2018
DABA enacted
Bermuda establishes a dedicated licensing regime for digital asset business.
Bermuda Crypto Regulations in 2026
Bermuda crypto regulations are built around the Digital Asset Business Act 2018 (DABA), the Digital Asset Issuance Act 2020 (DAIA), and BMA supervision. If a company carries on regulated digital asset business in or from Bermuda, it generally needs a Bermuda Monetary Authority licence. If it conducts a public digital asset issuance, it generally needs prior BMA authorisation under DAIA. The practical analysis turns on activity, client asset handling, issuance structure, AML exposure, and whether the model fits Class F, Class M, or Class T licensing.
Bermuda crypto regulations are built around the Digital Asset Business Act 2018 (DABA), the Digital Asset Issuance Act 2020 (DAIA), and BMA supervision. If a company carries on regulated digital asset business in or from Bermuda, it generally needs a Bermuda Monetary Authority licence. Read more Hide
If it conducts a public digital asset issuance, it generally needs prior BMA authorisation under DAIA. The practical analysis turns on activity, client asset handling, issuance structure, AML exposure, and whether the model fits Class F, Class M, or Class T licensing.This page is a legal-practical overview for 2026 and is not legal, tax, or regulatory advice. Bermuda scope analysis depends on the exact activity, token design, customer base, and operating model.
Disclaimer
This page is a legal-practical overview for 2026 and is not legal, tax, or regulatory advice. Bermuda scope analysis depends on the exact activity, token design, customer base, and operating model.At a glance
Executive Snapshot
Key regulatory facts, timeline markers, and practical next steps for a fast initial read.
At a Glance
- Main regulator
- Bermuda Monetary Authority (BMA) supervises licensed digital asset business and authorises public digital asset issuances.
- Primary licensing law
- DABA 2018 regulates carrying on digital asset business, including exchange, custody, payments, lending, derivatives, and certain digital asset service activities.
- Issuance law
- DAIA 2020 applies to public digital asset issuances and is the key 2026 issuance regime; older ICO references are not enough on their own.
- Licence classes
- Class F is the full licence, Class M is a modified licence, and Class T is a test licence for pilot or beta-stage models.
- AML overlay
- DABA and DAIA sit on top of Bermuda AML/ATF laws, including POCA 1997, the 2008 AML/ATF Regulations, sanctions controls, suspicious activity reporting, and Travel Rule-type transfer obligations.
- 2024-2025 changes
- Key updates include the Digital Asset Business (Cyber Risk) Rules 2023 effective 1 January 2024, Single Currency Pegged Stablecoin Guidance from November 2024, and Digital Asset Business (Custody of Client Assets) Rules 2025.
- Tax nuance
- Bermuda is still generally tax-light for digital asset structures, but the blanket statement 'no corporate income tax' is no longer complete because a 15% corporate income tax regime applies to certain multinational groups above €750,000,000 revenue from 1 January 2025.
Mini Timeline
2020
DAIA enacted
Public digital asset issuances move into a dedicated authorisation framework.
1 Jan 2024
Cyber Risk Rules effective
The 2023 cyber risk regime replaces older cybersecurity references in current compliance analysis.
Nov 2024
Stablecoin guidance
BMA issues single-currency pegged stablecoin guidance with reserve, attestation, redemption, and resilience expectations.
2025
Custody Rules and tax change
Custody of client assets becomes more prescriptive; Bermuda corporate income tax applies to in-scope MNE groups.
Quick Assessment
- Holding crypto for your own treasury is not, by itself, the same as carrying on regulated digital asset business.
- A token launch and an exchange or custody business are different regulatory questions; founders often need a DABA/DAIA split analysis before filing.
- Bermuda is strongest for operators willing to run a real compliance stack, not for founders seeking a zero-touch offshore label.
- Stablecoin, custody, and payment models now face more detailed prudential expectations than many older articles reflect.
Short answer
Bermuda crypto regulations in 2026: the short answer
Bermuda crypto regulations are mature, statute-based, and unusually specific by offshore standards. The short answer is that DABA governs regulated digital asset business, DAIA governs public digital asset issuances, and the BMA is the central supervisory authority. If you operate an exchange, custody platform, payment rail, lending desk, derivatives venue, or another in-scope digital asset business in or from Bermuda, you should assume a licence analysis is required. If you are offering your own digital assets to the public, you should assume a DAIA authorisation analysis is required. The main practical mistake in this area is treating Bermuda crypto regulation as a single concept; in reality, Bermuda separates business activity, issuance, AML/ATF, cyber risk, custody of client assets, disclosures, and stablecoin prudential controls. Another common mistake is relying on pre-2024 summaries that omit the Cyber Risk Rules 2023, the 2025 custody rules, and the 2024 stablecoin guidance. In 2026, Bermuda remains one of the more credible jurisdictions for institutional-grade crypto businesses, but the trade-off is clear: the jurisdiction expects governance, substance, reporting, and operational controls that can withstand BMA scrutiny.
