PS7/26 – Operational resilience: Operational incident and third-party reporting

Published on 18 March 2026

1: Overview

1.1 In December 2024, the Prudential Regulation Authority (PRA) published its consultation paper (CP) 17/24 – Operational resilience: Operational incident and outsourcing and third-party reporting. In light of rising threats to operational resilience at firms and their growing reliance on externally supplied services, the CP proposed to establish a policy for the timely, accurate and consistent reporting of certain operational incidents, and notification and reporting of material third-party (MTP) arrangements.

1.2 The final policy contained in this policy statement addresses responses to the consultation and, taken as a whole, significantly reduces firm burden while still meeting the aim of enhancing firms’ operational resilience. This approach will help the PRA gain better oversight of risks arising from operational incidents and the use of third parties. The collection of operational incident and third-party data will allow the PRA to work with firms to prioritise the mitigation of operational incident impacts and potential key vulnerabilities. It will also support the identification of critical third parties (CTPs) and help assess where critical nodes of failure could arise.

1.3 Consultation responses demonstrated clear support for the PRA’s policy aims and proposals to standardise data collection for operational incidents and MTPs. Respondents supported the proposed alignment of reporting requirements with international practice and standards such as the EU Digital Operational Resilience Act (DORA) and the Financial Stability Board’s (FSB) Format for Incident Reporting Exchange (FIRE). Respondents also requested alignment between the UK authorities’ approaches where this would reduce burden.

1.4 The policy was developed jointly with the Financial Conduct Authority (FCA) and the Bank of England (the Bank) in its capacity as a supervisor of financial market infrastructure firms (FMIs) (collectively, the supervisory authorities).

1.5 In feedback to specific responses, the PRA has made changes to the proposed policy and reporting templates, which it considers provide greater proportionality and reduce compliance burden for firms. The key changes are:

  • Updating and clarifying the approach to MTP reporting policy through amending the rule on notification.
  • Amending the scope of MTP notification requirements to exclude credit unions with less than £50 million in assets and all third country branches.
  • Reduced reporting burden by updating and refining the MTP reporting templates to ensure full alignment across supervisory authorities. The register and notification templates have been separated to provide firms with further flexibility and the number of data fields in the reports reduced. To support easier submission, the PRA and the FCA have developed a single platform for notification, FCA Connect.
  • Updated and refined the incident report to limit reporting burden by merging the three proposed initial, interim and final incident reports into one report. The new single report has been fully aligned across supervisory authorities and with international standards. The report has been simplified further by removing a number of fields and making more fields optional.
  • The PRA has further clarified how firms should identify MTP arrangements by setting out further expectations and examples in supervisory statement (SS) 2/21 – Outsourcing and third party risk management.
  • Further clarity provided on operational incident reporting by improving guidance on the interpretation of the reporting thresholds, timings for reporting and minor policy changes to ensure further alignment across supervisory authorities.

Table 1: Comparison of consultation proposals and final policy (CP17/24 and PS7/26)

What

CP17/24 proposal

  • Operational incident reporting: Report operational incidents that meet the individual authorities’ thresholds (for the PRA, this is safety and soundness, financial stability and policyholder protection).
  • MTP reporting (notifications): Notify the PRA of MTP arrangements which, due to the risks, necessitate a high degree of due diligence, risk management or governance by the firm.
  • MTP reporting (register): Report an annual register of all MTP arrangements.

PS7/26 policy

  • MTP reporting (notifications): Notify all MTP arrangements.

When/how

CP17/24 proposal

  • Operational incident reporting: As they occur, submitting three separate reports: initial, intermediate and final. Via FCA Connect.
  • MTP reporting (notifications): Ahead of entering into or significantly changing arrangements. Via email to supervisor.
  • MTP reporting (register): Annual submission. Via FCA RegData.

PS7/26 policy

  • Operational incident reporting: As they occur, submitting a single form that is completed over three phases: initial, intermediate and final. Via FCA Connect.
  • MTP reporting (notifications): Ahead of entering into or significantly changing arrangements. Via FCA Connect.

Who

CP17/24 proposal

  • Operational incident reporting:
    • UK banks, building societies, PRA-designated investment firms and branches of overseas banks (‘banks’); and
    • UK Solvency II firms, the Society of Lloyd’s and its managing agents (‘insurers’).
  • MTP reporting (notifications):
    • UK banks, building societies, PRA-designated investment firms and branches of overseas banks (‘banks’); and
    • UK Solvency II firms, the Society of Lloyd’s and its managing agents (‘insurers’).
  • MTP reporting (register):
    • UK banks, building societies, PRA-designated investment firms (‘banks’);
    • UK Solvency II firms, the Society of Lloyd’s and its managing agents (‘insurers’); and
    • UK credit unions with at least £50 million in total assets.

PS7/26 policy

  • MTP reporting (notifications):
    • UK banks, building societies, PRA-designated investment firms (‘banks’);
    • UK Solvency II firms, the Society of Lloyd’s and its managing agents (‘insurers’); and
    • UK credit unions with at least £50 million in total assets.
  • MTP reporting (register):
    • UK banks, building societies, PRA-designated investment firms (‘banks’);
    • UK Solvency II firms, the Society of Lloyd’s and its managing agents (‘insurers’); and
    • UK credit unions with at least £50 million in total assets.

