Service notice – myRegistry and our Security Interests Register will be unavailable due to scheduled maintenance from 10:00am until 6:00pm on Saturday 29 November and 6:00pm on Tuesday 2 December until 2:00am on Wednesday 3 December.

Outsourcing policy

Issued:01 March 2017
Effective from:01 January 2024
Last revised:01 December 2023
Outsourcing policy

Glossary

AIF Regulations	the Alternative Investment Funds (Jersey) Regulations, 2012
Alternative Investment Fund (or AIF)	an Alternative Investment Fund within the meaning of the AIF Regulations
AML/CFT/CPF Handbook	Handbook for the prevention and detection of money laundering and the countering of terrorist financing and proliferation financing
Anti-Money Laundering Services Provider (or AMLSP)	an Anti-Money Laundering Services Provider appointed in accordance with Article 9A of the Money Laundering (Jersey) Order 2008
AMLSP Direct Customer	a Supervised Person who is provided with AMLSP services by an AMLSP
AMLSP services	services provided by an AMLSP to an AMLSP Direct Customer that enable the AMLSP Direct Customer to fulfil its AML/CFT/CPF obligations
Business	any Person performing Regulated Activity which, for the avoidance of doubt, includes Supervised Persons
Category A permit holder	has the same meaning given to the term under the Insurance Business Law and the Code of Practice for Insurance Business
Certified Fund	a fund issued with a certificate pursuant to the CIF Law
CIF Law	the Collective Investment Funds (Jersey) Law, 1988
Client	a customer, investor, or other Person in respect of whom a Business is permitted to provide products or services
Cloud Services	a range of IT services (such as data storage or computing power) provided in various formats over the internet. This incorporates private, public or hybrid cloud, as well as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)
Codes of Practice(or Codes)	collectively, the the Code of Practice for Deposit-taking Business the Code of Practice for Certified Funds the Code of Practice for Fund Services Business the Code of Practice for General Insurance Mediation Business the Code of Practice for Investment Business the Code of Practice for Insurance Business the Code of Practice for Money Service Business the Code of Practice for Trust Company Business the Codes of Practice included as part of the AML/CFT/CPF Handbook
CoBO	the Control of Borrowing (Jersey) Order, 1958
Cyber Security Services	Distributed Denial of Service (DDoS) mitigation, security information event management, vulnerability intelligence, ethical penetration testing, security operations centre, incident response, and threat intelligence or other services designed to prevent or mitigate the risk of cyber-attacks
Data Centre Services	on or off premise data storage solutions in Jersey; all commonly known as and considered to be utilities
Digital ID	electronic identification and verification measures
Fit and Proper	that a Person would meet the standards required to be ‘fit and proper’ within the meaning of applicable Regulatory Laws
FSJL	the Financial Services (Jersey) Law, 1998
Fund	Alternative Investment Fund (or AIF), Certified Fund, Jersey Private Fund (or JPF), Legacy Private Fund, Recognized Fund, Unregulated Fund or Non-Domiciled Fund (or NDF)
Fund Services Business (or FSB)	the Regulated Activity, involving the provision of services described in Article 2(10) of the FSJL
Governing Body	the body within a Business that is considered to exercise ultimate control over it. Generally, this will be (i) the directors of a company, protected cell company, incorporated cell company, or the incorporated cells of an incorporated cell company; (ii) the trustee of a trust; (iii) the general partner of a limited partnership, separate limited partnership or incorporated limited partnership; or the partners of a limited liability partnership (iv) the manager or, if no manager, the managing members of a limited liability company (v) the council of a foundation. In the case of a sole trader, the Governing Body will be the sole trader
Group	any entity in common ownership or common control with the Person concerned The meaning of ‘Group’ does not include the same legal person (see paragraph 2.2.3.1 of the OSP)
Group Outsourcing	an arrangement between a Business and Group Service Provider by which the Group Service Provider performs Outsourced Activity that would otherwise be undertaken by the Business itself
Group Service Provider	a Service Provider which forms part of the same Group as the Business
Insurance Business	the Regulated Activity, involving the provision of insurance business described in Article 5 of the Insurance Business Law
Insurance Business Law	the Insurance Business (Jersey) Law, 1996
JFSC (us, we)	the Jersey Financial Services Commission
Jersey Private Fund (or JPF)	a Jersey Private Fund within the meaning of the Jersey Private Fund Guide
Key Person	has the same meaning given to the term under the Regulatory Laws and covers individuals fulfilling any one of the following three roles; Compliance Officer, Money Laundering Compliance Officer, and Money Laundering Reporting Officer.
Legacy Private Fund	a Very Private Fund, a Private Placement Fund or a CoBO Only Fund
Managed Trust Company Business (or MTCB)	a Business which provides TCB services under the FSJL and which operates in Jersey as a managed entity utilising the services of a TCB Manager
Manager of a Managed Entity (or MoME)	a Business which has been registered by us to conduct Class ZK of FSB under the FSJL
Non-Domiciled Fund (or NDF)	A public or private non-Jersey domiciled Fund with its governing body and management and control in Jersey (through for example, having its general partner or trustee in Jersey)
Network Services	fibre broadband, managed firewalls, and carrier services which provide the infrastructure to enable such services; all commonly known as and considered to be utilities
No Objection	our written confirmation that we have no objection to the Outsourcing arrangement proposed by a Business in an Outsourcing Notification
Offer Document	a prospectus or other offering document inviting a Person to become an investor of a Fund
Outsourced Activity	activity that is performed by a Service Provider that would otherwise be undertaken by a Business itself
Outsourcing	an arrangement between a Business and a Service Provider by which: a Service Provider performs Outsourced Activity; and where that Service Provider’s failure to perform or inadequate performance of such Outsourced Activity would materially prevent, disrupt, or impact upon the continuing compliance of that Business’ Regulated Activity with the applicable Regulatory Laws
Outsourcing Agreement	a written, legally binding agreement between a Business and a Service Provider that reflects the risk, size and complexity of the Outsourced Activity
Outsourcing Notification	a notification as required by Core Principle 6 of the OSP
OSP	this Outsourcing Policy
Person	any natural or legal person (including a body of persons corporate or unincorporated)
Principal Person	has the same meaning given to the term under the Regulatory Laws
Supervisory Bodies Law	the Proceeds of Crime (Supervisory Bodies) (Jersey) Law, 2008
Recognized Fund	a fund in respect of which there is a recognized fund certificate issued by us under the Collective Investment Funds (Recognized Funds) (General Provisions) (Jersey) Order 1988 or the Collective Investment Funds (Recognized Funds) (Rules) (Jersey) Order 2003
Regulated Activity	activity conducted by a Business pursuant to the Regulatory Laws for which a licence/registration/permit/certificate/consent must be held
Regulatory Laws	collectively, the: Alternative Investment Funds (Jersey) Regulations, 2012 (AIF Regulations) Banking Business (Jersey) Law, 1991 Collective Investment Funds (Jersey) Law, 1988 (CIF Law) Financial Services (Jersey) Law, 1998 (FSJL) Insurance Business (Jersey) Law, 1996 (Insurance Business Law) and Proceeds of Crime (Supervisory Bodies) (Jersey) Law, 2008 (Supervisory Bodies Law)
Service Provider	a Person who performs Outsourced Activity on behalf of a Business
Specialised Central Support Functions	where a Group Service Provider performs specific Outsourced Activity (for example, IT, Finance, Compliance, or other Central Support functions) on behalf of other Businesses in the Group
Sub-Contractor	a third-party sub-contractor of the Service Provider
Sub-Outsourcing	an arrangement between a Service Provider and a Sub-Contractor by which the Sub-Contractor performs Outsourced Activity that would otherwise be undertaken by the Service Provider on behalf of a Business
Supervised Person	has the same meaning given to the term within Article 1 of the Supervisory Bodies Law
Telecommunication Services	has the same meaning given to the term within the Telecommunications (Jersey) Law, 2002 and includes Network Services and Voice Services but does not include Data Centre Services and/or Cyber Security Services
Trust Company Business (or TCB)	the Regulated Activity, involving the provision of services described in Article 2(4) of the FSJL
TCB Manager	a Business which has been registered by us to conduct Class N of TCB under the FSJL
Unregulated Fund	has the same meaning given to the term within the Collective Investment Funds (Unregulated Funds) (Jersey) Order 2008
Voice Services	fixed telephone lines and video conferencing facilities

