Bermuda has a long-standing reputation for conservative and effective supervision and regulation in the financial services sector and currently operates one of the largest (re)insurance markets in the world. The approach of the financial services sector's regulatory authority, the Bermuda Monetary Authority (the "BMA"), and the Bermuda Government has historically been to collaborate with industry to actively foster innovation within the regulatory environment.
The Bermuda Government is now well underway in implementing its strategy, announced in November 2017, to embrace blockchain technology and digital currencies, with a view to leveraging the island's significant expertise in regulatory management and introducing pioneering legislation designed to create regulatory certainty, investor confidence and compliance with international standards.
The Digital Assets Business Act 2018 ("DABA") became operative with effect from 10 September 2018, creating a legislative framework for digital asset business and services to be operated within a regulated environment in or from within Bermuda.
Scope of DABA
DABA regulates the following 'digital asset business' activities where they are conducted by any entity in or from within Bermuda (whether or not incorporated or formed in Bermuda):
- issuing, selling or redeeming virtual coins, tokens or any other form of digital asset
- payment service provider business utilising digital assets
- operating an electronic exchange whereby digital assets of any type are exchanged for cash or other digital assets
- provision of digital assets custodial wallet services
- digital asset services vendors
The term 'digital asset' is widely defined and covers anything which exists in binary form and comes with the right to use it and includes a digital representation of value. It captures digital coins, security, equity or utility tokens and anything intended to provide access to an application, product or service by means of distributed ledger technology.
Two Tiered Licensing Regime
DABA requires any person conducting a digital asset business in or from within Bermuda (unless exempted) to be licensed by the BMA. There are two classes of licence: Class F, a full licence and Class M, a defined period licence.
The Class M licence is designed to be a regulatory "sandbox" for start-up businesses, with a particular focus on those businesses whose desire is to be innovative and involved in the testing of new products and/or services. Such Class M licences may have modified requirements and certain restrictions that are implemented by the BMA. The BMA will also have the authority to award a Class M licence, regardless of the licence applied for, if the regulator deems this licence more appropriate in the circumstances. A Class M licence is only valid for a specified period of time; after expiration of such time period the licensee can either cease to conduct business, make an application for extension or transition to a Class F licence.
A Class F Licence is a full licence and is not restricted to a specific time period, but may be subject to restrictions, if deemed necessary by the BMA.
Applications for licences must be accompanied by the business plan, management arrangements, policies and procedures which will be in place to cover all of the ongoing requirements of DABA, including details of AML/ATF policies (further details of which can be provided by a member of our team).
The BMA will not issue a licence unless it is satisfied that the 'minimum criteria' set out in Schedule 1 to DABA have been met with respect to the applicant. These criteria are similar to those applied in respect of other regulated entities in Bermuda (such as insurance, insurance manager, investment business and fund management entities) and include the following requirements:
- the 'controllers' (managing directors, CEOs, shareholder controllers (owning or controlling more than 10%) and persons in accordance with whose instructions or directions the applicant is accustomed to acting (shadow directors)) must be 'fit and proper';
- the business must be conducted in a prudent manner (taking into account any failure to comply with the provisions of DABA, AML/ATF requirements, Codes of Practice issued by the BMA and international sanctions measures), including a requirement for the maintenance of minimum net assets of $100,000 or such other amount as the BMA may direct taking into account the nature, size and complexity of the licensed undertaking;
- the business must have in place appropriate insurance to cover inherent risks or such other risk mitigation measures as the BMA may approve;
- maintenance of adequate accounting records, control systems and policies and procedures and implementation of appropriate corporate governance policies;
- the business of the licensed undertaking must be effectively directed by at least two directors and under the oversight of such number of non-executive directors as the BMA considers appropriate given the nature, size, complexity and risk profile of the licensed undertaking;
- the position of the licensed undertaking within the structure of any group to which it may belong should be such that it will not obstruct the conduct of effective consolidated supervision.
Any undertaking that is licensed in Bermuda for the purpose of conducting digital assets business ("licensed undertaking") is required to maintain a head office in Bermuda from where it will be directed and managed. When deciding if the 'head office requirement' has been met, the BMA shall consider factors including where senior executives are present, where meetings of the board of directors are held and where operational decisions are being made.
Internal Management Controls
In accordance with DABA, a licensed undertaking must ensure that any assets belonging to its clients are held separately from its own assets. Licensed undertakings may allow clients' funds to be commingled in an account separate from their own; however, accounts must be administered to accurately allocate each holding to the respective clients.
A licensed undertaking must also demonstrate a comprehensive cybersecurity program that is commensurate to the nature, scale and complexity of its business and will be expected to have a written cyber security policy which is reviewed at least annually. An external audit of its cybersecurity program must also be conducted on an annual basis.
Anti-Money Laundering and Anti-Terrorist Financing
Licensed undertakings will become regulated financial institutions for the purposes of Bermuda's anti-money laundering and anti-terrorist financing legislation and will be required to comply with such legislation. The BMA has recently issued sector-specific guidance on AML/ATF applicable to digital asset businesses, which requires the licensed undertaking to apply a risk-based approach to obtaining adequate due diligence on and verifying the identity of its clients and to conduct ongoing monitoring and report any suspicious activity. We can provide further guidance on the application of these requirements to your business.
Enforcement of DABA
The BMA are granted enforcement powers under DABA to impose civil penalties of up to $10,000,000, issue prohibition orders, public censures and injunctions. In addition, the BMA have the ability to demand production of any information or documents they so require and can restrict and revoke licences where there is any non-compliance with the regime.
Code of Practice and Statement of Principles etc
The BMA has published the following pursuant to DABA, further details of which can be provided by any member of our team.
- Code of Practice - providing guidance on the duties, requirements, procedures, standards and sound principles to be observed by digital asset businesses including with respect to proportionality, corporate governance, board oversight and the responsibilities of the chief and senior executives, the risk management framework and internal systems and controls.
- Statement of Principles - relating to the BMA's interpretation of the minimum criteria for licensing and its approach to supervision.
- Cybersecurity Rules - requiring the filing of an annual cybersecurity report written by the senior executive appointed by the licensed undertaking to oversee and implement its cybersecurity programme and an independent audit of such programme confirming that it is suitably designed and operating effectively to meet the requirements of the Cybersecurity Rules.
- Application Process - information concerning the process for application for a licence under DABA.