BMA requires greater operational resilience

Published: 10 Oct 2025
Type: Insight

Last month, the Bermuda Monetary Authority issued its code of conduct to bolster the resiliency of registrants when they are faced with operational disruptions.


Previously the domain of business continuity programmes and disaster recovery policies, the Resilience Code takes the governance and operational requirements of business continuity to an entirely new level of compliance.

The code applies, in part, to banks and deposit companies, insurance enterprises, investment businesses and digital-asset businesses, and it addresses all operational circumstances of disruption even though the title of the Resilience Code may misleadingly suggest that outsourcing transactions are the primary focus of attention.

The BMA will require registrants, by March 31, 2028, to proactively adopt measures to avoid, minimise, recover from and respond to operational disruptions from all causes, in order to enhance their ability to operate in the face of such disruptions, although banks and deposit companies must be compliant by January 1, 2027.

Bermuda is not alone in this regulatory development.

In July, the Bank of England announced very similar operational resiliency requirements, born from the recognition that financial services are essential and critical to national interests and further to the work it began on this topic in 2021 with its policy paper Bank of England Policy on Operational Resilience of FMIs.

The Bank of England then published a consultation paper on operational resilience and outsourcing in 2024, which led to the issuance this year of Britain’s Insurance Operational Resilience: Prudential Authority Handbook, among other related guidance.

The BMA’s counterpart in Canada, the Superintendent of Financial Institutions, issued its first guidance on this topic in 2016, which was revised in stages from 2021 through 2024, before the publication of E-21, Operational Risk and Resilience this year.

The Resilience Code includes, in part, the following requirements for operational resilience implementation and ongoing governance:

  • The adoption and implementation of, and adherence to, OpRes governance measures and programmes that reflect the operational principles of “resilience by design”, “operational resilience” and “continuous improvement”
  • The board of directors must approve the OpRes programme, including the determination of disruption risk tolerances
  • The nature, scale and complexity of the OpRes programme, and each registrant’s compliance with the Resilience Code, will be assessed on a proportional-risk basis to ensure they conduct business in a sound and prudent manner
  • OpRes programmes must include and document (including resource mapping): the most relevant business services to avoid harm; all personnel; all OpRes processes, technology, facilities, information and other related resources
  • Internal and external communications plans, which may include communication plans with the BMA
  • Define and establish a remediation programme for implementation and testing, with a self-assessment and “lessons learnt” improvements
  • Manage all outsourcing arrangements prudently and as operationally specified in the Resilience Code, including the board, management and committee access to relevant performance data
  • The board of directors is ultimately responsible for, and must govern, the OpRes programme and all outsourcing arrangements
  • Part VIII of the Resilience Code addresses the requirements for outsourcing agreements, which are elaborated on in the BMA’s Resilience Code guidance notes

It will be interesting to see if the pending policy directions, codes of practice and performance standards for critical infrastructure that are awaited under the Cybersecurity Act 2024 will focus as robustly on resilience, including with regard to outsourced services.

Whereas many multinational affiliates have too often documented their intercompany outsourcing transactions as mere transfer pricing arrangements, the BMA’s existing outsourcing guidance and the Resilience Code arguably place tremendous regulatory pressure on registrants to elevate the nature, scope and quality of those outsourcing agreements to the standards of arm’s-length commercial outsourcing agreements.

Notwithstanding the BMA’s outsourcing prescriptions, robust contractual provisions to comprehensively address outsourcing resiliency and continuity (including service-level agreements and key performance indicators) have been a material part of outsourcing transaction best practices for more than two decades.

Regardless, there are some very onerous and complex governance requirements that the BMA sets out in the Resilience Code’s 20 pages, and it is likely that most subject registrants will require the full amount of time allotted to ensure their compliance readiness.

Given the pervasive imposition of operational resiliency by financial service regulators internationally, and taking into account the steeply increasing business disruption threats faced by financial enterprises, the BMA’s prescriptions to enhance business continuity simply constitute one more reason why governance leaders must be more threat and operationally savvy than ever.

First Published in The Royal Gazette, Legally Speaking column, October 2025
