Briefing

UK: operational resilience – FCA and PRA operational incident and third party reporting requirements

The FCA and the PRA have published their final rules (PS26/2 and PS7/26 respectively) on operational incident reporting and material third party reporting, following consultation in December 2024. The new rules come into force on 18 March 2027.

The rules form part of the regulators’ drive to improve the operational resilience of firms, in light of firms’ growing reliance on third parties, an increasingly hostile cyber threat environment and rapid technological change (including the use of AI). They dovetail with the examples of good and poor practice cited in the FCA’s Operational resilience: insights and observations one year on, published on 27 March 2026.

The rules seek to ensure that firms submit consistent and good quality reporting of incidents and material third party arrangements. In particular, the rules aim to address the current gap in the regulatory requirements as to what constitutes a notifiable operational incident, when one should be reported, what information should be included, and how to submit such reports (firms currently submit notifications of operational incidents to the regulators pursuant to the general obligation to deal with the regulators in an open and cooperative way under FCA Principle 11 and PRA Fundamental Rule 7). The rules also introduce material third party reporting rules, which cover outsourcing and non-outsourcing arrangements for a sub-set of firms that have the biggest consumer and market impact.

A key feature of the final rules is the regulators’ adoption of a cross-regulator approach to create a single, unified regime. The FCA and the PRA have designed a single incident reporting regime with a single definition of “operational incident”, a single set of thresholds and a single submission portal, so that dual-regulated firms make one submission reaching both regulators. Similarly, for third party reporting, a single cross-regulator regime operates with a single notification template, a single annual register template and a single submission portal, with submissions shared automatically with the relevant regulators.

Scope of the rules

The regulators’ rules are relevant to the following firms:

Requirement: FCA operational incident reporting
Applicable firms:
  • All firms with a Part 4A permission
  • Payment service providers
  • UK recognised investment exchanges (RIEs)
  • Registered trade repositories
  • Registered credit rating agencies

Requirement: FCA third party reporting
Applicable firms:
  • Solvency II firms
  • Enhanced scope SM&CR firms
  • Banks
  • Designated investment firms
  • Building societies
  • CASS large firms
  • UK RIEs
  • Authorised e-money or payment institutions
  • Consolidated tape providers
(Third country branches are excluded from the notification requirements. However, they are required to submit a material third party register annually.)

Requirement: PRA operational incident reporting
Applicable firms:
  • UK Solvency II firms, the Society of Lloyd’s and its managing agents
  • UK banks, building societies, PRA-designated investment firms and branches of overseas banks

Requirement: PRA outsourcing and third party reporting
Applicable firms:
  • UK Solvency II firms, the Society of Lloyd’s and its managing agents
  • UK banks, building societies, PRA-designated investment firms
  • UK credit unions with at least £50 million in total assets
(Third country branches are excluded from the notification requirements and the material third party register reporting requirements. However, the FCA will share data from the registers it collects from third country branches with the PRA.)

Operational incident reporting

The rules define a notifiable operational incident as “either a single event or a series of linked events which disrupts the firm’s operations such that it:

  • disrupts the delivery of a service to an end user external to the firm; or
  • impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user.”

Firms will be required to report an incident when it meets or exceeds one or more of the thresholds set out in the table below. FCA FG26/3 (published alongside the rules) sets out case studies to guide firms in applying these thresholds to real-world scenarios. 

FCA reporting thresholds | PRA reporting thresholds
The incident poses a risk of causing intolerable levels of harm to consumers from which consumers cannot easily recover. | (For insurers) the incident poses a risk to the appropriate degree of policyholder protection.
The incident poses a risk to market stability, market integrity or confidence in the UK financial system. | (Where the firm is an O-SII/where the firm is a relevant Solvency II firm (as defined in the PRA Rulebook)) the incident poses a risk to the stability of the UK financial sector.
The incident poses a risk to the safety and soundness of the firm and/or other market participants. | The incident poses a risk to the safety and soundness of the firm.

