At a glance

Regulators confirm operational incident and third-party reporting regime

  • Insight
  • 8 minute read
  • March 2026

The FCA and PRA confirmed the new UK reporting regime for operational incidents and third-party arrangements on 18 March 2026 through the FCA's PS26/2 and PRA's PS7/26. The Bank of England (BoE) also published a policy statement, following a joint approach with the PRA and FCA, setting out rules for financial market infrastructures (FMIs).

The package is aligned with the regulators’ proposals set out in consultation papers published in December 2024, creating a more consistent framework across the FCA, PRA and BoE, with single definitions, common templates and a shared reporting portal for submissions.

What does this mean?

The final rules simplify the reporting framework, but they will require firms to make faster, clearer and more joined-up judgements on incidents and third-party risk, supported by more robust data on third-party arrangements. 

Feedback from firms was broadly supportive of greater alignment between the regulators, but concerns on proportionality, duplication, threshold clarity and reporting burden led to several simplifications in the final framework.

In this section, we cover the scope of the regime, firms’ key obligations, and the main changes from the proposals set out in the consultation papers.

Firms in scope

Incident reporting

  • PRA-regulated firms: UK banks, building societies, and PRA-designated investment firms, UK branches of overseas banks, UK Solvency II firms, the Society of Lloyd's, and its managing agents.
  • FCA-regulated firms (not including those within PRA scope above): other firms with a Part 4A permission not captured above, payment service providers (PSPs), UK recognised investment exchanges (RIEs), registered trade repositories, registered credit rating agencies.

Outsourcing and third-party risk management

  • PRA-regulated firms: UK banks, building societies, and PRA-designated investment firms, insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd's and managing agents, UK branches of overseas banks and insurers (third-country branches), credit unions and non-directive firms (NDFs) - certain requirements only.
  • FCA-regulated firms (not including those within PRA scope above): enhanced scope SM&CR firms not otherwise captured above, client assets sourcebook large firms, RIEs, authorised electronic money institutions and authorised payment institutions, consolidated tape providers.

BoE-supervised FMIs

  • Recognised UK central counterparties (CCPs), recognised UK central securities depositories (CSDs), recognised payment system operators (RPSOs), and specified service providers (SSPs). The requirements also extend to third-country CSDs and systemic overseas CCPs at the point at which BoE rules are applied to these entities. For RPSOs or SSPs incorporated outside the UK, the BoE will determine on a case-by-case basis whether they are subject to the requirements, taking into account factors such as systemic importance in the UK and the extent to which the ‘home-country’ regulatory and supervisory framework delivers an equivalent outcome.

Expectations on firms

Operational incident reporting

Firms must report operational incidents that meet one or more of the notification thresholds - namely incidents posing a risk to:

  • consumer harm from which consumers cannot easily recover
  • safety and soundness of the firm and/or market participants
  • market stability, market integrity, or confidence in the UK financial system.

Firms need to submit an initial report as soon as practicable and, in the FCA regime, within 24 hours of determining that an incident meets a threshold. PSPs must continue to report within four hours of first detecting a major operational or security incident. Near-misses and uncrystallised events do not need to be reported.

Enhanced reporting firms must provide updates where there is a significant change in circumstances and must submit the final phase within 30 working days of resolution, extendable to 60 working days where this is impracticable. Firms are expected to use their own internal processes and judgement, based on the information available at the time, rather than applying fixed quantitative thresholds.

Third-party arrangements (not limited to outsourcing)

Firms must notify the FCA and PRA when entering or significantly changing a material third-party (MTP) arrangement. This regime extends beyond outsourcing and applies to both outsourcing and non-outsourcing arrangements. A significant change is one that materially alters the nature, scale or complexity of the risks inherent in the arrangement. Notifications should be submitted before making internal or external commitments, though the process is not an approval mechanism and firms need not wait for a response. 

Firms must also maintain and submit an annual register of their MTP arrangements. Materiality remains a firm judgement based on the risk posed by disruption or failure of the service, including potential harm to clients, risks to the UK financial system, or serious doubt about the firm’s ability to meet threshold conditions or regulatory obligations. The regime is not limited to arrangements supporting important business services, even though impact on a firm's operational resilience remains an important driver of materiality.

Governance

The SMF24 (Chief Operations) is expected to hold overall responsibility for implementing the outcomes of the PRA's incident reporting requirements. Where no SMF24 exists, a suitable alternative SMF should be allocated. However, firms are not required to have SMF24 approval for individual incident report submissions.

The FCA also published guidance on both incident reporting and third-party reporting. It gives firms practical direction on reporting processes, thresholds and assessing materiality for third-party arrangements. 

The PRA also provides firms with scenarios on cyber attacks, service outages, failed IT changes and incident escalation across regulators, helping firms translate the rules into practical reporting decisions.

Key changes

A more unified reporting framework

The regulators have created a more unified framework across the PRA, FCA and BoE, with a single operational incident definition, a single reporting portal for incident submissions, and a common approach to thresholds tied to each regulator’s statutory objectives. Dual-regulated firms will now make a single submission through FCA Connect, which is automatically shared with the relevant regulators. Reporting timelines are also aligned, although PSPs retain their existing four-hour reporting deadline.

