the central bank of cyprus (cbc) has announced the establishment of a comprehensive strategy for licensing and supervisory electronic money institutions (emis) and payment institutions (pis). to prepare the strategy, the cbc with the assistance of international consultants, conducted a thorough analysis of the sector and its associated risks. the findings were presented to the cbc board of directors on 19 december 2024. the strategy aims to: promote the sustainable growth of the sector improve licensing processes enhance supervision based on risk adopt best practices to drive these efforts, the cbc has established a dedicated directorate for the supervision of emis and pis, responsible for the prudential supervision of the sector. currently, cbc oversees 26 emis and 11 pis, with several new applications under review. this is a welcome development, responsive to the fact that the payment services industry in cyprus is going from strength to strength. the official announcement (available only in greek) can be found here.

on 13 january 2025, the bvi financial services commission (fsc) released detailed faqs addressing the implementation of the beneficial ownership (bo) regulations clarifying key compliance requirements effective 2 january 2025. it mandates identity verification for beneficial owners by licensees and registered agents, prohibits nil filings and sets a 30-day filing window for bvi business companies and limited partnerships. the faqs outline key regulatory requirements, including: enactment and application of new requirements filing requirements individual filings legal arrangement filings trust filings nominee shareholder filings non-profit organisations “npos” change in bo information who can be exempt from bo filings who will have to view bo filings ownership interest virrgin and filing processes technical issues bosss fess and penalties there is no transitional period, and filings must be completed by 30 june 2025. exemptions, thresholds, and nominee shareholder rules are defined. details on access controls, penalties, and future bulk filing functionality are also included. details are available in the faqs here. our recent article on beneficial ownership can be accessed here.

the british virgin islands government has initiated a public consultation on its proposed policy for access to the register of beneficial ownership. this consultation, launched on 17 january 2025, represents a significant step in aligning the territory with international standards for transparency and combating illicit finance. premier dr. the honourable natalio d. wheatley underscored the initiative’s importance, emphasising the bvi’s commitment to balancing financial transparency with privacy. the draft policy proposes granting access to beneficial ownership information based on a demonstrable “legitimate interest” under specified conditions. recent legislative updates, effective 2 january 2025, have enhanced the bvi’s framework for collecting beneficial ownership data via the virrgin platform. this builds on the work of the beneficial ownership secure search system (bosss), which has managed such information since 2017. the draft policy outlines a framework for accessing the register of beneficial ownership, balancing transparency with privacy rights. it introduces the concept of "legitimate interest," allowing specific stakeholders, including certain financial institutions, regulated non-financial businesses, media personnel, civil society organisations, and academic institutions, to access beneficial ownership information under defined circumstances. provisions are also made for exemptions to protect individuals who may face serious risks, such as kidnapping or fraud, minors or legally incapacitated persons, if their information is disclosed. stakeholders are invited to provide feedback on key questions, such as defining “legitimate interest” and determining exemptions, by submitting written responses by 28 february 2025. the bvi government’s official press release can be found here and the draft policy here. our main guide on the reforms to the bvi beneficial ownership regime can be found here.