1 Introduction

1.1 Purpose

1.1.1 The purpose of the Outsourcing Policy (OSP) is to set Core Principles and Guidance in relation to Outsourced Activity and to help Businesses identify if we must be notified of an activity that they outsource.

1.1.2 Compliance with the OSP is a requirement under the Codes.

1.1.3 The OSP explains the Core Principles that a Business must comply with where a Service Provider performs Outsourced Activity for it.

1.2 Core Principles

No. 1	A Business is responsible for and accountable to the JFSC for any Outsourced Activity
No. 2	A Business must ensure that any Service Provider performing Outsourced Activity is Fit and Proper
No. 3	A Business must put in place an Outsourcing Agreement with the Service Provider before the start of the Outsourced Activity
No. 4	A Business must maintain adequate capacity and resources to implement all necessary policies and procedures to ensure that a Service Provider continues to be Fit and Proper
No. 5	A Business must maintain suitable contingency plans in case a Service Provider’s performance suffers a material disruption, or ends unexpectedly, for any reason
No. 6	Except for where the OSP specifically provides otherwise, a Business must complete and upload an Outsourcing Notification before they appoint a Service Provider; the Service Provider must not start performing the Outsourced Activity until the Business receives a No Objection, and we must be notified of any subsequent material change to the Outsourced Activity as soon as the Business becomes aware
No. 7	A Business must ensure that there is nothing in the Service Provider’s performance of the Outsourced Activity that would prevent or restrict our regulatory powers in respect of the Business, or the Outsourced Activity

1.3 Guidance

1.3.1 The OSP contains general guidance on the Core Principles, Sub-Outsourcing, Group Outsourcing and the Outsourcing Notification process. The OSP also provides specific guidance where a Service Provider performs Outsourced Activity in the form of Cloud Services.

1.3.2 The guidance contained within the OSP is provided to help a Business to demonstrate compliance with the OSP and the relevant Codes.

2 Application of the OSP

2.1 Outsourced Activity caught by the OSP

2.1.1 Where a Service Provider performs Outsourced Activity as part of a Business’ Regulated Activity or non-Regulated Activity and, where the Service Provider’s failure to perform or inadequate performance of the Outsourced Activity would materially prevent, disrupt or impact upon the continuing compliance of that Business’ Regulated Activity, such Outsourced Activity is caught by the OSP.

2.1.2 Examples of how non-Regulated and Regulated Activity would materially prevent, disrupt or impact upon a Business’ continuing compliance include:

2.1.2.1 where a Trust Company Business (TCB) outsources accounting functions (the Outsourced Activity) to a Service Provider that are critical in supporting the performance of its Regulated Activity (e.g. the valuation of Client assets), a failure by the Service Provider to perform those accounting functions properly would result in the TCB failing to properly conduct its Regulated Activity

2.1.2.2 where a Money Service Business (MSB) outsources IT functions (the Outsourced Activity) to a Service Provider that are critical in supporting the performance of its Regulated Activity (e.g. facilitating the transfer of funds by electronic means), a failure by the Service Provider to perform those IT functions properly would result in the MSB failing to properly conduct its Regulated Activity

2.1.2.3 where a Fund Services Business (FSB) or an Investment Business (IB) outsources reporting distribution functions (the Outsourced Activity) to a Service Provider as part of its Regulated Activity (e.g. producing and circulating periodic Client statements of account in compliance with the relevant Code), a failure by the Service Provider to perform those reporting distribution functions properly would result in the FSB or IB failing to properly conduct its Regulated Activity.

2.1.3 For a Supervised Person who is not subject to any other Regulatory Laws other than the Supervisory Bodies Law, the application of the OSP is limited to Outsourced Activity arising from its obligations pursuant to the Supervisory Bodies Law (for example, in the case of a Supervised Person which is a non-Fund special purpose vehicle not subject to any of the Regulatory Laws (within the meaning of the OSP) other than the Supervisory Bodies Law, its obligations under the OSP are limited to any Outsourced Activity arising from its AML/CFT/CPF obligations only). These obligations are explained in detail within the AML/CFT/CPF Handbook and/or the Money Laundering (Jersey) Order 2008 but to help illustrate the type of Outsourced Activity that may be relevant to such a Supervised Person, the following example is provided:

2.1.3.1 where a Supervised Person outsources AML/CFT/CPF compliance services such as Client onboarding due diligence, monitoring etc. to a Service Provider (such as a TCB administrator) who is not its AMLSP. (N.B. this example does not include the AML/CFT/CPF screening systems which are excluded from the OSP under paragraph 2.2.3.10).

2.1.4 An example of how non-Regulated Activity would materially prevent, disrupt or impact upon a Supervised Person’s continuing compliance includes:

2.1.4.1 where a Supervised Person outsources the collection and verification of evidence of the identity of its Clients (the Outsourced Activity) to a Digital ID Service Provider. Such Outsourced Activity is critical in supporting the performance of the Supervised Person’s Regulated Activity. Therefore, a failure by the Service Provider to perform the Outsourced Activity would result in the Supervised Person failing to properly conduct its Regulated Activity.

2.2 Outsourced Activity not caught by the OSP

2.2.1 Where a Service Provider performs Outsourced Activity as part of a Business’ non-Regulated Activity and, where the Service Provider’s failure to perform or inadequate performance of the Outsourced Activity would not materially prevent, disrupt or impact upon the continuing compliance of that Business’ Regulated Activity, such Outsourced Activity is not caught by the OSP.

2.2.2 In addition, where a Service Provider performs Outsourced Activity as part of a Business’ non-Regulated Activity, the following Outsourced Activity is not caught by the OSP:

2.2.2.1 legal advice

2.2.2.2 investment advisory services (provided investment advice is not part of the Business’ Regulated Activity)

2.2.2.3 training of personnel

2.2.2.4 billing services

2.2.2.5 security of premises and personnel

2.2.2.6 standardised services (including market information and price feeds)

2.2.3 The following Outsourced Activity is also not caught by the OSP:

2.2.3.1 Where a Service Provider performs Outsourced Activity on behalf of the same legal person; e.g. a branch on behalf of its head office or vice-versa or, a branch on behalf of another branch of the same legal person.

