The CBB Law and Rulebook

The financial services sector in Bahrain is primarily governed by Decree No 64 of 2006 promulgating the Central Bank of Bahrain (CBB) and Financial Institutions Law, as amended (“CBB Law”).

The CBB is the sole regulator of the financial services sector in Bahrain.

The CBB in its capacity as the regulatory and supervisory authority for all financial institutions in Bahrain, issues regulatory instruments that licensees and other specified persons are legally obliged to comply with. These regulatory instruments are contained in the CBB Rulebook, which is divided into separate volumes, each focusing on a particular category of licence or industry sector as follows:

• volume 1 – conventional banks;
• volume 2 – Islamic banks;
• volume 3 – insurance licensees;
• volume 4 – investment business;
• volume 5 – specialised licensees;
• volume 6 – capital markets; and
• volume 7 – collective investment undertakings (CIUs).

Volume 5 (specialised licensees) covers money changers, financing companies, representative offices, administrators, trust service providers, micro-finance institutions and providers of ancillary services to the financial sector.

Except for volumes 5, 6 and 7, the basic structure of each CBB Rulebook is the same. Each volume starts with a contents page and user’s guide. Subsequent material is organised underneath the following headings:

• high-level standards;
• business standards;
• prudential requirements;
• reporting requirements;
• enforcement and redress; and, where appropriate,
• sector guides.

In addition, the CBB has the power under the CBB Law to issue regulations, resolutions and directives.

Other Key Legislation

Other key laws relevant to the financial services sector are:

• Law No 12 of 1971 promulgating the civil and commercial procedures law, as amended, that governs litigation in Bahrain’s civil courts;
• Law No 7 of 1987 promulgating the law of commerce, as amended, that governs commercial activities and covers specific provisions pertaining to banking, including bills of exchange, promissory notes and cheques;
• Law No 19 of 2001 promulgating the Civil Code, as amended, which serves as the primary law governing civil and commercial matters and contains provisions pertaining to security creation, including assignments, guarantees, pledges and mortgages;
• Law No 21 of 2001 promulgating the commercial companies’ law, as amended (the “Companies Law”), which is the primary legislation governing the incorporation, operation and dissolution of commercial companies in Bahrain. It establishes the framework for company structures; sets rules for corporate governance, shareholder rights, and financial reporting; and includes provisions for mergers, liquidation, and foreign ownership;
• Law No 6 of 2015 concerning the conflict of laws in civil and commercial matters involving a foreign party, as amended, which provides a framework for determining which law applies to civil and commercial disputes that involve a foreign element;
• Law No 22 of 2018 promulgating the restructuring and insolvency law, as amended (the “Insolvency Law”) which sets out the insolvency regime that applies to non-CBB licensed entities; and
• Law No 54 of 2018 promulgating the electronic communications and transactions law, which provides a legal framework for electronic documents and transactions.

Bank Requirements

For a bank to operate in Bahrain, it requires a licence from the CBB.

Banks can be conventional or Islamic. A bank may be incorporated in Bahrain, or it may be incorporated in a jurisdiction outside Bahrain and operate via a branch in Bahrain. 

Banks are divided into two categories, namely wholesale and retail banks.

Retail banks

A retail bank may undertake transactions in any currency, with Bahraini residents and non-residents. To qualify as a retail bank, the activity of providing credit or Sharia financing contracts (for conventional and Islamic banks respectively) must account for a significant portion of the institution’s business (broadly defined as over 20% of a conventional retail bank’s assets and at least 20% of the total assets of an Islamic retail bank).

Wholesale banks

Conventional wholesale banks may also undertake transactions without restriction, when dealing with the Government of Bahrain and its agencies, CBB bank licensees, and non-residents. However, they may only undertake transactions denominated in Bahraini dinars (BHD) and/or with a resident of Bahrain, if these are wholesale in nature. Wholesale transactions are defined in terms of transaction size (broadly, BHD7 million or more for a credit or deposit transaction, and USD100,000 or more for an investment transaction).

Permitted Activities

Conventional banks

Conventional banks can undertake the following activities:

• deposit-taking;
• providing credit;
• accepting Sharia money placements/deposits;
• managing Sharia profit/loss sharing investment accounts;
• offering Sharia financing contracts;
• dealing in financial instruments as principal;
• dealing in financial instruments as agent;
• managing financial instruments;
• safeguarding financial instruments;
• operating a CIU;
• arranging deals in financial instruments;
• advising on financial instruments;
• providing money exchange/remittance services;
• issuing/administering means of payment;
• providing trust services;
• providing account information services; and
• providing payment initiation services.

Islamic banks

Islamic banks can undertake the following activities:

• accepting Sharia money placements/deposits;
• offering Sharia financing contracts;
• managing unrestricted Sharia profit-sharing investment accounts;
• managing restricted Sharia profit-sharing investment accounts;
• dealing in Sharia-compliant financial instruments as principal;
• dealing in Sharia-compliant financial instruments as agent;
• managing Sharia-compliant financial instruments;
• safeguarding Sharia-compliant financial instruments;
• operating a Sharia-compliant CIU;
• arranging deals in Sharia-compliant financial instruments;
• advising on Sharia-compliant financial instruments;
• providing money exchange/remittance services;
• issuing/administering means of payment;
• providing trust services;
• providing account information services; and
• providing payment initiation services.

Licensing Process

The legal status of a bank must be either a Bahraini joint stock company or a branch of a foreign bank. Incorporating an entity in Bahrain is a two-stage process.

