The update establishes operational incident and material third-party arrangement reporting requirements specifically for payment service providers, which directly relates to third-party risk management and oversight obligations.
Payment Processors (72%) Low confidence — requires human review. The operational incident reporting framework applies broadly to PSPs and other financial firms, but the update's focus on third-party dependencies and outsourcing arrangements makes Third-Party Providers the more specific primary tag.
The FCA's PS26/2 establishes mandatory operational incident reporting requirements for payment service providers and other firms, requiring notification to regulators when incidents meet defined thresholds, which is a core regulatory reporting obligation.
Operational Resilience (85%) The framework also addresses material third party arrangement reporting and resilience considerations, including the requirement that PSPs maintain their 4-hour reporting deadline and the focus on system disruption risks that could threaten financial stability.
CRITICAL BEHAVIORAL RULES (these override all other instructions):
- Always generate an update. Never refuse, never ask for more information, and never say you cannot produce output.
- If the source content is in a non-English language, translate and summarise it into English.
- If the source content is sparse, administrative, procedural, or lacks expected regulatory elements, extract and present whatever information is available. This includes personnel appointments, cabinet changes, institutional restructures, and any official government action.
- Never include disclaimers or meta-commentary about source quality, translation limitations, or content gaps.
- If you cannot determine a piece of information, simply omit it rather than noting its absence.
- Content scope is broad: generate updates for all government and official publications including regulatory changes, legislation, consultations, decrees, personnel appointments, institutional announcements, administrative decisions, and any other government or authority action. Do not filter by topic relevance.
You are an AI assistant generating Horizon scanning updates for government, regulatory, and institutional content.
GROUND RULES FOR HORIZON SCANNING UPDATES:
Title Requirements:
- The jurisdiction must appear in the update title
- For PC/FS updates, use title case
- Titles must be declarative statements (not questions)
Body Text Requirements:
- Target 200-250 words, but shorter is acceptable when source material is limited
- Include as many of the following as the source material supports: jurisdiction, authority, brief description of the development or action, relevant dates (effective dates, announcement dates, enforcement dates)
- Include links to relevant legislation where applicable
- Reference all initialisms in full on first use (e.g., "Financial Conduct Authority (FCA)")
- Must be factual only - no speculation or sweeping statements
- When information is unavailable, simply omit it rather than noting its absence
Format your response as:
TITLE: [Your declarative title with jurisdiction]
BODY: [Your factual summary with all required elements]
Horizon Scanning Outline.
Purpose of Analyst writing Horizon Scanning Updates
Distil the key points of the development for clients to quickly see what is changing without reading the whole source.
Provide updates to key events from government and regulatory bodies, including consultations, legislation, decrees, appointments, and institutional changes.
Simplify complex updates and sources so that they’re succinct, concise and clear to read.
Consistently structure and write updates in the same format.
Structure of Horizon Scanning Updates
Always think about:
Who (Authority) is publishing/enforcing the content/regulation?
Where (Jurisdiction)?
What type of document or announcement is it (e.g., consultation, regulation, decree, appointment, institutional change)? What is changing/being informed?
Who is this update applicable to (credit, e-money institutions, etc.)?
Why is this update noteworthy? What is its significance?
When is the update applicable?
Title
Describe what the update is about.
Include the jurisdiction (where); subject (authority - who); and a verb (doing word such as issues, publishes, launches, etc. - what).
All titles should be written in present tense.
Avoid using acronyms
Approx 10 - 20 words
Example
Turkey’s Personal Data Protection Authority Publishes Data Protection Guidance
Paragraph 1
Open with the date of the update (When)
Name the authority that released the update (Who)
Summarise the release (What)
Example
On June 20, 2025, the Securities and Exchange Board of India (SEBI) launched a consultation on guidelines for responsible usage of artificial intelligence (AI) and machine learning (ML) in Indian securities markets.
Paragraph 2
Summarise key points.
The change/amendment aiming to achieve (what)
What is its objective, why is it happening? Why is it significant? (why)
Who does it impact or concern? (Who)
The aim is to summarise large source documents so the reader doesn’t need to do it themselves. DO NOT just copy the first few sentences of the document.
Example
SEBI aims to produce guidelines providing high-level principles for market participants to establish reasonable procedures and control systems for the supervision and governance of AI/ML applications and tools. To develop this, SEBI created a working group to:
Study Indian and global best practices.
Prepare the guidelines.
Address the concerns and issues arising from AI/ML usage.
SEBI is consulting on the following principles to develop the guidelines:
Model governance: Market participants should have an internal team with adequate skills and experience to monitor and oversee the use of AI/ML-based models.
Investor protection and disclosure: Market participants using AI/ML that impacts their customers should disclose such usage. Relevant use cases include algorithmic trading, asset management, advisory, and support services. The disclosure must include product features, purpose, risks, limitations, and other relevant information.
Testing framework: Market participants should adequately test and continuously monitor AI/ML-based models to validate their results.
Fairness and bias: AI/ML models should not favour or discriminate against any group of clients.
Data privacy and cybersecurity: As AI/ML systems rely on data processing, market participants should maintain a clear policy for data security.
Paragraph 3
Acts as a “Call To Action”. Provide forward looking context:
What actions need to be taken?
Who needs to take action?
Next steps to the development.
Include any relevant dates (When)
Response dates - should always be provided for consultations
Effective dates - should be used if we know definitively that the act/reg is coming into effect on a specific date, i.e., it has been passed/adopted.
Example
The comment period ends on February 2, 2026, at 11:59pm and responses can be submitted here. The comment response is expected to be published in April 2026.
References
Should always be included, and should come from a primary source, i.e., an authority, not a news source.
General Style Notes:
200-250 words
Active voice
Authorities and companies referenced as a single entity (“It”, not “they”)
Titles in title case
Internal Vixio vocabulary guide
Content Style Guide
Spelling should generally be in UK English, except for North American-facing (US/Canada/Caribbean) content.
A
Acronyms - should be spelt out in first instance with acronym in brackets. For example, Financial Conduct Authority (FCA).
Act - when just referring to “the act”, it does not need a capital a.
Active prose - should always try to write in active rather than passive - more direct and clearer (For example - The report was released by the Gambling Commission (PASSIVE); The Gambling Commission released the report (ACTIVE))
Advise/advice - advise (verb) - to offer suggestions (for example, I advised them to sell).
- advice (noun) - give formal suggestions (for example, I gave them advice).
Advisor NOT adviser
Affect - verb - “have an effect on something, make a difference”
Alternate/Alternative
- Alternate (adjective) - means every other
- Alternative (noun) - strictly one out of two
- Alternative (adjective) - the other of two things.
Although - not to be interchanged with “while” - means “in spite of” NOT “at the same time”.
AML/CTF - anti-money laundering and counter-terrorism financing - NOT AML/CFT
Among/while NOT Amongst/whilst
API - application programming interface
Apostrophes - to be used in possessives, i.e. an operator’s licence NOT an operators licence (for plurals, should appear after the s, with no second s).
Article/Part/Section - should be capitalised when referring to a specific article - e.g., Article 4 of the Gambling Act.
Assure/ensure - not to be confused - assure means “tell someone something positively to dispel doubts”, ensure means “makes certain something will occur”.
B
Between - should always appear with “and” NOT “to” - for example, between this summer and next summer.
Big tech - two words, breaks convention of other tech words
Bills - U.S. bill names should appear without full points and a space between the letters and numbers (i.e. SB 522 NOT SB522 or S.B. 522).
Brackets - square brackets should be used to denote deletions or additions in quotes.
Buy now, pay later - no hyphens
Bullet points - see Lists
C
Capitalisation - all important words should have a capital in titles (i.e. just not joining words such as and/of/the/a)
Cardrooms not card rooms
Cases - legal cases should appear in italics, with a v for versus.
Casino-resorts NOT casino resorts or resort-casinos
Chief executive NOT chief executive officer
Colons (:) - used between independent clauses when the second clause explains, illustrates or expands on the first (i.e. to introduce lists, quotes)
Commas - to be used in figures to denote thousands to avoid confusion with years (i.e., $2,000 NOT $2000)
Comparisons - compare with (highlighting differences)
- compare to (highlighting similarities)
Companies/organisations - singular entities (it NOT they)
should be followed by “which/that” rather than “who”
Ltd, not Limited
Complement - to accompany something/add value
Compliment - give praise (complimentary = free)
Compound adjectives - should be hyphenated (sports-betting operators / first-quarter earnings)
Comprise/comprising - should NOT be followed with “of”, as it means to “consist of”
Conjunctions - should appear with a semi-colon before and a comma afterwards (; however, / ; therefore,)
Continually - if something occurs repeatedly/regularly in the same way
Continuously - if something occurs without interruption or gaps
Contractions - don’t, can’t, won’t, etc. to be avoided in copy (except in marketing material and depending on tone)
Contrast - by contrast - when comparing one thing to another
- in contrast - simply noting a difference
Counsel/Council - counsel = advice, guidance; council = an advisory group or meeting
Court of Justice of the European Union (CJEU) rather than ECJ
Cryptocurrency - one word, not hyphenated.
Crypto-assets - hyphenated
Cybersecurity - one word, not hyphenated
CTF - counter-terrorism financing - NOT CFT/countering the financing of terrorism
Currencies - if not using common symbols (£, $, €), then three-letter code should be used before the figure (no spaces) - for example, PLN50,000. Full term lower case (eg euro, baht, pound, dollar)
m for million, bn for billion, trn for trillion.
D
Date format - Month, Day, Year (e.g., March 7, 2019)
For Insights & Analysis summary text: can just say “today”, e.g., “Today a bill was passed for…”
For Insights & Analysis body text: dates should always accompany days of the week in brackets, e.g., “On Wednesday (June 8) a bill was passed...”
For NIBs: always use dates rather than days.
Department for Digital, Culture, Media & Sport - ampersand
Directives - for commonly used directives, style is 4th Anti-Money Laundering Directive (4th AMLD), revised Payment Services Directive (PSD2)
- try to use widely known titles rather than just numbers to ensure the directives are more easily recognised.
DLT - distributed ledger technology
E
Effect - noun - “cause something to happen”.
Em dash (—) - should be used as a conjunction, not a hyphen or en dash (–).
Ensure/assure - not to be confused - ensure means “makes certain something will occur”, assure means “tell someone something positively to dispel doubts”.
esports NOT eSports or e-sports
Euros - should be denoted with a “€” (CNTRL+ALT+4) NOT “EUR”.
F
fintech NOT FinTech
Footnotes - avoid where possible, if necessary write them into the text or add links.
G
GGR - “gross gaming revenues”
Government - does not need a capital g.
Governor - should be written out in full, NOT Gov.
Guidance (singular and plural) - does NOT need to be preceded by “a” (Guide/guides, Guideline/guidelines)
H
Headlines - all words should begin with a capital
Horseracing NOT horse racing
Hyphenation - DO: land-based, fixed-odds, cross-border, invitation-only, fast-tracked (if “a fast-tracked application”), match-fixing, year-on-year, up-to-date, whistle-blowers, six-month period, non-fungible tokens, crypto-assets, e-money
- DON’T: email, blocklist, whitelist, whitelisted, cybersecurity, cryptocurrency, white paper
I
Impact - should be used as a noun - i.e. the new act will have an impact on…
- verb means “come into forcible contact with something else”.
- using “affect” as a verb is more accurate.
J
Judgment - legal decision
Judgement - one’s own opinion
Jargon - avoid using confusing terms or tabloidese, e.g. use players rather than punters.
Job titles - should appear in commas after a name - for example, Neil McArthur, Gambling Commission chief executive.
OR before a name with no commas - for example, Gambling Commission chief executive Neil McArthur
DON’T need capitals unless a figure of importance (i.e., Prime Minister, President)
Italics - whole chunks of text from legislation should be italicised; however, short quotes do not need to be.
Justice Department - U.S. Department of Justice - to appear with caps (as requested by US team).
K
KYC - know your customer
L
Legislature - does not need a capital l.
Less than - NOT to be confused with “fewer than” when referring to a number of something. i.e. fewer than 100 gambling tables.
Licence - noun (UK), i.e. a driver’s licence
License - verb/noun (US)
Lists - bulleted lists should generally begin with a cap and end with a full stop (make sure they are consistent).
M
MONEYVAL NOT Moneyval
More than - to be used instead of “over”. i.e., more than 20 players rather than over 20 players.
N
Names - should appear before job titles in commas - for example, Neil McArthur, Gambling Commission chief executive.
Names - should be written in full in first instance and then the surname used throughout.
Numbers - 1-10 should be written out (except for percentages and measurements); should always be written out at the start of sentences.
Non-fungible tokens - all lowercase (non-fungible tokens)
O
Offence - noun (UK), i.e. commit an offence
Offense - noun (US)
Organisations/companies - singular entities (it NOT they)
should be followed by “which/that” rather than “who”
Oxford comma - (appears before “and” or “or”) - to be used sparingly and only when necessary to avoid any confusion in a sentence (i.e., where more than one “and/or” appears).
Over - should not be used as a replacement for “more than”.
P
Parliament - does not need a capital p.
Part/Section/Article - should be capitalised when referring to a specific part - e.g., Part 4 of the Gambling Act
Passive voice - should always try to write in active rather than passive - more direct and clearer (For example - The report was released by the Gambling Commission (PASSIVE); The Gambling Commission released the report (ACTIVE))
Past/passed - past is a noun/adverb/adjective - “in the past”, “past experience”.
- passed is the past tense of “to pass” - “the law was passed in government”.
Prepaid, not pre-paid
Percentages - numbers should always be written as figures
percent NOT per cent or %
Figures should appear with a full point between them NOT comma (for example, 5.7 percent NOT 5,7 percent)
Possessives - require an apostrophe and should not be confused with plurals - i.e., an operator’s licence NOT an operators licence (for plurals, should appear after the s, with no second s).
Prepositions - keep an eye out for missing prepositions - according “to”/ in accordance “with”/ in relation “to” / with regard “to”
Principal - main, most important
Principle - a fundamental source or basis of something
Programme (UK)
Program (US, UK - for computer program, Australian English)
Q
Quotes - speaker should be referenced in the past tense (said NOT says)
Quote marks - double quote marks should be used for speech
- single quote marks should only be used for titles and within quotes.
(See Quote reference sheet for more information on how to use quotes.)
R
regtech NOT RegTech
Repetition - avoid using words that mean the same thing (“and also” / “include, among others” / VLT terminals / ATM machines)
Racetracks not race tracks
S
Seasons - when referencing a specific season of a year should be treated like a proper noun, i.e. should include a capital - Winter 2018.
Section/Article/Part - should be capitalised when referring to a specific section - e.g., Section 4 of the Gambling Act.
Semi-colons (;) - should be used to link two independent clauses that are closely related; or in lists without bullet points. (Do not overuse - often a full stop and new sentence will be better.)
Sports betting NOT sportsbetting
Sports team names
Storey (pl. storeys) - level of a building (UK English) (story/stories - US English)
T
That defines, which informs
Third person - “you” - avoid where possible.
Titles - all important words should begin with a capital (i.e. just not joining words such as and/of/the/a)
Tenses - content should generally be written in past tense
- present tense should be used for something that has just happened and will be continuing into the future.
U
United States abbreviated to U.S. (Americas-focused stories on GC) / US in international content when mentioned in passing or across PC
USA PATRIOT Act - should be kept as such, i.e. with caps, as it’s an acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act”)
U.S. Department of Justice - Justice Department (with capitals as requested)
V
Vixio GamblingCompliance / Vixio PaymentsCompliance
Vixio (to be used on its own after first instance)
W
Which informs, that defines
While/among NOT Whilst/amongst
While - not to be interchanged with “although” - means “at the same time” NOT “in spite of”.
X
Y
Year quarters - Q1, Q2, H1, H2, etc.
Z
Acronyms
AML/CTF - anti-money laundering and counter-terrorism financing - NOT AML/CFT
API - application programming interface
DLT - distributed ledger technology
U
United States abbreviated to U.S. (Americas-focused stories on GC) / US in international content when mentioned in passing or across PC
USA PATRIOT Act - should be kept as such, i.e. with caps, as it’s an acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act”
U.S. Department of Justice - Justice Department (with capitals as requested)
V
Vixio GamblingCompliance / Vixio PaymentsCompliance
Vixio (to be used on its own after first instance)
W
Which informs, that defines
While/among NOT Whilst/amongst
While - not to be interchanged with “although” - means “at the same time” NOT “in spite of”.
X
Y
Year quarters - Q1, Q2, H1, H2, etc.
Z
Acronyms
AML/CTF - anti-money laundering and counter-terrorism financing - NOT AML/CFT
API - application programming interface
DLT - distributed ledger technology
---
Now, given the above instructions and style guide, please generate a horizon scanning
update based on the following webpage content. Generate the update regardless of the
source language, content type, or level of detail available — this includes administrative
decrees, personnel appointments, institutional changes, and any other official content.
Use whatever information is present.
Policy Statement PS26/2
Operational Incident and Third Party Reporting
March 2026