the bvi has implemented changes to its beneficial ownership framework as relevant to companies and limited partnership, with key changes effective from 2 january 2025. in this q&a, we break down and summarise the new requirements relating to the changes, and what these mean for owners and operators of bvi entities and registered agents operating within the jurisdiction. our main guide on these developments can be found here. q: what significant changes to bvi company law took effect from 2nd january 2025? a: the changes to the bvi business companies act and related regulations focus on enhancing record-keeping, filing obligations, and compliance with global standards to combat financial crime. similar changes have also been made to the limited partnerships act. these changes align global best practices for combating financial crime and fulfilling commitments made to the uk by its overseas territories. they also address recommendations from the 2024 caribbean financial action task force’s mutual evaluation report of 2024. q: what changes were made regarding beneficial ownership information? a: amendments passed in september 2024 establish a new framework for beneficial ownership collection and filing. the boss system will be replaced by the virrgin system used for the main company registry. the new rules require companies to: collect, keep, and maintain accurate and up-to-date beneficial ownership information in accordance with the new regime (this would have been previously collected for the purposes of boss and of course, for anti-money laundering oversight by registered agents). file information within 30 days of incorporation for new entities or by the end of the transition period for existing entities. report changes within 30 days. q: what are the key amendments to the bvi business companies act? a: aside from the above, key amendments include: filing a company’s register of members with the registrar of corporate affairs (private and non-searchable). new registration requirements for companies with “nominee” shareholders and licensed professional directors. restrictions on companies seeking continuation out of the jurisdiction to prevent regulatory or litigation avoidance. express duty for companies to cooperate with regulators, with enhanced enforcement powers granted to the registrar. the ability for impacted persons to apply for court rectification of a company’s register of directors. a 14-day window for restored companies to comply with record-keeping and filing obligations. q: is there a transitional period for existing companies to comply with the new provisions? a: yes, existing companies have a six-month transitional period until june 2024 to file the register of members and details of nominee shareholders and professional directors. an additional six-month extension may be granted, although the financial services commission (fsc) expects it will not be necessary. q: how is a beneficial owner defined under the new framework? a: in line with pre-existing bvi law, a beneficial owner is a natural person who owns or controls 10 per cent or more of a company or exercises control over its management. this definition includes both economic and legal ownership as well as voting rights. while the beneficial ownership definition threshold is set at 10 per cent, exchange of information under the new regime only applies in respect of interests of 25 per cent or more, in line with fatf standards. q: are there exceptions to identifying beneficial owners? a: yes, exceptions apply to: bvi-regulated entities and fund vehicles (eg, private, professional, public funds) where information is maintained by a bvi-licensed administrator or representative. this also applies in respect of affiliated entities. entities listed on recognised stock exchanges. entities managed or administered by regulated trust companies in the bvi. q: what new data fields are required for beneficial ownership information? a: in addition to previously collected data, new fields include the beneficial owner’s gender, occupation, and capacity (ie, how they qualify as a beneficial owner). q: who will have access to beneficial ownership information? a: while fully public registers are not planned, access will be granted to parties demonstrating a legitimate interest, especially in fighting financial crime. a consultation on access rules was released on 20 january 2025 and is due to close on 28 february 2025. q: what is the current status of annual financial return requirements? a: bvi companies must file a simple annual return with their registered agent. for entities with a december 2023 year-end, the deadline has been extended to 30 june 2025. q: what are the requirements for obtaining a certificate of good standing? a: a company must: file its register of directors and members submit beneficial ownership information ensure its annual return is compliant. certificates will now include an expiry date q: what should companies do next to comply with the changes? a: directors and controllers should: confirm beneficial ownership information with registered agents update systems for new record-keeping requirements monitor communications from registered agents to ensure timely compliance q: what are the implications for registered agents and regulators? a: registered agents and regulators will need to update systems and software to meet the new technical requirements. resources our main article is here our previous blog posts can be found here and here bvi fsc’s circular 45 – beneficial ownership regulations guidelines can be found here bvi fsc’s circular 46 - guidelines for beneficial ownership obligations under the anti-money laundering regulations and anti-money laundering and terrorist financing code of practice can be found here

the european securities and markets authority (esma) has recently issued a statement on transitional measures and a list of grandfathering periods under regulation 1114/2023 on markets in crypto-assets (micar). these transitional periods are critical for crypto asset service providers (casps) already operating before 30 december 2024, offering them a limited timeframe to obtain a licence under mica. content headings-paste as plain text under article 143(3) of micar, casps active before 30 december 2024, may continue providing services until 1 july 2026, or until they receive or are denied micar authorisation, whichever comes first. however, individual member states may reduce or waive this transitional period, depending on their existing national frameworks. grandfathering periods by jurisdiction the duration of the transitional regime varies, with some member states opting for shorter periods to enhance market stability and investor protection. below is a summary of the grandfathering periods: member state grandfathering period member state grandfathering period belgium tba lithuania 5 months bulgaria 12 months luxembourg 18 months czechia 18 months hungary 6 months denmark 18 months malta 18 months germany tba netherlands 6 months estonia 18 months austria 12 months ireland 12 months poland 6 months greece 12 months portugal tba spain 12 months romania 18 months france 18 months slovenia 6 months croatia 18 months slovakia 12 months italy 12 months finland 6 months cyprus 18 months sweden 9 months latvia 6 months european economic area (eea) countries eea country grandfathering period iceland 18 months liechtenstein tba norway 12 months note: some periods reflect current expectations and may not yet be formalised in national law. specific requirements also apply, such as early application deadlines to benefit from grandfathering. compliance challenges and recommendations the divergence in timelines in each member state create complex compliance requirements for casps operating across multiple jurisdictions. for example, if a casp secures micar authorisation in a member state with a longer transitional period but serves clients in a state with a shorter one, a compliance gap could arise. this scenario may disrupt services and impact market participants. to address these challenges, esma advises casps to: apply for micar authorisation as early as possible engage proactively with national competent authorities (ncas) in each jurisdiction implement robust strategies to avoid service disruptions and ensure compliance ncas should coordinate closely across borders to streamline authorisation processes and prevent market disruptions. early and continuous dialogue between home and host member states is essential to safeguarding market integrity and client interests. micar’s transitional measures and country-specific grandfathering periods pose significant operational challenges for casps. timely applications, strategic planning and regulatory engagement are crucial to ensuring compliance and uninterrupted service. esma’s statement can be found here and the official list of grandfathering periods as decided by member states can be accessed here. if you are unsure whether micar may apply to you, you can use our mica assessment tool to obtain a free preliminary assessment here.

