Bahrain

CBB — Crypto-Asset Service Provider licensing (4 categories), prudential supervision — first MENA jurisdiction with comprehensive crypto framework (2019)

**Central Bank of Bahrain (CBB) Official Website:** https://www.cbb.gov.bh/

The Central Bank of Bahrain’s regulatory requirements are contained in the multi‑volume CBB Rulebook, which is accessed via the Laws & Regulations section of the CBB website (with detailed modules hosted on the linked Thomson Reuters Rulebook portal), rather than a single static URL such as https://www.cbb.gov.bh/cbb-rulebook/.

Bahrain’s primary AML/CFT statute is Decree‑Law No. (4) of 2001 on the Prohibition and Combating of Money Laundering and Terrorist Financing, as amended, most recently by Decree‑Law No. (36) of 2025.

**Law No. (4) of 2001 with respect to the Prevention and Prohibition of the Laundering of Money (as amended):** This is Bahrain's overarching anti-money laundering law, which defines ML/TF offenses and imposes obligations on financial institutions (including VASPs, as they are deemed FIs under CBB regulations) to report suspicious transactions.

Virtual asset service providers in Bahrain are regulated under the Central Bank of Bahrain Rulebook, specifically through the Crypto-Asset (CRA) Module in Volume 6 (Capital Markets), which sets out licensing categories, prudential, conduct, technology, and ongoing compliance requirements for crypto-asset service providers operating in or from Bahrain, alongside cross‑referenced modules (e.g., AML/CFT, outsourcing, conduct) in the wider CBB Rulebook.

**Module RA (Risk Management Module) - Specifically, RA-6 Virtual Asset Regulatory Framework:** This module (introduced in 2019) is the cornerstone of VA regulation in Bahrain. It provides specific licensing requirements, operational standards, technological governance, and crucial AML/CFT measures tailored for VASPs. It categorizes virtual assets and defines various VASP activities (e.g., exchange, custody, portfolio management, advisory).

Module FC (Financial Crime) sets out core AML/CFT requirements for specific categories of CBB licensees, with separate FC Modules issued in different CBB Volumes (e.g., for conventional banks, Islamic banks, insurance licensees). VASPs, where regulated by the CBB, must comply with those FC provisions expressly applicable to their licensee category, including requirements on CDD, EDD, suspicious transaction reporting, record‑keeping, and internal controls, rather than a single generic FC module covering all CBB licensees uniformly.

Other relevant modules may include remuneration/compensation and controls/compliance modules, but the abbreviations RM (Remuneration Module) and HC (High-Level Controls Module) are not shown here as standard, generally applicable regulatory modules and appear system-specific or legacy.

Obtain name, permanent address, date of birth, nationality, and an official identification number (e.g., CPR/National ID, passport number).

Verify identity using reliable, independent source documents (e.g., government-issued photo ID, passport) and proof of address (e.g., utility bill).

**Legal Entities (Companies, Partnerships, etc.):**

Obtain legal name, legal form, proof of existence (e.g., certificate of incorporation), names of directors and authorized signatories, registered address, and details of principal business activity.

Identify and verify the identity of the beneficial owner(s) (any natural person owning or controlling 10% or more of shares/voting rights, or otherwise exercising control).

Understand the ownership and control structure.

Regulatory requirements concerning the “purpose and intended nature of the business relationship” are no longer treated as a one‑time, static checkbox but as a continuing, risk‑based customer due diligence obligation that must be understood, reassessed, and updated over the life of the relationship, in conjunction with beneficial ownership and ongoing transaction monitoring.

Understand the purpose and intended nature of the business relationship or the occasional transaction.

Assess and, on an ongoing risk‑based and event‑driven basis, reassess the customer’s risk profile using collected and updated customer information, including beneficial ownership information, as part of the institution’s customer due diligence obligations.

**Source of Funds and Source of Wealth (SoF/SoW):**

VASPs must perform due diligence on the source of funds and, where appropriate, the source of wealth, particularly for high-value transactions, high-risk customers, or when there are suspicions of ML/TF. This is especially critical for virtual assets due to their pseudonymous nature.

Regularly review existing customer information and update it as necessary.

Conduct ongoing monitoring of transactions to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile.

