FCA Final Rules: Operational Incident and Third Party Reporting
Summary
The FCA has published final rules and guidance for operational incident and material third party reporting. These rules, which will apply from 18 March 2027, aim to standardize reporting processes and enhance oversight of critical third-party arrangements within the financial sector.
What changed
The Financial Conduct Authority (FCA) has issued final rules and accompanying guidance (PS26/2, FG26/3, FG26/4) establishing new regulatory regimes for operational incident and material third party reporting. These rules define what constitutes an operational incident and a material third party arrangement, set reporting thresholds, and introduce standardized reporting processes. The new framework aims to improve the FCA's ability to grasp the impact of incidents on firms and markets, particularly given increasing reliance on third-party services and the sophistication of cyber threats. The rules are a result of consultation CP24/28 and align with similar regimes from the PRA and Bank of England.
The new requirements will come into force on 18 March 2027, giving affected firms approximately 12 months to prepare. Firms must familiarize themselves with the definitions, thresholds, and reporting procedures outlined in the policy statement and finalised guidance. This includes maintaining a register of material third-party arrangements and submitting it annually, as well as reporting new or significantly changed arrangements. The FCA will engage with firms during the preparation period to support adaptation. Two years post-implementation, the FCA will review the policies' effectiveness.
What to do next
- Review FCA Policy Statement PS26/2 and Finalised Guidance FG26/3 and FG26/4.
- Develop and implement processes for defining, reporting, and managing operational incidents according to new thresholds and standards.
- Establish a register for material third party arrangements and a process for annual submission and notification of changes.
Source document (simplified)
PS26/2: Operational incident and third party reporting
- Consultation published: 13/12/2024
- Consultation closed: 13/03/2025
- Policy Statement published: 18/03/2026
Policy statements
First published: 18/03/2026
Last updated: 18/03/2026
Our final rules and guidance setting out requirements for reporting operational incidents and material third party arrangements.
Read FG26/3: Operational Incident Reporting (PDF)
Read FG26/4: Material Third Party Reporting (PDF)
Why we are changing
When operational incidents occur, the disruption to the services firms provide can harm consumers and the wider sector. Additionally, many of the incidents reported to us originate at third parties, with firms becoming increasingly reliant on the services they provide.
Following our consultation CP24/28 (PDF), we’ve created single FCA, PRA and Bank of England regulatory regimes for operational incident and third party reporting that will apply from 18 March 2027.
Find out more if your firm is regulated by the PRA and the Bank of England.
Operational incident reporting
Our final rules:
- Define what an operational incident is.
- Set out the thresholds for when firms must report an incident.
- Introduce a standardised reporting process so all firms make a single submission regardless of the regulator(s) the report is for.
- Set out how firms will submit standard or enhanced incident reports.
Third party reporting
Our final rules:
- Define what a material third party arrangement is.
- Require firms to notify the FCA of any new, or any significant changes to material third party arrangements.
- Require firms to maintain a register for their material third party arrangements, and to submit it to the FCA annually.
Who this applies to
Operational incident reporting:
- All firms with a Part 4A permission
- Payment service providers
- UK Recognised Investment Exchanges (RIEs)
- Registered trade repositories
- Registered credit rating agencies
Third party reporting:
- Enhanced scope Senior Managers & Certification Regime (SM&CR) firms
- Banks
- Designated investment firms
- Building societies
- Solvency II firms
- Client Assets Sourcebook (CASS) large firms
- UK RIEs
- Authorised electronic money institutions or authorised payment institutions
- Consolidated tape providers
Next steps
The new rules will come into force on 18 March 2027.
Firms affected should read our rules and guidance in this Policy Statement and the accompanying Finalised Guidance. During the 12 months that firms have to prepare, we will engage with firms to support them in adapting to the rules and reporting technologies.
Two years after implementation, we will review the policies to assess if they meet both our needs and those of firms.
Background
Threat actors are attacking the financial sector more and more frequently, and with greater sophistication. They also attack the third parties that firms increasingly rely on to boost efficiency and support their innovations. At the same time, the industry is becoming more interconnected. Each incident can have an even bigger impact – even those that don’t stem from attacks. It is more important than ever that we can quickly grasp how incidents affect firms and markets.
At the same time, third parties are now supplying their services by means of transformative technological innovations like AI. The pace of change is rapid. We need to understand how firms are using third parties so we can effectively supervise their operational resilience. We also need to understand the deepening interconnectedness of industry as a whole to identify and address systemic risk. To do all of this, we need more detailed, accurate and consistently structured data.
As well as our final rules and guidance, firms can find reporting templates in the Policy Statement to help them prepare.