on 12 december 2024, the cyprus house of representatives approved the implementation of a global minimum tax law in cyprus (the gmt law) for multinational enterprise groups (mnes) and large domestic groups, aligning with the eu pillar two directive 2022/2523 (pillar 2 directive). the gmt law establishes a minimum effective tax rate of 15 per cent for mnes with annual consolidated revenues exceeding €750 million. the gmt law is currently in force as it was published in the official gazette of the republic of cyprus on 18 december 2024. the gmt law introduces the income inclusion rule (iir) effective from 2024 as well as the under-taxed profits rule (utpr) and domestic minimum top-up tax (dmtt) which will become effective in 2025. while cyprus corporate income tax (cit) remains unchanged, these new rules will apply alongside existing cit for applicable groups, ensuring compliance with global tax reform standards. mnes within the scope of the gmt law must notify the cyprus tax department of their status within 15 months following the last day of the applicable fiscal year or 18 months with respect to the transition year (eg, for 2024 by 30 june 2026). the gmt law provides for penalties on late filings and payments, aligning with cyprus’ general tax compliance rules. however, no fines will be imposed for fiscal years ending before 30 june 2028, if the mne can demonstrate that it took all the relevant steps to comply with the gmt law. the official text of the gmt law (available only in greek) can be found here and the pillar 2 directive can be accessed here.

the cyprus securities and exchange commission (cysec) published a document outlining key aspect of the implementation of the eu package on a digital operational resilience framework for the financial sector. this regulatory framework is aimed at strengthening the digital resilience of the financial sector. dora framework the digital operational resilience framework (dora framework) consists of: digital operational resilience act (eu 2022/2554): a regulation that sets the framework for digital operational resilience, amending several eu regulations (dora). dora amending directive (eu 2022/2556): amends various eu directives concerning digital resilience in the financial sector. regulatory & implementing technical standards (rts & its): developed by the european supervisory authorities (esas), these standards provide detailed guidelines for ict risk management. scope the dora framework applies to a wide range of financial entities, including: banks, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings and insurance, reinsurance, and ancillary intermediaries. entities such as trading venues, trade repositories, central securities depositories, central counterparties, institutions for occupational retirement provision, credit rating agencies. managers of alternative investment funds, management companies, securitisation repositories, administrators of critical benchmarks. crypto-asset service providers, account information service providers, data reporting service providers, ict third-party service providers, crowdfunding service providers. rationale behind the dora framework the dora framework addresses the need for a unified approach to digital resilience across the eu’s financial sector. while the sector has robust regulations for traditional risks, digital resilience had not been consistently addressed. by strengthening oversight of ict risk, the dora framework ensures that financial institutions can withstand digital disruptions and protect market integrity, with ict risk management becoming as critical as other financial regulatory standards. key areas of the dora act ict risk managementfinancial entities must implement a sound ict risk management framework, internal governance and control framework, to address and mitigate digital risks, ensuring a high level of operational resilience. this includes maintaining up-to-date ict systems, clear documentation of ict assets and comprehensive business continuity policies. ict-related incidents entities must have processes to manage ict-related incidents, including detection, reporting and root cause analysis. major incidents must be reported to cysec for further assessment. digital operational resilience testing financial entities (excluding microenterprises) must establish, maintain, and review a comprehensive digital operational resilience testing programme. this programme is designed to identify weaknesses, assess preparedness, and implement corrective measures. advanced testing through threat-led penetration testing (tlpt) is required every three years for entities with significant ict risks, such as central securities depositories, trading venues and certain large financial firms (excluding microenterprises, small and non-interconnected investment firms, payment institutions exempted under directive (eu) 2015/2366; institutions exempted under directive 2013/36/eu, electronic money institutions exempted under directive 2009/110/ec and small institutions for occupational retirement provision). managing ict third-party risk dora requires financial entities to manage risks associated with third-party ict providers and risk management framework. this includes maintaining full responsibility for compliance with dora’s provisions, regardless of outsourcing arrangements. financial entities must assess and manage third-party risks based on the criticality and potential impact on their operations. additionally, entities are required to keep a register of ict service contracts and report annually on their ict third-party relationships. information sharing financial entities are encouraged to share cyber threat intelligence, including indicators of compromise and cybersecurity alerts, with one another to enhance sector-wide resilience. participation in these information-sharing arrangements must be reported to the relevant competent authorities. oversight of critical third-party providers the esas will designate critical third-party ict service providers after assessing their systemic importance and appoint a lead overseer for each service provider responsible for overseeing these providers, ensuring proper regulatory supervision. delegated acts and upcoming developments in march 2024, the esas published several delegated acts covering topics such as oversight fees charged by the lead overseer for critical third-party providers, criteria for classifying major ict incidents and detailed ict risk management policies. further updates are expected, particularly regarding the classification of major incidents and simplified ict frameworks. entry into force and application dora applies fully from 17 january 2025. the deadline for transposing the provisions of the dora amending directive into local legislation was also on 17 january 2025. it is relevant to note here that cyprus, as well as a number of other eu member states, have yet to publish legislation in this respect. cysec’s document summarising the provisions of the dora framework can be found here.

