The Bermuda Monetary Authority (BMA) unveiled a consultation paper, the Operational Resilience and Outsourcing Code (CP), on January 14, 2025. This document lays out the standards the BMA intends to implement to strengthen the financial services sector’s capacity to anticipate, adapt to, manage, recover from, and learn from operational disruptions.
Accompanying the CP, the BMA has also published a draft Operational Resilience and Outsourcing Code (the “Code”) and draft Operational Resilience and Outsourcing Guidance Notes (GN). The primary goal of the Code is to ensure that essential customer services continue without delay or interruption, thereby maintaining business continuity and resilience.
Relevant Entities
The Code will apply to BMA-regulated financial institutions, referred to as Relevant Entities (REs). The BMA determined which entities to include based on two primary factors:
- The systemic importance of their industries to the local financial market.
- The nature of their customer-facing operations within their respective sectors.
A detailed list of the REs includes:
- Commercial Insurers registered as Class 3A, 3B, 4, C, D and E
- Insurers registered as Class IIGB and IILT
- Persons registered as Insurance Managers, Brokers, Insurance Marketplace Providers, and Agents in accordance with the Insurance Act 1978
- Digital Assets Businesses issued a Class F license
- Persons licensed to carry on a deposit-taking business in accordance with the Banks and Deposit Companies Act 1999
- Persons licensed to carry on trust business in accordance with the Trust Business Act 2001
- Persons licensed to carry on corporate service provider business in accordance with the Corporate Service Provider Business Act 2012
- Persons licensed to carry on money service business in accordance with the Money Service Business Act 2016
- Investment Businesses issued a standard license pursuant to the Investment Business Act 2003
- Persons licensed to carry on fund administration provider business in accordance with the Fund Administration Provider Business Act 2019
It is important to note that the Code will not apply to REs licensed under a regulatory sandbox or a test license by any designation.
Transition Period
In keeping with standard practice when introducing a new code, REs will be given a transition period to comply with the requirements. These entities must be in compliance by March 31, 2028. However, REs licensed under the Banks and Deposit Companies Act 1999 must be in compliance by March 31, 2026.
Proportionality
Consistent with the BMA’s overall regulatory approach, REs must comply with the Code in a manner proportionate to the nature, size, complexity, and overall risk profile of their business operations.
There are eight main requirements under the Code.
- Important Business Services and Mapping: REs must identify their Important Business Services (IBS), which, if disrupted, could significantly harm consumers, stakeholders, or the financial stability of Bermuda, extending beyond mere inconvenience. A business service is defined as a service provided by an RE to external consumers. This will require an RE to identify and document the following resources needed to deliver each IBS:
  - People
  - Processes
  - Technology systems
  - Information (data)
  - Facilities
  The mapping of services to resources must be documented in sufficient detail to ensure the RE has usable information for subsequent testing, identification, and remediation of vulnerabilities. Moreover, the mapping exercise must be reviewed by senior management and approved by the board. It should be reviewed annually and updated after significant changes in business, services, or resources occur.
- Impact Tolerances: REs must set at least one impact tolerance metric for each IBS. Impact tolerance defines the maximum disruption level an RE can withstand for an important business service.
- Outsourcing: Recognizing the growing reliance of REs on third-party service providers, the Code establishes standards for managing outsourcing, including governance, risk assessment, transparency, and accountability. Amendments to relevant legislation will require REs to adhere to their obligations related to material changes in business, including outsourcing of a critical activity. REs must notify the BMA of any outsourcing arrangement and await a “no objection” response, which will occur within 30 days of notification, before implementing it. For commercial insurers, this will mean a minor addition to the existing “material change” regime under section 30B of the Insurance Act, requiring a no-objection for certain material outsourcings.
- Governance: The BMA acknowledges the crucial role of the board and senior management in ensuring operational resilience. The Code explicitly states that they are responsible for delivering operational resilience outcomes. REs are required to demonstrate board review, approval, and ongoing governance of operational resilience to ensure that policies, procedures, and controls remain relevant.
- Self-Assessments and Returns: The Code introduces the requirement for self-assessments, which should include the methodology employed, identification of IBS, impact tolerance metrics, disruptive scenarios under consideration, outcomes from testing, and any enhancements made to strengthen operational resilience. Relevant legislation will be amended to require REs to complete a self-assessment annually.
- Testing: REs will be required to conduct operational resilience testing annually or after significant changes to ensure that IBS can withstand severe but plausible disruptions. The focus is on maintaining service continuity during disruptions rather than determining their likelihood.
- Communication Plans: Both internal and external communication plans should be prepared as part of an RE’s communication strategy to manage and mitigate disruptions.
- Lessons Learned: REs must incorporate all lessons learned while implementing and adhering to the Code, as well as lessons learned from any real-world disruptive event, to improve operational resilience.
Conclusion
Ultimately, the need for drafting the Code was prompted by the increasing frequency and severity of operational disruptions. These disruptions underscore the need for REs to improve their ability to anticipate, withstand, recover from, and adapt to such events. Comments on the CP are due by March 14, 2025.