Sep 2024
As the global financial landscape continues to evolve, the rapid growth of virtual assets and use of blockchain technology has prompted governments worldwide to reassess their legal and regulatory frameworks. The emergence of cryptocurrencies and blockchain technologies has opened up near boundless opportunities for innovation but has also brought with it significant risks, particularly those relating to money laundering, fraud, and consumer protection (among others).
In response, the Cayman Islands introduced a comprehensive regime to govern the provision of virtual asset services back in 2020, with the aim of ensuring that the sector’s growth aligns with broader financial stability and consumer protection goals (the “Regime”). This Regime came in the form of the Virtual Asset (Service Providers) Act (the “Act”) as supplemented by the Virtual Asset (Service Providers) Regulations (the “Regulations”). The Regime marked a pivotal shift in the regulatory landscape, setting the stage for a more secure and transparent virtual asset market while fostering confidence among investors and the general public.
The Regime is designed to regulate market participants in the industry and tasks the Cayman Islands Monetary Authority (CIMA) with overseeing virtual asset services providers (VASPs). As a result, any market participants looking to operate as a VASP are required to either seek registration or licence (depending the nature of the business activities) from CIMA prior to providing same.
Since the introduction of the Regime, CIMA has accepted applications for registration. Recently CIMA’s VASP & Fintech Innovation Unit helpfully held a VASP Industry Outreach Session (the “Session”) with market participants and services providers in order to better inform all current and future relevant stakeholders on matters ranging from the application process to ongoing compliance expectations for VASPs and CIMA’s overall role as a regulatory body.
Key Points and Topics
CIMA opened the Session by highlighting that the information provided in the Session was not to be construed as legal advice, that all market participants should seek independent legal advice where appropriate and that the Session was designed to assist market participants and service providers on what steps can be taken to ensure that business and innovation are undertaken with proper risk and compliance considerations in mind.
For the benefit of all current and future VASPs, CIMA:
1. encourages all applicants to partake in a “Pre-Application Meeting” with the authority:
Applicants are strongly encouraged to meet with CIMA prior to submitting an application in order to discuss their proposed business services and the overall application process and expectations of CIMA.
2. advises all applicants to seek a legal opinion in respect of their proposed business services:
CIMA stated that all potential market participants should seek specific legal advice on their proposed business, activities and structure and have this formally documented in order to ensure that they are adequately informed of their legal standing and associated obligations when operating in or from the Cayman Islands.
3. highlighted the assessment criteria for VASP applicants:
CIMA highlighted that it evaluates all applications based on several key factors, including the fitness and propriety of shareholders and directors, the soundness of business plans, and the strength of risk management, cybersecurity, and IT systems.
CIMA emphasised that comprehensive assessments will be carried out on all risk management procedures to ensure full compliance with regulatory standards.
4. emphasised the common challenges faced by applicants during the application process:
CIMA highlighted the frequency with which it has encountered incomplete, insufficient, or inconsistent applications, demonstrating a general lack of thoroughness.
CIMA also explained the importance of registered office providers fully understanding their client’s structure and business operations, highlighting that there have been a number of cases where a lack of reasonable knowledge about the business being presented has led to challenges during the approval process. This understanding is crucial for ensuring the submission of accurate and comprehensive applications.
5. explained that all VASPs should be ready to commence operations immediately or within a reasonable timeframe post-approval:
CIMA highlighted that once an application has been approved by CIMA, applicants have one year to commence business operations. If the applicant fails to commence business within this period, CIMA reserves the right to withdraw the approval. This underscores the importance of applicants being fully prepared to begin operations within the specified timeframe.
6. confirmed that dual-licencing applies where a VASP also undertakes other regulated activities under the (for example) the Securities Investment Business Act (as revised) (SIBA):
It was confirmed that where a VASP also undertakes regulatory activity falling within another regime (such as SIBA), that an applicant will be required to seek authorisation under both applicable regimes.
CIMA also highlighted that no de-minimis threshold exists in this regard and any activity (regardless of nature or degree) that falls in scope of a secondary regime, will require a separate registration / licence from CIMA.
7. explained its regulatory risk-based approach (RBA) to monitoring and supervision of VASPs and its anti-money laundering and countering of terrorist (AML / CFT) financing plan:
CIMA confirmed that it adopts an RBA in determining the frequency and intensity of on-site and off-site inspections and general overall supervision of VASPs. As such, the inherent risk of all VASP entities will be taken into account and any change to or additional business activity will alter the level and degree of supervision implemented by CIMA.
