Consultation Paper - Virtual Currency Business Bermuda April 13 2018
Consultation Paper - Virtual Currency Business Bermuda April 13 2018
Consultation Paper - Virtual Currency Business Bermuda April 13 2018
CONSULTATION PAPER
APRIL 2018
1
Contents
Objective 3
Background 4
Composition of Virtual Currency Sector and Associated Risk 5
Regulatory Developments 9
Scope of Proposed Regime 9
Licensing Regime 12
Minimum Criteria 14
Provisions relating to Controllers, Shareholder Controllers, Directors and Officers 15
Risk Management 15
Custody and Protection of Customer Assets 18
Senior Representative and Principal Office 18
Prudential Return and Supervision 19
Power to obtain Information and Reports 20
Power of Directions/Conditions/Restrictions/Revocation 21
Enforcement 22
Consequential Amendments 22
Conclusion 22
The views of our industry partners and other interested persons on the
proposals set out in this paper are invited. Comments and suggestions are
welcome and should be sent to the Authority, addressed to policy@bma.bm by
2nd May 2018.
2
Objective
1. The objective of this paper is to provide an outline for the effective regulation of
service providers within the virtual currency business industry (virtual currency
business service providers or (VCBs)) in Bermuda. For the purposes of this paper,
virtual currency is used as defined by the Financial Action Task Force (FATF) in its
June 2014 report on Virtual Currencies – Key Definitions and Potential AML/CFT
Risks.
Virtual currency is a digital representation of value that can be digitally traded and
functions as (1) a medium of exchange; and/or (2) a unit of account; and/or (3) a
store of value, but does not have legal tender status (i.e., when tendered to a creditor,
is a valid and legal offer of payment) in any jurisdiction. It is not issued or
guaranteed by any jurisdiction, and fulfils the above functions only by agreement
within the community of users of the virtual currency.
Virtual currency is distinguished from fiat currency (a.k.a. “real currency,” “real
money,” or “national currency”), which is the coin and paper money of a country
that is designated as its legal tender; circulates; and is customarily used and accepted
as a medium of exchange in the issuing country.
Digital currency can mean a digital representation of either virtual currency (non-
fiat) or e-money (fiat) and thus is often used interchangeably with the term “virtual
currency”.
3
Background
2. The issue of VCB regulation has recently been at the forefront of discussion both
globally and in Bermuda. The discussion has become linked to the regulatory
practices already in place for securities, and the regulatory gap that exists for the
relatively new and evolving virtual currency marketplace which involves virtual
currency, and other associated activities such as digital wallets and the issuance of
digital coins and tokens.
3. Leaders in the emerging virtual currency industry are claiming that the rapid growth
of virtual currencies represent new opportunities for the use of the virtual currencies
and the enabling technology behind them. According to information on
CoinMarketCap’s website, the market cap for virtual currencies peaked in December
2017 at $653 billion. That market cap has since fallen significantly. However,
enthusiasts have also stated their belief that the industry will grow to one trillion
dollars by the end of 2018 and that virtual currencies represent opportunities to
improve on, and develop, new payment systems. Whilst Bermuda is keen to embrace
the potential offered by the virtual economy, it is recognised that the sector presents
tremendous risk that requires robust prudential and Anti-Money Laundering/Anti-
Terrorism Financing (AML/ATF) regulation.
4. In spite of its growing popularity, in many quarters, the virtual currency sector still
faces an image problem arising from its use on the dark web, association with recent
ransomware attacks, virtual currency thefts, and a number of high profile frauds and
other money laundering/terrorism funding cases. It is well-known that the pseudo-
anonymity or anonymity associated with some of the technology poses a significant
challenge for both law enforcement and regulators. Much of the space remains
unregulated.
5. Although VCBs are not currently regulated in most countries, the international focus
on AML/ATF obligations has added additional relevance to the local debate given
Bermuda’s desire to remain a responsible global citizen and a credible financial
centre. Bermuda is also scheduled to undergo an international mutual evaluation by
the FATF. The FATF is an inter-governmental body which conducts mutual
4
evaluations of its members’ levels of implementation of the FATF Recommendations
on an ongoing basis. These are peer reviews, where members from different countries
assess another country. A mutual evaluation report provides an in-depth description
and analysis of a country’s system for preventing criminal abuse of the financial
system as well as focused recommendations to the country to further strengthen its
system.
6. Mutual evaluations are strict and a country is only deemed compliant if it can prove
ongoing compliance to the other members. In other words, the onus is on the assessed
country to demonstrate that it has an effective framework to protect the financial
system from abuse.
7. FATF’s 2015 Guidance reflected the understanding at the time by FATF’s members
of virtual currencies and of the risks associated with their use. It recognised that not
all virtual currencies function the same way or pose the same risks. Also important
was FATF’s emphasis on employing a risk-based approach to AML/ATF risk
involving virtual currencies.
8. Although there are not yet any internationally defined standards relating to the
regulation of VCBs, it has been suggested that certain areas of the evolving virtual
currency industry should be the focus of regulatory efforts, including the need for
effective:
a. regulatory supervision over public disclosure requirements;
b. AML/ATF;
c. fraud prevention;
d. valuation (or price) manipulation;
e. integrity of owners.
5
a. Initial coin offerings (ICOs) issuers: Token issuance is generally used to
fund a start-up business. ICO activity has commonly been associated with
insufficient investor information, fraud, money laundering, and failed projects;
b. Virtual currency exchange providers and traders: A facility for exchanging or
trading fiat currency for virtual currency, or one virtual currency for another.
This activity has commonly been associated with insider trading, price
manipulation scandals, money laundering, and computer hacking theft;
c. Custodial wallet providers: Storage services for virtual currencies. This
activity has commonly been associated with computer hacking theft and
money laundering. There are also developers of wallets who do not provide
custodial services, which are not the focus of the VCBA;
d. Virtual currency miners: A process to confirm records, generally to a
distributed ledger (generally a blockchain), thus allowing completion of
transactions. Mining has tended to present an environmental risk on account
of the enormous energy required for the mining rigs;
10. While virtual currency can be used for legal purposes, the pseudo-anonymous (or
anonymous) nature of transactions is well suited for a number of illegal activities.
Observed activities include tax evasion, financing terrorism, money laundering
schemes, avoiding sanctions, black market transactions, and enabling ransomware
payments.1
11. Arguably, many virtual currencies are more transparent than cash because the
transactions are recorded on a public distributed ledger, or blockchain. However,
traceability is limited given that users are only known by their public address or
addresses. Bitcoin is the most popular virtual currency. Oliver Wyman has noted
that “Bitcoin users have been tracked through various matching techniques and
blockchain analysis combined with transaction ‘metadata’ from Bitcoin address reuse
and IP address monitoring.” To combat the detection arising from this law
enforcement analysis, another participant has entered the market: tumblers (or
mixers). Mixers swap one virtual currency for another with a different transaction
1
Oliver Wyman, “Cryptocurrencies and Public Policy Key Questions and Answers”, February 2018
6
history, effectively reproducing the laundering layering process. 2 This brings
anonymity. While Bitcoin remains the most commonly used virtual currency for
cybercriminals, mixing activities are becoming more sophisticated, challenging
identity detection. Further, “a new generation of Anonymity-Enhanced Virtual
currencies (AECs)” have been observed, such as ZCash and Monero.3 Unlike with
Bitcoin, an owner of these virtual currencies may opt for the product to be
anonymous via a setting.
12. Accordingly, virtual currencies present a significant challenge for regulators and
regulation. In providing guidance to regulators, the FATF recommended in its June
2014 virtual currencies report that regulators, for the time being, focus efforts on
convertible virtual currencies (i.e. virtual currencies that can be converted into and
out of fiat currencies). The FATF assessed these as having the highest money
laundering risk. Further, the FATF recommended:
13. The FATF’s guidance has shaped the Authority’s view in the selection of VCB
regulatory scope by identifying the participants that meet the FATF’s criteria. All
2
Ibid.
3
Financial Action Task Force
4
Financial Action Taskforce, “Guidance for a Risk-based Approach, Virtual Currencies”, June 2015
7
participants mentioned in paragraph 9, except virtual currency miners and
developers, meet the FATF criteria, and thus will be brought within regulatory scope.
The Authority will cast its regulatory net wide enough to also include service
providers holding custodial or power of attorney rights over customer virtual
currencies because these activities also appear to meet the FATF criteria.
14. As the sole Bermuda financial services regulator, the Authority is best suited to the
task of providing oversight for much of this new industry. In addition to AML/ATF
regulation, the Authority has decided to apply prudential regulation to VCBs, given
the significant consumer protection issues arising from virtual currencies. In an
effort to create an effective regulatory regime, the Authority has attempted to
construct a framework that addresses the issues raised in paragraphs 9 and 10 above.
ICO regulation in Bermuda as a funding mechanism for one’s own business will be
undertaken by the Bermuda Government’s Registrar of Companies (Government
ROC), and so is not covered in this Consultation Paper. But, the Authority will
regulate companies that, as a business, conduct ICOs for other companies. Further,
while the Authority will undertake the supervision and regulation of AML/ATF for
the aforementioned companies that are within scope, a detailed description of
AML/ATF requirements will be included in a separate Consultation Paper.
15. It is difficult to raise the VCB topic without also considering the underlying
technology (distributed ledger technology, generally a blockchain). In the event
Bermuda decides to enact any regulation in this area, it might be necessary to have
more than one regulator to cover the entire scope of a proposed technology-driven
industry. The Authority believes that it is beyond its regulatory remit to regulate the
use of technology in the financial services industry.
8
Regulatory Developments
16. Much of the virtual currency sector remains unregulated in most jurisdictions so
Bermuda will be one of the trailblazers, implementing a dedicated comprehensive
virtual currency prudential and AML/ATF regulatory framework. For example, up to
October 2017, Canada, United Kingdom and a number of continental European
countries had not implemented a prudential regulatory framework for virtual
currency exchanges; however, some had subjected exchanges to AML/ATF
regulation, or were making plans to achieve this. Japan and the United States
regulate virtual currency exchanges as money transmitters. Further, the United States
had drafted a Uniform Regulation of Virtual Currency Business Act in 2017 that
would appear to capture a wide range of VCBs, but it has not been implemented.
Separately, New York has implemented its BitLicense regulatory framework
covering businesses that hold customer virtual currencies, such as exchanges and
wallet service providers. Switzerland recently rolled out a virtual currency regulatory
framework.
17. In identifying the components of its VCB prudential regulatory framework, the
Authority reviewed developments in the above and other major jurisdictions, as well
as looked to effective regulatory tools in its existing sectors, and selected what it
considered to be most appropriate to address the issues, such as those raised in
paragraphs 8 and 9.
18. It is intended that VCBs be regulated under a new Virtual Currency Business Act
2018 (VCBA or the Act), underpinned as needed by Rules, Regulations, Codes of
Practice, Statements of Principles and Guidance similar to the legislative frameworks
in place for other financial services regulated by the Authority.
19. The scope of VCB activities to be included in the VCBA, as mentioned earlier, was
informed by the FATF’s recommended criteria. The VCBA defines “virtual currency
9
business” (for which it seeks to regulate) as the provision of the following activities
to the general public as a business—
i. Issuing, selling or redeeming virtual coins, tokens or any other form of virtual
currency
This includes any business (incorporated or not) that provides these services to
other businesses or individuals. This would include an ICO business on behalf of
customers, but not ICO activities to fund one’s own company or project. An
example of the former that will be subject to the VCBA is a company that
operates a facility to assist its clients to launch ICOs. This includes assistance
with coin or token design and administering the ICO process. An example of the
latter that will not be subject to the VCBA is a company that wishes to issue its
own ICO for its online gaming website or other business operations. The latter, as
noted above, will be regulated by the Government ROC.
10
iv. Provision of virtual currency custodial wallet services
A virtual currency wallet is a software programme that stores private and public
keys and interacts with various blockchain to enable users to send and receive
digital currency and monitor their balance. Virtual currency itself is not actually
“stored” in a wallet. Instead, a private key (secure digital code known only to the
user and the wallet) is stored as proof of ownership of a public key (a public
digital code connected to a certain amount of currency). By the wallet storing
private and public keys, it allows the user to send and receive coins, and also acts
as a personal ledger of transactions.
20. It should be recognised that the description of activities captured within the VCBA
are based on general definitions used by other jurisdictions. It is intended only to
license those companies or persons who carry out the above activities as a
commercial activity, i.e. services provided to independent third parties for profit.
21. Additionally, given the rapidly evolving virtual currency sector, to ensure flexibility
and rapid response, the VCBA provides an option for the Minister of Finance, after
consultation with the Authority, by order, to be able to amend the Act by adding new
activities, or by amending, suspending, or deleting any of the VCB activities caught
under the VCBA. An order made under this section is subject to the negative
resolution procedure.
22. To assist with keeping abreast of VCB developments, the Authority will appoint a
panel to advise it in relation to VCB activities. In particular, the panel may advise on
anything referred to it by the Authority.
23. The panel will consist of one or more persons, who in the Authority’s opinion
represents the interests of Bermuda financial sectors, and the impact that VCB could
have on the non-VCB sectors; one or more persons, who in the Authority’s opinion
11
have expertise in law relating to the financial systems of Bermuda; one or more
persons, who in the Authority’s opinion has expertise in any or all of the VCB
activities caught under the VCBA; and/or one or more persons, holding such
qualifications as the Authority deems appropriate.
24. It is intended that the right to conduct the above-specified activities, would be limited
to licensees under the Act, and there would be a prohibition on those activities being
conducted by unlicensed persons.
Licensing Regime
25. The licensing process is a very important one. Through this process, the Authority
fulfils the gatekeeper role for the financial sector, protecting customers and
Bermuda’s reputation as a quality financial centre. The licensing regime outlined in
the VCBA is intended to be an appropriately proportionate regime, designed to
encourage both confidence and innovation in the sector, while affording adequate
protection for customers. In anticipation of a variety of businesses seeking to be
licensed as VCBs, the Authority will implement a tiered licensing structure, based on
criteria such as the applicant’s previous experience (given the critical nature of
consumer protection) and novelty (i.e. whether the business concept is proven).
26. The Authority will issue two classes of license: Class F which will be a full license
and class M which would be a defined period license.
27. It is intended that a Class M license will be an intermediate license type which is
designed to facilitate a regulatory sandbox for novelty start-up businesses,
particularly those businesses desirous of testing new products and or services (proof
of concept). These licenses will have modified requirements and certain restrictions.
In an effort to protect consumers, the Authority would issue a class M license in
cases where it believes it appropriate to do so regardless of the class of license
applied for. The normal robust standards of fitness and propriety will also apply.
12
28. A class M license is intended to be valid for a specified period, at which point the
licensee must cease conducting business, or make application for either an extension
to the initial time or transition to a full class F license. The initial period (and any
subsequent extensions) will be determined by the Authority on a case by case basis.
29. The class F licensee will be a full license not subject to a specified period. With
consumer protection the paramount goal, the class F license would still be subject to
restrictions if the Authority deemed it appropriate to do so.
30. The goal of this tiered license structure is to validate novelty start-ups engaging in
VCB with a prudential regulatory regime that largely mitigates regulatory
uncertainties and provides some flexibility by taking a phased approach to regulation
which will assist companies to enter into business to engage in proof of concept or
establish a proven track record before eventually graduating to a full license. The
class M license, while encouraging innovation, will be restricted to ensure adequate
consumer protection. The restrictions will depend upon the business model and
associated risks, but will minimally include requirements relating to disclosures to
prospective customers that the company has a class M license, limitations on
business volume, and other protective measures as the Authority deems appropriate.
31. The VCBA will make provision for the Authority to grant a license (regardless of
class) to undertake one or more of the activities in paragraph 19 above. For example,
a license could be restricted to the provision of custodial wallet services only.
32. It is intended that the right to conduct the above-specified activities, would be limited to
licensees under the Act, and there would be a prohibition on those activities
being conducted by unlicensed persons. The Act will identify conducting
business without the requisite licence as a criminal offence and provide for
penalties for such behaviour.
13
Minimum Criteria
33. While hoping to encourage innovation, the Authority appreciates the need to
maintain high standards as the gatekeeper for Bermuda’s financial sector.
Accordingly, prior to issuing either a class M or class F license, the Authority must
be satisfied that the applicant would be able to satisfy the Minimum Criteria
requirement. The Minimum Criteria applicable in the VCBA is consistent with the
Minimum Criteria of all other financial sectors regulated by the Authority. It
includes provisions to ensure that a VCB has practices and procedures in place to
ensure that the activities are carried out in a prudent manner that both affords
adequate consumer protection and does not bring Bermuda into disrepute as a
financial centre.
