ARTICLE
31 January 2025

An Overview Of Outsourcing In The BVI And The Cayman Islands

H
Harneys

Contributor

Harneys logo

Harneys is a full-service offshore law firm offering expert legal advice on the laws of jurisdictions including the British Virgin Islands, Cayman Islands, Luxembourg, and more. Established in 1960, the firm has grown to 11 global locations with over 180 lawyers, serving top law firms, financial institutions, investment funds, and high-net-worth individuals. Harneys provides comprehensive legal support across transactional, contentious, and private client matters, often in collaboration with Harneys Fiduciary, which delivers corporate and wealth management services. Known for its role in shaping offshore jurisprudence, the firm also advises on legislative developments and excels in handling complex cross-border transactions and disputes.

Explore Firm Details
As business and commerce grow there is a need for primary service providers to rely on and use secondary service providers...
Worldwide Corporate/Commercial Law
Mirza Manraj
Your Author LinkedIn Connections

As business and commerce grow there is a need for primary service providers to rely on and use secondary service providers to support their business needs from an operational perspective. Essentially, outsourcing is a business practice in which businesses use external providers to assist with carrying out business processes that would otherwise be handled internally.

Under both the British Virgin Islands (BVI) and Cayman Islands regulatory regimes, outsourcing is a recognised practice. However, entities that are subject to the regime in both jurisdictions need to be conscious of the parameters within which they are allowed to operate their business while using and relying on outsourced practices.

Below is a comparison of the outsourcing rules in the BVI and the Cayman Islands.

Should you require any assistance with legal advice, reviewing or drafting outsourcing agreements, putting in place any outsourcing policies and procedures, etc please feel free to get in touch with the author or your usual Harneys contact.

Description

British Virgin
Islands

Cayman
Islands

Legal
provisions

In the BVI, the regulatory rules on outsourcing are primarily contained in sections 50 to 54 of Division 5 of the Regulatory Code 2009 (the RC09). These rules would primarily apply to entities that are licensed or registered under the:

  • Banks and Trust Companies Act 1990 (general, restricted Class I and restricted Class II banking licences together with Class I, II, and III trust licences and restricted Class II and III trust licences);
  • Insurance Act 2008 (Category A, B, C, and D licences together with insurance managers and insurance intermediaries licences);
  • Company Management Act 1990 (company management licences);
  • Financing and Money Services Act 2009 (Class A, B, C, D, E, and F licences);
  • Securities and Investment Business Act 2010 (investment business licences); and
  • Virtual Asset Service Providers Act 2022.

In the Cayman Islands, the regulatory rules on outsourcing are contained in the Cayman Islands Monetary Authority's (CIMA) Statement of Guidance: Outsourcing Regulated Entities 2023 (the SOG). The SOG applies to all entities regulated by CIMA including controlled subsidiaries within the Banks and Trust Companies Act (Revised) (BTCA). For these purposes, a regulated entity is an entity that s regulated by CIMA in accordance with the:

  • BTCA;
  • Building Societies Act (Revised);
  • Companies Management Act (Revised);
  • Cooperative Societies Act (Revised);
  • Development Bank Act (Revised);
  • Insurance Act (Revised);
  • Money Services Act (Revised);
  • Directors Registration and Licensing Act (Revised);
  • Securities Investment Business Act (Revised).

The SOG does not apply to regulated mutual funds as defined in the Mutual Funds Act (Revised), private trust companies as defined in the Private Trust Companies Regulations (Revised), and private funds as defined in the Private Funds Act (Revised).

The SOG applies regardless of whether the outsourcing arrangement established by a regulated entity is with a related or unrelated entity.

Considerations

Typically, under BVI law, a licensee should not outsource an activity unless they act in accordance with the requirements of the RC09. To this extent, a licensee should not outsource:

  • the compliance function or a core management function; or
  • an activity if the outsourcing of that activity would:
    • impair the BVI Financial Services Commission's ability to supervise the licensee; or
    • affect the rights of a customer against the licensee, including the right to obtain legal redress;

For these purposes, the following would be considered as core management functions:

  • the setting and approval of the licensee's risk management and other strategies;
  • the oversight of the licensee's policies, systems and controls; and
  • the responsibility for the delivery of services to the licensee's customers.

A regulated entity should assess the materiality of its outsourcing arrangements, and without limiting the scope of its assessments, should consider:

  • the impact of the outsourcing arrangements on its finance, reputation and operations, or a significant business line, particularly if the service provider, or group of affiliated service providers should fail to perform over a given period of time depending on the nature of the outsourced function/service;
  • its ability to maintain appropriate internal controls and meet regulatory requirements, particularly if the service provider were to experience problems;
  • the cost of the outsourcing arrangement;
  • the risk of potential loss, temporary or permanently, of access to important data; and
  • the degree of difficulty and time required to find an alternative service provider or to bring the business activity "in-house".

Policies and
arrangements

Where a licensee chooses to outsource specific business functions, it would need to establish a comprehensive outsourcing policy with respect to the activities that are being outsourced (ie the relevant activities). The outsourcing policy should:

  • consider the potential effects of outsourcing on the compliance function;
  • include an evaluation of whether, and the extent to which the relevant activities are appropriate for outsourcing;
  • specify criteria for making outsourcing decisions, including how, and to whom, particular types of relevant activities should be outsourced; and
  • provide for outsourcing only as permitted by and in accordance with the RC09.

