Feedback paper on consultation No. 6 2022 and follow-on consultation on Revised Outsourcing Policy (OSP)

A feedback paper relating to a consultation on proposals regarding changes to the current JFSC OSP and Guidance Notes and a follow-on consultation on the revised OSP

Consultation feedback and follow-on consultation on revised OSP

This paper reports on responses received by the JFSC to the Consultation Paper No. 6 2022 published by the JFSC on 30 June 2022 and invites comments on this follow-on consultation.

We invite comments on this consultation paper by 28 February 2023. If you require assistance, clarification or wish to discuss any aspect of the proposals prior to formulating a response, it is of course appropriate to contact us.

Further enquiries concerning the consultation may be directed to:

Caroline McGrath

Senior Adviser, Policy

Jersey Financial Services Commission

PO Box 267

14-18 Castle Street

St Helier

Jersey

JE4 8TP

Telephone:+44 (0) 1534 822000

Email:C.McGrath@Jerseyfsc.org

Alternatively, Jersey Finance Limited (JFL) is coordinating an Industry response that will incorporate any matters raised by local businesses.  Comments should be submitted to JFL by 28 February 2023.

The JFL contact is:

Lisa Springate

Head of Legal and Technical

Jersey Finance Limited

4th Floor, Sir Walter Raleigh House

48-50 Esplanade

St. Helier

Jersey

JE23QB

Telephone: +44(0) 1534 836029

Email: Lisa.Springate@jerseyfinance.je

Glossary of Terms

Defined terms are indicated throughout this document as follows:

AIF Regulations	the Alternative Investment Funds (Jersey) Regulations, 2012
Alternative Investment Fund (or AIF)	an Alternative Investment Fund within the meaning of the AIF Regulations
AML/CFT/CPF Handbook	Handbook for the prevention and detection of money laundering and the countering of terrorist financing and proliferation financing
AMLSP	Anti-Money Laundering Services Provider – a financial service business which is registered by the JFSC to carry on one or more of the following classes of business in accordance with the Financial Services (Jersey) Law 1998 and which is not a Managed Entity, Managed Trust Company Business or a natural person: ›              Trust Company Business – Classes G, H, L, OA and OB ›              Fund Services Business – Classes U, V, ZG, ZH, ZI and ZJ
AMLSP Direct Customer	a Supervised Person who is provided with AMLSP services by an AMLSP
AMLSP services	services provided by an AMLSP to an AMLSP Direct Customer that enable the AMLSP Direct Customer to fulfil its AML/CFT/CPF obligations
Business	any Person performing Regulated Activity which, for the avoidance of doubt, includes Supervised Persons
Category A permit holder	has the same meaning given to the term under the Insurance Business Law and the Code of Practice for Insurance Business
Certified Fund	a fund issued with a certificate pursuant to the CIF Law
CIF Law	the Collective Investment Funds (Jersey) Law, 1988
Client	a customer, investor, or other Person in respect of whom a Business is permitted to provide products or services
Cloud Services	a range of IT services (such as data storage or computing power) provided in various formats over the internet. This incorporates private, public or hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)
Codes of Practice (or Codes)	collectively, the ›        the Code of Practice for Deposit-taking Business ›        the Code of Practice for Certified Funds ›        the Code of Practice for Fund Services Business ›        the Code of Practice for General Insurance Mediation Business ›        the Code of Practice for Investment Business ›        the Code of Practice for Insurance Business ›        the Code of Practice for Money Service Business ›        the Code of Practice for Trust Company Business ›        the Codes of Practice included as part of the AML/CFT/CPF Handbook
CoBO	the Control of Borrowing (Jersey) Order, 1958
Cyber Security Services	Distributed Denial of Service (DDoS) mitigation, security information event management, vulnerability intelligence, ethical penetration testing, security operations centre, incident response, and threat intelligence or other services designed to prevent or mitigate the risk of cyber-attacks
Data Centre Services	on or off premise data storage solutions which are located in Jersey; all commonly known as and considered to be utilities
E-ID	electronic identification and verification measures
Fit and Proper	that a Person would meet the standards required to be ‘fit and proper’ within the meaning of applicable Regulatory Laws
FSJL	the Financial Services (Jersey) Law, 1998
Fund	AIF, Certified Fund, NDF, Unregulated Fund, JPF, any legacy private fund (very private fund, private placement fund or COBO only fund) or a Recognized Fund
Fund Services Business (or FSB)	the Regulated Activity, involving the provision of services described in Article 2(10) of the FSJL
Governing Body	the body within a Business that is considered to exercise ultimate control over it. Generally, this will be (i) the directors of a company, protected cell company, incorporated cell company, or the incorporated cells of an incorporated cell company; (ii) the trustee of a trust; (iii) the general partner of a limited partnership, separate limited partnership or incorporated limited partnership; or the partners of a limited liability partnership (iv) the manager or, if no manager, the managing members of a limited liability company (v) the council of a foundation. In the case of a sole trader, the Governing Body will be the sole trader
Group	any entity in common ownership or common control with the Person concerned The meaning of ‘Group’ does not include the same legal person (see sub-paragraph 2.2.3.1 of the OSP)
Group Outsourcing	an arrangement between a Business and Group Service Provider by which the Group Service Provider performs Outsourced Activity that would otherwise be undertaken by the Business itself
Group Service Provider	a Service Provider which forms part of the same Group as the Business
Insurance Business	the Regulated Activity, involving the provision of insurance business described in Article 5 of the Insurance Business Law
Insurance Business Law	the Insurance Business (Jersey) Law, 1996
JFSC (us, we)	the Jersey Financial Services Commission
Jersey Private Fund (or JPF)	a Jersey Private Fund within the meaning of the Jersey Private Fund Guide
Key Person	has the same meaning given to the term under the Regulatory Laws and covers individuals fulfilling any one of the following three roles; Compliance Officer, Money Laundering Compliance Officer, and Money Laundering Reporting Officer.
Managed Trust Company Business (or MTCB)	a Business which provides TCB services under the FSJL and which operates in Jersey as a managed entity utilising the services of a Manager
Manager	a Business which has been registered by us to conduct Class N of TCB under the FSJL
Manager of a Managed Entity (or MoME)	a Business which has been registered by us to conduct Class ZK of FSB under the FSJL
NDF	Non-Jersey Domiciled Collective Investment Fund
Network Services	fibre broadband, managed firewalls, and carrier services which provide the infrastructure to enable such services; all commonly known as and considered to be utilities
No Objection	our written confirmation that we have no objection to the Outsourcing arrangement proposed by a Business in an Outsourcing Notification
Offer Document	a prospectus or other offering document inviting a Person to become an investor of a Fund
Original CP	JFSC Consultation No.6 2022 Revised Outsourcing Policy (OSP) – A consultation on changes to the current JFSC OSP and Guidance Notes, Issued: June 2022
Outsourced Activity	activity that is performed by a Service Provider that would otherwise be undertaken by a Business itself
Outsourcing	an arrangement between a Business and a Service Provider by which: ›        a Service Provider performs Outsourced Activity; and ›        where that Service Provider’s failure to perform or inadequate performance of such Outsourced Activity would materially prevent, disrupt, or impact upon the continuing compliance of that Business’ Regulated Activity
Outsourcing Agreement	a written, legally binding agreement between a Business and a Service Provider that reflects the risk, size and complexity of the Outsourced Activity
Outsourcing Notification	a notification as required by Core Principle 6 of the OSP
Person	any natural or legal person (including a body of persons corporate or unincorporated)
Principal Person	has the same meaning given to the term under the Regulatory Laws and includes: a director, a shareholder controller, a manager, a senior officer, and a chief executive
Supervisory Bodies Law	the Proceeds of Crime (Supervisory Bodies) (Jersey) Law, 2008
Recognized Fund	a fund in respect of which there is a recognized fund certificate issued by us under the Collective Investment Funds (Recognized Funds) (General Provisions) (Jersey) Order 1988 or the Collective Investment Funds (Recognized Funds) (Rules) (Jersey) Order 2003
Regulated Activity	activity conducted by a Business pursuant to the Regulatory Laws for which a licence/registration/consent must be held. In relation to activity conducted by a Business pursuant to CoBO, this is limited to where the Business is a Fund.
Regulatory Laws	collectively, the: ›        Alternative Investment Funds (Jersey) Regulations, 2012 (AIF Regulations) ›        Banking Business (Jersey) Law, 1991 ›        Collective Investment Funds (Jersey) Law, 1988 (CIF Law) ›        Control of Borrowing (Jersey) Order, 1958 (CoBO) ›        Financial Services (Jersey) Law, 1998 (FSJL) ›        Insurance Business (Jersey) Law, 1996 (Insurance Business Law) and ›        Proceeds of Crime (Supervisory Bodies) (Jersey) Law, 2008 (Supervisory Bodies Law)
Service Provider	a Person who performs Outsourced Activity on behalf of a Business
Specialised Central Support Functions	where a Group Service Provider performs specific Outsourced Activity (for example, IT, Finance, Compliance, or other Central Support functions) on behalf of other Businesses in the Group
Sub-Contractor	a third-party sub-contractor of the Service Provider
Sub-Outsourcing	an arrangement between a Service Provider and a Sub-Contractor by which the Sub-Contractor performs Outsourced Activity that would otherwise be undertaken by the Service Provider on behalf of a Business
Supervised Person	has the same meaning given to the term within Article 1 of the Supervisory Bodies Law
Telecommunication Services	has the same meaning given to the term within the Telecommunications (Jersey) Law, 2002 and includes Network Services and Voice Services but does not include Data Centre Services and/or Cyber Security Services
Trust Company Business (or TCB)	the Regulated Activity, involving the provision of services described in Article 2(4) of the FSJL
Unregulated Fund	has the same meaning given to the term within the Collective Investment Funds (Unregulated Funds) (Jersey) Order 2008
Voice Services	fixed telephone lines and video conferencing facilities

