TITLE: United Kingdom's Prudential Regulation Authority Finalises Operational Resilience Reporting Requirements for Incidents and Third-Party Arrangements BODY: On 18 March 2026, the Prudential Regulation Authority (PRA) published Policy Statement 7/26 (PS7/26), finalising requirements for operational incident reporting and material third-party (MTP) arrangement notifications. The policy follows consultation paper CP17/24 and addresses rising operational resilience threats to financial institutions and their increasing reliance on external service providers. The final policy establishes standardised reporting requirements for operational incidents affecting UK banks, building societies, PRA-designated investment firms, overseas bank branches, UK Solvency II insurers, the Society of Lloyd's and its managing agents, and UK credit unions with assets exceeding £50 million. Firms must report incidents posing risks to financial stability, firm safety and soundness, or policyholder protection. The PRA consolidated three proposed separate reports (initial, intermediate, and final) into a single report updated across phases, reducing compliance burden. Initial reports must be submitted within 24 hours of determining an incident meets reporting thresholds, with intermediate updates required for significant changes and final reports due within 30 working days of incident resolution. For MTP arrangements, firms must notify the PRA upon entering or significantly changing arrangements through FCA Connect, a unified submission platform developed jointly with the Financial Conduct Authority (FCA). Annual MTP registers must be submitted via FCA RegData. The PRA excluded credit unions with less than £50 million in assets and third-country branches from notification requirements to reduce disproportionate burden. The policy incorporates feedback from 35 consultation responses, with the PRA making significant changes to reduce costs while maintaining supervisory oversight. Key amendments include reducing data fields in reporting templates, separating notification and register templates, and providing enhanced guidance on threshold interpretation and MTP identification in updated supervisory statements. The implementation date for all requirements is 18 March 2027.

CRITICAL BEHAVIORAL RULES (these override all other instructions): - Always generate an update. Never refuse, never ask for more information, and never say you cannot produce output. - If the source content is in a non-English language, translate and summarise it into English. - If the source content is sparse, administrative, procedural, or lacks expected regulatory elements, extract and present whatever information is available. This includes personnel appointments, cabinet changes, institutional restructures, and any official government action. - Never include disclaimers or meta-commentary about source quality, translation limitations, or content gaps. - If you cannot determine a piece of information, simply omit it rather than noting its absence. - Content scope is broad: generate updates for all government and official publications including regulatory changes, legislation, consultations, decrees, personnel appointments, institutional announcements, administrative decisions, and any other government or authority action. Do not filter by topic relevance. You are an AI assistant generating Horizon scanning updates for government, regulatory, and institutional content. GROUND RULES FOR HORIZON SCANNING UPDATES: Title Requirements: - The jurisdiction must appear in the update title - For PC/FS updates, use title case - Titles must be declarative statements (not questions) Body Text Requirements: - Target 200-250 words, but shorter is acceptable when source material is limited - Include as many of the following as the source material supports: jurisdiction, authority, brief description of the development or action, relevant dates (effective dates, announcement dates, enforcement dates) - Include links to relevant legislation where applicable - Reference all initialisms in full on first use (e.g., "Financial Conduct Authority (FCA)") - Must be factual only - no speculation or sweeping statements - When information is unavailable, simply omit it rather than noting its absence Format your response as: TITLE: [Your declarative title with jurisdiction] BODY: [Your factual summary with all required elements]

Horizon Scanning Outline. Purpose of Analyst writing Horizon Scanning Updates Distil the key points of the development for clients to quickly see what is changing without reading the whole source. Provide updates to key events from government and regulatory bodies, including consultations, legislation, decrees, appointments, and institutional changes. Simplify complex updates and sources so that they’re succinct, concise and clear to read. Consistently structure and write updates in the same format. Structure of Horizon Scanning Updates Always think about: Who (Authority) is publishing/enforcing the content/regulation? Where (Jurisdiction)? What type of document or announcement is it (e.g., consultation, regulation, decree, appointment, institutional change)? What is changing/being informed? Who is this update applicable to (credit, e-money institutions, etc.)? Why is this update noteworthy? What is its significance? When is the update applicable? Title Describe what the update is about. Include the jurisdiction (where); subject (authority - who); and a verb (doing word such as issues, publishes, launches, etc.- what). All titles should be written in present tense. Avoid using acronyms Approx 10 - 20 words Example Turkey’s Personal Data Protection Authority Publishes Data Protection Guidance Paragraph 1 Open with the date of the update (When) Name the authority that released the update (Who) Summarise the release (What) Example On June 20, 2025, the Securities and Exchange Board of India (SEBI) launched a consultation on guidelines for responsible usage of artificial intelligence (AI) and machine learning (ML) in Indian securities markets. Paragraph 2 Summarise key points. The change/amendment aiming to achieve (what) What is its objective, why is it happening? Why is it significant? (why) Who does it impact or concern? (Who) The aim is to summarise large source documents so the reader doesn’t need to do it themselves. DO NOT just copy the first few sentences of the document. Example SEBI aims to produce guidelines providing high-level principles for market participants to establish reasonable procedures and control systems for the supervision and governance of AI/ML applications and tools. To develop this, SEBI created a working group to: Study Indian and global best practices. Prepare the guidelines. Address the concerns and issues arising from AI/ML usage. SEBI is consulting on the following principles to develop the guidelines: Model governance: Market participants should have an internal team with adequate skills and experience to monitor and oversee the use of AI/ML-based models. Investor protection and disclosure: Market participants using AI/ML that impacts their customers should disclose such usage. Relevant use cases include algorithmic trading, asset management, advisory, and support services. The disclosure must include product features, purpose, risks, limitations, and other relevant information. Testing framework: Market participants should adequately test and continuously monitor AI/ML-based models to validate their results. Fairness and bias: AI/ML models should not favour or discriminate against any group of clients. Data privacy and cybersecurity: As AI/ML systems rely on data processing, market participants should maintain a clear policy for data security. Paragraph 3 Acts as a “Call To Action”. Provide forward looking context: What actions need to be taken? Who needs to take action? Next steps to the development. Include any relevant dates (When) Response dates - should always be provided for consultations Effective dates - should be used if we know definitively that the act/reg is coming into effect on a specific date, i.e., it has been passed/adopted. Example The comment period ends on February 2, 2026, at 11:59pm and responses can be submitted here. The comment response is expected to be published in April 2026. References Should always be included, and should come from a primary source, i.e., an authority, not a news source. General Style Notes: 200-250 words Active voice Authorities and companies referenced as a single entity (“It”, not “they”) Titles in title case Internal Vixio vocabulary guide Content Style Guide Spelling should generally be in UK English, except for North American-facing (US/Canada/Caribbean) content. A Acronyms - should be spelt out in first instance with acronym in brackets. For example, Financial Conduct Authority (FCA). Act - when just referring to “the act”, it does not need a capital a. Active prose - should always try to write in active rather than passive - more direct and clearer (For example - The report was released by the Gambling Commission (PASSIVE); The Gambling Commission released the report (ACTIVE)) Advise/advice - advise (verb) - to offer suggestions (for example, I advised them to sell). - advice (noun) - give formal suggestions (for example, I gave them advice). Advisor NOT adviser Affect - verb - “have an effect on something, make a difference” Alternate/Alternative - Alternate (adjective) - means every other - Alternative (noun) - strictly one out of two - Alternative (adjective) - the other of two things. Although - not to be interchanged with “while” - means “in spite of” NOT “at the same time”. AML/CTF - anti-money laundering and counter-terrorism financing - NOT AML/CFT