AML/CFT Compliance in the Cayman Islands: CIMA, POCA 2008, and the 2026 Regulatory Landscape
The Cayman Islands’ AML/CFT regime is under intense scrutiny after its removal from the FATF grey list in October 2023. CIMA has signalled that any lapse in controls will be met with swift enforcement, as demonstrated by a series of fines totalling more than US$1 million in 2025-2026. For banks, fund administrators, VASPs and other obliged entities, the rulebook has become more detailed, more prescriptive, and more actively monitored than at any point since the Proceeds of Crime Act was first amended in 2020.
Key Facts at a Glance
- Primary regulator: CIMA (Cayman Islands Monetary Authority)
- Primary AML law: Proceeds of Crime Act (2020 Revision) (POCA)
- Regulatory detail: Anti-Money Laundering Regulations (2023 Revision) (AMLR)
- Counter-terrorism law: Terrorism (Prevention of Financing) Act 2018 (Revised)
- FIU: Financial Reporting Authority (FRA)
- Beneficial-ownership regime: Beneficial Ownership Transparency Act 2023
- VASP framework: Virtual Asset Service Providers Act 2020 (VASP Act)
- Recent enforcement: US$270,000+ in fines (Sept 2025), US$1.1m total (2025-2026)
The Regulatory Landscape
At the core of the Cayman Islands’ AML/CFT architecture sits POCA, which criminalises the acquisition, use or concealment of proceeds of crime (Section 2) and creates a civil forfeiture regime (Section 4). The 2023 Revision of the AMLR translates POCA’s broad provisions into detailed obligations for “obliged entities” under Part II, Sections 10-15, covering customer due diligence, record-keeping, and reporting.
Complementing POCA, the Terrorism (Prevention of Financing) Act 2018 (as revised in 2022) defines the offence of financing terrorism (Section 3) and imposes a duty to report suspicious transactions that may relate to designated terrorist entities. The Act also incorporates United Nations Security Council resolutions through the “UN Sanctions List” provision in Section 6.
The Beneficial Ownership Transparency Act 2023 introduced a statutory register for certain entities, requiring the identification of natural persons who ultimately own or control a legal person (Section 5). While the register is not publicly accessible, the information must be supplied to CIMA on request, and failure to do so attracts a civil penalty of up to CI$100,000 (Section 12).
The Virtual Asset Service Providers Act 2020 created a licensing regime for crypto-asset exchanges, custodians and wallet providers. The Act mandates a risk-based AML program (Section 9), ongoing transaction monitoring (Section 11) and the filing of SARs to the FRA using the “VASP-SAR” portal introduced in January 2025.
CIMA Guidance Notes and Thematic Inspections
In February 2025 CIMA released a suite of sector-specific Guidance Notes, each aligned with the AMLR. The Banking Guidance Note (BN-2025-01) clarifies expectations for KYC file retention (minimum ten years under POCA Section 5) and for the segregation of client funds. The Insurance Guidance Note (IN-2025-02) adds a requirement to conduct enhanced due diligence on high-value life-insurance policies exceeding CI$5 million.
The Investment Fund Guidance Note (FN-2025-03) expands on the “beneficial-owner verification” process introduced by the 2023 Transparency Act, insisting that fund administrators maintain a “beneficial-owner matrix” updated at least annually. The VASP Guidance Note (VN-2025-04) requires the use of blockchain analytics tools that can trace the provenance of wallet addresses, and it sets a maximum “investigation window” of 30 days for suspicious wallet activity.
CIMA’s 2025 thematic inspection programme focused on fund administrators and trust-company service providers (TCSPs). The inspection report released in August 2025 highlighted three recurring deficiencies: incomplete beneficial-owner registers, delayed SAR filing (average 12-day lag), and inadequate staff training records. The report concluded with a “notice of breach” to three firms, which were fined CI$250,000, CI$300,000 and CI$350,000 respectively.
Customer Due Diligence and KYC
Under AMLR Part II, Section 10, CIMA expects a “risk-based” approach to customer due diligence. For natural persons, the required data set includes full name, date of birth, nationality, residential address, and a government-issued identification document (e.g., passport or driver’s licence). Verification must be performed using a “reliable and independent source” before the business relationship commences (Section 10(2)).
Legal-entity verification relies on a recent (not older than six months) certificate of incorporation, a register of directors, and, where applicable, a beneficial-owner declaration in accordance with the Beneficial Ownership Transparency Act (Section 5). Where the entity is an “exempted company”, the declaration must be filed with the Registrar of Companies and a copy supplied to CIMA within 30 days of receipt.
