It has been two years since the Cayman Islands Monetary Authority (CIMA) introduced its Rule on Corporate Governance for Regulated Entities (the “Corporate Governance Rule”), and a year and a half since it came into force. This Corporate Governance Rule applies to all CIMA-regulated entities, including registered mutual funds and private funds (Funds), and sets out clear expectations regarding governance, oversight, and risk management.

By way of detailed update, please refer to our publication on the Cayman Islands’ Corporate Governance Rule and Internal Controls Guidance and Rule. Further insights can also be found in our previous publication on the Seminar on Corporate Governance & Risk Management for Cayman Islands Directors: Key Takeaways.

CIMA previously issued a Statement of Guidance on Outsourcing for Regulated Entities (the “Outsourcing SoG”). While registered mutual and private funds are expressly exempt from the requirements of this instrument, CIMA’s Statement of Guidance on Corporate Governance for Mutual Funds and Private Funds does impose obligations on the governing body / operators of mutual and private funds (Operators) to oversee service providers (Service Providers). Funds, as unstaffed vehicles, will often engage Outsourced Service Providers for various functions, including fund administrators, investment managers, audit providers, compliance service providers etc. As such, understanding and implementing appropriate due diligence and oversight measures for material third party (and group level) Service Providers is essential to ensure good corporate governance and overall compliance with applicable requirements.

Outsourcing Requirements for Funds

Unlike the Outsourcing SoG, there is no exemption for Funds under the Corporate Governance Rule, which includes the following requirement:

At all times, the Governing Body must effectively manage any outsourced operations including outsourced management functions, as applicable.”

It is not stated what exactly is expected of Funds in this regard given that they are not obligated to consider the Outsourcing SoG, although the Corporate Governance Rule applies in a proportionate manner depending on the nature, scale and complexity of the relevant regulated entity.

Therefore, the absence of other guiding material from CIMA, it is prudent to consider the contents of the Outsourcing SoG and apply the guidance in a proportionate manner taking into consideration the nature of Funds as non-operational pooling vehicles. A core focus for Funds should be to ensure that outsourcing arrangements do not diminish the Operators’ ability to discharge its fiduciary duty or maintain control over the Fund’s key operations. The key expectations for Funds can be summarized as follows:

  1. Policies and Procedures: Operators should address outsourcing in their policy and procedure documents in a manner which is proportionate to the size, nature, and complexity of the Fund. It may not be necessary to implement a standalone policy and the relevant provisions could form part of the Fund’s wider corporate governance framework (for more information on this, see our previous publication linked at the outset of this publication). Outsourcing policies and procedures should set out how outsourcing arrangements are assessed, managed and monitored on an ongoing basis.
  2. Due Diligence of Service Providers: When engaging a Service Provider, Operators should conduct a risk assessment to determine the potential impact of outsourcing arrangements. This should include considerations such as AML / CFT and sanctions measures, business continuity, data protection, and other compliance arrangements within the Service Provider to determine capability and appropriateness of the Service Provider to undertake the relevant outsourced arrangement.
  3. Active Oversight of Service Providers: There should be an established framework to monitor Service Providers on an ongoing basis. This includes assessing performance at least annually, ensuring that the relevant outsourced task is being conducted in a manner compliant with regulatory obligations and identifying any relevant emerging risks.
  4. Comprehensive Agreements: All Service Provider relationships should be governed by written agreements that clearly define roles, responsibilities, performance metrics, reporting requirements, and termination provisions. Ideally these agreements should be drafted in compliance with the Outsourcing SoG and should also outline mechanisms for facilitating review and audits, data access and retention, dispute resolution and contingency.
  5. Regular Reviews, Reporting and Operator Meetings: Operators should ensure that Service Provider performance is regularly reviewed and monitored to ensure that it meets expected metrics. Operators should also ensure that they meet at least annually, during which Service Providers report to the Operator members (either by way of a written report or attendance at the relevant meeting). This process ensures accountability and enables Operators to consider the ongoing appropriateness of the Outsourcing arrangement and take appropriate action where necessary.

Summary of Proposed Compliance Measures

To ensure compliance with the Corporate Governance Rule, Operators should:

  1. Maintain a documented outsourcing policy and procedure tailored to the nature, scale and complexity of the relevant Fund. Such policy and procedure documents can also be produced on an omnibus basis to cover larger Fund groups;
  2. Implement comprehensive agreements for all Outsourcing relationships;
  3. Conduct periodic due diligence on Service Providers to assess their capabilities and adherence to regulatory expectations;
  4. Establish clear reporting lines and escalation procedures for addressing any issues with outsourcing arrangements;
  5. Keep detailed records of all Service Provider reviews, Operator meetings and decisions taken by the Operator in respect of Outsourcing arrangements.

Looking Ahead

As the regulatory framework in the Cayman Islands continues to evolve, Funds must ensure they remain aligned with CIMA’s expectations. While the Outsourcing SOG does not apply directly to Funds, the obligations under the Corporate Governance Rule reinforce the importance of robust Service Provider oversight to manage outsourced management functions. Operators should take proactive steps to strengthen their governance frameworks and ensure they can demonstrate compliance with these requirements in the event of regulatory enquiry or scrutiny.

If you require any assistance with your legal or compliance obligations in the Cayman Islands, please do not hesitate to contact any member of the Regulatory and Risk Advisory Team at Conyers.

This update serves as a crucial reminder to stay ahead of your compliance obligations to avoid any regulatory or enforcement issues for your funds.