FCA and PRA publish final rules on operational incident reporting: firms have to be ready by 18 March 2027

TLT picks out the key points you shouldn't miss...

What’s this about?

The FCA and PRA have created a unified framework for reporting serious operational incidents across regulated firms, including payment services firms, through the publication of policy statements and finalised guidance (PRA’s PS7/26 and SS1/26 / FCA’s PS26/2 and FG26/3). The policy statements also have rules on material third party reporting.  For more details on the new Third Party reporting regime, read our update here.

The reporting requirements are driven by an increasing frequency and sophistication of attacks on the financial sector, including attacks affecting the third parties on which firms rely, combined with the rapid pace of technological change including AI and the growing interconnectedness of the industry. The resulting data will help the regulators triage incidents at pace, identify wider market disruption, and over the medium to long term, develop thematic insights to improve industry practices and inform future interventions.

The operational incident reporting requirements come into force on 18 March 2027, so firms have less than 12 months to assess which reporting requirements apply to them, and what systems and controls need to be put in place to ensure they are fully prepared before the new regimes come into force.

Partner in our Financial Services Regulation team, Andrzej Wieckowski says...  

“These requirements mean that regulators are no longer asking whether firms have incidents, they are asking how quickly firms recognise them, understand their impact and act. Operational resilience is now proved in real time. Firms that cannot identify, assess and escalate serious incidents quickly will be engaging with regulators at the worst possible moment.”

The points not to miss...

Who is impacted?

The new rules apply to all solo regulated firms, dual regulated firms and payment services providers (PSPs).

Key points to note:

  • Dual regulated firms, solo regulated enhanced SMCR firms and PSPs will be enhanced reporting firms.
  • PSPs have additional reporting requirements.
  • Other solo regulated firms will be standard reporting firms.

What is an operational incident?

The FCA and PRA have aligned their definition of ‘operational incident’ to include either a single event or a series of linked events that disrupts the firm’s operations such that one or more of the following occurs:

  • the delivery of a service to an end user external to the firm is disrupted; or
  • the availability, authenticity, integrity, or confidentiality of information or data relating or belonging to such an end user is impacted.

Firms are not expected to report on potential or uncrystallised events.

Key points:

  • The definition covers single events or a series of linked events, including cascading failures and third-party incidents.
  • An incident does not need to affect an Important Business Service to be reportable.
  • Near misses are not reportable under this regime but may still need notifying under Principle 11 or general notification rules.
  • Firms must use judgement, based on information available at the time; thresholds are not prescriptive or quantitative.
  • End users can be retail or business customers, other legal entities, trustees, market participants, supervisory regulators, and members of the firm’s group.

When an operational incident must be reported

Firms must report when they reasonably believe an incident poses a risk to one or more statutory objectives:

  • Consumer harm (FCA): risk of intolerable harm from which consumers cannot easily recover.
  • Safety and soundness (FCA and/or PRA).
  • Market stability, integrity or confidence in the UK financial system (FCA).
  • Policyholder protection (PRA, for insurers).
  • The stability of the UK financial system (PRA). This only applies to CRR firms that are Other Systemically Important Institutions.
  • PSPs: under the Payment Services Regulations, PSPs must report a "major operational or security incident". Under the new regime, these concepts are mapped directly to the FCA's framework, i.e. an operational or ‘security incident’ would be an operational incident that must be reported.

Key points:

  • Even though the reporting thresholds are broadly aligned between the FCA and PRA, they are not identical. As such, dual-regulated firms will need to assess the FCA and PRA thresholds independently.
  • The PRA and FCA provide guidance on factors that firms could consider when assessing what their threshold would be. The factors are not exhaustive or prescriptive but rather examples, which may help firms calibrate the threshold for reporting.
  • PSPs, when considering the threshold for reporting an operational incident, are also expected to consider:
    • the proportion of transactions affected;
    • the proportion and nature of payment service users affected;
    • the service downtime; and
    • the impact on their distribution channels.

The FCA has disapplied the EBA's Guidelines on Incident Reporting under the Payment Services Directive for PSPs.

Firms should not forget that Principle 11 (FCA) and Fundamental Rule 7 (PRA) still apply, i.e. they must disclose to the FCA and/or PRA anything relating to the firm of which either regulator would expect notice. Therefore, incidents below the threshold may still be reportable, not via this incident reporting arrangement but via the firm’s normal supervisory contact.

Standard vs enhanced incident reporting

Firms must submit reports via FCA Connect, irrespective of whether they are a standard or enhanced reporting firm or dual regulated.

Standard reporting:

  • Firms must submit the notification within 24 hours of having determined that the incident meets the thresholds.
  • Firms subject to standard reporting are not required to update their submission once it has been made. Occasionally, the FCA may engage further with a firm depending on the quality of the information submitted, or the severity of the incident.

Enhanced reporting requires updates across the lifecycle:

Initial phase

  • Reports made as soon as practicable, generally within 24 hours of threshold determination.
  • PSPs must report within 4 hours of detection.

Intermediate phase

  • Firms must submit updates where there is a significant change (e.g. worsening impact, third party origin identified, BCP activation).

Final phase

  • Firms must submit within 30 working days of resolution (up to 60 in exceptional circumstances); and
  • include root cause, lessons learned and remediation actions.

Governance and accountability

Firms should develop or adapt internal incident assessment frameworks to map against the relevant regulatory thresholds that apply to them.

  • For PRA regulated firms, overall responsibility for the incident reporting framework is expected to sit with SMF24 (Chief Operations) or an equivalent SMF.
  • SMF approval of individual incident reports is not required, but senior management oversight must be demonstrable.
  • Incident reporting does not replace supervisory engagement; firms may still need to contact supervisors directly in serious cases.

What firms should be doing now

In practical terms, firms should:

  • determine or recalibrate incident criteria that must be escalated;
  • map incident management processes to the new threshold tests and timelines;
  • identify whether they are standard or enhanced reporting firms;
  • confirm internal accountability, escalation and sign off structures;
  • prepare systems and data to support Connect reporting;
  • test playbooks for third-party incidents and cascading failures, especially where PSPs or critical suppliers are involved.

How TLT can help

We have prepared more detailed summaries for:

  • Dual regulated CRR firms
  • Solo regulated enhanced reporting firms (non-PSPs)
  • PSPs
  • Solo regulated standard reporting firms

If you would like a copy, then please email Nikesh Shah.

If you would like to discuss what these new regimes mean in practice, including next steps regarding the measures your firm should put in place to ensure it is ready for this new regime, please get in touch.

At a glance...

Publication links:

  • PS26/2 – Operational Incident and Third Party Reporting (FCA)
  • PS7/26 – Operational resilience: Operational Incident and Third Party Reporting (PRA / Bank of England)
  • FG26/3 – Finalised guidance: Operational incident reporting (FCA)
  • Supervisory Statement – Operational resilience: incident reporting (PRA)

Published date: 18 March 2026

Who has published it? Financial Conduct Authority (FCA); Prudential Regulation Authority (PRA)

Publication type: Final rules (Policy Statements) and finalised guidance

Any key dates? Rules come into force 18 March 2027. Two-year post-implementation review to follow.

What's it relevant to? Operational resilience; operational incident reporting; payments; e-money; banks; building societies; FCA‑regulated firms

Author: Hannah Stanley

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at April 2026. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published: 24 Apr 2026
