Since the introduction of the Digital Asset Business Act 2018 (DABA) and ancillary regulations related thereto (the “DAB Regime”), Bermuda has become a recognised global leader in the regulation of the fintech sector. The Bermuda government forged one of the world’s first comprehensive regulatory frameworks specifically designed to provide legal and regulatory certainty to industry participants while ensuring that business in the fintech sector is conducted in accordance with recognised international standards and best practice.

Bermuda’s legal and regulatory fintech framework is founded on two key statutes. The DABA introduced the DAB Regime for businesses conducting “digital asset business” and the Digital Asset Issuance Act 2020 (DAIA) established a regime to regulate initial coin or token offerings (the “DAI Regime”) (together with the DAB Regime, the “Digital Asset Regimes”), referred to as “digital asset issuances”.

The DABA introduced the world’s first statutory definition of “digital assets” (see 2.2 Regulatory Regime (DABA)), which encompassed all types of digital coins, tokens and assets, without differentiation. This provided a consistent and reliable interpretation of what amounted to conducting digital asset business as a regulated activity in and from Bermuda.

Since the Digital Asset Regimes were introduced, the Bermuda Monetary Authority (BMA) – Bermuda’s sole financial services regulator – has continued to enhance and update applicable rules, regulations, codes of practice, statements of principles, and guidance to extend the scope of both Digital Asset Regimes.

Further, Bermuda has strived to grow a collaborative business and regulatory culture that involves industry and government working together to create opportunities and commercial success, with a truly independent, actively engaged and globally recognised regulator maintaining the balance between the promotion of innovation and adherence to worldwide standards of regulation, compliance and good corporate governance.

As a testament to this, in response to industry developments, in 2023 the list of regulated digital asset business activities under the DABA was expanded to include a separate activity of operating as a digital asset lending or digital asset repurchase transactions service provider. The first licence for this category was issued in 2024.

In 2024, the BMA published guidance specific to single currency pegged stablecoins – one of the first regulators to do so following consultation with the industry and recognising the potential for stablecoins as a widely spread asset class. Also in 2024, the BMA initiated a consultation inviting the industry to comment on proposed changes and clarifications proposed to the DAB Regime to reflect developments  in the rapidly evolving fintech market since the DABA’s introduction in 2018. This will be the first significant general amendment to the DABA since its enactment, evidencing the benefit and longevity resulting from the DAB Regime regulating all types of digital coins, tokens and assets from its inception.

Bermuda has also been actively exploring how to legally recognise – and, if applicable, regulate – decentralised financial services (“DeFi”). Both the BMA’s fintech team and the government’s DAO Working Group have been working on proposals for introducing digital governance models, such as DeFi protocols established as decentralised autonomous organisations (DAOs), into Bermuda law and regulation.

Bermuda-regulated digital asset businesses are not restricted from using AI models and these are already being used by existing businesses. The BMA regulates the use of such models in accordance with its proportionality principles that embrace innovation and the use of innovative tools, while ensuring appropriate oversight and risk management.

The BMA has also launched a consultation paper proposing the introduction of a regulatory regime to govern digital identification service providers (DISPs). The proposals follow a similar structure to the way in which Bermuda regulates digital asset businesses and is expected to be finalised and introduced in 2025.

To promote innovation in the insurance sector, the Bermuda government introduced an insurance regulatory sandbox, which allows start-up innovators to experiment in a regulated but smaller-scale environment. In 2023, the concept and scope of a regulatory sandbox was broadened to encompass investment business, promoting the offering of innovative products and the testing of new technologies and delivery methods in the traditional financial sectors. The regulatory sandbox continues to be used by entities looking to innovate and test new models. Its success and the approach of the BMA to innovative models have also allowed innovative businesses  to skip the sandbox and successfully obtain licences specifically designed for innovation – for example, the classes of “innovative insurer (general business)” and “innovative insurer (long term)” under Bermuda’s insurance regulatory regime.

The Bermuda government has also announced its intention to launch a blockchain-based stimulus token for use in Bermuda’s retail market, which will be a Bermuda dollar-backed stablecoin using technology developed by a Bermuda business regulated under the DABA. The government has also been working on numerous other technology projects to further enhance the island’s digital infrastructure, including:

• the development of a digital ID system that meets internationally recognised standards of both privacy and AML/anti-terrorist financing (ATF) regulation; and
• the introduction of submarine cabling legislation to protect both the environment surrounding the island and the submarine cables themselves – the latter being the critical hardware infrastructure that supports the digital asset sector.

The extensive scope and flexibility of the Bermuda licensing regime supports a wide range of business models. This creates diversity and choice for industry across a range of industry sectors, including:

• digital asset payment service providers;
• digital assets and digital asset derivatives exchanges and trading platforms;
• digital asset trust service providers;
• digital asset issuers (eg, stablecoins and utility tokens);
• custodians and custodial wallet providers;
• regulatory and environmental technology;
• digital asset vendors (including market makers);
• digital asset lending or repurchase transaction service providers and yield platforms;
• investment funds, fund managers and fund administrators using digital assets;
• digital asset banks; and
• innovative insurers and insurance intermediaries (such as marketplace providers or managers).

DABA

The DABA imposes a licensing requirement on any person carrying out digital asset business. It sets out the criteria a person must meet to obtain a licence, the applicable continuing obligations thereunder, and the supervisory and enforcement powers of the BMA.

The DABA applies to any entity incorporated or formed in Bermuda that carries out digital asset business, as well as any entity incorporated or formed outside Bermuda that carries out digital asset business in or from within Bermuda.

The term “digital asset” is defined in the DABA (and has the same meaning for the purpose of the DAIA) as “anything that exists in binary format and comes with the right to use it and includes a digital representation of value that is: 

• used as a medium of exchange, unit of account, or store of value and is not legal tender, whether or not denominated in legal tender;
• intended to represent assets such as debt or equity in the promoter;
• otherwise intended to represent any assets or rights associated with such assets; or
• intended to provide access to an application or service or product by means of distributed ledger technology”.

The “digital asset business” activities regulated by the DABA are:

• issuing, selling or redeeming virtual coins, tokens or any other form of digital asset – this is intended to regulate any person providing these services to other persons, whether such person is situated in or outside Bermuda;
• operating as a payment service provider business utilising digital assets, which includes the provision of services for the transfer of funds;
• operating as a digital assets exchange;
• carrying out digital asset trust services;
• providing custodial wallet services;
• operating as a digital assets derivative exchange provider;
• operating as a digital asset services vendor; and
• operating as a digital asset lending or digital asset repurchase transactions service provider.