14
35. In determining whether a VCB is in compliance with the Minimum Criteria
requirement, the Authority would have regard for applicable Codes of Practice that it
will publish. The Codes of Practice will contain detailed requirements in relation to
governance and risk management proportionate to the nature, size, complexity, and
risk profile of a VCB.
36. The VCBA will provide definitions for controllers, shareholder controllers and
officers consistent with these definitions in the Acts of the other financial sectors
regulated by the Authority. Given the importance of these roles in “setting the tone
at the top” and encouraging a culture of compliance, and regard for the welfare of
customers, the VCBA will contain a number of provisions pertaining to these roles.
These will include a requirement to notify the Authority upon changes in directors or
officers, ability of the Authority to object to and prevent new or increased ownership
of shareholder controllers, and ability to remove controllers and officers who are no
longer fit and proper to fulfil the role. The VCBA will make provisions for due
process prior to the Authority taking final action.
Risk Management
37. It is well known that VCBs may pose high risks to consumers due to their highly
speculative and disruptive nature. Several G20 countries along with the International
Monetary Fund (IMF), the FATF and others have issued public warnings5 regarding
VCBs and have attributed certain risks to this sector including:
a. extreme volatility and bubble risk
b. absence of protection
c. lack of exit options
d. lack of price transparency
e. potential for operational disruptions due to cyber security risk
f. misleading and incomplete information; and
5
https://www.iosco.org/library/ico-statements/Europe%20-%20ESA%20-
%20ESMA,%20EBA%20and%20EIOPA%20warn%20consumers%20on%20the%20risks%20of%20Virtual%2
0Currencies.pdf
15
g. overall limited usability
38. While the Authority recognises the potential offered by the virtual economy, there is
also a need to introduce measures to tackle virtual economy-based risk including
money laundering and financing of terrorism, fraud, inadequate information
disclosures, poor risk management and practices leading to loss of customer assets.
39. In order to address the AML/ATF concerns arising from this new industry, the
Authority is of the view that the best way forward is for Bermuda to leverage the
existing AML/ATF framework. This includes amending the Proceeds of Crime Act
(POCA) 1997 in section 42A in the definition of “AML/ATF regulated financial
institution”, to add VCBs as being subject to that Act. Similar amendments would
also be required in the Anti-Terrorism (Financial and Other Measures) Act 2004,
section 2 in the definition of “AML/ATF regulated financial institution”, paragraph
(f) and the Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist
Financing Supervision and Enforcement) Act 2008 in section 2(1).
40. As noted above, while the Authority believes that Bermuda’s existing AML/ATF
legislative framework is adequate for VCBs (just a matter of extending those
provisions to this sector), Bermuda will require new VCB AML/ATF guidelines to
support the existing legislative framework. The Authority will draft these guidelines,
in consultation with the National Anti-Money Laundering Committee (NAMLC) and
Bermuda Government, and publish the proposals in a separate Consultation Paper
prior to the enactment of the VCBA.
41. In order to assist the public’s ability to make good decisions regarding whether to get
involved with a VCB, the Authority will establish obligations for the dissemination
of certain key information by all VCB licensed entities. The legislation will require
VCBs to disclose the following to potential customers before entering into a business
relationship (inter alia):
16
c. whether it has insurance against loss of customer assets arising from theft
(including cyber theft)
d. normal irrevocability of a transfer or exchange of virtual currency and any
exception to irrevocability
e. liability for an unauthorised, mistaken, or accidental transfer or exchange
42. The fact that the VCB industry is totally transacted via the internet exposes it to
technology related risk such as systems failure and hacking. To mitigate this risk, the
Authority will require companies to have a comprehensive crisis management,
including cybersecurity, programme that is commensurate to the nature, size,
complexity and risk profile of the VCB. It is envisaged that a VCB may need to
engage the cybersecurity services of third parties to supplement the strength of its
own computer security systems. Where such is outsourced, the VCB will still be
held responsible for ensuring that risks are appropriately managed.
43. At a minimum, the VCB’s crisis management programme will be required to satisfy
five core functions:
a. identify internal and external risks
b. protect licensee electronic systems and the information stored on those
systems
c. detect system intrusions, and breaches
d. respond to detected event to mitigate negative effects; and
e. recover from operational disruption to normal course of business
44. Succinctly, the VCBA will require VCBs to establish and maintain an effective cyber
security programme to ensure the availability and functionality of the VCB’s electronic
systems, and to protect both those systems and any sensitive data stored on those
systems (including customer assets) from unauthorised access, use, or tampering. The
programme will also need to address risks arising from third-party vendors where there
is system connectivity, and include policies related to hot and cold customer private
key storage.
17
45. Cyber is only one of the key risks facing VCBs. VCBs will be required to develop
policies, processes, and procedures to assess its material risks and self-determine
appropriate strategies needed to address the risks in accordance with its risk appetite.
The Authority will expect the assessment to occur annually and be reported in the
prudential filing. The assessment should be guided by the proportionality principle
(i.e. nature, size, complexity and risk profile of the respective VCB). The VCB will
also be required to maintain transaction records (originator and beneficiary) and assess
the risks arising from its customers. Moreover, the VCBs will be required to have
conflicts policies (including the coverage of insider trading) and conduct annual
independent controls audits, similar to an AICPA SOC2 assessment, to be reported to
the Authority.
46. The VCBA will require VCBs to have in place and maintain a surety bond, trust
account, indemnity insurance or another arrangement for the benefit of its customers
in such form and amount as is acceptable to the Authority for the protection of its
customers.
47. Further, the aforementioned trust account must be maintained with a qualified
custodian. A qualified custodian is defined in the VCBA as being “a bank (as such is
defined under the Banks and Deposit Companies Act 1999) or an undertaking
licensed under the Trusts (Regulation of Trust Business) Act 2001; or any other
person recognized by the Authority for such purpose”.
48. Additionally a VCB must maintain books of account and other records such that
customer assets are kept segregated from those of the VCB and can be readily
identified at any time. In this regard, VCBs will be required to hold all customer
funds in a dedicated segregated account clearly identified as customer funds.
18
Senior Representative and Principal Office
49. To regulate and supervise appropriately, the Authority recognises the importance of
having a VCB representative who is knowledgeable about the VCB, its strategy, risk
appetite and overall risk profile resident in Bermuda. Accordingly, the VCBA
establishes a requirement for the VCB to appoint a senior representative to be
approved by the Authority. The senior representative must be sufficiently
knowledgeable about the VCB and the industry more generally. The Authority will
expect that VCBs maintain a physical presence in Bermuda that is commensurate
with the nature, size, complexity and risk profile of the business. The VCBA will
also require the senior representative to report to the Authority, within a specified
time period, the following:
a. that in his/her view there is a likelihood of the VCB becoming insolvent
b. failure by the VCB to comply substantially with a condition imposed upon the
VCB’s license by the Authority
c. failure by the VCB to comply with a modified provision, or with a condition,
arising from a direction issued by the Authority
d. involvement of the VCB in any criminal proceedings whether in Bermuda or
abroad
e. a material change
f. material cyber breach; and
g. the VCB has ceased carrying on virtual currency business
50. To further facilitate appropriate supervision and regulation, the VCBA will impose
an obligation on VCBs to maintain records in Bermuda as specified in the supporting
Rules.
51. The Authority’s supervisory toolkit will include the ability, where the Authority
requires, for the Authority to either operate a node on the VCB’s platform, e.g.
blockchain, (giving the Authority real-time auditability into the platform’s
operations) or set interoperability requirements so that the platform can provide
information to the Authority on an automated basis. The toolkit will also comprise
on-site examinations, off-site examinations, prudential visits, and industry
monitoring. Off-site examinations will largely be used to guide the scope of on-site
19
examinations and prudential visits, which collectively will facilitate the
determination of supervisory intensity for any given VCB. Accordingly, the VCBA
will require VCBs to file with the Authority annual prudential returns, with
provisions to empower the Authority, where required in the interest of consumer
protection, to modify and require more frequent filings or additions to the filing. The
standard prudential return will include the following information:
a. business strategy and risk appetite
b. products and services (including transaction volume by virtual currency type
in the case of exchanges and traders)
c. number of customer accounts, and in the aggregate composition of customer
balances (both in the aggregate fiat currency/securities and by virtual
currency)
d. geographical profile of clients by account and account balance (i.e. territories
where they reside)
e. risk self-assessment, risk management policies, and independent internal
controls audit report
f. cyber security policies, including policy in relation to customer private key
storage
g. compliance certificate
h. audited financial statements; and
i. outsourced functions and partners, including third parties or affiliates
performing customer asset storage, cyber security, compliance, asset custody
and other key functions.
52. The VCBA will grant the Authority general powers to require the production of any
information or documents as the Authority may reasonably require for the
performance of its functions under the Act. The Authority will also have the power
to compel the provisions of documents that it may reasonably require for ensuring
that the VCB is complying with the provisions of the Act and any code of practice,
and for safeguarding the interests of customers and potential customers. This power
20
would be used for the purposes of on-site and desk-based reviews and will be
supported by a power to investigate suspected contraventions of the licensing regime.
53. The VCBA will include as a criminal offence making false or misleading statements
to the Authority for which there will be penalties.
Power of Directions/Conditions/Restrictions/Revocation
54. In the event the Authority has concerns about a VCB, or there is non-compliance,
the VCBA grants the Authority powers to place conditions and restrictions on
licenses, as well as revoke licenses. Restrictions provided for in the VCBA include:
a. require a VCB to take certain steps or to refrain from adopting or pursuing a
particular course of action, or to restrict the scope of its business activities in a
particular way
b. impose limitations on the acceptance of virtual currency business
c. prohibit a VCB from soliciting business either generally or from persons who
are not already its customers
d. prohibit a VCB from entering into any other transactions or class of
transactions; and
e. require removal of any officer or controller
55. The VCBA would also empower the Authority to issue directions to a VCB as appear
to the Authority to be desirable for safeguarding the interests of the VCB’s customers
or potential customers. The Authority is even empowered to revoke a VCB’s license.
The VCBA provides for due process before the Authority takes final action.
56. The Authority plans to apply its robust VCB regime in a pragmatic way.
Accordingly, the VCBA makes provision for the Authority to modify requirements
where supervisory intensity needs to increase to address a situation, for example
more frequent prudential filing or additions to filed information. The VCBA also
21
provides for the Authority to exempt (or partially exempt) a VCB from certain
requirements where it is pragmatic in the Authority’s opinion to do so. An example
could be granting a partial exemption from filing where a VCB has not taken on
customers or no longer has customers. The VCBA specifies that the Authority shall
not grant an exemption or modification unless it is satisfied that it is appropriate to do
so having regard to the obligations of the VCB towards its customers.
Enforcement
60. Where a VCB fails to comply with a condition, restriction, direction or certain
requirements of the Act, the VCBA provides the Authority with the power to take
enforcement action. Such action includes imposing civil penalties (up to $10,000,000
per breach), public censure (name and shame), prohibition order (banning a person
from performing certain functions for a Bermuda regulated entity), and injunction
(cease and desist order from the Court). The Authority will issue guidance in the form
of a statement of principles to outline how it plans to use these enforcement powers.
Consequential Amendments
61. Given that the VCB activities inherently contain money laundering and terrorist
financing risks, the AML/ATF legislation will need to be amended at the earliest
opportunity in order to include VCBs as AML/AFT regulated institutions.
Conclusion
62. The Authority is of the view that the VCB prudential proposed in this Consultation
Paper is appropriate for the nature of VCB as we know it today. It provides
flexibility, and makes provision for modifications where supervisory intensity needs
to increase or the Authority is presented with new and evolving business models
with varying risk profiles.
63. While the Authority believes that Bermuda’s existing AML/ATF legislative
framework is appropriate for VCBs, the current guidance supporting the
22
legislative framework likely is not. Accordingly, prior to the enactment of the
VCBA, the Authority plans to draft, in consultation with NAMLC and the
Bermuda Government, AML/ATF guidance for the VCB sector and publish in
another Consultation Paper.
***
23
VIRTUAL CURRENCY (CYBER SECURITY) RULES 2018
BERMUDA
BR / 2018
TABLE OF CONTENTS
1 Citation
2 Interpretation
3 Annual Cybersecurity Report
The Bermuda Monetary Authority (the Authority), in exercise of the powers conferred
by section 7of the Act, makes the following Rules—
Citation
1 These Rules may be cited as the Virtual Currency (Cybersecurity) Rules 2018
Interpretation
2 In these Rules—
“Act” means the Virtual Currency Business Act 2018;
“Chief Information Security Officer” means the senior executive appointed by the
licensed undertaking to oversee and implement its cyber security program and enforce
its cyber security policies.
(2) The cyber security program shall include but is not limited to, the audit functions
VIRTUAL CURRENCY (CYBER SECURITY) RULES 2018
set forth below—
(i) track and maintain data that allows for the complete and accurate
reconstruction of all financial transactions and accounting;
(ii) protect the integrity of data stored and maintained as part of the
audit trail from alteration or tampering;
(iii) protect the integrity of hardware from alteration or tampering,
including by limiting electronic and physical access permissions to
hardware and maintaining logs of physical access to hardware that
allows for event reconstruction;
(iv) log system events including but not limited to access and
alterations made to the audit trail systems;
(v) maintain records produced as part of the audit trail.
(3) Every licensed undertaking shall engage a qualified independent party to audit
its systems and provide a written opinion to the Authority that the licensed undertaking’s
controls cyber security program is suitably designed and operating effectively to meet the
requirements of these Rules.
Chairman
The Bermuda Monetary Authority
BERMUDA
BR / 2018
TABLE OF CONTENTS
1 Citation
2 Interpretation
3 Annual return
4 Declaration
SCHEDULE
Matters to be Included in Annual Return
Citation
1 These Rules may be cited as the Virtual Currency Business (Prudential
Standards) (Annual Return) Rules 2018.
Interpretation
2 In these Rules—
“the Act” means the Virtual Currency Business Act 2018;
“financial year” , means the period not exceeding fifty- three weeks at the
end of which the balance of the virtual currency business accounts is
struck or, if no such balance is struck or if a period in excess of fifty-three
weeks is employed, then calendar year;
Annual return
3 (1) A licensed undertaking shall file with the Authority an annual return in
accordance with the requirements of section 7 of the Act.
(2) The annual return shall contain information in respect of the matters set
out in the Schedule, as such matters stood when the annual return is filed.
Declaration
4 A licensed undertaking shall, at the time of filing its annual return, file with the
Authority a declaration signed by two directors or a director and a senior executive,
that to the best of their knowledge and belief, the information in the annual return is
fair and accurate.
