A Practical, Real-World Guide for Exchanges, Custodians, Brokers, Payments Firms, and Stablecoin Issuers

There’s a moment most crypto founders reach, usually right after the first serious institutional conversation.

A bank asks: “Are you licensed?”
A custodian asks: “Which regulator supervises you?”
An investor asks: “What’s your compliance posture?”

And suddenly the company realizes: the product isn’t the bottleneck.

Regulatory readiness is.

Bermuda is one of the few jurisdictions that offers a full, institutionally credible licensing regime designed specifically for digital assets. But the pathway to approval is not guesswork. It is structured, and if you follow the sequence, you dramatically improve approval probability.

This article gives you a step-by-step regulatory roadmap to obtain a Bermuda Digital Asset Business (DAB) licence under the Digital Asset Business Act 2018, written for founders and executives who want clarity without the fluff.

The Three Licence Targets (Before You Start)

Before you take a single step, you must know which “door” you’re trying to enter:

  • Class T — Testing licence (sandbox / proof-of-concept)
  • Class M — Modified licence (transitional commercial operation)
  • Class F — Full licence (institutional-scale operation)

The entire roadmap, documents, timelines, and intensity, depends on this choice.

If you choose the wrong licence class, you lose time.

The Roadmap in 10 Steps

Step 1: Define Your Regulated Activities (Correctly)

Objective: Confirm whether your services fall within “digital asset business” and which activities the BMA will treat as high-risk.

You should document (clearly):

  • Are you an exchange, custodian, broker, payments provider, lender, or issuer?
  • Will you hold client assets?
  • Will you touch fiat rails?
  • Will you offer derivatives, staking, or yield products?
  • Will you issue a single-currency pegged stablecoin?

Regulators don’t approve vague models.

A precise activity scope is the foundation of the application.

Step 2: Choose the Licence Class Based on Readiness (Not Ambition)

Objective: Align your operational maturity with the correct regulatory pathway.

Ask yourself:

  • Is the product still being tested? → Class T
  • Is it operational but still evolving? → Class M
  • Is it mature, institutional-grade, and ready for full supervision? → Class F

Regulatory success is rarely about how impressive the product is.

It’s about how ready the institution is.

Step 3: Build a Bermuda Substance Strategy (The “Mind & Management” Test)

Objective: Demonstrate that the company will be genuinely managed from Bermuda, not merely registered there.

The regulator expects evidence of:

  • Bermuda-based Senior Representative
  • Board governance and decision-making accessibility
  • Operational oversight and accountability in Bermuda

If you treat Bermuda as a “letterbox,” the application will be delayed or rejected.

Step 4: Lock Down Ownership Transparency and Source of Funds

Objective: Remove the single fastest way applications fail: unclear ownership.

You must prepare:

  • Shareholding chart (including parent entities)
  • Ultimate beneficial owners (UBOs)
  • Controller disclosures (who exercises control)
  • Source of funds and (where needed) source of wealth narrative

If the regulator cannot identify who controls the company, the process stops.

Step 5: Design the Governance Structure Like a Financial Institution

Objective: Show the company can be supervised and held accountable.

A strong structure typically includes:

  • Board of directors with relevant financial services competence
  • Governance documents (board charter, delegation of authority, committee structure)
  • Clear separation between: (i) business operations (ii) risk oversight, and (iii) compliance oversight

Regulators are not looking for founders who “promise compliance.”

They are looking for institutions built for oversight.

Step 6: Build the Compliance & AML/ATF Framework (Before You Apply)

Objective: Demonstrate operational capacity to prevent financial crime and comply with sanctions.

Your package should include:

  • AML/ATF policy and procedures
  • Risk-based CDD/EDD framework
  • Transaction monitoring methodology (systems + escalation)
  • Sanctions screening controls (customers + transactions)
  • Suspicious activity reporting process
  • Record-keeping framework and retention

The regulator will look for how it works operationally, not just what the policy says.

Step 7: Define Custody and Client Asset Protection (If You Touch Client Assets)

Objective: Show exactly how client assets will be protected, segregated, and reconciled.