Exemptions

The Minister of Finance, acting on the advice of the BMA, can issue an exemption order under the DABA that grants a specified person – or a person that falls within a specified class – exemption from having to obtain a licence under the DABA. In 2023, the Bermuda government issued an exemption order excluding the following persons from registration under the DABA:

• the BMA;
• the Bermuda government and any entity owned by it;
• any public authority;
• a person providing an affinity or rewards programme, provided that notice is given to the BMA;
• a publisher issuing a token used exclusively within an online game platform, provided that notice is given to the BMA;
• a person providing data storage or security services for a DAB, provided that notice is given to the BMA;
• an undertaking providing digital asset business activity solely for the purpose of its business operations or the business operations of any group undertaking, provided that notice is given to the BMA; and
• an investment fund that has appointed an investment manager that is licensed under the Investment Business Act 2003 (IBA) or authorised by a recognised regulator, provided that notice is given to the BMA.

Similarly, the BMA can grant an exemption or modification exempting a person conducting a digital asset business from the requirement to comply with any standard applicable to it or modify the same. This may be subject to specified conditions.

Licensing requirements

There are three classes of licence available to persons conducting digital asset business activities in or from Bermuda, as follows.

• Class F licence – a Class F licence is a full licence to conduct specified digital asset business activities and is not subject to a specified period. However, the BMA has the discretion to place restrictions or conditions on a licence where they deem it appropriate in the circumstances.
• Class M licence – a Class M licence is a modified licence to conduct specified digital asset business activities, with modified restrictions and conditions. It is only valid for a specified period of time determined by the BMA.
• Class T licence – a Class T licence is designed to operate as a test licence for pilot or beta testing in relation to specified digital asset business activities. Once the BMA considers that the business has successfully achieved its testing objectives, it will accept an application to upgrade the licence to a Class M or potentially Class F licence. Class T licences are more appropriate for start-ups, owing to the relaxed approach to the minimum licensing criteria.

Minimum licensing criteria

Schedule 1 of the DABA sets out the minimum criteria for licensing, as follows.

• The controllers and officers of the licensed/authorised entity must be fit and proper persons.
• The licensed/authorised business must be conducted in a prudent manner.
• The licensed/authorised business must be carried on with integrity and with the professional skills appropriate to the nature and scale of its activities.
• The licensed/authorised entity must implement corporate governance policies and processes appropriate given the nature, size, complexity, and risk profile of the digital asset business activities (eg, a minimum of two persons to effectively direct the business and typically with at least one non-executive director).
• The position of the licensed/authorised entity within a group structure will not obstruct the conduct of consolidated supervision by the BMA.

Holders of a Class M or Class F licence must maintain a head office in Bermuda from which the business is managed and directed. Licensed persons must also demonstrate a cybersecurity programme commensurate with the nature, size and complexity of the digital asset business activities. The business must also file an annual comprehensive cybersecurity report prepared by its chief information security officer that assesses the availability, functionality and integrity of its electronic systems in each case; this is reviewed and subject to an external audit.

In 2023, the BMA issued the Digital Asset Business (Cyber Risk) Rules 2023, which replaced the Digital Asset Business (Cybersecurity) Rules 2018. It requires Class F licence holders to file cyber-risk returns with the BMA on an annual basis. Class M and Class T licence holders will be required to make such filing as often as prescribed by the BMA.

DAIA

The DAIA applies to any undertaking incorporated or formed in or outside Bermuda that conducts any digital asset issuance in or from within Bermuda. The BMA has issued the Digital Asset Issuance Rules 2020, which expand upon the requirements under the DAIA.

A “digital asset issuance” is an offer to the public, or any section of the public, to acquire digital assets or to enter into an agreement to acquire digital assets at a future date. Any undertaking seeking to conduct a digital asset issuance must obtain prior authorisation from the BMA.

Although issuers of digital assets may be regulated under the DABA, which regulates the business of issuing, selling or redeeming digital assets in general, those intending to issue digital assets as a means to raise capital or fund projects would fall under the DAIA. Those intending to issue, sell or redeem digital assets as a business (eg, continuously with the intention to capture a profit) would fall under the DABA. The DAIA grants the BMA wide-ranging powers of supervision and enforcement similar to those granted under the DABA.

Exemptions

Prior authorisation under the DAIA is not required if:

• the issuance will result in digital assets becoming available to fewer than 150 persons;
• the issuance is only to “qualified acquirers” (as defined in the DAIA); or
• the issuance is only to persons whose ordinary business involves the acquisition, disposal or holding of digital assets.

Although prior authorisation is not required, before any such transaction, an issuer or promoter must file a digital asset placement declaration form with the BMA.

Minimum authorisation requirements

The BMA may not authorise an undertaking to conduct a digital asset issuance unless it is satisfied that the undertaking fulfils certain minimum criteria set out in the DAIA. These authorisation criteria are substantially the same as the minimum licensing criteria under the DABA (see “DABA (Minimum licensing critiera)”).

Issuance document

The DAIA requires any person conducting a digital asset issuance to publish and file an issuance document with the BMA, unless the digital asset issuance falls within an exemption. The following are examples of information that must be included in the issuance document:

• details of all persons involved with the issuance(s), including the applicants directors, chief executives, senior executives, shareholder controllers, promoters, service providers, and auditors (and other such information);
• disclosure of any legal proceedings;
• the name and nature of the project;
• key features of the product or service to be developed;
• a description of the project and proposed timelines, including any milestones;
• the targeted digital asset acquirers and jurisdiction(s) (and any restrictions that apply);
• the amount of money intended to be raised;
• a description of the proposed offer, including the timing of opening and closing the offer;
• two-year financial projections;
• details and descriptions of the technologies being used;
• a description of the risks associated with the issuance (and any mitigations against such in place);
• details of the custodial arrangements in place; and
• a description of the data and privacy protections in place.

DABA licensees do not have any restrictions regarding the way in which they charge customers, if the charges are applicable to their business model and are adequately disclosed.

According to the Digital Asset Business (Client Disclosure) Rules 2018 (the “DAB Client Disclosure Rules”), at the time of entering a contract for the provision of products or services, a DABA licensee must either provide the customer with a schedule of fees and charges for any service or product being given or – if such fees and charges are not set in advance and disclosed at the time the contract is entered into – disclose the manner in which fees and charges will be calculated and the manner in which payment is to be made by the customer to the DABA licensee. Following the conclusion of the transaction with the customer, a DABA licensee must provide the customer with information relating to (among other things) the fee charged for transactions, including any charge for conversion of a digital asset to another digital asset or to fiat currency.

