Revisions to Bermuda's AML-ATF Guidance Notes for Financial Institutions

On 15 February 2023, Bermuda incorporated revisions (the ‘Revisions’) to the Guidance Notes for AML-ATF Regulated Financial Institutions (August 2022 Revision).

Key changes relate to:

• Who the guidance addresses
• Board approval for policies, procedures and controls
• Periodic compliance reports
• Standard identification and verification requirements for natural persons
• Documentary verification
• Obtaining identification information
• Unincorporated partnerships and businesses
• Due diligence on service providers
• Regulatory and supervisory responsibilities in Bermuda

1.      Who does the Guidance address? 

Addition of insurance marketplace providers and private trust companies

• Section 31 of the Preface of the Guidance Notes now includes insurance marketplace providers and private trust companies.

2.      Board approval for policies, procedures and controls

Addition of requirement for approval of the policies, procedures and controls by a governing body of the Regulated Financial Institution (RFI’s)

• Senior management of all RFIs must now secure governing body (i.e., board) approval for the RFI’s policies, procedures and controls relating to its AML/ATF obligations (Senior Management’s Responsibilities & Internal Controls, Chapter 1, section 1.21.).

3.      Periodic Compliance Reports

Addition of actions and independent audit to the Periodic Compliance Report

• Additional requirements relating to the periodic report should now include the actions and outcomes of any relevant quality assurance, independent audit or internal audit reviews of the RFI’s AML/ATF processes and the outcomes of the RFI’s risk assessments (Chapter 1, Section 1.52).

4.      Standard identification and verification requirements for natural persons

Identification and verification of information options

• An RFI may accept either physical documents, electronic information and data, or a combination of both to verify details on natural persons (Chapter 4, section 4.24).

5.      Documentary Verification

Introduction of a new section on independent source documents, data or information

• Where seeking to verify an identity using documentary evidence, an RFI should use reliable, independent source documents, data or information (Chapter 4, section 4.26)

Inclusion of the option to incorporate place of birth and nationality as verification points from documents

• Where using documentary evidence to verify the identity of a natural person, an RFI is recommended to use either a valid government-issued document, such as a passport, national identity card or driver’s licence that incorporates the natural person’s full legal name, photograph and one of the following (Chapter 4, section 4.26):
• Principal residential address,
• Date of birth,
• Place of birth; or
• Nationality 

Addition of verification time frame

• Documents are intended to support the verification of a customer’s address within three months of the verification date (Chapter 4, section 4.28).

6.      Obtaining identification information

Removal of requirement for mailing address and areas of activity for customers that are trusts or other legal arrangements

• Identification information required in relation to each customer that is a trust or other legal arrangement no longer includes mailing address or areas of activity for customers (Chapter 4, section 4.108)

7.      Unincorporated partnerships and businesses

Removal of “partnership(s)” from “Unincorporated partnerships and businesses”

• Sections referring to partnerships are no longer relevant, per the updated Guidance Notes (Chapter 4, section 4.123 - 4.125)

Deletion of official identification number requirement

• Official identification numbers no longer need to be requested for unincorporated businesses (Chapter 4, section 4.126)

Addition of an assessment of the ML/TF risks associated with a customer and its business relationship to verify the identity of all Ultimate Beneficial Owners (UBOs)

• On the basis of an assessment of the ML/TF risks associated with a customer and its business relationship, RFIs must take reasonable measures to verify the identity of all persons who, directly or indirectly, own or control more than 25% or, where the RFI is a corporate service provider, 10% of the customer’s property, shares or voting rights (Chapter 4, section 4.126).

Deletion of requirement to verify identification information for some persons (Chapter 4, section 4.127)

• This includes the following persons:
  1. Persons purporting to act on behalf of the customer or by whom binding obligation may be imposed on the customer
  2. At least one natural person holding the position of chief executive or a person of equivalent or similar position.

Deletion of requirement to collect the following identification information for unincorporated businesses (Chapter 4, section 4.129):

a)    Full name;

b)    Business address;

c)     Official identification number (where applicable);

d)    Current existence of the customer;

e)    Ownership and control structure of the customer;

f)      Legal powers that regulate and bind the customer;

g)    Subject to paragraphs 4.134 and 4.135, the identity of all partners, principals, members, directors and other persons exercising control over the management of the unincorporated partnership or business;

h)    Identity of at least one natural person holding the position of chief executive or a person of equivalent or similar position; and

i)      All other persons purporting to act on behalf of the customer or by whom binding obligation may be imposed on the customer

Removal of the option to use a risk based approach to determine whose identity to verify

• Where the number of partners, principals, members, directors or other persons exercising control over management of the customer is high, RFIs can no longer use a risk based approach to determine whose identity to verify (Chapter 4, section 4.134). 

Deletion of requirement to verify natural persons who are associated with a higher risk person/business

• Where any natural person associated with the customer is assessed as higher risk, or where a business relationship is assessed as higher risk for any reason, signatories, partners and other natural persons exercising control over management of the corporate no longer need to be verified (Chapter 4, section 4.135).

Notification of material changes no longer needed (Chapter 4, section 4.136)

• An RFI no longer needs to request for customers to notify it of any material changes or maintain current information regarding:

a)    Persons who are partners, principals, members, directors, beneficial owners or other persons exercising control over management of the customer;

b)    Powers or authorities assigned to such persons; and

c)     Other changes to the control and ownership structures of the customer

8.      Due diligence on service providers

Addition of requirements for Due diligence on service providers (Chapter 5, section 5.160)

• At a minimum, RFIs carrying out due diligence with respect to a service provider should consider the following:
  • Whether the service provider can maintain the confidentiality of RFI and client information

Removal of Enhanced Due Diligence (EDD) requirement for service providers (Chapter 5, section 5.161)

• RFIs are no longer required to conduct enhanced due diligence to evaluate the service provider’s ability to maintain the confidentiality of RFI and client information.

9.      Regulatory and supervisory responsibilities in Bermuda

Additional information added re: The Bermuda Police Service, The Financial Intelligence Agency and Barristers and Accountants AML/ATF Board  (Annex V., V.2, V.3 & V.8)

Bermuda Police Service (BPS)

Bermuda’s law enforcement body responsible for detection, investigation and public education to promote public safety and crime prevention for all criminal activity in Bermuda, which includes Money Laundering (ML), acts of terrorism and Terrorist Financing (TF).

Financial Intelligence Agency (FIA)

Bermuda’s FIA is the recipient of financial information from various sources, most notably Suspicious Activity Reports (SARs), which allows them to analyse and develop financial intelligence to support law enforcement, supervisors, foreign FIA counterparts, as well as industry to effectively carry out their various functions.

Barristers and Accountants AML/ATF Board

Bermuda’s supervisory authority for relevant persons that are regulated professional firms of barristers or accountants who carry out ‘specified activities’ as defined in section 49(5) of POCA.