Operational Resilience: Operational incident and outsourcing and third-party reporting
Thursday 20 February 2025
The FCA has published a consultation paper, CP24/28: Operational Incident and Third-Party Reporting. The FCA states that the proposals included in the consultation document aim to bolster the existing operational resilience framework by establishing a consistent, sufficient and timely framework for reporting operational incidents and material third-party arrangements.
The consultation mirrors similar proposals put forward by the PRA and Bank of England in CP17/24 and is designed to align with current international standards (e.g. the EU Regulation on digital operational resilience (DORA)). The proposals in the PRA consultation would allow the PRA to collect good quality, consistent data focusing on operational incidents and material third-party arrangements which pose the most risk to firms and the financial sector.
Chapter 2 of CP17/24 sets out proposals relating to operational incident reporting, and the PRA’s proposed expectations and requirements are found in Appendices 1 and 2. The proposed rules set out specific operational incident reporting requirements for firms, including a definition of an operational incident and clear, proportionate thresholds for reporting.
The PRA’s CP17/24 consultation closes on Friday, 14 March 2025, and the FCA’s CP24/28 consultation closes on Thursday, 13th March 2025.
ABCUL is eager to hear our member credit unions’ views on the proposals and asks that all responses are received by the close of business on Friday, 7 March 2025.
Proposed Incident Reporting Framework
The PRA intends for firms to submit operational incident reports using the FCA’s Connect portal.
For credit unions with at least £50 million in total assets, the PRA also intends for these firms to use the FCA’s RegData platform to submit and update a register of their significant third-party arrangements. This must be done at least once per year, as set out in Chapter 3 of the CP and previously set out in CP30/19.
The operational incident reporting proposals would apply to the reporting of an ‘operational incident’, which the PRA proposes to define as either a single event or a series of linked events which disrupts the firm’s operations such that it:
- disrupts the delivery of a service to an end-user external to the firm; or
- impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user.
The PRA also proposes that firms would be required to report an operational incident when it meets one or more of the thresholds set by the PRA, Regulatory Reporting Part of the PRA Rulebook and Notification Requirements in Chapter 2 of the draft new supervisory statement in Appendix 2. A non-exhaustive list of examples of operational incidents which would breach the PRA’s incident reporting threshold has been set out in the draft new supervisory statement.
These include:
- Cyber-attacks,
- Process failures,
- System update failures, and
- Infrastructure problems
The PRA therefore proposes that firms would be required to submit an operational incident report once an operational incident poses a risk to:
- The stability of the UK financial sector and/or
- The safety and soundness of the firm
Determining which operational incidents meet the PRA’s threshold will be a matter of judgement for firms. The PRA has stated that they will not be providing a definitive list of operational incidents which meet the threshold, as the same incidents can have varying impacts on different firms for a range of reasons, such as size, business model and potential impact of an incident and see whether it meets the thresholds for reporting. The PRA would expect firms to consider a range of factors when determining whether an operational incident meets the thresholds. This could include, but is not limited to, damage to the firm or the sector’s reputation or the firm being unable to provide adequate services. Further details on the risks firms should consider are set out in the draft new SS.
Where an operational incident involves the disruption of one or more important business services, the risk of breaching an impact tolerance set by the firm would provide insight into the risk posed by that operational incident. The Operational Resilience Parts require firms to set impact tolerances for important business services at the maximum tolerable level of disruption before risking the PRA’s objectives as measured by a length of time and any other relevant metrics. In line with the expectations set out in SS1/21, the PRA would expect firms to analyse the risk of breaching an impact tolerance for each operational incident which disrupts an important business service and take prompt action to manage the potential impact and steps required to improve its operational resilience.
The PRA would expect firms to report incidents meeting the thresholds set out in the PRA rules, even if these have not yet breached the impact tolerances of any affected important business services.
Approach to reporting operational incidents
When an operational incident meets the thresholds, the PRA proposes to require firms to provide the following incident reports:
- an initial incident report;
- one or more intermediate reports if there is a significant change in the circumstances of the incident; and
- a final report

As the chart above illustrates, when an operational incident occurs, firms would be required to assess whether it has met a threshold set by the PRA.
If a threshold has been met – firms would be required to submit an initial report as soon as practicable. The PRA would expect that firms submit the report within 24 hours.
If the firm has resolved the operational incident at the time of the initial report – the firm would not need to complete the intermediate report and would instead have 30 working days to submit a final report, or where this is impracticable, as soon as is practicable but not exceeding 60 working days.
If the operational incident remains ongoing when the initial report has been submitted – the firm would be required to submit an intermediate report(s) anytime there is a significant change in the incident status or impact.
As soon as practicable after the incident has been resolved – the firm would be required to submit an intermediate report informing the supervisory authorities of this change and would then have 30 working days to submit the final report, or where this is impracticable, as soon as is practicable but not exceeding 60 working days.
Initial Operational Incident Report
Rather than setting a minimum time, the PRA proposes to require firms to submit an initial report as soon as practicable after the operational incident has met the threshold. The new draft SS sets out expectations regarding the timing of the initial report submission, in which a firm would be expected to submit a report within 24 hours of determining an incident has met a threshold.
