Crypto businesses operating under Bermuda's Digital Asset Business Act (DABA) regime face a precise legal obligation: sanctions screening is not a checkbox – it is a regulated function that the Bermuda Monetary Authority (BMA) audits for design, coverage and real-time effectiveness. A gap in screening against OFAC, UN Security Council or UK FCDO consolidated lists can freeze correspondent banking, trigger licence review and, in the worst cases, generate personal liability for compliance officers. The BMA has made clear that digital asset business (DAB) licensees carry the same financial-crime obligations as deposit-taking institutions, with the added complexity that transactions settle in minutes and remediation windows are narrow.
This page sets out the sanctions-screening obligations that apply to a DABA-licensed entity, the practical process for building a compliant programme, and the cross-border interactions with banking, the Travel Rule (the obligation to pass originator and beneficiary data alongside a virtual-asset transfer) and inbound business structures. It is written for general counsel and compliance officers who need the legal answer, not a summary of the rules.
What is the regulated basis for sanctions screening under Bermuda's DABA regime?
Bermuda's digital-asset business framework imposes sanctions-screening obligations through two interlocking instruments: the Proceeds of Crime Act (as amended) and the BMA's AML/ATF programme requirements embedded in DABA. Every DAB licensee is required to maintain a risk-based AML/CFT programme, and sanctions compliance is explicitly part of that programme. The BMA, as the primary prudential and AML supervisor, has stated that failure to screen against applicable sanctions lists constitutes a material deficiency in a licensee's financial-crime controls.
The relevant lists a Bermuda DABA licensee must monitor include the OFAC Specially Designated Nationals (SDN) list, UN Security Council consolidated sanctions lists, the UK FCDO financial sanctions list and, depending on the shareholder and business profile of the entity, the EU consolidated list. The BMA expects real-time or near-real-time screening, not batch-file checks. For a crypto exchange or custodian settling transactions on-chain in seconds, this standard is demanding. A daily screening cadence will not satisfy the regulator's expectations for transaction-level controls.
The obligation extends beyond counterparty name-matching. Under the DABA AML programme requirements, a licensee must screen wallet addresses against known sanctioned addresses – a function that pure name-based sanctions lists do not cover on their own. In our practice, we advise clients to layer on-chain address screening (using recognised blockchain analytics tools) on top of standard entity screening to close this gap. The BMA has signalled awareness of this technical dimension in its supervisory communications.
CTA #1If you are building or reviewing a sanctions-screening programme for a Bermuda DAB licence, the design must align with the BMA's current supervisory expectations – not a generic template. The process above describes the standard path. Your facts – the entity, the user base, the banking – change the analysis. Map your options.
Who needs a DAB licence – and who is captured by the screening obligation?
The DABA licence requirement in Bermuda applies to any person who, from or within Bermuda, carries on digital asset business as defined by the Act. The defined activities include issuing, selling or redeeming digital assets; operating as an exchange or marketplace; providing custody or trust services for digital assets; and operating as a principal or agent in digital-asset transactions. A business does not need to be Bermuda-incorporated to fall within the scope. If the business is conducted from a Bermuda office or by Bermuda-resident personnel, the licence obligation attaches.
This matters for sanctions screening because the obligation to screen follows the licence. An entity that is DAB-licensed must screen all counterparties, not only Bermuda-resident clients. A Bermuda-licensed crypto exchange with a global user base must apply its sanctions programme to every user, every transaction and every affiliated wallet. The geographic footprint of the user base does not reduce the screening obligation – it increases the complexity of delivery.
Firms that had previously operated under the lighter-touch registration pathway available in some jurisdictions have found, on entering the Bermuda regime, that the BMA's expectations sit closer to those of the FCA or MAS than to a simple AML-registration regime. That is a deliberate policy choice. Bermuda has positioned itself as a reputable mid-shore centre for institutional digital-asset business, and the BMA's rigour on sanctions is part of that positioning.
How should a DABA licensee design its sanctions-screening programme?
A compliant sanctions programme under the BMA's expectations has five operational components that must each be documented and testable on examination.
The first is list management: the entity must subscribe to current-version feeds for each applicable sanctions list, with a documented update cadence. Where the business has US-nexus clients, US-dollar settlement rails or US investors, OFAC list coverage is essential – and OFAC can designate a person or entity on any calendar day. Manual list downloads are not adequate. Automated feed integration is the baseline.
The second is entity screening: every new client, beneficial owner, authorised signatory and material counterparty is screened at onboarding, and the screening is repeated on a trigger-based schedule (sanctions-list update, material transaction, periodic review). The BMA expects screening to cover full legal names, known aliases and transliterations. A match management process – distinguishing true matches from false positives – must be documented and operated consistently.
The third is on-chain address screening: this is the component that distinguishes a crypto-specific sanctions programme from a standard financial-institution programme. OFAC has published designated wallet addresses as part of its SDN listings, and BMA supervisory practice expects licensees to check sending and receiving addresses against those designations before transactions are executed or settled. Blockchain analytics providers make this technically feasible; the legal question is which provider's coverage is adequate and how the firm documents its reliance on that data.
