PRA, BoE and FCA material third-party reporting requirements

TLT picks out the key points you shouldn't miss...

What’s this about?

On 18 March 2026, the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and Bank of England (BoE) published final rules and guidance on the new requirements for reporting material third‑party arrangements.

The regulators have introduced a single, unified platform for submitting material third‑party notifications and the annual register through FCA Connect. The new framework uses aligned templates across all three regulators and replaces the previous requirements for notifying material outsourcing arrangements.

The new requirements take effect from 18 March 2027 and apply across a broad range of regulated firms.

Our Senior Compliance Manager, Nikesh Shah, says...

“These changes will impact firms’ outsourcing, procurement and operational resilience frameworks, and require earlier, more structured assessments of critical third‑party dependencies, plus increased reporting to regulators.”

The points not to miss...

Scope and applicability

PRA‑regulated firms:

  • The PRA’s outsourcing and third‑party reporting rules apply to all PRA‑regulated firms, including UK banks and building societies. The only exception is UK branches of overseas banks, which are not in scope of the PRA’s requirements.

FCA‑regulated firms:

The FCA’s rules on third‑party reporting (SUP 15.19 and SUP 16.33) apply to the following firms:

  • Dual‑regulated firms
  • Enhanced‑scope SMCR firms
  • CASS large firms
  • Authorised electronic money institutions
  • Authorised payment institutions
  • Consolidated tape providers
  • UK Recognised Investment Exchanges (UK RIEs)
  • UK branches of overseas banks (only the FCA annual register requirement applies, not the notification requirement)

What are third-party arrangements?

An arrangement of any form between a firm and a person who provides a product or service to the firm, regardless of whether the product or service is:

  • something the firm would otherwise provide itself;
  • provided directly or through a sub‑contractor; or
  • provided by an entity within the same group as the firm.

This regime covers both outsourcing and non‑outsourcing arrangements.

Outsourcing vs non-outsourcing

A firm is typically outsourcing where it enters into an arrangement with a service provider to perform a process, service or activity that the firm would otherwise carry out itself.

However, third parties may also provide services that do not amount to outsourcing. Examples of non‑outsourcing third‑party arrangements include:

  • Designing and building an on‑premise IT platform.
  • Purchasing data collated by third‑party providers (e.g., geospatial data, or data from in‑app device activity or social media).
  • Advanced analytics models, including AI and machine‑learning tools.
  • For insurers: the use of aggregators such as price comparison websites and delegated underwriting arrangements.

What are material third-party arrangements?

PRA:

An arrangement is considered material where its disruption or failure could pose a risk to the firm’s safety and soundness, or cast serious doubt on the firm’s ability to:

  • meet its threshold conditions;
  • comply with the Fundamental Rules; or
  • meet relevant operational resilience and operational continuity requirements.

The PRA definition therefore focuses on prudential risk and operational resilience impacts, reflecting the PRA’s statutory objectives.

FCA:

A material third party arrangement is one where a disruption or failure in the provision of the product or service could:

  • cause intolerable harm to the firm’s clients;
  • pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system; or
  • cast serious doubt on the firm’s ability to meet the threshold conditions or comply with the Principles or SYSC 15A (Operational resilience).

Notification requirements

  • When is notification required? A firm must notify the PRA and/or FCA when it enters into or makes a significant change to a material third‑party arrangement.
  • What constitutes a “significant change”? A change is considered significant where it materially alters the nature, scale or complexity of the risks associated with a material third‑party arrangement. This includes changes such as:
    • alterations to the scope of services;
    • changes to how sensitive data is handled or accessed;
    • relocation of data storage or processing locations;
    • material changes in the provider’s ownership, financial position or structure;
    • replacing the provider or a key sub‑contractor.
  • Timing of notification
    • Firms are expected to assess materiality early enough in the process to allow notification before any internal or external commitments are made. This means notification should occur during decision‑making, before the firm becomes contractually or operationally committed.
    • Both regulators confirm that the notification process is not an approval mechanism.
    • Firms do not need to wait for a response before proceeding. Regulators may choose not to respond where no further information is required.
    • Neither regulator specifies a formal timeline for when notifications must be submitted or when they may respond.
    • Firms subject to the notification requirements do not need to submit separate notifications for material outsourcing arrangements; a single notification is sufficient.

