
New operational incident reporting rules for payment service providers: What you need to do before March 2027
TLT picks out the key points you shouldn't miss...
What's this about?
The FCA's Policy Statement PS26/2 introduces new rules that give firms a standardised process for reporting relevant operational incidents, define what constitutes an operational incident, and set out the thresholds firms must use to assess which incidents to report. The EBA guidelines on operational incident reporting will be disapplied. Payment service providers (PSPs) are classified as enhanced reporting firms, meaning they are subject to a more detailed, phased reporting regime rather than the simplified single-form process available to most other FCA-regulated firms. The new framework applies from 18 March 2027, giving firms 12 months to prepare for compliance. This article sets out the key obligations, the risks of non-compliance, and the practical steps PSPs should be taking now.
Nikesh Shah, Senior Compliance Manager, says...
"The new operational incident reporting regime represents an operational shift for PSPs as the thresholds are principles based. The 4-hour initial reporting deadline remains; however, the starting point of the clock is different. The new regime demands that firms have pre-built, tested processes ready to go before an incident occurs. Firms that leave preparation to the last minute risk not only regulatory breach but reputational damage at precisely the moment they can least afford it. The time to act is now, not in early 2027."
The points not to miss...
PSPs are subject to the enhanced reporting regime, which is more detailed and involves phased reporting across the life cycle of an incident. Whilst PSPs share enhanced reporting status with other strategically important firms such as banks and designated investment firms, the PSP-specific rules – particularly the 4-hour deadline and the mandatory transaction data fields – apply exclusively to PSPs and not to other enhanced reporting firms.
PSPs must submit the initial phase of an incident report within four hours of first detecting the incident, and this four-hour requirement takes precedence over the 24-hour expectation that applies to all other enhanced reporting firms. This is a critical distinction: the clock starts from first detection, not from the moment the firm determines that the incident meets a threshold. PSPs must report what they know within four hours, even if the full picture is not yet clear, and should therefore define in their procedures what counts as "first detection" (for example, the time a monitoring alert or customer complaint is first logged) so that the deadline is not silently pushed back by internal triage.
Enhanced incident reporting requires firms to report in three phases – initial, intermediate, and final – across the life cycle of an incident, with firms able to return and update reports if there are significant changes to an incident's status. The intermediate phase must be submitted as soon as practicable after each significant change in circumstances, whilst the final phase must be submitted within 30 working days of resolution, or no later than 60 working days in exceptional circumstances.
Data fields that are optional for most enhanced reporting firms become mandatory for PSPs from the intermediate phase onwards (or at the initial phase if the incident is resolved immediately), including the number of affected customers, the percentage of service users affected, the percentage and number of transactions affected, and the value of transactions affected. This reflects the FCA's view that PSP incidents are especially time sensitive given their fast and direct impact on consumers, including potentially vulnerable ones. PSPs must additionally consider the proportion of transactions affected, the proportion and nature of payment service users affected, service downtime, and the impact on their distribution channels when assessing whether a reporting threshold has been met.
An operational incident is defined as a single event or series of linked events that disrupts the firm's operations such that it disrupts the delivery of a service to an end user external to the firm, or impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user. There are two recognised types: disruption incidents (affecting service delivery to external end users) and data loss incidents (affecting the security or integrity of end user data).
The threshold for reporting is met where a firm reasonably believes an operational incident poses:
- a risk of causing intolerable harm to consumers from which they cannot easily recover,
- a risk to the safety and soundness of the firm or other market participants, or
- a risk to market stability, market integrity, or confidence in the UK financial system
These are known as the consumer harm, safety and soundness, and market stability thresholds respectively. "Intolerable harm" is not defined, and firms must assess it in their specific contexts; the FCA has explicitly warned against treating the factors as a tick-box list, expecting firms to incorporate their own internal incident risk frameworks and business-model-specific metrics into the assessment.
Firms need only report operational incidents that have crystallised and met one or more of the thresholds. Near-misses such as thwarted DDoS attacks, incidents contained below the thresholds, and temporary controlled interruptions such as planned system updates that go to plan are excluded from the reporting obligation. However, firms should separately consider whether near-miss events should be notified to the FCA under the general notification requirements in SUP 15.3.1R and Principle 11, via the firm's usual supervisory channel rather than the SUP 15.18 incident reporting mechanism.
Where a major operational or security incident is detected, a PSP is only required to submit notifications in accordance with the new SUP 15.18 regime, which simultaneously satisfies the PSP's statutory notification obligation under Regulation 99(1) of the Payment Services Regulations 2017 – no separate PSR notification is required. PSPs must select 'Yes' to the PSR notification field on the enhanced reporting form in order to ensure the single submission serves both purposes.
To reduce the regulatory burden, the FCA has disapplied the EBA's Guidelines on incident reporting under the Payment Services Directive (EBA/GL/2017/10), and PSPs will now only need to submit notifications under the new regime to meet their obligation under Regulation 99(1) of the PSRs. The deadline is the same as before (four hours), but the mechanism has changed: PSPs now report through the FCA's Connect platform using the new enhanced reporting form, and SUP 15 Annex 11D (the old PSD2 notification form) has been deleted in its entirety.
All firms must use the FCA's Connect platform to submit incident reports, with Connect chosen because most firms are already familiar with the platform; where a firm must report to both the FCA and the PRA, a single report in Connect will be shared with both regulators. The Connect platform recognises submissions at the entity level, not group level, meaning firms in a group that share a root-cause incident must each submit their own individual report where they individually meet the thresholds.
The following steps are recommended ahead of the 18 March 2027 go-live date:
- Ensure operational and compliance teams understand that the four-hour deadline runs from first detection, not from any internal severity assessment or escalation decision.
- Develop or adapt internal incident response procedures so that enough information is available within four hours to complete the mandatory initial phase fields.
- Establish internal processes for capturing the PSP-specific data points, particularly transaction volumes, proportions of users affected, service downtime, and distribution channel impacts, as these become mandatory at the intermediate phase.
- Designate who is responsible for making the Connect submission, submitting intermediate updates, and completing the final report.
- Register and ensure access to the FCA's Connect platform prior to the go-live date.
- Note that the old PSD2 notification form (SUP 15 Annex 11D) has been deleted and replaced; internal template libraries and procedures should be updated to reflect this.
- Consider how near-miss events will continue to be handled through supervisory notification channels under Principle 11.
If you would like to discuss how we can help you prepare for the new operational incident reporting requirements, please get in touch.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2026. Specific advice should be sought for specific cases. For more information see our terms & conditions.