Recent updates
Bermuda’s 2024-2026 regulatory delta
The key 2026 point is that Bermuda crypto regulation is no longer accurately described by older summaries focused only on DABA, AML, and the former ICO narrative. The current picture includes a newer cyber regime, a more prescriptive client asset custody framework, stablecoin-specific guidance, and a tax environment that now requires group-level analysis for large multinational structures.
| Topic | Legacy Approach | Current Approach |
|---|---|---|
| Cybersecurity compliance | Older articles often cite Digital Asset Business (Cybersecurity) Rules 2018 as if they remain the operative standard. | Current analysis should refer to the Digital Asset Business (Cyber Risk) Rules 2023, effective 1 January 2024, together with the operational cyber risk management code. |
| Client asset custody | Custody was often described in general terms or through draft-code references. | In 2026, custody analysis should include the Digital Asset Business (Custody of Client Assets) Rules 2025, including segregation, reconciliation, pooling, and third-party oversight expectations. |
| Stablecoin treatment | Many summaries treated stablecoins as just another token category under general DABA concepts. | The Single Currency Pegged Stablecoin Guidance issued in November 2024 adds reserve, attestation, redemption, governance, and operational resilience expectations. |
| Issuance regime | Some market commentary still over-relies on the older ICO framework. | For 2026 public issuances, DAIA 2020 is the central authorisation regime and should be the primary reference point. |
| Tax messaging | Older pages often say Bermuda has no corporate income tax, full stop. | That is incomplete after 1 January 2025 because a 15% Bermuda corporate income tax regime applies to certain multinational enterprise groups above €750,000,000 revenue. |
Topic
Cybersecurity compliance
Legacy Approach
Older articles often cite Digital Asset Business (Cybersecurity) Rules 2018 as if they remain the operative standard.
Current Approach
Current analysis should refer to the Digital Asset Business (Cyber Risk) Rules 2023, effective 1 January 2024, together with the operational cyber risk management code.
Topic
Client asset custody
Legacy Approach
Custody was often described in general terms or through draft-code references.
Current Approach
In 2026, custody analysis should include the Digital Asset Business (Custody of Client Assets) Rules 2025, including segregation, reconciliation, pooling, and third-party oversight expectations.
Topic
Stablecoin treatment
Legacy Approach
Many summaries treated stablecoins as just another token category under general DABA concepts.
Current Approach
The Single Currency Pegged Stablecoin Guidance issued in November 2024 adds reserve, attestation, redemption, governance, and operational resilience expectations.
Topic
Issuance regime
Legacy Approach
Some market commentary still over-relies on the older ICO framework.
Current Approach
For 2026 public issuances, DAIA 2020 is the central authorisation regime and should be the primary reference point.
Topic
Tax messaging
Legacy Approach
Older pages often say Bermuda has no corporate income tax, full stop.
Current Approach
That is incomplete after 1 January 2025 because a 15% Bermuda corporate income tax regime applies to certain multinational enterprise groups above €750,000,000 revenue.
Core statutes
The legal framework: DABA, DAIA, AML laws, and BMA supervision
Bermuda crypto regulation is a layered framework, not a single crypto law. DABA 2018 is the licensing statute for carrying on digital asset business. DAIA 2020 is the authorisation regime for public digital asset issuances. On top of both sits Bermuda’s AML/ATF architecture, including the Proceeds of Crime Act 1997, the Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist Financing) Regulations 2008, the Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist Financing Supervision and Enforcement) Act 2008, and the Anti-Terrorism (Financial and Other Measures) Act 2004. The BMA supervises prudential, conduct, cyber, and client protection obligations, while other statutes can become relevant depending on structure, including the Companies Act 1981, Electronic Transactions Act 1999, Investment Business Act 2003, Investment Funds Act 2006, and Personal Information Protection Act 2016.
| Law / Regime | Scope | Applies To | Why It Matters |
|---|---|---|---|
| Digital Asset Business Act 2018 (DABA) | Licensing and supervision of digital asset business activities carried on in or from Bermuda. | Exchanges, custodians, payment providers, lending businesses, derivatives venues, and certain digital asset service vendors. | This is the core answer to the question 'do I need a Bermuda crypto licence?' |
| Digital Asset Issuance Act 2020 (DAIA) | Prior BMA authorisation for public digital asset issuances. | Undertakings seeking to conduct a public token or digital asset issuance in or from Bermuda, subject to exclusions and non-public thresholds. | DAIA is separate from DABA; founders often confuse launching a token with operating a regulated business. |
| POCA 1997 and 2008 AML/ATF Regulations | AML/CFT compliance, customer due diligence, monitoring, recordkeeping, sanctions controls, and suspicious activity reporting. | Licensed digital asset businesses and other regulated entities within Bermuda’s AML perimeter. | A DABA or DAIA analysis is incomplete without AML governance, Travel Rule operations, and reporting controls. |
| Digital Asset Business (Client Disclosure) Rules 2018 | Client-facing disclosures on risks, terms, conflicts, complaints, and operational matters. | DABA licensees dealing with clients or customer assets. | Bermuda treats disclosure as a conduct obligation, not just a contractual afterthought. |
| Digital Asset Business (Cyber Risk) Rules 2023 | Cyber governance, risk assessment, incident handling, testing, and reporting. | DABA licensees and applicants expected to maintain an operational cyber risk framework. | Cyber is now a supervisory pillar and directly affects application quality and ongoing compliance. |
| Digital Asset Business (Custody of Client Assets) Rules 2025 | Protection of client assets, segregation, reconciliation, pooling conditions, and third-party custody controls. | Custodians and other DABA licensees that hold or control client digital assets. | This is one of the most important 2025 updates for exchanges and custodians. |
| Single Currency Pegged Stablecoin Guidance | Prudential expectations for single-currency pegged stablecoin arrangements. | Stablecoin issuers and related operators within the Bermuda digital asset perimeter. | Bermuda now addresses reserve quality, attestations, redemption, and resilience more explicitly. |
Law / Regime
Digital Asset Business Act 2018 (DABA)
Scope
Licensing and supervision of digital asset business activities carried on in or from Bermuda.
Applies To
Exchanges, custodians, payment providers, lending businesses, derivatives venues, and certain digital asset service vendors.
Why It Matters
This is the core answer to the question 'do I need a Bermuda crypto licence?'
Law / Regime
Digital Asset Issuance Act 2020 (DAIA)
Scope
Prior BMA authorisation for public digital asset issuances.
