Why Bermuda – and why now?

Bermuda has built one of the most mature, supervisor-led digital asset regimes in the world. The Bermuda Monetary Authority (BMA) regulates Virtual Asset/“Digital Asset” Businesses (DABs) under the Digital Asset Business Act 2018 (DABA), complemented by detailed Codes of Practice and rules spanning governance, custody, disclosures, and cyber risk. The framework is principle-based yet prescriptive where it matters most – client asset protection, technology risk, and market conduct – making Bermuda a credible home for exchanges, custodians, tokenization studios, brokers, and payment platforms.

Below is a practitioner’s guide – written for founders, GCs, and compliance leads – on what it takes to obtain and maintain a Bermuda DAB licence in 2025.

1) Who regulates crypto in Bermuda?

Regulator: Bermuda Monetary Authority (BMA).
Primary statute: Digital Asset Business Act 2018 (DABA).
Supervisory instruments:

  • Code of Practice (April 2023) – governance, risk, conduct, outsourcing, client asset segregation.
  • Operational Cyber Risk Management Code of Practice (Jan 2024) – board-level cyber governance, CISO role, incident reporting, controls for DLT/smart contracts.
  • Client Disclosure Rules 2018 – pre-contract and transaction-level disclosures.
  • Prudential Standards (Annual Return) Rules 2018 – annual return content, business plan, audited financials, sanctions controls.
  • Digital Asset Custody Code of Practice (2019) – deep operational standards for key management, segregation, PoR, BCP/DR.

Key definitions: “Digital asset” is broadly defined (payment, investment-type, or utility tokens), subject to carve-outs (e.g., closed-loop rewards, in-game value).

2) Marketing crypto services in Bermuda

Bermuda treats promotions as conduct-of-business: advertising must be fair, clear, and not misleading, with appropriate risk warnings and product due-diligence before launch. The DAB Code of Practice dedicates Section IX to Advertising & Promotions, Sales Practices, Communications, Disclosure, Suitability, Internet business, Complaints – expect the BMA to benchmark your sales and onboarding journeys to these standards.

Separately, Client Disclosure Rules 2018 require pre-transaction disclosures of material risks, licence class, fee schedules/methods, insurance posture, transfer irrevocability, governance/voting rights over custodied assets, liability and redress, and 30-day notice of material T&Cs changes – issued separately and in a recordable form. Confirmation receipts must capture core transaction details and fees; cyber reporting events that expose client data must be disclosed to affected clients.

3) Which activities are regulated?

You need a DAB licence if you carry on any of the following in or from within Bermuda (including via Bermuda-based mind and management): (a) issuing, selling, or redeeming digital assets; (b) operating a payment service business that uses digital assets (incl. money transmission, merchant acquisition, issuance/sale/redemption of stored value); (c) operating a digital asset exchange; (d) providing digital asset custodial wallet services; (e) acting as a digital asset services vendor (executing transactions for clients or operating as a market maker).

The Minister (on BMA advice) can define what is – or isn’t – deemed to be carrying on digital asset business in Bermuda.

4) Paid-up capital and licensing fees

Capital: DABA is principle-based on capital adequacy – there is no single fixed “paid-up capital” number. The BMA assesses whether your business is conducted “in a prudent manner”, including adequacy of financial resources (capital, liquidity, and – where appropriate – insurance). Expect capital to be tied to your risk profile, client money exposure, leverage (if any), and operational complexity.

Fees: Bermuda uses a transparent, scale-sensitive model:

  • Application fees: Class T: US$1,000; Class M: US$2,266; Class F: US$2,266.
  • Licence grant fee: equal to the annual fee for that year.
  • Annual fee: lower of US$450,000 or 0.00075 × estimated client receipts (with minimums by business type, e.g., custody of client private keys: US$150,000; other services: US$15,000).

What this means in practice: high-volume businesses with significant client receipts pay more – but the cap and minimums provide budget certainty during planning.