Stage one involves the submission of an electronic application to the Ministry of Industry and Commerce (MOIC) with specific details of the new entity, including the legal form, commercial name (for approval), share capital, and details of the shareholder(s). All relevant supporting documentation will be uploaded to the MOIC system at this stage. The MOIC then verifies the uploaded details. Upon verification of all uploaded details by the MOIC, a provisional inactive commercial registration (CR) is issued. This means that the entity is incorporated, albeit it remains inactive. A provisional inactive CR is valid for one year from the date of issuance.

Stage two involves satisfying the MOIC that all approvals, consents and/or licences, as may be required, have been issued by the relevant government authorities in Bahrain, culminating in the issuance of the final CR and rendering the entity legally operational. For a bank, the key approval will be that of the CBB.

To obtain the CBB’s approval, Form 1 (Application for a Licence) must be completed online (available on the CBB website under E-services/online forms). The applicant must also upload scanned copies of supporting documents including, without limitation:

• a completed Form 2 (Application for Authorisation of Controller) for each controller of the proposed licensee;
• a completed Form 3 (Application for Approved Person Status) for each approved person of the licensee; and
• the business plan.

The CBB will provide a formal decision on a licence application within 60 calendar days of all required documentation having been submitted in a form acceptable to the CBB.

Applicants are encouraged to approach the CBB to discuss their application at an early stage, so that any specific questions can be dealt with prior to the finalisation of the application.

The process of acquiring or increasing the control of a bank is subject to stringent regulatory oversight to ensure financial stability, transparency, and competition in the market and is governed by Resolution No 16 of 2021 issuing the Bank Control Regulations.

A controller in a Bahraini bank is defined as:

• a person who, either individually or together with an associate, owns 10% or more of the share capital of a licensed bank or of a “holding company” of a licensed bank (defined as a company that holds more than half of a bank’s capital in the Bank Control Regulations);

• a person who, either individually or together with an associate, is able to exercise voting rights determined for whoever owns 10% or more of the share capital of a licensed bank or of a holding company of a licensed bank; or
• a person who, either individually or together with an associate, is able to exercise significant influence over the management of a licensed bank or a holding company of a licensed bank.

The Bank Control Regulations provide that the following requirements be met for a change of control, namely:

• the incoming shareholder will need to obtain prior written approval from the CBB as the new controller of the bank;
• the outgoing shareholder will need to obtain prior written approval from the CBB as the current controller of the bank; and
• an application will need to be submitted to the CBB by the incoming shareholder as the new controller of the bank. This application will be accompanied by specific documents and/or information, including but not limited to:
1. Form 2 (Application for Authorisation of Controller);
2. the complete CV of the applicant and its associates;
3. a list of companies in which the applicant and its associates hold 10% or more of the capital, and a copy of the latest audited financial statements of such companies and the proposed applicant;
4. credit reference reports from the Credit Information Centres on the applicant and its named associates by the relevant credit reference bureaus;
5. a copy of the passport and identity card of the applicant and its associates if they are natural persons; and
6. a report containing the data of three persons from supervisory institutions or authorities, who/which the CBB can contact to gather information about the applicant and its associates.

Although Form 2 (above) contains the principal elements that are required, should applicants consider additional evidence to be relevant to the application, this should be submitted with this form. It should not be assumed that information is known to the CBB merely because it is in the public domain or has previously been disclosed to the CBB or another regulatory body. If there is any doubt about the relevance of any information, it should be disclosed.

In addition to obtaining the CBB’s approval, the bank will need to submit an application to the MOIC to change its shareholder. This involves the bank updating its constitutional documents and its shareholder registry. If the bank is a listed bank, then relevant disclosures will need to be made to the Bahrain Bourse (ie, the Bahrain Stock Exchange).

For banks, the principal source of corporate governance and systems-and-controls requirements is the high-level controls module (“HC Module”), complemented by the approved persons (“AU Module”), risk management (“RM Module”), business conduct, operational risk (“OM Module”), outsourcing (“OU Module”), internal audit, compliance and disclosure modules. Islamic banks are additionally subject to the CBB’s Sharia governance requirements, including Sharia supervisory board composition, Sharia compliance, and Sharia audit and review.

Composition of the Board and Committees

The HC Module mandates an effective, independent board with clear responsibility for setting strategy and risk appetite, overseeing senior management, and safeguarding the interests of depositors and the financial system. A board must include a sufficient number of independent directors (typically at least one third, and not less than two thirds), and establish key board committees with formal charters, notably audit, risk and nomination/remuneration. The audit committee must be chaired by an independent director and oversee internal and external audit integrity, financial reporting, and internal control effectiveness. The risk committee oversees the bank’s risk governance framework, including articulation and monitoring of risk appetite, while the nomination/remuneration committee manages board and senior management succession, fitness and propriety, and pay structures aligned with prudent risk-taking.

Fitness and Propriety Regime

Approved persons requirements embed a fitness and propriety regime covering integrity, competence, experience, and financial soundness for directors, senior managers, and control function heads. The CBB exercises an ex-ante approval and ongoing supervisory review of these individuals, supported by attestations, background checks, and continuing obligations to notify changes. The HC and AU Modules require segregation of duties, avoidance and management of conflicts of interest, and robust policies on related party transactions with enhanced approvals and disclosures.