Applies To
Undertakings seeking to conduct a public token or digital asset issuance in or from Bermuda, subject to exclusions and non-public thresholds.
Why It Matters
DAIA is separate from DABA; founders often confuse launching a token with operating a regulated business.
Law / Regime
POCA 1997 and 2008 AML/ATF Regulations
Scope
AML/CFT compliance, customer due diligence, monitoring, recordkeeping, sanctions controls, and suspicious activity reporting.
Applies To
Licensed digital asset businesses and other regulated entities within Bermuda’s AML perimeter.
Why It Matters
A DABA or DAIA analysis is incomplete without AML governance, Travel Rule operations, and reporting controls.
Law / Regime
Digital Asset Business (Client Disclosure) Rules 2018
Scope
Client-facing disclosures on risks, terms, conflicts, complaints, and operational matters.
Applies To
DABA licensees dealing with clients or customer assets.
Why It Matters
Bermuda treats disclosure as a conduct obligation, not just a contractual afterthought.
Law / Regime
Digital Asset Business (Cyber Risk) Rules 2023
Scope
Cyber governance, risk assessment, incident handling, testing, and reporting.
Applies To
DABA licensees and applicants expected to maintain an operational cyber risk framework.
Why It Matters
Cyber is now a supervisory pillar and directly affects application quality and ongoing compliance.
Law / Regime
Digital Asset Business (Custody of Client Assets) Rules 2025
Scope
Protection of client assets, segregation, reconciliation, pooling conditions, and third-party custody controls.
Applies To
Custodians and other DABA licensees that hold or control client digital assets.
Why It Matters
This is one of the most important 2025 updates for exchanges and custodians.
Law / Regime
Single Currency Pegged Stablecoin Guidance
Scope
Prudential expectations for single-currency pegged stablecoin arrangements.
Applies To
Stablecoin issuers and related operators within the Bermuda digital asset perimeter.
Why It Matters
Bermuda now addresses reserve quality, attestations, redemption, and resilience more explicitly.
Supervisory map
Who regulates crypto in Bermuda
The BMA is the central regulator for Bermuda digital asset regulation, but a full compliance map usually involves more than one authority. The BMA handles licensing, prudential supervision, conduct standards, cyber oversight, enforcement, and public issuance authorisation. The Minister of Finance appears in the legislative architecture for certain orders, exemptions, and policy functions. The Financial Intelligence Agency (FIA) is relevant for suspicious activity reporting and intelligence channels. The Registrar of Companies matters for entity formation and corporate filings. The Supreme Court of Bermuda becomes relevant in insolvency, enforcement, injunction, and asset recovery contexts.
Bermuda Monetary Authority (BMA)
Role
Primary supervisor for DABA licensing, DAIA authorisation, prudential oversight, cyber risk, custody, client protection, and enforcement.
Typical trigger
Any application to carry on digital asset business, public issuance authorisation, material business change, supervisory reporting, or enforcement issue.
Minister of Finance
Role
Policy and statutory role in certain orders, exemptions, and broader financial services framework decisions.
Typical trigger
Questions involving exemption orders, legislative amendments, or policy-level regulatory changes.
Financial Intelligence Agency (FIA)
Role
Receives suspicious activity reports and supports Bermuda’s AML/ATF intelligence framework.
Typical trigger
Suspicious transaction patterns, sanctions concerns, or AML escalation events.
Registrar of Companies
Role
Corporate registration and company filing interface for Bermuda legal entities.
Typical trigger
Entity incorporation, corporate maintenance, and statutory company changes.
Supreme Court of Bermuda
Role
Judicial forum for insolvency, winding up, injunctions, proprietary claims, and certain enforcement outcomes.
Typical trigger
Liquidation, contested asset ownership, recovery proceedings, or court-backed regulatory action.
Bermuda Business Development Agency (BDA)
Role
Ecosystem and jurisdictional support body, not the licensing authority.
Typical trigger
Market entry planning, jurisdictional orientation, and ecosystem navigation.
Scope test
Which crypto activities require a Bermuda licence
The direct answer is that Bermuda regulates activities, not mere passive ownership. If a company carries on digital asset business in or from Bermuda, it generally needs a DABA licence unless a specific exemption applies. The regulated perimeter is broad enough to capture exchange, custody, payment, lending, derivatives, and certain service-vendor models, including acting as a market maker or benchmark administrator. The practical test is not what the product is called, but what the firm actually does for clients or the market.
Operating a digital asset exchange
Usually requires authorisation
Providing custodial wallet services or holding client keys/assets
Usually requires authorisation
Providing digital asset payment services
Usually requires authorisation
Issuing, selling, or redeeming digital assets as a business to the general public
Usually requires authorisation
Operating a digital asset lending or repo business
Usually requires authorisation
Operating a digital asset derivative exchange provider business
Usually requires authorisation
Acting as a digital asset services vendor, including market maker or benchmark administrator
Usually requires authorisation
Holding crypto solely for own balance sheet or treasury
Needs case-by-case analysis
| Business Model | MiCA Relevance | Adjacent Regimes | Practical Answer |
|---|---|---|---|
| Centralised exchange matching third-party orders | Not applicable; Bermuda uses DABA, not MiCA. | AML/ATF, cyber risk, custody, client disclosure, sanctions. | Usually in scope under DABA and generally requires a Bermuda licence. |
| Custody platform controlling client private keys | Not applicable; Bermuda uses DABA and custody rules. | Custody of Client Assets Rules 2025, cyber risk, disclosures, insurance or equivalent risk mitigation. | Usually in scope and subject to heightened prudential scrutiny. |
| Treasury company holding BTC or ETH for itself only | Not applicable. | Corporate, tax, accounting, sanctions, internal governance. | Often outside DABA if there is no client-facing regulated business, but facts still matter. |
| Project issuing its own token to the public to fund development | Not applicable; this is a Bermuda issuance question. | DAIA, AML, disclosure, corporate law, data/privacy, possible DABA overlay if the issuer also operates regulated services. | Usually a DAIA analysis first; may also require DABA analysis if the business model includes regulated activities. |
| OTC desk dealing as principal or on behalf of others | Not applicable. | AML, sanctions, market conduct, custody if client assets are held. | Often in scope depending on execution and intermediation model. |
| Software vendor providing non-custodial infrastructure only | Not applicable. | Contracting, IP, data protection, sanctions screening by counterparties. | May fall outside DABA if it does not carry on regulated business, but boundary analysis is fact-specific. |
Business Model
Centralised exchange matching third-party orders
MiCA Relevance
Not applicable; Bermuda uses DABA, not MiCA.
