Fintech 2024

Last Updated March 21, 2024

Bermuda

Law and Practice

Authors



Carey Olsen is a leading offshore law firm advising financial institutions, corporations and private clients on Bermuda, British Virgin Islands, Cayman Islands, Guernsey and Jersey law from a network of nine international offices. Carey Olsen works alongside all of the major onshore law firms, accountancy firms and insolvency practitioners on corporate transactions and matters involving these jurisdictions. The firm is at the forefront of offshore regulatory and commercial advice, with the expertise to provide innovative solutions in relation to the technology used to support or enable banking and financial services and deal with regulatory and compliance requirements effectively and efficiently. Carey Olsen has excellent relationships with the regulators in the jurisdictions in which the firm operates. The team advises on the regulation of token sales and other digital asset-related transactions, the regulation of fintech businesses, company incorporations (including advising on the benefits of offshore jurisdictions), shareholder agreements, mining and pool agreements, joint venture agreements, money exchange regulation, fintech, blockchain and cryptocurrency-related taxation and disputes.

Since the introduction of the Digital Asset Business Act 2018 (DABA) and ancillary regulations related thereto (the “DAB Regime”), Bermuda has become a recognised global leader in the regulation of the fintech sector. The Bermuda government forged one of the world’s first comprehensive regulatory frameworks specifically designed to provide legal and regulatory certainty to industry participants while ensuring that business in the fintech sector is conducted in accordance with recognised international standards and best practice.

Bermuda’s legal and regulatory fintech framework is founded on two key statutes. The DABA introduced the DAB Regime for businesses conducting “digital asset business” and the Digital Asset Issuance Act 2020 (DAIA) established a regime (the “DAI Regime”) to regulate initial coin or token offerings (“digital asset issuances”) (collectively, the “Digital Asset Regimes”).

The DABA introduced the world’s first statutory definition of “digital assets” (see below), which encompassed all types of digital coins, tokens and assets, without differentiation. This provided a consistent and reliable interpretation of what amounted to conducting digital asset business as a regulated activity in and from Bermuda.

Bermuda also established one of the world’s first digital asset business bank licensing regimes that provides for a banking licence to be issued to persons seeking to provide traditional banking services to the digital asset sector and, when conjoined with a licence issued under the DABA, the legal and regulatory ability to on- and off-ramp between fiat and digital assets.

Since the Digital Asset Regimes were introduced, the Bermuda Monetary Authority (BMA) ‒ Bermuda’s sole financial services regulator ‒ has continued to enhance and update applicable rules, regulations, codes of practice, statements of principles, and guidance to extend the scope of both Digital Asset Regimes.

To promote innovation in the insurance sector, the Bermuda government introduced an insurance regulatory sandbox, which allows start-up innovators to experiment in a regulated but smaller-scale environment. In 2023, the concept and scope of a regulatory sandbox was broadened to encompass investment business, thereby promoting the offering of innovative products and testing of new technologies and delivery methods in the traditional financial sectors.

The Bermuda government has also announced its intention to launch a blockchain-based stimulus token for use in Bermuda’s retail market, which will be a Bermuda dollar-backed stablecoin using technology developed by a Bermuda business regulated under the DABA. The government has also been working on numerous other technology projects to further enhance the island’s digital infrastructure, including:

  • the development of a digital ID system that meets internationally recognised standards of both privacy and AML/CTF regulation; and
  • the introduction of submarine-cabling legislation to protect both the environment surrounding the island and the submarine cables themselves, which are the critical hardware infrastructure that supports the digital asset sector.

Bermuda has strived to grow a collaborative business and regulatory culture that involves industry and government working together to create opportunities and commercial success, with a truly independent, actively engaged and globally recognised regulator maintaining the balance between the promotion of innovation and adherence to worldwide standards of regulation, compliance and good corporate governance.

The extensive scope and flexibility of the Bermuda licensing regime supports a wide range of business models. This creates diversity and choice for industry across a range of industry sectors, including:

  • digital asset payment service providers;
  • digital assets and digital asset derivatives exchanges and trading platforms;
  • digital asset trust service providers;
  • custodians and custodial wallet providers;
  • digital asset vendors (including market makers);
  • digital asset lending or repurchase transaction service providers;
  • investment funds, fund managers and administrators;
  • digital asset banks;
  • digital asset issuers; and
  • innovative insurers and insurance intermediaries (such as marketplace providers or managers).

DABA

Regulated activity

The DABA imposes a licensing requirement on any person carrying on a digital asset business. It sets out the criteria a person must meet to obtain a licence, as well as applicable continuing obligations and the supervisory and enforcement powers of the BMA.

The DABA applies to any entity incorporated or formed in Bermuda that carries on a digital asset business. It also applies to any entity incorporated or formed outside Bermuda that carries on a digital asset business in or from within Bermuda.

The term “digital asset” is defined in the DABA (and has the same meaning for the purpose of the DAIA) as “anything that exists in binary form and comes with the right to use it, and includes a digital representation of value that is: 

  • used as a medium of exchange, unit of account, or store of value and is not a legal tender, whether or not denominated in legal tender;
  • intended to represent assets such as debt or equity in the promoter;
  • otherwise intended to represent any assets or rights associated with such assets; or
  • intended to provide access to an application of service or product by means of distributed ledger technology”.

The “digital asset business” activities regulated by the DABA are:

  • issuing, selling or redeeming virtual coins, tokens or any other form of digital asset (this is intended to regulate any person providing these services to other persons, whether such person is situated in or outside of Bermuda);
  • operating as a payment service provider business utilising digital assets, which includes the provision of services for the transfer of funds;
  • operating as a digital assets exchange;
  • carrying on digital asset trust services;
  • providing custodial wallet services;
  • operating as a digital assets derivative exchange provider;
  • operating as a digital asset services vendor; and
  • operating as a digital asset lending or digital asset repurchase transaction service provider.

