OM-A.2.2
The changes made to this Module are detailed in the table below:
Summary of Changes
Module Ref. | Change Date | Description of Changes |
OM-5.1 | 01/04/05 | Physical security measures. |
OM-4.2 | 01/10/05 | Succession planning for locally incorporated banks. |
OM-5.1 | 01/10/05 | Clarification of security manager role for smaller banks and deletion of requirement for cash trays. |
OM-B & OM-1.2 | 01/04/06 | Minor amendments concerning roles of Board and management and editing of OM B. |
OM-5.1.15-OM-5.1.24 | 01/04/06 | New security requirements for ATM security arrangements and reporting of security related complaints. |
OM-A.2.1-OM-A.2.6 | 01/10/07 | Purpose (expanded) |
OM-A.2.1-OM-A.2.6 | 01/10/07 | Key Requirements (deleted) |
OM-5.1-OM-5.9 | 01/10/07 | Business Continuity Planning (expanded) |
OM-7 | 01/10/07 | New Books and Records Chapter transferred from Module GR |
OM-8 | 01/04/08 | Basel II Qualitative Operational Risk Requirements |
OM | 01/2011 | Various minor amendments to ensure consistency in CBB Rulebook. |
OM-A.1.3 and OM-A.1.4 | 01/2011 | Clarified legal basis. |
OM-7.1.4 | 04/2011 | This paragraph was deleted as Ministerial Order 23 does not apply to CBB licensees. |
OM-7.3.4 | 04/2011 | Clarified retention period of records for promotional schemes. |
OM | 07/2011 | Various minor amendments to clarify Rules and have consistent language. |
OM-2.4 | 07/2011 | Amended CBB reporting requirements regarding succession planning. |
OM-3.1.7 | 07/2011 | Paragraph deleted as no longer applicable since standard conditions and licensing criteria document has now been incorporated as part of Volume 1. |
OM-6.2 | 10/2011 | Added new Section on internet security. |
OM-7.1.7 | 10/2011 | Corrected typo. |
OM-A.1.3 | 01/2012 | Updated legal basis. |
OM-2.1.4 | 01/2012 | Corrected cross reference. |
OM-3.2.2 | 04/2012 | Deleted last sentence of Paragraph as it repeats the requirement under Paragraph OM-3.3.1 |
OM-6.2.2 | 04/2012 | Clarified penetration testing interval for internet security. |
OM-1.1.4 | 10/2012 | Amended to reflect updated version of Basel Committee document. |
OM-3.2.6, OM-5.2.1, OM-5.4.8, OM-8 | 10/2012 | Amended to reflect the Basel June 2011 paper on Principles for the Sound Management of Operational Risk. |
OM-6.2 | 07/2013 | Amended reporting requirements related to internet security measures. |
OM-6.2.1 | 10/2013 | Amended Rule to apply to all banks. |
OM-3.7.2 | 10/2015 | Clarified Rule on internal audit outsourcing. |
OM-6 | 04/2016 | Updated ATM security measures for banks. |
OM-3.9 | 07/2016 | Added new Section dealing with outsourcing of functions containing customer information. |
OM-5.10 | 10/2016 | Added new Section on Cyber Security Risk Management |
OM-6.1.1 | 10/2016 | Added implementation deadline date |
OM-6.4.3 | 10/2016 | Corrected cross references |
OM-6.4.4 | 10/2016 | Corrected cross references |
OM-6.4.5 | 10/2016 | Corrected cross references |
OM-6.6 | 10/2016 | Added new Section on Cyber Security Measures |
OM-3.9.2 | 01/2017 | Amended Paragraph on customer information |
OM-3.9.6 | 01/2017 | Added new guidance paragraph on customer information |
OM-6.4.22 | 04/2017 | ATM requirement on Solid Wall deleted. |
OM-6.4.23 | 04/2017 | ATM requirement on Solid Wall deleted. |
OM-6.3.1 | 07/2017 | Clarified requirements on compliance date. |
OM-6.3.2A | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
OM-6.3.2B | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
OM-6.3.2C | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
OM-6.3.2D | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
OM-6.3.2E | 07/2017 | Added new paragraph on Prohibition of Double Swiping. |
OM-6.4.21 | 07/2017 | Deleted paragraph. |
OM-7.2.1 | 07/2017 | Amended paragraph according to the Legislative Decree No. (28) of 2002. |
