On 18 March 2026, the following Policy Statements were issued:

FCA PS26/2

In PS26/2 the FCA sets out its final rules and policies on which it consulted on in Consultation Paper 24/28 (CP24/28). It has also published Finalised Guidance (FG) 26/3 and FG 26/4 to help firms with the requirements. These policies cover reporting serious incidents that impact FCA statutory objectives and reporting material third parties that underpin firms’ operations.

As regards operational incident reporting, the FCA’s final rules:

  • Define what an operational incident is.
  • Set out the thresholds for when firms must report an incident.
  • Introduce a standardised reporting process so all firms make a single submission regardless of the regulator(s) the report is for.
  • Set out how firms will submit standard or enhanced incident reports.

In chapter 2 of PS26/2 the FCA summarises feedback to CP24/28 and sets out its final position as regards incident reporting. In summary the FCA has:

  • Created a single FCA, PRA and BoE regulatory regime, comprising: (i) a single incident definition; (ii) a single reporting portal so all firms make one submission regardless of which regulator(s) a report is for; (iii) identical timelines for reporting (except for payment service providers (PSPs), which will retain their existing reporting timelines); and (iv) a single approach to thresholds for reporting, tied to each regulator’s statutory objectives.
  • Reduced the overall number of questions for all firms: (i) for the majority of FCA solo-regulated firms as well as credit unions, the FCA has significantly reduced the information requirements by moving to a single short form with 10 required questions; (ii) for the remaining most strategically important FCA firms, the FCA has changed its approach from three reporting forms per incident to one form, updated during the incident cycle. The FCA has reduced the information required in the initial phase of reporting and overall for reporting an incident.
  • Subsumed existing incident reporting regimes for PSPs and registered credit rating agencies to avoid duplication.
  • Made various requested clarifications to make its intentions and firms’ responsibilities clearer. For example, the FCA has amended its reporting thresholds to reassure firms that this reporting policy is only for serious incidents.

As regards third party reporting the FCA’s final rules:

  • Define what a material third party arrangement is.
  • Require firms to notify the FCA of any new, or any significant changes to material third party arrangements.
  • Require firms to maintain a register for their material third party arrangements, and to submit it to the FCA annually.

In chapter 3 of PS26/2 the FCA summarises feedback to CP24/28 and sets out its final position as regards third party reporting. In summary the FCA has:

  • Created a unified FCA, PRA and BoE regime, comprising: (i) a single third party arrangement definition; (ii) a single approach to defining a material third party arrangement, based on each regulators’ statutory objectives; (iii) a single notification template and a single register template; and (iv) a single portal so firms make one submission regardless of which regulator(s) a report is for.
  • Reduced the scope of the requirements by: (i) excluding third country branches from the notification obligations (but not the annual register); and (ii) only requiring material intra-group arrangements, or for ring-fenced bodies, arrangements where the provider is a permitted supplier, to be reported where there is an external third party dependency. The exception is UK recognised investment exchanges (UK RIEs).

The new rules in PS26/2 will come into force on 18 March 2027.

Firms affected should read the FCA’s rules and guidance in PS26/2 and the accompanying Finalised Guidance. During the 12 months that firms have to prepare, the FCA will engage with firms to support them in adapting to the rules and reporting technologies. Two years after implementation, the FCA will review the policies to assess if they meet both its needs and those of firms.

PRA PS7/26

In December 2024, the PRA issued Consultation Paper 17/24 – Operational resilience: Operational incident and outsourcing and third-party reporting (CP17/24). In CP17/24 the PRA proposed to establish a policy for the timely, accurate and consistent reporting of certain operational incidents, and notification and reporting of material third-party (MTP) arrangements.

In PS7/26 the PRA addresses the responses to CP17/24 and sets out its final policy, as follows:

  • Amendments to the Reporting Part of the PRA Rulebook (Appendix 1).
  • Amendments to the Notifications Part of the PRA Rulebook (Appendix 1).
  • PRA’s new Supervisory Statement (SS) 1/26 – Operational resilience: Incident reporting (Appendix 2).
  • Updated SS2/21 – Outsourcing and third party risk management (Appendix 3).

