On 13 December 2024, the FCA published Consultation Paper 24/28: Operational Incident and Third Party Reporting (CP24/28).

Rationale

The purpose of the proposals in CP24/28 is to give the FCA a better understanding of firms’ important third-party suppliers (material third parties) and collect information on these arrangements in a more structured manner. This will help the regulator to respond more quickly and effectively to incidents related to third parties, which will in turn benefit firms and the financial sector.

Incident reporting

Chapter 3 of CP24/28 covers proposals for operational incident reporting. These proposals are relevant to firms, payment service providers, UK Recognised Investment Exchanges, registered trade repositories and registered credit rating agencies.

The FCA proposes the following definition of an operational incident: A single event or a series of linked events that disrupts the firm’s operations, where it either: (i) disrupts the delivery of a service to the firm’s clients or a user external to the firm; or (ii) impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to the firm’s clients or a user external to the firm.

In terms of incident reporting, the FCA is proposing to set out rules-based regulatory reporting requirements to standardise the routine reporting of operational incidents. The proposed rules specify which types of incidents firms should report to the FCA and when to report, and introduce a standardised template for doing so. The FCA is also developing a single system which will automate the end-to-end submission of data to help ensure it can assess and respond to operational incidents in a more timely, proportionate, and informed manner. This rule will apply to all directly regulated firms; however, there are some mitigations in place to ensure that the burden on small firms is proportionate.

Third party reporting

Chapter 4 of CP24/28 covers proposals for third party reporting relevant to the following firms: enhanced scope Senior Managers & Certification Regime (SM&CR) firm, bank, PRA designated investment firm, building society, Solvency II firm, Client Assets Sourcebook (CASS) large firm, UK recognised investment exchange (RIE), authorised electronic money institution or an authorised payment institution and a consolidated tape provider.

As for third party provider (TP) reporting, the FCA is aiming to strengthen its existing notification rules around TP risk management within SUP 15 for an estimated 2,200 firms. It is proposed that Board members and Senior Management staff are required to be involved in the governance and oversight of TPs. This will clearly set out the FCA’s expectations on governance, including under the SM&CR, and on record keeping. The FCA will outline detailed TP oversight guidelines to facilitate greater resilience with the adoption of the cloud and other new technologies (FG 16/5 Guidance).

Next steps

The deadline for comments on CP24/28 is 13 March 2025.

The FCA will consider the feedback and publish final rules in a Policy Statement in H2 2025.