The fintech market in the Cayman Islands has continued to develop significantly over the past 12 months.

Technology Talent Pool

The Cayman Islands has cultivated a technology talent pool of experienced professionals and service providers. Its increasingly mature technology industry is playing a pivotal role in strengthening the financial services sector. The availability of skilled professionals has facilitated the growth of fintech companies and their innovative solutions.

Attractiveness for Fintech and Crypto Businesses

The Cayman Islands has positioned itself as an emerging hub for both fintech and crypto businesses. Its well-regarded financial services framework, coupled with robust technology infrastructure, attracts companies worldwide to domicile in the Cayman Islands.

Stable Political Environment and Tax Neutrality

The Cayman Islands’ stable political environment provides a conducive backdrop for fintech ventures. Its tax neutrality further enhances its appeal as a business-friendly destination for fintech start-ups and established players.

Challenges

While the fintech market in the Cayman Islands continues to make significant strides, there are several challenges which may impact it in the next 12 months:

• regulatory compliance – as the industry evolves, staying compliant with global standards (including anti-money laundering and counterterrorist financing regulations) remains crucial;
• cybersecurity – fintech companies must fortify their cybersecurity measures to protect customer data and maintain trust;
• market competition – increased competition from other offshore jurisdictions and emerging fintech hubs may require the Cayman Islands to continue to innovate and differentiate;
• global political economic trends – the fintech market’s trajectory has always been influenced by broader economic shifts and geopolitical events, particularly as the world adjusts to the new administration in the US; and
• technological advancements – keeping pace with technological advancements and adopting them effectively will be essential.

AI

Artificial intelligence models continue to be regarded as a highly disruptive influence in financial services and associated processes, as investors and developers pursue innovation in this field. Adapting legal regimes to tailor specifically to the challenges and opportunities of AI would be a positive step to set responsible development and deployment parameters.

There are a number of verticals for new and legacy players, which include the following.

• Virtual asset trading platforms – the Cayman Islands hosts a number of regulated virtual asset trading platforms that facilitate the trading of a wide variety of virtual assets. These trading platforms play a crucial role in the global crypto market and attract investors seeking liquidity and exposure to virtual assets.
• Custodial services – certain custodians in the Cayman Islands provide secure storage and management of virtual assets on behalf of clients. They ensure the safekeeping of private keys and assist institutional investors, investment funds, and high net worth individuals. Custodial services are essential for maintaining the integrity and security of digital assets.
• Token offerings – the Cayman Islands has been a popular jurisdiction for launching token offerings. Companies raise proceeds by issuing tokens (often utility or governance tokens) to purchasers in exchange for cryptocurrencies or fiat currency.
• Blockchain and Web3 innovators – the Cayman Islands is home to innovators working on centralised and decentralised technologies. These include blockchain projects, decentralised applications (DApps), and Web3 solutions. These innovators drive technological advancements and contribute to the global fintech ecosystem.
• Alternative investment funds – the Cayman Islands is the leading domicile for alternative investment funds, including venture capital, private equity, hedge and crypto funds. These funds often invest in virtual assets, tokens, and related ventures. The jurisdiction’s regulatory clarity and tax neutrality attract investment funds, fund managers and investors.
• Regulatory compliance services – given the evolving regulatory landscape, compliance services have become crucial. Fintech companies rely on legal and compliance experts to navigate AML/CFT regulations, data privacy laws, and licensing requirements.
• Decentralised finance (DeFi) – while still emerging, DeFi protocols and platforms are gaining traction in the Cayman Islands. These include lending, borrowing, yield farming, and liquidity provision. DeFi projects leverage smart contracts and blockchain technology to create decentralised financial services.
• Payment solutions and remittances – fintech players in the Cayman Islands explore payment solutions and remittance services. These aim to improve cross-border transactions, reduce fees, and enhance financial inclusion. Legacy players also adapt to digital payment trends.
• Digital identity and KYC solutions – with increased focus on security and compliance, fintech companies work on digital identity solutions and KYC processes. These technologies streamline onboarding, enhance security, and prevent fraud.
• Regulatory technology (regtech) – regtech firms in the Cayman Islands develop tools and platforms to assist financial institutions in meeting regulatory requirements. These solutions automate compliance processes, monitor transactions, and ensure adherence to reporting standards.

The financial services sector in the Cayman Islands is regulated primarily by CIMA. Key regulatory laws provide for a registration or licensing process whereby entities and individuals conducting regulated activity are required to obtain a registration or a licence from CIMA.

The key regulatory laws of the Cayman Islands (as amended, in each case) that could apply to an industry participant include:

• Anti-Money Laundering Regulations;
• Banks and Trust Companies Act;
• Companies Management Act;
• Data Protection Act;
• FATCA and CRS Regulations (noting that the Cayman Islands also intends to implement the Crypto-Asset Reporting Framework);
• Insurance Act;
• International Tax Co-operation (Economic Substance) Act;
• Mutual Funds Act;
• Private Funds Act;
• Proceeds of Crime Act;
• Securities Investment Business Act (SIBA); and
• Virtual Asset (Service Providers) Act (the “VASP Act”).

