The Cayman Islands Monetary Authority ("CIMA") has issued comprehensive guidance on the outsourcing of material functions and regulatory requirements by regulated entities (the "Guidance"). This requires regulated entities that fall within the Guidance's scope to review (and potentially revise) existing outsourcing arrangements and, where functions are to be outsourced, to put in place certain internal procedures. Notably, CIMA may, on a case-by-case basis, impose additional requirements on a regulated entity where an outsourcing arrangement has a potential negative impact on the entity or its customers. The Guidance reflects good business practice and it is expected that regulated entities' existing policies and procedures should, on the whole, be reflective of the Guidance.
While CIMA recognises the potential benefits from outsourcing (for example, to take advantage of economies of scale or specialist expertise), the Guidance has been issued to ensure that the outsourcing of functions by a regulated entity does not expose that entity to greater strategic, reputational and operational risk and that customers remain adequately protected.
Entities regulated by CIMA (with the exception of regulated mutual funds, excluded persons under the Securities Investment Business Law and private trust companies) ("Regulated Entities") will be subject to the Guidance. The Guidance applies to all outsourcing arrangements where a Regulated Entity utilises a third-party service provider (whether an affiliate or an entity external to the corporate group) to perform functions or activities on a continuing basis that would normally be undertaken by the Regulated Entity ("Service Provider"). Accordingly, while the Guidance may not technically apply to a Cayman branch's outsourcing arrangements within the same legal entity, CIMA expects the Cayman branch to adhere to certain fundamental principles.
The Guidance is not exhaustive and sets out CIMA's minimum expectations as to the protections and procedures that should be put in place to ensure that a Regulated Entity's level of risk does not materially increase as a result of outsourcing. The Guidance also contains factors for consideration in determining the materiality of outsourced functions (e.g. management oversight functions). Further, the Guidance is clear that, where functions are outsourced, the Regulated Entity remains responsible for those functions and any connected regulatory requirements.
Regulated Entities are required to implement a risk policy with respect to outsourcing. This will require putting in place procedures to, among other things, identify all material outsourcing arrangements and to control and monitor such arrangements. Further, contingency plans will need to be put in place to cover off the potential failure of a Service Provider. This will require ensuring that there is a clear termination and/or exit strategy in the event that, among other things, a material function that has been outsourced can no longer be carried out by the Service Provider.
The governing body and senior management of the Regulated Entity will be ultimately responsible for the effective management of risks arising from the outsourcing of material functions. The governing body must set (and keep under review) clear outsourcing policies, and provide clear guidance on such policies to senior management.
Written due diligence assessments are required for all Service Providers before an outsourcing agreement is entered into and then, going forward, at least annually. This is to ensure that the Service Provider is, at the outset, fit and proper and can effectively perform the material outsourced function (and that this remains the case throughout the course of the outsourcing arrangement).
Legally binding written agreements are required for all material outsourcing arrangements irrespective of whether such arrangements are with related or unrelated parties. This agreement should contain, among other things, a clear allocation of responsibilities between the Service Provider and the Regulated Entity and the level of performance required from the Service Provider. Such agreements are required to be reviewed regularly.
Regulated Entities should ensure that Service Providers have in place policies, procedures and physical and technological measures to protect the confidential information of customers. All books and records relating to the outsourcing and related transactions must remain readily accessible to CIMA. Notably, where a Regulated Entity decides to outsource a material function, unless the terms and conditions between the Regulated Entity and customer allow for outsourcing and disclosure to third parties, the Regulated Entity should notify customers that information relating to them is to be transmitted to the Service Provider.
Regulated Entities are therefore encouraged to check that their terms and conditions contain such permissions and, if not, consider amending their terms and conditions accordingly.
Service Providers should be assessed to identify any conflicts of interest and, if such conflicts exist, preventative measures must be put in place to manage such conflicts.
While recognising that an outsourcing agreement with a related entity may present fewer risks, when outsourcing material functions to related entities certain minimum requirements must still be complied with. These include written agreements, a business continuity plan and a process for monitoring, reporting and oversight.
Communication with CIMA
Regulated Entities are required to notify CIMA in writing, within a reasonable timeframe, of any new outsourcing agreement concerning a material function, or where existing agreements that concern a material function have been terminated. Specific information must be included in such notice.
What is required from Regulated Entities?
In order to ensure compliance with the Guidance, Regulated Entities should undertake a review of their policies concerning outsourcing (and existing outsourcing agreements). Any deficiencies in risk management policies should be addressed by August 2016. Deficiencies in existing outsourcing agreements should be addressed when the outsourcing arrangement is renewed or extended.
Importantly, where significant deficiencies are identified, CIMA will expect interim risk mitigation measures to be put in place. There is no information in the Guidance on what would amount to a significant deficiency and so, if a Regulated Entity has concerns that there may be a significant deficiency, legal advice should be sought.
As the Guidance recommends the adoption of various written policies and procedures, or the review of outsourcing terms to align with the new standards, please contact us for assistance or further advice.