Revised Outsourcing Policy 2022 Appendix B for consultation

Appendix B Outsourcing Policy

This is our draft revised Outsourcing Policy relating to our consultation.

Read our consultation and give us your feedback

Consultation Outsourcing Policy No 6 June 2022

Issued: 1 March 2017,

Revised: 21 December 2020 and 29 June 2022

Glossary

Alternative Investment Fund

(or AIF)

an Alternative Investment Fund within the meaning of the AIF Regulations

[AML/CFT Handbook] *link to be inserted following AML Handbook Consolidation

the Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism

Business

any Person performing Regulated Activity which, for the avoidance of doubt, includes Supervised Persons

Category A permit holder

has the same meaning given to the term under the Insurance Business Law and the Code of Practice for Insurance Business

Certified Fund

a fund issued with a certificate pursuant to the Collective Investment Funds Law

Client

a customer, investor or other Person in respect of whom a Business is permitted to provide products or services

Cloud Services

a range of IT services (such as data storage or computing power) provided in various formats over the internet. This incorporates private, public or hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)

Codes of Practice
(or Codes)

collectively, the

›   the Code of Practice for Deposit-taking Business

›   the Code of Practice for Certified Funds

›   the Code of Practice for Fund Services Business

›   the Code of Practice for General Insurance Mediation Business

›   the Code of Practice for Investment Business

›   the Code of Practice for Insurance Business

›   the Code of Practice for Money Service Business

›   the Code of Practice for Trust Company Business

›   the Codes of Practice included as part of the AML/CFT Handbook

Cyber Security Services

Distributed Denial of Service (DDoS) mitigation, security information event management, vulnerability intelligence, ethical penetration testing, security operations centre, incident response, and threat intelligence or other services designed to prevent or mitigate the risk of cyber-attacks

Data Centre Services

on or off premise data storage solutions which are located in Jersey; all commonly known as and considered to be utilities

E-ID

electronic identification and verification measures

Fit and Proper

that a Person would at all times meet the standards required to be ‘fit and proper’ within the meaning of applicable Regulatory Laws

Fund

an AIF, Certified Fund, a JPF, any legacy private fund (very private fund, private placement fund or COBO only fund) or a Recognized Fund

Fund Services Business (or FSB)

the Regulated Activity, involving the provision of services described in Article 2(10) of the FSJL

Governing Body

the body within a Business that is considered to exercise ultimate control over it. Generally, this will be (i) the directors of a company, protected cell company or the relevant cells of an incorporated cell company; (ii) the trustee of a unit trust; (iii) the general partner of a limited partnership, separate limited partnership or incorporated limited partnership; or the partners of a limited liability partnership. In the case of a sole trader, the Governing Body will be the sole trader

Group

a body corporate that would be defined as a “subsidiary”, “wholly-owned subsidiary” or “holding body” of another body corporate, under the Companies (Jersey) Law, 1991 irrespective of the jurisdiction of the company

The meaning of ‘Group’ does not include the same legal person (see paragraph 2.2.3.1 of the OSP)

Group Outsourcing

an arrangement between a Business and Group Service Provider by which the Group Service Provider performs Outsourced Activity that would otherwise be undertaken by the Business itself

Group Service Provider

a Service Provider which forms part of the same Group as the Business

Insurance Business

the Regulated Activity, involving the provision of insurance business described in Article 5 of the Insurance Business Law

JFSC (us, we)

the Jersey Financial Services Commission

Jersey Private Fund

(or JPF)

a Jersey Private Fund within the meaning of the Jersey Private Fund Guide

Key Person

has the same meaning given to the term under the Regulatory Laws and covers individuals fulfilling any one of the following three roles; Compliance Officer, Money Laundering Compliance Officer, and Money Laundering Reporting Officer.

Managed Trust Company Business (or MTCB)

a Business which provides TCB services under the FSJL and which operates in Jersey as a managed entity utilising the services of a Manager

Manager

a Business which has been registered by us to conduct Class N of TCB under the FSJL

Manager of a Managed Entity (or MoME)

a Business which has been registered by us to conduct Class ZK of FSB under the FSJL

Network Services

fibre broadband, managed firewalls, and carrier services which provide the infrastructure to enable such services; all commonly known as and considered to be utilities

No Objection

our written confirmation that we have no objection to the Outsourcing arrangement proposed by a Business in an Outsourcing Notification

Offer Document

a prospectus or other offering document inviting a Person to become an investor of a fund

Outsourced Activity

activity that is performed by a Service Provider that would otherwise be undertaken by a Business itself

