Legal development

The next chapter in UK operational resilience: operational incident and third-party reporting

    The Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and Bank of England have published final rules establishing a unified regulatory framework for reporting:

    • operational incidents; and
    • material third party arrangements.

    This new regime represents a significant milestone in the UK's approach to operational resilience. It fundamentally changes how firms report serious incidents and critical third party dependencies, whilst giving regulators improved real-time visibility of threats across the financial sector.

    The rules come into force on 18 March 2027, giving firms a 12-month implementation period from publication. The regulators have committed to reviewing the policies two years after implementation to assess whether they meet both regulatory and industry needs.

    This briefing focuses on the FCA and PRA reporting rules. However, similar requirements apply to firms within the Bank of England's remit, including CCPs and CSDs. While these rules share common themes, they are not identical, and firms should carefully consider the specific requirements applying to them.

    1. Operational incident reporting

    Who is in scope?

    The operational incident reporting rules apply broadly across the financial services sector, including:

    • All firms with a Part 4A permission
    • Banks (UK banks, branches of overseas banks and building societies)
    • Payment service providers (PSPs)
    • UK recognised investment exchanges (RIEs)
    • Registered trade repositories
    • Registered credit rating agencies

    When must an incident be reported?

    The FCA and PRA have aligned on a single definition of an "operational incident", being either a single event or a series of linked events which disrupts the firm's operations such that it:

    • disrupts the delivery of a service to an end user external to the firm; or
    • impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user.

    Firms are only required to report incidents where they reasonably believe the incident poses a risk to one or more of the identified thresholds. The FCA has, for example, set these thresholds as:

    • Consumer harm: the incident poses a risk of causing intolerable levels of harm to consumers from which they cannot easily recover.
    • Market integrity: the incident poses a risk to market stability, market integrity, or confidence in the UK financial system.
    • Safety and soundness: the incident poses a risk to the safety and soundness of the firm and/or other market participants.

    Firms may use their existing internal risk frameworks to assess whether an incident meets these thresholds. However, they must not omit to report relevant incidents solely because they do not meet an internal severity threshold. This is a key point: firms' own escalation criteria should not be used to avoid reporting incidents that meet the regulatory thresholds.

    Two-tier reporting: standard and enhanced

    The framework operates on a two-tier basis:

    Standard reporting: applies to the majority of FCA solo-regulated firms. It involves submitting a single, short report of around 10 questions, with no obligation to update the report after submission. However, firms may still need to notify the regulator under general notification requirements (Principle 11 or SUP 15.3) if material information emerges.

    Enhanced reporting: applies to a smaller cohort of more systematically important firms referred to as "enhanced reporting firms" (including, but not limited to, enhanced scope SMCR firms, banks, designated investment firms, building societies, Solvency II firms, CASS large firms, PSPs, and UK RIEs). Enhanced reporting requires more detailed information in three phases - initial, intermediate and final - submitted as a single report that is updated during the incident lifecycle.

    Reporting timeframes

    Standard reporting and enhanced reporting initial phase (for enhanced reporting firms): must be submitted as soon as practicable after determining that an incident meets the thresholds outlined above but, at the very most, within 24 hours of making such a determination. However, PSPs must continue to meet their existing deadline of reporting an incident within 4 hours of first detecting it.

    Intermediate phase: enhanced reporting firms must provide updates when there are significant changes in circumstances. The regulators have emphasised this is not intended to be a running commentary: firms should use their judgement to identify genuinely material updates, such as escalation to crisis management or the incident meeting additional reporting thresholds.

    Final phase: enhanced reporting firms must submit a final update within 30 working days of the incident being resolved. Where this is impracticable (for example, due to incident complexity or reliance on third parties for information), firms have up to 60 working days but should notify the regulator of the delay.

    2. Material Third-Party Reporting

    The material third-party (MTP) arrangements reporting obligation expands the previous outsourcing notification requirements to cover both material outsourcing and material non-outsourcing arrangements. This reflects the increasing importance of firms' reliance on third parties to deliver and support their activities and aligns with the global regulatory shift away from outsourcing.

    Who is in scope?

    The MTP reporting requirements apply to:

    • Enhanced scope SMCR firms
    • Banks
    • Designated investment firms
    • Building societies
    • Solvency II firms
    • CASS large firms
    • UK RIEs
    • Authorised electronic money institutions and authorised payment institutions
    • Consolidated tape providers

    Third country branches are in scope of the annual register requirement but are excluded from the notification obligations.

    What qualifies as a material third-party arrangement?

    The definition of a "third-party arrangement" is deliberately broad, covering any arrangement where a person provides a product or service to the firm - whether or not it constitutes an outsourcing, whether provided directly or through a sub-contractor, and whether intragroup or external.

    An arrangement is "material" for the purposes of the FCA's rules if a disruption or failure in its performance could: (a) cause intolerable levels of harm to the firm's clients; (b) pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system; or (c) cast serious doubt on the firm's ability to meet its regulatory obligations, including under the operational resilience rules in SYSC 15A.

    Notification requirements

    Firms must notify regulators when entering, or significantly changing, an MTP arrangement. Notifications should be submitted early, before making internal or external commitments. Importantly, this is not an approval mechanism - firms may proceed after submission without waiting for a response.

    All firms will use the single reporting solution on the FCA's Connect platform to submit notifications.

    Annual register

    Firms are required to maintain and annually submit a register of their MTP arrangements to the FCA (via FCA RegData). The FCA will notify firms when the annual submission window opens, and firms will have 90 calendar days to make their submission.

    3. Key Considerations

    Practical implementation planning

    With the rules coming into force on 18 March 2027, firms have until then to prepare for compliance. Firms that implemented DORA will be familiar with the preparatory work involved, and will recall the time and resources required. While the UK framework is broadly aligned with international standards including DORA and the FSB's FIRE framework, there are important differences in scope, thresholds and templates that firms should identify early.

    We recommend the following key priorities:

    1. Gap analysis: assess current operational incident handling processes, third-party risk management frameworks and governance structures for external reporting, against the new regulatory expectations.
    2. Incident identification and escalation: uplift policies, processes and systems to identify reportable operational incidents and escalate them within the required timeline.
    3. Map third-party arrangements: review existing arrangements - both outsourcings and non-outsourcings - to determine which qualify as "material" and prepare to complete the comprehensive register.

    Firms should also take this time to embed the operational incident and material third party reporting obligations into their broader operational resilience frameworks - these are not one-off compliance exercises.

    Other considerations

    • Dual-regulated firms: Dual-regulated firms will welcome the significant benefits of the aligned approach: a single definition of operational incident, a single portal for submissions (the FCA will share submissions with the PRA and Bank of England where relevant) and a single template for notifications and the register. This should materially reduce the compliance burden by eliminating the need for multiple reports to different regulators.
    • Group incident reporting: Where multiple firms in a group are affected by the same incident, each firm must submit its own incident report describing the specific impact on its operations, customers and market exposure, even where the root cause is shared.
    • Payment service providers and credit rating agencies: The separate incident reporting frameworks that previously applied to PSPs and registered credit rating agencies will be replaced by this unified regime, reducing duplicative reporting obligations.

    Other author: Arnav Gupta, Associate

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.