Cayman Islands – CIMA’s Review of VASPs

9 February 2026 . 5 min read

The Cayman Islands introduced the Virtual Assets (Service Providers) Act (“VASP Act”) to align with the standards and recommendations set out by the Financial Action Task Force relating to the AML/CFT supervision of virtual asset service providers (“VASPs”). The VASP Act (including the enhanced prudential and government requirements that apply to VASPs) provides a clear digital assets framework, which has cemented the Cayman Islands as a credible, transparent jurisdiction for operating a virtual assets business.

The VASP Act adopted a phased implementation approach. Phase 1 came into effect on 31 October 2020 and required VASPs to register with the Cayman Islands Monetary Authority (“CIMA”), with regulatory oversight focused on anti-money laundering (“AML”), counter-terrorist financing (“CTF”), combatting proliferation financing (“CPF”), targeted financial sanctions and cybersecurity. Phase 2, which commenced on 1 April 2025, introduced a licensing regime for virtual asset trading platforms and virtual asset custodians. As of 4 February 2026, there are 19 VASPs registered with CIMA.

CIMA is the designated supervisor of VASPs registered in the Cayman Islands and as such, has responsibility for monitoring the regulatory compliance of VASPs and determining the frequency and focus of both on-site inspections and off-site inspections of VASPs.

Ongoing monitoring of VASPs

After approval is granted by CIMA, VASPs have certain ongoing statutory obligations, which are in addition to any event-driven filings. For example, VASPs are required to submit an annual AML Return and a quarterly Travel Rule Return to CIMA. CIMA leverages software to automate both (1) the collection and analysis of data relating to the cross-border transactions conducted by VASPs and (2) the scoring of inherent risks and controls in relation to VASPs.

CIMA inspections of VASPs

In 2023, CIMA commenced its risk-based AML/ CTF on-site inspections of VASPs to assess their AML/ CTF policies, procedures, systems and controls, in particular for compliance with the requirements of the Anti-Money Laundering Regulations, the CIMA Guidance Notes on the Prevention and Detection of AML/ CTF and CPF and the Travel Rule.

Since then, CIMA has conducted a Thematic Desk-based Review of 11 regulated VASPs from September 2024 to February 2025 (“Desk-Top Review”), including a mixture of both virtual asset exchanges and virtual asset custody service providers – the key findings of the Desk-Top Review were published in November 2025. The most important learning point from the Desk-Top Review is that as the VASP regime is nascent, VASPs must continue to regularly monitor changes and take proactive steps to remain compliant with ongoing regulatory obligations.

In addition to the Desk-Top Review, CIMA also published a separate Supervisory Circular on 18 September 2025 relating to more specific AML/ CTF related considerations (“AML/ CTF Review”).

A summary of the key findings of both the Desk-Top Review and AML/ CTF Review (together, the “CIMA Reviews”) is set out below:

