Since the introduction of the Digital Asset Business Act 2018 (DABA) and ancillary regulations related thereto (the “DAB Regime”), Bermuda has become a recognised global leader in the regulation of the fintech sector. The Bermuda government forged one of the world’s first comprehensive regulatory frameworks specifically designed to provide legal and regulatory certainty to industry participants while ensuring that business in the fintech sector is conducted in accordance with recognised international standards and best practice.
Bermuda’s legal and regulatory fintech framework is founded on two key statutes. The DABA introduced the DAB Regime for businesses conducting “digital asset business” and the Digital Asset Issuance Act 2020 (DAIA) established a regime to regulate initial coin or token offerings, referred to as “digital asset issuances” (the “DAI Regime” and, together with the DAB Regime, the “Digital Asset Regimes”).
The DABA introduced the world’s first statutory definition of “digital assets” (see 2.2 Regulatory Regime (DABA)), which encompassed all types of digital coins, tokens and assets, without differentiation. This provided a consistent and reliable interpretation of what amounted to conducting digital asset business as a regulated activity in and from Bermuda.
Since the Digital Asset Regimes were introduced, the Bermuda Monetary Authority (BMA) – Bermuda’s sole financial services regulator – has continued to enhance and update applicable rules, regulations, codes of practice, statements of principles, and guidance to extend the scope of both Digital Asset Regimes.
Further, Bermuda has strived to grow a collaborative business and regulatory culture that involves industry and government working together to create opportunities and commercial success, with a truly independent, actively engaged and globally recognised regulator maintaining the balance between the promotion of innovation and adherence to worldwide standards of regulation, compliance and good corporate governance.
As a testament to this, in response to industry developments, in 2023 the list of regulated digital asset business activities under the DABA was expanded to include a separate activity of operating as a digital asset lending or digital asset repurchase transactions service provider. The first licence for this category was issued in 2024.
In 2024, the BMA published guidance specific to single currency pegged stablecoins – one of the first regulators to do so following consultation with the industry and recognising the potential for stablecoins as a widely spread asset class. Also in 2024, the BMA initiated a consultation inviting the industry to comment on changes and clarifications proposed to the DAB Regime to reflect developments in the rapidly evolving fintech market since the DABA’s introduction in 2018. This will be the first significant general amendment to the DABA since its enactment, evidencing the benefit and longevity resulting from the DAB Regime regulating all types of digital coins, tokens and assets from its inception.
Bermuda has also been actively exploring how to legally recognise – and, if applicable, regulate – decentralised financial services (“DeFi”). Both the BMA’s fintech team and the government’s DAO Working Group have been working on proposals for introducing digital governance models, such as DeFi protocols established as decentralised autonomous organisations (DAOs), into Bermuda law and regulation.
Bermuda-regulated digital asset businesses are not restricted from using AI models and these are already being used by existing businesses. The BMA regulates the use of such models in accordance with its proportionality principles that embrace innovation and the use of innovative tools, while ensuring appropriate oversight and risk management.
The BMA has also launched a consultation paper proposing the introduction of a regulatory regime to govern digital identification service providers (DISPs). The proposals follow a similar structure to the way in which Bermuda regulates digital asset businesses and are expected to be finalised and introduced in 2025.
To promote innovation in the insurance sector, the Bermuda government introduced an insurance regulatory sandbox, which allows start-up innovators to experiment in a regulated but smaller-scale environment. In 2023, the concept and scope of a regulatory sandbox was broadened to encompass investment business, promoting the offering of innovative products and the testing of new technologies and delivery methods in the traditional financial sectors. The regulatory sandbox continues to be used by entities looking to innovate and test new models. Its success and the approach of the BMA to innovative models have also allowed innovative businesses to skip the sandbox and successfully obtain licences specifically designed for innovation – for example, the classes of “innovative insurer (general business)” and “innovative insurer (long term)” under Bermuda’s insurance regulatory regime.
The Bermuda government has also announced its intention to launch a blockchain-based stimulus token for use in Bermuda’s retail market, which will be a Bermuda dollar-backed stablecoin using technology developed by a Bermuda business regulated under the DABA. The government has also been working on numerous other technology projects to further enhance the island’s digital infrastructure, including:
The extensive scope and flexibility of the Bermuda licensing regime supports a wide range of business models. This creates diversity and choice for industry across a range of industry sectors, including:
DABA
The DABA imposes a licensing requirement on any person carrying out digital asset business. It sets out the criteria a person must meet to obtain a licence, the applicable continuing obligations thereunder, and the supervisory and enforcement powers of the BMA.
The DABA applies to any entity incorporated or formed in Bermuda that carries out digital asset business, as well as any entity incorporated or formed outside Bermuda that carries out digital asset business in or from within Bermuda.
The term “digital asset” is defined in the DABA (and has the same meaning for the purpose of the DAIA) as “anything that exists in binary format and comes with the right to use it and includes a digital representation of value that is:
The “digital asset business” activities regulated by the DABA are:
Exemptions
The Minister of Finance, acting on the advice of the BMA, can issue an exemption order under the DABA that grants a specified person – or a person that falls within a specified class – exemption from having to obtain a licence under the DABA. In 2023, the Bermuda government issued an exemption order excluding the following persons from registration under the DABA:
Similarly, the BMA can grant an exemption or modification exempting a person conducting a digital asset business from the requirement to comply with any standard applicable to it or modify the same. This may be subject to specified conditions.
