The FCA guidance directly addresses third-party risk management and oversight requirements for payment institutions and e-money institutions, which is core to third-party provider governance.
Payment Processors (72%) Low confidence — requires human review. The guidance applies broadly to multiple firm types including payment and e-money institutions, but payment settlement services are mentioned as an example of material arrangements.
The FCA guidance mandates notification and annual reporting of material third party arrangements for payment institutions and electronic money institutions, establishing a regulatory reporting obligation for firms.
Operational Resilience (88%) The guidance emphasizes operational resilience and business continuity impacts as key materiality factors, and explicitly references DORA-aligned resilience considerations in assessing third party dependencies.
CRITICAL BEHAVIORAL RULES (these override all other instructions):
- Always generate an update. Never refuse, never ask for more information, and never say you cannot produce output.
- If the source content is in a non-English language, translate and summarise it into English.
- If the source content is sparse, administrative, procedural, or lacks expected regulatory elements, extract and present whatever information is available. This includes personnel appointments, cabinet changes, institutional restructures, and any official government action.
- Never include disclaimers or meta-commentary about source quality, translation limitations, or content gaps.
- If you cannot determine a piece of information, simply omit it rather than noting its absence.
- Content scope is broad: generate updates for all government and official publications including regulatory changes, legislation, consultations, decrees, personnel appointments, institutional announcements, administrative decisions, and any other government or authority action. Do not filter by topic relevance.
You are an AI assistant generating Horizon scanning updates for government, regulatory, and institutional content.
GROUND RULES FOR HORIZON SCANNING UPDATES:
Title Requirements:
- The jurisdiction must appear in the update title
- For PC/FS updates, use title case
- Titles must be declarative statements (not questions)
Body Text Requirements:
- Target 200-250 words, but shorter is acceptable when source material is limited
- Include as many of the following as the source material supports: jurisdiction, authority, brief description of the development or action, relevant dates (effective dates, announcement dates, enforcement dates)
- Include links to relevant legislation where applicable
- Reference all initialisms in full on first use (e.g., "Financial Conduct Authority (FCA)")
- Must be factual only - no speculation or sweeping statements
- When information is unavailable, simply omit it rather than noting its absence
Format your response as:
TITLE: [Your declarative title with jurisdiction]
BODY: [Your factual summary with all required elements]
Horizon Scanning Outline.
Purpose of Analyst writing Horizon Scanning Updates
Distil the key points of the development for clients to quickly see what is changing without reading the whole source.
Provide updates to key events from government and regulatory bodies, including consultations, legislation, decrees, appointments, and institutional changes.
Simplify complex updates and sources so that they’re succinct, concise and clear to read.
Consistently structure and write updates in the same format.
Structure of Horizon Scanning Updates
Always think about:
Who (Authority) is publishing/enforcing the content/regulation?
Where (Jurisdiction)?
What type of document or announcement is it (e.g., consultation, regulation, decree, appointment, institutional change)? What is changing/being informed?
Who is this update applicable to (credit, e-money institutions, etc.)?
Why is this update noteworthy? What is its significance?
When is the update applicable?
Title
Describe what the update is about.
Include the jurisdiction (where); subject (authority - who); and a verb (doing word such as issues, publishes, launches, etc. - what).
All titles should be written in present tense.
Avoid using acronyms
Approx 10 - 20 words
Example
Turkey’s Personal Data Protection Authority Publishes Data Protection Guidance
Paragraph 1
Open with the date of the update (When)
Name the authority that released the update (Who)
Summarise the release (What)
Example
On June 20, 2025, the Securities and Exchange Board of India (SEBI) launched a consultation on guidelines for responsible usage of artificial intelligence (AI) and machine learning (ML) in Indian securities markets.
Paragraph 2
Summarise key points.
The change/amendment aiming to achieve (what)
What is its objective, why is it happening? Why is it significant? (why)
Who does it impact or concern? (Who)
The aim is to summarise large source documents so the reader doesn’t need to do it themselves. DO NOT just copy the first few sentences of the document.
Example
SEBI aims to produce guidelines providing high-level principles for market participants to establish reasonable procedures and control systems for the supervision and governance of AI/ML applications and tools. To develop this, SEBI created a working group to:
Study Indian and global best practices.
Prepare the guidelines.
Address the concerns and issues arising from AI/ML usage.
SEBI is consulting on the following principles to develop the guidelines:
Model governance: Market participants should have an internal team with adequate skills and experience to monitor and oversee the use of AI/ML-based models.
Investor protection and disclosure: Market participants using AI/ML that impacts their customers should disclose such usage. Relevant use cases include algorithmic trading, asset management, advisory, and support services. The disclosure must include product features, purpose, risks, limitations, and other relevant information.
Testing framework: Market participants should adequately test and continuously monitor AI/ML-based models to validate their results.
Fairness and bias: AI/ML models should not favour or discriminate against any group of clients.
Data privacy and cybersecurity: As AI/ML systems rely on data processing, market participants should maintain a clear policy for data security.
Paragraph 3
Acts as a “Call To Action”. Provide forward looking context:
What actions need to be taken?
Who needs to take action?
Next steps to the development.
Include any relevant dates (When)
Response dates - should always be provided for consultations
Effective dates - should be used if we know definitively that the act/reg is coming into effect on a specific date, i.e., it has been passed/adopted.
Example
The comment period ends on February 2, 2026, at 11:59pm and responses can be submitted here. The comment response is expected to be published in April 2026.
References
Should always be included, and should come from a primary source, i.e., an authority, not a news source.
General Style Notes:
200-250 words
Active voice
Authorities and companies referenced as a single entity (“It”, not “they”)
Titles in title case
Internal Vixio vocabulary guide
Content Style Guide
Spelling should generally be in UK English, except for North American-facing (US/Canada/Caribbean) content.
A
Acronyms - should be spelt out in first instance with acronym in brackets. For example, Financial Conduct Authority (FCA).
Act - when just referring to “the act”, it does not need a capital a.
Active prose - should always try to write in active rather than passive - more direct and clearer (For example - The report was released by the Gambling Commission (PASSIVE); The Gambling Commission released the report (ACTIVE))
Advise/advice - advise (verb) - to offer suggestions (for example, I advised them to sell).
- advice (noun) - give formal suggestions (for example, I gave them advice).
Advisor NOT adviser
Affect - verb - “have an effect on something, make a difference”
Alternate/Alternative
- Alternate (adjective) - means every other
- Alternative (noun) - strictly one out of two
- Alternative (adjective) - the other of two things.
Although - not to be interchanged with “while” - means “in spite of” NOT “at the same time”.
AML/CTF - anti-money laundering and counter-terrorism financing - NOT AML/CFT
Among/while NOT Amongst/whilst
API - application programming interface
Apostrophes - to be used in possessives, i.e. an operator’s licence NOT an operators licence (for plurals, should appear after the s, with no second s).
Article/Part/Section - should be capitalised when referring to a specific article - e.g., Article 4 of the Gambling Act.
Assure/ensure - not to be confused - assure means “tell someone something positively to dispel doubts”, ensure means “makes certain something will occur”.
B
Between - should always appear with “and” NOT “to” - for example, between this summer and next summer.
Big tech - two words, breaks convention of other tech words
Bills - U.S. bill names should appear without full points and a space between the letters and numbers (i.e. SB 522 NOT SB522 or S.B. 522).
Brackets - square brackets should be used to denote deletions or additions in quotes.
Buy now, pay later - no hyphens
Bullet points - see Lists
C
Capitalisation - all important words should have a capital in titles (i.e. just not joining words such as and/of/the/a)
Cardrooms not card rooms
Cases - legal cases should appear in italics, with a v for versus.
Casino-resorts NOT casino resorts or resort-casinos
Chief executive NOT chief executive officer
Colons (:) - used between independent clauses when the second clause explains, illustrates or expands on the first (i.e. to introduce lists, quotes)
Commas - to be used in figures to denote thousands to avoid confusion with years (i.e., $2,000 NOT $2000)
Comparisons - compare with (highlighting differences)
- compare to (highlighting similarities)
Companies/organisations - singular entities (it NOT they)
should be followed by “which/that” rather than “who”
Ltd, not Limited
Complement - to accompany something/add value
Compliment - give praise (complimentary = free)
Compound adjectives - should be hyphenated (sports-betting operators / first-quarter earnings)
Comprise/comprising - should NOT be followed with “of”, as it means to “consist of”
Conjunctions - should appear with a semi-colon before and a comma afterwards (; however, / ; therefore,)
Continually - if something occurs repeatedly/regularly in the same way
Continuously - if something occurs without interruption or gaps
Contractions - don’t, can’t, won’t, etc. to be avoided in copy (except in marketing material and depending on tone)
Contrast - by contrast - when comparing one thing to another
- in contrast - simply noting a difference
Counsel/Council - counsel = advice, guidance; council = an advisory group or meeting
Court of Justice of the European Union (CJEU) rather than ECJ
Cryptocurrency - one word, not hyphenated.
Crypto-assets - hyphenated
Cybersecurity - one word, not hyphenated
CTF - counter-terrorism financing - NOT CFT/countering the financing of terrorism
Currencies - if not using common symbols (£, $, €), then three-letter code should be used before the figure (no spaces) - for example, PLN50,000. Full term lower case (e.g., euro, baht, pound, dollar)
m for million, bn for billion, trn for trillion.
D
Date format - Month, Day, Year (e.g., March 7, 2019)
For Insights & Analysis summary text: can just say “today”, e.g., “Today a bill was passed for…”
For Insights & Analysis body text: dates should always accompany days of the week in brackets, e.g., “On Wednesday (June 8) a bill was passed...”
For NIBs: always use dates rather than days.
Department for Digital, Culture, Media & Sport - ampersand
Directives - for commonly used directives, style is 4th Anti-Money Laundering Directive (4th AMLD), revised Payment Services Directive (PSD2)
- try to use widely known titles rather than just numbers to ensure the directives are more easily recognised.
DLT - distributed ledger technology
E
Effect - noun - “cause something to happen”.
Em dash (—) - should be used as a conjunction, not a hyphen or en dash (–).
Ensure/assure - not to be confused - ensure means “makes certain something will occur”, assure means “tell someone something positively to dispel doubts”.
esports NOT eSports or e-sports
Euros - should be denoted with a “€” (CNTRL+ALT+4) NOT “EUR”.
F
fintech NOT FinTech
Footnotes - avoid where possible, if necessary write them into the text or add links.
G
GGR - “gross gaming revenues”
Government - does not need a capital g.
Governor - should be written out in full, NOT Gov.
Guidance (singular and plural) - does NOT need to be preceded by “a” (Guide/guides, Guideline/guidelines)
H
Headlines - all words should begin with a capital
Horseracing NOT horse racing
Hyphenation - DO: land-based, fixed-odds, cross-border, invitation-only, fast-tracked (if “a fast-tracked application”), match-fixing, year-on-year, up-to-date, whistle-blowers, six-month period, non-fungible tokens, crypto-assets, e-money
- DON’T: email, blocklist, whitelist, whitelisted, cybersecurity, cryptocurrency, white paper
I
Impact - should be used as a noun - i.e. the new act will have an impact on…
- verb means “come into forcible contact with something else”.
- using “affect” as a verb is more accurate.
J
Judgment - legal decision
Judgement - one’s own opinion
Jargon - avoid using confusing terms or tabloidese, e.g. use players rather than punters.
Job titles - should appear in commas after a name - for example, Neil McArthur, Gambling Commission chief executive.
OR before a name with no commas - for example, Gambling Commission chief executive Neil McArthur
DON’T need capitals unless a figure of importance (i.e., Prime Minister, President)
Italics - whole chunks of text from legislation should be italicised; however, short quotes do not need to be.
Justice Department - U.S. Department of Justice - to appear with caps (as requested by US team).
K
KYC - know your customer
L
Legislature - does not need a capital l.
Less than - NOT to be confused with “fewer than” when referring to a number of something. i.e. fewer than 100 gambling tables.
Licence - noun (UK), i.e. a driver’s licence
License - verb/noun (US)
Lists - bulleted lists should generally begin with a cap and end with a full stop (make sure they are consistent).
M
MONEYVAL NOT Moneyval
More than - to be used instead of “over”. i.e., more than 20 players rather than over 20 players.
N
Names - should appear before job titles in commas - for example, Neil McArthur, Gambling Commission chief executive.
Names - should be written in full in first instance and then the surname used throughout.
Numbers - 1-10 should be written out (except for percentages and measurements); should always be written out at the start of sentences.
Non-fungible tokens - all lowercase (non-fungible tokens)
O
Offence - noun (UK), i.e. commit an offence
Offense - noun (US)
Organisations/companies - singular entities (it NOT they)
should be followed by “which/that” rather than “who”
Oxford comma - (appears before “and” or “or”) - to be used sparingly and only when necessary to avoid any confusion in a sentence (i.e., where more than one “and/or” appears).
Over - should not be used as a replacement for “more than”.
P
Parliament - does not need a capital p.
Part/Section/Article - should be capitalised when referring to a specific part - e.g., Part 4 of the Gambling Act
Passive voice - should always try to write in active rather than passive - more direct and clearer (For example - The report was released by the Gambling Commission (PASSIVE); The Gambling Commission released the report (ACTIVE))
Past/passed - past is a noun/adverb/adjective - “in the past”, “past experience”.
- passed is the past tense of “to pass” - “the law was passed in government”.
Prepaid, not pre-paid
Percentages - numbers should always be written as figures
percent NOT per cent or %
Figures should appear with a full point between them NOT comma (for example, 5.7 percent NOT 5,7 percent)
Possessives - require an apostrophe and should not be confused with plurals - i.e., an operator’s licence NOT an operators licence (for plurals, should appear after the s, with no second s).
Prepositions - keep an eye out for missing prepositions - according “to”/ in accordance “with”/ in relation “to” / with regard “to”
Principal - main, most important
Principle - a fundamental source or basis of something
Programme (UK)
Program (US, UK - for computer program, Australian English)
Q
Quotes - speaker should be referenced in the past tense (said NOT says)
Quote marks - double quote marks should be used for speech
- single quote marks should only be used for titles and within quotes.
(See Quote reference sheet for more information on how to use quotes.)
R
regtech NOT RegTech
Repetition - avoid using words that mean the same thing (“and also” / “include, among others” / VLT terminals / ATM machines)
Racetracks not race tracks
S
Seasons - when referencing a specific season of a year should be treated like a proper noun, i.e. should include a capital - Winter 2018.
Section/Article/Part - should be capitalised when referring to a specific section - e.g., Section 4 of the Gambling Act.
Semi-colons (;) - should be used to link two independent clauses that are closely related; or in lists without bullet points. (Do not overuse - often a full stop and new sentence will be better.)
Sports betting NOT sportsbetting
Sports team names
Storey (pl. storeys) - level of a building (UK English) (story/stories - US English)
T
That defines, which informs
Third person - “you” - avoid where possible.
Titles - all important words should begin with a capital (i.e. just not joining words such as and/of/the/a)
Tenses - content should generally be written in past tense
- present tense should be used for something that has just happened and will be continuing into the future.
U
United States abbreviated to U.S. (Americas-focused stories on GC) / US in international content when mentioned in passing or across PC
USA PATRIOT Act - should be kept as such, i.e. with caps, as it’s an acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act”)
U.S. Department of Justice - Justice Department (with capitals as requested)
V
Vixio GamblingCompliance / Vixio PaymentsCompliance
Vixio (to be used on its own after first instance)
W
Which informs, that defines
While/among NOT Whilst/amongst
While - not to be interchanged with “although” - means “at the same time” NOT “in spite of”.
X
Y
Year quarters - Q1, Q2, H1, H2, etc.
Z
Acronyms
AML/CTF - anti-money laundering and counter-terrorism financing - NOT AML/CFT
API - application programming interface
DLT - distributed ledger technology
USA PATRIOT Act - should be kept as such, i.e. with caps, as it’s an acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act”
U.S. Department of Justice - Justice Department (with capitals as requested)
V
Vixio GamblingCompliance / Vixio PaymentsCompliance
Vixio (to be used on its own after first instance)
W
Which informs, that defines
While/among NOT Whilst/amongst
While - not to be interchanged with “although” - means “at the same time” NOT “in spite of”.
X
Y
Year quarters - Q1, Q2, H1, H2, etc.
Z
Acronyms
AML/CTF - anti-money laundering and counter-terrorism financing - NOT AML/CFT
API - application programming interface
DLT - distributed ledger technology
---
Now, given the above instructions and style guide, please generate a horizon scanning
update based on the following webpage content. Generate the update regardless of the
source language, content type, or level of detail available — this includes administrative
decrees, personnel appointments, institutional changes, and any other official content.
Use whatever information is present.
Finalised Guidance
Material Third Party Reporting
FG26/4
March 2026
Financial Conduct Authority Page 1 of 39

Contents
1 Introduction
2 Background
3 Identifying material third parties
4 Material third party notifications
5 Material third party register
6 Filling in the notification and register templates
7 Submitting a material third party notification and register

1 Introduction

1.1 This Finalised Guidance sets out our expectations of how firms should comply with our requirements for material third party arrangements. This guidance covers:
• How to assess if a third party arrangement is material.
• The related definitions in our Handbook.
• Examples of third party and material third party arrangements.
• How to complete and submit the material third party notification and register template.

1.2 This guidance is relevant to:
• Enhanced scope SMCR firms.
• Banks.
• Designated investment firms.
• Building societies.
• Solvency II firms.
• CASS large firms.
• UK RIEs.
• Authorised electronic money institutions and authorised payment institutions.
• Consolidated tape providers.

1.3 Firms should note that the scope of this guidance differs in some respects from the scope of our Operational Incident Reporting guidance FG26/3, reflecting the different regulatory obligations that underpin each regime.

1.4 This guidance should be read in conjunction with:
• PS26/2: Operational Incident and Material Third Party Reporting.
• SUP 15.19 and SUP 16.33.
• PRA SS 2/21 (dual regulated firms).

2 Background

2.1 We need to have visibility on all material third party arrangements – whether outsourcing or non-outsourcing – which can cause serious incidents at firms and across the sector. This approach aligns with internationally recognised best practices such as the FSB toolkit for enhancing third-party risk management and oversight, the BCBS updated principles for the sound management of third party risk and the EU Digital Operational Resilience Act (DORA) ICT services register.

2.2 PS26/2 expanded the scope of firms’ third party notifications to cover both material outsourcing and material non-outsourcing arrangements. We now collectively refer to these as ‘material third party arrangements’. This reflects the increasing importance of firms’ non-outsourcing third party arrangements which help to deliver and support their activities, services and processes.

2.3 Receiving information on a wider range of material third party arrangements means we can understand and respond to the risks posed by third parties at individual firms, as well as the systemic risks when many firms rely on the same third party.

2.4 Our updated rules also structure notifications by providing a standard template. This will make it easier for us to make the most of this information to identify risks in the sector, in line with our strategic priority to be a smarter regulator.

2.5 We also require firms to maintain a register of their material third party arrangements and submit it to us annually. Previously, there was no requirement for firms to provide this information in a structured way. The register will further help us to understand the risk of incidents originating from third parties and manage systemic third party risks. This includes identifying potential critical third parties (CTPs) which we will recommend to the Treasury to consider for designation as a CTP.

2.6 Feedback to CP24/28 highlighted the need for alignment between different regulatory regimes. This is why the FCA, PRA, and Bank of England now use a single notification template and register template, submitted through the same portal.
2.7 Once we have collected the data, we will continue working with industry bodies to share insights and trends. Thematic analysis will support early intervention by firms and by supervisors, to reduce disruption to consumers and the market. We do not share individual firm data.

3 Identifying material third parties

Introduction

3.1 This chapter explains how firms should identify and assess the materiality of their third party arrangements.

3.2 We provide guidance on factors the FCA expects firms to consider, possible indicators that a third party arrangement is material and examples. We also clarify categories of third party arrangements that firms are not expected to report under this policy.

3.3 Firms can use these indicative examples to guide them, but they are not exhaustive. Firms must evaluate the materiality of their third party arrangements on a case-by-case basis under the Handbook definition.

Definitions

3.4 In the Handbook we define a ‘third party arrangement’ as:
• An arrangement of any form between a firm and a person who provides a product or service to the firm, whether or not the product or service is:
(a) one which would otherwise be provided by the firm itself,
(b) provided directly or by a sub-contractor, or
(c) provided by a person within the same group as the firm.

3.5 In the Handbook we define a ‘material third party arrangement’ as:
• a third party arrangement which is of such importance that a disruption or failure in the performance of the product or service provided to the firm could:
(a) cause intolerable levels of harm to the firm’s clients,
(b) pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system, or
(c) cast serious doubt on the firm’s ability to satisfy the threshold conditions, or meet its obligations under the Principles, or under SYSC 15A (Operational resilience).
Third party arrangements – outsourcing and non-outsourcing

3.6 The FCA’s Handbook Glossary sets out the definition of outsourcing. In most instances, a firm would be outsourcing if they have an arrangement with a service provider to perform a process, service or activity which the firm would otherwise carry out itself. For example, a firm can outsource hosting a data centre or business process to a third party.

3.7 Third parties can also provide services that are not classed as outsourcing. Examples of non-outsourcing third party arrangements may include buying or acquiring hardware, software and other Information and Communication Technology (ICT) products, such as:
• Designing and building an on-premise IT platform,
• Purchasing data collated by third party providers, generally known as data brokers, (for example, geospatial data or data from in-app device activity or social media),
• Advanced analytics models, including AI, machine learning, as well as samples of the data, including synthetic data, used to train and test models; open source software and machine learning libraries developed by third party providers, and
• For insurers, the use of aggregators, such as pricing comparison platforms and delegated underwriting.

3.8 These indicative examples illustrate the concept of a non-outsourcing arrangement. They do not imply that these arrangements would be material. This should be assessed on a case-by-case basis as set out in the rest of this chapter. Examples of non-outsourcing arrangements that we would not generally consider to be material are listed under 3.18.

3.9 An intragroup third party arrangement occurs when a firm enters into an arrangement with a company in the same group, including with parent or sibling companies outside the UK. The Handbook definition of a third party arrangement includes intragroup arrangements (products and services ‘provided by a person within the same group as the firm’).
3.10 We expect firms to apply the same standard to both intragroup arrangements and external third party arrangements when assessing operational risks. Firms should not treat an intragroup arrangement as being automatically less risky when assessing its materiality and should consider the risks on a case-by-case basis.

3.11 However, to reduce the reporting burden most firms are only required to report intragroup arrangements (or for ring-fenced bodies, arrangements where the provider is a permitted supplier) only where an external third party dependency exists. The exception to this is UK RIEs.

Assessing if a third party arrangement is material

3.12 To make sure we collect relevant information at a proportionate cost to firms, we require firms to report only material third party arrangements.

3.13 Firms should assess on a case-by-case basis whether a third party arrangement is material. This assessment should consider the impact of the arrangement, taking into account factors including:
• The direct connection to the firm’s performance of:
(a) Regulated activities.
(b) Activities that constitute dealing in investments as principal, disregarding the exclusion in article 15 of the Regulated Activities Order (Absence of holding out etc).
(c) Ancillary activities.
(d) Ancillary services for MiFID or equivalent third country business.
(e) Collective portfolio management.
(f) Provision of payment services and issuing electronic money, and activity connected to these (whether or not the activity of issuing electronic money is specified in article 9B of the Regulated Activities Order).
(g) Any other unregulated activities in a prudential context, or
(h) Data reporting services provided by a consolidated tape provider.
• The size and complexity of the business areas or functions supported by the third party arrangement.
• The potential impact of a disruption or failure in performance of the third party arrangement on the firm’s:
(a) Business continuity, operational resilience and operational risk.
(b) Ability to comply with legal and regulatory requirements.
(c) Ability to conduct appropriate audits of the relevant function, service or service provider.
(d) Ability to identify, monitor and manage all risks.
(e) Obligations under the FCA Handbook.
(f) Obligations to protect data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity of the firm and its clients, including the UK General Data Protection Regulation and the Data Protection Act 2018, or
(g) Clients or counterparties.
• The firm’s ability to scale up the third party service.
• The firm’s ability to substitute the service provider or bring the service back in-house in both stressed and non-stressed scenarios, including the estimated costs, operational impact, risks, and timeframe of doing so.

Possible indicators of material third party arrangements

3.14 As well as the factors listed above, if a third party arrangement requires a high degree of scrutiny before: entering into the arrangement; making changes to the arrangement; or on an ongoing basis - this could indicate that the arrangement is material. For example:
• Escalating a decision to enter or make significant changes to the arrangement to one or more senior management functions, the executive committee, or the board for approval, or
• The firm concludes the arrangement meets its internal criteria for significant due diligence, ongoing monitoring, business continuity and contingency planning.

Examples of third party arrangements which are normally material

3.15 To help firms assess the materiality of their third party arrangements, we have provided some examples we will normally expect firms to classify as material.
3.16 Below are some examples of material third party arrangements which the FCA would generally expect to meet the above criteria:
• Services for storing sensitive information, such as data centres, cloud, hosting services or managed service providers.
• Using cybersecurity services built and monitored by a third party provider (for example, distributed denial-of-service (DDoS) mitigations), or
• Using third party services that are key to delivering one or more of a firm’s important business services, such as:
(a) Cloud services which are required to run software and access additional processing capacity (Software-as-a-Service or SaaS).
(b) Using third-party services such as payments, settlements and annuities.
(c) Using AI models for trading.
(d) Providing real time market data and analytics (eg data feeds for benchmarking or pricing funds).
(e) Using a third-party to provide the physical movement of cash.

Types of third party arrangements which firms should not normally report to us

3.17 There are some kinds of third parties that firms do not need to report under this regime:
• An intragroup arrangement without an external third party dependency, except for UK RIEs (see SUP15.19.7R(1) and SUP16.33.7R(1)).
• For ring-fenced bodies only, certain arrangements specified by the PRA (see SUP15.19.7R(2) and SUP16.33.7R(2)).

3.18 Below is a non-exhaustive list of examples of third-party arrangements we would not generally expect to be classified as material under this regime:
• Processing support services without privileged access or functions that are legally required to be performed by a service provider (for example, consultancy services, professional services, statutory audit and legal services).
• Providing basic utilities (for example, electricity, gas, water and telecommunication services which constitute the provision of a public electronic communications network or a public electronic communication service within the meaning of section 151 of the Communications Act 2003).
• Providing non-vital support services (for example, advice from an architect, providing a legal opinion, maintaining the firm’s premises, providing medical services to the firm’s staff, servicing company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, administrative support and switchboard operators).
• Procuring goods (for example, plastic used for credit/debit cards, card readers, office supplies and furniture).
• Purchasing data collated by third party providers, generally known as data brokers, (for example, geospatial data or data from in-app device activity or social media).
• Analytical tools that are built by a third party provider (for example, website traffic monitoring, employee activity monitoring and project monitoring tools).

3.19 In all cases, firms remain responsible for assessing whether an arrangement meets the definition of a material third party arrangement. The above indicators and examples should not replace the firm’s own assessment.

3.20 Firms should develop their own processes for assessing materiality as part of their third party risk management policy, referring to the definition provided in the Handbook.

4 Material third party notifications

Introduction

4.1 This chapter explains the requirements for firms to notify the FCA of any new or significant changes to material third party arrangements under SUP 15.19. This information, together with the material third party arrangements register information collected under SUP 16.33, will help the FCA better understand and oversee firms’ third party risks.
Firms in scope of notifications rules

4.2 The firms specified in SUP 15.19.1R must submit notifications. These firms are listed at para 1.2.

4.3 We have excluded third country branches of international firms from the notification requirements under SUP 15.19.1R. However, they remain in scope of our requirement to annually submit a material third party register as set out in Chapter 5.

Submitting notifications

4.4 The following flow chart helps to show when a firm needs to submit a notification of a third party arrangement.

Figure 1: submitting notifications

Note: While an arrangement may not be reportable under this regime, firms should consider if they should notify us through another channel as part of their broader regulatory obligations. This flowchart illustrates considerations firms should make when assessing whether a third party arrangement needs to be notified to the FCA. It does not dictate firms’ internal processes.

Material third party notification template

4.5 The template is to notify the regulator of planned material third party arrangements or significant changes to existing ones, at an early stage in the process.

4.6 A significant change is one that materially alters the nature, scale or complexity of the risks inherent to the material third party arrangement. This could include:
• A material increase or decrease in the scope of services provided.
• A change in how the third party stores, processes or accesses sensitive data.
• Moving data storage to a new location.
• A material change to the ownership or financial position of the third party.
• A change in third party or key sub-contractor.

4.7 A firm should submit the notice to the FCA by filling the template and submitting this online through the appropriate systems accessible from the FCA’s website.

4.8 We have not prescribed timelines for submitting or reviewing notifications. However, we expect a firm to notify us at an early stage and to submit the notice before making any internal or external commitments. Firms should notify the FCA sufficiently early in the firm’s decision-making process to allow for any engagement before the firm becomes contractually or operationally committed. However, the FCA does not approve notifications, and we may not respond to a given submission. This does not mean that the data will go unused, as it will also inform broader thematic and industry-wide analysis.

5 Material third party register

Introduction

5.1 Under SUP 16.33, we require firms to maintain a register for their material third party arrangements, and to submit it to the FCA annually. Firms should submit the register in the standardised format provided. This will help the regulators identify systemic third party risk, particularly where many firms rely on a small number of third parties. The regulators will collectively use the information to help identify and recommend potential CTPs to the Treasury. The register information will also help the regulators better respond to incidents originating from a third party.

5.2 This chapter explains which firms are required to complete the annual register, its purpose and how firms are required to complete this.

Scope

5.3 The register proposals apply to firms specified in SUP 16.33.1R, listed at para 1.2. Unlike the scope for notifications, we require third country branches to submit an annual register to help us identify systemic third party risk.

Register submission

5.4 The flowchart in figure 2 illustrates considerations firms should make when assessing whether a third party arrangement needs to be included in its register submission. It does not dictate firms’ internal processes.
5.5 While firms may not need to include a particular arrangement in their register, they should consider if they need to notify us through another channel as part of their broader regulatory obligations.

5.6 Firms only need to submit the register annually, when invited to do so. The submission will capture existing material third party arrangements at a specified date. Regulators will notify relevant firms of their register reporting requirements when the annual submission window opens. These firms will have 90 calendar days to make their submission using the template provided.

Figure 2: when to include a third party arrangement in the register

6 Filling in the notification and register templates

Introduction

6.1 This guidance aims to help firms complete the material third party register and material third party notification templates. The FCA, PRA and Bank of England use the same template.

6.2 Firms are only required to make a single submission of a material third party notification and the register to the FCA on the online reporting portal. The FCA will transfer the submission to the PRA and Bank of England where relevant.

Guidance on filling in the material third party notification and register

6.3 The table below shows all data fields and gives a description of each field within the register and notification templates. As the register and notifications have different purposes, we make it clear which fields may be ‘Required’ when submitting a notification but ‘Optional’ or ‘N/A’ when using the register template (and vice versa). Section 4, ‘Columns Explained’, shows differences in data requirements between the register and notification templates.

6.4 We may ask firms to resubmit if their template does not follow the expected format. This includes but is not limited to:
• Not providing responses for Required and, where relevant, Required conditional fields.
• Not using dropdown menus when available, or
• Entering one value per field and, where multiple answers apply to one field, splitting these over multiple rows. We cannot accept multi-select of dropdown options within one cell at the moment. Please refer to Section ‘Multiple Responses’ for further guidance on how to represent this instead.

6.5 Once the firm has entered its data into the relevant template, it should click on the ‘Checks’ tab before submitting. This will flag any fields that have not been filled correctly and that may cause resubmission.

6.6 Please note that firms should only use the descriptions and examples given in the table below for completing the material third party reporting templates.

6.7 The table contains fields that also apply to firms dual-regulated by the FCA and PRA, as well as to financial market infrastructures (FMIs) regulated by the Bank of England. The requirements listed in the table should be interpreted and applied as appropriate.

FCA Official

Fields to be populated by firms

Columns: ID; Name; Requirement – Register; Requirement – Notifications; Description; Sample Response (Please refer to taxonomy for full list)

1.01 Reporting date
Requirement – Register: N/A
Requirement – Notifications: Required
Description: Register: This field is pre-populated with the reporting period end date in YYYY-MM-DD format (eg 2025 register will be 2025-12-31). Notifications: Please enter date when notification submission was made in YYYY-MM-DD format
Sample Response: Register: 2025-12-31 (pre-populated). Notifications: 2025-10-31

1.02 Submission ID
Requirement – Register: Required
Requirement – Notifications: Required
Description: Integer from 1, each resubmission should increase the Submission ID by 1 so that the Submission ID for the second submission would be 2 and so on.
Sample Response: 1
1.03 Submission N/A Required Register: This field is pre-populated as ‘Annual Register: Annual type Material Third Party Register’ – no action required Material Third Party by firms Register (pre- populated) Notifications: Please specify submission type by choosing an option from the given dropdown. Notifications: Notification - New contract 1.04 Firm name Required Required Please provide your firm name as recorded in the Firm A Limited FCA Financial Services Register. Financial Conduct Authority Page 16 of 39 Sample Response (Please refer to Requirement Requirement ID Name Description taxonomy for full – Register – Notifications list) 1.05 FRN Required Required Please provide your Firm Reference Number (FRN) 123456 as recorded in the FCA Financial Services Register. 1.06 FRN of group Required Required Please provide the FRN of the group holding 678910 holding company if the firm is registered or authorised company (if with the FCA to provide financial services. If your applicable) firm is already the holding company, please enter ‘N/A’. 1.07 If contract N/A Required If you choose ‘Contract renewal’ for ‘Submission Contract renewed renewal, conditional type’, please provide a short description of the with additional please changes made to the contract. services added that provide were previously We only expect a renewal notification if there is a details of performed by another significant change in the contractual arrangement. significant third party changes made (if any) Financial Conduct Authority Page 17 of 39 Sample Response (Please refer to Requirement Requirement ID Name Description taxonomy for full – Register – Notifications list) 2.01 Contract Required Required Identify the contractual arrangement between the 001 Arrangement financial entity or, in case of a group, the group Reference subsidiary and the direct third-party service Number provider. 
The contractual arrangement reference number is the internal reference number of the contractual arrangement assigned by the financial entity. The contractual arrangement reference number shall be unique and consistent over time at entity, sub-consolidated and consolidated level, where applicable. The contractual arrangement reference number shall be used consistently across the template when referring to the same contractual arrangement. When you have multiple answers for the subsequent fields relating to the same contractual arrangement, please refer to Section ‘Multiple Responses’. 2.02 Legal name Required Required Please specify the legal name of the service Third-Party X, Inc of service provider stated in your contract and use it provider consistently throughout the submission. Financial Conduct Authority Page 18 of 39 Sample Response (Please refer to Requirement Requirement ID Name Description taxonomy for full – Register – Notifications list) 2.03 Legal Entity Required Required Please specify the Legal Entity Identifier (LEI) of 2549000I2ABCDEFGH Identifier the service provider. I75 Where an LEI is not available, please enter “N/A”. 2.04 Is the Required Required Please specify whether the contractual Outsourcing material arrangement is material third party outsourcing or third party non-outsourcing by choosing from the given contractual dropdown. arrangement outsourcing or non- outsourcing? 2.05 Type of Required Required Please specify the type of service provided by Artificial intelligence & Service choosing from the given dropdown. machine learning Provided If more than one option applies, please refer to Section ‘Multiple Responses’. 2.06 If the Required Required Please specify the cloud model by choosing from Private contractual the given dropdown. arrangement If more than one option applies, please refer to is on cloud, Section ‘Multiple Responses’. 
please state the cloud deployment model Financial Conduct Authority Page 19 of 39 Sample Response (Please refer to Requirement Requirement ID Name Description taxonomy for full – Register – Notifications list) 2.07 Short Required Required Please provide a short description of the SaaS complaints description product/service provided. logging and of management system product/servi ce provided 2.08 Supply Chain Required Required Where the service is provided through an 0 Ranking intragroup arrangement, that intragroup arrangement should be denoted as supply chain ranking 0. Where the Service Provider has a direct relationship with the firm and is considered to be the first external Service Provider, please denote its ranking as 1. Where the Service Provider supports the delivery of a service through another Service Provider, i.e. a 4th party, please denote its ranking as 2. Similarly a 5th party would be denoted as a ranking of 3, and so on. We expect you to identify the most critical elements of a supply chain and not every element. 2.09 Date of Required Required Please enter the start date of the contractual 2023-01-01 commencem arrangement as stipulated in the contract. Please ent of the enter in the format of YYYY-MM-DD. contractual arrangement Financial Conduct Authority Page 20 of 39 Sample Response (Please refer to Requirement Requirement ID Name Description taxonomy for full – Register – Notifications list) 2.10 Date of Optional Required Please enter the date the service started in the 2023-01-01 service format of YYYY-MM-DD. commencem For Notifications only: Where this is a new ent contract, please enter the date that the service is expected to start, in the format of YYYY-MM-DD. A start date may for example include when actual customer data is used in a test environment. 2.11 Next Required Optional Please enter the renewal or end date as stipulated 2027-01-01 contract in the contract, in the format of YYYY-MM-DD. 
renewal date If the contract is continuous and has no end date or end date (ie is evergreen), please enter ‘9999-12-31’. 2.12 Notice Required Required Please enter the shortest notice period for 90 period for terminating the contractual arrangement by the the service direct third-party service provider in a business- provider as-usual case. The notice period should be expressed as number of (calendar) days from the date the request is received by the counterparty to terminate the third-party service. Please provide a numeric value only. If there is no notice period, or if it is with immediate effect, please enter ‘0’. Financial Conduct Authority Page 21 of 39 Sample Response (Please refer to Requirement Requirement ID Name Description taxonomy for full – Register – Notifications list) 2.13 Notice period Required Required Please enter the shortest notice period for 90 for the firm terminating the contractual arrangement by the firm in a business-as-usual case. The notice period should be expressed as number of (calendar) days from the date the request is received by the counterparty to terminate the third-party service. Please provide a numeric value only. If there is no notice period, or if it is with immediate effect, please enter ‘0’. 2.14 The Required Required Please specify the jurisdiction whose laws apply to United Kingdom governing the contractual arrangement by choosing an option law of the from the given dropdown. contractual If more than one option applies, please refer to arrangement Section ‘Multiple Responses’. 3.01 Reason for Required Required Please specify why the contract is assessed as All of the above materiality material by choosing from the given dropdown. If more than one option applies, please refer to Section ‘Multiple Responses’. If all options apply, please select 'All of the above'. 

3.02 Date of the most recent materiality assessment
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please specify the date of the most recent materiality assessment in the format of YYYY-MM-DD.
Sample Response: 2020-10-01

3.03 Function Category
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please specify the function that the contractual arrangement supports by choosing an option from the dropdown. You may only select ‘CF: Enterprise: Most functions or IBSs within the organisation’ from the dropdown if ‘Type of Service Provided’ is ‘Security & Identity’ or ‘Networking & Operations’. Note: CF: Central Function, for example HR or payroll. BF: Business Function, for example deposit taking.
Sample Response: BF: Benchmark Activities: Providing data in relation to a regulated Benchmark

3.04 Does the contractual arrangement support an Important Business Service?
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please specify whether the contractual arrangement supports an Important Business Service (IBS) by choosing an option from the given dropdown.
Sample Response: Yes

3.05 If yes, which Important Business Service does the contractual arrangement support
Requirement – Register: Required conditional
Requirement – Notifications: Required conditional
Description: If you choose ‘Yes’ for ‘Does the contractual arrangement support an Important Business Service?’, please state the Important Business Service in a short sentence.
Sample Response: Make and receive a BACS credit transfer

3.06 Does the service provider support a core element of the Important Business Service?
Requirement – Register: Required conditional
Requirement – Notifications: Required conditional
Description: If you choose ‘Yes’ for ‘Does the contractual arrangement support an Important Business Service?’, please specify whether the service provider supports a core element of the IBS by choosing an option from the given dropdown. Core support is where a disruption of the material third party leads to a significant disruption in the delivery of the IBS. In contrast, non-core means the IBS would not be significantly impacted, interrupted or damaged; hence, the disruption can be resolved quickly and with minimal impact on the IBS. For example, disruption of the material third party supporting core payment flows could be regarded as core, whilst disruption of a material third party affecting ancillary payment services, such as reporting or statement productions, may not be regarded as core.
Sample Response: Yes

3.07 Impact Tolerance - PRA Safety and Soundness
Requirement – Register: Required
Requirement – Notifications: Required
Description: If you choose ‘Yes’ for ‘Does the contractual arrangement support an Important Business Service?’, please enter the impact tolerance in a numeric value in hours (including weekends). If your impact tolerance is less than 1 hour, please use decimals. You should enter ‘N/A’ if you choose ‘No’ for ‘Does the contractual arrangement support an Important Business Service?’, and/or if you are not a PRA-regulated firm. For Notifications only: If you have not set the impact tolerance, please enter ‘Not done’.
Sample Response: 24

3.08 Impact Tolerance - PRA Financial Stability
Requirement – Register: Required
Requirement – Notifications: Required
Description: If you choose ‘Yes’ for ‘Does the contractual arrangement support an Important Business Service?’, please enter the impact tolerance in a numeric value in hours (including weekends). If your impact tolerance is less than 1 hour, please use decimals. You should enter ‘N/A’ if you choose ‘No’ for ‘Does the contractual arrangement support an Important Business Service?’, and/or if you are not a PRA-regulated firm. For Notifications only: If you have not set the impact tolerance, please enter ‘Not done’.
Sample Response: 48

3.09 Impact Tolerance - PRA Policy holder Protection
Requirement – Register: Required
Requirement – Notifications: Required
Description: If you choose ‘Yes’ for ‘Does the contractual arrangement support an Important Business Service?’, please enter the impact tolerance in a numeric value in hours (including weekends). If your impact tolerance is less than 1 hour, please use decimals. You should enter ‘N/A’ if you choose ‘No’ for ‘Does the contractual arrangement support an Important Business Service?’, and/or if you are not a PRA-regulated firm. For Notifications only: If you have not set the impact tolerance, please enter ‘Not done’.
Sample Response: 48

3.10 Impact Tolerance - FCA - Client harm
Requirement – Register: Required
Requirement – Notifications: Required
Description: If you choose ‘Yes’ for ‘Does the contractual arrangement support an Important Business Service?’, please enter the impact tolerance in a numeric value in hours (including weekends). If your impact tolerance is less than 1 hour, please use decimals. You should enter ‘N/A’ if you choose ‘No’ for ‘Does the contractual arrangement support an Important Business Service?’, and/or if you are not an FCA-regulated firm. For Notifications only: If you have not set the impact tolerance, please enter ‘Not done’.
Sample Response: 12

3.11 Impact Tolerance - FCA - Market integrity
Requirement – Register: Required
Requirement – Notifications: Required
Description: If you choose ‘Yes’ for ‘Does the contractual arrangement support an Important Business Service?’, please enter the impact tolerance in a numeric value in hours (including weekends). If your impact tolerance is less than 1 hour, please use decimals. You should enter ‘N/A’ if you choose ‘No’ for ‘Does the contractual arrangement support an Important Business Service?’, and/or if you are not an FCA-regulated firm. For Notifications only: If you have not set the impact tolerance, please enter ‘Not done’.
Sample Response: 48

3.12 Impact Tolerance – Bank as FMI regulator (Only applies to FMIs)
Requirement – Register: Required
Requirement – Notifications: Required
Description: If you choose ‘Yes’ for ‘Does the contractual arrangement support an Important Business Service?’, please enter the impact tolerance in a numeric value in hours (including weekends). If your impact tolerance is less than 1 hour, please use decimals. You should enter ‘N/A’ if you choose ‘No’ for ‘Does the contractual arrangement support an Important Business Service?’, and/or if you are not an FMI. For Notifications only: If you have not set the impact tolerance, please enter ‘Not done’.
Sample Response: 48

3.13 Country where the data is stored
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please select the country where data is stored at rest from the dropdown menu. If multiple countries apply, limit your selection to those with the greatest impact on the firm’s operations under this contract—typically the 5 to 10 most significant countries. If more than one option applies, please refer to Section ‘Multiple Responses’.
Sample Response: United Kingdom

3.14 Country where the service is delivered from
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please select the country where the service is delivered from, from the dropdown menu. If multiple countries apply, limit your selection to those with the greatest impact on the firm’s operations under this contract—typically the 5 to 10 most significant countries. If more than one option applies, please refer to Section ‘Multiple Responses’.
Sample Response: Australia

3.15 Annual Contract Value
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please specify the annual cost or budget in GBP for the use of the product or service under the contractual arrangement. This is different from the total cost or budget. For example, if the total budget for the contract is £1bn over 5 years, this should be apportioned over the 5 years by dividing by 5, equalling 200 million. Please enter ‘200000000’ in this case. If your contractual arrangement spans across multiple rows, please enter the Annual Contract Value again on each row. Firms with material third party contracts denominated in foreign currency (eg USD, Euro) should use the exchange rate prevailing at the reporting period end date.
Sample Response: 200000000

4.01 Date of the most recent risk assessment
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please provide the date of the most recent risk assessment in the format of YYYY-MM-DD. If you choose 'Ongoing' for 'Outcome of the most recent risk assessment', please enter the date that the assessment started. If you choose 'Not done', please enter ‘9999-01-01’.
Sample Response: 2025-12-31

4.02 Outcome of the most recent risk assessment
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please specify the outcome of the most recent risk assessment by choosing an option from the given dropdown. The outcome of the risk assessments should align with the risk presented to your own governance forums.
Sample Response: Non-satisfactory

4.03 Commentary box for risk assessment
Requirement – Register: Optional
Requirement – Notifications: Optional
Description: Please highlight any key areas where the risk assessment of the contractual arrangement is ‘Non-satisfactory’ or any other relevant remarks.
Sample Response: Material findings identified across information security and business continuity

4.04 Date of the most recent audit
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please specify the date of the most recent audit in the format of YYYY-MM-DD. Audits include any appropriate method (for example, internal, external, pooled audits, etc) that enables firms to meet their legal, regulatory, operational resilience, and risk management obligations, amongst others. If you choose 'Ongoing' for 'Outcome of the most recent audit', please enter the date that the audit started. If you choose 'Not done', please enter ‘9999-01-01’.
Sample Response: 2025-08-31

4.05 Outcome of the most recent audit
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please specify the outcome of the most recent audit by choosing an option from the given dropdown. If the contractual arrangement has not been audited, please select 'Not done'
Sample Response: Satisfactory

4.06 Date of financial due diligence
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please provide the date of the most recent financial due diligence. If you choose 'Ongoing' for 'Outcome of financial due diligence', please enter the date that the assessment started. If you choose 'Not done', please enter ‘9999-01-01’.
Sample Response: 2025-08-31

4.07 Outcome of financial due diligence
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please provide the outcome of the financial due diligence by choosing an option from the given dropdown.
Sample Response: Ongoing

4.08 Date of cyber risk due diligence
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please provide the date of the most recent cyber risk (including information security) due diligence. If you choose 'Ongoing' for 'Outcome of cyber risk due diligence', please enter the date that the assessment started. If you choose 'Not done', please enter ‘9999-01-01’.
Sample Response: 2025-08-31

4.09 Outcome of cyber risk due diligence
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please provide the outcome of the cyber risk (including information security) due diligence by choosing an option from the given dropdown.
Sample Response: Ongoing

4.10 Does the contractual arrangement comply with the relevant rules and requirements (eg FCA rules such as PS21/3, PRA rules such as SS2/21 and FMI rules etc.)
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please specify whether the contractual arrangement complies with the relevant Regulatory rules and expectations as of the reporting date. The expectations include but are not limited to: the FCA Principles of Business; Outsourcing and Operational Resilience Parts of the FCA Handbook; the Outsourcing Parts and Operational Resilience Parts of the PRA Rulebook; and the expectations set out in the PRA SS2/21 Outsourcing and third party risk management.
Sample Response: Yes

4.11 Please summarise how future assurance is obtained and, if any gaps are identified, please specify when and how these will be resolved.
Requirement – Register: Required conditional
Requirement – Notifications: Required conditional
Description: If you choose ‘No’ for ‘Does the contractual arrangement comply with the relevant rules and requirements’, please provide a short description of how any compliance gaps will be resolved, or any necessary remarks.
Sample Response: Short text

4.12 Has this contractual arrangement been reviewed and signed off by an SMF holder or an accountable person of an FMI?
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please specify whether an SMF or an accountable person - either a board member and/or senior executive of an FMI - has reviewed and signed off on the contractual arrangement by choosing an option from the given dropdown.
Sample Response: Yes

4.13 If not, which governance committee reviewed it?
Requirement – Register: Required conditional
Requirement – Notifications: Required conditional
Description: If you choose ‘No’ for ‘Has this contractual arrangement been reviewed and signed off by an SMF holder or an accountable person of an FMI?’, please specify which governance committee or body has reviewed the contractual arrangement.
Sample Response: Senior Risk Committee

4.14 Date of Governance Approval
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please specify the date that the contractual arrangement was approved in the format of YYYY-MM-DD.
Sample Response: 2021-12-31

5.01 Substitutability of the service provider
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please specify your firm's ability to substitute the service provider by choosing an option from the given dropdown. The chosen value should be as per the firm’s own process and rating methods. This should be assessed independently of the response to the assessment of the product or service's reintegration and the impact of discontinuing the contractual arrangement.
Sample Response: Not substitutable

5.02 Ability of reintegration of the service
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please specify the firm's ability to reintegrate the product or service provided back in-house, or within another entity in the Group, by choosing an option from the given dropdown. The chosen value should be as per the firm’s own process and rating methods. This should be assessed independently of the response to the assessment of the service provider's substitutability and the impact of discontinuing the contractual arrangement.
Sample Response: Impossible

5.03 The impact of discontinuing the contractual arrangement
Requirement – Register: Required
Requirement – Notifications: Required
Description: Please specify the impact on the firm if the contracted product or service is discontinued. The chosen value should be as per the firm’s own process and rating methods. This should be assessed independently of the response to the assessment of the service provider's substitutability and product or service reintegration.
Sample Response: High

Multiple Responses

6.8 Where a firm has more than one response for a data field, it should enter each of the additional responses in a separate row, keeping other (Required) columns constant where applicable. Firms can refer to Section 4 ‘Columns Explained’ to see which columns are Required.

6.9 In the worked example of a correct approach below, the firm has one contractual arrangement that supports multiple Function Categories. Since there is more than one response for the ‘Function Category’ field, each additional response has been input as a new row, using the drop-down and keeping other Required columns constant where applicable.

Worked example:

| Contractual Arrangement Reference Number | Function category | Does the contractual arrangement support an important business service? | If yes, which important business service does the contractual arrangement support | Does the service provider support a core element of the Important Business Service? |
|---|---|---|---|---|
| A001 | BF: Payments: Electronic Payment services | Yes | Payments In | Yes |
| A001 | BF: Capital Markets & Investment: Asset management such as activities related to Recognised Investment Exchanges | Yes | Client payments out | No |
| A001 | BF: Clearing, Custody & Settlement: Settlement services | Yes | Clear & Settle transactions at CREST | No |
| A001 | BF: Wholesale Funding Markets: Securities financing | Yes | Collateral margin & valuation services | No |

6.10 Common errors that could lead firms to need to resubmit include:
• Merging multiple responses into one row – eg the ‘Function Category’ column below.
• Leaving Required fields blank – refer to Section 4 ‘Columns Explained’ to see which columns are Required.
• Overwriting the dropdown menus provided with a custom value.
• Summarising responses with vague statements such as ‘All Important Business Services’.
• Referring to values in previous rows with statements such as ‘see above’.

Required details if the response chosen is “Other”

6.11 It is possible to choose ‘Other’ from the dropdown menu for the following data fields:
• Function Category
• Type of Service Provided

6.12 For Function Category please make sure to describe ‘Other’ using the following columns:
• ‘Short description of product/service provided’; and
• ‘If yes then which important business service does the contract support?’

6.13 If the taxonomy of Function Categories or Type of Service Provided do not contain a value that accurately covers your activity, and you would like to suggest an addition, please do so via your supervisory contact.

7 Submitting a material third party notification and register

Mechanisms for submitting third party notification template

7.1 Firms are required to notify the FCA of planned material third party arrangements, or significant changes to existing ones. We have not prescribed a timeline but expect to be notified at an early stage in the process.

7.2 Firms should submit their notification to the FCA using our online reporting portal (‘FCA Connect’). Where relevant the FCA will transfer the submission to the PRA and Bank of England.

7.3 We do not expect firms to resubmit their register of material third party arrangements each time they make a notification to us.

Mechanisms for submitting the structured register of firms’ material third party arrangements

7.4 The FCA will notify firms in scope of register reporting requirements when the annual submission window opens, and they will have 90 calendar days to make their submission via FCA’s material third party register reporting platform (‘FCA RegData’).

7.5 The data submitted should be accurate as of 31 December of the previous year. For example, a register submission made in 2027 would reflect the period ending 31 December 2026.

Policy References

FCA
• SYSC 8 Outsourcing
• SYSC 13 Operational risk: systems and controls for insurers
• SYSC 15A Operational resilience
• SUP 15 Notifications to the FCA
• SUP 16 Reporting Requirements
• PRIN 2.1 The Principles

PRA
• SS2/21 Outsourcing and third party risk management
• Operational Resilience Parts of the PRA Rulebook
• SS1/21 Operational resilience: Impact tolerances for important business services
• Operational Continuity Part of the PRA Rulebook
• Notification Parts of the PRA Rulebook
• Regulatory Reporting Parts of the PRA Rulebook
• PRA Fundamental Rules

Bank of England
• The Bank of England’s policy on outsourcing and third party risk management for FMIs
• FMI Rulebook: Notification of third-party arrangements and operational incident reporting rules for UK CCPs and UK CSDs
• Operational resilience and Notifications and Regulatory Reporting Parts of the Payment Systems Code of Practice
• The Bank of England policy on operational resilience of FMIs
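
The field formats described in the columns above and the common errors listed in 6.10 can be checked row by row before a submission is made. The sketch below is an added example, not part of the FCA guidance or of any FCA tooling; the column keys, function names and the choice of a representative subset of fields (2.09 to 2.11, 2.13, 3.03 to 3.06, 3.10, 4.01 and 4.02) are assumptions made for illustration.

```python
import re
from datetime import datetime

# Column keys are assumptions for this example, not the template's own headers.
REQUIRED = ("reference", "function_category", "supports_ibs", "contract_start",
            "notice_days_firm", "risk_assessed", "risk_outcome", "impact_tolerance_fca")
DATE_FIELDS = ("contract_start", "service_start", "next_renewal", "risk_assessed")


def check_date(value):
    """Return an error string, or None when value is a real YYYY-MM-DD date."""
    try:
        datetime.strptime(value, "%Y-%m-%d")
    except ValueError:
        return f"'{value}' is not a YYYY-MM-DD calendar date"
    # strptime also accepts '2023-1-1', so insist on the zero-padded form.
    return None if re.fullmatch(r"\d{4}-\d{2}-\d{2}", value) else f"'{value}' is not zero-padded"


def check_tolerance(value, supports_ibs, submission):
    """Accept hours as a number, 'N/A', or 'Not done' (Notifications only)."""
    if value == "N/A":
        return None  # IBS is 'No', or the firm is outside that regulator's scope
    if supports_ibs != "Yes":
        return "must be 'N/A' when no Important Business Service is supported"
    if value == "Not done":
        return None if submission == "notification" else "'Not done' is for Notifications only"
    if not re.fullmatch(r"\d+(\.\d+)?", value) or float(value) <= 0:
        return f"'{value}' is not a number of hours"
    return None


def validate_row(row, submission="register"):
    """Check one row (dict of column -> string) and return a list of error strings."""
    errors = []
    # 2.10 is Required for Notifications only, 2.11 for the Register only.
    required = REQUIRED + (("next_renewal",) if submission == "register" else ("service_start",))
    if row.get("supports_ibs") == "Yes":
        required += ("ibs_name", "core_element")  # the 'Required conditional' fields
    for field in required:
        if not row.get(field, "").strip():
            errors.append(f"{field}: Required field is blank")
    for field, value in row.items():
        if re.search(r"\bsee above\b", value, re.I):
            errors.append(f"{field}: refers to a previous row")
        if value.strip().lower() == "all important business services":
            errors.append(f"{field}: vague summary instead of a named service")
    for field in DATE_FIELDS:
        if row.get(field) and (problem := check_date(row[field])):
            errors.append(f"{field}: {problem}")
    # Function Category values start 'BF:' or 'CF:', so two prefixes mean a merged cell.
    if len(re.findall(r"\b[BC]F:", row.get("function_category", ""))) > 1:
        errors.append("function_category: multiple responses merged into one row")
    if not re.fullmatch(r"\d+", row.get("notice_days_firm") or "0"):
        errors.append("notice_days_firm: numeric value in calendar days only")
    # Reading the 'Not done' / 9999-01-01 pairing as two-way is this example's assumption.
    if (row.get("risk_outcome") == "Not done") != (row.get("risk_assessed") == "9999-01-01"):
        errors.append("risk_assessed: '9999-01-01' and 'Not done' must be used together")
    tolerance = row.get("impact_tolerance_fca", "")
    if tolerance and (problem := check_tolerance(tolerance, row.get("supports_ibs"), submission)):
        errors.append(f"impact_tolerance_fca: {problem}")
    return errors


# Constructed rows: GOOD reuses sample responses from the guidance, BAD breaks six rules.
GOOD = {"reference": "A001", "function_category": "BF: Payments: Electronic Payment services",
        "supports_ibs": "Yes", "ibs_name": "Make and receive a BACS credit transfer",
        "core_element": "Yes", "contract_start": "2023-01-01", "next_renewal": "9999-12-31",
        "notice_days_firm": "90", "risk_assessed": "2025-12-31",
        "risk_outcome": "Non-satisfactory", "impact_tolerance_fca": "12"}
BAD = dict(GOOD, function_category="BF: Payments: Electronic Payment services; BF: Wholesale "
           "Funding Markets: Securities financing", ibs_name="All Important Business Services",
           contract_start="01/01/2023", notice_days_firm="90 days", risk_outcome="Not done",
           impact_tolerance_fca="Not done")
```

Checking dropdown values against the taxonomy, the third error in 6.10, needs the taxonomy list itself and is left out here.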