Written by: Iris, Bai Qin
Since the release of the 2020 VASP regulatory framework "Virtual Asset (Service Providers) Regulations, 2020", the popular offshore destination Cayman Islands has successively issued four key decrees and documents, gradually building a complete VASP compliance system covering registration and licensing, anti-money laundering, governance structure, regulatory enforcement and other dimensions, including:
Transitional regulations after the implementation of the VASP Act 2020 (Virtual Asset (Service Providers) (Savings and Transitional) Regulations, 2021)
Virtual Asset (Service Providers) (Amendment) (No.2) Act, 2023 (Commencement) Order, 2024
A comprehensive revised version of the VASP regulatory bill that has been revised several times since 2020: the Virtual Asset (Service Providers) Act (2024 Revision)
The latest amendment to the VASP Act, the Virtual Asset (Service Providers) (Amendment) Act, 2024, was released at the end of 2024.
The Cayman virtual asset compliance system has moved from the construction of a basic framework to the stage of deepening governance. It has also sent a clear signal to all Web3 project parties, funds and virtual asset service providers that hope to land in the Cayman Islands and expand into the international market: the compliance threshold has been raised, the governance requirements have been upgraded, and false compliance "edge balls" will no longer have room to survive.
Now it is 2025. The Cayman Islands will implement revised cryptocurrency licensing regulations from April 1, requiring all virtual asset service providers (VASPs) (including trading platforms and custody services) to obtain a license issued by the Cayman Islands Monetary Authority (CIMA), and existing virtual asset service providers to submit a license application before June 29, 2025.
So, what is the core of this document?
Compared with previous policies, what further strengthenings have been made?
After this series of revisions, will there be a shift in the VASP regulatory policy of the Cayman Islands, once one of the most popular overseas destinations?
For Web3 entrepreneurs who are interested in settling in Cayman, how should they adjust their strategies?
Attorney Mankiw will sort them out for you one by one below.
Cayman VASP latest amendment bill
The Virtual Asset (Service Providers) (Amendment) Act, 2024 was issued on December 19, 2024, aiming to further improve and strengthen the regulatory system for virtual asset service providers (VASPs). Overall, the amendments cover six core areas:
1. Industry definition
New terms and definitions include "Convertible Virtual Asset" and "Senior Officer". At the same time, the definitions of "Director" and "Shareholder" are refined, and definitions such as related party shareholdings and requirements for identifying beneficial owners are added.
In addition, outdated terms and definitions such as "existing licensee", "fintech service", and "operator" have been deleted.
For example, in the Sandbox license application, the applicant is the "Supervised Person" and the old term "existing licensee" is no longer used; the fee name is clarified and unified as "prescribed sandbox licence fee".
2. Registration and licensing
The amendment first clarifies that natural persons can no longer register or hold licenses, and all VASP applicants must be legal entities.
Secondly, the amendments refine the dual-track division of registration and licensing. Low-risk businesses, such as non-custodial wallet services and basic technology providers, can choose to register for filing, while high-risk businesses, such as custody, transaction matching, platform operation, and issuance services, must apply for a full license.
In addition, entities that are not registered or licensed by CIMA are not allowed to claim that they are regulated by CIMA. Failure to do so will constitute an illegal act.
In addition, all application fees, annual fees, and license fees are non-refundable regardless of whether the application is approved. After the VASP application is approved, the applicant must pay the fees within 30 days, otherwise the approval will be void.
3. Operation requirements
In terms of governance structure, the amendment requires that each licensed VASP must have at least three directors, at least one of whom must be an independent director, in order to prevent internal conflicts of interest and enhance the independence and transparency of the board of directors.
In terms of business activities, VASPs must strictly follow the approved business plan. If they want to add or adjust the scope of business (such as adding custody services, trading products, etc.), they must obtain CIMA's written approval in advance, and they may not expand the scope of services without permission. In addition, VASPs, especially shares of companies or partnerships, may not be issued or transferred without CIMA's written approval.
At the same time, the amendment also requires VASPs to establish and maintain an effective risk management system covering anti-money laundering, technical security, customer identity verification, market manipulation prevention, etc. Under certain conditions, CIMA can force VASPs to submit audit reports and has the right to designate auditors.
For custodial VASPs, the amendment further refines the protection of customer assets, such as ensuring that customer assets are held in separate custody, setting up trust or bankruptcy segregated accounts, and ensuring clear asset accounting; custodial services must have an internal control system, including asset audit processes, dual signature management, and third-party audit arrangements.
4. Anti-money laundering and customer information collection
The amendment details the virtual asset transfer information that VASPs need to collect, including the name, account address, virtual asset address, and identification information of the originator; the name, account address, and virtual asset address of the beneficiary; and the specific types and amounts of assets involved in the transaction.