Among/while NOT Amongst/whilst API - application programming interface Apostrophes - to be used in possessives, i.e. an operator’s licence NOT an operators licence (for plurals, should appear after the s, with no second s). Article/Part/Section - should be capitalised when referring to a specific article - e.g., Article 4 of the Gambling Act. Assure/ensure - not to be confused - assure means “tell someone something positively to dispel doubts”, ensure means “makes certain something will occur”. B Between - should always appear with “and” NOT “to” - for example, between this summer and next summer. Big tech - two words, breaks convention of other tech words Bills - U.S. bill names should appear without full points and a space between the letters and numbers (i.e. SB 522 NOT SB522 or S.B. 522). Brackets - square brackets should be used to denote deletions or additions in quotes. Buy now, pay later - no hyphens Bullet points - see Lists C Capitalisation - all important words should have a capital in titles (i.e. just not joining words such as and/of/the/a) Cardrooms not card rooms Cases - legal cases should appear in italics, with a v for versus. Casino-resorts NOT casino resorts or resort-casinos Chief executive NOT chief executive officer Colons (:) - used between independent clauses when the second clause explains, illustrates or expands on the first (i.e. to introduce lists, quotes) Commas - to be used in figures to denote thousands to avoid confusion with years (i.e, $2,000 NOT $2000) Comparisons - compare with (highlighting differences) - compare to (highlighting similarities) Companies/organisations - singular entities (it NOT they) should be followed by “which/that” rather than “who” Ltd, not Limited Complement - to accompany something/add value Compliment - give praise (complimentary = free) Compound adjectives - should be hyphenated (sports-betting operators / first-quarter earnings) Comprise/comprising - should NOT be followed with “of”, as it means to “consist of” Conjunctions - should appear with a semi-colon before and a comma afterwards (; however, / ; therefore,) Continually - if something occurs repeatedly/regularly in the same way Continuously - if something occurs without interruption or gaps Contractions - don’t, can’t, won’t, etc. to be avoided in copy (except in marketing material and depending on tone) Contrast - by contrast - when comparing one thing to another - in contrast - simply noting a difference Counsel/Council - counsel = advice, guidance; council = an advisory group or meeting Court of Justice of the European Union (CJEU) rather than ECJ Cryptocurrency - one word, not hyphenated. Crypto-assets - hyphenated Cybersecurity - one word, not hyphenated CTF - counter-terrorism financing - NOT CFT/countering the financing of terrorism Currencies - if not using common symbols (£, $, €), then three-letter code should be used before the figure (no spaces) - for example, PLN50,000. Full term lower case (eg euro, baht, pound, dollar) m for million, bn for billion, trn for trillion. D Date format - Month, Day, Year (e.g., March 7, 2019) For Insights & Analysis summary text: can just say “today”, e.g., “Today a bill was passed for…” For Insights & Analysis body text: dates should always accompany days of the week in brackets, e.g., “On Wednesday (June 8) a bill was passed...” For NIBs: always use dates rather than days. Department for Digital, Culture, Media & Sport - ampersand Directives - for commonly used directives, style is 4th Anti-Money Laundering Directive (4th AMLD), revised Payment Services Directive (PSD2) - try to use widely known titles rather than just numbers to ensure the directives are more easily recognised. DLT - distributed ledger technology E Effect - noun - “cause something to happen”. Em dash (—) - should be used as a conjunction, not a hyphen or en dash (–). Ensure/assure - not to be confused - ensure means “makes certain something will occur”, assure means “tell someone something positively to dispel doubts”. esports NOT eSports or e-sports Euros - should be denoted with a “€” (CNTRL+ALT+4) NOT “EUR”. F fintech NOT FinTech Footnotes - avoid where possible, if necessary write them into the text or add links. G GGR - “gross gaming revenues” Government - does not need a capital g. Governor - should be written out in full, NOT Gov. Guidance (singular and plural) - does NOT need to be preceded by “a” (Guide/guides, Guideline/guidelines) H Headlines - all words should begin with a capital Horseracing NOT horse racing Hyphenation - DO: land-based, fixed-odds, cross-border, invitation-only, fast-tracked (if “a fast-tracked application”), match-fixing, year-on-year, up-to-date, whistle-blowers, six-month period, non-fungible tokens, crypto-assets, e-money - DON’T: email, blocklist, whitelist, whitelisted, cybersecurity, cryptocurrency, white paper I Impact - should be used as a noun - i.e. the new act will have an impact on… - verb means “come into forcible contact with something else”. - using “affect” as a verb is more accurate. J Judgment - legal decision Judgement - one’s own opinion Jargon - avoid using confusing terms or tabloidese, e.g. use players rather than punters. Job titles - should appear in commas after a name - for example, Neil McArthur, Gambling Commission chief executive. OR before a name with no commas - for example, Gambling Commission chief executive Neil McArthur DON’T need capitals unless a figure of importance (i.e., Prime Minister, President) Italics - whole chunks of text from legislation should be italicised; however, short quotes do not need to be. Justice Department - U.S. Department of Justice - to appear with caps (as requested by US team). K KYC - know your customer L Legislature - does not need a capital l. Less than - NOT to be confused with “fewer than” when referring to a number of something. i.e. fewer than 100 gambling tables. Licence - noun (UK), i.e. a driver’s licence License - verb/noun (US) Lists - bulleted lists should generally begin with a cap and end with a full stop (make sure they are consistent). M MONEYVAL NOT Moneyval More than - to be used instead of “over”. i.e., more than 20 players rather than over 20 players. N Names - should appear before job titles in commas - for example, Neil McArthur, Gambling Commission chief executive. Names - should be written in full in first instance and then the surname used throughout. Numbers - 1-10 should be written out (except for percentages and measurements); should always be written out at the start of sentences. Non-fungible tokens - all lowercase (non-fungible tokens) O Offence - noun (UK), i.e. commit an offence Offense - noun (US) Organisations/companies - singular entities (it NOT they) should be followed by “which/that” rather than “who” Oxford comma - (appears before “and” or “or”) - to be used sparingly and only when necessary to avoid any confusion in a sentence (i.e., where more than one “and/or” appears). Over - should not be used as a replacement for “more than”. P Parliament - does not need a capital p. Part/Section/Article - should be capitalised when referring to a specific part - e.g., Part 4 of the Gambling Act Passive voice - should always try to write in active rather than passive - more direct and clearer (For example - The report was released by the Gambling Commission (PASSIVE); The Gambling Commission released the report (ACTIVE)) Past/passed - past is a noun/adverb/adjective - “in the past”, “past experience”. - passed is the past tense of “to pass” - “the law was passed in government”. Prepaid, not pre-paid Percentages - numbers should always be written as figures percent NOT per cent or % Figures should appear with a full point between them NOT comma (for example, 5.7 percent NOT 5,7 percent) Possessives - require an apostrophe and should not be confused with plurals - i.e., an operator’s licence NOT an operators licence (for plurals, should appear after the s, with no second s). Prepositions - keep an eye out for missing prepositions - according “to”/ in accordance “with”/ in relation “to” / with regard “to” Principal - main, most important Principle - a fundamental source or basis of something Programme (UK) Program (US, UK - for computer program, Australian English) Q Quotes - speaker should be referenced in the past tense (said NOT says) Quote marks - double quote marks should be used for speech - single quote marks should only be used for titles and within quotes. (See Quote reference sheet for more information on how to use quotes.) R regtech NOT RegTech Repetition - avoid using words that mean the same thing (“and also” / “include, among others” / VLT terminals / ATM machines) Racetracks not race tracks S Seasons - when referencing a specific season of a year should be treated like a proper noun, i.e. should include a capital - Winter 2018. Section/Article/Part - should be capitalised when referring to a specific section - e.g., Section 4 of the Gambling Act. Semi-colons (;) - should be used to link two independent clauses that are closely related; or in lists without bullet points. (Do not overuse - often a full stop and new sentence will be better.) Sports betting NOT sportsbetting Sports team names Storey (pl. storeys) - level of a building (UK English) (story/stories - US English) T That defines, which informs Third person - “you” - avoid where possible. Titles - all important words should begin with a capital (i.e. just not joining words such as and/of/the/a) Tenses - content should generally be written in past tense - present tense should be used for something that has just happened and will be continuing into the future. U United States abbreviated to U.S. (Americas-focused stories on GC) / US in international content