Law and Practice
1. Fintech Market
1.1 Evolution of the Fintech Market
Since the announcement of its fintech strategy in November 2017, the Bermuda government has positioned Bermuda as a market-leading jurisdiction with respect to fintech, with a view to Bermuda operating as an innovation hub for businesses seeking to conduct operations utilising new technologies or to deploy new technologies to provide services and solutions for other business sectors.
The Bermuda government, along with Bermuda?s sole financial services regulator, the Bermuda Monetary Authority (BMA), have taken a collaborative approach and, with the assistance of technical advisers from other pioneering jurisdictions and participation across Bermuda?s private industry sectors, Bermuda has developed a robust and effective, fit-for-purpose legal and regulatory framework that offers certainty with respect to the regulatory status of digital assets issuances and digital assets business activities, providing adequate protection for customers and investors, while also encouraging and fostering innovation.
Bermuda operates one of the largest (re)insurance markets in the world, which itself is a sector that is known for developing cutting-edge risk solutions and innovative alternative-risk structures. The BMA was able to leverage its experience in supervising and regulating companies in the (re)insurance sector (from start-ups to global giants) to develop a risk-based, proportionate but flexible regulatory regime that is dynamic and receptive to the needs of digital asset businesses and issuers, and responsive to the rapid deployment of distributed ledger and other technologies.
Key Legislation
As part of its fintech strategy, Bermuda has enacted the following key pieces of legislation:
- the landmark first-in-class Digital Asset Business Act 2018 (DABA), which provides for the licensing and supervision of digital asset business activities in Bermuda, along with associated codes of practice, statement of principles, client disclosure rules, cybersecurity rules, accounts rules and sector-specific anti-money laundering and anti-terrorist financing guidelines, specifically tailored to the digital asset business sector;
- the Digital Asset Issuance Act 2020, which regulates the conduct of digital asset issuances, in a similar manner to initial public offerings of shares;
- amendments to the Banks and Deposit Companies Act 1999, to provide for a special class of banking licence to promote the establishment of banking institutions offering services to the fintech sector; and
- amendments to the Insurance Act 1978, to create a special class of insurance regulatory sandbox licence to be issued by the BMA to innovative insurers, insurance managers and other insurance intermediaries, as well as the creation of a new class of innovative insurance company that companies can apply to register as, or mitigate from the sandbox into.
DABA has been enhanced a number of times since its enactment, to extend the scope of digital asset business activities that are captured under the DABA regime, and which require a licence from the BMA to conduct such activities in Bermuda, in line with the fast-paced developments intrinsic to this sector. One of the key enhancements was the introduction of regulation for the digital assets derivative market, including options, futures, contracts for differences and swaps with digital assets underlying. In addition, the licensing regime was extended to those who operate as a digital assets derivative exchange or who act as digital asset benchmark administrators and trustee companies that safeguard and administer digital assets. The definition of "market marker" was also refined in line with the actual activities of market makers on digital assets exchanges and includes anyone:
- quoting buy and sell prices in furtherance of profit or gain on the bid offer spread;
- fulfilling orders initiated by clients or in response to clients' requests to trade; or
- hedging positions arising from the fulfilment of tasks under the two points above.
Bermuda intends to embrace and enable the acceleration of digital asset businesses from within Bermuda, while protecting its long-standing reputation as one of the world?s leading offshore financial centres. Fintech businesses, investors and financiers will find a highly developed ecosystem in Bermuda, which benefits from a sophisticated legal system, significant wealth of intellectual capital, regulatory sandboxes, an innovation hub, a significant customer base and a progressive government and regulator seeking to establish Bermuda as a leading jurisdiction for fintech, while maintaining and, in some cases, establishing international standards and best practices that protect investors, customers and other stakeholders.
2. Fintech Business Models and Regulation in General
2.1 Predominant Business Models
Bermuda is currently home to a variety of business models, due to the wide scope of the licensing regime for digital asset businesses, and there is currently no predominant business model. These business models cover a range of industry sectors, including:
- investment funds, fund managers and administrators;
- digital banks;
- payment service providers;
- financial services businesses;
- digital assets and digital asset derivatives exchanges and trading platforms;
- crypto lending and yield platforms;
- innovative insurance companies, managers and intermediaries;
- custodians and custodial wallet providers;
- regtech businesses; and
- companies seeking to raise capital and fund products or services through the issuance of digital assets.
2.2 Regulatory Regime
The DAI Act
The Digital Asset Issuance Act 2020 (the "DAI Act") creates a statutory framework for the authorisation of digital asset issuances by the regulator, the BMA, which has produced the Statement of Principles and Digital Asset Issuance Rules 2020 ("the DAI Rules") to expand upon the requirements under the DAI Act.
Requirements
The DAI Act applies to any person who wishes to conduct an offer to the public to acquire "digital assets" or to enter into an agreement to acquire digital assets at a future date in or from within Bermuda. Such person is required to incorporate a company, limited liability company or partnership and, because the conduct of such an offer to the public is categorised as a "restricted business activity", to seek the consent of the minister of finance of Bermuda prior to launching the offer.
Definition of a "digital asset"
Under the DAI Act, the term "digital asset" is very broadly defined (using the same definition as under DABA). The term covers anything that exists in binary format that comes with the right to use it, and includes a digital representation of value that is:
- used as a medium of exchange, unit of account or store of value and is not legal tender, whether or not determined in legal tender;
- intended to represent assets such as debt and equity in the issuer;
- otherwise intended to represent any assets or rights associated with such assets; or
- intended to provide access to an application, service or product by means of distributed ledger technology.
