Consultation on Modules for Ancillary Service Providers (Volume 5)

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 1 of 36 Industry Comments General Comments: Ref CBB’s Response Applicability of Volume 5 Rulebook to non-resident TPAs of insurance licensees A TPA stated that as a matter of concern, it refers to CBB’s letter dated May 29, 2012 giving notice to insurance licensees to refrain from dealing with unregistered TPAs by November 29, 2012. Despite the clear deadline, it noted that several insurance companies did not adhere to the instructions of CBB. GR1 Noted International Definition and Role of TPAs A TPA stated that based on Wikipedia Encyclopedia, a TPA is defined as follows: “A Third Party Administrator is an organization that processes insurance claims or certain aspects of employee benefit plans for a separate entity. This can be viewed as "outsourcing" the administration of the claims processing, since the TPA is performing a task traditionally handled by the company providing the insurance or the company itself. Often, in the case of insurance claims, a TPA handles the claims processing for an employer that self-insures its employees. Thus, the employer is acting as an insurance company and underwrites the risk. The risk of loss remains with the employer, and not with the TPA. An insurance company may also use a TPA to manage its claims processing, provider networks, utilization review, or membership functions. While some third-party administrators may operate as units of insurance companies, they are often independent.” The definition also states that TPAs have a significant role not only in healthcare insurance but also in commercial general liability (which includes motor insurance). International Risk Management Institute, Inc. (IRMI), the premier authority and educator for risk management, insurance and legal professionals, defines TPA as follows: “A firm that handles various types of administrative responsibilities, on a fee-for-service basis, for organizations involved in cash flow programs. These responsibilities typically include claims administration, loss control, risk management information systems, and risk management GR2 AU-1.2.4 has been amended to read as follows: TPA refers to processing claims in connection with insurance coverage offered. Self-insured schemes will be allowed for schemes outside of Bahrain.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 2 of 36 consulting.” Above international definition does not confine TPA role to healthcare insurance only. In fact there are many international TPAs offering TPA services other than healthcare insurance which a TPA cite as an example below: Sedgwick Claims Management Services, Inc., is the leading North American provider of technology￾enabled claims and productivity management solutions. Sedgwick and its affiliated companies deliver cost-effective claims, productivity, managed care, risk consulting, and other services to clients through the expertise of nearly 11,000 colleagues in some 200 offices located in the U.S. and Canada. The company specializes in workers’ compensation; disability, FMLA, and other employee absence; managed care; general, automobile, and professional liability; warranty and credit card claims services; fraud and investigation; structured settlements; and Medicare compliance solutions. Sedgwick and its affiliates design and implement customized programs based on proven practices and advanced technology that exceed client expectations. Crawford & Company, has the broadest array of services in the industry based in Atlanta Georgia, and can administer virtually any claim function. From accident and health to large-scale complex property and liability losses to individual task assignments, the company can configure the services exactly as clients demand, anywhere and anytime. The service offerings are unmatched in the industry and include:  Financial Risks  Liability  Marine, Aviation and Transportation  Motor/Auto  Property A TPA Existing Approved Regulated Ancillary Services A TPA was incorporated after BMA granted it the license to operate as an Insurance Ancillary Services Licensee to carry out activities as stated in its business plan which is summarized below:

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 3 of 36 a) Medical business policy administration and claims processing b) Motor business claims processing c) Back office services of workshops Since incorporation, a TPA has achieved its business plan as follows: a) Executed medical business TPA services. b) Executed motor business TPA services. c) Executed back office services. d) Entered into partnership to carry out laboratory testing services in Bahrain for hospitals and clinics. Being a TPA company licensed by the BMA/CBB, the TPA greatly appreciate the confidence given by CBB which enabled a local company to compete with the international TPA service providers not only in Bahrain but also in Saudi Arabia and hopefully in Oman. This success story of a local company is a tribute to the wisdom and vision of CBB. Grandfathering Rule It is in the above context that we welcome the initiative of CBB in developing the new regulatory framework to specifically address the ancillary service industry. However, any changes in law should protect and further enhance the successful operations of existing local TPA companies. To achieve this objective we would request that the grandfathering provision stated in CBB Rulebook Volume 3 for Insurance AU-1.1.15 for insurance licensees to be applied also to CBB Rulebook Volume 5 for Ancillary Service Providers (Specialized Licensees) particularly for the following sections:

1. AU-1.2.4 which limits the regulated ancillary service for TPAs to healthcare insurance coverage only and therefore should also include the previously approved ancillary services of the TPA.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 4 of 36 2. AU-4.2.1 which require licensees to seek prior CBB approval before undertaking new regulated ancillary services and therefore should exempt the TPA from seeking approval for previously approved regulated ancillary services.

