The VASP Act Explained: Why It Matters Now

Webinar transcript

Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching this on our YouTube channel, there's a link to the website in the description of this video. Thank you.

Annie: Hello, everyone. Welcome to today's webinar, "The VASP Act Explained: Why It Matters Now." My name is Annie Triboletti, and I will be your host for today.

So we have a great lineup of speakers joining us today. You'll be hearing from Richard Munden, who is a partner at Carey Olsen, and Samit Ghosh, who is the Director of Capital Markets at CSC. And also guiding us through the session today as our moderator is Jonathan Hanly, who is the Managing Director for Global Capital Markets at CSC. So without further ado, I'm going to hand things off to Jonathan to get us started and to introduce our speakers.

Jonathan: Great. Thank you, Annie. Delighted to be here and very excited for today's webinar on virtual asset service providers and particularly focusing on the Cayman Islands. I guess from our perspective very timely and very opportune for a couple of reasons.

So we've recently seen Phase 2 of the implementation of the regulatory framework in Cayman. And that appears to have driven a lot of activity or additional activity in the Cayman Islands in the VASP space. And from that perspective, we both have Richard and Samit, who are in a position to provide us some very practical advice just in terms of what's required in terms of setting up and running a compliant entity.

So Richard, really from your perspective, just to get us going, I thought it'd be useful just to give a fairly broad question, but just some background. Can you give us a brief overview of the VASP Act and what it means?

Richard: Yeah. Sure, Jonathan. I mean, firstly, thanks very much for inviting me on to talk with you and Samit about this. It's an area of law that's kept us very busy for the last five years.

So to kick off, what is the VASP Act? The VASP Act is the Virtual Asset Service Providers Act. It's a piece of legislation that came into effect in the Cayman Islands in 2020. There's been some amendments to the Act since, you already touched on that, around Phase 1 and Phase 2 implementation. We'll get into that a little bit later. But broadly what it seeks to do is to provide a regulatory framework within which businesses engaged in virtual asset services will be subject to the oversight of the Cayman Islands Monetary Authority, which is the regulator in the Cayman Islands that already regulates other financial services sectors, including funds, insurance, securities investment business.

The starting point really for any conversation on the VASP Act is what is it that is regulated, and I think the kickoff point to understand is it regulates virtual assets. And virtual assets have a specific definition, and it doesn't cover every single type of token that might be out there in the world at the moment with which people interact. So a virtual asset is effectively a subset of that universe of tokens, and it's defined as being a digital representation of value that can be used for payment or investment purposes.

And so there are tokens out there in the world that, for example, just allow a holder of the token access to some service or product, commonly known as sort of say a utility token. That kind of token often falls outside the scope of the VASP Act as not being a virtual asset. Conversely, the sort of tokens people will commonly hear spoken about, cryptocurrencies, for instance, say Bitcoin obviously is the most famous example, that is something that can be used for payment or investment. And so that would fall within the Act.

So once you're dealing with a token that has the characteristics of a virtual asset, as set out in the Act, then you need to look at the business or the activities being undertaken to see whether you come within the parameters of the Act. And then the types of activity that are regulated by the Act are the business of transferring or providing a transfer service for virtual assets, so transferring virtual assets on behalf of the customer from a wallet to another wallet. The business of exchange, so that would be, for example, facilitating the purchase by somebody of Bitcoin. So somebody may pay fiat currency, U.S. dollars in exchange for Bitcoin, and that is an exchange. Or they may use one virtual asset to buy another virtual asset. So, for instance, a stablecoin used to buy another kind of virtual asset. So a virtual asset for virtual asset exchange is covered as well.

Custody services is another type of virtual asset services regulated. So that is holding custody of a customer's virtual assets. And then the Act also speaks to financial services provided with respect to the issuance of a virtual asset. And finally, an issuance itself, or it's sort of an issuance of tokens to the public broadly is what we should talk about. There's a little bit of nuance there. But broadly, if you are a Cayman entity looking to issue tokens, then in many cases that would also be something caught by the Act.

