
Taxflash 4 April 2019

This week’s TaxFlash is out! Updates from Bahrain, Kuwait, the UAE and Saudi Arabia – and technical tips for the healthcare sector. Contact us to be added to our mailing list – you would be amazed at who reads us every week!

NBR issues financial services VAT guide

Bahrain’s National Bureau for Revenue (NBR) has recently circulated welcome guidance in the form of a financial services VAT guide which sets out VAT principles specifically relevant to the financial services and insurance sectors. Keypoint’s market-leading tax team has analysed the 119-page guide and highlights key findings in the attached VAT alert.

To discuss this development – or any VAT issue – with one of our VAT specialists, contact the VAT team at vat@keypoint.com or +973 1720 6809.

IRS FAQ update

The IRS has released (issue 2019-3 dated 28 March 2019) new FAQs clarifying compliance for foreign financial institutions (FFIs).

The highlights:

  1. FAQ20 explains the certification requirements of sponsoring entities with certification period ending 31 December 2017
  2. FAQ17 clarifies steps for FFIs whose status is initiated, incomplete or under review for a period of six months or more
  3. FAQ7 reinforces the importance of constantly updating contact information of an FFI’s person of contact (POC) and responsible officer (RO)

For more details please contact:

Dr Mukund Ballal

Advisor, Financial Regulatory Compliance


+973 1720 6813


Sindhu Balasubramanian

Senior Manager, Financial Regulatory Compliance


+973 1720 6838


Osama Al Alawi

Manager, Financial Regulatory Compliance


+973 1720 6857

FATCA & CRS reporting

The Central Bank of Bahrain (CBB) issued circular OG/144/2019 on 24 March 2019 announcing:

  • FATCA and CRS reporting for the year ending 31 December 2018 starts on 1 April 2019 through the CBB’s AEOI portal
  • Reports must be submitted by 2 May 2019
  • FATCA and CRS report submission deadlines from now on will be 2 May every year
  • There are 60 reportable CRS jurisdictions* for the year ending 31 December 2018
  • Reporting financial institutions (RFIs) must comply with CBB requirements, ensuring information is accurate and complete
  • Delays in submission will be penalised
  • Please refer to the CRS standards for CRS compliance guidelines

Please refer to the IGA for FATCA compliance guidance.

For more details on both these updates, please click here or contact:

Dr Mukund Ballal

Advisor – Financial Regulatory Compliance

T +973 1720 6813




Are CISOs right to be scared of artificial intelligence?

Artificial intelligence (AI) has become a buzzword for next generation technocrats, who swear by the capability of AI-based systems to accurately mimic and, in some cases, improve human behaviour – but without the inconsistencies arising from “being human”. Perceived benefits – including increased cost effectiveness and strategic differentiators – have motivated businesses to invest in and deploy AI-based systems in various walks of life.

Will AI remain a tool simply for business users? History indicates otherwise. Nearly every invention intended to improve our lives has been distorted in some way and used for nefarious activities. AI is most unlikely to be an exception.

Even as AI applications find a foothold in the market, the concept has been hijacked by cyber criminals. You should expect to see autonomous malware with AI capabilities that can modify, adapt and repurpose itself based on contextual learning from the target environment, security measures in place and information collected. This exponentially increases the cost of detection and prevention and in many ways nullifies the ability to respond using automated solutions. Manual solutions may be no match either.

What are security solution and service providers doing to react to this growing threat?

For more details:

Srikant Ranganathan

Senior Director

IT Consulting

+973 1720 6827

+973 3626 6286


Bahrain’s personal data protection law (PDPL)

Bahrain issued Law 30 of 2018 – the personal data protection law (PDPL) – on 19 July 2018. The PDPL, which comes into effect on 1 August 2019, applies to almost every entity processing personal data. The PDPL will dramatically change the way businesses in Bahrain process personal data. Businesses are required to seek approval before collecting, processing or storing personal data. There are also new rules for how businesses manage data.

The PDPL, in a first for the region, also introduces criminal penalties, with prison terms of up to one year for serious offences.

Keypoint’s data privacy team has deep data privacy and protection experience, having been engaged on a number of projects related to data classification, end-to-end data process reviews and data life cycles. We have also been engaged by clients to implement various information security-related controls.

