Link(s):
CP24/28: Operational Incident and Third Party Reporting | FCA
CP24/28: Operational Incident and Third Party Reporting
incident-reporting-fields-document.xlsx
Context
The FCA has published Consultation Paper CP24/28 on reporting operational incidents and material third-party arrangements. Within the Consultation (see Appendix 2 of the Draft Rules section) there is a link to the proposed operational incident reporting data tables, which are very detailed.
Firms face growing challenges to remaining operationally resilient. When operational incidents do occur, the disruption to the services firms provide can harm consumers and the wider sector. The proposals aim to bolster the FCA’s operational resilience framework for firms and seek to establish a consistent, sufficient, and timely framework for reporting operational incidents and material third-party arrangements.
Operational incident reporting
The FCA currently receives notifications of operational incidents from authorised firms based on Principle 11. However, it does not currently define what constitutes an ‘operational incident’, when one should be reported, what information should be included, or how to submit such reports. Feedback from industry, as part of the Transforming Data Collection programme in 2022, indicated that many firms are unclear about how and when to engage with the FCA regarding incidents. As a result, the FCA is proposing to define an operational incident and to require firms to submit standardised reports on incidents that breach one or more of the proposed thresholds (which are subject to interpretation and are not at all prescriptive). These thresholds relate to consumer harm, market integrity, and safety and soundness.
Third party reporting
Over the years, firms’ operations have become more complex and dependent on technology, increasingly relying on a wide range of services delivered by third parties. Under current requirements, the FCA receives limited and inconsistent data on third party arrangements relating only to firms’ outsourcing arrangements. This has resulted in gaps in the FCA’s knowledge of potential risks that third parties pose to individual firms and the financial services sector. As a result, the FCA is proposing to introduce material third party reporting rules, which include outsourcing and non-outsourcing arrangements, for a sub-set of firms that have the biggest consumer and market impact.
Key points and next actions
- Chapter 3 of this consultation paper (CP), which covers proposals for operational incident reporting, is relevant to all authorised firms and some other types of businesses falling within the FCA’s remit.
- Chapter 4 of this CP, which covers proposals for third party reporting, is relevant to a specific set of firm types, which does not cover our client base but does include Enhanced scope SM&CR firms.
- The draft Rules contain two new defined terms:
  - material third party arrangement means a third-party arrangement which is of such importance that a disruption or failure in the performance of the product or service provided to the firm could:
    - cause intolerable levels of harm to the firm’s clients;
    - pose a risk to the soundness, stability, resilience, confidence or integrity of the UK financial system; or
    - cast serious doubt on the firm’s ability to satisfy the threshold conditions, or meet its obligations under the Principles, or under SYSC 15A (Operational resilience).
  - operational incident means either a single event or a series of linked events which disrupts the firm’s operations such that it:
    - disrupts the delivery of a service to the firm’s client or a user external to the firm; or
    - impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to the firm’s client or a user external to the firm.
- The three reporting thresholds for operational incident reporting are:
  - Consumer Harm: the incident could cause or has caused intolerable levels of harm to consumers, and they cannot easily recover as a result.
  - Market Integrity: the incident could pose or has posed a risk to market stability, market integrity, or confidence in the UK financial system.
  - Safety and Soundness: the incident could pose or has posed a risk to the safety and soundness of the firm and/or other market participants.
- There are ten case studies and a useful incident reporting process infographic within Chapter 3, in relation to operational incident reporting.
- A firm captured by the operational incident reporting requirements must maintain a register of information relating to its material third party arrangements and submit the register of material third party arrangements annually to the FCA.
- The FCA proposes to define a ‘third party arrangement’ as:
  - An arrangement of any form between a firm and a service provider, whether or not the product or service is:
    - one which would otherwise be provided by the firm itself;
    - provided directly or by a sub-contractor; or
    - provided by a person within the same group as the firm.
- When identifying third party arrangements, firms should consider their use of those products and services. For example, the FCA will expect to see:
  - products provided by third parties directly used for the firm’s operations (e.g., software); and
  - services provided by third parties either to directly support the firm’s operations (e.g., the third party’s technical support hours), or to support the firm’s use of a product in support of the operations (e.g., the service to provide content updates to the software).