New FCA operational incident reporting rules: What core or limited SMCR firms need to do now

Standard reporting applies to all firms with a Part 4A permission that are not in scope of enhanced reporting, encompassing the vast majority of FCA solo-regulated firms including investment advisers, wealth managers, insurance intermediaries, consumer credit firms, funeral plan providers, smaller asset managers, smaller insurers, and credit unions.  Firms in the enhanced category , which sit outside the standard regime include enhanced scope SMCR firms, banks, designated investment firms, building societies, Solvency II firms, CASS large firms, payment service providers, UK RIEs, registered trade repositories, and registered credit rating agencies.

An operational incident is defined as a single event or series of linked events that disrupts a firm's operations such that it either disrupts the delivery of a service to an external end user, or impacts the availability, authenticity, integrity or confidentiality of that end user's information or data.  A 'series of linked events' can include events with a cumulative impact sharing the same root cause – for example, a third party failure causing downstream operational disruption.

The reporting obligation is triggered where a firm reasonably believes an incident poses:

• a risk of causing intolerable levels of harm to consumers from which they cannot easily recover (consumer harm threshold),
• a risk to the safety and soundness of the firm and/or other market participants, or
• a risk to market stability, market integrity or confidence in the UK financial system.

Importantly, not all thresholds will be equally relevant to all firms, for example, a firm without direct consumer relationships is less likely to meet the consumer harm threshold.

The concept of reasonable belief requires firms to use their judgement and act reasonably based on the circumstances and available information.  Whilst the FCA does not require firms to align internal incident severity levels to its regulatory thresholds, firms must not omit to report relevant incidents solely because they do not meet an internal severity threshold, and a significant internal escalation (such as involving an SMF holder and activating crisis management procedures) could itself indicate that FCA thresholds are met.

Firms must report any operational incident that meets the definition and which the firm reasonably believes meets one or more of the three reporting thresholds.  Near-misses (including unsuccessful attacks that were thwarted), planned interruptions that proceed without issue, and potential or uncrystallised events are not required to be reported via the SUP 15.18 mechanism.

‍

Standard reporting consists of a single short-form report, and unlike enhanced reporting, firms subject to standard reporting will not have to update their submission after it is made.  The form (set out in SUP 15 Annex 15.2R) contains 16 fields covering matters including the incident status, trigger for reporting, incident type and title, a description of the incident, the firm's severity rating (using FSB FIRE Taxonomy ratings of low, medium or high), detection time, recovery actions planned and taken, and, where a third party is the origin then the of that third party and details.

The FCA expects a firm to submit the report within 24 hours of determining that an incident meets any of the notification thresholds, though firms should not wait 24 hours to report,  the obligation is to do so as soon as practicable.  Firms should balance the need to submit the report with the need to prioritise actions necessary to contain and respond to the incident to prevent further harm.

All firms will use the FCA's Connect platform to submit incident reports, and only one report per incident is required even where multiple services are affected.  Connect recognises submissions at entity level rather than group level, meaning that each individual firm within a group experiencing a qualifying incident must submit its own report, describing the specific impact on its own operations, customers, and market exposure – even if the root cause is shared with other group entities.

A firm can meet its Principle 11 obligation (to disclose anything to the FCA of which the regulator would reasonably expect notice) by reporting under the new SUP 15.18 rules and disclosing the appropriate information.  However, firms may experience lower-impact incidents that do not meet the SUP 15.18 thresholds but that should still be reported under Principle 11 via normal supervisory channels; and for particularly urgent or significant incidents, firms should also consider contacting their usual FCA supervisory contact directly before or alongside submitting the form.

The new rules come into force on 18 March 2027, giving firms 12 months to prepare for compliance.  Recommended preparation steps include:

• confirming your firm's classification as standard (rather than enhanced);
• establishing internal accountability for identifying threshold-meeting incidents;
• designating who will make the Connect submission;
• developing or adapting internal assessment frameworks mapped to the three FCA thresholds;
• familiarising relevant staff with the 16-field standard form; and,
• considering how near-miss events will continue to be handled through existing Principle 11 channels.