Pay close attention to complex, unusually large transactions, and all unusual patterns of transactions that have no apparent economic or lawful purpose.

**Politically Exposed Persons (PEPs):** For customers identified as PEPs, their family members, or close associates.

High‑risk jurisdictions are those on the FATF list of High‑Risk Jurisdictions Subject to a Call for Action (currently Iran, North Korea/DPRK and Myanmar/Burma), together with any other countries that the CBB designates as high‑risk based on its own assessment; countries on the FATF list of Jurisdictions Under Increased Monitoring (the grey list) should generally be treated as higher‑risk but are not formally labelled by FATF as “high‑risk jurisdictions subject to a call for action.”

**High-Risk Business Activities:** For customers engaged in activities deemed high-risk by the VASP or CBB.

**Unusual or Large Transactions:** Transactions that are particularly complex, unusually large, or exhibit unusual patterns.

**Use of Mixers/Tumblers or Privacy Coins:** Transactions involving these technologies should trigger EDD due to their inherent anonymity features.

**Cross-border Virtual Asset Transfers:** The CBB's Module RA-6 specifically highlights the need for heightened scrutiny for international transfers.

FATF’s “Travel Rule” under Recommendation 16 remains in force but was substantively revised in June 2025: R.16 has been retitled “Payment transparency,” its scope and data requirements for originator and beneficiary information have been expanded and clarified, and implementation of the updated standard is expected by end‑2030; virtual asset and crypto‑asset service provider Travel Rule obligations are now primarily addressed under Recommendation 15 rather than the revised R.16.

Obtain and hold required originator information (including the sender’s name and account / wallet identifier), and, consistent with applicable travel-rule style requirements, ensure that sufficient additional identifying data is collected (such as physical address OR a customer/national ID number OR date and place of birth), rather than mandating all of these elements for every transaction and value tier.

Obtain, hold, and transmit required beneficiary information (receiver's name/account number or wallet address) for applicable crypto transfers, rather than only obtaining and holding it internally.

Transmit this information to the beneficiary VASP; if the beneficiary is not a VASP, the Travel Rule transmission obligation does not require direct transmission to that non-VASP beneficiary.

Take reasonable measures to verify the identity of their customers (originator or beneficiary).

VASPs must establish and maintain systems to detect and report suspicious transactions.

Any employee who knows or suspects that funds are proceeds of a crime or are related to terrorist financing must report their suspicions internally to the VASP's Money Laundering Reporting Officer (MLRO).

The MLRO, after due consideration, must submit an STR to Bahrain's **Financial Intelligence Unit (FIU)**.

It is strictly prohibited to inform the customer or any third party that an STR has been filed or that an investigation is underway.

STRs must be submitted promptly, without delay, once suspicion has been formed.

Unusual or complex virtual asset transactions that do not make economic sense.

Structuring transactions to evade Bank Secrecy Act (BSA) reporting thresholds remains prohibited and is a valid basis for suspicious activity reporting (SARs), but current guidance clarifies that institutions must file SARs when they reasonably suspect structuring to evade reporting requirements, rather than automatically filing based solely on a pattern of sub‑threshold transactions.

Frequent and rapid transfers of virtual assets, especially to and from multiple addresses.

Transactions involving mixers, tumblers, or privacy coins are considered high‑risk red flags that require enhanced due diligence and a documented legitimate justification, but they are no longer presumed to be illegitimate per se.

Large deposits of virtual assets followed by immediate withdrawal.

Customer refusal to provide requested CDD information or providing inconsistent information.

Transactions linked to identified illicit activities or sanctioned entities/individuals are subject to Bahrain’s AML/CFT framework under Decree-Law No. (4) of 2001 as amended, including by Decree-Law No. (36) of 2025, which introduced updated treatment of such transactions (including a good-faith defense for acquirers unaware of illicit origin) and strengthened measures against money laundering and terrorism financing.

Rapid changes in transaction patterns or sudden increases in activity without explanation.

All customer identification data, transaction records, and business correspondence must be retained for at least **five years** following the termination of the business relationship or after the date of an occasional transaction.

Records of STRs and any internal suspicious activity reports must also be kept for at least five years.

**CDD Records:** Copies of identification documents, verification data, beneficial ownership information, and risk assessments.