2.2.3.2 Where a Service Provider performs Outsourced Activity on behalf of a TCB in relation to a single trust structure (which is not a Fund).

2.2.3.3 Where a Service Provider, which is a TCB Manager, performs Outsourced Activity on behalf of a MTCB (e.g. the provision of corporate directors to the MTCB’s Clients), where such services are consistent with the standards set out in the Guidance Note: Managed Trust Company Business.

2.2.3.4 Where a Service Provider, which is a MoME, performs Outsourced Activity (i.e. involving the provision of management services) on behalf of another Person registered to conduct FSB under the FSJL, where such services are consistent with the standards set out in the Guidance Note: for a Manager of a Managed Entity (MoME) and certain managed entities.

2.2.3.5 Where a Service Provider performs Outsourced Activity on behalf of a Fund, provided that the following conditions are met:

the Service Provider or a defined Group of Service Providers (its Group) must be disclosed to us and the Fund’s investors in the Fund’s Offer Document (or any equivalent document) before the Service Provider or its Group starts to perform the Outsourced Activity

where the approval of the Fund’s investors is required for any change to the Service Provider or its Group, such approval must be sought and obtained and the Fund’s Offer Document (or equivalent document) must be updated to reflect the change. Alternatively, where the approval of the Fund’s investors is not required for any change to the Service Provider or its Group, and the Fund’s Offer Document (or an equivalent document) is not updated to reflect the change, the Fund’s investors must be notified in writing of the change

in all cases, it must be made clear to us and the Fund’s investors the nature of the Outsourced Activity to be performed by the new Service Provider or its Group, any material risks connected with the Outsourced Activity (including any conflicts of interest, concentration risk, and/or jurisdiction risk); and any circumstances in which the Fund’s investors must deal directly with the new Service Provider or its Group.

In the circumstances where a Fund has met the conditions under this paragraph 2.2.3.5 and is not caught by the OSP, any Outsourcing or Sub-Outsourcing arrangement for or on behalf of the Fund is also not caught by the OSP. It should be noted however that in such circumstances, unless provided otherwise, the OSP will still apply to any Service Provider to the Fund which is subject to any Regulatory Law(s).

2.2.3.6 Where a Service Provider performs Outsourced Activity in the form of custodian and/or prime broker services on behalf of a Group Service Provider to a Fund (i.e. delegation of Outsourced Activity by a Fund custodian to any Group sub-custodians).

2.2.3.7 Where a Service Provider provides Telecommunication Services to a Business.

2.2.3.8 Where a Service Provider performs Outsourced Activity on behalf of an Insurance Business which is a Category A permit holder.

2.2.3.9 Where a Service Provider which is an AMLSP, performs Outsourced Activity (i.e. AMLSP services) on behalf of an AMLSP Direct Customer where the relevant AMLSP Direct Customer is registered as a Supervised Person pursuant to the Supervisory Bodies Law, and where, such AMLSP services are consistent with the standards set out in the Codes and Guidance Notes for AMLSPs in the AML/CFT/CPF Handbook.

2.2.3.10 Where a Service Provider provides third-party AML/CFT/CPF Client or employee screening systems to a Business other than Digital ID Services, provided that, the decision to take on the prospective Client/employee on the analysis of the screening output from the Service Provider sits with the Business (and not with the relevant Service Provider).

2.2.3.11 Where a Service Provider performs Outsourced Activity on behalf of a non-Jersey domiciled fund with its governing body and management and control outside of Jersey and where only administration services to the non-Jersey domiciled fund are provided by a Jersey FSB and/or TCB, noting that whilst the OSP in such circumstances does not apply to the non-Jersey domiciled fund itself, the OSP will still apply to its Jersey Service Provider(s) (N.B. non-Jersey domiciled funds looking only to circulate an offer in Jersey pursuant to CoBO and without Jersey management and control are therefore not subject to the OSP).

2.2.3.12 Where a Service Provider provides Cloud-based email services which are standardised and pre-packaged services that are available to the general public, such as Microsoft 365.

3 Core Principles

3.1 Core Principle No.1 - A Business is responsible for and accountable to the JFSC for any Outsourced Activity

Guidance in relation to Core Principle No.1

3.1.1 The Governing Body of a Business is responsible for Outsourced Activity and cannot delegate its responsibilities under Regulatory Laws to a Service Provider.

3.1.2 The Governing Body of a Business is accountable to us for Outsourced Activity and cannot delegate accountability under Regulatory Laws to a Service Provider.

3.1.3 The OSP is based on an understanding that a Business remains fully responsible and accountable to us for any Outsourced Activity performed by a Service Provider for it. A Business should not become devoid of its functions to the extent that it becomes a ‘letter box’ entity.

3.2 Core Principle No.2 - A Business must ensure that any Service Provider performing Outsourced Activity is Fit and Proper

Guidance in relation to Core Principle No.2

3.2.1 A Business should conduct suitable and proportionate due diligence to satisfy itself that:

3.2.1.1 where a Service Provider performs Outsourced Activity as part of the Business’ Regulated Activity, the Service Provider is itself regulated for the performance of the Regulated Activity and complies with all applicable Regulatory Laws (this does not apply where the Outsourced Activity is non-Regulated Activity or where the relevant Service Provider is not required to be regulated for the Outsourced Activity in its home jurisdiction)

3.2.1.2 a Service Provider has adequate capacity and resources

3.2.1.3 adequate measures have been taken to counter any material risks relating to the Outsourced Activity.

3.2.2 In deciding what amounts to “adequate capacity and resources”, “adequate measures” or “material risks”, a Business should consider any factors that may adversely impact its finances, reputation, operations or its Clients.

3.2.3 Factors that should be considered by a Business when deciding what amounts to “material risks” include:

3.2.3.1 conflict of interest risks

3.2.3.2 concentration risks

3.2.3.3 jurisdiction risks

3.2.3.4 regulatory risks

3.2.3.5 money laundering, terrorist financing, and proliferation financing risks

3.2.3.6 cyber security risks.

3.2.4 Factors that should be considered by a Business when deciding whether a Service Provider has “adequate capacity and resources to perform the Outsourced Activity” include:

3.2.4.1 Human resources (i.e. the substance and reputation of the Service Provider and whether its personnel are suitably qualified, experienced, well-trained and resourced)

3.2.4.2 Technical resources (i.e. whether effective, reliable and robust systems and controls are in place to monitor and control the volume of anticipated Outsourced Activity and deal with the complexity and nature of the Outsourced Activity)

3.2.4.3 Financial resources (i.e. whether the Service Provider is solvent and in good standing, has appropriate insurance and has sufficient access to capital or credit).

3.2.5 Where a Service Provider performs Outsourced Activity in the form of Cloud Services, as part of its due diligence and risk assessment of the Service Provider the Business should consider:

3.2.5.1 whether or not the Outsourced Activity is suitable, taking account of the relative risks of using one type of service over another (for example, public versus private)

3.2.5.2 Industry good practice including data and information security management system requirements and cyber risks

3.2.5.3 International standards applied to the Service Provider and Outsourced Activity. External assurance may be helpful such as:

Service Provider’s compliance with well-understood standards (such as the ISO 27000 series)

scope of the Service Provider’s assurance report being specific to the Outsourced Activity the Business proposes to use (for example, the assurance report is against the data centre specified within a Business’ proposed contractual arrangements, not a similar centre located elsewhere)

data storage location; is data stored in a jurisdiction that may inhibit access for either the Business or us. Consideration should be given to the wider political and security stability of the jurisdiction, as well as to laws in force governing data protection, International obligations of the jurisdiction; particularly with regard to memoranda of understanding with Jersey regulatory authorities, and law enforcement provisions.