when mentioned in passing or across PC USA PATRIOT Act - should be kept as such, i.e. with caps, as it’s an acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act”) U.S. Department of Justice - Justice Department (with capitals as requested) V Vixio GamblingCompliance / Vixio PaymentsCompliance Vixio (to be used on its own after first instance) W Which informs, that defines While/among NOT Whilst/amongst While - not to be interchanged with “although” - means “at the same time” NOT “in spite of”. X Y Year quarters - Q1, Q2, H1, H2, etc. Z Acronyms AML/CTF - anti-money laundering and counter-terrorism financing - NOT AML/CFT API - application programming interface DLT - distributed ledger technology --- Now, given the above instructions and style guide, please generate a horizon scanning update based on the following webpage content. Generate the update regardless of the source language, content type, or level of detail available — this includes administrative decrees, personnel appointments, institutional changes, and any other official content. Use whatever information is present. PS7/26 – Operational resilience: Operational incident and third-party reporting | Bank of England Our use of cookies We use necessary cookies to make our site work (for example, to manage your session). We’d also like to use some non-essential cookies (including third-party cookies) to help us improve the site. By clicking ‘Accept recommended settings’ on this banner, you accept our use of optional cookies. Necessary cookies Analytics cookies Yes Yes Accept recommended cookies Yes No Proceed with necessary cookies only Necessary cookies Necessary cookies enable core functionality on our website such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions. Analytics cookies We use analytics cookies so we can keep track of the number of visitors to various parts of the site and understand how our website is used. For more information on how these cookies work please see our Cookie policy . Skip to main content PS7/26 – Operational resilience: Operational incident and third-party reporting Policy statement 7/26 Related links Related links CP17/24 – Operational resilience: Operational incident and outsourcing and third-party reporting Published on 18 March 2026 1: Overview 1.1 In December 2024, the Prudential Regulation Authority (PRA) published its consultation paper (CP) 17/24 – Operational resilience: Operational incident and outsourcing and third-party reporting . In light of rising threats to operational resilience at firms and their growing reliance on externally supplied services, the CP proposed to establish a policy for the timely, accurate and consistent reporting of certain operational incidents, and notification and reporting of material third-party (MTP) arrangements. 1.2 The final policy contained in this policy statement addresses responses to the consultation and collectively significantly reduces firm burden while still meeting the aim of enhancing firms’ operational resilience. This approach will help the PRA gain better oversight of risks arising from operational incidents and the use of third parties. The collection of operational incident and third-party data will allow the PRA to work with firms to prioritise the mitigation of operational incident impacts and potential key vulnerabilities. It will also support the identification of critical third parties (CTPs) and assess where critical nodes of failure could arise. 1.3 Consultation responses demonstrated clear support for the PRA’s policy aims and proposals to standardise data collection for operational incidents and MTPs. Respondents supported the proposed alignment of reporting requirements with international practice and standards such as the EU Digital Operational Resilience Act (DORA) and the Financial Stability Board’s (FSB) Format for Incident Reporting Exchange (FIRE). Respondents also requested alignment between the UK authorities’ approaches where this would reduce burden. 1.4 The policy was developed jointly with the Financial Conduct Authority (FCA) and the Bank of England (the Bank) in its capacity as a supervisor of financial market infrastructure firms (FMIs) (collectively, the supervisory authorities). 1.5 In feedback to specific responses, the PRA has made changes to the proposed policy and reporting templates, which it considers provide greater proportionality and reduce compliance burden for firms. The key changes are: Updating and clarifying the approach to MTP reporting policy through amending the rule on notification. Amending the scope of MTP notification requirements to exclude credit unions with less than £50 million in assets and all third country branches. Reduced reporting burden by updating and refining the MTP reporting templates to ensure full alignment across supervisory authorities. The register and notification templates have been separated to provide firms with further flexibility and the number of data fields in the reports reduced. To support easier submission, the PRA and the FCA have developed a single platform for notification, FCA Connect. Updated and refined the incident report to limit reporting burden by merging the three proposed initial, interim and final incident reports into one report. The new single report has been fully aligned across supervisory authorities and with international standards. The report has been simplified further by removing a number of fields and making more fields optional. The PRA has further clarified how firms should identify MTP arrangements by setting out further expectations and examples in supervisory statement (SS) 2/21 – Outsourcing and third party risk management . Further clarity provided on operational incident reporting by improving guidance on the interpretation of the reporting thresholds, timings for reporting and minor policy changes to ensure further alignment across supervisory authorities. Table 1: Comparison of consultation proposals and final policy CP17/24 and PS7/26 CP17/24 and PS7/26 Operational incident reporting MTP reporting Notifications Register What CP17/24 proposal Report operational incidents that meet the individual authorities’ thresholds (for the PRA, this is safety and soundness, financial stability and policyholder protection). Notify the PRA of MTP arrangements which, due to the risks, necessitates a high degree of due diligence, risk management or governance by the firm. Report an annual register of all MTP arrangements. PS7/26 policy Notify all MTP arrangements. When/how CP17/24 proposal As they occur, submitting three separate reports: initial, intermediate and final. Via FCA Connect. Ahead of entering into or significantly changing arrangements. Via email to supervisor. Annual submission. Via FCA RegData. PS7/26 policy As they occur, submitting a single form that is completed over three phases: initial, intermediate and final. Via FCA Connect. Ahead of entering into or significantly changing arrangements. Via FCA Connect. Who CP17/24 proposal UK banks, building societies, PRA-designated investment firms and branches of overseas banks (‘banks’); and UK Solvency II firms, the Society of Lloyd’s and its managing agents (‘insurers’). UK banks, building societies, PRA-designated investment firms and branches of overseas banks (‘banks’); and UK Solvency II firms, the Society of Lloyd’s and its managing agents (‘insurers’). UK banks, building societies, PRA-designated investment firms (‘banks’); UK Solvency II firms, the Society of Lloyd’s and its managing agents (‘insurers’)’; and UK credit unions with at least £50 million in total assets. PS7/26 policy UK banks, building societies, PRA-designated investment firms (‘banks’); UK Solvency II firms, the Society of Lloyd’s and its managing agents (‘insurers’); and UK credit unions with at least £50 million in total assets. UK banks, building societies, PRA-designated investment firms (‘banks’); UK Solvency II firms, the Society of Lloyd’s and its managing agents (‘insurers’); and UK credit unions with at least £50 million in total assets. 1.6 This PS provides detailed feedback to responses the PRA received to the consultation. It also contains the PRA’s final policy, as follows: amendments to the Reporting Part of the PRA Rulebook (Appendix 1); amendments to the Notifications Part of the PRA Rulebook (Appendix 1); PRA’s new SS1/26 – Operational resilience: Incident reporting (Appendix 2); and updated SS2/21 – Outsourcing and third party risk management (Appendix 3). 1.7 The sections of this PS that deal with operational incident reporting are relevant to all UK banks, building societies, PRA-designated investment firms and branches of overseas banks (‘banks’), and UK Solvency II firms, and the Society of Lloyd’s and its managing agents (‘insurers’). The section of this PS that deals with outsourcing and third-party reporting is relevant to all PRA-regulated firms. Background 1.8 Currently, firms are required to notify the PRA of certain incidents and material outsourcing arrangements in accordance with PRA Fundamental Rule 7, and the General Notification Requirements in Chapter 2 of the Notification Part of the PRA Rulebook . Under SS2/21, banks are expected to maintain a register of their outsourcing arrangements. In CP17/24, the PRA proposed to: Introduce new requirements and expectations for the reporting of certain operational incidents to the PRA. These set thresholds above which an operational incident must be reported, introduced a three-phased approach to reporting, and set out the information a firm would be required to provide in each phase. Amend the scope of Notifications Rule 2.3(1)(e) to capture notifications of firms’ MTP arrangements and amend Notifications Rule 2.3(1)(e) and Notifications Rule 2.3(1) to reflect that not all MTP arrangements may be considered a ‘restructuring, reorganisation or business expansion’. Set out new rules and expectations for firms to maintain and submit to the PRA a structured register of information on MTP arrangements. Introduce standardised reports for the submission of MTP notifications and the register. 