The pace of regulatory change at the end of 2019 was fast and furious, which resulted in a raft of legislative changes that became operative during the first quarter of 2020. In addition to grappling with the challenges presented by the COVID-19 pandemic, Bermuda entities are also having to navigate this new regulatory landscape.
Key amongst the recent changes is the enhanced regulatory oversight and registration requirements resulting from the amendments to the Investment Funds Act, which bring into scope for the first time closed-ended funds and certain overseas funds.
The EU announced in February 2020 that Bermuda had moved to the "whitelist" following efforts over the previous 12 months to implement legislative changes that comply with the EU's tax governance principles. These legislative changes included refinement of the Economic Substance Regulations, which required numerous entities to reassess the scope and applicability of the regime during the first half of this year to ensure they were ready to make their first economic substance filings in June 2020.
The Government of Bermuda confirmed its commitment to international best practice with respect to corporate transparency by announcing in July 2020 its intention to make beneficial ownership information accessible to the public.
The Privacy Commissioner responsible for regulating the Personal Information Protection Act 2016 took office on 20 January 2020. There will now be a transitional period to allow for the preparation and adoption of any necessary secondary legislation and the issuance of draft guidance, to enable Bermuda organisations to achieve compliance.
The Government's commitment to ensuring Bermuda is a leader in the Fintech sector has also resulted in further changes to the regulatory and supervisory framework and the regulator has proposed amendments to the legislation governing digital asset business.
Further commentary in relation to the current status of these legislative changes can be found below.
Investment Funds Act
Effective from January 2020, the requirements for registration of certain funds operating in or from within Bermuda changed. The changes, brought about by the amendments made to the Investment Funds Act 2006 (IFA), mean that certain types of fund that were previously excluded from the requirement to be authorised or registered pursuant to the IFA are no longer so excluded. This includes closed-ended investment funds and certain overseas funds.
The changes to the IFA follow the enactment and enhancement of the Bermuda economic substance regime which was introduced as a response to global pressures on jurisdictions to implement enhanced supervisory and regulatory requirements in certain regulated sectors, including the funds sector.
One of the changes to the IFA is the amendment of the definition of "Investment Fund" so that it includes a closed-ended investment fund (meaning an arrangement in which the participants are not, at their election, entitled to have their units redeemed). As a result, closed-ended investment funds now need to apply to be registered under the IFA by the Bermuda Monetary Authority.
There are a number of different classifications of fund that a closed-ended investment fund could apply to be registered or authorised as; the appropriate classification will depend upon the nature of the fund in question.
The changes to the IFA mean that the business of an overseas investment fund (being an investment fund incorporated or established in a jurisdiction outside Bermuda) cannot be managed, carried on, or promoted in or from within Bermuda unless the fund has been designated as an Overseas Fund by the BMA. A fund can qualify for designation as an overseas fund if it is an overseas investment fund and it complies with the applicable rules and requirements of the overseas regulatory authority in the country or territory in which it is incorporated or established. It must also comply with any applicable provisions of the IFA and any conditions placed on it by the BMA.
So, what does this mean for existing funds?
While the changes became effective on 1 January 2020, a person operating a closed-ended fund or an overseas investment fund prior to that date had a transitional period of 6 months to determine whether the changes to the IFA were applicable and, if so, take steps to comply with the same. During this transitional period, which ended on 30 June 2020, the fund could continue to operate without being authorised, registered or designated under the IFA.
As the transitional period has now expired, all existing closed-ended funds and overseas investment funds should have taken steps to ensure compliance with the amended IFA; to the extent that they have not, they should do so immediately.
Failure to comply with the IFA could lead to the fund being wound up, criminal convictions and/or fines.
The Registrar of Companies launched the online electronic portal for submission of economic substance declarations on 1 May 2020 ahead of the first filing deadline of 30 June 2020 for those entities with a 31 December 2019 financial year end. The Registrar and his team are currently reviewing and assessing the declarations for compliance with the regime.
In July 2013, Bermuda's government committed to review and update the mechanisms in Bermuda for domestic and international cooperation and compliance with international standards, including in relation to the timely and effective exchange of beneficial ownership information.
Over the last seven years Bermuda's government has acted on that commitment by implementing a central beneficial ownership registry along with taking steps to ensure Bermuda's compliance with (a) various standards and reports issued by the Financial Action Task Force, the Organisation for Economic Co-operation and Development, and the European Union and (b) the Exchange of Notes between Bermuda and the United Kingdom's National Crime Agency entered into on 9 April 2016.