For more details on how the PDPL will impact your business – and how Keypoint can help assess and mitigate that impact – please download or contact:

Srikant Ranganathan

Senior Director

+973 1720 6827

+973 3626 6286


CBB releases crypto-assets module (CRA)

Following industry-wide consultation, the Central Bank of Bahrain (CBB) has issued a crypto-assets module (CRA) under Volume 6 (Capital Markets) of the CBB Rulebook. The new module outlines four licensing categories, with capital requirements dependent on the scope and type of crypto-asset services offered. Bahrain is the first country in the region to have an on-shore regulatory framework for crypto-assets.

The CRA module includes requirements for licensing and supervising crypto-asset exchanges and other crypto-asset services, including trading, dealing, advisory, and portfolio management in accepted crypto-assets as principals, agents or custodians. The module introduces specific rules relating to market abuse, manipulation and enforcement and explains how the CBB will penalise late – or non-compliant – submission of date-sensitive requirements.

The CBB’s regulatory sandbox currently has 11 companies that provide a wide range of crypto-asset services.

For more information on crypto-assets, please contact Osama Al Alawi at osama.alalawi@keypoint.com or +973 1720 6857.

CBB drafts rules on cyber security

In a possible sign of things to come, the Central Bank of Bahrain has proposed changes to Volume 4 of its Rulebook (investment firms), revising the authorisation module, drafting a new module on digital financial advice and adding a chapter on cyber security risk measures, as well as adding to Volume 4’s glossary. The new cyber security chapter is a complete rewrite of the existing regulation and goes into detail on areas including accountability and responsibility, roles and responsibilities, and policies and procedures. Licensees providing internet services are required to test their systems twice a year – and to report the findings to the CBB within two months. These tests must be conducted by external, independent security professionals, such as ethical hackers. The proposed rules – which currently apply only to investment firms – are available on the CBB website in the ‘open consultations’ section.

For more details, please read here or contact Srikant Ranganathan at srikant.ranganathan@keypoint.com or Rayan Britto at rayan.britto@keypoint.com

SWIFT launches blockchain trial

SWIFT – a standard format for business identifier codes (BICs) used to identify banks and financial institutions globally – has announced a trial integration with R3’s Corda blockchain platform in the hopes of creating a transparent system that can be used to monitor payment flows and support application programming interfaces (APIs). Initially, the trial will be limited to R3’s trade ecosystem but – if successful – could be extended to support other distributed ledgers, non-distributed ledgers and e-commerce platforms. Companies using the R3 platform will authorise payments from their banks using global payments innovation (GPI) links. Payments will be settled and confirmations – once completed – reported back to trade platforms using those same links.

The growth of blockchain-based solutions indicates that the technology is here to stay, becoming the basis for highly efficient, transparent systems.

For more details, read here or contact Srikant Ranganathan at srikant.ranganathan@keypoint.com or Rayan Britto at rayan.britto@keypoint.com.

TRA to enforce risk standards

In a move designed to strengthen protection for Bahrain’s critical telecommunications infrastructure, the Telecommunications Regulatory Authority (TRA) released Resolution 5 of 2017, regulating risk management for critical telecommunications infrastructure, in May 2017. The resolution establishes a risk management process that is closely aligned with ISO 27001:2013, sets out expectations for business continuity (ISO 22301:2012), standardises licensees’ approach to assessing and protecting the security and availability of critical telecoms infrastructure and defines licensees’ responsibilities. Licensees which install, operate or manage critical telecoms infrastructure, as well as holders of particular licences, should expect to receive, if they haven’t already, a risk management determination (RMD). Based on the RMDs, licensees are expected to adhere to two specific timelines – a three-month deadline requiring an asset inventory and an 18-month deadline requiring licensees to develop, implement and maintain a business continuity plan; ISO27001 certification; a certification audit report; and a risk assessment.

The TRA also expects businesses to recertify every three years and reserves the right to ask for additional risk assessments, including penetration testing. Licensees that are found to be non-compliant will be deemed to be in material breach of the telecommunications law and could face penalties and sanctions.

Keypoint is working with a number of telcos on a range of ISO certification engagements and has a skilled, seasoned team with the required credentials. More details on resolution 5 can be found in our recently released flyer. Alternatively, please contact Srikant Ranganathan at srikant.ranganathan@keypoint.com or Darrshan Manukulasooriya at darrshan.m@keypoint.com.