1.9 In determining its final policy, the PRA considers representations received in response to CP17/24, publishing an account of them and the PRA’s feedback. Details of any significant changes are also published. Summary of responses 1.10 The PRA received 35 responses to the CP. The names of respondents to the CP who consented to their names being published are set out at Appendix 9. As well as those who consented, the PRA received responses from 12 respondents who did not consent to the PRA publishing their names. Changes to the draft policy 1.11 The PRA has made a number of changes to the final policy following responses to the consultation, where doing so reduces burden on firms while continuing to advance the safety and soundness of firms, policyholder protection and financial stability. 1.12 The following changes have been made to the draft rules and related policy materials: changes to the Notification Part to reflect the decision to amend the scope of the policy as it applies to credit unions, to require firms to submit notifications on all MTPs and to exclude intragroup arrangements that do not involve an external provider (with the exception of ring-fenced bodies); changes to the Reporting Part to reflect the decision to require firms to submit a single report and update or submit further information over the intermediate and final phases; changes to Chapter 5 of SS2/21 to reflect the changes to the Notification Part and provide clarity on how firms are expected to identify MTPs, including further guidance and examples; changes to SS1/26 to: amend the phased approach to reflect the change from three individual incident reports to a single report; clarify terms within the Operational Incident definition including ‘end user external to the firm’ and ‘a series of linked events’; improve guidance on the interpretation of the reporting thresholds; and provide further examples of an operational incident that would meet the PRA’s thresholds; changes to the incident reporting fields document and MTP templates; and minor changes to the definition of ‘third-party arrangement’ in the Glossary. 2: Feedback to responses 2.1 This chapter sets out the PRA’s feedback to the representations received in response to the CP, and its final decisions. 2.2 The PRA’s feedback to responses has been grouped as follows: policy aims and objectives; Cost Benefit Analysis (CBA); operational incident reporting; and material third-party arrangements. Policy aims and objectives Operational incident reporting 2.3 Respondents generally supported the policy aims and objectives and the proposed approach to operational incident reporting. They welcomed alignment with international standards, such as the FSB’s FIRE, and interoperability with the approach in EU’s DORA, and efforts to standardise data collection. 2.4 Several respondents emphasised the value of sharing thematic reports and data analysis on reported incidents and lessons learned across industry. Three respondents suggested that the PRA should leverage thematic analysis already conducted across a variety of industry bodies as it would not be proportionate to divert resources dedicated to incident management for the purpose of data collection. 2.5 The PRA confirms that it plans to use the data collected to understand operational resilience vulnerabilities and risks at both individual firm and industry levels more fully. The PRA will, where appropriate, share anonymised aggregated findings on industry-wide trends. The PRA considers that is it appropriate to use the data both to monitor and respond to potential risks arising from operational incidents and for the purposes of thematic analysis. 2.6 Respondents requested clarification on how the CTP incident reporting requirements interact with the operational incident reporting requirements for firms and how supervisory authorities would respond to the disruption of a CTP, or other third party, with systemic implications. In such cases, the PRA would engage individually with the CTP and the individual firms to effectively monitor and supervise the incident. Under the requirements, in the event that an operational incident occurs at a CTP, the PRA would receive reports from both individual firms, when they assess the operational incident has met the reporting thresholds, and the CTP. The PRA expects that both the CTP and the affected firms would have unique information and insights about the incident. footnote [1] Material third-party reporting 2.7 In the CP, the PRA proposed to expand the scope of existing data collections on third-party arrangements. The PRA proposed to use data collected to aid better identification of risks posed by third-party service providers and support its recommendation of potential CTPs to be designated by HMT. 2.8 Respondents welcomed the PRA’s aims to standardise the collection of MTP arrangements and formalise requirements for the register. They supported intentions to improve consistency and clarity. Additionally, the PRA received broad support on its proposal to use MTP data to aid CTP designation recommendations to HMT. Respondents also broadly supported the PRA’s proposals to align, where possible, with international regimes, including the EU’s DORA. In feedback to responses, the PRA has made a number of changes to the policy to provide further proportionality and reduce burden on firms. Cost Benefit Analysis (CBA) 2.9 The PRA received 19 responses regarding its CBA of the proposals. Respondents generally agreed that there were benefits to the reporting requirements. However, several respondents questioned whether the benefits of the policy as proposed would outweigh the costs, which they thought could be higher than estimated. A number noted the need for new systems while others raised concerns about ongoing triage and governance costs. Some respondents noted that implementation costs for EU DORA were much higher than the PRA’s estimated costs of its policy proposals, and others contended that costs would be high for small firms. 2.10 Having considered responses to the consultation, while the PRA recognises concerns about costs (and has taken significant steps outlined in this PS to reduce them), it considers its methodology and assumptions for the CBA to be sound. Estimates for costings have been based on historical reporting costs as well as information provided by a random sample of firms that would be in scope of the policy. Respondents did not provide new quantitative evidence that would enable the PRA to revise the CBA. 2.11 The PRA maintains that the benefits of the policies are significant and should outweigh the costs of implementation. It considers that this is now by a greater margin than envisaged in the original proposals, given the cost reductions resulting from the changes in the final policy. These include: Excluding credit unions with less than £50 million in assets from the MTP notification requirements. Reducing the amount of information firms need to provide in the incident reporting and MTP templates by removing some data fields, and through greater use of tools such as pre-population in FCA Connect and RegData. Further aligning the definitions of operational incidents and MTPs between the supervisory authorities and the FSB’s FIRE. Clarifying and aligning the PRA’s approach for the reporting of intragroup arrangements. Aligning technology platforms among the supervisory authorities. This allows MTP notifications, in addition to operational incident reports and the MTP register, to be shared automatically, eliminating the need for firms to make multiple submissions. Clarifying that the ‘factors to consider’ for operational incident reporting are to aid firms in understanding the reporting thresholds. Clarifying that firms can use existing internal processes to help assess whether it meets the PRA’s thresholds for reporting. 2.12 Benefits are expected to arise from the PRA’s enhanced ability to identify and understand operational resilience threats to individual firms and the broader financial sector. Moreover, the PRA will have an improved understanding of potential systemic vulnerabilities arising from concentrated use of third-party suppliers. The PRA can use the data to work with firms to prioritise the mitigation of operational incident impacts and potential key vulnerabilities. Third-party data would be used to support the identification of CTPs and assess where critical nodes of failure could arise. Operational incident reporting Scope 2.13 The scope of operational incident reporting will be retained as initially proposed. Three respondents noted that proposed UK regulatory requirements for the reporting of operational incidents with regards to credit unions varied across the supervisory authorities, increasing the complexity of compliance. In feedback to the responses, the PRA has decided to maintain the scope as consulted upon. The FCA has revised its policy to remove credit unions from the scope of its enhanced operational incident reporting requirements. Definition 2.14 The PRA proposed to define an operational incident as either a single event or a series of linked events, which disrupts the firm’s operations such that it: disrupts the delivery of a service to an end user external to the firm; or impacts the availability, authenticity, integrity, or confidentiality of information or data relating or belonging to such an end user. 2.15 Eight respondents supported the proposed definition of an operational incident, suggesting it is proportionate and aligned with their systems. A few respondents commented on the differences between the PRA and FCA definitions in their respective consultation papers, suggesting alignment to reduce costs for firms. Ten respondents also asked whether the PRA and FCA are aligned on ‘near-misses’ and whether firms should only report incidents having a crystalised impact. 