The UK’s Prudential Regulation Authority (“PRA”) has issued a consultation paper on proposals for rules and expectations for regulated firms to report operational incidents and material third-party arrangements (the “CP”) in order to collect data to enable monitoring and responses to risks.
Operational incident reporting
The proposed new rules will set out specific operational incident reporting requirements, with the definition of ‘operational incident’ being a single or series of linked events which disrupt operations in a way that interferes with the delivery of a service or impacts the availability, authenticity, integrity or confidentiality of information or data relating to an end user. Reportability is subject to clear thresholds that pose a risk to the PRA’s objectives, and should be made using a phased approach entailing:
- an initial incident report;
- further intermediate reports if there is a significant change in circumstances; and
- a final report.
The PRA is proposing that firms submit reports using a template in order to streamline the information that it receives.
Outsourcing and third-party reporting
Given the increasing reliance on third-party support of both an outsourcing and non-outsourcing nature, the PRA is proposing the collection of data on all ‘material third-party arrangements.’ These can be outsourcing or non-outsourcing arrangements the failure of which would have a significant impact on their failure or disruption. Note that the Financial Conduct Authority or FCA is proposing a different approach, and will require notifications for all material third-party arrangements. Also note that the PRA proposes requiring firms to maintain and submit a structured register of information on all of its material third-party arrangements.
Next steps
Implementation is scheduled for no earlier than the second half of 2026, with incident reports to be hosted by the FCA’s Connect portal. Responses to the consultation paper are due by 14 March 2025.