Consultation on revisions to the Outsourcing Policy
Issued: 30 June 2022
A consultation on changes to the current JFSC OSP and Guidance Notes
The Jersey Financial Services Commission (JFSC) invites comments on this consultation. Comments should reach Jersey Finance Limited by 31 August 2022.
Responses should be sent to:
Joanna McAviney, Legal and Technical Manager
Jersey Finance Limited
4th Floor
Sir Walter Raleigh House
48-50 Esplanade
St Helier
Jersey
JE2 3QB
Direct Line: +44 (0) 1534 836028
Office Line: +44 (0) 1534 836000
Email: Joanna.McAviney@jerseyfinance.je
Alternatively, responses may be sent directly to us by 31 August 2022. If you require any assistance, clarification or wish to discuss any aspect of the proposal before formulating a response, please contact us.
Caroline McGrath, Senior Manager Policy
Jersey Financial Services Commission
PO Box 267
14-18 Castle Street
St Helier
Jersey
JE4 8TP
Telephone: +44 (0) 1534 822000
Email: C.Mcgrath@jerseyfsc.org
It is our policy to provide the content of responses for inspection unless specifically requested otherwise.
It is the policy of Jersey Finance Limited (unless otherwise requested or agreed) to collate all responses and share them verbatim with us on an anonymised basis (with reference made only to the type of respondent, e.g. individual, law firm, trust company, etc.) This collated, anonymised response will, typically, be placed in JFL’s permanent electronic archive which is currently open to all JFL members.
Glossary
Alternative Investment Fund (or AIF) | an Alternative Investment Fund within the meaning of the AIF Regulations
AML/CFT Handbook (link to be inserted following AML Handbook consolidation) | the Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism
Business | any Person performing Regulated Activity which, for the avoidance of doubt, includes Supervised Persons
Category A permit holder | has the same meaning given to the term under the Insurance Business Law and the Code of Practice for Insurance Business
Certified Fund | a fund issued with a certificate by us pursuant to the Collective Investment Funds Law
Cloud Services | a range of IT services (such as data storage or computing power) provided in various formats over the internet. This incorporates private, public or hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)
Codes of Practice | collectively, the Code of Practice for Deposit-taking Business; the Code of Practice for Certified Funds; the Code of Practice for Fund Services Business; the Code of Practice for General Insurance Mediation Business; the Code of Practice for Investment Business; the Code of Practice for Insurance Business; the Code of Practice for Money Service Business; the Code of Practice for Trust Company Business; and the Codes of Practice included as part of the AML/CFT Handbook
Commission Law | Financial Services Commission (Jersey) Law 1998, as amended
Cyber Security Services | Distributed Denial of Service (DDoS) mitigation, security information event management, vulnerability intelligence, ethical penetration testing, security operations centre, incident response, and threat intelligence or other services designed to prevent or mitigate the risk of cyber-attacks
Data Centre Services | on or off premise data storage solutions which are located in Jersey; all commonly known as and considered to be utilities
Fund | an AIF, Certified Fund, a JPF, any legacy private fund (very private fund, private placement fund or COBO only fund), or a Recognized Fund
Fund Services Business (or FSB) | the Regulated Activity involving the provision of services described in Article 2(10) of the FSJL
Group | a body corporate that would be defined as a “subsidiary”, “wholly-owned subsidiary” or “holding body” of another body corporate under the Companies (Jersey) Law, 1991, irrespective of the jurisdiction of the company. The meaning of ‘Group’ does not include the same legal person (see paragraph 2.2.3.1 of the OSP)
Group Outsourcing | an arrangement between a Business and Group Service Provider by which the Group Service Provider performs Outsourced Activity that would otherwise be undertaken by the Business itself
Insurance Business | the Regulated Activity involving the provision of insurance business described in Article 5 of the Insurance Business Law
JFL | Jersey Finance Limited
JFSC (us, we) | Jersey Financial Services Commission
Jersey Private Fund (or JPF) | a Jersey Private Fund within the meaning of the Jersey Private Fund Guide
Key Person | has the same meaning given to the term under the Regulatory Laws and covers individuals fulfilling any one of the following three roles: Compliance Officer, Money Laundering Compliance Officer, and Money Laundering Reporting Officer
Managed Trust Company Business (or MTCB) | a Business which provides TCB services under the FSJL and which operates in Jersey as a managed entity utilising the services of a Manager
Manager | a Business which has been registered by us to conduct Class N of TCB under the FSJL
Manager of a Managed Entity (or MoME) | a Business which has been registered by us to conduct Class ZK of FSB under the FSJL
Network Services | fibre broadband, managed firewalls, and carrier services which provide the infrastructure to enable such services; all commonly known as and considered to be utilities
Outsourced Activity | activity that is performed by a Service Provider that would otherwise be undertaken by a Business itself
Outsourcing | an arrangement between a Business and a Service Provider by which: a Service Provider performs Outsourced Activity; and where that Service Provider’s failure to perform or inadequate performance of such Outsourced Activity would materially prevent, disrupt or impact upon the continuing compliance of that Business’ Regulated Activity
Outsourcing Notification | a notification as detailed in paragraph 6 of the revised OSP and as required by Core Principle 6 of the revised OSP
Person | any natural or legal person (including a body of persons corporate or unincorporated)
Recognized Fund | a fund in respect of which there is a recognized fund certificate issued by us under the Collective Investment Funds (Recognized Funds) (General Provisions) (Jersey) Order 1988
Regulated Activity | activity conducted by a Business pursuant to the Regulatory Laws for which a licence/registration/consent must be held. In relation to activity conducted by a Business pursuant to CoBO, this is limited to where the Business is a Fund
Regulatory Laws | collectively, the: Alternative Investment Funds (Jersey) Regulations, 2012 (AIF Regulations); Banking Business (Jersey) Law, 1991; Collective Investment Funds (Jersey) Law, 1988 (Collective Investment Funds Law); Control of Borrowing (Jersey) Order, 1958 (CoBO); Financial Services (Jersey) Law, 1998 (FSJL); Insurance Business (Jersey) Law, 1996 (Insurance Business Law); and Proceeds of Crime (Supervisory Bodies) (Jersey) Law, 2008 (Supervisory Bodies Law)
Service Provider | a Person who performs Outsourced Activity on behalf of a Business
Sub-Outsourcing | an arrangement between a Service Provider and a Sub-Contractor by which the Sub-Contractor performs Outsourced Activity that would otherwise be undertaken by the Service Provider on behalf of a Business
Supervised Person | has the same meaning given to the term within Article 1 of the Supervisory Bodies Law
Telecommunication Services | has the same meaning given to the term within the Telecommunications (Jersey) Law, 2002 and includes Network Services, Voice Services, Data Centre Services and/or Cyber Security Services
Trust Company Business (or TCB) | the Regulated Activity involving the provision of services described in Article 2(4) of the FSJL
Voice Services | fixed telephone lines and video conferencing facilities
Consultation
Basis for consultation
We are issuing this consultation in accordance with Article 8(3) of the Commission Law, under which the JFSC “may, in connection with the carrying out of its functions […] consult and seek the advice of such persons or bodies whether inside or outside Jersey as it considers appropriate”.
