PRA (CP17/24) and FCA (CP24/28): Consultations on operational resilience - operational incident and third party management reporting dated 13 December 2024 (the "Consultations")
Background
The PRA and FCA are consulting in parallel on new requirements for reporting in relation to (i) operational incidents and (ii) material third party arrangements ("TPA") (including outsourcings). The proposals bring together several policy objectives under the 'operational resilience' banner, broadly aiming to achieve:
- more timely, accurate and consistent reporting of certain operational incidents, and notification of material TPA (outsourcings and non-outsourcings); and
- data to enable the regulators to minimise the impact of operational disruptions (such as cyber attacks or IT outages) and to understand firms' increasing reliance on third parties.
The data in relation to TPA will also assist the regulators in identifying important service providers for potential designation as "critical" under the new UK Critical Third Parties regime (similar to the EU DORA regime for ICT service providers).
Both elements of the proposals could mean a significant compliance uplift for banks and other in-scope firms (see What does this mean for firms? below).
The Bank of England is also consulting on equivalent requirements for Financial Market Infrastructure firms (not covered in this briefing).
The response deadline is 14 March 2025.
Quick read
Operational incidents: new requirements -
- firms must report to the PRA/FCA certain operational incidents which could cause, or have caused, harm to customers, to the financial safety and soundness of the firm or to market stability, or which otherwise harm the regulators' other statutory objectives;
- three-stage reporting (initial, intermediate and final reports), with escalating data requirements; and
- mandatory report templates and data fields, broadly aligned with DORA.
Material TPA: new requirements -
- firms must notify the PRA/FCA before entering into, or significantly changing, a "material" TPA (all material TPA must be notified to the FCA; only those which pass a risk-based test must be notified to the PRA);
- firms must maintain a register of information relating to "material" TPA and submit the register annually to the PRA/FCA;
- mandatory report and register templates and data fields, broadly aligned with DORA; and
- not applicable to smaller or lower-risk FCA firms.
The proposals are mostly aligned between the PRA and FCA, but there are important differences, such as the PRA only requiring notification of material TPA on a risk-based approach.
Existing requirements for material outsourcings (and other existing reporting/notification requirements) remain in place.
Implementation is possible in H2 2026.
Key proposals at a glance
The tables below give a simplified summary of the main elements of the PRA and FCA proposals and some key differences between them.
Operational incidents
Proposals - overview | FCA | PRA | Comments |
--- | --- | --- | --- |
Scope: which firms | FCA regulated firms; payment service providers; UK RIEs; registered trade repositories; and registered credit rating agencies | UK banks; building societies; PRA designated investment firms; UK branches of third country banks (in relation to branch activity); UK Solvency II firms; Society of Lloyd's; and managing agents | |
Sources: where the new requirements will be located | Requirements: SUP 15.18 (see draft Handbook text in Appendix 1 to CP 24/28). Data template reporting fields: see link to form in Appendix 2 to CP 24/28 | Requirements: new Regulatory Reporting Part 24. Guidance: new supervisory statement (SS) (Operational Resilience: Incident Reporting) (see draft text in Appendix 2 to CP 17/24). Data template reporting fields: see Appendix 5 to CP 17/24 | |
New definitions | "Operational incident": either a single event or a series of linked events which disrupts the firm's operations such that it: | "Operational incident": either a single event or a series of linked events which disrupts the firm's operations such that it: | Note the differences between the PRA and FCA definitions: the FCA refers to clients as well as other external users. Examples given of potentially reportable incidents: cyber attacks, process failures, systems update failures and infrastructure problems. |
Reporting obligations | Trigger: an "operational incident" which: Factors to consider (non-exhaustive list) in determining whether the threshold is breached: Three phases of report: initial, intermediate and final | Trigger: an "operational incident" which could pose a risk to: Factors to consider (non-exhaustive list) in determining whether the threshold is breached: | Only crystallised incidents need to be reported (non-crystallised incidents may still be reportable under Principle 11 / Fundamental Rule 7). A Final Report must be submitted even if the incident has been resolved. Payment institutions will continue to have parallel reporting obligations under the Payment Services Regulations; the draft FCA rules permit a single report or both. |
Timing of reporting | | | |
Form of reporting | Prescribed form and data fields table, to be in SUP 15 Annex 15R (see link in Appendix 2 to CP 24/28) | Prescribed form and data fields (see link in Appendix 5 to CP 17/24) | |
When will the new regime come in? | TBC. FCA plans to publish final rules in H2 2025 | TBC. PRA indicates implementation no earlier than H2 2026 | |
Third Party Arrangements
Proposals - overview | FCA | PRA | Comments |
--- | --- | --- | --- |
Scope: which firms | Banks; building societies; PRA designated investment firms; enhanced scope SMCR firms; Solvency II firms; CASS large firms; UK RIEs; authorised e-money institutions; authorised payment institutions; and consolidated tape providers | UK banks; building societies; PRA designated investment firms; UK branches of third country banks (in relation to branch activity); UK Solvency II firms; Society of Lloyd's; and managing agents | FCA: generally larger firms only, but applies to all authorised payment institutions and e-money institutions regardless of size. |
Sources: where the new requirements will be located | Requirements: SUP 13.9, SUP 15.19 and SUP 16.33 (see draft Handbook text in Appendix 1 to CP 24/28). Data template reporting fields: see link to form in Appendix 3 to CP 24/28 | Requirements: new Regulatory Reporting Part 25 (register) and Notifications Part 2.3B-D (notifications). Guidance: amendments to SS2/21 (Outsourcing and third-party risk management) (see draft text in Appendix 3 to CP 17/24). Data template reporting fields: see Appendix 6 to CP 17/24 | |
