Top ‘take-aways’ from the Mourant Cayman Regulatory Conference 2026
On 21 May 2026, Mourant held its annual Cayman Regulatory Conference at the Hotel Indigo, Grand Cayman. The conference hosted speakers from OSAIF, CIMA and the FRA, with discussions on preparations for the CFATF Fifth Round Mutual Evaluation, updates to AEOI regimes, sanctions and directors’ and liquidators’ duties.
1 FATF’s Fifth Round Mutual Evaluation – expectations for technical compliance
Duwayne Lawrence, Head of Regulatory Policy and Legislation at the Office for Strategic Action on Illicit Finance (OSAIF), gave an update on preparations for the Cayman Islands’ fifth round Mutual Evaluation Review (MER) by the Caribbean Financial Action Task Force (CFATF). The onsite inspection will take place in December 2027. However, technical compliance and effectiveness assessments are expected to begin well in advance, with submissions to be made in May 2027.
The upcoming CFATF assessment will have a more focussed technical compliance review. This will include consideration of changes to the Financial Action Task Force (FATF) Standards since the last review and any material changes to the Cayman Islands’ legal or operational framework. The Cayman Islands will need to demonstrate effective implementation and enforcement in practice.
Particular attention will be paid to areas where the FATF standards have changed, such as:
- risk assessments, including expanded obligations to assess proliferation financing risks;
- increased emphasis on encouraging simplified due diligence, where appropriate;
- strengthened requirements around beneficial ownership information, including:
  - requirements for competent authorities to have timely access to beneficial ownership information on foreign-created legal persons that present ML/TF risks and have sufficient links to the Cayman Islands;
  - greater transparency around the use of nominee arrangements (shareholders or directors); and
  - ensuring competent authorities have timely access to basic and beneficial ownership information on trusts which is adequate, accurate and up-to-date.
The preparations include ongoing national risk assessments, gap analyses and proposed legislative and regulatory updates to align with the revised FATF standards. Industry guidance and outreach are expected once preparatory work progresses further.
2 AEOI update – regulatory developments
Gavin Maher, Tax Manager at Mourant Governance Services, presented an update on recent developments in automatic exchange of information (AEOI) reporting regimes, including the revised Common Reporting Standard (CRS 2.0) and the Crypto-Asset Reporting Framework (CARF).
CRS 2.0 – major reform of reporting regime
CRS 2.0 came into force on 1 January 2026. The key changes were the extension of the CRS regime to cover crypto and digital assets, enhanced due diligence requirements and additional reporting obligations. The amendments mean that Relevant Crypto-Assets will now be within scope under CRS 2.0.
Additional Cayman-specific changes introduced by CRS 2.0 include the requirement for a Cayman-based Principal Point of Contact (PPoC) and revised registration and reporting deadlines. It was noted that CRS 2.0 introduces automatic penalties for missed deadlines.
The following upcoming CRS 2.0 deadlines were highlighted:
- 31 July 2026 – Deadline to submit CRS Returns using OECD XML schema v2.0 or Nil Returns and Filing Declaration (for 2025 calendar year)
- 15 September 2026 – Compliance form submission deadline (for 2025 calendar year)
- 31 January 2027 –
  - Extended deadline to appoint Cayman-based PPoC (for existing ‘Financial Institutions’)
  - Registration deadline (for entities which became ‘Financial Institutions’ in 2026)
- 30 June 2027 – Full reporting deadline (for 2026 calendar year)
- 30 June 2028 – Transitional period ends – full reporting deadline (for 2027 calendar year)
The new self-certification forms were issued in May 2026 and require expanded data collection. Previous exceptions for non-reportable jurisdictions have been removed and full data collection is required for all controlling persons. This includes details of date and place of birth and tax identification numbers.
Crypto-Asset Reporting Framework
CARF introduced a new reporting regime for crypto-assets with effect from 1 January 2026. It applies to Reporting Crypto-Asset Service Providers (RCASPs) resident in the Cayman Islands and Cayman Islands branches of RCASPs not resident in the Cayman Islands.
An RCASP includes any individual or entity that, as a business, provides a service effectuating exchange transactions for and on behalf of customers, including by acting as a counterparty or intermediary to such transactions, or by making an exchange platform available. The OECD guidance notes specifically carve out investment funds for CARF. As mentioned above, investment funds with Relevant Crypto-Assets will be in scope under CRS 2.0.
The registration deadline for existing RCASPs is 31 January 2027. The first reports will be due in June 2027 with respect to the 2026 reporting year.
