

UK: operational resilience – FCA and PRA publish proposals for firms to report operational incidents and their material third party arrangements
The FCA and PRA have published parallel consultation papers (CP24/28 and CP17/24 respectively) outlining their latest proposals for firms’ operational resilience, which clarify what constitutes a notifiable “operational incident” and outline new reporting requirements in respect of firms’ third party arrangements.
The proposals form part of the regulators’ drive to improve the operational resilience of firms, and seek to ensure that firms submit consistent and good quality reporting of incidents and material third party arrangements. In particular, the proposals aim to address the current gap in the regulatory requirements as to what constitutes an operational incident, when one should be reported, what information should be included, and how to submit such reports (firms currently submit notifications of operational incidents to the regulators pursuant to the general obligation to deal with the regulators in an open and cooperative way under FCA Principle 11 and PRA Fundamental Rule 7). The proposals also introduce material third party reporting rules, which cover outsourcing and non-outsourcing arrangements for a sub-set of firms that have the biggest consumer and market impact.
Scope of the proposals
The regulators’ proposals are relevant to the following firms:
Proposals | Applicable firms |
---|---|
FCA operational incident reporting (see Chapter 3 of CP24/28) | |
FCA third party reporting (see Chapter 4 of CP24/28) | |
PRA operational incident reporting (see Chapter 2 of CP17/24) | |
PRA outsourcing and third party reporting (see Chapter 3 of CP17/24) | PRA-regulated firms (certain firms, including third country branches, are excluded from the material third party register proposals) |
Operational incident reporting
The consultations define a notifiable operational incident as “a single event or a series of linked events that disrupts the firm’s operations, where it either:
- disrupts the delivery of a service to the firm’s clients or a user external to the firm; or
- impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to the firm’s clients or a user external to the firm.”
Firms will be required to report an incident when it meets or exceeds one or more of the thresholds set out in the table below. The consultations include case studies to guide firms in applying these thresholds to real-world scenarios.
FCA reporting thresholds | PRA reporting thresholds |
---|---|
The incident could cause or has caused intolerable levels of harm to consumers, and they cannot easily recover as a result. | (For insurers) the incident poses a risk to the appropriate degree of policyholder protection. |
The incident could pose or has posed a risk to market stability, market integrity, or confidence in the UK financial system. | (Where the firm is an O-SII/where the firm is a relevant Solvency II firm (as defined in the PRA Rulebook)) the incident poses a risk to the stability of the UK financial sector. |
The incident could pose or has posed a risk to the safety and soundness of the firm and/or other market participants. | The incident poses a risk to the safety and soundness of the firm. |
In the event of an operational incident that breaches one of the above thresholds, firms will be required to submit the following standardised reports:
- Initial incident report: Submitted promptly after the incident occurs, even if it is resolved quickly.
- Intermediate incident reports (if the incident is not resolved prior to submitting the initial report): Ongoing updates on the incident’s progress, including details of any significant changes in the circumstances described in the most recent submitted report.
- Final incident report: A comprehensive report within 30 working days after the incident has been fully resolved.
Third party reporting
The third party reporting proposals introduce the following key requirements:
- Expansion of outsourcing notifications: Firms will need to notify the regulators of both material outsourcing and material non-outsourcing arrangements (material third party arrangements).
- Submission of notification templates: Firms will need to submit a template notification when there are changes to, or the creation of, new material third party arrangements.
- Annual register of arrangements: Firms will need to maintain and submit a register of material third party arrangements, ensuring that it is up-to-date annually.
Additionally, while retaining the definition of material outsourcing as outlined in the FCA Handbook and the PRA Rulebook, the regulators propose the following definition for a “third party agreement”:
“An arrangement of any form between a firm and a service provider, whether or not the product or service is:
- one which would otherwise be provided by the firm itself
- provided directly or by a sub-contractor
- provided by a person within the same group as the firm”
Firms will only need to report on material third party arrangements. These are arrangements of such importance that a breach, disruption or failure in the performance of the product or service provided to the firm could result in the circumstances set out in the table below.
FCA criteria | PRA criteria |
---|---|
Cause intolerable levels of harm to the firm’s clients. | In the case of an insurer, pose a risk to the appropriate degree of protection for those who are or may become the firm’s policyholders. |
Pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system. | Pose a risk to: |
Cast serious doubt on the firm’s ability to satisfy the threshold conditions, or meet its obligations under the FCA’s Principles for Business, or under SYSC 15A (operational resilience). | Cast serious doubt upon the firm’s ability to satisfy the threshold conditions, the Fundamental Rules, the Operational Resilience Part, Insurance – Operational Resilience Part or the Operational Continuity Part of the PRA Rulebook. |
Determining which third party arrangements are material will be a matter of judgement for firms. The regulators do not propose to introduce a definitive list of material third party arrangements.
Implementation timetable
Comments can be made on the consultations until 13 March 2025 (in respect of the FCA’s CP24/28) or 14 March 2025 (in respect of the PRA’s CP17/24). The regulators expect to publish policy statements summarising responses and making finalised rules in the second half of 2025.
The proposed implementation date for the proposals in the consultations is no earlier than the second half of 2026.
