Updates on Regulation of the Investment Business Act 2003

The BMA has issued a number of consultation papers with suggested enhancements to the investment business regime in Bermuda. These changes will see significant amendments to the legislation, codes of conduct, rules and statement of principles and are expected to be effective in the latter half of 2022. At a high level, the amendments will require that entities either register as a Class A, Class B or Non Registrable Person and will require any entity that is incorporated or formed in Bermuda that is carrying on investment business activities to be licensed by the BMA, regardless of whether the entity is carrying on the investment business activities from a place of business, where it employs staff and pays salaries. Also proposed is a new sandbox license for investment business related innovation, which will be introduced in the form of Class T and Class F license categories. Certain license classes will also be required to appoint a Senior Representative.

Continued updates to digital asset regulatory framework

As a leading fintech and digital assets sector jurisdiction, Bermuda continues to enhance its regulatory framework in connection with digital assets. The BMA continue to ensure that the digital asset legislative framework is fit for purpose and keeps pace with the digital asset business environment, which continues to evolve rapidly. Proposed changes to the Digital Asset Business Act 2018 seek to provide further clarity to applicants and to facilitate more effective administration of the legislative framework.

Personal Information Protection Act 2016

The Bermuda Privacy Commissioner has appointed an Assistant Commissioner of Operations, as well as an Assistant Commissioner of Policy and Engagement, and has been active in developing guidance notes and training platforms to assist organisations in Bermuda to meet their obligations under the Personal Information Protection Act 2016 ("PIPA"). There is still no confirmed date for the substantive provisions of PIPA to be operative; however, we anticipate PIPA to be introduced by the end of 2022 with a phased approach for entities to be compliant. We recommend that organisations in Bermuda review their current handling of personal information now and ensure that they are ready to satisfy the obligations of PIPA when it comes into force.

Regulatory trends in Bermuda's AML regime

The BMA issued a series of consultation papers on proposed enhancements to the general guidance notes and sector specific guidance notes for anti-money laundering and anti-terrorist financing purposes (the "AML Guidance Notes"). The proposed changes to the AML Guidance Notes do not propose any material changes that would affect the operations of a regulated financial institution; however, there are enhancements that regulated financial institutions should be aware of, such as who the BMA will regard as 'fit and proper' to conduct the statutory independent audit.

As a result of a change to the definition of 'occasional transaction', digital asset businesses are now required to conduct customer due diligence on single transactions or a series of linked transactions where the threshold of such transactions meets USD1,000. This brings Bermuda fully into compliance with the FATF requirements and maintains Bermuda's reputation as a reputable jurisdiction.

The BMA continue to conduct on-sites of regulated financial institutions and issue enforcement actions, which has resulted in a significant increase in independent audit instructions as well as legal and regulatory advice, to ensure that on an ongoing basis, regulated financial institutions are operating within the laws and regulations of Bermuda.

Introduction of cyber reporting requirements

All financial sectors licensed, registered and supervised by the BMA are required to comply with the Operational Cyber Risk Management Code of Conduct, which was first implemented for registered insurers and insurance intermediaries. There is also the requirement to report to the BMA any 'cyber reporting events' that are suffered by a Bermuda regulated entity or where a Bermuda entity is implicated in a 'cyber reporting event' of its global operations. As a result of these new requirements, there has been a significant increase in the number of instructions in relation to legal and regulatory reviews of cyber and information security policies and procedures as well as assisting entities with reporting to the BMA, where necessary.

This article is taken from the Bermuda Insights: Trends and Opportunities 2022 white paper, available here:

Bermuda Trends 2022