2.16 In feedback to the response, in its final policy, the FCA has aligned its definition with the PRA’s. The FCA and PRA are also aligned on the approach to ‘near misses’: firms would not be expected to report potential or uncrystallised events. The PRA has clarified its expectations in paragraph 2.8 of SS1/26. 2.17 Eight respondents asked the PRA to define the term ‘end user external to the firm’. Respondents noted that the term was not clear, or that it is not currently in use in the PRA Rulebook. The PRA has opted to not define the term in the Rulebook and has instead included a description of end user external to the firm in paragraph 2.4 of SS1/26. This approach is consistent with expectations set out in SS1/21 – Operational resilience: impact tolerances for important business services . 2.18 Four respondents asked the PRA to define the term ‘a series of linked events’ and requested examples. The PRA has updated its guidance in paragraph 2.3 of Chapter 2 in SS1/26 and included a description of a series of linked events and relevant examples. The PRA removed the reference to the PRA thresholds initially provided in CP17/24 as firms should consider separately whether an incident meets the definition of an operational incident and reporting thresholds. 2.19 Respondents asked the PRA to consider adding the term ‘unplanned’ disruption to the definition of an operational incident. The PRA has decided to not include ‘unplanned’ in its definition given the high threshold for reporting. The operative issue for the PRA is whether an incident is material enough to pose a risk to its objectives. That said, it considers that planned disruptions – where services are temporarily interrupted but risks are adequately managed – are generally unlikely to meet the threshold for being a reportable operational incident. Important business services 2.20 In CP17/24, the PRA noted it would require firms to report incidents meeting the thresholds set out in the PRA rules, even if these have not yet breached the firm’s impact tolerances or affected any important business services. 2.21 Seven respondents requested that the PRA change the definition of an operational incident as a material disruption affecting important business services. One respondent noted that there could be two different regimes: one related to important business services for firms in scope of operational resilience requirements and one for firms out of scope of operational resilience. 2.22 The PRA has considered responses and whether changing the definition would contribute to reducing the burden on firms. However, a focus only on important business services would risk limiting supervisory oversight. An operational incident could affect a service not classified as an important business service and still pose a risk to the PRA’s objectives. To clarify its approach, the PRA has updated its guidance in paragraphs 2.6 and 2.7 of SS1/26, including examples of reportable incidents. Reporting thresholds 2.23 The PRA proposed that firms (where the firm is a systemically important institution or where the firm is a relevant Solvency II firm) would be required to submit a report once an operational incident poses a risk to: the stability of the UK financial sector; the safety and soundness of the firm; and/or (for insurers) the appropriate degree of policyholder protection. 2.24 Firms may use their internal processes to assess whether an incident meets the thresholds and may consider a range of factors to make the assessment, as listed in the draft SS. 2.25 The PRA received 12 responses on interpreting the reporting thresholds and the factors listed in SS1/26. Several respondents expressed concerns that using internal processes to assess whether an incident is reportable might be subjective and lead to over-reporting. They suggested prescriptive thresholds, aligned with the EU DORA. By contrast, other respondents noted that the judgement should be left entirely to firms and their metrics, and the PRA should consider removing the factors entirely. 2.26 Respondents asked for clarification on the interpretation of certain threshold factors. Some argued that legal and regulatory obligations and reputation were too speculative, and firms could not assess their long-term impacts. Others suggested removing operational and financial contagion as it would require extensive knowledge of the incident’s operational impact on other firms. Respondents also asked for further alignment between the FCA and PRA on threshold factors. A few asked the PRA to provide additional examples. 2.27 Having considered this response, the PRA has decided to maintain the current approach to assessing the reporting thresholds and the factors. The PRA considers that flexibility is important as the same operational incident may have varying impacts and scale across regulated firms. This will likely depend on the size, business model, and services or customer base of the firm. 2.28 Acknowledging respondents’ concerns, the PRA has provided further guidance on the interpretation of the reporting thresholds. The PRA has amended its expectations to clarify that the factors are simply guidance on how firms may interpret the thresholds and do not constitute an exhaustive or prescriptive list. This has been added in paragraph 3.4 of SS1/26. 2.29 Furthermore, the PRA has amended its guidance relating to the threshold factors from the draft SS. This includes clarifying expectations for how firms should approach considering operational and financial contagion, as well as assessing reputational impact. 2.30 The PRA recognises that, in the early stages of incident response, a firm may not have a complete view of the incident’s long-term implications. The threshold assessment should be based on the information available at the time. The PRA has clarified this expectation in paragraph 3.5 of SS1/26. 2.31 The PRA considers operational and financial contagion are key indicators of risks to financial stability. The PRA expects other systemically important institutions and relevant Solvency II firms to assess the risk to financial stability following a disruption to a business service. This specifically applies where there is potential to cause knock-on effects for counterparties under operational resilience expectations. The PRA has also clarified that it does not expect firms to have a complete view of the wider systemic impact when assessing the impact of an operational disruption. This guidance has been added under paragraph 3.9 of SS1/26. 2.32 In feedback to the responses, the PRA has clarified that informing the firm’s senior management of ongoing high-priority incidents is considered good practice, but it would not constitute a high level of internal escalation. The PRA has also clarified its expectations on the interpretation of the factor under paragraph 3.21 of SS1/26. 2.33 The PRA considers the examples given to be general guidance of what could be considered reportable; however, this should be considered on a case-by-case basis by firms. The PRA has included additional examples for some threshold factors under paragraphs 3.10, 3.13, 3.16 and 3.22 of SS1/26. Phased approach 2.34 The PRA proposed that, when an operational incident meets the thresholds, firms would be required to submit an initial report, one or more intermediate reports if there is a significant change in the circumstances of the incident, and a final report. 2.35 To reduce duplication and streamline user experience on FCA Connect, the supervisory authorities have revised the reporting approach. In place of three reports, firms will be required to submit a report at the initial phase and update the report across the intermediate and final phases of an incident. The timings for each phase remain as consulted upon. The PRA has set out its expectations for phased reporting in SS1/26. 2.36 One respondent asked for clarification on the notification requirements and whether this will affect engagement with supervisory teams. Operational incident reporting does not replace the notification requirements under Fundamental Rule 7 and the General Notification requirements in Chapter 2 of the Notification Part. The PRA has amended paragraph 4.4 of the SS to clarify that incident reporting may not replace all supervisory engagement, and direct communication may still be needed depending on the incident. 2.37 One respondent asked for clarification on enforcement, and the consequences of failing to report an incident within the specified timeframes. The PRA confirms it takes a proportionate approach to enforcement and will consider the individual circumstances of each firm and incident. Initial phase 2.38 Eight respondents asked the PRA to confirm firms will not be expected to divert resources from response operations for incident reporting. These respondents also asked if firms could submit a single incident report to both the PRA and FCA where it meets both regulators’ thresholds. A few noted that the reporting fields document only allowed firms to make a single selection for the report to be relevant to the FCA, PRA or the Bank and asked to amend to reduce burden. 