Regulation & Compliance15 min read

Willemstad Beat Kingston to the Punch: The First Caribbean Central Bank to Put AI Risk in Writing

By Nicholas Dunkley·Jul 15, 2026
TLDR
  • The Centrale Bank van Curaçao en Sint Maarten (CBCS) published its Financial Stability Report 2026 on 19-20 May 2026, and it is the first official document from a Caribbean central bank to name AI-generated deepfakes as a financial-stability risk in writing.
  • CBCS says it is developing new guidance and supervisory measures covering cybersecurity, third-party technology providers, operational resilience, and artificial intelligence within its banks, insurers, and pension funds. No implementation date has been published.
  • As of mid-2026, the Bank of Jamaica, the Central Bank of Trinidad and Tobago, and the Eastern Caribbean Central Bank have not published a standalone AI supervisory document of their own, even though all three sit over financial systems larger than the Curaçao and Sint Maarten union.
  • Curaçao itself is only an associate member of CARICOM, a status it acquired in 2024, one rung short of the full membership held by Jamaica, Trinidad and Tobago, and Barbados. The jurisdiction with the smaller seat at the CARICOM table moved first on paper.
  • Sumsub's identity fraud data for 2025-2026 recorded a 255% year-over-year rise in deepfake fraud across Latin America and the Caribbean, against a global cybercrime cost CBCS itself cites at roughly $10.3 trillion in 2025. The urgency is not hypothetical; the guidance that would answer it is still unwritten almost everywhere in the region.
Turquoise Caribbean coastal waters, representing the Dutch Caribbean monetary union of Curacao and Sint Maarten

Photo via Unsplash

On 19 May 2026, the Centrale Bank van Curaçao en Sint Maarten released its Financial Stability Report 2026. Its headline finding, reported the next day in local Papiamentu-language coverage, was reassuring: banks, insurers, and pension funds across the monetary union remain resilient despite rising global uncertainty. Buried inside that reassurance is a sentence no other Caribbean central bank has yet put into an official publication. CBCS named "growing concerns over AI-generated deepfakes and other technologies that can be used to manipulate identities, financial transactions, and communications" as a live threat to financial stability, and said it is developing new guidance and supervisory measures covering cybersecurity, third-party technology providers, operational resilience, and artificial intelligence across the institutions it supervises. That is a small paragraph in a routine annual report. It is also the first time a Caribbean regulator has committed, on the record, to writing AI-specific rules for the institutions that hold the region's deposits and pay its pensions.

What Willemstad Actually Published on 19 May

CBCS is the joint central bank for Curaçao and Sint Maarten, two constituent countries of the Kingdom of the Netherlands that share a monetary union and a single financial regulator. Its Financial Stability Report is the standard annual instrument central banks use to assess whether the banking, insurance, and pension sectors under their supervision can absorb shocks: capital ratios, liquidity buffers, non-performing loan trends. The 2026 edition concludes the union's banks, insurers, and pension funds remain resilient despite headwinds. What sets it apart is that CBCS President Richard Doornbosch used the same report to say the institution will continue strengthening its regulatory and supervisory framework in direct response to cyber and AI risk, work already underway rather than a future aspiration. The report cites global cybercrime costs of approximately $10.3 trillion in 2025, large enough that CBCS treats cybercrime broadly as one of the top financial-stability risks facing the union. AI-generated deepfakes are named as a specific mechanism inside that threat, capable of manipulating identities, financial transactions, and communications, the three functions a bank, an insurer, and a pension administrator each depend on getting right every day.

What the report does not yet contain is a timeline. CBCS says the new guidance is in development, covering cybersecurity, third-party technology providers, operational resilience, and AI, but does not say when it will be finalised, what form it will take, or which institutions will be first in scope. That is a real gap, and this article returns to it below. But naming the risk in an official supervisory document, with a president willing to put his name to a commitment to act on it, is itself a step no other Caribbean central bank has taken publicly.

Why a Financial Stability Report Is the Right Place for This Sentence

It would be easy to read CBCS's move as a bureaucratic footnote. It is not. A financial stability report is not a speech; it is the instrument a central bank uses to tell markets, depositors, and its own board what keeps it up at night, and it typically becomes the basis for the supervisory actions that follow in the next reporting cycle. Naming AI-generated deepfakes there, rather than in a conference remark, signals that CBCS intends to treat AI risk the way it treats capital adequacy or liquidity risk: supervised, not merely discussed. A speech can be forgotten. A line item in a financial stability report tends to generate a follow-up examination.