Intermediate Operational Incident Report
Firms would be required to submit an intermediate report as soon as practicable upon a significant change in the circumstances described in the most recent report submitted to the PRA. This could include, but is not limited to, a change in the impact of the operational incident or the status of the operational incident, such as the firm identifying the origin of the operational incident; the operational incident breaching another regulator’s threshold for submitting an operational incident report after the submission of the initial report; or the firm resolving the operational incident. A firm would be required to submit multiple intermediate reports if numerous significant changes occur. At a minimum, where an operational incident is not resolved at the time of the initial report, a firm would be required to complete one intermediate report to inform the PRA that it has resolved the operational incident.
In the event that a firm has resolved an incident prior to submitting an initial report, it would not be required to complete an intermediate report and can move straight to the final report stage.
Final Operational Incident Report
Once an operational incident has been resolved, a firm would be required to submit a final report within 30 working days or, where this is impracticable, as soon as is practicable but not exceeding 60 working days. Where it is impracticable to submit the final report within 30 working days, firms would be expected to contact the PRA explaining the reason as to why it is impracticable and the expected timeframe for the submission of the final report. The PRA proposes that the final report include a full assessment of the impact of the incident, the lessons learned and the identified root causes.
Outsourcing and Third-party reporting
Chapter 3 of the consultation sets out proposals relating to outsourcing and third-party reporting. In this chapter, the PRA is proposing to:
- Expand the scope of existing third-party arrangements data collections to cover both material outsourcing and non-outsourcing (‘material third-party’) arrangements.
- Require firms to submit material third-party Notifications in a standardised format, using a template which is aligned with the Register.
- Require firms to maintain and submit a Register to the PRA, ensuring this is up to date at least annually.
Firms are becoming increasingly reliant on third-party arrangements, both outsourcing and non-outsourcing, to support their operations. This reliance on third-party service providers brings potential benefits and opportunities for the sector but could also pose risks to the safety and soundness of firms and the financial stability of the UK. To better identify and address these risks, the regulators and the industry have highlighted the importance of collecting effective data on the use of material third-party arrangements.
The PRA proposes to define a ‘third-party arrangement’ as any arrangement whereby a person provides a product or service to a firm whether or not this would otherwise be undertaken by the firm itself, provided directly or by a sub-contractor, or provided by a person within the same group as the firm. To promote greater consistency in the materiality assessment criteria, the PRA proposes to include additional guidance in Chapter 5 of SS2/21 on how firms may be expected to consider the impact of a disruption or failure from their arrangements.
Determining which third-party arrangements are material will be a matter of judgement for firms. The PRA will not introduce a definitive list of material third-party arrangements.
Notifications – Out of scope for credit unions
The PRA proposes to remove non-directive firms (NDFs) from the scope of the Notifications requirements as it considers it would be unduly burdensome to collect this information from these firms. All other PRA-regulated firms would remain in the scope of the Notifications requirements.
Register – Only applies to credit unions with at least £50 million in total assets
The PRA proposes to require all credit unions with at least £50 million in assets to maintain and submit a structured register of information on all its material third-party arrangements to the PRA. This submission would be through the FCA’s RegData platform on at least an annual basis.
The information the PRA proposes to collect on firms’ material third-party arrangements is specified in the table below.
| Data Bucket | Description |
| --- | --- |
| Master data on firm submission | Information on submission references, such as type and date of submission |
| Master data on regulated firms | Details on the firm submitting material third-party arrangement information, including firm identification |
| Master data on external product or service providers, including intra-group arrangements | Details on the external product or service provider firms have an arrangement with, including the name, registered address, and legal identifiers of the product or service provider |
| Data on types of products or services being performed by an external provider | Information on the products or services being provided by an external provider, including the type and description of the product or service, whether the product or service supports an Important Business Service and the country where the product or service is being performed |
| Information on supply chain | Ranking of external providers for each product or service, including in the scope of each contractual arrangement |
| Data on assessments | Information on firms’ due diligence conducted for each arrangement, including details on risk assessments, recent audits, and governance reviews |
The PRA considers that collecting data on third-party dependencies in a consistent and structured approach will support the PRA’s objectives of promoting firms’ safety and soundness and help to avoid adverse effects on the stability of the UK’s financial sector.
Credit unions would be required to submit high-level data relating to their reporting entity details and third-party arrangements to enable the PRA to distinguish each Register or Notification submission. This data would include submission identifiers, firm reference numbers, and contractual arrangement numbers.
This submission will also allow the PRA to assess the extent of the concentrations of third-party providers supporting specific business services, e.g. platform providers, card suppliers. Those credit unions would be required to submit data relating to the types of services being performed by a third party.
Submission of Information to the PRA
The PRA has developed proposed templates for the Notifications and Register to be aligned with one another.
The data the PRA proposes to collect is summarized in the table below and the full proposed template and guidance can be found in Appendix 5 of the consultation paper.
| Data bucket | Description |
| --- | --- |
| Master data on firm submission | Information on submission references, such as type and date of submission |
| Master data on regulated firms | Details on the firm submitting material third-party arrangement information, including firm identification |
| Master data on external product or service providers, including intra-group arrangements | Details of the external product or service provider firms have an arrangement with, including the name, registered address, and legal identifiers of the product or service provider |
| Data on types of products or services being performed by an external provider | Information on the products or services being provided by an external provider, including the type and a description of the product or service, whether the product or service supports an Important Business Service, and the country where the product or service is being performed |
| Information on supply chain | Ranking of external providers for each product or service, including in the scope of each contractual arrangement |
| Data on assessments | Information on firms’ due diligence conducted for each arrangement, including details on risk assessments, recent audits, and governance reviews |