3.2.6 On request by us, a Business should be able to evidence that suitable due diligence has been undertaken on its Service Provider.

3.2.7 Where a Business forms part of a Group, the Business may rely on the due diligence (including any financial due diligence), materiality assessments and/or risk assessments of any Service Provider or Sub-Contractor undertaken by the Group.

3.3 Core Principle No.3 - A Business must put in place an Outsourcing Agreement with the Service Provider before the start of the Outsourced Activity

Guidance in relation to Core Principle No.3

3.3.1 We would normally expect the Outsourcing Agreement to include enforceable and clearly defined provisions covering the following terms of engagement:

3.3.1.1 the level of services of the Outsourced Activity

3.3.1.2 the rights, obligations and liabilities of all parties to the Outsourcing Agreement

3.3.1.3 whether Sub-Outsourcing is permitted and if so, under what circumstances

3.3.1.4 the performance standards the Service Provider should meet

3.3.1.5 what the Service Provider should report to the Business in relation to:

its obligations under the Outsourcing Agreement

any breaches, errors events or other relevant information that may impact its performance of the Outsourced Activity

3.3.1.6 an annual review (at a minimum) of the Outsourced Activity

3.3.1.7 how the Outsourcing Agreement should be terminated

3.3.1.8 access rights for us, the Business and any other relevant third parties (such as auditors) to information (including records) relating to the Outsourced Activity

3.3.1.9 data protection standards that comply with any applicable legal or regulatory requirements

3.3.1.10 protection of the confidential and other proprietary information or materials of the Business and, where relevant, that of its Clients.

3.3.2 Where a Service Provider performs Outsourced Activity in the form of Cloud Services, as part of its contractual relationship with the Service Provider, a Business should consider:

3.3.2.1 a data residency policy with the Service Provider, which sets out the locations (namely regions or countries) where the Outsourced Activity will be provided, inclusive of where data will be processed and stored, and the conditions to be met, including a requirement to notify the Business if the Service Provider proposes to change the locations

3.3.2.2 provisions regarding information security and personal data segregation (as appropriate)

3.3.2.3 the right of the Business to monitor the Service Provider’s performance of the Outsourced Activity on a regular basis

3.3.2.4 the agreed service levels, which should include, quantitative and qualitative performance targets in order to allow for timely monitoring, so that appropriate corrective actions can be taken without delay if agreed service levels are not met

3.3.2.5 the reporting obligations of the Service Provider to the Business and, as appropriate, the obligations to upload reports relevant for the security function and key functions, such as reports prepared by the internal audit function of the Service Provider

3.3.2.6 provisions for the management of incidents by the Service Provider, including the obligation for the Service Provider to report to the Business without delay incidents that have affected the operation of the Business’ contracted service

3.3.2.7 whether the Service Provider should take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested

3.3.2.8 the requirements for the Service Provider to implement and test business continuity and disaster recovery plans

3.3.2.9 the requirement for the Service Provider to grant the Business, us, other competent authorities and any other Person appointed by the Business or by us the right to access (access rights) and to inspect (audit rights) the relevant information, premises, systems and devices of the Service Provider to the extent necessary to monitor the Business’ compliance with the applicable regulatory and contractual requirements

3.3.2.10 provisions to ensure that the data that the Service Provider processes or stores on behalf of the Business can be accessed, recovered and returned to the Business as required.

3.3.3 Where a Business forms part of a Group, the Outsourcing Agreement may be between the relevant Service Provider and the Group.

3.4 Core Principle No.4 - A Business must maintain adequate capacity and resources to implement all necessary policies and procedures to ensure that a Service Provider continues to be Fit and Proper

Guidance in relation to Core Principle No.4

3.4.1 On request by us, a Business should be able to evidence that they have or, another Group entity has:

3.4.1.1 effective policies and procedures to monitor and assess the performance of the Outsourced Activity by a Service Provider

3.4.1.2 adequate capacity and resources (aligned to Core Principle No. 2) to implement all necessary policies and procedures.

3.4.2 A Business should periodically test whether its policies and procedures comply with the Core Principles of the OSP. This should be completed as part of its ongoing monitoring. The frequency of this testing will depend on the circumstances of the Business and should reflect the size, risk and complexity of the Outsourced Activity.

3.4.3 Since the Governing Body is ultimately responsible for the management and conduct of a Business we would expect to see upon request:

3.4.3.1 board meeting minutes of the Governing Body evidencing that it had carefully considered any Outsourced Activity performed by a Service Provider

3.4.3.2 any reports received by the Governing Body regarding any issues of non-compliance with the OSP (for example, exceptions identified as a result of the ongoing monitoring and assessment of a Service Provider required by Core Principle No. 4) which we would then expect to see tabled and considered in the board meeting minutes.

3.4.4 It may be sufficient for a Governing Body to approve a general Outsourcing arrangement and delegate the handling of specific Outsourced Activity to particular individuals or to a Specialised Central Support Function. In such a case, we would still expect to see minutes of the Governing Body evidencing that it had carefully considered the Outsourced Activity the particular individuals or committees perform on behalf of the Business.

3.4.5 Where a Service Provider performs Outsourced Activity in the form of Cloud Services, as part of its continuous compliance monitoring of the Service Provider, the Business should consider:

3.4.5.1 the need to introduce new policies and procedures or amend existing policies and procedures tailored to this type of Outsourced Activity

3.4.5.2 how it will effectively monitor the Service Provider under the contractual terms described in Core Principle 3, including escalation

3.4.5.3 whether the Service Provider has sufficient skill and resources to oversee and test the Outsourced Activity and to identify, monitor and mitigate against all associated risks.

3.4.6 By having policies and procedures in place for regular monitoring of the Service Provider's status, and identifying service level disruption when it occurs, at all times, a Business should be able to demonstrate to us that a Service Provider’s performance of any Outsourced Activity on its behalf is effective, reliable, robust and, complies with the OSP.

3.5 Core Principle No.5 - A Business must maintain suitable contingency plans in case a Service Provider’s performance suffers a material disruption, or ends unexpectedly, for any reason

Guidance in relation to Core Principle No.5

3.5.1 A Business should have and maintain appropriate contingency plans in the event that the Outsourced Activity ends suddenly or unexpectedly or, there is a significant interruption to the service. We consider a “significant interruption” to be any interruption that has a material impact on the performance of any Outsourced Activity (for example, a natural disaster or, a major failure of the IT network).

3.5.1.1 A Businesses should refer to relevant sections of the Codes (in particular, Section 2.4 of the AML/CFT/CPF Handbook and Principle 3 of the other Codes) when determining the adequacy of its contingency plans.

3.5.2 Contingency plans should be documented and, where appropriate, include provisions that allow the Business or a Group Service Provider to take over the day-to-day control of any Outsourced Activity or transfer the performance of the Outsourced Activity on the Business’ behalf to another Service Provider.

