The proposals aim to drive more consistency in operational incident reporting and greater visibility in the use of material third-party services.
By Rob Moulton and Charlotte Collins
On 13 December 2024, the FCA and the PRA published linked Consultation Papers on operational incident and third-party reporting (FCA CP24/28 and PRA CP17/24). The consultations aim to create a structured framework for financial services firms to report operational incidents and material third-party relationships. The proposals will help standardise the information that the regulators receive and enable them to identify systemic problems related to incident and third-party risk management.
Operational Incident Reporting
The FCA proposes defining an operational incident as any single event or series of linked events that disrupt a firm’s operations, which either:
- disrupt the delivery of a service to the firm’s clients or a user external to the firm; or
- impact the availability, authenticity, integrity, or confidentiality of information or data relating or belonging to the firm’s clients or a user external to the firm.
Notably, the proposed PRA definition focuses only on the end user that is external to the firm, but this divergence does not appear to be substantial.
An operational incident will need to be reported to the FCA if a threshold is breached, namely if there is an actual or potential risk: (i) of causing consumer harm; (ii) to the safety and soundness of the firm and/or other market participants; or (iii) to market integrity, market stability, or confidence in the UK financial system.
The PRA proposes that firms would be required to submit an operational incident report once an operational incident poses a risk to: (i) (where the firm is an O-SII or relevant Solvency II firm) the stability of the UK financial sector; (ii) the safety and soundness of the firm; or (iii) (for insurers) the appropriate degree of policyholder protection.
The regulators have compiled a non-exhaustive list of factors to assist firms in determining if an incident should be reported. Examples include incidents that impact:
- the firm’s clients, consumers, or the wider sector;
- the firm’s ability to provide adequate services, meet regulatory requirements, or safeguard confidential information; and
- the reputation of the firm or the financial sector as a whole.
The FCA provides case study illustrations applying the examples, which include cyber-attacks, process update failures, and infrastructure problems. Notably, the FCA provides six case studies which emphasise “intolerable harm” to consumers as crucial in determining if a threshold is breached. These include: (i) major disruption to a third-party cloud service provider used to host banking services; and (ii) IT systems preventing clients from accessing their bank accounts and causing delays to processing client transactions overnight. Conversely, the FCA explains that a power outage preventing a sole director and employee from having client meetings would not need to be reported, if it only impacted a small number of clients. The PRA takes a similar approach by providing some illustrative examples in the proposed Supervisory Statement on Operational Resilience: Operational Incident Reporting in Appendix 2 of the PRA Consultation Paper.
The regulators plan to create a new incident reporting framework, as illustrated in the diagram below:
In essence, when a threshold is breached, an initial report should be submitted to the regulator(s) as soon as practicable. In the initial report, firms would only be required to submit a limited amount of information related to the nature of the incident, the service(s) impacted, and what actions the firm may take, or has taken, to resolve the incident.
If the issue is immediately resolved, then the firm should submit a final report within 30 working days. If the operational incident remains unresolved at the time of the initial report, then the firm would need to complete intermediate reports about any significant changes in the incident’s status or impact. Once the incident is resolved, a firm should submit an intermediate report followed by a final report within 30 working days, or as soon as practicable, but not exceeding 60 days. The final report should confirm the details of the incident and provide a full impact assessment, the root cause of the incident, and any lessons learned or additional measures taken.
Standard forms would be available to use for these reports. Notably, the reporting form would be partially auto-populated with information held by the regulator and would use conditional field logic. Firms would have the opportunity to submit further information in free text boxes and to provide additional attachments.
Third-Party Reporting
The third-party reporting proposal applies only to a subset of firms which the regulators consider have the biggest consumer and market impact. These include banks, enhanced scope SMCR firms, PRA-designated investment firms, and Solvency II firms. Currently, the regulators only receive notifications about material outsourcing arrangements. The proposals plan to expand these notifications to capture non-outsourcing arrangements by requiring firms to report “material third party arrangements”, as well as creating new rules and guidance requiring firms to inform the regulators of when they enter into or significantly change an outsourcing arrangement. This would enable the regulators to have more visibility on third-party relationships across the sector.
The regulators plan to define “third-party arrangement” as any arrangement whereby a person provides a product or service to a firm whether or not it would otherwise be undertaken by the firm itself, provided directly or by a sub-contractor, or provided by a person within the same group as the firm. If a firm identifies a third-party arrangement as “material”, it should implement controls appropriate to the materiality of the arrangement.
The regulators have prepared a non-exhaustive list of factors to help firms identify what is material, including a direct connection to the performance of a regulated activity, and the potential impact of a disruption on business continuity, operational resilience, and operational risk. Also relevant in determining materiality would be the ability to scale up the third-party’s service and the availability of a substitute service provider. The regulators clarify that certain third-party relationships are out of scope, including those required by statute and basic utilities. However, telecommunication and internet service providers would be within scope.
The regulators propose that firms maintain and submit to the regulator(s) a structured register of their third-party arrangements. The firm’s register would be expected to include information such as: (i) data on the firm and third parties including intra-group arrangements, as well as the services provided; and (ii) information on the supply chain and the firm’s assessment of its third-party arrangements. The information that firms submit would allow the regulators to create a central register of third-party arrangements. This register would enable the regulators to take a data-led approach in understanding how third parties operate within the financial sector and the level of reliance on certain parties. Moreover, it would help inform the regulators when identifying potential critical third parties to be recommended for designation by HM Treasury under the new framework (see this Latham blog post for more detail).
Next Steps
The consultation will close on 13 March 2025. The regulators aim to publish policy statements by the second half of 2025, and for the new rules to take effect no earlier than the second half of 2026.
This post was prepared with the assistance of Gregory Slevin in the London office of Latham & Watkins.