Operational Incident and Third-Party Reporting

Overview

The Financial Conduct Authority’s (FCA) Consultation Paper CP24/28 outlines proposed changes to the regulatory framework governing how firms report operational incidents and manage third-party arrangements. The FCA issued this Consultation Paper, to be followed by a Policy Statement, because it found that some firms are unclear on how and when to inform the authority about operational incidents. The aim is to enhance the FCA’s ability to oversee and respond to these critical aspects of financial operations.

Purpose

The primary goal of the proposals in CP24/28 is to give the FCA a clearer and more structured understanding of the operational incidents affecting firms and of firms’ relationships with important third-party suppliers.

The proposed rules will apply to a broad range of regulated entities, including:

  • Banks,
  • Investment firms, and
  • Payment service providers.

This wide applicability ensures that the entire financial sector benefits from improved reporting and oversight practices, enhancing overall operational resilience.

Reporting Requirements

FCA Reporting Requirements:

  • Under Principle 11 of the FCA’s Principles for Businesses, firms are required to deal with the FCA in an open and cooperative way and to disclose to the FCA appropriately anything relating to the firm of which the FCA would reasonably expect notice. This includes material operational incidents.
  • SUP 15.3 of the FCA Handbook provides additional rules and guidance on when the FCA would expect notice of matters relating to a firm. An incident may be considered material if it results in significant data loss, loss of availability or control of IT systems, affects a large number of customers, or results in unauthorised access to information systems.

PRA Reporting Requirements:

  • According to the Prudential Regulation Authority’s (PRA) general notification rules, firms are required to notify the PRA where an incident could lead to the firm failing to satisfy one or more of the threshold conditions, could have a significant adverse impact on the firm’s reputation, could impact the firm’s ability to continue to provide adequate services to its customers, or could result in serious financial consequences to the UK’s wider financial sector or to other firms (PRA Rulebook, Notifications Part, Rule 2.1).

Operational Incident Reporting

One of the key proposals in the Consultation Paper is the introduction of standardised rules for reporting operational incidents, including a clear definition of what constitutes an operational incident and a clear process and format for reporting such incidents.

Third Party Reporting

The Consultation Paper also proposes new requirements for firms to report on their material third-party arrangements. This includes expectations for governance and oversight by Senior Management and board members. By ensuring that firms have strong oversight of their third-party relationships, the FCA aims to mitigate risks associated with outsourcing and other third-party dependencies.

Consequences of Failing to Report

Firms regulated by the FCA and PRA must report material operational resilience incidents, and failure to do so can result in significant regulatory and reputational consequences. It is essential for firms to have robust processes in place to identify and report such incidents in a timely manner.

Failing to report operational resilience incidents to the FCA or the PRA can lead to:

Regulatory Action:

  • The FCA and PRA have the authority to take enforcement action against firms that fail to comply with their reporting obligations. This can include fines, public censure or other disciplinary actions.

Reputational Damage:

  • Non-compliance with reporting requirements can lead to reputational damage for the firm, as it may be perceived as lacking transparency or failing to manage operational risks effectively.

Increased Scrutiny:

  • Firms that fail to report incidents may be subject to increased scrutiny from regulators, which can lead to more frequent inspections and a higher regulatory burden.

Impact on Authorisation:

  • For severe breaches, the failure to report could impact a firm’s ability to maintain its authorisation to operate, as it may be seen as not meeting the threshold conditions required by the regulators.

Looking ahead and the 2025 Operational Resilience Deadline

The consultation period for CP24/28 is open until 13 March 2025. During this period, stakeholders are encouraged to provide feedback on the proposals.

Additionally, firms should complete their preparations before the Operational Resilience Policy (PS21/3) transition period ends on 31 March 2025. This includes reviewing and possibly strengthening current operational incident reporting processes and third-party management frameworks and improving their overall operational resilience and risk management capabilities.

How Complyport can help

At Complyport, we prioritise your organisation’s operational resilience, recognising its criticality in today’s increasingly interconnected and digital world. Our suite of services encompasses Operational Resilience, IT Audit, and Cybersecurity, designed to ensure your operations’ robustness against potential threats and disruptions.

Complyport’s specialised team can help with:

  • Submitting Operational Incident Reports
  • Gap Analysis of the Existing Operational Resilience Framework
  • Operational Resilience Audit and Remediation
  • Ongoing Retainer Support via a dedicated team
  • Staff Training
