Regulatory Alerts2017-01-05
Proposed Amendments to the Authorisation Module for Ancillary Service Providers
The Central Bank of Bahrain proposes amendments to Module AU-1.2 of its Authorisation framework to authorize payment service providers to issue multi-purpose prepaid cards for point-of-sale, ATM, online, and remittance transactions. Licensees must cap individual account balances at BD200, limit total outstanding card values to 50% of core capital, secure a retail bank guarantee, ensure EMV compliance for plastic cards, and maintain PCI-DSS certification by December 2017. The regulatory changes also mandate periodic PCI audits, require accounts to be classified as dormant after three months of inactivity, and stipulate that payment settlements must be finalized within two business days.
# Central Bank of Bahrain
## Executive Director - Banking Supervision
---
**EDBS/KH/C/54/2016**
**22<sup>nd</sup> December 2016**
---
### Chief Executive Officer
All Payment Service Providers
All Audit Firms
All Law Firms
Manama, Kingdom of Bahrain
---
**Dear Sir,**
## Consultation: A proposed amendment to the Authorisation Module of Ancillary Service Providers
As part of the CBB’s objective in enhancing its regulatory framework, the CBB is proposing an amendment to the Authorisation Module (Module AU), Section AU-1.2 “Definition of Regulated Ancillary Services” by adding a new paragraph AU-1.2.10A. The proposed amendment will allow payment service providers to issue any multi-purpose prepaid cards, electronic or otherwise, which can be used on POS terminals and ATMs as well as for online purchases and remittances.
The proposed amendment shall be available in the CBB website (www.cbb.gov.bh) under “Open Consultations” Section.
The CBB requests all Payment Service Providers, Audit firms and Law firms to provide their comments, including ‘nil comments’ electronically to CBB Consultations Team at “consultation@cbb.gov.bh”, by 5<sup>th</sup> January 2017.
---
**Yours faithfully**
*Khalid Hamad*
---
*ص.ب: ٢٧، المنامة - مملكة البحرين
هاتف : (+973) ١٧٥٤٧٤٠٠ - فاكس: (+973) ١٧٥٣٢٦٠٥
P.O. Box : 27, Manama - Kingdom of Bahrain
Tel: (+973) 17547400 - Fax: (+973) 17532605
website: www.cbb.gov.bh
E-mail: khalid.hamad@cbb.gov.bh*
---
# Central Bank of Bahrain Rulebook
## Volume 5: Specialised Licensees (Ancillary Service Providers)
---
### MODULE | AU: Authorisation
### CHAPTER | AU-1: Requirement to Hold a License
---
## AU-1.2 Definition of Regulated Ancillary Services (continued)
### Payment Service Provider ('PSP')
#### AU-1.2.8
For the purposes of Volume 5 (Specialised Licensees), regulated ancillary services, in relation to a payment service provider, acting as an intermediary for the following services which include:
(a) Services enabling cash to be placed on an escrow account and all of the operations required for operating an escrow account;
(b) Services enabling cash withdrawals from an escrow account and all of the operations required for operating an escrow account;
(c) The settlement of the direct debits of payment transactions;
(d) Integrating customer delivery channels to enterprises to enable transactions at delivery channels (e.g. ATMs, POS, Interactive Voice Response, mobile, internet); and
(e) Interfacing with external networks/institutions (e.g. national switch, VISA, MasterCard), enabling automated exchange of transactions between the enterprise and external networks.
#### AU-1.2.9
Payment service providers also facilitate the payment of high volume periodic/repetitive bills (e.g. utility bills, phone bills etc), and customer initiated payments.
#### AU-1.2.10
For purposes of Paragraph AU-1.2.8, escrow account is defined as an account held in a retail bank which is used for the execution of payment transactions. The CBB has the right to stop this escrow account at any time.
#### AU-1.2.10A
When issuing any multi-purpose pre-paid cards, electronic or otherwise, payment service providers must comply with the following requirements:
(a) The maximum amount under each individual customer pre-paid account must not exceed BD200;
(b) The maximum overall outstanding amount of pre-paid cards for all customers is limited to 50% of the payment service provider’s core capital;
(c) The payment service provider must obtain a bank guarantee from a retail bank licensed in the Kingdom of Bahrain to cover the maximum overall outstanding amount of pre-paid cards;
(d) Comply with all the requirements outlined under Module FC (Financial Crime);
(e) Where a pre-paid plastic card is issued, it must be EMV compliant (chip and PIN and online authentication);
---
*AU: Authorisation
Section AU-1.2: Page 3 of 5
January 2017*
---
## AU-1.2 Definition of Regulated Ancillary Services (continued)
#### (f) Any account not active/used for three months must be placed in a dormant account;
#### AU 1.2.10B
In addition to the requirements listed under Paragraph AU 1.2.10A, Payment service providers must maintain up to date Payment Card Industry Data Security Standards (PCI-DSS) certification. The initial certification must be obtained by 31<sup>st</sup> December 2017. Failure to comply with this requirement will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).
#### AU-1.2.10C
In order to maintain up to date PCI-DSS certification, payment service providers will be periodically audited by PCI authorised companies for compliance. Licensees are asked to make certified copies of such documents available if requested by the CBB.
#### AU-1.2.11
Payment service providers must finalise settlements within 2 business days.
---
*AU: Authorisation
Section AU-1.2: Page 4 of 5
January 2017*
Share