Legal provisions
In the BVI, the regulatory rules on outsourcing are primarily contained in sections 50 to 54 of Division 5 of the Regulatory Code 2009 (the RC09). These rules would primarily apply to entities that are licensed or registered under the:
- Banks and Trust Companies Act 1990 (general, restricted Class I and restricted Class II banking licences together with Class I, II, and III trust licences and restricted Class II and III trust licences);
- Insurance Act 2008 (Category A, B, C, and D licences together with insurance managers and insurance intermediaries licences);
- Company Management Act 1990 (company management licences);
- Financing and Money Services Act 2009 (Class A, B, C, D, E, and F licences);
- Securities and Investment Business Act 2010 (investment business licences); and
- Virtual Asset Service Providers Act 2022.

In the Cayman Islands, the regulatory rules on outsourcing are contained in the Cayman Islands Monetary Authority’s (CIMA) Statement of Guidance: Outsourcing Regulated Entities 2023 (the SOG). The SOG applies to all entities regulated by CIMA, including controlled subsidiaries within the Banks and Trust Companies Act (Revised) (BTCA). For these purposes, a regulated entity is an entity that is regulated by CIMA in accordance with the:
- BTCA;
- Building Societies Act (Revised);
- Companies Management Act (Revised);
- Cooperative Societies Act (Revised);
- Development Bank Act (Revised);
- Insurance Act (Revised);
- Money Services Act (Revised);
- Directors Registration and Licensing Act (Revised); and
- Securities Investment Business Act (Revised).
The SOG does not apply to regulated mutual funds as defined in the Mutual Funds Act (Revised), private trust companies as defined in the Private Trust Companies Regulations (Revised), and private funds as defined in the Private Funds Act (Revised).
The SOG applies regardless of whether the outsourcing arrangement established by a regulated entity is with a related or unrelated entity.
Considerations
Typically, under BVI law, a licensee should not outsource an activity unless they act in accordance with the requirements of the RC09. To this extent, a licensee should not outsource:
- the compliance function or a core management function; or
- an activity if the outsourcing of that activity would:
- impair the BVI Financial Services Commission’s ability to supervise the licensee; or
- affect the rights of a customer against the licensee, including the right to obtain legal redress.
For these purposes, the following would be considered as core management functions:
- the setting and approval of the licensee’s risk management and other strategies;
- the oversight of the licensee’s policies, systems and controls; and
- the responsibility for the delivery of services to the licensee’s customers.
A regulated entity should assess the materiality of its outsourcing arrangements, and without limiting the scope of its assessments, should consider:
- the impact of the outsourcing arrangements on its finances, reputation and operations, or on a significant business line, particularly if the service provider, or group of affiliated service providers, should fail to perform over a given period of time, depending on the nature of the outsourced function/service;
- its ability to maintain appropriate internal controls and meet regulatory requirements, particularly if the service provider were to experience problems;
- the cost of the outsourcing arrangement;
- the risk of potential loss, temporarily or permanently, of access to important data; and
- the degree of difficulty and time required to find an alternative service provider or to bring the business activity “in-house”.
Policies and arrangements

Where a licensee chooses to outsource specific business functions, it would need to establish a comprehensive outsourcing policy with respect to the activities that are being outsourced (i.e. the relevant activities). The outsourcing policy should:
- consider the potential effects of outsourcing on the compliance function;
- include an evaluation of whether, and the extent to which the relevant activities are appropriate for outsourcing;
- specify criteria for making outsourcing decisions, including how, and to whom, particular types of relevant activities should be outsourced; and
- provide for outsourcing only as permitted by and in accordance with the RC09.
The outsourcing policy should, on a risk-based approach, take into account the extent to which the activity to be outsourced is material to its regulated business.
Where an outsourcing arrangement will be put in place, the regulated entity should ensure that the arrangements meet the following minimum criteria:
- a written outsourcing agreement that details the scope of the arrangement, the service to be supplied, the nature of the relationship between the regulated entity and the service provider, and the procedure governing the sub-contracting of services;
- an appropriate business continuity plan that is designed to handle foreseeable risks;
- an appropriate process for monitoring, reporting and oversight;
- an exit strategy;
- location of books and records; and
- be subject to appropriate internal and external audit and risk controls.
A regulated entity should at a minimum:
- implement a policy on outsourcing approved by the governing body;
- have proper procedures in place to identify all outsourcing arrangements;
- establish and document an adequate risk management framework, systems, etc. to monitor its outsourcing arrangements;
- establish clear responsibility in-house for monitoring the conduct of the service provider;
- establish feasible contingency plans in the event that outsourcing fails; and
- ensure that limits regarding the level of authority that enables the approval of the outsourcing of material functions or activities are governed by appropriate policies and procedures, having regard to the level of risk surrounding the outsourcing.
Responsibility
Even though an activity is outsourced to a third-party provider, the board of directors of the licensee should:
- approve the licensee’s outsourcing policy and keep it under review;
- be responsible for ensuring that:
- outsourcing decisions are taken; and
- outsourced activities are undertaken,
in accordance with the licensee’s outsourcing policy.
The governing body and senior management of a regulated entity are ultimately responsible for the effective management of risks arising from the outsourced material functions.
Risk assessment