The regulatory model for legacy players in Bermuda (eg, insurers, investment business providers, or banks) is fundamentally the same as the fintech regulatory model. Persons conducting such activities “in or from within Bermuda” who are not exempted or excluded fall within scope of the relevant Bermuda regulatory regime and are generally required to obtain authorisation or approval from the BMA prior to conducting such activities.

The fintech regulatory regime in Bermuda – namely, the DABA, the DAIA, and the relevant regulations promulgated thereunder – apply to all persons who are conducting a digital asset issuance or digital asset business in or from within Bermuda, regardless of whether or not such persons were conducting such activities prior to the inception of each statute.

Bermuda established one of the world’s first digital asset business bank licensing regimes that provides for a banking licence to be issued to persons seeking to provide traditional banking services to the digital asset sector and – when conjoined with a licence issued under the DABA – the legal and regulatory ability to offer traditional banking services using digital assets.

Bermuda’s “regulatory sandbox” concept encompasses regulated activities across all sectors following its successful implementation under the DABA. The sandbox regime permits businesses that are seeking to be innovative or have innovative products or services to apply for a conditional sandbox licence, which – under the DABA – originally comprised the Class M licence. This was later expanded to also include a Class T licence, which was introduced specifically for persons seeking to test or run a prototype with reduced regulatory obligations commensurate with their reduced risk status.

Another example is an insurance regulatory sandbox under the Insurance Act 1978 and related regulations, each as amended (the “Insurance Act”), which allows for companies to test new technologies and offer innovative products, services, and delivery mechanisms to a specified number of policyholders for a specific period.

The BMA has the power to review applications for the applicable sandbox and determine the appropriate legislative and regulatory requirements that should be modified during the period within the sandbox.

The BMA is the sole financial services regulator and controller for foreign exchange control purposes in Bermuda.

There is no formal method whereby an entity can request the BMA to issue a “no-action” letter under the Digital Asset Regimes. However, when presented with certain fact patterns, the BMA has been willing to provide reassurance on their approach to certain business models – particularly where such business models fall outside the Digital Asset Regimes (eg, business models involving gaming tokens and proprietary trading).

The Digital Asset Business Act 2018 – Code of Practice (the “DAB Code of Practice”) provides that certain regulated functions, such as asset management, custodial services, cybersecurity, compliance and internal audit, can be outsourced to third parties. The BMA requires the disclosure of any material outsourcing arrangements and it has, through its general guidance on outsourcing as well as through the DAB Code of Practice, reiterated that the responsibility remains with the digital asset business to ensure that all legal and regulatory obligations (under the DABA and any other relevant rules and regulations) are met to the same degree as if the outsourced function was being performed internally.

Where roles have been outsourced to either external third parties or to affiliated entities of the digital asset business licensee, it is the directors of the licensee who are responsible for ensuring that there is oversight and clear accountability for each role. Any service agreement for an outsourced function must include terms on compliance with jurisdictional laws and regulations and should not prohibit co-operation with the BMA or its access to data and records in a timely manner. The directors of the licensee must assess the impact of outsourcing a role.

Where outsourcing a particular function is reasonably expected to adversely affect governance and risk management structures, excessively increase operational risk, affect the BMA’s ability to effectively supervise and regulate the entity, and/or adversely affect customer protection, that function should not be outsourced.

For the purposes of cross-border outsourcing arrangements, there is no list of approved or equivalent jurisdictions; however, it would be preferable to outsource to an entity that is regulated either by the BMA or by a regulator in another jurisdiction that applies standards that are at least equivalent to those applied in Bermuda. Any foreign entity providing outsourced functions to Bermuda-regulated entities must comply with the requirements under Bermuda’s AML/ATF laws and regulations.

In January 2025, the BMA issued a consultation paper on operational resilience, which proposes a specific outsourcing code and associated guidelines applicable to all regulated sectors in Bermuda. Final versions of the code and guidelines will be published after the 60-day consultation period.

The AML/ATF regulations imposed on DABA licensees mandate thorough onboarding (including background checks) of customers and the ongoing monitoring and reporting of suspicious activities by customers in respect of the use of the DABA licensee’s products and/or services.

A person licensed under the DABA as an electronic exchange can apply to become an “accredited digital asset exchange” under the DAIA. This accreditation effectively turns the exchange into a “gatekeeper” for digital asset issuances. This means that it can authorise digital asset issuances without the issuer being required to file an issuance document with the BMA.

The BMA has wide powers under the DABA and the DAIA in relation to enforcement, including the power to:

• compel the production of information and documents, with criminal sanctions for failing to produce such information/documentation or for making false or misleading statements;
• compel a licensee to submit to an investigation conducted by a third party appointed by the BMA, with the licensee being responsible for payment of all expenses of (and incidental to) the investigation;
• issue directions for the purpose of safeguarding the interests of a licensee’s customers where a licensee is in breach of the DABA or any other rules or regulations applicable to it;
• impose conditions and restrictions on licences, such as:
1. requiring a licensee to take certain steps or to refrain from adopting or pursuing a particular course of action;
2. restricting the scope of a licensee’s business activities in a certain way;
3. prohibiting or imposing limitations on the acceptance of business;
4. prohibiting a licensee from soliciting business, either generally or from prospective customers;
5. prohibiting a licensee from entering into any other transactions or class of transactions;
6. requiring the removal of any officer or controller; and/or
7. specifying requirements to be fulfilled otherwise than by action taken by the licensee.

In the event a licensee fails to comply with a condition, restriction or direction imposed by the BMA or with certain requirements of the DABA, the BMA has the power to:

• impose fines or civil penalties of up to USD10 million;
• seek criminal convictions to impose fines and/or imprisonment;
• issue a public censure to name and shame the licensee;
• issue a prohibition order banning a person from performing certain functions for a Bermuda-regulated entity; or
• obtain an injunction from the court.

In the more extreme cases, the BMA may revoke a licence and subsequently petition the court for the winding-up of the entity whose licence it has revoked.

Personal Information and Protection Act

Bermuda’s Personal Information and Protection Act 2016 (PIPA) is the main piece of legislation in Bermuda that regulates the use of personal information. It has been implemented in phases and came into full force and effect on 1 January 2025.

Every organisation in Bermuda that uses personal information, where such information is used either wholly or partly by automated means – or where it forms, or is intended to form, part of a structured filing system – is caught under PIPA.

