
FCA PS26/2: Operational Incident and Third-Party Reporting 

The Financial Conduct Authority (“FCA”), together with the Prudential Regulation Authority (“PRA”) and the Bank of England, has published Policy Statement PS26/2, setting out final rules on reporting serious operational incidents and material third party arrangements.

These rules create a single, streamlined regime across the three regulators to improve visibility of risks that could impact consumers, markets and financial stability. As threat actors grow more sophisticated and firms rely increasingly on third parties, timely, structured data is essential for effective supervision and systemic risk oversight. Firms will have 12 months to prepare ahead of the rules coming into force on 18 March 2027.  

Key Developments

A Single, Unified Reporting Regime

The regulators have aligned their requirements into one regime for all firms: 

  • A single definition of an operational incident and a single definition of a material third party arrangement. 
  • A single reporting portal (FCA Connect) so firms make one submission, regardless of which regulator(s) it is for. 
  • Identical templates and timelines (with limited exceptions for payment service providers).

Simplified Incident Reporting

In scope firms are divided into two reporting groups: 

  • Standard reporting: A single short form with only 10 required questions. 
  • Enhanced reporting (for strategically important firms): A single form updated across the incident lifecycle (initial, intermediate, final).

Reporting is now limited to serious incidents that meet clear, outcomes-focused thresholds tied to each regulator’s statutory objectives. Near-misses and routine interruptions are explicitly excluded. 

Streamlined Third Party Reporting  

Firms must notify the regulators of new material third party arrangements and significant changes, and submit an annual register. Key simplifications include:

  • Exclusion of third country branches from notification obligations (but not the annual register). 
  • Intra-group arrangements (or permitted supplier arrangements for ring-fenced bodies) are reportable only where there is an external third-party dependency (except for UK RIEs). 
  • A single notification template and a single register template, submitted via one portal.

Regulatory Implications and Compliance Considerations

The final rules under PS26/2 should be read alongside FG26/3 (Operational Incident Reporting) and FG26/4 (Material Third Party Reporting). The rules sit within the existing Handbook (primarily SUP 15 – Notifications to the FCA) and do not create new obligations beyond what was consulted on. 

They apply on top of firms’ existing operational resilience, outsourcing, and Principle 11 (Relations with regulators) requirements. Firms in scope must ensure they have processes in place to identify, assess, and report incidents and material third party arrangements accurately and promptly. 

PS26/2 signals a clear shift towards more efficient, data-driven supervision. Key lessons for firms include: 

  • Review and update internal policies to align with the new single definitions and thresholds. 
  • Adapt existing systems and processes to use the Connect/RegData portals and the simplified templates for incident reporting. 
  • Train relevant teams on the revised reporting timelines and what constitutes a “serious” incident or “material” third party arrangement. 
  • Assess third party dependencies (including supply chain ranking) and ensure the annual register can be populated accurately. 

With cyber threats and third-party dependencies on the rise, the ability to report serious incidents and material arrangements quickly and consistently is now a regulatory priority.  

How Complyport Can Help 

Complyport offers tailored solutions to help firms implement the new operational incident and third-party reporting regime efficiently. Our services include: 

  • Gap analyses and policy updates for incident and third-party reporting; 
  • Enterprise-Wide Risk Assessments; 
  • Staff training on operational resilience, business continuity, outsourcing and incident reporting thresholds, definitions and reporting processes; and 
  • Ongoing compliance monitoring. 

Book a Meeting with a Complyport SME 

To ensure your firm is fully prepared for the new FCA, PRA and Bank of England reporting regime under PS26/2, book a consultation with a Complyport Subject Matter Expert today. 

