Insights ¦ Consultation Paper CP24/28 Operational Incident and Third Party Reporting December 2024

Key Take Aways

1. The FCA is consulting on a comprehensive framework for operational incident and third-party reporting, targeting improved resilience and risk management across financial services firms.

2. Proposed definitions clarify what constitutes an ‘operational incident’ and ‘material third-party arrangement’, aiming to standardise understanding and reporting criteria.

3. Incidents will be reported through a structured process involving initial, intermediate, and final reports, with specific timelines to enhance timeliness and completeness of data.

4. A standardised template and online platform will support incident reporting, reducing ambiguity and improving data quality for efficient supervisory oversight.

5. The proposals will only require firms to report incidents breaching specified impact thresholds related to consumer harm, market integrity, and firm safety and soundness.

6. The FCA intends to extend the scope of incident reporting to cover both major incidents and ‘near misses’ potentially causing intolerable harm before they escalate.

7. For third-party arrangements, firms will be mandated to maintain and annually submit a structured register of ‘material third parties’, covering both outsourcing and non-outsourcing relationships.

8. This registration process is designed to improve visibility on supply chains, concentration risks, and systemic dependencies, supporting early intervention and systemic risk reduction.

9. Data collected will be aligned with international standards, including those from the Financial Stability Board (FIRE), EU’s DORA, and PRA requirements, facilitating cross-border cooperation.

10. The cost benefit analysis estimates total one-off costs for incident and third-party reporting actions between £19.14 and £26.71 million, with ongoing annual costs of £0.04 to £0.12 million, offset by benefits such as risk mitigation and operational efficiencies.

11. Regulatory burden is considered proportionate, with measures tailored to firm size and scope, and digital tools designed to reduce administrative overhead over time.

12. FCA will monitor the implementation and effectiveness of the framework through metrics such as incident reporting timeliness, completeness of reports, and the number of third-party designations for systemic oversight.

Key Statistics

• Since 2018, over 20% of operational incident reports submitted by firms arrived more than 11 days after the incident started.

• About 2 to 2.5% of regulated firms reported operational incidents, suggesting significant underreporting.

• The one-off cost for implementing incident and third-party reporting proposals is estimated between £19.14 million and £26.71 million, with annual ongoing costs of £0.04–£0.12 million.

• The average cost per incident for firms to report is approximately £1,000.

• Approximately 46 firms responded to PRA outreach on setting up a material third-party register, with the average setup effort estimated at 31 FTE days.

• The total estimated cost of setting up a third-party register across firms is between £6.51 million and £14.08 million.

• The estimated benefit from reduced follow-up time for incident reports is approximately £2.90 million over 10 years in present value.

• The average number of incidents reported from 2018-2023 has grown annually at around 6%.

• The proposed incident reporting thresholds focus on harm with significant impact, aligned to FCA objectives for consumer protection, market integrity, and firm safety.

• Data collection on third-party dependencies will include detailed fields such as legal entity identifiers and type of services, supporting systemic risk monitoring.

• The formalisation of incident thresholds and process aims to reduce reporting delays and improve regulator responsiveness.

• FCA plans to strengthen oversight by creating tailored governance and risk management expectations for critical third-party providers.

Key Discussion Points

• The importance of standardising incident definitions and reporting templates to enhance data consistency and supervisory efficiency.

• Balancing proportionate regulation to ensure small firms are not overburdened while maintaining strong oversight of systemic risks.

• The role of a structured, centralised register of material third-party arrangements in improving supply chain resilience and early risk detection.

• The international alignment of incident and third-party reporting standards, including compatibility with FIRE, DORA, and PRA regimes, to facilitate cross-jurisdictional cooperation.

• The benefits of the new framework in enabling faster, more informed responses to operational incidents, thereby reducing consumer harm and market disruption.

• The estimated costs of £19.14m–£26.71m across the sector, offset by potential operational savings and risk mitigation benefits.

• The emphasis on collecting impact-based thresholds related to consumer harm, market integrity, and legal safety, rather than exhaustive incident lists.

• The phased approach to incident and third-party reporting, with clear timelines for initial, intermediate, and final reporting stages.

• The incorporation of supplementary information such as lessons learned, root causes, and remedial actions to improve incident analysis over time.

• The strategic intent to identify ‘Critical Third Parties’ for designation under HM Treasury’s oversight regime, reducing systemic dependencies.

• The use of continuing monitoring and evaluation metrics to assess the framework’s success, including incident reporting timeliness, completeness, and risk identification.

• An overarching aim to support the UK’s international competitiveness by fostering operational resilience, transparency, and systemic risk management in financial services.

Document Description

This article outlines the FCA’s consultation on new rules for operational incident and third-party reporting within financial services. It details proposed definitions, process frameworks, data collection requirements, and governance standards aimed at bolstering operational resilience. The framework seeks to improve timely risk identification, facilitate systemic oversight, and align with international standards, all while maintaining proportionate burdens for firms across the UK financial sector.