2.39 While recognising the need to inform the supervisory authorities promptly, the PRA expects firms to prioritise actions to resolve and recover from operational incidents. The initial phase has been designed to gather only essential information, which can be updated with additional information during the intermediate and final phases. This approach enables firms to prioritise resolving the incident. Firms can submit a report to the PRA and FCA jointly to reduce the reporting burden, if they assess both the respective thresholds have been met. To improve guidance for firms, the PRA and FCA have included joint examples of reportable incidents meeting both supervisory authorities’ thresholds. This has been added under paragraph 3.7 of SS1/26. 2.40 Four respondents requested clarification on the alignment between the PRA and FCA’s initial report timelines. Four respondents commented that there were circumstances where longer than 24 hours would be needed to submit an initial report because data may not be available, for example, where this is reliant on third parties. 2.41 The PRA and FCA are aligned on the timelines for the submission of the report in the initial phase. Firms are required to submit a report as soon as reasonably practicable and expect this to be within 24 hours of the firm determining an operational incident has met the threshold. The PRA acknowledges that, in circumstances where an incident requires all the firm’s resources to address the incident, a firm may take longer than 24 hours to submit a report, as outlined in paragraph 4.5 of SS1/26. Intermediate phase 2.42 Four respondents suggested that the requirement to potentially submit multiple reports at the intermediate phase may be too onerous. Other respondents suggested amending the examples of significant changes, including removing some examples. Four respondents disagreed with some of the proposed examples to describe what constitutes a significant change and suggested removing examples such as the activation of a business continuity plan or the incident breaching another supervisory authority’s reporting thresholds. 2.43 The PRA recognises that firms may, in some circumstances, have to submit new or updated information during the intermediate phase multiple times. However, the PRA wishes to clarify that, the bar for the submission of new or updated information during the intermediate phase remains high. The PRA considers that the use of a single report, rather than three individual reports, should reduce firm burden by making it clearer where updates or changes are required. The PRA also notes that the examples listed under paragraph 4.9 of SS1/26 are intended to be high-level guidance and are not prescriptive. Firms may consider these examples when assessing whether to submit an intermediate report, but this may vary on a case-by-case basis. Final phase 2.44 Several respondents expressed concerns about the required timeframe for submitting a final incident report. Six respondents indicated that the 30-working day deadline may not provide sufficient time to complete post-incident reviews, and four noted that even a possible extension to 60 working days could be insufficient. 2.45 The PRA has decided to maintain the timeframe for the submission of the final report as consulted upon noting that this will now take the form of an update rather than a new report. The PRA expects firms to submit the required information for the final phase within 30 working days of resolving the incident unless there are circumstances that mean additional time is required. Such instances could include where an incident is of such complexity that additional time is required to substantiate the root cause of an incident, or where the firm is reliant on another party to provide the required information, as outlined in paragraphs 4.14 and 4.15 of SS1/26. The PRA considers that, where additional time is required, a further 30 working days, (60 working days in total) is sufficient. Operational incident data 2.46 Six respondents commented that the data requested in the initial report was extensive and burdensome, and asked for some fields to be moved to the intermediate report. To address these responses, the PRA has reduced the number of required fields at the initial phase of the incident. In addition, a number of fields have been removed entirely from the incident report. Further detail can be found in Appendix 4: Reporting fields document. 2.47 Some respondents asked the PRA to confirm it was acceptable for firms to provide updated and more detailed information as an incident progressed and whether firms may use best-efforts or estimates. The PRA considers that information may be imprecise at the initial phase of an incident but increase in quantity and accuracy in the intermediate and final phases. The PRA has clarified its expectations under paragraph 4.7 of SS1/26, indicating that a firm should take reasonable steps to collect the best available data at the time of submission, and may gain a more accurate view as the incident progresses. 2.48 The PRA has amended the Reporting Fields Document in feedback to responses and to reflect the final FIRE report published in April 2025. The amendments are listed by initial, intermediate and final phases in Appendix 4: Reporting fields document. Governance 2.49 One respondent requested clarification on the proposals for operational incident reporting and its interaction with the Senior Managers and Certification Regime. They asked if the SMF24 would have responsibility for meeting the outcomes of the policy and how the senior manager would be capable of discharging their duties. One respondent suggested that all incident reports should require the approval from the Senior Management Function (SMF) 24. 2.50 In feedback to the response, the PRA has outlined expectations for governance under Chapter 5 of SS1/26. The PRA would expect the Chief Operations SMF24 to hold overall responsibility for implementing the outcomes of the PRA’s incident reporting requirements and expectations. Where a firm does not have an SMF24, a firm should clearly allocate these responsibilities to a suitable SMF or SMFs. The PRA has also clarified that it does not expect the SMF24 to approve the submission of incident reports, and firms should structure oversight in the most effective manner for their business. Material third-party arrangements Scope 2.51 Three respondents noted that proposed UK regulatory requirements for the reporting of MTPs with regards to credit unions varied across the supervisory authorities, increasing the complexity of compliance. The PRA proposed in the consultation to exclude credit unions with less than £50 million in assets from the MTP register requirements, considering this unduly burdensome. 2.52 To take a more proportionate approach to supervising risk arising from the use of third parties and limit reporting burden, the PRA has amended the policy to exclude smaller credit unions from the requirement to notify the PRA of MTP arrangements given the relatively lower risk they pose to the broader financial system. The PRA has therefore amended the scope of the notification requirements to apply to only those credit unions with more than £50 million in assets. 2.53 The PRA has also amended the policy to exclude third country branches from the notification requirements given the PRA’s policy is to only allow branches to operate where it has effective cooperation and information sharing with the home state supervisors. Nonetheless, branches remain responsible for the risks associated with services provided by the groups to which they belong, and should be able to provide sufficient information on risks in the group as set out in Box 1 of SS5/21. 2.54 The scope of the MTP register reporting will be retained as initially proposed, which excludes third country branches. The FCA will share data from the registers it collects from third country branches with the PRA. This will allow both authorities to understand the third-party landscape and help to inform CTP designation recommendations. Definitions 2.55 As part of its proposal to expand the scope of its data collections from material outsourcing arrangements to all MTP arrangements, the PRA proposed to introduce definitions for ‘third-party arrangement’ and ‘material third-party arrangement’ in the PRA Rulebook. 2.56 Twelve respondents agreed with the definition of a ‘third-party arrangement’. A few respondents requested minor changes or the removal of references to third-party arrangements within group structures or subcontractors. The PRA and FCA have made some minor amendments to the third-party arrangement definition in the Glossary to further align and provide consistency for firms. The PRA considers that the use of products or services from within the group constitute a third-party arrangement, as do those supplied by subcontractors, and therefore has retained the reference in the definition. 2.57 One respondent asked for clarification on whether the focus of the third-party arrangement definition is on the service provider itself, rather than the use of a business referral. The PRA can confirm that business referrals would not be included in the definition of a third-party arrangement. 2.58 Five respondents asked the PRA and FCA to further align their respective definitions of MTP arrangements. Three respondents suggested that the PRA’s definition of MTP arrangement was too broad. Having considered feedback, the PRA has decided to maintain the materiality criteria within the definition as consulted upon. The PRA and FCA consider that while the materiality criteria must remain specific to each supervisory authority, the respective policies and definitions are aligned in substance. The design and goals of the respective policies are the same, while respecting the different objectives and legal frameworks. 