Mary V Ward February 20 2020 Blockchain and cryptocurrency regulation 2020 Carey Olsen | Private Client & Offshore Services - Bermuda Mary V Ward Private Client & Offshore Services Government attitude and definitionCryptocurrency regulationDABAICO regulationSales regulationTaxationMoney transmission laws and AML requirementsPromotion and testingOwnership and licensing requirementsMiningBorder restrictions and declarationReporting requirementsEstate planning and testamentary successionGovernment attitude and definitionThe current government was elected in 2017, having undertaken to create new economic pillars in Bermuda, identify new opportunities for economic diversification and seek local and overseas investment to develop new local industry and thereby create jobs in Bermuda. Since its election, the government has enthusiastically embraced the fintech sector and the potential that it offers and has repeatedly expressed its intention for Bermuda to be a significant centre for this industry.In furtherance of this goal, the government has implemented a comprehensive regulatory regime aimed at providing legal certainty to industry participants and ensuring that business in the sector conducted in or from Bermuda is done in a properly regulated matter, in accordance with the highest international standards. This regulatory regime is described in more detail below but, in summary:the Digital Asset Business Act (DABA) comprises a regulatory framework for fintech businesses operating in or from Bermuda; andalthough not covered by DABA, initial coin and security token offerings are regulated under a separate regime.In addition, the government:has announced that fintech businesses wishing to set up in Bermuda will benefit from a relaxed work permit policy;offers, through the Bermuda Business Development Agency, a concierge service for businesses wishing to establish operations on the island; andhas signed a number of memoranda of understanding (MOUs) with fintech businesses, under which such businesses have committed to establishing operations and creating jobs in Bermuda.Although digital asset offerings and businesses are regulated in the manner described in this article, no Bermudian legislation or legal provisions officially or legally recognise any cryptocurrency or other digital asset or confer on them equivalent status with any fiat currency. Further, neither the government nor the Bermuda Monetary Authority (BMA) – the jurisdiction's financial regulator and the issuer of its national currency – have backed any cryptocurrency, and the Bermuda dollar remains the territory's legal tender.Cryptocurrency regulation While both the government and the BMA are on record as being keen to embrace the potential offered by fintech, both recognise that the industry presents tremendous risk, requiring prudent regulation. Bermuda has, accordingly, led the way in introducing a regulatory framework for digital asset business and coin and token offerings.DABADABA came into force in September 2018. Since then, the BMA has promulgated rules, regulations, codes of practice, statements of principles and guidance in order to supplement DABA, with the result that it operates in a similar manner to the regulatory frameworks in place for other financial services regulated by the BMA.In summary, DABA:specifies the digital asset-related activities to which it applies;imposes a licensing requirement on any person carrying on any of those activities;sets out the criteria that a person must meet before it can obtain a licence;imposes (and permits the BMA to impose) certain continuing obligations on any licence holder; andgrants the BMA supervisory and enforcement powers over regulated digital asset businesses.At the time of writing, the BMA was engaged in a consultation exercise with a view to amending certain provisions of DABA to give greater clarity to certain sections and make other changes that are intended to facilitate more effective administration of its provisions.DABA's scopeDABA applies to any entity incorporated or formed in Bermuda and carrying on digital asset business (irrespective of the location from which the activity is carried out) and to any entity incorporated or formed outside Bermuda and carrying on digital asset business in or from within Bermuda. The legislation defines 'digital asset' widely enough to capture:cryptocurrencies;representations of debt or equity in the promoter;representations of other rights associated with such assets; andother representations of value that are intended to provide access to an application, service or product by means of distributed ledger technology.For the purposes of DABA, a 'digital asset business' includes:businesses which issue, sell or redeem virtual coins, tokens or any other form of digital asset to the general public. This is intended to regulate any business which provides these services to other businesses or individuals. It does not include initial coin offerings or security token offerings (collectively, ICOs) to fund the issuer's or promoter's own business or project. Instead, ICOs are regulated under a separate regime (see below);businesses which operate as payment service provider businesses for the general public and use digital assets, which includes the provision of services for the transfer