Systems and Controls

Systems and controls must reflect a “three lines of defence” model comprising business line controls, independent risk management, and an independent internal audit. Banks must maintain an independent, resourced compliance function with direct reporting to the board/audit committee; an independent risk management function responsible for enterprise risk management, the internal capital adequacy assessment process (ICAAP)/internal liquidity adequacy assessment process (ILAAP) co-ordination and stress testing; and an internal audit function with unrestricted access and a risk-based audit plan. The RM Module and OM Module require comprehensive risk frameworks covering credit, market, liquidity, operational, outsourcing, IT/cyber, and conduct risk, supported by policies, limits, scenario analysis, and issue remediation. The OU Module and OM Module impose due diligence, contractual, concentration, and oversight standards on material outsourcing, including cloud. Business conduct requirements address customer interests, fair treatment, suitability, product governance, personal account dealing, inducements, and complaints handling.

Bankers’ Rules of Conduct

Bahrain does not have a formal Bankers’ Oath. Instead, binding rules of conduct arise from the CBB Rulebook and require banks to adopt codes of ethics, conflicts and gifts policies, whistle-blowing mechanisms, and staff competency and training frameworks, reinforced by disciplinary procedures and regulatory enforcement for breaches.

CBB Approval

The CBB Rulebook provides that banks must obtain the CBB’s prior written approval for any person wishing to undertake a controlled function in a bank. The approval from the CBB must be obtained prior to their appointment.

The CBB Rulebook provides that “controlled functions” are those functions occupied by board members and persons in executive positions and include:

• board members;
• the chief executive officer (CEO) or general manager and their deputies;
• the chief financial officer and/or financial controller;
• the head of risk management;
• the head of internal audits;
• the head of Sharia review or Sharia officer;
• the compliance officer;
• the money-laundering reporting officer (MLRO);
• the deputy MLRO;
• the head of internal Sharia audits; and
• heads of other functions.

The CBB’s approval is only granted if the CBB is satisfied that the individual meets the CBB’s “fit and proper” requirements.

Requirements of Applicants

Each applicant applying for approved person status, and those individuals occupying approved person positions, must comply with the following conditions:

• they have not previously been convicted of any felony or crime that relates to their honesty and/or integrity unless they have subsequently been restored to good standing;
• they have not been the subject of any adverse finding in a civil action by any court or competent jurisdiction, relating to fraud;
• they have not been adjudged bankrupt by a court unless a period of ten years has passed, during which the person has been able to meet all their obligations and has achieved economic stability;
• they have not been disqualified by a court, regulator or other competent body, as a director or as a manager of a corporation;
• they have not failed to satisfy a judgement debt under a court order resulting from a business relationship;
• they must have personal integrity, good conduct and reputation;
• they have appropriate professional and other qualifications for the controlled function in question; and
• they have sufficient experience to perform the duties of the controlled function.

The CBB reviews each application on a case-by-case basis, taking into account all relevant circumstances. A person may be considered “fit and proper” to undertake one type of controlled function but not another, depending on the function’s job size and required levels of experience and expertise. Similarly, a person approved to undertake a controlled function in one conventional bank licensee may not be considered to have sufficient expertise and experience to undertake nominally the same controlled function in a much bigger licensee.

The CBB will also consider previous professional and personal conduct (in Bahrain or elsewhere) including, but not limited to, the following:

• the propriety of a person’s conduct, whether or not such conduct resulted in a criminal offence being committed, the contravention of a law or regulation, or the institution of legal or disciplinary proceedings;
• a conviction or finding of guilt in respect of any offence, other than a minor traffic offence, by any court or competent jurisdiction;
• any adverse finding in a civil action by any court or competent jurisdiction, relating to misfeasance or other misconduct in connection with the formation or management of a corporation or partnership;
• whether the applicant – or any body corporate, partnership or unincorporated institution with which the applicant has been associated as a director, controller, manager or company secretary – has been the subject of any disciplinary proceeding, investigation or fines by any government authority, regulatory agency or professional body or association;
• the contravention of any financial services legislation;
• whether the person has ever been refused a licence, authorisation, registration or other authority;
• whether the person has been dismissed or requested to resign from any office or employment;
• whether the person has been a director, partner or manager of a corporation or partnership which has gone into liquidation or administration, or where one or more partners have been declared bankrupt while the person was connected with that partnership;
• the extent to which the person has been truthful and open with supervisors; and
• whether the person has ever entered into any arrangement with creditors in relation to their inability to pay due debts.

Requirements of Approved Persons

Approved persons undertaking a controlled function must act prudently, and with honesty, integrity, care, skill and due diligence in the performance of their duties. They must avoid conflicts of interest arising while undertaking a controlled function.

In determining whether a conflict of interest may arise, factors that may be considered include whether:

• a person has breached any fiduciary obligations to the company or terms of employment;
• a person has undertaken actions that would be difficult to defend, when looked at objectively, as being in the interest of the licensee; and
• a person has failed to declare a personal interest that has a material impact in terms of the person’s relationship with the licensee.

Oversight of the Board

The board must exercise proper oversight of senior management against formal performance and remuneration standards, consistent with the long-term strategic objectives and the financial soundness of the licensee. In doing so, the board must:

• meet regularly with senior management;
• subject senior management to an annual performance assessment and document such assessments;
• ensure that approved persons’ collective knowledge and expertise remain appropriate given the nature of the licensee’s business and risk profile;
• ensure that senior management’s actions are in full compliance with applicable laws and regulations, and consistent with the strategy, business plan and policies approved by the board, including risk appetite;
• question, challenge and critically review the explanations and information provided by senior management; and
• ensure that appropriate succession plans are in place for all approved persons within senior management (provided that such plans are subject to review in case of any changes to approved persons within senior management).

