Jan 2026
Regulators in key offshore centres are actively engaging Web3 structures. The Cayman Islands Monetary Authority (CIMA) has begun issuing supervisory letters to Cayman foundation companies. In parallel, the British Virgin Islands Financial Services Commission (BVI FSC) has increased supervisory engagement with entities operating, or appearing to operate, virtual asset services in or from within the BVI under the Virtual Assets Service Providers Act (BVI VASP Act). Across both jurisdictions, authorities are increasingly directing entities to confirm whether their business activities are in scope of local licensing or registration requirements, to take specified next steps and/or to address “purporting” or “holding out” risks in public-facing materials. This alert outlines the legal frameworks, key risk issues and immediate action points for Cayman foundation companies and BVI Web3 entities.
Why This Matters Now
Foundation companies and other Web3 vehicles are increasingly positioned at the intersection of governance, treasury and ecosystem support, where activities may fall within or be perceived to fall within regulated perimeters. In Cayman, where activities are, or appear to be, in scope under the Virtual Asset (Service Providers) Act (as revised) (Cayman VASP Act), entities must upon the direction of CIMA either provide a written explanation with evidence, apply via REEFS to register or license, or cease and confirm cessation. In the BVI, entities carrying on, or purporting to carry on, any virtual asset services are expected to obtain registration under the BVI VASP Act, or to demonstrate why they are out of scope and amend disclosures to avoid holding out. Unauthorised conduct in either jurisdiction can attract criminal and administrative penalties, referrals to law enforcement and supervisory directions, making contemporaneous documentation of the legal position at inception essential.
Legal Frameworks and Scope
A rigorous scoping analysis should be undertaken to map out contemplated and reasonably foreseeable activities against the applicable virtual asset regimes and any other potentially relevant regulatory frameworks (which may include securities regulation, money services regulation, and AML and sanctions compliance in particular).
In Cayman, the Cayman VASP Act provides that a person “shall not carry on, or purport to carry on, virtual asset services in or from within the Islands” unless appropriately registered or licensed, a waiver is available, or if operating within a sandbox, and clarifies that “purporting” includes online “holding out” or using terminology connoting such services. Particular care is required to avoid “purporting” to carry on regulated activity: public-facing materials, websites, whitepapers, social channels and contractual descriptions should be reviewed to ensure there is no holding out as providing virtual asset services or any other regulated activities unless duly authorised.
In the BVI, the BVI VASP Act establishes a comparable perimeter for persons carrying on (or holding out as carrying on or being able to carry on) virtual asset services in or from within the BVI, with a registration requirement administered by the BVI FSC. As with Cayman, substance and presentation both matter: entities should assess whether treasury operations, token issuance support, governance facilitation, staking, custody, exchange or brokerage-like activities, or fee streams linked to such activities could fall within scope, and they should ensure that descriptions in websites, documentation and social channels do not amount to holding out as a VASP absent authorisation.
Where activities could be in scope in either jurisdiction, boards should establish escalation protocols to engage with the relevant regulator (CIMA or BVI FSC), prepare the required applications (including via REEFS in Cayman), or promptly cease and formally document such cessation. If a supervisory letter is received, boards should promptly coordinate a response, assemble the written explanation and legal analysis, determine whether to apply for a licence or registration or cease activities, and meet any stated deadlines.
Governance, Documentation and Enforcement Risk
Boards should commission and retain a written legal advice memorandum from expert local counsel at inception that clearly documents the regulatory perimeter assessment for the relevant activities and jurisdiction (and any cross-border interfaces), evidences the factual and legal basis for the analysis, and sets periodic review triggers. Contemporaneous board minutes and supporting materials should be maintained to substantiate positions communicated to CIMA in Cayman or to the BVI FSC in the BVI. Boards should also conduct at least annual monitoring of actual activities, key service agreements and public-facing materials (including websites) to confirm nothing has changed that may potentially bring activities in scope or that could amount to “purporting” or “holding out” to conduct a regulated activity. Failure to obtain authorisation where required—or to cease “purporting” or “holding out” conduct, could result in significant criminal and/or administrative penalties and referrals to investigative authorities in both Cayman and the BVI. A pre-emptive, considered and disciplined approach to regulatory compliance analysis would go a long way in materially mitigating such risks.