CBB Volume 5: Contents

Central Bank of Bahrain Volume 5—Specialised Licensees
Specific Modules (By Type of Licensee)
Type 7: Ancillary Service Providers
Part A
High Level Standards
AU Ancillary Service Providers Authorisation Module
AU-4 Information Requirements and Processes
Skip to Content
Whole SectionText only Print Print Manager Link


The applicant should provide a security policy document containing the following information:

(a) A detailed risk assessment of the service(s) the applicant intends to provide, which should include risks of fraud and the security control and mitigation measures taken to adequately protect service users against the risks identified;
(b) a description of the IT systems, which should include:
(i) the architecture of the systems and their network elements;
(ii) the business IT systems supporting the business activities provided, such as the applicant's website, wallets, the payment engine, the risk and fraud management engine, and customer accounting;
(iii) the support IT systems used for the organisation and administration of the applicant, such as accounting, legal reporting systems, staff management, customer relationship management, e-mail servers and internal file servers;
(iv) information on whether those systems are already used by the applicant or its group, and the estimated date of implementation, if applicable;
(v) the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
(vi) the logical security measures and mechanisms in place, specifying the control the applicant will have over such access as well as the nature and frequency of each control, such as technical versus organisational; preventative versus detective; and real-time monitoring versus regular reviews, such as the use of an active directory separate from the group, the opening/closing of communication lines, security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
(c) the logical security measures and mechanisms that govern the internal access to IT systems, which should include:
(i) the technical and organisational nature and frequency of each measure, such as whether it is preventative or detective and whether or not it is carried out in real time;
(ii) how the issue of client environment segregation is dealt with in cases where the applicant's IT resources are shared;
(d) the physical security measures and mechanisms of the premises and the data centre of the applicant, such as access controls and environmental security;
(e) the security of the payment processes, which should include:
(i) the customer authentication procedure used for both consultative and transactional access, and for all underlying payment instruments;
(ii) an explanation of how safe delivery to the legitimate payment service user and the integrity of authentication factors, such as hardware tokens and mobile applications, are ensured, at the time of both initial enrolment and renewal;
(iii) a description of the systems and procedures that the applicant has in place for transaction analysis and the identification of suspicious or unusual transactions;
(f) a detailed risk assessment in relation to its payment services, including fraud, with a link to the control and mitigation measures explained in the application file, demonstrating that the risks are addressed;
(g) a list of the main written procedures in relation to the applicant's IT systems or, for procedures that have not yet been formalised, an estimated date for their finalisation.
Added: December 2018
(1 Version)
Dec 1 2018 onwards
Back to top