On 18 March 2026, the final rules and guidance for operational incident reporting and third party reporting were published.
The FCA, PRA, and Bank of England (the supervisory authorities) have collaborated to establish a unified and consistent regulatory regime. This regime sets out rules, reporting obligations, and expectations for firms regarding operational incidents and third party arrangements. This summary outlines the main components and requirements of the regime as applicable to firms regulated by the FCA and PRA.
Context
Supervisory authorities are introducing new reporting requirements for operational incidents and material third party arrangements in response to growing concerns about the frequency and impact of operational incidents, often involving third parties.
Recent outages and incidents have demonstrated the potential for significant disruption to firms’ services, potentially harming consumers, affecting market confidence, and disrupting the UK financial system. Supervisory authorities require timely and structured information on significant incidents to assess their impact, monitor firms’ responses, and determine if further action is necessary.
Recent incidents have underscored the need for supervisory authorities to have visibility across all material third party arrangements, both outsourcing and non-outsourcing, that could lead to serious incidents within firms or the wider sector. This requirement builds on UK regulatory developments over recent years relating to operational resilience, outsourcing, third party risk management and critical third parties and follows international best practices, including the Financial Stability Board (FSB) toolkit, Basel Committee on Banking Supervision (BCBS) principles for third party risk management, and the EU’s Digital Operational Resilience Act (DORA) requirements for ICT services.
The Bank of England has published specific Supervisory Statements detailing the specific requirements of the operational incident reporting and third party risk management regime for Financial market infrastructures and updated the previously published Supervisory Statements relating to third party risk management specifically for Central Counterparties, Central securities depositories and Recognised payment system operators and specified service providers. This summary does not focus on these specific supervisory statements – but if you would like more information on any of them, please do get in touch.
Operational incident reporting
Firms in scope
There are 2 tiers for incident reporting, Standard and Enhanced.
Most firms with Part 4A permissions are subject to the Standard reporting requirements, with the firms listed below subject to the Enhanced reporting requirements:
- Enhanced scope SMCR firms
- Banks
- Designated investment firms
- Building societies
- Solvency II firms
- CASS large firms
- Payment service providers
- UK RIEs
- Registered trade repositories
- Registered credit rating agencies
Approach
- The regulatory regime is formed around a single definition of an operational incident:
“Either a single event or a series of linked events which disrupts the firm’s operations such that it:
(1) disrupts the delivery of a service to an end user external to the firm; or
(2) impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user.”
- All in scope firms will utilise Connect as the single portal for reporting incidents regardless of regulator.
- A single set of notification thresholds has been established. These thresholds reflect each regulator’s statutory objectives.
Notification thresholds and considerations
Firms will need to report if the firm reasonably believes that an operational incident meets one or more of the notification thresholds – namely, that it poses a risk:
- of causing intolerable levels of harm to consumers from which consumers cannot easily recover;
- to the safety and soundness of the firm and/or other market participants;
- to market stability, market integrity or confidence in the UK financial system.
Firms must consider a range of factors when determining whether an incident meets any of the thresholds, including:
- the direct impact on the end users or the wider sector, including its counterparties and other market participants;
- the reputation of the firm or the financial sector;
- the firm’s ability to meet its legal and regulatory obligations;
- the firm’s ability to provide adequate services;
- the firm’s ability to safeguard the availability, authenticity, integrity or confidentiality of information or data of an end user external to the firm;
- the firm’s internal assessment and classification of the incident.
Reporting requirements
Standard reporting - single report: Firms must submit a report as soon as practicable after a reportable incident occurs and at least within 24 hours.
Enhanced reporting - across 3 phases:
- Initial report - *Firms must submit a report as soon as practicable after a reportable incident occurs and at least within 24 hours.
- Intermediate reporting - Firms must provide an update as soon as practicable after there has been a significant change in the status of the operational incident.
- Final report - Firms must provide a final update within 30 working days of the operational incident being resolved unless there are **exceptional circumstances.
*Payment Service Providers should note the following:
1) EBA’s Guidelines on Incident reporting under the Payment Services Directive as issued on 27 July 2017 (EBA/GL/2017/10) (EBA Guidelines) have been disapplied. Under SUP 15.14.18CD, PSPs will now only need to submit notifications in line with the regime set out within PS26/2 to meet their obligation under regulation 99(1) of the PSRs.
2) Payment Service Providers (PSPs) are required to comply with enhanced incident reporting obligations, specifically maintaining a 4-hour reporting deadline as outlined in SUP 15.14.18DD. This ensures supervisory visibility due to the time-sensitive nature of incidents in this sector. PSPs fulfil the 4-hour deadline by submitting the initial part of their incident report, with intermediate and final stages to be completed subsequently.
