Feedback Paper on Follow-on Consultation to Consultation No.6 on Revised Outsourcing Policy (OSP)

Feedback Paper on Follow-on Consultation to Consultation No.6 on Revised Outsourcing Policy (OSP)

A Feedback Paper relating to a Follow-on Consultation on proposals regarding changes to the current JFSC OSP and Guidance Notes

Issued: 30 June 2023

Follow-on Consultation Feedback

This paper reports on responses received by the JFSC to the Follow-on Consultation to Consultation Paper No. 6 2022 published by the JFSC on 16 December 2022.

Further enquiries concerning the consultation may be directed to:

Caroline McGrath

Senior Adviser, Policy

Jersey Financial Services Commission

PO Box 267

14-18 Castle Street

St Helier

Jersey

JE4 8TP

Telephone:+44 (0) 1534 822000

Email:C.McGrath@Jerseyfsc.org

Alternatively, Jersey Finance Limited (JFL).

The JFL contact is:

Lisa Springate

Head of Legal and Technical

Jersey Finance Limited

4th Floor, Sir Walter Raleigh House

48-50 Esplanade

St. Helier

Jersey

JE2 3QB

Telephone: +44(0) 1534 836029

Email: Lisa.Springate@jerseyfinance.je

Glossary of Terms

Defined terms are indicated throughout this document as follows:

AIF Regulations

the Alternative Investment Funds (Jersey) Regulations, 2012

Alternative Investment Fund

(or AIF)

an Alternative Investment Fund within the meaning of the AIF Regulations

AML/CFT/CPF Handbook

Handbook for the prevention and detection of money laundering and the countering of terrorist financing and proliferation financing

Anti-Money Laundering Services Provider

(or AMLSP)

an Anti-Money Laundering Services Provider appointed in accordance with Article 9A of the Money Laundering (Jersey) Order 2008

AMLSP Direct Customer

a Supervised Person who is provided with AMLSP services by an AMLSP

AMLSP services

services provided by an AMLSP to an AMLSP Direct Customer that enable the AMLSP Direct Customer to fulfil its AML/CFT/CPF obligations

Business

any Person performing Regulated Activity which, for the avoidance of doubt, includes Supervised Persons

Category A permit holder

has the same meaning given to the term under the Insurance Business Law and the Code of Practice for Insurance Business

Certified Fund

a fund issued with a certificate pursuant to the CIF Law

CIF Law

the Collective Investment Funds (Jersey) Law, 1988

Client

a customer, investor, or other Person in respect of whom a Business is permitted to provide products or services

Cloud Services

a range of IT services (such as data storage or computing power) provided in various formats over the internet. This incorporates private, public or hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)

Codes of Practice
(or Codes)

collectively, the

›          the Code of Practice for Deposit-taking Business

›          the Code of Practice for Certified Funds

›          the Code of Practice for Fund Services Business

›          the Code of Practice for General Insurance Mediation Business

›          the Code of Practice for Investment Business

›          the Code of Practice for Insurance Business

›          the Code of Practice for Money Service Business

›          the Code of Practice for Trust Company Business

›          the Codes of Practice included as part of the AML/CFT/CPF Handbook

CoBO

the Control of Borrowing (Jersey) Order, 1958

Cyber Security Services

Distributed Denial of Service (DDoS) mitigation, security information event management, vulnerability intelligence, ethical penetration testing, security operations centre, incident response, and threat intelligence or other services designed to prevent or mitigate the risk of cyber-attacks

Data Centre Services

on or off premise data storage solutions in Jersey; all commonly known as and considered to be utilities

Digital ID

electronic identification and verification measures

Fit and Proper

that a Person would meet the standards required to be ‘fit and proper’ within the meaning of applicable Regulatory Laws

FSJL

the Financial Services (Jersey) Law, 1998

Fund

Alternative Investment Fund (or AIF), Certified Fund, Jersey Private Fund (or JPF), Legacy Private Fund, Recognized Fund, Unregulated Fund or Non-Domiciled Fund (or NDF)

Fund Services Business (or FSB)

the Regulated Activity, involving the provision of services described in Article 2(10) of the FSJL

Governing Body

the body within a Business that is considered to exercise ultimate control over it. Generally, this will be (i) the directors of a company, protected cell company, incorporated cell company, or the incorporated cells of an incorporated cell company; (ii) the trustee of a trust; (iii) the general partner of a limited partnership, separate limited partnership or incorporated limited partnership; or the partners of a limited liability partnership (iv) the manager or, if no manager, the managing members of a limited liability company (v) the council of a foundation. In the case of a sole trader, the Governing Body will be the sole trader

Group

any entity in common ownership or common control with the Person concerned

The meaning of ‘Group’ does not include the same legal person (see paragraph 2.2.3.1 of the OSP)

Group Outsourcing

an arrangement between a Business and Group Service Provider by which the Group Service Provider performs Outsourced Activity that would otherwise be undertaken by the Business itself

Group Service Provider

a Service Provider which forms part of the same Group as the Business

Insurance Business

the Regulated Activity, involving the provision of insurance business described in Article 5 of the Insurance Business Law

Insurance Business Law

the Insurance Business (Jersey) Law, 1996

JFSC (us, we)

the Jersey Financial Services Commission

Jersey Private Fund

(or JPF)

a Jersey Private Fund within the meaning of the Jersey Private Fund Guide

Key Person

has the same meaning given to the term under the Regulatory Laws and covers individuals fulfilling any one of the following three roles; Compliance Officer, Money Laundering Compliance Officer, and Money Laundering Reporting Officer.

