In a possible sign of things to come, the Central Bank of Bahrain has proposed changes to Volume 4 of its Rulebook (investment firms), revising the authorisation module, drafting a new module on digital financial advice and adding a chapter on cyber security risk measures, as well as adding to Volume 4’s glossary. The new cyber security chapter is a complete rewrite of the existing regulation and goes into detail on areas including accountability and responsibility, roles and responsibilities, and policies and procedures. Licensees providing internet services are required to test their systems twice a year – and to report the findings to the CBB within two months. These tests must be conducted by external, independent security professionals, such as ethical hackers. The proposed rules – which currently apply only to investment firms – are available on the CBB website in the ‘open consultations’ section.
SWIFT – a standard format for business identifier codes (BICs) used to identify banks and financial institutions globally – has announced a trial integration with R3’s Corda blockchain platform in the hopes of creating a transparent system that can be used to monitor payment flows and support application programming interfaces (APIs). Initially, the trial will be limited to R3’s trade ecosystem but – if successful – could be extended to support other distributed ledgers, non-distributed ledgers and e-commerce platforms. Companies using the R3 platform will authorise payments from their banks using global payments innovation (GPI) links. Payments will be settled and confirmations – once completed – reported back to trade platforms using those same links.
The growth of blockchain-based solutions indicates that the technology is here to stay, becoming the basis for highly efficient, transparent systems.
In a move designed to strengthen protection for Bahrain’s critical telecommunications infrastructure, the Telecommunications Regulatory Authority (TRA) released Resolution 5 of 2017, regulating risk management for critical telecommunications infrastructure, in May 2017. The resolution establishes a risk management process that is closely aligned with ISO 27001:2013, sets out expectations for business continuity (ISO 22301:2012), standardises licensees’ approach to assessing and protecting the security and availability of critical telecoms infrastructure and defines licensees’ responsibilities. Licensees which install, operate or manage critical telecoms infrastructure, as well as holders of particular licences, should expect to receive, if they haven’t already, a risk management determination (RMD). Based on the RMDs, licensees are expected to adhere to two specific timelines – a three-month deadline requiring an asset inventory and an 18-month deadline requiring licensees to develop, implement and maintain a business continuity plan; ISO 27001 certification; a certification audit report; and a risk assessment.
The TRA also expects businesses to recertify every three years and reserves the right to ask for additional risk assessments, including penetration testing. Licensees that are found to be non-compliant will be deemed to be in material breach of the telecommunications law and could face penalties and sanctions.
Keypoint is working with a number of telcos on a range of ISO certification engagements and has a skilled, seasoned team with the required credentials. More details on Resolution 5 can be found in our recently released flyer. Alternatively, please contact Srikant Ranganathan at email@example.com or Darrshan Manukulasooriya at firstname.lastname@example.org.
Srikant Ranganathan addressed the Bahrain Chapter of the Institute of Chartered Accountants of India (BCICAI) on Bahrain’s upcoming personal data protection law (PDPL) on 26 February. Speaking to a packed audience at the BCICAI’s ‘High Tea’ event, Srikant explained that Bahrain had released Law 30 of 2018, the Personal Data Protection Law (PDPL) in July 2018, with the PDPL coming into force on 1 August 2019. The PDPL gives individuals and entities in Bahrain rights in relation to how their personal data can be collected, processed and stored. It imposes new obligations on how businesses manage data. Under the law, personal data must be processed ‘fairly’. Data owners must be notified when their personal data is collected and processed. Personal data must be stored securely. Data owners can exercise their rights directly with businesses. The PDPL also requires entities to seek prior approval from the relevant data protection authority (DPA) when collecting, processing and storing personal data. In a striking contrast to the EU’s recently implemented GDPR, the PDPL includes severe penalties (including jail time) for non-compliance.
Keypoint was one of the first professional firms in the region to understand and highlight the challenges that personal data requirements – whether the EU’s GDPR or Bahrain’s PDPL – will pose for Bahraini businesses. For more details on how our data privacy team can help you, or to request a gap assessment, contact Srikant Ranganathan at email@example.com.
The Central Bank of Bahrain (CBB) issued two circulars in January: circular EDBS/KH/C/2/2019 on 13 January 2019, announcing agreed-upon procedures (AUPs) for annual reviews of AML processes under the FC Module of Volumes 1 and 2, and circular EDBS/KH/4/2019 on 15 January 2019, enhancing compliance functions.
Further details on the circulars can be found here.
To discuss these circulars – or any AML or compliance issues – with a member of our Financial Regulatory Compliance team, please contact Dr Mukund Ballal on +973 1720 6813 or firstname.lastname@example.org.
Over 75 senior executives from across the GCC discussed Bahrain’s approach to the cloud, infrastructure as code and the primacy of security at a half-day seminar at the Downtown Rotana in Manama on Wednesday 23 January 2019.
Co-hosted with Infonas, an AWS consulting partner specialising in data centre migrations to cloud, re-platforming and serverless technologies, the seminar raised a number of critical issues, according to Srikant Ranganathan, a senior director who leads Keypoint’s IT consulting function. “With the public sector in Bahrain – and across much of the GCC – taking the lead in migrating data and systems to the cloud, some key decisions have already been taken. But – as with any journey – there are a number of different ways of reaching the same destination so roadmaps are key. Giving our audience access not just to our expertise but also Infonas’s expertise in infrastructure as cloud offered a number of different perspectives.”
Studies suggest that cloud computing – the practice of using a network of remote servers on the internet to store, manage and process data, rather than a local or on-site server – has significant advantages over traditional computing practices. Bahrain’s cloud-first policy document, developed by the Information and e-Government Authority (iGA), suggests that the migration of government services to the cloud could deliver higher business value, optimise costs through standardised infrastructure management, improve service quality and business continuity, and promote a holistic, nationwide approach.
Srikant says that the advantages of a cloud-first policy are clear. “The benefits of a cloud-first policy include an immediate reduction in costs, improved systems resiliency, better integration and improved collaboration, improved agility, better budget control and upgraded continuity. However, there are significant hurdles – and making security ‘front of mind’ is a significant part of every successful cloud migration.”
Speakers at Wednesday’s seminar included Osama Al Alawi, a manager with Keypoint’s IT and financial regulatory compliance functions who spoke on Bahrain’s position in the cloud, and Rayan Britto, a senior IT security specialist, who stressed the importance of cloud security, both data and systems.