**Transaction Records:** Details of all virtual asset transactions, including dates, amounts, types of virtual assets, sender and receiver wallet addresses (or other identifiers), and any associated fiat currency conversions.

**Internal Policies and Procedures:** Records of all AML/CFT policies, procedures, and internal control manuals.

**Training Records:** Documentation of all AML/CFT training provided to staff.

**Audit Reports:** Records of internal and external AML/CFT audit findings.

**STRs:** Copies of all suspicious transaction reports filed.

Records must be kept in a manner that allows for easy retrieval by the CBB or other competent authorities upon request.

**Proactive Licensing and Regulation:** The CBB's early and clear VASP (Virtual Asset Service Provider) licensing framework means that entities operating within Bahrain's jurisdiction are largely required to be licensed and compliant from the outset. This reduces the scope for significant enforcement actions against *unlicensed* operators, as they are either licensed or prevented from operating.

**General AML/CFT Enforcement:** While the CBB regularly issues enforcement actions and fines against traditional financial institutions (banks, money exchangers, insurance companies) for AML/CFT (Anti-Money Laundering/Combating the Financing of Terrorism) deficiencies, these actions are typically related to general compliance failures across all financial services, not specifically tied to virtual assets. Public announcements rarely specify the *type* of assets involved unless it's a dedicated crypto violation.

**CBB's Crypto-Asset Module:** This comprehensive rulebook outlines the requirements for licensing, governance, capital, risk management, and AML/CFT for virtual asset service providers.

**Source:** CBB Rulebook, Volume 6 – Capital Markets (specifically the Crypto-Asset Module)

**URL (General CBB Rulebook):** https://www.cbb.gov.bh/laws-regulations/cbb-rulebook/

*(Note: The specific module PDF might require navigation within the rulebook section, but this link is the starting point.)*

**Licensing of Key Players (e.g., Rain Financial, Binance):** These announcements highlight Bahrain's success in attracting and licensing major virtual asset entities.

**Rain Financial Licensing (as an example of early success):**

**Source:** CBB Press Release (older, but foundational to their strategy)

**URL (Example news coverage):** https://www.prnewswire.com/news-releases/bahrains-rain-becomes-first-licensed-crypto-asset-platform-in-the-middle-east-300890666.html

**Binance Obtaining License in Bahrain (2022):**

**Regulator:** Central Bank of Bahrain (CBB)

Received a crypto-asset service provider authorization/licence under the relevant local regulatory regime, not a MiCA-style CASP licence.

Binance Bahrain’s regulatory position and permissions must now be understood in light of both the original Binance press releases and CBB announcements on its CASP/Category 4 license and PSP arrangements, and the Central Bank of Bahrain’s July 2025 stablecoin issuance and offering (SIO) framework, which imposes additional, specific approval and licensing requirements for stablecoin‑related and yield‑bearing stablecoin services.

The Central Bank of Bahrain’s news and announcement content is now hosted under its Media Center, especially the alerts/press releases section at https://www.cbb.gov.bh/media-center/ (and filtered views such as https://www.cbb.gov.bh/media-center/?type=alert), rather than the old /news-announcements/ path.

Hong Kong requires licensing for virtual asset trading platforms, now generally referred to as a Virtual Asset Trading Platform (VATP) licence, rather than a 'Virtual Asset Exchange Operator License'.

Operating a licensed virtual-asset exchange covers providing fiat-to-crypto, crypto-to-fiat, and crypto-to-crypto trading or conversion services, but it no longer necessarily requires maintaining an order book or directly matching buy and sell orders, because many regulated on‑/off‑ramp providers perform these functions via direct conversion or brokerage models without order matching.

**Relevance:** Directly applicable to cryptocurrency exchanges.

In Hong Kong, a separate virtual asset custodian licensing regime has been proposed and consultation conclusions have been published, but it is still pending implementation/commencement of the relevant legislation.

**Covers:** Safeguarding virtual assets or instruments enabling control over virtual assets on behalf of others. This includes holding private keys.

Relevance: Directly applicable to U.S. custody providers for cryptocurrencies and other virtual assets; not directly applicable to Bahraini (BH) custody providers, though potentially informative as comparative background.

Covers: Engaging in the business of buying, selling, or offering to buy or sell virtual assets on behalf of another person, or dealing as principal in virtual assets.