Exemptions

The Minister of Finance, acting on the advice of the BMA, can issue an exemption order under the DABA that grants a specified person (or a person that falls within a specified class) exemption from having to obtain a licence under the DABA.

In 2023, the Bermuda government issued an exemption order excluding the following persons from registration under the DABA:

  • the BMA;
  • the Bermuda government and any undertaking owned by it;
  • any public authority;
  • a person providing an affinity or rewards programme, provided that notice is given to the BMA;
  • a publisher issuing a token used exclusively within an online game platform, provided that notice is given to the BMA;
  • a person providing data storage or security services for a DAB, provided that notice is given to the BMA;
  • an undertaking providing digital asset business activity solely for the purpose of its business operations or the business operations of any group undertaking, provided that notice is given to the BMA; and
  • an investment fund that has appointed an investment manager who is licensed under the Investment Business Act (IBA) or authorised by a recognised regulator, provided that notice is given to the BMA.

Similarly, the BMA can grant an exemption or modification exempting a person conducting a digital asset business from the requirement to comply with any standard applicable to it or modify the same, which may be subject to specified conditions.

Licensing requirements

There are three classes of licence available to persons conducting digital asset business activities in or from Bermuda.

Class F licence

A Class F licence is a licence to conduct specified digital asset business activities and is not subject to a specified period. However, the BMA has the discretion to place restrictions or conditions on a licence where it deems it appropriate in the circumstances.

Class M licence

A Class M licence is a licence to conduct specified digital asset business activities with modified restrictions. Conditions will only be valid for a specified period of time determined by the BMA.

Class T licence

A Class T licence is designed to operate as a test licence for pilot or beta testing in relation to specified digital asset business activities. Once the BMA considers that the business has successfully achieved its testing objectives, it will accept an application to upgrade the licence to a Class M or potentially Class F licence. Class T licences are more appropriate for start-ups, owing to the relaxed approach to the minimum licensing criteria.

Minimum licensing criteria

Schedule 1 of the DABA sets out the minimum criteria for licensing, which includes:

  • the controllers and officers of the licensed/authorised entity must be fit and proper persons;
  • the licensed/authorised business must be conducted in a prudent manner;
  • the licensed/authorised business must be carried on with integrity and the professional skills appropriate to the nature and scale of its activities;
  • the licensed/authorised entity must implement appropriate corporate governance policies and processes based on the nature, size, complexity, and risk profile of the digital asset business activities (eg, a minimum of two persons to effectively direct the business and typically at least one non-executive director); and
  • the position of the licensed/authorised entity within a group structure will not obstruct the conduct of consolidated supervision by the BMA.

Holders of a Class M or Class F licence must maintain a head office in Bermuda from which the business is managed and directed. Licensed persons must also demonstrate a cybersecurity programme commensurate with the nature, size and complexity of the digital asset business activities. Licensed persons must also file an annual comprehensive cybersecurity report prepared by their Chief Information Security Officer that assesses the availability, functionality, and integrity of their electronic systems in each case. This must be reviewed and subject to an external audit.

In 2023, the BMA issued the Digital Asset Business (Cyber Risk) Rules 2023, which replaced the Digital Asset Business (Cybersecurity) Rules 2018 (the “Cybersecurity Rules”). The new rules require Class F licence holders to file cyber-risk returns with the BMA on an annual basis. Class M and Class T licence holders will be required to make such filing as often as prescribed by the BMA.

DAIA Regime

Regulated activity

The DAIA applies to any undertaking incorporated or formed in or outside Bermuda that conducts any digital asset issuance in or from within Bermuda. The BMA has issued the Digital Asset Issuance Rules 2020, which expand upon the requirements under the DAIA.

A “digital asset issuance” is an offer to the public, or any section of the public, to acquire digital assets or to enter into an agreement to acquire digital assets at a future date. Any undertaking seeking to conduct a digital asset issuance must obtain prior authorisation from the BMA.

Although issuers of digital assets may be regulated under the DABA (which regulates the business of issuing, selling or redeeming digital assets), in general, those intending to issue digital assets as a means to raise capital would fall under the DAIA. Those intending to issue, sell or redeem digital assets as a business (eg, continuously with the intention to capture a profit) would fall under the DABA. The DAIA grants the BMA wide-ranging powers of supervision and enforcement similar to those granted under the DABA.

Exemptions

Prior authorisation under the DAIA is not required if:

  • the issuance will result in digital assets becoming available to less than 150 persons;
  • the issuance is only to “qualified acquirers” (as defined in the DAIA); or
  • the issuance is only to persons whose ordinary business involves the acquisition, disposal or holding of digital assets.

Although prior authorisation is not required, an issuer or promoter must file a digital asset placement declaration form with the BMA before any such transaction.

Minimum authorisation requirements 

The BMA may not authorise an undertaking to conduct a digital asset issuance unless it is satisfied the undertaking fulfils certain minimum criteria set out in the DAIA. These authorisation criteria are substantially the same as the above-mentioned minimum licensing criteria under the DABA.

Issuance document

The DAIA requires that any person conducting a digital asset issuance must publish and file an issuance document with the BMA, unless it falls within an exemption. The following are examples of information that must be included in the issuance document:

  • details of the registered or principal office of the promoter and the officers of the promoter;
  • details of all persons involved with such issuances, including the applicant’s directors, chief executives, senior executives, shareholder controllers, promoters, service providers, auditors and other such information;
  • disclosure of any legal proceedings;
  • the name and nature of the project;
  • key features of the product or service to be developed;
  • a description of the project and proposed timelines, including any milestones;
  • the targeted digital acquirers and jurisdictions (and any restrictions that apply);
  • the amount of money intended to be raised;
  • a description of the proposed offer, including the timing of opening and closing the offer;
  • two-year financial projections;
  • details and descriptions of the technologies being used;
  • a description of the risks associated with the issuance and any mitigations in place;
  • details of the custodial arrangements in place; and
  • a description of the data protection and privacy in place.

Digital asset businesses do not have any restrictions regarding the way in which they charge customers, if the charges are applicable to their business models and are adequately disclosed.