3.5.3 The specific timeframe of the contingency plans will depend on the facts of each case, but a Business should have the ability to implement its contingency plans as quickly and as reasonably as possible.

3.5.4 A Business should periodically test its contingency plans. This should be completed as part of its ongoing monitoring. The frequency of this testing will depend on the circumstances of the Business and should reflect the size, risk and complexity of the Outsourced Activity. We may request or review the results of such testing on a supervisory examination.

3.5.5 Where a Service Provider performs Outsourced Activity in the form of Cloud Services, as part of its contingency planning should the Service Provider’s performance of the Outsourced Activity suffer a material disruption or end for any reason (i.e. non-payment of fees by the Business to the Service Provider, the voluntary or involuntarily winding up of the Service Provider, etc.), the Business should consider:

3.5.5.1 having in place, well understood exit/termination arrangements which, amongst other things, should provide for how data can be exported from the current Service Provider, in what format and over what time- period and, where a new Service Provider is to be appointed, how data will be transitioned across to the new Service Provider

3.5.5.2 how to ensure that its contractual (or operational) relationships with the retiring Service Provider are not overly complicated or present a barrier to the Outsourced Activity being wound down and/or transitioned to a new Service Provider (as necessary).

3.5.6 Where a Business forms part of a Group, the Business may rely upon Group contingency plans.

3.6 Core Principle No.6 - Except for where the OSP specifically provides otherwise, a Business must complete and upload an Outsourcing Notification before they appoint a Service Provider; the Service Provider must not start performing the Outsourced Activity until the Business receives a No Objection; and we must be notified of any subsequent material change to the Outsourced Activity as soon as the Business becomes aware

Guidance in relation to Core Principle No.6

3.6.1 Using an Outsourcing Notification, a Business should notify us in advance of a proposal to appoint a Service Provider to perform Outsourced Activity on its behalf. Should we have any concerns with the proposals, we may object to the proposals or, require further action and/or information. For example, we might require a Business to provide its Clients, or us, with further information about the Outsourced Activity, the Service Provider or other aspects of the proposed Outsourced Activity.

3.6.2 A Business should provide us with sufficient time, with a minimum of one month’s notice, in advance of any Outsourced Activity being performed by a Service Provider to review and assess the possible regulatory implications of the proposed Outsourced Activity. We will respond to Outsourcing Notifications in line with paragraph 6.3 of the OSP.

3.6.3 Factors that may be relevant when deciding what amounts to “sufficient time”, include:

3.6.3.1 the size, risk and complexity of the proposed Outsourced Activity

3.6.3.2 the Service Provider

3.6.3.3 the jurisdictions where the Outsourced Activity will take place

3.6.3.4 the Business’ ability to comply with the OSP should the proposals be implemented.

3.6.4 Where a Service Provider’s performance of Outsourced Activity should suffer a material disruption or end suddenly or unexpectedly causing the Business to put in place its Outsourcing contingency plans, in such circumstances, it may not always be possible for the Business to notify us in advance. Where the Business is unable to notify us in advance, it should, as soon as it becomes aware, notify us in writing of the following:

3.6.4.1 the reason why the Outsourced Activity has ended or has been significantly interrupted

3.6.4.2 whether it intends to undertake the Outsourced Activity itself or enter into a new Outsourcing arrangement with another Service Provider

3.6.4.3 where a new Service Provider will be appointed the timeframe for when we should expect to receive a new Outsourcing Notification in respect of the newly proposed Outsourcing arrangement.

3.6.5 Where a Business Outsources the performance of Outsourced Activity in the form of Cloud Services, Data Centre Services, Cyber Security Services or Digital ID Services to a Service Provider, whilst the relevant Business must still submit an Outsourcing Notification in respect of such Outsourced Activity, it will not require a No Objection. (N.B. per paragraph 2.2.3.12, no Outsourcing Notification will be required in respect of Cloud-based email services which are standardised and pre-packaged services that are available to the general public, such as Microsoft 365).

3.6.6 Where a Service Provider Sub-Outsources the performance of Outsourced Activity in the form of Cloud Services, Data Centre Services, Cyber Security Services or Digital ID Services to any Sub-Contractor(s), the Business is not required to complete and upload an Outsourcing Notification or wait for us to issue it with a No-Objection before the Sub-Contractor(s) can start performing the Outsourced Activity. The Business is still however required to complete and upload an Outsourcing Notification in respect of the proposed Outsourcing arrangement with its primary Service Provider in accordance with paragraph 3.6.5.

3.7 Core Principle No.7 - A Business must ensure that there is nothing in the Service Provider’s performance of the Outsourced Activity that would prevent or restrict our regulatory powers in respect of the Business, or the Outsourced Activity

Guidance in relation to Core Principle No.7

3.7.1 A Business should ensure that any Outsourced Activity that is performed by a Service Provider does not defeat the purpose of regulation. Whatever the nature of any Outsourced Activity, a Business should ensure that:

3.7.1.1 the provisions of any Regulatory Laws or other regulatory requirements which applied to the Business’ Regulated Activity prior to any Outsourcing, continue to apply

3.7.1.2 we are able to exercise our supervisory and other regulatory functions effectively. In order to facilitate this requirement, a Business should ensure that we are able to access, promptly upon request, any books, records or other sources of information relevant to our regulatory oversight of the Business.

3.7.2 Where the Outsourced Activity involves a foreign jurisdiction, we have to be able to continue to effectively supervise the Outsourcing. Our ability to do this might be impaired by factors such as increased supervision costs, data protection, secrecy or other laws. In such circumstances, a Business should ensure that we are not prevented from obtaining information and it may be necessary to establish whether we have entered into a mutual co-operation agreement with the relevant regulatory authorities in the foreign jurisdiction to facilitate our supervisory responsibilities.

3.7.3 Where financial records or other information which we might need to obtain in order to exercise our supervisory or enforcement powers is transferred to a jurisdiction which has secrecy laws, a Business should take adequate steps to ensure that such laws will not be used to prevent us from accessing this information and should periodically test whether these measures are effective.

3.7.4 In accordance with Core Principle No.1, a Business remains accountable to us for any breach in respect of their Regulated Activity regardless of any Outsourcing Activity being performed by a Service Provider on its behalf in any jurisdiction.

4 Guidance on Sub-Outsourcing

4.1.1 Where Sub-Outsourcing takes place, a Business should adhere to the Core Principles of the OSP having regard to:

4.2 Core Principle No. 1 - A Business is responsible for and accountable to the JFSC for any Outsourced Activity

4.2.1 A Business cannot delegate accountability or responsibility for Outsourced Activity and this includes Sub-Outsourcing.

4.3 Core Principle No. 2 - A Business must ensure that any Service Provider performing Outsourced Activity is Fit and Proper and Core Principle No. 3 - A Business must put in place an Outsourcing Agreement with the Service Provider before the start of the Outsourced Activity

4.3.1 A Business must carry out adequate due diligence and risk assessment of each Service Provider and Sub-Contractor under the Sub-Outsourcing and should have the ability to object to any Service Provider or Sub-Contractor should it not meet the required standards of compliance or oversight (as assessed by the Business).

4.3.2 Generally, a Business should put in place an Outsourcing Agreement between it and the Service Provider which states, amongst other things, that Sub-Outsourcing is permitted provided that the Business has prior knowledge of the Sub-Outsourcing and has granted its approval (to be granted only once the Business has properly considered all associated risks). It may not however, be practical to always obtain the prior approval of the relevant Business to the Sub-Outsourcing. Typically, this will be because the Sub-Outsourced Activity is provided on standard terms and conditions. In these very limited circumstances, we would expect a Business to carefully manage the relationship with its primary Service Provider and to file a post-event Outsourcing Notification as soon as it is on notice of the Sub-Outsourcing detailing why it was not possible to make an Outsourcing Notification prior to the commencement of the Sub-Outsourced Activity. Where a No Objection is not granted, the relevant Business must terminate its relationship with the primary Service Provider as soon as reasonably practicable.

4.3.3 For any Sub-Outsourcing of Cloud Services, a Business should:

4.3.3.1 review any Sub-Outsourcing relevant to the Business’ Regulated Activity to assess whether such Sub-Outsourcing would enable the Business to continue to comply with all applicable Regulatory Laws or other regulatory requirements which apply to its Regulated Activity

4.3.3.2 consider the nature of the information or data being stored, managed or transmitted by the Sub-Contractor and whether the due diligence and risk assessment of the Service Provider and/or the Sub-Contractor would support this arrangement.

4.3.4 If the Business is not satisfied on any of the above, it should have the ability to object and prevent the Sub-Outsourcing from going ahead.

4.4 Core Principle No.5 - A Business must maintain suitable contingency plans in case a Service Provider’s performance suffers a material disruption, or ends unexpectedly, for any reason

4.4.1 A Business remains fully responsible for ensuring that suitable contingency plans are in place where there is Sub-Outsourcing.

4.5 Core Principle No.7 - A Business must ensure that there is nothing in the Service Provider’s performance of the Outsourced Activity that would prevent or restrict our regulatory powers in respect of the Business, or the Outsourced Activity

4.5.1 Any Sub-Outsourcing should not prevent or restrict our legal or regulatory powers in respect of the Business or the Outsourced Activity. Nor should it restrict the Business’ ability to conduct ongoing compliance monitoring of the Outsourced Activity by the Service Provider and/or Sub-Contractor with applicable Regulatory Laws or other regulatory requirements which apply to its Regulated Activity.

5 Guidance on Group Outsourcing

5.1.1 Where Group Outsourcing takes place, a Business should adhere to the Core Principles of the OSP having regard to:

5.2 Core Principle No.1 - A Business is responsible for and accountable to the JFSC for any Outsourced Activity

5.2.1 A Business cannot delegate accountability or responsibility for Outsourced Activity and this includes Group Outsourcing.

5.3 Core Principle No.2 - A Business must ensure that any Service Provider performing Outsourced Activity is Fit and Proper

5.3.1 A Business should conduct suitable and proportionate due diligence on a Group Service Provider to satisfy itself that the Group Outsourcing is:

5.3.1.1 compliant with relevant Regulatory Laws or other regulatory requirements which apply to its Regulated Activity

5.3.1.2 appropriate in the circumstances and does not give rise to any material risks for its Clients.

5.4 Core Principle No.3 - A Business must put in place an Outsourcing Agreement with the Service Provider before the start of the Outsourced Activity

5.4.1 Where a Group Service Provider performs Specialised Central Support Functions, in the absence of a written, legally binding agreement that covers the specific nature of the Group Outsourcing, we would still expect the Business to be able to evidence to us that:

5.4.1.1 the Group Outsourcing complies with all of the requirements of the other Core Principles of the OSP

5.4.1.2 the Group Outsourcing complies with applicable Regulatory Laws or other regulatory requirements

5.4.1.3 clearly documented and robust procedures relating to the Group Outsourcing are in place to protect the interests of its Clients.

5.5 Core Principle No. 4 - A Business must maintain adequate capacity and resources to implement all necessary policies and procedures to ensure that a Service Provider continues to be Fit and Proper

5.5.1 A Business should be able to demonstrate to us that it has and maintains adequate capacity and resources to implement all necessary policies and procedures to ensure that the Group Service Provider continues to be Fit and Proper and continues to perform the Outsourced Activity to a good standard.

5.6 Core Principle No. 5 - A Business must maintain suitable contingency plans in case a Service Provider’s performance suffers a material disruption, or ends unexpectedly, for any reason

5.6.1 A Business remains fully responsible for ensuring that suitable contingency plans are in place where there is Group Outsourcing.

5.7 Core Principle No.6 - Except for where the OSP specifically provides otherwise, a Business must complete and upload an Outsourcing Notification before they appoint a Service Provider; the Service Provider must not start performing the Outsourced Activity until the Business receives a No Objection; and we must be notified of any subsequent material change to the Outsourced Activity as soon as the Business becomes aware

5.7.1 Where Group Outsourcing has arisen due to changes made under a Group-led change in IT systems, security and/or infrastructure, it may not always be practical for the Business to complete and upload an Outsourcing Notification before the relevant Group Service Provider is appointed. In these very limited circumstances, we would expect the Business to file a post-event Outsourcing Notification as soon as it is on notice of the Group Outsourcing detailing why it was not possible to make an Outsourcing Notification prior to its commencement. Where a No Objection is required but is not granted, the relevant Business must terminate its relationship with the Service provider as soon as reasonably practicable.

6 Guidance on Outsourcing Notification and Material Change to Outsourcing Notification

6.1 Outsourcing Notification

6.1.1 Each Outsourcing Notification must include the following information:

6.1.1.1 name and address of the Service Provider

6.1.1.2 regulatory status of the Service Provider

6.1.1.3 summary of the Outsourced Activity

6.1.1.4 whether the Service Provider is a Group Service Provider or has another connection to the Business

6.1.1.5 rationale for the Outsourcing

6.1.1.6 summary of how the Outsourcing impacts on the Business’ Regulated Activity including a summary of the risk assessment

6.1.1.7 confirmation due diligence has been performed by the Business on the Service Provider (in compliance with Core Principle No. 2)

6.1.1.8 confirmation that there are no barriers to accessing the Service Provider’s records and data

6.1.1.9 confirmation that all data protection requirements have been fully considered

6.1.1.10 summary of how the Outsourced Activity will be monitored by the Business on an ongoing basis

6.1.1.11 details of the contingency plans that exist should the Service Provider’s performance of the Outsourced Activity suffer a material disruption or end suddenly or unexpectedly for any reason

6.1.1.12 whether Sub-Outsourcing is permitted and under what circumstances

6.1.1.13 confirmation that the Business will comply with the Core Principles under the OSP

6.1.1.14 any other relevant information.

6.1.2 For reference, a proforma Outsourcing Notification is included under Appendix A.

6.1.3 A Business must submit together with a duly completed Outsourcing Notification, either a copy of the draft Outsourcing Agreement or a copy of the signed final form Outsourcing Agreement effective from the date of receipt of a No Objection, except that is for where the Outsourced Activity is not Regulated Activity; to include Cloud Services, Data Centre Services, Cyber Security Services or Digital ID Services.