You must document:

  • Whether you custody in-house or outsource custody
  • Asset segregation approach (legal + operational)
  • Private key management controls
  • Wallet architecture (hot/warm/cold)
  • Reconciliation controls
  • Incident response in case of compromise
  • Client disclosures and legal terms

For exchanges and custodians, this is often the most scrutinized component.

Step 8: Build the Cybersecurity & Operational Resilience Pack

Objective: Prove you can survive cyber incidents and operational shocks.

The regulator expects:

  • Cyber risk governance at board level
  • Security programme overview
  • Incident response plan and reporting triggers
  • Access controls and privileged access management
  • Vendor security management
  • Pen testing approach and remediation cycle

If your cybersecurity posture is weak, it signals systemic risk.

And systemic risk is what regulators are built to prevent.

Step 9: Prepare Financial Projections + Capital Strategy

Objective: Demonstrate solvency, sustainability, and prudential strength.

You should include:

  • 3–5 year projections (revenue, expenses, cash flow)
  • Capital plan (initial capital + contingency)
  • Liquidity plan (how withdrawals and redemptions are supported)
  • Stress-testing narrative (especially for custody/exchange/stablecoin models)

Capital isn’t merely a threshold.

It’s a signal of resilience.

Step 10: Submit the Application and Manage the Regulatory Review Process

Objective: Submit a regulator-ready pack and respond professionally to queries.

After submission, expect:

  • Assignment of a case officer
  • Completeness checks
  • Requests for additional information (RFIs)
  • Clarification meetings (if needed)
  • Conditions precedent or staged approvals (common)

Many applications fail not because they are rejected outright—but because companies mishandle regulatory questions.

The review phase is where regulatory trust is built.

Realistic Timelines (What Companies Actually Experience)

While each application differs, typical timelines are:

  • Class T: 2–4 months
  • Class M: 3–6 months
  • Class F: 4–9 months (or longer for complex exchange/custody/stablecoin models)

Your speed depends on readiness.

Regulators move faster when applicants submit complete and well-structured packages.

The Most Important Truth: Licensing Is an Institutional Upgrade

A Bermuda DAB licence is not something you “get.”

It’s something you earn by demonstrating that your company is safe to operate within the regulated financial system.

If your company is structured like a startup, regulators will treat it like a startup.

If it is structured like a financial institution, regulators will engage with it like one.

How CRYPTOVERSE Can Help

CRYPTOVERSE Legal Consultancy supports digital asset businesses through the full Bermuda licensing lifecycle—from strategy and structuring to submission and approval.

We assist with:

  • Licence classification (T vs M vs F) and regulatory strategy
  • Ownership transparency and controller structuring
  • Governance framework design (board, committees, control functions)
  • AML/ATF and sanctions framework drafting
  • Cyber and operational resilience documentation
  • Custody and client asset protection structuring
  • Full application drafting, packaging, and submission
  • Regulatory engagement and RFI response management

Our focus is simple: maximize approval probability and minimize regulatory delays.

Captivating CTA: Turn Your Crypto Company into a Licensed Institution

If your company is serious about institutional growth—banking access, investor confidence, enterprise clients—the licensing decision is not optional.

It is the line between operating outside the financial system and operating within it.

Contact CRYPTOVERSE Legal Consultancy to build your Bermuda licensing roadmap, structure your application for approval, and secure your Digital Asset Business licence with institutional confidence.

The future of crypto will belong to regulated institutions.

Start building yours now.

FAQs

1. Who needs a Bermuda DAB licence?

Businesses offering regulated digital asset services such as exchanges, custodians, brokers, payment providers, and certain stablecoin issuers may require a Bermuda DAB licence.

2. What are Class T, Class M, and Class F licences?

Class T is for testing, Class M is for growing businesses, and Class F is for fully established digital asset firms.

3. How long does a Bermuda DAB licence take?

 Most applications take between 2 and 9 months, depending on the licence class and application readiness.

4. What documents are needed for a DAB licence?

Key documents include a business plan, governance framework, AML/ATF policies, ownership disclosures, cybersecurity policies, and financial projections.

5. Why are DAB licence applications delayed?

Delays are usually caused by incomplete documentation, weak compliance frameworks, unclear ownership, or slow responses to regulator queries.