The remuneration framework for banks in Bahrain reflects the CBB emphasis on robust corporate governance, prudent risk management, and alignment between performance and sustainable value creation.

The remuneration provisions in the CBB Rulebook apply to two key groups within Bahraini banks – approved persons and material risk-takers (MRTs).

Approved persons are those whose appointment or continued employment requires prior approval from the CBB. This category typically includes members of the board of directors, the CEO, senior management, and heads of major control or business functions. These individuals are central to the bank’s governance and strategic direction, and therefore their compensation arrangements are subject to close regulatory scrutiny.

MRTs encompass employees whose professional activities can materially influence the bank’s risk profile. This group may include business-line leaders, traders, or other staff whose decisions affect the institution’s exposure to credit, market, or operational risks.

Both categories must be covered by the bank’s remuneration policy and related governance framework. While the CBB distinguishes these groups for regulatory purposes, in practice they represent the broader population of senior and risk-sensitive staff whose pay structures must align with prudent risk-taking and long-term performance.

For approved persons and MRTs whose total annual remuneration (including all benefits) is in excess of BHD100,000:

• an appropriate ratio between the fixed and variable components of total remuneration must be set to ensure that the fixed and variable components of the total remuneration are appropriately balanced and paid on the basis of individual, business-unit and bank-wide measures that adequately measure performance; and
• the variable proportion of remuneration must increase significantly along with the level of seniority and/or responsibility. More specifically –
1. at least 40% of the variable remuneration must be payable under deferral arrangements over a period of at least three years; and
2. for the CEO, their deputies and the other five most highly paid business line employees, at least 60% of the variable remuneration must be payable under deferral arrangements over a period of at least three years.

As a minimum, 50% of total variable remuneration (including both the deferred and undeferred portions) must be awarded in shares or share-linked instruments or, where appropriate, other non-cash instruments. The remaining portion of the deferred remuneration can be paid as cash remuneration vested over a minimum three-year period.

Remuneration, based on both quantitative measures and human judgement, must be adjusted for all types and magnitudes of risk, including intangible and other risks managed by the approved person and MRT, and remuneration outcomes must be aligned with risk outcomes.

The mix of cash, equity and other forms of remuneration must be consistent with risk alignment. The mix will vary depending on the employee’s position and role, and the licensee must document the rationale for its mix.

Banks must provide the CBB with details of total remuneration, including the mix of fixed and variable remuneration. The report must be submitted annually and must be provided within three months of the financial year end.

The following qualitative and quantitative information, pertaining to remuneration practices and policies, must be disclosed in the annual report of the bank:

• the name, composition and mandate of the main body overseeing remuneration;
• whether the advice of external consultants has been sought and by whom in the bank, and in what areas of the remuneration process the consultants have been involved;
• the independence of remuneration for staff in risk management, internal audit, operations, financial controls, anti-money laundering, and internal Sharia review/audit and compliance functions;
• the risk adjustment methodologies;
• the link between remuneration and performance;
• the long-term performance measures (deferral, malus, clawback);
• the types of remuneration (cash/equity, fixed/variable);
• whether the remuneration committee has reviewed the bank’s remuneration policy during the past year, and if so, an overview of any changes that were made;
• a discussion of how the bank ensures that approved persons engaged in risk management, internal audits, operations, financial controls, anti-money laundering, and internal Sharia review/audit and compliance functions, are remunerated independently of the business units they oversee;
• a description of the ways in which the current and future risks are taken into account in the remuneration processes. Disclosures must include:
1. an overview of the key risks that the bank takes into account when implementing remuneration measures;
2. an overview of the nature and type of the key measures used to take account of these risks, including risks difficult to measure;
3. a discussion on the ways in which these measures affect remuneration;
4. a discussion of how the nature and type of these measures have changed over the past year and reasons for the change, as well as the impact of changes on remuneration;
5. a description of the ways in which the bank seeks to link performance, during a performance assessment period, with levels of remuneration. Disclosures must include:
1. an overview of main performance metrics for banks, top-level business lines and individuals;
2. a discussion of how individual remuneration is linked to bank-wide and individual performance; and
3. a discussion of the measures the bank will generally implement to adjust remuneration in the event that performance metrics are weak;
• a description of the ways in which the bank seeks to adjust remuneration to take account of longer-term performance. Disclosures must include:
1. a discussion of the bank’s policy on deferral and vesting of variable remuneration and, if the fraction of variable remuneration that is deferred differs across employees or groups of employees, a description of the factors that determine the fraction and their relative importance; and
2. a discussion of the bank’s policy and criteria for adjusting deferred remuneration before vesting and after vesting through clawback arrangements;
• description of the different forms of variable remuneration that the bank utilises and the rationale for using these different forms. Disclosures must include:
1. an overview of the forms of variable remuneration offered (i.e. cash, shares and share-linked instruments and other forms); and
2. a discussion of the use of the different forms of variable remuneration and, if the mix of different forms of variable remuneration differs across employees or groups of employees, a description of the factors that determine the mix and their relative importance;
• the number of meetings held by the main body overseeing remuneration during the financial year and the aggregate remuneration paid to its members;
• the number and total amount of remuneration for approved persons and MRTs for the financial year, split into fixed and variable remuneration;
• the number and total amount of variable remuneration awarded during the financial year, split into cash, shares and share-linked instruments, and other;
• the number and total amount of guaranteed bonuses awarded during the financial year;
• the number and total amount of sign-on awards made during the financial year;
• the number and total amount of severance payments made during the financial year, and the highest such award to a single person;
• the total amount of outstanding deferred remuneration, split into cash, shares and share-linked instruments and other forms; and
• the total amount of deferred remuneration awarded during the financial year, paid out and reduced through performance adjustments.