Licensing requirements
There are three classes of licence available to persons conducting digital asset business activities in or from Bermuda, as follows.
Minimum licensing criteria
Schedule 1 of the DABA sets out the minimum criteria for licensing, as follows.
Holders of a Class M or Class F licence must maintain a head office in Bermuda from which the business is managed and directed. Licensed persons must also demonstrate a cybersecurity programme commensurate with the nature, size and complexity of the digital asset business activities. The business must also file an annual comprehensive cybersecurity report prepared by its chief information security officer that assesses the availability, functionality and integrity of its electronic systems in each case; this is reviewed and subject to an external audit.
In 2023, the BMA issued the Digital Asset Business (Cyber Risk) Rules 2023, which replaced the Digital Asset Business (Cybersecurity) Rules 2018. These rules require Class F licence holders to file cyber-risk returns with the BMA on an annual basis. Class M and Class T licence holders will be required to make such filing as often as prescribed by the BMA.
DAIA
The DAIA applies to any undertaking incorporated or formed in or outside Bermuda that conducts any digital asset issuance in or from within Bermuda. The BMA has issued the Digital Asset Issuance Rules 2020, which expand upon the requirements under the DAIA.
A “digital asset issuance” is an offer to the public, or any section of the public, to acquire digital assets or to enter into an agreement to acquire digital assets at a future date. Any undertaking seeking to conduct a digital asset issuance must obtain prior authorisation from the BMA.
Although issuers of digital assets may be regulated under the DABA, which regulates the business of issuing, selling or redeeming digital assets in general, those intending to issue digital assets as a means to raise capital or fund projects would fall under the DAIA. Those intending to issue, sell or redeem digital assets as a business (eg, continuously with the intention to capture a profit) would fall under the DABA. The DAIA grants the BMA wide-ranging powers of supervision and enforcement similar to those granted under the DABA.
Exemptions
Prior authorisation under the DAIA is not required if:
Although prior authorisation is not required, before any such transaction, an issuer or promoter must file a digital asset placement declaration form with the BMA.
Minimum authorisation requirements
The BMA may not authorise an undertaking to conduct a digital asset issuance unless it is satisfied that the undertaking fulfils certain minimum criteria set out in the DAIA. These authorisation criteria are substantially the same as the minimum licensing criteria under the DABA (see “DABA (Minimum licensing criteria)”).
Issuance document
The DAIA requires any person conducting a digital asset issuance to publish and file an issuance document with the BMA, unless the digital asset issuance falls within an exemption. The following are examples of information that must be included in the issuance document:
DABA licensees do not have any restrictions regarding the way in which they charge customers, if the charges are applicable to their business model and are adequately disclosed.
According to the Digital Asset Business (Client Disclosure) Rules 2018 (the “DAB Client Disclosure Rules”), at the time of entering a contract for the provision of products or services, a DABA licensee must either provide the customer with a schedule of fees and charges for any service or product being given or – if such fees and charges are not set in advance and disclosed at the time the contract is entered into – disclose the manner in which fees and charges will be calculated and the manner in which payment is to be made by the customer to the DABA licensee. Following the conclusion of the transaction with the customer, a DABA licensee must provide the customer with information relating to (among other things) the fee charged for transactions, including any charge for conversion of a digital asset to another digital asset or to fiat currency.
The regulatory model for legacy players in Bermuda (eg, insurers, investment business providers, or banks) is fundamentally the same as the fintech regulatory model. Persons conducting such activities “in or from within Bermuda” who are not exempted or excluded fall within scope of the relevant Bermuda regulatory regime and are generally required to obtain authorisation or approval from the BMA prior to conducting such activities.
The fintech regulatory regime in Bermuda – namely, the DABA, the DAIA, and the relevant regulations promulgated thereunder – applies to all persons who are conducting a digital asset issuance or digital asset business in or from within Bermuda, regardless of whether or not such persons were conducting such activities prior to the inception of each statute.
Bermuda established one of the world’s first digital asset business bank licensing regimes that provides for a banking licence to be issued to persons seeking to provide traditional banking services to the digital asset sector and – when conjoined with a licence issued under the DABA – the legal and regulatory ability to offer traditional banking services using digital assets.
Bermuda’s “regulatory sandbox” concept encompasses regulated activities across all sectors following its successful implementation under the DABA. The sandbox regime permits businesses that are seeking to be innovative or have innovative products or services to apply for a conditional sandbox licence, which – under the DABA – originally comprised the Class M licence. This was later expanded to also include a Class T licence, which was introduced specifically for persons seeking to test or run a prototype with reduced regulatory obligations commensurate with their reduced risk status.
Another example is an insurance regulatory sandbox under the Insurance Act 1978 and related regulations, each as amended (the “Insurance Act”), which allows for companies to test new technologies and offer innovative products, services, and delivery mechanisms to a specified number of policyholders for a specific period.
The BMA has the power to review applications for the applicable sandbox and determine the appropriate legislative and regulatory requirements that should be modified during the period within the sandbox.
The BMA is the sole financial services regulator and controller for foreign exchange control purposes in Bermuda.
There is no formal method whereby an entity can request the BMA to issue a “no-action” letter under the Digital Asset Regimes. However, when presented with certain fact patterns, the BMA has been willing to provide reassurance on its approach to certain business models – particularly where such business models fall outside the Digital Asset Regimes (eg, business models involving gaming tokens and proprietary trading).