of funds. The term 'payment service provider' is used globally in anti-money laundering and anti-terrorist financing (AML/ATF) laws, regulations and guidance and is defined in the Proceeds of Crime (Anti-money Laundering and Anti-terrorist Financing) Amendment Regulations 2010 as "a person whose business includes the provision of services for the transfer of funds". The aim here is to ensure that businesses involved in the transfer of digital assets fall within DABA's ambit;businesses which operate as an electronic exchange. This category captures online exchanges which allow customers to buy and sell digital assets, whether payments are made in fiat currency, bank credit or another form of digital asset. Exchanges facilitating the offer of new coins or tokens through ICOs are also caught;businesses which provide custodial wallet services. This covers any business whose services include storing or maintaining digital assets or a virtual wallet on behalf of a client; andbusinesses which operate as digital asset services vendors. This category regulates persons that:can, under an agreement as part of their business, undertake a digital asset transaction on behalf of another person or have power of attorney over another person's digital asset; oroperate as a market-maker for digital assets.This category is intended to capture any other business which provides specific digital asset-related services to the public, such as operating as a custodian of digital assets.In addition to the above categories, DABA includes an option for the minister of finance, after consultation with the BMA, to be able to add new categories or amend, suspend or delete any of the categories listed above by order.DABA specifically provides that the following activities do not constitute digital asset business:contributing connectivity software or computing power to a decentralised digital asset or a protocol governing transfer of the digital representation of value (this category exempts mining from DABA's scope);providing data storage or security services for a digital asset business, so long as the enterprise is not otherwise engaged in digital asset business activity on behalf of other persons; andproviding any digital asset business activity by an undertaking solely for the purpose of its business operations or the business operations of any of its subsidiariesLicensing requirement DABA requires persons carrying on digital asset business to obtain a licence before doing so, unless that person is subject to an exemption order issued by the minister of finance. At the time of writing, the minister had not issued or proposed any exemption orders.Two classes of licence are available for applicants:The Class M licence is a restricted form of sandbox licence, with modified requirements and certain restrictions, which is valid for a specified period, the duration of which will be determined by the BMA on a case-by-case basis. Following the expiry of this specified period, it is generally expected that the licensee will either have to apply for a Class F licence (described in further detail below) or cease carrying on business, although the BMA will have discretion to extend the specified period.The Class F licence is a full licence not subject to any specified period, although it may still be subject to restrictions as deemed appropriate by the BMA in any given case.The intention behind this tiered licensing regime is to allow start-ups which engage in digital asset business to do so in a properly supervised regulatory environment and engage in proof of concept and develop a track record before obtaining a full licence. The restrictions to which a licensee will be subject will depend on its business model (and the risks associated therewith), but will almost invariably include an obligation to disclose to prospective customers the fact that it holds a Class M licence and certain limitations on the volume of business which it is permitted to conduct, along with other restrictions as the BMA may deem necessary on a case-by-case basis.A prospective licensee may not necessarily receive the licence for which it applies: an applicant for a Class F licence may receive a Class M licence if the BMA decides that a Class M licence would be more appropriate in the circumstances. A licence will further specify the category (or categories) of digital asset business in which the licensee is permitted to engage.Carrying on digital asset business without a licence is a criminal offence punishable by a fine of up to US$250,000, up to five years' imprisonment or both.Criteria to be met by licensees Under DABA, the BMA cannot issue a licence unless it is satisfied that the applicant fulfils certain minimum criteria addressing the fitness and propriety of directors and officers, ensuring that business is conducted in a prudent manner, the business's management has the required integrity and skill and standards of corporate governance are observed by the (prospective) licensee. This is consistent with the position under other regulatory laws applicable to other sectors and is intended to ensure that the BMA maintains high standards for the conduct of regulated business. The BMA has also published a code of practice detailing requirements as to, among other things, governance, risk