JFSC off -the fence about OUTSOURCING and using the CLOUD – they say you MUST notify if using the cloud
The JFSC has been silent up to now on whether using the cloud for IT is outsourcing. Many firms have erred on the side of caution and notified them, but many have not.
For those that have not, I’m afraid you must now act as the JFSC has said
- A BUSINESS MUST STILL NOTIFY US ABOUT ITS PRIMARY CLOUD SERVICE PROVIDER,
This statement is found in the JUNE 2022 JFSC consultation and proposed revision to current Outsourcing Policy (OSP) and Guidance Notes.
And specifically in the following section[s]
- CLOUD SERVICES – IS OUTSOURCING
- 1.3.1 There is no consistent definition of ‘Cloud Services’ within the International community and, as a result, its meaning can be open to different interpretations.
- For the Revised OSP we have adopted the same definition currently used by the UK FCA (which is broadly consistent with the National Institute of Standards and Technology, U.S. Department of Commerce definition).
- 1.3.2 We considered amending the Revised OSP to provide that where a Service Provider performs Outsourced Activity in the form of Cloud Services on behalf of a Business as part of its non-Regulated Activity, such Outsourced Activity would not be caught.
- However, due to the associated concentration risks and the fact that this option would not be in line with international standards we opted instead, to provide tailored guidance and provisions in the revised OSP to where a Service Provider performs Outsourced Activity in the form of Cloud Services.
- 1.3.3 Taking into account the complex supply chains and nuances associated with Cloud Services, the Revised OSP provides an exception to the rule in terms of the Sub-Outsourcing of Cloud Services.
- Whilst a Business MUST STILL NOTIFY US ABOUT ITS PRIMARY CLOUD SERVICE PROVIDER, it does not have to with any Sub-Outsourcing Cloud Services arrangement.
Online Outsourcing Notifications
- The JFSC will no longer accept paper submissions for Outsourcing Notifications.
- From 29 June 2020, businesses must submit their Outsourcing Notifications via the myJFSC portal. While the requirements for submitting Outsourcing Notifications have not changed, the move to digital submissions should make it easier for businesses to provide us with their information and supporting documents.
- To ensure you are set up for online submissions, you need to make sure you have a user on your portal account who can complete the Outsourcing Notification on behalf of your business.
- You will also need an Authorised Portal User who can submit a notification. If you need to set up a portal user, you can send your request to the Regulatory Maintenance team: RegulatoryMaintenance@jerseyfsc.org
TO READ THE FULL UPDATE ON THE CONSULTATION PLEASE READ ON
JFSC consultation and proposed revision to current Outsourcing Policy (OSP) and Guidance Notes.
Summary of proposed key changes:
- Where a Service Provider performs outsourced activity in the form of telecommunication services on behalf of a business, such outsourced activity is not caught
- Specific guidance is provided where a service provider performs outsourced activity in the form of Cloud Services
- Managed Trust Company Business is now exempt from the application of the Revised OSP
More detailed information on each key change is set out in the JFSC consultation.
- Consultation on revisions to the Outsourcing Policy https://www.jerseyfsc.org/industry/consultations/consultation-outsourcing-policy-no-6-june-2022/
Who will the Revised OSP impact?
- The Revised OSP will impact any person to whom the provisions of the Revised OSP apply. The requirement for all Supervised Persons to comply with the Revised OSP represents a change of policy insofar as only regulated persons carrying on regulated business have had to comply with the current OSP and Guidance Notes to date.
- Close Wednesday 31 August 2022.
- Following the JFSC consultation, we will publish feedback and issue a final form Revised OSP in October.
- There will then be a three-month transition period for compliance with the Revised OSP – January 2023