Operational resilience: operational incident reporting for FMIs

Supervisory statement
- ## Related links Related links

• Outsourcing and third party risk management Supervisory Statement: CCPs (until 18 March 2027)
• Operational resilience: operational incident and third-party reporting for FMIs

---

Published on

18 March 2026

---

The Bank of England has published its supervisory statement for operational incident reporting for financial market infrastructures (FMIs). This supervisory statement provides guidance to support FMIs in meeting the operational incident reporting rules contained in the Bank’s operational incident and outsourcing and third-party reporting (IOREP) policy for FMIs. It sets out how FMIs should interpret the definition of operational incident, understand the relationship with existing incident reporting and disclosure requirements, comply with the operational incident reporting thresholds, and follow the phased approach to incident reporting through the Financial Conduct Authority (FCA) Connect platform. The Bank is following a joint approach with the Prudential Regulation Authority and FCA. The IOREP rules and guidance will take effect on 18 March 2027.

1: Introduction

1.1 This SS sets out the Bank’s expectations of how recognised UK central securities depositories (CSDs), recognised UK central counterparties (CCPs) and recognised payment system operators (RPSOs) and specified service providers (SSPs) should comply with the Bank’s requirements for reporting an operational incident.

1.2 These requirements seek to support the operational resilience of the UK financial sector by collecting information from FMIs on operational incidents which could disrupt an FMIs’ provision of its important business services (IBS) or pose a risk to UK financial stability. Further, the aim of the operational incident reporting policy is to set out clear and consistent reporting requirements and expectations for FMIs for when they experience an operational incident.

1.3 The rules underpinning these supervisory expectations apply to recognised UK CCPs, recognised UK CSDs, RPSOs and SSPs . In respect of an RPSO or SSP that is incorporated outside of the UK, the Bank will determine on a case-by-case basis whether this RPSO or SSP will be subject to the Bank’s requirements and expectations, taking into account factors such as systemic importance in the UK and the extent to which the local (home-country) regulatory and supervisory framework delivers equivalent outcomes in terms of operational incident and outsourcing and third-party reporting for FMIs. Where the Bank determines that an RPSO or SSP that is incorporated outside of the UK should not be subject to the Bank’s requirements and expectations, the Bank expects to issue a direction to that RPSO or SSP under section 191 of the Banking Act 2009 disapplying the relevant requirements.

1.4 The expectations set out in this SS should be read in conjunction with:

• Notifications and Regulatory Reporting rules for CCPs/CSDs.
• The Operational Resilience and Notifications and Regulatory Reporting parts of the Code of Practice (CoP) for RPSOs/SSPs.
• The Bank’s supervisory statements on ‘Operational resilience: impact tolerances for important business services’. 1.5 FMIs are expected to comply with the expectations in this supervisory statement from 18 March 2027.

Structure of this supervisory statement

• Section 2 – sets out the relationship with existing incident reporting and disclosure requirements
• Section 3 – sets out how an FMI should interpret the operational incident definitions.
• Section 4 – sets out how an FMI should comply with the operational incident reporting threshold requirements.
• Section 5 – sets out how an FMI should comply with the phased approach to operational incident reporting.

---

2: Relationship with existing incident reporting and disclosure requirements

2.1 The Bank notes that operational incident reports received from CSDs in line with the requirements and expectations set out in this policy are considered to meet CSDs’ obligations to notify the Bank of certain operational incidents in accordance with Article 45(6) of the UK Central Securities Depositories Regulation (UK CSDR).

2.2 However, as noted above, the operational incident report does not replace or curtail the requirement for FMIs to disclose to the Bank incidents within the meaning of Fundamental Rule 7 of the Bank’s Fundamental Rules for FMIs. [1] Consistent with current supervisory practice, the Bank expects this may include, where appropriate, email or phone notification of near-misses, and emerging or evolving incidents. The Bank expects to hold iterative discussions with individual FMIs regarding their implementation of this requirement, alongside the operational incident reporting requirements contained in this supervisory statement. This includes how FMIs should provide prompt notifications, calibrated to take into account guidance from the relevant supervisory teams.