Outsourcing

an arrangement between a Business and a Service Provider by which:

›   a Service Provider performs Outsourced Activity; and

›   where that Service Provider’s failure to perform or inadequate performance of such Outsourced Activity would materially prevent, disrupt or impact upon the continuing compliance of that Businesses’ Regulated Activity

Outsourcing Agreement

a written, legally binding agreement between a Business and a Service Provider that reflects the risk, size and complexity of the Outsourced Activity

Outsourcing Notification

a notification as detailed in paragraph 6 and as required by Core Principle 6 of the OSP

Person

any natural or legal person (including a body of persons corporate or unincorporated)

Principal Person

has the same meaning given to the term under the Regulatory Laws and includes: a director, a shareholder controller, a manager, a senior officer, and a chief executive

Recognized Fund

a fund in respect of which there is a recognized fund certificate issued by us under the Collective Investment Funds (Recognized Funds) (General Provisions) (Jersey) Order 1988

Regulated Activity

activity conducted by a Business pursuant to the Regulatory Laws for which a licence/registration/consent must be held.  In relation to activity conducted by a Business pursuant to CoBO, this is limited to where the Business is a Fund.

Regulatory Laws

collectively, the:

›   Alternative Investment Funds (Jersey) Regulations, 2012 (AIF Regulations)

›   Banking Business (Jersey) Law, 1991

›   Collective Investment Funds (Jersey) Law, 1988 (Collective Investment Funds Law)

›   Control of Borrowing (Jersey) Order, 1958 (CoBO)

›   Financial Services (Jersey) Law, 1998 (FSJL)

›   Insurance Business (Jersey) Law, 1996 (Insurance Business Law) and

›   Proceeds of Crime (Supervisory Bodies) (Jersey) Law, 2008 (Supervisory Bodies Law)

Service Provider

a Person who performs Outsourced Activity on behalf of a Business

Specialised Central Support Functions

where a Group Service Provider performs specific Outsourced Activity (for example, IT, Finance, Compliance or other Central Support functions) on behalf of other Businesses in the Group

Sub-Contractor

a third party sub-contractor of the Service Provider

Sub-Outsourcing

an arrangement between a Service Provider and a Sub-Contractor by which the Sub-Contractor performs Outsourced Activity that would otherwise be undertaken by the Service Provider on behalf of a Business

Supervised Person

has the same meaning given to the term within Article 1 of the Supervisory Bodies Law

Telecommunication Services

has the same meaning given to the term within the Telecommunications (Jersey) Law, 2002 and includes; Network Services, Voice Services, Data Centre Services and/or Cyber Security Services

Trust Company Business (or TCB)

the Regulated Activity, involving the provision of services described in Article 2(4) of the FSJL

Voice Services

fixed telephone lines and video conferencing facilities

 

1 Introduction

1.1 Purpose

› The purpose of the Outsourcing Policy (OSP) is to help Businesses identify if we must be notified of an activity that they outsource.

› Compliance with the OSP is a requirement under the Codes.

› The OSP explains the Core Principles that a Business must comply with where a Service Provider performs Outsourced Activity for it.

1.2 Core Principles

No. 1

A Business is responsible for and accountable to the JFSC for any Outsourced Activity

No. 2

A Business must ensure that any Service Provider performing Outsourced Activity is Fit and Proper at all times

No. 3

A Business must put in place a legally binding Outsourcing Agreement with the Service Provider before the start of the Outsourced Activity

No. 4

A Business must maintain adequate capacity and resources to implement all necessary policies and procedures to ensure that a Service Provider continues to be Fit and Proper

No. 5

A Business must maintain suitable contingency plans in case a Service Provider’s performance suffers a material disruption, or ends unexpectedly, for any reason

No. 6

Except for where the OSP specifically provides otherwise, a Business must complete and upload an Outsourcing Notification before they appoint a Service Provider; the Service Provider must not start performing the Outsourced Activity until the Business receives a No Objection, and we must be notified of any subsequent material change to the Outsourced Activity as soon as the Business becomes aware

No. 7

A Business must ensure that there is nothing in the Service Provider’s performance of the Outsourced Activity that would prevent or restrict our regulatory powers in respect of the Business, or the Outsourced Activity

1.3 Guidance

› The OSP contains general guidance on the Core Principles, Sub-Outsourcing, Group Outsourcing and the Outsourcing Notification process. The OSP also provides specific guidance where a Service Provider performs Outsourced Activity in the form of Cloud Services.

› The guidance contained within the OSP is provided to help a Business to demonstrate compliance with the OSP and the relevant Codes.