The fourth is transaction monitoring integration: sanctions screening at the point of a transaction must interact with the broader transaction-monitoring system. A transaction from a non-sanctioned counterparty to a sanctioned wallet should be blocked. The handoff between the sanctions module and the AML transaction-monitoring layer is an audit target.
The fifth is governance and escalation: the programme requires a designated senior officer responsible for sanctions compliance, documented escalation paths for potential matches, and a clear process for filing with the Bermuda Police Service Financial Intelligence Unit (FIU) and notifying the BMA where a prohibited transaction is identified or suspected.
How does the Travel Rule interact with sanctions screening in Bermuda?
The Travel Rule and sanctions screening are distinct obligations, but they share data infrastructure in a way that makes them practically inseparable. Under the FATF Recommendation 16 framework – which Bermuda has incorporated into the DABA AML programme requirements – a VASP (virtual asset service provider) transferring virtual assets above the applicable threshold must pass originator and beneficiary information to the receiving VASP. That information – name, account number, physical address or other identifying data – is also precisely the data needed to run a sanctions screen on both sides of the transfer.
In our practice, we have seen firms build their Travel Rule transmission layer before they build their sanctions-screening protocol, and then discover that the two systems need to exchange data in real time. Retrofitting that integration is expensive. The correct sequence is to design the onboarding/KYC data model, the Travel Rule data-field map, and the sanctions screening logic as a unified programme from the outset. The BMA's AML/CFT examination will test whether these layers communicate.
A practical complication arises at the intersection of the Travel Rule and address screening: the receiving VASP may not disclose its full beneficiary information before the transaction is broadcast, depending on the protocol used. The FATF guidance on sunrise issues and the BMA's supervisory practice on this point require documented interim controls where full Travel Rule data is not available pre-transaction. A hold-and-screen approach – where the transaction is queued pending Travel Rule data receipt – is the safest design. Whether that is technically feasible depends on the network and the asset.
Cross-border transfers introduce a further dimension. A Bermuda DABA licensee sending to or receiving from a VASP in a jurisdiction with no equivalent Travel Rule obligation creates a regulatory asymmetry. The BMA does not excuse the Bermuda licensee from its obligations because the counterpart jurisdiction has not adopted the rule. The licensee must obtain what data it can and document its efforts when full compliance is structurally impossible.
How does sanctions compliance affect banking and cross-border operations for a Bermuda crypto firm?
A sanctions gap is the fastest way to lose a banking relationship. US correspondent banks, which sit at the clearing layer of most USD-denominated crypto business regardless of the entity's jurisdiction, conduct their own due diligence on the AML/sanctions programmes of their respondent institutions. A Bermuda DABA licensee whose sanctions programme does not meet US correspondent-bank standards will face account closure – irrespective of BMA licence status.
In practice this creates a dual compliance standard: the licensee must satisfy both the BMA and the programme expectations of its banking counterparties. Where those standards differ – and US correspondent banks often apply OFAC guidance more broadly than the BMA formally requires – the more demanding standard governs for banking-access purposes. We routinely advise clients to stress-test their sanctions programme against the internal standards of their target bank, not only against the BMA rulebook.
The Bermuda regime's cross-border dimension extends to custody structures. A DABA licensee that custodies assets for clients domiciled in OFAC-sanctioned countries has an obligation that travels with the asset, not with the counterparty's jurisdiction. A client who was not a sanctioned person at onboarding may become a designated person during the custody relationship. The screening programme must be live and continuous, not a point-in-time check at account opening.
Tax reporting and banking KYC also overlap with the sanctions data stack. A Bermuda entity with US taxable persons as investors or clients will have FATCA disclosure obligations that run parallel to the sanctions-screening data set. In our cross-border practice, we structure the KYC/AML data model to serve all three reporting regimes – sanctions, FATCA and CRS – from a single source of truth, reducing the cost of compliance and the risk of inconsistent data.
If a prior application stalled or a banking relationship was closed, a gap in the sanctions programme is frequently the structural reason. A second read can surface the root cause and the route back. Map your options.
Anonymized practice example
In a recent mandate, a mid-market digital-asset exchange holding a DABA licence approached us after its primary banking partner initiated a de-risking review. The bank had identified that the exchange's sanctions programme relied on a weekly batch screen of customer names, with no wallet-address screening and no automated list-update feed. We conducted a rapid programme assessment, rebuilt the screening architecture around real-time entity feeds and on-chain address screening, and produced a written programme certification for the bank's correspondent compliance team. The banking relationship was preserved. The full remediation took several weeks. Had the matter reached a formal BMA supervisory notice, the timeline and cost would have been substantially higher.
Which operator profile most acutely needs a dedicated sanctions-screening review?
Not every DABA licensee faces the same sanctions-screening exposure. The risk profile, and the urgency of a structured review, varies materially by operator type.
A retail exchange with a global user base and high transaction volumes faces the highest nominal volume of screening decisions. The risk is in throughput and in the diversity of the counterparty network. A retail exchange serving users across many jurisdictions, some of which are subject to broad blocking sanctions regimes, must invest in automated screening infrastructure that can process thousands of transactions per day and queue suspect transactions for human review without creating settlement delays that damage the user experience.
A custody-only provider serving institutional clients faces a lower transaction volume but a higher per-client due-diligence standard. Institutional clients frequently involve layered corporate structures, nominee arrangements and beneficial-ownership chains that standard name-matching does not easily penetrate. The sanctions risk at a custody provider is concentrated at onboarding and at the point of any change in beneficial ownership.
A token issuer conducting a public or restricted offering faces a one-time but high-intensity screening obligation. Every participant in the offering must be screened before tokens are allocated and again before proceeds are released. Where the offering is structured with a Bermuda DABA-licensed issuer and US or EU investors, the OFAC, UN and FCDO lists all apply, and the programme must be documented with a formality that will satisfy both the BMA and any subsequent regulatory inquiry.
A DeFi-adjacent business – for example, an entity that provides a non-custodial interface to decentralised protocols while holding a DABA licence for related advisory or settlement services – occupies the most legally uncertain ground. The BMA has not yet published granular guidance on the sanctions obligations of entities whose principal business is non-custodial. The prudent approach, in our view, is to apply the same screening standards as a custodial entity until authoritative guidance is available.
Self-assessment: is your Bermuda sanctions programme ready for a BMA examination?
Before a BMA on-site examination or a bank's compliance review, a DABA licensee should be able to answer affirmatively to each of the following questions. These are not exhaustive, but they reflect the areas where gaps most commonly surface.
Does the firm subscribe to automated, current-version feeds for every applicable sanctions list – OFAC, UN, UK FCDO – with documented update cadence? Is every client, beneficial owner and material counterparty screened at onboarding and on a triggered-review basis? Does the programme include on-chain address screening against designated wallet addresses? Is there a documented match-management process that distinguishes true positives from false positives, with a decision audit trail? Does the sanctions module communicate with the transaction-monitoring system so that a sanctioned-wallet transaction is blocked before execution? Is there a designated senior officer responsible for sanctions, with documented authority to block transactions and escalate to the FIU? Is the full programme documented in a written policy that has been approved by the board or equivalent governance body?
A "no" answer to any of these questions is a BMA examination finding waiting to happen.
Related at OBOLUS
- AML, Travel Rule and compliance for digital-asset businesses – the full compliance mandate across licensing, Travel Rule and transaction monitoring
- Transaction monitoring setup in Guernsey – comparative Channel Islands analysis for operators structuring across offshore jurisdictions
- De-risking and account closure defence – where the legal lines are drawn when a bank exits a crypto client
FAQ
What does the Travel Rule require from a VASP?
The Travel Rule, derived from the FATF Recommendation 16 framework, requires a VASP originating a virtual-asset transfer above the applicable threshold to collect and transmit originator and beneficiary identifying information to the receiving VASP. The data typically includes the full name, account identifier and, depending on jurisdiction, a physical address or national identification number. The receiving VASP must verify the beneficiary data. Bermuda's DABA AML programme requirements incorporate this obligation for all DAB licensees. The precise data threshold varies by jurisdiction and should be confirmed against current BMA guidance.
Who must act as MLRO for a crypto firm?
A DABA licensee must designate a Money Laundering Reporting Officer (MLRO) who is a senior, fit-and-proper individual with sufficient authority and independence to discharge the role. The MLRO receives internal suspicious-activity reports, decides on disclosures to the Bermuda Police Service Financial Intelligence Unit, oversees the AML/CFT programme and serves as the primary point of contact for BMA AML supervision. The role may be filled by an executive director or a dedicated compliance officer, but it cannot be outsourced in a way that removes accountability from a senior individual within the licensee.
How do regulators audit crypto AML programs?
The BMA audits a DABA licensee's AML programme through on-site examinations and off-site reviews. Examiners typically request the written AML/CFT policy, board minutes reflecting programme approval, evidence of staff training, samples of customer due-diligence files, transaction-monitoring alert logs, sanctions-screening records and MLRO reports. For crypto-specific controls, examiners increasingly review on-chain address screening documentation and Travel Rule transmission logs. A programme that exists in policy but cannot be demonstrated through records will not satisfy the examination. The BMA may also conduct thematic reviews across the DAB licensee population on specific risk topics.
OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. We map the licence stack across operating, custody and payment layers before you commit, and we structure licensing, banking and tax as one mandate rather than three disconnected workstreams. Digital assets are the whole of our practice. To discuss your situation, contact info@oboluslaw.com.
By Victor Olsen, Regulatory & Compliance Analyst – specialising in DABA regime compliance, BMA supervisory engagement and cross-border AML programme design for digital-asset businesses.
This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.