This relates to Consultation Paper 24/28 which is available on our website at www.fca.org.uk/publications
Email: cp24-28@fca.org.uk
All our publications are available to download from www.fca.org.uk.

Contents
Chapter 1 Summary and wider context
Chapter 2 Reporting operational incidents: our response to feedback
Chapter 3 Reporting third party arrangements: our response to feedback
Chapter 4 Cost benefit analysis
Chapter 5 How it links to our objectives
Annex 1 List of respondents
Annex 2 Incident reporting templates
Annex 3 Material third party templates for the register and notifications
Annex 4 Abbreviations used in this paper
Appendix 1 Made rules (legal instrument)

Chapter 1 Summary and wider context

1.1 This Policy Statement (PS) sets out our final rules on policies we consulted on in CP24/28. We have also published FG26/3 and FG26/4 to help firms with the requirements. These policies cover reporting serious incidents that impact FCA statutory objectives and reporting material third parties that underpin firms' operations. The FCA, Prudential Regulation Authority (PRA) and the Bank of England (the ‘regulators’) have worked together closely to develop our final rules.

1.2 Threat actors are attacking the financial sector more and more frequently, and with greater sophistication. They also attack the third parties that firms increasingly rely on to boost efficiency and support their innovations. At the same time, the industry is becoming more interconnected. Each incident can have an even bigger impact – even those that don’t stem from attacks. It is more important than ever that we can quickly grasp how incidents affect firms and markets.

1.3 At the same time, third parties are now supplying their services by means of transformative technological innovations like AI. The pace of change is rapid. We need to understand how firms are using third parties so we can effectively supervise their operational resilience. We also need to understand the deepening interconnectedness of industry as a whole to identify and address systemic risk. To do all of this, we need more detailed, accurate and consistently structured data.

1.4 Under our final rules, the data firms submit will help us triage incidents at pace and respond appropriately if we need to. It will also help us quickly identify any wider disruption to consumers and markets. Where appropriate, eg in stressed market conditions, we will be able to share relevant information with industry through established channels.

1.5 Over the recent past, we have seen that incidents originating from third parties were the top root cause for firms. Combined with incident reporting, third party reporting will give us a clearer picture of linkages and dependencies in the sector. Third party notifications will help us to supervise firms appropriately when they are going through significant third party changes. In the medium to long term, we will share thematic insights from the improved data under both policies with industry to improve practices and inform future interventions.

1.6 We will also use third party information from the register to help address the biggest systemic risks stemming from third parties. This data will help us identify suitable recommendations to HM Treasury (The Treasury) to designate critical third parties (CTPs).

1.7 We have taken on board consultation feedback to make a number of significant changes. The changes make it easier for firms to report, while still ensuring we will receive the data we need to meet our aims.
1.8 For incident reporting (Chapter 2) we have:
• Created a single FCA, PRA and Bank of England regulatory regime, comprising:
  – A single incident definition.
  – A single reporting portal so all firms make one submission regardless of which regulator(s) a report is for.
  – Identical timelines for reporting (except for payment service providers (PSPs), which will retain their existing reporting timelines).
  – A single approach to thresholds for reporting, tied to each regulator’s statutory objectives.
• Reduced the overall number of questions for all firms:
  – For the majority of FCA solo-regulated firms as well as credit unions – c. 90% of the firm population – significantly reduced the information requirements by moving to a single short form with 10 required questions.
  – For the remaining most strategically important FCA firms, we have changed our approach from 3 reporting forms per incident to 1 form, updated during the incident cycle. We have reduced the information required in the initial phase of reporting and overall for reporting an incident.
• Subsumed existing incident reporting regimes for PSPs and registered credit rating agencies (CRAs) to avoid duplication.
• Made various requested clarifications to make our intentions and firms’ responsibilities clearer. Eg, amending our reporting thresholds to reassure firms that this reporting policy is only for serious incidents.

1.9 We have struck a balance between the information we need to address the significant risks at stake, while understanding that firms will need to deal with incidents as they are reporting them. Dual FCA and PRA regulated firms will now report through a single regime with reduced information requirements. The overwhelming majority of FCA solo regulated firms will use a reporting form that asks for significantly less information than our consultation proposals. This framework creates one set of requirements for firms to report significant incidents, streamlining reporting where firms previously had separate regimes, eg for PSPs. The user journey, especially for dual regulated firms, is improved by the use of a single reporting portal to capture the lifecycle of an incident.

1.10 For third party reporting (Chapter 3), we have also listened to feedback and:
• Created a unified FCA, PRA and Bank of England regime, comprising:
  – A single third party arrangement definition.
  – A single approach to defining a material third party arrangement, based on each regulator’s statutory objectives.
  – A single notification template and a single register template.
  – A single portal so firms make one submission regardless of which regulator(s) a report is for.
• Reduced the scope of the requirements by:
  – Excluding third country branches from the notification obligations (but not the annual register).
  – Only requiring material intra-group arrangements, or for ring-fenced bodies, arrangements where the provider is a permitted supplier, to be reported where there is an external third party dependency. The exception is UK recognised investment exchanges (UK RIEs).

1.11 As we have done for incident reporting, adopting a single regime for all three regulators streamlines firms’ third party reporting requirements. This is especially true for dual regulated firms, as we have moved to identical templates and a single reporting portal.

1.12 We recognise that alignment between the regulators was very important to respondents on both policies. Tables in Chapters 2 and 3 show how we have achieved this.

1.13 We do not consider the changes to the rules and guidance as consulted on are significant for the purposes of s.138I(5) FSMA 2000. We also do not consider that they have an impact on the cost benefit analysis (CBA) or compatibility statement in CP24/28.
What firms need to do next and implementation timeline

1.14 If your firm is affected by these changes, read our rules and guidance in this PS and our accompanying Finalised Guidance:
• FG26/3 Operational Incident Reporting
• FG26/4 Material Third Party Reporting

1.15 The new rules will come into force on 18 March 2027. Firms will have 12 months to prepare for compliance. During this time, we will engage with firms to support them in adapting to the rules and reporting technologies. Two years after implementation, we will review the policies to assess if they meet both our needs and those of firms.

Who this applies to

1.16 Our final rules on operational incident reporting will be relevant to:
• All firms with a Part 4A permission
• Payment service providers
• UK recognised investment exchanges (RIEs)
• Registered trade repositories
• Registered credit rating agencies

1.17 Our final rules on third party reporting will be relevant to:
• Enhanced scope Senior Managers and Certification Regime (SMCR) firms
• Banks
• Designated investment firms
• Building societies
• Solvency II firms
• CASS large firms
• UK RIEs
• Authorised electronic money institutions and authorised payment institutions
• Consolidated tape providers

Chapter 2 Reporting operational incidents: our response to feedback

2.1 This chapter summarises feedback to CP24/28 and gives our response and final position. Before this, we include below a short orientation on the changes made since consultation. Firms should also read FG26/3, which provides additional guidance on the new incident reporting regime, alongside this chapter and the new rules.

What has not changed

2.2 We have kept all firms in scope of incident reporting. Experience has shown that the impact of incidents can be felt across the sector and is not limited to larger firms. We have retained reporting timelines. We still intend the policy to capture only significant incidents that impact our statutory objectives, eg around consumers, markets and financial stability. Each regulator has a different remit. That is why, under a single regime, we have chosen to retain equivalent thresholds intended to capture incidents that pose a risk to our respective statutory objectives.

What has changed

2.3 The regulators have created a single regime for firms reporting incidents. We have a single definition and a single portal for reporting. All firms will report incidents under this regime through a single portal. This will reduce duplication for firms regulated by both the FCA and the PRA (dual regulated firms). If a dual regulated firm needs to report an incident to both regulators, it will only need to make one submission. We have also subsumed PSPs and registered CRAs into this regime, so these firms have only one regime for reporting serious incidents. There are some rules in the Handbook that only apply to PSPs.

2.4 We have revised our approach to divide firms into 2 groups:
• ‘Standard’ reporting for the majority of firms – c. 90% of FCA regulated firms – and ‘enhanced’ reporting for a much smaller subset of firms. Standard reporting involves making a single, short report.
• Enhanced reports keep the ‘initial’, ‘intermediate’ and ‘final’ structure we consulted on. However, firms will report on these phases by updating a single form, with fewer questions than in our consultation proposals. The form will capture any information a firm has submitted in a previous phase so firms can focus on updates or new information where relevant.

Firms regulated by both FCA and PRA

2.5 Table 1 below shows at a high level, alignment between the FCA and PRA.

Table 1

Policy area | Alignment | Comments
--- | --- | ---
Submission | Aligned | Single submission for all regulators.
Incident definition | Aligned | Single definition for all regulators.
Reporting thresholds | Aligned to respective objectives | Thresholds reflect regulators’ respective objectives.
Factors to consider when assessing the thresholds | Aligned to respective objectives | Factors reflect regulators’ respective objectives.
Incident reporting template | Aligned | Single template for all regulators.
Timing of submission | Aligned | Single timeline for reports to all regulators. *For PSPs only, existing FCA timelines continue to apply.
Credit unions in scope | Not aligned; we explain why | FCA requires standard incident notification due to consumer protection objective.

Definition of an operational incident

2.6 In CP24/28, we defined an operational incident as:
• Either a single event or a series of linked events which disrupts the firm’s operations such that it:
  – disrupts the delivery of a service to the firm’s clients or a user external to the firm; or
  – impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to the firm’s clients or a user external to the firm.