1. GR-4.2.3 which prohibits TPAs to own any part of healthcare facility or company and therefore should exempt the TPA from owning a laboratory testing facility duly incorporated under the Ministry of Industry and Commerce and licensed by the NHRA. GR3 Due to the possibility of conflict of interest by imposing the use of a facility used by the TPA, the CBB maintains its prohibition under GR￾4.2.3 prohibiting TPAs to own any part of a healthcare facility. However, the TPA will be allowed to maintain its facility (grandfathering) but it is strictly prohibited to compel policyholders to use their designated facility. Specific Comments: Reference to the draft Directive: Comments REF CBB’s Response AU-A.1.3 Licensed providers of regulated ancillary services fall into six categories: third party administrators, card processing services, operating a credit reference A law firm stated that it is good that the rule grant more flexibility by stating on other services that may be considered as ancillary services if it was carried out in accordance to the CBB Law. A card processing company stated that it believes that its business is similar to that of other ancillary licensees. As such it would request if the CBB could help to clarify the basis for separate classification of its activities as “Card S1 All licensees will be titled “Ancillary Service Providers” and then a list of their activities will be used instead of naming each of them separately. The word “data” has been added for more clarity, in Subparagraph Authorisation AU Module

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 5 of 36 bureau, payment service providers, Shari’a advisory/review services and carrying out services in accordance with the CBB Law. processing” v/s the activities of other entities as “Payment Processing Services (PSP)”. AU-1.2.5(b). The rule has been amended as follows: AU-1.2.5 (b) Integrating customer delivery channels to enterprises to enable data transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet); AU-B.1.1 The content of this Module applies to all ancillary service provider licensees authorised in the Kingdom of Bahrain, thereafter referred to in this Module as licensees. An association noted: it seems that the regulation will cover activities in and outside Bahrain and not only activities inside Bahrain? While we understand that this might be important for other types of ancillary services, this might not be necessary for the Shari’a related services (unless the company is offering Shari’a pronouncement). S2 Noted. But no amendment required as other ancillary services may be offered outside of Bahrain.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 6 of 36 AU-1.2.1 Regulated ancillary services are any of the following activities, carried on by way of business: (a) Third party administrators (TPA); (b) Card processing; (c) Credit reference bureau; (d) Payment service provider (PSP); (e) Shari’a advisory/review services; and (f) Services, other than those included in Subparagraphs AU￾1.2.1 (a) to (e), that are carrying out services in accordance with the CBB Law. A firm stated that there are numerous common elements/ activities between “Card Processing (CP)” and “Payment Service Providers (PSPs)” as follows: CP AU-1.2.5 (a) and PSPs AU-1.2.7 (c) CP AU-1.2.5 (b) and PSPs AU-1.2.7 (d) CP AU-1.2.5 (f) and PSPs AU-1.2.7 (c) and suggest a more clear scope distinction between them. In addition, a firm Suggests explaining the underlined: (f) Services that are carrying out services…..” . A firm commented that The business category proposed is not structured well, there is a major mixed up in all of them such as, Card processing, PSP, CRB, TPA …etc. S3 Same as above, see S1 AU-1.2.3 Only TPAs, Shari’a advisory/review services, card processing and PSPs licensees are allowed to offer their services to both residents and non￾residents financial institutions of the Kingdom of Bahrain. Credit reference bureau can only offer their services to residents of the Kingdom. A firm commented that it is good that the rule has limited the services of the Credit Reference Bureau to the residents of Bahrain. It is not convenient to give information about persons to foreign institutions which is not a resident in Bahrain. A firm stated that it offers a number of services in additional to Corporate. In additional, we also do offer services to government, CRB corporate GCC corporate bureau, etc. S4 AU-1.2.3 has been deleted and no such restrictions exist.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 7 of 36 Third Party Administrators (TPAs) AU-1.2.4 TPA refers to processing claims in connection with health insurance coverage offered or provided by insurance firms. A TPA stated that the medical and motor insurance lines of business involve large volumes of claims (high claiming frequency) with repetitive nature for which TPAs are inherently geared towards processing. As the definition of Card Processing and Payment Service Provider firms involves various activities, TPAs similarly deliver various services that arise out of their primary activity and integral to insurance claims processing, as follows: a. Call center b. Card printing c. Policy administration (additions/deletions) d. Control of fraud and service abuse e. Managing pre-approval requests for services f. Provider network contracting and payment g. Claims storage h. Extensive reporting i. Provide underwriting advice based on claims analysis S5 See GR2 AU-1.2.5 Card processing includes: (a) The act of processing or transmitting debit/credit card holder and transaction related data; (b) Integrating customer delivery channels to enterprises to enable transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet); A commenter stated that we are of the view that the entities to be licensed under this category are technical service providers of card payment transaction processing services. If so, item (e) “E-commerce M-commerce transactions” in the definition needs to be more specific as providing technical service support for E-commerce and M￾commerce. A card service provider requested the definition of Card processing to be amended as below: S6 Item (e ) will be amended to the following: Providing technical service support for M-commerce and e-commerce transactions. The word “Prepaid” will be added. The Rule will be amended as follows:

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 8 of 36 (c) Hosting and managing card program; (d) Approving and authenticating payment transactions as per financial institutions rules; (e) E-commerce and M-commerce transactions; (f) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks; (g) Reporting and customising reporting engine; (h) Call centre outsourcing services; and (i) Online and mobile portals for bank customers. a) The act of processing or transmitting debit/credit/prepaid/loans etc. card holder /account and transaction related data; b) Integrating customer delivery channels to enterprises to enable transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet); c) Hosting and managing card program; d) Approving and authenticating payment transactions as per financial institutions rules; e) E-commerce and M-commerce transactions; f) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks; g) ATM driving, POS driving and acquiring activities including mPOS, field services, merchant tie ups etc.; h) credit scoring/origination; i) consumer loan processing (operations only); j) Reporting and customizing reporting engine; k) Call centre outsourcing services including front end soft collections; l) Online and mobile portals for bank customers; m) application data entry on behalf of member banks relating to cards; n) card personalization and logistics including card embossing, statement, PIN mailer printing and other associated services; and o) range of value added services such as loyalty programs, card analytics, reconciliation, chargeback, SMS, fraud monitoring, 3D secure services etc. which are ancillary a) The act of processing or transmitting debit/credit/prepaid card and transaction related data; Item g) in the comment raised is already covered under point b) in the Rule AU-1.2.5. Item h) (credit scoring /origination) this service is (as explained by the licensee) related to only hosting the IT system for concerned banks. No further action required in the Rulebook. Item i) is not considered as a card processing activity. Item k) is included under (h), no need to so specific. Items m), n) and o) all fall within the ancillary activities for card processing. No need to add further details in the Rulebook.