Cayman Islands – CIMA’s Review of VASPs

After approval is granted by CIMA, VASPs have certain ongoing statutory obligations, which are in addition to any event-driven filings e.g. VASPs are required to submit an annual AML Return and quarterly Travel Rule Return to CIMA. CIMA leverages software to automate both (1) the collection and analysis of data relating to the cross-border transactions conducted by VASPs and (2) the scoring of inherent risks and controls in relation to VASPs.

CIMA commenced its risk-based AML/ CTF on-site inspections of VASPs to assess their AML/CTF policies, procedures, systems and controls in 2023 – in particular, for compliance with the requirements of the Anti-Money Laundering Regulations, the CIMA Guidance Notes on the Prevention and Detection of AML/ CTF and CPF and the Travel Rule.

Since then, CIMA has conducted a Thematic Desk-based Review of 11 regulated VASPs from September 2024 to February 2025 (“Desk-Top Review”), including a mixture of both virtual asset exchanges and virtual asset custody service providers – the key findings of the Desk-Top Review were published in November 2025. The most important learning point from the Desk-Top Review is that as the VASP regime is nascent, VASPs must continue to regularly monitor changes and take proactive steps to remain compliant with ongoing regulatory obligations.

In addition to the Desk-Top Review, CIMA has also published a separate Supervisory Circular on 18 September 2025 relating to more specific AML/ CTF related considerations (“AML/ CTF Review”).

A summary of the key findings of both the Desk-Top Review and AML/ CTF Review (together, the “CIMA Reviews”) are set out below:

1. Corporate governance deficiencies – while the VASP Act has been amended since first enactment, so that now three (3) Directors are required (including at least one independent Director with no vested interest in the VASP), CIMA still noted that 27% of VASPs reviewed did not meet this requirement and 36% were operating without any formal succession planning for the governing body and key senior management.
2. Inadequate cybersecurity governance – the Desk-Top Review showed that 27% of VASPs had not appointed a qualified CISO or CIO and had insufficient documentation on IT and cybersecurity audits. A staggering 82% of VASPs reviewed lacked any cybersecurity insurance. Further deficiencies were identified in data protection, IT controls and in the oversight of outsourced arrangements.
3. Inadequate virtual asset custody policy – while the Rule and Statement of Guidance – Virtual Asset Custodians and Virtual Asset Trading Platforms was only published by CIMA in December 2024 and CIMA acknowledged in the Desk-Top Review that VASPs would need more time to comply, CIMA found that 40% of the VASPs reviewed had inadequate policies for virtual asset custody services.
4. Deficiencies in business continuity planning – the Desk-Top Review showed inadequate business continuity planning, including examples of Business Continuity Plans (“BCP”) not in compliance with the applicable Statement of Guidance and no board approval, testing or independent review of the BCP.
5. Inadequate risk assessments. Customer risk assessments that are not up-to-date, not adequately documented or do not demonstrate that all risk factors (e.g. jurisdiction of operation, transactions and delivery channels) have been considered.
6. Inadequate assessment of technology solutions. Inadequate assurance reviews for technology solutions to ensure systems are operating effectively e.g. screening for sanctions and adverse media, e-KYC and on-chain analytic tools.
7. Missing KYC. Missing customer due diligence and absence of verification on customer files (e.g. failure to maintain constitutional documents for customers who are legal persons) and failure to appropriately categorize higher risk customers e.g. PEPs as high-risk customers requiring EDD.
8. No ongoing monitoring. Some instances were identified in the AML/ CTF Review of no ongoing monitoring of business relationships, on either a timely basis, or at all.
9. Employee issues. Lack of escalation and staff understanding of a VASP’s transaction monitoring system. In addition, examples of only very generic employee training, which did not cover the regulatory framework relevant to the Cayman Islands and gaps in the maintenance of records to demonstrate adequate AML/ CTF/ CPF training had been provided to employees were stated in the AML/ CTF Review.
10. Inadequate sanctions compliance. Failure to carry out ongoing sanctions screening after onboarding, inadequate record keeping of name matches and of the rationale for clearing or dismissing alerts. In addition, the AML/ CTF Review found a failure of policies and procedures to set out a clear path for handling on-chain transactions alerts, by not setting out who at the VASP can approve transactions related to higher-risk exposure and for treatment of exposure to sanctions entities and jurisdictions.
11. Oversight of the compliance function. Inadequate board oversight of the VASP’s AML/ CTF compliance function e.g. board packs and minutes not indicating any discussion of AML/ CTF issues, lack of evidence of board approval of AML policies and procedures and lack of outsourcing agreements.
12. No AML/CTF audit. CIMA found instances of no internal audit function having been established and AML/ CTF audits not being conducted at all/ not conducted by an operationally independent person.
13. Gaps in record keeping. Poor record management systems to ensure the timely provision of information to CIMA e.g. CDD, transactions records or sanctions screening.
14. Financial position. In instances where VASPs had not yet achieved profitability, supplementary information is required to be submitted to CIMA to support the assessment that it remains as a going concern with sufficient resources to meet its financial obligations as required. This means that in practice, VASPs must develop robust policies, procedures and control to adequately manage financial and liquidity risk.
15. Failure to notify CIMA of key changes. CIMA noted instances where changes to key personnel or business operations of a VASP had not been communicated in a timely manner to CIMA/ approval sought where required. For example, (i) appointments of senior officers require the prior approval of CIMA, (ii) any penalties imposed, enforcement action or litigation proceedings brought against the VASP in another jurisdiction must be reported to CIMA within 30 days, and (iii) any cybersecurity incident must be reported to CIMA within 30 days.

The registration of a VASP (AC Holding Limited) was recently cancelled by CIMA on 5 June 2025 for multiple deficiencies by the VASP to provide documents to CIMA, for failing to put into place AML systems and procedures, in addition to breaches of other CIMA Rules e.g. Rule on Corporate Governance and Rule on Internal Controls.

This enforcement action underscores CIMA’s serious approach to regulatory compliance and its readiness to take decisive action where breaches are not remedied.

View Full PDF