International Sanctions Requirements for Virtual Asset Service Providers: a Cayman Perspective

Nov 2024

As the war continues to rage on the Eastern front between Russia and Ukraine, the financial sanctions resulting from the initial invasions and ongoing conflict seem likely to continue to play a significant part in the global financial markets. However, financial sanctions related to Russia are not the only ones in force. As a British overseas territory, the Cayman Islands implements the international sanctions obligations of the United Kingdom (UK). There are currently 34 sanctions measures in force the Cayman Islands which include trade bans, travel bans and financial sanctions measures (Sanctions).

Sanctions apply to all persons in the Cayman Islands and those most exposed to sanctions risk are financial service providers. Virtual asset services providers (VASPs) are considered higher risk institutions in the financial market given their use of and engagement with novel technology and the potential for this technology to be used to evade financial sanctions if the proper screening and controls are not in place. This risk is compounded by the globally integrated nature of blockchain technology not typically seen on a mass scale in other financial industries.

Cayman Islands Sanctions Regime

As a British Overseas Territory, the sanctions regime in force in the Cayman Islands broadly mirrors that imposed in the UK (the Sanctions Regime). Measures in force pursuant to the Sanctions Regime and related regulations are extended to the Cayman Islands through Orders in Council made by the UK Privy Council (the “Sanctions Orders”).

The current sanctions list applicable in the Cayman Islands can be found on the Financial Reporting Authority’s website here (the “Sanctions List”). While there are Sanctions relating to a number of persons and jurisdictions, none have impacted global finance to such a degree as those relating to Russia. In the Cayman Islands, the Russia (Sanctions) (EU Exit) Regulations 2019 (as amended) are extended pursuant to the Russia (Sanctions) (Overseas Territories) Order 2020 (as amended) (the “Russian Sanctions Regulations”).

The Russian Sanctions Regulations provide for the freezing of funds and economic resources of certain persons, entities or bodies involved in destabilising Ukraine or undermining or threatening the territorial integrity, sovereignty or independence of Ukraine, or obtaining a benefit from or supporting the Government of Russia. In the weeks shortly after Sanctions were placed on Russia and Russian persons, there were concerns that virtual assets were being utilised as a transfer mechanism for avoiding such Sanctions.

VASPS versus Traditional Financial Institutions

VASPs regulated by the Cayman Islands Monetary Authority (CIMA) are expected to integrate Sanctions compliance procedures including screening measures into customer and vendor onboarding and transaction monitoring processes. The Sanctions Regime is ever evolving, with new Sanctions being issued on an intermittent basis often in line with swaying geopolitical tensions. As a result, it is vital that Sanctions screening and compliance measures are performed throughout the lifecycle of a business relationship and not just at the point of onboarding.

While VASPs are under the same legal and regulatory obligations as traditional financial institutions, there are unique challenges relating to the technologies employed that set them apart in the global financial markets. Below are some key considerations that all CIMA regulated VASPs should be aware of when conducting their business operations:

1. Sanctions Screening and Customer Due Diligence

Like traditional financial institutions, VASPs must ensure that they do not facilitate transactions involving sanctioned individuals, entities, or countries. This means implementing robust customer due diligence (CDD) practices to properly identify all customers and ensure that all customers are properly screened against the Cayman Islands Sanctions List initially and on an ongoing basis.

While CDD measures remain unchanged (generally encompassing personal identification, proof of address etc.), Sanction screening is made considerably more difficult for VASPs given the pseudonymous nature of many virtual assets in addition to the ability for any person to establish virtual asset wallets both on multiple third party exchanges (some of which do not perform CDD) and entirely independent wallets on local devices (known as “Hard Wallets”).

Traditional banking and payments institutions typically operate and facilitate payments between account holders who are properly identified in line with local legal and regulatory obligations (which generally operate within a globally accepted minimum standard). There are however no globally or even continentally accepted minimum standards with regard to the establishment of virtual asset wallets – persons (do not even require a financial institution to acquire one (i.e. Hard Wallets). VASPs therefore have a heightened risk of encountering persons who are utilising wallets that are not directly linked to their identities. This increases the susceptibility of the industry being used as a means of evading financial sanctions.

2. Blockchain and Transaction Monitoring

The processes and technology for monitoring transactions in the traditional finance world have long been in place and have undergone decades of testing and ongoing improvement. While the principles remain the same for virtual asset transfers, adhering to these principles leads to unique technological challenges. While blockchain transactions are transparent and generally traceable, which is of course a major benefit of the technology, it is possible for the participants behind those transactions to remain pseudonymous.

To mitigate risks of illicit activity on their platforms, VASPs increasingly rely on blockchain analytics experts and service providers who are typically engaged on a third party basis to track and analyse transactions across the blockchain. These tools can help identify wallet addresses associated with sanctioned entities or high-risk jurisdictions, even if the identities behind the addresses are unknown.

While these are helpful tools and services, VASPs must ensure that proper due diligence and risk assessments are undertaken on all material third party service providers in accordance with the Statement of Guidance on Outsourcing for Regulated Entities in the Cayman Islands. This requires a degree of technological competence not typically required in traditional financial institutions.