 

2 Application of the OSP

2.1 Outsourced Activity caught by the OSP

2.1.1   Where a Service Provider performs Outsourced Activity as part of a Business’ Regulated Activity or non-Regulated Activity and, where the Service Provider’s failure to perform or inadequate performance of the Outsourced Activity would materially prevent, disrupt or impact upon the continuing compliance of that Business’ Regulated Activity, such Outsourced Activity is caught by the OSP.

2.1.2   Examples of how non-Regulated Activity would materially prevent, disrupt or impact upon a Business’ continuing compliance include:

› where a Trust Company Business outsources accounting functions (the Outsourced Activity) to a Service Provider that are critical in supporting the performance of its Regulated Activity (e.g. the valuation of Client assets), a failure by the Service Provider to perform those accounting functions properly would result in the TCB failing to properly conduct its Regulated Activity

› where a Money Service Business outsources IT functions (the Outsourced Activity) to a Service Provider that are critical in supporting the performance of its Regulated Activity (e.g. facilitating the transfer of funds by electronic means), a failure by the Service Provider to perform those IT functions properly would result in the MSB failing to properly conduct its Regulated Activity.

2.1.3   For a Supervised Person who is not subject to any other Regulatory Laws, the application of the OSP is limited to Outsourced Activity arising from its obligations pursuant to the Supervisory Bodies Law. These obligations are explained in detail within the AML/CFT Handbook and/or the Money Laundering (Jersey) Order 2008.

2.1.4   An example of how non-Regulated Activity would materially prevent, disrupt or impact upon a Supervised Person’s continuing compliance includes:

› where a Supervised Person outsources the collection and verification of evidence of the identity of its Clients (the Outsourced Activity) to an E-ID Service Provider that are critical in supporting the performance of its Regulated Activity, a failure by the Service Provider to perform the Outsourced Activity would result in the Supervised Person failing to properly conduct its Regulated Activity.

2.2 Outsourced Activity not caught by the OSP

2.2.1   Where a Service Provider performs Outsourced Activity as part of a Business’ non-Regulated Activity and, where the Service Provider’s failure to perform or inadequate performance of the Outsourced Activity would not materially prevent, disrupt or impact upon the continuing compliance of that Business’ Regulated Activity, such Outsourced Activity is not caught by the OSP.

2.2.2   Specifically, where a Service Provider performs Outsourced Activity as part of a Business’ non-Regulated Activity, the following Outsourced Activity is not caught by the OSP:

›   legal advice

›   investment advisory services (provided investment advice is not part of the Business’ Regulated Activity)

›   staff training

›   billing services

›   premises and staff security

›   standardised services (including market information and price feeds)

2.2.3   The following Outsourced Activity is also not caught by the OSP:

Where a Service Provider performs Outsourced Activity on behalf of the same legal person; e.g. a branch on behalf of its head office or vice-versa or, a branch on behalf of a branch.

› Where a Service Provider performs Outsourced Activity on behalf of a TCB in relation to a single trust structure (which is not a Fund).

› Where a Service Provider, which is a Manager, performs Outsourced Activity on behalf of a MTCB (e.g. the provision of corporate directors to the MTCB’s Clients), where such services are consistent with the standards set out in the Guidance Note: Managed Trust Company Business.

› Where a Service Provider, which is a MoME, performs Outsourced Activity (i.e. management services) on behalf of another Person registered to conduct FSB under the FSJL to enable that Person  (the managed entity) to comply with a material part of the regulatory framework, where such services are consistent with the standards set out in the Guidance Note: for a Manager of a Managed Entity (MoME) and certain managed entities.

Where a Service Provider performs Outsourced Activity on behalf of a Fund, provided that the following conditions are met:

› the Service Provider must be disclosed to us and the Fund’s investors in the Fund’s Offer Document (or any equivalent document) before the Service Provider starts to perform the Outsourced Activity

› where the approval of the Fund’s investors is required for any change to the Service Provider, such approval must be sought and obtained and the Fund’s Offer Document (or equivalent document) must be updated to reflect the change. Alternatively, where the approval of the Fund’s investors is not required for any change to the Service Provider and the Fund’s Offer Document (or an equivalent document) is not updated to reflect the change, the Fund’s investors must be notified in writing of the change

› in all cases, it must be made clear to us and the Fund’s investors the nature of the Outsourced Activity to be performed by the new Service Provider, any material risks connected with the Outsourced Activity (including any conflicts of interest, concentration risk, and/or jurisdiction risk); and any circumstances in which the Fund’s investors must deal directly with the new Service Provider.