If you're caught by the Act because you're doing one of those activities with respect to a virtual asset, then the Act provides for two regimes. One is a requirement to be registered with the regulator, and the other is a requirement to be licensed with the regulator.

I'll just pause there, Jonathan, because that's quite a lot of information I think. But it does set the scene.

Jonathan: Yeah. No, that's really useful. Okay. Thank you for that. So Samit, I guess on the basis that we fall within Richard's definitions, both from a token perspective and from a business perspective or the activities the business is undertaking, in practical terms, what is required in order to establish a VASP? And potentially just talk us through just local establishment and then that registration and licensing process. Can you give us a sense of what's required there?

Samit: Sure. Yeah, so to carry on from where Richard left off, so once it has been established that the activities are captured within the VASP parameters, then the next step is to look at it as a CIMA-regulated and registered entity, which, as Richard alluded to, is not very different from what a fund or an insurance product would look like.

So here, the foundation of the structure would essentially be a company, more likely than any other form of corporate entity. So a company used for offshore structures in Cayman is typically called an exempted company, which is exempted from doing business in Cayman. So that company should now have a registered office provider. It should have directors, and it should have a raft of service providers, which are mandated under the CIMA rules. And also, there could be other service providers for good governance or other reasons.

It would be very prudent on the part of whoever is looking to register themselves under the VASP Act and arrange and organize a business in Cayman, that they go to a reputable law firm and then seek out a set of service providers, registered office providers, custodians, auditors, and anything else that is required to make the fund whole. Now, obviously, between a law firm, such as Carey Olsen, and CSC, we would typically find ourselves being a first stop, where an exploratory conversation is had, and then we can assist in finding other service providers and getting the ball rolling.

Then the next step would be the actual application. And here it is very important that we manage our clients', if you are our client, your expectations around the application process, how long it's likely to take. And in our experience, this is a new law, but speaking from our experience of having registered literally thousands of funds and other CIMA-registered entities, it's very important that the application is done correctly and like all the boxes are ticked. Otherwise, there is an unnecessary delay, which often translates into not just a bad experience for the arranger, but also translates into opportunity lost.

Jonathan: Very good. And I guess that raises an interesting question. We've had sight of some of the registration volumes and the different business activities being undertaken by people who've gone ahead and registered for VASP with CIMA. Richard, I'm assuming you've seen quite a few come through your law firm. I'm just curious, and I think it would be interesting to understand what are the challenges that some of those applicants have seen and what have you learned through that process. I mean, can you talk us through some of those?

Richard: Yeah, absolutely. I mean, look, I think you touch on a point that Samit also touched on. I mean, look, it is a relatively new law. We can see from the public data that CIMA makes available that currently there's only actually 18 registered entities under the VASP Act. Our team here at Carey Olsen, we have close to sort of 25% of that slate and are working on these on an ongoing basis.

I mean, look, the most common issue that people encounter, frankly, is the processing time by the regulator. At the moment, we advise clients we work with that it's unlikely they will get the application approved in quicker than perhaps eight months from the point of submission. Now how applicants can help themselves is to make sure that the data or the information they're providing at the point of submission is comprehensive and in the form required by the regulator. And there are standards established by the regulator with respect to, for example, authentication and certification of documents that get submitted. There's just no leeway really with those.

There is a standard we need to get to. And our role in working with clients is to make sure everything that is coming in is going to meet those standards. And that goes both to form and to substance. So on the substance side, there are a number of policies that must be submitted together with the application, and those policies need to cover all the points that we believe the regulator will be looking for. Now the regulator has published quite a useful sort of library of materials with statements of guidance and rules and so on and so forth as to how to comply with the regulatory requirements. And part of our process as counsel working with clients is making sure that the submission that goes in shows clearly to the regulator that the way the business is set up and the way the business will be managed, once approved, is going to be compliant.

What tends to happen is, post-submission, the regulator will come back with effectively a range of questions based on the information it's received. And clearly the volume of those questions and the complexity and time it will take to answer those questions is going to be directly correlated to the quality of the information that's been provided upfront.