Legacy Private Fund

a Very Private Fund, a Private Placement Fund or a CoBO Only Fund

Managed Trust Company Business (or MTCB)

a Business which provides TCB services under the FSJL and which operates in Jersey as a managed entity utilising the services of a TCB Manager

Manager of a Managed Entity (or MoME)

a Business which has been registered by us to conduct Class ZK of FSB under the FSJL

Non-Domiciled Fund (or NDF)

A public or private non-Jersey domiciled Fund with its governing body and management and control in Jersey (through for example, having its general partner or trustee in Jersey)

Network Services

fibre broadband, managed firewalls, and carrier services which provide the infrastructure to enable such services; all commonly known as and considered to be utilities

No Objection

our written confirmation that we have no objection to the Outsourcing arrangement proposed by a Business in an Outsourcing Notification

Offer Document

a prospectus or other offering document inviting a Person to become an investor of a Fund

Outsourced Activity

activity that is performed by a Service Provider that would otherwise be undertaken by a Business itself

Outsourcing

an arrangement between a Business and a Service Provider by which:

›          a Service Provider performs Outsourced Activity; and

›          where that Service Provider’s failure to perform or inadequate performance of such Outsourced Activity would materially prevent, disrupt, or impact upon the continuing compliance of that Business’ Regulated Activity with the applicable Regulatory Laws

Outsourcing Agreement

a written, legally binding agreement between a Business and a Service Provider that reflects the risk, size and complexity of the Outsourced Activity

Outsourcing Notification

a notification as required by Core Principle 6 of the OSP

OSP

Outsourcing Policy

Person

any natural or legal person (including a body of persons corporate or unincorporated)

Principal Person

has the same meaning given to the term under the Regulatory Laws

Supervisory Bodies Law

the Proceeds of Crime (Supervisory Bodies) (Jersey) Law, 2008

Recognized Fund

a fund in respect of which there is a recognized fund certificate issued by us under the Collective Investment Funds (Recognized Funds) (General Provisions) (Jersey) Order 1988 or the Collective Investment Funds (Recognized Funds) (Rules) (Jersey) Order 2003

Regulated Activity

activity conducted by a Business pursuant to the Regulatory Laws for which a licence/registration/permit/certificate/consent must be held.

Regulatory Laws

collectively, the:

›          Alternative Investment Funds (Jersey) Regulations, 2012 (AIF Regulations)

›          Banking Business (Jersey) Law, 1991

›          Collective Investment Funds (Jersey) Law, 1988 (CIF Law)

›          Financial Services (Jersey) Law, 1998 (FSJL)

›          Insurance Business (Jersey) Law, 1996 (Insurance Business Law) and

›          Proceeds of Crime (Supervisory Bodies) (Jersey) Law, 2008 (Supervisory Bodies Law)

Service Provider

a Person who performs Outsourced Activity on behalf of a Business

Specialised Central Support Functions

where a Group Service Provider performs specific Outsourced Activity (for example, IT, Finance, Compliance, or other Central Support functions) on behalf of other Businesses in the Group

Sub-Contractor

a third-party sub-contractor of the Service Provider

Sub-Outsourcing

an arrangement between a Service Provider and a Sub-Contractor by which the Sub-Contractor performs Outsourced Activity that would otherwise be undertaken by the Service Provider on behalf of a Business

Supervised Person

has the same meaning given to the term within Article 1 of the Supervisory Bodies Law

Telecommunication Services

has the same meaning given to the term within the Telecommunications (Jersey) Law, 2002 and includes Network Services and Voice Services but does not include Data Centre Services and/or Cyber Security Services

Trust Company Business (or TCB)

the Regulated Activity, involving the provision of services described in Article 2(4) of the FSJL

TCB Manager

a Business which has been registered by us to conduct Class N of TCB under the FSJL

Unregulated Fund

has the same meaning given to the term within the Collective Investment Funds (Unregulated Funds) (Jersey) Order 2008

Voice Services

fixed telephone lines and video conferencing facilities

1 Executive Summary

1.1 Overview

1.1.1   On 30 June 2022 the JFSC issued the Original Consultation which sought views on proposals regarding changes to the current JFSC OSP and Guidance Notes, issued March 2017 and revised last December 2020 (the Current OSP and Guidance Notes), in the form of a revised OSP (the Revised OSP).

1.1.2   On 16 December 2022 the JFSC issued the Follow-on Consultation on the Revised OSP.

1.1.3   The purpose of this paper is to:

1.1.3.1 provide feedback on the responses received to the Follow-on Consultation; and

1.1.3.2 publish the final Revised OSP, attached under Appendix A, to be effective from 1 January 2024 (providing a six-month transition period).

1.2 Follow-on Consultation feedback received

1.2.1   Respondents provided comments either directly to us or indirectly via JFL. JFL provided us with three responses, one of which was also sent directly to us.

1.2.2   Except for the one respondent that responded to both JFL and to us, eight other respondents provided comments directly to us.

1.2.3   Responses were received from a cross section of businesses including a bank, a general insurance mediation business, a trust company business, an investment business, a fund services business, a law firm, accountancy firms, regulatory consultancy firms and technology firms involved in the development and sale of Digital ID software.

1.2.4   A full list of respondents is given in Appendix B.

1.2.5   Section 2 of this paper presents a summary of the substantive comments received and the JFSC’s response.

1.2.6   The JFSC is grateful to respondents for taking the time to consider and comment on the proposals.

1.3 Next Steps

1.3.1   The final Revised OSP, attached under Appendix A, will be effective from 1 January 2024, following the end of the six-month transition period.

2 CP feedback

2.1 Feedback received

2.1.1   This section summarises the substantive comments received in response to the Follow-on Consultation. While not every comment received is individually listed, this section contains summaries of the key common and pertinent comments in relation to each question posed and, as appropriate, the JFSC’s response to those comments.

2.1.2   The comments that were received can be split into those responding to a specific question posed in the Follow-on Consultation and those on other matters. This section is structured on those lines.

2.2 Question 1: Have you identified any unintended consequences of including NDFs and Unregulated Funds within the meaning of ‘Fund’ for the purpose of the Revised OSP?

2.2.1   “Our concerns in this regard relate to activities for which a CoBO consent is obtained being brought into scope (see paragraph 2.8 under "Extent of application of Revised OSP").”

2.2.2   “Further guidance regarding the application of the OSP to Jersey Non-Domiciled Funds would be welcomed, for example, is this intended to include only NDFs which are registered under the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008 (SBL)?  In the case of a fund which only has a COBO consent, is any relevant connection to Jersey sufficient nexus, e.g. administration is wholly or partly carried on in Jersey, (but control of the governing body is not exercised here)?  If this triggered the need to follow the OSP, what are considered “regulated activities”?”

