CRA-A.1.1

The purpose of this Module is to provide the CBB's Directive concerning trading, dealing, advisory services, portfolio management services in crypto-assets as principal, as agent, as custodian and as a crypto-asset exchange within or from the Kingdom of Bahrain. The key requirements relevant to these activities are outlined in this Module while the licensees are also subject to other relevant Modules of the CBB Rulebook Volume 6. This Directive is supported by Article 44(c) of the Central Bank of Bahrain ('CBB') and Financial Institutions Law (Decree No. 64 of 2006) ('CBB Law').

CRA-A.1.2

This Module must be read in conjunction with other parts of the Rulebook, mainly:

CRA-A.1.3

This Module contains the CBB's Directive (as amended from time-to-time) relating to licensees providing regulated crypto-asset services (henceforth referred to as licensees) as defined in the Rulebook and is issued under the powers available to the CBB under Article 38 of the CBB Law. Licensees must also comply with the relevant Modules of the Rulebook Volume 6.

CRA-A.1.4

For an explanation of the CBB's Rule-making powers and different regulatory instruments, see Section UG-1.1.

CRA-A.2.2

The contents of this Module are effective from the date of release of the Module or the changes to the Module unless specified otherwise.

CRA-1.1.6

Regulated crypto-asset services means the conduct of any or any combination of the following types of activities:

CRA-1.1.6A

Licensees intending to offer regulated crypto-asset services which were not included in its application for licence and/or additional services which are not part of the regulated crypto-asset services specified in Paragraph CRA-1.1.6, must seek the CBB’s prior written approval before offering the service. Licensees must provide the CBB with detailed description of the new services, the resources required and the operational framework for such service.

CRA-1.1.7

The following activities do not constitute regulated crypto-asset services:

CRA-1.1.8

Depending on the type of regulated crypto-asset services that a person wishes to undertake, applicants may seek to be licensed by the CBB under one of the following 4 categories of license:

CRA-1.1.9

Category 1 licensees may undertake one or more regulated crypto-asset service, as listed below:

CRA-1.1.10

When undertaking the regulated crypto-asset services listed under Rule CRA- 1.1.9, Category 1 licensees:

CRA-1.1.11

Category 2 licensees may undertake one or more regulated crypto-asset services, as listed below:

CRA-1.1.12

When undertaking the regulated crypto-asset services listed under Rule CRA- 1.1.11, Category 2 licensees may hold or control client asset and client money but must not deal from their own account ("dealing as principal") or operate a crypto-asset exchange.

CRA-1.1.13

Category 3 licensees may undertake one or more regulated crypto-asset services, as listed below:

CRA-1.1.14

When undertaking regulated crypto-asset services listed under Rule CRA-1.1.13, Category-3 licensees may hold or control client assets and client money, may deal on their own account ("dealing as principal") but must not operate a crypto-asset exchange.

CRA-1.1.15

Category 4 licensees may undertake one or more regulated crypto-asset service, as listed below:

CRA-1.1.16

Licensees offering crypto-asset exchange service (licensed crypto-asset exchange) must not execute client orders against proprietary capital, or engage in matched principal trading.

CRA-1.1.16A

Pursuant to Section CRA-15.4 (Trading and Settlement of Digital Tokens), licensees may undertake over-the-counter trading in digital tokens which are issued in accordance with the requirements of Chapter CRA-15. The requirements of Paragraph CRA-1.1.16 are not applicable to trading in digital tokens provided the CBB has provided the licensee with an approval to trade the digital token under the over-the-counter trading framework.

CRA-1.1.17

When undertaking the regulated crypto-asset services listed under Rule CRA-1.1.15, Category-4 licensees may hold or control client asset and client money.

CRA-1.1.18

Persons wishing to be licensed to undertake the activities of regulated crypto-asset services must apply in writing to the CBB in accordance with the requirements stipulated in CRA-1.2.

CRA-1.1.19

[This Paragraph was deleted in April 2023].

CRA-1.1.20

[This Paragraph was deleted in April 2023].

CRA-1.1.21

[This Paragraph was deleted in April 2023].

CRA-1.1.22

Applicants seeking a regulated crypto-asset service license must satisfy the CBB that they meet, by the date of grant of license, the minimum criteria for licensing, as contained in Chapter CRA-2. Once licensed, the regulated crypto-asset service licensee must continue to meet these criteria on an on-going basis.

CRA-1.1.23

[This Paragraph was deleted in April 2023].

CRA-1.1.24

[This Paragraph was deleted in April 2023].

CRA-1.1.25

[This Paragraph was deleted in April 2023].

CRA-1.1.26

Category-1, Category-2 and Category-3 crypto-asset licensees intending to operate solely as a broker and/or dealer for clients (intermediary service) are not permitted to structure their broking / dealing service or platform in such a way that it would be deemed as operating a market i.e. a crypto asset exchange. The CBB would consider features such as allowing for price discovery, displaying a public trading order book (accessible to any member of the public, regardless of whether they are clients), and allowing trades to automatically be matched using an exchange-type matching engine as characteristic of a crypto-asset exchange.

CRA-1.1.27

Category 1, Category 2 and Category 3 crypto-asset licensees should design and structure their operations, user interface, website, marketing materials and any public or client-facing information such that it does not create the impression that it is running a licensed crypto asset exchange. In practice, category 1, category 2 and category 3 crypto-asset licensees must not:

CRA-1.2.11

Articles 44 to 47 of the CBB Law govern the licensing process which stipulate that the CBB will issue its decision within 60 calendar days of an application being deemed complete (i.e. containing all required information and documents). By law, the 60 days' time limit only applies once the application is complete and all required information (which may include any clarifications requested by the CBB) and documents have been provided. This means that all the items specified in Rule CRA-1.2.4 have to be provided, before the CBB may issue a license.

CRA-1.2.12

The CBB recognises, however, that applicants may find it difficult to secure suitable senior management (refer CRA-1.2.4(b) above) in the absence of preliminary assurances regarding the likelihood of obtaining a license.

CRA-1.2.13

[This Paragraph was deleted in April 2023].

CRA-1.2.14

[This Paragraph was deleted in April 2023].

CRA-1.2.15

[This Paragraph was deleted in April 2023].

CRA-1.2.16

Therefore, all potential applicants are strongly encouraged to contact the CBB at an early stage to discuss their plans, for guidance on the CBB's license categories and associated requirements. The Licensing Directorate would normally expect to hold at least one pre-application meeting with an applicant, prior to receiving an application.

CRA-1.2.17

Potential applicants should initiate pre-application meetings in writing, setting out a short summary of their proposed business and any issues or questions that they may have already identified, once they have a clear business proposition in mind and have undertaken their preliminary research. The CBB can then guide the applicant on the specific areas in the Rulebook that will apply to them and the relevant requirements that they must address in their application.

CRA-1.2.18

An applicant must not hold himself out as having been licensed by the CBB, prior to the issuance of the CBB’s Resolution on granting the license. Failure to do so may constitute grounds for refusing an application and result in a contravention of Article 42 of the CBB Law (which carries a maximum penalty of BD 1 million).

CRA-1.2.19

Should a license be granted, the CBB will notify the applicant in writing of the fact; the CBB will also publish its decision to grant a license in the Official Gazette and in two local newspapers (one published in Arabic, the other in English). The license may be subject to such terms and conditions as the CBB deems necessary for the additional conditions being met.

CRA-1.2.20

The CBB may reject an application for a license if in its opinion:

CRA-1.2.21

Where the CBB intends to refuse an application for a license, it must give the applicant written notice to that effect. Applicants will be given a minimum of 30 calendar days from the date of the written notice to appeal the decision, as per the appeal procedures specified in the notice.

