Cayman Islands Law Legislation & Treaties

Rule - Obligations for the provision of virtual asset services - Virtual Asset Custodians and Virtual Asset Trading Platforms - February 2026

In force
Subordinate · 2024 · No. 83 · 2024-0083
Text — SL 11 of 2026

RULE
Obligations for the provision of virtual asset services - Virtual Asset Custodians and Virtual Asset Trading Platforms
FEBRUARY 2026

Table of Contents

List of Acronyms

#1. Introduction

#2. Statement of Objectives

#3. Statutory Authority

#4. Scope of Application

#5. Definitions

#6. Governance

#7. Conduct of Business

#8. Prudential

#9. Risk Management

#10. IT and Cybersecurity

#11. Virtual Asset Custody Service

#12. Virtual Asset Trading Platforms

#13. Reporting

#14. Enforcement

#15. Effective Date

List of Acronyms

IT: Information Technology
MAA: Monetary Authority Act
VASP: Virtual Asset Service Provider

Introduction

1.1. This document establishes the Cayman Islands Monetary Authority’s (the “Authority”) rules for virtual asset custodians and virtual asset trading platforms (“the Rule”) regulated under the Virtual Asset (Service Providers) Act (as amended) (the “Act”).

Statement of Objectives

2.1. To set out the Authority’s rules applicable to custodians and trading platforms for the provision of virtual asset services, pursuant to the Monetary Authority Act (“MAA”).

2.2. The measure is consistent with the Authority’s statutory objectives as prescribed in the MAA, including to regulate and supervise financial services business carried on in or from within the Islands in accordance with the MAA and the regulatory acts and to promote and maintain a sound financial system in the Islands.

Statutory Authority

3.1. Section 34(1)(a) of the MAA provides that:

After private-sector consultation and consultation with the Minister charged with responsibility for Financial Services, the Authority may -
issue or amend rules or statements of principle or guidance concerning the conduct of licensees and their officers and employees, and any other persons to whom and to the extent that the regulatory laws may apply;

3.2. This Rule should be read in conjunction, where applicable, with all acts and regulatory measures addressing anti-money laundering, the conduct of virtual asset services, ownership and control, fitness and propriety, internal controls, cybersecurity, business continuity management, corporate governance, outsourcing, nature, accessibility and retention of records, securities investment business, banks and trusts and any other relevant acts and regulatory instruments issued by the Authority from time to time.

3.3. In this document, references to any Act or Regulation shall be construed as references to those provisions as commenced, amended, modified, re-enacted or replaced from time to time.

Scope of Application

4.1. This Rule applies to virtual asset custodians and virtual asset trading platforms that are regulated by the Authority under the Act.

4.2. This Rule outlines the ongoing regulatory obligations of virtual asset custodians and virtual asset trading platforms in their conduct of virtual asset services.

Definitions

5.1. The following definitions are provided for the purpose of this Rule:

“bank” means a person carrying on banking business, as defined under the Banks and Trust Companies Act (as amended);

“client” means a legal or natural person to whom virtual asset services are provided;

“governing body” of a regulated entity [1] means the Board of Directors where the entity is a corporation, the General Partner where the entity is a partnership, the manager (or equivalent) where the entity is a Limited Liability Company, and the Board of Trustees where the entity is a trust business.

“independent third party” means a party who, to the best of the governing body’s knowledge, information and belief having made all reasonable enquiries, is independent of, and not connected with, the regulated entity or any of its connected persons;

“senior officer” has the same meaning as defined in the Act;

“virtual asset custodian”, hereafter referred to as “custodian”, has the same meaning as defined in the Act;

“virtual asset custody service” has the same meaning as defined in the Act; and

“virtual asset trading platform”, hereafter referred to as “trading platform”, has the same meaning as defined in the Act.

[1] A regulated entity refers to any natural person(s) or arrangement(s) that has been licensed or registered under the Act.

Governance

6.1. The custodian or trading platform must be led by a governing body made up of individuals who are suitably qualified and have the requisite skills, knowledge, and expertise for the role and which have been assessed by the Authority as being fit and proper.

