On February 18th the European Union added the Cayman Islands to its tax haven blacklist. While this has not made the news in the security token industry, it has had major implications. Due to the strict demands of AML & KYC in many jurisdictions, regulators are focusing more resources on beneficial ownership, tax transparency, and enforcement.
For companies raising capital, the blacklisting means you should not take money from a Cayman fund if you’re a European issuer. In the EU, a lot of the investment in security tokens, real estate, and private equity comes from or through Cayman fund structures. Cayman is also where a large portion of American VC funds are domiciled.
The current tax haven blacklist also includes American Samoa, Fiji, Guam, Oman, Palau, Panama, Samoa, Trinidad and Tobago, US Virgin Islands, Vanuatu, and Seychelles.
Any company taking funds from a Cayman domiciled fund, or working with a platform/issuer/bank in that market should be aware that being associated with a blacklisted country could create significant new risk exposure for your project, and possibly yourself. These changes are effective immediately. Until recently, most firms could fly under the radar but the EU is also rolling out a public registry of corporate ownership. This will not only make non-compliance much easier to spot but also increases the ability for regulators in the EU to investigate and enforce.
The regulation could impact people working at (including directors, officers, or significant shareholders) a company that received funding from a Cayman source after the blacklist date. Enforcement severity changes by country but can include criminal charges, company seizure, and known associates may end up on a variety of sanctions and watch lists. Not to mention the reputational damage.
This is a good example of why a good AML program does not only consist of face matching a document and pinging an API to name match a sanctions list – you are opening up your venture, and most likely yourself, to massive liability. Your legal and regulatory obligation is to take a risk based approach. What that looks like can change by country, transaction value, activity history, etc., so AML program needs to be dynamic, robust, and comprehensive enough to catch things like narrative sanctions.
For example: The most popular security token platforms today only use KYC for digital onboarding of natural persons – not corporate entities. However, when you look at the investors in their previous token issuances you can see that most of the funds are coming from corporate accounts, corporation owned wallets, but the on-chain transaction and KYC is done by an individual. These platforms are missing the technical capabilities to spot transactions coming through blacklisted jurisdictions such as Grand Cayman.
iComply recently helped a virtual asset exchange pass the audits needed to offer their users the ability to spend virtual assets, such as Bitcoin and Ethereum, with a Visa card. This process involved independent audits from Visa, their banks, and regulators – each wanted to see the client demonstrate how they would be able to identify these risks and fulfill the requirements of a whole web of regulations.
Now that they have passed the audit, they are first to market with a very compelling offer compared to their competition who still have months of development on their AML systems before their applications will go through. Using iComply to get ahead of the regulations has also put them ahead of their competition.
We can expect the same for the security token market. Token issuers need to pay close attention to their AML compliance – Telegram had to refund over $1B USD over AML, has spent millions in court with the SEC, and the OCC has not even started with them yet…after that, how many of their “not investors” will be ready to jump onto an investor class action lawsuit? We have already seen this with the recent OCC case against MYSB in New York, or with the SEC and AirFox in Boston.