1 Executive Summary

1.1 Overview

1.1.1   On 30 June 2022 the JFSC issued the Original CP which sought views on proposals regarding changes to the current JFSC OSP and Guidance Notes, issued March 2017 and revised last December 2020 (the Current OSP and Guidance Notes), in the form of a revised OSP (the Revised OSP).

1.1.2   The purpose of this paper is to:

1.1.1.1 provide feedback on the responses received to the Original CP; and

1.1.1.2 consult further on the latest draft of the proposed Revised OSP, attached under Appendix A.

1.2 Original CP feedback received

1.2.1   Respondents provided comments either directly to us or indirectly via Jersey Finance.

1.2.2   Jersey Finance provided us with ten responses, one of which was also sent directly to us. Responses were received from a cross section of businesses including a bank, trust company businesses, investment businesses, fund services businesses, family offices and a law firm.

1.2.3   Except for the one respondent that responded to both Jersey Finance and to us, one other respondent provided comments directly to us. A full list of respondents is given in Appendix B.

1.2.4   Section 2 of this paper presents a summary of the substantive comments received and the JFSC’s response.

1.2.5   The JFSC is grateful to respondents for taking the time to consider and comment on the proposals.

1.3 Follow-on consultation

1.3.1   Taking account of the responses received to the Original CP, we are issuing this follow-on consultation on the latest draft of the proposed Revised OSP (the Follow-on CP).

1.3.2   Feedback on the draft Revised OSP appended to the Follow-on CP should be received no later than 28 February 2023.

1.3.3   We will then consider any further feedback on the Revised OSP with the aim of publishing a final Revised OSP in April 2023.

1.3.4   There will be a three-month transition period, commencing on the date we issue the final Revised OSP.

2 CP feedback

2.1 Feedback received

2.1.1   This section summarises the substantive comments received in response to the Original CP. While not every comment received is individually listed, this section contains summaries of the key common and pertinent comments in relation to each question posed and, as appropriate, the JFSC’s response to those comments.

2.1.2   The comments that were received can be split into those responding to a specific question posed in the CP and those on other matters. This section is structured on those lines.

2.2 Question 1: Have you identified any unintended consequences of exempting Telecommunication Services from the application of the Revised OSP?

2.2.1   “The specific exemption for Telecommunication Services provides welcome clarity for this commodity. However, it is noted that the exemption for Data Centre Services applies to data storage solutions located in Jersey only. Is this intended?”

JFSC response No, this was not intended. The meaning of ‘Telecommunication Services’ for the purpose of the Revised OSP has been amended to have “the same meaning given to the term within the Telecommunications (Jersey) Law, 2002 and includes Network Services and Voice Services but does not include Data Centre Services and/or Cyber Security Services.” Data Centre Services and/or Cyber Security Services are not exempt activities for the purpose of the Revised OSP and where such activity is outsourced by a Business to a Service Provider, the requirements of the Revised OSP will apply.

2.3 Question 2: Do you consider the specific guidance in the Revised OSP in relation to where a Service Provider performs Outsourced Activity in the form of Cloud Services to be adequate? If not, please provide further detail in the comments section of this question.

2.3.1   “In respect to the first point under 3.5.5, it states that exit/termination arrangements should be “tested” including how data will be removed and transitioned to the new service provider. How is data to be “removed” if a new provider is not in place? Similarly, you would only engage a new provider if there was a business need so you cannot test the “transition”. Technology continues to evolve at a rapid pace and decisions will ultimately be made on a new provider at the time one is required and following an appropriate beauty parade. Surely a better approach is to document how the data can be exported from the current provider, in what format and over what time-period?”

JFSC response Re-numbered sub-paragraph 3.5.5.1 has been amended to provide as follows: “having in place, well understood exit/termination arrangements which, amongst other things, should provide for how data can be exported from the current Service Provider, in what format and over what time- period and, where a new Service Provider is to be appointed, how data will be transitioned across to the new Service Provider.” Previous reference to “testing” has been removed and it has been made clear that a new Service Provider will not necessarily be appointed where there is no business need on the exit/termination of the current Service Provider.

2.3.2   “The drafting of the consultation seems to indicate the JFSC appear to have more concerns about cloud storage than businesses undertaking IT in house. Our experience suggests the concern should, if anything, be the other way around. Businesses who undertake IT in house must face greater risk than an effectively implemented cloud solution. In many respects cloud providers have evolved to the point where they are no different to utility providers, which are not within scope of the CP. We would suggest the JFSC regard running and managing IT infrastructure is not part of the business of a financial services firm. It is required as a substructure to run a modern business and external providers of this structure are not outsource partners. We encourage the JFSC to support the use of expertise and at the least do not create barriers to the adoption of technology that lowers risk. In fact, there is a strong argument that internally run IT poses threats by virtue of running outdated systems which could have impaired security to externalised systems. At the very least we encourage the JFSC does not create a two-tier approach which hinders technology innovation and security. Further, if all financial services businesses tried to run internal departments, there would be insufficient IT resources on the Island to be able to undertake this, so we are concerned that by the JFSC promoting an outdated methodology it becomes contrary to the best economic interests of Jersey.”

JFSC response Whilst it is not the case that we “have more concerns about cloud storage than businesses undertaking IT in house”, as noted in the Original CP in relation to Cloud Services, we considered amending the Revised OSP to provide that where a Service Provider performs Outsourced Activity in the form of Cloud Services on behalf of a Business as part of its non-Regulated Activity, such Outsourced Activity would not be caught. However, due to the associated concentration risks and the fact that this option would not be in line with international standards we opted instead, to provide tailored guidance and provisions in the revised OSP to where a Service Provider performs Outsourced Activity in the form of Cloud Services.

2.3.3   “In addition to this, as currently drafted the JFSC require the right to visit outsourced providers. Thinking practically, does the JFSC propose to visit providers such as Microsoft and Amazon Web Services? These are some of the ultimate providers of the systems that are adopted by industry. Do the Supervision team believe they have the knowledge and experience to make material determinations in respect to these providers? This is what the current CP suggests is required?”

JFSC response In terms of our right to visit Service Providers, the JFSC will be proportionate in its response depending on the level of risk and the resources available to mitigate the risk.  The key point here is that regardless of who the Service Provider is, we should not be prevented from performing our functions under the law and in some cases, to understand how the Business is managing its Cloud Services Outsourcing arrangement in the context of its overall business and risk profile, we may need to visit a Service Provider.