5) Mandatory licensing requirements (people, place, systems)

  1. Mind & Management / Head Office. The BMA expects “mind and management” in Bermuda. The Head Office Guidance details how strategic direction, risk, finance, compliance, and key decision-making should be effectively exercised in Bermuda – not merely outsourced or nominal.
  2. Senior Representative. All licensees must appoint a Senior Representative (SR) in Bermuda – your first-line liaison who must escalate certain notifiable events to the BMA. (See DABA Part 2 headings for SR and SR reporting.)
  3. Governance. The Code of Practice requires a competent Board, robust risk framework, internal controls, segregation/protection of client assets, and effective compliance and internal audit functions – applied proportionately to your nature/scale/complexity.
  4. Custody & Client Asset Protection. DABA and the Digital Asset Custody Code mandate segregation of client assets, sufficient holdings to meet obligations, and firm-grade operational standards across key generation/storage, multi-sig, incident response, and BCP/DR. The 2025 Custody of Client Assets Rules further tighten recordkeeping, reconciliations, segregation, and control obligations.
  5. Cybersecurity. The Operational Cyber Risk Management Code (2024) and Cyber Risk Rules 2023 require Board-led cyber governance, CISO ownership, incident reporting, MFA, DLP, secure SDLC, smart-contract and DLT security reviews, and periodic penetration testing – superseding the 2018 cyber rules from 1 Jan 2024.
  6. Ongoing reporting. Expect an Annual Return (with audited financials, business plan, sanctions compliance attestations), and a Certificate of Compliance within 4 months of financial year-end.

6) The application procedure (what to prepare, how to position)

Licence classes:

  • Class T (Testing) – sandbox-style permissions under limits;
  • Class M (Modified) – restricted scope/conditions;
  • Class F (Full) – unrestricted within authorised activities. (Fees per class above.)

Process & dossiers: The BMA’s Information Bulletin (Feb 2024) outlines the pathway and dossier expectations. You’ll compile a comprehensive pack covering: corporate structure and controllers; business plan and financial model; governance map; risk, compliance and AML/ATF framework; technology architecture and security; outsourcing/third-party controls; client asset arrangements; insurance; and key policies and procedures.

Foundational artifacts CRYPTOSTART-ready applicants bring to first contact:

  • Business plan with activity mapping to DABA Section 2(2) and revenue drivers.
  • Governance charter – Board terms, committees, SR charter, delegated authorities.
  • Risk & compliance framework – risk taxonomy, RCSAs, KRIs, compliance monitoring plan.
  • Client asset model – segregation mechanics, reconciliations, insolvency protections, surety/insurance.
  • Cyber programme – policy suite, CISO mandate, incident runbooks, vendor/DLT security, PT/VA cadence.
  • Client disclosures – risk statements, fee schedule/methods, irrevocability, liability/redress, 30-day notice protocol.

Head Office test: Be prepared to evidence head-office substance – people, premises, decision logs – in Bermuda. The BMA will look through outsourcing to confirm “mind & management” sits locally.

Timing: Class T can move quickest; Class F takes longer due to scale/complexity. (Timelines are business-specific; the BMA engages iteratively via queries and clarifications.)

7) Documents you will need

Expect to deliver (non-exhaustive; mapped to Bermuda instruments):

  • Corporate & controllers: org charts; controller notices; fit-and-proper files (per Schedule 1 “Minimum Criteria for Licensing”).
  • Governance & SR: Board/committee charters; SR appointment/mandate; conflicts policy; internal audit and compliance charters.
  • Policies/controls: client asset protection policy; custody controls (key management, multi-sig, reconciliations, PoR); BCP/DR.
  • Cyber & tech: cyber policy suite; CISO role description; incident/“cyber reporting event” playbooks; secure SDLC; smart-contract/DLT testing evidence.
  • Conduct & disclosures: advertising/marketing approvals, risk disclosures, fee schedules/methods, complaints handling SOP.
  • Financials & reporting: projected client receipts (fee calculation); audited financials (once operating); annual return data pack and compliance certificate.

8) How Bermuda compares (and when it’s the right choice)

Bermuda’s regime is technology-aware (explicit DLT/smart-contract control expectations), client-protection-heavy (granular disclosures; custody standards), and substance-driven (mind & management on-island). For institutions seeking regulatory clarity without stifling innovation, the balance of principles + codes works well – especially for exchanges, prime brokers, tokenization platforms, and custodians that want a supervisor comfortable with complex market infrastructure.