**Relevance:** Applicable to brokers, dealers, and trading platforms that facilitate transactions without necessarily operating a full exchange. This can also apply to OTC desks.

Virtual Asset Portfolio Manager License:

**Covers:** Managing portfolios of virtual assets on behalf of others.

**Covers:** Providing advice regarding virtual assets.

In Bahrain, virtual asset payment processors are not regulated as a distinct licensing category; instead, they fall within the broader, unified regime for Virtual Asset Service Providers (VASPs)/crypto‑asset service providers and are subject to the general AML/CFT and licensing requirements that apply to all VASPs.

If the payment processing involves **"transferring virtual assets on behalf of another person,"** which is explicitly defined as a Virtual Asset Service, then a **Virtual Asset License** (likely a Virtual Asset Broker-Dealer license or a dedicated Virtual Asset Service Provider license, depending on the exact nature of the transfer and its relation to other VA activities) will be required.

If the service is solely processing fiat payments for virtual asset businesses (without directly handling or transferring virtual assets themselves), it might fall under a **Payment Services license** (regulated under CBB Rulebook, Volume 5 – Business and Market Practices, Module PS) rather than the Virtual Assets Module. However, given the broad definition of VA services, most payment processors dealing directly with virtual assets will likely fall under the VA Module.

The entity must be **incorporated in Bahrain** and have a physical presence.

The CBB requires substance, meaning local management and operational capabilities.

Minimum capital varies by the type of license and the specific services offered. These are specified in Appendix VA-1.2 of the Virtual Assets Module.

The VA-1.2 examples based on VA record control schedules and 38 CFR 3.12 do not apply to the Colorado Behavioral Health (BH) licensing jurisdiction, whose rules are maintained under Colorado state authority rather than federal VA regulations.

Under the Central Bank of Bahrain’s Crypto-Asset (CRA) Module, a full crypto-asset exchange operator (Category 4) must maintain a minimum paid-up capital of BHD 300,000 (approx. USD 795,000), not BHD 100,000. The BHD 100,000 minimum applies to Category 2 licensees (agent trading/custody/portfolio management), not to exchange operators.

Under the Central Bank of Bahrain’s crypto-asset service provider regime, a virtual asset custodian function falls under at least Category 2 (or higher), which requires a minimum paid-in capital of BHD 100,000 for Category 2, BHD 200,000 for Category 3, and BHD 300,000 for Category 4; thus, a blanket statement that the minimum is BHD 100,000 is incomplete and can be misleading because the capital requirement depends on the exact licensing category and business model.

**Virtual Asset Broker-Dealer:** Minimum BHD 50,000 (approx. USD 132,500) for basic activities, potentially higher.

*Note:* These are minimums and the CBB may require higher capital based on the business model, risk profile, and projected volumes.

Bahrain's AML/CTF and KYC framework was updated by Decree-Law No. (36) of 2025, enacted September 8, 2025, which amended Decree-Law No. (4) of 2001 to introduce stronger measures and enhanced preventative obligations.

Adherence to the CBB's comprehensive **AML/CFT Rulebook (FC Module)**, which applies to all licensees.

Robust **Know Your Customer (KYC)** procedures for all clients, including enhanced due diligence for high-risk clients.

Implementation of a **risk-based approach** to AML/CFT.

Compliance with updated FATF (Financial Action Task Force) recommendations, including the expanded Recommendation 16 “Travel Rule” requirements for both virtual asset transfers and other cross‑border payments, as implemented in the relevant BH framework.

Designation of a CBB-approved **Money Laundering Reporting Officer (MLRO)**.

Fit and Proper Requirements: Directors and certain senior management of CBB licensees must meet the CBB’s fit and proper criteria, demonstrating competence, integrity, and financial soundness. The CBB has streamlined its prior‑approval requirements and now places primary responsibility on the board and CEO to assess and ensure the suitability of senior management, while significant shareholders’ fitness and propriety are addressed under separate ownership and control provisions rather than this new common Fit and Proper Module.

Robust **corporate governance framework**, including clear roles, responsibilities, and internal controls.

Adequate **staffing** with relevant expertise.

Comprehensive framework for identifying, assessing, monitoring, and mitigating all relevant risks, including operational, market, credit, liquidity, and cybersecurity risks.

