Introduction

This Guidance Note sets out the registration and continuing obligations of a virtual asset service provider registered with, or licensed by, the Cayman Islands Monetary Authority (“CIMA”) under the Virtual Asset (Service Providers) Act, (2022 Revision) (the “VASPA”).

Registration & Licensing

All virtual asset service providers (a “VASP entity”) are required to register with, or be licenced by, CIMA. Virtual asset service providers must not conduct any virtual asset business without such registration or licensing in place subject to penalty. Registrations must be made through CIMA’s Regulatory Enhanced Electronic Forms Submission (“REEFs”) web portal. Stuarts has access to REEFs and will attend to registration/licensing and ongoing
filings for our clients.

In order to register with CIMA, a VASP entity is required to file with CIMA the items set out in the Appendix to this Guide.

VASPA is being introduced in stages. Phase 1 of VASPA is in effect. Phase 1 includes the provisions of VASPA which relate to ‘registration’, enforcement, penalties and offences. Phase 2 of VASPA is expected to commence in 2022 and will bring into force the remaining provisions of the VASPA, including the ‘licensing’ requirement for virtual asset custodians and trading platform operators, the sandbox licensing regime and other elements of VASPA.
As Phase 2 in not yet in effect, entities which will be subject to the licensing regime will need to complete the registration process with CIMA in the first instance and then complete the licensing process once in effect.

Ongoing Obligations

Annual Fee. There is an annual fee payable to CIMA in each year. The amount of the fee payable will be within the prescribed range and determined by CIMA based on, but not limited to, the nature, size, scope and complexity of the virtual asset service or fintech service set out in the application less the assessment fee. Such fee must be paid by 15 January in each year subject to penalties.

Updated Information. A registrant, applicant for a registration, licensee or an applicant for a licence that makes any changes to the information submitted to CIMA as part of its application, must within 15 days after making the change, file with CIMA the details of the changes. A person who contravenes this requirement is liable on summary conviction to a US$25,000 fine.

Beneficial Owners. A VASP entity must ensure that its beneficial owners are fit and proper persons to have such control and ownership. No shares totalling 10% or more of the total shares in a VASP entity shall be issued, and no issued shares or interests shall be voluntarily transferred or disposed of, without the prior approval of CIMA. A person who contravenes this requirement is liable on summary conviction to a US$25,000 fine.

Senior/AML Officers. A VASP entity must ensure that its senior officers/trustees, as applicable, and beneficial owners are fit and proper persons for such positions or to have such control and ownership. A VASP entity must not appoint a senior officer, trustee or an AML compliance officer without the prior approval of CIMA. A person who contravenes this requirement is liable on summary conviction to a fine of US$25,000 fine.

Transfer of Shares. A VASP entity must not transfer shares of 10% or more of its issued shares/interests, and no issued shares or interests shall be voluntarily transferred or disposed of, without the prior approval of CIMA. A person who contravenes this requirement is liable on summary conviction to a fine of US$25,000.

Annual Audit. VASP ‘registered’ entities are not obligated to appoint an auditor but CIMA does have the power to require the VASP to provide an auditor’s report, if it deems this to be necessary. VASP ‘licensees’ are required to appoint a CIMA approved auditor and file audited accounts with CIMA within six months of its year-end in each year. VASP entities are required to make the accounts available for inspection upon request by CIMA. A licensee
who fails to file its audit on time is subject to a late filing fee of US$61 per day.

AML Obligations. A VASP entity is required to comply with the Anti-Money Laundering Regulations (2020 Revision) (the “AML Regulations”) and CIMA’s Guidance Notes (Amendment) (No. 5): Virtual Asset Service Providers, February 2020 and other Cayman Islands laws, rules and regulation relating to anti- money laundering (“AML”), combating terrorist financing (“CTF”) and proliferation financing (“PF”) and targeted financial sanctions (“TSF”). The VASP entity must establish AML systems and procedures for the purpose of
complying with the AML Regulations. The VASP entity must also designate employees to fulfil the roles of AMLCO, MLRO and DMLRO that have the responsibility for procedures with responsibility for the procedures for combating AML/CFT/PF/TSF and undertake audits of its AML systems and procedures at the request of CIMA. A VASP entity is also required to comply with the ‘AML Travel Rules’ as more particularly described in our Guide on Travel Rules.

Compliance and Reporting. VASP entities are required to establish and implement cyber security policies, data protection and internal safeguards, risk management methodologies, AML/CFT/PF/ TSF policies, safeguards asset protection and business model descriptions. VASP entities must take steps to protect and secure personal data of clients and ensure communications relating to virtual assets are accurate. VASP entities are required to maintain a registered office in the Cayman Islands.

Auditor’s Report. CIMA may, at the VASP entity’s expense, require a virtual asset service provider to provide an auditor’s report, prepared by an independent auditor, on the antimoney laundering systems and procedures for compliance with the AML Regulations.

Licensees. Additional requirements will apply to a licensee that provides virtual asset custody services or operates a virtual asset trading platform when the relevant sections of the VASPA come into effect as part of Phase 2.

Penalties. VASPA provides for extensive penalties up to US$122,000 as well as criminal penalties. VASPA provides that a person who carries on, or purports to carry on, virtual asset service in or from within the Islands for which registration or licensing is required who is not a registered person or licensed person or the holder of a waiver under VASPA, commits an offence and is liable on summary conviction to a fine of US$31,000 or US$122,000, as
applicable, imprisonment for one year and a US$12,000 per day penalty for each day the offence continues after conviction. VASPA provides that a person who knowingly or recklessly provides any information to CIMA which is false or misleading in a material respect commits an offence and is liable on summary conviction to a fine of US$12,000 and imprisonment for six months. In the event CIMA provides directions to a person and that person fails to comply, such person commits an offence and is liable — (a) on summary
conviction, to a fine of US$61,000 and imprisonment for one year; or (b) on conviction on indictment, to a fine of US$122,000 and imprisonment for five years, and if the offence continues after conviction, the person shall be liable to a fine of US$12,000 for every day on which the offence continues. In addition, CIMA has extensive power to impose a significant administrative fine of up to US$1.2 million for a breach of the AML Regulations.

