In 2025, the new regulatory rules for VASP in the Cayman Islands will take effect, marking the beginning of a deepening governance phase for virtual asset compliance in the Cayman Islands.
Written by: Iris, Bai Zhen
Since the release of the VASP regulatory framework "Virtual Asset (Service Providers) Regulations, 2020" in 2020, the popular offshore destination of the Cayman Islands has successively issued four key legislative documents, gradually constructing a complete VASP compliance system covering registration and licensing, anti-money laundering, governance structure, regulatory enforcement, and other dimensions, specifically including:
The transitional provisions "Virtual Asset (Service Providers) (Savings and Transitional) Regulations, 2021" following the implementation of the 2020 VASP Act.
The implementation order for the second amendment of the VASP Act "Virtual Asset (Service Providers) (Amendment) (No.2) Act, 2023 (Commencement) Order, 2024".
The comprehensive revised version of the VASP regulatory act, which has been amended multiple times since 2020, "Virtual Asset (Service Providers) Act (2024 Revision)".
The latest amendment to the VASP Act released at the end of 2024, "Virtual Asset (Service Providers) (Amendment) Act, 2024".
The Cayman virtual asset compliance system has moved from the construction of a basic framework to a deepening governance phase, sending a clear signal to all Web3 projects, funds, and virtual asset service providers wishing to establish and expand in the international market through the Cayman Islands: compliance thresholds are raised, governance requirements are upgraded, and the space for false compliance "gray areas" will no longer exist.
As of April 1, 2025, the Cayman Islands will implement revised cryptocurrency licensing regulations, requiring all virtual asset service providers (VASPs) (including trading platforms and custodial services) to obtain a license issued by the Cayman Islands Monetary Authority (CIMA). Existing virtual asset service providers must submit their license applications by June 29, 2025.
So, what is the core of this document?
What further enhancements have been made compared to previous policies?
After this series of revisions, will the VASP regulatory policy of the Cayman Islands, once one of the most popular offshore destinations, undergo a shift?
For Web3 entrepreneurs intending to settle in the Cayman Islands, how should they adjust their strategies?
Mankun Lawyers will outline these points for you below.
Cayman VASP Latest Amendment Act
The "Virtual Asset (Service Providers) (Amendment) Act, 2024" was released on December 19, 2024, aiming to further improve and strengthen the regulatory system for virtual asset service providers (VASPs). Overall, the amendments cover six core areas:
1. Industry Definitions
New terms and definitions such as "Convertible Virtual Asset" and "Senior Officer" have been added; at the same time, the definitions of "Director" and "Shareholder" have been refined, adding requirements for related party shareholding and beneficial ownership identification.
Additionally, outdated terms and definitions such as "existing licensee," "fintech service," and "operator" have been removed.
For example, in the Sandbox license application, the applicant is referred to as "Supervised Person," no longer using the old term "existing licensee"; the fee name has been clarified and standardized as "prescribed sandbox licence fee."
2. Registration and Licensing
The amendment first clarifies that natural persons can no longer register or hold licenses; all VASP applicants must be legal entities.
Secondly, the amendment refines the dual-track division of registration and licensing. Low-risk businesses, such as non-custodial wallet services and basic technology infrastructure providers, may choose to register; while high-risk businesses, such as custodial services, trading matching, platform operations, and issuance services, must apply for a full license.
Moreover, entities that are not registered or licensed by CIMA are prohibited from claiming to be regulated by CIMA, and violations constitute illegal behavior.
Additionally, regardless of approval status, all application fees, annual fees, and license fees are non-refundable. Once a VASP application is approved, the applicant must pay all fees within 30 days; otherwise, the approval will be void.
3. Operational Requirements
In terms of governance structure, the amendment requires each licensed VASP to have at least three directors, with at least one being an independent director, aimed at preventing internal conflicts of interest and enhancing board independence and transparency.
Regarding operational activities, VASPs must strictly adhere to the approved business plan. If they wish to add or adjust their business scope (such as adding custodial services or trading varieties), they must obtain prior written approval from CIMA; unauthorized expansion of service scope is prohibited. Additionally, shares of VASPs, especially those of companies or partnerships, must not be issued or transferred without CIMA's written approval.
At the same time, the amendment requires VASPs to establish and maintain effective risk management systems covering anti-money laundering, technical security, customer identity verification, and market manipulation prevention. Under certain conditions, CIMA may require VASPs to submit audit reports and has the authority to designate auditors.
For custodial VASPs, the amendment specifies customer asset protection, such as ensuring customer assets are held separately, establishing trust or bankruptcy isolation accounts, and ensuring clear asset accounting; custodial services must have internal control systems, including asset audit processes, dual-signature management, and third-party audit arrangements.
