Insights ¦ Consultation Paper CP24/28 Operational Incident and Third Party Reporting December 2024

Published by: Financial Conduct Authority
Key Takeaways

  1. The FCA is consulting on enhanced incident and third-party reporting to improve operational resilience within financial services firms.

  2. Clear definitions for ‘operational incident’ and standardised reporting templates are proposed to address current ambiguities and inconsistencies.

  3. The new rules focus on reporting incidents breaching impact thresholds related to consumer harm, market integrity, and firm safety and soundness.

  4. Firms are expected to submit initial, intermediate, and final incident reports via an online platform, with specific timing and content requirements.

  5. The proposals extend to a subset of firms with significant consumer or systemic impact, including banks, Solvency II firms, recognised investment exchanges, and certain third-party providers.

  6. The FCA seeks structured, timely data on operational incidents and third-party arrangements, facilitating better oversight and risk management across the sector.

  7. The scope for third-party reporting is expanded to include non-outsourcing material third-party arrangements, supporting a comprehensive understanding of third-party risks.

  8. The proposed register of material third-party arrangements will be submitted annually, with firms required to record and maintain detailed supply chain information.

  9. The FCA’s approach aligns internationally, particularly with ESR’s FIRE format and EU’s DORA regime, to foster cross-border cooperation and transparency.

  10. Estimated total one-off costs are between £19.14 million and £26.71 million, with ongoing annual costs from £0.04 million to £0.12 million, offset by operational efficiencies.

  11. The proposals aim to reduce the duration and severity of operational disruptions, enabling earlier intervention and preventing systemic harm.

  12. These reforms are designed to support a resilient financial system, fostering consumer confidence, safeguarding market integrity, and promoting the UK’s international competitiveness.

Key Statistics

  • Over 20% of operational incident reports since 2018 have been received more than 11 days after the incident’s start.

  • Approximately 2 to 2.5% of regulated firms reported an operational incident, suggesting significant underreporting.

  • The estimated net benefit of the incident reporting proposals over 10 years is between £16.51 million and £24.69 million, despite a negative net present value.

  • One-off compliance costs for firms are estimated at between £19.14 million and £26.71 million, with annual running costs of around £0.04 to £0.12 million.

  • The estimated average cost for a firm to submit an incident report is approximately £1,000.

  • For establishing a material third-party register, costs range from £6.51 million to £14.08 million, with annual update costs between £36,000 and £116,000.

  • An estimated 35 firms responded to PRA outreach, averaging 31 full-time equivalent (FTE) days to set up a third-party register.

  • 108 incidents in a sample of 306 firms cost an average of £0.77 million each, indicating potentially high financial impact.


Key Discussion Points

  • The need for standardising definitions and templates to improve incident reporting accuracy and timeliness is central to the FCA’s strategy.

  • Expanding the scope of third-party reporting to include non-outsourcing arrangements aims to enhance supply chain visibility and systemic risk assessment.

  • The sector’s reliance on third-party providers, especially in cloud, ICT, and data services, increases systemic vulnerability; better data on these relationships is critical.

  • The proposal’s proportionate approach balances the need for robust oversight with the regulatory burden on smaller firms.

  • International alignment, notably with DORA and ESR FIRE standards, supports cross-border risk mitigation and best practice sharing.

  • The phased incident reporting framework (initial, intermediate, final) aims to capture incident evolution and enable swift regulatory response.

  • The estimated costs are substantial but justified by the potential to prevent extensive harm and systemic disruption.

  • The register requirement fosters better supply chain management, risk mitigation, and early detection of third-party concentration risks.

  • The proposals are designed to improve regulatory oversight and industry engagement without unnecessarily increasing operational burden.

  • Improved incident data collection and analysis should lead to quicker intervention, reduced impact severity, and enhanced resilience.

  • Overall, these reforms aim to embed a culture of transparency, preparedness, and proactive risk management in the UK financial sector.

Document Description

This article outlines the FCA’s consultation on new rules for operational incident and third-party reporting within the financial services sector. It details proposed definitions, procedural requirements, scope, cost-benefit analysis, and international alignment considerations. The focus is on enhancing transparency, improving risk oversight, and bolstering operational resilience through standardised reporting templates, structured data collection, and comprehensive third-party arrangements registers. The document reflects a strategic effort to minimise sector-wide harm, ensure timely interventions, and foster a resilient UK financial system capable of adapting to emerging systemic risks.

