EST · MMXXVI
Home/Jurisdictions/Digital-Asset Licensing in Bermuda: What Businesses Need to Know
Licensing & Registration

Digital-Asset Licensing in Bermuda: What Businesses Need to Know

Digital-Asset Licensing in Bermuda: What Businesses Need to Know. Cross-border digital-asset legal counsel for business – licensing, disputes and structuring. T

Operating a digital-asset business without the right regulatory authorisation in Bermuda exposes a company to enforcement action, disrupted banking relationships and the prospect of a forced wind-down – often at the worst possible moment in a fundraise or expansion cycle. Bermuda was among the first common-law jurisdictions to enact a purpose-built statutory regime for digital-asset businesses, and that early-mover positioning continues to attract exchanges, custodians, token issuers and institutional funds seeking a credible offshore address. The analysis below sets out the regulatory structure, the licence categories, the cross-border considerations an inbound operator must resolve and the factors that distinguish Bermuda from comparable hubs.

The Regulatory Regime: BMA and the DABA Framework

Bermuda's digital-asset businesses are regulated primarily under the Digital Asset Business Act (DABA), administered by the Bermuda Monetary Authority (BMA). The BMA operates as the single prudential and conduct supervisor for financial services on the island, which gives it both the institutional depth and the supervisory precedent that newer, ring-fenced crypto-only regulators in competing jurisdictions sometimes lack. DABA was enacted in 2018, and subsequent regulatory updates have refined the licence-class structure, AML/CFT requirements and the expectations around technology governance. That legislative maturity is one of the core commercial arguments for Bermuda: the BMA has now reviewed applications across multiple market cycles, giving the regime operational clarity that a pure policy document cannot replicate.

Alongside DABA, the Digital Asset Issuance Act governs the public offering of digital assets in or from Bermuda, establishing a separate but related authorisation track for token issuers. Operators running both an exchange and an issuance programme therefore face a dual-authorisation question from the outset. In our practice, clients frequently underestimate this layering: they plan for one approval process and encounter a second before launch.

The BMA also supervises Bermuda's AML/CFT framework, which aligns with the FATF Recommendations – including Recommendation 15 on virtual assets and the Travel Rule (the obligation to pass originator and beneficiary data with a transfer). Compliance infrastructure is a condition of licence, not an afterthought assessed at renewal.

What Licence Categories Does Bermuda Offer?

DABA establishes a tiered licence structure calibrated to the scope and risk profile of the applicant's intended activities. The principal classes cover: Class F (full service, the most comprehensive); Class M (modified, for businesses operating within defined parameters); and the recently consolidated Class T (transitional/technology-linked service providers), with additional category distinctions for custody-specific businesses and for operators conducting ancillary digital-asset activities alongside a primary regulated function.

The practical consequence of this tiering is significant. An exchange operator planning to add custody services to its product set does not automatically extend its Class F permission – it must assess whether an additional authorisation is required or whether the custody activity falls within the scope already granted. We have advised operators who built their technical infrastructure for a combined offering and then encountered an authorisation gap during pre-launch BMA review. That gap costs time and, often, a conditional launch rather than a clean one.

For token issuers, the Digital Asset Issuance Act requires a prospectus-equivalent document and BMA approval before a public offering. The issuer authorisation is distinct from any exchange licence the business may hold. A token issuer that is not also conducting exchange, custody or transfer activities may not require a DABA licence at all – but that boundary question requires precise legal analysis, not an assumption.

The cross-border angle surfaces immediately at the categorisation stage. Where a Bermuda-licensed entity serves users in the European Union, the MiCA (Markets in Crypto-Assets Regulation) framework administered by ESMA and national competent authorities imposes its own requirements. A Bermuda DABA licence does not substitute for a MiCA CASP authorisation. Operators targeting EU users therefore face a multi-hub authorisation stack, with Bermuda as one node rather than a global permission.

For a scoped assessment of your licence category and any layered authorisation requirements, contact OBOLUS at info@oboluslaw.com. The process above describes the standard path. Your facts – the entity structure, the user base geography and the banking – change the analysis materially.

Who Needs a DABA Licence in Bermuda?

Any business carrying on digital-asset business in or from Bermuda requires authorisation under DABA unless a specific exemption applies. The trigger is activity-based: what the business does, not merely where it is incorporated. The BMA's published guidance identifies the following activities as requiring a licence: issuing, selling or redeeming digital assets; operating a digital-asset exchange; providing custodial wallet services; operating a digital-asset derivatives exchange; and providing digital-asset payment services, among others.

