The Financial Conduct Authority (FCA) and the Bank of England have finalised their harmonised new rules on reporting incidents – and the requirement for firms to notify them of critical third parties.

The rules span operational incident and "material third party" reporting – the FCA on Wednesday cited cyber attacks and outages at AWS and Cloudflare as among the kinds of incidents that drove a need for the rules.

The rules (which fall under PS26/2 for the FCA and PS7/26 for the Bank of England) are due to apply from 18 March 2027 for any organisation that falls either under the FCA's ambit or that of the Prudential Regulation Authority (PRA).

By that date, banks and other financial institutions must have completed audits of the risks of their cloud and SaaS providers, using a largely "you'll know it if you see it" approach to whether a risk or third party is important enough. 

"We expect firms to apply the same standard to both intragroup arrangements and external third party arrangements when assessing operational risks. Firms should not treat an intragroup arrangement as being automatically less risky when assessing its materiality and should consider the risks on a case-by-case basis." - FCA

Regulated firms were urged to take into account issues such as whether a highly publicised cyberattack could scare off counterparties when considering whether reporting thresholds have been met.

The FCA, meanwhile, said that it has aligned "technology platforms across regulators" so that material third party notifications can be shared automatically, removing the need for firms to make multiple submissions.

No near misses

Near misses, such as a thwarted DDoS attack, are excluded from reporting requirements, but a scheduled system upgrade that overruns to the point of disrupting service probably qualifies.

Outsourced data centres are the first example cited in the FCA guidance on material third parties (MTPs). Hardware is the second example, and software is the third.

"AI-driven failures sit squarely within scope," said Chris Kiew-Smith, formerly an MD with Citi and now heading EMEA compliance for digital assets platform company Galaxy, of the rules. "An agent producing systematically wrong outputs, an AML system missing transactions at scale, a surveillance tool failing during a volatile session — all reportable."

Services that it "would generally expect" to be material, said the FCA, also include DDoS mitigation, SaaS, and AI models used for trading, alongside services that move physical cash around.

Categories it considers not material include website analytics and public telecoms services. 

There are no prescribed timelines for reporting new third-party suppliers that are critical, but firms are expected to "notify us at an early stage and to submit the notice before making any internal or external commitments."

Fields in the third party reporting template include an evaluation of "ability to substitute the service provider" and "ability to reintegrate the product or service provided back in-house".

"Firms will need to use judgement about risks to external parties," said the FCA in its guidance. "We expect firms to be able to assess whether disruption impacts external parties (for example firms and consumers) and the UK financial system."

Net profit

The Bank of England said there was broad support during its consultation on the planned rules, though not for its cost estimates. Having been burnt on higher than forecast costs for implementing the EU’s Digital Operational Resilience Act (DORA), "several respondents questioned whether the benefits of the policy as proposed would outweigh the costs, which they thought could be higher than estimated."

The bank said those companies had failed to "provide new quantitative evidence" on the cost estimates, so it was sticking with its numbers, just more so.

"The PRA maintains that the benefits of the policies are significant and should outweigh the costs of implementation," that regulator said in a statement on Wednesday. "It considers that this is now by a greater margin than envisaged in the original proposals, given the cost reductions resulting from the changes in the final policy."

For big companies, those cost-saving changes come down to more automation and fewer data fields for MTP notification (initially using a Microsoft Excel template), while credit unions with less than £50 million in assets are excluded from reporting.

The FCA cost estimates include a maximum of £120,000 per year "in ongoing annual costs to firms in scope of third party reporting", offset by £270,000 worth of "ongoing annual benefits to firms from incident reporting efficiencies."

Supply-chain checks

The rules "requiring firms to maintain and annually submit a register of material third-party arrangements forces a level of supply chain visibility that many firms frankly don't yet have," said Matt Saunders, VP for DevOps at Adaptavist this week.

"Firms have a year to prepare, and the ones that treat this as a documentation exercise rather than an operational overhaul will find themselves exposed when the next third-party incident lands."

The standardised register of critical third parties "will help us see through firms’ supply chains to identify which services are the most exposed and help us identify potential critical third parties to the UK financial system," said Mark Francis, director of specialists and wholesale sell-side at the FCA. 

The FCA and BoE say they will share trends and data with the financial industry both as part of resilience building and during disruptions.
