In the recent consultation paper titled Operational Resilience and Outsourcing Code — which is supported by related guidance notes — the BMA proposes specific operational resilience standards designed to strengthen financial service providers’ capacity to prevent, adapt, manage and recover from operational disruptions, whether from within or caused by a third-party service provider.

The proposed code introduces the elevated concept of operational resilience, which the BMA asserts “should not be mistaken for operational risk [that] … focuses on identifying, assessing and managing risks that could disrupt normal business operations”.

Conversely, the BMA explains that “operational resilience emphasises an organisation’s ability to anticipate, withstand, recover from and adapt to disruptions” — and that “financial regulators have observed that traditional operational risk management approaches are inadequate for today’s complex challenges”.

The BMA’s revised emphasis on operational resilience has been preceded by a series of outsourcing and related operational cyber-risk management prescriptions that have been applied through various codes of conduct.

In 2019, the BMA issued outsourcing guidance notes for banks, trust companies, the Bermuda Stock Exchange, investment businesses, corporate service providers and fund administrators, among others, which took effect in May 2020.

In 2020, the BMA issued its operational cyber-risk management code of conduct for the insurance sector, which included prescriptions for the management of outsourcing and third-party service agreement risk.

Then, in 2022, the BMA revised the same code of conduct for corporate service providers, trust companies and investment businesses, among others, which also included prescriptions to manage outsourcing and third-party service risk by those registrants.

Also in 2022, the BMA revised the insurance code of conduct, which includes an entire section devoted to the management of outsourcing transaction risk by insurance registrants.

Notwithstanding that succession of operational risk management improvements by the BMA, the necessity for financial services to operate 24-7 across tightly interconnected global networks has increased the pace of operational and security threats to that sector.

In response to those relentlessly developing risks, the BMA is now turning its attention to critical service continuity, operational resilience and sustainability in the face of not only possible, but expected service disruption.

Addressing categories of financial services that include, among others, specified types of insurance enterprises, banks and deposit companies, trust businesses, corporate service providers, fund administrators and investment businesses, the BMA’s proposed code is a response to the demands of consumer trust and the heightened need for relevant registrants to develop capabilities of operational resilience, which will ensure critical service continuity in the face of disruptive events.

The BMA’s proposed focus on operational resilience, including in the context of outsourcing transactions, is echoed by many of its international counterparts.

For example, in 2023, Canada’s Superintendent of Financial Institutions issued a revised version of its previously titled outsourcing guidelines as OSFI’s third-party risk management guideline with a profound focus on operational resilience, especially in the context of operational “criticality”.

The Bank of England’s recent pronouncements on why operational resilience is essential for financial services is consistent with the proposed code, as is the Financial Conduct Authority’s operational resilience rules, which come into full force in Britain on March 31.

The operational resilience prescriptions of the BMA, OSFI and the FCA have much in common, including (in part):

  • The concept of “resilience by design”
  • Assessing each registrant’s disruption tolerance
  • The necessity for increased operational planning, due diligence and testing of service resilience
  • An increased focus on business continuity, disaster or disruption recovery and solutions
  • The increased attention on service disruption remediation and resolution

The proposed code advances various prescriptions designed to enhance and foster the operational resilience of Bermuda’s financial institutions, perhaps because, as noted by Jean Chatzky, financial editor of NBC’s Today show, “resilience isn’t a single skill. It is a variety of skills and coping mechanisms … to bounce back from”.

The BMA has invited feedback to the proposed code and policies to be submitted to [email protected] by March 14, with a view to code finalisation this year and for adherence by banks and deposit companies by March 31, 2026 and by all other relevant entities by March 31, 2028.

First Published in The Royal Gazette, Legally Speaking column, February 2025

Locations

Bermuda

Services

Corporate

Type

Insight

Share
X.com LinkedIn Email Save as PDF
More Publications
Appleby-Website-Privacy-and-Data-Protection
14 Apr 2025

M&A transactions under PIPA (Bermuda)

Mergers and business acquisitions are among the many different types of business transactions that r...

Duncan Card
Karim Creary
Duncan Card, Karim Creary
Appleby-Website-Insurance-and-Reinsurance
1 Apr 2025

Bermuda: With everything growing, all of the ILS world will rise together

It’s been an exceptionally busy and record start to the year for the catastrophe bond sector, and ...

Brad Adderley
Brad Adderley
Appleby-Website-Employment-and-Immigration
27 Mar 2025

Entering and Exiting Bermuda for Visa-Controlled Nationals

As it stands, with direct commercial flights to and from Bermuda only going from the United Kingdom,...

Theodora Hand
Theodora Hand
Appleby-Website-Corporate-Practice
27 Mar 2025

How foreign companies become Bermuda companies

Bermuda, renowned as a global business hub, offers a robust legal and regulatory framework that attr...

Milaun Perott
Milaun Perott
Appleby-Website-Insurance-and-Reinsurance
24 Mar 2025

Bridging the USD51 trillion gap: asset-intensive reinsurance in Bermuda

In this article we examine the rise and regulatory landscape of Asset-Intensive Reinsurance (AIR) in...

Brad Adderley
Max Tetlow
Brad Adderley, Max Tetlow
Appleby-Website-Privacy-and-Data-Protection
20 Mar 2025

PIPA Guidance on Financial Services (Bermuda)

This month, the Privacy Commissioner of Bermuda released his Financial Services Guidance Notes: Fin...

Duncan Card
Duncan Card
IWD Grid Capture
8 Mar 2025

International Women’s Day 2025 roundtable: Rights. Equality. Empowerment.

As we recognise International Women’s Day 2025, we are reminded that gender equality is not just a...

Dispute Resolution
25 Feb 2025

Bermuda: An Introduction to Dispute Resolution 2025

The stable, competitive regulatory and legal regime in Bermuda continues to ensure its place as a hu...

John Wasty
Sam Riihiluoma
Claire van Overdijk KC
James Batten
John Wasty, Sam Riihiluoma, Claire van Overdijk KC, James Batten
Appleby-Website-Banking-and-Financial-Services
19 Feb 2025

Recent Updates on BVI, Cayman and Bermuda laws

Entities incorporated or registered in the British Virgin Islands (BVI), Cayman Islands and Bermuda ...

Fiona Chan
Angelina Wong
Fiona Chan, Angelina Wong
Appleby-Website-Employment-and-Immigration
18 Feb 2025

Fostering Respect: the Importance of Bullying and Sexual Harassment Policies in Bermuda (Part 2)

Under the Employment Act 2000 (EA), it is a requirement for an employer to not only have a compliant...

Theodora Hand
Theodora Hand