The Cayman Islands Monetary Authority ("CIMA") has recently released a Statement of Guidance ("SOG") on Outsourcing [1] for all regulated entities (excluding regulated mutual funds [2], excluded persons under the Securities Investment Business Law (Revised) ("SIBL") and private trust companies [3]). The SOG will apply, inter alia, to banks, administrators, insurance companies and SIBL entities regulated in the Cayman Islands. It is not intended to be prescriptive, but sets out CIMA's minimum expectations regarding outsourcing.
Some of the key provisions to note include:
Intra-Group Arrangements – when outsourcing material functions to related entities (as defined in the SOG), the SOG sets out certain minimum requirements, including written agreements, a business continuity plan and a process for monitoring, reporting and oversight.
Risk Management – all regulated entities should implement a risk policy on outsourcing, have procedures in place to identify all material outsourcing arrangements and establish clear responsibility for monitoring service providers and outsourced material functions.
Assessing Service Providers – due diligence must be carried out on all service providers before an outsourcing agreement is entered into, and on a regular basis thereafter, to ensure that the provider is fit and proper and can perform the outsourced function.
Confidentiality – regulated entities should be satisfied that service providers have policies, procedures and physical and technological measures in place to protect confidential information of their customers.
Accountability – the governing body and senior management of a regulated entity are ultimately responsible for the effective management of risks arising from the outsourcing of material functions.
Termination and Exit Strategy – regulated entities should ensure that there is an exit strategy in place in the event that an outsourced material function or activity can no longer be carried out by a service provider. Accordingly, outsourcing agreements should include clear termination provisions and processes.
Relations with the Authority – regulated entities should notify CIMA in writing, within a reasonable timeframe, of any new outsourcing agreements (or the termination of existing agreements), when a material function or activity is being outsourced. Notifications should include details such as the function or service that is being outsourced, the name of the service provider and the location where the outsourced activity will be carried out.
Regulated entities impacted by this SOG are expected to utilise it to evaluate the risks associated with all existing and proposed outsourcing arrangements.
The SOG also provides that regulated entities should assess their existing outsourcing risk management framework and address any deficiencies within one year of issuance of the SOG.
1. Defined as "a regulated entity's use of a third party (either an affiliated entity within a group or an entity that is external to the corporate group) to perform functions or activities on a continuing basis that would normally be undertaken by the regulated entity, now or in the future".
2. As defined in the Mutual Funds Law (Revised).
3. As defined in the Private Trust Companies Regulations (Revised).