So in terms of trying to get the optimal timeline and the smoothest process, to me, that all tees off the quality of the preparation of the documents going in. Another thing we commonly do with clients to help streamline the process is have effectively a pre-meeting with the regulator, where we will go in and the founder team, together with advisors, will meet with the regulator, explain the business, and effectively sort of tee up the type of information that is then going to be submitted in the formal application.

Jonathan: Very good. Samit, a topic that keeps coming up in every structure globally, and we even saw it earlier this month when President Trump signed into law the GENIUS Act, is KYC, AML, and counterterrorist financing. Can you talk us, firstly, sort of what the requirements are from a VASP perspective and how best to manage those? I think it's just an interesting topic to cover.

Samit: Sure. So from our understanding, the VASP regime would look at the Cayman company, which is providing the services and which is going to be registered as a registrable entity. The typical requirement is if it is in scope of AML, which it most likely will be, there are requirements for three officers. There is a requirement for a compliance officer, a money laundering reporting officer (MLRO), and a DMLRO, which is the deputy money laundering reporting officer. We obviously provide all of these services.

There is an expectation that this service would be outsourced by the arranger or the sponsor of the vehicle to a Cayman service provider, who has experience with providing these services and who understands the pains that Cayman has gone through over the years to come to where we are today. And one of the keys to the success of our fund and insurance business, which we are known for, is our regulatory regime and how it is widely accepted as robust. In the world of regulations, this regulatory certainty and the fact that you can have three AML officers and have a policy and procedure and say and do the things that you're saying you will do in your policy, then it gives the regulatory certainty that was missing. You mentioned the GENIUS Act. Prior to the GENIUS Act, there was considerable lack of certainty around how the SEC would look at something and so on.

So over here, at CSC in Cayman, we are able to definitely assist with the outsourcing of the AML officers, putting together a team of service providers. And our AML officers can liaise with the fund administrators, make sure that the rules that are described are being followed, particularly in terms of how the assets are being transferred through the system, who the originators are of the digital assets, and who are the beneficiaries, and how the thing is traveling through the system, also known as travel routes.

Jonathan: Okay, that's really helpful. Thank you. Quite a bit in there to unpack. The other role we're seeing more and more demand for, and I guess it's a very particular role, is the independent director and a suitably qualified independent director in the Cayman Islands. Can you give us a sense of how important that role is and what typical profile you see of someone who's suitably qualified to act on a vehicle that's registered and ultimately licensed by CIMA?

Samit: Right. So I will let Richard speak on the recent legislation, which has been hardcoded and hardwired into the law, of the need for an independent director. But to first address your question about the quality of the director and what is it that we can offer, so we obviously have a team of qualified professionals here, who sit on boards of funds and other vehicles that are registered with CIMA. They are registered with CIMA as a CIMA-registered director under the applicable law in Cayman. They are members of various professional and other boards, industry boards. Most of our directors have 10 plus years of experience with funds. So we are very experienced. Even though the digital assets itself is an evolving phenomena, we are used to dealing with auditors, custodians, exchanges, and so on. I will let Richard speak on the requirement for directors and the legislation around that, that came into effect recently.

Richard: Yeah, sure. And thanks. Thanks, Samit. And I think just before I jump into that, just picking up one point because it's a little bit thematic to what we've been talking about. I mean, Samit spoke to AML compliance and the AML framework is something that's very, very well known to anybody in the financial services industry in the Cayman Islands. Continually evolving and continually improving to align with global standards. And as Samit was alluding to, there's this bedrock of knowledge that has come from effectively the funds industry in the Cayman Islands over the last three to four decades. And a lot of that skill set on the AML side is immediately transferable to working with digital assets clients. There's also the additional layer on top that goes with the different asset class, but the bedrock is there.

