Regulatory & Risk Advisory Review: Cayman Islands – January To March 2026

Welcome to the first Regulatory & Risk Advisory Review of 2026. This edition provides a targeted update on recent regulatory, supervisory and policy developments affecting the Cayman Islands’ legal and compliance framework. The aim of this review is to support informed regulatory and risk management decision making by providing concise, practical analysis of current developments.

Should you require further clarification on any of the topics covered, please contact a member of the Regulatory & Risk Advisory team or your usual Conyers contact.

The following topics are covered in this issue:

• Increases to Annual Fees
• Department for International Tax Cooperation (DITC)
• Legislation Update
• Cayman Islands Monetary Authority (CIMA)
• CIMA Rules, Statements of Guidance and General Industry Notices
• Tokenised Funds – Ministry of Financial Services & Commerce Response
• Financial Action Task Force (FATF)
• The Legal Services Act and The Legal Services Supervisory Authority
• Conyers Website Articles & Alerts

A series of legislative amendments introducing targeted fee adjustments across several regulated sectors took effect on 1 January 2026. The amendments, approved by Cabinet and published on 19 December 2025, are intended to ensure that regulatory resources remain proportionate, support alignment with international supervisory standards, and enhance administrative efficiency. Key changes include the introduction of consolidated annual fees for mutual funds and private funds (replacing the previous dual-payment structure of an annual fee and a separate annual return fee), a 10 percent increase to the annual fees applicable to Class B(i), (ii), and (iii) insurers (generally comprising captive insurers), and the establishment of a tiered annual fee structure for banks and trust companies based on total assets under management, with incremental increases to be phased in over the period 2026 to 2028.

Penalties will commence from 16 February 2026, and all regulated entities are expected to review the relevant legislative amendments and take the necessary steps to ensure full compliance within the prescribed timelines.

Department for International Tax Cooperation (DITC)

The Cayman Islands Department for International Tax Cooperation (DITC) issued an Industry Advisory dated 21 January 2026 confirming that the Tax Information Authority (TIA) is extending the deadline for submission of certain information under the Amended Common Reporting Standard. Under the Tax Information Authority (International Tax Compliance) (Common Reporting Standard) (Amendment) Regulations, 2025 (the “CRS Amendment Regulations”), a Cayman Financial Institution (Cayman FI) (other than an exempted body) that became an FI in 2025 is required to register on the DITC Portal by 30 April 2026; however, the Authority is extending the deadline to 31 January 2027 in respect of two specific items: (i) the appointment of a Principal Point of Contact (PPoC) in the Islands, and (ii) the date on which the Cayman FI became an FI. The extended deadline for these two items applies to all Cayman FIs. A PPoC is a person located in the Cayman Islands and authorised by a Cayman FI to act as its primary contact with the Authority (via the DITC) for CRS compliance purposes, and may be either a natural person with a physical address in the Cayman Islands or a legal person incorporated, registered or established, and maintaining a physical address, in the Cayman Islands. The PPoC requirement is intended to ensure that the Authority has a locally reachable point of contact and the DITC Portal will require sufficient PPoC contact details to allow the Authority to communicate directly with the PPoC and to reasonably expect timely receipt of, and response to, official communications. FIs should ensure PPoC details are submitted and kept current via the DITC electronic portal using the prescribed registration or change form.

Alongside the CRS Amendment Regulations, the Tax Information Authority (International Tax Compliance) (Crypto-Asset Reporting Framework) Regulations, 2025 also came into force on 1 January 2026. Please see our memo titled ‘The Common Reporting Standard and Crypto-Asset Reporting Framework in the Cayman Islands’ for more information on these regulations.

