Jersey: The New JFSC Outsourcing Policy: Overview, Impact And Actions Required

The JFSC has published the final version of its revised Outsourcing Policy, which will come into force on 1 January 2024 following a six month transitional period.

The scope of the policy has been expanded to include businesses who are regulated under a wider range of regulatory laws. Notably:

• the direct appointment of an AMLSP to fulfil AML/CFT/CPF obligations is not in scope (eg by "previously exempt supervised persons" who are now obliged to register for AML/CFT/CPF supervisory purposes under the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008)
• however, where any part of a supervised person's AML/CFT/CPF function is outsourced other than under the AMLSP regime, this is in scope of this new policy
• AIFs and AIFMs with obligations arising from the Alternative Investment Funds (Jersey) Regulations 2012 also find themselves in scope, although further guidance is expected from the JFSC on the extent of the requirements

For the avoidance of doubt, where a business is subject to AML/CFT/CPF obligations but not otherwise regulated or supervised, it is only subject to the Outsourcing Policy in respect of any AML/CFT/CPF activities that are outsourced (other than to its AMLSP).

For businesses already subject to the current Outsourcing Policy, much in the new policy will look familiar, and there are some helpful changes from a practical perspective, but existing outsourcing arrangements and other service provider appointments will still need to be reassessed against the new requirements to ensure that they will remain compliant post 1 January.

This briefing covers the key changes and summarises what businesses need to do during the six month transitional period, to prepare for the new policy coming into force.

What is outsourcing?

An outsourcing arrangement arises when a regulated or supervised business:

• appoints a service provider to perform a function which the business would otherwise perform itself
• any failure or inadequate performance by the service provider would materially impair (clarified in the new policy as meaning to prevent, disrupt or impact upon) the continuing compliance of the regulated or supervised activity with the applicable laws

As currently, the new Outsourcing Policy also extends to further appointments made by that service provider (sub-outsourcing).

As with the current policy, certain activities are expressly excluded from scope. These include the existing carveouts for funds (where specified disclosures are made concerning the arrangements), MoME appointments and the provision of investment advice (where not part of the activity for which the business is regulated).

As well as the carve-out for appointment of AMLSPs referred to above, there are further additional exclusions including, among others, provision of telecommunication services and provision of third-party AML/CFT/CPF screening systems (provided that the decision on the analysis of the screening output is made by the business not the outsourced service provider).

In relation to the carve-out for funds, helpfully, investor disclosures in order for the exemption to apply may now refer generally to service providers within the relevant group without naming specific entities (useful where networks of advisory entities may be appointed from time to time within the life of the fund), and sub-outsourcing arrangements concerning the fund are also out of scope. The definition of "group" itself has also been amended to encompass any entity in common ownership or common control with the person concerned.

Key requirements of the Outsourcing Policy

The policy sets out seven core principles, which are expanded on with guidance on how businesses may demonstrate compliance. These are similar in scope to the principles in the existing policy, save for the addition of an express statement that the relevant business shall remain responsible for and accountable to the JFSC for any outsourced functions and should not become a 'letter box' entity.

In addition the core principles require that a business which outsources activities must:

• Ensure that any service provider performing outsourced activity is fit and proper. This requires an assessment at the outset that the service provider is regulated (where it is required to be), has adequate capacity and resources, and that adequate measures have been taken to counter any material risks arising
• Put in place a written, legally binding agreement with the service provider before the activity is commenced. Agreements which satisfy the existing requirements are expected to remain compliant, save that there are specific requirements for agreements with providers of cloud services
• Maintain adequate capacity and resources to implement all necessary policies and procedures to ensure that a service provider continues to be fit and proper. Ongoing monitoring should be in place to test policies and procedures against the requirements of the Outsourcing Policy. Consideration of these, and any issues arising, should be documented in board minutes of the governing body of the business. In some circumstances it may be acceptable to delegate handling of a particular outsourced activity to particular individuals or to a specialised central support function within the group
• Maintain suitable contingency plans in case a service provider's performance suffers a material disruption, or ends unexpectedly, for any reason. Note that it is no longer essential that a business be able to terminate its outsourcing arrangements without delay, but rather that contingency plans are in place where issues arise
• Except where otherwise stated, file outsourcing notifications (and, where required, obtain confirmation that the JFSC has no objection) prior to appointing an outsourced service provider, and notify the JFSC upon becoming aware of any material change.The latter is now only a notification and will only require prior confirmation of no objection where the scope of the outsourced activity is to be extended
  
  A minimum of one month's notice is required to enable the JFSC to assess the implications of the arrangement. However, applications in the context of a fund will still be subject to expedited turnaround times, with the JFSC endeavouring to deal with these in line with the published timeframe for the fund or fund service provider or within ten business days for ongoing filings in respect of certified funds or fund services businesses.
  
  In addition, in limited circumstances where a business is part of a group and subject to a group-wide change in IT, security or infrastructure systems, any resulting outsourcing notification can be made post-event where not practicable to file this sooner. In these circumstances the JFSC may require the services to be terminated if they do object. The new policy also recognises that, where the change results from an unexpected disruption in services, businesses may be unable to notify the JFSC in advance (in which case they should do so as soon as possible after the event)

• Ensure that there is nothing in the performance of the outsourced activity that would prevent or restrict the JFSC's activities in respect of the business or the activity.The Outsourcing Policy now includes specific consideration where the service provider is located outside Jersey, including whether any factors such as secrecy laws exist which would impair their oversight, and whether a co-operation agreement exists with the relevant regulator

Digital technology and outsourcing

The new Outsourcing Policy makes specific reference to outsourcing in the form of cloud services, data centre services, cyber-security services and electronic ID systems.

The policy sets out specific guidance on how the core principles may be complied with in this context, reflecting the important part these functions play in business activity and the associated risks. However, these arrangements are subject to reduced notification and approval requirements:

• while outsourcing notifications must be submitted in most cases, these services will not require confirmation of no objection from the JFSC
• no notification at all will be required in respect of standardised, pre-packaged cloud-based email systems
• such service providers will be able to sub-outsource performance of the relevant activity without a further notification / no objection being required, reflecting the often standard terms and conditions on which such services are provided

Summary - action required

On the whole, the changes to the Outsourcing Policy are a welcome update including some practical improvements to the existing policy.

However, the changes will require all businesses which are regulated or supervised by the JFSC to assess whether any of their service provider appointments constitute outsourcing and, if so, ensure that the arrangements comply with the applicable requirements of the policy by no later than 1 January 2024.

In practice, for "previously exempt supervised persons" who are supervised for AML/CFT/CPF purposes only and not regulated for any other activity, the policy is only relevant to these obligations, and their appointment of an AMLSP is out of scope.

We suggest that businesses prepare to analyse (i) their activities to understand whether any additional service provider appointments are within scope and (ii) their existing outsourcing arrangements, including ongoing monitoring policies and procedures, to identify any gaps against the new policy that may need to be addressed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.