The phrase "in or from Bermuda" is where many operators misjudge their position. A company incorporated in Bermuda but directing all its marketing and operations at users outside the island is not automatically exempt from DABA. The BMA assesses the nexus of the business – where decisions are made, where the technology is operated from and where contractual relationships are formed. Incorporation alone does not determine whether the licence threshold is crossed.

Exemptions exist for intra-group digital-asset transfers and for certain technology infrastructure providers, but these are narrowly drawn. Relying on an exemption without a formal legal assessment is a risk that enforcement history in comparable regimes – including across the common-law offshore world – demonstrates is not academic. In our cross-border practice, we regularly advise businesses that assumed an exemption applied and subsequently received a BMA inquiry requiring them to demonstrate that assumption with documented evidence.

How Does the BMA Licence Application Process Work?

The BMA application process for a DABA licence is structured around a detailed submission covering the business model, financial projections, AML/CFT framework, technology architecture, key-person fitness and propriety, and the corporate structure of the applicant group. The BMA operates a pre-application engagement model: for complex or novel business models, an early-stage meeting with the regulator can surface issues before the formal file is submitted, reducing the risk of a requests-for-information cycle that extends the timeline materially.

The BMA assesses applicants against both prudential and conduct standards. Minimum capital requirements apply and vary by licence class; these figures are set by BMA policy and updated periodically, so any specific number must be confirmed against the current BMA guidance rather than taken from secondary sources. The BMA does not operate on a publicly committed turnaround target in the same manner as some newer licensing regimes, but applications that arrive complete, with experienced compliance infrastructure evident, generally progress more efficiently than those requiring multiple clarification rounds.

Key-person vetting is substantive. Controllers, directors and senior management positions all require BMA approval. The fitness and propriety assessment covers professional history, regulatory record across all jurisdictions and any adverse legal history. For internationally structured groups, this means assembling clearance documentation from multiple jurisdictions – a task that benefits from coordinated management to avoid sequential delays.

A micro-matter illustrates the practical dynamic. In a recent licensing matter, a custodian operating under an existing Class M Bermuda DABA authorisation sought to expand its services to include institutional digital-asset derivatives settlement. Pre-application engagement with the BMA identified that the proposed activity sat outside the Class M boundary. We structured the application to upgrade the authorisation to Class F, addressing the capital and governance implications in parallel, and the revised licence was granted without interrupting the client's existing operations.

AML, the Travel Rule and Ongoing Compliance

Ongoing DABA compliance extends well beyond the initial authorisation: the BMA's AML/CFT regime imposes continuous obligations that align with FATF standards, including the Travel Rule requirement to pass originator and beneficiary data on qualifying virtual-asset transfers. Bermuda's Travel Rule implementation mirrors the FATF Recommendation 15 framework, and the BMA expects licensed businesses to demonstrate technical readiness to collect, screen and transmit the required data at the point of licence rather than as a post-licence project.

Technology governance is a second ongoing compliance pillar. The BMA has published technology governance statements applicable to digital-asset businesses, covering key-management practices, custody safeguarding, business continuity and cybersecurity. These expectations are operationally demanding: a business that meets them at application but allows them to drift post-authorisation faces a supervisory finding rather than a clean annual review.

For operators whose Bermuda entity is one node in a multi-jurisdiction structure, the AML/CFT compliance architecture must address each jurisdiction's requirements independently while maintaining group-wide coherence. Where a Bermuda entity shares a compliance function with an affiliate licensed under MiCA or the MAS Payment Services Act in Singapore, the policies and procedures must satisfy the most demanding standard applicable across the group – or be separately calibrated for each jurisdiction.

How Does Bermuda Sit Within a Cross-Border Structure?

Bermuda functions most effectively as a regulated operating entity or holding node within a multi-jurisdiction structure rather than as a standalone global licence. Its common-law legal system, the depth of the Bermuda Court as a commercial forum, and the BMA's recognition among counterpart regulators in the US, UK and EU mean that a Bermuda-licensed entity carries institutional credibility in banking, counterparty and investor diligence conversations.

The tax dimension is material. Bermuda levies no income tax, capital gains tax or withholding tax on entities. This makes the jurisdiction attractive for holding structures and for treasury functions. However, operators serving users in high-tax jurisdictions must assess transfer pricing, permanent establishment risk and, for entities with EU nexus, the implications of EU substance requirements for preferential regimes. A Bermuda structure that looks clean at the entity level can create unexpected tax exposure at the group level if the substance and governance analysis has not been worked through carefully.