Scale matters here too. Curaçao and Sint Maarten form one of the smaller financial systems in the wider Caribbean, built substantially around offshore financial services and a compact domestic banking sector. If a regulator overseeing a system that size judged AI-generated deepfake risk significant enough to name in its flagship report, the case for CARICOM's larger systems, Jamaica's, Trinidad and Tobago's, Barbados's, doing the same is not weaker. It is stronger, since those systems carry more depositors, more cross-border correspondent banking relationships, and more exposure to the identity-verification failures deepfakes are built to exploit.

Rows of servers in a data centre, representing the financial-sector technology infrastructure now under central bank supervisory review

Photo via Unsplash

The Comparison the Region Would Rather Skip

Set CBCS's move against the rest of the region and the gap is stark. The Bank of Jamaica publishes a regular stream of Standards of Best Practice for deposit-taking institutions, most recently a consultation paper on customer complaint resolution in April 2026 and a liquidity coverage ratio standard in March 2026. Neither is an AI document, and no dedicated AI supervisory standard from the Bank of Jamaica has been published as of this writing. The Central Bank of Trinidad and Tobago describes AI adoption in its domestic financial sector as still at an early stage, and while the country's Ministry of Public Administration and Artificial Intelligence issued a media release on 16 January 2026 on national AI policy development, that work sits with a ministry, not a central bank writing supervisory rules for banks and insurers. The Eastern Caribbean Central Bank, which supervises the eight-member Eastern Caribbean Currency Union, has issued public consumer warnings about AI-powered financial scams, but it too has not published a standalone AI supervisory guidance document for the institutions it regulates.

None of this means those regulators are unaware of the risk. It means that, as of mid-2026, the only Caribbean central bank to put a written, on-the-record commitment to AI-specific supervisory guidance into its flagship report is CBCS, a regulator whose jurisdiction, Curaçao, holds only associate membership in CARICOM, a status conferred in 2024, one tier below the full membership Jamaica, Trinidad and Tobago, and Barbados each hold. The jurisdiction with less formal standing inside the region's own integration body moved first on the substance that matters to depositors: a written commitment from the regulator that actually supervises the money.

What "Developing New Guidance" Has to Mean, Concretely

A commitment to develop guidance is not guidance. For CBCS's stated intention, and for any CARICOM central bank that follows its lead, to become something a compliance officer can implement, four things need to happen. A definition of what counts as an AI system for supervisory purposes, distinguishing a rules-based fraud filter from a generative model capable of producing synthetic voice, video, or documents. A third-party scope, since CBCS grouped AI with technology-vendor risk, saying whether AI exposure inherited through a core-banking or fraud-detection vendor is treated the same as AI a bank builds itself. An incident-reporting channel, since no Caribbean regulator currently collects AI-specific fraud data separate from general cyber-incident reporting. And a compliance date, since a supervisory expectation without one tends to lose out to every other institutional priority.

The OECD's January 2026 report on the supervision of AI in finance, and the Bank for International Settlements' work on AI governance in central banks, both offer template language Caribbean regulators could adapt rather than draft from scratch. Neither expects a small regulator to build AI supervision from first principles, and CBCS does not need to either. What it, and any CARICOM regulator that follows, needs is a public date by which draft guidance moves from developing to published.

Why the Deepfake Numbers Make Patience the Wrong Posture

The case for urgency does not rest on CBCS's report alone. Sumsub's identity fraud data covering 2025 into 2026 recorded deepfake fraud rising 255% year over year across Latin America and the Caribbean as a combined region, a smaller jump than the Middle East's 643% or Africa's 393% but still a near-fourfold increase in a single year. Synthetic identity fraud, which uses AI to construct plausible but fictitious identities rather than clone a real person's voice or face, now accounts for close to half of identity fraud cases Sumsub tracks in Latin America. None of that data is Caribbean-specific in isolation; Sumsub reports Latin America and the Caribbean together. But it is the regional band CBCS's own financial system sits inside, and it is consistent with the $10.3 trillion global cybercrime figure the CBCS report itself cites.

The practical read for a Caribbean bank, insurer, or credit union: the identity-verification assumptions built into call-centre authentication, video KYC onboarding, and wire-transfer approval chains were designed for a threat model Sumsub's own numbers say is now moving nearly 2.5 times faster than it was twelve months earlier. A supervisory guidance document that arrives in 2028 answers a 2026 threat two years late.