The outsourcing policy should, on a risk-based approach, take into account the extent to which the activity to be outsourced is material to its regulated business.

Where an outsourcing arrangement will be put in place, the regulated entity should ensure that the arrangements meet the following minimum criteria:

  • a written outsourcing agreement that details, the scope of the arrangement, the service to be supplied, the nature of the relationship between the regulated entity and the service provider; and procedure governing the sub-contracting of services;
  • an appropriate business continuity plan that is designed to handle foreseeable risks;
  • an appropriate process for monitoring, reporting and oversight;
  • an exit strategy;
  • location of books and records; and
  • be subject to appropriate internal and external audit and risk controls.

A regulated entity should at a minimum:

  • implement a policy on outsourcing approved by the governing body;
  • have proper procedures in place to identify all outsourcing arrangements;
  • establish and document an adequate risk management framework, systems etc to monitor its outsourcing arrangements;
  • establish clear responsibility in-house for monitoring the conduct of the service provider;
  • establish feasible contingency plans in the event that outsourcing fails;
  • ensure that limits regarding the level or authority that enables the approval of the outsourcing of material functions or activities is governed by appropriate policies and procedures giving regard to the level of risk surrounding the outsourcing.

Responsibility

Even though an activity is outsourced to a third-party provider, the board of directors of the licensee should:

  • approve the licensee's outsourcing policy and keep it under review;
  • be responsible for ensuring that:
    • outsourcing decisions are taken; and
    • outsourced activities are undertaken,

in accordance with the licensee's outsourcing policy.

The governing body and senior management of a regulated entity are ultimately responsible for the effective management of risks arising from the outsourced material functions.

Risk
assessment

It is important that a licensee that outsources any activities should establish and maintain appropriate and adequate systems and controls to manage any outsourcing risks inherent to the type of business being conducted. The outsourcing management risk systems and controls should:

  • provide for the monitoring and controlling of the licensee's outsourcing arrangements; and
  • take full account of the key outsourcing risks.

A regulated entity should assess the following types of risks in relation to any outsourcing:

  • strategic risk;
  • reputation risk;
  • compliance risk;
  • operational risk;
  • exit strategy risk;
  • counterparty risk;
  • country risk;
  • contractual risk;
  • access risk; and
  • concentration and systemic risk.

Due diligence

Before entering into any outsourcing arrangement, the licensee should undertake appropriate due diligence with respect to the third-party service provider who will be undertaking the service in order to assess:

  • the service provider's capacity and ability to perform the outsourced activities; and
  • the risks associated with outsourcing the proposed activities to the service provider.

A regulated entity should perform in writing and maintain as part of its record a due diligence assessment of the service provider before entering into the initial outsourcing agreement and on a regular basis (at least annually) in order to ensure that the service provider is fit and proper and can effectively perform the outsourced material function or activity. The due diligence should consist of:

  • human, financial and technical resources (including IT systems) to effectively undertake the outsourced tasks;
  • ability, capacity, and any authorisation required by law to perform the outsourced material functions or activities in a reliable and professional manner;
  • ability to safe-guard the confidentiality, integrity, and availability of information entrusted;
  • corporate governance, risk management, security, internal controls, reporting, and monitoring processes;
  • reputation, complaints, or pending litigation;
  • business continuity arrangements and contingency plans;
  • reliance on and success in dealing with sub-contractors;
  • policies in general, business culture and how they align with the regulated entity's own policies; and
  • knowledge of the Cayman Islands framework.

Written
agreement
or contract

The outsourcing of an activity should be governed by a written contract with the service provider that:

  • clearly specifies all material aspects of the outsourcing arrangements including:
    • the activities to be outsourced;
    • the rights and responsibilities of the parties;
    • the protection by the service provider of confidential information relating to the licensee or its customers; and
  • gives the licensee and, if relevant, its auditor access to all documents and information relevant to the outsourced activity, at all times.

A regulated entity should have a detailed written agreement containing:

  • scope of arrangement, including but not limited to services to be provided, rights, responsibilities and expectations of all parties, reporting requirements etc;
  • nature of relationship;
  • obligation of the service provider to identify, disclose, monitor and manage conflicts of interest;
  • remuneration terms under the agreement;
  • contingency plans and business continuity plans;
  • obligation of the service provider to maintain appropriate insurance coverage;
  • dispute and remedy process;
  • obligation to notify the regulated entity in the event of any breaches; and
  • procedure governing sub-contracting.

Contingency
plan

The licensee should also establish and maintain a contingency plan for each outsourcing agreement that it enters into.

A regulated entity should be satisfied that the service provider has in place policies and procedures and physical and technological measures to protect information that a customer of the regulated entity might reasonably expect to be confidential.

A regulated entity should ensure that the service provider can identify conflicts of interests and ensure that preventative measures are taken to manage any such conflicts.

The regulated entity should ensure that there is a termination or exit strategy in the event that a service provider can no longer perform the outsourced function, a breach occurs or if the nature of the agreement has changed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Mirza Manraj
Mirza Manraj
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More