Banking is the operational friction point that many operators discover late. Bermuda has a developed local banking sector, but the correspondent-banking relationships that allow a Bermuda-licensed entity to access USD rails and to process fiat on- and off-ramp flows require the entity to demonstrate a clean compliance posture to its banking counterparts. Banks operating correspondent relationships for digital-asset businesses apply their own due-diligence standards, which frequently exceed the minimum required by the regulator. In our practice, we have seen technically compliant DABA-licensed entities face account closure or refused correspondent banking because their compliance documentation was written for the regulator rather than for a bank's own risk team. Those are different audiences, and the documentation must address both.

For operators sitting between Bermuda and a second licensing hub – a common structure pairing a Bermuda Class F with a European MiCA CASP or a Singapore MAS licence – the question of which entity faces which user base, and through which contractual chain, determines the regulatory perimeter for each authorisation. That analysis must precede the licence application, not follow it.

To map the licence, banking and tax stack for your Bermuda structure before you commit, write to OBOLUS at info@oboluslaw.com. If a prior application stalled or a banking relationship closed, a second read can surface the structural reason and the route back.

How Does Bermuda Compare for an Inbound Operator?

Bermuda is not the only common-law offshore jurisdiction with a purpose-built digital-asset regime, and an inbound operator should assess it against alternatives with precision rather than reputation alone. The BVI VASP Act 2022, administered by the BVI Financial Services Commission, offers a lighter-touch registration framework that may suit a business primarily needing a compliant holding or fund vehicle rather than an operating exchange or custodian. The Cayman Islands CIMA regime, operating under the Virtual Asset (Service Providers) Act, provides a comparable institutional environment with strong fund-law infrastructure – a relevant consideration for asset-management structures.

Bermuda's differentiation is the BMA's depth as a prudential supervisor and the jurisdiction's track record with institutional counterparties. Where an operator's commercial strategy requires demonstrating regulatory credibility to tier-one banks, institutional investors or regulated exchange counterparties in the US or EU, Bermuda's regulatory history carries more weight than a newer or lighter regime. That is a commercial argument, not a universal conclusion: the right jurisdiction depends on the operator's specific activity set, user base, capital structure and banking relationships.

A common assumption in the market is that a single offshore licence provides a global permission to serve clients without further regulatory engagement. That assumption is incorrect. DABA authorises activities in or from Bermuda; it does not displace the licensing requirements of any other jurisdiction in which the business operates or serves users. An operator with EU users faces MiCA; one serving US persons faces SEC, CFTC and FinCEN obligations at the federal level, plus applicable state money-transmitter licensing requirements; one in Singapore faces the MAS Payment Services Act. Bermuda is a credible, well-regulated node – it is not a substitute for the jurisdiction-by-jurisdiction analysis that cross-border digital-asset operations require.

Related at OBOLUS

FAQ

How long does a crypto licence take to obtain?

Timelines vary by jurisdiction and by the completeness of the application at submission. In Bermuda, the BMA does not publish a fixed statutory determination period. Applications supported by complete documentation, experienced compliance infrastructure and a straightforward business model tend to progress in a matter of months; more complex structures or incomplete submissions extend that timeline materially. Pre-application engagement with the BMA can reduce the risk of a prolonged requests-for-information cycle.

Which jurisdiction is best for licensing my crypto business?

There is no universal answer. The right jurisdiction depends on the operator's activity set, the geographic profile of its user base, its banking requirements, capital structure and investor expectations. Bermuda suits operators prioritising institutional credibility, common-law legal infrastructure and a mature prudential supervisor. Other hubs – including the BVI, Cayman, Singapore and MiCA-qualifying EU jurisdictions – suit different profiles. A jurisdiction selection analysis should map all of those variables before an application is filed.

Do I need a separate custody licence?

In Bermuda, custody of digital assets is a regulated activity under DABA. Whether a standalone custody licence is required or whether custody falls within a broader Class F authorisation depends on the specific scope of the applicant's activities. An operator holding assets on behalf of clients as an ancillary function to exchange services will have different authorisation needs from a pure custodian. This is a categorisation question that requires legal analysis against the BMA's current guidance before the structure is finalised.

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance obligations that sit around them. We map the licence stack across operating, custody and payment layers before you commit – so that the structure you file is the structure you can execute. We advise crypto exchanges, custodians, token issuers and funds across more than seventy licensing jurisdictions. Digital assets are the whole of our practice. To discuss your situation, contact info@oboluslaw.com.

By Aisha Tan, Licensing & Jurisdictions Analyst – specialist in multi-hub digital-asset licence strategy, BMA authorisation processes and cross-border VASP registration.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours