PS7/26

Operational incident, outsourcing and third-party reporting requirements

Author: Dan Spreckley. Director, Consulting
05/05/2026

What’s required and the practical steps to respond

In March 2026, the PRA introduced its final policy (PS7/26) and supervisory statement (SS1/26) on operational incident, outsourcing and third-party reporting requirements. In this article, we summarise key requirements and changes from the consultation, discuss potential challenges firms may face, and set out some of the practical steps organisations are taking to address the new rules.

Summary of key requirements

New rules are effective from 18 March 2027 and require firms to:

  • notify regulators of operational incidents that meet reporting thresholds, using a standardised reporting template
  • notify regulators when entering into or significantly changing a Material Third-Party (MTP) arrangement
  • submit an annual register of all MTP arrangements using standardised reporting templates.

While these new reporting rules are front and centre, the real significance of PS7/26 lies in broadening the current focus on material outsourcing to include all material third-party arrangements based on risk. Amendments to the existing SS2/21 will require firms to apply the same level of scrutiny in their oversight and assurance of material third-party arrangements as they do material outsourcing.

How it fits in with other rules

PS7/26 forms part of a broader series of policy initiatives undertaken by the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) to put in place a stronger regulatory framework that promotes operational resilience beyond the boundary of an organisation. It builds on existing outsourcing and third-party risk management (TPRM) rules and remains closely aligned with PRA and FCA requirements on operational resilience.

While distinct from rules on the oversight of critical third parties (CTPs), effective from 1 January 2025, PS7/26 will ultimately capture important data on firms’ material third-party arrangements to better identify systemic risks and support PRA recommendations for potential CTPs designated by the UK Treasury.

It aims to strengthen regulators' understanding of operational and third-party vulnerabilities through improved reporting and increase focus on material third parties, as opposed to outsourcing alone. Importantly, for firms with regulatory obligations in multiple jurisdictions, PS7/26 aligns with similar regimes, including the Financial Stability Board's Format for Incident Reporting Exchange (FIRE), and the EU's Digital Operational Resilience Act (DORA). This alignment simplifies compliance for firms operating internationally.

Summary of changes versus the consultation

PS7/26 and SS1/26 still cover the same ground as the consultation paper: incident reporting, material third-party notification and registers. However, final rulesets notably reduce the amount of information firms must report and streamline the submission process itself. Updates to SS2/21, which expand its focus to include material third parties in addition to material outsourcing, remain in effect.

Operational incident reporting

What 
  • Firms are required to report operational incidents that meet reporting thresholds. Thresholds for reporting remain non-prescriptive, aligned to respective regulators’ supervisory objectives. For the PRA, for example, this means incidents with implications for firm safety and soundness. While additional guidance has been set out in SS1/26 to help interpret these thresholds, including further examples and factors firms should consider, specific metrics or incidents to be reported have not been defined.
  • An incident qualifies for reporting where it “disrupts the delivery of a service to an end user external to the firm”, which aligns closely with operational resilience definitions of externally facing important business services – this is a good guide when thinking about more tangible criteria for what gets reported. Importantly, the obligation to report is not tied to whether a firm breaches its impact tolerances.
  • Near misses have been clarified and do not require notification.
When / how
  • Firms are required to submit an initial incident report within 24 hours of determining that an incident has met a relevant threshold, followed by a final report within 30 days of the incident being resolved. Intermediate incident reports are still required upon a material change in the nature of the incident.
  • The proposed model of submitting separate initial, intermediate, and final forms set out in the consultation has been replaced with a single consolidated form, which firms complete in stages – beginning with the initial submission and subsequently updating it with intermediate and final information as the incident progresses.
  • All notifications are to be submitted via FCA Connect – this satisfies reporting for both PRA and FCA.

