Regulatory Round-up

CIMA’s Thematic Desk-Based Review of VASPs

The Cayman Islands Monetary Authority (CIMA) has issued its thematic review of Registered Virtual Asset Service Providers, calling for stronger governance, internal audits, complaints handling, cybersecurity, custody, and liquidity risk controls. With Phase 2 effective from 1 April 2025, VASPs should align practices to CIMA’s expectations. Maples Group supports VASPs with practical, end‑to‑end CIMA compliance advice.

CIMA has released the report for its Thematic Desk-Based Review of Registered Virtual Asset Service Providers (“VASPs”). The review was conducted between September 2024 and February 2025, covering 11 regulated VASPs across a range of services.

While CIMA identifies several positive observations, the report focuses on the areas it calls out as needing improvement. These include board composition and governance succession planning, business continuity planning, internal audits, complaints handling, cybersecurity and data protection, and custody policies and procedures.

In particular, CIMA reminds VASPs to:

  • promptly notify/seek approval from CIMA as required (for example, around changes to key personnel, regulatory actions by other authorities, and material cybersecurity incidents);
  • ensure boards include individuals with a diversity of skills, background, experience, and expertise, and that director number and independence requirements are met;
  • establish appropriate succession plans for directors and senior management;
  • implement an effective and comprehensive audit of their internal control systems by operationally independent, appropriately trained, and competent staff;
  • develop a comprehensive business continuity plan, aligned with international best practices and recognising the particular vulnerabilities of VASPs;
  • ensure that all customer complaints or issues are dealt with in a timely and consistent manner, through a complaints handling policy and procedures;
  • enhance their cybersecurity governance, oversight, and risk management framework (including identifying responsibilities, regular risk assessments, gap analyses, and considering appropriate insurance);
  • conduct regular, formal, and independent cybersecurity and cyber resilience audits;
  • strengthen cybersecurity and data protection controls, including robust data loss prevention tools, automated real-time threat detection and monitoring solutions, and a comprehensive and tailored incident response plan;
  • enhance onboarding and continuous monitoring of outsourced arrangements, including due diligence, risk assessment, and exit strategies;
  • enhance their custody-related policies, procedures, and controls, such as around the requirements for securing customer virtual assets and performing due diligence, verifying compliance through independent audits, and appropriate disclosure and transparency with clients;
  • continue to strengthen their policies, procedures, and controls to adequately manage financial and liquidity risk; and
  • review and adhere to any ongoing VASP registration approval conditions.

The report also references CIMA’s “AML/CFT On-site and Off-site Supervision of the Virtual Asset Service Providers” from 18 September (which we have previously discussed), and states the two should be read in conjunction.

As CIMA notes, the review took place under Phase 1 of the VASP regime. We recommend that VASPs take into account these findings and reminders, and ensure these identified areas are adequately covered when reviewing and updating their practices for Phase 2, which began on 1 April 2025.

Maples Group has considerable experience advising VASPs and other CIMA-regulated entities on their compliance obligations. Please reach out if we can be of assistance.