6.2. The governing body must:
a) establish and implement governance arrangements to effectively oversee and operate the custodian or trading platform;
b) promote and contribute to the implementation of appropriate culture, corporate values, and behaviours within the custodian or trading platform;
c) ensure that it has appropriately considered and documented the roles and responsibilities of directors and senior officers in relation to succession planning, governing body composition, and capacity;
d) undertake an assessment of the performance, practical and professional experience, and suitability of directors and senior officers at least on an annual basis;
e) remain ultimately responsible for all outsourced functions or activities, and all legal and regulatory requirements; and
f) ensure that all employees have relevant experience and are suitably qualified, where appropriate, to carry out their respective roles.

6.3. The governing body must ensure that the custodian or trading platform performs periodic risk assessments considering all appropriate risks, including but not limited to, cybersecurity, AML/CFT, sanctions, custody, data protection and client protection or any other risks the governing body deems appropriate, and as required by law.

6.4. The number of individuals appointed to the governing body must be commensurate to the size, nature, and complexity of the custodian or trading platform operations, provided that this number meets the minimum required under the Act.

6.5. Changes to the ownership (legal or beneficial), directors and senior officers require the Authority’s prior written approval and are subject to an assessment of fitness and propriety.

6.6. The governing body must oversee and be accountable for governance arrangements that ensure effective and prudent management of the custodian or trading platform, including appropriate segregation of duties to prevent conflicts of interest, manipulation of financial data, or misappropriation of assets.

6.7. The governing body must document and undertake a regular review of the roles and responsibilities of senior management and other key employees in relation to the controls governing the segregation of duties.

6.8. The custodian or trading platform must implement a governance framework that includes policies and practices on remuneration which promote sound and effective risk management, and not create incentives to relax risk standards.

Conduct of Business

Conflicts of interest

7.1. The custodian or trading platform must maintain and implement effective policies to prevent, identify, manage, and disclose conflicts of interest.

Treating clients fairly

7.2. The custodian or trading platform must act honestly, fairly, and professionally in accordance with the best interests of their clients and prospective clients.

7.3. The custodian or trading platform must implement documented policies and procedures to ensure they are acting in the best interests of clients.

7.4. In dealing with clients and potential clients, the custodian or trading platform must act ethically and with integrity at all times.

Client communications and full disclosure

7.5. The custodian or trading platform must provide clients with information that is fair, clear, and not misleading.

7.6. The custodian or trading platform must not, deliberately or negligently, mislead a client in relation to the real or perceived benefits of any virtual assets or any services carried out by the custodian or trading platform.

7.7. The custodian or trading platform must provide full and proper disclosure of their operations including disclosure of:
a) the capacity they are acting in (in relation to a relevant transaction);
b) the quantity, value, or arrangements for the payment or provision of commissions or other inducements;
c) the schedule of fees, including any changes to those fees, the manner in which fees can be amended, and any associated or indirect costs; and
d) where applicable, provisions for custodial or other third-party arrangements.

7.8. The custodian or trading platform must ensure that their fee and commission structures are transparent, fair, and non-discriminatory.

7.9. The custodian or trading platform must disclose fees and commissions within their terms of business for the services they provide before any transactions take place. Any changes to fees, commissions, or terms of service must be brought to the attention of the client in a clear and timely manner.

7.10. Any disclosure of conflicts of interest must be in written form and include sufficient detail, taking into account the nature of the client, to enable the client to take or make an informed decision with respect to the product or service in the context of which the conflict of interest arises.

7.11. Every director and senior officer must disclose any conflicts of interest to the governing body on at least an annual basis. Where new conflicts arise, directors and senior officers must declare these and recuse themselves from decisions where a conflict of interest exists.

7.12. Disclosure requirements, within this Rule, must be observed at all times as it is an ongoing obligation.

Risk warnings

7.13. The custodian or trading platform must make appropriate, timely, and prominent disclosures to clients regarding risks associated with the products or services offered, to ensure that clients can make well-informed decisions. Disclosure of risks must be continually assessed and updated to reflect evolving risks.

7.14. The custodian or trading platform must also disclose all internal safeguards in place to mitigate risks, including the methods of access to virtual assets held, and any insurance arrangements to cover against theft or loss of assets.