CIMA holds significant supervision powers within the financial services industry across a number of key aspects.

• Regulation and supervision – CIMA’s primary role is to regulate and supervise the financial services sector in the Cayman Islands. It ensures compliance with relevant laws, regulations and international standards.
• Monitoring compliance – CIMA monitors compliance with AML and CFT regulations. It oversees financial institutions’ adherence to these critical standards.
• Currency management – CIMA manages the issuance and redemption of the Cayman Islands currency. It also oversees the management of currency reserves.
• Advisory role – CIMA provides advisory services to the Cayman Islands government on financial services regulatory matters. Its expertise informs policy decisions and regulatory frameworks.
• Regulatory measures – CIMA issues regulatory handbook measures in the form of policies, procedures, rules and statements of principle and guidance. These measures set detailed standards and give guidance to industry on compliance.

There are no restrictions in the Cayman Islands on the compensation models that industry participants are allowed to use to charge customers. Compensation must be clearly disclosed to customers and not be charged in a manner that is misleading or deceptive.

The underlying regulatory regime for fintech industry participants is substantially the same as it is for legacy players.

The Cayman Islands offers a time-limited (up to one year) regulatory sandbox licence for both virtual asset service providers and fintech companies. This sandbox allows innovative services to be tested with certain restrictions without requiring a full licence. The primary aim of the regulatory sandbox is to facilitate innovation in a safe and responsible manner. It allows companies to experiment with new products, services, solutions, technologies, business models and policies. By providing a controlled space for testing, it encourages creativity and the development of cutting-edge solutions. CIMA assesses, monitors and supervises the innovative service, technology or method of delivery of a sandbox licensee with a view to ensuring that:

• the service, technology or method of delivery complies with the principles of honesty, integrity, fair treatment of customers, and the protection of customer data and assets;
• the service, technology or method of delivery improves the provision of financial services in the Cayman Islands;
• the service, technology or method of delivery complies with global standards and best practices for combating money laundering, terrorist financing and proliferation financing;
• the adoption of new financial services practices and technologies within the Cayman Islands is facilitated; and
• best practices and guidance are developed for the virtual asset service sector.

CIMA is the primary regulator in the Cayman Islands and has broad regulatory oversight of regulated entities in the Cayman Islands.

In performing this regulatory function, CIMA shall:

• endeavour to promote and enhance market confidence, consumer protection and the reputation of the Cayman Islands as a financial centre;
• endeavour to reduce the possibility of financial services business or relevant financial business being used for the purpose of money laundering or other crime; and
• recognise the international character of financial services and markets and the necessity of maintaining the competitive position of the Cayman Islands, from the point of view of both consumers and suppliers of financial services, while conforming to internationally applied standards insofar as they are relevant and appropriate to the circumstances of the Cayman Islands.

In addition, the Department for International Tax Co-operation is a department in the Ministry of Financial Services and Commerce. It is responsible for administering all of the Cayman Islands’ legal frameworks for international co-operation in tax matters, and for carrying out the functions of the Tax Information Authority, the Cayman Islands’ competent authority. The Tax Information Authority’s function is to collect information on tax matters and exchange that information with other Competent Authorities pursuant to relevant international agreements. Broadly speaking it covers supervision of:

• the Common Reporting Standard, which is the global standard for the automatic exchange of financial account information for tax purposes;
• the Foreign Account Tax Compliance Act, which is the mechanism for reporting information on financial accounts held by US persons to the US Internal Revenue Service (IRS);
• the Cayman Islands Economic Substance Act which contains the rules for satisfying the international standard for substantial activities requirements;
• Country-by-Country Reporting which implements the requirements of Action 13 of the OECD/G20 BEPS actions and country-by-country reporting requirements that are filed by certain multinational enterprises with domestic tax authorities; and
• the Exchange of Information on Request which takes place when the tax authority of a requesting jurisdiction asks for particular information from the competent authority of a partner jurisdiction.

Finally, the Office of the Ombudsman is the supervisory authority for data protection-related matters and is empowered to investigate, mediate and decide complaints under the Data Protection Act.

CIMA does not currently issue “no-action” letters.

While outsourcing is permitted to regulated or unregulated entities, CIMA emphasises that responsibility and accountability for effective oversight of all regulated activities, whether outsourced or not, rests with the governing body and senior management of the regulated entity. The recent Statement of Guidance (April 2023) applies to most entities regulated by CIMA. The Guidance applies regardless of whether the outsourcing arrangement established by a regulated entity is with a related or unrelated entity.

A regulated entity should assess the materiality of its outsourcing arrangements, and without limiting the scope of its assessments, should consider:

• the impact of the outsourcing arrangement on its finances, reputation and operations, or a significant business line, particularly if the service provider, or group of affiliated service providers, should fail to perform over a given period of time depending on the nature of the outsourced function/service;
• its ability to maintain appropriate internal controls and meet regulatory requirements, particularly if the service provider were to experience problems;
• the cost of the outsourcing arrangement;
• the risk of potential loss, temporarily or permanently, of access to important data; and
• the degree of difficulty and time required to find an alternative service provider or to bring the business activity in-house.

