Regulators consult on proposals for operational incident, outsourcing and third party reporting

What does this mean?

The proposed rules support and align with broader policy  objectives for operational resilience, outsourcing and third party risk. The regulators aim to enhance the quality and consistency of information they receive regarding operational incidents and the use of third party providers. 

This involves prioritising significant risks with clear requirements for reporting incidents and material third party arrangements. The proposals also introduce standardised reporting requirements to improve the quality and comparability of information submitted to the regulators, thereby allowing for better identification of key risks and dependencies. This includes better identification of systemic concentration risks and dependencies for management under the new UK Critical Third Parties regime. 

Operational incident reporting

• Definition and scope: Operational incidents are defined as single events or a series of linked events that disrupt a firm's operations, impact the delivery of services to clients, or compromise the availability, authenticity, integrity, or confidentiality of client data. 

• Reporting thresholds and process: Firms are required to report operational incidents that breach specific thresholds. These thresholds are designed to capture incidents that could cause intolerable levels of harm to consumers, pose risks to market stability and integrity, or threaten the safety and soundness of the firm and other market participants. The reporting process involves submitting an initial report as soon as practicable after the incident occurs, followed by intermediate updates as the situation evolves, and a final report once the incident is resolved.

• Impact assessment and factors to consider: The factors firms need to consider include the direct and indirect impact on firms’ clients and the wider sector, the firm's ability to provide adequate services, reputational damage, compliance with legal and regulatory obligations, and the safeguarding of client data. The assessment should be thorough and consider both the immediate and potential long-term effects of the incident.

Outsourcing, and third party reporting

• Scope expansion: Formal expansion of the scope of existing third party data collections to cover both material outsourcing and non-outsourcing (‘material third party’) arrangements, recognising that firms increasingly rely on a wide range of third party services beyond traditional outsourcing. The regulators propose to define a 'third party arrangement' as any form of arrangement between a firm and a service provider, regardless of whether the product or service is one the firm would otherwise provide, is provided directly or by a sub-contractor, or is provided by a person within the same group as the firm.

• Notification and register requirements: Firms would need to submit notifications ahead of entering into or significantly changing all relevant material third party arrangements in a standardised template, supported by additional documentation where necessary. Additionally, in place of existing expectations for outsourcing registers, firms are required to maintain a register of all material third party arrangements, which must be submitted on a consolidated basis at least on an annual basis. Proposed templates for the notifications and register are aligned, including specific data fields and underpinning taxonomies between these and the incident reports to enable dataset interaction. To support understanding of firms’ third party supply chains, they need to ‘rank’ the position of each product or service provider within its supply chain, with direct provision always ranked ‘1’, the provider’s supplier a ‘2’, and lower numbers corresponding to the position of any further dependencies in chains. Only those service providers whose disruption would impair the continuity of firms’ services, regardless of their rank, should be identified.

What do firms need to do?

Firms need to assess the practical impact on their business processes and governance to familiarise themselves with the proposals and optimise compliance. As part of this exercise, they should engage in preliminary planning for the implementation of the proposed rules. This should include:

• identifying the resources needed

• potential changes to internal systems and processes, including existing third party-specific data management

• any training requirements for staff.

Firms should also better understand how the proposed templates will integrate with their existing frameworks and regulatory expectations. These have been designed to be interoperable where possible with similar existing and future regimes, including the EBA Outsourcing Guidelines and the EU's Digital Operational Resilience Act (DORA).

Many firms complying with existing UK regulatory notification and record-keeping expectations will likely already have records of their material third party arrangements for reporting purposes. For example, the PRA has been collecting a similar register of information from some banks on a voluntary ad-hoc basis since 2018, and from certain insurers since 2023.

Identifying existing processes and regulatory expectations, as well as any uplifts required to meet proposals, will help inform responses to these proposals and provide clarity on potential actions and efforts to follow.

Next steps

Firms need to respond to the regulators by 13 March 2025. Following the consultation period, the regulators plan on publishing the finalised rules in H2 2025.