As business and commerce grow there is a need for primary service providers to rely on and use secondary service providers to support their business needs from an operational perspective. Essentially, outsourcing is a business practice in which businesses use external providers to assist with carrying out business processes that would otherwise be handled internally.
Under both the British Virgin Islands (BVI) and Cayman Islands regulatory regimes, outsourcing is a recognised practice. However, entities that are subject to the regime in both jurisdictions need to be conscious of the parameters within which they are allowed to operate their business while using and relying on outsourced practices.
Below is a comparison of the outsourcing rules in the BVI and the Cayman Islands.
Should you require any assistance with legal advice, reviewing or drafting outsourcing agreements, putting in place any outsourcing policies and procedures, etc please feel free to get in touch with the author or your usual Harneys contact.
Description |
British Virgin
|
Cayman
|
---|---|---|
Legal
|
In the BVI, the regulatory rules on outsourcing are primarily contained in sections 50 to 54 of Division 5 of the Regulatory Code 2009 (the RC09). These rules would primarily apply to entities that are licensed or registered under the:
|
In the Cayman Islands, the regulatory rules on outsourcing are contained in the Cayman Islands Monetary Authority's (CIMA) Statement of Guidance: Outsourcing Regulated Entities 2023 (the SOG). The SOG applies to all entities regulated by CIMA including controlled subsidiaries within the Banks and Trust Companies Act (Revised) (BTCA). For these purposes, a regulated entity is an entity that s regulated by CIMA in accordance with the:
The SOG does not apply to regulated mutual funds as defined in the Mutual Funds Act (Revised), private trust companies as defined in the Private Trust Companies Regulations (Revised), and private funds as defined in the Private Funds Act (Revised). The SOG applies regardless of whether the outsourcing arrangement established by a regulated entity is with a related or unrelated entity. |
Considerations |
Typically, under BVI law, a licensee should not outsource an activity unless they act in accordance with the requirements of the RC09. To this extent, a licensee should not outsource:
For these purposes, the following would be considered as core management functions:
|
A regulated entity should assess the materiality of its outsourcing arrangements, and without limiting the scope of its assessments, should consider:
|
Policies and
|
Where a licensee chooses to outsource specific business functions, it would need to establish a comprehensive outsourcing policy with respect to the activities that are being outsourced (ie the relevant activities). The outsourcing policy should:
The outsourcing policy should, on a risk-based approach, take into account the extent to which the activity to be outsourced is material to its regulated business. |
Where an outsourcing arrangement will be put in place, the regulated entity should ensure that the arrangements meet the following minimum criteria:
A regulated entity should at a minimum:
|
Responsibility |
Even though an activity is outsourced to a third-party provider, the board of directors of the licensee should:
in accordance with the licensee's outsourcing policy. |
The governing body and senior management of a regulated entity are ultimately responsible for the effective management of risks arising from the outsourced material functions. |
Risk
|
It is important that a licensee that outsources any activities should establish and maintain appropriate and adequate systems and controls to manage any outsourcing risks inherent to the type of business being conducted. The outsourcing management risk systems and controls should:
|
A regulated entity should assess the following types of risks in relation to any outsourcing:
|
Due diligence |
Before entering into any outsourcing arrangement, the licensee should undertake appropriate due diligence with respect to the third-party service provider who will be undertaking the service in order to assess:
|
A regulated entity should perform in writing and maintain as part of its record a due diligence assessment of the service provider before entering into the initial outsourcing agreement and on a regular basis (at least annually) in order to ensure that the service provider is fit and proper and can effectively perform the outsourced material function or activity. The due diligence should consist of:
|
Written
|
The outsourcing of an activity should be governed by a written contract with the service provider that:
|
A regulated entity should have a detailed written agreement containing:
|
Contingency
|
The licensee should also establish and maintain a contingency plan for each outsourcing agreement that it enters into. |
A regulated entity should be satisfied that the service provider has in place policies and procedures and physical and technological measures to protect information that a customer of the regulated entity might reasonably expect to be confidential. A regulated entity should ensure that the service provider can identify conflicts of interests and ensure that preventative measures are taken to manage any such conflicts. The regulated entity should ensure that there is a termination or exit strategy in the event that a service provider can no longer perform the outsourced function, a breach occurs or if the nature of the agreement has changed. |
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.