• CRA-6 Risk Management

    • CRA-6.1 Board of Directors' Responsibility

      • CRA-6.1.1

        The Board of Directors of licensees are responsible for the establishment of an adequate and effective framework for identifying, monitoring and managing risks across all its operations.

        Amended: April 2023
        Added: April 2019

      • CRA-6.1.2

        The CBB expects the Board to be able to demonstrate that it provides suitable oversight and establishes, in relation to all the risks the licensee is exposed to, a risk management framework that includes setting and monitoring policies, systems, tools and controls.

        Added: April 2019

      • CRA-6.1.3

        Although authority for the management of a firm's risks is likely to be delegated, to some degree, to individuals at all levels of the organisation, the overall responsibility for this activity should not be delegated from its governing body and relevant senior managers.

        Added: April 2019

      • CRA-6.1.4

        A licensee's failure to establish, in the opinion of the CBB, an adequate risk management framework will result in it being in breach of Condition 6 of the Licensing Conditions. This failure may result in the CBB withdrawing or imposing restrictions on the licensee, or the licensee being required to inject more capital.

        Amended: April 2023
        Added: April 2019

      • CRA-6.1.5

        The Board of Directors must also ensure that there is adequate documentation of the licensee's risk management framework.

        Added: April 2019

      • Systems and Controls

        • CRA-6.1.6

          The risk management framework of a licensee must provide for the establishment and maintenance of effective systems and controls appropriate to its business, so as to identify, measure, monitor and manage risks.

          Added: April 2019

        • CRA-6.1.7

          An effective framework for risk management should include systems to identify, measure, monitor and control all major risks on an on-going basis. The risk management systems should be approved and periodically reviewed by the Board.

          Added: April 2019

        • CRA-6.1.8

          The systems and controls required under Paragraph CRA-6.1.6 must be proportionate to the nature, scale and complexity of the licensee’s activities.

          Amended: April 2023
          Added: April 2019

        • CRA-6.1.9

          The processes and systems required must enable the licensee to identify the major sources of risk to its ability to meet its liabilities as they fall due, including the major sources of risk in each of the following categories:

          (a) Counterparty risk;
          (b) Market risk;
          (c) Liquidity risk;
          (d) Operational risk including cyber security risk;
          (e) Outsourcing risk;
          (f) Group risk; and
          (g) Any additional categories relevant to its business.

          Amended: April 2023
          Added: April 2019

        • CRA-6.1.10

          Licensees must establish and maintain a risk management function that operates independently and which has sufficient authority and resources, including access to the Board of Directors, to facilitate the carrying out of the following tasks:

          (a) The implementation of the risk management framework and maintenance of effective systems and controls referred to in Paragraph CRA-6.1.6;
          (b) The provision of reports and advice to senior management;
          (c) The development of the licensee's risk strategy; and
          (d) Direct communication with the Board of Directors, independently from the licensee's senior management, regarding concerns, where specific risk developments affect or may affect the licensee, without prejudice to the responsibilities of the Board of Directors in its supervisory and/or managerial functions.

          Amended: April 2023
          Added: April 2019

        • CRA-6.1.11

          The CBB may permit a licensee to establish and maintain a risk management function which does not operate independently, provided this does not give rise to conflicts of interest and the licensee demonstrates to the CBB that the establishment and maintenance of a dedicated independent risk management function with sole responsibility for the risk management function is not appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of the regulated crypto-asset services undertaken in the course of that business.

          Amended: April 2023
          Added: April 2019

        • CRA-6.1.12

          Where a licensee is granted an exemption referred to in Paragraph CRA-6.1.11, the licensee must nevertheless be able to demonstrate that the policies and procedures which it has adopted in accordance with Paragraph CRA-6.1.6 satisfy the requirements thereof and are consistently effective.

          Added: April 2019

    • CRA-6.2 Counterparty Risk

      • CRA-6.2.1

        Licensees must adequately document the necessary policies and procedures for identifying, measuring, monitoring and controlling counterparty risk. This policy must be approved by the Board of Directors and regularly reviewed by the senior management of the licensee.

        Amended: April 2023
        Added: April 2019

      • CRA-6.2.2

        Among other things, the licensee's policies and procedures must identify the limits it applies to counterparties, how it monitors movements in counterparty risk and how it mitigates loss in the event of counterparty failure.