SCHEDULE
(section 7)
(i) official name and any given or used names where appropriate;
(i) official name and any given or used names where appropriate;
(ii) confirmation of primary residence;
(iii) role or job title
(k) copies of cyber security program policy and customer private key
storage policy;
Chairman
The Bermuda Monetary Authority
BERMUDA
BR/ 2018:
TABLE OF CONTENTS
PART 1
PRELIMINARY
1. Citation
2. Interpretation
3. Meaning of "director", "controller", "senior executive" and "associate"
4. Carrying on business of virtual currency business in Bermuda
5. Authority’s statement of principles and guidance provision
6. Codes of practice
7. Prudential and other returns
8. Authority may exempt or modify prudential standards or requirements or take
necessary actions
9. Advisory Panel
PART 2
LICENSING
10. Restriction on carrying on virtual currency business without a licence
11. Exemption order
Page 1 of 90
12. Virtual currency business licence
13. Grant and refusal of applications
14. Determination of class of licence
15. Display and registration of licence
16. Fees
17. Separate Accounts
18. Custody and protection of client assets
19. Senior representative
20. Senior representative to report certain events
21. Head office
22. Material change to business
23. Restriction of licence
24. Revocation of licence
25. Winding up on petition from the Authority
26. Notice of restriction or revocation of licence
27. Restriction in cases of urgency
28. Directions to protect interests of clients
29. Notification and confirmation of directions
30. Surrender of licence
PART 3
ACCOUNTS AND AUDIT
31. Duty to prepare annual financial statements and accounts
32. Appointment of auditors
33. Auditor to communicate certain matters to Authority
PART 4
OBJECTIONS TO SHAREHOLDER CONTROLLERS
34. Notification of new or increased control
Page 2 of 90
35. Objection to new or increased control
36. Objection to existing controller
37. Contraventions by controller
38. Restriction on sale of shares
PART 5
DISCIPLINARY MEASURES
39. Power to impose civil penalties for breach of requirements
40. Civil penalties procedures
41. Public censure
42. Public censure procedure
43. Prohibition orders
44. Prohibition orders: procedures
45. Applications relating to prohibition orders: procedures
46. Determination of applications for variation, etc.
47. Injunctions
PART 6
RIGHTS OF APPEAL
48. Rights of appeal
49. Constitution of tribunals
50. Determination of appeals
51. Costs, procedure and evidence
52. Further appeals on a point of law
PART 7
NOTICES AND INFORMATION
53. Warning notices
54. Decision notices
Page 3 of 90
55. Notices of discontinuance
56. Publication
57. Notification of change of controller or officer
58. Power to obtain information and reports
59. General power to require production of documents
60. Right of entry to obtain information and documents
PART 8
INVESTIGATIONS
PART 9
CERTIFICATE OF COMPLIANCE
66. Certificates of compliance
PART 10
RESTRICTION ON DISCLOSURE OF INFORMATION
67. Restricted information
68. Disclosure for facilitating the discharge of functions of the Authority
69. Disclosure for facilitating the discharge of functions by other authorities
70. Information supplied to the Authority by relevant overseas authority
Page 4 of 90
PART 11
MISCELLANEOUS AND SUPPLEMENTAL
71. False documents or information
72. Offences
73. Prohibition on use of words "virtual currency business"
74. Notices
75. Service of notice on Authority
76. Civil debt and civil penalties
77. Regulations
78. Transitional
79. Consequential amendments
_____________________________________________________________________
SCHEDULE 1
Minimum Criteria for Licensing
SCHEDULE 2
Consequential Amendments
__________________________________________________________________
WHEREAS it is expedient to make provision for the
Bermuda Monetary Authority to regulate persons carrying on
virtual currency business and for the protection of the interests of
clients or potential clients of persons carrying on the business of
virtual currency business; and for purposes connected with those
matters:
PART 1
PRELIMINARY
Citation
1 This Act may be cited as the Virtual Currency Business Act 2018.
Interpretation
2 (1) In this Act, unless the context requires otherwise—
Page 8 of 90
on behalf of a client for the purposes of:
(a) issuing, selling or redeeming virtual coins, tokens or any other form
of virtual currency;
(b) operating as a payment service business utilising virtual currency
which includes the provision of services for the transfer of funds;
(c) operating as an electronic exchange;
(d) providing custodial wallet services;
(e) operating as a virtual currency services vendor.
(3) The Minister may, after consultation with the Authority, by order amend
subsection (2) by adding new provisions, or by amending suspending, or deleting any
of the virtual currency activities set out thereunder.
(4) An order made under this section is subject to the negative resolution
procedure.
(a) includes an alternate director and any person who occupies the
position of director, by whatever name called; and
Page 11 of 90
company of which it is such a subsidiary; or
(ii) the trustees of any settlement under which that person has a life
Page 12 of 90
interest in possession;
(c) if that person has with any other person an agreement or arrangement
with respect to the acquisition, holding or disposal of shares or other
interests in that company or under which they undertake to act
together in exercising their voting power in relation to it, that other
person.
(9) For the purpose of subsection (8), “settlement” includes any disposition
or arrangement under which property is held in trust.
(3) The Minister, acting on the advice of the Authority, may make an
order specifying the circumstances in which a person is to be regarded for the
purpose of this section as—
(4) This Act shall not apply to any entity owned by the Bermuda government.
(a) in interpreting the minimum criteria and the grounds for revocation
specified in section 24;
(2) If the Authority makes a material change to the principles, it shall publish
Page 14 of 90
a statement of the change or the revised statement of principles in the same manner
as it published the statement under subsection (1).
(3) The Authority may from time to time give guidance on the application of
this Act and rules or regulations made under it.
Codes of practice
6 (1) The Authority may issue codes of practice in connection with the manner
by which licensed undertakings shall carry on virtual currency business.
(2) Without prejudice to the generality of subsection (1), the Authority may
issue codes of practice for the purpose of providing guidance as to the duties, requirements
and standards to be complied with, and the procedures (whether as to identification,
recordkeeping, internal reporting and training or otherwise) and sound principles to be
observed by persons carrying on virtual currency business.
(3) Before issuing a code of practice, the Authority shall publish a draft of that
Code in such manner as it thinks fit and shall consider any representations made to it about the
draft.
(4) Every licensed undertaking shall in the conduct of its business have regard
to any code of practice issued by the Authority.
Page 15 of 90
(b) risk management;
(c) custody of client assets;
(d) cybersecurity;
(e) financial statements;
(f) statutory returns
which shall be complied with by all licensed undertakings.
(2) The Authority may in such Rules or statutory returns prescribe standards
that impose different requirements to be complied with by licensed undertakings in
different situations or in respect of different activities.
(4) Not later than four months after the close of its financial year every
licensed undertaking shall file with the Authority any applicable Rule or statutory
return required to be prepared by it under this section.
(5) Every licensed undertaking shall keep a copy of the most recent Rule or
return filed with the Authority at its head office for a period of not less than five years
beginning with its filing date under subsection (4).
(7) Sections 6, 7 and 8 of the Statutory Instruments Act 1977 shall not apply
Page 16 of 90
8 (1) The Authority may where it has made a determination or on the
application of a licensed undertaking, exempt it from the requirement to comply with any
prudential standard or requirement applicable to it under this Act or modify any such
prudential standard or requirement.
(6) A licensed undertaking served with a notice under subsection (5) may
within a period of 28 days from the date of the notice make written representations to the
Authority and where such representations have been made, the Authority shall take them
into account in deciding whether to revoke its approval.
(7) Without prejudice to its powers under subsection (1), the Authority where it has
made a determination, may take any action necessary or desirable to protect the public,
clients or potential clients of the licensed undertaking.
(8) Before taking any such action under subsection (7), the Authority shall
serve notice on the license undertaking giving its reasons therefor.
(9) A licensed undertaking served with a notice under subsection (8) may,
within a period of 28 days from the date of the notice, make written representations to the
Authority; and where such representations are made, the Authority shall take them into
account in deciding whether to take the proposed action.
Page 17 of 90
(10) The Authority shall notify a license undertaking of any actions it has
taken.
Advisory Panel
9 (1) The Authority may appoint a panel to advise it in relation to the effect of
virtual currency business on—
(a) persons licensed or registered under the Insurance Act 1978; Banks
Deposit Companies Act 1999; Trusts (Regulation of Trust Business)
Act 2001; Investment Business Act 2003; Investment Funds Act
2006; Credit Unions Act 2010; Corporate Service Business Provider
Act 2012 and Money Service Business Act 2016.
(b) persons who conduct business with licensed or registered persons
under subsection (a);
(c) the economy of Bermuda; and
(d) virtual currency business regulation.
(2) In particular, the panel may advise the Authority about anything referred
to it by the Authority.
(3) The panel shall be appointed by the Authority and consist of—
(a) one or more persons, who in the Authority’s opinion represents the
interests of those persons under subsection 9 (1) (a);
(b) one or more persons, who in the Authority’s opinion have expertise in
law relating to the financial systems of Bermuda;
(c) one or more persons, who in the Authority’s opinion has expertise in
any or all of the virtual currency business activities set out under
Page 18 of 90
section 2 (2); or
(d) one or more persons, holding such qualifications as the Authority
deems appropriate.
PART 2
LICENSING
(2) The Authority may license an undertaking to carry on one or more of the following
virtual currency business activities for the period specified in the licence—
(a) issuing, selling or redeeming virtual coins, tokens or any other form of
virtual currency;
(b) operating as a payment service business utilising virtual currency which
includes the provision of services for the transfer of funds;
(c) operating as an electronic exchange;
(d) providing custodial wallet services;
(e) operating as a virtual currency services vendor.
(3) A person who contravenes this section is guilty of an offence and liable—
Page 19 of 90
Exemption order
11 (1) Section 10 shall not apply to any person exempted by or under an
exemption order issued in terms of this section.
(2) The Minister acting on the advice of the Authority may issue an
exemption order, which shall provide for—
(a) in respect of all virtual currency business activities under section 2(2);
(5) The following activities shall not constitute virtual currency business for
the purposes of section 10 (1)—
Page 20 of 90
(6) In subsection (3) (c), “specified” means specified by the exemption
order.
(7) An order made under this section is subject to the negative resolution
procedure.
(2) An application shall state the class of virtual currency business licence
required.
(a) class F licence, under which a person shall be licensed to provide any
or all of the virtual currency business activities under the definition of
virtual currency business; or
(b) class M licence, under which a person shall be licensed to provide
any or all of the virtual currency business activities under the
definition of virtual currency business for a defined period determined
by the Authority.
Page 21 of 90
and shall be accompanied by—
(a) a business plan setting out the nature and scale of the virtual
currency business activity which is to be carried on by the applicant;
(2) The Authority shall not grant an application unless it is satisfied that
the minimum criteria set out in Schedule 1 are fulfilled with respect to the applicant.
(3) A licence issued under this section may be subject to such limitations on
the scope of the virtual currency business activity or the manner of operating the virtual
Page 22 of 90
currency business as the Authority may determine to be appropriate having regard to the nature
and scale of the proposed business.
(6) The Minister, acting on the advice of the Authority, may by order
amend Schedule 1 by adding new criteria or by amending or deleting the criteria for the time
being specified in the Schedule.
(2) The Authority shall publish a list of every licenced undertaking and the
class of licence issued to it on its website.
Fees
Page 23 of 90
16 (1) A licensed undertaking shall pay such fee as may be determined by the
Authority and prescribed under the Bermuda Monetary Authority Act 1969—
(b) annually, before the 31st of March in every year following the year in
which it was licensed under section 12; of such amount;
(3) For each week or part of a week that a licensed undertaking fails to comply
with a requirement imposed on it by subsection (1), it shall be liable to a civil penalty
not exceeding $5,000.
(4) The Authority, if satisfied that payment of the annual fee in whole or in
part is inappropriate after taking into account the diminution in the level of virtual currency
business activity, may—
(a) defer payment of all or part of the annual fee otherwise due, to such date in
the future as it considers appropriate; or
(b) remit all or part of the annual fee otherwise due, on such terms and
conditions as it considers appropriate.
Separate accounts
17 A licensed undertaking holding client assets shall keep its accounts in
respect of such assets separate from any accounts kept in respect of any other business.
Page 24 of 90
Custody and protection of client assets
18 (1) A licensed undertaking holding client assets shall maintain a surety
bond or trust account, or indemnity insurance for the benefit of its clients in such form and
amount as is acceptable to the Authority for the protection of its clients or such other
arrangements as the Authority may approve.
(2) To the extent a licensed undertaking maintains a trust account in
accordance with this section; such trust account must be maintained with a qualified
custodian.
(3) A licensed undertaking that has control of one or more virtual
currencies for one or more clients must maintain in its control a sufficient amount of each type
of virtual currency in order to meet its obligations to clients.
(4) For the purposes of this section, “virtual currency” referred to is that which
is —
(a) held by the licensed undertaking for the client entitled to the virtual
currency;
(b) not property or virtual currency of the licensed undertaking; and
(c) is not subject to the claims of creditors of the licensed undertaking.
Senior representative
19 (1) Every licensed undertaking shall appoint a senior representative that satisfies the
requirements of (2).
(2) The senior representative shall be a person approved by the Authority to act in
such capacity on behalf of the licensed undertaking.
(4) At the time of licensing, the licensed undertaking shall provide written notice to
the Authority of the—
Page 25 of 90
altered, the licensed undertaking shall give particulars of the alteration in writing within
fourteen days of the date the alteration was made.
20 (1) A senior representative shall forthwith notify the Authority, in such manner
as it may direct,—
(2) Within fourteen days of such notification, the senior representative shall
furnish the Authority with a report in writing setting out all the particulars of
the case that are available to him.
(3) As respects any senior representative, this section applies to the following
events, being events in which the licensed undertaking for which he acts as senior
representative is involved, that is to say—
(a) failure by the licensed undertaking to comply substantially with a
condition imposed upon the licensed undertaking by the Authority;
(b) failure by the licensed undertaking to comply with a modified
provision, or with a condition, being a provision or condition specified
in a direction given to the licensed undertaking by the Authority;
(c) involvement of the licensed undertaking in any criminal proceedings
Page 26 of 90
whether in Bermuda or abroad;
(d) the licensed undertaking ceasing to carry on virtual currency business
in or from within Bermuda;
(e) a material change to the business of the licensed undertaking;
(f) a cyber security event.
Head office
(2) The virtual currency business of the licensed undertaking must be directed and
managed from Bermuda and, in determining whether the licensed undertaking complies
with this requirement, the Authority shall consider, inter alia, the factors set out in
subsection (3).
(a) where the strategy, risk management and operational decision making of the
licensed undertaking occurs;
(b) whether the presence of senior executives who are responsible for, and
involved in, the decision making related to the virtual currency business of
the licensed undertaking are located in Bermuda;
(c) where meetings of the board of directors of the licensed undertaking occur.
(4) Notwithstanding the considerations set out in subsection (3), the Authority
(a) the location where management of the licensed undertaking meets to effect
policy decisions of the licensed undertaking;
(b) the residence of the officers or employees of the licensed undertaking; or
(c) the residence of one or more directors of the licensed undertaking in
Bermuda.
(2) An application under this section shall be in such form, shall contain
such information and shall be accompanied by such documents as the Authority may
require.
Restriction of licence
23 (1) Subject to section 26, the Authority may restrict a licence—
Page 28 of 90
(c) in connection with the revocation of a licence—
(ii) at any time after such notice has been given to the licensed
undertaking; or
(d) at any time after the licensed undertaking has served a notice
surrendering its licence with effect from a later date.
(a) require the licensed undertaking to take certain steps or to refrain from
adopting or pursuing a particular course of action or to restrict the
scope of its business activities in a particular way;
(d) prohibit the licensed undertaking from accepting new virtual currency
business;
(e) prohibit the licensed undertaking from entering into any other
transactions or class of transactions;
(3) Any condition imposed under this section may be varied or withdrawn by
the Authority.
(4) The Authority may where it has made a determination on its own or on the
Page 29 of 90
application of a licensed undertaking, vary any condition imposed on its licence.
(5) The fact that a condition imposed under this section has not been
complied with shall, where the restriction has been imposed pursuant to paragraphs (a) or
(b)of subsection (1), be a ground for the revocation of the licence in question but shall
not invalidate any transaction.
Revocation of licence
24 Subject to section 25, the Authority may revoke the licence of a licensed
undertaking if the Authority is satisfied that—
(a) any of the minimum criteria is not or has not been fulfilled, or may not
be or may not have been fulfilled, in respect of the licensed
undertaking;
(b) the licensed undertaking has failed to comply with any obligation
imposed on it by or under this Act or is carrying on business in a
manner not authorised by its licence;
Page 30 of 90
Winding up on petition from the Authority
25 (1) On a petition presented by the Authority by virtue of this section, the
Court may wind up a licensed undertaking which is a company in respect of which a licence
is revoked, if the Court is of the opinion that it is just and equitable that the undertaking be
wound up.
(2) Part XIII (Winding Up) of the Companies Act 1981 shall apply to the
winding up of a licensed undertaking under this section.
the Authority shall give to the licensed undertaking concerned a warning notice under
section 53.
(2) Where—
the Authority shall give that person a copy of the warning notice but the Authority may omit
from such copy any matter which does not relate to him.
(3) After giving a notice under subsection (1) and taking into account
any representations made under section 53(2), the Authority shall decide whether—
Page 31 of 90
(a) to proceed with the action proposed in the notice;
(4) Once the Authority has made a decision under subsection (3), it shall
forthwith provide either a decision notice under section 54 or a notice of discontinuance under
section 55, as the case may be.
(5) The Authority shall publish in the Gazette, in such form as it thinks fit,
notice of every revocation of a licence under the Act.
(2) In any such case, the Authority may by written notice to the licensed
undertaking impose or vary the restriction.
(3) Any such notice shall state the reason for which the Authority has acted
and particulars of the rights conferred by subsection (5) and section 48.
(4) Section 23(2) shall apply to a notice under subsection (2) imposing or
(5) A licensed undertaking to which a notice is given under this section of the
Page 32 of 90
imposition or variation of a restriction and a person who is given a copy of it by virtue of
subsection (4) may within the period of 14 days beginning with the day on which the
notice was given make representations to the Authority.
(6) After giving a notice under subsection (2) imposing or varying a restriction
and taking into account any representations made in accordance with subsection (5),
the Authority shall decide whether—
(7) The Authority shall within the period of 28 days beginning with the day
on which the notice was given under subsection (2) give the licensed undertaking
concerned written notice of its decision under subsection (6) and, except where the
decision is to rescind the original decision, the notice shall state the reason for the decision.
