The fintech market in the Cayman Islands has continued to develop significantly over the past 12 months.

Technology Talent Pool

The Cayman Islands has cultivated a technology talent pool of experienced professionals and service providers. Its increasingly mature technology industry is playing a pivotal role in strengthening the financial services sector. The availability of skilled professionals has facilitated the growth of fintech companies and their innovative solutions.

Attractiveness for Fintech and Crypto Businesses

The Cayman Islands has positioned itself as an emerging hub for both fintech and crypto businesses. Its well-regarded financial services framework, coupled with robust technology infrastructure, attracts companies worldwide to domicile in the Cayman Islands.

Stable Political Environment and Tax Neutrality

The Cayman Islands’ stable political environment provides a conducive backdrop for fintech ventures. Its tax neutrality further enhances its appeal as a business-friendly destination for fintech start-ups and established players.

Challenges

While the fintech market in the Cayman Islands continues to make significant strides, there are several challenges which may impact it in the next 12 months:

• regulatory compliance – as the industry evolves, staying compliant with global standards (including anti-money laundering and countering the financing of terrorism regulations (AML/CFT)) remains crucial;
• cybersecurity – fintech companies must fortify their cybersecurity measures to protect customer data and maintain trust;
• market competition – increased competition from other offshore jurisdictions and emerging fintech hubs may require the Cayman Islands to continue to innovate and differentiate;
• global political economic trends – the fintech market’s trajectory has always been influenced by broader economic shifts and geopolitical events, particularly as the world continues to adjust to the current administration in the US;
• technological advancements – keeping pace with technological advancements and adopting them effectively will be essential; and
• macroeconomic conditions and financial headwinds.

AI

Artificial intelligence models continue to be regarded as a highly disruptive influence in financial services and associated processes, as investors and developers pursue innovation in this field. Adapting legal regimes to tailor specifically to the challenges and opportunities of AI would be a positive step to set responsible development and deployment parameters.

There are a number of verticals for new and legacy players, which include the following.

• Virtual asset trading platforms – the Cayman Islands hosts a number of regulated virtual asset trading platforms that facilitate the trading of a wide variety of virtual assets. These trading platforms play a crucial role in the global crypto market and attract investors seeking liquidity and exposure to virtual assets.
• Custodial services – certain custodians in the Cayman Islands provide secure storage and management of virtual assets on behalf of clients. They ensure the safekeeping of private keys and assist institutional investors, investment funds, and high net worth individuals. Custodial services are essential for maintaining the integrity and security of digital assets.
• Token offerings – the Cayman Islands has been a popular jurisdiction for launching token offerings. Companies raise proceeds by issuing tokens (often utility or governance tokens) to purchasers in exchange for cryptocurrencies or fiat currency.
• Blockchain and Web3 innovators – the Cayman Islands is home to innovators working on centralised and decentralised technologies. These include blockchain projects, decentralised applications (DApps), and Web3 solutions. These innovators drive technological advancements and contribute to the global fintech ecosystem.
• Alternative investment funds – the Cayman Islands is the leading domicile for alternative investment funds, including venture capital, private equity, hedge and crypto funds. These funds often invest in virtual assets, tokens, and related ventures. The jurisdiction’s regulatory clarity and tax neutrality attract investment funds, fund managers and investors.
• Regulatory compliance services – given the evolving regulatory landscape, compliance services have become crucial. Fintech companies rely on legal and compliance experts to navigate AML/CFT regulations, data privacy laws, and licensing requirements.
• Decentralised finance (DeFi) – while still emerging, DeFi protocols and platforms are gaining traction in the Cayman Islands. These include lending, borrowing, yield farming, and liquidity provision. DeFi projects leverage smart contracts and blockchain technology to create decentralised financial services.
• Payment solutions and remittances – fintech players in the Cayman Islands explore payment solutions and remittance services. These aim to improve cross-border transactions, reduce fees, and enhance financial inclusion. Legacy players also adapt to digital payment trends.
• Digital identity and KYC solutions – with increased focus on security and compliance, fintech companies work on digital identity solutions and KYC processes. These technologies streamline onboarding, enhance security, and prevent fraud.
• Regulatory technology (regtech) – regtech firms in the Cayman Islands develop tools and platforms to assist financial institutions in meeting regulatory requirements. These solutions automate compliance processes, monitor transactions, and ensure adherence to reporting standards.

The financial services sector in the Cayman Islands is regulated primarily by CIMA. Key regulatory laws provide for a registration or licensing process whereby entities and individuals conducting regulated activity are required to obtain a registration or a licence from CIMA.

The key regulatory laws of the Cayman Islands (as amended, in each case) that could apply to an industry participant include:

• Anti-Money Laundering Regulations;
• Banks and Trust Companies Act;
• Beneficial Ownership Transparency Act;
• Beneficial Ownership Transparency Regulations;
• Companies Management Act;
• Data Protection Act;
• FATCA and CRS Regulations
• Tax Information Authority (International Tax Compliance) (Crypto-Asset Reporting Framework) Regulations;
• Insurance Act;
• International Tax Co-operation (Economic Substance) Act;
• Mutual Funds Act;
• Private Funds Act;
• Proceeds of Crime Act;
• Securities Investment Business Act (SIBA); and
• Virtual Asset (Service Providers) Act (the “VASP Act”).

