The Cayman Islands Monetary Authority ("CIMA") has
recently released a Statement of Guidance ("SOG") on
Outsourcing1 for all regulated entities (excluding
regulated mutual funds2, excluded persons under the
Securities Investment Business Law (Revised) ("SIBL") and
private trust companies3). The SOG will apply inter
alia to, banks, administrators, insurance companies and SIBL
entities regulated in the Cayman Islands. It is not intended to be
prescriptive, but sets out CIMA's minimum expectations
Some of the key provisions to note include:
Intra-Group Arrangements – when
outsourcing material functions to related entities (as defined in
the SOG), the SOG sets out certain minimum requirements, including
written agreements, a business continuity plan and a process for
monitoring, reporting and oversight.
Risk Management – all regulated
entities should implement a risk policy on outsourcing, have
procedures in place to identify all material outsourcing
arrangements and establish clear responsibility for monitoring
service providers and outsourced material functions.
Assessing Service Providers –
due diligence must be carried out on all service providers before
an outsourcing agreement is entered into, and on a regular basis
thereafter, to ensure that the provider is fit and proper and can
perform the outsourced function.
Confidentiality – regulated
entities should be satisfied that service providers have policies,
procedures and physical and technological measures in place to
protect confidential information of their customers.
Accountability – the governing
body and senior management of a regulated entity are ultimately
responsible for the effective management of risks arising from the
outsourcing of material functions.
Termination and Exit Strategy –
regulated entities should ensure that there is an exit strategy in
place in the event that an outsourced material function or activity
can no longer be carried out by a service provider. Accordingly,
outsourcing agreements should include clear termination provisions
Relations with the Authority –
regulated entities should notify CIMA in writing, within a
reasonable timeframe, of any new outsourcing agreements (or the
termination of existing agreements), when a material function or
activity is being outsourced. Notifications should include details
such as the function or service that is being outsourced, the name
of the service provider and the location where the outsourced
activity will be carried out.
Regulated entities impacted by this SOG are expected to utilise
it to evaluate the risks associated with all existing and proposed
The SOG also provides that regulated entities should assess
their existing outsourcing risk management framework and address
any deficiencies within one year of issuance of the SOG.
1. Defined as "a regulated entity's use of a
third party (either an affiliated entity within a group or an
entity that is external to the corporate group) to perform
functions or activities on a continuing basis that would normally
be undertaken by the regulated entity, now or in the
2. As defined in the Mutual Funds Law
3. As defined in the Private Trust Companies Regulations
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On the 9 September 2016 the MFSA issued feedback to its consultation of the 1 April 2016 in relation to intra-group loans.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).