The Digital Asset Business Act 2018 – Code of Practice (the “DAB Code of Practice”) provides that certain regulated functions, such as asset management, custodial services, cybersecurity, compliance and internal audit, can be outsourced to third parties. The BMA requires the disclosure of any material outsourcing arrangements and it has, through its general guidance on outsourcing as well as through the DAB Code of Practice, reiterated that the responsibility remains with the digital asset business to ensure that all legal and regulatory obligations (under the DABA and any other relevant rules and regulations) are met to the same degree as if the outsourced function was being performed internally.
Where roles have been outsourced to either external third parties or to affiliated entities of the digital asset business licensee, it is the directors of the licensee who are responsible for ensuring that there is oversight and clear accountability for each role. Any service agreement for an outsourced function must include terms on compliance with jurisdictional laws and regulations and should not prohibit co-operation with the BMA or its access to data and records in a timely manner. The directors of the licensee must assess the impact of outsourcing a role.
Where outsourcing a particular function is reasonably expected to adversely affect governance and risk management structures, excessively increase operational risk, affect the BMA’s ability to effectively supervise and regulate the entity, and/or adversely affect customer protection, that function should not be outsourced.
For the purposes of cross-border outsourcing arrangements, there is no list of approved or equivalent jurisdictions; however, it would be preferable to outsource to an entity that is regulated either by the BMA or by a regulator in another jurisdiction that applies standards that are at least equivalent to those applied in Bermuda. Any foreign entity providing outsourced functions to Bermuda-regulated entities must comply with the requirements under Bermuda’s AML/ATF laws and regulations.
In January 2025, the BMA issued a consultation paper on operational resilience, which proposes a specific outsourcing code and associated guidelines applicable to all regulated sectors in Bermuda. Final versions of the code and guidelines will be published after the 60-day consultation period.
The AML/ATF regulations imposed on DABA licensees mandate thorough onboarding (including background checks) of customers and the ongoing monitoring and reporting of suspicious activities by customers in respect of the use of the DABA licensee’s products and/or services.
A person licensed under the DABA as an electronic exchange can apply to become an “accredited digital asset exchange” under the DAIA. This accreditation effectively turns the exchange into a “gatekeeper” for digital asset issuances. This means that it can authorise digital asset issuances without the issuer being required to file an issuance document with the BMA.
The BMA has wide powers under the DABA and the DAIA in relation to enforcement, including the power to:
In the event a licensee fails to comply with a condition, restriction or direction imposed by the BMA or with certain requirements of the DABA, the BMA has the power to:
In the more extreme cases, the BMA may revoke a licence and subsequently petition the court for the winding-up of the entity whose licence it has revoked.
Personal Information and Protection Act
Bermuda’s Personal Information and Protection Act 2016 (PIPA) is the main piece of legislation in Bermuda that regulates the use of personal information. It has been implemented in phases and came into full force and effect on 1 January 2025.
Every organisation in Bermuda that uses personal information, where such information is used either wholly or partly by automated means – or where it forms, or is intended to form, part of a structured filing system – is caught under PIPA.
Under PIPA, an organisation can only use personal information where there is a lawful basis for that use. Such lawful bases include:
In order to comply with the provisions of PIPA, those organisations that are caught under it (including those in the fintech sector) will need to:
Where an organisation transfers personal information to a third party (overseas or otherwise), it must assess the level of protection provided by the overseas transferee and will nonetheless remain responsible for PIPA compliance in relation to that personal information.
If an organisation does not believe that the protection provided by an overseas third party will be comparable to the level required under PIPA, that organisation must choose to employ contractual mechanisms, corporate codes of conduct, or other means by which to ensure that the overseas third party provides a comparable level of protection.
The privacy laws of other jurisdictions may have extraterritorial effect (eg, the EU General Data Protection Regulation (GDPR)) and organisations in Bermuda may also be subject to these.
Cybersecurity
The Digital Asset Business (Cyber Risk) Rules 2018 (the “Cybersecurity Rules”) and the Digital Asset Business Operational Cyber Risk Management Code of Practice (January 2024) (the “Cybersecurity Code”) apply specific cybersecurity rules to persons licensed to conduct digital asset business. The BMA has a team dedicated to the supervision of persons conducting digital asset business when it comes to their cybersecurity programmes. Every Class F licence holder is required to file a cyber-risk return with the BMA on an annual basis. Class M and Class T licence holders will be required to make such filing as often as prescribed by the BMA. Every entity licensed under the DABA must appoint a senior executive whose responsibility it is to oversee and implement its cybersecurity programme and enforce its cybersecurity policies.
An application for a licence under the DABA must include information in relation to:
AML/ATF
Persons licensed under the DABA are “regulated financial institutions” under the Proceeds of Crime Act 1997 (POCA). This means that they will be required to comply with all Bermuda legislation applicable to “regulated financial institutions” (ie, banks, long-term life insurance companies, investment funds and investment fund administrators), including Bermuda’s AML/ATF legislation and regulations (collectively, the “AML/ATF Rules”). The BMA has also published sector-specific guidance notes for DABA licensees (Annex VIII – Sector-Specific Guidance Notes (SSGN) for Digital Asset Business) to assist with compliance with applicable AML/ATF obligations.
