PS26/2: Operational incident and third party reporting

Consultation published
13/12/2024
Consultation closed
13/03/2025
Policy Statement published
18/03/2026

Our final rules and guidance setting out requirements for reporting operational incidents and material third party arrangements.

Why we are changing

When operational incidents occur, the disruption to the services firms provide can harm consumers and the wider sector. Additionally, many of the incidents reported to us originate at third parties, with firms becoming increasingly reliant on the services they provide.

Following our consultation CP24/28 (PDF), we’ve created single FCA, PRA and Bank of England regulatory regimes for operational incident and third party reporting that will apply from 18 March 2027.

Find out more if your firm is regulated by the PRA and the Bank of England.

Operational incident reporting

Our final rules:

  • Define what an operational incident is.
  • Set out the thresholds for when firms must report an incident.
  • Introduce a standardised reporting process so all firms make a single submission regardless of the regulator(s) the report is for.
  • Set out how firms will submit standard or enhanced incident reports.

Third party reporting

Our final rules:

  • Define what a material third party arrangement is.
  • Require firms to notify the FCA of any new, or any significant changes to, material third party arrangements.
  • Require firms to maintain a register for their material third party arrangements, and to submit it to the FCA annually.

Who this applies to

Operational incident reporting:

  • All firms with a Part 4A permission
  • Payment service providers
  • UK Recognised Investment Exchanges (RIEs)
  • Registered trade repositories
  • Registered credit rating agencies

Third party reporting:

  • Enhanced scope Senior Managers & Certification Regime (SM&CR) firms
  • Banks
  • Designated investment firms
  • Building societies
  • Solvency II firms
  • Client Assets Sourcebook (CASS) large firms
  • UK RIEs
  • Authorised electronic money institutions or authorised payment institutions
  • Consolidated tape providers

Next steps

The new rules will come into force on 18 March 2027.

Firms affected should read our rules and guidance in this Policy Statement and the accompanying Finalised Guidance. During the 12 months that firms have to prepare, we will engage with firms to support them in adapting to the rules and reporting technologies.

Two years after implementation, we will review the policies to assess if they meet both our needs and those of firms.

Background

Threat actors are attacking the financial sector more and more frequently, and with greater sophistication. They also attack the third parties that firms increasingly rely on to boost efficiency and support their innovations. At the same time, the industry is becoming more interconnected. Each incident can have an even bigger impact – even those that don’t stem from attacks. It is more important than ever that we can quickly grasp how incidents affect firms and markets.

At the same time, third parties are now supplying their services by means of transformative technological innovations like AI. The pace of change is rapid. We need to understand how firms are using third parties so we can effectively supervise their operational resilience. We also need to understand the deepening interconnectedness of industry as a whole to identify and address systemic risk. To do all of this, we need more detailed, accurate and consistently structured data.

As well as our final rules and guidance, firms can find reporting templates in the Policy Statement to help them prepare.