In the event of an operational incident that breaches one of the above thresholds, firms will be required to submit the following standardised reporting phases:

  1. Initial phase (both standard reporting and enhanced reporting firms): Submitted as soon as is practicable (the FCA expects within 24 hours of determining that a threshold is met) after the incident occurs, even if it is resolved quickly. This consists of a single short-form report which does not need to be updated after submission.
  2. Intermediate phase (enhanced reporting firms only and if the incident is not resolved prior to submitting the initial phase): Ongoing updates on the incident’s progress, including details of any significant changes in the circumstances described in the most recent submitted report.
  3. Final phase (enhanced reporting firms only): A comprehensive report within 30 working days after the incident has been fully resolved.

Which phase(s) a firm needs to submit depends on whether it is a “standard reporting” firm or an “enhanced reporting” firm – enhanced reporting firms are listed in SUP 15.18.3 R and include Solvency II firms and enhanced scope SM&CR firms.

All three reporting phases are delivered by updating a single dynamic form in FCA Connect rather than submitting three separate reports.

Third party reporting

The third party reporting rules introduce the following key requirements:

  1. Expansion of outsourcing notifications: Firms will need to notify the regulators of both material outsourcing and material non-outsourcing arrangements (material third party arrangements).
  2. Submission of notification templates: Firms will need to submit a template notification when there are changes to, or the creation of new, material third party arrangements. Notifications are submitted through FCA Connect. 
  3. Annual register of arrangements: Firms will need to maintain and submit a register of material third party arrangements, ensuring that it is up-to-date annually. The annual register is submitted via FCA RegData.

Additionally, while retaining the definition of material outsourcing as outlined in the FCA Handbook and the PRA Rulebook, the regulators have introduced the following definition for a “third party arrangement”:

“An arrangement of any form between a firm and a person who provides a product or service to the firm, whether or not the product or service is:

  • one which would otherwise be provided by the firm itself
  • provided directly or by a sub-contractor
  • provided by a person within the same group as the firm.”

Firms will only need to report on material third party arrangements. These are arrangements of such importance that a breach, disruption or failure in the performance of the product or service provided to the firm could result in the circumstances set out in the table below.

FCA criteria | PRA criteria
Cause intolerable levels of harm to the firm’s clients. | In the case of an insurer, pose a risk to the appropriate degree of protection for those who are or may become the firm’s policyholders.
Pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system. | Pose a risk to: (a) the firm’s safety and soundness; or (b) where the firm is, or is controlled by, an O-SII, or is a relevant Solvency II firm, the stability of the UK financial system.
Cast serious doubt on the firm’s ability to satisfy the threshold conditions, or meet its obligations under the FCA’s Principles for Business, or under SYSC 15A (operational resilience). | Cast serious doubt upon the firm’s ability to satisfy the threshold conditions, the Fundamental Rules, the Operational Resilience Part, Insurance – Operational Resilience Part or the Operational Continuity Part of the PRA Rulebook.

Determining which third party arrangements are material will be a matter of judgement for firms. The regulators have not introduced a definitive list of material third party arrangements. However, FCA FG26/4 (published alongside the rules) provides detailed guidance on assessing materiality, including the factors to consider such as substitutability, operational dependency and the nature and sensitivity of the data involved.

Looking ahead

The new rules come into force on 18 March 2027. The FCA has confirmed it plans to review the regime two years after implementation.

In the meantime, firms that will be subject to the regime should (i) review and, if necessary, update their third party materiality assessment process, (ii) embed the threshold tests and applicable reporting timelines into their operational incident response procedures, (iii) consider the means of compiling the data required for the annual material third party register and (iv) familiarise themselves with the examples of good and poor practice cited in the FCA’s Operational resilience: insights and observations one year on and the Finalised Guidance (referred to above).

Published
30 June 2026