Who will be affected by the proposed changes?
The proposed changes to the current JFSC Outsourcing Policy and Guidance Notes, issued March 2017 and revised last December 2020 (the Current OSP and Guidance Notes) in the form of a revised OSP (the Revised OSP) will affect any person to whom the provisions of the Revised OSP apply.
Responding to the consultation
We invite comments, in writing, from interested parties on the content of this consultation. Where comments are made by an industry body or association, that body or association should also provide a summary of the type of individuals and/or institutions that it represents.
A questionnaire has been published alongside this consultation. Respondents are requested to use this form when responding to questions posed and providing any comments to support their answers. The use of this form will assist both JFL and ourselves in collating and considering the responses provided.
Comments on the draft Revised OSP should be received no later than 31 August 2022.
Next steps
Following this consultation, we will publish feedback and issue a final version of the Revised OSP. We anticipate this will be published by the beginning of October 2022.
There will be a three-month transition period, commencing on the date we issue the final Revised OSP.
The JFSC
Overview
We are a statutory body corporate established under the Commission Law. We are responsible for the supervision and development of financial services provided in or from within Jersey.
Our functions
Article 5 of the Commission Law prescribes that we are responsible for:
› the supervision and development of financial services provided in or from within Jersey;
› providing the States of Jersey, any Minister or any other public body with reports, advice, assistance and information in relation to any matter connected with financial services;
› preparing and submitting to the Minister recommendations for the introduction, amendment or replacement of legislation appertaining to financial services, companies and other forms of business structure;
› such functions in relation to financial services or such incidental or ancillary matters:
› as are required or authorised by or under any enactment, or
› as the States may, by Regulations, transfer; and
› such other functions as are conferred on the JFSC by any other Law or enactment.
Guiding principles
Article 7 of the Commission Law provides that in exercising our functions, we may take into account any appropriate matter, but that we should consider:
› the reduction of the risk to the public of financial loss due to dishonesty, incompetence or malpractice by, or the financial unsoundness of, persons carrying on the business of financial services in or from within Jersey;
› the protection and enhancement of the reputation and integrity of Jersey in commercial and financial matters;
› the best economic interests of Jersey;
› the need to counter financial crime in both Jersey and elsewhere.
1 Proposals for Revised OSP
1.1 Executive summary
1.1.1 In 2021, we were presented with some suggested ‘Quick Wins’ for Industry. One of the Quick Wins proposed was a revision to the Current OSP and Guidance Notes, to:
1.1.1.1 include a list of “exempt” Outsourcing matters inclusive of certain IT outsourcing arrangements (‘Telecommunications Services’ and ‘Cloud Services’); and,
1.1.1.2 more generally, clarify, simplify and update its content and format.
1.1.1.3 Accordingly, one of our 2021/2022 deliverables was to (in the form of a Revised OSP):
1.1.1.4 simplify and update the Current OSP and Guidance notes to give clarity on exempt matters; and,
1.1.1.5 take account of feedback from internal and external stakeholders concerning the Current OSP and Guidance Notes.
1.1.2 Having due regard to potential risk(s) involved and to International standards, we have produced a draft Revised OSP, attached under Appendix B which, subject to this consultation, will be effective from 3 months after the final Revised OSP is issued, the anticipated date for which is the beginning of October 2022.
1.1.3 The key changes to the Revised OSP are as follows (more detailed information on each key change is set out below):
1.1.3.1 Where a Service Provider performs Outsourced Activity in the form of Telecommunication Services on behalf of a Business, such Outsourced Activity is not caught;
1.1.3.2 Specific guidance is provided where a Service Provider performs Outsourced Activity in the form of Cloud Services;
1.1.3.3 All Supervised Persons must comply with the Revised OSP in accordance with the new consolidated AML/CFT Handbook;
1.1.3.4 Managed Trust Company Business (MTCB) is now exempt from the application of the Revised OSP;
1.1.3.5 the provisions of and corresponding guidance within the Revised OSP have been amended to read more clearly and simply and to reflect our current regulatory framework.
1.1.4 A working group was established through March and April 2022 to review the draft Revised OSP (the Revised OSP WG) before going out for wider public consultation. A list of the organisations that put forward representatives to sit on the Revised OSP WG is attached under Appendix C and included representatives from a range of different sectors (Banking, TCB, FSB, Legal and Digital). The collective feedback of the Revised OSP WG, together with our response to the same is attached under Appendix D.
1.2 Telecommunication Services
1.2.1 Telecommunication Services often form part of a Business’ IT infrastructure supply chain and may include: Network Services, Voice Services, Data Centre Services, and/or Cyber Security Services. Network Services and Voice Services are commonly known as and considered to be utilities and are captured by the definition of ‘Telecommunications Services’ within the Telecommunications (Jersey) Law 2002.
1.2.2 All Telecommunications Services may impact a Business’ ability to meet its regulatory requirements, but carry different profiles concerning whether a Business would be expected to retain specialist knowledge in-house, and whether standard contracts of service would be available for negotiation.
1.2.3 The Revised OSP provides that “Where a Service Provider provides Telecommunication Services to a Business, such Outsourced Activity is not caught.”
1.2.4 Question 1: Have you identified any unintended consequences of exempting Telecommunication Services from the application of the Revised OSP?
1.3 Cloud Services
1.3.1 There is no consistent definition of ‘Cloud Services’ within the International community and, as a result, its meaning can be open to different interpretations. For the Revised OSP we have adopted the same definition currently used by the UK FCA (which is broadly consistent with the National Institute of Standards and Technology, U.S. Department of Commerce definition).
1.3.2 We considered amending the Revised OSP to provide that where a Service Provider performs Outsourced Activity in the form of Cloud Services on behalf of a Business as part of its non-Regulated Activity, such Outsourced Activity would not be caught. However, due to the associated concentration risks and the fact that this option would not be in line with International standards, we opted instead to provide tailored guidance and provisions in the Revised OSP for where a Service Provider performs Outsourced Activity in the form of Cloud Services.
1.3.3 Taking into account the complex supply chains and nuances associated with Cloud Services, the Revised OSP provides an exception to the rule in terms of the Sub-Outsourcing of Cloud Services. Whilst a Business must still notify us about its primary Cloud Service Provider, it does not have to do so for any Sub-Outsourcing arrangement relating to those Cloud Services.
1.4 Supervised Persons
1.4.1 The Revised OSP provides that all Supervised Persons are subject to the principles of the Revised OSP in accordance with the new consolidated AML/CFT Handbook which makes adherence to the Current OSP and Guidance Notes a Code for all Supervised Persons. To support this position the Revised OSP now includes the Supervisory Bodies Law under its definition of Regulatory Laws and the Codes of Practice included as part of the AML/CFT Handbook under its definition of Codes of Practice.
1.4.2 Requiring all Supervised Persons to comply with the Revised OSP represents a change of policy insofar as only regulated persons carrying on regulated business have had to comply with the Current OSP and Guidance Notes to date.
1.4.3 Question 4: Have you identified any unintended consequences or unusual results due to the requirement for all Supervised Persons to comply with the Revised OSP?
