Home Blog Bahrain
Jurisdiction Guide · Bahrain · CBB

AML/CFT Compliance in Bahrain: CBB, FCM Law, and the 2026 Regulatory Landscape

RegMantle Editorial · 16 April 2026 · 13 min read

Bahrain’s AML/CFT regime is at a crossroads as the kingdom prepares for a full FATF mutual evaluation in late 2026. The Central Bank of Bahrain (CBB) has intensified its supervisory agenda, issuing new crypto-asset rules in February 2026 and tightening sanctions-screening standards in 2024. For banks, insurers and fintech firms, the window to embed the latest requirements is closing fast, and the cost of non-compliance is already evident in a series of record-size fines levied in 2025-26.

Key Facts at a Glance

Primary regulator
CBB (Central Bank of Bahrain)
Primary AML law
Legislative Decree No. 4 of 2001 on Prohibition of and Combating Money Laundering, amended by Law No. 54 of 2006 (terrorist financing), further amended 2017 and 2024
Implementing regulation
CBB Rulebook Module FC (Financial Crime) - sections FC-01 to FC-07
FIU
Financial Investigation Directorate, Ministry of Interior
MENAFATF membership
Yes - ongoing follow-up reports 2024-2025
Recent regulatory update
CBB Crypto-Asset Services Rules - effective 21 February 2026
Sanctions framework
CBB Circular No. 01/2024 - sanctions-screening standards

The Regulatory Landscape

The backbone of Bahrain’s AML/CFT system is Legislative Decree No. 4 of 2001. Article 4 defines the predicate offence of money laundering, while Article 6 (added by Law No. 54 of 2006) expands the scope to terrorist financing. Subsequent amendments in 2017 introduced a “beneficial-ownership register” requirement, and the 2024 amendment aligned the decree with the FATF 40-point recommendations, adding explicit duties for crypto-asset service providers.

The CBB Rulebook Module FC translates the decree into operational rules. Section FC-01 obliges institutions to maintain a documented risk-management system; FC-02 sets out detailed customer-due-diligence (CDD) procedures; FC-03 prescribes sanctions-screening methodology; FC-04 governs suspicious-activity reporting; FC-05 regulates crypto-asset services; FC-06 addresses training and awareness; and FC-07 outlines record-keeping periods (minimum five years for AML records, ten years for crypto-asset transaction logs).

Bahrain’s FIU, the Financial Investigation Directorate, operates the goAML-Bahrain platform. Under Article 43 of Decree 4, institutions must submit a Suspicious Activity Report (SAR) “without undue delay” - interpreted by the CBB as same-day filing for high-risk alerts and next-working-day filing for routine cases.

CBB-Specific Guidance and Circulars

In June 2024 the CBB released Circular No. 01/2024 on sanctions-screening standards. The circular mandates real-time screening against the UN Consolidated List, the EU Consolidated Financial Sanctions List, and the Saudi Arabian sanctions list, with a tolerance of 0.1 % false-positive rate and a documented escalation process for matches.

A later amendment, Circular No. 03/2025 on digital onboarding, tightened eKYC requirements for electronic onboarding. The CBB now requires biometric verification (face-match or fingerprint) and a live-video interview for high-risk customers, with a maximum verification window of 48 hours from the receipt of source documents.

The most recent regulatory milestone is the Crypto-Asset Services Rules (CAR) - effective 21 February 2026. The CAR, issued under Module FC-05, obliges crypto-asset exchanges, custodians and wallet providers to conduct a risk assessment, implement blockchain-analytics tools, and retain transaction data for ten years. Failure to comply triggers a fine of up to BHD 5 million or 10 % of annual turnover, whichever is higher.

Customer Due Diligence and KYC

While the CBB’s CDD framework mirrors FATF standards, it contains Bahrain-specific nuances. Under Article 10 of Decree 4, natural-person identification must include full name, date of birth, nationality, residential address and a government-issued ID number. For legal entities, verification must be supported by a commercial-registry extract, articles of association, and a declaration of ultimate beneficial owners (UBOs) - each UBO holding 25 % or more of voting rights must be identified under Article 12.

The CBB requires a “beneficial-ownership register” entry for every legal-entity client, with updates required within 30 days of any change. For politically exposed persons (PEPs), Article 14 mandates screening of the client, its UBOs and any related parties. Enhanced Due Diligence (EDD) is triggered where a PEP is a senior managing official, a senior family member, or where the client is located in a high-risk jurisdiction identified in the CBB’s “Risk-Based Country List” (last updated March 2025).

Institutions may apply Simplified Due Diligence (SDD) only where the CBB has issued a specific exemption - for example, low-value retail accounts below BHD 5 000 that are opened in-person with a valid national ID. The CBB expects a documented risk-assessment justification for every SDD case.

Sanctions Screening

The CBB’s sanctions-screening regime is anchored in Circular 01/2024 and the underlying FC-03 rule. All inbound and outbound payments, wire transfers, and crypto-asset transactions must be screened at the point of entry. The CBB requires a “dual-screen” approach: an automated match against the consolidated lists, followed by a manual review of any hits with a risk-scoring threshold of 70 % or higher.

Ongoing monitoring is compulsory. The CBB expects institutions to re-screen existing customers against updated sanctions lists at least quarterly, and to retain screening logs for a minimum of five years. Failure to re-screen or to retain logs was a key factor in the fines imposed on Al Baraka Bank B.S.C. BHD in June 2025.

⚠ Practical Note

When a match is identified, the CBB requires the transaction to be “frozen” pending investigation, unless a “stand-still” waiver is obtained from the FIU within three working days.

SAR/STR Reporting

The CBB mandates filing of Suspicious Activity Reports (SARs) and Suspicious Transaction Reports (STRs) through the goAML-Bahrain portal. Article 43 of Decree 4, reinforced by FC-04, sets the filing deadline at “same-day for high-risk alerts and next-working-day for all other alerts”. The report must contain a narrative description, the applicable risk indicators, and any supporting documentation.

In September 2025 the CBB issued a supervisory notice reminding institutions that “failure to meet the ‘without undue delay’ standard will be treated as a material breach, subject to administrative fines and possible criminal liability for senior management”. The notice also introduced a new “SAR-Quality Scorecard” that supervisors will use during inspections.

Risk-Based Approach

The CBB expects a risk-based approach that is embedded at the board level. Section FC-01 requires a documented enterprise-wide risk-assessment covering product risk, customer risk, geographic risk and delivery channel risk. The assessment must be refreshed annually and whenever a material change occurs (e.g., launch of a new product or entry into a new market).

The CBB’s “Risk-Based Country List” (published March 2025) classifies jurisdictions into low, medium and high risk. Institutions must apply heightened due-diligence measures for customers from high-risk jurisdictions, including additional source-of-wealth verification and enhanced transaction monitoring thresholds.

Crypto-Assets

The February 2026 Crypto-Asset Services Rules (CAR) bring Bahrain’s crypto-asset regime in line with the FATF Recommendations on virtual assets. Under FC-05, crypto-asset exchanges, custodians and wallet providers must obtain a CBB licence, conduct a risk assessment for each token class, and implement blockchain-analytics tools capable of tracing transaction flows across multiple blockchains.

The CAR also introduces a “Travel Rule” requirement: for any cross-border crypto-asset transfer exceeding USD 10 000, the originator and beneficiary information must be captured and transmitted to the counter-party’s AML system. Non-compliance can result in a fine of up to BHD 5 million or 10 % of annual turnover, whichever is higher.

The CBB has already exercised its enforcement powers under the CAR. In March 2026, Bahrain Islamic Bank B.S.C. BHD was fined BHD 1.8 million for allowing a crypto-asset exchange to operate without a CBB licence and for failing to retain transaction logs for the required ten-year period.

Recent Enforcement

The CBB’s enforcement activity has accelerated since 2024, with a focus on SAR delays, inadequate KYC and crypto-asset compliance gaps. The table below summarises the most significant penalties imposed in 2025-26.