Under PIPA, an organisation can only use personal information where there is a lawful basis for that use. Such lawful bases include:

• when the organisation has the knowing consent of the individual to that use;
• where the individual would not reasonably be expected to object to that use (except in relation to sensitive personal information);
• where using that information is necessary for the performance of a contract to which the individual is a party;
• where the use is authorised or required by law; and
• where the use is necessary in the context of an individual’s employment relationship with the organisation.

In order to comply with the provisions of PIPA, those organisations that are caught under it (including those in the fintech sector) will need to:

• adopt suitable measures and policies that take into account the nature, scope, context and purposes of the use of personal information, as well as the risk to individuals that results from the use of such information;
• ensure that any third party whose services are engaged (by contract or otherwise) in connection with the use of personal information complies with PIPA at all times;
• designate a privacy officer who will have primary responsibility for communicating with the privacy commissioner;
• ensure that all personal information they hold is accurate, up to date, adequate, relevant, and proportionate to the purposes for which it is to be used and ensure that all personal information is only kept as long as is necessary for its use;
• implement safeguards (proportionate to the likelihood and severity of harm, the sensitivity of the personal information, and the context in which the information is held) to protect personal information against risks of unauthorised access, destruction, use, modification or disclosure; and
• provide a “privacy notice” to each individual before or at the time their personal information is collected, which should be clear and easily accessible and which must provide the individual with details of the organisation’s practices and policies in relation to personal information.

Where an organisation transfers personal information to a third party (overseas or otherwise), it must assess the level of protection provided by the overseas transferee and will nonetheless remain responsible for PIPA compliance in relation to that personal information.

If an organisation does not believe that the protection provided by an overseas third party will be comparable to the level required under PIPA, that organisation must choose to employ contractual mechanisms, corporate codes of conduct, or other means by which to ensure that the overseas third party provides a comparable level of protection.

The privacy laws of other jurisdictions may have extraterritorial effect (eg, the EU General Data Protection Regulation (GDPR)) and organisations in Bermuda may also be subject to these.

Cybersecurity

The Digital Asset Business (Cyber Risk) Rules 2018 (the “Cybersecurity Rules”) and the Digital Asset Business Operational Cyber Risk Management Code of Practice (January 2024) (the “Cybersecurity Code”) apply specific cybersecurity rules to persons licensed to conduct digital asset business. The BMA has a team dedicated to the supervision of persons conducting digital asset business when it comes to their cybersecurity programmes. Every Class F licence holder is required to file a cyber-risk return with the BMA on an annual basis. Class M and Class T licence holders will be required to make such filing as often as prescribed by the BMA. Every entity licensed under the DABA must appoint a senior executive whose responsibility it is to oversee and implement its cybersecurity programme and enforce its cybersecurity policies.

An application for a licence under the DABA must include information in relation to:

• the applicant’s proposed cybersecurity risk management policies;
• how those policies interact with each other;
• how the applicant implements the “three lines of defence” model, including:
1. risk management;
2. internal audit; and
3. compliance functions.

AML/ATF

Persons licensed under the DABA are “regulated financial institutions” under the Proceeds of Crime Act 1997 (POCA). This means that they will be required to comply with all Bermuda legislation applicable to “regulated financial institutions” (ie, banks, long-term life insurance companies, investment funds and investment fund administrators), including Bermuda՚s AML/ATF legislation and regulations (collectively, the “AML/ATF Rules”). The BMA has also published sector-specific guidance notes for DABA licensees (Annex VIII – Sector-Specific Guidance Notes (SSGN) for Digital Asset Business) to assist with compliance with applicable AML/ATF obligations.

Under the AML/ATF Rules, DABA licensees must:

• adopt a risk-based approach to obtaining adequate due diligence on and verifying the identity of their customers;
• support ongoing monitoring; and
• report any suspicious activities.

There are also specific rules applicable to companies that are conducting public offerings of digital assets. Specifically, these companies:

• must identify and verify participants in the offer;
• must comply with the AML/ATF requirements set out in the Digital Asset Issuance Rules 2020; and
• if unable to comply with any relevant AML/ATF Rules, are prohibited from opening an account or issuing a digital asset to any person and must terminate the business relationship.

In contrast, a company that is offering shares to the public is only subject to these requirements if it is a “regulated financial institution”, as prescribed under the AML/ATF Rules.

Sanctions

The UK extends sanctions measures to Bermuda by way of Overseas Territories Orders in Council (“OT Orders”). However, not all OT Orders extend to Bermuda (owing to policy reasons) and are therefore brought into force under the International Sanctions Act 2003 (ISA).

The Bermuda sanctions regulatory regime applies to all individuals and legal entities who are within or who undertake activities within Bermuda.

OT Orders have a broad reach and apply to persons in Bermuda, as well as to any person not in Bermuda but who is a British citizen, a citizen of a British overseas territory, a British subject, an overseas British national or a British protected person ordinarily resident in Bermuda. Any person on board of a ship or aircraft that is registered in Bermuda is also caught by financial sanctions.

As “regulated financial institutions”, DABA licensees have an obligation to report to Bermuda’s Financial Sanctions Implementation Unit as soon as practicable if they know – or have reasonable cause to suspect – that a person:

• is a designated or listed person; or
• has committed an offence under the licensing, contravention or circumvention provisions of the sanctions.

DABA licensees are also required to:

• establish and maintain risk-sensitive policies and procedures that include:
1. the application of customer due diligence (enhanced customer due diligence is required where a person or a transaction is from or in a country subject to international sanctions);
2. ongoing monitoring of the customer relationship; and
3. maintaining adequate records of their customers and their business activities against sanctions lists applicable to Bermuda; and
• maintain records for any potential matches to names and sanctions lists, whether the match turns out to be true or a false positive.

If a DABA licensee has outsourced this function to a service provider, steps should be taken to verify that the service provider is also fully compliant with the Bermuda sanctions regime, as ultimate responsibility for compliance remains with the DABA licensee.

Anti-Bribery

Under Bermuda’s Bribery Act 2016, the following offences are applicable to both individuals and corporations:

• an offence of bribing (offering, promising or giving a financial or other advantage);
• an offence of being bribed (requesting, agreeing to receive or accepting a financial or other advantage); and
• an offence of bribing foreign public officials.

