BERMUDA Law and Practice Contributed by: Steven Rees Davies, Kyle Masters, Charissa Ball and Alexandra Fox, Carey Olsen
Where an organisation transfers personal information to a third party (overseas or otherwise), it must assess the level of protection provided by the overseas transferee and will nonetheless remain responsible for PIPA compliance in relation to that personal information. If an organisation does not believe that the protection provided by an overseas third party will be comparable to the level required under PIPA, that organisation must choose to employ contractual mechanisms, corporate codes of conduct, or other means by which to ensure that the overseas third party provides a comparable level of protection.

The privacy laws of other jurisdictions may have extraterritorial effect (eg, the EU General Data Protection Regulation (GDPR)) and organisations in Bermuda may also be subject to these.

Cybersecurity

The Digital Asset Business (Cyber Risk) Rules 2018 (the “Cybersecurity Rules”) and the Digital Asset Business Operational Cyber Risk Management Code of Practice (January 2024) (the “Cybersecurity Code”) apply specific cybersecurity rules to persons licensed to conduct digital asset business. The BMA has a team dedicated to the supervision of persons conducting digital asset business when it comes to their cybersecurity programmes. Every Class F licence holder is required to file a cyber-risk return with the BMA on an annual basis. Class M and Class T licence holders will be required to make such filing as often as prescribed by the BMA. Every entity licensed under the DABA must appoint a senior executive whose responsibility it is to oversee and implement its cybersecurity programme and enforce its cybersecurity policies.
An application for a licence under the DABA must include information in relation to:

• the applicant’s proposed cybersecurity risk management policies;
• how those policies interact with each other;
• how the applicant implements the “three lines of defence” model, including:
  (a) risk management;
  (b) internal audit; and
  (c) compliance functions.

AML/ATF
Persons licensed under the DABA are “regulated financial institutions” under the Proceeds of Crime Act 1997 (POCA). This means that they will be required to comply with all Bermuda legislation applicable to “regulated financial institutions” (ie, banks, long-term life insurance companies, investment funds and investment fund administrators), including Bermuda’s AML/ATF legislation and regulations (collectively, the “AML/ATF Rules”). The BMA has also published sector-specific guidance notes for DABA licensees (Annex VIII – Sector-Specific Guidance Notes (SSGN) for Digital Asset Business) to assist with compliance with applicable AML/ATF obligations. Under the AML/ATF Rules, DABA licensees must:

• adopt a risk-based approach to obtaining adequate due diligence on and verifying the identity of their customers;
• support ongoing monitoring; and
• report any suspicious activities.
There are also specific rules applicable to companies that are conducting public offerings of digital assets. Specifically, these companies: