Fintech 2025

CAYMAN ISLANDS Law and Practice Contributed by: Jason Ta, Ben Magahy, Paul Walters and Gemma Walters, Travers Thorp Alberga

ing into provisional liquidation; and cancel - lation of a mutual fund registration pursuant to Section 30(3)(a) of the Mutual Funds Act for failing to submit audited accounts for four consecutive years and failing to pay annual fees for two consecutive years; and • levying of administrative fines on regulated entities for AML infractions and failure to maintain prescribed capital. In relation to virtual asset service providers in particular, an action was commenced in January 2023 by Nexo Capital Inc. ( “Nexo” ) challenging the decision of CIMA to deny Nexo’s applica - tion for VASP registration. This dispute remains ongoing and is being closely monitored as the only action brought under the VASP Act thus far. 2.11 Implications of Additional, Non- • Anti-Money Laundering Regulations – an entity that conducts “relevant financial busi - ness” must comply with the AML/CFT regime in the Cayman Islands. Recent amendments to the regime in 2020 brought virtual asset service providers into scope. • Data Protection Act – the Data Protection Act requires a data controller to comply with eight data protection principles when processing personal data and to ensure that those princi - ples are complied with in relation to personal data processed on the data controller’s behalf under a written contract. In addition, the Data Protection Act also deals with data security, data breaches and the rights of individual data subjects, including providing a privacy notice. • Cybersecurity – CIMA has published its Rule and Statement of Guidance relating to Cyber - security for Entities Regulated by the Author - Financial Services Regulations Key areas include the following.

ity requiring regulated entities to develop, implement and monitor robust cybersecurity frameworks. These regulations aim to reduce the threat of cyber-attacks, protect sensitive data, and enhance recovery from cybersecu - rity incidents. • Social media – the use of social media and similar tools is currently not specifically regu - lated, apart from indirectly under legislation such as the Data Protection Act, the Penal Code and the Contracts Act. 2.12 Review of Industry Participants by Parties Other than Regulators Certain regulated entities (such as invest - ment funds and licensed service providers) are required to appoint a local auditor and have their audited financial statement filed with CIMA on an annual basis. While certain fintech businesses may not be doing “relevant financial business” (see 2.11 Implications of Additional, Non-Financial Ser - vices Regulations ) they may determine to apply certain AML/CFT provisions to their business as a matter of best commercial practice although there is no regulatory oversight of those volun - tary regimes for unregulated entities. 2.13 Conjunction of Unregulated and Regulated Products and Services Generally, unregulated business lines would be separated from regulated business lines and run through separate legal entities. This is done: • as a risk-mitigation tool to ring-fence the risk of regulated business from the risk of unregu - lated business; • to streamline operations of regulated busi - nesses and avoid the complexity, cost and supervisory oversight of running unregulated

152 CHAMBERS.COM

Powered by