CRA-1.2.22

Before the final approval is granted to a licensee, a confirmation from a retail bank addressed to the CBB that the minimum capital, as specified in this Module, has been paid in must be provided to the CBB.

CRA-1.2.23

Prior to commencement of operation, a licensee must, after obtaining the CBB's prior written approval, appoint an independent third party to undertake a readiness assessment and submit a readiness assessment report.

CRA-1.2.24

The readiness assessment report must include the licensee's risk management system, capital adequacy, organisational structure, operational manuals, information technology, information system security, policies and procedures and internal controls and systems.

CRA-1.2.25

[This Paragraph was deleted in April 2023].

CRA-1.2.26

Prior to commencement of operation the new licensee must provide to the CBB (if not previously submitted):

CRA-1.2.27

Licensees must commence their commercial operations within 6 months of being granted a license by the CBB, failing which the CBB may cancel the license, in accordance with the provisions of the CBB Law.

CRA-1.2.28

[This Paragraph was deleted in April 2023].

CRA-1.3.1

In accordance with Article 50 of the CBB Law, licensees wishing to cease carrying out all the approved regulated services, must obtain the CBB's written approval, before ceasing their activities. All such requests must be made in writing to the Director, Capital Markets Supervision, setting out in full the reasons for the request and how the business is to be wound up.

CRA-1.3.2

Licensees must satisfy the CBB that their clients' interests are to be safeguarded during and after the proposed cancellation.

CRA-1.3.3

The CBB will approve a request for cancellation of license by a licensee where there is no outstanding regulatory concerns and client interests would not be prejudiced. A voluntary surrender will only be allowed to take effect once the licensee, in the opinion of the CBB, has discharged all its regulatory obligations towards clients.

CRA-1.3.4

Pursuant to Article 48 (c) of the CBB Law, the CBB may cancel a license, for instance if a licensee fails to satisfy any of its existing license conditions or in order to protect the legitimate interests of clients or creditors of the licensee. The CBB generally views the cancellation of a license as appropriate only in the most serious of circumstances, and generally tries to address supervisory concerns through other means beforehand.

CRA-1.3.5

The procedures for cancellation of a license are contained in Articles 48 and 49 of the CBB Law.

CRA-1.3.6

The CBB will only effect the cancellation once a licensee has discharged all its regulatory responsibilities to clients. Until such time, the CBB will retain all its regulatory powers towards the licensee and will direct the licensee so that no new regulated crypto-asset services may be undertaken whilst the licensee discharges its obligations to its clients.

CRA-1.3.7

Licensees wishing to vary the scope of the regulated services under their existing license, whether by adding or ceasing some services, must obtain the CBB’s prior written approval. The CBB’s prior written approval must also be sought in relation to an amendment to the licensee’s license category.

CRA-1.7.1

Licensees must obtain the CBB's prior written approval in relation to any person wishing to undertake a controlled function in a licensee. The approval from the CBB must be obtained prior to their appointment.

CRA-1.7.2

Controlled functions are those functions occupied by board members and persons in executive positions and include:

CRA-1.7.3

[This Paragraph was deleted in April 2023].

CRA-1.7.4

[This Paragraph was deleted in April 2023].

CRA-1.7.5

The CBB may grant an exemption from appointment of some of the controlled functions contained in Paragraph CRA-1.7.2, provided the licensee appoints at least the following controlled functions (i) Directors, (ii) Chief Executive or General Manager, (iii) Compliance Officer and (iv) Money Laundering Reporting Officer.

CRA-1.7.6

Pursuant to CRA-1.7.5, a licensee seeking exemption from appointment of persons to specific controlled functions should provide in writing to the satisfaction of the CBB:

CRA-1.7.7

Licensees seeking an approved person authorisation for an individual, must satisfy the CBB that the individual concerned is ‘fit and proper’ to undertake the controlled function in question.

CRA-1.7.8

Each applicant applying for approved person status and those individuals occupying approved person positions must comply with the following conditions:

CRA-1.7.8A

In assessing the conditions prescribed in Paragraph CRA-1.7.8, the CBB will take into account the criteria contained in Paragraph CRA-1.7.8B. The CBB reviews each application on a case-by-case basis, taking into account all relevant circumstances. A person may be considered ‘fit and proper’ to undertake one type of controlled function but not another, depending on the function’s job size and required levels of experience and expertise. Similarly, a person approved to undertake a controlled function with a licensee may not be considered to have sufficient expertise and experience to undertake nominally the same controlled function but in a much bigger licensee.

CRA-1.7.8B

In assessing a person’s fitness and propriety, the CBB will also consider previous professional and personal conduct (in Bahrain or elsewhere) including, but not limited to, the following:

CRA-1.7.8C

With respect to Paragraph CRA1.7.8B, the CBB will take into account the length of time since any such event occurred, as well as the seriousness of the matter in question.

CRA-1.7.8D

Approved persons undertaking a controlled function must act prudently, and with honesty, integrity, care, skill and due diligence in the performance of their duties. They must avoid any conflict of interest arising whilst undertaking a controlled function.

CRA-1.7.8E

In determining where there may be a conflict of interest arising, factors that may be considered will include whether:

CRA-1.7.8F

An application for approval for a person occupying a controlled function under Paragraph CRA-1.7.2 must be made by submitting to the CBB a duly completed Form 3 (Application for Approved Person Status) and Curriculum Vitae after verifying that the information in the Form 3, including previous experience is accurate. Form 3 is available under Volume 6 Part B Authorisation Forms CRA Forms of the CBB Rulebook.

CRA-1.7.8G

When the request for approved person status forms part of a license application, it must be marked for the attention of the Director, Licensing and Policy Directorate. When the submission to undertake a controlled function is in relation to an existing licensee, except if dealing with a MLRO, it must be marked for the attention of the Director, Capital Markets Supervision Directorate. In case of the MLRO, Form 3 must be marked for the attention of the Director, Compliance Directorate.

CRA-1.7.8H

When submitting the Forms 3, licensees must ensure that the Form 3 is:

CRA-1.7.8I

Licensees seeking to appoint Board Directors must seek CBB approval for all the candidates to be put forward for election/approval at a shareholders’ meeting, in advance of the agenda being issued to shareholders. CBB approval of the candidates does not in any way limit shareholders’ rights to refuse those put forward for election/approval.

CRA-1.7.8J

For existing licensees applying for the appointment of a Director or the Chief Executive/General Manager, the authorised representative should be the Chairman of the Board or a Director signing on behalf of the Board. For all other controlled functions, the authorised representative should be the Chief Executive/General Manager.

CRA-1.7.8K

The CBB shall review and assess the application for approved person status to ensure that it satisfies all the conditions required in Paragraph CRA-1.7.8 and the criteria outlined in Paragraph CRA-1.7.8B.

CRA-1.7.8L

For purposes of Paragraph CRA-1.7.8I, licensees should give the CBB a reasonable amount of notice in order for an application to be reviewed. The CBB shall respond within 15 business days from the date of meeting all required conditions and regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, as well as verifying references.

CRA-1.7.8M

The CBB reserves the right to refuse an application for approved person status if it does not satisfy the conditions provided for in Paragraph CRA-1.7.8 and the criteria outlined in Paragraph CRA-1.7.8B. A notice of such refusal is issued to the licensee concerned, setting out the basis for the decision.

CRA-1.7.8N

Licensee or the nominated approved persons may, within 30 calendar days of the notification, appeal against the CBB’s decision to refuse the application for approved person status. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from submitting the appeal.