In addition to collection and recording, VASPs must also retain customer and transaction records for no less than 5 years and submit them within 48 hours upon request from CIMA or law enforcement authorities.
In terms of anti-money laundering and anti-terrorism, the obligations of VASPs have been further strengthened - comply with all provisions of the Cayman Islands' current Anti-Money Laundering Regulations, including KYC, identity verification, suspicious transaction reporting (STR), continuous monitoring, etc.; once a customer or transaction is found to be suspected of terrorist financing, money laundering, or a high-risk region background, it must be reported to CIMA in a timely manner and cooperate with the investigation.
5. Audit and supervision
Licensed VASPs must entrust a CIMA-approved certified public accountant to conduct an audit every year and submit complete financial statements. In addition, CIMA has the right to specify the specific audit time, scope, and content. If CIMA believes that a VASP has misleading or false financial information, it can directly designate an auditor to conduct a special audit, and the cost shall be borne by the VASP itself.
The amendment also specifies the auditors’ responsibilities, including that auditors must perform their duties independently and must not have conflicts of interest or breach of trust. At the same time, once the auditors find that VASPs have significant risks, they should proactively report to CIMA. If the auditor fails to perform his duties, CIMA has the right to cancel his qualifications and prohibit VASPs from re-employing him.
In addition, the amendment also strengthens CIMA's regulatory and law enforcement powers, such as the right to enter VASP offices at any time, search electronic records, equipment, account information, directly retrieve account books, customer transaction records, and require technical personnel to assist in reviewing the system; the right to revoke virtual asset licenses/registrations; appoint consultants to assist in rectification; in case of serious violations, apply to the court to liquidate the VASP; directly issue a "cease and desist order" to VASPs that operate without a license or falsely claim to be regulated.
6. Transitional arrangements
From the date when the amendment comes into force, existing VASPs will be given a 90-day transition period. During this period, existing VASPs need to complete the application for licensing or registration and make adjustments to meet all the above-mentioned operating, anti-money laundering, director structure, custody requirements and other terms.
Applicants whose applications were submitted before the amendment was released but have not yet been approved are allowed to apply for a refund under the old law and resubmit their applications in accordance with the new regulations.
Analysis of Cayman VASP Regulatory Trends
It can be said that this revision not only carried out a "loophole-plugging" upgrade in regulatory details, but also reflected the Cayman regulatory authorities' all-round requirements for market transparency, standardized governance, and anti-money laundering responsibilities. In the future, the compliance entry threshold and ongoing operating costs of the virtual asset service industry will be at a relatively high level globally.
Through this amendment, we can clearly see the distinct trend of the development of the Cayman Islands VASP regulatory system:
1. The regulatory boundaries continue to expand, and the applicable objects and types of virtual assets are subject to comprehensive management.
From the addition of the definition of "convertible virtual assets" to the removal of outdated terms such as "existing licensees", the scope of supervision is clearer, including more small service providers and emerging virtual asset categories that were previously in the gray area. This means that in the future, whether it is a traditional trading platform, custodian, infrastructure developer, or DAO project party, as long as they provide virtual asset services, they may be included in the VASP supervision scope, and the compliance boundaries of the industry will be clarified.
2. Standardization of governance structure, transparency and identification of actual control become the core.
By refining the board structure and disclosure of beneficial owners, clarifying the number of directors and independent directors, regulators have set higher standards for VASP governance transparency. Especially for projects with multiple shareholders, multiple signatures, multi-layer structures or DAO governance models, the actual controlling entity must be clearly identifiable to eliminate the problem of invisible shareholders and shadow directors.
3. Comprehensively improve compliance and entry barriers, and manage high- and low-risk businesses in different levels.
High-risk businesses (such as transaction matching, custody, and issuance) must apply for a complete license, with full compliance requirements for capital, internal control, anti-money laundering, and financial audits, and the establishment and operation costs are significantly increased. In contrast, low-risk businesses (such as non-custodial wallets and infrastructure) can still complete filing through the registration system, but CIMA's requirements for their information disclosure and governance structure are also clear, and there is no room for regulatory arbitrage.
4.AML/CFT requirements must be aligned with international standards, and technical systems must support the “Travel Rule”.
Refine the collection of customer identity, source of funds, and transaction details, extend the data retention period, submit responses within 48 hours, and clarify high-risk customer management requirements. At the same time, cross-VASP transfers must be connected to the technical system to complete the transmission of initiator and recipient information, corresponding to the FATF "Travel Rule", and further improve the technical compliance threshold.
5. Financial transparency and auditing systems are tightened, and CIMA's substantive regulatory capabilities are enhanced.