1.5 Managed Trust Company Business (MTCB)
1.5.1 In line with the treatment of MoME business for the Current OSP and Guidance Notes, the Revised OSP also provides a carve out from its application for MTCB. Specifically, it provides that “where a Service Provider, which is a Manager, performs Outsourced Activity on behalf of a MTCB (e.g. the provision of corporate directors to the MTCB’s Clients), where such services are consistent with the standards set out in the Guidance Note: ‘Managed Trust Company Business’, the Outsourced Activity is not caught by the Revised OSP.”
1.5.2 Question 5: Have you identified any unintended consequences of Managed Trust Company Business (MTCB) being exempt from the application of the Revised OSP?
1.6 Clarification, simplification and updates
1.6.1 More generally, the Revised OSP has been amended to:
1.6.1.1 remove all reference to the previous out of date transitional provisions;
1.6.1.2 use simpler, clearer and less ambiguous language;
1.6.1.3 re-structure the document so that it reads more easily and is more ‘user-friendly’;
1.6.1.4 take account of our current regulatory framework by reference to AIFs, AIF Regulations, JPF, legacy private funds (very private funds, private placement funds or COBO only funds), Key Persons and Principal Persons, etc.;
1.6.1.5 make it clear that Category A permit holders for Insurance Business are not required to comply with the Revised OSP per the Insurance Business Code; and
1.6.1.6 provide specific guidance on each Core Principle, Sub-Outsourcing, Group Outsourcing and the Outsourcing Notification process.
1.7 Transition Period
1.7.1 The Revised OSP will be effective from three months after the final Revised OSP is issued (the Transition Period). The date of issue of the final Revised OSP is anticipated to be the beginning of October 2022.
1.7.2 Question 8: Do you consider the Transition Period to be appropriate and proportionate? If not, please provide further detail in the comments section of this question.
2 Summary of questions
Question 1: Have you identified any unintended consequences of exempting Telecommunication Services from the application of the Revised OSP?
Question 2: Do you consider the specific guidance in the Revised OSP in relation to where a Service Provider performs Outsourced Activity in the form of Cloud Services to be adequate? If not, provide further detail in the comments section of this question.
Question 3: Have you identified any unintended consequences of a Business not being required to notify us of any of its Cloud Services Sub-Outsourcing arrangement(s)?
Question 4: Have you identified any unintended consequences or unusual results due to the requirement for all Supervised Persons having to comply with the Revised OSP?
Question 5: Have you identified any unintended consequences of Managed Trust Company Business (MTCB) being exempt from the application of the Revised OSP?
Question 6: Do you consider the revised OSP to read more clearly, easily and simply, therefore making it more ‘user-friendly’ than the Current OSP and Guidance Notes?
Question 7: Do you consider the specific guidance in the Revised OSP in relation to each Core Principle, Sub-Outsourcing, Group Outsourcing and the Outsourcing Notification process to be adequate? If not, provide further detail in the comments section of this question.
Question 8: Do you consider the Transition Period to be appropriate and proportionate? If not, provide further detail in the comments section of this question.
3 Appendix A - List of representative bodies and other persons who have been sent this consultation paper
› Jersey Association of Trust Companies
› Jersey Banker’s Association
› Jersey Compliance Officer’s Association
› Jersey Estate Agents Association
› Jersey Finance Limited
› Jersey Funds Association
› Jersey International Insurance Association
› Jersey Society of Chartered and Certified Accountants
› Law Society of Jersey
› Society of Trust and Estate Practitioners (STEP), Jersey branch
4 Appendix B – Draft Revised OSP
View our draft Revised OSP.
Revised Outsourcing Policy 2022 Appendix B
5 Appendix C – A list of organisations that put forward representatives to sit on the Revised OSP WG
› Apex
› Barclays
› Carey Olsen
› Crestbridge
› Domus
› Government of Jersey
› HSBC
› IQEQ
› JTC
› Lloyds
› Mourant Governance Services
› RBSI
› Standard Bank
› Vaiie
› Warm Solutions
6 Appendix D – Feedback from the Revised OSP Working Group and JFSC response
A working group was established through March and April 2022 to review the draft Revised OSP (the Revised OSP WG) before going out for wider public consultation. These are their comments and the JFSC response.
In order to use this feedback, refer to our draft Revised OSP.
Section |
Comment |
JFSC Response |
Glossary |
||
Business |
We understand it to be the case that previously the liability was restricted to the registered person, is the intent now that anyone is potentially responsible/liable? A definition of 'conducting' would be useful. |
The definition of ‘Business’ in the Glossary extends beyond that of ‘Registered Person’ for the purpose of the current OSP. It now includes ‘any Person performing Regulated Activity which, for the avoidance of doubt, includes Supervised Persons’. Reference to “conducting” in the ‘Business’ definition has been changed to “performing”. |
Cyber Security Services |
This is possibly only a small proportion of potential outsourced services examples – that is not a concern, but is the intention to keep this fairly narrow? Possibly consider removing ‘behavioural analytics’ and adding in ethical penetration testing and security operations centre. |
‘Cyber Security’ definition amended per suggested revision. |
Group |
I agree with the concerns raised regarding the definition of “Group” for the reasons given during the session: i) proportionality in respect of outsourcing arrangement between different legal entities within a Group and ii) need to expressly include “branch”. I understand you have already considered some suggested amends to take account of the concerns raised so I won’t say anything further on this. |
On the proportionality point in relation to Group, the latest draft revised OSP incorporates new paragraphs 3.2.7, 3.3.3 and 3.5.6 which provide as follows: 3.2.7 “Where a Business forms part of a Group, the Business may rely on the due diligence (including any financial due diligence), materiality assessments and/or risk assessments of any Service Provider or Sub-Contractor undertaken by the Group.” 3.3.3 “Where a Business forms part of a Group, the Outsourcing Agreement may be between the relevant Service Provider and the Group.” 3.5.6 “Where a Business forms part of a Group, the Business may rely upon Group contingency plans.” Branches are not considered to have a separate legal personality in many jurisdictions including Jersey. As such, branches (where they form part of the same legal person) are out of the scope of the OSP. ‘Group’ definition amended to include the following caveat: “The meaning of ‘Group’ does not include the same legal person (see paragraph 2.2.3.1 of the OSP)”. |
Group |
Could this be too narrow – possibly consider expanding to allow for sister companies or ‘associated company’ as used in 6.5.9 of the FSB Code? |
‘Group’ definition remains the same as that set out in the Companies (Jersey) Law 1991. An extension to include ‘associated companies’ would be out of our risk appetite in terms of our Group Outsourcing guidance. |
Licence |
This appears potentially inconsistent with the definition used in the Licensing Policy in respect of those activities that require registration under the Financial Services (Jersey) Law 1998 . Is there a desire to align? |
All references to ‘Licence’ and ‘Licensed’ have now been removed. There is a desire to align the definitions in the revised OSP with other JFSC policy and guidance and work is currently underway regarding the consolidation and update to the current three Licensing Policies published by the JFSC. |
JFSC |
Is the informality intentional here…? |
Yes. This is consistent with other recent JFSC publications, however we have amended the reference from “us” to “the JFSC” under Core Principle No.1. |
Manager of a Managed Entity (MoME) |
This doesn’t align with TCB Class N definition above – is that intentional? |
No, this in an error. ‘MoME’ definition now amended to “a Business which has been granted a Licence to conduct Class ZK of FSB under the FSJL.” |
Outsourcing |
‘Would materially impair’ - Can this wording be tightened? Does materially impair mean prevent? Without a definitive definition it may continue to be subjective as to whether an activity would fall in scope |
All references to “materially impair” have been amended to “materially prevent, disrupt or impact upon”. |
Outsourcing |
We can see that the reference to ‘with the requirements of the Regulatory Laws” has been removed as used previously. Is there a reason for this? |
Yes, the revised definition of ‘Outsourcing’ includes reference to the new definition ‘Regulated Activity’ which means “activity conducted by a Business pursuant to the Regulatory Laws for which authorisation or registration by us has been granted”. |
