The Policy Statement (PS26/2) sets out the final rules intended to create a single approach for reporting operational incidents and material third party (MTP) arrangements. The new requirements build on the broader rules for operational resilience and third‑party risk management and align with international standards. The FCA also published two pieces of supporting guidance - FG26/3 (Operational Incident Reporting) and FG26/4 (Material Third Party Reporting) - to help firms interpret and implement the new requirements.
This framework is delivered jointly by the FCA, PRA, and Bank of England (referred to as ‘the regulators’ here). It will apply from 18 March 2027 with broad impacts, affecting most regulated firms. The following provides an overview of how the new reporting requirements will apply:
Type of firms in scope:

| Operational incident reporting | |
|---|---|
| Firm type | Reporting type |
| All firms with a Part 4A permission[1] | Standard reporting |
| Enhanced scope SMCR firms[2] | Enhanced reporting |
| Banks | Enhanced reporting |
| Designated investment firms | Enhanced reporting |
| Building societies | Enhanced reporting |
| Solvency II firms | Enhanced reporting |
| CASS large firms[3] | Enhanced reporting |
| Payment service providers | Enhanced reporting |
| UK RIEs[4] | Enhanced reporting |
| Registered trade repositories | Enhanced reporting |
| Registered credit rating agencies | Enhanced reporting |

*Third country branches will also be expected to submit an annual material third party register.
[1] Part 4A permission refers to the authorisation granted under Part 4A of the Financial Services and Markets Act 2000, allowing a firm to carry on one or more regulated activities in the UK.
[2] Enhanced scope SMCR firms are larger or more complex FCA‑regulated firms that must comply with enhanced governance and accountability requirements under the Senior Managers and Certification Regime (SMCR).
[3] CASS large firms are firms that hold large amounts of client money or custody assets and are classified as “large” under the FCA’s Client Assets Sourcebook (CASS).
[4] Recognised investment exchange.
The new rules mark a significant change in the operational resilience landscape, shifting the regulatory focus from high-level resilience planning to structured, data-driven supervision. The aim is to give the FCA the visibility it needs to monitor and respond to rising cyber threats and firms' growing dependency on external providers.
Though the focus of the new rules is on the operational incident and third-party reporting requirements, the impacts extend beyond simple information submissions. To satisfy the prescribed reporting templates, firms may need to reassess their understanding of third-party dependencies and the information they routinely record in their incident responses.
For many, this will require an investment of resources to adjust existing incident response processes, enhance incident detection capabilities, establish clearer internal thresholds, and develop cohesive governance across Compliance, Operations, Risk, IT, Procurement, Business Continuity and Crisis Management.
In practice, the requirements are likely to be as much about improving operational awareness, decision making and resilience as they are about regulatory reporting.
For the regulators, the reports from firms should strengthen their oversight of firms' incident management, which has historically relied on less structured sources. Supervisory teams in the FCA and PRA have been known to use social media feeds from a service monitoring platform to monitor firms' incidents in real time, and there has been a greater focus on data analytics capabilities. The new incident reports are a prime candidate for internal supervisory dashboards that supplement monitoring of firm performance and inform supervisory outcomes.
Summary of the new rules
PS26/2 establishes a unified regulatory approach to operational incident reporting. The Policy Statement aims to simplify the incident reporting guidance between regulators and across industries. It aligns to international standards such as the Financial Stability Board’s (FSB) Format for Incident Reporting Exchange (FIRE) standard and taxonomies.
As of 18 March 2027, operational incident reports must be submitted via the FCA’s Connect platform. For dual regulated firms, this will allow a single submission to report to both regulators.
The Policy Statement provides a definition for an ‘Operational Incident’:
“either a single event or a series of linked events which disrupts the firm’s operations such that it:
1. disrupts the delivery of a service to an end user external to the firm; or
2. impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user.”
Notification thresholds for reporting (which mirror the regulators’ objectives) are met where a firm reasonably believes that an operational incident poses a risk of intolerable consumer harm, or a risk to safety and soundness or market stability.