on 10 december 2024, the european supervisory authorities, consisting of the eba, eiopa, and esma (the esas) introduced joint guidelines (the guidelines) to standardise the regulatory classification of crypto-assets under the markets in crypto-assets regulation (micar). these guidelines aim to harmonise industry practices and supervisory approaches, ensuring a consistent and fair regulatory environment across the eu. key highlights of the guidelines standardised classification test: a uniform test has been introduced to classify crypto-assets and determine their regulatory status under micar. this ensures that market participants and regulators apply a consistent framework when assessing crypto-assets. templates for legal opinions and explanations: the guidelines include templates for the regulatory classification of: asset-referenced tokens (arts): white papers would be accompanied by a legal opinion explaining why an art is not an electronic money token (emt) and why it is not excluded from the scope of micar. other crypto-assets: white papers must include explanations which clarify the reasons that the crypto-asset is not an emt, art, or a crypto-asset excluded from micar. promoting regulatory convergence: these measures aim to reduce regulatory arbitrage, enhance consumer and investor protection, and establish a level playing field in the crypto-asset market. the guidelines will be translated in all official eu languages and take effect three months after the publication of the translations on the esa’s websites. these efforts mark a crucial step toward a more transparent and regulated crypto-asset landscape. micar, which regulates the issuance and trading of arts, emts, and other crypto-assets, seeks to ensure market integrity and financial stability while providing robust protections for consumers and investors. by harmonising classification practices, the esas aim to streamline the application of micar. for more details, the eba’s press release can be found here and the guidelines here.

on 24 december 2024, the bvi published general licence no. 8 (2024), allowing payments for reasonable professional legal fees and expenses related to designated persons under the russia and belarus sanctions regimes. this new licence, valid for six months, replaces earlier licences no. 3, no. 5 and no. 6, with important updates to fee caps and reporting requirements. key updates increased fee caps legal fees: up to us$2,400,000 expenses: 10 per cent of legal fees (capped at us$240,000) caps now apply per legal practitioner rather than per designated person across all legal matters. reporting obligations notification: inform the attorney general before engaging in activities covered by the licence. reporting: submit a report to the virgin islands sanctions unit within seven days of any payment, using forms available on the bvi financial services commission website. email submissions are preferred at sanctions@gov.vg. record keeping: maintain records for six years. legal practitioners must carefully review the licence terms before use to ensure compliance. licence no. 8 of 2024 can be found here and bvi’s general licences page can be accessed here.

on 2 december 2024, the bermuda monetary authority (bma) released several key documents to guide insurance entities in their year-end reporting and compliance obligations. these publications are essential for ensuring adherence to regulatory standards and for maintaining the integrity of bermuda's insurance sector. year-end filing requirements the bma has outlined specific filing requirements for various classes of insurers: class 3a insurers: detailed instructions are provided to assist in the preparation and submission of year-end financial statements and related documents. class 4 and class 3b insurers: tailored guidelines to provide the necessary steps for accurate and timely filings. class c insurers: specific directives to ensure compliance with reporting standards. class d and e insurers: comprehensive instructions to cover all aspects of year-end reporting. insurance groups: group-level filing requirements to facilitate consolidated reporting. instruction handbooks to further aid insurers, the bma has published several handbooks: general business handbook: offers a thorough overview of reporting procedures and standards for general business insurers. insurance group instructions handbook: provides detailed guidance for insurance groups on compliance and reporting obligations. long-term instructions handbook: addresses the specific needs of long-term insurers, ensuring clarity in reporting processes. stress and scenario testing instructions recognising the importance of robust risk management, the bma has issued stress and scenario testing instructions: class 3a insurers: guidelines to assess financial resilience under various stress scenarios. class 4, 3b and insurance groups: comprehensive instructions for conducting stress tests pertinent to their operations. class c, d and e insurers: specific scenarios to evaluate potential vulnerabilities and response strategies. bermuda solvency capital requirement (bscr) models the bma has updated the bscr models for various classes, reflecting the latest regulatory expectations: class 3a, 3b, 4, c, d, e, collateralised insurers and groups: each class has an updated bscr model to ensure accurate solvency assessments. for more information the official bma’s legislative documents can be found here. insurance entities are encouraged to review these documents thoroughly to ensure full compliance with bermuda's regulatory standards. aml/atf ministerial advisory in addition to insurance-specific documents, the bma released the aml/atf ministerial advisory 3 2024 on 2 december 2024. this advisory highlights risks associated with jurisdictions lacking robust anti-money laundering and counter-terrorist financing systems. the advisory mandates enhanced due diligence for transactions and relationships involving high-risk jurisdictions as identified by international standards, such as those set by the financial action task force. the ministerial advisory 3 can be found here.

on 8 january 2025, the eu general court (the court) ruled in favour of a german citizen in bindl v commission (case t-354/22), ordering the european commission to pay €400 in damages for unlawfully transferring personal data to the us. facts of the case mr bindl registered for an event via an eu commission website using the “sign in with facebook” option. this action led to his ip address and other personal data being transmitted to meta platforms, inc. (facebook) in the us. the transfer to the us took place during the period after the invalidation of the eu-us privacy shield but prior to the introduction of its successor, the eu-us data protection framework. that is to say, the previous adequacy decision was invalid, leading the court to make a finding that there were otherwise no legal arrangements in place to legitimise the transfer. specifically, the court noted that the commission "neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause" to lawfully facilitate the transfer. commentary for accuracy’s sake, it is worth pointing out that the case turned on the legal provisions of regulation 2018/1725, which regulates the treatment of personal data by the european institutions. this regulation is however essentially equivalent to the gdpr and the widely agreed expectation is that the repercussions of this decision will apply equally for the gdpr. there are a number of conclusions in the decision which can be picked apart, and the commission retains the option to appeal the ruling before the court of justice of the european union. the key take-away from this decision however is that for the first time, the door has been opened to award damages to individuals with respect to unlawful transfers of personal data. this means that beyond regulatory fines, operators may also need to contend with the possibility of paying damages to individuals. despite the rather minimal damages of €400 ordered to be paid in the present case, its significance becomes rather monumental when considering its possible application in the context of multiple data subjects/class action style lawsuits. the court’s judgment can be found here and the official press release can be accessed here.

