Whilst the pandemic has continued to present major challenges for the business world, Fintech has gained tremendous momentum and indeed become essential for many financial institutions and companies in this new era. The Hong Kong Fintech Week 2020 was held as a fully virtual event during 2-6 November 2020 and saw a range of topics being explored, including development of central bank digital currencies, virtual asset regulations, virtual banking and related Fintech applications. Most offshore jurisdictions have already seen significant developments in the laws and regulations in these areas, particularly as the pace of technological change accelerates.
Appleby’s 2021 Offshore Technology and Innovation Guide provides a detailed overview of the current legal and regulatory position across a number of different technology sectors in eight of the world’s largest offshore jurisdictions. With quick-linked answers to some of the most business critical issues, the guide also has an “At a Glance” matrix to help with identifying the most suitable offshore jurisdiction for specific technological projects. A copy is available here.
Digital Asset Business Act
The Digital Asset Business Amendment Act 2020 (Bill) was tabled on 6 November 2020 following a period of consultation which ended in September 2020. This seeks to amend the Digital Asset Business Act 2018 to introduce a new class of licence, to refine the definition of digital asset exchange, digital asset derivative exchange and digital asset services vendor and to revise the power of the Bermuda Monetary Authority (BMA) to exempt any undertaking from the payment of any fee imposed under the Bermuda Monetary Authority Act 1969 in relation to digital asset businesses, or to reduce such fees. In particular, after its first complete year of fintech operation, the BMA undertook a review of its licensing procedure and came to the view that whilst the current availability of classes M and F licences may seem appropriate, the BMA considers the addition of a new class T (“test”) licence to be useful in certain cases for testing of a minimum viable product/service via beta testing or piloting. Further updates will be provided when the amendments come into force in due course.
The BMA has announced on 29 October 2020 that, as part of its ongoing work with the Global Financial Innovation Network (GFIN), it will be taking part in GFIN’s invitation to participate in cross-border testing. GFIN is comprised of more than 60 international organisations with a mission to support financial innovation in the interest of consumers. It aims to create a new framework for co-operation between financial services regulators on innovation related topics, sharing different experiences and approaches. It also includes a pilot for firms wishing to test innovative products, services or business models across more than one jurisdiction. Firms interested in applying to participate in the cross-border testing should, first, review the list of participating regulators and their respective Regulatory Compendiums, and then submit an application on the GFIN website no more than the end of 2020. More details can be found here.
Personal Information Protection Act
We have previously reported the appointment of Mr. Alexander McD White as Bermuda’s first Privacy Commissioner, who took office on 20 January 2020. The role of his office is to (among others) regulate the use of personal information by organisations in a manner which recognizes both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes. As part of his duty to oversee the implementation and roll-out of the Personal Information Protection Act 2016 (PIPA), the Privacy Commission introduced a new data protection “sandbox” to reflect new and innovative technologies in responsible structures in data protection. The Privacy innovation and Knowledge-sharing (“Pink”) Sandbox will serve as a formal mechanism to allow the Privacy Commission to engage with organisations early, so that issues and risks may be identified to avoid missteps and build privacy into their products or services as a default setting. The benefit to participants is that they will have access to the guidance and expertise of the Privacy Commissioner to enable them to devise their product or service and their organizational approach to privacy issues, and generally to get themselves ready for PIPA (expected to become fully effective in 2021).
British Virgin Islands
The new fintech sandbox introduced in the British Virgin Islands (BVI) was opened for application on 31 August 2020. The sandbox encourages technological innovation in financial services under a lighter touch regulatory regime, allowing specific provisions of the regulatory legislation and regulatory code to be “disapplied” to participants in the sandbox. It looks to reduce the regulatory burden on start-ups so they can focus on customer experience, whilst maintaining regulatory oversight. Participants will work with the BVI regulatory, the Financial Services Commission (FSC), to agree any deviation from regulatory requirements on a bespoke basis. The sandbox is open to any BVI incorporated companies and limited partnerships, as well as non-BVI companies who wish to conduct business in the BVI, whose proposed business model involves innovative Fintech. There is no requirement to establish a physical presence in the BVI by virtue of being a participant in the sandbox.
Data Protection Law
On 7 August 2020, the Office of the Ombudsman of the Cayman Islands (Ombudsman) issued what is believed to be the first enforcement order (Order) issued by the Ombudsman under the Data Protection Law, 2017 (DPL) against the Registrar of Companies (Registrar). The Order followed an investigation into a complaint asserting that the Registrar requested personal information requested via the Registrar’s online payment platform about individuals who were 1% shareholders in a company when it did not have a legal basis to do so, as these individuals would not have constituted registrable persons with respect to beneficial ownership register in accordance with the Companies Law (2020 Revision). The Order noted that the complaint’s argument that, under the DPL, personal data must only be obtained for one or more specified lawful purposes and must not be further processed in any incompatible manner. The Order concluded that the Registrar did not have a legal basis for processing personal data of non-registrable individuals in a blanket fashion and must cease gathering and further processing such data. The Order also requires that the Registrar (i) make available a privacy notice to inform individuals who submit personal data using its online platform of the purpose for which this information will be processed and (ii) develop policies and procedures for requesting information and make them available to the public.
On 28 October 2020, the Cayman Government announced that the Virtual Asset (Service Providers) Law, 2020 (VASP Law) will come into force in two phases, with phase one commencing on 31 October 2020 and phase two expected to commence in June 2021. The VASP Law aims to promote the use of new technology and innovative enterprise in Cayman whilst complying with newly adopted international standards set by the Financial Action Task Force. An overview of the VASP Law was included in our previous update which can be accessed here.
Phase one focuses on anti-money laundering and countering the financing of terrorism compliance, supervision and enforcement. Entities engaged in or wishing to engage in virtual asset services must now be registered with the Cayman Islands Monetary Authority (CIMA) under the VASP Law by 31 January 2021, after which provisions of the VASP Law relating to enforcement, penalties or offences will apply. Applications for registration or notification will need to be submitted via CIMA’s Regulatory Enhanced Electronic Forms Submission online platform. CIMA have advised that for registrations to be completed in time, applicants are encouraged to apply before 12 December 2020.
Phase two will bring into force the licencing requirements relating to virtual asset custodians and trading platform operators, as well as the sandbox licensing regime. Certain sections of the Monetary Authority (Amendment) (No.2) Law, 2020 and the Securities Investment Business (Amendment) Law, 2020 will also be brought into force at phase two to empower CIMA to waive (or impose additional) regulatory requirements applicable to a sandbox licence issued under the VASP Law and generally relating to the virtual asset trading platform introduced under the VASP Law. Relevant entities are required to register with CIMA in phase one, and proceed to apply for licences when phase two commences.
Further updates will be provided when CIMA issues further principles and guidance for the conduct of virtual asset activities in or from Cayman.