Supervised Person |
Supervised person – suggest definition of a Supervised Person is included in the definitions table of the OSP for ease of reference. |
Amended to include a definition of ‘Supervised Person’ in the Glossary by tying the meaning back to the meaning within Article 1 of the Supervisory Bodies Law. |
Regulated Activity |
Large expansion of entities in scope? |
Yes, the extension of the scope of the Policy is intentional. All Supervised Persons must comply with the OSP in accordance with the new consolidated AML/CFT Handbook (which makes adherence to the OSP a Code for all Supervised Persons). The Supervisory Bodies Law is included under the definition of ‘Regulatory Laws’ and, the Codes of Practice included as part of the AML/CFT Handbook are included under the ‘Codes of Practice’ definition. Express reference now made to the newly defined term ‘Supervised Person’ when referring to those Businesses captured under Jersey’s AML/CFT Regime under paragraph 2, ‘Application of the OSP’. If a Business is using a Service Provider to meet its regulatory obligations or statutory obligations, it is captured by the OSP. We have amendment to previously numbered paragraph 2.1.2.3, now paragraph 2.1.4.1 to deal with this point. More generally, the meaning of ‘Regulatory Laws’ has been updated to take account of our current regulatory landscape by reference to the ‘AIF Regulations’ |
Regulated Activity/Regulatory Laws |
Expansion former: Means the Banking Law, the Collective Investment Funds Law, the FSJL, and the Insurance Law. Is the intention to capture a much larger range of entities? While I appreciate the intent here, referring out to other regulations and statute complicates the document as users now have to refer to other sources of information to fully understand the requirements. Further, reference to the regulation/statute in its entirety means there is potential for activity to be caught that may have not been intended for– Is there a simpler or clearer way to achieve your aims here? Could the specific regulated activity that you are looking to cover be detailed or listed in an appendix? |
|
Regulatory Laws |
Query whether the intention here is that any entity issued a COBO now has to comply e.g. SPV holdco corporate vehicle…? Seems potentially very broad unless 2.2 can be expanded or the COBO can be limited to COBO / JPF funds only? If all COBO entities are caught will there be an impact on the lead in time for entities caught in the expansion? Will the JFSC need to allocate additional resource to increased volumes of submissions…? |
We had not intended to capture all entities issued with a CoBO consent and intend to limit the application of the OSP to CoBO consents granted in connection with Funds only. As such, the definition of ‘Regulated Activity’ has been amended to include the following caveat: “In relation to activity conducted by a Business pursuant to CoBO, this is limited to where the Business is a Fund”. |
Sub-Contractor |
Include “of the Service Provider” |
Amended per suggestion. |
Sub-Outsourcing |
‘Sub-Contractor performs Outsourced Activity’ - To what degree does the sub-contactor need to be performing the outsourced activity to be considered in scope? If the activity is a small admininstrative part of the overall process and the failure would not be considered to 'materially impair', would the JFSC agree that the sub-contracting element would not be in scope? |
Yes we would agree that the circumstances described would not be sufficiently ‘material’ to trigger the application of the OSP. All references to “materially impair” have been amended to “materially prevent, disrupt or impact upon”. |
1: Introduction |
||
Core Principles |
‘Core Principle No. 5’ - Amended from “must put in place arrangements that allow it to terminate its Outsourcing arrangements without undue delay and manage the consequences of any such termination appropriately.” Is this change intentional? |
Yes, this change was intentional to simplify and clarify Core Principle No.5. The corresponding guidance in relation to Core Principle No.5 provides further details of our expectations in this regard. |
Core Principles |
‘Core Principle No.6’ - Please expand the definition of ‘material change’. Presently we have defined this for ourselves internally as to what we would consider material (a change of location within an entity to a site that has previously performed the same type of work would not be considered material, but a change to location out of the same entity, would be considered material, irrespective of previous experience. Given that materiality is of significant importance to the UK PRA, a closer definition of what constitutes a material change that requires re-notification, would be appreciated. |
Each Business operates differently and will be Outsourcing different Outsourced Activity, as such, it should remain the responsibility/ be at the discretion of the relevant Business to decide what amounts to a ‘material change’ to Outsourced Activity. We don’t want to be too prescriptive. |
2: Application of the OSP |
||
2.1 Outsourced Activity caught by the OSP |
It is a much more accessible document than previous – which can only be a good thing – but the effect was that it seemed to be wider in scope. Was it intentional to widen the scope or a by-product of it having been shortened? |
Yes, the extension of the scope of the Policy is intentional. All Supervised Persons must comply with the OSP in accordance with the new consolidated AML/CFT Handbook (which makes adherence to the OSP a Code for all Supervised Persons). The Supervisory Bodies Law is included under the definition of ‘Regulatory Laws’ and, the Codes of Practice included as part of the AML/CFT Handbook are included under the ‘Codes of Practice’ definition. Express reference now made to the newly defined term ‘Supervised Person’ when referring to those Businesses captured under Jersey’s AML/CFT Regime under paragraph 2, ‘Application of the OSP’. If a Business is using a Service Provider to meet its regulatory obligations or statutory obligations, it is captured by the OSP. We have amended previously numbered paragraph 2.1.2.3, now paragraph 2.1.4. to deal with this point: “2.1.4An example of how non-Regulated Activity would materially prevent, disrupt or impact upon a Supervised Person’s continuing compliance includes: 2.1.4.1where a Supervised Person outsources the collection and verification of evidence of identity of its Clients (the Outsourced Activity) to an E-ID Service Provider that are critical in supporting the performance of its Regulated Activity, a failure by the Service Provider to perform the Outsourced Activity would result in the Supervised Person failing to properly conduct its Regulated Activity.” |
2.1 Outsourced Activity caught by the OSP |
I queried what scoping has been done vis-à-vis widening the OSP to Supervised Persons to ascertain unintended consequences? As you will recall, we discussed this during the course of the meeting and you agreed that further work is likely needed in this area to fully understand what businesses and persons will be caught by this. |
|
2.1.1 and 2.1.2. |
Has there been any consideration of providing more clarity on the definition of materially impair? I.e. length of outage/scale ? |
All references to “materially impair” have been amended to “materially prevent, disrupt or impact upon” however, each Business operates differently and will be Outsourcing different Outsourced Activity. As such, it should remain the responsibility/ be at the discretion of the relevant Business to decide what amounts to a ‘materially prevent, disrupt, or impact upon’ the continuing compliance of the Business’ Regulated Activity. We don’t want to be too prescriptive and for that reason, have not provided specific guidance beyond this on length of outage/scale etc. |
2.1.1 |
Essentially this seems to be suggesting that the scope is any type of activity that could affect Regulated activity. For a business whose primary function is Banking, a highly regulated function, this would indicate that all activity could be linked to Regulated activity. If the primary driver for considering an activity in scope of the OSP is actually materiality, then with a closer definition of material impairment, it would be easier to determine whether an activity is in scope. Without a closer definition of material impairment, this will continue to remain subjective. |
|
2.1.2.3 (now new paragraph 2.1.4) |
We have a specific comment/question re 2.1.2.3 and E-ID Service Providers. Firstly, we welcome clarity and the pro-technology stance from the regulator but have concern that the definition is too binary. Some E-ID providers provide intelligent technologies that support firms in making their own risk-based decisions, who do not accept liability for decisions made by supervised parties, and their solutions are focused on providing faster and more accurate dossiers of information to support the on-boarding process by the supervised party. In this scenario, do the JFSC regard this type of E-ID provider as an outsourced activity service provider? If so, in the event of any service outage the supervised party would simply ‘insource’ by reverting back to today’s most common practice of paper and wet ink. While this is disruptive for the business, as per today’s regulatory environment we believe it does not present any increased risk unless the JFSC are of a view that E-ID is or is about to become a more reliable standard. |