Key observations from the CIMA Reviews

  1. Corporate governance deficiencies – while the VASP Act has been amended since first enactment, so that now three (3) Directors are required (including at least one independent Director with no vested interest in the VASP), CIMA still noted that 27% of VASPs reviewed did not meet this requirement and 36% were operating without any formal succession planning for the governing body and key senior management.
  2. Inadequate cybersecurity governance – the Desk-Top Review showed that 27% of VASPs had not appointed a qualified CISO or CIO and had insufficient documentation on IT and cybersecurity audits. A staggering 82% of VASPs reviewed lacked any cybersecurity insurance. Further deficiencies were identified in data protection, IT controls and in the oversight of outsourced arrangements.
  3. Inadequate virtual asset custody policy – while the Rule and Statement of Guidance – Virtual Asset Custodians and Virtual Asset Trading Platforms was only published by CIMA in December 2024 and CIMA acknowledged in the Desk-Top Review that VASPs would need more time to comply, CIMA found that 40% of the VASPs reviewed had inadequate policies for virtual asset custody services.
  4. Deficiencies in business continuity planning – the Desk-Top Review showed inadequate business continuity planning, including examples of Business Continuity Plans (“BCP”) not in compliance with the applicable Statement of Guidance and no board approval, testing or independent review of the BCP.
  5. Inadequate risk assessments. Customer risk assessments that are not up-to-date, not adequately documented or do not demonstrate that all risk factors (e.g. jurisdiction of operation, transactions and delivery channels) have been considered.
  6. Inadequate assessment of technology solutions. Inadequate assurance reviews for technology solutions to ensure systems are operating effectively e.g. screening for sanctions and adverse media, e-KYC and on-chain analytic tools.
  7. Missing KYC. Missing customer due diligence and absence of verification on customer files (e.g. failure to maintain constitutional documents for customers who are legal persons) and failure to appropriately categorize higher risk customers e.g. PEPs as high-risk customers requiring EDD.
  8. No ongoing monitoring. Some instances were identified in the AML/ CTF Review of no ongoing monitoring of business relationships, on either a timely basis, or at all.
  9. Employee issues. Lack of escalation and staff understanding of a VASP’s transaction monitoring system. In addition, the AML/ CTF Review cited examples of only very generic employee training, which did not cover the regulatory framework relevant to the Cayman Islands, and gaps in the maintenance of records to demonstrate that adequate AML/ CTF/ CPF training had been provided to employees.
  10. Inadequate sanctions compliance. Failure to carry out ongoing sanctions screening after onboarding, inadequate record keeping of name matches and of the rationale for clearing or dismissing alerts. In addition, the AML/ CTF Review found a failure of policies and procedures to set out a clear path for handling on-chain transactions alerts, by not setting out who at the VASP can approve transactions related to higher-risk exposure and for treatment of exposure to sanctions entities and jurisdictions.
  11. Oversight of the compliance function. Inadequate board oversight of the VASP’s AML/ CTF compliance function e.g. board packs and minutes not indicating any discussion of AML/ CTF issues, lack of evidence of board approval of AML policies and procedures and lack of outsourcing agreements.
  12. No AML/CTF audit. CIMA found instances of no internal audit function having been established and AML/ CTF audits not being conducted at all/ not conducted by an operationally independent person.
  13. Gaps in record keeping. Poor record management systems to ensure the timely provision of information to CIMA e.g. CDD, transactions records or sanctions screening.
  14. Financial position. In instances where VASPs had not yet achieved profitability, supplementary information is required to be submitted to CIMA to support the assessment that the VASP remains a going concern with sufficient resources to meet its financial obligations as required. This means that in practice, VASPs must develop robust policies, procedures and controls to adequately manage financial and liquidity risk.
  15. Failure to notify CIMA of key changes. CIMA noted instances where changes to key personnel or business operations of a VASP had not been communicated in a timely manner to CIMA/ approval sought where required. For example, (i) appointments of senior officers require the prior approval of CIMA, (ii) any penalties imposed, enforcement action or litigation proceedings brought against the VASP in another jurisdiction must be reported to CIMA within 30 days, and (iii) any cybersecurity incident must be reported to CIMA within 30 days.

Regulatory warning: CIMA takes enforcement action!

The registration of a VASP (AC Holding Limited) was recently cancelled by CIMA on 5 June 2025 for multiple failures by the VASP to provide documents to CIMA and for failing to put into place AML systems and procedures, in addition to breaches of other CIMA Rules, e.g. the Rule on Corporate Governance and the Rule on Internal Controls.

This enforcement action underscores CIMA’s serious approach to regulatory compliance and its readiness to take decisive action where breaches are not remedied.

This publication is not intended to be a substitute for specific legal advice or a legal opinion. For specific legal advice on the subject matter of this Briefing, please contact your usual Loeb Smith attorney or any of the following: 

Partner: Elizabeth Kenny

E: elizabeth.kenny@loebsmith.com

Liz is a Partner in the Corporate and Funds Group and is also Head of Regulatory and Risk, in which capacity she is a key thought leader on regulatory licence applications, virtual assets, crypto and fintech regulation, corporate governance reviews, anti-money laundering compliance frameworks, regulatory audits, Corporate Governance, CIMA inspections and remediations, sanction reporting and licencing, data protection laws, regulatory enforcement notices, administrative fines and on mandatory information exchange requirements.