3.1 Legislative Consolidations

New revisions and amendments were released during the first quarter of 2026 for certain Acts and Regulations. These include:

• Banks and Trust Companies (Licence Applications and Fees) Regulations (2026 Revision)
• Beneficial Ownership Transparency (Amendment) (No. 2) Act (2025)
• Beneficial Ownership Transparency Regulations (2026 Revision)
• Beneficial Ownership Transparency (Legitimate Interest Access) (Amendment) Regulations, 2026
• International Tax Co-operation (Economic Substance) Act (2026 Revision)
• Mutual Funds (Annual Returns) Regulations (2026 Revision)
• Mutual Funds (Fees) Regulations (2026 Revision)
• Private Funds (Annual Returns) Regulations (2026 Revision)
• Private Trust Companies Regulations (2026 Revision)
• Securities Investment Business (Conduct of Business) Regulations (2026 Revision)
• Securities Investment Business (Licence Applications and Fees) Regulations (2026 Revision)
• Securities Investment Business (Registration and Deregistration) Regulations (2026 Revision)
• Trade and Business Licensing Act (2026 Revision)

These revisions incorporate various amendments and updates into a revised and consolidated up to date version of each Act. A number of the amendments reflect increases in certain regulatory and corporate fees applied by authorities in relation to their services. Each revised Act should be reviewed for details on any core substantive changes.

3.2 Amendments to the Cayman Islands Mutual Funds Act and Private Funds Act

In March 2026, the Cayman Islands passed targeted amendments to the Mutual Funds Act and the Private Funds Act, together with complementary changes to the Virtual Asset (Service Providers) Act, to establish a clear statutory framework for tokenised fund structures. The amendments introduce definitions for “digital equity tokens” and “digital investment tokens” respectively, each representing the whole of an investor’s equity or investment interest in a mutual fund or private fund, respectively. Transferability of tokenised interests is expressly subject to operator approval in accordance with the relevant offering document, and offering documents must now disclose technology-specific risks — including cybersecurity and transferability considerations — and explain how those risks are mitigated. The amendments also clarify that a regulated fund’s issuance of tokenised interests does not constitute a “virtual asset issuance” under the Virtual Asset Service Provider (VASP) regime, although separate virtual asset services remain within VASP’s scope.

Enhanced recordkeeping and supervisory obligations are a central feature of the changes. Operators will be required to confirm annually to the Cayman Islands Monetary Authority (CIMA) that all records relating to the issuance, creation, sale, transfer and ownership of tokenised interests have been properly kept and maintained. Administrators or funds must be able to provide these records to CIMA within specified timeframes. CIMA’s supervisory toolkit is also expressly extended to tokenised activity, empowering it to impose restrictions on token characteristics, request additional information, require periodic reporting, monitor ongoing compliance, and carry out inspections of both the underlying technology and token transactions. Fund operators and advisers should review these amendments carefully to assess any impact on existing or planned tokenised fund structures.

Cayman Islands Monetary Authority

4.1 Enforcement Manual – Regulatory Handbook Volume 2

In March 2026, CIMA published an updated version of the Enforcement Manual as Volume 2 of its Regulatory Handbook (the “Manual”), replacing and repealing both the June 2025 Enforcement Manual and the Regulatory Procedure – Publication of Enforcement Actions Taken by the Authority (July 2005). The Manual applies to all parties subject to CIMA’s powers to impose enforcement action and administrative fines. It establishes the framework governing CIMA’s enforcement regime with respect to non-compliance with Regulatory Acts by Authorised Persons, consolidating certain procedures including but not limited to enforcement actions and fines. It is organised in four parts:

Part I sets out the policies and procedures for enforcement actions, including the criteria CIMA will apply when determining whether enforcement action is warranted and the range of actions available to it — from supervisory letters and the suspension or revocation of licences and registrations, through to the appointment of controllers and advisors, fitness and propriety assessments and, ultimately, referrals to prosecutorial authorities. Part I also details the warning notice and decision notice procedure, which affords affected parties the opportunity to make representations to CIMA before enforcement decisions are finalised.

Part II addresses the administrative fines regime, setting out the framework for investigating breaches, classifying them as minor, serious or very serious, and calculating the applicable fine through a prescribed five-step process that accounts for matters including disgorgement, aggravating and mitigating factors, and adjustment for guiding principles. It also introduces an early settlement and discount mechanism under which parties may negotiate reduced fines of up to 40% at CIMA’s discretion.

Part III establishes the criteria and procedures for discretionary publication of enforcement actions and administrative fines, balancing public interest and market confidence considerations against confidentiality, while Part IV addresses the procedures CIMA will follow when there are issues of non-compliances and it has lost contact with an authorised person.

Authorised persons should familiarise themselves with the Manual, which does not impose new regulatory obligations but serves as an important guide to how CIMA intends to exercise its enforcement and administrative fines powers in practice. In particular, regulated entities should ensure that their compliance and governance frameworks account for the enforcement criteria, the structured fines methodology and the procedural safeguards outlined in each part of the Manual.

