The AML/CFT/CPF Guidelines are the backbone of the VASP regime. Here is what they require — from the institution-wide risk assessment to customer due diligence, monitoring, record-keeping and reporting to the FID.

 

In short: of the three instruments in the FSC’s proposed VASP framework, the AML/CFT/CPF Guidelines carry the most weight — they are the regime’s backbone and the area FATF scrutinises most closely. They require a licensed VASP to understand its own money-laundering, terrorist-financing and proliferation-financing risks through an institution-wide risk assessment; to know its customers through risk-based due diligence; to monitor activity and keep records (generally for seven years); and to report suspicious transactions to Jamaica’s Financial Investigations Division (FID) through the goAML platform. This article walks through each obligation and what it means in practice.

Why AML/CFT is the heart of the regime

Virtual assets are attractive to money launderers for the same reasons they attract everyone else: speed, reach and a degree of pseudonymity. That is the central risk the whole regime exists to manage, and it is the reason Jamaica chose supervised licensing over a light-touch register — so that anti-money-laundering controls are not merely promised but overseen. The AML/CFT/CPF Guidelines are where that oversight becomes concrete.

The Guidelines do not sit in isolation. They translate Jamaica’s established anti-money-laundering architecture — principally the Proceeds of Crime Act (POCA), the Terrorism Prevention Act (TPA) and their regulations — into obligations tailored to virtual asset businesses, supervised by the FSC, with the FID acting as the national Financial Intelligence Unit. Layered on top is the FATF standard, whose Recommendation 15 expects countries to supervise VASPs effectively. For a jurisdiction mindful of its standing in FATF evaluations, getting this instrument right is not optional.

The institution-wide risk assessment

Everything begins with the institution-wide risk assessment. Before it worries about any individual customer, a VASP must step back and document the money-laundering, terrorist-financing and proliferation-financing risks its business as a whole faces — across its customer base, its products and services, its delivery channels, the geographies it touches, and the technologies it uses. This is the foundation of the risk-based approach that runs through the entire regime.

It matters because it drives every other control. The risk assessment determines where due-diligence thresholds are set, what circumstances trigger enhanced scrutiny, how closely transactions are monitored, and where resources are concentrated. It is not a one-off document to be filed and forgotten: it must be kept current and revisited whenever the business changes — a new product, a new market, a new customer segment.

Risk assessment first — everything else is built on it

A VASP cannot design proportionate controls until it understands its own risks. Regulators can tell within minutes whether a firm’s policies flow from a genuine, business-specific risk assessment or were copied from a template. Do this properly first, and the rest of the AML programme almost writes itself.

Customer due diligence and enhanced due diligence

Knowing your customer is the operational core of the regime. Standard customer due diligence (CDD) requires a VASP to identify and verify every customer and the beneficial owners behind them, to understand the purpose and intended nature of the relationship, and to screen customers against sanctions and politically-exposed-person (PEP) lists. Due diligence is not a one-time gate at onboarding; it continues throughout the relationship, with information kept up to date.

Enhanced due diligence (EDD) applies where risk is higher — for PEPs, customers from higher-risk jurisdictions, unusually complex or large transactions, and higher-risk counterparties, including certain activity involving unhosted (self-custodied) wallets. EDD means gathering more information, obtaining senior sign-off, and monitoring the relationship more closely. At the other end, genuinely low-risk situations may allow simplified measures, but only where the risk assessment supports it.

A note on thresholds: Jamaica’s framework requires customer identity to be verified and periodically refreshed, and it recognises limited exemptions for very small transactions unless suspicion arises. The related but distinct “Travel Rule” obligation — transmitting originator and beneficiary information with transfers — is significant enough to warrant its own treatment, and is covered in the next article in this series.

Ongoing monitoring and record-keeping

A VASP must monitor customer activity against the profile it would expect, and investigate anomalies — transactions that are unusually large, structured to avoid thresholds, inconsistent with the customer’s known behaviour, or connected to higher-risk addresses. For virtual asset businesses this monitoring reaches on-chain: blockchain analytics and wallet screening are how a VASP assesses the provenance and risk of the assets it handles, a subject taken up later in the series.

