Fintech 2025

BRITISH VIRGIN ISLANDS Law and Practice Contributed by: Chris Duncan and Katrina Lindsay, Carey Olsen

Cybersecurity The Computer Misuse and Cybercrime Act 2014 (as amended) (CMCA) aims to address various offences related to unauthorised access to com - puter systems ‒ as well as to the unauthorised interception of, or interference with, data held on computer systems ‒ where such unauthorised activities are for the purposes of causing loss or gain or for any unlawful purpose. Sanctions The UK extends sanctions measures to the BVI in the form of new Overseas Territories Sanc - tions Orders. The sanctions orders provide for the legislative framework that enables the rel - evant authorities to take the necessary action to, among other things, freeze the funds/assets of designated persons and entities. As relevant persons for the purposes of the AML Regs, VASP licensees must ensure that their compliance framework allows for effective ongo - ing client due diligence and transaction moni - toring in order to allow for immediate sanctions screening. It is expected that VASPs should be able to screen their client base within 24 hours and identify any designated persons and take appropriate measures, including freezing assets/ funds, prohibiting transactions, and reporting to the competent authorities (the Governor’s Office, the FSC and the FIA) without delay. The FSC may revoke a certificate of registra - tion issued to a VASP under the VASP Act if it forms the opinion that the VASP has committed a breach of any sanctions orders. Electronic Transactions, Transfers and Filings The Electronic Transactions Act 2021, the Elec - tronic Transfer of Funds Act 2021 and the Elec - tronic Filing Act 2021 introduced, among other benefits, a statutory recognition of the validity

• the performance of a contract to which the data subject is a party; • entering into a contract at the request of a data subject; • compliance with any legal obligation (other than an obligation imposed by contract); • the protection of the vital interests of the data subject; • the administration of justice; or • the exercise of any functions conferred on a person by or under any law. The circumstances under which sensitive per - sonal data may be processed without the data subject’s consent are more limited. In order to comply with the provisions of the DPA, data controllers will need to, among other steps: • adopt suitable measures and policies that take into account the nature, scope, context and purposes of the use of personal data and the risk to individuals posed by the use of such information; • ensure that all personal data they hold is accurate, up to date, adequate, relevant and proportionate to the purposes for which it is to be used (and is only kept as long as is necessary for its use); and • implement safeguards to protect personal data against loss, misuse, modification, unau - thorised or accidental access or disclosure, alteration or destruction. Personal data cannot be transferred outside the BVI without proof of adequate data protection safeguards or without consent from the data subject.

133 CHAMBERS.COM

Powered by