(8) Where the notice under subsection (7) is of a decision to take the
action specified in subsection (6)(b), the notice under subsection (7) shall have the
effect of imposing the restriction or making the variation specified in the notice with effect
from the date on which it is given.
(2) Directions under this section shall be such as appear to the Authority to be
desirable for safeguarding the interests of the licensed undertaking’s clients or
proposed clients.
(2) A direction under section 28(1), except one varying a previous direction
shall—
(a) state the reasons for which it is given and give particulars of the
licensed undertaking’s rights under subsection (3) and section 48 where
appropriate ; and
(b) cease to have effect at the end of any period which may be set out by
the Authority in the notice.
(2) A surrender shall take effect on the date of the giving of approval by
the Authority.
PART 3
Page 34 of 90
AUDITED ACCOUNTS
Appointment of auditors
32 (1) Every licensed undertaking shall annually appoint an approved auditor
to audit its financial statements.
Page 35 of 90
(2) If a licensed undertaking fails to appoint an approved auditor as required
by subsection (1) or, at any time, fails to fill a vacancy for such auditor, the Authority may
appoint an approved auditor and shall fix the remuneration to be paid by that virtual currency
business to such auditor.
(4) A licensed undertaking which fails to comply with this section shall be
guilty of an offence and shall be liable on summary conviction to a fine of $25,000.
(5) For the purposes of this Part, “approved auditor” means an auditor who is
a person entitled to practise as a public accountant and is a member of a professional body
approved by the Authority for the purposes of this Act.
(4) An auditor who fails to comply with subsection (1) shall be guilty of an
offence and shall be liable on summary conviction to a fine of $25,000.
PART 4
(a) he has served on the Authority a written notice stating that he intends
to become such a controller of the licensed undertaking; and
(b) either the Authority has, before the end of the period of three
months beginning with the date of service of that notice, notified him in
writing that there is no objection to his becoming such a controller
of the licensed undertaking, or that period has elapsed without the
Authority having served him under section 29 a written notice of
objection to his becoming such a controller of the licensed
undertaking.
(4) Where additional information or documents are required from any person
by a notice under subsection (3), the time between the giving of the notice and the receipt of
the information or documents shall be added to the period mentioned in subsection (1)(b).
(a) that the person concerned is a fit and proper person to become a
controller of the description in question of the licensed undertaking;
(b) that the interests of clients and potential clients of the licensed
undertaking would not be in any manner threatened by that person
becoming a controller of that description of the licensed undertaking;
and
(c) without prejudice to paragraphs (a) and (b), that, having regard to
that person’s likely influence on the licensed undertaking as a
controller of the description in question, the criteria in Schedule 1
would continue to be fulfilled in the case of the licensed undertaking
or, if any of those criteria is not fulfilled, that that person is likely to
undertake adequate remedial action.
(2) Before serving a notice of objection under this section, the Authority shall
serve the person concerned with a preliminary written notice stating that the Authority
is considering service on that person of a notice of objection and that notice—
(a) shall specify which of the matters mentioned in subsection (1)the Authority
is not satisfied with and, subject to subsection (5), the reasons for which it
is not satisfied; and
Page 38 of 90
(b) shall give particulars of the rights conferred by subsection (3).
(3) A person served with a notice under subsection (2) may, within a period
of 28 days beginning with the day on which the notice is served, make written
representations to the Authority; and where such representations are made the Authority shall
take them into account in deciding whether to serve a notice of objection.
(a) specify which of the matters mentioned in subsection (1) the Authority
is not satisfied with and, subject to subsection (5), the reasons for
which it is not satisfied; and
(5) Subsections (2)(a) and (4)(a) shall not require the Authority to specify
any reason which would in its opinion involve the disclosure of confidential information the
disclosure of which would be prejudicial to a third party.
(7) The period mentioned in section 34(1)(b) (with any extension under
subsection (4) of that section) and the period mentioned in subsection (6) shall not expire, if
they would otherwise do so, until 14 days after the end of the period within which
representations can be made under subsection (3).
(2) Before serving a notice of objection under this section, the Authority shall
serve the person concerned with a preliminary written notice stating that the Authority
is considering service on that person of a notice of objection and that notice shall—
(a) subject to subsection (5), specify the reasons for which it appears to
the Authority that the person in question is not or is no longer a fit and
proper person as mentioned in subsection (1); and
(3) A person served with a notice under subsection (2) may, within a period of
28 days beginning with the day on which the notice is served, make written representations to
the Authority; and where such representations are made the Authority shall take them into
account in deciding whether to serve a notice of objection.
(a) subject to subsection (5), specify the reasons for which it appears to
the Authority that the person in question is not or is no longer a fit and
proper person as mentioned in subsection (1); and
(5) Subsections (2)(a) and (4)(a) shall not require the Authority to specify
any reason which would in its opinion involve the disclosure of confidential information
the disclosure of which would be prejudicial to a third party.
Contraventions by controller
37 (1) Subject to subsection (2), any person who contravenes section 34 by—
(a) failing to give the notice required by subsection (1)(a) of that section;
or
Page 40 of 90
applies before the end of the period mentioned in subsection (1)(b) of
that section in a case where the Authority has not served him with a
preliminary notice under section 35(2), shall be guilty of an offence.
(2) A person shall not be guilty of an offence under subsection (1) if he shows
that he did not know of the acts or circumstances by virtue of which he became a controller
of the relevant description; but where any person becomes a controller of any such description
without such knowledge and subsequently becomes aware of the fact that he has become
such a controller he shall be guilty of an offence unless he gives the Authority written notice of
the fact that he has become such a controller within 14 days of becoming aware of the fact.
(4) A person guilty of an offence under subsection (1) or (2) shall be liable
on summary conviction to a fine of $25,000.
(2) The Authority may by notice in writing served on the person concerned
direct that any specified shares to which this section applies shall, until further notice, be
subject to one or more of the following restrictions—
(a) any transfer of, or agreement to transfer, those shares or, in the case
of unissued shares, any transfer of or agreement to transfer the right
to be issued with them, shall be void;
(3) The Court may, on the application of the Authority, order the sale of any
specified shares to which this section applies and, if they are for the time being subject to
Page 42 of 90
any restrictions under subsection (2), that they shall cease to be subject to those restrictions.
(4) No order shall be made under subsection (3) in a case where the notice of
objection was served under section 36 or 37—
(a) until the end of the period within which an appeal can be brought
against the notice of objection; and
(5) Where an order has been made under subsection (3), the Court may, on
the application of the Authority, make such further order relating to the sale or transfer of the
shares as it thinks fit.
(6) Where shares are sold in pursuance of an order under this section, the
proceeds of sale, less the costs of the sale, shall be paid into the Court for the benefit of the
persons beneficially interested in them; and any such person may apply to the Court for the
whole or part of the proceeds to be paid to him.
(a) to all the shares in the licensed undertaking of which the person in
question is a controller of the relevant description which are held by
him or any associate of his and were not so held immediately before he
became such a controller of the licensed undertaking; and
(8) A copy of the notice served on the person concerned under subsection (2)
shall be served on the licensed undertaking or company to whose shares it relates and, if it
relates to shares held by an associate of that person, on that associate.
Page 43 of 90
PART 5
DISCIPLINARY MEASURES
(3) The Authority shall not impose a civil penalty where it is satisfied that
the person concerned took all reasonable steps and exercised all due diligence to ensure that
the requirement would be complied with.
(2) If the Authority decides to impose a civil penalty, it must give the
licensed undertaking concerned a decision notice.
Public censure
41 (1) If the Authority considers that a licensed undertaking has contravened a
requirement imposed on it by or under this Act, the Authority may publish a statement to
that effect.
(2) After a statement under this section is published, the Authority shall send
a copy of it to the licensed undertaking.
Prohibition orders
43 (1) Subsection (2) applies if it appears to the Authority that an individual is
not a fit and proper person to perform functions in relation to a regulated activity carried on
by a person who is licensed by the Authority under this Act (‘a regulated person’).
(2) The Authority may make a prohibition order prohibiting the individual
from performing a specified function, any function falling within a specified description, or
any function.
(7) The Authority shall publish a prohibition order that is in effect, and
every variation of such order, in such manner as it considers appropriate to bring the order
Page 45 of 90
to the attention of the public.
(2) If the Authority decides to make a prohibition order, it must give the
individual concerned a decision notice.
(2) If the Authority decides to grant the application, it must give the applicant
written notice of its decision.
(3) If the Authority decides to refuse the application, it must give the
applicant a decision notice.
(2) In deciding that question, the Authority may have regard (among other
things) to whether the applicant—
(a) that there is a reasonable likelihood that any person will contravene a
relevant requirement; or
(b) that any person has contravened a relevant requirement and that there
is a reasonable likelihood that the contravention will continue or be
repeated, the Court may make an order restraining the contravention.
(b) that there are steps which could be taken for remedying the
contravention, the Court may make an order requiring that person,
Page 47 of 90
and any other person who appears to have been knowingly concerned
in the contravention, to take such steps as the Court may direct to
remedy it.
(3) If, on the application of the Authority, the Court is satisfied that any
person may have—
the Court may make an order restraining such person from disposing of, or
otherwise dealing with, any of his assets which it is satisfied the person is reasonably likely to
dispose of or otherwise deal with.
PART 6
RIGHTS OF APPEAL
Rights of appeal
48 (1) A licensed undertaking granted a Class F license which is aggrieved by a
decision of the Authority—
Page 48 of 90
(b) to revoke its licence;
(2) Where—
(a) the ground or a ground for a decision within subsection (1)(a) or (b) is
that mentioned in section 26(2)(a); or
(4) Any individual in respect of whom a prohibition order has been made
under section 43 may appeal to the tribunal.
(5) Any person in respect of whom a decision notice has been issued refusing
a revocation or variation of a prohibition order may appeal to the tribunal.
Page 49 of 90
(a) until the end of the period within which the appeal can be brought; and
Constitution of tribunals
49 (1) A tribunal shall be constituted in accordance with this section, where an
appeal is brought under section 48, to determine the appeal.
(2) The tribunal shall consist of a chairman, or, in his absence, a deputy
chairman and two other members.
(3) The chairman and the deputy chairman shall be appointed by the Minister
for a term not exceeding three years, and shall be barristers and attorneys of at least seven
years’ standing.
(4) The two other members of the tribunal shall be selected by the chairman
or, in his absence, the deputy chairman, from a panel of members appointed by the
Minister under subsection (6), who shall be persons appearing to the chairman or, as the case
may be, the deputy chairman, to have relevant experience.
(5) During any period of time when the chairman or deputy chairman is
absent from Bermuda or is for any other reason unable to act, the Minister may appoint
another person to act in his place for the period of his absence or inability to act.
(6) The Minister shall appoint a panel of not less than nine persons with
relevant experience to serve as members of appeal tribunals.
Determination of appeals
50 (1) On an appeal made under section 48, the question for the determination of
the tribunal shall be whether, for the reasons adduced by the appellant, the
Page 50 of 90
decision was unlawful or not justified by the evidence on which it was based.
(2) On any such appeal, the tribunal may confirm or reverse the decision
which is the subject of the appeal but shall not have power to vary it except that—
(a) where the decision was to impose or vary any restriction, the tribunal
may direct the Authority to impose different restrictions or to vary
them in a different way; or
(b) where the decision was to revoke a licence, the tribunal may direct
the Authority to restrict it instead.
(2) The Minister may make regulations with respect to appeals and those
regulations may in particular make provision—
(a) as to the period within which and the manner in which such appeals are
to be brought;
(g) for taxing or otherwise settling any costs or expenses which the
tribunal directs to be paid and for the enforcement of any such
direction;
(3) Regulations made under subsection (2) shall be subject to the negative
resolution procedure.
(4) A person who, having been required in accordance with regulations
made under this section to attend and give evidence, fails without reasonable excuse to attend
or give evidence, shall be guilty of an offence and liable on summary conviction to a fine of
$10,000.
PART 8
Warning notices
53 (1) A warning notice must—
(2) The warning notice must specify a reasonable period (which may not be
less than 14 days) within which the person to whom it is given may make representations to the
Authority; and where such representations are made, the Authority shall take them into
account in deciding whether to give a decision notice.
(3) The Authority may extend the period specified in the notice.
Page 53 of 90
(5) A warning notice given under section 53 must set out the terms of the
prohibition.
Decision notices
54 (1) A decision notice must—
(a) be in writing;
(b) give reasons for the Authority’s decision to take the action to which
the notice relates;
(d) give an indication of the right to appeal the decision to the tribunal
under section 48.
(2) A decision notice shall be given within 90 days beginning with the day on
which a warning notice under section 53 was given; and if no decision notice under
subsection(1) is given within that period, the Authority shall be treated as having at the end of
that period given a notice of discontinuance under section 55.
(3) A decision notice about the imposition of a civil penalty under section 39
must state the date of payment.
(b) give details of the manner in which, and the date on which, the
statement will be published.
(5) A decision notice about a prohibition order made under section 43(2)
must—
Page 54 of 90
(6) A decision notice shall state the day on which it is to take effect.
(7) The Authority may, before it takes the action to which a decision notice
(“the original notice”) relates, give the person concerned a further decision notice which
relates to different action in respect of the same matter.
(8) The Authority may give a further decision notice as a result of subsection
(7) only if the person to whom the original notice was given consents.
(9) If the person to whom a decision notice under subsection (1) is given had
the right to refer the matter to which the original decision notice related to the tribunal, he has
that right as respects the decision notice under subsection (7).
Notices of discontinuance
55 (1) Subject to section 54(2), if the Authority decides not to take the action
proposed in a warning notice it must give a notice of discontinuance to the person to whom
the warning notice was given.
Publication
56 (1) Subject to sections 26, 41, 43, the Authority may publish such information
about a matter to which a decision notice relates as it considers appropriate.
(2) The Authority must not publish a decision notice under subsection (1)—
Page 55 of 90
undertaking.
(2) A notice required to be given under subsection (1) shall be given before the
end of the period of 14 days beginning with the day on which the licensed undertaking
becomes aware of the relevant facts.
(3) A licensed undertaking which fails to give a notice required by this section
shall be liable to a civil penalty calculated in accordance with subsection (4).
(4) For each week or part of a week that a licensed undertaking fails to comply
with a requirement imposed under subsection (1), it shall be liable to a civil penalty not
exceeding $5,000.
(a) require the undertaking to provide the Authority (or such person acting
on behalf of the Authority as may be specified in the notice), at such
time or times or at such intervals or in respect of such period or periods
as may be so specified, with such information as the Authority may
reasonably require for ensuring that the undertaking is complying with
the provisions of this Act and any code of practice, and for
safeguarding the interests of clients and potential clients of the
undertaking;
(b) require the undertaking to provide the Authority with a report, in such
form as may be specified in the notice, by the undertaking’s auditor or
by an accountant or other person with relevant professional skill in, or
on any aspect of, any matter about which the Authority has required
or could require the undertaking to provide information under
paragraph (a).
Page 56 of 90
required under subsection (1)(b) shall forthwith give written notice to the Authority of any
factor matter of which he becomes aware which is likely to be of material significance for
the discharge, in relation to the licensed undertaking, of the functions of the Authority under
this Act.
(2) Where, by virtue of subsection (1), the Authority or any officer, servant or
agent of the Authority has power to require the production of any documents from a
licensed undertaking, the Authority or that officer, servant or agent shall have the like
power to require the production of those documents from any person who appears to be in
possession of them; but where any person from whom such production is required claims
alien on documents produced by him, the production shall be without prejudice to the lien.
(3) The power under this section to require a licensed undertaking or other
person to produce any documents includes power—
Page 57 of 90
undertaking in question, to provide an explanation of any of them;
and
(b) if the documents are not produced, to require the person who was
required to produce them to state, to the best of his knowledge and
belief, where they are.
(5) The Authority may by notice in writing served on any person who is or is
to be a controller or officer of a licensed undertaking require him to provide the Authority,
within such time as may be specified in the notice, with such information or documents as
the Authority may reasonably require for determining whether he is a fit and proper person to
hold the particular position which he holds or is to hold.
(6) Any person who without reasonable excuse fails to comply with a
requirement imposed on him under this section shall be guilty of an offence and liable on
summary conviction to a fine of $10,000 or to imprisonment for six months or to both such
fine and imprisonment.
PART 9
INVESTIGATIONS
Page 59 of 90
(b) the ownership or control of the undertaking, and the Authority shall
give written notice of any such appointment to the undertaking
concerned.
(2) If a person appointed under subsection (1) thinks it necessary for the
purposes of the investigation he is appointed to carry out, he may also investigate the business
of any company which is or has at any relevant time been—
(3) Where a person appointed under subsection (1) decides to investigate the
business of any company by virtue of subsection (2), he shall give it written notice to that
effect.