JFSC response

In response to the concern raised at Question 1 above, and the related concerns raised under paragraph 2.8. regarding the ‘extent of application of the Revised OSP to private funds or other funds with a CoBO consent’, it is no longer our intention currently for the activity of JPFs or other funds with a CoBO consent (which could include NDFs and Unregulated Funds) to be caught by the OSP in any respect other than AML/CFT/CPF (subject to the AMLSP carve-out).  Accordingly, CoBO has been deleted from the definition of ‘Regulatory Laws’ as has the sentence, “In relation to activity conducted by a Business pursuant to CoBO, this is limited to where the Business is a Fund” from the definition of ‘Regulated Activity’ in the final form Revised OSP. It should be noted that the OSP will still apply to that Fund’s Jersey Service Providers where those Service Provider(s) are subject to any Regulatory Law(s). 

Please note however, post the end of the transitional arrangements for the re-cast Schedule 2 of the Proceeds of Crime (Jersey) Law 1999 (30 June 2023), all Fund and security services activities (including Fund or Issuer of Securities and their Service Providers) will be subject to the requirements of the Proceeds of Crime Supervisory Bodies Law and the AML/CFT/CPF Handbook.  As a result, in relation to AML/CFT/CPF services (except in relation to an AMLSP) the Revised OSP will apply to all Funds and their Jersey Service Providers, as it will do for all other Jersey financial institutions (or FIs), designated non-financial businesses and professions (or DNFBPs) and virtual asset service providers (or VASPs).

We have also re-defined the meaning of ‘Non-Domiciled Fund (or NDF)’ in the final Revised OSP as follows: ‘A public or private non-Jersey domiciled Fund with its governing body and management and control in Jersey (through for example, having its general partner or trustee in Jersey)’ and have inserted the following new sub-paragraph 2.2.3.11:

2.2.3 The following Outsourced Activity is also not caught by the OSP:

2.2.3.11Where a Service Provider performs Outsourced Activity on behalf of a non-Jersey domiciled fund with its governing body and management and control outside of Jersey and where only administration services to the non-Jersey domiciled fund are provided by a Jersey FSB and/or TCB, noting that whilst the OSP in such circumstances does not apply to the non-Jersey domiciled fund itself, the OSP will still apply to its Jersey Service Provider(s) (N.B. non-Jersey domiciled funds looking only to circulate an offer in Jersey pursuant to CoBO and without Jersey management and control are therefore not subject to the OSP).”

 

2.3 Question 2: Have you identified any unintended consequences of no longer giving a blanket exemption for Data Centre Services and/or Cyber Security Services for the purpose of the Revised OSP?

2.3.1   “The proposed expansion of the OSP to a wider population of entities (in particular Supervised persons under the SBL and COBO only funds) coupled with the OSP encompassing Cloud Services, Data Centre Services and Cyber Security Services will likely result in significant numbers of entities falling within the OSP, which appears disproportionate to the JFSC’s regulatory remit in respect of such entities.

2.3.2   “We note that outsourced activities may include Data Centre Services and/or Cyber Security Services.

Where a firm is part of a wider Network or Group; and where decisions to make changes to IT Infrastructure and security arrangements for global systems used to meet the requirements under local ML/TF and PF laws and regulations are made centrally and then rolled out across a Network /Group, we envisage practical challenges in ensuring compliance with certain Core Principles, in particular the request for no objection for and notification of any subsequent material changes to such Outsourced Activity.

If the JFSC was to refuse to provide confirmation that it had no objection to the Outsourced Activity, a firm may not be able to refuse to adopt changes to IT systems, security and infrastructure imposed by the Network or Group; and may not be able to ‘unwind’ changes already made.

We note that in Section 4.3.2 of the revised draft Outsourcing Policy, allowances appear to be made with regards to Sub-outsourcing arrangements where provisions are as follows: ‘In these very limited circumstances, we would expect a Business to carefully manage the relationship with its primary Service Provider and to file a post-event Outsourcing Notification as soon as it is on notice of the Sub-Outsourcing arrangement detailing why it was not possible to make an Outsourcing Notification prior to the commencement of the Sub-Outsourced Activity. Where a No Objection is not granted, the relevant Business must terminate its relationship with the primary Service-Provider as soon as reasonably practicable.’

We would also recommend that a similar provision be incorporated within the Guidance on Group Outsourcing section to allow for notifications as soon as is reasonably practicable for Outsourced Activity that has arisen due to changes made under a Network or Group-led change in IT systems, security and infrastructure; and where firms within the Network or Group have not been given the opportunity to confirm prior approval for such changes.”

2.3.3   “Further clarity is required for Schedule 2 businesses (DNFBPs) where outsourcing of these [Data Centre Services and/or Cyber Security Services] has a tenuous link to their regulated activities, particularly in regard to record keeping where assessment of this reporting requirement is most likely to arise.”

JFSC response

Taking account of the feedback received to Question 2, the final Revised OSP has been amended under paragraph 3.6 to provide as follows:

“3.6.5Where a Business Outsources the performance of Outsourced Activity in the form of Cloud Services, Data Centre Services, Cyber Security Services or Digital ID Services to a Service Provider, whilst the relevant Business must still submit an Outsourcing Notification in respect of such Outsourced Activity, it will not require a No Objection. As such, the submission of an Outsourcing Notification in respect of Cloud Services, Data Centre Services, Cyber Security Services or Digital ID Services will be a straight-through process. N.B. no Outsourcing Notification will be required in respect of Cloud-based email services which are standardised and pre-packaged services that are available to the general public, such as Microsoft 365.”

New sub-paragraph 5.7.1 has also been inserted into the final Revised OSP to provide as follows: “Where a Business forms part of a Group and where Outsourced Activity has arisen due to changes made under a Group-led change in IT systems, security and/or infrastructure, it may not always be practical for the Business to complete and upload an Outsourcing Notification before the relevant Service Provider is appointed.   In these very limited circumstances, we would expect the Business to file a post-event Outsourcing Notification as soon as it is on notice of the Outsourcing arrangement detailing why it was not possible to make an Outsourcing Notification prior to the commencement of the Outsourced Activity.  Where a No Objection is required but is not granted, the relevant Business must terminate its relationship with the Service provider as soon as reasonably practicable.”