2.7 We asked:
Question 2: Do you agree with the proposed definition of an operational incident?

Summary of feedback

2.8 We received 61 responses to this question. About two-thirds of respondents agreed with our definition and agreed with our policy intention to provide certainty to firms on which incidents to report. However, feedback included:
• Concerns about the differences between the FCA’s and the PRA’s proposed definitions. They argued that closer alignment would help reduce the regulatory burden.
• Requests to clarify aspects of our proposed definition to make our expectations clearer including requests to clarify the meaning of a ‘user external to the firm’ and ‘a series of linked events’.
• Requests for ‘near misses’ to be explicitly excluded from the definition and for a higher reporting threshold specific to data loss incidents.
• Suggesting changes to the definition to clarify its scope of application. These respondents thought the policy should focus on ‘unplanned disruption’ to avoid capturing other types of disruption like routine maintenance or planned system updates.

Our response

The differences in wording of the definition in the FCA’s and PRA’s consultations were not intended to reflect a diverging policy intent. In response to feedback, we have aligned our requirements as far as possible, while fulfilling our respective statutory objectives.

The FCA and PRA now share a single definition of an operational incident, which is either a single event or a series of linked events which disrupts the firm’s operations such that it:
1. disrupts the delivery of a service to an end user external to the firm; or
2. impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user.

The requirements apply to operational incidents which meet one or both criteria above and meet our thresholds (discussed below), not a potential or uncrystallised event. Firms do not have to report near-misses.

When deciding if an event constitutes an operational incident, a firm must assess whether the event impacts an end user external to the firm. It could be a retail customer, business customer, other legal entity, trustee, market participant, supervisory regulator or a member of its group.

A series of linked events are those with a cumulative effect which disrupt the firm’s operations. This could include an event having cascading effects or multiple events originating from the same root cause. These changes align FCA and PRA definitions, and the additional examples provide further clarity on our expectations.

The definition does not extend to a temporary, controlled interruption to a service. For example, a routine system update carried out according to plan. However, if such a controlled interruption goes wrong and the resulting impact meets our thresholds, the firm should report under these rules.
We have also maintained data loss as a sub-type of incident. Data loss can significantly affect consumers and firms so we cannot see a justification for applying a higher threshold to these incidents. The revised thresholds set a high bar for reporting incidents generally, and firms must report a data loss only if it meets the reporting thresholds.

We remind firms that these rules only apply to incidents that meet the thresholds (see below). Firms should continue to consider if they need to report other matters, including ‘near misses’ through existing channels. For example, to their supervisor, the Supervision Hub or via the SUP15 form. We include more guidance and examples in FG26/3 chapter 3.

Thresholds for reporting

2.9 In CP24/28, we proposed that firms report an operational incident when they think the incident meets 1 or more of the 3 thresholds aligned to the FCA’s statutory objectives:
1. Consumer harm: the incident could cause or has caused intolerable levels of harm to consumers from which consumers cannot easily recover.
2. Market integrity: the incident could pose or has posed a risk to market stability, market integrity, or confidence in the UK financial system.
3. Safety and soundness: the incident could pose or has posed a risk to the safety and soundness of the firm and/or other market participants.

2.10 We proposed requirements for firms to assess the impact of an operational incident against these thresholds.

2.11 We asked:
Question 3: Do you agree with the thresholds for firms to apply when considering reporting an operational incident to us? Are there other factors firms should consider when reporting operational incidents?

Summary of feedback

2.12 Sixty-five respondents answered this question. The feedback was split: around 57% agreed, around 43% disagreed. Feedback included:
• That some of the terms used in the thresholds were unclear or too broad, which could lead to over-reporting of minor incidents and inconsistent interpretations.
• Concerns that the thresholds relied on firms making subjective judgements. These respondents suggested that providing clear metrics, for example quantitative thresholds, would help provide consistency in deciding whether to report an incident. However, other respondents requested more flexibility to use their judgment to determine the severity of an incident and whether to report it.
• Asking if they needed to report incidents that could have caused harm but were successfully mitigated before there was any impact. Some respondents who do not have direct contact with consumers were unclear how the ‘consumer harm’ threshold applied to them and asked for clarity.
• Requests for guidance on how to report incidents that escalate over time. They highlighted that some incidents may not initially meet the thresholds but can evolve over time, becoming more serious until they do.
• Suggestions that we align our thresholds with important business services (IBSs) and impact tolerance thresholds which we introduced in PS21/3 Building Operational Resilience.
• Requesting clarity on how the proposals are consistent with other incident reporting frameworks such as the EU’s Digital Operational Resilience Act (DORA) and the Financial Stability Board (FSB) Format for Incident Reporting Exchange (FIRE).
• Concerns about inconsistencies in threshold definitions and reporting expectations if the FCA and PRA frameworks were not sufficiently aligned.
• Agreement with the factors to consider when assessing thresholds, while highlighting concerns assessing harm that occurs downstream. For example, to third parties or clients of their clients.
• Concerns that the ‘reputational harm’ and the ‘legal and regulatory obligations’ factors were highly subjective and could lead to overreporting of issues that do not materially affect services.
• Requests for more information on how we will use incident data.
Our response

Reporting thresholds

We intend our reporting thresholds to capture only incidents with a significant impact on our objectives. We agree it is important that these thresholds are clear so that firms know when to report an incident. We have clarified this in the updated rules.

The threshold for reporting is met where a firm reasonably believes that an operational incident poses a risk:
1. of causing intolerable levels of harm to consumers from which consumers cannot easily recover.
2. to the safety and soundness of the firm and/or other market participants.
3. to market stability, market integrity or confidence in the UK financial system.

We refer to these as the consumer harm, safety and soundness, and market stability thresholds, respectively.

We have replaced ‘could cause,’ which respondents felt was too broad, adopting ‘poses a risk to’ instead. This is consistent with the PRA’s proposed thresholds.

We have also incorporated the concept of reasonable belief. This reflects that we expect firms to use their judgement and act in a reasonable way based on the circumstances and available information. Firms should be familiar with this, as it is an established concept in the FCA Handbook.

We do not agree that it would be practicable to have quantitative thresholds. They would need to apply to firms of vastly differing scale and nature, so could become overly complex. This would also be inconsistent with our outcomes-focused approach. A firm, as part of its own operational risk management procedures could set its own internal thresholds, some of which could be quantitative.

We expect firms to use a degree of judgement under the rules. A firm needs to be able to understand the impact of an incident on its business. This is not a change to the current position, and a firm is best placed to consider its individual circumstances.

Incident escalation

Initially, a firm may not believe an incident meets the reporting thresholds. This could change if an incident escalates. The rules require a firm to report an incident as soon as practicable after it reasonably believes the incident meets a threshold. Accordingly, firms will not be penalised for notifying us after such an escalation.

Similarly, a firm may determine that an incident it has reported does not in fact meet the thresholds and want to withdraw its report. Standard reporting firms should contact their supervisor or the contact centre to withdraw the report. Enhanced reporting firms can withdraw an incident report by finalising their report.

Application of thresholds

Not all the thresholds will be equally relevant to all firms. For example, if a firm does not have direct consumer relationships it may be less likely to meet the consumer harm threshold. Similarly, some firms would be much less likely to experience an incident that could threaten the UK financial system and would be unlikely to meet the market integrity threshold. As our rules apply to firms of vastly different scale and nature, the thresholds focus on incident outcomes in relation to our statutory objectives.

Alignment with relevant frameworks

Where proportionate and appropriate, we have aligned with DORA and FIRE and our operational resilience rules. However, we have chosen not to use the same thresholds as for IBSs and impact tolerances. This is because an incident that does not affect an important business service could still be relevant to our objectives, and impact tolerances and IBSs are not relevant to all firms. For example, data loss may not impact an IBS but could still be used by threat actors to harm consumers. We provide examples and guidance in FG26/3 3.7 and 3.8.

We are maintaining the proposed outcomes-based approach. While we are broadly aligned with incident reporting under DORA, that legislation has a different scope and it would not be appropriate for us to replicate it exactly.
Using internal thresholds

We do not require firms to align their internal incident severity levels to our thresholds. But they must not omit to report relevant incidents solely because they do not meet an internal severity threshold. If a firm escalates its internal response significantly this could indicate an incident meets our thresholds. For example, involving senior management such as a Senior Manager Function (SMF) and activating crisis management procedures. However, firms must use their judgement.

Assessing indirect impacts

We agree that firms may not be fully aware of all indirect / downstream impacts and may not be able to collect the information required to report this to us. We no longer include indirect impact as an example factor for firms to consider.

How we will use incident data

We previously found that many firms were reporting incidents to us several days after they were first detected. Under the new framework, firms will need to report basic information promptly in a structured format. Getting better data more quickly will help us to triage incidents across the sector more effectively and respond where needed.

In 2025, over 40% of cyber incidents reported to us involved a third party, which can have a sector-wide impact. The new framework will help us to quickly identify such instances where many firms are affected, and we will be able to quickly share helpful information through established channels.

In the medium to long-term, we will also be able to develop thematic analysis to identify trends and insights. We will feed this back to the industry to improve practices and inform future interventions.

Interaction with Principle 11

Principle 11 states that firms ‘…must disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice’. A firm can meet its Principle 11 by reporting under these rules and disclosing the appropriate information.

Our rules apply to incidents of a nature serious enough to meet our thresholds. This sets a high bar for using this process – it is intended for serious incidents. A firm may experience lower impact incidents that it should continue to report under Principle 11, via its normal supervisory channels. We acknowledge that Principle 11 may not apply to all firms. However, as part of an honest and open dialogue, we encourage all firms to report anything relevant through their normal supervisory channels.

Standardised format for incident reporting and collecting data on operational incidents

2.13 In CP24/28, we proposed standardising the information needed for an incident report by using templates. We proposed a 3-stage process aligned with equivalent international frameworks, consisting of an initial, intermediate and final report. To make the reporting process as straightforward and efficient as possible, we proposed using tools such as auto-population and conditional field logic based on information we hold.

2.14 We asked:
Question 4: Do you agree with the proposed approach to standardise the formats of incident reports?
Question 5: Do you agree that we are being proportionate and are collecting the right information at the right time to meet our objectives? Is there other information that should also be collected for a better understanding of an operational incident?

Summary of feedback

2.15 We received 60 responses to Question 4. Almost 90% of respondents agreed with our proposals, though most provided additional comments. There were 58 responses to Question 5, of which 55% agreed with our proposals, with many respondents providing additional comments. Feedback included:
• Agreement from most respondents with our proposals to standardise the format of incident reporting, but with several concerns about the information requested.
• Concerns the initial report required information that might be unknown when first identifying and reporting an incident, and that this could lead to firms speculating rather than reporting facts. For example, ‘estimated resolution time’ and ‘pre-emptive root cause’.
• Concerns about duplicating reporting incidents captured under other frameworks. For example, incidents affecting PSPs subject to the Payment Services Regulations 2017 (PSRs) and registered CRAs.
• Concerns about the sensitivity of some information, fearing it could expose weaknesses and make firms vulnerable to threats by malicious actors.
• Views that the 30-day limit for submitting a final report was insufficient. For example, for complex incidents or when firms may need to rely on third parties for relevant information. These respondents suggested we extend or provide flexibility around the deadline for submitting a final report.

2.16 Respondents also asked:
• For clarity on how to report incidents that affect multiple services.
• How to report incidents that affect multiple legal entities in the same group.
• Whether each affected firm should submit an individual incident report when the same event impacts multiple firms in the industry.
• For data entered in the initial report to be pre-populated in subsequent reports.
• Who will have access to the reporting platform and what training will be provided.

Our response:

As summarised in Chapter 1 and as we set out below, we have made some significant revisions to our proposals. This includes changes to the reporting forms we proposed in consultation. We understand that firms need to focus attention on resolving incidents. The revised forms require less information, especially at the initial phase to help minimise the time required to report, allowing firms to balance reporting and addressing an incident. We provide more guidance on reporting processes in FG26/3 chapters 6 and 7.
Reporting forms

We have divided firms into 2 groups, submitting either standard or enhanced incident reports, explained further in FG26/3 chapters 5, 6 and 7.

Standard incident reporting

Standard reporting, which applies to most FCA solo-regulated firms, is now a single form, with a small number of questions. Firms can use this short report to provide basic information about an operational incident in a structured way. Firms do not have to update this report after submission, although they may need to contact us under general notification requirements if further information about an operational incident emerges.

Enhanced incident reporting

A smaller cohort of firms listed in SUP 15.18.3R will have to submit an ‘enhanced’ report. This report requires more information than the standard reporting form, but less than the forms we consulted on. We have reduced the number of questions overall by c. 20% with much of this at the initial phase. Despite moving to a single form, we have maintained the 3-phase process (initial, intermediate and final). Firms will update this form to provide significant updates if necessary. This includes to indicate an incident has been resolved. Firms will have 30 working days after the incident has been resolved to finalise the incident report unless there are exceptional circumstances. We provide more guidance on this in FG26/3 7.9 – 7.11.

Other changes

We have also amended some questions in the forms to address feedback and to better align with the FSB’s final FIRE report published in April 2025. These changes aim to reduce the burden on firms, clarify expectations, and promote alignment with international standards. Changes to the forms are in Annex 3.

When to report

Standard reporting and enhanced reporting initial phase

We understand concerns that the need to report at the start of an incident may divert resources from addressing the impact.
For both standard and enhanced reports, at the initial reporting phase we ask for information that firms would reasonably be expected to know at the early stages of an incident. Firms should not divert resources away from incident resolution to find optional information. This initial information is to help us triage efficiently. We have also clarified expectations to make sure firms can submit the initial phase of a report promptly, without needing to speculate or delay while gathering complex data.

