OUT-LAW NEWS
UK financial regulators update reporting requirements
31 Mar 2026, 6:05 pm
Banks, insurers and investment firms, as well as providers of financial market infrastructure (FMI), have been given a year to adapt to new UK reporting requirements.
The regulators, the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Bank of England, have each set out updated policy papers and guidance on both the reporting of operational incidents and the reporting of ‘material’ third party arrangements. The new rules take effect on 18 March 2027.
While the rules are set out in separate policies, each containing its own specific requirements, many aspects have been standardised, which will come as a relief to firms, Yvonne Dunn of Pinsent Masons, who specialises in technology contracts in the financial services sector, highlighted.
In relation to incident reporting, for example, the regulators have standardised the definition of an ‘operational incident’. These will now be classed as either a single event or a series of linked events which disrupts a firm’s, or FMI’s, operations such that it disrupts the delivery of a service to an end user external to the firm, or FMI, or impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user. An incident does not have to impact an “important business service” in order to be reportable.
The regulators have confirmed that “near misses” are not reportable under the new rules, but said firms may want to report them through existing channels, such as to their supervisor.
For FCA-regulated firms, operational incidents will be notifiable if a firm reasonably believes that an operational incident poses a risk: of causing intolerable levels of harm to consumers from which consumers cannot easily recover; to the safety and soundness of the firm and/or other market participants; or to market stability, market integrity or confidence in the UK financial system. The requirements for the PRA and Bank of England are similar.
All three regulators said they expect operational incidents triggering their thresholds to be first notified within 24 hours, with the exception of payment service providers – they will still be expected to file a report to the FCA within four hours of detecting an incident. Both the PRA and Bank of England have acknowledged that firms or FMIs subject to their regimes may need more time to report as they respond to incidents, so a degree of flexibility to the 24-hour deadline has been built into their policy statements.
The three regulators have set different rules around both the information that needs to be reported and around follow-up reporting as an incident evolves.
Certain firms will be subject to the FCA’s standard incident reporting requirements, comprising a short report which does not need to be notified. Enhanced reporting firms, which include banks, enhanced scope SMCR firms and payment service providers, must submit incident reports at an initial phase, update them during the “intermediate phase”, if necessary, and then close the incident once resolved as the “final phase”.
Both the PRA and the Bank of England have adopted this three-stage process for all notifications.
Some incidents could trigger reporting obligations to both the PRA and the FCA – including at different stages of an incident, such as cyber attacks or technology outages.
A single reporting portal has been created for firms to file their reports, regardless of which regulator they are notifying.
The regulators have also issued rules on reporting ‘material’ third party arrangements. The underlying intention is to give the regulators visibility of these arrangements, given the risk that they can cause serious incidents at firms and across the financial sector.
The regulators’ rules on reporting material third party arrangements will now apply to both outsourcing and non-outsourcing arrangements, which aligns with the trend away from focusing rules purely on outsourcing arrangements. In guidance it issued, the FCA gave examples of the third party arrangements of which it would expect to be notified. These include where firms rely on third parties for data storage or cybersecurity services, as well as where they use AI models for trading.
Notification of these third party arrangements will be on a standard template, which allows the regulators to more easily analyse the information to identify themes and to designate ‘critical third parties’ for the purposes of operational resilience rules.
The FCA said: “Threat actors are attacking the financial sector more and more frequently, and with greater sophistication. They also attack the third parties that firms increasingly rely on to boost efficiency and support their innovations. At the same time, the industry is becoming more interconnected. Each incident can have an even bigger impact – even those that don’t stem from attacks. It is more important than ever that we can quickly grasp how incidents affect firms and markets.”
“At the same time, third parties are now supplying their services by means of transformative technological innovations like AI. The pace of change is rapid. We need to understand how firms are using third parties so we can effectively supervise their operational resilience. We also need to understand the deepening interconnectedness of industry as a whole to identify and address systemic risk. To do all of this, we need more detailed, accurate and consistently structured data,” it added.
Yvonne Dunn of Pinsent Masons said: “It is helpful for firms that the three regulators have brought most of these new regulatory requirements together in a consistent way. This is especially important in the context of notifying operational incidents, where firms want to focus on resolving the incident rather than being distracted by multiple forms of regulatory notification. Firms should prepare for these new regulations to come into force in 12 months by reviewing their incident handling processes and ensuring that they align to the regulatory requirements, and by mapping their third party arrangements and classifying those that are ‘material’ so that they are prepared to add them to the register.”