4. Anti-Money Laundering and Customer Information Collection
The amendment specifies the virtual asset transfer information that VASPs need to collect, including the name, account address, virtual asset address, and identity verification information of the originator; the name, account address, and virtual asset address of the beneficiary; as well as the specific types and amounts of assets involved in the transaction.
In addition to collecting and recording, VASPs must retain customer and transaction records for no less than five years and submit them within 48 hours upon request from CIMA or law enforcement agencies.
In terms of anti-money laundering and counter-terrorism, VASPs' obligations have been further strengthened—complying with all provisions of the current Cayman "Anti-Money Laundering Regulations," including KYC, identity verification, suspicious transaction reporting (STR), and ongoing monitoring; once any customer or transaction is suspected of terrorist financing, money laundering, or having a high-risk background, it must be reported to CIMA promptly and cooperate with investigations.
5. Auditing and Regulation
Licensed VASPs must commission a CIMA-approved certified public accountant for annual audits and submit complete financial statements. Furthermore, CIMA has the authority to specify the audit time, scope, and content. If CIMA believes that a VASP has misleading or false financial information, it may directly designate an auditor for a special audit, with costs borne by the VASP.
The amendment also refines the responsibilities of auditors, including that auditors must perform their duties independently, without conflicts of interest or dishonest behavior. If auditors discover significant risks within a VASP, they must proactively report to CIMA. If auditors are negligent, CIMA has the authority to revoke their qualifications and prohibit the VASP from re-employing them.
Additionally, the amendment strengthens CIMA's regulatory and enforcement powers, such as the authority to enter VASP offices at any time, search electronic records, devices, and account information, directly access books and customer transaction records, and require technical personnel to assist in system reviews; the authority to revoke virtual asset licenses/registrations; appoint consultants to assist in rectification; if serious violations occur, apply to the court for the liquidation of the VASP; and directly issue "cease and desist orders" to unlicensed operations or falsely claiming to be regulated VASPs.
6. Transition Period Arrangements
From the date the amendment officially takes effect, existing VASPs will be given a 90-day transition period. During this period, existing VASPs need to complete their license or registration applications and adjust to meet all operational, anti-money laundering, board structure, and custodial requirements outlined above.
For applicants who submitted applications before the amendment was published but have not yet been approved, they are allowed to apply for refunds under the old law and may re-submit applications that comply with the new regulations.
Cayman VASP Regulatory Trend Analysis
It can be said that this amendment not only upgrades regulatory details in a "gap-filling" manner but also reflects the comprehensive requirements of the Cayman regulatory authorities for market transparency, governance standardization, and anti-money laundering responsibilities. In the future, the compliance entry threshold and ongoing operational costs for the virtual asset service industry will be at a relatively high level globally.
Through this amendment, we can clearly see the distinct trends in the development of the Cayman Islands VASP regulatory system:
1. Regulatory boundaries continue to expand, with applicable subjects and virtual asset types being comprehensively included.
From the addition of the definition of "Convertible Virtual Asset" to the removal of outdated terms such as "existing licensee," the regulatory scope is clearer, incorporating more small service providers and emerging virtual asset categories that were previously in gray areas. This means that in the future, whether traditional trading platforms, custodians, or infrastructure developers, as long as they provide virtual asset services, they may fall under the VASP regulatory scope, clarifying the industry's compliance boundaries.
2. Governance structure standardization, with transparency and actual control identification becoming core.
Through the refinement of board structure and beneficial ownership disclosure, the requirements for the number of directors and the configuration of independent directors have been clarified, raising the standards for governance transparency for VASPs. Especially for projects with multiple shareholders, multi-signatures, multi-layer structures, or DAO governance models, the actual controlling entity must be clearly identifiable, eliminating issues of hidden shareholders and shadow directors.
3. Compliance and entry thresholds are comprehensively raised, with layered management of high and low-risk businesses.
High-risk businesses (such as trading matching, custodial services, and issuance) must apply for a full license, accompanied by compliance requirements for capital, internal controls, anti-money laundering, and financial audits, significantly increasing establishment and operational costs. In contrast, low-risk businesses (such as non-custodial wallets and infrastructure) can still complete registration through a registration system, but CIMA's requirements for information disclosure and governance structure are equally clear, eliminating the space for regulatory arbitrage.
4. AML/CFT requirements benchmark against international standards, and technical systems must support the "travel rule."
Refining the collection of customer identity, source of funds, and transaction details, extending data retention periods, submitting responses within 48 hours, and clarifying high-risk customer management requirements. At the same time, cross-VASP transfer processes must interface with technical systems to complete the transmission of originator and beneficiary information, corresponding to the FATF "travel rule," further raising the technical compliance threshold.