2.59 Six respondents asked for the PRA to provide further clarity through guidance and examples for how firms should identify MTPs. One respondent did not agree with the proposal for firms to make the judgement as to whether an arrangement is material. Following feedback, the PRA has amended Chapter 5 of SS2/21 to provide clarity on how it expects firms to identify MTPs, including by providing further guidance and examples. The PRA considers that is more proportionate to give firms the flexibility to take responsibility and ownership of this judgement as opposed to prescribing detailed requirements for materiality. This approach should also help ensure that firms do not submit reports on third parties that they do not consider to be material. 2.60 Four respondents requested clarity on intragroup arrangements and whether these arrangements should be classified as material. Two of these noted that the PRA and FCA diverged on this issue in the consultation proposals and asked for the supervisory authorities to align. In feedback to the consultation responses, the PRA has amended the Notification Part and the Reporting Part to state that intragroup arrangements do not need to be notified or included in the register submission unless the person providing the intragroup arrangement has entered into an arrangement with a person outside the group for the provision of that product or service to the firm. Where the firm is a ring-fenced body, this applies only if the person providing the product or service is a permitted supplier. This approach has been aligned with the FCA’s. The PRA considers this approach to be proportionate while also ensuring it has sufficient oversight of risks posed by these arrangements to its objectives. 2.61 Two respondents requested further clarity on non-core services and how to consider these as part of the materiality assessments. The PRA can clarify that non-core services should not be considered material, as they are those that, when disrupted, would not result in a service being significantly impacted, interrupted or damaged. Hence, the disruption can be resolved quickly and with minimal impact on the service. Further detail on non-core services can be found in paragraph 5.13 of SS2/21. 2.62 Two respondents noted that expanding reporting requirements to include MTPs could result in a considerable burden for firms, with one stating that arrangements should only be classified as material if they support an important business service. The PRA confirms that firms are only required to submit information on third parties they assess pose significant risk to the PRA’s objectives. The PRA considers this approach balanced giving firms the flexibility to determine their own MTP arrangements, in line with provided guidance, while also promoting clarity and consistency with a standardised template. 2.63 One respondent was concerned that the proposed MTP arrangement rules might overlap with outsourcing requirements. The PRA can clarify that the notification requirements for MTP arrangements will supersede those for material outsourcing notifications. 2.64 One respondent noted that the proposal for third-party arrangements to be considered material, if they pose a risk to policyholder protection (in the case of insurers), overlooks the shared responsibility model. The PRA considers it important to clarify that the risk to policyholder protection lies with the firm, and that the firm must take this into account when entering third-party arrangements. Notification 2.65 The PRA proposed to amend the scope of the Notifications Part to capture material non-outsourcing third-party arrangements as well as material outsourcing arrangements. The CP set out proposals on where firms would be required to submit notifications upon entering, or significantly changing, an MTP arrangement which, due to the risks, necessitates a high degree of due diligence, risk management or governance by the firm. 2.66 Three respondents supported the PRA’s approach to MTP notifications. Ten respondents requested that the PRA and FCA align their approach to notifications due to the complexity of complying with differing requirements. Of these, four respondents asked that the PRA align its approach with the FCA, while one asked for the FCA to align with the PRA. 2.67 Following these responses, the PRA considers that it would improve consistency and reduce burden on firms to align with the FCA by requiring firms to submit notifications when entering into or significantly changing an MTP arrangement. Accordingly, the PRA has amended Rule 2.3B of the Notifications Part and Chapter 5 of SS2/21. To further limit reporting burden on firms, the PRA has worked with the FCA to establish a single platform for notification submissions. Firms must now submit MTP notifications to the PRA through FCA Connect . This approach ensures greater consistency and minimises the burden of submitting notifications to both the PRA and the FCA. 2.68 Two respondents requested that the PRA clarify timelines for reviewing notification submissions and issuing a response. Another respondent requested clarity regarding when firms should submit notifications. As set out in paragraph 5.23 of SS2/21, firms are expected to assess the materiality of planned third-party arrangements sufficiently early to notify the PRA, to enable the PRA to follow up if required. Firms should provide additional information regarding the arrangement if requested to do so and implement follow-up action if needed. As the framework is new to both firms and the PRA, the PRA is not setting specific timelines for firms to submit notifications or when the PRA will review them. 2.69 The PRA also wishes to clarify that the notification process is not an approval process. The PRA is unlikely to respond to submissions where the PRA does not need additional information or for the firm to implement follow-up action as set out in Chapter 5 in SS2/21. 2.70 One respondent asked whether the notification requirements apply solely to new or changing arrangements, or retrospectively to existing arrangements. Another asked the PRA to clarify whether they will need to resubmit the whole MTP register each time a notification is required. The PRA can confirm that the notification requirements would only apply to new or changing arrangements and does not expect firms to submit the register each time a notification is required. Firms are only required to submit the register on an annual basis. 2.71 One respondent requested that the requirement for firms to notify a significant change in an arrangement be removed as such changes could vary widely. Three respondents requested clearer guidance of when to notify supervisory authorities when there has been a 'significant change'. The PRA considers that the notification requirement for a significant change in an MTP arrangement is proportionate and ensures that the PRA has oversight of potential risks arising from significant changes to an arrangement. The PRA has set out further guidance and provided examples of a significant change in paragraph 5.8 of SS2/21. Register 2.72 The PRA proposed that firms submit a register of all their material third-party arrangements on an annual basis via FCA RegData . 2.73 Two respondents expressed concerns regarding the potential burden of completing and submitting the register on an annual basis. The policy seeks to ensure firms have adequate time to review and update data without risking it becoming outdated. The PRA considers that updating the register at least once a year achieves this balance. 2.74 Two respondents asked for clarification on how to submit the register to FCA RegData. The PRA can confirm that firms will be required to complete the template and upload it to FCA RegData on an annual basis. 2.75 One respondent requested firms be given a transitional period to complete the register. The PRA can confirm that firms will have until March 2027 before the requirements come into force. 2.76 One respondent asked if the register requirements apply to all third-party arrangements or just those classified as material. The PRA can clarify that only MTP arrangements need to be submitted via the register, though firms may keep registers of all third-party arrangements if they choose. 2.77 One respondent questioned whether the register requirements applied at the holding company level. The PRA can confirm that the individual entity is responsible for the register requirements. Information to be submitted to the PRA Template 2.78 CP17/24 proposed a reporting template to be used by firms for the notifications and register submissions. To provide consistency and reduce reporting burden on firms, the PRA developed the templates to be interoperable where possible with similar regimes, such as the EBA Outsourcing Guidelines and Article 28 of the EU’s DORA. 2.79 The PRA received broad support from firms regarding the introduction of standardised reporting templates. Respondents also supported efforts to align the templates with similar regimes as much as possible. 2.80 Five respondents requested that the PRA and FCA align the MTP reporting templates. One respondent asked for clarity on whether there is a single template between supervisory authorities or different templates. The PRA can confirm that the supervisory authorities have fully aligned reporting templates for all firms in scope of the policy. 