2.3.4   "Query re section 3.4.5. of the Appendix D draft OSP - bullet point 3 - reference to the ‘Service Provider’ ‘having sufficient skill and resource to oversee outsources activity, appears to be an error should this be ‘the Business’? As a general observation on this point there has been and there continues to be an accelerated move toward externally hosted IT services, and Cloud services in particular. As recognised within the consultation, this is a very specialist area and there is an argument that in many cases an assessment of the fitness and propriety of a service provider will come down to referrals and in some cases past experiences with a provider, and of course suitable industry standard ISO certification standards. While due diligence questionnaires and checklists might provide the raw data on which an assessment might be based there is a risk that the ability to understand, assess and more importantly effectively challenge the information provided by the service provider will be limited. To the extent a business chooses to outsource IT services and hosting means that in all likelihood there is insufficient or reduced expertise/capability or capacity to provide the services in house, therefore the ability to adequately test and monitor the outsourced services may also be compromised and while Service providers assurance reports may be useful, they may be perceived as self-certification. In such cases the answer might be to engage an alternative external provider to monitor and test the outsourced services, (again therefore potentially outsourcing that oversight obligation). However, aside from the inevitable cost implications, such an arrangement would potentially result in conflicting interests on the part of the third-party adviser and, given the limited number of providers in the Island and continued consolidation in that space, would result in a further narrowing of the pool of available service providers. An approved, or ideally regulated, pool of cloud service providers would be desirable (albeit unlikely) particularly in view of increasing industry standardisation. It is recognised that faced with a largely shared data infrastructure, it is possible that issues affecting service delivery or data security might impact multiple businesses and individuals (regulated, supervised or not) at the same time, and result in a downward chain of diverse and in some cases simultaneous data protection and regulatory reporting obligations (of varying quality/consistency) all predicated by the same event.”

JFSC response Reference to “whether the [Service Provider] has sufficient skill and resources to oversee and test the Outsourced Activity and to identify, monitor and mitigate against all associated risks” under new sub-paragraph 3.4.5.3 is correct and should not be to the ‘Business’ in this context. This ties back to Core Principle No.1 “A Business is responsible for and accountable to the JFSC for any Outsourced Activity” and Core Principle No.2 “A Business must ensure that any Service Provider performing Outsourced Activity is Fit and Proper at all times.”

2.3.5   "JFSC approach now provides welcome clarity. In relation to cloud specifically, additional examples would be helpful e.g. does a service that acts a container for large volumes of customer data qualify by virtue of the role it plays fulfilling GDPR obligations or, is this only in scope if it supports downstream critical services.”

JFSC response Both examples outlined, i.e.  (i) Cloud Service that acts as a container for large volumes of customer data; and (ii) downstream critical Cloud Service, would most likely fall within ‘Cloud Services’ for the purpose of the revised OSP. In relation to the first example, we recommend for any Business procuring the services of a Cloud Service Provider, that it firstly considers Principle 3 of the relevant Code of Practice and Section 10 of the AML/CFT Handbook which both relate to record keeping requirements.  Regarding the second example, should the Business be unable to act with due care, skill, and diligence without the support of its downstream critical Cloud Service provider, the revised OSP will apply.

2.4 Question 3: Have you identified any unintended consequences of a Business not being required to notify us of any of its Cloud Services Sub-Outsourcing arrangement(s)?

2.4.1   “Para 3.6.5 – states that a Service Provider can sub-outsource Cloud Services to a Sub Contractor. In such circumstances, the Business is not required to complete and upload an Outsourcing Notification or wait for a No Objection before the Sub-Contractor starts to perform the Outsourcing Activity. That said, the Business is still required to complete and upload an Outsourcing Notification and await a No-Objection from the JFSC in respect of its primary Service Provider. Can you clarify how the JFSC envisage this working in practice? For an Outsourcing Arrangement that has not previously been notified, are you suggesting a cloud service that has been sub contracted can go-live without waiting for a no objection in relation to the primary Service Provider? We would expect them both to go live at the same time. Are you simply trying to confirm that sub-outsourcing will not in-and-of-itself trigger a notification, either because of the above, or through the revised wording of the OSP that requires notification if there is a “material change to the outsourcing activity”? i.e. you do not deem a new, or change to a, sub-outsource to a cloud service provider a material change?”

JFSC response Sub-Outsourcing in the context of Cloud Services often involves a multitude of Service Providers on the supply chain who can be swapped ‘in and out’ depending on the location and services at short notice. Taking account of these complex supply chains and nuances associated with Cloud Services, the Revised OSP provides an exception to the rule in terms of the Sub-Outsourcing of Cloud Services.   Sub-paragraph 3.6.5 of the Revised OSP provides that “Where a Service Provider Sub-Outsources the performance of Outsourced Activity in the form of Cloud Services to any Sub-Contractor(s), the Business is not required to complete and upload an Outsourcing Notification or wait for us to issue it with a No-Objection before the Sub-Contractor(s) can start performing the Outsourced Activity. The Business is still however required to complete and upload an Outsourcing Notification and await a No-Objection from us in respect of the proposed Outsourcing arrangement with its primary Service Provider.”  For the avoidance of doubt, a Service Provider who Sub-Outsources the performance of Outsourced Activity in the form of Cloud Services to any Sub-contractor must not do so until such time as a No-Objection has been issued by us in respect of the primary Cloud Services Outsourcing arrangement between itself and the Business.

2.4.2   “There is the potential that the approach may serve to erode the due diligence cloud services consumers undertake on the Cloud service provider and undermine other requirements in the OSP (e.g. the requirement to understand where data resides and how it is processed if this is undertaken by sub-contractors)."

JFSC response The provisions of the Revised OSP, apply in full where a Service Provider Sub-Outsources the performance of Outsourced Activity in the form of Cloud Services to any Sub-Contractor(s), the only exception being that the Business is not required to complete and upload an Outsourcing Notification or wait for us to issue it with a No-Objection before the Sub-Contractor(s) can start performing the Outsourced Activity provided that a No-Objection has been issued by us in respect of the primary Cloud Services Outsourcing arrangement between Service Provider and the Business. To reaffirm this point, amended sub-paragraph 4.3.1 expressly provides that “A Business must carry out adequate due diligence and risk assessment of each Service Provider and Sub-Contractor under the Sub-Outsourcing arrangement.”

2.4.3   "The proposed approach isn't consistent with the approach taken by other regulators so Businesses with multi-jurisdictional presence will need to take care to maintain local compliance.”

JFSC response We note and agree that Business’ with multi-jurisdictional presence will need to take care to maintain local compliance.

2.5 Question 4: Have you identified any unintended consequences or unusual results due to the requirement for all Supervised Persons to comply with the Revised OSP?

2.5.1   “The key concern from a funds industry perspective is to mitigate the impact of the changes on the numerous businesses, previously exempt from regulation, which will find themselves, in short order, (i) subject to direct AML/CFT obligations under the Money Laundering (Jersey) Order 2008 (the MLO) as a result of changes to Schedule 2 to the Proceeds of Crime (Jersey) Law 1999, and (ii) in scope of the Revised OSP, which now extends to all Supervised Persons, in tandem with the recent changes to the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008 (the SBL). These businesses are generally SPVs which rely on the services of a JFSC-regulated trust company business service provider (the TCBSP) to comply with their statutory obligations.

2.5.2   The ease of use of these SPVs within fund structures (and other private, non-fund structures) is a fundamental element of Jersey's attraction to international business. It is therefore imperative that we minimise any impact on these businesses, including by (i) being absolutely clear the limited extent to which the Revised OSP will apply to them and (ii) making it as straightforward as possible for them to comply with the Revised OSP, in reliance on the TCBSP, without requiring extensive additional filings or delay in doing business."

2.5.3   We would strongly suggest that the Revised OSP is recast so as to make clear that Businesses which rely on the services of a TCBSP to enable them to comply with AML/CFT requirements are subject to a similar carve-out as applies for managed entities which rely on a MoME to enable them to comply with the regulatory framework.

2.5.4   In each case, the onus remains on the regulated Business itself to comply, but in the case of Managed Entities the JFSC is comfortable with these arrangements falling outside the scope of both the Current OSP and the Revised OSP, on the basis that the service providers (ie. MoMEs) are registered under the Financial Services (Jersey) Law 1998 and themselves subject to the outsourcing policy (as well as other more extensive regulatory oversight by the JFSC). The Revised OSP also applies a similar approach to Managed Trust Company Business. We would ask that the same approach be applied where a TCBSP provides AML/CFT support to a Business.

2.5.5   Providing a blanket carve-out will also avoid the unusual result whereby a Business of this kind would need to file a Sub-Outsourcing Notification where the TCBSP delegates its services. Service agreements with TCBSPs often contain clauses permitting delegation to group entities in Jersey or elsewhere, without prior consent of (and, in some cases, without notification to, the Business to which services is provided). In these circumstances, for Businesses to comply with Sub-Outsourcing requirements would require amendments to the terms of the service provider agreements, which would be a massively disruptive exercise. We note that, in theory, the exemption for funds (at sub-paragraph 3.2.2.5 of the Current OSP and now under the fifth bullet point of sub-paragraph 2.2.3 of the Revised OSP) could apply to a number of these vehicles.