A licensee that outsources any activities should establish and maintain appropriate and adequate systems and controls to manage any outsourcing risks inherent to the type of business being conducted. The outsourcing risk management systems and controls should:
- provide for the monitoring and controlling of the licensee’s outsourcing arrangements; and
- take full account of the key outsourcing risks.
A regulated entity should assess the following types of risks in relation to any outsourcing:
- strategic risk;
- reputation risk;
- compliance risk;
- operational risk;
- exit strategy risk;
- counterparty risk;
- country risk;
- contractual risk;
- access risk; and
- concentration and systemic risk.
Due diligence
Before entering into any outsourcing arrangement, the licensee should undertake appropriate due diligence with respect to the third-party service provider who will be undertaking the service in order to assess:
- the service provider’s capacity and ability to perform the outsourced activities; and
- the risks associated with outsourcing the proposed activities to the service provider.

A regulated entity should perform in writing, and maintain as part of its records, a due diligence assessment of the service provider before entering into the initial outsourcing agreement and on a regular basis (at least annually) in order to ensure that the service provider is fit and proper and can effectively perform the outsourced material function or activity. The due diligence should assess the service provider’s:
- human, financial and technical resources (including IT systems) to effectively undertake the outsourced tasks;
- ability, capacity, and any authorisation required by law to perform the outsourced material functions or activities in a reliable and professional manner;
- ability to safeguard the confidentiality, integrity, and availability of information entrusted to it;
- corporate governance, risk management, security, internal controls, reporting, and monitoring processes;
- reputation, complaints, or pending litigation;
- business continuity arrangements and contingency plans;
- reliance on and success in dealing with sub-contractors;
- policies in general, business culture and how they align with the regulated entity’s own policies; and
- knowledge of the Cayman Islands framework.
Written agreement or contract
The outsourcing of an activity should be governed by a written contract with the service provider that:
- clearly specifies all material aspects of the outsourcing arrangements including:
- the activities to be outsourced;
- the rights and responsibilities of the parties;
- the protection by the service provider of confidential information relating to the licensee or its customers; and
- gives the licensee and, if relevant, its auditor access to all documents and information relevant to the outsourced activity, at all times.
A regulated entity should have a detailed written agreement containing:
- scope of arrangement, including but not limited to services to be provided, rights, responsibilities and expectations of all parties, reporting requirements, etc.;
- nature of relationship;
- obligation of the service provider to identify, disclose, monitor and manage conflicts of interest;
- remuneration terms under the agreement;
- contingency plans and business continuity plans;
- obligation of the service provider to maintain appropriate insurance coverage;
- dispute and remedy process;
- obligation to notify the regulated entity in the event of any breaches; and
- procedure governing sub-contracting.
Contingency plan
The licensee should also establish and maintain a contingency plan for each outsourcing agreement that it enters into.
A regulated entity should be satisfied that the service provider has in place policies and procedures and physical and technological measures to protect information that a customer of the regulated entity might reasonably expect to be confidential.
A regulated entity should ensure that the service provider can identify conflicts of interests and ensure that preventative measures are taken to manage any such conflicts.
The regulated entity should ensure that there is a termination or exit strategy in the event that a service provider can no longer perform the outsourced function, a breach occurs, or the nature of the agreement has changed.