03 · VASP Act 2024 · Phase 2 from 01.04.2025

CIMA VASP License —
institutional
crypto regime.

Cayman is the global standard for crypto funds and regulated VASP. Phase 2 licensing took effect April 1, 2025: custody providers and trading platforms must now obtain full license. Sandbox, DAO foundations, tokenized funds — separate tracks.

Start licensing →License types

★ Full article · 25 min read

VASP License CIMA: Phase 2 from April 1, 2025 — Complete Guide →

Читать →

License types

Six tracks for
crypto business

VASP Act 2024 (Revision) and 2025 amendments set clear categories. Risk level determines: registration or full license, capital requirements, directors and compliance.

VASP REGISTRATION

VASP Registration (Phase 1)

For VASP activities other than custody and trading platform: issuance, transfer, advisory. CIMA registration, AML/CFT compliance, no custodial risk.

Low risk

FULL VASP LICENSE

Full VASP License (Phase 2)

Mandatory from 01.04.2025 for custody and trading platform. Min 3 directors (1 independent), $100k capital, on-island AML officer, expanded compliance framework.

Custody · Exchange

SANDBOX LICENSE

Sandbox License

12-month regime for innovative business models not fitting standard categories. Then transition to permanent license or registration. Direct CIMA oversight.

Innovation

DAO FOUNDATION

DAO Foundation Company

Foundation Company as legal wrapper for DAO. Protection of members from personal liability, treasury management, token issuance. 1,700+ registered.

DeFi · DAO

TOKENISED FUND

Tokenised Fund

Fund under MFA/PFA with tokenized interests. Exempt from VASP regime if crypto activity incidental to fund operations. 2026 legislative update provides clarity.

Web3-funds

CRYPTO HEDGE FUND

Crypto Hedge Fund

Fund investing in crypto assets. Under MFA or PFA. Not VASP per se. Cayman #1 for crypto funds: 58% of global market registered here.

Investment funds

Phase 2 · what changed

From April 1, 2025 —
new regime

Before 2025, VASP providers could operate under simplified registration. Phase 2 tightens rules for two highest-risk categories: custody providers and trading platforms.

!
Custody = License mandatory
Any crypto asset custodial services: hot/cold wallets, multi-sig custody, key management.
Phase 2
!
Trading Platform = License mandatory
Exchanges, OTC desks with order matching, marketplaces, any P2P crypto trading infrastructure.
Phase 2
3
Minimum 3 directors
Including 1 independent, unaffiliated with business. All pass CIMA fit & proper.
governance
$
$100k minimum capital
Paid-up share capital must be paid at application submission. Documentally confirmed by auditor.
capital
⚙
Expanded compliance framework
AML/CFT, cybersecurity, business continuity plan, customer protection, segregation of client assets.
framework

VASP by numbers · 2026

VASP registered (February 2026): 19 active
Crypto Foundations: 1,700+
Crypto hedge funds (global share): 58%
Regulator: CIMA · est. 1997
Base law: VASP Act (2024 Revision)
Application fee (registration): $1,000
Annual fees: $5,000 — $200,000 KYD
Min. paid-up capital: $100,000
Minimum directors (License): 3 (1 independent)
Review timeline: 4–10 months

VASP License process

4 phases —
from scoping to approval

Realistic timeline for a Full VASP License — 6–10 months. Main bottlenecks: preparing the cybersecurity framework, agreeing the Business Continuity Plan and director due diligence.

Phase I · Weeks 1–3

Scoping

Analysis of the business model, classification (Phase 1 vs Phase 2), incorporation of an Exempted Company, director KYC.

Phase II · Weeks 4–12

Documentation

Business Plan, Risk Assessment, AML/CFT Manual, Cybersecurity Policy, Business Continuity Plan, Customer Protection.

Phase III · Weeks 12–28

REEFS submission

Filing via the CIMA REEFS portal. Fit & Proper for all directors. Capital evidence. Responses to CIMA RFIs.

Phase IV · ongoing

Post-licensing

Annual returns, Travel Rule compliance, audited financial statements, on-site CIMA inspections, banking introductions.

Applications

What the
VASP regime covers

The regulator takes a broad view: anything involving the movement, storage or exchange of virtual assets on a commercial basis. Simple NFT mints without secondary trading are not regulated.

Crypto Exchange

Spot and derivatives exchanges, P2P marketplaces. Order book matching, holding client funds, brokerage and dealing functions.

Crypto Custody

Custodial wallets (hot/cold), holding private keys or multi-sig. Institutional custodians, mass-market wallet providers.

OTC Desk

Over-the-counter crypto trading between clients or as principal. Regulated as a trading platform where there is order matching.

Token Issuance

Issuance of utility / security tokens via ICO / IDO / IEO. Public issuance only — private placement to accredited investors falls under a separate regime.

Crypto Payments

Payment processors with crypto ↔ fiat conversion. VASP required, plus alignment with traditional banking partners.

Investment Advisory

Advisory services on purchase / sale of virtual assets. Phase 1 registration. SIBA license required for advisory on security tokens.

FAQ

VASP — no guesswork

Can I launch a crypto project without a VASP license?

Yes, in three cases. First — if you do not provide VASP services (for example, you build a non-custodial wallet or smart contract where the user manages their own keys). Second — a crypto fund under MFA/PFA where the crypto activity is incidental to fund operations. Third — a DAO foundation without commercial activity (just a governance wrapper). Custody, exchange and token issuance to the public must be licensed.

How much does a Full VASP License cost?

CIMA government fees: $1,000 application fee + annual fee ranging from KYD 5,000 to KYD 200,000 depending on service type. Professional support (lawyers, AML consultants, cybersecurity audit): $80,000 — $150,000 for the full package. Local AML officer: $40,000 — $60,000 per year. Local office space: $24,000+ per year. First-year total: $150–250k for a fully operational VASP.

Is the VASP license recognized in other jurisdictions?

A Cayman VASP is an institutionally recognized Tier-1 license. Major banks (Goldman, JP Morgan, BNY Mellon) and prime brokers work with licensed Cayman VASPs. For EU retail passporting, a separate MiCA CASP license is required (Cyprus, Malta, Lithuania and Germany are the most common). For the US — separate state money transmitter licenses plus potentially the New York BitLicense. Cayman + Cyprus MiCA is a common parallel construct for institutional players.

What is CARF and when does it take effect?

CARF (Crypto-Asset Reporting Framework) is a new OECD standard for automatic exchange of crypto-asset information between tax authorities — a CRS analog for crypto. Cayman implemented CARF on January 1, 2026. VASPs must identify the tax residence of clients and report transactions annually. This materially changes the landscape for privacy coins and anonymous VASPs.

Can we register a DAO without a VASP license?

Yes, as a Foundation Company under the Foundation Companies Act 2017. It is the most popular legal wrapper for DAOs worldwide — over 1,700 registered. A Foundation Company can hold a treasury, issue governance tokens, enter into contracts. A VASP license is NOT required where the DAO does not provide paid custody / exchange services to third parties. Where a DAO operates as a protocol with its own AMM, the position must be analyzed for the specific scenario.

Launching a VASP?

Start with a scoping session

Describe your business model — we will determine if you need registration, License or sandbox. Free session, under NDA, no obligations.

Request scoping →+1 345 949 7000

CIMA VASP License —institutionalcrypto regime.