CIMA holds significant supervision powers within the financial services industry across a number of key aspects.

• Regulation and supervision – CIMA’s primary role is to regulate and supervise the financial services sector in the Cayman Islands. It ensures compliance with relevant laws, regulations and international standards.
• Monitoring compliance – CIMA monitors compliance with AML and CFT regulations. It oversees financial institutions’ adherence to these critical standards.
• Currency management – CIMA manages the issuance and redemption of the Cayman Islands currency. It also oversees the management of currency reserves.
• Advisory role – CIMA provides advisory services to the Cayman Islands government on financial services regulatory matters. Its expertise informs policy decisions and regulatory frameworks.
• Regulatory measures – CIMA issues regulatory handbook measures in the form of policies, procedures, rules and statements of principle and guidance. These measures set detailed standards and give guidance to industry on compliance.

There are no specific restrictions under Cayman Islands law on the compensation models that industry participants are allowed to use to charge customers. However, industry participants will need to comply with all applicable CIMA rules and regulations with respect to, amongst other things: client communications, full and proper disclosure and treating clients fairly.

The underlying regulatory regime for fintech industry participants is substantially the same as it is for legacy players.

The Cayman Islands has not yet implemented a regulatory sandbox.

The VASP Act does provide a framework for CIMA to offer a time-limited (up to one year) regulatory sandbox licence for both virtual asset service providers and fintech companies, however these provisions have not yet commenced. We expect to see further developments in this area over the next 12 months.

CIMA is the primary regulator in the Cayman Islands and has broad regulatory oversight of regulated entities in the Cayman Islands.

In performing this regulatory function, CIMA shall:

• endeavour to promote and enhance market confidence, consumer protection and the reputation of the Cayman Islands as a financial centre;
• endeavour to reduce the possibility of financial services business or relevant financial business being used for the purpose of money laundering or other crime; and
• recognise the international character of financial services and markets and the necessity of maintaining the competitive position of the Cayman Islands, from the point of view of both consumers and suppliers of financial services, while conforming to internationally applied standards insofar as they are relevant and appropriate to the circumstances of the Cayman Islands.

In addition, the Department for International Tax Co-operation is a department of the Ministry of Financial Services and Commerce. It is responsible for administering all of the Cayman Islands’ legal frameworks for international co-operation in tax matters, and for carrying out the functions of the Tax Information Authority, the Cayman Islands’ competent authority. The Tax Information Authority’s function is to collect information on tax matters and exchange that information with other Competent Authorities pursuant to relevant international agreements. Broadly speaking it covers supervision of:

• the Common Reporting Standard, which is the global standard for the automatic exchange of financial account information for tax purposes;
• the Foreign Account Tax Compliance Act, which is the mechanism for reporting information on financial accounts held by US persons to the US Internal Revenue Service (IRS);
• the Crypto-Asset Reporting Framework, which is the global standard developed by the OECD, working with G20 countries, to promote tax transparency and address tax evasion with respect to digital assets;
• the Cayman Islands Economic Substance Act which contains the rules for satisfying the international standard for substantial activities requirements;
• Country-by-Country Reporting which implements the requirements of Action 13 of the OECD/G20 BEPS actions and country-by-country reporting requirements that are filed by certain multinational enterprises with domestic tax authorities; and
• the Exchange of Information on Request which takes place when the tax authority of a requesting jurisdiction asks for particular information from the competent authority of a partner jurisdiction.

Finally, the Office of the Ombudsman is the supervisory authority for data protection-related matters and is empowered to investigate, mediate and decide complaints under the Data Protection Act.

CIMA does not currently issue “no-action” letters.

While outsourcing is permitted to regulated or unregulated entities, CIMA emphasises that responsibility and accountability for effective oversight of all regulated activities, whether outsourced or not, rests with the governing body and senior management of the regulated entity. The recent Statement of Guidance – Outsourcing Regulated Entities (April 2023) applies to most entities regulated by CIMA. The Guidance applies regardless of whether the outsourcing arrangement established by a regulated entity is with a related or unrelated entity.

A regulated entity should assess the materiality of its outsourcing arrangements, and without limiting the scope of its assessments, should consider:

• the impact of the outsourcing arrangement on its finances, reputation and operations, or a significant business line, particularly if the service provider, or group of affiliated service providers, should fail to perform over a given period of time depending on the nature of the outsourced function/service;
• its ability to maintain appropriate internal controls and meet regulatory requirements, particularly if the service provider were to experience problems;
• the cost of the outsourcing arrangement;
• the risk of potential loss, temporarily or permanently, of access to important data; and
• the degree of difficulty and time required to find an alternative service provider or to bring the business activity in-house.

The extent to which fintech providers are deemed to be “gatekeepers” will depend on the nature of the platform. If, for example, the platform is unregulated and is merely a venue to share information, then it is expected that there would be little in the way of “gatekeeper” responsibility. If, however, the information being shared on the platform amounts to investment advice (either from the platform provider or between users of the platform) then the platform may be subject to licensing or registration requirements under SIBA.

CIMA may take action to enforce the requirements of the regulatory laws and other relevant legislation. Enforcement options available to CIMA include: (i) suspension of the licence of a licensee and preservation of its records, (ii) revocation of the licence of a licensee, (iii) requiring the substitution of a director, operator, senior officer, general partner, promoter, insurance manager or shareholder of the licensee (as applicable), (iv) appointing a person to assume control of the affairs of the licensee, (v) appointing a person to advise the licensee on the proper conduct of its affairs, (vi) applying to the Grand Court of the Cayman Islands for orders directing the winding up of the relevant entity, and (vii) the imposition of administrative fines.

There have been a number of enforcement actions in the recent past, including:

• cancellation of the registration of two individual directors in accordance with Section 6(2) of the Directors’ Registration and Licensing Act for failure to provide information and pay licensing fees;
• cancellation of the registration of a company as a Securities-Registered Person in accordance with Section 17(2A)(a) of SIBA for failing to provide information, give declarations, pay fees and to have qualifying directors;
• revocation of the banking licence of a company in accordance with Section 18(5)(b) of the Banks and Trust Companies Act for entering into provisional liquidation; and cancellation of a mutual fund registration pursuant to Section 30(3)(a) of the Mutual Funds Act for failing to submit audited accounts for four consecutive years and failing to pay annual fees for two consecutive years;
• levying of administrative fines on regulated entities for AML infractions and failure to maintain prescribed capital; and
• cancellation of the virtual asset service provider registration held by an entity where CIMA had reasonable grounds to believe that:
1. the registrant was carrying on business fraudulently or otherwise in a manner detrimental to the public interest, to the interest of its clients or to the interest of its creditors;
2. the registrant had contravened the VASP Act and AML regulations;
3. the registrant has not conducted the direction and management of its business in a fit and proper manner; and
4. the registrant’s majority shareholder was not a fit and proper person.

Key areas include the following.

• Anti-Money Laundering Regulations – an entity that conducts “relevant financial business” must comply with the AML/CFT regime in the Cayman Islands. Recent amendments to the regime in 2020 brought virtual asset service providers into scope.
• Data Protection Act – the Data Protection Act requires a data controller to comply with eight data protection principles when processing personal data and to ensure that those principles are complied with in relation to personal data processed on the data controller’s behalf under a written contract. In addition, the Data Protection Act also deals with data security, data breaches and the rights of individual data subjects, including providing a privacy notice.
• Cybersecurity – CIMA has published its Rule and Statement of Guidance relating to Cybersecurity for Entities Regulated by the Authority requiring regulated entities to develop, implement and monitor robust cybersecurity frameworks. These regulations aim to reduce the threat of cyber-attacks, protect sensitive data, and enhance recovery from cybersecurity incidents.
• Social media – the use of social media and similar tools is currently not specifically regulated, apart from indirectly under legislation such as the Data Protection Act, the Penal Code and the Contracts Act.

Under the VASP Act, every licensee (and every registered person who is so directed by CIMA) is required to have its accounts audited annually (or at such other times as CIMA may require) by an auditor who is a chartered accountant, certified public accountant or other professionally qualified accountant approved by CIMA.

While certain fintech businesses may not be carrying out “relevant financial business” (see 2.11 Implications of Additional, Non-Financial Services Regulations) they may nevertheless choose to apply certain AML/CFT provisions to their business as a matter of best commercial practice, although there is no regulatory oversight of such voluntary measures operated by unregulated entities.

Generally, unregulated business lines would be separated from regulated business lines and run through separate legal entities. This is done:

• as a risk-mitigation tool to ring-fence the risk of regulated business from the risk of unregulated business;
• to streamline operations of regulated businesses and avoid the complexity, cost and supervisory oversight of running unregulated business within the same legal entity as a regulated business;
• for increased flexibility in the scaling of both the regulated and unregulated business lines; and
• to ensure maximum flexibility on a potential exit of the businesses (which could be done at different times to different purchasers on different deal terms and – in the case of the unregulated business – without regulatory scrutiny of the purchaser of the business).

Virtual asset service providers will be carrying out “relevant financial business” (see 2.11 Implications of Additional, Non-Financial Services Regulations) and will be required to comply with AML rules. This requires them to perform KYC identity verification and (in some instances) source-of-funds checks on their customers. In addition, care should be taken with affiliates of virtual asset service providers, such as those facilitating real world asset tokenisation, as they will be subject to AML rules even if they are not regulated as virtual asset service providers if they are conducting “relevant financial business”.

All Cayman Islands persons are required to observe Cayman Islands sanctions provisions (which are essentially the same as the sanctions provisions in the United Kingdom) extended to the Cayman Islands by statutory instruments. The list of sanctions regimes currently in force in the Cayman Islands is available on the Financial Reporting Authority website.

Unregulated companies providing technology services will generally not be carrying on “relevant financial business” (see 2.11 Implications of Additional, Non-Financial Services Regulations) and will therefore not be required to comply with the AML rules, however, the sanctions regimes will still apply and so some form of KYC is generally undertaken.

The AML and sanctions rules in the Cayman Islands generally follow the standards imposed by the Financial Action Task Force (FATF).

Under Cayman Islands law, there is no explicit reverse solicitation safe harbour, but as a general principle, the regulatory regime will only capture persons that have a Cayman Islands nexus (ie, either they are Cayman Islands persons or they are foreign persons soliciting business or marketing their business in the Cayman Islands). 