Bahrain's cloud infrastructure has experienced a significant disruption requiring months for restoration, while a Bahrain-based cybersecurity company continues to operate; the regulatory landscape is dynamic and involves active market growth.

Virtual asset firms are expected to maintain robust, secure IT systems, infrastructure, and security controls, with more explicit modern requirements focused on custody, governance, system resilience, and protection of client virtual assets and data.

Regular independent security audits and penetration testing.

Regulators expect organizations to maintain a documented, regularly tested business continuity and disaster recovery program—including detailed BCDR plans, defined continuity and recovery objectives (such as RTO/RPO), impact/risk analyses, governance, and ongoing review—rather than relying on static plans alone.

Clear and transparent disclosure of terms, conditions, and risks associated with virtual assets.

Fair and prompt handling of customer complaints.

Measures to prevent market manipulation and protect client assets.

Regular independent audits of financial statements and operational/internal controls are required only for institutions that meet or exceed the FDIC’s current Part 363 asset thresholds; institutions below the updated threshold (now $1 billion in assets) are no longer subject to a mandatory independent external audit requirement.

Periodic regulatory reporting to the CBB.

**Initial Contact / Pre-Application Meeting:**

Prospective applicants are strongly encouraged to engage in preliminary discussions with the CBB to understand the requirements and gauge the feasibility of their proposed business model.

A detailed **business plan** outlining the proposed services, target market, operational model, governance structure, risk management, and financial projections (minimum of 3 years).

Information on the legal structure, shareholding, and ultimate beneficial owners.

CVs and "Fit and Proper" declarations for all directors and senior management.

Comprehensive **AML/CFT policy and procedures manual**.

IT infrastructure details, cybersecurity policies, and disaster recovery plans.

Financial resources documentation (proof of capital).

Internal control policies and procedures.

**CBB Review and Due Diligence:**

The CBB conducts a thorough review of the submitted documents.

This includes extensive due diligence on the principals, business model, and operational readiness.

The CBB may request additional information, clarifications, or amendments to the business plan or policies.

Key personnel (e.g., CEO, MLRO, Compliance Officer) may be required to attend interviews with CBB officials.

If all requirements are met, the CBB may grant an "in-principle" approval, subject to final conditions (e.g., establishing the physical office, appointing key personnel).

Once all conditions of the in-principle approval are satisfied, the CBB issues the final license.

**CBB Rulebook, Volume 6 (Capital Markets):** This is the main volume.

**Virtual Assets Module (VA):** The dedicated module for virtual asset regulation, found within Volume 6.

**Financial Crime Module (FC):** Contains the comprehensive AML/CFT requirements applicable to all CBB licensees, including virtual asset service providers. It is also found within Volume 6.

Bahraini law and Central Bank of Bahrain (CBB) regulations require financial institutions, including VASPs, to comply with UN Security Council sanctions *and* with Bahrain’s own AML/CFT and terrorism‑financing measures, which include domestic designations and restrictions. This framework obliges institutions to freeze assets and prohibit transactions involving individuals and entities designated under applicable UN resolutions and corresponding Bahraini laws, ministerial orders, and CBB directives, not just UN lists alone.

Under the Central Bank of Bahrain Rulebook, Volume 6 (Capital Markets), the relevant sanctions/terrorism‑financing obligation is contained in Module AML: Anti‑Money Laundering & Combating of Financial Crime, not in a separate Module FC. The Module AML imposes requirements on Capital Market Service Providers to implement effective AML/CFT measures in line with FATF recommendations, including compliance with applicable UN Security Council resolutions on terrorism, proliferation, and related asset freezing; however, there is no Section FC‑1.1.1 (UN Sanctions) in a Volume 6 'Module FC (Financial Crime)' as cited.

The Central Bank of Bahrain’s crypto‑asset regulations are set out in Volume 6 (Capital Markets) of the CBB Rulebook, primarily in the Crypto‑Asset (CRA) Module, and are now complemented by an additional Stablecoin Issuance and Offering (SIO) Module in the same volume for stablecoin‑specific activities.

OFAC (the U.S. Department of the Treasury’s Office of Foreign Assets Control) and the European Union each operate their own, separate sanctions regimes; there is no dedicated OFAC sanctions program targeting Bosnia and Herzegovina, and EU sanctions are adopted and enforced under EU law rather than by OFAC.