And the thematic point I wanted to touch on is that when making the application to the regulator for the license or registration, one of the things you do have to demonstrate is how AML will be dealt with, who the AML officers are. And we know firsthand that CIMA does look generally positively on people using outsourced professionals who have this depth of knowledge in working within the AML regime in the Cayman Islands, be that for funds, be that for other product types. But it, again, is immediately transferable to virtual assets.

Conversely, we've worked with clients who have tried to or have put up to CIMA that they will solve the AML framework and the ongoing AML compliance using professionals from other jurisdictions. And CIMA has raised questions around how those people are trained as to Cayman law standards. And in those examples, you often have to demonstrate how training will be delivered to sort of close the gap.

Sorry that's not answering the question Samit asked me to go to. So just on the point of independent directors, I touched on at the top of the call that even in the short lifespan of the legislation, there's been a few rounds of amendments already. The most recent wave of amendments took effect from 1 April this year, 2025. So that's why this seminar is pretty topical.

In April, what came into effect were certain amendments that were published back in December 2024. Amongst those amendments was a hard requirement that a virtual asset service provider, which encompasses both registered and licensed entities, is required to have a minimum of three directors, including at least one independent director without a vested interest in the business. And so what we now have as a hard requirement of the law is this need for an independent director.

Prior to that law coming in, we had dialogue on a number of cases with CIMA in which CIMA suggested it would be good for the corporate governance of a vehicle to have an independent director involved. And we have seen applications in which CIMA frankly indicated that that would be a condition to approval. But now, with the new law coming in or the amendments coming into effect from April, it's black letter law a requirement for at least one independent director.

Similarly, I would argue to what I just spoke about around AML officers. Whilst there isn't a firm requirement that the independent be a professional independent director based in the Cayman Islands, I think it's an easy jump to expect CIMA to be able to get comfortable with an independent director with a long track record in the Cayman Islands working on regulated activities compared to an independent director from another jurisdiction. I think it'd be natural to expect CIMA to perhaps place greater scrutiny on an independent director from another jurisdiction, on the basis that CIMA, probably quite reasonably, would assume that that person doesn't have a comparable level of understanding of the Cayman regulatory framework as a director that's worked in the jurisdiction for several years, albeit on a slightly different asset class.

Jonathan: Okay. No, that makes absolute sense. Okay. Well, look, I think that gives us some sense of the licensing and registration process and some of those key requirements or sort of more fundamental requirements. Once registered and licensed, Richard, what, from your perspective, are the key risks of someone operating a VASP in the Cayman Islands? I guess that's a question people would like to consider.

Richard: Yeah, sure. I mean, I think there are two ways of looking at it. I think one is general business risk, and one is let's say regulatory risk. Let me take the second one first because, obviously, that's more my area as counsel to registered entities.

I mean, I think it needs to be understood that this isn't sort of a one-and-done process. It's not apply, become registered and licensed, and then you're away to the races. There is an ongoing relationship with the regulator, and there will be ongoing supervision by CIMA, which is likely to involve either on-site inspections of a regulated entity, or what they call desk reviews, which is effectively sort of a remote inspection, whereby CIMA runs the rule over the registered entity's compliance with the policies that it presented to CIMA and which CIMA reviewed, raised questions on, and ultimately approved.

So there will be this ongoing oversight of the entity. The entity needs to appreciate that CIMA will, frankly, open all the cupboards and open all the drawers and understand what's going on within the business. And if they find things they are unhappy with, as with any other regulated sector, there is potential for fines to be imposed, remedial action to be taken within deadlines set by the regulator. So I think people just need to be mindful of that. It's not talking the talk in terms of what the policy says, but it's walking the walk, delivering on those policies, and understanding that CIMA will be staying on top of regulated entities to make sure they are compliant.

Stepping away from the regulatory oversight, I mean, I think it's somewhat common sense. The digital asset sector has particular risks around I guess the common word we would use is a hack risk, but that's effectively sort of a data security risk or a coding risk with whatever code is used within the business. It depends a little bit on the nature of the business. And one of the points that the regulator is very keen on is understanding cybersecurity policies, audits of cybersecurity policies on an ongoing basis, that the registered applicant will basically continually assess whether it is adopting the right measures as technology advances, which obviously it does very, very quickly.