(4) It shall be the duty of every person who is or was a controller, officer,
employee, agent, banker, auditor or barrister and attorney of a licensed undertaking which is
under investigation (whether by virtue of subsection (1) or (2)), or any person appointed to
make a report in respect of that undertaking under section 58(1)(b)—
(a) to produce to the persons appointed under subsection (1), within such
time and at such place as they may require, such documents, or
documents of such description, as may be specified, being documents
the production of which may be reasonably required for the
investigation, which are in his custody or power;
(b) to attend before the persons so appointed at such time and place as
Page 60 of 90
they may require and answer questions relevant to the investigation
as the persons appointed under subsection (1) may require; and
(5) For the purpose of exercising his powers under this section, a person
appointed under subsection (1) may enter any premises occupied by a licensed
undertaking which is being investigated by him under this section; but he shall not do
so without prior notice in writing.
(7) Unless the Authority otherwise directs, the licensed undertaking under
investigation shall pay to the Authority all expenses of, and incidental to, the investigation.
(c) without reasonable excuse, fails to answer any question which is put
to him by persons so appointed with respect to a licensed undertaking
which is under investigation or a company which is being investigated
by virtue of subsection (2); or
(d) an individual may not be a fit and proper person to perform functions
in relation to a regulated activity within the meaning of section 37.
(a) business carried on at any time when the undertaking was licensed
under this Act; or
Page 62 of 90
(a) to provide, at such place as may be specified in the notice and
either forthwith or at such time as may be so specified, such
information as the Authority may reasonably require for the purpose
of the investigation;
(c) to attend at such place and time as may be specified in the notice
and answer questions relevant to the enquiry as the Authority may
require.
(2) The Authority may by notice in writing require every person who is or
was a controller, officer, employee, agent, banker, auditor or barrister and attorney of an
undertaking which is under investigation by virtue of subsection (1)—
(a) to produce to the Authority, within such time and at such place as the
Authority may require, such documents, or documents of such
description, as may be specified, being documents the production of
which may be reasonably required for the investigation, which are in
his custody or power;
(b) to attend before the Authority at such time and place as the Authority
may require and answer questions relevant to the investigation as the
Authority may require; and
(c) to take such actions as the Authority may direct in connection with
the investigation.
Page 63 of 90
required evidence of his authority, enter any premises occupied by a person on whom a
notice has been served under subsection (1) for the purpose of obtaining there the
information or documents required by the notice, putting the questions referred to in
paragraph (c) of that subsection or exercising the powers conferred by subsection (3).
(5) Any person who without reasonable excuse fails to comply with a
requirement imposed on him under this section or intentionally obstructs a person in the
exercise of the rights conferred by subsection (4) shall be guilty of an offence and liable
on summary conviction to a fine of $10,000 or to imprisonment for six months or to both
such fine and imprisonment.
(8) For the purposes of this section, a person is connected with the person
under investigation if such person is or has at any relevant time been—
(a) a person has failed to comply with a notice served on him under
section 64;
(b) that there are reasonable grounds for suspecting the completeness of
any information provided or documents produced by the person in
response to a notice served on him under section 63; or
Page 64 of 90
(c) that there are reasonable grounds for suspecting that if a notice were
served on the person under section 63 it would not be complied with
or that any documents to which it would relate would be removed,
tampered with or destroyed.
(2) A warrant under this section shall authorise any police officer not below
the rank of inspector, together with any other person named in the warrant and any other
police officers—
(3) A warrant under this section shall continue in force until the end of the
period of one month beginning with the day on which it is issued.
(4) Any documents of which possession is taken under this section may be
retained—
Obstruction of investigations
65 (1) A person who knows or suspects that an investigation is being or is likely
to be carried out—
PART 10
Page 66 of 90
CERTIFICATE OF COMPLIANCE
Certificates of compliance
66 (1) Every licensed undertaking shall, within four months from the end of
its financial year, deliver to the Authority a certificate of compliance, signed by an officer of
the undertaking, made up to the end of its financial year, certifying that the undertaking has
complied with the minimum criteria and codes of practice.
PART 11
Restricted information
67 (1) Except as provided by sections 68, 69 and 70, no person who—
(a) under or for the purposes of this Act, receives information relating to
the business or other affairs of any person; and
(2) This section does not apply to information which at the time of the
disclosure is or has already been made available to the public from other sources or to
information in the form of a summary or collection of information so framed as not to enable
Page 67 of 90
information relating to any particular person to be ascertained from it.
(3) Any person who discloses information in contravention of this section
commits an offence and is liable—
(b) its functions under the Bermuda Monetary Authority Act 1969.
(2) Section 70 does not preclude the disclosure of information for the
purpose of enabling or assisting an authority in a country or territory outside Bermuda to
exercise functions corresponding to the functions of the Authority under this Act.
(b) with a view to the undertaking of, or otherwise for the purposes of,
any criminal proceedings, whether under this Act or any other Act;
(c) in connection with any other proceedings arising out of this Act.
(5) Section 61does not preclude the disclosure by the Authority to the Director
of Public Prosecutions or a police officer not below the rank of inspector of information
obtained pursuant to section 62, 64 or 65 or of information in the possession of the
Authority as to any suspected contravention in relation to which the powers conferred by
those sections are exercisable.
(a) for the purpose of enabling or assisting the Authority to discharge its
functions under this Act; or
(b) with a view to the undertaking of, or otherwise for the purpose of,
criminal proceedings, whether under this Act or any other Act.
Page 69 of 90
(3) In this section—
PART 13
Page 70 of 90
(3) It shall be a defence for a person charged with an offence under subsection
(1) to prove—
(b) if not an individual, that every person acting on such person’s behalf
had no such knowledge, and took every such reasonable precaution,
as aforesaid.
Offences
72 (1) Where an offence under this Act committed by a licensed undertaking is
proved to have been committed with the consent or connivance of, or to be attributable to
neglect on the part of, any officer of the licensed undertaking, or any person who was
purporting to act in any such capacity, he, as well as the licensed undertaking, shall be guilty
of that offence and be liable to be proceeded against and punished accordingly unless such
person shows that he took all reasonable steps to avoid the commission of an offence.
Notices
Page 71 of 90
74 (1) This section has effect in relation to any notice, direction or other
document required or authorised by or under this Act to be given to or served on any person
other than the Authority.
(2) Any such document may be given to or served on the person in question
by—
(3) Any such document may in the case of a company be given to or served
by—
(2) Subject to subsection (1), such notice may be given by facsimile or other
similar means which produces a document containing the text of the communication.
(2) When a person is liable to a civil penalty imposed by or under this Act,
Page 72 of 90
such person shall not also be charged with an offence under this Act in relation to the
same matters.
(3) A civil penalty levied pursuant to this Act may be recovered by the
Authority as a civil debt.
Regulations
77 (1) The Minister may, after consulting with the Authority, make regulations
prescribing anything which may be prescribed under this Act and generally for the
implementation of this Act.
(2) Without prejudice to the generality of subsection (1), regulations may
in particular provide with respect to any of the following matters—
(4) Regulations made under this Act shall be subject to the negative
resolution procedure.
Transitional
78
Page 73 of 90
(1) An undertaking carrying on virtual currency business prior to the
commencement of this Act shall be required to submit an application to the Authority
in accordance with section 12 within three months of the date of commencement of this
Act.
(2) An undertaking shall be liable to pay the fee prescribed by virtue of
section 12 on the issue of its licence under subsection (1), and shall be liable to pay
the fee prescribed thereby on or before 31 March and annually thereafter, and the
provisions of section 12(2) shall apply in relation to failure to pay such fee.
Consequential amendments
79 Schedule 2 which amends the Bermuda Monetary Authority Act 1969, the Anti-
Terrorism (Financial and Other Measures) Act 2004, Proceeds of Crime (Anti-Money
Laundering and Anti-Terrorist Financing Supervision and Enforcement) Act 2008 and the
Proceeds of Crime Act 1997 has effect.
SCHEDULE 1
(Section 13)
Page 74 of 90
MINIMUM CRITERIA FOR LICENSING
(d) engaged in or has been associated with any other business practices or
Page 75 of 90
otherwise conducted himself in such a way as to cast doubt on
his competence and soundness of judgement.
(b) any applicable law, including the provisions of the law pertaining to
anti-money laundering and anti-financing of terrorism as provided
in the Proceeds of Crime Act 1997, the Anti-Terrorism (Financial
and Other Measures) Act 2004 and the Proceeds of Crime (Anti-
Money Laundering and Anti-Terrorist Financing) Regulations 2008;
Page 76 of 90
(5) Those records and systems shall not be regarded as adequate unless they
are such as to enable the business of the licensed undertaking to be prudently
managed and the licensed undertaking to comply with the duties imposed on it by or
under this Act or other provisions of law.
Corporate governance
4 (1) The licensed undertaking shall implement corporate governance policies
and processes as the Authority considers appropriate given the nature, size, complexity
and risk profile of the licensed company.
Page 77 of 90
Consolidated supervision
5 The position of the licensed undertaking within the structure of any group to
which it may belong shall be such that it will not obstruct the conduct of effective
consolidated supervision.
SCHEDULE 2
(Section 79)
CONSEQUENTIAL AMENDMENTS
Page 78 of 90
(a) equals $450,000; and
(b) equals the higher of $15,000 and 0.00075
multiplied by client receipts.
(4) Exemption or modification of rules or requirements
pursuant to section 8 $5,000
(5) Extension of Class M licence under section 12 (6)
$10,000
(6) Variation of a condition under section 20 $5,000
Page 79 of 90
(a) in the definition of “AML/ATF regulated financial institution”, by
inserting the following subsection after subsection “(i)” and
substituting the following—
Page 80 of 90
EXPLANATORY MEMORANDUM
The purpose of this Act is to introduce a supervisory framework for the Bermuda
Monetary Authority to regulate persons carrying on virtual currency business and for
the protection of the interests of clients or potential clients of persons carrying on the
business of virtual currency business.
Page 81 of 90
to require such to be filed by licensed undertakings; keep a copy of the most recent
Rules or returns at its head office and file such with the Authority no later than four
months after the end of its financial year.
Clause 8 makes provision for the Authority to modify or exempt licensed
undertakings from the requirements of Act, prudential standards and statutory returns
and empowers the Authority to take necessary or other actions in relation to the
business or operations of licensed undertakings.
Clause 9 makes provision for the establishment of an Advisory Panel to
the Authority.
Clause 10 prohibits any person from carrying on virtual currency business
unless that person is licensed by the Authority or exempted under clause 11.
Clause 11 empowers the Minister to make orders exempting specified
persons from the requirement to hold a licence. The Minister may, acting on the
advice of the Authority, issue an exemption order.
Clause 12 provides a procedure for making applications to the Authority
for licences. An application must be accompanied by a business plan, application fee
prescribed under the Bermuda Monetary Authority Act 1969 and such other
information or documents as the Authority may require.
Clause 13 empowers the Authority to grant or refuse applications for
licences. The Authority must refuse an application unless it is satisfied that the
minimum criteria are fulfilled with respect to the applicant. The Minister is
empowered to amend Schedule 1 that sets out the minimum criteria by order.
Clause 14 empowers the Authority to determine that an undertaking
should be licensed in a class otherwise than it applied for.
Clause 15 requires licences to be displayed. The Authority is required to
publish a list of all licensed undertakings on its website.
Clause 16 provides for fees to be prescribed under the Bermuda Monetary
Authority Act 1969. It provides for the fees to be payable on the grant of the licence
and thereafter annually on or before 31 March. Where a licensed undertaking fails to
submit such fee in time, it shall be liable to a civil penalty.
Page 82 of 90
Clause 17 makes provision for a licensed undertaking to hold client assets
separate from those of its business.
Clause 18 makes provision for an obligation to be imposed on an
undertaking to maintain either a surety; obtain insurance or place assets in a trust to
cover losses by the licensed undertaking which may arise in relation to client assets.
Clause 19 imposes an obligation on all licensed undertakings to appoint a
senior representative with an office in Bermuda.
Clause 20 makes provision for every senior representative to report certain
events to the Authority.
Clause 21 introduces a requirement for every licensed undertaking to
maintain a head office in Bermuda. The intent of this clause is to ensure that every
undertaking licensed has a “physical presence” on island.
Clause 22 provides for licensed undertakings to apply to the Authority in
respect of “material changes” to its business.
Clause 23 empowers the Authority to restrict the licence of an undertaking
where inter alia; a licensed undertaking fails to satisfy the minimum criteria; it
contravenes a provision of the Bill or fails to meet an obligation imposed by or under
the Bill - but in circumstances not to justify revocation of the licence. The Authority’s
objective in restricting a licence is to protect clients or potential clients of an
undertaking.
Clause 24 provides for the revocation of a licence and the grounds for
revocation are set out under paragraphs (a) to (f).
Clause 25 provides for the winding-up of a licensed undertaking that has
had its licence revoked, if it is just and equitable to wind it up.
Clause 26 requires the Authority to give notice to a licensed undertaking
where it proposes to restrict, vary a restriction or revoke its licence. The Authority is
required to give the undertaking a warning notice in writing which must state the
action it proposes to take and give reasons for the proposed action. The licensed
undertaking is given the opportunity to make representations to the Authority. The
Authority after considering representations made to it by the licensed undertaking can
Page 83 of 90
decide to either proceed with its proposed action or take no further action. It can also,
where it has proposed revoking a licence, restrict it instead; and where it has proposed
restricting or varying the licence in a certain manner, restrict or vary it in a different
manner. Once the Authority has made its decision it must provide a decision notice in
writing which shall set out the reasons for its decision and where appropriate, an
indication of the right to appeal to a tribunal. Where the Authority decides not to take
the action proposed in a warning notice it must give a notice of discontinuance,
identifying the action which is being discontinued.
Clause 27 provides for the imposition of restrictions in cases of urgency
by the Authority. In such cases, the Authority is not required to give a licensed
undertaking notice under clause 26 (1) of its intention to impose a restriction. A
licensed undertaking may also make representations to the Authority and a Class F
licensed undertaking only can appeal a decision of the Authority under this clause.
Clause 28 provides for the giving of directions by the Authority to a
licensed undertaking following the revocation or surrender of its licence- where such
directions as appear to the Authority desirable for safeguarding the interests of the
clients. Failure to comply with directions is a criminal offence.
Clause 29 provides for the notification and confirmation of directions
given by the Authority to licensed undertakings under clause 28. The Authority is
required to give directions by notice in writing and is empowered to vary a direction
by a further direction. The Authority may also revoke a direction by notice in writing
by exercise of its powers under this clause. Further, a direction given shall cease to
have effect at the end of 28 days unless it is confirmed by a further notice given by
the Authority to the licensed undertaking.
Clause 30 provides for the surrender of a licence by an undertaking. The
surrender of a licence is irrevocable, unless it is expressed to take effect at a future
date, and before that date the Authority by notice in writing allows it to be withdrawn.
Clause 31 makes provision for every licensed undertaking to prepare
annual financial statements or accounts; keep a copy of the most recent accounts at its
head office along with the auditor’s report, and file such with the Authority no later
Page 84 of 90
than four months after the end of its financial year.
Clause 32 requires every licensed undertaking to annually appoint an
auditor approved by the Authority to audit its financial statements or accounts. A
licensed undertaking which fails to do so is guilty of an offence and liable on
summary conviction to a fine of $25,000.
Clause 33 imposes an obligation on appointed auditors to communicate
certain matters to the Authority, including his resignation, his intention to not seek re-
appointment and a decision to include a modification in his report. An auditor who
fails to comply with any requirement imposed on him under this section shall be
liable on summary conviction to a fine of $25,000.
Clause 34 requires any person who proposes to become a 10%, majority
shareholder controller or a partner of a licensed undertaking to obtain the prior
approval of the Authority by notice in writing. Such person shall only become a
shareholder controller if the Authority does not object or respond within a specified
period.
Clause 35 provides for the Authority to object to any person who seeks to
become a new controller of; or to increase his shareholding in a licensed undertaking.
Provision is further made for the time frame of notices to be submitted to the
Authority and the Authority to respond to same, accordingly. Persons receiving any
notice from the Authority under this section may also make representations to the
Authority which it has to take into account in its determinations.
Clause 36 provides for the Authority to object to an existing controller
who it considers is no longer a fit and proper person. Provision is made for the giving
of notices and for the making of representations by the person concerned.
Clause 37 provides for contraventions by a controller of various
requirements under the Bill. Contraventions are committed, in particular, with respect
to the failure by a person to notify the Authority as required that the person is to
become a 10% or majority controller of a licensed undertaking or where a person fails
to comply with notices of objection to him being a controller given by the Authority.
