FCA consults on new reporting obligations for (i) incidents and (ii) third party arrangements
On 13 December 2024, the FCA published consultation paper CP24/28 (the CP) on proposals for firms to report on operational incidents and, separately, on material third party arrangements. The CP mirrors similar proposals put forward by the PRA and Bank of England on the same day and is designed to align with current international standards (e.g. the EU Regulation on digital operational resilience (DORA)).
Operational incident reporting
Firms are currently required to notify the FCA of operational incidents under Principle 11 and SUP15.3. However, the FCA notes that some firms are unclear on when to report incidents and that reporting is often inconsistent as there is no standardised template. The proposals in the CP aim to introduce a consistent, sufficient, and timely reporting framework. The FCA has also aligned these proposals with other incident reporting regimes (e.g. DORA and the Financial Stability Board's FIRE) where possible.
These proposals apply to (regulated) firms, payment service providers, UK Recognised Investment Exchanges, registered trade repositories and registered credit rating agencies.
The FCA proposes that an "operational incident" be defined as a single event (or series of linked events) that disrupts the firm's operations where it either: (i) disrupts the delivery of a service to the firm's clients or a user external to the firm; or (ii) impacts the availability, authenticity, integrity or confidentiality of information or data relating to or belonging to the firm's clients or a user external to the firm.
Firms would be required to report on operational incidents that breach one or more of the following thresholds:
- Consumer harm: the incident could cause or has caused intolerable levels of harm to consumers, and they cannot easily recover as a result.
- Market integrity: the incident could pose or has posed a risk to market stability, market integrity, or confidence in the UK financial system.
- Safety and soundness: the incident could pose or has posed a risk to the safety and soundness of the firm or other market participants.
Firms would be required to assess for themselves whether an incident has met these thresholds. The FCA does not intend to introduce specific metrics or an exhaustive list of incident types. However, it has provided the following factors for firms to take into account:
- the direct and indirect impact on the firm's clients or the wider sector;
- the direct and indirect impact on the firm's consumers;
- the firm's ability to provide adequate services;
- the firm's or the sector's reputation;
- the firm's ability to meet its legal and regulatory obligations; and
- the firm's ability to safeguard the availability, authenticity, integrity or confidentiality of data or information relating to or belonging to a client or user.
Firms that must report an operational incident will be required to provide an initial incident report, (where relevant) intermediate incident reports to update the FCA on progress, and a final incident report. Reports are to be submitted on an online FCA platform to be developed and following a standardised template. The categories of data required to complete the various reports are set out in Appendix 2 of the CP. The FCA has also included a proposed process for reporting summarised in the figure below:
[Figure: proposed operational incident reporting process. Source: FCA Consultation CP24/28, section 3.28]
Third party arrangements reporting
The FCA also aims to improve its visibility of material third party arrangements and expects that this additional information will assist in identifying systemic risks. The FCA has said that it will use this information to help it identify critical third parties under the separate Critical Third Parties oversight regime (see RPC's separate summary of that regime).
The proposals in the CP apply to a smaller sub-set of firms comprising: (i) enhanced scope Senior Managers & Certification Regime firms; (ii) banks; (iii) PRA-designated investment firms; (iv) building societies; (v) Solvency II firms; (vi) Client Assets Sourcebook large firms; (vii) UK recognised investment exchanges; (viii) authorised electronic money institutions or authorised payment institutions; and (ix) consolidated tape providers.
Firms are currently only required to notify the FCA of material outsourcing arrangements under SUP 15. However, the FCA has found the information provided to be limited and inconsistent. It also considers that the distinction between outsourcing and non-outsourcing third party arrangements is no longer useful as the latter may be just as critical as the former.
As a result, the FCA proposes to include two new definitions in the Handbook:
- "third party arrangement": any arrangement for products or services between a firm and a service provider, including both outsourcing and non-outsourcing arrangements as well as intra-group arrangements.
- "material third party arrangement": any third party arrangement where a disruption or failure in performance could do one or more of the following: (i) cause intolerable levels of harm to the firm's clients; (ii) pose a risk to the soundness, stability, resilience, confidence, or integrity of the UK financial system; or (iii) cast serious doubt on the firm's ability to satisfy the threshold conditions (under the Handbook) or meet its obligations under the FCA's Principles for Business or under SYSC 15A (operational resilience).
When determining the materiality of a third party arrangement, firms would be required to consider the following factors:
- direct connection to the performance of a regulated activity;
- size and complexity of the business area/function supported by the third party arrangement;
- the potential impact of a disruption, failure, or inadequate performance of the third party arrangement on the firm;
- the firm's ability to scale up the third party service; and
- the firm's ability to substitute the service provider or bring the service in-house.
The FCA has clarified that basic utilities (e.g. electricity) and functions that are statutorily required to be performed by a service provider (e.g. audits) are out of scope of this framework.
Firms would be required to notify the FCA of any material third party arrangement prior to entering into or significantly changing that arrangement. The FCA has proposed templates for notifications (in Appendix 3 of the CP) which have been aligned, as far as possible, with other requirements, e.g. the EBA Outsourcing Guidelines and DORA. Firms would also have to maintain and submit a register of material third party arrangements annually using an FCA platform.
The existing definition of "material outsourcing" remains as is. Firms which are caught by this new reporting framework would only need to notify material outsourcings under the new rules, so will not need to notify the FCA twice. Firms which are not caught by the new reporting framework would still need to notify the FCA of material outsourcings under SUP 15.
Finally, there is a reference in the CP (section 4.13) to firms being required to implement "controls that are appropriate to the materiality" of a third party arrangement. The FCA states (in the consultation) that these controls would not have to be the same as those that apply to outsourcings under SYSC 8 (SYSC 13.9 for insurers), but does not otherwise explain what is expected of firms in this regard.
Next steps
The deadline for comments is 13 March 2025. The FCA will consider feedback and publish finalised rules in H2 2025.