Entire section Custom print Link Text Only Rich Text Print

RM-7.1.7

Licensees must comply with the following requirements:

(i) Prior CBB approval is required on any outsourcing to a third-party outside Bahrain (excluding cloud data services). The request application must:
a. include information on the legal and technical due diligence, risk assessment and detailed compliance assessment; and
b. be made at least 30 calendar days before the licensee intends to commit to the arrangement.
(ii) Post notification to the CBB, within 5 working days from the date of signing the outsourcing agreement, is required on any outsourcing to an intragroup entity within or outside Bahrain or to a third-party within Bahrain, provided that the outsourced service does not require a license, or to a third-party cloud data services provider inside or outside Bahrain.
(iii) Licensees must have in place sufficient written requirements in their internal policies and procedures addressing all strategic, operational, logistical, business continuity and contingency planning, legal and risks issues in relation to outsourcing.
(iv) Licensees must sign a service level agreement (SLA) or equivalent with every outsourcing service provider. The SLA must clearly address the scope, rights, confidentiality and encryption requirements, reporting and allocation of responsibilities. The SLA must also stipulate that the CBB, external auditors, internal audit function, compliance function and where relevant the Shari’a coordination and implementation and internal Shari’a audit functions of the licensee have unrestricted access to all relevant information and documents maintained by the outsourcing service provider in relation to the outsourced activity.
(v) Licensees must designate an approved person to act as coordinator for monitoring and assessing the outsourced arrangement to ensure compliance with the licensee’s internal policies and applicable laws and regulations.
(vi) Licensee must submit to the CBB any report by any other regulatory authority on the quality of controls of an outsourcing service provider immediately after its receipt or after coming to know about it.
(vii) Licensee must inform its normal supervisory point of contact at the CBB of any material problems encountered with the outsourcing service provider if they remain unresolved for a period of three months from its identification date.
(viii) Where the internal audit function is fully or partially outsourced, licensees must ensure that:
i. The use of external experts does not compromise the independence and objectivity of the internal audit function;
ii. The outsourcing service provider has not been previously engaged in a consulting or external audit engagement with the licensee unless a one year “cooling-off” period has elapsed;
iii. The outsourcing service provider must not provide consulting services to the licensee during the engagement period; and
iv. Adequate oversight is maintained over the outsourcing service provider to ensure that it complies with the licensee’s internal audit charter, policy and applicable laws and regulations.
Amended: July 2023
Amended: July 2022
Adopted: July 2010