4.2 AML/CFT Activity Report 2024

In February 2026, CIMA published its AML/CFT Activity Report for 2024, providing a detailed overview of the Authority’s supervisory activities, inspection outcomes, enforcement actions, and outreach activities across the financial services sector. During 2024, CIMA conducted 83 AML/CFT onsite inspections of regulated entities, of which 72 had been completed at the date of the report. Of those concluded with deficiencies, 367 requirements were issued, 324 of which were classified as Matters Requiring Immediate Attention. Nineteen inspections resulted in letters with no findings. CIMA continued to apply a risk-based approach to determining the frequency and focus of onsite and off-site AML/CFT supervision, utilising its Strix platform for entity-level risk assessments alongside data from onsite inspections, competent authority disclosures, screening results, and quarterly returns (to name a few).

The report highlights persistent areas of concern identified through the 2024 inspection programme. Risk-based approach deficiencies accounted for 31% of all deficiencies identified through onsite inspections, with common issues including undocumented or incomplete customer risk ratings, gaps in policies and procedures for identifying and assessing money laundering and terrorism financing risks, and failures to conduct periodic customer file reviews within required timeframes. Sanctions programme deficiencies accounted for 13% of deficiencies identified, though CIMA noted an improvement from the prior year, with 49% of inspected entities identified as having TFS-related deficiencies compared to 65% in 2023. Further recurring themes included deficiencies in customer due diligence (12%), internal controls (13%), ongoing monitoring (8%), policies and procedures (9%), and record-keeping (8%). CIMA also continued to supervise the virtual asset sector, issuing 24 directions to entities potentially operating without VASP registration, and commenced a targeted desk-based review of VASP compliance with the AMLRs.

Looking ahead, CIMA confirmed it will continue to promote and safeguard the integrity of the financial services industry by further expanding its data-led supervisory capabilities, tracking deficiencies and remediation to assess compliance with supervisory findings, and ensuring prompt escalation to enforcement where necessary. The Authority will focus on identifying trends, systemic issues, and areas of risk, together with close collaboration with other regulatory and law enforcement authorities, to support timely and appropriate supervisory action.The jurisdiction is now preparing for the FATF 5th Round Mutual Evaluation, with the onsite phase expected to commence in late 2027.

4.3 Thematic Review on Outsourcing

In January 2026, CIMA published its Thematic Review on Outsourcing, presenting the findings of a cross-sector review conducted in 2025 on sixteen regulated entities spanning the insurance, fiduciary, investment, securities and banking industries. The review assessed the effectiveness of governance structures, risk assessment practices and oversight controls relating to outsourcing arrangements, benchmarked against the Statement of Guidance – Outsourcing Regulated Entities (April 2023) (the “SOG – Outsourcing”) and applicable regulatory legislation.

The review identified good practices and weaknesses across eleven thematic areas, with the most significant weaknesses concentrated in four categories: outsourcing agreements (34%), accountability (33%), risk management (10%) and assessment of service providers (8%), together accounting for 85% of the findings. Common shortcomings of outsourcing arrangements included missing contractual provisions (such as performance monitoring metrics, conflict of interest clauses and supervisory access rights), with insufficient board-level review of policies and procedures, inadequate risk assessments and due diligence scope and methodology. CIMA also noted areas of good practice among a number of the entities reviewed, including documented risk management frameworks, board engagement, feasible contingency planning and comprehensive confidentiality protections in service level agreements.

Regulated entities are encouraged to use the findings as a prompt to review and ensure that their outsourcing framework is commensurate with the size, complexity, structure, nature of business and risk profile of their operations. In particular, entities should confirm that outsourcing agreements contain all minimum provisions required under the SOG – Outsourcing, that risk and materiality assessments are conducted prior to entering into arrangements and regularly thereafter, and that appropriate notification procedures are in place with respect to CIMA. The full Thematic Review Report is accessible via CIMA’s website.