Cayman Islands law does not expressly contemplate or regulate robo-advisers, although they could be regulated depending on how they are implemented. For example, if a robo-adviser platform was set up in order to provide investment advice on securities to its customers then it would be regulated as a securities adviser under SIBA.

It is difficult to determine whether legacy players are implementing solutions introduced by robo-advisers. However, it is not uncommon for crypto funds and high-frequency and algorithmic trading funds to be managed by entities that rely on proprietary robo-advice algorithms or licensed software.

This is not applicable in the Cayman Islands.

As a general matter, Cayman Islands law does not specifically regulate lending to individuals or otherwise, so there are no significant differences depending on the nature of the borrower.

It is important to note that: (i) the provision of lending business would likely fall within the scope of the AML Regulations as “relevant financial business” and would consequently result in AML/CFT obligations applicable to the lender; (ii) lending could be considered a financing and leasing business under the economic substance regime of the Cayman Islands unless an exemption applies; and (iii) the jurisdiction does have laws regulating deposit-taking business (which could be used by some banking models as a source of funds for loans, see 4.3 Sources of Funds for Fiat Currency Loans for more detail).

The underwriting process itself is not currently dictated by regulation in the Cayman Islands, however underwriting may constitute participation in, or provision of, financial services related to a virtual asset issuance or the sale of a virtual asset. Entities carrying on underwriting in or from within the Cayman Islands may therefore be carrying on a virtual asset service for which registration under the VASP Act is required.

To the extent a lender is participating in underwriting under the laws of another jurisdiction, CIMA is likely to require such lender to be in compliance with the laws of such jurisdiction in relation to such underwriting.

The classic retail banking model of accepting deposits to fund lending is one of a number of different ways to raise funds. As there are no general prohibitions on the method a participant uses to fund its lending in the Cayman Islands, any method of raising capital could theoretically be possible (including through entering into or executing digital asset transactions, structured arrangements or more traditional financing methods).

P2P Lending

Peer-to-peer lending is not currently regulated in the Cayman Islands.

Lender-Raised Capital

Borrowing through debt is not regulated in the Cayman Islands, save that: (i) no invitation (whether directly or indirectly) may be made to the public in the Cayman Islands to subscribe for debt securities unless the debt securities are listed on the Cayman Islands Stock Exchange; and (ii) all Cayman Islands entities must comply with applicable sanctions regimes when receiving funds.

Cayman Islands entities are also free to raise funds through issuing investment interests such as shares (in the case of a company) or membership or partnership interests (in the case of a limited liability company or exempted partnership), although Cayman Islands entities should take advice on whether such arrangements are caught by the Private Funds Act or Mutual Funds Act of the Cayman Islands.

Capital Markets/Securitisations

The issuance of debt instruments (eg, bonds, notes and commercial paper) by a Cayman Islands entity is not a regulated activity in and of itself in the Cayman Islands. There are, however, other ancillary regulations which may apply including in relation to AML, data protection and sanctions.

Deposit Taking

Banking business in the Cayman Islands (which in summary is defined to mean the business of receiving and holding on deposits or other similar account money which is repayable and may be invested by way of advances to customers or otherwise) is regulated in the Cayman Islands and may require a licence under the Banks and Trust Companies Act under the supervision of CIMA.

At present, there is not a substantial market for the syndication of loans in the Cayman Islands, although as a general matter there is no regulation, prohibition or restrictions on loan syndication. The jurisdiction would welcome more syndication of loans in the future as more Cayman Islands lenders are established.

There are no specific prohibitions under Cayman Islands law on creating or implementing new payment rails. That being said, as further described in 5.2 Regulation of Cross-Border Payments and Remittances, payment processing is likely to be a regulated activity requiring licensing and supervision by CIMA under the Money Services Act. A grant of such licence will be subject to such conditions and requirements as CIMA may require (including in relation to the payment rails intended to be used by the payment processor).

Banks are involved in cross-border payments in the ordinary course, but in addition, the business of providing cross-border payments services could constitute a “money services business” which is a regulated activity in the Cayman Islands pursuant to the Money Services Act. Money services business is defined as the business of providing any or all of the following services:

• money transmission;
• cheque cashing;
• currency exchange;
• the issuance, sale or redemption of money orders or traveller’s cheques; and

such other services as the governor in the Cabinet may specify by notice published in the Gazette.

Section 4(a)(i) of the Stock Exchange Company Act provides that the Cayman Islands Stock Exchange has the sole and exclusive right to operate one or more securities markets in the Cayman Islands.

In contrast, operating (i) an exchange between virtual assets and fiat currencies or between one or more other forms of convertible virtual assets; or (ii) a “virtual asset trading platform”, in or from within the Cayman Islands, is likely to be a virtual asset service requiring registration or licensing (respectively) under the VASP Act.

Marketplaces, exchanges and trading platforms for securities versus virtual assets will be regulated in a different manner.

A securities trading platform is likely to be regulated under SIBA – although careful consideration would need to be given to any such proposal as Section 4(a)(i) of the Stock Exchange Company Act provides that the Cayman Islands Stock Exchange has the sole and exclusive right to operate securities markets in the Cayman Islands.

In contrast, an exchange or trading platform for virtual assets is likely to be regulated under the VASP Act, whereas a platform that only provides a forum where sellers and buyers may post bids and offers and a forum where the parties trade in a separate platform or in a peer-to-peer manner, remains outside of the VASP Act.