2.5.6   However, this is not sufficient to assuage the above concerns because (i) not all of the affected entities now in scope are funds (for example, general partners of non-fund limited partnerships) so the exemption would not apply to them, (ii) private funds often do not have Offer Documents or equivalents that might contain any disclosures of the kind required, and (iii) in any event it would be highly unusual for an Offer Document to disclose risks connected to the outsourcing of AML/CFT services or for any changes in those arrangements to be disclosed to investors.

2.5.7   A blanket carve-out of the kind we suggest above would appear to be the most straightforward approach to minimising the impact on private fund and non-fund structures, while ensuring the JFSC has oversight of any outsourcing (i) by those structures to non-TCBSPs or (ii) by the TCBSPs themselves. It is essential that the limited scope of the Revised OSP is clear, and that compliance with the requirements should be made as straightforward as possible. Failure to do so, or the presence of any ambiguity in the Revised OSP, will cause uncertainty and risk damaging Jersey's attractiveness for private fund and non-fund structures.”

JFSC response The Revised OSP provides under new sub-paragraph 2.2.3.9 that “The following Outsourced Activity is also not caught by the OSP…… where a Service Provider which is an AMLSP, performs Outsourced Activity (i.e. AMLSP services) on behalf of an AMLSP Direct Customer where the relevant AMLSP Direct Customer is registered as a Supervised Person pursuant to the Supervisory Bodies Law, and where, such AMLSP services are consistent with the standards set out in the Codes and Guidance notes for AMLSPs in the AML/CFT/CPF Handbook.”

2.5.8   “Per sub-paragraph 2.1.3 of the Revised OSP, we understand it's intended that any Business now in scope solely as a result of the above changes should only have to comply with the Revised OSP in respect of their AML/CFT obligations. However, we note sub-paragraph 2.1.3 applies to Supervised Persons who are ""not subject to any other Regulatory Laws"" other than the SBL. We anticipate that these persons will also be in possession of (at least) a consent under the Control of Borrowing (Jersey) Order 1958, which is also a ""Regulatory Law"". As such, it is unclear in what circumstances the carve-out in 2.1.3 would apply. We suggest making this clearer by: " (i) Removing reference to the Control of Borrowing (Jersey) Order 1958 (COBO) from the definition of Regulatory Laws (or, if there are specific articles of that Order which would bring a holder of a consent within scope of the Revised OSP irrespective of its status under the SBL, referring specifically to those articles). The reference to COBO implies that the matters for which COBO consent is required (such as issuing interests or circulating an offer) are Regulated Activity subject to the Revised OSP. We do not believe this should be the case (or else the Revised OSP will have vastly extended scope, which would be highly undesirable); (iii) In section 2.2, including an example specifically covering a private fund structure or non-fund SPV where the Business is only in scope of the Revised OSP as a result of being a Supervised Person under the SBL, clarifying that in that case AML/CFT obligations would be subject to the Revised OSP but specifically referring to other activities of the Business as being non- Regulated Activity.”

JFSC response In relation to activity conducted by a Business pursuant to CoBO, this is limited to where the Business is a ‘Fund’ within the meaning of the OSP. Please see the Revised OSP definition of ‘Regulated Activity’ meaning “activity conducted by a Business pursuant to the Regulatory Laws for which a licence/registration/consent must be held.  In relation to activity conducted by a Business pursuant to CoBO, this is limited to where the Business is a Fund.” Notably private fund structures are included within the meaning of ‘Fund’ for the purpose of the Revised OSP. Sub-paragraph 2.1.3 has been amended to include the below underlined wording: “For a Supervised Person who is not subject to any other Regulatory Laws other than the Supervisory Bodies Law, the application of the OSP is limited to Outsourced Activity arising from its obligations pursuant to the Supervisory Bodies Law (for example, in the case of a Supervised Person which is a non-Fund special purpose vehicle not subject to any Regulatory Laws (within the meaning of the OSP) other than the Supervisory Bodies Law, its obligations under the OSP are limited to any Outsourced Activity arising from its AML/CFT/CPF obligations only). These obligations are explained in detail within the AML/CFT Handbook and/or the Money Laundering (Jersey) Order 2008.”

2.6 Question 5: Have you identified any unintended consequences of Managed Trust Company Business (MTCB) being exempt from the application of the Revised OSP?

2.6.1   Only positive feedback received.

JFSC response Thank you for the positive feedback.

2.7 Question 6: Do you consider the revised OSP to read more clearly, easily and simply, therefore making it more ‘user-friendly’ than the Current OSP and Guidance Notes?

2.7.1   "Regarding layout, particularly in part 3, it might help the reader to reinforce / repeat in the sub section headings the core Principles to which they relate, for example ""3.1. Core Principle 1 – A Business is Responsible for ...."" I raise this only because when navigating the 22 page document (there is a blank at page 11) it would be useful to remind readers what they're reading – and specifically the importance of the section.”

JFSC response Accepted. Latest draft Revised OSP amended to factor in this feedback.

2.7.2   “It would have been useful, faster for review purposes, if possible, to provide a redline to track changes introduced."

JFSC response Due to the extent of the changes made to the Current OSP and Guidance notes in the form of the Original Revised OSP, it was not possible to produce a redline.

2.7.3   "We would ask that the sub-paragraphs in the Revised OSP are all numbered (as in the OSP), rather than presented as bullet points. This will assist with referencing, and make it easier for Businesses to track how their policies and procedures comply with each applicable paragraph.”

"Could clarity be given please to the following, in the section Group, the JFSC Response makes reference to “The meaning of ‘Group’ does not include the same legal person (see paragraph 2.2.3.1 of the OSP)” there is no 2.2.3.1.

JFSC response All sub-paragraphs in the Revised OSP are now numbered, including sub-paragraph 2.2.3.1.

2.7.4   “We also suggest the various Regulatory Laws are defined in the Glossary where referred to elsewhere (for instance, ""AIF Regulations"" is used in the definition of Alternative Investment Fund, but not defined).”

JFSC response The Glossary has been amended to take account of this feedback.

2.7.5   “Paragraphs 2.2.1 and 2.2.2 are not clear. Paragraph 2.2.2 begins ""Specifically"", suggesting it is a continuation of the more general statement in 2.2.1. If this is the case, could paragraph 2.2.2 be amended to clarify that it is a non-exhaustive list. Alternatively, if 2.2.2 is to be read separately to 2.2.1 (ie. as a specific list of activities that in all circumstances are not caught by the Revised OSP) then 2.2.2 should begin with ""In addition"" or similar.”

JFSC response 2.2.2 is to be read separately to 2.2.1 (i.e. as a specific list of activities that in all circumstances are not caught by the Revised OSP). “Specifically” has been replaced with “In addition” at the beginning of sub-paragraph 2.2.1.

2.7.6   “We strongly suggest that the fourth bullet point under paragraph 2.2.3 (covering exemption for MoME services) is replaced with the simpler wording used in paragraph 3.2.2.6 of the Current OSP regarding ""MoME Arrangements"". We are not aware that there is any intention to change the basis on which MoME arrangements are exempt. However, the wording appearing in the Revised OSP is more confusing and will cause concern that each Managed Entity will need to reassess."

JFSC response The basis on which MoME arrangements are exempt remain the same for the purpose of the Revised OSP. This sub-paragraph is consistent with sub-paragraphs 2.2.3.3. and 2.2.3.9. The following wording has been removed from sub-paragraph 2.2.3.4 “to enable that Person (the managed entity) to comply with a material part of the regulatory framework” and should now read more easily.

2.7.7   “If we propose to make a material change to an existing Outsourced Activity, are we required to complete an Outsourcing Notification (using the template) or notify in free form? If the former, I’m not sure the specific details covered in 6.1.1 (embodied within the template) are tailored to this scenario. When a material amendment is proposed, are the timing restrictions supposed to be applicable – i.e. do the JFSC expect a Business to wait before a no objection is received before agreeing to the material change? On the wording of the policy, this does not appear to be its intention as it suggests we could enter into a material amendment and then following such change, notify the JFSC. Clarity on the position would be appreciated.”

JFSC response Please see new section 6.4 of the Revised OSP that refers to the new Material Change to Outsourcing Notification form that will be made available and must be made via myJFSC in the event of material change(s) to an existing Outsourcing arrangement for which a No Objection has been granted. The submission of a Material Change to Outsourcing Notification will be a straight-through process and will not require a further No Objection from us unless there has been a change to the nature of the Outsourced Activity itself (in which case, a further No Objection will be required).

