What CIMA expects and how to document it
CIMA’s Statement of Guidance: Outsourcing – Regulated Entities applies to all CIMA-regulated entities (including controlled subsidiaries), with specific exceptions for regulated mutual funds, private funds and private trust companies. It sets minimum expectations for outsourcing material functions and makes clear that the governing body and senior management remain ultimately responsible for outsourced activities and for regulatory compliance.
Core expectation 1 — Treat outsourcing like any other material function
A regulated entity must maintain the same level of oversight and accountability over a material function when outsourced as when performed in-house. Client obligations must not change, and outsourcing must not create a “shell” or “letter-box” entity; books and records for outsourced activities must remain readily accessible to CIMA.
Document it: keep a brief note in the outsourcing file showing where the books/records are held and how CIMA access will be provided, and record the internal owner accountable for day-to-day oversight.
Core expectation 2 — Policy, materiality and a live risk assessment
CIMA expects a board-approved outsourcing policy, procedures to identify material outsourcing, and an outsourcing risk management framework covering identification, control and monitoring. Risks to consider explicitly include strategic, reputational, compliance, operational, exit, counterparty, country, contractual, access and concentration/systemic risks. Risk assessments must be done before entering an arrangement and reviewed at least annually (and more often as risk dictates). Where the provider is overseas, do a jurisdiction risk assessment. Maintain a centralised log of all material outsourcing.
Document it: include (i) a completed pre-contract risk assessment (with each of the risk categories above ticked off), (ii) the jurisdiction risk assessment (where the provider is overseas), (iii) the annual reviews with any changes noted, and (iv) an entry in the centralised outsourcing log.
Core expectation 3 — Due diligence on the service provider
Carry out written due diligence and keep it on file. CIMA highlights capability, financial soundness, governance/controls, reporting and monitoring processes, complaints/litigation, business continuity, use of sub-contractors, policy alignment and knowledge of Cayman law, as well as insurance coverage.
Document it: retain a checklist with evidence (e.g., reports where available, insurance certificates, BCP summaries) and an approval memo referencing the due diligence outcome.
Core expectation 4 — A contract with the right controls
There must be a written outsourcing agreement for all material arrangements, related-party or not. The agreement should, at a minimum,
(a) allocate responsibilities clearly;
(b) set reporting requirements;
(c) require the provider to identify and manage conflicts;
(d) deal with remuneration;
(e) require contingency/BCP and insurance;
(f) set out dispute/remedy processes (including governing law);
(g) provide for regular reviews and reporting;
(h) require the provider to disclose developments that could affect performance/compliance;
(i) give the regulated entity access to systems/documents and audit rights (including for sub-contractors);
(j) ensure ready access to data and to premises for CIMA inspections;
(k) include performance metrics; and
(l) require approval for sub-outsourcing (or set standing consent conditions).
Document it: add a short contract control schedule to your template with tick-boxes for access/audit rights, sub-outsourcing approval, performance metrics, BCP/insurance, conflict management and notification triggers. Keep evidence of periodic reporting against those metrics.
Core expectation 5 — Continuity and exit
Maintain contingency plans and a business continuity plan appropriate to the risks, and have a termination/exit strategy (including triggers such as liquidation, change of ownership or poor performance) with the ability to transition to an alternative provider.
Document it: keep (i) the provider’s BCP summary and test evidence; (ii) your own fallback plan and data-repapering checklist; and (iii) a completed exit playbook (roles, timelines, data returns, cut-over tests).
Core expectation 6 — Intra-group and branch arrangements aren’t exempt from oversight
CIMA recognises that intra-group arrangements may carry lower risk, but still expects (at minimum) a written agreement, a BCP, monitoring/reporting, an exit strategy, a books/records location suitable for CIMA review, and equivalent audit/risk controls. Branches covered by head-office arrangements should obtain written confirmation of the key details (scope, provider, location, expiry, due diligence completed, CIMA access to client records, and confirmation that an appropriate outsourcing risk framework is in place) and keep a local log.
Document it: keep the head-office confirmation letter, the branch log, and evidence of local monitoring/escalation.
Core expectation 7 — Board and senior management accountability
The governing body must approve and review outsourcing policies; review the log of material arrangements; approve material outsourcing after verifying risk assessment has been done; receive regular performance reports; ensure roles/responsibilities are clear in the contract; set assessment frequency and thresholds; and take action if a provider is underperforming or non-compliant. Senior management must evaluate materiality and risk, implement policies/controls, periodically review effectiveness, and ensure clear communication channels with providers. Separately, under the Corporate Governance Rule, the board cannot abrogate responsibility for delegated functions and must retain overall responsibility for internal control and risk management.
One-page “evidence pack” you should be able to produce on request
- Board-approved outsourcing policy.
- Outsourcing log.
- Pre-contract risk assessment (including the jurisdiction risk assessment where the provider is overseas) and the most recent annual review.
- Service-provider due diligence file (governance/controls, BCP, insurance, litigation checks).
- Executed outsourcing agreement.
- Any incident notifications and board reporting minutes.
- Your contingency plan and exit playbook.