The above amendments to the final form Revised OSP should alleviate most of the concerns raised under Question 2.

On the request for ‘further clarity’ for Schedule 2 businesses (DNFBPs), please cross-refer to paragraph 2.10              below on the ‘Extent of application of the Revised OSP where only AML/CFT/CPF obligations fall within scope of the Revised OSP (i.e. Schedule 2 businesses)’ and our response to similar calls for increased engagement with this sector in terms of how they may now be caught by the Revised OSP.

2.4 Question 3: Have you identified any unintended consequences of providing an exemption where a Service Provider which is an AMLSP, performs Outsourced Activity (i.e. AMLSP services) on behalf of its AMLSP Direct Customer provided the stipulated conditions are met (i.e. where the relevant AMLSP Direct Customer is registered as a Supervised Person pursuant to the Supervisory Bodies Law, and where, such AMLSP services are consistent with the standards set out in the Codes and Guidance Notes for AMLSPs in the AML/CFT/CPF Handbook)?

2.4.1   “Changes in the AML regime have resulted in the possibility of an existing TCB or FSB providing additional AML related services (as AMLSP) in respect of certain Direct Clients who are required to be registered under the SBL.  The proposed OSP exempts activities performed by an appointed AMLSP, however it is unclear whether existing (non-AMLSP) services provided by the same (or another) TCB/FSB would be subject to the OSP.   Further clarity with regard to the ancillary (non AMLSP) services would be appreciated.  In addition, if such services are considered captured by the OSP, then would the Direct Client be required to file a notification and obtain a No Objection to outsourcing prior to the AMLSP submitting an application for registration in respect of its Direct Client?” 

JFSC response

As set out under paragraph 2.1.3 of the Revised OSP, “For a Supervised Person who is not subject to any other Regulatory Laws other than the Supervisory Bodies Law, the application of the OSP is limited to Outsourced Activity arising from its obligations pursuant to the Supervisory Bodies Law.”  As such, “The Supervised Person’s obligations under the OSP are limited to any Outsourced Activity arising from its AML/CFT/CPF obligations only.” Therefore in this regard, for the purpose of the application of the OSP, we are not interested in any other services provided to a Supervised Person by a Service Provider other than those services which help the Business comply with our financial crime legislation.

The exemption under paragraph 2.2.3.9 of the Revised OSP is strictly limited to: “Where a Service Provider which is an AMLSP, performs Outsourced Activity (i.e. AMLSP services) on behalf of an AMLSP Direct Customer where the relevant AMLSP Direct Customer is registered as a Supervised Person pursuant to the Supervisory Bodies Law, and where, such AMLSP services are consistent with the standards set out in the Codes and Guidance notes for AMLSPs in the AML/CFT/CPF Handbook.”

Therefore, where a Service Provider performs Outsourced Activity (i.e. AML/CFT/CPF compliance services which are not consistent with the standards set out in the Codes and Guidance notes for AMLSPs in the AML/CFT/CPF Handbook), on behalf of a Business registered as a Supervised Person pursuant to the Supervisory Bodies Law, the Business and the Service Provider will be subject to the Revised OSP and the Supervised Person would need to obtain a No Objection from us before the Service Provider commences the non- AMLSP AML/CFT/CPF compliance.  This would be separate to the AMLSP submitting an application for registration in respect of its Direct Client.

2.4.2   “The Bank is unable to comment if unintended consequences have been identified, as the finalised Codes and Guidance Notes for AMLSPs in the AML/CFT/CPF Handbook have not yet been sighted, only the proposed draft versions which are subject to change. Whilst on initial view, no concerns have been noted, further clarity would be welcomed as to the Commission’s expectations to the testing of the effectiveness of AMLSPs (also in consideration of Articles 16 and 17 of the Money Laundering (Jersey) Order) and to whom that responsibility falls.”

JFSC response

The final Codes and Guidance notes for AMLSPs are now published.

In terms of our “expectations to the testing of the effectiveness of AMLSPs (also in consideration of Articles 16 and 17 of the Money Laundering (Jersey) Order) and to whom that responsibility falls”, there is no change and it’s business as usual.

2.5 Question 4: Have you identified any unintended consequences of providing an exemption where a Service Provider provides automated third-party AML/CFT/CPF screening services to a Business?

2.5.1   “We welcome the JFSC’s acknowledgement of the concerns of industry and the exemption offered.  However, we would like to clarify what the JFSC considers to be ‘automated’ screening systems.  We are concerned that ‘automated’ may not cover all formats of background screening that we and industry currently employ, and some we use may technically fall outside the exemption.

Our client database is matched each night against the service provider list of names, and results that meet certain match parameters are flagged and analysed next day in order to filter out false positives and to allow the firm to act on any true hits.  We consider this to meet the definition of ‘automated’ screening, as the search is programmed to be run automatically overnight.

We also use the same service provider with a slightly different application, but matching against the same name lists, to undertake ad hoc background searches.  These may take place at client acceptance (before input into client database), on trigger events, or during scheduled risk reviews among others.  These are initiated by the reviewer, so we do not consider them to be automated.

We would therefore like the JFSC to further amend the wording of 2.2.3.10 to clarify whether they include these ad hoc screening tools/applications within the exemption.

Our rationale for extending the exemption for these remains the same as for the overnight searches.

The ultimate decision to confirm any match as positive or negative (and any resulting action) rests with a human and it is that decision that constitutes compliance with Jersey AML regulatory obligations, not the provision of a potential match for analysis.”

2.5.2   “Is it intended that paragraph 2.2.3.10 would include employee screening as an Outsourced Activity/screening system not caught by the OSP (just for reference all screening output is provided by the external service provider to us in order to make our assessment – we don’t rely on them to do this for us – and so could be considered in a similar manner to other screening tools)?”

JFSC response

In response to the feedback received to Question 4, paragraph 2.2.3.10 has been amended to make it clear that all third-party AML/CFT/CPF screening systems, including employee screening systems are not in scope of the Revised OSP “provided that, the decision to take on the prospective Client/employee on the analysis of the screening output from the Service Provider sits with the Business (and not with the relevant Service Provider).”