For FMIs, the BoE has also sought to reduce duplication with existing incident-reporting requirements, including by consulting on revoking Rule 4 of the Recognised Clearing House Rules Instrument 2018 for CCPs and clarifying that, for CSDs, reporting operational incidents in accordance with the operational incident and outsourcing and third-party reporting definition, threshold and format will be considered to meet the existing incident-reporting requirement under Article 45(6) of the UK CSDR.

Streamlined incident reporting

The three separate incident reports - initial, intermediate, and final - have been consolidated into a single report that firms update across three phases. The overall number of questions has been reduced - by approximately 20% for enhanced reporting firms - with much of the reduction at the initial phase. For around 90% of FCA solo-regulated firms, a significantly simplified 'standard' short-form report with only 10 mandatory questions now applies. 

Reduced third-party reporting burden

For MTP reporting, the notification and register templates have been separated and aligned across regulators, with fewer data fields than originally proposed. Firms in scope must notify the regulators when entering into or significantly changing an MTP arrangement and maintain and submit an annual register of their MTP arrangements. Notifications will be submitted through FCA Connect and annual registers through FCA RegData.

For FMIs, the BoE’s final policy similarly formalises notification of new or significantly changed MTP arrangements and an annual register for those arrangements, with submissions made through FCA platforms.

Scope adjustments

The final rules narrow parts of the original scope. Credit unions with less than £50 million in assets are excluded from MTP notification requirements. Third-country branches are excluded from MTP notification obligations, although they remain in scope for the annual register under the FCA framework. Intragroup arrangements that do not involve an external third-party dependency are also excluded in most cases, subject to limited exceptions such as UK recognised investment exchanges and certain ring-fenced body scenarios.

Further alignment with international standards

To support interoperability, the definitions, reporting templates and overall structure have been aligned, where appropriate, with international frameworks, including the EU's DORA regime and the Financial Stability Board’s Format for Incident Reporting Exchange. While the UK regime is aligned with DORA in structure and terminology, it gives firms more discretion on reporting thresholds and more flexibility in reporting timelines.

What do firms need to do?

Review incident identification, escalation and reporting processes.

Strengthen third-party inventories and materiality assessments.

Confirm governance, ownership and implementation planning.

For firms, the main implication is not simply a new reporting regime, but the need to tighten the end-to-end operating model for incident and third-party risk management. 

On incident reporting, firms will need to make faster and more consistent threshold assessments, using existing internal risk and escalation processes, but applying the regulators’ common incident definition and statutory-objective-based thresholds. That means reviewing incident triage criteria, escalation routes and reporting playbooks so that reportable incidents are identified quickly and submitted through FCA Connect within the required timeframe, without distracting from containment and recovery. The regulators have emphasised that during a live incident the resource allocation priority should be on incident resolution over regulatory reporting, indicating that they may apply a degree of forbearance for late reports in cases where teams had focused first on resolution. Firms should also ensure teams understand that an incident does not need to affect an important business service to be reportable, and that near-misses remain out of scope.

On third-party arrangements, firms will need to ensure that their materiality assessments cover both outsourcing and non-outsourcing arrangements, that all MTP arrangements are captured in their registers and reported annually, and that any new or significantly changed MTPs are notified. In practice, this will require firms to refresh third-party inventories, identify external dependencies in intragroup arrangements, map the required data fields, and confirm governance ownership across procurement, operations, resilience, compliance and relevant SMF accountabilities.

Firms should also consider how their implementation approach aligns with other international requirements, including DORA, so that reporting, third-party inventories, materiality assessments and governance are designed to reduce duplication and friction across jurisdictions.

“For firms, the final rules bring greater clarity and consistency to reporting expectations, but they also require stronger internal coordination, clearer decision-making and more robust governance to identify and escalate incidents and third-party risks effectively.”

Penny Flint
Partner, PwC

Next steps

These new rules will apply from 18 March 2027. The FCA will host a webinar on 29 April 2026 for firms which have questions about the new regime. The BoE is consulting on revoking Rule 4 of the Recognised Clearing House Rules Instrument 2018 for CCPs, as it duplicates the operational incident and outsourcing and third-party reporting rules. This consultation closes on 18 June 2026.

Contacts

Penny Flint

Partner, Financial Services and Third Party Risk Management, PwC United Kingdom

+44 (0)7803 858309


Charles Rodger

Director, Third Party Risk and Resilience, PwC United Kingdom

+44 (0)7884 317642


Ian Trinder

Director, Resilience & Risk Management, PwC United Kingdom

+44 (0)7483 401097


Tom Kohler

Director, PwC United Kingdom

+44 (0)7940 510796


Stella Nunn

Director, Crisis and Resilience, PwC United Kingdom

+44 (0)7932 144627


Hugo Rousseau

Senior Manager, PwC United Kingdom

+44 (0)7484 059376
