VASP FAQs: Key Information for Cayman Islands Virtual Asset Service Providers

Virtual Asset Service Providers (VASPs) play a crucial role in the digital asset ecosystem in the Cayman Islands. Governed by the Virtual Asset (Service Providers) Law, 2020, VASPs include companies, partnerships, and other entities that provide virtual asset services as a business in or from within the Cayman Islands. These services encompass a wide range of activities, including virtual asset custody, trading platforms, and issuance services. This page provides a thorough guide to the most frequently asked questions concerning VASPs.

1. What is a Virtual Asset?

The VASP Act defines “Virtual Assets” as digital representations of value that can be digitally traded or transferred and can be used for payment or investment purposes.

Digital representations of fiat currencies (which is effectively legal tender) and virtual service tokens are not considered Virtual Assets.

2. What is Blockchain?

Blockchain is a decentralised digital ledger technology that records transactions across multiple computers with the aim of ensuring that the relevant recorded data is secure, transparent, and cannot be altered. Each record, known as a “block”, contains transaction data, a timestamp, and a unique cryptographic signature, known as a “hash”. These blocks are linked together in a chain, making the history of transactions traceable and immutable.

This traceability and the immutable nature of blockchain is a key feature of the technology, combined with the fact that most blockchains are also inherently transparent and publicly accessible.

The primary desirable aspect of blockchain is that it is decentralised and no single person or entity can control it. Instead, blockchain requires a network of participants, known as “nodes”, to validate and record new transactions. In this way, blockchain is often described as a ‘trustless’ technology, meaning that participants in the network do not need to place their trust in a central authority or intermediary to ensure the integrity of transactions (such as the way they would trust a traditional bank).

The overall transparent and secure features of blockchain technology makes it useful for various applications, including storage and transfer of cryptocurrencies, operation of smart contracts and supply chain management.

3. What are the applicable legal and regulatory instruments?

1. Virtual Asset (Service Providers) Act (As Revised) (the VASP Act);
2. The Virtual Asset (Service Providers) Regulations (the VASP Regulations);
3. Regulatory Policy, Registration or Licensing of Virtual Asset Service Providers (the VASP Policy); and
4. Applicable rules issued by the Cayman Islands Monetary Authority relating to prudential conduct of business matters (see relevant link to CIMA website) (CIMA Rules).

4. What is a Virtual Asset Service?

A “Virtual Asset Service” is defined as

1. the issuance of virtual assets to the public or
2. the business of providing one or more of the following services or operations for or on behalf of a natural or legal persons or a legal arrangement:
   a) exchange between virtual assets and fiat currencies;
   b) exchange between one or more other forms of convertible virtual assets;
   c) transfer of virtual assets;
   d) virtual asset custody services; or
   e) participation in, and provision of, financial services related to a virtual asset issuance or the sale of a virtual asset; or
3. a person who operates a Virtual Asset Trading Platform.

5. What is a Virtual Asset Trading Platform?

A centralised or decentralised digital platform:

a) which facilitates the exchange of virtual assets for fiat currency or other virtual assets on behalf of third parties for a fee, commission, spread or other benefit; and

b) which —

(i) holds custody of or controls virtual assets on behalf of its clients to facilitate an exchange; or

(ii) purchases virtual assets from a seller when transactions or bids and offers are matched in order to sell them to a buyer,

and includes its owner or operator, but does not include a platform that only provides a forum where sellers and buyers may post bids and offers and a forum where the parties trade in a separate platform or in a peer-to-peer manner.

With respect to the term ‘operator’, this means a person or group of persons that exerts effective control over the activities of a virtual asset trading platform. However, in the absence of a single entity or group that exerts effective control over the platform, the operator shall be considered to be the owner of the entity under which the platform operates.