In addition, there is also a corporate offence of failing to prevent bribery that applies to corporate bodies and partnerships incorporated and formed in Bermuda. This is a strict liability offence, with only one possible defence – the organisation will have to prove that it had “adequate procedures” in place designed to prevent persons who are associated with it from bribing. The Bermuda government has published the Bribery Act 2016 Guidance, in which the principles concerning what amounts to “adequate procedures” are set out.

Electronic Transactions Act 1999

The Electronic Transactions Act 1999 introduced – among other benefits – a statutory recognition of the validity of digital/electronic records and, subject to certain criteria being met, signatures applied to such records.

Traditional financial service industry sectors in Bermuda have all been actively involved in the development and implementation of complimentary financial and non-financial services to the growing fintech sector. 

Banking

Bermuda’s banking laws were amended in 2018, with the introduction of the Banks and Deposit Companies Amendment Act 2018 (the “Banks Amendment Act”), which sought to open up the banking market by providing relief from certain local banking requirements (eg, retail banking services) in return for restricting services to the fintech sector. This provided a balance between positive new competition and the protection of existing traditional retail banking services.

Financial Auditing

DABA licensees must have their financial statements audited annually. The BMA is cognisant of the influence of global events on the appetite of the established audit firms for auditing this sector and, as such, financial audits may be conducted by regulated audit firms registered in Bermuda or in other jurisdictions that are recognised as following the same or similar accounting standards as approved by the BMA.

Other Service Providers

Bermuda has seen an increased interest in persons seeking to provide all manner of financial and non-financial services to the fintech sector, including AML/ATF compliance, accounting, custodial, fund management and administration, legal and corporate services.

DABA licensees or issuers authorised under the DAIA are not expressly prohibited from conducting unregulated business. However, in each case, the licensed/authorised entity must ensure that its regulated business is conducted in a prudent manner. Accordingly, any unregulated activities will need to be assessed from the perspective of how they affect the regulated activities of the DABA licensee or issuer.

See 2.11 Implications of Additional, Non-Financial Services Regulations.

Bermuda is a member of the Caribbean Financial Action Task Force (CFATF) – an associate member of the Financial Action Task Force (FATF) – and has committed to implementing FATF standards and mandates.

Bermuda’s AML/ATF legislation and regulations have been subsequently amended in 2015, 2016, 2017 and 2018 following an International Monetary Fund review of Bermuda’s AML/ATF regime in 2007, a Mutual Evaluation Review by CFATF in 2018, and revisions to the FATF Recommendations in 2012 and subsequent years. The amendments to Bermuda’s AML/ATF regime broadened the range of persons subject to these requirements and granted additional powers to the BMA and other supervisory authorities to enforce compliance.

The DABA applies to any entity incorporated or formed in Bermuda that carries out digital asset business and any entity incorporated or formed outside Bermuda that carries out digital asset business in or from within Bermuda. Additionally, the DAIA applies to any undertaking incorporated or formed in or outside Bermuda that conducts any digital asset issuance in or from within Bermuda.

Provided that the relevant digital asset business activities and/or issuance activities are ultimately conducted and provided from outside Bermuda following a “reverse solicitation” request, a licence would not be needed for the entity to conduct the relevant digital assets services.

Although “robo-advice” or other types of automated advice are not specifically regulated by the BMA, DABA licensees and digital asset issuers that adopt robo-advice will need to consider the regulation of providing “advice” more broadly.

Under the IBA, the giving or offering of investment advice to customers or potential customers in respect of “investments” may constitute investment business, which cannot be conducted in or from Bermuda without being licensed or registered under the IBA (subject to any applicable designation as a non-registrable person by Bermuda’s Minister of Finance). What constitutes an “investment” under the IBA is broadly defined, and includes assets ranging from shares and debentures to options and futures, and therefore can capture digital asset derivatives.

The use of robo-advice as a low-cost alternative advice model has been considered by legacy players in the Bermuda market to give locals access to more affordable advice, particularly by the banking and government sectors. Bermuda’s first robo-adviser platform, known as “iInvest”, was set up by Clarien (a regulated financial services group that includes Clarien Bank Limited). However, the use of robo-advisers in respect of digital assets has not yet been widely adopted by such legacy players.

Licensed investment managers need to comply (and ensure that any robo-adviser or other technology it adopts complies) with the Code of General Business Conduct and Practice. This code recommends that an investment provider does not transact business for a customer on worse terms than it would expect to obtain for itself, making allowances for the size of the transaction (and other allowances).

The BMA has not published any specific guidance on best execution for regulated digital asset business entities. However, the BMA will consider the method(s) for execution and settlement as part of the licensing application process.

The BMA regulates the business of lending fiat under the Banks and Deposit Companies Act 1999 and relevant regulations (collectively, the “Banks Act”). Under the Banks Act Code of Conduct, licensed banks and deposit-taking companies are required to identify and implement policies and procedures to accommodate and afford reasonable care to an individual who is identified as vulnerable or who discloses these needs to the institution. Otherwise, the Banks Act does not differentiate between the business of lending to individuals, small businesses, or others.

Additionally, in 2023, operating as a digital asset lending provider and operating as a digital asset repurchase transactions service provider were included as separate regulated digital asset activities under the DABA. These categories (respectively) encompass circumstances where:

• a person facilitating, either as principal or agent, digital asset lending transactions by which a counterparty transfers or lends digital assets to a borrower subject to a commitment that the borrower will return equivalent digital assets with or without interest or premium on a future date or when requested to do so by the lender; and
• a person facilitating, either as principal or agent, digital asset repurchase transactions by which a person transfers digital assets to a counterparty subject to a commitment to repurchase such digital assets (or substituted digital assets of the same description) from that counterparty at a specified price with or without premium on a future date specified or to be specified.

The counterparty in the above-mentioned circumstances can be any type of person or entity.

As mentioned in 2.4 Variations Between the Regulation of Fintech and Legacy Players, Bermuda also introduced one of the world’s first digital asset business bank licensing regimes that provides for a banking licence to be issued to persons seeking to provide traditional banking services to the digital asset sector.

There are no additional requirements for the underwriting of digital assets, other than compliance with regulations under the DABA and the Banks Amendment Act mentioned in 2.12 Review of Industry Participants by Parties Other than Regulators, as applicable (assuming the underwriting process does not fall within scope of the Insurance Act). A person conducting digital asset lending will be required to deliver details of risk management and controls to the BMA. Additionally, to the extent the assets transferred to an underwriter constitute equity securities, the Exchange Control Act 1971 of Bermuda will apply.