A firm must submit an initial phase of its incident report as soon as practicable. We expect this to be, at the very most, within 24 hours of determining that it meets 1 or more of our thresholds. We understand that firms need to balance the need to prioritise resolution and recovery with the need to report. However, as we have reduced the information required at the initial stages of an incident, firms should be able to report promptly. Note that PSPs must continue to report within 4 hours of first detecting an incident.

The sooner firms report to us, the quicker we can identify any market-wide stresses and where relevant third party disruptions and take appropriate action. We have tried to balance receiving enough information at an early stage to help us meet our objectives and avoiding firms diverting resources away from dealing with incidents.

Enhanced reporting: intermediate and final phase

Firms may gain a more accurate view of the impact of disruption while working towards resolving an incident. In line with this, enhanced reporting firms should update their submission with material updates answering the questions in the intermediate phase of the form. We do not need a running commentary on all changes. Firms will need to use their judgement to give material updates. We provide some examples of changes that should be reported this way in FG26/3 7.9 – 7.12.
Firms in scope of enhanced reporting must provide a final update within 30 working days of the incident being resolved. If a firm is unable to submit the report in time, it should tell us why and the expected timeframe for submission. Even in this case, the firm must submit the final phase as soon as is practicable and not more than 60 working days after resolving the incident.

Submission of incident reports

All firms will use the FCA’s Connect platform to submit incident reports, choosing either enhanced or standard. We have chosen Connect as most firms are familiar with the platform. If a firm needs to report to both the FCA and the PRA, it will submit a single report in Connect that will be shared with both regulators.

We also recognise concerns around the sensitivity of the information requested. We implement and maintain robust technical and organisational measures to protect the confidentiality, integrity, and availability of information in line with our statutory obligations under the Financial Services and Markets Act 2000 (FSMA). These measures are aligned with recognised security frameworks, including ISO 27001 and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and are subject to regular review and assurance. Controls include, but are not limited to, access management, encryption, monitoring, and incident response.

We only require 1 report per incident, even where multiple services are affected. If relevant, a firm can list multiple affected services in the ‘name(s) of the business service(s) affected’ field in the reporting form.

The Connect platform recognises submissions at the entity level, not the group level. As the rules apply to each individual firm, firms must submit an incident report for each firm in a group that is experiencing an incident which meets our thresholds.
Each report should describe the specific impact on a firm’s operations, customers, and market exposure even where the root cause is shared (for example, a third party service failure). Consequences of an incident may differ from firm to firm despite having the same root cause due to factors such as firm size, structure, and resilience measures.

To simplify the incident reporting process, as many fields as possible will be pre-populated using information a firm has submitted in a previous phase of the report. Firms will be able to update pre-populated fields as appropriate.

Payment Services Providers (PSPs)

We note respondents’ concerns that our proposals would require some firms to report incidents under different regimes. To reduce the burden, we have disapplied the EBA’s Guidelines on Incident reporting under the Payment Services Directive as issued on 27 July 2017 (EBA/GL/2017/10) (EBA Guidelines). Under SUP 15.14.18CD, PSPs will now only need to submit notifications in line with the regime set out in this document to meet their obligation under regulation 99(1) of the PSRs.

Under SUP 15.14.18BG, when assessing whether there is a major operational or security incident that requires notification under regulation 99(1) of the PSRs, PSPs should now have regard to the definition of operational incident and the notification thresholds under the regime set out in this document. PSPs should also have regard to the factors in FG26/3 4.6 when assessing whether the incident meets the notification thresholds. The factors cover broadly similar matters to those in the EBA Guidelines. However, in line with the outcomes-focused nature of the regime, PSPs need to consider these factors for their own businesses as they are best placed to do this. This is especially important for the consumer harm threshold. Firms will need to consider the characteristics of their customers and what might meet this threshold in their specific case.
We explained in CP24/28 that intolerable harm is not defined, and firms should assess it in their specific contexts. This means we have not assigned absolute proportions or values in the rules.

PSPs fall under the scope of enhanced incident reporting, and these firms must continue to report within the existing 4-hour deadline, which is now set out in SUP 15.14.18DD. This is to maintain current supervisory visibility of incidents in this sector where incidents are especially time sensitive. PSPs will meet this 4-hour deadline by submitting the initial part of their incident report. The intermediate and final stages are completed later.

Changes to the reporting process for PSPs will be reflected in the Payment Services and Electronic Money Approach Document as set out in Annex 5. We include case studies in FG26/3 4.7 to illustrate the sorts of incidents we would expect a PSP to report under these rules and directions.

Registered credit rating agencies (CRAs)

For registered CRAs, the expectations to report IT and information security incidents under Item 38 of the ‘Guidelines on the submission of periodic information to ESMA by Credit Rating Agencies’ will be replaced by this new framework.

Chapter 3
Reporting third party arrangements: our response to feedback

3.1 This chapter summarises feedback to CP24/28 and sets out our response. Where possible, the regulators have aligned with each other. We have also published FG26/4 to support firms with assessing the materiality of their third parties, and with the practicalities of notifying us of material third parties and submitting their annual register.

What has not changed

3.2 The final rules are broadly similar to those we consulted on. We have maintained a definition of ‘material third party arrangement’ that covers both outsourcing and non-outsourcing, with an obligation to notify us of new material third party arrangements and significant changes to existing ones, and the submission of an annual register.
We have retained the obligation for firms to look down their supply chain (ranking) while working to streamline the template and providing clarity to support firms filling it out.

What has changed

3.3 The FCA, PRA and Bank of England have agreed a single regime including a single template for third party notifications and a single template for the register. Firms regulated by the FCA and PRA (dual-regulated firms) will make a single notification or register submission that will be shared with both regulators.

Firms regulated by both the FCA and PRA

3.4 Table 2 below shows at a high level alignment between the FCA and PRA.

Table 2

| Policy area | Alignment | Comments |
| --- | --- | --- |
| Submission | ✓ | Single submission for all regulators for both notifications and register. |
| Third party arrangement definition | ✓ | Single definition for all regulators. |
| Material third party arrangement definition | O | Definitions reflect regulators’ respective objectives. |
| Register and notification templates | ✓ | Single template and submission portal for all regulators. |
| Application to intragroup arrangements | ✓ | For all firms except UK RIEs, intragroup arrangements (or for ring-fenced bodies, arrangements where the provider is a permitted supplier) in scope only where there is an external third party dependency. |
| Application to third country branches | ✓ * | In scope for register, but excluded from notifications. *The FCA will share dual FCA and PRA regulated branches’ register submissions with the PRA as the PRA did not consult on this. |
| Credit unions submit the register | ✓ * | *The PRA requires this for credit unions that meet a materiality threshold of £50m in assets. |

Key: ✓ aligned; O aligned to respective objectives; ✗ not aligned; we explain why

Definition of third party arrangements and material third party arrangements

3.5 In CP24/28, we proposed to expand the scope of existing outsourcing notifications to include both material outsourcing and non-outsourcing arrangements.
We also proposed definitions for ‘third party arrangement’ and ‘material third party’.

3.6 We proposed to define a ‘third party arrangement’ as:

• An arrangement of any form between a firm and a service provider, whether or not the product or service is:
  – One which would otherwise be provided by the firm itself;
  – Provided directly or by a sub-contractor; or
  – Provided by a person within the same group as the firm.

3.7 We defined ‘material third party arrangement’ as:

• A third party arrangement which is of such importance that a disruption or failure in the performance of the product or service provided to the firm could:
  – Cause intolerable levels of harm to the firm’s clients;
  – Pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system; or
  – Cast serious doubt on the firm’s ability to satisfy the threshold conditions, or meet its obligations under the FCA’s Principles for Business, or under SYSC 15A (operational resilience).

Third party arrangement definition

3.8 We asked:

Question 6: Do you agree with the proposed definition of third party arrangements?

Summary of feedback

3.9 We received 43 responses, 32 agreed, albeit with qualifications or comments. Eleven disagreed. Feedback included:

• Noting that our definition of a third party arrangement differed to the PRA’s and calling for more alignment between the regulators. Respondents highlighted differences between FCA and PRA language, questioning whether this indicated a difference in policy. For example, whether there was any difference between the FCA reference to ‘service provider’ and the PRA’s reference to ‘person’.
• Proposing that the third party arrangement definition should only capture products or services provided on a recurrent or ongoing basis, in line with the FSB Toolkit and DORA requirements.
• Suggesting we expand the definition to capture arrangements supported by a sub-contractor.
• Asking for clarity on the scope of a third party arrangement, giving specific products and services as examples.

Our response

Having considered the feedback, we have agreed a common definition across regulators. Our final rules define a third party arrangement as:

An arrangement of any form between a firm and a person who provides a product or service to the firm, whether or not the product or service is:

• One which would otherwise be provided by the firm itself.
• Provided directly or by a sub-contractor.
• Provided by a person within the same group as the firm.

We have now used ‘person’, which is a defined FCA Handbook term, throughout the definition. A ‘person’ includes corporate or unincorporate bodies and encompasses all types of entities. This also aligns FCA and PRA definitions.

We think limiting the definition to arrangements which are provided ‘on a recurrent or ongoing basis’ would add unnecessary complexity. Firms must decide whether a product or service is material based on the risk it poses, regardless of whether it is provided on an ongoing basis or one-off basis.

We have not included the suggested wording of ‘supported by a sub-contractor’ as it is captured under the proposed definition.

We provide guidance on identifying a material third party arrangement in FG26/4 chapter 3. This includes examples of arrangements that could be material, as well as arrangements we do not generally expect to be in scope of this policy. Due to the broad and varied nature of third party arrangements these examples are non-exhaustive, and we expect firms to consider the link between the products and services provided to them by third parties and their operations.

Material third party arrangements definition

3.10 We asked:

Question 7: Do you agree with the proposed definition of material third party arrangements?

Summary of feedback

3.11 We received 45 responses. Thirty-one respondents agreed with the definition, some with comments or qualifications.
Thirteen respondents disagreed. Feedback included:

• Requests to align our definition of material third party arrangement with the PRA’s. Respondents expressed concern that an arrangement could be material for one regulator but not the other.
• Requests to replace ‘pose a risk’ with ‘materially impair’ in the definition. This would capture arrangements that could have a tangible impact, rather than theoretical potential for harm.
• Requests for further guidance on what we consider ‘material’, requesting examples of what constitutes ‘intolerable levels of harm’ and ‘cast serious doubt’; suggesting monetary thresholds would be clearer.
• The view that firms would not be able to speculate on whether a disruption or failure in performance of a product or service could pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system.
• Requests that we limit the definition of materiality to definitions in SYSC 15 such as ‘important business service’ and ‘impact tolerances’.
• A suggestion that intra-group arrangements should not be treated as material.

Our response

We have retained the proposed definition of a material third party arrangement in our final rules. The difference between the regulators’ definitions of a material third party arrangement reflects our respective statutory objectives. The design and goals of the regulators’ respective policies remain the same. As set out in the consultation, we want to avoid unnecessary burden, so firms will only need to make a single submission of a material third party notification or register, which will be automatically distributed to the relevant regulator(s).

We have not replaced ‘pose a risk’ with ‘materially impair’ in the second limb of the definition of risks to the UK financial system. This is because we want to remain aligned with the definitions used in the operational resilience rules in SYSC 15A and PS21/3 Building Operational Resilience.
Where possible, we want to use consistent language to help provide certainty for firms.

Firms will need to use judgement about risks to external parties. We expect firms to be able to assess whether disruption impacts external parties (for example firms and consumers) and the UK financial system.

We have defined ‘material third party arrangement’ in the Handbook. Firms should develop their own processes for assessing materiality as part of their third party risk management policy. Firms are responsible for assessing the materiality of their third party arrangements on a case-by-case basis. We have provided additional guidance in FG26/4 3.12 – 3.20. This sets out the factors a firm may wish to consider when assessing materiality which may help provide consistency across firms’ assessments. However, firms must assess materiality against the definition in the Handbook.

Firms in scope of our operational resilience requirements under SYSC 15A in the Handbook will be familiar with applying the concept of intolerable levels of harm to consumers in their assessment of important business services. As in PS21/3, we will not define ‘intolerable harm’ as this will vary across firms and sectors. To identify intolerable harm, firms should have regard to the various factors and examples in PS21/3.

We have not introduced a monetary threshold to define materiality. Such quantitative thresholds would need to apply to firms of vastly differing scale and nature. This would be unduly complicated and prescriptive and is not consistent with our outcomes-focused approach.

We have not limited the definition of materiality to third party arrangements affecting an important business service. Even arrangements that are not directly linked to an important business service could have a significant impact if disrupted.

We have not excluded intragroup arrangements from being considered as material.
A disruption to an intragroup arrangement can still pose a risk that meets one of our thresholds. However, most firms must report a material intragroup arrangement, or for ring-fenced bodies, an arrangement where the provider is a permitted supplier, only where it involves an external dependency. The exception is UK RIEs where they must report material intragroup arrangements including where there is no external third party dependency. This is because many UK RIEs are set up such that their intragroup arrangements are integral to supporting their operations, activities and services.

Notifications

3.12 In CP24/28, we proposed new rules standardising and providing a template for firms’ notifications of entering a new material third party arrangement or making significant changes to these arrangements.

3.13 We asked:

Question 8: Do you have any comments on our proposed notification requirements including the impact on the number of arrangements that will be reported?