The notification requirements and thresholds are relatively subjective, and it will be down to individual firms to apply what they believe the FCA intended.
The requirements outline ‘standard’ and ‘enhanced’ tiers for reporting with most firms subject to the standard reporting requirements. Firms in scope for enhanced reporting are required to report on incidents in three distinct phases (‘initial’, ‘intermediate’, and ‘final’) of the incident lifecycle.
Guidance
FG26/3 builds on the Policy Statement to set out practical expectations for operational incident reporting. The guidance elaborates on the definition of an 'operational incident' and clarifies the meaning of 'linked events' and 'end users external to the firm'. It also provides further commentary on the threshold conditions for reporting and explores the standardised reporting templates.
Reporting process
The reporting templates are designed to simplify the process and reduce the reporting burden. They can be found here: standard template and enhanced template. Firms will need to evaluate the information they currently record to make sure that they are able to satisfy the mandatory fields in the templates once the rules come into force.
Firms will be expected to submit an incident report within 24 hours of determining that an incident meets the thresholds for an 'operational incident'. This expectation applies to the single report required under standard reporting and to the initial phase of enhanced reporting.
Although the new rules prescribe a standard 24 hours for firms to respond, supervisors may ask for this data within shorter timeframes for serious incidents. When initial 'ad hoc' updates are given on calls or in supplementary communications, firms must ensure that the information provided to the regulators is consistent with what is later submitted in the standardised templates. Firms will also need to be clear how the new timeline fits within their own internal incident management framework, in particular how the firm has calibrated 'when the clock starts' for the 24-hour timeline in line with the threshold requirement: the clock runs from the point at which the firm determines the threshold is met, not from first detection, so that determination should itself be recorded and timestamped.
The publications note that firms should not rely on the breach of Impact Tolerances (ITols) to evaluate if an event constitutes an ‘operational incident’. This is partly because not all firms will be subject to the operational resilience expectation to maintain these. It is also because an incident may originate from a resource or service unrelated to a firm’s Important Business Service, the failure of which may still satisfy the threshold conditions. In addition, firms are expected to report on incidents before ITols are breached.
Executives should have a clear understanding of the information submitted in a firm’s incident reporting templates, especially when leading incident management calls with one (or both) of the regulators. Discussions may now be driven by the template’s detailed fields rather than by a firm’s own communication processes and strategies.
The incident data is also likely to feed more supervisory questions on operational resilience for firms in annual regulator meetings with executives, such as the Chief Operating Officers, Chief Risk Officers and potentially Chief Executive Officers.
Subsumed regimes
The guidance is aligned with the FCA's goal to consolidate the Payment Systems Regulator (PSR) into the FCA by subsuming the existing incident reporting requirements for Payment Service Providers (PSPs). Credit Rating Agencies (CRAs) will also be brought into the new unified reporting framework.
The publications issue further guidance for PSPs, including how the new rules interact with their existing obligation to report major operational or security incidents (in SUP 15.14) and its requirement to report within four hours of first detection.
Material third party reporting
Summary of the new rules
The third party reporting requirements in PS26/2 outline an annual expectation for firms to identify their third party arrangements and submit a register to the FCA using a standard template. The rules also establish a requirement for firms to notify the regulator of any planned material third party arrangements or significant changes to existing ones.
The introduction of these requirements aims to provide the regulators visibility to:
The registers are also anticipated to contribute to the HM Treasury’s ongoing work to designate critical third parties (CTPs).
As with the operational incident requirements, the rules for material third party reporting will come into force on 18 March 2027. However, the FCA will notify in-scope firms when the 90-calendar-day submission window for the third-party register opens.
The register of parties in scope will hinge on the following definitions:
Third party arrangement:
“An arrangement of any form between a firm and a person who provides a product or service to the firm, whether or not the product or service is:
a. one which would otherwise be provided by the firm itself;
b. provided directly or by a sub-contractor; or
c. provided by a person within the same group as the firm.”