The VASP Act establishes a framework for regulating businesses providing virtual asset services (VASPs) in the Cayman Islands, including cryptocurrency exchanges.

The business of providing one or more of the following services or operations for or on behalf of a customer requires registration (as opposed to licensing) under the VASP Act:

• exchange between virtual assets and fiat currencies;
• exchange between one or more other forms of convertible virtual assets;
• transfer of virtual assets; and
• participation in, and provision of, financial services related to a virtual asset issuance or the sale of a virtual asset.

Public issuances of virtual assets also require registration under the VASP Act.

Provision of the following virtual asset services requires licensing (as opposed to registration) under the VASP Act:

• virtual asset custody service; and
• operation of a virtual asset trading platform.

A “virtual asset trading platform” means a digital platform:

• which provides a virtual asset service and facilitates the exchange of virtual assets for fiat currency or other virtual assets on behalf of third parties for a fee, commission, spread or other benefit; and
• which:
1. holds custody of or controls virtual assets on behalf of its clients to facilitate an exchange; or
2. purchases virtual assets from a seller when transactions or bids and offers are matched in order to sell them to a buyer,

and includes its owner or operator, but does not include a platform that only provides a forum where sellers and buyers may post bids and offers and a forum where the parties trade in a separate platform or in a peer-to-peer manner.

In each case, a careful assessment of the activities undertaken by the cryptocurrency exchange will be required in order to determine the appropriate classification for the purpose of the VASP Act.

In relation to virtual asset trading platforms, the authority has the ability under the VASP Act to impose requirements for the listing of virtual assets and has issued listing rules in the Rule – Obligations for the Provision of Virtual Asset Services – Virtual Asset Custodians and Virtual Asset Trading Platforms (December 2024).

Further, the VASP Act provides that a licensee that operates a virtual asset trading platform shall not allow a virtual asset to be traded on its platform unless it has assured itself that the virtual asset is not presented in a deceiving manner or in a manner that is meant to defraud holders of funds or value. The licensee is also required to carry out reasonable due diligence on virtual assets and their issuers that are listed on the platform.

In the context of a virtual asset trading platform, there are no detailed order handling rules. What governs are general requirements concerning fair treatment of clients (including disclosure rules).

In the case that a virtual asset service provider is a licensee under SIBA, it will be subject to various additional rules under SIBA and the Statement of Guidance relating to Client Understanding, Suitability, Dealing and Disclosure for Securities Investment Business. The Securities Investment (Conduct of Business) Regulations establish guidelines for interactions with clients, necessitating that client agreements encompass specific details and mandating the issuance of a contract note to the client under certain post-transaction scenarios. The Statement of Guidance complements those Regulations by providing additional directives for client interactions, safeguarding client order priority, prohibiting actions that may disadvantage client transactions, and enforcing fair and prompt allocation, along with timely and optimal execution.

Generally speaking, the VASP Act excludes platforms where parties trade in a peer-to-peer manner. Nonetheless, peer-to-peer trading platforms can impact traditional market participants in various ways, such as through:

• reduced market share – increased access and ease of peer-to-peer trading could attract users away from traditional financial institutions and exchanges;
• new opportunities – traditional players could adapt by integrating peer-to-peer functionalities into their offerings or collaborating with such platforms; and
• forced innovation – traditional players need to adapt and offer similar features or partner with P2P platforms to remain competitive.

In addition, peer-to-peer trading platforms can impact fintech participants in various ways, such as through:

• increased competition – peer-to-peer platforms could compete directly with existing fintech solutions for trading and financial services; and
• collaboration opportunities – fintech players could integrate with peer-to-peer platforms or offer complementary services, like asset management or education.

Regulatory challenges can include:

• AML/CTF compliance – ensuring peer-to-peer platforms comply (to the extent applicable) with AML/CTF regulations is difficult due to the decentralised nature of transactions;
• consumer protection – protecting users from fraud, scams and market manipulation in a peer-to-peer environment poses challenges;
• financial stability – peer-to-peer platforms could potentially impact financial stability if large-scale transactions occur outside regulated systems;
• data privacy concerns – integrating with P2P platforms might raise data privacy issues that need careful handling; and
• effective regulation might require international co-operation due to the borderless nature of P2P platforms.

There are no specific rules relating to payment for order flow. The default is to the rules discussed in 6.5 Order Handling Rules.       

CIMA has imposed market integrity standards under the Rule – Obligations for the Provision of Virtual Asset Services – Virtual Asset Custodians and Virtual Asset Trading Platforms (December 2024). These standards go to the prevention of insider dealing, market manipulation and unfair trading practices.

As it stands, SIBA has two main focuses when it comes to upholding market integrity principles: preventing the creation of a false or misleading market and preventing insider trading. Committing either of these is an offence under SIBA. SIBA will be relevant where virtual assets represent or can be converted into one of the securities listed in the schedule to SIBA.

The creation of high-frequency and algorithmic trading strategies is not itself regulated – but the manner in which they are used could be regulated. As an example, a proprietary trader that has created and deploys their own high-frequency or algorithmic trading strategy will not be regulated – however if that same strategy is deployed by an investment fund it will be regulated – as a result of being an investment fund – rather than as a result of the investment fund deploying a high-frequency or algorithmic trading strategy.