According to the Digital Asset Business (Client Disclosure) Rules 2018 (“DAB Client Disclosure Rules”), at the time of entering a contract for the provision of products or services, a DABA licensee must provide the client with information including (but not limited to):

  • the class of licence it holds;
  • description of any voting rights;
  • whether the entity has obtained any insurance cover such as cyber or theft to address losses that may arise as a result of the provision of the products or services offered; and
  • a schedule of fees and charges for any service or product to be provided by the DAB licensee.

The fintech regulatory regime in Bermuda – namely, the DABA, the DAIA, and the relevant regulations promulgated thereunder – applies to all persons who are conducting a digital asset issuance or a digital asset business in or from within Bermuda, regardless of whether such persons were conducting such activities prior to the inception of each statute.

Bermuda’s “regulatory sandbox” concept encompasses regulated activities across all sectors following its successful implementation under the DABA. The sandbox regime permits businesses that are seeking to be innovative or have innovative products or services to apply for a conditional sandbox licence, which under the DABA originally comprised the Class M licence. This was later expanded to also include a Class T licence, which was introduced specifically for persons seeking to test or run a prototype with reduced regulatory obligations commensurate with their reduced risk status.

Another example is under the Insurance Act 1978 (the “Insurance Act”), whereby an insurance regulatory sandbox allows for companies to test new technologies and offer innovative products, services and delivery mechanisms to a specified number of policyholders for a specific period.

The BMA has the power to review applications for the applicable sandbox and determine the appropriate legislative and regulatory requirements that should be modified during the period within the sandbox.

The BMA is the sole financial services regulator and controller for foreign exchange control purposes in Bermuda.

The DABA and the Digital Asset Business ‒ Code of Practice (the “DAB Code of Practice”) provide that certain regulated functions, such as asset management, custodial services, cybersecurity, compliance and internal audit, can be outsourced to third parties. The BMA requires the disclosure of any material outsourcing arrangements and it has, through its general guidance on outsourcing as well as through the DAB Code of Practice, reiterated that the responsibility remains with the digital asset business to ensure that all legal and regulatory obligations (under the DABA and any other relevant rules and regulations) are met to the same degree as if the outsourced function was being performed internally.

Where roles have been outsourced to either external third parties or to affiliated entities of the digital asset business licensee, it is the directors of the licensee who are responsible for ensuring that there is oversight and clear accountability for each role. Any service agreement for an outsourced function must include terms on compliance with jurisdictional laws and regulations and should not prohibit co-operation with the BMA or its access to data and records in a timely manner. The directors of the licensee must assess the impact of outsourcing a role.

Where outsourcing a particular function is reasonably expected to adversely affect governance and risk management structures, excessively increase operational risk, affect the BMA’s ability to effectively supervise and regulate the entity, and adversely affect client protection, that function should not be outsourced.

For the purposes of cross-border outsourcing arrangements, there is no list of approved or equivalent jurisdictions; however, it would be preferable to outsource to an entity that is regulated either by the BMA or by a regulator in another jurisdiction that applies standards that are at least equivalent to those applied in Bermuda. Any foreign entity providing outsourced functions to Bermuda regulated entities must comply with the requirements under Bermuda’s AML/CTF laws and regulations.

A person licensed under the DABA as an electronic exchange can apply to become an “accredited digital asset exchange” under the DAIA. This accreditation effectively turns the exchange into a “gatekeeper” for digital asset issuances. This means that it can authorise digital asset issuances without the issuer being required to file an issuance document with the BMA.

The BMA has wide powers under the DABA and the DAIA in relation to enforcement, including the power to:

  • compel the production of information and documents, with criminal sanctions for failing to produce such information/documentation or for making false or misleading statements;
  • issue directions for the purpose of safeguarding the interests of a licensee’s clients where a licensee is in breach of the DABA or any other rules or regulations applicable to it;
  • impose conditions and restrictions on licensees, such as:
    1. requiring a licensee to take certain steps or to refrain from adopting or pursuing a particular course of action;
    2. restricting the scope of a licensee’s business activities in a certain way;
    3. imposing limitations on the acceptance of business;
    4. prohibiting a licensee from soliciting business, either generally or from prospective clients;
    5. prohibiting a licensee from entering into any other transactions or class of transactions;
    6. requiring the removal of any officer or controller; and/or
    7. specifying requirements to be fulfilled other than by action taken by the licensee.

In the event that a licensee fails to comply with a condition, restriction or direction imposed by the BMA or with certain requirements of the DABA, the BMA has the power to:

  • impose fines of up to USD10 million;
  • issue a public censure to name and shame the licensee;
  • issue a prohibition order banning a person from performing certain functions for a Bermuda regulated entity; or
  • obtain an injunction from the court.

In the more extreme cases, the BMA may revoke a licence and subsequently petition the court for the winding-up of the entity whose licence it has revoked.

Personal Information and Protection Act

Bermuda’s Personal Information and Protection Act 2016 (PIPA) is the main piece of legislation in Bermuda that regulates the use of personal information. It has been implemented in phases and the Bermuda government has recently announced that all remaining provisions will come into effect on 1 January 2025.

PIPA applies to every organisation in Bermuda that uses personal information either wholly or partly by automated means and to the use other than by automated means of personal information that forms, or is intended to form, part of a structured filing system.

Under PIPA, an organisation can only use personal information where there is a lawful basis for that use. Such lawful bases include:

  • when the organisation has the knowing consent of the individual to that use;
  • where the individual would not reasonably be expected to object to that use (except in relation to sensitive personal information);
  • where using such information is necessary for the performance of a contract to which the individual is a party;
  • where the use is authorised or required by law; and
  • where the use is necessary in the context of an individual’s employment relationship with the organisation.

