An old adage says that the only things in life that are certain are death and taxes. We think regulatory changes can surely be added to that list. A number of regulatory updates will affect Bermuda entities this year, and we have set out a summary to help our clients stay up to date with their regulatory requirements and ahead of any filing, compliance or administrative obligations.
Cyber Risk Management Code of Conduct
The BMA published the revised Operational Cyber Risk Management Code of Conduct (the "Cyber Risk Code") for corporate service providers, trust companies, money services businesses, investment businesses and fund administration providers, banks and deposit companies (together, the "Relevant Legal Institutions") on 26 September 2022. All Relevant Legal Institutions must be compliance with the Cyber Risk Code as of 15 February 2023.
The Cyber Risk Code requires the board of directors and senior management team to have oversight of cyber risks, and for the board to approve, at least annually, a cyber risk policy. Relevant Legal Institutions are also required to appoint a Chief Information Security Officer to oversee and implement its cyber risk programme and enforce the cyber risk policies.
Investment Business Act: Expiry of Transition Period
The Investment Business Act 2003 (the "Investment Business Act") was significantly amended in 2022, with the amendments becoming operative on 27 July 2022. A transition period of 12 months was granted to either register or be licensed under the Investment Business Act. That transition period will expire in July 2023, so any entity now caught under the amended legislation needs to start processing their applications as soon as possible. Previously, only entities which carried on investment business from a physical place of business in Bermuda where they employed staff were caught within the scope of the Investment Business Act. In addition, there were a number of exemptions which entities which carried on investment business within Bermuda were able to use to exempt them from licensing requirements. The amendments mean that (i) entities formed or incorporated in Bermuda but carrying on investment business outside Bermuda and (ii) entities formed outside Bermuda but carrying on "investment business" (a defined term) in or from Bermuda are now caught under the legislation. Unfortunately "in or from Bermuda" is not defined. In addition, most of the exemptions no longer apply, although an updated Order was passed to clarify that certain entities (mostly those already regulated under other legislation in Bermuda, such as investment funds, insurance companies and entities licenced under the Digital Business Act 2018) were deemed to be "non-registrable persons" and therefore out of scope of the Investment Business Act. As such, all caught entities must apply to either be registered as a Class A Registered Person or a Class B Registered Person or to be licenced. Please see our latest compendium of Bermuda Investment Business Act 2003 updates for more information.
Personal Information Protection Act
The Personal Information Protection Act ("PIPA") was passed in 2016 but has not yet been fully enacted. However, the Bermuda Government has announced that PIPA will be implemented in 2023 in a phased approach. To date, guidance and regulations have not yet been published, but they are expected within the near future. PIPA, when fully in force, will impose specific obligations on the processing of personal information, including the requirement for organisations to adopt suitable measures and policies to give effect to the rights of individuals as set out in PIPA. For the purposes of compliance with PIPA, organisations will also be required to appoint privacy officers who have the responsibility for communicating with the Privacy Commissioner. Organisations should begin planning to ensure they are prepared when PIPA does become fully operative. Contact the Conyers Regulatory team for assistance.
Economic Substance
Bermuda's economic substance regime continues to mature and evolve. Companies with a financial year end of 31 December are now preparing for their fourth annual declarations. "Fund managers" will be reminded that a change which came into effect for 1 January 2022 amended the definition of the relevant activity of "fund management" such that an entity will be carrying on the relevant activity of "fund management" simply by managing investments for an investment fund. The change meant that all fund managers were required to satisfy the economic substance regime requirements in 2022, and those with a year end of 31 December should be preparing to make their economic substance declarations for the 2022 financial year by 30 June 2023.
The Registrar of Companies (the "ROC") has stepped up enforcement of the economic substance regime. Over the summer of 2022, the ROC sent out requests for information and also began conducting on-site inspections of certain records of entities. Subsequently, in the fall of 2022 the ROC again issued certain entities with Warning Notices for their failure to comply with the economic substance regime requirements. The ROC appears to be preparing to issue fines for failure to comply.
As the ROC begins enforcing the economic substance regime and fining entities not in compliance, it becomes more important for entities to ensure they are filing correctly and on time. The ROC has noted that specific care should be taken by entities who believe themselves to be carrying on the relevant activity of pure equity holding entity to ensure that they are not carrying on another relevant activity under which they should be filing instead. A simple example is if an entity has an intercompany loan on which there is interest payable (regardless of how nominal), such entity is carrying out the relevant activity of "finance and leasing" so should be doing a filing under that category rather than as a "holding entity".