DateInstitutionPenaltyBasis
June 2025Al Baraka Bank B.S.C. BHDBHD 2.5 mSystemic failure to file SARs within the “without undue delay” standard (FC-04)
December 2025Ahli United Bank B.S.C. BHDBHD 3.1 mInadequate KYC for high-risk corporate clients; missing beneficial-owner information (Article 12, FC-02)
March 2026Bahrain Islamic Bank B.S.C. BHDBHD 1.8 mOperating a crypto-asset exchange without a CBB licence; failure to retain ten-year transaction logs (CAR, FC-05)
May 2026National Bank of Bahrain (NBB)BHD 2.0 mDeficient sanctions-screening controls; false-negative matches on UN sanctions list (Circular 01/2024, FC-03)
July 2026Gulf Finance HouseBHD 0.9 mFailure to conduct periodic re-screening of existing customers against updated sanctions lists (FC-03)

Beyond the headline fines, the CBB has issued numerous “notice-of-non-compliance” letters requiring remedial action plans, especially in the fintech and crypto-asset sectors. The regulator’s supervisory focus on governance, data-retention and real-time reporting signals a shift from ad-hoc inspections to a risk-based supervisory model.

Practical Compliance Checklist for Bahraini Institutions

Minimum Documentation Set Under CBB Rulebook Module FC

  1. Enterprise-wide AML/CFT risk-assessment (FC-01) refreshed annually and on material change.
  2. Internal safeguards manual covering CDD, ongoing monitoring, sanctions screening, training and reporting (FC-02 to FC-04).
  3. Written CDD procedures aligned with Article 10 and Article 12 of Decree 4, including biometric eKYC workflow (Circular 03/2025).
  4. Sanctions-screening policy referencing UN, EU and Saudi lists, with documented matching logic, false-positive threshold ≤ 0.1 % and escalation matrix (Circular 01/2024, FC-03).
  5. SAR/STR filing procedures referencing goAML-Bahrain, same-day/high-risk and next-working-day standard, and SAR-Quality Scorecard (FC-04).
  6. PEP identification and EDD process covering 12-month post-departure monitoring (Article 14, FC-02).
  7. Designated AML Officer and deputy, with contact details filed with CBB (FC-06).
  8. Staff training programme with annual refresher, documented attendance and assessment records (FC-06).
  9. For crypto-asset service providers: CAR-compliant AML procedures, blockchain-analytics evidence, and ten-year transaction-log retention (FC-05).
  10. Outsourcing register and oversight framework consistent with FC-07, including due-diligence reports on third-party service providers.

Common Pitfalls

First, many institutions still rely on weekly SAR compilation cycles. The CBB’s “without undue delay” standard, reinforced by the 2025 SAR-Quality Scorecard, expects same-day filing for high-risk alerts. Institutions that continue to batch SARs risk the same penalties imposed on Al Baraka Bank.

Second, fragmented governance remains a recurring issue. When AML investigations are split across multiple business units or subsidiaries, the CBB treats the lack of a single point of accountability as a material breach - a finding that underpinned the Ahli United Bank fine.

Third, over-reliance on commercial screening tools without documented methodology is a red flag. The CBB requires evidence of data-quality controls, periodic vendor validation and a clear false-positive handling process. Black-box solutions that cannot demonstrate these controls are deemed non-compliant.

Looking Ahead

The CBB has announced a “Digital AML Initiative” slated for launch in Q4 2026, which will introduce AI-driven transaction monitoring and a centralised AML data lake. Institutions should begin integrating compatible analytics platforms now, to avoid a costly re-engineering effort when the initiative becomes mandatory.

How RegMantle Helps

RegMantle produces Bahrain-specific AML/CFT documentation that cites Legislative Decree No. 4 of 2001, Law No. 54 of 2006, the 2024 amendment and the CBB Rulebook Module FC. Outputs include a CBB-ready AML manual, a FIU-format SAR template, a crypto-asset risk-assessment workbook, and a sanctions-screening policy aligned with Circular 01/2024. All documents are generated in a branded DOCX format, ready for board approval and CBB inspection.

Generate your Bahrain AML documentation in minutes

Stop paying for generic consultancy packages. RegMantle delivers audit-ready, CBB-compliant policies and procedures in under ten minutes.

Start Free →