CP17/24 – Operational resilience: Operational incident and outsourcing and third-party reporting

Consultation paper 17/24
Published on 13 December 2024

Privacy statement

By responding to this consultation, you provide personal data to the Bank of England (the Bank, which includes the Prudential Regulation Authority (PRA)). This may include your name, contact details (including, if provided, details of the organisation you work for), and opinions or details offered in the response itself.

The response will be assessed to inform our work as a regulator and central bank, both in the public interest and in the exercise of our official authority. We may use your details to contact you to clarify any aspects of your response.

The consultation paper will explain if responses will be shared with other organisations (for example, the Financial Conduct Authority). If this is the case, the other organisation will also review the responses and may also contact you to clarify aspects of your response. We will retain all responses for the period that is relevant to supporting ongoing regulatory policy developments and reviews. However, all personal data will be redacted from the responses within five years of receipt. To find out more about how we deal with your personal data, your rights, or to get in touch please visit Privacy and the Bank of England.

Information provided in response to this consultation, including personal information, may be subject to publication or disclosure to other parties in accordance with access to information regimes including under the Freedom of Information Act 2000 or data protection legislation, or as otherwise required by law or in discharge of the Bank’s functions.

Please indicate if you regard all, or some of, the information you provide as confidential. If the Bank receives a request for disclosure of this information, we will take your indication(s) into account but cannot give an assurance that confidentiality can be maintained in all circumstances. An automatic confidentiality disclaimer generated by your IT system on emails will not, of itself, be regarded as binding on the Bank.

Responses are requested by 13 March 2025.

Consent to publication

In the policy statement for this consultation, the PRA will publish an account, in general terms, of the representations made as part of this consultation and its response to them. In the policy statement, the PRA is also required to publish a list of respondents to its consultations, where respondents have consented to such publication.

When you respond to this consultation paper, please tell us in your response if you agree to the publication of your name, or the name of the organisation you are responding on behalf of, in the PRA’s feedback response to this consultation.

Please make it clear if you are responding as an individual or on behalf of an organisation.

Where your name comprises ‘personal data’ within the meaning of data protection law, please see the Bank’s Privacy Notice above, about how your personal data will be processed.

Please note that you do not have to give your consent to the publication of your name. If you do not give consent to your name being published in the PRA’s feedback response to this consultation, please make this clear with your response.

If you do not give consent to publication, the PRA may still collect, record and store your name in accordance with the information provided above.

You have the right to withdraw, amend or revoke your consent at any time. If you would like to do this, please contact the PRA using the contact details set out below.

Responses can be sent by email to: CP17_24@bankofengland.co.uk.

Alternatively, please address any comments or enquiries to:
The Recovery, Resolution and Resilience Team
Prudential Regulation Authority
20 Moorgate
London
EC2R 6DA

1: Overview

1.1 This consultation paper (CP) sets out the Prudential Regulation Authority’s (PRA) proposals to set out, in rules and supervisory expectations, requirements for firms to report operational incidents and their material third-party arrangements.

1.2 The PRA proposes to establish a framework for timely, accurate and consistent reporting of certain operational incidents, and notification and reporting of material third-party arrangements. The proposals set out clear and robust requirements and expectations for regulatory reporting which aim to support the operational resilience of the UK financial sector and enhance the PRA’s understanding of sector threats and vulnerabilities.

1.3 The proposals in this CP would allow the PRA to collect data which would be used to monitor and respond to potential risks arising from operational incidents and firms’ increasing reliance on third parties in an effective but proportionate manner and advance the PRA’s objectives of firm safety and soundness, and policyholder protection.

1.4 The proposals set out in this CP are consistent with the approach developed jointly with the Financial Conduct Authority (FCA) and the Bank of England (the Bank), in its capacity as a supervisor of Financial Market Infrastructures (FMIs). The proposals in this CP would result in:

  • requirements for firms in the PRA Rulebook as detailed in the relevant CP Chapters;
  • a new supervisory statement (SS) setting out the PRA’s expectations of how firms should comply with and interpret the proposed new requirements in the rules; and
  • amendments to SS2/21 – Outsourcing and third-party risk management.

1.5 Chapter 2 of this CP, which deals with operational incident reporting, is relevant to all:

  • UK banks, building societies, PRA-designated investment firms and branches of overseas banks (‘banks’); and
  • UK Solvency II firms, the Society of Lloyd’s and its managing agents (‘insurers’).

1.6 Chapter 3 of this CP, which deals with outsourcing and third-party reporting, is relevant to all PRA-regulated firms.

1.7 Banks and insurers are collectively referred to as ‘firms’ in this CP.

1.8 The PRA has a statutory duty to consult when introducing new rules and changing existing rules (s138J of the Financial Services and Markets Act (FSMA) 2000), or new standards instruments (s138S of FSMA). When not making rules, the PRA has a public law duty to consult widely where it would be fair to do so.

1.9 None of the statutory practitioners’ panels were consulted about the proposals in this CP. The PRA consulted the Cost Benefit Analysis (CBA) Panel on its CBA. The feedback from this Panel is detailed in Appendix 4.

1.10 In carrying out its policymaking functions, the PRA is required to comply with several legal obligations. The analysis in this CP explains how the proposals have had regard to the most significant matters, including an explanation of the ways in which having regard to these matters has affected the proposals.

Background

1.11 A key priority for the PRA is to improve the operational resilience of firms and protect the wider financial sector from the impact of operational disruptions. As the financial sector becomes increasingly interconnected, complex and dynamic, strengthening operational resilience enables firms and the financial sector to more effectively deal with risks to prevent, adapt, respond to, recover, and learn from operational disruptions.

1.12 Over recent years, the PRA has undertaken a series of policy development initiatives to put in place a stronger regulatory framework to promote operational resilience. The proposals set out in this CP form part of that programme. The proposed policy would allow the PRA to collect good quality, consistent data focusing on operational incidents and material third-party arrangements which pose the most risk to firms and the financial sector. The proposals set out in this CP aim to enhance operational resilience by helping the PRA gain better oversight of these risks and provide more meaningful feedback to firms and the financial sector to help address vulnerabilities and prepare for emerging risks.

1.13 In 2019, the Treasury Select Committee (TSC) published a report examining the 2018 IT failures in the financial services sector. This report made a number of recommendations for UK regulators, including that the Bank, PRA and FCA (collectively, the ‘supervisory authorities’) should assess the accuracy and consistency of incident reporting data, clarify standards, guidance and definitions for industry and consider the need to expand current reporting requirements. The PRA responded to the TSC report by publicly committing to review its regulatory reporting requirements for operational resilience.

1.14 The PRA previously postponed the introduction of incident reporting proposals due to the Covid–19 pandemic, aiming to avoid placing additional burden on firms during a challenging period. The operational incident reporting proposals set out in this CP seek to address the relevant recommendations made in the TSC report.

1.15 Following the publication of policy statement (PS)6/21 – Operational Resilience policy and SS2/21 – Outsourcing and third-party risk management, in March 2021, the PRA publicly committed to consult on proposals for an online portal [footnote 1] that all firms would populate with information about their outsourcing and third-party (OATP) arrangements.

1.16 In November 2024, the supervisory authorities published the regulatory regime for the supervision of Critical Third Parties (CTPs) to the financial sector in PS16/24 – Operational resilience: Critical third parties to the UK financial sector. PS16/24 recognises the risk that severe disruption arising from certain third parties could pose to the safety and soundness of firms, policyholder protection and the financial stability of the UK. To support the identification of CTPs and assess where critical nodes of failure could arise, the PRA needs to collect adequate data on firms’ material third-party arrangements [footnote 2].

1.17 The proposals in the CP aim to ensure that firms submit consistent and good quality reporting of incidents and material third-party arrangements by:

  • Prioritising the most significant risks to operational resilience: by setting out clear requirements which enable firms to report those operational incidents and material third-party arrangements which pose risks to the safety and soundness of the firm, and for insurers, an appropriate degree of policyholder protection, and/or for systemically important firms [footnote 3], to the resilience of the UK financial sector [footnote 4].
  • Setting out standardised reporting requirements: to enhance the quality and comparability of information submitted to the PRA on incidents and material third-party arrangements. This would allow the PRA to understand potential risks and vulnerabilities within the financial sector more effectively and efficiently and better identify firms’ reliance on material third parties.

1.19 There has been increasing focus internationally on strengthening operational resilience. In developing the proposals, the PRA understands that firms may be subject to a number of reporting requirements from regulatory authorities in other jurisdictions. The policy has been designed to be as interoperable as possible with similar existing and future regimes, such as the EU’s Digital Operational Resilience Act (DORA) [footnote 5] and the Financial Stability Board’s Format for Incident Reporting Exchange (FIRE).

Structure of the CP

1.20 The CP is structured into the following chapters:

  • Chapter 2 – sets out proposals relating to the operational incident reporting.
  • Chapter 3 – sets out proposals relating to outsourcing and third-party reporting.

Cost benefit analysis (CBA)

1.21 The PRA has a statutory duty to consult when introducing new rules (s138J of FSMA). Specifically, the PRA is required to publish a CBA alongside any proposed rules, defined as an analysis of the costs, together with an analysis of the benefits that would arise if the proposed rules were made and an estimate of those costs and of those benefits, where reasonably practicable to do so.

1.22 The PRA has consulted the CBA Panel (‘the Panel’) on the preparation of this CBA. The Panel provided feedback on the way the draft CBA analysed the proposals’ counterfactual; the average ongoing costs of some proposals; and the explanation of the proposals’ positive benefits. A summary of the Panel’s comments and how the PRA responded can be found in paragraph 5 of Appendix 4.

Summary of benefits and costs

1.23 The CBA assesses the one-off and ongoing (annual) costs and benefits arising from the proposed framework. Based on the analysis set out below, the PRA expects that the proposals would bring net benefits to the UK financial sector. The full cost benefit analysis is set out in Appendix 4.

1.24 The potential compliance costs to firms directly arising from the proposals reflect the incremental changes that firms would otherwise not have undertaken in the absence of the proposed regulation. The PRA expects there will be one-off costs for firms, including from familiarising themselves with the proposals. There would also be annual ongoing costs to firms to comply with the reporting requirements. To account for individual firm differences and different scopes of application for each of the proposals, the PRA has estimated a range of costs associated with each of the proposals. In summary, the PRA estimates an upper bound of one-off and ongoing (annual) compliance costs of £11,382,000 and £858,000 respectively aggregated across all firms in scope of the proposals.

1.25 The benefits from the proposals are expected to arise through enhanced visibility of individual firms’ and broader financial sector operational resilience and systemic concentration risk arising from firms’ use of third parties. Where appropriate, the PRA can use the data to: work with firms to help them prioritise the mitigation of incident impacts and potential key vulnerabilities; and identify third parties that could be designated as critical to the financial sector as part of work to mitigate risks to financial stability from such entities. The introduction of standardised reporting guidance and reporting thresholds to limit the information submitted to operational incidents and third-party arrangements the PRA considers material could also minimise reporting burden and provide ongoing efficiency gains for firms as firms are currently using a range of approaches.

1.26 The indirect benefits of the proposals could include the maintenance of trust in the PRA’s prudential framework; increased alignment with international reporting frameworks, such as the EU’s DORA and the FSB FIRE; and the potential realisation of benefits from bringing critical third parties into scope of the PRA’s new supervisory oversight regime.

Implementation

1.28 The proposed implementation date for the proposals in the CP is no earlier than the second half of 2026.

1.29 The PRA intends for firms to submit operational incident reports using the FCA’s Connect portal. Connect is an online system hosted by the FCA which would enable firms to log in to complete the reports. The PRA notes this intention is based on its current analysis of technical reporting solutions and will continue to develop this approach ahead of the implementation date to ensure this is the most appropriate reporting platform.

1.30 The PRA intends for firms to submit an initial version of a register of information (‘Register’) of material third-party arrangements using the FCA’s RegData platform and ensure that this is up to date at least on an annual basis. The PRA notes this intention is based on its current analysis of technical reporting solutions and will continue to develop this approach ahead of the implementation date to ensure this is the most appropriate reporting platform. The PRA proposes that the current process for how firms submit Notifications on material OATP arrangements would remain unchanged and should be submitted via electronic means.

Responses and next steps

1.31 This consultation closes on Thursday 13 March 2025. The PRA invites feedback on the proposals set out in this consultation. Please address any comments or enquiries to CP17_24@bankofengland.co.uk.

1.32 When providing your response, please tell us whether or not you consent to the PRA publishing your name, and/or the name of your organisation, as a respondent to this CP.

1.33 Please also indicate in your response if you believe any of the proposals in this consultation paper are likely to impact persons who share protected characteristics under the Equality Act 2010, and if so, please explain which groups and what the impact on such groups might be.

1.34 References related to the UK’s membership of the EU in the SS covered by this CP have been updated as part of these proposals to reflect the UK’s withdrawal from the EU. Unless otherwise stated, any remaining references to EU or assimilated legislation refer to the version of that legislation which forms part of assimilated law [footnote 6].

2: Operational incident reporting

2.1 The PRA proposes to require firms to submit a report to the PRA following certain operational incidents. The PRA’s proposed requirements and expectations are set out in Appendices 1 and 2.

2.2 The rules would set out specific operational incident reporting requirements for firms, including a definition of an operational incident and clear, proportionate thresholds for reporting. Under current requirements, the PRA receives inconsistent reporting from firms on the types and severity of incidents that occur: firms submit differing information, both in terms of quantity and quality, and use variable terminology to describe incidents. The purpose of the proposed requirements is for the PRA to receive consistent, sufficient and timely information about operational incidents which pose a risk to the PRA’s objectives. This would allow the PRA to:

  • assess the potential impact of operational incidents on firms, or on the stability of, and confidence in, the UK financial sector;
  • obtain a better understanding of the operational resilience of firms and the financial sector; and
  • identify potential vulnerabilities and areas for improvement.

2.3 The proposals in this CP set out regulatory reporting requirements for operational incidents which meet the set thresholds. The policy would not replace the firm’s obligations to notify the PRA of certain incidents in accordance with PRA Fundamental Rule 7, and the General Notification Requirements in Chapter 2 of the Notification Part of the PRA’s rules.

Operational incident

2.4 The operational incident reporting proposals would apply to the reporting of an ‘operational incident’, which is defined as either a single event or a series of linked events [footnote 7] which disrupts the firm’s operations such that it:

  • disrupts the delivery of a service to an end user external to the firm; or
  • impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user.

2.5 The PRA proposes to take a proportionate approach to operational incident reporting. The proposed requirements in the operational incident reporting rules would apply in respect of operational incidents which meet one or both of the criteria referred to above, not to a potential, uncrystallised event. This would reduce the reporting burden on firms by not requiring them to report incidents that do not cause such a disruption or impact (‘near-misses’).

Reporting thresholds

2.6 The PRA proposes that firms would be required to report an operational incident when it meets one or more of the thresholds set by the PRA (see Chapter 24 of the Regulatory Reporting Part of the PRA Rulebook and Chapter 2 of the draft new SS in Appendix 2).

2.7 The PRA considers that thresholds must be clear and set to ensure that it only receives incident data relating to operational incidents that pose a risk to its objectives. The PRA proposes to take a proportionate approach to the reporting requirements which does not pose undue burden on firms. The PRA has therefore made a risk appetite decision to link the reporting thresholds to the point where an operational incident poses a risk to its objectives.

2.8 The PRA therefore proposes that firms would be required to submit an operational incident report once an operational incident poses a risk to:

  • (where the firm is an O-SII or a relevant Solvency II firm, as defined in the PRA Rulebook) the stability of the UK financial sector;
  • the safety and soundness of the firm; and/or
  • (for insurers) the appropriate degree of policyholder protection.

2.9 Determining which operational incidents meet the PRA’s thresholds will be a matter of judgement for firms. The PRA does not propose to introduce a definitive list of operational incidents which meet the thresholds, as the same incidents can have varying impacts on different firms for a range of reasons, such as size, business model and customer base. Firms may use their existing internal processes to determine the scale and potential impact of an incident and assess whether it meets the thresholds for reporting. The PRA would expect firms to consider a range of factors when determining whether an operational incident meets the thresholds. This could include, but is not limited to, damage to the firm or the sector’s reputation or the firm being unable to provide adequate services. Further details on the risks firms should consider are set out in the draft new SS.

2.10 A non-exhaustive list of examples of operational incidents which would breach the PRA’s incident reporting thresholds has been set out in the draft new SS. These include cyber-attacks, process failures, system update failures and infrastructure problems.

Important business services

2.11 Where an operational incident involves the disruption of one or more important business services, the risk of breaching an impact tolerance set by the firm would provide insight into the risk posed by that operational incident. The Operational Resilience Parts require firms to set impact tolerances for important business services at the maximum tolerable level of disruption before the PRA’s objectives are put at risk, measured by a length of time and any other relevant metrics. In line with the expectations set out in SS1/21, the PRA would expect firms to analyse the risk of breaching an impact tolerance for each operational incident which disrupts an important business service and take prompt action to manage the potential impact and the steps required to improve its operational resilience [footnote 8].

2.12 The PRA would expect firms to report incidents meeting the thresholds set out in the PRA rules, even if these have not yet breached the impact tolerances of any affected important business services. As set out in paragraph 2.9, firms would need to assess whether operational incidents which do not initially impact important business services or breach impact tolerances could nonetheless pose a risk to the PRA’s statutory objectives and, in the case of O-SIIs or relevant Solvency II firms, to financial stability.

2.13 Where an operational incident disrupts the delivery of one or more important business services, firms would be required to state this when submitting an operational incident report.

Phased approach to reporting operational incidents

2.14 When an operational incident meets the thresholds, the PRA proposes to require firms to provide the following incident reports:

  • an initial incident report;
  • one or more intermediate reports if there is a significant change in the circumstances of the incident; and
  • a final report.

2.15 To provide clarity on the phased approach to operational incident reporting, the process is set out in Figure 1 below; the following sections contain further detail on the proposals for each reporting phase.

Figure 1: Incident reporting process

2.16 As illustrated in Figure 1, when an operational incident occurs, firms would be required to assess whether it has met a threshold set by the PRA. If a threshold has been met, firms would be required to submit an initial report as soon as practicable; the PRA would expect firms to submit it within 24 hours of determining that a threshold has been met. If the firm has resolved the operational incident at the time of the initial report, it would not need to complete an intermediate report and would instead have 30 working days to submit a final report, or where this is impracticable, as soon as is practicable but not exceeding 60 working days. If the operational incident remains ongoing when the initial report has been submitted, the firm would be required to submit one or more intermediate reports whenever there is a significant change in the incident’s status or impact. As soon as practicable after the incident has been resolved, the firm would be required to submit an intermediate report informing the supervisory authorities of this change and would then have 30 working days to submit the final report, or where this is impracticable, as soon as is practicable but not exceeding 60 working days.

2.17 The PRA’s proposed phased and incremental approach to operational incident reporting is aligned to the FSB’s FIRE.

Initial operational incident report

2.18 The PRA recognises the need to balance the objectives of the PRA receiving timely operational incident information to understand potential risks to its statutory objectives and firms taking actions to resolve the incident. Therefore, rather than setting a fixed time limit in the rules, the PRA proposes to require firms to submit an initial report as soon as practicable after the operational incident has met a threshold. The draft new SS sets out expectations regarding the timing of the initial report, under which a firm would be expected to submit it within 24 hours of determining that an incident has met a threshold.

2.19 To limit the burden posed to the firm at a time when it should be focussed on managing the operational incident, firms would be required to submit limited information to allow the PRA to gain an understanding of the incident and assess potential risk to its objectives.

Intermediate operational incident report

2.20 Firms would be required to submit an intermediate report as soon as practicable upon a significant change in the circumstances described in the most recent report submitted to the PRA. This could include, but is not limited to, a change in the impact of the operational incident or the status of the operational incident, such as the firm identifying the origin of the operational incident; the operational incident breaching another regulator’s threshold for submitting an operational incident report after the submission of the initial report; or the firm resolving the operational incident. A non-exhaustive list of examples of when an intermediate report should be submitted are set out in the draft new SS.

2.21 A firm would be required to submit multiple intermediate reports if numerous significant changes occur. At a minimum, where an operational incident is not resolved at the time of the initial report, a firm would be required to complete one intermediate report to inform the PRA that it has resolved the operational incident.

2.22 In the event that a firm has resolved an incident prior to submitting an initial report, it would not be required to complete an intermediate report and could move straight to the final report stage. The firm would be required to inform the regulator that the incident has been resolved within the initial report (which the firm must submit as soon as practicable, as set out above) and follow up with the final incident report as required.

Final operational incident report

2.23 Once an operational incident has been resolved, a firm would be required to submit a final report within 30 working days or, where this is impracticable, as soon as is practicable but not exceeding 60 working days. Where it is impracticable to submit the final report within 30 working days, firms would be expected to contact the PRA explaining the reason as to why it is impracticable and the expected timeframe for the submission of the final report. The PRA proposes that the final report include a full assessment of the impact of the incident, the lessons learned and the identified root causes.
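The phased sequence in paragraphs 2.14 to 2.23 is easy to misapply when an incident spans a weekend or the resolution is reported some time after it happens. The following is an added example for this page, not code from the PRA or the consultation paper: a small deadline tracker that encodes the sequence as a state machine (initial report expected within 24 hours of the threshold being met, intermediate reports on significant change and on resolution, final report within 30 working days of resolution, or 60 where the firm has explained to the PRA why 30 is impracticable). It assumes ‘working day’ means Monday to Friday excluding a caller-supplied holiday set, which the CP does not define, and its dates and the 15 June 2026 holiday are constructed for illustration.

```python
"""Deadline tracker for the phased incident reporting sequence proposed in CP17/24.

Added example, not code from the PRA or the consultation paper. Assumption: 'working
day' means Monday to Friday excluding a caller-supplied holiday set (the CP does not
define the term).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from enum import Enum

INITIAL_REPORT_HOURS = 24              # draft SS expectation, paragraph 2.18
FINAL_REPORT_WORKING_DAYS = 30         # paragraph 2.23
FINAL_REPORT_EXTENDED_WORKING_DAYS = 60  # where 30 is impracticable and explained to the PRA


class Stage(Enum):
    ASSESSING = "assessing"      # no threshold met yet: nothing to report
    INITIAL_DUE = "initial_due"  # threshold met, initial report outstanding
    ONGOING = "ongoing"          # initial report sent, incident still open
    RESOLVED = "resolved"        # resolution reported, final report outstanding
    CLOSED = "closed"            # final report submitted


def is_working_day(d: date, holidays: frozenset[date]) -> bool:
    return d.weekday() < 5 and d not in holidays


def add_working_days(start: date, n: int, holidays: frozenset[date] = frozenset()) -> date:
    """Date n working days after start; the start day itself is not counted."""
    d, remaining = start, n
    while remaining > 0:
        d += timedelta(days=1)
        if is_working_day(d, holidays):
            remaining -= 1
    return d


@dataclass
class Incident:
    ref: str
    holidays: frozenset[date] = frozenset()
    stage: Stage = Stage.ASSESSING
    threshold_met_at: datetime | None = None
    resolved_at: datetime | None = None
    reports: list[tuple[str, datetime]] = field(default_factory=list)

    def threshold_met(self, when: datetime) -> None:
        if self.stage is not Stage.ASSESSING:
            raise ValueError("threshold already recorded")
        self.threshold_met_at = when
        self.stage = Stage.INITIAL_DUE

    def initial_report_expected_by(self) -> datetime:
        if self.threshold_met_at is None:
            raise ValueError("no threshold met; no initial report is required")
        return self.threshold_met_at + timedelta(hours=INITIAL_REPORT_HOURS)

    def submit_initial(self, when: datetime, resolved_at: datetime | None = None) -> None:
        if self.stage is not Stage.INITIAL_DUE:
            raise ValueError("initial report not due")
        self.reports.append(("initial", when))
        self._after_report(resolved_at)  # para 2.22: resolved already -> skip intermediate stage

    def submit_intermediate(self, when: datetime, resolved_at: datetime | None = None) -> None:
        if self.stage is not Stage.ONGOING:
            raise ValueError("intermediate reports only while the incident is ongoing")
        self.reports.append(("intermediate", when))
        self._after_report(resolved_at)  # para 2.21: resolution is itself reported here

    def _after_report(self, resolved_at: datetime | None) -> None:
        if resolved_at is None:
            self.stage = Stage.ONGOING
        else:
            self.resolved_at = resolved_at  # the final-report clock runs from resolution
            self.stage = Stage.RESOLVED

    def final_report_due(self, extended: bool = False) -> date:
        if self.resolved_at is None:
            raise ValueError("the final report clock starts at resolution")
        days = FINAL_REPORT_EXTENDED_WORKING_DAYS if extended else FINAL_REPORT_WORKING_DAYS
        return add_working_days(self.resolved_at.date(), days, self.holidays)

    def submit_final(self, when: datetime, extension_explained: bool = False) -> bool:
        """Record the final report and return whether it met the applicable deadline."""
        if self.stage is not Stage.RESOLVED:
            raise ValueError("final report only after resolution has been reported")
        self.reports.append(("final", when))
        self.stage = Stage.CLOSED
        return when.date() <= self.final_report_due(extended=extension_explained)


def example_timeline() -> dict[str, object]:
    """Constructed scenario (not from the CP); the 15 June 2026 holiday is made up."""
    inc = Incident(ref="INC-0001", holidays=frozenset({date(2026, 6, 15)}))
    inc.threshold_met(datetime(2026, 6, 5, 22, 0))        # Friday evening
    inc.submit_initial(datetime(2026, 6, 6, 9, 0))        # still ongoing, inside 24h
    inc.submit_intermediate(datetime(2026, 6, 7, 18, 0))  # significant change in impact
    inc.submit_intermediate(datetime(2026, 6, 8, 10, 0), resolved_at=datetime(2026, 6, 8, 8, 30))
    due, due_ext = inc.final_report_due(), inc.final_report_due(extended=True)
    on_time = inc.submit_final(datetime(2026, 7, 15, 12, 0))
    return {
        "initial_expected_by": inc.initial_report_expected_by(),
        "final_due": due,                      # Tue 21 Jul 2026: 30 WD, one holiday skipped
        "final_due_extended": due_ext,         # Tue 1 Sep 2026: 60 WD
        "on_time": on_time,
        "stage": inc.stage,
        "report_sequence": [kind for kind, _ in inc.reports],
    }


if __name__ == "__main__":
    for key, value in example_timeline().items():
        print(f"{key}: {value}")
```

Two points the code makes explicit that the prose leaves to the reader: the final-report clock runs from the moment of resolution, not from the report that announces it, and the extended 60-working-day window only applies where the firm has already contacted the PRA with its reasons, so the tracker takes that as an explicit flag rather than assuming it.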

Format of operational incident reports

2.24 The PRA intends for firms to submit operational incident reports using the FCA’s Connect portal.

2.25 Firms would be required to complete the information set out in the reporting fields document found in Appendix 5 for each operational incident report. To minimise the firm’s reporting burden, the PRA has considered the EU’s DORA and FSB FIRE and aligned the reports where possible.

Operational incident data

2.26 The PRA proposes that firms submit reports on operational incidents in a template which would include four broad categories (see Table 1). The level of information required would vary depending on the stage of the reporting, with progressively more expected as the incident progresses or is closed.

2.27 The proposed template has been developed in consideration of the proposals being consulted on under FSB FIRE, including alignment with the format of data fields and taxonomies which underpin these where appropriate. The PRA has, where possible, aligned specific data fields and underpinning taxonomies between the incident reports and the material third-party reporting templates (see Chapter 3) to enable dataset interaction. This could support the PRA’s identification of incident contagion where an incident originates at a third-party.

Table 1: Data categories for operational incident reporting

Reporting details: Details of the firm reporting the incident, including contact information, firm identification, and the receiving authority.

Incident details: Details of the operational incident including incident status, incident description, service disrupted, time of incident and actions the firm intends to take/has taken to recover.

Impact assessment: Information regarding the impact of the operational incident, including number of customers/clients affected, reputational impact, volume and value of transactions affected, and parties affected.

Incident closure: Information on the root cause(s), lessons learned and subsequent remedial actions.

2.28 To ensure the PRA has up to date and correct information on the firm reporting the operational incident, firms would be required to complete a section on reporting details. This would include data relating to the entity details, contact information, incident identification and the receiving authority details. Firms would only be required to complete these details once in the Initial Report phase; and subsequent reports would be pre-populated with this information.

2.29 Firms would be required to complete the operational incident details section so supervisory authorities can understand the nature of the incident, any service impacted and what actions the firm may be taking/has taken to resolve the incident. Firms would be required to submit these data items at the Initial Report phase and can update or amend as needed in the Intermediate and Final Report phases.

2.30 To ensure the PRA understands the full or potential impact of an operational incident on the firm, its external end users and the broader UK financial sector, firms would be required to complete the impact assessment section. The required fields for this category vary depending on the phase of the reporting. For example, the initial report requires only limited information on the impact assessment and any remedial actions. The final report includes additional fields to provide a more comprehensive account of the operational incident, including service disruption type and duration and resources affected. Most impact assessment fields would however be available for firms to complete optionally if they have the information to do so.

2.31 The PRA would require firms to submit information on the operational incident closure in the final report phase. This would allow the PRA to understand the actions the firm has taken or needs to take to address and remediate possible risks and vulnerabilities to the firm and the financial sector.

2.32 The incident reports include data fields which require firms to select from a list of options. Where possible, the PRA has aligned the lists underpinning these data fields with FSB FIRE; these include disruption type, incident discovery method, severity, reputational impact, and resource type. The proposed list underpinning the business services data fields is based on the critical economic functions set out in SS19/13 – Resolution Planning and the critical functions set out in the FSB Guidance on Identification of Critical Functions and Critical Shared Services. This list is aligned with the proposals for the material third-party reporting templates below in Chapter 3. The proposed list underpinning the root cause data fields is based on the FCA Root Cause component list, which has historically been used by the FCA to manage and triage notified incidents.

2.33 The PRA proposes to include data fields which would be required conditionally depending on the operational incident. For example, where an operational incident originates at a third-party, a firm would be required to provide further information relating to the third-party. Where an operational incident originates at a third-party, the PRA proposes that a firm take reasonable steps to obtain information regarding the root cause of the incident from the third-party.

PRA objectives analysis

2.34 The PRA’s proposals are designed to advance its primary objectives to promote safety and soundness; and, in the context of insurers, contribute to securing an appropriate degree of policyholder protection. By collecting timely, structured and accurate information on operational incidents, the PRA can better monitor and assess individual firms and the broader sector’s operational resilience. Consistent data would also enable the PRA to provide meaningful feedback to industry to help address outstanding vulnerabilities and prepare for emerging risks within the sector.

2.35 The PRA considers that the operational incident reporting proposals support the PRA’s secondary objectives to facilitate growth and the international competitiveness of the UK economy.

2.36 In developing these proposals, the PRA has sought, where doing so advances PRA policy aims, to align with similar international incident reporting frameworks, such as the EU’s DORA and the FSB’s FIRE, in order to reduce reporting complexities.

2.37 The PRA intends to limit compliance burden and ensure firms can efficiently allocate resources for reporting through the introduction of clear reporting thresholds, standardised reporting templates, and developing a single reporting solution to work across the supervisory authorities. The PRA also considers that the introduction of materiality thresholds for reporting would promote proportionality by ensuring that only operational incidents which are material to the PRA are reported.

2.38 The PRA considers that by collecting good quality data on operational vulnerabilities, the PRA would be in an improved position where it can work more effectively with firms to manage vulnerabilities and prepare for emerging risks. This can support the maintenance of confidence within the market and trust in the PRA’s prudential framework.

3: Outsourcing and third-party reporting

3.1 In this Chapter, the PRA is proposing to:

  • expand the scope of existing third-party arrangements data collections to cover both material outsourcing and non-outsourcing (‘material third-party’) arrangements;
  • require firms to submit material third-party Notifications in a standardised format, using a template which is aligned with the Register; and
  • require firms to maintain and submit a Register to the PRA, ensuring this is up to date at least annually.

3.2 The proposals in this Chapter would result in subsequent changes to:

3.3 Firms are becoming increasingly reliant on third-party arrangements, both outsourcing and non-outsourcing, to support their operations. This reliance on third-party service providers brings potential benefits and opportunities for the sector but could also pose risks to the safety and soundness of firms, policyholder protection or the financial stability of the UK. To better identify and address these risks, the regulators and the industry have highlighted the importance of collecting effective data on the use of material third-party arrangements.

3.4 Under current requirements, the PRA receives limited and inconsistent data on third-party arrangements, resulting in gaps in its knowledge of potential risks to its statutory objectives. Firms are required to submit information relating to material outsourcing arrangements under the existing Notifications Rules 2.3(1) (‘Notifications’), and the PRA expects banks to maintain and submit upon request a register of information (‘Register’) of these arrangements under SS2/21. This means that the PRA may not have visibility over risks that could arise from firms’ material non-outsourcing arrangements. [9] Additionally, while firms provide similar information to the PRA through both Notifications and the Register, the existing Notifications process is unstructured, which limits the interaction between the Notifications and Register data. The current expectations for the Register only apply to banks, further limiting the ability of the PRA to understand current third-party arrangements across all regulated firms.

3.5 The proposals seek to address these gaps by providing clear and consistent requirements and expectations for the collection of data on material third-party arrangements.

Material third parties

3.6 As firms’ operations have become more complex and dependent on technology over recent years, firms are becoming increasingly reliant on a wider range of services delivered by third-party providers. To support their operational resilience, firms need to manage effectively risks posed by all their third-party arrangements which are material, not just a sub-type of third-party arrangements which are classed as outsourcing. The PRA proposes to expand the scope of its data collections from material outsourcing arrangements to all material third-party arrangements, encompassing both material outsourcing and non-outsourcing arrangements. The proposals aim to aid the PRA in better identifying systemic risks posed by third-party service providers and support the PRA’s recommendation of potential CTPs to be designated to HMT. The proposed amendment would result in the introduction of the proposed definitions for ‘third-party arrangement’ and ‘material third-party arrangement’ in the PRA Rulebook.

3.7 The PRA proposes to define a ‘third-party arrangement’ as any arrangement whereby a person provides a product or service to a firm whether or not this would otherwise be undertaken by the firm itself, provided directly or by a sub-contractor, or provided by a person within the same group as the firm.

3.8 In line with the existing approach, and to ensure the PRA collects relevant information at a proportionate cost to firms, the PRA proposes to only collect information on firms’ ‘Material third-party arrangements’ as defined in the Glossary in the draft Rule Instrument. In line with its approach to operational resilience, the PRA proposes that only O-SIIs and relevant Solvency II firms would be required to explicitly consider the impact of a disruption or failure of their arrangements on UK financial stability.

3.9 To promote greater consistency in the materiality assessment criteria, the PRA proposes to include additional guidance in Chapter 5 of SS2/21 on how firms may be expected to consider the impact of a disruption or failure from their arrangements.

3.10 Determining which third-party arrangements are material will be a matter of judgement for firms. The PRA does not propose to introduce a definitive list of material third-party arrangements. Firms may depend on third-party arrangements in differing ways to deliver services; for example, one firm may use a third-party arrangement within its supply chain whose disruption would impair the continuity of the firm’s service, while another firm may use the same third-party service and only suffer limited impact following a disruption to that third-party arrangement.

Notifications

3.11 In line with the existing approach, and to ensure the PRA collects relevant information at a proportionate cost to firms, the PRA proposes to only collect information on firms’ material third-party arrangements.

3.12 The PRA proposes to make the following amendments to Notifications Rule 2.3(1)(e):

  • amend the scope of the notification requirement that is currently contained in Rule 2.3(1)(e) to capture notifications of firms’ material third-party arrangements which, due to the associated risks, necessitate a high degree of due diligence, risk management or governance by the firm, and to reflect the PRA’s proposals in paragraphs 3.6 to 3.10; and
  • decouple Notifications Rule 2.3(1)(e) from Notifications Rule 2.3(1) as a result of the amendment above, because the PRA considers that not all material third-party arrangements may be considered a ‘restructuring, reorganisation or business expansion’. This would result in a new proposed Rule 2.3B.

3.13 While the PRA is proposing an amendment to the scope of the notifications requirement to capture material non-outsourcing third-party arrangements as well as material outsourcing arrangements, firms would only be required to submit notifications on a material third-party arrangement which, due to the risks, necessitates a high degree of due diligence, risk management or governance by the firm. The PRA has not made changes to its expectations or requirements regarding due diligence, risk management or governance as set out in SS2/21 and the PRA Rulebook (see in particular the rules referenced in SS2/21).

3.14 Expectations regarding when the PRA would and would not expect a notification of a Material Third-party arrangement have been set out in Chapter 5 of SS2/21. The PRA would use these notifications to conduct any necessary supervisory scrutiny and have adequate oversight over risks to its objectives.

3.15 The PRA is not proposing changes to the way firms submit notifications. The PRA proposes that firms submit notifications ahead of entering into or significantly changing all relevant material third-party arrangements to the PRA as they already do for material outsourcing arrangements.

3.16 The PRA notes that its proposed approach to material third-party notifications diverges from that taken by the Bank and FCA, who are proposing to require Notifications for all material third-party arrangements. The PRA considers that, taking into account the difference in the scope of firms it supervises, this approach would allow it to receive notifications on those material third-party arrangements that it would be of most value to be informed of in advance of the arrangement being entered into or changed, due to the risks posed to its objectives.

3.17 The PRA considers that the proposed updates to the Notifications Rules would align these with the expectations set out in SS2/21. Consequently, in complying with PRA Fundamental Rule 7, the PRA considers that firms should already be notifying the PRA of material non-outsourcing arrangements as this may constitute ‘information of which the PRA would reasonably expect notice’, therefore the incremental reporting burden may be minimal.

3.18 The PRA proposes to remove non-directive firms (NDFs) from scope of the Notifications requirements as it considers it would be unduly burdensome to collect this information from these firms. All other PRA-regulated firms would remain in scope of the Notifications requirements.

3.19 Firms have previously requested the PRA to provide more guidance on what information notifications should contain or suggested that the PRA develop a standard notification template.

3.20 The PRA has considered how to standardise the way firms submit material third-party Notifications and proposes to require firms to submit this information in a template, supported by additional documentation where necessary. The introduction of a standardised template aims to provide clear expectations on the minimum information expected in material third-party notifications and reduces firms’ reporting burden.

3.21 The information the PRA proposes to collect on firms’ material third-party arrangements is specified in Table 2 below.

Register

3.22 The following proposals apply to:

  • UK banks, building societies, and PRA-designated investment firms (‘banks’);
  • Insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents (‘insurers’); and
  • UK credit unions with at least £50 million in total assets.

Entities in scope of these proposals are collectively referred to as ‘firms’.

3.23 As set out in CP30/19 – Outsourcing and third-party risk management, and to reflect the proposals outlined in paragraphs 3.6 to 3.9, the PRA proposes to require firms to maintain and submit to the PRA a structured register of information on all of their material third-party arrangements. This would formalise and expand the expectation that banks should maintain a Register of their outsourcing arrangements. This would result in additional rules in the Regulatory Reporting Part set out in Appendix 1.

3.24 The PRA considers that, in complying with existing requirements under Notifications 2.3(1)(e) and Fundamental Rule 7, and record-keeping expectations in Chapter 5 of SS2/21, firms would likely already have records of their material third-party arrangements for this purpose. The PRA has also been collecting a similar register of information from some banks on a voluntary ad-hoc basis since 2018, and since 2023 has expanded the collection to also include some insurers.

3.25 The PRA intends to require firms to submit the Register on a consolidated basis using the FCA RegData platform and ensure that this is up to date at least on an annual basis. To update the Register, firms may re-upload the Register in its entirety on the FCA RegData platform.

3.26 The PRA considers that collecting data on firms’ third-party dependencies in a consistently structured format through a central register supports the PRA’s objectives of promoting firms’ safety and soundness, including through avoiding adverse effects on the stability of the UK financial sector, and policyholder protection. The PRA proposes to use the data collected in the Register to:

  • monitor and address systemic concentration risk in non-regulated service providers;
  • efficiently identify common third parties which could be considered appropriate for recommendation to HMT for designation as a CTP;
  • assess firms’ compliance with existing requirements in the Outsourcing Parts of the PRA Rulebook and performance against expectations of SS2/21;
  • collect supervisory insights on individual firms’ levels of third-party usage;
  • where appropriate, share anonymised aggregated findings on industry-wide trends; and
  • determine contagion risk of operational incidents when firms report incidents caused by third-party disruption.

3.27 The information the PRA proposes to collect on firms’ material third-party arrangements is specified in Table 2 below.

Information to be submitted to the PRA

3.28 To minimise firms’ reporting burden, the PRA has developed the proposed templates for the Notifications and Register to be aligned with one another. The PRA has developed the templates predominantly using the existing Register templates that have been used for previous PRA Outsourcing Register data collections as a basis. To provide consistency and reduce reporting burden on firms, the PRA has developed its proposed templates to be interoperable where possible with similar existing and future regimes, such as the EBA Outsourcing Guidelines and Article 28 of the EU’s DORA.

3.29 The data that the PRA proposes to collect is summarised in Table 2 below. The full proposed template and guidance are set out in Appendix 5. The proposed template features standardised data items which are underpinned by certain taxonomies to increase reporting efficiencies and limit free text fields. The PRA has aligned specific data fields and underpinning taxonomies between the incident reports and material third-party reporting templates to enable dataset interaction. This could support the PRA’s identification of incident contagion where an incident originates at a third party, and enable it to, where appropriate, alert other firms to these risks.

Table 2: Proposed data field categories to be collected (data bucket: description)

  • Master data on firm submission: Information on submission references, such as type and date of submission.
  • Master data on regulated firms: Details on the firm submitting material third-party arrangement information, including firm identification.
  • Master data on external product or service providers, including intra-group arrangements: Details of the external product or service provider firms have an arrangement with, including the name, registered address, and legal identifiers of the product or service provider.
  • Data on types of products or services being performed by an external provider: Information on the products or services being provided by an external provider, including the type and a description of the product or service, whether the product or service supports an Important Business Service, and the country where the product or service is being performed.
  • Information on supply chain: Ranking of external providers for each product or service included in the scope of each contractual arrangement.
  • Data on assessments: Information on firms’ due diligence conducted for each arrangement, including details on risk assessments, recent audits, and governance reviews.

3.30 The proposed template comprises six data groups, which are underpinned by specific taxonomies and are linked to each other using specific keys to form a relational structure, which enables the PRA to form a view of firms’ third-party supply chains. These keys include the firm identifier, contractual arrangement reference numbers, third-party provider name and legal entity identifier (LEI), and the supply chain rankings.

3.31 Firms would be required to submit high level data relating to their reporting entity details and third-party arrangements to enable the PRA to distinguish each Register or Notification submission. This data would include submission identifiers, firm reference numbers, and contractual arrangement numbers.

3.32 To enable the PRA to assess the extent of the concentration of third-party providers supporting specific firm business services, firms would be required to submit data relating to the types of services being performed by a third party, including whether this is an Important Business Service for the firm. The proposed list underpinning the business services data field is based on the critical economic functions set out in SS19/13 and the critical functions set out in the FSB Guidance on Identification of Critical Functions and Critical Shared Services. This list is aligned with the proposals for the Incident Reporting templates above in Chapter 2.

3.33 To allow the PRA to conduct structured analysis on the types of externally provided products and services firms use, firms would be required to indicate these from a pre-defined list. The proposed list underpinning this data field is based on the DORA Final Report on draft ITS on Register of Information Annex III Type of ICT services taxonomy, which has been modified to include additional relevant non-ICT services.

3.34 To support the PRA’s understanding of a firm’s third-party supply chain, firms would be required to ‘rank’ the position of each product or service provider within its supply chain. This rank is used to link each external provider included in the scope of each contractual arrangement’s supply chain. The first external service provider that a firm is purchasing from directly would always have a ‘rank’ number of ‘1’, with lower numbers denoting the closeness of the arrangement to the firm (eg providers with rank ‘2’ would be the direct external provider’s suppliers).

3.35 For consolidated group submissions, firms would be required to link each external provider to the individual regulated entity receiving the product or service. Intragroup arrangements are not generally considered to be externally provided, so the ‘rank’ to be reported for them should be ‘0’.

3.36 To ensure a proportionate approach, the PRA proposes to only require firms to identify service providers within the supply chain whose disruption would impair the continuity of the firm’s service, irrespective of the rank. This is broadly aligned with the approach taken in Article 28 of the EU’s DORA. This would allow the PRA to link all material product or service providers who are part of the same supply chain and can indicate where ‘nth’ party [10] concentration risks may arise.
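As an added illustration, not part of the consultation paper or the Appendix 5 template, the following Python models the linking keys and rank conventions described in paragraphs 3.30 to 3.36 (firm reference, contractual arrangement reference, provider LEI, supply chain rank) on a constructed Register extract: it checks that intragroup rows carry rank 0 and external chains run contiguously from rank 1, reconstructs one arrangement's chain, and surfaces providers shared across several firms at any rank. The field names, firms, providers and LEIs are assumptions, not the PRA's.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterRow:
    """Hypothetical, simplified Register row; only the linking keys named in the text are modelled."""
    firm_frn: str          # regulated entity receiving the product or service
    arrangement_ref: str   # contractual arrangement reference number
    provider_name: str
    provider_lei: str      # legal entity identifier of the provider
    service_type: str
    supports_ibs: bool     # whether the service supports an Important Business Service
    rank: int              # 0 = intragroup, 1 = direct external provider, 2+ = that provider's suppliers
    intragroup: bool = False


def validate_ranks(rows):
    """Return validation messages for the rank conventions: intragroup rows use rank 0,
    external rows use rank >= 1, and the external ranks of one arrangement run 1, 2, ... without gaps,
    so the chain can be linked from the firm outward."""
    problems = []
    by_arrangement = defaultdict(list)
    for r in rows:
        by_arrangement[(r.firm_frn, r.arrangement_ref)].append(r)
        if r.intragroup and r.rank != 0:
            problems.append(f"{r.arrangement_ref}: intragroup provider {r.provider_name} must have rank 0")
        if not r.intragroup and r.rank < 1:
            problems.append(f"{r.arrangement_ref}: external provider {r.provider_name} must have rank >= 1")
    for (_frn, arr), group in by_arrangement.items():
        ext_ranks = sorted({r.rank for r in group if not r.intragroup and r.rank >= 1})
        if ext_ranks and ext_ranks != list(range(1, ext_ranks[-1] + 1)):
            problems.append(f"{arr}: external ranks {ext_ranks} are not contiguous from 1")
    return problems


def supply_chain(rows, firm_frn, arrangement_ref):
    """Order the external providers of one arrangement from the firm outward (rank 1, 2, ...)."""
    chain = [r for r in rows
             if r.firm_frn == firm_frn and r.arrangement_ref == arrangement_ref and not r.intragroup]
    return [r.provider_name for r in sorted(chain, key=lambda r: r.rank)]


def provider_concentration(rows, min_firms=2):
    """Map provider LEI -> (name, sorted firms) for providers that several firms depend on at any rank.
    A supplier sitting behind a direct provider (rank 2+) counts against the firm just like a
    direct provider, which is what makes nth-party concentration visible."""
    firms_by_lei = defaultdict(set)
    names = {}
    for r in rows:
        if r.intragroup:
            continue
        firms_by_lei[r.provider_lei].add(r.firm_frn)
        names[r.provider_lei] = r.provider_name
    return {lei: (names[lei], sorted(firms))
            for lei, firms in firms_by_lei.items() if len(firms) >= min_firms}


# Constructed sample Register extract (no real firms, providers or LEIs).
SAMPLE_ROWS = [
    RegisterRow("FIRM-A", "A-001", "Cloud Co", "LEI-CLOUD", "cloud hosting", True, 1),
    RegisterRow("FIRM-B", "B-001", "Cloud Co", "LEI-CLOUD", "cloud hosting", True, 1),
    RegisterRow("FIRM-C", "C-001", "Payments SaaS", "LEI-SAAS", "payment processing", True, 1),
    RegisterRow("FIRM-C", "C-001", "Cloud Co", "LEI-CLOUD", "cloud hosting", True, 2),
    RegisterRow("FIRM-C", "C-002", "Group IT Services", "LEI-GROUP", "IT support", False, 0, intragroup=True),
]

# Constructed rows that break the conventions: a gap in the chain and an intragroup row with rank 1.
BAD_ROWS = [
    RegisterRow("FIRM-D", "D-001", "Vendor One", "LEI-V1", "data analytics", False, 1),
    RegisterRow("FIRM-D", "D-001", "Vendor Three", "LEI-V3", "data centre", False, 3),
    RegisterRow("FIRM-D", "D-002", "Group Ops", "LEI-GROUP", "back office", False, 1, intragroup=True),
]

if __name__ == "__main__":
    print("validation (sample):", validate_ranks(SAMPLE_ROWS))
    print("validation (bad):", validate_ranks(BAD_ROWS))
    print("chain C-001:", supply_chain(SAMPLE_ROWS, "FIRM-C", "C-001"))
    print("shared providers:", provider_concentration(SAMPLE_ROWS))
```

In the sample, Cloud Co is a direct (rank 1) provider to two firms and an nth party (rank 2) to a third, so it is reported as a shared dependency of all three.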

3.37 The PRA also proposes to require firms to submit some basic information relating to their assessments of material third-party arrangements to assess firms’ compliance with the Outsourcing Rule 2.1B and expectations set out in SS2/21.

PRA objectives analysis

3.38 The PRA’s proposals are designed to advance its primary objective to promote safety and soundness; and, in the context of insurers, contribute to securing an appropriate degree of policyholder protection. Collecting consistent and structured data on firms’ material third-party arrangements would enable the PRA to identify and support the oversight of potential CTPs in the financial sector. The PRA can also better monitor emerging risks within the sector and determine incident contagion risks where these originate from third-party providers. The data collected can also support the PRA’s supervision of firms’ performance against the expectations set out in SS2/21 and support firms to address potential gaps to improve their risk management.

3.39 The PRA considers that the material third-party reporting proposals support the PRA’s secondary objectives to facilitate growth and the international competitiveness of the UK economy.

3.40 In developing these proposals, the PRA has sought to align with other material third-party reporting frameworks internationally to reduce reporting complexities and where doing so advances PRA policy aims, such as the EU’s DORA.

3.41 The PRA intends to minimise compliance burden and ensure firms can efficiently allocate resources for reporting through the introduction of clear reporting thresholds, standardised reporting templates, and developing a single reporting solution to work across the supervisory authorities. The PRA also considers that the introduction of thresholds for reporting would promote proportionality by ensuring that only third-party arrangements which are material are reported to the PRA.

3.42 The PRA considers that by collecting good quality data on third-party concentration risk, the PRA would be in an improved position where it can work more effectively with firms to respond to risks arising from firms’ use of third-party arrangements. The data would also support the PRA’s oversight of potential CTPs in the financial sector, which in turn can help to increase the long-term system-wide resilience of the financial sector. This can increase confidence within the market and promote broader UK financial stability.

4: ‘Have regards’ analysis

4.1 In developing these proposals, the PRA has had regard to its framework of regulatory principles. The regulatory principles that the PRA considers are most material to the proposals include:

1. The principle that a burden or restriction which is imposed on a person should be proportionate to the benefits which are expected to result from the imposition of that burden:

  • The PRA considers that it can achieve its policy aims while limiting the reporting burden on firms through the use of clear reporting requirements, materiality thresholds and the introduction of standardised templates. This includes the use of optional and conditional data fields within the proposed templates, which reflects that some data fields may not be relevant for specific incidents or material third-party arrangements. The reporting burden has been limited further by proposing to standardise the template and reporting solution to enable dual-regulated firms to submit incident reports and material third-party registers which fulfil the data requirements of the PRA and FCA.
  • The PRA considers the proposals are aligned, where possible, with the frameworks set out as proposed by the EU’s DORA and FSB’s FIRE. This alignment aims to limit regulatory reporting burden for firms with reporting obligations in multiple jurisdictions.
  • The PRA has proposed to exclude small firms, such as credit unions and NDFs, from scope of the operational incident reporting proposals as it considers it would be unduly burdensome to require this information from these firms. NDFs are also excluded from the material third-party reporting proposals; and credit unions with less than £50 million in assets as well as third country branches are excluded from the material third-party register proposals.
  • The proposed reporting thresholds would limit the reports firms submit to operational incidents and third-party arrangements that the PRA considers to be material. Taking this approach also enables firms to make judgements based on individual business models. The proposed thresholds are intended to be proportionate as only O-SIIs and relevant Solvency II firms would be subject to considering the impacts of operational incidents and material third-party arrangements to UK financial stability.

2. Promote the growth and international competitiveness of the UK:

  • The PRA considers that the introduction of clear reporting thresholds, standardised reports and a single reporting solution to work across the supervisory authorities would reduce reporting burden and enable firms to efficiently allocate resources for reporting.
  • By collecting consistent data on operational vulnerabilities and third-party concentration risk in the sector, the PRA can work more effectively with firms to manage these risks and oversee potential CTPs in the financial sector. This can increase confidence within the market and promote broader financial stability.
  • In developing the proposals, the PRA has sought to align with other reporting frameworks internationally to reduce reporting complexities and where doing so advances PRA policy aims, such as the EU DORA and FSB FIRE.

3. The need to use the resources of the PRA in the most efficient and economic way:

  • The PRA is proposing the introduction of standardised reporting requirements and a single reporting solution for incident and material third-party register reporting which would work across the supervisory authorities. The PRA has also proposed to limit the data collection to only operational incidents and third-party arrangements which the PRA considers material. Collecting structured data through a simplified reporting solution would enable the PRA to use its resources to efficiently process this and conduct incident analysis.
  • The PRA recognises the potential increase in data processing burden as a result of amending the scope of the data collections to capture material third-party arrangements. In addition to the proposals to introduce a standardised template and reporting solution, the PRA has sought to limit the impact of the changes by setting clear materiality considerations and providing guidance to limit the information on material third-party arrangements that firms submit, including those arrangements that firms must notify the PRA of.

4. The principle that regulatory activities should be carried out in a way which is consistent, and targeted only at cases in which action is needed:

  • The proposed reporting requirements are consistently applied across firms in scope.
  • The proposals are targeted to capture information relating to risks arising from operational incidents and use of third parties which the PRA considers material. This would support the PRA’s supervision of operational resilience and oversight of third-party concentration risk.
  • The Register proposals are also only targeted at firms for which the PRA thinks action is needed, by excluding third country branches, small credit unions and NDFs from the scope of application.
  • The Notification proposals are targeted only at the subset of material third-party arrangements that the PRA thinks are of most use to have notice of due to the risks these could pose to its statutory objectives.

  1. PS7/21 – Outsourcing and Third-party Risk Management.

  2. The PRA sets out its approach to identifying potential CTPs and recommending them to HMT for designation in PS16/24 – Operational resilience: Critical third parties to the UK financial sector.

  3. These being other systemically important institutions (O-SIIs) and relevant Solvency II Firms as defined in the PRA Rulebook.

  4. In addition, when determining whether a third-party arrangement is material, firms are required to consider how the arrangement could cast serious doubt upon the firm’s ability to satisfy Threshold Conditions, Fundamental Rules, or its ability to comply with the Operational Resilience Part or the Operational Continuity Part of the PRA Rulebook.

  5. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.

  6. For further information please see Transitioning to post-exit rules and standards.

  7. A series of linked events includes those whose cumulative impact results in a disruption to the firm’s operations which meets the PRA’s thresholds.

  8. SS1/21 Operational resilience: Impact tolerances for important business services

  9. For example, firms may not always submit information relating to the use of artificial intelligence (AI) models, which, if disrupted, could impact the PRA’s statutory objectives of safety and soundness of firms or, where a single provider services multiple firms, broader UK financial stability.

  10. In line with the FSB’s Enhancing Third-Party Risk Management and Oversight, an nth party is a service provider that is part of a third-party service provider’s supply chain and supports the ultimate delivery of services to one or more financial institutions.