Under the AML/ATF Rules, DABA licensees must:
There are also specific rules applicable to companies that are conducting public offerings of digital assets. Specifically, these companies:
In contrast, a company that is offering shares to the public is only subject to these requirements if it is a “regulated financial institution”, as prescribed under the AML/ATF Rules.
Sanctions
The UK extends sanctions measures to Bermuda by way of Overseas Territories Orders in Council (“OT Orders”). However, not all OT Orders extend to Bermuda (owing to policy reasons) and are therefore brought into force under the International Sanctions Act 2003 (ISA).
The Bermuda sanctions regulatory regime applies to all individuals and legal entities who are within or who undertake activities within Bermuda.
OT Orders have a broad reach and apply to persons in Bermuda, as well as to any person not in Bermuda but who is a British citizen, a citizen of a British overseas territory, a British subject, an overseas British national or a British protected person ordinarily resident in Bermuda. Any person on board a ship or aircraft that is registered in Bermuda is also caught by financial sanctions.
As “regulated financial institutions”, DABA licensees have an obligation to report to Bermuda’s Financial Sanctions Implementation Unit as soon as practicable if they know – or have reasonable cause to suspect – that a person:
DABA licensees are also required to:
If a DABA licensee has outsourced this function to a service provider, steps should be taken to verify that the service provider is also fully compliant with the Bermuda sanctions regime, as ultimate responsibility for compliance remains with the DABA licensee.
Anti-Bribery
Under Bermuda’s Bribery Act 2016, the following offences are applicable to both individuals and corporations:
In addition, there is also a corporate offence of failing to prevent bribery that applies to corporate bodies and partnerships incorporated and formed in Bermuda. This is a strict liability offence, with only one possible defence – the organisation will have to prove that it had “adequate procedures” in place designed to prevent persons who are associated with it from bribing. The Bermuda government has published the Bribery Act 2016 Guidance, in which the principles concerning what amounts to “adequate procedures” are set out.
Electronic Transactions Act 1999
The Electronic Transactions Act 1999 introduced – among other benefits – a statutory recognition of the validity of digital/electronic records and, subject to certain criteria being met, signatures applied to such records.
Traditional financial service industry sectors in Bermuda have all been actively involved in the development and implementation of complementary financial and non-financial services to the growing fintech sector.
Banking
Bermuda’s banking laws were amended in 2018, with the introduction of the Banks and Deposit Companies Amendment Act 2018 (the “Banks Amendment Act”), which sought to open up the banking market by providing relief from certain local banking requirements (eg, retail banking services) in return for restricting services to the fintech sector. This provided a balance between positive new competition and the protection of existing traditional retail banking services.
Financial Auditing
DABA licensees must have their financial statements audited annually. The BMA is cognisant of the influence of global events on the appetite of the established audit firms for auditing this sector and, as such, financial audits may be conducted by regulated audit firms registered in Bermuda or in other jurisdictions that are recognised as following the same or similar accounting standards as approved by the BMA.
Other Service Providers
Bermuda has seen an increased interest in persons seeking to provide all manner of financial and non-financial services to the fintech sector, including AML/ATF compliance, accounting, custodial, fund management and administration, legal and corporate services.
DABA licensees or issuers authorised under the DAIA are not expressly prohibited from conducting unregulated business. However, in each case, the licensed/authorised entity must ensure that its regulated business is conducted in a prudent manner. Accordingly, any unregulated activities will need to be assessed from the perspective of how they affect the regulated activities of the DABA licensee or issuer.
See 2.11 Implications of Additional, Non-Financial Services Regulations.
Bermuda is a member of the Caribbean Financial Action Task Force (CFATF) – an associate member of the Financial Action Task Force (FATF) – and has committed to implementing FATF standards and mandates.
Bermuda’s AML/ATF legislation and regulations have been subsequently amended in 2015, 2016, 2017 and 2018 following an International Monetary Fund review of Bermuda’s AML/ATF regime in 2007, a Mutual Evaluation Review by CFATF in 2018, and revisions to the FATF Recommendations in 2012 and subsequent years. The amendments to Bermuda’s AML/ATF regime broadened the range of persons subject to these requirements and granted additional powers to the BMA and other supervisory authorities to enforce compliance.
The DABA applies to any entity incorporated or formed in Bermuda that carries out digital asset business and any entity incorporated or formed outside Bermuda that carries out digital asset business in or from within Bermuda. Additionally, the DAIA applies to any undertaking incorporated or formed in or outside Bermuda that conducts any digital asset issuance in or from within Bermuda.
Provided that the relevant digital asset business activities and/or issuance activities are ultimately conducted and provided from outside Bermuda following a “reverse solicitation” request, a licence would not be needed for the entity to conduct the relevant digital assets services.
Although “robo-advice” or other types of automated advice are not specifically regulated by the BMA, DABA licensees and digital asset issuers that adopt robo-advice will need to consider the regulation of providing “advice” more broadly.
Under the IBA, the giving or offering of investment advice to customers or potential customers in respect of “investments” may constitute investment business, which cannot be conducted in or from Bermuda without being licensed or registered under the IBA (subject to any applicable designation as a non-registrable person by Bermuda’s Minister of Finance). What constitutes an “investment” under the IBA is broadly defined, and includes assets ranging from shares and debentures to options and futures, and therefore can capture digital asset derivatives.