As such, the DAI Act captures most forms of digital coins, cryptocurrencies, exchange, security, utility and equity token offerings.
Application to the BMA
The application for the authorisation of the BMA must include the following minimum required information:
- a business plan setting out the nature and scale of the digital asset issuance which is to be carried on by the applicant;
- a copy of the issuance documents to be made available to the public;
- particulars of the applicant's arrangements for the management of the offering via the issuance;
- such other information and documents as the BMA may reasonably require for the purpose of determining the application; and
- the relevant application fee.
Offer document
A person conducting a public offer for the acquisition of digital assets will typically be required to publish an offer document and file the same with the BMA. The offer document is usually based on the White Paper with, to the extent not already included, the addition of the information required under the DAI Act, including:
- details of the registered or principal office of the promoter and the officers of the promoter;
- details of all persons involved with such issuances, including the applicant?s directors, chief executives, senior executives, shareholder controllers, promoters, service providers, auditors and other such information;
- disclosure of any legal proceedings;
- the name and nature of the project;
- key features of the product or service to be developed;
- a description of the project and proposed timelines, including any milestones;
- the targeted digital acquirers and jurisdictions (and any restrictions that apply);
- the amount of money intended to be raised;
- a description of the proposed offer, including the timing of opening and closing the offer;
- two-year financial projections;
- details and descriptions of the technologies being used;
- a description of the risks associated with the issuance and any mitigations in place;
- details of the custodial arrangements in place; and
- a description of the data protection and privacy in place.
Exceptions
An offer is not deemed to be made to the public, and consequently the issuer is not required to publish and file an offer document, in the following circumstances:
- an offer which the board considers as not being calculated to result directly or indirectly in the digital assets becoming available to more than 150 persons;
- an offer to "qualified acquirers"; or
- an offer which the board considers as not being calculated to result directly or indirectly in digital assets becoming available to persons other than those whose ordinary course of business involves the acquisition, disposal or holding of digital assets, whether as principals or agents.
Under the DAI Act, a qualified acquirer means:
- a high income private acquirer – namely, an individual who had a personal income in excess of USD200,000, or joint income with their spouse in excess of USD300,000, in each of the two preceding years, and who has a reasonable expectation of reaching the same income level in the year in which they acquire a digital asset;
- a high net worth private acquirer – namely, an individual whose net worth, or joint net worth with their spouse exceeds USD1 million, in the year in which they acquire a digital asset;
- a body corporate or unincorporated association, partnership or trust which has total assets of not less than USD5 million, which are held solely by such entity or held partly by the entity and a member of its group; or
- a body corporate, partnership, limited liability company or trust, all of whose shareholders, members or beneficiaries (as the case may be) fall within the above categories.
AML/ATF Requirements
Companies subject to the DAI Act must comply with the continuing obligations under the proposed DAI Rules. These include having appropriate measures in place relating to the identification and verification of the identity of participants in the offer, in compliance with Bermuda?s applicable anti-money laundering and anti-terrorist financing legislation and regulations (the "AML/ATF Requirements"), record-keeping and an internal audit requirement for compliance purposes.
DABA Regulations
DABA is the statutory licensing framework for digital asset businesses and services to be operated within a regulated environment in Bermuda under the supervision and oversight of the BMA.
DABA regulates the following "digital asset business" activities where they are conducted as a business by any entity in or from within Bermuda (whether or not incorporated or formed in Bermuda):
- issuing, selling or redeeming virtual coins, tokens or any other form of digital asset;
- operating as a payment service-provider business utilising digital assets, which includes the provision of services for the transfer of funds;
- operating as a digital assets exchange;
- carrying on digital asset trust services;
- providing custodial wallet services;
- operating as a digital assets derivative exchange provider; and
- operating as a digital asset services vendor.
The term "digital asset", for the purpose of DABA, has the same meaning as under the DAI Act described above.
BMA licensing
DABA requires any person conducting digital asset business activities in or from within Bermuda (unless specifically exempted) to be licensed by the BMA. There are three classes of licence – a Class F (full) licence, a Class M (modified) licence or a Class T (test) licence.
Class T licence
The Class T licence is designed to operate as a test licence for beta testing to enable businesses to develop a minimum viable product within an initial duration of 12 months or less. It is expected that once the business has successfully achieved the objectives under the Class T licence, it will migrate to a Class M licence, as described below, or potentially to a Class F licence, if the BMA considers this to be appropriate. A Class T licence is particularly suitable for start-ups, as there is a relaxation of the minimum licensing criteria under DABA, such as the removal of the requirement for the business to maintain a head office in Bermuda and a reduction of the required minimum net assets, during the Class T licence period.
Class M licence
The Class M licence is designed to operate as a "regulatory sandbox" from which licensed undertakings will migrate to a full Class F licence once proof of concept has been established or satisfied. It is particularly appropriate for businesses who may not be able to meet all of the minimum licensing criteria and the Class M licence will operate to permit a modification of the specified criteria for a defined period, subject to such restrictions on operations that the BMA considers appropriate in the circumstances.
Class F licence
A Class F licence is a full licence and is not subject to a defined time period, but may also have restrictions placed upon it where the BMA considers this necessary, having regard to the proposed business operations.
