PS26/2: Operational incident and third party reporting

Our final rules and guidance setting out requirements for reporting operational incidents and material third party arrangements.

Why we are changing

When operational incidents occur, the disruption to the services firms provide can harm consumers and the wider sector. Additionally, many of the incidents reported to us originate at third parties, with firms becoming increasingly reliant on the services they provide.

Following our consultation CP24/28 (PDF)[4], we’ve created single FCA, PRA and Bank of England regulatory regimes for operational incident and third party reporting that will apply from 18 March 2027.

Find out more if your firm is regulated by the PRA and the Bank of England[5].

Operational incident reporting

Our final rules:

Define what an operational incident is.
Set out the thresholds for when firms must report an incident.
Introduce a standardised reporting process so all firms make a single submission regardless of the regulator(s) the report is for.
Set out how firms will submit standard or enhanced incident reports.

Third party reporting

Our final rules:

Define what a material third party arrangement is.
Require firms to notify the FCA of any new, or any significant changes to material third party arrangements.
Require firms to maintain a register for their material third party arrangements, and to submit it to the FCA annually.

Who this applies to

Operational incident reporting:

All firms with a Part 4A permission
Payment service providers
UK Recognised Investment Exchanges (RIEs)
Registered trade repositories
Registered credit rating agencies

Third party reporting:

Enhanced scope Senior Managers & Certification Regime (SM&CR) firms
Banks
Designated investment firms
Building societies
Solvency II firms
Client Assets Sourcebook (CASS) large firms
UK RIEs
Authorised electronic money institutions or authorised payment institutions
Consolidated tape providers

Next steps

The new rules will come into force on 18 March 2027.

Firms affected should read our rules and guidance in this Policy Statement and the accompanying Finalised Guidance. During the 12 months that firms have to prepare, we will engage with firms to support them in adapting to the rules and reporting technologies.

Two years after implementation, we will review the policies to assess if they meet both our needs and those of firms.

Background

Threat actors are attacking the financial sector more and more frequently, and with greater sophistication. They also attack the third parties that firms increasingly rely on to boost efficiency and support their innovations. At the same time, the industry is becoming more interconnected. Each incident can have an even bigger impact – even those that don’t stem from attacks. It is more important than ever that we can quickly grasp how incidents affect firms and markets.

At the same time, third parties are now supplying their services by means of transformative technological innovations like AI. The pace of change is rapid. We need to understand how firms are using third parties so we can effectively supervise their operational resilience. We also need to understand the deepening interconnectedness of industry as a whole to identify and address systemic risk. To do all of this, we need more detailed, accurate and consistently structured data.

As well as our final rules and guidance, firms can find reporting templates in the Policy Statement to help them prepare.

First published: 18/03/2026 Last updated: 18/03/2026