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 9 of 36 to the scope of activities specified above. Credit Reference Bureau AU-1.2.6 Credit reference bureau includes compiling public record data, statutory information, identity information, credit transactions related information and payment histories of natural and legal persons. A firm stated that this part concerning compiling public record is not clear? The firm offers also corporate bureau as per CBB direction without including it. This part will conflict with current Code of Practice, approved earlier by CBB. S7 The definition of the Credit Reference Bureau has been amended in AU-1.2.6 to be aligned with the amendment in the CBB Law. The new definition reads as follows: CRB is a company licensed by the CBB as an Ancillary service provider that receives, stores, analyses and classifies the credit information of customers and issues credit reports and provides the members of the credit reference bureau with such reports upon their request. AU-1.2.7 Payment Service Provider (‘PSP’) For the purposes of Volume 5 (Specialised Licensees), regulated ancillary services, in relation to a payment service provider, include: A payment service provider has only the following slight observation: It observed that the below ancillary services are missing from AU-1.2.7 for which it is licensed to undertake: a) The act of processing or transmitting debit/credit card holder and transaction related data; S8 See S1 and S6 above.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 10 of 36 (a) Services enabling cash to be placed on a payment account and all of the operations required for operating a payment account; (b) Services enabling cash withdrawals from a payment account and all of the operations required for operating a payment account; (c) The execution of the direct debits of payment transactions; (d) Integrating customer delivery channels to enterprises to enable transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet); and (e) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks. b) Hosting and managing card program, Merchant Processing, ATM & POS Driving and Management; c) Approving and authenticating payment transactions as per financial institutions rules; d) E-commerce and M-commerce transactions; e) Reporting and customising reporting engine; f) Online and mobile portals for bank customers. It has further noted that the above services are core functions to its business and provided to its customers. GPS hope that its observation is a valid one and to be considered in CBB’s final release of the rulebook. A firm stated the following: it is preferable to include the word “Ancillary” in the title to differentiate them as ‘Ancillary Payment Service Providers (APSP)’ and not ‘Payment Service Providers (PSP)’ viz. retail banks. I. The definition is not very clear whether these ancillary payment service providers will: a) Only act as an intermediary (operator of telecommunication or IT system or network etc.) between the customer (payer/payment user) and the merchant (supplier of goods or services) and will execute payment transactions for which the consent of the customers is given through ATMs, POS, Interactive Voice Response, mobile, internet; or b) Act as a fully pledged Payment Service Provider. All licensees will be titled “Ancillary Service Providers” and then a list of their activities will be used instead of naming each of them separately. Payment Service providers will act as an intermediary (operator of telecommunication or IT system or network etc.) between the customer (payer/payment user) and the merchant (supplier of goods or services) and will execute payment transactions for which the consent of the customers is given through ATMs, POS, Interactive Voice Response, mobile, internet. To amend the preamble as follows:

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 11 of 36 It further stated that the definition of Ancillary Payment Service Provider is broad and the licensees under this category will likely execute the following types of transactions: (a) payment transactions through ATMs, POS, Interactive Voice Response, mobile, internet; (b) direct debits: (c) payment of high volume periodic/repetitive bills (e.g. utility bills, phone bills tec.); and (d) customer initiated payments. If so, CBB will allow these Ancillary Payment Service Providers to execute single and bulk payments by: accessing even deposit accounts at retail banks through card networks (using ATMs, national switch, debit cards and direct debits) and/or a retail payment system that will provide customer transactions via mobile & Internet i.e. they will operate as retail banks to an extent. A commenter added that it is preferable if the Rule Book is clear on the following areas: (a) the Ancillary Payment Service Provider should not use licensed payment services for taking any kind of deposits or other repayable funds from payment service users (to minimize operational and systemic risks); (b) the Ancillary Payment Service Provider should not keep its own funds in the escrow account; “For the purposes of Volume 5 (Specialised Licensees), regulated ancillary services, in relation to a payment service provider, acting as an intermediary for the following services which include:” a) Ancillary Service Providers are only allowed to undertake the activities listed in AU-1.2.7 (now AU-1.2.8). (i.e. deposits are not allowed as part of their activities). b) This is outlined in AU-1.2.7