The extent to which fintech providers are deemed to be “gatekeepers” will depend on the nature of the platform. If, for example, the platform is unregulated and is merely a venue to share information, then it is expected that there would be little in the way of “gatekeeper” responsibility. If, however, the information being shared on the platform amounts to investment advice (either from the platform provider or between users of the platform) then the platform may be subject to licensing or registration requirements under SIBA.

CIMA may take action to enforce the requirements of the regulatory laws and other relevant legislation. Enforcement options available to CIMA include: (i) suspension of the licence of a licensee and preservation of its records, (ii) revocation of the licence of a licensee, (iii) requiring the substitution of a director, operator, senior officer, general partner, promoter, insurance manager or shareholder of the licensee (as applicable), (iv) appointing a person to assume control of the affairs of the licensee, (v) appointing a person to advise the licensee on the proper conduct of its affairs, (vi) applying to the Grand Court of the Cayman Islands for orders directing the winding up of the relevant entity, and (vii) the imposition of administrative fines.

There have been a number of enforcement actions in the recent past, including:

• cancellation of the registration of two individual directors in accordance with Section 6(2) of the Directors’ Registration and Licensing Act for failure to provide information and pay licensing fees;
• cancellation of the registration of a company as a Securities-Registered Person in accordance with Section 17(2A)(a) of SIBA for failing to provide information, give declarations, pay fees and to have qualifying directors;
• revocation of the banking licence of a company in accordance with Section 18(5)(b) of the Banks and Trust Companies Act for entering into provisional liquidation; and cancellation of a mutual fund registration pursuant to Section 30(3)(a) of the Mutual Funds Act for failing to submit audited accounts for four consecutive years and failing to pay annual fees for two consecutive years; and
• levying of administrative fines on regulated entities for AML infractions and failure to maintain prescribed capital.

In relation to virtual asset service providers in particular, an action was commenced in January 2023 by Nexo Capital Inc. (“Nexo”) challenging the decision of CIMA to deny Nexo’s application for VASP registration. This dispute remains ongoing and is being closely monitored as the only action brought under the VASP Act thus far.

Key areas include the following.

• Anti-Money Laundering Regulations – an entity that conducts “relevant financial business” must comply with the AML/CFT regime in the Cayman Islands. Recent amendments to the regime in 2020 brought virtual asset service providers into scope.
• Data Protection Act – the Data Protection Act requires a data controller to comply with eight data protection principles when processing personal data and to ensure that those principles are complied with in relation to personal data processed on the data controller’s behalf under a written contract. In addition, the Data Protection Act also deals with data security, data breaches and the rights of individual data subjects, including providing a privacy notice.
• Cybersecurity – CIMA has published its Rule and Statement of Guidance relating to Cybersecurity for Entities Regulated by the Authority requiring regulated entities to develop, implement and monitor robust cybersecurity frameworks. These regulations aim to reduce the threat of cyber-attacks, protect sensitive data, and enhance recovery from cybersecurity incidents.
• Social media – the use of social media and similar tools is currently not specifically regulated, apart from indirectly under legislation such as the Data Protection Act, the Penal Code and the Contracts Act.

Certain regulated entities (such as investment funds and licensed service providers) are required to appoint a local auditor and have their audited financial statement filed with CIMA on an annual basis.

While certain fintech businesses may not be doing “relevant financial business” (see 2.11 Implications of Additional, Non-Financial Services Regulations) they may determine to apply certain AML/CFT provisions to their business as a matter of best commercial practice although there is no regulatory oversight of those voluntary regimes for unregulated entities.

Generally, unregulated business lines would be separated from regulated business lines and run through separate legal entities. This is done:

• as a risk-mitigation tool to ring-fence the risk of regulated business from the risk of unregulated business;
• to streamline operations of regulated businesses and avoid the complexity, cost and supervisory oversight of running unregulated business within the same legal entity as a regulated business;
• for increased flexibility in the scaling of both the regulated and unregulated business lines; and
• to ensure maximum flexibility on a potential exit of the businesses (which could be done at different times to different purchasers on different deal terms and – in the case of the unregulated business – without regulatory scrutiny of the purchaser of the business.       

Virtual asset service providers will be doing “relevant financial business” (see 2.11 Implications of Additional, Non-Financial Services Regulations) and will be required to comply with AML and sanctions rules. This requires them to perform KYC identity verification and (in some instances) source-of-funds checks on their customers. In traditional financial services industries, this has been the norm for many years – while for fintech companies this could impose significant additional regulatory costs, a loss of market share to unregulated entities in the Cayman Islands or in other jurisdictions, and a tension with their proposed business model and/or customer base. In addition, care should be taken with affiliates of virtual asset service providers, such as those facilitating real world asset tokenisation, as they may also be subject to anti-money laundering and sanctions rules even if they are not regulated as virtual asset service providers because they are deemed to conduct “relevant financial business”.

Unregulated companies providing technology services will generally not be doing “relevant financial business” (see 2.11 Implications of Additional, Non-Financial Services Regulations) and will therefore not be required to comply with the AML rules, however, the sanctions regimes will still apply and so some form of KYC is generally undertaken.

