Outsourcing in the BVI - when can a licensee outsource and what limits apply?

On occasion, it is commercially more efficient for financial services businesses to outsource one or more of their business functions, whether intra-group or to a third- party provider, rather than to do it themselves.

While this enables businesses to derive efficiency gains and utilise resources not available in-house, the pitfall of outsourcing  is that it creates the potential for the transfer of risk and management outside the regulated entity. This can impact the ability of regulators to effectively regulate these businesses and operations - and therefore pose systemic risk.

The Regulatory Code

The Regulatory Code, 2009 (the Regulatory Code) provides detailed requirements around what licensees can and cannot outsource and, where it does choose to outsource one or more activities, what needs to be put in place to enable the licensee to retain oversight of the outsourced activities. This is of consequence for BVI entities holding one or more of the following licences:

• a banking licence under the Banks and Trust Companies Act, 1990 (the BTCA)

• an insurance licence under the Insurance Act, 2008 (the Insurance Act)

• an insurance intermediary licence under the Insurance Act

• an insurance manager's licence under the Insurance Act

• a trust licence under the BTCA

• a company management licence under the Company Management Act, 1990

• a money services licence under the Financing and Money Services Act, 2009

• an investment business licence under the Securities and Investment Business Act, 2010 (SIBA)

Limits to outsourcing

Under the Regulatory Code, a licensee is unable to outsource either:

• the compliance function or a core management function, or

• an activity if the outsourcing of that activity would either impair the FSC's ability to supervise the licensee or affect the rights of a customer against the licensee, including the right of redress

For these purposes:

• a licensee's "compliance function" is defined fairly broadly to encompass the function of having responsibility for ensuring compliance by the licensee of its regulatory obligations, so extends beyond simply dealing with a licensee's AML obligations, and

• a licensee's "core management functions" includes (i) the setting and approval of the risk management and other strategies; (ii) the oversight of the licensee's policies, systems and controls; and (iii) the responsibility of the delivery of services to the licensee's customers

Requirements for outsourcing

Assuming that the proposed outsourced functions do not infringe upon the above restrictions, where a licensee chooses to outsource one or more of its business functions, the following considerations apply.

1. Outsourcing policy

A licensee must establish a comprehensive outsourcing policy with respect to the activities to be outsourced.

This outsourcing policy must (i) consider the potential effects of the outsourcing on the compliance function; (ii) include an evaluation of whether, and to the extent to which, the relevant activities are appropriate for outsourcing; (iii) specify the criteria for outsourcing decisions, including how, and to whom, particular types of activities should be outsourced; and (iv) provide for outsourcing only as permitted by and in accordance with the Regulatory Code.

The outsourcing policy may also, on a risk-based basis, take into account the extent to which the activity to be outsourced is material to the licensee's regulated business. In this regard, it should take into account the following:

• whether the activity is of such importance that any weakness or failure in the provision of the activity could have a significant effect on the licensee's ability to meet its regulatory obligations or to continue its business

• whether the activities are important to the delivery by the licensee of services to the customer

• whether the activity is a regulated activity, and

• whether the activity has a significant impact on the licensee's risk management

Having formulated an outsourcing policy, the licensee's board of directors must approve the outsourcing policy and keep it under review. The licensee's board of directors are also responsible for ensuring that each of the outsourcing decisions taken and outsourced activities undertaken are in accordance with the outsourcing policy.

2. Due diligence

Before entering into any outsourcing arrangements, a licensee is required to undertake due diligence with respect to the service provider to whom the activities will be outsourced. This enables the licensee to assess the service provider’s capability and ability to undertake the outsourced activity and the risks associated with outsourcing the proposed activities to that service provider.

3. Outsourcing agreement

All outsourcing arrangements are required to be governed by a written contract between the licensee and the service provider which must:

• clearly specify all material aspects of the outsourcing arrangements, including activities to be outsourced, the rights and responsibilities of the parties, and the protection by service providers of confidential information relating to the licensee or its customers,

• give the licensee (and its auditor and / or actuary) access to all documents and information relevant to the outsourced activity

The guidance notes to the Regulatory Code stipulate that the outsourcing agreement should cover:

• service and performance levels
• arrangements for the continuous monitoring and assessment by the licensee of the service provider
• a termination clause, minimum periods to execute a termination provision and terms providing for the consequences of termination
• provisions providing for the possible insolvency of the service provider
• choice of law and provisions specifying how a dispute will be dealt with
• whether the service provider can sub-contract any of its responsibilities and if so, the extent to which it may do so and the conditions applicable to sub-contracting arrangements

4. Risk management

Where a licensee outsources any activities, it is required to establish and maintain appropriate systems and controls to manage its outsourcing risks, which must:

• provide for the monitoring and controlling of the licensee's outsourcing arrangements, and

• take full account of the key outsourcing risks identified within the Regulatory Code, being for these purposes strategic risk; reputation risk; compliance risk; operational risk; exit strategy risk; counterparty risk; country risk; contractual risk; access risk; concentration and systemic risk

5. Contingency plans

For each outsourced activity, a licensee is required to establish and maintain a contingency plan.

6. Subcontracting outsourced activities

Where a service provider is entitled to sub-contract any of its responsibilities, this must be expressly provided for within the outsourcing agreement, including the conditions applicable to any sub-contracting arrangements.

The guidance notes to the Regulatory Code stipulate that the service provider should normally be required to seek the consent of the licensee before entering into a sub-contract arrangement with respect to any outsourced activity.

Conclusion

While outsourcing can offer significant commercial efficiencies for financial services businesses operating in the BVI, for those which are regulated, it is essential for licensees who decide to outsource to ensure that in so doing, they comply with the requirements for this under the Regulatory Code. Where they do so, a licensee must establish robust outsourcing policies, conduct thorough due diligence, and maintain comprehensive outsourcing agreements to manage the risks effectively.

About Ogier

Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.

Disclaimer

This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.

Regulatory information can be found under Legal Notice