The Authority may impose penalties which range from $25,000 to $50,000.
Page 85 of 90
Clause 38 makes provision for the Authority to impose certain restrictions
on the shares of a controller. The Authority may also apply to the court for an order
for the sale of specified shares.
Clause 39 proposes to empower the Authority to impose civil penalties of
up to $10,000,000 for failure to comply with any requirement, or contravention of
any prohibition, imposed by or under the Bill.
Clause 40 makes provision for Authority must give a warning notice first,
followed by a decision notice where it intends to impose a civil penalty.
Clause 41 makes provision for public censure of a licensed undertaking by
the publication of a statement by the Authority that such undertaking has contravened
a requirement imposed by or under the Bill.
Clause 42 sets out the public censure procedure.
Clause 43 proposes to empower the Authority to make prohibition orders
depending on the circumstances of each particular case and after an assessment of the
qualities of the individual concerned. A person who performs or agrees to perform a
function in breach of the order would be liable to a civil penalty.
Clause 44 proposes to introduce the procedure for the making of
prohibition orders by the Authority. The Authority must first give a warning notice
followed by a decision notice.
Clause 45 establishes a procedure for the making of applications to vary or
revoke a prohibition order.
Clause 46 makes provision for the Authority to grant an application under
section 45 to revoke or vary a prohibition order if it is satisfied that a person in
respect of whom an order had been made is now fit and proper.
Clause 47 makes provision for the Authority to apply to the Supreme
Court to issue of three types of injunction orders as required.
Clause 48 provides for appeals to a tribunal against decisions of the
Authority in certain circumstances by Class F license holders only.
Clause 49 provides for the constitution of appeal tribunals. A tribunal
comprises a chairman, or deputy chairman to act in his absence, who must be a
Page 86 of 90
barrister and attorney of at least seven years standing; and two other members with
virtual currency business experience. The chairman and deputy chairman of the
tribunal are appointed by the Minister. The other members are appointed by the
chairman, or, in his absence, by the deputy chairman from a panel.
Clause 50 provides for the jurisdiction and powers of the tribunal in the
determination of appeals.
Clause 51 provides for costs, procedure and evidence related to any party
to the appeal.
Clause 52 provides for further appeals by a licensed undertaking or other
person against the decisions of the tribunal to lie to the Supreme Court on questions
of law only.
Clause 53 makes provision for the process of the issuance of warning
notices by the Authority. The warning notice must set out the proposed action and
the reasons for it and also gives an indication of whether or not the Authority
proposes to publish its decision. The notice provides a period of not less than 14 days
to enable the licensed undertaking or person concerned to make representations. The
Authority could extend this period on application.
Clause 54 makes provision for the process by the Authority to issue a
decision notice. The decision notice must provide the particulars of the decision and
the reasons for the action and an indication of whether or not the Authority intends to
publish the decision. It shall also inform the person concerned of its right to appeal to
the tribunal. The Authority is required to make a determination within 90 days after
issuance of a warning notice and if no decision notice is given within that period, it
shall be treated as having discontinued the action. Provision is also made for the
Authority to take a different action in accordance with certain requirements.
Clause 55 makes provision for the Authority to give a notice of
discontinuance to the person concerned if, following the issue of a warning notice the
Authority decides not to proceed with the proposed action.
Clause 56 makes provision for the Authority to decide what information
should be published about a decision and prohibits the Authority from publishing a
Page 87 of 90
decision unless it has first notified the person concerned, and pending the outcome of
any appeal that might have been made.
Clause 57 requires a licensed undertaking to notify the Authority of any
change in its controllers or officers. Where an undertaking fails to comply, it shall be
liable to a civil penalty.
Clause 58 makes provision for the Authority to obtain information and
reports from a licensed undertaking. A report requested by the Authority under this
clause may be prepared by a licensed undertaking’s auditor, accountant or other
person.
Clause 59 provides for the production of documents for examination by
the Authority. The Authority may also require, amongst other matters, for the parent
or a subsidiary company of a licensed undertaking to produce documents for its
examination, if it appears to it to be desirable in the interests of clients.
Clause 60 makes provision for any officer, servant or agent of the
Authority to enter into premises occupied by a licensed undertaking to obtain
information or documents in certain circumstances.
Clause 61 makes provision for the Authority to investigate the virtual
currency business conducted by a licensed undertaking. Such investigations may be
conducted by third parties on behalf of the Authority; all expenses of which are
payable by the licensed undertaking under investigation unless otherwise directed by
the Authority. The Authority may launch an investigation into the nature, conduct or
state of the business of a licensed undertaking or any particular aspect of it; or into the
ownership and control of a licensed undertaking. Various powers are given to the
investigator to enable him to carry out his duties. Various offences are created in
connection with the failing of a licensed undertaking or other relevant persons to
assist in or in obstructing an investigation.
Clause 62 makes provision for the Authority to investigate suspected
contraventions of fundamental requirements in the Bill and other requirements
imposed by or under the Bill, regulations, rules or orders for purposes of the Bill.
Clause 63 makes provision for a power to be exercised by the Authority to
Page 88 of 90
require a person under investigation or any person connected to the person under
investigation to provide information, produce documents or attend for questioning.
Clause 64 makes provision for the issuance of search warrants by a
magistrate in cases where a person is suspected of removing, tampering or destroying
documents required by the Authority for its functions, or in cases where a person
under investigation or any person connected to the person under investigation refuses
to provide the information or documents requested by the Authority.
Clause 65 makes it an offence for a person who knows or suspects that an
investigation is likely to be carried out in certain circumstances, to obstruct
investigations.
Clause 66 makes provision for a licensed undertaking to within four
months from the end of its financial year, deliver to the Authority a certificate signed
by an officer of the licensed undertaking, certifying that the licensed undertaking has,
(with respect to the preceding financial year) complied or failed to comply with the
minimum criteria for licensing under Schedule 1 and codes of practice; and that it has
observed any limitations imposed on it by the Authority under its license (if
applicable).
Clause 67 prohibits the disclosure of information relating to the business
or other affairs of persons coming into the possession of any person exercising
functions under the Act.
Clause 68 authorises the disclosure of information in clause 67 if it is
necessary for facilitating the discharge of the functions of the Authority.
Clause 69 authorises disclosure to the Minister and to other authorities in
Bermuda by the Authority for the purpose of enabling or assisting them to discharge
their regulatory functions. Disclosure may be made to overseas regulators who
exercise functions corresponding to the functions of the Authority, provided that such
overseas regulators are subject to similar restrictions on further disclosure.
Information may be disclosed for the purposes of criminal proceedings and may be
disclosed to the Director of Public Prosecutions or a police officer not below the rank
of inspector.
Page 89 of 90
Clause 70 imposes similar restrictions on the disclosure of information
supplied to the Authority by an overseas authority
Clause 71 creates offences in connection with false documents or
information.
Clause 72 provides for offences committed by a licensed undertaking in
certain circumstances.
Clause 73 proposes to prohibit the use of the words "virtual currency
business" by persons not holding a licence.
Clause 74 provides the procedure for the giving and serving of notices to a
licensed undertaking.
Clause 75 provides that a notice required under the Bill to be given or
served on the Authority shall not be regarded as given or served until it is received by
the Authority.
Clause 76 makes provision that where a person is convicted of an offence
under the Bill no civil penalty can be imposed relative to the same matter.
Clause 77 makes provision for the Minister after consulting with the
Authority to make regulations prescribing any matter which may be prescribed and in
general to implement the requirements of the Act.
Clause 78 makes provision for transitional arrangements relating to
persons already carrying on virtual currency business prior to commencement of the
Act to make an application to the Authority within three months of the date of
commencement or cease conducting business. Any person who makes such an
application within the requisite timeframe may carry on conducting business until
such time their application is approved or declined by the Authority or withdrawn by
them.
Clause 79 provides for consequential amendments to the Bermuda
Monetary Act 1969 and Anti- Terrorism and Proceeds of Crime laws to bring it into
conformity with the Bill.
Page 90 of 90
VIRTUAL CURRENCY (CLIENT DISCLOSURE) RULES 2018
BERMUDA
BR / 2018
TABLE OF CONTENTS
1 Citation
2 Interpretation
3 Disclosures and other protections for clients
The Bermuda Monetary Authority (the Authority), in exercise of the powers conferred
by section 7of the Act, makes the following Rules—
Citation
1 These Rules may be cited as the Virtual Currency (Client Disclosure) Rules 2018.
Interpretation
2 In these Rules—
“Act” means the Virtual Currency Business Act 2018;
(2) A disclosure required by sub-section (1) must be made separately from any other
information provided by the licensed undertaking to the client and shall be provided in a
manner which allows for the client to record the disclosure.
(5) At the time of entering into an agreement to provide products and services to a
client, each licensed undertaking shall disclose to such client to the extent such matters are
applicable to the product or service to be provided—
(b) a schedule of fees and charges for any service or product to be provided by the
licensed undertaking; the manner in which fees and charges will be calculated
by the licensed undertaking if such are not set in advance and disclosed at the
time the agreement is entered into and the manner in which payment is to be
made by the client to the licensed undertaking in respect of any fee or charge
payable;
(c) whether the licensed undertaking has obtained insurance to address losses
which may arise as a result of the provision of any service or product it may
offer; which includes but is not limited to, insurance cover for cyber or any
other type of theft;
(f) at the conclusion of a transaction with a client, the licensed undertaking shall
provide to the client by confirmation in writing the following information—
Chairman
The Bermuda Monetary Authority
BERMUDA MONETARY AUTHORITY
CODE OF PRACTICE
APRIL 2018
1
Contents
I. INTRODUCTION ............................................................................................................................... 3
II. PROPORTIONALITY PRINCIPLE ........................................................................................................ 3
III. CORPORATE GOVERNANCE......................................................................................................... 3
The Board ............................................................................................................................................ 4
Oversight Responsibilities of the Board .............................................................................................. 5
Responsibility of the Chief and Senior Executives .............................................................................. 6
VI. SENIOR REPRESENTATIVE .................................................................................................................. 6
V. RISK MANAGEMENT FRAMEWORK............................................................................................. 7
Risk Management Function ................................................................................................................ 7
VI. CLIENT DUE DILIGENCE ............................................................................................................... 8
VII. INTEGRITY AND ETHICS ............................................................................................................... 8
VIII. DISCLOSURE OF INFORMATION .................................................................................................. 8
IX. INTERNAL MANAGEMENT CONTROLS ........................................................................................ 9
Segregation and Protection of Client Assets....................................................................................... 9
Competent and Effective Management............................................................................................ 10
Delegation ......................................................................................................................................... 10
Accounting and other Record Keeping ............................................................................................. 10
Adequate Personnel.......................................................................................................................... 10
Cybersecurity Program ..................................................................................................................... 10
Internal Audit Function ..................................................................................................................... 12
Compliance Function ........................................................................................................................ 12
Self-Assessment ................................................................................................................................ 13
Fees ................................................................................................................................................... 13
Client Agreements ............................................................................................................................ 14
Responsibility to Clients and Client Complaint Procedures .............................................................. 14
Conflicts of Interest ........................................................................................................................... 14
X. OUTSOURCING ............................................................................................................................. 15
XI. COOPERATION WITH REGULATORY AUTHORITIES ................................................................... 15
2
I. INTRODUCTION
1. This Code of Practice (the “Code”) is made pursuant to section 6 of the Virtual
Currency Business Act 2018 (the “Act”). Section 6 requires the Bermuda Monetary
Authority (the “Authority”) to publish in such manner as it thinks fit a code that
provides guidance on the duties, requirements, procedures, standards and sound
principles to be observed by persons carrying on virtual currency business. Failure to
comply with provisions set out in the Code will be a factor taken into account by the
Authority in determining whether a licensed virtual currency business service
provider (“VCB”) is meeting its obligation to conduct its business in a sound and
prudent manner.
2. The Code should be read in conjunction with the Virtual Currency Business Statement
of Principles issued under section 5 of the Act.
4. Accordingly, the Authority will assess the VCB’s compliance with the Code in a
proportionate manner relative to its nature, scale, and complexity. These
elements will be considered collectively, rather than individually (e.g. a VCB could
be relatively small in scale, but carry out extremely complex business and therefore
would still be required to maintain a sophisticated risk management framework). In
defining these elements:
(a) Nature includes the relationship between the client entity and the VCB or
characteristics of the service provided (e.g. a VCB that takes custody of a
clients’ assets versus one that does not, etc.);
(b) Scale includes size aspects such as volume of business conducted or size
of the balance sheet in conjunction with materiality considerations (e.g. an
assessment of the impact of a VCB’s failure); and
(c) Complexity includes items such as organisational structures and product
design.
5. In assessing the existence of sound and prudent business conduct, the Authority will
have regard for both its prudential objectives and the appropriateness of each Code
provision for the VCB, taking into account that VCB’s nature, scale, and complexity.
3
framework, which provides for appropriate oversight of the VCB’s business
and adequately recognises and protects the interests of clients. The framework
should have regard for international best practice on effective corporate
governance. Corporate governance includes principles on corporate
discipline, accountability, responsibility, compliance, and oversight.
8. The ultimate responsibility for sound and prudent governance and oversight of the
VCB rests with its board of directors or equivalent governing body (“the board”).
In this regard, the board is responsible for ensuring corporate governance policies
and practices are developed and applied in a prudent manner that promotes the
efficient, objective and independent judgment and decision making by the board.
The board must also have adequate powers and resources to be able to
discharge its duties fully and effectively.
The Board
9. The Authority recognises that the board plays a critical role in the successful
operation of a VCB. The board is chiefly responsible for setting corporate strategy,
reviewing and monitoring managerial performance and determining an acceptable
level of risk. Therefore, the effectiveness of the VCB’s board is a basic tenet of the
Authority’s risk-based supervisory approach. Pragmatically, the board will likely
delegate tasks; however, delegation of authority to board committees, chief and
senior executives, employees, or external parties does not absolve the board from its
ultimate responsibilities.
10. The board must ensure that the business is effectively directed and managed, and
conducted in a professional manner with appropriate integrity, and due care. It is the
responsibility of the board to ensure that processes exist to assess and document the
fitness and propriety of its members, controllers, and officers. The board must also
take into account the fact that conflicts, or potential conflicts of interest, may on
occasion preclude the involvement of specific individual members on particular
issues or decisions.
11. To effectively discharge its duties, the board must have an appropriate number and
mix of directors to ensure that it has requisite experience, knowledge, skills and
expertise commensurate with the nature, scale and complexity of the VCB’s
business.
(a) act in good faith, honestly and reasonably exercise due care and diligence;
(b) ensure the interests of clients are protected;
(c) exercise independent judgment and objectivity in his/her decision
making; and
(d) ensure appropriate policies and procedures exist to effectively deal with
conflicts of interest.
4
Oversight Responsibilities of the Board
13. As the VCB’s governing body, a key board responsibility is setting appropriate
strategies and overseeing the implementation. This includes ensuring that senior
executives establish a framework to implement the VCB’s strategic business
objectives.
14. The board is also responsible for providing suitable oversight of the VCB’s
governance, risk management and internal controls frameworks, including any
activities and roles that are delegated or outsourced. A list of oversight
responsibilities that the board must consider when establishing and assessing the
effectiveness of the corporate governance framework include ensuring the existence
of:
5
relevant, and timely information to enable it to carry out its duties and
functions, including the monitoring and review of the performance and risk
exposures of the VCB and the performance of senior executives.
15. The board must ensure that great care is taken in the selection of the chief and senior
executives given the important role these play. In addition to supporting the board, the
chief and senior executives are also responsible for the prudent administration of the
VCB. Such responsibilities include:
• Manage and execute the day-to-day operations of the VCB, subject to the
mandate established by the board and the laws and regulations in the operating
jurisdiction;
• Assist the board to develop and implement an appropriate control environment
including those around reporting and security systems;
• Provide recommendations on strategic plans, objectives, key policies, and
procedures to the board for evaluation and authorisation;
• Assist the board with its oversight responsibilities by ensuring that the board has
accurate and timely information, allowing the board to conduct robust and candid
discussions on operational performance, strategy, and major policies, and to
appraise the performance of management;
• Support oversight of both internal control functions (e.g. risk management,
internal audit, compliance) and external third-party services;
• Ensure that key functions assigned corporate governance responsibilities are
supported with adequate resources to execute and discharge their duties; and
• Ensure that external service providers, including approved auditors, have
adequate resources and information to fulfil their role, including access to timely
and accurate internal and outsourced records.
Given the governance responsibilities, where requirements are imposed upon the VCB
throughout the Code, the Authority will look to, and expect, the chief and senior
executives, and ultimately the board, to ensure compliance.
