
New operational incident reporting rules for banks and CRR firms: What you need to do before March 2027
TLT picks out the key points you shouldn't miss...
What's this about?
The PRA and FCA have each published final policy statements – PS7/26 and SS1/26 (PRA) and PS26/2 and FG26/3 (FCA) – introducing a new mandatory operational incident reporting regime for dual-regulated firms. The rules come into force on 18 March 2027, giving firms 12 months to prepare. The regime creates a structured, phased reporting obligation that applies whenever an operational incident meets regulatory thresholds – covering cyber-attacks, technology outages, third-party failures, and data breaches. This article sets out who is in scope, what triggers a report, how the reporting process works, and what firms should be doing now to be ready.
Nikesh Shah, Senior Compliance Manager, says...
"These new rules represent one of the most significant operational resilience compliance steps for banks and CRR firms in recent years. The 24-hour initial reporting window, combined with the need for clear SMF accountability and robust internal escalation processes, means firms cannot afford to wait until early 2027 to begin preparation. The firms that adapt quickest will be those that embed these requirements into their existing incident management frameworks now – not those that treat it as a box-ticking exercise at the last minute."
The points not to miss...
The requirements apply to UK banks, building societies, PRA-designated investment firms, and UK branches of overseas banks. Notably, SS1/26 explicitly extends the PRA's supervisory expectations to UK branches of overseas banks, making clear that branches fall within scope even where the underlying rule text is framed around CRR firms.
An operational incident is defined as either a single event or a series of linked events that disrupts a firm's operations such that it disrupts the delivery of a service to an end user external to the firm, or impacts the availability, authenticity, integrity, or confidentiality of information or data relating to such an end user. The regulators treat "series of linked events" broadly, including those whose cumulative impact results in disruption, or events originating from the same root cause with cascading effects.
A potential or uncrystallised event which does not result in a disruption to a service or data loss to an end user external to the firm is treated as a near-miss and falls outside the scope of reporting. Equally, a temporary, controlled interruption – such as a routine system update – is not an operational incident, but if it goes wrong and the resulting impact meets the thresholds, the firm must report; for example, a failed IT upgrade causing a mobile banking outage that poses intolerable consumer harm would trigger reporting obligations.
The regulators require firms to assess whether an incident meets the definition of an operational incident regardless of whether it impacted the delivery of an important business service (IBS) or data associated with an IBS, and firms are expected to report an incident before impact tolerances are breached. Examples of reportable incidents not affecting an IBS include a large-scale DDoS attack on a cloud service provider causing significant disruption to the firm's services, or an IT failure in a firm's payment routing system that prevents processing of a high number of transactions, leaving the firm unable to meet contractual obligations.
Under the PRA's regime, a firm must submit an incident report where an operational incident could pose a risk to: the stability of the UK financial system (where the firm is, or is controlled by, an O-SII); or the firm's safety and soundness. Under the FCA's regime, the threshold is met where a firm reasonably believes the incident poses a risk of intolerable levels of harm to consumers from which consumers cannot easily recover, or risks the safety and soundness of the firm and/or other market participants, or threatens market stability, market integrity, or confidence in the UK financial system.
The PRA's six factors are not exhaustive or prescriptive but serve as guidance; firms may alternatively use existing metrics from their internal processes, and threshold assessment will inevitably require judgement in the early stages of an incident when complete information is unavailable. The factors span:
- operational and financial contagion (for O-SIIs only)
- reputational risk to the firm or sector
- failure to meet legal and regulatory obligations
- inability to provide adequate services
- inability to safeguard data; and
- the firm's own internal assessment and classification, including escalation to senior management or the Board
The concept of "reasonable belief" reflects the FCA's expectation that firms use their judgement and act reasonably based on available information; the FCA has deliberately declined to set quantitative thresholds as these would need to apply to firms of vastly differing scale and nature and would conflict with the FCA's outcomes-focused approach. The FCA does not require firms to align their internal incident severity levels to its thresholds, but firms must not omit to report relevant incidents solely because they do not meet an internal severity threshold.
Both the PRA and FCA expect the initial report to be submitted within 24 hours of the firm determining that a threshold has been met – not from when the incident was first detected – with the 24-hour clock running from the moment of that determination. The final report must be submitted within 30 working days of resolution, or in complex cases within 60 working days where 30 is impracticable, with firms expected to proactively inform regulators if more time is needed and explain the reason.
At the intermediate phase, a firm must submit additional information to the relevant regulator as soon as is practicable after any significant change in circumstances from the initial report, including the operational incident being resolved. Triggering events for an intermediate update include identification of the incident's origin, a significant increase in severity, the incident meeting another supervisory authority's reporting threshold, activation of a business continuity or disaster recovery plan, or resolution of the incident.
Firms can submit a single report to both the PRA and the FCA jointly to reduce the reporting burden, where they assess that both regulators' thresholds have been met. If a firm initially reports only to one authority and the incident evolves to meet the other authority's thresholds, the firm should address this by submitting an update at the intermediate phase.
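The timing rules above (24 hours from the threshold determination rather than from detection, 30 or 60 working days from resolution, and an intermediate update on each listed triggering event) are simple enough to encode in an incident-management tool so that the clock is started by the right event. The module below is an added illustration written for this article, not code from TLT, the PRA or the FCA. It assumes a working day is Monday to Friday minus an optional, caller-supplied holiday set (the text does not define "working day"), and every date in the sample scenario is constructed.

```python
"""Deadline and update-trigger model for phased operational incident reporting.

Illustrative only: encodes the timing rules as described in the article.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import List, Optional, Set

INITIAL_REPORT_WINDOW = timedelta(hours=24)      # from threshold determination
FINAL_REPORT_WORKING_DAYS = 30                   # from resolution
FINAL_REPORT_WORKING_DAYS_COMPLEX = 60           # where 30 is impracticable

# Events the article lists as triggering an intermediate update.
INTERMEDIATE_TRIGGERS = frozenset({
    "origin_identified",
    "severity_increased",
    "other_authority_threshold_met",
    "bcp_or_dr_activated",
    "resolved",
})


def add_working_days(start: date, n: int, holidays: Set[date] = frozenset()) -> date:
    """Advance `start` by n working days.

    Assumption: a working day is Mon-Fri that is not in `holidays`.
    """
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


@dataclass
class IncidentReportingClock:
    detected_at: datetime
    threshold_determined_at: Optional[datetime] = None
    resolved_at: Optional[datetime] = None
    complex_case: bool = False
    holidays: Set[date] = field(default_factory=set)
    updates_due: List[str] = field(default_factory=list)

    def determine_threshold(self, when: datetime) -> datetime:
        """Record the moment the firm determines a threshold is met; this starts the 24h clock."""
        self.threshold_determined_at = when
        return self.initial_report_deadline()

    def initial_report_deadline(self) -> Optional[datetime]:
        # The clock runs from determination, not from detection.
        if self.threshold_determined_at is None:
            return None
        return self.threshold_determined_at + INITIAL_REPORT_WINDOW

    def is_initial_report_late(self, submitted_at: datetime) -> bool:
        deadline = self.initial_report_deadline()
        return deadline is not None and submitted_at > deadline

    def record_event(self, event: str, when: datetime) -> bool:
        """Return True if `event` requires an intermediate update; note resolution time."""
        if event not in INTERMEDIATE_TRIGGERS:
            return False
        self.updates_due.append(event)
        if event == "resolved":
            self.resolved_at = when
        return True

    def final_report_deadline(self) -> Optional[date]:
        if self.resolved_at is None:
            return None
        days = FINAL_REPORT_WORKING_DAYS_COMPLEX if self.complex_case else FINAL_REPORT_WORKING_DAYS
        return add_working_days(self.resolved_at.date(), days, self.holidays)


def final_deadline_iso(resolved_iso: str, complex_case: bool = False, holidays_iso=()) -> str:
    """String-in, string-out convenience wrapper around add_working_days."""
    holidays = {date.fromisoformat(h) for h in holidays_iso}
    days = FINAL_REPORT_WORKING_DAYS_COMPLEX if complex_case else FINAL_REPORT_WORKING_DAYS
    return add_working_days(date.fromisoformat(resolved_iso), days, holidays).isoformat()


def example_scenario() -> dict:
    """Constructed walk-through: detection, determination, one non-trigger, resolution."""
    clock = IncidentReportingClock(detected_at=datetime(2027, 4, 1, 9, 0))
    clock.determine_threshold(datetime(2027, 4, 1, 15, 30))
    clock.record_event("origin_identified", datetime(2027, 4, 2, 10, 0))
    clock.record_event("routine_update", datetime(2027, 4, 2, 11, 0))  # not a listed trigger
    clock.record_event("resolved", datetime(2027, 4, 2, 18, 0))
    return {
        "initial_report_deadline": clock.initial_report_deadline().isoformat(),
        "late_if_submitted_16_00_next_day": clock.is_initial_report_late(datetime(2027, 4, 2, 16, 0)),
        "intermediate_updates_due": list(clock.updates_due),
        "final_report_deadline": clock.final_report_deadline().isoformat(),
    }


if __name__ == "__main__":
    for key, value in example_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is that detection, determination and resolution are three separate timestamps: only the second starts the 24-hour window, and only the third starts the working-day count, so an incident tool that records a single "opened" time cannot compute either deadline correctly.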
The FCA Connect platform recognises submissions at the entity level, not the group level; accordingly, firms must submit an incident report for each firm in a group that is experiencing an incident which meets the thresholds. Each report should describe the specific impact on that firm's operations, customers, and market exposure, even where the root cause is shared across the group, because consequences may differ from firm to firm due to factors such as firm size, structure, and resilience measures.
The PRA expects firms to establish clear accountability and responsibility for operational incident reporting, aligning this with the Senior Management Function framework; the Chief Operations SMF (SMF24), where it exists, should hold overall responsibility for implementing the outcomes of the PRA's incident reporting requirements and for ensuring accurate and timely reporting. Where a firm does not have an SMF24, these responsibilities must be clearly allocated to a suitable alternative SMF or SMFs; however, the PRA does not expect the responsible SMF to personally approve each incident report submission.
Notwithstanding the phased reporting process, firms continue to be required to notify the PRA of incidents that may constitute information of which the PRA would reasonably expect notice within the meaning of Fundamental Rule 7, and operational incident reporting does not replace direct communication with supervision teams. For lower-impact incidents that fall below the new regime's thresholds, firms must continue to report under Principle 11 via normal supervisory channels.
The final report must include a description of key findings from the post-incident review, including a summary of lessons identified, and for each lesson, an overview of the remediation actions identified together with the estimated completion date for each action. Customer and transaction data fields – including number of affected customers, percentage of service users affected, percentage and value of affected transactions – are not required at the initial phase but become mandatory at the final phase for all enhanced reporting firms.
Action points for firms
Firms should consider the following steps before the 18 March 2027 compliance date:
- Review scope: Confirm whether the entity (including group members and UK branches of overseas firms) falls within the new regime.
- Map and update incident definitions: Ensure internal incident categorisation frameworks align with the regulatory definition and do not inadvertently exclude reportable incidents by reference to IBS classification alone.
- Calibrate reporting thresholds: Develop internal criteria — which may include quantitative metrics — that are consistent with the PRA's six factors and the FCA's three thresholds, enabling timely threshold assessments during live incidents.
- Build a 24-hour reporting capability: Review incident escalation processes to ensure that the moment a threshold determination is made, the firm can generate and submit an initial report within 24 hours, even under resource pressure.
- Allocate SMF accountability: Confirm or formalise SMF24 (or equivalent) responsibility for operational incident reporting and document this allocation in governance records.
- Prepare group reporting protocols: For group structures, establish entity-level reporting procedures, including how to coordinate where a shared root cause affects multiple regulated entities.
- Integrate with existing obligations: Ensure the new regime is mapped alongside existing Principle 11 and Fundamental Rule 7 obligations so that the appropriate notification channel is used for every category of incident.
- Conduct a dry run: Test the end-to-end reporting process — from threshold assessment through initial, intermediate, and final submission on FCA Connect — well before the go-live date.
At a glance...
For advice on the new operational incident reporting requirements and how to prepare your firm, please contact Nikesh Shah.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2026. Specific advice should be sought for specific cases. For more information see our terms & conditions.