2.8 Question 7: Do you consider the specific guidance in the Revised OSP in relation to each Core Principle, Sub-Outsourcing, Group Outsourcing and the Outsourcing Notification process to be adequate? If not, please provide further detail in the comments section of this question.

Group

2.8.1   "I would like to seek clarity in respect to the definition of ""Group"" as intended in the Companies (Jersey) Law, 1991, with reference to 'subsidiary' and 'holding body'. This would imply or indicate that only corporates can be a group for this purpose, however, the definitions in the consolidated AML handbook appear much wider.”

“The draft OSP references all Supervised Persons must comply with the Revised OSP in accordance with the new consolidated AML/CFT Handbook, the definition of ""Group"" as defined in the AML Handbook is much wider and differs to that of the Companies (Jersey) Law.”

2.8.2   “The OSP in its current draft does not allow for Groups such as ours which comprises of common law partnerships. The definition in the consolidated handbook allows us to consider ourselves a Group, please could the definition in the draft OSP be amended to reflect what is in the consolidated AML/CFT Handbook?”

2.8.3   “The definition of Group is overly narrow because it relates only to subsidiaries or holding bodies of bodies corporate. This would exclude group structures in which non-bodies corporate (such as limited partnerships) are holding entities. The definition is also linear (ie. catches subsidiaries and their holding companies, but does not clearly extend to fellow subsidiaries of a common holding entity). Please extend this definition to capture any entity in common ownership or common control with the person concerned.”

JFSC response ‘Group’ for the purpose of the Revised OSP definition now means "any entity in common ownership or common control with the Person concerned".

Sub-Outsourcing

2.8.1   "Section 2.2.3.5 of the OSP states that where a Service Provider performs Outsourced Activity on behalf of a Fund, it is not caught by the OSP where certain conditions are met. We believe that this would include where a Fund has employed an administrator to undertake the Customer Due Diligence (CDD) on the investors in the Fund (where it is duly disclosed in the Fund’s offer documents etc). In the event that the administrator then contracts with an E-ID provider or a customer AML screening provider for instance (as part of its CDD processes, which would include investor CDD), would this be considered Sub-Outsourcing and subject to the OSP, even though the original Outsourced Activity is not subject to the OSP? If that is the intention, we believe that further guidance will be required in the OSP on how the Fund, which would normally have no employees of its own and is reliant upon the administrator to undertake all operational activities on its behalf, would be able to comply with all of the Core Principles of the OSP."

2.8.2   "We propose that the outsourcing policy could be clearer regarding the treatment of instances where a Jersey FSB may provide services for a “Fund” and that Fund may have SPVs which are not domiciled in Jersey and which, although the main contract is with the Jersey FSB, may also need to “delegate” necessary work to a local service provider to perform the local filing requirements (registered office, statutory filings, etc). It should be clear that this type of arrangement is outside of the scope of the outsourcing policy and any instances, if any, where it would come into scope of the outsourcing policy. Background – [the Business] provides services to a fund and underlying SPVs in relation to which services are delegated to a Singapore-based third-party financial services provider because we are not able to perform those tasks in Jersey (both due to Singapore requirements and due to inability). [The Business] believes that the outsourcing policy could be clearer as to whether such arrangements are in scope or out of scope by necessity (ie the services cannot be undertaken in Jersey and the work needs to be performed locally in a different jurisdiction so is not subject to oversight).

JFSC response The first point to note is that there is now an exemption from the Revised OSP where a Service Provider provides automated third-party AML/CFT/CPF screening systems to a Business (see new sub-paragraph 2.2.3.10). More generally, in the circumstances where a Fund has met the conditions under sub-paragraph 2.2.3.5 and is exempt from the application of the Revised OSP, any Outsourcing or Sub-Outsourcing arrangement the Fund is party in relation to it, or an underlying special purpose vehicle, is also exempt. An example of this is where a Fund engages the services of an administrator to fulfil its (the Fund’s) obligations under the Money Laundering (Jersey) Order 2008, who then subsequently employs a Sub-Contractor (such as an E-ID provider) to meet these obligations. Sub-paragraph 2.2.3.5 has been amended to make this position clear. Where however, the administrator is regulated by the JFSC under one or more of the Regulatory Laws and employs for example an E-ID provider to meet its (the administrator’s) own regulatory requirements, this Outsourcing arrangement will be subject to the requirements of the Revised OSP and will require a No-Objection from us.

2.8.3   "While the OSP does not go to the same level of detail as other regulators equivalent guidance. We believe the guidance to be generally adequate. However, if smaller legal entities place over reliance on due diligence assessments undertaken by much larger entities within the same Group, it may serve to mask locally material risks associated only with the smaller legal entity or where due diligence may be outdated etc. It would be beneficial to qualify what elements of the diligence can be leveraged (or cannot) and the circumstances under which this can happen (e.g. if completed within the last 1 or 2 years) and any additional considerations in these circumstances.

JFSC response We note the concern over the potential risk of smaller legal entities placing over reliance on due diligence assessments undertaken by much larger entities within the same Group, where due diligence may be outdated etc. but, ultimately, it is for each Business to make a risk assessment on what elements of the diligence can be leveraged (or cannot) and the circumstances under which this can happen (e.g. if completed within the last 1 or 2 years) and any additional considerations in these circumstances.

2.8.4   “A number of Service Providers will not necessarily be required to be regulated in their home jurisdiction. They should not as a result automatically be deemed not to be Fit and Proper under the first bullet point of paragraph 3.2.1. Please clarify that a Service Provider may still be Fit and Proper for the performance of Regulated Activity in these circumstances (or that the JFSC may require additional information in the Outsourcing Notification to outline why the Business still deems the Service Provider to be Fit and Proper). This reflects the approach taken in the Expert Fund guide, for instance (paragraphs 2.7.4.1 and 2.7.4.2 of that guide).”

JFSC response Sub-paragraph 3.2.1.1 has been amended to provide that “A Business should conduct suitable and proportionate due diligence to satisfy itself that: where a Service Provider performs Outsourced Activity as part of the Business’ Regulated Activity, the Service Provider is itself regulated for the performance of the Regulated Activity and complies with all applicable Regulatory Laws (this does not apply where the Outsourced Activity is non-Regulated Activity or where the relevant Service Provider is not required to be regulated for the Outsourced Activity in its home jurisdiction)”

2.8.5   “Please provide clarity on how Businesses can ensure Service Providers are Fit and Proper ""at all times"", ie. that they may comply with this by having policies and procedures in place for regular monitoring of the Service Provider's status, and identifying service level disruption when it occurs. If the ongoing evaluation of a Service Provider's fitness and propriety is to be covered under Core Principle No. 4, then we would suggest the words ""at all times"" are deleted from Core Principle No. 2.”

JFSC response Reference to “at all times" has been deleted from Core Principle No. 2 and sub-paragraph 3.4.6 has been amended to provide as follows: “By having policies and procedures in place for regular monitoring of the Service Provider's status, and identifying service level disruption when it occurs, at all times, a Business should be able to demonstrate to us that a Service Provider’s performance of any Outsourced Activity on its behalf is effective, reliable, robust and, complies with the OSP.”

2.8.6   “In the first bullet point of paragraph 3.2.4, please replace ""its staff"" with ""its personnel"". This will avoid the implication that the human resources are limited to the employees of the business itself (rather than, for instance, directors or partners, or employees of related businesses engaged in the activities of the Service Providers though not directly employed by it).”

JFSC response Reference to “staff" in sub-paragraph 3.2.4.1 has been replaced with "personnel".

2.8.7   “Please consider deleting the words ""legally binding"" from Core Principle No. 3, on the basis that these words are already included in the definition of Outsourcing Agreement itself.”

JFSC response The words "legally binding" have been removed from Core Principle No. 3.

2.8.8   “Regarding sub-paragraph 4.3.2, we are concerned that in many cases (especially concerning the Outsourcing of non-Regulated Activity, and where services are provided on standard terms and conditions) it may not be practicable to require prior approval of a Business to sub-outsourcing. Please could the JFSC consider a more flexible approach to this (such as the ability of the Business to file a post-event Outsourcing Notification and terminate the Service Provider's appointment if a Sub-Contractor is not acceptable).”