---

3: Definitions

Important business services

3.1 ‘Important business services’ is defined in the glossary of the FMI Rulebook for CCPs and CSDs and section 1.3 in Part 2 of the Code of Practice for RPSOs and SSPs. For CCPs and CSDs, it means a service which, if disrupted for a prolonged period, would pose a risk to the stability of the UK financial system by significantly disrupting the orderly functioning of a market to which a CCP or CSD provides that service.

3.2 For RPSOs it means a service provided to an end user which, if disrupted, could threaten the transfer of payments or safety and efficiency of a payment system. For SSPs, it means, a service provided by a SSP to a RPSO which, if disrupted, could threaten the transfer of payments or safety and efficiency of the RPSO.

Operational incident

3.3 The Bank defines an operational incident in the glossary of the FMI Rulebook for CCPs and CSDs and section 1.3 in Part 4 of the Code of Practice for RPSOs and SSPs as ‘either a single event or a series of linked events which disrupts the FMI’s operations such that it:

1. disrupts the delivery of a service to an end user external to the FMI; or
2. impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such end user’. 3.4 The Bank would consider a ‘series of linked events’ to include those whose cumulative impact results in a disruption to the FMI’s operations. This could include an event having cascading effects or multiple events originating from the same root cause. Examples may include but are not limited to:

• A third-party cloud service provider’s data centre suffers an outage due to a pre-existing technical fault. This causes an FMI’s business service platform hosted by a cloud service provider to go offline. The FMI is unable to fail over to another vendor to resume provision of services. The FMI’s end users cannot use digital applications, view their balances, or make payments. The linked events are the technical fault at the third party; and the FMI’s failure to fail over to another vendor.
• A technology analyst uploads an incorrect configuration or reference data file during end-of-day processing. As a result, reconciliation and validation controls fail to identify discrepancies between participant submissions. The FMI subsequently issues incorrect or incomplete instructions to participants, causing widespread transaction failures or delays across multiple end users. Corrected instructions must then be issued manually, leading to further delays in participants’ access to funds or their ability to manage risk. The linked events are a configuration or reference data error and failure of reconciliation or validation controls. 3.5 FMIs should consider whether the end user external to the FMI is identifiable, in line with the Bank expectations in its supervisory statements on operational resilience for FMIs. [2] End users may include FMIs’ participants, retail customers, business customers, other legal entities, trustees, market participants, the supervisory authorities or other members of a regulated entity’s group.

3.6 The Bank requires an FMI to assess whether an incident meets the definition of an operational incident regardless of whether the incident impacts an important business service, or the data is associated with an important business service.

3.7 The Bank requires FMIs to submit a report if an incident meets either one or both criteria in the definition of an operational incident, and if it meets the operational incident reporting thresholds. A potential or uncrystallised event, which does not result in a disruption to a service or result in data loss to an end user external to the firm, would be considered a near-miss and fall outside the scope of operational incident reporting. However, prompt disclosure may still be required of ‘information of which the Bank would reasonably expect notice’ within the meaning of Fundamental Rule 7 of the Bank’s Fundamental Rules for FMIs.

---

4: Operational Incident reporting thresholds

4.1 This section sets out the Bank’s expectations for how FMIs should interpret the thresholds set out in the Notifications and Regulatory Reporting Part of the CCP and CSD rulebook, and in the Notifications and Regulatory Reporting Part of the Code of Practice for RPSOs and SSPs.

4.2 FMIs must submit an operational incident report in the event that the FMI reasonably believes that an operational incident poses a risk of disruption to the provision of an important business service for a prolonged period or otherwise poses a risk to the stability of the UK financial system. The Bank expects FMIs to interpret ‘prolonged period’ conservatively within their agreed impact tolerances and taking into account the nature of the activities that form part of their specific important business services.

4.3 When assessing whether an operational incident meets the threshold and must be reported to the Bank, the Bank would expect FMIs to consider a range of factors. These could include, but are not limited to:

• The FMI’s internal assessment and classification of the incident.
• Operational and financial contagion.
• The FMI’s ability to deliver its important business services.
• The FMI’s ability to meet its legal and regulatory obligations.
• The FMI’s ability to safeguard the availability, authenticity, integrity or confidentiality of data or information relating or belonging to an end user external to the FMI.
• The FMI’s or the sector’s reputation. 4.4 These factors are covered in more detail in the following sub-sections. The above list is not exhaustive and provides guidance on how firms may interpret the threshold.