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 12 of 36 (c) whether the Ancillary Payment Service Provider can grant credit to any payment service user: (d) the Ancillary Payment Service Provider should maintain separate accounts and prepare financial statements on the ancillary payment services in the case where it has other businesses; (e) the Ancillary Payment Service Provider should credit the full amount transferred by the payment service user to the account of the payee without deducting any shares from the payment amount; and (f) the responsibilities of an Ancillary Payment Service Provider& Card Processing Service Provider in respect of automatically executed transactions for:  Financial institutions & merchants obtaining it services; and  Payment service users. (now AU-1.2.8) where a separate payment account is required. c) Payment service providers cannot grant credit to any service user. d) There is no need for separate financial statements as long as there is a separate escrow account for payment service users. e) The deduction should be made in accordance with the agreement between both the Payment Service Provider and the merchant. This will be clarified in the Rulebook. Providers should be allowed to deduct commission as service has been rendered. f) This will be dictated by the clauses of the contract. Further the definition of PSPs regulated services has been amended from being “execution of the direct debits of payment transactions” to be “Settlement of payments and cheques”.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 13 of 36 AU-1.2.9 For purposes of Paragraph AU-1.2.7 payment account is defined as an account held in a retail bank in an escrow account which is used for the execution of payment transactions. The CBB has the right to stop this payment account at any time. A commenter stated that the definition of “Payment account” implies that an Ancillary Payment Service Provider is an intermediary and maintains this temporary pass through account at a third party retail bank during the process of a transaction between two parties. The term “payment account” is generally used for “an account held in the name of one, or more customers/payment service users for the execution of payment transactions using one of the payment instruments not for escrow accounts”. Therefore, it is preferable to use “escrow account” instead of “payment account”. S9 Agree, will use the term ‘escrow account’ in lieu of ‘payment account’ for all paragraphs affected. Paragraph AU-1.2.9 (now AU￾1.2.10) will be amended as follows: “For purposes of Paragraph AU￾1.2.8 escrow account is defined as an account held in a retail bank which is used for the execution of payment transactions. The CBB has the right to stop this escrow account at any time.” Shari’a Advisory/Review Services AU-1.2.11 Shari’a advisory/review services refer to: (a) Regular assessment on Shari’a compliance in the activities and operations of Islamic financial institutions or any financial institution offering regulated Islamic financial services, by those qualified to offer Shari’a review services, with the objective of ensuring that the activities and operations carried out by these financial (Shari’a Advisory) – A firm suggests to refer to a framework according to which these services can be performed. An association: The current proposed regulation define 3 types of services under the Shari’a advisory/review services as listed in section AU-1.2.11. While we understand why the CBB would like to regulate any company offering Shari’a pronouncements due to the risks related to this service, the other services related to Shari’a review, Shari’a compliance and product development will not have the same risks as the first one if the financial institution has it is own Shari’a supervisory board. We believe that the Shari’a review, Shari’a compliance and product development should be excluded from the regulation for the following reasons: a- As far as we know companies in Bahrain can currently provide product development services to S10 The Shari’a advisory/review services are described here in detail which is considered sufficient. This does not refer to external Shari’a audit which is covered by AAOIFI standard. The commenter seems to mix Shari’a review with Shari’a external audit which are 2 very separate activities. The rule is to cover Shari’a review – not Shari’a external audit.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 14 of 36 institutions do not contravene the Shari’a principles. The services include the examination and evaluation of the financial institutions’ level of compliance to the Shari’a, remedial rectification measures to resolve non-compliance and control mechanism to avoid recurrences. The examination includes contracts, agreements, policies, products, transactions, memorandum and articles of association, financial statements and reports; (b) Issuance of Shari’a pronouncements on any aspect of the Islamic financial institution’s activities or operations; and (c) Ad-hoc Shari’a advisory services for products and services governed by financial services. conventional banks without being regulated. Therefore, it seems that the proposed regulation will significantly reduce the ability of the Islamic finance industry in Bahrain to create and implement new ideas and will impact the level of innovation in Islamic banking if the CBB restrict these services to few regulated companies. Therefore, as long as the financial institution has its own Shari’a board that will review and approve any new product the risk or using any company to develop new products seems very limited. b- Shari’a review is in fact an audit function and fall under professional services. At the moment any licenced financial institution whether Islamic or conventional has to have a financial auditor. Central banks will usually control this function by approving a list of providers who has the capability to offer such service and /or require banks to seek approval from the central bank before they appoint an auditor. Regulating Shari’a review providers will means that CBB should consider also regulating all audit companies that offer their services to all financial institutions (Islamic and conventional). Therefore, using the same approach currently used for financial audit might be more practical approach than regulating the whole audit industry. Based on the above we urge CBB to reconsider the scope of Shari’a regulated services under the current draft regulation and restrict it to AU-1.2.11 (b) only “Issuance of Shari’a pronouncements” as other services can be controlled using different means applied currently by CBB to similar services

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 15 of 36 offered to financial institutions in Bahrain. AU-1.2.12 In offering Shari’a advisory/audit services, the licensee must not offer services to the same client where this may lead to a conflict of interest in terms of services offered. As an example, if the licensee has offered services under Subparagraph AU￾1.2.7(b), no service can be offered under Subparagraph AU-1.2.7(a) in relation to the pronouncement. A law firm stated that it is important to indicate that this rule tried to prevent the conflict of interest while the Shari’a advisory/review services is doing its job. Rule (AU￾1.2.12) states that the Sharia advisory must not offer services to the same client if this may lead to a conflict of interest in terms of services they previously offered, like if they offered a pronouncement on an aspect of Islamic operation to a client, then they must not offer regular assessment on its compliance with sharia. Also, the Lawyer highly suggests changing the word (audit) to (review) in the name of the provider. Shari’a Advisory – A firm requests CBB to clarify if the licensee will be allowed to perform Shari’a audit? Since AU￾1.2.11 states “Review” instead of audit. It further suggested including a clarification or having consistency. S11 Noted. To amend the rule and be consistent and use the term ‘review’. AU-1.3.2 Controlled functions are those of: (a) Director; (b) Chief executive or general manager; (c) Head of function; (d) Compliance officer; and (e) Money Laundering Reporting Officer (for PSPs). Controlled functions (e) – A firm requested CBB to clarify why the MLRO is a controlled function only for “Payment Service Providers” and not for “Card Processing”. A firm inquired that must we report any one holding this function? We currently do not have a Compliance officer and MLRO for it is not applicable? In addition, AU-1.3.3 states that combination of the above controlled functions is subject to the requirements contained in Module HC; the firm inquired can we combine compliance officer with any other related functions? S12 It is because for payment service providers there might occur fraudulent transactions for which an MLRO is responsible to monitor. All ancillary service providers must have a compliance officer. Yes it can be combined provided that there is no conflict of interest.