Third-Party Technology Risk Is the Part Everyone Underweights

CBCS's decision to group AI risk with third-party technology providers in a single workstream is worth dwelling on, because it is easy for an institution to assume AI risk applies only when it builds or buys an AI product outright. Most Caribbean banks and insurers already carry AI exposure through vendors: a core-banking platform with a bolted-on fraud-scoring model, a call-centre provider that added voice-biometric authentication, a claims system with an AI-assisted document reader. None of those typically appear on a board's AI risk register, because the institution did not choose the model or know it changed. A framework that treats AI risk as something that only shows up when an institution deliberately deploys a model will miss most of where the risk sits. Any CARICOM regulator building an equivalent framework should start from the same premise: map vendor contracts for embedded AI functionality before assuming the institution's own AI footprint is small.

What a CARA-Aligned Supervisory Approach Would Add

CAIRMC's own Caribbean AI Risk Assessment methodology, CARA, was built for exactly this gap: a structured way to classify AI systems by risk tier, whether built in-house or inherited through a vendor contract, and attach proportionate controls to each tier rather than treating every AI touchpoint as equally urgent. A Caribbean central bank writing AI supervisory guidance from scratch does not need to invent a risk taxonomy; a four-tier structure aligned to the logic the EU AI Act uses for its own risk categories, adapted to Caribbean institutional realities, already exists. The Qualified AI Risk Professional certification CAIRMC administers gives a compliance function the specific competency a deepfake-aware KYC review or a third-party AI vendor audit requires, rather than relying on general cybersecurity training built before generative AI existed. Regulators writing first drafts of AI supervisory guidance do not have to choose between speed and rigour if they start from a framework built for the region they supervise.

A Practical Checklist for Caribbean Regulators and Institutions

Six actions are available now, independent of whether or when a CARICOM regulator follows CBCS's lead.

Publish a date, not just an intention. A commitment to develop guidance becomes useful to every institution the moment it attaches a publication date.

Map AI exposure through vendor contracts first. Audit core-banking, KYC, and fraud-detection vendor contracts for embedded AI functionality institutions did not explicitly choose.

Separate AI-fraud incident data from general cyber-incident data. A single combined category makes it impossible to measure whether deepfake-specific controls are working.

Test voice and video authentication against synthetic samples, not only against known-fraudulent numbers, given how little source material modern voice cloning requires.

Read CBCS's Financial Stability Report 2026 as a template. Naming a risk inside a financial-stability instrument and committing publicly to follow-through transfers directly to any CARICOM central bank willing to use it.

Engage CAIRMC's CARA methodology and QAIRP certification before building an AI supervisory framework from a blank page.

Financial data and charts displayed on a screen, representing the risk-monitoring systems Caribbean regulators are being asked to build

Photo via Unsplash

Where This Leaves the Region

None of this is a criticism of CBCS. Naming AI-generated deepfakes as a financial-stability risk, and putting a president's name to a commitment to supervise it, is exactly the kind of concrete step CAIRMC's research programme has been asking Caribbean regulators to take. The argument here is narrower. A regulator from a jurisdiction holding associate rather than full CARICOM membership has now done in writing what the central banks supervising Jamaica, Trinidad and Tobago, and the Eastern Caribbean Currency Union have not. That is not a reason to wait for those larger regulators to catch up. It is a reason for boards, compliance officers, and fraud teams inside those jurisdictions to start building the vendor-AI inventories, incident logs, and authentication testing described above now, so that whenever their own regulator publishes an equivalent, the institutions it supervises are not starting from zero.

Caribbean AI Risk Management Council research exists because the region cannot afford to wait for every regulator to move at the same pace before its riskiest institutions manage AI risk seriously. That work draws support from StarApple AI, widely credited as the first artificial intelligence company built in the Caribbean, and much of CAIRMC's underlying framework carries the direct involvement of Adrian Dunkley, the figure most consistently cited across the region as its leading voice on AI risk governance. CBCS wrote one sentence into a routine annual report that the rest of the Caribbean's central banks have not yet written. The institutions that read it as a preview, not an outlier, will be least exposed when the next regulator writes theirs.

Related reading across the Caribbean AI network

This article sits alongside ongoing coverage of AI governance, risk, and company-building across the region. For related perspectives:

  • Adrian Dunkley's own analysis of Caribbean AI governance and risk leadership
  • StarApple AI, the company building Caribbean-specific AI products and infrastructure
  • Caribbean Insurance for sector-specific coverage of the institutions most exposed to the third-party AI risk described above
  • AI Jamaica for national-level tracking of the Bank of Jamaica's own regulatory posture
  • AI Trinidad & Tobago, tracking AI policy developments in a second full CARICOM member state discussed above
  • Caribbean AI Association for adoption trends across the financial institutions this supervisory gap affects

Frequently Asked Questions

What did CBCS publish and when?

