On 18 September 2025, the Cayman Islands Monetary Authority (CIMA) released a Supervisory Information Circular outlining its approach to anti-money laundering (AML), counter-terrorist financing (CFT), counter-proliferation financing (CPF), and targeted financial sanctions supervision for Virtual Asset Service Providers (VASPs). The circular provides detailed insights into how CIMA conducts both on-site inspections and off-site monitoring, while also disclosing findings of deficiencies and enforcement actions taken against VASPs. CIMA’s risk-based supervisory methodology, provides for the integration of supervisory technology, and the obligations that all registered VASPs must meet under the Virtual Asset (Service Providers) Act (2024 Revision) and the Anti-Money Laundering Regulations (AMLRs).
The Circular serves as a regulatory guide and supervisory disclosure, describing how CIMA monitors AML/CFT compliance of VASPs. As of 31 July 2025, 19 VASPs are registered in the Cayman Islands to provide services including transfers of virtual assets, custody, issuance, and exchange. CIMA applies a risk-based approach (RBA) in determining supervisory focus and frequency, relying on both on-site inspections and desk-based reviews.
A key feature of the supervisory model is the use of Strix, a SupTech system that automates data collection and analysis, generating live AML risk ratings based on AML Returns and Travel Rule Returns submitted by VASPs. This technology-enabled supervision allows CIMA to streamline routine processes and allocate resources to matters requiring human oversight.
The Circular also discusses outcomes of supervisory inspections conducted since 2023, identifying systemic deficiencies in VASP compliance frameworks, and describes enforcement measures including the cancellation of one VASP registration in June 2025.
Chronological Timeline of Supervisory Actions
- 2020: The Virtual Asset (Service Providers) Act came into force, designating the Cayman Islands Monetary Authority (CIMA) as the primary regulator for VASPs.
- 2023: CIMA commenced risk-based on-site AML/CFT inspections of VASPs to evaluate compliance with the Anti-Money Laundering Regulations (AMLRs) and the AML Guidance Notes (2020 Revision).
- September 2024: February 2025 – CIMA conducted desk-based reviews under the Monetary Authority Act (2020 Revision) and the VASP Act, targeting specific AML/CFT risk areas such as the Travel Rule, sanctions compliance, and governance.
- 31 July 2025: CIMA confirmed that 19 VASPs were registered and active within the jurisdiction, providing services ranging from custody and issuance to exchanges and transfers.
- 5 June 2025: CIMA cancelled the registration of a VASP following severe AML/CFT deficiencies, including failures in customer due diligence, governance, and audit obligations.
- 18 September 2025: CIMA published its AML/CFT Supervisory Circular, disclosing findings from inspections, outlining observed deficiencies, and reiterating expectations for remediation.
Findings from AML/CFT Inspections
CIMA’s inspections and reviews uncovered areas of weakness across the VASP sector. These include:
Risk Assessments
CIMA observed instances where VASPs failed to adequately document business and customer risk assessments, omitting critical factors such as jurisdictional risks, transaction types, and delivery channels.
Reliance on Technology Solutions
The Circular notes failures to conduct assurance reviews of AML-related technology solutions, including sanctions screening tools, e-KYC processes, transaction monitoring systems, and on-chain analytics.
Customer Due Diligence and Enhanced Due Diligence
Deficiencies were identified in basic customer due diligence (CDD), verification of legal persons, and lack of enhanced due diligence (EDD) in cases involving politically exposed persons or clients from high-risk jurisdictions.
Sanctions Compliance
CIMA found incomplete sanctions policies, inadequate ongoing screening, and poor record-keeping of alerts. Some VASPs failed to address high-risk on-chain transaction alerts effectively.
Corporate Governance and Oversight
Boards of directors in some VASPs failed to review or approve AML policies, and AML Compliance Officers lacked independence and authority.
Outsourcing Risks
Instances were observed where VASPs outsourced compliance functions without adequate agreements, breaching obligations to retain ultimate responsibility for AML/CFT compliance.
Independent Audit Functions
Some VASPs had no AML audits, while others relied on auditors lacking operational independence, contrary to regulatory requirements.
Employee Training
Training materials were sometimes generic, not tailored to the Cayman Islands’ AML/CFT legal framework, and excluded local regulatory references.
Record Keeping and Travel Rule
Deficiencies included incomplete customer due diligence records, delayed submission of Travel Rule Returns, and inadequate originator and beneficiary verification on transfers.
(Source: https://www.cima.ky/amlcft-on-site-and-off-site-supervision-of-the-virtual-asset-service-providers)