4.5 The Bank expects FMIs to leverage the information collected through their existing internal incident reporting processes and incorporate consideration of the operational incident threshold alongside existing metrics to assess whether an incident is reportable. The Bank recognises that, in the early stages of incident response, an FMI may not have a complete view of the incident’s impact or its long-term implications. The threshold assessment can only be based on the information available at the time and judgement will be required.

4.6 Examples of operational incidents which the Bank would expect FMIs to report include, but are not limited to:

Cyber attacks, such as:

• A phishing attack on an FMI which compromises the confidentiality of sensitive or critical data belonging to an end user external to the FMI.
• A large-scale distributed denial of service (DDoS) attack on a cloud service provider which causes significant disruption to the delivery of one or more of an FMI’s services. Process failures which significantly disrupt the delivery of a service, for example, in the case of a CCP, the prevention or delay in issuing settlement instructions or registering trades. Alternatively, this could include a system failure that requires a manual workaround, which could in turn lead to a greater possibility of error in the processes being delivered.

System update failures which result in significant disruption of one or more services, for example, in the case of payment systems, the FMI being unable to process a significant number of transactions. This could also capture an update that allows an important business service to continue functioning but increases its vulnerability to cyber attacks.

Infrastructure problems, including extended power outages or infrastructure damage from extreme weather, which results in an FMI being unable to provide one or more of its services. For example, a physical break in a fibre connection at a site resulting in an FMI’s online services being unavailable.

The FMI’s internal assessment and classification of the incident

4.7 An FMI must submit an operational incident report where the operational incident meets the threshold set by the Bank. Where an FMI has assessed an operational incident as high priority according to its own internal procedures, this may be indicative that the Bank’s threshold has been met. Additionally, where an operational incident has resulted in formal escalation, such as, to the Board, this is also likely to be indicative that the Bank’s threshold has been met.

4.8 Examples include but are not limited to an FMI activating its crisis management arrangements, or an FMI categorising an operational incident as a ‘Priority’ critical incident, according to its own internal classification methodology.

Operational and financial contagion

4.8 FMIs are required to submit an operational incident report when an operational incident could pose a risk to financial stability. As set out in the FPC’s macroprudential approach to operational resilience, when determining the potential impact on financial stability, FMIs are expected to consider whether there is a risk of operational contagion or financial contagion.

4.9 The Bank expects FMIs to consider operational contagion, where an operational incident could cause operational disruption elsewhere in the financial system or the real economy. An operational incident affecting the services of an FMI could leave them unable to transact with other FMIs or participate in financial markets. This could have knock-on impacts to the ability of the disrupted FMI’s counterparties to undertake their own activities.

4.10 FMIs should also consider whether an operational incident could result in further financial impacts on the FMI or the financial sector. This includes, but is not limited to, an impact on liquidity flows, access to funding sources, price discovery in certain markets or for particular assets, or an FMI’s ability to make margin payments to a CCP, triggering default proceedings. It may include consideration of whether an operational incident could lead to loss of confidence, for example, through a widespread disruption in retail payments affecting consumers’ confidence in the financial system and real economy.

The FMI’s ability to deliver its important business services

4.11 Section 4 of the Notifications and Regulatory Reporting Part for CCPs and CSDs and Rule 4 of the Notifications and Regulatory Reporting part of the CoP for RPSOs and SSPs requires FMIs to submit an operational incident report where an operational incident could disrupt their delivery of its important business services for a prolonged period. An FMI is expected to consider whether disruption arising from an operational incident is such that its ability to deliver its important business services adequately may be called into question, leading to potential loss of business and damaging revenues.