A crypto market maker operating in a principal capacity will generally be outside the scope of the VASP Act.

Investment funds will generally be regulated pursuant to the Mutual Funds Act or the Private Funds Act, whereas dealers are generally regulated under SIBA.

The Cayman Islands regulatory regime does not regard investment funds as market makers.

Generally speaking, programmers who develop and create trading algorithms and other electronic trading tools will not be regulated – see for example 7.1 Creation and Usage Regulations. The manner in which the trading algorithms and other electronic trading tools are deployed will determine whether the activity is regulated – see again for example 7.1 Creation and Usage Regulations.

At present, there are no specific and material insurtech underwriting initiatives or developments in the Cayman Islands, but conditions are conducive for this to change given the efficiencies achieved in banking and financial services generally through utilising blockchain technology. It may only be a matter of time before the insurance sector also starts involving itself – the Cayman Islands has a significant insurance sector and a growing number of reinsurers are being licensed in the Cayman Islands.

In general, the Cayman Islands’ supervisory and legislative framework adopts international standards, but also has in-built flexibility to enable CIMA and licensees to apply requirements according to the nature, size and risk profile of licensees.

It may be useful to note that CIMA adopts a risk-based approach to regulating the insurance sector in the Cayman Islands. In particular, the Cayman Islands has elected not to seek Solvency II equivalency, which gives CIMA discretion to apply risk-based prudential standards, thus allowing insurers and reinsurers to implement their own internal regulatory capital model and structure their capital efficiently according to their risk profile.

The primary classes of insurance and reinsurance available in the Cayman Islands consist of (i) general insurance (which includes motor property damage and liability; crime; general liability; healthcare; hospital professional liability and physicians’ liability; marine and aviation; medical malpractice liability; product liability; professional liability; property; surety bonds; and worker’s compensation) and (ii) long-term insurance (which includes life; annuity; accident and health; and deferred variable annuities).

Any person carrying on insurance business, reinsurance business or business as an insurance agent, insurance broker or insurance manager in or from the Cayman Islands is required to hold a valid licence issued for that purpose under the Insurance Act. Amongst other things, each class of licence will have its own regulatory capital and liquidity requirements (which may be adjusted by CIMA following their assessment of the business model of the licensee).

Regtech providers may be regulated depending on their activities and whether they fall within the scope of a regulatory law in the Cayman Islands.

As an example, a regtech provider focusing on identity verification may not be regulated, but if that technology is deployed in the course of that provider performing an activity that is regulated (eg, mutual fund administration), then the regtech activity will be regulated.

Clear obligations with respect to timing of deliverables from the technology provider remain the key area of focus. Financial services firms seek to impose indemnification and liquidated damages provisions to assure performance and accuracy. These are primarily driven by industry custom.

In the financial services industry, there are a number of approaches being taken to implement blockchain – including:

• proof-of-concepts and pilots – many traditional players are starting with small-scale projects to explore the potential of blockchain in specific areas, such as trade finance, payments or regulatory compliance;
• consortium-based initiatives – collaborations between multiple institutions which offers a less risky way to explore and develop blockchain solutions and share overall R&D costs;
• investments and acquisitions – some players are investing in or acquiring blockchain start-ups to gain expertise and access to technology rather than building the technology internally;
• experimentation in blockchain outside of their regulated activities as a profile-raising initiative – for example, exploring the issue of tokens or other blockchain initiatives which are not connected to their traditional financial services provision;
• adopting blockchain technology and use of artificial intelligence to reduce operating costs and overheads; and
• the opportunity to get investment and funding from a new class of investors interested in transacting with tokens or digital assets as opposed to shares and other traditional finance assets and in some cases, benefiting from cheaper funding by doing so.

The Cayman Islands was an early adopter of the FATF requirements for a virtual asset service provider regime.

Not all blockchain assets in the Cayman Islands will be regulated financial instruments.

The key classifications of blockchain assets cover:

• securities – if a blockchain asset meets the definition of a security under SIBA, a relevant person engaging in “securities investment business” will need to be registered or licensed by CIMA (or qualify for a specific exclusion) – however, most forms of blockchain assets are unlikely to be a security under Cayman Islands law;
• virtual assets – the VASP Act defines a “virtual asset” as a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes but does not include a digital representation of fiat currencies. Most forms of fungible blockchain assets will fall within this definition of a “virtual asset”; and
• virtual service tokens – the VASP Act defines a “virtual service token” as a digital representation of value which is not transferable or exchangeable with a third party at any time and includes digital tokens whose sole function is to provide access to an application or service or to provide a service or function directly to its owner. Virtual service tokens are not regulated under the VASP Act.

The complexity and challenges in classification include (by way of example):

• blockchain technology and assets are constantly evolving, which means the regulatory framework is constantly evolving and cannot remain static;
• the same products may be classified differently in different jurisdictions. The definition of “security” in the Cayman Islands is narrow and would not capture many forms of blockchain assets, which would instead be regulated under the VASP Act regime;
• differentiating between tokens designed for utility within a specific ecosystem and those intended primarily for investment purposes poses challenges; and
• decentralisation versus centralised control – the level of centralisation surrounding the issuance and management of the asset could also influence its classification.