CRA-1.7.8O

Where notification of the CBB’s decision to grant a person approved person status is not issued within 15 business days from the date of meeting all required conditions and regulatory requirements, including but not limited to, receiving the application complete with all the required information and documents, licensees or the nominated approved persons may appeal to the Executive Director, Financial Institutions Supervision of the CBB provided that the appeal is justified with supporting documents. The CBB shall decide on the appeal and notify the licensee of its decision within 30 calendar days from the date of submitting the appeal.

CRA-1.7.9

Licensees must promptly notify the CBB in writing when a person undertaking a controlled function will no longer be carrying out that function together with an explanation as to the reasons for not undertaking the controlled function. In such cases, their approved person status is automatically withdrawn by the CBB. If a controlled function falls vacant, the licensee must appoint a permanent replacement (after obtaining CBB approval), within 120 calendar days of the vacancy occurring. Pending the appointment of a permanent replacement, the licensee must make immediate interim arrangements to ensure continuity of the duties and responsibilities of the controlled function affected, provided that such arrangements do not pose a conflict of duties. These interim arrangements must be approved by the CBB.

CRA-1.7.10

The notification should identify if the planned move was prompted by any concerns over the person concerned, or is due to a routine staff change, retirement or similar reason.

CRA-1.7.10A

Licensees must immediately notify the CBB in case of any material change to the information provided in a Form 3 submitted for an approved person.

CRA-1.7.10B

Licensees must seek prior CBB approval before an approved person may move from one controlled function to another within the same licensee.

CRA-1.7.10C

For the purposes of Paragraph CRA-1.7.10B, a new application should be completed and submitted to the CBB. A person may be considered ‘fit and proper’ for one controlled function, but not for another, if for instance the new role requires a different set of skills and experience.

CRA-1.7.11

The CBB may also move to declare someone as not 'fit and proper', in response to significant compliance failures or other improper behaviour by that person.

CRA-1.7.12

[This Paragraph was deleted in April 2023].

CRA-1.7.13

[This Paragraph was deleted in April 2023].

CRA-1.7.14

[This Paragraph was deleted in April 2023].

CRA-1.7.15

[This Paragraph was deleted in April 2023].

CRA-1.7.16

[This Paragraph was deleted in April 2023].

CRA-1.7.17

[This Paragraph was deleted in April 2023].

CRA-1.7.18

Where a firm is in doubt as to whether a function should be considered a controlled function it must discuss the case with the CBB.

CRA-1.7.19

Licensees must designate an employee, of appropriate standing and resident in Bahrain, as compliance officer. The duties of the compliance officer include:

CRA-2.8.1

Licensees must maintain comprehensive books of accounts and other records, which must be available for inspection within the Kingdom of Bahrain by the CBB, or persons appointed by the CBB, at any time. Licensees must ensure that all relevant books and other information, as may be required by the CBB, are kept for a minimum period of 10 years.

CRA-2.8.2

Licensees must conduct their activities in a professional and orderly manner, in keeping with good market practice standards. Licensees must comply with the general standards of business conduct as well as the standards relating to treatment of clients contained in Chapter CRA-4 and CRA-12.

CRA-2.8.3

Licensees must comply with any other specific requirements or restrictions imposed by the CBB on the scope of their license.

CRA-2.8.4

In addition, the CBB may vary existing requirements or impose additional restrictions or requirements, beyond those already specified for licensees, to address specific risks.

CRA-3.1.1

Licensees are required to ensure that the minimum capital is paid into a retail bank licensed to operate in the Kingdom of Bahrain. They must provide, upon request, evidence to the CBB of the deposited amount.

CRA-3.1.2

The minimum capital requirement comprising of paid-up share capital, unimpaired by losses, for respective category of licensees are indicated in the table below:

Minimum Capital Requirement

CRA-3.1.3

In addition to the minimum capital requirements specified in CRA-3.1 onwards, the CBB may, at its discretion, require licensees to hold additional capital in an amount and form as the CBB determines, should this be necessary (in the CBB's view) to ensure the financial integrity of the licensee and its ongoing operations.

CRA-3.1.4

For the purposes of determining the additional amount of capital that must be maintained by a licensee, the CBB may consider a variety of factors, including but not limited to:

CRA-3.1.5

In the event that a licensee fails to meet any of the requirements specified in this Section, it must, on becoming aware that it has breached the minimum capital requirements, immediately notify the CBB in writing. Unless otherwise directed, the licensee must in addition submit to the CBB, within 30 calendar days of its notification, a plan demonstrating how it will achieve compliance with these requirements.

CRA-4.1.7

Licensees, prior to offering portfolio management service, investment advice or complex products such as but not limited to derivative products, margin or leverage products or products with features that may make it difficult for a retail investor to understand the essential characteristics of the product and its risks (including the pay-out structure and how the product may perform in different market and economic conditions), must undertake a suitability and appropriateness assessment for retail clients (investors other than accredited investors) to determine the suitability and appropriateness of crypto-assets products and services for retail clients. Licensees must gather sufficient information from every retail client to be in a position to decide whether the crypto-asset product and/or services are suitable and appropriate for the client.

CRA-4.1.8

Licensees may seek the following information for the purposes of suitability and appropriateness assessment:

CRA-4.1.9

A licensee should take reasonable measures to avoid transactions with another crypto-asset entity, infrastructure or service provider where the counterparty is unknown or anonymous (e.g., via certain peer to peer or decentralised exchanges) at any stage of its business process.

CRA-4.2.3

Licensees must submit to the CBB their annual audited financial statements no later than 3 months from the end of the licensee's financial year. The financial statements must include the statement of financial position (balance sheet), the statements of income, cash flow and changes in equity and where applicable, the statement of comprehensive income.

CRA-4.2.4

Licensees must submit a soft copy (electronic) of their full annual report to the CBB within 4 months of the end of their financial year.

CRA-4.2.5

Licensees must submit to the CBB unaudited quarterly financial statements (in the same format as their Annual Audited Accounts), reviewed by the licensee’s external auditor, on a quarterly basis within 45 calendar days from the end of each of the first 3 quarters of their financial year.

CRA-4.3.6

Licensees must establish and adopt a board approved crypto-asset listing policy in accordance with the framework stipulated in this Section.

CRA-4.3.7

Licensees must, prior to commencement of business operations, provide a copy of the crypto-asset listing policy to the CBB. Unless the CBB raises specific concerns with respect to the board approved crypto-asset listing policy, licensees may implement the policy and self-certify crypto-assets for listing on its platform.

CRA-4.3.8

Prior to listing a crypto-asset, a licensee must notify the CBB of its intent to list the crypto-asset, provide the findings of the risk assessment undertaken in accordance with Paragraph CRA- 4.3.14 along with the board resolution approving the crypto-asset. The licensee must confirm in its notification to CBB that the proposed new crypto-asset complies with the requirements of its crypto-asset listing policy.

CRA-4.3.9

Licensees must provide a list of all the crypto-assets listed on its platform no later than 10 days from the end of each quarter.

CRA-4.3.10

The crypto-asset listing policy referred to in Paragraph CRA-4.3.6 must include robust procedures that comprehensively address all steps involved in the review and approval of crypto-assets. Licensees must have necessary monitoring capability (e.g. via monitoring systems, internal monitoring control, on-chain analysis etc.) in place before listing of the crypto-asset on its platform.

CRA-4.3.11

The crypto-asset listing policy should help establish a mechanism for approval of a crypto-asset only if the licensee unambiguously concludes that the listing and trading of the crypto-asset is consistent with the CBB’s approach to establish a fair, transparent and orderly crypto-asset market, complies with applicable laws, rules and regulations and is not detrimental to the interest of the market or client.

