Bahrain -- Licensing Requirements Regulatory Overview

CBB — Crypto-Asset Service Provider licensing (4 categories), prudential supervision — first MENA jurisdiction with comprehensive crypto framework (2019)

**Central Bank of Bahrain (CBB) Official Website:** https://www.cbb.gov.bh/

The Central Bank of Bahrain’s regulatory requirements are contained in the multi‑volume CBB Rulebook, which is accessed via the Laws & Regulations section of the CBB website (with detailed modules hosted on the linked Thomson Reuters Rulebook portal), rather than a single static URL such as https://www.cbb.gov.bh/cbb-rulebook/.

Bahrain’s primary AML/CFT statute is Decree‑Law No. (4) of 2001 on the Prohibition and Combating of Money Laundering and Terrorist Financing, as amended, most recently by Decree‑Law No. (36) of 2025.

**Law No. (4) of 2001 with respect to the Prevention and Prohibition of the Laundering of Money (as amended):** This is Bahrain's overarching anti-money laundering law, which defines ML/TF offenses and imposes obligations on financial institutions (including VASPs, as they are deemed FIs under CBB regulations) to report suspicious transactions.

Virtual asset service providers in Bahrain are regulated under the Central Bank of Bahrain Rulebook, specifically through the Crypto-Asset (CRA) Module in Volume 6 (Capital Markets), which sets out licensing categories, prudential, conduct, technology, and ongoing compliance requirements for crypto-asset service providers operating in or from Bahrain, alongside cross‑referenced modules (e.g., AML/CFT, outsourcing, conduct) in the wider CBB Rulebook.

**Module RA (Risk Management Module) - Specifically, RA-6 Virtual Asset Regulatory Framework:** This module (introduced in 2019) is the cornerstone of VA regulation in Bahrain. It provides specific licensing requirements, operational standards, technological governance, and crucial AML/CFT measures tailored for VASPs. It categorizes virtual assets and defines various VASP activities (e.g., exchange, custody, portfolio management, advisory).

Module FC (Financial Crime) sets out core AML/CFT requirements for specific categories of CBB licensees, with separate FC Modules issued in different CBB Volumes (e.g., for conventional banks, Islamic banks, insurance licensees). VASPs, where regulated by the CBB, must comply with those FC provisions expressly applicable to their licensee category, including requirements on CDD, EDD, suspicious transaction reporting, record‑keeping, and internal controls, rather than a single generic FC module covering all CBB licensees uniformly.

Other relevant modules may include remuneration/compensation and controls/compliance modules, but the abbreviations RM (Remuneration Module) and HC (High-Level Controls Module) are not shown here as standard, generally applicable regulatory modules and appear system-specific or legacy.

Obtain name, permanent address, date of birth, nationality, and an official identification number (e.g., CPR/National ID, passport number).

Verify identity using reliable, independent source documents (e.g., government-issued photo ID, passport) and proof of address (e.g., utility bill).

**Legal Entities (Companies, Partnerships, etc.):**

Obtain legal name, legal form, proof of existence (e.g., certificate of incorporation), names of directors and authorized signatories, registered address, and details of principal business activity.

Identify and verify the identity of the beneficial owner(s) (any natural person owning or controlling 10% or more of shares/voting rights, or otherwise exercising control).

Understand the ownership and control structure.

Regulatory requirements concerning the “purpose and intended nature of the business relationship” are no longer treated as a one‑time, static checkbox but as a continuing, risk‑based customer due diligence obligation that must be understood, reassessed, and updated over the life of the relationship, in conjunction with beneficial ownership and ongoing transaction monitoring.

Understand the purpose and intended nature of the business relationship or the occasional transaction.

Assess and, on an ongoing risk‑based and event‑driven basis, reassess the customer’s risk profile using collected and updated customer information, including beneficial ownership information, as part of the institution’s customer due diligence obligations.