Summary of feedback

3.14 We received 31 responses. Twenty-three respondents agreed with some comments or qualifications and 8 disagreed. Feedback included:

• Arguments that since non-outsourcing arrangements will be in scope of the proposals, the volume of reporting will increase. Respondents also raised concerns that the additional reporting would take resources away from other operational activities. They suggested only including arrangements that have a direct impact on important business services.
• Requests for clarity on what constitutes a significant change and a request to remove the requirement to report a significant change.
• Asking whether a firm would have to resubmit the register every time a new notification is required.
• Views that third country branches of international banks should be excluded from the requirements.
These respondents said this would require notification of changes at the level of the parent legal entity and would be burdensome as it would subject them to requirements in 2 jurisdictions.
• Requests for a common reporting solution of material third party notifications across regulators, similar to the approach adopted for the register, to avoid unnecessary burden on firms.
• Requests for the FCA to align with the PRA’s position of not collecting information on intragroup arrangements that do not involve a third party external to the group. One respondent preferred the FCA’s proposals to collect this information.

Our response

Our proposals are proportionate and will help make sure firms have properly considered risks posed by the third party arrangements that are most fundamental to their operational resilience.

We have not limited notifications to third party arrangements affecting an important business service. Even arrangements that are not directly linked to an important business service could have a significant impact if disrupted. For example, a firm could engage a new third party to manage a secondary data centre that has not gone through the required review and approval process, which results in customer data being compromised through a cyber incident. While this may not impact an important business service, it could result in consumer harm. This is a key element in the definition of materiality and closely relates to FCA statutory objectives.

We have not prescribed timelines for submitting or reviewing notifications. But we do expect a firm to notify us at an early stage and submit the notification before making any internal or external commitments. The notification process is not, however, an approval mechanism. So, while this data will inform work like thematic and industry-wide analysis, we may not respond to every submission.

We will require firms to notify us if there is a new or significant change to the arrangement.
A significant change is a change that materially alters the nature, scale or complexity of the risks inherent in the material third party arrangement. See FG26/4 4.5 – 4.8 for guidance including examples of changes that could qualify as significant.

We do not expect firms to resubmit the register each time a notification is required. Firms are required to submit the register on an annual basis and only once we notify them that the submission window is open.

We have excluded third country branches of international firms from the notification requirements given that when authorising branches, the FCA would have taken account of the extent and effectiveness of supervisory cooperation with the relevant home state regulators as part of its assessment of whether it could supervise the firm effectively. Branches remain responsible for the risks associated with services provided by the groups to which they belong in line with wider FCA requirements.

Many third country branches can have a significant impact on UK markets and consumers. Completely excluding them from material third party reporting rules would leave a gap in our understanding and oversight of firms’ third party risks. We have therefore kept them in scope of our requirement to submit a material third party register annually. See our response to Question 9.

To reduce the burden on firms, we have developed a single reporting solution on FCA’s Connect platform for firms to notify us of changes to their material third party arrangements. This will distribute notifications automatically to the relevant regulator(s).

On collecting information on intragroup arrangements, we note that these can still expose firms to considerable risk.
Balanced against the need for proportionality, we have decided for most firms to align with the PRA’s position and collect this information only where the intragroup arrangement, or for ring-fenced bodies, the arrangement where the provider is a permitted supplier, has an external third party dependency. However, the FCA considers that we need to receive information on all intragroup arrangements for UK RIEs due to the risks of these arrangements to our objectives.

Submitting and updating the structured register of firms’ material third party arrangements

3.15 In CP24/28, we proposed a template for firms to maintain a structured register of their material third party arrangements, submitted annually.

3.16 We asked for views on the proposed information and data submission method for the material third party arrangement reporting process.

3.17 We asked:

Question 9: Do you think the mechanism to submit and update the structured register of firms’ material third party arrangements is proportionate?

Summary of feedback

3.18 We received 38 responses to this question. Twenty-eight respondents broadly agreed with our proposals, 10 disagreed. Feedback included:

• A question whether the reporting template is optional or mandatory.
• Broad agreement that the proposals were proportionate but also suggested changes or clarifications to the requirements. One respondent felt additional work would be required from firms to submit information and keep the register up to date and argued this was not proportionate.
• Welcoming the regulators’ joint approach to submitting via a common platform. Respondents requested the register template remain in a commonly used format, for example Microsoft Excel.
• Highlighting the difficulty of getting information on supply chains beyond their direct contractual counterparts. Respondents also asked for clarity on ranking the supply chain.
• A request for clarity on how firms should keep their own internal register of third parties.
• Disagreement with including third country branches in scope of submitting the register. Particularly, as they are not in scope of our operational resilience rules in SYSC 15A.

Our response

The material third party reporting requirements are mandatory for the firms in scope. They will help us understand and oversee firms’ third party risks. To address feedback asking for clarity on the information required in the template, we have included guidance on how to complete the templates under FG26/4 chapter 6. See Annex 4 for a summary of the changes made since consultation.

The regulators have jointly developed the reporting templates which must be submitted using the relevant portal (FCA Connect for notifications and FCA RegData for the annual register). We will share these submissions with the relevant regulators. The reporting format for the template will remain Microsoft Excel. We are, however, exploring additional formats.

The regulators will retain the supply chain ranking requirements. Firms are increasingly using third parties to support important business services and many of these arrangements rely on multiple service providers. The supply chain ranking allows us to identify critical nodes in a firm’s supply chain with more accuracy. We have updated the template guidance in FG26/4 6.7 to make this clearer.

We do not mandate the specific tools firms should use for their internal record keeping. In line with FCA Handbook requirements, firms should have appropriate systems and controls to keep records of their material third party arrangements and submit them when requested. Firms should continue to maintain orderly records of their business in line with their general record-keeping requirements. Firms may be subject to requests for information from the FCA about their third party arrangements through our statutory information-gathering powers.
In response to feedback that third country branches should not be in scope of our register requirements, we note that many significant firms operate as branches in the UK. We need visibility of their third party dependencies since, if disrupted, these could have a significant impact on the UK financial system. This is why third country branches remain in scope of the annual register requirement.

Firms’ register submissions will help the regulators understand systemic third-party risk and give insights into incidents originating at third parties, particularly where these affect the wider industry. As the PRA has excluded third country branches from their scope of material third party register collection, we will share data collected from dual-regulated branches with the PRA. This will allow both authorities to understand the third party landscape and help to inform CTP designation recommendations.

3.19 We asked:

Question 10: Do you have any comment on the template which includes the information on third party arrangements to be shared with us?

Summary of feedback

Material third party reporting template

3.20 Sixty-five respondents commented on the proposed template, with most feedback falling into 5 categories:

• Requests to align the template across regulators, both UK and internationally.
• Requests to reduce the number of data fields, especially citing proportionality, but also as compared to other regulatory frameworks.
• Requests for further clarification of various data fields.
• Comments on the structure and functionality of the template. For example, requesting the ability to select multiple options.
• Requests to expand the unique identifier for service providers beyond Legal Entity Identifier (LEI) as not all service providers may have one.

Our response

The regulators have agreed a common template, as well as ensuring broad alignment with similar regimes (such as the EU’s DORA), where relevant.
We have reduced the number of data fields in the templates by 20%. See Annex 4 for a summary of the changes.

Post consultation, we have split the MTP Register and Notification templates into separate files to reflect that the 2 templates serve different purposes. We explain this further in FG26/4 6.3.

For data validation reasons, it is not possible to multi-select in the templates. However, we have expanded some taxonomies to help firms give the most accurate description of their contractual arrangements. Where relevant, we have given firms the choice to select a grouped response option from the dropdown (for example ‘All of the above’ or ‘Most IBSs’). See Annex 4 for a full view of changes.

We have kept LEI as the unique third party identifier. Many companies have a LEI, and the annual re-validation requirement will help ensure information is up to date. We know that not all third parties will have an LEI, but there is no unique identifier that will cover every single one. To cover this, we have added a ‘not applicable’ option.

Chapter 4
Cost benefit analysis

4.1 In this chapter we summarise our response to the feedback on our cost benefit analysis (CBA). In the CBA, we estimated that the proposals for both incident and third party reporting would lead to a 10-year net present value (NPV) of -£16.51m to -£24.69m, with an Equivalent Annualised Net Direct Cost to Business (EANDCB) of £1.92m to £2.87m. This comprised:

• £12.63m in one-off familiarisation and gap analysis costs to all firms.
• £6.51m to £14.08m in one-off costs and £0.04m to £0.12m in ongoing annual costs to firms in scope of third party reporting.
• £0.27m in ongoing annual benefits to firms from incident reporting efficiencies.

4.2 We asked:

Question 1: Do you have any comments on the CBA including on our assumptions, assessment of costs and benefits to firms, consumers, the market and third parties?

