Background to VASP inspections
The Cayman Islands introduced the Virtual Asset (Service Providers) Act (the VASP Act) with effect in 2020, requiring any person carrying on a "virtual asset service" in the course of a business using a Cayman Islands entity or otherwise from within the Cayman Islands (each a virtual asset service provider or VASP) to be approved by the Cayman Islands Monetary Authority (CIMA).
As of 31 July 2025, there were 19 VASPs registered with CIMA. Since these are relatively new regulated entities operating within a new regulatory regime, it is unsurprising that CIMA decided to embark on an inspection programme of the VASPs to verify compliance.
On 18 September 2025, CIMA published a supervisory circular reporting on its first round of VASP inspections.
CIMA's approach to the inspections
CIMA commenced on-site inspections in 2023 and, from September 2024 to February 2025, also conducted a targeted desk-based review. The inspections focused on compliance with anti-money laundering, countering the financing of terrorism, countering proliferation financing and targeted financial sanctions (collectively, AML/CFT) regulatory requirements within the Cayman Islands.
CIMA's key findings
Assessing risk and applying a risk-based approach
- Customer risk assessments were either not documented or did not demonstrate that all relevant risk factors had been considered and kept up to date.
- Business risk assessments and customer risk assessments were not adequately documented, or kept up to date, and not all relevant risk factors were considered from key categories, namely customers, jurisdiction of operation, transactions, and delivery channels.
Reliance on technology solutions for AML/CFT compliance
- Risk assessments and adequate assurance reviews of technology solutions, needed to ensure they were operating effectively, were lacking. Examples of such technological solutions include screening for sanctions and adverse media, e-KYC, transaction monitoring, and on-chain analytic tools.
Customer Due Diligence and ongoing monitoring programmes
- Missing customer due diligence and the absence of verification on customer files using reliable, independent source documents, data and information - this included a failure to maintain the constitutional documents as part of identification and verification procedures for customers that are legal persons.
- A lack of enhanced customer due diligence (EDD) was identified in circumstances when it was required not only under the Anti-Money Laundering Regulations (AMLRs) and the Guidance Notes on the Prevention and Detection of Money Laundering and Terrorist Financing in the Cayman Islands, but also under the VASP's policies and procedures.
- A lack of documented procedures for EDD and for the identification and verification of the beneficial owners, and of the controlling directors, of customers who were legal persons.
- For some VASPs, a group of customers were not subjected to EDD despite them being politically exposed persons, and for another group, despite the identification of unusual or suspicious activity. EDD was also not conducted for a further group of customers despite originating from a country identified by credible sources (e.g. the Financial Action Task Force and the World Bank) as having serious deficiencies in its AML/CFT regime or a prevalence of corruption.
- Ongoing monitoring of business relationships was not always conducted on a timely basis (or at all), evidence of the scrutiny of transactions was missing, and a lack of escalation and of staff understanding of a VASP's transaction monitoring system was also noted.
- A lack of procedures was also observed for the scrutiny of fiat currency transactions during a business relationship to ensure they were consistent with the VASP's knowledge of the customer.
Sanctions compliance
- Policies and procedures relating to sanctions risks were either missing or not those applicable to the Cayman Islands. Procedures were also identified that failed to include the obligation in certain circumstances to freeze funds and to report to the Financial Reporting Authority.
- There was inadequate evidence that sanctions screening had been conducted on all customers at onboarding and on an ongoing basis. There was inadequate record keeping of name matches and of the rationale for clearing or dismissing alerts. In some instances, policies and procedures were noted as inadequate for handling on-chain transaction alerts, as they failed to set out who can approve transactions related to higher-risk exposure and how exposure to sanctioned entities and sanctioned jurisdictions should be treated.
Oversight of the compliance function
- Inadequate Board oversight of the VASPs' AML/CFT Compliance Function. For example, Board meeting packages and meeting minutes did not indicate discussion of AML/CFT issues, and evidence was lacking that the Board had approved or reviewed anti-money laundering policies and procedures.
Outsourced AML/CFT compliance functions
- Lack of outsourcing agreements, which would have demonstrated the requirement that VASPs retain ultimate responsibility for compliance with their AML/CFT obligations.
Independent AML/CFT audit function
- AML/CFT audits were not being conducted, and there were also instances where the audits were not conducted by an operationally independent person.
Employee training and awareness
- AML/CFT training did not always cover the regulatory framework relevant to the Cayman Islands. For example, AML/CFT training material was sometimes generic in its application or referred to other jurisdictions.
Record keeping and travel rule compliance
- Gaps in the maintenance of records to demonstrate that adequate AML/CFT training had been provided to employees.
- Lack of record management systems that would otherwise have ensured the provision of information to CIMA without delay, e.g. evidence of customer due diligence, transaction records or sanctions screening. An instance was also identified where the VASP had failed to maintain records of the results of any analysis undertaken as part of its ongoing monitoring of fiat currency transactions. Another VASP lacked systems and procedures to ensure compliance with the travel rule.
- Inadequate verification of originator and beneficiary information obtained on virtual asset transfers. Delays were also noted in the submission of quarterly travel rule returns.
AML/CFT off-site monitoring of VASPs
Where CIMA had noted deficiencies through inspection and desk-based reviews, it issued reports to those VASPs requiring remedial action within specified timeframes (referred to as requirements).
In general, CIMA observed that VASPs have taken the necessary steps to meet the requirements. During the remediation process, VASPs engaged with CIMA through submission of progress reports and meetings, to provide updates on remediation progress and seek clarification of the requirements, as necessary. The VASPs recognised the level of importance of remediation, with their senior management actively involved in the process. The requirements which have been issued by CIMA for VASPs are being remediated within the set remediation timeframes, or approved extended timeframes.
CIMA's conclusion
CIMA noted good compliance levels in many areas following the first round of inspections of VASPs. However, there were notable deficiencies, particularly around customer risk assessment, sanctions screening, due diligence, transaction monitoring and record keeping. The Authority expects VASPs to address identified deficiencies in a timely and thorough manner.
CIMA continues to expect that all VASPs will take note of these findings and act to ensure that their own AML/CFT compliance frameworks meet the standards prescribed and periodically assess their AML/CFT compliance programmes to ensure that they are appropriate for the nature, size, and complexity of their business.
CIMA will continue to promote its supervisory mandate through both off-site monitoring and on-site inspection processes. CIMA reminded all financial services providers that any breach of a law, regulation or rule may result in enforcement action. This may also include, or be in addition to, the imposition of an administrative fine for any breach of the AMLRs.
How should VASPs respond to the CIMA findings?
This was the first round of CIMA inspections of VASPs. It is clear that CIMA identified a number of areas for improvement.
Good record-keeping is essential to demonstrate compliance. CIMA expects senior management to engage actively in oversight of AML/CFT compliance, and it is not sufficient just to delegate this to AML officers without Board review. On training, large organisations will often approach this at a global level, but without sufficient localisation to take into account Cayman Islands requirements.
CIMA has enforcement tools available where deficiencies are not remedied, and as noted in the circular, CIMA cancelled the registration of one VASP in June 2025, so although the next round of inspections may not take place for some time, there is no room for complacency.
With deep experience advising VASPs on compliance and inspections, we are here to help clients navigate these requirements with confidence.