The anti-money laundering and sanctions rules in the Cayman Islands generally follow the standards imposed by the Financial Action Task Force (FATF). All Cayman Islands persons are required to observe Cayman Islands sanctions provisions (which are essentially the same as the sanctions provisions in the United Kingdom) extended to the Cayman Islands by statutory instruments. The list of sanctions regimes currently in force in the Cayman Islands is available on the Financial Reporting Authority website.

Under Cayman Islands law, there is no explicit reverse solicitation safe harbour, but as a general principle, the regulatory regime will only capture persons that have a Cayman Islands nexus (ie, either they are Cayman Islands persons or they are foreign persons soliciting business or marketing their business in the Cayman Islands). 

Cayman Islands law does not expressly contemplate or regulate robo-advisers, although they could be regulated depending on how they are implemented. For example, if a robo-adviser platform was set up in order to provide investment advice on securities to its customers then it would be regulated as a securities adviser under SIBA.

It is difficult to determine whether legacy players are implementing solutions introduced by robo-advisers. However, it is not uncommon for crypto funds and high-frequency and algorithmic trading funds to be managed by entities that rely on proprietary robo-advice algorithms or licensed software.

This is not applicable in the Cayman Islands.

As a general matter, Cayman Islands law does not specifically regulate lending to individuals or otherwise, so there are no significant differences which vary with the nature of the borrower, save that the provision of lending business would likely fall within the scope of the AML Regulations as “relevant financial business” and which will consequently result in AML/CFT obligations on the lender. Such AML Regulations do not apply differently based on the category of the borrower. It is also important to note that lending could be considered a financing and leasing business under the economic substance regime of the Cayman Islands unless an exemption applies, and the jurisdiction does have laws regulating deposit-taking business (which could be used by some banking models as a source of funds for loans, see 4.3 Sources of Funds for Fiat Currency Loans for more detail).

The underwriting process is not currently dictated by regulation in the Cayman Islands. To the extent a lender is participating in underwriting under the laws of another jurisdiction, CIMA is likely to require such lender to be in compliance with the laws of such jurisdiction in relation to such underwriting.

The classic retail banking model of accepting deposits to fund lending is one of a number of different ways to raise funds. As there are no general prohibitions on the method a participant uses to fund its lending in the Cayman Islands, any method of raising capital could theoretically be possible (including through entering into or executing digital asset transactions, structured arrangements or more traditional financing methods).

P2P Lending

Peer-to-peer lending is not currently regulated in the Cayman Islands. Digital platforms offering decentralised finance operated by Cayman Islands entities are not regulated in the Cayman Islands (assuming that there is no exchange, transfer or custodying of virtual assets on such platforms).

Lender-Raised Capital

Borrowing through debt is not regulated in the Cayman Islands, although all entities should be aware of and comply with applicable sanctions regimes when receiving funds. Cayman Islands entities are also free to raise funds through issuing investment interests such as through shares (in the case of a company) or membership or partnership interests (in the case of a limited liability company or exempted partnership), although Cayman Islands entities should take advice on whether such arrangements are caught by the Private Funds Act or Mutual Funds Act of the Cayman Islands.

Capital Markets/Securitisations

The issuance of debt instruments (eg, bonds, notes and commercial paper) by a Cayman Islands entity is not a regulated activity in and of itself in the Cayman Islands. There are, however, other ancillary regulations which may apply including in relation to AML, data protection and sanctions.

Deposit Taking

Banking business in the Cayman Islands (which in summary is defined to mean the business of receiving and holding on deposits or other similar account money which is repayable and may be invested by way of advances to customers or otherwise) is regulated in the Cayman Islands and may require a licence under the Banks and Trust Companies Act under the supervision of CIMA.

At present, there is not a substantial market for the syndication of loans in the Cayman Islands, although as a general matter there is no regulation, prohibition or restrictions on loan syndication. The jurisdiction would welcome more syndication of loans in the future as more and more Cayman Islands lenders are established.

There are no specific prohibitions under Cayman Islands law on creating or implementing new payment rails. That being said, as further described in 5.2 Regulation of Cross-Border Payments and Remittances, payment processing is likely to be a regulated activity requiring licensing and supervision by CIMA. A grant of such licence involves CIMA approving the licensee’s proposed accounting processes and systems of business and may be subject to such conditions and requirements as CIMA may require (including in relation to the payment rails intended to be used by the payment processor). Any material change to the application and business plan approved by CIMA could trigger the necessity for prior consent and/or a re-examination by CIMA of the licensee’s business model. CIMA may refuse to grant or renew a licence if it is of the opinion that the person applying for the licence would fail to fulfil the obligations of a licensee under the law.

Banks are involved in cross-border payments in the ordinary course, but in addition, cross-border payments would constitute a “money services business” which is a regulated activity in the Cayman Islands pursuant to the Money Services Act. Money services business is defined as the business of providing any or all of the following services:

• money transmission;
• cheque cashing;
• currency exchange;
• the issuance, sale or redemption of money orders or traveller’s cheques; and
• such other services as the governor in the Cabinet may specify by notice published in the Gazette; or
• the business of operating as an agent or franchise holder of a business offering any or all of the services listed above.