Adjacent Regimes
AML/ATF, cyber risk, custody, client disclosure, sanctions.
Practical Answer
Usually in scope under DABA and generally requires a Bermuda licence.
Business Model
Custody platform controlling client private keys
MiCA Relevance
Not applicable; Bermuda uses DABA and custody rules.
Adjacent Regimes
Custody of Client Assets Rules 2025, cyber risk, disclosures, insurance or equivalent risk mitigation.
Practical Answer
Usually in scope and subject to heightened prudential scrutiny.
Business Model
Treasury company holding BTC or ETH for itself only
MiCA Relevance
Not applicable.
Adjacent Regimes
Corporate, tax, accounting, sanctions, internal governance.
Practical Answer
Often outside DABA if there is no client-facing regulated business, but facts still matter.
Business Model
Project issuing its own token to the public to fund development
MiCA Relevance
Not applicable; this is a Bermuda issuance question.
Adjacent Regimes
DAIA, AML, disclosure, corporate law, data/privacy, possible DABA overlay if the issuer also operates regulated services.
Practical Answer
Usually a DAIA analysis first; may also require DABA analysis if the business model includes regulated activities.
Business Model
OTC desk dealing as principal or on behalf of others
MiCA Relevance
Not applicable.
Adjacent Regimes
AML, sanctions, market conduct, custody if client assets are held.
Practical Answer
Often in scope depending on execution and intermediation model.
Business Model
Software vendor providing non-custodial infrastructure only
MiCA Relevance
Not applicable.
Adjacent Regimes
Contracting, IP, data protection, sanctions screening by counterparties.
Practical Answer
May fall outside DABA if it does not carry on regulated business, but boundary analysis is fact-specific.
DABA vs DAIA
DABA vs DAIA: the decision boundary most founders get wrong
The core classification point is simple: DABA is about carrying on digital asset business, while DAIA is about conducting a public digital asset issuance. Bermuda does not treat every token question as a licensing question. A token can be part of an issuance analysis, a business activity analysis, an investment or fund analysis, or several at once. The right approach is to classify the activity, the offer, the customer relationship, and the asset-control model separately.
| Category | Core Feature | Typical Trigger |
|---|---|---|
| Digital asset business activity | A business provides exchange, custody, payments, lending, derivatives, issuance/redemption to the public as a business, or another in-scope service. | Primary trigger is DABA licensing. |
| Public digital asset issuance | An undertaking offers digital assets to the public in or from Bermuda. | Primary trigger is DAIA authorisation. |
| Non-public issuance | An issuance may fall outside the public perimeter where statutory thresholds or qualified acquirer concepts are met. | Requires careful DAIA analysis; not every issuance is public. |
| Passive holding | A company or individual simply acquires or holds digital assets for its own account. | Usually not a DABA trigger by itself. |
| Hybrid model | The same group issues a token, operates a platform, and holds client assets. | Often requires parallel DABA, DAIA, AML, corporate, tax, and privacy analysis. |
Category
Digital asset business activity
Core Feature
A business provides exchange, custody, payments, lending, derivatives, issuance/redemption to the public as a business, or another in-scope service.
Typical Trigger
Primary trigger is DABA licensing.
Category
Public digital asset issuance
Core Feature
An undertaking offers digital assets to the public in or from Bermuda.
Typical Trigger
Primary trigger is DAIA authorisation.
Category
Non-public issuance
Core Feature
An issuance may fall outside the public perimeter where statutory thresholds or qualified acquirer concepts are met.
Typical Trigger
Requires careful DAIA analysis; not every issuance is public.
Category
Passive holding
Core Feature
A company or individual simply acquires or holds digital assets for its own account.
Typical Trigger
Usually not a DABA trigger by itself.
Category
Hybrid model
Core Feature
The same group issues a token, operates a platform, and holds client assets.
Typical Trigger
Often requires parallel DABA, DAIA, AML, corporate, tax, and privacy analysis.
Yes: Start with DAIA authorisation analysis and issuance document review.
No: Move to the next activity question.
Yes: Start with DABA licensing analysis.
No: Move to the next scope question.
Yes: Expect custody, disclosure, cyber, and prudential controls to become central.
No: You may still be in scope, but the prudential burden may differ.
Yes: The model may be outside DABA, subject to fact-specific review.
No: Assume a fuller Bermuda regulatory analysis is needed.
Regulatory delta
What changed between the older Bermuda narrative and the 2026 position
Bermuda did not move from no regulation to regulation overnight; it evolved from an early digital asset framework into a more granular supervisory model. The practical transition for 2026 readers is not a single grandfathering deadline but a shift from broad statutory permissioning to more detailed operational supervision around cyber, custody, stablecoins, and cross-border payment models.
2018
DABA establishes a dedicated digital asset business licensing regime.
