JFSC Outsourcing Policy (OSP) – timely reminder about notifications

In Jersey, the Jersey Financial Services Commission (JFSC) Outsourcing Policy (OSP) sets out the notification and permission rules that apply to “Businesses”.

A “Business” includes:

• All persons registered under the Financial Services (Jersey) Law 1998 (and other regulatory laws), and
• All Schedule 2 supervised persons (i.e. every entity supervised by the JFSC under the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008, lawyers, accountants, estate agents, high-value dealers, VASPs, non-professional trustees acting as a business, etc.).

Important nuance for pure Schedule 2 supervised persons

• If your entity is only a Schedule 2 supervised person and is not registered under any other regulatory law,
• the OSP applies only to outsourcing that relates to your AML/CFT/CPF obligations. All other outsourcing by pure Schedule 2 businesses falls outside the OSP.

What falls inside AML/CFT/CPF obligations (caught by the OSP)

• The policy (and the AML/CFT/CPF Handbook obligations it refers to) means the following typical activities are caught for a pure Schedule 2 business:
• Client onboarding / Customer Due Diligence (CDD) – e.g. outsourcing the collection, verification, and risk assessment of client identity documents, source of funds/wealth checks, beneficial owner identification, etc.
• Ongoing monitoring – transaction monitoring, periodic client reviews, enhanced due diligence (EDD) processes.
• Client identity verification services – including outsourcing to a Digital ID Service Provider (explicitly called out in the policy as caught).
• Other core AML compliance functions that directly support the Money Laundering (Jersey) Order 2008 obligations, such as
• Parts of sanctions screening oversight if the service provider is actively performing the compliance work (not just supplying a tool).

Key trigger:

• The outsourcing must be of an activity that the Schedule 2 business would otherwise perform itself to meet its AML/CFT/CPF obligations, and the service provider’s failure would materially impact the business’s ability to stay compliant.

Quick test for pure Schedule 2 entities

• Ask yourself: “Is this service provider performing (or helping perform) the actual AML/CFT/CPF compliance work that I am required to do under the Money Laundering Order and Handbook?”
• → If yes → OSP applies (notification / possible No Objection required).
• → If no → outside the OSP.

AMLSP

• Appointing a registered AMLSP to carry out AML/CFT/CPF services is completely excluded from the OSP.

THE OSP

The current revised OSP took effect on 1 January 2024 (after a transitional period). The full policy, including proforma notification forms (in Appendix A), is available here:

• Main policy page: https://www.jerseyfsc.org/industry/guidance-and-policy/outsourcing-policy/
• Latest PDF (revised Dec 2023): https://www.jerseyfsc.org/media/7793/pol-outsourcing-policy.pdf

Core Rule – Core Principle 6 (the key notification/permission requirement)

“Except for where the OSP specifically provides otherwise, a Business must complete and upload an Outsourcing Notification before they appoint a Service Provider;

• The Service Provider must not start performing the Outsourced Activity until the Business receives a NO OBJECTION; and
• The JFSC must be notified of any subsequent material change to the Outsourced Activity as soon as the Business becomes aware.”

In practice, this means:

• You must submit an Outsourcing Notification via the myJFSC portal before appointing the service provider.
• The provider cannot begin the outsourced activity until you receive the JFSC’s written No Objection.
• Minimum recommended notice period:
• One month (more may be needed depending on complexity, risk, jurisdictions involved, etc.).
• JFSC response target:
• Normally within 20 business days (or faster for certain fund-related applications).

What the Outsourcing Notification must contain

The form (completed online in myJFSC) requires:

• Service provider details (name, address, regulatory status)
• Summary of the outsourced activity + rationale
• Impact/risk assessment on your regulated activity (or, for pure Schedule 2, on your AML/CFT/CPF obligations)
• Confirmation of due diligence (Core Principle 2)
• Confirmation of no barriers to JFSC access to records/data
• Data protection considerations
• Ongoing monitoring arrangements
• Contingency plans
• Whether sub-outsourcing is permitted and on what terms
• Draft or signed outsourcing agreement (usually required)

Material Changes

• Any material change to an existing outsourcing arrangement requires prompt notification via a separate Material Change to Outsourcing Notification in myJFSC as soon as you become aware of it.

Important Exceptions (where the general rule is relaxed)

1. Cloud Services, Data Centre Services, Cyber Security Services, Digital ID Services: Notification required, but no No Objection needed before the provider starts.
2. Standardised, pre-packaged cloud-based email systems (e.g. Microsoft 365): No notification at all required.
3. Sub-outsourcing of the above IT/cloud services: No additional notification/No Objection needed.
4. Group outsourcing: Same rules apply (with limited practical flexibility on timing in some cases).

Quick Checklist Before Outsourcing

1. Confirm the OSP catches the arrangement (remember, for pure Schedule 2 entities, this is limited to AML/CFT/CPF outsourcing).
2. Complete due diligence and put an outsourcing agreement in place (Core Principles 2 & 3).
3. Prepare and submit Outsourcing Notification via myJFSC (unless exempt).
4. Wait for No Objection (unless exempt).
5. Maintain ongoing monitoring, contingency plans, and notify of material changes promptly.

Note:

1. The Business remains fully responsible to the JFSC for the outsourced activity, you cannot delegate regulatory accountability.
2. For the most up-to-date or case-specific advice, refer directly to the official OSP on the JFSC website or contact the JFSC via myJFSC. The policy applies across most regulated sectors (with some sector-specific carve-outs).

Primary / Official Sources

1. Main Outsourcing Policy page (overview, status, and links) https://www.jerseyfsc.org/industry/guidance-and-policy/outsourcing-policy/
2. Full current Outsourcing Policy PDF (revised 1 December 2023, effective 1 January 2024 – this is the complete document with all Core Principles, guidance, and Appendix A notification forms) https://www.jerseyfsc.org/media/7793/pol-outsourcing-policy.pdf

Additional Useful JFSC Sources

1. Guidance on our Revised Outsourcing Policy (published December 2023) https://www.jerseyfsc.org/news-and-events/guidance-on-our-revised-outsourcing-policy/
2. Presentation slides on the Revised Outsourcing Policy (helpful summary of changes) https://www.jerseyfsc.org/media/7216/outsourcing-policy-presentation-slides.pdf

The above are the only current official sources as of April 2026. The policy has not been updated since the December 2023 revision.