4.2 AML/CFT Activity Report 2024

In February 2026, CIMA published its AML/CFT Activity Report for 2024, providing a detailed overview of the Authority’s supervisory activities, inspection outcomes, enforcement actions, and outreach activities across the financial services sector. During 2024, CIMA conducted 83 AML/CFT onsite inspections of regulated entities, of which 72 had been completed at the date of the report. Of those concluded with deficiencies, 367 requirements were issued, 324 of which were classified as Matters Requiring Immediate Attention. Nineteen inspections resulted in letters with no findings. CIMA continued to apply a risk-based approach to determining the frequency and focus of onsite and off-site AML/CFT supervision, utilising its Strix platform for entity-level risk assessments alongside data from onsite inspections, competent authority disclosures, screening results, and quarterly returns (to name a few).

The report highlights persistent areas of concern identified through the 2024 inspection programme. Risk-based approach deficiencies accounted for 31% of all deficiencies identified through onsite inspections, with common issues including undocumented or incomplete customer risk ratings, gaps in policies and procedures for identifying and assessing money laundering and terrorism financing risks, and failures to conduct periodic customer file reviews within required timeframes. Sanctions programme deficiencies accounted for 13% of deficiencies identified, though CIMA noted an improvement from the prior year, with 49% of inspected entities identified as having TFS-related deficiencies compared to 65% in 2023. Further recurring themes included deficiencies in customer due diligence (12%), internal controls (13%), ongoing monitoring (8%), policies and procedures (9%), and record-keeping (8%). CIMA also continued to supervise the virtual asset sector, issuing 24 directions to entities potentially operating without VASP registration, and commenced a targeted desk-based review of VASP compliance with the AMLRs.

Looking ahead, CIMA confirmed it will continue to promote and safeguard the integrity of the financial services industry by further expanding its data-led supervisory capabilities, tracking deficiencies and remediation to assess compliance with supervisory findings, and ensuring prompt escalation to enforcement where necessary. The Authority will focus on identifying trends, systemic issues, and areas of risk, together with close collaboration with other regulatory and law enforcement authorities, to support timely and appropriate supervisory action.The jurisdiction is now preparing for the FATF 5th Round Mutual Evaluation, with the onsite phase expected to commence in late 2027.

4.1 Enforcement Manual – Regulatory Handbook Volume 2

In March 2026, CIMA published an updated version of the Enforcement Manual as Volume 2 of its Regulatory Handbook (the “Manual”), replacing and repealing both the June 2025 Enforcement Manual and the Regulatory Procedure – Publication of Enforcement Actions Taken by the Authority (July 2005). The Manual applies to all parties subject to CIMA’s powers to impose enforcement action and administrative fines. It establishes the framework governing CIMA’s enforcement regime with respect to non-compliance with Regulatory Acts by Authorised Persons, consolidating certain procedures including but not limited to enforcement actions and fines. It is organised in four parts:

Part I sets out the policies and procedures for enforcement actions, including the criteria CIMA will apply when determining whether enforcement action is warranted and the range of actions available to it — from supervisory letters and the suspension or revocation of licences and registrations, through to the appointment of controllers and advisors, fitness and propriety assessments and, ultimately, referrals to prosecutorial authorities. Part I also details the warning notice and decision notice procedure, which affords affected parties the opportunity to make representations to CIMA before enforcement decisions are finalised.

Part II addresses the administrative fines regime, setting out the framework for investigating breaches, classifying them as minor, serious or very serious, and calculating the applicable fine through a prescribed five-step process that accounts for matters including disgorgement, aggravating and mitigating factors, and adjustment for guiding principles. It also introduces an early settlement and discount mechanism under which parties may negotiate reduced fines of up to 40% at CIMA’s discretion.

Part III establishes the criteria and procedures for discretionary publication of enforcement actions and administrative fines, balancing public interest and market confidence considerations against confidentiality, while Part IV addresses the procedures CIMA will follow when there are issues of non-compliance and it has lost contact with an authorised person.

Authorised persons should familiarise themselves with the Manual, which does not impose new regulatory obligations but serves as an important guide to how CIMA intends to exercise its enforcement and administrative fines powers in practice. In particular, regulated entities should ensure that their compliance and governance frameworks account for the enforcement criteria, the structured fines methodology and the procedural safeguards outlined in each part of the Manual.