JFSC response To address this concern, sub-paragraph 4.3.2 has been amended to provide as follows “Generally, a Business should put in place an Outsourcing Agreement between it and the Service Provider which states, amongst other things, that Sub-Outsourcing is permitted provided that the Business has prior knowledge of the Sub-Outsourcing arrangement and has granted its approval (to be granted only once the Business has properly considered all associated risks). It may not however, be practical to always obtain the prior approval of the relevant Business to the Sub-Outsourcing arrangement. Typically, this will be because the Sub-Outsourced Activity is provided on standard terms and conditions. In these very limited circumstances, we would expect a Business to carefully manage the relationship with its primary Service Provider and to file a post-event Outsourcing Notification as soon as it is on notice of the Sub-Outsourcing arrangement detailing why it was not possible to make an Outsourcing Notification prior to the commencement of the Sub-Outsourced Activity. Where a No Objection is not granted, the relevant Business must terminate its relationship with the primary Service-Provider as soon as reasonably practicable.

2.8.9   “In relation to the exemption for Outsourced Activity performed for a Fund (set out under the fifth bullet point of paragraph 2.2.3), please consider whether it might be appropriate to extend this exemption to situations where, rather than disclosing a specific Service Provider, an Offer Document may disclose that services will be obtained from a defined group of service providers (such as, in the case of outsourcing by an investment advisor, obtaining advice from a 'network' of unnamed advisory entities within a particular group structure). Provided the 'pool' of service providers (and associated information required under this bullet point) can be defined with sufficient clarity to enable investors to understand the broad class of service provider that may be engaged, this should provide sufficient disclosure for the investors' purposes. Taking this pragmatic approach will mean that Funds are not troubled to issue regular updates to Offer Documents in such circumstances, and that investors are presented with all necessary information at the outset.”

JFSC response Sub-paragraph 2.2.3.5 has been amended to include reference to a “defined Group of Service Providers”

2.8.10   “Please ensure that it is possible for Outsourcing Notifications to be prepared in draft (including, for instance, by legal advisers to a structure who are not Platform Users), saved, and shared for comment using a medium that is easily reviewable outside of the myJFSC platform. If an Outsourcing Notification is not capable of being viewed (and compared / edited) on Word, it is significantly harder for advisers and other stakeholders to provide input.”

JFSC response The myJFSC portal has the ability to download saved (but not submitted) applications to enable collaboration between relevant parties. It should however be noted that a Business should be aware of and understand the contents of each Notification as it is ultimately responsible for signing the declarations.

2.8.11   “We suggest that regulated TCB administrators are able to file Outsourcing Notifications on behalf of the entities they administer (rather than requiring individual Businesses each to set up myJFSC user profiles).”

2.8.12   “We have serious concerns that the vast increase in Outsourcing Notifications and Sub- Outsourcing Notifications will create service level issues on the JFSC's side, relating to those notifications and other application timescales. Any failure to meet these timescales will have a direct and adverse effect on businesses (and therefore on the Jersey funds and wider finance industry). How will the Commission process Outsourcing Notifications and Sub-Outsourcing Notifications on a timely basis on top of existing demands?”

2.8.13   “Linked to the previous point, please consider including a list of scenarios where Outsourcing Notification and Sub-Outsourcing Notification itself is sufficient (ie. No Objection not necessary) or where it will be provided on an expedited basis.”

JFSC response The new exemptions from the application of the Revised OSP: “Where a Service Provider which is an AMLSP, performs Outsourced Activity (i.e. AMLSP services) on behalf of an AMLSP Direct Customer where the relevant AMLSP Direct Customer is registered as a Supervised Person pursuant to the Supervisory Bodies Law, and where, such AMLSP services are consistent with the standards set out in the Codes and Guidance notes for AMLSPs in the AML/CFT/CPF Handbook”; and “Where a Service Provider provides automated third-party AML/CFT/CPF screening systems to a Business.” should go some way to alleviating this concern. Besides the exception to the rule in terms of the Sub-Outsourcing of Cloud Services there is no scenario where a No Objection will not be required where the Outsourced Activity falls within the scope of the Revised OSP.

2.8.14   “Please confirm that no fee will be charged in respect of Outsourcing or Sub-Outsourcing Notifications.”

JFSC response No fee will be charged in respect of any Outsourcing Notification.

2.8.15   “In paragraph 6.3.4, please amend the words "following the published timeframes" to read "in line with the published timeframes". Where a Fund is being established, the published timeframes for that Fund type should apply. This reflects the approach taken in the Current OSP (see paragraph 4.6.6). Please also replicate the undertaking, also from paragraph 4.6.6 of the Current OSP, for Outsourcing arrangements concerning a Fund or FSB to be dealt with on an expedited basis.”

JFSC response The word "following” in sub-paragraph 6.3.4 has been substituted with the words "in line with” and the following sentence has been added to sub-paragraph 6.3.4 “Where the Outsourced Activity is not exempt and concerns a Certified Fund or a Fund Services Business, the JFSC will endeavour to respond within 10 business days of receipt of the Outsourcing Notification.”

2.9 Question 8: Do you consider the Transition Period to be appropriate and proportionate?  If not, please provide further detail in the comments section of this question.

2.9.1   "As noted above, the impact of the Revised OSP on Businesses should be considered in tandem with the extension in scope of Jersey's AML/CFT regime. Some Businesses will now potentially have direct obligations under the MLO as a result of the latter. We understand that how these are, in practice, discharged is the subject of further discussion and industry working groups (i.e. the ongoing discussions in connection with the JFSC's PESP/DSP proposals), with the aim of finding a pragmatic approach that acknowledges direct obligations on the entities concerned but also reflects that these functions are in the main discharged by the JFSC-regulated administrators rather than the Businesses themselves. Given that many entities now in scope of the Revised OSP will be the same entities grappling with the extended scope of the MLO, we suggest that the Revised OSP comes into force only after the approach to AML/CFT compliance has been settled. This will ensure that Businesses may simultaneously consider and implement their new arrangements from both an MLO and a Revised OSP perspective. Any transitional period under the Revised OSP should be calculated to ensure Businesses may implement any new arrangements to comply with the MLO prior to any JFSC filings being required under the Revised OSP. This will ensure no Business is put in a position of possible non-compliance with the MLO as a result of any delay in the JFSC approving Outsourcing Notifications.”

JFSC response The new exemption under sub-paragraph 2.2.3.9 of the Revised OSP for where an AMLSP, performs Outsourced Activity (i.e. AMLSP services) on behalf of its AMLSP Direct Customer, provided certain conditions are met, should alleviate some of the concern here.  Further, the Revised OSP will now only come into force on the ending of the transitional period in relation to the extension of scope of Jersey’s AML/CFT/CPF regime (currently anticipated for July 2023). Taking account of the above timeframe, we anticipate publishing feedback on the follow-up consultation on the Revised OSP and issuing a final version of the Revised OSP in April 2023. There will then be a three-month transition period, commencing on the date we issue the final Revised OSP.

2.9.2   “It is not clear from the documentation whether existing outsourcing arrangements which have been approved by the JFSC will need to be re-submitted in line with the new policy. Will a subjective judgement be required to determine if there is a “material” difference between the legacy requirements and the new requirements?”

JFSC response The Revised OSP is not retrospective and will only apply from the date it is effective (we currently anticipate this being from July 2023). In relation to existing Outsourcing arrangements, please see our response to question 2.9.3 below.

2.9.3   “Please also consider clarifying: (a) how existing arrangements are to be handled where these have not previously required an Outsourcing Notification; (b) that no amendments to such agreements will be required until such point as the agreements fall to be revised in the ordinary course of business; and (c) that Outsourcing Notifications made under the Current OSP will be sufficient to comply with the Revised OSP (until such time as a material change requires further notification).”

JFSC response No amendments to existing Outsourcing agreements will be required until such point as the agreements fall to be revised in the ordinary course of business. Outsourcing Notifications made under the Current OSP will be sufficient to comply with the Revised OSP (until such time as a material change requires further notification).

2.9.4   “The significant expansion in scope of the OSP to all Supervised Persons is likely to have a major impact, particularly on Businesses not previously captured. It is acknowledged that the JFSC has hosted a briefing event on the new OSP, however we believe that further training and outreach is required, with potentially a longer transition period for Businesses not previously subject to the OSP.”

JFSC response Has been noted in terms of further training and outreach.  Whilst the transitional period will be the same for all Businesses, we will be proportionate in our response to any early breaches by Persons not previously caught by the current OSP.

2.10  Other comments

2.10.1   "We have today submitted feedback utilising the form provided. Sadly this does not allow for comments on each question, which is disappointing.”

JFSC response We apologise that our form did not allow for comments on each question on this occasion. We have arranged for comment boxes to be included within the form for this follow-on consultation.