In a positive example of technological adoption by the regulatory authority, CIMA confirmed that it will be focused on enhancing and leveraging technology to automate routine processes when implementing its RBA to supervision. This will assist CIMA in determining the scope, frequency, and intensity of its on-site and off-site inspections for VASPs. This automation will free up resources, enabling the authority to concentrate on tasks that require human judgment and expertise which represents an overall positive step for the industry and the VASPs that it supervises.
8. highlighted the importance of complete information when submitting VASP Returns:
CIMA confirms that it gathers data through the AML Survey – VASP Form, and the VASP Travel Rule Form. However, key challenges have been identified by CIMA as part of these submissions, particularly relating to missing information, especially with respect to business activities and inaccuracies in the data provided.
CIMA emphasised the importance of ensuring complete and accurate data and how essential it is for ensuring effective monitoring and regulation of VASP entities.
9. summarised the key themes and observations of failures among active VASPs in the market:
CIMA has identified four significant themes and observations regarding failures in VASP operations post-registration, namely:
(i) corporate governance – there has been a failure to properly document and maintain policies and procedures, as well as inadequate succession plans;
(ii) regulatory non-compliance – regulatory non-compliance issues revealed a common theme of non-commencement of operations and a failure to file necessary filings and returns with CIMA;
(iii) conduct of business – CIMA encountered multiple occasions where complaint handling procedures were not properly documented and client account agreements were deemed insufficient; and
(iv) internal controls – there was a lack of proper monitoring across a number of industry participants, along with deficiencies in the frameworks, policies, and procedures required to ensure effective oversight of internal operations. Significant weaknesses were identified relating to a lack of oversight, undocumented board minutes and or board minutes that failed to include AML/CFT policies / reviews for approval by the board.
10. set out its key findings from recent on-site inspections for registered VASPs:
CIMA highlighted that it has recently identified several issues in the application of risk-based approach procedures by VASPs in the market. It was noted that customer due diligence was either not being updated or failing to account for all necessary requirements. In addition, customer risk assessments often lacked proper documentation of the risk process and were not being updated to account for new transactions and activity.
Furthermore, CIMA identified trends of customers not being consistently scanned against the applicable Cayman sanctions list sanctions procedures not being updated to account for same. There have been instances of accounts not being frozen as required under the Cayman Islands sanction regime.
There were also notable absences of outsourcing agreements and training programmes were deemed insufficient, often not covering Cayman regulatory requirements. Risk assessments often lacked regular reviews to ensure operational effectiveness, further compromising the integrity of the VASP’s risk management process.
Regarding adherence to the Cayman Island’s Travel Rule, CIMA observed multiple occasions of absences in the verification process, indicating that proper checks were not being carried out.
Finally, record-keeping practices were also found to be deficient, with a lack of effective management systems and delays in providing records when requested by CIMA.
Importance of the Session
CIMA’s outreach Session demonstrates a further important step in its prerogative to regulate the VASP industry in the Cayman Islands. By engaging directly with stakeholders, the Session provided clarity on regulatory expectations, compliance requirements, and the practical steps necessary for firms to operate within the Regime.
This proactive approach fosters transparency, reduces uncertainty, and ensures that market participants are well-equipped to navigate the regulatory landscape, ultimately promoting industry-wide adherence and mitigating potential risks associated with virtual asset services.
Licencing Regime Update
By way of reminder, under the current VASP Regime, market participants undertaking virtual asset issuance, exchange, transfer on behalf of customers, and the provision of financial services related to virtual asset issuance or sale are required to seek registration with CIMA where this activity is performed in or from the Cayman Islands.
Despite being provided for in the VASP Act, the Cayman Islands has not yet activated this licencing regime. However, this is expected to come into force shortly upon which all market participants intending to undertake virtual asset custody services, such as wallet solutions, or those proposing to operate virtual asset trading platforms (commonly referred to as cryptocurrency exchanges) will be required to seek and acquire a licence from CIMA prior to engaging in these services.
CIMA helpfully confirmed in a Q&A towards the end of the Session that any market participants intending to undertake custody or trading platform activity, prior to the licencing regime coming into force, will be permitted to seek a registration in the first instance and subsequently undergo an assessment and ultimately transition to a licence once the regime becomes applicable.