THE KINGDOM OF BAHRAIN’S NATIONAL RISK ASSESSMENT 2025

31 123. The provisions outlined in Volume 5 of the FC Module include similar requirements to those outlined in the other volumes including CDD, STR reporting and Record Keeping Requirements. 124. During the past four years, the CBB has conducted risk-based on-site examinations on Money Changers, resulting in enforcement actions against licensees. 125. Following the issuance of the examination reports, all licensees were required to provide the CBB with a comprehensive action plan to address the violations noted during on-site examination reports. The action plans were assessed by the Compliance Directorate to ensure adequacy, comprehensiveness and timely remediation of regulatory observations. 126. Given the ML threats faced by the sector, its vulnerabilities and the strengths of its controls, the sector’s overall ML risk is classified as medium-high . Virtual Asset Service Providers Introduction 127. The market for buying and selling of crypto-currencies has grown within the Kingdom of Bahrain in previous years, with companies registered and regulated as Crypto-Asset Service Providers (CASPs ) 1 . Accordingly, licensed VASPs are obliged to comply with the Crypto-Asset (CRA) Module which aims at minimizing the risks associated, in particular, the risk of financial crime and illegal use of virtual assets, and the AML/CFT/CPF regulatory requirements specified within the AML Module of the CBB Rulebook. 128. VASPs are inherently exposed to ML/TF/PF risks due to the anonymous nature of crypto transactions, the speed and global reach of transfers, and use of privacy-enhancing tools that obscure transaction trails. VASPs as a sector demands heightened scrutiny and robust AML/CFT/CPF controls. 129. The CBB has conducted multiple thorough AML/CFT/CPF risk-based on-site examinations on VASPs. The aim of such examinations was to identify and mitigate any gaps and vulnerabilities in the institution’s AML/CFT/CPF systems and controls. 130. It is important to note that none of the VASPs accept direct deposits of cash. All deposits must be conducted through banking channels. 131. VASPs are subject to enhanced supervisory scrutiny, including off-site and on-site examinations. The AML/CFT/CPF systems and controls of the examined institutions were found to be relatively sufficient with no alarming gaps identified. The CBB has fully incorporated the Travel Rule into its regulatory framework for VASPs. Under the AML Module of Volume 6, (AML-2A: Money Transfers and Accepted Crypto-Assets), VASPs are required to treat all crypto-asset transfers similar to cross-border transfers. Which includes obtaining comprehensive originator and beneficiary information such as full name, wallet identifiers and relevant identification details for every transfer. Furthermore, the CBB actively enforces compliance with travel rule requirements, including instances wherein VASPs 1 The term ‘Crypto-Asset (CRA)’ and ‘Crypto-Asset Service Providers (CASPs)’ is used by the CBB on their rulebook module to refer to the terms ‘Virtual Assets (VA)’ and ‘Virtual-Asset Service Providers (VASPs)’ which is adopted in this report and in line with FATF glossary.