Country-by-Country Reporting
All Cayman entities should assess whether they are part of an MNE group for Country-by-Country Reporting (CbCR) purposes. The CbCR framework applies to: ultimate parent entities of MNE groups resident in the Cayman Islands with revenue of US$850 million or more in the preceding fiscal year; or surrogate parent entities resident in the Cayman Islands, where the ultimate parent entity is not required to file in its jurisdiction or where there is no automatic exchange agreement in place. The standard filing deadline is 12 months after the last day of the reporting fiscal year.
The CbCR Portal has been migrated to the centralised reporting portal for FATCA, CRS and economic substance and new MNE Groups should be registered on this portal.
DITC enforcement activity
The Mourant team have seen an increase in compliance actions taken by the Department for International Tax Cooperation (DITC) around CRS and economic substance. We expect this trend will continue, with an increase in CRS enforcement activity. Where there has been a breach, remediation will be significantly easier if issues are addressed promptly before any penalty notice is issued. The DITC has continued to show flexibility but this diminishes once penalties are formally applied.
3 Discussion on sanctions with the Financial Reporting Authority
Renée Williams, Senior Manager at Mourant Governance Services, discussed the evolving sanctions and financial intelligence landscape with RJ Berry, Director of the Financial Reporting Authority (FRA). They considered the impact of geopolitical developments (including an uptick in sanctions on Iran) and the increasing use of AI to perpetrate fraud. The FRA’s central role in the mutual evaluation process was also highlighted, particularly through its contribution to national risk assessments and financial intelligence.
Suspicious activity reports (SARs) remain the primary source of financial intelligence and they are key to assessing risks and threats. SARs received are mainly driven by fraud, international corruption and money laundering indicators. As such, it is crucial to ensure good quality comprehensive SAR filings.
The introduction of the Defence Against Money Laundering/Consent Regime (DAML) has resulted in changes in how the FRA processes SARs. This is because DAML SARs have strict timelines and require increased interaction between the FRA and law enforcement. It was noted that businesses should have measures in place to deal with scenarios where consent is refused following a DAML SAR. This should include internal guidance on what can and cannot be said during the 30-day moratorium period.
The Industry Advisory on the DAML regime will in time be replaced by regulations, with a consultation process to take place first. This is likely to include provisions to allow law enforcement to extend the moratorium period.
The discussion also covered annual frozen asset reporting, which has been extended from the UK to the Cayman Islands. All persons that hold or control funds or economic resources owned, held or controlled by a designated person are required to comply with the annual reporting requirement, including where an entity has previously submitted a compliance reporting form relating to frozen assets.
4 Fireside chat with CIMA
Sara Galletly, Regulatory Partner at Mourant, hosted a fireside chat with Abubakar Nyanzi, Deputy Head of Division, AML/CFT Division at the Cayman Islands Monetary Authority (CIMA), which provided insights into lessons learned from the fourth round MER and outlined supervisory priorities ahead of the next assessment cycle.
Key lessons learnt from the fourth round MER
- Risk assessment is critical: authorities and regulated entities must clearly identify, assess, and understand their money laundering, terrorist financing and proliferation financing risks. The risk assessments should be documented and kept up to date.
- Effectiveness over form: compliance frameworks must not only exist but be demonstrably effective in practice.
- Data-driven supervision: robust record keeping and the ability to evidence compliance through data are essential at both national and sectoral level.
CIMA’s supervisory approach
CIMA is increasing the use of internal and external data (including data received from AML returns, audited financial statements, disclosure from other regulatory/law enforcement authorities, complaints received, and onward disclosure from the FRA) to inform its risk-based supervision. Inter-agency coordination (with bodies such as the FRA) is also assisting CIMA to build comprehensive risk profiles.
The following were highlighted as some of the focus areas:
- Proliferation financing – increasingly central to risk assessments
- Beneficial ownership transparency
- Terrorist financing and sanctions compliance
- Risk assessments
Industry outreach is key, and CIMA would like open communication with industry participants to ensure clear expectations and promote compliance with AML/CFT requirements.
Expectations for regulated entities
Some other key themes addressed are set out below.
- AML returns – must be provided in a timely and accurate manner. CIMA uses the information provided (which should be consistent with the entity’s internal risk assessment) to understand the risks that the regulated entity is exposed to and to inform its risk-based supervisory activities.
- Risk assessments remain a key area of weakness identified in inspections. The risk assessments must be current, comprehensive and adequately documented, and should clearly set out the products and services offered, geographic exposure, inherent risks and mitigating controls. A risk assessment must be a live document which is regularly updated and supported by data.
- Governance remains a major focus area. Boards must actively oversee compliance and not merely reference it. Board minutes should demonstrate: what issues were considered; what questions were asked; and what actions were taken.
- Outsourcing does not transfer responsibility, and the board remains ultimately accountable. Oversight of outsourced functions will be a continued supervisory focus.
