The Bermuda Monetary Authority, which well understands the operational risks associated with financial service information technology and business process outsourcing, has recently introduced the new dimension of “operational resilience” to that sector’s risk governance.

In the recent consultation paper titled Operational Resilience and Outsourcing Code — which is supported by related guidance notes — the BMA proposes specific operational resilience standards designed to strengthen financial service providers’ capacity to prevent, adapt, manage and recover from operational disruptions, whether from within or caused by a third-party service provider.

The proposed code introduces the elevated concept of operational resilience, which the BMA asserts “should not be mistaken for operational risk [that] … focuses on identifying, assessing and managing risks that could disrupt normal business operations”.

Conversely, the BMA explains that “operational resilience emphasises an organisation’s ability to anticipate, withstand, recover from and adapt to disruptions” — and that “financial regulators have observed that traditional operational risk management approaches are inadequate for today’s complex challenges”.

The BMA’s revised emphasis on operational resilience has been preceded by a series of outsourcing and related operational cyber-risk management prescriptions that have been applied through various codes of conduct.

In 2019, the BMA issued outsourcing guidance notes for banks, trust companies, the Bermuda Stock Exchange, investment businesses, corporate service providers and fund administrators, among others, which took effect in May 2020.

In 2020, the BMA issued its operational cyber-risk management code of conduct for the insurance sector, which included prescriptions for the management of outsourcing and third-party service agreement risk.

Then, in 2022, the BMA revised the same code of conduct for corporate service providers, trust companies and investment businesses, among others, which also included prescriptions to manage outsourcing and third-party service risk by those registrants.

Also in 2022, the BMA revised the insurance code of conduct, which includes an entire section devoted to the management of outsourcing transaction risk by insurance registrants.

Notwithstanding that succession of operational risk management improvements by the BMA, the necessity for financial services to operate 24-7 across tightly interconnected global networks has increased the pace of operational and security threats to that sector.

In response to those relentlessly developing risks, the BMA is now turning its attention to critical service continuity, operational resilience and sustainability in the face of not only possible, but expected service disruption.

Addressing categories of financial services that include, among others, specified types of insurance enterprises, banks and deposit companies, trust businesses, corporate service providers, fund administrators and investment businesses, the BMA’s proposed code is a response to the demands of consumer trust and the heightened need for relevant registrants to develop capabilities of operational resilience, which will ensure critical service continuity in the face of disruptive events.

The BMA’s proposed focus on operational resilience, including in the context of outsourcing transactions, is echoed by many of its international counterparts.

For example, in 2023, Canada’s Superintendent of Financial Institutions issued a revised version of its previously titled outsourcing guidelines as OSFI’s third-party risk management guideline with a profound focus on operational resilience, especially in the context of operational “criticality”.

The Bank of England’s recent pronouncements on why operational resilience is essential for financial services is consistent with the proposed code, as is the Financial Conduct Authority’s operational resilience rules, which come into full force in Britain on March 31.

The operational resilience prescriptions of the BMA, OSFI and the FCA have much in common, including (in part):

• The concept of “resilience by design”

• Assessing each registrant’s disruption tolerance

• The necessity for increased operational planning, due diligence and testing of service resilience

• An increased focus on business continuity, disaster or disruption recovery and solutions

• The increased attention on service disruption remediation and resolution

The proposed code advances various prescriptions designed to enhance and foster the operational resilience of Bermuda’s financial institutions, perhaps because, as noted by Jean Chatzky, financial editor of NBC’s Today show, “resilience isn’t a single skill. It is a variety of skills and coping mechanisms … to bounce back from”.

The BMA has invited feedback to the proposed code and policies to be submitted to policy@bma.bm by March 14, with a view to code finalisation this year and for adherence by banks and deposit companies by March 31, 2026 and by all other relevant entities by March 31, 2028.

• Duncan Card is a partner at Appleby who specialises in IT and outsourcing contracts, privacy law and cybersecurity compliance in Bermuda. A copy of this column can be obtained on the Appleby website at www.applebyglobal.com. This column should not be used as a substitute for professional legal advice. Before proceeding with any matters discussed here, persons are advised to consult with a lawyer.