2.6 Question 5: Do you consider the newly proposed Transition Period to be appropriate and proportionate? 

2.6.1   “We do not consider the transition period sufficient given the impact of the removal of exemptions and changes to Schedule 2 PoC combined with the proposed expansion of “regulated persons” to include those registered under the SBL and COBO.  On the assumption the revised OSP is finalised prior to the 30 June 2023, the transition period should be a minimum of 6 months from the conclusion of the registration period i.e. 31 December 2023.”

2.6.2   “A three-month transition period from the date of publication of the final revised OSP will be challenging in the context of other changes being introduced and not yet finalised in relation to the AML/CFT/CPF regime, however the greater challenge is perhaps the Commission articulating the scope, impact and urgency across all industry sectors, specifically those affected by the changes to the AML/CFT/CPF scope exemptions.”

2.6.3   “No.  We would challenge whether the JFSC is sufficiently resourced to deal with the increase of notifications this may create within the transition period.” 

JFSC response

Taking account of the feedback received, the final Revised OSP will be effective from 1 January 2024, providing industry with a six-month transition period.

2.6.4   “We are also concerned at the lack of guidance on the situation where supervised persons, not previously caught by the Outsourcing Policy, already have existing outsourced services. Should these merely be notified and acknowledged by the JFSC (not approved) as existing services or notified as and when the service provider may be changed.”

2.6.5   “We recommend that further clarity be provided on the application of the Transition Period to firms who are falling within scope of the Revised Outsourcing Policy (OSP).

Please confirm how the OSP will apply to existing outsourcing arrangements for Schedule 2 businesses now within scope of the OSP, noting the OSP is not retrospective, but that such arrangements will not have previously been notified to the JFSC under the current OSP.

Our understanding is that the Revised OSP is not retrospective. The JFSC has referred readers to 2.9.3 of the Follow-on Consultation on Revised Outsourcing Policy. This states that no amendments to existing Outsourcing agreements will be required until such point as the agreements fall to be revised in the ordinary course of business; and Outsourcing Notifications made under the Current OSP will be sufficient to comply with the Revised OSP (until such time as a material change to the OSP requires further notification). However no previous notifications may have been made by Schedule 2 entities.

We recommend that the Revised OSP confirms whether:

a)   the JFSC requires a firm to make a full Outsourcing Notification when:

The Outsourcing Agreement is revised; and/or

There is a material change to the Outsourced Activity; or

b)   whether a Material Change to Outsourcing Notification would be required under the above scenarios.

We also recommend that the Revised OSP confirms whether:

a)   any revision to an existing Outsourced Activity would trigger an Outsourcing Notification to the JFSC; or

b)   such revision would also need to be material to trigger the requirement for a Notification to be made.

We recommend that a Notification be triggered only when material changes to existing Outsourcing Arrangements pre-July 2023 (or other relevant implementation date) are to be made.”

JFSC response

Where Supervised Persons who are newly caught by the Revised OSP already have existing outsourced services, the relevant Supervised Person must make a full Outsourcing Notification on or before the expiry of the six-month transition period as such outsourcing arrangements will not have previously been notified to us under the current OSP.

Paragraph 6.4 relating to ‘Material Change to Outsourcing Notification has been amended in the final form Revised OSP to provide as follows:

“6.4.1A Material Change to Outsourcing Notification form is available and must be made via myJFSC in the event of any material change(s) to an existing Outsourcing arrangement in respect of which, either a No Objection has been granted or, in respect of which an Outsourcing Notification has been submitted but which did not require a No Objection (in accordance with paragraph 3.6.5).

6.4.2      The submission of a Material Change to Outsourcing Notification will ordinarily be a straight-through process not requiring a further No Objection. However, there may be some limited circumstances in which the material change(s) to an existing Outsourcing arrangement will, on review by us, trigger the requirement for a further No Objection. In such circumstances, we will advise the Business accordingly following receipt of the Material Change to Outsourcing Notification.

6.4.3Where there is new Outsourced Activity as opposed to any material change(s) to an existing Outsourcing arrangement, the Business will be required to complete a new Outsourcing Notification and obtain a further No Objection.

6.4.4Where a No Objection was not previously required but is now required under the OSP (for example where a Supervised Person is newly caught by the OSP in respect of its Outsourced Activity), an Outsourcing Notification will be required in all circumstances.  Only once an Outsourcing Notification in respect of the relevant Outsourced Activity has been submitted and a No Objection granted, where required, does the Material Change to Outsourcing Notification become relevant unless, as set out under paragraph 6.4.1, there is new Outsourced Activity in which case, the Business must submit a new Outsourcing Notification and obtain a further No Objection.

6.4.5For reference, a blank Material Change to Outsourcing Notification form is included under Appendix A.”

2.7 Additional comments

2.7.1   “Suggested change to the Glossary definition of “Outsourcing” to read "…continuing compliance of that Business’ Regulated Activity with the applicable Regulatory Laws". This will clarify what the "continuing compliance" in the definition relates to.”

JFSC response

The Glossary definition of “Outsourcing” in the final form Revised OSP has been amended to take account of this feedback.

2.7.2   “Suggested change to the Glossary definition of "Principal Person". Please delete all language after "has the same meaning given to the term under the Regulatory Laws". To reiterate our earlier point, we consider that reference to the statutory definition should be sufficient. The OSP should not depart from the Regulatory Laws in its definition of this term.”

JFSC response

The Glossary definition of “Principal Person” in the final form Revised OSP has been amended to take account of this feedback.

2.7.3   “Suggested change to paragraph 2.1.2.3, "…reporting distribution functions...". This will differentiate from the "distributor" class of FSB which does not appear to be what this section contemplates.”

JFSC response

Paragraph 2.1.2.3 in the final form Revised OSP has been amended to take account of this feedback.

2.7.4   “Suggested change to paragraph 2.2.3.4, "…Outsourced Activity (i.e. involving the provision of management services)…". The additional words "involving the provision of" mirror the language in the MoME Guidance Note. Paragraph 2.3 of the MoME Guidance note anticipates that a MoME will provide a Managed Entity with a pool of services not necessarily restricted to 'management'. This change aims to be consistent with that approach and with the current OSP as regards the MoME carve-out.”

