From Cyber “Best Practice” to Regulatory Standard: Why Cyber Resilience Has Quietly Become the New AML Benchmark

When the Bank of Jamaica (BoJ) introduced its Cyber-Resilience Principles in December 2023, it was the first signal that cyber risk had moved from IT departments into the regulatory spotlight. What was less evident at the time was just how closely cyber maturity and AML effectiveness would become intertwined in the years that followed. Two years later, that connection is clear.  

These ten principles, ranging from board accountability to third-party risk and security-by-design, are now enforced across all financial institutions, not just the large commercial banks.  

In tandem: 

  • Jamaica exited the FATF grey list on 28 June 2024, a milestone that raised the bar for sustained compliance across all sectors. 

  • BoJ is launching the Cyber Incident and Information Sharing Initiative (CIISI-JM) in Q3 2025, enabling real-time threat intelligence sharing across the entire financial system.

 

This alignment of cyber and AML regulation reflects a deeper message: from now on, cyber maturity will be assessed alongside AML performance in supervisory exams. 

Smaller Institutions Face the Highest Pressure 

This convergence is especially consequential for the smaller, community-anchored institutions that serve most Jamaicans. Credit unions, cambios, microfinance lenders, and remittance providers play a vital role in financial inclusion, yet many operate with legacy platforms, lean security budgets, and fragmented vendor ecosystems. The result is a landscape where the regulatory bar continues to rise, but the capacity to meet it varies widely. 

 

Let's examine the ground reality across Jamaica's smaller regulated entities: 

| Segment | Sector Stats | Vulnerability Snapshot |
|---|---|---|
| Credit Unions | 25 institutions, J$176.7 billion in assets, 1.03 million members (as of Dec 2023) | Ageing core platforms, manual onboarding, and minimal cyber budgets. |
| Cambio | 43 licensed, 130 outlets (as of 11 Jun 2025) | High cash volume, thin compliance staffing, limited vendor scrutiny. |
| Microfinance / Remittance | Fastest-growing financial access points | Often outsource KYC and payment flows via agents and third-party apps. |

 

At the enforcement level, the Financial Investigations Division (FID) remains under-resourced: 

  • Just 83 staff out of a required 230, and  

  • Only 11 prosecutions and 8 convictions recorded in 2024 to date. 

 

Why AML & Cyber Risk Must Move in Lockstep 

Four shifts underscore why these domains are no longer separable: 

1.     Cyber telemetry can surface financial crime 
Login anomalies and digital fingerprints may reveal mule accounts faster than transaction monitoring. 
 

2.     Incident timelines are compressing 
BoJ requires cyber incident reporting within 72 hours; POCA mandates STRs within 15 days. Regulatory scrutiny will cut across both. 
 

3.     Outsourcing doesn't reduce accountability 
Principle 10 demands "security-by-design" across all digital relationships, including outsourced core banking, FX processing, and agent networks. 
 

4.     Board-level liability is rising 
Directors face personal penalties if system-wide lapses allow laundering or fraud, mirroring global DORA-style frameworks. 
 

 

The Gap Map: What Smaller FIs Are Still Missing  

Where smaller institutions are still exposed: 

| Gap | Root Cause | Quick Win |
|---|---|---|
| Legacy POS terminals left unpatched | Patch delays or cost prioritisation | Enforce online-only transaction protocols & endpoint whitelisting. |
| Poor STR data quality | Manual Excel-based reporting | Implement BoJ’s XML schema + simple risk rules. |
| No dedicated CISO or cyber budget | “IT manager handles it” mindset | Virtual or shared CISO model (esp. for CU leagues). |
| Absent vendor risk reviews | Limited staff, time, and tools | Deploy BoJ’s Third-Party Cyber Questionnaire (Appendix B-4). |
| Minimal threat intel consumption | No sector visibility | Enroll in CIISI-JM; begin tabletop exercises. |

 

Five Steps to Compliance Resilience in 2026 

Addressing each gap does not require a full-scale transformation. It requires prioritisation. Even without big-bank budgets, smaller institutions can close critical gaps with focus and structure: 

1.     Board-level Cyber Briefing 
Begin with a 2-hour session linking each BoJ principle to AML risks. 
 

2.     Cyber/AML Joint Risk Assessment 
Use BoJ's maturity model to map gaps in processes, staff, and tech. 
 

3.     Vendor Prioritisation 
Triage all third-party dependencies, starting with transaction-processing partners.
 

4.     Analytics Quick Layer 
Use rule-based tools to catch geographic anomalies, credential stuffing, or unexpected transaction velocity. 
 

5.     Simulation and Drills 
Pen tests and CIISI-JM-based table-top exercises should be logged and reported annually. 
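
The rule-based checks named in step 4 (credential stuffing and transaction velocity), combined with the shared-device signal from the first of the four shifts, can be expressed as follows. This is an added example, not BoJ's or any vendor's tooling: the event layouts, thresholds and function names are assumptions, the sample events are constructed, and the geographic rule is left out.

```python
from collections import defaultdict

# Constructed sample events, not real data. Thresholds below are assumptions.
# Logins: (epoch_seconds, account, source_ip, device_id, success)
LOGINS = [
    (1000, "A100", "203.0.113.7", "dev-1", False),
    (1020, "A101", "203.0.113.7", "dev-1", False),
    (1045, "A102", "203.0.113.7", "dev-1", False),
    (1060, "A103", "203.0.113.7", "dev-1", True),
    (2000, "B200", "198.51.100.4", "dev-9", True),
    (2300, "B201", "198.51.100.9", "dev-9", True),
    (2600, "B202", "198.51.100.12", "dev-9", True),
    (5000, "C300", "192.0.2.10", "dev-5", True),
]
# Outbound transfers: (epoch_seconds, account)
TXNS = [(3000, "B200"), (3100, "B200"), (3200, "B200"), (3300, "B200"), (9000, "C300")]

def credential_stuffing(logins, min_accounts=3, window=300):
    """Source IPs that failed logins on min_accounts+ distinct accounts within `window` s."""
    fails = defaultdict(list)
    for ts, acct, ip, _dev, ok in logins:
        if not ok:
            fails[ip].append((ts, acct))
    return {ip for ip, f in fails.items()
            if any(len({a for t, a in f if 0 <= t - s <= window}) >= min_accounts for s, _ in f)}

def shared_devices(logins, min_accounts=3):
    """Device fingerprints with successful logins to min_accounts+ distinct accounts."""
    accts = defaultdict(set)
    for _ts, acct, _ip, dev, ok in logins:
        if ok:
            accts[dev].add(acct)
    return {dev: sorted(a) for dev, a in accts.items() if len(a) >= min_accounts}

def velocity(txns, max_count=3, window=3600):
    """Accounts with more than max_count outbound transfers within `window` seconds."""
    times = defaultdict(list)
    for ts, acct in txns:
        times[acct].append(ts)
    return {a for a, stamps in times.items()
            if any(sum(0 <= t - s <= window for t in stamps) > max_count for s in stamps)}

def mule_candidates(logins, txns):
    """Accounts that sit on a shared device AND show transfer velocity: escalate to AML review."""
    on_shared = {a for accts in shared_devices(logins).values() for a in accts}
    return sorted(on_shared & velocity(txns))
```

Neither signal alone is conclusive (a family may share one phone, a merchant may legitimately send many transfers); the intersection is what narrows the queue handed to the AML analyst.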
 

Mind the Gap. Own the Edge 

 Cyber resilience is no longer optional, nor is it just an IT issue. It's a governance issue. A compliance issue. A regulatory expectation. 

Institutions that treat cyber as a pillar of AML can move faster, build trust with regulators, reassure correspondents, and attract younger, more digital-first customers. This is not just about compliance. It's about confidence. 

If you're in the compliance seat of a credit union, cambio, or MFI, the next BoJ exam won't just ask about STR logs. It will ask how your board responds to a ransomware event, how you score vendor controls, and how quickly you can shut down a mule ring using cyber signals, not just KYC forms. 

2026 is here. The gap is real. But so is your opportunity to lead.  

Let's build your next phase of resilience together. Schedule a Consultation Session. 

 