management and internal controls applicable to licensees. However, the BMA recognises that licensees have varying risk profiles arising from the nature, scale and complexity of the business, so assesses a licensee's compliance with this code in a proportionate manner relative to the business's nature, scale and complexity.DABA requires licensees to notify the BMA on changes in directors or officers, and the BMA has powers to, among other things, object to and prevent new or increased ownership of shareholder controllers and remove controllers, directors and officers who are no longer fit and proper to carry on their role.Continuing obligations of licence holders Persons holding a licence issued under DABA are subject to several ongoing obligations.Client disclosure rulesThe BMA has used powers conferred to it under DABA to promulgate the Digital Asset Business (Client Disclosure) Rules 2018 in order to mitigate the high degree of risk for consumers owing to the highly speculative and volatile nature of digital assets. These rules require licensees, before entering into any business relationship with a customer, to disclose to that customer:the class of licence that it holds;a schedule of its fees and the manner in which fees will be calculated if not set in advance;whether it has insurance against loss of customer assets arising from theft (including cybertheft);the extent to which a transfer or exchange of digital assets is irrevocable and any exceptions;governance or voting rights regarding client assets if the licensee is to hold client assets;the extent to which it will be liable for an unauthorised, mistaken or accidental transfer or exchange; andvarious other matters.The rules also oblige licensees to confirm certain information regarding transactions with clients at the conclusion of each such transaction.Cybersecurity rulesAlongside the client disclosure rules described above, the BMA has promulgated the Digital Asset Business (Cybersecurity) Rules 2018 (Cybersecurity Rules). Under the Cybersecurity Rules, licensees must file an annual cybersecurity report prepared by their chief information security officer assessing:the availability, functionality and integrity of their electronic systems;any identified cyber-risk arising from any digital asset business carried on or to be carried on by the licensee; andthe cybersecurity programme implemented and proposals for steps to redress any inadequacies identified.The cybersecurity programme itself must include the following audit functions:penetration testing of its electronic systems and a vulnerability assessment of those systems (conducted at least quarterly); andaudit trail systems that:track and maintain data that allows for the complete accurate reconstruction of all financial transactions and accounting;protect the integrity of data stored and maintained as a part of the audit trail from alteration or tampering;protect the integrity of hardware from alteration or tampering, including by limiting electronic and physical access permissions to hardware and maintaining logs of physical access to hardware that allows for event reconstruction;log system events (including access and alterations made to the audit trail systems) and cybersecurity events; andmaintain records produced as part of the audit trail.Licensees must engage a qualified independent party to audit their systems and provide a written opinion to the BMA that the cybersecurity programme and controls are suitably designed and operate effectively to meet the requirements of the Cybersecurity Rules and applicable codes of practice.Custody and protection of consumer assets Licensees which hold client assets must have in place and maintain a surety bond, trust account or indemnity insurance for the benefit of their customers. Any such trust account must be maintained with a 'qualified custodian', defined in DABA as a licensed Bermuda bank or trust company or any other person recognised by the BMA for this purpose. In addition, licensees must maintain books of account and other records sufficient to ensure that customer assets are kept segregated from those of the licensee and can be identified at any time. All customer funds must be held in a dedicated separate account and clearly identified as such.Senior representative DABA imposes an obligation on licensees to appoint a senior representative. Senior representatives must be:approved by the BMA;resident in Bermuda; andsufficiently knowledgeable about both the licensee itself and the industry in general.Senior representatives have a duty to report certain significant matters to the BMA, including:a likelihood of the licensee becoming insolvent;breaches by the licensee of any conditions imposed by the BMA;involvement of the licensee in criminal proceedings, whether in Bermuda or elsewhere; andother material developments.Head officeDABA requires licensees to maintain a head office in Bermuda and direct and manage their digital asset business from Bermuda. The relevant section lists a number of factors that the BMA will consider in determining whether a licensee satisfies this requirement, together with a number of additional factors to which the BMA may (but need not) have regard.Annual prudential return Licensees must file with the BMA an annual prudential return, with the