, payment terms, guarantee/collateral etc. (for financing crowdfunding offers);
            2. the rights associated with the shares on offer (e.g. voting and dividends), their custody and registration arrangements and buyback commitments (for equity crowdfunding offers);
            3. the offer period, the offer size, the maximum subscription under the offer and the basis for allotment;
            4. how the funds raised will be used;
            5. any situations of actual or potential conflict of interest involving the direct and indirect interest of a director, substantial shareholder etc.
            (d) Information about investor rights:
            1. the right of retail clients to withdraw commitments;
            2. the availability of a communication facility on the platform and other methods to contact the company; and
            3. the applicable reporting and corporate governance obligations in accordance with the law.
            Added: April 2022

          • CFP-2.1.3

            Crowdfunding borrowers and issuers must also inform the lenders/investors, where relevant, about the use of an SPV for raising the funds and any impact on the lenders’/investors’ rights.

            Added: April 2022

          • CFP-2.1.4

            For real estate crowdfunding offers, the following additional information must be disclosed:

            (a) details about the property, including its location and condition, and whether it is currently rented;
            (b) details about the seller’s legal title to the property such as whether it is freehold, leasehold and whether the seller is able to sell the property free of any encumbrance;
            (c) whether the property requires renovation or other work before it can be let;
            (d) the independent valuation report on the property;
            (e) the estimated annual charges and expenses relating to the property; and
            (f) the estimated annual rental income on the property.
            Added: April 2022

          • CFP-2.1.5

            The crowdfunding offers must clearly state that the borrowers/issuers and the information provided have not been reviewed or approved by the CBB.

            Added: April 2022

          • CFP-2.1.6

            The crowdfunding borrowers and issuers must not advertise their crowdfunding offers outside the platform. This requirement does not prevent the borrowers/issuers from referring people to the home page of the platform.

            Added: April 2022

          • CFP-2.1.7

            A crowdfunding issuer that has successfully completed its fundraising exercise on the crowdfunding platform must ensure that there is effective, transparent and regular communication with its crowdfunding participants including providing regular updates on the progress of the business of the issuer and the issuer’s financial position.

            Added: April 2022