Issuances by investment funds will generally be subject to regulation pursuant to the Mutual Funds Act or the Private Funds Act. A tokenised fund may also be regulated by the VASP Act. Legal advice should be taken as to the precise legal nature of the tokenisation to determine whether authorisation under the VASP Act is also required. CIMA may also impose additional conditions on a tokenised fund. Further amendments to the legislation and regulatory regime in this area are expected within the next 12 months.

The Cayman Islands, while considered progressive in this space, has a nuanced regulatory framework for “blockchain assets” and their issuance/sale.

The key legislation is:

• the VASP Act – this core legislation regulates businesses providing services related to virtual assets, including issuance and sale; and
• SIBA – depending on the nature of the blockchain asset and its offering, specific provisions of SIBA might apply.

Under the VASP Act an “issuance of virtual assets” or “virtual asset issuance” means the sale of newly created virtual assets to the public in or from within the Cayman Islands in exchange for fiat currency, other virtual assets or other consideration, but does not include the sale of virtual service tokens. A “virtual service token” is narrowly defined (see the definition in 10.3 Classification of Blockchain Assets above).

Having regard to the above – generally speaking – most fungible blockchain assets will fall within the definition of a “virtual asset” which will require the issuer – if formed in the Cayman Islands – to be regulated under the VASP Act. Additionally, if the blockchain asset meets the definition of a “security” under SIBA, additional SIBA licensing and prospectus requirements might apply, subject to a number of exemptions. In each case there needs to be a careful analysis of the asset’s features and function as well as the relevant legislation.

The Cayman Islands regulatory regime is continually developing to accommodate the tokenisation of real-world assets in a responsible manner. Legal advice should be sought with respect to the classification of a particular product to ensure compliance with the relevant regime.

The VASP Act regulates “virtual asset trading platforms” which means a digital platform:

• which provides a virtual asset service and facilitates the exchange of virtual assets for fiat currency or other virtual assets on behalf of third parties for a fee, commission, spread or other benefit; and
• which:
1. holds custody of or controls virtual assets on behalf of its clients to facilitate an exchange; or
2. purchases virtual assets from a seller when transactions or bids and offers are matched in order to sell them to a buyer, and
• includes its owner or operator, but does not include a platform that only provides a forum where sellers and buyers may post bids and offers and a forum where the parties trade in a separate platform or in a peer-to-peer manner.

As noted in the definition of “virtual asset trading platforms” – trading in a peer-to-peer manner is not regulated.

The Cayman Islands does not currently impose any specific restrictions on staking per se. However, staking generally involves the process of depositing or locking up virtual assets and in return, participants earn rewards, which can be in the form of additional virtual assets or otherwise as may be agreed.

Where staking is undertaken by a person for their own account, it is unlikely to fall under a regulatory regime. However, if a person provides staking as a service to other persons, then they would need to carefully consider whether they fall within a virtual asset service under the VASP Act – in particular, the provision of custodial services or the provision of financial services related to a virtual asset issuance.

Additionally, the staking arrangement must be carefully assessed to ensure it cannot be characterised as a securities investment business under SIBA or relevant financial business under the Proceeds of Crime Act which could trigger AML/CFT regulations.

The nature of the tokens, the types of rewards being earned and delivered and whether the issuer of the tokens provides or delivers such rewards on its own tokens or if the rewards are provided by a third party or independent protocol could all be relevant to the assessment.

As a general matter, Cayman Islands law does not specifically regulate lending as a standalone activity, so there are no significant specific regulations applying to lending services relating to cryptocurrencies. However, the provision of lending business would likely fall within the scope of the AML Regulations as “relevant financial business” and which will consequently result in AML/CFT obligations on the lender. Lending can also be considered a financing and leasing business under the economic substance regime of the Cayman Islands unless an exemption applies.

Banking business in the Cayman Islands (which in summary is defined to mean the business of receiving (other than from a bank or trust company) and holding on current, savings, deposit or other similar account money which is repayable by cheque or order and may be invested by way of advances to customers or otherwise) is regulated in the Cayman Islands and may require a licence under the Banks and Trust Companies Act under the supervision of CIMA.

Offering derivatives denominated or settled in cryptocurrencies that meet the test of a “security” under SIBA may be regulated if other requirements of SIBA are met and no exemption applies.

Virtual assets representing or convertible into derivatives could also be subject to SIBA.

The VASP Act establishes a framework for regulating businesses providing virtual asset services in the Cayman Islands, including decentralised exchanges.

The business of providing one or more of the following services or operations for or on behalf of a customer requires registration (as opposed to licensing) under the VASP Act: 

• exchange between virtual assets and fiat currencies;
• exchange between one or more other forms of convertible virtual assets; 
• transfer of virtual assets; and
• participation in, and provision of, financial services related to a virtual asset issuance or the sale of a virtual asset. 

Public issuances of virtual assets also require registration under the VASP Act. 

Provision of the following virtual asset services requires licensing (as opposed to registration) under the VASP Act:

• virtual asset custody service; and
• operation of a virtual asset trading platform.

See the definition of “virtual asset trading platform” in 10.5 Regulation of Blockchain Asset Trading Platforms.

In each case, a careful assessment of the activities undertaken by the exchange will be required in order to determine the appropriate classification for the purpose of the VASP Act.

Subject to limited exemptions, funds will either be regulated as a mutual fund under the Mutual Funds Act (for open-ended funds) or as a private fund under the Private Funds Act (for closed ended funds).

