Cayman Financial Services Enforcement Review 2025

Key takeaways

• Anti-money laundering counter-terrorist financing and proliferation financing (AML/CFT/CFP) remains the main focus of inspections, and CIMA has demonstrated a clear readiness to take enforcement action where deficiencies are identified. However, it continues to broaden the scope of inspections, reviews and enforcement beyond AML/CFT/CFP.

• CIMA has cancelled numerous director registrations indicating that many registered directors should no longer be registered. CIMA introduced a one-time amnesty scheme for non-compliant directors.

• The DITC has increased its enforcement activity in relation to Common Reporting Standard (CRS) and economic substance filings, particularly missed deadlines and inconsistent or incorrect classifications, and is showing less tolerance towards failings.

Summarising recent Cayman Islands regulatory enforcement actions, including inspections, penalties and outcomes.

Introduction

This note summarises recent enforcement developments in the Cayman Islands, involving the Cayman Islands Monetary Authority (CIMA) and the Department for International Tax Cooperation (DITC) enforcement outcomes, inspections and administrative penalties.

CIMA enforcement outcomes

Between March and October 2025, CIMA published eight decision notices involving the cancellation of registrations under the Mutual Funds Act and the Virtual Asset (Service Provider) Act (the VASP Act) and director registrations under the Directors Registration and Licensing Act (DRLA). These actions were taken for reasons including failures to:

• pay prescribed annual fees (and any accrued penalties);
• submit audited accounts;
• maintain a registered office;
• file annual declarations; and
• maintain the minimum two directors.

Trends in CIMA inspections

In May 2025, CIMA published a supervisory information circular setting out its Key Findings on Onsite Inspections of Registered Persons.

In the past three years, there has been an increased number of prudential inspections (examining the general compliance of the regulated entity) as well as thematic reviews (inspecting a cross section of different licence types but focused on a specific area). AML/CFT/CFP remains a key area of regulatory concern. According to the circular, CIMA has noted progress in AML/CFT/CPF compliance since 2022, particularly in training, oversight, and risk-based controls. However, gaps remain with regard to:

• customer due diligence procedures and ongoing monitoring;
• sanctions compliance; and
• the effectiveness of independent audit functions.

CIMA also identified weaknesses in AML/CFT/CPF policies and procedures, especially with regard to risk-based approach, customer identification, verification and ongoing monitoring and sanctions compliance systems and controls.

Beyond AML/CFT/CFP, CIMA is also focusing on outsourcing, cybersecurity, and corporate governance. CIMA has indicated that VASPs are a priority and that it will be conducting more inspections in this sector.

Given the increased scope and importance of inspections, failing to engage constructively with CIMA is not an option. Consequences can include a lengthy remediation process, heightened regulatory scrutiny, and, in more serious cases, enforcement action such as fines, restrictions on business, or even licence revocation. This is especially important for regulated entities that are supervised by more than one division within CIMA, as it could be facing inspections from both divisions.

CIMA findings from VASP inspections and desk-based reviews

In September 2025, following a series of risk-based inspections in 2023 and a targeted desk-based review conducted between 2024 and 2025, CIMA issued a circular on its VASP supervision framework under the AML/CFT/CFP regime.

In this circular, CIMA noted good compliance in many areas but also identified the following issues:

• weak or outdated Business Risk Assessments, or lack of evidence of applying them properly;
• inadequate customer due diligence, including lack of enhanced due diligence, ongoing monitoring, scrutiny of transactions, and the escalation of deficiencies;
• inadequate client risk assessments, including failure to maintain or document risk ratings correctly and insufficient consideration of risk factors;
• failing to conduct risk assessments or inadequate reviews of technology solutions for AML/CFT/CFP compliance;
• lack of, or adequate policies and procedures relating to sanctions applicable to the Cayman Islands and inadequate record keeping of name matches or rationale for clearing or dismissing alerts;
• inadequate board oversight of the AML/CFT/CFP Compliance function;
• lack of outsourcing agreements;
• AML/CFT/CFP audits not being conducted or not being conducted by an operationally independent person;
• AML/CFT/CFP training failing to cover the regulatory framework relevant to the Cayman Islands; and
• inadequate records or a lack of record management systems, and failure to submit the quarterly travel rule returns.