Applications for all classes of licence must be accompanied by:
- a detailed business plan;
- details of beneficial owners, directors and officers;
- proposed staffing and financial projections;
- evidence of controls and risk management; and
- a description of the governance framework, including AML/ATF policies and procedures, which must be in place and submitted with the application for consideration by the BMA.
Minimum licensing criteria
The BMA will not issue a licence under DABA unless it is satisfied that the minimum licensing criteria have been met in respect of the applicant (or that it is appropriate to waive or modify the same for a Class T or Class M licence). These criteria are similar to those applicable to other regulated business sectors in Bermuda (eg, insurance, insurance managers, investment funds, fund managers and administrators) and include the following requirements:
- the "controllers" (managing directors, CEOs, shareholder controllers (owning or controlling more than 10%) and persons in accordance with whose instructions or directions the business is accustomed to acting) must be "fit and proper" and full credentials will be required;
- the business must be conducted in a prudent manner (taking into account any failure to comply with the provisions of DABA, AML/ATF Requirements, codes of practice and other rules issued by the BMA under DABA, and international sanctions measures). A business will be deemed not to be conducted in a prudent manner if it does not maintain minimum net assets of USD100,000 (for a Class T licence this is reduced to USD10,000) or such other amount as the BMA considers appropriate, taking into account the nature, size and complexity of the particular business;
- the business must have appropriate insurance and other risk mitigation measures as the BMA approves;
- the business must maintain adequate accounting records, control systems, policies and procedures, and implement appropriate corporate governance measures; and
- the business must be effectively directed by at least two directors and under the oversight of such number of non-executive directors as the BMA considers appropriate given the nature, size and complexity of the business.
Companies licensed under DABA with a Class M or Class F licence must maintain a head office in Bermuda from which the business is effectively directed and managed and, in considering whether this requirement is met, the BMA will take into account factors such as the location and residence of the directors and senior executives, and whether board meetings and strategic decisions (among other things) take place in Bermuda. There is no head office requirement for a Class T licence.
DABA-licensed entities must also demonstrate a comprehensive cybersecurity programme that is commensurate with the nature, size and complexity of the business and a written cybersecurity policy, in each case, that is reviewed and subject to an external audit.
2.3 Compensation Models
DABA-licensed entities are not restricted from charging customers in the manner applicable to their business model. However, DABA-licensed entities are required to comply with the Digital Asset Business (Client Disclosure) Rules 2018 (the "Disclosure Rules"), which require that all material risks associated with their products? services and activities are disclosed to their clients, along with any additional disclosure requirements the BMA determines reasonably necessary for the protection of clients. The Disclosure Rules also provide a list of what information must be provided to the client at the time of entering into any agreement with the DABA-licensed entities, including – but not limited to – the class of licence, description of any voting rights, outline of any insurance cover and a schedule of fees and charges.
2.4 Variations Between the Regulation of Fintech and Legacy Players
The above legislation only covers participants that are offering digital assets to the public for the acquisition of digital assets or conducting digital asset business activities in, or from within, Bermuda.
2.5 Regulatory Sandbox
As noted at 2.2 Regulatory Regime, the concept of a regulatory sandbox is built into DABA, which enables businesses seeking to be innovative and involved in the testing of new products or services utilising digital assets to apply for a Class T licence or a Class M licence, each of which effectively operates as a regulatory sandbox for digital asset businesses.
In addition, the BMA recognises the importance of disruptive innovation in the insurance and wider financial industry and the critical role that innovation plays in promoting efficiency and enhancing competitiveness in these markets. To this end, the BMA has established two parallel innovation tracks.
- An insurance regulatory sandbox to cater to companies that are seeking subsequent licensing as insurance entities or insurance intermediaries under the Insurance Act 1978. The sandbox allows companies to test new technologies and offer innovative products, services and delivery mechanisms to a limited number of policyholders (or other clients) in a controlled environment for a limited period of time. The BMA will review applications for the sandbox and will determine the appropriate legislative and regulatory requirements that should be modified during the period within the sandbox. Companies within the sandbox will be issued a special class of licence (designated with the prefix "I" for "innovative") and may migrate to an existing class once the sandbox has been completed successfully.
- An "Innovation Hub" to promote dialogue between those who desire to work closely with the BMA to receive regulatory guidance on standards and expectations related to innovative insurance solutions. The idea is that the Innovation Hub will also serve as a platform for the exchange of ideas and information, and will be used by companies at an early stage, prior to applying for entry into the insurance regulatory sandbox.
2.6 Jurisdiction of Regulators
The BMA is the sole financial services regulator and controller for foreign exchange control purposes in Bermuda. Where digital assets issuers offer digital assets or make services or products utilising blockchain available in other countries, the applicable regulators in those countries may also have jurisdiction to the extent that such offering products or services are regulated in those other countries.
2.7 Outsourcing of Regulated Functions
DABA contemplates that certain regulated functions may be outsourced to third parties. These include asset management, custodial services, cybersecurity, compliance and internal audit functions required under DABA by third parties. The BMA has published detailed guidance on outsourcing generally, and in the Digital Asset Business Act Code of Practice 2018 specifically, in relation to businesses which are licensed under DABA. The overarching principle is that such action does not relieve the digital asset business from the responsibility to ensure that all requirements of DABA and related legislation (including AML/ATF Requirements) and the Code of Practice are complied with to the same level as if they were performed in-house. The directors of the licensed entity must ensure that there is oversight and clear accountability for all outsourced roles and that the related service agreements include terms on compliance with jurisdictional laws and regulations. Such agreements should not prohibit the BMA?s access to data and records in a timely manner. The BMA will require disclosure of any material outsourcing arrangements. While there is no list of recognised equivalent jurisdictions for the purposes of approving outsourcing arrangements, it would be preferable to outsource to an entity that is regulated by a competent jurisdiction which applies equivalent standards to those applied in Bermuda. For the purposes of meeting AML/ATF Requirements, the outsourced entity must comply with the requirements under Bermuda?s AML/ATF laws and regulations.
