Consultation opens
13/12/2024
Consultation closes
13/03/2025
We are consulting on proposals for firms to report operational incidents and their material third party arrangements.
Firms face growing challenges to remaining operationally resilient. When operational incidents do occur, the disruption to the services firms provide can harm consumers and the wider sector. This could include consumers being unable to access their accounts or pay bills, and disruption to markets, threatening financial stability. Additionally, many of the incidents reported to us originate at third parties, with firms becoming increasingly reliant on the services they provide.
The proposals aim to bolster our operational resilience framework for firms and support our strategic commitment to minimise the impact of operational disruptions such as cyber-attacks or IT outages. These proposals seek to establish a consistent, sufficient, and timely framework for reporting operational incidents and material third-party arrangements.
Chapter 3 of this consultation paper (CP), which covers proposals for operational incident reporting, is relevant to:
Chapter 4 of this CP, which covers proposals for third party reporting, is relevant to:
Consumers may be interested in how operational resilience is being improved within firms.
Please respond to the CP by emailing [email protected] by 13 March 2025.
We currently receive notifications of operational incidents from authorised firms based on Principle 11. However, we do not currently define what constitutes an operational incident, when one should be reported, what information should be included, or how to submit such reports.
Feedback from industry, as part of the Transforming Data Collection programme in 2022, indicated that many firms are unclear about how and when to engage with us regarding incidents.
As a result, we are proposing to define an operational incident, and to require firms to submit standardised reports on incidents that breach one or more of the proposed thresholds supporting our objectives. These thresholds relate to consumer harm, market integrity, and safety and soundness.
Over the years, firms’ operations have become more complex and dependent on technology, increasingly relying on a wide range of services delivered by third parties. Under current requirements, we receive limited and inconsistent data on third party arrangements relating only to firms’ outsourcing arrangements. This has resulted in gaps in our knowledge of potential risks that third parties pose to individual firms and the financial services sector. As a result, we are proposing to introduce material third party reporting rules, which include outsourcing and non-outsourcing arrangements for a sub-set of firms that have the biggest consumer and market impact.