The CBB exercises an active and risk-based supervisory approach to the remuneration practices of the banks in Bahrain.

CBB Oversight

Bahrain’s anti-money laundering (AML) and countering the financing of terrorism (CFT) regime is grounded in primary legislation prohibiting money laundering and terrorism financing and implemented through the CBB Rulebook, specifically the financial crime module (“FC Module”). Banks are required to adopt a risk-based approach aligned with Financial Action Task Force (FATF) standards, supported by robust governance, customer due diligence (CDD), ongoing monitoring, reporting, record-keeping, sanctions compliance, and staff training. The CBB exercises supervisory oversight through inspections, thematic reviews, and enforcement powers.

Banking

Banks must maintain a board-approved AML/CFT framework proportionate to their risk profile and business model. Governance includes appointment of an independent MLRO at a senior level with direct access to the board or an appropriate committee, clear roles for the compliance and internal audit functions, and documented policies and procedures that address enterprise-wide risk assessment and risk classification, and control design. Banks must conduct periodic enterprise-wide AML/CFT risk assessments covering products, services, delivery channels, geographies, customer types, and emerging threats, with outcomes embedded in CDD standards, transaction monitoring thresholds, and resourcing.

CDD must be performed at onboarding and repeated throughout the relationship on a risk-sensitive basis. Core elements include identifying and verifying the customer and beneficial owner, understanding ownership and control for legal persons and arrangements, and establishing the purpose and intended nature of the relationship. Enhanced due diligence is required for higher-risk situations such as politically exposed persons, complex or opaque structures, cross-border correspondent banking, high-risk jurisdictions, and unusual delivery channels. Where verification cannot be completed satisfactorily, accounts must not be opened or must be exited. Reliance on third parties is permitted only under prescribed conditions and with assurance as to the availability and quality of underlying CDD data.

Banks must monitor business relationships and transactions to detect anomalies, unusual patterns and potential proliferation financing exposure. Monitoring should combine automated and manual controls calibrated to risk, with timely investigation, documentation of alerts and decisions, and escalation to the MLRO. Suspicious transactions or activities must be reported promptly to the competent financial intelligence unit via the MLRO, with appropriate confidentiality safeguards and anti-tipping-off controls. Wire transfer compliance requires the capture and transmission of originator and beneficiary information and risk-based rejection or remediation where required data is missing.

Sanctions screening

Targeted financial sanctions screening is mandatory against United Nations and domestic lists, together with any other lists specified by the CBB. Banks must implement pre and post-transaction screening of customers, beneficial owners, connected parties and transactions, ensure immediate freezing and reporting of matches, and maintain procedures for handling potential, partial and false positives. Proliferation financing risk – particularly in trade finance – must be addressed through documentary scrutiny, red flag controls, dual-use goods risk assessment, and escalation protocols.

Record-keeping

Record-keeping obligations require retention of CDD, transaction records, internal and external reports, and training logs for the minimum statutory period and in a manner enabling prompt retrieval. Staff must receive role-specific, periodic AML/CFT training, including on sanctions, typologies and escalation, with effectiveness testing and senior management attestation. Outsourcing of AML/CFT processes is subject to CBB outsourcing rules and does not diminish the bank’s accountability.

Control failures and remediation

The CBB expects timely self-reporting of material control failures and meaningful remediation, including back-book reviews where warranted. Breaches can attract administrative fines, business restrictions, and approved-person consequences. Banks should evidence a proactive compliance culture, including quality management information to the board, auditable decision-making, and continuous enhancement aligned to evolving FATF guidance, national risk assessments, and regulatory circulars.

Bahrain has a depositor protection scheme (the “Scheme”) that applies to banks.

The definition of “Deposit” in Resolution No 23 of 2009 is: “A contract that grants the bank the right to possess the deposited money and to dispose thereof in its ordinary course of business with an obligation to return an equal amount thereof to the depositor. Repayment of the deposit shall be in the same currency of the original deposit.”

The following do not constitute a deposit:

• placements by Sharia-compliant banks, where the contract provides that the customer is entitled to a share of the profit generated directly from their placement or the trading activities of the institution as a whole;
• loans; and
• monies placed for mudaraba.

The Scheme applies to any deposit account and any other deposits or accounts similar in nature and which have similar characteristics that are approved by the CBB, regardless of currency, with the exception of bearer certificates of deposit (“Eligible Accounts”).

An “Eligible Depositor/Investor” is any natural person (resident or non-resident) who holds an Eligible Account(s) with a conventional bank or an Islamic bank in Bahrain. This does not include deposits and unrestricted investment accounts held with a conventional and/or an Islamic bank’s foreign branches operating outside Bahrain.

The Scheme does not apply to Deposits which have, in the opinion of the board, been illegally gained and/or relate to illicit or illegal matters. The Scheme also does not apply to:

• accounts of shareholders with 10% or more shareholding (ordinary or preference), board members and senior managers of the defaulting bank; and/or
• accounts of persons whose identity cannot be ascertained.

The Scheme established a board, which is responsible for operating the Scheme, determining eligibility, calculating compensation, calling for contributions, sending certificates, etc. The board may, at its discretion, exclude (in whole or in part) compensation payments to any Eligible Depositor of the defaulting bank in Bahrain who is entitled to claim in a similar scheme established in another jurisdiction, where such scheme covers the deposit liabilities of the Bahrain offices of such relevant bank.