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 16 of 36 AU-1.3.5 The chief executive or general manager means a person who is responsible for the conduct of the licensee (regardless of actual title). The chief executive or general manager must be resident in Bahrain. This person is responsible for the conduct of the whole of the firm. A law firm stated that as for their liability, Article 65 para C stated that if the approved persons who found to be unqualified or inappropriate continue in position, the institution itself may be suspended. Also, Article (278) the Commercial Companies Law will be applied on the approved persons for their breach, mistakes and mismanagements,: ((The managers shall be jointly liable towards the company, the partners and third parties for their breach of the provisions of the law or of the company's memorandum or articles of association and for any mismanagement in accordance with the rules regulating the joint-stock company. Any condition to the contrary shall be deemed non-existent.)) S13 Noted AU-1.3.6 Head of function means a person who exercises major managerial responsibilities, is responsible for a significant business or operating unit, or has senior managerial responsibility for maintaining accounts or other records of the licensee. A firm requests that the “Head of function” referred to in sections AU-1.3.6 & AU 1.3.7 be limited to the roles which report directly to the Chief Executive Officer (CEO). S14 Disagree. Head of function does not necessarily report to CEO (as an example the head of internal audit would be reporting to the Board.) No change required.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 17 of 36 AU-1.3.11 All licensees must designate an employee, of appropriate standing and resident in Bahrain, as compliance officer. A firm stated that it doesn’t have one presently. For currently, most of its activities are handled by DGM support. Is it possible to combine it under a function? The DGM can’t undertake the role of a compliance officer as it is considered a conflict of interest. Please also see S12 above. AU-1.3.11 All licensees must designate an employee, of appropriate standing and resident in Bahrain, as compliance officer. The duties of the compliance officer include: (a) Assisting senior management/head of function to identify and assess the main compliance risks facing the licensees and the plans to manage them; (b) Advising senior management/head of function on compliance with laws, rules and standards, including keeping them informed on developments in the area; (c) Assisting senior management/head of function in educating staff on compliance issues, and acting as a contact point within the licensee for compliance queries from staff members; (d) Establishing written guidance A firm requested the CBB to specify the reporting line of the “Compliance Officer”. S15 Agree. The Compliance officer reports to senior management and must have access to the board. To amend the rules accordingly.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 18 of 36 to staff on the appropriate implementation of compliance with laws, rules and standards through policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines; (e) On a pro-active basis, identifying, documenting and assessing the compliance risks associated with the licensee’s business activities, including the development of new products and business practices, the proposed establishment of new types of business or customer relationships, or material changes in the nature of such relationships; (f) Monitoring and testing compliance by performing sufficient and representative compliance testing; and (g) Reporting on a regular basis to the board of directors or the Audit committee of the board of directors. AU-2.1 Condition 1: Legal Status A TPA proposes to add TPA; regulated ancillary services type (a) as specified under Subparagraphs AU-1.2.1, after S16 AU-2.1.1 has been amended as follows:

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 19 of 36 AU-2.1.1 The legal status of a licensee that is an ancillary service provider licensee as outlined under Subparagraphs AU-1.2.1(a) to (d) and (f) must be in the form of a Bahraini joint stock company (BSC). For Shari’a advisory services outlined under Subparagraph AU-1.2.1(e), the legal status may also be in the form of a Bahraini company with limited liability (‛WLL’). point (e) to give the option to have a legal status as ‘WLL’, while keeping the minimum capital requirements. A firm inquired: does this apply to all ancillary service providers? This would imply that all licensees would have to change their structure and legal status. Please explain. Would the firm need to change its legal status to a Bahraini Joint Stock Company (BSC)? The legal status of a licensee that is an ancillary service provider licensee must be a legal form approved by the CBB. The above amendment will provide greater flexibility for the legal status.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 20 of 36 AU-2.3.3 In summary, controllers are persons who directly or indirectly are significant shareholders in a licensee, or who are otherwise able to exert significant influence on the licensee. The CBB seeks to ensure that controllers pose no significant risks to the licensee. In general terms, controllers are assessed in terms of their financial standing, their judicial and regulatory record, and standards of business and (where relevant) personal probity. A firm suggested adding “relevant knowledge” for Shari’a advisory after “In general terms, controllers are assessed in terms of….”. S17 Disagree. Controllers are the owners and do not need to have the ‘relevant knowledge’. The board and other approved persons are those that must have such knowledge. Capital Funds AU-2.5.1 Licensees must maintain a level of financial resources, as agreed with the CBB, adequate for the level of business proposed. Credit Reference Bureau AU-2.5.3 Licensees must maintain a minimum core capital of BD 2 million. A greater amount of capital may be required by the CBB on a case-by￾case basis. A firm further commented that CRB retail and Corporate is a part of its services. Core capital is part of its capital, which is greater for all the services. Switch, CRB (Retail, Corporate), BCTS, EFTS in future and other small services, etc. S18 The following paragraph AU-2.5.2 has been added: Where a licensee undertakes more than one activity outlined under Paragraph AU-1.2.1, the licensee must maintain the highest level of core capital required amongst all categories of activities which it provides. If the licensee has several sub licenses, only the highest capital requirement will need to be maintained.