4.12 This could include, but is not limited to:

• the FMI being unable to provide an important business service (or services) for an extended period of time;
• the FMI being unable to complete or process a significant number of transactions;
• a disruption causing mounting detriment or actual harm to participants or counterparties. 4.13 FMIs should also consider whether to report those operational incidents that pose a risk to delivery of its other services, including where these could impact on its ability to deliver its important business services adequately, thereby impacting UK financial stability.

The FMI’s ability to meet its legal and regulatory obligations

4.14 The Bank expects an FMI to submit an incident report where an operational incident could result in the FMI failing to meet its legal and regulatory obligations.

4.15 In judging whether to submit an incident report, FMIs are expected to consider whether the operational incident would lead to heightened regulatory monitoring, formal regulatory action, or authority intervention.

The FMI’s ability to safeguard the availability, authenticity, integrity or confidentiality of data or information relating or belonging to an end user external to the FMI

4.16 The Bank expects an FMI to submit an operational incident report where an operational incident could compromise the FMI’s ability to safeguard information and data belonging to an end user external to the FMI. This would include data or information:

• becoming temporarily or permanently inaccessible or unusable;
• having questionable authenticity, for example, a data source becoming untrustworthy;
• becoming inaccurate or incomplete;
• being accessed by or disclosed to an unauthorised party or system. 4.17 Examples include, but are not limited to, unauthorised access to data or a loss in sensitive data belonging to an end user external to the FMI, a cyber-attack on the FMI, or an internal service error resulting in a loss of data belonging or relating to an end user external to the FMI.

The FMI’s or the sector’s reputation

4.18 FMIs are expected to submit an operational incident report where an operational incident risks its own reputation or the reputation of the financial sector, therefore impacting financial stability.

4.19 FMIs should consider whether an operational incident could result in a loss of confidence in the FMI itself or the wider financial sector. This could include, where an operational incident causes an FMI’s participants or financial counterparties to revise their view of the FMI, the riskiness of the FMI, its ability to manage its risks and the risks to its business model, or the strength of the financial market.

4.20 Examples may include, but are not limited to:

• a technology outage preventing participants from accessing the FMI’s services resulting in negative sentiment in the media, which has knock-on impacts to confidence in the resilience of access across the sector;
• a third-party process failure, resulting in the corruption of critical data belonging to an end user external to the FMI, leading to negative sentiment in the media and prompting participants to seek to stop using the FMI.

---

5: Approach to phased incident reporting

5.1 When an operational incident meets the prescribed threshold, as set out under the respective Rule 4.1 of the Notifications and Regulatory Reporting Parts for CCPs and CSDs and the Regulatory Reporting Part of the Code of Practice for RPSOs and SSPs, an FMI is required to submit the following incident reports to the Bank:

• the information specified at the initial phase in the Reporting Fields Document, as soon as is practicable after the occurrence;
• the information specified at the intermediate phase in the Reporting Fields Document as soon as is practicable after any significant change in circumstances from that described in the initial phase; and
• the information specified at the final phase in the Reporting Fields Document within 30 working days or, where this is impracticable, as soon as is practicable but not exceeding 60 working days of the operational incident being resolved. 5.2 Under the respective Rules 4.1–4.5, an FMI is required to complete specified information at each reporting phase. While not required, the Bank expects FMIs to provide optional information in the report, where this is available. If an incident originates at a third party, the Bank expects an FMI to take reasonable steps to obtain information regarding the root cause of the incident from the third party.

5.3 An FMI must submit the relevant incident report to the Bank, as stated in the respective Rules 4.1–4.3. FMIs are expected to use the FCA Connect platform to complete the submission.

5.4 Operational incident reporting should not replace all supervisory engagement between an FMI and the Bank **** during an incident, and direct communication with supervision teams may still be needed depending on the scale and type of the incident. The Bank would expect an FMI to disclose to the Bank promptly, and in line with guidance from the supervision team, following the identification of an event falling under the notification requirement that is part of Fundamental Rule 7 of the Bank’s Fundamental Rules for FMIs. This may include, where appropriate, email or phone notification of near misses, and emerging or evolving incidents.