In order to comply with the provisions of PIPA, those organisations that are caught under it (including those in the fintech sector) will need to:

  • adopt suitable measures and policies that take into account the nature, scope, context and purposes of the use of personal information and the risk to individuals posed by the use of such information;
  • ensure that any third party whose services are engaged (by contract or otherwise) in connection with the use of personal information complies with PIPA at all times;
  • designate a privacy officer who will have primary responsibility for communicating with the privacy commissioner;
  • ensure that all personal information they hold is accurate, up to date, adequate, relevant, and proportionate to the purposes for which it is to be used (and is only kept as long as is necessary for its use);
  • implement safeguards (proportionate to the likelihood and severity of harm, the sensitivity of the personal information, and the context in which the information is held) to protect personal information against risks of unauthorised access, destruction, use, modification or disclosure; and
  • provide a “privacy notice” to each individual before or at the time their personal information is collected, which should be clear and easily accessible and provide the individual with details of the organisation’s practices and policies in relation to personal information.

Where the organisation transfers personal information to a third party (overseas or otherwise), it will remain responsible for PIPA compliance in relation to that personal information.

If an organisation does not believe that the protection provided by an overseas third party will be comparable to the level required under PIPA, that organisation may choose to employ contractual mechanisms, corporate codes of conduct, or other means to ensure that the overseas third party provides a comparable level of protection.

The privacy laws of other jurisdictions may have extraterritorial effect (eg, the EU General Data Protection Regulation (GDPR)) and organisations in Bermuda may also be subject to these.

Cybersecurity

The Cybersecurity Rules and the DAB Operational Cyber Risk Management Code of Practice (the “Cybersecurity Code”) apply specific cybersecurity rules to persons licensed to conduct a digital asset business. The BMA has a team dedicated to the supervision of persons conducting digital asset business in relation to their cybersecurity programmes. Every entity licensed under the DABA must appoint a senior executive whose responsibility it is to:

  • oversee and implement its cybersecurity programme;
  • enforce its cybersecurity policies;
  • report regularly to the digital asset business’ board of directors; and
  • provide an annual report in relation to cybersecurity.

An application for a licence under the DABA must include information in relation to:

  • its proposed cybersecurity risk management policies;
  • how those policies interact with each other;
  • how the applicant implements the “three lines of defence” model, including:
    1. risk management;
    2. internal audit; and
    3. compliance functions.

AML/CTF

Persons licensed under the DABA are “regulated financial institutions” under the Proceeds of Crime Act 1997 (POCA). This means that they will be required to comply with all Bermuda legislation applicable to “regulated financial institutions” (ie, banks, long-term life insurance companies, investment funds and fund administrators), including Bermuda’s AML/CTF legislation and regulations (collectively, the “AML/CTF Rules”). The BMA has also published sector-specific guidance notes for DABA licensees (Annex VIII – Sector-Specific Guidance Notes (SSGN) for Digital Asset Business) to assist with compliance with applicable AML/CTF obligations.

Under the AML/CTF Rules, DABA licensees must:

  • adopt a risk-based approach to obtaining adequate due diligence on and verifying the identity of their clients;
  • support ongoing monitoring; and
  • report any suspicious activities.

There are also specific rules applicable to companies that are conducting public offerings of digital assets – specifically, these companies:

  • must identify and verify participants in the offer;
  • must comply with the AML/CTF requirements set out in the Digital Asset Issuance Rules 2020; and
  • are prohibited from opening an account or issuing a digital asset to any person and must terminate the business relationship if unable to comply with any relevant AML/CTF Rules.

In contrast, a company that is offering shares to the public is only subject to these requirements if it is a “regulated financial institution”, as prescribed under the AML/CTF Rules.

Sanctions

The UK extends sanctions measures to Bermuda by way of Overseas Territories Orders in Council (“OT Orders”). However, not all OT Orders extend to Bermuda (owing to policy reasons) and are therefore brought into force under the International Sanctions Act 2003 (the “ISA Act”). The Bermuda sanctions regulatory regime applies to all individuals and legal entities that are within or that undertake activities within Bermuda.

OT Orders have a broad reach and apply to persons in Bermuda, any person not in Bermuda but who is a British citizen, a citizen of a British overseas territory, a British subject, an overseas British national or a British protected person ordinarily resident in Bermuda. Any person on board a ship or aircraft that is registered in Bermuda is also caught by financial sanctions.

As regulated financial institutions, DABA licensees have an obligation to report to Bermuda’s Financial Sanctions Implementation Unit as soon as practicable if they know, or have reasonable cause to suspect, that a person:

  • is a designated or listed person; or
  • has committed an offence under the licensing, contravention or circumvention provisions of the sanctions.

DABA licensees are also required to:

  • maintain records for any potential matches to names and sanctions lists, whether the match turns out to be true or a false-positive; and
  • establish and maintain risk-sensitive policies and procedures that include the application of:
    1. customer due diligence (enhanced customer due diligence is required where a person or a transaction is from or in a country subject to international sanctions);
    2. ongoing monitoring of the customer relationship; and
    3. maintaining adequate records of their clients and their business activities against sanctions lists applicable to Bermuda.

If a DABA licensee has outsourced this function to a service provider, steps should be taken to verify that the service provider is also fully compliant with the Bermuda sanctions regime, as ultimate responsibility for compliance remains with the DABA licensee.

Anti-bribery

Under Bermuda’s Bribery Act 2016, the following offences are applicable to both individuals and corporations:

  • an offence of bribing (offering, promising or giving a financial or other advantage);
  • an offence of being bribed (requesting, agreeing to receive or accepting a financial or other advantage); and
  • an offence of bribery of foreign public officials.

In addition, there is also a corporate offence of failing to prevent bribery, which is applicable to corporate bodies and partnerships incorporated and formed in Bermuda. This is a strict liability offence, with only one possible defence ‒ the organisation will have to prove that it had “adequate procedures” in place designed to prevent persons who are associated with it from bribing. The Bermuda government has published the Bribery Act 2016 Guidance, in which the principles around what amounts to “adequate procedures” are set out.