CRA-4.3.12

Licensees must not list crypto-assets that facilitate or may facilitate the obfuscation or concealment of the identity of a client or counterparty or crypto-assets that are designed to, or substantially used to circumvent laws and regulations. Licensees must ensure that they only list crypto-assets to which they have in place the necessary AML monitoring capabilities.

CRA-4.3.13

Licensees must ensure that:

CRA-4.3.14

Licensees must establish criteria and undertake a comprehensive risk assessment of the crypto-assets that it intends to list on its platform. The assessment must include, but are not limited to, the following:

CRA-4.3.15

Licensees must have policies and procedures in place to monitor the listed crypto-assets to ensure that continued use of the crypto-asset remains prudent. This includes:

CRA-4.3.16

Licensees must make disclosures, which are easily accessible and prominently visible to clients, for each listed crypto-asset, containing at a minimum, the following information:

CRA-4.3.17

Licensees must prominently display on their platform the following statement, “THE CENTRAL BANK OF BAHRAIN HAS NEITHER REVIEWED NOR APPROVED THE LISTED CRYPTO-ASSETS”.

CRA-4.3.18

Where the CBB determines that undertaking regulated services in a crypto-asset may be detrimental to the financial sector of the Kingdom of Bahrain and/or it may affect the legitimate interest of clients, the licensees, based on the instruction of the CBB, must delist the crypto-asset. In such scenarios, the licensee shall remain responsible for orderly settlement of trade and any liability arising due to the delisting of the crypto-asset.

CRA-4.5.1

Licensees undertaking regulated crypto-asset service and authorised to hold clients’ assets must apply the same standards and comply with the requirements of segregation and handling of clients’ assets Rules set out in this Section.

CRA-4.5.1A

For the purpose of this Module, “clients assets” means crypto-assets, money and other assets received or held on behalf of a client by the licensee and any crypto-assets, money or other assets accruing therefrom.

CRA-4.5.2

For purposes of safeguarding client's rights in relation to crypto-assets and client money which are held or controlled by the licensee, a licensee must hold clients' money and/or to crypto-assets in specially created and segregated accounts. These accounts must be identified separately from any other accounts used to hold money and/or to crypto-assets belonging to the licensee.

CRA-4.5.3

A licensee must obtain a written declaration from the entities with whom the licensee has deposited client assets that the said entity renounces and will not attempt to enforce or execute, any charge, right of set-off or other claim against the account.

CRA-4.5.4

A licensee must properly handle and safeguard client money. The arrangement to handle and safeguard client money, must include, but not be limited to the following:

CRA-4.5.5

Client money must be received by the licensee directly into a client bank account.

CRA-4.5.5A

A licensee must match any unidentified receipts in its client bank accounts with all relevant information in order to establish the nature of any payment and the identity of the person who has made it. Where the receipt is not client money, within one business day of becoming so aware, that amount of money should be paid out of the client bank account.

CRA-4.5.6

Licensees must reconcile, at least on a monthly basis, the balance on each client's money account as recorded by the licensee with the balance on that account as set out in the statement issued by the entity with whom the licensee has deposited clients' money.

CRA-4.5.7

Licensees must also reconcile, at least on a monthly basis, the total of the balances on all clients' money accounts as recorded by the licensee with the total of the corresponding credit balances in respect of each of its clients as recorded by the license.

CRA-4.5.7A

Licensees must ensure that the client money reconciliations referred to in Paragraphs CRA-4.5.6 and CRA-4.5.7 are completed within 10 business days from the end of the months. Any differences, shortfalls and excess balances must be investigated, and corrective measures taken to restore correct client asset balance.

CRA-4.5.8

As part of establishing a relationship with a client, and prior to entering into an initial transaction with such client, licensee must disclose in clear, conspicuous, and legible writing in both Arabic and English languages, all material risks associated with crypto-asset products and services including at a minimum, the following:

CRA-4.5.9

When registering a new client, and prior to entering into transactions with such client, a licensee must disclose in clear, conspicuous, and legible writing in both Arabic and English languages, all relevant terms and conditions associated with its products and services including at a minimum, the following:

CRA-4.5.9A

In addition to the disclosure requirements stipulated in Paragraph CRA-4.5.9, Category-1, Category-2 and Category-3 crypto-asset licensees must disclose, in writing, the following information to clients:

CRA-4.5.10

Prior to each transaction in a crypto-asset with a client, a licensee must furnish to the client a written disclosure in clear, conspicuous, and legible writing in both Arabic or English languages, containing the terms and conditions of the transaction, which must include, at a minimum, to the extent applicable:

CRA-4.5.11

A licensee must ensure that all disclosures required in this Section are acknowledged as received by clients.

CRA-4.5.12

Upon completion of any transaction, a licensee must provide to the client a confirmation note containing the following information:

CRA-4.5.12A

Where a client undertakes more than one transaction, the licensee may prepare a single confirmation note which:

CRA-4.5.12B

Licensees must provide the confirmation note to the client no later than the end of the business day on which the transaction was undertaken.

CRA-4.5.13

[This Paragraph was deleted in April 2023].

CRA-4.5.14

Licensees must take reasonable steps to detect and prevent fraud, including by establishing and maintaining a written anti-fraud policy. The anti-fraud policy must, at a minimum, include:

CRA-4.5.14A

A client account must be considered dormant if the client does not trade for a period of 12 (twelve) continuous months. All the accounts designated as dormant need to be monitored carefully in order to avoid unauthorized transactions in the account.

CRA-4.5.14B

If a client wishes to make his/her account active after 12 continuous months or thereafter, the licensee must ensure that the client submits a request to reactivate his/her account. In case there is any change in the information such as; address, contact details, email ID, bank account, financial disclosure provided in KYC at the time of registration as client, the same must be submitted along with the request. After verification of the updated / revised details and approval from the compliance officer or money laundering reporting officer (MLRO), the account can be made active and transactions can take place.

CRA-4.5.15

Licensees must not provide a regulated crypto-asset service to a client as mentioned unless there is a client agreement entered into between the licensee and the client containing the key information specified in Rule CRA-4.5.16.

CRA-4.5.16

The client agreement referred to in Rule CRA-4.5.15 must include:

CRA-4.5.16A

Licensees must provide periodic statements i.e. confirmation note, monthly statement of account and annual statement of account to their clients. Licensees may provide to their clients the periodic statement information through their website and/or application. Where a licensee provides the periodic statement through its website and application, the licensee is not required to send the periodic statement to their clients separately.

CRA-4.5.17

A licensee must prepare and provide a monthly statement of account to the client no later than 7 business days following the month where any of the following circumstances apply:

CRA-4.5.18

The monthly statement of account referred to in Paragraph CRA-4.5.17 must include the following information:

CRA-4.5.19

Where a licensee receives a request from a client for a statement of account it must provide the client, as soon as practicable after the date of the request but no later than 5 working days from the date of the request, such statement of account which must include the information required as per Paragraph CRA-4.5.18 for the period specified by the client.

CRA-4.5.20

Where a licensee provides the statement of account at the request of the client (refer to CRA-4.5.19), it may impose a reasonable charge on the client for providing the statement of account.

CRA-4.5.21

A licensee must prepare and provide a statement of account to the client, on an annual basis, no later than the end of the seventh business day after the end of the financial year except under following circumstances:

CRA-4.5.22

Where a client requests for withdrawal of client assets, a licensee, unless the restriction is pursuant to a freeze or block order from a court or due to factors related to money laundering and terror financing (suspicious transactions), must not impose restriction on withdrawal of the client assets held under its control.

