This supervisory circular (the “Circular”) describes how the Cayman Islands Monetary Authority (“CIMA” or the “Authority”) monitors the Virtual Asset Service Providers’ (“VASPs”) compliance with anti-money laundering (“AML”), countering the financing of terrorism (“CFT”), countering proliferation financing (“CPF”) and targeted financial sanctions (“Sanctions”) (collectively, “AML/CFT”) regulatory requirements within the Cayman Islands. All financial service providers (“FSPs”) may also find this publication helpful in strengthening aspects of their respective AML/CFT compliance programmes.
The Authority was designated as the supervisor for VASPs with the commencement of the Virtual Asset (Service Providers) Act in 2020 (now 2024 Revision) (the “VASPA”). As of 31 July 2025, the Authority has 19 registered VASPs under the VASPA. The VASPs that are registered by CIMA carry out virtual asset service business in or from within the Cayman Islands. This includes the transfer of virtual assets, custody services, issuance of virtual assets, exchange of virtual assets for fiat currency or other virtual assets, or the provision of financial services relating to the sale of virtual assets.
The Authority takes a risk-based approach (“RBA”) in determining the frequency and focus of on-site and off-site AML/CFT supervision of VASPs. A range of supervisory activities are used to ensure effective and efficient supervision. Key examples include on-site inspections and desk-based reviews.
This RBA considers the AML/CFT risks and mitigation measures associated with registered VASPs. This is aided by the requirement for VASPs to submit returns for specific AML/CFT information, namely the annual AML Return (formerly known as the AML Survey), and the quarterly Travel Rule Return, which, amongst other things, allows the Authority to analyse data of cross-border transactions conducted by VASPs. The results are processed by Strix, a SupTech software, to automate the collection, analysis, and scoring of AML inherent risk and controls data from regulated entities. Strix maintains a live risk rating tool, which impacts our supervision. The rating also considers factors such as adverse media, intelligence received, and the nature of findings relating to inspections (as well as remediation). This is an example of how the Authority continues to enhance and leverage technology to automate routine processes and free up valuable supervisory resources to focus on tasks that require human judgement, expertise and experience.
The RBA also considers the inherent AML/CFT risks identified for the sector through the Cayman Islands’ National Risk Assessment.
In 2023, the Authority commenced its risk-based AML/CFT On-site Inspections of the VASPs to assess their AML/CFT policies, procedures, systems, and controls. The Authority conducted AML/CFT On-site Inspections to determine whether VASPs met the requirements of the Anti-Money Laundering Regulations (“AMLRs”), the Guidance Notes on the Prevention and Detection of Money Laundering, Terrorist Financing and Proliferation Financing in the Cayman Islands (2020 Revision) (the “AML Guidance Notes”) (now in their 2024 Revision), as well as other applicable legislation and accepted standards of best practice. This included assessment of compliance with the Travel Rule, the requirement for VASPs to obtain and hold originator and beneficiary information on virtual asset transfers.
From 2023 to date, the Authority has continued its risk-based approach to AML/CFT supervision of VASPs to assess their compliance with their AML/CFT obligations and compliance with the applicable laws and regulations. From September 2024 to February 2025, the Authority conducted a targeted Desk-based Review (the “Review”) pursuant to section 6(1)(b) of the Monetary Authority Act (2020 Revision) (as amended) (the “MAA”) and section 24(1)(c) of the VASPA.
The AMLRs and AML Guidance Notes require all VASPs to put in place AML/CFT policies, procedures, systems, and controls appropriate for the nature, size, and complexity of their businesses. The Authority noted the following key findings and observations from the Inspections and Reviews conducted to date:
Regulation 8 of the AMLRs, and Part II Section 3 and Part IX Section 1.C-D of the AML Guidance Notes outline to VASPs how to assess risk and apply an RBA relative to their identified AML/CFT risks.
The Authority noted instances where customer risk assessments were either not documented or did not demonstrate that all relevant risk factors had been considered and kept up to date.
The Authority noted instances where business risk assessments and customer risk assessments were not adequately documented, or kept up to date, and not all relevant risk factors were considered from key categories, namely customers, jurisdiction of operation, transactions, and delivery channels.
Regulation 8 of the AMLRs, and Part II Section 3.D.13-17, 3.G and 16.E.14 of the AML Guidance Notes outline the factors that VASPs should consider when relying on technology solutions for their AML/CFT Compliance.
The Authority noted instances where risk assessment and adequate assurance reviews for technology solutions were lacking to ensure they were operating effectively. Examples of such technological solutions include screening for sanctions and adverse media, e-KYC, transaction monitoring, and on-chain analytic tools.
Regulations 10–28 of the AMLRs, and Part II Sections 4-6, 16 and Part IX Sections 1.E-F of the AML Guidance Notes outline customer identification, verification, and ongoing monitoring.
The Authority noted instances of missing customer due diligence and the absence of verification on customer files using reliable, independent source documents, data and information. This included a failure to maintain the constitutional documents as part of identification and verification procedures for customers that are legal persons.
A lack of enhanced customer due diligence (“EDD”) was identified in circumstances when it was required not only under the AMLRs and AML Guidance Notes, but also under the VASP’s policies and procedures. The Authority also observed a lack of documented procedures for EDD and for the identification and verification of beneficial owners of customers, and of directors that control its customers, who were legal persons.
For some VASPs, a group of customers were not subjected to EDD despite them being politically exposed persons, and for another group, despite the identification of unusual or suspicious activity. EDD was also not conducted for a further group of customers despite originating from a country identified by credible sources (e.g. the Financial Action Task Force and the World Bank) as having serious deficiencies in its AML/CFT regime or a prevalence of corruption.
The Authority observed occasions where the ongoing monitoring of business relationships was not conducted on a timely basis (or at all) and where evidence of the scrutiny of transactions was missing. A lack of escalation and of staff understanding of a VASP’s transaction monitoring system was also noted. A lack of procedures was also observed for the scrutiny of fiat currency transactions during a business relationship to ensure they were consistent with the VASP’s knowledge of the customer.
Regulation 5(a)(v) and (viiib) and Part II Sections 13-15 and Part IX Section 1.H of the AML Guidance Notes outline the requirements for sanctions compliance policies, procedures, systems and controls.
The Authority found instances of policies and procedures relating to sanctions risks either missing or not being those applicable to the Cayman Islands. Procedures were also identified that failed to include the obligation in certain circumstances to freeze funds and to report to the Financial Reporting Authority.
Inadequate evidence was observed that sanctions screening had been conducted on all customers at onboarding and on an ongoing basis. Inadequate record keeping of name matches and of the rationale for clearing or dismissing alerts was also observed. In some instances, policies and procedures were noted as inadequate for handling on-chain transaction alerts by failing to set out who can approve transactions related to higher-risk exposure and for the treatment of exposure to sanctioned entities and sanctioned jurisdictions.
Regulations 3(1) and 5(e) of the AMLRs, and Part II Section 2(C), (2) and (5) of the AML Guidance Notes outline the requirements to designate a person at the managerial level as the Anti-Money Laundering Compliance Officer (“AMLCO”) who periodically reports directly to the Board of Directors (the “Board”) or equivalent.
The Authority observed occasions of inadequate Board oversight of the VASPs’ AML/CFT Compliance Function. For example, Board meeting packages and meeting minutes did not indicate discussion of AML/CFT issues, and evidence was lacking that the Board had approved or reviewed AML policies and procedures.
Regulation 3(2) of the AMLRs and Part II Sections 2(C), (9)-(14) and Section 10(C) of the AML Guidance Notes set out the requirements and/or considerations before and/or after placing reliance on, or outsourcing/delegating, the performance of the VASPs' AML/CFT Compliance Function, including for intergroup arrangements.
A lack of outsourcing agreements was observed; such agreements would have demonstrated the requirement that the VASPs retain ultimate responsibility for compliance with their AML/CFT obligations.
Regulation 5(a)(ix) of the AMLRs and Part II Section 10(B) and Part IX Section 1.D of the AML Guidance Notes outline the requirements for putting in place an appropriate and effective risk-based independent audit function to perform periodic AML/CFT audits to evaluate AML/CFT systems or controls.
