Background
Earlier this year, the Financial Conduct Authority (“FCA”) published details of its new framework of rules and guidance around the reporting of operational incidents and third-party arrangements. The framework is the culmination of a coordinated effort by the FCA, Prudential Regulation Authority and Bank of England to create a single regulatory framework for incident reporting, in response to rising threats posed by technological innovations such as artificial intelligence (“AI”). The new FCA rules take effect on 18 March 2027. This gives firms nine months to prepare.
The headline point for managers is the introduction of a new obligation for all FCA authorised firms to submit a single report to the FCA in the event of an “operational incident”. An operational incident is a single event (or series of linked events) that disrupts a firm’s operations so that it either:
- disrupts the delivery of a service to an end user outside the firm; or
- affects the availability, authenticity, integrity or confidentiality of an external end user’s information or data.
The second limb means that data incidents may fall within the FCA regime, but it does not replace the separate UK GDPR personal data breach reporting regime. Firms will therefore need to consider whether the same facts also amount to a personal data breach that is reportable to the Information Commissioner’s Office.
The requirement to report to the FCA only applies to “operational incidents” that meet one of three reporting thresholds (as outlined below), and are not intended to capture potential or uncrystallized events or near misses.
Larger systemic firms, such as enhanced scope SMCR firms and banks, will be subject to separate reporting stream known as “enhanced reporting”. This involves the submission of additional reports at an intermediate phase (if relevant) and a final report once the incident is resolved. Asset managers will not be in scope of the “enhanced reporting” stream.
What counts as an “operational incident”?
To determine whether an event constitutes an “operational incident” a firm must assess whether the event impacts an “end user” external to the firm. This may capture other market participants, regulators or a member of the firm’s group, for example a FCA regulated firm proving services to another group entity. In the fund context, this would also include investors in funds advised or managed by the UK firm.
The definition is not intended to capture temporary, controlled interruptions to a service, such as planned maintenance. If a controlled interruption for a firm does goes wrong and crosses one of three applicable thresholds (see below) however, then it will need to be reported to the FCA.
Where the incident involves personal data, the firm should also assess whether there has been a personal data breach under the UK GDPR, which is defined as a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. That assessment should not wait for the FCA materiality analysis to conclude.
What are the reporting thresholds?
Firms only need to submit a report to the FCA where an “operational incident” has occurred (in accordance with the definition above) and the firm reasonably believes the incident poses a risk in respect of one of the following three thresholds:
- Consumer harm: of causing intolerable levels of harm to consumers from which consumers cannot easily recover.
- Market stability: to market stability, market integrity or confidence in the UK financial system.
- Safety and soundness: to the safety and soundness of the firm and/or other market participants.
In the accompanying policy paper to the rules, the FCA notes that these thresholds are intended to capture only serious incidents. For example, a one-off event like a temporary loss of power would only need to be reported if serious enough to cross one of the above thresholds in respect of services provided to the firm’s clients. A major IT failure or cyber-attack that disrupts a service to clients would likely be in scope. The FCA expects firms to exercise discretion when determining the impact of an incident on its business, and this assessment will vary on a firm-by-firm basis.
How and when to submit
The new operational incident report will be made through the FCA’s Connect platform.
The report must be submitted as soon as practicable following the firm’s determination that an “operational incident” meets one of the three reporting thresholds, which the FCA expects to be within at least 24 hours. The FCA recognise that a firm may not reasonably believe an incident meets the reporting thresholds initially, and that this could change if an incident escalates – it is at this point that a report must be submitted.
By contrast, a notifiable personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of the firm becoming aware of it. If a firm cannot provide all details within that period, it should not delay the initial notification and can provide further information later.
Only one report is needed per incident, even if several services are affected, but a separate report is needed for each FCA regulated firm in the group that is impacted by the incident with respect to each respective firm’s reporting thresholds.
Overlap with existing Principle 11 duty
Firms that submit an operational incident report can meet their Principle 11 obligations, so there is no need to report the same incident twice. The new regime is only intended to capture serious incidents, and lower-impact issues and near misses should still be reported and/or escalated through existing internal channels. Even if an incident isn’t serious enough to warrant reporting under the new regime, it may still require a Principle 11 report.
The same point does not apply to the UK GDPR regime. A data incident may be too limited to meet the FCA thresholds but still be reportable to the ICO, depending on the risk to individuals. Conversely, a major outage may be reportable to the FCA even if no personal data breach has occurred. The FCA and ICO’s move towards closer coordination over the last 18 months, which we cover here, mean that potential incidents may come to the attention of both regulators.
What you should do now
With the rules taking effect on 18 March 2027, firms have nine months to prepare. Firms should therefore consider the impact of the rule change and update existing reporting procedures. As operational outages become more relevant, it is important firms include the new requirement in their considerations of how to react and manage these situations.
Firms should also map the new FCA process against existing personal data breach procedures, so that incident teams can identify quickly whether FCA, ICO, individual notification, law enforcement or other reporting routes are engaged. Playbooks should reflect the different clocks, thresholds and information requirements under each regime.
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.