CRA-4.6.6

Licensees must ensure that all the following requirements are met with regards to promotion of products or services:

CRA-4.7.6

Licensees must acknowledge in writing customer written complaints within 5 working days of receipt.

CRA-4.7.7

Licensees must respond to a client complaint promptly and within a period of 4 weeks of receiving the complaint or provide the complainant with an appropriate explanation as to why the licensee is not, at that time, in a position to respond and must indicate by when the licensee will respond.

CRA-4.7.8

Licensees must decide and communicate how it proposes to provide the customer with redress. Where appropriate, the licensee must explain the options open to the customer and the procedures necessary to obtain the redress.

CRA-4.7.9

Where a licensee decides that redress in the form of compensation is appropriate, the licensee must provide the complainant with fair compensation and must comply with any offer of compensation made by it which the complainant accepts.

CRA-4.7.10

Where a licensee decides that redress in a form other than compensation is appropriate, it must provide the redress as soon as practicable.

CRA-4.7.11

A licensee must inform the clients who have filed a complaint with the licensee and are not satisfied with the response received as per Paragraph CRA-4.7.7, about their right to forward the complaint to the Consumer Protection Unit at the CBB within 30 calendar days from the date of receiving the letter from the licensee.

CRA-4.7.12

Licensees must submit to the Consumer Protection Unit at the CBB, a quarterly report summarising the following:

CRA-4.7.13

Where no complaints have been received by the licensee within the quarter, a 'nil' report must be submitted to the Consumer Protection Unit at the CBB.

CRA-4.7.14

A licensee must maintain a record of all client complaints. The record of each complaint must include:

Such records must be retained by the licensee for a period of 10 years from the date of receipt of the complaint.

CRA-4.8.1

Licensees handling client asset and/or client money must maintain a professional indemnity coverage (insurance policy) in accordance with the scope of coverage provided in Paragraph CRA-4.8.3.

CRA-4.8.2

For the purposes of Paragraph CRA-4.8.1, licensees must maintain professional indemnity coverage for an amount that is determined based on its assessment of the potential risk exposure. Such amount, however, must not be less than BD100,000.

CRA-4.8.3

Licensees must ensure that the Professional Indemnity Coverage, inter alia:

CRA-4.8.4

The professional indemnity coverage must be obtained from an insurance firm acceptable to the CBB and licensed in the Kingdom of Bahrain. Licensees must submit a Professional Indemnity Insurance Return (Form PIIR) on an annual basis. Additionally, they must provide, upon request, evidence to the CBB of the coverage in force.

CRA-4.8.5

[This Paragraph was deleted in April 2023].

CRA-4.8.6

The requirement to maintain professional indemnity coverage will normally be met by the licensee obtaining an insurance policy from an insurance firm. The CBB may also accept an insurance indemnity policy issued at group level, e.g. issued with respect to the parent of the licensee, provided the terms of the policy explicitly provide indemnity coverage with respect to the licensee and meets the requirements of Paragraphs CRA-4.8.1, CRA-4.8.2 and CRA-4.8.3.

CRA-4.8.7

Upon written application to the CBB, the requirement in Rule CRA-4.8.1 may instead be met by the licensee depositing with a retail bank licensed to operate in the Kingdom of Bahrain, an amount, specified by the CBB, to be held in escrow against future claims. This amount will not be less than the minimum required policy limit.

CRA-4.8.8

The policy must contain a clause that it may not be cancelled or lapsed without the prior notification of the CBB. The policy must also contain a provision for an automatic extended reporting period in the event that the policy is cancelled or lapsed, such that claims relating to the period during which the policy was in force may subsequently still be reported.

CRA-4.9.1

[This Paragraph was deleted in April 2023].

CRA-4.9.2

A licensee must maintain the confidentiality of all client information in accordance with the requirements of the Personal Data Protection Law (PDPL).

CRA-4.9.3

[This Paragraph was deleted in April 2023].

CRA-4.10.2

Licensees must obtain the CBB's prior written approval to any dividend proposed to be distributed to the shareholders, before announcing the proposed dividend by way of press announcement or any other means of communication and prior to submitting a proposal for a distribution of profits to a shareholder vote.

CRA-4.10.3

One of the factors that the CBB will consider while determining whether to grant an approval is when it is satisfied that the level of dividend proposed is unlikely to leave the licensee vulnerable to breaching the CBB's financial resources requirements, taking into account, as appropriate, the trends in the licensee's business volumes, profitability, expenses and performance.

CRA-4.10.4

To facilitate the prior approval required under Paragraph CRA-4.10.2, licensees must provide the CBB with:

CRA-4.12.1

[This Paragraph was deleted in April 2023].

CRA-4.12.2

[This Paragraph was deleted in April 2023].

CRA-4.12.3

[This Paragraph was deleted in April 2023].

CRA-4.12.4

Where a licensed crypto-asset exchange decides to delist or suspend the trading of one or more crypto-assets, it must notify the CBB with the rationale for the suspension or delisting of the crypto-asset.

CRA-4.12.5

Without prejudice to the right of the CBB to demand suspension or delisting of a crypto-asset from trading, a licensed crypto-asset exchange must suspend or delist from trading a crypto-asset which no longer complies with the Rules of the licensed crypto-asset exchange unless such suspension or delisting would likely cause significant damage to the clients' interests or the orderly functioning of the market.

CRA-4.12.6

Where a licensed crypto-asset exchange decides to suspends or delists from trading a crypto-asset, it must by way of a public announcement inform the clients' regarding the date of suspension or delisting of the crypto-asset.

CRA-4.12.7

Where a llicensed crypto-asset exchange has suspended or delisted a crypto-asset from trading, the CBB may require that other licensees, which fall under its jurisdiction and trade the same crypto-asset, also suspend or delist that crypto-asset from trading, where the suspension or delisting is due to suspected market abuse, a take-over bid or the non-disclosure of inside information about the issuer or crypto-asset except where such suspension or delisting could cause significant damage to the clients' interests or the orderly functioning of the market.

CRA-4.12.8

A licensed crypto-asset exchange must ensure expedient and accurate verification of trades and matching settlement instructions.

CRA-4.12.9

A licensed crypto-asset exchange must ensure that it has necessary systems and controls to verify the existence of funds and crypto-assets, as applicable, of clients submitting orders.

CRA-4.12.10

A licensed crypto-asset exchange must disclose to its clients and the public as appropriate, on a continuous basis during normal trading, the following information relating to trading of crypto-assets on its platform:

CRA-4.12.11

A licensed crypto-asset exchange must use appropriate mechanisms to enable pre-trade information to be made available to the public in an easy to access and uninterrupted manner.

CRA-4.12.12

A licensed crypto-asset exchange must disclose the price, volume and time of the transactions executed in respect of crypto-assets to the public as close to real-time as is technically possible on a non-discretionary basis. A licensed crypto-asset exchange must use adequate mechanisms to enable post-trade information to be made available to the public in an easy to access and uninterrupted manner, at least during business hours.

CRA-4.12.13

A licensed crypto-asset exchange must keep, for at least 10 years, the relevant data relating to all orders and all transactions in crypto-assets which are carried out through their systems.

CRA-4.12.14

For the purposes of Paragraph CRA-4.12.10, the records must contain the relevant data that constitute the characteristics of the order, including those that link an order with the executed transaction(s) that stems from that order. This shall include:

CRA-4.12.15

A licensed crypto-asset exchange must maintain adequate resources and have back-up facilities in place in order to be capable of reporting at all times.

CRA-4.12.16

[This Paragraph was deleted in April 2023].