Complaints handling

7.15. A custodian or trading platform must:
a) establish and maintain adequate policies and procedures for the handling of client complaints in a fair and consistent manner;
b) address client complaints in a timely and fair manner and communicate the outcome of complaints within a reasonable timeframe;
c) maintain a log of client complaints and resolution for operational risk purposes, which must be made available to the Authority; and
d) report to the Authority any client complaints or set of client complaints that represent a material risk to clients or are indicative of a material failure of the custodian’s or trading platform’s control environment.

Marketing & promotions

7.16. The custodian or trading platform must ensure that any marketing communications of their products or services are fair, clear, and not misleading, and are clearly identifiable as marketing or advertising.

7.17. The custodian or trading platform must ensure that advertising or marketing communications do not, deliberately or negligently, mislead a client in relation to the real or perceived advantages of virtual assets or any services carried out by the custodian or trading platform.

Client protection

7.18. The custodian or trading platform should ensure that their products and services, offered to each client, are suitable having regard to the client’s needs, objectives and financial situation, risk tolerance, knowledge, experience and understanding of the risks involved.

7.19. Where a custodian or trading platform decides to cease any virtual asset services, it must notify and provide a plan to the Authority, for its approval. Custodians and trading platforms must ensure that any outstanding business is properly completed with minimum disruption to clients.

Client Agreement

7.20. A custodian or trading platform must have a written agreement in place with all clients, which should include, at a minimum, the requirements set out in the Act.

7.21. A custodian or trading platform must provide clients with written confirmation upon execution of a transaction that includes all relevant details of the transaction.

Outsourcing

7.22. A custodian or trading platform must develop and implement a comprehensive outsourcing policy to guide the assessment of whether any activity can be appropriately outsourced. The policy must include initial due diligence assessment at the selection of third parties, periodic review of the third party’s performance, contingency plans and exit strategies.

7.23. A custodian or trading platform must ensure that the Authority’s supervisory functions and legal obligations are not hindered by the outsourcing of any material function or activity.

7.24. Whenever a custodian or trading platform decides to outsource any of its activities, its governing body must maintain responsibility for every outsourced function. The governing body must ensure that requirements in relation to each outsourced activity are being complied with and that the activities are carried out to the same standard as if these were performed by the custodians or trading platforms.

7.25. A custodian or trading platform must:
a) take reasonable steps to avoid additional operational risks arising from any outsourcing arrangements;
b) enter into a written agreement with all outsourcing providers which specifies each party’s rights and obligations; and
c) have appropriate resources to assess the quality of the service provided by the outsourced service provider.

7.26. A custodian or trading platform must make available to the Authority, upon request, all information necessary to assess compliance with this Rule in relation to any outsourced activity. Compliance with this Rule must be consistent with the Rule and Statement of Guidance on Outsourcing.

Data protection

7.27. A custodian or trading platform must have systems and procedures in place to safeguard the security, integrity, and confidentiality of information.

Record-keeping

7.28. A custodian or trading platform must:
a) keep and maintain orderly records of their business and internal organisation in a manner that promotes accessibility, retention, and appropriate security;
b) keep available for review, the relevant data relating to all orders and transactions in virtual assets which are undertaken through their systems and all information obtained through client due diligence measures;
c) keep and maintain a record of all interactions with clients including all agreements entered into; and
d) have in place a record-keeping system that is held in an auditable format and that allows for information to be made available to the Authority upon request.

Notifications and Prior Approvals

7.29. A custodian or trading platform must notify and/or seek prior approvals from the Authority as required under the Act. These include, but are not limited to changes in business plans, issue or transfer of shares and appointment of senior officers.

Prudential

Regulatory capital

8.1. A custodian or trading platform must, at all times, have in place capital in the form of the higher of:
a) the risk-based capital as determined pursuant to section 8.2 below; or
b) the amount equal to six months fixed overheads of the custodian or trading platform; or
c) such amount as determined by the Authority.

8.2. Risk based capital must be determined having regard to the size, scope, complexity and nature of the activities and operations of the custodian or trading platform and the type and level of risks the custodian or trading platform is exposed to.

8.3. A custodian or trading platform must hold any additional capital buffer as required by the Authority.

8.4. Custodians or trading platforms must review the adequacy of their capital at least on an annual basis, or when there has been a material change to the business.