The Authority observed instances where AML/CFT audits were not being conducted, as well as instances where the audits were not conducted by an operationally independent person.
Regulation 5(c) and 5(d) of the AMLRs and Part II Section 10(E) of the AML Guidance Notes also outline the AML/CFT employee training and awareness guidance and/or requirements.
The Authority noted that AML/CFT training did not always cover the regulatory framework relevant to the Cayman Islands. For example, AML/CFT training material was sometimes generic in its application or referred to other jurisdictions.
Part II Section 8 of the AML Guidance Notes outlines the general record-keeping requirements for all FSPs, including VASPs, in order to demonstrate compliance with Regulation 5 and Part VIII of the AMLRs. Regulations 31 and 49A-P of the AMLRs and Part IX Section 1.G and 1.J of the AML Guidance Notes outline the requirements for record-keeping procedures to be maintained by VASPs. Further, Regulation 31(2) of the AMLRs and Part II Section 8(E) of the AML Guidance Notes reiterate that VASPs shall ensure that those records will be available to the Authority upon request.
The Authority observed gaps in the maintenance of records to demonstrate that adequate AML/CFT/CPF training had been provided to employees.
A lack of record management systems was noted that would have otherwise ensured the timely provision of information to the Authority without delay, e.g. evidence of customer due diligence, transaction records or sanctions screening. An instance was also identified where the VASP had failed to maintain records of the results of any analysis undertaken as part of its ongoing monitoring of fiat currency transactions. Another VASP lacked systems and procedures to ensure compliance with the travel rule.
The Authority observed instances of inadequate verification of information obtained regarding originator and beneficiary information on virtual asset transfers. Delays were also noted in the submission of quarterly travel rule returns.
The registration of one (1) VASP was cancelled on 5 June 2025. This VASP had deficiencies in the following areas, which also breached the Rule on Corporate Governance, the Rule on Internal Controls, and the document and information request provision under the VASPA:
Where the Authority notes deficiencies through inspections and desk-based reviews, it issues a report that provides information on the deficiencies identified and includes actions to remediate the identified issues within specified timeframes set by the Authority (“Requirements”).
In general, the Authority has observed that VASPs have taken the necessary steps to meet the Requirements. During the remediation process, VASPs engaged with the Authority through submission of progress reports and meetings, to provide updates on remediation progress and seek clarification of the requirements, as necessary. The VASPs recognised the level of importance of remediation, with their senior management actively involved in the process. The Requirements which have been issued by the Authority for VASPs are being remediated within the set remediation timeframes, or approved extended timeframes.
The Authority, as previously noted, utilises Strix to collect the VASP Travel Rule Return. This provides the Authority with data relating to the incoming and outgoing transfers within the VASP sector and allows the Authority to analyse the flow of funds as it relates to the originator, the beneficiary, as well as the geographic locations of these transactions. The data collected assists the Authority with identifying trends and subsequent risks in relation to the movement/transfer of virtual assets.
In 2024, CIMA commenced sample testing of transactions based on data submitted in VASP Travel Rule Returns. The associated transaction details and supporting documents are analysed, and the counterparties to the transactions, being the originators and/or beneficiaries of transactions, are screened for TFS risk exposure, identification and verification. For 2024, CIMA reviewed 320 transactions to test, among other things, the adequacy of customer due diligence and sanctions screening, and CIMA screened all 68 parties for targeted financial sanctions compliance.
The Authority noted good compliance levels in many areas following the first round of inspections of VASPs. However, there were notable deficiencies, particularly around customer risk assessment, sanctions screening, due diligence, transaction monitoring and record keeping. The Authority expects VASPs to address identified deficiencies in a timely and thorough manner.
The Authority continues to expect that all VASPs will take note of these findings and act to ensure that their own AML/CFT compliance frameworks meet the standards prescribed and periodically assess their AML/CFT compliance programmes to ensure that they are appropriate for the nature, size, and complexity of their business.
The Authority will continue to promote its supervisory mandate through both off-site monitoring and on-site inspection processes. All FSPs are reminded that any breach of a law, regulation or rule may result in enforcement action. This may also include, or be in addition to, the imposition of an administrative fine for any breach of the AMLRs.