CRA-4.12.17

[This Paragraph was deleted in April 2023].

CRA-4.12.18

A licensed crypto-asset exchange must have in place effective systems, procedures and arrangements to reject orders that exceed pre-determined volume and price thresholds or are clearly erroneous.

CRA-4.12.19

A licensed crypto-asset exchange must be able to temporarily halt or constrain trading if there is a significant price movement in a crypto-asset on its platform or a related platform during a short period and, in exceptional cases, to be able to cancel, vary or correct any transaction.

CRA-4.12.20

A licensed crypto-asset exchange must report the reasons for halting trading and any material changes to those reasons to the CBB in a consistent and comparable manner.

CRA-4.12.21

A licensed crypto-asset exchange must ensure that its fee structures are transparent, fair and non-discriminatory and that they do not create incentives to place, modify or cancel orders or to execute transactions in a way which contributes to disorderly trading conditions or market abuse.

CRA-4.12.22

A licensed crypto-asset exchange must ensure that its Rules on co-location services are transparent, fair and non-discriminatory.

CRA-4.12.23

A licensed crypto-asset exchange must be able to identify, by means of flagging from its clients, orders generated by algorithmic trading, the different algorithms used for the creation of orders and the relevant persons initiating those orders.

CRA-4.12.24

A licensed crypto-asset exchange must, upon request by the CBB, make available to the CBB, data relating to the order book or give the CBB access to the order book so that it is able to monitor trading.

CRA-4.12.25

A licensed crypto-asset exchange must establish procedures that enable the confirmation of relevant details of transactions in crypto-assets.

CRA-4.12.26

A licensed crypto-asset exchange's settlement procedures must clearly define the point at which settlement is final.

CRA-4.12.27

A licensed crypto-asset exchange must complete final settlement no later than the end of the trade date, and preferably intraday or in real time, to reduce settlement risk.

CRA-4.12.28

A licensed crypto-asset exchange must clearly define the point after which unsettled payments, transfer instructions, or other obligations may not be revoked by a client.

CRA-4.12.29

A licensed crypto-asset exchange must minimize and strictly control the credit and liquidity risk arising from money settlements.

CRA-4.12.30

A licensed crypto-asset exchange must clearly state its obligations with respect to the delivery of crypto-assets and should identify, monitor, and manage the risks associated with such delivery.

CRA-4.12.31

A licensed crypto-asset exchange must have in place adequate systems to safeguard against settlement failures as well as resolution systems which cater for such failures. Such systems should be clearly documented in the licensed crypto-asset exchange's policies, procedures and rules.

CRA-4.12.32

A licensed crypto-asset exchange must establish a system that monitors settlement failures of transactions in crypto-assets. Upon occurrence of such events, the licensed crypto-asset exchange must immediately report to the CBB, details of the settlement failure and any other relevant information.

CRA-4.12.33

A licensed crypto-asset exchange must issue clear and transparent Rules in order to ensure that any crypto-assets being traded on its platform is being traded in a fair, orderly and efficient manner. Such rules, and any changes or amendments thereto are to be approved by the CBB.

CRA 4.12.34

The CBB may require a licensed crypto-asset exchange to effect any changes to its Rules, as it may deem necessary.

CRA-4.12.35

The Rules must, inter alia, include Sections on:

CRA-4.12.36

Where, due to the occurrence of any event or circumstances, a licensed crypto-asset exchange is unable to discharge any of its functions whatsoever, it must on the day of such occurrence immediately notify the CBB of its inability to discharge that function, specifying:

CRA-4.12.37

Where a licensed crypto-asset exchange has taken any action against any of its clients, including the suspension of the client from trading, the blacklisting or expelling of a client or any other action, in respect of a breach of its rules, that licensed crypto-asset exchange must immediately notify the CBB of that event, providing:

CRA-5.1.4

Licensees must have in place effective systems, procedures and arrangements to ensure that their IT systems including the trading and settlement systems, are resilient, have sufficient capacity to deal with peak order and message volumes, are able to ensure orderly trading under conditions of severe market stress, are fully tested to ensure such conditions are met and are subject to effective business continuity arrangements to ensure continuity of their services if there is any failure of their trading systems.

CRA-5.1.5

Licensees must continuously monitor the utilisation of their system resources against a set of pre-defined thresholds. Such monitoring must facilitate the licensee in carrying out capacity management to ensure IT resources are adequate to meet current and future business needs.

CRA-5.1.6

Licensees must conduct regular testing of resilience of its IT systems to meet its business requirements.

CRA-5.1.7

A licensee’s IT systems must be designed and implemented in a manner to achieve the level of system availability that is commensurate with its business needs. Fault-tolerant solutions must be implemented for IT systems which require high system availability and technical glitches must be minimized.

CRA-5.2.6

[This Paragraph was deleted in January 2020].

CRA-5.2.7

[This Paragraph was deleted in April 2023].

CRA-5.2.8

[This Paragraph was deleted in April 2023].

CRA-5.2.9

[This Paragraph was deleted in April 2023].

CRA-5.4.4

Both hot and cold wallets must be password protected and encrypted. The key storage file that is held on the online or offline device must be encrypted. The user is therefore protected against theft of the file (to the degree the password cannot be cracked). However, malware on the machine may still be able to gain access (e.g., a keystroke logger to capture the password).

CRA-5.4.5

Licensees must use multi-signature wallets (e.g., where multiple private keys are associated with a given public key and a subset of these private keys, held by different parties, are required to authorise transactions). Noting that there is no way to recover stolen or lost private keys unless a copy of that key has been made, multi-signature wallets offer more security because a user can still gain access to its crypto-assets when two or more Private Keys remain available. (see also CRA-4.1.2 and CRA-4.1.3).

CRA-5.4.6

To mitigate the risks associated with hot wallets, private keys can be stored in a cold wallet, which is not attached to a network. Licensees should implement cold wallet key storage where possible if they are offering wallet services to their Clients.

CRA-5.4.7

Wallets may also be stored on a secondary device that is never connected to a network. This device, referred to as an air-gapped device, is used to generate, sign, and export transactions. Care should be taken not to infect the air-gapped device with malware when, for example, inserting portable media to export the signed transactions. Hardware security modules emulate the properties of an air gap. A proper policy must be created to describe the responsibilities, methods, circumstances and time periods within which transactions can be initiated. Access and control of single private keys should be shared by multiple users to avoid transactions by a single user.

CRA-5.4.8

Some wallet solutions enable cryptographic keys to be derived from a user-chosen password (the "seed") in a "deterministic" wallet. The most basic version requires one password per key pair. A Hierarchical Deterministic wallet derives a set of keys from a given seed. The seed allows a user to restore a wallet without other inputs.

CRA-5.4.9

Licensees offering deterministic wallet solutions must ensure that users are provided with clear instructions for situations where keys, seeds or hardware supporting such wallet solutions are lost.

CRA-5.4.10

A licensee must establish and implement strong internal controls and governance procedures for private key management to ensure all cryptographic seeds and private keys are securely generated, stored and backed up. A licensee using a third party crypto-asset custodian must ensure that the third-party custodian establishes and implements such controls and procedures. The procedure must include the following:

CRA-5.4.11

Licensees must establish, maintain and implement a private key storage policy to ensure effective and prudent safekeeping of the seed and private key at all times. In particular, such policy must address:

The private key storage policy along with other documents and evidences confirming that the seed and private key are held securely must be made available to the CBB upon request.