JFSC response

Paragraph 2.2.3.4 in the final form Revised OSP has been amended to take account of this feedback.

2.7.5   “Suggested change to paragraph 2.2.3.5, “…any Outsourcing or Sub-Outsourcing arrangement the Fund or its Service Provider is party to…". The new language in the latest draft of the Revised OSP is helpful in clarifying that the fund carve-out in 2.2.3.5 applies equally to Sub-Outsourcing; presumably it is not a requirement that the Fund itself be directly party to the Sub-Outsourcing contract for this to apply.”

JFSC response

Per our response to Question 1 above, it should be noted that the OSP will, unless provided otherwise, apply to any Fund Service Provider who is subject to any Regulatory Law(s) notwithstanding that the OSP doesn’t apply to the Fund itself.  To make this point clear, we have revised paragraph 2.2.3.5 in the final form Revised OSP to provide as follows:

“In the circumstances where a Fund has met the conditions under this paragraph 2.2.3.5 and is not caught by the OSP, any Outsourcing or Sub-Outsourcing arrangement for or on behalf of the Fund is also not caught by the OSP. It should be noted however that in such circumstances, unless provided otherwise, the OSP will still apply to any Service Provider to the Fund which is subject to any Regulatory Law(s).”

2.7.6   “Paragraph 2.2.3.2 of the Proposed OSP excludes outsourced activity "Where a Service Provider performs Outsourced Activity on behalf of a TCB in relation to a single trust structure (which is not a Fund)."  Please clarify the basis for this exclusion?”

JFSC response

The current OSP provides under 3.2.2.4 that “Based on the JFSC’s existing working practice in relation to Trust Company Business where a Trustee regulated for Trust Company Business appoints a third party to act in relation to an individual Trust (save for where the Trust is a Certified Fund or a Recognized Fund where the provisions of paragraph 3.2.2.5 below apply) this Policy does not apply.” The same exemption, albeit worded differently, has been transposed in the final Revised OSP under 2.2.3.2, to provide as follows: “The following Outsourced Activity is also not caught by the OSP: Where a Service Provider performs Outsourced Activity on behalf of a TCB in relation to a single trust structure (which is not a Fund).”

For the blanket exemption to the application of the OSP to work, a TCB must appoint a Service Provider to act on its behalf in relation to an individual/single trust structure.  Where a Service Provider performs Outsourced Activity on behalf of a TCB in relation to more than one trust structure, for example in relation to the whole of all its Client base, this Outsourced Activity would be caught by the OSP.

2.8 Extent of application of the Revised OSP to private funds or other funds with a CoBO consent

2.8.1   “A key concern which remains centres on the reference to CoBO among the list of Regulatory Laws (see page 2 of our letter of 31 August 2022). This concern remains despite it being highlighted in the definition of Regulated Activity that references to activity conducted pursuant to CoBO are limited to where the Business is a Fund. There are two main issues.

Firstly, it seems anomalous and undesirable for the scope of the OSP to extend to fund vehicles on account of their CoBO consents in addition to any AML/CFT/CPF obligations. This is a radical departure from the current and previous OSPs.

The second issue which arises from the inclusion of CoBO among the Regulatory Laws is that the extent of the associated Regulated Activity is not clear.

The circumstances in which a CoBO consent is required include the issue of interests which are registered in Jersey and/or the raising of money in the island by the issue of such interests. These are general activities of a fund, not detailed regulatory requirements of the kind seen in the AML/CFT/CPF Handbook or the FSB Code of Practice.

It remains the strong preference from our perspective for COBO not to be introduced to the OSP.”

2.8.2   “We question whether the OSP should be applied to persons who only fall within the Supervisory Bodies Law, or COBO Law.”

“We question whether the inclusion of NDFs/ entities subject only to COBO is appropriate as COBO is aimed at investor protection.   If such entities are not regulated under the CIF Law or required to register under the SBL they are not subject to a Code of Practice and therefore the OSP cannot be a requirement under the Codes.  Can further clarification be provided as to the objective of imposing the OSP in such circumstances if that is the intention?”

JFSC response

In response to the concern raised at Question 1 above, and the related concerns raised under this paragraph 2.8. regarding the ‘extent of application of the Revised OSP to private funds or other funds with a CoBO consent’, it is no longer our intention currently for the activity of JPFs or other funds with a CoBO consent (which could include NDFs and Unregulated Funds) to be caught by the OSP in any respect other than AML/CFT/CPF (subject to the AMLSP carve-out).  Accordingly, CoBO has been deleted from the definition of ‘Regulatory Laws’ as has the sentence, “In relation to activity conducted by a Business pursuant to CoBO, this is limited to where the Business is a Fund” from the definition of ‘Regulated Activity’ in the final form Revised OSP. It should be noted that the OSP will still apply to that Fund’s Jersey Service Providers where those Service Provider(s) are subject to any Regulatory Law(s). 

Please note however, post the end of the transitional arrangements for the re-cast Schedule 2 of the Proceeds of Crime (Jersey) Law 1999 (30 June 2023), all Fund and security services activities (including Fund or Issuer of Securities and their Service Providers) will be subject to the requirements of the Proceeds of Crime Supervisory Bodies Law and the AML/CFT/CPF Handbook.  As a result, in relation to AML/CFT/CPF services (except in relation to an AMLSP) the Revised OSP will apply to all Funds and their Jersey Service Providers, as it will do for all other Jersey financial institutions (or FIs), designated non-financial businesses and professions (or DNFBPs) and virtual asset service providers (or VASPs).

We have also re-defined the meaning of ‘Non-Domiciled Fund (or NDF)’ in the final Revised OSP as follows: ‘A public or private non-Jersey domiciled Fund with its governing body and management and control in Jersey (through for example, having its general partner or trustee in Jersey)’ and have inserted the following new sub-paragraph 2.2.3.11:

2.2.3 The following Outsourced Activity is also not caught by the OSP:

2.2.3.11Where a Service Provider performs Outsourced Activity on behalf of a non-Jersey domiciled fund with its governing body and management and control outside of Jersey and where only administration services to the non-Jersey domiciled fund are provided by a Jersey FSB and/or TCB, noting that whilst the OSP in such circumstances does not apply to the non-Jersey domiciled fund itself, the OSP will still apply to the its Jersey Service Provider(s) (N.B. non-Jersey domiciled funds looking only to circulate an offer in Jersey pursuant to CoBO and without Jersey management and control are therefore not subject to the OSP).”