2.81 A respondent requested clarification on whether the same template would be used for both notifications and the register. Some indicated that using a single template could present difficulties, as firms might not have all necessary data at the time of notification. The PRA has reviewed the responses and has revised the policy to provide two separate templates: one for notification and one for the register. Although the data fields are consistent across both templates, some fields in the notifications template are now optional. Additional information is available in Appendix 8: Changes to the material third party reporting templates. 2.82 A respondent sought clarification on which third-party relationships should be included in the template, specifically outsourcing versus non-outsourcing. The PRA clarifies that all MTP arrangements – outsourcing or non-outsourcing – must be listed in the register. Further details on assessing materiality are provided in Chapter 5 of SS2/21. 2.83 Three respondents considered the templates were too burdensome to complete due to the amount of data being requested and the requirement for a new row for each entry. One respondent suggested the creation of a cross industry subject expert group to agree a reporting template along with accompanying guidance to ensure compliance. The PRA has removed numerous data fields to reduce reporting burden and amended the templates and guidance to improve clarity. Regarding rows, the PRA has decided to maintain its current approach to ensure that firms can submit consistent data on each arrangement. While the PRA supports industry cooperation, it does not consider that an industry developed template would be appropriate due to the supervisory authorities’ needs to collect certain data to achieve their policy aims. 2.84 Four respondents expressed concern over the requirement to provide a Legal Entity Identifier (LEI) number. Following feedback, the PRA has provided firms with the option to choose ‘N/A’ if an MTP does not have an LEI number. The PRA considers this provides firms with more flexibility while also ensuring consistency for the purpose of identifying the third-party provider. 2.85 One respondent expressed concern that firms may be limited in the information they can obtain from third parties, which may mean they cannot complete the templates. Another stated that open field questions may cause firms to speculate on the level of detail required. The PRA considers it important to clarify that a firm must take reasonable steps to obtain information from third parties to complete the templates. It also states that a small number of open field questions are required to allow firms to provide further detail and contextual information. 2.86 One respondent stated that the taxonomies proposed were not relevant for PRA-regulated firms that are not subject to DORA. While taxonomies proposed in the templates have been aligned with DORA to provide consistency for firms subject to these requirements, the PRA considers that the taxonomies are also relevant to those that are not subject to these requirements. 2.87 Six respondents sought clarification about the process for ranking the supply chain and requested additional guidance. Three respondents did not agree with the proposal for firms to rank the supply chain. Having considered the responses, the PRA has decided to retain the ranking requirements and notes that the approach is aligned with DORA as much as possible. Firms are increasingly using third parties to support important business services and many of these arrangements rely on multiple third parties. The Rank columns also allow the PRA to identify critical nodes within the supply chain. 2.88 Further comments regarding specific data fields within the reporting templates have been addressed in Appendix 8: Changes to the material third party reporting templates. Reporting solution 2.89 The PRA received broad support for the proposal for firms to submit their register using FCA RegData. Respondents noted that it would reduce duplicative reporting between supervisory authorities. 2.90 One respondent asked whether all information for the register would need to be submitted on FCA RegData and whether information will be shared across supervisory authorities. The PRA can confirm that the register must be submitted via FCA RegData and where appropriate, will be shared across supervisory authorities. 2.91 One respondent expressed concerns about the security of FCA RegData, suggesting that the use of a single point of submission would create a vulnerability. The FCA implements and maintains robust technical and organisational measures to protect the confidentiality, integrity, and availability of information in line with its statutory obligations under the Financial Services and Markets Act 2000 (FSMA). These measures are aligned with recognised security frameworks, including ISO 27001 and the NIST Cybersecurity Framework , and are subject to regular review and assurance. Controls include, but are not limited to, access management, encryption, monitoring, and incident response. 2.92 One respondent asked for clarity as to whether the register collection on BEEDs would continue alongside FCA RegData. The PRA can confirm that the BEEDs collection would not continue once the register requirements come into effect. 3: Accountability framework and implementation Accountability framework 3.1 When making rules, the PRA is required to comply with several legal obligations. In CP17/24, the PRA published its explanation of why the proposed rules were compatible with its objectives and with its duty to have regard to the regulatory principles. footnote [2] 3.2 In addition, when making CRR rules or rules applying to certain holding companies, the PRA must publish a summary of the purpose of the proposed rules. footnote [3] The purpose of the rules included in the Notifications Part and the Reporting Part (Appendix 1) is to set out clear notification and reporting requirements for the reporting of operational incidents and MTP arrangements. 3.3 Where the final rules differ from the draft in the CP in a way that the PRA considers is significant, the Financial Services and Markets Act 2000 (FSMA) footnote [4] requires the PRA to publish: details of the differences together with an updated cost benefit analysis; a statement setting out in the PRA’s opinion whether or not the impact of the final rules on mutuals is significantly different from the impact that the draft rules would have had on mutuals; or the impact that the final rules will have on other PRA-authorised firms. 3.4 Additionally, in carrying out its policymaking functions, the PRA is required to have regard to various matters. In CP17/24, the PRA explained how it had regard to the most relevant of these matters in relation to the proposed policy. 3.5 The PRA considers that the changes to its draft policy on operational incident and MTP reporting do not significantly alter its consideration of its objectives or the matters to which it must have regard, or the impact of its proposals on mutual societies. The PRA considers that the changes made in its final policy are likely to meaningfully reduce costs relative to the benefits from the policy. Implementation and next steps 3.6 The implementation date for final rules and policy materials reflecting policy changes set out in this PS is 18 March 2027. 3.7 References related to the UK’s membership of the EU in SS2/21 covered by the policy in this PS have been updated as part of this PS to reflect the UK’s withdrawal from the EU. Unless otherwise stated, any remaining references to EU or assimilated legislation refer to the version of that legislation which forms part of assimilated law. footnote [5] As noted in paragraph 2.193 of PS16/24. Section 138J(2)(d) of FSMA. Section 144D(2)(a) of FSMA. Sections 138J(5) and 138K(4) of FSMA. For further information please see Transitioning to post-exit rules and standards . For further information please see Transitioning to post-exit rules and standards . Close Sections 138J(5) and 138K(4) of FSMA. Close Section 144D(2)(a) of FSMA. Close Section 138J(2)(d) of FSMA. Close As noted in paragraph 2.193 of PS16/24. Close Appendices Appendix 1: PRA Rulebook: CRR Firms, Non-CRR Firms, Solvency II Firms & Non-Solvency II Firms: Notification of Third-Party Arrangements and Operational Incident Reporting Instrument 2026 Appendix 2: SS1/26 – Operational resilience: Incident reporting Appendix 3: SS2/21 – Outsourcing and third party risk management Appendix 4: Reporting fields document Appendix 5: Material third party notification reporting template 'form M' Appendix 6: Material third party register template Appendix 7: Changes to the reporting fields document Appendix 8: Changes to the material third party reporting templates Appendix 9: List of respondents to CP17/24 who have consented to the publication of their names Convert this page to PDF Other prudential regulation releases Prudential Regulation // Policy statement 18 March 2026 PS7/26 – Operational resilience: Operational... PS7/26 – Operational resilience: Operational incident and third-party reporting Prudential Regulation // Consultation paper 17 March 2026 CP5/26 – Modernising the liquidity policy... CP5/26 – Modernising the liquidity policy framework Prudential Regulation // Policy statement 05 March 2026 PS6/26 – Recognised exchanges policy and... PS6/26 – Recognised exchanges policy and transfer of main indices Prudential Regulation // PRA Regulatory Digest 02 March 2026 PRA Regulatory Digest – February 2026 PRA Regulatory Digest – February 2026 View more Other prudential regulation releases Back to top

PS7/26 – Operational resilience: Operational incident and third-party reporting | Bank of England

Classification

Pipeline Progress

🔄 Pipeline Journey

🤖 How this summary was made

Full AI Instructions