Enhanced due diligence (EDD) is triggered by high-risk indicators listed in AMLR Section 12, such as politically exposed persons (PEPs), high-value transactions (CI$10 million or more), or customers located in high-risk jurisdictions identified by FATF. EDD requires additional verification steps, source-of-wealth documentation, and a senior-management sign-off before onboarding.
Sanctions Screening
CIMA obliges all obliged entities to screen customers and transactions against three core lists: the UN Consolidated Sanctions List, the EU Consolidated List (as incorporated by the Cayman Islands Sanctions (EU) Regulations 2022), and the US OFAC Specially Designated Nationals (SDN) List. The AMLR Section 13 mandates that screening be performed at onboarding and on an ongoing basis, with any match reviewed within 48 hours.
The FRA’s “Sanctions Screening Guidance” (SSG-2024-01) recommends a two-tiered approach: an automated first-pass screen using a commercial database, followed by a manual “risk-based” review of potential hits. Failure to block a sanctioned transaction within the 48-hour window can result in a civil penalty of up to CI$500,000 per breach (Section 14 of the AMLR).
SAR/STR Reporting
Suspicious Activity Reports (SARs) and Suspicious Transaction Reports (STRs) must be filed electronically via the FRA’s “goFRA” portal. The reporting deadline is “without undue delay” - interpreted by CIMA as the same business day for high-risk alerts and the next business day for routine alerts (Section 15 AMLR). The report must contain the customer’s identification details, a description of the suspicious activity, and any supporting documentation.
The FRA’s “Reporting Manual” (RM-2025-02) clarifies that a “high-risk SAR” - for example, a transaction involving a sanctioned entity - must be escalated to the FRA’s senior analyst within four hours of detection. The manual also outlines the “stand-still” provision (Section 16 AMLR) that prohibits the execution of a transaction once a SAR has been filed, unless the FRA provides written clearance.
The “stand-still” rule under Section 16 AMLR is absolute. If a transaction proceeds after a SAR has been filed without FRA approval, both the institution and the individual signatory may face criminal prosecution under POCA Section 9.
Risk-Based Approach
CIMA requires each obliged entity to maintain a documented risk-assessment framework (AMLR Section 4). The framework must be reviewed annually and whenever a material change occurs, such as the onboarding of a new high-risk client or the launch of a new product line. The risk-assessment report must identify the entity’s risk profile across three dimensions: customer risk, product/service risk, and geographic risk.
The 2025 CIMA “Risk-Management Guidance” (RMG-2025-01) introduces a “risk-scoring matrix” that assigns a numeric score (1-5) to each dimension. Entities scoring a cumulative total of 12 or higher must implement “enhanced monitoring” measures, including daily transaction reviews and mandatory senior-management sign-off for any transaction exceeding CI$1 million.
Crypto-Assets: VASP Act and AMLR Integration
The VASP Act 2020, as amended in 2024, requires licensed crypto-asset exchanges and custodians to adopt AML programs that meet the same standards as traditional financial institutions. Section 9 of the Act obliges VASPs to retain transaction logs for a minimum of five years, while Section 11 mandates real-time monitoring of wallet-to-wallet transfers that exceed CI$100,000.
In February 2025 the FRA launched the “VASP-SAR” portal, a dedicated channel for crypto-related suspicious reports. The portal requires the submission of blockchain-analysis screenshots, wallet-address provenance reports, and a narrative explanation of the suspicious pattern. Failure to use the VASP-SAR portal for crypto-related alerts can result in a fine of up to CI$250,000 per breach (Section 15(3) AMLR).
Recent Enforcement
CIMA’s enforcement activity has accelerated since the FATF delisting. The table below summarises the most significant actions taken between 2024 and 2026.