Currently, Bermuda's beneficial ownership regime requires that, with the exception of those entities that are exempted, beneficial ownership information is disclosed to the Bermuda Monetary Authority (BMA) at the time of incorporation of a company, or formation of a limited liability company or partnership (Regulated Entities), and within 14 days of a Regulated Entity becoming aware of any change in its beneficial ownership. A Regulated Entity must maintain a beneficial ownership register at its registered office (or, with the Registrar of Companies' (RoC) permission, a place in Bermuda convenient for inspection by the RoC). A Regulated Entity's beneficial ownership register is not publicly available.
On 12 July 2020, the Bermuda government announced its commitment to, within 12 months of the EU's publication of its Implementation Review of the Fifth Anti-Money Laundering Directive (Fifth AML Directive), bring forward proposals to establish public access to the central beneficial ownership register held by the BMA. The commitment was also influenced by the UK Sanctions and Anti-Money Laundering Act (UK Act) which requires the UK Secretary of State to draft an order in council compelling all British Overseas Territories (including Bermuda) to establish public beneficial ownership registers by the end of 2023.
While any legislation regarding public access to beneficial ownership information is likely two to three years away, the Fifth AML Directive gives some indications of what such legislation might contain.
The Fifth AML Directive requires that the central registry of EU member states contain each beneficial owner's name, month and year of birth, country of residence and nature and extent of the interest held, and that such information be available to the general public. Public access to registers of trusts will be restricted to those with a 'legitimate interest' but for companies and other legal entities it is to be mainly open. Member states will be able to use domestic legislation to require a viewer of the register to register online for access, which may require a fee. Member states may also build in restrictions to access in cases where granting public access presents a disproportionate risk, such as fraud or kidnapping.
The form and impact of any public access to the BMA's central beneficial ownership register remains to be seen. Appleby is actively monitoring the beneficial ownership space and will provide further updates as material changes and announcements occur.
The Personal Information Protection Act 2016
The Personal Information Protection Act 2016 (PIPA) is the first dedicated data protection legislation in Bermuda. PIPA's initial operative provisions came into force in December 2016 to enable the establishment and appointment of a Privacy Commissioner (Commissioner). The remaining substantive provisions were placed on hold, pending the appointment of a Commissioner. A Commissioner has now been appointed and took office on 20 January 2020. There will now be a transitional period to allow for the preparation and adoption of any necessary secondary legislation and the issuance of draft guidance, to enable Bermudian organisations to achieve compliance. As at the date of publication of this Bulletin, the Commissioner has not yet issued any substantive guidance and PIPA remains only partially effective. It is expected that the legislation will become fully effective later this year or early next.
The Association of Bermuda Insurers and Reinsurers (ABIR) announced on 20 August 2020 the formation of the new ABIR Data and Privacy Taskforce (ADAPT) to help ensure Bermuda meets international requirements regarding the use of personal data. The taskforce will work directly with Bermuda's Privacy Commissioner to facilitate the implementation of PIPA.
PIPA applies to every individual, entity, or public authority that uses personal information in Bermuda. It does not distinguish between organisations incorporated under Bermuda law and overseas entities that have a business presence, such as an office, in Bermuda.
The legislation is drafted around a set of EU-style "data protection principles" with the express intention of securing EU "adequacy" status to enable personal information to move freely between the EU and Bermuda. It is anticipated that the Commissioner will in time make an application to the EU for "adequacy" status.
Data protection principles
PIPA provides that organisations which use personal information in Bermuda must do so lawfully and fairly and in accordance with the following key principles:
- Use personal information only where one or more of the specified lawful conditions for use are met (Conditions of Use);
- Provide individuals with a privacy notice containing certain information about the organisation's use of their personal information (Transparency);
- Use personal information only for the specific purposes and ensure that personal information is adequate, relevant, and not excessive in relation to the purpose of its use (Purpose Limitation and Proportionality);
- Ensure that personal information is not kept for longer than is necessary for that use (Data Retention);
- Protect personal information with appropriate safeguards against risk (Information Security).