**Source of Funds and Source of Wealth (SoF/SoW):**

VASPs must perform due diligence on the source of funds and, where appropriate, the source of wealth, particularly for high-value transactions, high-risk customers, or when there are suspicions of ML/TF. This is especially critical for virtual assets due to their pseudonymous nature.

Regularly review existing customer information and update it as necessary.

Conduct ongoing monitoring of transactions to ensure they are consistent with the VASP's knowledge of the customer, their business, and risk profile.

Pay close attention to complex, unusually large transactions, and all unusual patterns of transactions that have no apparent economic or lawful purpose.

**Politically Exposed Persons (PEPs):** For customers identified as PEPs, their family members, or close associates.

High‑risk jurisdictions are those on the FATF list of High‑Risk Jurisdictions Subject to a Call for Action (currently Iran, North Korea/DPRK and Myanmar/Burma), together with any other countries that the CBB designates as high‑risk based on its own assessment; countries on the FATF list of Jurisdictions Under Increased Monitoring (the grey list) should generally be treated as higher‑risk but are not formally labelled by FATF as “high‑risk jurisdictions subject to a call for action.”

**High-Risk Business Activities:** For customers engaged in activities deemed high-risk by the VASP or CBB.

**Unusual or Large Transactions:** Transactions that are particularly complex, unusually large, or exhibit unusual patterns.

**Use of Mixers/Tumblers or Privacy Coins:** Transactions involving these technologies should trigger EDD due to their inherent anonymity features.

**Cross-border Virtual Asset Transfers:** The CBB's Module RA-6 specifically highlights the need for heightened scrutiny for international transfers.

FATF’s “Travel Rule” under Recommendation 16 remains in force but was substantively revised in June 2025: R.16 has been retitled “Payment transparency,” its scope and data requirements for originator and beneficiary information have been expanded and clarified, and implementation of the updated standard is expected by end‑2030; virtual asset and crypto‑asset service provider Travel Rule obligations are now primarily addressed under Recommendation 15 rather than the revised R.16.

Obtain and hold required originator information (including the sender’s name and account / wallet identifier), and, consistent with applicable travel-rule style requirements, ensure that sufficient additional identifying data is collected (such as physical address OR a customer/national ID number OR date and place of birth), rather than mandating all of these elements for every transaction and value tier.

Obtain, hold, and transmit required beneficiary information (receiver's name/account number or wallet address) for applicable crypto transfers, rather than only obtaining and holding it internally.

Transmit this information to the beneficiary VASP; if the beneficiary is not a VASP, the Travel Rule transmission obligation does not require direct transmission to that non-VASP beneficiary.

Take reasonable measures to verify the identity of their customers (originator or beneficiary).

VASPs must establish and maintain systems to detect and report suspicious transactions.

Any employee who knows or suspects that funds are proceeds of a crime or are related to terrorist financing must report their suspicions internally to the VASP's Money Laundering Reporting Officer (MLRO).

The MLRO, after due consideration, must submit an STR to Bahrain's **Financial Intelligence Unit (FIU)**.

It is strictly prohibited to inform the customer or any third party that an STR has been filed or that an investigation is underway.

STRs must be submitted promptly, without delay, once suspicion has been formed.

Unusual or complex virtual asset transactions that do not make economic sense.

Structuring transactions to evade Bank Secrecy Act (BSA) reporting thresholds remains prohibited and is a valid basis for suspicious activity reporting (SARs), but current guidance clarifies that institutions must file SARs when they reasonably suspect structuring to evade reporting requirements, rather than automatically filing based solely on a pattern of sub‑threshold transactions.

Frequent and rapid transfers of virtual assets, especially to and from multiple addresses.

Transactions involving mixers, tumblers, or privacy coins are considered high‑risk red flags that require enhanced due diligence and a documented legitimate justification, but they are no longer presumed to be illegitimate per se.

Large deposits of virtual assets followed by immediate withdrawal.

Customer refusal to provide requested CDD information or providing inconsistent information.