- Good record keeping is essential to ‘tell the story’ of the business and its risk exposure. This is important for all regulated entities but particularly important for smaller regulated entities.
- Inspection readiness should be proactive and not reactive. Regulated entities should be prepared for a potential inspection, rather than failing to address deficiencies until an inspection notice is received. Repeat findings (ie, issues previously identified during an inspection which have not been remediated) may be a key trigger for enforcement action.
- Virtual Asset Service Providers have seen increased supervisory engagement and will continue to see more outreach from CIMA. The first enforcement action against a VASP has also been taken and published.
Looking ahead to 2027
Top priorities for the year ahead include:
- demonstrating effectiveness of the implementation of policies and procedures by regulated entities;
- enhancing and updating risk assessments (especially as relates to proliferation financing risks);
- strengthening record keeping; and
- demonstrating strong governance.
CIMA also emphasised the importance of considering the findings of the National Risk Assessment, which is expected to be published once completed.
5 Liquidators’ and Directors’ Duties
Simon Dickson, Litigation Partner at Mourant, moderated a panel session with Angela Barkhouse, Managing Director, Kroll; Sarah Wheeler, Director, Marfire; and Victor Murray, Managing Director of MG Management Ltd and President, Cayman Islands Directors Association.
Directors’ duties in the Cayman Islands remain grounded in common law principles, such as duties of loyalty, good faith and avoiding conflicts of interest or self-dealing. The panel noted that while Cayman Islands law allows for strong indemnity protections, these do not apply where there is a breach of these core duties (eg, dishonesty or lack of good faith).
CIMA corporate governance framework
The panel discussed the growing convergence between directors’ duties and regulatory obligations under CIMA’s corporate governance framework. Both regulators and liquidators are therefore placing greater reliance on contemporaneous records – including board minutes, risk assessments and AML frameworks – to assess whether directors are actively engaged and discharging their duties appropriately. Failure to document decision-making can expose directors of regulated entities to regulatory enforcement and civil claims. Directors of non-regulated entities – eg foundations for Web3 protocols – are still subject to common law fiduciary duties and must comply with financial sanctions regimes.
Directors must evidence good governance by:
- holding regular, properly documented board meetings;
- demonstrating ongoing engagement with the business and its risks; and
- evidencing effective oversight of delegated and outsourced functions.
Emerging exposure risks
Cayman Islands courts can require directors to be formally examined, and cross-border cooperation means exposure is not limited to Cayman Islands proceedings. This increased global cooperation between regulators and courts is reinforcing the need for robust, defensible governance practices.
Liquidators have broad powers to investigate, examine directors and pursue claims. In practice, investigations focus heavily on documentation to find evidence of decision-making, delegation and oversight. Absence of records is itself a significant risk factor as it undermines a director’s ability to demonstrate proper conduct.
The panel also considered emerging risks from AI usage, noting that directors are generally accountable for decisions supported by AI and that responsibility cannot be delegated to algorithms. However, if agentic AI is deployed through decentralised protocols, it may be more difficult to establish a duty of care.
Foundation companies
There has been an increase in the use of Cayman Islands foundation companies housing virtual asset protocols. The panel noted that directors must act in the best interests of the foundation company, applying similar principles to regulated entities. Governance frameworks must be clearly documented, particularly where structures are complex or unusual. The supervisor of a foundation company plays a key oversight role (similar to, but more limited than, the protector of a trust) and should be independent of the director.
This rapidly evolving and high-risk area requires:
- a strong understanding of the business rationale and counterparties;
- clear transaction approval processes and segregation of duties; and
- robust record keeping.
Key practical takeaways
- Document everything – records are critical to defending decisions
- Ensure risk assessments, AML frameworks and governance processes are current and evidenced
- Maintain active board oversight, including of outsourced providers
- Be mindful of cross-border risks and regulatory coordination
- Apply a consistent, principles-based approach across traditional, foundation and virtual asset structures
Thank you to our speakers
Mourant would like to thank our external speakers for their part in making the regulatory conference such a successful event.
If you are interested in Mourant’s online AEOI Compliance Training and AML Training, please reach out to one of the contacts listed in this Update or email [email protected].
Contact
Hayden Isbister
Sara Galletly
Simon Dickson
Gavin Maher
Renée Williams
This update is only intended to give a summary and general overview of the subject matter. It is not intended to be comprehensive and does not constitute, and should not be taken to be, legal advice. If you would like legal advice or further information on any issue raised by this update, please get in touch with one of your usual contacts. You can find out more about us and access our legal and regulatory notices at mourant.com. © 2026 MOURANT ALL RIGHTS RESERVED