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 21 of 36 Liquidity AU-2.5.4 Licensees must maintain sufficient liquid assets to meet their obligations as they fall due in the normal course of their business, as required under Module CA. A firm requested to state a percentage or any other means to quantify this requirement. S19 This requirement will be stated in Module CA which will be sent out for consultation in the future before being finalised. Books and Records AU-2.8.1 Article 59 of the CBB Law requires that licensees must maintain comprehensive books of accounts and other records, and satisfy the minimum record-keeping requirements contained in Article 60 of the pre-mentioned Law and Module GR. Books of accounts must comply with the financial accounting standards issued by the International Financial Reporting Standards (IFRS)/International Accounting Standards (IAS) or the applicable AAOIFI standards for Islamic licensees. A firm requested CBB to clarify whether there is a separate category of Islamic licensees under this module? S20 All licensees will be referred to as “Ancillary Service Providers” and a list of their activities will be detailed. There will not be any distinction whether operating on a conventional or Islamic basis.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 22 of 36 AU-4.1.4 Unless otherwise directed by the CBB, the following documents must be provided together with the covering letter referred in Paragraph AU-4.1.1 above in support of a license application: (a) A duly completed Form 2 (Application for Authorisation of Controller) for each controller of the proposed licensee; (b) A duly completed Form 3 (Application for Approved Person status), for each individual applying to undertake controlled functions of the proposed licensee; (c) A comprehensive business plan for the application, addressing the matters described in AU￾4.1.6; (d) Where the applicant is an existing institution, a copy of the applicant’s commercial registration; (e) Where the applicant is a corporate body, a certified copy of a Board resolution of the applicant along with minutes of the concerned meeting, A firm suggested to include a new point as follows: (i) Evidence of competency and qualifications for Shari’a Advisor. S21 Added as item (i) under AU-4.1.4.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 23 of 36 confirming the board’s decision to seek a CBB ancillary service provider license; (f) In the case of applicants that are part of a regulated group, a letter of non-objection to the proposed license application from the applicant’s home supervisor, together with confirmation that the group is in good regulatory standing and is in compliance with applicable supervisory requirements, including those relating to capital adequacy and solvency requirements; (g) Copies of the audited financial statements of the applicant’s major shareholder and/or group (as directed by the CBB), for the three years immediately prior to the date of application; and (h) A draft copy of the applicant’s (and parent’s where applicable) memorandum and articles of association, addressing the matters described in AU-4.1.7.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 24 of 36 AU-4.1.5 The CBB may require that an acceptably worded letter of guarantee be provided in support of the application for a license. Where the application for the license is for an incorporated entity, the CBB may seek a letter of guarantee from controllers. Where the application is for an overseas licensee, the CBB may seek a letter of guarantee from the parent company. A law firm stated that the rule only requires a guarantee from the parent company if the applicant is from overseas, and this is not enough. CBB has to ask the same from the parent company, even if the applicant is Bahraini, therefore, we suggest to delete the word (overseas). S22 Disagree. No change. For an incorporated entity, the letter of guarantee is to be provided by the controllers which could be in fact the parent of the entity. AU-4.1.12 Before the final approval is granted to a licensee, confirmation from a retail bank addressed to the CBB that the licensee’s capital (injected funds) – as specified in the business plan submitted under Rule AU-4.1.4 – has been paid in must be provided to the CBB. In addition, for payment services providers and card processing companies, these licensees must provide a BD50,000 bank guarantee. A payment services provider stated that considering the nature of services provided by them and the minimum Share Capital requirement of BD250,000 the bank guarantee would be a burden. For e.g. 20% of the Share Capital would be locked up. Bank guarantees are also required for other projects – currently, the payment services provider has BD100,000 with banks as guarantee. S23 Disagree. Based on the nature of the activities being carried out, the CBB requires this guarantee.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 25 of 36 AU-5.2.2 The applicable fixed annual license fee varies based on the type of regulated ancillary services undertaken by the licensee as follows: (a) For TPAs, the annual fee is BD2,000; (b) For card processing, the annual fee is BD2,000; (c) For credit reference bureau, the annual fee is BD20,000; (d) For payment service provider, the annual fee is BD3,000; (e) For Shari’a advisory/review services, the annual fee is BD500; and (f) For regulated ancillary services, other than those specified in Subparagraphs AU-5.2.2 (a) to (e), carried out in accordance with the CBB Law, the annual fee is BD500. A payment services provider stated that the annual fee is BD500 currently, the proposed fee would be BD2,500 a fivefold increase. It further added that, could the rationale be explained please? A firm stated that the Proposed annual fee is too high. It is currently paying BD500. S24 AU-5.2.2 has been amended as follows: The applicable fixed annual license fee is BD500.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 26 of 36 GR-1.1.1 Licensees must ensure that any information in their control or custody is not used or disclosed unless: (a) They have the customer’s or licensee’s written consent; (b) Disclosure is made in accordance with the licensee’s regulatory obligations; or (c) The licensee is legally obliged to disclose the information in accordance with Article 117 of the CBB Law. A TPA recommends adding the right of TPA in using the information under their custody, through the following suggested points: I. Access portfolio information to serve its clients II. Waiver of medical confidentiality by signing the TPA contract with any insurance firm and/or employer, enabling TPA to perform its services, and III. TPA has the right to market and announce the cooperation with its clients without disclosing contract terms. S25 GR-1.1.1 is as per Article 117 of the CBB law. The Licensee was confused on the interpretation of this rule. No change required in the rules. GR-2.1.6 Records must be accessible at any time from within the Kingdom of Bahrain, or as otherwise agreed with the CBB in writing. A firm requested to clarify the following: a) if the licensee wants to keep records physically outside Bahrain, whilst replica records are available through integrated systems, will this be allowed? ; and b) whether licensees are allowed to keep back-up records outside Bahrain (especially in case of group entity)? S26 Records must be accessible within Bahrain regardless of the format. General Requirements Module (GR)