Insurance Code of Conduct
The Bermuda Insurance Code of Conduct (the "Code of Conduct") was revised last year, with the revisions to the Code of Conduct coming into force on 1 September 2022. There were various changes made to the Code of Conduct in order to enhance the governance and risk management of insurers. In addition, the Bermuda Monetary Authority recognized that environment and social change continues to be a global threat, and as such "Sustainability Risk" was included as a material risk that should be considered in the development of policies and risk management strategies for all material risks.
Registrants under the Code of Conduct are required to be compliant with the revisions to the Code of Conduct by 1 September 2023 with respect to Sections 1 through 7. With respect to Section 8 – Conduct of Business, registrants are required to be in compliance much sooner—by 1 March 2023. Please see our recent alert for addition information.
Potential Changes for Entities Formed by Private Act
In October 2022 the Bermuda Monetary Authority issued a policy paper for consultation in relation to requiring every legal person that was incorporated pursuant to a Private Act to register with the ROC and to comply with the requirements of the Companies Act 1981 (the "Companies Act"). The reason for this proposal arose from Financial Action Task Force (the "FATF") Recommendation 24 and IO5, which focus on transparency and beneficial ownership. The rationale is that in order to effectively prevent the misuse of corporate structures for money laundering and terrorist financing, the local regulator should have access to accurate and timely information on the beneficial ownership and control of companies and other legal persons. The ROC determined that there were a number of legal persons formed by Private Act who are not registered on the Register of Companies. The inability of the ROC to account for the unregistered Private Act entities was identified as a gap by the Caribbean Financial Action Task Force (the "CFATF") in Bermuda's effectiveness in respect of the transparency of the beneficial ownership regime. The CFAFT recommended that Private Act companies be obligated to provide accurate beneficial ownership information. The consultation paper also includes proposals that, in addition to the beneficial ownership requirements, such entities should also have to comply with other provisions of the Companies Act, such as the requirements to update the Register of Directors, file extracts of their bye-laws and maintain quarterly financial accounts.
Of note is the proposal that there will only be a six-month transition period from the date of enactment for such entities to comply. The consequence of non-compliance with the registration requirement would be the statutory repeal of the Private Act which established the entity in the first place.
A practical issue with the proposals is that there are many entities formed by Private Act, such as churches and charities, which do not meet the traditional corporate structure. Many charities in Bermuda are already registered with the Charities Commission and are subject to anti-money laundering(AML)/anti-terrorist financing (ATF) requirements as a result thereunder. This new proposal could result in double regulation. Submissions have been made in response to the policy paper, and Conyers will continue to monitor the progress of the initiative.
Bermuda Sanctions Regime
As a British Overseas Territory, Bermuda implements the same sanctions as the United Kingdom. In response to the war in Ukraine, the UK has implemented a sanctions regime relating to Russia which is enforced pursuant to the Bermuda sanctions regime. The Bermuda sanctions regime applies to all individuals and legal entities that are within or undertake activities in Bermuda, regardless of whether such entity is also a "regulated financial institution" under the AML/ATF regime. Individuals and entities must ensure that they do not run afoul of the Bermuda sanctions regime as the liability is strict and the penalties can be severe.
In the UK, HM Treasury maintain a "Consolidated List" of individuals and entities which are subject to financial sanctions. In practice, entities in Bermuda should be screening against the Consolidated List of designated or listed persons on an ongoing basis to ensure they are not doing business with sanctioned persons.
In addition, the sanctions themselves should be reviewed regularly as many are sector specific and do not necessarily name designated individuals or entities. An example is the Russia (Sanctions) (EU Exit) (Amendment) (No. 17) Regulations 2022 which came into force in mid-December 2022. Of particular note are the amendments to Regulation 16 imposing a ban on dealing (directly or indirectly) with a transferable security if it is issued on or after 16 December 2022 by a person not connected with Russia for the purposes of an activity in Regulation 18B(2), i.e. new investment in a person connected with Russia. Any corporate service provider should therefore be making enquiries to ensure they understand the purpose behind new issues of shares or securities to ensure there is not a Russian connection further down the corporate chain.
These new regulations also introduced the anticipated ban on trust services to or for the benefit of "a person connected with Russia". Trust services are broadly defined to include the creation of a trust; the provision of a registered office, business address, etc.; the operation or management of a trust; and acting as trustee or arranging for another person to act as trustee. Services pursuant to an ongoing arrangement in place before 16 December 2022 are excluded. Trust companies in Bermuda should take careful note to ensure compliance.
In addition, they expanded the existing bans on providing certain services to a person connected with Russia to also include advertising services, architectural services, auditing services, engineering services and IT consultancy and design services.
[View source.]