Error Message… incident imminent, more reporting needed.
Strengthening Operational Resilience: key requirements from the FCA’s proposed rules for Incident and Third-Party Reporting
The UK’s Financial Conduct Authority (FCA), alongside the Bank of England’s Prudential Regulation Authority (PRA), has recently unveiled a series of proposed rules aimed at enhancing operational resilience in financial services. These proposals, detailed in consultation papers CP24/28, CP17/24, and a dedicated paper for Financial Market Infrastructures (FMIs), introduce significant changes to the reporting requirements for operational incidents and third-party arrangements. Here, we break down the key aspects of these proposals, their implications for financial firms, and the steps organisations should take to prepare.
Overview of the Proposals
The FCA’s CP24/28 focuses on operational incident reporting and third-party arrangement oversight for a wide range of regulated entities, including payment service providers, UK Recognised Investment Exchanges (RIEs), registered trade repositories, registered credit rating agencies, and other firms under the Senior Managers and Certification Regime (SM&CR). Meanwhile, the PRA’s CP17/24 expands reporting requirements for PRA-regulated firms such as banks, building societies, and designated investment firms.
These proposals aim to:
• Enhance the quality and consistency of information received regarding operational incidents and third-party arrangements.
• Introduce standardised reporting templates to improve data quality and facilitate effective regulatory oversight.
• Address risks associated with significant reliance on third-party services, including non-outsourcing arrangements.
• Align with broader policy objectives for operational resilience and third-party risk management.
Operational Incident Reporting
Defining Operational Incidents
The FCA defines an operational incident as a single event or a series of linked events that disrupt a firm’s operations. These incidents either:
• Interrupt the delivery of services to the firm’s clients or external users.
• Compromise the availability, authenticity, integrity, or confidentiality of client data or information.
Thresholds for Reporting
To ensure proportionate reporting, firms are required to assess incidents against three thresholds:
1. Consumer Harm: the incident has caused or could cause significant harm to consumers, making recovery difficult.
2. Market Integrity: the incident poses or has posed risks to market stability, integrity, or confidence in the UK financial system.
3. Safety and Soundness: the incident threatens the safety and soundness of the firm or other market participants.
Firms must consider factors such as the direct and indirect impact on clients, consumers, and the wider sector, as well as reputational damage and compliance obligations. Once thresholds are breached, an initial report should be submitted promptly, followed by updates as the situation evolves and a final report upon resolution.
Addressing current reporting limitations
The proposals aim to resolve inconsistencies in the current reporting process. Key challenges identified include:
• Lack of clarity on what constitutes an operational incident and when to report it.
• Significant delays in incident reporting, with over 20% of reports submitted more than 11 days after incidents began.
• Inconsistent information due to the absence of a standardised template.
By standardising incident definitions and reporting processes, the FCA aims to enhance regulators’ ability to promptly review and respond to incidents while enabling thematic analysis and feedback to the industry.
Third-Party Arrangement Reporting
Expanding the Scope
Recognising the growing complexity of firms’ operations and their reliance on third-party services, the FCA proposes to expand reporting requirements to include material non-outsourcing arrangements alongside traditional outsourcing. A ‘third-party arrangement’ is broadly defined as any agreement between a firm and a service provider, regardless of whether the service is typically provided in-house, through subcontractors, or by entities within the same corporate group.
Material Third-Party Arrangements
To focus on significant risks, the FCA proposes to collect information only on ‘material third-party arrangements.’ These are arrangements where disruptions could:
• Cause intolerable harm to clients.
• Threaten the stability or integrity of the UK financial system.
• Impair the firm’s ability to meet regulatory obligations or maintain operational resilience.
Firms must implement proportionate controls for these arrangements, reflecting their materiality and potential impact. These controls need not mirror those for outsourcing arrangements but should be tailored to the specific risks involved.
Notification and Register Requirements
Firms will be required to:
• Submit notifications ahead of entering or significantly altering material third-party arrangements using a standardised template.
• Maintain a comprehensive register of all material third-party arrangements, updated and submitted annually.
The proposed templates align with incident reporting processes, enabling interoperability and improved analysis of firms’ third-party supply chains. Firms must also rank service providers within their supply chains to identify critical dependencies.
Operational Resilience Objectives
The FCA’s proposals align with its broader policy objectives of enhancing operational resilience and managing third-party risks. By collecting consistent, high-quality data on incidents and third-party arrangements, regulators aim to:
• Identify systemic risks and dependencies across the sector.
• Support quicker and more effective responses to operational disruptions.
• Enhance firms’ ability to manage risks associated with third-party dependencies.
• Provide greater clarity and consistency for firms in meeting regulatory expectations.
Implications for Financial Firms
Assessing Current Processes
Firms must evaluate their existing incident reporting and third-party risk management processes to identify gaps and align with the proposed rules. This includes reviewing current definitions, thresholds, and reporting timelines.
Resource and System Requirements
Implementing these proposals may require:
• Upgrades to internal systems and processes to support new reporting templates and data management requirements.
• Training staff on the updated rules and expectations.
• Allocating resources for ongoing compliance and reporting activities.
Interoperability with other frameworks
The FCA’s proposals are designed to align with existing and forthcoming regulatory frameworks, such as the European Banking Authority’s Outsourcing Guidelines and the EU’s Digital Operational Resilience Act (DORA). Firms already complying with these standards may find the transition less burdensome.
Next Steps for Firms
Engage with the Consultation: firms are encouraged to respond to the consultation papers, providing feedback on the practicality and potential impact of the proposals. This input can help shape the final rules. The deadline is Thursday 13 March 2025.
Prepare for implementation: preliminary planning should include:
• Identifying necessary changes to systems, processes, and governance structures.
• Assessing resource needs and budgeting for compliance activities.
• Familiarising staff with the new templates and reporting expectations.
Enhance data management: firms should ensure they have robust systems in place to manage and submit accurate data on incidents and third-party arrangements. This includes maintaining up-to-date registers and adopting standardised taxonomies.
Strengthen Third-Party Risk Management: given the expanded scope of third-party reporting, firms must enhance their oversight of material third-party arrangements, ensuring that controls are proportionate to the associated risks.
Firms should act now to assess the implications of these changes, engage with the consultation process, and lay the groundwork for successful implementation. Find out how Shapes First can help you do this.