› Where a Service Provider performs Outsourced Activity in the form of custodian and/or prime broker services on behalf of a Group Service Provider to a Fund (i.e. delegation of Outsourced Activity by a Fund custodian to any Group sub-custodians).

› Where a Service Provider provides Telecommunication Services to a Business. 

› Where a Service Provider performs Outsourced Activity on behalf of an Insurance Business which is a Category A permit holder.

3 Core Principles

3.1 A Business is responsible for and accountable to the JFSC for any Outsourced Activity

Guidance

› The Governing Body of a Business is responsible for Outsourced Activity and cannot delegate its responsibilities under Regulatory Laws to a Service Provider.

› The Governing Body of a Business is accountable to us for Outsourced Activity and cannot delegate accountability under Regulatory Laws to a Service Provider.

› The OSP is based on an understanding that a Business remains fully responsible and accountable to us for any Outsourced Activity performed by a Service Provider for it. A Business should not become devoid of its functions to the extent that it becomes a ‘letter box’ entity.

3.2 A Business must ensure that any Service Provider performing Outsourced Activity is Fit and Proper at all times

Guidance

3.2.1   A Business should conduct suitable and proportionate due diligence to satisfy itself that:

›   where a Service Provider performs Outsourced Activity as part of the Business’ Regulated Activity, the Service Provider is itself regulated for the performance of the Regulated Activity and complies with all applicable Regulatory Laws (this does not apply where the Outsourced Activity is non-Regulated Activity)

›   a Service Provider has adequate capacity and resources

›   adequate measures have been taken to counter any material risks relating to the Outsourced Activity.

3.2.2   In deciding what amounts to “adequate capacity and resources”, “adequate measures” or “material risks”, a Business should consider any factors that may adversely impact its finances, reputation, operations or its Clients.

3.2.3   Factors that should be considered by a Business when deciding what amounts to “material risks” include:

›   conflict of interest risks

›   concentration risks

›   jurisdiction risks

›   regulatory risks

›   money laundering, terrorist financing, and proliferation financing risks

›   cyber security risks.

3.2.4   Factors that should be considered by a Business when deciding whether a Service Provider has “adequate capacity and resources to perform the Outsourced Activity” include:

›   Human resources (i.e. the substance and reputation of the Service Provider and whether its staff are suitably qualified, experienced, well-trained and resourced)

›   Technical resources (i.e. whether effective, reliable and robust systems and controls are in place to monitor and control the volume of anticipated Outsourced Activity and deal with the complexity and nature of the Outsourced Activity)

›   Financial resources (i.e. whether the Service Provider is solvent and in good standing, has appropriate insurance and has sufficient access to capital or credit).

3.2.5   Where a Service Provider performs Outsourced Activity in the form of Cloud Services, as part of its due diligence and risk assessment of the Service Provider the Business should consider:

›   whether or not the Outsourced Activity is suitable, taking account of the relative risks of using one type of service over another (for example, public versus private)

›   Industry good practice including data and information security management system requirements and cyber risks

›   International standards applied to the Service Provider and Outsourced Activity. External assurance may be helpful such as:

›   Service Provider’s compliance with well-understood standards (such as the ISO 27000 series)

›   scope of the Service Provider’s assurance report being specific to the Outsourced Activity the Business proposes to use (for example, the assurance report is against the data centre specified within a Business’ proposed contractual arrangements, not a similar centre located elsewhere)

›   data storage location; is data stored in a jurisdiction that may inhibit access for either the Business or us. Consideration should be given to the wider political and security stability of the jurisdiction, as well as to the following:

›   laws in force governing data protection

›   International obligations of the jurisdiction; particularly with regard to memorandum of understandings with Jersey regulatory authorities

›   law enforcement provisions.

3.2.6   On request by us, a Business should be able to evidence that suitable due diligence has been undertaken on its Service Provider.

3.2.7   Where a Business forms part of a Group, the Business may rely on the due diligence (including any financial due diligence), materiality assessments and/or risk assessments of any Service Provider or Sub-Contractor undertaken by the Group.

3.3 A Business must put in place a legally binding Outsourcing Agreement with the Service Provider before the start of the Outsourced Activity

Guidance

3.3.1   We would normally expect the Outsourcing Agreement to include enforceable and clearly defined provisions covering the following terms of engagement:

› the level of services of the Outsourced Activity

› the rights, obligations and liabilities of all parties to the Outsourcing Agreement

› whether Sub-Outsourcing is permitted and if so, under what circumstances

› the performance standards the Service Provider should meet

› what the Service Provider should report to the Business in relation to:

› its obligations under the Outsourcing Agreement

› any breaches, errors events or other relevant information that may impact its performance of the Outsourced Activity

› an annual review (at a minimum) of the Outsourced Activity

› how the Outsourcing Agreement should be terminated

› access rights for us, the Business and any other relevant third parties (such as auditors) to information (including records) relating to the Outsourced Activity

› data protection standards that comply with any applicable legal or regulatory requirements

› protection of the confidential and other proprietary information or materials of the Business and, where relevant, that of its Clients.