9) Common pitfalls – and how we mitigate them

  • Marketing drift: Global materials must meet Bermuda’s “fair, clear, not misleading” standard, with consistent risk warnings. We perform a promotions gap-analysis against the Code’s Section IX before go-live.
  • Under-evidenced Head Office: Outsourcing is fine; outsourcing decision-making is not. We help anchor decision records, senior exec presence, and SR workflows in Bermuda.
  • Custody shortcuts: We align your KMS, signing policies, reconciliations, and contingency insurance with the Custody Code and 2025 Rules.
  • Cyber under-resourcing: We implement a CISO-led cyber programme that meets the Operational Cyber Risk Code: MFA, PT/VA cadence, secure SDLC, DLT controls, and timely incident reporting.

10) How CRYPTOVERSE Legal gets you licensed – end-to-end

  1. Strategic structuring. We map your product to DABA activities and licence class (T/M/F), size the fee envelope (0.00075 × estimated client receipts; caps/minimums), and design a Bermuda-credible Head Office footprint.
  2. Policy & controls build-out. We draft and operationalize your governance suite, client asset protection model, promotions & disclosure framework, cyber/DLT controls, and outsourcing oversight – each cross-walked to the Code, Custody Code, Client Disclosure Rules, and Operational Cyber Code.
  3. Licence dossier & regulator engagement. We assemble the application pack per the 2024 Bulletin, project manage RFI cycles with the BMA, and prepare the Board/SR/CISO for supervisory interviews.
  4. Operational readiness & first-year compliance. We stand up your Annual Return data spine and Certificate of Compliance workflows, then calibrate MI/KPIs so the Board can evidence “prudent conduct of business.”

Final word (and important disclaimer)

Bermuda’s framework rewards firms that treat regulation as an operating system, not an afterthought. If you can demonstrate real substance in Bermuda, verifiable client-asset safeguards, and a CISO-owned cyber stack, you’ll find the BMA pragmatic, technical, and aligned with institutional expectations.

This article is for general information only and does not constitute legal advice. Specific matters turn on their facts and on evolving BMA guidance; always seek tailored counsel before making structuring or licensing decisions.

If you’re ready to explore a Class T, Class M, or Class F licence – or to convert a sandbox build into a fully regulated platform – CRYPTOVERSE Legal can lead the process end-to-end, from feasibility and fee modeling to dossier submission and day-one compliance.


FAQs:

1. Who regulates digital asset businesses in Bermuda?

The Bermuda Monetary Authority (BMA) regulates Virtual Asset or Digital Asset Businesses under the Digital Asset Business Act 2018 (DABA). It supervises exchanges, custodians, token issuers, and brokers through detailed codes of practice and cyber risk rules.

2. What is required to obtain a Bermuda digital asset license?

Applicants must demonstrate local “mind and management,” submit a detailed business plan, governance and compliance frameworks, and meet capital adequacy standards. The BMA assesses readiness through documents covering cyber security, client asset protection, and internal controls.

3. How much capital is required for a BMA digital asset license?

There is no fixed capital requirement. The BMA evaluates adequacy based on business type, operational complexity, client exposure, and financial prudence. Capital and insurance coverage must align with the firm’s risk profile.

4. What are the license types under Bermuda’s DABA framework?

The BMA issues three license classes:

  • Class T (Testing): Sandbox permissions.
  • Class M (Modified): Restricted activities.
  • Class F (Full): Unrestricted operations.

Fees vary by class and estimated client receipts.

5. Can foreign crypto companies operate from Bermuda?

Yes, if they establish genuine “mind and management” in Bermuda. The BMA requires a physical head office, senior representative, and decision-making authority on-island – not merely an offshore shell presence.

6. What activities require a DAB license in Bermuda?

Any entity that issues, sells, or redeems digital assets, provides custodial wallet services, operates a digital asset exchange, or facilitates digital asset transactions must hold a license under the DABA framework.

7. Why choose Bermuda for your crypto business?

Bermuda offers a mature, principle-based regulatory system that supports innovation while ensuring strong governance, custody, and cyber protection. It’s favored by institutional-grade exchanges, tokenization platforms, and custodians seeking regulatory credibility.

8. How can CRYPTOVERSE Legal assist with licensing?

CRYPTOVERSE Legal manages the full process – structuring, documentation, regulator engagement, and first-year compliance – ensuring your VASP meets all DABA and BMA standards for smooth approval and long-term regulatory success.