The FCA has published a consultation paper on proposals to require firms to report operational incidents and their material third party arrangements.
The requirements will apply to authorised firms and PSPs as well as RIEs, and registered trade repositories and credit rating agencies.
Currently, firms notify the FCA of operational incidents using Principle 11 notifications. But the FCA rules do not define what an “operational incident” is, when firms should report, what information they should include in a report or how to submit the report.
The FCA now proposes to define an operational incident (as a single event or series of linked events that disrupt a firm’s operations such that there is disruption to delivery of a service to a client or external user, or that there is an impact on the availability, authenticity, integrity or confidentiality of information or data relating to such a person) and to require firms to submit standardised reports on incidents that breach certain thresholds relating to consumer harm, market integrity and safety and soundness.
Separately, the FCA plans to introduce rules to require reporting of material third party arrangements that will ensure it is made aware of both outsourcing and non-outsourcing arrangements in a better organised way than the current position, under which it receives only limited and inconsistent data on outsourced arrangements. These requirements will apply to the firms that have the biggest consumer and market impact – broadly dual-authorised firms, enhanced scope SMCR firms, payment and e-money firms and CASS large firms.
The FCA proposes to implement the new requirements through changes to SYSC and SUP, as well as further changes to the glossary including a new definition of “third party arrangement”.
The PRA has issued similar proposals with consequential changes to its rules, and the BoE a related paper setting out similar requirements for FMIs.
Consultation closes on 13 March 2025.