Annual material third-party register

  • Firms, including UK branches of overseas banks, must maintain a register containing information on all material third‑party arrangements and submit it to the FCA once a year.
  • The FCA does not expect firms to resubmit the register each time a notification is made.
  • The register is submitted annually only, during the official submission window.
  • The regulators will notify firms when the annual submission window opens.
  • Firms will then have 90 calendar days to complete and submit the register.
  • The information in the register must be accurate as at 31 December of the preceding year.

Assessing materiality of third-party arrangements

Firms are required to report only material third‑party arrangements.

Each firm must therefore develop its own internal process for assessing materiality as part of its third‑party risk‑management framework.

Materiality must be assessed case‑by‑case, based on the nature, scale and risk profile of the arrangement.

The regulators expect firms to consider the following factors when determining whether a third‑party arrangement is material:

  • Direct connection to the firm’s regulated and ancillary activities. The extent to which the arrangement directly supports the firm’s performance of:
    • regulated activities;
    • ancillary activities;
    • MiFID ancillary services or equivalent third‑country business;
    • collective portfolio management;
    • provision of payment services;
    • data‑reporting services provided by a consolidated tape provider.
  • Size and complexity. The scale and complexity of the business areas or functions supported by the third‑party arrangement. Larger or more complex dependencies are more likely to be material.
  • Potential impact of disruption or failure. The severity and breadth of impact on the firm if the arrangement were to fail or be disrupted, including effects on:
    • business continuity;
    • operational resilience;
    • operational risk;
    • the firm’s ability to comply with legal and regulatory requirements;
    • its ability to conduct appropriate audits;
    • its ability to identify and manage risks;
    • obligations under the PRA Rulebook or FCA Handbook;
    • obligations to protect data;
    • clients or counterparties.

Indicators of materiality

An unusually high level of required scrutiny may indicate that a third‑party arrangement is material. This includes situations where:

  • the decision to enter into the arrangement, or to make significant changes to it, must be escalated to senior management, the executive committee, or the board for approval; or
  • the firm determines that the arrangement meets its internal thresholds for enhanced oversight, such as significant due diligence, heightened ongoing monitoring, or more robust business‑continuity and contingency planning.

If an arrangement triggers this level of internal attention, it is a strong indicator that the arrangement should be treated as material.

Examples normally expected to be material third-party arrangements

Regulators generally expect the following types of third‑party arrangements to be treated as material:

  • Services involving the storage of sensitive information, such as data centres, cloud infrastructure, hosting services and managed service providers.
  • Third‑party‑built and monitored cybersecurity services, including defensive security tools and threat‑monitoring solutions.
  • Cloud‑based services required to operate key software, including Software‑as‑a‑Service (SaaS) platforms.
  • Third‑party services that are critical to the delivery of important business services, such as payments, settlements and annuities.
  • Advanced technology services, including AI models used for trading, real‑time market data and analytics, and the physical movement of cash.

Arrangements normally not expected to be reported

A non-exhaustive list of arrangements the regulators would not generally expect to be material includes:

  • processing support services without privileged access (such as consultancy, statutory audit, and legal services);
  • basic utilities (electricity, gas, water, and standard telecommunications);
  • non-vital support services (maintenance, catering, travel, post-room services);
  • procuring standard goods (office supplies, furniture, card readers);
  • purchasing data from data brokers (geospatial data, social media data); and
  • analytical tools such as website traffic monitoring and project monitoring tools.