While Bahraini law does not *directly* mandate compliance with OFAC or EU sanctions for entities purely operating within Bahrain and not involving US or EU persons/funds, in practice, due to the global nature of financial services and cryptocurrencies, most VASPs operating internationally or dealing with international partners will screen against these lists.

Non-compliance with OFAC sanctions can lead to secondary sanctions, loss of access to the USD clearing system, and reputational damage for any entity (including a VASP) facilitating transactions with sanctioned parties, regardless of its location. Similarly, EU sanctions have extraterritorial reach in certain circumstances.

**VASP Best Practice:** Given the interconnectedness of the crypto ecosystem and the potential for severe penalties, prudent VASPs in Bahrain handling international transactions or onboarding international clients will incorporate OFAC, EU, and other major international sanctions lists into their screening processes.

**Mandatory Screening:** Licensed VASPs must screen all customers (initial onboarding and ongoing), beneficial owners, and transactions against:

**UN Sanctions Lists:** Specifically the Consolidated List maintained by the UNSC 1267/1989/2253 ISIL (Da'esh) & Al-Qaida Sanctions Committee and the UNSC 1988 Taliban Sanctions Committee List, as well as other relevant UN sanctions lists.

**National Sanctions Lists of Bahrain:** This includes lists of designated terrorists and terrorist organizations issued by the Kingdom of Bahrain's competent authorities.

**Ongoing Monitoring:** Screening is not a one-time event. VASPs must conduct ongoing monitoring to identify if existing clients or parties to transactions subsequently appear on sanctions lists.

**Technology Solutions:** VASPs are expected to use reliable technology solutions for efficient and accurate screening.

**Sanctions Compliance:** Transactions involving jurisdictions subject to comprehensive UN (and implicitly, OFAC/EU) sanctions (e.g., Iran, North Korea, Syria, certain regions of Russia) are effectively prohibited due to sanctions regimes. VASPs must block or reject such transactions and report them.

**Risk-Based Approach (FATF Recommendations):** VASPs must implement a risk-based approach to customer due diligence (CDD). Higher-risk jurisdictions (e.g., those identified by FATF as having strategic AML/CFT deficiencies) will trigger enhanced due diligence measures. If the risks cannot be mitigated, the VASP may choose to restrict or prohibit business relationships with customers or transactions originating from/destined for such regions.

**Travel Rule:** The CBB has implemented the FATF's "Travel Rule," requiring VASPs to obtain and transmit originator and beneficiary information for crypto transfers above a certain threshold. This enhances the ability to identify cross-border transactions involving high-risk jurisdictions or sanctioned entities.

Imposition of specific conditions on the VASP's license.

Suspension or revocation of the VASP's license.

Imprisonment for individuals found responsible for serious AML/CFT breaches, including facilitating sanctioned transactions.

**CBB Law (Law No. 64 of 2006):** Grants the CBB powers to impose administrative sanctions and refer criminal offenses to the Public Prosecution.

**Law No. 4 of 2001 (as amended) concerning the Prevention and Prohibition of the Laundering of Money and Financing of Terrorism:** Defines criminal offenses and associated penalties.

**URL for CBB Law:** CBB Law No. 64 of 2006 (See Part 5, Offences and Penalties)

*Note: Finding an official, up-to-date English translation of Law No. 4 of 2001 online can be challenging; its provisions are incorporated into the CBB Rulebook's requirements.*

**United Nations Security Council Consolidated List:** This list is universally applied by Bahrain.

**URL:** UN Security Council Consolidated List

**Kingdom of Bahrain's National Terrorism Lists:** Bahrain maintains national lists of individuals and entities designated as terrorists or terrorist organizations, in accordance with **Law No. 54 of 2006 regarding the Proscription of Terrorist and Terrorist Entities**. Financial institutions, including VASPs, are required to screen against these lists. These lists are typically disseminated to regulated entities through CBB circulars.

*Note: These lists are not publicly published online in a single consolidated database for easy public access, but rather communicated confidentially to licensed institutions by the CBB or other competent authorities.*

**Adopted:** Yes, the principles of the FATF Travel Rule are adopted and integrated into Bahrain's regulatory framework for Crypto-Asset Service Providers (CASPs) licensed by the CBB. While not explicitly termed "Travel Rule" in every section, the requirements for originator and beneficiary information collection and transmission are mandated.