16. The role of the approved senior representative is integral to the BMA’s VCB
supervisory and regulatory framework. While the VCB’s board and the chief and senior
executives have primary responsibility for the conduct and performance of the VCB,
the approved senior representative acts in an “early warning” role and monitors the
VCB’s compliance with the Act on a continuous basis in accordance with Section 20 of
the Act.
17. The Act requires every VCB to appoint a senior representative who must be resident in
Bermuda, and to maintain a head office in Bermuda. The appointed senior
representative must be knowledgeable in virtual currency business and related Bermuda
laws and regulations.
6
18. The approved senior representative would generally be a director or senior executive of
the VCB who, under Section 20 of the Act, has the legislated duty to report certain
events to the Authority.
19. The board and chief and senior executives must make arrangements to enable the
approved senior representative to undertake his/her duties pursuant to the Act in an
efficient and effective basis, including providing access to relevant records.
20. The board and the chief and senior executives should, based on their judgement, adopt
an effective risk management and internal controls framework. The framework should
have regard for international best practice on risk management and internal controls.
This includes ensuring the fitness and propriety of individuals responsible for the
management and oversight of the framework.
21. The VCB must establish a function to assist it with the oversight responsibility of the
organisation’s risk management framework. Depending on its risk profile, the function
may be headed by a Chief Risk Officer or the responsibilities assigned to, or shared
amongst, the VCB’s operational unit leaders. Regardless, there should be a mechanism
to allow direct reporting to the board or its established committees.
23. Risk management, risk identification, risk assessment, risk monitoring and risk
reporting are critical for an effective risk management framework. As such, the
VCB must implement these in an effective manner for the benefit of the VCB’s
stakeholders and to support its business objectives.
7
VI. CLIENT DUE DILIGENCE
24. Industry participants, including clients, have the potential to adversely impact a
jurisdiction’s reputation and bring harm to society at large. Accordingly, the VCB
must have procedures in place to ensure that proper due diligence is carried out before
a decision is made to act for any new client. At a minimum, the VCB needs to be able
to comply with The Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist
Financing Supervision and Enforcement) Act 2008, The Proceeds of Crime (Anti-
Money Laundering and Anti-Terrorist Financing) Regulations 2008 and the Anti-
Terrorism (Financial and Other Measures) Act 2004, together with any other relevant
legislation that may come into force from time to time.
25. The duty of vigilance includes verification, recognition and reporting of suspicious
transactions, the keeping of “know your client records”, and delivering the
appropriate Anti Money Laundering training to all staff. The VCB must ensure that
its procedures enable it to determine and verify the true identity of customers
requesting its services. Copies of photo identification such as a driver’s licence or
passport should be retained in compliance with the Proceeds of Crime Act 1997 and
relevant guidance notes and codes. The VCB must undertake due diligence checks on
clients to protect against illegal activity, including money laundering and terrorist
financing.
26. Where appropriate, measures that the VCB should consider putting in place to
minimise the risk of abuse, include (depending upon client risk ratings) appropriate
standard rules relating to maximum individual transaction sizes for its different
virtual currency services. In such cases, the VCB should have the ability to collate
and aggregate individual transactions that may form part of a larger transaction and
may be intended to avoid standard limits or reporting requirements.
27. The VCB must maintain detailed records for both sides of a transaction that include:
information to identify the parties, the public key addresses or accounts involved, the
nature and date of the transaction, and the amount transferred. The VCB must
monitor transactions for the purpose of detecting those which lack originator and/or
beneficiary information, and take appropriate measures. These measures may include
taking action to freeze an account or to prohibit conducting transactions with
designated persons and entities.
8
senior executives, employees, outsourced partners, etc.) - unless the VCB is given
relevant consent, is required by applicable law to disclose information, or provides
information in accordance with the terms of the client constitutional documents.
Accordingly, persons who have access to the VCB’s confidential information should
be advised in writing upon engagement. Further, the VCB should provide periodic
reminders thereafter of confidentiality issues.
30. To comply with its duty to uphold integrity and ethics, the VCB’s communication
with clients and prospective clients must be clear and a fair representation. This
includes marketing and promotional material. The VCB’s public platform or
materials provided to prospective clients prior to entering into an arrangement must
include details of the board, senior executive team, registered office, description of
complaints procedure, and arrangements in case of business failure. The VCB must
disclose to clients any material business changes that impact clients.
31. For transparency purposes, the VCB must also ensure that its status as a licensed
undertaking is disclosed in all advertisements and correspondence. The following
wording is suggested:
33. Section 18 (1) of the Act directs a VCB to ensure that any assets belonging to clients
are kept segregated from the VCB’s own assets. The VCB may place client assets in a
trust with a qualified custodian, or have a surety bond or indemnity insurance, or
implement other arrangements to ensure return of client assets in the event the VCB is
placed into liquidation or becomes insolvent. While remaining separate from its own,
the VCB may comingle client assets where such would benefit clients; however,
proper accounting must be in place to accurately allocate each holding to the
respective client.
34. The VCB must have mechanisms in place to assess its liquidity needs, including sums
required for trading and other client transaction types. These mechanisms must be
used to inform the VCB’s client private key storage policy. The client private key
storage policy should require that at least ninety percent of client private keys, not
required for client transactions, should be held in cold storage to mitigate against
client loss arising from cyber-attacks.
9
Competent and Effective Management
35. The VCB should have competent management commensurate with the nature, scale
and complexity of its business. The VCB must also have appropriate management
resources to control the affairs of the licensed business, including ensuring
compliance with legal obligations and standards under the Code.
Delegation
36. The board may delegate the administration and other duties to directors, chief and
senior executives, employees or committees as it deems appropriate. When doing so,
decisions should align with authorisation and signing powers outlined in policies and
procedures, and regard must also be given to risks to stakeholder protection and
applicable laws.
37. Appropriate records must be kept and preserved in Bermuda. These records will at
least include information for the VCB to effectively carry out its functions and
comply with applicable law. Systems must be in place to ensure that decision-
makers, regulators, clients and other relevant stakeholders can receive requisite
information in a timely manner. This should include the identity of shareholders,
directors, officers or business partners. In addition, records of account and client
transactions must be maintained in accordance with the laws applicable to it.
38. The VCB’s accounting and record keeping systems must support its compliance with
regulatory reporting, such as the annual statutory report, or other reporting that the
Authority may require on an ad hoc basis in fulfilment of the Authority’s regulatory
oversight responsibilities.
Adequate Personnel
39. The VCB must have available suitable numbers of staff who are appropriately trained
and competent to discharge their duties effectively. The VCB should ensure that the
responsibilities and authority of each staff member are clear and appropriate given
his/her qualifications and experience, and that staff receive the necessary training
appropriate for their roles.
40. The VCB should ensure that it has in place systems, controls, policies and procedures,
to ensure that staff members perform their duties in a diligent and proper manner. It is
important that staff understand and comply with the established systems, policies and
procedures including those dealing with new business acceptance, financial
transactions, and staff training.
Cybersecurity Program
41. In many respects, virtual currency business is susceptible to risks such as cyber
threats or systems failure. Accordingly, the VCB must have a comprehensive
cybersecurity program that is commensurate with the nature, scale and complexity of
its business. Such should include a documented cyber security policy.
10
42. The VCB must implement a written cyber security policy setting forth the VCB’s
policies and procedures for the protection of its electronic systems, and client and
counterparty data stored on those systems. The policies must be reviewed and
approved by the VCB’s board at least annually.
43. The cyber security policy must minimally address the following areas:
44. Further, the VCB must designate a qualified employee to serve as its Chief
Information Security Officer (“CISO”) responsible for overseeing and implementing
the VCB’s cyber security program and enforcing its cyber security policy.
45. The VCB must employ adequate cyber security personnel to manage its cyber
security risks and provide opportunity and resources for cyber security personnel to
stay abreast of changing cyber security threats and countermeasures. VCB’s must
require personnel to remain current.
46. An effective cyber security program should be able to ensure the availability and
functionality of the VCB’s electronic systems, and to protect both those systems and
any sensitive data stored on those systems (including customer assets) from
unauthorized access, use, or tampering. The program will also need to address risks
arising from third-party vendors where there is system connectivity, and include
policies related to hot and cold client private key storage.
47. Further, the cyber security program should outline policies surrounding how the VCB
will tackle market abuse and, where applicable, under what conditions it will halt
trading, suspend or close offending client accounts and notify relevant authorities.
11
(b) protect licensee electronic systems and the information stored on those
systems;
(c) detect system intrusions, and breaches;
(d) respond to a detected event and mitigate negative effects; and
(e) recover from operational disruption to the normal course of business.
49. A VCB must annually commission an external audit of its cybersecurity program.
The external auditor’s report must detail the review of the VCB’s business processes,
systems, policies and dependencies/relationships with the systems of third party
partners and affiliates to confirm that control measures are adequate to ensure
consistent compliance with the Act, related Rules and this Code.
50. VCBs must also be proactive in alerting the Authority to any significant
developments relevant to its staffing or to its systems and controls environment. This
includes any failure or breach of its systems that involve the loss of, or unauthorised
access to, any personal identifiable information that it holds on its clients.
51. Sound practice requires the implementation of the “Three Lines of Defence” with the
first line being risk taking, and the second being risk control and compliance. The
third critical line is internal audit. The VCB must have an internal audit function.
The internal audit function should:
Compliance Function
52. Regulatory and other requirements (such are internal policies and procedures) are
imposed for the protection of the VCB itself, clients and stakeholders more widely.
The establishment of a function focused on how well the VCB adheres to the varied
12
requirements is valuable. The VCB must develop a function to assist it to monitor
and evaluate its compliance with jurisdictional laws and regulations, internal controls,
policies, and procedures. The compliance function should also promote and sustain a
corporate culture of compliance and integrity.
• Policies, procedures and processes documenting the compliance with the risk
management framework, legal and ethical conduct, applicable laws, rules and
standards;
• System of compliance monitoring and testing, including a plan to address any
deficiencies or non-compliance that may be identified;
• Training programs for staff on compliance issues, and provide a mechanism for
staff to report confidentially concerns regarding compliance deficiencies and
breaches.
Self-Assessment
54. VCBs must have a comprehensive and integrated forward looking view of all material
reasonably foreseeable risks that arises from its business model and interaction with
the wider environment. This allows a more informed assessment of the
appropriateness of its business strategy and enhances its ability to position itself for
future success and sustainability. The VCB must therefore develop policies,
processes, and procedures to assess all its material reasonably foreseeable risks over
its forward looking planning horizon and self-determine its capital (both quality and
quantity), liquidity, and resourcing needs to inform its business strategy. The risk
self-assessment must be performed at least annually. The VCB should be guided by
the proportionality principle in establishing the risk self-assessment framework.
Minimally, the assessment should:
55. The VCB must ensure the fitness and propriety of key individuals overseeing and
performing the assessment; this includes third-party service providers, if applicable,
assisting with assessment process.
Fees
56. A VCB is expected to exhibit proper transparency in its dealings with clients and
potential clients and to act ethically and with integrity at all times. Terms of business,
including fees and commissions for its different services must be prominently
13
displayed, and any changes promptly brought to the attention of customers to ensure
that there is no misunderstanding with regard to transaction charges and other fees.
Client Agreements
57. To ensure clients are dealt with fairly and are informed, VCBs must disclose terms of
business with each prospective client, and keep a record of the terms of the agreement
with each client, including evidence of the client’s agreement to those terms. That
agreement should include, but not be limited to, the following provisions:
58. The VCB must ensure that its business is conducted in such a way as to treat its
clients fairly, both before the inception of the contractual arrangement and through to
the point at which all obligations under a contract have been satisfied. The VCB must
establish and implement policies and procedures to ensure that this occurs.
59. The VCB must ensure that client complaints are properly logged and dealt with in a
timely basis. A record of the details of the complaint, the VCB’s response and any
action taken as a result should be maintained.
Conflicts of Interest
60. Conflicts naturally arise in the course of business and may be exploited on account of
information asymmetry. The VCB must ensure it has policies and procedures to
mitigate conflicts to avoid harm to clients and stakeholders more widely, including
policies and procedures regarding disclosing relevant information. VCBs need to
implement internal rules and procedures for dealing with conflicts of interest. Where
conflicts cannot be avoided, VCBs must seek to ensure that the interests of clients are
not damaged through undisclosed conflicts of interest.
61. This includes whether the conflict arises directly in the course of its own role or, as
relevant, between the VCB and its service providers or, for example, between
different classes of investors.
62. The nature and relative market cap of the virtual currency business industry
inherently exposes it to arbitrage and market valuation manipulation. With
information asymmetry and global connectivity, the VCB’s board, officers or staff
may at times be positioned to exploit opportunities at the expense of stakeholders.
The conflict of interest policies and procedures must also include measures that
14
would prevent market manipulation such as pump and dump schemes that may bring
harm to clients.
X. OUTSOURCING
63. While a VCB may outsource certain important business roles (such as asset
management, custodial services, cyber security, compliance, and internal audit) to
third parties or affiliates, such action does not remove the responsibility from the
VCB to ensure that all the requirements of the Act and related legislation, and this
Code, are complied with to the same level as if these roles were performed in house.
64. Where the VCB outsources roles either externally to third parties or internally to
other affiliated entities, the board must ensure that there is oversight and clear
accountability for all outsourced roles as if these functions were performed internally
and subject to the VCB’s own standards on governance and internal controls. The
board should also ensure that the service agreement includes terms on compliance
with jurisdictional laws and regulations. Agreements should not prohibit
cooperation with the Authority, and the Authority’s access to data and records in a
timely manner.
65. Where the board has outsourced a role and/or is considering outsourcing a role, the
board must assess the impact or potential impact on the VCB. The board must not
outsource a role that is reasonably expected to adversely affect the VCB’s ability to
operate in a prudent manner. These considerations include where outsourcing is
reasonably expected to:
67. The VCB should also ensure that any contracts or agreements that it enters into does
not intentionally, or otherwise, frustrate the Authority’s ability to carry out its
supervisory or regulatory obligations in relation to the VCB.
***
15
THE BERMUDA MONETARY AUTHORITY
Statement of Principles
April 2018
1
Contents
I. INTRODUCTION .............................................................................................................................. 3
2
I. INTRODUCTION
a. in interpreting the minimum criteria specified in Schedule 1 to the Act and the
grounds for revocation specified in section 24;
b. in exercising its power to grant, revoke or restrict a licence;
c. in exercising its power to obtain information and reports, and to require
production of documents; and
d. in exercising other enforcement powers.
2. The Principles are of general application and seek to take into account the diversity
of virtual currency business service providers (“VCBs”) that may be licensed under
the Act and the prospect of institutional and market changes. As a consequence of
this, the Principles may likely need to be revised and further developed over time. If
the Authority makes a material change to the Principles, the Authority will publish a
revised version. The Principles should be read in conjunction with any Guidance
Notes which are issued pursuant to section 5 of the Act and that set out guidance
relating to implementing certain standards.
4. The Principles, along with the SPUEP, are relevant to the Authority’s decisions on
whether to license a VCB (company, partnership or individual) to revoke or restrict a
licence. The Authority’s interpretation of the minimum licensing criteria in Schedule
1 and the grounds for revocation in section 24 of the Act, together with these
Principles underlying the exercise of its powers, encapsulate the main standards the
Authority considers when conducting its supervision of VCBs. The functions of VCB
supervision include monitoring the ongoing compliance of VCBs with these
standards and verifying compliance with the obligations imposed under the Act, the
3
policies and procedures of the VCB and compliance with external obligations, for
example the Proceeds of Crime Act 1997, the Proceeds of Crime (Anti-Money
Laundering and Anti-Terrorist Financing Supervision and Enforcement) Act 2008
and the relevant Regulations.
5. If there are concerns, the Authority will consider what steps should be taken to
address the issue and where appropriate, it will seek remedial action by persuasion
and encouragement. Where persuasion and encouragement fail, the Authority may
look to stronger measures to ensure compliance. If the Authority considers that its
powers should be exercised in the public interest, it may utilise the various powers
provided in the Act including the imposition of restrictions on a licence and,
ultimately, revocation of a licence.
6. The Principles include references to various policy and guidance papers issued by the
Authority from time to time. Copies of the relevant material are generally available
from the Authority’s website www.bma.bm.
7. Section III of the Principles considers the interpretation of each of the licensing
criteria in Schedule 1 to the Act. Section IV sets out the considerations relevant to the
Authority’s exercise of its discretion to grant a licence. Section V sets out the
principles underlying the exercise of the Authority’s power to obtain information and
reports and to require the production of documents.