The Centrale Bank van Curaçao en Sint Maarten (CBCS) published its Financial Stability Report 2026 on 19-20 May 2026. Alongside a finding that banks, insurers, and pension funds in the Curaçao and Sint Maarten monetary union remain resilient, the report names AI-generated deepfakes as a growing financial-stability risk and states that CBCS is developing new guidance and supervisory measures covering cybersecurity, third-party technology providers, operational resilience, and artificial intelligence.

Is CBCS the first Caribbean central bank to name AI risk in an official report?

As of mid-2026, CBCS is the first Caribbean central bank to name AI-generated deepfakes as a financial-stability risk in a flagship supervisory publication and to commit publicly to developing AI-specific supervisory guidance. The Bank of Jamaica, the Central Bank of Trinidad and Tobago, and the Eastern Caribbean Central Bank had not published an equivalent standalone AI supervisory document at the time of writing.

Is Curaçao a full member of CARICOM?

No. Curaçao became an associate member of CARICOM in 2024, a tier below the full membership held by Jamaica, Trinidad and Tobago, Barbados, and twelve other CARICOM states. Its central bank, CBCS, moved first on written AI supervisory commitments despite that lesser formal standing within the region's main integration body.

What specific AI risk does the CBCS report identify?

The report cites growing concerns over AI-generated deepfakes and related technologies capable of manipulating identities, financial transactions, and communications. It frames this within a broader warning about rising global cybercrime costs, which it puts at approximately 10.3 trillion US dollars in 2025, and groups AI risk with third-party technology provider risk and operational resilience as areas needing new supervisory measures.

How fast is deepfake fraud growing in the Caribbean and Latin America?

Sumsub's identity fraud data covering 2025 into 2026 recorded a 255% year-over-year increase in deepfake fraud across Latin America and the Caribbean, tracked as a combined region. That compares with steeper increases of 643% in the Middle East and 393% in Africa, but still represents a near-fourfold rise in a single year for the region CBCS's financial system sits within.

Has CBCS set a deadline for its new AI supervisory guidance?

No. The Financial Stability Report 2026 states that CBCS is developing new guidance and supervisory measures on cybersecurity, third-party technology providers, operational resilience, and AI, but does not specify a publication date, the form the guidance will take, or which institutions will be first in scope.

What should Caribbean banks and insurers do while regulators finalise AI guidance?

Map AI exposure inherited through vendor contracts such as core-banking, KYC, and fraud-detection platforms, separate AI-related fraud incidents from general cyber-incident logs, test voice and video authentication against synthetic samples, and consider CAIRMC's CARA risk assessment methodology and QAIRP certification to build internal capability ahead of formal regulatory requirements.

What is CARA and how does it relate to this gap?

CARA, the Caribbean AI Risk Assessment methodology, is CAIRMC's proprietary framework for classifying AI systems, including those inherited through third-party vendors, into risk tiers with proportionate controls. It offers Caribbean regulators and institutions a regionally built starting point for AI supervisory frameworks rather than requiring them to adapt standards built for larger, non-Caribbean financial systems.

Sources and References
  • Centrale Bank van Curaçao en Sint Maarten (CBCS): Financial Stability Report 2026, published 19-20 May 2026
  • Curaçao Chronicle: "CBCS Warns Cybercrime and AI Threaten Financial Stability," 20 May 2026
  • Curaçao Chronicle: "CBCS Says Cyber Threats and Artificial Intelligence Are Increasing Financial Risks," 19 May 2026
  • Live99FM: "CBCS ta publiká informe di stabilidat finansiero 2026," 19 May 2026
  • CARICOM: "Curaçao joins CARICOM, pledges to leverage cultural, economic strengths," associate membership, 2024
  • Sumsub: Identity Fraud Report 2025-2026
  • OECD: "Supervision of Artificial Intelligence in Finance: Challenges, Policies," January 2026
  • Bank for International Settlements: "Governance of AI adoption in central banks"
  • Ministry of Public Administration and Artificial Intelligence, Trinidad and Tobago: media release, 16 January 2026
  • Eastern Caribbean Central Bank: consumer advisory on AI-powered financial scams; 2025-2026 financial year reporting
  • Caribbean AI Risk Management Council: CARA methodology and QAIRP certification, caribbeanairisk.com