JFSC Requirement to Risk Assess Outsourcing Arrangements

The Jersey Financial Services Commission (JFSC)

• Mandates that regulated businesses (and certain supervised persons) must carry out a documented risk assessment as a core part of any outsourcing arrangement. This is set out in the Outsourcing Policy (OSP) (revised 1 December 2023, effective 1 January 2024).

The policy applies to Outsourced Activity (including sub-outsourcing and group outsourcing) where

• The service provider’s failure or inadequate performance could materially prevent, disrupt, or impact the business’s ability to comply with its Regulatory Laws for Regulated Activity.

Key Mandatory Requirements for Risk Assessment

1. Before entering any outsourcing arrangement
• You must carry out adequate due diligence AND a risk assessment of the proposed Service Provider (and any Sub-Contractor).
• The risk assessment must identify and address material risks relating to the outsourced activity.
• Examples of material risks to consider: conflict of interest, concentration risk, jurisdiction risk, regulatory risk, money laundering/terrorist financing/proliferation financing (ML/TF/PF) risk, cyber security risk, and any other factors that could adversely impact finances, reputation, operations, or clients.
2. Determining “materiality”
• Ask: “If the Service Provider failed or performed inadequately, could this materially impair the business’s regulated activities?”
• If yes → full OSP requirements (including risk assessment) apply.
• Non-regulated activities are only caught if they could materially affect regulated ones.
3. Cloud services
• Additional risk-assessment considerations are required: suitability of public vs private cloud, industry good practice, international standards (e.g. ISO 27000 series), data location/jurisdiction stability, and data protection compliance.
4. Group outsourcing
• You may rely on group-level due diligence, materiality assessments, and/or risk assessments, provided they are adequate for your own compliance.
5. Sub-outsourcing
• You must carry out your own due diligence and risk assessment of any sub-contractor and retain the right to object if standards are not met.
6. Ongoing monitoring
• The risk assessment is not “one-off”. You must maintain policies for ongoing monitoring and periodic assessment of the service provider’s performance (proportionate to the size, risk, and complexity of the outsourced activity).
• The governing body must receive regular reports and consider outsourcing in board minutes.
7. Notification to JFSC
• When submitting an Outsourcing Notification (required before most appointments), you must include:
• “A summary of how the Outsourced Activity impacts the Business’ Regulated Activity including a summary of the risk assessment”.
• Material changes (e.g. new sub-contractor, significant changes to terms) also require notification and may need a fresh risk assessment.

Responsibility Remains with You

• The governing body and the business itself remain fully responsible and accountable for the outsourced activity — you cannot delegate regulatory compliance to the service provider.

Official Sources (Direct Copy & Paste Links – All Current as of May 2026)

• Main Outsourcing Policy page (full details & notification forms): https://www.jerseyfsc.org/industry/guidance-and-policy/outsourcing-policy/
• Full Outsourcing Policy PDF (the complete 43-page document – recommended for exact wording): https://www.jerseyfsc.org/media/7793/pol-outsourcing-policy.pdf (Alternative mirror: https://www.jerseyfsc.org/media/7331/pol-outsourcing-policy.pdf)
• Guidance on the Revised Outsourcing Policy (Dec 2023 explanatory note): https://www.jerseyfsc.org/news-and-events/guidance-on-our-revised-outsourcing-policy/
• Slide deck on the Revised OSP (quick overview of changes): https://www.jerseyfsc.org/media/7216/outsourcing-policy-presentation-slides.pdf

These are the only official JFSC documents that set out the risk-assessment obligation.

The requirement is embedded in Core Principle 1 of the OSP and cross-references the JFSC Codes of Practice (Principle 3 – Risk Management).