In November 2025, CIMA released a report detailing the key issues identified through the desk-based review. In addition to highlighting AML/CFT/CFP issues, CIMA identified issues with:

• corporate governance: Gaps in Board of Directors composition and lack of or inadequate succession planning;
• internal controls: Inadequate Business Continuity Planning, absence of regular internal audit reviews and gaps in complaints handling;
• cybersecurity: deficiencies in cybersecurity governance and oversight, inadequate cybersecurity risk management framework, deficiencies in data protection controls, inadequate oversight of outsourced arrangements;
• virtual asset custody arrangements: Lack of/inadequate policies and procedures, absence of periodic independent audits; and
• financial position: Supplementary information was required to show that the VASP was a going concern, where a VASP had not yet achieved profitability.

CIMA has encouraged VASPs to carefully review the findings from the circular and the report on the desk-based review to ensure their policies, procedures, systems, and controls align with CIMA's regulatory expectations and the applicable acts and guidance.

In addition to inspections and desk-based reviews, CIMA seeks to identify trends and risks in relation to the movement of virtual assets by reviewing information provided in the VASP Travel Rule Return. Further information can be found in our advisory note.

CIMA's one-time amnesty scheme for directors from 16 September to 15 October 2025

CIMA also issued a wave of director cancellations, many following unsuccessful attempts to contact individuals. These actions highlight that a significant number of registered directors are failing to pay annual fees, but are also not deregistering.

In response, CIMA introduced a one-time amnesty scheme for non-compliant directors, running from 16 September to 15 October 2025. The amnesty allowed certain directors to return to good standing by settling outstanding annual fees and penalties at a discounted rate. More information on the scheme can be found in our release.

CIMA's message is that registration under the DRLA is not a 'one and done' process. In an industry notice issued the day after the scheme closed, directors were warned that being in arrears in fees or penalties is a breach of the DRLA, and ongoing non-compliance may lead to enforcement action. With this in mind, directors must proactively ensure and must be able to demonstrate their ongoing fitness and propriety whenever called upon to do so.

Recent enforcement: CIMA and DITC

CIMA

A recent example of CIMA's approach is the administrative fines imposed on two entities in the Blacktower Group. In September 2025, CIMA issued an administrative fine of CI$230,038.72 on Blacktower Financial Management (International) Limited, a Securities Investment Business Licensee and CI$85,043.84 on Blacktower (Cayman) Ltd, Securities Investment Business Licensee and Insurance Agent. This enforcement action was triggered by an on-site inspection, which uncovered deficiencies in AML transaction monitoring, record-keeping and performing enhanced due diligence.

CIMA also found that Blacktower Financial Management (International) Limited had failed to ensure that clients were provided with sufficient and timely disclosure regarding any other matter reasonably to be regarded as necessary to enable the client to make informed decisions, in accordance with its obligations under the Securities Investment Business Act.

In taking this action, CIMA emphasised that regulated entities must have the necessary frameworks in place before receiving an inspection notice. It has therefore become more important than ever for regulated entities to take pre-emptive steps before receiving an inspection notice. This would include:

• ensuring policies and procedures, ongoing monitoring and employee training are up-to-date;
• putting processes in place to monitor compliance functions; and
• making sure key personnel are ready to engage with CIMA and respond to queries.

DITC

There has also been a material increase in enforcement action by the DITC in relation to failings under the CRS and economic substance regimes, typically in relation to missed deadlines, incorrect or inconsistent classifications or other footfalls. Initial fines typically range from CI$10,000 to almost CI$50,000. A well-reasoned response, together with prompt remediation, if necessary, can assist in reducing proposed fines in part or entirely.

Looking forward to 2026 and beyond

With the Cayman Islands preparing for the Financial Action Task Force's (FATF) 5th Round Mutual Evaluation, CIMA is expected to make a concerted effort to continue to identify and address AML/CFT/CFP risk. In addition to focusing on the effectiveness of AML/CFT/CFP frameworks adopted by regulated entities, we anticipate increased attention on what FATF terms the emerging risks arising from the criminal exploitation of virtual assets. This will likely result in more inspections and greater enforcement activity. Please see our advisory note for more detail on this.

We also expect CIMA to continue to monitor VASPs through off-site inspections. As part of its enhanced supervisory approach, on 1 December 2025, CIMA released the VASP Financial Returns Form, introducing a quarterly financial reporting obligation for VASPs. Ultimately, all regulated entities should be prepared for some form of enquiry, document request or formal inspection in the year ahead. In addition, certain unregulated entities operating in the decentralized space may also receive queries from CIMA.

We anticipate continued DITC enforcement activity, including a strong focus on timely, accurate CRS and economic substance filings, and less patience from the DITC on failings.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.