6.2 Upload of Outsourcing Notification on myJFSC

6.2.1 An Outsourcing Notification must be made via myJFSC.

Getting Started

6.2.2 Before a Business can upload an Outsourcing Notification, it should first ensure that it has set up both a platform user and an authorised user in its myJFSC account by contacting [email protected].

6.2.3 Platform Users complete the Outsourcing Notification and authorised users, who should either be Key or Principal Person of the Business, upload the Outsourcing Notification on behalf of the Business.

Creating an Outsourcing Notification

6.2.4 To create an Outsourcing Notification, a Business’ platform user and/or authorised user should access myJFSC and click on the services tab.

Adding documents to an Outsourcing Notification

6.2.5 Using the “upload documents” button in myJFSC, a Business’ platform user and/or authorised user can add unlimited documents to support the Outsourcing Notification.

Completing an Outsourcing Notification

6.2.6 A Business can at any time, check the status of an Outsourcing Notification by viewing “uploaded services” under the services tab.

6.2.7 Should we request further information in support of an Outsourcing Notification, a platform user and/or authorised user can add additional documentation by choosing the uploaded services tab within the services section of myJFSC and selecting the relevant notification and clicking “upload documents.”

6.3 Outsourcing Notification acknowledgement and next steps

6.3.1 Following submission of an Outsourcing Notification, a message will be displayed in myJFSC saying that your Outsourcing Notification has been received.

6.3.2 We aim to respond within 20 business days following receipt of an Outsourcing Notification. Our response may include:

6.3.2.1 a request for further action to be taken such as:

the upload of additional information and/or documentation

confirmation that additional time is required to consider the Outsourcing Notification; or

6.3.2.2 a No Objection.

6.3.3 An authorised user will receive an email notification directing them to visit the “my documents” section in myJFSC, where they can download a No Objection.

6.3.4 Where the Outsourcing Notification relates to Outsourced Activity which is caught by the OSP and forms part of an application to authorise a Fund or any Service Provider to a Fund, we will not send a confirmation of receipt of the Outsourcing Notification or a response in line with paragraphs 6.3.1 and 6.3.2 above. Instead, we will review and process the Outsourcing Notification in line with the published timeframes for the relevant Fund and/or Service Provider to a Fund. Where the Outsourced Activity is not exempt and concerns a Certified Fund or a Fund Services Business, the JFSC will endeavour to respond within 10 business days of receipt of the Outsourcing Notification.

6.4 Material Change to Outsourcing Notification

6.4.1 A Material Change to Outsourcing Notification is available and must be made via myJFSC in the event of any of the following material change(s) to existing Outsourced Activity in respect of which, either a No Objection has been granted or, in respect of which an Outsourcing Notification has been submitted but which did not require a No Objection (in accordance with paragraph 3.6.5):

6.4.1.1 Material change to Service Provider/Group Service Provider

6.4.1.2 Material change to Sub-Contractor

6.4.1.3 Material disruption to or sudden or unexpected end to Outsourcing/Sub-Outsourcing/Group Outsourcing causing contingency plans to be put in place

6.4.1.4 Orderly termination of Outsourcing

6.4.1.5 Orderly termination of Sub-Outsourcing

6.4.1.6 Orderly termination of Group Outsourcing

6.4.1.7 Other material change to Outsourcing/Sub-Outsourcing/Group Outsourcing .

6.4.2 Where a Group of Businesses outsource Outsourced Activity to the same Service Provider, only one Business within the Group is required to notify us of a change of name or address of the relevant Service Provider using the Material Change to Outsourcing Notification.

6.4.3 Following submission of a Material Change to Outsourcing Notification, a message will be displayed in myJFSC saying that your Material Change to Outsourcing Notification has been received. An email acknowledgement will also be generated. A Material Change to Outsourcing Notification will ordinarily not require a further No Objection. However, there may be some limited circumstances in which material change(s) to an existing Outsourced Activity will, on review by us, trigger the requirement for a further No Objection. In such circumstances, we will advise the Business accordingly following receipt of the Material Change to Outsourcing Notification.

6.4.4 Where there is new Outsourced Activity as opposed to material change(s) to an existing Outsourced Activity, the Business must complete a new Outsourcing Notification and obtain a further No Objection.

6.4.5 Where a No Objection was not previously required but is now required under the OSP (for example where a Supervised Person is newly caught by the OSP in respect of its Outsourced Activity), an Outsourcing Notification will be required in all circumstances. Only once an Outsourcing Notification in respect of the relevant Outsourced Activity has been submitted and a No Objection granted, where required, does the Material Change to Outsourcing Notification become relevant unless, as set out under paragraph 6.4.1, there is new Outsourced Activity in which case, the Business must submit a new Outsourcing Notification and obtain a further No Objection.

6.4.6 For reference, a proforma Material Change to Outsourcing Notification is included under Appendix A.

Appendix A

Outsourcing Notification

This Outsourcing Notification is required to be submitted by a Business prior to the commencement of any new Outsourcing (to include Sub-Outsourcing and Group Outsourcing) unless where the Outsourcing Policy (OSP) provides otherwise, i.e.:

i. Paragraph 3.6.5 of the OSP provides that no Outsourcing Notification will be required in respect of Outsourced Activity in the form of Cloud-based email services which are standardised and pre-packaged services that are available to the general public, such as Microsoft 365.

ii. Paragraph 3.6.6 of the OSP provides that no Outsourcing Notification will be required in respect of Sub-Outsourcing in the form of Cloud Services, Data Centre Services, Cyber Security Services or Digital ID Services.

iii. Paragraph 5.7.1 of the OSP provides that where Group Outsourcing has arisen due to changes made under a Group-led change in IT systems, security and/or infrastructure, it may not always be practical for the Business to complete and upload an Outsourcing Notification before the relevant Group Service Provider is appointed. In these very limited circumstances, we would expect the Business to file a post-event Outsourcing Notification as soon as it is on notice of the Group Outsourcing detailing why it was not possible to make an Outsourcing Notification prior to the commencement of the Group Outsourcing.

N.B. Paragraph 3.6.5 of the OSP provides that where a Business Outsources the performance of Outsourced Activity in the form of Cloud Services (except for Cloud-based email services which are standardised and pre-packaged services that are available to the general public, such as Microsoft 365 and which do not require an Outsourcing Notification to be made per paragraph i. above), Data Centre Services, Cyber Security Services or Digital ID Services to a Service Provider, whilst the relevant Business must still submit an Outsourcing Notification in respect of such Outsourced Activity, it will not require a No Objection.

Question/Heading	Answer Option	Notes
Are you providing an Outsourcing Notification in respect of Outsourced Activity in the form of Cloud Services, Data Centre Services, Cyber Security Services or Digital ID Services?	Yes No

Question/Heading

Answer Option

Notes

Are you providing an Outsourcing Notification in respect of Outsourced Activity in the form of Cloud Services, Data Centre Services, Cyber Security Services or Digital ID Services?

Yes

Prior to submitting this Outsourcing Notification, a Business is required to have read and understood the OSP which sets the following 7 Core Principles that a Business must comply with where a Service Provider is to perform Outsourced Activity for it.