Bermuda’s legal and regulatory landscape – in particular, the regulation of lending or repurchase transactions under the DABA – does not distinguish between the sources of funds for loans. An entity lending either fiat or digital assets will be required to submit its credit risk management framework and controls to the BMA with its licensing application and as part of its ongoing regulatory monitoring and reporting obligations.

DABA licensees, banks and deposit-taking companies are prescribed as AML/ATF-regulated financial institutions and must comply with relevant AML/ATF regulations, which may include requirements to verify source of funds of customers.

The syndication of loans involving Bermuda obligors is not uncommon. Typically, the syndication of loans takes place on a cross-border basis involving lenders and counterparties overseas, where documentation is usually subject to the laws of a foreign jurisdiction, and is not otherwise directly captured under current regulation (subject to bespoke conditions such as minimum capitalisation requirements for DABA licensees or regulated insurtech entities in Bermuda).

Payment processors are not required to use existing payment rails under Bermuda law, nor are they precluded from creating or implementing new payment rails. However, creating or implementing a new payment rail for the purposes of advancing digital asset business may prompt the licensing requirements under the DABA.

A payment processor (excluding an entity licensed under the Banks Act) may also require a licence under Bermuda’s Money Service Business Act 2016 (unless subject to an exemption under the Guidance Notes – Money Service Business Act 2016) if it conducts any of the following money service business activities:

• money transmission services;
• cashing cheques that are made payable to customers, as well as guaranteeing cheques;
• issuing, selling or redeeming drafts, money orders or traveller’s cheques for cash;
• payment services business; or
• operating a bureau de change whereby cash in one currency is exchanged for cash in another currency.

Any purchases of foreign fiat currency made by a Bermuda resident in Bermuda dollars from an institution licensed under the Banks Act will be subject to a foreign currency purchase tax of 1.25%, which must be withheld by the applicable institution and thereafter remitted to the Bermuda Tax Commissioner.

Cross-border payments and remittances using digital assets are separately regulated under the DAB Regime, but are not subject to the foreign currency purchase tax.

Digital Asset Exchange/Digital Asset Derivative Exchange

Digital asset exchanges and digital asset derivative exchanges are permissible and the operation of both are regulated under the DABA. There are no material differences between the requirements applicable under the DABA to these two different types of platforms.

A digital asset exchange is a centralised or decentralised electronic marketplace used for digital asset issuances, distributions, conversions and trades (including primary and secondary distributions) with or without payment. These may include digital asset conversions and trades entered into by the electronic marketplace as principal or agent.

A digital asset derivative exchange means a centralised or decentralised marketplace used for digital asset derivative issuances, distributions and trades with or without payment, which may include digital asset derivatives trades entered into by the marketplace as principal or agent. A digital asset derivative means an option, a swap, a future, a contract for difference or any other contract or instrument whose market price, value or delivery or payment obligations are derived from, referenced to or based on a digital asset underlying interest.

Insurance Marketplace Provider

The Insurance Act also licenses the operation of a platform, of any type, established for the purpose of buying, selling or trading contracts of insurance. Such licensed activities may be done in a traditional manner or through the insurtech sandbox as an innovative insurance marketplace provider.

Bermuda Stock Exchange

In relation to the general trading of securities of publicly listed companies in Bermuda, the Bermuda Stock Exchange (“BSX”) is the primary trading platform. Traditional securities of all types can be listed on the BSX, provided they meet the application and maintenance requirements of the BSX Listing Regulations.

See 6.1 Permissible Trading Platforms.

See 6.1 Permissible Trading Platforms.

Traditional securities that are listed on the BSX must meet the standards and requirements set out in the BSX Listing Regulations. The principal function of the BSX is to provide a fair, orderly and efficient market for the trading of securities of both domestic and foreign issuers and the BSX is itself regulated by the BMA.

In contrast, digital asset exchanges and digital asset derivative exchange providers are all regulated under the DABA and are required to conduct their business in a prudent manner. Specifically, in relation to the listing of digital assets and digital asset derivatives, there are no definitive regulatory criteria for exchanges to adhere to other than in relation to seeking BMA approval to introduce a new product or service. The standards by which each licensed entity chooses to list different products will be set and maintained by that licensed entity as part of their application for a licence. The general overview of such standards must be included in and approved by the BMA upon the entity’s initial application for licensing or as part of a notification or application to introduce new listings. The BMA has also issued the Digital Asset Business Act 2018 – Product Due Diligence Guidance Notes, which outlines the BMA’s expectation in relation to the diligence conducted on products and services (including digital assets listed on a Bermuda exchange) introduced by a DABA licensee.

See 6.4 Listing Standards.

Peer-to-peer trading platforms that offer services to the public as a business in and from within Bermuda and allow the trading of digital assets are generally captured under the DABA and subject to the same regulatory requirements and scrutiny as operators of a digital asset exchange or digital asset derivative exchange. There is still open discussion and consideration as to how a DAO would be treated if providing such services; however, for the time being and in most instances, there would need to be a legal person or organisation with a nexus to Bermuda in order for the DAO to be captured.

See 6.4 Listing Standards.

The BSX has a clear set of principles concerning the market integrity expected of a traditional securities exchange within its Listing Regulations.

The BMA has published the DAB Code of Practice, the DAB Client Disclosure Rules, the Cybersecurity Rules and AML Sector-Specific Guidance Notes for Digital Assets, among other publications – all of which include principles governing the conduct of digital asset business generally and which supplement the principles and regulations found within the primary legislation.

Under these codes and rules, DABA licensed entities are required to observe principles such as ethical corporate behaviour, customer protection and security, business integrity and prudence, and regulatory and legal compliance. Within the relevant rules and codes, as well as the DABA, the BMA is granted authority to review, monitor and enforce the relevant requirements.

Currently, there are no specific regulations exclusively for the creation and use of digital assets in high-frequency and algorithmic trading. Such activities may fall under either the DABA and/or IBA licensing regimes, depending upon the type of asset being traded and whether such activity falls within proprietary trading or operating as a business to the public.

The DABA specifically includes market making activities within the scope of “digital asset service vendors”. A licence is required for such operations from or within Bermuda. Within the DABA’s framework, a market maker is defined as someone who – as part of their business – engages in trading digital assets by providing bid-and-ask prices to profit from spreads, fulfilling customer orders, or hedging positions resulting from these activities.

However, individuals trading solely on a principal basis (eg, proprietary traders) are likely to fall outside the scope of the definition of market makers under the DABA. A thorough examination of agreements between these individuals and trading platforms or exchanges is essential to determine their classification in each case.