BMA being granted the power to require more frequent filings or additions to a filing if required in the interest of consumer protection. The annual prudential return should be accompanied by a copy of the licensee's audited financial statements and business plan for the following year, and include information relating to, among other things:business strategy and risk appetite;products and services;the number, risk rating and geographical profile of customer accounts;information on risk and cybersecurity (including a risk self assessment and policies in these areas);AML/ATF controls;corporate governance;audited financial statements; anddetails on any outsourcing to third parties.BMA's supervision and enforcement powers DABA grants the BMA wide-ranging powers of supervision and enforcement, such as the power to:compel the production of information and documents (with criminal penalties for non-production or making false or misleading statements);issue any directions to safeguard the interests of a licensee's clients where a licensee is in breach of DABA or applicable rules or regulations; andimpose conditions and restrictions on licences.For example, the BMA may:require a licensee to take certain steps or refrain from adopting or pursuing a particular course of action or restrict the scope of its business activities in a particular way;impose limitations on the acceptance of business;prohibit a licensee from soliciting business, either generally or from prospective clients;prohibit a licensee from entering into any other transactions or class of transactions;require the removal of any officer or controller; andspecify requirements to be fulfilled otherwise than by action taken by the licensee.In more extreme cases, the BMA may revoke a licence altogether and, if it so elects, subsequently petition the court for the entity whose licence it has revoked to be wound up.If a licensee fails to comply with a condition, restriction or direction imposed by the BMA or with certain requirements of DABA, the BMA can impose fines of up to US$10 million. Alternatively, it may:issue a public censure ('naming and shaming');issue a prohibition order banning a person from performing certain functions for a Bermuda regulated entity; orobtain an injunction from the court.The BMA will use these enforcement powers in a manner consistent with the Statement of Principles and Guidance on the Exercise of Enforcement Powers published in September 2018, which contains general guidance applicable to all regulated sectors on the BMA's approach to the use of its enforcement powers and the factors that it will consider in assessing whether to exercise those powers.ICO regulation As noted above, DABA does not apply to any ICO intended to finance the issuer's or promoter's own business. Instead, the Companies Act 1981 and the Limited Liability Company Act 2016 (collectively, the company legislation) were amended in 2018 to include a regulatory framework for ICOs.The company legislation defines an ICO as an offer by a company or a limited liability company to the public to purchase or otherwise acquire digital assets and designates any ICO as a 'restricted business activity', requiring consent from the minister of finance before any ICO may be made to the public. Private sales and offers of further coins or tokens to existing holders of coins or tokens of the same class are exempted, as are issuances where the offer is made to a limited number of persons (the actual limit depends on what type of company or limited liability company the issuer is, and is 35 in most cases). Regulations published under the company legislation set out key information required to be included with the application for consent, including:details of the proposed project to be funded by the ICO and the persons involved;information on the coin or token proposed to be offered and its transferability; andinformation on compliance features intended to be included in the issuer's systems.In addition to obtaining consent from the minister of finance, a prospective ICO issuer will also have to publish, in electronic form, an offering document and file this with the Bermuda Registrar of Companies. The offering document must contain:details regarding any promoter, including its registered or principal office and details of its officers;the business or proposed business of the issuer company or limited liability company;a description of the project to be funded by the ICO and the proposed timeline for the project, including any proposed project phases and milestones;the amount of money that the ICO intends to raise;disclosure as to the allocation of the amounts intended to be raised among the classes of any issuance (eg, pre-sale or post-ICO);any rights or restrictions on the digital assets that are being offered;the date and time of the opening and closing of the ICO offer period;a statement as to how personal information will be used; anda general ICO risk warning containing:information regarding any substantial risks to the project which are known or reasonably foreseeable;information as to a person's rights or options if the project which is the subject of the ICO in question does not go forward;a description of the rights (if any) in relation to the digital assets that are being offered; andinformation