4.3 Thematic Review on Outsourcing

In January 2026, CIMA published its Thematic Review on Outsourcing, presenting the findings of a cross-sector review conducted in 2025 on sixteen regulated entities spanning the insurance, fiduciary, investment, securities and banking industries. The review assessed the effectiveness of governance structures, risk assessment practices and oversight controls relating to outsourcing arrangements, benchmarked against the Statement of Guidance – Outsourcing Regulated Entities (April 2023) (the “SOG – Outsourcing”) and applicable regulatory legislation.

The review identified good practices and weaknesses across eleven thematic areas, with the most significant weaknesses concentrated in four categories: outsourcing agreements (34%), accountability (33%), risk management (10%) and assessment of service providers (8%), together accounting for 85% of the findings. Common shortcomings of outsourcing arrangements included missing contractual provisions (such as performance monitoring metrics, conflict of interest clauses and supervisory access rights), with insufficient board-level review of policies and procedures, inadequate risk assessments and due diligence scope and methodology. CIMA also noted areas of good practice among a number of the entities reviewed, including documented risk management frameworks, board engagement, feasible contingency planning and comprehensive confidentiality protections in service level agreements.

Regulated entities are encouraged to use the findings as a prompt to review and ensure that their outsourcing framework is commensurate with the size, complexity, structure, nature of business and risk profile of their operations. In particular, entities should confirm that outsourcing agreements contain all minimum provisions required under the SOG – Outsourcing, that risk and materiality assessments are conducted prior to entering into arrangements and regularly thereafter, and that appropriate notification procedures are in place with respect to CIMA. The full Thematic Review Report is accessible via CIMA’s website.

CIMA Rules, Statements of Guidance and General Industry Notices

5.1 Reporting Schedule

The CIMA 2026 Reporting Schedule sets out the full calendar of prudential reports, statistical returns, and financial information filings required from regulated entities for the period 1 January 2026 to 31 December 2026. The schedule covers annual, semi-annual, quarterly, and monthly reporting obligations applicable to a broad range of CIMA-regulated institutions, including banks and trust companies, development banks, credit unions, building societies, money services businesses, investment licensees and registrants (encompassing mutual funds and private funds), securities investment business licensees, company managers, trusts, insurance companies (together with managers, agents, and brokers), and VASPs. For each reporting obligation, the schedule specifies the relevant form, the applicable submission deadline, any maximum extension periods available, and the responsible CIMA division to which enquiries should be directed. Notable filings include audited financial statements, AML/CFT returns, fund annual returns, quarterly returns, and various self-declarations. Reporting institutions are reminded to submit all forms promptly and to seek formal extensions from the relevant divisional owner within the stipulated application periods where a foreseen difficulty in meeting a deadline arises.

5.2 New Rule and Statement of Guidance on Market Conduct for VASPs

CIMA published a new Rule and Statement of Guidance on Market Conduct for VASPs (the “RSOG”) in February 2026, establishing minimum requirements and guidance for VASPs in relation to market conduct. The RSOG is wide-ranging, addressing matters of integrity and conflicts of interest, client asset safeguards, insurance, marketing and communications, client onboarding and agreements, complaints handling, public disclosures, cross-border transactions, proprietary trading, and additional obligations for Virtual Asset Trading Platforms (VATPs) and virtual asset custodians. CIMA has confirmed that it will assess compliance with the RSOG in a manner that is proportionate to the size, complexity, structure, nature of business, and risk profile of a regulated entity’s operations. Regulated entities forming part of a group may rely on the wider group’s policies in respect of certain market conduct matters, provided the Governing Body is satisfied that such frameworks meet Cayman Islands legal and regulatory requirements and are commensurate with the entity’s own profile; where gaps are identified, a tailored framework must be implemented.

The RSOG imposes a duty on regulated entities to act with honesty, integrity, and conduct its business with due skill, care, and diligence and act in a manner that safeguards the integrity of the market and prioritises the best interests of their clients. Regulated entities must establish and maintain written policies and procedures addressing conflicts of interest, including maintaining a register of potential and existing conflicts of interest and ensuring adequate segregation of duties across critical functions. All marketing, advertising, and promotional materials must be fair, clear, and not misleading, and must disclose material risks; regulated entities are also prohibited from making exaggerated claims or assurances of gains. In respect of client onboarding, a written client agreement must be executed before any virtual asset service is provided, and must clearly specify the nature of the services, all applicable fees and charges, key risk disclosures (presented in plain language), and dispute resolution mechanisms. The RSOG also introduces specific requirements regarding the fairness of limitation of liability and indemnification clauses, stipulating that such terms must not be one-sided to an unreasonable extent.