the seminar hosted by the cayman islands compliance association (cica) and the department for international tax cooperation (ditc) in november 2024, provided important updates and valuable insights into the cayman islands’ tax transparency initiatives, compliance priorities and regulatory developments. one of the seminar’s focal points was the announcement of upcoming crs comprehensive reviews. these audit-style reviews will evaluate financial institutions' (fis) crs classifications, governance structures, and compliance histories. reviews are expected to last four to six months, during which fis will provide documentation and participate in meetings with the ditc, either on-site or virtually. the ditc encourages proactive disclosure of any breaches during these reviews to minimise penalties. the ditc emphasised several compliance priorities, including the accurate and timely reporting of critical data such as tins, dates of birth, and full addresses. inconsistencies in year-on-year reporting, missing account closures and discrepancies between crs filings and compliance forms were flagged as key areas of concern. fis are urged to ensure that all reportable accounts are identified, and that compliance with crs obligations is robust. to ensure compliance, fis should collect valid self-certifications during account onboarding, verify data accuracy, and maintain consistency between filings. the ditc stressed the importance of responding promptly to compliance queries, ensuring clear communication, and including relevant references in all correspondence. looking ahead, the ditc highlighted the implementation of the crypto-asset reporting framework (carf) and crs 2.0, set to begin in 2027. these frameworks will introduce enhanced due diligence and reporting requirements, signalling a more rigorous compliance environment. increased enforcement activity for both crs and economic substance obligations is also anticipated. the seminar reinforced the critical role of accurate reporting, timely compliance, and proactive governance in safeguarding the cayman islands' reputation. the seminar’s key takeaways published by cica can be found here.

in june 2024, the english court of appeal’s judgment in celestial aviation services ltd v unicredit bank ag (london branch) [2024] ewca civ 628 overturned a high court ruling that raised concerns over the obligations of contracting parties under sanctions. the case addressed the extent to which sanctions legislation affects payment obligations under letters of credit (lcs), particularly where parties face obstacles due to international sanctions regimes. the dispute resulted from a number of lcs issued in relation to leases of aircraft by celestial and other entities to russian airlines. when sanctions were imposed in march 2022 following the termination of these leases, unicredit, the confirming bank, claimed it could not process payments due to sanctions restrictions; which in effect meant that the sanctions had retrospective effect. although licences were later granted by uk and eu authorities for the principal amounts, other issues, including interest and costs, remained unresolved. key issues and findings broad application of regulation 28 of the uk sanctions the court of appeal held that regulation 28(3) of the russia (sanctions) (eu exit) regulations 2019 prohibits payments under lcs where they are "in connection with" prohibited arrangements, regardless of whether the leases had been terminated. it emphasised the broad language of the regulation, which aims to cast a wide net over objectionable arrangements. this overturned the high court's interpretation, which limited the scope to prospective arrangements only. the court of appeal clarified that the licensing regime exists to address unintended consequences of sanctions and that parties should proactively obtain licences to mitigate risks. objective assessment of reasonable belief (samla section 44) citing section 44 of the sanctions and anti-money laundering act 2018 (samla), unicredit argued it acted reasonably in believing that making payment would breach uk sanctions. the court of appeal upheld that while unicredit’s belief was subjectively held, whether it was a "reasonable" required objective assessment. the court of appeal acknowledged that unicredit’s interpretation of new legislation was reasonable, but this did not exempt unicredit from interest claims. limits on alternative payment methods the high court suggested unicredit could have made payment in cash or other currencies to bypass us sanctions, but the court of appeal rejected this reasoning in obiter. it reinforced the freedom to contract and strict compliance with lc terms, which required payment by us$ bank transfer. the court of appeal noted that cash payments were neither contemplated by the contracts nor demanded by the beneficiaries. this finding aligns with recent decisions, reinforcing that parties cannot unilaterally alter performance terms to address sanctions issues. efforts to obtain licences the court of appeal criticised unicredit for failing to take “reasonable efforts” to secure a us licence, citing errors in how the application was framed. instead of seeking permission to fulfil lc payment obligations, unicredit focussed on receiving funds from sberbank, undermining its ability to rely on the ralli bros principle (which protects parties from performing contracts illegal at the place of performance). key elements this judgment provides critical guidance for financial institutions and corporates navigating the intersection of sanctions and contractual obligations: broad scope of sanctions: sanctions regulations may apply retrospectively, capturing arrangements even after their termination. proactive licensing is crucial to mitigate risks. strict compliance with contracts: parties cannot deviate from agreed terms (eg, currency or payment method) under the guise of avoiding sanctions. objective reasonableness standard: beliefs about compliance with sanctions will be assessed objectively, even if held in good faith. reasonable efforts in licensing: applications to sanctions authorities must be clear and correctly framed to demonstrate compliance with local laws. this case reinforces the need for meticulous drafting of contracts, vigilant compliance with sanctions regimes, and careful navigation of payment obligations under complex international laws. the court of appeal judgment can be found here.