1.6 This PS provides detailed feedback to responses the PRA received to the consultation. It also contains the PRA’s final policy, as follows:

  • amendments to the Reporting Part of the PRA Rulebook (Appendix 1);
  • amendments to the Notifications Part of the PRA Rulebook (Appendix 1);
  • PRA’s new SS1/26 – Operational resilience: Incident reporting (Appendix 2); and
  • updated SS2/21 – Outsourcing and third party risk management (Appendix 3).

1.7 The sections of this PS that deal with operational incident reporting are relevant to all UK banks, building societies, PRA-designated investment firms and branches of overseas banks (‘banks’), and UK Solvency II firms, and the Society of Lloyd’s and its managing agents (‘insurers’). The section of this PS that deals with outsourcing and third-party reporting is relevant to all PRA-regulated firms.

Background

1.8 Currently, firms are required to notify the PRA of certain incidents and material outsourcing arrangements in accordance with PRA Fundamental Rule 7, and the General Notification Requirements in Chapter 2 of the Notification Part of the PRA Rulebook. Under SS2/21, banks are expected to maintain a register of their outsourcing arrangements. In CP17/24, the PRA proposed to:

  • Introduce new requirements and expectations for the reporting of certain operational incidents to the PRA. These set thresholds above which an operational incident must be reported, introduced a three-phased approach to reporting, and set out the information a firm would be required to provide in each phase.
  • Amend the scope of Notifications Rule 2.3(1)(e) to capture notifications of firms’ MTP arrangements and amend Notifications Rule 2.3(1)(e) and Notifications Rule 2.3(1) to reflect that not all MTP arrangements may be considered a ‘restructuring, reorganisation or business expansion’. 
  • Set out new rules and expectations for firms to maintain and submit to the PRA a structured register of information on MTP arrangements.
  • Introduce standardised reports for the submission of MTP notifications and the register.

1.9 In determining its final policy, the PRA considers representations received in response to CP17/24, publishing an account of them and the PRA’s feedback. Details of any significant changes are also published.

Summary of responses

1.10 The PRA received 35 responses to the CP. The names of respondents to the CP who consented to their names being published are set out at Appendix 9. As well as those who consented, the PRA received responses from 12 respondents who did not consent to the PRA publishing their names.

Changes to the draft policy

1.11 The PRA has made a number of changes to the final policy following responses to the consultation, where doing so reduces burden on firms while continuing to advance the safety and soundness of firms, policyholder protection and financial stability.

1.12 The following changes have been made to the draft rules and related policy materials:

  • changes to the Notification Part to reflect the decision to amend the scope of the policy as it applies to credit unions, to require firms to submit notifications on all MTPs and to exclude intragroup arrangements that do not involve an external provider (with the exception of ring-fenced bodies);
  • changes to the Reporting Part to reflect the decision to require firms to submit a single report and update or submit further information over the intermediate and final phases;
  • changes to Chapter 5 of SS2/21 to reflect the changes to the Notification Part and provide clarity on how firms are expected to identify MTPs, including further guidance and examples;
  • changes to SS1/26 to:
    • amend the phased approach to reflect the change from three individual incident reports to a single report;
    • clarify terms within the Operational Incident definition including ‘end user external to the firm’ and ‘a series of linked events’;
    • improve guidance on the interpretation of the reporting thresholds; and
    • provide further examples of an operational incident that would meet the PRA’s thresholds;
  • changes to the incident reporting fields document and MTP templates; and
  • minor changes to the definition of ‘third-party arrangement’ in the Glossary.

2: Feedback to responses

2.1 This chapter sets out the PRA’s feedback to the representations received in response to the CP, and its final decisions.

2.2 The PRA’s feedback to responses has been grouped as follows:

  • policy aims and objectives;
  • Cost Benefit Analysis (CBA);
  • operational incident reporting; and
  • material third-party arrangements.

Policy aims and objectives

Operational incident reporting

2.3 Respondents generally supported the policy aims and objectives and the proposed approach to operational incident reporting. They welcomed alignment with international standards, such as the FSB’s FIRE, and interoperability with the approach in the EU’s DORA, and efforts to standardise data collection.

2.4 Several respondents emphasised the value of sharing thematic reports and data analysis on reported incidents and lessons learned across industry. Three respondents suggested that the PRA should leverage thematic analysis already conducted across a variety of industry bodies as it would not be proportionate to divert resources dedicated to incident management for the purpose of data collection.

2.5 The PRA confirms that it plans to use the data collected to understand operational resilience vulnerabilities and risks at both individual firm and industry levels more fully. The PRA will, where appropriate, share anonymised aggregated findings on industry-wide trends. The PRA considers that it is appropriate to use the data both to monitor and respond to potential risks arising from operational incidents and for the purposes of thematic analysis.

2.6 Respondents requested clarification on how the CTP incident reporting requirements interact with the operational incident reporting requirements for firms and how supervisory authorities would respond to the disruption of a CTP, or other third party, with systemic implications. In such cases, the PRA would engage individually with the CTP and the individual firms to effectively monitor and supervise the incident. Under the requirements, in the event that an operational incident occurs at a CTP, the PRA would receive reports from both individual firms, when they assess the operational incident has met the reporting thresholds, and the CTP. The PRA expects that both the CTP and the affected firms would have unique information and insights about the incident.[1]

Material third-party reporting

2.7 In the CP, the PRA proposed to expand the scope of existing data collections on third-party arrangements. The PRA proposed to use data collected to aid better identification of risks posed by third-party service providers and support its recommendation of potential CTPs to be designated by HMT.