Material third party arrangement:
“A third-party arrangement which is of such importance that a disruption or failure in the performance of the product or service provided to the firm could:
a. cause intolerable levels of harm to the firm’s clients,
b. pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system, or
c. cast serious doubt on the firm’s ability to satisfy the threshold conditions, or meet its obligations under the Principles, or under SYSC 15A (Operational resilience).”
It is important to note that the third-party reporting template reflects the regulators' wider expectations for the oversight of third parties, such as materiality assessments, risk assessments, regular audits, financial due diligence, cyber risk due diligence, assurance, and review and sign-off by a Senior Manager Function (SMF) holder or governance committee.
Guidance
FG26/4 sets out how the FCA expects firms to comply with the requirements for material third party arrangements. It covers how to assess materiality using the new definitions (as above), examples of material and non-material third party arrangements and completion of the reporting templates.
The FCA gives the following examples of arrangements:
| Material | Not material |
|---|---|
| Services for storing sensitive information, such as data centres, cloud, hosting services or managed service providers. | Processing support services without privileged access or functions that are legally required to be performed by a service provider (for example, consultancy services, professional services, statutory audit and legal services). |
| Cybersecurity services built and monitored by a third-party provider (for example, distributed denial-of-service (DDoS) mitigations). | Providing basic utilities (for example, electricity, gas, water and telecommunication services). |
| Third party services that are key to delivering one or more of a firm's important business services, such as: | Providing non-vital support services (for example, advice from an architect, providing a legal opinion, maintaining the firm's premises, providing medical services to the firm's staff, servicing company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, administrative support and switchboard operators). |
| (a) Cloud services which are required to run software and access additional processing capacity (Software-as-a-Service or SaaS). | Procuring goods (for example, plastic used for credit/debit cards, card readers, office supplies and furniture). |
| (b) Using third party services such as payments, settlements and annuities. | Purchasing data collated by third party providers, generally known as data brokers (for example, geospatial data or data from in-app device activity or social media). |
| (c) Using AI models for trading. | Analytical tools that are built by a third party provider (for example, website traffic monitoring, employee activity monitoring and project monitoring tools). |
| (d) Providing real time market data and analytics (e.g. data feeds for benchmarking or pricing funds). | |
| (e) Using a third party to provide the physical movement of cash. | |
Reporting process
Once notified that the submission window has been opened, firms will have 90 calendar days to submit their annual material third party register. While Connect will be used for notifications, firms must use RegData for the annual register. Submissions should reflect the position as at 31 December of the previous year (e.g., a 2027 submission should reflect the arrangements as at 31 December 2026).
Firms will be required to differentiate between and report on both material outsourcing and non-outsourcing arrangements. AI models are an example of non-outsourcing third party arrangements that will need to be reported if they are deemed material. Firms may need to examine their existing third-party classifications and align their internal register to the regulator’s definitions and reporting template.
The guidance outlines the expectation that intragroup third-party arrangements (products and services ‘provided by a person within the same group as the firm’) should be evaluated and should not be considered inherently any less risky than services provided outside of the group. However, firms are only expected to report on intragroup third-party arrangements where an external third-party dependency exists (with the exception of UK RIEs).
PS26/2 represents an important step for the regulators in strengthening the UK's operational resilience framework. The approach seeks to increase consistency and clarity across the FCA, PRA and Bank of England. The improved visibility of operational incident trends and material third party dependencies is intended to enable supervisors to better identify systemic risks and emerging vulnerabilities. This should help supervisors focus on what matters most, rather than inquiring about lower-risk incidents or third parties.
Firms may see this as simply another regulatory change to implement. It is hoped that firms will be clearer on the information that the regulators want to know rather than attempting to make separate notifications of varying quality whilst under immense pressure. But clearly these changes are not without a cost, requiring firms to evaluate their existing frameworks and potentially reframe their incident management and third-party processes to satisfy the new requirements.