2.8 Gatekeeper Liability
Under the DAI Act, a licensed exchange under DABA can apply to become an "accredited digital asset exchange". In applying for this accreditation, the exchange effectively becomes a "gatekeeper" for digital asset issuances. The "accredited digital asset exchange" may authorise digital asset issuances, without the issuer being required to file its issuance documents with the BMA, as otherwise stipulated under the DAI Act.
2.9 Significant Enforcement Actions
The BMA has granted enforcement powers under DABA which include the imposition of civil penalties of up to USD10 million, and the issuance of prohibition orders, public censures and injunctions. The BMA is also able to demand the production of any information required and can restrict or revoke licences where a licensed undertaking is not compliant with DABA and its rules and regulations.
The BMA has issued a number of public notices in respect of entities that have falsely claimed to be licensed by the BMA as an investment business or a digital asset business.
2.10 Implications of Additional, Non-financial Services Regulations
The Personal Information and Protection Act (PIPA)
Digital asset businesses and companies offering digital assets to the public are subject to Bermuda?s laws relating to privacy. The Personal Information and Protection Act 2016 (PIPA) is the principal Bermuda statute regarding the regulation of personal data. Bermuda?s first privacy commissioner took office in January 2020, and it is expected that PIPA will become wholly operative, in a phased implementation, commencing prior to the end of 2023.
Compliance
PIPA applies to every organisation that uses personal information in Bermuda, where that personal information is used wholly or partly by automated means, and for use other than by automated means of personal information which forms, or is intended to form, part of a structured filing system. Since fintech businesses typically use a significant amount of personal information, these businesses will be required to meet the following obligations to be in compliance with PIPA:
- develop measures and policies to give effect to the obligations and to the rights of individuals under PIPA, which takes into account the nature, scope, context and purpose of the use of personal information and the risk to individuals through the use of this personal information by the fintech business;
- designate a privacy officer for the purposes of compliance with PIPA who will have the primary responsibility of communicating with the privacy commissioner;
- develop a clear, prominent and easily understandable and accessible consent mechanism in relation to the use of personal information within the fintech business;
- develop controls to ensure that the fintech business does not use "sensitive" personal information (as described therein) in order to discriminate against any person;
- develop and provide individuals with a clear and accessible privacy notice about its practices and policies with respect to personal information that must include:
- the fact that the personal information is being used;
- the purpose for which the personal information is or might be used;
- the identity and types of individuals or organisations to whom personal information might be disclosed;
- the identity and location of the fintech business, including information on how to contact the entity about its handling of personal information;
- the name of the privacy officer; and
- the choices and means that the fintech business provides to an individual to limit the use of, and to access, rectify, block, erase and destroy an individual?s personal information.
Fintech businesses that are required to comply with PIPA will be required to consider other aspects such as:
- security safeguards;
- maintaining the integrity of the personal information they hold;
- ensuring that the personal information they hold is relevant and not excessive;
- ensuring that there are protocols in place where there is a breach of security; and
- ensuring that they have regard to the statutory regulations relating to the privacy of children?s personal information.
Transfer of personal information to an overseas third party
Once PIPA substantively takes effect, an organisation transferring personal information to an overseas third party, either on behalf of the organisation or for its own business purposes, shall remain responsible for compliance with PIPA in relation to that personal information. This will include an assessment of the level of protection provided by the overseas third party for that personal information, including considering the level of protection afforded by the applicable law in the relevant jurisdiction. It is contemplated by the legislation that the responsible minister, on the advice of the privacy commissioner, may designate any jurisdiction as providing a comparable level of protection. If the fintech business reasonably believes that the protection provided by the overseas third party is comparable to the level of protection required by PIPA, the fintech business may rely on such comparable level of protection while the personal information is being used by the overseas third party. The "equivalent jurisdiction" may be evidenced by the third party?s adoption of a certification mechanism recognised by the privacy commissioner. However, if the organisation is not satisfied that the level of protection provided by the overseas third party is comparable to the level of protection required by PIPA, the organisation must employ contractual mechanisms and corporate codes of conduct, including binding corporate rules or other means, to ensure that the overseas third party provides a comparable level of protection.
An organisation is not, however, required to comply with these rules if:
- the transfer of personal information to an overseas third party is necessary for the establishment, exercise or defence of legal rights; or
- following the assessment of the organisation, the transfer is reasonably considered to be small scale, occasional and unlikely to prejudice the rights of an individual.
Business transactions
Where a fintech business is party to a "business transaction", which is a transaction consisting of the purchase, sale, lease, merger or amalgamation or any other type of acquisition, or the disposal of, or the taking of a security interest in respect of, any organisation or portion of an organisation or any business or activity or business asset of an organisation, and including a prospective transaction of such nature, fintech businesses during the period leading up to and including the completion of the business transaction, may use personal information about a person without? the consent of the person provided that certain conditions are satisfied. However, this does not apply to a business transaction where the primary purpose, objective or result of the transaction is the purchase, sale, lease, transfer, disposal, or disclosure of personal information.