regarding any disclaimer in respect of guarantees or warranties in relation to the project to be developed or any other asset related to the ICO.If an ICO issuer offers digital assets to the public over a period and any of the particulars in its offering document cease to be accurate in a material respect, the issuer must publish supplementary particulars disclosing the material changes and file these with the registrar.The promoter must provide an electronic platform to facilitate communication with prospective investors. The legislation also grants investors a cooling-off period during which they can withdraw an application to purchase the digital assets offered.Any person who makes or authorises the making of a false statement in an ICO offering document is guilty of an offence punishable with a fine of up to US$250,000, up to five years' imprisonment or both, unless the person proves that the statement was immaterial or that they had reasonable grounds to believe that it was true at the time that it was made. Officers of the issuer and promoters of the ICO will also incur civil liability to any person who suffers loss as a result of false statements in the offering document, subject to certain defences.Sales regulation The issuance, sale and redemption of cryptocurrencies are regulated under DABA if carried on as a business and ICOs are regulated under the company legislation (in each case in the manner described above).Taxation There are no income, capital gains, withholding or other taxes imposed in Bermuda on digital assets or on any transactions involving them (see "Border restrictions and declaration" for a discussion on the potential application of Bermuda's foreign currency purchase tax). Further, exempted companies or limited liability companies carrying on digital asset business, including ICO issuers, may apply for, and are likely to receive, an undertaking from the minister of finance to the effect that – in the event that Bermuda enacts any legislation imposing tax computed on profits or income or computed on any capital asset, gain or appreciation – the imposition of any such tax will not apply to such company or any of its operations.Money transmission laws and AML requirements Operating a payment service business which uses cryptocurrency or other digital assets (including the provision of services for the transfer of funds) or operating a digital exchange constitutes a 'regulated activity' for the purposes of DABA (see above).Bermuda has a long-established and well-earned reputation as an international financial centre and a crucial aspect of this is its robust AML/ATF regime. The jurisdiction made further enhancements to this regime ahead of its fourth-round mutual evaluation by the Financial Action Task Force in 2018.DABA amended certain provisions of Bermuda's existing AML/ATF laws and regulations in order to ensure that the AML/ ATF regime applies expressly to the carrying on of digital asset business, with the BMA subsequently issuing new AML/ATF guidance notes relating specifically to the conduct of digital asset business.In short, digital asset businesses must establish policies and procedures to prevent money laundering and terrorist financing. These policies and procedures must cover:customer due diligence;ongoing monitoring;the reporting of suspicious transactions;record keeping;internal controls;risk assessment and management; andthe monitoring and management of compliance with, and internal communication of, these policies and procedures.Promotion and testingAs noted at the beginning of this article, the government is enthusiastic about the potential offered by fintech for the territory's economy and has launched, or is in the process of developing, numerous initiatives aimed at promoting investment by fintech businesses in Bermuda.The government has appointed a specialist fintech team with a remit to promote the sector in Bermuda and bring more fintech business to the island. Among its initial success stories is that of Omega One, an agency brokerage for cryptocurrencies, which has opened an office in Bermuda (and received the first licence granted under DABA). Omega One has committed to hiring at least 20 Bermudians over the next three years and donating 10% of a planned token sale to philanthropic causes (with 10% of the amount donated going to sports and community clubs in Bermuda).A further government initiative is a tailored immigration policy for fintech businesses, which allows companies which operate in the fintech space and are new to Bermuda to receive immediate approval of up to five work permits for non-Bermudian staff within the first six months of obtaining their business permit. In order to benefit from this, a business must present a plan for the hiring, training and development of Bermudians in entry-level or trainee positions. However, businesses cannot apply for work permits under this policy in respect of any job categories which are:closed (ie, reserved exclusively for Bermudians, their spouses and permanent resident certificate holders);restricted (in respect of which a permit may be obtained for only one year); orentry-level, graduate or trainee positions.The government has also entered into a series of MOUs with various digital asset businesses, which provide as follows:Binance