Transactions linked to identified illicit activities or sanctioned entities/individuals are subject to Bahrain’s AML/CFT framework under Decree-Law No. (4) of 2001 as amended, including by Decree-Law No. (36) of 2025, which introduced updated treatment of such transactions (including a good-faith defense for acquirers unaware of illicit origin) and strengthened measures against money laundering and terrorism financing.

Rapid changes in transaction patterns or sudden increases in activity without explanation.

All customer identification data, transaction records, and business correspondence must be retained for at least **five years** following the termination of the business relationship or after the date of an occasional transaction.

Records of STRs and any internal suspicious activity reports must also be kept for at least five years.

**CDD Records:** Copies of identification documents, verification data, beneficial ownership information, and risk assessments.

**Transaction Records:** Details of all virtual asset transactions, including dates, amounts, types of virtual assets, sender and receiver wallet addresses (or other identifiers), and any associated fiat currency conversions.

**Internal Policies and Procedures:** Records of all AML/CFT policies, procedures, and internal control manuals.

**Training Records:** Documentation of all AML/CFT training provided to staff.

**Audit Reports:** Records of internal and external AML/CFT audit findings.

**STRs:** Copies of all suspicious transaction reports filed.

Records must be kept in a manner that allows for easy retrieval by the CBB or other competent authorities upon request.

**Proactive Licensing and Regulation:** The CBB's early and clear VASP (Virtual Asset Service Provider) licensing framework means that entities operating within Bahrain's jurisdiction are largely required to be licensed and compliant from the outset. This reduces the scope for significant enforcement actions against *unlicensed* operators, as they are either licensed or prevented from operating.

**General AML/CFT Enforcement:** While the CBB regularly issues enforcement actions and fines against traditional financial institutions (banks, money exchangers, insurance companies) for AML/CFT (Anti-Money Laundering/Combating the Financing of Terrorism) deficiencies, these actions are typically related to general compliance failures across all financial services, not specifically tied to virtual assets. Public announcements rarely specify the *type* of assets involved unless it's a dedicated crypto violation.

**CBB's Crypto-Asset Module:** This comprehensive rulebook outlines the requirements for licensing, governance, capital, risk management, and AML/CFT for virtual asset service providers.

**Source:** CBB Rulebook, Volume 6 – Capital Markets (specifically the Crypto-Asset Module)

**URL (General CBB Rulebook):** https://www.cbb.gov.bh/laws-regulations/cbb-rulebook/

*(Note: The specific module PDF might require navigation within the rulebook section, but this link is the starting point.)*

**Licensing of Key Players (e.g., Rain Financial, Binance):** These announcements highlight Bahrain's success in attracting and licensing major virtual asset entities.

**Rain Financial Licensing (as an example of early success):**

**Source:** CBB Press Release (older, but foundational to their strategy)

**URL (Example news coverage):** https://www.prnewswire.com/news-releases/bahrains-rain-becomes-first-licensed-crypto-asset-platform-in-the-middle-east-300890666.html

**Binance Obtaining License in Bahrain (2022):**

**Regulator:** Central Bank of Bahrain (CBB)

Received a crypto-asset service provider authorization/licence under the relevant local regulatory regime, not a MiCA-style CASP licence.

Binance Bahrain’s regulatory position and permissions must now be understood in light of both the original Binance press releases and CBB announcements on its CASP/Category 4 license and PSP arrangements, and the Central Bank of Bahrain’s July 2025 stablecoin issuance and offering (SIO) framework, which imposes additional, specific approval and licensing requirements for stablecoin‑related and yield‑bearing stablecoin services.

The Central Bank of Bahrain’s news and announcement content is now hosted under its Media Center, especially the alerts/press releases section at https://www.cbb.gov.bh/media-center/ (and filtered views such as https://www.cbb.gov.bh/media-center/?type=alert), rather than the old /news-announcements/ path.

Hong Kong requires licensing for virtual asset trading platforms, now generally referred to as a Virtual Asset Trading Platform (VATP) licence, rather than a 'Virtual Asset Exchange Operator License'.