In addition, regulated entities must maintain effective complaints-handling procedures, including written acknowledgement of receipt of complaints, the maintenance of a complaints and resolutions log, and reporting to CIMA of any complaints indicative of a material risk to clients or of a material failure in the entity’s control environment. Where applicable, regulated entities must maintain insurance protections covering, among other things, professional liability of senior officers, theft or loss of client assets held in custody, business interruption and cybersecurity; where such insurance is unavailable, the entity must notify CIMA.

CIMA may then permit the use of alternative risk mitigation measures. Public disclosures must be made readily available across all communication channels as appropriate, including information on licensing or registration status, corporate governance structures, and material operational changes.

The RSOG further sets out additional obligations for VATPs and virtual asset custodians. VATPs must implement systems and procedures to monitor, detect, and prevent suspicious transactions and market abuse. VATPs must immediately report any suspicions of market abuse or unfair trading practices to CIMA. Pricing policies must be easily accessible and publicly available and must be implemented to prevent unfair trading activities and market abuse, with fee structures disclosed in full prior to the execution of any transaction. In relation to proprietary trading, regulated entities must implement and maintain effective systems, controls and procedures to prevent market manipulation, insider trading and other abusive trading practices. Such systems should include real time surveillance capabilities and regular internal reviews. Crucially, proprietary trading must not compromise the trading conditions or create unfair trading advantages. Virtual asset custodians must ensure clear identification and segregation of client assets from proprietary assets, implement robust security measures (including multi-factor authentication, secure key management protocols, and ongoing threat monitoring) and provide clients with clear information regarding storage methods used for their virtual assets. Any breaches or unauthorised access to custody systems must be reported to CIMA within 72 hours of discovery, with affected clients notified promptly thereafter. Timely and consistent reconciliation of client asset balances is required, and custodians must provide clients with verification mechanisms to confirm their balances or positions. The RSOG takes effect upon publication in the Gazette and CIMA’s Enforcement Manual will apply in addition to any other powers contained in the relevant legislation in respect of any breach of the rules contained therein.

As part of the updated Market Conduct regime for VASPs, CIMA has simultaneously updated the existing Rule and Statement of Guidance for Virtual Asset Custodians and Virtual Asset Trading Platforms.

5.3 Update: Importance of a Comprehensive Crisis Management Framework and CIMA’s Commitment to Implementation

On 2 March 2026, CIMA published an industry circular reaffirming its commitment to developing and implementing a comprehensive crisis management framework for the Cayman Islands financial system. The circular provides a status update on several key initiatives, including the evolution of the Authority’s approach to recovery and resolution planning following its public consultation in January 2025, an IMF Technical Assistance Mission conducted in March 2025, and a subsequent refined proposed Rule and Statement of Guidance focused specifically on Recovery Planning, issued in November 2025. Notably, following industry feedback and the IMF Mission’s recommendations, CIMA has separated its recovery planning requirements from its resolution planning requirements and narrowed the scope of application of recovery planning to deposit-taking institutions, ie banks, credit unions, and development banks.

Looking ahead, CIMA intends to review and finalise all feedback received on the proposed Rule and Statement of Guidance during the first quarter of 2026, with the intention of publishing the final version, to become effective within twelve months of being gazetted. Thereafter, the Authority has indicated that it will seek to expand the scope of application for recovery planning beyond deposit-taking institutions and continue its engagement with stakeholders to promote awareness on the broader legislative and regulatory framework necessary to support a forward looking crisis management framework. The circular underscores CIMA’s strategic objective of enhancing the resilience and stability of the Cayman Islands’ financial system and reinforcing its standing as a robust international financial centre.

Tokenised Funds – Ministry of Financial Services & Commerce Response

The Ministry of Financial Services & Commerce has published its summary of responses to the industry consultation on the proposed regulatory framework for tokenised funds. The Ministry has confirmed that tokenised mutual funds and tokenised private funds will be regulated in the same manner as traditional funds under the Mutual Funds Act and the Private Funds Act, and that tokenisation does not alter the regulatory classification of a fund. Importantly, a digital equity token or digital investment token is to be treated as a digital representation of the whole of an equity or investment interest (respectively) in a tokenised mutual fund or tokenised private fund (as applicable), rather than a new asset class or standalone instrument, and the issuance of such tokens is expressly excluded from the scope of the Virtual Asset (Service Providers) Act.