8.5. A custodian or trading platform must notify the Authority of any breaches in regulatory capital.

Recovery plan

8.6. The custodian or trading platform must assess and document scenarios that could lead to a breach of the capital requirement and address these scenarios in a recovery plan which should aim to preserve critical functions and detail steps to capital recovery.

8.7. The custodian or trading platform must have defined financial and non-financial triggers in place that will alert to the need for the execution of the recovery plan.

Stress testing

8.8. When calculating the amount of capital to be held, a custodian or trading platform must undertake stress testing of scenarios and conditions as well as sensitivity analysis and document the triggers needed to identify such situations.

Insurance

8.9. Where appropriate, a custodian or trading platform must maintain insurance protections to the satisfaction of the Authority, including the following:
a) professional liability of senior officers;
b) loss of client assets held in custody;
c) business interruption; and
d) cyber security.

Risk Management

9.1. The custodian or trading platform must employ forward-looking risk management practices and always consider risks to clients and the reputation of the Cayman Islands, in addition to risks to their own business.

9.2. In conducting business activities, a custodian or trading platform must act with due skill, care, and diligence, in the best interests of their clients and the integrity of the market.

Internal controls

9.3. A custodian or trading platform must establish, implement, and maintain sound internal controls appropriate to the size, complexity, and nature of its activities.

9.4. Internal controls, strategies, policies, and procedures must be approved by the governing body of the custodian or trading platform.

9.5. A custodian or trading platform must take the necessary steps to monitor its internal controls and provide internal control reports to its governing body.

IT and Cybersecurity

10.1. The IT and cyber security strategies of a custodian or trading platform must be reviewed and approved by the entity’s governing body annually.

10.2. The custodian or trading platform must, on an annual basis, review the cybersecurity and IT risks they face and assess their cybersecurity framework to ensure it continues to be appropriate to manage adverse impacts of the cyber risks and IT risks.

10.3. The custodian or trading platform must have in place adequate and documented policies around:
a) cybersecurity;
b) incident response and recovery; and
c) disaster recovery (including backups) and business continuity.

10.4. The custodian or trading platform must ensure that roles and responsibilities are well defined within the organisation. Individuals responsible for general IT controls, information security/cyber security and private key management must be identified and made known to the rest of the organisation.

Virtual Asset Custody Service

11.1. A custodian or trading platform that provides virtual asset custody services must:
a) take all reasonable steps to protect client assets and ensure that client assets are clearly identified and segregated from proprietary assets, as well as assets of its group entities;
b) establish a custody policy with internal rules and procedures to ensure the safekeeping or the control of such virtual assets, or the means of access to the virtual assets; and
c) ensure that virtual assets and fiat funds belonging to clients are protected from third party creditors.

Segregation of virtual assets

11.2. A custodian or trading platform that provides virtual asset custody services must maintain a register of positions in the name of each client, reflecting the value and client ownership of the virtual assets. The custodian or trading platform must, on this register, maintain an ongoing record of any movement in client positions, and evidence of corresponding transactions.

11.3. A custodian or trading platform holding virtual assets on behalf of clients must ensure that client assets are adequately segregated in compliance with the relevant requirements under the Act, including, but not limited to, use of clearly identifiable segregated wallets.

11.4. A custodian or trading platform outsourcing custody of client virtual assets to third parties must ensure that the third parties are, at all times, in compliance with the relevant requirements under the Act, this Rule and other applicable regulatory measures.

Segregation of fiat funds

11.5. A custodian or trading platform holding fiat currencies on behalf of clients must ensure that client funds are kept safe and are held with a licensed bank or other similar institution acceptable to the Authority, clearly segregated, in compliance with the relevant requirements under the Act.

Reconciliation

11.6. The custodian or trading platform that provides virtual asset custody services must:
a) take reasonable steps to ensure that client account balances are accurate;
b) perform frequent reconciliation of client virtual assets and fiat balances; and
c) reconcile internally calculated balances to the expected balance on the relevant distributed ledger and investigate any discrepancies.

Management of private keys

11.7. The custodian or trading platform that provides virtual asset custody services must:
a) implement industry best practices for the generation, storage and usage of private keys;
b) implement backup procedures for all private keys which are in line with industry best practices;
c) implement a Key Compromise Protocol which is tested and reviewed at least annually;
d) have controls in place to meet liquidity and other demands; and
e) arrange for security audits to be performed on a regular basis by an independent third party.