**Legislation/Guidance:** The primary regulatory framework is the **CBB Rulebook, Volume 6 – Capital Markets, Crypto-assets (CA) Module**.

**URL:** CBB Rulebook Volume 6 (Capital Markets) (Navigate to the Crypto-assets (CA) Module within this volume).

The CBB issues a range of regulatory instruments—including binding directives, circulars, guidance notes and other measures such as institution‑specific liquidity add‑ons—that complement and implement its rulebook within a broader, multi‑tiered supervisory framework.

The CBB's comprehensive regulatory framework for crypto-assets came into effect in **2019**. This framework included stringent AML/CFT obligations for CASPs, encompassing requirements aligned with the Travel Rule principles.

The CBB's AML/CFT requirements generally align with international standards. For the FATF Travel Rule, the general threshold is typically **USD/EUR 1,000** or equivalent for transactions involving at least one unhosted wallet, or in jurisdictions where such a threshold is applied.

For VASP-to-VASP transfers, the expectation is generally that required originator and beneficiary information must accompany the transfer regardless of amount, with CBB applying a risk-based framework for additional checks and handling of higher-risk cases.

The CBB's CA Module requires CASPs to conduct Customer Due Diligence (CDD) and ongoing monitoring, which would necessitate collecting originator and beneficiary information for virtually all transactions processed by a licensed VASP.

The CBB's framework covers all entities licensed as **Crypto-Asset Service Providers (CASPs)**. The CA Module defines various regulated crypto-asset activities, including:

Dealing in crypto-assets as a principal

Dealing in crypto-assets as an agent

Acting as a crypto-asset custodian

Any entity performing these activities and licensed by the CBB is subject to the AML/CFT requirements, including those aligning with the Travel Rule.

**Collect Information:** Obtain and hold accurate and meaningful originator and beneficiary information for all crypto-asset transfers. This includes:

Originator Information: Name, physical address, national identity number (or customer identification number), and the crypto-asset wallet address or account identifier.

Beneficiary Information: Name, physical address, and the crypto-asset wallet address or account identifier.

**Transmit Information:** Ensure that the collected information "travels" with the transaction to the beneficiary VASP, or is made available upon request. This implies secure and reliable methods for data transfer between CASPs.

**Verify Information:** Implement measures to verify the identity of their customers (both originators and beneficiaries) in accordance with CDD requirements.

Store Records: Maintain records of all transactions and the associated originator/beneficiary information for at least five years, as per CBB AML/CFT requirements.

**Monitor and Report:** Implement robust transaction monitoring systems to identify suspicious transactions and report them to the Financial Intelligence Directorate (FID) of Bahrain.

**Risk-Based Approach:** CASPs must have a comprehensive risk assessment framework to identify, assess, and mitigate AML/CFT risks, which informs the level of due diligence and information collection required.

Monetary Fines: Substantial financial penalties imposed on the CASP and/or its senior management.

Administrative Sanctions: Public reprimands, warnings, and specific directives to rectify deficiencies.

Restrictions on Operations: Imposing limitations on business activities or specific transactions.

**Suspension or Revocation of License:** For serious or repeated breaches, the CBB can suspend or revoke a CASP's operating license, effectively forcing them to cease operations.

**Individual Accountability:** Senior management and board members can be held personally accountable and face individual sanctions, including disqualification from holding similar positions.

**Referral for Criminal Prosecution:** In cases of severe AML/CFT breaches or suspected criminal activity, the CBB can refer cases to the Public Prosecution for criminal investigation and prosecution under Bahrain's AML/CFT laws (e.g., Law No. (4) of 2001 with respect to the prevention and combating of money laundering and terrorism financing, as amended).

**Regulatory Body:** Central Bank of Bahrain (CBB)

Core regulation for crypto-asset services (including custody and platform-type activities) is set out in CBB Rulebook Volume 6 – Capital Markets, primarily in the Crypto-Assets Module (CRA), with additional specialised modules such as the Stablecoin Issuance and Offering (SIO) Module governing specific activities like stablecoin issuance and offerings.