Electronic Transactions Act 1999

The Electronic Transactions Act 1999 introduced – among other benefits – a statutory recognition of the validity of digital/electronic records and, subject to certain criteria being met, signatures applied to such records.

Traditional financial service industry sectors in Bermuda have all been actively involved in the development and implementation of complementary financial and non-financial services to this growing fintech sector.

Banking

Bermuda’s banking laws were amended in 2018 with the introduction of the Banks and Deposit Companies Amendment Act 2018 (the “Banks Amendment Act”), which sought to open up the banking market by providing relief from certain local banking requirements (eg, retail banking services) in return for restricting services to the fintech sector. This provided a balance between positive new competition and the protection of existing traditional retail banking services.

Financial Auditing

DABA licensees must have their financial statements audited annually. The BMA is cognisant of the influence of global events on the appetite of the established audit firms to audit this sector and, as such, financial audits may be conducted by regulated audit firms registered in Bermuda or other jurisdictions that are recognised as following the same or similar accounting standards.

Other Service Providers

Bermuda has seen an increased interest in persons seeking to provide all manner of financial and non-financial services to the fintech sector, including AML/CTF compliance, accounting, custodial, fund management and administration, and legal and corporate services.

DABA licensees or issuers authorised under the DAIA are not expressly prohibited from conducting unregulated business. However, in each case, the licensed/authorised entity must ensure that its regulated business is conducted in a prudent manner. Accordingly, any unregulated activities will need to be assessed from the perspective of how they affect the regulated activities of the DABA licensee or issuer.

Refer to 2.10 Implications of Additional, Non-financial Services Regulations.

While “robo-advice” or other types of automated advice are not specifically regulated by the BMA, DABA licensees and digital asset issuers that adopt robo-advice will need to consider regulation of providing “advice” more broadly.

Under the IBA, the giving or offering of investment advice to clients or potential clients in respect of “investments” constitutes investment business, which may not be conducted in or from Bermuda without being licensed or registered under the IBA (subject to any applicable designation by the Bermuda Minister of Finance as a non-registrable person). What constitutes an “investment” under the IBA is wide and includes assets ranging from shares and debentures to options and futures, and can therefore capture digital asset derivatives.

The use of robo-advice as a low-cost alternative advice model has been considered by legacy players in the Bermuda market to give locals access to more affordable advice, particularly by the banking and government sectors. However, the use of robo-advisers in respect of digital assets has not yet been widely adopted by such legacy players.

Licensed investment managers need to comply (and ensure that any robo-adviser or other technology they adopt complies) with the Code of General Business Conduct and Practice. This code recommends that an investment provider does not transact business for a client on worse terms than it would expect to obtain for itself, making allowances for the size of the transaction (and other allowances).

The BMA has not published any specific guidance on best execution for digital asset business regulated entities. However, the BMA will consider the method(s) for execution and settlement as part of the licensing application process.

The BMA regulates the business of lending fiat under the Banks and Deposit Companies Act 1999 and relevant regulations (collectively, the “Banks Act”). Under the Banks Act Code of Conduct, licensed banks and deposit-taking companies are required to identify and implement policies and procedures to accommodate and afford reasonable care to an individual who is identified as vulnerable or who discloses these needs to the institution. Otherwise, the Banks Act does not differentiate between the business of lending to individuals, small businesses or others.

Additionally, in 2023, operating as a digital asset lending service provider or operating as a digital asset repurchase transactions service provider were included as separate regulated digital asset activities under the DABA. These categories (respectively) encompass circumstances where:

  • a person facilitates, either as principal or agent, digital asset lending transactions by which a counterparty transfers or lends digital assets to a borrower subject to a commitment that the borrower will return equivalent digital assets with or without interest or premium on a future date or when requested to do so by the lender; and
  • a person facilitates, either as principal or agent, digital asset repurchase transactions by which a person transfers digital assets to a counterparty subject to a commitment to repurchase such digital assets or substituted digital assets of the same description from that counterparty at a specified price with or without premium on a future date specified or to be specified.

The counterparty in the above-mentioned circumstances can be any type of person or entity.

Bermuda also introduced one of the world’s first digital asset business bank licensing regimes, which provides for a banking licence to be issued to persons seeking to provide traditional banking services to the digital asset sector.

There are no additional requirements for the underwriting of digital assets, other than compliance with regulations under the DABA and the Banks Amendment Act mentioned in 2.11 Review of Industry Participants by Parties Other than Regulators, as applicable. A person conducting digital asset lending will be required to deliver details of risk management and controls to the BMA.

Bermuda’s legal and regulatory landscape – in particular, the regulation of lending or repurchase transactions under the DABA ‒ does not distinguish between the sources of funds for loans. An entity lending either fiat or digital assets will be required to submit its credit risk management framework and controls to the BMA with its licensing application and as part of its ongoing regulatory monitoring and reporting obligations.

DABA licensees, banks and deposit-taking companies are prescribed as AML/CTF-regulated financial institutions and must comply with relevant AML/ATF regulations, which may include requirements to verify source of funds of customers.

The syndication of loans involving Bermuda obligors is not uncommon. Typically, the syndication of loans takes place on a cross-border basis involving lenders and counterparties overseas where documentation is usually subject to the laws of a foreign jurisdiction and is not otherwise directly captured under current regulation (subject to bespoke conditions such as minimum capitalisation requirements for DABA licensees or regulated insurtech entities in Bermuda).

Payment processes are not required to use existing payment rails under Bermuda law, nor are they precluded from creating or implementing new payment rails. However, creating or implementing a new payment rail for the purposes of advancing digital asset business may prompt the licensing requirements under the DABA.

A payment processor (excluding an entity licensed under the Banks Act) may also require a licence under Bermuda’s Money Service Business Act 2016 (unless subject to an exemption under the Guidance Notes – Money Service Business Act 2016) if it conducts any of the following money service business activities:

  • money transmission services;
  • cashing cheques that are made payable to customers and guaranteeing cheques;
  • issuing, selling or redeeming drafts, money orders or traveller’s cheques for cash;
  • payment services business; or
  • operating a bureau de change whereby cash in one currency is exchanged for cash in another currency.