The use of robo-advice as a low-cost alternative advice model has been considered by legacy players in the Bermuda market to give locals access to more affordable advice, particularly by the banking and government sectors. Bermuda’s first robo-adviser platform, known as “iInvest”, was set up by Clarien (a regulated financial services group that includes Clarien Bank Limited). However, the use of robo-advisers in respect of digital assets has not yet been widely adopted by such legacy players.
Licensed investment managers need to comply (and ensure that any robo-adviser or other technology they adopt complies) with the Code of General Business Conduct and Practice. This code recommends that an investment provider does not transact business for a customer on worse terms than it would expect to obtain for itself, making allowances for the size of the transaction (and other allowances).
The BMA has not published any specific guidance on best execution for regulated digital asset business entities. However, the BMA will consider the method(s) for execution and settlement as part of the licensing application process.
The BMA regulates the business of lending fiat under the Banks and Deposit Companies Act 1999 and relevant regulations (collectively, the “Banks Act”). Under the Banks Act Code of Conduct, licensed banks and deposit-taking companies are required to identify and implement policies and procedures to accommodate and afford reasonable care to an individual who is identified as vulnerable or who discloses these needs to the institution. Otherwise, the Banks Act does not differentiate between the business of lending to individuals, small businesses, or others.
Additionally, in 2023, operating as a digital asset lending provider and operating as a digital asset repurchase transactions service provider were included as separate regulated digital asset activities under the DABA. These categories (respectively) encompass circumstances where:
The counterparty in the above-mentioned circumstances can be any type of person or entity.
As mentioned in 2.4 Variations Between the Regulation of Fintech and Legacy Players, Bermuda also introduced one of the world’s first digital asset business bank licensing regimes that provides for a banking licence to be issued to persons seeking to provide traditional banking services to the digital asset sector.
There are no additional requirements for the underwriting of digital assets, other than compliance with regulations under the DABA and the Banks Amendment Act mentioned in 2.12 Review of Industry Participants by Parties Other than Regulators, as applicable (assuming the underwriting process does not fall within scope of the Insurance Act). A person conducting digital asset lending will be required to deliver details of risk management and controls to the BMA. Additionally, to the extent the assets transferred to an underwriter constitute equity securities, the Exchange Control Act 1971 of Bermuda will apply.
Bermuda’s legal and regulatory landscape – in particular, the regulation of lending or repurchase transactions under the DABA – does not distinguish between the sources of funds for loans. An entity lending either fiat or digital assets will be required to submit its credit risk management framework and controls to the BMA with its licensing application and as part of its ongoing regulatory monitoring and reporting obligations.
DABA licensees, banks and deposit-taking companies are prescribed as AML/ATF-regulated financial institutions and must comply with relevant AML/ATF regulations, which may include requirements to verify source of funds of customers.
The syndication of loans involving Bermuda obligors is not uncommon. Typically, the syndication of loans takes place on a cross-border basis involving lenders and counterparties overseas, where documentation is usually subject to the laws of a foreign jurisdiction, and is not otherwise directly captured under current regulation (subject to bespoke conditions such as minimum capitalisation requirements for DABA licensees or regulated insurtech entities in Bermuda).
Payment processors are not required to use existing payment rails under Bermuda law, nor are they precluded from creating or implementing new payment rails. However, creating or implementing a new payment rail for the purposes of advancing digital asset business may prompt the licensing requirements under the DABA.
A payment processor (excluding an entity licensed under the Banks Act) may also require a licence under Bermuda’s Money Service Business Act 2016 (unless subject to an exemption under the Guidance Notes – Money Service Business Act 2016) if it conducts any of the following money service business activities:
Any purchases of foreign fiat currency made by a Bermuda resident in Bermuda dollars from an institution licensed under the Banks Act will be subject to a foreign currency purchase tax of 1.25%, which must be withheld by the applicable institution and thereafter remitted to the Bermuda Tax Commissioner.
Cross-border payments and remittances using digital assets are separately regulated under the DAB Regime, but are not subject to the foreign currency purchase tax.
Digital Asset Exchange/Digital Asset Derivative Exchange
Digital asset exchanges and digital asset derivative exchanges are permissible and the operation of both is regulated under the DABA. There are no material differences between the requirements applicable under the DABA to these two different types of platforms.
A digital asset exchange is a centralised or decentralised electronic marketplace used for digital asset issuances, distributions, conversions and trades (including primary and secondary distributions) with or without payment. These may include digital asset conversions and trades entered into by the electronic marketplace as principal or agent.
A digital asset derivative exchange means a centralised or decentralised marketplace used for digital asset derivative issuances, distributions and trades with or without payment, which may include digital asset derivatives trades entered into by the marketplace as principal or agent. A digital asset derivative means an option, a swap, a future, a contract for difference or any other contract or instrument whose market price, value or delivery or payment obligations are derived from, referenced to or based on a digital asset underlying interest.
Insurance Marketplace Provider
The Insurance Act also licenses the operation of a platform, of any type, established for the purpose of buying, selling or trading contracts of insurance. Such licensed activities may be done in a traditional manner or through the insurtech sandbox as an innovative insurance marketplace provider.
Bermuda Stock Exchange
In relation to the general trading of securities of publicly listed companies in Bermuda, the Bermuda Stock Exchange (“BSX”) is the primary trading platform. Traditional securities of all types can be listed on the BSX, provided they meet the application and maintenance requirements of the BSX Listing Regulations.