A tokenised fund may also be regulated by the VASP Act. Legal advice should be taken as to the precise legal nature of the tokenisation to determine whether authorisation under the VASP Act is also required. CIMA may also impose additional conditions on a tokenised fund. Further amendments to the legislation and regulatory regime in this area are expected within the next 12 months.

While virtual currencies are not defined in the VASP Act – the VASP Act does define a “virtual asset” as a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes but does not include a digital representation of fiat currencies. Having regard to the above, a digital representation of a fiat currency (essentially, legal tender) is excluded from the definition of a “virtual asset”, however, creating a cryptocurrency may be “relevant financial business” and an issuer of such an asset is likely to be subject to the AML/CFT regime in the Cayman Islands.

The VASP Act regulates the provision of services with respect to any “virtual asset” (see the definition in 10.11 Virtual Currencies). Generally speaking, an NFT will fall outside the definition of a “virtual asset”, although that will depend on the features and characteristics of the NFT itself. Consideration must also be given to whether the NFT constitutes a security under SIBA.

The same analysis applies to NFT platforms.

The Cayman Islands does not have a separate or standalone regime for stablecoins. Stablecoins are subject to the same requirements as any other virtual asset, pursuant to the VASP Act (and in more limited circumstances, SIBA).

If a Cayman Islands entity carries on (or purports to carry on) virtual asset services with respect to stablecoins, the entity will require registration or licensing (as applicable) under the VASP Act. If the stablecoins represent or can be converted into any of the securities listed in SIBA (which includes shares, options, futures etc), the entity will require authorisation under SIBA.

There are currently no standalone regulations in the Cayman Islands with respect to open banking.

Banks and technology providers are subject to the Data Protection Act. Banks and technology providers may look to collaborate to develop and implement best practices for data security and privacy in open banking.

In the Cayman Islands, the elements of common law fraud align with those recognised in England and other common law jurisdictions and generally include:

• dishonesty – fraud requires a dishonest act or representation. The defendant must intentionally deceive another party, leading to a false belief or action;
• false representation or concealment – the defendant makes a false representation (oral or written) or conceals material information. The representation can be about facts, intentions or future events;
• intent to cause gain or loss – the defendant acts with the intent to (i) gain something (eg, money, property, advantage); or (ii) cause loss to another party (eg, financial harm, deprivation);
• reliance by the victim – the victim relies on the false representation or concealment;
• their reliance leads to a detrimental consequence (eg, financial loss);
• causation – the defendant’s fraudulent act directly causes the victim’s loss or harm;
• materiality – the false representation or concealment must be material – meaning it significantly affects the victim’s decision-making process; 
• knowledge or recklessness – the defendant must either knowingly make the false representation or act recklessly (ie, not caring whether it is true or false); and
• civil and criminal aspects – common law fraud can lead to both civil (compensation, restitution) and criminal (penalties, imprisonment) consequences.

As an example, Section 255(1) of the Penal Code provides that a person who dishonestly, with a view to gain for themselves or another or with intent to cause loss to another (a) destroys, defaces, conceals or falsifies any account or any record or document made or required for any accounting purpose; or (b) in furnishing information for any purpose, produces or makes use of any account, or any such record or document as aforesaid, which to that person’s knowledge is or may be misleading, false or deceptive in a material particular, commits an offence and is liable to imprisonment for seven years.

In addition, knowingly or wilfully supplying false or misleading information to the Cayman Islands Tax Information Authority (TIA) is an offence.

While CIMA does not publicly rank specific types of fraud in order of priority, there are several areas where it has demonstrably focused its efforts:

• money laundering – this is a primary concern due to the Cayman Islands’ position as a global financial centre. CIMA actively collaborates with law enforcement and international bodies to combat money laundering, emphasising robust AML/CTF regulations for financial institutions;
• virtual asset fraud – with the rise of blockchain and cryptocurrencies, CIMA enacted the VASP Act to, amongst other things, address potential fraud risks associated with virtual asset activities like trading, custody and issuance;
• cybersecurity threats – recognising the increasing sophistication of cybercriminals, CIMA emphasises cybersecurity preparedness and incident response capabilities for financial institutions;
• investment funds - investment funds will generally be regulated (and subject to additional requirements) pursuant to the Mutual Funds Act or the Private Funds Act; and
• sanctions – all Cayman Islands persons are required to observe Cayman Islands sanctions provisions.

Additionally, CIMA works closely with industry participants to stay informed about emerging fraud trends and adapt their regulatory approach accordingly, and they actively engage in public education initiatives to raise awareness about common financial scams and empower individuals to protect themselves. In addition, CIMA collaborates with international counterparts to share information and best practices in combating financial crime.

The extent to which a fintech service provider would be responsible for losses suffered by a customer would depend on a mix of applicable regulation, contractual provisions, and the circumstances in which the customer’s loss was suffered. The legal position for damages closely follows that of English law.

Service providers typically seek to place contractual limits on their liability in agreements with customers, often excluding any losses caused by the customer themselves or by third parties, and imposing a financial cap. Losses caused by the fraud of a third party will usually (whether expressly or implicitly) be caught within the exclusion of losses caused by third parties.

A service provider typically will not seek to exclude liability arising from its own fraud (or those acting on its behalf), but depending on the service may well seek to exclude all other types of liability.