Complied out of business

Published: 1 Jul 2026
Type: Insight

Firms are complying themselves out of business because compliance no longer matches the evolving sophistication of the Bermuda Monetary Authority (BMA).

Primary Contact

Jarion Richardson

Regulatory, Governance & Compliance Advisory Lead
Bermuda

T +1 441 298 3267

John Wasty

Partner & Head of Dispute Resolution
Bermuda

T +1 441 298 3232


Faced with increasing regulatory expectations, the instinct has been to add more controls, more checks and more process. In doing so, many firms have created frameworks that are heavier, slower and less effective. Those controls were once suitable. Yet the supervisory environment has changed.

The BMA is becoming increasingly data-driven, technology enabled and continuously engaged. Supervision can no longer be assumed to be periodic, document based and retrospective. It is now faster, more granular and more comparative across firms. The BMA is building the capability to collect, aggregate and interrogate information across time and market actors.

At the same time, the demands on compliance functions are expanding in both scope and intensity. Sanctions updates are more frequent and more complex, often driven by daily geopolitical developments that require immediate interpretation and implementation. Data requests are broader, more detailed and increasingly extend beyond traditional AML metrics into beneficial ownership, governance structures and operational characteristics. Thematic reviews require firms to explain how risk is identified, assessed and managed across the business. Supervisory engagement is more persistent and focused, with increasing emphasis on how decisions are made in practice.

The cumulative effect is clear. There is more to do and it must be done more quickly.

Compliance programmes built on the earlier model struggle to adapt. Accumulated controls and complex but unclear systems slow processing and reduce responsiveness to clients and to the regulator.

Resources are absorbed responding to activity rather than determining which activity to undertake. What begins as a support function gradually becomes the defining operation of the business.

At that point, compliance is no longer managing risk. It is creating it.

Although the language and intention of risk-based AML and sanctions compliance are widely adopted, in practice many compliance programmes do not reduce workload by specifically addressing their own risks.

The AML-sanctions framework requires more than reacting to any given risk indicator. It requires determining what that indicator means in context and calibrating the response accordingly. The distinction is reflected directly in the legislation. Firms are required to determine the extent of customer due diligence measures on a risk-sensitive basis, taking into account the customer, the transaction, the product and the geographic exposure.

This becomes clearer when considering how higher-risk jurisdictions are treated in practice. The AML-ATF Ministerial Advisory 1/2026 draws a deliberate line.

In a limited number of cases, such as DPRK and Iran, firms are directed to treat the risk as high and apply countermeasures and enhanced due diligence measures. The response is effectively predetermined.

For all other higher-risk jurisdictions, the instruction is different. Firms are required to ‘take appropriate action to minimise the associated risks, which may include enhanced due diligence’. This is supported by Regulation 11 of the Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist Financing) Regulations, which requires a deliberate assessment of risk (or relevance) before enhanced due diligence is applied. In other words, the outcome is not prescribed – it is determined. That difference is critical.

It confirms that a risk signal, even one labelled ‘high-risk’, is not in itself a conclusion. It is an input into a broader assessment. The nature of the activity, the purpose of the transaction, the structure through which it is conducted and its consistency with the customer’s profile must all be considered before determining the appropriate response.

In practice, however, this step is often compressed. A high-risk jurisdiction becomes enhanced due diligence. A politically exposed person becomes a risk committee meeting. A monitoring alert becomes a painstaking workflow. The potential for risk is treated as if the risk had materialised.

The result is a framework that is reactive but imprecise, often creating more work without reducing risk.

A true risk-based approach requires differentiation. Risk indicators vary in relevance, severity and extent. A connection to a higher-risk jurisdiction may reflect meaningful exposure in one case and limited or incidental exposure in another. A politically exposed person may present material risk in one context and minimal risk in another.

The consequences are cumulative. As signals increase, controls increase. As controls increase, systems become more complex. Complexity reduces clarity, and resources are directed toward managing ever-expanding processes.

The commercial impact follows. Onboarding slows. Transactions are delayed. Costs rise. Teams focus on completing steps rather than making decisions. What begins as an effort to strengthen compliance gradually constrains the ability of the business to operate.

Businesses are, quite simply, complying themselves out of business.

To operate effectively in the modern regulatory environment, businesses must confront the instinct that has driven most compliance programmes to date: when in doubt, add a control. That instinct is understandable. It feels safe, prudent and defensible. In the current environment, however, it is no longer effective.

The issue is not that firms have too few controls. It is that they have too many broad, untargeted controls: controls which are imprecise and unsupported by clear reasoning. This raises an important question: what does a risk-based approach actually require in practice?

Take higher-risk jurisdictions, as examined earlier. In many cases, these are treated as automatic triggers for enhanced due diligence. Yet the regulatory framework requires firms to ‘apply on a risk-sensitive basis enhanced due diligence’ where ‘higher risk’ is present. So it is not ‘higher risk equals enhanced due diligence’ but ‘higher risk equals assessment’, which may lead to enhanced due diligence. Even then, the enhanced due diligence must be ‘specific and adequate’, which provides flexibility to suit the specific circumstances.

The same applies to politically exposed persons. Where PEP status is an automatic escalation, it removes the nuance which the ‘risk-sensitive’ permissions are designed to accommodate. Some apply the maxim ‘a PEP is a PEP is a PEP’, meaning that the condition is absolute and perpetual. That quickly runs into practical realities, such as PEPs with very limited authority or ability. Does the individual have influence over state or international resources? Are they connected to the transaction, or are they ancillary? Are they even aware the transaction is taking place? The answers to those questions determine the control response – not merely the fact that they are a PEP.

The distinction is subtle but important. The framework requires assessment, not absolutism.

Trigger-based controls are understandable. Supervisory engagement often focuses on whether enhanced measures have been applied in higher-risk situations, and on-site findings frequently highlight gaps where such measures were not evidenced or consistently applied. Over time, this creates an operational bias toward applying controls defensively rather than proportionately.

The result is a framework that is consistent but not precise. Ironically, the absence of precision creates additional compliance obligations and regulatory risks. In other words, a local police inspector gets treated the same as a foreign Cabinet Minister before the courts.

In a data-driven, analytical and nearly real-time supervisory environment, a lack of precision means a compliance programme will not be able to withstand its own weight. What begins as a conservative approach ultimately handcuffs the business to wildly inappropriate actions.

An AML and sanctions programme built on precision will apply customer due diligence, ongoing monitoring, suspicious activity reporting and related obligations in a way that is necessary, proportionate and clearly linked to defined risks.

Businesses that introduce precision into their AML-sanctions compliance will thrive as the Authority becomes more exacting, data-driven and persistent. A distinct competitive advantage.

First published in the Bermuda Business Review 2026-2027 – June 2026