3.3.2   Where a Service Provider performs Outsourced Activity in the form of Cloud Services, as part of its contractual relationship with the Service Provider, a Business should consider:

› a data residency policy with the Service Provider, which sets out the locations (namely regions or countries) where the Outsourced Activity will be provided, inclusive of where data will be processed and stored, and the conditions to be met, including a requirement to notify the Business if the Service Provider proposes to change the locations

› provisions regarding information security and personal data segregation (as appropriate)

› the right of the Business to monitor the Service Provider’s performance of the Outsourced Activity on a regular basis

› the agreed service levels, which should include, quantitative and qualitative performance targets in order to allow for timely monitoring, so that appropriate corrective actions can be taken without delay if agreed service levels are not met

› the reporting obligations of the Service Provider to the Business and, as appropriate, the obligations to upload reports relevant for the security function and key functions, such as reports prepared by the internal audit function of the Service Provider

› provisions for the management of incidents by the Service Provider, including the obligation for the Service Provider to report to the Business without delay incidents that have affected the operation of the Business’ contracted service

› whether the Service Provider should take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested

› the requirements for the Service Provider to implement and test business continuity and disaster recovery plans

› the requirement for the Service Provider to grant the Business, us, other competent authorities and any other Person appointed by the Business or by us the right to access (access rights) and to inspect (audit rights) the relevant information, premises, systems and devices of the Service Provider to the extent necessary to monitor the Business’ compliance with the applicable regulatory and contractual requirements

› provisions to ensure that the data that the Service Provider processes or stores on behalf of the Business can be accessed, recovered and returned to the Business as required.

3.3.3   Where a Business forms part of a Group, the Outsourcing Agreement may be between the relevant Service Provider and the Group.

3.4 A Business must maintain adequate capacity and resources to implement all necessary policies and procedures to ensure that a Service Provider continues to be Fit and Proper

Guidance

3.4.1   On request by us, a Business should be able to evidence that they have or, another Group entity has:

› effective policies and procedures to monitor and assess the performance of the Outsourced Activity by a Service Provider

› adequate capacity and resources (aligned to Core Principle No. 2) to implement all necessary policies and procedures.

3.4.2   A Business should periodically test whether its policies and procedures comply with the Core Principles of the OSP. This should be completed as part of its ongoing monitoring. The frequency of this testing will depend on the circumstances of the Business and should reflect the size, risk and complexity of the Outsourced Activity.

3.4.3   Since the Governing Body is ultimately responsible for the management and conduct of a Business we would expect to see upon request:

› board meeting minutes of the Governing Body evidencing that it had carefully considered any Outsourced Activity performed by a Service Provider

› any reports received by the Governing Body regarding any issues of non-compliance with the OSP (for example, exceptions identified as a result of the ongoing monitoring and assessment of a Service Provider required by Core Principle No. 4) which we would then expect to see tabled and considered in the board meeting minutes.

3.4.4   It may be sufficient for a Governing Body to approve a general Outsourcing arrangement and delegate the handling of specific Outsourced Activity to particular individuals or to a Specialised Central Support Function. In such a case, we would still expect to see minutes of the Governing Body evidencing that it had carefully considered the Outsourced Activity the particular individuals or committees perform on behalf of the Business.

3.4.5   Where a Service Provider performs Outsourced Activity in the form of Cloud Services, as part of its continuous compliance monitoring of the Service Provider the Business should consider:

› the need to introduce new policies and procedures or amend existing policies and procedures tailored to this type of Outsourced Activity

› how it will effectively monitor the Service Provider under the contractual terms described in Core Principle 3, including escalation

› whether the Service Provider has sufficient skill and resources to oversee and test the Outsourced Activity and to identify, monitor and mitigate against all associated risks.

3.4.6   At all times, a Business should be able to demonstrate to us that a Service Provider’s performance of any Outsourced Activity on its behalf is effective, reliable, robust and, complies with the OSP.