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 27 of 36 Corporate Records GR-2.3.1 Licensees must maintain the following records in original form or in hard copy at their premises in Bahrain: (a) Internal policies, procedures and operating manuals; (b) Corporate records, including minutes of shareholders', Directors' and management meetings; (c) Correspondence with the CBB and records relevant to monitoring compliance with CBB requirements; (d) Reports prepared by the licensee’s internal and external auditors; and (e) Employee records. A card processing company requested the CBB to mention the period of retention of “Corporate Records”. S27 These must be retained for as long as the licensee operates.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 28 of 36 GR-4.2 Code of Conduct GR-4.2.1 TPAs are allowed to enter into agreement with more than one insurance firm. GR-4.2.2 TPAs must not charge any kind of fees from the customers/policyholders. GR-4.2.3 TPAs must not market or sell health insurance nor own any part of a healthcare facility or company, and must not contract with non-CBB licensees. GR-4.2.4 TPAs must act in the insurance firms’ best interests at all times and must fulfill their needs to the best of their ability. GR-4.2.5 TPAs must improve the skills of their employees and increase their knowledge through continuing education and training. GR-4.2.6 TPAs must disclose to the existing and prospective GR-4.2.1 and GR-4.2.3 a TPA inquired: are employers who wish to outsource their Healthcare Benefit System through TPA services for claims management (i.e. the Risk being handled totally by the employer) permitted? GR-4.2.3 A TPA stated that our opinion in regard to this clause is two-fold: a. Contracting with Non-CBB licensees: As outlined earlier, the international scope of activities a TPA may engage in typically involves self-insured schemes. As long as the TPA does not take financial risk and since health insurance is not compulsory as of yet, we believe TPAs should be allowed to exercise one of their most vital contributions to delivering cost effective healthcare, namely applying the rules of medical coverage offered by corporates for its staff and their dependents (self-insured groups who are non CBB licensees). This helps contain the escalating healthcare costs that burden corporates. b. Ownership of healthcare facility or company: The ownership of a healthcare facility by the TPA would add significant value to insurance companies it services and to the community at large. At a time when the government is emphasizing on the provision of cost effective healthcare, slashing drugs prices and reducing wastage of healthcare resources we believe that TPAs can contribute to this effort by investing in quality S28 See GR2 and GR3.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 29 of 36 insurance firms any and all information that may affect the TPA’s ability to provide services and/or advice to the insurance firms. healthcare facilities that deliver the best level of care and under the supervision and control of the NHRA. The TPA would further wish to learn CBB’s opinion in regard to the ownership of TPAs by healthcare facilities or the ownership of healthcare facilities by insurance companies. Internationally, medical insurers and TPAs own healthcare facilities as part of their effort to contain rising costs while ensuring the provision of quality healthcare services (e.g. BUPA). GR-4.2.7 TPAs must ensure that all client (insurance firm) funds collected and/or held by the TPA are used for the express purpose for which the funds are collected and/or held as understood by the client (insurance firm). GR-4.2.7 A law firm suggested removing the word client as it was not used in the other modules to refer to the insurance firms. S29 Have amended the rules by removing the reference to insurance firm. But keep the word ‘client’ as it could also pertain to a self funded scheme.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 30 of 36 GR-4.2.8 TPAs must fully disclose to each client (insurance firm) the terms of engagement and the services to be rendered to that client (insurance firm). GR-4.2.8 A TPA recommends adding the following clauses: a. The payment obligation of the claim is the sole responsibility of the insurance companies. b. TPA can provide insurance companies, directly or indirectly through an outsourcing agent, other services such as actuarial services, product design, underwriting. GR-4.2.9 A Law firm suggested removing the word client as it was not used in the other modules to refer to the insurance firms. S30 S31 Item a. is specified in the contract and there is no need to add such reference in the CBB rules. Item b. As communicated to the licensee actuarial services and underwriting require separate application for authorisation/license. TPAs can only process insurance claims. See S29 above. GR-4.3.7 TPAs must process and settle claims within 30 days from the receipt of all necessary documents from healthcare providers. GR-4.3.5 A TPA stated that provider contracts signed with insurers/TPAs stipulate payment of settled claims within a 30 – 60 days period. Reducing this credit period to only 30 days will negatively impact insurers/TPAs, as follows: a. Cash flow strain. b. Manpower strain: more manpower (nearly double the existing) will be required to settle claims within 30 days instead of 30 – 60 days. The above will clearly have a negative impact on insurer and TPA liquidity and will increase cost of servicing and ultimately increase price to be borne by customers. We therefore request the CBB to keep the claims settlement period at a maximum of 60 days, as it is currently agreed with all network providers. A TPA suggests switching ‘settle claims within 30 days’ to be S32 The rules have been amended to differentiate between the period of settling claims to policyholders (insurance firms) and to healthcare providers.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 31 of 36 as per the “contractually agreed terms with Providers”. A firm requested CBB to clarify, whether it is 30 calendar days or working days. Calendar days. The rules has been amended accordingly. GR-6.2.1 A controller of a licensee is a natural or legal person who either alone, or with his associates: (a)Holds 10% or more of the shares in the licensee (“L”), or is able to exercise (or control the exercise of) 10% or more of the voting power in L; (b)Holds 10% or more of the shares in a parent undertaking ("P") of L, or is able to exercise (or control the exercise of ) 10% or more of the voting power in P; or (c)Is able to exercise significant influence over the management of L or P. A firm suggested to explain the word “significant influence” by including: a) a definition; or b) a reference to IFRS for definition; or c) a reference to elsewhere in the Rulebook where already defined. S33 This is standard wording that has been used throughout the Rulebook for a number of years and there is no need for further definition. GR-8.1.1 As specified in Article 50 of the CBB Law, a licensee wishing to cease to provide or suspend any or all of the licensed regulated services of its operations and/or liquidate its business must obtain the CBB’s prior approval. A firm suggests having more clarity as to what “any” means: “..a licensee wishing to cease to provide or suspend any or all of the licensed regulated services of its operations….” Can one Ancillary Service Licensee have more than one type of Ancillary services license? S34 “Any” means “partial of its business”. Yes, As an example a licensee can offer card processing services as well as payment service provider services.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 32 of 36 BR-1.1.1 All licensees are required to submit to the CBB their annual audited financial statements within 3 months of their financial year end. A licensee stated that in addition to the year-end statements; it also submits quarterly financial statements. It further inquired “do we need to only submit at the year￾end?” S35 As per Rulebook Volume 5, all licensees are required to report annual audited financial statements (to the Banking Supervision Directorate of the CBB). Any other requirements imposed by the Banking Services Directorate of the CBB must be complied with separately. BR-1.1.2 The notes to the financial statements must: a) For TPAs, contain complete names and addresses of all insurance companies with which the TPA had a contract in effect during the preceding calendar year; and b) For PSPs, refer to the breakdown of clients’ money and own funds. (b) Clients’ money and own funds - A firm suggested to explain “Client’s money” and “Own funds” by including: a. a definition; or b. a reference to elsewhere in the Rulebook where already defined. S36 These terms are self- explanatory. No change to be made. CBB Reporting Requirements Module (BR)