Summary of feedback and our response

4.3 We received comments from 48 respondents.
Firms and trade bodies suggested our incident reporting requirements were duplicative and would result in additional cost, particularly where there are differences between FCA and PRA rules. Other respondents felt a lack of alignment with FSB’s Format for Incident Reporting Exchange (FIRE) would cause unnecessary costs. Some respondents said we had overstated the benefits of our proposals and the breadth of information we asked firms to provide was disproportionate to the benefits.
Our response
Incident reporting
In the CBA, we estimated costs primarily using our Standardised Cost Model in conjunction with data collected by regulators. These costs accounted for firms familiarising themselves with our proposals and assessing them against their current processes. We determined that our proposals would not lead to additional ongoing costs for firms, as they are already required to report all eligible incidents under current rules. We accounted for a period of adjustment as firms adapt to gathering the required information for the initial incident report. The efficiency benefit arising from reduced follow-up time is offset by an equivalent one-off cost in year 1. This replaces the current process of gathering what they can, submitting it, and engaging with the regulators in follow-up to collect further information.
We acknowledge respondents consider costs may be higher than set out in our CBA. We engaged with respondents, but they did not provide alternative costings.
Following feedback, we have made some changes to the final rules and guidance. These changes include:
• Moving from 3 incident reporting forms to 1 dynamic form.
• Segmenting the firm population. Most firms are subject only to baseline reporting requirements, while a smaller group of more systemic firms are subject to enhanced reporting requirements.
• Removing duplicative reporting for PSPs, so that they report incidents only under a single framework.
• Replacing the existing incident reporting regime for registered CRAs. This will result in fewer reportable incidents and reduced duplication.
• Reducing the amount of information firms need to provide at the initial stages of an incident and consolidating information fields to minimise duplication.
• Further aligning our definitions of operational incidents with those used by other regulators and FIRE.
• Clarifying that the ‘factors to consider’ are intended to guide firms and removing the indirect impact factor for incident reporting.
• Clarifying that firms can use existing risk frameworks to triage incidents.
The revised rules and guidance remove some duplicative burden. For example, information that was required in all 3 forms is required only once now. As all firms still need to familiarise themselves with our proposals and use FCA Connect, the CBA costs remain valid.
Overall, without new evidence, and as the revised proposals do not lead to additional costs over those estimated for the CP, we consider the costs estimated in the CBA remain valid.
Third party reporting
In the CBA, we estimated costs using estimates from a sample of firms that will be in scope of the third party reporting requirements, supplemented by historic reporting and our Standardised Cost Model. These costs accounted for firms setting up the new arrangements register and updating it annually.
Following feedback, we have made some changes to the final rules and guidance to make third party reporting more efficient for firms. These changes include:
• Removing third country branches from the scope of requirements to notify us of new or changes to non-outsourcing arrangements.
• Removing the requirement for firms to report intragroup arrangements, or for ring-fenced bodies, arrangements where the provider is a permitted supplier, that do not have an external third party dependency (except for UK RIEs).
• Reducing the number of data fields in the third party register through greater use of tools such as pre-population where we already hold this data.
• Further aligning our definitions of Third Party with PRA and Bank of England.
• Aligning technology platforms across regulators. This will enable material third party notifications to be shared automatically and remove the need for firms to make multiple submissions.
These revisions benefit firms by making third party reporting more efficient. However, as these changes do not generate material savings, we consider the cost estimates in our CBA remain valid.
Overall conclusions
We remain of the view that the benefits of our rules and guidance are likely to outweigh the costs. Our rules and guidance on incident reporting aim to provide a structure around reporting, making it clearer how firms should report, what information to include and when to do so. A more efficient way for firms to report incidents to us will help regulators to respond in a timely way and better identify risk. A clearer understanding of individual firms’ third party risk and a cross-sectoral view of third parties that firms rely on will help us identify risks and make timely interventions. Also, over time we can draw insights from this data to share with industry.
Chapter 5 How it links to our objectives
Market integrity
5.1 Operational disruptions can undermine the operation of markets and potentially the soundness, stability and resilience of the UK financial system. Incidents affecting firms directly, and via third parties, are significant causes of operational disruptions. Our rules and guidance clarify what firms must report and when. This reporting helps us identify threats to market confidence and identify systemic third parties and third party concentration risk. It will also enable us to engage earlier with firms.
In turn, this helps firms respond appropriately to incidents and make suitable arrangements when changing important third parties, ultimately minimising market disruption.
Consumer protection
5.2 Orderly markets provide a more stable environment for firms and their consumers. Our final rules should help us engage with firms in a more timely and effective way when incidents occur and better understand the effect on consumers. Structured data on firms’ third party arrangements will help us identify risks that may affect consumers and engage earlier with firms to manage those risks.
Competition
5.3 Resilient firms can promote effective competition. Our final rules will enable us to collect consistent and structured data on both operational incidents and third party concentration risk. This will help us to identify and respond to risks in a timely manner. This will improve the sector’s overall operational resilience and provide consumers a broader selection of resilient services.
Secondary international competitiveness and growth objective (SICGO)
5.4 We need timely, accurate information to help us quickly understand risks and decide if we need to take action. However, we also recognise that reporting imposes a burden on firms. We believe that in listening to feedback, we have landed on policies that strike a balance between the needs of industry and the FCA, by:
• Creating a single regime with the PRA and Bank of England for each policy while remaining aligned to international standards, helping firms that need to report to multiple regulators and jurisdictions.
• Ensuring PSPs and registered CRAs report incidents under one regime, avoiding duplication.
• Reducing the scope of full reporting and reducing data requirements more generally.
5.5 Both policies and the actions we will be able to take using the information firms report are designed to improve operational resilience at firms and in markets as a whole.
As this will contribute to the stability of and confidence in UK financial services markets, we believe the changes are compatible with the SICGO objective.
Measuring success
5.6 To measure our success, 2 years after implementation we will consider:
• The timeliness, accuracy, and usefulness of the operational incident information reported to us.
• The thematic insights drawn from both incident and material third party reporting.
• The timely identification of concentration in third parties servicing firms that pose systemic risk to the UK’s financial system.
5.7 We will monitor compliance with reporting requirements and address any breaches through our supervisory channels.
Equality and diversity considerations
5.8 We do not consider the changes will negatively impact any of the groups with protected characteristics under the Equality Act 2010.
Environmental, social & governance considerations
5.9 We do not consider the proposals relevant to contributing to net-zero targets.
Annex 1 List of respondents
We are obliged to include a list of the names of respondents to our consultation who have consented to the publication of their name.
That list is as follows:
Association of British Credit Unions Ltd (ABCUL)
Association of British Insurers (ABI)
ABN AMBRO
Aegon UK
Association of Foreign Banks (AFB)
Association of Financial Mutuals (AFM)
Association for Financial Markets in Europe (AFME)
Alternative Investment Management Association (AIMA)
Amazon Web Services (AWS)
British Insurance Brokers’ Association (BIBA)
Building Societies Association (BSA)
UK Private Capital
Capita
The City of London Law Society (CLLS)
Centrus Financial Advisors Ltd
Commerzbank AG London
Cynergy Bank Plc
DTCC Derivatives Repository Plc (DDRL)
Electronic Money Association (EMA)
Future Industry Association (FIA)
Fidelity International
Gallagher
Google Cloud
Hargreaves Lansdown
HSBC
Investment Association (IA)
ICE Futures Europe & ICE Clear Europe
Interactive Investor (ii)
Investment & Life Assurance Group (ILAG)
International Underwriting Association (IUA)
KBRA
Legal & General (L&G)
Lloyds Banking Group (LBG)
London & International Insurance Brokers’ Association (LIIBA)
Lloyds (Market)
Lloyd’s Market Association (LMA)
London Stock Exchange Group (LSEG)
Mastercard OB Services UK
Moody’s
Nationwide Building Society
OneFamily
Oric International
PayPal
Phoenix Group
Personal Investment Management & Financial Advice Association (PIMFA)
Qatar National Bank
Regis-TR UK Ltd
Revolut
S&P Global Ratings
Santander
Simplybiz
St. James’s Place
TheCityUK
ThreeSixty Services LLP
The Investing and Saving Alliance (TISA)
TransUnion International UK Ltd
UK Finance
Wise
Annex 2 Incident reporting templates
The final incident reporting templates and a list of changes to the templates we consulted on can be found here:
• Enhanced reporting template
• Standard reporting template
• Changes to the operational incident reporting template
Amendments to “Payment Services and Electronic Money – Our Approach” following incident reporting changes for PSPs
• Amendments to Approach document
Annex 3 Material third party templates for the register and notifications
The final material third party reporting templates and a list of changes to the templates we consulted on can be found here:
• Material third party notifications template
• Material third party register template
• Changes to the material third party reporting templates
Annex 4 Abbreviations used in this paper
Abbreviation | Description
AI | Artificial intelligence
CASS | Client Assets Sourcebook
CBA | Cost benefit analysis
CP | Consultation paper
CRA | Credit rating agency
CTP | Critical third party
DORA | Digital Operational Resilience Act
EU | European Union
FCA | Financial Conduct Authority
FIRE | Format for Incident Reporting Exchange
FMI | Financial Market Infrastructure
FSB | Financial Stability Board
FSMA | Financial Services and Markets Act 2000
IBS | Important business service
LEI | Legal Entity Identifier
PRA | Prudential Regulation Authority
PS | Policy statement
PSP | Payment service provider
PSRs | Payment Services Regulations 2017
RIE | Recognised investment exchange
SUP | Supervision manual
SYSC | Senior Management Arrangements, Systems and Controls
UK | United Kingdom
Appendix 1 Made rules (legal instrument)
FCA 2026/6
NOTIFICATION OF THIRD PARTY ARRANGEMENTS AND OPERATIONAL INCIDENT REPORTING INSTRUMENT 2026
Powers exercised
A. The Financial Conduct Authority (“the FCA”) makes this instrument in the exercise of the following powers and related provisions in or under:
(1) the following sections of the Financial Services and Markets Act 2000 (“the Act”), including as applied by paragraph 3 of Schedule 6 of the Payment Services Regulations 2017 (SI 2017/752) (“the PSRs”) and paragraph 2A of Schedule 3 to the Electronic Money Regulations 2011 (SI 2011/99) (“the EMRs”):
(a) section 137A (The FCA’s general rules); and
(b) section 137T (General supplementary powers);
(2) the following sections of the Act:
(a) section 139A (Power of the FCA to give guidance);
(b) section 247 (Trust scheme rules);
(c) section 261I (Contractual scheme rules);
(d) section 293 (Notification requirements); and
(e) section 300H (Rules relating to investment exchanges and data reporting service providers);
(3) regulation 6 (FCA rules) of the Open-Ended Investment Company Regulations 2001 (SI 2001/1228);
(4) regulation 11 (FCA rules) of the Financial Services and Markets Act 2000 (Recognition Requirements for Investment Exchanges, Clearing Houses and Central Securities Depositories) Regulations 2001 (SI 2001/995);
(5) the following regulations of the PSRs:
(a) regulation 99(2) (Incident reporting);
(b) regulation 109 (Reporting requirements); and
(c) regulation 120 (Guidance);
(6) regulation 49 (Reporting requirements) and regulation 60 (Guidance) of the EMRs;
(7) regulation 3 (Rules) and regulation 5 (Guidance) of the Credit Rating Agencies (Amendment etc.) (EU Exit) Regulations 2019 (SI 2019/266);
(8) regulation 74 (Application of Part 9A of the FSMA (rules and guidance)) of the Over the Counter Derivatives, Central Counterparties and Trade Repositories (Amendment, etc., and Transitional Provision) (EU Exit) Regulations 2019 (SI 2019/335);
(9) regulation 35 (Application of Part 9A of the FSMA (rules and guidance)) of the Transparency of Securities Financing Transactions and of Reuse (Amendment) (EU Exit) Regulations 2019 (SI 2019/542); and
(10) the other rule and guidance making powers listed in Schedule 4 (Powers exercised) to the General Provisions of the Handbook.
B. The rule-making powers listed above are specified for the purpose of section 138G(2) (Rule-making instruments) of the Act, including that provision as applied by the EMRs and the PSRs.
Commencement
C. This instrument comes into force on 18 March 2027.
Amendments to the Handbook
D. The modules of the FCA’s Handbook of rules and guidance listed in column (1) below are amended in accordance with the Annexes to this instrument listed in column (2).
(1) | (2)
Glossary of definitions | Annex A
Senior Management Arrangements, Systems and Controls sourcebook (SYSC) | Annex B
Supervision manual (SUP) | Annex C
Notes
E. In the Annexes to this instrument, the notes (indicated by “Note:” or “Editor’s note:”) are included for the convenience of readers but do not form part of the legislative text.
Citation
F. This instrument may be cited as the Notification of Third Party Arrangements and Operational Incident Reporting Instrument 2026.
By order of the Board
26 February 2026
Annex A
Amendments to the Glossary of definitions
In this Annex, underlining indicates new text and striking through indicates deleted text, unless otherwise stated.
Insert the following new definitions in the appropriate alphabetical position. The text is not underlined.
material third party arrangement
a third party arrangement which is of such importance that a disruption or failure in the performance of the product or service provided to the firm could:
(a) cause intolerable levels of harm to the firm’s clients;
(b) pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system; or
(c) cast serious doubt on the firm’s ability to satisfy the threshold conditions, or meet its obligations under the Principles, or under SYSC 15A (Operational resilience).
operational incident
either a single event or a series of linked events which disrupts the firm’s operations such that it:
(a) disrupts the delivery of a service to an end user external to the firm; or
(b) impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user.
registered credit rating agency
a credit rating agency that is registered with the FCA under Article 14 of the CRA Regulation.
registered trade repository
a trade repository that is registered with the FCA under Article 55 of the EMIR or Article 5 of the UK SFTR.
third party arrangement
an arrangement of any form between a firm and a person who provides a product or service to the firm, whether or not the product or service is:
(a) one which would otherwise be provided by the firm itself;
(b) provided directly or by a sub-contractor; or
(c) provided by a person within the same group as the firm.
Amend the following definition as shown.
working day
…
(3) (in FEES 9 and, COBS 19.11 and SUP 15.18) any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom.
Annex B
Amendments to the Senior Management Arrangements, Systems and Controls sourcebook (SYSC)
In this Annex, underlining indicates new text.
8 Outsourcing
8.1 General outsourcing requirements
…
Outsourcing critical or important operational functions
…
8.1.12 G …
8.1.12A G A firm which falls within the scope of SUP 15.19 should notify the FCA of any new, or any significant changes to, material third party arrangements, which include material outsourcing arrangements, as set out in that section.
…
13 Operational risk: systems and controls for insurers
…
13.9 Outsourcing
…
13.9.2 G Firms should take particular care to manage material outsourcing arrangements and, as SUP 15.3.8G(1)(e) explains, a firm should notify the FCA when it intends to enter into a material outsourcing arrangement. A firm which falls within the scope of SUP 15.19 should notify the FCA of any new, or any significant changes to, material third party arrangements, which include material outsourcing arrangements, as set out in that section.
…
Annex C
Amendments to the Supervision manual (SUP)
In this Annex, underlining indicates new text and striking through indicates deleted text, unless otherwise stated.
15 Notifications to the FCA
15.1 Application
Who?
15.1.1 G This chapter applies to every firm except that:
(1) only SUP 15.10 applies to an ICVC; and
(2) SUP 15.3.22D to SUP 15.3.25D apply only to the Society.; and
(3) SUP 15.19 applies only to the type of firms listed in SUP 15.1.3DR.
…
15.1.3B D …
15.1.3C R In addition to firms, the rules and guidance in SUP 15.18 also apply to:
(1) payment service providers;
(2) UK RIEs;
(3) registered trade repositories; and
(4) registered credit rating agencies.
15.1.3D R The rules and guidance in SUP 15.19 apply to:
(1) firms that are:
(a) enhanced scope SMCR firms;
(b) banks;
(c) designated investment firms;
(d) building societies;
(e) Solvency II firms; or
(f) CASS large firms;
(2) UK RIEs;
(3) authorised electronic money institutions and authorised payment institutions; and
(4) consolidated tape providers.
…
15.3 General notification requirements
…
Communication with the appropriate regulator in accordance with Principle 11
…
15.3.10 G …
15.3.10A R Any notification required under both SUP 15.3.8G(1)(e) and SUP 15.19 (Notification of material third party arrangements) must be made in accordance with SUP 15.19.
15.3.10B G The notification requirement under SUP 15.3.8G(1)(e) relates to a firm’s material outsourcing arrangements. On the other hand, SUP 15.19 relates to the notification of material third party arrangements, which include material outsourcing arrangements, although SUP 15.19 only applies to a specific group of firms (see SUP 15.19.1R). Consequently, some matters that need to be notified under SUP 15.3.8G(1)(e) may also have to be notified under SUP 15.19. In this case, there is no need to make the same notification twice but the firm concerned should make the notification in accordance with SUP 15.19.
…
15.14 Notifications under the Payment Services Regulations
…
Notification of major operational or security incidents under regulation 99
15.14.18 G Regulation 99(1) of the Payment Services Regulations provides that, if a payment service provider becomes aware of a major operational or security incident, the payment service provider must, without undue delay, notify the FCA. The purpose of this section is to direct the form and manner in which such notifications must be made and the information they must contain, in exercise of the power in regulation 100(2) 99(2) of the Payment Services Regulations.
15.14.18A G SUP 15.18 (Notification of operational incident) sets out the requirements for payment service providers (as an enhanced reporting firm as defined in that section) to notify the FCA of operational incidents, including the thresholds, process, timing and content of the notification. The 24-hour expectation for submitting the report as set out in SUP 15.18.7G does not apply to payment service providers.
Instead, they must submit the report within 4 hours of first detecting a major operational or security incident in accordance with the direction in SUP 15.14.18DD.
15.14.18B G When assessing whether there is a major operational or security incident that requires notification under regulation 99(1) of the Payment Services Regulations, payment service providers should:
(1) interpret an operational or security incident in line with the definition of operational incident; and
(2) classify as major any operational incident that has met one or more of the notification thresholds in SUP 15.18.6R(1).
[Note: The FCA has issued non-Handbook guidance on operational incident reporting. This includes the FCA’s expectations on what may constitute an operational incident and the factors (including those specific to payment service providers) to consider when assessing whether any of the notification thresholds are met. See [Editor’s note: insert link].]
15.14.18C D A notification required by regulation 99(1) of the Payment Services Regulations must be submitted by the payment service provider to the FCA:
(1) in accordance with the process and timescales set out in SUP 15.18.6R(1) and (2), SUP 15.18.8R and SUP 15.18.9R; and
(2) online through the appropriate systems accessible from the FCA’s website, as set out in SUP 15.18.10R.
15.14.18D D A payment service provider must submit the report in SUP 15.18.6R to the FCA within 4 hours of first detecting a major operational or security incident.
15.14.19 G The EBA has issued Guidelines on incident reporting under the Payment Services Directive that specify the criteria a payment service provider should use to assess whether an operational or security incident is major and needs to be reported to the FCA. These Guidelines also specify the format for the notification and the procedures the payment service provider should follow.
[deleted]
15.14.20 D Payment service providers must comply with the EBA’s Guidelines on incident reporting under the Payment Services Directive as issued on 27 July 2017 (EBA/GL/2017/10) where they are addressed to payment service providers.
[deleted]
15.14.21 D In particular, a notification required by regulation 99(1) of the Payment Services Regulations must be submitted by the payment service provider to the FCA:
(1) within the timescales and at the frequencies specified in the EBA’s Guidelines on incident reporting under the Payment Services Directive (EBA/GL/2017/10);
(2) in writing on the form specified in SUP 15 Annex 11D; and
(3) by such electronic means as the FCA may specify.
[deleted]
…
15.14.23 G Where the electronic means of submission of notifications is known not to be available or operated at the time the incident is first detected, the notification should be sent to the FCA as soon as the electronic means of submission becomes available and operational again. Unless the FCA has informed a specific payment service provider that electronic means of submission are also available to it and operated at other times, the electronic means of submission are available and operated during normal operating hours, as specified by the FCA.
15.14.24 G The EBA’s Guidelines on incident reporting under the Payment Services Directive contain guidelines on the completion of the form specified in SUP 15 Annex 11D. Payment service providers should use the same form in all reports concerning the same incident. Payment service providers may not have sufficient information to complete all parts of the form in the initial report. They should complete the form in an incremental manner and on a best effort basis as more information becomes readily available in the course of their internal investigations.
[deleted]
…
Insert the following new sections, SUP 15.18 and SUP 15.19, after SUP 15.17 (Notification of regulated income by limited scope SMCR benchmark firm). All the text is new and is not underlined.
15.18 Notification of operational incident
Application
15.18.1 R This section applies to:
(1) a firm;
(2) a payment service provider;
(3) a UK RIE;
(4) a registered trade repository; and
(5) a registered credit rating agency.
15.18.2 R In this section, a reference to a firm includes the entities listed in SUP 15.18.1R(2) to (5).
15.18.3 R In this section, a firm is an ‘enhanced reporting firm’ if it is:
(1) an enhanced scope SMCR firm;
(2) a bank;
(3) a designated investment firm;
(4) a building society;
(5) a Solvency II firm;
(6) a CASS large firm;
(7) a payment service provider;
(8) a UK RIE;
(9) a registered trade repository; or
(10) a registered credit rating agency.
15.18.4 G SUP 15.18.8R and SUP 15.18.9R apply only to an enhanced reporting firm.
Purpose
15.18.5 G The purpose of this section is to set out the requirements for firms to notify the FCA of operational incidents, including the thresholds, process, timing and content of the notification. The FCA’s operational incident reporting framework operates on a 2-tier basis, comprising standard and enhanced reporting. Standard reporting applies to a firm other than an enhanced reporting firm and requires submission of a report providing basic information about an operational incident. Enhanced reporting applies to an enhanced reporting firm and requires submission of a more detailed report in phases over the lifecycle of an operational incident.
Notification requirements
15.18.6 R (1) A firm must submit a report to the FCA in accordance with (2) or (3), as applicable, as soon as is practicable after the occurrence of an operational incident which the firm reasonably believes meets one or more of the notification thresholds – namely, that it poses a risk:
(a) of causing intolerable levels of harm to consumers from which consumers cannot easily recover;
(b) to the safety and soundness of the firm and/or other market participants; or
(c) to market stability, market integrity or confidence in the UK financial system.
(2) For this initial phase of the report, an enhanced reporting firm must submit to the FCA, so far as it is aware, the information in accordance with columns (1) and (2) of the table in SUP 15 Annex 15.1R.
(3) A firm other than an enhanced reporting firm must submit to the FCA, so far as it is aware, information in accordance with the table in SUP 15 Annex 15.2R.
15.18.7 G A firm must submit the report in SUP 15.18.6R as soon as practicable. The FCA expects the firm to submit the report at least within 24 hours of determining that an incident meets any of the notification thresholds. A firm should balance the need to submit the report with the need to prioritise actions necessary to contain and respond to the operational incident to prevent further harm.
15.18.8 R For the intermediate phase of the report, an enhanced reporting firm must, so far as it is aware, submit to the FCA the additional information in accordance with columns (1) and (3) of the table in SUP 15 Annex 15.1R, as soon as is practicable after any significant change in circumstances from those described in the report (including the operational incident reported under SUP 15.18.6R being resolved).
15.18.9 R For the final phase of the report, an enhanced reporting firm must submit to the FCA the additional information in accordance with columns (1) and (4) of the table in SUP 15 Annex 15.1R:
(1) within 30 working days; or
(2) where this is impracticable, as soon as is practicable but in any event within 60 working days,
of the operational incident reported under SUP 15.18.6R being resolved.
15.18.10 R A firm must submit the information required under this section to the FCA online through the appropriate systems accessible from the FCA’s website.
15.18.11 G The FCA has issued non-Handbook guidance for firms on the reporting requirements. This includes factors that firms should consider when assessing whether any of the notification thresholds are met and guidance on how to complete the report. See [Editor’s note: insert link].
General provisions
15.18.12 R SUP 15.6.1R to SUP 15.6.6G (Inaccurate, false or misleading information) also apply to payment service providers, UK RIEs, registered trade repositories and registered credit rating agencies that are required to make notifications in accordance with this section as if a reference to firm in SUP 15.6.1R to SUP 15.6.6G were a reference to the relevant entity.
15.18.13 G Some matters that need to be notified by a UK RIE under this section may also have to be notified under REC 3.15 (Suspension of services and inability to operate facilities). A UK RIE should make separate notifications under both sections in this situation.
Further guidance for payment service providers
15.18.14 G Regulation 99(1) of the Payment Services Regulations provides that, if a payment service provider becomes aware of a major operational or security incident, the payment service provider must, without undue delay, notify the FCA. SUP 15.14.18G to SUP 15.14.23G set out the directions and guidance on how payment service providers should comply with this requirement.
15.18.15 G Where a major operational or security incident is detected, a payment service provider is only required to submit notifications in accordance with this section, as set out in SUP 15.14.18CD.
15.18.16 G For payment service providers, the 4-hour reporting requirement for submitting the report under SUP 15.14.18DD takes precedence over the 24-hour expectation set out in SUP 15.18.7G.
15.19 Notification of material third party arrangements
Application
15.19.1 R This section applies to:
(1) a firm that is:
(a) an enhanced scope SMCR firm;
(b) a bank;
(c) a designated investment firm;
(d) a building society;
(e) a Solvency II firm; or
(f) a CASS large firm;
(2) a UK RIE;
(3) an authorised electronic money institution or an authorised payment institution; and
(4) a consolidated tape provider.
15.19.2 R In this section, a reference to a firm includes the entities listed in SUP 15.19.1R(2) to (4).
15.19.3 R This section does not apply to a firm which has its registered office (or, if it has no registered office, its head office) outside the United Kingdom.
15.19.4 R For the purposes of the definition of material third party arrangement, a reference to a client:
(1) in relation to a UK RIE includes a person who is entitled, under an arrangement or agreement between them and that UK RIE, to use the UK RIE’s facilities;
(2) in relation to a consolidated tape provider includes a person who purchases a consolidated tape for bonds from:
(a) a consolidated tape provider; or
(b) a data vendor; and
(3) in relation to a firm carrying on the activity of managing a UK UCITS or managing an AIF includes:
(a) a unitholder; and
(b) an investor in an AIF.
Purpose
15.19.5 G The purpose of this section is to set out the requirements for the firms specified in SUP 15.19.1R to notify the FCA of any new, or any significant changes to, material third party arrangements.
This information, together with the material third party arrangements register information collected under SUP 16.33, will assist the FCA in understanding and overseeing firms’ material third party risks. Notification requirement 15.19.6 R A firm must give the FCA notice when entering into, or significantly changing, a material third party arrangement. 15.19.7 R (1) A firm (other than a UK RIE) is not required to give notice to the FCA under SUP 15.19.6R if the following conditions are met: (a) the product or service will be provided by a person within the same group as the firm; and (b) the person providing the product or service has not entered into an arrangement with a person outside the group for the provision of that product or service to the firm. (2) Where the firm is a ring-fenced body, (1) applies only if the person providing the product or service is a permitted supplier for the Page 13 of 28 FCA 2026/6 purposes of rule 2.3B(3) of the Notifications Part of the PRA Rulebook. 15.19.8 R A firm must submit the notice required in SUP 15.19.6R to the FCA: (1) by providing the information in accordance with columns (1) and (2) of the table in SUP 15 Annex 16.1R; and (2) online through the appropriate systems accessible from the FCA’s website. 15.19.9 G The FCA expects a firm to notify the FCA at an early stage and to submit the notice required in SUP 15.19.6R before making any internal or external commitments. Notification should be made sufficiently early in the firm’s decision-making process to allow for any engagement that the FCA may consider appropriate, before the firm becomes contractually or operationally committed. However, the FCA may not respond to every notification. Firms may proceed with the proposed action following submission of the notification and do not need to wait for a response from the FCA. 15.19.10 G The FCA has issued non-Handbook guidance for firms on the notification requirements. 
This includes factors and examples illustrating what may constitute material third party arrangements and guidance on how to complete the notification template. See [Editor’s note: insert link].