Although the IBA and Investment Funds Act 2006 (IFA) specifically differentiate between funds and dealers of traditional investments, the DABA does not. Typically, an investment fund falls outside the scope of the DABA unless it engages in digital asset business activities. Also, an investment fund that has appointed an investment manager that is licensed under the IBA or authorised by a recognised regulator is exempted from needing to apply for a DABA licence, provided it gives prior notice to the BMA.

Meanwhile, a licensed digital asset business entity is explicitly excluded from the definitions of an investment fund under the IFA.

The BMA takes a strict approach in relation to investment funds that invest in digital assets. In this regard, care will need to be taken to consider the overall structure of the business and the rights, powers and obligations of participants, as well as the overarching objective, in order to properly assess whether a business or other arrangement is captured under the Digital Asset Regimes.

The activity of developing and creating trading algorithms and other electronic trading tools is not regulated. However, if the benefit or use of such services is offered directly to the public as part of that business, such activities may be captured under the DABA and/or the IBA – depending on the asset type being traded.

The underwriting process for traditional insurers is currently regulated by the Insurance Act. An insurer will be required to submit a detailed description of its underwriting strategy to the BMA. The underwriting process may be conducted by the insurer or outsourced with the prior approval of the BMA. Although not expressly provided for in the statute, it is typical for the BMA to require a proportionately similar process for innovative insurers.

There are various classes and types of (re)insurers and insurance intermediaries regulated under the Insurance Act – all of which will attract different regulatory treatment by the BMA. However, the lines of insurance business are only statutorily divided between general business and long-term business. There is also a robust captive industry, which is regulated differently under the Insurance Act, as well as the innovative classes of insurance and insurance intermediaries who operate within the insurtech sandbox.

There are no legislative or regulatory provisions governing the design, provision or delivery of regulatory technology. Persons who use the technology may be caught by any one of Bermuda’s regulatory regimes, including those created under the DABA or the DAIA, if the business activity that they are conducting using the technology is itself a regulated activity.

Financial service providers in Bermuda will seek and expect contractual terms based on international market practice. It is the financial service provider using the technology that will be expected to ensure the technology helps or permits the financial service provider to comply, and does not prohibit the financial service provider from complying, with the legal and regulatory obligations of the financial services provider.

Traditional financial service providers in Bermuda have benefited from the country’s early adoption of sector-specific legislation and regulation through the inevitable and rapid education of the workforce around the use of blockchain technology. All industry sectors have been involved in the consideration of the potential implementation of blockchain as a technological solution to existing infrastructure demands.

What has been clearly evident is the traditional financial sector’s willingness to co-operate with new entrepreneurial businesses that are offering novel ways to conduct traditional business using innovative technology, including blockchain. As an example, NAYMS is a Bermuda digital insurance marketplace that uses blockchain technology for the conduct of brokering insurance contracts and has secured some of the oldest names in the industry as participants. There are also numerous other projects involving both the public sector and the private sector that have secured funding and gained traction in developing blockchain solutions, often involving professional service companies such as law firms to assist in building both the digital and regulatory infrastructure to ensure solutions are as legally sound as they are technically robust.

Notably, with regard to the Bermuda government and blockchain, the government has indicated its intention to launch a blockchain-based stimulus token for use in Bermuda’s retail market. As mentioned in 1.1 Evolution of the Fintech Market, such token is intended to be a Bermuda dollar-backed stablecoin and employ technology developed by a DABA-regulated entity.

Demonstrating its role as an active, engaged and responsive regulator, the BMA and the Bermuda government regularly consult with industry with a view to the continued improvement of the digital asset regulatory framework, including its effective administration and enforcement. The BMA and industry stakeholders continually review and monitor this framework (including the DABA and the DAIA) to ensure that it continues to meet or exceed applicable international standards – for example, with regard to regulation, compliance, and transparency – and that it continues to be fit for purpose.

Please refer to 2.2 Regulatory Regime for details of how “digital assets” are defined and treated. The Digital Asset Regimes do not differentiate between the different types of digital assets that exist or can be created and they are agnostic when it comes to the underlying technology. The Digital Asset Regimes seek to regulate the business and service activities surrounding digital assets in a manner that recognises the unique factors of the technology, as opposed to seeking to fit the different types of digital assets within existing legal and regulatory definitions.

However, this has not precluded the BMA from recognising and providing guidance to businesses utilising known-use cases for specific digital assets. In 2024, the BMA consulted industry stakeholders and published guidance specific to issuers of single currency pegged stablecoins (see 1.1 Evolution of the Fintech Market).

Please refer to 2.2 Regulatory Regimes for the broad definition of “digital assets” in the DABA and the DAIA and their application to issuers. The DAIA requires regulatory permission to conduct a digital asset issuance that is conducted for the purposes of raising funds for a specific project, whereas the DABA is a licensing regime focused on regulating digital asset issuances as a service and digital asset issuances that have an ongoing business element to them.

Blockchain asset trading platforms that are offered to the public and operate as a “digital asset exchange” or a “digital asset derivative exchange provider” (each as defined under the DABA) are regulated under the DABA as “digital asset businesses” and must be licensed thereunder.

Peer-to-peer trading, when conducted in a proprietary manner, is not specifically regulated. However, the DABA includes a broad spectrum of activities that might appear to be proprietary trading but – owing to the way in which they are conducted – are deemed to be digital asset business activities, including the provision of intermediary services.

The BMA applies a broad interpretation to the list of digital asset business activities contained in 2.2 Regulatory Regime and legal advice should be sought on any proposed digital asset transaction or activities in or from within Bermuda. Even if the transaction is intended to be proprietary in nature, there can be nuances to an arrangement that could bring the transaction within the scope of the DABA.

Depending on the circumstances, the provision of staking services relating to digital assets may be caught under the DAB Regime. Staking services that involve conducting digital asset transactions on behalf of another person would, for example, be considered a digital asset business activity under the DABA. However, if the staking services are conducted in a proprietary manner, it is unlikely to be considered a regulated activity (see 10.5 Regulation of Blockchain Asset Trading Platforms).

The provision of lending services relating to digital assets is regulated in Bermuda. In 2023, operating as a digital asset lending and operating as a digital asset purchase transaction service provider were added as separate regulated digital asset business activities under the DABA. The entity facilitating the digital asset lending, either as principal or agent (ie, the entity providing the platform or avenue through which digital assets are loaned), is required to be licensed under the DABA.