6. Who is considered a VASP?

For the purposes of the VASP Act, a VASP is any person that is a:

a) company incorporated under the Companies Act (2023 Revision);
b) general partnership established under the Partnership Act (2024 Revision);
c) limited partnership registered under the Partnership Act (2024 Revision);
d) exempted limited partnership registered under the Exempted Limited Partnership Act (2021 Revision);
e) foreign company registered under Part IX of the Companies Act (2023 Revision);
f) limited liability company formed and registered under the Limited Liability Companies Act (2023 Revision); or
g) limited liability partnership formed and registered under the Limited Liability Partnership Act (2023 Revision),

and provides a Virtual Asset Service as a business or in the course of business in or from within the Cayman Islands. Any such person will need to seek registration or licencing as described further below.

7. What does a VASP need to do?

If an entity proposes to provide Virtual Asset Services in or from the Cayman Islands, they will be required to seek regulatory authorisation from CIMA in the form of either a registration or licence prior to undertaking such activity.

8. When is Registration required?

Registration is required where any VASP undertakes issuance, exchange or transfer of virtual assets or where a person provides financial services in respect of an issuance/sale of virtual asset and is an in-scope entity for the VASP Act.

Whether a VASP is required to seek Registration or Licence will depend on the exact nature of the services provided and activity engaged in by the VASP.

9. When is Licencing required?

Licencing is required where a person undertakes virtual asset custody services or operates a virtual asset trading platform.

10. Is the Cayman Islands Licencing Regime active yet?

The Licencing regime has not yet been activated and any person proposing to undertake any Virtual Asset Service is expected to seek registration from CIMA. Following such, a person proposing to undertake custody or operate a trading platform must seek registration with CIMA and ultimately upgrade to a licence when the regime is activated.

While there has been no formal confirmation, the latest indications are that the licencing regime under the VASP Act will be activated in late 2024/early 2025.

11. What does Registration entail?

CIMA assesses the following criteria when considering whether to approve a VASP:

1. fitness and propriety of the shareholders, proposed directors and senior officers;
2. quality of business plan;
3. group track record;
4. the level of the applicant’s transparency;
5. the robustness of the applicant’s risk management, internal controls and cyber security measures including IT or Blockchain infrastructure; and
6. systems for combating money laundering and terrorist financing, proliferation financing and sanctions monitoring. VASPs will also be required to appoint an anti-money laundering compliance officer, money laundering reporting officer, and deputy money laundering reporting officer who will also be assessed for fitness and probity.

When presented with a VASP licencing application, CIMA will also consider whether:

1. an approval is against the public interest;
2. the applicant has complied with other requirements under the VASP Act upon CIMA’s request.

CIMA also requires evidence of the organisational structure of an applicant to include:

1. a comprehensive full group companies structure chart, including the ultimate beneficial owners;
2. details of regulated status of entities within applicant’s group, the relevant regulated services and jurisdictions; and
3. details of services provided by any entity related to the applicant.

12. What documents need to be submitted to CIMA?

CIMA expects the following documentation to be provided in support of an application:

1. a completed application form;
2. a comprehensive business plan;
3. list of the applicant’s blockchain addresses;
4. details of all shareholders with more than 10% shareholding together with a completed CIMA personal questionnaire;
5. evidence of fitness and probity on all senior officers;
6. copies of cybersecurity policies;
7. copies of anti-money laundering and countering of terrorist financing policies;
8. transaction flow charts;
9. details of outsourced arrangements and related agreements; and
10. application fee.

13. What pre-application matters should applicants consider?

Pursuant to the Regulatory Policy, CIMA strongly encourages prospective applicants to schedule a meeting to discuss their prospective application in advance of submitting an application for registration or licencing. Conyers can assist with the pre-discussion review and analysis, and with facilitating an introduction and attending the meeting with the relevant CIMA contacts.

The Policy also recommends that prospective applicants obtain a formal independent legal opinion to support the application on how it meets the requirement for registration or licence under the VASP Act.

For further detail on pre-licensing conditions, please read our publication on the recent CIMA outreach session.

14. Can CIMA impose post-approval requirements and conditions?

Yes, CIMA has discretion to impose specific certain post-approval requirements on the registration or licence.