**If a firm cannot produce a final report within 30 working days, it should provide an explanation to the relevant regulator as to why and the expected timeline for submission. Examples of such situations could include where the incident is particularly complex and the cause is not easily identifiable, or where there is a reliance on a third party for information. Even in such cases, the firm must submit the final phase as soon as practicable but not more than 60 working days after resolving the incident.
Third party arrangements
Firms in scope
- Enhanced scope Senior Managers and Certification Regime (SMCR) firms
- Banks
- Designated investment firms
- Building societies
- Solvency II firms
- CASS large firms
- UK RIEs
- Authorised electronic money institutions and authorised payment institutions
- Consolidated tape providers
Approach
- The approach is formed around a single definition of a third party arrangement aligned across regulators, being:
“an arrangement of any form between a firm and a person who provides a product or service to the firm, whether or not the product or service is:
(1) one which would otherwise be provided by the firm itself;
(2) provided directly or by a sub-contractor; or
(3) provided by a person within the same group as the firm.”
- There will be a single template for the third party register.
- All in scope firms will utilise Connect as the single portal for notification and the FCA RegData platform for submission of the register of material third party arrangements.
- Dual-regulated firms only need to make a single notification and register submission.
- The FCA and PRA have different definitions of “Material third party arrangement” owing to each regulator’s statutory objectives. Dual-regulated firms will need to work to both definitions in respect of both register submission and notifications.
- The FCA and PRA provide guidance and examples on how to assess whether a third party arrangement is material (FCA: FG26/4, PRA: SS2/21 March 2026).
- For all firms except UK Recognised Investment Exchanges (UK RIEs), intragroup arrangements are only considered within scope if they involve an external third party dependency. For ring-fenced bodies, arrangements with permitted suppliers are in scope only when there is such an external third party dependency.
Definition of a material third party arrangement
FCA - A third party arrangement which is of such importance that a disruption or failure in the performance of the product or service provided to the firm could:
(a) cause intolerable levels of harm to the firm’s clients,
(b) pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system, or
(c) cast serious doubt on the firm’s ability to satisfy the threshold conditions, or meet its obligations under the Principles, or under SYSC 15A (Operational resilience).
PRA - A third-party arrangement which is of such importance that a disruption or failure in the performance of the product or service provided to the firm could:
(1) pose a risk to:
(a) the firm’s safety and soundness;
(b) in the case of an insurer, an appropriate degree of protection for those who are or may become the firm’s policyholders; or
(c) where the firm is, or is controlled by, an O-SII, or is a relevant Solvency II firm, the stability of the UK financial system; or
(2) cast serious doubt upon the firm’s ability to satisfy the threshold conditions, the Fundamental Rules, the Operational Resilience Part, Insurance – Operational Resilience Part or the Operational Continuity Part.
Reporting requirements
Notification
In scope firms must notify the regulator of planned new material third party arrangements or significant changes to existing arrangements using the standard notification template form.
- The form must be completed and submitted through the Connect portal.
- No specific timelines have been set for submitting or reviewing notifications.
- Firms are expected to notify regulators at an early stage, before making any internal or external commitments.
- Notification should occur early enough in the decision-making process to allow for regulatory engagement before contractual or operational commitments are made.
- The regulator does not approve notifications and may not respond to each submission.
- Submitted data will still be used for broader thematic and industry-wide analysis.
Register
Firms need to submit the register detailing material third party arrangements annually. The FCA will inform relevant firms when the annual register reporting window opens. Firms then have 90 calendar days to submit their information via FCA RegData. The data provided must reflect the position as at 31 December of the previous year (e.g., a 2027 submission covers data up to 31 December 2026).
Firms are not required to resubmit their register of material third party arrangements every time they notify the FCA.
Relevant publications
- FCA: PS26/2 - Operational Incident and Third Party Reporting - read the full PDF here
- FCA: FG26/3 - Operational Incident Reporting - read the full PDF here
- FCA: FG26/4 - Material Third Party Reporting - read the full PDF here
- PRA: PS7/26 – Operational resilience: Operational incident and third-party reporting - read the full policy statement here
- PRA: SS2/21 - Outsourcing and third party risk management – 18 March 2026 - read the full PDF here
The new rules will take effect on 18 March 2027. Firms will be given a 12-month period to prepare for compliance. During this preparation period, there will be engagement by regulators with firms to assist them in adapting to the rules and the associated reporting technologies.
Firms should use the preparation period to review the notification and register templates (contained within the links below) and ensure appropriate systems are in place to produce the data required to populate each of the relevant fields.
We also recommend that firms review and update their supply chain contracts as needed to ensure firms can meet the new notification requirements. Watch out for further related content together with practical tips we will be publishing to assist firms through the preparation period.