3.5 A Business must maintain suitable contingency plans in case a Service Provider’s performance suffers a material disruption, or ends unexpectedly, for any reason

Guidance

3.5.1   A Business should have and maintain appropriate contingency plans in the event that the Outsourced Activity ends suddenly or unexpectedly or, there is a significant interruption to the service. We consider a “significant interruption” to be any interruption that has a material impact on the performance of any Outsourced Activity (for example, a natural disaster or, a major failure of the IT network).

› A Businesses should refer to relevant sections of the Codes (in particular Principle 3 and Section 2.4 of the AML/CFT Handbook) when determining the adequacy of its contingency plans.

3.5.2   Contingency plans should be documented and, where appropriate, include provisions that allow the Business or a Group Service Provider to take over the day-to-day control of any Outsourced Activity or transfer the performance of the Outsourced Activity on the Business’ behalf to another Service Provider.

3.5.3   The specific timeframe of the contingency plans will depend on the facts of each case, but a Business should have the ability to implement its contingency plans as quickly and as reasonably as possible.

3.5.4   A Business should periodically test its contingency plans. This should be completed as part of its ongoing monitoring. The frequency of this testing will depend on the circumstances of the Business and should reflect the size, risk and complexity of the Outsourced Activity. We may request or review the results of such testing on a supervisory examination.

3.5.5   Where a Service Provider performs Outsourced Activity in the form of Cloud Services, as part of its contingency planning should the Service Provider’s performance of the Outsourced Activity suffer a material disruption or end for any reason (i.e. non-payment of fees by the Business to the Service Provider, the voluntary or involuntarily winding up of the Service Provider, etc.), the Business should consider:

› the need to plan for and manage a transfer between Service Providers by having in place, well understood and tested exit/termination arrangements which, amongst other things provide for how it will remove its data from the retiring Service Provider and transition the data across to the new Service Provider 

› how to ensure that its contractual (or operational) relationships with the retiring Service Provider are not overly complicated or present a barrier to the Outsourced Activity being wound down and/or transitioned to a new Service Provider (as necessary)

› our ability to visit the Service Provider’s business premises during normal business hours, at a time specified by the Service Provider, or with reasonable notice, except in an emergency or crisis situation if it is necessary and required under applicable legal and regulatory requirements.

3.5.6   Where a Business forms part of a Group, the Business may rely upon Group contingency plans.

3.6 Except for where the OSP specifically provides otherwise, a Business must complete and upload an Outsourcing Notification before they appoint a Service Provider; the Service Provider must not start performing the Outsourced Activity until the Business receives a No Objection; and we must be notified of any subsequent material change to the Outsourced Activity as soon as the Business becomes aware

Guidance

3.6.1   Using an Outsourcing Notification, a Business should notify us in advance of a proposal to appoint a Service Provider to perform Outsourced Activity on its behalf.  Should we have any concerns with the proposals, we may object to the proposals or, require further action and/or information. For example, we might require a Business to provide its Clients, or us, with further information about the Outsourced Activity, the Service Provider or other aspects of the proposed Outsourcing arrangement.

3.6.2   A Business should provide us with sufficient time in advance of any Outsourced Activity being performed by a Service Provider to review and assess the possible regulatory implications of the proposed Outsourced Activity. We will respond to Outsourcing Notifications in line with paragraph 6.3 of the OSP.

3.6.3   Factors that may be relevant when deciding what amounts to “sufficient time”, include:

› the size, risk and complexity of the proposed Outsourced Activity

› the Service Provider

› the jurisdictions where the Outsourced Activity will take place

› the Business’ ability to comply with the OSP should the proposals be implemented.

3.6.4   Where a Service Provider’s performance of Outsourced Activity should suffer a material disruption or end suddenly or unexpectedly causing the Business to put in place its Outsourcing contingency plans, in such circumstances, it may not always be possible for the Business to notify us in advance. Where the Business is unable to notify us in advance, it should, as soon as it becomes aware, notify us in writing of the following: 

› the reason why the Outsourced Activity has ended or has been significantly interrupted

› whether it intends to undertake the Outsourced Activity itself or enter into a new Outsourcing arrangement with another Service Provider

› where a new Service Provider will be appointed the timeframe for when we should expect to receive a new Outsourcing Notification in respect of the newly proposed Outsourcing arrangement.

3.6.5   Where a Service Provider Sub-Outsources the performance of Outsourced Activity in the form of Cloud Services to any Sub-Contractors, the Business is not required to complete and upload an Outsourcing Notification or wait for us to issue it with a No-Objection before the Sub-Contractors can start performing the Outsourced Activity. The Business is still however required to complete and upload an Outsourcing Notification and await a No-Objection from us in respect of the proposed Outsourcing arrangement with its primary Service Provider.