on 2 december 2024, the bermuda ministry of justice issued aml-atf ministerial advisory 3/2024, emphasising the need for vigilance against money laundering and terrorist financing risks in specific jurisdictions. this advisory provides guidance for financial institutions and relevant entities in bermuda on applying enhanced customer due diligence (edd) for transactions involving high-risk countries. this advisory replaces all previous advisory notices issued by the minister of justice on this subject. key takeaways legislative mandate: the proceeds of crime (aml-atf) regulations 2008 mandate enhanced due diligence for: countries identified as high-risk by the financial action task force (fatf) or the caribbean financial action task force (cfatf). jurisdictions linked to money laundering, corruption, terrorist financing, or international sanctions. high-risk jurisdictions: fatf’s october 2024 publication lists high-risk jurisdictions requiring edd. these include iran, north korea, myanmar, and others such as nigeria, south africa, and the philippines. the advisory also highlights countries under fatf's increased monitoring (commonly referred to as the "grey list"). ministerial guidance: the advisory urges institutions to: treat transactions with these jurisdictions as high-risk. apply edd measures, such as enhanced monitoring and countermeasures, proportional to the risks involved. sanctions and compliance: countries like north korea and iran are subject to international sanctions. firms must adhere to the international sanctions regulations which require additional compliance measures. relevant links for further guidance are provided in the advisory. why enhanced due diligence matters edd helps safeguard against financial crimes that undermine economic stability and security. institutions must: evaluate and mitigate risks associated with high-risk jurisdictions. enhance policies and controls to detect unusual or suspicious transactions. ensure compliance with international and domestic regulations. call to action all entities governed by bermuda’s aml-atf framework (financial institutions, real estate brokers, casino operators, and dealers in high-value goods) must: familiarise themselves with fatf assessments. integrate these risk considerations into their anti-money laundering strategies. for more details on the advisory and sanctioned jurisdictions, see here.

recent judgments from the court of justice of the european union (cjeu) and the luxembourg district court have clarified vat obligations for luxembourg board members. on 11 december 2024, the luxembourg vat administration issued circular 781-2 to address the implications of these rulings confirming that directors who do not act on their own responsibility and do not bear the risk of the activity exercised should not be considered as a vat taxable person. here is what you need to know: key points from the circular economic activity defined: a board member’s role qualifies as an “economic activity” if they provide services for payment on a permanent basis with foreseeable remuneration. independence criteria: board members should not be considered independent if they don’t bear personal responsibility or economic risk for their activity. vat liability: services provided by board members who do not act should not fall within the scope of luxembourg vat. administrative implications self-assessment: directors and managers must evaluate their status to determine vat liability. adjustment opportunities: non-independent directors and managers registered as vat taxpayers can apply for vat adjustments for non-prescribed years (including 2018 and 2019). a streamlined process for adjustments will be available via lu during the first half of 2025. expense deduction: the administration will not challenge minor expense deductions, though significant investments may be reviewed. special cases foreign directors: directors residing outside luxembourg are exempt from adjustments; the client company is responsible for any corrections. circular n°781 reinstated: obligations under circular n°781 (suspended in 2023) are reinstated for directors qualifying as vat taxpayers. impact on companies these rulings reinforce the need for clarity on vat obligations for board members and their companies. directors should assess their roles carefully, leveraging the streamlined adjustment process to address past liabilities. these updates underline the importance of clarity regarding vat obligations for directors and their companies. the streamlined procedures offer a clear path for directors and businesses to rectify past vat issues efficiently. for further details, the circular 781-2 (in french) can be found here or visit myguichet.lu.