Each Eligible Depositor/Investor is entitled under the Scheme to claim an amount equivalent to the amount deposited by them/it in an Eligible Account up to a maximum amount of BHD20,000 from all their/its Eligible Accounts in any one bank, regardless of the number of accounts and Deposits held by the Eligible Depositor/Investor in that bank.

Pursuant to the CBB Law, the CBB has issued binding prudential standards that implement the core elements of the Basel III regulatory framework for banks (“Basel III”) across capital, liquidity, leverage, large exposures, and disclosure, and that embed supervisory expectations through the ICAAP, ILAAP, stress testing, and risk governance requirements. The regime is principles-based but prescriptive where necessary to ensure resilience in a small, open financial system, with proportionately heightened expectations for systemically important institutions, consistent with the CBB Law and the CBB Rulebook.

Basel III Pillar 1

The capital framework follows Basel III’s three-pillar structure as transposed in volume 1 (conventional banks) and volume 2 (Islamic banks) of the CBB Rulebook, including the capital adequacy modules. Pursuant to Pillar 1, banks must hold high-quality regulatory capital against credit, market and operational risks, comprising common equity tier 1 (CET1), additional tier 1 (AT1), and tier 2 instruments meeting permanence, loss-absorbency, and subordination criteria set out in the CBB Rulebook. The CBB requires minimum CET1, AT1, and total capital ratios, together with a capital conservation buffer and, where applicable, a counter-cyclical buffer when activated under CBB directives. Domestic systemically important banks (“D‑SIBs”), where designated by the CBB pursuant to the CBB Law and CBB Rulebook guidance, are subject to additional loss‑absorbing capital in the form of CET1 buffers calibrated to their systemic footprint. The CBB also enforces a non‑risk‑based backstop via the leverage ratio requirements contained in the CBB Rulebook’s leverage ratio module to constrain excessive balance sheet growth relative to capital.

Risk‑weighted assets are calculated using standardised approaches unless the CBB has expressly approved the use of internal models; in each case, in line with the methodologies prescribed in the CBB Rulebook. For credit risk, the standardised approach applies risk weights to on and off‑balance‑sheet exposures based on counterparty, collateral, and external ratings where permitted, with recognition of eligible financial collateral and guarantees as defined in the CBB Rulebook. Market risk capital captures interest rate, equity, foreign exchange, and commodity risk in the trading book using standardised charges, with internal models subject to CBB approval, validation, and ongoing performance monitoring where used. Operational risk capital generally follows standardised measurement approaches, with advanced methods permissible only under stringent margining, netting, and collateralisation expectations reflected in the CBB Rulebook and CBB circulars issued under the CBB Law.

Basel III Pillar 2

Supervisory review under Pillar 2 is anchored in the ICAAP and the CBB’s supervisory review and evaluation process (SREP)‑style assessment, as required by the CBB Rulebook and under the supervisory powers conferred by the CBB Law. Banks must identify, measure, and hold capital against risks not fully captured in Pillar 1, including interest rate risk in the banking book, concentration risk, liquidity risk, model risk, strategic and conduct risks, and risks arising from business model and macro‑financial conditions. The CBB expects credible, board‑approved risk appetite frameworks, forward‑looking stress testing that is severe yet plausible, and capital planning over multi‑year horizons to demonstrate resilience under adverse scenarios. Where the ICAAP evidences heightened risks, the CBB may impose institution‑specific Pillar 2 capital add‑ons, restrictions on distributions, or remedial actions pursuant to its enforcement powers under the CBB Law.

Liquidity requirements implement the Basel liquidity coverage ratio (LCR) and net stable funding ratio (NSFR) through the liquidity risk management modules of volume 1 (conventional banks) of the CBB Rulebook and volume 2 (Islamic banks) of the CBB Rulebook, complemented by qualitative liquidity risk management standards. Banks must maintain sufficient high‑quality liquid assets to withstand acute 30-day stresses (LCR) and a stable funding profile over a one‑year horizon (NSFR). The CBB requires robust ILAAPs, with governance, measurement, limits, and contingency funding plans commensurate with the bank’s complexity and funding model. Currency mismatches, intraday liquidity, and collateral management are specifically monitored in a market where cross‑border and wholesale funding channels are significant. The CBB may also set institution‑specific liquidity add‑ons or heightened monitoring for banks with concentrated or volatile funding, consistent with the CBB Law and CBB Rulebook guidance.

Stress testing is a core cross‑cutting control mandated by the CBB Rulebook. Banks must conduct enterprise‑wide stress tests covering capital and liquidity under idiosyncratic, market‑wide, and combined scenarios, with reverse stress testing to identify states that would threaten viability. Results must inform risk appetite calibration, buffers, contingency plans, and management actions. The CBB’s supervisory review challenges scenario design, modelling assumptions, and the credibility and timeliness of proposed management responses, and the CBB may direct remedial measures under the CBB Law.

Risk management rules impose strong governance expectations under the CBB Rulebook’s high‑level controls and risk-management modules. Boards are accountable for overall solvency and liquidity resilience, setting risk appetite, and overseeing independent risk and audit functions with sufficient stature and resources. The “three lines of defence” model is expected to operate effectively, supported by comprehensive policies, limit frameworks, and management information systems enabling timely escalation. Model governance must ensure validation, back‑testing, and independent challenge, particularly where risk‑sensitive internal methodologies influence decisions or regulatory capital.