CIMA not only requires designated accountants to conduct financial audits every year, but also directly assigns special audits when false disclosures or major risks are found, and the costs are borne by VASPs. Changes in shareholder equity, adjustments to business scope, business expansion, etc. require prior written approval, and supervision intervenes in the entire process from access to continued operations, and the cost of violations has increased significantly.
6. The powers of on-site law enforcement and suspension of business for rectification are strengthened, leaving no room for false compliance.
The amendment authorizes CIMA to have stronger law enforcement powers, including on-site searches, freezing of assets, revoking licenses, and directly applying for liquidation procedures. It will maintain a high-pressure stance against VASPs that operate without a license, engage in false advertising, and violate anti-money laundering obligations, and basically block regulatory arbitrage operations.
7. The transition period is compressed and existing projects face time window challenges.
Existing VASPs only have 90 days to complete the rectification of governance structure, audit arrangement, and anti-money laundering system. Institutions that fail to complete the rectification in time will directly face the risk of revocation. In addition, project parties that have submitted but not yet approved applications are also required to quickly complete the materials or resubmit them, leaving the market with a very limited window for rectification.
Attorney Mankiw recommends
The implementation of new Cayman VASP regulatory rules in 2025 marks that Cayman virtual asset compliance has entered a period of deepening governance.
For Web3 project developers who want to use the Cayman Islands to enter the international market, having a license is only the basis. What is more important is whether the governance structure, asset custody, board transparency and anti-money laundering system can withstand penetrating supervision.
In this regard, Attorney Mankiw suggested that all types of Web3 project parties can formulate detailed compliance strategies based on the nature of their own business, complete the restructuring of the architecture and risk control construction in advance, and respond steadily to the regulatory challenges after the new regulations are officially implemented in 2025.
1. For high-risk businesses
Complete the adjustment of the governance structure as soon as possible: ensure that the board of directors is equipped with at least three directors and one independent director. The independent director's resume must truly reflect his or her ability to perform the duties, and avoid related parties holding concurrent positions.
Review capital strength: Based on the scale of business, reasonably supplement capital and reserve a sufficient fund pool to meet regulatory reporting and risk mitigation needs.
Improve the custody compliance system: For service providers involved in the custody of customer assets, it is necessary to implement systems such as asset bankruptcy isolation, separate custody accounts, double-signature mechanism, and third-party audits to avoid time pressure caused by subsequent reconstruction.
Plan your business expansion path in advance: If you plan to add new trading products, cross-chain custody, or coin issuance in the future, you need to plan the approval process with CIMA in advance to avoid blind expansion that may lead to compliance obstacles.
Compliance team building: The company needs to have qualified AML/CFT compliance officers, financial managers, and technical risk control personnel. If necessary, a third-party consulting company can be hired to assist in establishing an anti-money laundering and system compliance framework.
2. For low-risk businesses
Reasonable use of the registration and filing system: The current registration system has relatively low costs, which is suitable for infrastructure project parties to obtain Cayman compliance endorsement through filing.
We also attach great importance to information disclosure and governance requirements: although there is no need to hold a license, it is necessary to ensure that the information disclosed by the board of directors and actual controllers is true and transparent, and avoid exaggerating the scope of supervision in promotional materials.
Pay attention to technical compliance docking: For cross-VASP service functions (such as payment routing and bridging services), it is necessary to evaluate in advance whether they will be included in the category of high-risk services due to their relevance.
3. For existing applicants or VASPs in the transition period
Immediately review submitted materials: Check the board structure, AML system, custodial account arrangements, etc. against the new regulations. If necessary, choose to return the old application and resubmit it after filling in the compliance gaps.
Launch a 90-day transitional rectification plan: clarify the completion timetable for governance adjustments, system supplements, audit arrangements, KYC system optimization, etc., to ensure that there are no "points of entry" during the transition period that lead to law enforcement risks.
At the same time, all VASPs also need to pay attention to: external publicity of compliance self-inspection, pre-positioning of audit and data systems, and improvement of high-risk customer identification systems.
In response to the urgent rectification needs during the 90-day transition period before and after the Virtual Asset (Service Providers) (Amendment) Act, 2024 comes into effect, as a lawyer who has long been concerned about Web3 overseas expansion and virtual asset compliance, Mankiw has established a complete compliance service system that can assist project parties in quickly completing various compliance preparations such as governance structure adjustment, anti-money laundering system supplementation, director configuration optimization, and licensing or registration application submission, to ensure smooth connection with the new regulations during the transition period.
Web3 entrepreneurs, funds, and virtual asset service providers who are interested in deploying in the Cayman Islands are welcome to contact us to obtain customized compliance solutions and seize the compliance opportunities.