Initial phase

5.5 The Notifications and Regulatory Reporting Parts require FMIs to submit the information specified in the Reporting Fields Document as soon as practicable after an operational incident has occurred and meets one or both of the thresholds in the respective Rule 4.1, as described in Section 3 of this supervisory statement. The Bank would expect an FMI to submit a report within 24 hours of determining an operational incident has met a threshold. The Bank acknowledges that where an operational incident requires all the FMI’s resources to address the incident, the FMI may take longer than 24 hours to submit a report.

5.6 An FMI should balance the need to submit an incident report to the Bank with prioritising the necessary actions to resolve and recover from the operational incident.

5.7 An FMI should take reasonable steps to collect the best available data at the time of submission. The Bank acknowledges that an FMI may gain a more accurate view of the impact of disruption as the incident progresses.

Intermediate phase

5.8 The Notifications and Regulatory Reporting Parts of the respective rules require an FMI to submit the additional information specified in the Reporting Fields Document as soon as practicable after there has been a significant change in circumstances from that described in the last submission. Under Rule 4.2, FMIs are required to submit the information to keep the Bank informed of any significant changes to an operational incident in a timely manner and provide further details on the incident as well as any actions the FMI is taking to resolve or remediate the impact of it.

5.9 A significant change in the incident could include a change in impact or the status of the incident. Examples of where FMIs should update the report at the intermediate phase include, but are not limited to:

• The FMI identifying the origin ofthe incident;
• The impact of an operational incident becoming significantly more severe;
• The activation of a business continuity plan, disaster recovery plan or making other significant changes to the resolution strategy of the operational incident;
• The FMI resolving the operational incident. 5.10 As set out above, an FMI is required to submit the information specified for the intermediate phase each time a significant change occurs. This means that FMIs may be required to provide further information more than once. An FMI is required to submit information at the intermediate phase at least once to inform the Bank that it has resolved the operational incident.

5.11 In the event that an FMI has resolved an operational incident prior to submitting an initial report, an update in the intermediate phase may not be necessary. An FMI can indicate it has resolved the incident in the initial phase and move straight to the final phase.

5.12 An FMI’s update to the report should only include new information or data not previously submitted to the Bank in the intermediate phase, prioritising significant changes to the circumstances of an operational incident.

5.13 An FMI should balance the need to submit an incident report to the Bank with prioritising the necessary actions to resolve and recover from the operational incident.

Final phase

5.14 An FMI must submit the information specified at the final phase in the Reporting Fields Document to the Bank within 30 working days after the operational incident has been resolved or, where this is not practicable, as soon as is practicable but not exceeding 60 days after the operational incident has been resolved.

5.15 The Bank expects an FMI to submit the final update within 30 working days after the operational incident has been resolved unless there are circumstances which would necessitate further time to collect all the information required in the final report. Reasons for such a delay could include where an incident is so complex that the FMI does not immediately know the root cause, or where the FMI relies on a third party for the necessary information.

5.16 FMIs are expected to inform the Bank when it is impracticable to submit the final update ~~~~ within 30 working days after the operational incident has been resolved, explaining the reason as to why it is impracticable and the expected timeframe for the submission of the final report update.

1. The Fundamental Rules for FMIs take effect on 19 July 2026.
2. Bank of England policy on Operational Resilience of FMIs.

Related links

• Outsourcing and third party risk management Supervisory Statement: central counterparties
• Operational resilience: operational incident and outsourcing and third-party reporting for FMIs
• Updated outsourcing and third-party risk management: central counterparties
• Updated outsourcing and third-party risk management: central securities depositories
• Updated outsourcing and third-party risk management: recognised payment system operators and specified service providers

---

Convert this page to PDF

---

Other publications

Publication // Supervisory statement

18 March 2026

Updated outsourcing and third-party risk...

Updated outsourcing and third-party risk management: recognised payment system operators and specified... Publication // Supervisory statement

18 March 2026

Updated outsourcing and third-party risk...

Updated outsourcing and third-party risk management: central securities depositories Publication // Supervisory statement

18 March 2026

Operational resilience: operational incident...

Operational resilience: operational incident reporting for FMIs Publication // Supervisory statement

18 March 2026

Updated outsourcing and third-party risk...

Updated outsourcing and third-party risk management: central counterparties View more

---

Back to top