Record-keeping underpins all of it. Customer due-diligence records, transaction records and the supporting documentation behind them must be retained — generally for seven years after the relationship or transaction ends — and produced to the FSC or the FID on request. This is also where the AML obligations meet the substance requirements: those records must be accessible from Jamaica, not controlled somewhere the regulator cannot reach.

Reporting to the FID via goAML

When a VASP knows or suspects that it is dealing with criminal property, or with money laundering or terrorist financing, the duty to report is triggered. In Jamaica those reports go to the FID — the Designated Authority and national Financial Intelligence Unit — through goAML, the United Nations-developed reporting platform that the FID has operated since 2020. The main reporting obligations are summarised below.

Report / duty When it is triggered Timing & channel
Suspicious Transaction Report (STR) Knowledge or suspicion of criminal property, ML or TF As soon as practicable; within 15 days — to the FID via goAML
Threshold Transaction Report (TTR) Prescribed threshold transactions Periodically (e.g. quarterly) — to the FID via goAML
Request for consent About to handle suspected criminal property Before proceeding — to the FID via goAML
Terrorism-related report (TPA) Property linked to designated persons Promptly, as prescribed — to the FID via goAML

Two features deserve emphasis. First, the consent regime: where a VASP suspects it is about to handle criminal property, it must seek the FID’s consent before proceeding, or decline the transaction — it cannot simply carry on and report afterwards. Second, the prohibition on “tipping off”: a VASP must never alert a customer that a report has been made or that they are under suspicion, as doing so is itself an offence. Handling both correctly requires trained staff and clear internal procedures.

The Nominated Officer at the centre

At the heart of the AML programme sits the Nominated Officer — the compliance officer who owns it. This person is the firm’s point of contact with the FID, typically the administrator of its goAML account, responsible for the internal reporting line, the filing and oversight of reports, and timely responses to the FID’s communications. Because the role is so central, the regime expects the Nominated Officer to be locally based, genuinely empowered and properly resourced — which is exactly why the substance requirements insist on it. Appointing the right person, and giving them real authority and support, is the single most important AML decision a VASP makes.

Building an AML programme that holds up

Taken together, the Guidelines call for a system, not a policy document. A programme that will survive supervision has, at minimum:

  • A current, business-specific institution-wide risk assessment that drives everything else.
  • Documented, risk-based policies and procedures — not a generic template.
  • Working CDD and EDD workflows, with sanctions and PEP screening.
  • Transaction monitoring, extended on-chain through blockchain analytics and wallet screening.
  • A resourced, locally based Nominated Officer with goAML access and authority.
  • Ongoing staff training so obligations are understood and applied.
  • Independent testing or audit of the programme’s effectiveness.
  • Record retention (generally seven years) with records accessible from Jamaica.

The theme running through all of these is that AML/CFT is operational, not decorative. The FSC will look for evidence that the controls are lived rather than laminated — that the risk assessment is real, the monitoring actually flags things, and the reports actually get filed on time.

Frequently asked questions

Who do VASPs report suspicious activity to in Jamaica?

To the Financial Investigations Division (FID) — Jamaica’s Designated Authority and national Financial Intelligence Unit — through the goAML reporting platform. The Nominated Officer is typically the firm’s goAML administrator and point of contact.

How quickly must a suspicious transaction report be filed?

As soon as reasonably practicable and, in any event, within 15 days of the suspicion or reasonable grounds for suspicion arising. Where the firm is about to handle suspected criminal property, it must seek the FID’s consent before proceeding rather than reporting after the fact.

How long must AML records be kept?

Generally seven years after the customer relationship or the relevant transaction ends. Due-diligence records, transaction records and supporting documentation must be retained and produced to the FSC or FID on request — and, under the substance rules, be accessible from Jamaica.

What triggers enhanced due diligence?

Higher-risk situations — politically exposed persons, customers connected to higher-risk jurisdictions, unusually complex or large transactions, and higher-risk counterparties, including certain activity involving unhosted wallets. EDD means more information, senior approval and closer ongoing monitoring.