‘E-ID’ meaning has been added to the Glossary. Not all E-ID providers offer the same level and type of service. The reason we included this paragraph was to remove some of the ambiguity previously experienced by some Businesses when making a determination of whether these services would amount to Outsourcing or not. We considered that as the collection and verification of identity is a statutory obligation under the Money Laundering (Jersey) Order 2008 (Article 3(2)(a)), how a Business does this is relevant to them being able to demonstrate compliance with that Order. The decision which is made subsequently by a Business as to whether to take on that Client is a separate matter. Our intention is to make it easier for a Business to understand when to submit an Outsourcing Notification. |
2.1.2.3 (now new paragraph 2.1.4) |
E-ID – Maybe some more guidance in relation to this. Some institutions will outsource fully, but, there may be hybrid situations. I.e. hosting the E-ID system internally but maintenance of the system and upgrades are done by a service provider. |
|
2.1.2.3 (now new paragraph 2.1.4) |
Also what about use of screening systems i.e. overnight data searches re Sanctions, PEPs, Financial crime etc. |
Yes, we want to be aware of any Service Provider which is being utilised by a Business to meet its statutory or regulatory obligations. JFSC resource is currently under internal review. |
2.1.2.3 (now new paragraph 2.1.4) |
Does this mean that utilising a 3rd party screening solution or any utilisation of external data sources per 4.3.4 of the AML Handbook is outsourcing? Will the JFSC be equipped to handle the increased volumes associated? |
|
2.1.2.3 (now new paragraph 2.1.4) |
We welcome the JFSC’s inclusion of E-ID Service Providers in the revised policy, said clarity is beneficial for the adoption of RegTech in Jersey and we would not wish for the reference to E-ID Service Providers to be removed in later versions of the policy. We recognise and share the JFSC’s view that they should not and cannot police the use of RegTech solutions, especially so given the variety and complexity of solutions available. However:
› Many solutions including but not limited to [our] solution do not undertake decision making on behalf of the Supervised Person
› In the scenario where the Supervised Person is ultimately undertaking risk based decision, we are of the view that the technology used is an enabling tool to enhance decision making
We believe there to be a significant difference based on the impact of the failure of E-ID technology tools:
› Where a tool enables decision making within a Supervised Person, any outages or failures of the E-ID Service Provider or their technology tools allow the Supervised Person to revert to current manual processes which, despite enhanced technology capabilities of E-ID Service Providers, currently have the same regulatory treatment
› In the event of the E-ID Service Provider making the decision for and on behalf of a Supervised Person, outages or failures of an E-ID Service Provider or their tools present greater operational risk to the Supervised Person who may not have the capacity to maintain service levels or regulatory requirements
It is our opinion that a more balanced approach is to determine whether the requirement to notify the JFSC of outsourcing in the context of E-ID Service Providers is based on where the decision-making lies. Put simply, it is our ask of the JFSC to consider an alternative whereby if the Service Provider retains the ultimate decision-making power, then an outsourcing notification is not required.
We acknowledge and respect the views of the JFSC and welcome the approach which is clear and consistent for all industry participants. However, we believe that when it comes to the outsourcing notification of E-ID Service Providers a small change could make a significant impact to industry and the wider adoption of RegTech in Jersey. |
The reason why we have taken the approach to include reference to E-ID providers specifically is in relation to Article 3(4) of the Money Laundering (Jersey) Order 2008: identification of a person means – (a) finding out the identity of that person, including that person’s name and legal status; and (b) obtaining evidence, on the basis of documents, data or information from a reliable and independent source, that is reasonably capable of verifying that the person to be identified is who the person is said to be and satisfies the person responsible for the identification of a person that the evidence does establish that fact. This requirement within the MLO does not have any component of decision making – but for whether or not a regulated entity would accept the evidence being collected in line with their own policies and procedures (i.e. satisfies the business that the evidence establishes a person is who they say they are). We are not sure where or how we could draw a regulatory line between what is caught and what is not when looking at this requirement? To help us to better understand, does the decision making you refer to relate to (a) a Business’ willingness to accept the evidence as collected by an E-ID provider, or (b) a Business’ willingness to accept the customer? |
2.2.2 |
Is this section stating that the service categories detailed are always not caught by the OSP? |
Provided that the Service Provider performs the categories of Outsourced Activity specified in paragraphs 2.2.2.1 to 2.2.2.6 as part of a Business’ non-Regulated Activity, the Outsourced Activity is not caught. The Outsourced Activity must not form part of the Business’ Regulated Activity in order for the exemption from the application of the OSP to kick in. Blanket exemptions (which are not contingent on whether the Outsourced Activity is Regulated Activity or non-Regulated Activity) are contained under paragraph 2.2.3. Notably, Telecommunication Services are now included under paragraph 2.2.3 |
2.2.2.7 (now 2.2.3.7) |
Telecommunication services – We appreciate the attempt to provide greater clarity on the position regarding this service category. Can further clarity be provided on the position detailed with regard to Telecoms services as part of non-regulated activity vs regulated? In our experience Telecoms are contracted for at an organisational level underpinning all activity. Or, are you saying that for the purposes of the OSP Telecoms is part of a business’ non-regulated activity and is specifically excluded? |
Our intention was to exclude ‘Telecommunication Services’ from the application of the OSP irrespective of whether this service was integral and material to a Business’ Regulated or non- Regulated Activities. As such, Telecommunication Services have been removed from paragraph 2.2.2 and are now included under paragraph 2.2.3 |
2.2.2.7 (now 2.2.3.7) |
Would Internet service providers fall into this type of service category? If so, in the modern digital world ISPs may be ‘material’ service providers – is that the intention or, regardless of materiality, are 2.2.2.1 – 2.2.2.7 excluded from the OSP? |
The definition of ‘Telecommunication Services’ expressly refers to the inclusion of ‘Network Services’ which includes Internet access services. On that basis ISPs fall into this category and are expressly excluded from the scope of the OSP, together with all the other categories included under para 2.2.3. In relation to 2.2.2.1 to 2.2.2.6, this exemption from the OSP only works provided that the Service Provider performs this type of Outsourced Activity as part of the relevant Business’ non-Regulated Activity (not a blanket exemption unlike 2.2.3). |
2.2.3.2 |
I didn’t understand this point. Do you have an example? |
Paragraph 2.2.3.2 has been amended to provide as follows: “Where a Service Provider performs Outsourced Activity on behalf of a TCB in relation to a single trust structure (which is not a Fund).” Where a Service Provider performs Outsourced Activity on behalf of a TCB in relation to more than one trust structure, for example in relation to the whole of all its Client base, this Outsourced Activity would be caught by the OSP. A ‘TCB’ meaning has been added to the Glossary. |
2.2.3.2 |
As the key point is whether the SP has been engaged by the TCB or directly by a trust structure, rather than the number of trust structures, it would be better to amend the wording to ‘Where a SP has been engaged to perform Outsourced Activity by an individual trust structure’. For example, if two small trust structures managed by the same TCB engage the same SP this should not automatically bring the activity within scope of the revised OSP. However, if a TCB has engaged a SP to provide services to a single large trust structure then this could be within scope. |