Section 4(a)(i) of the Stock Exchange Company Law provides that the Cayman Islands Stock Exchange has the sole and exclusive right to operate one or more securities markets in the Cayman Islands.

In contrast, a marketplace, exchange and trading platform for virtual assets is likely to be a “virtual asset trading platform” and regulated under the VASP Act.

Marketplaces, exchanges and trading platforms for securities versus virtual assets will be regulated in a different manner.

A securities trading platform is likely to be regulated under SIBA – although careful consideration would be needed as Section 4(a)(i) of the Stock Exchange Company Law provides that the Cayman Islands Stock Exchange has the sole and exclusive right to operate one or more securities markets in the Cayman Islands.

In contrast, a marketplace, exchange and trading platform for virtual assets is likely to be a “virtual asset trading platform” and regulated under the VASP Act.

The VASP Act came into effect in October 2020, and established a framework for regulating businesses providing virtual asset services (VASPs) in the Cayman Islands. This includes cryptocurrency exchanges which are regulated as Virtual Asset Trading Platforms under the VASP Act. VASPs need to register or obtain a licence depending on their business activities.

VASPs are also subject to AML and CTF regulations, which are designed to ensure transparency and combat financial crime. In addition, depending on the structure and activities of the exchange, other laws such as SIBA or the Mutual Funds Act might also apply.

The question of whether a decentralised (ie, DeFi) exchange will be regulated under the VASP Act depends on whether it falls into the definition of a “Virtual Asset Trading Platform”, which means a centralised or decentralised digital platform:

• which facilitates the exchange of virtual assets for fiat currency or other virtual assets on behalf of third parties for a fee, commission, spread or other benefit; and
• which:
1. holds custody of or controls virtual assets on behalf of its clients to facilitate an exchange; or
2. purchases virtual assets from a seller when transactions or bids and offers are matched in order to sell them to a buyer, and includes its owner or operator, but does not include a platform that only provides a forum where sellers and buyers may post bids and offers, and a forum where the parties trade in a separate platform or in a peer-to-peer manner.

Having regard to the above, and given the fact that most decentralised exchanges do not hold custody of or control of virtual assets on behalf of clients to facilitate an exchange, it is generally expected that most decentralised exchanges will not be regulated under the VASP Act.

In relation to virtual asset trading platforms, the authority has the ability under the VASP Act to impose listing standards for virtual assets and has issued proposed listing rules in the context of a proposed conduct of business Rule (not yet finalised). Further, the VASP Act provides that a virtual asset trading platform is to assure itself that a virtual asset to be traded on the platform is not fraudulent or deceitful and is required to carry out reasonable due diligence on such virtual assets and their issuers.

In the context of a virtual asset trading platform, there are no detailed order handling rules. What governs are general requirements concerning fair treatment of clients (including disclosure rules).

In the case that a virtual asset service provider is a licensee under SIBA, it will be subject to various additional rules under SIBA and the Statement of Guidance relating to Client Understanding, Suitability, Dealing and Disclosure for Securities Investment Business. The Securities Investment Business Regulations establish guidelines for interactions with clients, necessitating that client agreements encompass specific details, such as transaction execution methods, and mandating the issuance of a contract note to the client under certain post-transaction scenarios. The Statement of Guidance complements the Regulations by providing additional directives for client interactions, safeguarding client order priority, prohibiting actions that may disadvantage client transactions, and enforcing fair and prompt allocation, along with timely and optimal execution.

Generally speaking, the VASP Act excludes platforms that merely connect buyers and sellers and do not hold custody of or control virtual assets. Nonetheless, peer-to-peer trading platforms can impact traditional market participants in various ways, such as through:

• reduced market share – increased access and ease of peer-to-peer trading could attract users away from traditional financial institutions and exchanges;
• new opportunities – traditional players could adapt by integrating peer-to-peer functionalities into their offerings or collaborating with such platforms; and
• forced innovation – traditional players need to adapt and offer similar features or partner with P2P platforms to remain competitive.

In addition, peer-to-peer trading platforms can impact fintech participants in various ways, such as through:

• increased competition – peer-to-peer platforms could compete directly with existing fintech solutions for trading and financial services; and
• collaboration opportunities – fintech players could integrate with peer-to-peer platforms or offer complementary services, like asset management or education.

Regulatory challenges can include:

• AML/CTF compliance – ensuring peer-to-peer platforms comply (to the extent applicable) with AML/CTF regulations is difficult due to the decentralised nature of transactions;
• consumer protection – protecting users from fraud, scams and market manipulation in a peer-to-peer environment poses challenges;
• financial stability – peer-to-peer platforms could potentially impact financial stability if large-scale transactions occur outside regulated systems;
• data privacy concerns – integrating with P2P platforms might raise data privacy issues that need careful handling; and
• effective regulation might require international co-operation due to the borderless nature of P2P platforms.

There are no specific rules relating to payment for order flow. The default is to the rules discussed in 6.5 Order Handling Rules.       

In relation to virtual asset trading platforms, the authority has the ability under the VASP Act to impose market integrity standards and has issued proposed standards in the context of a proposed conduct of business Rule (not yet finalised). These standards go to the prevention of insider dealing, market manipulation and unfair trading practices.

