The Bermuda Monetary Authority has published a consultation paper setting out a proposed regulatory framework to license and supervise Digital Identity Service Provider Businesses (DISPs) operating in or from Bermuda under a planned Digital Identity Service Provider Business Act, including a prohibition on carrying on the regulated activities without a licence. The proposal would make licensing mandatory where a provider performs both (i) identity proofing and enrolment with initial binding and credentialing and (ii) authentication and life-cycle management of issued digital identities, while excluding digital identity used solely for a firm’s own customers and its own purposes. The regime would introduce three licence classes (Class F full, Class M modified for a defined period, and Class T test for pilot or beta activity) and give the Authority discretion to determine the appropriate class and apply conditions, as well as powers to restrict, suspend or revoke licences. Proposed requirements include a Bermuda principal place of business, an Authority-approved senior representative physically present in Bermuda with specified reporting triggers, pre-notification and potential objection for new or increased control at 10% voting shares or more (with a 90-day review period), minimum net asset thresholds (Class T $10,000 and Class M/Class F $100,000), annual audited financial statements and quarterly prudential returns, and an annual Certificate of Compliance due within four months of the financial year-end (with a $1,000 late fee). The framework also contemplates civil penalties up to $10,000,000 for contraventions, a schedule of application and annual fees, controls around outsourcing (including advance notification of material arrangements), secure maintenance and access to client records, and restrictions on the use of the term “digital identity service provider business” by unlicensed entities. Comments are requested by 2 September 2025, and the Authority indicates that additional secondary instruments will be developed and consulted on separately following this consultation.
Bermuda Monetary Authority 2025-07-21
Bermuda Monetary Authority consults on a tiered licensing and prudential regime for Digital Identity Service Provider businesses
The Bermuda Monetary Authority has released a consultation paper proposing a regulatory framework for licensing and supervising Digital Identity Service Provider Businesses under a new Act. It mandates licensing for identity proofing and authentication, introduces three licence classes, and sets requirements including a Bermuda principal place of business, minimum net asset thresholds, and annual compliance certifications. Civil penalties up to 10 million USD and restrictions on unlicensed use of the term "digital identity service provider business" are also proposed.