MTP reporting

What
  • Firms must provide notification of all new MTP arrangements, as well as significant changes to existing MTP arrangements. While not specified in the consultation, PS7/26 provides clarification that firms are not required to submit retrospective notifications for material third parties – the MTP register will incorporate these. Additional guidance has also been provided in Chapter 5 of SS2/21 to support firms in identifying MTP arrangements.
  • Intragroup arrangements that do not involve an external service provider are now excluded, except where the firm is a ring-fenced body. This is a notable exclusion compared with the consultation, but should not be confused with expectations related to the management and oversight of material intragroup services.
When / how
  • Notifications should be made via FCA Connect prior to entering into a new MTP arrangement or before making a material change to an existing one. This is consistent with the consultation.
  • Notification templates and the MTP register have been separated, providing a clearer distinction between ongoing record-keeping obligations and formal notifications.
  • Credit unions with <£50m in total assets and branches of overseas banks have been removed from scope.

MTP register

What
  • Firms must maintain and report a register of all MTP arrangements. This is consistent with the consultation. Fields expected to be captured within the register remain defined.
  • The register is expected to include both material outsourcing arrangements and MTPs, reflecting the broader scope of MTPs under the updated framework, and as set out in the latest version of SS2/21.
When / how
  • MTP registers are required to be submitted annually via the FCA RegData platform.

Amendments to SS2/21

What
  • Amendments bring material third-party arrangements in scope of more rigorous oversight and assurance practices set out in SS2/21.
  • Exactly what’s required to meet this will vary firm to firm based on current practices, but may require frameworks to be elevated to be more holistic, or for more fundamental gaps to be addressed.
When / how
  • Activity is recurring and ongoing, with amendments to SS2/21 introduced on the same timeline as SS1/26 – effective 18 March 2027.

Implementation challenges

At a recent meeting Crowe hosted with the ABI and a cross-section of the insurance industry, we discussed potential challenges firms may experience in meeting new requirements. The discussion highlighted potential pain points in the following areas.

  1. Broad dependencies
    While new requirements raise expectations for firms, they do not represent the same step change that we saw with SS2/21. SS2/21 introduced a far more holistic and far-reaching shift in supervisory expectations. By comparison, the latest updates are, for the most part, more focused.
    That said, there are two important caveats:
    • Broad dependencies implicit in PS7/26 will, for many, mean strengthening wider capabilities. In particular, expectations around operational incident and third-party reporting are dependent upon data being available, and incident reporting and management processes working well – each of which presents its own challenges.
    • Similarly, meeting expanded expectations in SS2/21 regarding material third parties is dependent upon the efficacy of firms’ third-party risk management approaches more broadly, and their ability to scale with demand.
  2. Data
    Reliable data will be essential in meeting the expected level and consistency of information required for incident and third-party reporting. A common issue is the difficulty obtaining complete and reliable data not only from primary service providers but also from subcontractors, where visibility and assurance are often limited. In addition, aligning internal incident reporting and management processes with regulatory expectations and reporting formats may prove challenging where information is fragmented across multiple teams, systems, or processes.
    As such, improving data quality, traceability, and consistency across third-party risk management, incident reporting and regulatory submissions will likely be a focus for firms.
  3. Reporting thresholds
    There is scope for a broad interpretation of reporting thresholds when deciding whether an incident is reportable. Without more tightly defined criteria or triggers set by firms themselves, incidents may be under- or over-reported, particularly in fast-moving situations where information is incomplete or evolving.

Practical steps firms can take

To prepare for PS7/26, firms should consider the following key actions:

  1. Assess implications on your TPRM framework more broadly
    The expansion of supervisory oversight to include all material third parties may mean certain types of third-party arrangements require different treatment, i.e. more rigour. For firms with a well-established framework in place, this may not require much change. However, for firms with less well-established practices, it may highlight gaps. Greater scrutiny and mandated reporting may also surface issues – working through shortfalls now will allow time to close gaps.
  2. Review internal incident reporting processes
    Align existing internal incident management processes, including incident classification and reporting requirements, and update internal management and reporting templates to include information required for regulatory notification.
  3. Update relevant policies
    As required, make updates to relevant policies to codify newly defined reporting timelines and thresholds, akin to the Information Commissioner’s Office (ICO) reporting for data breaches and incidents.
  4. Align the third-party register
    Ensure information required by the MTP register is being captured. The vast majority of financial institutions will already have a third-party register, but information required to be captured in firms’ submissions may require.

For more information or to discuss any of the topics set out above, please reach out to your usual Crowe contact.