2.8 Respondents welcomed the PRA’s aims to standardise the collection of MTP arrangements and formalise requirements for the register. They supported intentions to improve consistency and clarity. Additionally, the PRA received broad support on its proposal to use MTP data to aid CTP designation recommendations to HMT. Respondents also broadly supported the PRA’s proposals to align, where possible, with international regimes, including the EU’s DORA. In feedback to responses, the PRA has made a number of changes to the policy to provide further proportionality and reduce burden on firms.

Cost Benefit Analysis (CBA)

2.9 The PRA received 19 responses regarding its CBA of the proposals. Respondents generally agreed that there were benefits to the reporting requirements. However, several respondents questioned whether the benefits of the policy as proposed would outweigh the costs, which they thought could be higher than estimated. A number noted the need for new systems while others raised concerns about ongoing triage and governance costs. Some respondents noted that implementation costs for EU DORA were much higher than the PRA’s estimated costs of its policy proposals, and others contended that costs would be high for small firms.

2.10 Having considered responses to the consultation, while the PRA recognises concerns about costs (and has taken significant steps outlined in this PS to reduce them), it considers its methodology and assumptions for the CBA to be sound. Estimates for costings have been based on historical reporting costs as well as information provided by a random sample of firms that would be in scope of the policy. Respondents did not provide new quantitative evidence that would enable the PRA to revise the CBA.

2.11 The PRA maintains that the benefits of the policies are significant and should outweigh the costs of implementation. It considers that this is now by a greater margin than envisaged in the original proposals, given the cost reductions resulting from the changes in the final policy. These include:

  • Excluding credit unions with less than £50 million in assets from the MTP notification requirements.
  • Reducing the amount of information firms need to provide in the incident reporting and MTP templates by removing some data fields, and through greater use of tools such as pre-population in FCA Connect and RegData.
  • Further aligning the definitions of operational incidents and MTPs between the supervisory authorities and the FSB’s FIRE.
  • Clarifying and aligning the PRA’s approach for the reporting of intragroup arrangements.
  • Aligning technology platforms among the supervisory authorities. This allows MTP notifications, in addition to operational incident reports and the MTP register, to be shared automatically, eliminating the need for firms to make multiple submissions.
  • Clarifying that the ‘factors to consider’ for operational incident reporting are to aid firms in understanding the reporting thresholds.
  • Clarifying that firms can use existing internal processes to help assess whether an incident meets the PRA’s thresholds for reporting.

2.12 Benefits are expected to arise from the PRA’s enhanced ability to identify and understand operational resilience threats to individual firms and the broader financial sector. Moreover, the PRA will have an improved understanding of potential systemic vulnerabilities arising from concentrated use of third-party suppliers. The PRA can use the data to work with firms to prioritise the mitigation of operational incident impacts and potential key vulnerabilities. Third-party data would be used to support the identification of CTPs and assess where critical nodes of failure could arise.

Operational incident reporting

Scope

2.13 The scope of operational incident reporting will be retained as initially proposed. Three respondents noted that proposed UK regulatory requirements for the reporting of operational incidents with regards to credit unions varied across the supervisory authorities, increasing the complexity of compliance. In feedback to the responses, the PRA has decided to maintain the scope as consulted upon. The FCA has revised its policy to remove credit unions from the scope of its enhanced operational incident reporting requirements.

Definition

2.14 The PRA proposed to define an operational incident as either a single event or a series of linked events, which disrupts the firm’s operations such that it:

  • disrupts the delivery of a service to an end user external to the firm; or
  • impacts the availability, authenticity, integrity, or confidentiality of information or data relating or belonging to such an end user.

2.15 Eight respondents supported the proposed definition of an operational incident, suggesting it is proportionate and aligned with their systems. A few respondents commented on the differences between the PRA and FCA definitions in their respective consultation papers, suggesting alignment to reduce costs for firms. Ten respondents also asked whether the PRA and FCA are aligned on ‘near-misses’ and whether firms should only report incidents having a crystallised impact.

2.16 In feedback to the response, in its final policy, the FCA has aligned its definition with the PRA’s. The FCA and PRA are also aligned on the approach to ‘near misses’: firms would not be expected to report potential or uncrystallised events. The PRA has clarified its expectations in paragraph 2.8 of SS1/26.

2.17 Eight respondents asked the PRA to define the term ‘end user external to the firm’. Respondents noted that the term was not clear, or that it is not currently in use in the PRA Rulebook. The PRA has opted to not define the term in the Rulebook and has instead included a description of end user external to the firm in paragraph 2.4 of SS1/26. This approach is consistent with expectations set out in SS1/21 – Operational resilience: impact tolerances for important business services.

2.18 Four respondents asked the PRA to define the term ‘a series of linked events’ and requested examples. The PRA has updated its guidance in paragraph 2.3 of Chapter 2 in SS1/26 and included a description of a series of linked events and relevant examples. The PRA removed the reference to the PRA thresholds initially provided in CP17/24 as firms should consider separately whether an incident meets the definition of an operational incident and reporting thresholds.