3.7 A Business must ensure that there is nothing in the Service Provider’s performance of the Outsourced Activity that would prevent or restrict our regulatory powers in respect of the Business, or the Outsourced Activity

Guidance

3.7.1   A Business should ensure that any Outsourced Activity that is performed by a Service Provider does not defeat the purpose of regulation. Whatever the nature of any Outsourced Activity, a Business should ensure that:

› the provisions of any Regulatory Laws or other regulatory requirements which applied to the Business’ Regulated Activity prior to any Outsourcing, continue to apply

› we are able to exercise our supervisory and other regulatory functions effectively. In order to facilitate this requirement, a Business should ensure that we are able to access, promptly upon request, any books, records or other sources of information relevant to our regulatory oversight of the Business.

3.7.2   Where the Outsourced Activity involves a foreign jurisdiction, we have to be able to continue to effectively supervise the Outsourcing. Our ability to do this might be impaired by factors such as increased supervision costs, data protection, secrecy or other laws. In such circumstances, a Business should ensure that we are not prevented from obtaining information and it may be necessary to establish whether we have entered into a mutual co-operation agreement with the relevant regulatory authorities in the foreign jurisdiction to facilitate our supervisory responsibilities.

3.7.3   Where financial records or other information which we might need to obtain in order to exercise our supervisory or enforcement powers is transferred to a jurisdiction which has secrecy laws, a Business should take adequate steps to ensure that such laws will not be used to prevent us from accessing this information and should periodically test whether these measures are effective.

3.7.4   In accordance with Core Principle No.1, a Business remains accountable to us for any breach in respect of their Regulated Activity regardless of any Outsourcing Activity being performed by a Service Provider on its behalf in any jurisdiction.

4 Guidance on Sub-Outsourcing

4.1.1   Where any Sub-Outsourcing takes place, a Business should adhere to the Core Principles of the OSP having particular regard to:

4.2 Core Principle No. 1

4.2.1   A Business cannot delegate accountability or responsibility for Outsourced Activity and this includes Sub-Outsourcing arrangements.

4.3 Core Principles No. 2 and No. 3

4.3.1   A Business should adequately risk assess each Service Provider and Sub-Contractor under the Sub-Outsourcing arrangement and should have the ability to object to any Service Provider or Sub-Contractor should it not meet the required standards of compliance or oversight (as assessed by the Business).

4.3.2   A Business should put in place a legally binding Outsourcing Agreement between it and the Service Provider which states, amongst other things, that Sub-Outsourcing is permitted provided that the Business has prior knowledge of the Sub-Outsourcing arrangement and has granted its approval (to be granted only once the Business has properly considered all associated risks).

4.3.3   For any Sub-Outsourcing of Cloud Services, a Business should:

› review any Sub-Outsourcing relevant to the Business’ Regulated Activity to assess whether such Sub-Outsourcing would enable the Business to continue to comply with all applicable Regulatory Laws or other regulatory requirements which apply to its Regulated Activity  

› consider the nature of the information or data being stored, managed or transmitted by the Sub-Contractor and whether the due diligence and risk assessment of the Service Provider and/or the Sub-Contractor would support this arrangement.

4.3.4   If the Business is not satisfied on any of the above, it should have the ability to object and prevent the Sub-Outsourcing Arrangement from going ahead.

4.4 Core Principle No.5

4.4.1   A Business remains fully responsible for ensuring that suitable contingency plans are in place where there is Sub-Outsourcing. 

4.5 Core Principle No.7

4.5.1   Any Sub-Outsourcing should not prevent or restrict our legal or regulatory powers in respect of the Business or the Outsourced Activity.  Nor should it restrict the Business’ ability to conduct ongoing compliance monitoring of the Outsourced Activity by the Service Provider and/or Sub-Contractor with applicable Regulatory Laws or other regulatory requirements which apply to its Regulated Activity.

5 Guidance on Group Outsourcing  

5.1.1   Where Group Outsourcing takes place, a Business should adhere to the Core Principles of the OSP having particular regard to:

5.2 Core Principle No.1

5.2.1   A Business cannot delegate accountability or responsibility for Outsourced Activity and this includes Group Outsourcing.

5.3 Core Principle No.2

5.3.1   A Business should conduct suitable and proportionate due diligence on a Group Service Provider to satisfy itself that the Group Outsourcing is:

› compliant with relevant Regulatory Laws or other regulatory requirements which apply to its Regulated Activity

› appropriate in the circumstances and does not give rise to any material risks for its Clients.