8. The SPUEP sets out the interpretation of the various grounds for the revocation of a
licence in section 24 of the Act and the principles underlying the exercise of the
Authority’s discretion to revoke or impose restrictions on a licence (section 23 and
24 of the Act).
9. It is likely that the Authority would exercise its powers to restrict or revoke a licence,
in the context of the enforcement process. The Authority may also exercise its
discretion to utilise such powers in a supervisory context (e.g. to impose additional
reporting requirements or where an institution ceases operations or conducts limited
scope business). These powers might also be used to protect the interests of the
public, in connection with an external threat unconnected with the VCB’s conduct, in
accordance with section 8 of the Act.
Introduction
10. Before a VCB may be granted a licence, the Authority has to be satisfied that all the
criteria in Schedule 1 to the Act are, or are capable of, being fulfilled by the
applicant. Once licensed, VCBs are subject to the Authority’s continuing supervision
4
and regulation, which includes the criteria for licensing. VCBs are required to submit
information about their business at intervals determined by the Authority in
accordance with the Act and any related regulations, rules, guidance notes or codes.
Where a VCB fails to meet a criterion, the Authority can and may take action in
accordance with the powers vested under the Act and as detailed in the Principles, the
AML Principles and the SPUEP.
11. The Act sets out the framework for the minimum criteria to be met and complied
with by licensed VCBs. These criteria are interpreted and applied in the context of
the particular circumstances of individual VCBs, and developments in the sector
generally. In addition to reviewing the periodic, annual and other reporting data
received from VCBs, the Authority's supervision involves detailed prudential
discussions with the VCBs’ senior management as required. The Authority shall
determine the frequency of those discussions based on the nature, scale, complexity
and risks undertaken by the VCB and the conduct of its business. Meetings may take
place either at the Authority’s offices or at the VCB’s premises. In addition,
compliance visits are routinely made to the premises of VCBs to add to the
Authority’s understanding of the VCB’s management structures, operations, policies
and controls and to assist the Authority in satisfying itself that each VCB continues to
conduct its business prudently and in accordance with all relevant criteria. Where a
VCB becomes aware of breaches or potential breaches, it is expected that the VCB
will alert the Authority forthwith so that any necessary remedial action can quickly
be agreed. Similarly, the VCB must alert the Authority to any proposed material
change in its business. This will allow the Authority to assess whether the changes
impact the VCB’s ability to fulfil the minimum criteria.
12. This part of the Principles sets out the Authority’s interpretation of the statutory
licensing criteria.
5
Authority can assess whether the person does or will devote sufficient time and
attention to them.
14. The Authority sees the standards as being particularly high in the case of persons
with primary responsibility for the conduct of a VCB’s affairs, taking into account
the nature and scale of the VCB’s business.
15. In assessing whether a person has the relevant competence, soundness of judgment
and diligence, the Authority considers whether the person has had previous
experience with similar responsibilities, the record in fulfilling them and, where
appropriate, whether the person has suitable qualifications and training. As to
soundness of judgment, the Authority looks to the person's previous conduct and
decision taking.
16. The probity of the person concerned is very important. It is essential that a person
who is responsible for the conduct of VCB business is of high integrity. In contrast to
the fitness elements of this criterion which reflects an individual judgment relating to
the particular position that the person holds or is to hold, the judgment of probity
reflects much more of a common standard, applicable irrespective of the particular
position held.
17. Specifically, the Authority takes into account the person’s reputation and character. It
considers, inter alia, whether the person has a criminal record, convictions for fraud
or other dishonesty, which would clearly be particularly relevant. The Authority also
gives particular weight to whether the person has contravened any provision of law,
including legislation covering the trust, banking, insurance, investment sectors or
other legislation designed to protect members of the public against financial loss, due
to dishonesty, incompetence or malpractice. In addition, it considers whether the
person has been involved in any business practices appearing to the Authority to be
deceitful or oppressive or improper, or which would otherwise discredit his or her
method of conducting business. In addition to compliance with statutory provisions,
the Authority also considers a person’s record of compliance with various non-
statutory codes in so far as they may be relevant to the licensing criteria and to the
public interest.
18. The Authority also takes into consideration whether the person has been censured or
disqualified by professional or regulatory bodies, e.g. Institute of Chartered
Secretaries and Administrators; Institute of Directors; Society of Trust and Estate
Practitioners; Bermuda Bar Association; Chartered Professional Accountants of
Bermuda; Bermuda Stock Exchange; Chartered Financial Analysts (CFA) Institute;
or corresponding bodies in other jurisdictions. Those who have been censured or
disqualified are unlikely to be acceptable.
6
19. While any evidence of relevant past misconduct needs to be taken into consideration,
the Authority recognises that lapse of time, and a person's subsequent conduct, are
factors which may be relevant in assessing whether the person is now fit and proper
for a particular position.
20. Once a VCB is licensed, the Authority continues to consider the performance of the
person in exercising his or her duties. Imprudence in the conduct of a VCB’s
business, or actions which have threatened (without necessarily having damaged) the
public interest will reflect adversely on the competence and soundness of judgment
of those responsible. Similarly, failure by a VCB to conduct its business with
integrity and professional skills will reflect adversely on the probity and/or
competence and/or soundness of judgment of those responsible. This applies whether
the matters of concern have arisen from the way the persons responsible have acted
or from their failure to act in an appropriate manner. The Authority takes a
cumulative approach in assessing the significance of such actions or omissions – that
is, it may determine that a person does not fulfil the criterion on the basis of several
instances of such conduct which, if taken individually, may not lead to that
conclusion.
Shareholder Controllers
21. Shareholder controllers, as defined by sections 3(4) and 3(5) of the Act may hold a
wide variety of positions relating to a VCB, and the application of the fit and proper
criterion takes account of this. The key consideration is the likely or actual impact on
the interests of clients and potential clients of a person holding the particular position
as shareholder controller. This is viewed in the context of the circumstances of the
individual case, and of the particular position held. The general presumption is that
the greater the influence on the VCB, the higher the threshold will be for the
shareholder controller to fulfil the criterion. Thus, for example, higher standards will
generally be required of a shareholder controller owning, say, 20 per cent or more of
the shares of a VCB compared with a shareholder controller owning 5 per cent.
23. First, it considers what influence the person has or is likely to have on the conduct of
the affairs of the VCB. If the person does, or is likely to, exercise a close control over
the business, the Authority would look for evidence that he has the probity and
soundness of judgment and relevant knowledge and skills for running a VCB. On the
other hand, if the shareholder does not, or is not likely to, influence the directors and
management of the VCB on the detailed conduct of the business, it would not be
necessary to require such a level of relevant knowledge and experience.
24. The second consideration is whether the financial position, reputation or conduct of
the shareholder controller or prospective shareholder controller has damaged or is
7
likely to damage the VCB through ‘contagion’ which undermines confidence in that
VCB. For example, if a holding company, or a major shareholder, were to suffer
financial problems it could damage confidence of clients or potential clients in the
stability or financial integrity of the licensed VCB. Generally, the higher the
shareholding, the greater the risk of ‘contagion’ if the shareholder encounters
financial difficulties. The risk of contagion is not, however, confined to financial
weakness. Publicity about illegal or unethical conduct by a holding company or
another member of the group may also damage confidence in the VCB. VCBs are
expected to notify the Authority immediately if they become aware of material
concerns regarding the suitability of a shareholder controller.
25. In the case of a controller who ‘directs’ or ‘instructs’ a shareholder controller, similar
considerations apply to those relevant to assessing the fulfilment of the shareholder
controllers criterion. In other words, the standards that an indirect controller needs to
satisfy are likely to be at a minimum the standards also required of the person who is
indirectly controlled.
28. Sub-paragraphs 2 to 5 set out a number of specific requirements, each of which must
be fulfilled before a VCB may be regarded as conducting its business in a prudent
manner.
29. The Act also makes it clear that the specific requirements outlined in sub-paragraphs
2 to 5 are not exhaustive. Accordingly, the Authority takes into account a range of
other considerations in assessing whether a VCB is prudently run. These include for
example, the VCB’s management and corporate governance arrangements (such as,
in the case of a company, the composition of the board of directors and the
arrangements for the board's overall control and direction of the institution); the
VCB’s general strategy and objectives; planning arrangements; policies on
accounting, market conduct; and recruitment arrangements and training to ensure that
the VCB has adequate numbers of experienced and skilled staff in order to carry out
8
its various activities in a prudent manner. Particularly close attention is also paid to
the arrangements in place for preventing and detecting criminal activities, and for
ensuring compliance with the VCB’s legal obligations in preventing money
laundering and terrorist financing. The Authority would also expect a VCB to occupy
premises suitable for the purpose of conducting its business.
30. Failure by the VCB to comply with applicable laws in foreign jurisdictions, in which
the VCB or its subsidiaries operate, if applicable, may also affect the Authority’s
assessment of prudent conduct.
31. A VCB should have policies and procedures to enable it to comply with international
sanctions in force in Bermuda.
32. VCBs face a wide variety of potentially major financial risks in their business
although the possibility of many of these risks crystallising is, hopefully, generally
remote. Rather than explicitly requiring VCBs to hold capital against all these risks,
the Act requires VCBs more generally hold adequate capital and insurance cover. A
VCB will not be regarded as carrying on its business in a prudent manner unless it
maintains insurance cover that is appropriate to the nature and scale of its operations.
33. In judging the adequacy of insurance protection, the Authority looks to be satisfied
that the scope and scale of cover in place provides reasonable assurance of the ability
of the VCB to continue to operate in the event that it should face either major damage
to its infrastructure or material claims from clients for loss or damage sustained. It is
in the first instance for those directing the business of the licensed undertaking to
assess the level of risk they face in the business and to determine the type and extent
of coverage appropriate for that business. Relevant types of insurance include the
following: errors and omissions/professional indemnity; directors’ and officers’
liabilities; fidelity and forgery; loss of property; computer crime; computer damage;
business interruption; office contents. The Authority will review the adequacy of
cover in place, having regard to the scale, composition and complexity of the
business.
Schedule 1 Paragraphs 2 (4) and (5): “adequate accounting and record- keeping systems”
34. The Authority does not regard a VCB’s records and systems as adequate unless they
can enable its business to be prudently managed and the VCB is able to comply with
the duties imposed on it by or under the Act. In other words, the records and systems
must be such that the VCB is able to fulfil the various other elements of the prudent
conduct criterion and to identify threats to the public interest. They should also be
sufficient to enable the VCB to comply with the notification and reporting
requirements under the Act. Thus, delays in providing information or inaccuracies in
the information provided, will call into question the fulfilment of the requirement of
sub-paragraphs 2 (4) and 2 (5). The systems for client records should be sufficient to
enable the VCB to maintain its books and records with satisfactory back-up in place.
9
35. The nature and scope of the particular records and systems which a VCB should
maintain should be commensurate with its needs and particular circumstances, so that
its business can be conducted without endangering its clients and potential clients. In
determining whether a VCB’s records and systems are adequate, the Authority
considers the nature, scale and complexity of its business.
37. The integrity element of the criterion requires the VCB to observe high ethical
standards in conducting its business. Criminal offences or other breaches of statute
will obviously call into question the fulfilment of this criterion. Particularly relevant
are contraventions of any provision made by or under enactments, whether in
Bermuda or elsewhere, designed to protect members of the public against financial
loss due to dishonesty, incompetence or malpractice.
38. The Authority would expect VCBs to have a number of employees sufficient to carry
out the range and scale of its business. The Authority, in determining whether a VCB
has sufficient personnel, will take into account the human resources that the VCB
may draw upon through other arrangements, e.g. outsourcing, secondments, or other
similar arrangements as well as the methods of recruitment to ensure that the VCB
employs an adequate number of persons who are fit and proper to perform the duties
for which they are employed.
39. Staff must be provided with on-the-job training on the VCB’s internal policies,
procedures and internal controls. The VCB should ensure that adequate training is
provided specific to the roles and responsibilities that staff members perform. Such
training should be provided on an ongoing basis, including training on its AML/ATF
responsibilities.
40. A VCB shall establish procedures to ensure the adequate supervision of staff in their
dealings with clients and the management of client structures. Appropriate records
relating to the training, experience and qualifications of staff shall be maintained.
10
42. In the case of a VCB which is a company or partnership, the business should be
effectively directed by such number of individuals as the Authority considers
appropriate given the nature, scale, complexity and risk profile of the VCB. The
Authority recognises that standards of good corporate governance may differ
between VCBs according to the size and complexity of their respective businesses.
43. In the case of a VCB which is a company, the directors should include such number
(if any) of non-executive directors, as the Authority considers appropriate. The
number will depend on the circumstances of the VCB and the nature, size,
complexity and risk profile of the VCB.
44. The Authority considers that non-executive directors can play a valuable role in
bringing an outsider’s independent perspective to the running of the business and to
ensure proper challenge to the executive directors and other management. The
Authority sees non-executive directors as having, in particular, an important role as
members of a VCB’s audit committee or in performing the role which such a
committee would otherwise perform.
46. To grant a licence under the Act, the Authority needs to be satisfied that all the
minimum licensing criteria in Schedule 1 are met. In order to be so satisfied, the
applicant and any other relevant parties must first have provided all the appropriate
information requested by the Authority in connection with the application. Even
where it is satisfied that the criteria are or can be met, the Authority retains a residual
discretion not to grant a licence – notably if it sees reason to doubt that the criteria
will be met on a continuing basis or if it considers that for any reason there might be
significant threats to the public interest or the interests of clients or potential clients.
The Authority also considers, in exercising its discretion, whether it is likely that it
will receive adequate information from the VCB and relevant connected parties to
enable it to monitor the fulfilment of the criteria and to identify potential threats to
the VCB’s clients.
11
V. POWERS TO OBTAIN INFORMATION AND REPORTS
47. The Authority’s supervisory arrangements for licensed VCBs comprise three
principal elements. First, the Authority conducts certain off-site analysis and reviews,
based on regular data received from VCBs. This is supplemented by a regular
programme of prudential discussions, during which the Authority interviews senior
management on a wide range of relevant issues, including recent and current
performance, material compliance and control issues, and business development and
strategy questions. Finally, the Authority conducts routine on-site reviews during
which it assesses a VCB’s on-going compliance with aspects of the licensing criteria
and, in particular, with paragraph 2 (2) of Schedule 1 to the Act. These reviews of
compliance are intended to provide insight into the effectiveness of the internal
controls in place and the ability of management to identify, monitor and manage key
risks arising from the VCB’s operations.
48. Prudential supervision involves the receipt and analysis of a variety of regular and ad
hoc information from VCBs. The Authority’s standard reporting arrangements are
kept under review and amended from time to time in light of developments.
49. Section 58 of the Act provides formal powers for the Authority by notice in writing
to require from a VCB such information as it may reasonably require for the
performance of the Authority’s functions under the Act. The section also provides for
the Authority to require a VCB to make available a report by its auditor (or by an
accountant or other person with relevant professional skill) on any aspect of, or any
matter about which the Authority has required or could require the VCB to provide.
In the case of reports commissioned under section 58(1) (b), the Authority has agreed
that they will wherever possible be commissioned from a VCB’s own external
auditors. However, in certain circumstances, another professional firm may be used.
This would be the case, for example, where a report called for particular technical
skills or when the Authority has had previous concerns about the quality or
completeness of work conducted by the external auditor.
50. The Authority has also agreed that, as a general rule, it will limit the extent to which
it will have recourse to professional reports of this nature. Instead, the Authority’s
general policy is to use its own staff to assess directly through the on-site work,
described above, the adequacy of a VCB’s systems and controls. Nonetheless, where
particularly specialised work is required or other special considerations arise, the
Authority may commission a professional report under section 58.
51. Section 59 of the Act provides statutory powers for the Authority by written notice to
require a VCB to produce relevant documents or information. This power can also be
used to obtain relevant documents in the possession of other persons and also to
12
require information or documents from entities related to a VCB. Section 60 of the
Act provides the Authority with specific powers to enter the business premises of
persons on whom notice under sections 58 or 59 has been served for the purpose of
obtaining relevant information or documents. The Authority makes routine use of
section 58 and section 59 powers when conducting its on-site review visits to licence
holders, in order to deal with any client confidentiality issues that might arise in the
course of compliance testing.
52. Much of the information required by the Authority for its supervision of VCBs is
provided pursuant to the Authority’s statutory powers in the Act to require relevant
information and documents. In addition, the Act stipulates certain matters as being
subject to specific statutory reporting requirements – notably, the requirement for a
VCB to submit a certificate of compliance, signed by an officer, certifying that the
VCB has complied with the minimum criteria (as provided for in section 66 of the
Act).
***
13