The current OSP provides under 3.2.2.4 that “Based on the JFSC’s existing working practice in relation to Trust Company Business where a Trustee regulated for Trust Company Business appoints a third party to act in relation to an individual Trust (save for where the Trust is a Certified Fund or a Recognized Fund where the provisions of paragraph 3.2.2.5 below apply) this Policy does not apply.” The latest draft revised OSP provides under 2.2.3.2 as follows, “The following Outsourced Activity is also not caught by the OSP: Where a Service Provider performs Outsourced Activity on behalf of a TCB in relation to a single trust structure (which is not a Fund).” We are not clear on the point that you are making? For the blanket exemption to the application of the OSP to work, a TCB has always been required to appoint a Service Provider to act on its behalf in relation to an individual/single trust structure? On this basis, we are minded to retain paragraph 2.2.3.2 as it is currently drafted unless we have fundamentally misunderstood something? |
General |
Cloud Services – re: 2.2. Can I clarify that the materiality threshold applies for cloud services – i.e. where a Service Provider performs Outsourced Activity in the form of Cloud Services on behalf of a Business as part of its non-Regulated Activity, it is caught by the OSP only if it would materially impair the continuing compliance of that Business’ Regulated Activity? |
Yes this is correct. |
3.1: Core Principle 1 |
||
3.1 |
A Business is responsible for, and accountable to us - Can we change “us” to the JFSC |
We have amended the reference from “us” to “the JFSC” under Core Principle No.1. |
3.1.1 |
Can we be clear on the Governing body which can form a group of senior leaders in a branch as opposed to a board |
Paragraph 2.2.3.1 expressly provides that: “Where a Service Provider performs Outsourced Activity on behalf of the same legal person; e.g. a branch on behalf of its head office or vice-versa or, a branch on behalf of a branch, such Outsourced Activity is not caught by the OSP.” This is a blanket exemption for branches (where they form part of the same legal person) from the application of the OSP. On that basis, whilst we don’t disagree that the Governing Body of a branch can be its group of senior leaders as opposed to a board, we have not felt it necessary to expand the OSP definition of ‘Governing Body’ to include this language. |
3.1.1. |
‘Governing Body’ - Can this term be revised to allow interpretation by different sized businesses, or is this expected to always be at board level |
We think the meaning of ‘Governing Body’ in the Glossary is sufficiently wide to take account of different sized businesses (i.e. not expected to always be at board level). |
3.1.3 |
This term re Letter Box is also in the previous 2017 version. Is it possible to build wording to cover the point that, post the UK SRP, some banks will have a Group service company which maintains and provides services to recipients across a wider group? |
We don’t want to make direct reference to the UK SRP in the OSP. We would expect Group Outsourcing to take into account the specific guidance as contained within Paragraph 5 (Guidance on Group Outsourcing). |
3.2: Core Principle 2 |
||
3.2.1 |
Can concession be allowed for Due Diligence on Group entities which are themselves regulated |
No, because regardless of whether the Group entity is regulated or not, the Business, in compliance with Core Principle No.2, must ensure that the Group entity performing the Outsourced Activity is Fit and Proper at all times. The Business should do this by: “conducting suitable and proportionate due diligence on its Group Service Provider to satisfy itself that the Group Outsourcing is:
› compliant with relevant Regulatory Laws or other regulatory requirements which apply to its Regulated Activity; and
› appropriate in the circumstances and does not give rise to any material risks for its Clients.”
Taking account of your concern, we have added the word “proportionate” in paragraphs 3.2.1 and 5.3.1 as we acknowledge that the level of due diligence conducted by a Business on a member of the same Group may be less than that undertaken in relation to an independent Person. |
3.2.1.1 |
How does this work for AML activities and 3rd party vendors in the AML space that may not be regulated? |
Paragraph 3.2.1.1. expressly “does not apply where the Outsourced Activity is non-Regulated Activity”. If however the Outsourced Activity does form part of the Business’ Regulated Activity the Service Provider must also be “regulated for the performance of the Regulated Activity” and comply “with all applicable Regulatory Laws”. |
3.2.3 |
Perhaps include Regulatory/AML/TF/Cyber Risk |
As suggested, paragraph 3.2.3 has been amended to include:
› “regulatory risks;
› money laundering, terrorist financing and proliferation financing risks; and
› cyber security risks”. |
3.2.5 |
Can a concession be made where the Due Diligence has been undertaken by part of the group that this then does not have to be repeated locally by a branch |
The latest draft revised OSP incorporates a new paragraph 3.2.7 which provides that “Where a Business forms part of a Group, the Business may rely on the due diligence (including any financial due diligence), materiality assessments and/or risk assessments of any Service Provider or Sub-Contractor undertaken by the Group.” |
3.2.6 |
If a concession is granted to non-incorporated organisations can the group due diligence that is conducted on a service provider be relied upon |
|
New 3.2.7. |
Is there opportunity to provide more clarity on expectations across the core principles where businesses are consuming Outsourcing from third parties that is agreed at group level? Specifically, clarity on whether businesses, in line with the concept of proportionality, can rely on due diligence, materiality assessments of third parties undertaken by and on behalf of the whole group and audits of external third party service providers performed by or on behalf of the whole group as long as they provide the business with the appropriate assurance and information to comply? |
|
3.3: Core Principle 3 |
||
General |
My only question relates to principle no. 3 - A Business must put in place a legally binding Outsourcing Agreement with the Service Provider before the start of the Outsourced Activity. Is it the intention that this agreement must be in place before the outsourcing notification? I assume at least a draft version must be in place to allow for the notification to be completed successfully. |
Paragraph 6.1.3 now provides: “Together with a duly completed Outsourcing Notification, a Business must submit either a copy of the draft Outsourcing Agreement or a copy of the signed final form Outsourcing Agreement effective from the date of receipt of a No Objection.” |
General |
Also agree the legally binding outsourcing agreement is a chicken and egg situation. A draft should be sufficient until the “No Objection” is received |
|
3.3 |
Can we have a statement for Branch which allows the parent to conduct this activity |
Branches are not considered to have a separate legal personality in many jurisdictions including Jersey. As such, branches (where they form part of the same legal person) are out of the scope of the OSP. |
3.3.1.6 |
If it is a branch can the parent complete the review with the results fed into the Branch |
|
3.3.1.6 |
The policy should be explicit as to what is expected to be considered as part of the annual review. Is it a full review of the outsourcing notification to see if everything remains as notified? As above, what would be considered to be a material change that could impact whether as a result of the annual review, the JFSC needs to be re-notified/updated. |
The annual review should include a full review of the Outsourced Activity and should not be limited to a review of the Outsourcing Notification by itself. Each Business operates differently and will be Outsourcing different Outsourced Activity, as such, it should remain the responsibility/ be at the discretion of the relevant Business to decide what amounts to a ‘material change’ to Outsourced Activity. We don’t want to be too prescriptive. |
3.3.2 |
Certain provisions contained within this section may be difficult for businesses to achieve with cloud providers who often only contract on their terms. |
Extensive research has been conducted in relation to what a Business should consider as part of its engagement with a Cloud Service Provider. We have used this research to devise this section and it is based upon what we believe to be reasonable and possible in Jersey and market practice elsewhere in the world when dealing with regulated entities. Please do let us know if you have any specific comments in this regard. |
3.3.2.3 |
For Cloud service as a branch of a wider group can it be the group level monitoring of the service provider’s performance that is noted here |
Branches (where they form part of the same legal person) are out of scope of the OSP per paragraph 2.2.3.1. We would expect Group Outsourcing to take into account the specific guidance as contained within Paragraph 5. |
3.3.2.7 |