The sections of PS7/26 that deal with operational incident reporting are relevant to all UK banks, building societies, PRA-designated investment firms and branches of overseas banks, and UK Solvency II firms, and the Society of Lloyd’s and its managing agents. The final policy dealing with outsourcing and third-party reporting is relevant to all PRA-regulated firms.

The PRA reports that the key changes it has made in light of the responses to CP17/24 are:

  • Updating and clarifying the approach to MTP reporting policy through amending the rule on notification.
  • Amending the scope of MTP notification requirements to exclude credit unions with less than £50 million in assets and all third country branches.
  • Reduced reporting burden by updating and refining the MTP reporting templates to ensure full alignment across supervisory authorities. The register and notification templates have been separated to provide firms with further flexibility and the number of data fields in the reports reduced. To support easier submission, the PRA and the FCA have developed a single platform for notification, FCA Connect.
  • Updated and refined the incident report to limit the reporting burden by merging the three proposed initial, interim and final incident reports into one report. The new single report has been fully aligned across supervisory authorities and with international standards. The report has been simplified further by removing a number of fields and making more fields optional.
  • The PRA has further clarified how firms should identify MTP arrangements by setting out further expectations and examples in SS2/21 – Outsourcing and third party risk management.
  • Further clarity provided on operational incident reporting by improving guidance on the interpretation of the reporting thresholds, timings for reporting and minor policy changes to ensure further alignment across supervisory authorities.

The implementation date for final rules and policy materials in PS7/26 is 18 March 2027.

BoE Policy Statement

In its Policy Statement the BoE sets out its operational incident and outsourcing and third-party reporting (IOREP) rules for FMIs.

Having considered the responses to its earlier consultation, the BoE has made certain changes to the rule instruments (including the code of practice), the guidance in the associated supervisory statements and the reporting documents. The key changes include:

  • Furthering proportionality and reducing regulatory burden by addressing overlaps with existing incident reporting requirements. For central counterparties (CCPs), this is through the addition of a consultation on revoking Rule 4 of Recognised Clearing House Rules Instrument 2018 (see below).
  • Providing more detail on the interaction with the requirement for FMIs to disclose ‘information of which the BoE would reasonably expect notice’ within the meaning of Fundamental Rule 7, and the expectation of ongoing supervisory engagement during an incident.
  • Providing greater clarity around the operational incident reporting threshold through amendments to the rule instruments for CCPs and central securities depositories and the code of practice for recognised payment systems operators and specified service providers that relate to operational incident reporting rules, as well as through additional guidance in the associated supervisory statement.
  • Updating the operational incident Reporting Fields Document and associated guidance to present the three forms as a single form, which will be completed in three stages, remove certain form fields and change certain form fields from mandatory to optional. This will ensure FMIs prioritise submitting key information to the BoE and promote interoperability with international standards.
  • Updating the material third party reporting policy and guidance in the associated supervisory statements to support alignment across the supervisory authorities, improve clarity and reduce burden.
  • Providing separate templates for the notification of material third-party arrangements and the register of material third-party arrangements. This allows for more proportionality in the information submitted.

The IOREP rules and guidance will take effect on 18 March 2027.

Alongside the final IOREP policy, and as set out within the Policy Statement, the BoE is consulting on proposals to revoke Rule 4 of the Recognised Clearing House Rules Instrument 2018 for central counterparties, which duplicates the effect of the IOREP incident reporting rules. The consultation is open until 18 June 2026, and responses should be sent to: FMI-IOREP-CP@bankofengland.co.uk.

Next steps

The new rules in PS26/2 will come into force on 18 March 2027.

Firms affected should read the FCA’s rules and guidance in PS26/2 and the accompanying Finalised Guidance. During the 12 months that firms have to prepare, the FCA will engage with firms to support them in adapting to the rules and reporting technologies.

Two years after implementation, the FCA will review the policies to assess if they meet both its needs and those of firms.