The CBB Rulebooks are now primarily hosted and maintained on the Thomson Reuters–powered platform at cbben.thomsonreuters.com (accessed via links from the CBB Laws & Regulations/Rulebook section), rather than being directly and comprehensively published at https://www.cbb.gov.bh/rulebooks/ as a standalone main page of substantive rulebook content.

*Note: Direct PDF links can change with updates, so it's best to navigate from the main rulebook page.*

The Central Bank of Bahrain's current cyber security rulebook, effective July 2025, has superseded the older CRY module references (CRY-1.1.1, CRY-1.2.1, CRY-1.3.1) with updated requirements under the 'Cyber Security Requirements' module.

**Authorization:** Obtain a license from the CBB.

Directors and senior management of CBB licensees must meet the Central Bank of Bahrain’s fit and proper criteria as set out in the standalone Fit and Proper Requirements Module (Module FP), rather than EN-1.2.1.

**Minimum Capital:** Maintain adequate financial resources. For a Class 4 (Custody) license, the minimum paid-up capital is BD 50,000 (approx. USD 132,600), plus additional operational risk capital requirements based on a risk assessment (CR-1.3.1).

Operational requirements for robust systems, controls, risk management, and internal audit functions in Bahrain custody have been updated under the 2026 CBB requirements and modern IIA standards, superseding the older GR-1.1.1, GR-1.1.2, RM-1.1.1 codes.

**Business Plan:** Submit a detailed business plan, including operational procedures for custody, security measures, and disaster recovery plans.

**Module Reference:** CRY-5.1.1 to CRY-5.1.5

**Absolute Segregation:** Crypto-asset platform operators must ensure that client crypto-assets are held separate from their own crypto-assets and are clearly identifiable as client assets (CRY-5.1.1).

**No Commingling:** Client crypto-assets must not be commingled with the operator's proprietary assets (CRY-5.1.2).

**Trust Arrangement:** Client crypto-assets must be held in trust for the clients (CRY-5.1.3).

**Prohibition on Use:** Operators are prohibited from using client crypto-assets for their own account or for the benefit of any other client without explicit, written client consent and regulatory approval (CRY-5.1.4).

**Reconciliation:** Regular reconciliation of client crypto-assets with internal records is mandated (CRY-5.1.5).

A crypto-asset platform operator should maintain appropriate risk management and, where required by its business model, adequate insurance or equivalent financial protections for client-asset safekeeping risks such as cyber incidents, theft, fraud, and operational failures; current U.S. regulatory guidance emphasizes safe-and-sound operations and broader risk controls rather than a universal standalone insurance mandate.

The CBB expects the coverage to be commensurate with the scale and nature of the operator's business and the value of assets under custody. Specific monetary amounts are not typically fixed in the rulebook but are assessed on a case-by-case, risk-based approach.

**Robust Security:** Operators must implement robust security measures for the custody of crypto-assets (CRY-4.2.1).

**Significant Proportion in Cold Storage:** This includes the use of cold storage (offline storage) for a significant proportion of client assets (CRY-4.2.1).

**Policy & Procedures:** Operators are required to have documented policies and procedures for determining the appropriate proportion of assets to be held in cold storage, taking into account factors such as asset type, liquidity needs, and the overall risk profile (CRY-4.2.2).

**Key Management:** Secure key generation, storage, and management procedures are also critical (CRY-4.2.3).

**Module Reference:** Module CRY establishes the requirements.

In Bahrain, there is no specific "Class 4 Custody License" or "Module CRY" for crypto-assets. Crypto-asset custody is a regulated crypto-asset service under the Central Bank of Bahrain (CBB) Rulebook, Volume 6 – Crypto-Asset Module (CRA). Only entities holding a CBB crypto-asset service provider licence in the relevant category (e.g., Category 2 or Category 3, which explicitly include "crypto-asset custody") may legally provide custody of accepted crypto-assets within or from Bahrain. The CBB is the licensing and supervisory authority, and licensees must meet requirements on capital, governance, operational controls, cybersecurity, and client asset protection, but the law does not use the separate legal label "qualified custodian" nor a "Class 4 Custody License" for this purpose.

**Continuous Updates:** The CBB's approach is to regularly review and update its rulebooks. Any amendments or new directives would be communicated through CBB circulars or updates to the relevant modules (e.g., updates to Module CRY).