Any purchases of foreign fiat currency made by a Bermuda resident in Bermuda dollars from an institution licensed under the Banks Act will be subject to a transaction tax of 1.25%. This must be withheld by the applicable institution and thereafter remitted to the Bermuda Tax Commissioner.

Cross-border payments and remittances using digital assets are separately regulated under the DAB Regime. However, they are not subject to the foreign currency payment tax.

Entities involved in providing fund administration provider business are required to be licensed by the BMA under the Fund Administration Provider Business Act 2019 (the “Fund Administration Act”). The Fund Administration Act describes a fund administrator as any person who provides one or more of the following services to an investment fund:

  • applying the subscription monies received by a fund in accordance with its constitution and its prospectus;
  • processing the issue, conversion and redemption of units of a fund;
  • applying the income of a fund in accordance with its constitution and its prospectus;
  • calculating the net asset value of the units, in addition to their issue, conversion and redemption price;
  • maintaining the accounts of a fund;
  • distributing to the participants of a fund all dividends or other distributions that may from time to time be declared and paid by it on units in a fund; and
  • any other services or activities that the Minister of Finance, acting on the advice of the BMA, may specify by notice in the Gazette.

Fund advisers typically engage fund administrators by way of services agreements to assist with compliance matters, such as:

  • AML/CTF requirements;
  • implementing compliance and regulatory controls to support services; and
  • the requirement at all times to exercise due care and diligence and to act in good faith in the performance of services under its agreement.

Although the provisions of services agreements between fund administrators and fund advisers are typically negotiated contracts, fund administrators are subject to the BMA’s Code of Practice, Statement of Principles and Corporate Governance policies for fund administrators. This offers guidance as to the duties, requirements and standards to be complied with – and the procedures and sound principles to be observed ‒ by persons carrying on fund administration provider business.

Digital Asset Exchanges/Digital Asset Derivative Exchanges

Digital asset exchanges and digital asset derivative exchanges are permissible, and the operation of both is regulated under the DABA. There are no material differences between the requirements applicable under the DABA to these two different types of platforms.

A digital asset exchange is a centralised or decentralised electronic marketplace used for digital asset issuances, distributions, conversions and trades, including primary and secondary distributions, with or without payment. This may include digital asset conversions and trades entered into by the electronic marketplace as principal or agent.

A digital asset derivative exchange means a centralised or decentralised marketplace used for digital asset derivative issuances, distributions and trades with or without payment. This may include digital asset derivatives trades entered into by the marketplace as principal or agent. A digital asset derivative means an option, a swap, a future, a contract for difference or any other contract or instrument whose market price, value or delivery or payment obligations are derived from, referenced to or based on a digital asset underlying interest.

Insurance Marketplace Provider

The Insurance Act also licenses the operation of a platform (of any type) established for the purpose of buying, selling or trading contracts of insurance. Such licensed activities may be done in a traditional manner or through the Insurtech Sandbox as an innovative insurance marketplace provider.

Bermuda Stock Exchange

When it comes to the general trading of securities of publicly listed companies in Bermuda, the Bermuda Stock Exchange (BSX) is the primary trading platform. Traditional securities of all types can be listed on the BSX, provided they meet the application and maintenance requirements of BSX Listing Regulations.

Please refer to 7.1 Permissible Trading Platforms.

Traditional securities that are listed on the BSX must meet the standards and requirements set out in the BSX Listing Regulations. The principal function of the BSX is to provide a fair, orderly and efficient market for the trading of securities of both domestic and foreign issuers and is itself regulated by the BMA.

In contrast, digital asset exchanges and digital asset derivative exchange providers are all regulated under the DABA and are required to conduct their business in a prudent manner. Specifically, in relation to the listing of digital assets and digital asset derivatives, there are no definitive regulatory criteria for exchanges to adhere to other than in relation to seeking BMA approval to introduce a new product or service.

The standards by which each licensed entity chooses to list different products will be set and maintained by that licensed entity as part of their application for a licence. The general overview of such standards must be included in and approved by the BMA upon the entity’s initial application for licensing or as part of a notification or application to introduce new listings. The BMA has also issued the Digital Asset Business Act 2018 – Product Due Diligence Guidance Notes, which outline the BMA’s expectation in relation to the diligence conducted on products and services (including digital assets listed on a Bermuda exchange) introduced by a DABA licensee.

See 3.3 Issues Relating to Best Execution of Customer Trades and 7.4 Listing Standards.

Peer-to-peer trading platforms that offer services to the public as a business in and from within Bermuda and allow the trading of digital assets are generally captured under the DABA and are subject to the same regulatory requirements and scrutiny as operators of a digital asset exchange or digital asset derivative exchange. There is still open discussion and consideration as to how a decentralised autonomous organisation would be treated if providing such services, but in most instances there would need to be a legal person or organisation with a nexus to Bermuda to be captured.

See 3.3 Issues Relating to Best Execution of Customer Trades and 7.4 Listing Standards.

The BSX has a clear set of principles around the market integrity expected of a traditional securities exchange within its Listing Regulations.

The BMA has produced the DAB Code of Practice, the DAB Client Disclosure Rules, the Cybersecurity Rules, and the Sector-Specific Guidance Notes (SSGN) for Digital Asset Business, among others ‒ all of which include principles governing the conduct of digital asset business generally and which supplement the principles and regulations found within the primary legislation. Under these codes and rules, DABA-licensed entities are required to observe principles including ethical corporate behaviour, client protection and security, business integrity and prudence, and regulatory and legal compliance. Within the relevant rules and codes, as well as under the DABA, the BMA is granted authority to review, monitor and enforce the relevant requirements.

Currently, there are no specific regulations exclusively for the creation and use of digital assets in high-frequency and algorithmic trading. Such activities may fall under either the DABA or IBA licensing regimes, depending upon the type of asset being traded and whether such activity falls within proprietary trading or operating as a business to the public.