As it stands, SIBA has two main focuses when it comes to upholding market integrity principles: preventing the creation of a false or misleading market and preventing insider trading. Committing either of these is an offence under SIBA. SIBA will apply to the provision of virtual asset securities if it falls under the category of “securities investment business” as defined by SIBA.

The creation of high-frequency and algorithmic trading strategies is not itself regulated – but the manner in which they are used could be regulated. As an example, a proprietary trader that has created and deploys their own high-frequency or algorithmic trading strategy will not be regulated – however if that same strategy is deployed by an investment fund it will be regulated – as a result of being an investment fund – rather than as a result of the investment fund deploying a high-frequency or algorithmic trading strategy.

A crypto market maker operating in a principal capacity will generally be outside the scope of the VASP Act.

Investment funds will generally be regulated pursuant to the Mutual Funds Act or the Private Funds Act, whereas dealers are generally regulated under SIBA.

The Cayman Islands regulatory regime does not regard investment funds as market makers.

Generally speaking, programmers who develop and create trading algorithms and other electronic trading tools will not be regulated – see for example 7.1 Creation and Usage Regulations. The manner in which the trading algorithms and other electronic trading tools are deployed will determine whether the activity is regulated – see again for example 7.1 Creation and Usage Regulations.

At present, there are no specific and material insurtech underwriting initiatives or developments in the Cayman Islands, but conditions are conducive for this to change given the efficiencies achieved in banking and financial services generally through utilising blockchain technology. It may only be a matter of time before the insurance sector also starts involving itself – the Cayman Islands has a significant insurance sector and a growing number of reinsurers are being licensed in the Cayman Islands.

In general, the Cayman Islands’ supervisory and legislative framework adopts international standards, but also has in-built flexibility to enable CIMA and licensees to apply requirements according to the nature, size and risk profile of licensees.

It may be useful to note that CIMA adopts a risk-based approach to regulating the insurance sector in the Cayman Islands. In particular, the Cayman Islands has elected not to seek Solvency II equivalency, which gives CIMA discretion to apply risk-based prudential standards, thus allowing insurers and reinsurers to implement their own internal regulatory capital model and structure their capital efficiently according to their risk profile.

The primary classes of insurance and reinsurance available in the Cayman Islands consist of (i) general insurance (which includes motor property damage and liability; crime; general liability; healthcare; hospital professional liability and physicians’ liability; marine and aviation; medical malpractice liability; product liability; professional liability; property; surety bonds; and worker’s compensation) and (ii) long-term insurance (which includes life; annuity; accident and health; and deferred variable annuities).

Any person carrying on insurance business, reinsurance business or business as an insurance agent, insurance broker or insurance manager in or from the Cayman Islands is required to hold a valid licence issued for that purpose under the Insurance Act. Amongst other things, each class of licence will have its own regulatory capital and liquidity requirements (which may be adjusted by CIMA following their assessment of the business model of the licensee).

Regtech providers may be regulated depending on their activities and whether they fall within the scope of a regulatory law in the Cayman Islands.

As an example, a regtech provider focusing on identity verification may not be regulated, but if that technology is deployed in the course of that provider performing an activity that is regulated (eg, mutual fund administration), then the regtech activity will be regulated.

Clear obligations with respect to timing of deliverables from the technology provider remain the key area of focus. Financial services firms seek to impose indemnification and liquidated damages provisions to assure performance and accuracy. These are primarily driven by industry custom.

In the financial services industry, there are a number of approaches being taken to implement blockchain – including:

• proof-of-concepts and pilots – many traditional players are starting with small-scale projects to explore the potential of blockchain in specific areas, such as trade finance, payments or regulatory compliance;
• consortium-based initiatives – collaborations between multiple institutions which offers a less risky way to explore and develop blockchain solutions and share overall R&D costs;
• investments and acquisitions – some players are investing in or acquiring blockchain start-ups to gain expertise and access to technology rather than building the technology internally;
• experimentation in blockchain outside of their regulated activities as a profile-raising initiative – for example, exploring the issue of tokens or other blockchain initiatives which are not connected to their traditional financial services provision.; and
• adopting blockchain technology and use of artificial intelligence to reduce operating costs and reduce overheads; and
• the opportunity to get investment and funding from a new class of investors interested in transacting with tokens or digital assets as opposed to shares and other traditional finance assets and in some cases, benefiting from cheaper funding by doing so.

The Cayman Islands was an early adopter of the FATF requirements for a virtual asset service provider regime.

Not all blockchain assets in the Cayman Islands will be regulated financial instruments.

The key classifications of blockchain assets cover:

• securities – if a blockchain asset meets the definition of a security under SIBA, a relevant person engaging in “securities investment business” will need to be registered or licensed by CIMA (or qualify for a specific exclusion) – however, most forms of blockchain assets are unlikely to be a security under Cayman Islands law;
• virtual assets – the VASP Act defines a “virtual asset” as a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes but does not include a digital representation of fiat currencies. Most forms of fungible blockchain assets will fall within this definition of a “virtual asset”; and
• virtual service tokens – the VASP Act defines a “virtual service tokens” as a digital representation of value which is not transferable or exchangeable with a third party at any time and includes digital tokens whose sole function is to provide access to an application or service or to provide a service or function directly to its owner. Virtual service tokens are not regulated under the VASP Act.