2.19 Respondents asked the PRA to consider adding the term ‘unplanned’ disruption to the definition of an operational incident. The PRA has decided to not include ‘unplanned’ in its definition given the high threshold for reporting. The operative issue for the PRA is whether an incident is material enough to pose a risk to its objectives. That said, it considers that planned disruptions – where services are temporarily interrupted but risks are adequately managed – are generally unlikely to meet the threshold for being a reportable operational incident.

Important business services

2.20 In CP17/24, the PRA noted it would require firms to report incidents meeting the thresholds set out in the PRA rules, even if these have not yet breached the firm’s impact tolerances or affected any important business services.

2.21 Seven respondents requested that the PRA change the definition of an operational incident to a material disruption affecting important business services. One respondent noted that there could be two different regimes: one related to important business services for firms in scope of operational resilience requirements and one for firms out of scope of operational resilience.

2.22 The PRA has considered responses and whether changing the definition would contribute to reducing the burden on firms. However, a focus only on important business services would risk limiting supervisory oversight. An operational incident could affect a service not classified as an important business service and still pose a risk to the PRA’s objectives. To clarify its approach, the PRA has updated its guidance in paragraphs 2.6 and 2.7 of SS1/26, including examples of reportable incidents.

Reporting thresholds

2.23 The PRA proposed that firms (where the firm is a systemically important institution or where the firm is a relevant Solvency II firm) would be required to submit a report once an operational incident poses a risk to:

  • the stability of the UK financial sector;
  • the safety and soundness of the firm; and/or
  • (for insurers) the appropriate degree of policyholder protection.

2.24 Firms may use their internal processes to assess whether an incident meets the thresholds and may consider a range of factors to make the assessment, as listed in the draft SS.

2.25 The PRA received 12 responses on interpreting the reporting thresholds and the factors listed in SS1/26. Several respondents expressed concerns that using internal processes to assess whether an incident is reportable might be subjective and lead to over-reporting. They suggested prescriptive thresholds, aligned with the EU DORA. By contrast, other respondents noted that the judgement should be left entirely to firms and their metrics, and the PRA should consider removing the factors entirely.

2.26 Respondents asked for clarification on the interpretation of certain threshold factors. Some argued that legal and regulatory obligations and reputation were too speculative, and firms could not assess their long-term impacts. Others suggested removing operational and financial contagion as it would require extensive knowledge of the incident’s operational impact on other firms. Respondents also asked for further alignment between the FCA and PRA on threshold factors. A few asked the PRA to provide additional examples.

2.27 Having considered this response, the PRA has decided to maintain the current approach to assessing the reporting thresholds and the factors. The PRA considers that flexibility is important as the same operational incident may have varying impacts and scale across regulated firms. This will likely depend on the size, business model, and services or customer base of the firm.

2.28 Acknowledging respondents’ concerns, the PRA has provided further guidance on the interpretation of the reporting thresholds. The PRA has amended its expectations to clarify that the factors are simply guidance on how firms may interpret the thresholds and do not constitute an exhaustive or prescriptive list. This has been added in paragraph 3.4 of SS1/26.

2.29 Furthermore, the PRA has amended its guidance relating to the threshold factors from the draft SS. This includes clarifying expectations for how firms should approach considering operational and financial contagion, as well as assessing reputational impact.

2.30 The PRA recognises that, in the early stages of incident response, a firm may not have a complete view of the incident’s long-term implications. The threshold assessment should be based on the information available at the time. The PRA has clarified this expectation in paragraph 3.5 of SS1/26.

2.31 The PRA considers operational and financial contagion are key indicators of risks to financial stability. The PRA expects other systemically important institutions and relevant Solvency II firms to assess the risk to financial stability following a disruption to a business service. This specifically applies where there is potential to cause knock-on effects for counterparties under operational resilience expectations. The PRA has also clarified that it does not expect firms to have a complete view of the wider systemic impact when assessing the impact of an operational disruption. This guidance has been added under paragraph 3.9 of SS1/26.

2.32 In feedback to the responses, the PRA has clarified that informing the firm’s senior management of ongoing high-priority incidents is considered good practice, but it would not constitute a high level of internal escalation. The PRA has also clarified its expectations on the interpretation of the factor under paragraph 3.21 of SS1/26.

2.33 The PRA considers the examples given to be general guidance of what could be considered reportable; however, this should be considered on a case-by-case basis by firms. The PRA has included additional examples for some threshold factors under paragraphs 3.10, 3.13, 3.16 and 3.22 of SS1/26.

Phased approach

2.34 The PRA proposed that, when an operational incident meets the thresholds, firms would be required to submit an initial report, one or more intermediate reports if there is a significant change in the circumstances of the incident, and a final report.

2.35 To reduce duplication and streamline user experience on FCA Connect, the supervisory authorities have revised the reporting approach. In place of three reports, firms will be required to submit a report at the initial phase and update the report across the intermediate and final phases of an incident. The timings for each phase remain as consulted upon. The PRA has set out its expectations for phased reporting in SS1/26.

2.36 One respondent asked for clarification on the notification requirements and whether this will affect engagement with supervisory teams. Operational incident reporting does not replace the notification requirements under Fundamental Rule 7 and the General Notification requirements in Chapter 2 of the Notification Part. The PRA has amended paragraph 4.4 of the SS to clarify that incident reporting may not replace all supervisory engagement, and direct communication may still be needed depending on the incident.

