The new JFSC outsourcing policy: are you in scope?
- private funds or other funds with a consent issued pursuant to the Control of Borrowing (Jersey) Order 1958 (“COBO”), (which could include funds not domiciled in Jersey and unregulated funds) are not caught under the Policy. However, the Policy will apply to the service providers of these funds;
- where a business outsources data centre services and/or cyber security services, the business will be required to submit an outsourcing notification to the JFSC but will not be required to obtain a ‘no objection’ from the JFSC; and
- a business registered pursuant to Jersey’s AML/CFT/CPF legislation is required to comply with the Policy only in respect of its activities arising from its obligations under Jersey’s AML/CFT/CPF legislation other than activities carried on by its AMLSP.
What is outsourcing?
Outsourcing is an arrangement between a business and a service provider by which:
- a service provider performs outsourced activity; and
- where that service provider’s failure to perform or inadequate performance of such outsourced activity would materially prevent, disrupt, or impact upon the continuing compliance of that business’ regulated activity with applicable laws.
Material amendments to the Policy
The following material amendments have been made to the Policy:
Private Funds/ COBO only funds
Under the Policy, private funds or other funds with a COBO consent, (which could include funds not domiciled in Jersey and unregulated funds) are out of scope. However, the Policy will still apply to the service providers to these funds where these service providers are regulated in Jersey and subject to legislative and/or regulatory requirements in their respective financial services sectors.
Non-domiciled Funds administered in Jersey
Where a service provider performs outsourced activity on behalf of a fund that is not domiciled in Jersey and that has its management and control outside of Jersey and where only administration services are provided by the Jersey service provider, the non-domiciled fund will be out of scope, but the Policy will apply to the Jersey provider. However, where a non-domiciled fund is only looking to circulate an offer in Jersey pursuant to a COBO consent and without any Jersey management and control it will be out of scope. To give effect to this amendment, the JFSC has amended the definition of a non-domiciled fund as follows:
“a public or private non-Jersey fund with its governing body and management and control in Jersey (through for example, having its general partner or trustee in Jersey).”
Funds’ AML/CFT/CPF obligations
Following amendments to Jersey’s AML/CFT/CPF legislation all funds or issuer(s) of securities and their service providers are now subject to registration requirements and the AML/CFT/CPF obligations under the JFSC’s AML/CFT/CPF Handbook. Accordingly, the Policy will apply to all funds and their service providers as it will do for all other Jersey financial institutions, designated non-financial businesses and professions and virtual asset service providers in relation to AML/CFT/CPF services except in relation to the appointment of an AMLSP.
Data centre services and/or cyber security services
Where a business outsources the performance of cloud services, data services, cyber security services or digital ID services, the business will be required to submit an outsourcing notification but will not be required to obtain a ‘no objection’ from the JFSC. No outsourcing notification is required in respect of cloud-based email-services which are standardised and pre-packaged such as Microsoft 365.
Where a business forms part of a group of companies and an outsourced activity has risen due to a change in the IT systems, security and/or infrastructure of the group, it may not be possible for the business to give an outsourcing notification until the service provider is appointed, in this case, the business should file a post-event outsourcing notification outlining reasons as to why it was not possible to make an outsourcing notification prior to the commencement of the outsourced activity. Where a ‘no objection’ is required but not granted, the business must terminate its relationship with the service provider as soon as reasonably practicable.
An entity which is subject to supervision under Jersey’s AML/CFT/CPF legislation (a “supervised person”) but which is not subject to any other Jersey regulatory requirements will be in scope of the Policy only in respect of its outsourcing activity arising from its AML/CFT/CPF obligations.
Where an AMLSP performs outsourced activity on behalf of a “supervised person” and where such services are compliant with the standards set out in the AML/CFT/CPF Handbook, then such outsourced activity is not caught under the Policy. However, where the services performed by an AMLSP on behalf of a “supervised person” are not compliant with the standards set out in the AML/CFT/CPF Handbook, then the “supervised person” and the AMLSP will be subject to the Policy.
The “supervised person” will need to obtain a ‘no objection’ from the JFSC before the AMLSP commences the non-AMLSP AML/CFT/CPF compliance. This is separate from the AMLSP applying for registration in respect of the “supervised person”.
All third-party AML/CFT/CPF screening systems including employee screening systems are not in scope of the Policy provided that the decision to take on the client/employee following the screening process sits with the business and not the service provider.
Changes to existing outsourcing arrangements
Where there is a material change to an existing outsourcing arrangement and where a ‘no objection’ has been granted by the JFSC or is not required, such change must be notified to the JFSC. Where a business has a new outsourced activity as opposed to no material changes to an existing outsourcing arrangement, then a new outsourcing notification must be completed and filed and a ‘no objection’ must be obtained from the JFSC. Where a business did not require a ‘no objection’ from the JFSC previously, but a ‘no objection’ is now required under the Policy, then such business needs to complete and file an outsourcing notification with the JFSC.
The Policy will impact any person to whom the provisions of the Policy apply and will be effective from 1 January 2024. Existing outsourcing arrangements should be reviewed during the transitional period to ensure continuing compliance from 1 January 2024.
Although there is a transitional period, we recommend that businesses should review their activities and identify any outsourced activity which might be in scope of the Policy to ensure that appropriate arrangements are in place, if needed, ahead of the expiry of the transitional period.
For further information or advice on any specific circumstances, please get in touch with one of the key contacts listed.
Link to article