How do the operational incident reporting thresholds relate to the operational resilience rules for important business services and impact tolerances?
Firstly, important business services (IBS) and their associated impact tolerances define the firm’s operational resilience standard. They articulate the level of disruption a firm is willing and able to withstand before causing intolerable harm to customers, the firm’s safety and soundness, or broader market stability.
By contrast, operational incident reporting thresholds serve a different function. They are intended to ensure that the PRA receives timely visibility of significant operational incidents as they arise. These thresholds are therefore reactive and supervisory in nature, focusing on when an incident becomes sufficiently serious to warrant regulatory notification.
The key question is how these two frameworks interact in practice, specifically whether a breach (or potential breach) of an impact tolerance should determine when an incident is reported. A pragmatic interpretation of this question is that a breach of an impact tolerance (ITOL) should be viewed as a strong indicator that an incident is likely to be reportable, given that it signals disruption at a level the firm has already defined as intolerable. However, it should not be treated as the sole or definitive trigger. Firms should avoid an overly mechanistic linkage between ITOL breaches and reporting decisions. For example, an incident may still be reportable even where:
- it does not affect a defined important business service; or
- it has not yet breached an established impact tolerance.
Instead, the decision to notify the regulator should be grounded in a broader judgement, informed by the firm’s prior experience and lessons learned, namely whether it reasonably believes that the incident poses a risk of:
- intolerable harm to consumers,
- a threat to the safety and soundness of the firm, or
- adverse impacts on market integrity or financial stability.
In summary, while breaches of impact tolerances are highly relevant and should form an important part of the assessment, they should be treated as a consideration rather than a determinative trigger for incident reporting. Firms should maintain a holistic, risk-based approach that aligns with the overarching purpose of regulatory notification, ensuring prompt supervisory awareness of potentially significant operational disruptions.
What sort of quantitative reporting thresholds have you seen firms set or are planning to set for operational incidents?
During the consultation, there were calls for the regulators to set clear metrics or quantitative thresholds to help firms decide whether to report an incident. The FCA did not agree and explained that such metrics would need to apply across many different types of firm, so could become too complicated. They said that firms could instead set their own internal thresholds as part of their operational risk management procedures.
Interestingly, in the FCA webinar it was stated that “harm can’t be reduced down to numbers”. However, firms will still need to quantify the impact to understand whether an incident is isolated or part of a wider systemic issue.
We have seen firms seek to quantify the impact of incidents based on customer impact (the number of customers affected, vulnerable customers affected, the financial detriment to customers, spikes in complaint volumes), and also on the financial impact (or likely remediation costs), the duration of the outage and transaction failure rates, to name a few.
The key thing to remember is that you can’t solely base the decision on numbers, but these factors can (and probably should) be part of the assessment.
How do you see the 24-hour reporting working over weekends, etc.? For example, if it is determined that the threshold is met on a Friday?
It is worth remembering that the reporting thresholds for operational incidents are intentionally high. This restricts reporting to incidents with a significant impact on the Regulators’ objectives. In their webinar, the FCA stated that they receive about a thousand reports of incidents a year; of these, we anticipate that only a fraction will meet the threshold conditions.
For incidents that do satisfy the thresholds, we suspect that the Regulators will expect firms to commit the necessary resource, irrespective of when it has been determined to meet threshold conditions.
Therefore, if a firm identifies an incident on a Friday, it will likely be expected to submit its standard/initial report on Saturday at the latest. Following submission, it would be expected to allocate the appropriate resource to enable response and recovery. This may mean bringing in resource over the weekend where there is a significant impact.
Firms may take some comfort from a reminder that, following consultation, the Regulators have reduced the reporting detail required at the standard/initial phase. The final publications also reflect that reporting at this phase should not be exceptionally burdensome:
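As an added illustration (not from the original post or from any regulator’s guidance), the following Python sketches how a firm’s internal triage might record the quantitative factors discussed above alongside the ITOL flag and the required judgement, and derive the 24-hour initial-report deadline from the time the threshold was determined to be met. The threshold values, field names and the sample incident are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, illustrative internal thresholds: the regulators set none, and a
# firm would calibrate its own as part of operational risk management.
LIMITS = {
    "customers_affected": 10_000,
    "vulnerable_customers_affected": 500,
    "customer_detriment_gbp": 250_000,
    "complaints_vs_baseline": 3.0,   # e.g. three times the normal complaint volume
    "txn_failure_rate": 0.05,
    "outage_hours": 4.0,
}

@dataclass
class Incident:
    determined_at: datetime             # when the firm concluded the threshold is met
    customers_affected: int = 0
    vulnerable_customers_affected: int = 0
    customer_detriment_gbp: float = 0.0
    complaints_vs_baseline: float = 1.0
    txn_failure_rate: float = 0.0
    outage_hours: float = 0.0
    ibs_affected: bool = False          # does it touch an important business service?
    itol_breached: bool = False         # has an impact tolerance been breached?
    judged_risks: tuple = ()            # e.g. ("intolerable harm to consumers",)

def quantitative_indicators(inc: Incident) -> list:
    """Names of the constructed metrics the incident meets or exceeds."""
    return [name for name, limit in LIMITS.items() if getattr(inc, name) >= limit]

def assess(inc: Incident) -> dict:
    """Triage record: the indicators inform the judgement, they do not replace it."""
    indicators = quantitative_indicators(inc)
    if inc.itol_breached:
        indicators.append("impact tolerance breached")
    # An ITOL breach, or several quantitative hits, makes reporting likely.
    likely = inc.itol_breached or len(indicators) >= 2
    # The decision itself rests on the recorded judgement about risk of harm to
    # consumers, safety and soundness, or market integrity, so an incident outside
    # any IBS or ITOL can still be reportable, and one inside them need not be.
    reportable = len(inc.judged_risks) > 0
    due = inc.determined_at + timedelta(hours=24) if reportable else None
    return {"indicators": indicators, "likely_reportable": likely,
            "reportable": reportable, "initial_report_due": due}
```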
“As we have reduced the information required at the initial stages of an incident, firms should be able to report promptly.” (FCA FG26/3)
“The initial phase has been designed to gather only essential information, which can be updated with additional information during the intermediate and final phases.” (PRA PS7/26)