
The FCA’s new incident and third-party reporting rules: what applies to your firm?

PS26/2, FG26/3 and FG26/4 give firms a year to prepare. The real challenge is working out what actually applies, and who needs to do what.


The new rules are final — but not every firm is caught in the same way

The FCA’s new framework on operational incident and third-party reporting is now settled. It was finalised in PS26/2 on 18 March 2026, with supporting guidance in FG26/3 on Operational Incident Reporting and FG26/4 on Material Third Party Reporting. The new regime comes into force on 18 March 2027, so firms have a year to prepare.


What makes this change easy to misread is that it is really two regimes sitting alongside each other. One covers operational incident reporting. The other covers material third-party reporting. Some firms will need to deal with both. Others will only be affected by the incident reporting side. That distinction is important, because there is already a risk that firms assume the new third-party register applies to everyone. It does not. 


What PS26/2 actually does...


PS26/2 says the FCA’s final rules are intended to create a single regulatory approach across the FCA, PRA and Bank of England for reporting operational incidents and material third-party arrangements. On the incident side, the rules define what an operational incident is, set reporting thresholds, and introduce a standardised reporting process. On the third-party side, they define a material third-party arrangement, require firms to notify new arrangements or significant changes, and require certain firms to maintain and submit an annual register. 


The policy objective is straightforward. The FCA says operational incidents can harm consumers and the wider sector, and that many incidents originate at third parties on which firms increasingly rely. In other words, this is not just a cyber story. It is also about resilience, dependency and how quickly regulators can understand the impact when something goes wrong.


Which firms are caught by the operational incident reporting rules?


This is the broader part of the framework. According to PS26/2, operational incident reporting applies to all firms with a Part 4A permission, as well as payment service providers, UK recognised investment exchanges, registered trade repositories and registered credit rating agencies. That means a wide range of authorised firms will need to understand this part of the regime. 


FG26/3 then adds more detail by distinguishing between standard reporting firms and enhanced reporting firms. Enhanced reporting firms include enhanced scope SM&CR firms, banks, designated investment firms, building societies, Solvency II firms, CASS large firms, payment service providers, UK recognised investment exchanges, registered trade repositories and registered credit rating agencies. That matters because the reporting expectations are not identical across all firms. 


Which firms are caught by the third-party reporting rules?


This is the narrower regime. PS26/2 says the third-party reporting requirements apply to enhanced scope SM&CR firms, banks, designated investment firms, building societies, Solvency II firms, CASS large firms, UK recognised investment exchanges, authorised electronic money institutions or authorised payment institutions, and consolidated tape providers. 


So, while many firms will be in scope for incident reporting, a smaller set of firms will need to notify material third-party arrangements and submit the annual register. That is the part many firms need to map carefully before they start building processes that may not actually be required. 


What this means for brokers and intermediaries

For insurance intermediaries, the position is less uniform. If the firm has Part 4A permission, it is likely to be in scope for operational incident reporting. But that does not automatically mean it is in scope for the third-party register and notification regime. Whether that second layer applies will depend on whether the firm falls into one of the categories listed by the FCA, such as enhanced scope SM&CR firms or CASS large firms. 


So for many brokers, the practical answer may be: yes to incident reporting, but not necessarily yes to the third-party register. That is why a proper scope assessment is so important at the start. It is also why this should not be left solely to operations or IT teams. 

Why firms should not underestimate “operational incident”


One of the more useful parts of FG26/3 is that it helps firms think beyond obvious cyber events. The FCA’s own operational incidents page says incidents might result from cyber attacks, failed system changes or disruption at a third party. That is a helpful reminder that firms do not need a headline-grabbing breach before these rules become relevant. 

In practice, many firms are more likely to face issues such as failed upgrades, outages, platform disruption or service interruptions affecting customers and staff. For insurance firms, that could easily mean disruption to claims handling, policy administration or customer servicing. The regulatory challenge is being able to identify quickly when an event crosses the FCA’s thresholds and becomes reportable. 


Why the third-party piece is more significant than it looks

FG26/4 is where many firms may find the real implementation challenge. The FCA is not just asking for a list of outsourcers. It wants firms in scope to identify material third-party arrangements more broadly. That means firms will need a defensible way of deciding which relationships are material, when changes are significant, and how the register will be maintained over time. 


For some firms, that will expose a gap between existing outsourcing records and the wider set of relationships that really matter in practice. A cloud provider, claims technology platform or operational support provider may not always sit neatly inside an old outsourcing inventory, but it may still be highly material to resilience and service delivery. That is exactly the kind of issue these new rules are designed to bring into view. This is an inference from FG26/4’s framework and scope. 


This is also a governance issue

Although PS26/2 is not an SM&CR publication, it clearly has governance implications. Someone in the firm needs to decide whether an incident is reportable, whether a third-party arrangement is material, whether a change is significant, and whether a notification is complete. If those responsibilities are blurred across operations, procurement, compliance and senior management, implementation will be much harder than it needs to be. This is an inference from the structure of the final regime. 


That is why firms should resist the temptation to treat this as a policy drafting exercise. The harder part is ownership, escalation and consistency. The firms that get ahead of this early will usually be the ones that can answer simple questions clearly: what applies to us, who owns it, and how will we evidence the decisions? 


What firms should do now

The best starting point is a scope exercise. Work out first whether your firm is caught only by the operational incident rules, or by both the incident and material third-party regimes. Then identify whether you fall into a standard or enhanced reporting category under FG26/3, and whether you have the information needed to identify material third-party arrangements under FG26/4. 

The FCA has given firms 12 months to prepare and says it will support implementation during that period. Its webpages also point firms to example templates and process guidance, and for the annual material third-party register it notes that firms in scope will be told when the submission window opens and will then have 90 calendar days to file.



 
 
 


RR Compliance Associates is a member of the Association of Professional Compliance Consultants. Contact us today by calling +44 (0) 203 488 4322 or emailing contact@rrcompliance.com

© 2026 ​RR Compliance Associates. All rights reserved.

 


RR Compliance Associates are a trading style of R&R Compliance Consultants Ltd, a limited company registered in England and Wales (company number 12070286). Our registered office is 51 Lime Street, London, EC3M 7DQ. 
