31 Oct Outsourcing without Oversight

Posted at 10:26h in News & Insights by

Many Guernsey firms, regulated and unregulated, outsource discrete activities to address local capacity constraints, access specialist capability, achieve cost efficiency and keep internal teams focused on core business. Outsourcing is more than a change of delivery route; it requires deliberate design, clear accountability and ongoing oversight.

Whatever the label — ‘smart sourcing’, managed services, co-sourcing or out-tasking (onshore/nearshore/offshore) — if a third party performs the work, it is an outsourcing arrangement. The Board remains responsible and must ensure adequate due diligence, an appropriately framed contract and continuing monitoring, including of any sub-outsourcing.

This article provides Boards with practical guidance on outsourcing and effective oversight of outsourced functions.

Why Outsourcing Oversight Matters

Boards may outsource activities but, in both regulatory and real terms, they remain accountable for outcomes. The Guernsey Financial Services Commission’s recent Public Statement on ITI Trade Ltd illustrates the point: extensive outsourcing of onboarding and monitoring (very core functions for a licensed firm), coupled with insufficient oversight, led to breaches across the customer lifecycle, including financial crime and sanctions controls.

Beyond Commission-imposed criticism and sanctions, weaknesses in a firm’s functions (whether or not outsourced) risk client harm, reputational damage, unplanned remediation costs and diversion of management attention.

Robust outsourcing controls can provide numerous benefits to the business:

  • Customer protection and firm value — reduces errors, complaints and redress.
  • Service continuity and quality — fewer outages and missed agreed service levels; more consistent outcomes.
  • Cost and execution discipline — avoids rework and unbudgeted remediation; preserves benefits.
  • Regulatory permissions — protects the firm’s licences, approvals and counterparty confidence.
  • Data governance and records readiness — ensures complete, timely retrieval for audits and investigations.
  • Change and scalability — enables predictable migrations, scaling and tested exit/contingency execution.

What the GFSC expects

Across sectors, the GFSC requirements point to a consistent set of expectations for firms outsourcing activities. The obligations on the Board when outsourcing can be summarized as follows:

  • Accountability: The Board retains responsibility for any outsourced activity. While activities or functions can be outsourced, the Board’s obligations cannot be.
  • Materiality and register: Decide if the arrangement is material/critical to firm functions or its licence obligations and keep a live register of service providers (including for sub-outsourcing).
  • Approve and plan: For material or critical functions, Board approval must be obtained, the risks documented, and contingency/exit plans set.
  • Due diligence: Review the outsourced provider’s competence, capacity, financial soundness, controls, data location/jurisdictions, and undertake the same checks for any sub-providers.
  • Contract the controls: Tightly define scope and SLAs/MI of outsourced functions. In the contractual arrangements ensure the firm has access through the chain to necessary underlying information and documents in a timely manner, set incident timelines, change control notifications, and exit/transition help.
  • Monitor performance with evidence: Assign owners to oversight of outsourced functions. Ensure that regular MI is requested and received, challenge and track actions and commission periodic independent assurance.
  • Resilience: Set impact tolerances, test business continuity and disaster recovery (BCP/DR) on a regular basis, and require go-live/rollback assurance for material changes.
  • Board reporting: Regular Board reports should give a clear picture of the firm’s outsourcing including any new or changed arrangements; key provider staff turnover; performance and monitoring data (hits, misses, and near-misses); notable incidents and emerging patterns; findings from periodic or independent reviews; developments in the jurisdictions where services are delivered; and confirmation that records remain readily accessible.

Case study: ITI Trade Ltd – what went wrong

In July 2025, the Commission issued a public statement concerning ITI Trade Ltd, a licensee under the POI Law. The Commission found that the firm had outsourced critical control functions – including client onboarding, transaction monitoring, and ongoing due diligence – to a sister entity in Russia. The Guernsey board failed to:

  • Demonstrate sufficient knowledge of how AML/CFT obligations were being discharged by the provider.
  • Maintain oversight of the customer lifecycle, particularly for high‑risk clients.
  • Ensure timely escalation and reporting of suspicious activity.

The GFSC concluded that these failings constituted breaches of licensing conditions and the Handbook on Countering Financial Crime. Sanctions included a public censure of the firm and action against a director. The case reinforces that outsourcing to group entities in higher‑risk jurisdictions requires enhanced scrutiny, not reduced vigilance.

Board summary: 12 questions for your next meeting

  1. Do we have an up-to-date inventory of all outsourcing and sub-outsourcing?
  2. Have we mapped each arrangement to licence obligations and AML/financial crime controls?
  3. Are audit/access rights contractually enforceable across the chain (including sub-outsourcing)?
  4. What are our impact tolerances for key services and how does the provider evidence staying within them?
  5. Do we receive MI that allows us to challenge quality and timeliness of SAR escalations?
  6. Are we testing exit and contingency plans at least annually?
  7. Is there a live register of incidents, findings and remediation with owners and due dates?
  8. Do we have clear triggers for GFSC notifications and pre-agreed internal escalation?
  9. Are independent reviews of outsourced files revealing systemic issues? If yes, how fast do we close them?
  10. What is our exposure to high-risk jurisdictions via outsourcing or client book, and how is it mitigated?
  11. For material changes (e.g., IT migrations), do we require independent go-live assurance and rollback rehearsals?
  12. Could we explain our outsourcing model to the GFSC tomorrow and demonstrate control with evidence?

How can ConsultGC assist?

ConsultGC helps Boards discharge their responsibilities for outsourced functions. We conduct independent reviews of outsourcing arrangements, complementing internal checks and providing objective assurance over control design and effectiveness. Our work evidences proportionate oversight to the GFSC, surfaces weaknesses and drift (including in sub-outsourcing chains), and confirms record access and operational resilience — reducing regulatory, operational and reputational risk.