In the recent consultation paper titled Operational Resilience and Outsourcing Code — which is supported by related guidance notes — the BMA proposes specific operational resilience standards designed to strengthen financial service providers’ capacity to prevent, adapt, manage and recover from operational disruptions, whether from within or caused by a third-party service provider.

The proposed code introduces the elevated concept of operational resilience, which the BMA asserts “should not be mistaken for operational risk [that] … focuses on identifying, assessing and managing risks that could disrupt normal business operations”.

Conversely, the BMA explains that “operational resilience emphasises an organisation’s ability to anticipate, withstand, recover from and adapt to disruptions” — and that “financial regulators have observed that traditional operational risk management approaches are inadequate for today’s complex challenges”.

The BMA’s revised emphasis on operational resilience has been preceded by a series of outsourcing and related operational cyber-risk management prescriptions that have been applied through various codes of conduct.

In 2019, the BMA issued outsourcing guidance notes for banks, trust companies, the Bermuda Stock Exchange, investment businesses, corporate service providers and fund administrators, among others, which took effect in May 2020.

In 2020, the BMA issued its operational cyber-risk management code of conduct for the insurance sector, which included prescriptions for the management of outsourcing and third-party service agreement risk.

Then, in 2022, the BMA revised the same code of conduct for corporate service providers, trust companies and investment businesses, among others, which also included prescriptions to manage outsourcing and third-party service risk by those registrants.

Also in 2022, the BMA revised the insurance code of conduct, which includes an entire section devoted to the management of outsourcing transaction risk by insurance registrants.

Notwithstanding that succession of operational risk management improvements by the BMA, the necessity for financial services to operate 24-7 across tightly interconnected global networks has increased the pace of operational and security threats to that sector.

In response to those relentlessly developing risks, the BMA is now turning its attention to critical service continuity, operational resilience and sustainability in the face of not only possible, but expected service disruption.

Addressing categories of financial services that include, among others, specified types of insurance enterprises, banks and deposit companies, trust businesses, corporate service providers, fund administrators and investment businesses, the BMA’s proposed code is a response to the demands of consumer trust and the heightened need for relevant registrants to develop capabilities of operational resilience, which will ensure critical service continuity in the face of disruptive events.

The BMA’s proposed focus on operational resilience, including in the context of outsourcing transactions, is echoed by many of its international counterparts.

For example, in 2023, Canada’s Superintendent of Financial Institutions issued a revised version of its previously titled outsourcing guidelines as OSFI’s third-party risk management guideline with a profound focus on operational resilience, especially in the context of operational “criticality”.

The Bank of England’s recent pronouncements on why operational resilience is essential for financial services is consistent with the proposed code, as is the Financial Conduct Authority’s operational resilience rules, which come into full force in Britain on March 31.

The operational resilience prescriptions of the BMA, OSFI and the FCA have much in common, including (in part):

  • The concept of “resilience by design”
  • Assessing each registrant’s disruption tolerance
  • The necessity for increased operational planning, due diligence and testing of service resilience
  • An increased focus on business continuity, disaster or disruption recovery and solutions
  • The increased attention on service disruption remediation and resolution

The proposed code advances various prescriptions designed to enhance and foster the operational resilience of Bermuda’s financial institutions, perhaps because, as noted by Jean Chatzky, financial editor of NBC’s Today show, “resilience isn’t a single skill. It is a variety of skills and coping mechanisms … to bounce back from”.

The BMA has invited feedback to the proposed code and policies to be submitted to [email protected] by March 14, with a view to code finalisation this year and for adherence by banks and deposit companies by March 31, 2026 and by all other relevant entities by March 31, 2028.

First Published in The Royal Gazette, Legally Speaking column, February 2025

Locations

Bermuda

Services

Corporate

Type

Insight

Share
X.com LinkedIn Email Save as PDF
More Publications
Dispute Resolution
25 Feb 2025

Bermuda: An Introduction to Dispute Resolution 2025

The stable, competitive regulatory and legal regime in Bermuda continues to ensure its place as a hu...

John Wasty
Sam Riihiluoma
Claire van Overdijk KC
James Batten
John Wasty, Sam Riihiluoma, Claire van Overdijk KC, James Batten
Appleby-Website-Banking-and-Financial-Services
19 Feb 2025

Recent Updates on BVI, Cayman and Bermuda laws

Entities incorporated or registered in the British Virgin Islands (BVI), Cayman Islands and Bermuda ...

Fiona Chan
Angelina Wong
Fiona Chan, Angelina Wong
Appleby-Website-Employment-and-Immigration
18 Feb 2025

Fostering Respect: the Importance of Bullying and Sexual Harassment Policies in Bermuda (Part 2)

Under the Employment Act 2000 (EA), it is a requirement for an employer to not only have a compliant...

Theodora Hand
Theodora Hand
Technology and Innovation
31 Jan 2025

Bermuda Monetary Authority’s 2025 Tech Commitment

A focus on the crucial and enabling role that technology plays across all financial service sectors ...

Duncan Card
Duncan Card
Fund Finance
29 Jan 2025

Fund Finance Laws and Regulations 2025 – Bermuda

The Bermuda fund industry sees investment predominantly from North America and Europe, and therefore...

Matthew Ebbs-Brewer
Arielle DeSilva
Matthew Ebbs-Brewer, Arielle DeSilva
Employment-and-Immigration
23 Jan 2025

Fostering Respect: the Importance of Bullying and Sexual Harassment Policies in Bermuda (Part 1)

Under the Employment Act 2000 (EA), it is a requirement for an employer to not only have a compliant...

Theodora Hand
Theodora Hand
Appleby-Website-Insurance-and-Reinsurance
21 Jan 2025

Bermuda: Chambers Insurance & Reinsurance Guide 2025

This guide provides the latest information on sources of insurance and reinsurance law, overseas-bas...

Brad Adderley
Matthew Carr
Max Tetlow
Cathryn Minors
Josephine Noddings
Brad Adderley, Matthew Carr, Max Tetlow, Cathryn Minors, Josephine Noddings
Technology and Innovation
20 Jan 2025

Bermuda: Insurance industry is going through a ‘profound’ tech transformation

One of the most pressing demands on insurers, and their leadership, is coping with the accelerating ...

Duncan Card
Duncan Card
Technology and Innovation
17 Jan 2025

Augmented Advocacy Series (Bermuda): AI and Legal Privilege

The dramatic rise in the use of artificial intelligence in the legal sector raises issues around leg...

Ligaya Sanchez-Wilson
Ligaya Sanchez-Wilson
Appleby-Website-Insurance-and-Reinsurance
2 Jan 2025

Bermuda: Expect a Crazy Start to 2025 After Another Record Year

Brad Adderley
Brad Adderley