Core Principles

Core Principle No.1 - A Business is responsible for and accountable to the JFSC for any Outsourced Activity

Core Principle No.2 - A Business must ensure that any Service Provider performing Outsourced Activity is Fit and Proper

Core Principle No.3 - A Business must put in place an Outsourcing Agreement with the Service Provider before the start of the Outsourced Activity

Core Principle No.4 - A Business must maintain adequate capacity and resources to implement all necessary policies and procedures to ensure that a Service Provider continues to be Fit and Proper

Core Principle No.5 - A Business must maintain suitable contingency plans in case a Service Provider’s performance suffers a material disruption, or ends unexpectedly for any reason

Core Principle No.6 - Except for where the OSP specifically provides otherwise, a Business must complete and upload an Outsourcing Notification before they appoint a Service Provider; the Service Provider must not start performing the Outsourced Activity until the Business receives a No Objection, and we must be notified of any subsequent material change to the Outsourced Activity as soon as the Business becomes aware

Core Principle No.7 - A Business must ensure that there is nothing in the Service Provider’s performance of the Outsourced Activity that would prevent or restrict our regulatory powers in respect of the Business, or the Outsourced Activity

Details of the Service Provider

Question/Heading	Answer Option	Notes
Service Provider's Name	Free Text
Service Provider's Address	Address Postcode Search
What is the Service Provider's regulatory status?	Regulated Non-Regulated
Please provide the name(s) of the regulatory authority	Free Text	Displayed if regulatory status is regulated
Description of regulatory licence(s) or authorisation(s)	Free Text	Displayed if regulatory status is regulated

Details of the Outsourced Activity

Question/Heading	Answer Option	Notes
Proposed Outsourced Activity	List of Proposed Outsourced Activity Category
For each proposed Outsourced Activity, please provide a summary of the Outsourced Activity	Text Box
Is the Service Provider a Group Service Provider?	Yes No
Please describe the Group connection	Free text	Displayed if yes to is the Service Provider a Group Service Provider?
Does the Service Provider have any other connection to the Business?	Yes No
Please describe its connection to the Business	Free Text	Displayed if Yes to does the Service Provider have any other connection to the Business
Rationale for the Outsourcing/Group Outsourcing	Free Text
Summary of how the Outsourced Activity impacts on the Business’ Regulated Activity including a summary of the risk assessment	Free Text
Confirmation due diligence has been performed by the Business on the Service Provider/Group Service Provider (in compliance with Core Principle No.2)	Confirmation Select
Confirmation that there are no barriers to accessing the Service Provider’s/Group Service Provider’s records and data	Confirmation Select
Confirmation that all data protection requirements have been fully considered	Confirmation Select
Summary of how the Outsourced Activity will be monitored by the Business on an ongoing basis	Free Text
Details of the contingency plans that exist should the Service Provider’s/Group Service Provider’s performance of the Outsourced Activity suffer a material disruption or end suddenly or unexpectedly for any reason	Free Text
Will there be Sub-Outsourcing where Sub-Outsourcing is permitted under the Outsourcing Agreement?	Yes No

Details of the Sub-Contractor

Question/Heading	Answer Option	Notes
Is Sub-Outsourcing Permitted?	Yes No	Notes
Sub-Contractor's Name	Text Box
Sub-Contractor's Address	Address Postcode Search
What is the Sub-Contractor's regulatory status?	Regulated Non-Regulated
Please provide the name(s) of the regulatory authority	Free text	Displayed if regulated selected for what is the Sub-Contractor’s regulatory status?
Description of regulatory licence(s) or authorisation(s)	Free Text
Summary of Sub-Outsourced Activity	Free Text
Confirmation that the Sub-Outsourcing will not undermine the ability of the Business or us to monitor compliance with the OSP	Confirmation Select

Compliance with OSP and Core Principles

Question/Heading	Answer Option	Notes
Confirmation that prior to submitting this Outsourcing Notification, the Business has read and understood the OSP and has undertaken and documented an analysis of the proposed Outsourced Activity against the 7 Core Principles (to be made available to us on request) and, is satisfied that each of the 7 Core Principles will be complied with regarding the proposed Outsourced Activity	Confirmation Select
Provide any additional information that we should be made aware of as part of this Outsourcing Notification	Free Text
Document Upload	Document Upload
Confirmation all necessary documents have been uploaded	Confirmation Select

Outsourcing Agreement

Question/Heading	Answer Option	Notes
Except for where the Outsourced Activity is not Regulated Activity, to include Cloud Services, Data Centre Services, Cyber Security Services or Digital ID Services, a Business must submit either a copy of the draft proposed Outsourcing Agreement or a copy of the signed final form Outsourcing Agreement from the date of receipt of a No Objection (in accordance with paragraph 6.1.3 of the OSP)	Confirmation Select
Confirmation that if the draft proposed Outsourcing Agreement is not submitted to us together with this Outsourcing Notification, that a copy of the signed final form Outsourcing Agreement will be submitted to us as soon as possible from the date of receipt of a No Objection.	Confirmation Select
Document Upload	Document Upload
Confirmation all necessary documents have been uploaded	Confirmation Select
If the Outsourced Activity is not Regulated Activity, confirmation that the proposed Outsourcing Agreement will be made available to us on request.	Confirmation Select

Business Declarations

Question/Heading	Answer Option	Notes
We are aware that it is a criminal offence under the Regulatory Laws to knowingly or recklessly provide any information to the JFSC that is false or misleading in a material particular or to withhold relevant information	Confirmation Select
We declare that the information given in this notification is complete and correct to the best of our knowledge at the time of this Outsourcing Notification and that there are no other material facts of which the JFSC should be made aware	Confirmation Select
We understand that the JFSC may make such initial and ongoing enquiries and seek such further information or documents as it thinks fit to verify the information given in this Outsourcing Notification	Confirmation Select
This Outsourcing Notification is signed for and on behalf of the Business	Confirmation Select

Material Change to Outsourcing Notification

This Material Change to Outsourcing Notification is required to be submitted by a Business in the event of any material change(s) to an existing Outsourcing arrangement (to include Sub-Outsourcing and Group Outsourcing), in respect of which, either a No Objection has been granted or, in respect of which an Outsourcing Notification has been submitted but which did not require a No Objection under the Outsourcing Policy (OSP).

N.B. Paragraph 3.6.5 of the OSP provides that where a Business Outsources the performance of Outsourced Activity in the form of Cloud Services, Data Centre Services, Cyber Security Services or Digital ID Services to a Service Provider, whilst the relevant Business must still submit an Outsourcing Notification in respect of such Outsourced Activity, it will not require a No Objection … N.B no Outsourcing Notification will be required in respect of Cloud-based email services which are standardised and pre-packaged services that are available to the general public, such as Microsoft 365.

Where there is new Outsourced Activity as opposed to any material change(s) to an existing Outsourcing arrangement, the Business will be required to complete a new Outsourcing Notification and obtain a further No Objection (for the avoidance of doubt, this includes any new Group Outsourcing arrangement or new Sub-Outsourcing arrangement, except for where the OSP specifically provides otherwise).

N.B. Paragraph 3.6.6. of the OSP provides that no Outsourcing Notification will be required in respect of Sub-Outsourcing in the form of Cloud Services, Data Centre Services, Cyber Security Services or Digital ID Services.

Prior to submitting this Material Change to Outsourcing Notification, a Business is required to have read and understood the OSP which sets the following 7 Core Principles that a Business must comply with where a Service Provider is to perform Outsourced Activity for it.