You say extensive research has been done in respect of Cloud Services. As part of this, I assume you know that the requisite insurance is available to such Service Providers, but it would be helpful if this could be confirmed? Also, what “certain risks” did you have in mind for mandatory insurance? Appreciate you don’t want to be too prescriptive as every business will be different but is there sufficient guidance in the OSP to enable Businesses and Service Providers to know what you want here? |
Paragraph 3.3.2.7 is one of a number of things a Business should consider when entering into a written agreement with a Service Provider. It should be understood between the parties who is responsible for putting in place adequate insurance measures for a myriad of things in relation to the Cloud Services Outsourcing arrangement. To provide all users of Cloud with more comfort, insurance policies are available commercially to provide both Service Providers and their users with financial protection and risk management in the event of an unforeseen issue. Cloud insurance policies may cover things such as compensation for business lost whilst a cloud service is unavailable, unintentional data loss, security breaches, data back-up provisions, as well as the more traditional insurance against damage, physical security etc. of the server location. The reason why we have not included examples is that each insurance policy is different (much like the limitation of liability of each provider) and therefore a Business should be aware to look out for what their liability is and is not, and to make provision if they are not comfortable with the level of risk retained. |
New 3.3.3. |
Is there opportunity to provide more clarity on expectations across the core principles where businesses are consuming Outsourcing from third parties that is agreed at group level? Specifically, clarity on whether businesses, in line with the concept of proportionality, can rely on due diligence, materiality assessments of third parties undertaken by and on contractual arrangements between third parties and the whole firm group? |
The latest draft revised OSP incorporates a new paragraph 3.3.3 which provides that “Where a Business forms part of a Group, the Outsourcing Agreement may be between the relevant Service Provider and the Group.” |
3.4: Core Principle 4 |
||
3.4.2 |
‘periodically test’ - 3.4.2 is not explicit enough and as a result could be subjectively assessed. This should include an expectation of the frequency of the testing, and a scale to assist with determining how to define the 'size/risk and complexity'. |
Per paragraph 3.4.2, the ongoing frequency of a Business’ periodic testing and monitoring will depend upon its relevant circumstances and “should reflect the size, risk and complexity of the Outsourced Activity.” Each Business operates differently. As such, it should remain the responsibility/ be at the discretion of the relevant Business in terms of the requirement under Core Principle 4 to “periodically test whether its policies and procedures comply with the Core Principles of the OSP”. We don’t want to be too prescriptive. References to “In certain circumstances” and “In such circumstances” have been deleted from paragraph 3.4.4 but again it will be the responsibility/at the discretion of the relevant Business to decide whether it would be appropriate for it to enter into “a general Outsourcing arrangement to particular individuals or to a Specialised Central Support Function.” |
3.4.4 |
‘certain circumstances’ - Guidance would be useful with examples as to the types of circumstances. |
|
3.5: Core Principle 5 |
||
3.5 |
Do you expect contingency plans to exist at a Service provider level or be part of a wider business contingency plan? |
Contingency Plans should be in place in relation to each Outsourced Activity given that these are bespoke and have different impact on the Business. “Suitable contingency plans” could be located within Group Policy. |
3.5.4 |
For Cloud service as a branch of a wider group can it be the group level monitoring of the service provider’s performance that is noted here |
Branches (where they form part of the same legal person) are out of scope of the OSP per paragraph 2.2.3.1. We would expect Group Outsourcing to take into account the specific guidance as contained within Paragraph 5. This may include Group compliance monitoring. |
3.5.4 |
What is the definition of 'periodically'. If an outsourced activity has been deemed in scope of the OSP, and an annual review of the activity is expected, is there an expectation that the contingency would be tested in line with that annual review, or more or less frequently? |
Per paragraph 3.4.2, paragraph 3.5.4 has been amended to provide that the ongoing frequency of a Business’ periodic testing and monitoring of its contingency plans will depend upon its relevant circumstances and “should reflect the size, risk and complexity of the Outsourced Activity.” Each Business operates differently. As such, it should remain the responsibility/ be at the discretion of the relevant Business in terms of the requirement under Core Principle 5 to “periodically test its contingency plans”. A Business may choose to periodically test its contingency plan at the same time as it conducts its annual or more frequent review of the Outsourced Activity. We don’t want to be too prescriptive. |
New 3.5.6 |
Is there opportunity to provide more clarity on expectations across the core principles where businesses are consuming Outsourcing from third parties that is agreed at group level? Specifically, clarity on whether businesses, in line with the concept of proportionality, can rely on group-wide business continuity plans and exit strategies. |
The latest draft revised OSP incorporates a new paragraph 3.5.6 which provides that “Where a Business forms part of a Group, the Business may rely on Group contingency plans.” |
3.6: Core Principle 6 |
||
3.6 |
I mentioned on the call but in case it was missed, can you clarify the position in the OSP with regard to notification and changes to outsourcing activity i.e. under what circumstances would you expect us to notify you? E.g. change of supplier etc.? |
Core Principle No.6 provides that “We must be notified of any subsequent material change to the Outsourced Activity as soon as the Business becomes aware.” Whilst the decision over what constitutes “material” will be a matter for the Business to exercise its own judgement and discretion (we don’t want to be too prescriptive), paragraph 3.6.4.3 provides that where any new Service Provider is to be appointed, we will expect to receive a new Outsourcing Notification in respect of the newly proposed Outsourcing arrangement. |
3.6.1 |
Will there be an option for a reduced notification in the cases of material amendments or will a full notification be required? |
We are considering with internal stakeholders the creation of a Material Change to Outsourced Activity Notification to be filed each time there is a material change to Outsourced Activity instead of the relevant Business having to submit a new full form Outsourcing Notification. |
3.6.1 and 3.6.2 |
What is the JFSC’s lead-time and turnaround for review of outsourcing notifications? Will the JFSC have a list of pre-approved outsourcing providers? |
The SLA for an Outsourcing Notification and No Objection is 20 business days. At present, we have no plans to produce a list of pre-approved Outsourcing providers. |
4: Guidance on Sub-Outsourcing |
||
General |
I also queried at what point a Business relying on outsourcing an activity, in particular in respect of cloud services, would have to stop carrying out due diligence on any sub-outsourcing agreements (Para 4: Guidance on Sub-Outsourcing). You suggested yesterday that as far as the JFSC is concerned the requirement to carry out due diligence on a sub-outsourcing service provider goes all the way to the end of the sub-outsourcing chain. I am not sure I articulated my point particularly well yesterday so I thought it would be useful to share it with you again. Para 4.3 states that “A Business should adequately risk assess each Service Provider and Sub-Contractor under the Sub-Outsourcing agreement and should have the ability to object to any Service Provider or Sub-Contractor should it not meet the required standards of compliance or oversight (as assessed by the Business)”. My concerns are that the more specialist technology is used in cloud based services, the greater the chances that sub-outsourcing will happen, resulting in potentially lengthy and complex sub-contracting arrangements. If a Business is required to carry out due diligence on each entity within the outsourcing/sub-outsourcing chain as per the requirements set down at paragraph 3.2, it may become extremely cumbersome to the extent that businesses may find that they cannot afford to outsource the required service. I understand that if an outsourcing activity were to fail the Business is required to continue to meet its compliance obligations and that this could be done by either shifting the outsourced activity to an alternative service provider or by taking over the activity itself; however it may be that the Business cannot outsource the activity electronically and has to work using manual processes instead (inadvertently stifling innovation or growth).