Bermuda companies may also be subject to the privacy laws of other jurisdictions to the extent that they have extraterritorial effect (including the GDPR).
AML/ATF Requirements
Licensed undertakings under DABA will be regarded as "regulated financial institutions" for the purposes of the AML/ATF Requirements and are required to comply with all applicable Bermuda legislation along with other "regulated financial institutions". This may mean that fintech businesses which require a licence under DABA are subject to more stringent AML/ATF Requirements than other fintech businesses which do not. Banks, long-term life insurance companies, investment funds and fund administrators are also "regulated financial institutions" for the purposes of the AML/ATF Requirements. The BMA has issued detailed sector-specific guidance for digital asset businesses which are regulated financial institutions, requiring them to adopt a risk-based approach to obtaining adequate due diligence on and verifying the identity of their clients, and requiring ongoing monitoring and reporting of any suspicious activities.
Companies which are conducting public offers of digital assets are also required to identify and verify participants in the offer and to comply with the AML/ATF Requirements set out in the proposed DAI Rules. If a company is unable to comply with such AML/ATF Requirements, it is prohibited from opening an account or issuing a digital asset to such person and must terminate the business relationship. Such requirements do not apply to a company which is offering shares to the public, unless that company is a regulated financial institution in terms of the AML/ATF Requirements.
Cybersecurity
The DAI Act and DABA contain detailed cybersecurity requirements. The BMA has issued Cybersecurity Rules which apply to licensed undertakings and require a comprehensive cybersecurity programme and an annual external audit.
2.11 Review of Industry Participants by Parties Other than Regulators
Bermuda-licensed banks and service providers to the financial services sector are keenly reviewing the environment and their own ability to provide services to Bermuda?s fintech businesses.
Auditing Firms
Bermuda?s auditing firms (particularly the Big Four present in Bermuda and Grant Thornton which was established in the jurisdiction in 2022) are cognisant of the requirement for audited financial statements under DABA (for Class M or F licence holders) to determine how they can service this need, given the absence of international accounting standards applicable to this sector. In addition, many Bermuda-licensed digital assets businesses have engaged overseas audit firms to carry out external audits, which is acceptable to the BMA.
Banks and Lending Institutions
The Banks and Deposit Companies Amendment Act 2018 (the "Banks Act") was enacted by the Bermuda government to remove an impediment to the ability of banks and lending institutions to service the fintech sector, given the initial reticence of Bermuda?s incumbent banks to provide banking services to the sector. The amendments permit the issue of restricted banking licences to banks wishing to provide services to fintech businesses that do not require the establishment of a retail business on the island. However, some of the incumbent banks have since revised their stance and are servicing fintech businesses in Bermuda. Furthermore, certain US banks which are active in the fintech space are willing to provide a full range of banking services to Bermuda-licensed fintech businesses. In June 2022, the BMA issued Jewel bank, a digital asset bank, a full banking and digital assets business licence, and was the first new bank established in Bermuda in over 20 years. Jewel will offer a full range of digital asset customised services and is expecting to be operational during 2023.
Other Digital Asset Service Vendors
A significant number of custodians and other digital asset service vendors, including those seeking to assist fintech businesses in satisfying the AML/ATF Requirements, are seeking to take advantage of the growing fintech sector in Bermuda, including a Bermuda-based global fund administrator which has received a Class T licence to enable it to service tokenised funds.
2.12 Conjunction of Unregulated and Regulated Products and Services
As a result of the wide scope of the DAI Act and DABA and, in particular, the definition of "digital assets" for the purposes of this legislation, it is anticipated that most companies seeking to conduct public digital asset offerings or conducting digital asset business activities utilising blockchain, will fall within this scope. Those that do not (because they are conducting their activities solely for the purpose of their own business operations or those of a subsidiary, or because they fall within one of the other specified exemptions) will not be caught under the DAI Act or DABA regime.
2.13 Impact of AML Rules
As outlined at 2.10 Implications of Additional, Non-financial Services Regulations, any licensed undertakings under DABA will be regarded as "regulated financial institutions" for the purposes of the AML/ATF Requirements and are required to comply with all applicable Bermuda legislation along with other "regulated financial institutions", which in Bermuda includes banks, long-term life insurance companies, insurance intermediaries, investment funds, money service businesses, corporate service providers, and fund administrators. Any businesses out of DABA's scope that are unregulated are not regarded as "regulated financial institutions" and consequently do not need to comply with Bermuda?s AML/ATF Requirements.
A fintech company that is unregulated and is conducting public offers of digital assets is also required to identify and verify participants in the offer and to comply with the AML/ATF Requirements set out in the proposed DAI Rules.
3. Robo-advisers
3.1 Requirement for Different Business Models
There are no discrepancies between different types of digital asset classes under DABA, as outlined under 2.2 Regulatory Regime.
In addition, any person who carries on investment business in or from Bermuda is required to be licensed under the Investment Business Act 2003, as amended (IBA), unless an exemption is available. Under the IBA, investment activities include, but are not limited to, dealing, arranging, managing and providing investment advice. "Investments" under the IBA are wide in scope and include assets ranging from shares and debentures to options and futures. The IBA does not distinguish between certain asset classes – if the activity and asset are captured under the scope of the IBA, then a licence must be applied for, unless an exemption is available.
3.2 Legacy Players' Implementation of Solutions Introduced by Robo-advisers
In Bermuda?s current fintech environment, a number of legacy players are actively considering the use of robo-advisers, including in the banking, operational and government sectors.