2.37 One respondent asked for clarification on enforcement, and the consequences of failing to report an incident within the specified timeframes. The PRA confirms it takes a proportionate approach to enforcement and will consider the individual circumstances of each firm and incident.

Initial phase

2.38 Eight respondents asked the PRA to confirm firms will not be expected to divert resources from response operations for incident reporting. These respondents also asked if firms could submit a single incident report to both the PRA and FCA where it meets both regulators’ thresholds. A few noted that the reporting fields document only allowed firms to make a single selection for the report to be relevant to the FCA, PRA or the Bank and asked for this to be amended to reduce burden.

2.39 While recognising the need to inform the supervisory authorities promptly, the PRA expects firms to prioritise actions to resolve and recover from operational incidents. The initial phase has been designed to gather only essential information, which can be updated with additional information during the intermediate and final phases. This approach enables firms to prioritise resolving the incident. Firms can submit a report to the PRA and FCA jointly to reduce the reporting burden, if they assess both the respective thresholds have been met. To improve guidance for firms, the PRA and FCA have included joint examples of reportable incidents meeting both supervisory authorities’ thresholds. This has been added under paragraph 3.7 of SS1/26.

2.40 Four respondents requested clarification on the alignment between the PRA and FCA’s initial report timelines. Four respondents commented that there were circumstances where longer than 24 hours would be needed to submit an initial report because data may not be available, for example, where this is reliant on third parties.

2.41 The PRA and FCA are aligned on the timelines for the submission of the report in the initial phase. Firms are required to submit a report as soon as reasonably practicable, and the PRA expects this to be within 24 hours of the firm determining an operational incident has met the threshold. The PRA acknowledges that, in circumstances where an incident requires all the firm’s resources to address the incident, a firm may take longer than 24 hours to submit a report, as outlined in paragraph 4.5 of SS1/26.

Intermediate phase

2.42 Four respondents suggested that the requirement to potentially submit multiple reports at the intermediate phase may be too onerous. Other respondents suggested amending the examples of significant changes, including removing some examples. Four respondents disagreed with some of the proposed examples to describe what constitutes a significant change and suggested removing examples such as the activation of a business continuity plan or the incident breaching another supervisory authority’s reporting thresholds.

2.43 The PRA recognises that firms may, in some circumstances, have to submit new or updated information during the intermediate phase multiple times. However, the PRA wishes to clarify that the bar for the submission of new or updated information during the intermediate phase remains high. The PRA considers that the use of a single report, rather than three individual reports, should reduce firm burden by making it clearer where updates or changes are required. The PRA also notes that the examples listed under paragraph 4.9 of SS1/26 are intended to be high-level guidance and are not prescriptive. Firms may consider these examples when assessing whether to submit an intermediate report, but this may vary on a case-by-case basis.

Final phase

2.44 Several respondents expressed concerns about the required timeframe for submitting a final incident report. Six respondents indicated that the 30-working day deadline may not provide sufficient time to complete post-incident reviews, and four noted that even a possible extension to 60 working days could be insufficient.

2.45 The PRA has decided to maintain the timeframe for the submission of the final report as consulted upon, noting that this will now take the form of an update rather than a new report. The PRA expects firms to submit the required information for the final phase within 30 working days of resolving the incident unless there are circumstances that mean additional time is required. Such instances could include where an incident is of such complexity that additional time is required to substantiate the root cause of an incident, or where the firm is reliant on another party to provide the required information, as outlined in paragraphs 4.14 and 4.15 of SS1/26. The PRA considers that, where additional time is required, a further 30 working days (60 working days in total) is sufficient.

Operational incident data

2.46 Six respondents commented that the data requested in the initial report was extensive and burdensome, and asked for some fields to be moved to the intermediate report. To address these responses, the PRA has reduced the number of required fields at the initial phase of the incident. In addition, a number of fields have been removed entirely from the incident report. Further detail can be found in Appendix 4: Reporting fields document.

2.47 Some respondents asked the PRA to confirm it was acceptable for firms to provide updated and more detailed information as an incident progressed and whether firms may use best-efforts or estimates. The PRA considers that information may be imprecise at the initial phase of an incident but increase in quantity and accuracy in the intermediate and final phases. The PRA has clarified its expectations under paragraph 4.7 of SS1/26, indicating that a firm should take reasonable steps to collect the best available data at the time of submission, and may gain a more accurate view as the incident progresses.

2.48 The PRA has amended the Reporting Fields Document in feedback to responses and to reflect the final FIRE report published in April 2025. The amendments are listed by initial, intermediate and final phases in Appendix 4: Reporting fields document.

Governance

2.49 One respondent requested clarification on the proposals for operational incident reporting and its interaction with the Senior Managers and Certification Regime. They asked if the SMF24 would have responsibility for meeting the outcomes of the policy and how the senior manager would be capable of discharging their duties. One respondent suggested that all incident reports should require the approval from the Senior Management Function (SMF) 24.

2.50 In feedback to the response, the PRA has outlined expectations for governance under Chapter 5 of SS1/26. The PRA would expect the Chief Operations SMF24 to hold overall responsibility for implementing the outcomes of the PRA’s incident reporting requirements and expectations. Where a firm does not have an SMF24, a firm should clearly allocate these responsibilities to a suitable SMF or SMFs. The PRA has also clarified that it does not expect the SMF24 to approve the submission of incident reports, and firms should structure oversight in the most effective manner for their business.