Bermuda becomes one of the first jurisdictions with a bespoke crypto business statute.
2020
DAIA creates a dedicated regime for public digital asset issuances.
Issuance analysis becomes more distinct from operating a regulated digital asset business.
1 Jan 2024
Cyber Risk Rules 2023 take effect.
Applicants and licensees need to align cyber governance and reporting with the newer framework, not legacy 2018 references.
Nov 2024
BMA issues Single Currency Pegged Stablecoin Guidance.
Stablecoin structures face clearer reserve, attestation, redemption, and resilience expectations.
2025
Custody of Client Assets Rules 2025 and Bermuda corporate income tax regime for in-scope MNEs become part of the operating reality.
Custody models and group tax analysis require more front-loaded planning.
2025-2026
Payment services reform discussions continue, including the possibility of adjacent or dual regulation for some payment models.
Payment and wallet businesses should monitor whether a DABA-only analysis remains sufficient.
There is no simple ‘old regime to new regime’ shortcut for Bermuda in 2026. The real transition issue is whether your compliance materials still rely on outdated assumptions about cybersecurity, custody, stablecoins, or the tax position.
Application path
How the Bermuda licensing process works in practice
The licensing path starts with scope analysis, not form completion. A credible Bermuda filing usually begins by mapping the exact activity against DABA and DAIA, selecting the right licence class, and building a governance package that the BMA can test against prudential and conduct expectations. In practice, the BMA focuses less on marketing language and more on whether the applicant has a coherent operating model, fit and proper controllers, real risk ownership, workable AML controls, and a defensible custody and cyber architecture.
1
1-3 weeks
1. Map the regulated activity
Define whether the business is exchange, custody, payments, lending, derivatives, issuance, or a hybrid. This step determines whether the filing is DABA, DAIA, or both.
2
1-2 weeks
2. Choose the licence path
Assess whether the applicant should seek Class T, Class M, or Class F under DABA, or prior authorisation under DAIA for a public issuance.
3
1-4 weeks
3. Form the Bermuda structure
Incorporate the entity and align shareholding, governance, outsourcing, and local representation with the intended application model.
4
4-10 weeks
4. Build the application pack
Prepare the business plan, financial model, governance map, AML/CFT policies, sanctions controls, cyber framework, custody controls, client disclosures, and senior management information.
5
Variable; depends on complexity and application quality
5. Submit and engage with the BMA
File the application, pay the applicable fee, and respond to BMA questions on risk, controls, outsourcing, technology, and client protection.
6
Variable
6. Address conditions or restrictions
The BMA may impose restrictions, require remediation, or steer the applicant toward a modified or test licence before full authorisation.
7
Ongoing
7. Operationalise post-approval compliance
Approval is the start of supervision. The licensee must implement reporting, audit, cyber, custody, disclosure, and AML workflows immediately.
Application Pack
Core Documents and Evidence Trail
The file should read like one operating model, not like disconnected policy appendices.
| Document | Purpose | Owner |
|---|---|---|
| Detailed business plan | Explains the model, services, target markets, revenue logic, risk profile, and operational design. | Founders with legal and compliance input |
| Governance and management arrangements | Shows board oversight, senior management accountability, committees, and control ownership. | Board / company secretary / legal |
| AML/CFT and sanctions framework | Demonstrates CDD, EDD, transaction monitoring, SAR escalation, sanctions screening, and recordkeeping controls. | MLRO / compliance |
| Cyber risk framework | Sets out information security governance, incident response, testing, access control, resilience, and reporting. | CISO / technology risk lead |
| Custody and client asset controls | Explains wallet architecture, segregation, reconciliation, third-party controls, and asset movement approvals. | Operations / custody lead |
| Financial statements and projections | Supports prudential assessment and shows whether the applicant can operate sustainably. | Finance |
| Fit and proper information | Allows the BMA to assess controllers, officers, and key function holders. | Legal / HR / founders |
Document
Detailed business plan
Purpose
Explains the model, services, target markets, revenue logic, risk profile, and operational design.
Owner
Founders with legal and compliance input
Document
Governance and management arrangements
Purpose
Shows board oversight, senior management accountability, committees, and control ownership.
Owner
Board / company secretary / legal
Document
AML/CFT and sanctions framework
Purpose
Demonstrates CDD, EDD, transaction monitoring, SAR escalation, sanctions screening, and recordkeeping controls.
Owner
MLRO / compliance
Document
Cyber risk framework
Purpose
Sets out information security governance, incident response, testing, access control, resilience, and reporting.
Owner
CISO / technology risk lead
Document
Custody and client asset controls
Purpose
Explains wallet architecture, segregation, reconciliation, third-party controls, and asset movement approvals.
Owner
Operations / custody lead
Document
Financial statements and projections
Purpose
Supports prudential assessment and shows whether the applicant can operate sustainably.
Owner
Finance
Document
Fit and proper information
Purpose
Allows the BMA to assess controllers, officers, and key function holders.
Owner
Legal / HR / founders
Review Risk
Common Delays and Bottlenecks
- The business model is described at a high level but the actual client journey, asset flow, and control points are unclear.
- The applicant has AML policies but no credible transaction monitoring, sanctions, or Travel Rule operating design.
- Custody arrangements rely on third parties without proper diligence, contractual control, or incident allocation.
- The governance structure is nominal and does not show real accountability for compliance, cyber, and client asset protection.
- The group wants a Bermuda licence while key operations remain elsewhere and the head office logic is underdeveloped.