See 6.1 Permissible Trading Platforms.
Traditional securities that are listed on the BSX must meet the standards and requirements set out in the BSX Listing Regulations. The principal function of the BSX is to provide a fair, orderly and efficient market for the trading of securities of both domestic and foreign issuers and the BSX is itself regulated by the BMA.
In contrast, digital asset exchanges and digital asset derivative exchange providers are all regulated under the DABA and are required to conduct their business in a prudent manner. Specifically, in relation to the listing of digital assets and digital asset derivatives, there are no definitive regulatory criteria for exchanges to adhere to other than in relation to seeking BMA approval to introduce a new product or service. The standards by which each licensed entity chooses to list different products will be set and maintained by that licensed entity as part of its application for a licence. The general overview of such standards must be included in and approved by the BMA upon the entity’s initial application for licensing or as part of a notification or application to introduce new listings. The BMA has also issued the Digital Asset Business Act 2018 – Product Due Diligence Guidance Notes, which outline the BMA’s expectation in relation to the diligence conducted on products and services (including digital assets listed on a Bermuda exchange) introduced by a DABA licensee.
See 6.4 Listing Standards.
Peer-to-peer trading platforms that offer services to the public as a business in and from within Bermuda and allow the trading of digital assets are generally captured under the DABA and subject to the same regulatory requirements and scrutiny as operators of a digital asset exchange or digital asset derivative exchange. There is still open discussion and consideration as to how a DAO would be treated if providing such services; however, for the time being and in most instances, there would need to be a legal person or organisation with a nexus to Bermuda in order for the DAO to be captured.
See 6.4 Listing Standards.
The BSX has a clear set of principles concerning the market integrity expected of a traditional securities exchange within its Listing Regulations.
The BMA has published the DAB Code of Practice, the DAB Client Disclosure Rules, the Cybersecurity Rules and AML Sector-Specific Guidance Notes for Digital Assets, among other publications – all of which include principles governing the conduct of digital asset business generally and which supplement the principles and regulations found within the primary legislation.
Under these codes and rules, DABA licensed entities are required to observe principles such as ethical corporate behaviour, customer protection and security, business integrity and prudence, and regulatory and legal compliance. Within the relevant rules and codes, as well as the DABA, the BMA is granted authority to review, monitor and enforce the relevant requirements.
Currently, there are no specific regulations exclusively for the creation and use of digital assets in high-frequency and algorithmic trading. Such activities may fall under either the DABA and/or IBA licensing regimes, depending upon the type of asset being traded and whether such activity falls within proprietary trading or operating as a business to the public.
The DABA specifically includes market making activities within the scope of “digital asset service vendors”. A licence is required for such operations from or within Bermuda. Within the DABA’s framework, a market maker is defined as someone who – as part of their business – engages in trading digital assets by providing bid-and-ask prices to profit from spreads, fulfilling customer orders, or hedging positions resulting from these activities.
However, individuals trading solely on a principal basis (eg, proprietary traders) are likely to fall outside the scope of the definition of market makers under the DABA. A thorough examination of agreements between these individuals and trading platforms or exchanges is essential to determine their classification in each case.
Although the IBA and Investment Funds Act 2006 (IFA) specifically differentiate between funds and dealers of traditional investments, the DABA does not. Typically, an investment fund falls outside the scope of the DABA unless it engages in digital asset business activities. Also, an investment fund that has appointed an investment manager that is licensed under the IBA or authorised by a recognised regulator is exempted from needing to apply for a DABA licence, provided it gives prior notice to the BMA.
Meanwhile, a licensed digital asset business entity is explicitly excluded from the definitions of an investment fund under the IFA.
The BMA takes a strict approach in relation to investment funds that invest in digital assets. In this regard, care will need to be taken to consider the overall structure of the business and the rights, powers and obligations of participants, as well as the overarching objective, in order to properly assess whether a business or other arrangement is captured under the Digital Asset Regimes.
The activity of developing and creating trading algorithms and other electronic trading tools is not regulated. However, if the benefit or use of such services is offered directly to the public as part of that business, such activities may be captured under the DABA and/or the IBA – depending on the asset type being traded.
The underwriting process for traditional insurers is currently regulated by the Insurance Act. An insurer will be required to submit a detailed description of its underwriting strategy to the BMA. The underwriting process may be conducted by the insurer or outsourced with the prior approval of the BMA. Although not expressly provided for in the statute, it is typical for the BMA to require a proportionately similar process for innovative insurers.
There are various classes and types of (re)insurers and insurance intermediaries regulated under the Insurance Act – all of which will attract different regulatory treatment by the BMA. However, the lines of insurance business are only statutorily divided between general business and long-term business. There is also a robust captive industry, which is regulated differently under the Insurance Act, as well as the innovative classes of insurance and insurance intermediaries who operate within the insurtech sandbox.
There are no legislative or regulatory provisions governing the design, provision or delivery of regulatory technology. Persons who use the technology may be caught by any one of Bermuda’s regulatory regimes, including those created under the DABA or the DAIA, if the business activity that they are conducting using the technology is itself a regulated activity.
Financial service providers in Bermuda will seek and expect contractual terms based on international market practice. It is the financial service provider using the technology that will be expected to ensure the technology helps or permits it to comply, and does not prohibit it from complying, with its legal and regulatory obligations.