Material third-party arrangements

Scope

2.51 Three respondents noted that proposed UK regulatory requirements for the reporting of MTPs with regard to credit unions varied across the supervisory authorities, increasing the complexity of compliance. The PRA proposed in the consultation to exclude credit unions with less than £50 million in assets from the MTP register requirements, considering this unduly burdensome.

2.52 To take a more proportionate approach to supervising risk arising from the use of third parties and limit reporting burden, the PRA has amended the policy to exclude smaller credit unions from the requirement to notify the PRA of MTP arrangements given the relatively lower risk they pose to the broader financial system. The PRA has therefore amended the scope of the notification requirements to apply to only those credit unions with more than £50 million in assets.

2.53 The PRA has also amended the policy to exclude third country branches from the notification requirements given the PRA’s policy is to only allow branches to operate where it has effective cooperation and information sharing with the home state supervisors. Nonetheless, branches remain responsible for the risks associated with services provided by the groups to which they belong, and should be able to provide sufficient information on risks in the group as set out in Box 1 of SS5/21.

2.54 The scope of the MTP register reporting will be retained as initially proposed, which excludes third country branches. The FCA will share data from the registers it collects from third country branches with the PRA. This will allow both authorities to understand the third-party landscape and help to inform CTP designation recommendations.

Definitions

2.55 As part of its proposal to expand the scope of its data collections from material outsourcing arrangements to all MTP arrangements, the PRA proposed to introduce definitions for ‘third-party arrangement’ and ‘material third-party arrangement’ in the PRA Rulebook.

2.56 Twelve respondents agreed with the definition of a ‘third-party arrangement’. A few respondents requested minor changes or the removal of references to third-party arrangements within group structures or subcontractors. The PRA and FCA have made some minor amendments to the third-party arrangement definition in the Glossary to further align and provide consistency for firms. The PRA considers that the use of products or services from within the group constitutes a third-party arrangement, as do those supplied by subcontractors, and therefore has retained the reference in the definition.

2.57 One respondent asked for clarification on whether the focus of the third-party arrangement definition is on the service provider itself, rather than the use of a business referral. The PRA can confirm that business referrals would not be included in the definition of a third-party arrangement.

2.58 Five respondents asked the PRA and FCA to further align their respective definitions of MTP arrangements. Three respondents suggested that the PRA’s definition of MTP arrangement was too broad. Having considered feedback, the PRA has decided to maintain the materiality criteria within the definition as consulted upon. The PRA and FCA consider that while the materiality criteria must remain specific to each supervisory authority, the respective policies and definitions are aligned in substance. The design and goals of the respective policies are the same, while respecting the different objectives and legal frameworks.

2.59 Six respondents asked for the PRA to provide further clarity through guidance and examples for how firms should identify MTPs. One respondent did not agree with the proposal for firms to make the judgement as to whether an arrangement is material. Following feedback, the PRA has amended Chapter 5 of SS2/21 to provide clarity on how it expects firms to identify MTPs, including by providing further guidance and examples. The PRA considers that it is more proportionate to give firms the flexibility to take responsibility and ownership of this judgement as opposed to prescribing detailed requirements for materiality. This approach should also help ensure that firms do not submit reports on third parties that they do not consider to be material.

2.60 Four respondents requested clarity on intragroup arrangements and whether these arrangements should be classified as material. Two of these noted that the PRA and FCA diverged on this issue in the consultation proposals and asked for the supervisory authorities to align. In feedback to the consultation responses, the PRA has amended the Notification Part and the Reporting Part to state that intragroup arrangements do not need to be notified or included in the register submission unless the person providing the intragroup arrangement has entered into an arrangement with a person outside the group for the provision of that product or service to the firm. Where the firm is a ring-fenced body, this applies only if the person providing the product or service is a permitted supplier. This approach has been aligned with the FCA’s. The PRA considers this approach to be proportionate while also ensuring it has sufficient oversight of risks posed by these arrangements to its objectives.

2.61 Two respondents requested further clarity on non-core services and how to consider these as part of the materiality assessments. The PRA can clarify that non-core services should not be considered material, as they are those that, when disrupted, would not result in a service being significantly impacted, interrupted or damaged. Hence, the disruption can be resolved quickly and with minimal impact on the service. Further detail on non-core services can be found in paragraph 5.13 of SS2/21.

2.62 Two respondents noted that expanding reporting requirements to include MTPs could result in a considerable burden for firms, with one stating that arrangements should only be classified as material if they support an important business service. The PRA confirms that firms are only required to submit information on third parties they assess pose significant risk to the PRA’s objectives. The PRA considers this approach balanced, giving firms the flexibility to determine their own MTP arrangements, in line with provided guidance, while also promoting clarity and consistency with a standardised template.

2.63 One respondent was concerned that the proposed MTP arrangement rules might overlap with outsourcing requirements. The PRA can clarify that the notification requirements for MTP arrangements will supersede those for material outsourcing notifications.

2.64 One respondent noted that the proposal for third-party arrangements to be considered material, if they pose a risk to policyholder protection (in the case of insurers), overlooks the shared responsibility model. The PRA considers it important to clarify that the risk to policyholder protection lies with the firm, and that the firm must take this into account when entering third-party arrangements.