Conditions of Use
Subject to certain limited exceptions, such as where the use is necessary to comply with a court order, organisations can only collect or otherwise use personal information where one of the lawful conditions of use is met. These conditions include:
- The personal information is used with the consent of the individual where the organisation can reasonably demonstrate that the individual has knowingly consented;
- Except in relation to sensitive personal information (see below), a reasonable person giving due weight to the sensitivity of the personal information would consider that the individual would not reasonably be expected to request that the use should not begin or should cease, and the use does not prejudice the individual's rights;
- The use of the personal information is necessary for the performance of a contract to which the individual is a party or for taking steps at the individual's request with a view to entering into a contract;
- The use of the personal information is necessary in the context of an individual's present, past or potential employment relationship with the organisation.
An organisation must also provide individuals with a clear and easily accessible "privacy notice" detailing its personal information practices and policies, including certain prescribed details, such as the purposes for which the personal information is or might be used and the identity and types of individuals or organisations to whom personal information might be disclosed. Organisations must take all reasonably practicable steps to ensure that the privacy notice is provided either before or at the time of collection, or, where that is not possible, as soon thereafter as is reasonably practicable.
Purpose Limitation and Proportionality
Subject to certain limited exceptions, organisations must only use personal information for the specific purposes set out in their privacy notices or for purposes related to the stated purposes, unless the individual consents. An organisation that uses personal information must also ensure that the personal information is adequate, relevant, and not excessive in relation to the purpose or purposes for which it is used. It will be important for an organisation to audit its use of personal information to ensure it complies with these requirements.
Organisations must ensure that the personal information they hold is accurate, kept up to date and is not retained longer than necessary to fulfil the original collection purpose. PIPA does not specify prescribed data retention periods and so an analysis will need to be undertaken to determine how long personal information is legally required to be kept under other applicable legislation, as well as how long it should be retained in accordance with the "necessity of purpose" test. Similarly, it will be important to evaluate how personal information can be securely purged in accordance with PIPA once the purposes for holding it have been fulfilled by the organisation.
PIPA requires organisations to safeguard all personal information they hold against risk, including the risk of loss or unauthorised access, destruction, use, modification or disclosure. These safeguards must be subject to periodic review and reassessment.
Currently, the Commissioner has not published any guidance to assist organisations in understanding their obligations in this respect. However, it is likely that if an organisation is already compliant with internationally-recognised security standards (such as are required under GDPR), this will be considered by the Commissioner to be adequate for the purposes of PIPA.
Sensitive Personal Information
Sensitive personal information benefits from enhanced protection, so additional conditions must be satisfied before the information is processed. This might involve obtaining separate consent or only using the information for specific purposes, such as for the performance of an employment contract or as part of legal proceedings. "Sensitive personal information" includes information relating to an individual's racial or ethnic origin, colour, sexual orientation, political opinions, religious beliefs, trade union membership, physical or mental health, medical data, family status, and biometric or genetic information.
Individuals have certain rights in relation to their personal information which an organisation uses, including the right to request access to that personal information. Individuals are also entitled to correct their personal information and to request that their personal information is not used for advertising, direct marketing or public relations.
Third Party Transfers
Where an organisation engages the services of a third party in connection with the use of personal information (whether domestic or overseas), the organisation remains responsible for ensuring compliance with PIPA at all times.
Where the third party is overseas, before the personal information is transferred the organisation must assess the level of protection provided by the third party. If the organisation is not satisfied that the third party can provide a comparable level of protection, it is required to employ contractual mechanisms, corporate codes of conduct or other means to protect the personal information. The Government, on the recommendation of the Commissioner, may designate any jurisdiction as providing a comparable level of protection to PIPA, but no such designations have yet been made.
PIPA requires organisations to designate a "privacy officer", who will have primary responsibility for communicating with the Commissioner. A group of organisations under common ownership or control may appoint one privacy officer, if that officer is accessible from each organisation. The privacy officer may also delegate their duties to one or more individuals.
Data Breach Notification
PIPA requires organisations to provide notice of any security breach leading to loss, unlawful destruction, or unauthorised disclosure of or unauthorised access to personal information that is likely to adversely affect an individual, without undue delay, to the Commissioner and any individual(s) affected by the breach.
The notification to the Commissioner must describe the nature of the breach, the breach's likely consequences for the affected individual(s) and the organisation's current or future measures to address the breach, so as to allow the Commissioner to determine whether it should order the organisation to take further steps, and to allow a record of the breach and the remedial measures taken to be maintained.
Enforcement and penalties
The Commissioner can issue guidance on compliance requirements, investigate complaints of breaches of PIPA and initiate investigations of its own volition. The Commissioner will also be responsible for liaising with domestic and foreign law enforcement agencies and regulators in connection with PIPA. Under PIPA, the approach to enforcement is generally administrative and consultative but criminal sanctions are also available. The Commissioner can also publish a finding or decision in full, thereby "naming and shaming" offending organisations.