Where imposed, the Company would be obligated to satisfy such requirements or conditions within a timeframe specified by CIMA. Where no timeframe is specified, such conditions would need to be satisfied within 6 months of the date of the approval.

15. Can CIMA reject an application?

Yes, CIMA will reject an application where an application is incomplete and where the applicant and/or its management or shareholders are not fit and proper.

CIMA may also reject an application where the applicant does not meet the requirements prescribed in the VASP Act, VASP Regulations, the criteria set out in the VASP Policy or where CIMA believes that approving registration or issuing a licence would not be in the best interests of the public, proposed shareholders, customers, or creditors, or if it is not in line with CIMA’s risk appetite.

16. What is a Sandbox Licence?

A sandbox licence is a temporary licence granted for a period of up to one year and is for VASPs that utilise a particularly innovative service, technology or method of delivery and where a traditional VASP licence is deemed inadequate.

The purpose of providing a Sandbox Licence, as opposed to a full licence, is to allow CIMA to monitor and supervise the service until such time as CIMA is comfortable to allow the business to operate under a full licence. A VASP Sandbox licence allows CIMA to assess and regulate the relevant service whereby CIMA may exempt a Sandbox Licence holder from certain obligations that would otherwise apply or impose additional requirements tailored to the specific activities.

17. Are Stablecoins treated differently from typical virtual assets?

Whether or not a stablecoin will be treated different to more typical virtual assets such as bitcoin and etherium from a legal and regulatory perspective will depend on the structure and underlying asset(s) that the stablecoin is pegged against.

For further detail on this, see our publication on Stablecoins in the Cayman Islands.

18. What is the Travel Rule?

This Travel Rule, which aligns with the Financial Action Task Force (FATF) guidelines, aims to enhance transparency, prevent money laundering, and combat the financing of terrorism in the cryptocurrency space.

The Travel Rule requires all VASPs to share certain customer information when conducting virtual asset transfers on behalf of a third party.
For further details on the Travel Rule, please see our publication on the Travel Rule.

19. What happens if the VASP Act is breached?

It is a criminal offence to provide Virtual Asset Services without a licence/registration or otherwise in contravention of the VASP Act.

The VASP Act provides for penalties up to US$120,000 and imprisonment of one year with additional potential daily fines of US$12,000 for each day that the breach persists.

20. What anti-money laundering and countering of terrorist financing obligations do VASPs have?

Virtual Asset Services are considered “relevant financial business” under schedule 6 of the Proceeds of Crime Act (as revised) and are required to implement processes and procedures to prevent money laundering, terrorist financing and proliferation financing.

In particular, it should be noted that the Cayman Islands Anti Money Laundering Regulations (as revised) (AML Regulations) provide that a person carrying out “relevant financial business” must not form a business relationship in the course of such business without first complying with the AML Regulations (which impose a number of regulatory obligations on entities including the requirement to implement detailed policies and procedures, appoint money laundering reporting officers and monitor customers and transactions).

21. Do sanctions apply to VASPs?

Yes, like other traditional financial institutions, VASPs are expected to integrate sanctions compliance procedures including screening measures into customer and vendor onboarding and transaction monitoring processes.

For further detail on the applicability of Cayman Islands Sanctions requirements to VASPs, see our publication here.

22. Are VASPs subject to the same shareholder notification requirements as other regulated financial institutions?

Yes, the prior approval of CIMA is required if the VASP intends to issue shares (or equivalent ownership interests) in a VASP where such issuance represents 10% or more of the total shares (or equivalent ownership interests in that VASP) or the voluntary transfer or disposal of shares (or equivalent ownership interests) in a VASP.

23. What if a VASP is also providing services triggering another regulatory regime (such as securities legislation)?

CIMA has confirmed that dual-licencing will apply in such circumstances and all VASPs conducting activity requiring registration or licence under a separate regulatory regime will be required to apply for regulatory approval in addition to a VASP registration/licence.

[View source.]