the virgin islands have enacted the financial investigation agency (amendment) act, 2024, an essential piece of legislation aimed at strengthening financial integrity and combating illicit financial activities. this act, gazetted on 5 december 2024, introduces significant updates to the financial investigation agency act, revised edition 2020, reflecting the territory's commitment to global standards in financial regulation and security. the financial investigation agency (fia) plays a vital role in ensuring compliance with laws designed to combat money laundering, terrorist financing, and proliferation financing. recent legislative updates provide a detailed framework for the fia’s powers, responsibilities and the obligations of designated non-financial businesses and professions (dnfbps) and non-profit organisations (npos). here is an overview: inspection powers of the fia under section 5m, fia is empowered to: inspect premises and systems: fia can examine procedures, systems, and controls of dnfbps and npos, whether within or outside the territory. review assets and documents: inspections include the ability to assess assets and make copies of documents related to the operations of dnfbps or npos. request information and explanations: officers, employees, and representatives of dnfbps and npos must provide fia with necessary information, either verbally or in writing, during any stage of the inspection process. inspection purposes inspections may be conducted for: monitoring compliance: ensuring adherence to anti-money laundering, counter-terrorism financing, and proliferation financing laws, regulations, and guidelines. investigative support: assisting in inquiries into matters under fia’s jurisdiction or supporting domestic and international investigations. notice and participation notification protocols: fia typically provides reasonable notice before an inspection. however, it may conduct unannounced inspections when circumstances warrant. collaborative oversight: domestic competent authorities or foreign financial investigation agencies may participate in inspections if their involvement is necessary and does not compromise confidentiality. confidentiality of reports inspection reports are strictly confidential and shared only: internally: with dnfbps or npos for compliance purposes. externally: with approved parties, including foreign financial investigation agencies or law enforcement, when necessary. unauthorised disclosure of these reports can lead to significant penalties, including fines. determining inspection frequency the frequency of inspections depends on: the risk profile of the dnfbp or npo. trends or typologies in financial crime. fia’s assessment of the entity’s compliance culture, controls, and operational changes. fia may also conduct reviews whenever concerns arise about a dnfbp or npo’s operations or risk management practices. obligations of dnfbps and npos entities under fia’s supervision must: fully cooperate with inspections by providing accurate information, documents, and materials. ensure compliance with anti-money laundering regulations, including preparing and submitting risk assessments. adhere to directives issued by fia, with failure to comply resulting in penalties. amendments to the principal act the recent updates also amend schedule 1 of the principal act, extending the applicability of certain provisions to dnfbps and npos, thereby aligning their obligations with those of financial institutions. dnfbps and npos are encouraged to maintain strong compliance systems and engage proactively with regulatory authorities to meet these obligations effectively. the financial investigation agency (amendment) act, 2024 can be found here.

on 29 november 2024, the european commission published on its official gazette the commission implementing regulation (eu) 2024/2984 which outlines regulatory technical standards for the preparation of forms, formats, and templates for the preparation of crypto-asset white papers. these new regulatory technical standards are part of the broader regulation (eu) 2023/1114 market in crypto-assets (micar), aiming to maximise transparency, investor protection, and market integrity. we summarise the key points below. key highlights: 1. standardised templates for white paperscrypto-asset issuers must follow specific templates to present their projects clearly and uniformly, covering different types of crypto-assets like asset-referenced tokens (arts) and e-money tokens (emts). 2. machine-readable format using xbrlwhite papers must be in xhtml format and use inline xbrl for data fields. this ensures machine-readability, enabling automated analysis and making information easier to compare across projects. 3. legal entity and service provider identifiersissuers must include their legal entity identifier (lei), and a crypto-asset service provider identifier (caspi) is required to enhance transparency and ensure proper identification of entities involved. 4. use of digital token identifiers (dtis)if available, dtis will allow issuers to skip repetition of certain details about the crypto-asset, reducing redundancy and streamlining the process. 5. human readable white paperswhile promoting machine-readability, white papers must also be accessible to retail investors, ensuring they are easy to read without specialised software. 6. xbrl taxonomy filesesma will publish xbrl taxonomy files which would guide issuers in preparing their white papers, ensuring compliance with all their legal and technical obligations. 7. compliance timelinethe regulation takes effect on 23 december 2025, giving issuers time to transition to the new requirements. the new regulatory technical standards on crypto-asset white papers aim to enhance transparency, reduce fraud, and facilitate easier comparison of crypto-assets, benefiting both investors and issuers. crypto projects will need to adopt the new standards, making their white papers more accessible and standardised across the market. issuers have time to prepare before these new regulatory technical standards come into force, allowing them to streamline compliance and improve their market presence. the commission implementing regulation (eu) 2024/2984 can be found here.

on 29 november 2024, the european commission adopted new regulatory technical standards to supplement the eu regulation 2023/1114 on markets in crypto-assets (micar). these regulatory technical standards specify the content and format of order book records for crypto-asset service providers (casps) operating crypto-asset trading platforms (catps). the move comes as part of the eu’s broader effort to regulate the rapidly growing crypto-asset market and ensure greater transparency and consumer protection. the new regulatory technical standards outline detailed requirements for catps, specifically related to requirements of maintaining records for crypto-asset orders. these records must be made available to competent authorities, ensuring that data related to crypto-asset transactions is accessible for regulatory oversight. key provisions include: order data: catps must provide to the competent authority detailed data on all orders, including information on parties involved, trading capacity, order types, pricing, and strategy. identity verification: there is a requirement for catps to identify both natural persons and legal entities using designated identifiers, ensuring transparency regarding the person performing trading. keeping records: catps must accurately keep records of matters relating to crypto-asset orders. data access: the new regulatory technical standards promote the use of standardised electronic and readable formats, developed under the iso 20022 methodology, providing efficient and secure data sharing between platforms and competent authorities. identification codes: there is an obligation for catps to keep an individual identification code (iic) for crypto-asset orders as well as trading transaction identification codes (ttics). the new regulatory technical standards will now undergo examination by the council of the eu and the european parliament. if there are no objections, it will be published in the official journal of the eu and will come into force 20 days later, marking an important step in the implementation of micar. the new regulatory technical standards can be found here.

