FCA PS26/2: Operational incident and third party reporting

1. Overview of PS26/2: What the FCA Is Changing and Why It Matters

PS26/2 sets out the final rules from the FCA, developed jointly with the PRA and the Bank of England, on how firms should report operational incidents and significant third party risks. The package introduces two new reporting regimes:

• Operational incident reporting (SUP 15.18)
• Material third party reporting (SUP 15.19 and SUP 16.33)

These rules follow consultation paper CP24/28 and are supported by Finalised Guidance FG26/3 and FG26/4. They also create aligned definitions of operational incidents, third party arrangements and material third party arrangements, and they introduce shared reporting portals and templates across all three regulators.

2. Why the Regulators Are Acting Now

PS26/2 begins by explaining the drivers for reform. Firms are experiencing:

• Increasingly frequent and sophisticated attacks, often through their supply chains
• Greater interconnectedness across the financial sector, meaning disruptions can spread quickly
• Rapid expansion of AI enabled services, which creates new types of dependencies

Regulators need timely, structured and comparable data in order to understand how incidents affect firms and consumers, identify concentration risks in third party supply chains, and support HM Treasury in identifying potential Critical Third Parties (CTPs).

3. Key Features of the New Reporting Framework

3.1 Operational Incident Reporting

The FCA, PRA and Bank of England have agreed a shared structure based on:

• A single definition of an operational incident
• A single reporting portal (FCA Connect) and unified templates
• A two-tier reporting model

Standard reporting applies to most firms. This includes all credit unions, which will use a single short form.

And Enhanced Reporting.

3.2 Third Party Reporting

The rules introduce a shared definition of a third-party arrangement and an aligned definition of material third-party arrangements. Key elements include:

• One notification template and one register template
• One route for notifications through FCA Connect
• One route for annual register submissions through RegData

There are some scope adjustments. Third country branches only submit the annual register, not notifications. Most intragroup arrangements are excluded unless there is an external dependency.

4. Implementation Timeline

The rules take effect on 18 March 2027. Firms then have 12 months to prepare. Regulators will engage with firms during this period to support implementation and will conduct a post implementation review two years after the regime goes live.

5. What This Means for Credit Unions

5.1 Operational Incidents

Credit unions are fully in scope for operational incident reporting. They will follow the standard reporting process and use the short form in FCA Connect.

5.2 Third Party Reporting

Credit unions are not directly listed among firms required to submit third party notifications or annual registers. However, the PRA has confirmed that credit unions with assets of 50 million pounds or more must submit the annual material third party register. This brings larger credit unions into scope for the full regime.

6. Reporting Thresholds and Proportionality

PS26/2 confirms that the thresholds are deliberately high level and outcome focused. Firms must report incidents that they reasonably believe pose a risk of:

1. Intolerable consumer harm
2. Safety and soundness concerns for the firm or wider market participants
3. Risks to market stability, integrity or confidence

The language has been refined so that firms report when an incident poses a risk, not when it could cause harm. Firms may rely on reasonable belief based on the information they have at the time. There are no universal numerical triggers, but firms may create internal metrics to help apply the thresholds consistently.

7. What Counts as an Operational Incident

FG26/3 expands on the Glossary definition. An operational incident may be a single event or a set of linked events with a shared cause. It must disrupt the firm’s services or compromise the security of end-user data (i.e Member data)

Planned maintenance is not reportable unless it fails. Near misses are not captured under SUP 15.18, although other supervisory obligations may still apply.

8. What Credit Unions Must Include in a Standard Incident Report

Credit unions must submit reports through FCA Connect using the standard template. Core fields include:

• Incident status
• The trigger for reporting
• An incident description and severity rating
• Time of detection
• Actions taken and planned
• Time of resolution if known

Optional fields cover cause analysis, external involvement and attachments.
Where incidents affect multiple legal entities, each entity must make its own submission.

9. Material Third Party Arrangements: Definition and Assessment

FG26/4 provides further detail on definition and assessment –  a material arrangement is one where disruption could cause severe client harm, risks to the stability or resilience of the financial system, or concerns about the firm’s ability to meet regulatory obligations.

Typically, material services include cloud hosting, data centres, managed cyber services, payment systems and certain AI models. Services such as utilities, office services and some professional services are generally less likely to be material. Firms are expected to build their own assessment framework aligned to the Handbook definition.

10. Notifications and Annual Register Requirements

In scope firms must notify the FCA when entering into or significantly changing a material third party arrangement. They must also maintain an internal register and submit it annually through RegData. The required fields cover provider identity, service characteristics, data locations, risk assessments, due diligence, governance approvals, impact tolerances and substitutability.

The templates are Excel-based. If a field requires multiple entries, firms must create multiple rows.