| Date | Entity | Penalty | Regulatory Basis |
|---|---|---|---|
| Sept 2025 | Maples Group (fund administrator) | US$270,000 | Failure to maintain up-to-date beneficial-owner register (BO Transparency Act Section 5) and delayed SAR filing (AMLR Section 15) |
| Oct 2025 | Global Trust Services Ltd. | CI$350,000 | Inadequate EDD on PEP client, breach of AMLR Section 12 |
| Jan 2026 | CryptoExchange Cayman (VASP) | CI$250,000 | Non-use of VASP-SAR portal and insufficient blockchain analytics (VASP Act Section 9, AMLR Section 15(3)) |
| Mar 2026 | Island Bank Ltd. | CI$500,000 | Systemic SAR latency - average 14-day delay (AMLR Section 15, FRA Enforcement Manual 2026) |
| May 2026 | Secure Asset Management (TCSP) | CI$300,000 | Failure to file beneficial-owner information and inadequate staff training (BO Transparency Act Section 12, AMLR Section 6) |
Beyond the headline fines, CIMA issued “notice of breach” letters to an additional 12 firms for deficiencies in record-keeping, transaction monitoring and staff-training programmes. The regulator also announced a series of “targeted supervisory visits” for the offshore banking sector in Q3 2026, signalling that enforcement will remain a priority.
Practical Compliance Checklist for Cayman Entities
Core Documentation Required Under POCA 2008 and AMLR 2023
- Board-approved AML/CFT risk-assessment report (AMLR Section 4), refreshed annually and after material change.
- Internal controls manual covering customer due diligence, ongoing monitoring, sanctions screening, record-keeping and reporting (AMLR Section 6).
- Standard operating procedures for KYC, including verification of identity documents and beneficial-owner matrices (BO Transparency Act Section 5).
- Enhanced-due-diligence policy for PEPs, high-value transactions and high-risk jurisdictions (AMLR Section 12).
- Sanctions-screening policy that references the UN, EU and OFAC lists, with documented matching logic and false-positive review workflow (AMLR Section 13).
- SAR/STR filing procedures aligned with FRA “goFRA” platform, including the 48-hour filing rule and stand-still protocol (AMLR Section 15-16).
- VASP-specific AML program (if applicable), covering blockchain analytics, wallet-address provenance and VASP-SAR reporting (VASP Act Section 9, AMLR Section 15(3)).
- Beneficial-ownership register maintenance schedule and submission log (BO Transparency Act Section 5-12).
- Designation of a senior AML Officer and deputy, with contact details filed with CIMA (AMLR Section 7).
- Annual staff-training curriculum, with attendance records and training-material sign-off (AMLR Section 6(2) No 6).
- Outsourcing register that records all third-party service providers and the oversight mechanisms applied (AMLR Section 6(7)).
- Incident-response plan for data-breach or cyber-theft events that could affect AML controls (CIMA Guidance Note BN-2025-01).
Common Pitfalls
First, many firms still treat SAR filing as a quarterly exercise. CIMA’s enforcement actions in 2025-2026 demonstrate that “without undue delay” is interpreted as a same-day or next-day requirement for most alerts. Institutions that rely on a weekly compliance committee risk systematic breach and heavy fines.
Second, fragmented governance continues to attract regulator attention. When AML investigations are split across multiple subsidiaries or service-provider contracts, CIMA views the lack of a single point of accountability as a breach of AMLR Section 6. The Global Trust Services case highlighted how separate “risk-assessment” files for each business line led to inconsistent conclusions and ultimately a CI$350,000 penalty.
Third, over-reliance on commercial screening tools without documented methodology is a recurring weakness. CIMA expects firms to retain evidence of the data-source, matching algorithm, and false-positive thresholds used. The CryptoExchange Cayman fine illustrated that a “black-box” vendor approach does not satisfy the AMLR Section 13 requirement for a documented screening process.
In 2027 CIMA plans to introduce a “digital-identity” verification framework that will integrate with the FRA’s goFRA portal. Entities should begin evaluating biometric KYC solutions now, as the new framework will become mandatory for all new client onboarding from July 2027. Additionally, the FRA is expected to publish a revised “VASP-SAR” template in Q4 2026, which will tighten the evidentiary standards for crypto-related suspicious reports.
How RegMantle Helps
RegMantle produces Cayman-specific AML/CFT documentation that references POCA 2008, the 2023 AMLR, the Beneficial Ownership Transparency Act 2023, and the VASP Act 2020 directly in the text. The platform generates a CIMA-ready AML manual, a full set of KYC/CDD procedures, a sanctions-screening policy aligned with UN, EU and OFAC lists, and a FRA-format SAR template that meets the 48-hour filing requirement. Each document is exportable as a branded DOCX file, ready for board approval and CIMA inspection.
Generate your Cayman AML documentation in minutes
Stop paying for costly consultancy templates. RegMantle delivers audit-ready, POCA-compliant documentation in under ten minutes.