From 18 March 2027, UK financial services firms face mandatory reporting obligations for operational incidents and material third-party arrangements under FCA Policy Statement PS26/2. Boards that treat this as a compliance team issue will find themselves personally exposed — the rules place accountability squarely at senior management level.
What Does FCA PS26/2 Actually Require?
Published on 18 March 2026, PS26/2 establishes a standardised framework for firms to report operational incidents to the FCA, PRA, and Bank of England through a single unified portal. The rules apply to banks, insurers, investment firms, payment service providers, and electronic money institutions. Dual-regulated firms are covered by PRA Policy Statement PS7/26, which mirrors the FCA’s requirements and eliminates duplication in reporting.
Two distinct obligations sit at the heart of the regime. First, operational incident reporting: firms must report incidents that exceed prescribed thresholds — covering duration, customer impact, financial loss, and reputational harm — through the single portal. FCA guidance FG26/3 sets out how incidents should be categorised and what information is required at initial notification, intermediate update, and final report stages. Second, material third-party arrangement reporting: firms must notify regulators of any new material third-party arrangements or significant changes to existing ones, and maintain a register of all material third-party dependencies. FCA guidance FG26/4 provides the framework for assessing materiality.
Executive Action:
- Designate a senior manager under SMCR with explicit ownership of PS26/2 compliance
- Commission a gap analysis of your current incident reporting processes against FG26/3 thresholds — the FCA’s definitions are likely to differ from your internal ones
- Begin mapping all material third-party arrangements against the FG26/4 materiality framework
Why Is This Now a Board-Level Issue, Not a Compliance One?
The FCA has been explicit about its intent: PS26/2 is designed to give regulators better visibility of operational disruption and third-party dependencies, enabling what the FCA describes as a “more data-driven supervisory approach.” This is not routine compliance housekeeping. It repositions boards as the first line of accountability when operational failures occur.
Under existing SMCR requirements, the Chief Operating Officer or Chief Information Officer typically holds accountability for operational resilience. PS26/2 tightens that accountability: executives who own important business services bear personal responsibility for ensuring those services have robust incident detection, assessment, and reporting capabilities in place. The regime is designed so that weaknesses in reporting are visible to regulators — and by extension, so are the executives responsible.
The stakes extend beyond regulatory censure. The FCA has made clear that it will use operational incident data to inform its supervisory priorities. According to PwC’s analysis of the regime, firms that have already embedded operational resilience frameworks will still need to update their incident classification processes to align with PS26/2’s specific thresholds. Firms that report late, inconsistently, or incompletely will attract more intensive oversight. Boards should expect this to feature in regulatory conversations from 2027 onwards. INFORMD has been tracking this development closely as part of its ongoing intelligence briefings for UK senior executives — and the direction of travel is unambiguous.
Executive Action:
- Ensure your board risk committee receives quarterly briefings on operational incident trends — before regulators request the same information
- Confirm that SMCR accountability maps are updated to reflect PS26/2 obligations explicitly
- Challenge your COO on how the firm currently defines a “material” incident — the FCA’s threshold is likely to be more prescriptive than your internal standard
How Should UK Executives Build Readiness Before March 2027?
With 12 months to implementation, firms have adequate runway — but not a comfortable one. The technical requirements alone are significant. All incident reports must flow through the single unified portal; firms must have internal systems capable of detecting, classifying, and escalating incidents against the new thresholds within defined timeframes.
Research by EY on operational resilience implementation in UK financial services suggests that firms consistently underestimate the time required to embed consistent incident classification across business lines. Getting categorisation wrong at the point of reporting is as problematic as reporting late — regulators will assess the quality of submissions, not just their timeliness.
For third-party reporting, the challenge is equally demanding. Many organisations lack a single, accurate view of their material third-party dependencies. Building and maintaining a register that satisfies FG26/4 requirements will require coordinated input from procurement, IT, legal, and risk functions — and executive sponsorship to make it happen at pace. For firms already subject to DORA obligations in the EU, there is useful precedent to draw on, though the UK regime has its own specifics.
Executive Action:
- Set a board milestone of Q4 2026 to have your incident classification framework tested and validated against FG26/3
- Commission a third-party mapping exercise now — firms that begin in Q1 2027 will not have sufficient time
- Visit INFORMD’s executive briefing library for further intelligence on the operational resilience regulatory agenda
What Are the Consequences of Not Being Ready by March 2027?
The FCA’s 2025–2030 strategy explicitly links its supervisory approach to data quality. Firms that provide poor-quality incident reports will face more intensive oversight; those that demonstrate accuracy and prompt reporting may benefit from the lighter-touch relationship the FCA has signalled for firms it regards as “doing the right thing.” The incentive structure is clear.
The reputational and legal risk extends further. In the event of a significant operational incident, regulators will assess not just what happened, but how quickly and accurately the firm reported it. For listed companies, this has direct implications for investor confidence and market disclosure obligations under the Companies Act 2006 and the FCA’s Market Abuse Regulation framework. Audit committees should be briefed on how PS26/2 reporting timelines interact with existing MAR obligations — the two are not always aligned.
Executive Action:
- Instruct legal counsel to map PS26/2 reporting timelines against your MAR and Companies Act 2006 disclosure obligations
- Brief your audit committee on how PS26/2 intersects with your existing internal audit programme for operational resilience
- Speak to the INFORMD team at informd.co.uk/contact to arrange a tailored briefing for your board or risk committee
INFORMD provides intelligence briefings for senior business leaders across technology, finance, strategy, and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence. Explore our full library of executive briefings or speak to our team.
Frequently Asked Questions
Who does FCA PS26/2 apply to?
PS26/2 applies to all FCA-regulated firms, including banks, insurers, investment firms, payment service providers, and electronic money institutions. Dual-regulated firms are also subject to PRA Policy Statement PS7/26, which was published on the same date and covers the same requirements without duplication.
When do the PS26/2 rules come into force?
The new operational incident and third-party reporting rules take effect on 18 March 2027 — exactly 12 months after the final policy statements were published. The FCA has indicated no intention to extend this implementation window.
What counts as a material third-party arrangement under FG26/4?
The FCA’s guidance FG26/4 takes a principles-based approach, assessing materiality against factors including the criticality of the service to the firm’s important business services, the substitutability of the provider, and the potential for the arrangement to cause widespread harm if it fails. Firms should not assume that existing procurement or vendor risk frameworks apply the same materiality thresholds as the FCA intends.
How does PS26/2 interact with the UK’s Critical Third-Party (CTP) regime?
PS26/2 imposes obligations on regulated firms to report their third-party dependencies to the FCA and PRA. The CTP regime, separately, gives regulators direct oversight powers over third-party providers designated as systemically critical by HM Treasury — such as major cloud platforms. Both regimes apply concurrently. Boards should understand the distinction: PS26/2 is a firm-level reporting obligation; the CTP regime operates at the level of the third-party provider itself.