Intragroup arrangements

An intragroup third‑party arrangement arises where a firm enters into an arrangement with another company within the same group, including parent or sibling companies located outside the UK. Regulators expect firms to apply the same standards and level of scrutiny to intragroup arrangements as to external third‑party arrangements when assessing operational risks.

Firms should not assume that an intragroup arrangement is automatically less risky or less likely to be material.

However, intragroup arrangements are excluded from third‑party notification requirements in the following circumstances:

  • No external third‑party dependency: An intragroup arrangement without any external third‑party dependency is excluded from notification (except for UK RIEs).
  • Ring‑fenced bodies: For ring‑fenced bodies, an intragroup arrangement is only excluded if the provider is a permitted supplier under the PRA Rulebook.

Governance and oversight expectations

  • Governance accountability: Firms must record whether the arrangement was reviewed and approved by an SMF holder, or, if not, identify the governance committee responsible and the date on which approval was granted.
  • Ongoing assurance and due diligence:
    • Firms are expected to undertake regular risk assessments, financial due diligence, and cyber due diligence.
    • The dates and outcomes of these activities must be captured in the register.
  • Operational resilience and impact tolerance: The templates require firms to record impact tolerance information, reflecting obligations under SYSC 15A. This ensures firms can evidence how each arrangement relates to, and may affect, the delivery of important business services.
Required information for notifications and the annual register

The FCA, PRA and Bank of England use a single, common template. Firms only need to submit one material third‑party notification and one register entry to the FCA via the online reporting portal; the FCA will then transfer the submission to the PRA and the Bank of England where applicable.

Below are the full data fields included in both templates (notification and register), grouped by section.

Section 1 — Firm identification

  • Reporting date
  • Submission ID
  • Submission type
  • Firm name
  • Financial Services Register number (FRN)
  • FRN of group holding company (if applicable)
  • For contract renewals: details of any significant changes made

Section 2 — Contract details

  • Contract arrangement reference number
  • Legal name of service provider
  • Legal Entity Identifier (LEI) or “N/A”
  • Whether outsourcing or non‑outsourcing; type of service provided
  • Cloud deployment model (if applicable)
  • Short description of the product/service provided
  • Supply chain ranking
  • Date the contractual arrangement commenced
  • Date the service commenced
  • Next contract renewal date or contract end date
  • Notice period for the service provider (calendar days)
  • Notice period for the firm (calendar days)
  • Governing law of the contractual arrangement

Section 3 — Materiality and risk profile

  • Reason for materiality
  • Date of the most recent materiality assessment
  • Function category
  • Whether the arrangement supports an important business service (IBS); if so, the specific IBS and whether the provider supports a core element
  • Impact tolerances for FCA client harm and FCA market integrity (and, for dual‑regulated firms, PRA safety and soundness; PRA financial stability; and PRA policyholder protection — “N/A” if not PRA‑regulated)
  • Country where data is stored
  • Country from which the service is delivered
  • Annual contract value in GBP

Section 4 — Due diligence and governance

  • Date and outcome of the most recent risk assessment
  • Optional commentary on the risk assessment
  • Date and outcome of the most recent audit
  • Date and outcome of financial due diligence
  • Date and outcome of cyber risk (including information security) due diligence
  • Whether the arrangement complies with relevant rules and requirements; if not, how any gaps will be resolved
  • Whether the arrangement has been reviewed and signed off by an SMF holder (or, if not, which governance committee reviewed it), and the date of approval

Supply chain ranking

  • The regulators have retained the supply chain ranking requirements. As firms increasingly rely on multiple external providers to support important business services, the ranking helps regulators identify critical nodes within a firm’s supply chain.
    • Intragroup arrangements should be assigned ranking 0.
    • Where a provider has a direct relationship with the firm, it should be assigned ranking 1.
    • Where a provider supports delivery through another provider (i.e., a fourth party), it should be assigned ranking 2, and so on.
  • Firms are expected to identify the most critical elements of the supply chain, not every individual component.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2026. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published
27 Mar 2026
