UK Operational Resilience Framework Update: Incidents & Reporting

The next phase of the UK’s financial Operational Resilience Framework: a summary of the Regulators’ latest consultation paper

23 December 2024


Introduction

Last month we saw the UK’s financial regulators announce their joint critical third parties (CTPs) oversight regime, setting out the robust regulatory framework CTPs must follow when providing services to regulated financial firms – see our summary here. As part of the broader strategy aimed at bolstering the operational resilience of the UK's financial system, the regulators have jointly developed proposals on Operational Incidents and Third Party Reporting. The FCA and PRA each released a separate consultation paper, but the approach taken in each is consistent with the other (collectively, the CP).

The CP aims to further develop the UK’s operational resilience framework by minimising the impact of operational disruptions and addressing the systemic risks posed by the increasing reliance on third-party service providers. Below, we outline the key insights from the CP, its implications for firms, and next steps.

Operational Incidents

The FCA proposes the following definition of an operational incident:

“A single event or a series of linked events that disrupts the firm’s operations, where it either:

  • disrupts the delivery of a service to the firm’s clients or a user external to the firm; or
  • impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to the firm’s clients or a user external to the firm”.

Those familiar with the EU's Digital Operational Resilience Act (DORA) will recognise similarities between its definition of an “ICT-related incident”1 and the terminology used in the CP. The CP repeatedly acknowledges the FCA's intention to align with international operational resilience standards, including DORA. However, a crucial distinction between the CP and DORA lies in the FCA's broader approach. Specifically, the FCA's definition (i) encompasses any incident that disrupts service delivery, extending beyond the security of network and information systems as under DORA; and (ii) requires that the disruption meet only one of the criteria listed in the definition, as opposed to DORA's requirement for both criteria to be met.

The CP’s proposal requires firms to report operational incidents that breach one or more of the following three thresholds:

  1. Consumer Harm
  2. Market Integrity
  3. Safety and Soundness

These thresholds are determined by the actual or potential impact of an incident, placing the onus on firms to assess whether an incident breaches any of these criteria. The CP details various factors for firms to consider when evaluating the reporting thresholds, such as the impact on the firm’s clients or the wider sector, the effect on consumers, and reputational impact, among others.

Mirroring DORA's reporting obligations, firms must submit initial, intermediate, and final reports to the FCA for reportable operational incidents. The FCA emphasises that these rules are designed to align with international incident reporting frameworks, including DORA, facilitating efficient information exchange between regulators across different jurisdictions.

Third-Party Arrangements Reporting

Recognising the growing dependence on third-party service providers and the potential systemic risk this poses, the CP proposes enhancements to the reporting requirements for a subset of firms (these include banks, building societies and PRA designated investment firms). The key proposals include:

  • Expanding the scope of existing outsourcing notifications to cover both material outsourcing and non-outsourcing arrangements.
  • Introducing a template for firms to notify changes in these arrangements or report new ones.
  • Requiring firms to maintain and annually submit a register of their material third-party arrangements to ensure up-to-date information.

The UK financial regulators are seeking to address existing gaps in the oversight of third-party arrangements. Given the increasing complexity of, and reliance on, technology within firm operations, the new rules will mandate comprehensive risk management for all material third-party arrangements. This includes arrangements involving the provision of data, hardware, software, and more, extending beyond those classified as outsourcing. In line with DORA, the emphasis will be on managing risks associated with service providers in the supply chain whose disruption could compromise the continuity of a firm's services. Additionally, firms will be required to specify the services utilised from a pre-defined list, which aligns with Annex III of the Register of Information RTS under DORA but will also include relevant non-ICT services.

Implications for Firms

Firms active in the EU should already be familiar with the principles addressed in this CP. The proposed regulations concerning incident reporting and third-party reporting/register requirements are designed to closely align with DORA and the EBA Outsourcing Guidelines. Although these rules are currently in the consultation phase, firms can leverage their existing processes and compliance frameworks to significantly ease the transition once these regulations are implemented.

Next steps

The CP sets out several questions on which the regulators would like feedback, and firms are encouraged to review the proposals and assess their impact on current practices. Feedback on the CP should be submitted to the FCA by 13 March 2025 and to the PRA by 14 March 2025.

1 Article 3(8), DORA

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.