On 13 December 2024, the PRA and FCA published landmark consultation papers on operational incident and third party reporting. These new proposals mark a turning point for UK banks and investment firms, setting out how to report operational disruptions and their critical external relationships.
The operational incident and third party reporting framework aims to boost sector resilience. Firms must report incidents that harm consumers, compromise market integrity, or risk financial stability. Standardised definitions and thresholds offer clarity on what to report and when, ending years of confusion around regulatory expectations. Third party reporting is expanded to cover not just outsourcing, but all material external relationships, targeting organisations with the greatest market impact.
Mandatory phased incident reporting is at the heart of this guidance. Firms will need to submit initial, ongoing, and final reports through the FCA’s Connect portal. These reports will need to focus on impact assessment, remediation, and lessons learned. Registers of material third parties will be logged at least annually, using the FCA RegData platform. The proposals reflect international standards such as DORA and FSB FIRE, supporting alignment for globally active firms.
Regulators estimate sector-wide compliance costs of over £11m, but highlight benefits including better risk oversight, reduced sector vulnerabilities, and improved response to external threats. Experience shows that most incidents have a third-party dimension, especially as reliance on tech providers grows.
Compliance is now strategic, not just operational. We are advising our clients to audit incident thresholds, map material third-party exposures, and ready reporting processes in advance of go-live. Early action is critical. Firms should leverage expert external support to prepare gap analyses and implement compliance roadmaps.
For bespoke advice or a readiness review, contact our team of operational resilience specialists today.