Basel III Pillar 3

Disclosure requirements under Pillar 3, set out in the CBB Rulebook’s public disclosure modules, enhance market discipline. Banks must publish regular, comprehensive disclosures on capital composition, capital ratios, RWA by risk type, leverage ratio, liquidity metrics, encumbrance, credit risk mitigation, and risk governance, using standardised templates and narrative explanations. The objective is to allow stakeholders to assess the quantity and quality of capital and liquidity and the bank’s risk profile against regulatory expectations. The CBB monitors timeliness and completeness of disclosures and may require corrective action for deficiencies under the CBB Law.

The CBB Law and the Insolvency Law are the primary pieces of legislation applicable to a corporate entity incorporated under the Companies Law that is subject to insolvency or analogous proceedings in Bahrain. The Insolvency Law applies to any corporate entity that is not licensed by the CBB, and the CBB Law applies to any corporate entity that is licensed by the CBB.

Part 10 (Insolvency of the Licensee and Placing it Under Administration and Compulsory Liquidation) of the CBB Law covers the insolvency of a CBB-licensed entity, which would apply to banks (“Licensees”) and the placing of a Licensee under administration and compulsory liquidation.

Article 133 (Insolvency of a Licensee) of the CBB Law provides that a Licensee is deemed to be insolvent if its financial position becomes unstable and it stops paying its due debts other than administrative fines and any applicable tax. Once a Licensee is insolvent, it must immediately cease to undertake any regulated services, make any payments or carry on any business in relation to regulated services in Bahrain, unless otherwise agreed in writing by the CBB (Article 134 (The Effects of Insolvency) of the CBB Law).

Administration

Pursuant to Article 136 (Reasons for Placing a Licensee Under Administration) of the CBB Law, the CBB may assume the administration of a Licensee or appoint an external administrator to conduct the administration of the Licensee on behalf of the CBB, if:

• the Licensee becomes insolvent or appears likely to become insolvent;
• the Licensee’s licence is amended or cancelled due to failure to satisfy any of its licence conditions, or failure to start conducting business within six months of the date of the licence; or
• the Licensee continues to provide regulated services, resulting in damage to the financial services industry in Bahrain.

Compulsory Liquidation

Pursuant to Article 144 (Application for Compulsory Liquidation) of the CBB Law, the administrator, the Licensee or any creditor may submit a petition to the courts of Bahrain for compulsory liquidation of the Licensee, and serve such petition at the Licensee’s principal place of business. The petition should be made available to the shareholders and creditors of the Licensee and may be requested by any interested party. The entity/individual who submits the petition for compulsory liquidation should advertise the petition in the Official Gazette and in two Arabic and two English-language newspapers at least 15 days before submitting the petition to the Bahraini court. Pursuant to Article 145 (Decision on the Petition of Compulsory Liquidation) of the CBB Law, the court will then appoint a liquidator and determine their fees with the guidance of the CBB. All liquidator fees will be borne by the Licensee.

The CBB Law provides a priority of claims under Article 156 of the CBB Law, determining the rights of interested parties in the property of the Licensee in liquidation namely:

• administrator’s fees and expenses incurred during the administration period of the Licensee, and the wages and salaries of officers and employees up to the date of petition for compulsory liquidation filed at the competent court;
• liquidator’s fees and expenses incurred during the period of liquidation;
• fees and taxes due to the government, its organisations, agencies and the CBB;
• deposits and loans taken with the approval of the CBB to protect the Licensee from insolvency;
• deposits of value not exceeding BHD20,000 per depositor;
• other deposits that exceed BHD20,000 per depositor, and all other unsecured debts; and
• amounts due to the shareholders in proportion to their respective shares.

The secured debts of the creditors of the Licensee and the current settlements taking place in the clearing house of the stock exchange must be paid first, and without reference to the order of priority above.

The environmental, social and governance (ESG) requirements module (“ESG Module”) under the CBB applies to all banks in Bahrain.

The ESG Module is directed at all listed companies, banks, financing companies, insurance firms, and Category 1 and 2 investment firms, providing them with guidelines on the reporting requirements for environmental, social and corporate governance factors.

The objective of the ESG Module is to foster consistency and reliability in ESG reporting, with the goal of facilitating the development of transparent and comparable ESG disclosures that align with both national and international targets and commitments.

From a governance perspective, the CBB Rulebook’s HC Module and RM Module require boards and senior management to maintain sound governance, effective internal controls and comprehensive enterprise risk frameworks. These obligations extend to material ESG risk drivers – such as environmental and climate-related financial risks, workforce conduct and data ethics – where these are relevant to safety and soundness. For Islamic banks, volume 2 of the CBB Rulebook adds Sharia governance (including Sharia supervisory boards and Accounting and Auditing Organization for Islamic Financial Institutions (AAOIFI) standards), reinforcing fiduciary oversight and integrity in product structures and disclosures.

For listed entities and securities offerings, ESG disclosure expectations are driven by the CBB Rulebook volume 6 and Bahrain Bourse Listing Rules. The Bahrain Bourse ESG Reporting Guide (2020) provides a voluntary, reference-aligned framework that issuers are encouraged to use to enhance ESG transparency and comparability. Green, social, sustainability and sustainability‑linked bonds or sukuk are offered under existing prospectus and offering rules; there is no separate “green label” regulation. However, anti‑misleading and market conduct provisions under the capital markets framework operate as anti‑greenwashing guardrails, requiring accurate, balanced disclosure of use of proceeds, KPIs, external reviews and material risks.