3.3 Issues Relating to Best Execution of Customer Trades
For any investment provider licensed under the IBA, the BMA has drafted the Investment Business Code of Conduct to provide guidance for best execution. The Code of Conduct recommends that an investment provider should not transact business for a client on worse terms than it would expect to obtain for itself, subject to certain allowances that are set out in the Code of Conduct.
No specific guidance has so far been published by the BMA for a DABA-licensed entity to adhere to for best execution. However, the BMA will consider any methodology that is applied by any exchange and/or trading platform for settlement when reviewing a DABA application and as part of its ongoing supervision of the entity.
4. Online Lenders
4.1 Differences in the Business or Regulation of Loans Provided to Different Entities
Any person who wishes to provide banking or deposit-taking services in or from within Bermuda is required to hold a licence under the Banks Act.
As noted in 2.11 Review of Industry Participants by Parties Other than Regulators, the Bermuda government has enacted legislation creating a new restricted banking licence. The restricted banking licence allows applicants outside the jurisdiction to become licensed under the Banks Act to provide banking services in Bermuda to digital asset businesses, without the requirement for a retail presence in Bermuda.
With ongoing regulatory uncertainty onshore, digital assets brokers and platforms offering crypto-lending or yield-generating products are seeking to take advantage of the legal certainty offered under DABA. Such activities are currently licensable as a digital assets business activity under the category of digital asset service vendor but it is anticipated that changes to DABA will be implemented during 2023 to include a specific digital assets business activity related to crypto borrowing and lending.
4.2 Underwriting Processes
There are no additional regulations for industry participants other than those provided under the Banks Act and the associated regulations and guidance. Entities that are conducting crypto lending will be required to provide details of their credit risk management framework and controls.
4.3 Sources of Funds for Loans
Under Bermuda law, and subject to compliance with anti-money laundering and anti-terrorist financing requirements, as well as international screening for sanctioned individuals and entities, the legal and regulatory landscape does not distinguish between the sources of funds for loans.
4.4 Syndication of Loans
The on-sale or syndication of a loan and the sale of one or more participations in a loan to a Bermuda company are fairly common. Most sales, syndications or participations are governed by the same law as that of the underlying loan agreement, which would not typically be Bermuda law.
5. Payment Processors
5.1 Payment Processors' Use of Payment Rails
There is no legal requirement under Bermuda law for payment processors to use existing payment rails. To the extent that payment processors utilise digital assets, the person may require a licence under DABA.
If the payment processor provides money services or any of the following "money service business activities" to the general public in Bermuda (excluding any entity licensed under the Banks Act) then (unless exempted) it will require a licence to do so from the BMA under the Money Service Business Act 2016:
- money transmission services;
- cashing cheques which are made payable to customers, and guaranteeing cheques;
- issuing, selling or redeeming drafts, money orders or traveller's cheques for cash;
- payment service business; or
- operating a bureau de change where cash in one currency is exchanged for cash in another currency.
5.2 Regulation of Cross-Border Payments and Remittances
There is no additional regulation for cross-border payments and remittances, other than DABA and the requirements under the Money Services Business Act 2016 and the associated regulations and guidance, outlined in 5.1 Payment Processors? Use of Payment Rails.
6. Fund Administrators
6.1 Regulation of Fund Administrators
All fund administrators who conduct business in or from Bermuda are required to be licensed by the BMA in accordance with the Fund Administration Provider Business Act 2019 (the "Fund Administration Act"). Under the Fund Administration Act, a fund administrator is any person who provides one or more of the following services to an investment fund:
- applying the subscription monies received by a fund in accordance with its constitution and its prospectus;
- processing the issue, conversion and redemption of units of a fund;
- applying the income of a fund in accordance with its constitution and its prospectus;
- calculating the net asset value of the units, and their issue, conversion and redemption price;
- maintaining the accounts of a fund;
- distributing to the participants of a fund all dividends or other distributions which may from time to time be declared and paid by it on units in a fund; and
- any other services or activities that the minister of finance, acting on the advice of the BMA, may specify by notice in the Gazette.
6.2 Contractual Terms
It is customary for funds and their advisers to require contractual commitments from the fund administrator, including in relation to:
- compliance with AML/ATF Requirements;
- the implementation of effective internal controls to support services; and
- the requirement at all times to exercise due care and diligence?and to act in good faith in the performance of services under its agreement.
Such terms are not dictated by regulation but rather, contractual negotiation and market practice. The BMA has issued the Code of Conduct for Fund Administrators in connection with the manner according to which licensed undertakings should carry on fund administration provider business, including the duties, requirements and standards to be complied with, and the procedures (whether as to client identification, record-keeping, internal reporting and training, or otherwise) and sound principles to be observed by persons carrying on the business of fund administration.
7. Marketplaces, Exchanges and Trading Platforms
7.1 Permissible Trading Platforms
Digital Assets Exchange and Digital Assets Derivative Exchange
The operation of a digital assets exchange or a digital assets derivative exchange requires a licence under DABA.
Under DABA, "digital assets exchange" means a centralised or decentralised electronic marketplace used for digital asset issuances, distributions, conversions and trades, including primary and secondary distributions with or without payment; provided that digital asset conversions and trades may also be entered into by the electronic marketplace as principal or agent.
A "digital assets derivative exchange" is a centralised or decentralised electronic marketplace used for digital asset derivatives issuances, distributions, conversions and trades, including primary and secondary distributions with or without payment; provided that digital asset derivatives trades may also be entered into by the electronic marketplace as principal or agent.