Ongoing burden
Ongoing compliance after licensing: the real Bermuda burden
The main cost in Bermuda is not only the filing fee; it is the ongoing compliance stack. A Bermuda digital asset licence creates continuing obligations around prudential reporting, audit, governance, cyber risk, client disclosures, custody controls, AML monitoring, sanctions, and regulatory engagement. That is why Bermuda tends to suit operators with institutional ambitions rather than lightly governed retail experiments.
| Cost Bucket | Low Estimate | High Estimate | What Drives Cost |
|---|---|---|---|
| Application and regulatory filing fees | Verify current BMA schedule | Verify current BMA schedule | Publicly cited comparative figures often mention BMD 1,000 for Class T and BMD 2,266 for Class M/F applications, and USD 2,266 for DAIA applications, but applicants should confirm the live BMA fee schedule before filing. |
| Legal structuring and regulatory analysis | Fact-specific | Fact-specific | Costs rise sharply for hybrid models involving issuance, custody, payments, or cross-border operations. |
| Compliance staffing and control functions | Moderate | High | MLRO, compliance, risk, internal control, and governance functions are recurring rather than one-off. |
| Cybersecurity and resilience | Moderate | High | The 2023 cyber risk regime makes testing, monitoring, incident response, and governance more substantive. |
| Custody and client asset protection | Moderate | High | Exchanges and custodians should budget for segregation, reconciliation, wallet controls, third-party oversight, and insurance or equivalent risk mitigation. |
| Audit, reporting, and annual returns | Moderate | High | Annual prudential returns, audited financials, and periodic supervisory requests create recurring reporting costs. |
Cost Bucket
Application and regulatory filing fees
Low Estimate
Verify current BMA schedule
High Estimate
Verify current BMA schedule
What Drives Cost
Publicly cited comparative figures often mention BMD 1,000 for Class T and BMD 2,266 for Class M/F applications, and USD 2,266 for DAIA applications, but applicants should confirm the live BMA fee schedule before filing.
Cost Bucket
Legal structuring and regulatory analysis
Low Estimate
Fact-specific
High Estimate
Fact-specific
What Drives Cost
Costs rise sharply for hybrid models involving issuance, custody, payments, or cross-border operations.
Cost Bucket
Compliance staffing and control functions
Low Estimate
Moderate
High Estimate
High
What Drives Cost
MLRO, compliance, risk, internal control, and governance functions are recurring rather than one-off.
Cost Bucket
Cybersecurity and resilience
Low Estimate
Moderate
High Estimate
High
What Drives Cost
The 2023 cyber risk regime makes testing, monitoring, incident response, and governance more substantive.
Cost Bucket
Custody and client asset protection
Low Estimate
Moderate
High Estimate
High
What Drives Cost
Exchanges and custodians should budget for segregation, reconciliation, wallet controls, third-party oversight, and insurance or equivalent risk mitigation.
Cost Bucket
Audit, reporting, and annual returns
Low Estimate
Moderate
High Estimate
High
What Drives Cost
Annual prudential returns, audited financials, and periodic supervisory requests create recurring reporting costs.
The common misconception is that Bermuda is expensive only at entry. In reality, the more important budget question is whether the business can sustain a regulated operating model after approval. That includes annual prudential returns, audited financial statements, future business planning, cyber reporting, client disclosure maintenance, and custody governance. A second misconception is that a Bermuda licence removes the need for foreign compliance analysis; in practice, cross-border marketing, sanctions, tax, and local law exposures remain live.
AML controls
AML, sanctions, and the Travel Rule in Bermuda
Bermuda treats AML/ATF as an operating system, not a box-ticking exercise. DABA licensees are expected to maintain customer due diligence, beneficial ownership checks, sanctions screening, transaction monitoring, suspicious activity reporting, recordkeeping, governance escalation, and risk-based enhanced due diligence. For digital asset transfers, Bermuda’s AML framework also incorporates transfer-information expectations aligned with the FATF Travel Rule logic. The commonly cited threshold is USD 1,000, but that threshold does not eliminate general AML duties below the line.
Control Stack
Risk-based customer due diligence and beneficial ownership verification before onboarding.
Sanctions and PEP screening at onboarding and on an ongoing basis.
Transaction monitoring calibrated to wallet behaviour, typologies, and blockchain analytics inputs.
Suspicious activity escalation and SAR filing procedures linked to the FIA.
Travel Rule data collection and transmission workflows for in-scope digital asset transfers.
Enhanced due diligence for high-risk jurisdictions, unusual patterns, non-face-to-face onboarding, or complex ownership structures.
Recordkeeping, governance oversight, and periodic AML control testing.
Operational Controls That Must Exist Before Launch
Workflow
Where AML and Travel Rule Controls Sit in the Operating Flow
| Workflow Step | Control | Owner |
|---|---|---|
| Onboarding | Collect identity, beneficial ownership, source-of-funds indicators, sanctions and PEP screening results. | Compliance / onboarding team |
| Transfer initiation | Determine whether the transfer is in scope for originator and beneficiary information requirements. | Operations / AML operations |
| Travel Rule handling | Capture and transmit required originator and beneficiary data where applicable; resolve missing or inconsistent data. | AML operations / payments operations |
| Ongoing monitoring | Review transaction patterns, blockchain exposure, sanctions proximity, and unusual activity. | Transaction monitoring team |
| Escalation | Investigate alerts, apply EDD where needed, and determine whether a suspicious activity report is required. | MLRO / compliance |
| Governance reporting | Report material AML issues, breaches, and trends to senior management and the board. | MLRO / board risk committee |
Workflow Step
Onboarding
Control
Collect identity, beneficial ownership, source-of-funds indicators, sanctions and PEP screening results.
Owner
Compliance / onboarding team
Workflow Step
Transfer initiation
Control
Determine whether the transfer is in scope for originator and beneficiary information requirements.
Owner
Operations / AML operations
Workflow Step
Travel Rule handling
Control
Capture and transmit required originator and beneficiary data where applicable; resolve missing or inconsistent data.