3. Geographical Risk and Cross-Border Nature of Virtual Assets

One of the defining elements of the virtual asset industry separating it from the traditional finance world is its globally integrated nature. Traditional banks and other financial institutions usually operate within clearly-defined jurisdictional limits and are generally regulated within similar confines by a local regulatory authority.

VASPs, on the other hand, even when providing services to a specific user base, are exposed to a much broader set of risks given the global and cross-border nature of virtual asset transfers, increasing the risk of encountering sanctioned persons in multiple jurisdictions.

4. Freezing and Blocking Assets

When any financial institution identifies that it holds or is facilitating a transaction involving a sanctioned entity, it is generally required to block or freeze the assets. This could involve freezing funds in an account / wallet or prohibiting the withdrawal or transfer of such funds.

For traditional financial institutions, freezing an account or blocking funds generally involves prohibiting access to fiat currency in a bank account or withholding the ability to redeem or interest in a fund or other vehicle. In contrast, freezing or withholding access to virtual assets (such as Bitcoin or Ethereum) may not be as straightforward. Many VASPs operate on or through decentralised infrastructure and may not always have custody of a customer’s virtual assets or direct control over individual transactions. Even where a VASP may have the capacity to freeze virtual assets / transactions, the speed and often irreversible nature of many virtual asset transactions amplifies the risk and difficulty of adhering to asset freeze orders.

Depending on the nature of its business operations, a VASP may only be in a position to block access to the customer’s account on the VASP’s own platform. However, if the user has access to their private keys or the VASP is integrated with a decentralised exchange, asset freezes become distinctly more complicated – an issue not applicable to traditional finance.

5. Ongoing Compliance and the Speed of Change

Generally speaking, changes in traditional finance tend to come slow and in reasonably foreseeable stages. Blockchain technology and the environment in which virtual assets operate in are evolving at ever accelerated rates. To this end, VASPs not only need to monitor the change of technology but also the impact that every change makes to its compliance frameworks, to ensure that it is operating in accordance with regulatory expectations.

As with all financial institutions, VASPs should maintain open lines of communication with CIMA in order to stay informed of regulatory expectations and ensure that CIMA are informed of the VASP’s operations and any changes thereto.

What Measures Should VASPs Take?

A robust sanctions compliance framework will encompass the following measures which should be carefully considered by all CIMA regulated VASPs with measures and practices tailored to their products, services and respective business models:

1. Sanctions Policy¹: Develop and maintain a comprehensive sanctions compliance policy outlining the VASP’s commitment to adhering to relevant sanctions regulations.
2. Screening Procedures: Implement robust customer and transaction screening processes to identify individuals, entities, and transactions that may be subject to sanctions.
3. Risk Assessment: Conduct regular risk assessments to identify and evaluate potential sanctions risks associated with customers, products, services, and geographic locations.
4. Training and Awareness: Provide ongoing training for employees on sanctions requirements, internal policies and procedures to ensure that staff understand their respective responsibilities.
5. Record Keeping: Maintain accurate records of all sanctions-related screening, transactions, and compliance activities for audit and regulatory purposes, including the maintenance of a sanctions log.
6. Reporting Mechanisms: Establish clear internal escalation procedures and onward reporting procedures to the Cayman Islands Financial Reporting Authority.
7. Internal Controls and Audits: Implement strong internal controls and conduct regular audits to monitor compliance with sanctions policies and procedures, identifying any gaps or weaknesses and remediating same.
8. Governance and Oversight: Ensure that senior management and the board of directors are proactively involved in overseeing the sanctions compliance program and that there is a designated compliance officer responsible for sanctions compliance.
9. Due Diligence: Perform enhanced due diligence on high-risk customers and transactions to mitigate sanctions risks effectively.

Enforcement Actions and Penalties

It is a criminal offense to violate obligations under applicable sanctions measures without proper licensing or authorisation. Penalties for sanctions violations can be extreme with individuals convicted of such offenses facing large fines, imprisonment, or both.

As such, it is vital that CIMA regulated VASPs carefully consider their obligations pursuant to the applicable sanctions regime and expend appropriate resources and time to ensure that their compliance frameworks are robust and ensure compliance with the applicable requirements.

Conclusion

While the core sanctions obligations for VASPs are distinctly similar to those faced by traditional financial institutions, VASPs operate in a unique environment that presents additional challenges. The sometimes anonymous or pseudonymous nature of virtual assets and associated transfers, the global reach of VASPs, and the use of advanced technologies make sanctions compliance particularly complex.

As a result, VASPs are required to adopt and implement more technologically advanced compliance measures, including blockchain analytics and enhanced monitoring, to meet their legal obligations and avoid facilitating prohibited transactions.

For further information on the digital asset advisory services that the Regulatory & Risk Advisory team offer, please download our VASP Service Offering factsheet below.

¹A firm’s sanctions policy often forms part of the firm’s broader anti-money laundering, countering of terrorist financial and countering of proliferation financing policy (AML/CFT/CPF). While this publication does not intend to cover AML/CFT/CPF matters in detail, a VASP should also ensure that it develops and maintains a comprehensive AML/CFT/CPF compliance policy outlining the VASP’s commitment to adhering to the relevant regulations and applicable laws.