Digital asset derivatives as defined under DABA include contracts for differences, options, swaps and future contracts based on a digital assets underlying interest.
Digital Asset Benchmark Administrator
In addition to trading platforms, a DABA licence may be required if a person is acting as a "digital asset benchmark administrator". This is a person with control over the provision of a "digital asset benchmark", which includes any rate, index or figure made available to the public, or published, that is periodically or regularly determined by the application of a formula to, or on the basis of the value of one or more underlying assets or prices, by reference to which the amount payable under a digital asset, or the value of a digital asset, is determined.
Bermuda Stock Exchange
With respect to the trading of securities, the Bermuda Stock Exchange (BSX) is one of the world?s pre-eminent fully electronic, offshore securities exchanges, offering a variety of domestic and international listing services for debt and equity securities. The BSX?s trading, settlement and depositary platform is licensed by NASDAQ OMX and is specifically designed to support the secondary market trading and settlement of both equity and fixed income securities. With the launch of Hashdex Nasdaq Crypto Index ETF, the BSX approved the listing of one of the first digital assets ETFs and it is anticipated that further opportunities will arise to list debt instruments and funds within the fintech space on the BSX.
7.2 Regulation of Different Asset Classes
See 7.1 Permissible Trading Platforms.
7.3 Impact of the Emergence of Cryptocurrency Exchanges
The emergence of cryptocurrency exchanges has resulted in the Bermuda government establishing DABA and the licensing regime in Bermuda. All cryptocurrency exchanges fall under the scope of a "digital assets exchange" and are required to be licensed in Bermuda in accordance with DABA, as described in 2.2 Regulatory Regime.
7.4 Listing Standards
At this point, the BMA has not stipulated any listing standards for the purposes of digital assets exchanges and digital assets derivatives exchanges licensed under DABA and such exchanges are free to determine their own standards in accordance with industry norms. Such listing standards will be subject to approval by the BMA, including where the exchange seeks to be an accredited digital assets exchange for the purpose of the DAI.
Issuers of securities listed on the BSX will be required to comply with the applicable sections of the BSX?s Listing Regulations, which are available on the BSX?s website at www.bsx.com.
7.5 Order-Handling Rules
See 7.4 Listing Standards.
7.6 Rise of Peer-to-Peer Trading Platforms
Peer-to-peer trading platforms may be captured under DABA but only to the extent that the trading is conducted as a business in Bermuda available to the public and amounts to operating a digital assets exchange or digital assets derivative exchange, as noted in 7.1 Permissible Trading Platforms, in which case, they would be required to meet the same regulatory standards as such an exchange.
7.7 Issues Relating to Best Execution of Customer Trades
See 3.3 Issues Relating to Best Execution of Customer Trades and 7.4 Listing Standards.
7.8 Rules of Payment for Order Flow
See 7.4 Listing Standards.
7.9 Market Integrity Principles
Businesses that are regulated under DABA are required to comply with the Disclosure Rules, Digital Asset Custody Code of Practice 2019, and the Code of Practice, which contain elements of ethical guidelines and a requirement to act prudently. While there are no specific market-abuse restrictions, the BMA will review and monitor the practices of any proposed business at the time of the licensing application and subsequently, and in the event of undesirable or unethical market practices or behaviour, may consider that a business is not conducting business in a prudent manner and is therefore in breach of DABA.
8. High-Frequency and Algorithmic Trading
8.1 Creation and Usage Regulations
There are no separate regulations applicable solely to creation and use, and creation and use of digital assets for the purposes of high-frequency and algorithmic trading would be captured under the DABA licensing regime or the IBA (to the extent applicable).
8.2 Requirement to Register as Market Makers When Functioning in a Principal Capacity
Market-making activities are specifically caught by DABA under the definition of "digital asset service vendors" and a licence is required to conduct such activities in or from within Bermuda. For the purposes of DABA, a market maker is someone who, under an agreement as part of its business, conducts the business of trading in digital assets, including:
- quoting buy-and-sell prices in furtherance of profit or gain on the bid offer spread;
- fulfilling orders initiated by clients or in response to clients' requests to trade; or
- hedging positions arising from fulfilment of tasks under either of the above.
Where the person is trading in a purely principal capacity, such as proprietary traders, it is possible that they would not fall within the definition of market maker under DABA. Careful scrutiny of any arrangements between such person and the trading platforms or exchanges is required in each case to confirm this position.
8.3 Regulatory Distinction Between Funds and Dealers
DABA does not make a distinction between funds and dealers engaged in these activities. However, an investment fund is not usually caught under DABA, provided it does not conduct any of the digital asset business activities, and would be subject to regulation under the Investment Funds Act 2006, as amended (IFA) rather than DABA. An entity that is a licensed DAB undertaking is specifically excluded from the definition of investment fund for the purposes of the IFA. It is possible for a dealer in digital assets to require a licence under DABA as well as a licence under the IBA, but in such cases the BMA would permit a dual application and would make every effort to streamline the application process.
8.4 Regulation of Programmers and Programming
There is no regulation for programmers or developers who create trading algorithms and other electronic trading tools, as long as such services are not being offered directly to the public as part of a business.
9. Financial Research Platforms
9.1 Registration
There is no requirement for registration in Bermuda.
