Skip to main content

Preparing for an AML/ATF onsite visit from the Bermuda Monetary Authority

Oct 28, 2024

Advisory
A sleek black pen with 'Walkers' branding lies atop a closed notebook, both featuring raised 'Walkers' logos.

Key takeaways

  • The Bermuda Monetary Authority conducts AML/ATF onsite supervisory visits on regulated entities across all sectors. 
  • It is important to be prepared for an onsite, understand the process and ensure common pitfalls are avoided.  Breaches of AML/ATF requirements can and do lead to enforcement action. 
  • We anticipate an increased level of onsite reviews and potentially, an increase in enforcement action in the lead up to Bermuda's next mutual evaluation by the Caribbean Financial Action Task Force due to commence in 2026. 

Introduction 

The Bermuda Monetary Authority ("BMA") routinely conducts on-site inspections on regulated entities. These onsite visits are conducted across all financial services sectors on an increasing basis. Digital asset businesses, investment businesses, and insurance and banking sector clients need to be ready to have the AML/ATF policies, procedures, and controls in place scrutinised. If those controls are deemed not to meet regulatory requirements, there is a strong possibility of enforcement action. It is important to be prepared and understand the process.  

Pre-inspection process 

A regulated entity will receive a notification of the inspection in a written notice from the BMA, together with a request for a list of documentation to be provided by a certain date, ordinarily 2-3 weeks from the date of the notice. 

Regulated entities should expect to be asked to provide information and documentation such as:

  • evidence of oversight and governance, including board minutes and board meeting agendas;
  • a description of the products and services offered;
  • the most recent business plan;
  • AML/ATF and sanctions policies and procedures;
  • the most recent AML/ATF and sanctions business risk assessment and risk appetite statements;
  • structure and organisation charts;
  • details relating to the Money Laundering Reporting Officer ("MLRO") and Compliance Officer;
  • detailed reports regarding matters such as the number of politically exposed person ("PEP") customers, the number of high-risk customers and the number of internal and external suspicious activity reports filed;
  • audit reports;
  • staff training logs and training materials; and 
  • a client list. 

The information obtained during the onsite inspection process remains confidential between the regulated entity and the BMA.

Onsite inspection process 

The process will commence with a kick-off meeting, where the BMA will describe the process that they will be going through. In addition, senior management of the regulated entity will have the opportunity to present to the BMA in relation to matters such as senior management personnel and expertise, the licence held, activities performed, business model, the business plan, its AML/ATF and sanctions programme and any outsourcing or reliance arrangements. The kick-off meeting should be seen as an opportunity to set the scene for a positive onsite review.

Following this, the BMA will likely conduct interviews of the MLRO, Compliance Officer, directors, and certain front-line staff. This will be to test personnel knowledge and understanding of the AML/ATF programme. 

A senior member of staff should be appointed to coordinate the meetings and should be available at all times to respond to BMA requests. 

File review

From the client list, the BMA will request a random selection of client files for review. Files will be reviewed to ensure clients were onboarded to Bermuda standards and to the standards set out in the entity's policies (if higher). In particular, the BMA will be looking to ensure all standard customer due diligence requirements are met, simplified due diligence is only applied within the statutory perimeters and that enhanced due diligence has been applied to high-risk clients, including PEPs. In addition, the BMA will review the customer risk rating, looking at whether this is appropriate, and whether the level of due diligence is commensurate with the risk rating. 

Post-inspection process 

The inspection team will provide the regulated entity with a list of findings following the review. The entity will typically have 2-4 weeks to respond.  

How we can help

Walkers has extensive experience in assisting regulated entities to prepare for an inspection. We support clients with compliance and with responding to regulatory enforcement action. We offer mock onsite reviews to allow clients to be prepared ahead of the regulator visiting. This includes:

  • interview preparedness sessions, so the regulator interview and the questions asked do not come as a surprise to any individual. 
  • reviewing written policies and procedures and advising on whether they meet legal and regulatory requirements.
  • reviewing a sample of files to check the customer risk rating and due diligence is adequate; and 
  • assisting with preparing for a well-run kick-off meeting.
     
 

Authors

Key contacts

Get in touch with our team

Get the latest insights and expertise in your inbox 

Fluid ink image
Sign up