Operating a licensed virtual-asset exchange covers providing fiat-to-crypto, crypto-to-fiat, and crypto-to-crypto trading or conversion services, but it no longer necessarily requires maintaining an order book or directly matching buy and sell orders, because many regulated on‑/off‑ramp providers perform these functions via direct conversion or brokerage models without order matching.

**Relevance:** Directly applicable to cryptocurrency exchanges.

In Hong Kong, a separate virtual asset custodian licensing regime has been proposed and consultation conclusions have been published, but it is still pending implementation/commencement of the relevant legislation.

**Covers:** Safeguarding virtual assets or instruments enabling control over virtual assets on behalf of others. This includes holding private keys.

Relevance: Directly applicable to U.S. custody providers for cryptocurrencies and other virtual assets; not directly applicable to Bahraini (BH) custody providers, though potentially informative as comparative background.

Covers: Engaging in the business of buying, selling, or offering to buy or sell virtual assets on behalf of another person, or dealing as principal in virtual assets.

**Relevance:** Applicable to brokers, dealers, and trading platforms that facilitate transactions without necessarily operating a full exchange. This can also apply to OTC desks.

Virtual Asset Portfolio Manager License:

**Covers:** Managing portfolios of virtual assets on behalf of others.

**Covers:** Providing advice regarding virtual assets.

In Bahrain, virtual asset payment processors are not regulated as a distinct licensing category; instead, they fall within the broader, unified regime for Virtual Asset Service Providers (VASPs)/crypto‑asset service providers and are subject to the general AML/CFT and licensing requirements that apply to all VASPs.

If the payment processing involves **"transferring virtual assets on behalf of another person,"** which is explicitly defined as a Virtual Asset Service, then a **Virtual Asset License** (likely a Virtual Asset Broker-Dealer license or a dedicated Virtual Asset Service Provider license, depending on the exact nature of the transfer and its relation to other VA activities) will be required.

If the service is solely processing fiat payments for virtual asset businesses (without directly handling or transferring virtual assets themselves), it might fall under a **Payment Services license** (regulated under CBB Rulebook, Volume 5 – Business and Market Practices, Module PS) rather than the Virtual Assets Module. However, given the broad definition of VA services, most payment processors dealing directly with virtual assets will likely fall under the VA Module.

The entity must be **incorporated in Bahrain** and have a physical presence.

The CBB requires substance, meaning local management and operational capabilities.

Minimum capital varies by the type of license and the specific services offered. These are specified in Appendix VA-1.2 of the Virtual Assets Module.

The VA-1.2 examples based on VA record control schedules and 38 CFR 3.12 do not apply to the Colorado Behavioral Health (BH) licensing jurisdiction, whose rules are maintained under Colorado state authority rather than federal VA regulations.

Under the Central Bank of Bahrain’s Crypto-Asset (CRA) Module, a full crypto-asset exchange operator (Category 4) must maintain a minimum paid-up capital of BHD 300,000 (approx. USD 795,000), not BHD 100,000. The BHD 100,000 minimum applies to Category 2 licensees (agent trading/custody/portfolio management), not to exchange operators.

Under the Central Bank of Bahrain’s crypto-asset service provider regime, a virtual asset custodian function falls under at least Category 2 (or higher), which requires a minimum paid-in capital of BHD 100,000 for Category 2, BHD 200,000 for Category 3, and BHD 300,000 for Category 4; thus, a blanket statement that the minimum is BHD 100,000 is incomplete and can be misleading because the capital requirement depends on the exact licensing category and business model.

**Virtual Asset Broker-Dealer:** Minimum BHD 50,000 (approx. USD 132,500) for basic activities, potentially higher.

*Note:* These are minimums and the CBB may require higher capital based on the business model, risk profile, and projected volumes.

Bahrain's AML/CTF and KYC framework was updated by Decree-Law No. (36) of 2025, enacted September 8, 2025, which amended Decree-Law No. (4) of 2001 to introduce stronger measures and enhanced preventative obligations.