Powers of CIMA. CIMA has broad enforcement powers under VASPA. CIMA has the power to, amongst other things, (i) revoke the licence or cancel the registration; (ii) impose conditions or further conditions upon the licence or amend or revoke any such conditions; (iii) apply to the court for any order which is necessary to protect the interests of clients or creditors of the licensee or registered person; (iv) at the expense of the virtual asset service provider, require the licensee or registered person to obtain an auditor’s report on the licensee’s AML systems and procedures for compliance with the AML Regulations; (v) require the substitution of any senior officer or trustee of the VASP entity whenever appointed, or the divestment of ownership or control; (vi) at the expense of the licensee, appoint a person to advise the licensee on the proper conduct of its affairs and to report to CIMA thereon; or (vii) at the expense of the licensee, appoint a person who shall be known as CIMA’s
appointed controller, to assume control of the licensee’s affairs who shall, subject to necessary modifications, have all the powers of a person appointed as a receiver or manager of a business appointed under section 18 of the Bankruptcy Act (Revised).

CIMA Regulatory Measures. In addition to the requirements set out under VASPA, a VASP entity is subject to the general regulatory oversight of CIMA which includes the requirement to comply with CIMA’s rules, statements of guidance, policies and procedures. Of note, a virtual asset service provider must comply with the Statements of Principles on Conduct of Virtual Asset Services and Corporate Governance and Nature, Accessibility and Retention of Records each of which can be accessed by clicking on the relevant foregoing link here.

AEOI. Where a virtual asset service provider is a ‘financial institution’ for FATCA or CRS purposes it must comply with the automatic exchange of information requirements. Financial institutions must have written policies and procedures in place. Please see our Guidance Note on the Automatic Exchange of Information for further information and see CRS Enforcement Guidelines here.

AML. All virtual asset service providers must comply with the anti-money laundering regime in the Cayman Islands including the travel rules applicable specifically to virtual asset service providers.

Data Privacy. The Cayman Islands Data Protection Act, 2017 (“DPA“), came into force on 30 September 2019. A virtual asset service provider is a ‘data controller’ and must comply with the data protection principles set out in the DPA when processing personal data. It must also ensure those principles are complied with where the personal data is processed on behalf of the data controller (e.g., by the administrator of the fund). Please see our Guidance
Note on Data Protection for further information.

If you would like further information, please contact:
Chris Humphries
Managing Director
Tel: +1 (345) 814-7911
[email protected]

Jonathan McLean
Partner
Tel: +1 (345) 814-7930
[email protected]

Megan Wright
Partner
Tel: +1 (345) 814-7904
[email protected]

Simon Orriss
Senior Associate
Tel: +1 (345) 814-7931
[email protected]


Appendix
An Applicant for Registration as a VASP Entity will need to provide the following to CIMA as part of the Application Process:

(1) CIMA Forms:
(i) VA Declaration;
(ii) REEFs Application Form (APP-101-84);
(iii) REEFs AML/CFT Inherent Risk Form (AIR 157-84);
(iv) Personal Declaration (for each director/senior officer); and
(v) Personal Declaration (for each shareholder who holds over 10%).

(2) Consent Letter:
(i) Auditor Consent Letter (as applicable).

(3) Policies:
(i) Cyber Security Policy;
(ii) Data Protection / Internal Safeguards;
(iii) Risk Management Methodology;
(iv) AML/CFT/PF/TSF Policy; and
(v) Business Plan and Safeguards Asset Protection Policy.

(4) Corporate Documents:
(i) Certificate of Incorporation/Registration;
(ii) Register of Members; and
(iii) Register of Directors.

(5) Resumes:
(i) AML Officers Resumes/CVs;
(ii) CV (for each director/member/partner/senior officer); and
(iii) CV (for chief information officer/chief information security officer).

(6) Reference Letters (for each director/10%+ shareholder/senior officer):
(i) Academic and Professional Qualifications (certified copies);
(ii) CV (up to date and comprehensive);
(iii) Professional/Personal Reference Letter x 2 (see sample);
(iv) Bank Reference Letter x 1 (see sample);
(v) Police Clearance Certificate x1 (see sample); and
(vi) For 10%+ shareholders only – Declaration of Source of Funds (see
sample) with supporting evidence.

(7) Additional information:
(i) List of the Applicant’s Blockchain addresses (separated by coin);
(ii) Transaction flow charts;
(iii) Details of outsourced arrangements and related agreements;
(iv) A comprehensive full group companies structure chart, including UBOs;
(v) Details of regulated status of entities within the group the relevant regulated
services and jurisdictions; and
(vi) Details of services provided by any related entity to the VASP.

(8) Fees:
(i) Application Fee – CI$ 1,000.00; and
(ii) Registration Fee – variable – an additional fee of between CI$ 1,000 and
CI$ 15,000 will be payable depending on the type of virtual asset services
and, if applicable, CIMA’s assessment of other factors including the
nature, size and complexity of the services.

Guidance Note
This publication is for general guidance and is not intended to be a substitute for specific legal advice. Specialist advice should be sought about specific circumstances.

More from Stuarts Humphries