Why now?
Operational resilience is a key risk area being monitored by the UK regulators. It was brought sharply into focus in 2024 when a widely relied upon IT service provider released an update containing a defect that caused widespread systems outages. The UK regulators have shared their lessons learned from this significant operational incident and are now focusing on how to strengthen the operational resilience framework applicable to regulated financial services firms by clarifying or enhancing regulatory reporting requirements.
Enforcement action relating to operational incidents has been relatively rare. However, in the past two years the FCA and PRA announced two significant enforcement outcomes against firms and individuals for operational resilience failings, with one fine reaching GBP48.5 million.
The FCA, in particular, is establishing itself as a data-led regulator. Clarifying what it considers to be a reportable operational incident should provide it, and the other regulators, with better data on what is happening and where, and enable it to intervene at an early stage to strengthen resilience and prevent harm. However, this is also likely to make it easier for the FCA and PRA to take enforcement action against firms who fail to meet these new or clarified expectations, especially where an operational incident results in significant customer harm.
Proposals for incident reporting
The FCA and PRA receive notifications concerning operational incidents from authorised firms pursuant to their overarching Principle 11 and Fundamental Rule 7 obligations. However, the PRA and FCA rules do not currently specify what constitutes an operational incident, when one should be reported, what information should be included, or how to submit such reports. The FCA consultation paper suggests firms may currently be underreporting incidents.
Both regulators are now proposing to define an operational incident as:
“A single event or a series of linked events that disrupts the firm’s operations, where it either:
- disrupts the delivery of a service to the firm’s clients or a user external to the firm; or
- impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to the firm’s clients or a user external to the firm”.
Firms would be required to submit standardised reports on ‘operational incidents’ that breach one or more of the following thresholds:
- Risk of harm to consumers or policyholders: The incident could cause or has caused intolerable levels of harm to consumers, and they cannot easily recover as a result or, for insurers, the incident poses a risk to the appropriate degree of policyholder protection.
- Market Integrity: The incident could pose or has posed a risk to market stability, market integrity, or confidence in the UK financial system.
- Safety and Soundness: The incident could pose or has posed a risk to the safety and soundness of the firm and/or other market participants.
There is likely to be some overlap between the proposed incident reporting rules and the new operational resilience rules that firms need to have implemented by 31 March 2025. For example, for the incident reporting threshold relating to consumer harm, the FCA proposes to replicate the concept of intolerable harm introduced with the new operational resilience rules. But firms will need to exercise caution: although the proposed criteria for identifying reportable operational incidents are similar to the criteria for identifying ‘important business services’ under the new operational resilience rules, they are not identical, and this could cause some confusion.
The regulators will not be providing a definitive list of reportable incidents. Determining which operational incidents meet the reporting thresholds will be a matter of judgement for firms, who will be expected to consider all relevant factors, including:
- the direct and indirect impact on the firm’s clients or the wider sector;
- the direct and indirect impact on the firm’s consumers;
- the firm’s ability to provide adequate services;
- the firm’s or the sector’s reputation;
- the firm’s ability to meet its legal and regulatory obligations; and
- the firm’s ability to safeguard the availability, authenticity, integrity or confidentiality of data or information relating or belonging to a client or user.
The FCA also provides detail on additional elements to consider when assessing each of the three thresholds. Helpfully, the FCA goes on to set out ten case study examples to put the concept of operational resilience, and when to report an operational incident, into context, such as where an outage at one firm may trigger reporting obligations not only for itself but also for other firms. We recommend that firms work through the thresholds and case studies, and assess them against their existing reporting frameworks to identify potential gaps and overlaps (especially in light of the incident reporting requirements under the EU’s new Digital Operational Resilience Act (DORA) regime). If a reportable incident occurs, the regulators propose to require firms to submit at least three reports:
- An Initial Incident Report, even if an incident is resolved shortly after it occurs. This should be submitted as soon as it is practical to do so.
- One or more subsequent Intermediate Incident Reports updating on the progress of the incident, including when it is resolved.
- A Final Incident Report, within 30 working days after the incident is resolved.
Wider reporting obligations
Firms need to consider these proposals alongside existing reporting obligations that may also be triggered by an operational incident. For example, a cyber attack that only impacts employee personal data would not trigger a report under the FCA’s proposals, but may still trigger reporting obligations under the UK GDPR to the Information Commissioner’s Office. While the FCA explains that the proposed rules are designed to align with other incident reporting regimes and international standards, such as the Financial Stability Board’s (FSB’s) Format for Incident Reporting Exchange (FIRE) and DORA, firms will still need to assess each obligation independently.
Third party reporting
In light of firms’ increasing reliance on third parties to provide their services, the FCA proposes to require a subset of firms that “have the biggest consumer and market impact” (namely banks) to also report their material third party arrangements to the FCA.
The proposals for third party reporting include:
- expanding the scope of existing outsourcing notifications, covering both material outsourcing and material non-outsourcing arrangements (collectively referred to as ‘material third party arrangements’) for in-scope firms;
- providing a template for firms to submit notifications of new arrangements and changes to existing arrangements; and
- requiring firms to maintain and submit a register of these arrangements to the FCA, ensuring this is up to date annually.
The FCA is proposing to collect information only on firms’ ‘material third party arrangements’, being highly important third party arrangements where a disruption or failure in performance of the product or service provided could do any one or more of the following:
- cause intolerable levels of harm to the firm’s clients;
- pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system; and/or
- cast serious doubt on the firm’s ability to satisfy the threshold conditions, or meet its obligations under the FCA’s Principles for Business, or under SYSC 15A (operational resilience).
If a firm deems a third party arrangement to be ‘material’, it is expected to implement controls that are appropriate to the materiality of the arrangement.
Once again, the FCA makes reference to the fact that these rules are designed to align with DORA’s various requirements on third party risk management and reporting, as appropriate. Indeed, to “reduce the regulatory burden on firms”, the proposed list of information to be provided to the FCA aligns with the EU’s DORA Final Report on draft ITS on Register of Information, Annex III (Type of ICT services taxonomy), but is modified to include additional relevant non-ICT services.
What firms should do now
It is clear that operational resilience will be a key focus for the UK’s financial regulators in 2025. Firms should therefore ensure it is also at the top of their 2025 agenda by taking account of these reporting proposals alongside their preparations for compliance with the new UK operational resilience rules and DORA. If the proposals are implemented, the regulators will have the ability to take enforcement action against firms who fail to meet these new or clarified expectations, at a time when operational outages are being widely and critically reported on.
The consultation closes on 13 March 2025 and a policy statement is expected in the second half of 2025.