Owner
AML operations / payments operations
Workflow Step
Ongoing monitoring
Control
Review transaction patterns, blockchain exposure, sanctions proximity, and unusual activity.
Owner
Transaction monitoring team
Workflow Step
Escalation
Control
Investigate alerts, apply EDD where needed, and determine whether a suspicious activity report is required.
Owner
MLRO / compliance
Workflow Step
Governance reporting
Control
Report material AML issues, breaches, and trends to senior management and the board.
Owner
MLRO / board risk committee
Market access
Cross-border use of a Bermuda crypto licence
A Bermuda licence is not a global passport. It authorises activity within Bermuda’s legal framework, but it does not override foreign licensing, securities, payments, consumer protection, sanctions, tax, or marketing rules. The practical value of Bermuda is strongest where the business wants a credible home regulator and can ring-fence target markets appropriately. Cross-border analysis should therefore be done at both ends: Bermuda inbound and destination-country outbound.
Usually Allowed Scenarios
- Operating a Bermuda-licensed digital asset business from Bermuda with a clearly defined target market and a foreign law analysis for each jurisdiction served.
- Serving institutional or professional counterparties where foreign market-entry rules have been separately assessed.
- Using Bermuda as the prudential home for a business while restricting or excluding jurisdictions with incompatible local licensing rules.
- Structuring a Bermuda entity for issuance or custody while keeping marketing and customer acquisition subject to local law controls in each destination market.
Restricted or High-Risk Scenarios
- Assuming a Bermuda licence alone permits retail solicitation into the EU, UK, US, UAE, or other regulated markets.
- Onboarding clients from sanctioned or high-risk jurisdictions without enhanced controls and legal clearance.
- Using Bermuda incorporation as a substitute for local payments, securities, or money transmission analysis abroad.
- Treating non-custodial branding as enough to avoid foreign regulation where the platform still intermediates or controls transactions in substance.
Reverse solicitation should not be treated as a default cross-border strategy. In practice, regulators often test the surrounding facts, including website targeting, language, onboarding flows, referral activity, and ongoing servicing. Bermuda firms should document market-entry logic rather than rely on labels.
Penalty map
Enforcement, penalties, and what happens if you get it wrong
Bermuda has a real enforcement framework. Carrying on digital asset business without the required licence can expose a person to criminal penalties of up to US$250,000 and/or 5 years’ imprisonment under DABA. Conducting a digital asset issuance without required authorisation under DAIA can expose a person to penalties of up to US$100,000 and/or 5 years’ imprisonment. In addition, the BMA has supervisory and enforcement powers that can include restrictions, directions, public censure, revocation, injunction-related action, and significant civil penalties in certain cases, with some DABA-related fines reaching up to US$10,000,000.
Launching exchange or custody operations before licence approval
High riskLegal risk: Potential unlicensed DABA activity, criminal exposure, and immediate supervisory intervention.
Mitigation: Complete scope analysis early and avoid live client activity before authorisation.
Running a token sale as if DAIA does not apply
High riskLegal risk: Unauthorised public digital asset issuance and defective disclosure risk.
Mitigation: Perform a DAIA public/non-public analysis before marketing or accepting funds.
Holding client assets without segregation, reconciliation, or third-party oversight
High riskLegal risk: Custody rule breaches, client harm, supervisory action, and potential insolvency disputes.
Mitigation: Implement 2025 custody controls, wallet governance, and daily or periodic reconciliation processes appropriate to the model.
Weak AML monitoring or sanctions controls
High riskLegal risk: AML breaches, SAR failures, sanctions exposure, and reputational damage with the BMA.
Mitigation: Use risk-based onboarding, blockchain analytics, escalation protocols, and board-level AML oversight.
Treating Class T or Class M as a light-touch commercial licence
Medium riskLegal risk: Breach of licence conditions, supervisory dissatisfaction, and delayed progression to full status.
Mitigation: Treat restricted licences as controlled testing environments with clear milestones and disclosures.
Assuming Bermuda tax neutrality removes all tax reporting obligations
Medium riskLegal risk: Group tax misstatements, home-jurisdiction exposure, and corporate income tax misanalysis for in-scope MNEs.
Mitigation: Run Bermuda and cross-border tax analysis together.
Tax reality
Taxation of crypto businesses in Bermuda: what is true in 2026
The accurate 2026 answer is that Bermuda remains generally tax-efficient for many crypto structures, but the old one-line message ‘there is no tax’ is incomplete. Bermuda is still known for the absence of general capital gains tax and certain other taxes commonly seen elsewhere, yet from 1 January 2025 a 15% corporate income tax regime applies to in-scope multinational enterprise groups above €750,000,000 revenue. That means crypto groups need to separate Bermuda’s traditional tax position from the newer corporate income tax rules and from any home-jurisdiction tax exposure.
| Topic | Why It Matters | Responsible Team |
|---|---|---|
| Corporate income tax scope | Groups above the €750,000,000 threshold may fall into Bermuda’s 15% corporate income tax regime from 1 January 2025. | Tax / CFO / external tax counsel |
| Capital gains and trading gains characterisation | Bermuda’s domestic tax profile may be favourable, but accounting treatment and foreign tax consequences still matter. | Tax / finance |
| Cross-border tax nexus | A Bermuda entity can still create reporting or tax exposure in customer, management, or operating jurisdictions. | Tax / legal / group structuring |
| Transfer pricing and group arrangements | Intercompany IP, treasury, technology, and service arrangements can affect the global tax position even if Bermuda is the home jurisdiction. | Tax / finance / legal |
| Accounting and audit treatment of digital assets | Tax analysis depends on reliable classification, valuation, impairment, and revenue recognition data. | Finance / audit |
| Operational taxes and transaction costs | Even where direct crypto gains are not taxed domestically in the traditional sense, other taxes, duties, or indirect costs may still matter in the wider group. | Finance / tax |
Topic
Corporate income tax scope
Why It Matters
Groups above the €750,000,000 threshold may fall into Bermuda’s 15% corporate income tax regime from 1 January 2025.
