Central Bank of Bahrain Rulebook, Volume 5 (Specialised Licensees), Type 7: Ancillary Service Providers, OB Open Banking Module, OB-1.1 Risks, Systems and Controls: Operational Risks
  • Operational Risks

    • OB-1.1.5

      AISPs and PISPs must document the process by which they identify, prioritise and manage their operational risks.

      Added: December 2018

    • OB-1.1.6

      Operational risk in AISPs' and PISPs' activities includes the risk of loss of confidential customer data, financial loss or reputational loss resulting from inadequate or failed internal processes, people, technology and systems, or from external events, including the risks of internal and external fraud and cyber threats. In assessing potential operational risk, the following are some of the factors that may affect the licensee's risk exposure:

      (a) Lack of governance, board and management oversight;
      (b) Inadequate internal controls;
      (c) Insufficient transaction monitoring;
      (d) Failure of information technology through breakdown, incompatibility of legacy systems and poor scalability, poor security, etc.;
      (e) Failure or insufficient cyber and information security controls;
      (f) Failure of processes and procedures;
      (g) Internal and external fraud;
      (h) Legal risks;
      (i) Outsourcing risk;
      (j) Business continuity and disaster recovery; and
      (k) Reputational risks.
      Added: December 2018

    • OB-1.1.7

      AISPs and PISPs must establish comprehensive procedures for monitoring, handling and following up on security and fraud incidents and related customer complaints, including but not limited to the following:

      a) organisational measures and tools for the prevention of such incidents;
      b) details of the individual(s) and bodies responsible for assisting customers in cases of such incidents and technical issues and/or claim management;
      c) reporting lines in cases of such incidents;
      d) the contact point for customers, including a name and email address;
      e) the procedures for the reporting of incidents, including the communication of these reports to internal or external bodies, including notification of major incidents to national competent authorities; and
      f) the monitoring tools used and the follow-up measures and procedures in place to mitigate security and fraud risks.
      Added: December 2018

    • OB-1.1.8

      AISPs and PISPs must maintain an up-to-date security policy document containing the following information:

      a) A detailed documentation of the technology architecture and of the systems and the network elements providing:
      i. a description of the business IT systems supporting the business activities;
      ii. the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
      iii. for each of the connections, the logical security measures and mechanisms in place, specifying the control the licensee will have over such access as well as the nature and frequency of each control;
      iv. process for the opening/closing of communication lines, and description of security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
      b) the logical security measures and mechanisms that govern the internal access to IT systems;
      c) the physical security measures and mechanisms of the premises and the data centre of the licensee, such as access controls and environmental security;
      d) the security of the account information and payment initiation processes, which should include:
      i. the customer authentication procedures used for both consultative and transactional access, and for all underlying payment instruments;
      ii. an explanation of how safe delivery of tokens to the legitimate customer is ensured; and
      iii. a description of the integrity of authentication factors, tokens and online and mobile applications at the time of both initial enrolment and renewal.
      Added: December 2018

    • OB-1.1.9

      AISPs and PISPs must ensure they have an up-to-date business continuity plan and arrangements consisting of the following information:

      a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives and protected assets;
      b) the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;
      c) an explanation of how the licensee will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; the inaccessibility of the premises; and the loss of key persons; and
      d) the frequency with which the licensee intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded.
      Added: December 2018

    • OB-1.1.10

      AISPs and PISPs must appoint a third party specialist to conduct vulnerability assessments against cyber-attacks and penetration testing on the specific API security standards every 6 months. The specialist's report must be submitted to the CBB, along with the licensee's related action plan to resolve any issues identified. All relevant threat profiles referenced in the security standards including the risk of social engineering must be considered for the reviews.

      Added: December 2018

    • OB-1.1.11

      AISPs and PISPs must ensure that their overall systems and controls including but not limited to the business continuity, disaster recovery, information security testing, web-applications testing, smart device application testing, and cyber resilience are evaluated and independently tested by an external consultant:

      a) initially upon implementation of this Module;
      b) when there are any material changes to the systems and controls; and
      c) at least once every 3 years.
      Added: December 2018

    • OB-1.1.12

      A PISP must establish payment initiation procedures to ensure:

      (a) that a customer's personalised security credentials are:
      i. not accessible to other parties, with the exception of the issuer of the credentials; and
      ii. transmitted through safe and efficient channels;
      (b) that any other information about a customer is not provided to any person except a payee, and is provided to the payee only with the customer's explicit consent;
      (c) that each time a customer initiates a payment order, he identifies himself in a secure way to the PISP, the licensee with whom he maintains the account;
      (d) that it will not store sensitive data of the customer (such as customer security credentials or other personalised data, the holding of which is not authorised by the customer, and data which may be used by the holder for unauthorised, fraudulent or illegal activity or transactions);
      (e) that it will not use or access any information for any purpose except for the provision of a payment initiation service explicitly requested by a payer; and
      (f) that it cannot and does not change the amount, the payee or any other feature of a transaction notified to it by the customer.
      Added: December 2018

    • OB-1.1.13

      An AISP must establish account information procedures to ensure:

      (a) that it does not provide account information services without the customer's explicit consent;
      (b) that the customer's personalised security credentials are:
      i. not accessible to other parties, with the exception of the issuer of the credentials; and
      ii. transmitted through safe and efficient channels;
      (c) that, for each communication session, it communicates securely with the licensee and the customer in accordance with the regulatory requirements of this Module;
      (d) that it does not access any information other than information from designated accounts; and
      (e) that it cannot and does not use, access or store any information for any purpose except for the provision of the account information service explicitly requested by the customer.
      Added: December 2018