on 4 december 2024, the bermuda monetary authority (bma) proposed significant amendments to the insurance act 1978 to enhance its regulatory framework for group supervision. these proposals aim to improve the oversight of insurance groups, ensuring that bermuda maintains its reputation as a robust international financial centre. below, we explore the key proposals and their potential impact on bermuda’s insurance industry. 1. mandatory group supervision for bermuda-based groups the bma would require mandatory supervision of insurance groups with ultimate parent entities incorporated in bermuda. this ensures comprehensive oversight of such groups’ global operations. groups will be notified, and representations considered before supervision begins. consultation question: do you have concerns about mandatory supervision for bermuda-based groups? 2. withdrawal as group supervisor the bma proposes clearer rules for stepping down as group supervisor when criteria, such as the location of the ultimate parent, are no longer met. this ensures seamless transitions without regulatory gaps. consultation question: are there challenges with the proposed withdrawal process? 3. defining and registering insurance holding companies the term "insurance holding company" would be formally defined, and the bma would register and designate key holding entities for group supervision. registration will involve no fees, with names published for transparency. consultation question: do you support the definition and registration of insurance holding companies? 4. supervisory powers over holding companies the bma seeks direct powers to supervise designated holding companies, including imposing penalties, objecting to officer appointments, and managing compliance. proportional enforcement ensures fairness for groups of varying complexity. consultation question: are the proposed powers sufficient and appropriate? 5. oversight of shareholder changes the bma would require prior notification of shareholder control changes or major structural adjustments like mergers. this oversight ensures group stability and policyholder protection. consultation question: are there concerns about notification requirements for material changes? 6. transition period and amendments in addition to the proposals above, the bma has suggested consequential amendments to various statutory instruments, including replacing references to 'designated insurer' with 'designated insurance holding company.' existing structures will not be grandfathered, but a one-year transition period will be provided to allow insurance groups and the bma to prepare for these enhancements. the industry is invited to provide feedback on the proposals by 15 january 2025. the consultation paper can be found here.

on 22 november 2024, the european commission updated its frequently asked questions on sanctions against russia and belarus (the faqs). the update explains the "best efforts" obligation under article 8a of council regulation (eu) no 833/2014 (regulation 833) on the eu sanctions compliance obligations of eu operators and entities outside the eu, including those in russia, that such operators own or control. this places a critical responsibility on eu operators to prevent any actions outside the eu that could undermine the prohibitions outlined in regulation 833. the "best efforts" obligation the obligation aims to ensure that eu operators take necessary actions to prevent violations of the prohibitions under regulation 833. it applies to eu operators and entities owned or controlled by eu operators but located outside the eu, including those in russia. since 24 june 2024, article 8a of regulation 833 (which can be accessed here), has explicitly stated that: "natural and legal persons, entities and bodies shall undertake their best efforts to ensure that any legal person, entity or body established outside the union that they own or control does not participate in activities that undermine the restrictive measures provided for in this regulation." (emphasis added). this reinforces the obligation of eu operators to take proactive steps to ensure compliance by their controlled entities outside the eu. key points responsibility of eu operators: eu operators must take appropriate steps such that their non-eu entities comply with regulation 833, as relevant and consistent with the best efforts obligation. they must also take all reasonable steps to prevent activities which undermine eu sanctions. meaning of "best efforts": operators are expected to take all suitable and necessary actions based on their size, nature, and specific factual circumstances. such factual circumstances include the level of effective control over the entity located outside the eu and available compliance resources. the eu operator’s nature and size include among others its market sector, risk profile, turnover and number of staff. however, it is acknowledged that situations may arise where local laws in third countries make it impossible for an eu operator to exercise control. in such cases, the "best efforts" obligation should take into account the specific challenges posed by the operator’s environment, such as the degree of control over the entity and any external factors beyond their influence. the guidance focusses on cases where a loss of control over the non-eu entity is caused (or engineered) by the eu operator or where the eu operator contributed in the loss of control. suggested measures implementing compliance programmes providing sanctions training establishing mandatory reporting systems proactive management of risks maintenance of awareness of their non-eu entities’ activities public commitments to uphold eu sanctions circulating newsletters and sanctions advisories proactively address any known or suspected violations by controlled entities reporting any sanctions violations to the eu operator that has ownership or control to meet the "best efforts" obligations, businesses should assess risks, adopt appropriate measures, and report breaches. distinction between circumvention and undermining: interestingly a distinction has emerged between circumvention on the one hand which is described as deliberately bypassing sanctions (eg, exploiting legal loopholes) and a newer concept of “undermining” sanctions on the other which are actions achieving outcomes that sanctions are meant to prevent (eg, restricted goods or services indirectly benefiting sanctioned economies). liability risks for eu operators: if an eu operator knows that a controlled entity violates sanctions and does not take any action, they could be held accountable. failing to act on awareness of sanction breaches by controlled entities can result in liability. operators may face penalties if their entities outside the eu produce or trade restricted goods benefiting sanctioned economies. the faqs on "best efforts" obligation are available here.