Consultation Paper - Operational Resilience and Outsourcing Code – What does it mean for Commercial Insurers?

The Bermuda Monetary Authority released a consultation paper, Operational Resilience and Outsourcing Code, which outlines standards that the BMA has designed to bolster the financial service sector's ability to pre-empt, adapt, manage, recover from, and learn from operational disruptions.

The Bermuda Monetary Authority (“BMA”) released a consultation paper, Operational Resilience and Outsourcing Code (“CP”), on 14 January 2025, which outlines standards that the BMA has designed to bolster the financial service sector's ability to pre-empt, adapt, manage, recover from, and learn from operational disruptions. Operational disruptions refer to both internal sources within an organisation and external third-party service providers associated with an organisation. Accompanying the CP, the BMA also published a draft Operational Resilience and Outsourcing Code (“Code”) and draft Operational Resilience and Outsourcing Guidance Notes (“GN”). The aim of the Code is to ensure that crucial services for customers remain functional without delays or interruptions, maintaining business continuity and resilience.

Relevant Entities

The Code will apply to BMA-regulated financial institutions, which the BMA refers to as Relevant Entities (“REs”). The BMA determined which REs to include based on two key factors. First, the systemic importance of their industries to the local financial market. Second, the nature of their customer-facing operations within their respective sectors. A detailed list of REs is as follows:

  • Commercial Insurers registered as Class 3A, 3B, 4, C, D and E
  • Insurers registered as Class IIGB and IILT
  • Persons registered as Insurance Managers, Brokers, Insurance Marketplace Providers and Agents in accordance with the Insurance Act 1978
  • Digital Asset Businesses issued a Class F licence
  • Persons licensed to carry on a deposit-taking business in accordance with the Banks and Deposit Companies Act 1999
  • Persons licensed to carry on trust business in accordance with the Trust Business Act 2001
  • Persons licensed to carry on corporate service provider business in accordance with the Corporate Service Provider Business Act 2012
  • Persons licensed to carry on money service business in accordance with the Money Service Business Act 2016
  • Investment Businesses issued a standard licence pursuant to the Investment Business Act 2003
  • Persons licensed to carry on fund administration provider business in accordance with the Fund Administration Provider Business Act 2019

It should be noted, however, that the Code will not apply to REs licensed under a regulatory sandbox or a test licence by any designation.

Transition Period

As is customary when introducing a new code, REs will be granted a transition period before adhering to the Code’s requirements. REs must be in compliance with the Code by 31 March 2028, except for REs licensed under the Banks and Deposit Companies Act 1999, which must be in compliance by 31 March 2026.

Proportionality

Consistent with the BMA’s overall regulatory approach, REs must comply with the Code in a way that is commensurate with the nature, size, complexity, and overall risk profile of their business operations.

There are eight main requirements under the Code.

1. Important Business Services and mapping

REs must identify their Important Business Services (“IBS”): those services which, if disrupted, could cause significant harm to consumers, stakeholders or the financial stability of the jurisdiction, beyond mere inconvenience. A business service is a service that an RE provides to external consumers and that delivers a specific outcome. (The Code confirms that a “consumer” includes a business in a business-to-business relationship.)

This will require an RE to identify and document the following resources required to deliver each IBS:

  • people
  • processes
  • technology systems
  • information (data)
  • facilities

The mapping of services to resources must be documented in sufficient detail to ensure the RE has usable information for subsequent testing, identification and remediation of vulnerabilities. The mapping exercise must be reviewed by senior management and approved by the board. It should be reviewed annually and updated after significant changes in business, services, or resources occur.

2. Impact tolerances

REs must set at least one impact tolerance metric for each IBS. Impact tolerance is the maximum level of disruption to an important business service that the RE can tolerate.

3. Outsourcing

Because REs are increasingly reliant on third-party service providers, the Code establishes standards for managing outsourcing, including governance, risk assessment, transparency and accountability. Additionally, there will be amendments to relevant legislation requiring REs to adhere to their obligations relating to material changes in business, including the outsourcing of a critical activity. REs must notify the BMA of any outsourcing arrangement and wait for a ‘no objection’ reply from the BMA (which will be issued within 30 days of submitting a notification) before putting it into effect. For commercial insurers, this will mean only a minor addition to the existing “material change” regime under section 30B of the Insurance Act, which already requires a no-objection for certain material outsourcings.

4. Governance

The BMA acknowledges the crucial role of the board and senior management of an RE in ensuring operational resilience. The Code states that the board and senior management are responsible for the delivery of operational resilience outcomes. REs are required to show that there has been board review, approval, and continued governance of operational resilience to ensure that policies, procedures, and controls concerning operational resilience remain relevant.

5. Self-Assessments and Returns

The Code introduces a requirement for self-assessments, which should include the methodology employed, the identification of IBS, impact tolerance metrics, the disruptive scenarios under consideration, outcomes from testing, and any enhancements made to strengthen operational resilience. Relevant legislation will be amended to require REs to complete a self-assessment annually.

6. Testing

REs will be required to test their operational resilience annually, or after significant changes, to ensure that IBS can withstand severe but plausible disruptions. The focus of operational resilience is on maintaining service continuity during disruptions rather than on determining their likelihood.

7. Communication Plans

Both internal and external communication plans should be prepared as part of an RE's communication strategy to manage and mitigate disruptions.

8. Lessons learned

Finally, REs must incorporate lessons learned while implementing and adhering to the Code, as well as lessons learned from any real-world disruptive event, to improve operational resilience.

Conclusion

Overall, the necessity of drafting the Code was driven by the rising frequency and severity of operational disruptions, which highlight the need for REs to enhance their ability to anticipate, withstand, recover from, and adapt to such events. Please contact your usual Kennedys contact or Nick Miles if you have questions or comments regarding this CP. Comments are due by 14 March 2025.
