Leonie Tear
Partner
Bermuda
May 1, 2025
Key Takeaways
In November 2024, the Bermuda Monetary Authority (the "BMA") released a consultation on a proposed new framework for the licensing and supervision of providers of non-governmental digital identities for individuals in Bermuda, digital identity service providers or "DISPs".
On 29 April, the BMA released a "Dear Stakeholders" letter outlining the key responses to the consultation and the resulting regulatory approach to the supervision of DISPs.
In this advisory we explain the role of DISPs, the need for regulation and the proposed new framework for DISPs' supervision.
A digital identity is a body of information that allows the identity of an individual to be verified in an online environment.
A digital identity system comprises core components:
The key role for DISPs is in the onboarding journey for consumers in financial services. Financial institutions are legally obliged to conduct customer due diligence ("CDD") to ensure they know who they are transacting with and what that person is eligible to do. Identity theft means that organisations cannot rely on a person simply claiming to be who they are; instead, robust independent identity verification is required.
Increasingly, consumers expect onboarding to be online and immediate. Friction points commonly experienced by domestic customers of Bermuda financial institutions arise during account opening when, to establish an account, a customer's identity must be verified by submitting documents that first need to be obtained and certified. Friction points also arise when customers need to interact separately with each of their financial service providers, repeating the same process. Further, they may be required on a regular basis to update their identity information as part of the ongoing CDD process.
DISPs provide benefits to the CDD journey that can greatly accelerate consumer access to financial services whilst also alleviating the burden on financial institutions inherent in CDD, if they can rely on the DISPs' services for verification of their customers' identities.
Whilst such benefits are significant, DISPs also come with risk. The most significant risk related to DISPs is the creation of a repository of personal information that is extremely attractive to threat actors that hack, misuse and sell personal data. Introducing a regulatory regime that scrutinises the cyber security and data controls in place should assist with ensuring a high level of minimum standards are in place to sufficiently mitigate this risk and allow for the benefits described.
The BMA's consultation put forward five activities that make up the end-to-end processes in a digital identity service:
We anticipate these will inform what will become the "licensable activities" under the new regime. Further details regarding licensable activities will be set out in an illustrative draft bill and subject to appropriate consultation.
In the November consultation, the BMA asked stakeholders whether companies providing limited activities (e.g. only 2 of the 5 above), rather than the full end-to-end services, should be in scope of the new framework.
The Dear Stakeholder letter confirms that all providers engaging in licensable activities under the Act will be required to comply with the regulatory provisions, even if not providing all end-to-end services, unless they are operating solely as an outsourced service provider to a licensed DISP. This result is positive as the alternative gave rise to the risk of regulatory arbitrage.
As the above foreshadows, DISPs will be permitted to rely on outsource providers for certain activities, though with the DISP retaining full responsibility for oversight.
The consultation sought feedback on whether vetting responsibilities should be a required element of a DISP issuing a digital identity.
The proposed framework defines the role of DISPs as limited to identification and processes, which rely on official documents. Vetting responsibilities introduce CDD obligations, which the BMA considers more appropriately assigned to financial institutions and other relying parties. Given that AML/ATF requirements are risk based and differ by sector, under the regime DISPs will focus solely on issuing Digital IDs, while relying parties will determine the level of vetting required based on their regulatory compliance obligations and risk appetites.
At this stage, the BMA does not intend to prescribe specific standards regarding international best practice. Nonetheless, the framework will establish core cybersecurity standards to ensure data protection which are aligned with the existing international standards applicable to Bermuda.
A tiered licensing framework will be implemented, designed to promote responsible innovation while upholding consumer protection and security. This mirrors the digital asset business licensing model and the approach currently under consultation for payment service providers.
It was also determined that the framework will be mandatory, rather than opt-in. It is not yet clear who it will be mandatory for, in relation to jurisdictional nexus.
The BMA has determined that physical presence will continue to be a requirement to obtain a DISP licence. This requirement can be satisfied by appointing a designated senior representative in Bermuda.
The BMA confirmed that many stakeholders expressed support for a public-private partnership initiative, emphasising that a government issued Digital ID would likely encourage broader adoption and extend usage beyond financial services within Bermuda. The BMA has communicated this to Government.
The BMA will proceed with finalising the framework’s provisions and developing supporting regulatory instruments for further public consultation.
Walkers is committed to engaging in the consultation and working with digital identity service providers in applying for DISP licences in future.