In addition to the existing fund regulatory requirements, the Ministry has confirmed that token-specific requirements will be imposed to address matters such as record-keeping, disclosure, transferability and supervisory oversight. Clarification on the requirement for operator approval of any transfer of tokenised interests, mandatory disclosure of token-specific risks (including cybersecurity risks) in the offering document, annual compliance confirmations to the Cayman Authority and the Authority’s power to impose restrictions on token characteristics and to request additional information as it sees fit to determine applications. Notably, the Ministry has also confirmed the removal of provisions that were considered duplicative of the existing supervisory and enforcement framework, ensuring that tokenised funds remain subject to the same oversight as traditional funds.

Financial Action Task Force

The Financial Action Task Force (FATF) concluded its fifth Plenary under the Mexican Presidency on 13 February 2026, delivering several outcomes of significance to the international financial services sector. The Plenary adopted mutual evaluation assessment reports for Austria, Italy and Singapore under the new, more risk-based assessments, which places greater emphasis on results in combating money laundering, terrorist financing and proliferation financing. Publication or reports is expected in April–May 2026. Kuwait and Papua New Guinea were added to the list of Jurisdictions under Increased Monitoring (the “grey list”). The British Virgin Islands remains on the grey list. The FATF also updated its public statement on high-risk jurisdictions, including Iran, reaffirming its call for members and other jurisdictions to apply countermeasures.

Of particular note for compliance teams and regulated entities, the FATF approved a paper on cyber-enabled fraud, signalling for a commitment focusing on fraud in the coming years and encouraging partners across the regime to leverage innovative approaches to fraud prevention, asset recovery and justice. Two new reports on virtual assets were also approved: one exploring the risks posed by the unregulated provision of offshore Virtual Asset Service Providers (VASPs) and a second examining risks associated with stablecoins and unhosted wallets. Finally, the Plenary appointed Mr Giles Thomson of the United Kingdom as the incoming FATF President for a two year fixed term from 1 July 2026. Delegates also discussed and agreed new strategic priorities for 2026–2028, which will be presented for FATF ministerial endorsement in April. Regulated firms in the Cayman Islands should monitor developments closely, particularly the evolving expectations around virtual asset regulation and the continued focus on demonstrable effectiveness in AML/CFT/CPF frameworks.

The Legal Services Act and The Legal Services Supervisory Authority

Full implementation of the Legal Services Act on 1 January 2026 is a significant update from Q1. It is intended to, among other things, ensure uniform regulation of all Cayman attorneys domestically and internationally and strengthen professional standards. Significantly, and although officially established in September 2025, the Legal Services Supervisory Authority (LSSA) is a new regulatory body in the Cayman Islands, following legislative amendments to the Legal Services Act, Proceeds of Crime Act and Anti-Money Laundering Regulations of 2025. Its primary purpose is to act as the dedicated anti–money laundering supervisor for the legal sector, replacing the previous Cayman Attorneys Regulation Authority (CARA). The LSSA operates under delegated authority from the Legal Services Council and forms part of broader reforms aimed at strengthening oversight of lawyers and aligning the jurisdiction with international regulatory standards.

The LSSA core role is to oversee law firms and attorneys engaged in “relevant financial business,” ensuring compliance with AML, counter-terrorist financing, and counter-proliferation financing obligations. Its responsibilities include maintaining a register of all legal firms and practitioners, ongoing monitoring and enforcement to ensure compliance with AML regulations, and issuing guidance. The LSSA’s enforcement powers include fines and penalties for breaches. The LSSA applies a risk-based approach to supervision, recognising that law firms present differing levels of risk based on their services, products, clients, geography, preventive measures and the strength of their compliance framework.

Overall, the creation of the LSSA represents a significant modernisation of Cayman’s legal regulatory framework. It is intended to enhance transparency, accountability, and professional standards while protecting the jurisdiction’s reputation as a global financial centre. The move reflects increasing international expectations particularly from bodies like the FATF that legal professionals act as key gatekeepers in preventing financial crime.