Article

FCA consults on operational resilience and third-party reporting

By: Edward Binks
The Financial Conduct Authority (FCA) has set out proposals to improve operational resilience and reporting on third-party arrangements. Blandine Arzur Kean and Edward Binks examine how these changes aim to tackle challenges like cyber attacks and IT failures.
On 13 December 2024, the FCA published a consultation on proposals to enhance the ways in which firms report operational incidents and their material third-party arrangements. The proposals seek to bolster firms’ operational resilience frameworks and minimise the impact of disruptions, such as cyber-attacks or IT outages. With this, the FCA aims to establish a consistent, sufficient, and timely framework for reporting operational incidents and material third-party arrangements.

The FCA aims to gain a clearer understanding of firms’ important third-party suppliers (material third-parties) and collect information on these arrangements in a more structured way. This will allow the regulator to respond more quickly and effectively to incidents involving third parties.

CP24/28: What it all means

All authorised firms are required to notify the regulator of operational incidents under their Principle 11 obligations; however, the FCA does not currently define what qualifies as an operational incident or how such incidents should be reported. Through its Transforming Data Collection programme in 2022, the FCA received feedback from industry that firms are unclear about how they should engage with the regulator regarding operational incidents.

The limitations of the current approach make it more difficult for regulators and firms to collaborate effectively in managing the impact of incidents, and they increase the risk of disruption and the potential for customer harm. To address these limitations, the FCA is proposing a clear definition of what constitutes an ‘operational incident’ and a standardised incident reporting process.

In addition, if a third party fails or suffers a major disruption, there are potential risks to UK financial stability. Some third parties also have significant market concentration, meaning that a failure at any one of them could have a major adverse impact on the financial system. The FCA wants to improve its visibility and understanding of material third parties and is therefore proposing that firms collect and periodically submit information on an expanded range of material third-party arrangements.

Incident reporting

Operational incidents

The consultation outlines the FCA’s formal definition of an operational incident, its proposed rules-based approach to reporting operational incidents, and sets out how and when firms should report incidents to the FCA.

The FCA proposes to define an operational incident as:

"A single event or a series of linked events that disrupts the firm’s operations, where it either:

  1. disrupts the delivery of a service to the firm’s clients or a user external to the firm; or
  2. impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to the firm’s clients or a user external to the firm."

Firms will be required to assess the impact of an operational incident against three thresholds, and if any are breached, they must report it to the FCA. It will be for firms to determine which incidents breach the thresholds. The three thresholds are as follows:

Consumer harm

The incident could cause or has caused intolerable levels of harm to consumers, and they can't easily recover as a result.

Market integrity

The incident could pose or has posed a risk to market stability, market integrity, or confidence in the UK financial system.

Safety and soundness

The incident could pose or has posed a risk to the safety and soundness of the firm and/or other market participants.

The FCA’s definition of an operational incident and the three outlined thresholds are broad, placing the responsibility on firms to establish internal processes to determine whether the scale and potential impact of an incident breaches any of the proposed thresholds.

Firms will also need to define what constitutes consumer harm, as well as identify incidents that could threaten market integrity or safety and soundness.

Regarding 'consumer harm', the FCA does not define what constitutes 'intolerable harm' but clarifies that it is generally more severe than an inconvenience. As a result, firms will need to use their own judgement, based on their clients and services, to assess whether an incident could cause an 'intolerable' level of harm to customers.

From an incident reporting perspective, firms should report both incidents with the potential to cause 'intolerable harm' and those that have already caused it. The FCA aims to be informed of incidents before the harm materialises, as well as situations where firms are aware of an incident but are uncertain about the extent of potential harm.

Reporting to the FCA: what to expect

The proposed rules outline when and how firms should report operational incidents to the FCA. Firms will be required to submit an initial incident report, provide updates on incident management after any significant changes, and submit a final report once the incident is resolved. In short, the FCA expects firms to deliver timely, ongoing updates on the incident’s progress, with information being as accurate as possible as the firm’s understanding evolves.

In order to make the reporting process as simple and efficient as possible, the FCA is developing an online platform for firms to submit incident reports and will provide templates for firms to complete at each stage of the incident reporting process. These are:

Initial incident report (including where the incident is resolved shortly after it occurs)

The FCA proposes that firms submit only the minimum information it needs to assess the potential risk to its objectives: the nature of the incident, the service(s) impacted and what actions are being taken to resolve the incident.

Intermediate incident reports (one or more updates on the progress of the incident, including when it's resolved)

The FCA proposes that firms submit an intermediate report as soon as is practicable after any significant change in circumstances, e.g., when additional information becomes available that provides more context on the incident.

A final incident report

The FCA will require firms to submit a final report within 30 working days. The final report should confirm the details of the incident and provide a full impact assessment, the root cause of the incident, any lessons learned and any additional measures taken.

Reporting third-party arrangements

For a sub-set of approximately 2,200 of the largest authorised firms, the FCA is proposing to strengthen its existing third-party reporting rules.

It plans to expand the scope of its data collections from material outsourcing arrangements to include material non-outsourcing arrangements, collectively referred to as material third-party arrangements. The change will result in the introduction of the proposed definitions for 'third-party arrangement' and 'material third-party arrangement' in the FCA Handbook.

The FCA proposes to define a 'third party arrangement' as:

"An arrangement of any form between a firm and a service provider, whether or not the product or service is:

  • one which would otherwise be provided by the firm itself
  • provided directly or by a sub-contractor
  • provided by a person within the same group as the firm."

Firms will be required to assess whether a third-party arrangement is a material third-party arrangement based on whether a disruption or failure in performance of the product or service provided by the third party could do any one or more of the following:

  • cause intolerable levels of harm to the firm’s clients
  • pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system
  • cast serious doubt on the firm’s ability to satisfy the threshold conditions or meet its obligations under the FCA’s Principles for Business, or under SYSC 15A (operational resilience).

Where a firm deems a third-party arrangement to be ‘material’, it is required to implement controls appropriate to the materiality of that arrangement. Under the new rules, firms will also need to notify the FCA of their material third-party arrangements. The consultation paper sets out amendments to the FCA Handbook to:

  • include new rules and guidance in SUP 15.19 (notification of material third-party arrangements) to capture notifications of firms’ material third-party arrangements, reflecting the expanded scope of the proposals
  • include new rules and guidance in SUP 15.3 stating that in-scope firms should notify the FCA of entering into, or significantly changing, a material outsourcing arrangement under the new section SUP 15.19

The FCA will provide a template for firms to submit notifications of new material third-party arrangements, or changes to existing arrangements. It will also require firms to maintain an up-to-date register of these arrangements and submit it each year.

How firms can prepare

Firms should assess how the FCA’s proposed changes will impact their management of incidents and of third parties, including their categorisation. Firms should also consider the proposed new definitions and what they would mean for their business.

The deadline for comments on CP24/28 is 13 March 2025. The FCA will consider the feedback and publish final rules in a Policy Statement in H2 2025.

For assistance with understanding and implementing these proposed changes, contact Blandine Arzur Kean or Edward Binks.