FCA introduces updated guidelines on new incidents and third-party reporting starting March 2027.

2026-03-21

The UK Financial Conduct Authority (FCA) has announced updated guidelines for incident and third-party reporting. These new rules are aimed at clarifying, standardizing, and simplifying the current frameworks to make them more accessible to regulated organizations.

Effective from 18 March 2027, firms will have a year to prepare for these changes. The updates stem from consultations conducted in December 2024 and are intended to rectify inconsistencies in incident reporting procedures, minimize redundant duties, and enable the FCA to receive relevant and organized information that can be used to evaluate disruptions promptly and effectively.

Principal modifications and unified framework

The revised rules have been formulated jointly with the Prudential Regulation Authority and the Bank of England. They establish a single reporting mechanism for firms overseen by multiple regulators, eliminating redundant incident-reporting obligations for payment service providers and credit rating agencies. For most FCA-regulated entities, a brief notification will suffice to communicate an occurrence. Additionally, enhanced guidelines on reporting thresholds, definitions, and roles are provided, along with finalized guidance that includes illustrative examples and assistance in filling out incident forms and third-party registries.

The modifications reflect the escalating complexity of cyber threats and the expanding reliance on third-party suppliers. In 2025, more than 40% of cyber incidents reported to the FCA involved a third party, including significant breaches within the financial industry. The new structure aims to aid the FCA in pinpointing services most vulnerable to third-party disruptions and identifying providers crucial for the UK’s financial system.

The FCA plans to utilize data from this regime to share sector-wide insights and trends over time, with a review set for two years post-implementation to gauge its effectiveness. A webinar for stakeholders is scheduled on 29 April 2026.

Mark Francis, Director of Specialists and Wholesale Sell-Side at the FCA, stated that these revisions provide firms with clearer regulations and practical directives to handle disruptions, while supplying the regulator with a more robust dataset for assessing risks and enhancing overall sector resilience.