9.2 Regulation of Unverified Information
Unverified information is not currently directly regulated in Bermuda, although the BMA will monitor this and, if applicable, take action against exchanges that engage in activities that amount to market manipulation, on the basis that they would not thereby be carrying on business in a prudent manner.
9.3 Conversation Curation
See 9.2 Regulation of Unverified Information.
10. Insurtech
10.1 Underwriting Processes
There are no required underwriting processes specifically applicable to the insurtech sector in Bermuda. In practice, such processes would probably be dictated by the requirements of the existing insurance companies who are most likely to utilise the products, services and delivery channels offered by this sector. Bermuda (re)insurers are currently exercising caution and are largely engaged in purchasing or investing in insurtech products and apps for implementation into their existing underwriting platforms.
10.2 Treatment of Different Types of Insurance
The Insurance Act 1978, as amended, governs the various (re)insurance sectors. Long-term insurance is treated somewhat differently by industry participants and the BMA, in so far as it is subject to specific regulations, including (among other things) relating to the maintenance and segregation of assets for the protection of policyholders.
Ultimately, it is the obligation of CEOs and chief underwriting officers to decide the blend of business that they will underwrite, and ensure that they are licensed appropriately.
11. Regtech
11.1 Regulation of Regtech Providers
To the extent that a regtech business is conducting a digital assets business activity in and from within Bermuda, it will require a licence under DABA.
11.2 Contractual Terms to Assure Performance and Accuracy
There are currently no specific regulations in place for the regtech sector, and contractual terms would be subject to negotiation and market practice. This sector is still emerging in Bermuda and market practice is more likely to be based on international industry norms, rather than Bermuda-specific terms.
12. Blockchain
12.1 Use of Blockchain in the Financial Services Industry
In Bermuda?s current fintech environment, a number of legacy players are actively considering the use of blockchain, including in the insurance, funds, banking, operational and government sectors.
12.2 Local Regulators' Approach to Blockchain
See 2. Fintech Business Models and Regulation in General.
12.3 Classification of Blockchain Assets
See 2. Fintech Business Models and Regulation in General.
12.4 Regulation of "Issuers" of Blockchain Assets
See 2. Fintech Business Models and Regulation in General concerning the DAI Act and DAI Rules.
12.5 Regulation of Blockchain Asset Trading Platforms
To the extent that such trading platforms are being operated by an entity as a digital assets business offered to the public and meet the definition of digital assets exchange or digital assets derivative exchange under DABA, they will require a licence from the BMA. DABA-licensed businesses that wish to utilise third-party software and trading platforms for the purpose of conducting initial digital assets offerings or for secondary trading of digital assets are permitted to do so, but the DABA-licensed entity will need to comply with the BMA?s rules relating to outsourcing arrangements. Peer-to-peer trading is not specifically regulated unless such trading is conducted as a business available to the public and amounts to operating a digital assets exchange or digital assets derivative exchange, as noted in 7.1 Permissible Trading Platforms.
12.6 Regulation of Funds
Funds that fall within the definition of "investment funds" are regulated under the IFA, and it does not matter if the underlying investments are digital assets or other types of assets for the purpose of the IFA. If the fund wishes to conduct an issuance of digital assets to enable subscribers to subscribe other than in fiat, it will be able to do so, subject to compliance (if applicable) with the DAI Act. To the extent that the offer is not being made to the public (such as in a private character offering), such offer will be exempt from the requirements under the DAI Act.
12.7 Virtual Currencies
Virtual currencies are caught within the definition of "digital assets" for the purpose of the DAI Act and DABA, and are regulated accordingly.
12.8 Impact of Regulation on "DeFi" Platforms
Depending on what type of services are being provided to the public, DeFi platforms could fall under the scope of DABA as one of the following:
- a digital assets exchange;
- a digital assets derivative exchange provider; or
- a digital asset services vendor.
If they fall under one of these definitions and offer services to the public, then such activities would be regulated under DABA.
However, the activity of merely developing software technology is unlikely to fall under any regulations and a number of such developers are looking to establish in Bermuda the use of a company limited by guarantee structure whereby the company does not have shareholders, but rather members limited by guarantee, and is restricted from making a distribution to its members in order to develop DeFi blockchain protocols.
12.9 Non-fungible Tokens (NFTs)
As previously outlined, the definition of "digital assets" under DABA is very wide and covers anything that exists in binary format, that comes with the right to use it, and includes a digital representation of value that is:
- used as a medium of exchange, unit of account or store of value and is not legal tender, whether or not determined in legal tender;
- intended to represent assets such as debt and equity in the issuer;
- otherwise intended to represent any assets or rights associated with such assets; or
- intended to provide access to an application, service or product by means of distributed ledger technology.
As NFTs are included in the definition of "digital assets", it depends on the type of services being provided to the public (ie, an NFT or an NFT platform) as to whether such activities are captured under DABA as one of the following:
- issuing, selling or redeeming virtual coins, tokens or any other form of digital assets;
- a digital assets exchange; or
- a digital assets derivative exchange provider.
If they fall under one of these definitions and offer services to the public, then such activities would be regulated under DABA.
13. Open Banking
13.1 Regulation of Open Banking
There is no restriction under Bermuda law on open banking specifically. As outlined in 2.11 Review of Industry Participants by Parties Other than Regulators, the licensing requirements of the Banks Act are applicable if such activities are being conducted in or from within Bermuda.
13.2 Concerns Raised by Open Banking
This is not applicable in Bermuda.
Originally Published by Chambers and Partners Fintech Practice Guide 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.