Traditional financial service providers in Bermuda have benefited from the country’s early adoption of sector-specific legislation and regulation through the inevitable and rapid education of the workforce around the use of blockchain technology. All industry sectors have been involved in the consideration of the potential implementation of blockchain as a technological solution to existing infrastructure demands.
What has been clearly evident is the traditional financial sector’s willingness to co-operate with new entrepreneurial businesses that are offering novel ways to conduct traditional business using innovative technology, including blockchain. As an example, NAYMS is a Bermuda digital insurance marketplace that uses blockchain technology for the conduct of brokering insurance contracts and has secured some of the oldest names in the industry as participants. There are also numerous other projects involving both the public sector and the private sector that have secured funding and gained traction in developing blockchain solutions, often involving professional service companies such as law firms to assist in building both the digital and regulatory infrastructure to ensure solutions are as legally sound as they are technically robust.
Notably, with regard to the Bermuda government and blockchain, the government has indicated its intention to launch a blockchain-based stimulus token for use in Bermuda’s retail market. As mentioned in 1.1 Evolution of the Fintech Market, such token is intended to be a Bermuda dollar-backed stablecoin and employ technology developed by a DABA-regulated entity.
Demonstrating its role as an active, engaged and responsive regulator, the BMA and the Bermuda government regularly consult with industry with a view to the continued improvement of the digital asset regulatory framework, including its effective administration and enforcement. The BMA and industry stakeholders continually review and monitor this framework (including the DABA and the DAIA) to ensure that it continues to meet or exceed applicable international standards – for example, with regard to regulation, compliance, and transparency – and that it continues to be fit for purpose.
Please refer to 2.2 Regulatory Regime for details of how “digital assets” are defined and treated. The Digital Asset Regimes do not differentiate between the different types of digital assets that exist or can be created and they are agnostic when it comes to the underlying technology. The Digital Asset Regimes seek to regulate the business and service activities surrounding digital assets in a manner that recognises the unique factors of the technology, as opposed to seeking to fit the different types of digital assets within existing legal and regulatory definitions.
However, this has not precluded the BMA from recognising and providing guidance to businesses utilising known use cases for specific digital assets. In 2024, the BMA consulted industry stakeholders and published guidance specific to issuers of single currency pegged stablecoins (see 1.1 Evolution of the Fintech Market).
Please refer to 2.2 Regulatory Regime for the broad definition of “digital assets” in the DABA and the DAIA and their application to issuers. The DAIA requires regulatory permission to conduct a digital asset issuance that is conducted for the purposes of raising funds for a specific project, whereas the DABA is a licensing regime focused on regulating digital asset issuances as a service and digital asset issuances that have an ongoing business element to them.
Blockchain asset trading platforms that are offered to the public and operate as a “digital asset exchange” or a “digital asset derivative exchange provider” (each as defined under the DABA) are regulated under the DABA as “digital asset businesses” and must be licensed thereunder.
Peer-to-peer trading, when conducted in a proprietary manner, is not specifically regulated. However, the DABA includes a broad spectrum of activities that might appear to be proprietary trading but – owing to the way in which they are conducted – are deemed to be digital asset business activities, including the provision of intermediary services.
The BMA applies a broad interpretation to the list of digital asset business activities contained in 2.2 Regulatory Regime and legal advice should be sought on any proposed digital asset transaction or activities in or from within Bermuda. Even if the transaction is intended to be proprietary in nature, there can be nuances to an arrangement that could bring the transaction within the scope of the DABA.
Depending on the circumstances, the provision of staking services relating to digital assets may be caught under the DAB Regime. Staking services that involve conducting digital asset transactions on behalf of another person would, for example, be considered a digital asset business activity under the DABA. However, if the staking services are conducted in a proprietary manner, they are unlikely to be considered a regulated activity (see 10.5 Regulation of Blockchain Asset Trading Platforms).
The provision of lending services relating to digital assets is regulated in Bermuda. In 2023, operating as a digital asset lending and operating as a digital asset purchase transaction service provider were added as separate regulated digital asset business activities under the DABA. The entity facilitating the digital asset lending, either as principal or agent (ie, the entity providing the platform or avenue through which digital assets are loaned), is required to be licensed under the DABA.
Similarly, in the context of traditional lending services, Bermuda also provides for a digital asset business bank licensing regime – under which, a banking licence may be issued to persons seeking to provide traditional banking (including lending) services to digital asset businesses. Please see 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities for details on the lending-related regulations in Bermuda regarding digital assets and in general.
The offering of digital asset derivatives is regulated under the DABA and overseen by the BMA. The DABA imposes requirements related to – inter alia – supervision, compliance, capital, cybersecurity, risk management, AML/ATF, and reporting.
Operating as a digital asset derivative exchange provider requires a licence under the DABA.
The DAB Regime applies to persons conducting the business of providing any or all of the specified digital asset business activities to the public. DeFi is not expressly defined under the DAB Regime; however, depending on the activities being conducted via or in relation to a DeFi platform or protocol, activities conducted could be caught under any number of the existing digital asset business categories of the DABA. The BMA takes a pragmatic yet heightened approach to regulating persons that provide services to the public using a DeFi protocol in accordance with its proportionality principles. The key question is who is legally deemed to be responsible for the activities of the protocol. Where the protocol is truly decentralised but requires contractual services (eg, treasury) to be provided by a legal entity, it is the legal entity that would fall under the DAB Regime. In such instances, the BMA will want to understand the constitutional basis for the activities of the protocol and the contractual basis for the provision of services.