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 33 of 36 BR-1.1.3 In addition to the statements required in Paragraph BR-1.1.1, licensees are required to submit to the CBB the following information within 3 months of their financial year end: a) The external auditor’s management letter; b) A report on the licensee’s close links as required under Paragraph GR-7.1.3; c) The licensee’s group structure and the internal organisation chart; d) The report on controllers as required under Paragraph GR￾6.1.10; and e) Any supplementary information as required by the CBB. A licensee stated that its current practice is sending quarterly Audit review [consolidated] to the CBB, Year-end Audit report and a Management letter. S37 Please refer to S35 Above.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 34 of 36 BR-1.1.4 In accordance with the provisions of Section AA-4.1, the audited financial statements of the licensees must comply with the International Financial Reporting Standards (IFRS), and where applicable with the Accounting and Auditing Organisation for Islamic Financial Institutions (AAOIFI). A firm stated that it is not clear as to how a Licensee can adopt AAIOFI. It suggests including certain conditions that a licensee should qualify to adopt. A firm further observed: AAIOFI does not seem to have much relevance to these types of entities and their operations/ reporting covered under Ancillary Service Providers License. S38 It is up to the licensee to decide which model it wishes to adopt, conventional or Islamic. BR-1.2.1 PSPs are required to submit to the CBB reviewed (unaudited) semi￾annual financial statements (in the same format as their annual audited accounts) on a semi-annual basis, within two months of the date of these statements. Such statements must provide the breakdown of clients’ money and own funds. A licensee stated that its current scope is to offer Payment Services as well. It further added that its license is “Ancillary Service Providers” – offering Local routing for ATM and POS, GCC Net ATM/POS, CRB Retail and Corporate, BCTS, Bill payments, electronic Payment Gateway, Internet Banking, Local and GCC Disputes. “PSPs are required to submit to the CBB reviewed (unaudited) semi-annual financial statements (in the same format as their annual audited accounts) on semi-annual basis…..” A firm suggests that semi-annual financial statements should be based on IAS 34 requirements. However, any additional disclosure be added in the clause, that CBB may require. Also requested CBB to clarify if other licensees are not required to get the semi-annual financial statements reviewed. It further noted that Licensees other than “Payment Service Providers” are not required to submit on semi-annual basis as per BR -1.2.1. S39 See S1 above. This is the language used throughout the CBB Rulebook when reference is made to semi-annual statements.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 35 of 36 BR-2.2.4 A licensee must notify the CBB immediately of any legal, professional or administrative or other proceedings instituted against the licensee, controller of the licensee that is known to the licensee and is significant in relation to the licensee’s financial resources or its reputation. A licensee stated that this information is slightly ambiguous for them to understand. It further inquired “How is the licensee to know if any institutes are against them?” (The licensee would highly appreciate further clarification). S40 Every institution would know the legal proceeding filed against it and it should notify the CBB if it is significant in relation to the licensee’s financial resources or its reputation. Litigation that are assessed by the external auditor to be material must be published in the annual report. BR-2.2.12 In the event that a licensee fails to meet any of the requirements specified in Module CA (Capital Adequacy), it must, on becoming aware that it has breached the requirements, immediately notify the CBB in writing (ref. CA-1.1.4). A firm: Capital Adequacy and Liquidity Requirements – Suggest that, upon breach of requirements specified in Module CA-1.1.4, along with a notification a Licensee should also provide a plan to meet the required level of liquidity/ capital adequacy. S41 The reference has now been changed to Section AU-2.5 and more details will be provided when Module CA is issued for consultation. BR-2.2.17 All licensees should notify the CBB of information relating to any new or expanded customer products and services. A card processing company suggest that notification to CBB be limited to the new or expanded customer products and facilities which are not consistent with the definition of Licensee’s scope of activities. For e.g. if the card processing company desires to launch a new services similar to our existing services such as card analytics or loyalty card solutions, these services are ancillary to the card processing business and therefore CBB may not want to be notified to launch these. S42 The licensee must notify the CBB of any new or expanded products and services that were not agreed with the CBB and included in its M&A.

Consultation paper – Rulebook Volume 5 Ancillary Service Providers Industry Comments and Feedback March 2016 Page 36 of 36 BR-3.4.3 The CBB considers that a licensee should: (a) Make itself readily available for meetings with representatives or appointees of the CBB; A licensee inquired: “what action is to be carried out in the case of confidential information?” S43 Confidentiality rules apply to third party not to CBB. See S25. Please refer to Article 117 (4) of the CBB Law. BR-3.5.5 Unless the CBB otherwise permits, appointed experts should not be the same firm appointed as the external auditor of the licensee. A licensee stated that this sentence is unclear. S44 This means that the special investigators that are appointed must not be the same as the external auditor. The Required Report BR-3.5.12 The scope of the required report will be determined and detailed by the CBB in the appointment letter. Commissioned appointed experts would normally be required to report on one or more of the following aspects of a licensee’s business: a) Accounting and other records; b) Internal control systems; c) Returns of information provided to the CBB; d) Operations of certain departments; and/or e) Other matters specified by the CBB. A licensee inquired is this matter a onetime act or a consistent one? Or when needed by the CBB? S45 This is done when the CBB views that investigations must be conducted on licensees in certain circumstances.