An individual who commits an offence is liable on summary conviction to a fine, not exceeding BMD$25,000, or to imprisonment, not exceeding two years, or to both; and in the case of a person other than an individual, is liable on conviction on indictment to a fine not exceeding BMD$250,000.
Where an offence is committed by a body corporate, and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, any director, manager, secretary, or similar officer of the body corporate, then they, as well as the body corporate, commit that offence and are liable to prosecution.
The Government of Bermuda set the stage for developing the island's Fintech sector in early 2018 by announcing its agenda to develop a legal and regulatory framework that creates a welcoming and stable environment for the globally evolving Fintech area.
Government proceeded to prudently enact the Digital Asset Business Act 2018 (DABA), which created a framework to regulate digital asset businesses, and the initial coin offering (ICO) regime, which was embedded in Bermuda's Companies Act and limited liability company legislation, and allowed for companies registered in Bermuda to issue digital assets to the public.
Government's commitment to ensuring Bermuda is a leader in the Fintech sector has been emphasised by proposed updates to DABA and recent changes to the ICO regime.
The Fintech sector is a new and rapidly evolving space. As such, it is important that Bermuda's regulatory and supervisory framework keeps pace with the rapid growth and ever-changing landscape within the sector, and remains fit for purpose. In order to keep pace, the Bermuda Monetary Authority (BMA) has proposed to amend DABA, and has issued a consultation paper setting out the proposed amendments (2020 Amendments). The purpose of the 2020 Amendments is to create greater clarity around certain sections of DABA and make changes that are intended to facilitate the development of the Fintech sector in Bermuda, and a more effective administration of DABA. The 2020 Amendments include, but are not limited to:
- Amending definitions to clarify the BMA's intent in certain sections
- Creating a requirement to notify the BMA regarding changes to exemption conditions
- Extending the BMA's ability to modify applicable fees
Beyond the above-noted amendments, and potentially more importantly, the BMA intends to create a new DABA license class called a Class T. A Class T license will be a testing license, which will allow Bermuda's digital asset business regime to support and foster all stages of innovation in the evolving digital asset business sector. The purpose of the Class T is for the testing of a minimum viable product/service via beta testing or piloting. It is proposed that applicants must: (i) develop success criteria for the test, (ii) list their pre-identified or targeted customers or counterparties, (iii) hold a minimum capital of at least $10,000, and (iv) ensure that appropriate risk disclosures for potential counterparties are in place.
If the 2020 Amendments are approved, as is, then Bermuda will have a natural progression of regulatory complexity and supervisory intensity. This tiered licensing system will facilitate the regulation and participation of businesses at various stages of their development, by creating an application process and licensing system which is proportionate to the nature, scale, and complexity of the applicant.
On May 6, Government enacted the Digital Asset Issuance Act 2020 (DAIA), which replaces the ICO regime as the primary legislation for all digital asset offerings in or from Bermuda.
Previously, digital asset offerings to the public from Bermuda required the consent of the Minister of Finance. However, under DAIA, digital asset issuance will be regulated by the BMA and will no longer fall under the purview of the Ministry of Finance.
Another new requirement is that all undertakings authorised to launch a digital asset issuance in or from Bermuda are required to appoint a local representative. The person appointed must receive the approval of the BMA, and as such, the local representative must be identified in the digital asset issuance application. Furthermore, the local representative is required to maintain an office in Bermuda.
Bermuda's continued monitoring, analysis, and assessment of what is needed in the Fintech sector, both globally and domestically, has helped foster a systematic regulatory framework that is conducive to a stable industry. This new framework will ensure that companies authorised to conduct digital asset issuances and digital asset business in or from Bermuda are of a high calibre, which in turn will bring investors comfort and security in their investments. Bermuda continues to lead the way in regulatory developments.
What are the significant changes in the pipeline?
- We expect Bermuda to continue to enhance its reputation as a leader in the fight against financial crime by further updating the AML/ATF Guidance Notes, which we expect to be released later this year.
- The BMA issued a consultation paper on proposed amendments to the Third Schedule of the Banks and Deposit Companies Act 1999 (BDCA 1999) to further support a viable restricted bank model in Bermuda.
- The BMA issued a consultation paper on 19 August 2020 to explore consumer protection by regulating the business conduct of financial services sectors it regulates.