        Added: April 2019

    • CRA-6.3 Market Risk

      • CRA-6.3.1

        Licensees must document their framework for the proactive management of market risk for accepted crypto-assets. This policy must be approved by the Board of Directors and regularly reviewed by the senior management of the licensee.

        Amended: April 2023
        Added: April 2019

      • CRA-6.3.2

        Licensees must ensure that clients, before undertaking transactions, pre-fund their accounts.

        Added: April 2023

      • CRA-6.3.3

        Licensees must not provide any financial assistance to clients to acquire or undertake a transaction in crypto-assets.

        Added: April 2023

    • CRA-6.4 Liquidity Risk

      • CRA-6.4.1

        Licensees must maintain a liquidity risk policy for the management of liquidity risk, which is commensurate to the nature, scale and complexity of its activities. This policy must be approved by the Board of Directors and regularly reviewed by the senior management of the licensee.

        Amended: April 2023
        Added: April 2019

      • CRA-6.4.2

        Among other things, the licensee's liquidity risk policy must identify the limits it applies, how it monitors movements in risk and how it mitigates loss in the event of unexpected liquidity events.

        Added: April 2019

    • CRA-6.5 Operational Risk

      • CRA-6.5.1

        Licensees must document their framework for the proactive management of operational risk. This policy must be approved by the Board of Directors and regularly reviewed by the senior management of the licensee.

        Amended: April 2023
        Added: April 2019

      • CRA-6.5.2

        Licensees must consider the impact of operational risks on their financial resources and solvency.

        Added: April 2019

      • CRA-6.5.2A

        Licensees must identify possible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability including having adequate capacity.

        Added: April 2023

      • CRA-6.5.2B

        Licensees must, among other things:

        (a) Establish a robust operational risk-management framework with appropriate systems, policies, procedures, and controls to identify, monitor, mitigate and manage operational risks;
        (b) Have in place clearly defined roles and responsibilities for addressing operational risk;
        (c) Have in place clearly defined operational reliability objectives and have policies in place that are designed to achieve those objectives;
        (d) Ensure that it has adequate capacity proportionate to stress volumes to achieve its service-level objectives; and
        (e) Have a comprehensive physical and information security policy that addresses all potential vulnerabilities and threats.

        Added: April 2023

      • CRA-6.5.3

        Licensees' business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the licensee and its business portfolio.

        Added: April 2019

      • CRA-6.5.4

        Business continuity management includes policies, standards, and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimise the operational, financial, legal, reputational and other material consequences arising from a disruption. Effective business continuity management concentrates on the impact, as opposed to the source, of the disruption, which affords financial industry participants and financial authorities greater flexibility to address a broad range of disruptions. At the same time, however, licensees should not ignore the nature of risks to which they are exposed.

        Added: April 2019

      • Business Continuity and Disaster Recovery

        • CRA-6.5.5

          Licensees must establish and maintain a written business continuity and disaster recovery plan reasonably designed to ensure the availability and functionality of the Licensee's services in the event of an emergency or other disruption to the Licensee's normal business activities. The business continuity and disaster recovery plan, at minimum, must:

          (a) Identify documents, data, facilities, infrastructure, personnel, and competencies essential to the continued operations of the Licensee's business;
          (b) Identify the supervisory personnel responsible for implementing each aspect of the business continuity and disaster recovery plan; include a plan to communicate with essential Persons in the event of an emergency or other disruption to the operations of the Licensee, including employees, counterparties, regulatory authorities, data and communication providers, disaster recovery specialists, and any other Persons essential to the recovery of documentation and data and the resumption of operations;
          (c) Include procedures for the maintenance of back-up facilities, systems, and infrastructure as well as alternative staffing and other resources to enable the timely recovery of data and documentation and to resume operations as soon as reasonably possible following a disruption to normal business activities;
          (d) Include procedures for the back-up or copying, with sufficient frequency, of documents and data essential to the operations of the Licensee and storing of the information off site; and
          (e) Identify third parties that are necessary to the continued operations of the Licensee's business.

          Amended: April 2023
          Added: April 2019

        • CRA-6.5.6

          Licensees must distribute a copy of the business continuity and disaster recovery plan, and any revisions thereto, to all relevant employees and must maintain copies of the business continuity and disaster recovery plan at one or more accessible off-site locations.

