CIMA highlights compliance challenges for VASPs in the Cayman Islands
02 Dec 2025
|
The Cayman Islands Monetary Authority (CIMA) released a desk-based review of the Virtual Asset Service Providers (VASPs) to assess compliance with the Virtual Assets (Service Providers) Act (VASP Act) and related regulations in November 2025. The review, covering 11 entities, focussed on corporate governance, internal controls, cybersecurity, financial stability, and virtual asset custody arrangements.
Key findings:
- Corporate governance: Gaps in board composition and succession planning were identified. Boards lacked diversity and independent directors, contrary to regulatory requirements.
- Internal controls: Deficiencies in business continuity planning, internal audits, and complaints handling were noted. Many entities lacked comprehensive policies and regular reviews.
- Cybersecurity: Weaknesses included inadequate governance, risk management, and data protection measures. Many entities failed to conduct regular audits or implement robust cybersecurity frameworks.
- Virtual asset custody: Policies for managing virtual asset custody and private keys were insufficient. Over 80 per cent of entities had not conducted independent audits of custody platforms.
Recommendations:
- Strengthen governance by ensuring board diversity and formal succession plans.
- Enhance internal controls, including business continuity plans and regular audits.
- Improve cybersecurity frameworks, conduct regular risk assessments, and secure insurance against cyber risks.
- Develop robust policies for virtual asset custody, including independent audits and client disclosures.
Regulatory reminders:
VASPs must promptly notify CIMA of changes in key personnel, cybersecurity incidents, or operational changes. Compliance with the VASP Act, AML regulations, and other legal obligations is critical.
For more information CIMA’s desk-based review can be found here