5.4 Core Principle No.3

5.4.1   Where a Group Service Provider performs Specialised Central Support Functions, in the absence of a written, legally binding agreement that covers the specific nature of the Group Outsourcing, we would still expect the Business to be able to evidence to us that:

› the Group Outsourcing complies with all of the requirements of the other Core Principles of the OSP

› the Group Outsourcing complies with applicable Regulatory Laws or other regulatory requirements

› clearly documented and robust procedures relating to the Group Outsourcing are in place to protect the interests of its Clients.

5.5 Core Principle No. 4

5.5.1   A Business should be able to demonstrate to us that it has and maintains adequate capacity and resources to implement all necessary policies and procedures to ensure that the Group Service Provider continues to be Fit and Proper and continues to perform the Outsourced Activity to a good standard.

5.6 Core Principle No. 5

5.6.1   A Business remains fully responsible for ensuring that suitable contingency plans are in place where there is Group Outsourcing.

6 Guidance on Outsourcing Notification

6.1 Form of Outsourcing Notification

6.1.1   Each Outsourcing Notification must include the following information:

› name and address of the Service Provider

› Regulatory status of the Service Provider

› summary of the Outsourced Activity

› whether the Service Provider is a Group Service Provider or has another connection to the Business

› rationale for the Outsourcing;

› summary of how the Outsourcing impacts on the Business’ Regulated Activity including a summary of the risk assessment

› confirmation due diligence has been performed by the Business on the Service Provider (in compliance with Core Principle No. 2)

› confirmation that there are no barriers to accessing the Service Provider’s records and data

› confirmation that all data protection requirements have been fully considered

› summary of how the Outsourced Activity will be monitored by the Business on an ongoing basis

› details of the contingency plans that exist should the Service Provider’s performance of the Outsourced Activity suffer a material disruption or end suddenly or unexpectedly for any reason

› whether Sub-Outsourcing is permitted and under what circumstances

› confirmation that the Business will comply with the Core Principles under the OSP

› any other relevant information.

6.1.2   For reference, a blank Outsourcing Notification form is included under Appendix A.

6.1.3   Together with a duly completed Outsourcing Notification, a Business must submit either a copy of the draft Outsourcing Agreement or a copy of the signed final form Outsourcing Agreement effective from the date of receipt of a No Objection.

6.2 Upload of Outsourcing Notification on myJFSC

6.2.1   An Outsourcing Notification has to be made via myJFSC.

Getting Started

6.2.2   Before a Business can upload an Outsourcing Notification, it should first ensure that it has set up both a platform user and an authorised user in its myJFSC account by contacting RegulatoryMaintenance@jerseyfsc.org.

6.2.3   Platform Users complete the Outsourcing Notification and authorised users, who should either be Key or Principal Person of the Business, upload the Outsourcing Notification on behalf of the Business.

Creating an Outsourcing Notification

6.2.4   To create an Outsourcing Notification, a Business’ platform user and/or authorised user should access myJFSC and click on the services tab.

Adding documents to an Outsourcing Notification

6.2.5   Using the “upload documents” button in myJFSC, a Business’ platform user and/or authorised user can add unlimited documents to support the Outsourcing Notification.

Completing an Outsourcing Notification

6.2.6   A Business can at any time, check the status of an Outsourcing Notification by viewing “uploaded services” under the services tab.

6.2.7   Should we request further information in support of an Outsourcing Notification, a platform user and/or authorised user can add additional documentation by choosing the uploaded services tab within the services section of myJFSC and selecting the relevant notification and clicking “upload documents.”

6.3 Outsourcing Notification acknowledgement and next steps

6.3.1   Upon receipt of the Outsourcing Notification we will send confirmation of receipt including the date of receipt.

6.3.2   We aim to respond within 20 business days following receipt of an Outsourcing Notification. Our response may include:

› a request for further action to be taken such as:

› the upload of additional information and/or documentation

› confirmation that additional time is required to consider the Outsourcing Notification; or

› a No Objection.

6.3.3   An authorised user will receive an email notification directing them to visit the “my documents” section in myJFSC, where they can download a No Objection.

6.3.4   Where the Outsourcing Notification relates to Outsourced Activity which is caught by the OSP and forms part of an application to authorise a Fund or any Service Provider to a Fund, we will not send a confirmation of receipt of the Outsourcing Notification or a response in line with paragraphs 6.3.1 and 6.3.2 above.  Instead, we will review and process the Outsourcing Notification following the published timeframes for the relevant Fund and/or Service Provider to a Fund.

7 Appendix A

An Outsourcing Notification form will be included with the Revised OSP in due course, subject to the consultation.