New definitions | "Third party arrangement": an arrangement of any form between a firm and a service provider, whether or not the product or service is: (a) one which would otherwise be provided by the firm itself; (b) provided directly or by a sub-contractor; or (c) provided by a person within the same group as the firm (Glossary). "Material third party arrangement": a third party arrangement which is of such importance that a disruption or failure in the performance of the product or service provided to the firm could: (a) cause intolerable levels of harm to the firm's clients; (b) pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system; or (c) cast serious doubt on the firm's ability to satisfy the threshold conditions, or meet its obligations under the Principles, or under SYSC 15A (Operational resilience). | "Third party arrangement": any arrangement whereby a person provides to a firm a product or service, whether or not the product or service: (1) is one which would otherwise be provided by the firm itself; (2) is provided directly or by a sub-contractor; or (3) is provided by a person within the same group as the firm. "Material third party arrangement": a third party arrangement which is of such importance that a disruption or failure in the performance of the product or service provided to the firm could: (1) pose a risk to: (a) the firm's safety and soundness; (b) in the case of an insurer, an appropriate degree of protection for those who are or may become the firm's policyholders; or (c) where the firm is, or is controlled by, an O-SII, or is a relevant Solvency II firm, the stability of the UK financial system; or (2) cast serious doubt upon the firm's ability to satisfy the threshold conditions, the Fundamental Rules, the Operational Resilience Part, the Insurance – Operational Resilience Part or the Operational Continuity Part of the PRA Rulebook. | Similar definitions, but with different elements reflecting the regulators' different statutory objectives. Existing definitions and requirements in relation to "outsourcings" will remain in place. "Product" could include, for example, software. |
Reporting obligations | Trigger: when entering into, or significantly changing, a material third party arrangement. Factors to consider (non-exhaustive list) in determining whether "material" and reportable, examples given: (1) direct connection to the performance of regulated activities etc; (2) size and complexity of the business areas or functions supported by the TPA; (3) potential impact of a disruption or failure in performance of the TPA on: (a) the firm's business continuity, operational resilience and operational risk; (b) the firm's ability to comply with legal and regulatory requirements; (c) the firm's ability to conduct appropriate audits of the relevant function, service or service provider; (d) the firm's ability to identify, monitor and manage all risks; (e) the firm's obligations under the FCA Handbook; (f) the firm's obligations in relation to protection of data; (g) the firm's clients or counterparties; (4) the firm's ability to scale up the third party service; and (5) the firm's ability to substitute the service provider or bring the outsourced service back in-house. | Trigger: when entering into, or significantly changing, a material and reportable third party arrangement which, due to the risks, necessitates a high degree of due diligence, risk management or governance by the firm. Factors to consider (non-exhaustive list) in determining whether "material": risk to, or material impairment of, (1) UK financial stability (Solvency II firms only); (2) the firm's ability to meet the threshold conditions, Fundamental Rules, relevant legislation and PRA rules; (3) the firm's safety and soundness (including financial resilience and operational resilience); (4) (insurers only) the ability to provide an appropriate degree of protection for policyholders, and the requirement not to undermine continuous and satisfactory service to policyholders; and (5) OCIR and resolvability. | The PRA's trigger is risk-based and proportionate; the FCA's is not. The PRA factors are based on the existing factors for identifying a "material outsourcing" in the current SS2/21. |
Timing of reporting | Pre-notification: "before making any internal or external commitments" | No specific timing; the Notifications Part applies | |
Form of reporting | Prescribed form and data fields table, to be in SUP 15 Annex 16R (see Appendix 3 to CP 24/28) | Prescribed form and data fields (see link to draft material TPA template in Appendix 6 to CP 17/24) | |
Register obligations | Firm must: | Firm (except a third country firm, non-directive firm or small credit union) must: | |
Form of register | Prescribed form and data fields, to be in SUP 16 Annex 59R (see Appendix 3 to CP 24/28) | Prescribed form and data fields (see Appendix 6 to CP 17/24) | Similar data fields to the EU DORA equivalent register. |
When will the new regime come in? | TBC. FCA plans to publish final rules in H2 2025 | TBC. PRA indicates implementation no earlier than H2 2026 | |
What does this mean for firms?
If these proposals go ahead, actions for in-scope firms to consider include:
- Operational incidents: gap analysis to identify how the new operational incident data and reporting requirements fit with existing processes, including:
  - how operational incidents are identified, assessed and notified (or not) to regulators;
  - what data (including root cause analysis) is gathered for operational incidents and whether that will meet the new obligations; and
  - how the proposed reporting templates will integrate with existing processes. For some firms, existing processes will have been recently engineered to meet DORA standards.
- TPA: gap analysis to identify how the new material TPA register and reporting requirements fit with existing processes, including:
  - how TPAs are identified, assessed as "material" and notified (or not) to regulators;
  - what data is gathered on TPAs and whether that will meet the new obligations; and
  - how the proposed reporting templates will integrate with existing processes. For some firms, existing processes will have been recently engineered to meet DORA standards.
- For dual regulated firms, consider:
  - how the new requirements fit with existing requirements (and processes) in relation to material outsourcing and operational resilience; and
  - how to navigate the different tests (PRA versus FCA) for "material" TPA.
- Contracts with service providers: check whether the terms allow the firm to receive sufficient information about operational incidents to comply with the new reporting requirements. To support timely reporting that aligns with FCA/PRA expectations, the terms should include notification thresholds that track the operational incident definition, notification timelines that support phased reporting (initial, intermediate and final) and provision of any root cause analysis carried out. These terms should also be considered alongside the broader regulatory frameworks, such as the EU's DORA regime and the UK's Critical Third Parties oversight regime.
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.