Sep 2024
Continued compliance with Bermuda’s anti-money laundering (AML) and anti-terrorist financing (ATF) legislation, including regulations, policies and guidance notes issued by the Bermuda Monetary Authority (the BMA or the Authority) (collectively, Bermuda’s AML/ATF Regime) remains a hot topic for Bermuda regulated entities, especially those recently registered by the BMA under the newly amended Investment Business Act 2003 (the “IBA”).
In April 2022 Bermuda passed the Investment Business Amendment Act 2022, which brought about fundamental changes to the IBA and resulted in a number of entities who were previously out of scope or subject to minimal exemption requirements under the Act finding themselves needing to submit an application to the Authority by 26 July 2023 in order to be formally registered or licensed under the IBA.
As part of these license applications, registrants were required to evidence their compliance with inter alia Bermuda’s AML/ATF Regime, including their compliance with the Proceeds of Crime Act 1997, as amended, (the “POCA”), the Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist Financing) Regulations 2008, as amended, (the “POCA Regulations”) and the sector specific guidance notes issued by the Authority.
Evidencing compliance with Bermuda’s AML/ATF Regime is required for entities registering under the IBA because, under POCA, a person (including a legal person) who carries on investment business within the meaning of section 3 of the IBA is designated as an AML/ATF regulated financial institution (RFI).
Compliance with Bermuda’s AML/ATF legal and regulatory framework necessitates the adoption of AML/ATF policies and procedures (inclusive of suspicious activity reporting and sanctions). The adoption of such policies and procedures is designed to promote and enhance the efficiency and effectiveness of an RFI’s monitoring, risk management and internal control systems in order to prevent and detect money laundering and financing of terrorism and, where applicable, report any dealings with sanctioned persons.
To ensure compliance with the standards imposed by the regulator in connection with the Bermuda AML/ATF Regime, these new registrants must evidence compliance with the processes, functions and controls set out in the POCA Regulations by way of the adoption of AML/ATF Policies and Procedures which adequately address matters related to customer due diligence and client verification processes, on-going monitoring procedures, risk assessment methodology, screening processes, appropriate AML/ATF and sanctions training methods and record keeping.
In addition to the adoption of adequate policies and procedures, entities also need to consider other steps to ensure they are seen by the regulator as properly implementing such policies and procedures in line with the requirements of the POCA Regulations, such as:
- completion of AML/ATF and sanctions training by all employees and personnel of the RFI;
- an annual independent audit undertaken by a qualified independent third party; and
- review of its AML/ATF Policies and Procedures on a regular basis and certainly whenever there are legislative changes or the results of national AML assessments are issued.
Records of completion of AML/ATF and sanctions training by all employees and personnel should be maintained with the books and records of the entity and available for review at the request of the regulator.
The independent audit must provide and document an independent and objective evaluation of the AML/ATF framework adopted by the RFI and the reliability, integrity and completeness of the design and effectiveness of the AML/ATF risk management function, internal controls and compliance of the RFI with the Bermuda AML/ATF Regime, as well as a review of the entity’s sanctions compliance policies, procedures and controls. The audit results should then guide the review of the AML/ATF Policies and Procedures. Any gaps that have been identified by the audit must be addressed by the board of directors and the policy updated accordingly. The RFI is obliged to maintain evidence of compliance with the requirement for an annual audit.
As we are now in the second year of registration for entities who made application to the Authority in July 2023 to be formally registered or licensed under the IBA, we recommend that clients consider reviewing and assessing their AML/ATF Policies and Procedures and annual compliance obligations to ensure they are still appropriate and compliant. Whilst there have been no material changes to the aforementioned AML/ATF legislation, we have seen significant growth in the team charged with regulatory oversight of the Bermuda AML/ATF Regime at the BMA, resulting in more onsite reviews and requests for information relating to the application of policies and procedures adopted by RFIs on a day-to-day basis, as well as details regarding their independent audit function and annual policy review process.
As such, we encourage our clients to consider, as a matter of priority, commencing the process of engaging an appropriately qualified but independent individual within their group (such as an internal auditor) or a qualified independent third party (such as Conyers) to undertake their annual audit and ensure any gaps in their policy or procedures are addressed. To the extent that an entity designated as an RFI has not yet fully adopted or implemented AML/ATF Policies and Procedures, this should be addressed on an expedited basis to avoid the BMA restricting such entity from engaging in any further business until such time as these processes and procedures have been put in place and/or levying financial penalties.
The expectation of the Authority has been and continues to be that all current and newly licensed entities under the IBA will be fully compliant with the Bermuda AML/ATF Regime at all times.