2.11  Sanctions Screening Tools

2.11.1   “It is puzzling the JFSC now feel the need to include screening tools within outsourcing. Surely the JFSC are already aware of the key players in the market, World-Check etc. and so collecting information first on the platforms being used by industry would make sense, rather than swamping the JFSC with needless outsourcing requests (which industry also have to waste time/valuable resourcing preparing) that will then need to be processed. This approach will then enable the JFSC to target unfamiliar platforms and request additional information as required. As highlighted by the recent GFSC thematic paper on sanctions/screening, the systems are only as good as the implementation/filter parameters, the testing and internal systems and controls. We believe this will also be highlighted in the upcoming JFSC Thematic on sanctions. This will not necessarily be covered by the outsourcing application. In their purest form, these platforms are data collation services for information already on the internet and no different to market data providers. Surely it is better to improve the regulation and guidance in respect to sanctions/screening to ensure better outcomes? In addition to this will key systems, such as NavOne, now be considered to be outsourcing, as registered persons have not developed their “own” platform? The definition “otherwise be undertaken by the Business itself” remain too subjective as highlighted above.”

2.11.2   “In Appendix D (feedback from the OSP working Group) the JFSC would seem to infer that the use of 3rd party screening systems (Sanctions/PEPs/Regulatory watchlists) could be considered outsourcing. We do not believe that this could be considered outsourcing, rather that this is more akin to standardised services such as market information. The systems used merely compare names to the client database of a firm and highlight where a match may occur. No decision is made by the system, merely the strength of the match subject to certain parameters. The inference is that the JFSC want to be aware “of any Service Provider which is being utilised by a Business to meet its statutory or regulatory obligations. The ultimate decision to confirm the match as positive or negative (and any resulting action) rests with a human – in our case an employee – and it is that decision that constitutes compliance with Jersey AML regulatory obligations, not the provision of match strength. Therefor we do not consider the screening service provider to be an outsource provider. "

2.11.3   “To the extent businesses have in place and will effectively already be outsourcing certain services as contemplated in 2.1.4. some clarity re the treatment of existing processes for example automated screening provided for example by World-check, Risk Screen or similar (which it appears from the consultation (page 22) fall to be captured in the revised OSP) would be useful.”

2.11.4   "The requirement of the OSP to require an Outsourcing Notification to be completed by all Businesses (including those newly in scope), in advance of appointing a Service Provider for all Outsourced Activity is potentially significant. For example, Businesses tend to use a very limited pool of customer public information screening tools (e.g. WorldCheck, RiskScreen) where all customer acceptance and risk-based decision making is made by the relevant Business. Therefore, the JFSC is likely to receive significant numbers of Outsourcing Notifications that are very similar or identical in nature, about a very small number of screening service providers. We believe that there is scope to consider the use of screening systems and similar as “standardised services” (it is a similar activity to the receipt of market information and price feeds, which is exempt) and therefore non-Regulated Activity under section 2.2.2 of the OSP. An alternative may be that screening activity is at least exempt from the strict OSP notification requirements. This approach would be more efficient for the JFSC as well as Business."

JFSC response On the basis that a customer risk assessment should be completed by a Business prior to the procurement of screening tools, such tools are now out of scope of the Revised OSP. The Revised OSP provides under new sub-paragraph 2.2.3.10 that “The following Outsourced Activity is also not caught by the OSP …….. Where a Service Provider provides automated third-party AML/CFT/CPF screening systems to a Business.”

2.12  Electronic Identification Measures (Digital ID Systems)

2.12.1   “The definition of “Outsourced Activity” states “activity that is performed by a Service Provider that would otherwise be undertaken by a Business itself”. In respect to eID, we do not see how this can possibly fall under this definition as the Business is doing nothing different to when it receives wet ink CDD. When collecting CDD through a suitable certifier, it is the certifier that is authenticating the document and sending it to the Business or the client sends it after certification takes place. This is no different to an eID digital certifier collecting the CDD and delivering it to the Business. In both cases an authenticated document arrives and copies of the CDD are not retained by either the suitable certifier or the eID provider. The business is not undertaking the process “itself”. Any decision to accept the client is based on comprehensive CDD information and documentation collected by the supervised person as per the change in regulation from KYC to CDD back in 2008. It is not solely based on an ID document whether eID or wet ink. Therefore either both are outsourcing or neither are. As previously advised to the JFSC under the Digital ID CP, suitable certifiers are flawed, can be corrupted and wet ink is easily forged presenting greater risk to Jersey as a well respect international financial centre. Therefore please remove this barrier to the adoption of technology from the CP and truly support the adoption of technology.

2.12.2   It appears from paragraph 2.1.4 that some Digital ID solutions may be within scope of the Revised OSP by virtue of supporting the performance of Regulated Activity (compliance with the MLO and AML/CFT Handbook). More guidance needs to be provided on the outsourcing of the collection and verification of evidence of the identity of clients, including the degree to which the Revised OSP will apply to any external support with collating identification evidence.

2.12.3   We note the JFSC's comment at page 22 of the Consultation Paper that wide-access tools should be caught (presumably including ID services such as Credas and screening tools such as Worldcheck). We echo the initial respondent's query here as to whether the JFSC will have the resources to handle the volumes of applications arising, and strongly suggest the JFSC prepares lists of acceptable Service Providers that can be subject to expedited (or, ideally, automatic) approval upon filing of an Outsourcing Notification. In this way, the JFSC will be aware of the use of any such systems, but no delays will result.

2.12.4   “We note the JFSC's comment in the Consultation Paper (at page 23) that the inclusion of E-ID service providers specifically relates to Article 3(4) of the MLO (including the requirement to obtain evidence of identification). We would suggest that a distinction should be drawn by reference to where the decision to accept the evidence as being adequate is made. Drawing the distinction here will avoid anomalous application of the Revised OSP and minimise the number of unnecessary Outsourcing Notifications made. This will ensure JFSC resources are maintained to handle applications with greater impact on the decision making that underpins MLO compliance.”

JFSC response Comparisons between the safe harbours of E-ID and Suitable Certifiers are inappropriate, each providing their own benefits, risks and controls which are distinctly different from one another and which each need to be carefully managed. There are a number of Digital ID System Providers in the Jersey market providing services to Businesses, each have different profiles for the collection and verification of information required to comply with Article 3(4) of the MLO. We consider the collection of evidence of identity as a service being offered by Digital ID System Providers and want to know who is collecting this information through the application of the Revised OSP in such circumstances.

2.13  Materially prevent, disrupt or impact upon

2.13.1   “The term “materially prevent, disrupt or impact upon” is subjective and therefore will result in anomalous results across industry. Additional guidance is required, not just 2 examples, in order to provide clarity to industry when making a determination. Otherwise this will lead to endless debates during supervisory engagement over whether something is material or not. The JFSC must have sufficient data on what activities have already being outsourced and further data will be available to the JFSC as industry adapts to the new requirements. This should be an ample to issue better guidance.”

JFSC response In terms of what is meant by ‘materially prevent, disrupt or impact upon’, we purposefully do not want to be too prescriptive.  Ultimately, it is for a Business to determine what this means in relation to its own Outsourced Activity. The following example of how Regulated Activity would materially prevent, disrupt or impact upon a Business’ continuing compliance is now included under new sub-paragraph 2.1.2.3 “where a Fund Services Business (FSB) or an Investment Business (IB) outsources distribution functions (the Outsourced Activity) to a Service Provider as part of its Regulated Activity (e.g. producing and circulating periodic Client statements of account in compliance with the relevant Code), a failure by the Service Provider to perform those distribution functions properly would result in the FSB or IB failing to properly conduct its Regulated Activity.”

2.14  Regulated Activity and non-Regulated Activity

2.14.1   "We believe that there is still scope for confusion in respect of what is regarded as Regulated Activity and non-Regulated Activity. The OSP states that Regulated Activity is “activity conducted by a Business pursuant to the Regulatory Laws for which a licence/registration/consent must be held”. The JFSC has also made the following comment in Appendix D of the Consultation Paper (pages 18 and 20): “If a Business is using a Service Provider to meet its regulatory obligations or statutory obligations, it is captured by the OSP.