The DABA specifically includes market-making activities within the scope of “digital asset service vendors”. A licence is required for such operations from or within Bermuda. Within the DABA’s framework, a market maker is defined as someone who ‒ as part of their business ‒ engages in trading digital assets by providing bid-and-ask prices to profit from spreads, fulfilling client orders, or hedging positions resulting from these activities.

However, individuals trading solely on a principal basis (eg, proprietary traders) are likely to fall outside the scope of the definition of market makers under the DABA. A thorough examination of agreements between these individuals and trading platforms or exchanges is essential to determine their classification in each case.

Although the IBA and Investment Funds Act (IFA) specifically differentiate between funds and dealers of traditional investments, the DABA does not. Typically, an investment fund falls outside the scope of the DABA unless it engages in digital asset business activities. Also, an investment fund that has appointed an investment manager who is licensed under the IBA or authorised by a recognised regulator is exempted from needing to apply for a DABA licence, provided it gives prior notice to the BMA.

Meanwhile, a licensed digital asset business entity is explicitly excluded from the definitions of an investment fund under the IFA.

The BMA will look at the overall structure of the business, the rights, powers and obligations of participants, as well as the overarching objective in order to properly assess whether a business or other arrangement is captured under the Digital Asset Regimes.

The activity of developing and creating trading algorithms and other electronic trading tools is not regulated. However, if the benefit or use of such services is offered directly to the public as part of that business, such activities may be captured under the DABA or the IBA, depending on the type of asset being traded.

The DAB Regime applies to persons conducting the business of providing any or all of the specified digital asset business activities to the public. DeFi is not expressly defined under the DAB Regime.

Depending on the activities being conducted via or in relation to a DeFi platform, those activities could be caught under any number of the existing digital asset business categories of the DABA. It is anticipated that, given the higher risk surrounding DeFi management, the BMA will take a heightened approach to regulating persons that provide services to the public using a DeFi protocol in accordance with its proportionality principles.

As regards DeFi protocols, developing software technology is unlikely to fall under any regulations in Bermuda (other than the economic substance regime, which applies to all companies whose revenue is derived from IP in Bermuda). Those looking to be regulated in Bermuda and provide services to the public through a DeFi protocol should consider using a legal “wrapper” that can act on behalf of the protocol and its participants. An example would be using a company limited by guarantee structure whereby the company has members limited by guarantee rather than shareholders and is restricted from making any distributions to its members. This would allow the BMA to regulate the legal “wrapper” as the person responsible for the protocol’s compliance with the DAB Regime.

There is no requirement in Bermuda for the registration of financial research platforms.

However, a person that has control over the provision of a digital asset benchmark – including administering the arrangements for determining a benchmark, collecting, analysing or processing input data for the purpose of determining a benchmark, and determining a benchmark through the application of a formula or other method of calculation or by an assessment of input data provided for that purpose ‒ will be within the scope of the DABA and required to be licensed if undertaking this activity as a business in or from Bermuda.

Also, it should be noted that the giving or offering of investment advice to clients or potential clients is a regulated activity under the IBA. The giving or offering of such advice constitutes investment business, which may not be conducted in or from Bermuda without being licensed or registered under the IBA (subject to any applicable designation by the Bermuda Minister of Finance as a non-registrable person). It should be noted that “investments” do not generally include digital assets, but may include certain types of digital asset derivatives.

The BMA monitors DABA licensees to ensure that business is being conducted in a prudent manner and in accordance with the DABA provisions. Although the provisions of the DABA do not currently provide for the direct regulation of unverified information, the BMA is empowered to take necessary actions against a DABA licensee who contravenes the requirement of prudent business conduct where such conduct poses a threat to the public, clients, or potential clients, including market manipulation as well as the dissemination and disclosure of inaccurate information where it relates to a product or services being offered.

The BMA requires prudent and ongoing monitoring of exchange activities by the DABA licensee to mitigate against the risk of “pump and dump” schemes or the illegal promotion of a particular product or service. Please also refer to 9.2 Regulation of Unverified Information.

The underwriting process for traditional insurers is currently regulated by the Insurance Act and related regulations. An insurer will be required to submit a detailed description of its underwriting strategy to the BMA. The underwriting process may be conducted by the insurer or outsourced with the prior approval of the BMA. Although not expressly provided for in the statute, it is typical for the BMA to require a proportionately similar process for innovative insurers.

There are various classes and types of (re)insurers and insurance intermediaries regulated under the Insurance Act – all of which will attract different regulatory treatment by the BMA. However, the lines of insurance business are only statutorily divided between general business and long-term business. There is also a robust captive industry, which is regulated differently under the Insurance Act, as well as the innovative classes of insurance and insurance intermediaries who operate within the Insurtech Sandbox.

There are no legislative or regulatory provisions governing the design, provision or delivery of regulatory technology. Persons who use the technology may be caught by any one of Bermuda’s regulatory regimes, including those created under the DABA or the DAIA, if the business activity that they are conducting using the technology is itself a regulated activity.

Financial service providers in Bermuda will seek and expect contractual terms based on international market practice. The financial service provider using the technology will be expected to ensure the technology assists or permits them to comply, and does not prohibit them from complying, with the legal and regulatory obligations of the financial service provider.

Traditional financial service providers in Bermuda have benefited from the country’s early adoption of sector-specific legislation and regulation through the inevitable and rapid education of the workforce around the use of blockchain technology. All industry sectors have been involved in the consideration of the potential implementation of blockchain as a technological solution to existing infrastructure demands.

What has been clearly evident is the traditional financial sector’s willingness to co-operate with new entrepreneurial businesses that are offering novel ways to conduct traditional business using innovative technology, including blockchain. As an example, NAYMS is a Bermuda digital insurance marketplace that uses blockchain technology for the conduct of brokering insurance contracts and has secured some of the oldest names in the industry as participants. There are also numerous other projects involving both the public and private sector that have secured funding and gained traction in developing blockchain solutions, often involving professional service companies (eg, law firms) to assist in building both the digital and regulatory infrastructure to ensure solutions are as legally sound as they are technically robust.