The above amendments to the final form Revised OSP should address the concern raised in response to Question 1 and the ‘extent of application of the Revised OSP to private funds or other funds with a CoBO consent’ more generally under this paragraph 2.8.

2.9 Extent of application of the Revised OSP to Digital ID Services

2.9.1   “I have been looking through the documentation on your website regarding the current consultation on revising your Outsourcing Policy. I am particularly interested in the sections relating to the activities around the use of Digital ID. Am I correct in my understanding that it is the intention that, if adopted, the new policy would mean that a regulated business would be required to notify the JFSC in advance of adopting an I-ID technology service, as it would be categorised as an outsourced activity? I am deeply concerned, that if my understanding is correct, and the use of our technology would fall under the category of outsourcing, that that this would kill this initiative stone cold at birth.”

2.9.2   “We are having a debate as to whether use of Digital ID software would constitute outsourcing under the JFSC Outsourcing Policy and therefore require notification to the Commission.  This seems to be a bit of a grey area as use of Digital ID technology to verify identify constitutes a small part of the overall AML process, also if we compare it to use of screening solutions, this isn’t generally considered to be within the scope of the Outsourcing Policy by firms.

Also, the Digital ID guidance in the Handbook already requires firms looking to adopt Digital ID solutions to conduct a risk assessment and consider the appropriateness of outsourcing.  Therefore, if the Outsourcing Policy were to apply, there would be an element of duplication when meeting both requirements.

Our general view is that if firms will be required to complete a Digital ID risk assessment, if they also have to fully comply with the Outsourcing Policy this could result in duplication of effort and may not be proportionate to the level of reliance they are placing on the solution.  That being said, this is highly dependent on the level of support being provided by the technology.  For example, if it’s just a Digital ID solution that performs validation and certification of customer ID then the Digital ID risk assessment could be sufficient.  However, if firms are also using the technology for address verification, onboarding and screening (by way of example) then this may become more material and, in those circumstances, they should apply the Outsourcing Policy.”   

JFSC response

Taking account of the feedback received, the final Revised OSP has been amended under paragraph 3.6 to provide as follows:

“3.6.5Where a Business Outsources the performance of Outsourced Activity in the form of Cloud Services, Data Centre Services, Cyber Security Services or Digital ID Services to a Service Provider, whilst the relevant Business must still submit an Outsourcing Notification in respect of such Outsourced Activity, it will not require a No Objection. As such, the submission of an Outsourcing Notification in respect of Cloud Services, Data Centre Services, Cyber Security Services or Digital ID Services will be a straight-through process. N.B. no Outsourcing Notification will be required in respect of Cloud-based email services which are standardised and pre-packaged services that are available to the general public, such as Microsoft 365.”

2.10  Extent of application of the Revised OSP where only AML/CFT/CPF obligations fall within scope of the Revised OSP (i.e. Schedule 2 businesses)

2.10.1   “We question whether the OSP should be applied to persons who only fall within the Supervisory Bodies Law.”

2.10.2   “Given the increased scope of the Revised OSP we have concerns at the lack of evidence of active engagement with the DNFBP sectors and would question if there is real appreciation by many of those sectors of the new requirements placed on them.

The inclusion of Cloud Services which many in the DNFBP sector will or are likely to use for record keeping (either operationally or for contingency) means they appear to have an obligation to report due to the implications of the Codes of Practice detailed under Section 10 of the AML/CFT/CPF Handbook. 

The Revised OSP remains focused on the regulated sector with insufficient guidance and examples for the DNFBP sector where the extent of the policy is limited by the nature of the extent of the differing regulated activity.

Inconsistent use of terminology increases the challenges in interpretation of JFSC policies and guidance by the non-regulated sectors, e.g. this policy refers to regulated activity which includes activity subject to the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008, but such terminology would usually only relate to activities subject to the regulatory laws relating to financial services businesses, i.e. excluding DNFBP sectors.  This increases the chance that the DNFBP sectors will not recognise their obligations under this policy and inadvertently not meet its requirements.

We would suggest that whilst not in line with the JFSC’s current approach, it would be preferable to have a separate and clear set of targeted guidance for the DNFBP sectors rather than a requirement to interpret a policy whose origin and focus is on the regulated sectors and to which Schedule 2 DNFBP businesses have been bolted on. 

We would suggest it would be appropriate for the JFSC to suspend or remove extension of the Revised OSP to the DNFBP sectors until such time as effective engagement has been undertaken with those sectors and the application and impacts fully and properly assessed against the JFSC’s requirements to enable it to fulfil its supervisory role.  Such assessment and consequent guidance should also take into consideration requirements already in place in the DNFBP sectors through other regulatory and professional bodies and associations. As the Revised OSP currently stands, it is likely that the requirements will add to the regulatory burden and costs for the DNFBP sectors with a consequence of increased fees for the public of Jersey who are the prime users of many of the services in the DNFBP sectors.”

2.10.3   “My reading of the OSP is that if the Schedule 2 entities use digital services of provider other than via AMLSP then a notification will be needed.  A common example may be when directors use Microsoft 365 or other provider for their emails.  However, this puts us back in the scenario when every Schedule 2 entity will be required to submit an [Outsourcing Notification] due to email and online storage services used by them.  I hope that this was not the JFSC’s intention and that they could exclude such scenario by way of additional guidance within the OSP.”

JFSC response

Unless the exemption in respect of AMLSP services under paragraph 2.2.3.9 of the Revised OSP can be relied upon, all Supervised Persons are subject to the principles of the Revised OSP in accordance with the AML/CFT/CPF Handbook. 

The six-month transition period together with the position we have reached under paragraph 3.6.5 in no longer requiring a No Objection in respect of Cloud Services and there being no requirement for an Outsourcing Notification in respect of Cloud-based email services which are standardised  and pre-packed  services that are available to the general public, such as Microsoft 365, should now address most of the concerns raised under paragraph 2.10.