In respect of DeFi protocols, developing software technology is currently unlikely to fall under any regulations in Bermuda (other than the economic substance regime that applies to all companies whose revenue is derived from IP in Bermuda). The BMA’s fintech team and the Bermuda government’s DAO Working Group, comprising the leading fintech lawyers in Bermuda, have both been working on proposals for introducing regulation specifically designed for digital governance models, such as DeFi protocols established as DAOs. The BMA recently issued a consultation paper that invites proposals for a collaborative pilot project aimed at testing embedded supervision practices within the context of DeFi, while the DAO Working Group has delivered a recommendation paper on how the existing legal and regulatory framework could be improved and adapted to recognise DAOs for the purposes of providing legal certainty and regulatory oversight.
Currently, those looking to be regulated in Bermuda and provide services to the public through a DeFi protocol should consider using a legal “wrapper” that can act on behalf of the protocol and its participants. An example would be to use a company limited by guarantee structure whereby the company has members limited by guarantee rather than shareholders and is restricted from making any distributions to its members. Another available structure is the use of a special purpose vehicle whose shares are owned by an orphaned Bermuda trust serviced by a Bermuda-regulated trustee entity. In such an instance, the BMA would regulate the legal “wrapper” as the person responsible for the protocol’s compliance with the DAB Regime.
Any fund that is captured within the definition of “investment fund” in the IFA, including funds that deal in digital assets, will be subject to regulation under the IFA. However, pursuant to the Digital Asset Business Exemption Order 2023, an investment fund that conducts a digital asset business activity and has appointed an investment manager that is licensed under the IBA or is authorised by a “recognised regulator” (as defined in the IBA) will be exempt from licensing under the DABA as long as an annual notice is filed with the BMA. It should be noted that, even though the fund itself may be exempt, if the investment manager, custodian or administrator are based in Bermuda they may well be deemed to be conducting a digital asset business activity and require a DABA licence.
Please refer to 2.2 Regulatory Regime for the broad definition of “digital assets” in the DABA and the DAIA. Virtual currencies that meet the definition of “digital assets” are treated the same as other blockchain-derived assets from a regulatory perspective.
For the purposes of Bermuda law, NFTs would constitute digital assets (see 2.2 Regulatory Regime) and a platform that facilitates the trading of NFTs would be conducting the digital asset business of operating a digital asset exchange, which requires a DABA licence.
The Bermuda government has indicated its support to the BMA “in advancing open banking standards in Bermuda to provide better services to local consumers while enabling new digital banking services to be offered”.
An entity intending to conduct open banking activities in or from within Bermuda would be required to adhere to the licensing requirements and provisions of the Banks Amendment Act as well as the provisions of the DABA where such business constitutes digital asset business activity. There is currently no express prohibition on open banking activity under the Bermuda legal regime.
To date, the concept of open banking has not been prevalent with banks operating from within Bermuda. With PIPA having come into effect on 1 January 2025 (see 2.11 Implications of Additional, Non-Financial Services Regulations), Bermuda banks may be deterred from pursuing open banking concepts in the near future owing to the increased scrutiny over the protection of personal information. However, it is anticipated that the consensual use of personal information in these optional and contractual relationships will prevail once the law has settled in and adequate protection has been implemented.
A specific body of law setting out the elements of fraud as it relates to the DAB Regime in Bermuda has not been developed. The general common-law position would apply should this be considered by Bermuda courts.
From a regulatory perspective, the BMA focuses on safeguarding customer assets by seeking to prevent or minimise the potential for fraud and misappropriation. There are multiple pieces of legislation, regulation and various codes of conduct that govern consumer protection in Bermuda. The DABA mandates the safeguarding of customer assets and sets out the provisions for establishing formal customer complaints policies and procedures. The Digital Asset Business Custody Code of Practice supplements the provisions of the DABA and specifies the requirements of segregating customer assets from those of the DABA licensee.
Among other matters, the BMA focuses on protecting customers and stakeholders, maintaining market integrity, and fostering trust in Bermuda’s digital asset business sector. Although fraud is not the singular focus of the BMA’s regulatory regime, Bermuda’s Digital Asset Regimes have been curated to combat the risk of fraud. The BMA closely monitors the activities of regulated businesses for potential fraud and other corrupt activities in all sectors (and, specifically, the digital asset sector), including:
The Digital Asset Regimes do not specifically provide for liability of licensees for loss suffered by customers, other than in relation to the provision of custodial services and the requirement to have appropriate insurance or a similar arrangement in place to protect customer interests. However, under common law, there are also civil remedies available to customers in the event loss is suffered by customers as a result of a licensee’s failures (such as negligence or a breach of contract).
In the event the licensee entity is responsible for losses suffered by customers and is unable to meet that obligation out of its assets, the Bermuda insolvency regime applies to licensees under the Digital Asset Regimes and is available to customers.
The BMA’s Enforcement Guide provides that one of the most important factors the BMA will consider when assessing any civil penalty for breaches is whether there has been any loss, or risk of loss, to customers. If customers have suffered loss as a result of a breach by the licensee, then the licensee and potentially its directors/officers should expect the BMA to take this into account when developing its enforcement action.