Notification

2.65 The PRA proposed to amend the scope of the Notifications Part to capture material non-outsourcing third-party arrangements as well as material outsourcing arrangements. The CP set out proposals on where firms would be required to submit notifications upon entering, or significantly changing, an MTP arrangement which, due to the risks, necessitates a high degree of due diligence, risk management or governance by the firm.

2.66 Three respondents supported the PRA’s approach to MTP notifications. Ten respondents requested that the PRA and FCA align their approach to notifications due to the complexity of complying with differing requirements. Of these, four respondents asked that the PRA align its approach with the FCA, while one asked for the FCA to align with the PRA.

2.67 Following these responses, the PRA considers that it would improve consistency and reduce burden on firms to align with the FCA by requiring firms to submit notifications when entering into or significantly changing an MTP arrangement. Accordingly, the PRA has amended Rule 2.3B of the Notifications Part and Chapter 5 of SS2/21. To further limit reporting burden on firms, the PRA has worked with the FCA to establish a single platform for notification submissions. Firms must now submit MTP notifications to the PRA through FCA Connect. This approach ensures greater consistency and minimises the burden of submitting notifications to both the PRA and the FCA.

2.68 Two respondents requested that the PRA clarify timelines for reviewing notification submissions and issuing a response. Another respondent requested clarity regarding when firms should submit notifications. As set out in paragraph 5.23 of SS2/21, firms are expected to assess the materiality of planned third-party arrangements sufficiently early to notify the PRA, to enable the PRA to follow up if required. Firms should provide additional information regarding the arrangement if requested to do so and implement follow-up action if needed. As the framework is new to both firms and the PRA, the PRA is not setting specific timelines for firms to submit notifications or when the PRA will review them.

2.69 The PRA also wishes to clarify that the notification process is not an approval process. The PRA is unlikely to respond to submissions where the PRA does not need additional information or for the firm to implement follow-up action as set out in Chapter 5 in SS2/21.

2.70 One respondent asked whether the notification requirements apply solely to new or changing arrangements, or retrospectively to existing arrangements. Another asked the PRA to clarify whether they will need to resubmit the whole MTP register each time a notification is required. The PRA can confirm that the notification requirements would only apply to new or changing arrangements and that it does not expect firms to submit the register each time a notification is required. Firms are only required to submit the register on an annual basis.

2.71 One respondent requested that the requirement for firms to notify a significant change in an arrangement be removed as such changes could vary widely. Three respondents requested clearer guidance on when to notify supervisory authorities when there has been a 'significant change'. The PRA considers that the notification requirement for a significant change in an MTP arrangement is proportionate and ensures that the PRA has oversight of potential risks arising from significant changes to an arrangement. The PRA has set out further guidance and provided examples of a significant change in paragraph 5.8 of SS2/21.

Register

2.72 The PRA proposed that firms submit a register of all their material third-party arrangements on an annual basis via FCA RegData.

2.73 Two respondents expressed concerns regarding the potential burden of completing and submitting the register on an annual basis. The policy seeks to ensure firms have adequate time to review and update data without risking it becoming outdated. The PRA considers that updating the register at least once a year achieves this balance.

2.74 Two respondents asked for clarification on how to submit the register to FCA RegData. The PRA can confirm that firms will be required to complete the template and upload it to FCA RegData on an annual basis.

2.75 One respondent requested firms be given a transitional period to complete the register. The PRA can confirm that firms will have until March 2027 before the requirements come into force.

2.76 One respondent asked if the register requirements apply to all third-party arrangements or just those classified as material. The PRA can clarify that only MTP arrangements need to be submitted via the register, though firms may keep registers of all third-party arrangements if they choose.

2.77 One respondent questioned whether the register requirements applied at the holding company level. The PRA can confirm that the individual entity is responsible for the register requirements.

Information to be submitted to the PRA

Template

2.78 CP17/24 proposed a reporting template to be used by firms for the notifications and register submissions. To provide consistency and reduce reporting burden on firms, the PRA developed the templates to be interoperable where possible with similar regimes, such as the EBA Outsourcing Guidelines and Article 28 of the EU’s DORA.

2.79 The PRA received broad support from firms regarding the introduction of standardised reporting templates. Respondents also supported efforts to align the templates with similar regimes as much as possible.

2.80 Five respondents requested that the PRA and FCA align the MTP reporting templates. One respondent asked for clarity on whether there is a single template between supervisory authorities or different templates. The PRA can confirm that the supervisory authorities have fully aligned reporting templates for all firms in scope of the policy.

2.81 A respondent requested clarification on whether the same template would be used for both notifications and the register. Some indicated that using a single template could present difficulties, as firms might not have all necessary data at the time of notification. The PRA has reviewed the responses and has revised the policy to provide two separate templates: one for notification and one for the register. Although the data fields are consistent across both templates, some fields in the notifications template are now optional. Additional information is available in Appendix 8: Changes to the material third party reporting templates.

2.82 A respondent sought clarification on which third-party relationships should be included in the template, specifically outsourcing versus non-outsourcing. The PRA clarifies that all MTP arrangements – outsourcing or non-outsourcing – must be listed in the register. Further details on assessing materiality are provided in Chapter 5 of SS2/21.

