
New FCA rules on operational incident reporting: What enhanced SMCR firms need to know
TLT picks out the key points you shouldn't miss...
What's this about?
The FCA has introduced new rules giving firms a standardised process for reporting relevant operational incidents, defining what counts as an operational incident and setting out the thresholds for firms to assess which incidents to report. A smaller cohort of firms, described as the most strategically important FCA-regulated firms, will be subject to an 'enhanced' reporting regime, which requires more information than the standard reporting form, though the number of questions has been reduced overall by approximately 20% compared to earlier proposals. The new rules come into force on 18 March 2027, giving firms less than 12 months to prepare for compliance. This article sets out what enhanced reporting firms need to understand and do now to be ready.
Nikesh Shah, Senior Compliance Manager, says...
"The enhanced regime represents a genuine step-change in how firms must manage and disclose operational disruption. The three-phase reporting structure, the 24-hour initial, and the mandatory post-incident review requirements mean firms cannot rely on ad hoc processes. Preparation must start now; firms that wait until the go-live date will find themselves under significant pressure."
The points not to miss...
The firms in scope of enhanced incident reporting are listed in SUP 15.18.3R and comprise enhanced scope SMCR firms, banks, designated investment firms, building societies, Solvency II firms, CASS large firms, payment service providers, UK RIEs, registered trade repositories, and registered credit rating agencies. Enhanced reporting applies to a much smaller subset of firms, described as the most strategically important FCA firms, with standard reporting covering approximately 90% of FCA-regulated firms. Firms should confirm their classification as a matter of priority.
An operational incident is defined as either a single event or a series of linked events which disrupts the firm's operations such that it disrupts the delivery of a service to an end user external to the firm, or impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user. There are two recognised types: a 'disruption' incident (affecting service delivery) and a 'data loss' incident (affecting the availability, authenticity, integrity or confidentiality of end user information or data).
A 'series of linked events' includes events with a cumulative impact that disrupts a firm's operations, including connected events that often share the same root cause, for example, an incident beginning with a third-party failure causing downstream impacts, or multiple disruptions triggered by the same issue. When determining whether an event constitutes an operational incident, a firm must assess whether the event affects an end user external to the firm. These end users should be identifiable and may include consumers, business customers, market participants, other legal entities, trustees, supervisory authorities or members of its group.
The reporting obligation is triggered where a firm reasonably believes an operational incident poses a risk of:
- causing intolerable levels of harm to consumers from which consumers cannot easily recover;
- a risk to the safety and soundness of the firm and/or other market participants; or
- a risk to market stability, market integrity or confidence in the UK financial system.

These are referred to respectively as the consumer harm, safety and soundness, and market stability thresholds.
The FCA does not intend to introduce quantitative thresholds, as they would need to apply to firms of vastly differing scale and nature; however, firms may set their own internal quantitative thresholds as part of their operational risk management procedures, provided these are consistent with the FCA's outcomes-focused approach.
The FCA does not require firms to align their internal incident severity levels to its thresholds, but firms must not omit to report relevant incidents solely because they do not meet an internal severity threshold. If a firm escalates its internal response significantly, for example by involving a Senior Manager Function (SMF) holder and activating crisis management procedures, this could indicate that an incident meets FCA reporting thresholds.
Enhanced incident reporting is more detailed, with firms reporting in three phases over the life cycle of an incident: 'initial', 'intermediate', and 'final'. Once a firm has created an incident report and submitted the initial phase, it can access the report again to provide a substantial update during the intermediate phase if necessary; once the incident is resolved, the firm closes the report by completing the final phase, usually within 30 working days.
Under SUP 15.18.6R and SUP 15.18.7G, a firm must submit the initial phase as soon as practicable. The FCA expects this to be within 24 hours of determining that an incident meets any of the thresholds, and the 24-hour clock runs from the moment the firm makes that determination, not from when the incident was first detected. This does not mean firms should default to waiting 24 hours to report; early reporting is expected where information is available.
Firms must provide one or more updates if there are significant changes to the status of an operational incident, including noting that the incident is resolved, and must do so as soon as practicable after each significant change in circumstances. Examples of changes triggering an intermediate update include identifying the origin of the incident, the impact becoming significantly more severe, the incident meeting another supervisory authority's reporting threshold, the firm activating a business continuity or disaster recovery plan, or the firm resolving the operational incident.
At the final phase, firms must describe the key findings from their post-incident review including lessons identified, and for each lesson must provide an overview of remediation actions and estimated completion dates. A firm must provide the final update within 30 working days of the operational incident being resolved unless there are exceptional circumstances, in which case the maximum timeframe is 60 working days, and the firm must inform the FCA of the reason and expected timeline if it cannot meet the 30-day deadline.
Customer and transaction data fields (fields 25–29 of the enhanced form) are not visible at the initial phase; they become optional at the intermediate phase and are mandatory at the final phase for all enhanced reporting firms. Only one report per incident is required, even where multiple services are affected, and if relevant a firm can list multiple affected services in the relevant field of the reporting form.
The Connect platform recognises submissions at the entity level, not the group level; as the rules apply to each individual firm, firms must submit an incident report for each firm in a group that is experiencing an incident which meets the thresholds. Each report should describe the specific impact on a firm's operations, customers, and market exposure even where the root cause is shared, as the consequences of an incident may differ from firm to firm despite having the same root cause due to factors such as firm size, structure, and resilience measures.
Under SUP 15.18, firms only need to report an operational incident that has crystallised and met one or more of the thresholds; firms do not need to use the SUP 15.18 process to report near-misses such as a potential incident that was thwarted, or a crystallised incident that was prevented or otherwise contained and did not meet the thresholds. However, a firm should consider whether it should notify the FCA of such an event under the general notification requirements in SUP 15.3.1R and Principle 11, with such notifications made through the firm's usual supervisory channel rather than through the SUP 15.18 mechanism.
All firms will use the FCA's Connect platform to submit incident reports, choosing either the enhanced or standard form, and Connect was chosen as most firms are already familiar with the platform. To simplify the process, as many fields as possible will be pre-populated using information a firm has submitted in a previous phase, and firms will be able to update pre-populated fields as appropriate.
- Confirm your firm's classification under SUP 15.18.3R.
- Ensure operational and compliance teams understand that the 24-hour deadline runs from the point the firm determines thresholds are met, not from first detection of the incident.
- Develop or adapt internal incident assessment frameworks so that the mandatory fields for the initial phase can be completed promptly without diverting key resources from incident resolution.
- Establish governance arrangements for intermediate updates, designating who is responsible for identifying significant changes in circumstances that trigger an intermediate submission.
- Plan for the final phase requirements: post-incident review processes should be capable of producing lessons identified and remedial actions within 30 working days of resolution.
- Consider how near-miss events will continue to be handled through supervisory notification channels under Principle 11, distinct from the formal SUP 15.18 enhanced reporting mechanism.
- Review third-party arrangements to enable you to make reports.
TLT’s Financial Services Regulatory team can help you to assess your readiness and implement a robust, compliant operational incident reporting framework ahead of the March 2027 deadline.
Different requirements apply to you? Please see our tailored summaries for dual regulated firms and payment firms.
For more information or to discuss how TLT can help your firm prepare for the new operational incident reporting requirements, please contact Nikesh Shah.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2026. Specific advice should be sought for specific cases. For more information see our terms & conditions.