The complexity and challenges in classification include (by way of example):

• blockchain technology and assets are constantly evolving, making it difficult to create static regulatory frameworks;
• the definition of “security” in the Cayman Islands is narrow and would not capture many forms of blockchain assets;
• differentiating between tokens designed for utility within a specific ecosystem and those intended primarily for investment purposes poses challenges; and
• decentralisation versus centralised control – the level of centralisation surrounding the issuance and management of the asset could also influence its classification.

Issuances by investment funds will generally be subject to regulation pursuant to the Mutual Funds Act or the Private Funds Act.

No invitation (whether directly or indirectly) may be made to the public in the Cayman Islands to subscribe for debt securities unless the debt securities are listed on the Cayman Islands Stock Exchange.

The Cayman Islands, while considered progressive in this space, has a nuanced regulatory framework for “blockchain assets” and their issuance/sale.

The key legislation is:

• Virtual Assets (Service Providers) Act – this core legislation regulates businesses providing services related to virtual assets, including issuance and sale; and
• SIBA – depending on the nature of the blockchain asset and its offering, specific provisions of SIBA might apply.

Under the VASP Act an “issuance of virtual assets” or “virtual asset issuance” means the sale of newly created virtual assets to the public in or from within the Cayman Islands in exchange for fiat currency, other virtual assets or other consideration, but does not include the sale of virtual service tokens. A “virtual service token” is narrowly defined as a digital representation of value which is not transferrable or exchangeable with a third party at any time and includes digital tokens whose sole function is to provide access to an application or service or to provide a service or function directly to its owner.

Having regard to the above – generally speaking – most fungible blockchain assets will fall within the definition of a virtual asset service provider which will require the issuer – if formed in the Cayman Islands – to be regulated under the VASP Act. Additionally, if the blockchain asset meets the definition of a “security” under SIBA, additional SIBA licensing and prospectus requirements might apply. This requires careful analysis of the asset’s features and function.

The VASP Act regulates “virtual asset trading platforms” which means a centralised or decentralised digital platform:

• which facilitates the exchange of virtual assets for fiat currency or other virtual assets on behalf of third parties for a fee, commission, spread or other benefit; and
• which:
1. holds custody of or controls virtual assets on behalf of its clients to facilitate an exchange; or
2. purchases virtual assets from a seller when transactions or bids and offers are matched in order to sell them to a buyer, and
• includes its owner or operator, but does not include a platform that only provides a forum where sellers and buyers may post bids and offers and a forum where the parties trade in a separate platform or in a peer-to-peer manner.

If the secondary market trading of blockchain assets amounts to a “virtual asset service” under the VASP Act then it will not be regulated.

As noted in the definition of “virtual asset trading platforms” – trading in a peer-to-peer manner is not regulated.

The Cayman Islands does not currently impose any specific restrictions on staking per se. However, staking generally involves the process of depositing or locking up virtual assets and in return, participants earn rewards, which can be in the form of additional virtual assets or otherwise as may be agreed.

Where staking is undertaken by a person for their own account, it is unlikely to fall under a regulatory regime. However, if a person provides staking as a service to other persons, then they would need to carefully consider whether they fall within a virtual asset service under the VASP Act – in particular, the provision of custodial services or the provision of financial services related to a virtual asset issuance.

Additionally, the staking arrangement must be carefully assessed to ensure it cannot be characterised as a securities investment business under SIBA or relevant financial business under the Proceeds of Crime Act which could trigger AML/CFT regulations.

The nature of the tokens, the types of rewards being earned and delivered and whether the issuer of the tokens provides or delivers such rewards on its own tokens or if the rewards are provided by a third party or independent protocol could all be relevant to the assessment.

As a general matter, Cayman Islands law does not specifically regulate lending as a standalone activity, so there are no significant specific regulations applying to lending services relating to cryptocurrencies. However, the provision of lending business would likely fall within the scope of the AML Regulations as “relevant financial business” and which will consequently result in AML/CFT obligations on the lender. Lending can also be considered a financing and leasing business under the economic substance regime of the Cayman Islands unless an exemption applies.

Offering derivatives denominated or settled in cryptocurrencies that meet the test of a “security” under SIBA may be regulated if other requirements of SIBA are met and no exemption applies.

Virtual assets representing or convertible into derivatives could also be subject to SIBA.

The question of whether a decentralised (ie, DeFi) exchange will be regulated under the VASP Act depends on whether it falls into the definition of a “virtual asset trading platform” which means a centralised or decentralised digital platform:

• which facilitates the exchange of virtual assets for fiat currency or other virtual assets on behalf of third parties for a fee, commission, spread or other benefit; and
• which:
1. holds custody of or controls virtual assets on behalf of its clients to facilitate an exchange; or
2. purchases virtual assets from a seller when transactions or bids and offers are matched in order to sell them to a buyer, and
• includes its owner or operator, but does not include a platform that only provides a forum where sellers and buyers may post bids and offers and a forum where the parties trade in a separate platform or in a peer-to-peer manner.