Notably, with regard to the Bermuda government and blockchain, the government has indicated its intention to launch a blockchain-based stimulus token for use in Bermuda’s retail market. As mentioned in 1.1 Evolution of the Fintech Market, such token is intended to be a Bermuda dollar-backed stablecoin and employ technology developed by a DABA-regulated entity.

Demonstrating its role as an active, engaged and responsive regulator, the BMA (together with the Bermuda government) regularly consults with industry with a view to the continued improvement of the digital asset regulatory framework, including its effective administration and enforcement. The BMA and industry stakeholders continually review and monitor this framework (including the DABA and the DAIA) to ensure that it continues to meet or exceed applicable international standards – including with regard to regulation, compliance and transparency – and that it continues to be fit for purpose.

See 2.2 Regulatory Regime for how “digital assets” are defined and treated. The Digital Asset Regimes do not differentiate between the different types of digital assets that exist or can be created and are agnostic when it comes to the underlying technology. The Digital Asset Regimes seek to regulate the business and service activities surrounding digital assets in a manner that recognises the unique factors of the technology, rather than seeking to fit the different types of digital assets within existing legal and regulatory definitions.

Please refer to 2.2 Regulatory Regime and the broad definition of “digital assets” in the DABA and the DAIA and their application to issuers. The DAIA requires regulatory permission to conduct a digital asset issuance that is conducted for the purposes of raising funds for a specific project, whereas the DABA is a licensing regime focused on regulating digital asset issuances that have an ongoing business element to them and regulating digital asset issuances as a service.

Blockchain asset trading platforms that are offered to the public and operate as a “digital asset exchange” or a “digital asset derivative exchange provider” (each as defined under the DABA) are regulated under the DABA as “digital asset businesses” and must be licensed thereunder.

Peer-to-peer trading, when conducted in a proprietary manner, is not specifically regulated. However, the DABA includes a broad spectrum of activities that might appear to be proprietary trading but, owing to the way in which they are being conducted, are deemed to be digital asset business activities, including the provision of intermediary services.

The BMA applies a broad interpretation to the list of digital asset business activities contained in 2.2 Regulatory Regime and legal advice should be sought on any proposed digital asset transactions or activities in or from within Bermuda. Even if the transaction is intended to be proprietary in nature, there can be nuances to an arrangement that could bring the transaction within the scope of the DABA.

Any fund that is captured within the definition of “investment fund” in the IFA, including funds that deal in digital assets, will be subject to regulation under the IFA. However, pursuant to the Digital Asset Business Exemption Order 2023, an investment fund that conducts a digital asset business activity and has appointed an investment manager who is licensed under the IBA or is authorised by a “recognised regulator” (as defined in the IBA) will be exempt from licensing under the DABA – as long as an annual notice is filed with the BMA. It should be noted that, even though the fund itself may be exempt, the investment manager, custodian or administrator may well be deemed to be conducting a digital asset business activity and require a DABA licence if they are based in Bermuda.

Refer to 2.2 Regulatory Regime and the broad definition of “digital assets” in the DABA and the DAIA. Virtual currencies that meet the definition of “digital assets” are treated the same as other blockchain-derived assets from a regulatory perspective.

See 8.5 Decentralised Finance (DeFi).

For the purposes of Bermuda law, NFTs would constitute digital assets (see 2.2 Regulatory Regime). As such, a platform that facilitates the trading of NFTs would be conducting the digital asset business of operating a digital asset exchange, which requires a DABA licence.

The Bermuda government has indicated its support to the BMA “in advancing open banking standards in Bermuda to provide better services to local consumers while enabling new digital banking services to be offered”.

An entity intending to conduct open banking activities in or from within Bermuda would be required to adhere to the licensing requirements and provisions of the Banks Amendment Act, as well as the provisions of the DABA where such business constitutes digital asset business activity. There is currently no express prohibition on open banking activity under the Bermuda legal regime.

To date, the concept of open banking has not been prevalent for banks operating from within Bermuda. With PIPA coming into effect on 1 January 2025 (see 2.10 Implications of Additional, Non-financial Services Regulations), Bermuda banks may be deterred from pursuing open banking concepts in the near future, owing to the increased scrutiny concerning the protection of personal information. However, it is anticipated that the consensual use of personal information in these optional and contractual relationships will prevail once the law has settled in and adequate protection has been implemented.

A specific body of law setting out the elements of fraud as it relates to the DAB Regime in Bermuda has not been developed. The general common law position would apply should this be considered by Bermuda courts.

From a regulatory perspective, the BMA focuses on safeguarding client assets by seeking to prevent or minimise the potential for fraud and misappropriation. There are multiple pieces of legislation, regulation and various codes of conduct that govern consumer protection in Bermuda. The DABA mandates the safeguarding of client assets and sets out the provisions for establishing formal customer complaints policies and procedures. The Digital Asset Business Custody Code of Practice supplements the provisions of the DABA and specifies the requirements of segregating client assets from those of the DABA licensee.

Among other matters, the BMA focuses on protecting customers and stakeholders, maintaining market integrity and fostering trust in Bermuda’s digital asset business sector. Although fraud is not a singular focus of the BMA’s regulatory regime, the Digital Asset Regimes have been curated to combat the risk of fraud. The BMA closely monitors the activities of regulated business for potential fraud and monitors all sectors (including, specifically, the digital asset sector) for other corrupt activities, such as:

  • investment fraud;
  • market manipulation;
  • money laundering and terrorist financing;
  • insider trading;
  • fraudulent exchanges and wallets; and
  • cybersecurity breaches.

Carey Olsen Bermuda Limited

Rosebank Centre
5th Floor
11 Bermudiana Road
Pembroke HM 08
Bermuda

+1 441 542 4525

steven.reesdavies@careyolsen.com
www.careyolsen.com/locations/bermuda