Responsible Team
Tax / CFO / external tax counsel
Topic
Capital gains and trading gains characterisation
Why It Matters
Bermuda’s domestic tax profile may be favourable, but accounting treatment and foreign tax consequences still matter.
Responsible Team
Tax / finance
Topic
Cross-border tax nexus
Why It Matters
A Bermuda entity can still create reporting or tax exposure in customer, management, or operating jurisdictions.
Responsible Team
Tax / legal / group structuring
Topic
Transfer pricing and group arrangements
Why It Matters
Intercompany IP, treasury, technology, and service arrangements can affect the global tax position even if Bermuda is the home jurisdiction.
Responsible Team
Tax / finance / legal
Topic
Accounting and audit treatment of digital assets
Why It Matters
Tax analysis depends on reliable classification, valuation, impairment, and revenue recognition data.
Responsible Team
Finance / audit
Topic
Operational taxes and transaction costs
Why It Matters
Even where direct crypto gains are not taxed domestically in the traditional sense, other taxes, duties, or indirect costs may still matter in the wider group.
Responsible Team
Finance / tax
2026 launch plan
Step-by-step compliance roadmap for 2026 applicants
Pre-launch to first supervisory cycle
Medium-Priority Workstream
Medium-Priority Workstream
Sequence these after the core perimeter, governance, and launch-control decisions are stable.
Map every planned service against DABA categories and confirm whether any public issuance triggers DAIA.
Decide whether the business should pursue Class T, Class M, or Class F based on maturity, restrictions, and testing scope.
Choose the Bermuda entity structure and align controllers, board composition, and governance responsibilities.
Prepare a business plan that shows client journey, asset flow, revenue model, outsourcing, and target markets.
Build AML/CFT, sanctions, onboarding, monitoring, SAR, and Travel Rule procedures before filing.
Document wallet architecture, key management, segregation, reconciliation, and third-party custody controls.
Align cyber governance with the Cyber Risk Rules 2023 and incident reporting expectations.
If the model involves stablecoins, prepare reserve, attestation, redemption, and resilience documentation consistent with the SCPS Guidance.
Prepare for annual prudential returns, audited financial statements, future business plan submissions, and supervisory engagement after approval.
Run Bermuda tax analysis together with home-jurisdiction and customer-jurisdiction tax analysis.
Answers
Frequently Asked Questions
Open the key issues founders, compliance teams and legal leads usually need to confirm before launch.
Do you need a licence just to hold crypto in Bermuda? +
No. Mere passive holding of crypto for your own account is not usually the same as carrying on regulated digital asset business. The licensing question normally turns on whether you are operating a business such as exchange, custody, payments, lending, derivatives, or another in-scope service for others or for the public.
What is the difference between DABA and DAIA? +
DABA 2018 regulates carrying on digital asset business. DAIA 2020 regulates public digital asset issuances and requires prior BMA authorisation for in-scope public offers. A token project can trigger DAIA, DABA, both, or neither depending on the structure.
What licence classes exist in Bermuda? +
Bermuda’s DABA framework includes Class F, Class M, and Class T licences. Class F is the full licence. Class M is a modified licence, typically used where restrictions or a staged approach are appropriate. Class T is a test licence for pilot or beta-stage activity.
Does Bermuda regulate stablecoins? +
Yes. Stablecoins are addressed through Bermuda’s digital asset framework and, for single-currency pegged stablecoin models, through the BMA Single Currency Pegged Stablecoin Guidance issued in November 2024. That guidance focuses on reserve backing, attestations, redemption, governance, and operational resilience.
Is there a Bermuda Travel Rule threshold? +
Yes. The commonly cited threshold is USD 1,000 for certain transfer-information requirements. But firms should not read that as a general AML exemption below the threshold. Customer due diligence, sanctions screening, monitoring, and suspicious activity reporting obligations still remain relevant.
What are the penalties for unlicensed crypto activity in Bermuda? +
Carrying on digital asset business without the required DABA licence can lead to penalties of up to US$250,000 and/or 5 years’ imprisonment. Conducting a digital asset issuance without required DAIA authorisation can lead to penalties of up to US$100,000 and/or 5 years’ imprisonment. The BMA also has broader supervisory and enforcement powers.
Are there taxes on crypto gains in Bermuda? +
Bermuda is still generally known for not imposing a general capital gains tax in the way many other jurisdictions do, but the tax answer in 2026 is not simply ‘no tax’. A 15% corporate income tax regime applies from 1 January 2025 to certain multinational enterprise groups above €750,000,000 revenue, and foreign tax exposure can still arise.
Is Bermuda a good jurisdiction for a crypto business? +
Yes, for the right profile. Bermuda is a strong fit for serious operators that want a recognised legal framework, regulator engagement, and a credible home for exchange, custody, payments, or stablecoin activity. It is a weaker fit for founders looking for minimal compliance, no substance, or unrestricted global retail access.
Need a Practical Readout?
Need a Bermuda crypto regulatory assessment?
If your model touches exchange, custody, payments, lending, token issuance, or stablecoins, the first question is not speed but scope. We can help map whether your project fits DABA, DAIA, or a hybrid path, and identify the governance, AML, cyber, custody, and tax workstreams needed before filing.
Confidential - No obligation - Response within 24 hours
Main Services
Terms of Cooperation
Regulated United Europe