          Amended: April 2023
          Added: April 2019

        • CRA-6.5.7

          Licensees must provide relevant training to all employees responsible for implementing the business continuity and disaster recovery plan regarding their roles and responsibilities.

          Amended: April 2023
          Added: April 2019

        • CRA-6.5.8

          Licensees must immediately notify the CBB of any emergency or other disruption to its operations that may affect its ability to fulfil regulatory obligations or that may have a significant adverse effect on the Licensee, its counterparties, or the market.

          Amended: April 2023
          Added: April 2019

        • CRA-6.5.9

          The business continuity and disaster recovery plan must be tested at least annually by qualified, independent internal personnel or a qualified third party, and revised accordingly.

          Amended: April 2023
          Added: April 2019

    • CRA-6.6 Outsourcing Arrangements

      • CRA-6.6.1

        This Chapter sets out the CBB’s approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

        Amended: July 2022
        Added: April 2019

      • CRA-6.6.2

        In the context of this Chapter, ‘outsourcing’ means an arrangement whereby a third party performs on behalf of a licensee an activity which commonly would have been performed internally by the licensee. Examples of services that are typically outsourced include data processing, cloud services, customer call centres and back-office related activities.

        Amended: July 2022
        Added: April 2019

      • CRA-6.6.3

        In the case of branches of foreign entities, the CBB may consider a third-party outsourcing arrangement entered into by the licensee’s head office/regional office or other offices of the foreign entity as an intragroup outsourcing, provided that the head office/regional office submits to the CBB a letter of comfort which includes, but is not limited to, the following conditions:

        i. The head office/regional office declares its ultimate responsibility for ensuring that adequate control measures are in place; and
        ii. The head office/regional office is responsible for taking adequate rectification measures, including compensation to the affected customers, in cases where customers suffer any loss due to inadequate controls applied by the third-party service provider.

        Amended: July 2022
        Added: April 2019

      • CRA-6.6.4

        The licensee must not outsource the following functions:

        (i) Compliance;
        (ii) AML/CFT;
        (iii) Financial control;
        (iv) Risk management; and
        (v) Business line functions offering regulated services directly to the customers (refer to Regulation No. (1) of 2007 and its amendments for the list of CBB regulated services).

        Amended: July 2022
        Added: April 2019

      • CRA-6.6.5

        For the purposes of Paragraph CRA-6.6.4, certain support activities, processes and systems under these functions may be outsourced (e.g. call centres, data processing, credit recoveries, cyber security, e-KYC solutions) subject to compliance with Paragraph CRA-6.6.7. However, strategic decision-making and managing and bearing the principal risks related to these functions must remain with the licensee.

        Amended: July 2022
        Added: April 2019

      • CRA-6.6.6

        Branches of foreign entities may be allowed to outsource to their head office, the risk management function stipulated in Subparagraph CRA-6.6.4 (iv), subject to CBB’s prior approval.

        Amended: July 2022
        Added: April 2019

      • CRA-6.6.7

        Licensees must comply with the following requirements:

        (i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:
        a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and
        b. be made at least 30 calendar days before the licensee intends to commit to the arrangement.
        (ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.
        (iii) Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.
        (iv) Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of the licensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.
        (v) Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement.
        (vi) Licensees must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.
        (vii) Licensees must inform their normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from the date of identification.

        Amended: July 2022
        Added: April 2019

      • CRA-6.6.8

        For the purpose of Subparagraph CRA-6.6.7 (iv), licensees as part of their assessments may use the following:

        a) Independent third-party certifications on the outsourcing service provider’s security and other controls;
        b) Third-party or internal audit reports of the outsourcing service provider; and
        c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.

        When conducting on-site examinations, licensees should ensure that the data of the outsourcing service provider’s other clients is not negatively impacted, including impact on service levels, availability of data and confidentiality.

        Amended: July 2022
        Added: April 2019

      • CRA-6.6.9

        For the purpose of Subparagraph CRA-6.1.7 (i), the CBB will provide a definitive response to any prior approval request for outsourcing within 10 working days of receiving the request complete with all the required information and documents.

        Amended: July 2022
        Added: April 2019