Naming and schema

11.8. The custodian or trading platform that provides virtual asset custody services must ensure that naming conventions and schema for information used to identify and protect client assets allow for the custodian or trading platform, the Authority, or any mandated third-party, to manage the custodian or trading platform and client assets, as required.

Virtual Asset Trading Platforms

Market integrity

12.1. Virtual asset trading platforms must implement systems and procedures to monitor and detect market abuse and to promote the best interests of clients and the integrity of the market. Any suspicions indicating that market abuse or other unfair trading practices are being, have been, or are likely to be committed, must be reported to the Authority immediately.

12.2. Virtual asset trading platforms must undertake regular assessments to identify the inherent risks in relation to insider dealing and market manipulation and determine any measures necessary to mitigate such risks.

12.3. Virtual asset trading platforms must have systems in place to allow the freezing of client accounts and the suspension of trading of virtual assets when financial crime or market abuse are suspected, or when the virtual asset no longer complies with the trading platform’s rules.

12.4. For high-risk products or services offered, virtual asset trading platforms must take appropriate steps to ensure that clients are aware of, and have acknowledged, the risks associated with these products or services.

12.5. Virtual asset trading platforms must ensure that they have documented and recorded the client’s understanding of the products or services and the client’s acknowledgement of the associated risks.

12.6. Virtual asset trading platforms must advise clients of the option to seek third party custodian services to assist in the protection of client assets and record the client’s acknowledgement of this notification.

12.7. Virtual asset trading platforms must establish appropriate and effective systems and procedures to ensure their platforms are robust and can adapt to market stress. Platforms should also be able to reject orders that exceed predetermined volumes or price thresholds, or transactions involving a particular sender/receiver.

Clearing and settlement

12.8. Virtual asset trading platforms must establish procedures for the efficient clearing and settlement of virtual asset and fiat currency transactions.

Provision of financing to purchase virtual assets (leveraged trading)

12.9. Virtual asset trading platforms that provide financing to clients must disclose the terms of the agreement as well as the risks involved.

12.10. Virtual asset trading platforms that provide financing to clients must put in place:
a) measures to ensure client losses are limited; and
b) internal or commercially obtained insurance, where appropriate, to cover risks associated with losses or market movements.

Pricing

12.11. Virtual asset trading platforms must make their pricing policies, including information on price discovery mechanisms, easily accessible, publicly available and prominently displayed on their website.

12.12. Virtual asset trading platforms must implement pricing policies and procedures that prevent unfair trading activities and market abuse.

Listing rules

12.13. Virtual asset trading platforms must establish a set of rules to determine whether or not to admit virtual assets to be listed on their platforms. The rules must establish the requirements, due diligence, and approval process to admit virtual assets to the platform.

12.14. Virtual asset trading platforms must not admit to the platform virtual assets with inbuilt anonymisation features unless they are able to easily identify the holders and transaction history of such assets.

12.15. When determining whether or not to accept virtual assets to be listed on their platform, a virtual asset trading platform must consider the nature and features of the virtual asset, taking into account the experience, track record, and reputation of the issuer and its development team.

12.16. Virtual asset trading platforms must develop policies and procedures setting out platform participants’ ongoing obligations and defining the following:
a) criteria to participate in trading activities;
b) rules and requirements for fair and orderly trading; and
c) conditions for suspension.

Reporting

Regulatory reporting

13.1. The Authority may, where relevant, prescribe reporting requirements to which the custodian or trading platform must adhere.

13.2. The custodian or trading platform must establish a framework setting out their reporting obligations to the relevant authorities in accordance with the Act, including the process by which any new reporting obligations are flagged and acted upon.

Enforcement

14.1. Whenever there has been a breach of this Rule, the Authority’s policies and procedures as contained in its Enforcement Manual will apply, in addition to any other powers provided in the Act and the MAA, as amended.

Effective Date

15.1. This Rule will come into effect upon commencement of the relevant sections of the Act relating to licensing of virtual asset custodians and virtual asset trading platforms. Early adoption of this Rule is encouraged.