And then the other limb to that, we are seeing now with the advent of the licensing regime in Phase 2, is CIMA asking for evidence of a segregation of any client assets that an entity may hold, if they provide custody, along proper fiduciary/credentialed principles you'd see in other sectors. But also, then they're now asking for evidence of insurance policies to perhaps protect against loss of client assets or other losses that clients may suffer as a direct consequence of some issue around cybersecurity affecting the platform. And that is a 2025 sort of development with Phase 2 licensing.

Jonathan: Yeah, clear learnings from the past there. So interesting. Samit, I guess just quickly, are there any other pitfalls that you would see in terms of running a VASP? So I mean Richard has kind of particularly run through the cybersecurity risk and I guess the regulatory side. But just from your experience, any other pitfalls worth touching on?

Samit: Yeah, sure. So coming back to the point of the director and having the independent director, I think that that is a key rule, and we can certainly assist by providing CSC-employed directors. We look at that as the directors providing confidence to the VASP structures, investors, and arrangers by having the ability to deal with funds. Like Richard said, it's a transferable trade in dealing with custodians, exchanges, decentralized finance structures, because that is in our DNA as providing directors, that we make sure that the fund is or the CIMA-registered entity is actually doing what it says it will do.

Then there is at the operational level we all know that we now live in a world of administrative fines. So it's very important that all of the deadlines related to annual returns, audits, whatever reporting deadlines that are applicable to the VASP Act is done and done on time. And most importantly, if we feel that a deadline is about to be missed, then rather than be subject to a penalty, ask for an extension, and we do have appropriate channels through which we can solve those problems.

The most important problem that I think we can solve is in our experience there is almost no CIMA-registered entity which is not required to have an audit. So there will be a requirement for an audit more than likely for VASP structures. We've spoken in general terms with a senior partner of a major accounting and audit firm, and what we found out was that, at the moment, the audit firms are hesitant to offer their services because they're not 100% sure as to what the valuation would look like, what the custody arrangements would look like, and whether they would be able to give a clean opinion or whether they will end up with a qualified opinion.

So these are conversations that we routinely have with auditors in other spheres, for example open-ended and close-ended funds, questions around valuation, questions around custody arrangements. So we can definitely assist the arranger of the VASP structure with those conversations and hooking up with the right service providers, the right auditors, the right accountants, the right fund accounting firms, who can assist with what is still an evolving sphere I would say.

Jonathan: Very good. Very, very good. Just wrapping up, I guess a couple of things just to touch on. So we touched on very quickly, Richard, the publication of registration and licensing numbers on the CIMA website. And they do publish information just in terms of the businesses or the business areas that people are looking at in terms of custody, trading, exchange, and so on and so forth. On the basis of what we've seen to date and accepting it's kind of limited information, just sort of the 18 or 19 entities, any clear trends emerging, and I guess based on your ongoing conversations with existing applicants?

Richard: I mean, I think it's a great question, and I don't know how much we can extrapolate really from what CIMA publishes. I mean, I think the way I would answer that question is that there's a whole myriad of different uses for virtual assets, and sometimes those uses bring you within the Virtual Asset Service Providers Act. I mean, obviously, if someone is setting up an exchange, great, that's clearly within the parameters. And it's very easy to think of virtual asset exchanges, and you think of the headline names, you see them emblazoned on Formula One cars and on Premier League jerseys and so on and so forth, right? So everybody knows about exchanges. They're firmly within.

But there are a lot of other businesses that will engage with virtual assets that may need to come within the scope of the Act. My mind goes to potentially RWA, real world asset structures, which involve the issuance of a token and that token represents an investment in an underlying asset broadly. As we touched on before, if you are issuing that from a Cayman entity, that is probably within the scope of the Act.