OM-7.2.2 | 07/2017 | Deleted paragraph. |
OM-3.1.2 | 10/2017 | Amended paragraph to allow the utilization of cloud services. |
OM-3.1.5A | 10/2017 | Added a new paragraph on outsourcing requirements. |
OM-3.2.3 | 10/2017 | Amended paragraph. |
OM-3.3.1 | 10/2017 | Amended paragraph. |
OM-3.3.2 | 10/2017 | Amended paragraph. |
OM-3.3.3 | 10/2017 | Amended paragraph. |
OM-3.3.4 | 10/2017 | Amended paragraph. |
OM-3.3.5 | 10/2017 | Added a new paragraph on outsourcing. |
OM-3.4.1 | 10/2017 | Amended paragraph. |
OM-3.4.2(b) | 10/2017 | Amended sub-paragraph. |
OM-3.4.3 | 10/2017 | Deleted paragraph. |
OM-3.4.5 | 10/2017 | Amended paragraph. |
OM-3.5.1(a) | 10/2017 | Amended sub-sub-paragraph no. (5). |
OM-3.5.1(c) | 10/2017 | Amended sub-sub-paragraphs no. (2) and (3). |
OM-3.5.1(e) | 10/2017 | Amended sub-sub-paragraph no. (3). |
OM-3.8.3 | 10/2017 | Amended paragraph. |
OM-3.9.1 | 10/2017 | Amended paragraph. |
OM-3.9.2 | 10/2017 | Amended paragraph on third party outsourcing of functions. |
OM-3.9.3 | 10/2017 | Amended paragraph. |
OM-3.9.4) | 10/2017 | Amended paragraph. |
OM-3.9.4(b) | 10/2017 | Amended sub-paragraph. |
OM-3.9.4(d) | 10/2017 | Deleted sub-paragraph. |
OM-3.9.5 | 10/2017 | Deleted paragraph. |
OM-3.9.7 | 10/2017 | Added a new paragraph for security measures related to cloud services. |
OM-6.4.6 | 10/2017 | Amended paragraph to include ancillary service providers. |
OM-6.3.1A | 04/2018 | Added a new Paragraph on card (EMV) compliance. |
OM-6.3.1B | 04/2018 | Added a new Paragraph on "provision of cash withdrawal and payment services through various channels". |
OM-6.3.2 | 04/2018 | Amended Paragraph to mention "Conventional bank licensees". |
OM-3.9.2 | 07/2018 | Amended Paragraph to include call centres. |
OM-3.9.2A | 07/2018 | Added new Paragraph on customer notification. |
OM-6.4.15A | 10/2018 | Added a new Paragraph on drive-thru ATMs. |
OM-6.4.20A | 10/2018 | Added a new Paragraph on drive-thru ATMs. |
OM Module | 01/2020 | Entire Module revised for better alignment with the principles and guidance from Basel Committee on Banking Supervision. |
OM-5.2.1A | 07/2020 | Added a new Paragraph on contactless payments. |
OM-5.1.2A & OM-5.1.2B | 10/2020 | Added new Paragraphs on fraudulent phishing attempts measures. |
OM-2.8.5 | 01/2021 | Deleted Subparagraph (a). |
OM-3.1.2(f) | 01/2021 | Amended Subparagraph on electronic fraud. |
OM-3.3.11 | 01/2021 | Added a new Paragraph on electronic fraud awareness. |
OM-5.1.5 | 04/2021 | Amended Paragraph. |
OM-5.5 | 07/2021 | New enhanced Section. |
Appendix C | 07/2021 | Added a new Appendix - Cyber security Control Guidelines |
OM-1.6.1 | 01/2022 | Deleted Paragraph. |
OM-1.6.2 | 01/2022 | Deleted Paragraph. |
OM-1.6.3 | 01/2022 | Amended Paragraph. |
OM-1.6.4 – OM-1.6.6 | 01/2022 | Deleted Paragraphs. |
OM-5.3.2 | 01/2022 | Amended Paragraph. |
OM-5.3.3 – OM-5.3.11 | 01/2022 | Deleted Paragraphs. |
OM-1.3.17(g) | 04/2022 | Amended Subparagraph on vacation policy. |
OM-5.5.57 | 04/2022 | Amended Paragraph on cyber security incident reporting. |
OM-5.5.58 | 04/2022 | Amended Paragraph on submission period of the cyber security incident report. |
OM-5.5.61 | 04/2022 | Deleted reference to BR. |
OM-2 | 07/2022 | Replaced Chapter OM-2 with new Outsourcing Requirements. |
OM-5.3.25 | 10/2022 | Added a new Paragraph on compliance with the physical security requirements for ATM installations. |
OM-5.5.21 | 10/2022 | Amended Paragraph on email domains requirements. |
OM-5.5.21A | 10/2022 | Added a new Paragraph on additional domains requirements. |
OM-2.1.7(v) | 04/2023 | Amended Subparagraph on the outsourcing coordinator. |
OM-2.1.7(viii) | 04/2023 | Added a new Subparagraph on outsourcing the internal audit function. |
OM-5.2.1 – OM-5.2.1A | 04/2023 | Amended contactless payment amount permitted where no pin or authentication is required. |