Similarly, in the context of traditional lending services, Bermuda also provides for a digital asset business bank licensing regime – under which, a banking licence may be issued to persons seeking to provide traditional banking (including lending) services to digital asset businesses. Please see 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities for details on the lending-related regulations in Bermuda regarding digital assets and in general.

The offering of digital asset derivatives is regulated under the DABA and overseen by the BMA. The DABA imposes requirements related to – inter alia – supervision, compliance, capital, cybersecurity, risk management, AML/ATF, and reporting.

Operating as a digital asset derivative exchange provider requires a licence under the DABA.

The DAB Regime applies to persons conducting the business of providing any or all of the specified digital asset business activities to the public. DeFi is not expressly defined under the DAB Regime; however, depending on the activities being conducted via or in relation to a DeFi platform or protocol, activities conducted could be caught under any number of the existing digital asset business categories of the DABA. The BMA takes a pragmatic yet heightened approach to regulating persons that provide services to the public using a DeFi protocol in accordance with its proportionality principles. The key question is who is legally deemed to be responsible for the activities of the protocol. Where the protocol is truly decentralised but requires contractual services (eg, treasury) to be provided by a legal entity, it is the legal entity that would fall under the DAB Regime. In such instances, the BMA will want to understand the constitutional basis for the activities of the protocol and the contractual basis for the provision of services.

In respect of DeFi protocols, developing software technology is currently unlikely to fall under any regulations in Bermuda (other than the economic substance regime that applies to all companies whose revenue is derived from IP in Bermuda). The BMA’s fintech team and the Bermuda government’s DAO Working Group, comprising the leading fintech lawyers in Bermuda, have both been working on proposals for introducing regulation specifically designed for digital governance models, such as DeFi protocols established as DAOs. The BMA recently issued a consultation paper that invites proposals for a collaborative pilot project aimed at testing embedded supervision practices within the context of DeFi, while the DAO Working Group has delivered a recommendation paper on how the existing legal and regulatory framework could be improved and adapted to recognise DAOs for the purposes of providing legal certainty and regulatory oversight.

Currently, those looking to be regulated in Bermuda and provide services to the public through a DeFi protocol should consider using a legal “wrapper” that can act on behalf of the protocol and its participants. An example would be to use a company limited by guaranteed structure whereby the company has members limited by guarantee rather than shareholders and is restricted from making any distributions to its members. Another available structure is the use of a special purpose vehicle whose shares are owned by an orphaned Bermuda trust serviced by a Bermuda-regulated trustee entity. In such an instance, the BMA would regulate the legal “wrapper” as the person responsible for the protocols’ compliance with the DAB Regime.

Any fund that is captured within the definition of “investment fund” in the IFA, including funds that deal in digital assets, will be subject to regulation under the IFA. However, pursuant to the Digital Asset Business Exemption Order 2023, an investment fund that conducts a digital asset business activity and has appointed an investment manager that is licensed under the IBA or is authorised by a “recognised regulator” (as defined in the IBA) will be exempt from licensing under the DABA as long as an annual notice is filed with the BMA. It should be noted that, even though the fund itself may be exempt, if the investment manager, custodian or administrator are based in Bermuda they may well be deemed to be conducting a digital asset business activity and require a DABA licence.

Please refer to 2.2 Regulatory Regime for the broad definition of “digital assets” in the DABA and the DAIA. Virtual currencies that meet the definition of “digital assets” are treated the same as other blockchain derived assets from a regulatory perspective.

For the purposes of Bermuda law, NFTs would constitute digital assets (see 2.2 Regulatory Regime) and a platform that facilitates the trading of NFTs would be conducting the digital asset business of operating a digital asset exchange, which requires a DABA licence.

The Bermuda government has indicated its support to the BMA “in advancing open banking standards in Bermuda to provide better services to local consumers while enabling new digital banking services to be offered”.

An entity intending to conduct open baking activities in or from within Bermuda would be required to adhere to the licensing requirements and provisions of the Banks Amendment Act as well as the provisions of the DABA where such business constitutes digital asset business activity. There is currently no express prohibition on open banking activity under the Bermuda legal regime.

To date, the concept of open banking has not been prevalent with banks operating from within Bermuda. With PIPA having come into effect on 1 January 2025 (see 2.11 Implications of Additional, Non-Financial Services Regulations), Bermuda banks may be deterred from pursuing open banking concepts in the near future owing to the increased scrutiny over the protection of personal information. However, it is anticipated that the consensual use of personal information in these optional and contractual relationships will prevail once the law has settled in and adequate protection has been implemented.

A specific body of law setting out the elements of fraud as it relates to the DAB Regime in Bermuda has not been developed. The general common-law position would apply should this be considered by Bermuda courts.

From a regulatory perspective, the BMA focuses on safeguarding customer assets by seeking to prevent or minimise the potential for fraud and misappropriation. There are multiple pieces of legislation, regulation and various codes of conduct that govern consumer protection in Bermuda. The DABA mandates the safeguarding of customer assets and sets out the provisions for establishing formal customer complaints policies and procedures. The Digital Asset Business Custody Code of Practice supplements the provisions of the DABA and specifies the requirements of segregating customer assets from those of the DABA licensee.

Among other matters, the BMA focuses on protecting customers and stakeholders, maintaining market integrity, and fostering trust in Bermuda’s digital asset business sector. Although fraud is not the singular focus of the BMA’s regulatory regime, Bermuda’s Digital Asset Regimes have been curated to combat the risk of fraud. The BMA closely monitors of the activities of regulated business for potential fraud and other corrupt activities in all sectors (and, specifically, the digital asset sector), including:

• investment fraud;
• market manipulation;
• money laundering and terrorist financing;
• insider trading;
• fraudulent exchanges and wallets; and
• cybersecurity breaches.

The Digital Asset Regimes do not specifically provide for liability of licensees for loss suffered by customers, other than in relation to the provision of custodial services and the requirement to have appropriate insurance or a similar arrangement in place to protect customer interests. However, under common law, there are also civil remedies available to customers in the event loss is suffered by customers as a result of a licensee’s failures (such as negligence or a breach of contract).

In the event the licensee entity is responsible for losses suffered by customers and is unable to meet that obligation out of its assets, the Bermuda insolvency regime applies to licensees under the Digital Asset Regimes and is available to customers.

The BMA’s Enforcement Guide provides that one of the most important factors the BMA will consider when assessing any civil penalty for breaches is whether there has been any loss, or risk of loss, to customers. If customers have suffered loss as a result of a breach by the licensee, then the licensee and potentially its directors/officers should expect the BMA to take this into account when developing its enforcement action.