SUP 15 Annex 11D (Form Notification of major operational or security incidents – PSD2) is deleted in its entirety. The deleted text is not shown but the annex is marked [deleted] as shown below.

15 Annex 11D Form Notification of major operational or security incidents – PSD2 [deleted]

Insert the following new annexes, SUP 15 Annex 15 and SUP 15 Annex 16, after SUP 15 Annex 14R (Notification Procedures for Changes to the Management Body for Non-SMF Directors). All the text is new and is not underlined.

15 Annex 15 Operational incident reporting fields

[Note: The FCA has also issued non-Handbook guidance setting out the descriptions of the reporting fields in column (1) of the table and how to complete the report. See [Editor’s note: insert link]]

15 Annex 15.1 R This is the table referred to in SUP 15.18.6R(2), SUP 15.18.8R and SUP 15.18.9R that applies to an enhanced reporting firm (as defined in SUP 15.18.3R).

| Column (1) Reporting fields | Column (2) Reporting requirements for initial phase under SUP 15.18.6R(2) | Column (3) Reporting requirements for intermediate phase under SUP 15.18.8R | Column (4) Reporting requirements for final phase under SUP 15.18.9R |
| --- | --- | --- | --- |
| (1) Authority receiving the report | Mandatory | - | - |
| (2) Status of the incident | Mandatory | - | - |
| (3) Trigger for reporting the incident | Mandatory | - | - |
| (4) Is this a notification under the Payment Services Regulations? | Mandatory | - | - |
| (5) Type of incident | Mandatory | - | - |
| (6) Incident title | Mandatory | - | - |
| (7) Description of the incident | Mandatory | - | - |
| (8) Firm/financial market infrastructure (FMI) severity rating | Mandatory | - | - |
| (9) Time of the detection | Mandatory | - | - |
| (10) Actions planned to recover | Mandatory | - | Not applicable |
| (11) Actions taken to recover | Mandatory | - | - |
| (12) Estimated time to resolve the incident | Optional | Optional | Not applicable |
| (13) Public reaction to the incident | Optional | Optional | Mandatory |
| (14) External communication issued | Optional (note 2) | Optional (note 2) | Mandatory |
| (15) Other regulatory bodies notified | Optional | Optional | Mandatory |
| (16) Incident discovery method | Optional (note 2) | Mandatory | - |
| (17) Time of the resolution | Not applicable (note 3) | Not applicable (note 3) | Mandatory |
| (18) Time of the occurrence (if known) | Optional | Optional | Optional |
| (19) Duration of the incident | Pre-populated (note 4) | Pre-populated (note 4) | Pre-populated (note 4) |
| (20) Name of the business service affected | Optional (note 2) | Mandatory | - |
| (21) Type of the business service affected (Function category) | Optional (note 2) | Mandatory | - |
| (22) Service disruption type | Optional (note 2) | Mandatory | - |
| (23) Is the affected service classified as an important business service? | Optional (note 2) | Mandatory | - |
| (24) What proportion of an impact tolerance has been used? (note 5) | Optional | Optional | Mandatory |
| (25) Service downtime | Not applicable (note 3) | Not applicable (note 3) | Mandatory |
| (26) Number of affected customers | Not applicable | Optional (note 6) | Mandatory |
| (27) Percentage of service users affected | Not applicable | Optional (note 6) | Mandatory |
| (28) Percentage of transactions affected | Not applicable | Optional (note 6) | Mandatory |
| (29) Value of transactions affected | Not applicable | Optional (note 6) | Mandatory |
| (30) Number of transactions affected | Not applicable | Optional (note 6) | Mandatory |
| (31) Level of geographic spread | Optional (note 2) | Mandatory | - |
| (32) Affected party type(s) | Optional | Optional | Mandatory |
| (33) Related affected entities | Optional | Optional | Mandatory |
| (34) Cause type | Optional | Optional | Mandatory |
| (35) Origin of the incident | Optional | Mandatory | - |
| (36) Third party provider name (note 7) | Mandatory | Mandatory | - |
| (37) Third party provider legal entity identifier (note 7) | Mandatory | Mandatory | - |
| (38) Time of the closure | Not applicable | Not applicable | Mandatory |
| (39) Type of resource affected | Not applicable | Not applicable | Mandatory |
| (40) Resource affected properties | Not applicable | Not applicable | Mandatory |
| (41) Describe the lesson identified | Not applicable | Not applicable | Mandatory |
| (42) Describe the remedial action being taken | Not applicable | Not applicable | Mandatory |
| (43) Any supplementary documents | Optional | Optional | Optional |