We have looked carefully at some structures where, for instance, you invest in a collective investment vehicle, and you put in fiat as an investment. So you put in U.S. dollars, sorry, to just keep it easy. But if you have a right to redeem out and receive say Bitcoin, for sake of argument, should that be considered being in the business of exchange because an exchange happens? But you would, I guess, try and argue, well, maybe that's not the business of exchange. You're providing an investment structure. You're not providing exchange per se, but there is an exchange happening.

So we've seen other examples, for example, where people will use a credit card linked to a virtual asset wallet. Now what happens in the background there is if you go into Starbucks and you buy a coffee on that credit card, Starbucks is receiving dollars, but the client has ultimately used virtual assets from his wallet. So there's an exchange happening there. So again, depending on the transaction flows, what the customer thinks they're getting, and so on and so forth, you may or may not have an argument that that comes within the Act.

Video games as well, we see massive multiplayer games that have an in-game currency and potentially in-game NFTs around weapons, skins, or whatever it may be. If those can come outside of the closed loop of the game and be traded in the open market on exchanges or peer-to-peer, again, there's a question there. Is anything that that game provider doing perhaps an issuance? If you use that in-game currency to buy NFTs in the in-game shop, is that an exchange?

So I don't think we can extrapolate from what we see on those listed entities. I mean, obviously, some of those names are straightforward to understand. I look at that list, and I see liquidity providers, I see exchanges, I see stablecoin issuers, I see custodians. But I dare say there are others on that list that do some more interesting stuff that fall outside of those headlines, but have elements of it. And that's part of the role that we go through with our clients, is working out whether what the client wants to do, are you within the parameters of the Act, and it's not always black and white. It's a very interesting process.

Jonathan: Yeah, it's very interesting, very interesting. I hadn't appreciated the breadth of it. Very good. We're almost to time, and I'm very conscious of time. And we've had quite a few questions come through. There are a couple of themes, and I was just going to pick out two before we wrap up.

People are commenting clearly on the GENIUS Act, given it was only signed into legislation in the middle of this month. Accepting that you guys are very much Cayman based and this is a Cayman-focused webinar, but I guess it does beg the question, from your perspective, what do you think all of this activity and frankly some of the greater clarity in this space will mean just generally in the industry and specifically for the Cayman Islands? So I'd like either of you to answer that question.

Richard: I'll go. I'll jump in. I mean, look, I think the GENIUS Act, I think MiCA in Europe, I think the approval of ETFs in Bitcoin and other developments in America, to me, it's all encouraging a more widespread adoption of the use of virtual assets, not only across businesses, but at the retail level. So I think what that is just going to drive is a growth of the market generally globally. And I just think that can only be a net positive ultimately for Cayman because there are reasons people use Cayman, stepping away from the fact that we have regulatory certainty around digital assets under the VASP regime. That of itself is not the only reason people use Cayman. So those other factors come into play. And as I say, greater use of virtual assets around the place is going to be the tide that raises all ships across many jurisdictions.

Jonathan: Very good. Very good. Samit, I don't know if you . . .

Samit: Yeah. So yeah, the three bills, including the GENIUS Act that was passed last week and the MiCA rules in Europe, as he alluded to, Richard, from what I've read in financial press is already the world of digital assets has crossed $4 trillion just by the announcement without clarity on what the AML and the travel rules around originator and beneficiary reporting would look like.

The other thing that is worth mentioning is that there were other jurisdictions in the so-called tax haven world, which created sandbox structures and so on. And I think Cayman hasn't gone in that direction. We have come into the game with a set of rules with regulatory certainty. So hopefully, by all indications, Cayman will be a jurisdiction of choice for virtual assets and digital assets, Web3, etc. industry because it looks like we are not repeating the mistakes that some of the other jurisdictions outside of U.S. and Europe have made and fell into the bad books of the regulators.

Jonathan: Very good. Thank you both to Richard and Samit. I think that was really interesting. As I say, really timely. Seems to be a lot going on in the space, and we're beginning to see some activity in Cayman. And it's been a really good time just to pause and consider what it means for other people, particularly as they look into the registration and licensing process.