Insights from the BMA’s Second Consultation Paper on Digital Identity Service Providers

The BMA has released part II of its consultation paper on the regulatory framework for licensing digital identity service providers (DISP). Part II of the consultation paper emphasizes that the proposed licensing regime is designed to encourage confidence in the sector.

The BMA’s move towards the regulation of DISPs is a logical development in Bermuda’s digital regulatory evolution and will help maintain Bermuda’s position as a trusted market leading digital hub.

Under the proposed regime companies that provide digital identity services will be regulated under a new Digital Identity Service Provider Business Act (Act) and will be required to be licensed and supervised by the BMA.

Scope of Licensing

Under the Act, the provision of both of the following digital identity service activities in or from Bermuda would be considered in scope and require a license from the BMA.

1. identity proofing and enrolment with initial binding and credentialing; and
2. authentication and life-cycle management of those digital identities once they are issued.

Similar to the supervisory regime for digital asset businesses, the BMA is proposing a three-tiered licensing regime. This is designed to encourage innovation in the industry whilst protecting consumers through customized supervision. The proposed licensing classifications are as follows:

• Class T – a defined period license granted for beta testing and piloting;
• Class M – a modified license granted to entities which have moved past testing and are transitioning to a full license allowing the licensee to conduct all DISP activities for a defined period; and
• Class F – full license allowing the licensee to conduct all DISP activities.

Key Regulatory Features

The proposed regulatory framework is expected to align with other regulated sectors in Bermuda which (amongst other requirements) will see DISPs required to:

• maintain a principal place of business in Bermuda and appoint a Bermuda based senior representative;
• maintain a minimum level of net assets which is expected to range from $10,000 (Class T) to $100,000 (Class M and Class F);
• notify the BMA of (i) changes in directors and officers, (ii) changes in shareholder controller ownership, (iii) the removal of controllers and officers, and (iv) material changes to the business activities; and
• implement and maintain robust systems and cyber security policies to protect client information from data breaches and unauthorized access.

Enforcement

In addition to the powers granted to the BMA to restrict, suspend and revoke a license of a DISP for failure to comply with the provisions of the Act, it is proposed that the BMA will also have the power to impose civil penalties of up to $10,000,000. The proposed powers emphasize that accountability is considered a key factor in maintaining security, integrity and trust in the industry.

Next Steps

Part II of the consultation paper seeks to gather further feedback from key stakeholders including in respect of potential uses for digital identity services and any perceived shortcomings. The BMA continues to demonstrate its commitment to developing a framework which is technically sound and practically viable and the more feedback it receives from the industry the sooner this will be can be achieved. The deadline for stakeholder submissions is 2 September 2025.