In practice, banks should map ESG risks into board oversight, risk appetite and ICAAP/ILAAP processes; align customer conduct and disclosure with CBB conduct rules; ensure Personal Data Protection Law (PDPL)‑compliant data governance; and, if listed, consider the ESG Reporting Guide in order to meet evolving investor expectations. Supervisory focus remains on effective governance, risk integration and fair, non‑misleading disclosure within the existing framework of the CBB Rulebook.

While there is no direct equivalent to the European Union’s Digital Operational Resilience Act, the CBB imposes a comprehensive, largely harmonised cybersecurity regime on both conventional and Islamic banks through the Operational Risk Management Modules (“OM Module”) in the CBB Rulebook.

Scope and Foundation

The framework applies to all banks (including branches of foreign banks) proportionate to their size, complexity of work and structure, and risk profile, and is risk-based. It is aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and integrates governance, prevention, detection, response, recovery, testing, reporting and third‑party oversight.

Governance and Organisation

Banks must maintain a board‑approved cybersecurity strategy and policy. The board is accountable for setting ownership and oversight, reviewing cyber-issues at each meeting (eg, key risk indicators (KRIs)/key performance indicators (KPIs), maturity, incidents, pen test results), and approving the framework at least every three years or upon material risk changes. An independent cybersecurity risk function led by a suitably qualified Chief Information Security Officer (CISO) must report to a risk function separate from IT. Banks are encouraged to establish a cybersecurity committee chaired by a senior control function leader.

Preventative and Technical Controls

Banks must deploy endpoint protection platform/endpoint detection and response, secure email and web gateways, and anti-spam/anti-spoofing measures.  Retail banks must maintain payment card industry data security standard certification. Email to customers must originate from a single unified private domain (no third-party provider domains).

Testing and Assurance

Banks must conduct comprehensive vulnerability assessments and biannual penetration tests using recognised methodologies by qualified internal and external testers rotated at least every two years. 

Security Operations

Banks must establish a Security Operations Centre with security information and event management integration, asset inventories, and network diagrams, and continuously tune use cases/rules as threats evolve.

Incident Management and Regulatory Reporting

Upon any incident that compromises customer data or disrupts critical services, banks must notify the CBB by telephone within one hour and submit an initial report within two hours, followed by a comprehensive report within ten calendar days and weekly updates until resolution. 

E-Banking and Payments Security

Boards must oversee e-banking risks, including secure authentication, user authorisation, privacy, log retention/time syncing, audit trails, customer awareness for fraud, and robust availability/incident response. Payment controls include Europay, Mastercard, and Visa, controls over contactless and cardless channels, anti-skimming automated teller machine (ATM) measures, secure ATM software/configuration, and geolocation blocking options.

Business Continuity and Recovery

Cyber-recovery must be embedded in business continuity planning/management, with crisis management teams, impact analyses, alternative sites, communications plans (including with regulators), periodic testing, and independent review.

The main upcoming regulatory developments expected to have an impact on banks in Bahrain are as follows.

Secured Transactions Law

The initial draft of the secured transactions law was circulated for consultation on 18 July 2017 and was based upon the UNCITRAL model Secured Transaction Model Law of 2016. On 23 March 2020 the CBB sent out a new draft of the proposed secured transactions law for consultation (the “Draft Law”). The Draft Law will materially change the way in which security is created, perfected and enforced in Bahrain. The Draft Law introduces a registry of security rights as well as the concept of self-help (which is not available under the current regulatory regime). The CBB has yet to announce the outcome of the consultation, but a version of the Draft Law is expected to be issued in due course, in line with a regional push to introduce laws enabling the creation of security over assets.

Netting Law

As part of the CBB’s objective to enhance its regulatory framework, it circulated a revised version of the draft netting law for consultation on 12 December 2024 (the first draft was initially circulated in 2017). The draft netting law is based on the International Swaps and Derivatives Association (ISDA) Model Netting Act which will supersede Resolution No 44 of 2014 with respect to promulgating a Resolution for Close-Out Netting under a Market Contract.

The implementation of the draft netting law will provide greater legal certainty for financial institutions and market participants in Bahrain. By clearly defining the enforceability of netting agreements and the treatment of collateral, the law should reduce legal risks and enhance confidence in the financial market.

The draft netting law aligns Bahrain’s legal framework with international standards and best practices for netting and collateral management. This will enhance Bahrain’s reputation as a well-regulated financial centre and facilitate its integration into the global financial system. By addressing Sharia compliance, the law will support the growth of Islamic finance in Bahrain. Financial institutions offering Sharia-compliant products will benefit from the legal clarity provided by the law, promoting innovation and development in the Islamic finance sector.

The legal certainty and robust framework provided by the draft netting law will make Bahrain a more attractive destination for foreign investment, giving international investors and financial institutions greater confidence about entering into financial contracts and transactions in Bahrain.

Proposed Sustainable and Sustainability-Linked Debt Securities Regulatory Framework

The CBB has launched a consultation proposing a regulatory framework for Sustainable Debt Securities and Sustainability-Linked Debt Securities (SLDs) under the Offering of Securities (OFS) Module of volume 6 (capital markets) of the CBB Rulebook. 

At its core, the proposal introduces new OFS sections that codify eligibility, disclosure, reporting, and verification standards for issuers of sustainable instruments.  It aligns closely with international best practice (eg, use of proceeds bonds and International Capital Markets Association-style sustainability-linked structures) and integrates these into Bahrain’s capital markets rulebook.

Overall, the consultation indicates that the CBB aims to standardise and elevate sustainable debt issuance practices, unlocking market growth while ensuring integrity, comparability and accountability – a mix that will not only expand opportunities for banks, but also raise the bar on controls, transparency and verification.