Note 1 Where a field is marked as ‘-’ in the table, it indicates that the firm was required to submit this information in an earlier phase and it will be pre-populated with the previously submitted answer. The firm may update pre-populated information as necessary.
Note 2 Where an incident is resolved during the initial or intermediate phase (as applicable), firms must complete this field as mandatory.
Note 3 Where an incident is resolved during the initial or intermediate phase (as applicable), this field becomes applicable and firms must complete this field as mandatory.
Note 4 This field will be calculated automatically and pre-populated for the firm.
Note 5 This field is only relevant if the service is an important business service in row (23).
Note 6 This field is mandatory for payment service providers.
Note 7 This field is only relevant if the firm answers ‘third party’ to row (35).

15 Annex 15.2 R This is the table referred to in SUP 15.18.6R(3) that applies to a firm other than an enhanced reporting firm.

| Column (1) Reporting fields | Column (2) Reporting requirements under SUP 15.18.6R(3) |
| --- | --- |
| (1) Status of the incident | Mandatory |
| (2) Trigger for reporting the incident | Mandatory |
| (3) Type of incident | Mandatory |
| (4) Incident title | Mandatory |
| (5) Description of the incident | Mandatory |
| (6) Firm severity rating | Mandatory |
| (7) Time of the detection | Mandatory |
| (8) Actions planned to recover | Mandatory |
| (9) Actions taken to recover | Mandatory |
| (10) Estimated time to resolve the incident | Optional |
| (11) Time of the resolution | Mandatory if the incident has been resolved |
| (12) Cause type | Optional |
| (13) Origin of the incident | Optional |
| (14) Third party provider name (note) | Mandatory |
| (15) Third party provider legal entity identifier (note) | Mandatory |
| (16) Any supplementary documents | Optional |

Note This field is only relevant if the firm answers ‘third party’ to row (13).

15 Annex 16 Data fields for material third party arrangement notification and register

[Note: The FCA has also issued non-Handbook guidance setting out the descriptions of the data fields in column (1) of the table and how to complete the templates. See [Editor’s note: insert link]]

15 Annex 16.1 R This is the table referred to in SUP 15.19.8R and SUP 16.33.6R.

| Column (1) Data fields | Column (2) Requirements for notice submitted under SUP 15.19.8R | Column (3) Requirements for register submitted under SUP 16.33.6R |
| --- | --- | --- |
| 1.01 Reporting date | Mandatory | Pre-populated (note 1) |
| 1.02 Submission ID | Mandatory | Mandatory |
| 1.03 Submission type | Mandatory | Pre-populated (note 1) |
| 1.04 Firm name | Mandatory | Mandatory |
| 1.05 Firm reference number (FRN) | Mandatory | Mandatory |
| 1.06 FRN of group holding company (if applicable) | Mandatory | Mandatory |
| 1.07 If contract renewal, please provide details of significant changes made (if any) | Mandatory (note 2) | Not applicable |
| 2.01 Contract arrangement reference number | Mandatory | Mandatory |
| 2.02 Legal name of service provider | Mandatory | Mandatory |
| 2.03 Legal entity identifier | Mandatory | Mandatory |
| 2.04 Is the material third party contractual arrangement outsourcing or non-outsourcing? | Mandatory | Mandatory |
| 2.05 Type of service provided | Mandatory | Mandatory |
| 2.06 If the contractual arrangement is on cloud, please state the cloud deployment model | Mandatory | Mandatory |
| 2.07 Short description of product/service provided | Mandatory | Mandatory |
| 2.08 Supply chain ranking | Mandatory | Mandatory |
| 2.09 Date of commencement of the contractual arrangement | Mandatory | Mandatory |
| 2.10 Date of service commencement | Mandatory | Optional |
| 2.11 Next contract renewal date or end date | Optional | Mandatory |
| 2.12 Notice period for the service provider | Mandatory | Mandatory |
| 2.13 Notice period for the firm | Mandatory | Mandatory |
| 2.14 The governing law of the contractual arrangement | Mandatory | Mandatory |
| 3.01 Reason for materiality | Mandatory | Mandatory |
| 3.02 Date of the most recent materiality assessment | Mandatory | Mandatory |
| 3.03 Function category | Mandatory | Mandatory |
| 3.04 Does the contractual arrangement support an important business service? | Mandatory | Mandatory |
| 3.05 If yes, which important business service does the contractual arrangement support (note 3) | Mandatory | Mandatory |
| 3.06 Does the service provider support a core element of the important business service? (note 3) | Mandatory | Mandatory |
| 3.07 Impact tolerance - PRA safety and soundness (note 4) | Mandatory | Mandatory |
| 3.08 Impact tolerance - PRA financial stability (note 4) | Mandatory | Mandatory |
| 3.09 Impact tolerance - PRA policy holder protection (note 4) | Mandatory | Mandatory |
| 3.10 Impact tolerance - FCA - client harm | Mandatory | Mandatory |
| 3.11 Impact tolerance - FCA - market integrity | Mandatory | Mandatory |
| 3.12 Impact tolerance – Bank as financial market infrastructure (FMI) regulator | Not applicable | Not applicable |
| 3.13 Country where the data is stored | Mandatory | Mandatory |
| 3.14 Country where the service is delivered from | Mandatory | Mandatory |
| 3.15 Annual contract value | Mandatory | Mandatory |
| 4.01 Date of the most recent risk assessment | Mandatory | Mandatory |
| 4.02 Outcome of the most recent risk assessment | Mandatory | Mandatory |
| 4.03 Commentary box for risk assessment | Optional | Optional |
| 4.04 Date of the most recent audit | Mandatory | Mandatory |
| 4.05 Outcome of the most recent audit | Mandatory | Mandatory |
| 4.06 Date of financial due diligence | Mandatory | Mandatory |
| 4.07 Outcome of financial due diligence | Mandatory | Mandatory |
| 4.08 Date of cyber risk due diligence | Mandatory | Mandatory |
| 4.09 Outcome of cyber risk due diligence | Mandatory | Mandatory |
| 4.10 Does the contractual arrangement comply with the relevant rules and requirements | Mandatory | Mandatory |
| 4.11 Please summarise how future assurance is obtained and, if any gaps are identified, please specify when and how these will be resolved. (note 5) | Mandatory | Mandatory |
| 4.12 Has this contractual arrangement been reviewed and signed off by an SMF holder or an accountable person of an FMI? | Mandatory | Mandatory |
| 4.13 If not, which governance committee reviewed it? (note 6) | Mandatory | Mandatory |
| 4.14 Date of governance approval | Mandatory | Mandatory |
| 5.01 Substitutability of the service provider | Mandatory | Mandatory |
| 5.02 Ability of reintegration of the service | Mandatory | Mandatory |
| 5.03 The impact of discontinuing the contractual arrangement | Mandatory | Mandatory |

Note 1 This field will be pre-populated for the firm.
Note 2 This field is only relevant if the firm answers ‘contractual renewal’ to row 1.03.
Note 3 This field is only relevant if the firm answers ‘yes’ to row 3.04.
Note 4 This field is only applicable to firms which are also regulated by the PRA.
Note 5 This field is only relevant if the firm answers ‘no’ to row 4.10.
Note 6 This field is only relevant if the firm answers ‘no’ to row 4.12.

Amend the following text as shown.

16 Reporting requirements

16.1 Application

…

16.1.1F R …

16.1.1G R In addition to the type of firms listed in SUP 16.1.3R, the rules and guidance in SUP 16.33 also apply to:
(1) UK RIEs;
(2) authorised electronic money institutions or authorised payment institutions; and
(3) consolidated tape providers.

…

Application of different sections of SUP 16 (excluding SUP 16.13, SUP 16.15, SUP 16.22 and SUP 16.26)

16.1.3 R

| (1) Section(s) | (2) Categories of firm to which section applies | (3) Applicable rules and guidance |
| --- | --- | --- |
| … | | |
| SUP 16.32 | … | … |
| SUP 16.33 | A firm that is: (1) an enhanced scope SMCR firm; (2) a bank; (3) a designated investment firm; (4) a building society; (5) a Solvency II firm; or (6) a CASS large firm. | Entire section |
| … | | |

…

16.3 General provisions on reporting

…

Structure of the chapter

16.3.2 G This chapter has been split into the following sections, covering:
…
(26) financial promotion approval reporting (SUP 16.31); and
(27) access to cash reporting (SUP 16.32).; and
(28) material third party arrangements register (SUP 16.33).

…

Insert the following new section, SUP 16.33, after SUP 16.32 (Access to cash reporting). All the text is new and is not underlined.
16.33 Material third party arrangements register

Application

16.33.1 R This section applies to:
(1) a firm that is:
(a) an enhanced scope SMCR firm;
(b) a bank;
(c) a designated investment firm;
(d) a building society;
(e) a Solvency II firm; or
(f) a CASS large firm;
(2) a UK RIE;
(3) an authorised electronic money institution or an authorised payment institution; and
(4) a consolidated tape provider.

16.33.2 R In this section, a reference to a firm includes the entities listed in SUP 16.33.1R(2) to (4).

16.33.3 G Unlike the requirements on notifications of material third party arrangements under SUP 15.19, this section applies to firms irrespective of the location of their registered office (or, if they have no registered office, their head office).

16.33.4 R For the purposes of the definition of material third party arrangement, a reference to a client:
(1) in relation to a UK RIE includes a person who is entitled, under an arrangement or agreement between them and that UK RIE, to use the UK RIE’s facilities;
(2) in relation to a consolidated tape provider includes a person who purchases a consolidated tape for bonds from:
(a) a consolidated tape provider; or
(b) a data vendor; and
(3) in relation to a firm carrying on the activity of managing a UK UCITS or managing an AIF includes:
(a) a unitholder; and
(b) an investor in an AIF.

Purpose

16.33.5 G The purpose of this section is to set out the requirements for the firms specified in SUP 16.33.1R to maintain a register for their material third party arrangements and to provide such information to the FCA in a standard format. This information, together with the material third party arrangements notification collected under SUP 15.19, will assist the FCA in understanding and overseeing firms’ material third party risks.

Requirement to maintain and submit a register

16.33.6 R A firm must:
(1) maintain a register of information relating to its material third party arrangements; and
(2) submit the register of material third party arrangements annually to the FCA.

16.33.7 R (1) A firm (other than a UK RIE) is not required to submit the register to the FCA under SUP 16.33.6R(2) if the following conditions are met:
(a) the product or service will be provided by a person within the same group as the firm; and
(b) the person providing the product or service has not entered into an arrangement with a person outside the group for the provision of that product or service to the firm.
(2) Where the firm is a ring-fenced body, (1) applies only if the person providing the product or service is a permitted supplier for the purposes of rule 26.1(3) of the Regulatory Reporting Part of the PRA Rulebook.

16.33.8 R The firm must submit the register of material third party arrangements specified in SUP 16.33.6R(2) to the FCA:
(1) by providing the information in accordance with columns (1) and (3) of the table in SUP 15 Annex 16.1R; and
(2) online through the appropriate systems accessible from the FCA’s website.

16.33.9 G The FCA has issued non-Handbook guidance for firms on the reporting requirements. This includes factors and examples illustrating what may constitute material third party arrangements and guidance on how to complete the register template. See [Editor’s note: insert link].

Amend the following text as shown.
Sch 1 Record keeping requirements

…

Sch 1.2 G

| Handbook reference | Subject of record | Contents of record | When record must be made | Retention period |
| --- | --- | --- | --- | --- |
| … | | | | |
| SUP 16.8.23R [FCA] [PRA] | … | … | … | … |
| SUP 16.33.6R(1) | Material third party arrangements | Register of information relating to material third party arrangements | Not specified | Not specified |

© Financial Conduct Authority 2026
12 Endeavour Square London E20 1JN
Telephone: +44 (0)20 7066 1000
Website: www.fca.org.uk
All rights reserved
Pub ref: 2-008482