Upcoming changes to the FCA’s outsourcing rules: how to prepare

Ülkü Doğan, consultant at Pathlight, highlights new requirements for firms to notify the FCA of material third party arrangements, including non-outsourcing arrangements.

Ülkü Doğan | Pathlight
3rd March 2025

The FCA is currently consulting on changes to the incident reporting process and on expanding third-party supplier reporting requirements. The consultation paper is open to feedback until 13th March, with final rules expected in the second half of this year. This consultation, coupled with the new rules on direct regulation of designated critical third parties, suggests the FCA is focused on tightening up the operational resilience of the UK financial services sector.

What is proposed in the new consultation?

Currently, firms have a general requirement to notify the regulator of any matters which have a serious regulatory impact, but there are no specific reporting requirements for operational incidents. A notification requirement also exists for material outsourcing arrangements before sign-off or when making significant changes. The FCA’s proposed rules bring changes and enhancements to both these requirements. 

Reporting incidents

Currently, the regulations are not clear on which events the FCA would classify as operational incidents and when to report. The proposed rules aim to bring greater clarity by defining ‘operational incident’ as an operationally disruptive event that disrupts the delivery of an externally facing service, or “impacts the confidentiality, availability, authenticity or integrity of data”. In addition, there are definitions for the reporting thresholds based on consumer harm, market integrity and the firm’s safety and soundness criteria.

The FCA has also attempted to clarify the notification process by introducing requirements to submit four reports: an initial report, interim report(s) on progress, a final report and a lessons learned report (within certain timeframes). There are specific formats used for each type of submission and each requires a comprehensive data submission. It is therefore likely to take firms some time to understand and get used to the new rules, but once they do, it should be a more efficient process. 

The consultation paper explains the four categories of information to report: reporting details, incident details, impact assessment and incident closure, which are in line with Financial Stability Board and EU standards.

Reporting material third party arrangements

The rules also propose that a smaller subset of firms (notably including banks, large CASS firms and e-money and payment institutions) must notify the FCA of material third party arrangements, including non-outsourcing arrangements. This will bring purchases of software, hardware and on-premise IT platforms within the scope of regulatory notification requirements. The purpose of this is to ensure that the regulators have sufficient information for identification of Critical Third Parties (CTPs), which may be software providers whose services are not necessarily classified as outsourcing.

The consultation paper also provides a template for firms to submit notifications, which includes a comprehensive set of data points and is in line with the template used by the Digital Operational Resilience (DORA) framework from the EU, which many firms will be familiar with.

What should firms be doing now?

Only minor changes are expected to the rules as set out in this consultation paper, with the majority of rules coming into effect in the second half of 2025. Firms should therefore consider preparing now, including conducting a gap analysis against current and proposed rules. This should cover responsibilities and processes for reporting operational incidents internally and externally.

Firms should also ensure that they have a complete register of outsourcing and third-party arrangements capturing relevant data, along with up-to-date risk and materiality assessments in place.

This preparatory work will also be useful for firms’ annual operational resilience self-assessments and scenario testing, so you should see it as a worthwhile exercise.
