Regulatory Series – Cayman Islands Funds and Managers: Outsourcing

Outsourcing is the use by a regulated entity of a third party to perform functions or activities on a continuing basis, which would normally be undertaken by the regulated entity – in the context of an investment fund, the key outsourced functions are the Registrar/ NAV Calculation function and independent AML officers. For an investment manager, the AML officer roles and certain operational or back-office administrative support are typically outsourced to third party services.

The Guidance carves out purchasing contracts i.e. a purchase of services, goods and facilities (without the transfer of non-public proprietary information pertaining to clients/ business activities) from the scope of the Guidance.

1. Prepare an Outsourcing Policy

This must include all items required in accordance with the Guidance. This is not just a one-time tick the box exercise – the Directors of the regulated entity must review and approve the Outsourcing Policy, ensure it is complied with and monitor any changes which are required to be made. Any Board approval, review and amendments to the Outsourcing Policy (including approval of any risk assessment and outsourcing agreement) should be documented to create a clear audit trail of the Board’s monitoring and oversight.

Regulated entities which are part of a wider corporate group may rely on group-level governance structures – however, it is first advisable that they carry out a gap analysis to ensure these frameworks are suitable for local operations and are compliant with the Guidance.

2. Perform a Risk Assessment for each outsourcing service provider

As the regulated entity (including the Directors and Senior Management) remain fully responsible and accountable to CIMA for all outsourced material functions, it is critical that a risk assessment is carried out on all outsourced service providers OSPs before they are engaged to minimize exposure to risk.

A risk assessment should be carried out prior to engagement of the OSP and should consider:

• whether the outsourced services relate to a material function or activity (“Material OSP”). Any material OSP will need to have comprehensive insurance in place;
• the level of due diligence checks carried out on the OSP;
• the impact of the outsourcing arrangement on the finances, reputation and operations of the regulated entity;
• the ability to oversee and maintain appropriate internal controls over the OSP;
• the risk of potential loss of access to important data; and
• the degree of difficulty and time required to find an alternative service provider or to bring the business activity ‘in-house’.

3. Outsourcing agreement

The Guidance is very prescriptive as to the items which need to be covered in the written agreement with a Material OSP. For example, in addition to standard contractual provisions such as scope of work, term and remuneration, the agreement with the Material OSP must include:

• the Material OSP’s conflict of interest management policy;
• the Material OSP’s insurance coverage;
• an obligation of the Material OSP to disclose any material adverse changes, which impact its ability to carry out the outsourced function or activity
• access rights of the registered entity to relevant systems and documents maintained by the Material OSP relating to its outsourced material function or activity;
• access to data and premises of the Material OSP for the purposes of inspection by the regulated entity and/ or CIMA; and
• limitations on use of data of the regulated entity’s proprietary information by the Material OSP.

4. Ongoing monitoring

• Risk assessments and due diligence checks should be completed at least once a year on each Material OSP on an ongoing basis, or on a more frequent basis if determined by the Board (having regard to the risk and materiality of the outsourcing arrangement). Any deficiencies should be addressed promptly.
• A list of Material OSPs engaged should be maintained and approved by the Board of the regulated entity.
• The Board must ensure that there is a contingency plan and exit strategy in place in the event that a Material OSP can no longer perform the outsourced service.
• The regulated entity shall notify CIMA of the appointment of a Material OSP, including details of the location of where the outsourced activity will be carried out and the main reason for outsourcing the activity. The obligation of the regulated entity to notify CIMA also extends to the termination of any outsourcing arrangement with a Material OSP.

In 2025, CIMA conducted a thematic review of the outsourcing arrangements (“Review”) carried out by 16 cross-sector entities (including Investment and Securities) focused on evaluating the effectiveness of governance structures, risk assessment practices and oversight controls relating to outsourcing arrangements. The key findings of the Review were published in January 2026.

In particular, CIMA assessed whether the regulated entities selected implemented the Guidance in proportion to the size, complexity and risk profile of their operations and whether the outsourcing arrangements were structured so as to preserve CIMA’s ability to conduct effective supervision.

While examples of good outsourcing practices were highlighted in the Review, the Review identified the following key deficiencies in the outsourcing arrangements:

• 98% were missing required provisions in the outsourcing agreements;
• 50% did not notify CIMA of the approval or termination of outsourcing arrangements with Material OSPs;
• 45% did not evidence the due diligence assessments were conducted prior to commencing the outsourcing arrangement;
• 36% did not perform risk assessments that took into account all the minimum risks required by the Guidance – in particular, in relation to country, strategic and exit risks;
• 34% of the outsourcing agreement demonstrated deficiencies as to adequacy and effectiveness; and
• 22% conducted insufficient reviews of policies and procedures by the Board of Directors.

The Review highlights the necessity for the Directors of a Cayman Islands investment fund and manager to continually monitor the adequacy of any outsourcing arrangement entered into – from both an internal risk management and regulatory perspective.

The key takeaway of the Review is that any outsourcing agreement should be reviewed and approved by the Board at the outset, in line with the Outsourcing Policy (including any entry to the Material OSP log/ notification to CIMA, as required) and re-assessed on an ongoing basis, at least annually. Outsourcing should be a standalone item on the agenda for any board meetings of the regulated entity and any potential delinquencies promptly brought to the table to be remedied.

While the Guidance does not have the same legal status as a CIMA Rule, a finding of non-compliance with the Guidance upon a CIMA inspection is indicative that a regulated entity is not meeting the expectations of the regulator and that the Board of Directors may not be effectively monitoring the business activities of the fund or manager, which is likely to warrant further scrutiny, monitoring and follow up from CIMA.

View Full PDF

For assistance in relation to your regulated entity’s outsourcing arrangements, including drafting/ reviewing outsourcing agreements, carrying out a gap analysis, or preparedness audit in readiness for a CIMA inspection, please reach out to the Loeb Smith contact below:

This publication is not intended to be a substitute for specific legal advice or a legal opinion. If you require further advice relating to the matters discussed in this Legal Briefing, please contact:

Partner:  Elizebth Kenny
E: elizabeth.kenny@loebsmith.com
Liz is a Partner in the Corporate and Funds Group and is also Head of Regulatory and Risk in which capacity she is key thought leader on regulatory licence applications, virtual assets, crypto and fintech regulation, corporate governance reviews,  anti-money laundering compliance frameworks, regulatory audits, Corporate Governance, CIMA inspections and remediations, sanction reporting and licencing, data protection laws, regulatory enforcement notices, administrative fines and on mandatory information exchange requirements.