CRA-5.8.1

A licensee must establish and maintain an effective cyber security program to ensure the availability and functionality of the licensee's electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering. The cyber security program must be designed to perform, at the minimum, the following five core cyber security functions:

CRA-5.8.1A

Licensees must have a robust cyber security risk management framework that encompasses, at a minimum, the following components:

CRA-5.8.1B

The cyber security risk management framework must be developed in accordance with the National Institute of Standards and Technology (NIST) Cyber security framework which is summarized in Appendix A – Cyber security Control Guidelines. Broadly, the cyber security risk management framework should be consistent with the licensee’s risk management framework.

CRA-5.8.1C

Senior management, and where appropriate, the boards, should receive comprehensive reports, covering cyber security issues such as the following:

CRA-5.8.1D

Licensees may establish a cyber security committee that is headed by an independent senior manager from a control function (like CRO), with appropriate authority to approve policies and frameworks needed to implement the cyber security strategy, and act as a governance committee for the cyber security function. Membership of this committee should include senior management members from business functions, IT, Risk and Compliance.

CRA-5.8.2

The board must provide oversight and accord sufficient priority and resources to manage cyber security risk, as part of the licensee's overall risk management framework.

CRA-5.8.3

In discharging its oversight functions, the board must:

CRA-5.8.4

The management is responsible for:

CRA-5.8.4A

Management must ensure that:

CRA-5.8.4B

With respect to Paragraph CRA-5.8.4A(a), data classification entails analyzing the data the licensee retains, determining its importance and value, and then assigning it to a category. When classifying data, the following aspects should be determined:

The general guideline for data classification is that the definition of the classification should be clear enough so that it is easy to determine how to classify the data. The owner of data (i.e. the relevant business function) should be involved in such classification.

CRA-5.8.4C

An organisation-wide cyber security strategy must be defined and documented to include:

CRA-5.8.4D

The cyber security strategy should be communicated to the relevant stakeholders and it should be revised as necessary and, at least, once every three years. Appendix A provides cyber security control guidelines that can be used as a reference to support the licensee’s cyber security strategy and cyber security policy.

CRA-5.8.5

Licensees must implement a written cyber security risk policy setting out the licensee's Board approved policies and related procedures that are approved by senior management, for the protection of its electronic systems and client data stored on those systems. This policy must be reviewed and approved by the licensee's board of directors at least annually. The cyber security policy, among others, must address the following areas:

CRA-5.8.6

[This Paragraph was deleted in April 2023].

CRA-5.8.7

[This Paragraph was deleted in April 2023].

CRA-5.8.8

A licensee must conduct regular assessments as part of the licensee's compliance programme to identify potential vulnerabilities and cyber security threats in its operating environment which could undermine the security, confidentiality, availability and integrity of the information assets, systems and networks.

CRA-5.8.9

The assessment of the vulnerabilities of the licensee's operating environment must be comprehensive, including making an assessment of potential vulnerabilities relating to the personnel, parties with whom a licensee deals with, systems and technologies adopted, business processes and outsourcing arrangements.

CRA-5.8.10

A licensee must develop and implement preventive measures to minimise the licensee's exposure to cyber security risk.

CRA-5.8.11

Preventive measures referred to in Paragraph CRA-5.8.10 above must include, at a minimum, the following:

CRA-5.8.11A

Licensees should also implement the following prevention controls in the following areas:

CRA-5.8.11B

Licensees must set up anti-spam and anti-spoofing measures to authenticate the licensee’s mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorized to send the email. Examples of such measures include:

CRA-5.8.11C

Licensees should subscribe to one of the Cyber Threat Intelligence services in order to stay abreast of emerging cyber threats, cybercrime actors and state of the art tools and security measures.

CRA-5.8.11D

Licensees must use a single unified private email domain or its subdomains for communication with clients to prevent abuse by third parties. Licensees must not utilise third-party email provider domains for communication with clients. The email domains must comply with the requirements of Paragraph OM-5.8.11B with respect to SPF, DKIM and DMARC.

CRA-5.8.11E

For the purpose of Paragraph CRA-5.8.11D, licensees with subsidiaries or branches outside Bahrain will be allowed to use additional domains subject to CBB’s review. Licensees may be allowed, subject to CBB’s review, for their clients to receive emails from third-party service providers for specific services offered by such third-parties provided the clients were informed and agreed on such an arrangement. Examples of such third-party services include informational subscription services and document management services.

CRA-5.8.11F

Licensees must comply with the following requirements with respect to URLs or other clickable links in communications with clients:

CRA-5.8.12

[This Paragraph was deleted in April 2023].

CRA-5.8.13

[This Paragraph was deleted in April 2023].

CRA-5.8.13A

Licensees must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing current cyber threats relevant to the licensee, it should take into account the factors detailed below:

CRA-5.8.13B

Licensees must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. Cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood and probability of a successful attack.

CRA-5.8.13C

Licensees should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above the licensee’s risk tolerance levels.

CRA-5.8.13D

Licensees must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Preferably, monthly assessments should be conducted for internal technology and weekly or more frequent assessments for external public facing services and systems.

CRA-5.8.13E

With respect to Paragraph CRA-5.8.13D, external technology refers to the licensee’s public facing technology such as websites, apps and external servers. Connections with third parties includes any API or other connections with fintech companies, technology providers, outsourcing service providers etc.

CRA-5.8.13F

Licensees must have in place vulnerability and patch management processes which include remediation processes to ensure that the vulnerabilities identified are addressed and that security patches are applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.

CRA-5.8.13G

All licensees must perform vulnerability assessment and penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least twice a year. These tests must be used to simulate real world cyber-attacks on the technology environment and must:

CRA-5.8.13H

The CBB may require additional third-party security reviews to be performed as needed.

CRA-5.8.13I

The time period between two consecutive penetration test and the vulnerability assessment by an independent third party, referred to in Paragraph CRA-5.8.13G(e) must be 6 months and the report on such testing must be provided to CBB within two months following the end of the month where the testing took place. The vulnerability assessment and penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests together with the steps taken to mitigate the risks identified.

CRA-5.8.14

[This Paragraph was deleted in April 2023].

CRA-5.8.14A

Licensees must implement cyber security incident management processes to ensure timely detection, response and recovery for cyber security incidents. This includes implementing a monitoring system for log correlation and anomaly detection.

CRA-5.8.14B

Licensees should receive data on a real time basis from all relevant systems, applications, and network devices including operational and business systems. The monitoring system should be capable of identifying indicators of cyber incidents and initiate alerts, reports, and response activities based on the defined cyber security incident management process.

CRA-5.8.14C

Licensees should retain the logs and other information from the monitoring system for detecting cyber incidents, including "low-and-slow" attacks, in order to facilitate incident investigations, for 12 months or longer.

CRA-5.8.14D

Once a cyber incident is detected, licensees should activate their containment measures, processes and technologies best suited to each type of cyber incident to prevent a cyber incident from inflicting further damage. This may involve, after considering the costs, business impact and operational risks, shutting down or isolating all or affected parts of their systems and networks as deemed necessary for containment and diagnosis.

CRA-5.8.14E

Licensees must define roles and responsibilities and assign adequate resources to detect, identify, investigate and respond to cyber incidents that could impact the licensee’s infrastructure, services and clients. Such responsibilities must include log correlation, anomaly detection and maintaining the licensee’s asset inventory and network diagrams.

CRA-5.8.14F

Licensees must regularly identify, test, review and update current cyber security risk scenarios and the corresponding response plan. This is to ensure that the scenarios and response plan remain relevant and effective, taking into account changes in the operating environment, systems or the emergence of new cyber security threats. If any gaps are identified, the monitoring system must be updated with new use cases and rule sets which are capable of detecting the current cyber incident scenarios.