2.14.2   Section 2.2.2 of the OSP provides the following in relation to what is regarded as non-Regulated Activity: “Specifically, where a Service Provider performs Outsourced Activity as part of a Business’ non-Regulated Activity, the following Outsourced Activity is not caught by the OSP:

2.14.2.1 legal advice

2.14.2.2 investment advisory services (provided investment advice is not part of the Business’ Regulated Activity)

2.14.2.3 staff training

2.14.2.4 billing services

2.14.2.5 premises and staff security

2.14.2.6 standardised services (including market information and price feeds)

2.14.3   In considering the above, we are interested to understand whether the following activities would be considered non- Regulated Activity and therefore not caught by the OSP:

2.14.4   Where Businesses seek the services of a professional services firm (e.g. a regulatory compliance consultancy company) to assist them in meeting their compliance obligations. Typically, such consultancy firms provide the following services:

2.14.4.1 One-off training presentations on AML/CFT matters such as suspicious activity reporting or other compliance related subjects. Such training may be relied upon by Businesses to assist them in meeting their employee training obligations.

2.14.4.2 Ad hoc advice on compliance-related matters – interpretation of regulatory requirements and how to comply with them.

2.14.4.3 Undertaking compliance-related reviews and assessments (e.g. board and compliance effectiveness assessments that assist Businesses in meeting specific Code of Practice requirements).

2.14.5   Typically, such activities are one-off engagements of extremely limited duration. For example, a training presentation or the provision of ad hoc advice may be completed in a matter of hours. Regulatory compliance consultancy firms may also provide Businesses with ongoing compliance support during periods of shortage in compliance staff or pending the appointment of a senior resources, further to relevant provisions of the Codes and Handbook. Such assignments may be several months in duration. Is it the JFSC’s intention to regard such arrangements as subject to the OSP? If so, we believe that guidance will be required to address engagements of this nature, particularly where they are of very limited duration."

JFSC response Where a Business seeks the services of a professional services firm (e.g. a regulatory compliance consultancy company) to assist it with meeting its compliance obligations, this would result in a Service Provider performing “Outsourced Activity as part of the Business’ Regulated Activity” however, for such Outsourced Activity to be caught by the OSP, the “Service Provider’s failure to perform or inadequate performance of the Outsourced Activity” would have to have the effect of “materially prevent[ing], disrupt[ing] or impact[ing] upon the continuing compliance of that Business’ Regulated Activity.” In relation to “one-off engagements” or “engagements with limited duration” it is less likely that the second limb of the test for whether Outsourced Activity is caught by the OSP would be met.  Ultimately, it is for the relevant Business to make its own risk assessment of the relevant facts to determine whether an Outsourcing Notification is required to be made in such circumstances.

 

3 Follow-on consultation

3.1 Basis for follow-on consultation

3.1.1   We are issuing this follow-on consultation in accordance with Article 8(3) of the Commission Law, under which the JFSC “may, in connection with the carrying out of its functions […] consult and seek the advice of such persons or bodies whether inside or outside Jersey as it considers appropriate”.

3.2 Who will be affected by the proposed changes?

3.2.1   The proposed changes to the current JFSC Outsourcing Policy and Guidance Notes, issued March 2017 and revised last December 2020 (the Current OSP and Guidance Notes) in the form of a revised OSP (the Revised OSP), the latest draft of which can be found under Appendix A, will affect any person to whom the provisions of the Revised OSP apply.

3.3 Responding to the follow-on consultation

3.3.1   We invite comments, in writing, from interested parties on the content of this follow-on consultation. Where comments are made by an industry body or association, that body or association should also provide a summary of the type of individuals and/or institutions that it represents.

A questionnaire has been published alongside this follow-on consultation. https://www.smartsurvey.co.uk/s/RevisedOSP/

3.3.2   Respondents are requested to use this form when responding to questions posed and providing any comments to support their answers. The use of this form will assist both JFL and us in collating and considering the responses provided.

3.3.3   Comments on the latest draft Revised OSP should be received no later than 28 February 2023.

3.4 Next steps

3.4.1   Following this follow-on consultation, we will publish feedback and issue a final version of the Revised OSP. We anticipate this will be published in April 2023. There will be a three-month transition period, commencing on the date we issue the final Revised OSP.

 

4 Proposed changes to latest version of the Revised OSP

4.1 Executive Summary

4.1.1   The key changes to the latest draft Revised OSP relate to the following (more detailed information on each key change is set out below):

4.1.1.1 Non-Jersey Domiciled Collective Investment Funds (NDFs) and Unregulated Funds

4.1.1.2 Data Centre Services and/or Cyber Security Services

4.1.1.3 AMLSP and AMLSP Direct Customer

4.1.1.4 automated third-party AML/CFT/CPF screening systems services.

4.2 NDF and Unregulated Fund

4.2.1   NDFs and Unregulated Funds are now included within the meaning of ‘Fund’ for the purpose of the Revised OSP.

Question 1: Have you identified any unintended consequences of including NDFs and Unregulated Funds within the meaning of ‘Fund’ for the purpose of the Revised OSP?

4.3 Data Centre Services and/or Cyber Security Services

4.3.1   In accordance with the provisions of the Telecommunications (Jersey) Law, 2002, ‘Data Centre Services’ and/or ‘Cyber Security Services’ do not fall within the meaning of ‘Telecommunication Services’ and therefore, for the purpose of the Revised OSP are not exempt Outsourced Activity under sub-paragraph 2.2.3.7.

Question 2: Have you identified any unintended consequences of no longer giving a blanket exemption for Data Centre Services and/or Cyber Security Services for the purpose of the Revised OSP?

4.4 AMLSP Direct Customer

4.4.1   New sub-paragraph 2.2.3.9 provides that “Where a Service Provider which is an AMLSP, performs Outsourced Activity (i.e. AMLSP services) on behalf of an AMLSP Direct Customer where the relevant AMLSP Direct Customer is registered as a Supervised Person pursuant to the Supervisory Bodies Law, and where, such AMLSP services are consistent with the standards set out in the Codes and Guidance Notes for AMLSPs in the AML/CFT/CPF Handbook” the Outsourced Activity is not caught by the Revised OSP.

Question 3: Have you identified any unintended consequences of providing an exemption where a Service Provider which is an AMLSP, performs Outsourced Activity (i.e. AMLSP services) on behalf of its AMLSP Direct Customer provided the stipulated conditions are met (i.e. where the relevant AMLSP Direct Customer is registered as a Supervised Person pursuant to the Supervisory Bodies Law, and where, such AMLSP services are consistent with the standards set out in the Codes and Guidance notes for AMLSPs in the AML/CFT/CPF Handbook)?

4.5 Automated third-party AML/CFT/CPF screening systems services

4.5.1   New sub-paragraph 2.2.3.10 provides an exemption where a Service Provider provides automated third-party AML/CFT/CPF screening services to a Business.

Question 4: Have you identified any unintended consequences of providing an exemption where a Service Provider provides automated third-party AML/CFT/CPF screening services to a Business?

4.6 Transition Period

4.6.1   The latest draft Revised OSP will be effective from three months after the final Revised OSP is issued (the Transition Period). The date of issue of the final Revised OSP is anticipated to be July 2023 to tie in with the end of the transition period for the amended AML/CFT/CPF regime.

Question 5: Do you consider the Transition Period to be appropriate and proportionate?

5 Summary of follow-on consultation questions

No.	Detail
Question 1:	Have you identified any unintended consequences of including NDFs and Unregulated Funds within the meaning of ‘Fund’ for the purpose of the Revised OSP?
Question 2:	Have you identified any unintended consequences of no longer giving a blanket exemption for Data Centre Services and/or Cyber Security Services for the purpose of the Revised OSP?
Question 3:	Have you identified any unintended consequences of providing an exemption where a Service Provider which is an AMLSP, performs Outsourced Activity (i.e. AMLSP services) on behalf of its AMLSP Direct Customer provided the stipulated conditions are met (i.e. where the relevant AMLSP Direct Customer is registered as a Supervised Person pursuant to the Supervisory Bodies Law, and where, such AMLSP services are consistent with the standards set out in the Codes and Guidance Notes for AMLSPs in the AML/CFT/CPF Handbook)?
Question 4:	Have you identified any unintended consequences of providing an exemption where a Service Provider provides automated third-party AML/CFT/CPF screening services to a Business?
Question 5:	Do you consider the newly proposed Transition Period to be appropriate and proportionate?

Appendix A – Latest draft Revised OSP (in clean and tracked changes)

Revised Outsourcing Policy – Clean

Revised Outsourcing Policy – Tracked Changes

Appendix B – List of respondents to the Original CP

Name of Respondent	Type of Business
Affinity Private Wealth	Trust company business and investment business
Jersey Funds Association (JFA) Technical Committee	Trade body

The remainder of responses were received via Jersey Finance Limited from a cross-section of businesses that wish to remain anonymous, but which included a bank, trust company businesses, investment businesses, fund services businesses, family offices and a law firm.