Holdings Limited – the parent company of the Binance Group, the world's largest digital exchange – has committed to developing its global compliance base in Bermuda, creating at least 40 jobs, and developing a digital asset exchange in Bermuda. It has also undertaken to sponsor university scholarships for Bermudians in blockchain technology development and regulatory compliance and to make capital available for investment in new Bermuda-based blockchain companies.Medici Ventures LLC, a subsidiary of 'overstock.com' (the world's first major enterprise to accept bitcoin), will:create at least 30 jobs in Bermuda over three years;develop a security token trading platform in Bermuda;support the training of Bermudians in software development; andcollaborate with the government, the BMA and other stakeholders in developing and improving Bermuda's legal and regulatory framework applicable to digital asset businesses.Shyft, a blockchain AML/ATF and identity start-up, will invest up to US$10 million over the next three years into Bermuda's economy, support the training of Bermudians in blockchain technology and software development and collaborate in the development and improvement of Bermuda's digital asset legal and regulatory framework. Shyft has also signed a separate MOU with Trunomi, a Bermuda-based consent and data rights platform, which aims to leverage Shyft's blockchain technology with Trunomi's expertise in consumer consent frameworks to support Bermuda in the implementation of an electronic ID scheme.Ownership and licensing requirements Under current Bermuda law, and under the ICO Act and DABA, no licensing requirements are imposed on any person merely by virtue of that person holding any form of digital asset, unless that person does so in the course of its business and on behalf of another, in which case that person will likely be regarded as a digital asset services vendor and thus subject to regulation under DABA. The BMA is consulting on proposals to require Bermuda trust companies which hold digital assets as trust property to obtain a licence to do so under DABA.An investment fund incorporated or formed in Bermuda which proposes to deal in digital assets as part of its investment strategy or programme may fall within the ambit of the Investment Funds Act 2006. This requires open-ended funds to apply to the BMA for authorisation prior to commencing business and subjects such funds to ongoing supervision by the BMA. It does not apply to closed-ended funds, such as private equity funds.Mining Mining is specifically exempted from the scope of DABA. It therefore remains an unregulated activity. Although mining is not prohibited by any Bermuda law and is not subject to regulation under DABA, Bermuda's high energy costs are expected to operate as a practical deterrent to the establishment of any mining operations in Bermuda.Border restrictions and declaration Bermuda imposes a foreign currency purchase tax of 1% whenever a Bermuda resident purchases a foreign currency from a Bermuda-based bank. This tax will not apply to most (if not all) purchases of cryptocurrency or other digital assets, on the grounds that these are purchased almost exclusively from digital exchanges, whereas the foreign currency purchase tax applies only to purchases from banks in Bermuda. This renders immaterial the question of whether foreign currency in this context would include a cryptocurrency (to date, the BMA has not expressed a view in this regard).There are no other border restrictions on cryptocurrencies or other digital assets; the only obligation to make a customs declaration in respect of any form of money arises in respect of cash or negotiable instruments in excess of US$10,000.Reporting requirements Digital asset businesses and their senior representatives are subject to certain reporting obligations under DABA, as described above. DABA imposes no reporting requirements in respect of individual digital asset payments, irrespective of their value, although licensees must include anonymised details on transaction volume, value and geographical spread in their annual returns.Estate planning and testamentary succession No particular regime under Bermuda law deals specifically with the treatment of cryptocurrencies or other digital assets on the death of an individual holding them. This means that, in principle, digital assets will be treated in the same way as any other asset and may be bequeathed to beneficiaries in a will. If a person dies intestate, their digital assets will be dealt with under the Succession Act 1974.The main potential difficulty that may arise is practical and by no means unique to Bermuda – namely, anyone inheriting any kind of digital asset can, on the face of it, access that digital asset only if they have or can obtain the private key to the wallet in which it is stored. Although most exchanges have policies in place to transfer digital assets to next of kin, these policies, and the transfer requirements, vary between exchanges.For further information on this topic please contact Mary V Ward at Carey Olsen Bermuda by telephone (+1 441 542 4500) or email ([email protected]). The Carey Olsen Bermuda website can be accessed at www.careyolsen.com.An earlier version of this article was published in Global Legal Insights.