Having regard to the above, and given the fact that most decentralised exchanges do not hold custody of or control of virtual assets on behalf of clients to facilitate an exchange, it is generally expected that most decentralised exchanges will not be regulated under the VASP Act.

Subject to limited exemptions, such funds will either be regulated as a mutual fund under the Mutual Funds Act (for open-ended funds) or as a private fund under the Private Funds Act (for closed ended funds).

While virtual currencies are not defined in the VASP Act – the VASP Act does define a “virtual asset” as a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes but does not include a digital representation of fiat currencies. Having regard to the above, a digital representation of a fiat currency (essentially, legal tender) is excluded from the definition of a “virtual asset”, however, creating a cryptocurrency may be “relevant financial business” and an issuer of such an asset is likely to be subject to the AML/CFT regime in the Cayman Islands.

The VASP Act regulates a “virtual asset” – which means a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes, but does not include a digital representation of fiat currencies. Generally speaking, an NFT will fall outside this definition although that will depend on the features and characteristics of the NFT itself. As an example, an NFT of a cartoon ape will (generally speaking) not be a “virtual asset” although an NFT of a bearer bond or other security is likely to be regulated not as a “virtual asset” but as a security under SIBA.

The same analysis applies to NFT platforms – in that a trading platform for cartoon ape NFTs will not be regulated, while a trading platform for NFT-wrapped securities will be regulated.

There are currently no regulations in the Cayman Islands with respect to open banking.

Banks and technology providers are subject to the Data Protection Act – although it does not specifically regulate open banking. Accordingly, banks and technology providers may look to collaborate to develop and implement best practices for data security and privacy in open banking.

In the Cayman Islands, the elements of common law fraud align with those recognised in England and other common law jurisdictions and generally include:

• dishonesty – fraud requires a dishonest act or representation. The defendant must intentionally deceive another party, leading to a false belief or action;
• false representation or concealment – the defendant makes a false representation (oral or written) or conceals material information. The representation can be about facts, intentions or future events;
• intent to cause gain or loss – the defendant acts with the intent to (i) gain something (eg, money, property, advantage); or (ii) cause loss to another party (eg, financial harm, deprivation);
• reliance by the victim – the victim relies on the false representation or concealment;
• their reliance leads to a detrimental consequence (eg, financial loss);
• causation – the defendant’s fraudulent act directly causes the victim’s loss or harm;
• materiality – the false representation or concealment must be material – meaning it significantly affects the victim’s decision-making process; 
• knowledge or recklessness – the defendant must either knowingly make the false representation or act recklessly (ie, not caring whether it is true or false); and
• civil and criminal aspects – common law fraud can lead to both civil (compensation, restitution) and criminal (penalties, imprisonment) consequences.

As an example, Section 255(1) of the Penal Code provides that a person who dishonestly, with a view to gain for themselves or another or with intent to cause loss to another (a) destroys, defaces, conceals or falsifies any account or any record or document made or required for any accounting purpose; or (b) in furnishing information for any purpose, produces or makes use of any account, or any such record or document as aforesaid, which to that person’s knowledge is or may be misleading, false or deceptive in a material particular, commits an offence and is liable to imprisonment for seven years.

In addition, knowingly or wilfully supplying false or misleading information to the Cayman Islands Tax Information Authority (TIA) is an offence.

While CIMA does not publicly rank specific types of fraud in order of priority, there are several areas where it has demonstrably focused its efforts:

• money laundering – this is a primary concern due to the Cayman Islands’ position as a global financial centre. CIMA actively collaborates with law enforcement and international bodies to combat money laundering, emphasising robust AML/CTF regulations for financial institutions;
• virtual asset fraud – with the rise of blockchain and cryptocurrencies, CIMA enacted the VASP Act to address potential fraud risks associated with virtual asset activities like trading, custody and issuance;
• cybersecurity threats – recognising the increasing sophistication of cybercriminals, CIMA emphasises cybersecurity preparedness and incident response capabilities for financial institutions;
• investment funds - investment funds will generally be regulated (and subject to additional requirements) pursuant to the Mutual Funds Act or the Private Funds Act; and
• sanctions – all Cayman Islands persons are required to observe Cayman Islands sanctions provisions.

Additionally, CIMA works closely with industry participants to stay informed about emerging fraud trends and adapt their regulatory approach accordingly, and they actively engage in public education initiatives to raise awareness about common financial scams and empower individuals to protect themselves. In addition, CIMA collaborates with international counterparts to share information and best practices in combating financial crime.

The extent to which a fintech service provider would be responsible for losses suffered by a customer would depend on a mix of applicable regulation, contractual provisions, and the circumstances in which the customer’s loss was suffered. The legal position for damages closely follows that of English law.

Service providers typically seek to place contractual limits on their liability in agreements with customers, often excluding any losses caused by the customer themselves or by third parties, and imposing a financial cap. Losses caused by the fraud of a third party will usually (whether expressly or implicitly) be caught within the exclusion of losses caused by third parties.

A service provider typically will not seek to exclude liability arising from its own fraud (or those acting on its behalf), but depending on the service may well seek to exclude all other types of liability.