Practical implications of the JFSC's revised outsourcing policy – an overview and FAQs
The Jersey Financial Services Commission's (“JFSC's”) revised outsourcing policy (the “Policy”) became effective on 1 January 2024.
Overview
It is likely that a significant number of entities will be newly caught by the Policy. Those entities will need to seek no objections from the JFSC in respect of existing and new outsourcing arrangements, to the extent that those arrangements meet the materiality threshold and do not fall within an exemption or concession.
Where an arrangement includes sub-outsourcing, both the originator and the primary service provider will need to consider whether the Policy gives rise to any new notification and compliance obligations.
To assist administrators and in-scope entities to determine if a person is in scope for the purposes of the Policy, our online tool is available here.
For further information or advice on any specific circumstances, please email or call one of the key contacts listed.
Frequently asked questions
1. What has changed?
The Policy has been expanded to capture:
- Schedule 2 entities, i.e. entities which are registered (or deemed registered) under Jersey’s proceeds of crime legislation (see FAQ 3); and
- Funds which hold a certificate under the Alternative Investment Funds (Jersey) Regulations 2012 (“AIFs”).
Other areas of change:
- tighter provisions regarding IT and cloud services (but concessions have been made in respect of the notification and no objection requirements for such services);
- additional exemptions have been included (e.g. telecommunications services and managed trust company business are out of scope);
- the “funds exemption” has been narrowed.
2. When does the Policy apply?
The Policy will apply where (a) a regulated business outsources any activity (including unregulated activity) and (b) the “Materiality Threshold” is met, namely that the service provider’s failure to perform or inadequate performance of the outsourced activity would materially prevent, disrupt or impact upon the continuing compliance of the business’ regulated activity (section 2.1.1).
3. Do Schedule 2 entities need to comply with the Policy in full?
An entity which is registered pursuant to Jersey’s AML/CFT/CPF legislation is required to comply with the Policy, but only in respect of its activities arising from its AML/CFT/CPF obligations and only to the extent that these activities are not carried on by an anti-money laundering service provider (“AMLSP”) in accordance with Jersey’s AML/CFT/CPF regime (sections 2.1.3 and 2.2.3.9).
4. Is sub-outsourcing caught by the Policy?
Yes. Sub-outsourcing could give rise to obligations under the Policy (including notification obligations and prior no objection requirements) both for the original outsourcing entity and the primary service provider which has appointed the third party sub-contractor (section 4).
5. Does the Policy apply to the outsourcing of IT services by an in-scope entity?
Yes. This could include cloud services, data centre services, cyber security services and electronic identification and verification measures. “Cloud Services” is very widely defined and includes IT services such as data storage or computing power which are provided in various formats over the internet and incorporates private, public or hybrid cloud, as well as Infrastructure as a Service (“IaaS”), Platform as a Service (“PaaS”) and Software as a Service (“SaaS”).
The only blanket exemption for pre-packaged services is for e-mail systems such as Microsoft 365 (section 2.2.3.12). In certain limited circumstances, other standardised services (including market information and price feeds) will be out of scope (section 2.2.2.6).
In recognition of the complex supply chains and nuances associated with cloud services, while an in-scope entity must notify the JFSC about its primary cloud service provider(s) in the same way as for other types of outsourcing, the entity does not have to notify of any sub-outsourcing of cloud services.
Further, when a business outsources cloud services, data centre services, cyber security services or electronic identification and verification measures, it will not need to wait for a no objection.
The outsourcing of telecommunications services is expressly out of scope.
6. Does the Policy apply to funds and their service providers?
Funds: Subject to any available exemption (such as where the stipulated conditions relating to disclosure and (if applicable) investor approval are met (the “Fund Exemption”) (section 2.2.3.5)), the Policy applies to outsourcing by AIFs and collective investment funds (“CIFs”) but, other than with respect to AML/CFT/CPF (which itself is subject to the AMLSP carve out – see FAQ 3), does not apply to the activities of JPFs or other funds with a CoBO consent (including non-domiciled funds and unregulated funds).
Service providers to Funds: The Policy will apply to outsourcing by a service provider which holds a trust company business (“TCB”), fund services business (“FSB”) or alternative investment funds services business (“AIFSB”) licence, regardless of the type of fund to which the outsourcing relates, provided that the Materiality Threshold is met. Again, this is subject to any available exemption.
Where the Fund Exemption is available, this will carry across to any sub-outsourcing by the service provider of the activities originally outsourced by the fund if the sub-contractor performs them on behalf of the Fund. This exemption will not, however, be available in respect of other services outsourced by the service provider to the sub-contractor (section 2.2.3.5).
7. If an entity is in scope, what does it need to do now?
It should conduct an assessment of all existing and proposed outsourcing activities against the seven core principles of the Policy and record how and to what extent the Business complies with the core principles in respect of each outsourced activity. If any gaps are identified, an effective and achievable remediation plan should be implemented in order to address any areas of non-compliance.
8. Are there any practical examples of how and when the Materiality Threshold is likely to be met?
Examples of how non-regulated and regulated activity would materially prevent, disrupt or impact upon an entity’s continuing compliance include (section 2.1.2):
- where a TCB outsources accounting functions to a service provider that are critical in supporting the performance of its regulated activity (e.g. the valuation of client assets), a failure by the service provider to perform those accounting functions properly would result in the TCB failing to properly conduct its regulated activity;
- where a money service business (“MSB”) outsources IT functions to a service provider that are critical in supporting the performance of its regulated activity (e.g. facilitating the transfer of funds by electronic means), a failure by the service provider to perform those IT functions properly would result in the MSB failing to properly conduct its regulated activity; and
- where a FSB or an investment business (“IB”) outsources reporting distribution functions to a service provider as part of its regulated activity (e.g. producing and circulating periodic client statements of account in compliance with the relevant Code), a failure by the service provider to perform those reporting distribution functions properly would result in the FSB or IB failing to properly conduct its regulated activity.
An example of how non-regulated activity would materially prevent, disrupt or impact upon a Schedule 2 entity’s continuing compliance is where the entity outsources AML/CFT/CPF compliance services such as client onboarding due diligence, monitoring etc. to a service provider who is not its AMLSP (section 2.1.3.1). (N.B. this example does not include AML/CFT/CPF screening systems which are excluded from the Policy under paragraph 2.2.3.10).