2.83 Three respondents considered the templates were too burdensome to complete due to the amount of data being requested and the requirement for a new row for each entry. One respondent suggested the creation of a cross-industry subject expert group to agree a reporting template along with accompanying guidance to ensure compliance. The PRA has removed numerous data fields to reduce reporting burden and amended the templates and guidance to improve clarity. Regarding rows, the PRA has decided to maintain its current approach to ensure that firms can submit consistent data on each arrangement. While the PRA supports industry cooperation, it does not consider that an industry-developed template would be appropriate due to the supervisory authorities’ needs to collect certain data to achieve their policy aims.

2.84 Four respondents expressed concern over the requirement to provide a Legal Entity Identifier (LEI) number. Following feedback, the PRA has provided firms with the option to choose ‘N/A’ if an MTP does not have an LEI number. The PRA considers this provides firms with more flexibility while also ensuring consistency for the purpose of identifying the third-party provider.

2.85 One respondent expressed concern that firms may be limited in the information they can obtain from third parties, which may mean they cannot complete the templates. Another stated that open field questions may cause firms to speculate on the level of detail required. The PRA considers it important to clarify that a firm must take reasonable steps to obtain information from third parties to complete the templates. It also states that a small number of open field questions are required to allow firms to provide further detail and contextual information.

2.86 One respondent stated that the taxonomies proposed were not relevant for PRA-regulated firms that are not subject to DORA. While taxonomies proposed in the templates have been aligned with DORA to provide consistency for firms subject to these requirements, the PRA considers that the taxonomies are also relevant to those that are not subject to these requirements.

2.87 Six respondents sought clarification about the process for ranking the supply chain and requested additional guidance. Three respondents did not agree with the proposal for firms to rank the supply chain. Having considered the responses, the PRA has decided to retain the ranking requirements and notes that the approach is aligned with DORA as much as possible. Firms are increasingly using third parties to support important business services and many of these arrangements rely on multiple third parties. The Rank columns also allow the PRA to identify critical nodes within the supply chain.

2.88 Further comments regarding specific data fields within the reporting templates have been addressed in Appendix 8: Changes to the material third party reporting templates.

Reporting solution

2.89 The PRA received broad support for the proposal for firms to submit their register using FCA RegData. Respondents noted that it would reduce duplicative reporting between supervisory authorities.

2.90 One respondent asked whether all information for the register would need to be submitted on FCA RegData and whether information will be shared across supervisory authorities. The PRA can confirm that the register must be submitted via FCA RegData and, where appropriate, will be shared across supervisory authorities.

2.91 One respondent expressed concerns about the security of FCA RegData, suggesting that the use of a single point of submission would create a vulnerability. The FCA implements and maintains robust technical and organisational measures to protect the confidentiality, integrity, and availability of information in line with its statutory obligations under the Financial Services and Markets Act 2000 (FSMA). These measures are aligned with recognised security frameworks, including ISO 27001 and the NIST Cybersecurity Framework, and are subject to regular review and assurance. Controls include, but are not limited to, access management, encryption, monitoring, and incident response. 

2.92 One respondent asked for clarity as to whether the register collection on BEEDs would continue alongside FCA RegData. The PRA can confirm that the BEEDs collection would not continue once the register requirements come into effect.

3: Accountability framework and implementation

Accountability framework

3.1 When making rules, the PRA is required to comply with several legal obligations. In CP17/24, the PRA published its explanation of why the proposed rules were compatible with its objectives and with its duty to have regard to the regulatory principles.[2]

3.2 In addition, when making CRR rules or rules applying to certain holding companies, the PRA must publish a summary of the purpose of the proposed rules.[3] The purpose of the rules included in the Notifications Part and the Reporting Part (Appendix 1) is to set out clear notification and reporting requirements for the reporting of operational incidents and MTP arrangements.

3.3 Where the final rules differ from the draft in the CP in a way that the PRA considers is significant, the Financial Services and Markets Act 2000 (FSMA)[4] requires the PRA to publish:

  • details of the differences together with an updated cost benefit analysis;
  • a statement setting out in the PRA’s opinion whether or not the impact of the final rules on mutuals is significantly different from the impact that the draft rules would have had on mutuals, or from the impact that the final rules will have on other PRA-authorised firms.

3.4 Additionally, in carrying out its policymaking functions, the PRA is required to have regard to various matters. In CP17/24, the PRA explained how it had regard to the most relevant of these matters in relation to the proposed policy.

3.5 The PRA considers that the changes to its draft policy on operational incident and MTP reporting do not significantly alter its consideration of its objectives or the matters to which it must have regard, or the impact of its proposals on mutual societies. The PRA considers that the changes made in its final policy are likely to meaningfully reduce costs relative to the benefits from the policy.

Implementation and next steps

3.6 The implementation date for final rules and policy materials reflecting policy changes set out in this PS is 18 March 2027.

3.7 References related to the UK’s membership of the EU in SS2/21 covered by the policy in this PS have been updated as part of this PS to reflect the UK’s withdrawal from the EU. Unless otherwise stated, any remaining references to EU or assimilated legislation refer to the version of that legislation which forms part of assimilated law.[5]

  1. As noted in paragraph 2.193 of PS16/24.

  2. Section 138J(2)(d) of FSMA.

  3. Section 144D(2)(a) of FSMA.

  4. Sections 138J(5) and 138K(4) of FSMA.

  5. For further information please see Transitioning to post-exit rules and standards.