5. Financial Transparency and Audit System Strengthened, Enhancing CIMA's Substantive Regulatory Capacity.
CIMA not only requires designated accountants to conduct financial audits annually but can also directly appoint special audits when false disclosures or significant risks are discovered, with costs borne by the VASP. Changes in shareholder equity, adjustments to business scope, and business expansions require prior written approval, with regulation intervening throughout the entire process from entry to ongoing operations, significantly increasing the cost of violations.
6. Strengthened On-Site Law Enforcement and Business Suspension Powers, Leaving No Room for False Compliance.
This amendment empowers CIMA with stronger enforcement powers, including on-site searches, asset freezes, license revocations, and direct applications for liquidation procedures, maintaining a high-pressure stance against unlicensed operations, false advertising, and violations of anti-money laundering obligations, effectively blocking regulatory arbitrage operations.
7. Compressed Transition Period, Existing Projects Face Time Window Challenges.
Existing VASPs have only 90 days to complete governance structure adjustments, audit arrangements, and anti-money laundering system rectifications; institutions that fail to complete these in a timely manner will face direct revocation risks. Additionally, project parties that have submitted applications but have not yet been approved must quickly supplement materials or resubmit, leaving a very limited window for market rectification.
Mankun Lawyers' Recommendations
The implementation of the new Cayman VASP regulatory rules in 2025 marks the beginning of a deepening governance phase for virtual asset compliance in the Cayman Islands.
For Web3 project parties looking to leverage the Cayman Islands to enter international markets, possessing a license is just the foundation; more importantly, the governance structure, asset custody, board transparency, and anti-money laundering systems must withstand in-depth regulatory scrutiny.
In this regard, Mankun Lawyers recommends that various Web3 project parties develop detailed compliance strategies based on their business nature, complete structural reshaping and risk control construction in advance, and respond robustly to the regulatory challenges following the formal implementation of the new regulations in 2025.
1. For High-Risk Businesses
Complete governance structure adjustments as soon as possible: Ensure the board is equipped with at least three directors and one independent director, with the independent director's qualifications being genuine and capable, avoiding related party dual roles.
Review capital strength: Supplement capital reasonably based on business scale, reserving sufficient funds to meet regulatory reporting and risk mitigation needs.
Improve the custodial compliance system: For service providers involved in customer asset custody, implement asset bankruptcy isolation, separate custody accounts, dual-signature mechanisms, and third-party audits to avoid time pressure from subsequent constructions.
Plan business expansion paths in advance: If planning to add new trading varieties, cross-chain custody, or token issuance in the future, prior approval processes must be planned with CIMA to avoid compliance obstacles caused by blind expansions.
Building a compliance team: Internally, qualified AML/CFT compliance officers, financial heads, and technical risk control personnel should be equipped, and third-party consulting firms should be hired to assist in establishing anti-money laundering and system compliance frameworks when necessary.
2. For Low-Risk Businesses
Reasonably utilize the registration and filing system: The current registration system has relatively low costs, suitable for infrastructure-type project parties to obtain Cayman compliance endorsement through filing.
Also pay attention to information disclosure and governance requirements: Although licensing is not required, ensure that the board and actual controller information is disclosed truthfully and transparently, avoiding excessive exaggeration of the regulatory scope in promotional materials.
Be mindful of technical compliance interfaces: For cross-VASP service functions (such as payment routing and bridging services), assess in advance whether they will be classified as high-risk services due to their interconnections.
3. For Existing Applicants or VASPs in the Transition Period
Immediately review submitted materials: Check the board structure, AML system, custodial account arrangements, etc., against the new regulations, and if necessary, choose to withdraw old applications and resubmit after filling compliance gaps.
Initiate a 90-day transition period rectification plan: Clearly define the completion timeline for governance adjustments, system supplements, audit arrangements, KYC system optimizations, etc., to ensure that "timing" during the transition period does not lead to enforcement risks.
At the same time, for all VASPs, it is also necessary to pay attention to: external promotion of compliance self-inspection, audit and data system pre-layout, and the improvement of high-risk customer identification systems.
In response to the urgent rectification needs during the 90-day transition period before and after the effectiveness of the "Virtual Asset (Service Providers) (Amendment) Act, 2024," Mankun Lawyers, who have long focused on Web3 offshore and virtual asset compliance, have established a comprehensive compliance service system to assist project parties in quickly completing governance structure adjustments, anti-money laundering system supplements, board configuration optimizations, and license or registration application submissions, ensuring a smooth transition to the new regulatory requirements.
We welcome Web3 entrepreneurs, funds, and virtual asset service providers interested in establishing a presence in the Cayman Islands to contact us for customized compliance solutions to seize the compliance initiative.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