Has there been any scoping as to the consequences of the requirements for due diligence to be carried out on every entity within the sub-outsourcing arrangements for businesses, particularly the degree to which it could affect smaller businesses? |
In compliance with Core Principle No.2, a Business must ensure that the Service Provider performing the Outsourced Activity is Fit and Proper at all times. The requirement to conduct due diligence helps to ensure this objective. In relation to Sub-Outsourcing, where Sub-Contractors are performing Outsourced Activity within the scope of the OSP, we would expect the relevant Business to be aware of how that particular Service Provider is meeting those obligations. Failure to have adequate oversight or understanding of any Service Provider which is performing a function to allow that Business to remain compliant with its regulatory obligations would not be in line with the spirit of the OSP and could suggest a failure by that Business under the relevant Code(s). This is irrespective of size, as each Business must control and manage its affairs to ensure compliance. That said, the supply chains within Cloud Outsourcing are particularly complex which is why we have removed the requirement under the OSP for a No-Objection to this type of Sub-Contracting (per paragraph 3.6.5). An Outsourcing Notification may not always be required where components of the supply-chain are with reference to non-Regulated and non-material Activity and therefore not captured by the definition of Outsourcing. |
4.4.1 |
Reference to Group outsourcing. Is this a typo and should instead refer to sub-outsourcing? |
Paragraph 4.4.1 has been amended to take account of this typo. |
5: Guidance on Group Outsourcing |
||
General |
Has there been any consideration given to the concept of proportionality for group outsourcing we have seen introduced by the PRA & EBA recently, which allows businesses to comply with some of the outsourcing requirements proportionately depending on their level of ‘control and influence’ over the entity that is providing the outsourced service? Similar to my previous point regarding proportionality for intra-group outsourcing, I wonder if there is the opportunity to provide more clarity on expectations across the core principles where businesses are consuming Outsourcing from third parties that is agreed at group level. Specifically, clarity on whether businesses, in line with the concept of proportionality, can rely on:
› due diligence, materiality assessments, and risk assessments of third-parties undertaken by and on behalf of the whole group
› contractual arrangements between third parties and the whole firm group
› audits of external third party service providers performed by or on behalf of the whole group as long as they provide the business with appropriate assurance and information to comply locally
› group-wide business continuity plans and exit strategies. |
The latest draft revised OSP incorporates new paragraphs 3.2.7, 3.3.3 and 3.5.6 which provide as follows: 3.2.7 “Where a Business forms part of a Group, the Business may rely on the due diligence (including any financial due diligence), materiality assessments and/or risk assessments of any Service Provider or Sub-Contractor undertaken by the Group.” 3.3.3 “Where a Business forms part of a Group, the Outsourcing Agreement may be between the relevant Service Provider and the Group.” 3.5.6 “Where a Business forms part of a Group, the Business may rely upon Group contingency plans.” |
6: Guidance on Outsourcing Notification |
||
6.3.2 |
At paragraph 6.3.2 you state that you will aim to respond within 20 days to an Outsourcing Notification. Is there an ability to fast track an urgent outsourcing notification? It may be my ignorance as to how the process works but I query whether a Business can use the outsourced services whilst it waits for the No Objection – I am particularly thinking where a business is already outsourcing and, for example, the arrangement falls down and an alternative service provider is required to be utilised (albeit I note the requirements at 6.1.1.11 re contingency plans), or services are urgently required because of a previously unforeseen business need (e.g. the likes of what the pandemic threw up for many businesses) – 20 days might be too late. |
We don’t have any current plans to reduce the 20 business days’ SLA. We have retained the language relating to the circumstances in which it may be necessary for a Business to utilise the services of a Service Provider prior to making an Outsourcing Notification or waiting for a No-Objection. This is contained within Paragraph 6.3.4 and is intended to be utilised in the scenarios described. |
General |
Guidance on the Outsourcing Notification – Perhaps instead put an appendix of the portal Outsourcing notification form. We have basically recreated it internally to enable us to put all the data in one place and have added boxes so we can describe how we are meeting the Core principles. |
Per new paragraph 6.1.2, “For reference, a blank Outsourcing Notification form is included under Appendix A”. We are working with our Operations team to try to achieve this. |
General |
It would be good if there was an amendment form instead of having to put in a whole new Outsourcing form. For example we had a change in sub-outsourcing but have had to put in a new notification. Maybe a reference number given to each outsourcing to make it easier to show the changes to the JFSC. |
We are considering with internal stakeholders the creation of a Material Change to Outsourced Activity Notification to be filed each time there is a material change to Outsourced Activity instead of the relevant Business having to submit a new full form Outsourcing Notification. |
7. General comment on the Revised OSP |
||
n/a |
How close (or not) is this to the EBA requirements? |
Multiple resources were used from other regulatory bodies, particularly with regard to Cloud Outsourcing, inclusive of the European Banking Authority, European Securities and Markets Authority, the Bank of England, the FCA, the GFSC, IoMFSA etc. We did not prepare a gap analysis, but instead iterated the document over time whilst looking at the different requirements. |
I have reviewed [the draft revised OSP and this feedback document] and have no further comments to make, I think these are clear and hold all relevant information. |