It’s a matter of trust – Accreditation of Trust Service Providers under Bahrain’s Electronic Communications and Transactions Law

Due to the boost to digital transformation that has come as a by–product of the COVID-19 circumstances , electronic transactions today facilitate a large part of our daily interactions. The Kingdom of Bahrain (“Kingdom”)  recognised  the integral role of electronic transactions through its implementation of Decree Law No. 54 of 2018 on the issuance of Electronic Communications and Transactions Law (“ECTL”), which covered various topics pertaining to electronic transactions, including Trust Service Providers (“TSP”).

To promote e-signatures as a safe, efficient, and reliable method of conducting electronic transactions in the Kingdom, under the law the role of the TSP is that of  an independent third party that provides so-called “trust services” involved with the creation, validation and preservation of e-signatures and digital certificates and authenticating signatories.

TSPs need to be given accredited status and permission to  provide their services.

To do this, the Kingdom has recently set out the standards and requirements for the accreditation of TSPs through Resolution No. 4 of 2021 promulgating the Regulation on the Requirements and Standards for the Accreditation of Trust Services (“Regulation”).

The Regulation indicates that accreditation may be mandatory for TSPs duly incorporated in the Kingdom, whereas it is  optional for TSPs based outside of the Kingdom (in which case, such TSPs must be accredited in their respective jurisdictions in order to request TSP accreditation).

In addition, the ECTL stipulates for the issuance of a decision regarding the evidential weighing of electronic signatures more generally, which is still pending publication by the Telecommunications Regulatory Authority (“TRA”) in coordination with the Ministry of Justice, Awqaf and Islamic Affairs). Until that occurs  the technological standards and technical specifications of the TRA with respect to unaccredited TSPs is unclear.

Set out below are the relevant procedures and requirements for entities seeking to become ‘Accredited’ TSPs in Bahrain, in addition to any other key considerations thereof.

Procedures relating to TSPs’ request for accreditation

Entities seeking to become accredited TSPs must submit an application to theTRA. Applicants will need to demonstrate, amongst other things, their financial, management and technical capability. Applicants must also fulfil all the requirements and standards set out by the TRA through an audited report detailing the following:

• Details of the auditing authority;
• The period of time covered by the auditing process; and
• Instances of non-conformity towards the required technical specifications, details on the degree of importance of each such instance, the expected impact on the trust services system and the expected period required for correcting the non-conformity.

Another key requirement for the accreditation request is that the relevant entity must be able to demonstrate that its founders / partners / directors have not been convicted of moral turpitude or breach of trust unless he or she has rehabilitated. Furthermore, entities must be of good financial standing and capable of adequate Trust Services management and operations.

Depending on the TRA’s evaluation and review of the request for accreditation – the request may be approved, upon which the TRA shall register the TSP as an Accredited TSP and approve the accreditation by way of publishing a resolution in the Official Gazette to that effect.

Obligations of Accredited TSPs

The Regulation imposes certain obligations on entities once they become Accredited TSPs. The obligations set out in this Regulation include:

• Compliance with TRA orders and decisions as issued from time to time.
• Adhering to the technical specifications, technological standards and quality of service requirements as specified by the TRA. It is worth noting here that Publishing the Code of Practice including any amendments, and obtaining the TRA’s approval for any material changes to the Trust Services System or Code of Practice.
• Safeguarding the confidentiality of those that use the services of Accredited TSPs, and immediately notifying the TRA in the event of any security breaches that negatively impact the Trust Services System’s reliability; and/or availability.
• Conduct and submit to the TRA technical inspections that analyse risks / threats on a quarterly basis.
• Notifying the TRA immediately if the Accredited TSP becomes aware of any material changes to its financial or legal standing that may affect its capabilities as a TSP in accordance with the Regulation.

Withdrawing Accreditation

The obligations serve as a set of terms and conditions which allow for the maintenance of the Accredited TSP’s status. The TRA reserves the right to withdraw the relevant entity’s accreditation (either fully or in respect of a specific Trust Service) in the event that (inter alia) an Accredited TSP breaches a material provision of the ECTL and/or the Regulation, or fails to comply with the terms and conditions of accreditation without taking appropriate remedial measures in the time-span specified by the TRA. The TRA also reserves the right to withdraw accreditation in other specified instances which include the TRA establishing that the relevant information submitted to obtain accreditation was false or materially inaccurate or if the Accredited TSP fails to provide Trust Services within the period of one year commencing from the date of obtaining the accreditation.

The Kingdom’s first Accredited TSP

With Trust Services and electronic signatures establishing their efficiency in enhancing administrative work and the level of performance of government and privates sectors in accordance with rapid technological trends, the TRA  has emphasised its commitment to assess all systems and processes to safeguard the needs of subscribers  in such sectors whilst preserving all parties’ rights.  In the beginning of August 2021, the TRA issued the first license to execute e-signatures and Trust Services to The Benefit Company (“Benefit”), subsequently making Benefit the first entity to obtain Trust Services accreditation in the Kingdom.

Benefit is the only financial network of its kind in the country, providing ancillary services to the financial sector and acting as the local switch in the Kingdom handling ATM and POS transactions among other services. Benefit’s Assistant General Manager for Information Technology, according to media reports Mr. Riyadh Al-Maraj stated that “Benefit has invested in establishing an advanced technical infrastructure according to the very best international practices to meet the requirements of this license, which we look forward to opening wide doors for many future applications.”

Now that the process for becoming an Accreditated TSP has been formally regulated , more entities are expected to follow in the footsteps of Benefit.