CRA-5.8.14G

The cyber incident scenario tests should include high-impact-low-probability events and scenarios that may result in failure. Common cyber incident scenarios include distributed denial of service (DDoS) attacks, system intrusion, data exfiltration and system disruption. Licensees should regularly use threat intelligence to update the scenarios so that they remain current and relevant. Licensees should periodically review current cyber incident scenarios for the purpose of assessing the licensee’s ability to detect and respond to these scenarios if they were to occur.

CRA-5.8.14H

Licensees must ensure that critical cyber security incidents detected are escalated to an incident response team, management and the Board, in accordance with the licensee’s business continuity plan and crisis management plan, and that an appropriate response is implemented promptly. See also Paragraph CRA-5.8.33 for the requirement to report to the CBB.

CRA-5.8.14I

Licensees should clearly define the roles, responsibilities and accountabilities for cyber incident detection and response activities to one or more named individuals that meet the pre-requisite role requirements. Potential conflicts of interest are minimised by ensuring a separation of implementation and oversight roles where possible. The roles should include:

CRA-5.8.14J

For the purpose of managing a critical cyber incident, the licensee should operate a situation room, and should include in the incident management procedure a definition of the authorities and responsibilities of staff members, internal and external reporting lines, communication channels, tools and detailed working procedures. The situation room or a war room is a physical room or a virtual room where relevant members of the management gather to handle a crisis in the most efficient manner possible.

CRA-5.8.14K

Licensees should record and document in an orderly manner the incidents that have been handled and the actions that were taken by the relevant functions. In particular, the licensee should maintain an "incident log" in which all the notifications, decisions and actions taken, in relation to cyber incidents, are documented, as close as possible to the time of their occurrence. It should also include the status of the issue whether it is open or has been resolved and the person in charge of resolving the issue/incident. The logs should be stored and preserved in a secure and legally admissible manner.

CRA-5.8.14L

Licensees should utilise pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions; and a pre-established severity assessment framework to help gauge the severity of the cyber incident. For example, taxonomies that can be used when describing cyber incidents:

The cyber incident severity may be classified as:

CRA-5.8.14M

Licensees should determine the effects of the cyber incident on clients and to the wider financial system as a whole and report the results of such an assessment to the CBB if it is determined that the cyber incident may have a systemic impact.

CRA-5.8.14N

Licensees should establish metrics to measure the impact of a cyber incident and to report to management the performance of response activities. Examples include:

CRA-5.8.15

[This Paragraph was deleted in April 2023].

CRA-5.8.16

[This Paragraph was deleted in April 2023].

CRA-5.8.17

[This Paragraph was deleted in April 2023].

CRA-5.8.18

[This Paragraph was deleted in April 2023].

CRA-5.8.19

[This Paragraph was deleted in April 2023].

CRA-5.8.19A

[This Paragraph was deleted in April 2023].

CRA-5.8.20

[This Paragraph was deleted in April 2023].

CRA-5.8.20A

Licensees must identify the critical systems and services within its operating environment that must be recovered on a priority basis in order to provide certain minimum levels of service during the downtime and determine how much time the licensee will require to return to full service and operations.

CRA-5.8.20B

Critical incidents are defined as incidents that trigger the BCP and the crisis management plan. Critical systems and services are those whose failure can have material impact on any of the following elements:

CRA-5.8.20C

Licensees must define a program for recovery activities for the purpose of timely restoration of any capabilities or services that were impaired due to a cyber security incident. Licensees must establish recovery time objectives (“RTOs”), i.e. the time within which the intended process is to be covered, and recovery point objectives (“RPOs”), i.e. point to which information used must be restored to enable the activity to operate on resumption. Licensees must also consider the need for communication with third party service providers, clients and other relevant external stakeholders as may be necessary.

CRA-5.8.20D

Licensees must ensure that all critical systems are able to recover from a cyber security breach within the licensee’s defined RTO in order to provide important services or some level of minimum services for a temporary period of time.

CRA-5.8.20E

Licensees should validate that recovered assets are free of compromise, fully functional and meet the security requirements before returning the systems to normal business operations. This includes performing checks on data to ensure data integrity. In some cases, licensees may need to use backup data kept in a disaster recovery site or plan for the reconstruction of data from external stakeholders such as business partners and clients.

CRA -5.8.20F

Licensees must define a program for exercising the various response mechanisms, taking into account the various types of exercises such as attack simulations, "war games" and "tabletop" exercises, and with reference to the relevant stakeholders such as technical staff, crisis management team, decision-makers and spokespersons.

CRA-5.8.20G

Licensees must define the mechanisms for ensuring accurate, timely and actionable communication of cyber incident response and recovery activities with the internal stakeholders, including to the board or designated committee of the board.

CRA-5.8.21

[This Paragraph was deleted in April 2023].

CRA-5.8.22

A licensee must ensure its business continuity plan is comprehensive and includes a recovery plan for its systems, operations and services arising from a cyber security incident breach.

CRA-5.8.23

A licensee's CISO, as referred to in Paragraph CRA-5.8.3(d), is responsible for overseeing and implementing the licensee's cyber security program and enforcing its cyber security policy. The CISO must report to an independent risk management function or the licensee must incorporate the responsibilities of cyber security risk into the risk management function.

CRA-5.8.24

[This Paragraph was deleted in January 2020]

CRA-5.8.25

[This Paragraph was deleted in January 2020]

CRA-5.8.25A

[This Paragraph was deleted in April 2023].

CRA-5.8.26

[This Paragraph was deleted in April 2023].

CRA-5.8.27

[This Paragraph was deleted in April 2023].

CRA-5.8.28

A licensee, based on the assessment of cyber security risk exposure and with an objective to mitigate cyber security risk, must evaluate and consider the option of availing cyber risk insurance. The evaluation process to determine suitability of cyber risk insurance as a risk mitigant must be undertaken on a yearly basis and be documented by the licensee.

CRA-5.8.29

The cyber risk insurance policy, referred to in Paragraph CRA-5.8.28, may include some or all of the following types of coverage, depending on the risk assessment outcomes:

CRA-5.8.30

Licensees must evaluate improvement in the level of awareness and preparedness to deal with cyber security risk to ensure the effectiveness of the training programmes implemented.

CRA-5.8.31

The licensee must ensure that all employees receive adequate training on a regular basis, in relation to cyber security and the threats they could encounter, such as through testing employee reactions to simulated cyber-attack scenarios. All relevant employees must be informed on the current cyber security breaches and threats. Additional training should be provided to ‘higher risk staff’.

CRA-5.8.32

The licensees must ensure that role specific cyber security training is provided on a regular basis to relevant staff including:

CRA-5.8.33

Upon occurrence or detection of any cyber security incident or detection of any unplanned outages, whether internal or external, that compromises client information or disrupts critical services that affect operations, licensees must contact the CBB, immediately (within one hour), on 17547477 and submit Section A of the Cyber Security Incident Report (Appendix-B) to the CBB’s cyber incident reporting email, incident.cra@cbb.gov.bh, as soon as possible, but not later than two hours, following occurrence or detection of any cyber incidents.

CRA-5.8.34 CRA-5.8.34

Following the submission referred to in Paragraph CRA 5.8.33, the licensee must submit to the CBB Section B of the Cyber Security Incident Report (Appendix B) within 10 calendar days of the occurrence of the cyber security incident. Licensees must include all relevant details in the report, including the full root cause analysis of the cyber security incident, its impact on the business operations and clients, and all measures taken by the licensee to stop the attack, mitigate its impact and to ensure that similar events do not recur. In addition, a weekly progress update must be submitted to CBB until the incident is fully resolved.