Can a VASP outsource its AML function?

Tools and some tasks can be outsourced — screening and analytics, for example — but accountability cannot. The Nominated Officer and the ownership of the AML programme must be local and in-house. As with substance generally, outsourcing is permitted; abdication is not.

 

How Dawgen Global can help

AML/CFT is Dawgen Global’s flagship advisory area. We build the institution-wide risk assessment, the risk-based policies and procedures, and the CDD/EDD, monitoring and reporting workflows a licensed VASP needs — and we support the Nominated Officer role, including goAML readiness and training. We are not a licence applicant and do not operate any virtual asset business — our role is advisory and assurance.

We also provide independent testing of AML programmes and, subject to independence, assurance engagements — including proof of reserves — for licensed VASPs, with a firm boundary that we do not audit systems we designed.

To build or independently test your AML/CFT programme, contact us at [email protected] or visit dawgen.global.

This article is part of The Caribbean Virtual Asset Regulation Imperative™ series by Dawgen Global, powered by DAGAF™ — the Dawgen Digital Asset Governance & Assurance Framework. It is general information based on the FSC’s consultation documents of 10 June 2026 and Jamaica’s AML/CFT framework (POCA, the TPA and their regulations), and is not legal, regulatory or investment advice. Requirements remain subject to change following consultation; confirm details against the FSC’s and FID’s published materials.

About Dawgen Global

Dawgen Global is an independent, integrated multidisciplinary professional services firm headquartered at 47 Trinidad Terrace, New Kingston, Jamaica, serving more than 15 territories across the Caribbean. Founded and led by Dr. Dawkins Brown, Executive Chairman, the firm is independent and not affiliated with any international network. It delivers a full suite of professional services under one roof: audit and assurance; tax advisory; IT and digital transformation; risk management; cybersecurity; actuarial and insurance regulatory advisory; HR advisory; mergers and acquisitions; corporate recovery; business advisory and strategy; accounting BPO and virtual CFO services; and legal process outsourcing.

The proposition is simple: big-firm capability without the big-firm price. Dawgen Global’s integrated approach is built for the specific complexities and opportunities of the Caribbean market, helping organizations make sharper, better-informed decisions that drive measurable progress.

To explore a partnership, reach out:

by Dr Dawkins Brown

Dr. Dawkins Brown is the Executive Chairman of Dawgen Global , an integrated multidisciplinary professional service firm . Dr. Brown earned his Doctor of Philosophy (Ph.D.) in the field of Accounting, Finance and Management from Rushmore University. He has over Twenty three (23) years experience in the field of Audit, Accounting, Taxation, Finance and management . Starting his public accounting career in the audit department of a “big four” firm (Ernst & Young), and gaining experience in local and international audits, Dr. Brown rose quickly through the senior ranks and held the position of Senior consultant prior to establishing Dawgen.

https://www.dawgen.global/wp-content/uploads/2023/07/Foo-WLogo.png

Dawgen Global is an integrated multidisciplinary professional service firm in the Caribbean Region. We are integrated as one Regional firm and provide several professional services including: audit,accounting ,tax,IT,Risk, HR,Performance, M&A,corporate recovery and other advisory services

Where to find us?
https://www.dawgen.global/wp-content/uploads/2019/04/img-footer-map.png
Dawgen Social links
Taking seamless key performance indicators offline to maximise the long tail.
https://www.dawgen.global/wp-content/uploads/2023/07/Foo-WLogo.png

Dawgen Global is an integrated multidisciplinary professional service firm in the Caribbean Region. We are integrated as one Regional firm and provide several professional services including: audit,accounting ,tax,IT,Risk, HR,Performance, M&A,corporate recovery and other advisory services

Where to find us?
https://www.dawgen.global/wp-content/uploads/2019/04/img-footer-map.png
Dawgen Social links
Taking seamless key performance indicators offline to maximise the long tail.

© 2023 Copyright Dawgen Global. All rights reserved.

© 2024 Copyright Dawgen Global. All rights reserved.