Natalie Neto
Partner
Bermuda
Feb 4, 2025
Key takeaways
The Bermuda Monetary Authority (the 'BMA') has issued a consultation paper on a proposed new Operational Resilience and Outsourcing Code (the 'Code'). The BMA is seeking feedback on the extensive proposals by the close of business on 14 March 2025.
The Code will apply to all BMA-regulated financial institutions ('Relevant Entities'). As is usual practice, the BMA will apply the proportionality principle by assessing compliance with the Code with reference to the nature, size, complexity, and overall risk profile of a Relevant Entity's business operations.
To ensure adherence to Operational Resilience requirements, the BMA proposes that Relevant Entities must identify (and regularly review and update) their 'Important Business Services', which, if disrupted, could cause significant harm to consumers, stakeholders or the financial stability of the jurisdiction, beyond mere inconvenience. Various factors should be considered in the identification process, including services provided by related third parties.
The BMA proposes that Relevant Entities must identify and document the following 'resources' (enablers) required for the delivery of Important Business Services:
a) people
b) processes
c) technology systems (IT Systems)
d) information (Data)
e) facilities (Premises)
These resources must be mapped for each service and in sufficient detail to ensure a Relevant Entity has the required information to use for testing and identifying vulnerabilities, etc. The BMA highlights the importance of comprehensively mapping the resources necessary to deliver Important Business Services, whether provided internally, as part of intra-group arrangements, or externally through third-party providers. This mapping exercise should be reviewed annually or in the event of a material change to a Relevant Entity's business or resources.
The BMA has identified that Relevant Entities increasingly outsource essential functions. This introduces several risks, such as potential service disruptions, security vulnerabilities and challenges in maintaining consistent delivery of critical activities.
The Code emphasises expected standards for managing outsourcing, including governance, risk assessment, transparency and accountability. Specifically, a Relevant Entity's board must oversee and approve a risk management process (including adequate vendor evaluation and monitoring) and approve a policy for assessing and reviewing service providers.
The BMA proposes a requirement for Relevant Entities to inform the BMA about outsourcing arrangements before putting them into effect (in respect of which the BMA has up to 30 days to serve a notice of objection).
The BMA views the board and senior management of a Relevant Entity as crucial in ensuring Operational Resilience. It is the BMA’s expectation that the board and senior management of a Relevant Entity oversee and review the Business Continuity Plans and Disaster Recovery Plans to maintain their effectiveness.
Regular reporting on Operational Resilience measures should also be integrated into the Relevant Entity’s risk management framework to enable real-time monitoring of potential disruptions.
A Relevant Entity’s board-approved outsourcing policy will be required to contain a process for sharing risk assessments and reports on all outsourcing arrangements with the board and contain procedures for the ongoing assessment of service providers’ performance. A Relevant Entity should also be able to satisfactorily demonstrate that it has adequate oversight of all its outsourcing arrangements on an ongoing basis.
The Relevant Entity and the outsourcing service provider must execute a legally binding written agreement setting out the contractual terms and conditions governing relationships, obligations, responsibilities, rights and expectations of the contracting parties in the outsourcing arrangement.
The BMA is proposing to introduce a requirement for Relevant Entities to complete an annual (board approved) self-assessment to demonstrate compliance with the Code. The Code outlines the minimum areas that the self-assessment should cover including the methodology employed, identification of Important Business Services, impact tolerance metrics, disruptive scenarios under consideration, outcomes from testing and any enhancements made to strengthen resilience.
The focus of Operational Resilience is on maintaining service continuity during disruptions rather than assessing their likelihood. Testing of resilience should ensure that Important Business Services can withstand severe but plausible disruptions, with test plans reviewed annually or after significant changes. Even when outsourced, it is the BMA’s expectation that Relevant Entities will validate test results and maintain oversight of third-party arrangements, including intra-group arrangements. It is the BMA’s expectation that identified vulnerabilities are addressed promptly.
Impact tolerance is the maximum level of disruption to one of the Important Business Services that a Relevant Entity can tolerate. It is measured by length of time, in addition to other metrics. The BMA assumes that disruption to Relevant Entities will occur. Pursuant to the Code, a Relevant Entity must set at least one impact tolerance metric for each of its Important Business Services. The minimum mandatory impact tolerance metric is Maximum Tolerable Period of Disruption ('MTPD').
Relevant Entities may also use other metrics in addition to time, as long as the impact tolerance metrics and their purpose are clearly stated. It is suggested that Relevant Entities set different MTPDs for different outcomes as, for example, the MTPD impacting a customer will differ from that of a counterparty.
Relevant Entities must notify the BMA within 24 hours of failing to keep Important Business Services within impact tolerance, and must review their services' impact tolerance annually and whenever there is a material change to a Relevant Entity's business or one of its Important Business Services.
The BMA is advising that Relevant Entities should create a communication strategy to manage and mitigate disruptions, with tailored internal and external plans for severe but plausible scenarios impacting their Important Business Services. These plans should include clear escalation paths, the decision-makers and the methods for timely stakeholder updates, including indirect channels such as website notifications. Regular testing, including key vendor participation, is crucial to ensure readiness and effectiveness during disruption.
Walkers' Regulatory and Risk team has extensive experience advising on outsourcing policies and procedures, third-party due diligence and agreements.
Get in touch with Walkers' Bermuda office to raise questions and discuss these changes with Bermuda's subject-matter experts.