Satisfying the BMA’s regulatory requirements

Published: 13 Apr 2017
Type: Insight

In a recent article, we discussed the importance of licensed entities having a plan to ensure regulatory compliance rather than risking penalties being imposed because of deficiencies uncovered following a visit from the Bermuda Monetary Authority (BMA).

Here, we will discuss the means employed by the BMA to ensure that licensed entities have their house in order, including prudential meetings and on-site visits.

To recap, regulated entities (including those licensed under the Investment Business Act 2003, the Investment Funds Act 2006 and the Insurance Act 1978) must meet certain minimum criteria. Such entities must make an annual filing with the BMA, certifying that the entity has met these minimum criteria. Consequently, entities should evaluate the minimum criteria regularly (at least annually) and create a plan and timeline for any deficiencies found by their internal review or audit.

The minimum criteria include (but are not limited to):

  • Fit and proper person test.
  • Corporate governance.
  • Whether business is conducted in a prudent manner.

In addition, certain regulated entities may be required to:

  • Have a policy of insurance to cover risks inherent in the operation of its business of an amount that is commensurate with the nature and scale of operations.
  • Maintain adequate accounting and other records of its business and systems of control of its business and records.
  • Maintain minimum net asset, capital and liquidity requirements.

To ensure that regulatory requirements are being satisfied, senior management should audit and periodically test the entity’s policies, procedures and controls for effectiveness and must be made aware of the potential personal liability if legal obligations are not being met. Senior management must address in a timely manner any shortcomings revealed by the independent internal audit.

An independent audit function should include:

  • An evaluation of the Anti-Money Laundering / Anti-Terrorist Financing (AML/ATF) risk rating the entity assigns with respect to its size, customers, products, services, transactions, delivery channels, outsourcing arrangements and geographical connections.
  • An assessment of the adequacy of its policies, procedures and controls.
  • A testing of compliance with relevant laws and regulations.
  • A review of any outsourced activities.
  • An assessment of the adequacy of employee training and awareness.
  • Sample testing.

The audit should be documented and retained, and the results should be reported to senior management and the board. The results of each audit should be used to guide any improvements that the policies, procedures and controls require.

The BMA supervises licensed entities on an ongoing basis to evaluate whether they satisfy the minimum criteria for licensing — and reviews the nature of the provider’s business, the quality of management, the effectiveness of its controls and compliance, the fairness of its treatment of customers and its financial viability. This is designed to ensure that minimum standards are being maintained.

To evaluate a licensed entity, the BMA holds regular prudential meetings with senior management of the entity, scrutinises financial information and performs regular on-site compliance visits of the entity’s premises.

Prudential meetings are generally scheduled annually and provide an opportunity for the BMA to discuss with senior management the development of the licensed entity’s business including past performance and future direction for the business. Topics that are likely to be discussed include internal control issues, adequacy of procedure manuals, planned changes to the business strategy and operational changes.

On-site supervision enables the BMA to review compliance with policies and procedures as well as the processes that management has put in place to monitor and control key risks in the business. This will involve interviews with management and staff, reviews of a selection of documentation of files and a review of customer due diligence and record-keeping measures.

On-site visits are normally scheduled on a three-year rolling basis but may be more frequent depending on the BMA’s assessment of the degree of risk in the business and the effectiveness of the investment provider’s personnel, systems and controls for monitoring risk.

The BMA will generally request information prior to the on-site visit including a staff chart, job descriptions for key personnel, the entity’s questionnaire regarding AML/ATF compliance and copies of policies, procedures, as well as the staff training plan and disaster recovery plan.

Breaches uncovered by the BMA’s prudential meetings and on-site visits may result in a request to remediate or, if a breach is more serious, could result in severe fines, restrictions placed on the licence or even revocation of licence. The BMA may also publish details of any serious breaches and fines levied.

All regulated entities should take a pro-active approach, ensuring that they create a clear and consistent plan of action to evaluate their ability to meet the minimum criteria of licensing under the relevant legislation. It is better to plan than to wait for prudential meetings and/or on-site visits to reveal deficiencies

Share
More publications
Appleby-Website-Privacy-and-Data-Protection
8 Jul 2026

Bermuda Privacy Commissioner Signals Shift to Stronger PIPA Enforcement

The Office of the Privacy Commissioner (PrivCom) has issued its first annual report since Bermuda's Personal Information Protection Act 2016 (PIPA) came fully into force, with the reports content signaling a transition from education and implementation to a stronger focus on enforcement.

Bermuda-1024x576-1
1 Jul 2026

A Forest for the Future

A first since the blight, the airport cedar forest is growing tall and standing strong.

Appleby-Website-Regulatory-Practice
1 Jul 2026

Complied out of business

Firms are complying themselves out of business because compliance no longer matches the evolving sophistication of the Bermuda Monetary Authority (BMA).

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

The long game: how Bermuda became the world’s life reinsurance capital

Ask a life insurer in New York, London or Tokyo where the liabilities behind their book ultimately sit and there is an increasingly good chance the answer is a 21-square-mile island in the North Atlantic.

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

Record H1’26 Cat Bond Issuance Driven by Rising Sponsor Comfort and Diversified Risk

With H1 2026 officially breaking the record for the most catastrophe bond deals to come to market and settle in the first six months of the year, a key trend driving this momentum is how comfortable sponsors have become with the mechanics of the overall cat bond space. This familiarity has ultimately encouraged a wave of new sponsors to enter the market, according to Brad Adderley, Managing Partner at law firm Appleby.

Appleby-Website-Employment-and-Immigration
12 Jun 2026

The Cost of Getting Employee Departures Wrong: Five Common Pitfalls for Bermuda Employers

Employee departures are an inevitable part of running a business, but the way they are managed can have significant legal, financial and operational consequences. In Bermuda, employers who approach terminations without adequate preparation may expose themselves to unnecessary disputes, regulatory issues, and reputational harm. Whether an employee is being dismissed for performance reasons, made redundant or departing as part of a negotiated exit, by recognizing the following common mistakes and taking a proactive approach, organizations can manage departures more effectively and reduce risk.

Appleby-Website-Privacy-and-Data-Protection
8 Jun 2026

It’s time to bridge Pipa compliance gap

A review of 200 publicly available privacy notices of companies in Bermuda has revealed that just one in nine are fully compliant with the Personal Information Protection Act 2016.

Appleby-Website-Privacy-and-Data-Protection
26 May 2026

Transparency is a legal requirement under Pipa

Major companies across the European Union have faced substantial fines between 2019 and 2024, estimated at a total of €930 million (about $1.08 billion), not only for cyberattacks or data breaches, but also for issues such as noncompliant privacy notices. A common theme in many cases has been a lack of transparency.

Appleby-Website-Insurance-and-Reinsurance
8 May 2026

Outsourcing considerations for Bermuda insurers

As Bermuda insurers engage with third-party service providers to support their business functions, the Bermuda Monetary Authority has clarified its regulatory expectations surrounding outsourcing arrangements and operational resilience.

Economic Substance
27 Apr 2026

Economic substance regime now falls under Cita

Recent amendments to Bermuda’s economic substance regime have transferred regulatory responsibility from the Registrar of Companies to the Corporate Income Tax Agency.