Taking account of the feedback received we are committed to increased stakeholder engagement through the six-month transition period (Q3 and Q4 2023) and beyond with Supervised Persons who are not subject to any other Regulatory Laws other than the Supervisory Bodies Law.

2.10.4   “Under Section 2.1.4, we recommend that further examples be provided to illustrate the specific types of Outsourcing Activities considered relevant to those businesses where only AML/CFT/CPF obligations fall within scope of the Revised OSP (i.e. Schedule 2 businesses) in addition to the existing Digital ID Service Provider example.”

JFSC response

2.10.5   Taking account of the feedback and in particular the concern around newly caught Supervised Persons who are not subject to any other Regulatory Laws other than the Supervisory Bodies Law not understanding their obligations under the Revised OSP, an example to help illustrate the type of Outsourced Activity that may be relevant to such a Businesses is now provided under paragraph 2.1.3. as follows:

“….to help illustrate the type of Outsourced Activity that may be relevant to such a Supervised Person, the following example is provided:

2.1.3.1     where a Supervised Person outsources AML/CFT/CPF compliance services such as Client onboarding due diligence, monitoring etc. to a Service Provider (such as a TCB administrator) who is not its AMLSP.”

2.11  Outsourcing Notification and Material Change to Outsourcing Notification

2.11.1   “With respect to Section 3.6.2 of the Revised OSP, we recommend that further guidance be provided on what the JFSC would consider to be “sufficient time” for the JFSC to consider an Outsourcing Notification? The JFSC confirms its commitment to a 20 Working Day turnaround. We propose that the JFSC includes a timeframe of at least 1 month for firms to submit Outsourcing Notifications before the proposed implementation date for any new simple Outsourcing Arrangement. This will create greater certainty for firms during project management and implementation planning for new Outsourcing Activity.”

JFSC response

In response to the feedback, paragraph 3.6.2 has been amended to provide as follows:

“3.6.2A Business should provide us with sufficient time, with a minimum of one month’s notice, in advance of any Outsourced Activity being performed by a Service Provider to review and assess the possible regulatory implications of the proposed Outsourced Activity. We will respond to Outsourcing Notifications in line with paragraph 6.3 of the OSP.”

2.11.2   “Under Section 6.4.2 on the Material Change to Outsourcing Notification, it states ‘the submission of a Material Change to Outsourcing Notification will be a straight-through process and will not require a further No Objection from us unless there has been a change to the nature of the Outsourced Activity itself (in which case, a further No Objection will be required).’

We recommend that a firm’s obligations in this regard are clarified, namely, whether the JFSC requires a firm to:

a)   complete a ‘new’ Outsourcing Notification where there has been a change to the nature of the Outsourced Activity which would trigger the requirement for further No Objection; or

b)   submit a Material Change to Outsourcing Notification and then wait for the JFSC to confirm it has no objection to this notification.”

JFSC response

2.11.3   As set out in our response to Question 5 above, paragraph 6.4 relating to ‘Material Change to Outsourcing Notification has been amended in the final form Revised OSP to provide as follows:

2.11.4   “6.4.1     A Material Change to Outsourcing Notification form is available and must be made via myJFSC in the event of any material change(s) to an existing Outsourcing arrangement in respect of which, either a No Objection has been granted or, in respect of which an Outsourcing Notification has been submitted but which did not require a No Objection (in accordance with paragraph 3.6.5).

2.11.5   6.4.2    The submission of a Material Change to Outsourcing Notification will ordinarily be a straight-through process not requiring a further No Objection. However, there may be some limited circumstances in which the material change(s) to an existing Outsourcing arrangement will, on review by us, trigger the requirement for a further No Objection. In such circumstances, we will advise the Business accordingly following receipt of the Material Change to Outsourcing Notification.

2.11.6   6.4.3    Where there is new Outsourced Activity as opposed to any material change(s) to an existing Outsourcing arrangement, the Business will be required to complete a new Outsourcing Notification and obtain a further No Objection.

6.4.4Where a No Objection was not previously required but is now required under the OSP (for example where a Supervised Person is newly caught by the OSP in respect of its Outsourced Activity), an Outsourcing Notification will be required in all circumstances.  Only once an Outsourcing Notification in respect of the relevant Outsourced Activity has been submitted and a No Objection granted, where required, does the Material Change to Outsourcing Notification become relevant unless, as set out under paragraph 6.4.1, there is new Outsourced Activity in which case, the Business must submit a new Outsourcing Notification and obtain a further No Objection.

6.4.5For reference, a blank Material Change to Outsourcing Notification form is included under Appendix A.”

2.12  ‘Materially prevent, disrupt or impact upon a Business’

2.12.1   “We recommend that examples of activities that would be considered to “materially prevent, disrupt or impact upon a Business’ continuing compliance” under Section 2.1.2 be provided for specific industries, e.g. Accountancy Firms; and we would welcome the opportunity to be a part of the development of industry-specific examples.”

JFSC response

In terms of what is meant by ‘materially prevent, disrupt or impact upon’, we purposefully do not want to be too prescriptive. Ultimately it is for each Business or indeed specific financial sectors to get together to determine what this means in relation to its or their own Outsourced Activity/Activities. 

Appendix A – Final draft Revised OSP (in clean and redline)

Revised Outsourcing Policy – Clean

Revised Outsourcing Policy – Tracked

Appendix B – List of respondents to the Follow-on Consultation

Name of Respondent

Type of Business

BDO Limited

Accountancy firm and regulatory consultant

Jersey Funds Association (JFA) Technical Committee

Trade body

Kroll (Channel Islands) Limited

Regulatory consultant

Oben Regulatory

Regulatory consultant

PwC

Accountancy firm and regulatory consultant

Tiller Technologies Ltd

Technology firm

Two responses were received via JFL from businesses that wish to remain anonymous, but which included a trust company business, fund services business, investment business and general insurance mediation business and a law firm.

The remaining responses were received through the online questionnaire that was published alongside the Follow-on Consultation and included responses from a general insurance mediation business and a bank.