Adherence to the CBB's comprehensive **AML/CFT Rulebook (FC Module)**, which applies to all licensees.

Robust **Know Your Customer (KYC)** procedures for all clients, including enhanced due diligence for high-risk clients.

Implementation of a **risk-based approach** to AML/CFT.

Compliance with updated FATF (Financial Action Task Force) recommendations, including the expanded Recommendation 16 “Travel Rule” requirements for both virtual asset transfers and other cross‑border payments, as implemented in the relevant BH framework.

Designation of a CBB-approved **Money Laundering Reporting Officer (MLRO)**.

Fit and Proper Requirements: Directors and certain senior management of CBB licensees must meet the CBB’s fit and proper criteria, demonstrating competence, integrity, and financial soundness. The CBB has streamlined its prior‑approval requirements and now places primary responsibility on the board and CEO to assess and ensure the suitability of senior management, while significant shareholders’ fitness and propriety are addressed under separate ownership and control provisions rather than this new common Fit and Proper Module.

Robust **corporate governance framework**, including clear roles, responsibilities, and internal controls.

Adequate **staffing** with relevant expertise.

Comprehensive framework for identifying, assessing, monitoring, and mitigating all relevant risks, including operational, market, credit, liquidity, and cybersecurity risks.

Bahrain's cloud infrastructure has experienced a significant disruption requiring months for restoration, while a Bahrain-based cybersecurity company continues to operate; the regulatory landscape is dynamic and involves active market growth.

Virtual asset firms are expected to maintain robust, secure IT systems, infrastructure, and security controls, with more explicit modern requirements focused on custody, governance, system resilience, and protection of client virtual assets and data.

Regular independent security audits and penetration testing.

Regulators expect organizations to maintain a documented, regularly tested business continuity and disaster recovery program—including detailed BCDR plans, defined continuity and recovery objectives (such as RTO/RPO), impact/risk analyses, governance, and ongoing review—rather than relying on static plans alone.

Clear and transparent disclosure of terms, conditions, and risks associated with virtual assets.

Fair and prompt handling of customer complaints.

Measures to prevent market manipulation and protect client assets.

Regular independent audits of financial statements and operational/internal controls are required only for institutions that meet or exceed the FDIC’s current Part 363 asset thresholds; institutions below the updated threshold (now $1 billion in assets) are no longer subject to a mandatory independent external audit requirement.

Periodic regulatory reporting to the CBB.

**Initial Contact / Pre-Application Meeting:**

Prospective applicants are strongly encouraged to engage in preliminary discussions with the CBB to understand the requirements and gauge the feasibility of their proposed business model.

A detailed **business plan** outlining the proposed services, target market, operational model, governance structure, risk management, and financial projections (minimum of 3 years).

Information on the legal structure, shareholding, and ultimate beneficial owners.

CVs and "Fit and Proper" declarations for all directors and senior management.

Comprehensive **AML/CFT policy and procedures manual**.

IT infrastructure details, cybersecurity policies, and disaster recovery plans.

Financial resources documentation (proof of capital).

Internal control policies and procedures.

**CBB Review and Due Diligence:**

The CBB conducts a thorough review of the submitted documents.

This includes extensive due diligence on the principals, business model, and operational readiness.

The CBB may request additional information, clarifications, or amendments to the business plan or policies.

Key personnel (e.g., CEO, MLRO, Compliance Officer) may be required to attend interviews with CBB officials.

If all requirements are met, the CBB may grant an "in-principle" approval, subject to final conditions (e.g., establishing the physical office, appointing key personnel).

Once all conditions of the in-principle approval are satisfied, the CBB issues the final license.

**CBB Rulebook, Volume 6 (Capital Markets):** This is the main volume.

**Virtual Assets Module (VA):** The dedicated module for virtual asset regulation, found within Volume 6.

**Financial Crime Module (FC):** Contains the comprehensive AML/CFT requirements applicable to all CBB licensees, including virtual asset service providers. It is also found within Volume 6.